@oxyhq/core 1.11.13 → 1.11.15

package/dist/cjs/index.js

@@ -29,8 +29,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isNetworkError = exports.isServerError = exports.isRateLimitError = exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.DeviceManager = exports.TopicSource = exports.TopicType = exports.IdentityPersistError = exports.IdentityAlreadyExistsError = exports.RecoveryPhraseService = exports.SignatureService = exports.KeyManager = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
-exports.formatPublicKeyHandle = exports.getAccountFallbackHandle = exports.getAccountDisplayName = exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = exports.calculateBackoffInterval = exports.createCircuitBreakerState = exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = void 0;
+exports.isRateLimitError = exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.isRTLLocale = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.DeviceManager = exports.TopicSource = exports.TopicType = exports.IdentityPersistError = exports.IdentityAlreadyExistsError = exports.RecoveryPhraseService = exports.SignatureService = exports.KeyManager = exports.ServiceCredentialMismatchError = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
+exports.formatPublicKeyHandle = exports.getAccountFallbackHandle = exports.getAccountDisplayName = exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = exports.calculateBackoffInterval = exports.createCircuitBreakerState = exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = exports.isNetworkError = exports.isServerError = void 0;
 // Ensure crypto polyfills are loaded before anything else
 require("./crypto/polyfill");
 // --- Core API Client ---
@@ -48,6 +48,8 @@ Object.defineProperty(exports, "createAuthManager", { enumerable: true, get: fun
 var CrossDomainAuth_1 = require("./CrossDomainAuth");
 Object.defineProperty(exports, "CrossDomainAuth", { enumerable: true, get: function () { return CrossDomainAuth_1.CrossDomainAuth; } });
 Object.defineProperty(exports, "createCrossDomainAuth", { enumerable: true, get: function () { return CrossDomainAuth_1.createCrossDomainAuth; } });
+var OxyServices_auth_1 = require("./mixins/OxyServices.auth");
+Object.defineProperty(exports, "ServiceCredentialMismatchError", { enumerable: true, get: function () { return OxyServices_auth_1.ServiceCredentialMismatchError; } });
 // --- Crypto / Identity ---
 var crypto_1 = require("./crypto");
 Object.defineProperty(exports, "KeyManager", { enumerable: true, get: function () { return crypto_1.KeyManager; } });
@@ -71,6 +73,7 @@ Object.defineProperty(exports, "getLanguageMetadata", { enumerable: true, get: f
 Object.defineProperty(exports, "getLanguageName", { enumerable: true, get: function () { return languageUtils_1.getLanguageName; } });
 Object.defineProperty(exports, "getNativeLanguageName", { enumerable: true, get: function () { return languageUtils_1.getNativeLanguageName; } });
 Object.defineProperty(exports, "normalizeLanguageCode", { enumerable: true, get: function () { return languageUtils_1.normalizeLanguageCode; } });
+Object.defineProperty(exports, "isRTLLocale", { enumerable: true, get: function () { return languageUtils_1.isRTLLocale; } });
 // --- Platform Detection ---
 var platform_1 = require("./utils/platform");
 Object.defineProperty(exports, "getPlatformOS", { enumerable: true, get: function () { return platform_1.getPlatformOS; } });

package/dist/cjs/mixins/OxyServices.auth.js

@@ -1,43 +1,92 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServiceCredentialMismatchError = void 0;
 exports.OxyServicesAuthMixin = OxyServicesAuthMixin;
 const OxyServices_errors_1 = require("../OxyServices.errors");
+const platformCrypto_1 = require("../utils/platformCrypto");
+const loggerUtils_1 = require("../utils/loggerUtils");
+/**
+ * Sentinel error raised when getServiceToken() is called with a known apiKey
+ * but a non-matching secret. Indicates either credential drift in the caller
+ * or a cross-tenant cache lookup attempt. Surface as a 401-equivalent.
+ */
+class ServiceCredentialMismatchError extends Error {
+    constructor() {
+        super('Service credential mismatch: provided secret does not match the secret stored for this apiKey');
+        this.name = 'ServiceCredentialMismatchError';
+    }
+}
+exports.ServiceCredentialMismatchError = ServiceCredentialMismatchError;
 function OxyServicesAuthMixin(Base) {
     return class extends Base {
         constructor(...args) {
             super(...args);
-            /** @internal */ this._serviceToken = null;
-            /** @internal */ this._serviceTokenExp = 0;
-            /** @internal */ this._serviceApiKey = null;
-            /** @internal */ this._serviceApiSecret = null;
             /**
-             * In-flight promise for service token fetch. Used to deduplicate concurrent
-             * calls to getServiceToken() — pattern mirrors AuthManager.refreshToken().
+             * Per-credential token cache.
+             *
+             * Keyed by SHA-256(apiKey). Each entry carries:
+             *   - the issued service JWT
+             *   - its expiry timestamp
+             *   - the secret that produced it (Buffer for constant-time compare)
+             *   - an optional in-flight promise to deduplicate concurrent refreshes
+             *
+             * The previous implementation kept ONE token/exp pair per OxyServices
+             * instance. That meant calling `getServiceToken(keyA, secretA)` populated
+             * the cache, and a subsequent `getServiceToken(keyB, secretB)` (different
+             * tenant) would receive tenant A's token. This is fixed by routing every
+             * lookup through the Map.
+             *
              * @internal
              */
-            this._serviceTokenPromise = null;
+            this._serviceTokenCache = new Map();
+            /** @internal Raw apiKey stored by configureServiceAuth() for use by getServiceToken() */
+            this._serviceApiKey = null;
+            /** @internal Raw apiSecret stored by configureServiceAuth() for use by getServiceToken() */
+            this._serviceApiSecret = null;
+        }
+        /**
+         * Hash an apiKey into a stable Map cache key. Uses Node's SHA-256 — service
+         * tokens are only ever issued by a Node host (the SDK on web/RN never has
+         * the apiSecret in the first place), so we can rely on Node crypto here.
+         *
+         * @internal
+         */
+        async _hashApiKey(apiKey) {
+            const nodeCrypto = await (0, platformCrypto_1.loadNodeCrypto)();
+            return nodeCrypto.createHash('sha256').update(apiKey).digest('hex');
         }
         /**
          * Configure service credentials for internal service-to-service communication.
          * Call this once at startup so that getServiceToken() and makeServiceRequest()
          * can automatically obtain and refresh tokens.
          *
+         * Calling this with credentials that differ from a previously-configured pair
+         * is allowed — each `(apiKey, apiSecret)` pair is cached independently, so
+         * legitimate multi-tenant hosts that need to switch credentials cannot leak
+         * one tenant's token to another tenant on the same instance.
+         *
          * @param apiKey - DeveloperApp API key (oxy_dk_*)
          * @param apiSecret - DeveloperApp API secret
          */
         configureServiceAuth(apiKey, apiSecret) {
             this._serviceApiKey = apiKey;
             this._serviceApiSecret = apiSecret;
-            // Invalidate any cached token
-            this._serviceToken = null;
-            this._serviceTokenExp = 0;
         }
         /**
          * Get a service token for internal service-to-service communication.
-         * Tokens are short-lived (1h) and automatically cached/refreshed.
+         * Tokens are short-lived (1h) and automatically cached/refreshed per
+         * `(apiKey, apiSecret)` pair.
+         *
+         * Concurrent callers for the same credential pair share a single in-flight
+         * request to avoid hammering `/auth/service-token` when the cache is empty
+         * or expired.
          *
-         * Concurrent callers share a single in-flight request to avoid hammering
-         * `/auth/service-token` when the cache is empty or expired.
+         * **Security guarantee:** if the cache already holds a token for this
+         * apiKey but the supplied apiSecret does not constant-time match the
+         * secret that originally produced that token, this method throws
+         * `ServiceCredentialMismatchError` instead of returning the cached token.
+         * This prevents an attacker who learned a peer's apiKey from extracting
+         * their service token by polling with a wrong secret.
          *
          * @param apiKey - DeveloperApp API key (optional if configureServiceAuth was called)
          * @param apiSecret - DeveloperApp API secret (optional if configureServiceAuth was called)
@@ -48,20 +97,62 @@ function OxyServicesAuthMixin(Base) {
             if (!key || !secret) {
                 throw new Error('Service credentials not provided. Call configureServiceAuth() or pass apiKey and apiSecret.');
             }
-            // Return cached token if still valid (with 60s buffer)
-            if (this._serviceToken && this._serviceTokenExp > Date.now() + 60000) {
-                return this._serviceToken;
-            }
-            // If a fetch is already in-flight, share the same promise
-            if (this._serviceTokenPromise) {
-                return this._serviceTokenPromise;
+            const cacheKey = await this._hashApiKey(key);
+            const now = Date.now();
+            const providedSecretBuf = Buffer.from(secret, 'utf8');
+            let entry = this._serviceTokenCache.get(cacheKey);
+            // Verify the secret on every cache hit, regardless of token freshness.
+            // Constant-time compare prevents timing oracles on the stored secret.
+            if (entry) {
+                const nodeCrypto = await (0, platformCrypto_1.loadNodeCrypto)();
+                const storedSecretBuf = entry.secretBuf;
+                const lengthMatch = storedSecretBuf.length === providedSecretBuf.length;
+                // Always run timingSafeEqual on equal-length inputs to keep timing flat.
+                // When lengths differ, run against a zero-padded copy of the same length
+                // to avoid an early-return timing signal.
+                const compareBuf = lengthMatch
+                    ? providedSecretBuf
+                    : Buffer.alloc(storedSecretBuf.length);
+                const compareResult = nodeCrypto.timingSafeEqual(storedSecretBuf, compareBuf);
+                if (!lengthMatch || !compareResult) {
+                    loggerUtils_1.logger.warn('[oxy.auth] Service token cache hit with mismatched secret', {
+                        component: 'auth',
+                        method: 'getServiceToken',
+                    });
+                    throw new ServiceCredentialMismatchError();
+                }
+                // Return cached token if still valid (with 60s buffer for clock drift)
+                if (entry.token && entry.expiresAt > now + 60000) {
+                    return entry.token;
+                }
+                // If a fetch is already in-flight for this credential, share its result
+                if (entry.pending) {
+                    return entry.pending;
+                }
             }
-            this._serviceTokenPromise = this._doFetchServiceToken(key, secret);
+            else {
+                // First time seeing this apiKey on this instance — seed an empty entry
+                // so concurrent callers serialize on the same promise.
+                entry = {
+                    token: '',
+                    expiresAt: 0,
+                    secretBuf: providedSecretBuf,
+                    pending: null,
+                };
+                this._serviceTokenCache.set(cacheKey, entry);
+            }
+            const pending = this._doFetchServiceToken(key, secret, cacheKey, providedSecretBuf);
+            entry.pending = pending;
             try {
-                return await this._serviceTokenPromise;
+                return await pending;
             }
             finally {
-                this._serviceTokenPromise = null;
+                // Clear the in-flight slot; the entry itself (with fresh token / expiry)
+                // is updated inside _doFetchServiceToken before we land here.
+                const settled = this._serviceTokenCache.get(cacheKey);
+                if (settled) {
+                    settled.pending = null;
+                }
             }
         }
         /**
@@ -69,11 +160,26 @@ function OxyServicesAuthMixin(Base) {
          * Separated so getServiceToken() can deduplicate concurrent calls.
          * @internal
          */
-        async _doFetchServiceToken(key, secret) {
+        async _doFetchServiceToken(key, secret, cacheKey, secretBuf) {
             const response = await this.makeRequest('POST', '/auth/service-token', { apiKey: key, apiSecret: secret }, { cache: false, retry: false });
-            this._serviceToken = response.token;
-            this._serviceTokenExp = Date.now() + response.expiresIn * 1000;
-            return this._serviceToken;
+            const expiresAt = Date.now() + response.expiresIn * 1000;
+            // Update the entry in-place so any caller that already grabbed a reference
+            // (via `_serviceTokenCache.get(...)`) sees the fresh state.
+            const entry = this._serviceTokenCache.get(cacheKey);
+            if (entry) {
+                entry.token = response.token;
+                entry.expiresAt = expiresAt;
+                entry.secretBuf = secretBuf;
+            }
+            else {
+                this._serviceTokenCache.set(cacheKey, {
+                    token: response.token,
+                    expiresAt,
+                    secretBuf,
+                    pending: null,
+                });
+            }
+            return response.token;
         }
         /**
          * Make an authenticated request on behalf of a user using a service token.

package/dist/cjs/mixins/OxyServices.popup.js

@@ -172,8 +172,48 @@ function OxyServicesPopupAuthMixin(Base) {
                 document.body.appendChild(iframe);
                 try {
                     const session = await this.waitForIframeAuth(iframe, timeout, clientId);
-                    if (session && session.accessToken) {
-                        this.httpService.setTokens(session.accessToken);
+                    // Bail early on incomplete responses. The iframe contract requires
+                    // both an access token and a session id; anything less is unusable.
+                    // Returning `null` here (without installing the token) prevents a
+                    // stale credential from being committed to HttpService when the
+                    // user is actually signed out — that pattern caused a `getCurrentUser`
+                    // -> 401 -> token-clear loop in consumer apps because callers gated
+                    // on `session?.user` and never installed the user via
+                    // `handleAuthSuccess`, while HttpService quietly held the token.
+                    const accessToken = session ? session.accessToken : undefined;
+                    if (!session || !accessToken || !session.sessionId) {
+                        return null;
+                    }
+                    // Snapshot the previous token so we can roll back if the user
+                    // lookup below fails — this avoids leaving a half-committed session
+                    // (token installed, user missing) which would let the next
+                    // authenticated request 401 with no way to recover.
+                    const previousAccessToken = this.httpService.getAccessToken();
+                    this.httpService.setTokens(accessToken);
+                    // The iframe typically returns `{ sessionId, accessToken }` without
+                    // user data. Fetch the user explicitly so callers receive a
+                    // fully-formed session and never need a second `/users/me` round
+                    // trip. If this fails the session is unusable — revert the token
+                    // and return null so the caller treats this exactly like a
+                    // missing-session response.
+                    if (!session.user) {
+                        try {
+                            const userData = await this.makeRequest('GET', `/session/user/${session.sessionId}`, undefined, { cache: false, retry: false });
+                            if (!userData) {
+                                throw new Error('Empty user response');
+                            }
+                            session.user = userData;
+                        }
+                        catch (userError) {
+                            debug.warn('silentSignIn: failed to fetch user data, rolling back token', userError);
+                            if (previousAccessToken) {
+                                this.httpService.setTokens(previousAccessToken);
+                            }
+                            else {
+                                this.httpService.clearTokens();
+                            }
+                            return null;
+                        }
                     }
                     return session;
                 }