@oxyhq/auth 1.1.3 → 1.1.4

package/dist/cjs/WebOxyProvider.js

@@ -49,6 +49,8 @@ function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChange, onEr
     // Multi-session management is handled by @oxyhq/services (OxyContext) for RN apps.
     const sessions = [];
     const isAuthenticated = !!user;
+    // Mutex: prevents concurrent sign-in attempts (FedCM + popup + redirect)
+    const signingInRef = (0, react_1.useRef)(false);
     const handleAuthSuccess = (0, react_1.useCallback)(async (session, method = 'credentials') => {
         await authManager.handleAuthSuccess(session, method);
         if (session.sessionId) {
@@ -127,6 +129,9 @@ function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChange, onEr
         onAuthStateChange?.(user);
     }, [user, onAuthStateChange]);
     const signIn = (0, react_1.useCallback)(async () => {
+        if (signingInRef.current)
+            return;
+        signingInRef.current = true;
         setError(null);
         setIsLoading(true);
         let selectedMethod = 'popup';
@@ -147,8 +152,14 @@ function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChange, onEr
         catch (err) {
             handleAuthError(err);
         }
+        finally {
+            signingInRef.current = false;
+        }
     }, [crossDomainAuth, preferredAuthMethod, handleAuthSuccess, handleAuthError]);
     const signInWithFedCM = (0, react_1.useCallback)(async () => {
+        if (signingInRef.current)
+            return;
+        signingInRef.current = true;
         setError(null);
         setIsLoading(true);
         try {
@@ -158,8 +169,14 @@ function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChange, onEr
         catch (err) {
             handleAuthError(err);
         }
+        finally {
+            signingInRef.current = false;
+        }
     }, [crossDomainAuth, handleAuthSuccess, handleAuthError]);
     const signInWithPopup = (0, react_1.useCallback)(async () => {
+        if (signingInRef.current)
+            return;
+        signingInRef.current = true;
         setError(null);
         setIsLoading(true);
         try {
@@ -169,6 +186,9 @@ function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChange, onEr
         catch (err) {
             handleAuthError(err);
         }
+        finally {
+            signingInRef.current = false;
+        }
     }, [crossDomainAuth, handleAuthSuccess, handleAuthError]);
     const signInWithRedirect = (0, react_1.useCallback)(() => {
         setError(null);

package/dist/cjs/hooks/mutations/useAccountMutations.js

@@ -2,12 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.useUploadFile = exports.useUpdatePrivacySettings = exports.useUpdateAccountSettings = exports.useUploadAvatar = exports.useUpdateProfile = void 0;
 const react_query_1 = require("@tanstack/react-query");
+const core_1 = require("@oxyhq/core");
 const queryKeys_1 = require("../queries/queryKeys");
 const WebOxyProvider_1 = require("../../WebOxyProvider");
 const sonner_1 = require("sonner");
 const avatarUtils_1 = require("../../utils/avatarUtils");
 const authStore_1 = require("../../stores/authStore");
-const authHelpers_1 = require("../../utils/authHelpers");
 /**
  * Update user profile with optimistic updates and offline queue support
  */
@@ -16,7 +16,7 @@ const useUpdateProfile = () => {
     const queryClient = (0, react_query_1.useQueryClient)();
     return (0, react_query_1.useMutation)({
         mutationFn: async (updates) => {
-            return (0, authHelpers_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.updateProfile(updates));
+            return (0, core_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.updateProfile(updates));
         },
         // Optimistic update
         onMutate: async (updates) => {
@@ -78,7 +78,7 @@ const useUploadAvatar = () => {
     const queryClient = (0, react_query_1.useQueryClient)();
     return (0, react_query_1.useMutation)({
         mutationFn: async (file) => {
-            return (0, authHelpers_1.authenticatedApiCall)(oxyServices, activeSessionId, async () => {
+            return (0, core_1.authenticatedApiCall)(oxyServices, activeSessionId, async () => {
                 // Upload file first
                 const uploadResult = await oxyServices.assetUpload(file, 'public');
                 const fileId = uploadResult?.file?.id || uploadResult?.id || uploadResult;
@@ -188,7 +188,7 @@ const useUpdatePrivacySettings = () => {
             if (!targetUserId) {
                 throw new Error('User ID is required');
             }
-            return (0, authHelpers_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.updatePrivacySettings(settings, targetUserId));
+            return (0, core_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.updatePrivacySettings(settings, targetUserId));
         },
         // Optimistic update
         onMutate: async ({ settings, userId }) => {
@@ -268,7 +268,7 @@ const useUploadFile = () => {
     const { oxyServices, activeSessionId } = (0, WebOxyProvider_1.useWebOxy)();
     return (0, react_query_1.useMutation)({
         mutationFn: async ({ file, visibility, metadata, onProgress }) => {
-            return (0, authHelpers_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.assetUpload(file, visibility, metadata, onProgress));
+            return (0, core_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.assetUpload(file, visibility, metadata, onProgress));
         },
     });
 };

package/dist/cjs/hooks/queries/useAccountQueries.js

@@ -2,9 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.usePrivacySettings = exports.useUsersBySessions = exports.useUserByUsername = exports.useUserById = exports.useCurrentUser = exports.useUserProfiles = exports.useUserProfile = void 0;
 const react_query_1 = require("@tanstack/react-query");
+const core_1 = require("@oxyhq/core");
 const queryKeys_1 = require("./queryKeys");
 const WebOxyProvider_1 = require("../../WebOxyProvider");
-const authHelpers_1 = require("../../utils/authHelpers");
 /**
  * Get user profile by session ID
  */
@@ -131,7 +131,7 @@ const usePrivacySettings = (userId, options) => {
             if (!targetUserId) {
                 throw new Error('User ID is required');
             }
-            return (0, authHelpers_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.getPrivacySettings(targetUserId));
+            return (0, core_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.getPrivacySettings(targetUserId));
         },
         enabled: (options?.enabled !== false) && !!targetUserId,
         staleTime: 2 * 60 * 1000, // 2 minutes

package/dist/cjs/hooks/queries/useServicesQueries.js

@@ -2,10 +2,10 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.useSecurityInfo = exports.useUserDevices = exports.useDeviceSessions = exports.useSession = exports.useSessions = void 0;
 const react_query_1 = require("@tanstack/react-query");
+const core_1 = require("@oxyhq/core");
 const queryKeys_1 = require("./queryKeys");
 const WebOxyProvider_1 = require("../../WebOxyProvider");
 const sessionHelpers_1 = require("../../utils/sessionHelpers");
-const authHelpers_1 = require("../../utils/authHelpers");
 /**
  * Get all active sessions for the current user
  */
@@ -87,7 +87,7 @@ const useUserDevices = (options) => {
     return (0, react_query_1.useQuery)({
         queryKey: queryKeys_1.queryKeys.devices.list(),
         queryFn: async () => {
-            return (0, authHelpers_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.getUserDevices());
+            return (0, core_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.getUserDevices());
         },
         enabled: (options?.enabled !== false) && isAuthenticated,
         staleTime: 5 * 60 * 1000,

package/dist/cjs/index.js

@@ -24,8 +24,8 @@
  * ```
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.withAuthErrorHandling = exports.ensureValidToken = exports.useFileFiltering = exports.useFollowerCounts = exports.useFollow = exports.setOxyFileUrlInstance = exports.useFileDownloadUrl = exports.setOxyAssetInstance = exports.useAssets = exports.useSessionSocket = exports.createGenericMutation = exports.createProfileMutation = exports.useRemoveDevice = exports.useUpdateDeviceName = exports.useLogoutAll = exports.useLogoutSession = exports.useSwitchSession = exports.useUploadFile = exports.useUpdatePrivacySettings = exports.useUpdateAccountSettings = exports.useUploadAvatar = exports.useUpdateProfile = exports.useRecentSecurityActivity = exports.useSecurityActivity = exports.useSecurityInfo = exports.useUserDevices = exports.useDeviceSessions = exports.useSession = exports.useSessions = exports.usePrivacySettings = exports.useUsersBySessions = exports.useUserByUsername = exports.useUserById = exports.useCurrentUser = exports.useUserProfiles = exports.useUserProfile = exports.useIsAssetLinked = exports.useAssetUsageCount = exports.useAssetsByEntity = exports.useAssetsByApp = exports.useAssetErrors = exports.useAssetLoading = exports.useUploadProgress = exports.useAsset = exports.useAssetsStore = exports.useAssetStore = exports.useAuthStore = exports.useAuth = exports.useWebOxy = exports.WebOxyProvider = void 0;
-exports.createCrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.CrossDomainAuth = exports.OxyServices = exports.extractErrorMessage = exports.isTimeoutOrNetworkError = exports.isInvalidSessionError = exports.handleAuthError = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.isAuthenticationError = exports.authenticatedApiCall = void 0;
+exports.isInvalidSessionError = exports.handleAuthError = exports.useFileFiltering = exports.useFollowerCounts = exports.useFollow = exports.setOxyFileUrlInstance = exports.useFileDownloadUrl = exports.setOxyAssetInstance = exports.useAssets = exports.useSessionSocket = exports.createGenericMutation = exports.createProfileMutation = exports.useRemoveDevice = exports.useUpdateDeviceName = exports.useLogoutAll = exports.useLogoutSession = exports.useSwitchSession = exports.useUploadFile = exports.useUpdatePrivacySettings = exports.useUpdateAccountSettings = exports.useUploadAvatar = exports.useUpdateProfile = exports.useRecentSecurityActivity = exports.useSecurityActivity = exports.useSecurityInfo = exports.useUserDevices = exports.useDeviceSessions = exports.useSession = exports.useSessions = exports.usePrivacySettings = exports.useUsersBySessions = exports.useUserByUsername = exports.useUserById = exports.useCurrentUser = exports.useUserProfiles = exports.useUserProfile = exports.useIsAssetLinked = exports.useAssetUsageCount = exports.useAssetsByEntity = exports.useAssetsByApp = exports.useAssetErrors = exports.useAssetLoading = exports.useUploadProgress = exports.useAsset = exports.useAssetsStore = exports.useAssetStore = exports.useAuthStore = exports.useAuth = exports.useWebOxy = exports.WebOxyProvider = void 0;
+exports.extractErrorMessage = exports.isTimeoutOrNetworkError = void 0;
 // --- Provider & Hooks ---
 var WebOxyProvider_1 = require("./WebOxyProvider");
 Object.defineProperty(exports, "WebOxyProvider", { enumerable: true, get: function () { return WebOxyProvider_1.WebOxyProvider; } });
@@ -90,26 +90,11 @@ Object.defineProperty(exports, "useFollow", { enumerable: true, get: function ()
 Object.defineProperty(exports, "useFollowerCounts", { enumerable: true, get: function () { return useFollow_1.useFollowerCounts; } });
 var useFileFiltering_1 = require("./hooks/useFileFiltering");
 Object.defineProperty(exports, "useFileFiltering", { enumerable: true, get: function () { return useFileFiltering_1.useFileFiltering; } });
-// --- Auth Helpers ---
-var authHelpers_1 = require("./utils/authHelpers");
-Object.defineProperty(exports, "ensureValidToken", { enumerable: true, get: function () { return authHelpers_1.ensureValidToken; } });
-Object.defineProperty(exports, "withAuthErrorHandling", { enumerable: true, get: function () { return authHelpers_1.withAuthErrorHandling; } });
-Object.defineProperty(exports, "authenticatedApiCall", { enumerable: true, get: function () { return authHelpers_1.authenticatedApiCall; } });
-Object.defineProperty(exports, "isAuthenticationError", { enumerable: true, get: function () { return authHelpers_1.isAuthenticationError; } });
-Object.defineProperty(exports, "SessionSyncRequiredError", { enumerable: true, get: function () { return authHelpers_1.SessionSyncRequiredError; } });
-Object.defineProperty(exports, "AuthenticationFailedError", { enumerable: true, get: function () { return authHelpers_1.AuthenticationFailedError; } });
 // --- Error Handlers ---
 var errorHandlers_1 = require("./utils/errorHandlers");
 Object.defineProperty(exports, "handleAuthError", { enumerable: true, get: function () { return errorHandlers_1.handleAuthError; } });
 Object.defineProperty(exports, "isInvalidSessionError", { enumerable: true, get: function () { return errorHandlers_1.isInvalidSessionError; } });
 Object.defineProperty(exports, "isTimeoutOrNetworkError", { enumerable: true, get: function () { return errorHandlers_1.isTimeoutOrNetworkError; } });
 Object.defineProperty(exports, "extractErrorMessage", { enumerable: true, get: function () { return errorHandlers_1.extractErrorMessage; } });
-// Re-export core for convenience
-var core_1 = require("@oxyhq/core");
-Object.defineProperty(exports, "OxyServices", { enumerable: true, get: function () { return core_1.OxyServices; } });
-Object.defineProperty(exports, "CrossDomainAuth", { enumerable: true, get: function () { return core_1.CrossDomainAuth; } });
-Object.defineProperty(exports, "AuthManager", { enumerable: true, get: function () { return core_1.AuthManager; } });
-Object.defineProperty(exports, "createAuthManager", { enumerable: true, get: function () { return core_1.createAuthManager; } });
-Object.defineProperty(exports, "createCrossDomainAuth", { enumerable: true, get: function () { return core_1.createCrossDomainAuth; } });
 const WebOxyProvider_2 = require("./WebOxyProvider");
 exports.default = WebOxyProvider_2.WebOxyProvider;

package/dist/cjs/utils/avatarUtils.js

@@ -3,10 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.updateAvatarVisibility = updateAvatarVisibility;
 exports.refreshAvatarInStore = refreshAvatarInStore;
 exports.updateProfileWithAvatar = updateProfileWithAvatar;
+const core_1 = require("@oxyhq/core");
 const accountStore_1 = require("../stores/accountStore");
 const authStore_1 = require("../stores/authStore");
 const queryKeys_1 = require("../hooks/queries/queryKeys");
-const authHelpers_1 = require("./authHelpers");
 /**
  * Updates file visibility to public for avatar use.
  * Handles errors gracefully, only logging non-404 errors.
@@ -58,7 +58,7 @@ function refreshAvatarInStore(sessionId, avatarFileId, oxyServices) {
  * @returns Promise that resolves with updated user data
  */
 async function updateProfileWithAvatar(updates, oxyServices, activeSessionId, queryClient, syncSession) {
-    const data = await (0, authHelpers_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.updateProfile(updates), syncSession);
+    const data = await (0, core_1.authenticatedApiCall)(oxyServices, activeSessionId, () => oxyServices.updateProfile(updates), syncSession);
     // Update cache with server response
     queryClient.setQueryData(queryKeys_1.queryKeys.accounts.current(), data);
     if (activeSessionId) {

package/dist/esm/WebOxyProvider.js

@@ -6,7 +6,7 @@ import { jsx as _jsx } from "react/jsx-runtime";
  * Provides FedCM, popup, and redirect authentication methods.
  * Uses centralized AuthManager for token and session management.
  */
-import { createContext, useCallback, useContext, useEffect, useMemo, useState, } from 'react';
+import { createContext, useCallback, useContext, useEffect, useMemo, useRef, useState, } from 'react';
 import { OxyServices, CrossDomainAuth, createAuthManager, } from '@oxyhq/core';
 import { QueryClientProvider } from '@tanstack/react-query';
 import { createQueryClient } from './hooks/queryClient';
@@ -44,6 +44,8 @@ export function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChang
     // Multi-session management is handled by @oxyhq/services (OxyContext) for RN apps.
     const sessions = [];
     const isAuthenticated = !!user;
+    // Mutex: prevents concurrent sign-in attempts (FedCM + popup + redirect)
+    const signingInRef = useRef(false);
     const handleAuthSuccess = useCallback(async (session, method = 'credentials') => {
         await authManager.handleAuthSuccess(session, method);
         if (session.sessionId) {
@@ -122,6 +124,9 @@ export function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChang
         onAuthStateChange?.(user);
     }, [user, onAuthStateChange]);
     const signIn = useCallback(async () => {
+        if (signingInRef.current)
+            return;
+        signingInRef.current = true;
         setError(null);
         setIsLoading(true);
         let selectedMethod = 'popup';
@@ -142,8 +147,14 @@ export function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChang
         catch (err) {
             handleAuthError(err);
         }
+        finally {
+            signingInRef.current = false;
+        }
     }, [crossDomainAuth, preferredAuthMethod, handleAuthSuccess, handleAuthError]);
     const signInWithFedCM = useCallback(async () => {
+        if (signingInRef.current)
+            return;
+        signingInRef.current = true;
         setError(null);
         setIsLoading(true);
         try {
@@ -153,8 +164,14 @@ export function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChang
         catch (err) {
             handleAuthError(err);
         }
+        finally {
+            signingInRef.current = false;
+        }
     }, [crossDomainAuth, handleAuthSuccess, handleAuthError]);
     const signInWithPopup = useCallback(async () => {
+        if (signingInRef.current)
+            return;
+        signingInRef.current = true;
         setError(null);
         setIsLoading(true);
         try {
@@ -164,6 +181,9 @@ export function WebOxyProvider({ children, baseURL, authWebUrl, onAuthStateChang
         catch (err) {
             handleAuthError(err);
         }
+        finally {
+            signingInRef.current = false;
+        }
     }, [crossDomainAuth, handleAuthSuccess, handleAuthError]);
     const signInWithRedirect = useCallback(() => {
         setError(null);

package/dist/esm/hooks/mutations/useAccountMutations.js

@@ -1,10 +1,10 @@
 import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
 import { queryKeys, invalidateAccountQueries, invalidateUserQueries } from '../queries/queryKeys';
 import { useWebOxy } from '../../WebOxyProvider';
 import { toast } from 'sonner';
 import { refreshAvatarInStore } from '../../utils/avatarUtils';
 import { useAuthStore } from '../../stores/authStore';
-import { authenticatedApiCall } from '../../utils/authHelpers';
 /**
  * Update user profile with optimistic updates and offline queue support
  */

package/dist/esm/hooks/queries/useAccountQueries.js

@@ -1,7 +1,7 @@
 import { useQuery, useQueries } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
 import { queryKeys } from './queryKeys';
 import { useWebOxy } from '../../WebOxyProvider';
-import { authenticatedApiCall } from '../../utils/authHelpers';
 /**
  * Get user profile by session ID
  */

package/dist/esm/hooks/queries/useServicesQueries.js

@@ -1,8 +1,8 @@
 import { useQuery } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
 import { queryKeys } from './queryKeys';
 import { useWebOxy } from '../../WebOxyProvider';
 import { fetchSessionsWithFallback, mapSessionsToClient } from '../../utils/sessionHelpers';
-import { authenticatedApiCall } from '../../utils/authHelpers';
 /**
  * Get all active sessions for the current user
  */

package/dist/esm/index.js

@@ -38,11 +38,7 @@ export { useAssets, setOxyAssetInstance } from './hooks/useAssets';
 export { useFileDownloadUrl, setOxyFileUrlInstance } from './hooks/useFileDownloadUrl';
 export { useFollow, useFollowerCounts } from './hooks/useFollow';
 export { useFileFiltering } from './hooks/useFileFiltering';
-// --- Auth Helpers ---
-export { ensureValidToken, withAuthErrorHandling, authenticatedApiCall, isAuthenticationError, SessionSyncRequiredError, AuthenticationFailedError, } from './utils/authHelpers';
 // --- Error Handlers ---
 export { handleAuthError, isInvalidSessionError, isTimeoutOrNetworkError, extractErrorMessage, } from './utils/errorHandlers';
-// Re-export core for convenience
-export { OxyServices, CrossDomainAuth, AuthManager, createAuthManager, createCrossDomainAuth, } from '@oxyhq/core';
 import { WebOxyProvider as _WebOxyProvider } from './WebOxyProvider';
 export default _WebOxyProvider;

package/dist/esm/utils/avatarUtils.js

@@ -1,7 +1,7 @@
+import { authenticatedApiCall } from '@oxyhq/core';
 import { useAccountStore } from '../stores/accountStore';
 import { useAuthStore } from '../stores/authStore';
 import { queryKeys, invalidateUserQueries, invalidateAccountQueries } from '../hooks/queries/queryKeys';
-import { authenticatedApiCall } from './authHelpers';
 /**
  * Updates file visibility to public for avatar use.
  * Handles errors gracefully, only logging non-404 errors.

package/dist/types/index.d.ts

@@ -36,11 +36,7 @@ export { useFileDownloadUrl, setOxyFileUrlInstance } from './hooks/useFileDownlo
 export { useFollow, useFollowerCounts } from './hooks/useFollow';
 export { useFileFiltering } from './hooks/useFileFiltering';
 export type { ViewMode, SortBy, SortOrder } from './hooks/useFileFiltering';
-export { ensureValidToken, withAuthErrorHandling, authenticatedApiCall, isAuthenticationError, SessionSyncRequiredError, AuthenticationFailedError, } from './utils/authHelpers';
-export type { HandleApiErrorOptions } from './utils/authHelpers';
 export { handleAuthError, isInvalidSessionError, isTimeoutOrNetworkError, extractErrorMessage, } from './utils/errorHandlers';
 export type { HandleAuthErrorOptions } from './utils/errorHandlers';
-export { OxyServices, CrossDomainAuth, AuthManager, createAuthManager, createCrossDomainAuth, } from '@oxyhq/core';
-export type { User, LoginResponse, ApiError, SessionLoginResponse, ClientSession, MinimalUserData, OxyConfig, StorageAdapter, AuthStateChangeCallback, AuthMethod, AuthManagerConfig, CrossDomainAuthOptions, } from '@oxyhq/core';
 import { WebOxyProvider as _WebOxyProvider } from './WebOxyProvider';
 export default _WebOxyProvider;

package/dist/types/utils/avatarUtils.d.ts

@@ -1,5 +1,4 @@
-import type { OxyServices } from '@oxyhq/core';
-import type { User } from '@oxyhq/core';
+import type { OxyServices, User } from '@oxyhq/core';
 import { QueryClient } from '@tanstack/react-query';
 /**
  * Updates file visibility to public for avatar use.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/auth",
-  "version": "1.1.3",
+  "version": "1.1.4",
   "description": "OxyHQ Web Authentication SDK — headless auth with React hooks for Next.js, Vite, and web apps",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/WebOxyProvider.tsx

@@ -12,6 +12,7 @@ import {
   useContext,
   useEffect,
   useMemo,
+  useRef,
   useState,
   type ReactNode,
 } from 'react';
@@ -112,6 +113,9 @@ export function WebOxyProvider({
 
   const isAuthenticated = !!user;
 
+  // Mutex: prevents concurrent sign-in attempts (FedCM + popup + redirect)
+  const signingInRef = useRef(false);
+
   const handleAuthSuccess = useCallback(async (
     session: SessionLoginResponse,
     method: 'fedcm' | 'popup' | 'redirect' | 'credentials' = 'credentials'
@@ -201,6 +205,8 @@ export function WebOxyProvider({
   }, [user, onAuthStateChange]);
 
   const signIn = useCallback(async () => {
+    if (signingInRef.current) return;
+    signingInRef.current = true;
     setError(null);
     setIsLoading(true);
 
@@ -221,10 +227,14 @@ export function WebOxyProvider({
       }
     } catch (err) {
       handleAuthError(err);
+    } finally {
+      signingInRef.current = false;
     }
   }, [crossDomainAuth, preferredAuthMethod, handleAuthSuccess, handleAuthError]);
 
   const signInWithFedCM = useCallback(async () => {
+    if (signingInRef.current) return;
+    signingInRef.current = true;
     setError(null);
     setIsLoading(true);
     try {
@@ -232,10 +242,14 @@ export function WebOxyProvider({
       await handleAuthSuccess(session, 'fedcm');
     } catch (err) {
       handleAuthError(err);
+    } finally {
+      signingInRef.current = false;
     }
   }, [crossDomainAuth, handleAuthSuccess, handleAuthError]);
 
   const signInWithPopup = useCallback(async () => {
+    if (signingInRef.current) return;
+    signingInRef.current = true;
     setError(null);
     setIsLoading(true);
     try {
@@ -243,6 +257,8 @@ export function WebOxyProvider({
       await handleAuthSuccess(session, 'popup');
     } catch (err) {
       handleAuthError(err);
+    } finally {
+      signingInRef.current = false;
     }
   }, [crossDomainAuth, handleAuthSuccess, handleAuthError]);
 

package/src/hooks/mutations/useAccountMutations.ts

@@ -1,11 +1,11 @@
 import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
 import type { User } from '@oxyhq/core';
 import { queryKeys, invalidateAccountQueries, invalidateUserQueries } from '../queries/queryKeys';
 import { useWebOxy } from '../../WebOxyProvider';
 import { toast } from 'sonner';
 import { refreshAvatarInStore } from '../../utils/avatarUtils';
 import { useAuthStore } from '../../stores/authStore';
-import { authenticatedApiCall } from '../../utils/authHelpers';
 
 /**
  * Update user profile with optimistic updates and offline queue support

package/src/hooks/queries/useAccountQueries.ts

@@ -1,8 +1,8 @@
 import { useQuery, useQueries } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
 import type { User } from '@oxyhq/core';
 import { queryKeys } from './queryKeys';
 import { useWebOxy } from '../../WebOxyProvider';
-import { authenticatedApiCall } from '../../utils/authHelpers';
 
 /**
  * Get user profile by session ID

package/src/hooks/queries/useServicesQueries.ts

@@ -1,9 +1,9 @@
 import { useQuery } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
 import type { ClientSession } from '@oxyhq/core';
 import { queryKeys } from './queryKeys';
 import { useWebOxy } from '../../WebOxyProvider';
 import { fetchSessionsWithFallback, mapSessionsToClient } from '../../utils/sessionHelpers';
-import { authenticatedApiCall } from '../../utils/authHelpers';
 
 /**
  * Get all active sessions for the current user

package/src/index.ts

@@ -96,17 +96,6 @@ export { useFollow, useFollowerCounts } from './hooks/useFollow';
 export { useFileFiltering } from './hooks/useFileFiltering';
 export type { ViewMode, SortBy, SortOrder } from './hooks/useFileFiltering';
 
-// --- Auth Helpers ---
-export {
-  ensureValidToken,
-  withAuthErrorHandling,
-  authenticatedApiCall,
-  isAuthenticationError,
-  SessionSyncRequiredError,
-  AuthenticationFailedError,
-} from './utils/authHelpers';
-export type { HandleApiErrorOptions } from './utils/authHelpers';
-
 // --- Error Handlers ---
 export {
   handleAuthError,
@@ -116,29 +105,5 @@ export {
 } from './utils/errorHandlers';
 export type { HandleAuthErrorOptions } from './utils/errorHandlers';
 
-// Re-export core for convenience
-export {
-  OxyServices,
-  CrossDomainAuth,
-  AuthManager,
-  createAuthManager,
-  createCrossDomainAuth,
-} from '@oxyhq/core';
-
-export type {
-  User,
-  LoginResponse,
-  ApiError,
-  SessionLoginResponse,
-  ClientSession,
-  MinimalUserData,
-  OxyConfig,
-  StorageAdapter,
-  AuthStateChangeCallback,
-  AuthMethod,
-  AuthManagerConfig,
-  CrossDomainAuthOptions,
-} from '@oxyhq/core';
-
 import { WebOxyProvider as _WebOxyProvider } from './WebOxyProvider';
 export default _WebOxyProvider;

package/src/utils/avatarUtils.ts

@@ -1,10 +1,9 @@
-import type { OxyServices } from '@oxyhq/core';
-import type { User } from '@oxyhq/core';
+import { authenticatedApiCall } from '@oxyhq/core';
+import type { OxyServices, User } from '@oxyhq/core';
 import { useAccountStore } from '../stores/accountStore';
 import { useAuthStore } from '../stores/authStore';
 import { QueryClient } from '@tanstack/react-query';
 import { queryKeys, invalidateUserQueries, invalidateAccountQueries } from '../hooks/queries/queryKeys';
-import { authenticatedApiCall } from './authHelpers';
 
 /**
  * Updates file visibility to public for avatar use.

package/src/utils/authHelpers.ts

@@ -1,183 +0,0 @@
-/**
- * Authentication helper utilities to reduce code duplication across hooks and utilities.
- * These functions handle common token validation and authentication error patterns.
- */
-
-import type { OxyServices } from '@oxyhq/core';
-
-/**
- * Error thrown when session sync is required
- */
-export class SessionSyncRequiredError extends Error {
-  constructor(message = 'Session needs to be synced. Please try again.') {
-    super(message);
-    this.name = 'SessionSyncRequiredError';
-  }
-}
-
-/**
- * Error thrown when authentication fails
- */
-export class AuthenticationFailedError extends Error {
-  constructor(message = 'Authentication failed. Please sign in again.') {
-    super(message);
-    this.name = 'AuthenticationFailedError';
-  }
-}
-
-/**
- * Ensures a valid token exists before making authenticated API calls.
- * If no valid token exists and an active session ID is available,
- * attempts to refresh the token using the session.
- *
- * @param oxyServices - The OxyServices instance
- * @param activeSessionId - The active session ID (if available)
- * @throws {SessionSyncRequiredError} If the session needs to be synced (offline session)
- * @throws {Error} If token refresh fails for other reasons
- *
- * @example
- * ```ts
- * // In a mutation or query function:
- * await ensureValidToken(oxyServices, activeSessionId);
- * return await oxyServices.updateProfile(updates);
- * ```
- */
-export async function ensureValidToken(
-  oxyServices: OxyServices,
-  activeSessionId: string | null | undefined
-): Promise<void> {
-  if (oxyServices.hasValidToken() || !activeSessionId) {
-    return;
-  }
-
-  try {
-    await oxyServices.getTokenBySession(activeSessionId);
-  } catch (tokenError) {
-    const errorMessage = tokenError instanceof Error ? tokenError.message : String(tokenError);
-
-    if (errorMessage.includes('AUTH_REQUIRED_OFFLINE_SESSION') || errorMessage.includes('offline')) {
-      throw new SessionSyncRequiredError();
-    }
-
-    throw tokenError;
-  }
-}
-
-/**
- * Options for handling API authentication errors
- */
-export interface HandleApiErrorOptions {
-  /** Optional callback to attempt session sync and retry */
-  syncSession?: () => Promise<unknown>;
-  /** The active session ID for retry attempts */
-  activeSessionId?: string | null;
-  /** The OxyServices instance for retry attempts */
-  oxyServices?: OxyServices;
-}
-
-/**
- * Checks if an error is an authentication error (401 or auth-related message)
- *
- * @param error - The error to check
- * @returns True if the error is an authentication error
- */
-export function isAuthenticationError(error: unknown): boolean {
-  if (!error || typeof error !== 'object') {
-    return false;
-  }
-
-  const errorObj = error as { message?: string; status?: number; response?: { status?: number } };
-  const errorMessage = errorObj.message || '';
-  const status = errorObj.status || errorObj.response?.status;
-
-  return (
-    status === 401 ||
-    errorMessage.includes('Authentication required') ||
-    errorMessage.includes('Invalid or missing authorization header')
-  );
-}
-
-/**
- * Wraps an API call with authentication error handling.
- * If an authentication error occurs, it can optionally attempt to sync the session and retry.
- *
- * @param apiCall - The API call function to execute
- * @param options - Optional error handling configuration
- * @returns The result of the API call
- * @throws {AuthenticationFailedError} If authentication fails and cannot be recovered
- * @throws {Error} If the API call fails for non-auth reasons
- *
- * @example
- * ```ts
- * // Simple usage:
- * const result = await withAuthErrorHandling(
- *   () => oxyServices.updateProfile(updates)
- * );
- *
- * // With retry on auth failure:
- * const result = await withAuthErrorHandling(
- *   () => oxyServices.updateProfile(updates),
- *   { syncSession, activeSessionId, oxyServices }
- * );
- * ```
- */
-export async function withAuthErrorHandling<T>(
-  apiCall: () => Promise<T>,
-  options?: HandleApiErrorOptions
-): Promise<T> {
-  try {
-    return await apiCall();
-  } catch (error) {
-    if (!isAuthenticationError(error)) {
-      throw error;
-    }
-
-    // If we have sync capabilities, try to recover
-    if (options?.syncSession && options?.activeSessionId && options?.oxyServices) {
-      try {
-        await options.syncSession();
-        await options.oxyServices.getTokenBySession(options.activeSessionId);
-        // Retry the API call after refreshing token
-        return await apiCall();
-      } catch {
-        throw new AuthenticationFailedError();
-      }
-    }
-
-    throw new AuthenticationFailedError();
-  }
-}
-
-/**
- * Combines token validation and auth error handling for a complete authenticated API call.
- * This is the recommended helper for most authenticated API operations.
- *
- * @param oxyServices - The OxyServices instance
- * @param activeSessionId - The active session ID
- * @param apiCall - The API call function to execute
- * @param syncSession - Optional callback to sync session on auth failure
- * @returns The result of the API call
- *
- * @example
- * ```ts
- * return await authenticatedApiCall(
- *   oxyServices,
- *   activeSessionId,
- *   () => oxyServices.updateProfile(updates)
- * );
- * ```
- */
-export async function authenticatedApiCall<T>(
-  oxyServices: OxyServices,
-  activeSessionId: string | null | undefined,
-  apiCall: () => Promise<T>,
-  syncSession?: () => Promise<unknown>
-): Promise<T> {
-  await ensureValidToken(oxyServices, activeSessionId);
-
-  return withAuthErrorHandling(apiCall, {
-    syncSession,
-    activeSessionId,
-    oxyServices,
-  });
-}