oneentry 1.0.151 → 1.0.152

package/changelog.md

@@ -1,5 +1,13 @@
 # SDK Change Log
 
+## v.1.0.152
+
+### Bug Fixes
+
+- Auth — eliminated the spurious `401` logged on every page load for a valid restored session. `browserResponse` now does a **proactive refresh** when a refresh token is present but there is no access token yet: it fetches the access token *before* the first request (clean `200`) instead of sending an unauthenticated request that is guaranteed to `401` and then reactively refreshing. After the proactive refresh it attaches `Authorization` and drops the `x-guest-id` scoping. The reactive `401 → refresh → retry` path is retained for mid-session token expiry.
+
+- Auth — `refreshToken` is now **single-flight**.
+
 ## v.1.0.151
 
 ### What's New

package/dist/base/asyncModules.d.ts

@@ -57,11 +57,17 @@ export default abstract class AsyncModules extends SyncModules {
      */
     protected _fetchDelete<T = unknown>(path: string, body?: unknown): Promise<T>;
     /**
-     * Refreshes the authentication token.
+     * Refreshes the authentication token (single-flight).
      * @returns {Promise<boolean>} A promise resolving to a boolean indicating success or failure.
-     * @description Define an asynchronous method 'refreshToken' that attempts to refresh the authentication token
+     * @description De-duplicates concurrent refreshes — the refresh token is single-use, so parallel requests must share one refresh call instead of each burning a rotated token.
      */
     protected refreshToken(): Promise<boolean>;
+    /**
+     * Performs the actual token refresh request (without de-duplication).
+     * @returns {Promise<boolean>} A promise resolving to a boolean indicating success or failure.
+     * @description Sends POST /users/refresh and, on success, stores the rotated access/refresh tokens and calls saveFunction.
+     */
+    private _performRefresh;
     /**
      * Creates options for HTTP requests.
      * @param {string} method - The HTTP method (GET, POST, PUT, DELETE, etc.).

package/dist/base/asyncModules.js

@@ -282,11 +282,33 @@ class AsyncModules extends syncModules_1.default {
         }
     }
     /**
-     * Refreshes the authentication token.
+     * Refreshes the authentication token (single-flight).
      * @returns {Promise<boolean>} A promise resolving to a boolean indicating success or failure.
-     * @description Define an asynchronous method 'refreshToken' that attempts to refresh the authentication token
+     * @description De-duplicates concurrent refreshes — the refresh token is single-use, so parallel requests must share one refresh call instead of each burning a rotated token.
      */
     async refreshToken() {
+        // Reuse an in-flight refresh if one is already running (shared via state
+        // across all module instances). Prevents parallel requests from each firing
+        // their own refresh and invalidating the single-use refresh token.
+        if (this.state._refreshPromise) {
+            return this.state._refreshPromise;
+        }
+        const promise = this._performRefresh();
+        this.state._refreshPromise = promise;
+        try {
+            return await promise;
+        }
+        finally {
+            // Clear so the next genuine 401 (e.g. mid-session expiry) can refresh again.
+            this.state._refreshPromise = null;
+        }
+    }
+    /**
+     * Performs the actual token refresh request (without de-duplication).
+     * @returns {Promise<boolean>} A promise resolving to a boolean indicating success or failure.
+     * @description Sends POST /users/refresh and, on success, stores the rotated access/refresh tokens and calls saveFunction.
+     */
+    async _performRefresh() {
         const url = this.state.url +
             `/api/content/users-auth-providers/marker/` +
             this.state.providerMarker +
@@ -396,7 +418,32 @@ class AsyncModules extends syncModules_1.default {
      * @description Define an asynchronous method 'browserResponse' that takes a path and options as parameters
      */
     async browserResponse(path, options) {
+        // Set when a proactive refresh ran and failed (dead/expired refresh token):
+        // used below to skip the reactive refresh so we don't fire a second,
+        // equally-doomed refresh on the 401 that the request is about to return.
+        let proactiveRefreshFailed = false;
         try {
+            // Proactive (eager) refresh: a session restored from storage has a refresh
+            // token but no access token yet. Sending the first authenticated request
+            // without an access token GUARANTEES a 401 (then a reactive refresh + retry)
+            // — a spurious 401 logged on every page load even for a perfectly valid
+            // session. Obtaining the access token up-front turns that into a clean 200.
+            // Fires at most once per session (skipped once accessToken is set), and is
+            // off for custom-auth callers who manage tokens themselves.
+            if (!this.state.accessToken &&
+                this.state.refreshToken &&
+                !this.state.customAuth) {
+                const refreshed = await this.refreshToken();
+                if (refreshed) {
+                    // Authenticated now — attach the bearer and drop the guest scoping
+                    // that makeOptions added while no access token was present.
+                    options.headers['Authorization'] = 'Bearer ' + this.state.accessToken;
+                    delete options.headers['x-guest-id'];
+                }
+                else {
+                    proactiveRefreshFailed = true;
+                }
+            }
             // Perform a fetch request using the full URL obtained from '_getFullPath' and the provided options
             const response = await fetch(this._getFullPath(path), options);
             // Check if the response status is OK (status code 200-299)
@@ -415,8 +462,12 @@ class AsyncModules extends syncModules_1.default {
             }
             else {
                 // Handle non-OK responses
-                // Check if the status is 401 (Unauthorized) and custom authentication is not used
-                if (response.status === 401 && !this.state.customAuth) {
+                // Reactive refresh for mid-session expiry: access token was present but
+                // the server rejected it. Skipped when a proactive refresh already ran
+                // and failed (the refresh token is dead — retrying would 400 again).
+                if (response.status === 401 &&
+                    !this.state.customAuth &&
+                    !proactiveRefreshFailed) {
                     // Attempt to refresh the access token
                     const refresh = await this.refreshToken();
                     if (refresh) {

package/dist/base/stateModule.d.ts

@@ -11,6 +11,7 @@ export default class StateModule {
     accessToken: string | undefined;
     traficLimit: boolean;
     refreshToken: string | undefined;
+    _refreshPromise: Promise<boolean> | null;
     providerMarker: string;
     customAuth: boolean;
     _NO_FETCH: boolean;

package/dist/base/stateModule.js

@@ -46,6 +46,10 @@ class StateModule {
      */
     constructor(url, config) {
         var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p, _q, _r, _s, _t, _u, _v, _w, _x, _y, _z, _0, _1;
+        // In-flight token refresh, shared across all module instances (they share this
+        // state object). De-duplicates concurrent refreshes so the single-use refresh
+        // token is not burned by parallel requests. Null when no refresh is running.
+        this._refreshPromise = null;
         this.url = url;
         this.lang = (_a = config.langCode) !== null && _a !== void 0 ? _a : 'en_US';
         this.token = config.token;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oneentry",
-  "version": "1.0.151",
+  "version": "1.0.152",
   "description": "OneEntry NPM package",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",