@oxyhq/auth 2.0.7 → 2.0.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/auth",
-  "version": "2.0.7",
+  "version": "2.0.8",
   "description": "OxyHQ Web Authentication SDK — headless auth with React hooks for Next.js, Vite, and web apps",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/WebOxyProvider.tsx

@@ -59,20 +59,36 @@ export interface WebOxyContextValue extends WebAuthState, WebAuthActions {
 const WebOxyContext = createContext<WebOxyContextValue | null>(null);
 
 /**
- * Module-level run-once guard for FedCM silent sign-in.
+ * Module-level run-once guard for the provider's silent sign-in step.
  *
  * The init effect runs again whenever the provider remounts (route change,
  * StrictMode double-invoke, error-boundary recovery). The redirect-callback
- * and local-session-restore steps are cheap and idempotent, but the FedCM
- * `silentSignIn()` step triggers `navigator.credentials.get`, which must fire
- * AT MOST ONCE per page load — otherwise a remount storm becomes a credential
- * request storm. Keyed by origin so the guard survives instance churn; never
- * cleared because only a fresh page load can change the IdP session state.
+ * and local-session-restore steps are cheap and idempotent, but
+ * `crossDomainAuth.silentSignIn()` is NOT: it first tries FedCM silent
+ * mediation (`navigator.credentials.get`) and, if that yields nothing, falls
+ * back to an iframe-based silent auth against `/auth/silent`.
+ *
+ * The FedCM leg is now centrally memoized inside `@oxyhq/core`'s
+ * `silentSignInWithFedCM` (at-most-once `navigator.credentials.get` per page
+ * load). The iframe fallback, however, is a SEPARATE mechanism the core guard
+ * does not cover — without this guard a remount storm would create a hidden
+ * iframe per remount. So this guard is intentionally retained to keep the
+ * provider's WHOLE silent step run-once. Keyed on `origin + baseURL` to match
+ * the core guard's keying (so the two stay in lockstep) and to survive
+ * instance churn; never cleared because only a fresh page load can change the
+ * IdP/iframe session state.
  */
-const fedcmSilentSignInAttempted = new Set<string>();
-
-function silentSignInKey(): string {
-  return typeof window !== 'undefined' ? window.location.origin : 'no-origin';
+const silentSignInAttempted = new Set<string>();
+
+function silentSignInKey(oxyServices: OxyServices): string {
+  const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
+  let baseURL = '';
+  try {
+    baseURL = oxyServices.getBaseURL();
+  } catch {
+    baseURL = '';
+  }
+  return `${origin}|${baseURL}`;
 }
 
 export interface WebOxyProviderProps {
@@ -208,12 +224,14 @@ export function WebOxyProvider({
           }
         }
 
-        // FedCM silent sign-in: run AT MOST ONCE per page load. A remount
-        // (route change / StrictMode / error recovery) must not re-trigger
-        // the browser credential request.
-        const ssoKey = silentSignInKey();
-        if (!fedcmSilentSignInAttempted.has(ssoKey)) {
-          fedcmSilentSignInAttempted.add(ssoKey);
+        // Silent sign-in: run AT MOST ONCE per page load. A remount (route
+        // change / StrictMode / error recovery) must not re-trigger the
+        // browser credential request OR the iframe fallback. The FedCM leg is
+        // additionally memoized in core; this guard also covers the iframe
+        // fallback that core does not.
+        const ssoKey = silentSignInKey(oxyServices);
+        if (!silentSignInAttempted.has(ssoKey)) {
+          silentSignInAttempted.add(ssoKey);
           try {
             const session = await crossDomainAuth.silentSignIn();
             if (mounted && session?.user) {

package/src/hooks/useWebSSO.ts

@@ -38,36 +38,6 @@ interface UseWebSSOResult {
   isFedCMSupported: boolean;
 }
 
-/**
- * Module-level guard tracking which (origin + API) signatures have already
- * had a silent SSO attempt this page load.
- *
- * A per-component `useRef` guard resets whenever the provider remounts (route
- * churn, StrictMode double-invoke, error-boundary recovery), which previously
- * allowed silent SSO to re-fire and — combined with a routing redirect loop —
- * produced an accelerating `navigator.credentials.get` retry storm. Keying the
- * guard on a stable signature instead of the component instance makes silent
- * SSO fire EXACTLY ONCE per page load regardless of how many times the
- * provider mounts. The set is intentionally never cleared: a fresh page load
- * (the only thing that can change the answer) starts a fresh module scope.
- */
-const silentSSOAttempted = new Set<string>();
-
-/**
- * Build a stable signature for the silent-SSO run-once guard. Two providers
- * pointed at the same API from the same origin share one attempt.
- */
-function ssoSignature(oxyServices: OxyServices): string {
-  const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
-  let baseURL = '';
-  try {
-    baseURL = oxyServices.getBaseURL();
-  } catch {
-    baseURL = '';
-  }
-  return `${origin}|${baseURL}`;
-}
-
 /**
  * Check if we're running in a web browser environment (not React Native)
  */
@@ -190,12 +160,12 @@ export function useWebSSO({
 
   // Auto-check SSO on mount (web only, FedCM only, not on auth domain).
   //
-  // Run-once is enforced by TWO guards:
-  //   1. `hasCheckedRef` — cheap per-instance fast-path so effect re-runs
-  //      (from changing deps) within one mount never re-fire.
-  //   2. `silentSSOAttempted` — module-level, survives remounts/StrictMode so
-  //      silent SSO fires exactly once per page load even if the provider
-  //      unmounts and remounts.
+  // `hasCheckedRef` is a cheap per-instance fast-path so effect re-runs (from
+  // changing deps) within one mount never re-fire. The page-load run-once
+  // guarantee — silent SSO invoking `navigator.credentials.get` AT MOST ONCE
+  // per page load across remounts / StrictMode / multiple consumers — lives in
+  // `@oxyhq/core`'s `silentSignInWithFedCM`, which memoizes the first silent
+  // attempt's result for this origin + API. The hook therefore calls it freely.
   useEffect(() => {
     if (!enabled || !isWebBrowser() || hasCheckedRef.current || isIdentityProvider()) {
       if (isIdentityProvider()) {
@@ -204,23 +174,14 @@ export function useWebSSO({
       return;
     }
 
-    const signature = ssoSignature(oxyServices);
-    if (silentSSOAttempted.has(signature)) {
-      // Already attempted this page load (e.g. before a remount) — do not
-      // re-fire. Mark the local fast-path too so subsequent re-renders skip.
-      hasCheckedRef.current = true;
-      return;
-    }
-
     hasCheckedRef.current = true;
-    silentSSOAttempted.add(signature);
 
     if (fedCMSupported) {
       checkSSO();
     } else {
       onSSOUnavailable?.();
     }
-  }, [enabled, checkSSO, fedCMSupported, onSSOUnavailable, oxyServices]);
+  }, [enabled, checkSSO, fedCMSupported, onSSOUnavailable]);
 
   return {
     checkSSO,