Fix multiple issues

* Show a Logout button as necessary when credentials have gone stale.
* Make login/logout buttons more sensible sizes.
* Fix audiobook fulfillment with bearer tokens.
* Improve handling of audiobook fulfillment credentials in general.

Affects: https://ebce-lyrasis.atlassian.net/browse/PP-3614
Affects: https://ebce-lyrasis.atlassian.net/browse/PP-3641

Author: io7m

README-CHANGES.xml

@@ -1012,13 +1012,43 @@
         </c:change>
       </c:changes>
     </c:release>
-    <c:release date="2026-02-03T13:29:02+00:00" is-open="true" ticket-system="org.lyrasis.jira" version="1.25.0">
+    <c:release date="2026-02-04T15:44:37+00:00" is-open="true" ticket-system="org.lyrasis.jira" version="1.25.0">
       <c:changes>
-        <c:change date="2026-02-03T13:29:02+00:00" summary="Attempt to allow notifications on Android 10.">
+        <c:change date="2026-02-03T00:00:00+00:00" summary="Attempt to allow notifications on Android 10.">
           <c:tickets>
             <c:ticket id="PP-3631"/>
           </c:tickets>
         </c:change>
+        <c:change date="2026-01-26T00:00:00+00:00" summary="Large refactoring for SAML and credential expiration.">
+          <c:tickets>
+            <c:ticket id="PP-3495"/>
+          </c:tickets>
+        </c:change>
+        <c:change date="2026-01-27T00:00:00+00:00" summary="Fix a very unlikely crash when refreshing an OPDS feed after an error.">
+          <c:tickets>
+            <c:ticket id="PP-3576"/>
+          </c:tickets>
+        </c:change>
+        <c:change date="2026-01-28T00:00:00+00:00" summary="Update catalog language to change Reservations to Holds.">
+          <c:tickets>
+            <c:ticket id="PP-3581"/>
+          </c:tickets>
+        </c:change>
+        <c:change date="2026-01-30T00:00:00+00:00" summary="Correct a possible ANR.">
+          <c:tickets>
+            <c:ticket id="PP-3577"/>
+          </c:tickets>
+        </c:change>
+        <c:change date="2026-02-04T00:00:00+00:00" summary="Allow a Logout button when SAML credentials have expired.">
+          <c:tickets>
+            <c:ticket id="PP-3614"/>
+          </c:tickets>
+        </c:change>
+        <c:change date="2026-02-04T15:44:37+00:00" summary="Correct audiobook download failures.">
+          <c:tickets>
+            <c:ticket id="PP-3641"/>
+          </c:tickets>
+        </c:change>
       </c:changes>
     </c:release>
   </c:releases>

palace-books-audio/src/main/java/org/nypl/simplified/books/audio/AudioBookManifestRequest.kt

@@ -6,14 +6,14 @@ import org.librarysimplified.audiobook.license_check.spi.SingleLicenseCheckProvi
 import org.librarysimplified.audiobook.manifest.api.PlayerPalaceID
 import org.librarysimplified.audiobook.manifest_fulfill.api.ManifestFulfillmentStrategies
 import org.librarysimplified.audiobook.manifest_fulfill.api.ManifestFulfillmentStrategyRegistryType
+import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsType
 import org.librarysimplified.audiobook.manifest_fulfill.spi.ManifestFulfilled
 import org.librarysimplified.audiobook.manifest_parser.api.ManifestParsers
 import org.librarysimplified.audiobook.manifest_parser.api.ManifestParsersType
 import org.librarysimplified.audiobook.manifest_parser.extension_spi.ManifestParserExtensionType
 import org.librarysimplified.http.api.LSHTTPClientType
 import org.librarysimplified.http.api.LSHTTPProblemReportParserFactoryType
 import org.librarysimplified.services.api.ServiceDirectoryType
-import org.nypl.simplified.accounts.api.AccountAuthenticationCredentials
 import java.io.File
 import java.io.IOException
 import java.util.ServiceLoader
@@ -63,7 +63,7 @@ data class AudioBookManifestRequest(
    * The credentials used for license and manifest requests.
    */
 
-  val credentials: AccountAuthenticationCredentials?,
+  val credentials: ManifestFulfillmentCredentialsType?,
 
   /**
    * A service directory used to locate any required application services.

palace-books-audio/src/main/java/org/nypl/simplified/books/audio/AudioBookStrategy.kt

@@ -17,9 +17,10 @@ import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmen
 import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsToken
 import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsType
 import org.librarysimplified.audiobook.manifest_fulfill.opa.OPAManifestFulfillmentStrategyProviderType
-import org.librarysimplified.audiobook.manifest_fulfill.opa.OPAManifestURI
+import org.librarysimplified.audiobook.manifest_fulfill.opa.OPAManifestURI.Indirect
 import org.librarysimplified.audiobook.manifest_fulfill.opa.OPAParameters
 import org.librarysimplified.audiobook.manifest_fulfill.opa.OPAPassword
+import org.librarysimplified.audiobook.manifest_fulfill.opa.OPAPassword.Password
 import org.librarysimplified.audiobook.manifest_fulfill.spi.ManifestFulfilled
 import org.librarysimplified.audiobook.manifest_fulfill.spi.ManifestFulfillmentError
 import org.librarysimplified.audiobook.manifest_fulfill.spi.ManifestFulfillmentEvent
@@ -28,6 +29,8 @@ import org.librarysimplified.audiobook.manifest_parser.api.ManifestUnparsed
 import org.librarysimplified.audiobook.parser.api.ParseError
 import org.librarysimplified.audiobook.parser.api.ParseResult
 import org.librarysimplified.audiobook.parser.api.ParseWarning
+import org.librarysimplified.http.api.LSHTTPAuthorizationBasic
+import org.librarysimplified.http.api.LSHTTPAuthorizationBearerToken
 import org.librarysimplified.http.api.LSHTTPAuthorizationType
 import org.librarysimplified.http.api.LSHTTPClientType
 import org.librarysimplified.http.api.LSHTTPProblemReport
@@ -38,8 +41,6 @@ import org.librarysimplified.http.downloads.LSHTTPDownloadState.LSHTTPDownloadRe
 import org.librarysimplified.http.downloads.LSHTTPDownloadState.LSHTTPDownloadResult.DownloadFailed.DownloadFailedServer
 import org.librarysimplified.http.downloads.LSHTTPDownloadState.LSHTTPDownloadResult.DownloadFailed.DownloadFailedUnacceptableMIME
 import org.librarysimplified.http.downloads.LSHTTPDownloads
-import org.nypl.simplified.accounts.api.AccountAuthenticatedHTTP.createAuthorizationIfPresent
-import org.nypl.simplified.accounts.api.AccountAuthenticationCredentials
 import org.nypl.simplified.books.book_database.api.BookFormats
 import org.nypl.simplified.taskrecorder.api.TaskRecorder
 import org.nypl.simplified.taskrecorder.api.TaskRecorderType
@@ -192,7 +193,7 @@ class AudioBookStrategy(
 
     val httpRequest =
       this.request.httpClient.newRequest(target.target)
-        .setAuthorization(createAuthorizationIfPresent(this.request.credentials))
+        .setAuthorization(authorization = createAuthorization(this.request.credentials))
         .build()
 
     val temporaryFile =
@@ -282,6 +283,25 @@ class AudioBookStrategy(
     }
   }
 
+  private fun createAuthorization(
+    credentials: ManifestFulfillmentCredentialsType?
+  ): LSHTTPAuthorizationType? {
+    return when (credentials) {
+      is ManifestFulfillmentCredentialsBasic -> {
+        LSHTTPAuthorizationBasic.ofUsernamePassword(
+          userName = credentials.userName,
+          password = credentials.password
+        )
+      }
+      is ManifestFulfillmentCredentialsToken -> {
+        LSHTTPAuthorizationBearerToken.ofToken(
+          token = credentials.token
+        )
+      }
+      null -> null
+    }
+  }
+
   private fun recordProblemReport(
     report: LSHTTPProblemReport?
   ) {
@@ -296,38 +316,9 @@ class AudioBookStrategy(
   ): TaskResult<AudioBookManifestData> {
     this.taskRecorder.beginNewStep("Retrieving manifest via LCP license.")
 
-    val credentials: ManifestFulfillmentCredentialsType? =
-      when (val c = this.request.credentials) {
-        is AccountAuthenticationCredentials.Basic -> {
-          ManifestFulfillmentCredentialsBasic(
-            userName = c.userName.value,
-            password = c.password.value
-          )
-        }
-
-        is AccountAuthenticationCredentials.BasicToken -> {
-          ManifestFulfillmentCredentialsBasic(
-            userName = c.userName.value,
-            password = c.password.value
-          )
-        }
-
-        is AccountAuthenticationCredentials.OAuthWithIntermediary -> {
-          ManifestFulfillmentCredentialsToken(c.accessToken)
-        }
-
-        is AccountAuthenticationCredentials.SAML2_0 -> {
-          ManifestFulfillmentCredentialsToken(c.accessToken)
-        }
-
-        null -> {
-          null
-        }
-      }
-
     return when (val result = LCPDownloads.downloadManifestFromPublication(
       context = this.context,
-      credentials = credentials,
+      credentials = request.credentials,
       license = license,
       receiver = { event ->
         this.logger.debug("Downloading manifest event: {}", event)
@@ -486,59 +477,35 @@ class AudioBookStrategy(
 
       val parameters =
         when (val credentials = this.request.credentials) {
-          is AccountAuthenticationCredentials.Basic -> {
-            val password = credentials.password.value
-            val opaPassword = if (password.isBlank()) {
-              OPAPassword.NotRequired
-            } else {
-              OPAPassword.Password(password)
-            }
-
-            OPAParameters(
-              userName = credentials.userName.value,
-              password = opaPassword,
-              clientKey = secretService.clientKey.orEmpty(),
-              clientPass = secretService.clientPass.orEmpty(),
-              targetURI = OPAManifestURI.Indirect(targetURI),
-              userAgent = this.request.userAgent
+          null -> {
+            throw UnsupportedOperationException(
+              "Credentials are required for Overdrive fulfillment"
             )
           }
 
-          is AccountAuthenticationCredentials.BasicToken -> {
-            val password = credentials.password.value
+          is ManifestFulfillmentCredentialsBasic -> {
+            val password = credentials.password
             val opaPassword = if (password.isBlank()) {
               OPAPassword.NotRequired
             } else {
-              OPAPassword.Password(password)
+              Password(password)
             }
 
             OPAParameters(
-              userName = credentials.userName.value,
+              userName = credentials.userName,
               password = opaPassword,
               clientKey = secretService.clientKey.orEmpty(),
               clientPass = secretService.clientPass.orEmpty(),
-              targetURI = OPAManifestURI.Indirect(targetURI),
+              targetURI = Indirect(targetURI),
               userAgent = this.request.userAgent
             )
           }
 
-          is AccountAuthenticationCredentials.OAuthWithIntermediary -> {
-            throw UnsupportedOperationException(
-              "Can't use bearer tokens for Overdrive fulfillment"
-            )
-          }
-
-          is AccountAuthenticationCredentials.SAML2_0 -> {
+          is ManifestFulfillmentCredentialsToken -> {
             throw UnsupportedOperationException(
               "Can't use bearer tokens for Overdrive fulfillment"
             )
           }
-
-          null -> {
-            throw UnsupportedOperationException(
-              "Credentials are required for Overdrive fulfillment"
-            )
-          }
         }
 
       strategies.create(parameters)
@@ -553,31 +520,7 @@ class AudioBookStrategy(
       val parameters =
         ManifestFulfillmentBasicParameters(
           uri = targetURI,
-          credentials = when (val c = this.request.credentials) {
-            is AccountAuthenticationCredentials.Basic -> {
-              ManifestFulfillmentCredentialsBasic(
-                userName = c.userName.value,
-                password = c.password.value
-              )
-            }
-
-            is AccountAuthenticationCredentials.BasicToken -> {
-              ManifestFulfillmentCredentialsBasic(
-                userName = c.userName.value,
-                password = c.password.value
-              )
-            }
-
-            is AccountAuthenticationCredentials.OAuthWithIntermediary -> {
-              ManifestFulfillmentCredentialsToken(c.accessToken)
-            }
-
-            is AccountAuthenticationCredentials.SAML2_0 -> {
-              ManifestFulfillmentCredentialsToken(c.accessToken)
-            }
-
-            null -> null
-          },
+          credentials = this.request.credentials,
           httpClient = this.request.services.requireService(LSHTTPClientType::class.java),
           userAgent = this.request.userAgent
         )

palace-books-borrowing/src/main/java/org/nypl/simplified/books/borrowing/BorrowContextType.kt

@@ -2,6 +2,9 @@ package org.nypl.simplified.books.borrowing
 
 import android.app.Application
 import org.joda.time.Instant
+import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsBasic
+import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsToken
+import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsType
 import org.librarysimplified.http.api.LSHTTPClientType
 import org.librarysimplified.services.api.ServiceDirectoryType
 import org.nypl.drm.core.AdobeAdeptExecutorType
@@ -303,6 +306,7 @@ interface BorrowContextType {
       BorrowSubtaskCredentials.UseAccountCredentials -> {
         this.account.loginState.credentials
       }
+
       is BorrowSubtaskCredentials.UseBearerToken -> {
         this.taskRecorder.currentStepFailed(
           message = "A previous subtask required the use of a bearer token, but those cannot be used for this subtask.",
@@ -314,6 +318,44 @@ interface BorrowContextType {
     }
   }
 
+  /**
+   * Equivalent to [takeSubtaskCredentials] but the result is transformed into a form useful
+   * for fulfilling audiobook manifests and licenses.
+   */
+
+  fun takeSubtaskCredentialsForAudiobook(): ManifestFulfillmentCredentialsType? {
+    return when (val c = this.takeSubtaskCredentials()) {
+      BorrowSubtaskCredentials.UseAccountCredentials -> {
+        when (val ac = this.account.loginState.credentials) {
+          is AccountAuthenticationCredentials.Basic -> {
+            ManifestFulfillmentCredentialsBasic(
+              userName = ac.userName.value,
+              password = ac.password.value
+            )
+          }
+
+          is AccountAuthenticationCredentials.BasicToken -> {
+            ManifestFulfillmentCredentialsToken(ac.authenticationTokenInfo.accessToken)
+          }
+
+          is AccountAuthenticationCredentials.OAuthWithIntermediary -> {
+            throw UnsupportedOperationException("No OAuth audiobook support.")
+          }
+
+          is AccountAuthenticationCredentials.SAML2_0 -> {
+            ManifestFulfillmentCredentialsToken(ac.accessToken)
+          }
+
+          null -> null
+        }
+      }
+
+      is BorrowSubtaskCredentials.UseBearerToken -> {
+        ManifestFulfillmentCredentialsToken(c.token)
+      }
+    }
+  }
+
   /**
    * Information about the current SAML download, if one is in progress.
    */

palace-books-borrowing/src/main/java/org/nypl/simplified/books/borrowing/internal/BorrowAudioBook.kt

@@ -5,6 +5,7 @@ import one.irradia.mime.api.MIMECompatibility
 import one.irradia.mime.api.MIMEType
 import org.librarysimplified.audiobook.api.PlayerUserAgent
 import org.librarysimplified.audiobook.manifest.api.PlayerPalaceID
+import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsType
 import org.nypl.simplified.accounts.api.AccountReadableType
 import org.nypl.simplified.books.audio.AudioBookLink
 import org.nypl.simplified.books.audio.AudioBookManifestRequest
@@ -87,8 +88,8 @@ class BorrowAudioBook private constructor() : BorrowSubtaskType {
   ): DownloadedManifest {
     context.taskRecorder.beginNewStep("Executing audio book manifest strategy...")
 
-    val credentials =
-      context.takeSubtaskCredentialsRequiringAccount()
+    val credentials: ManifestFulfillmentCredentialsType? =
+      context.takeSubtaskCredentialsForAudiobook()
 
     val strategy =
       context.audioBookManifestStrategies.createStrategy(

palace-books-borrowing/src/main/java/org/nypl/simplified/books/borrowing/internal/BorrowLCPAudiobook.kt

@@ -5,6 +5,7 @@ import one.irradia.mime.api.MIMECompatibility
 import one.irradia.mime.api.MIMEType
 import org.librarysimplified.audiobook.api.PlayerUserAgent
 import org.librarysimplified.audiobook.manifest.api.PlayerPalaceID
+import org.librarysimplified.audiobook.manifest_fulfill.basic.ManifestFulfillmentCredentialsType
 import org.nypl.simplified.accounts.api.AccountReadableType
 import org.nypl.simplified.books.api.BookDRMKind
 import org.nypl.simplified.books.audio.AudioBookLink
@@ -83,13 +84,16 @@ class BorrowLCPAudiobook : BorrowSubtaskType {
   ): DownloadedManifest {
     context.taskRecorder.beginNewStep("Executing audio book manifest strategy...")
 
+    val credentials: ManifestFulfillmentCredentialsType? =
+      context.takeSubtaskCredentialsForAudiobook()
+
     val strategy =
       context.audioBookManifestStrategies.createStrategy(
         context = context.application,
         AudioBookManifestRequest(
           cacheDirectory = context.cacheDirectory(),
           contentType = context.currentAcquisitionPathElement.mimeType,
-          credentials = context.account.loginState.credentials,
+          credentials = credentials,
           httpClient = context.httpClient,
           services = context.services,
           target = AudioBookLink.License(context.currentURICheck()),

palace-books-controller/src/main/java/org/nypl/simplified/books/controller/ProfileAccountLoginTask.kt

@@ -227,7 +227,12 @@ class ProfileAccountLoginTask(
     return when (val loginState = this.account.loginState) {
       is AccountLoggingIn,
       is AccountLoggingInWaitingForExternalAuthentication -> {
-        this.account.setLoginState(AccountNotLoggedIn(loginState.credentials))
+        val previous = loginState.previousCredentials
+        if (previous != null) {
+          this.account.setLoginState(AccountLoggedInStaleCredentials(credentials = previous))
+        } else {
+          this.account.setLoginState(AccountNotLoggedIn(loginState.credentials))
+        }
         this.steps.finishSuccess(Unit)
       }