@oxyhq/auth 2.0.3 → 2.0.4

package/src/hooks/useSessionSocket.ts

@@ -1,5 +1,4 @@
 import { useEffect, useRef, useMemo } from 'react';
-import io from 'socket.io-client';
 import { toast } from 'sonner';
 import { logger } from '@oxyhq/core';
 import { createDebugLogger } from '@oxyhq/core';
@@ -10,6 +9,49 @@ import { invalidateSessionQueries } from './queries/queryKeys';
 
 const debug = createDebugLogger('SessionSocket');
 
+/** localStorage key used by AuthManager for persisting access tokens. */
+const LS_ACCESS_TOKEN_KEY = 'oxy_access_token';
+
+/** Delay before retrying socket connection after an auth failure (ms). */
+const AUTH_RETRY_DELAY_MS = 2000;
+
+/** Maximum number of consecutive auth-failure retries. */
+const MAX_AUTH_RETRIES = 3;
+
+/**
+ * Read the access token from localStorage directly.
+ * Used as a fallback when the in-memory token is empty (e.g., during a
+ * cross-tab token refresh race).
+ */
+function readTokenFromStorage(): string | null {
+  if (typeof window === 'undefined') return null;
+  try {
+    return window.localStorage.getItem(LS_ACCESS_TOKEN_KEY);
+  } catch {
+    return null;
+  }
+}
+
+type SocketIOFactory = (uri: string, opts?: Record<string, unknown>) => unknown;
+
+let _io: SocketIOFactory | null = null;
+let _ioLoadAttempted = false;
+
+async function getSocketIO(): Promise<SocketIOFactory | null> {
+  if (_io) return _io;
+  if (_ioLoadAttempted) return null;
+  _ioLoadAttempted = true;
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const mod: any = await import('socket.io-client');
+    _io = (mod.io ?? mod.default) as SocketIOFactory;
+    return _io;
+  } catch {
+    debug.warn('socket.io-client is not installed. useSessionSocket will be disabled. Install it with: bun add socket.io-client');
+    return null;
+  }
+}
+
 export interface UseSessionSocketOptions {
   onRemoteSignOut?: () => void;
   onSessionRemoved?: (sessionId: string) => void;
@@ -66,139 +108,226 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
       socketRef.current = null;
     }
 
-    // Connect with auth token; use callback so reconnections get a fresh token
-    socketRef.current = io(baseURL, {
-      transports: ['websocket'],
-      auth: (cb: (data: { token: string }) => void) => {
-        const token = oxyServices.getAccessToken();
-        cb({ token: token ?? '' });
-      },
-    });
-    const socket = socketRef.current;
+    let cancelled = false;
+    let authRetryCount = 0;
+    let authRetryTimer: ReturnType<typeof setTimeout> | null = null;
 
-    // Server auto-joins the user to `user:<userId>` room on connection
-    const handleConnect = () => {
-      debug.log('Socket connected:', socket.id);
+    /**
+     * Resolve the best available access token.
+     * Prefers the in-memory token from OxyServices; falls back to
+     * localStorage which may have been updated by another tab.
+     */
+    const resolveToken = (): string | null => {
+      return oxyServices.getAccessToken() || readTokenFromStorage();
     };
 
-    const refreshSessions = () => {
-      invalidateSessionQueries(queryClientRef.current);
-      return Promise.resolve();
-    };
+    getSocketIO().then((ioFn) => {
+      if (cancelled || !ioFn) return;
 
-    const handleSessionUpdate = async (data: {
-      type: string;
-      sessionId?: string;
-      deviceId?: string;
-      sessionIds?: string[]
-    }) => {
-      debug.log('Received session_update:', data);
-
-      const currentActiveSessionId = activeSessionIdRef.current;
-      const deviceId = currentDeviceIdRef.current;
-
-      // Handle different event types
-      if (data.type === 'session_removed') {
-        // Track removed session
-        if (data.sessionId && onSessionRemovedRef.current) {
-          onSessionRemovedRef.current(data.sessionId);
-        }
-
-        // If the removed sessionId matches the current activeSessionId, immediately clear state
-        if (data.sessionId === currentActiveSessionId) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
-          } else {
-            toast.info('You have been signed out remotely.');
-          }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            if (__DEV__) {
-              logger.error('Failed to clear session state after session_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+      // Connect with auth token; use callback so reconnections get a fresh token.
+      // If no token is available at all, we skip the initial connect and let
+      // the storage listener or retry logic connect when a token appears.
+      const token = resolveToken();
+      socketRef.current = ioFn(baseURL, {
+        transports: ['websocket'],
+        autoConnect: !!token, // don't auto-connect when there is no token
+        auth: (cb: (data: { token: string }) => void) => {
+          const resolved = resolveToken();
+          if (!resolved) {
+            // No token available -- disconnect gracefully instead of sending
+            // an empty string that the server will reject.
+            debug.warn('No access token available for socket auth; disconnecting.');
+            if (socketRef.current) {
+              socketRef.current.disconnect();
             }
+            return;
           }
-        } else {
-          refreshSessions();
+          cb({ token: resolved });
+        },
+      });
+      const socket = socketRef.current;
+
+      // Server auto-joins the user to `user:<userId>` room on connection
+      const handleConnect = () => {
+        debug.log('Socket connected:', socket.id);
+        // Successful connection resets the auth retry counter.
+        authRetryCount = 0;
+      };
+
+      /**
+       * Handle socket disconnection. When the disconnect reason indicates an
+       * auth failure (server rejected the token), schedule a short retry so
+       * that an in-progress token refresh can complete before the next attempt.
+       */
+      const handleDisconnect = (reason: string) => {
+        debug.log('Socket disconnected:', reason);
+        // "io server disconnect" = server forcibly closed the connection (auth failure).
+        // "transport error" can also happen when the auth callback aborted.
+        if (
+          (reason === 'io server disconnect' || reason === 'transport error') &&
+          authRetryCount < MAX_AUTH_RETRIES &&
+          !cancelled
+        ) {
+          authRetryCount++;
+          debug.log(
+            `Auth-related disconnect; scheduling retry ${authRetryCount}/${MAX_AUTH_RETRIES} in ${AUTH_RETRY_DELAY_MS}ms`
+          );
+          authRetryTimer = setTimeout(() => {
+            if (cancelled) return;
+            const retryToken = resolveToken();
+            if (retryToken && socketRef.current) {
+              debug.log('Retrying socket connection with refreshed token');
+              socketRef.current.connect();
+            }
+          }, AUTH_RETRY_DELAY_MS);
         }
-      } else if (data.type === 'device_removed') {
-        // Track all removed sessions from this device
-        if (data.sessionIds && onSessionRemovedRef.current) {
-          for (const sessionId of data.sessionIds) {
-            onSessionRemovedRef.current(sessionId);
+      };
+
+      const refreshSessions = () => {
+        invalidateSessionQueries(queryClientRef.current);
+        return Promise.resolve();
+      };
+
+      const handleSessionUpdate = async (data: {
+        type: string;
+        sessionId?: string;
+        deviceId?: string;
+        sessionIds?: string[]
+      }) => {
+        debug.log('Received session_update:', data);
+
+        const currentActiveSessionId = activeSessionIdRef.current;
+        const deviceId = currentDeviceIdRef.current;
+
+        // Handle different event types
+        if (data.type === 'session_removed') {
+          // Track removed session
+          if (data.sessionId && onSessionRemovedRef.current) {
+            onSessionRemovedRef.current(data.sessionId);
           }
-        }
 
-        // If the removed deviceId matches the current device, immediately clear state
-        if (data.deviceId && data.deviceId === deviceId) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
+          // If the removed sessionId matches the current activeSessionId, immediately clear state
+          if (data.sessionId === currentActiveSessionId) {
+            if (onRemoteSignOutRef.current) {
+              onRemoteSignOutRef.current();
+            } else {
+              toast.info('You have been signed out remotely.');
+            }
+            try {
+              await clearSessionStateRef.current();
+            } catch (error) {
+              if (process.env.NODE_ENV !== 'production') {
+                logger.error('Failed to clear session state after session_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+              }
+            }
           } else {
-            toast.info('This device has been removed. You have been signed out.');
+            refreshSessions();
           }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            if (__DEV__) {
-              logger.error('Failed to clear session state after device_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+        } else if (data.type === 'device_removed') {
+          // Track all removed sessions from this device
+          if (data.sessionIds && onSessionRemovedRef.current) {
+            for (const sessionId of data.sessionIds) {
+              onSessionRemovedRef.current(sessionId);
             }
           }
-        } else {
-          refreshSessions();
-        }
-      } else if (data.type === 'sessions_removed') {
-        // Track all removed sessions
-        if (data.sessionIds && onSessionRemovedRef.current) {
-          for (const sessionId of data.sessionIds) {
-            onSessionRemovedRef.current(sessionId);
-          }
-        }
 
-        // If the current activeSessionId is in the removed sessionIds list, immediately clear state
-        if (data.sessionIds && currentActiveSessionId && data.sessionIds.includes(currentActiveSessionId)) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
+          // If the removed deviceId matches the current device, immediately clear state
+          if (data.deviceId && data.deviceId === deviceId) {
+            if (onRemoteSignOutRef.current) {
+              onRemoteSignOutRef.current();
+            } else {
+              toast.info('This device has been removed. You have been signed out.');
+            }
+            try {
+              await clearSessionStateRef.current();
+            } catch (error) {
+              if (process.env.NODE_ENV !== 'production') {
+                logger.error('Failed to clear session state after device_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+              }
+            }
           } else {
-            toast.info('You have been signed out remotely.');
+            refreshSessions();
           }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            if (__DEV__) {
-              logger.error('Failed to clear session state after sessions_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+        } else if (data.type === 'sessions_removed') {
+          // Track all removed sessions
+          if (data.sessionIds && onSessionRemovedRef.current) {
+            for (const sessionId of data.sessionIds) {
+              onSessionRemovedRef.current(sessionId);
             }
           }
-        } else {
-          refreshSessions();
-        }
-      } else {
-        // For other event types (e.g., session_created), refresh sessions
-        refreshSessions();
-
-        // If the current session was logged out (legacy behavior), handle it specially
-        if (data.sessionId === currentActiveSessionId) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
+
+          // If the current activeSessionId is in the removed sessionIds list, immediately clear state
+          if (data.sessionIds && currentActiveSessionId && data.sessionIds.includes(currentActiveSessionId)) {
+            if (onRemoteSignOutRef.current) {
+              onRemoteSignOutRef.current();
+            } else {
+              toast.info('You have been signed out remotely.');
+            }
+            try {
+              await clearSessionStateRef.current();
+            } catch (error) {
+              if (process.env.NODE_ENV !== 'production') {
+                logger.error('Failed to clear session state after sessions_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+              }
+            }
           } else {
-            toast.info('You have been signed out remotely.');
+            refreshSessions();
           }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            debug.error('Failed to clear session state after session_update:', error);
+        } else {
+          // For other event types (e.g., session_created), refresh sessions
+          refreshSessions();
+
+          // If the current session was logged out (legacy behavior), handle it specially
+          if (data.sessionId === currentActiveSessionId) {
+            if (onRemoteSignOutRef.current) {
+              onRemoteSignOutRef.current();
+            } else {
+              toast.info('You have been signed out remotely.');
+            }
+            try {
+              await clearSessionStateRef.current();
+            } catch (error) {
+              debug.error('Failed to clear session state after session_update:', error);
+            }
           }
         }
-      }
-    };
+      };
 
-    socket.on('connect', handleConnect);
-    socket.on('session_update', handleSessionUpdate);
+      socket.on('connect', handleConnect);
+      socket.on('disconnect', handleDisconnect);
+      socket.on('session_update', handleSessionUpdate);
+
+      // Listen for cross-tab token updates via the Storage event.
+      // When another tab writes a fresh access token to localStorage,
+      // reconnect this tab's socket if it was disconnected.
+      const handleStorageEvent = (e: StorageEvent) => {
+        if (e.key === LS_ACCESS_TOKEN_KEY && e.newValue && socketRef.current?.disconnected) {
+          debug.log('Cross-tab token update detected; reconnecting socket');
+          authRetryCount = 0; // reset retries since we got a fresh token
+          socketRef.current.connect();
+        }
+      };
+
+      if (typeof window !== 'undefined') {
+        window.addEventListener('storage', handleStorageEvent);
+        // Store the handler so cleanup can remove it
+        (socket as any).__oxyStorageHandler = handleStorageEvent;
+      }
+    });
 
     return () => {
-      socket.off('connect', handleConnect);
-      socket.off('session_update', handleSessionUpdate);
-      socket.disconnect();
-      socketRef.current = null;
+      cancelled = true;
+      if (authRetryTimer) {
+        clearTimeout(authRetryTimer);
+      }
+      if (socketRef.current) {
+        // Remove cross-tab storage listener
+        if (typeof window !== 'undefined' && (socketRef.current as any).__oxyStorageHandler) {
+          window.removeEventListener('storage', (socketRef.current as any).__oxyStorageHandler);
+        }
+        socketRef.current.disconnect();
+        socketRef.current = null;
+      }
     };
   }, [userId, baseURL]); // Only depend on userId and baseURL - callbacks are in refs
 }

package/src/index.ts

@@ -46,6 +46,17 @@ export {
   useAssetUsageCount,
   useIsAssetLinked,
 } from './stores/assetStore';
+export {
+  useAccountStore,
+  useAccounts,
+  useAccountLoading,
+  useAccountError,
+  useAccountLoadingSession,
+} from './stores/accountStore';
+export type { QuickAccount } from './stores/accountStore';
+export {
+  useFollowStore,
+} from './stores/followStore';
 
 // --- Query Hooks ---
 export {
@@ -89,6 +100,7 @@ export type {
 } from './hooks/mutations/mutationFactory';
 
 // --- Custom Hooks ---
+export { useWebSSO, isWebBrowser } from './hooks/useWebSSO';
 export { useSessionSocket } from './hooks/useSessionSocket';
 export type { UseSessionSocketOptions } from './hooks/useSessionSocket';
 export { useAssets, setOxyAssetInstance } from './hooks/useAssets';

package/src/stores/accountStore.ts

@@ -233,7 +233,7 @@ export const useAccountStore = create<AccountState>((set, get) => ({
                 get().setAccounts(ordered);
             } catch (error) {
                 const errorMessage = error instanceof Error ? error.message : 'Failed to load accounts';
-                if (__DEV__) {
+                if (process.env.NODE_ENV !== 'production') {
                     console.error('AccountStore: Failed to load accounts:', error);
                 }
                 set({ error: errorMessage });
@@ -242,7 +242,7 @@ export const useAccountStore = create<AccountState>((set, get) => ({
             }
         } catch (error) {
             const errorMessage = error instanceof Error ? error.message : 'Failed to load accounts';
-            if (__DEV__) {
+            if (process.env.NODE_ENV !== 'production') {
                 console.error('AccountStore: Failed to load accounts:', error);
             }
             set({ error: errorMessage, loading: false });

package/src/utils/sessionHelpers.ts

@@ -87,7 +87,7 @@ export const fetchSessionsWithFallback = async (
     const deviceSessions = await oxyServices.getDeviceSessions(sessionId);
     return mapSessionsToClient(deviceSessions, fallbackDeviceId, fallbackUserId);
   } catch (error) {
-    if (__DEV__ && logger) {
+    if (process.env.NODE_ENV !== 'production' && logger) {
       logger('Failed to get device sessions, falling back to user sessions', error);
     }
 

package/src/utils/storageHelpers.ts

@@ -91,7 +91,7 @@ const createNativeStorage = async (): Promise<StorageInterface> => {
     asyncStorageInstance = asyncStorageModule.default as unknown as StorageInterface;
     return asyncStorageInstance;
   } catch (error) {
-    if (__DEV__) {
+    if (process.env.NODE_ENV !== 'production') {
       console.error('Failed to import AsyncStorage:', error);
     }
     throw new Error('AsyncStorage is required in React Native environment');

package/src/global.d.ts

@@ -1 +0,0 @@
-declare const __DEV__: boolean;