@oxyhq/core 1.11.12 → 1.11.14

package/dist/esm/mixins/OxyServices.auth.js

@@ -1,31 +1,87 @@
 import { OxyAuthenticationError } from '../OxyServices.errors.js';
+import { loadNodeCrypto } from '../utils/platformCrypto.js';
+import { logger } from '../utils/loggerUtils.js';
+/**
+ * Sentinel error raised when getServiceToken() is called with a known apiKey
+ * but a non-matching secret. Indicates either credential drift in the caller
+ * or a cross-tenant cache lookup attempt. Surface as a 401-equivalent.
+ */
+export class ServiceCredentialMismatchError extends Error {
+    constructor() {
+        super('Service credential mismatch: provided secret does not match the secret stored for this apiKey');
+        this.name = 'ServiceCredentialMismatchError';
+    }
+}
 export function OxyServicesAuthMixin(Base) {
     return class extends Base {
         constructor(...args) {
             super(...args);
-            /** @internal */ this._serviceToken = null;
-            /** @internal */ this._serviceTokenExp = 0;
-            /** @internal */ this._serviceApiKey = null;
-            /** @internal */ this._serviceApiSecret = null;
+            /**
+             * Per-credential token cache.
+             *
+             * Keyed by SHA-256(apiKey). Each entry carries:
+             *   - the issued service JWT
+             *   - its expiry timestamp
+             *   - the secret that produced it (Buffer for constant-time compare)
+             *   - an optional in-flight promise to deduplicate concurrent refreshes
+             *
+             * The previous implementation kept ONE token/exp pair per OxyServices
+             * instance. That meant calling `getServiceToken(keyA, secretA)` populated
+             * the cache, and a subsequent `getServiceToken(keyB, secretB)` (different
+             * tenant) would receive tenant A's token. This is fixed by routing every
+             * lookup through the Map.
+             *
+             * @internal
+             */
+            this._serviceTokenCache = new Map();
+            /** @internal Raw apiKey stored by configureServiceAuth() for use by getServiceToken() */
+            this._serviceApiKey = null;
+            /** @internal Raw apiSecret stored by configureServiceAuth() for use by getServiceToken() */
+            this._serviceApiSecret = null;
+        }
+        /**
+         * Hash an apiKey into a stable Map cache key. Uses Node's SHA-256 — service
+         * tokens are only ever issued by a Node host (the SDK on web/RN never has
+         * the apiSecret in the first place), so we can rely on Node crypto here.
+         *
+         * @internal
+         */
+        async _hashApiKey(apiKey) {
+            const nodeCrypto = await loadNodeCrypto();
+            return nodeCrypto.createHash('sha256').update(apiKey).digest('hex');
         }
         /**
          * Configure service credentials for internal service-to-service communication.
          * Call this once at startup so that getServiceToken() and makeServiceRequest()
          * can automatically obtain and refresh tokens.
          *
+         * Calling this with credentials that differ from a previously-configured pair
+         * is allowed — each `(apiKey, apiSecret)` pair is cached independently, so
+         * legitimate multi-tenant hosts that need to switch credentials cannot leak
+         * one tenant's token to another tenant on the same instance.
+         *
          * @param apiKey - DeveloperApp API key (oxy_dk_*)
          * @param apiSecret - DeveloperApp API secret
          */
         configureServiceAuth(apiKey, apiSecret) {
             this._serviceApiKey = apiKey;
             this._serviceApiSecret = apiSecret;
-            // Invalidate any cached token
-            this._serviceToken = null;
-            this._serviceTokenExp = 0;
         }
         /**
          * Get a service token for internal service-to-service communication.
-         * Tokens are short-lived (1h) and automatically cached/refreshed.
+         * Tokens are short-lived (1h) and automatically cached/refreshed per
+         * `(apiKey, apiSecret)` pair.
+         *
+         * Concurrent callers for the same credential pair share a single in-flight
+         * request to avoid hammering `/auth/service-token` when the cache is empty
+         * or expired.
+         *
+         * **Security guarantee:** if the cache already holds a token for this
+         * apiKey but the supplied apiSecret does not constant-time match the
+         * secret that originally produced that token, this method throws
+         * `ServiceCredentialMismatchError` instead of returning the cached token.
+         * This prevents an attacker who learned a peer's apiKey from extracting
+         * their service token by polling with a wrong secret.
          *
          * @param apiKey - DeveloperApp API key (optional if configureServiceAuth was called)
          * @param apiSecret - DeveloperApp API secret (optional if configureServiceAuth was called)
@@ -36,14 +92,89 @@ export function OxyServicesAuthMixin(Base) {
             if (!key || !secret) {
                 throw new Error('Service credentials not provided. Call configureServiceAuth() or pass apiKey and apiSecret.');
             }
-            // Return cached token if still valid (with 60s buffer)
-            if (this._serviceToken && this._serviceTokenExp > Date.now() + 60000) {
-                return this._serviceToken;
+            const cacheKey = await this._hashApiKey(key);
+            const now = Date.now();
+            const providedSecretBuf = Buffer.from(secret, 'utf8');
+            let entry = this._serviceTokenCache.get(cacheKey);
+            // Verify the secret on every cache hit, regardless of token freshness.
+            // Constant-time compare prevents timing oracles on the stored secret.
+            if (entry) {
+                const nodeCrypto = await loadNodeCrypto();
+                const storedSecretBuf = entry.secretBuf;
+                const lengthMatch = storedSecretBuf.length === providedSecretBuf.length;
+                // Always run timingSafeEqual on equal-length inputs to keep timing flat.
+                // When lengths differ, run against a zero-padded copy of the same length
+                // to avoid an early-return timing signal.
+                const compareBuf = lengthMatch
+                    ? providedSecretBuf
+                    : Buffer.alloc(storedSecretBuf.length);
+                const compareResult = nodeCrypto.timingSafeEqual(storedSecretBuf, compareBuf);
+                if (!lengthMatch || !compareResult) {
+                    logger.warn('[oxy.auth] Service token cache hit with mismatched secret', {
+                        component: 'auth',
+                        method: 'getServiceToken',
+                    });
+                    throw new ServiceCredentialMismatchError();
+                }
+                // Return cached token if still valid (with 60s buffer for clock drift)
+                if (entry.token && entry.expiresAt > now + 60000) {
+                    return entry.token;
+                }
+                // If a fetch is already in-flight for this credential, share its result
+                if (entry.pending) {
+                    return entry.pending;
+                }
             }
+            else {
+                // First time seeing this apiKey on this instance — seed an empty entry
+                // so concurrent callers serialize on the same promise.
+                entry = {
+                    token: '',
+                    expiresAt: 0,
+                    secretBuf: providedSecretBuf,
+                    pending: null,
+                };
+                this._serviceTokenCache.set(cacheKey, entry);
+            }
+            const pending = this._doFetchServiceToken(key, secret, cacheKey, providedSecretBuf);
+            entry.pending = pending;
+            try {
+                return await pending;
+            }
+            finally {
+                // Clear the in-flight slot; the entry itself (with fresh token / expiry)
+                // is updated inside _doFetchServiceToken before we land here.
+                const settled = this._serviceTokenCache.get(cacheKey);
+                if (settled) {
+                    settled.pending = null;
+                }
+            }
+        }
+        /**
+         * Perform the actual /auth/service-token request and cache the result.
+         * Separated so getServiceToken() can deduplicate concurrent calls.
+         * @internal
+         */
+        async _doFetchServiceToken(key, secret, cacheKey, secretBuf) {
             const response = await this.makeRequest('POST', '/auth/service-token', { apiKey: key, apiSecret: secret }, { cache: false, retry: false });
-            this._serviceToken = response.token;
-            this._serviceTokenExp = Date.now() + response.expiresIn * 1000;
-            return this._serviceToken;
+            const expiresAt = Date.now() + response.expiresIn * 1000;
+            // Update the entry in-place so any caller that already grabbed a reference
+            // (via `_serviceTokenCache.get(...)`) sees the fresh state.
+            const entry = this._serviceTokenCache.get(cacheKey);
+            if (entry) {
+                entry.token = response.token;
+                entry.expiresAt = expiresAt;
+                entry.secretBuf = secretBuf;
+            }
+            else {
+                this._serviceTokenCache.set(cacheKey, {
+                    token: response.token,
+                    expiresAt,
+                    secretBuf,
+                    pending: null,
+                });
+            }
+            return response.token;
         }
         /**
          * Make an authenticated request on behalf of a user using a service token.

package/dist/esm/mixins/OxyServices.contacts.js

@@ -0,0 +1,47 @@
+/**
+ * Contact Discovery Mixin
+ *
+ * Privacy-preserving discovery of which address-book contacts are on Oxy.
+ *
+ * The client hashes emails and phones locally before calling the API.
+ * The server responds with only Oxy user IDs and the hashes that matched,
+ * so the consumer can map each match back to the local contact that
+ * produced it.
+ *
+ * Hashing rules (must match the server `utils/contactHash.ts` exactly):
+ *   - SHA-256, hex-encoded, lowercase
+ *   - Email: `value.trim().toLowerCase()` then digest
+ *   - Phone: trim → keep a single leading "+" → strip non-digits → prepend "+"
+ *     if missing → digest
+ *
+ * Mobile clients can compute these digests with `expo-crypto`'s
+ * `digestStringAsync(SHA256, value, { encoding: HEX })`. Web clients should
+ * use `SubtleCrypto.digest('SHA-256', ...)`.
+ */
+export function OxyServicesContactsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Discover which of the caller's contacts are on Oxy.
+         *
+         * @param hashedEmails - SHA-256 hex digests of normalized emails.
+         * @param hashedPhones - SHA-256 hex digests of normalized phone numbers.
+         * @returns Matches mapping each hashed identifier to the Oxy user ID it
+         *   resolved to. Empty arrays are valid for either parameter, but at
+         *   least one must be non-empty.
+         *
+         * The server enforces a 200-hash cap per channel per request — callers
+         * should batch larger address books client-side.
+         */
+        async discoverContacts(hashedEmails, hashedPhones) {
+            try {
+                return await this.makeRequest('POST', '/contacts/discover', { hashedEmails, hashedPhones }, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/OxyServices.features.js

@@ -291,16 +291,5 @@ export function OxyServicesFeaturesMixin(Base) {
                 throw this.handleError(error);
             }
         }
-        // ==================
-        // ACCOUNT
-        // ==================
-        /**
-         * Delete user account (requires password confirmation)
-         */
-        async deleteAccount(password) {
-            return this.withAuthRetry(async () => {
-                await this.makeRequest('DELETE', '/account', { password }, { cache: false });
-            }, 'deleteAccount');
-        }
     };
 }

package/dist/esm/mixins/OxyServices.fedcm.js

@@ -311,10 +311,11 @@ export function OxyServicesFedCMMixin(Base) {
                                     {
                                         configURL: options.configURL,
                                         clientId: options.clientId,
-                                        // Send nonce at both levels for backward compatibility
-                                        nonce: options.nonce, // For older browsers
+                                        // Older browsers read `nonce` at the top level; Chrome 145+
+                                        // expects it inside `params`. Send both for full coverage.
+                                        nonce: options.nonce,
                                         params: {
-                                            nonce: options.nonce, // For Chrome 145+
+                                            nonce: options.nonce,
                                         },
                                         ...(options.loginHint && { loginHint: options.loginHint }),
                                     },

package/dist/esm/mixins/OxyServices.language.js

@@ -2,6 +2,7 @@
  * Language Methods Mixin
  */
 import { normalizeLanguageCode, getLanguageMetadata, getLanguageName, getNativeLanguageName } from '../utils/languageUtils.js';
+import { loadAsyncStorage } from '../utils/platformCrypto.js';
 import { isDev } from '../shared/utils/debugUtils.js';
 export function OxyServicesLanguageMixin(Base) {
     return class extends Base {
@@ -15,9 +16,10 @@ export function OxyServicesLanguageMixin(Base) {
             const isReactNative = typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
             if (isReactNative) {
                 try {
-                    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
-                    const moduleName = '@react-native-async-storage/async-storage';
-                    const asyncStorageModule = await import(/* @vite-ignore */ moduleName);
+                    // `loadAsyncStorage` is per-platform: the RN variant statically imports
+                    // @react-native-async-storage/async-storage, the default variant throws
+                    // (never called outside RN because of the `isReactNative` gate above).
+                    const asyncStorageModule = await loadAsyncStorage();
                     const storage = asyncStorageModule.default;
                     return {
                         getItem: storage.getItem.bind(storage),

package/dist/esm/mixins/OxyServices.redirect.js

@@ -149,12 +149,16 @@ export function OxyServicesRedirectAuthMixin(Base) {
                 // Store tokens
                 this.storeTokens(accessToken, sessionId);
                 this.httpService.setTokens(accessToken);
-                // Build session response (minimal - we'll fetch full user data separately)
+                // Build session response (minimal — full user data is fetched separately
+                // by the caller via getCurrentUser() once tokens are stored).
                 const session = {
                     sessionId,
                     deviceId: '', // Not available in redirect flow
                     expiresAt: expiresAt || new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-                    user: {}, // Will be fetched separately
+                    // Placeholder user — caller MUST fetch real user data via getCurrentUser()
+                    // before exposing this session to the application. The empty id signals
+                    // that the user payload has not yet been populated.
+                    user: { id: '', username: '' },
                 };
                 // Clean up URL (remove auth parameters)
                 this.cleanAuthCallbackUrl(url);

package/dist/esm/mixins/OxyServices.security.js

@@ -20,8 +20,19 @@ export function OxyServicesSecurityMixin(Base) {
                     params.offset = offset;
                 if (eventType)
                     params.eventType = eventType;
-                const response = await this.makeRequest('GET', '/security/activity', params, { cache: false });
-                return response;
+                // The API responds with the standard paginated envelope:
+                //   { data: SecurityActivity[], pagination: { total, limit, offset, hasMore } }
+                // SecurityActivityResponse is the flattened shape consumers expect.
+                const raw = await this.makeRequest('GET', '/security/activity', params, { cache: false });
+                const requestedLimit = typeof params.limit === 'number' ? params.limit : 0;
+                const requestedOffset = typeof params.offset === 'number' ? params.offset : 0;
+                return {
+                    data: raw.data ?? [],
+                    total: raw.pagination?.total ?? raw.data?.length ?? 0,
+                    limit: raw.pagination?.limit ?? requestedLimit,
+                    offset: raw.pagination?.offset ?? requestedOffset,
+                    hasMore: raw.pagination?.hasMore ?? false,
+                };
             }
             catch (error) {
                 throw this.handleError(error);

package/dist/esm/mixins/OxyServices.user.js

@@ -1,4 +1,6 @@
 import { buildSearchParams, buildPaginationParams } from '../utils/apiUtils.js';
+import { KeyManager } from '../crypto/keyManager.js';
+import { SignatureService } from '../crypto/signatureService.js';
 export function OxyServicesUserMixin(Base) {
     return class extends Base {
         constructor(...args) {
@@ -41,37 +43,22 @@ export function OxyServicesUserMixin(Base) {
                     cache: true,
                     cacheTTL: 2 * 60 * 1000, // 2 minutes cache
                 });
-                // New API shape: { data: User[], pagination: {...} }
-                const isSearchProfilesResponse = (payload) => typeof payload === 'object' &&
-                    payload !== null &&
-                    Array.isArray(payload.data);
-                if (isSearchProfilesResponse(response)) {
-                    const typedResponse = response;
-                    const paginationInfo = typedResponse.pagination ?? {
-                        total: typedResponse.data.length,
-                        limit: pagination?.limit ?? typedResponse.data.length,
-                        offset: pagination?.offset ?? 0,
-                        hasMore: typedResponse.data.length === (pagination?.limit ?? typedResponse.data.length) &&
-                            (pagination?.limit ?? typedResponse.data.length) > 0,
-                    };
-                    return {
-                        data: typedResponse.data,
-                        pagination: paginationInfo,
-                    };
+                if (typeof response !== 'object' ||
+                    response === null ||
+                    !Array.isArray(response.data)) {
+                    throw new Error('Unexpected search response format');
                 }
-                // Legacy API shape: returns raw User[]
-                if (Array.isArray(response)) {
-                    const fallbackLimit = pagination?.limit ?? response.length;
-                    const fallbackPagination = {
-                        total: response.length,
-                        limit: fallbackLimit,
-                        offset: pagination?.offset ?? 0,
-                        hasMore: fallbackLimit > 0 && response.length === fallbackLimit,
-                    };
-                    return { data: response, pagination: fallbackPagination };
-                }
-                // If response is unexpected, throw an error
-                throw new Error('Unexpected search response format');
+                const paginationInfo = response.pagination ?? {
+                    total: response.data.length,
+                    limit: pagination?.limit ?? response.data.length,
+                    offset: pagination?.offset ?? 0,
+                    hasMore: response.data.length === (pagination?.limit ?? response.data.length) &&
+                        (pagination?.limit ?? response.data.length) > 0,
+                };
+                return {
+                    data: response.data,
+                    pagination: paginationInfo,
+                };
             }
             catch (error) {
                 throw this.handleError(error);
@@ -153,12 +140,31 @@ export function OxyServicesUserMixin(Base) {
             }, 'getCurrentUser');
         }
         /**
-         * Update user profile
-         * TanStack Query handles offline queuing automatically
+         * Update user profile.
+         *
+         * Invalidates the SDK-side response cache for every endpoint that
+         * returns the current user (`GET /users/me`, `GET /session/user/*`,
+         * `GET /users/<id>`, `GET /profiles/username/*`) so the next read
+         * doesn't return a stale snapshot. Without this, a follow-up
+         * `getUserBySession` call inside the 2-minute cache window can return
+         * the pre-update user — most visibly during onboarding, where it
+         * causes the username step to flicker back as if nothing was saved.
+         *
+         * TanStack Query handles offline queuing automatically.
          */
         async updateProfile(updates) {
             try {
-                return await this.makeRequest('PUT', '/users/me', updates, { cache: false });
+                const result = await this.makeRequest('PUT', '/users/me', updates, { cache: false });
+                // Bust every cached representation of the current user. We use a
+                // prefix sweep rather than an enumeration because the SDK never
+                // tracks the set of active session IDs centrally.
+                this.clearCacheByPrefix('GET:/session/user/');
+                this.clearCacheByPrefix('GET:/users/me');
+                this.clearCacheByPrefix('GET:/profiles/username/');
+                if (result?.id) {
+                    this.clearCacheEntry(`GET:/users/${result.id}`);
+                }
+                return result;
             }
             catch (error) {
                 const errorAny = error;
@@ -242,14 +248,29 @@ export function OxyServicesUserMixin(Base) {
             }
         }
         /**
-         * Delete account permanently
-         * @param password - User password for confirmation
-         * @param confirmText - Confirmation text (usually username)
+         * Delete account permanently.
+         *
+         * Signs `delete:{publicKey}:{timestamp}` with the locally-stored identity
+         * private key and submits the signature alongside the confirmation text
+         * (must equal the user's username). The signature is the cryptographic
+         * proof of ownership — only the device holding the private key can issue
+         * a valid signature, so no password is required.
+         *
+         * @param confirmText - Must equal the user's username (verified server-side)
+         * @throws If no identity is stored on this device, or signing fails
          */
-        async deleteAccount(password, confirmText) {
+        async deleteAccount(confirmText) {
             try {
+                const publicKey = await KeyManager.getPublicKey();
+                if (!publicKey) {
+                    throw new Error('No identity found on this device. Account deletion requires the device that holds your identity key.');
+                }
+                const timestamp = Date.now();
+                const message = `delete:${publicKey}:${timestamp}`;
+                const signature = await SignatureService.sign(message);
                 return await this.makeRequest('DELETE', '/users/me', {
-                    password,
+                    signature,
+                    timestamp,
                     confirmText,
                 }, { cache: false });
             }