Client/lib/api/marianumconnect/auth/session_validator.dart

import 'dart:developer';

import '../../../model/account_data.dart';
import '../../errors/auth_exception.dart';
import '../queries/auth_logout/auth_logout.dart';
import '../queries/auth_verify/auth_verify.dart';
import 'token_storage.dart';

/// Background credential probe — a server-side password rotation forces a
/// re-login on the next cold start even when the bearer token would still
/// be accepted.
class SessionValidator {
  static Future<void> probeStored({
    required Future<void> Function() onInvalidated,
  }) async {
    if (!AccountData().isPopulated()) return;
    final username = AccountData().getUsername();
    final password = AccountData().getPassword();
    try {
      await AuthVerify().run(username: username, password: password);
    } on AuthException catch (e) {
      if (e.statusCode != 401) return;
      log('MC: stored credentials rejected — forcing re-login');
      await AuthLogout().run();
      await const MarianumConnectTokenStorage().clear();
      await AccountData().removeData();
      await onInvalidated();
    } catch (e) {
      log('MC: background credential check failed (transient): $e');
    }
  }
}