@industream/hub-auth

Frontend connector for the Industream Hub shared authentication. Loads the Hub login bridge, resolves access tokens through the cross-origin SharedWorker, and injects Authorization: Bearer <token> on API calls — so any app (Angular, Svelte, React, vanilla) integrates the Hub auth the same way and stops getting 401s.

Extracted from the proven flowmaker / datacatalog-ui integration. Replaces the copy-pasted hub.service.ts + token.service.ts + withBearer in each app.

Why

Apps live on sibling subdomains (flowmaker.…, datacatalog-ui.…). They can't share JS state, so the Hub exposes a SharedWorker + bridge iframe served by the menu origin. Each app:

1. dynamically imports /industream-login.js from the Hub origin,
2. reads the shared session via the bridge,
3. attaches the bearer to its own API calls.

This package wraps all three.

Install

npm i @industream/hub-auth

@angular/* and rxjs are optional peers — only needed for /angular.

Framework-agnostic

import { HubService, TokenService, withBearer } from '@industream/hub-auth';

const tokens = new TokenService(new HubService({ hubOrigin: cfg.industreamHubOrigin }));

// any fetch-based client:
const res = await withBearer(tokens)('https://datacatalog-api.example/asset-dictionaries');

// or hand the wrapped fetch to a generated client:
const client = new DataCatalogClient({ baseUrl, fetch: withBearer(tokens) });

Angular

import { provideHttpClient, withInterceptors } from '@angular/common/http';
import { provideIndustreamHubAuth, hubBearerInterceptor } from '@industream/hub-auth/angular';

export const appConfig = {
  providers: [
    provideIndustreamHubAuth({ hubOrigin: environment.industreamHubOrigin }),
    provideHttpClient(withInterceptors([hubBearerInterceptor])),
  ],
};

Notes

• getToken() returns null in standalone/dev mode (no Hub origin) so apps keep working unauthenticated.
• The token is resolved per request, so silent refreshes are picked up.
• The matching backend validator is Industream.Hub.Authentication (NuGet).