@oxyhq/core 1.11.20 → 1.11.21

package/dist/esm/mixins/OxyServices.auth.js

@@ -247,7 +247,7 @@ export function OxyServicesAuthMixin(Base) {
          */
         async verifyChallenge(publicKey, challenge, signature, timestamp, deviceName, deviceFingerprint) {
             try {
-                return await this.makeRequest('POST', '/auth/verify', {
+                const res = await this.makeRequest('POST', '/auth/verify', {
                     publicKey,
                     challenge,
                     signature,
@@ -255,6 +255,19 @@ export function OxyServicesAuthMixin(Base) {
                     deviceName,
                     deviceFingerprint,
                 }, { cache: false });
+                // Plant the freshly-minted tokens, mirroring `claimSessionByToken`.
+                // `/auth/verify` returns the first access token (and refresh token) in
+                // its body, so installing it here means callers get an authenticated
+                // client without a second round-trip — and, critically, without
+                // falling back to the bearer-protected `GET /session/token/:sessionId`
+                // (C1 hardening), which 401s for a brand-new identity that has no
+                // bearer yet. `accessToken`/`refreshToken` are optional on
+                // SessionLoginResponse; only plant when an access token is present and
+                // default the refresh token to an empty string.
+                if (res?.accessToken) {
+                    this.setTokens(res.accessToken, res.refreshToken ?? '');
+                }
+                return res;
             }
             catch (error) {
                 throw this.handleError(error);

package/dist/esm/mixins/OxyServices.fedcm.js

@@ -39,6 +39,44 @@ const FEDCM_LOGIN_HINT_KEY = 'oxy_fedcm_login_hint';
 let fedCMRequestInProgress = false;
 let fedCMRequestPromise = null;
 let currentMediationMode = null;
+/**
+ * Page-load-persistent memo for SILENT FedCM sign-in.
+ *
+ * Silent SSO (`mediation: 'silent'`) is the one FedCM flow that runs WITHOUT a
+ * user gesture — on app startup / provider mount. Multiple consumers
+ * (`@oxyhq/auth`'s `WebOxyProvider` / `useWebSSO`, `@oxyhq/services`'
+ * `useWebSSO`) can each mount and trigger it, and a remount storm (route churn,
+ * React StrictMode double-invoke, error-boundary recovery) previously turned
+ * into a `navigator.credentials.get` storm. This memo collapses every silent
+ * attempt for a given `origin + baseURL` into AT MOST ONE browser credential
+ * request per page load:
+ *
+ *   - the FIRST silent call runs the real flow and stores its in-flight promise;
+ *   - concurrent silent calls share that same in-flight promise;
+ *   - once it settles, the memo retains the resolved value (a session OR `null`)
+ *     and every subsequent silent call returns it WITHOUT re-invoking the
+ *     browser.
+ *
+ * Keyed on `origin + baseURL` (not the OxyServices instance) so it survives
+ * instance churn across remounts. Intentionally never cleared: only a fresh
+ * page load — which starts a fresh module scope — can change the IdP session
+ * state that silent mediation observes.
+ *
+ * This guard is SILENT-ONLY. Interactive flows (`signInWithFedCM`,
+ * `mediation: 'optional'|'required'`, `mode: 'active'|'passive'`) must always
+ * be able to re-prompt and are never memoized here.
+ */
+const silentSSOMemo = new Map();
+/**
+ * Test-only reset of the page-load silent-SSO memo. The memo is module-scoped
+ * and never cleared at runtime (a fresh page load resets it naturally), but
+ * tests sharing one module instance need to start from a clean slate.
+ *
+ * @internal
+ */
+export function __resetSilentSSOMemoForTests() {
+    silentSSOMemo.clear();
+}
 /**
  * Federated Credential Management (FedCM) Authentication Mixin
  *
@@ -210,6 +248,47 @@ export function OxyServicesFedCMMixin(Base) {
                     debug.log('Silent SSO: FedCM not supported in this browser');
                     return null;
                 }
+                // Page-load run-once guard. The first silent attempt for this
+                // origin + API runs; concurrent callers share the in-flight promise; once
+                // it settles, every later caller gets the memoized result (session OR
+                // null) WITHOUT re-invoking `navigator.credentials.get`. This is the single
+                // chokepoint for silent SSO across all consumers and remounts.
+                const memoKey = this.silentSSOMemoKey();
+                const existing = silentSSOMemo.get(memoKey);
+                if (existing) {
+                    debug.log('Silent SSO: Returning memoized page-load result (no re-invocation)');
+                    return existing;
+                }
+                const attempt = this._performSilentSignInWithFedCM();
+                silentSSOMemo.set(memoKey, attempt);
+                return attempt;
+            }
+            /**
+             * Build the page-load silent-SSO memo key from the current origin and the
+             * configured API base URL. Two providers pointed at the same API from the
+             * same origin share a single silent attempt per page load.
+             *
+             * @internal
+             */
+            silentSSOMemoKey() {
+                const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
+                let baseURL = '';
+                try {
+                    baseURL = this.getBaseURL();
+                }
+                catch {
+                    baseURL = '';
+                }
+                return `${origin}|${baseURL}`;
+            }
+            /**
+             * Perform the actual silent FedCM sign-in. Always wrapped by
+             * {@link silentSignInWithFedCM}'s page-load memo — never call this directly
+             * (doing so bypasses the run-once guard).
+             *
+             * @internal
+             */
+            async _performSilentSignInWithFedCM() {
                 const clientId = this.getClientId();
                 debug.log('Silent SSO: Starting for', clientId);
                 // Only try silent mediation (no UI) - works if user previously consented.