@oxyhq/core 1.11.22 → 1.11.24

package/src/mixins/OxyServices.fedcm.ts

@@ -66,6 +66,33 @@ function isUnknownModeEnumError(error: unknown): boolean {
   );
 }
 
+/**
+ * Detect a `navigator.credentials.get` rejection that is consistent with
+ * "the supplied loginHint matched no account at the IdP".
+ *
+ * When an RP passes a `loginHint` and the IdP returns accounts but NONE of them
+ * declare that hint in their `login_hints`, Chrome filters every account out,
+ * greys it in the chooser ("You can't sign in using this account"), logs
+ * "Accounts were received, but none matched the login hint…", and ultimately
+ * rejects the credential request — surfacing as a `NotAllowedError` /
+ * `AbortError` (the same shape as a user-cancelled or timed-out request). A
+ * stale hint left over from a previously-signed-in/test account therefore hard
+ * -blocks sign-in.
+ *
+ * We can only safely apply the clear-and-retry recovery when a `loginHint` was
+ * actually supplied; without one this is just a normal cancel/timeout and must
+ * NOT be retried. Callers gate on `hadLoginHint` before calling this.
+ */
+function isPossibleHintMismatchError(error: unknown): boolean {
+  if (!(error instanceof Error)) return false;
+  // FedCM surfaces a filtered-out / no-eligible-account outcome as
+  // NotAllowedError (current Chrome) or AbortError (our own timeout abort while
+  // the chooser had no selectable account). Both are indistinguishable from a
+  // genuine user cancel at the API level, so the gate on "a hint was supplied"
+  // (in the caller) is what makes the retry safe and targeted.
+  return error.name === 'NotAllowedError' || error.name === 'AbortError';
+}
+
 // Minimal structural types for the FedCM `navigator.credentials.get` surface.
 // The DOM lib does not ship these in every TypeScript version we build against,
 // so we model only the fields this mixin reads/writes. This lets the FedCM code
@@ -129,6 +156,11 @@ const FEDCM_LOGIN_HINT_KEY = 'oxy_fedcm_login_hint';
 let fedCMRequestInProgress = false;
 let fedCMRequestPromise: Promise<FedCMTokenResult | null> | null = null;
 let currentMediationMode: string | null = null;
+// AbortController of the in-flight request, exposed at module scope so an
+// arriving INTERACTIVE request can abort a slow/hung SILENT one instead of
+// blocking on it (see requestIdentityCredential). Set when a request starts,
+// cleared in that request's `finally`.
+let fedCMActiveController: AbortController | null = null;
 
 /**
  * Federated Credential Management (FedCM) Authentication Mixin
@@ -159,13 +191,23 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
   public static readonly DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
 
   public resolveFedcmConfigUrl(): string {
+    // `DEFAULT_CONFIG_URL` is a static on the composed class; read it off the
+    // most-derived constructor through a typed cast (not `any`).
+    const configCtor = this.constructor as typeof OxyServicesBase & {
+      DEFAULT_CONFIG_URL: string;
+    };
     return this.config.authWebUrl
       ? `${this.config.authWebUrl}/fedcm.json`
-      : (this.constructor as any).DEFAULT_CONFIG_URL;
+      : configCtor.DEFAULT_CONFIG_URL;
   }
 
   public static readonly FEDCM_TIMEOUT = 15000; // 15 seconds for interactive
-  public static readonly FEDCM_SILENT_TIMEOUT = 3000; // 3 seconds for silent mediation
+  // Silent mediation runs on page load (e.g. re-signing-in a user whose stored
+  // session was cleared after a cold-boot token fetch 401'd). The real silent
+  // round-trip — mint nonce → navigator.credentials.get → /fedcm/exchange — was
+  // measured to take more than 3s for live users, so a 3s budget timed out and
+  // left them signed out on reload. 10s gives ample margin while staying bounded.
+  public static readonly FEDCM_SILENT_TIMEOUT = 10000; // 10 seconds for silent mediation
 
   /**
    * Check if FedCM is supported in the current browser
@@ -213,77 +255,121 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       );
     }
 
-    try {
-      // Prefer a server-minted, origin-bound nonce so the downstream
-      // `/fedcm/exchange` can validate it. A caller-supplied nonce is
-      // respected as-is for advanced use cases.
-      const nonce = options.nonce || (await this.getFedcmNonce());
-      const clientId = this.getClientId();
-
-      // Use provided loginHint, or fall back to stored last-used account ID
-      const loginHint = options.loginHint || this.getStoredLoginHint();
-
-      debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
-
-      // Request credential from browser's native identity flow.
-      // mode: 'active' signals this is a user-gesture-initiated (button) flow.
-      // 'active' is the current W3C spec value; requestIdentityCredential
-      // transparently retries with the legacy 'button' value for Chrome 125–131.
-      const credential = await this.requestIdentityCredential({
-        configURL: this.resolveFedcmConfigUrl(),
-        clientId,
-        nonce,
-        context: options.context,
-        loginHint,
-        mode: 'active',
-      });
+    // Use provided loginHint, or fall back to stored last-used account ID.
+    const initialLoginHint = options.loginHint || this.getStoredLoginHint();
 
-      if (!credential || !credential.token) {
-        throw new OxyAuthenticationError('No credential received from browser');
+    try {
+      return await this.attemptInteractiveSignIn(options, initialLoginHint);
+    } catch (error) {
+      // A STALE loginHint (e.g. left over from a previously-signed-in or test
+      // account) that matches no account at the IdP makes Chrome filter out
+      // every account and reject the request — indistinguishable from a user
+      // cancel. When that happens AND we supplied a hint, clear the bad hint
+      // and retry the credential request ONCE with no hint, which lets the
+      // chooser surface the genuinely available account(s). We only do this for
+      // a hint we pulled from storage (not a caller-supplied one), and only
+      // once, so a real cancel never loops.
+      const usedStoredHint = !!initialLoginHint && !options.loginHint;
+      if (usedStoredHint && isPossibleHintMismatchError(error)) {
+        debug.log(
+          'Interactive sign-in: stored loginHint matched no account; clearing it and retrying without a hint'
+        );
+        this.clearLoginHint();
+        return await this.attemptInteractiveSignIn(options, undefined);
       }
+      throw this.normalizeInteractiveSignInError(error);
+    }
+  }
 
-      debug.log('Interactive sign-in: Got credential, exchanging for session');
+  /**
+   * Run a single interactive FedCM credential request + token exchange for the
+   * given (possibly undefined) loginHint. A successful exchange plants the
+   * access token and persists the user id as the future loginHint — the hint is
+   * therefore only ever stored after a GENUINELY successful sign-in, never
+   * speculatively.
+   *
+   * @private
+   */
+  public async attemptInteractiveSignIn(
+    options: FedCMAuthOptions,
+    loginHint: string | undefined
+  ): Promise<SessionLoginResponse> {
+    // Prefer a server-minted, origin-bound nonce so the downstream
+    // `/fedcm/exchange` can validate it. A caller-supplied nonce is
+    // respected as-is for advanced use cases.
+    const nonce = options.nonce || (await this.getFedcmNonce());
+    const clientId = this.getClientId();
 
-      // Exchange FedCM ID token for Oxy session
-      const session = await this.exchangeIdTokenForSession(credential.token);
+    debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
 
-      // Store access token in HttpService. `accessToken`/`refreshToken` are
-      // declared optional on SessionLoginResponse; default the refresh token to
-      // an empty string when the exchange did not return one.
-      if (session?.accessToken) {
-        this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
-      }
+    // Request credential from browser's native identity flow.
+    // mode: 'active' signals this is a user-gesture-initiated (button) flow.
+    // 'active' is the current W3C spec value; requestIdentityCredential
+    // transparently retries with the legacy 'button' value for Chrome 125–131.
+    const credential = await this.requestIdentityCredential({
+      configURL: this.resolveFedcmConfigUrl(),
+      clientId,
+      nonce,
+      context: options.context,
+      loginHint,
+      mode: 'active',
+    });
 
-      // Store the user ID as loginHint for future FedCM requests
-      if (session?.user?.id) {
-        this.storeLoginHint(session.user.id);
-      }
+    if (!credential || !credential.token) {
+      throw new OxyAuthenticationError('No credential received from browser');
+    }
 
-      debug.log('Interactive sign-in: Success!', { userId: session?.user?.id });
+    debug.log('Interactive sign-in: Got credential, exchanging for session');
 
-      return session;
-    } catch (error) {
-      debug.log('Interactive sign-in failed:', error);
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      // FedCM aborts/network failures surface as DOMException/Error instances,
-      // both of which carry a `name`. Anything else has no meaningful name.
-      const errorName = error instanceof Error ? error.name : '';
-
-      if (errorName === 'AbortError') {
-        throw new OxyAuthenticationError('Sign-in was cancelled by user');
-      }
-      if (errorName === 'NetworkError') {
-        throw new OxyAuthenticationError('Network error during sign-in. Please check your connection.');
-      }
-      if (errorMessage.includes('multiple accounts')) {
-        throw new OxyAuthenticationError('Please sign out and sign in again to use FedCM with a single account');
-      }
-      if (errorMessage.includes('retrieving a token') || errorMessage.includes('Error retrieving')) {
-        debug.error('FedCM token retrieval error - this may be a browser or IdP configuration issue');
-        throw new OxyAuthenticationError('Authentication failed. Please try again or use an alternative sign-in method.');
-      }
-      throw error;
+    // Exchange FedCM ID token for Oxy session
+    const session = await this.exchangeIdTokenForSession(credential.token);
+
+    // Store access token in HttpService. `accessToken`/`refreshToken` are
+    // declared optional on SessionLoginResponse; default the refresh token to
+    // an empty string when the exchange did not return one.
+    if (session?.accessToken) {
+      this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
     }
+
+    // Store the user ID as loginHint for future FedCM requests — only now, after
+    // a real successful exchange, so we never persist a hint that cannot resolve.
+    if (session?.user?.id) {
+      this.storeLoginHint(session.user.id);
+    }
+
+    debug.log('Interactive sign-in: Success!', { userId: session?.user?.id });
+
+    return session;
+  }
+
+  /**
+   * Map a raw FedCM/exchange failure to a user-facing {@link OxyAuthenticationError}
+   * (or pass it through). Extracted so the clear-and-retry path can reuse the
+   * exact same error normalisation as the first attempt.
+   *
+   * @private
+   */
+  public normalizeInteractiveSignInError(error: unknown): unknown {
+    debug.log('Interactive sign-in failed:', error);
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    // FedCM aborts/network failures surface as DOMException/Error instances,
+    // both of which carry a `name`. Anything else has no meaningful name.
+    const errorName = error instanceof Error ? error.name : '';
+
+    if (errorName === 'AbortError') {
+      return new OxyAuthenticationError('Sign-in was cancelled by user');
+    }
+    if (errorName === 'NetworkError') {
+      return new OxyAuthenticationError('Network error during sign-in. Please check your connection.');
+    }
+    if (errorMessage.includes('multiple accounts')) {
+      return new OxyAuthenticationError('Please sign out and sign in again to use FedCM with a single account');
+    }
+    if (errorMessage.includes('retrieving a token') || errorMessage.includes('Error retrieving')) {
+      debug.error('FedCM token retrieval error - this may be a browser or IdP configuration issue');
+      return new OxyAuthenticationError('Authentication failed. Please try again or use an alternative sign-in method.');
+    }
+    return error;
   }
 
   /**
@@ -457,15 +543,20 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     // If a request is already in progress...
     if (fedCMRequestInProgress && fedCMRequestPromise) {
       debug.log('Request already in progress, waiting...');
-      // If current request is silent and new request is interactive,
-      // wait for silent to finish, then make the interactive request
+      // If the in-flight request is SILENT and this new one is INTERACTIVE,
+      // abort the silent and proceed immediately. The silent round-trip can be
+      // slow (it runs on page load and may stall in the browser), and a user who
+      // just clicked "Sign In" must never be made to wait on — or be blocked by —
+      // it. Awaiting the silent here is what previously let a hung silent
+      // request deadlock the sign-in button, so we deliberately do NOT await it:
+      // we abort it (its own `finally` resets the lock as it settles) and fall
+      // through to start the interactive request synchronously below.
       if (currentMediationMode === 'silent' && isInteractive) {
-        try {
-          await fedCMRequestPromise;
-        } catch {
-          // Ignore silent request errors
-        }
-        // Now fall through to make the interactive request
+        debug.log('Aborting in-flight silent request to make way for interactive request');
+        fedCMActiveController?.abort();
+        // Fall through. The interactive request synchronously overwrites the
+        // lock globals (below); the aborted silent's `finally` uses identity
+        // guards so it cannot later clobber this interactive request's state.
       } else {
         // Same type of request - wait for the existing one
         try {
@@ -479,10 +570,17 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     fedCMRequestInProgress = true;
     currentMediationMode = requestedMediation;
     const controller = new AbortController();
-    // Use shorter timeout for silent mediation since it should be quick
+    fedCMActiveController = controller;
+    // Use shorter timeout for silent mediation since it should be quick.
+    // The timeout constants are static on the composed class; read them off the
+    // most-derived constructor through a typed cast (not `any`).
+    const timeoutCtor = this.constructor as typeof OxyServicesBase & {
+      FEDCM_SILENT_TIMEOUT: number;
+      FEDCM_TIMEOUT: number;
+    };
     const timeoutMs = requestedMediation === 'silent'
-      ? (this.constructor as any).FEDCM_SILENT_TIMEOUT
-      : (this.constructor as any).FEDCM_TIMEOUT;
+      ? timeoutCtor.FEDCM_SILENT_TIMEOUT
+      : timeoutCtor.FEDCM_TIMEOUT;
     const timeout = setTimeout(() => {
       debug.log('Request timed out after', timeoutMs, 'ms (mediation:', requestedMediation + ')');
       controller.abort();
@@ -562,9 +660,20 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
         throw error;
       } finally {
         clearTimeout(timeout);
-        fedCMRequestInProgress = false;
-        fedCMRequestPromise = null;
-        currentMediationMode = null;
+        // Only reset the shared lock if it still belongs to THIS request. When an
+        // interactive request aborts a slow silent one, the silent settles (and
+        // runs this `finally`) AFTER the interactive has already taken over the
+        // lock and installed its own controller/promise. Guarding on identity
+        // (`fedCMActiveController === controller`) ensures the settling silent
+        // cannot null out the interactive request's in-progress state. The
+        // request that still owns the lock clears it; the superseded one is a
+        // no-op here.
+        if (fedCMActiveController === controller) {
+          fedCMRequestInProgress = false;
+          fedCMRequestPromise = null;
+          currentMediationMode = null;
+          fedCMActiveController = null;
+        }
       }
     })();
 

package/src/mixins/__tests__/fedcm.test.ts

@@ -321,3 +321,234 @@ describe('OxyServices FedCM mode enum (active/passive)', () => {
     expect(call.identity.mode).toBeUndefined();
   });
 });
+
+/**
+ * Stale-loginHint clear-and-retry regression tests.
+ *
+ * A loginHint left over from a previously-signed-in/test account (persisted in
+ * `oxy_fedcm_login_hint`) that matches NO account at the IdP makes Chrome
+ * filter out every account, grey it in the chooser, and reject
+ * `navigator.credentials.get` — indistinguishable from a user cancel. The
+ * interactive flow must recover by clearing the bad hint and retrying ONCE with
+ * no hint, so the genuinely available account becomes selectable again. These
+ * tests lock that behaviour in.
+ */
+describe('OxyServices FedCM stale loginHint clear-and-retry', () => {
+  afterEach(() => {
+    clearBrowserGlobals();
+    jest.restoreAllMocks();
+  });
+
+  it('clears a stale stored hint and retries the get() once with no hint, then succeeds', async () => {
+    const hintsSeen: Array<string | undefined> = [];
+    installBrowserGlobals({
+      credentialsGet: async (opts) => {
+        const hint = opts.identity.providers[0].loginHint;
+        hintsSeen.push(hint);
+        if (hint) {
+          // First attempt carries the stale stored hint → Chrome filtered out
+          // every account and rejected the request (NotAllowedError).
+          const err = new Error('Accounts were received, but none matched the login hint.');
+          err.name = 'NotAllowedError';
+          throw err;
+        }
+        // Retry with NO hint → the available account resolves.
+        return { type: 'identity', token: 'recovered-id-token', isAutoSelected: false };
+      },
+    });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    // Seed a stale hint in localStorage (a previously-signed-in/test account).
+    localStorage.setItem('oxy_fedcm_login_hint', 'stale-user-id');
+
+    const exchanged: string[] = [];
+    mintAndExchange(oxy, exchanged);
+
+    const session = await oxy.signInWithFedCM();
+
+    // The first get() saw the stale hint; the second saw none.
+    expect(hintsSeen).toEqual(['stale-user-id', undefined]);
+    // The token from the hint-less retry was exchanged for a session.
+    expect(session.sessionId).toBe('sess_mode');
+    expect(exchanged).toEqual(['recovered-id-token']);
+    // The stale hint was cleared and replaced with the freshly signed-in id.
+    expect(localStorage.getItem('oxy_fedcm_login_hint')).toBe('user_mode');
+  });
+
+  it('does NOT retry when there was no stored hint (a genuine cancel surfaces)', async () => {
+    let callCount = 0;
+    installBrowserGlobals({
+      credentialsGet: async () => {
+        callCount += 1;
+        const err = new Error('User cancelled the sign-in.');
+        err.name = 'NotAllowedError';
+        throw err;
+      },
+    });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    // No hint in storage → a NotAllowedError is a real cancel, not a mismatch,
+    // so the error must surface (no clear-and-retry).
+    jest.spyOn(oxy, 'makeRequest').mockImplementation(async (_method: string, url: string) => {
+      if (url === '/fedcm/nonce') {
+        return { nonce: 'n', expiresAt: new Date(Date.now() + 60000).toISOString() } as never;
+      }
+      throw new Error(`unexpected request to ${url}`);
+    });
+
+    await expect(oxy.signInWithFedCM()).rejects.toThrow('User cancelled the sign-in.');
+    // Exactly one attempt — no clear-and-retry without a stored hint.
+    expect(callCount).toBe(1);
+  });
+
+  it('does NOT clear or retry a caller-supplied loginHint (only stored hints are cleared)', async () => {
+    let callCount = 0;
+    installBrowserGlobals({
+      credentialsGet: async () => {
+        callCount += 1;
+        const err = new Error('Accounts were received, but none matched the login hint.');
+        err.name = 'NotAllowedError';
+        throw err;
+      },
+    });
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    // A leftover stored hint must be untouched: the caller explicitly chose the
+    // hint, so we must not silently discard it nor retry behind their back.
+    localStorage.setItem('oxy_fedcm_login_hint', 'persisted-hint');
+    jest.spyOn(oxy, 'makeRequest').mockImplementation(async (_method: string, url: string) => {
+      if (url === '/fedcm/nonce') {
+        return { nonce: 'n', expiresAt: new Date(Date.now() + 60000).toISOString() } as never;
+      }
+      throw new Error(`unexpected request to ${url}`);
+    });
+
+    await expect(oxy.signInWithFedCM({ loginHint: 'caller-hint' })).rejects.toBeTruthy();
+    // Exactly one attempt — caller-supplied hints are never auto-cleared/retried.
+    expect(callCount).toBe(1);
+    // The stored hint was left intact.
+    expect(localStorage.getItem('oxy_fedcm_login_hint')).toBe('persisted-hint');
+  });
+});
+
+/**
+ * FedCM single-flight lock: interactive-aborts-silent regression tests.
+ *
+ * FedCM only allows one `navigator.credentials.get` at a time. Silent SSO runs
+ * on page load and the real round-trip can be slow (or stall in the browser).
+ * If an INTERACTIVE request (the user clicked "Sign In") arrives while a SILENT
+ * one is still in flight, it must NOT wait on the silent — awaiting a hung
+ * silent request previously deadlocked the sign-in button. Instead it aborts the
+ * in-flight silent and proceeds immediately. These tests lock that in, and pin
+ * the silent timeout so the on-load silent round-trip has enough budget.
+ */
+
+// `navigator.credentials.get` receives an AbortSignal we want to observe in the
+// lock tests, which the shared `CredentialGetCall` shape omits. Model it here.
+interface CredentialGetCallWithSignal {
+  identity: { providers: Array<{ loginHint?: string }>; mode?: string };
+  mediation: string;
+  signal?: AbortSignal;
+}
+
+describe('OxyServices FedCM single-flight lock (interactive aborts silent)', () => {
+  afterEach(() => {
+    clearBrowserGlobals();
+    jest.restoreAllMocks();
+  });
+
+  it('aborts an in-progress silent request and proceeds with the interactive one', async () => {
+    let silentSignal: AbortSignal | undefined;
+    let silentAborted = false;
+    let interactiveRan = false;
+
+    const store = new Map<string, string>();
+    const localStorageStub = {
+      getItem: (k: string) => (store.has(k) ? (store.get(k) as string) : null),
+      setItem: (k: string, v: string) => { store.set(k, v); },
+      removeItem: (k: string) => { store.delete(k); },
+    };
+
+    const credentialsGet = (opts: CredentialGetCallWithSignal): Promise<unknown> => {
+      if (opts.mediation === 'silent') {
+        // The silent request HANGS: it only settles when its signal is aborted,
+        // exactly like a real slow/stalled silent round-trip. This is what must
+        // NOT block the interactive request.
+        silentSignal = opts.signal;
+        return new Promise((_resolve, reject) => {
+          const signal = opts.signal;
+          if (!signal) return; // never settles without a signal (shouldn't happen)
+          signal.addEventListener('abort', () => {
+            silentAborted = true;
+            const err = new Error('The operation was aborted.');
+            err.name = 'AbortError';
+            reject(err);
+          });
+        });
+      }
+      // Interactive request resolves immediately with a usable credential.
+      interactiveRan = true;
+      return Promise.resolve({ type: 'identity', token: 'interactive-token', isAutoSelected: false });
+    };
+
+    const nav = { credentials: { get: (opts: CredentialGetCallWithSignal) => credentialsGet(opts) } };
+    const win = {
+      location: { origin: ORIGIN, hostname: 'accounts.oxy.so' },
+      IdentityCredential: function IdentityCredential() {},
+      navigator: nav,
+      localStorage: localStorageStub,
+    };
+    (globalThis as unknown as { window: unknown }).window = win;
+    (globalThis as unknown as { navigator: unknown }).navigator = nav;
+    (globalThis as unknown as { localStorage: unknown }).localStorage = localStorageStub;
+    (globalThis as unknown as { IdentityCredential: unknown }).IdentityCredential = win.IdentityCredential;
+
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    const exchanged: string[] = [];
+    jest
+      .spyOn(oxy, 'makeRequest')
+      .mockImplementation(async (_method: string, url: string, data?: unknown) => {
+        if (url === '/fedcm/nonce') {
+          return { nonce: 'server-nonce', expiresAt: new Date(Date.now() + 60000).toISOString() } as never;
+        }
+        if (url === '/fedcm/exchange') {
+          exchanged.push((data as { id_token: string }).id_token);
+          return {
+            sessionId: 'sess_lock',
+            deviceId: 'dev_lock',
+            expiresAt: new Date(Date.now() + 60000).toISOString(),
+            accessToken: 'access_lock',
+            user: { id: 'user_lock', username: 'tester' },
+          } as never;
+        }
+        throw new Error(`unexpected request to ${url}`);
+      });
+
+    // Kick off the silent request (it will hang) WITHOUT awaiting it.
+    const silentPromise = oxy.silentSignInWithFedCM();
+    // Let the silent request reach navigator.credentials.get and register its
+    // abort listener (it awaits the nonce mint first).
+    await new Promise((resolve) => setTimeout(resolve, 0));
+    expect(silentSignal).toBeDefined();
+    expect(silentAborted).toBe(false);
+
+    // Now the user clicks "Sign In": the interactive request must abort the
+    // hung silent one and complete on its own — never block on it.
+    const session = await oxy.signInWithFedCM();
+
+    expect(silentAborted).toBe(true);
+    expect(interactiveRan).toBe(true);
+    expect(session.sessionId).toBe('sess_lock');
+    expect(exchanged).toEqual(['interactive-token']);
+
+    // The aborted silent resolves cleanly to null (its own error path), never
+    // throwing and never leaving the lock stuck.
+    await expect(silentPromise).resolves.toBeNull();
+  });
+});
+
+describe('OxyServices FedCM silent timeout', () => {
+  it('uses a 10s silent timeout (enough budget for the real on-load round-trip)', () => {
+    expect(OxyServices.FEDCM_SILENT_TIMEOUT).toBe(10000);
+  });
+});