@oxyhq/auth 2.0.3 → 2.0.5

package/src/hooks/useSessionSocket.ts

@@ -1,5 +1,4 @@
 import { useEffect, useRef, useMemo } from 'react';
-import io from 'socket.io-client';
 import { toast } from 'sonner';
 import { logger } from '@oxyhq/core';
 import { createDebugLogger } from '@oxyhq/core';
@@ -10,6 +9,80 @@ import { invalidateSessionQueries } from './queries/queryKeys';
 
 const debug = createDebugLogger('SessionSocket');
 
+/** localStorage key used by AuthManager for persisting access tokens. */
+const LS_ACCESS_TOKEN_KEY = 'oxy_access_token';
+
+/** Delay before retrying socket connection after an auth failure (ms). */
+const AUTH_RETRY_DELAY_MS = 2000;
+
+/** Maximum number of consecutive auth-failure retries. */
+const MAX_AUTH_RETRIES = 3;
+
+/**
+ * Read the access token from localStorage directly.
+ * Used as a fallback when the in-memory token is empty (e.g., during a
+ * cross-tab token refresh race).
+ */
+function readTokenFromStorage(): string | null {
+  if (typeof window === 'undefined') return null;
+  try {
+    return window.localStorage.getItem(LS_ACCESS_TOKEN_KEY);
+  } catch (err) {
+    console.warn('[oxy.session-socket] localStorage read failed:', err);
+    return null;
+  }
+}
+
+/**
+ * Minimal subset of the socket.io-client Socket API used by this hook.
+ * We avoid importing socket.io-client types directly because the package
+ * is an optional peer dependency.
+ *
+ * `on()` uses a generic per-call handler signature because each socket event
+ * carries its own payload shape.
+ */
+interface MinimalSocket {
+  id?: string;
+  disconnected: boolean;
+  connect: () => void;
+  disconnect: () => void;
+  on<Args extends unknown[] = unknown[]>(
+    event: string,
+    handler: (...args: Args) => void
+  ): void;
+}
+
+/**
+ * Socket extended with a private property used to track the cross-tab
+ * storage event listener so cleanup can remove it.
+ */
+interface SocketWithStorageHandler extends MinimalSocket {
+  __oxyStorageHandler?: (event: StorageEvent) => void;
+}
+
+type SocketIOFactory = (uri: string, opts?: Record<string, unknown>) => MinimalSocket;
+
+let _io: SocketIOFactory | null = null;
+let _ioLoadAttempted = false;
+
+async function getSocketIO(): Promise<SocketIOFactory | null> {
+  if (_io) return _io;
+  if (_ioLoadAttempted) return null;
+  _ioLoadAttempted = true;
+  try {
+    const mod = (await import('socket.io-client')) as {
+      io?: SocketIOFactory;
+      default?: SocketIOFactory;
+    };
+    _io = mod.io ?? mod.default ?? null;
+    return _io;
+  } catch (err) {
+    console.warn('[oxy.session-socket] socket.io-client import failed:', err);
+    debug.warn('socket.io-client is not installed. useSessionSocket will be disabled. Install it with: bun add socket.io-client');
+    return null;
+  }
+}
+
 export interface UseSessionSocketOptions {
   onRemoteSignOut?: () => void;
   onSessionRemoved?: (sessionId: string) => void;
@@ -30,7 +103,7 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
     return active?.deviceId ?? null;
   }, [sessions, activeSessionId]);
 
-  const socketRef = useRef<any>(null);
+  const socketRef = useRef<SocketWithStorageHandler | null>(null);
 
   // Store callbacks and values in refs to avoid reconnecting when they change
   const clearSessionStateRef = useRef(clearSessionState);
@@ -66,139 +139,227 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
       socketRef.current = null;
     }
 
-    // Connect with auth token; use callback so reconnections get a fresh token
-    socketRef.current = io(baseURL, {
-      transports: ['websocket'],
-      auth: (cb: (data: { token: string }) => void) => {
-        const token = oxyServices.getAccessToken();
-        cb({ token: token ?? '' });
-      },
-    });
-    const socket = socketRef.current;
-
-    // Server auto-joins the user to `user:<userId>` room on connection
-    const handleConnect = () => {
-      debug.log('Socket connected:', socket.id);
-    };
+    let cancelled = false;
+    let authRetryCount = 0;
+    let authRetryTimer: ReturnType<typeof setTimeout> | null = null;
 
-    const refreshSessions = () => {
-      invalidateSessionQueries(queryClientRef.current);
-      return Promise.resolve();
+    /**
+     * Resolve the best available access token.
+     * Prefers the in-memory token from OxyServices; falls back to
+     * localStorage which may have been updated by another tab.
+     */
+    const resolveToken = (): string | null => {
+      return oxyServices.getAccessToken() || readTokenFromStorage();
     };
 
-    const handleSessionUpdate = async (data: {
-      type: string;
-      sessionId?: string;
-      deviceId?: string;
-      sessionIds?: string[]
-    }) => {
-      debug.log('Received session_update:', data);
-
-      const currentActiveSessionId = activeSessionIdRef.current;
-      const deviceId = currentDeviceIdRef.current;
-
-      // Handle different event types
-      if (data.type === 'session_removed') {
-        // Track removed session
-        if (data.sessionId && onSessionRemovedRef.current) {
-          onSessionRemovedRef.current(data.sessionId);
-        }
+    getSocketIO().then((ioFn) => {
+      if (cancelled || !ioFn) return;
 
-        // If the removed sessionId matches the current activeSessionId, immediately clear state
-        if (data.sessionId === currentActiveSessionId) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
-          } else {
-            toast.info('You have been signed out remotely.');
-          }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            if (__DEV__) {
-              logger.error('Failed to clear session state after session_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+      // Connect with auth token; use callback so reconnections get a fresh token.
+      // If no token is available at all, we skip the initial connect and let
+      // the storage listener or retry logic connect when a token appears.
+      const token = resolveToken();
+      const socket: SocketWithStorageHandler = ioFn(baseURL, {
+        transports: ['websocket'],
+        autoConnect: !!token, // don't auto-connect when there is no token
+        auth: (cb: (data: { token: string }) => void) => {
+          const resolved = resolveToken();
+          if (!resolved) {
+            // No token available -- disconnect gracefully instead of sending
+            // an empty string that the server will reject.
+            debug.warn('No access token available for socket auth; disconnecting.');
+            if (socketRef.current) {
+              socketRef.current.disconnect();
             }
+            return;
           }
+          cb({ token: resolved });
+        },
+      });
+      socketRef.current = socket;
+
+      // Server auto-joins the user to `user:<userId>` room on connection
+      const handleConnect = () => {
+        debug.log('Socket connected:', socket.id);
+        // Successful connection resets the auth retry counter.
+        authRetryCount = 0;
+      };
+
+      /**
+       * Handle socket disconnection. When the disconnect reason indicates an
+       * auth failure (server rejected the token), schedule a short retry so
+       * that an in-progress token refresh can complete before the next attempt.
+       */
+      const handleDisconnect = (reason: string) => {
+        debug.log('Socket disconnected:', reason);
+        // "io server disconnect" = server forcibly closed the connection (auth failure).
+        // "transport error" can also happen when the auth callback aborted.
+        if (
+          (reason === 'io server disconnect' || reason === 'transport error') &&
+          authRetryCount < MAX_AUTH_RETRIES &&
+          !cancelled
+        ) {
+          authRetryCount++;
+          debug.log(
+            `Auth-related disconnect; scheduling retry ${authRetryCount}/${MAX_AUTH_RETRIES} in ${AUTH_RETRY_DELAY_MS}ms`
+          );
+          authRetryTimer = setTimeout(() => {
+            if (cancelled) return;
+            const retryToken = resolveToken();
+            if (retryToken && socketRef.current) {
+              debug.log('Retrying socket connection with refreshed token');
+              socketRef.current.connect();
+            }
+          }, AUTH_RETRY_DELAY_MS);
+        }
+      };
+
+      const refreshSessions = () => {
+        invalidateSessionQueries(queryClientRef.current);
+        return Promise.resolve();
+      };
+
+      const triggerLocalSignOut = async (toastMessage: string, errorContext: string) => {
+        if (onRemoteSignOutRef.current) {
+          onRemoteSignOutRef.current();
         } else {
-          refreshSessions();
+          toast.info(toastMessage);
         }
-      } else if (data.type === 'device_removed') {
-        // Track all removed sessions from this device
-        if (data.sessionIds && onSessionRemovedRef.current) {
-          for (const sessionId of data.sessionIds) {
-            onSessionRemovedRef.current(sessionId);
+        // Clear local state since the server has already removed the session.
+        // Await so storage cleanup completes before any subsequent navigation.
+        try {
+          await clearSessionStateRef.current();
+        } catch (error) {
+          if (process.env.NODE_ENV !== 'production') {
+            logger.error(
+              `Failed to clear session state after ${errorContext}`,
+              error instanceof Error ? error : new Error(String(error)),
+              { component: 'useSessionSocket' },
+            );
           }
         }
+      };
 
-        // If the removed deviceId matches the current device, immediately clear state
-        if (data.deviceId && data.deviceId === deviceId) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
-          } else {
-            toast.info('This device has been removed. You have been signed out.');
+      const handleSessionUpdate = async (data: {
+        type: string;
+        sessionId?: string;
+        deviceId?: string;
+        sessionIds?: string[]
+      }) => {
+        debug.log('Received session_update:', data);
+
+        const currentActiveSessionId = activeSessionIdRef.current;
+        const deviceId = currentDeviceIdRef.current;
+
+        // Strict whitelist. Every event type that may sign the user out must
+        // appear in the switch. Anything unknown falls through to `default`,
+        // which only logs in dev. This guards against future server-side event
+        // additions (e.g. `session_created` after a successful sign-in)
+        // accidentally triggering sign-out via a fallback branch that compares
+        // `data.sessionId === currentActiveSessionId` — that branch would match
+        // the user's NEW session id and trigger an instant remote sign-out
+        // toast on every login.
+        switch (data.type) {
+          case 'session_removed': {
+            if (data.sessionId && onSessionRemovedRef.current) {
+              onSessionRemovedRef.current(data.sessionId);
+            }
+            if (data.sessionId && data.sessionId === currentActiveSessionId) {
+              await triggerLocalSignOut('You have been signed out remotely.', 'session_removed');
+            } else {
+              refreshSessions();
+            }
+            break;
           }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            if (__DEV__) {
-              logger.error('Failed to clear session state after device_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+          case 'device_removed': {
+            if (data.sessionIds && onSessionRemovedRef.current) {
+              for (const sessionId of data.sessionIds) {
+                onSessionRemovedRef.current(sessionId);
+              }
             }
+            if (data.deviceId && deviceId && data.deviceId === deviceId) {
+              await triggerLocalSignOut(
+                'This device has been removed. You have been signed out.',
+                'device_removed',
+              );
+            } else {
+              refreshSessions();
+            }
+            break;
           }
-        } else {
-          refreshSessions();
-        }
-      } else if (data.type === 'sessions_removed') {
-        // Track all removed sessions
-        if (data.sessionIds && onSessionRemovedRef.current) {
-          for (const sessionId of data.sessionIds) {
-            onSessionRemovedRef.current(sessionId);
+          case 'sessions_removed': {
+            if (data.sessionIds && onSessionRemovedRef.current) {
+              for (const sessionId of data.sessionIds) {
+                onSessionRemovedRef.current(sessionId);
+              }
+            }
+            if (
+              data.sessionIds &&
+              currentActiveSessionId &&
+              data.sessionIds.includes(currentActiveSessionId)
+            ) {
+              await triggerLocalSignOut('You have been signed out remotely.', 'sessions_removed');
+            } else {
+              refreshSessions();
+            }
+            break;
           }
-        }
-
-        // If the current activeSessionId is in the removed sessionIds list, immediately clear state
-        if (data.sessionIds && currentActiveSessionId && data.sessionIds.includes(currentActiveSessionId)) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
-          } else {
-            toast.info('You have been signed out remotely.');
+          case 'session_created':
+          case 'session_update': {
+            // Lifecycle event for the current user. Just resync the sessions
+            // list — never sign out.
+            refreshSessions();
+            break;
           }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            if (__DEV__) {
-              logger.error('Failed to clear session state after sessions_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
+          default: {
+            if (process.env.NODE_ENV !== 'production') {
+              logger.warn('Unknown session socket event type', {
+                component: 'useSessionSocket',
+                type: data.type,
+              });
             }
+            break;
           }
-        } else {
-          refreshSessions();
         }
-      } else {
-        // For other event types (e.g., session_created), refresh sessions
-        refreshSessions();
-
-        // If the current session was logged out (legacy behavior), handle it specially
-        if (data.sessionId === currentActiveSessionId) {
-          if (onRemoteSignOutRef.current) {
-            onRemoteSignOutRef.current();
-          } else {
-            toast.info('You have been signed out remotely.');
-          }
-          try {
-            await clearSessionStateRef.current();
-          } catch (error) {
-            debug.error('Failed to clear session state after session_update:', error);
-          }
+      };
+
+      socket.on('connect', handleConnect);
+      socket.on('disconnect', handleDisconnect);
+      socket.on('session_update', handleSessionUpdate);
+
+      // Listen for cross-tab token updates via the Storage event.
+      // When another tab writes a fresh access token to localStorage,
+      // reconnect this tab's socket if it was disconnected.
+      const handleStorageEvent = (e: StorageEvent) => {
+        if (e.key === LS_ACCESS_TOKEN_KEY && e.newValue && socketRef.current?.disconnected) {
+          debug.log('Cross-tab token update detected; reconnecting socket');
+          authRetryCount = 0; // reset retries since we got a fresh token
+          socketRef.current.connect();
         }
-      }
-    };
+      };
 
-    socket.on('connect', handleConnect);
-    socket.on('session_update', handleSessionUpdate);
+      if (typeof window !== 'undefined') {
+        window.addEventListener('storage', handleStorageEvent);
+        // Store the handler so cleanup can remove it
+        socket.__oxyStorageHandler = handleStorageEvent;
+      }
+    });
 
     return () => {
-      socket.off('connect', handleConnect);
-      socket.off('session_update', handleSessionUpdate);
-      socket.disconnect();
-      socketRef.current = null;
+      cancelled = true;
+      if (authRetryTimer) {
+        clearTimeout(authRetryTimer);
+      }
+      const currentSocket = socketRef.current;
+      if (currentSocket) {
+        // Remove cross-tab storage listener
+        const storageHandler = currentSocket.__oxyStorageHandler;
+        if (typeof window !== 'undefined' && storageHandler) {
+          window.removeEventListener('storage', storageHandler);
+        }
+        currentSocket.disconnect();
+        socketRef.current = null;
+      }
     };
   }, [userId, baseURL]); // Only depend on userId and baseURL - callbacks are in refs
 }

package/src/index.ts

@@ -46,6 +46,17 @@ export {
   useAssetUsageCount,
   useIsAssetLinked,
 } from './stores/assetStore';
+export {
+  useAccountStore,
+  useAccounts,
+  useAccountLoading,
+  useAccountError,
+  useAccountLoadingSession,
+} from './stores/accountStore';
+export type { QuickAccount } from './stores/accountStore';
+export {
+  useFollowStore,
+} from './stores/followStore';
 
 // --- Query Hooks ---
 export {
@@ -89,10 +100,11 @@ export type {
 } from './hooks/mutations/mutationFactory';
 
 // --- Custom Hooks ---
+export { useWebSSO, isWebBrowser } from './hooks/useWebSSO';
 export { useSessionSocket } from './hooks/useSessionSocket';
 export type { UseSessionSocketOptions } from './hooks/useSessionSocket';
 export { useAssets, setOxyAssetInstance } from './hooks/useAssets';
-export { useFileDownloadUrl, setOxyFileUrlInstance } from './hooks/useFileDownloadUrl';
+export { useFileDownloadUrl } from './hooks/useFileDownloadUrl';
 export { useFollow, useFollowerCounts } from './hooks/useFollow';
 export { useFileFiltering } from './hooks/useFileFiltering';
 export type { ViewMode, SortBy, SortOrder } from './hooks/useFileFiltering';

package/src/stores/accountStore.ts

@@ -233,7 +233,7 @@ export const useAccountStore = create<AccountState>((set, get) => ({
                 get().setAccounts(ordered);
             } catch (error) {
                 const errorMessage = error instanceof Error ? error.message : 'Failed to load accounts';
-                if (__DEV__) {
+                if (process.env.NODE_ENV !== 'production') {
                     console.error('AccountStore: Failed to load accounts:', error);
                 }
                 set({ error: errorMessage });
@@ -242,7 +242,7 @@ export const useAccountStore = create<AccountState>((set, get) => ({
             }
         } catch (error) {
             const errorMessage = error instanceof Error ? error.message : 'Failed to load accounts';
-            if (__DEV__) {
+            if (process.env.NODE_ENV !== 'production') {
                 console.error('AccountStore: Failed to load accounts:', error);
             }
             set({ error: errorMessage, loading: false });

package/src/utils/sessionHelpers.ts

@@ -68,7 +68,9 @@ export const mapSessionsToClient = (
 };
 
 /**
- * Fetch device sessions with fallback to the legacy session endpoint when needed.
+ * Fetch device sessions, falling back to the per-user session endpoint
+ * if the device endpoint is unavailable (older API versions or disabled
+ * device-grouping feature flag).
  *
  * @param oxyServices - Oxy service instance
  * @param sessionId - Session identifier to fetch
@@ -87,7 +89,7 @@ export const fetchSessionsWithFallback = async (
     const deviceSessions = await oxyServices.getDeviceSessions(sessionId);
     return mapSessionsToClient(deviceSessions, fallbackDeviceId, fallbackUserId);
   } catch (error) {
-    if (__DEV__ && logger) {
+    if (process.env.NODE_ENV !== 'production' && logger) {
       logger('Failed to get device sessions, falling back to user sessions', error);
     }
 

package/src/utils/storageHelpers.ts

@@ -19,7 +19,8 @@ const MEMORY_STORAGE = (): StorageInterface => {
 
   return {
     async getItem(key: string) {
-      return store.has(key) ? store.get(key)! : null;
+      const value = store.get(key);
+      return value === undefined ? null : value;
     },
     async setItem(key: string, value: string) {
       store.set(key, value);
@@ -46,29 +47,33 @@ const createWebStorage = (): StorageInterface => {
     async getItem(key: string) {
       try {
         return window.localStorage.getItem(key);
-      } catch {
+      } catch (err) {
+        console.warn('[oxy.storage] localStorage.getItem failed:', err);
         return null;
       }
     },
     async setItem(key: string, value: string) {
       try {
         window.localStorage.setItem(key, value);
-      } catch {
-        // Ignore quota or access issues for now.
+      } catch (err) {
+        // Quota exceeded or storage disabled (e.g., Safari private mode).
+        // Surface to logs so it is debuggable, but do not throw so callers
+        // can keep functioning with degraded persistence.
+        console.warn('[oxy.storage] localStorage.setItem failed:', err);
       }
     },
     async removeItem(key: string) {
       try {
         window.localStorage.removeItem(key);
-      } catch {
-        // Ignore failures.
+      } catch (err) {
+        console.warn('[oxy.storage] localStorage.removeItem failed:', err);
       }
     },
     async clear() {
       try {
         window.localStorage.clear();
-      } catch {
-        // Ignore failures.
+      } catch (err) {
+        console.warn('[oxy.storage] localStorage.clear failed:', err);
       }
     },
   };
@@ -76,6 +81,31 @@ const createWebStorage = (): StorageInterface => {
 
 let asyncStorageInstance: StorageInterface | null = null;
 
+/**
+ * Structural type for the React Native AsyncStorage default export.
+ * Only includes the methods this SDK uses.
+ */
+interface AsyncStorageLike {
+  getItem: (key: string) => Promise<string | null>;
+  setItem: (key: string, value: string) => Promise<void>;
+  removeItem: (key: string) => Promise<void>;
+  clear: () => Promise<void>;
+}
+
+/**
+ * Type guard verifying that an imported value exposes the AsyncStorage API.
+ */
+const isAsyncStorageLike = (value: unknown): value is AsyncStorageLike => {
+  if (typeof value !== 'object' || value === null) return false;
+  const candidate = value as Record<string, unknown>;
+  return (
+    typeof candidate.getItem === 'function' &&
+    typeof candidate.setItem === 'function' &&
+    typeof candidate.removeItem === 'function' &&
+    typeof candidate.clear === 'function'
+  );
+};
+
 /**
  * Lazily import React Native AsyncStorage implementation.
  */
@@ -87,11 +117,20 @@ const createNativeStorage = async (): Promise<StorageInterface> => {
   try {
     // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     const moduleName = '@react-native-async-storage/async-storage';
-    const asyncStorageModule = await import(moduleName);
-    asyncStorageInstance = asyncStorageModule.default as unknown as StorageInterface;
+    const asyncStorageModule = (await import(moduleName)) as { default?: unknown };
+    const candidate = asyncStorageModule.default;
+    if (!isAsyncStorageLike(candidate)) {
+      throw new Error('AsyncStorage default export does not match expected API');
+    }
+    asyncStorageInstance = {
+      getItem: (key) => candidate.getItem(key),
+      setItem: (key, value) => candidate.setItem(key, value),
+      removeItem: (key) => candidate.removeItem(key),
+      clear: () => candidate.clear(),
+    };
     return asyncStorageInstance;
   } catch (error) {
-    if (__DEV__) {
+    if (process.env.NODE_ENV !== 'production') {
       console.error('Failed to import AsyncStorage:', error);
     }
     throw new Error('AsyncStorage is required in React Native environment');

package/src/global.d.ts

@@ -1 +0,0 @@
-declare const __DEV__: boolean;