@oxyhq/core 1.0.0

package/dist/cjs/mixins/OxyServices.popup.js

@@ -0,0 +1,371 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OxyServicesPopupAuthMixin = OxyServicesPopupAuthMixin;
+exports.PopupAuthMixin = OxyServicesPopupAuthMixin;
+const OxyServices_errors_1 = require("../OxyServices.errors");
+const debugUtils_1 = require("../shared/utils/debugUtils");
+const debug = (0, debugUtils_1.createDebugLogger)('PopupAuth');
+/**
+ * Popup-based Cross-Domain Authentication Mixin
+ *
+ * Implements OAuth2-style authentication using popup windows and postMessage.
+ * This is the primary authentication method for modern browsers, providing a
+ * Google-like experience without full page redirects.
+ *
+ * Flow:
+ * 1. Opens small popup window to auth.oxy.so
+ * 2. User signs in (auth.oxy.so sets its own first-party cookie)
+ * 3. auth.oxy.so sends token back via postMessage
+ * 4. Popup closes, parent app has the session
+ *
+ * Features:
+ * - No full page redirect (preserves app state)
+ * - Works across different domains (homiio.com, mention.earth, etc.)
+ * - Silent refresh using hidden iframe for seamless SSO
+ * - CSRF protection via state parameter
+ * - XSS protection via origin validation
+ *
+ * Browser Support: All modern browsers (IE11+)
+ */
+function OxyServicesPopupAuthMixin(Base) {
+    var _a;
+    return _a = class extends Base {
+            constructor(...args) {
+                super(...args);
+            }
+            /**
+             * Sign in using popup window
+             *
+             * Opens a centered popup window to auth.oxy.so where the user can sign in.
+             * The popup automatically closes after successful authentication and the
+             * session is returned to the parent window.
+             *
+             * @param options - Popup configuration options
+             * @returns Session with access token and user data
+             * @throws {OxyAuthenticationError} If popup is blocked or auth fails
+             *
+             * @example
+             * ```typescript
+             * const handleSignIn = async () => {
+             *   try {
+             *     const session = await oxyServices.signInWithPopup();
+             *     console.log('Signed in:', session.user);
+             *   } catch (error) {
+             *     if (error.message.includes('blocked')) {
+             *       alert('Please allow popups for this site');
+             *     }
+             *   }
+             * };
+             * ```
+             */
+            async signInWithPopup(options = {}) {
+                if (typeof window === 'undefined') {
+                    throw new OxyServices_errors_1.OxyAuthenticationError('Popup authentication requires browser environment');
+                }
+                const state = this.generateState();
+                const nonce = this.generateNonce();
+                // Store state for CSRF protection
+                this.storeAuthState(state, nonce);
+                const width = options.width || this.constructor.POPUP_WIDTH;
+                const height = options.height || this.constructor.POPUP_HEIGHT;
+                const timeout = options.timeout || this.constructor.POPUP_TIMEOUT;
+                const mode = options.mode || 'login';
+                const authUrl = this.buildAuthUrl({
+                    mode,
+                    state,
+                    nonce,
+                    clientId: window.location.origin,
+                    redirectUri: `${this.constructor.AUTH_URL}/auth/callback`,
+                });
+                const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
+                if (!popup) {
+                    throw new OxyServices_errors_1.OxyAuthenticationError('Popup blocked. Please allow popups for this site and try again.');
+                }
+                try {
+                    const session = await this.waitForPopupAuth(popup, state, timeout);
+                    // Store access token if present
+                    if (session && session.accessToken) {
+                        this.httpService.setTokens(session.accessToken);
+                    }
+                    // Fetch user data using the session ID
+                    // The callback page only sends sessionId/accessToken, not user data
+                    if (session && session.sessionId && !session.user) {
+                        try {
+                            const userData = await this.makeRequest('GET', `/api/session/user/${session.sessionId}`, undefined, { cache: false });
+                            if (userData) {
+                                session.user = userData;
+                            }
+                        }
+                        catch (userError) {
+                            debug.warn('Failed to fetch user data:', userError);
+                            // Continue without user data - caller can fetch separately
+                        }
+                    }
+                    return session;
+                }
+                catch (error) {
+                    throw error;
+                }
+                finally {
+                    this.clearAuthState(state);
+                }
+            }
+            /**
+             * Sign up using popup window
+             *
+             * Same as signInWithPopup but opens the signup page by default.
+             *
+             * @param options - Popup configuration options
+             * @returns Session with access token and user data
+             */
+            async signUpWithPopup(options = {}) {
+                return this.signInWithPopup({ ...options, mode: 'signup' });
+            }
+            /**
+             * Silent sign-in using hidden iframe
+             *
+             * Attempts to automatically re-authenticate the user without any UI.
+             * This is what enables seamless SSO across all Oxy domains.
+             *
+             * How it works:
+             * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
+             * 2. If user has valid session at auth.oxy.so, it sends token via postMessage
+             * 3. If not, iframe responds with null (no error thrown)
+             *
+             * This should be called on app startup to check for existing sessions.
+             *
+             * @param options - Silent auth options
+             * @returns Session if user is signed in, null otherwise
+             *
+             * @example
+             * ```typescript
+             * useEffect(() => {
+             *   const checkAuth = async () => {
+             *     const session = await oxyServices.silentSignIn();
+             *     if (session) {
+             *       setUser(session.user);
+             *     }
+             *   };
+             *   checkAuth();
+             * }, []);
+             * ```
+             */
+            async silentSignIn(options = {}) {
+                if (typeof window === 'undefined') {
+                    return null;
+                }
+                const timeout = options.timeout || this.constructor.SILENT_TIMEOUT;
+                const nonce = this.generateNonce();
+                const clientId = window.location.origin;
+                const iframe = document.createElement('iframe');
+                iframe.style.display = 'none';
+                iframe.style.position = 'absolute';
+                iframe.style.width = '0';
+                iframe.style.height = '0';
+                iframe.style.border = 'none';
+                const silentUrl = `${this.constructor.AUTH_URL}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
+                iframe.src = silentUrl;
+                document.body.appendChild(iframe);
+                try {
+                    const session = await this.waitForIframeAuth(iframe, timeout, clientId);
+                    if (session && session.accessToken) {
+                        this.httpService.setTokens(session.accessToken);
+                    }
+                    return session;
+                }
+                catch (error) {
+                    return null;
+                }
+                finally {
+                    document.body.removeChild(iframe);
+                }
+            }
+            /**
+             * Open a centered popup window
+             *
+             * @private
+             */
+            openCenteredPopup(url, title, width, height) {
+                const left = window.screenX + (window.outerWidth - width) / 2;
+                const top = window.screenY + (window.outerHeight - height) / 2;
+                const features = [
+                    `width=${width}`,
+                    `height=${height}`,
+                    `left=${left}`,
+                    `top=${top}`,
+                    'toolbar=no',
+                    'menubar=no',
+                    'scrollbars=yes',
+                    'resizable=yes',
+                    'status=no',
+                    'location=no',
+                ].join(',');
+                return window.open(url, title, features);
+            }
+            /**
+             * Wait for authentication response from popup
+             *
+             * @private
+             */
+            async waitForPopupAuth(popup, expectedState, timeout) {
+                return new Promise((resolve, reject) => {
+                    const timeoutId = setTimeout(() => {
+                        cleanup();
+                        reject(new OxyServices_errors_1.OxyAuthenticationError('Authentication timeout'));
+                    }, timeout);
+                    const messageHandler = (event) => {
+                        const authUrl = this.constructor.AUTH_URL;
+                        // Log all messages for debugging
+                        if (event.data && typeof event.data === 'object' && event.data.type) {
+                            debug.log('Message received:', {
+                                origin: event.origin,
+                                expectedOrigin: authUrl,
+                                type: event.data.type,
+                                hasSession: !!event.data.session,
+                                hasError: !!event.data.error,
+                            });
+                        }
+                        // CRITICAL: Verify origin to prevent XSS attacks
+                        if (event.origin !== authUrl) {
+                            return;
+                        }
+                        const { type, state, session, error } = event.data;
+                        if (type !== 'oxy_auth_response') {
+                            return;
+                        }
+                        debug.log('Valid auth response:', { state, expectedState, hasSession: !!session, error });
+                        // Verify state parameter to prevent CSRF attacks
+                        if (state !== expectedState) {
+                            cleanup();
+                            debug.error('State mismatch');
+                            reject(new OxyServices_errors_1.OxyAuthenticationError('Invalid state parameter. Possible CSRF attack.'));
+                            return;
+                        }
+                        cleanup();
+                        if (error) {
+                            debug.error('Auth error:', error);
+                            reject(new OxyServices_errors_1.OxyAuthenticationError(error));
+                        }
+                        else if (session) {
+                            debug.log('Session received successfully');
+                            resolve(session);
+                        }
+                        else {
+                            debug.error('No session in response');
+                            reject(new OxyServices_errors_1.OxyAuthenticationError('No session received from authentication server'));
+                        }
+                    };
+                    // Poll to detect if user closed the popup
+                    const pollInterval = setInterval(() => {
+                        if (popup.closed) {
+                            cleanup();
+                            reject(new OxyServices_errors_1.OxyAuthenticationError('Authentication cancelled by user'));
+                        }
+                    }, 500);
+                    const cleanup = () => {
+                        clearTimeout(timeoutId);
+                        clearInterval(pollInterval);
+                        window.removeEventListener('message', messageHandler);
+                        if (!popup.closed) {
+                            popup.close();
+                        }
+                    };
+                    window.addEventListener('message', messageHandler);
+                });
+            }
+            /**
+             * Wait for authentication response from iframe
+             *
+             * @private
+             */
+            async waitForIframeAuth(iframe, timeout, expectedOrigin) {
+                return new Promise((resolve) => {
+                    const timeoutId = setTimeout(() => {
+                        cleanup();
+                        resolve(null); // Silent failure - don't throw
+                    }, timeout);
+                    const messageHandler = (event) => {
+                        // Verify origin
+                        if (event.origin !== this.constructor.AUTH_URL) {
+                            return;
+                        }
+                        const { type, session } = event.data;
+                        if (type !== 'oxy_silent_auth') {
+                            return;
+                        }
+                        cleanup();
+                        resolve(session || null);
+                    };
+                    const cleanup = () => {
+                        clearTimeout(timeoutId);
+                        window.removeEventListener('message', messageHandler);
+                    };
+                    window.addEventListener('message', messageHandler);
+                });
+            }
+            /**
+             * Build authentication URL with query parameters
+             *
+             * @private
+             */
+            buildAuthUrl(params) {
+                const url = new URL(`${this.constructor.AUTH_URL}/${params.mode}`);
+                url.searchParams.set('response_type', 'token');
+                url.searchParams.set('client_id', params.clientId);
+                url.searchParams.set('redirect_uri', params.redirectUri);
+                url.searchParams.set('state', params.state);
+                url.searchParams.set('nonce', params.nonce);
+                return url.toString();
+            }
+            /**
+             * Generate cryptographically secure state for CSRF protection
+             *
+             * @private
+             */
+            generateState() {
+                if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+                    return window.crypto.randomUUID();
+                }
+                return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+            }
+            /**
+             * Generate nonce for replay attack prevention
+             *
+             * @private
+             */
+            generateNonce() {
+                if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+                    return window.crypto.randomUUID();
+                }
+                return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+            }
+            /**
+             * Store auth state in session storage
+             *
+             * @private
+             */
+            storeAuthState(state, nonce) {
+                if (typeof window !== 'undefined' && window.sessionStorage) {
+                    sessionStorage.setItem(`oxy_auth_state_${state}`, JSON.stringify({ nonce, timestamp: Date.now() }));
+                }
+            }
+            /**
+             * Clear auth state from session storage
+             *
+             * @private
+             */
+            clearAuthState(state) {
+                if (typeof window !== 'undefined' && window.sessionStorage) {
+                    sessionStorage.removeItem(`oxy_auth_state_${state}`);
+                }
+            }
+        },
+        _a.AUTH_URL = 'https://auth.oxy.so',
+        _a.POPUP_WIDTH = 500,
+        _a.POPUP_HEIGHT = 700,
+        _a.POPUP_TIMEOUT = 60000 // 1 minute
+    ,
+        _a.SILENT_TIMEOUT = 5000 // 5 seconds
+    ,
+        _a;
+}

package/dist/cjs/mixins/OxyServices.privacy.js

@@ -0,0 +1,162 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OxyServicesPrivacyMixin = OxyServicesPrivacyMixin;
+function OxyServicesPrivacyMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Extract user ID from blocked/restricted user object
+         */
+        extractUserId(userIdField) {
+            return typeof userIdField === 'string' ? userIdField : userIdField._id;
+        }
+        /**
+         * Check if a user is in a list (blocked or restricted)
+         */
+        async isUserInList(userId, getUserList, getIdField) {
+            try {
+                if (!userId) {
+                    return false;
+                }
+                const users = await getUserList();
+                return users.some(item => {
+                    const itemId = this.extractUserId(getIdField(item));
+                    return itemId === userId;
+                });
+            }
+            catch (error) {
+                // If there's an error, assume not in list to avoid breaking functionality
+                if (__DEV__) {
+                    console.warn('Error checking user list:', error);
+                }
+                return false;
+            }
+        }
+        // ============================================================================
+        // BLOCKED USERS METHODS
+        // ============================================================================
+        /**
+         * Get list of blocked users
+         * @returns Array of blocked users
+         */
+        async getBlockedUsers() {
+            try {
+                return await this.makeRequest('GET', '/api/privacy/blocked', undefined, {
+                    cache: true,
+                    cacheTTL: 1 * 60 * 1000, // 1 minute cache
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Block a user
+         * @param userId - The user ID to block
+         * @returns Success message
+         */
+        async blockUser(userId) {
+            try {
+                if (!userId) {
+                    throw new Error('User ID is required');
+                }
+                return await this.makeRequest('POST', `/api/privacy/blocked/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Unblock a user
+         * @param userId - The user ID to unblock
+         * @returns Success message
+         */
+        async unblockUser(userId) {
+            try {
+                if (!userId) {
+                    throw new Error('User ID is required');
+                }
+                return await this.makeRequest('DELETE', `/api/privacy/blocked/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Check if a user is blocked
+         * @param userId - The user ID to check
+         * @returns True if the user is blocked, false otherwise
+         */
+        async isUserBlocked(userId) {
+            return this.isUserInList(userId, () => this.getBlockedUsers(), (block) => block.blockedId);
+        }
+        // ============================================================================
+        // RESTRICTED USERS METHODS
+        // ============================================================================
+        /**
+         * Get list of restricted users
+         * @returns Array of restricted users
+         */
+        async getRestrictedUsers() {
+            try {
+                return await this.makeRequest('GET', '/api/privacy/restricted', undefined, {
+                    cache: true,
+                    cacheTTL: 1 * 60 * 1000, // 1 minute cache
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Restrict a user (limit their interactions without fully blocking)
+         * @param userId - The user ID to restrict
+         * @returns Success message
+         */
+        async restrictUser(userId) {
+            try {
+                if (!userId) {
+                    throw new Error('User ID is required');
+                }
+                return await this.makeRequest('POST', `/api/privacy/restricted/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Unrestrict a user
+         * @param userId - The user ID to unrestrict
+         * @returns Success message
+         */
+        async unrestrictUser(userId) {
+            try {
+                if (!userId) {
+                    throw new Error('User ID is required');
+                }
+                return await this.makeRequest('DELETE', `/api/privacy/restricted/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Check if a user is restricted
+         * @param userId - The user ID to check
+         * @returns True if the user is restricted, false otherwise
+         */
+        async isUserRestricted(userId) {
+            return this.isUserInList(userId, () => this.getRestrictedUsers(), (restrict) => restrict.restrictedId);
+        }
+    };
+}