@oxyhq/core 1.0.2 → 1.2.0

package/src/AuthManager.ts

@@ -10,13 +10,13 @@
 import type { OxyServices } from './OxyServices';
 import type { HttpService } from './HttpService';
 import type { SessionLoginResponse, MinimalUserData } from './models/session';
+import { retryAsync } from './utils/asyncUtils';
 
 /**
- * OxyServices with optional FedCM methods (provided by FedCM mixin).
+ * OxyServices already declares revokeFedCMCredential via mixin type augmentation.
+ * This alias is kept for readability in the signOut method.
  */
-interface OxyServicesWithFedCM extends OxyServices {
-  revokeFedCMCredential?: () => Promise<void>;
-}
+type OxyServicesWithFedCM = OxyServices;
 
 /**
  * Storage adapter interface for platform-agnostic storage.
@@ -142,6 +142,7 @@ export class AuthManager {
   private listeners: Set<AuthStateChangeCallback> = new Set();
   private currentUser: MinimalUserData | null = null;
   private refreshTimer: ReturnType<typeof setTimeout> | null = null;
+  private refreshPromise: Promise<boolean> | null = null;
   private config: Required<AuthManagerConfig>;
 
   constructor(oxyServices: OxyServices, config: AuthManagerConfig = {}) {
@@ -261,28 +262,53 @@ export class AuthManager {
   }
 
   /**
-   * Refresh the access token.
+   * Refresh the access token. Deduplicates concurrent calls so only one
+   * refresh request is in-flight at a time.
    */
   async refreshToken(): Promise<boolean> {
+    // If a refresh is already in-flight, return the same promise
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+
+    this.refreshPromise = this._doRefreshToken();
+    try {
+      return await this.refreshPromise;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+
+  private async _doRefreshToken(): Promise<boolean> {
     const refreshToken = await this.storage.getItem(STORAGE_KEYS.REFRESH_TOKEN);
     if (!refreshToken) {
       return false;
     }
 
     try {
-      // Cast httpService to proper type (needed due to mixin composition)
-      const httpService = this.oxyServices.httpService as HttpService;
-      const response = await httpService.request<SessionLoginResponse>({
-        method: 'POST',
-        url: '/api/auth/refresh',
-        data: { refreshToken },
-        cache: false,
-      });
-
-      await this.handleAuthSuccess(response, 'credentials');
+      await retryAsync(
+        async () => {
+          const httpService = this.oxyServices.httpService as HttpService;
+          const response = await httpService.request<SessionLoginResponse>({
+            method: 'POST',
+            url: '/api/auth/refresh',
+            data: { refreshToken },
+            cache: false,
+          });
+          await this.handleAuthSuccess(response, 'credentials');
+        },
+        2,    // 2 retries = 3 total attempts
+        1000, // 1s base delay with exponential backoff + jitter
+        (error: any) => {
+          // Don't retry on 4xx client errors (invalid/revoked token)
+          const status = error?.status ?? error?.response?.status;
+          if (status && status >= 400 && status < 500) return false;
+          return true;
+        }
+      );
       return true;
     } catch {
-      // Refresh failed, clear session and update state
+      // All retry attempts exhausted, clear session
       await this.clearSession();
       this.currentUser = null;
       this.notifyListeners();

package/src/CrossDomainAuth.ts

@@ -10,7 +10,7 @@
  *
  * Usage:
  * ```typescript
- * import { CrossDomainAuth } from '@oxyhq/services';
+ * import { CrossDomainAuth } from '@oxyhq/core';
  *
  * const auth = new CrossDomainAuth(oxyServices);
  *
@@ -287,7 +287,7 @@ export class CrossDomainAuth {
  *
  * @example
  * ```typescript
- * import { createCrossDomainAuth } from '@oxyhq/services';
+ * import { createCrossDomainAuth } from '@oxyhq/core';
  *
  * const oxyServices = new OxyServices({ baseURL: 'https://api.oxy.so' });
  * const auth = createCrossDomainAuth(oxyServices);

package/src/HttpService.ts

@@ -17,6 +17,7 @@ import { TTLCache, registerCacheForCleanup } from './utils/cache';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils';
 import { retryAsync } from './utils/asyncUtils';
 import { handleHttpError } from './utils/errorUtils';
+import { isDev } from './shared/utils/debugUtils';
 import { jwtDecode } from 'jwt-decode';
 import { isNative, getPlatformOS } from './utils/platform';
 import type { OxyConfig } from './models/interfaces';
@@ -130,6 +131,7 @@ export class HttpService {
   private requestQueue: RequestQueue;
   private logger: SimpleLogger;
   private config: OxyConfig;
+  private tokenRefreshPromise: Promise<string | null> | null = null;
 
   // Performance monitoring
   private requestMetrics = {
@@ -279,7 +281,7 @@ export class HttpService {
         }
 
         // Debug logging for CSRF issues
-        if (isStateChangingMethod && __DEV__) {
+        if (isStateChangingMethod && isDev()) {
           console.log('[HttpService] CSRF Debug:', {
             url,
             method,
@@ -484,20 +486,20 @@ export class HttpService {
     // Return cached token if available
     const cachedToken = this.tokenStore.getCsrfToken();
     if (cachedToken) {
-      if (__DEV__) console.log('[HttpService] Using cached CSRF token');
+      if (isDev()) console.log('[HttpService] Using cached CSRF token');
       return cachedToken;
     }
 
     // Deduplicate concurrent CSRF token fetches
     const existingPromise = this.tokenStore.getCsrfTokenFetchPromise();
     if (existingPromise) {
-      if (__DEV__) console.log('[HttpService] Waiting for existing CSRF fetch');
+      if (isDev()) console.log('[HttpService] Waiting for existing CSRF fetch');
       return existingPromise;
     }
 
     const fetchPromise = (async () => {
       try {
-        if (__DEV__) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/api/csrf-token`);
+        if (isDev()) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/api/csrf-token`);
 
         // Use AbortController for timeout (more compatible than AbortSignal.timeout)
         const controller = new AbortController();
@@ -512,11 +514,11 @@ export class HttpService {
 
         clearTimeout(timeoutId);
 
-        if (__DEV__) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
+        if (isDev()) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
 
         if (response.ok) {
           const data = await response.json() as { csrfToken?: string };
-          if (__DEV__) console.log('[HttpService] CSRF response data:', data);
+          if (isDev()) console.log('[HttpService] CSRF response data:', data);
           const token = data.csrfToken || null;
           this.tokenStore.setCsrfToken(token);
           this.logger.debug('CSRF token fetched');
@@ -531,11 +533,11 @@ export class HttpService {
           return headerToken;
         }
 
-        if (__DEV__) console.log('[HttpService] CSRF fetch failed with status:', response.status);
+        if (isDev()) console.log('[HttpService] CSRF fetch failed with status:', response.status);
         this.logger.warn('Failed to fetch CSRF token:', response.status);
         return null;
       } catch (error) {
-        if (__DEV__) console.log('[HttpService] CSRF fetch error:', error);
+        if (isDev()) console.log('[HttpService] CSRF fetch error:', error);
         this.logger.warn('CSRF token fetch error:', error);
         return null;
       } finally {
@@ -562,25 +564,15 @@ export class HttpService {
 
       // If token expires in less than 60 seconds, refresh it
       if (decoded.exp && decoded.exp - currentTime < 60 && decoded.sessionId) {
+        // Deduplicate concurrent refresh attempts
+        if (!this.tokenRefreshPromise) {
+          this.tokenRefreshPromise = this._refreshTokenFromSession(decoded.sessionId);
+        }
         try {
-          const refreshUrl = `${this.baseURL}/api/session/token/${decoded.sessionId}`;
-          
-          // Use AbortSignal.timeout for consistent timeout handling
-          const response = await fetch(refreshUrl, {
-            method: 'GET',
-            headers: { 'Accept': 'application/json' },
-            signal: AbortSignal.timeout(5000),
-            credentials: 'include', // Include cookies for cross-origin requests
-          });
-
-          if (response.ok) {
-            const { accessToken: newToken } = await response.json();
-            this.tokenStore.setTokens(newToken);
-            this.logger.debug('Token refreshed');
-            return `Bearer ${newToken}`;
-          }
-        } catch (refreshError) {
-          this.logger.warn('Token refresh failed, using current token');
+          const result = await this.tokenRefreshPromise;
+          if (result) return result;
+        } finally {
+          this.tokenRefreshPromise = null;
         }
       }
 
@@ -591,6 +583,28 @@ export class HttpService {
     }
   }
 
+  private async _refreshTokenFromSession(sessionId: string): Promise<string | null> {
+    try {
+      const refreshUrl = `${this.baseURL}/api/session/token/${sessionId}`;
+      const response = await fetch(refreshUrl, {
+        method: 'GET',
+        headers: { 'Accept': 'application/json' },
+        signal: AbortSignal.timeout(5000),
+        credentials: 'include',
+      });
+
+      if (response.ok) {
+        const { accessToken: newToken } = await response.json();
+        this.tokenStore.setTokens(newToken);
+        this.logger.debug('Token refreshed');
+        return `Bearer ${newToken}`;
+      }
+    } catch (refreshError) {
+      this.logger.warn('Token refresh failed, using current token');
+    }
+    return null;
+  }
+
   /**
    * Unwrap standardized API response format
    */

package/src/OxyServices.base.ts

@@ -131,21 +131,38 @@ export class OxyServicesBase {
    */
   public clearTokens(): void {
     this.httpService.clearTokens();
+    this._cachedUserId = undefined;
+    this._cachedAccessToken = null;
   }
 
+  /** @internal */ _cachedUserId: string | null | undefined = undefined;
+  /** @internal */ _cachedAccessToken: string | null = null;
+
   /**
-   * Get the current user ID from the access token
+   * Get the current user ID from the access token.
+   * Caches the decoded value and invalidates when the token changes.
    */
   public getCurrentUserId(): string | null {
     const accessToken = this.httpService.getAccessToken();
+
+    // Return cached value if token hasn't changed
+    if (accessToken === this._cachedAccessToken && this._cachedUserId !== undefined) {
+      return this._cachedUserId;
+    }
+
+    this._cachedAccessToken = accessToken;
+
     if (!accessToken) {
+      this._cachedUserId = null;
       return null;
     }
-    
+
     try {
       const decoded = jwtDecode<JwtPayload>(accessToken);
-      return decoded.userId || decoded.id || null;
-    } catch (error) {
+      this._cachedUserId = decoded.userId || decoded.id || null;
+      return this._cachedUserId;
+    } catch {
+      this._cachedUserId = null;
       return null;
     }
   }

package/src/OxyServices.ts

@@ -58,6 +58,10 @@
  */
 import { OxyServicesBase, type OxyConfig } from './OxyServices.base';
 import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
+import type { SessionLoginResponse } from './models/session';
+import type { FedCMAuthOptions, FedCMConfig } from './mixins/OxyServices.fedcm';
+import type { PopupAuthOptions } from './mixins/OxyServices.popup';
+import type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 
 // Import mixin composition helper
 import { composeOxyServices } from './mixins';
@@ -106,8 +110,25 @@ export class OxyServices extends (OxyServicesComposed as any) {
 }
 
 // Type augmentation to expose mixin methods to TypeScript
-// This allows proper type checking while avoiding complex mixin type inference
-export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {}
+// This allows proper type checking while avoiding complex mixin type inference.
+// Explicit declarations are added for cross-domain auth methods that downstream
+// packages (auth-sdk, services) need without casting to `any`.
+export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {
+  // FedCM authentication
+  isFedCMSupported(): boolean;
+  signInWithFedCM(options?: FedCMAuthOptions): Promise<SessionLoginResponse>;
+  silentSignInWithFedCM(): Promise<SessionLoginResponse | null>;
+  revokeFedCMCredential(): Promise<void>;
+  getFedCMConfig(): FedCMConfig;
+
+  // Popup authentication
+  signInWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+  signUpWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+
+  // Redirect authentication
+  signInWithRedirect(options?: RedirectAuthOptions): void;
+  signUpWithRedirect(options?: RedirectAuthOptions): void;
+}
 
 // Re-export error classes for convenience
 export { OxyAuthenticationError, OxyAuthenticationTimeoutError };

package/src/crypto/keyManager.ts

@@ -9,6 +9,7 @@ import { ec as EC } from 'elliptic';
 import type { ECKeyPair } from 'elliptic';
 import { isWeb, isIOS, isAndroid } from '../utils/platform';
 import { logger } from '../utils/loggerUtils';
+import { isDev } from '../shared/utils/debugUtils';
 
 // Lazy imports for React Native specific modules
 let SecureStore: typeof import('expo-secure-store') | null = null;
@@ -49,7 +50,9 @@ const ANDROID_ACCOUNT_TYPE = 'com.oxy.account';
 async function initSecureStore(): Promise<typeof import('expo-secure-store')> {
   if (!SecureStore) {
     try {
-      SecureStore = await import('expo-secure-store');
+      // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+      const moduleName = 'expo-secure-store';
+      SecureStore = await import(moduleName);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       throw new Error(`Failed to load expo-secure-store: ${errorMessage}. Make sure expo-secure-store is installed and properly configured.`);
@@ -85,9 +88,11 @@ function isWebPlatform(): boolean {
 
 async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
-    ExpoCrypto = await import('expo-crypto');
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+    const moduleName = 'expo-crypto';
+    ExpoCrypto = await import(moduleName);
   }
-  return ExpoCrypto;
+  return ExpoCrypto!;
 }
 
 /**
@@ -238,7 +243,7 @@ export class KeyManager {
     KeyManager.cachedSharedPublicKey = publicKey;
     KeyManager.cachedHasSharedIdentity = true;
 
-    if (__DEV__) {
+    if (isDev()) {
       logger.debug('Shared identity created successfully', { component: 'KeyManager' });
     }
 
@@ -277,7 +282,7 @@ export class KeyManager {
 
       return publicKey;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared public key', { component: 'KeyManager' }, error);
       }
       KeyManager.cachedSharedPublicKey = null;
@@ -312,7 +317,7 @@ export class KeyManager {
 
       return privateKey;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared private key', { component: 'KeyManager' }, error);
       }
       return null;
@@ -343,7 +348,7 @@ export class KeyManager {
 
       return hasShared;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to check shared identity', { component: 'KeyManager' }, error);
       }
       KeyManager.cachedHasSharedIdentity = false;
@@ -392,7 +397,7 @@ export class KeyManager {
     KeyManager.cachedSharedPublicKey = publicKey;
     KeyManager.cachedHasSharedIdentity = true;
 
-    if (__DEV__) {
+    if (isDev()) {
       logger.debug('Shared identity imported successfully', { component: 'KeyManager' });
     }
 
@@ -431,11 +436,11 @@ export class KeyManager {
         await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, accessToken);
       }
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Shared session stored successfully', { component: 'KeyManager' });
       }
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to store shared session', error, { component: 'KeyManager' });
       }
       throw error;
@@ -479,7 +484,7 @@ export class KeyManager {
 
       return { sessionId, accessToken };
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared session', { component: 'KeyManager' }, error);
       }
       return null;
@@ -512,11 +517,11 @@ export class KeyManager {
         await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN);
       }
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Shared session cleared successfully', { component: 'KeyManager' });
       }
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to clear shared session', error, { component: 'KeyManager' });
       }
     }
@@ -540,7 +545,7 @@ export class KeyManager {
       // Check if we already have a shared identity
       const hasShared = await KeyManager.hasSharedIdentity();
       if (hasShared) {
-        if (__DEV__) {
+        if (isDev()) {
           logger.debug('Shared identity already exists, skipping migration', { component: 'KeyManager' });
         }
         return true;
@@ -549,7 +554,7 @@ export class KeyManager {
       // Get local identity
       const privateKey = await KeyManager.getPrivateKey();
       if (!privateKey) {
-        if (__DEV__) {
+        if (isDev()) {
           logger.debug('No local identity to migrate', { component: 'KeyManager' });
         }
         return false;
@@ -558,13 +563,13 @@ export class KeyManager {
       // Import to shared storage
       await KeyManager.importSharedIdentity(privateKey);
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Successfully migrated local identity to shared identity', { component: 'KeyManager' });
       }
 
       return true;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to migrate to shared identity', error, { component: 'KeyManager' });
       }
       return false;
@@ -635,7 +640,7 @@ export class KeyManager {
     } catch (error) {
       // If secure store is not available, return null (no identity)
       // This allows the app to continue functioning even if secure store fails to load
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
       }
       return null;
@@ -665,7 +670,7 @@ export class KeyManager {
       // If secure store is not available, return null (no identity)
       // Cache null to avoid repeated failed attempts
       KeyManager.cachedPublicKey = null;
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
       }
       return null;
@@ -695,7 +700,7 @@ export class KeyManager {
       // If we can't check, assume no identity (safer default)
       // Cache false to avoid repeated failed attempts
       KeyManager.cachedHasIdentity = false;
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to check identity', { component: 'KeyManager' }, error);
       }
       return false;
@@ -736,11 +741,11 @@ export class KeyManager {
     if (!skipBackup) {
       try {
         const backupSuccess = await KeyManager.backupIdentity();
-        if (!backupSuccess && typeof __DEV__ !== 'undefined' && __DEV__) {
+        if (!backupSuccess && isDev()) {
           logger.warn('Failed to backup identity before deletion - proceeding anyway', { component: 'KeyManager' });
         }
       } catch (backupError) {
-        if (typeof __DEV__ !== 'undefined' && __DEV__) {
+        if (isDev()) {
           logger.warn('Failed to backup identity before deletion', { component: 'KeyManager' }, backupError);
         }
       }
@@ -790,7 +795,7 @@ export class KeyManager {
 
       return true;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Failed to backup identity', error, { component: 'KeyManager' });
       }
       return false;
@@ -836,7 +841,7 @@ export class KeyManager {
 
       return true;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Identity integrity check failed', error, { component: 'KeyManager' });
       }
       return false;
@@ -893,7 +898,7 @@ export class KeyManager {
 
       return false;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Failed to restore identity from backup', error, { component: 'KeyManager' });
       }
       return false;

package/src/crypto/polyfill.ts

@@ -37,7 +37,12 @@ function getRandomBytesSync(byteCount: number): Uint8Array {
   if (!expoCryptoLoadAttempted) {
     expoCryptoLoadAttempted = true;
     try {
-      expoCryptoModule = require('expo-crypto');
+      // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
+      // crypto.getRandomValues exists natively so this code path is never reached.
+      if (typeof require !== 'undefined') {
+        const moduleName = 'expo-crypto';
+        expoCryptoModule = require(moduleName);
+      }
     } catch {
       // expo-crypto not available — expected in non-RN environments
     }