From 83259f64320a5a92902846cbef2f502988fcf484 Mon Sep 17 00:00:00 2001
From: Simon <therealslimv@yahoo.de>
Date: Mon, 23 May 2022 23:34:45 +0200
Subject: [PATCH 01/42] added proxy for local keycloak

---
 proxy.conf.json | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/proxy.conf.json b/proxy.conf.json
index ed34a75bf5..7adc593987 100644
--- a/proxy.conf.json
+++ b/proxy.conf.json
@@ -16,5 +16,14 @@
     "pathRewrite": {
       "^/nextcloud": ""
     }
+  },
+  "/auth": {
+    "target": "http://localhost:8080/realms/myrealm/protocol/openid-connect/token",
+    "secure": true,
+    "logLevel": "debug",
+    "changeOrigin": true,
+    "pathRewrite": {
+      "^/auth": ""
+    }
   }
 }

From a713dcad5e0bdd6d8878f36e40d8a8cadb1de356 Mon Sep 17 00:00:00 2001
From: Simon <therealslimv@yahoo.de>
Date: Mon, 23 May 2022 23:35:45 +0200
Subject: [PATCH 02/42] remote session authorizes against keycloak

---
 .../session/session-service/remote-session.ts | 62 ++++++++++++-------
 1 file changed, 41 insertions(+), 21 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 672d74cec3..6d7fedd28c 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -16,12 +16,17 @@
  */
 import { AppConfig } from "../../app-config/app-config";
 import { Injectable } from "@angular/core";
-import { HttpClient, HttpErrorResponse } from "@angular/common/http";
+import {
+  HttpClient,
+  HttpErrorResponse,
+  HttpHeaders,
+} from "@angular/common/http";
 import { DatabaseUser } from "./local-user";
 import { SessionService } from "./session.service";
 import { LoginState } from "../session-states/login-state.enum";
 import { PouchDatabase } from "../../database/pouch-database";
 import { LoggingService } from "../../logging/logging.service";
+import PouchDB from "pouchdb-browser";
 
 /**
  * Responsibilities:
@@ -46,12 +51,7 @@ export class RemoteSession extends SessionService {
     private loggingService: LoggingService
   ) {
     super();
-    this.database = new PouchDatabase(this.loggingService).initIndexedDB(
-      AppConfig.settings.database.remote_url + AppConfig.settings.database.name,
-      {
-        skip_setup: true,
-      }
-    );
+    this.database = new PouchDatabase(this.loggingService);
   }
 
   /**
@@ -61,15 +61,42 @@ export class RemoteSession extends SessionService {
    */
   public async login(username: string, password: string): Promise<LoginState> {
     try {
+      const body = new URLSearchParams();
+      body.set("username", username);
+      body.set("password", password);
+      body.set("grant_type", "password");
+      body.set("client_id", "myclient");
+      const options = {
+        headers: new HttpHeaders().set(
+          "Content-Type",
+          "application/x-www-form-urlencoded"
+        ),
+      };
       const response = await this.httpClient
-        .post<DatabaseUser>(
-          `${AppConfig.settings.database.remote_url}_session`,
-          { name: username, password: password },
-          { withCredentials: true }
-        )
+        .post<any>(`/auth`, body.toString(), options)
+        .toPromise();
+      this.database.initIndexedDB(
+        AppConfig.settings.database.remote_url +
+          AppConfig.settings.database.name,
+        {
+          skip_setup: true,
+          fetch: (url, opts) => {
+            // @ts-ignore
+            opts.headers.set(
+              "Authorization",
+              "Bearer " + response.access_token
+            );
+            return PouchDB.fetch(url, opts);
+          },
+        }
+      );
+      const user = await this.httpClient
+        .get<any>(`${AppConfig.settings.database.remote_url}_session`, {
+          withCredentials: true,
+          headers: { Authorization: "Bearer " + response.access_token },
+        })
         .toPromise();
-      await this.handleSuccessfulLogin(response);
-      this.assignDatabaseUser(response);
+      await this.handleSuccessfulLogin(user.userCtx);
       localStorage.setItem(
         RemoteSession.LAST_LOGIN_KEY,
         new Date().toISOString()
@@ -86,13 +113,6 @@ export class RemoteSession extends SessionService {
     return this.loginState.value;
   }
 
-  private assignDatabaseUser(couchDBResponse: any) {
-    this.currentDBUser = {
-      name: couchDBResponse.name,
-      roles: couchDBResponse.roles,
-    };
-  }
-
   public async handleSuccessfulLogin(userObject: DatabaseUser) {
     this.currentDBUser = userObject;
     this.loginState.next(LoginState.LOGGED_IN);

From fc74555c68a62f007723f478fa69ed4508e7b4e7 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Sun, 17 Jul 2022 22:14:10 +0200
Subject: [PATCH 03/42] updated to latest version and added support for
 autologin. Currently done with access_token, this should be a refresh token
 instead. Currently token validity is not limited

---
 proxy.conf.json                               |  2 +-
 .../session/session-service/remote-session.ts | 77 +++++++++++--------
 .../session-service/synced-session.service.ts | 14 ++--
 3 files changed, 53 insertions(+), 40 deletions(-)

diff --git a/proxy.conf.json b/proxy.conf.json
index 7adc593987..380a64bb44 100644
--- a/proxy.conf.json
+++ b/proxy.conf.json
@@ -1,6 +1,6 @@
 {
   "/db": {
-    "target": "https://dev.aam-digital.com/db",
+    "target": "http://localhost:5984",
     "secure": true,
     "logLevel": "debug",
     "changeOrigin": true,
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 6d7fedd28c..7e6f87c49d 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -27,6 +27,7 @@ import { LoginState } from "../session-states/login-state.enum";
 import { PouchDatabase } from "../../database/pouch-database";
 import { LoggingService } from "../../logging/logging.service";
 import PouchDB from "pouchdb-browser";
+import { firstValueFrom } from "rxjs";
 
 /**
  * Responsibilities:
@@ -61,41 +62,21 @@ export class RemoteSession extends SessionService {
    */
   public async login(username: string, password: string): Promise<LoginState> {
     try {
-      const body = new URLSearchParams();
-      body.set("username", username);
-      body.set("password", password);
-      body.set("grant_type", "password");
-      body.set("client_id", "myclient");
-      const options = {
-        headers: new HttpHeaders().set(
-          "Content-Type",
-          "application/x-www-form-urlencoded"
-        ),
-      };
-      const response = await this.httpClient
-        .post<any>(`/auth`, body.toString(), options)
-        .toPromise();
-      this.database.initIndexedDB(
-        AppConfig.settings.database.remote_url +
-          AppConfig.settings.database.name,
-        {
-          skip_setup: true,
-          fetch: (url, opts) => {
-            // @ts-ignore
-            opts.headers.set(
-              "Authorization",
-              "Bearer " + response.access_token
-            );
-            return PouchDB.fetch(url, opts);
-          },
-        }
+      let token = window.localStorage.getItem("token");
+      if (!token) {
+        const response = await this.getUserToken(username, password);
+        token = response.access_token;
+      }
+      window.localStorage.setItem("token", token);
+      const user = await firstValueFrom(
+        this.httpClient.get<any>(
+          `${AppConfig.settings.database.remote_url}_session`,
+          {
+            withCredentials: true,
+            headers: { Authorization: "Bearer " + token },
+          }
+        )
       );
-      const user = await this.httpClient
-        .get<any>(`${AppConfig.settings.database.remote_url}_session`, {
-          withCredentials: true,
-          headers: { Authorization: "Bearer " + response.access_token },
-        })
-        .toPromise();
       await this.handleSuccessfulLogin(user.userCtx);
       localStorage.setItem(
         RemoteSession.LAST_LOGIN_KEY,
@@ -113,7 +94,35 @@ export class RemoteSession extends SessionService {
     return this.loginState.value;
   }
 
+  private getUserToken(username: string, password: string) {
+    const body = new URLSearchParams();
+    body.set("username", username);
+    body.set("password", password);
+    body.set("grant_type", "password");
+    body.set("client_id", "myclient");
+    const options = {
+      headers: new HttpHeaders().set(
+        "Content-Type",
+        "application/x-www-form-urlencoded"
+      ),
+    };
+    return firstValueFrom(
+      this.httpClient.post<any>(`/auth`, body.toString(), options)
+    );
+  }
+
   public async handleSuccessfulLogin(userObject: DatabaseUser) {
+    let token = window.localStorage.getItem("token");
+    this.database.initIndexedDB(
+      AppConfig.settings.database.remote_url + AppConfig.settings.database.name,
+      {
+        skip_setup: true,
+        fetch: (url, opts: any) => {
+          opts.headers.set("Authorization", "Bearer " + token);
+          return PouchDB.fetch(url, opts);
+        },
+      }
+    );
     this.currentDBUser = userObject;
     this.loginState.next(LoginState.LOGGED_IN);
   }
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index ba353ae5d9..2ea29ca7dd 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -74,9 +74,11 @@ export class SyncedSessionService extends SessionService {
    * Do login automatically if there is still a valid CouchDB cookie from last login with username and password
    */
   checkForValidSession() {
+    const token = window.localStorage.getItem("token");
     this.httpClient
-      .get(`${AppConfig.settings.database.remote_url}_session`, {
+      .get<any>(`${AppConfig.settings.database.remote_url}_session`, {
         withCredentials: true,
+        headers: { Authorization: "Bearer " + token },
       })
       .subscribe((res: any) => {
         if (res.userCtx.name) {
@@ -225,10 +227,12 @@ export class SyncedSessionService extends SessionService {
     this.syncState.next(SyncState.STARTED);
     const localPouchDB = this.localSession.getDatabase().getPouchDB();
     const remotePouchDB = this.remoteSession.getDatabase().getPouchDB();
-    this._liveSyncHandle = (localPouchDB.sync(remotePouchDB, {
-      live: true,
-      retry: true,
-    }) as any)
+    this._liveSyncHandle = (
+      localPouchDB.sync(remotePouchDB, {
+        live: true,
+        retry: true,
+      }) as any
+    )
       .on("paused", (info) => {
         // replication was paused: either because sync is finished or because of a failed sync (mostly due to lost connection). info is empty.
         if (this.remoteSession.loginState.value === LoginState.LOGGED_IN) {

From 75634046a500c785523674112cd5cb9d91a5b188 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 18 Jul 2022 12:18:59 +0200
Subject: [PATCH 04/42] added tests for remote session login using jwt

---
 .../session-service/remote-session.spec.ts    | 72 ++++++++++++-------
 .../session/session-service/remote-session.ts | 42 ++++++-----
 src/app/utils/utils.ts                        | 14 ++++
 3 files changed, 82 insertions(+), 46 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index 7dd3d53d35..44a1a97c60 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -1,5 +1,5 @@
 import { TestBed } from "@angular/core/testing";
-import { RemoteSession } from "./remote-session";
+import { JwtToken, RemoteSession } from "./remote-session";
 import { HttpClient, HttpErrorResponse } from "@angular/common/http";
 import { of, throwError } from "rxjs";
 import { AppConfig } from "../../app-config/app-config";
@@ -14,6 +14,25 @@ describe("RemoteSessionService", () => {
   let service: RemoteSession;
   let mockHttpClient: jasmine.SpyObj<HttpClient>;
   let dbUser: DatabaseUser;
+  /**
+   * Check {@link jwt.io} to decode the JWT token.
+   * Extract:
+   * ```json
+   * {
+   *   "sub": "test",
+   *   "exp": 1658138259,
+   *   "_couchdb.roles": [
+   *      "user_app"
+   *   ],
+   *   ...
+   * }
+   * ```
+   */
+  const jwtTokenResponse: JwtToken = {
+    access_token:
+      "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzV2FQaEdOYy1GSWpTdHBYVk96Y29oMjdSbVBpYVRwZjRlWUItUHpwU1VVIn0.eyJleHAiOjE2NTgxMzk0NTUsImlhdCI6MTY1ODEzOTM5NSwianRpIjoiY2YwZTYzNTMtNTJiMy00NzgyLTg1YjAtOWNkMzQ4MTM4YmI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9teXJlYWxtIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6InRlc3QiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJteWNsaWVudCIsInNlc3Npb25fc3RhdGUiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vd3d3LmtleWNsb2FrLm9yZyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1teXJlYWxtIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im15Y2xpZW50Ijp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJzaWQiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QifQ.eynm8Zoox4Ovad0K4fYkia4mIyJUJpSfxEM0ZivQAD4LzhzDXuixsEJLQ3RFHI421k2q4wOMaorQAhjVbhmuu9CVQbPjTvNWfeO5DfTdo103KzWmQirWgBHP47H7dwF_2ksyag5HWFMTMCoD9BrNNPJPGjgkabXEFz4-dXg0GaslWd5MIO21cYqkZc_8YhFFLj9oP5gaY-9f3WTQg5YWTg7wk2YKM8IFlKrO67DMLTuO361lSdltnPNIBGzzAEC_oCM3GNFB1d8OkUnA5No89DhxCqQGHeQTKiYiJKoCdnZNQr7pIY0Ml-uNtAEHKAMV9Q6_sxqNcIFjROirdv3kkA",
+    refresh_token: "test-refresh-token",
+  };
 
   beforeEach(() => {
     AppConfig.settings = {
@@ -44,24 +63,20 @@ describe("RemoteSessionService", () => {
         return of(dbUser as any);
       } else {
         return throwError(
-          new HttpErrorResponse({ status: service.UNAUTHORIZED_STATUS_CODE })
+          () =>
+            new HttpErrorResponse({ status: service.UNAUTHORIZED_STATUS_CODE })
         );
       }
     });
   });
 
-  it("should be connected after successful login", async () => {
-    expect(service.loginState.value).toBe(LoginState.LOGGED_OUT);
-
-    await service.login(TEST_USER, TEST_PASSWORD);
-
-    expect(mockHttpClient.post).toHaveBeenCalled();
-    expect(service.loginState.value).toBe(LoginState.LOGGED_IN);
-  });
+  afterEach(() =>
+    window.localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY)
+  );
 
   it("should be unavailable if requests fails with error other than 401", async () => {
     mockHttpClient.post.and.returnValue(
-      throwError(new HttpErrorResponse({ status: 501 }))
+      throwError(() => new HttpErrorResponse({ status: 501 }))
     );
 
     await service.login(TEST_USER, TEST_PASSWORD);
@@ -69,32 +84,35 @@ describe("RemoteSessionService", () => {
     expect(service.loginState.value).toBe(LoginState.UNAVAILABLE);
   });
 
-  it("should be rejected if login is unauthorized", async () => {
-    await service.login(TEST_USER, "wrongPassword");
-
-    expect(service.loginState.value).toBe(LoginState.LOGIN_FAILED);
+  it("should not throw error when remote logout is not possible", () => {
+    mockHttpClient.delete.and.returnValue(throwError(() => new Error()));
+    return expectAsync(service.logout()).not.toBeRejected();
   });
 
-  it("should disconnect after logout", async () => {
-    await service.login(TEST_USER, TEST_PASSWORD);
+  it("should request token and store refresh token in local storage", async () => {
+    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
 
-    await service.logout();
+    await service.login(TEST_USER, TEST_PASSWORD);
 
-    expect(service.loginState.value).toBe(LoginState.LOGGED_OUT);
+    expect(window.localStorage.getItem(RemoteSession.REFRESH_TOKEN_KEY)).toBe(
+      "test-refresh-token"
+    );
   });
 
-  it("should assign the current user after successful login", async () => {
+  it("should store access token in remote session", async () => {
+    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
+
     await service.login(TEST_USER, TEST_PASSWORD);
 
-    expect(service.getCurrentUser()).toEqual({
-      name: dbUser.name,
-      roles: dbUser.roles,
-    });
+    expect(service.accessToken).toBe(jwtTokenResponse.access_token);
   });
 
-  it("should not throw error when remote logout is not possible", () => {
-    mockHttpClient.delete.and.returnValue(throwError(new Error()));
-    return expectAsync(service.logout()).not.toBeRejected();
+  it("should take username and roles from jwtToken", async () => {
+    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
+
+    await service.login(TEST_USER, TEST_PASSWORD);
+
+    expect(service.getCurrentUser()).toEqual(dbUser);
   });
 
   testSessionServiceImplementation(() => Promise.resolve(service));
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 7e6f87c49d..75154e2f26 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -28,6 +28,7 @@ import { PouchDatabase } from "../../database/pouch-database";
 import { LoggingService } from "../../logging/logging.service";
 import PouchDB from "pouchdb-browser";
 import { firstValueFrom } from "rxjs";
+import { parseJwt } from "../../../utils/utils";
 
 /**
  * Responsibilities:
@@ -38,12 +39,15 @@ import { firstValueFrom } from "rxjs";
 @Injectable()
 export class RemoteSession extends SessionService {
   static readonly LAST_LOGIN_KEY = "LAST_REMOTE_LOGIN";
+  static readonly REFRESH_TOKEN_KEY = "REFRESH_TOKEN";
   // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
   readonly UNAUTHORIZED_STATUS_CODE = 401;
   /** remote (!) PouchDB  */
   private readonly database: PouchDatabase;
   private currentDBUser: DatabaseUser;
 
+  public accessToken: string;
+
   /**
    * Create a RemoteSession and set up connection to the remote CouchDB server configured in AppConfig.
    */
@@ -62,22 +66,17 @@ export class RemoteSession extends SessionService {
    */
   public async login(username: string, password: string): Promise<LoginState> {
     try {
-      let token = window.localStorage.getItem("token");
-      if (!token) {
-        const response = await this.getUserToken(username, password);
-        token = response.access_token;
-      }
-      window.localStorage.setItem("token", token);
-      const user = await firstValueFrom(
-        this.httpClient.get<any>(
-          `${AppConfig.settings.database.remote_url}_session`,
-          {
-            withCredentials: true,
-            headers: { Authorization: "Bearer " + token },
-          }
-        )
+      let response = await this.getUserToken(username, password);
+      localStorage.setItem(
+        RemoteSession.REFRESH_TOKEN_KEY,
+        response.refresh_token
       );
-      await this.handleSuccessfulLogin(user.userCtx);
+      this.accessToken = response.access_token;
+      const parsedToken = parseJwt(response.access_token);
+      await this.handleSuccessfulLogin({
+        name: parsedToken.sub,
+        roles: parsedToken["_couchdb.roles"],
+      });
       localStorage.setItem(
         RemoteSession.LAST_LOGIN_KEY,
         new Date().toISOString()
@@ -94,7 +93,7 @@ export class RemoteSession extends SessionService {
     return this.loginState.value;
   }
 
-  private getUserToken(username: string, password: string) {
+  private getUserToken(username: string, password: string): Promise<JwtToken> {
     const body = new URLSearchParams();
     body.set("username", username);
     body.set("password", password);
@@ -107,18 +106,17 @@ export class RemoteSession extends SessionService {
       ),
     };
     return firstValueFrom(
-      this.httpClient.post<any>(`/auth`, body.toString(), options)
+      this.httpClient.post<JwtToken>(`/auth`, body.toString(), options)
     );
   }
 
   public async handleSuccessfulLogin(userObject: DatabaseUser) {
-    let token = window.localStorage.getItem("token");
     this.database.initIndexedDB(
       AppConfig.settings.database.remote_url + AppConfig.settings.database.name,
       {
         skip_setup: true,
         fetch: (url, opts: any) => {
-          opts.headers.set("Authorization", "Bearer " + token);
+          opts.headers.set("Authorization", "Bearer " + this.accessToken);
           return PouchDB.fetch(url, opts);
         },
       }
@@ -131,6 +129,7 @@ export class RemoteSession extends SessionService {
    * Logout at the remote database.
    */
   public async logout(): Promise<void> {
+    window.localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY);
     await this.httpClient
       .delete(`${AppConfig.settings.database.remote_url}_session`, {
         withCredentials: true,
@@ -154,3 +153,8 @@ export class RemoteSession extends SessionService {
     return this.database;
   }
 }
+
+export interface JwtToken {
+  access_token: string;
+  refresh_token: string;
+}
diff --git a/src/app/utils/utils.ts b/src/app/utils/utils.ts
index 999ce3fcca..782fb4e5be 100644
--- a/src/app/utils/utils.ts
+++ b/src/app/utils/utils.ts
@@ -97,3 +97,17 @@ export function compareEnums(
 ): boolean {
   return a?.id === b?.id;
 }
+
+export function parseJwt(token) {
+  const base64Url = token.split(".")[1];
+  const base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
+  const jsonPayload = decodeURIComponent(
+    window
+      .atob(base64)
+      .split("")
+      .map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2))
+      .join("")
+  );
+
+  return JSON.parse(jsonPayload);
+}

From 4b9fd51e141041db185e7bb18300352e8e0da3d8 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 18 Jul 2022 23:03:12 +0200
Subject: [PATCH 05/42] addded token renewal

---
 .../session-service/remote-session.spec.ts    | 106 ++++++++++--------
 .../session/session-service/remote-session.ts |  76 ++++++++-----
 .../session-service/session.service.spec.ts   |   2 +-
 .../synced-session.service.spec.ts            |  23 ++--
 .../session-service/synced-session.service.ts |   4 +-
 src/app/utils/utils.ts                        |   2 +-
 6 files changed, 126 insertions(+), 87 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index 44a1a97c60..c4b3191705 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -1,4 +1,4 @@
-import { TestBed } from "@angular/core/testing";
+import { fakeAsync, TestBed, tick } from "@angular/core/testing";
 import { JwtToken, RemoteSession } from "./remote-session";
 import { HttpClient, HttpErrorResponse } from "@angular/common/http";
 import { of, throwError } from "rxjs";
@@ -10,29 +10,49 @@ import { DatabaseUser } from "./local-user";
 import { LoginState } from "../session-states/login-state.enum";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
 
+export function remoteSessionHttpFake(url, body) {
+  const params = new URLSearchParams(body);
+  const isValidPassword =
+    params.get("username") === TEST_USER &&
+    params.get("password") === TEST_PASSWORD;
+  const isValidToken = params.get("refresh_token") === "test-refresh-token";
+  if (isValidPassword || isValidToken) {
+    return of(jwtTokenResponse as any);
+  } else {
+    return throwError(
+      () =>
+        new HttpErrorResponse({
+          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+        })
+    );
+  }
+}
+
+/**
+ * Check {@link https://jwt.io} to decode the access_token.
+ * Extract:
+ * ```json
+ * {
+ *   "sub": "test",
+ *   "exp": 1658138259,
+ *   "_couchdb.roles": [
+ *      "user_app"
+ *   ],
+ *   ...
+ * }
+ * ```
+ */
+const jwtTokenResponse: JwtToken = {
+  access_token:
+    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzV2FQaEdOYy1GSWpTdHBYVk96Y29oMjdSbVBpYVRwZjRlWUItUHpwU1VVIn0.eyJleHAiOjE2NTgxMzk0NTUsImlhdCI6MTY1ODEzOTM5NSwianRpIjoiY2YwZTYzNTMtNTJiMy00NzgyLTg1YjAtOWNkMzQ4MTM4YmI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9teXJlYWxtIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6InRlc3QiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJteWNsaWVudCIsInNlc3Npb25fc3RhdGUiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vd3d3LmtleWNsb2FrLm9yZyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1teXJlYWxtIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im15Y2xpZW50Ijp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJzaWQiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QifQ.eynm8Zoox4Ovad0K4fYkia4mIyJUJpSfxEM0ZivQAD4LzhzDXuixsEJLQ3RFHI421k2q4wOMaorQAhjVbhmuu9CVQbPjTvNWfeO5DfTdo103KzWmQirWgBHP47H7dwF_2ksyag5HWFMTMCoD9BrNNPJPGjgkabXEFz4-dXg0GaslWd5MIO21cYqkZc_8YhFFLj9oP5gaY-9f3WTQg5YWTg7wk2YKM8IFlKrO67DMLTuO361lSdltnPNIBGzzAEC_oCM3GNFB1d8OkUnA5No89DhxCqQGHeQTKiYiJKoCdnZNQr7pIY0Ml-uNtAEHKAMV9Q6_sxqNcIFjROirdv3kkA",
+  refresh_token: "test-refresh-token",
+  expires_in: 120,
+};
+
 describe("RemoteSessionService", () => {
   let service: RemoteSession;
   let mockHttpClient: jasmine.SpyObj<HttpClient>;
   let dbUser: DatabaseUser;
-  /**
-   * Check {@link jwt.io} to decode the JWT token.
-   * Extract:
-   * ```json
-   * {
-   *   "sub": "test",
-   *   "exp": 1658138259,
-   *   "_couchdb.roles": [
-   *      "user_app"
-   *   ],
-   *   ...
-   * }
-   * ```
-   */
-  const jwtTokenResponse: JwtToken = {
-    access_token:
-      "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzV2FQaEdOYy1GSWpTdHBYVk96Y29oMjdSbVBpYVRwZjRlWUItUHpwU1VVIn0.eyJleHAiOjE2NTgxMzk0NTUsImlhdCI6MTY1ODEzOTM5NSwianRpIjoiY2YwZTYzNTMtNTJiMy00NzgyLTg1YjAtOWNkMzQ4MTM4YmI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9teXJlYWxtIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6InRlc3QiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJteWNsaWVudCIsInNlc3Npb25fc3RhdGUiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vd3d3LmtleWNsb2FrLm9yZyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1teXJlYWxtIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im15Y2xpZW50Ijp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJzaWQiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QifQ.eynm8Zoox4Ovad0K4fYkia4mIyJUJpSfxEM0ZivQAD4LzhzDXuixsEJLQ3RFHI421k2q4wOMaorQAhjVbhmuu9CVQbPjTvNWfeO5DfTdo103KzWmQirWgBHP47H7dwF_2ksyag5HWFMTMCoD9BrNNPJPGjgkabXEFz4-dXg0GaslWd5MIO21cYqkZc_8YhFFLj9oP5gaY-9f3WTQg5YWTg7wk2YKM8IFlKrO67DMLTuO361lSdltnPNIBGzzAEC_oCM3GNFB1d8OkUnA5No89DhxCqQGHeQTKiYiJKoCdnZNQr7pIY0Ml-uNtAEHKAMV9Q6_sxqNcIFjROirdv3kkA",
-    refresh_token: "test-refresh-token",
-  };
 
   beforeEach(() => {
     AppConfig.settings = {
@@ -43,8 +63,8 @@ describe("RemoteSessionService", () => {
         remote_url: "database_url",
       },
     };
-    mockHttpClient = jasmine.createSpyObj(["post", "delete"]);
-    mockHttpClient.delete.and.returnValue(of());
+    mockHttpClient = jasmine.createSpyObj(["post"]);
+    mockHttpClient.post.and.callFake(remoteSessionHttpFake);
 
     TestBed.configureTestingModule({
       providers: [
@@ -57,17 +77,6 @@ describe("RemoteSessionService", () => {
     // Remote session allows TEST_USER and TEST_PASSWORD as valid credentials
     dbUser = { name: TEST_USER, roles: ["user_app"] };
     service = TestBed.inject(RemoteSession);
-
-    mockHttpClient.post.and.callFake((url, body) => {
-      if (body.name === TEST_USER && body.password === TEST_PASSWORD) {
-        return of(dbUser as any);
-      } else {
-        return throwError(
-          () =>
-            new HttpErrorResponse({ status: service.UNAUTHORIZED_STATUS_CODE })
-        );
-      }
-    });
   });
 
   afterEach(() =>
@@ -84,14 +93,7 @@ describe("RemoteSessionService", () => {
     expect(service.loginState.value).toBe(LoginState.UNAVAILABLE);
   });
 
-  it("should not throw error when remote logout is not possible", () => {
-    mockHttpClient.delete.and.returnValue(throwError(() => new Error()));
-    return expectAsync(service.logout()).not.toBeRejected();
-  });
-
   it("should request token and store refresh token in local storage", async () => {
-    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
-
     await service.login(TEST_USER, TEST_PASSWORD);
 
     expect(window.localStorage.getItem(RemoteSession.REFRESH_TOKEN_KEY)).toBe(
@@ -100,20 +102,36 @@ describe("RemoteSessionService", () => {
   });
 
   it("should store access token in remote session", async () => {
-    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
-
     await service.login(TEST_USER, TEST_PASSWORD);
 
     expect(service.accessToken).toBe(jwtTokenResponse.access_token);
   });
 
   it("should take username and roles from jwtToken", async () => {
-    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
-
     await service.login(TEST_USER, TEST_PASSWORD);
 
     expect(service.getCurrentUser()).toEqual(dbUser);
   });
 
+  it("should update token before it expires", fakeAsync(() => {
+    // token has 2 minutes expiration time
+    service.login(TEST_USER, TEST_PASSWORD);
+    tick();
+
+    mockHttpClient.post.calls.reset();
+    const newToken = { ...jwtTokenResponse, access_token: "new.token" };
+    // mock token cannot be parsed as JwtToken
+    spyOn(window, "atob").and.returnValue('{"decoded": "token"}');
+    mockHttpClient.post.and.returnValue(of(newToken));
+    // should refresh token one minute before it expires
+    tick(60 * 1000);
+
+    expect(mockHttpClient.post).toHaveBeenCalled();
+    expect(service.accessToken).toBe("new.token");
+
+    // clear timeouts
+    service.logout();
+  }));
+
   testSessionServiceImplementation(() => Promise.resolve(service));
 });
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 75154e2f26..6c53ba2e75 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -41,12 +41,13 @@ export class RemoteSession extends SessionService {
   static readonly LAST_LOGIN_KEY = "LAST_REMOTE_LOGIN";
   static readonly REFRESH_TOKEN_KEY = "REFRESH_TOKEN";
   // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
-  readonly UNAUTHORIZED_STATUS_CODE = 401;
+  static readonly UNAUTHORIZED_STATUS_CODE = 401;
   /** remote (!) PouchDB  */
   private readonly database: PouchDatabase;
   private currentDBUser: DatabaseUser;
 
   public accessToken: string;
+  private refreshTokenTimeout;
 
   /**
    * Create a RemoteSession and set up connection to the remote CouchDB server configured in AppConfig.
@@ -66,17 +67,8 @@ export class RemoteSession extends SessionService {
    */
   public async login(username: string, password: string): Promise<LoginState> {
     try {
-      let response = await this.getUserToken(username, password);
-      localStorage.setItem(
-        RemoteSession.REFRESH_TOKEN_KEY,
-        response.refresh_token
-      );
-      this.accessToken = response.access_token;
-      const parsedToken = parseJwt(response.access_token);
-      await this.handleSuccessfulLogin({
-        name: parsedToken.sub,
-        roles: parsedToken["_couchdb.roles"],
-      });
+      let user = await this.verifyCredentials(username, password);
+      await this.handleSuccessfulLogin(user);
       localStorage.setItem(
         RemoteSession.LAST_LOGIN_KEY,
         new Date().toISOString()
@@ -84,7 +76,7 @@ export class RemoteSession extends SessionService {
       this.loginState.next(LoginState.LOGGED_IN);
     } catch (error) {
       const httpError = error as HttpErrorResponse;
-      if (httpError?.status === this.UNAUTHORIZED_STATUS_CODE) {
+      if (httpError?.status === RemoteSession.UNAUTHORIZED_STATUS_CODE) {
         this.loginState.next(LoginState.LOGIN_FAILED);
       } else {
         this.loginState.next(LoginState.UNAVAILABLE);
@@ -93,11 +85,37 @@ export class RemoteSession extends SessionService {
     return this.loginState.value;
   }
 
-  private getUserToken(username: string, password: string): Promise<JwtToken> {
+  private async verifyCredentials(
+    username: string,
+    password: string
+  ): Promise<DatabaseUser> {
+    const { body, options } = this.buildAuthRequest(username, password);
+    const response = await firstValueFrom(
+      this.httpClient.post<JwtToken>(`/auth`, body.toString(), options)
+    );
+    this.accessToken = response.access_token;
+    this.refreshTokenBeforeExpiry(response.expires_in, response.refresh_token);
+    localStorage.setItem(
+      RemoteSession.REFRESH_TOKEN_KEY,
+      response.refresh_token
+    );
+    const parsedToken = parseJwt(this.accessToken);
+    return {
+      name: parsedToken.sub,
+      roles: parsedToken["_couchdb.roles"],
+    };
+  }
+
+  private buildAuthRequest(username: string, password: string) {
     const body = new URLSearchParams();
-    body.set("username", username);
-    body.set("password", password);
-    body.set("grant_type", "password");
+    if (username) {
+      body.set("username", username);
+      body.set("password", password);
+      body.set("grant_type", "password");
+    } else {
+      body.set("refresh_token", password);
+      body.set("grant_type", "refresh_token");
+    }
     body.set("client_id", "myclient");
     const options = {
       headers: new HttpHeaders().set(
@@ -105,8 +123,18 @@ export class RemoteSession extends SessionService {
         "application/x-www-form-urlencoded"
       ),
     };
-    return firstValueFrom(
-      this.httpClient.post<JwtToken>(`/auth`, body.toString(), options)
+    return { body, options };
+  }
+
+  private refreshTokenBeforeExpiry(
+    secondsTillExpiration: number,
+    refreshToken: string
+  ) {
+    // Refresh token one minute before it expires or after ten seconds
+    const refreshTimeout = Math.max(10, secondsTillExpiration - 60);
+    this.refreshTokenTimeout = setTimeout(
+      () => this.verifyCredentials("", refreshToken),
+      refreshTimeout * 1000
     );
   }
 
@@ -128,14 +156,9 @@ export class RemoteSession extends SessionService {
   /**
    * Logout at the remote database.
    */
-  public async logout(): Promise<void> {
+  public logout(): void {
+    clearTimeout(this.refreshTokenTimeout);
     window.localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY);
-    await this.httpClient
-      .delete(`${AppConfig.settings.database.remote_url}_session`, {
-        withCredentials: true,
-      })
-      .toPromise()
-      .catch(() => undefined);
     this.currentDBUser = undefined;
     this.loginState.next(LoginState.LOGGED_OUT);
   }
@@ -157,4 +180,5 @@ export class RemoteSession extends SessionService {
 export interface JwtToken {
   access_token: string;
   refresh_token: string;
+  expires_in: number;
 }
diff --git a/src/app/core/session/session-service/session.service.spec.ts b/src/app/core/session/session-service/session.service.spec.ts
index ee52ff8f77..12adf3ef24 100644
--- a/src/app/core/session/session-service/session.service.spec.ts
+++ b/src/app/core/session/session-service/session.service.spec.ts
@@ -82,7 +82,7 @@ export function testSessionServiceImplementation(
     const loginResult = await sessionService.login(TEST_USER, TEST_PASSWORD);
     expect(loginResult).toEqual(LoginState.LOGGED_IN);
 
-    await sessionService.logout();
+    sessionService.logout();
     expectNotToBeLoggedIn(LoginState.LOGGED_OUT);
   });
 
diff --git a/src/app/core/session/session-service/synced-session.service.spec.ts b/src/app/core/session/session-service/synced-session.service.spec.ts
index 6a21796a46..94091c1958 100644
--- a/src/app/core/session/session-service/synced-session.service.spec.ts
+++ b/src/app/core/session/session-service/synced-session.service.spec.ts
@@ -32,6 +32,7 @@ import { FontAwesomeTestingModule } from "@fortawesome/angular-fontawesome/testi
 import { PouchDatabase } from "../../database/pouch-database";
 import { SessionModule } from "../session.module";
 import { LOCATION_TOKEN } from "../../../utils/di-tokens";
+import { remoteSessionHttpFake } from "./remote-session.spec";
 
 describe("SyncedSessionService", () => {
   let sessionService: SyncedSessionService;
@@ -79,17 +80,7 @@ describe("SyncedSessionService", () => {
     // Setting up local and remote session to accept TEST_USER and TEST_PASSWORD as valid credentials
     dbUser = { name: TEST_USER, roles: ["user_app"] };
     localSession.saveUser({ name: TEST_USER, roles: [] }, TEST_PASSWORD);
-    mockHttpClient.post.and.callFake((url, body) => {
-      if (body.name === TEST_USER && body.password === TEST_PASSWORD) {
-        return of(dbUser as any);
-      } else {
-        return throwError(
-          new HttpErrorResponse({
-            status: remoteSession.UNAUTHORIZED_STATUS_CODE,
-          })
-        );
-      }
-    });
+    mockHttpClient.post.and.callFake(remoteSessionHttpFake);
 
     localLoginSpy = spyOn(localSession, "login").and.callThrough();
     remoteLoginSpy = spyOn(remoteSession, "login").and.callThrough();
@@ -196,6 +187,9 @@ describe("SyncedSessionService", () => {
     expect(syncSpy).toHaveBeenCalled();
     expect(liveSyncSpy).toHaveBeenCalled();
     expectAsync(login).toBeResolvedTo(LoginState.LOGGED_IN);
+
+    // clear timeouts and intervals
+    sessionService.logout();
     flush();
   }));
 
@@ -295,14 +289,17 @@ describe("SyncedSessionService", () => {
   testSessionServiceImplementation(() => Promise.resolve(sessionService));
 
   function passRemoteLogin(response: DatabaseUser = { name: "", roles: [] }) {
-    mockHttpClient.post.and.returnValue(of(response));
+    remoteLoginSpy.and.callFake(() => {
+      remoteSession.handleSuccessfulLogin(response);
+      return Promise.resolve(LoginState.LOGGED_IN);
+    });
   }
 
   function failRemoteLogin(offline = false) {
     let rejectError;
     if (!offline) {
       rejectError = new HttpErrorResponse({
-        status: remoteSession.UNAUTHORIZED_STATUS_CODE,
+        status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
       });
     }
     mockHttpClient.post.and.returnValue(throwError(rejectError));
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index 2ea29ca7dd..3465f39518 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -301,11 +301,11 @@ export class SyncedSessionService extends SessionService {
    * Logout and stop any existing sync.
    * also see {@link SessionService}
    */
-  public async logout() {
+  public logout() {
     this.cancelLoginOfflineRetry();
     this.cancelLiveSync();
     this.localSession.logout();
-    await this.remoteSession.logout();
+    this.remoteSession.logout();
     this.location.reload();
     this.loginState.next(LoginState.LOGGED_OUT);
   }
diff --git a/src/app/utils/utils.ts b/src/app/utils/utils.ts
index 782fb4e5be..154ef8d30a 100644
--- a/src/app/utils/utils.ts
+++ b/src/app/utils/utils.ts
@@ -98,7 +98,7 @@ export function compareEnums(
   return a?.id === b?.id;
 }
 
-export function parseJwt(token) {
+export function parseJwt(token): { sub: string } {
   const base64Url = token.split(".")[1];
   const base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
   const jsonPayload = decodeURIComponent(

From 82a14455c47ad59ff54a245c031066921f53ca08 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 18 Jul 2022 23:19:21 +0200
Subject: [PATCH 06/42] cleaned up remote session

---
 .../session/session-service/remote-session.ts | 67 +++++++++----------
 1 file changed, 33 insertions(+), 34 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 6c53ba2e75..f1ec3df8f0 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -67,7 +67,8 @@ export class RemoteSession extends SessionService {
    */
   public async login(username: string, password: string): Promise<LoginState> {
     try {
-      let user = await this.verifyCredentials(username, password);
+      const token = await this.authenticate(username, password);
+      const user = await this.processToken(token);
       await this.handleSuccessfulLogin(user);
       localStorage.setItem(
         RemoteSession.LAST_LOGIN_KEY,
@@ -85,37 +86,22 @@ export class RemoteSession extends SessionService {
     return this.loginState.value;
   }
 
-  private async verifyCredentials(
-    username: string,
-    password: string
-  ): Promise<DatabaseUser> {
-    const { body, options } = this.buildAuthRequest(username, password);
-    const response = await firstValueFrom(
-      this.httpClient.post<JwtToken>(`/auth`, body.toString(), options)
-    );
-    this.accessToken = response.access_token;
-    this.refreshTokenBeforeExpiry(response.expires_in, response.refresh_token);
-    localStorage.setItem(
-      RemoteSession.REFRESH_TOKEN_KEY,
-      response.refresh_token
-    );
-    const parsedToken = parseJwt(this.accessToken);
-    return {
-      name: parsedToken.sub,
-      roles: parsedToken["_couchdb.roles"],
-    };
+  private authenticate(username: string, password: string): Promise<JwtToken> {
+    const body = new URLSearchParams();
+    body.set("username", username);
+    body.set("password", password);
+    body.set("grant_type", "password");
+    return this.getToken(body);
   }
 
-  private buildAuthRequest(username: string, password: string) {
+  private refreshToken(token: string): Promise<JwtToken> {
     const body = new URLSearchParams();
-    if (username) {
-      body.set("username", username);
-      body.set("password", password);
-      body.set("grant_type", "password");
-    } else {
-      body.set("refresh_token", password);
-      body.set("grant_type", "refresh_token");
-    }
+    body.set("refresh_token", token);
+    body.set("grant_type", "refresh_token");
+    return this.getToken(body);
+  }
+
+  private getToken(body: URLSearchParams): Promise<JwtToken> {
     body.set("client_id", "myclient");
     const options = {
       headers: new HttpHeaders().set(
@@ -123,7 +109,20 @@ export class RemoteSession extends SessionService {
         "application/x-www-form-urlencoded"
       ),
     };
-    return { body, options };
+    return firstValueFrom(
+      this.httpClient.post<JwtToken>(`/auth`, body.toString(), options)
+    );
+  }
+
+  private async processToken(token: JwtToken): Promise<DatabaseUser> {
+    this.accessToken = token.access_token;
+    this.refreshTokenBeforeExpiry(token.expires_in, token.refresh_token);
+    localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, token.refresh_token);
+    const parsedToken = parseJwt(this.accessToken);
+    return {
+      name: parsedToken.sub,
+      roles: parsedToken["_couchdb.roles"],
+    };
   }
 
   private refreshTokenBeforeExpiry(
@@ -132,10 +131,10 @@ export class RemoteSession extends SessionService {
   ) {
     // Refresh token one minute before it expires or after ten seconds
     const refreshTimeout = Math.max(10, secondsTillExpiration - 60);
-    this.refreshTokenTimeout = setTimeout(
-      () => this.verifyCredentials("", refreshToken),
-      refreshTimeout * 1000
-    );
+    this.refreshTokenTimeout = setTimeout(async () => {
+      const token = await this.refreshToken(refreshToken);
+      await this.processToken(token);
+    }, refreshTimeout * 1000);
   }
 
   public async handleSuccessfulLogin(userObject: DatabaseUser) {

From 6a2f3a07828e434efbab1e187c4d6c7ffc041688 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 18 Jul 2022 23:39:52 +0200
Subject: [PATCH 07/42] added automatic refresh of token when opening app

---
 .../session-service/remote-session.spec.ts    |  2 +-
 .../session/session-service/remote-session.ts | 14 +++----
 .../synced-session.service.spec.ts            | 41 ++++++-------------
 .../session-service/synced-session.service.ts | 17 +++-----
 4 files changed, 25 insertions(+), 49 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index c4b3191705..9a79fef08e 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -42,7 +42,7 @@ export function remoteSessionHttpFake(url, body) {
  * }
  * ```
  */
-const jwtTokenResponse: JwtToken = {
+export const jwtTokenResponse: JwtToken = {
   access_token:
     "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzV2FQaEdOYy1GSWpTdHBYVk96Y29oMjdSbVBpYVRwZjRlWUItUHpwU1VVIn0.eyJleHAiOjE2NTgxMzk0NTUsImlhdCI6MTY1ODEzOTM5NSwianRpIjoiY2YwZTYzNTMtNTJiMy00NzgyLTg1YjAtOWNkMzQ4MTM4YmI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9teXJlYWxtIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6InRlc3QiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJteWNsaWVudCIsInNlc3Npb25fc3RhdGUiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vd3d3LmtleWNsb2FrLm9yZyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1teXJlYWxtIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im15Y2xpZW50Ijp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJzaWQiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QifQ.eynm8Zoox4Ovad0K4fYkia4mIyJUJpSfxEM0ZivQAD4LzhzDXuixsEJLQ3RFHI421k2q4wOMaorQAhjVbhmuu9CVQbPjTvNWfeO5DfTdo103KzWmQirWgBHP47H7dwF_2ksyag5HWFMTMCoD9BrNNPJPGjgkabXEFz4-dXg0GaslWd5MIO21cYqkZc_8YhFFLj9oP5gaY-9f3WTQg5YWTg7wk2YKM8IFlKrO67DMLTuO361lSdltnPNIBGzzAEC_oCM3GNFB1d8OkUnA5No89DhxCqQGHeQTKiYiJKoCdnZNQr7pIY0Ml-uNtAEHKAMV9Q6_sxqNcIFjROirdv3kkA",
   refresh_token: "test-refresh-token",
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index f1ec3df8f0..6669555ef2 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -94,8 +94,9 @@ export class RemoteSession extends SessionService {
     return this.getToken(body);
   }
 
-  private refreshToken(token: string): Promise<JwtToken> {
+  public refreshToken(): Promise<JwtToken> {
     const body = new URLSearchParams();
+    const token = localStorage.getItem(RemoteSession.REFRESH_TOKEN_KEY);
     body.set("refresh_token", token);
     body.set("grant_type", "refresh_token");
     return this.getToken(body);
@@ -114,10 +115,10 @@ export class RemoteSession extends SessionService {
     );
   }
 
-  private async processToken(token: JwtToken): Promise<DatabaseUser> {
+  public async processToken(token: JwtToken): Promise<DatabaseUser> {
     this.accessToken = token.access_token;
-    this.refreshTokenBeforeExpiry(token.expires_in, token.refresh_token);
     localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, token.refresh_token);
+    this.refreshTokenBeforeExpiry(token.expires_in);
     const parsedToken = parseJwt(this.accessToken);
     return {
       name: parsedToken.sub,
@@ -125,14 +126,11 @@ export class RemoteSession extends SessionService {
     };
   }
 
-  private refreshTokenBeforeExpiry(
-    secondsTillExpiration: number,
-    refreshToken: string
-  ) {
+  private refreshTokenBeforeExpiry(secondsTillExpiration: number) {
     // Refresh token one minute before it expires or after ten seconds
     const refreshTimeout = Math.max(10, secondsTillExpiration - 60);
     this.refreshTokenTimeout = setTimeout(async () => {
-      const token = await this.refreshToken(refreshToken);
+      const token = await this.refreshToken();
       await this.processToken(token);
     }, refreshTimeout * 1000);
   }
diff --git a/src/app/core/session/session-service/synced-session.service.spec.ts b/src/app/core/session/session-service/synced-session.service.spec.ts
index 94091c1958..9f129679a6 100644
--- a/src/app/core/session/session-service/synced-session.service.spec.ts
+++ b/src/app/core/session/session-service/synced-session.service.spec.ts
@@ -32,7 +32,7 @@ import { FontAwesomeTestingModule } from "@fortawesome/angular-fontawesome/testi
 import { PouchDatabase } from "../../database/pouch-database";
 import { SessionModule } from "../session.module";
 import { LOCATION_TOKEN } from "../../../utils/di-tokens";
-import { remoteSessionHttpFake } from "./remote-session.spec";
+import { jwtTokenResponse, remoteSessionHttpFake } from "./remote-session.spec";
 
 describe("SyncedSessionService", () => {
   let sessionService: SyncedSessionService;
@@ -51,9 +51,10 @@ describe("SyncedSessionService", () => {
   let mockLocation: jasmine.SpyObj<Location>;
 
   beforeEach(() => {
-    mockHttpClient = jasmine.createSpyObj(["post", "delete", "get"]);
-    mockHttpClient.delete.and.returnValue(of());
-    mockHttpClient.get.and.returnValue(of());
+    mockHttpClient = jasmine.createSpyObj(["post"]);
+    mockHttpClient.post.and.returnValue(
+      throwError(() => new HttpErrorResponse({}))
+    );
     mockLocation = jasmine.createSpyObj(["reload"]);
     TestBed.configureTestingModule({
       imports: [SessionModule, NoopAnimationsModule, FontAwesomeTestingModule],
@@ -251,36 +252,20 @@ describe("SyncedSessionService", () => {
     tick();
   }));
 
-  it("should login, given that CouchDB cookie is still valid", fakeAsync(() => {
-    const responseObject = {
-      ok: true,
-      userCtx: {
-        name: "demo",
-        roles: ["user_app"],
-      },
-      info: {
-        authentication_handlers: ["cookie", "default"],
-        authenticated: "default",
-      },
-    };
-    mockHttpClient.get.and.returnValue(of(responseObject));
+  it("should login, if there is a valid refresh token", fakeAsync(() => {
+    localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, "some-refresh-token");
+    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
     sessionService.checkForValidSession();
     tick();
     expect(sessionService.loginState.value).toEqual(LoginState.LOGGED_IN);
+    localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY);
+    sessionService.logout();
   }));
 
   it("should not login, given that there is no valid CouchDB cookie", fakeAsync(() => {
-    const responseObject = {
-      ok: true,
-      userCtx: {
-        name: null,
-        roles: [],
-      },
-      info: {
-        authentication_handlers: ["cookie", "default"],
-      },
-    };
-    mockHttpClient.get.and.returnValue(of(responseObject));
+    mockHttpClient.post.and.returnValue(
+      throwError(() => new HttpErrorResponse({}))
+    );
     sessionService.checkForValidSession();
     tick();
     expect(sessionService.loginState.value).toEqual(LoginState.LOGGED_OUT);
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index 3465f39518..b59ee2094a 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -29,7 +29,6 @@ import { HttpClient } from "@angular/common/http";
 import { DatabaseUser } from "./local-user";
 import { waitForChangeTo } from "../session-states/session-utils";
 import { zip } from "rxjs";
-import { AppConfig } from "app/core/app-config/app-config";
 import { filter } from "rxjs/operators";
 import { LOCATION_TOKEN } from "../../../utils/di-tokens";
 
@@ -74,17 +73,11 @@ export class SyncedSessionService extends SessionService {
    * Do login automatically if there is still a valid CouchDB cookie from last login with username and password
    */
   checkForValidSession() {
-    const token = window.localStorage.getItem("token");
-    this.httpClient
-      .get<any>(`${AppConfig.settings.database.remote_url}_session`, {
-        withCredentials: true,
-        headers: { Authorization: "Bearer " + token },
-      })
-      .subscribe((res: any) => {
-        if (res.userCtx.name) {
-          this.handleSuccessfulLogin(res.userCtx);
-        }
-      });
+    this.remoteSession
+      .refreshToken()
+      .then((token) => this.remoteSession.processToken(token))
+      .then((user) => this.handleSuccessfulLogin(user))
+      .catch((err) => {});
   }
 
   async handleSuccessfulLogin(userObject: DatabaseUser) {

From a8e3c9dc674eb6c3ce4dd94819ceca4ef9a9bde1 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 27 Jul 2022 09:53:56 +0200
Subject: [PATCH 08/42] added keycloak package

---
 package-lock.json                             | 29 ++++++++++++++++
 package.json                                  |  1 +
 proxy.conf.json                               | 15 ++++++---
 .../session/session-service/remote-session.ts | 12 +++++--
 .../user-account/user-account.component.html  | 11 ++++---
 .../user-account/user-account.component.ts    | 33 ++++++++++++++++++-
 src/app/utils/utils.ts                        |  7 +++-
 7 files changed, 93 insertions(+), 15 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d59d2be0ac..9d435905b1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -39,6 +39,7 @@
         "flag-icons": "^6.6.2",
         "hammerjs": "^2.0.8",
         "json-query": "^2.2.2",
+        "keycloak-js": "^18.0.1",
         "lodash-es": "^4.17.21",
         "md5": "^2.3.0",
         "moment": "^2.29.4",
@@ -25371,6 +25372,11 @@
         "node": ">=8"
       }
     },
+    "node_modules/js-sha256": {
+      "version": "0.9.0",
+      "resolved": "https://registry.npmjs.org/js-sha256/-/js-sha256-0.9.0.tgz",
+      "integrity": "sha512-sga3MHh9sgQN2+pJ9VYZ+1LPwXOxuBJBA5nrR5/ofPfuiJBE2hnjsaN8se8JznOmGLN2p49Pe5U/ttafcs/apA=="
+    },
     "node_modules/js-string-escape": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/js-string-escape/-/js-string-escape-1.0.1.tgz",
@@ -25792,6 +25798,15 @@
         "node": ">= 12"
       }
     },
+    "node_modules/keycloak-js": {
+      "version": "18.0.1",
+      "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-18.0.1.tgz",
+      "integrity": "sha512-IRXToYpbIrkyfLeNNJly2OjUCf11ncx2Sdsg257NVDwjOYE923osu47w8pfxEVWpTaS14/Y2QjbTHciuBK0RBQ==",
+      "dependencies": {
+        "base64-js": "^1.5.1",
+        "js-sha256": "^0.9.0"
+      }
+    },
     "node_modules/khroma": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/khroma/-/khroma-2.0.0.tgz",
@@ -57253,6 +57268,11 @@
         }
       }
     },
+    "js-sha256": {
+      "version": "0.9.0",
+      "resolved": "https://registry.npmjs.org/js-sha256/-/js-sha256-0.9.0.tgz",
+      "integrity": "sha512-sga3MHh9sgQN2+pJ9VYZ+1LPwXOxuBJBA5nrR5/ofPfuiJBE2hnjsaN8se8JznOmGLN2p49Pe5U/ttafcs/apA=="
+    },
     "js-string-escape": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/js-string-escape/-/js-string-escape-1.0.1.tgz",
@@ -57588,6 +57608,15 @@
         }
       }
     },
+    "keycloak-js": {
+      "version": "18.0.1",
+      "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-18.0.1.tgz",
+      "integrity": "sha512-IRXToYpbIrkyfLeNNJly2OjUCf11ncx2Sdsg257NVDwjOYE923osu47w8pfxEVWpTaS14/Y2QjbTHciuBK0RBQ==",
+      "requires": {
+        "base64-js": "^1.5.1",
+        "js-sha256": "^0.9.0"
+      }
+    },
     "khroma": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/khroma/-/khroma-2.0.0.tgz",
diff --git a/package.json b/package.json
index cf0a458208..c65c5a8265 100644
--- a/package.json
+++ b/package.json
@@ -49,6 +49,7 @@
     "flag-icons": "^6.6.2",
     "hammerjs": "^2.0.8",
     "json-query": "^2.2.2",
+    "keycloak-js": "^18.0.1",
     "lodash-es": "^4.17.21",
     "md5": "^2.3.0",
     "moment": "^2.29.4",
diff --git a/proxy.conf.json b/proxy.conf.json
index 380a64bb44..1c4d1c6f1f 100644
--- a/proxy.conf.json
+++ b/proxy.conf.json
@@ -1,6 +1,6 @@
 {
   "/db": {
-    "target": "http://localhost:5984",
+    "target": "https://keycloak-test.aam-digital.com/db",
     "secure": true,
     "logLevel": "debug",
     "changeOrigin": true,
@@ -18,12 +18,17 @@
     }
   },
   "/auth": {
-    "target": "http://localhost:8080/realms/myrealm/protocol/openid-connect/token",
-    "secure": true,
+    "target": "http://localhost:8080",
+    "secure": false,
     "logLevel": "debug",
-    "changeOrigin": true,
+    "changeOrigin": false,
+    "withCredentials": true,
+    "xfwd": true,
     "pathRewrite": {
       "^/auth": ""
-    }
+    },
+    "cookiePathRewrite": "/",
+    "hostRewrite": "/auth",
+    "followRedirects": true
   }
 }
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 6669555ef2..1584209ff8 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -103,7 +103,7 @@ export class RemoteSession extends SessionService {
   }
 
   private getToken(body: URLSearchParams): Promise<JwtToken> {
-    body.set("client_id", "myclient");
+    body.set("client_id", "app");
     const options = {
       headers: new HttpHeaders().set(
         "Content-Type",
@@ -111,7 +111,11 @@ export class RemoteSession extends SessionService {
       ),
     };
     return firstValueFrom(
-      this.httpClient.post<JwtToken>(`/auth`, body.toString(), options)
+      this.httpClient.post<JwtToken>(
+        `/auth/realms/local/protocol/openid-connect/token`,
+        body.toString(),
+        options
+      )
     );
   }
 
@@ -120,8 +124,9 @@ export class RemoteSession extends SessionService {
     localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, token.refresh_token);
     this.refreshTokenBeforeExpiry(token.expires_in);
     const parsedToken = parseJwt(this.accessToken);
+    document.cookie = `KEYCLOAK_SESSION=keycloak-test/${parsedToken.sub}/${parsedToken.sid}`;
     return {
-      name: parsedToken.sub,
+      name: parsedToken.username,
       roles: parsedToken["_couchdb.roles"],
     };
   }
@@ -178,4 +183,5 @@ export interface JwtToken {
   access_token: string;
   refresh_token: string;
   expires_in: number;
+  session_state: string;
 }
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 44a3a26009..8cda866ae6 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -18,6 +18,7 @@
 <mat-tab-group appTabStateMemo>
   <mat-tab i18n-label="User-Account label" label="User Account">
     <ng-template matTabContent>
+      <button mat-button (click)="resetPassword()">Change Passwort</button>
       <div class="user-profile-tab">
         <p>
           <mat-form-field>
@@ -73,12 +74,12 @@
               Please provide your correct current password for confirmation.
             </mat-error>
           </mat-form-field>
-          <br />
+          <br/>
 
           <mat-form-field class="user-form-field" style="height: 80px">
             <label i18n>
               New password
-              <input matInput type="password" formControlName="newPassword" />
+              <input matInput type="password" formControlName="newPassword"/>
             </label>
             <mat-error *ngIf="passwordForm.get('newPassword').invalid">
               <div
@@ -96,7 +97,7 @@
               </div>
             </mat-error>
           </mat-form-field>
-          <br />
+          <br/>
 
           <mat-form-field class="user-form-field">
             <label i18n>
@@ -117,14 +118,14 @@
               Confirmation does not match your new password.
             </mat-error>
           </mat-form-field>
-          <br />
+          <br/>
 
           <div *ngIf="passwordChangeResult">
             <div *ngIf="passwordChangeResult.success" class="info success" i18n>
               Password changed successfully.
             </div>
             <div *ngIf="!passwordChangeResult.success" class="info error" i18n>
-              Failed to change password: {{ passwordChangeResult.error }}<br />
+              Failed to change password: {{ passwordChangeResult.error }}<br/>
               Please try again. If the problem persists contact Aam Digital
               support.
             </div>
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index 1d616af06c..bbf890f11c 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -22,6 +22,8 @@ import { FormBuilder, ValidationErrors, Validators } from "@angular/forms";
 import { AppConfig } from "../../app-config/app-config";
 import { LoggingService } from "../../logging/logging.service";
 import { SessionType } from "../../session/session-type";
+import Keycloak from "keycloak-js";
+import { RemoteSession } from "../../session/session-service/remote-session";
 
 /**
  * User account form to allow the user to view and edit information.
@@ -64,7 +66,8 @@ export class UserAccountComponent implements OnInit {
     private sessionService: SessionService,
     private userAccountService: UserAccountService,
     private fb: FormBuilder,
-    private loggingService: LoggingService
+    private loggingService: LoggingService,
+    private remoteSession: RemoteSession
   ) {}
 
   ngOnInit() {
@@ -72,6 +75,34 @@ export class UserAccountComponent implements OnInit {
     this.username = this.sessionService.getCurrentUser()?.name;
   }
 
+  resetPassword() {
+    const keycloak = new Keycloak({
+      url: "http://localhost:4200/auth",
+      realm: "local",
+      clientId: "app",
+    });
+    keycloak.onReady = (res) => console.log("ready", res);
+    keycloak.onAuthSuccess = () => console.log("onAuthSuccess");
+    keycloak
+      .init({
+        token: this.remoteSession.accessToken,
+        refreshToken: localStorage.getItem(RemoteSession.REFRESH_TOKEN_KEY),
+        checkLoginIframe: true,
+        enableLogging: true,
+      })
+      .then((res) => {
+        console.log("logging in", res);
+        keycloak
+          .login({
+            action: "UPDATE_PASSWORD",
+            redirectUri: location.href,
+          })
+          .then((res) => console.log("res", res))
+          .catch((err) => console.log("err", err));
+      })
+      .catch((err) => console.log("err", err));
+  }
+
   checkIfPasswordChangeAllowed() {
     this.disabledForDemoMode = false;
     this.disabledForOfflineMode = false;
diff --git a/src/app/utils/utils.ts b/src/app/utils/utils.ts
index 154ef8d30a..8a48c03b9a 100644
--- a/src/app/utils/utils.ts
+++ b/src/app/utils/utils.ts
@@ -98,7 +98,12 @@ export function compareEnums(
   return a?.id === b?.id;
 }
 
-export function parseJwt(token): { sub: string } {
+export function parseJwt(token): {
+  sub: string;
+  username: string;
+  sid: string;
+  jti: string;
+} {
   const base64Url = token.split(".")[1];
   const base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
   const jsonPayload = decodeURIComponent(

From 7d8299d39985b79aec260728e816dffe5fd447f2 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Fri, 29 Jul 2022 16:42:24 +0200
Subject: [PATCH 09/42] added proxy for keycloak

---
 build/Dockerfile                                  |  4 +++-
 build/default.conf                                |  8 ++++++++
 proxy.conf.json                                   | 15 ++++-----------
 .../session/session-service/remote-session.ts     |  2 +-
 .../user/user-account/user-account.component.ts   |  6 ++----
 5 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/build/Dockerfile b/build/Dockerfile
index 0df54d22da..37b8e37b4a 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -71,6 +71,8 @@ ENV PORT=80
 ENV WEBDAV_URL="http://localhost"
 # The url to the CouchDB database
 ENV COUCHDB_URL="http://localhost"
+# The url to the Keycloak server
+ENV KEYCLOAK_URL="http://localhost"
 # variables are inserted into the nginx config
-CMD envsubst '$$PORT $$WEBDAV_URL $$COUCHDB_URL' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\
+CMD envsubst '$$PORT $$WEBDAV_URL $$COUCHDB_URL $$KEYCLOAK_URL' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\
     nginx -g 'daemon off;'
diff --git a/build/default.conf b/build/default.conf
index 765b47afc1..00eeccc66f 100644
--- a/build/default.conf
+++ b/build/default.conf
@@ -36,5 +36,13 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Ssl on;
     }
+
+    location ^~ /auth {
+      proxy_pass ${KEYCLOAK_URL};
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $host;
+    }
 }
 
diff --git a/proxy.conf.json b/proxy.conf.json
index 1c4d1c6f1f..70af7778f2 100644
--- a/proxy.conf.json
+++ b/proxy.conf.json
@@ -1,6 +1,6 @@
 {
   "/db": {
-    "target": "https://keycloak-test.aam-digital.com/db",
+    "target": "https://dev.aam-digital.com/db",
     "secure": true,
     "logLevel": "debug",
     "changeOrigin": true,
@@ -19,16 +19,9 @@
   },
   "/auth": {
     "target": "http://localhost:8080",
-    "secure": false,
+    "secure": true,
     "logLevel": "debug",
-    "changeOrigin": false,
-    "withCredentials": true,
-    "xfwd": true,
-    "pathRewrite": {
-      "^/auth": ""
-    },
-    "cookiePathRewrite": "/",
-    "hostRewrite": "/auth",
-    "followRedirects": true
+    "followRedirects": true,
+    "xfwd": true
   }
 }
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 1584209ff8..c564dc83c4 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -112,7 +112,7 @@ export class RemoteSession extends SessionService {
     };
     return firstValueFrom(
       this.httpClient.post<JwtToken>(
-        `/auth/realms/local/protocol/openid-connect/token`,
+        `/auth/realms/keycloak-test/protocol/openid-connect/token`,
         body.toString(),
         options
       )
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index bbf890f11c..42c1270065 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -77,12 +77,10 @@ export class UserAccountComponent implements OnInit {
 
   resetPassword() {
     const keycloak = new Keycloak({
-      url: "http://localhost:4200/auth",
-      realm: "local",
+      url: "/auth",
+      realm: "keycloak-test",
       clientId: "app",
     });
-    keycloak.onReady = (res) => console.log("ready", res);
-    keycloak.onAuthSuccess = () => console.log("onAuthSuccess");
     keycloak
       .init({
         token: this.remoteSession.accessToken,

From 4d3fd86789b5ce18ea708032e3d9917f182ed239 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Fri, 29 Jul 2022 17:20:26 +0200
Subject: [PATCH 10/42] excluding /auth requests from service worker

---
 ngsw-config.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ngsw-config.json b/ngsw-config.json
index 9e2c54c643..2ba029fed4 100644
--- a/ngsw-config.json
+++ b/ngsw-config.json
@@ -54,6 +54,7 @@
     "!/**/*__*",
     "!/**/*__*/**",
     "!/db/",
-    "!/db/**"
+    "!/db/**",
+    "!/auth/**"
   ]
 }

From d448d47164f6da8a97fd64074a610248451dcfba Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Fri, 29 Jul 2022 18:38:01 +0200
Subject: [PATCH 11/42] fixed tests

---
 src/app/core/session/session-service/remote-session.spec.ts  | 5 +++--
 .../core/user/user-account/user-account.component.spec.ts    | 2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index 43b5752f3c..0b73eef711 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -33,7 +33,8 @@ export function remoteSessionHttpFake(url, body) {
  * Extract:
  * ```json
  * {
- *   "sub": "test",
+ *   "sub": "881ba191-0d27-4dff-9bc4-2c9e561ac900",
+ *   "username": "test",
  *   "exp": 1658138259,
  *   "_couchdb.roles": [
  *      "user_app"
@@ -44,7 +45,7 @@ export function remoteSessionHttpFake(url, body) {
  */
 export const jwtTokenResponse: JwtToken = {
   access_token:
-    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzV2FQaEdOYy1GSWpTdHBYVk96Y29oMjdSbVBpYVRwZjRlWUItUHpwU1VVIn0.eyJleHAiOjE2NTgxMzk0NTUsImlhdCI6MTY1ODEzOTM5NSwianRpIjoiY2YwZTYzNTMtNTJiMy00NzgyLTg1YjAtOWNkMzQ4MTM4YmI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9teXJlYWxtIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6InRlc3QiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJteWNsaWVudCIsInNlc3Npb25fc3RhdGUiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vd3d3LmtleWNsb2FrLm9yZyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1teXJlYWxtIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im15Y2xpZW50Ijp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJzaWQiOiI2ZWE5YzRkYi0wOGZmLTQ4MjQtOTUzMS1lNTIzODg1Y2E2NTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QifQ.eynm8Zoox4Ovad0K4fYkia4mIyJUJpSfxEM0ZivQAD4LzhzDXuixsEJLQ3RFHI421k2q4wOMaorQAhjVbhmuu9CVQbPjTvNWfeO5DfTdo103KzWmQirWgBHP47H7dwF_2ksyag5HWFMTMCoD9BrNNPJPGjgkabXEFz4-dXg0GaslWd5MIO21cYqkZc_8YhFFLj9oP5gaY-9f3WTQg5YWTg7wk2YKM8IFlKrO67DMLTuO361lSdltnPNIBGzzAEC_oCM3GNFB1d8OkUnA5No89DhxCqQGHeQTKiYiJKoCdnZNQr7pIY0Ml-uNtAEHKAMV9Q6_sxqNcIFjROirdv3kkA",
+    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOTzU3NEpPTmoxWUM0V3VLbEtMN0R0dUdHemJTdEQ3WUFaX3FONUk0WDB3In0.eyJleHAiOjE2NTkxMTI1NjUsImlhdCI6MTY1OTExMjI2NSwianRpIjoiODYwMmJiMDQtZDA2Mi00MjcxLWFlYmMtN2I0MjY3YmY0MDNlIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay10ZXN0LmFhbS1kaWdpdGFsLmNvbTo0NDMvYXV0aC9yZWFsbXMva2V5Y2xvYWstdGVzdCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI4ODFiYTE5MS0wZDI3LTRkZmYtOWJjNC0yYzllNTYxYWM5MDAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcHAiLCJzZXNzaW9uX3N0YXRlIjoiNTYwMmNhZDgtMjgxNS00YTY5LWFlN2YtZWY2MjVmZjE1ZGUyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLWtleWNsb2FrLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBwIjp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiI1NjAyY2FkOC0yODE1LTRhNjktYWU3Zi1lZjYyNWZmMTVkZTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiIiwiZmFtaWx5X25hbWUiOiIiLCJ1c2VybmFtZSI6InRlc3QifQ.g0Lq8tPN9fdni-tro7xcT4g4Ju-pyFTlYY8hjy-H34jxjkFDh6eTSjmnkof8w6r5TDg7V18k3WMz5Bf4XXt9kJtrVM0nOFq7wY-BSRdvl1TtMpRRkGlEUg5CMxCoyhkpkL1dcYslKlxNw4qwavvcjqYdtL7LU7ezZfs9wcAUV0VB9frxIzhq3WW6eHPBWYdFJFY1H5kl7jI6gtrLEc25tC-8Hpsz12Ey8O1DnsTqS7cXa1gNSGY10xYO9zNhxNfYy_x4uaaVJviT-gq9Bz-LM55H9s7Nz_FT9ETHNBm479jetBwURWLR-QRTwEdgajQWUUBw3l4Ld15q1YUSVSn1Ww",
   refresh_token: "test-refresh-token",
   expires_in: 120,
   session_state: "test-session-state",
diff --git a/src/app/core/user/user-account/user-account.component.spec.ts b/src/app/core/user/user-account/user-account.component.spec.ts
index 767a5192e1..220d5878f2 100644
--- a/src/app/core/user/user-account/user-account.component.spec.ts
+++ b/src/app/core/user/user-account/user-account.component.spec.ts
@@ -33,6 +33,7 @@ import { LoggingService } from "../../logging/logging.service";
 import { TabStateModule } from "../../../utils/tab-state/tab-state.module";
 import { RouterTestingModule } from "@angular/router/testing";
 import { environment } from "../../../../environments/environment";
+import { RemoteSession } from "../../session/session-service/remote-session";
 
 describe("UserAccountComponent", () => {
   let component: UserAccountComponent;
@@ -67,6 +68,7 @@ describe("UserAccountComponent", () => {
       ],
       providers: [
         { provide: SessionService, useValue: mockSessionService },
+        { provide: RemoteSession, useValue: { accessToken: "some token" } },
         { provide: UserAccountService, useValue: mockUserAccountService },
         { provide: LoggingService, useValue: mockLoggingService },
       ],

From f3faa2d812ae13809e47a9bc79838c6cdb46a930 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Sat, 30 Jul 2022 13:39:42 +0200
Subject: [PATCH 12/42] cleaned up reset password flow

---
 proxy.conf.json                               |   2 +-
 .../session/session-service/remote-session.ts |   3 +-
 .../user-account/user-account.component.html  | 118 ++----------------
 .../user-account.component.spec.ts            |  73 +----------
 .../user-account/user-account.component.ts    | 101 +++------------
 .../user-account/user-account.service.spec.ts |  57 ---------
 .../user/user-account/user-account.service.ts |  60 ---------
 src/app/core/user/user.module.ts              |  11 +-
 8 files changed, 31 insertions(+), 394 deletions(-)
 delete mode 100644 src/app/core/user/user-account/user-account.service.spec.ts
 delete mode 100644 src/app/core/user/user-account/user-account.service.ts

diff --git a/proxy.conf.json b/proxy.conf.json
index ffb4944f06..dcd1b7ede5 100644
--- a/proxy.conf.json
+++ b/proxy.conf.json
@@ -12,7 +12,7 @@
     "target": "http://localhost:8080",
     "secure": true,
     "logLevel": "debug",
-    "followRedirects": true,
+    "changeOrigin": true,
     "xfwd": true
   }
 }
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 172b058c16..cd0ef526ed 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -124,7 +124,6 @@ export class RemoteSession extends SessionService {
     localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, token.refresh_token);
     this.refreshTokenBeforeExpiry(token.expires_in);
     const parsedToken = parseJwt(this.accessToken);
-    document.cookie = `KEYCLOAK_SESSION=keycloak-test/${parsedToken.sub}/${parsedToken.sid}`;
     return {
       name: parsedToken.username,
       roles: parsedToken["_couchdb.roles"],
@@ -151,7 +150,7 @@ export class RemoteSession extends SessionService {
             opts.headers.set("Authorization", "Bearer " + this.accessToken);
             return PouchDB.fetch(
               AppSettings.DB_PROXY_PREFIX +
-              url.split(AppSettings.DB_PROXY_PREFIX)[1],
+                url.split(AppSettings.DB_PROXY_PREFIX)[1],
               opts
             );
           }
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 8cda866ae6..74579a1cb0 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -18,7 +18,6 @@
 <mat-tab-group appTabStateMemo>
   <mat-tab i18n-label="User-Account label" label="User Account">
     <ng-template matTabContent>
-      <button mat-button (click)="resetPassword()">Change Passwort</button>
       <div class="user-profile-tab">
         <p>
           <mat-form-field>
@@ -33,115 +32,20 @@
             />
           </mat-form-field>
         </p>
-
-        <form [formGroup]="passwordForm" class="form-container">
-          <p *ngIf="disabledForDemoMode" class="info">
-            <fa-icon icon="exclamation-circle"></fa-icon>
-            <ng-container i18n>
-              Password change is not allowed in demo mode.
-            </ng-container>
-          </p>
-          <p *ngIf="disabledForOfflineMode" class="info">
-            <fa-icon icon="exclamation-circle"></fa-icon>
-            <ng-container i18n>
-              Password change is not possible while being offline.
-            </ng-container>
-            <button
-              mat-stroked-button
-              (click)="checkIfPasswordChangeAllowed()"
-              i18n="retry switching from offline to online"
-            >
-              retry
-            </button>
-          </p>
-
-          <mat-form-field class="user-form-field">
-            <label i18n>
-              Current Password
-              <input
-                matInput
-                type="password"
-                formControlName="currentPassword"
-              />
-            </label>
-            <mat-error
-              *ngIf="passwordForm.get('currentPassword').invalid"
-              i18n="
-                Password Confirmation|An incorrect password was entered trying
-                to change the password
-              "
-            >
-              Please provide your correct current password for confirmation.
-            </mat-error>
-          </mat-form-field>
-          <br/>
-
-          <mat-form-field class="user-form-field" style="height: 80px">
-            <label i18n>
-              New password
-              <input matInput type="password" formControlName="newPassword"/>
-            </label>
-            <mat-error *ngIf="passwordForm.get('newPassword').invalid">
-              <div
-                *ngIf="passwordForm.get('newPassword').errors.minlength"
-                i18n="Password validation"
-              >
-                Must be at least 8 characters long.
-              </div>
-              <div
-                *ngIf="passwordForm.get('newPassword').errors.pattern"
-                i18n="Illegal password pattern"
-              >
-                Must contain lower case letters, upper case letters, symbols and
-                numbers to be secure.
-              </div>
-            </mat-error>
-          </mat-form-field>
-          <br/>
-
-          <mat-form-field class="user-form-field">
-            <label i18n>
-              Confirm new password
-              <input
-                matInput
-                type="password"
-                formControlName="confirmPassword"
-              />
-            </label>
-            <mat-error
-              *ngIf="
-                passwordForm.get('confirmPassword').invalid &&
-                passwordForm.get('confirmPassword').touched
-              "
-              i18n="Illegal new password"
-            >
-              Confirmation does not match your new password.
-            </mat-error>
-          </mat-form-field>
-          <br/>
-
-          <div *ngIf="passwordChangeResult">
-            <div *ngIf="passwordChangeResult.success" class="info success" i18n>
-              Password changed successfully.
-            </div>
-            <div *ngIf="!passwordChangeResult.success" class="info error" i18n>
-              Failed to change password: {{ passwordChangeResult.error }}<br/>
-              Please try again. If the problem persists contact Aam Digital
-              support.
-            </div>
-          </div>
-
+        <div
+          [matTooltip]="getPasswordResetDisabledTooltip()"
+          [matTooltipDisabled]="!disabledForOfflineMode && !disabledForDemoMode"
+          style="width: fit-content"
+        >
           <button
-            mat-raised-button
-            type="submit"
-            [disabled]="passwordForm.invalid || passwordForm.disabled"
-            (click)="changePassword()"
-            (submit)="changePassword()"
-            i18n="Change password button"
+            mat-stroked-button
+            (click)="resetPassword()"
+            [disabled]="disabledForDemoMode || disabledForOfflineMode"
+            i18n="Button which opens password reset page"
           >
-            Change Password
+            Change Passwort
           </button>
-        </form>
+        </div>
       </div>
     </ng-template>
   </mat-tab>
diff --git a/src/app/core/user/user-account/user-account.component.spec.ts b/src/app/core/user/user-account/user-account.component.spec.ts
index 220d5878f2..fcd0be7f13 100644
--- a/src/app/core/user/user-account/user-account.component.spec.ts
+++ b/src/app/core/user/user-account/user-account.component.spec.ts
@@ -15,48 +15,31 @@
  *     along with ndb-core.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-import {
-  ComponentFixture,
-  fakeAsync,
-  TestBed,
-  tick,
-  waitForAsync,
-} from "@angular/core/testing";
+import { ComponentFixture, TestBed, waitForAsync } from "@angular/core/testing";
 
 import { UserAccountComponent } from "./user-account.component";
 import { SessionService } from "../../session/session-service/session.service";
 import { NoopAnimationsModule } from "@angular/platform-browser/animations";
-import { UserAccountService } from "./user-account.service";
 import { UserModule } from "../user.module";
-import { SessionType } from "../../session/session-type";
 import { LoggingService } from "../../logging/logging.service";
 import { TabStateModule } from "../../../utils/tab-state/tab-state.module";
 import { RouterTestingModule } from "@angular/router/testing";
-import { environment } from "../../../../environments/environment";
-import { RemoteSession } from "../../session/session-service/remote-session";
 
 describe("UserAccountComponent", () => {
   let component: UserAccountComponent;
   let fixture: ComponentFixture<UserAccountComponent>;
 
   let mockSessionService: jasmine.SpyObj<SessionService>;
-  let mockUserAccountService: jasmine.SpyObj<UserAccountService>;
   let mockLoggingService: jasmine.SpyObj<LoggingService>;
 
   beforeEach(waitForAsync(() => {
-    environment.session_type = SessionType.synced; // password change only available in synced mode
     mockSessionService = jasmine.createSpyObj("sessionService", [
       "getCurrentUser",
-      "login",
-      "checkPassword",
     ]);
     mockSessionService.getCurrentUser.and.returnValue({
       name: "TestUser",
       roles: [],
     });
-    mockUserAccountService = jasmine.createSpyObj("mockUserAccount", [
-      "changePassword",
-    ]);
     mockLoggingService = jasmine.createSpyObj(["error"]);
 
     TestBed.configureTestingModule({
@@ -68,8 +51,6 @@ describe("UserAccountComponent", () => {
       ],
       providers: [
         { provide: SessionService, useValue: mockSessionService },
-        { provide: RemoteSession, useValue: { accessToken: "some token" } },
-        { provide: UserAccountService, useValue: mockUserAccountService },
         { provide: LoggingService, useValue: mockLoggingService },
       ],
     });
@@ -84,56 +65,4 @@ describe("UserAccountComponent", () => {
   it("should be created", () => {
     expect(component).toBeTruthy();
   });
-
-  it("should enable password form", () => {
-    expect(component.passwordForm).toBeEnabled();
-  });
-
-  it("should set error when password is incorrect", () => {
-    component.passwordForm.get("currentPassword").setValue("wrongPW");
-    mockSessionService.checkPassword.and.returnValue(false);
-
-    expect(component.passwordForm.get("currentPassword")).toBeValidForm();
-
-    component.changePassword();
-
-    expect(component.passwordForm.get("currentPassword")).not.toBeValidForm();
-  });
-
-  it("should set error when password change fails", fakeAsync(() => {
-    component.username = "testUser";
-    component.passwordForm.get("currentPassword").setValue("testPW");
-    mockSessionService.checkPassword.and.returnValue(true);
-    mockUserAccountService.changePassword.and.rejectWith(
-      new Error("pw change error")
-    );
-
-    try {
-      component.changePassword();
-      tick();
-    } catch (e) {
-      // expected to re-throw the error for upstream reporting
-    }
-
-    expect(mockUserAccountService.changePassword).toHaveBeenCalled();
-    expect(component.passwordChangeResult.success).toBeFalse();
-    expect(component.passwordChangeResult.error).toBe("pw change error");
-  }));
-
-  it("should set success and re-login when password change worked", fakeAsync(() => {
-    component.username = "testUser";
-    component.passwordForm.get("currentPassword").setValue("testPW");
-    component.passwordForm.get("newPassword").setValue("changedPassword");
-    mockSessionService.checkPassword.and.returnValue(true);
-    mockUserAccountService.changePassword.and.resolveTo();
-    mockSessionService.login.and.resolveTo(null);
-
-    component.changePassword();
-    tick();
-    expect(component.passwordChangeResult.success).toBeTrue();
-    expect(mockSessionService.login).toHaveBeenCalledWith(
-      "testUser",
-      "changedPassword"
-    );
-  }));
 });
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index a9ed96b525..d70fd73b4e 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -17,13 +17,10 @@
 
 import { Component, OnInit } from "@angular/core";
 import { SessionService } from "../../session/session-service/session.service";
-import { UserAccountService } from "./user-account.service";
-import { FormBuilder, ValidationErrors, Validators } from "@angular/forms";
 import { LoggingService } from "../../logging/logging.service";
 import { SessionType } from "../../session/session-type";
 import { environment } from "../../../../environments/environment";
 import Keycloak from "keycloak-js";
-import { RemoteSession } from "../../session/session-service/remote-session";
 
 /**
  * User account form to allow the user to view and edit information.
@@ -41,33 +38,9 @@ export class UserAccountComponent implements OnInit {
   disabledForDemoMode: boolean;
   disabledForOfflineMode: boolean;
 
-  passwordChangeResult: { success: boolean; error?: any };
-
-  passwordForm = this.fb.group(
-    {
-      currentPassword: ["", Validators.required],
-      newPassword: [
-        "",
-        [
-          Validators.required,
-          Validators.minLength(8),
-          Validators.pattern(/[A-Z]/),
-          Validators.pattern(/[a-z]/),
-          Validators.pattern(/[0-9]/),
-          Validators.pattern(/[^A-Za-z0-9]/),
-        ],
-      ],
-      confirmPassword: ["", [Validators.required]],
-    },
-    { validators: () => this.passwordMatchValidator() }
-  );
-
   constructor(
     private sessionService: SessionService,
-    private userAccountService: UserAccountService,
-    private fb: FormBuilder,
-    private loggingService: LoggingService,
-    private remoteSession: RemoteSession
+    private loggingService: LoggingService
   ) {}
 
   ngOnInit() {
@@ -82,76 +55,32 @@ export class UserAccountComponent implements OnInit {
       clientId: "app",
     });
     keycloak
-      .init({
-        token: this.remoteSession.accessToken,
-        refreshToken: localStorage.getItem(RemoteSession.REFRESH_TOKEN_KEY),
-        checkLoginIframe: true,
-        enableLogging: true,
-      })
-      .then((res) => {
-        console.log("logging in", res);
-        keycloak
-          .login({
-            action: "UPDATE_PASSWORD",
-            redirectUri: location.href,
-          })
-          .then((res) => console.log("res", res))
-          .catch((err) => console.log("err", err));
-      })
-      .catch((err) => console.log("err", err));
+      .init({})
+      .then(() =>
+        keycloak.login({
+          action: "UPDATE_PASSWORD",
+          redirectUri: location.href,
+        })
+      )
+      .catch((err) => this.loggingService.error(err));
   }
 
   checkIfPasswordChangeAllowed() {
     this.disabledForDemoMode = false;
     this.disabledForOfflineMode = false;
-    this.passwordForm.enable();
 
     if (environment.session_type !== SessionType.synced) {
       this.disabledForDemoMode = true;
-      this.passwordForm.disable();
     } else if (!navigator.onLine) {
       this.disabledForOfflineMode = true;
-      this.passwordForm.disable();
     }
   }
 
-  changePassword() {
-    this.passwordChangeResult = undefined;
-
-    const currentPassword = this.passwordForm.get("currentPassword").value;
-
-    if (!this.sessionService.checkPassword(this.username, currentPassword)) {
-      this.passwordForm
-        .get("currentPassword")
-        .setErrors({ incorrectPassword: true });
-      return;
-    }
-
-    const newPassword = this.passwordForm.get("newPassword").value;
-    this.userAccountService
-      .changePassword(this.username, currentPassword, newPassword)
-      .then(() => this.sessionService.login(this.username, newPassword))
-      .then(() => (this.passwordChangeResult = { success: true }))
-      .catch((err: Error) => {
-        this.passwordChangeResult = { success: false, error: err.message };
-        this.loggingService.error({
-          error: "password change failed",
-          details: err.message,
-        });
-        // rethrow to properly report to sentry.io; this exception is not expected, only caught to display in UI
-        throw err;
-      });
-  }
-
-  private passwordMatchValidator(): ValidationErrors | null {
-    const newPassword = this.passwordForm?.get("newPassword").value;
-    const confirmPassword = this.passwordForm?.get("confirmPassword").value;
-    if (newPassword !== confirmPassword) {
-      this.passwordForm
-        .get("confirmPassword")
-        .setErrors({ passwordConfirmationMismatch: true });
-      return { passwordConfirmationMismatch: true };
-    }
-    return null;
+  getPasswordResetDisabledTooltip(): string {
+    return this.disabledForDemoMode
+      ? $localize`:Password reset disabled tooltip:Password change is not allowed in demo mode.`
+      : this.disabledForOfflineMode
+      ? $localize`:Password reset disabled tooltip:Password change is not possible while being offline.`
+      : "";
   }
 }
diff --git a/src/app/core/user/user-account/user-account.service.spec.ts b/src/app/core/user/user-account/user-account.service.spec.ts
deleted file mode 100644
index 52c17c35fc..0000000000
--- a/src/app/core/user/user-account/user-account.service.spec.ts
+++ /dev/null
@@ -1,57 +0,0 @@
-import { TestBed } from "@angular/core/testing";
-import { UserAccountService } from "./user-account.service";
-import { HttpClient } from "@angular/common/http";
-import { of, throwError } from "rxjs";
-
-describe("UserAccountService", () => {
-  let service: UserAccountService;
-  let mockHttpClient: jasmine.SpyObj<HttpClient>;
-
-  beforeEach(() => {
-    mockHttpClient = jasmine.createSpyObj("mockHttpClient", ["get", "put"]);
-    TestBed.configureTestingModule({
-      providers: [{ provide: HttpClient, useValue: mockHttpClient }],
-    });
-    service = TestBed.inject(UserAccountService);
-  });
-
-  it("should be created", () => {
-    expect(service).toBeTruthy();
-  });
-
-  it("should reject if current user cant be fetched", (done) => {
-    mockHttpClient.get.and.returnValue(throwError(new Error()));
-
-    service
-      .changePassword("username", "wrongPW", "")
-      .then(() => fail())
-      .catch((err) => {
-        expect(err).toBeDefined();
-        done();
-      });
-  });
-
-  it("should report error when new Password cannot be saved", (done) => {
-    mockHttpClient.get.and.returnValues(of({}));
-    mockHttpClient.put.and.returnValue(throwError(new Error()));
-
-    service
-      .changePassword("username", "testPW", "")
-      .then(() => fail())
-      .catch((err) => {
-        expect(mockHttpClient.get).toHaveBeenCalled();
-        expect(mockHttpClient.put).toHaveBeenCalled();
-        expect(err).toBeDefined();
-        done();
-      });
-  });
-
-  it("should not fail if get and put requests are successful", () => {
-    mockHttpClient.get.and.returnValues(of({}));
-    mockHttpClient.put.and.returnValues(of({}));
-
-    return expectAsync(
-      service.changePassword("username", "testPW", "newPW")
-    ).not.toBeRejected();
-  });
-});
diff --git a/src/app/core/user/user-account/user-account.service.ts b/src/app/core/user/user-account/user-account.service.ts
deleted file mode 100644
index 4a40920867..0000000000
--- a/src/app/core/user/user-account/user-account.service.ts
+++ /dev/null
@@ -1,60 +0,0 @@
-import { Injectable } from "@angular/core";
-import { HttpClient, HttpHeaders } from "@angular/common/http";
-
-@Injectable({
-  providedIn: "root",
-})
-export class UserAccountService {
-  private static readonly COUCHDB_USER_ENDPOINT = "/db/_users/org.couchdb.user";
-  constructor(private http: HttpClient) {}
-
-  /**
-   * Function to change the password of a user
-   * @param username The username for which the password should be changed
-   * @param oldPassword The current plaintext password of the user
-   * @param newPassword The new plaintext password of the user
-   * @return Promise that resolves once the password is changed in _user and the database
-   */
-  public async changePassword(
-    username: string,
-    oldPassword: string,
-    newPassword: string
-  ): Promise<void> {
-    let userResponse;
-    try {
-      // TODO due to cookie-auth, the old password is actually not checked
-      userResponse = await this.getCouchDBUser(username, oldPassword);
-    } catch (e) {
-      throw new Error("Current password incorrect or server not available");
-    }
-
-    userResponse["password"] = newPassword;
-    try {
-      await this.saveNewPasswordToCouchDB(username, oldPassword, userResponse);
-    } catch (e) {
-      throw new Error(
-        "Could not save new password, please contact your system administrator"
-      );
-    }
-  }
-
-  private getCouchDBUser(username: string, password: string): Promise<any> {
-    const userUrl = UserAccountService.COUCHDB_USER_ENDPOINT + ":" + username;
-    const headers: HttpHeaders = new HttpHeaders({
-      Authorization: "Basic " + btoa(username + ":" + password),
-    });
-    return this.http.get(userUrl, { headers: headers }).toPromise();
-  }
-
-  private saveNewPasswordToCouchDB(
-    username: string,
-    oldPassword: string,
-    userObj: any
-  ): Promise<any> {
-    const userUrl = UserAccountService.COUCHDB_USER_ENDPOINT + ":" + username;
-    const headers: HttpHeaders = new HttpHeaders({
-      Authorization: "Basic " + btoa(username + ":" + oldPassword),
-    });
-    return this.http.put(userUrl, userObj, { headers: headers }).toPromise();
-  }
-}
diff --git a/src/app/core/user/user.module.ts b/src/app/core/user/user.module.ts
index 8b6c6890e7..30c832a200 100644
--- a/src/app/core/user/user.module.ts
+++ b/src/app/core/user/user.module.ts
@@ -22,11 +22,8 @@ import { MatFormFieldModule } from "@angular/material/form-field";
 import { MatInputModule } from "@angular/material/input";
 import { CommonModule } from "@angular/common";
 import { MatTabsModule } from "@angular/material/tabs";
-import { FormsModule, ReactiveFormsModule } from "@angular/forms";
-import { MatListModule } from "@angular/material/list";
-import { MatAutocompleteModule } from "@angular/material/autocomplete";
-import { FontAwesomeModule } from "@fortawesome/angular-fontawesome";
 import { TabStateModule } from "../../utils/tab-state/tab-state.module";
+import { MatTooltipModule } from "@angular/material/tooltip";
 
 /**
  * Provides a User functionality including user account forms.
@@ -38,12 +35,8 @@ import { TabStateModule } from "../../utils/tab-state/tab-state.module";
     MatInputModule,
     MatButtonModule,
     MatTabsModule,
-    ReactiveFormsModule,
-    MatListModule,
-    MatAutocompleteModule,
-    FormsModule,
-    FontAwesomeModule,
     TabStateModule,
+    MatTooltipModule,
   ],
   declarations: [UserAccountComponent],
 })

From 99e040af5c1e81dfa889fb5734c28bcd72ad8ed9 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 1 Aug 2022 18:53:36 +0200
Subject: [PATCH 13/42] trying to get reverse proxy for keycloak working

---
 build/default.conf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/build/default.conf b/build/default.conf
index e83ae789f9..495cde6ddc 100644
--- a/build/default.conf
+++ b/build/default.conf
@@ -54,11 +54,13 @@ server {
     }
 
     location ^~ /auth {
-      proxy_pass ${KEYCLOAK_URL};
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $scheme;
-      proxy_set_header X-Forwarded-Host $host;
+#     TODO HTTPS required error
+        proxy_pass ${KEYCLOAK_URL};
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Ssl on;
     }
 }
 

From a09561125c00bb8fefcbd781d0dfd76d3ea02884 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 1 Aug 2022 19:47:08 +0200
Subject: [PATCH 14/42] using keycloak without a proxy

---
 build/default.conf                            | 10 -------
 proxy.conf.json                               |  7 -----
 .../session/session-service/remote-session.ts | 13 ++++++++--
 src/app/core/session/session.module.ts        | 10 ++++++-
 .../user-account/user-account.component.ts    | 26 +++++--------------
 src/assets/keycloak.json                      | 10 +++++++
 6 files changed, 36 insertions(+), 40 deletions(-)
 create mode 100644 src/assets/keycloak.json

diff --git a/build/default.conf b/build/default.conf
index 495cde6ddc..78234f002d 100644
--- a/build/default.conf
+++ b/build/default.conf
@@ -52,15 +52,5 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Ssl on;
     }
-
-    location ^~ /auth {
-#     TODO HTTPS required error
-        proxy_pass ${KEYCLOAK_URL};
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Ssl on;
-    }
 }
 
diff --git a/proxy.conf.json b/proxy.conf.json
index dcd1b7ede5..3db0054f1c 100644
--- a/proxy.conf.json
+++ b/proxy.conf.json
@@ -7,12 +7,5 @@
     "pathRewrite": {
       "/db": ""
     }
-  },
-  "/auth": {
-    "target": "http://localhost:8080",
-    "secure": true,
-    "logLevel": "debug",
-    "changeOrigin": true,
-    "xfwd": true
   }
 }
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index cd0ef526ed..3f0765b693 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -29,6 +29,7 @@ import PouchDB from "pouchdb-browser";
 import { firstValueFrom } from "rxjs";
 import { parseJwt } from "../../../utils/utils";
 import { AppSettings } from "app/core/app-config/app-settings";
+import Keycloak from "keycloak-js";
 
 /**
  * Responsibilities:
@@ -54,7 +55,8 @@ export class RemoteSession extends SessionService {
    */
   constructor(
     private httpClient: HttpClient,
-    private loggingService: LoggingService
+    private loggingService: LoggingService,
+    private keycloak: Keycloak
   ) {
     super();
     this.database = new PouchDatabase(this.loggingService);
@@ -112,7 +114,7 @@ export class RemoteSession extends SessionService {
     };
     return firstValueFrom(
       this.httpClient.post<JwtToken>(
-        `/auth/realms/keycloak-test/protocol/openid-connect/token`,
+        `${this.keycloak.authServerUrl}realms/keycloak-test/protocol/openid-connect/token`,
         body.toString(),
         options
       )
@@ -183,6 +185,13 @@ export class RemoteSession extends SessionService {
   getDatabase(): PouchDatabase {
     return this.database;
   }
+
+  resetPassword() {
+    this.keycloak.login({
+      action: "UPDATE_PASSWORD",
+      redirectUri: location.href,
+    });
+  }
 }
 
 export interface JwtToken {
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index e6197070a7..03e6a83619 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -15,7 +15,7 @@
  *     along with ndb-core.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-import { Injector, NgModule } from "@angular/core";
+import { APP_INITIALIZER, Injector, NgModule } from "@angular/core";
 import { CommonModule } from "@angular/common";
 import { LoginComponent } from "./login/login.component";
 import { FormsModule } from "@angular/forms";
@@ -36,6 +36,7 @@ import { RemoteSession } from "./session-service/remote-session";
 import { SessionService } from "./session-service/session.service";
 import { SessionType } from "./session-type";
 import { environment } from "../../../environments/environment";
+import Keycloak from "keycloak-js";
 
 /**
  * The core session logic handling user login as well as connection and synchronization with the remote database.
@@ -78,6 +79,13 @@ import { environment } from "../../../environments/environment";
       },
       deps: [Injector],
     },
+    { provide: Keycloak, useValue: new Keycloak("assets/keycloak.json") },
+    {
+      provide: APP_INITIALIZER,
+      deps: [Keycloak],
+      useFactory: (keycloak: Keycloak) => () => keycloak.init({}),
+      multi: true,
+    },
   ],
 })
 export class SessionModule {}
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index d70fd73b4e..819391ae7d 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -15,12 +15,10 @@
  *     along with ndb-core.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-import { Component, OnInit } from "@angular/core";
+import { Component, OnInit, Optional } from "@angular/core";
 import { SessionService } from "../../session/session-service/session.service";
 import { LoggingService } from "../../logging/logging.service";
-import { SessionType } from "../../session/session-type";
-import { environment } from "../../../../environments/environment";
-import Keycloak from "keycloak-js";
+import { RemoteSession } from "../../session/session-service/remote-session";
 
 /**
  * User account form to allow the user to view and edit information.
@@ -40,7 +38,8 @@ export class UserAccountComponent implements OnInit {
 
   constructor(
     private sessionService: SessionService,
-    private loggingService: LoggingService
+    private loggingService: LoggingService,
+    @Optional() private remoteSession: RemoteSession
   ) {}
 
   ngOnInit() {
@@ -49,27 +48,14 @@ export class UserAccountComponent implements OnInit {
   }
 
   resetPassword() {
-    const keycloak = new Keycloak({
-      url: "/auth",
-      realm: "keycloak-test",
-      clientId: "app",
-    });
-    keycloak
-      .init({})
-      .then(() =>
-        keycloak.login({
-          action: "UPDATE_PASSWORD",
-          redirectUri: location.href,
-        })
-      )
-      .catch((err) => this.loggingService.error(err));
+    this.remoteSession.resetPassword();
   }
 
   checkIfPasswordChangeAllowed() {
     this.disabledForDemoMode = false;
     this.disabledForOfflineMode = false;
 
-    if (environment.session_type !== SessionType.synced) {
+    if (!this.remoteSession) {
       this.disabledForDemoMode = true;
     } else if (!navigator.onLine) {
       this.disabledForOfflineMode = true;
diff --git a/src/assets/keycloak.json b/src/assets/keycloak.json
new file mode 100644
index 0000000000..605552d359
--- /dev/null
+++ b/src/assets/keycloak.json
@@ -0,0 +1,10 @@
+{
+  "realm": "keycloak-test",
+  "auth-server-url": "https://keycloak.aam-digital.com/",
+  "ssl-required": "external",
+  "resource": "app",
+  "public-client": true,
+  "verify-token-audience": true,
+  "use-resource-role-mappings": true,
+  "confidential-port": 0
+}

From 1c1fc7dd379424ba4736a445e24af8454f594917 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 1 Aug 2022 20:13:01 +0200
Subject: [PATCH 15/42] fixed tests

---
 src/app/core/session/session-service/remote-session.spec.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index 0b73eef711..eed6449061 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -9,6 +9,7 @@ import { DatabaseUser } from "./local-user";
 import { LoginState } from "../session-states/login-state.enum";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
 import { environment } from "../../../../environments/environment";
+import Keycloak from "keycloak-js";
 
 export function remoteSessionHttpFake(url, body) {
   const params = new URLSearchParams(body);
@@ -66,6 +67,7 @@ describe("RemoteSessionService", () => {
         RemoteSession,
         LoggingService,
         { provide: HttpClient, useValue: mockHttpClient },
+        { provide: Keycloak, useValue: {} },
       ],
     });
 

From 0ad58686ea179a1b5e9c0e6d5068a24355dee65e Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Mon, 8 Aug 2022 14:01:44 +0200
Subject: [PATCH 16/42] fixed url for keycloak auth

---
 src/app/core/session/session-service/remote-session.ts | 2 +-
 src/assets/keycloak.json                               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 3f0765b693..7ba26cb8c2 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -114,7 +114,7 @@ export class RemoteSession extends SessionService {
     };
     return firstValueFrom(
       this.httpClient.post<JwtToken>(
-        `${this.keycloak.authServerUrl}realms/keycloak-test/protocol/openid-connect/token`,
+        `${this.keycloak.authServerUrl}realms/${this.keycloak.realm}/protocol/openid-connect/token`,
         body.toString(),
         options
       )
diff --git a/src/assets/keycloak.json b/src/assets/keycloak.json
index 605552d359..9a463971c8 100644
--- a/src/assets/keycloak.json
+++ b/src/assets/keycloak.json
@@ -1,5 +1,5 @@
 {
-  "realm": "keycloak-test",
+  "realm": "ndb-dev",
   "auth-server-url": "https://keycloak.aam-digital.com/",
   "ssl-required": "external",
   "resource": "app",

From af492739cf1b3c278d9f392e374a9a0c716bdffc Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 10 Aug 2022 08:48:21 +0200
Subject: [PATCH 17/42] some general code cleanup

---
 .../session/session-service/remote-session.spec.ts  | 13 ++++++++++++-
 .../core/session/session-service/remote-session.ts  |  4 ++++
 .../session-service/synced-session.service.ts       | 12 +++++-------
 .../user/user-account/user-account.component.html   |  5 ++++-
 .../user/user-account/user-account.component.ts     |  8 +-------
 src/app/core/user/user.module.ts                    |  2 ++
 src/app/utils/utils.ts                              |  5 +++++
 7 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index eed6449061..6c6ef767ed 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -67,7 +67,7 @@ describe("RemoteSessionService", () => {
         RemoteSession,
         LoggingService,
         { provide: HttpClient, useValue: mockHttpClient },
-        { provide: Keycloak, useValue: {} },
+        { provide: Keycloak, useValue: { login: () => {} } },
       ],
     });
 
@@ -130,5 +130,16 @@ describe("RemoteSessionService", () => {
     service.logout();
   }));
 
+  it("should call keycloak for a password reset", () => {
+    const keycloak = TestBed.inject(Keycloak);
+    spyOn(keycloak, "login");
+
+    service.resetPassword();
+
+    expect(keycloak.login).toHaveBeenCalledWith(
+      jasmine.objectContaining({ action: "UPDATE_PASSWORD" })
+    );
+  });
+
   testSessionServiceImplementation(() => Promise.resolve(service));
 });
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 7ba26cb8c2..aee730b890 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -186,6 +186,10 @@ export class RemoteSession extends SessionService {
     return this.database;
   }
 
+  /**
+   * Open password reset page in browser.
+   * Only works with internet connection.
+   */
   resetPassword() {
     this.keycloak.login({
       action: "UPDATE_PASSWORD",
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index b59ee2094a..bdefdee668 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -220,12 +220,11 @@ export class SyncedSessionService extends SessionService {
     this.syncState.next(SyncState.STARTED);
     const localPouchDB = this.localSession.getDatabase().getPouchDB();
     const remotePouchDB = this.remoteSession.getDatabase().getPouchDB();
-    this._liveSyncHandle = (
-      localPouchDB.sync(remotePouchDB, {
-        live: true,
-        retry: true,
-      }) as any
-    )
+    this._liveSyncHandle = localPouchDB.sync(remotePouchDB, {
+      live: true,
+      retry: true,
+    });
+    this._liveSyncHandle
       .on("paused", (info) => {
         // replication was paused: either because sync is finished or because of a failed sync (mostly due to lost connection). info is empty.
         if (this.remoteSession.loginState.value === LoginState.LOGGED_IN) {
@@ -247,7 +246,6 @@ export class SyncedSessionService extends SessionService {
         // replication was canceled!
         this._liveSyncHandle = null;
       });
-    return this._liveSyncHandle;
   }
 
   /**
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 74579a1cb0..9a0823a93d 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -39,7 +39,10 @@
         >
           <button
             mat-stroked-button
-            (click)="resetPassword()"
+            angulartics2On="click"
+            angularticsCategory="User"
+            angularticsAction="password_update"
+            (click)="remoteSession?.resetPassword()"
             [disabled]="disabledForDemoMode || disabledForOfflineMode"
             i18n="Button which opens password reset page"
           >
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index 819391ae7d..a195c33ceb 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -17,7 +17,6 @@
 
 import { Component, OnInit, Optional } from "@angular/core";
 import { SessionService } from "../../session/session-service/session.service";
-import { LoggingService } from "../../logging/logging.service";
 import { RemoteSession } from "../../session/session-service/remote-session";
 
 /**
@@ -38,8 +37,7 @@ export class UserAccountComponent implements OnInit {
 
   constructor(
     private sessionService: SessionService,
-    private loggingService: LoggingService,
-    @Optional() private remoteSession: RemoteSession
+    @Optional() public remoteSession: RemoteSession
   ) {}
 
   ngOnInit() {
@@ -47,10 +45,6 @@ export class UserAccountComponent implements OnInit {
     this.username = this.sessionService.getCurrentUser()?.name;
   }
 
-  resetPassword() {
-    this.remoteSession.resetPassword();
-  }
-
   checkIfPasswordChangeAllowed() {
     this.disabledForDemoMode = false;
     this.disabledForOfflineMode = false;
diff --git a/src/app/core/user/user.module.ts b/src/app/core/user/user.module.ts
index 30c832a200..9cdd8fab52 100644
--- a/src/app/core/user/user.module.ts
+++ b/src/app/core/user/user.module.ts
@@ -24,6 +24,7 @@ import { CommonModule } from "@angular/common";
 import { MatTabsModule } from "@angular/material/tabs";
 import { TabStateModule } from "../../utils/tab-state/tab-state.module";
 import { MatTooltipModule } from "@angular/material/tooltip";
+import { Angulartics2Module } from "angulartics2";
 
 /**
  * Provides a User functionality including user account forms.
@@ -37,6 +38,7 @@ import { MatTooltipModule } from "@angular/material/tooltip";
     MatTabsModule,
     TabStateModule,
     MatTooltipModule,
+    Angulartics2Module,
   ],
   declarations: [UserAccountComponent],
 })
diff --git a/src/app/utils/utils.ts b/src/app/utils/utils.ts
index 8a48c03b9a..310d77290a 100644
--- a/src/app/utils/utils.ts
+++ b/src/app/utils/utils.ts
@@ -98,6 +98,11 @@ export function compareEnums(
   return a?.id === b?.id;
 }
 
+/**
+ * Parses and returns the payload of a JWT into a JSON object.
+ * For me info see {@link https://jwt.io}.
+ * @param token a valid JWT
+ */
 export function parseJwt(token): {
   sub: string;
   username: string;

From 25e16cd8573eec5808eb101aaa1b08d8a84f03d0 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 10 Aug 2022 08:53:27 +0200
Subject: [PATCH 18/42] some more general code cleanup

---
 .../session/session-service/remote-session.spec.ts   |  4 ++--
 .../session-service/synced-session.service.ts        |  2 +-
 .../core/user/user-account/user-account.component.ts | 12 +++++++-----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index 6c6ef767ed..cb4bff1ce6 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -11,7 +11,7 @@ import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
 import { environment } from "../../../../environments/environment";
 import Keycloak from "keycloak-js";
 
-export function remoteSessionHttpFake(url, body) {
+export function remoteSessionHttpFake(_url, body) {
   const params = new URLSearchParams(body);
   const isValidPassword =
     params.get("username") === TEST_USER &&
@@ -67,7 +67,7 @@ describe("RemoteSessionService", () => {
         RemoteSession,
         LoggingService,
         { provide: HttpClient, useValue: mockHttpClient },
-        { provide: Keycloak, useValue: { login: () => {} } },
+        { provide: Keycloak, useValue: { login: () => undefined } },
       ],
     });
 
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index bdefdee668..1e531abf76 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -77,7 +77,7 @@ export class SyncedSessionService extends SessionService {
       .refreshToken()
       .then((token) => this.remoteSession.processToken(token))
       .then((user) => this.handleSuccessfulLogin(user))
-      .catch((err) => {});
+      .catch(() => undefined);
   }
 
   async handleSuccessfulLogin(userObject: DatabaseUser) {
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index a195c33ceb..90b34e7fd3 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -57,10 +57,12 @@ export class UserAccountComponent implements OnInit {
   }
 
   getPasswordResetDisabledTooltip(): string {
-    return this.disabledForDemoMode
-      ? $localize`:Password reset disabled tooltip:Password change is not allowed in demo mode.`
-      : this.disabledForOfflineMode
-      ? $localize`:Password reset disabled tooltip:Password change is not possible while being offline.`
-      : "";
+    if (this.disabledForDemoMode) {
+      return $localize`:Password reset disabled tooltip:Password change is not allowed in demo mode.`;
+    } else if (this.disabledForOfflineMode) {
+      return $localize`:Password reset disabled tooltip:Password change is not possible while being offline.`;
+    } else {
+      return "";
+    }
   }
 }

From dc576b8bd6ce32698029ba1c83d0d62e6c32feb6 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 10 Aug 2022 10:07:35 +0200
Subject: [PATCH 19/42] fixed test

---
 src/app/core/user/user-account/user-account.component.spec.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/app/core/user/user-account/user-account.component.spec.ts b/src/app/core/user/user-account/user-account.component.spec.ts
index fcd0be7f13..a2c9fe3acf 100644
--- a/src/app/core/user/user-account/user-account.component.spec.ts
+++ b/src/app/core/user/user-account/user-account.component.spec.ts
@@ -24,6 +24,7 @@ import { UserModule } from "../user.module";
 import { LoggingService } from "../../logging/logging.service";
 import { TabStateModule } from "../../../utils/tab-state/tab-state.module";
 import { RouterTestingModule } from "@angular/router/testing";
+import { Angulartics2Module } from "angulartics2";
 
 describe("UserAccountComponent", () => {
   let component: UserAccountComponent;
@@ -44,10 +45,11 @@ describe("UserAccountComponent", () => {
 
     TestBed.configureTestingModule({
       imports: [
+        RouterTestingModule,
         UserModule,
+        Angulartics2Module.forRoot(),
         NoopAnimationsModule,
         TabStateModule,
-        RouterTestingModule,
       ],
       providers: [
         { provide: SessionService, useValue: mockSessionService },

From 2929778fc7112809794aaeee1cd21a62a90c1a6a Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 10 Aug 2022 13:53:06 +0200
Subject: [PATCH 20/42] app doesnt fail if keycloak couldnt be initialized

---
 src/app/core/session/session.module.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index 03e6a83619..828139ab4a 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -83,7 +83,8 @@ import Keycloak from "keycloak-js";
     {
       provide: APP_INITIALIZER,
       deps: [Keycloak],
-      useFactory: (keycloak: Keycloak) => () => keycloak.init({}),
+      useFactory: (keycloak: Keycloak) => () =>
+        keycloak.init({}).catch(() => undefined),
       multi: true,
     },
   ],

From 42c45f3c52c555262cd7654160a66c644c3da4f6 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 10 Aug 2022 18:27:07 +0200
Subject: [PATCH 21/42] not initializing keycloak with app initializer

---
 src/app/core/session/session-service/remote-session.ts   | 2 +-
 .../session/session-service/synced-session.service.ts    | 5 +++--
 src/app/core/session/session.module.ts                   | 9 +--------
 3 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index aee730b890..66b34c740c 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -56,7 +56,7 @@ export class RemoteSession extends SessionService {
   constructor(
     private httpClient: HttpClient,
     private loggingService: LoggingService,
-    private keycloak: Keycloak
+    public keycloak: Keycloak
   ) {
     super();
     this.database = new PouchDatabase(this.loggingService);
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index 1e531abf76..b694ab1d57 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -73,8 +73,9 @@ export class SyncedSessionService extends SessionService {
    * Do login automatically if there is still a valid CouchDB cookie from last login with username and password
    */
   checkForValidSession() {
-    this.remoteSession
-      .refreshToken()
+    this.remoteSession.keycloak
+      .init({})
+      .then(() => this.remoteSession.refreshToken())
       .then((token) => this.remoteSession.processToken(token))
       .then((user) => this.handleSuccessfulLogin(user))
       .catch(() => undefined);
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index 828139ab4a..cf9b9aed85 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -15,7 +15,7 @@
  *     along with ndb-core.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-import { APP_INITIALIZER, Injector, NgModule } from "@angular/core";
+import { Injector, NgModule } from "@angular/core";
 import { CommonModule } from "@angular/common";
 import { LoginComponent } from "./login/login.component";
 import { FormsModule } from "@angular/forms";
@@ -80,13 +80,6 @@ import Keycloak from "keycloak-js";
       deps: [Injector],
     },
     { provide: Keycloak, useValue: new Keycloak("assets/keycloak.json") },
-    {
-      provide: APP_INITIALIZER,
-      deps: [Keycloak],
-      useFactory: (keycloak: Keycloak) => () =>
-        keycloak.init({}).catch(() => undefined),
-      multi: true,
-    },
   ],
 })
 export class SessionModule {}

From a9f0dabc3549b979e6176a5c60a85059af85c7f7 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 11 Aug 2022 11:16:38 +0200
Subject: [PATCH 22/42] cleaned up ngsw config

---
 ngsw-config.json | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ngsw-config.json b/ngsw-config.json
index 2ba029fed4..1321d72c67 100644
--- a/ngsw-config.json
+++ b/ngsw-config.json
@@ -20,11 +20,7 @@
     "resources": {
       "files": [
         "/*.svg",
-        "/assets/child.png",
-        "/assets/config.default.json",
-        "/assets/How_To.md",
-        "/assets/locale/How_To.de.md",
-        "/assets/*/**"
+        "/assets/**"
       ]
     }
   }],

From 74903ddddb9e9c0adfa7754742f4f0f9e055904d Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 11 Aug 2022 11:17:03 +0200
Subject: [PATCH 23/42] refactored keycloak login logic to own service

---
 src/app/core/session/auth/auth.service.ts     |  17 +++
 .../auth/keycloak-auth.service.spec.ts        | 137 ++++++++++++++++++
 .../session/auth/keycloak-auth.service.ts     | 120 +++++++++++++++
 .../session-service/remote-session.spec.ts    | 131 +++--------------
 .../session/session-service/remote-session.ts |  97 +------------
 .../synced-session.service.spec.ts            |  49 +++----
 .../session-service/synced-session.service.ts |  10 +-
 src/app/core/session/session.module.ts        |   5 +-
 .../user-account/user-account.component.html  |   2 +-
 .../user-account.component.spec.ts            |   2 +
 .../user-account/user-account.component.ts    |  10 +-
 11 files changed, 337 insertions(+), 243 deletions(-)
 create mode 100644 src/app/core/session/auth/auth.service.ts
 create mode 100644 src/app/core/session/auth/keycloak-auth.service.spec.ts
 create mode 100644 src/app/core/session/auth/keycloak-auth.service.ts

diff --git a/src/app/core/session/auth/auth.service.ts b/src/app/core/session/auth/auth.service.ts
new file mode 100644
index 0000000000..ebe3feb581
--- /dev/null
+++ b/src/app/core/session/auth/auth.service.ts
@@ -0,0 +1,17 @@
+import { HttpHeaders } from "@angular/common/http";
+import { DatabaseUser } from "../session-service/local-user";
+
+export abstract class AuthService {
+  abstract authenticate(
+    username: string,
+    password: string
+  ): Promise<DatabaseUser>;
+
+  abstract autoLogin(): Promise<DatabaseUser>;
+
+  abstract addAuthHeader(headers: HttpHeaders);
+
+  abstract logout(): Promise<void>;
+
+  abstract changePassword(): Promise<any>;
+}
diff --git a/src/app/core/session/auth/keycloak-auth.service.spec.ts b/src/app/core/session/auth/keycloak-auth.service.spec.ts
new file mode 100644
index 0000000000..ebdb2a2f98
--- /dev/null
+++ b/src/app/core/session/auth/keycloak-auth.service.spec.ts
@@ -0,0 +1,137 @@
+import { fakeAsync, TestBed, tick } from "@angular/core/testing";
+
+import { JwtToken, KeycloakAuthService } from "./keycloak-auth.service";
+import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
+import { of, throwError } from "rxjs";
+import { HttpClient, HttpErrorResponse } from "@angular/common/http";
+import { RemoteSession } from "../session-service/remote-session";
+import { DatabaseUser } from "../session-service/local-user";
+
+function remoteSessionHttpFake(_url, body) {
+  const params = new URLSearchParams(body);
+  const isValidPassword =
+    params.get("username") === TEST_USER &&
+    params.get("password") === TEST_PASSWORD;
+  const isValidToken = params.get("refresh_token") === "test-refresh-token";
+  if (isValidPassword || isValidToken) {
+    return of(jwtTokenResponse as any);
+  } else {
+    return throwError(
+      () =>
+        new HttpErrorResponse({
+          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+        })
+    );
+  }
+}
+
+/**
+ * Check {@link https://jwt.io} to decode the access_token.
+ * Extract:
+ * ```json
+ * {
+ *   "sub": "881ba191-0d27-4dff-9bc4-2c9e561ac900",
+ *   "username": "test",
+ *   "exp": 1658138259,
+ *   "_couchdb.roles": [
+ *      "user_app"
+ *   ],
+ *   ...
+ * }
+ * ```
+ */
+const jwtTokenResponse: JwtToken = {
+  access_token:
+    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOTzU3NEpPTmoxWUM0V3VLbEtMN0R0dUdHemJTdEQ3WUFaX3FONUk0WDB3In0.eyJleHAiOjE2NTkxMTI1NjUsImlhdCI6MTY1OTExMjI2NSwianRpIjoiODYwMmJiMDQtZDA2Mi00MjcxLWFlYmMtN2I0MjY3YmY0MDNlIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay10ZXN0LmFhbS1kaWdpdGFsLmNvbTo0NDMvYXV0aC9yZWFsbXMva2V5Y2xvYWstdGVzdCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI4ODFiYTE5MS0wZDI3LTRkZmYtOWJjNC0yYzllNTYxYWM5MDAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcHAiLCJzZXNzaW9uX3N0YXRlIjoiNTYwMmNhZDgtMjgxNS00YTY5LWFlN2YtZWY2MjVmZjE1ZGUyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLWtleWNsb2FrLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBwIjp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiI1NjAyY2FkOC0yODE1LTRhNjktYWU3Zi1lZjYyNWZmMTVkZTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiIiwiZmFtaWx5X25hbWUiOiIiLCJ1c2VybmFtZSI6InRlc3QifQ.g0Lq8tPN9fdni-tro7xcT4g4Ju-pyFTlYY8hjy-H34jxjkFDh6eTSjmnkof8w6r5TDg7V18k3WMz5Bf4XXt9kJtrVM0nOFq7wY-BSRdvl1TtMpRRkGlEUg5CMxCoyhkpkL1dcYslKlxNw4qwavvcjqYdtL7LU7ezZfs9wcAUV0VB9frxIzhq3WW6eHPBWYdFJFY1H5kl7jI6gtrLEc25tC-8Hpsz12Ey8O1DnsTqS7cXa1gNSGY10xYO9zNhxNfYy_x4uaaVJviT-gq9Bz-LM55H9s7Nz_FT9ETHNBm479jetBwURWLR-QRTwEdgajQWUUBw3l4Ld15q1YUSVSn1Ww",
+  refresh_token: "test-refresh-token",
+  expires_in: 120,
+  session_state: "test-session-state",
+};
+
+describe("KeycloakAuthService", () => {
+  let service: KeycloakAuthService;
+  let mockHttpClient: jasmine.SpyObj<HttpClient>;
+  let dbUser: DatabaseUser;
+
+  beforeEach(() => {
+    mockHttpClient = jasmine.createSpyObj(["post"]);
+    mockHttpClient.post.and.callFake(remoteSessionHttpFake);
+    TestBed.configureTestingModule({
+      providers: [
+        { provide: HttpClient, useValue: mockHttpClient },
+        KeycloakAuthService,
+      ],
+    });
+    dbUser = { name: TEST_USER, roles: ["user_app"] };
+    service = TestBed.inject(KeycloakAuthService);
+    // Wait for keycloak to be initialized
+    return service["keycloakReady"];
+  });
+
+  afterEach(() =>
+    window.localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY)
+  );
+
+  it("should be created", () => {
+    expect(service).toBeTruthy();
+  });
+
+  it("should take username and roles from jwtToken", async () => {
+    const user = await service.authenticate(TEST_USER, TEST_PASSWORD);
+
+    expect(user).toEqual(dbUser);
+  });
+
+  it("should store access token in remote session and refresh token in local storage", async () => {
+    await service.authenticate(TEST_USER, TEST_PASSWORD);
+
+    expect(service.accessToken).toBe(jwtTokenResponse.access_token);
+    expect(
+      window.localStorage.getItem(KeycloakAuthService.REFRESH_TOKEN_KEY)
+    ).toBe("test-refresh-token");
+  });
+
+  it("should update token before it expires", fakeAsync(() => {
+    // token has 2 minutes expiration time
+    service.authenticate(TEST_USER, TEST_PASSWORD);
+    tick();
+
+    mockHttpClient.post.calls.reset();
+    const newToken = { ...jwtTokenResponse, access_token: "new.token" };
+    // mock token cannot be parsed as JwtToken
+    spyOn(window, "atob").and.returnValue('{"decoded": "token"}');
+    mockHttpClient.post.and.returnValue(of(newToken));
+    // should refresh token one minute before it expires
+    tick(60 * 1000);
+
+    expect(mockHttpClient.post).toHaveBeenCalled();
+    expect(service.accessToken).toBe("new.token");
+
+    // clear timeouts
+    service.logout();
+  }));
+
+  it("should call keycloak for a password reset", () => {
+    const loginSpy = spyOn(service["keycloak"], "login");
+
+    service.changePassword();
+
+    expect(loginSpy).toHaveBeenCalledWith(
+      jasmine.objectContaining({ action: "UPDATE_PASSWORD" })
+    );
+  });
+
+  it("should login, if there is a valid refresh token", async () => {
+    localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, "some-refresh-token");
+    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
+    const user = await service.autoLogin();
+    expect(user).toEqual(dbUser);
+  });
+
+  it("should not login, given that there is no valid refresh token", () => {
+    mockHttpClient.post.and.returnValue(
+      throwError(() => new HttpErrorResponse({}))
+    );
+    return expectAsync(service.autoLogin()).toBeRejected();
+  });
+});
diff --git a/src/app/core/session/auth/keycloak-auth.service.ts b/src/app/core/session/auth/keycloak-auth.service.ts
new file mode 100644
index 0000000000..77529f6e21
--- /dev/null
+++ b/src/app/core/session/auth/keycloak-auth.service.ts
@@ -0,0 +1,120 @@
+import { AuthService } from "./auth.service";
+import { Injectable } from "@angular/core";
+import Keycloak from "keycloak-js";
+import { HttpClient, HttpHeaders } from "@angular/common/http";
+import { firstValueFrom } from "rxjs";
+import { DatabaseUser } from "../session-service/local-user";
+import { parseJwt } from "../../../utils/utils";
+
+@Injectable()
+export class KeycloakAuthService extends AuthService {
+  static readonly REFRESH_TOKEN_KEY = "REFRESH_TOKEN";
+
+  public accessToken: string;
+
+  private keycloak = new Keycloak("assets/keycloak.json");
+  private keycloakReady = this.keycloak.init({});
+  private refreshTokenTimeout;
+
+  constructor(private httpClient: HttpClient) {
+    super();
+  }
+
+  authenticate(username: string, password: string): Promise<DatabaseUser> {
+    return this.keycloakReady
+      .then(() => this.credentialAuth(username, password))
+      .then((token) => this.processToken(token));
+  }
+
+  autoLogin(): Promise<DatabaseUser> {
+    return this.keycloakReady
+      .then(() => this.refreshTokenAuth())
+      .then((token) => this.processToken(token));
+  }
+
+  private credentialAuth(
+    username: string,
+    password: string
+  ): Promise<JwtToken> {
+    const body = new URLSearchParams();
+    body.set("username", username);
+    body.set("password", password);
+    body.set("grant_type", "password");
+    return this.getToken(body);
+  }
+
+  private refreshTokenAuth(): Promise<JwtToken> {
+    const body = new URLSearchParams();
+    const token = localStorage.getItem(KeycloakAuthService.REFRESH_TOKEN_KEY);
+    body.set("refresh_token", token);
+    body.set("grant_type", "refresh_token");
+    return this.getToken(body);
+  }
+
+  private getToken(body: URLSearchParams): Promise<JwtToken> {
+    body.set("client_id", "app");
+    const options = {
+      headers: new HttpHeaders().set(
+        "Content-Type",
+        "application/x-www-form-urlencoded"
+      ),
+    };
+    return firstValueFrom(
+      this.httpClient.post<JwtToken>(
+        `${this.keycloak.authServerUrl}realms/${this.keycloak.realm}/protocol/openid-connect/token`,
+        body.toString(),
+        options
+      )
+    );
+  }
+
+  private processToken(token: JwtToken): DatabaseUser {
+    this.accessToken = token.access_token;
+    localStorage.setItem(
+      KeycloakAuthService.REFRESH_TOKEN_KEY,
+      token.refresh_token
+    );
+    this.refreshTokenBeforeExpiry(token.expires_in);
+    const parsedToken = parseJwt(this.accessToken);
+    return {
+      name: parsedToken.username,
+      roles: parsedToken["_couchdb.roles"],
+    };
+  }
+
+  private refreshTokenBeforeExpiry(secondsTillExpiration: number) {
+    // Refresh token one minute before it expires or after ten seconds
+    const refreshTimeout = Math.max(10, secondsTillExpiration - 60);
+    this.refreshTokenTimeout = setTimeout(
+      () => this.refreshTokenAuth().then((token) => this.processToken(token)),
+      refreshTimeout * 1000
+    );
+  }
+
+  addAuthHeader(headers: HttpHeaders) {
+    headers.set("Authorization", "Bearer " + this.accessToken);
+  }
+
+  async logout() {
+    clearTimeout(this.refreshTokenTimeout);
+    window.localStorage.removeItem(KeycloakAuthService.REFRESH_TOKEN_KEY);
+  }
+
+  /**
+   * Open password reset page in browser.
+   * Only works with internet connection.
+   */
+  changePassword(): Promise<any> {
+    return this.keycloak.login({
+      action: "UPDATE_PASSWORD",
+      redirectUri: location.href,
+    });
+  }
+}
+
+export interface JwtToken {
+  access_token: string;
+  refresh_token: string;
+  expires_in: number;
+  session_state: string;
+}
diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index cb4bff1ce6..b0e81f3264 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -1,88 +1,46 @@
-import { fakeAsync, TestBed, tick } from "@angular/core/testing";
-import { JwtToken, RemoteSession } from "./remote-session";
-import { HttpClient, HttpErrorResponse } from "@angular/common/http";
-import { of, throwError } from "rxjs";
+import { TestBed } from "@angular/core/testing";
+import { RemoteSession } from "./remote-session";
+import { HttpErrorResponse } from "@angular/common/http";
 import { SessionType } from "../session-type";
 import { LoggingService } from "../../logging/logging.service";
 import { testSessionServiceImplementation } from "./session.service.spec";
-import { DatabaseUser } from "./local-user";
 import { LoginState } from "../session-states/login-state.enum";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
 import { environment } from "../../../../environments/environment";
-import Keycloak from "keycloak-js";
-
-export function remoteSessionHttpFake(_url, body) {
-  const params = new URLSearchParams(body);
-  const isValidPassword =
-    params.get("username") === TEST_USER &&
-    params.get("password") === TEST_PASSWORD;
-  const isValidToken = params.get("refresh_token") === "test-refresh-token";
-  if (isValidPassword || isValidToken) {
-    return of(jwtTokenResponse as any);
-  } else {
-    return throwError(
-      () =>
-        new HttpErrorResponse({
-          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
-        })
-    );
-  }
-}
-
-/**
- * Check {@link https://jwt.io} to decode the access_token.
- * Extract:
- * ```json
- * {
- *   "sub": "881ba191-0d27-4dff-9bc4-2c9e561ac900",
- *   "username": "test",
- *   "exp": 1658138259,
- *   "_couchdb.roles": [
- *      "user_app"
- *   ],
- *   ...
- * }
- * ```
- */
-export const jwtTokenResponse: JwtToken = {
-  access_token:
-    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOTzU3NEpPTmoxWUM0V3VLbEtMN0R0dUdHemJTdEQ3WUFaX3FONUk0WDB3In0.eyJleHAiOjE2NTkxMTI1NjUsImlhdCI6MTY1OTExMjI2NSwianRpIjoiODYwMmJiMDQtZDA2Mi00MjcxLWFlYmMtN2I0MjY3YmY0MDNlIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay10ZXN0LmFhbS1kaWdpdGFsLmNvbTo0NDMvYXV0aC9yZWFsbXMva2V5Y2xvYWstdGVzdCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI4ODFiYTE5MS0wZDI3LTRkZmYtOWJjNC0yYzllNTYxYWM5MDAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcHAiLCJzZXNzaW9uX3N0YXRlIjoiNTYwMmNhZDgtMjgxNS00YTY5LWFlN2YtZWY2MjVmZjE1ZGUyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLWtleWNsb2FrLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBwIjp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiI1NjAyY2FkOC0yODE1LTRhNjktYWU3Zi1lZjYyNWZmMTVkZTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiIiwiZmFtaWx5X25hbWUiOiIiLCJ1c2VybmFtZSI6InRlc3QifQ.g0Lq8tPN9fdni-tro7xcT4g4Ju-pyFTlYY8hjy-H34jxjkFDh6eTSjmnkof8w6r5TDg7V18k3WMz5Bf4XXt9kJtrVM0nOFq7wY-BSRdvl1TtMpRRkGlEUg5CMxCoyhkpkL1dcYslKlxNw4qwavvcjqYdtL7LU7ezZfs9wcAUV0VB9frxIzhq3WW6eHPBWYdFJFY1H5kl7jI6gtrLEc25tC-8Hpsz12Ey8O1DnsTqS7cXa1gNSGY10xYO9zNhxNfYy_x4uaaVJviT-gq9Bz-LM55H9s7Nz_FT9ETHNBm479jetBwURWLR-QRTwEdgajQWUUBw3l4Ld15q1YUSVSn1Ww",
-  refresh_token: "test-refresh-token",
-  expires_in: 120,
-  session_state: "test-session-state",
-};
+import { AuthService } from "../auth/auth.service";
 
 describe("RemoteSessionService", () => {
   let service: RemoteSession;
-  let mockHttpClient: jasmine.SpyObj<HttpClient>;
-  let dbUser: DatabaseUser;
+  let mockAuthService: jasmine.SpyObj<AuthService>;
 
   beforeEach(() => {
     environment.session_type = SessionType.mock;
-    mockHttpClient = jasmine.createSpyObj(["post"]);
-    mockHttpClient.post.and.callFake(remoteSessionHttpFake);
+    mockAuthService = jasmine.createSpyObj(["authenticate", "logout"]);
+    // Remote session allows TEST_USER and TEST_PASSWORD as valid credentials
+    mockAuthService.authenticate.and.callFake(async (u, p) => {
+      if (u === TEST_USER && p === TEST_PASSWORD) {
+        return { name: TEST_USER, roles: ["user_app"] };
+      } else {
+        throw new HttpErrorResponse({
+          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+        });
+      }
+    });
 
     TestBed.configureTestingModule({
       providers: [
         RemoteSession,
         LoggingService,
-        { provide: HttpClient, useValue: mockHttpClient },
-        { provide: Keycloak, useValue: { login: () => undefined } },
+        { provide: AuthService, useValue: mockAuthService },
       ],
     });
 
-    // Remote session allows TEST_USER and TEST_PASSWORD as valid credentials
-    dbUser = { name: TEST_USER, roles: ["user_app"] };
     service = TestBed.inject(RemoteSession);
   });
 
-  afterEach(() =>
-    window.localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY)
-  );
-
   it("should be unavailable if requests fails with error other than 401", async () => {
-    mockHttpClient.post.and.returnValue(
-      throwError(() => new HttpErrorResponse({ status: 501 }))
+    mockAuthService.authenticate.and.rejectWith(
+      new HttpErrorResponse({ status: 501 })
     );
 
     await service.login(TEST_USER, TEST_PASSWORD);
@@ -90,56 +48,5 @@ describe("RemoteSessionService", () => {
     expect(service.loginState.value).toBe(LoginState.UNAVAILABLE);
   });
 
-  it("should request token and store refresh token in local storage", async () => {
-    await service.login(TEST_USER, TEST_PASSWORD);
-
-    expect(window.localStorage.getItem(RemoteSession.REFRESH_TOKEN_KEY)).toBe(
-      "test-refresh-token"
-    );
-  });
-
-  it("should store access token in remote session", async () => {
-    await service.login(TEST_USER, TEST_PASSWORD);
-
-    expect(service.accessToken).toBe(jwtTokenResponse.access_token);
-  });
-
-  it("should take username and roles from jwtToken", async () => {
-    await service.login(TEST_USER, TEST_PASSWORD);
-
-    expect(service.getCurrentUser()).toEqual(dbUser);
-  });
-
-  it("should update token before it expires", fakeAsync(() => {
-    // token has 2 minutes expiration time
-    service.login(TEST_USER, TEST_PASSWORD);
-    tick();
-
-    mockHttpClient.post.calls.reset();
-    const newToken = { ...jwtTokenResponse, access_token: "new.token" };
-    // mock token cannot be parsed as JwtToken
-    spyOn(window, "atob").and.returnValue('{"decoded": "token"}');
-    mockHttpClient.post.and.returnValue(of(newToken));
-    // should refresh token one minute before it expires
-    tick(60 * 1000);
-
-    expect(mockHttpClient.post).toHaveBeenCalled();
-    expect(service.accessToken).toBe("new.token");
-
-    // clear timeouts
-    service.logout();
-  }));
-
-  it("should call keycloak for a password reset", () => {
-    const keycloak = TestBed.inject(Keycloak);
-    spyOn(keycloak, "login");
-
-    service.resetPassword();
-
-    expect(keycloak.login).toHaveBeenCalledWith(
-      jasmine.objectContaining({ action: "UPDATE_PASSWORD" })
-    );
-  });
-
   testSessionServiceImplementation(() => Promise.resolve(service));
 });
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 66b34c740c..c2d053c743 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -15,21 +15,15 @@
  *     along with ndb-core.  If not, see <http://www.gnu.org/licenses/>.
  */
 import { Injectable } from "@angular/core";
-import {
-  HttpClient,
-  HttpErrorResponse,
-  HttpHeaders,
-} from "@angular/common/http";
+import { HttpErrorResponse } from "@angular/common/http";
 import { DatabaseUser } from "./local-user";
 import { SessionService } from "./session.service";
 import { LoginState } from "../session-states/login-state.enum";
 import { PouchDatabase } from "../../database/pouch-database";
 import { LoggingService } from "../../logging/logging.service";
 import PouchDB from "pouchdb-browser";
-import { firstValueFrom } from "rxjs";
-import { parseJwt } from "../../../utils/utils";
 import { AppSettings } from "app/core/app-config/app-settings";
-import Keycloak from "keycloak-js";
+import { AuthService } from "../auth/auth.service";
 
 /**
  * Responsibilities:
@@ -47,16 +41,12 @@ export class RemoteSession extends SessionService {
   private readonly database: PouchDatabase;
   private currentDBUser: DatabaseUser;
 
-  public accessToken: string;
-  private refreshTokenTimeout;
-
   /**
-   * Create a RemoteSession and set up connection to the remote CouchDB server configured in AppConfig.
+   * Create a RemoteSession and set up connection to the remote CouchDB server with valid authentication.
    */
   constructor(
-    private httpClient: HttpClient,
     private loggingService: LoggingService,
-    public keycloak: Keycloak
+    private authService: AuthService
   ) {
     super();
     this.database = new PouchDatabase(this.loggingService);
@@ -69,8 +59,7 @@ export class RemoteSession extends SessionService {
    */
   public async login(username: string, password: string): Promise<LoginState> {
     try {
-      const token = await this.authenticate(username, password);
-      const user = await this.processToken(token);
+      const user = await this.authService.authenticate(username, password);
       await this.handleSuccessfulLogin(user);
       localStorage.setItem(
         RemoteSession.LAST_LOGIN_KEY,
@@ -88,59 +77,6 @@ export class RemoteSession extends SessionService {
     return this.loginState.value;
   }
 
-  private authenticate(username: string, password: string): Promise<JwtToken> {
-    const body = new URLSearchParams();
-    body.set("username", username);
-    body.set("password", password);
-    body.set("grant_type", "password");
-    return this.getToken(body);
-  }
-
-  public refreshToken(): Promise<JwtToken> {
-    const body = new URLSearchParams();
-    const token = localStorage.getItem(RemoteSession.REFRESH_TOKEN_KEY);
-    body.set("refresh_token", token);
-    body.set("grant_type", "refresh_token");
-    return this.getToken(body);
-  }
-
-  private getToken(body: URLSearchParams): Promise<JwtToken> {
-    body.set("client_id", "app");
-    const options = {
-      headers: new HttpHeaders().set(
-        "Content-Type",
-        "application/x-www-form-urlencoded"
-      ),
-    };
-    return firstValueFrom(
-      this.httpClient.post<JwtToken>(
-        `${this.keycloak.authServerUrl}realms/${this.keycloak.realm}/protocol/openid-connect/token`,
-        body.toString(),
-        options
-      )
-    );
-  }
-
-  public async processToken(token: JwtToken): Promise<DatabaseUser> {
-    this.accessToken = token.access_token;
-    localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, token.refresh_token);
-    this.refreshTokenBeforeExpiry(token.expires_in);
-    const parsedToken = parseJwt(this.accessToken);
-    return {
-      name: parsedToken.username,
-      roles: parsedToken["_couchdb.roles"],
-    };
-  }
-
-  private refreshTokenBeforeExpiry(secondsTillExpiration: number) {
-    // Refresh token one minute before it expires or after ten seconds
-    const refreshTimeout = Math.max(10, secondsTillExpiration - 60);
-    this.refreshTokenTimeout = setTimeout(async () => {
-      const token = await this.refreshToken();
-      await this.processToken(token);
-    }, refreshTimeout * 1000);
-  }
-
   public async handleSuccessfulLogin(userObject: DatabaseUser) {
     this.database.initIndexedDB(
       `${AppSettings.DB_PROXY_PREFIX}/${AppSettings.DB_NAME}`,
@@ -149,7 +85,7 @@ export class RemoteSession extends SessionService {
         skip_setup: true,
         fetch: (url, opts: any) => {
           if (typeof url === "string") {
-            opts.headers.set("Authorization", "Bearer " + this.accessToken);
+            this.authService.addAuthHeader(opts.headers);
             return PouchDB.fetch(
               AppSettings.DB_PROXY_PREFIX +
                 url.split(AppSettings.DB_PROXY_PREFIX)[1],
@@ -167,8 +103,7 @@ export class RemoteSession extends SessionService {
    * Logout at the remote database.
    */
   public logout(): void {
-    clearTimeout(this.refreshTokenTimeout);
-    window.localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY);
+    this.authService.logout();
     this.currentDBUser = undefined;
     this.loginState.next(LoginState.LOGGED_OUT);
   }
@@ -185,22 +120,4 @@ export class RemoteSession extends SessionService {
   getDatabase(): PouchDatabase {
     return this.database;
   }
-
-  /**
-   * Open password reset page in browser.
-   * Only works with internet connection.
-   */
-  resetPassword() {
-    this.keycloak.login({
-      action: "UPDATE_PASSWORD",
-      redirectUri: location.href,
-    });
-  }
-}
-
-export interface JwtToken {
-  access_token: string;
-  refresh_token: string;
-  expires_in: number;
-  session_state: string;
 }
diff --git a/src/app/core/session/session-service/synced-session.service.spec.ts b/src/app/core/session/session-service/synced-session.service.spec.ts
index 0a125af940..b26d6ef3bf 100644
--- a/src/app/core/session/session-service/synced-session.service.spec.ts
+++ b/src/app/core/session/session-service/synced-session.service.spec.ts
@@ -21,8 +21,7 @@ import { LocalSession } from "./local-session";
 import { RemoteSession } from "./remote-session";
 import { SessionType } from "../session-type";
 import { fakeAsync, flush, TestBed, tick } from "@angular/core/testing";
-import { HttpClient, HttpErrorResponse } from "@angular/common/http";
-import { of, throwError } from "rxjs";
+import { HttpErrorResponse } from "@angular/common/http";
 import { NoopAnimationsModule } from "@angular/platform-browser/animations";
 import { DatabaseUser } from "./local-user";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
@@ -32,7 +31,7 @@ import { PouchDatabase } from "../../database/pouch-database";
 import { SessionModule } from "../session.module";
 import { LOCATION_TOKEN } from "../../../utils/di-tokens";
 import { environment } from "../../../../environments/environment";
-import { jwtTokenResponse, remoteSessionHttpFake } from "./remote-session.spec";
+import { AuthService } from "../auth/auth.service";
 
 describe("SyncedSessionService", () => {
   let sessionService: SyncedSessionService;
@@ -47,20 +46,27 @@ describe("SyncedSessionService", () => {
   let dbUser: DatabaseUser;
   let syncSpy: jasmine.Spy<() => Promise<void>>;
   let liveSyncSpy: jasmine.Spy<() => void>;
-  let mockHttpClient: jasmine.SpyObj<HttpClient>;
+  let mockAuthService: jasmine.SpyObj<AuthService>;
   let mockLocation: jasmine.SpyObj<Location>;
 
   beforeEach(() => {
-    mockHttpClient = jasmine.createSpyObj(["post"]);
-    mockHttpClient.post.and.returnValue(
-      throwError(() => new HttpErrorResponse({}))
-    );
     mockLocation = jasmine.createSpyObj(["reload"]);
+    mockAuthService = jasmine.createSpyObj(["authenticate", "autoLogin"]);
+    mockAuthService.autoLogin.and.rejectWith();
+    mockAuthService.authenticate.and.callFake(async (u, p) => {
+      if (u === TEST_USER && p === TEST_PASSWORD) {
+        return dbUser;
+      } else {
+        throw new HttpErrorResponse({
+          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+        });
+      }
+    });
     TestBed.configureTestingModule({
       imports: [SessionModule, NoopAnimationsModule, FontAwesomeTestingModule],
       providers: [
         PouchDatabase,
-        { provide: HttpClient, useValue: mockHttpClient },
+        { provide: AuthService, useValue: mockAuthService },
         { provide: LOCATION_TOKEN, useValue: mockLocation },
       ],
     });
@@ -73,7 +79,6 @@ describe("SyncedSessionService", () => {
     // Setting up local and remote session to accept TEST_USER and TEST_PASSWORD as valid credentials
     dbUser = { name: TEST_USER, roles: ["user_app"] };
     localSession.saveUser({ name: TEST_USER, roles: [] }, TEST_PASSWORD);
-    mockHttpClient.post.and.callFake(remoteSessionHttpFake);
 
     localLoginSpy = spyOn(localSession, "login").and.callThrough();
     remoteLoginSpy = spyOn(remoteSession, "login").and.callThrough();
@@ -244,32 +249,18 @@ describe("SyncedSessionService", () => {
     tick();
   }));
 
-  it("should login, if there is a valid refresh token", fakeAsync(() => {
-    localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, "some-refresh-token");
-    mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
-    sessionService.checkForValidSession();
-    tick();
-    expect(sessionService.loginState.value).toEqual(LoginState.LOGGED_IN);
-    localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY);
-    sessionService.logout();
-  }));
+  it("should login, if the session is still valid", fakeAsync(() => {
+    mockAuthService.autoLogin.and.resolveTo(dbUser);
 
-  it("should not login, given that there is no valid CouchDB cookie", fakeAsync(() => {
-    mockHttpClient.post.and.returnValue(
-      throwError(() => new HttpErrorResponse({}))
-    );
     sessionService.checkForValidSession();
     tick();
-    expect(sessionService.loginState.value).toEqual(LoginState.LOGGED_OUT);
+    expect(sessionService.loginState.value).toEqual(LoginState.LOGGED_IN);
   }));
 
   testSessionServiceImplementation(() => Promise.resolve(sessionService));
 
   function passRemoteLogin(response: DatabaseUser = { name: "", roles: [] }) {
-    remoteLoginSpy.and.callFake(() => {
-      remoteSession.handleSuccessfulLogin(response);
-      return Promise.resolve(LoginState.LOGGED_IN);
-    });
+    mockAuthService.authenticate.and.resolveTo(response);
   }
 
   function failRemoteLogin(offline = false) {
@@ -279,6 +270,6 @@ describe("SyncedSessionService", () => {
         status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
       });
     }
-    mockHttpClient.post.and.returnValue(throwError(rejectError));
+    mockAuthService.authenticate.and.rejectWith(rejectError);
   }
 });
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index b694ab1d57..1289e9b796 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -31,6 +31,7 @@ import { waitForChangeTo } from "../session-states/session-utils";
 import { zip } from "rxjs";
 import { filter } from "rxjs/operators";
 import { LOCATION_TOKEN } from "../../../utils/di-tokens";
+import { AuthService } from "../auth/auth.service";
 
 /**
  * A synced session creates and manages a LocalSession and a RemoteSession
@@ -55,6 +56,7 @@ export class SyncedSessionService extends SessionService {
     private httpClient: HttpClient,
     private localSession: LocalSession,
     private remoteSession: RemoteSession,
+    private authService: AuthService,
     @Inject(LOCATION_TOKEN) private location: Location
   ) {
     super();
@@ -70,13 +72,11 @@ export class SyncedSessionService extends SessionService {
   }
 
   /**
-   * Do login automatically if there is still a valid CouchDB cookie from last login with username and password
+   * Do log in automatically if there is still a valid CouchDB cookie from last login with username and password
    */
   checkForValidSession() {
-    this.remoteSession.keycloak
-      .init({})
-      .then(() => this.remoteSession.refreshToken())
-      .then((token) => this.remoteSession.processToken(token))
+    this.authService
+      .autoLogin()
       .then((user) => this.handleSuccessfulLogin(user))
       .catch(() => undefined);
   }
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index cf9b9aed85..187cb52537 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -36,7 +36,8 @@ import { RemoteSession } from "./session-service/remote-session";
 import { SessionService } from "./session-service/session.service";
 import { SessionType } from "./session-type";
 import { environment } from "../../../environments/environment";
-import Keycloak from "keycloak-js";
+import { AuthService } from "./auth/auth.service";
+import { KeycloakAuthService } from "./auth/keycloak-auth.service";
 
 /**
  * The core session logic handling user login as well as connection and synchronization with the remote database.
@@ -79,7 +80,7 @@ import Keycloak from "keycloak-js";
       },
       deps: [Injector],
     },
-    { provide: Keycloak, useValue: new Keycloak("assets/keycloak.json") },
+    { provide: AuthService, useClass: KeycloakAuthService },
   ],
 })
 export class SessionModule {}
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 9a0823a93d..0ecdb4870d 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -42,7 +42,7 @@
             angulartics2On="click"
             angularticsCategory="User"
             angularticsAction="password_update"
-            (click)="remoteSession?.resetPassword()"
+            (click)="authService.changePassword()"
             [disabled]="disabledForDemoMode || disabledForOfflineMode"
             i18n="Button which opens password reset page"
           >
diff --git a/src/app/core/user/user-account/user-account.component.spec.ts b/src/app/core/user/user-account/user-account.component.spec.ts
index a2c9fe3acf..58494a0bb2 100644
--- a/src/app/core/user/user-account/user-account.component.spec.ts
+++ b/src/app/core/user/user-account/user-account.component.spec.ts
@@ -25,6 +25,7 @@ import { LoggingService } from "../../logging/logging.service";
 import { TabStateModule } from "../../../utils/tab-state/tab-state.module";
 import { RouterTestingModule } from "@angular/router/testing";
 import { Angulartics2Module } from "angulartics2";
+import { AuthService } from "../../session/auth/auth.service";
 
 describe("UserAccountComponent", () => {
   let component: UserAccountComponent;
@@ -53,6 +54,7 @@ describe("UserAccountComponent", () => {
       ],
       providers: [
         { provide: SessionService, useValue: mockSessionService },
+        { provide: AuthService, useValue: { changePassword: () => undefined } },
         { provide: LoggingService, useValue: mockLoggingService },
       ],
     });
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index 90b34e7fd3..505c2f50f3 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -15,9 +15,11 @@
  *     along with ndb-core.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-import { Component, OnInit, Optional } from "@angular/core";
+import { Component, OnInit } from "@angular/core";
 import { SessionService } from "../../session/session-service/session.service";
-import { RemoteSession } from "../../session/session-service/remote-session";
+import { environment } from "../../../../environments/environment";
+import { SessionType } from "../../session/session-type";
+import { AuthService } from "../../session/auth/auth.service";
 
 /**
  * User account form to allow the user to view and edit information.
@@ -37,7 +39,7 @@ export class UserAccountComponent implements OnInit {
 
   constructor(
     private sessionService: SessionService,
-    @Optional() public remoteSession: RemoteSession
+    public authService: AuthService
   ) {}
 
   ngOnInit() {
@@ -49,7 +51,7 @@ export class UserAccountComponent implements OnInit {
     this.disabledForDemoMode = false;
     this.disabledForOfflineMode = false;
 
-    if (!this.remoteSession) {
+    if (environment.session_type !== SessionType.synced) {
       this.disabledForDemoMode = true;
     } else if (!navigator.onLine) {
       this.disabledForOfflineMode = true;

From cdcd433af6b1fe28a1ff654eded3aded29f78bcc Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 11 Aug 2022 11:43:41 +0200
Subject: [PATCH 24/42] re-implemented couchdb auth as alternative to keycloak

---
 .../session/auth/couchdb-auth.service.spec.ts |  18 +++
 .../core/session/auth/couchdb-auth.service.ts | 111 ++++++++++++++++++
 .../session/session-service/remote-session.ts |   4 +-
 .../session-service/synced-session.service.ts |   4 +-
 src/app/core/session/session.module.ts        |   3 +-
 5 files changed, 135 insertions(+), 5 deletions(-)
 create mode 100644 src/app/core/session/auth/couchdb-auth.service.spec.ts
 create mode 100644 src/app/core/session/auth/couchdb-auth.service.ts

diff --git a/src/app/core/session/auth/couchdb-auth.service.spec.ts b/src/app/core/session/auth/couchdb-auth.service.spec.ts
new file mode 100644
index 0000000000..715ec643b7
--- /dev/null
+++ b/src/app/core/session/auth/couchdb-auth.service.spec.ts
@@ -0,0 +1,18 @@
+import { TestBed } from "@angular/core/testing";
+
+import { CouchdbAuthService } from "./couchdb-auth.service";
+
+describe("CouchdbAuthService", () => {
+  let service: CouchdbAuthService;
+
+  beforeEach(() => {
+    TestBed.configureTestingModule({
+      providers: [CouchdbAuthService],
+    });
+    service = TestBed.inject(CouchdbAuthService);
+  });
+
+  it("should be created", () => {
+    expect(service).toBeTruthy();
+  });
+});
diff --git a/src/app/core/session/auth/couchdb-auth.service.ts b/src/app/core/session/auth/couchdb-auth.service.ts
new file mode 100644
index 0000000000..82b899c4fd
--- /dev/null
+++ b/src/app/core/session/auth/couchdb-auth.service.ts
@@ -0,0 +1,111 @@
+import { Injectable } from "@angular/core";
+import { AuthService } from "./auth.service";
+import {
+  HttpClient,
+  HttpErrorResponse,
+  HttpHeaders,
+} from "@angular/common/http";
+import { firstValueFrom } from "rxjs";
+import { DatabaseUser } from "../session-service/local-user";
+import { AppSettings } from "../../app-config/app-settings";
+import { RemoteSession } from "../session-service/remote-session";
+
+@Injectable()
+export class CouchdbAuthService extends AuthService {
+  private static readonly COUCHDB_USER_ENDPOINT = "/db/_users/org.couchdb.user";
+
+  constructor(private http: HttpClient) {
+    super();
+  }
+
+  addAuthHeader() {
+    return;
+  }
+
+  authenticate(username: string, password: string): Promise<DatabaseUser> {
+    return firstValueFrom(
+      this.http.post<DatabaseUser>(
+        `${AppSettings.DB_PROXY_PREFIX}/_session`,
+        { name: username, password: password },
+        { withCredentials: true }
+      )
+    );
+  }
+
+  autoLogin(): Promise<any> {
+    return firstValueFrom(
+      this.http.get<{ userCtx: DatabaseUser }>(
+        `${AppSettings.DB_PROXY_PREFIX}/_session`,
+        { withCredentials: true }
+      )
+    ).then((res: any) => {
+      if (res.userCtx.name) {
+        return res.userCtx;
+      } else {
+        throw new HttpErrorResponse({
+          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+        });
+      }
+    });
+  }
+
+  /**
+   * Function to change the password of a user
+   * @param username The username for which the password should be changed
+   * @param oldPassword The current plaintext password of the user
+   * @param newPassword The new plaintext password of the user
+   * @return Promise that resolves once the password is changed in _user and the database
+   */
+  public async changePassword(
+    username?: string,
+    oldPassword?: string,
+    newPassword?: string
+  ): Promise<void> {
+    let userResponse;
+    try {
+      // TODO due to cookie-auth, the old password is actually not checked
+      userResponse = await this.getCouchDBUser(username, oldPassword);
+    } catch (e) {
+      throw new Error("Current password incorrect or server not available");
+    }
+
+    userResponse.password = newPassword;
+    try {
+      await this.saveNewPasswordToCouchDB(username, oldPassword, userResponse);
+    } catch (e) {
+      throw new Error(
+        "Could not save new password, please contact your system administrator"
+      );
+    }
+  }
+
+  private getCouchDBUser(username: string, password: string): Promise<any> {
+    const userUrl = CouchdbAuthService.COUCHDB_USER_ENDPOINT + ":" + username;
+    const headers: HttpHeaders = new HttpHeaders({
+      Authorization: "Basic " + btoa(username + ":" + password),
+    });
+    return firstValueFrom(this.http.get(userUrl, { headers: headers }));
+  }
+
+  private saveNewPasswordToCouchDB(
+    username: string,
+    oldPassword: string,
+    userObj: any
+  ): Promise<any> {
+    const userUrl = CouchdbAuthService.COUCHDB_USER_ENDPOINT + ":" + username;
+    const headers: HttpHeaders = new HttpHeaders({
+      Authorization: "Basic " + btoa(username + ":" + oldPassword),
+    });
+    return firstValueFrom(
+      this.http.put(userUrl, userObj, { headers: headers })
+    );
+  }
+
+  logout(): Promise<any> {
+    return firstValueFrom(
+      this.http.delete(`${AppSettings.DB_PROXY_PREFIX}/_session`, {
+        withCredentials: true,
+      })
+    );
+  }
+}
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index c2d053c743..584d58c9c2 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -102,8 +102,8 @@ export class RemoteSession extends SessionService {
   /**
    * Logout at the remote database.
    */
-  public logout(): void {
-    this.authService.logout();
+  public async logout(): Promise<void> {
+    await this.authService.logout();
     this.currentDBUser = undefined;
     this.loginState.next(LoginState.LOGGED_OUT);
   }
diff --git a/src/app/core/session/session-service/synced-session.service.ts b/src/app/core/session/session-service/synced-session.service.ts
index 1289e9b796..74c9fb1d51 100644
--- a/src/app/core/session/session-service/synced-session.service.ts
+++ b/src/app/core/session/session-service/synced-session.service.ts
@@ -293,11 +293,11 @@ export class SyncedSessionService extends SessionService {
    * Logout and stop any existing sync.
    * also see {@link SessionService}
    */
-  public logout() {
+  public async logout() {
     this.cancelLoginOfflineRetry();
     this.cancelLiveSync();
     this.localSession.logout();
-    this.remoteSession.logout();
+    await this.remoteSession.logout();
     this.location.reload();
     this.loginState.next(LoginState.LOGGED_OUT);
   }
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index 187cb52537..24aae95be5 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -38,6 +38,7 @@ import { SessionType } from "./session-type";
 import { environment } from "../../../environments/environment";
 import { AuthService } from "./auth/auth.service";
 import { KeycloakAuthService } from "./auth/keycloak-auth.service";
+import { CouchdbAuthService } from "./auth/couchdb-auth.service";
 
 /**
  * The core session logic handling user login as well as connection and synchronization with the remote database.
@@ -80,7 +81,7 @@ import { KeycloakAuthService } from "./auth/keycloak-auth.service";
       },
       deps: [Injector],
     },
-    { provide: AuthService, useClass: KeycloakAuthService },
+    { provide: AuthService, useClass: CouchdbAuthService },
   ],
 })
 export class SessionModule {}

From 9d9e76c1b54af17a92d029f654da8e14c5b37f73 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 11 Aug 2022 12:21:54 +0200
Subject: [PATCH 25/42] re-added tests for CouchDB auth

---
 .../session/auth/couchdb-auth.service.spec.ts | 89 ++++++++++++++++++-
 .../core/session/auth/couchdb-auth.service.ts |  2 +-
 .../session-service/session.service.spec.ts   |  2 +-
 .../synced-session.service.spec.ts            |  6 +-
 src/app/core/session/session.module.ts        |  4 +-
 5 files changed, 97 insertions(+), 6 deletions(-)

diff --git a/src/app/core/session/auth/couchdb-auth.service.spec.ts b/src/app/core/session/auth/couchdb-auth.service.spec.ts
index 715ec643b7..e48f93eb71 100644
--- a/src/app/core/session/auth/couchdb-auth.service.spec.ts
+++ b/src/app/core/session/auth/couchdb-auth.service.spec.ts
@@ -1,13 +1,37 @@
 import { TestBed } from "@angular/core/testing";
 
 import { CouchdbAuthService } from "./couchdb-auth.service";
+import { HttpClient, HttpErrorResponse } from "@angular/common/http";
+import { of, throwError } from "rxjs";
+import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
+import { RemoteSession } from "../session-service/remote-session";
 
 describe("CouchdbAuthService", () => {
   let service: CouchdbAuthService;
+  let mockHttpClient: jasmine.SpyObj<HttpClient>;
+  let dbUser = { name: TEST_USER, roles: ["user_app"] };
 
   beforeEach(() => {
+    mockHttpClient = jasmine.createSpyObj(["get", "post", "put"]);
+    mockHttpClient.get.and.returnValue(throwError(() => new Error()));
+    mockHttpClient.post.and.callFake((url, body) => {
+      if (body.name === TEST_USER && body.password === TEST_PASSWORD) {
+        return of(dbUser as any);
+      } else {
+        return throwError(
+          () =>
+            new HttpErrorResponse({
+              status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+            })
+        );
+      }
+    });
+
     TestBed.configureTestingModule({
-      providers: [CouchdbAuthService],
+      providers: [
+        CouchdbAuthService,
+        { provide: HttpClient, useValue: mockHttpClient },
+      ],
     });
     service = TestBed.inject(CouchdbAuthService);
   });
@@ -15,4 +39,67 @@ describe("CouchdbAuthService", () => {
   it("should be created", () => {
     expect(service).toBeTruthy();
   });
+
+  it("should return the current user after successful login", async () => {
+    const user = await service.authenticate(TEST_USER, TEST_PASSWORD);
+    expect(user).toEqual(dbUser);
+  });
+
+  it("should login, given that CouchDB cookie is still valid", async () => {
+    const responseObject = {
+      ok: true,
+      userCtx: dbUser,
+      info: {
+        authentication_handlers: ["cookie", "default"],
+        authenticated: "default",
+      },
+    };
+    mockHttpClient.get.and.returnValue(of(responseObject));
+    const user = await service.autoLogin();
+
+    expect(user).toEqual(responseObject.userCtx);
+  });
+
+  it("should not login, given that there is no valid CouchDB cookie", () => {
+    const responseObject = {
+      ok: true,
+      userCtx: {
+        name: null,
+        roles: [],
+      },
+      info: {
+        authentication_handlers: ["cookie", "default"],
+      },
+    };
+    mockHttpClient.get.and.returnValue(of(responseObject));
+    return expectAsync(service.autoLogin()).toBeRejected();
+  });
+
+  it("should reject if current user cant be fetched", () => {
+    mockHttpClient.get.and.returnValue(throwError(() => new Error()));
+
+    return expectAsync(
+      service.changePassword("username", "wrongPW", "")
+    ).toBeRejected();
+  });
+
+  it("should report error when new Password cannot be saved", async () => {
+    mockHttpClient.get.and.returnValues(of({}));
+    mockHttpClient.put.and.returnValue(throwError(() => new Error()));
+
+    await expectAsync(
+      service.changePassword("username", "testPW", "")
+    ).toBeRejected();
+    expect(mockHttpClient.get).toHaveBeenCalled();
+    expect(mockHttpClient.put).toHaveBeenCalled();
+  });
+
+  it("should not fail if get and put requests are successful", () => {
+    mockHttpClient.get.and.returnValues(of({}));
+    mockHttpClient.put.and.returnValues(of({}));
+
+    return expectAsync(
+      service.changePassword("username", "testPW", "newPW")
+    ).not.toBeRejected();
+  });
 });
diff --git a/src/app/core/session/auth/couchdb-auth.service.ts b/src/app/core/session/auth/couchdb-auth.service.ts
index 82b899c4fd..36103459ce 100644
--- a/src/app/core/session/auth/couchdb-auth.service.ts
+++ b/src/app/core/session/auth/couchdb-auth.service.ts
@@ -12,7 +12,7 @@ import { RemoteSession } from "../session-service/remote-session";
 
 @Injectable()
 export class CouchdbAuthService extends AuthService {
-  private static readonly COUCHDB_USER_ENDPOINT = "/db/_users/org.couchdb.user";
+  private static readonly COUCHDB_USER_ENDPOINT = `${AppSettings.DB_PROXY_PREFIX}/_users/org.couchdb.user`;
 
   constructor(private http: HttpClient) {
     super();
diff --git a/src/app/core/session/session-service/session.service.spec.ts b/src/app/core/session/session-service/session.service.spec.ts
index 12adf3ef24..ee52ff8f77 100644
--- a/src/app/core/session/session-service/session.service.spec.ts
+++ b/src/app/core/session/session-service/session.service.spec.ts
@@ -82,7 +82,7 @@ export function testSessionServiceImplementation(
     const loginResult = await sessionService.login(TEST_USER, TEST_PASSWORD);
     expect(loginResult).toEqual(LoginState.LOGGED_IN);
 
-    sessionService.logout();
+    await sessionService.logout();
     expectNotToBeLoggedIn(LoginState.LOGGED_OUT);
   });
 
diff --git a/src/app/core/session/session-service/synced-session.service.spec.ts b/src/app/core/session/session-service/synced-session.service.spec.ts
index b26d6ef3bf..8b60bae34d 100644
--- a/src/app/core/session/session-service/synced-session.service.spec.ts
+++ b/src/app/core/session/session-service/synced-session.service.spec.ts
@@ -51,7 +51,11 @@ describe("SyncedSessionService", () => {
 
   beforeEach(() => {
     mockLocation = jasmine.createSpyObj(["reload"]);
-    mockAuthService = jasmine.createSpyObj(["authenticate", "autoLogin"]);
+    mockAuthService = jasmine.createSpyObj([
+      "authenticate",
+      "autoLogin",
+      "logout",
+    ]);
     mockAuthService.autoLogin.and.rejectWith();
     mockAuthService.authenticate.and.callFake(async (u, p) => {
       if (u === TEST_USER && p === TEST_PASSWORD) {
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index 24aae95be5..d24fcc1ebb 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -38,7 +38,6 @@ import { SessionType } from "./session-type";
 import { environment } from "../../../environments/environment";
 import { AuthService } from "./auth/auth.service";
 import { KeycloakAuthService } from "./auth/keycloak-auth.service";
-import { CouchdbAuthService } from "./auth/couchdb-auth.service";
 
 /**
  * The core session logic handling user login as well as connection and synchronization with the remote database.
@@ -81,7 +80,8 @@ import { CouchdbAuthService } from "./auth/couchdb-auth.service";
       },
       deps: [Injector],
     },
-    { provide: AuthService, useClass: CouchdbAuthService },
+    // TODO how do we differentiate between Keycloak and CouchDB auth?
+    { provide: AuthService, useClass: KeycloakAuthService },
   ],
 })
 export class SessionModule {}

From 1858bf3899d8242d37b2ac755cbf6d985c94278f Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 11 Aug 2022 12:45:15 +0200
Subject: [PATCH 26/42] added documenation and cleaned up code

---
 build/Dockerfile                              |  4 +--
 src/app/core/session/auth/auth.service.ts     | 25 +++++++++++++++++++
 .../session/auth/couchdb-auth.service.spec.ts |  2 +-
 .../core/session/auth/couchdb-auth.service.ts |  1 +
 4 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/build/Dockerfile b/build/Dockerfile
index 8ba867be4a..e82161566d 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -68,10 +68,8 @@ COPY --from=builder /app/dist/ /usr/share/nginx/html
 ENV PORT=80
 # The url to the CouchDB database
 ENV COUCHDB_URL="http://localhost"
-# The url to the Keycloak server
-ENV KEYCLOAK_URL="http://localhost"
 # Whether the app should be started in demo mode. Everything else then "true" is considered as "false".
 ENV DEMO="true"
 # variables are inserted into the nginx config
-CMD envsubst '$$PORT $$COUCHDB_URL $$DEMO $$KEYCLOAK_URL' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\
+CMD envsubst '$$PORT $$COUCHDB_URL $$DEMO' < /etc/nginx/templates/default.conf > /etc/nginx/conf.d/default.conf &&\
     nginx -g 'daemon off;'
diff --git a/src/app/core/session/auth/auth.service.ts b/src/app/core/session/auth/auth.service.ts
index ebe3feb581..765bb022ca 100644
--- a/src/app/core/session/auth/auth.service.ts
+++ b/src/app/core/session/auth/auth.service.ts
@@ -1,17 +1,42 @@
 import { HttpHeaders } from "@angular/common/http";
 import { DatabaseUser } from "../session-service/local-user";
 
+/**
+ * Abstract class that handles user authentication and password change.
+ * Implement this for different authentication providers.
+ */
 export abstract class AuthService {
+
+  /**
+   * Authenticate a user with credentials.
+   * @param username The username of the user
+   * @param password The password of the user
+   * @returns Promise that resolves with the user if the login was successful, rejects otherwise.
+   */
   abstract authenticate(
     username: string,
     password: string
   ): Promise<DatabaseUser>;
 
+  /**
+   * Authenticate a user without credentials based on a still valid session.
+   * @returns Promise that resolves with the user if the session is still valid, rejects otherwise.
+   */
   abstract autoLogin(): Promise<DatabaseUser>;
 
+  /**
+   * Add headers to requests send by PouchDB if required for authentication.
+   * @param headers the object where further headers can be added
+   */
   abstract addAuthHeader(headers: HttpHeaders);
 
+  /**
+   * Clear the local session of the currently logged-in user.
+   */
   abstract logout(): Promise<void>;
 
+  /**
+   * Change the password of a user.
+   */
   abstract changePassword(): Promise<any>;
 }
diff --git a/src/app/core/session/auth/couchdb-auth.service.spec.ts b/src/app/core/session/auth/couchdb-auth.service.spec.ts
index e48f93eb71..ae6812d269 100644
--- a/src/app/core/session/auth/couchdb-auth.service.spec.ts
+++ b/src/app/core/session/auth/couchdb-auth.service.spec.ts
@@ -14,7 +14,7 @@ describe("CouchdbAuthService", () => {
   beforeEach(() => {
     mockHttpClient = jasmine.createSpyObj(["get", "post", "put"]);
     mockHttpClient.get.and.returnValue(throwError(() => new Error()));
-    mockHttpClient.post.and.callFake((url, body) => {
+    mockHttpClient.post.and.callFake((_url, body) => {
       if (body.name === TEST_USER && body.password === TEST_PASSWORD) {
         return of(dbUser as any);
       } else {
diff --git a/src/app/core/session/auth/couchdb-auth.service.ts b/src/app/core/session/auth/couchdb-auth.service.ts
index 36103459ce..092a249c7a 100644
--- a/src/app/core/session/auth/couchdb-auth.service.ts
+++ b/src/app/core/session/auth/couchdb-auth.service.ts
@@ -19,6 +19,7 @@ export class CouchdbAuthService extends AuthService {
   }
 
   addAuthHeader() {
+    // auth happens through cookie
     return;
   }
 

From d3f4dca2c1fc36efb47f5e92777d3edbe1cc38f5 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 11 Aug 2022 14:37:15 +0200
Subject: [PATCH 27/42] fix keycloak test

---
 src/app/core/session/auth/keycloak-auth.service.spec.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/app/core/session/auth/keycloak-auth.service.spec.ts b/src/app/core/session/auth/keycloak-auth.service.spec.ts
index ebdb2a2f98..d5e14a52f0 100644
--- a/src/app/core/session/auth/keycloak-auth.service.spec.ts
+++ b/src/app/core/session/auth/keycloak-auth.service.spec.ts
@@ -64,8 +64,8 @@ describe("KeycloakAuthService", () => {
     });
     dbUser = { name: TEST_USER, roles: ["user_app"] };
     service = TestBed.inject(KeycloakAuthService);
-    // Wait for keycloak to be initialized
-    return service["keycloakReady"];
+    // Mock initialization of keycloak
+    service["keycloakReady"] = Promise.resolve() as any;
   });
 
   afterEach(() =>

From 169cab1af88088d5e1f3740566de9cbbdfa12bc2 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 17 Aug 2022 13:47:54 +0200
Subject: [PATCH 28/42] Fix typo

Co-authored-by: Sebastian <sebastian.leidig@gmail.com>
---
 src/app/core/user/user-account/user-account.component.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 0ecdb4870d..2b819ae5ab 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -46,7 +46,7 @@
             [disabled]="disabledForDemoMode || disabledForOfflineMode"
             i18n="Button which opens password reset page"
           >
-            Change Passwort
+            Change Password
           </button>
         </div>
       </div>

From 221d69ea22cd7df351f3297d99f44ded3c3570a1 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Wed, 17 Aug 2022 15:26:14 +0200
Subject: [PATCH 29/42] properly named class for access tokens

---
 .../core/session/auth/keycloak-auth.service.spec.ts  |  6 +++---
 src/app/core/session/auth/keycloak-auth.service.ts   | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/app/core/session/auth/keycloak-auth.service.spec.ts b/src/app/core/session/auth/keycloak-auth.service.spec.ts
index d5e14a52f0..42d9f4f1d9 100644
--- a/src/app/core/session/auth/keycloak-auth.service.spec.ts
+++ b/src/app/core/session/auth/keycloak-auth.service.spec.ts
@@ -1,6 +1,6 @@
 import { fakeAsync, TestBed, tick } from "@angular/core/testing";
 
-import { JwtToken, KeycloakAuthService } from "./keycloak-auth.service";
+import { OIDCTokenResponse, KeycloakAuthService } from "./keycloak-auth.service";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
 import { of, throwError } from "rxjs";
 import { HttpClient, HttpErrorResponse } from "@angular/common/http";
@@ -40,7 +40,7 @@ function remoteSessionHttpFake(_url, body) {
  * }
  * ```
  */
-const jwtTokenResponse: JwtToken = {
+const jwtTokenResponse: OIDCTokenResponse = {
   access_token:
     "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOTzU3NEpPTmoxWUM0V3VLbEtMN0R0dUdHemJTdEQ3WUFaX3FONUk0WDB3In0.eyJleHAiOjE2NTkxMTI1NjUsImlhdCI6MTY1OTExMjI2NSwianRpIjoiODYwMmJiMDQtZDA2Mi00MjcxLWFlYmMtN2I0MjY3YmY0MDNlIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay10ZXN0LmFhbS1kaWdpdGFsLmNvbTo0NDMvYXV0aC9yZWFsbXMva2V5Y2xvYWstdGVzdCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI4ODFiYTE5MS0wZDI3LTRkZmYtOWJjNC0yYzllNTYxYWM5MDAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcHAiLCJzZXNzaW9uX3N0YXRlIjoiNTYwMmNhZDgtMjgxNS00YTY5LWFlN2YtZWY2MjVmZjE1ZGUyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLWtleWNsb2FrLXRlc3QiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBwIjp7InJvbGVzIjpbInVzZXJfYXBwIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiI1NjAyY2FkOC0yODE1LTRhNjktYWU3Zi1lZjYyNWZmMTVkZTIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIl9jb3VjaGRiLnJvbGVzIjpbInVzZXJfYXBwIl0sInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiIiwiZmFtaWx5X25hbWUiOiIiLCJ1c2VybmFtZSI6InRlc3QifQ.g0Lq8tPN9fdni-tro7xcT4g4Ju-pyFTlYY8hjy-H34jxjkFDh6eTSjmnkof8w6r5TDg7V18k3WMz5Bf4XXt9kJtrVM0nOFq7wY-BSRdvl1TtMpRRkGlEUg5CMxCoyhkpkL1dcYslKlxNw4qwavvcjqYdtL7LU7ezZfs9wcAUV0VB9frxIzhq3WW6eHPBWYdFJFY1H5kl7jI6gtrLEc25tC-8Hpsz12Ey8O1DnsTqS7cXa1gNSGY10xYO9zNhxNfYy_x4uaaVJviT-gq9Bz-LM55H9s7Nz_FT9ETHNBm479jetBwURWLR-QRTwEdgajQWUUBw3l4Ld15q1YUSVSn1Ww",
   refresh_token: "test-refresh-token",
@@ -99,7 +99,7 @@ describe("KeycloakAuthService", () => {
     mockHttpClient.post.calls.reset();
     const newToken = { ...jwtTokenResponse, access_token: "new.token" };
     // mock token cannot be parsed as JwtToken
-    spyOn(window, "atob").and.returnValue('{"decoded": "token"}');
+    spyOn(window, "atob").and.returnValue("{\"decoded\": \"token\"}");
     mockHttpClient.post.and.returnValue(of(newToken));
     // should refresh token one minute before it expires
     tick(60 * 1000);
diff --git a/src/app/core/session/auth/keycloak-auth.service.ts b/src/app/core/session/auth/keycloak-auth.service.ts
index 77529f6e21..2b54957a57 100644
--- a/src/app/core/session/auth/keycloak-auth.service.ts
+++ b/src/app/core/session/auth/keycloak-auth.service.ts
@@ -35,7 +35,7 @@ export class KeycloakAuthService extends AuthService {
   private credentialAuth(
     username: string,
     password: string
-  ): Promise<JwtToken> {
+  ): Promise<OIDCTokenResponse> {
     const body = new URLSearchParams();
     body.set("username", username);
     body.set("password", password);
@@ -43,7 +43,7 @@ export class KeycloakAuthService extends AuthService {
     return this.getToken(body);
   }
 
-  private refreshTokenAuth(): Promise<JwtToken> {
+  private refreshTokenAuth(): Promise<OIDCTokenResponse> {
     const body = new URLSearchParams();
     const token = localStorage.getItem(KeycloakAuthService.REFRESH_TOKEN_KEY);
     body.set("refresh_token", token);
@@ -51,7 +51,7 @@ export class KeycloakAuthService extends AuthService {
     return this.getToken(body);
   }
 
-  private getToken(body: URLSearchParams): Promise<JwtToken> {
+  private getToken(body: URLSearchParams): Promise<OIDCTokenResponse> {
     body.set("client_id", "app");
     const options = {
       headers: new HttpHeaders().set(
@@ -60,7 +60,7 @@ export class KeycloakAuthService extends AuthService {
       ),
     };
     return firstValueFrom(
-      this.httpClient.post<JwtToken>(
+      this.httpClient.post<OIDCTokenResponse>(
         `${this.keycloak.authServerUrl}realms/${this.keycloak.realm}/protocol/openid-connect/token`,
         body.toString(),
         options
@@ -68,7 +68,7 @@ export class KeycloakAuthService extends AuthService {
     );
   }
 
-  private processToken(token: JwtToken): DatabaseUser {
+  private processToken(token: OIDCTokenResponse): DatabaseUser {
     this.accessToken = token.access_token;
     localStorage.setItem(
       KeycloakAuthService.REFRESH_TOKEN_KEY,
@@ -112,7 +112,7 @@ export class KeycloakAuthService extends AuthService {
   }
 }
 
-export interface JwtToken {
+export interface OIDCTokenResponse {
   access_token: string;
   refresh_token: string;
   expires_in: number;

From 693c44ff08ea14c03ba576765b8a4bf9ceaed8e4 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 18 Aug 2022 15:13:57 +0200
Subject: [PATCH 30/42] integrated password-form component when using
 CouchDBAuth

---
 .../password-form.component.html              | 88 ++++++++++++++++++
 .../password-form.component.scss              |  0
 .../password-form.component.spec.ts           | 79 ++++++++++++++++
 .../password-form/password-form.component.ts  | 91 +++++++++++++++++++
 .../user-account/user-account.component.html  |  7 ++
 .../user-account/user-account.component.ts    |  8 +-
 src/app/core/user/user.module.ts              | 10 +-
 7 files changed, 280 insertions(+), 3 deletions(-)
 create mode 100644 src/app/core/user/password-form/password-form.component.html
 create mode 100644 src/app/core/user/password-form/password-form.component.scss
 create mode 100644 src/app/core/user/password-form/password-form.component.spec.ts
 create mode 100644 src/app/core/user/password-form/password-form.component.ts

diff --git a/src/app/core/user/password-form/password-form.component.html b/src/app/core/user/password-form/password-form.component.html
new file mode 100644
index 0000000000..95afb80903
--- /dev/null
+++ b/src/app/core/user/password-form/password-form.component.html
@@ -0,0 +1,88 @@
+<form [formGroup]="passwordForm" class="form-container">
+  <mat-form-field class="user-form-field">
+    <label i18n>
+      Current Password
+      <input
+        matInput
+        type="password"
+        formControlName="currentPassword"
+      />
+    </label>
+    <mat-error
+      *ngIf="passwordForm.get('currentPassword').invalid"
+      i18n="
+                Password Confirmation|An incorrect password was entered trying
+                to change the password
+              "
+    >
+      Please provide your correct current password for confirmation.
+    </mat-error>
+  </mat-form-field>
+  <br/>
+
+  <mat-form-field class="user-form-field" style="height: 80px">
+    <label i18n>
+      New password
+      <input matInput type="password" formControlName="newPassword"/>
+    </label>
+    <mat-error *ngIf="passwordForm.get('newPassword').invalid">
+      <div
+        *ngIf="passwordForm.get('newPassword').errors.minlength"
+        i18n="Password validation"
+      >
+        Must be at least 8 characters long.
+      </div>
+      <div
+        *ngIf="passwordForm.get('newPassword').errors.pattern"
+        i18n="Illegal password pattern"
+      >
+        Must contain lower case letters, upper case letters, symbols and
+        numbers to be secure.
+      </div>
+    </mat-error>
+  </mat-form-field>
+  <br/>
+
+  <mat-form-field class="user-form-field">
+    <label i18n>
+      Confirm new password
+      <input
+        matInput
+        type="password"
+        formControlName="confirmPassword"
+      />
+    </label>
+    <mat-error
+      *ngIf="
+                passwordForm.get('confirmPassword').invalid &&
+                passwordForm.get('confirmPassword').touched
+              "
+      i18n="Illegal new password"
+    >
+      Confirmation does not match your new password.
+    </mat-error>
+  </mat-form-field>
+  <br/>
+
+  <div *ngIf="passwordChangeResult">
+    <div *ngIf="passwordChangeResult.success" class="info success" i18n>
+      Password changed successfully.
+    </div>
+    <div *ngIf="!passwordChangeResult.success" class="info error" i18n>
+      Failed to change password: {{ passwordChangeResult.error }}<br/>
+      Please try again. If the problem persists contact Aam Digital
+      support.
+    </div>
+  </div>
+
+  <button
+    mat-raised-button
+    type="submit"
+    [disabled]="passwordForm.invalid || passwordForm.disabled"
+    (click)="changePassword()"
+    (submit)="changePassword()"
+    i18n="Change password button"
+  >
+    Change Password
+  </button>
+</form>
diff --git a/src/app/core/user/password-form/password-form.component.scss b/src/app/core/user/password-form/password-form.component.scss
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/app/core/user/password-form/password-form.component.spec.ts b/src/app/core/user/password-form/password-form.component.spec.ts
new file mode 100644
index 0000000000..9c8e052ce8
--- /dev/null
+++ b/src/app/core/user/password-form/password-form.component.spec.ts
@@ -0,0 +1,79 @@
+import { ComponentFixture, fakeAsync, TestBed, tick } from "@angular/core/testing";
+
+import { PasswordFormComponent } from "./password-form.component";
+import { UserModule } from "../user.module";
+import { MockedTestingModule } from "../../../utils/mocked-testing.module";
+import { SessionService } from "../../session/session-service/session.service";
+import { CouchdbAuthService } from "../../session/auth/couchdb-auth.service";
+
+describe("PasswordFormComponent", () => {
+  let component: PasswordFormComponent;
+  let fixture: ComponentFixture<PasswordFormComponent>;
+  let mockSessionService: jasmine.SpyObj<SessionService>;
+  let mockCouchDBAuth: jasmine.SpyObj<CouchdbAuthService>;
+
+  beforeEach(async () => {
+    mockSessionService = jasmine.createSpyObj(["login", "checkPassword"]);
+    mockCouchDBAuth = jasmine.createSpyObj(["changePassword"]);
+
+    await TestBed.configureTestingModule({
+      imports: [UserModule, MockedTestingModule.withState()],
+      providers: [{ provide: SessionService, useValue: mockSessionService }]
+    })
+      .compileComponents();
+
+    fixture = TestBed.createComponent(PasswordFormComponent);
+    component = fixture.componentInstance;
+    component.couchdbAuthService = mockCouchDBAuth;
+    fixture.detectChanges();
+  });
+
+  it("should create", () => {
+    expect(component).toBeTruthy();
+  });
+
+  it("should set error when password is incorrect", () => {
+    component.passwordForm.get("currentPassword").setValue("wrongPW");
+    mockSessionService.checkPassword.and.returnValue(false);
+
+    expect(component.passwordForm.get("currentPassword")).toBeValidForm();
+
+    component.changePassword();
+
+    expect(component.passwordForm.get("currentPassword")).not.toBeValidForm();
+  });
+
+  it("should set error when password change fails", fakeAsync(() => {
+    component.username = "testUser";
+    component.passwordForm.get("currentPassword").setValue("testPW");
+    mockSessionService.checkPassword.and.returnValue(true);
+    mockCouchDBAuth.changePassword.and.rejectWith(
+      new Error("pw change error")
+    );
+
+
+    expectAsync(component.changePassword()).toBeRejected();
+    tick();
+
+    expect(mockCouchDBAuth.changePassword).toHaveBeenCalled();
+    expect(component.passwordChangeResult.success).toBeFalse();
+    expect(component.passwordChangeResult.error).toBe("pw change error");
+  }));
+
+  it("should set success and re-login when password change worked", fakeAsync(() => {
+    component.username = "testUser";
+    component.passwordForm.get("currentPassword").setValue("testPW");
+    component.passwordForm.get("newPassword").setValue("changedPassword");
+    mockSessionService.checkPassword.and.returnValue(true);
+    mockCouchDBAuth.changePassword.and.resolveTo();
+    mockSessionService.login.and.resolveTo(null);
+
+    component.changePassword();
+    tick();
+    expect(component.passwordChangeResult.success).toBeTrue();
+    expect(mockSessionService.login).toHaveBeenCalledWith(
+      "testUser",
+      "changedPassword"
+    );
+  }));
+});
diff --git a/src/app/core/user/password-form/password-form.component.ts b/src/app/core/user/password-form/password-form.component.ts
new file mode 100644
index 0000000000..bf9b768f26
--- /dev/null
+++ b/src/app/core/user/password-form/password-form.component.ts
@@ -0,0 +1,91 @@
+import { Component, Input, OnInit } from "@angular/core";
+import { FormBuilder, ValidationErrors, Validators } from "@angular/forms";
+import { SessionService } from "../../session/session-service/session.service";
+import { CouchdbAuthService } from "../../session/auth/couchdb-auth.service";
+import { LoggingService } from "../../logging/logging.service";
+
+/**
+ * A simple password form that enforces secure password.
+ */
+@Component({
+  selector: "app-password-form",
+  templateUrl: "./password-form.component.html",
+  styleUrls: ["./password-form.component.scss"]
+})
+export class PasswordFormComponent implements OnInit {
+  @Input() couchdbAuthService: CouchdbAuthService;
+  @Input() username: string;
+  @Input() disabled = false;
+
+  passwordChangeResult: { success: boolean; error?: any };
+
+  passwordForm = this.fb.group(
+    {
+      currentPassword: ["", Validators.required],
+      newPassword: [
+        "",
+        [
+          Validators.required,
+          Validators.minLength(8),
+          Validators.pattern(/[A-Z]/),
+          Validators.pattern(/[a-z]/),
+          Validators.pattern(/[0-9]/),
+          Validators.pattern(/[^A-Za-z0-9]/),
+        ],
+      ],
+      confirmPassword: ["", [Validators.required]],
+    },
+    { validators: () => this.passwordMatchValidator() }
+  );
+
+  constructor(
+    private fb: FormBuilder,
+    private sessionService: SessionService,
+    private loggingService: LoggingService
+  ) {}
+
+  ngOnInit() {
+    if (this.disabled) {
+      this.passwordForm.disable();
+    }
+  }
+
+  changePassword(): Promise<any> {
+    this.passwordChangeResult = undefined;
+
+    const currentPassword = this.passwordForm.get("currentPassword").value;
+
+    if (!this.sessionService.checkPassword(this.username, currentPassword)) {
+      this.passwordForm
+        .get("currentPassword")
+        .setErrors({ incorrectPassword: true });
+      return;
+    }
+
+    const newPassword = this.passwordForm.get("newPassword").value;
+    return this.couchdbAuthService.changePassword(this.username, currentPassword, newPassword)
+      .then(() => this.sessionService.login(this.username, newPassword))
+      .then(() => (this.passwordChangeResult = { success: true }))
+      .catch((err: Error) => {
+        this.passwordChangeResult = { success: false, error: err.message };
+        this.loggingService.error({
+          error: "password change failed",
+          details: err.message,
+        });
+        // rethrow to properly report to sentry.io; this exception is not expected, only caught to display in UI
+        throw err;
+      });
+  }
+
+  private passwordMatchValidator(): ValidationErrors | null {
+    const newPassword = this.passwordForm?.get("newPassword").value;
+    const confirmPassword = this.passwordForm?.get("confirmPassword").value;
+    if (newPassword !== confirmPassword) {
+      this.passwordForm
+        .get("confirmPassword")
+        .setErrors({ passwordConfirmationMismatch: true });
+      return { passwordConfirmationMismatch: true };
+    }
+    return null;
+  }
+}
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 2b819ae5ab..44ea15660f 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -37,7 +37,14 @@
           [matTooltipDisabled]="!disabledForOfflineMode && !disabledForDemoMode"
           style="width: fit-content"
         >
+          <app-password-form
+            *ngIf="couchdbAuthService"
+            [couchdbAuthService]="couchdbAuthService"
+            [username]="username"
+            [disabled]="disabledForDemoMode || disabledForOfflineMode"
+          ></app-password-form>
           <button
+            *ngIf="!couchdbAuthService"
             mat-stroked-button
             angulartics2On="click"
             angularticsCategory="User"
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index 505c2f50f3..2ca9b2896b 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -20,6 +20,7 @@ import { SessionService } from "../../session/session-service/session.service";
 import { environment } from "../../../../environments/environment";
 import { SessionType } from "../../session/session-type";
 import { AuthService } from "../../session/auth/auth.service";
+import { CouchdbAuthService } from "../../session/auth/couchdb-auth.service";
 
 /**
  * User account form to allow the user to view and edit information.
@@ -36,11 +37,16 @@ export class UserAccountComponent implements OnInit {
   /** whether password change is disallowed because of demo mode */
   disabledForDemoMode: boolean;
   disabledForOfflineMode: boolean;
+  couchdbAuthService: CouchdbAuthService;
 
   constructor(
     private sessionService: SessionService,
     public authService: AuthService
-  ) {}
+  ) {
+    if (this.authService instanceof CouchdbAuthService) {
+      this.couchdbAuthService = this.authService;
+    }
+  }
 
   ngOnInit() {
     this.checkIfPasswordChangeAllowed();
diff --git a/src/app/core/user/user.module.ts b/src/app/core/user/user.module.ts
index 9cdd8fab52..f83db20ae0 100644
--- a/src/app/core/user/user.module.ts
+++ b/src/app/core/user/user.module.ts
@@ -25,6 +25,9 @@ import { MatTabsModule } from "@angular/material/tabs";
 import { TabStateModule } from "../../utils/tab-state/tab-state.module";
 import { MatTooltipModule } from "@angular/material/tooltip";
 import { Angulartics2Module } from "angulartics2";
+import { PasswordFormComponent } from "./password-form/password-form.component";
+import { ReactiveFormsModule } from "@angular/forms";
+import { FontAwesomeModule } from "@fortawesome/angular-fontawesome";
 
 /**
  * Provides a User functionality including user account forms.
@@ -39,7 +42,10 @@ import { Angulartics2Module } from "angulartics2";
     TabStateModule,
     MatTooltipModule,
     Angulartics2Module,
+    ReactiveFormsModule,
+    FontAwesomeModule
   ],
-  declarations: [UserAccountComponent],
+  declarations: [UserAccountComponent, PasswordFormComponent],
 })
-export class UserModule {}
+export class UserModule {
+}

From 0e18596daf0e2f714d9b8822945938e05ae792ec Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 18 Aug 2022 15:40:34 +0200
Subject: [PATCH 31/42] cleaned up some code

---
 .../session/auth/couchdb-auth.service.spec.ts |  5 ++--
 .../core/session/auth/couchdb-auth.service.ts |  5 ++--
 .../auth/keycloak-auth.service.spec.ts        | 15 ++++++------
 .../session-service/remote-session.spec.ts    |  4 ++--
 .../session/session-service/remote-session.ts |  9 +++----
 .../synced-session.service.spec.ts            | 14 ++++-------
 .../user-account/user-account.component.html  |  8 +++----
 .../user-account/user-account.component.ts    | 24 ++++++-------------
 8 files changed, 32 insertions(+), 52 deletions(-)

diff --git a/src/app/core/session/auth/couchdb-auth.service.spec.ts b/src/app/core/session/auth/couchdb-auth.service.spec.ts
index ae6812d269..a6839a4b01 100644
--- a/src/app/core/session/auth/couchdb-auth.service.spec.ts
+++ b/src/app/core/session/auth/couchdb-auth.service.spec.ts
@@ -1,10 +1,9 @@
 import { TestBed } from "@angular/core/testing";
 
 import { CouchdbAuthService } from "./couchdb-auth.service";
-import { HttpClient, HttpErrorResponse } from "@angular/common/http";
+import { HttpClient, HttpErrorResponse, HttpStatusCode } from "@angular/common/http";
 import { of, throwError } from "rxjs";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
-import { RemoteSession } from "../session-service/remote-session";
 
 describe("CouchdbAuthService", () => {
   let service: CouchdbAuthService;
@@ -21,7 +20,7 @@ describe("CouchdbAuthService", () => {
         return throwError(
           () =>
             new HttpErrorResponse({
-              status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+              status: HttpStatusCode.Unauthorized,
             })
         );
       }
diff --git a/src/app/core/session/auth/couchdb-auth.service.ts b/src/app/core/session/auth/couchdb-auth.service.ts
index 092a249c7a..c4ddf25c37 100644
--- a/src/app/core/session/auth/couchdb-auth.service.ts
+++ b/src/app/core/session/auth/couchdb-auth.service.ts
@@ -3,12 +3,11 @@ import { AuthService } from "./auth.service";
 import {
   HttpClient,
   HttpErrorResponse,
-  HttpHeaders,
+  HttpHeaders, HttpStatusCode,
 } from "@angular/common/http";
 import { firstValueFrom } from "rxjs";
 import { DatabaseUser } from "../session-service/local-user";
 import { AppSettings } from "../../app-config/app-settings";
-import { RemoteSession } from "../session-service/remote-session";
 
 @Injectable()
 export class CouchdbAuthService extends AuthService {
@@ -44,7 +43,7 @@ export class CouchdbAuthService extends AuthService {
         return res.userCtx;
       } else {
         throw new HttpErrorResponse({
-          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+          status: HttpStatusCode.Unauthorized,
         });
       }
     });
diff --git a/src/app/core/session/auth/keycloak-auth.service.spec.ts b/src/app/core/session/auth/keycloak-auth.service.spec.ts
index 42d9f4f1d9..12fbde5ee6 100644
--- a/src/app/core/session/auth/keycloak-auth.service.spec.ts
+++ b/src/app/core/session/auth/keycloak-auth.service.spec.ts
@@ -3,11 +3,10 @@ import { fakeAsync, TestBed, tick } from "@angular/core/testing";
 import { OIDCTokenResponse, KeycloakAuthService } from "./keycloak-auth.service";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
 import { of, throwError } from "rxjs";
-import { HttpClient, HttpErrorResponse } from "@angular/common/http";
-import { RemoteSession } from "../session-service/remote-session";
+import { HttpClient, HttpErrorResponse, HttpStatusCode } from "@angular/common/http";
 import { DatabaseUser } from "../session-service/local-user";
 
-function remoteSessionHttpFake(_url, body) {
+function keycloakAuthHttpFake(_url, body) {
   const params = new URLSearchParams(body);
   const isValidPassword =
     params.get("username") === TEST_USER &&
@@ -19,7 +18,7 @@ function remoteSessionHttpFake(_url, body) {
     return throwError(
       () =>
         new HttpErrorResponse({
-          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+          status: HttpStatusCode.Unauthorized,
         })
     );
   }
@@ -55,7 +54,7 @@ describe("KeycloakAuthService", () => {
 
   beforeEach(() => {
     mockHttpClient = jasmine.createSpyObj(["post"]);
-    mockHttpClient.post.and.callFake(remoteSessionHttpFake);
+    mockHttpClient.post.and.callFake(keycloakAuthHttpFake);
     TestBed.configureTestingModule({
       providers: [
         { provide: HttpClient, useValue: mockHttpClient },
@@ -69,7 +68,7 @@ describe("KeycloakAuthService", () => {
   });
 
   afterEach(() =>
-    window.localStorage.removeItem(RemoteSession.REFRESH_TOKEN_KEY)
+    window.localStorage.removeItem(KeycloakAuthService.REFRESH_TOKEN_KEY)
   );
 
   it("should be created", () => {
@@ -82,7 +81,7 @@ describe("KeycloakAuthService", () => {
     expect(user).toEqual(dbUser);
   });
 
-  it("should store access token in remote session and refresh token in local storage", async () => {
+  it("should store access token in memory and refresh token in local storage", async () => {
     await service.authenticate(TEST_USER, TEST_PASSWORD);
 
     expect(service.accessToken).toBe(jwtTokenResponse.access_token);
@@ -122,7 +121,7 @@ describe("KeycloakAuthService", () => {
   });
 
   it("should login, if there is a valid refresh token", async () => {
-    localStorage.setItem(RemoteSession.REFRESH_TOKEN_KEY, "some-refresh-token");
+    localStorage.setItem(KeycloakAuthService.REFRESH_TOKEN_KEY, "some-refresh-token");
     mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
     const user = await service.autoLogin();
     expect(user).toEqual(dbUser);
diff --git a/src/app/core/session/session-service/remote-session.spec.ts b/src/app/core/session/session-service/remote-session.spec.ts
index b0e81f3264..f263036ef2 100644
--- a/src/app/core/session/session-service/remote-session.spec.ts
+++ b/src/app/core/session/session-service/remote-session.spec.ts
@@ -1,6 +1,6 @@
 import { TestBed } from "@angular/core/testing";
 import { RemoteSession } from "./remote-session";
-import { HttpErrorResponse } from "@angular/common/http";
+import { HttpErrorResponse, HttpStatusCode } from "@angular/common/http";
 import { SessionType } from "../session-type";
 import { LoggingService } from "../../logging/logging.service";
 import { testSessionServiceImplementation } from "./session.service.spec";
@@ -22,7 +22,7 @@ describe("RemoteSessionService", () => {
         return { name: TEST_USER, roles: ["user_app"] };
       } else {
         throw new HttpErrorResponse({
-          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+          status: HttpStatusCode.Unauthorized,
         });
       }
     });
diff --git a/src/app/core/session/session-service/remote-session.ts b/src/app/core/session/session-service/remote-session.ts
index 584d58c9c2..135084a5b1 100644
--- a/src/app/core/session/session-service/remote-session.ts
+++ b/src/app/core/session/session-service/remote-session.ts
@@ -15,7 +15,7 @@
  *     along with ndb-core.  If not, see <http://www.gnu.org/licenses/>.
  */
 import { Injectable } from "@angular/core";
-import { HttpErrorResponse } from "@angular/common/http";
+import { HttpErrorResponse, HttpStatusCode } from "@angular/common/http";
 import { DatabaseUser } from "./local-user";
 import { SessionService } from "./session.service";
 import { LoginState } from "../session-states/login-state.enum";
@@ -34,9 +34,6 @@ import { AuthService } from "../auth/auth.service";
 @Injectable()
 export class RemoteSession extends SessionService {
   static readonly LAST_LOGIN_KEY = "LAST_REMOTE_LOGIN";
-  static readonly REFRESH_TOKEN_KEY = "REFRESH_TOKEN";
-  // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401
-  static readonly UNAUTHORIZED_STATUS_CODE = 401;
   /** remote (!) PouchDB  */
   private readonly database: PouchDatabase;
   private currentDBUser: DatabaseUser;
@@ -68,7 +65,7 @@ export class RemoteSession extends SessionService {
       this.loginState.next(LoginState.LOGGED_IN);
     } catch (error) {
       const httpError = error as HttpErrorResponse;
-      if (httpError?.status === RemoteSession.UNAUTHORIZED_STATUS_CODE) {
+      if (httpError?.status === HttpStatusCode.Unauthorized) {
         this.loginState.next(LoginState.LOGIN_FAILED);
       } else {
         this.loginState.next(LoginState.UNAVAILABLE);
@@ -88,7 +85,7 @@ export class RemoteSession extends SessionService {
             this.authService.addAuthHeader(opts.headers);
             return PouchDB.fetch(
               AppSettings.DB_PROXY_PREFIX +
-                url.split(AppSettings.DB_PROXY_PREFIX)[1],
+              url.split(AppSettings.DB_PROXY_PREFIX)[1],
               opts
             );
           }
diff --git a/src/app/core/session/session-service/synced-session.service.spec.ts b/src/app/core/session/session-service/synced-session.service.spec.ts
index 8b60bae34d..f16e217510 100644
--- a/src/app/core/session/session-service/synced-session.service.spec.ts
+++ b/src/app/core/session/session-service/synced-session.service.spec.ts
@@ -21,7 +21,7 @@ import { LocalSession } from "./local-session";
 import { RemoteSession } from "./remote-session";
 import { SessionType } from "../session-type";
 import { fakeAsync, flush, TestBed, tick } from "@angular/core/testing";
-import { HttpErrorResponse } from "@angular/common/http";
+import { HttpErrorResponse, HttpStatusCode } from "@angular/common/http";
 import { NoopAnimationsModule } from "@angular/platform-browser/animations";
 import { DatabaseUser } from "./local-user";
 import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
@@ -37,12 +37,8 @@ describe("SyncedSessionService", () => {
   let sessionService: SyncedSessionService;
   let localSession: LocalSession;
   let remoteSession: RemoteSession;
-  let localLoginSpy: jasmine.Spy<
-    (username: string, password: string) => Promise<LoginState>
-  >;
-  let remoteLoginSpy: jasmine.Spy<
-    (username: string, password: string) => Promise<LoginState>
-  >;
+  let localLoginSpy: jasmine.Spy<(username: string, password: string) => Promise<LoginState>>;
+  let remoteLoginSpy: jasmine.Spy<(username: string, password: string) => Promise<LoginState>>;
   let dbUser: DatabaseUser;
   let syncSpy: jasmine.Spy<() => Promise<void>>;
   let liveSyncSpy: jasmine.Spy<() => void>;
@@ -62,7 +58,7 @@ describe("SyncedSessionService", () => {
         return dbUser;
       } else {
         throw new HttpErrorResponse({
-          status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+          status: HttpStatusCode.Unauthorized,
         });
       }
     });
@@ -271,7 +267,7 @@ describe("SyncedSessionService", () => {
     let rejectError;
     if (!offline) {
       rejectError = new HttpErrorResponse({
-        status: RemoteSession.UNAUTHORIZED_STATUS_CODE,
+        status: HttpStatusCode.Unauthorized,
       });
     }
     mockAuthService.authenticate.and.rejectWith(rejectError);
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 44ea15660f..fec0394afd 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -33,15 +33,15 @@
           </mat-form-field>
         </p>
         <div
-          [matTooltip]="getPasswordResetDisabledTooltip()"
-          [matTooltipDisabled]="!disabledForOfflineMode && !disabledForDemoMode"
+          [matTooltip]="tooltipText"
+          [matTooltipDisabled]="!passwordChangeDisabled"
           style="width: fit-content"
         >
           <app-password-form
             *ngIf="couchdbAuthService"
             [couchdbAuthService]="couchdbAuthService"
             [username]="username"
-            [disabled]="disabledForDemoMode || disabledForOfflineMode"
+            [disabled]="passwordChangeDisabled"
           ></app-password-form>
           <button
             *ngIf="!couchdbAuthService"
@@ -50,7 +50,7 @@
             angularticsCategory="User"
             angularticsAction="password_update"
             (click)="authService.changePassword()"
-            [disabled]="disabledForDemoMode || disabledForOfflineMode"
+            [disabled]="passwordChangeDisabled"
             i18n="Button which opens password reset page"
           >
             Change Password
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index 2ca9b2896b..ab45624b45 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -34,9 +34,8 @@ export class UserAccountComponent implements OnInit {
   /** user to be edited */
   username: string;
 
-  /** whether password change is disallowed because of demo mode */
-  disabledForDemoMode: boolean;
-  disabledForOfflineMode: boolean;
+  passwordChangeDisabled = false;
+  tooltipText;
   couchdbAuthService: CouchdbAuthService;
 
   constructor(
@@ -54,23 +53,14 @@ export class UserAccountComponent implements OnInit {
   }
 
   checkIfPasswordChangeAllowed() {
-    this.disabledForDemoMode = false;
-    this.disabledForOfflineMode = false;
+    this.passwordChangeDisabled = false;
+    this.tooltipText = "";
 
     if (environment.session_type !== SessionType.synced) {
-      this.disabledForDemoMode = true;
+      this.passwordChangeDisabled = true;
+      this.tooltipText = $localize`:Password reset disabled tooltip:Password change is not allowed in demo mode.`;
     } else if (!navigator.onLine) {
-      this.disabledForOfflineMode = true;
-    }
-  }
-
-  getPasswordResetDisabledTooltip(): string {
-    if (this.disabledForDemoMode) {
-      return $localize`:Password reset disabled tooltip:Password change is not allowed in demo mode.`;
-    } else if (this.disabledForOfflineMode) {
-      return $localize`:Password reset disabled tooltip:Password change is not possible while being offline.`;
-    } else {
-      return "";
+      this.tooltipText = $localize`:Password reset disabled tooltip:Password change is not possible while being offline.`;
     }
   }
 }

From 5ce39fd457c6b9a9938c017f122640e25dd6d338 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Tue, 23 Aug 2022 16:14:02 +0200
Subject: [PATCH 32/42] removed reserved route

---
 ngsw-config.json | 60 ++++++++++++++++++++++++++----------------------
 1 file changed, 33 insertions(+), 27 deletions(-)

diff --git a/ngsw-config.json b/ngsw-config.json
index 1321d72c67..8405be4469 100644
--- a/ngsw-config.json
+++ b/ngsw-config.json
@@ -1,33 +1,38 @@
 {
   "index": "/index.html",
-  "assetGroups": [{
-    "name": "app",
-    "installMode": "prefetch",
-    "resources": {
-      "files": [
-        "/favicon.ico",
-        "/index.html",
-        "/*.js",
-        "/*.css",
-        "/*.woff2",
-        "/*.tff"
-      ]
-    }
-  }, {
-    "name": "assets",
-    "installMode": "lazy",
-    "updateMode": "prefetch",
-    "resources": {
-      "files": [
-        "/*.svg",
-        "/assets/**"
-      ]
+  "assetGroups": [
+    {
+      "name": "app",
+      "installMode": "prefetch",
+      "resources": {
+        "files": [
+          "/favicon.ico",
+          "/index.html",
+          "/*.js",
+          "/*.css",
+          "/*.woff2",
+          "/*.tff"
+        ]
+      }
+    },
+    {
+      "name": "assets",
+      "installMode": "lazy",
+      "updateMode": "prefetch",
+      "resources": {
+        "files": [
+          "/*.svg",
+          "/assets/**"
+        ]
+      }
     }
-  }],
+  ],
   "dataGroups": [
     {
       "name": "config",
-      "urls": ["**/assets/config.json"],
+      "urls": [
+        "**/assets/config.json"
+      ],
       "cacheConfig": {
         "maxSize": 1,
         "maxAge": "30d",
@@ -36,7 +41,9 @@
     },
     {
       "name": "childPhotos",
-      "urls": ["**/child-photos/**"],
+      "urls": [
+        "**/child-photos/**"
+      ],
       "cacheConfig": {
         "maxSize": 500,
         "maxAge": "10d",
@@ -50,7 +57,6 @@
     "!/**/*__*",
     "!/**/*__*/**",
     "!/db/",
-    "!/db/**",
-    "!/auth/**"
+    "!/db/**"
   ]
 }

From 812f4f594511306f0df76d38665d25d7c7f1e163 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Tue, 23 Aug 2022 16:20:04 +0200
Subject: [PATCH 33/42] undone changes to ngsw config

---
 ngsw-config.json | 57 +++++++++++++++++++++---------------------------
 1 file changed, 25 insertions(+), 32 deletions(-)

diff --git a/ngsw-config.json b/ngsw-config.json
index 8405be4469..dd61d444a4 100644
--- a/ngsw-config.json
+++ b/ngsw-config.json
@@ -1,38 +1,33 @@
 {
   "index": "/index.html",
-  "assetGroups": [
-    {
-      "name": "app",
-      "installMode": "prefetch",
-      "resources": {
-        "files": [
-          "/favicon.ico",
-          "/index.html",
-          "/*.js",
-          "/*.css",
-          "/*.woff2",
-          "/*.tff"
-        ]
-      }
-    },
-    {
-      "name": "assets",
-      "installMode": "lazy",
-      "updateMode": "prefetch",
-      "resources": {
-        "files": [
-          "/*.svg",
-          "/assets/**"
-        ]
-      }
+  "assetGroups": [{
+    "name": "app",
+    "installMode": "prefetch",
+    "resources": {
+      "files": [
+        "/favicon.ico",
+        "/index.html",
+        "/*.js",
+        "/*.css",
+        "/*.woff2",
+        "/*.tff"
+      ]
     }
-  ],
+  }, {
+    "name": "assets",
+    "installMode": "lazy",
+    "updateMode": "prefetch",
+    "resources": {
+      "files": [
+        "/*.svg",
+        "/assets/**"
+      ]
+    }
+  }],
   "dataGroups": [
     {
       "name": "config",
-      "urls": [
-        "**/assets/config.json"
-      ],
+      "urls": ["**/assets/config.json"],
       "cacheConfig": {
         "maxSize": 1,
         "maxAge": "30d",
@@ -41,9 +36,7 @@
     },
     {
       "name": "childPhotos",
-      "urls": [
-        "**/child-photos/**"
-      ],
+      "urls": ["**/child-photos/**"],
       "cacheConfig": {
         "maxSize": 500,
         "maxAge": "10d",

From f4e6c5a9771f51f63cefce83ffbf7563fb08b16d Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Tue, 23 Aug 2022 16:51:39 +0200
Subject: [PATCH 34/42] trying to make authenticator configurable, DI not
 working

---
 src/app/core/session/auth/auth.service.ts |  1 +
 src/app/core/session/session.module.ts    | 19 +++++++++++++++++--
 src/environments/environment.prod.ts      |  1 +
 src/environments/environment.ts           |  1 +
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/app/core/session/auth/auth.service.ts b/src/app/core/session/auth/auth.service.ts
index 765bb022ca..718e9c331f 100644
--- a/src/app/core/session/auth/auth.service.ts
+++ b/src/app/core/session/auth/auth.service.ts
@@ -6,6 +6,7 @@ import { DatabaseUser } from "../session-service/local-user";
  * Implement this for different authentication providers.
  */
 export abstract class AuthService {
+  someProp = "this is some value";
 
   /**
    * Authenticate a user with credentials.
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index d24fcc1ebb..77e2f7458b 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -38,6 +38,7 @@ import { SessionType } from "./session-type";
 import { environment } from "../../../environments/environment";
 import { AuthService } from "./auth/auth.service";
 import { KeycloakAuthService } from "./auth/keycloak-auth.service";
+import { CouchdbAuthService } from "./auth/couchdb-auth.service";
 
 /**
  * The core session logic handling user login as well as connection and synchronization with the remote database.
@@ -72,6 +73,7 @@ import { KeycloakAuthService } from "./auth/keycloak-auth.service";
     {
       provide: SessionService,
       useFactory: (injector: Injector) => {
+        console.log("requesting session");
         if (environment.session_type === SessionType.synced) {
           return injector.get(SyncedSessionService);
         } else {
@@ -80,8 +82,21 @@ import { KeycloakAuthService } from "./auth/keycloak-auth.service";
       },
       deps: [Injector],
     },
-    // TODO how do we differentiate between Keycloak and CouchDB auth?
-    { provide: AuthService, useClass: KeycloakAuthService },
+    KeycloakAuthService,
+    CouchdbAuthService,
+
+    {
+      provide: [AuthService],
+      useFactory: (injector: Injector) => {
+        console.log("requested");
+        if (environment.authenticator === "keycloak") {
+          return injector.get(KeycloakAuthService);
+        } else {
+          return injector.get(CouchdbAuthService);
+        }
+      },
+      deps: [KeycloakAuthService],
+    },
   ],
 })
 export class SessionModule {}
diff --git a/src/environments/environment.prod.ts b/src/environments/environment.prod.ts
index c6992a02f7..80f920b04a 100644
--- a/src/environments/environment.prod.ts
+++ b/src/environments/environment.prod.ts
@@ -34,4 +34,5 @@ export const environment = {
   /** The following settings can be overridden by the `config.json` if present, see {@link AppSettings} */
   demo_mode: true,
   session_type: SessionType.mock,
+  authenticator: "keycloak",
 };
diff --git a/src/environments/environment.ts b/src/environments/environment.ts
index dc88332220..d65589a22f 100644
--- a/src/environments/environment.ts
+++ b/src/environments/environment.ts
@@ -33,4 +33,5 @@ export const environment = {
   /** The following settings can be overridden by the `config.json` if present, see {@link AppSettings} */
   demo_mode: true,
   session_type: SessionType.mock,
+  authenticator: "keycloak", // set to "couchdb" if auth should happen with CouchDB directly
 };

From c61c662cdf17209c4d3799678eb891ecbc067641 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Tue, 23 Aug 2022 17:01:47 +0200
Subject: [PATCH 35/42] fixed AuthService DI

---
 src/app/core/session/session.module.ts | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index 77e2f7458b..0f060bf709 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -73,7 +73,6 @@ import { CouchdbAuthService } from "./auth/couchdb-auth.service";
     {
       provide: SessionService,
       useFactory: (injector: Injector) => {
-        console.log("requesting session");
         if (environment.session_type === SessionType.synced) {
           return injector.get(SyncedSessionService);
         } else {
@@ -84,18 +83,16 @@ import { CouchdbAuthService } from "./auth/couchdb-auth.service";
     },
     KeycloakAuthService,
     CouchdbAuthService,
-
     {
-      provide: [AuthService],
+      provide: AuthService,
       useFactory: (injector: Injector) => {
-        console.log("requested");
         if (environment.authenticator === "keycloak") {
           return injector.get(KeycloakAuthService);
         } else {
           return injector.get(CouchdbAuthService);
         }
       },
-      deps: [KeycloakAuthService],
+      deps: [Injector],
     },
   ],
 })

From 55a50f1797bfe03e25067478ae6d334fb0e6543e Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 25 Aug 2022 18:17:59 +0200
Subject: [PATCH 36/42] removed unused code

---
 src/app/core/session/auth/auth.service.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/app/core/session/auth/auth.service.ts b/src/app/core/session/auth/auth.service.ts
index 718e9c331f..8cee5d7683 100644
--- a/src/app/core/session/auth/auth.service.ts
+++ b/src/app/core/session/auth/auth.service.ts
@@ -6,8 +6,6 @@ import { DatabaseUser } from "../session-service/local-user";
  * Implement this for different authentication providers.
  */
 export abstract class AuthService {
-  someProp = "this is some value";
-
   /**
    * Authenticate a user with credentials.
    * @param username The username of the user

From 14b05e3522d58a4114cdcc72a6efcddf9a61521b Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 25 Aug 2022 18:30:30 +0200
Subject: [PATCH 37/42] made CouchDB auth default and added enum with
 additional documentation.

---
 src/app/core/session/auth/auth-provider.ts | 18 ++++++++++++++++++
 src/app/core/session/auth/auth.service.ts  |  1 +
 src/app/core/session/session.module.ts     |  3 ++-
 src/environments/environment.prod.ts       |  3 ++-
 src/environments/environment.ts            |  3 ++-
 5 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 src/app/core/session/auth/auth-provider.ts

diff --git a/src/app/core/session/auth/auth-provider.ts b/src/app/core/session/auth/auth-provider.ts
new file mode 100644
index 0000000000..1931b02834
--- /dev/null
+++ b/src/app/core/session/auth/auth-provider.ts
@@ -0,0 +1,18 @@
+/**
+ * Available authentication providers.
+ */
+export enum AuthProvider {
+  /**
+   * Default auth provider using CouchDB's `_users` database and permission settings.
+   * This is the simplest setup as no other service besides the CouchDB is required.
+   * However, this provider comes with limited functionality.
+   */
+  CouchDB = "couchdb",
+
+  /**
+   * Keycloak is used to authenticate and manage users.
+   * This requires keycloak and potentially other services to be running.
+   * Also, the client configuration has to be placed in a file called `keycloak.json` in the `assets` folder.
+   */
+  Keycloak = "keycloak",
+}
diff --git a/src/app/core/session/auth/auth.service.ts b/src/app/core/session/auth/auth.service.ts
index 8cee5d7683..05457c2631 100644
--- a/src/app/core/session/auth/auth.service.ts
+++ b/src/app/core/session/auth/auth.service.ts
@@ -4,6 +4,7 @@ import { DatabaseUser } from "../session-service/local-user";
 /**
  * Abstract class that handles user authentication and password change.
  * Implement this for different authentication providers.
+ * See {@link AuthProvider} for available options.
  */
 export abstract class AuthService {
   /**
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index 0f060bf709..fe13c62148 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -39,6 +39,7 @@ import { environment } from "../../../environments/environment";
 import { AuthService } from "./auth/auth.service";
 import { KeycloakAuthService } from "./auth/keycloak-auth.service";
 import { CouchdbAuthService } from "./auth/couchdb-auth.service";
+import { AuthProvider } from "./auth/auth-provider";
 
 /**
  * The core session logic handling user login as well as connection and synchronization with the remote database.
@@ -86,7 +87,7 @@ import { CouchdbAuthService } from "./auth/couchdb-auth.service";
     {
       provide: AuthService,
       useFactory: (injector: Injector) => {
-        if (environment.authenticator === "keycloak") {
+        if (environment.authenticator === AuthProvider.Keycloak) {
           return injector.get(KeycloakAuthService);
         } else {
           return injector.get(CouchdbAuthService);
diff --git a/src/environments/environment.prod.ts b/src/environments/environment.prod.ts
index 80f920b04a..15e0070287 100644
--- a/src/environments/environment.prod.ts
+++ b/src/environments/environment.prod.ts
@@ -16,6 +16,7 @@
  */
 
 import { SessionType } from "../app/core/session/session-type";
+import { AuthProvider } from "../app/core/session/auth/auth-provider";
 
 /**
  * Central environment that allows to configure differences between a "dev" and a "prod" build.
@@ -34,5 +35,5 @@ export const environment = {
   /** The following settings can be overridden by the `config.json` if present, see {@link AppSettings} */
   demo_mode: true,
   session_type: SessionType.mock,
-  authenticator: "keycloak",
+  authenticator: AuthProvider.CouchDB,
 };
diff --git a/src/environments/environment.ts b/src/environments/environment.ts
index d65589a22f..820ef1ff38 100644
--- a/src/environments/environment.ts
+++ b/src/environments/environment.ts
@@ -16,6 +16,7 @@
  */
 
 import { SessionType } from "../app/core/session/session-type";
+import { AuthProvider } from "../app/core/session/auth/auth-provider";
 
 /**
  * Central environment that allows to configure differences between a "dev" and a "prod" build.
@@ -33,5 +34,5 @@ export const environment = {
   /** The following settings can be overridden by the `config.json` if present, see {@link AppSettings} */
   demo_mode: true,
   session_type: SessionType.mock,
-  authenticator: "keycloak", // set to "couchdb" if auth should happen with CouchDB directly
+  authenticator: AuthProvider.CouchDB,
 };

From ee6b12c88d9146cee6caa412cd75bf19321412d2 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Thu, 25 Aug 2022 20:04:44 +0200
Subject: [PATCH 38/42] moved password reset button to own component

---
 .../couchdb-auth.service.spec.ts              | 11 +++++--
 .../{ => couchdb}/couchdb-auth.service.ts     |  9 +++---
 .../password-form.component.html              |  2 +-
 .../password-form.component.scss              |  0
 .../password-form.component.spec.ts           | 25 ++++++++-------
 .../password-form/password-form.component.ts  | 31 ++++++++++++++-----
 .../keycloak-auth.service.spec.ts             | 25 +++++++++++----
 .../{ => keycloak}/keycloak-auth.service.ts   |  6 ++--
 .../password-button.component.html            | 12 +++++++
 .../password-button.component.scss            |  0
 .../password-button.component.spec.ts         | 23 ++++++++++++++
 .../password-button.component.ts              | 19 ++++++++++++
 src/app/core/session/session.module.ts        | 21 ++++++++-----
 .../user-account/user-account.component.html  | 17 ++--------
 .../user-account/user-account.component.ts    |  8 +----
 src/app/core/user/user.module.ts              | 10 +++---
 16 files changed, 150 insertions(+), 69 deletions(-)
 rename src/app/core/session/auth/{ => couchdb}/couchdb-auth.service.spec.ts (94%)
 rename src/app/core/session/auth/{ => couchdb}/couchdb-auth.service.ts (93%)
 rename src/app/core/{user => session/auth/couchdb}/password-form/password-form.component.html (96%)
 rename src/app/core/{user => session/auth/couchdb}/password-form/password-form.component.scss (100%)
 rename src/app/core/{user => session/auth/couchdb}/password-form/password-form.component.spec.ts (83%)
 rename src/app/core/{user => session/auth/couchdb}/password-form/password-form.component.ts (74%)
 rename src/app/core/session/auth/{ => keycloak}/keycloak-auth.service.spec.ts (91%)
 rename src/app/core/session/auth/{ => keycloak}/keycloak-auth.service.ts (95%)
 create mode 100644 src/app/core/session/auth/keycloak/password-button/password-button.component.html
 create mode 100644 src/app/core/session/auth/keycloak/password-button/password-button.component.scss
 create mode 100644 src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts
 create mode 100644 src/app/core/session/auth/keycloak/password-button/password-button.component.ts

diff --git a/src/app/core/session/auth/couchdb-auth.service.spec.ts b/src/app/core/session/auth/couchdb/couchdb-auth.service.spec.ts
similarity index 94%
rename from src/app/core/session/auth/couchdb-auth.service.spec.ts
rename to src/app/core/session/auth/couchdb/couchdb-auth.service.spec.ts
index a6839a4b01..8b89ce0734 100644
--- a/src/app/core/session/auth/couchdb-auth.service.spec.ts
+++ b/src/app/core/session/auth/couchdb/couchdb-auth.service.spec.ts
@@ -1,9 +1,16 @@
 import { TestBed } from "@angular/core/testing";
 
 import { CouchdbAuthService } from "./couchdb-auth.service";
-import { HttpClient, HttpErrorResponse, HttpStatusCode } from "@angular/common/http";
+import {
+  HttpClient,
+  HttpErrorResponse,
+  HttpStatusCode,
+} from "@angular/common/http";
 import { of, throwError } from "rxjs";
-import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
+import {
+  TEST_PASSWORD,
+  TEST_USER,
+} from "../../../../utils/mocked-testing.module";
 
 describe("CouchdbAuthService", () => {
   let service: CouchdbAuthService;
diff --git a/src/app/core/session/auth/couchdb-auth.service.ts b/src/app/core/session/auth/couchdb/couchdb-auth.service.ts
similarity index 93%
rename from src/app/core/session/auth/couchdb-auth.service.ts
rename to src/app/core/session/auth/couchdb/couchdb-auth.service.ts
index c4ddf25c37..9f47624254 100644
--- a/src/app/core/session/auth/couchdb-auth.service.ts
+++ b/src/app/core/session/auth/couchdb/couchdb-auth.service.ts
@@ -1,13 +1,14 @@
 import { Injectable } from "@angular/core";
-import { AuthService } from "./auth.service";
+import { AuthService } from "../auth.service";
 import {
   HttpClient,
   HttpErrorResponse,
-  HttpHeaders, HttpStatusCode,
+  HttpHeaders,
+  HttpStatusCode,
 } from "@angular/common/http";
 import { firstValueFrom } from "rxjs";
-import { DatabaseUser } from "../session-service/local-user";
-import { AppSettings } from "../../app-config/app-settings";
+import { DatabaseUser } from "../../session-service/local-user";
+import { AppSettings } from "../../../app-config/app-settings";
 
 @Injectable()
 export class CouchdbAuthService extends AuthService {
diff --git a/src/app/core/user/password-form/password-form.component.html b/src/app/core/session/auth/couchdb/password-form/password-form.component.html
similarity index 96%
rename from src/app/core/user/password-form/password-form.component.html
rename to src/app/core/session/auth/couchdb/password-form/password-form.component.html
index 95afb80903..d08d0588c5 100644
--- a/src/app/core/user/password-form/password-form.component.html
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.html
@@ -1,4 +1,4 @@
-<form [formGroup]="passwordForm" class="form-container">
+<form *ngIf="couchdbAuthService" [formGroup]="passwordForm" class="form-container">
   <mat-form-field class="user-form-field">
     <label i18n>
       Current Password
diff --git a/src/app/core/user/password-form/password-form.component.scss b/src/app/core/session/auth/couchdb/password-form/password-form.component.scss
similarity index 100%
rename from src/app/core/user/password-form/password-form.component.scss
rename to src/app/core/session/auth/couchdb/password-form/password-form.component.scss
diff --git a/src/app/core/user/password-form/password-form.component.spec.ts b/src/app/core/session/auth/couchdb/password-form/password-form.component.spec.ts
similarity index 83%
rename from src/app/core/user/password-form/password-form.component.spec.ts
rename to src/app/core/session/auth/couchdb/password-form/password-form.component.spec.ts
index 9c8e052ce8..02b36e27da 100644
--- a/src/app/core/user/password-form/password-form.component.spec.ts
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.spec.ts
@@ -1,10 +1,15 @@
-import { ComponentFixture, fakeAsync, TestBed, tick } from "@angular/core/testing";
+import {
+  ComponentFixture,
+  fakeAsync,
+  TestBed,
+  tick,
+} from "@angular/core/testing";
 
 import { PasswordFormComponent } from "./password-form.component";
-import { UserModule } from "../user.module";
-import { MockedTestingModule } from "../../../utils/mocked-testing.module";
-import { SessionService } from "../../session/session-service/session.service";
-import { CouchdbAuthService } from "../../session/auth/couchdb-auth.service";
+import { UserModule } from "../../../../user/user.module";
+import { MockedTestingModule } from "../../../../../utils/mocked-testing.module";
+import { SessionService } from "../../../session-service/session.service";
+import { CouchdbAuthService } from "../couchdb-auth.service";
 
 describe("PasswordFormComponent", () => {
   let component: PasswordFormComponent;
@@ -18,9 +23,8 @@ describe("PasswordFormComponent", () => {
 
     await TestBed.configureTestingModule({
       imports: [UserModule, MockedTestingModule.withState()],
-      providers: [{ provide: SessionService, useValue: mockSessionService }]
-    })
-      .compileComponents();
+      providers: [{ provide: SessionService, useValue: mockSessionService }],
+    }).compileComponents();
 
     fixture = TestBed.createComponent(PasswordFormComponent);
     component = fixture.componentInstance;
@@ -47,10 +51,7 @@ describe("PasswordFormComponent", () => {
     component.username = "testUser";
     component.passwordForm.get("currentPassword").setValue("testPW");
     mockSessionService.checkPassword.and.returnValue(true);
-    mockCouchDBAuth.changePassword.and.rejectWith(
-      new Error("pw change error")
-    );
-
+    mockCouchDBAuth.changePassword.and.rejectWith(new Error("pw change error"));
 
     expectAsync(component.changePassword()).toBeRejected();
     tick();
diff --git a/src/app/core/user/password-form/password-form.component.ts b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
similarity index 74%
rename from src/app/core/user/password-form/password-form.component.ts
rename to src/app/core/session/auth/couchdb/password-form/password-form.component.ts
index bf9b768f26..2cbb03d251 100644
--- a/src/app/core/user/password-form/password-form.component.ts
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
@@ -1,8 +1,9 @@
 import { Component, Input, OnInit } from "@angular/core";
 import { FormBuilder, ValidationErrors, Validators } from "@angular/forms";
-import { SessionService } from "../../session/session-service/session.service";
-import { CouchdbAuthService } from "../../session/auth/couchdb-auth.service";
-import { LoggingService } from "../../logging/logging.service";
+import { SessionService } from "../../../session-service/session.service";
+import { LoggingService } from "../../../../logging/logging.service";
+import { AuthService } from "../../auth.service";
+import { CouchdbAuthService } from "../couchdb-auth.service";
 
 /**
  * A simple password form that enforces secure password.
@@ -10,13 +11,14 @@ import { LoggingService } from "../../logging/logging.service";
 @Component({
   selector: "app-password-form",
   templateUrl: "./password-form.component.html",
-  styleUrls: ["./password-form.component.scss"]
+  styleUrls: ["./password-form.component.scss"],
 })
 export class PasswordFormComponent implements OnInit {
-  @Input() couchdbAuthService: CouchdbAuthService;
   @Input() username: string;
   @Input() disabled = false;
 
+  couchdbAuthService: CouchdbAuthService;
+
   passwordChangeResult: { success: boolean; error?: any };
 
   passwordForm = this.fb.group(
@@ -41,13 +43,25 @@ export class PasswordFormComponent implements OnInit {
   constructor(
     private fb: FormBuilder,
     private sessionService: SessionService,
-    private loggingService: LoggingService
-  ) {}
+    private loggingService: LoggingService,
+    authService: AuthService
+  ) {
+    if (authService instanceof CouchdbAuthService) {
+      this.couchdbAuthService = authService;
+    }
+  }
 
   ngOnInit() {
+    console.log("disabled", this.disabled);
+    console.log("form", this.passwordForm.valid, this.passwordForm.disabled);
     if (this.disabled) {
       this.passwordForm.disable();
     }
+    console.log(
+      "form after",
+      this.passwordForm.valid,
+      this.passwordForm.disabled
+    );
   }
 
   changePassword(): Promise<any> {
@@ -63,7 +77,8 @@ export class PasswordFormComponent implements OnInit {
     }
 
     const newPassword = this.passwordForm.get("newPassword").value;
-    return this.couchdbAuthService.changePassword(this.username, currentPassword, newPassword)
+    return this.couchdbAuthService
+      .changePassword(this.username, currentPassword, newPassword)
       .then(() => this.sessionService.login(this.username, newPassword))
       .then(() => (this.passwordChangeResult = { success: true }))
       .catch((err: Error) => {
diff --git a/src/app/core/session/auth/keycloak-auth.service.spec.ts b/src/app/core/session/auth/keycloak/keycloak-auth.service.spec.ts
similarity index 91%
rename from src/app/core/session/auth/keycloak-auth.service.spec.ts
rename to src/app/core/session/auth/keycloak/keycloak-auth.service.spec.ts
index 12fbde5ee6..54cba568cb 100644
--- a/src/app/core/session/auth/keycloak-auth.service.spec.ts
+++ b/src/app/core/session/auth/keycloak/keycloak-auth.service.spec.ts
@@ -1,10 +1,20 @@
 import { fakeAsync, TestBed, tick } from "@angular/core/testing";
 
-import { OIDCTokenResponse, KeycloakAuthService } from "./keycloak-auth.service";
-import { TEST_PASSWORD, TEST_USER } from "../../../utils/mocked-testing.module";
+import {
+  OIDCTokenResponse,
+  KeycloakAuthService,
+} from "./keycloak-auth.service";
+import {
+  TEST_PASSWORD,
+  TEST_USER,
+} from "../../../../utils/mocked-testing.module";
 import { of, throwError } from "rxjs";
-import { HttpClient, HttpErrorResponse, HttpStatusCode } from "@angular/common/http";
-import { DatabaseUser } from "../session-service/local-user";
+import {
+  HttpClient,
+  HttpErrorResponse,
+  HttpStatusCode,
+} from "@angular/common/http";
+import { DatabaseUser } from "../../session-service/local-user";
 
 function keycloakAuthHttpFake(_url, body) {
   const params = new URLSearchParams(body);
@@ -98,7 +108,7 @@ describe("KeycloakAuthService", () => {
     mockHttpClient.post.calls.reset();
     const newToken = { ...jwtTokenResponse, access_token: "new.token" };
     // mock token cannot be parsed as JwtToken
-    spyOn(window, "atob").and.returnValue("{\"decoded\": \"token\"}");
+    spyOn(window, "atob").and.returnValue('{"decoded": "token"}');
     mockHttpClient.post.and.returnValue(of(newToken));
     // should refresh token one minute before it expires
     tick(60 * 1000);
@@ -121,7 +131,10 @@ describe("KeycloakAuthService", () => {
   });
 
   it("should login, if there is a valid refresh token", async () => {
-    localStorage.setItem(KeycloakAuthService.REFRESH_TOKEN_KEY, "some-refresh-token");
+    localStorage.setItem(
+      KeycloakAuthService.REFRESH_TOKEN_KEY,
+      "some-refresh-token"
+    );
     mockHttpClient.post.and.returnValue(of(jwtTokenResponse));
     const user = await service.autoLogin();
     expect(user).toEqual(dbUser);
diff --git a/src/app/core/session/auth/keycloak-auth.service.ts b/src/app/core/session/auth/keycloak/keycloak-auth.service.ts
similarity index 95%
rename from src/app/core/session/auth/keycloak-auth.service.ts
rename to src/app/core/session/auth/keycloak/keycloak-auth.service.ts
index 2b54957a57..20eb176bbd 100644
--- a/src/app/core/session/auth/keycloak-auth.service.ts
+++ b/src/app/core/session/auth/keycloak/keycloak-auth.service.ts
@@ -1,10 +1,10 @@
-import { AuthService } from "./auth.service";
+import { AuthService } from "../auth.service";
 import { Injectable } from "@angular/core";
 import Keycloak from "keycloak-js";
 import { HttpClient, HttpHeaders } from "@angular/common/http";
 import { firstValueFrom } from "rxjs";
-import { DatabaseUser } from "../session-service/local-user";
-import { parseJwt } from "../../../utils/utils";
+import { DatabaseUser } from "../../session-service/local-user";
+import { parseJwt } from "../../../../utils/utils";
 
 @Injectable()
 export class KeycloakAuthService extends AuthService {
diff --git a/src/app/core/session/auth/keycloak/password-button/password-button.component.html b/src/app/core/session/auth/keycloak/password-button/password-button.component.html
new file mode 100644
index 0000000000..4c10783908
--- /dev/null
+++ b/src/app/core/session/auth/keycloak/password-button/password-button.component.html
@@ -0,0 +1,12 @@
+<button
+  *ngIf="keycloakAuthService"
+  mat-stroked-button
+  angulartics2On="click"
+  angularticsCategory="User"
+  angularticsAction="password_update"
+  (click)="keycloakAuthService.changePassword()"
+  [disabled]="disabled"
+  i18n="Button which opens password reset page"
+>
+  Change Password
+</button>
diff --git a/src/app/core/session/auth/keycloak/password-button/password-button.component.scss b/src/app/core/session/auth/keycloak/password-button/password-button.component.scss
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts b/src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts
new file mode 100644
index 0000000000..1f43fa5377
--- /dev/null
+++ b/src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts
@@ -0,0 +1,23 @@
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { PasswordButtonComponent } from './password-button.component';
+
+describe('PasswordButtonComponent', () => {
+  let component: PasswordButtonComponent;
+  let fixture: ComponentFixture<PasswordButtonComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      declarations: [ PasswordButtonComponent ]
+    })
+    .compileComponents();
+
+    fixture = TestBed.createComponent(PasswordButtonComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});
diff --git a/src/app/core/session/auth/keycloak/password-button/password-button.component.ts b/src/app/core/session/auth/keycloak/password-button/password-button.component.ts
new file mode 100644
index 0000000000..f567fb85d7
--- /dev/null
+++ b/src/app/core/session/auth/keycloak/password-button/password-button.component.ts
@@ -0,0 +1,19 @@
+import { Component, Input, OnInit } from "@angular/core";
+import { AuthService } from "../../auth.service";
+import { KeycloakAuthService } from "../keycloak-auth.service";
+
+@Component({
+  selector: "app-password-button",
+  templateUrl: "./password-button.component.html",
+  styleUrls: ["./password-button.component.scss"],
+})
+export class PasswordButtonComponent {
+  @Input() disabled: boolean;
+  keycloakAuthService: KeycloakAuthService;
+
+  constructor(authService: AuthService) {
+    if (authService instanceof KeycloakAuthService) {
+      this.keycloakAuthService = authService;
+    }
+  }
+}
diff --git a/src/app/core/session/session.module.ts b/src/app/core/session/session.module.ts
index fe13c62148..ec3033e1aa 100644
--- a/src/app/core/session/session.module.ts
+++ b/src/app/core/session/session.module.ts
@@ -18,10 +18,9 @@
 import { Injector, NgModule } from "@angular/core";
 import { CommonModule } from "@angular/common";
 import { LoginComponent } from "./login/login.component";
-import { FormsModule } from "@angular/forms";
+import { FormsModule, ReactiveFormsModule } from "@angular/forms";
 import { EntityModule } from "../entity/entity.module";
 import { AlertsModule } from "../alerts/alerts.module";
-import { UserModule } from "../user/user.module";
 import { MatButtonModule } from "@angular/material/button";
 import { MatCardModule } from "@angular/material/card";
 import { MatFormFieldModule } from "@angular/material/form-field";
@@ -37,9 +36,12 @@ import { SessionService } from "./session-service/session.service";
 import { SessionType } from "./session-type";
 import { environment } from "../../../environments/environment";
 import { AuthService } from "./auth/auth.service";
-import { KeycloakAuthService } from "./auth/keycloak-auth.service";
-import { CouchdbAuthService } from "./auth/couchdb-auth.service";
+import { KeycloakAuthService } from "./auth/keycloak/keycloak-auth.service";
+import { CouchdbAuthService } from "./auth/couchdb/couchdb-auth.service";
 import { AuthProvider } from "./auth/auth-provider";
+import { PasswordFormComponent } from "./auth/couchdb/password-form/password-form.component";
+import { PasswordButtonComponent } from "./auth/keycloak/password-button/password-button.component";
+import { Angulartics2OnModule } from "angulartics2";
 
 /**
  * The core session logic handling user login as well as connection and synchronization with the remote database.
@@ -60,13 +62,18 @@ import { AuthProvider } from "./auth/auth-provider";
     MatInputModule,
     MatButtonModule,
     RouterModule,
-    UserModule,
     HttpClientModule,
     MatDialogModule,
     MatProgressBarModule,
+    Angulartics2OnModule,
+    ReactiveFormsModule,
   ],
-  declarations: [LoginComponent],
-  exports: [LoginComponent],
+  declarations: [
+    LoginComponent,
+    PasswordFormComponent,
+    PasswordButtonComponent,
+  ],
+  exports: [LoginComponent, PasswordButtonComponent, PasswordFormComponent],
   providers: [
     SyncedSessionService,
     LocalSession,
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index fec0394afd..2ae143e113 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -38,23 +38,12 @@
           style="width: fit-content"
         >
           <app-password-form
-            *ngIf="couchdbAuthService"
-            [couchdbAuthService]="couchdbAuthService"
             [username]="username"
             [disabled]="passwordChangeDisabled"
           ></app-password-form>
-          <button
-            *ngIf="!couchdbAuthService"
-            mat-stroked-button
-            angulartics2On="click"
-            angularticsCategory="User"
-            angularticsAction="password_update"
-            (click)="authService.changePassword()"
-            [disabled]="passwordChangeDisabled"
-            i18n="Button which opens password reset page"
-          >
-            Change Password
-          </button>
+
+          <app-password-button [disabled]="passwordChangeDisabled">
+          </app-password-button>
         </div>
       </div>
     </ng-template>
diff --git a/src/app/core/user/user-account/user-account.component.ts b/src/app/core/user/user-account/user-account.component.ts
index ab45624b45..90fdbe4166 100644
--- a/src/app/core/user/user-account/user-account.component.ts
+++ b/src/app/core/user/user-account/user-account.component.ts
@@ -20,7 +20,6 @@ import { SessionService } from "../../session/session-service/session.service";
 import { environment } from "../../../../environments/environment";
 import { SessionType } from "../../session/session-type";
 import { AuthService } from "../../session/auth/auth.service";
-import { CouchdbAuthService } from "../../session/auth/couchdb-auth.service";
 
 /**
  * User account form to allow the user to view and edit information.
@@ -36,16 +35,11 @@ export class UserAccountComponent implements OnInit {
 
   passwordChangeDisabled = false;
   tooltipText;
-  couchdbAuthService: CouchdbAuthService;
 
   constructor(
     private sessionService: SessionService,
     public authService: AuthService
-  ) {
-    if (this.authService instanceof CouchdbAuthService) {
-      this.couchdbAuthService = this.authService;
-    }
-  }
+  ) {}
 
   ngOnInit() {
     this.checkIfPasswordChangeAllowed();
diff --git a/src/app/core/user/user.module.ts b/src/app/core/user/user.module.ts
index f83db20ae0..58cb619671 100644
--- a/src/app/core/user/user.module.ts
+++ b/src/app/core/user/user.module.ts
@@ -25,9 +25,9 @@ import { MatTabsModule } from "@angular/material/tabs";
 import { TabStateModule } from "../../utils/tab-state/tab-state.module";
 import { MatTooltipModule } from "@angular/material/tooltip";
 import { Angulartics2Module } from "angulartics2";
-import { PasswordFormComponent } from "./password-form/password-form.component";
 import { ReactiveFormsModule } from "@angular/forms";
 import { FontAwesomeModule } from "@fortawesome/angular-fontawesome";
+import { SessionModule } from "../session/session.module";
 
 /**
  * Provides a User functionality including user account forms.
@@ -43,9 +43,9 @@ import { FontAwesomeModule } from "@fortawesome/angular-fontawesome";
     MatTooltipModule,
     Angulartics2Module,
     ReactiveFormsModule,
-    FontAwesomeModule
+    FontAwesomeModule,
+    SessionModule,
   ],
-  declarations: [UserAccountComponent, PasswordFormComponent],
+  declarations: [UserAccountComponent],
 })
-export class UserModule {
-}
+export class UserModule {}

From ef67e1bacbf9c1275f36deb22a0a4546a60d09ed Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Fri, 26 Aug 2022 11:38:07 +0200
Subject: [PATCH 39/42] fixed password form component

---
 src/app/core/session/auth/auth.service.ts              |  5 -----
 .../couchdb/password-form/password-form.component.html | 10 ++++++++--
 .../couchdb/password-form/password-form.component.ts   | 10 +++-------
 .../core/user/user-account/user-account.component.html |  5 +++--
 4 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/src/app/core/session/auth/auth.service.ts b/src/app/core/session/auth/auth.service.ts
index 05457c2631..0167879840 100644
--- a/src/app/core/session/auth/auth.service.ts
+++ b/src/app/core/session/auth/auth.service.ts
@@ -34,9 +34,4 @@ export abstract class AuthService {
    * Clear the local session of the currently logged-in user.
    */
   abstract logout(): Promise<void>;
-
-  /**
-   * Change the password of a user.
-   */
-  abstract changePassword(): Promise<any>;
 }
diff --git a/src/app/core/session/auth/couchdb/password-form/password-form.component.html b/src/app/core/session/auth/couchdb/password-form/password-form.component.html
index d08d0588c5..02b8a40904 100644
--- a/src/app/core/session/auth/couchdb/password-form/password-form.component.html
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.html
@@ -26,6 +26,12 @@
       <input matInput type="password" formControlName="newPassword"/>
     </label>
     <mat-error *ngIf="passwordForm.get('newPassword').invalid">
+      <div
+        *ngIf="passwordForm.get('newPassword').errors.required"
+        i18n="Password validation"
+      >
+        Please enter a new password.
+      </div>
       <div
         *ngIf="passwordForm.get('newPassword').errors.minlength"
         i18n="Password validation"
@@ -59,7 +65,7 @@
               "
       i18n="Illegal new password"
     >
-      Confirmation does not match your new password.
+      Passwords don't match.
     </mat-error>
   </mat-form-field>
   <br/>
@@ -78,7 +84,7 @@
   <button
     mat-raised-button
     type="submit"
-    [disabled]="passwordForm.invalid || passwordForm.disabled"
+    [disabled]="passwordForm.disabled"
     (click)="changePassword()"
     (submit)="changePassword()"
     i18n="Change password button"
diff --git a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
index 2cbb03d251..83b7f41382 100644
--- a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
@@ -52,19 +52,15 @@ export class PasswordFormComponent implements OnInit {
   }
 
   ngOnInit() {
-    console.log("disabled", this.disabled);
-    console.log("form", this.passwordForm.valid, this.passwordForm.disabled);
     if (this.disabled) {
       this.passwordForm.disable();
     }
-    console.log(
-      "form after",
-      this.passwordForm.valid,
-      this.passwordForm.disabled
-    );
   }
 
   changePassword(): Promise<any> {
+    if (this.passwordForm.invalid) {
+      return;
+    }
     this.passwordChangeResult = undefined;
 
     const currentPassword = this.passwordForm.get("currentPassword").value;
diff --git a/src/app/core/user/user-account/user-account.component.html b/src/app/core/user/user-account/user-account.component.html
index 2ae143e113..969b1f2dd1 100644
--- a/src/app/core/user/user-account/user-account.component.html
+++ b/src/app/core/user/user-account/user-account.component.html
@@ -42,8 +42,9 @@
             [disabled]="passwordChangeDisabled"
           ></app-password-form>
 
-          <app-password-button [disabled]="passwordChangeDisabled">
-          </app-password-button>
+          <app-password-button
+            [disabled]="passwordChangeDisabled"
+          ></app-password-button>
         </div>
       </div>
     </ng-template>

From d486adc371e25683d13d4860d0eff1fc140d1520 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Fri, 26 Aug 2022 12:22:33 +0200
Subject: [PATCH 40/42] cleaned up code

---
 .../auth/couchdb/password-form/password-form.component.scss    | 0
 .../auth/couchdb/password-form/password-form.component.ts      | 3 +--
 .../keycloak/password-button/password-button.component.scss    | 0
 .../auth/keycloak/password-button/password-button.component.ts | 3 +--
 4 files changed, 2 insertions(+), 4 deletions(-)
 delete mode 100644 src/app/core/session/auth/couchdb/password-form/password-form.component.scss
 delete mode 100644 src/app/core/session/auth/keycloak/password-button/password-button.component.scss

diff --git a/src/app/core/session/auth/couchdb/password-form/password-form.component.scss b/src/app/core/session/auth/couchdb/password-form/password-form.component.scss
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
index 83b7f41382..ad09cf5d19 100644
--- a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
@@ -11,7 +11,6 @@ import { CouchdbAuthService } from "../couchdb-auth.service";
 @Component({
   selector: "app-password-form",
   templateUrl: "./password-form.component.html",
-  styleUrls: ["./password-form.component.scss"],
 })
 export class PasswordFormComponent implements OnInit {
   @Input() username: string;
@@ -31,7 +30,7 @@ export class PasswordFormComponent implements OnInit {
           Validators.minLength(8),
           Validators.pattern(/[A-Z]/),
           Validators.pattern(/[a-z]/),
-          Validators.pattern(/[0-9]/),
+          Validators.pattern(/\d/),
           Validators.pattern(/[^A-Za-z0-9]/),
         ],
       ],
diff --git a/src/app/core/session/auth/keycloak/password-button/password-button.component.scss b/src/app/core/session/auth/keycloak/password-button/password-button.component.scss
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/src/app/core/session/auth/keycloak/password-button/password-button.component.ts b/src/app/core/session/auth/keycloak/password-button/password-button.component.ts
index f567fb85d7..2984fd1a7a 100644
--- a/src/app/core/session/auth/keycloak/password-button/password-button.component.ts
+++ b/src/app/core/session/auth/keycloak/password-button/password-button.component.ts
@@ -1,11 +1,10 @@
-import { Component, Input, OnInit } from "@angular/core";
+import { Component, Input } from "@angular/core";
 import { AuthService } from "../../auth.service";
 import { KeycloakAuthService } from "../keycloak-auth.service";
 
 @Component({
   selector: "app-password-button",
   templateUrl: "./password-button.component.html",
-  styleUrls: ["./password-button.component.scss"],
 })
 export class PasswordButtonComponent {
   @Input() disabled: boolean;

From 86d92f0cad9d253d14ce5494633e12b9362a44d5 Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Fri, 26 Aug 2022 12:37:53 +0200
Subject: [PATCH 41/42] fixed broken tests

---
 .../password-form.component.spec.ts             | 16 ++++++++++++----
 .../password-form/password-form.component.ts    |  9 +++++----
 .../password-button.component.spec.ts           | 17 ++++++++++-------
 3 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/src/app/core/session/auth/couchdb/password-form/password-form.component.spec.ts b/src/app/core/session/auth/couchdb/password-form/password-form.component.spec.ts
index 02b36e27da..48701890b1 100644
--- a/src/app/core/session/auth/couchdb/password-form/password-form.component.spec.ts
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.spec.ts
@@ -29,6 +29,7 @@ describe("PasswordFormComponent", () => {
     fixture = TestBed.createComponent(PasswordFormComponent);
     component = fixture.componentInstance;
     component.couchdbAuthService = mockCouchDBAuth;
+    component.username = "testUser";
     fixture.detectChanges();
   });
 
@@ -36,6 +37,12 @@ describe("PasswordFormComponent", () => {
     expect(component).toBeTruthy();
   });
 
+  it("should disable the form when disabled is passed to component", () => {
+    component.disabled = true;
+    component.ngOnInit();
+    expect(component.passwordForm.disabled).toBeTrue();
+  });
+
   it("should set error when password is incorrect", () => {
     component.passwordForm.get("currentPassword").setValue("wrongPW");
     mockSessionService.checkPassword.and.returnValue(false);
@@ -48,8 +55,9 @@ describe("PasswordFormComponent", () => {
   });
 
   it("should set error when password change fails", fakeAsync(() => {
-    component.username = "testUser";
     component.passwordForm.get("currentPassword").setValue("testPW");
+    component.passwordForm.get("newPassword").setValue("Password1-");
+    component.passwordForm.get("confirmPassword").setValue("Password1-");
     mockSessionService.checkPassword.and.returnValue(true);
     mockCouchDBAuth.changePassword.and.rejectWith(new Error("pw change error"));
 
@@ -62,9 +70,9 @@ describe("PasswordFormComponent", () => {
   }));
 
   it("should set success and re-login when password change worked", fakeAsync(() => {
-    component.username = "testUser";
     component.passwordForm.get("currentPassword").setValue("testPW");
-    component.passwordForm.get("newPassword").setValue("changedPassword");
+    component.passwordForm.get("newPassword").setValue("Password1-");
+    component.passwordForm.get("confirmPassword").setValue("Password1-");
     mockSessionService.checkPassword.and.returnValue(true);
     mockCouchDBAuth.changePassword.and.resolveTo();
     mockSessionService.login.and.resolveTo(null);
@@ -74,7 +82,7 @@ describe("PasswordFormComponent", () => {
     expect(component.passwordChangeResult.success).toBeTrue();
     expect(mockSessionService.login).toHaveBeenCalledWith(
       "testUser",
-      "changedPassword"
+      "Password1-"
     );
   }));
 });
diff --git a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
index ad09cf5d19..aa5cbc749f 100644
--- a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
@@ -57,9 +57,6 @@ export class PasswordFormComponent implements OnInit {
   }
 
   changePassword(): Promise<any> {
-    if (this.passwordForm.invalid) {
-      return;
-    }
     this.passwordChangeResult = undefined;
 
     const currentPassword = this.passwordForm.get("currentPassword").value;
@@ -68,7 +65,11 @@ export class PasswordFormComponent implements OnInit {
       this.passwordForm
         .get("currentPassword")
         .setErrors({ incorrectPassword: true });
-      return;
+      return Promise.reject();
+    }
+
+    if (this.passwordForm.invalid) {
+      return Promise.reject();
     }
 
     const newPassword = this.passwordForm.get("newPassword").value;
diff --git a/src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts b/src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts
index 1f43fa5377..6a6d9972f2 100644
--- a/src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts
+++ b/src/app/core/session/auth/keycloak/password-button/password-button.component.spec.ts
@@ -1,23 +1,26 @@
-import { ComponentFixture, TestBed } from '@angular/core/testing';
+import { ComponentFixture, TestBed } from "@angular/core/testing";
 
-import { PasswordButtonComponent } from './password-button.component';
+import { PasswordButtonComponent } from "./password-button.component";
+import { AuthService } from "../../auth.service";
 
-describe('PasswordButtonComponent', () => {
+describe("PasswordButtonComponent", () => {
   let component: PasswordButtonComponent;
   let fixture: ComponentFixture<PasswordButtonComponent>;
 
   beforeEach(async () => {
     await TestBed.configureTestingModule({
-      declarations: [ PasswordButtonComponent ]
-    })
-    .compileComponents();
+      declarations: [PasswordButtonComponent],
+      providers: [
+        { provide: AuthService, useValue: { changePassword: () => undefined } },
+      ],
+    }).compileComponents();
 
     fixture = TestBed.createComponent(PasswordButtonComponent);
     component = fixture.componentInstance;
     fixture.detectChanges();
   });
 
-  it('should create', () => {
+  it("should create", () => {
     expect(component).toBeTruthy();
   });
 });

From 6df220f3de62b7748d24ccd1af07d89286481aec Mon Sep 17 00:00:00 2001
From: Simon <simon@aam-digital.com>
Date: Fri, 26 Aug 2022 15:55:54 +0200
Subject: [PATCH 42/42] removed promise rejection

---
 .../auth/couchdb/password-form/password-form.component.ts     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
index aa5cbc749f..59f3ee7912 100644
--- a/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
+++ b/src/app/core/session/auth/couchdb/password-form/password-form.component.ts
@@ -65,11 +65,11 @@ export class PasswordFormComponent implements OnInit {
       this.passwordForm
         .get("currentPassword")
         .setErrors({ incorrectPassword: true });
-      return Promise.reject();
+      return;
     }
 
     if (this.passwordForm.invalid) {
-      return Promise.reject();
+      return;
     }
 
     const newPassword = this.passwordForm.get("newPassword").value;