@oxyhq/auth 2.0.4 → 2.0.6

package/src/hooks/useSessionSocket.ts

@@ -27,12 +27,40 @@ function readTokenFromStorage(): string | null {
   if (typeof window === 'undefined') return null;
   try {
     return window.localStorage.getItem(LS_ACCESS_TOKEN_KEY);
-  } catch {
+  } catch (err) {
+    console.warn('[oxy.session-socket] localStorage read failed:', err);
     return null;
   }
 }
 
-type SocketIOFactory = (uri: string, opts?: Record<string, unknown>) => unknown;
+/**
+ * Minimal subset of the socket.io-client Socket API used by this hook.
+ * We avoid importing socket.io-client types directly because the package
+ * is an optional peer dependency.
+ *
+ * `on()` uses a generic per-call handler signature because each socket event
+ * carries its own payload shape.
+ */
+interface MinimalSocket {
+  id?: string;
+  disconnected: boolean;
+  connect: () => void;
+  disconnect: () => void;
+  on<Args extends unknown[] = unknown[]>(
+    event: string,
+    handler: (...args: Args) => void
+  ): void;
+}
+
+/**
+ * Socket extended with a private property used to track the cross-tab
+ * storage event listener so cleanup can remove it.
+ */
+interface SocketWithStorageHandler extends MinimalSocket {
+  __oxyStorageHandler?: (event: StorageEvent) => void;
+}
+
+type SocketIOFactory = (uri: string, opts?: Record<string, unknown>) => MinimalSocket;
 
 let _io: SocketIOFactory | null = null;
 let _ioLoadAttempted = false;
@@ -42,11 +70,14 @@ async function getSocketIO(): Promise<SocketIOFactory | null> {
   if (_ioLoadAttempted) return null;
   _ioLoadAttempted = true;
   try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const mod: any = await import('socket.io-client');
-    _io = (mod.io ?? mod.default) as SocketIOFactory;
+    const mod = (await import('socket.io-client')) as {
+      io?: SocketIOFactory;
+      default?: SocketIOFactory;
+    };
+    _io = mod.io ?? mod.default ?? null;
     return _io;
-  } catch {
+  } catch (err) {
+    console.warn('[oxy.session-socket] socket.io-client import failed:', err);
     debug.warn('socket.io-client is not installed. useSessionSocket will be disabled. Install it with: bun add socket.io-client');
     return null;
   }
@@ -72,7 +103,7 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
     return active?.deviceId ?? null;
   }, [sessions, activeSessionId]);
 
-  const socketRef = useRef<any>(null);
+  const socketRef = useRef<SocketWithStorageHandler | null>(null);
 
   // Store callbacks and values in refs to avoid reconnecting when they change
   const clearSessionStateRef = useRef(clearSessionState);
@@ -128,7 +159,7 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
       // If no token is available at all, we skip the initial connect and let
       // the storage listener or retry logic connect when a token appears.
       const token = resolveToken();
-      socketRef.current = ioFn(baseURL, {
+      const socket: SocketWithStorageHandler = ioFn(baseURL, {
         transports: ['websocket'],
         autoConnect: !!token, // don't auto-connect when there is no token
         auth: (cb: (data: { token: string }) => void) => {
@@ -145,7 +176,7 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
           cb({ token: resolved });
         },
       });
-      const socket = socketRef.current;
+      socketRef.current = socket;
 
       // Server auto-joins the user to `user:<userId>` room on connection
       const handleConnect = () => {
@@ -188,6 +219,27 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
         return Promise.resolve();
       };
 
+      const triggerLocalSignOut = async (toastMessage: string, errorContext: string) => {
+        if (onRemoteSignOutRef.current) {
+          onRemoteSignOutRef.current();
+        } else {
+          toast.info(toastMessage);
+        }
+        // Clear local state since the server has already removed the session.
+        // Await so storage cleanup completes before any subsequent navigation.
+        try {
+          await clearSessionStateRef.current();
+        } catch (error) {
+          if (process.env.NODE_ENV !== 'production') {
+            logger.error(
+              `Failed to clear session state after ${errorContext}`,
+              error instanceof Error ? error : new Error(String(error)),
+              { component: 'useSessionSocket' },
+            );
+          }
+        }
+      };
+
       const handleSessionUpdate = async (data: {
         type: string;
         sessionId?: string;
@@ -199,96 +251,74 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
         const currentActiveSessionId = activeSessionIdRef.current;
         const deviceId = currentDeviceIdRef.current;
 
-        // Handle different event types
-        if (data.type === 'session_removed') {
-          // Track removed session
-          if (data.sessionId && onSessionRemovedRef.current) {
-            onSessionRemovedRef.current(data.sessionId);
-          }
-
-          // If the removed sessionId matches the current activeSessionId, immediately clear state
-          if (data.sessionId === currentActiveSessionId) {
-            if (onRemoteSignOutRef.current) {
-              onRemoteSignOutRef.current();
-            } else {
-              toast.info('You have been signed out remotely.');
+        // Strict whitelist. Every event type that may sign the user out must
+        // appear in the switch. Anything unknown falls through to `default`,
+        // which only logs in dev. This guards against future server-side event
+        // additions (e.g. `session_created` after a successful sign-in)
+        // accidentally triggering sign-out via a fallback branch that compares
+        // `data.sessionId === currentActiveSessionId` — that branch would match
+        // the user's NEW session id and trigger an instant remote sign-out
+        // toast on every login.
+        switch (data.type) {
+          case 'session_removed': {
+            if (data.sessionId && onSessionRemovedRef.current) {
+              onSessionRemovedRef.current(data.sessionId);
             }
-            try {
-              await clearSessionStateRef.current();
-            } catch (error) {
-              if (process.env.NODE_ENV !== 'production') {
-                logger.error('Failed to clear session state after session_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
-              }
+            if (data.sessionId && data.sessionId === currentActiveSessionId) {
+              await triggerLocalSignOut('You have been signed out remotely.', 'session_removed');
+            } else {
+              refreshSessions();
             }
-          } else {
-            refreshSessions();
+            break;
           }
-        } else if (data.type === 'device_removed') {
-          // Track all removed sessions from this device
-          if (data.sessionIds && onSessionRemovedRef.current) {
-            for (const sessionId of data.sessionIds) {
-              onSessionRemovedRef.current(sessionId);
+          case 'device_removed': {
+            if (data.sessionIds && onSessionRemovedRef.current) {
+              for (const sessionId of data.sessionIds) {
+                onSessionRemovedRef.current(sessionId);
+              }
             }
-          }
-
-          // If the removed deviceId matches the current device, immediately clear state
-          if (data.deviceId && data.deviceId === deviceId) {
-            if (onRemoteSignOutRef.current) {
-              onRemoteSignOutRef.current();
+            if (data.deviceId && deviceId && data.deviceId === deviceId) {
+              await triggerLocalSignOut(
+                'This device has been removed. You have been signed out.',
+                'device_removed',
+              );
             } else {
-              toast.info('This device has been removed. You have been signed out.');
-            }
-            try {
-              await clearSessionStateRef.current();
-            } catch (error) {
-              if (process.env.NODE_ENV !== 'production') {
-                logger.error('Failed to clear session state after device_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
-              }
+              refreshSessions();
             }
-          } else {
-            refreshSessions();
+            break;
           }
-        } else if (data.type === 'sessions_removed') {
-          // Track all removed sessions
-          if (data.sessionIds && onSessionRemovedRef.current) {
-            for (const sessionId of data.sessionIds) {
-              onSessionRemovedRef.current(sessionId);
+          case 'sessions_removed': {
+            if (data.sessionIds && onSessionRemovedRef.current) {
+              for (const sessionId of data.sessionIds) {
+                onSessionRemovedRef.current(sessionId);
+              }
             }
-          }
-
-          // If the current activeSessionId is in the removed sessionIds list, immediately clear state
-          if (data.sessionIds && currentActiveSessionId && data.sessionIds.includes(currentActiveSessionId)) {
-            if (onRemoteSignOutRef.current) {
-              onRemoteSignOutRef.current();
+            if (
+              data.sessionIds &&
+              currentActiveSessionId &&
+              data.sessionIds.includes(currentActiveSessionId)
+            ) {
+              await triggerLocalSignOut('You have been signed out remotely.', 'sessions_removed');
             } else {
-              toast.info('You have been signed out remotely.');
+              refreshSessions();
             }
-            try {
-              await clearSessionStateRef.current();
-            } catch (error) {
-              if (process.env.NODE_ENV !== 'production') {
-                logger.error('Failed to clear session state after sessions_removed', error instanceof Error ? error : new Error(String(error)), { component: 'useSessionSocket' });
-              }
-            }
-          } else {
+            break;
+          }
+          case 'session_created':
+          case 'session_update': {
+            // Lifecycle event for the current user. Just resync the sessions
+            // list — never sign out.
             refreshSessions();
+            break;
           }
-        } else {
-          // For other event types (e.g., session_created), refresh sessions
-          refreshSessions();
-
-          // If the current session was logged out (legacy behavior), handle it specially
-          if (data.sessionId === currentActiveSessionId) {
-            if (onRemoteSignOutRef.current) {
-              onRemoteSignOutRef.current();
-            } else {
-              toast.info('You have been signed out remotely.');
-            }
-            try {
-              await clearSessionStateRef.current();
-            } catch (error) {
-              debug.error('Failed to clear session state after session_update:', error);
+          default: {
+            if (process.env.NODE_ENV !== 'production') {
+              logger.warn('Unknown session socket event type', {
+                component: 'useSessionSocket',
+                type: data.type,
+              });
             }
+            break;
           }
         }
       };
@@ -311,7 +341,7 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
       if (typeof window !== 'undefined') {
         window.addEventListener('storage', handleStorageEvent);
         // Store the handler so cleanup can remove it
-        (socket as any).__oxyStorageHandler = handleStorageEvent;
+        socket.__oxyStorageHandler = handleStorageEvent;
       }
     });
 
@@ -320,12 +350,14 @@ export function useSessionSocket(options?: UseSessionSocketOptions) {
       if (authRetryTimer) {
         clearTimeout(authRetryTimer);
       }
-      if (socketRef.current) {
+      const currentSocket = socketRef.current;
+      if (currentSocket) {
         // Remove cross-tab storage listener
-        if (typeof window !== 'undefined' && (socketRef.current as any).__oxyStorageHandler) {
-          window.removeEventListener('storage', (socketRef.current as any).__oxyStorageHandler);
+        const storageHandler = currentSocket.__oxyStorageHandler;
+        if (typeof window !== 'undefined' && storageHandler) {
+          window.removeEventListener('storage', storageHandler);
         }
-        socketRef.current.disconnect();
+        currentSocket.disconnect();
         socketRef.current = null;
       }
     };

package/src/index.ts

@@ -74,6 +74,10 @@ export {
   useSecurityInfo,
   useSecurityActivity,
   useRecentSecurityActivity,
+  useAppData,
+  useAppDataNamespace,
+  appDataQueryKeys,
+  isMissingAppDataEndpointError,
 } from './hooks/queries';
 
 // --- Mutation Hooks ---
@@ -88,6 +92,8 @@ export {
   useLogoutAll,
   useUpdateDeviceName,
   useRemoveDevice,
+  useSetAppData,
+  useDeleteAppData,
 } from './hooks/mutations';
 
 export {
@@ -104,7 +110,7 @@ export { useWebSSO, isWebBrowser } from './hooks/useWebSSO';
 export { useSessionSocket } from './hooks/useSessionSocket';
 export type { UseSessionSocketOptions } from './hooks/useSessionSocket';
 export { useAssets, setOxyAssetInstance } from './hooks/useAssets';
-export { useFileDownloadUrl, setOxyFileUrlInstance } from './hooks/useFileDownloadUrl';
+export { useFileDownloadUrl } from './hooks/useFileDownloadUrl';
 export { useFollow, useFollowerCounts } from './hooks/useFollow';
 export { useFileFiltering } from './hooks/useFileFiltering';
 export type { ViewMode, SortBy, SortOrder } from './hooks/useFileFiltering';

package/src/utils/sessionHelpers.ts

@@ -68,7 +68,9 @@ export const mapSessionsToClient = (
 };
 
 /**
- * Fetch device sessions with fallback to the legacy session endpoint when needed.
+ * Fetch device sessions, falling back to the per-user session endpoint
+ * if the device endpoint is unavailable (older API versions or disabled
+ * device-grouping feature flag).
  *
  * @param oxyServices - Oxy service instance
  * @param sessionId - Session identifier to fetch

package/src/utils/storageHelpers.ts

@@ -19,7 +19,8 @@ const MEMORY_STORAGE = (): StorageInterface => {
 
   return {
     async getItem(key: string) {
-      return store.has(key) ? store.get(key)! : null;
+      const value = store.get(key);
+      return value === undefined ? null : value;
     },
     async setItem(key: string, value: string) {
       store.set(key, value);
@@ -46,29 +47,33 @@ const createWebStorage = (): StorageInterface => {
     async getItem(key: string) {
       try {
         return window.localStorage.getItem(key);
-      } catch {
+      } catch (err) {
+        console.warn('[oxy.storage] localStorage.getItem failed:', err);
         return null;
       }
     },
     async setItem(key: string, value: string) {
       try {
         window.localStorage.setItem(key, value);
-      } catch {
-        // Ignore quota or access issues for now.
+      } catch (err) {
+        // Quota exceeded or storage disabled (e.g., Safari private mode).
+        // Surface to logs so it is debuggable, but do not throw so callers
+        // can keep functioning with degraded persistence.
+        console.warn('[oxy.storage] localStorage.setItem failed:', err);
       }
     },
     async removeItem(key: string) {
       try {
         window.localStorage.removeItem(key);
-      } catch {
-        // Ignore failures.
+      } catch (err) {
+        console.warn('[oxy.storage] localStorage.removeItem failed:', err);
       }
     },
     async clear() {
       try {
         window.localStorage.clear();
-      } catch {
-        // Ignore failures.
+      } catch (err) {
+        console.warn('[oxy.storage] localStorage.clear failed:', err);
       }
     },
   };
@@ -76,6 +81,31 @@ const createWebStorage = (): StorageInterface => {
 
 let asyncStorageInstance: StorageInterface | null = null;
 
+/**
+ * Structural type for the React Native AsyncStorage default export.
+ * Only includes the methods this SDK uses.
+ */
+interface AsyncStorageLike {
+  getItem: (key: string) => Promise<string | null>;
+  setItem: (key: string, value: string) => Promise<void>;
+  removeItem: (key: string) => Promise<void>;
+  clear: () => Promise<void>;
+}
+
+/**
+ * Type guard verifying that an imported value exposes the AsyncStorage API.
+ */
+const isAsyncStorageLike = (value: unknown): value is AsyncStorageLike => {
+  if (typeof value !== 'object' || value === null) return false;
+  const candidate = value as Record<string, unknown>;
+  return (
+    typeof candidate.getItem === 'function' &&
+    typeof candidate.setItem === 'function' &&
+    typeof candidate.removeItem === 'function' &&
+    typeof candidate.clear === 'function'
+  );
+};
+
 /**
  * Lazily import React Native AsyncStorage implementation.
  */
@@ -87,8 +117,17 @@ const createNativeStorage = async (): Promise<StorageInterface> => {
   try {
     // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     const moduleName = '@react-native-async-storage/async-storage';
-    const asyncStorageModule = await import(moduleName);
-    asyncStorageInstance = asyncStorageModule.default as unknown as StorageInterface;
+    const asyncStorageModule = (await import(moduleName)) as { default?: unknown };
+    const candidate = asyncStorageModule.default;
+    if (!isAsyncStorageLike(candidate)) {
+      throw new Error('AsyncStorage default export does not match expected API');
+    }
+    asyncStorageInstance = {
+      getItem: (key) => candidate.getItem(key),
+      setItem: (key, value) => candidate.setItem(key, value),
+      removeItem: (key) => candidate.removeItem(key),
+      clear: () => candidate.clear(),
+    };
     return asyncStorageInstance;
   } catch (error) {
     if (process.env.NODE_ENV !== 'production') {