Merge pull request #53522 from nextcloud/backport/53326/stable31

[stable31] fix: refactor request token handling and do not update with invalid result
2026-04-05 00:56:16 -04:00 · 2025-06-17 01:05:17 +02:00 · 2025-06-17 01:05:17 +02:00 · 6356a0fe46
commit 6356a0fe46
parent 1a7ff4b75b 4f3d3d32fd
24 changed files with 853 additions and 367 deletions
--- a/core/js/tests/specHelper.js
+++ b/core/js/tests/specHelper.js
@ -85,6 +85,9 @@ window._oc_appswebroots = {
 	"files": window.webroot + '/apps/files/',
 	"files_sharing": window.webroot + '/apps/files_sharing/'
 };
+
+window.OC ??= {};
+
 OC.config = {
 	session_lifetime: 600 * 1000,
 	session_keepalive: false,
@ -111,6 +114,10 @@ window.Snap.prototype = {

 window.isPhantom = /phantom/i.test(navigator.userAgent);
 document.documentElement.lang = navigator.language;
+const el = document.createElement('input');
+el.id = 'initial-state-core-config';
+el.value = btoa(JSON.stringify(window.OC.config))
+document.body.append(el);

 // global setup for all tests
 (function setupTests() {
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@ -119,93 +119,6 @@ describe('Core base tests', function() {
 			})).toEqual('number=123');
 		});
 	});
-	describe('Session heartbeat', function() {
-		var clock,
-			oldConfig,
-			counter;
-
-		beforeEach(function() {
-			clock = sinon.useFakeTimers();
-			oldConfig = OC.config;
-			counter = 0;
-
-			fakeServer.autoRespond = true;
-			fakeServer.autoRespondAfter = 0;
-			fakeServer.respondWith(/\/csrftoken/, function(xhr) {
-				counter++;
-				xhr.respond(200, {'Content-Type': 'application/json'}, '{"token": "pgBEsb3MzTb1ZPd2mfDZbQ6/0j3OrXHMEZrghHcOkg8=:3khw5PSa+wKQVo4f26exFD3nplud9ECjJ8/Y5zk5/k4="}');
-			});
-			$(document).off('ajaxComplete'); // ignore previously registered heartbeats
-		});
-		afterEach(function() {
-			clock.restore();
-			/* jshint camelcase: false */
-			OC.config = oldConfig;
-			$(document).off('ajaxError');
-			$(document).off('ajaxComplete');
-		});
-		it('sends heartbeat half the session lifetime when heartbeat enabled', function() {
-			/* jshint camelcase: false */
-			OC.config = {
-				session_keepalive: true,
-				session_lifetime: 300
-			};
-			window.initCore();
-
-			expect(counter).toEqual(0);
-
-			// less than half, still nothing
-			clock.tick(100 * 1000);
-			expect(counter).toEqual(0);
-
-			// reach past half (160), one call
-			clock.tick(55 * 1000);
-			expect(counter).toEqual(1);
-
-			// almost there to the next, still one
-			clock.tick(140 * 1000);
-			expect(counter).toEqual(1);
-
-			// past it, second call
-			clock.tick(20 * 1000);
-			expect(counter).toEqual(2);
-		});
-		it('does not send heartbeat when heartbeat disabled', function() {
-			/* jshint camelcase: false */
-			OC.config = {
-				session_keepalive: false,
-				session_lifetime: 300
-			};
-			window.initCore();
-
-			expect(counter).toEqual(0);
-
-			clock.tick(1000000);
-
-			// still nothing
-			expect(counter).toEqual(0);
-		});
-		it('limits the heartbeat between one minute and one day', function() {
-			/* jshint camelcase: false */
-			var setIntervalStub = sinon.stub(window, 'setInterval');
-			OC.config = {
-				session_keepalive: true,
-				session_lifetime: 5
-			};
-			window.initCore();
-			expect(setIntervalStub.getCall(0).args[1]).toEqual(60 * 1000);
-			setIntervalStub.reset();
-
-			OC.config = {
-				session_keepalive: true,
-				session_lifetime: 48 * 3600
-			};
-			window.initCore();
-			expect(setIntervalStub.getCall(0).args[1]).toEqual(24 * 3600 * 1000);
-
-			setIntervalStub.restore();
-		});
-	});
 	describe('Parse query string', function() {
 		it('Parses query string from full URL', function() {
 			var query = OC.parseQueryString('http://localhost/stuff.php?q=a&b=x');
--- a/core/src/OC/eventsource.js
+++ b/core/src/OC/eventsource.js
@ -7,7 +7,7 @@
 /* eslint-disable */
 import $ from 'jquery'

-import { getToken } from './requesttoken.js'
+import { getToken } from './requesttoken.ts'

 /**
 * Create a new event source
--- a/core/src/OC/index.js
+++ b/core/src/OC/index.js
@ -49,9 +49,7 @@ import {
 	getPort,
 	getProtocol,
 } from './host.js'
-import {
-	getToken as getRequestToken,
-} from './requesttoken.js'
+import { getRequestToken } from './requesttoken.ts'
 import {
 	hideMenus,
 	registerMenu,
--- a/core/src/OC/requesttoken.js
+++ b/core/src/OC/requesttoken.js
@ -1,39 +0,0 @@
-/**
- * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-
-import { emit } from '@nextcloud/event-bus'
-
-/**
- * @private
- * @param {Document} global the document to read the initial value from
- * @param {Function} emit the function to invoke for every new token
- * @return {object}
- */
-export const manageToken = (global, emit) => {
-	let token = global.getElementsByTagName('head')[0].getAttribute('data-requesttoken')
-
-	return {
-		getToken: () => token,
-		setToken: newToken => {
-			token = newToken
-
-			emit('csrf-token-update', {
-				token,
-			})
-		},
-	}
-}
-
-const manageFromDocument = manageToken(document, emit)
-
-/**
- * @return {string}
- */
-export const getToken = manageFromDocument.getToken
-
-/**
- * @param {string} newToken new token
- */
-export const setToken = manageFromDocument.setToken
--- a/core/src/OC/requesttoken.ts
+++ b/core/src/OC/requesttoken.ts
@ -0,0 +1,49 @@
+/**
+ * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { emit } from '@nextcloud/event-bus'
+import { generateUrl } from '@nextcloud/router'
+
+/**
+ * Get the current CSRF token.
+ */
+export function getRequestToken(): string {
+	return document.head.dataset.requesttoken!
+}
+
+/**
+ * Set a new CSRF token (e.g. because of session refresh).
+ * This also emits an event bus event for the updated token.
+ *
+ * @param token - The new token
+ * @fires Error - If the passed token is not a potential valid token
+ */
+export function setRequestToken(token: string): void {
+	if (!token || typeof token !== 'string') {
+		throw new Error('Invalid CSRF token given', { cause: { token } })
+	}
+
+	document.head.dataset.requesttoken = token
+	emit('csrf-token-update', { token })
+}
+
+/**
+ * Fetch the request token from the API.
+ * This does also set it on the current context, see `setRequestToken`.
+ *
+ * @fires Error - If the request failed
+ */
+export async function fetchRequestToken(): Promise<string> {
+	const url = generateUrl('/csrftoken')
+
+	const response = await fetch(url)
+	if (!response.ok) {
+		throw new Error('Could not fetch CSRF token from API', { cause: response })
+	}
+
+	const { token } = await response.json()
+	setRequestToken(token)
+	return token
+}
--- a/core/src/globals.js
+++ b/core/src/globals.js
@ -29,7 +29,7 @@ import 'strengthify/strengthify.css'
 import OC from './OC/index.js'
 import OCP from './OCP/index.js'
 import OCA from './OCA/index.js'
-import { getToken as getRequestToken } from './OC/requesttoken.js'
+import { getRequestToken } from './OC/requesttoken.ts'

 const warnIfNotTesting = function() {
 	if (window.TESTING === undefined) {
--- a/core/src/init.js
+++ b/core/src/init.js
@ -8,8 +8,8 @@ import _ from 'underscore'
 import $ from 'jquery'
 import moment from 'moment'

-import { initSessionHeartBeat } from './session-heartbeat.js'
 import OC from './OC/index.js'
+import { initSessionHeartBeat } from './session-heartbeat.ts'
 import { setUp as setUpContactsMenu } from './components/ContactsMenu.js'
 import { setUp as setUpMainMenu } from './components/MainMenu.js'
 import { setUp as setUpUserMenu } from './components/UserMenu.js'
--- a/core/src/install.js
+++ b/core/src/install.js
@ -7,7 +7,7 @@ import $ from 'jquery'
 import { translate as t } from '@nextcloud/l10n'
 import { linkTo } from '@nextcloud/router'

-import { getToken } from './OC/requesttoken.js'
+import { getRequestToken } from './OC/requesttoken.ts'
 import getURLParameter from './Util/get-url-parameter.js'

 import './jquery/showpassword.js'
@ -140,7 +140,7 @@ window.addEventListener('DOMContentLoaded', function() {
 			t('core', 'Strong password'),
 		],
 		drawTitles: true,
-		nonce: btoa(getToken()),
+		nonce: btoa(getRequestToken()),
 	})

 	$('#dbpass').showPassword().keyup()
--- a/core/src/jquery/requesttoken.js
+++ b/core/src/jquery/requesttoken.js
@ -5,11 +5,11 @@

 import $ from 'jquery'

-import { getToken } from '../OC/requesttoken.js'
+import { getRequestToken } from '../OC/requesttoken.ts'

 $(document).on('ajaxSend', function(elm, xhr, settings) {
 	if (settings.crossDomain === false) {
-		xhr.setRequestHeader('requesttoken', getToken())
+		xhr.setRequestHeader('requesttoken', getRequestToken())
 		xhr.setRequestHeader('OCS-APIREQUEST', 'true')
 	}
 })
--- a/core/src/session-heartbeat.js
+++ b/core/src/session-heartbeat.js
@ -1,168 +0,0 @@
-/**
- * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-
-import $ from 'jquery'
-import { emit } from '@nextcloud/event-bus'
-import { loadState } from '@nextcloud/initial-state'
-import { getCurrentUser } from '@nextcloud/auth'
-import { generateUrl } from '@nextcloud/router'
-
-import OC from './OC/index.js'
-import { setToken as setRequestToken, getToken as getRequestToken } from './OC/requesttoken.js'
-
-let config = null
-/**
- * The legacy jsunit tests overwrite OC.config before calling initCore
- * therefore we need to wait with assigning the config fallback until initCore calls initSessionHeartBeat
- */
-const loadConfig = () => {
-	try {
-		config = loadState('core', 'config')
-	} catch (e) {
-		// This fallback is just for our legacy jsunit tests since we have no way to mock loadState calls
-		config = OC.config
-	}
-}
-
-/**
- * session heartbeat (defaults to enabled)
- *
- * @return {boolean}
- */
-const keepSessionAlive = () => {
-	return config.session_keepalive === undefined
-		|| !!config.session_keepalive
-}
-
-/**
- * get interval in seconds
- *
- * @return {number}
- */
-const getInterval = () => {
-	let interval = NaN
-	if (config.session_lifetime) {
-		interval = Math.floor(config.session_lifetime / 2)
-	}
-
-	// minimum one minute, max 24 hours, default 15 minutes
-	return Math.min(
-		24 * 3600,
-		Math.max(
-			60,
-			isNaN(interval) ? 900 : interval,
-		),
-	)
-}
-
-const getToken = async () => {
-	const url = generateUrl('/csrftoken')
-
-	// Not using Axios here as Axios is not stubbable with the sinon fake server
-	// see https://stackoverflow.com/questions/41516044/sinon-mocha-test-with-async-ajax-calls-didnt-return-promises
-	// see js/tests/specs/coreSpec.js for the tests
-	const resp = await $.get(url)
-
-	return resp.token
-}
-
-const poll = async () => {
-	try {
-		const token = await getToken()
-		setRequestToken(token)
-	} catch (e) {
-		console.error('session heartbeat failed', e)
-	}
-}
-
-const startPolling = () => {
-	const interval = setInterval(poll, getInterval() * 1000)
-
-	console.info('session heartbeat polling started')
-
-	return interval
-}
-
-const registerAutoLogout = () => {
-	if (!config.auto_logout || !getCurrentUser()) {
-		return
-	}
-
-	let lastActive = Date.now()
-	window.addEventListener('mousemove', e => {
-		lastActive = Date.now()
-		localStorage.setItem('lastActive', lastActive)
-	})
-
-	window.addEventListener('touchstart', e => {
-		lastActive = Date.now()
-		localStorage.setItem('lastActive', lastActive)
-	})
-
-	window.addEventListener('storage', e => {
-		if (e.key !== 'lastActive') {
-			return
-		}
-		lastActive = e.newValue
-	})
-
-	let intervalId = 0
-	const logoutCheck = () => {
-		const timeout = Date.now() - config.session_lifetime * 1000
-		if (lastActive < timeout) {
-			clearTimeout(intervalId)
-			console.info('Inactivity timout reached, logging out')
-			const logoutUrl = generateUrl('/logout') + '?requesttoken=' + encodeURIComponent(getRequestToken())
-			window.location = logoutUrl
-		}
-	}
-	intervalId = setInterval(logoutCheck, 1000)
-}
-
-/**
- * Calls the server periodically to ensure that session and CSRF
- * token doesn't expire
- */
-export const initSessionHeartBeat = () => {
-	loadConfig()
-
-	registerAutoLogout()
-
-	if (!keepSessionAlive()) {
-		console.info('session heartbeat disabled')
-		return
-	}
-	let interval = startPolling()
-
-	window.addEventListener('online', async () => {
-		console.info('browser is online again, resuming heartbeat')
-		interval = startPolling()
-		try {
-			await poll()
-			console.info('session token successfully updated after resuming network')
-
-			// Let apps know we're online and requests will have the new token
-			emit('networkOnline', {
-				success: true,
-			})
-		} catch (e) {
-			console.error('could not update session token after resuming network', e)
-
-			// Let apps know we're online but requests might have an outdated token
-			emit('networkOnline', {
-				success: false,
-			})
-		}
-	})
-	window.addEventListener('offline', () => {
-		console.info('browser is offline, stopping heartbeat')
-
-		// Let apps know we're offline
-		emit('networkOffline', {})
-
-		clearInterval(interval)
-		console.info('session heartbeat polling stopped')
-	})
-}
--- a/core/src/session-heartbeat.ts
+++ b/core/src/session-heartbeat.ts
@ -0,0 +1,158 @@
+/**
+ * SPDX-FileCopyrightText: 2019 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { emit } from '@nextcloud/event-bus'
+import { loadState } from '@nextcloud/initial-state'
+import { getCurrentUser } from '@nextcloud/auth'
+import { generateUrl } from '@nextcloud/router'
+import {
+	fetchRequestToken,
+	getRequestToken,
+} from './OC/requesttoken.ts'
+import logger from './logger.js'
+
+interface OcJsConfig {
+	auto_logout: boolean
+	session_keepalive: boolean
+	session_lifetime: number
+}
+
+// This is always set, exception would be e.g. error pages where this is undefined
+const {
+	auto_logout: autoLogout,
+	session_keepalive: keepSessionAlive,
+	session_lifetime: sessionLifetime,
+} = loadState<Partial<OcJsConfig>>('core', 'config', {})
+
+/**
+ * Calls the server periodically to ensure that session and CSRF
+ * token doesn't expire
+ */
+export function initSessionHeartBeat() {
+	registerAutoLogout()
+
+	if (!keepSessionAlive) {
+		logger.info('Session heartbeat disabled')
+		return
+	}
+
+	let interval = startPolling()
+	window.addEventListener('online', async () => {
+		logger.info('Browser is online again, resuming heartbeat')
+
+		interval = startPolling()
+		try {
+			await poll()
+			logger.info('Session token successfully updated after resuming network')
+
+			// Let apps know we're online and requests will have the new token
+			emit('networkOnline', {
+				success: true,
+			})
+		} catch (error) {
+			logger.error('could not update session token after resuming network', { error })
+
+			// Let apps know we're online but requests might have an outdated token
+			emit('networkOnline', {
+				success: false,
+			})
+		}
+	})
+
+	window.addEventListener('offline', () => {
+		logger.info('Browser is offline, stopping heartbeat')
+
+		// Let apps know we're offline
+		emit('networkOffline', {})
+
+		clearInterval(interval)
+		logger.info('Session heartbeat polling stopped')
+	})
+}
+
+/**
+ * Get interval in seconds
+ */
+function getInterval(): number {
+	const interval = sessionLifetime
+		? Math.floor(sessionLifetime / 2)
+		: 900
+
+	// minimum one minute, max 24 hours, default 15 minutes
+	return Math.min(
+		24 * 3600,
+		Math.max(
+			60,
+			interval,
+		),
+	)
+}
+
+/**
+ * Poll the CSRF token for changes.
+ * This will also extend the current session if needed.
+ */
+async function poll() {
+	try {
+		await fetchRequestToken()
+	} catch (error) {
+		logger.error('session heartbeat failed', { error })
+	}
+}
+
+/**
+ * Start an window interval with the polling as the callback.
+ *
+ * @return The interval id
+ */
+function startPolling(): number {
+	const interval = window.setInterval(poll, getInterval() * 1000)
+
+	logger.info('session heartbeat polling started')
+	return interval
+}
+
+/**
+ * If enabled this will register event listeners to track if a user is active.
+ * If not the user will be automatically logged out after the configured IDLE time.
+ */
+function registerAutoLogout() {
+	if (!autoLogout || !getCurrentUser()) {
+		return
+	}
+
+	let lastActive = Date.now()
+	window.addEventListener('mousemove', () => {
+		lastActive = Date.now()
+		localStorage.setItem('lastActive', JSON.stringify(lastActive))
+	})
+
+	window.addEventListener('touchstart', () => {
+		lastActive = Date.now()
+		localStorage.setItem('lastActive', JSON.stringify(lastActive))
+	})
+
+	window.addEventListener('storage', (event) => {
+		if (event.key !== 'lastActive') {
+			return
+		}
+		if (event.newValue === null) {
+			return
+		}
+		lastActive = JSON.parse(event.newValue)
+	})
+
+	let intervalId = 0
+	const logoutCheck = () => {
+		const timeout = Date.now() - (sessionLifetime ?? 86400) * 1000
+		if (lastActive < timeout) {
+			clearTimeout(intervalId)
+			logger.info('Inactivity timout reached, logging out')
+			const logoutUrl = generateUrl('/logout') + '?requesttoken=' + encodeURIComponent(getRequestToken())
+			window.location.href = logoutUrl
+		}
+	}
+	intervalId = window.setInterval(logoutCheck, 1000)
+}
--- a/core/src/tests/OC/requesttoken.spec.js
+++ b/core/src/tests/OC/requesttoken.spec.js
@ -1,44 +0,0 @@
-/**
- * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-
-import { beforeEach, describe, expect, test, vi } from 'vitest'
-import { manageToken, setToken } from '../../OC/requesttoken.js'
-
-const eventbus = vi.hoisted(() => ({ emit: vi.fn() }))
-vi.mock('@nextcloud/event-bus', () => eventbus)
-
-describe('request token', () => {
-
-	let emit
-	let manager
-	const token = 'abc123'
-
-	beforeEach(() => {
-		emit = vi.fn()
-		const head = window.document.getElementsByTagName('head')[0]
-		head.setAttribute('data-requesttoken', token)
-
-		manager = manageToken(window.document, emit)
-	})
-
-	test('reads the token from the document', () => {
-		expect(manager.getToken()).toBe('abc123')
-	})
-
-	test('remembers the updated token', () => {
-		manager.setToken('bca321')
-
-		expect(manager.getToken()).toBe('bca321')
-	})
-
-	describe('@nextcloud/auth integration', () => {
-		test('fires off an event for @nextcloud/auth', () => {
-			setToken('123')
-
-			expect(eventbus.emit).toHaveBeenCalledWith('csrf-token-update', { token: '123' })
-		})
-	})
-
-})
--- a/core/src/tests/OC/requesttoken.spec.ts
+++ b/core/src/tests/OC/requesttoken.spec.ts
@ -0,0 +1,147 @@
+/**
+ * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { setupServer } from 'msw/node'
+import { http, HttpResponse } from 'msw'
+import { beforeAll, beforeEach, describe, expect, it, vi } from 'vitest'
+import { fetchRequestToken, getRequestToken, setRequestToken } from '../../OC/requesttoken.ts'
+
+const eventbus = vi.hoisted(() => ({ emit: vi.fn() }))
+vi.mock('@nextcloud/event-bus', () => eventbus)
+
+const server = setupServer()
+
+describe('getRequestToken', () => {
+	it('can read the token from DOM', () => {
+		mockToken('tokenmock-123')
+		expect(getRequestToken()).toBe('tokenmock-123')
+	})
+
+	it('can handle missing token', () => {
+		mockToken(undefined)
+		expect(getRequestToken()).toBeUndefined()
+	})
+})
+
+describe('setRequestToken', () => {
+	beforeEach(() => {
+		vi.resetAllMocks()
+	})
+
+	it('does emit an event on change', () => {
+		setRequestToken('new-token')
+		expect(eventbus.emit).toBeCalledTimes(1)
+		expect(eventbus.emit).toBeCalledWith('csrf-token-update', { token: 'new-token' })
+	})
+
+	it('does set the new token to the DOM', () => {
+		setRequestToken('new-token')
+		expect(document.head.dataset.requesttoken).toBe('new-token')
+	})
+
+	it('does remember the new token', () => {
+		mockToken('old-token')
+		setRequestToken('new-token')
+		expect(getRequestToken()).toBe('new-token')
+	})
+
+	it('throws if the token is not a string', () => {
+		// @ts-expect-error mocking
+		expect(() => setRequestToken(123)).toThrowError('Invalid CSRF token given')
+	})
+
+	it('throws if the token is not valid', () => {
+		expect(() => setRequestToken('')).toThrowError('Invalid CSRF token given')
+	})
+
+	it('does not emit an event if the token is not valid', () => {
+		expect(() => setRequestToken('')).toThrowError('Invalid CSRF token given')
+		expect(eventbus.emit).not.toBeCalled()
+	})
+})
+
+describe('fetchRequestToken', () => {
+	const successfullCsrf = http.get('/index.php/csrftoken', () => {
+		return HttpResponse.json({ token: 'new-token' })
+	})
+	const forbiddenCsrf = http.get('/index.php/csrftoken', () => {
+		return HttpResponse.json([], { status: 403 })
+	})
+	const serverErrorCsrf = http.get('/index.php/csrftoken', () => {
+		return HttpResponse.json([], { status: 500 })
+	})
+	const networkErrorCsrf = http.get('/index.php/csrftoken', () => {
+		return new HttpResponse(null, { type: 'error' })
+	})
+
+	beforeAll(() => {
+		server.listen()
+	})
+
+	beforeEach(() => {
+		vi.resetAllMocks()
+	})
+
+	it('correctly parses response', async () => {
+		server.use(successfullCsrf)
+
+		mockToken('oldToken')
+		const token = await fetchRequestToken()
+		expect(token).toBe('new-token')
+	})
+
+	it('sets the token', async () => {
+		server.use(successfullCsrf)
+
+		mockToken('oldToken')
+		await fetchRequestToken()
+		expect(getRequestToken()).toBe('new-token')
+	})
+
+	it('does emit an event', async () => {
+		server.use(successfullCsrf)
+
+		await fetchRequestToken()
+		expect(eventbus.emit).toHaveBeenCalledOnce()
+		expect(eventbus.emit).toBeCalledWith('csrf-token-update', { token: 'new-token' })
+	})
+
+	it('handles 403 error due to invalid cookies', async () => {
+		server.use(forbiddenCsrf)
+
+		mockToken('oldToken')
+		await expect(() => fetchRequestToken()).rejects.toThrowError('Could not fetch CSRF token from API')
+		expect(getRequestToken()).toBe('oldToken')
+	})
+
+	it('handles server error', async () => {
+		server.use(serverErrorCsrf)
+
+		mockToken('oldToken')
+		await expect(() => fetchRequestToken()).rejects.toThrowError('Could not fetch CSRF token from API')
+		expect(getRequestToken()).toBe('oldToken')
+	})
+
+	it('handles network error', async () => {
+		server.use(networkErrorCsrf)
+
+		mockToken('oldToken')
+		await expect(() => fetchRequestToken()).rejects.toThrow()
+		expect(getRequestToken()).toBe('oldToken')
+	})
+})
+
+/**
+ * Mock the request token directly so we can test reading it.
+ *
+ * @param token - The CSRF token to mock
+ */
+function mockToken(token?: string) {
+	if (token === undefined) {
+		delete document.head.dataset.requesttoken
+	} else {
+		document.head.dataset.requesttoken = token
+	}
+}
--- a/core/src/tests/OC/session-heartbeat.spec.ts
+++ b/core/src/tests/OC/session-heartbeat.spec.ts
@ -0,0 +1,123 @@
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { beforeAll, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const requestToken = vi.hoisted(() => ({
+	fetchRequestToken: vi.fn<() => Promise<string>>(),
+	setRequestToken: vi.fn<(token: string) => void>(),
+}))
+vi.mock('../../OC/requesttoken.ts', () => requestToken)
+
+const initialState = vi.hoisted(() => ({ loadState: vi.fn() }))
+vi.mock('@nextcloud/initial-state', () => initialState)
+
+describe('Session heartbeat', () => {
+	beforeAll(() => {
+		vi.useFakeTimers()
+	})
+
+	beforeEach(() => {
+		vi.clearAllTimers()
+		vi.resetModules()
+		vi.resetAllMocks()
+	})
+
+	it('sends heartbeat half the session lifetime when heartbeat enabled', async () => {
+		initialState.loadState.mockImplementationOnce(() => ({
+			session_keepalive: true,
+			session_lifetime: 300,
+		}))
+
+		const { initSessionHeartBeat } = await import('../../session-heartbeat.ts')
+		initSessionHeartBeat()
+
+		// initial state loaded
+		expect(initialState.loadState).toBeCalledWith('core', 'config', {})
+
+		// less than half, still nothing
+		await vi.advanceTimersByTimeAsync(100 * 1000)
+		expect(requestToken.fetchRequestToken).not.toBeCalled()
+
+		// reach past half, one call
+		await vi.advanceTimersByTimeAsync(60 * 1000)
+		expect(requestToken.fetchRequestToken).toBeCalledTimes(1)
+
+		// almost there to the next, still one
+		await vi.advanceTimersByTimeAsync(135 * 1000)
+		expect(requestToken.fetchRequestToken).toBeCalledTimes(1)
+
+		// past it, second call
+		await vi.advanceTimersByTimeAsync(5 * 1000)
+		expect(requestToken.fetchRequestToken).toBeCalledTimes(2)
+	})
+
+	it('does not send heartbeat when heartbeat disabled', async () => {
+		initialState.loadState.mockImplementationOnce(() => ({
+			session_keepalive: false,
+			session_lifetime: 300,
+		}))
+
+		const { initSessionHeartBeat } = await import('../../session-heartbeat.ts')
+		initSessionHeartBeat()
+
+		// initial state loaded
+		expect(initialState.loadState).toBeCalledWith('core', 'config', {})
+
+		// less than half, still nothing
+		await vi.advanceTimersByTimeAsync(100 * 1000)
+		expect(requestToken.fetchRequestToken).not.toBeCalled()
+
+		// more than one, still nothing
+		await vi.advanceTimersByTimeAsync(300 * 1000)
+		expect(requestToken.fetchRequestToken).not.toBeCalled()
+	})
+
+	it('limit heartbeat to at least one minute', async () => {
+		initialState.loadState.mockImplementationOnce(() => ({
+			session_keepalive: true,
+			session_lifetime: 55,
+		}))
+
+		const { initSessionHeartBeat } = await import('../../session-heartbeat.ts')
+		initSessionHeartBeat()
+
+		// initial state loaded
+		expect(initialState.loadState).toBeCalledWith('core', 'config', {})
+
+		// 30 / 55 seconds
+		await vi.advanceTimersByTimeAsync(30 * 1000)
+		expect(requestToken.fetchRequestToken).not.toBeCalled()
+
+		// 59 / 55 seconds should not be called except it does not limit
+		await vi.advanceTimersByTimeAsync(29 * 1000)
+		expect(requestToken.fetchRequestToken).not.toBeCalled()
+
+		// now one minute has passed
+		await vi.advanceTimersByTimeAsync(1000)
+		expect(requestToken.fetchRequestToken).toHaveBeenCalledOnce()
+	})
+
+	it('limit heartbeat to at least one minute', async () => {
+		initialState.loadState.mockImplementationOnce(() => ({
+			session_keepalive: true,
+			session_lifetime: 50 * 60 * 60,
+		}))
+
+		const { initSessionHeartBeat } = await import('../../session-heartbeat.ts')
+		initSessionHeartBeat()
+
+		// initial state loaded
+		expect(initialState.loadState).toBeCalledWith('core', 'config', {})
+
+		// 23 hours
+		await vi.advanceTimersByTimeAsync(23 * 60 * 60 * 1000)
+		expect(requestToken.fetchRequestToken).not.toBeCalled()
+
+		// one day - it should be called now
+		await vi.advanceTimersByTimeAsync(60 * 60 * 1000)
+		expect(requestToken.fetchRequestToken).toHaveBeenCalledOnce()
+	})
+})
--- a/dist/core-install.js
+++ b/dist/core-install.js
--- a/dist/core-install.js.map
+++ b/dist/core-install.js.map
--- a/dist/core-login.js
+++ b/dist/core-login.js
--- a/dist/core-login.js.map
+++ b/dist/core-login.js.map
--- a/dist/core-main.js
+++ b/dist/core-main.js
--- a/dist/core-main.js.map
+++ b/dist/core-main.js.map
--- a/package-lock.json
+++ b/package-lock.json
@ -141,6 +141,7 @@
        "karma-spec-reporter": "^0.0.36",
        "karma-viewport": "^1.0.9",
        "mime": "^4.0.7",
+        "msw": "^2.10.2",
        "puppeteer": "^24.10.1",
        "raw-loader": "^4.0.2",
        "regextras": "^0.8.0",
@ -2106,6 +2107,47 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/@bundled-es-modules/cookie": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@bundled-es-modules/cookie/-/cookie-2.0.1.tgz",
+      "integrity": "sha512-8o+5fRPLNbjbdGRRmJj3h6Hh1AQJf2dk3qQ/5ZFb+PXkRNiSoMGGUKlsgLfrxneb72axVJyIYji64E2+nNfYyw==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "cookie": "^0.7.2"
+      }
+    },
+    "node_modules/@bundled-es-modules/statuses": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@bundled-es-modules/statuses/-/statuses-1.0.1.tgz",
+      "integrity": "sha512-yn7BklA5acgcBr+7w064fGV+SGIFySjCKpqjcWgBAIfrAkY+4GQTJJHQMeT3V/sgz23VTEVV8TtOmkvJAhFVfg==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "statuses": "^2.0.1"
+      }
+    },
+    "node_modules/@bundled-es-modules/statuses/node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/@bundled-es-modules/tough-cookie": {
+      "version": "0.1.6",
+      "resolved": "https://registry.npmjs.org/@bundled-es-modules/tough-cookie/-/tough-cookie-0.1.6.tgz",
+      "integrity": "sha512-dvMHbL464C0zI+Yqxbz6kZ5TOEp7GLW+pry/RWndAR8MJQAXZ2rPmIs8tziTZjeIyhSNZgZbCePtfSbdWqStJw==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "@types/tough-cookie": "^4.0.5",
+        "tough-cookie": "^4.1.4"
+      }
+    },
    "node_modules/@buttercup/fetch": {
      "version": "0.2.1",
      "resolved": "https://registry.npmjs.org/@buttercup/fetch/-/fetch-0.2.1.tgz",
@ -3178,6 +3220,112 @@
      "license": "BSD-3-Clause",
      "peer": true
    },
+    "node_modules/@inquirer/confirm": {
+      "version": "5.1.12",
+      "resolved": "https://registry.npmjs.org/@inquirer/confirm/-/confirm-5.1.12.tgz",
+      "integrity": "sha512-dpq+ielV9/bqgXRUbNH//KsY6WEw9DrGPmipkpmgC1Y46cwuBTNx7PXFWTjc3MQ+urcc0QxoVHcMI0FW4Ok0hg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^10.1.13",
+        "@inquirer/type": "^3.0.7"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/core": {
+      "version": "10.1.13",
+      "resolved": "https://registry.npmjs.org/@inquirer/core/-/core-10.1.13.tgz",
+      "integrity": "sha512-1viSxebkYN2nJULlzCxES6G9/stgHSepZ9LqqfdIGPHj5OHhiBUXVS0a6R0bEC2A+VL4D9w6QB66ebCr6HGllA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/figures": "^1.0.12",
+        "@inquirer/type": "^3.0.7",
+        "ansi-escapes": "^4.3.2",
+        "cli-width": "^4.1.0",
+        "mute-stream": "^2.0.0",
+        "signal-exit": "^4.1.0",
+        "wrap-ansi": "^6.2.0",
+        "yoctocolors-cjs": "^2.1.2"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/core/node_modules/signal-exit": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
+      "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/@inquirer/core/node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/@inquirer/figures": {
+      "version": "1.0.12",
+      "resolved": "https://registry.npmjs.org/@inquirer/figures/-/figures-1.0.12.tgz",
+      "integrity": "sha512-MJttijd8rMFcKJC8NYmprWr6hD3r9Gd9qUC0XwPNwoEPWSMVJwA2MlXxF+nhZZNMY+HXsWa+o7KY2emWYIn0jQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@inquirer/type": {
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/@inquirer/type/-/type-3.0.7.tgz",
+      "integrity": "sha512-PfunHQcjwnju84L+ycmcMKB/pTPIngjUJvfnRhKY6FKPuYXlM4aQCb/nIdTFR6BEhMjFvngzvng/vBAJMZpLSA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
    "node_modules/@isaacs/cliui": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
@ -3565,6 +3713,24 @@
      "integrity": "sha512-WQ2gDll12T9WD34fdRFgQVgO8bag3gavrAgJ0frN4phlwdJARpE6gO1YvLEMJR0KKgoc+/Ea/A0Pp11I00xBvw==",
      "license": "Apache-2.0"
    },
+    "node_modules/@mswjs/interceptors": {
+      "version": "0.39.2",
+      "resolved": "https://registry.npmjs.org/@mswjs/interceptors/-/interceptors-0.39.2.tgz",
+      "integrity": "sha512-RuzCup9Ct91Y7V79xwCb146RaBRHZ7NBbrIUySumd1rpKqHL5OonaqrGIbug5hNwP/fRyxFMA6ISgw4FTtYFYg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@open-draft/deferred-promise": "^2.2.0",
+        "@open-draft/logger": "^0.3.0",
+        "@open-draft/until": "^2.0.0",
+        "is-node-process": "^1.2.0",
+        "outvariant": "^1.4.3",
+        "strict-event-emitter": "^0.5.1"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
    "node_modules/@nextcloud/auth": {
      "version": "2.5.1",
      "resolved": "https://registry.npmjs.org/@nextcloud/auth/-/auth-2.5.1.tgz",
@ -4326,6 +4492,31 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/@open-draft/deferred-promise": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@open-draft/deferred-promise/-/deferred-promise-2.2.0.tgz",
+      "integrity": "sha512-CecwLWx3rhxVQF6V4bAgPS5t+So2sTbPgAzafKkVizyi7tlwpcFpdFqq+wqF2OwNBmqFuu6tOyouTuxgpMfzmA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@open-draft/logger": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/@open-draft/logger/-/logger-0.3.0.tgz",
+      "integrity": "sha512-X2g45fzhxH238HKO4xbSr7+wBS8Fvw6ixhTDuvLd5mqh6bJJCFAPwU9mPDxbcrRtfxv4u5IHCEH77BmxvXmmxQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "is-node-process": "^1.2.0",
+        "outvariant": "^1.4.0"
+      }
+    },
+    "node_modules/@open-draft/until": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@open-draft/until/-/until-2.1.0.tgz",
+      "integrity": "sha512-U69T3ItWHvLwGg5eJ0n3I62nWuE6ilHlmz7zM0npLBRvPRd7e6NYmg54vvRtP5mZG7kZqZCFVdsTWo7BPtBujg==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/@parcel/watcher": {
      "version": "2.5.0",
      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.0.tgz",
@ -6113,12 +6304,26 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/@types/statuses": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/@types/statuses/-/statuses-2.0.6.tgz",
+      "integrity": "sha512-xMAgYwceFhRA2zY+XbEA7mxYbA093wdiW8Vu6gZPGWy9cmOyU9XesH1tNcEWsKFd5Vzrqx5T3D38PWx1FIIXkA==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/@types/toastify-js": {
      "version": "1.12.4",
      "resolved": "https://registry.npmjs.org/@types/toastify-js/-/toastify-js-1.12.4.tgz",
      "integrity": "sha512-zfZHU4tKffPCnZRe7pjv/eFKzTVHozKewFCKaCjZ4gFinKgJRz/t0bkZiMCXJxPhv/ZoeDGNOeRD09R0kQZ/nw==",
      "license": "MIT"
    },
+    "node_modules/@types/tough-cookie": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/@types/tough-cookie/-/tough-cookie-4.0.5.tgz",
+      "integrity": "sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/@types/trusted-types": {
      "version": "2.0.7",
      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
@ -9134,6 +9339,16 @@
        "url": "https://github.com/sponsors/sindresorhus"
      }
    },
+    "node_modules/cli-width": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/cli-width/-/cli-width-4.1.0.tgz",
+      "integrity": "sha512-ouuZd4/dm2Sw5Gmqy6bGyNNNe1qt9RpmxveLSO7KcgsTnU7RXfsw+/bukWGo1abgBiMAic068rclZsO4IWmmxQ==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": ">= 12"
+      }
+    },
    "node_modules/clipboard": {
      "version": "2.0.11",
      "resolved": "https://registry.npmjs.org/clipboard/-/clipboard-2.0.11.tgz",
@ -14397,6 +14612,16 @@
      "license": "MIT",
      "peer": true
    },
+    "node_modules/graphql": {
+      "version": "16.11.0",
+      "resolved": "https://registry.npmjs.org/graphql/-/graphql-16.11.0.tgz",
+      "integrity": "sha512-mS1lbMsxgQj6hge1XZ6p7GPhbrtFwUFYi3wRzXAC/FmYnyXMTvvI3td3rjmQ2u8ewXueaSvRPWaEcgVVOT9Jnw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
+      }
+    },
    "node_modules/handle-thing": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/handle-thing/-/handle-thing-2.0.1.tgz",
@ -14670,6 +14895,13 @@
        "he": "bin/he"
      }
    },
+    "node_modules/headers-polyfill": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/headers-polyfill/-/headers-polyfill-4.0.3.tgz",
+      "integrity": "sha512-IScLbePpkvO846sIwOtOTDjutRMWdXdJmXdMvk6gCBHxFO8d+QKOQedyZSxFTTFYRSmlgSTDtXqqq4pcenBXLQ==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/highlight.js": {
      "version": "11.11.1",
      "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-11.11.1.tgz",
@ -15599,6 +15831,13 @@
        "url": "https://github.com/sponsors/sindresorhus"
      }
    },
+    "node_modules/is-node-process": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/is-node-process/-/is-node-process-1.2.0.tgz",
+      "integrity": "sha512-Vg4o6/fqPxIjtxgUH5QLJhwZ7gW5diGCVlXpuUfELC62CuxM1iHcRe51f2W1FDy04Ai4KJkagKjx3XaqyfRKXw==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/is-number": {
      "version": "7.0.0",
      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
@ -18507,6 +18746,78 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/msw": {
+      "version": "2.10.2",
+      "resolved": "https://registry.npmjs.org/msw/-/msw-2.10.2.tgz",
+      "integrity": "sha512-RCKM6IZseZQCWcSWlutdf590M8nVfRHG1ImwzOtwz8IYxgT4zhUO0rfTcTvDGiaFE0Rhcc+h43lcF3Jc9gFtwQ==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "dependencies": {
+        "@bundled-es-modules/cookie": "^2.0.1",
+        "@bundled-es-modules/statuses": "^1.0.1",
+        "@bundled-es-modules/tough-cookie": "^0.1.6",
+        "@inquirer/confirm": "^5.0.0",
+        "@mswjs/interceptors": "^0.39.1",
+        "@open-draft/deferred-promise": "^2.2.0",
+        "@open-draft/until": "^2.1.0",
+        "@types/cookie": "^0.6.0",
+        "@types/statuses": "^2.0.4",
+        "graphql": "^16.8.1",
+        "headers-polyfill": "^4.0.2",
+        "is-node-process": "^1.2.0",
+        "outvariant": "^1.4.3",
+        "path-to-regexp": "^6.3.0",
+        "picocolors": "^1.1.1",
+        "strict-event-emitter": "^0.5.1",
+        "type-fest": "^4.26.1",
+        "yargs": "^17.7.2"
+      },
+      "bin": {
+        "msw": "cli/index.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/mswjs"
+      },
+      "peerDependencies": {
+        "typescript": ">= 4.8.x"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/msw/node_modules/@types/cookie": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/@types/cookie/-/cookie-0.6.0.tgz",
+      "integrity": "sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/msw/node_modules/path-to-regexp": {
+      "version": "6.3.0",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz",
+      "integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/msw/node_modules/type-fest": {
+      "version": "4.41.0",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.41.0.tgz",
+      "integrity": "sha512-TeTSQ6H5YHvpqVwBRcnLDCBnDOHWYu7IvGbHT6N8AOymcr9PJGjc1GTtiWZTYg0NCgYwvnYWEkVChQAr9bjfwA==",
+      "dev": true,
+      "license": "(MIT OR CC0-1.0)",
+      "engines": {
+        "node": ">=16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/multicast-dns": {
      "version": "7.2.5",
      "resolved": "https://registry.npmjs.org/multicast-dns/-/multicast-dns-7.2.5.tgz",
@ -18522,6 +18833,16 @@
        "multicast-dns": "cli.js"
      }
    },
+    "node_modules/mute-stream": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-2.0.0.tgz",
+      "integrity": "sha512-WWdIxpyjEn+FhQJQQv9aQAYlHoNVdzIzUySNV1gHUPDSdZJ3yZn7pAAbQcV7B56Mvu881q9FZV+0Vx2xC44VWA==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
    "node_modules/nan": {
      "version": "2.22.0",
      "resolved": "https://registry.npmjs.org/nan/-/nan-2.22.0.tgz",
@ -19158,6 +19479,13 @@
      "dev": true,
      "license": "MIT"
    },
+    "node_modules/outvariant": {
+      "version": "1.4.3",
+      "resolved": "https://registry.npmjs.org/outvariant/-/outvariant-1.4.3.tgz",
+      "integrity": "sha512-+Sl2UErvtsoajRDKCE5/dBz4DIvHXQQnAxtQTF04OJxY0+DyZXSo5P5Bb7XYWOh81syohlYL24hbDwxedPUJCA==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/p-cancelable": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/p-cancelable/-/p-cancelable-4.0.1.tgz",
@ -20408,9 +20736,7 @@
      "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz",
      "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==",
      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "peer": true
+      "license": "MIT"
    },
    "node_modules/public-encrypt": {
      "version": "4.0.3",
@ -23014,6 +23340,13 @@
      "resolved": "git+ssh://git@github.com/nextcloud/strengthify.git#d78452649da2cd59df594a2a5c210cb7045ac899",
      "license": "MIT"
    },
+    "node_modules/strict-event-emitter": {
+      "version": "0.5.1",
+      "resolved": "https://registry.npmjs.org/strict-event-emitter/-/strict-event-emitter-0.5.1.tgz",
+      "integrity": "sha512-vMgjE/GGEPEFnhFub6pa4FmJBRBVOLpIII2hvCZ8Kzb7K0hlHo7mQv6xYrBvCL2LtAIBwFUK8wvuJgTVSQ5MFQ==",
+      "dev": true,
+      "license": "MIT"
+    },
    "node_modules/string_decoder": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
@ -24320,8 +24653,6 @@
      "integrity": "sha512-Loo5UUvLD9ScZ6jh8beX1T6sO1w2/MpCRpEP7V280GKMVUQ0Jzar2U3UJPsrdbziLEMMhu3Ujnq//rhiFuIeag==",
      "dev": true,
      "license": "BSD-3-Clause",
-      "optional": true,
-      "peer": true,
      "dependencies": {
        "psl": "^1.1.33",
        "punycode": "^2.1.1",
@ -24338,8 +24669,6 @@
      "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
      "dev": true,
      "license": "MIT",
-      "optional": true,
-      "peer": true,
      "engines": {
        "node": ">=6"
      }
@ -24350,8 +24679,6 @@
      "integrity": "sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==",
      "dev": true,
      "license": "MIT",
-      "optional": true,
-      "peer": true,
      "engines": {
        "node": ">= 4.0.0"
      }
@ -27496,6 +27823,19 @@
        "url": "https://github.com/sponsors/sindresorhus"
      }
    },
+    "node_modules/yoctocolors-cjs": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/yoctocolors-cjs/-/yoctocolors-cjs-2.1.2.tgz",
+      "integrity": "sha512-cYVsTjKl8b+FrnidjibDWskAv7UKOfcwaVZdp/it9n1s9fU3IkgDbhdIRKCW4JDsAlECJY0ytoVPT3sK6kideA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
    "node_modules/zod": {
      "version": "3.25.64",
      "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.64.tgz",
--- a/package.json
+++ b/package.json
@ -172,6 +172,7 @@
    "karma-spec-reporter": "^0.0.36",
    "karma-viewport": "^1.0.9",
    "mime": "^4.0.7",
+    "msw": "^2.10.2",
    "puppeteer": "^24.10.1",
    "raw-loader": "^4.0.2",
    "regextras": "^0.8.0",
--- a/tsconfig.json
+++ b/tsconfig.json
@ -3,12 +3,13 @@
 	"include": ["./apps/**/*.ts", "./apps/**/*.vue", "./core/**/*.ts", "./core/**/*.vue", "./*.d.ts"],
 	"exclude": ["./**/*.cy.ts"],
 	"compilerOptions": {
+		"lib": ["DOM", "ESNext"],
 		"types": ["node", "vue", "vue-router"],
 		"outDir": "./dist/",
 		"target": "ESNext",
 		"module": "ESNext",
 		// Set module resolution to bundler and `noEmit` to be able to set `allowImportingTsExtensions`, so we can import Typescript with .ts extension
-		"moduleResolution": "Bundler",
+		"moduleResolution": "bundler",
 		"allowImportingTsExtensions": true,
 		"noEmit": true,
 		// Allow ts to import js files