================================================================================ AUTH FOLDER: COMPREHENSIVE ANALYSIS & TOKEN FLOW DOCUMENTATION ================================================================================ PROJECT: NewApproach DATE: 2026-01-10 STATUS: In-depth analysis of auth module token acquisition, storage, and retrieval ================================================================================ FOLDER CONTENTS OVERVIEW ================================================================================ /NewApproach/auth/ ├── auth.ts TypeScript implementation (source) ├── auth-universal.js JavaScript version (browser-compatible) ├── auth-test.html Interactive test interface for manual testing └── README.md Documentation and quick-start guide ================================================================================ ARCHITECTURAL DESIGN ================================================================================ PATTERN-BASED CONFIGURATION: - Auth system uses a "pattern" approach to enable only needed token types - Patterns: 'pb', 'graph', 'pb+graph' (composable, can add more) - This allows flexibility across different projects using different providers SUPPORTED TOKEN TYPES (4 total): 1. 'pb-user' → PocketBase user authentication token 2. 'pb-agent' → PocketBase service account token (for server-to-server) 3. 'graph-user' → Microsoft Graph delegated token (on behalf of signed-in user) 4. 'graph-agent' → Microsoft Graph app-only token (service principal auth) STORAGE MECHANISM: - All tokens stored in browser localStorage (client-side storage) - Storage keys use consistent naming pattern: 'auth:' - Examples: * 'auth:pb-user' → stores PocketBase user token * 'auth:graph-user' → stores Microsoft Graph delegated token ================================================================================ TOKEN ACQUISITION FLOW (WHERE & WHEN) ================================================================================ CRITICAL DISTINCTION: This module does NOT acquire tokens itself. It is a STORAGE & RETRIEVAL system. Actual token acquisition happens elsewhere. WHO ACQUIRES TOKENS? - PocketBase tokens: PocketBase SDK (pb.authStore.token after user logs in) - Graph tokens: Microsoft authentication library (via OAuth flow or app auth) - These are obtained OUTSIDE this auth module - This module then STORES and RETRIEVES them THE FLOW: 1. EXTERNAL CODE ACQUIRES TOKEN └─ Where: In user's application code or backend └─ How: Via PocketBase SDK login or Microsoft authentication libraries └─ When: After successful user authentication or service account setup 2. TOKEN IS STORED VIA Auth.setToken() └─ Code: Auth.setToken('pb-user', ) └─ Storage: localStorage under key 'auth:pb-user' └─ When: Immediately after acquisition (outside this module) 3. TOKEN IS RETRIEVED VIA Auth.getToken() └─ Code: const token = Auth.getToken('pb-user') └─ Returns: String token or null if not found └─ When: Whenever application needs to use the token (API calls, etc.) ================================================================================ STORAGE DETAILS (EXACT LOCATIONS & KEYS) ================================================================================ localStorage MAP: Token Type │ Storage Key │ Where It Comes From ────────────────────┼────────────────────┼──────────────────────────────── 'pb-user' │ 'auth:pb-user' │ PocketBase SDK after login 'pb-agent' │ 'auth:pb-agent' │ PocketBase SDK service account 'graph-user' │ 'auth:graph-user' │ MSAL or Graph auth library 'graph-agent' │ 'auth:graph-agent' │ Azure app authentication STORAGE FORMAT: - Raw string value (plaintext) - Example: localStorage['auth:pb-user'] = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." - No serialization, just direct token string storage PERSISTENCE: - localStorage persists until: * User manually clears browser data * JavaScript calls localStorage.removeItem(key) * Session expires (no automatic expiry in this module) - Survives page refreshes and browser restarts (within same origin) ================================================================================ RETRIEVAL METHODS (HOW TO GET TOKENS BACK) ================================================================================ METHOD 1: Direct Retrieval ───────────────────────── Auth.getToken('pb-user') Returns: string | null - Returns the token string if found - Returns null if token was never set or was cleared Usage Example: const pbToken = Auth.getToken('pb-user'); if (pbToken) { // Use token in API call fetch('/api/users', { headers: { 'Authorization': `Bearer ${pbToken}` } }); } Method Signature (TypeScript): getToken(type: TokenType): string | null Internal Implementation: 1. Accepts token type: 'pb-user', 'pb-agent', 'graph-user', or 'graph-agent' 2. Looks up storage key from TOKEN_STORAGE_KEYS map 3. Calls localStorage.getItem(key) 4. Returns result (string or null) ──────────────────────────────────────────────────────────────────────────── METHOD 2: Set Token (Store for Later Retrieval) ─────────────────────────────────────────────── Auth.setToken('pb-user', 'token-string-here') Usage: When you receive a token from external auth system // After PocketBase login: const pbAuth = await pb.collection('users').authWithPassword(email, pass); Auth.setToken('pb-user', pbAuth.token); // Now stored for later use Method Signature (TypeScript): setToken(type: TokenType, token: string | null): void Internal Implementation: 1. Accepts token type and token string 2. Looks up storage key 3. If token is provided: localStorage.setItem(key, token) 4. If token is null: localStorage.removeItem(key) ──────────────────────────────────────────────────────────────────────────── METHOD 3: Clear Individual Token ──────────────────────────────── Auth.clearToken('pb-user') Removes one token from storage. Method Signature (TypeScript): clearToken(type: TokenType): void Internal Implementation: Calls setToken(type, null) which removes the item Usage: On logout or when token expires Auth.clearToken('pb-user'); // PocketBase token removed ──────────────────────────────────────────────────────────────────────────── METHOD 4: Clear All Tokens ────────────────────────── Auth.clearAllTokens() Removes all stored tokens (all 4 types) in one call. Method Signature (TypeScript): clearAllTokens(): void Internal Implementation: Iterates through all TOKEN_STORAGE_KEYS Calls localStorage.removeItem() for each key Usage: On complete logout Auth.clearAllTokens(); // All tokens removed ──────────────────────────────────────────────────────────────────────────── METHOD 5: Configuration & Setup ──────────────────────────────── await Auth.configure('pb+graph', { pbUrl: 'http://localhost:8090' }) Initializes the auth module with: - Which patterns to enable ('pb', 'graph', 'pb+graph') - Optional config (PocketBase URL, Graph API URL) Method Signature (TypeScript): async configure(patternString: string, config?: AuthConfig): Promise Internal Implementation: 1. Parses pattern string into array of token types 2. Stores pattern for validation 3. If pattern includes 'pb' tokens: initializes PocketBase SDK 4. If PocketBase library not loaded: throws error CRITICAL: PocketBase must be loaded via