@oxyhq/core 1.11.14 → 1.11.16

package/dist/cjs/index.js

@@ -29,8 +29,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isRateLimitError = exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.isRTLLocale = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.DeviceManager = exports.TopicSource = exports.TopicType = exports.IdentityPersistError = exports.IdentityAlreadyExistsError = exports.RecoveryPhraseService = exports.SignatureService = exports.KeyManager = exports.ServiceCredentialMismatchError = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
-exports.formatPublicKeyHandle = exports.getAccountFallbackHandle = exports.getAccountDisplayName = exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = exports.calculateBackoffInterval = exports.createCircuitBreakerState = exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = exports.isNetworkError = exports.isServerError = void 0;
+exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.isRTLLocale = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.DeviceManager = exports.TopicSource = exports.TopicType = exports.IdentityPersistError = exports.IdentityAlreadyExistsError = exports.RecoveryPhraseService = exports.SignatureService = exports.KeyManager = exports.OxyAppDataIdentifierError = exports.ServiceCredentialMismatchError = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
+exports.formatPublicKeyHandle = exports.getAccountFallbackHandle = exports.getAccountDisplayName = exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.packageInfo = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = exports.calculateBackoffInterval = exports.createCircuitBreakerState = exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = exports.isNetworkError = exports.isServerError = exports.isRateLimitError = void 0;
 // Ensure crypto polyfills are loaded before anything else
 require("./crypto/polyfill");
 // --- Core API Client ---
@@ -50,6 +50,8 @@ Object.defineProperty(exports, "CrossDomainAuth", { enumerable: true, get: funct
 Object.defineProperty(exports, "createCrossDomainAuth", { enumerable: true, get: function () { return CrossDomainAuth_1.createCrossDomainAuth; } });
 var OxyServices_auth_1 = require("./mixins/OxyServices.auth");
 Object.defineProperty(exports, "ServiceCredentialMismatchError", { enumerable: true, get: function () { return OxyServices_auth_1.ServiceCredentialMismatchError; } });
+var OxyServices_appData_1 = require("./mixins/OxyServices.appData");
+Object.defineProperty(exports, "OxyAppDataIdentifierError", { enumerable: true, get: function () { return OxyServices_appData_1.OxyAppDataIdentifierError; } });
 // --- Crypto / Identity ---
 var crypto_1 = require("./crypto");
 Object.defineProperty(exports, "KeyManager", { enumerable: true, get: function () { return crypto_1.KeyManager; } });

package/dist/cjs/mixins/OxyServices.appData.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * Per-user App-Data Mixin
+ *
+ * Thin client around `/users/me/app-data/...` — a generic per-user JSON KV
+ * store on the API. Authenticated callers can read, write, list, and delete
+ * entries scoped to their own user account.
+ *
+ * Identifier rules (must match the API):
+ *   - Both `namespace` and `key` must match `/^[a-z0-9_-]{1,64}$/u`.
+ *
+ * Limits (enforced by the API):
+ *   - Serialized JSON values are capped at 64 KB.
+ *   - Writes are rate-limited to 100 / minute / user.
+ *
+ * Intended use cases are small bits of cross-device app state — e.g. Academy
+ * course progress, "last viewed" markers, dismissed banner flags. Do not use
+ * this for large blobs or anything that needs server-side querying; it's a
+ * write-it-and-read-it-back store.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OxyAppDataIdentifierError = void 0;
+exports.OxyServicesAppDataMixin = OxyServicesAppDataMixin;
+/**
+ * Identifier validator — mirror of the API regex. Validating client-side
+ * gives consumers a clean throw before the request even leaves the device.
+ */
+const APP_DATA_IDENTIFIER_PATTERN = /^[a-z0-9_-]{1,64}$/u;
+/** Thrown when a namespace or key fails the kebab/snake-case validator. */
+class OxyAppDataIdentifierError extends Error {
+    constructor(field, value) {
+        super(`Invalid app-data ${field} "${value}": must match [a-z0-9_-]{1,64} (lowercase letters, digits, dashes, underscores).`);
+        this.name = 'OxyAppDataIdentifierError';
+    }
+}
+exports.OxyAppDataIdentifierError = OxyAppDataIdentifierError;
+function assertIdentifier(field, value) {
+    if (!APP_DATA_IDENTIFIER_PATTERN.test(value)) {
+        throw new OxyAppDataIdentifierError(field, value);
+    }
+}
+function OxyServicesAppDataMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Read the value stored under `(namespace, key)` for the current user.
+         *
+         * @returns The previously-stored value, or `null` if nothing has been
+         *   stored yet. Never throws on "not found" — a missing entry is
+         *   semantically a `null` value.
+         */
+        async getAppData(namespace, key) {
+            assertIdentifier('namespace', namespace);
+            assertIdentifier('key', key);
+            return this.withAuthRetry(async () => {
+                const response = await this.makeRequest('GET', `/users/me/app-data/${encodeURIComponent(namespace)}/${encodeURIComponent(key)}`, undefined, { cache: false });
+                return response?.value ?? null;
+            }, 'getAppData');
+        }
+        /**
+         * Upsert the value under `(namespace, key)` for the current user.
+         *
+         * Returns the value the server confirmed it stored — typically the same
+         * value the caller passed in, but consumers should prefer the returned
+         * value (the API is the source of truth).
+         *
+         * @throws OxyAppDataIdentifierError when namespace or key is malformed.
+         */
+        async setAppData(namespace, key, value) {
+            assertIdentifier('namespace', namespace);
+            assertIdentifier('key', key);
+            return this.withAuthRetry(async () => {
+                const response = await this.makeRequest('PUT', `/users/me/app-data/${encodeURIComponent(namespace)}/${encodeURIComponent(key)}`, { value }, { cache: false });
+                // The server echoes the stored value back; fall back to the caller's
+                // input only if the server somehow omitted it (defensive — the route
+                // always sets it).
+                return (response?.value ?? value);
+            }, 'setAppData');
+        }
+        /**
+         * Delete the value stored under `(namespace, key)` for the current user.
+         *
+         * Idempotent — resolves successfully whether or not the entry existed.
+         */
+        async deleteAppData(namespace, key) {
+            assertIdentifier('namespace', namespace);
+            assertIdentifier('key', key);
+            await this.withAuthRetry(async () => {
+                await this.makeRequest('DELETE', `/users/me/app-data/${encodeURIComponent(namespace)}/${encodeURIComponent(key)}`, undefined, { cache: false });
+            }, 'deleteAppData');
+        }
+        /**
+         * List every entry stored under `namespace` for the current user.
+         *
+         * Returns an empty object when the namespace contains no entries (the
+         * endpoint never 404s on an empty namespace).
+         */
+        async listAppData(namespace) {
+            assertIdentifier('namespace', namespace);
+            return this.withAuthRetry(async () => {
+                const response = await this.makeRequest('GET', `/users/me/app-data/${encodeURIComponent(namespace)}`, undefined, { cache: false });
+                return response?.entries ?? {};
+            }, 'listAppData');
+        }
+    };
+}

package/dist/cjs/mixins/OxyServices.popup.js

@@ -172,8 +172,48 @@ function OxyServicesPopupAuthMixin(Base) {
                 document.body.appendChild(iframe);
                 try {
                     const session = await this.waitForIframeAuth(iframe, timeout, clientId);
-                    if (session && session.accessToken) {
-                        this.httpService.setTokens(session.accessToken);
+                    // Bail early on incomplete responses. The iframe contract requires
+                    // both an access token and a session id; anything less is unusable.
+                    // Returning `null` here (without installing the token) prevents a
+                    // stale credential from being committed to HttpService when the
+                    // user is actually signed out — that pattern caused a `getCurrentUser`
+                    // -> 401 -> token-clear loop in consumer apps because callers gated
+                    // on `session?.user` and never installed the user via
+                    // `handleAuthSuccess`, while HttpService quietly held the token.
+                    const accessToken = session ? session.accessToken : undefined;
+                    if (!session || !accessToken || !session.sessionId) {
+                        return null;
+                    }
+                    // Snapshot the previous token so we can roll back if the user
+                    // lookup below fails — this avoids leaving a half-committed session
+                    // (token installed, user missing) which would let the next
+                    // authenticated request 401 with no way to recover.
+                    const previousAccessToken = this.httpService.getAccessToken();
+                    this.httpService.setTokens(accessToken);
+                    // The iframe typically returns `{ sessionId, accessToken }` without
+                    // user data. Fetch the user explicitly so callers receive a
+                    // fully-formed session and never need a second `/users/me` round
+                    // trip. If this fails the session is unusable — revert the token
+                    // and return null so the caller treats this exactly like a
+                    // missing-session response.
+                    if (!session.user) {
+                        try {
+                            const userData = await this.makeRequest('GET', `/session/user/${session.sessionId}`, undefined, { cache: false, retry: false });
+                            if (!userData) {
+                                throw new Error('Empty user response');
+                            }
+                            session.user = userData;
+                        }
+                        catch (userError) {
+                            debug.warn('silentSignIn: failed to fetch user data, rolling back token', userError);
+                            if (previousAccessToken) {
+                                this.httpService.setTokens(previousAccessToken);
+                            }
+                            else {
+                                this.httpService.clearTokens();
+                            }
+                            return null;
+                        }
                     }
                     return session;
                 }

package/dist/cjs/mixins/index.js

@@ -29,6 +29,7 @@ const OxyServices_features_1 = require("./OxyServices.features");
 const OxyServices_topics_1 = require("./OxyServices.topics");
 const OxyServices_managedAccounts_1 = require("./OxyServices.managedAccounts");
 const OxyServices_contacts_1 = require("./OxyServices.contacts");
+const OxyServices_appData_1 = require("./OxyServices.appData");
 /**
  * Mixin pipeline - applied in order from first to last.
  *
@@ -68,6 +69,7 @@ const MIXIN_PIPELINE = [
     OxyServices_topics_1.OxyServicesTopicsMixin,
     OxyServices_managedAccounts_1.OxyServicesManagedAccountsMixin,
     OxyServices_contacts_1.OxyServicesContactsMixin,
+    OxyServices_appData_1.OxyServicesAppDataMixin,
     // Utility (last, can use all above)
     OxyServices_utility_1.OxyServicesUtilityMixin,
 ];