npm - @oxyhq/core - Versions diffs - 1.11.20 → 1.11.22 - Mend

@oxyhq/core 1.11.20 → 1.11.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +6 -2
package/dist/cjs/.tsbuildinfo +1 -1
package/dist/cjs/mixins/OxyServices.auth.js +14 -1
package/dist/esm/.tsbuildinfo +1 -1
package/dist/esm/mixins/OxyServices.auth.js +14 -1
package/dist/types/.tsbuildinfo +1 -1
package/package.json +1 -1
package/src/mixins/OxyServices.auth.ts +16 -1
package/src/mixins/__tests__/verifyChallenge.test.ts +135 -0

package/dist/esm/mixins/OxyServices.auth.js CHANGED Viewed

@@ -247,7 +247,7 @@ export function OxyServicesAuthMixin(Base) {
          */
         async verifyChallenge(publicKey, challenge, signature, timestamp, deviceName, deviceFingerprint) {
             try {
-                return await this.makeRequest('POST', '/auth/verify', {
+                const res = await this.makeRequest('POST', '/auth/verify', {
                     publicKey,
                     challenge,
                     signature,
@@ -255,6 +255,19 @@ export function OxyServicesAuthMixin(Base) {
                     deviceName,
                     deviceFingerprint,
                 }, { cache: false });
+                // Plant the freshly-minted tokens, mirroring `claimSessionByToken`.
+                // `/auth/verify` returns the first access token (and refresh token) in
+                // its body, so installing it here means callers get an authenticated
+                // client without a second round-trip — and, critically, without
+                // falling back to the bearer-protected `GET /session/token/:sessionId`
+                // (C1 hardening), which 401s for a brand-new identity that has no
+                // bearer yet. `accessToken`/`refreshToken` are optional on
+                // SessionLoginResponse; only plant when an access token is present and
+                // default the refresh token to an empty string.
+                if (res?.accessToken) {
+                    this.setTokens(res.accessToken, res.refreshToken ?? '');
+                }
+                return res;
             }
             catch (error) {
                 throw this.handleError(error);