@oxyhq/core 1.11.10 → 1.11.12

package/dist/esm/HttpService.js

@@ -16,7 +16,6 @@ import { TTLCache, registerCacheForCleanup } from './utils/cache.js';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils.js';
 import { retryAsync } from './utils/asyncUtils.js';
 import { handleHttpError } from './utils/errorUtils.js';
-import { isDev } from './shared/utils/debugUtils.js';
 import { jwtDecode } from 'jwt-decode';
 import { isNative, getPlatformOS } from './utils/platform.js';
 /**
@@ -81,6 +80,8 @@ export class HttpService {
         this.tokenRefreshPromise = null;
         this.tokenRefreshCooldownUntil = 0;
         this._onTokenRefreshed = null;
+        // Acting-as identity for managed accounts
+        this._actingAsUserId = null;
         // Performance monitoring
         this.requestMetrics = {
             totalRequests: 0,
@@ -185,9 +186,12 @@ export class HttpService {
                 if (isNativeApp && isStateChangingMethod) {
                     headers['X-Native-App'] = 'true';
                 }
-                // Debug logging for CSRF issues
-                if (isStateChangingMethod && isDev()) {
-                    console.log('[HttpService] CSRF Debug:', {
+                // Debug logging for CSRF issues — routed through the SimpleLogger so
+                // it only fires when consumers opt in via `enableLogging`. Previously
+                // this was a bare console.log that leaked noise into every host app's
+                // stdout in development.
+                if (isStateChangingMethod) {
+                    this.logger.debug('CSRF Debug:', {
                         url,
                         method,
                         isNativeApp,
@@ -197,6 +201,10 @@ export class HttpService {
                         hasNativeAppHeader: headers['X-Native-App'] === 'true',
                     });
                 }
+                // Add X-Acting-As header for managed account identity delegation
+                if (this._actingAsUserId) {
+                    headers['X-Acting-As'] = this._actingAsUserId;
+                }
                 // Merge custom headers if provided
                 if (config.headers) {
                     Object.entries(config.headers).forEach(([key, value]) => {
@@ -403,23 +411,20 @@ export class HttpService {
         // Return cached token if available
         const cachedToken = this.tokenStore.getCsrfToken();
         if (cachedToken) {
-            if (isDev())
-                console.log('[HttpService] Using cached CSRF token');
+            this.logger.debug('Using cached CSRF token');
             return cachedToken;
         }
         // Deduplicate concurrent CSRF token fetches
         const existingPromise = this.tokenStore.getCsrfTokenFetchPromise();
         if (existingPromise) {
-            if (isDev())
-                console.log('[HttpService] Waiting for existing CSRF fetch');
+            this.logger.debug('Waiting for existing CSRF fetch');
             return existingPromise;
         }
         const fetchPromise = (async () => {
             const maxAttempts = 2;
             for (let attempt = 1; attempt <= maxAttempts; attempt++) {
                 try {
-                    if (isDev())
-                        console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
+                    this.logger.debug('Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
                     // Use AbortController for timeout (more compatible than AbortSignal.timeout)
                     const controller = new AbortController();
                     const timeoutId = setTimeout(() => controller.abort(), 5000);
@@ -430,12 +435,10 @@ export class HttpService {
                         signal: controller.signal,
                     });
                     clearTimeout(timeoutId);
-                    if (isDev())
-                        console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
+                    this.logger.debug('CSRF fetch response:', response.status, response.ok);
                     if (response.ok) {
                         const data = await response.json();
-                        if (isDev())
-                            console.log('[HttpService] CSRF response data:', data);
+                        this.logger.debug('CSRF response data:', data);
                         const token = data.csrfToken || null;
                         this.tokenStore.setCsrfToken(token);
                         this.logger.debug('CSRF token fetched');
@@ -448,13 +451,11 @@ export class HttpService {
                         this.logger.debug('CSRF token from header');
                         return headerToken;
                     }
-                    if (isDev())
-                        console.log('[HttpService] CSRF fetch failed with status:', response.status);
+                    this.logger.debug('CSRF fetch failed with status:', response.status);
                     this.logger.warn('Failed to fetch CSRF token:', response.status);
                 }
                 catch (error) {
-                    if (isDev())
-                        console.log('[HttpService] CSRF fetch error:', error);
+                    this.logger.debug('CSRF fetch error:', error);
                     this.logger.warn('CSRF token fetch error:', error);
                 }
                 // Wait before retry (500ms)
@@ -579,6 +580,13 @@ export class HttpService {
     async delete(url, config) {
         return this.request({ method: 'DELETE', url, ...config });
     }
+    // Acting-as identity management (managed accounts)
+    setActingAs(userId) {
+        this._actingAsUserId = userId;
+    }
+    getActingAs() {
+        return this._actingAsUserId;
+    }
     // Token management
     setTokens(accessToken, refreshToken = '') {
         this.tokenStore.setTokens(accessToken, refreshToken);

package/dist/esm/OxyServices.base.js

@@ -138,6 +138,27 @@ export class OxyServicesBase {
     getAccessToken() {
         return this.httpService.getAccessToken();
     }
+    /**
+     * Set the acting-as identity for managed accounts.
+     *
+     * When set, all subsequent API requests will include the `X-Acting-As` header,
+     * causing the server to attribute actions to the managed account. The
+     * authenticated user must be an authorized manager of the target account.
+     *
+     * Pass `null` to clear and revert to the authenticated user's own identity.
+     *
+     * @param userId - The managed account user ID, or null to clear
+     */
+    setActingAs(userId) {
+        this.httpService.setActingAs(userId);
+    }
+    /**
+     * Get the current acting-as identity (managed account user ID), or null
+     * if operating as the authenticated user's own identity.
+     */
+    getActingAs() {
+        return this.httpService.getActingAs();
+    }
     /**
      * Wait for authentication to be ready
      *

package/dist/esm/crypto/keyManager.js

@@ -45,7 +45,7 @@ async function initSecureStore() {
         try {
             // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
             const moduleName = 'expo-secure-store';
-            SecureStore = await import(moduleName);
+            SecureStore = await import(/* @vite-ignore */ moduleName);
         }
         catch (error) {
             const errorMessage = error instanceof Error ? error.message : String(error);
@@ -68,7 +68,7 @@ async function initExpoCrypto() {
     if (!ExpoCrypto) {
         // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
         const moduleName = 'expo-crypto';
-        ExpoCrypto = await import(moduleName);
+        ExpoCrypto = await import(/* @vite-ignore */ moduleName);
     }
     return ExpoCrypto;
 }
@@ -94,7 +94,7 @@ async function getSecureRandomBytes(length) {
     // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     try {
         const cryptoModuleName = 'crypto';
-        const nodeCrypto = await import(cryptoModuleName);
+        const nodeCrypto = await import(/* @vite-ignore */ cryptoModuleName);
         return new Uint8Array(nodeCrypto.randomBytes(length));
     }
     catch (error) {

package/dist/esm/crypto/polyfill.js

@@ -40,7 +40,7 @@ function startExpoCryptoLoad() {
     expoCryptoLoadPromise = (async () => {
         try {
             const moduleName = 'expo-crypto';
-            expoCryptoModule = await import(moduleName);
+            expoCryptoModule = await import(/* @vite-ignore */ moduleName);
         }
         catch {
             // expo-crypto not available — expected in non-RN environments

package/dist/esm/crypto/signatureService.js

@@ -8,20 +8,24 @@ import _cjs_elliptic from 'elliptic';
 const { ec: EC } = _cjs_elliptic;
 import { KeyManager } from './keyManager.js';
 import { isReactNative, isNodeJS } from '../utils/platform.js';
-// Lazy import for expo-crypto
+// Lazy imports for platform-specific crypto
 let ExpoCrypto = null;
+let NodeCrypto = null;
 const ec = new EC('secp256k1');
-/**
- * Initialize expo-crypto module
- */
 async function initExpoCrypto() {
     if (!ExpoCrypto) {
-        // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
         const moduleName = 'expo-crypto';
-        ExpoCrypto = await import(moduleName);
+        ExpoCrypto = await import(/* @vite-ignore */ moduleName);
     }
     return ExpoCrypto;
 }
+async function initNodeCrypto() {
+    if (!NodeCrypto) {
+        const moduleName = 'crypto';
+        NodeCrypto = await import(/* @vite-ignore */ moduleName);
+    }
+    return NodeCrypto;
+}
 /**
  * Compute SHA-256 hash of a string
  */
@@ -31,10 +35,9 @@ async function sha256(message) {
         const Crypto = await initExpoCrypto();
         return Crypto.digestStringAsync(Crypto.CryptoDigestAlgorithm.SHA256, message);
     }
-    // In Node.js, use Node's crypto module
     if (isNodeJS()) {
         try {
-            const nodeCrypto = await import('crypto');
+            const nodeCrypto = await initNodeCrypto();
             return nodeCrypto.createHash('sha256').update(message).digest('hex');
         }
         catch {
@@ -62,12 +65,9 @@ export class SignatureService {
                 .map((b) => b.toString(16).padStart(2, '0'))
                 .join('');
         }
-        // In Node.js, use Node's crypto module
-        // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
         if (isNodeJS()) {
             try {
-                const cryptoModuleName = 'crypto';
-                const nodeCrypto = await import(cryptoModuleName);
+                const nodeCrypto = await initNodeCrypto();
                 return nodeCrypto.randomBytes(32).toString('hex');
             }
             catch {

package/dist/esm/mixins/OxyServices.language.js

@@ -17,7 +17,7 @@ export function OxyServicesLanguageMixin(Base) {
                 try {
                     // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
                     const moduleName = '@react-native-async-storage/async-storage';
-                    const asyncStorageModule = await import(moduleName);
+                    const asyncStorageModule = await import(/* @vite-ignore */ moduleName);
                     const storage = asyncStorageModule.default;
                     return {
                         getItem: storage.getItem.bind(storage),

package/dist/esm/mixins/OxyServices.managedAccounts.js

@@ -0,0 +1,114 @@
+export function OxyServicesManagedAccountsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Create a new managed account (sub-account).
+         *
+         * The server creates a User document with `isManagedAccount: true` and links
+         * it to the authenticated user as owner.
+         */
+        async createManagedAccount(data) {
+            try {
+                return await this.makeRequest('POST', '/managed-accounts', data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List all accounts the authenticated user manages.
+         */
+        async getManagedAccounts() {
+            try {
+                return await this.makeRequest('GET', '/managed-accounts', undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get details for a specific managed account.
+         */
+        async getManagedAccountDetails(accountId) {
+            try {
+                return await this.makeRequest('GET', `/managed-accounts/${accountId}`, undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update a managed account's profile data.
+         * Requires owner or admin role.
+         */
+        async updateManagedAccount(accountId, data) {
+            try {
+                return await this.makeRequest('PUT', `/managed-accounts/${accountId}`, data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Delete a managed account permanently.
+         * Requires owner role.
+         */
+        async deleteManagedAccount(accountId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a manager to a managed account.
+         * Requires owner or admin role on the account.
+         *
+         * @param accountId - The managed account to add the manager to
+         * @param userId - The user to grant management access
+         * @param role - The role to assign: 'admin' or 'editor'
+         */
+        async addManager(accountId, userId, role) {
+            try {
+                await this.makeRequest('POST', `/managed-accounts/${accountId}/managers`, { userId, role }, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a manager from a managed account.
+         * Requires owner role.
+         *
+         * @param accountId - The managed account
+         * @param userId - The manager to remove
+         */
+        async removeManager(accountId, userId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}/managers/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/OxyServices.user.js

@@ -18,6 +18,17 @@ export function OxyServicesUserMixin(Base) {
                 throw this.handleError(error);
             }
         }
+        /**
+         * Lightweight username lookup for login flows.
+         * Returns minimal public info: exists, color, avatar, displayName.
+         * Faster than getProfileByUsername — no stats, no formatting.
+         */
+        async lookupUsername(username) {
+            return await this.makeRequest('GET', `/auth/lookup/${encodeURIComponent(username)}`, undefined, {
+                cache: true,
+                cacheTTL: 60 * 1000, // 1 minute cache
+            });
+        }
         /**
          * Search user profiles
          */

package/dist/esm/mixins/OxyServices.utility.js

@@ -10,6 +10,41 @@ export function OxyServicesUtilityMixin(Base) {
     return class extends Base {
         constructor(...args) {
             super(...args);
+            /** @internal In-memory cache for acting-as verification results (TTL: 5 min) */
+            this._actingAsCache = new Map();
+        }
+        /**
+         * Verify that a user is authorized to act as a managed account.
+         * Results are cached in-memory for 5 minutes to avoid repeated API calls.
+         *
+         * @internal Used by the auth() middleware — not part of the public API
+         */
+        async verifyActingAs(userId, accountId) {
+            const cacheKey = `${userId}:${accountId}`;
+            const now = Date.now();
+            // Check cache
+            const cached = this._actingAsCache.get(cacheKey);
+            if (cached && cached.expiresAt > now) {
+                return cached.result;
+            }
+            // Query the API
+            try {
+                const result = await this.makeRequest('GET', '/managed-accounts/verify', { accountId, userId }, { cache: false, retry: false, timeout: 5000 });
+                // Cache successful result for 5 minutes
+                this._actingAsCache.set(cacheKey, {
+                    result: result && result.authorized ? result : null,
+                    expiresAt: now + 5 * 60 * 1000,
+                });
+                return result && result.authorized ? result : null;
+            }
+            catch {
+                // Cache negative result for 1 minute to avoid hammering on transient errors
+                this._actingAsCache.set(cacheKey, {
+                    result: null,
+                    expiresAt: now + 1 * 60 * 1000,
+                });
+                return null;
+            }
         }
         /**
          * Fetch link metadata
@@ -72,6 +107,45 @@ export function OxyServicesUtilityMixin(Base) {
             const oxyInstance = this;
             // Return an async middleware function
             return async (req, res, next) => {
+                // Process X-Acting-As header for managed account identity delegation.
+                // Called after successful authentication, before next(). If the header
+                // is present, verifies authorization and swaps the request identity to
+                // the managed account, preserving the original user for audit trails.
+                const processActingAs = async () => {
+                    const actingAsUserId = req.headers['x-acting-as'];
+                    if (!actingAsUserId)
+                        return true; // No header, proceed normally
+                    const verification = await oxyInstance.verifyActingAs(req.userId, actingAsUserId);
+                    if (!verification) {
+                        const error = {
+                            error: 'ACTING_AS_UNAUTHORIZED',
+                            message: 'Not authorized to act as this account',
+                            code: 'ACTING_AS_UNAUTHORIZED',
+                            status: 403,
+                        };
+                        if (onError) {
+                            onError(error);
+                        }
+                        else {
+                            res.status(403).json(error);
+                        }
+                        return false;
+                    }
+                    // Preserve original user for audit trails
+                    req.originalUser = { id: req.userId, ...req.user };
+                    req.actingAs = { userId: actingAsUserId, role: verification.role };
+                    // Swap user identity to the managed account
+                    req.userId = actingAsUserId;
+                    req.user = { id: actingAsUserId };
+                    // Also set _id for routes that use Pattern B (req.user._id)
+                    if (req.user) {
+                        req.user._id = actingAsUserId;
+                    }
+                    if (debug) {
+                        console.log(`[oxy.auth] Acting as ${actingAsUserId} (role=${verification.role}) original=${req.originalUser.id}`);
+                    }
+                    return true;
+                };
                 try {
                     // Extract token from Authorization header or query params
                     const authHeader = req.headers['authorization'];
@@ -294,7 +368,10 @@ export function OxyServicesUtilityMixin(Base) {
                             if (debug) {
                                 console.log(`[oxy.auth] OK user=${userId} session=${decoded.sessionId}`);
                             }
-                            return next();
+                            // Process X-Acting-As header before proceeding
+                            if (await processActingAs())
+                                return next();
+                            return;
                         }
                         catch (validationError) {
                             if (debug) {
@@ -345,7 +422,9 @@ export function OxyServicesUtilityMixin(Base) {
                     if (debug) {
                         console.log(`[oxy.auth] OK user=${userId} (no session)`);
                     }
-                    next();
+                    // Process X-Acting-As header before proceeding
+                    if (await processActingAs())
+                        next();
                 }
                 catch (error) {
                     const apiError = oxyInstance.handleError(error);

package/dist/esm/mixins/index.js

@@ -23,6 +23,7 @@ import { OxyServicesSecurityMixin } from './OxyServices.security.js';
 import { OxyServicesUtilityMixin } from './OxyServices.utility.js';
 import { OxyServicesFeaturesMixin } from './OxyServices.features.js';
 import { OxyServicesTopicsMixin } from './OxyServices.topics.js';
+import { OxyServicesManagedAccountsMixin } from './OxyServices.managedAccounts.js';
 /**
  * Mixin pipeline - applied in order from first to last.
  *
@@ -60,6 +61,7 @@ const MIXIN_PIPELINE = [
     OxyServicesSecurityMixin,
     OxyServicesFeaturesMixin,
     OxyServicesTopicsMixin,
+    OxyServicesManagedAccountsMixin,
     // Utility (last, can use all above)
     OxyServicesUtilityMixin,
 ];

package/dist/esm/utils/asyncUtils.js

@@ -30,18 +30,47 @@ export async function parallelWithErrorHandling(operations, errorHandler) {
     const results = await Promise.allSettled(operations.map((op, index) => withErrorHandling(op, error => errorHandler?.(error, index))));
     return results.map(result => result.status === 'fulfilled' ? result.value : null);
 }
+/**
+ * Extract an HTTP status code from an error value, tolerating both the
+ * axios-style nested shape (`error.response.status`) and the flat shape
+ * produced by {@link handleHttpError} / fetch-based clients (`error.status`).
+ *
+ * Centralising this lookup prevents retry predicates from silently falling
+ * through when one of the two shapes is missing, which previously caused
+ * @oxyhq/core to retry 4xx responses and turn sub-10ms failures into
+ * multi-second stalls for every missing-resource lookup.
+ */
+function extractHttpStatus(error) {
+    if (!error || typeof error !== 'object')
+        return undefined;
+    const candidate = error;
+    const flat = candidate.status;
+    if (typeof flat === 'number' && Number.isFinite(flat))
+        return flat;
+    const nested = candidate.response?.status;
+    if (typeof nested === 'number' && Number.isFinite(nested))
+        return nested;
+    return undefined;
+}
 /**
  * Retry an async operation with exponential backoff
  *
- * By default, does not retry on 4xx errors (client errors).
- * Use shouldRetry callback to customize retry behavior.
+ * By default, does not retry on 4xx errors (client errors). The default
+ * predicate accepts both the axios-style `error.response.status` and the
+ * flat `error.status` shape produced by {@link handleHttpError}, so callers
+ * never accidentally retry a deterministic client failure.
+ *
+ * Use the `shouldRetry` callback to customize retry behavior.
  */
 export async function retryAsync(operation, maxRetries = 3, baseDelay = 1000, shouldRetry) {
     let lastError;
-    // Default shouldRetry: don't retry on 4xx errors
+    // Default shouldRetry: don't retry on 4xx errors (client errors).
+    // Checks BOTH `error.status` (flat shape from handleHttpError / fetch
+    // clients) AND `error.response.status` (axios-style shape) so neither
+    // representation can leak a client error into the retry loop.
     const defaultShouldRetry = (error) => {
-        // Don't retry on 4xx errors (client errors)
-        if (error?.response?.status >= 400 && error?.response?.status < 500) {
+        const status = extractHttpStatus(error);
+        if (status !== undefined && status >= 400 && status < 500) {
             return false;
         }
         return true;

package/dist/esm/utils/deviceManager.js

@@ -17,7 +17,7 @@ export class DeviceManager {
             try {
                 // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
                 const moduleName = '@react-native-async-storage/async-storage';
-                const asyncStorageModule = await import(moduleName);
+                const asyncStorageModule = await import(/* @vite-ignore */ moduleName);
                 const storage = asyncStorageModule.default;
                 return {
                     getItem: storage.getItem.bind(storage),