admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7e655fd976d25206ede323ce18dca553b147c115
goodgo-platform/apps/web/lib/api-client.ts
Ho Ngoc Hai d2488b1cc1
Some checks failed
Security Scanning / Trivy Scan — Web Image (push) Failing after 42s
Details
Security Scanning / Trivy Scan — AI Services Image (push) Failing after 41s
Details
Deploy / Deploy to Staging (push) Has been skipped
Details
Deploy / Smoke Test Staging (push) Has been skipped
Details
Deploy / Smoke Test Production (push) Has been skipped
Details
Security Scanning / Security Gate (push) Failing after 0s
Details
CI / Lint → Typecheck → Test → Build (22) (push) Failing after 8s
Details
CI / E2E Tests (push) Has been skipped
Details
CodeQL Analysis / CodeQL (javascript-typescript) (push) Failing after 53s
Details
Deploy / Build API Image (push) Failing after 17s
Details
Deploy / Build Web Image (push) Failing after 10s
Details
Deploy / Build AI Services Image (push) Failing after 10s
Details
E2E Tests / Playwright E2E (push) Failing after 10s
Details
Security Scanning / Dependency Audit (pnpm) (push) Failing after 4s
Details
Security Scanning / Trivy Scan — API Image (push) Failing after 1m15s
Details
Security Scanning / Trivy Filesystem Scan (push) Failing after 37s
Details
Deploy / Deploy to Production (push) Has been skipped
Details
Deploy / Rollback Staging (push) Has been skipped
Details
Deploy / Rollback Production (push) Has been skipped
Details
fix(web): auto-refresh 401s + restore Vietnamese breadcrumb text 
- api-client: on 401 (non-auth endpoints), call /auth/refresh once and
  retry the original request. Coalesce concurrent refreshes via a shared
  in-flight promise so burst traffic only fires one refresh. Skip retry
  for /auth/* to avoid loops. Surfaced by the /listings/new wizard
  where an expired access_token cookie made the first submit throw
  "Unauthorized" even though goodgo_authenticated=1 was still set.
- listing-detail-client: breadcrumb was `Trang ch\u1ee7` / `T\u00ecm
  ki\u1ebfm` written as JSX text, not a string literal — rendered the
  raw escape sequence. Replaced with "Trang chủ" / "Tìm kiếm".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 10:20:04 +07:00

127 lines
3.6 KiB
TypeScript
Raw Blame History

const API_BASE_URL = process.env['NEXT_PUBLIC_API_URL'] || 'http://localhost:3001/api/v1';
export class ApiError extends Error {
constructor(
public status: number,
message: string,
) {
super(message);
this.name = 'ApiError';
}
}
type RequestOptions = Omit<RequestInit, 'body'> & {
body?: unknown;
};
function getCsrfToken(): string | undefined {
if (typeof document === 'undefined') return undefined;
const match = document.cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]*)/);
return match?.[1] ? decodeURIComponent(match[1]) : undefined;
}
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// Endpoints for which a transparent refresh-and-retry on 401 must NOT run
// (refresh itself, login, logout, exchange-token, etc.).
const AUTH_ENDPOINTS = new Set([
'/auth/refresh',
'/auth/login',
'/auth/logout',
'/auth/register',
'/auth/exchange-token',
'/auth/forgot-password',
'/auth/reset-password',
]);
/**
* Coalesce concurrent refresh attempts: if ten requests race a 401 at the same
* moment, we should fire `/auth/refresh` once, not ten times.
*/
let refreshInflight: Promise<boolean> | null = null;
async function tryRefresh(): Promise<boolean> {
if (refreshInflight) return refreshInflight;
refreshInflight = (async () => {
try {
const csrfToken = getCsrfToken();
const res = await fetch(`${API_BASE_URL}/auth/refresh`, {
method: 'POST',
credentials: 'include',
headers: {
'Content-Type': 'application/json',
...(csrfToken ? { 'X-CSRF-Token': csrfToken } : {}),
},
body: JSON.stringify({}),
});
return res.ok;
} catch {
return false;
} finally {
// Allow a new refresh attempt after this one settles.
setTimeout(() => {
refreshInflight = null;
}, 0);
}
})();
return refreshInflight;
}
async function doFetch(endpoint: string, options: RequestOptions): Promise<Response> {
const { body, headers, ...rest } = options;
const method = options.method?.toUpperCase() ?? 'GET';
const csrfHeaders: HeadersInit = {};
if (!SAFE_METHODS.has(method)) {
const csrfToken = getCsrfToken();
if (csrfToken) {
csrfHeaders['X-CSRF-Token'] = csrfToken;
}
}
return fetch(`${API_BASE_URL}${endpoint}`, {
...rest,
credentials: 'include',
headers: {
'Content-Type': 'application/json',
...csrfHeaders,
...headers,
},
body: body ? JSON.stringify(body) : undefined,
});
}
async function request<T>(endpoint: string, options: RequestOptions = {}): Promise<T> {
let res = await doFetch(endpoint, options);
// If the access_token expired silently, try one refresh+retry before giving
// up. Skip for auth endpoints themselves to avoid loops.
if (res.status === 401 && !AUTH_ENDPOINTS.has(endpoint)) {
const refreshed = await tryRefresh();
if (refreshed) {
res = await doFetch(endpoint, options);
}
}
if (!res.ok) {
const error = await res.json().catch(() => ({ message: res.statusText }));
throw new ApiError(res.status, error.message || 'Request failed');
}
return res.json();
}
export const apiClient = {
get: <T>(endpoint: string, headers?: HeadersInit) =>
request<T>(endpoint, { method: 'GET', headers }),
post: <T>(endpoint: string, body?: unknown, headers?: HeadersInit) =>
request<T>(endpoint, { method: 'POST', body, headers }),
patch: <T>(endpoint: string, body?: unknown, headers?: HeadersInit) =>
request<T>(endpoint, { method: 'PATCH', body, headers }),
delete: <T>(endpoint: string, headers?: HeadersInit) =>
request<T>(endpoint, { method: 'DELETE', headers }),
};
Reference in New Issue View Git Blame Copy Permalink