nucleus-core-ts 0.9.702 → 0.9.703

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -25,23 +25,36 @@ export function createWsProxyHandler(config) {
25
25
  url = `${url}?${queryString}`;
26
26
  }
27
27
  if (target.injectTokenFromCookie) {
28
- let token = cookies[target.injectTokenFromCookie.cookieName];
29
- let tokenSource = target.injectTokenFromCookie.cookieName;
30
- if (!token && target.injectTokenFromCookie.fallbackCookieNames) {
31
- for (const fallback of target.injectTokenFromCookie.fallbackCookieNames){
32
- if (cookies[fallback]) {
33
- token = cookies[fallback];
34
- tokenSource = `${fallback} (fallback)`;
35
- break;
28
+ const paramName = target.injectTokenFromCookie.queryParam ?? 'token';
29
+ // PRECEDENCE: respect a token the client already supplied in the URL.
30
+ // The frontend fetches/refreshes a FRESH access_token server-side and puts
31
+ // it in `?token=`. The browser ALSO auto-sends the spanning HttpOnly
32
+ // `access_token` COOKIE on the WS handshake — but on a sibling subdomain
33
+ // (e.g. acta./ace.) that cookie is STALE/expired (only www activity
34
+ // refreshes it), and a fallback `session_token` isn't a valid bearer for
35
+ // the backend. Injecting the cookie therefore OVERRODE the fresh client
36
+ // token → backend closed the WS with "Not authenticated". Only inject from
37
+ // the cookie when the client supplied no token.
38
+ if (query.get(paramName)) {
39
+ logger.info(`[WS:auth] Using client-supplied ${paramName} for ${path}`);
40
+ } else {
41
+ let token = cookies[target.injectTokenFromCookie.cookieName];
42
+ let tokenSource = target.injectTokenFromCookie.cookieName;
43
+ if (!token && target.injectTokenFromCookie.fallbackCookieNames) {
44
+ for (const fallback of target.injectTokenFromCookie.fallbackCookieNames){
45
+ if (cookies[fallback]) {
46
+ token = cookies[fallback];
47
+ tokenSource = `${fallback} (fallback)`;
48
+ break;
49
+ }
36
50
  }
37
51
  }
38
- }
39
- if (token) {
40
- const paramName = target.injectTokenFromCookie.queryParam ?? 'token';
41
- url = addQueryParam(url, paramName, token);
42
- logger.info(`[WS:auth] Token injected from ${tokenSource} for ${path}`);
43
- } else {
44
- logger.warn(`[WS:auth] No token found for ${path} — tried: ${target.injectTokenFromCookie.cookieName}${target.injectTokenFromCookie.fallbackCookieNames ? `, ${target.injectTokenFromCookie.fallbackCookieNames.join(', ')}` : ''}`);
52
+ if (token) {
53
+ url = addQueryParam(url, paramName, token);
54
+ logger.info(`[WS:auth] Token injected from ${tokenSource} for ${path}`);
55
+ } else {
56
+ logger.warn(`[WS:auth] No token found for ${path} tried: ${target.injectTokenFromCookie.cookieName}${target.injectTokenFromCookie.fallbackCookieNames ? `, ${target.injectTokenFromCookie.fallbackCookieNames.join(', ')}` : ''}`);
57
+ }
45
58
  }
46
59
  }
47
60
  return url;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nucleus-core-ts",
3
- "version": "0.9.702",
3
+ "version": "0.9.703",
4
4
  "description": "Production-ready, enterprise-grade TypeScript framework for building multi-tenant APIs",
5
5
  "author": "Hidayet Can \u00d6zcan <hidayetcan@gmail.com>",
6
6
  "license": "SEE LICENSE IN LICENSE",