@oxyhq/core 1.11.21 → 1.11.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -2
- package/dist/cjs/.tsbuildinfo +1 -1
- package/dist/cjs/mixins/OxyServices.fedcm.js +0 -80
- package/dist/esm/.tsbuildinfo +1 -1
- package/dist/esm/mixins/OxyServices.fedcm.js +0 -79
- package/dist/types/.tsbuildinfo +1 -1
- package/dist/types/mixins/OxyServices.fedcm.d.ts +0 -24
- package/package.json +1 -1
- package/src/mixins/OxyServices.fedcm.ts +0 -83
- package/src/mixins/__tests__/fedcm.test.ts +0 -182
|
@@ -39,44 +39,6 @@ const FEDCM_LOGIN_HINT_KEY = 'oxy_fedcm_login_hint';
|
|
|
39
39
|
let fedCMRequestInProgress = false;
|
|
40
40
|
let fedCMRequestPromise = null;
|
|
41
41
|
let currentMediationMode = null;
|
|
42
|
-
/**
|
|
43
|
-
* Page-load-persistent memo for SILENT FedCM sign-in.
|
|
44
|
-
*
|
|
45
|
-
* Silent SSO (`mediation: 'silent'`) is the one FedCM flow that runs WITHOUT a
|
|
46
|
-
* user gesture — on app startup / provider mount. Multiple consumers
|
|
47
|
-
* (`@oxyhq/auth`'s `WebOxyProvider` / `useWebSSO`, `@oxyhq/services`'
|
|
48
|
-
* `useWebSSO`) can each mount and trigger it, and a remount storm (route churn,
|
|
49
|
-
* React StrictMode double-invoke, error-boundary recovery) previously turned
|
|
50
|
-
* into a `navigator.credentials.get` storm. This memo collapses every silent
|
|
51
|
-
* attempt for a given `origin + baseURL` into AT MOST ONE browser credential
|
|
52
|
-
* request per page load:
|
|
53
|
-
*
|
|
54
|
-
* - the FIRST silent call runs the real flow and stores its in-flight promise;
|
|
55
|
-
* - concurrent silent calls share that same in-flight promise;
|
|
56
|
-
* - once it settles, the memo retains the resolved value (a session OR `null`)
|
|
57
|
-
* and every subsequent silent call returns it WITHOUT re-invoking the
|
|
58
|
-
* browser.
|
|
59
|
-
*
|
|
60
|
-
* Keyed on `origin + baseURL` (not the OxyServices instance) so it survives
|
|
61
|
-
* instance churn across remounts. Intentionally never cleared: only a fresh
|
|
62
|
-
* page load — which starts a fresh module scope — can change the IdP session
|
|
63
|
-
* state that silent mediation observes.
|
|
64
|
-
*
|
|
65
|
-
* This guard is SILENT-ONLY. Interactive flows (`signInWithFedCM`,
|
|
66
|
-
* `mediation: 'optional'|'required'`, `mode: 'active'|'passive'`) must always
|
|
67
|
-
* be able to re-prompt and are never memoized here.
|
|
68
|
-
*/
|
|
69
|
-
const silentSSOMemo = new Map();
|
|
70
|
-
/**
|
|
71
|
-
* Test-only reset of the page-load silent-SSO memo. The memo is module-scoped
|
|
72
|
-
* and never cleared at runtime (a fresh page load resets it naturally), but
|
|
73
|
-
* tests sharing one module instance need to start from a clean slate.
|
|
74
|
-
*
|
|
75
|
-
* @internal
|
|
76
|
-
*/
|
|
77
|
-
export function __resetSilentSSOMemoForTests() {
|
|
78
|
-
silentSSOMemo.clear();
|
|
79
|
-
}
|
|
80
42
|
/**
|
|
81
43
|
* Federated Credential Management (FedCM) Authentication Mixin
|
|
82
44
|
*
|
|
@@ -248,47 +210,6 @@ export function OxyServicesFedCMMixin(Base) {
|
|
|
248
210
|
debug.log('Silent SSO: FedCM not supported in this browser');
|
|
249
211
|
return null;
|
|
250
212
|
}
|
|
251
|
-
// Page-load run-once guard. The first silent attempt for this
|
|
252
|
-
// origin + API runs; concurrent callers share the in-flight promise; once
|
|
253
|
-
// it settles, every later caller gets the memoized result (session OR
|
|
254
|
-
// null) WITHOUT re-invoking `navigator.credentials.get`. This is the single
|
|
255
|
-
// chokepoint for silent SSO across all consumers and remounts.
|
|
256
|
-
const memoKey = this.silentSSOMemoKey();
|
|
257
|
-
const existing = silentSSOMemo.get(memoKey);
|
|
258
|
-
if (existing) {
|
|
259
|
-
debug.log('Silent SSO: Returning memoized page-load result (no re-invocation)');
|
|
260
|
-
return existing;
|
|
261
|
-
}
|
|
262
|
-
const attempt = this._performSilentSignInWithFedCM();
|
|
263
|
-
silentSSOMemo.set(memoKey, attempt);
|
|
264
|
-
return attempt;
|
|
265
|
-
}
|
|
266
|
-
/**
|
|
267
|
-
* Build the page-load silent-SSO memo key from the current origin and the
|
|
268
|
-
* configured API base URL. Two providers pointed at the same API from the
|
|
269
|
-
* same origin share a single silent attempt per page load.
|
|
270
|
-
*
|
|
271
|
-
* @internal
|
|
272
|
-
*/
|
|
273
|
-
silentSSOMemoKey() {
|
|
274
|
-
const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
|
|
275
|
-
let baseURL = '';
|
|
276
|
-
try {
|
|
277
|
-
baseURL = this.getBaseURL();
|
|
278
|
-
}
|
|
279
|
-
catch {
|
|
280
|
-
baseURL = '';
|
|
281
|
-
}
|
|
282
|
-
return `${origin}|${baseURL}`;
|
|
283
|
-
}
|
|
284
|
-
/**
|
|
285
|
-
* Perform the actual silent FedCM sign-in. Always wrapped by
|
|
286
|
-
* {@link silentSignInWithFedCM}'s page-load memo — never call this directly
|
|
287
|
-
* (doing so bypasses the run-once guard).
|
|
288
|
-
*
|
|
289
|
-
* @internal
|
|
290
|
-
*/
|
|
291
|
-
async _performSilentSignInWithFedCM() {
|
|
292
213
|
const clientId = this.getClientId();
|
|
293
214
|
debug.log('Silent SSO: Starting for', clientId);
|
|
294
215
|
// Only try silent mediation (no UI) - works if user previously consented.
|