From cc002adbd26efe4388a7e0475e800860715c1b9a Mon Sep 17 00:00:00 2001
From: Horux Dev
Date: Mon, 22 Jun 2026 21:47:13 +0000
Subject: [PATCH] fix: evita logout al cambiar de tenant (race condition refresh token)

---
 apps/api/src/services/auth.service.ts         | 39 ++++++------
 .../web/app/(dashboard)/mis-empresas/page.tsx |  4 ++
 apps/web/components/membership-switcher.tsx   |  4 ++
 apps/web/lib/api/client.ts                    | 59 ++++++++++++++++---
 4 files changed, 80 insertions(+), 26 deletions(-)

diff --git a/apps/api/src/services/auth.service.ts b/apps/api/src/services/auth.service.ts
index b69dbc2..dab22f2 100644
--- a/apps/api/src/services/auth.service.ts
+++ b/apps/api/src/services/auth.service.ts
@@ -590,18 +590,6 @@ export async function switchTenant(params: {
     throw new AppError(404, 'Empresa no encontrada o desactivada');
   }
 
-  // Persiste el target como "último tenant activo" — al re-loguear caerá aquí
-  // sin tener que volver a hacer switch.
-  const previousTenantId = user.lastTenantId;
-  await prisma.user.update({
-    where: { id: user.id },
-    data: { lastTenantId: targetTenant.id },
-  });
-
-  // Invalida el refresh token actual (puede no existir si el caller pasó el
-  // access token por error — deleteMany es idempotente).
-  await prisma.refreshToken.deleteMany({ where: { token: params.currentRefreshToken } });
-
   const [platformRoles, tenants] = await Promise.all([
     getPlatformRoles(user.id),
     getUserTenants(user.id),
@@ -619,13 +607,26 @@ export async function switchTenant(params: {
   const accessToken = generateAccessToken(tokenPayload);
   const refreshToken = generateRefreshToken(tokenPayload);
 
-  await prisma.refreshToken.create({
-    data: {
-      userId: user.id,
-      token: refreshToken,
-      expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
-    },
-  });
+  // Persiste el target como "último tenant activo" y atomiza la rotacion del
+  // refresh token (delete + create) para evitar race conditions con requests
+  // concurrentes que intenten refrescar con el token anterior.
+  const previousTenantId = user.lastTenantId;
+  await prisma.$transaction([
+    prisma.user.update({
+      where: { id: user.id },
+      data: { lastTenantId: targetTenant.id },
+    }),
+    // Invalida el refresh token actual (puede no existir si el caller pasó el
+    // access token por error — deleteMany es idempotente).
+    prisma.refreshToken.deleteMany({ where: { token: params.currentRefreshToken } }),
+    prisma.refreshToken.create({
+      data: {
+        userId: user.id,
+        token: refreshToken,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+      },
+    }),
+  ]);
 
   auditLog({
     userId: user.id,
diff --git a/apps/web/app/(dashboard)/mis-empresas/page.tsx b/apps/web/app/(dashboard)/mis-empresas/page.tsx
index c8cf201..832832a 100644
--- a/apps/web/app/(dashboard)/mis-empresas/page.tsx
+++ b/apps/web/app/(dashboard)/mis-empresas/page.tsx
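Review bot: `prisma.refreshToken.deleteMany({ where: { token: params.currentRefreshToken } })` matches on the token string alone, so the row revoked is not necessarily one of this user's; scoping it as `deleteMany({ where: { token: params.currentRefreshToken, userId: user.id } })` is free and keeps a caller from spending a token that is not theirs. Wrapping delete and create in one `$transaction` makes the rotation atomic, but whether it closes the race with a concurrent `/auth/refresh` depends on that handler (not shown): a refresh that read the old token before this commit can still succeed, the delete then matches zero rows, and this code issues a second valid pair without noticing — the batch result exposes the count (`const [, revoked] = await prisma.$transaction([...])`), so at least recording `revoked.count` in the audit entry would make that case visible. Both queries also suggest the `token` column holds the raw refresh token; if so, storing a hash and looking up by hash would stop a database read from yielding live sessions. The `7 * 24 * 60 * 60 * 1000` TTL is presumably repeated where login creates its token and belongs in a shared constant. switchTenant's body starts and ends outside this hunk.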
@@ -7,6 +7,7 @@ import { Header } from '@/components/layouts/header';
 import { Card, CardContent, CardHeader, CardTitle, Button, Input, Label, Select, SelectContent, SelectItem, SelectTrigger, SelectValue, Dialog, DialogContent, DialogHeader, DialogTitle, DialogDescription, DialogFooter } from '@horux/shared-ui';
 import { getMyTenants, addMyTenant, type MyTenantDetailed } from '@/lib/api/tenants';
 import { switchTenant } from '@/lib/api/auth';
+import { cancelAllApiRequests } from '@/lib/api/client';
 import { useAuthStore } from '@/stores/auth-store';
 import { formatCurrency } from '@/lib/utils';
 import { Building2, Plus, Crown, ArrowRight, Loader2, AlertCircle, CheckCircle2 } from 'lucide-react';
@@ -61,6 +62,9 @@ export default function MisEmpresasPage() {
       router.push('/dashboard');
       return;
     }
+    // Cancela requests pendientes para evitar que intenten refrescar con el
+    // token que switchTenant va a invalidar.
+    cancelAllApiRequests();
     try {
       const res = await switchTenant(tenantId);
       setTokens(res.accessToken, res.refreshToken);
diff --git a/apps/web/components/membership-switcher.tsx b/apps/web/components/membership-switcher.tsx
index ae8a389..fadb38d 100644
--- a/apps/web/components/membership-switcher.tsx
+++ b/apps/web/components/membership-switcher.tsx
@@ -4,6 +4,7 @@ import { useState, useEffect } from 'react';
 import { useQueryClient } from '@tanstack/react-query';
 import { useAuthStore } from '@/stores/auth-store';
 import { switchTenant } from '@/lib/api/auth';
+import { cancelAllApiRequests } from '@/lib/api/client';
 import { Building2, ChevronDown, Check, Loader2, Crown } from 'lucide-react';
 import { cn } from '@horux/shared-ui';
 import { isGlobalAdminRfc } from '@horux/shared';
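Review bot: The `cancelAllApiRequests()` call added before `switchTenant(tenantId)` only aborts requests that the `apiClient` interceptor registered, so an `/auth/refresh` already in flight (issued with bare `axios.post` in client.ts, outside that tracking) is not cancelled and can still settle with the token `switchTenant` is about to invalidate; the window between this cancel and the `setTokens(...)` that follows is likewise open to any request started in between. Callers whose requests are aborted receive a cancellation error from axios rather than data, so it is worth confirming the React Query hooks on this page treat that as a cancellation and not as a failure to surface to the user. A comment stating the limit would help the next reader: `// Best-effort: aborts tracked apiClient requests only; a refresh already in flight is not covered.` The handler's `try` block continues past the hunk.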
@@ -44,6 +45,9 @@ export function MembershipSwitcher() {
   const handleSwitch = async (tenantId: string) => {
     if (tenantId === user?.tenantId) { setOpen(false); return; }
     setSwitching(true);
+    // Cancela requests pendientes para evitar que intenten refrescar con el
+    // token que switchTenant va a invalidar.
+    cancelAllApiRequests();
     try {
       const res = await switchTenant(tenantId);
       setTokens(res.accessToken, res.refreshToken);
diff --git a/apps/web/lib/api/client.ts b/apps/web/lib/api/client.ts
index e2ef6f8..3a4df81 100644
--- a/apps/web/lib/api/client.ts
+++ b/apps/web/lib/api/client.ts
@@ -7,6 +7,14 @@ export const apiClient = axios.create({
   },
 });
 
+// Lock para refrescos: solo un /auth/refresh puede estar en vuelo a la vez.
+// Cualquier otra peticion 401 espera el resultado del refresh en curso.
+let refreshPromise: Promise<{ accessToken: string; refreshToken: string }> | null = null;
+
+// Controllers de peticiones activas, para poder cancelarlas en operaciones
+// que invalidan el refresh token (ej. cambio de tenant real).
+const activeControllers = new Set();
+
 apiClient.interceptors.request.use((config) => {
   if (typeof window !== 'undefined') {
     const token = localStorage.getItem('accessToken');
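Review bot: `const activeControllers = new Set();` declares no element type, so the set is effectively `Set<any>` and the later `controller.abort()` calls are unchecked; declare it as `const activeControllers = new Set<AbortController>();`. The module-level `refreshPromise` and `activeControllers` are shared by every consumer of `apiClient` across the app, which is what the refresh lock needs, but it also means a cancel issued from one component aborts requests belonging to all of them — a sentence in the comment saying that this is intended would keep a future reader from treating it as a bug. `membership-switcher.tsx` repeats the same pre-switch cancel and comment as `mis-empresas/page.tsx`; if a third switch site appears, folding the cancel into `switchTenant` in `@/lib/api/auth` would keep the call sites from drifting.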
@@ -26,13 +34,30 @@ apiClient.interceptors.request.use((config) => {
         // Ignore parse errors
       }
     }
+
+    // Rastrear controller para cancelacion masiva
+    const controller = new AbortController();
+    config.signal = controller.signal;
+    (config as any)._horuxController = controller;
+    activeControllers.add(controller);
   }
   return config;
 });
 
+function releaseController(config: any) {
+  const controller = config?._horuxController as AbortController | undefined;
+  if (controller) {
+    activeControllers.delete(controller);
+  }
+}
+
 apiClient.interceptors.response.use(
-  (response) => response,
+  (response) => {
+    releaseController(response.config);
+    return response;
+  },
   async (error) => {
+    releaseController(error.config);
     const originalRequest = error.config;
 
     // Rate limit hit. El backend envía { message } — lo preservamos para que los
@@ -67,9 +92,11 @@ apiClient.interceptors.response.use(
     if (error.response?.status === 401 && !originalRequest._retry) {
       originalRequest._retry = true;
 
-      try {
-        const refreshToken = localStorage.getItem('refreshToken');
-        if (refreshToken) {
+      if (!refreshPromise) {
+        refreshPromise = (async () => {
+          const refreshToken = localStorage.getItem('refreshToken');
+          if (!refreshToken) throw new Error('No refresh token');
+
           const response = await axios.post(
             `${process.env.NEXT_PUBLIC_API_URL || 'http://localhost:4000/api'}/auth/refresh`,
             { refreshToken }
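Review bot: `config.signal = controller.signal;` in the request interceptor discards any signal the caller attached to the request, so per-call cancellation (for example a React Query `signal` passed through to axios) stops working once this lands. Link the two instead of overwriting — add `config.signal?.addEventListener?.('abort', () => controller.abort(), { once: true });` immediately before the assignment (or `AbortSignal.any([...])` where the runtime supports it) so both the caller and `cancelAllApiRequests()` can abort the request. The `(config as any)._horuxController` stash and `releaseController(config: any)` could share a small `InternalAxiosRequestConfig & { _horuxController?: AbortController }` type instead of `any`, if the project's axios version exports that type. The `@@ -67,9` hunk on the same line opens the `if (!refreshPromise)` block, which continues into the next hunk.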
@@ -78,17 +105,35 @@ apiClient.interceptors.response.use(
           const { accessToken, refreshToken: newRefreshToken } = response.data;
           localStorage.setItem('accessToken', accessToken);
           localStorage.setItem('refreshToken', newRefreshToken);
+          return { accessToken, refreshToken: newRefreshToken };
+        })().finally(() => {
+          refreshPromise = null;
+        });
+      }
 
-          originalRequest.headers.Authorization = `Bearer ${accessToken}`;
-          return apiClient(originalRequest);
-        }
+      try {
+        const { accessToken } = await refreshPromise;
+        originalRequest.headers.Authorization = `Bearer ${accessToken}`;
+        return apiClient(originalRequest);
       } catch {
         localStorage.removeItem('accessToken');
         localStorage.removeItem('refreshToken');
+        localStorage.removeItem('horux-tenant-view');
         window.location.href = '/login';
+        return Promise.reject(error);
       }
     }
     return Promise.reject(error);
   }
 );
+
+/**
+ * Cancela todas las peticiones activas del apiClient.
+ * Util antes de operaciones que invalidan el refresh token (ej. switch-tenant)
+ * para evitar race conditions entre requests viejas y el nuevo par de tokens.
+ */
+export function cancelAllApiRequests() {
+  activeControllers.forEach((controller) => controller.abort());
+  activeControllers.clear();
+}
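Review bot: The shared refresh started in the previous hunk is the one request `cancelAllApiRequests()` cannot reach — it goes through bare `axios.post`, not `apiClient` — so a refresh in flight when a tenant switch begins can settle after `setTokens` and either overwrite the new pair in `localStorage` with `localStorage.setItem('accessToken', accessToken)` or, if the server has already deleted its token, land in the `catch` below and redirect to `/login`, which is the logout this commit is meant to prevent. Giving the refresh its own tracked `AbortController`, passing its signal to `axios.post`, and refusing to write tokens once it has been aborted closes that gap; the `catch` must then recognize the cancellation (`axios.isCancel(err)`) rather than treating it as a dead session. Separately, that `catch` clears both tokens on any failure of the refresh, including a network error or a 5xx, so a transient outage now logs out every waiter at once; consider reserving the logout for a 401/403 from `/auth/refresh`. The `if (!refreshPromise)` block rewritten below starts in the previous hunk.
```typescript
      if (!refreshPromise) {
        // Tracked like any other request so cancelAllApiRequests() can abort it.
        const refreshController = new AbortController();
        activeControllers.add(refreshController);
        refreshPromise = (async () => {
          const refreshToken = localStorage.getItem('refreshToken');
          if (!refreshToken) throw new Error('No refresh token');

          const response = await axios.post(
            `${process.env.NEXT_PUBLIC_API_URL || 'http://localhost:4000/api'}/auth/refresh`,
            { refreshToken },
            { signal: refreshController.signal }
          );
          const { accessToken, refreshToken: newRefreshToken } = response.data;
          // A refresh cancelled by a tenant switch must not clobber the pair that
          // switch is installing, even if its response already arrived.
          if (refreshController.signal.aborted) throw new axios.CanceledError('refresh cancelled');
          localStorage.setItem('accessToken', accessToken);
          localStorage.setItem('refreshToken', newRefreshToken);
          return { accessToken, refreshToken: newRefreshToken };
        })().finally(() => {
          activeControllers.delete(refreshController);
          refreshPromise = null;
        });
      }

      try {
        const { accessToken } = await refreshPromise;
        originalRequest.headers.Authorization = `Bearer ${accessToken}`;
        return apiClient(originalRequest);
      } catch (err) {
        // A cancelled refresh is not a dead session; surface the cancellation instead.
        if (axios.isCancel(err)) return Promise.reject(err);
        // … unchanged: clear tokens, redirect to /login, reject …
      }
```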