@oxyhq/core 1.0.0

package/dist/types/mixins/OxyServices.popup.d.ts

@@ -0,0 +1,205 @@
+import type { OxyServicesBase } from '../OxyServices.base';
+import type { SessionLoginResponse } from '../models/session';
+export interface PopupAuthOptions {
+    width?: number;
+    height?: number;
+    timeout?: number;
+    mode?: 'login' | 'signup';
+}
+export interface SilentAuthOptions {
+    timeout?: number;
+}
+/**
+ * Popup-based Cross-Domain Authentication Mixin
+ *
+ * Implements OAuth2-style authentication using popup windows and postMessage.
+ * This is the primary authentication method for modern browsers, providing a
+ * Google-like experience without full page redirects.
+ *
+ * Flow:
+ * 1. Opens small popup window to auth.oxy.so
+ * 2. User signs in (auth.oxy.so sets its own first-party cookie)
+ * 3. auth.oxy.so sends token back via postMessage
+ * 4. Popup closes, parent app has the session
+ *
+ * Features:
+ * - No full page redirect (preserves app state)
+ * - Works across different domains (homiio.com, mention.earth, etc.)
+ * - Silent refresh using hidden iframe for seamless SSO
+ * - CSRF protection via state parameter
+ * - XSS protection via origin validation
+ *
+ * Browser Support: All modern browsers (IE11+)
+ */
+export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /**
+         * Sign in using popup window
+         *
+         * Opens a centered popup window to auth.oxy.so where the user can sign in.
+         * The popup automatically closes after successful authentication and the
+         * session is returned to the parent window.
+         *
+         * @param options - Popup configuration options
+         * @returns Session with access token and user data
+         * @throws {OxyAuthenticationError} If popup is blocked or auth fails
+         *
+         * @example
+         * ```typescript
+         * const handleSignIn = async () => {
+         *   try {
+         *     const session = await oxyServices.signInWithPopup();
+         *     console.log('Signed in:', session.user);
+         *   } catch (error) {
+         *     if (error.message.includes('blocked')) {
+         *       alert('Please allow popups for this site');
+         *     }
+         *   }
+         * };
+         * ```
+         */
+        signInWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+        /**
+         * Sign up using popup window
+         *
+         * Same as signInWithPopup but opens the signup page by default.
+         *
+         * @param options - Popup configuration options
+         * @returns Session with access token and user data
+         */
+        signUpWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+        /**
+         * Silent sign-in using hidden iframe
+         *
+         * Attempts to automatically re-authenticate the user without any UI.
+         * This is what enables seamless SSO across all Oxy domains.
+         *
+         * How it works:
+         * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
+         * 2. If user has valid session at auth.oxy.so, it sends token via postMessage
+         * 3. If not, iframe responds with null (no error thrown)
+         *
+         * This should be called on app startup to check for existing sessions.
+         *
+         * @param options - Silent auth options
+         * @returns Session if user is signed in, null otherwise
+         *
+         * @example
+         * ```typescript
+         * useEffect(() => {
+         *   const checkAuth = async () => {
+         *     const session = await oxyServices.silentSignIn();
+         *     if (session) {
+         *       setUser(session.user);
+         *     }
+         *   };
+         *   checkAuth();
+         * }, []);
+         * ```
+         */
+        silentSignIn(options?: SilentAuthOptions): Promise<SessionLoginResponse | null>;
+        /**
+         * Open a centered popup window
+         *
+         * @private
+         */
+        openCenteredPopup(url: string, title: string, width: number, height: number): Window | null;
+        /**
+         * Wait for authentication response from popup
+         *
+         * @private
+         */
+        waitForPopupAuth(popup: Window, expectedState: string, timeout: number): Promise<SessionLoginResponse>;
+        /**
+         * Wait for authentication response from iframe
+         *
+         * @private
+         */
+        waitForIframeAuth(iframe: HTMLIFrameElement, timeout: number, expectedOrigin: string): Promise<SessionLoginResponse | null>;
+        /**
+         * Build authentication URL with query parameters
+         *
+         * @private
+         */
+        buildAuthUrl(params: {
+            mode: string;
+            state: string;
+            nonce: string;
+            clientId: string;
+            redirectUri: string;
+        }): string;
+        /**
+         * Generate cryptographically secure state for CSRF protection
+         *
+         * @private
+         */
+        generateState(): string;
+        /**
+         * Generate nonce for replay attack prevention
+         *
+         * @private
+         */
+        generateNonce(): string;
+        /**
+         * Store auth state in session storage
+         *
+         * @private
+         */
+        storeAuthState(state: string, nonce: string): void;
+        /**
+         * Clear auth state from session storage
+         *
+         * @private
+         */
+        clearAuthState(state: string): void;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    readonly AUTH_URL: "https://auth.oxy.so";
+    readonly POPUP_WIDTH: 500;
+    readonly POPUP_HEIGHT: 700;
+    readonly POPUP_TIMEOUT: 60000;
+    readonly SILENT_TIMEOUT: 5000;
+    __resetTokensForTests(): void;
+} & T;
+export { OxyServicesPopupAuthMixin as PopupAuthMixin };

package/dist/types/mixins/OxyServices.privacy.d.ts

@@ -0,0 +1,122 @@
+/**
+ * Privacy Methods Mixin (Blocked & Restricted Users)
+ */
+import type { BlockedUser, RestrictedUser } from '../models/interfaces';
+import type { OxyServicesBase } from '../OxyServices.base';
+export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /**
+         * Extract user ID from blocked/restricted user object
+         */
+        extractUserId(userIdField: string | {
+            _id: string;
+            username?: string;
+            avatar?: string;
+        }): string;
+        /**
+         * Check if a user is in a list (blocked or restricted)
+         */
+        isUserInList<T_1 extends BlockedUser | RestrictedUser>(userId: string, getUserList: () => Promise<T_1[]>, getIdField: (item: T_1) => string | {
+            _id: string;
+            username?: string;
+            avatar?: string;
+        }): Promise<boolean>;
+        /**
+         * Get list of blocked users
+         * @returns Array of blocked users
+         */
+        getBlockedUsers(): Promise<BlockedUser[]>;
+        /**
+         * Block a user
+         * @param userId - The user ID to block
+         * @returns Success message
+         */
+        blockUser(userId: string): Promise<{
+            message: string;
+        }>;
+        /**
+         * Unblock a user
+         * @param userId - The user ID to unblock
+         * @returns Success message
+         */
+        unblockUser(userId: string): Promise<{
+            message: string;
+        }>;
+        /**
+         * Check if a user is blocked
+         * @param userId - The user ID to check
+         * @returns True if the user is blocked, false otherwise
+         */
+        isUserBlocked(userId: string): Promise<boolean>;
+        /**
+         * Get list of restricted users
+         * @returns Array of restricted users
+         */
+        getRestrictedUsers(): Promise<RestrictedUser[]>;
+        /**
+         * Restrict a user (limit their interactions without fully blocking)
+         * @param userId - The user ID to restrict
+         * @returns Success message
+         */
+        restrictUser(userId: string): Promise<{
+            message: string;
+        }>;
+        /**
+         * Unrestrict a user
+         * @param userId - The user ID to unrestrict
+         * @returns Success message
+         */
+        unrestrictUser(userId: string): Promise<{
+            message: string;
+        }>;
+        /**
+         * Check if a user is restricted
+         * @param userId - The user ID to check
+         * @returns True if the user is restricted, false otherwise
+         */
+        isUserRestricted(userId: string): Promise<boolean>;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    __resetTokensForTests(): void;
+} & T;

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -0,0 +1,245 @@
+import type { OxyServicesBase } from '../OxyServices.base';
+import type { SessionLoginResponse } from '../models/session';
+export interface RedirectAuthOptions {
+    redirectUri?: string;
+    mode?: 'login' | 'signup';
+    preserveUrl?: boolean;
+}
+/**
+ * Redirect-based Cross-Domain Authentication Mixin
+ *
+ * Implements traditional OAuth2 redirect flow as a fallback when popup or
+ * FedCM are not available or fail (e.g., mobile browsers, popup blockers).
+ *
+ * Flow:
+ * 1. Save current URL
+ * 2. Redirect to auth.oxy.so/login
+ * 3. User signs in
+ * 4. Redirect back with token in URL
+ * 5. Extract token, restore session, clean URL
+ *
+ * Features:
+ * - Works on all browsers (including old mobile browsers)
+ * - Automatic URL cleanup after auth
+ * - State preservation option
+ * - CSRF protection via state parameter
+ *
+ * Trade-offs:
+ * - Loses JavaScript app state (full page navigation)
+ * - Visible redirect (user sees navigation)
+ * - Slower perceived performance
+ */
+export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /**
+         * Sign in using full page redirect
+         *
+         * Redirects the user to auth.oxy.so for authentication. After successful
+         * sign-in, the user will be redirected back to the current page (or custom
+         * redirect URI) with authentication tokens in the URL.
+         *
+         * Call handleAuthCallback() on app startup to complete the flow.
+         *
+         * @param options - Redirect configuration options
+         *
+         * @example
+         * ```typescript
+         * // Initiate sign-in
+         * const handleSignIn = () => {
+         *   oxyServices.signInWithRedirect();
+         * };
+         *
+         * // Handle callback on app startup
+         * useEffect(() => {
+         *   const session = oxyServices.handleAuthCallback();
+         *   if (session) {
+         *     setUser(session.user);
+         *   }
+         * }, []);
+         * ```
+         */
+        signInWithRedirect(options?: RedirectAuthOptions): void;
+        /**
+         * Sign up using full page redirect
+         *
+         * Same as signInWithRedirect but opens the signup page by default.
+         */
+        signUpWithRedirect(options?: RedirectAuthOptions): void;
+        /**
+         * Handle authentication callback
+         *
+         * Call this on app startup to check if the current page load is a
+         * redirect back from the authentication server. If it is, this method
+         * will extract the tokens, store them, and clean up the URL.
+         *
+         * @returns Session data if this is a callback, null otherwise
+         * @throws {OxyAuthenticationError} If state validation fails (CSRF attack)
+         *
+         * @example
+         * ```typescript
+         * // In your app's root component or startup logic
+         * useEffect(() => {
+         *   try {
+         *     const session = oxyServices.handleAuthCallback();
+         *     if (session) {
+         *       console.log('Logged in:', session.user);
+         *       setUser(session.user);
+         *     } else {
+         *       // Not a callback, check for existing session
+         *       const restored = oxyServices.restoreSession();
+         *       if (!restored) {
+         *         // No session, show login button
+         *       }
+         *     }
+         *   } catch (error) {
+         *     console.error('Auth callback failed:', error);
+         *   }
+         * }, []);
+         * ```
+         */
+        handleAuthCallback(): SessionLoginResponse | null;
+        /**
+         * Restore session from storage
+         *
+         * Attempts to restore a previously authenticated session from localStorage.
+         * Call this on app startup if handleAuthCallback() returns null.
+         *
+         * @returns True if session was restored, false otherwise
+         *
+         * @example
+         * ```typescript
+         * useEffect(() => {
+         *   const session = oxyServices.handleAuthCallback();
+         *   if (!session) {
+         *     const restored = oxyServices.restoreSession();
+         *     if (!restored) {
+         *       // No session, user needs to sign in
+         *       setShowLogin(true);
+         *     }
+         *   }
+         * }, []);
+         * ```
+         */
+        restoreSession(): boolean;
+        /**
+         * Clear stored session
+         *
+         * Removes all authentication data from storage. Call this on logout.
+         */
+        clearStoredSession(): void;
+        /**
+         * Get stored session ID
+         */
+        getStoredSessionId(): string | null;
+        /**
+         * Build authentication URL with query parameters
+         *
+         * @private
+         */
+        buildAuthUrl(params: {
+            mode: string;
+            redirectUri: string;
+            state: string;
+            nonce: string;
+            clientId: string;
+        }): string;
+        /**
+         * Store tokens in localStorage
+         *
+         * @private
+         */
+        storeTokens(accessToken: string, sessionId: string): void;
+        /**
+         * Generate cryptographically secure state for CSRF protection
+         *
+         * @private
+         */
+        generateState(): string;
+        /**
+         * Generate nonce for replay attack prevention
+         *
+         * @private
+         */
+        generateNonce(): string;
+        /**
+         * Store auth state in session storage
+         *
+         * @private
+         */
+        storeAuthState(state: string, nonce: string): void;
+        /**
+         * Get stored state
+         *
+         * @private
+         */
+        getStoredState(): string | null;
+        /**
+         * Clear auth state from storage
+         *
+         * @private
+         */
+        clearAuthState(): void;
+        /**
+         * Save pre-authentication URL to restore later
+         *
+         * @private
+         */
+        savePreAuthUrl(url: string): void;
+        /**
+         * Clean authentication parameters from URL
+         *
+         * @private
+         */
+        cleanAuthCallbackUrl(url: URL): void;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    readonly AUTH_URL: "https://auth.oxy.so";
+    readonly TOKEN_STORAGE_KEY: "oxy_access_token";
+    readonly SESSION_STORAGE_KEY: "oxy_session_id";
+    readonly STATE_STORAGE_KEY: "oxy_auth_state";
+    readonly PRE_AUTH_URL_KEY: "oxy_pre_auth_url";
+    readonly NONCE_STORAGE_KEY: "oxy_auth_nonce";
+    __resetTokensForTests(): void;
+} & T;
+export { OxyServicesRedirectAuthMixin as RedirectAuthMixin };

package/dist/types/mixins/OxyServices.security.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Security Methods Mixin
+ */
+import type { OxyServicesBase } from '../OxyServices.base';
+import type { SecurityActivity, SecurityActivityResponse, SecurityEventType } from '../models/interfaces';
+export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /**
+         * Get user's security activity with pagination
+         * @param limit - Number of results (default: 50, max: 100)
+         * @param offset - Pagination offset (default: 0)
+         * @param eventType - Optional filter by event type
+         * @returns Security activity response with pagination
+         */
+        getSecurityActivity(limit?: number, offset?: number, eventType?: SecurityEventType): Promise<SecurityActivityResponse>;
+        /**
+         * Get recent security activity (convenience method)
+         * @param limit - Number of recent events to fetch (default: 10)
+         * @returns Array of recent security activities
+         */
+        getRecentSecurityActivity(limit?: number): Promise<SecurityActivity[]>;
+        /**
+         * Log private key exported event
+         * @param deviceId - Optional device ID for tracking
+         * @returns Promise that resolves when event is logged
+         */
+        logPrivateKeyExported(deviceId?: string): Promise<void>;
+        /**
+         * Log backup created event
+         * @param deviceId - Optional device ID for tracking
+         * @returns Promise that resolves when event is logged
+         */
+        logBackupCreated(deviceId?: string): Promise<void>;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string, refreshToken?: string): void;
+        clearTokens(): void;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    __resetTokensForTests(): void;
+} & T;