@oxyhq/core 1.11.11 → 1.11.13

package/dist/esm/CrossDomainAuth.js

@@ -164,7 +164,9 @@ export class CrossDomainAuth {
      * Check if FedCM is supported in current browser
      */
     isFedCMSupported() {
-        return this.oxyServices.constructor.isFedCMSupported?.() || false;
+        // FedCM support is exposed both as a static and an instance method on
+        // OxyServices; the instance method is reliable across mixin composition.
+        return this.oxyServices.isFedCMSupported?.() || false;
     }
     /**
      * Get recommended authentication method for current environment

package/dist/esm/HttpService.js

@@ -16,14 +16,39 @@ import { TTLCache, registerCacheForCleanup } from './utils/cache.js';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils.js';
 import { retryAsync } from './utils/asyncUtils.js';
 import { handleHttpError } from './utils/errorUtils.js';
-import { isDev } from './shared/utils/debugUtils.js';
 import { jwtDecode } from 'jwt-decode';
-import { isNative, getPlatformOS } from './utils/platform.js';
+import { isNative, isReactNative, getPlatformOS } from './utils/platform.js';
 /**
  * Check if we're running in a native app environment (React Native, not web)
  * This is used to determine CSRF handling mode
  */
 const isNativeApp = isNative();
+/**
+ * FNV-1a 32-bit non-cryptographic hash.
+ *
+ * Used by the cache-key generator for large payloads where full JSON
+ * inclusion would balloon the cache map keys. Content-addressed: every
+ * byte of the input contributes to the digest, so two payloads with the
+ * same top-level shape but different field values produce different keys
+ * (the previous `keys + length` heuristic collided on these).
+ *
+ * Trade-offs:
+ *  - 32 bits is ample for an in-process cache (collision risk negligible
+ *    at our key counts; we also prefix with method + url which further
+ *    partitions the keyspace).
+ *  - Not cryptographically secure — never use for security decisions.
+ *  - Zero dependencies, branch-free hot loop, ~1 GiB/s on V8.
+ */
+function fnv1a32(str) {
+    let h = 0x811c9dc5;
+    for (let i = 0; i < str.length; i++) {
+        h ^= str.charCodeAt(i);
+        // h * 16777619 mod 2^32, written as shift-and-add for portability and
+        // to avoid 53-bit JS number truncation in the intermediate multiply.
+        h = (h + ((h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24))) >>> 0;
+    }
+    return h.toString(16).padStart(8, '0');
+}
 /**
  * Token store for authentication (instance-based)
  * Each HttpService gets its own TokenStore to prevent conflicts
@@ -103,31 +128,53 @@ export class HttpService {
         this.requestQueue = new RequestQueue(config.maxConcurrentRequests || 10, config.requestQueueSize || 100);
     }
     /**
-     * Robust FormData detection that works in browser and Node.js environments
-     * Checks multiple conditions to handle different FormData implementations
+     * Robust FormData detection that works in browser, React Native, and
+     * Node.js polyfill environments.
+     *
+     * Why we don't use `instanceof FormData` alone:
+     *  - React Native's FormData is a separate class, not the browser one —
+     *    `instanceof FormData` is true only inside the JS runtime that
+     *    instantiated the value (browser-side polyfills also have their own).
+     *  - The Node.js `form-data` polyfill ships its own constructor.
+     *
+     * Why we explicitly reject `URLSearchParams`:
+     *  - `URLSearchParams` ALSO exposes `append` / `get` / `has`, so the
+     *    duck-type fallback below would have misidentified it as FormData.
+     *  - We want urlencoded payloads to take the JSON-stringify path so the
+     *    server receives them as `application/x-www-form-urlencoded` instead
+     *    of an empty multipart body.
      */
     isFormData(data) {
-        if (!data) {
+        if (!data || typeof data !== 'object') {
             return false;
         }
-        // Primary check: instanceof FormData (works in browser and Node.js with proper polyfills)
-        if (data instanceof FormData) {
+        // Reject URLSearchParams up front: it shares the duck-typed surface
+        // (append / get / has) but is a fundamentally different content type.
+        // The caller routes URLSearchParams through the regular body path.
+        if (typeof URLSearchParams !== 'undefined' && data instanceof URLSearchParams) {
+            return false;
+        }
+        // Primary check: instanceof FormData. Works whenever the value was
+        // constructed by the same runtime/realm that exposes `FormData`.
+        if (typeof FormData !== 'undefined' && data instanceof FormData) {
             return true;
         }
-        // Fallback: Check constructor name (handles Node.js polyfills like form-data)
-        if (typeof data === 'object' && data !== null) {
-            const constructorName = data.constructor?.name;
-            if (constructorName === 'FormData' || constructorName === 'FormDataImpl') {
-                return true;
-            }
-            // Additional check: Look for FormData-like methods
-            if (typeof data.append === 'function' &&
-                typeof data.get === 'function' &&
-                typeof data.has === 'function') {
-                return true;
-            }
+        // Fallback: detect Node / RN polyfills by constructor name. Limited to
+        // the small handful of known names so we don't accept arbitrary
+        // user-supplied objects with a coincidental `name`.
+        const constructorName = data.constructor?.name;
+        if (constructorName === 'FormData' || constructorName === 'FormDataImpl') {
+            return true;
         }
-        return false;
+        // Last-resort duck typing — require the full FormData write surface
+        // (`append`, `get`, `has`, `getAll`, `delete`) so plain objects with
+        // an `append` method don't accidentally match.
+        const candidate = data;
+        return (typeof candidate.append === 'function' &&
+            typeof candidate.get === 'function' &&
+            typeof candidate.has === 'function' &&
+            typeof candidate.getAll === 'function' &&
+            typeof candidate.delete === 'function');
     }
     /**
      * Main request method - handles everything in one place
@@ -187,9 +234,12 @@ export class HttpService {
                 if (isNativeApp && isStateChangingMethod) {
                     headers['X-Native-App'] = 'true';
                 }
-                // Debug logging for CSRF issues
-                if (isStateChangingMethod && isDev()) {
-                    console.log('[HttpService] CSRF Debug:', {
+                // Debug logging for CSRF issues — routed through the SimpleLogger so
+                // it only fires when consumers opt in via `enableLogging`. Previously
+                // this was a bare console.log that leaked noise into every host app's
+                // stdout in development.
+                if (isStateChangingMethod) {
+                    this.logger.debug('CSRF Debug:', {
                         url,
                         method,
                         isNativeApp,
@@ -218,13 +268,22 @@ export class HttpService {
                 const bodyValue = method !== 'GET' && data
                     ? (isFormData ? data : JSON.stringify(data))
                     : undefined;
-                const response = await fetch(fullUrl, {
-                    method,
-                    headers,
-                    body: bodyValue,
-                    signal: controller.signal,
-                    credentials: 'include', // Include cookies for cross-origin requests (CSRF, session)
-                });
+                // React Native FormData workaround:
+                // Expo SDK 56's "winter fetch" rejects RN file descriptors `{uri, type, name}`
+                // in FormDataPart conversion (`Unsupported FormDataPart implementation`).
+                // RN's native XMLHttpRequest handles those descriptors correctly, so we
+                // route multipart uploads through XHR on RN only. JSON, text, etc. still
+                // use fetch on every platform.
+                const useXhrForUpload = isFormData && isReactNative() && typeof XMLHttpRequest !== 'undefined';
+                const response = useXhrForUpload
+                    ? await this.uploadViaXHR(fullUrl, method, headers, bodyValue, controller.signal, timeout)
+                    : await fetch(fullUrl, {
+                        method,
+                        headers,
+                        body: bodyValue,
+                        signal: controller.signal,
+                        credentials: 'include', // Include cookies for cross-origin requests (CSRF, session)
+                    });
                 if (timeoutId)
                     clearTimeout(timeoutId);
                 // Handle response
@@ -364,25 +423,131 @@ export class HttpService {
         }
         return result;
     }
+    /**
+     * Upload via XMLHttpRequest (React Native FormData workaround).
+     *
+     * Expo SDK 56's "winter fetch" cannot serialize RN file descriptors
+     * (`{uri, type, name}`) — `convertFormDataAsync` rejects them as
+     * `Unsupported FormDataPart implementation`. RN's native XHR streams
+     * the file from disk correctly, so multipart uploads go through XHR
+     * on RN only.
+     *
+     * Returns a standard `Response` so downstream parsing in `request()`
+     * (status checks, 401/403 retries, JSON/blob/text parsing) is identical
+     * to the fetch path.
+     */
+    uploadViaXHR(url, method, headers, body, abortSignal, timeout) {
+        return new Promise((resolve, reject) => {
+            const xhr = new XMLHttpRequest();
+            xhr.open(method, url, true);
+            // withCredentials mirrors fetch's `credentials: 'include'` so the
+            // session cookie and CSRF cookie continue to flow.
+            xhr.withCredentials = true;
+            // Forward headers but skip Content-Type — XHR sets the multipart
+            // boundary automatically and overriding it breaks the upload.
+            for (const [key, value] of Object.entries(headers)) {
+                if (key.toLowerCase() === 'content-type')
+                    continue;
+                try {
+                    xhr.setRequestHeader(key, value);
+                }
+                catch (headerError) {
+                    // Some headers (e.g. forbidden header names) cannot be set —
+                    // log and continue rather than failing the whole upload.
+                    this.logger.warn('XHR setRequestHeader failed:', key, headerError);
+                }
+            }
+            xhr.responseType = 'text';
+            if (timeout > 0) {
+                xhr.timeout = timeout;
+            }
+            const onAbort = () => {
+                try {
+                    xhr.abort();
+                }
+                catch { /* xhr already finished */ }
+            };
+            if (abortSignal.aborted) {
+                reject(new DOMException('The user aborted a request.', 'AbortError'));
+                return;
+            }
+            abortSignal.addEventListener('abort', onAbort);
+            const cleanup = () => {
+                abortSignal.removeEventListener('abort', onAbort);
+            };
+            xhr.onload = () => {
+                cleanup();
+                const responseHeaders = HttpService.parseXHRHeaders(xhr.getAllResponseHeaders());
+                resolve(new Response(xhr.responseText, {
+                    status: xhr.status,
+                    statusText: xhr.statusText,
+                    headers: responseHeaders,
+                }));
+            };
+            xhr.onerror = () => {
+                cleanup();
+                reject(new TypeError('Network request failed'));
+            };
+            xhr.ontimeout = () => {
+                cleanup();
+                reject(new DOMException('The request timed out.', 'TimeoutError'));
+            };
+            xhr.onabort = () => {
+                cleanup();
+                reject(new DOMException('The user aborted a request.', 'AbortError'));
+            };
+            xhr.send(body);
+        });
+    }
+    /**
+     * Parse raw header string from `XMLHttpRequest.getAllResponseHeaders()`
+     * into a `Headers`-compatible object.
+     */
+    static parseXHRHeaders(rawHeaders) {
+        const headers = new Headers();
+        if (!rawHeaders)
+            return headers;
+        // RFC 7230 line terminator is CRLF; some XHR implementations use LF only.
+        const lines = rawHeaders.trim().split(/\r?\n/);
+        for (const line of lines) {
+            const colonIndex = line.indexOf(':');
+            if (colonIndex <= 0)
+                continue;
+            const key = line.slice(0, colonIndex).trim();
+            const value = line.slice(colonIndex + 1).trim();
+            if (key) {
+                try {
+                    headers.append(key, value);
+                }
+                catch {
+                    // Invalid header name/value — skip.
+                }
+            }
+        }
+        return headers;
+    }
     /**
      * Generate cache key efficiently
-     * Uses simple hash for large objects to avoid expensive JSON.stringify
+     * Uses a content-addressed hash for large payloads so two requests with
+     * the same shape but different values never collide on the same key
+     * (which would silently serve stale data — e.g. paginated search results,
+     * large object updates).
      */
     generateCacheKey(method, url, data) {
         if (!data || (typeof data === 'object' && Object.keys(data).length === 0)) {
             return `${method}:${url}`;
         }
-        // For small objects, use JSON.stringify
+        // For small objects, the full serialization IS the key — fastest and
+        // guaranteed to be content-addressed.
         const dataStr = JSON.stringify(data);
         if (dataStr.length < 1000) {
             return `${method}:${url}:${dataStr}`;
         }
-        // For large objects, use a simple hash based on keys and values length
-        // This avoids expensive serialization while still being unique enough
-        const hash = typeof data === 'object' && data !== null
-            ? Object.keys(data).sort().join(',') + ':' + dataStr.length
-            : String(data).substring(0, 100);
-        return `${method}:${url}:${hash}`;
+        // For large payloads, hash the full serialized string so the key remains
+        // content-addressed (any byte change yields a different hash). Previous
+        // implementation hashed `keys + length` which collided for any two
+        // payloads with the same top-level keys and serialized length.
+        return `${method}:${url}:${fnv1a32(dataStr)}`;
     }
     /**
      * Build full URL with query params
@@ -409,23 +574,20 @@ export class HttpService {
         // Return cached token if available
         const cachedToken = this.tokenStore.getCsrfToken();
         if (cachedToken) {
-            if (isDev())
-                console.log('[HttpService] Using cached CSRF token');
+            this.logger.debug('Using cached CSRF token');
             return cachedToken;
         }
         // Deduplicate concurrent CSRF token fetches
         const existingPromise = this.tokenStore.getCsrfTokenFetchPromise();
         if (existingPromise) {
-            if (isDev())
-                console.log('[HttpService] Waiting for existing CSRF fetch');
+            this.logger.debug('Waiting for existing CSRF fetch');
             return existingPromise;
         }
         const fetchPromise = (async () => {
             const maxAttempts = 2;
             for (let attempt = 1; attempt <= maxAttempts; attempt++) {
                 try {
-                    if (isDev())
-                        console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
+                    this.logger.debug('Fetching CSRF token from:', `${this.baseURL}/csrf-token`, `(attempt ${attempt})`);
                     // Use AbortController for timeout (more compatible than AbortSignal.timeout)
                     const controller = new AbortController();
                     const timeoutId = setTimeout(() => controller.abort(), 5000);
@@ -436,12 +598,10 @@ export class HttpService {
                         signal: controller.signal,
                     });
                     clearTimeout(timeoutId);
-                    if (isDev())
-                        console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
+                    this.logger.debug('CSRF fetch response:', response.status, response.ok);
                     if (response.ok) {
                         const data = await response.json();
-                        if (isDev())
-                            console.log('[HttpService] CSRF response data:', data);
+                        this.logger.debug('CSRF response data:', data);
                         const token = data.csrfToken || null;
                         this.tokenStore.setCsrfToken(token);
                         this.logger.debug('CSRF token fetched');
@@ -454,13 +614,11 @@ export class HttpService {
                         this.logger.debug('CSRF token from header');
                         return headerToken;
                     }
-                    if (isDev())
-                        console.log('[HttpService] CSRF fetch failed with status:', response.status);
+                    this.logger.debug('CSRF fetch failed with status:', response.status);
                     this.logger.warn('Failed to fetch CSRF token:', response.status);
                 }
                 catch (error) {
-                    if (isDev())
-                        console.log('[HttpService] CSRF fetch error:', error);
+                    this.logger.debug('CSRF fetch error:', error);
                     this.logger.warn('CSRF token fetch error:', error);
                 }
                 // Wait before retry (500ms)
@@ -619,6 +777,24 @@ export class HttpService {
     clearCacheEntry(key) {
         this.cache.delete(key);
     }
+    /**
+     * Delete every cache entry whose key starts with `prefix`.
+     *
+     * Used by mutations that don't know the exact downstream cache keys —
+     * e.g. `updateProfile` invalidating all `GET:/session/user/*` entries
+     * without having to track every active session ID. Returns the number of
+     * deleted entries (for observability in tests).
+     */
+    clearCacheByPrefix(prefix) {
+        let removed = 0;
+        for (const key of this.cache.keys()) {
+            if (key.startsWith(prefix)) {
+                this.cache.delete(key);
+                removed++;
+            }
+        }
+        return removed;
+    }
     getCacheStats() {
         const cacheStats = this.cache.getStats();
         const total = this.requestMetrics.cacheHits + this.requestMetrics.cacheMisses;

package/dist/esm/OxyServices.base.js

@@ -75,6 +75,15 @@ export class OxyServicesBase {
     clearCacheEntry(key) {
         this.httpService.clearCacheEntry(key);
     }
+    /**
+     * Clear every cache entry whose key starts with `prefix`.
+     * Useful for mutations that invalidate a family of GET responses
+     * without enumerating each one (e.g. all session-user lookups after
+     * a profile update).
+     */
+    clearCacheByPrefix(prefix) {
+        return this.httpService.clearCacheByPrefix(prefix);
+    }
     /**
      * Get cache statistics
      */

package/dist/esm/OxyServices.js

@@ -34,9 +34,14 @@ import { composeOxyServices } from './mixins/index.js';
  * });
  * ```
  */
-// Compose all mixins into the final OxyServices class
+// Compose all mixins into the final OxyServices class. The composed runtime
+// class augments OxyServicesBase with every mixin's methods (see mixins/index.ts).
+// Statically, TypeScript sees this as a constructor producing OxyServicesBase;
+// the additional methods are exposed via interface merging on `OxyServices` below.
 const OxyServicesComposed = composeOxyServices();
-// Export as a named class to avoid TypeScript issues with anonymous class types
+// Export as a named class to avoid TypeScript issues with anonymous class types.
+// We extend the composed constructor directly — its public surface is broadened
+// to the full mixin set via the interface declaration that follows.
 export class OxyServices extends OxyServicesComposed {
     constructor(config) {
         super(config);
@@ -45,7 +50,7 @@ export class OxyServices extends OxyServicesComposed {
 // Re-export error classes for convenience
 export { OxyAuthenticationError, OxyAuthenticationTimeoutError };
 /**
- * Export the default Oxy Cloud URL (for backward compatibility)
+ * Default Oxy Cloud URL — used when no `cloudURL` is provided to OxyServices.
  */
 export const OXY_CLOUD_URL = 'https://cloud.oxy.so';
 /**

package/dist/esm/crypto/index.js

@@ -6,7 +6,7 @@
  */
 // Import polyfills first - this ensures Buffer is available for bip39 and other libraries
 import './polyfill.js';
-export { KeyManager } from './keyManager.js';
+export { KeyManager, IdentityAlreadyExistsError, IdentityPersistError, } from './keyManager.js';
 export { SignatureService } from './signatureService.js';
 export { RecoveryPhraseService } from './recoveryPhrase.js';
 // Re-export for convenience