feat: another security sweep

2026-02-04 22:02:24 -08:00
parent 5eae636f2f
commit 9caf74945a
10 changed files with 416 additions and 36 deletions
@@ -6,10 +6,11 @@

 import { Injectable, signal } from '@angular/core';
 import { Router } from '@angular/router';
-import { Observable, tap } from 'rxjs';
+import { Observable, tap, catchError, switchMap, throwError, of } from 'rxjs';
 import { ApiService } from './api.service';
 import { AuthResponse, User } from '@library/shared-types';
 import { environment } from '../../environments/environment';
+import { HttpClient } from '@angular/common/http';

@Injectable({
  providedIn: 'root'
@@ -17,10 +18,12 @@ import { environment } from '../../environments/environment';
 export class AuthService {
  private currentUser = signal<User | null>(null);
  public readonly user = this.currentUser.asReadonly();
+  private refreshing = false;

  constructor(
    private api: ApiService,
-    private router: Router
+    private router: Router,
+    private http: HttpClient
  ) {}

  login(): void {
@@ -32,6 +35,44 @@ export class AuthService {
    return this.api.get<AuthResponse>('/auth/me').pipe(
      tap(response => {
        this.currentUser.set(response.user);
+      }),
+      catchError(error => {
+        if (error.status === 401) {
+          return this.refreshToken().pipe(
+            switchMap(() => this.api.get<AuthResponse>('/auth/me')),
+            tap(response => {
+              this.currentUser.set(response.user);
+            }),
+            catchError(() => {
+              this.currentUser.set(null);
+              return throwError(() => error);
+            })
+          );
+        }
+        return throwError(() => error);
+      })
+    );
+  }
+
+  refreshToken(): Observable<AuthResponse> {
+    if (this.refreshing) {
+      return of({ user: this.currentUser()!, accessToken: '' });
+    }
+
+    this.refreshing = true;
+    return this.http.post<AuthResponse>(
+      `${environment.apiUrl}/auth/refresh`,
+      {},
+      { withCredentials: true }
+    ).pipe(
+      tap(response => {
+        this.currentUser.set(response.user);
+        this.refreshing = false;
+      }),
+      catchError(error => {
+        this.refreshing = false;
+        this.currentUser.set(null);
+        return throwError(() => error);
      })
    );
  }
@@ -46,6 +87,10 @@ export class AuthService {
    );
  }

+  clearUser(): void {
+    this.currentUser.set(null);
+  }
+
  isAuthenticated(): boolean {
    return this.user() !== null;
  }