feat(session): add per-user source refresh (#84)

* feat(session): add per-user source refresh

Add refreshSource(provider) to UserSession so per-user
config changes can re-resolve a source without replacing
the global provider.

- UserSession now carries userId
- Simplify UserSessionManager sessions map
- replaceProvider delegates to session.refreshSource
- Remove updateSessionSource from manager

Co-authored-by: Ona <no-reply@ona.com>

* docs: fix stale jsdoc on provider failure behavior

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>

apps/aelis-backend/src/admin/http.test.ts

@@ -0,0 +1,162 @@
+import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
+
+import { Hono } from "hono"
+import { describe, expect, test } from "bun:test"
+
+import type { AdminMiddleware } from "../auth/admin-middleware.ts"
+import type { AuthSession, AuthUser } from "../auth/session.ts"
+import type { Database } from "../db/index.ts"
+import type { FeedSourceProvider } from "../session/feed-source-provider.ts"
+
+import { UserSessionManager } from "../session/user-session-manager.ts"
+import { registerAdminHttpHandlers } from "./http.ts"
+
+function createStubSource(id: string): FeedSource {
+	return {
+		id,
+		async listActions(): Promise<Record<string, ActionDefinition>> {
+			return {}
+		},
+		async executeAction(): Promise<unknown> {
+			return undefined
+		},
+		async fetchContext(): Promise<readonly ContextEntry[] | null> {
+			return null
+		},
+		async fetchItems(): Promise<FeedItem[]> {
+			return []
+		},
+	}
+}
+
+function createStubProvider(sourceId: string): FeedSourceProvider {
+	return {
+		sourceId,
+		async feedSourceForUser() {
+			return createStubSource(sourceId)
+		},
+	}
+}
+
+/** Passthrough admin middleware for testing (assumes admin). */
+function passthroughAdminMiddleware(): AdminMiddleware {
+	const now = new Date()
+	return async (c, next) => {
+		c.set("user", {
+			id: "admin-1",
+			name: "Admin",
+			email: "admin@test.com",
+			emailVerified: true,
+			image: null,
+			createdAt: now,
+			updatedAt: now,
+			role: "admin",
+			banned: false,
+			banReason: null,
+			banExpires: null,
+		} as AuthUser)
+		c.set("session", { id: "sess-1" } as AuthSession)
+		await next()
+	}
+}
+
+const fakeDb = {} as Database
+
+function createApp(providers: FeedSourceProvider[]) {
+	const sessionManager = new UserSessionManager({ providers })
+	const app = new Hono()
+	registerAdminHttpHandlers(app, {
+		sessionManager,
+		adminMiddleware: passthroughAdminMiddleware(),
+		db: fakeDb,
+	})
+	return { app, sessionManager }
+}
+
+const validWeatherConfig = {
+	credentials: {
+		privateKey: "pk-123",
+		keyId: "key-456",
+		teamId: "team-789",
+		serviceId: "svc-abc",
+	},
+}
+
+describe("PUT /api/admin/:sourceId/config", () => {
+	test("returns 404 for unknown provider", async () => {
+		const { app } = createApp([createStubProvider("aelis.location")])
+
+		const res = await app.request("/api/admin/aelis.nonexistent/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ key: "value" }),
+		})
+
+		expect(res.status).toBe(404)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not found")
+	})
+
+	test("returns 404 for provider without runtime config support", async () => {
+		const { app } = createApp([createStubProvider("aelis.location")])
+
+		const res = await app.request("/api/admin/aelis.location/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ key: "value" }),
+		})
+
+		expect(res.status).toBe(404)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("not found")
+	})
+
+	test("returns 400 for invalid JSON body", async () => {
+		const { app } = createApp([createStubProvider("aelis.weather")])
+
+		const res = await app.request("/api/admin/aelis.weather/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: "not json",
+		})
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toContain("Invalid JSON")
+	})
+
+	test("returns 400 when weather config fails validation", async () => {
+		const { app } = createApp([createStubProvider("aelis.weather")])
+
+		const res = await app.request("/api/admin/aelis.weather/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ credentials: { privateKey: 123 } }),
+		})
+
+		expect(res.status).toBe(400)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toBeDefined()
+	})
+
+	test("returns 204 and applies valid weather config", async () => {
+		const { app, sessionManager } = createApp([createStubProvider("aelis.weather")])
+
+		const originalProvider = sessionManager.getProvider("aelis.weather")
+
+		const res = await app.request("/api/admin/aelis.weather/config", {
+			method: "PUT",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify(validWeatherConfig),
+		})
+
+		expect(res.status).toBe(204)
+
+		// Provider was replaced with a new instance
+		const provider = sessionManager.getProvider("aelis.weather")
+		expect(provider).toBeDefined()
+		expect(provider!.sourceId).toBe("aelis.weather")
+		expect(provider).not.toBe(originalProvider)
+	})
+
+})

apps/aelis-backend/src/admin/http.ts

@@ -0,0 +1,88 @@
+import type { Context, Hono } from "hono"
+
+import { type } from "arktype"
+import { createMiddleware } from "hono/factory"
+
+import type { AdminMiddleware } from "../auth/admin-middleware.ts"
+import type { Database } from "../db/index.ts"
+import type { UserSessionManager } from "../session/index.ts"
+
+import { WeatherSourceProvider } from "../weather/provider.ts"
+
+type Env = {
+	Variables: {
+		sessionManager: UserSessionManager
+		db: Database
+	}
+}
+
+interface AdminHttpHandlersDeps {
+	sessionManager: UserSessionManager
+	adminMiddleware: AdminMiddleware
+	db: Database
+}
+
+export function registerAdminHttpHandlers(
+	app: Hono,
+	{ sessionManager, adminMiddleware, db }: AdminHttpHandlersDeps,
+) {
+	const inject = createMiddleware<Env>(async (c, next) => {
+		c.set("sessionManager", sessionManager)
+		c.set("db", db)
+		await next()
+	})
+
+	app.put("/api/admin/:sourceId/config", inject, adminMiddleware, handleUpdateProviderConfig)
+}
+
+const WeatherKitSourceProviderConfig = type({
+	credentials: {
+		privateKey: "string",
+		keyId: "string",
+		teamId: "string",
+		serviceId: "string",
+	},
+})
+
+async function handleUpdateProviderConfig(c: Context<Env>) {
+	const sourceId = c.req.param("sourceId")
+	if (!sourceId) {
+		return c.body(null, 404)
+	}
+
+	const sessionManager = c.get("sessionManager")
+	const db = c.get("db")
+
+	let body: unknown
+	try {
+		body = await c.req.json()
+	} catch {
+		return c.json({ error: "Invalid JSON" }, 400)
+	}
+
+	switch (sourceId) {
+		case "aelis.weather": {
+			const parsed = WeatherKitSourceProviderConfig(body)
+			if (parsed instanceof type.errors) {
+				return c.json({ error: parsed.summary }, 400)
+			}
+
+			const updated = new WeatherSourceProvider({
+				db,
+				credentials: parsed.credentials,
+			})
+
+			try {
+				await sessionManager.replaceProvider(updated)
+			} catch (err) {
+				console.error(`[admin] replaceProvider("${sourceId}") failed:`, err)
+				return c.json({ error: "Failed to apply config" }, 500)
+			}
+
+			return c.body(null, 204)
+		}
+
+		default:
+			return c.json({ error: `Provider "${sourceId}" not found` }, 404)
+	}
+}

apps/aelis-backend/src/auth/admin-middleware.test.ts

@@ -0,0 +1,95 @@
+import { Hono } from "hono"
+import { describe, expect, test } from "bun:test"
+
+import type { Auth } from "./index.ts"
+import type { AuthSession, AuthUser } from "./session.ts"
+
+import { createRequireAdmin } from "./admin-middleware.ts"
+
+function makeUser(role: string | null): AuthUser {
+	const now = new Date()
+	return {
+		id: "user-1",
+		name: "Test User",
+		email: "test@example.com",
+		emailVerified: true,
+		image: null,
+		createdAt: now,
+		updatedAt: now,
+		role,
+		banned: false,
+		banReason: null,
+		banExpires: null,
+	}
+}
+
+function makeSession(): AuthSession {
+	const now = new Date()
+	return {
+		id: "sess-1",
+		userId: "user-1",
+		token: "tok-1",
+		expiresAt: new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000),
+		ipAddress: "127.0.0.1",
+		userAgent: "test",
+		createdAt: now,
+		updatedAt: now,
+	}
+}
+
+function mockAuth(sessionResult: { user: AuthUser; session: AuthSession } | null): Auth {
+	return {
+		api: {
+			getSession: async () => sessionResult,
+		},
+	} as unknown as Auth
+}
+
+function createApp(auth: Auth) {
+	const app = new Hono()
+	const middleware = createRequireAdmin(auth)
+	app.get("/api/admin/test", middleware, (c) => c.json({ ok: true }))
+	return app
+}
+
+describe("createRequireAdmin", () => {
+	test("returns 401 when no session", async () => {
+		const app = createApp(mockAuth(null))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(401)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toBe("Unauthorized")
+	})
+
+	test("returns 403 when user is not admin", async () => {
+		const app = createApp(mockAuth({ user: makeUser("user"), session: makeSession() }))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(403)
+		const body = (await res.json()) as { error: string }
+		expect(body.error).toBe("Forbidden")
+	})
+
+	test("returns 403 when role is null", async () => {
+		const app = createApp(mockAuth({ user: makeUser(null), session: makeSession() }))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(403)
+	})
+
+	test("allows admin users through and sets context", async () => {
+		const user = makeUser("admin")
+		const session = makeSession()
+		const app = createApp(mockAuth({ user, session }))
+
+		const res = await app.request("/api/admin/test")
+
+		expect(res.status).toBe(200)
+		const body = (await res.json()) as { ok: boolean }
+		expect(body.ok).toBe(true)
+	})
+})

apps/aelis-backend/src/auth/admin-middleware.ts

@@ -0,0 +1,28 @@
+import type { Context, MiddlewareHandler, Next } from "hono"
+
+import type { Auth } from "./index.ts"
+import type { AuthSessionEnv } from "./session-middleware.ts"
+
+export type AdminMiddleware = MiddlewareHandler<AuthSessionEnv>
+
+/**
+ * Creates a middleware that requires a valid session with admin role.
+ * Returns 401 if not authenticated, 403 if not admin.
+ */
+export function createRequireAdmin(auth: Auth): AdminMiddleware {
+	return async (c: Context, next: Next): Promise<Response | void> => {
+		const session = await auth.api.getSession({ headers: c.req.raw.headers })
+
+		if (!session) {
+			return c.json({ error: "Unauthorized" }, 401)
+		}
+
+		if (session.user.role !== "admin") {
+			return c.json({ error: "Forbidden" }, 403)
+		}
+
+		c.set("user", session.user)
+		c.set("session", session.session)
+		await next()
+	}
+}

apps/aelis-backend/src/server.ts

@@ -1,5 +1,7 @@
 import { Hono } from "hono"
 
+import { registerAdminHttpHandlers } from "./admin/http.ts"
+import { createRequireAdmin } from "./auth/admin-middleware.ts"
 import { registerAuthHandlers } from "./auth/http.ts"
 import { createAuth } from "./auth/index.ts"
 import { createRequireSession } from "./auth/session-middleware.ts"
@@ -50,6 +52,7 @@ function main() {
 	app.get("/health", (c) => c.json({ status: "ok" }))
 
 	const authSessionMiddleware = createRequireSession(auth)
+	const adminMiddleware = createRequireAdmin(auth)
 
 	registerAuthHandlers(app, auth)
 
@@ -58,6 +61,7 @@ function main() {
 		authSessionMiddleware,
 	})
 	registerLocationHttpHandlers(app, { sessionManager, authSessionMiddleware })
+	registerAdminHttpHandlers(app, { sessionManager, adminMiddleware, db })
 
 	process.on("SIGTERM", async () => {
 		await closeDb()

apps/aelis-backend/src/session/user-session-manager.test.ts

@@ -339,7 +339,7 @@ describe("UserSessionManager.replaceProvider", () => {
 		)
 	})
 
-	test("removes source from session when new provider fails for a user", async () => {
+	test("keeps existing source when new provider fails for a user", async () => {
 		const providerV1 = createStubProvider("test", async () => createStubSource("test"))
 		const manager = new UserSessionManager({ providers: [providerV1] })
 
@@ -353,7 +353,7 @@ describe("UserSessionManager.replaceProvider", () => {
 		})
 		await manager.replaceProvider(failingProvider)
 
-		expect(session.getSource("test")).toBeUndefined()
+		expect(session.getSource("test")).toBeDefined()
 		expect(spy).toHaveBeenCalled()
 
 		spy.mockRestore()

apps/aelis-backend/src/session/user-session-manager.ts

@@ -11,7 +11,7 @@ export interface UserSessionManagerConfig {
 }
 
 export class UserSessionManager {
-	private sessions = new Map<string, { userId: string; session: UserSession }>()
+	private sessions = new Map<string, UserSession>()
 	private pending = new Map<string, Promise<UserSession>>()
 	private readonly providers = new Map<string, FeedSourceProvider>()
 	private readonly feedEnhancer: FeedEnhancer | null
@@ -23,9 +23,13 @@ export class UserSessionManager {
 		this.feedEnhancer = config.feedEnhancer ?? null
 	}
 
+	getProvider(sourceId: string): FeedSourceProvider | undefined {
+		return this.providers.get(sourceId)
+	}
+
 	async getOrCreate(userId: string): Promise<UserSession> {
 		const existing = this.sessions.get(userId)
-		if (existing) return existing.session
+		if (existing) return existing
 
 		const inflight = this.pending.get(userId)
 		if (inflight) return inflight
@@ -40,7 +44,7 @@ export class UserSessionManager {
 				session.destroy()
 				throw new Error(`Session for user ${userId} was removed during creation`)
 			}
-			this.sessions.set(userId, { userId, session })
+			this.sessions.set(userId, session)
 			return session
 		} finally {
 			this.pending.delete(userId)
@@ -48,9 +52,9 @@ export class UserSessionManager {
 	}
 
 	remove(userId: string): void {
-		const entry = this.sessions.get(userId)
+		const session = this.sessions.get(userId)
-		if (entry) {
+		if (session) {
-			entry.session.destroy()
+			session.destroy()
 			this.sessions.delete(userId)
 		}
 		// Cancel any in-flight creation so getOrCreate won't store the session
@@ -60,8 +64,8 @@ export class UserSessionManager {
 	/**
 	 * Replaces a provider and updates all active sessions.
 	 * The new provider must have the same sourceId as an existing one.
-	 * For each active session, resolves a new source from the provider.
+	 * For each active session, re-resolves the source via session.refreshSource.
-	 * If the provider fails for a user, the old source is removed from that session.
+	 * If the provider fails for a user, the existing source is kept.
 	 */
 	async replaceProvider(provider: FeedSourceProvider): Promise<void> {
 		if (!this.providers.has(provider.sourceId)) {
@@ -74,16 +78,16 @@ export class UserSessionManager {
 
 		const updates: Promise<void>[] = []
 
-		for (const [, { userId, session }] of this.sessions) {
+		for (const [, session] of this.sessions) {
-			updates.push(this.updateSessionSource(provider, userId, session))
+			updates.push(session.refreshSource(provider))
 		}
 
 		// Also update sessions that are currently being created so they
 		// don't land in this.sessions with a stale source.
-		for (const [userId, pendingPromise] of this.pending) {
+		for (const [, pendingPromise] of this.pending) {
 			updates.push(
 				pendingPromise
-					.then((session) => this.updateSessionSource(provider, userId, session))
+					.then((session) => session.refreshSource(provider))
 					.catch(() => {
 						// Session creation itself failed — nothing to update.
 					}),
@@ -93,23 +97,6 @@ export class UserSessionManager {
 		await Promise.all(updates)
 	}
 
-	private async updateSessionSource(
-		provider: FeedSourceProvider,
-		userId: string,
-		session: UserSession,
-	): Promise<void> {
-		try {
-			const newSource = await provider.feedSourceForUser(userId)
-			session.replaceSource(provider.sourceId, newSource)
-		} catch (err) {
-			console.error(
-				`[UserSessionManager] replaceProvider("${provider.sourceId}") failed for user ${userId}:`,
-				err,
-			)
-			session.removeSource(provider.sourceId)
-		}
-	}
-
 	private async createSession(userId: string): Promise<UserSession> {
 		const results = await Promise.allSettled(
 			Array.from(this.providers.values()).map((p) => p.feedSourceForUser(userId)),
@@ -134,6 +121,6 @@ export class UserSessionManager {
 			console.error("[UserSessionManager] Feed source provider failed:", error)
 		}
 
-		return new UserSession(sources, this.feedEnhancer)
+		return new UserSession(userId, sources, this.feedEnhancer)
 	}
 }

apps/aelis-backend/src/session/user-session.test.ts

@@ -1,7 +1,9 @@
 import type { ActionDefinition, ContextEntry, FeedItem, FeedSource } from "@aelis/core"
 
 import { LocationSource } from "@aelis/source-location"
-import { describe, expect, test } from "bun:test"
+import { describe, expect, spyOn, test } from "bun:test"
+
+import type { FeedSourceProvider } from "./feed-source-provider.ts"
 
 import { UserSession } from "./user-session.ts"
 
@@ -25,7 +27,10 @@ function createStubSource(id: string, items: FeedItem[] = []): FeedSource {
 
 describe("UserSession", () => {
 	test("registers sources and starts engine", async () => {
-		const session = new UserSession([createStubSource("test-a"), createStubSource("test-b")])
+		const session = new UserSession("test-user", [
+			createStubSource("test-a"),
+			createStubSource("test-b"),
+		])
 
 		const result = await session.engine.refresh()
 
@@ -34,7 +39,7 @@ describe("UserSession", () => {
 
 	test("getSource returns registered source", () => {
 		const location = new LocationSource()
-		const session = new UserSession([location])
+		const session = new UserSession("test-user", [location])
 
 		const result = session.getSource<LocationSource>("aelis.location")
 
@@ -42,13 +47,13 @@ describe("UserSession", () => {
 	})
 
 	test("getSource returns undefined for unknown source", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		expect(session.getSource("unknown")).toBeUndefined()
 	})
 
 	test("destroy stops engine and clears sources", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		session.destroy()
 
@@ -57,7 +62,7 @@ describe("UserSession", () => {
 
 	test("engine.executeAction routes to correct source", async () => {
 		const location = new LocationSource()
-		const session = new UserSession([location])
+		const session = new UserSession("test-user", [location])
 
 		await session.engine.executeAction("aelis.location", "update-location", {
 			lat: 51.5,
@@ -82,7 +87,7 @@ describe("UserSession.feed", () => {
 				data: { value: 42 },
 			},
 		]
-		const session = new UserSession([createStubSource("test", items)])
+		const session = new UserSession("test-user", [createStubSource("test", items)])
 
 		const result = await session.feed()
 
@@ -103,7 +108,7 @@ describe("UserSession.feed", () => {
 		const enhancer = async (feedItems: FeedItem[]) =>
 			feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		const result = await session.feed()
 
@@ -127,7 +132,7 @@ describe("UserSession.feed", () => {
 			return feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
 		}
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		const result1 = await session.feed()
 		expect(result1.items[0]!.data.enhanced).toBe(true)
@@ -162,7 +167,7 @@ describe("UserSession.feed", () => {
 			}))
 		}
 
-		const session = new UserSession([source], enhancer)
+		const session = new UserSession("test-user", [source], enhancer)
 
 		// First feed triggers refresh + enhancement
 		const result1 = await session.feed()
@@ -205,7 +210,7 @@ describe("UserSession.feed", () => {
 			throw new Error("enhancement exploded")
 		}
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		const result = await session.feed()
 
@@ -237,7 +242,7 @@ describe("UserSession.replaceSource", () => {
 		]
 
 		const sourceA = createStubSource("test", itemsA)
-		const session = new UserSession([sourceA])
+		const session = new UserSession("test-user", [sourceA])
 
 		const result1 = await session.feed()
 		expect(result1.items).toHaveLength(1)
@@ -253,7 +258,7 @@ describe("UserSession.replaceSource", () => {
 
 	test("getSource returns new source after replace", () => {
 		const sourceA = createStubSource("test")
-		const session = new UserSession([sourceA])
+		const session = new UserSession("test-user", [sourceA])
 
 		const sourceB = createStubSource("test")
 		session.replaceSource("test", sourceB)
@@ -263,7 +268,7 @@ describe("UserSession.replaceSource", () => {
 	})
 
 	test("throws when replacing a source that is not registered", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		expect(() => session.replaceSource("nonexistent", createStubSource("other"))).toThrow(
 			'Cannot replace source "nonexistent": not registered',
@@ -289,7 +294,7 @@ describe("UserSession.replaceSource", () => {
 				data: { from: "b" },
 			},
 		])
-		const session = new UserSession([sourceA, sourceB])
+		const session = new UserSession("test-user", [sourceA, sourceB])
 
 		const replacement = createStubSource("source-a", [
 			{
@@ -325,7 +330,7 @@ describe("UserSession.replaceSource", () => {
 			return feedItems.map((item) => ({ ...item, data: { ...item.data, enhanced: true } }))
 		}
 
-		const session = new UserSession([createStubSource("test", items)], enhancer)
+		const session = new UserSession("test-user", [createStubSource("test", items)], enhancer)
 
 		await session.feed()
 		expect(enhanceCount).toBe(1)
@@ -350,7 +355,10 @@ describe("UserSession.replaceSource", () => {
 
 describe("UserSession.removeSource", () => {
 	test("removes source from engine and sources map", () => {
-		const session = new UserSession([createStubSource("test-a"), createStubSource("test-b")])
+		const session = new UserSession("test-user", [
+			createStubSource("test-a"),
+			createStubSource("test-b"),
+		])
 
 		session.removeSource("test-a")
 
@@ -368,7 +376,7 @@ describe("UserSession.removeSource", () => {
 				data: {},
 			},
 		]
-		const session = new UserSession([createStubSource("test", items)])
+		const session = new UserSession("test-user", [createStubSource("test", items)])
 
 		const result1 = await session.feed()
 		expect(result1.items).toHaveLength(1)
@@ -380,9 +388,79 @@ describe("UserSession.removeSource", () => {
 	})
 
 	test("is a no-op for unknown source", () => {
-		const session = new UserSession([createStubSource("test")])
+		const session = new UserSession("test-user", [createStubSource("test")])
 
 		expect(() => session.removeSource("unknown")).not.toThrow()
 		expect(session.getSource("test")).toBeDefined()
 	})
 })
+
+describe("UserSession.refreshSource", () => {
+	test("replaces existing source via provider", async () => {
+		const itemsV1: FeedItem[] = [
+			{
+				id: "v1",
+				sourceId: "test",
+				type: "test",
+				timestamp: new Date(),
+				data: { version: 1 },
+			},
+		]
+		const itemsV2: FeedItem[] = [
+			{
+				id: "v2",
+				sourceId: "test",
+				type: "test",
+				timestamp: new Date(),
+				data: { version: 2 },
+			},
+		]
+
+		const session = new UserSession("test-user", [createStubSource("test", itemsV1)])
+
+		const provider: FeedSourceProvider = {
+			sourceId: "test",
+			async feedSourceForUser() {
+				return createStubSource("test", itemsV2)
+			},
+		}
+
+		await session.refreshSource(provider)
+
+		const result = await session.feed()
+		expect(result.items[0]!.data.version).toBe(2)
+	})
+
+	test("throws when source is not registered", async () => {
+		const session = new UserSession("test-user", [createStubSource("existing")])
+
+		const provider: FeedSourceProvider = {
+			sourceId: "new-source",
+			async feedSourceForUser() {
+				return createStubSource("new-source")
+			},
+		}
+
+		await expect(session.refreshSource(provider)).rejects.toThrow()
+	})
+
+	test("keeps existing source when provider fails", async () => {
+		const session = new UserSession("test-user", [createStubSource("test")])
+
+		const spy = spyOn(console, "error").mockImplementation(() => {})
+
+		const provider: FeedSourceProvider = {
+			sourceId: "test",
+			async feedSourceForUser() {
+				throw new Error("source disabled")
+			},
+		}
+
+		await session.refreshSource(provider)
+
+		expect(session.getSource("test")).toBeDefined()
+		expect(spy).toHaveBeenCalled()
+
+		spy.mockRestore()
+	})
+})

apps/aelis-backend/src/session/user-session.ts

@@ -1,8 +1,10 @@
 import { FeedEngine, type FeedItem, type FeedResult, type FeedSource } from "@aelis/core"
 
 import type { FeedEnhancer } from "../enhancement/enhance-feed.ts"
+import type { FeedSourceProvider } from "./feed-source-provider.ts"
 
 export class UserSession {
+	readonly userId: string
 	readonly engine: FeedEngine
 	private sources = new Map<string, FeedSource>()
 	private readonly enhancer: FeedEnhancer | null
@@ -12,7 +14,8 @@ export class UserSession {
 	private enhancingPromise: Promise<void> | null = null
 	private unsubscribe: (() => void) | null = null
 
-	constructor(sources: FeedSource[], enhancer?: FeedEnhancer | null) {
+	constructor(userId: string, sources: FeedSource[], enhancer?: FeedEnhancer | null) {
+		this.userId = userId
 		this.engine = new FeedEngine()
 		this.enhancer = enhancer ?? null
 		for (const source of sources) {
@@ -67,6 +70,27 @@ export class UserSession {
 		return this.sources.get(sourceId) as T | undefined
 	}
 
+	/**
+	 * Re-resolves a source from its provider using this session's userId.
+	 * The source must already be registered. Throws if it isn't.
+	 * If the provider fails, the existing source is kept.
+	 */
+	async refreshSource(provider: FeedSourceProvider): Promise<void> {
+		if (!this.sources.has(provider.sourceId)) {
+			throw new Error(`Cannot refresh source "${provider.sourceId}": not registered`)
+		}
+
+		try {
+			const newSource = await provider.feedSourceForUser(this.userId)
+			this.replaceSource(provider.sourceId, newSource)
+		} catch (err) {
+			console.error(
+				`[UserSession] refreshSource("${provider.sourceId}") failed for user ${this.userId}:`,
+				err,
+			)
+		}
+	}
+
 	/**
 	 * Replaces a source in the engine and invalidates all caches.
 	 * Stops and restarts the engine to re-establish reactive subscriptions.