@oxyhq/auth 2.0.8 → 2.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/auth",
-  "version": "2.0.8",
+  "version": "2.0.9",
   "description": "OxyHQ Web Authentication SDK — headless auth with React hooks for Next.js, Vite, and web apps",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/WebOxyProvider.tsx

@@ -59,36 +59,20 @@ export interface WebOxyContextValue extends WebAuthState, WebAuthActions {
 const WebOxyContext = createContext<WebOxyContextValue | null>(null);
 
 /**
- * Module-level run-once guard for the provider's silent sign-in step.
+ * Module-level run-once guard for FedCM silent sign-in.
  *
  * The init effect runs again whenever the provider remounts (route change,
  * StrictMode double-invoke, error-boundary recovery). The redirect-callback
- * and local-session-restore steps are cheap and idempotent, but
- * `crossDomainAuth.silentSignIn()` is NOT: it first tries FedCM silent
- * mediation (`navigator.credentials.get`) and, if that yields nothing, falls
- * back to an iframe-based silent auth against `/auth/silent`.
- *
- * The FedCM leg is now centrally memoized inside `@oxyhq/core`'s
- * `silentSignInWithFedCM` (at-most-once `navigator.credentials.get` per page
- * load). The iframe fallback, however, is a SEPARATE mechanism the core guard
- * does not cover — without this guard a remount storm would create a hidden
- * iframe per remount. So this guard is intentionally retained to keep the
- * provider's WHOLE silent step run-once. Keyed on `origin + baseURL` to match
- * the core guard's keying (so the two stay in lockstep) and to survive
- * instance churn; never cleared because only a fresh page load can change the
- * IdP/iframe session state.
+ * and local-session-restore steps are cheap and idempotent, but the FedCM
+ * `silentSignIn()` step triggers `navigator.credentials.get`, which must fire
+ * AT MOST ONCE per page load — otherwise a remount storm becomes a credential
+ * request storm. Keyed by origin so the guard survives instance churn; never
+ * cleared because only a fresh page load can change the IdP session state.
  */
-const silentSignInAttempted = new Set<string>();
-
-function silentSignInKey(oxyServices: OxyServices): string {
-  const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
-  let baseURL = '';
-  try {
-    baseURL = oxyServices.getBaseURL();
-  } catch {
-    baseURL = '';
-  }
-  return `${origin}|${baseURL}`;
+const fedcmSilentSignInAttempted = new Set<string>();
+
+function silentSignInKey(): string {
+  return typeof window !== 'undefined' ? window.location.origin : 'no-origin';
 }
 
 export interface WebOxyProviderProps {
@@ -224,14 +208,12 @@ export function WebOxyProvider({
           }
         }
 
-        // Silent sign-in: run AT MOST ONCE per page load. A remount (route
-        // change / StrictMode / error recovery) must not re-trigger the
-        // browser credential request OR the iframe fallback. The FedCM leg is
-        // additionally memoized in core; this guard also covers the iframe
-        // fallback that core does not.
-        const ssoKey = silentSignInKey(oxyServices);
-        if (!silentSignInAttempted.has(ssoKey)) {
-          silentSignInAttempted.add(ssoKey);
+        // FedCM silent sign-in: run AT MOST ONCE per page load. A remount
+        // (route change / StrictMode / error recovery) must not re-trigger
+        // the browser credential request.
+        const ssoKey = silentSignInKey();
+        if (!fedcmSilentSignInAttempted.has(ssoKey)) {
+          fedcmSilentSignInAttempted.add(ssoKey);
           try {
             const session = await crossDomainAuth.silentSignIn();
             if (mounted && session?.user) {

package/src/hooks/useWebSSO.ts

@@ -38,6 +38,36 @@ interface UseWebSSOResult {
   isFedCMSupported: boolean;
 }
 
+/**
+ * Module-level guard tracking which (origin + API) signatures have already
+ * had a silent SSO attempt this page load.
+ *
+ * A per-component `useRef` guard resets whenever the provider remounts (route
+ * churn, StrictMode double-invoke, error-boundary recovery), which previously
+ * allowed silent SSO to re-fire and — combined with a routing redirect loop —
+ * produced an accelerating `navigator.credentials.get` retry storm. Keying the
+ * guard on a stable signature instead of the component instance makes silent
+ * SSO fire EXACTLY ONCE per page load regardless of how many times the
+ * provider mounts. The set is intentionally never cleared: a fresh page load
+ * (the only thing that can change the answer) starts a fresh module scope.
+ */
+const silentSSOAttempted = new Set<string>();
+
+/**
+ * Build a stable signature for the silent-SSO run-once guard. Two providers
+ * pointed at the same API from the same origin share one attempt.
+ */
+function ssoSignature(oxyServices: OxyServices): string {
+  const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
+  let baseURL = '';
+  try {
+    baseURL = oxyServices.getBaseURL();
+  } catch {
+    baseURL = '';
+  }
+  return `${origin}|${baseURL}`;
+}
+
 /**
  * Check if we're running in a web browser environment (not React Native)
  */
@@ -160,12 +190,12 @@ export function useWebSSO({
 
   // Auto-check SSO on mount (web only, FedCM only, not on auth domain).
   //
-  // `hasCheckedRef` is a cheap per-instance fast-path so effect re-runs (from
-  // changing deps) within one mount never re-fire. The page-load run-once
-  // guarantee — silent SSO invoking `navigator.credentials.get` AT MOST ONCE
-  // per page load across remounts / StrictMode / multiple consumers — lives in
-  // `@oxyhq/core`'s `silentSignInWithFedCM`, which memoizes the first silent
-  // attempt's result for this origin + API. The hook therefore calls it freely.
+  // Run-once is enforced by TWO guards:
+  //   1. `hasCheckedRef` — cheap per-instance fast-path so effect re-runs
+  //      (from changing deps) within one mount never re-fire.
+  //   2. `silentSSOAttempted` — module-level, survives remounts/StrictMode so
+  //      silent SSO fires exactly once per page load even if the provider
+  //      unmounts and remounts.
   useEffect(() => {
     if (!enabled || !isWebBrowser() || hasCheckedRef.current || isIdentityProvider()) {
       if (isIdentityProvider()) {
@@ -174,14 +204,23 @@ export function useWebSSO({
       return;
     }
 
+    const signature = ssoSignature(oxyServices);
+    if (silentSSOAttempted.has(signature)) {
+      // Already attempted this page load (e.g. before a remount) — do not
+      // re-fire. Mark the local fast-path too so subsequent re-renders skip.
+      hasCheckedRef.current = true;
+      return;
+    }
+
     hasCheckedRef.current = true;
+    silentSSOAttempted.add(signature);
 
     if (fedCMSupported) {
       checkSSO();
     } else {
       onSSOUnavailable?.();
     }
-  }, [enabled, checkSSO, fedCMSupported, onSSOUnavailable]);
+  }, [enabled, checkSSO, fedCMSupported, onSSOUnavailable, oxyServices]);
 
   return {
     checkSSO,