@oxyhq/core 1.11.23 → 2.0.0

package/src/mixins/OxyServices.fedcm.ts

@@ -66,6 +66,33 @@ function isUnknownModeEnumError(error: unknown): boolean {
   );
 }
 
+/**
+ * Detect a `navigator.credentials.get` rejection that is consistent with
+ * "the supplied loginHint matched no account at the IdP".
+ *
+ * When an RP passes a `loginHint` and the IdP returns accounts but NONE of them
+ * declare that hint in their `login_hints`, Chrome filters every account out,
+ * greys it in the chooser ("You can't sign in using this account"), logs
+ * "Accounts were received, but none matched the login hint…", and ultimately
+ * rejects the credential request — surfacing as a `NotAllowedError` /
+ * `AbortError` (the same shape as a user-cancelled or timed-out request). A
+ * stale hint left over from a previously-signed-in/test account therefore hard
+ * -blocks sign-in.
+ *
+ * We can only safely apply the clear-and-retry recovery when a `loginHint` was
+ * actually supplied; without one this is just a normal cancel/timeout and must
+ * NOT be retried. Callers gate on `hadLoginHint` before calling this.
+ */
+function isPossibleHintMismatchError(error: unknown): boolean {
+  if (!(error instanceof Error)) return false;
+  // FedCM surfaces a filtered-out / no-eligible-account outcome as
+  // NotAllowedError (current Chrome) or AbortError (our own timeout abort while
+  // the chooser had no selectable account). Both are indistinguishable from a
+  // genuine user cancel at the API level, so the gate on "a hint was supplied"
+  // (in the caller) is what makes the retry safe and targeted.
+  return error.name === 'NotAllowedError' || error.name === 'AbortError';
+}
+
 // Minimal structural types for the FedCM `navigator.credentials.get` surface.
 // The DOM lib does not ship these in every TypeScript version we build against,
 // so we model only the fields this mixin reads/writes. This lets the FedCM code
@@ -129,6 +156,11 @@ const FEDCM_LOGIN_HINT_KEY = 'oxy_fedcm_login_hint';
 let fedCMRequestInProgress = false;
 let fedCMRequestPromise: Promise<FedCMTokenResult | null> | null = null;
 let currentMediationMode: string | null = null;
+// AbortController of the in-flight request, exposed at module scope so an
+// arriving INTERACTIVE request can abort a slow/hung SILENT one instead of
+// blocking on it (see requestIdentityCredential). Set when a request starts,
+// cleared in that request's `finally`.
+let fedCMActiveController: AbortController | null = null;
 
 /**
  * Federated Credential Management (FedCM) Authentication Mixin
@@ -159,13 +191,23 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
   public static readonly DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
 
   public resolveFedcmConfigUrl(): string {
+    // `DEFAULT_CONFIG_URL` is a static on the composed class; read it off the
+    // most-derived constructor through a typed cast (not `any`).
+    const configCtor = this.constructor as typeof OxyServicesBase & {
+      DEFAULT_CONFIG_URL: string;
+    };
     return this.config.authWebUrl
       ? `${this.config.authWebUrl}/fedcm.json`
-      : (this.constructor as any).DEFAULT_CONFIG_URL;
+      : configCtor.DEFAULT_CONFIG_URL;
   }
 
   public static readonly FEDCM_TIMEOUT = 15000; // 15 seconds for interactive
-  public static readonly FEDCM_SILENT_TIMEOUT = 3000; // 3 seconds for silent mediation
+  // Silent mediation runs on page load (e.g. re-signing-in a user whose stored
+  // session was cleared after a cold-boot token fetch 401'd). The real silent
+  // round-trip — mint nonce → navigator.credentials.get → /fedcm/exchange — was
+  // measured to take more than 3s for live users, so a 3s budget timed out and
+  // left them signed out on reload. 10s gives ample margin while staying bounded.
+  public static readonly FEDCM_SILENT_TIMEOUT = 10000; // 10 seconds for silent mediation
 
   /**
    * Check if FedCM is supported in the current browser
@@ -213,77 +255,121 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       );
     }
 
-    try {
-      // Prefer a server-minted, origin-bound nonce so the downstream
-      // `/fedcm/exchange` can validate it. A caller-supplied nonce is
-      // respected as-is for advanced use cases.
-      const nonce = options.nonce || (await this.getFedcmNonce());
-      const clientId = this.getClientId();
-
-      // Use provided loginHint, or fall back to stored last-used account ID
-      const loginHint = options.loginHint || this.getStoredLoginHint();
-
-      debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
-
-      // Request credential from browser's native identity flow.
-      // mode: 'active' signals this is a user-gesture-initiated (button) flow.
-      // 'active' is the current W3C spec value; requestIdentityCredential
-      // transparently retries with the legacy 'button' value for Chrome 125–131.
-      const credential = await this.requestIdentityCredential({
-        configURL: this.resolveFedcmConfigUrl(),
-        clientId,
-        nonce,
-        context: options.context,
-        loginHint,
-        mode: 'active',
-      });
+    // Use provided loginHint, or fall back to stored last-used account ID.
+    const initialLoginHint = options.loginHint || this.getStoredLoginHint();
 
-      if (!credential || !credential.token) {
-        throw new OxyAuthenticationError('No credential received from browser');
+    try {
+      return await this.attemptInteractiveSignIn(options, initialLoginHint);
+    } catch (error) {
+      // A STALE loginHint (e.g. left over from a previously-signed-in or test
+      // account) that matches no account at the IdP makes Chrome filter out
+      // every account and reject the request — indistinguishable from a user
+      // cancel. When that happens AND we supplied a hint, clear the bad hint
+      // and retry the credential request ONCE with no hint, which lets the
+      // chooser surface the genuinely available account(s). We only do this for
+      // a hint we pulled from storage (not a caller-supplied one), and only
+      // once, so a real cancel never loops.
+      const usedStoredHint = !!initialLoginHint && !options.loginHint;
+      if (usedStoredHint && isPossibleHintMismatchError(error)) {
+        debug.log(
+          'Interactive sign-in: stored loginHint matched no account; clearing it and retrying without a hint'
+        );
+        this.clearLoginHint();
+        return await this.attemptInteractiveSignIn(options, undefined);
       }
+      throw this.normalizeInteractiveSignInError(error);
+    }
+  }
 
-      debug.log('Interactive sign-in: Got credential, exchanging for session');
+  /**
+   * Run a single interactive FedCM credential request + token exchange for the
+   * given (possibly undefined) loginHint. A successful exchange plants the
+   * access token and persists the user id as the future loginHint — the hint is
+   * therefore only ever stored after a GENUINELY successful sign-in, never
+   * speculatively.
+   *
+   * @private
+   */
+  public async attemptInteractiveSignIn(
+    options: FedCMAuthOptions,
+    loginHint: string | undefined
+  ): Promise<SessionLoginResponse> {
+    // Prefer a server-minted, origin-bound nonce so the downstream
+    // `/fedcm/exchange` can validate it. A caller-supplied nonce is
+    // respected as-is for advanced use cases.
+    const nonce = options.nonce || (await this.getFedcmNonce());
+    const clientId = this.getClientId();
 
-      // Exchange FedCM ID token for Oxy session
-      const session = await this.exchangeIdTokenForSession(credential.token);
+    debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
 
-      // Store access token in HttpService. `accessToken`/`refreshToken` are
-      // declared optional on SessionLoginResponse; default the refresh token to
-      // an empty string when the exchange did not return one.
-      if (session?.accessToken) {
-        this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
-      }
+    // Request credential from browser's native identity flow.
+    // mode: 'active' signals this is a user-gesture-initiated (button) flow.
+    // 'active' is the current W3C spec value; requestIdentityCredential
+    // transparently retries with the legacy 'button' value for Chrome 125–131.
+    const credential = await this.requestIdentityCredential({
+      configURL: this.resolveFedcmConfigUrl(),
+      clientId,
+      nonce,
+      context: options.context,
+      loginHint,
+      mode: 'active',
+    });
 
-      // Store the user ID as loginHint for future FedCM requests
-      if (session?.user?.id) {
-        this.storeLoginHint(session.user.id);
-      }
+    if (!credential || !credential.token) {
+      throw new OxyAuthenticationError('No credential received from browser');
+    }
 
-      debug.log('Interactive sign-in: Success!', { userId: session?.user?.id });
+    debug.log('Interactive sign-in: Got credential, exchanging for session');
 
-      return session;
-    } catch (error) {
-      debug.log('Interactive sign-in failed:', error);
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      // FedCM aborts/network failures surface as DOMException/Error instances,
-      // both of which carry a `name`. Anything else has no meaningful name.
-      const errorName = error instanceof Error ? error.name : '';
-
-      if (errorName === 'AbortError') {
-        throw new OxyAuthenticationError('Sign-in was cancelled by user');
-      }
-      if (errorName === 'NetworkError') {
-        throw new OxyAuthenticationError('Network error during sign-in. Please check your connection.');
-      }
-      if (errorMessage.includes('multiple accounts')) {
-        throw new OxyAuthenticationError('Please sign out and sign in again to use FedCM with a single account');
-      }
-      if (errorMessage.includes('retrieving a token') || errorMessage.includes('Error retrieving')) {
-        debug.error('FedCM token retrieval error - this may be a browser or IdP configuration issue');
-        throw new OxyAuthenticationError('Authentication failed. Please try again or use an alternative sign-in method.');
-      }
-      throw error;
+    // Exchange FedCM ID token for Oxy session
+    const session = await this.exchangeIdTokenForSession(credential.token);
+
+    // Store access token in HttpService. `accessToken`/`refreshToken` are
+    // declared optional on SessionLoginResponse; default the refresh token to
+    // an empty string when the exchange did not return one.
+    if (session?.accessToken) {
+      this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
+    }
+
+    // Store the user ID as loginHint for future FedCM requests — only now, after
+    // a real successful exchange, so we never persist a hint that cannot resolve.
+    if (session?.user?.id) {
+      this.storeLoginHint(session.user.id);
+    }
+
+    debug.log('Interactive sign-in: Success!', { userId: session?.user?.id });
+
+    return session;
+  }
+
+  /**
+   * Map a raw FedCM/exchange failure to a user-facing {@link OxyAuthenticationError}
+   * (or pass it through). Extracted so the clear-and-retry path can reuse the
+   * exact same error normalisation as the first attempt.
+   *
+   * @private
+   */
+  public normalizeInteractiveSignInError(error: unknown): unknown {
+    debug.log('Interactive sign-in failed:', error);
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    // FedCM aborts/network failures surface as DOMException/Error instances,
+    // both of which carry a `name`. Anything else has no meaningful name.
+    const errorName = error instanceof Error ? error.name : '';
+
+    if (errorName === 'AbortError') {
+      return new OxyAuthenticationError('Sign-in was cancelled by user');
+    }
+    if (errorName === 'NetworkError') {
+      return new OxyAuthenticationError('Network error during sign-in. Please check your connection.');
+    }
+    if (errorMessage.includes('multiple accounts')) {
+      return new OxyAuthenticationError('Please sign out and sign in again to use FedCM with a single account');
     }
+    if (errorMessage.includes('retrieving a token') || errorMessage.includes('Error retrieving')) {
+      debug.error('FedCM token retrieval error - this may be a browser or IdP configuration issue');
+      return new OxyAuthenticationError('Authentication failed. Please try again or use an alternative sign-in method.');
+    }
+    return error;
   }
 
   /**
@@ -457,15 +543,20 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     // If a request is already in progress...
     if (fedCMRequestInProgress && fedCMRequestPromise) {
       debug.log('Request already in progress, waiting...');
-      // If current request is silent and new request is interactive,
-      // wait for silent to finish, then make the interactive request
+      // If the in-flight request is SILENT and this new one is INTERACTIVE,
+      // abort the silent and proceed immediately. The silent round-trip can be
+      // slow (it runs on page load and may stall in the browser), and a user who
+      // just clicked "Sign In" must never be made to wait on — or be blocked by —
+      // it. Awaiting the silent here is what previously let a hung silent
+      // request deadlock the sign-in button, so we deliberately do NOT await it:
+      // we abort it (its own `finally` resets the lock as it settles) and fall
+      // through to start the interactive request synchronously below.
       if (currentMediationMode === 'silent' && isInteractive) {
-        try {
-          await fedCMRequestPromise;
-        } catch {
-          // Ignore silent request errors
-        }
-        // Now fall through to make the interactive request
+        debug.log('Aborting in-flight silent request to make way for interactive request');
+        fedCMActiveController?.abort();
+        // Fall through. The interactive request synchronously overwrites the
+        // lock globals (below); the aborted silent's `finally` uses identity
+        // guards so it cannot later clobber this interactive request's state.
       } else {
         // Same type of request - wait for the existing one
         try {
@@ -479,10 +570,17 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     fedCMRequestInProgress = true;
     currentMediationMode = requestedMediation;
     const controller = new AbortController();
-    // Use shorter timeout for silent mediation since it should be quick
+    fedCMActiveController = controller;
+    // Use shorter timeout for silent mediation since it should be quick.
+    // The timeout constants are static on the composed class; read them off the
+    // most-derived constructor through a typed cast (not `any`).
+    const timeoutCtor = this.constructor as typeof OxyServicesBase & {
+      FEDCM_SILENT_TIMEOUT: number;
+      FEDCM_TIMEOUT: number;
+    };
     const timeoutMs = requestedMediation === 'silent'
-      ? (this.constructor as any).FEDCM_SILENT_TIMEOUT
-      : (this.constructor as any).FEDCM_TIMEOUT;
+      ? timeoutCtor.FEDCM_SILENT_TIMEOUT
+      : timeoutCtor.FEDCM_TIMEOUT;
     const timeout = setTimeout(() => {
       debug.log('Request timed out after', timeoutMs, 'ms (mediation:', requestedMediation + ')');
       controller.abort();
@@ -562,9 +660,20 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
         throw error;
       } finally {
         clearTimeout(timeout);
-        fedCMRequestInProgress = false;
-        fedCMRequestPromise = null;
-        currentMediationMode = null;
+        // Only reset the shared lock if it still belongs to THIS request. When an
+        // interactive request aborts a slow silent one, the silent settles (and
+        // runs this `finally`) AFTER the interactive has already taken over the
+        // lock and installed its own controller/promise. Guarding on identity
+        // (`fedCMActiveController === controller`) ensures the settling silent
+        // cannot null out the interactive request's in-progress state. The
+        // request that still owns the lock clears it; the superseded one is a
+        // no-op here.
+        if (fedCMActiveController === controller) {
+          fedCMRequestInProgress = false;
+          fedCMRequestPromise = null;
+          currentMediationMode = null;
+          fedCMActiveController = null;
+        }
       }
     })();
 
@@ -771,8 +880,71 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       // Storage blocked
     }
   }
+
+  /**
+   * List the authenticated user's authorized RP apps.
+   *
+   * Returns the intersection of the user's FedCM grants and the currently-
+   * approved RP catalog — what powers the "Connected apps" management UI in
+   * @oxyhq/services. Requires a real user session; service tokens are
+   * rejected by the underlying endpoint.
+   */
+  async listAuthorizedApps(): Promise<AuthorizedApp[]> {
+    try {
+      const response = await this.makeRequest<{ apps: AuthorizedApp[] }>(
+        'GET',
+        '/fedcm/me/authorized-apps',
+        undefined,
+        {
+          cache: true,
+          cacheTTL: 30 * 1000, // 30 second cache — short, this drives a manageable UI
+        }
+      );
+      return response.apps ?? [];
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Revoke the authenticated user's authorization for a specific RP origin.
+   *
+   * The next FedCM sign-in from that origin will require explicit re-consent.
+   * The corresponding cache entry is invalidated so a subsequent
+   * `listAuthorizedApps()` call sees fresh data.
+   */
+  async revokeAuthorizedApp(origin: string): Promise<void> {
+    try {
+      await this.makeRequest(
+        'DELETE',
+        `/fedcm/me/authorized-apps/${encodeURIComponent(origin)}`,
+        undefined,
+        { cache: false }
+      );
+      this.clearCacheEntry('GET:/fedcm/me/authorized-apps');
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
   };
 }
 
+/**
+ * Public summary of an RP application the user has authorized — mirrors the
+ * `AuthorizedAppSummary` shape returned by `GET /fedcm/me/authorized-apps`.
+ */
+export interface AuthorizedApp {
+  /** Normalised RP origin. */
+  origin: string;
+  /** Friendly display name. */
+  name: string;
+  /** Optional human-readable description. */
+  description?: string;
+  /** ISO-8601 timestamp of when the user first authorized this RP. */
+  firstGrantedAt: string;
+  /** ISO-8601 timestamp of the most recent FedCM exchange for this user+RP. */
+  lastUsedAt: string;
+}
+
 // Export the mixin function as both named and default
 export { OxyServicesFedCMMixin as FedCMMixin };

package/src/mixins/OxyServices.popup.ts

@@ -10,6 +10,23 @@ export interface PopupAuthOptions {
   height?: number;
   timeout?: number;
   mode?: 'login' | 'signup';
+  /**
+   * A popup window handle the caller already opened SYNCHRONOUSLY inside the
+   * user-gesture event handler (e.g. an `onClick`). The mixin will navigate
+   * this window to the auth URL instead of calling `window.open` itself.
+   *
+   * Why this exists: Chrome (and other modern browsers) only honor
+   * `window.open` while a transient user-activation is in scope. The
+   * activation is consumed by the FIRST `await` in the click handler — so any
+   * caller that awaits FedCM / silent SSO before reaching `signInWithPopup`
+   * loses the activation and sees the popup blocked. The caller can dodge
+   * this by opening a blank popup on the raw click via `openBlankPopup()`,
+   * then passing the handle in here.
+   *
+   * `null` is accepted (and is the same as omitting the option) so consumers
+   * can pass through the result of `openBlankPopup()` without an extra guard.
+   */
+  popup?: Window | null;
 }
 
 export interface SilentAuthOptions {
@@ -104,7 +121,37 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       redirectUri: `${this.resolveAuthUrl()}/auth/callback`,
     });
 
-    const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
+    // If the caller pre-opened a popup on the raw user gesture (recommended
+    // path — see `openBlankPopup` and `PopupAuthOptions.popup`), navigate it
+    // to the auth URL instead of issuing a fresh `window.open` (which would
+    // be blocked once any prior `await` has consumed the user activation).
+    let popup: Window | null;
+    const preOpened = options.popup ?? null;
+    if (preOpened) {
+      if (preOpened.closed) {
+        // The pre-opened popup is gone — distinguish a user cancel (they
+        // closed the blank window before sign-in could navigate it) from a
+        // blocker rejection. Lumping these together as "Popup blocked" is
+        // misleading: the popup was NOT blocked, it was opened successfully
+        // and then dismissed.
+        throw new OxyAuthenticationError(
+          'Sign-in window was closed before authentication could start.'
+        );
+      }
+      try {
+        preOpened.location.replace(authUrl);
+      } catch (replaceError) {
+        // `location.replace` can throw in sandboxed / cross-origin-locked
+        // environments. Fall back to `href` assignment, which is more
+        // permissive. Logged at debug-level so consumers can correlate
+        // unusual sign-in behaviour without producing noise in normal flows.
+        debug.warn('location.replace failed, falling back to location.href', replaceError);
+        preOpened.location.href = authUrl;
+      }
+      popup = preOpened;
+    } else {
+      popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
+    }
 
     if (!popup) {
       throw new OxyAuthenticationError(
@@ -269,6 +316,37 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
     }
   }
 
+  /**
+   * Open a blank, centered popup window SYNCHRONOUSLY.
+   *
+   * Use this in a click (or other user-gesture) handler BEFORE any `await`
+   * to capture the transient user-activation. Pass the returned handle into
+   * `signInWithPopup({ popup })` once the async portion of the flow runs.
+   *
+   * Returns `null` if the browser's popup blocker rejected the open.
+   *
+   * @example
+   * ```typescript
+   * const onSignInClick = () => {
+   *   const popup = oxyServices.openBlankPopup();
+   *   (async () => {
+   *     const silent = await oxyServices.silentSignInWithFedCM();
+   *     if (silent) { popup?.close(); return; }
+   *     await oxyServices.signInWithPopup({ popup });
+   *   })();
+   * };
+   * ```
+   */
+  public openBlankPopup(width?: number, height?: number): Window | null {
+    if (typeof window === 'undefined') {
+      return null;
+    }
+    const ctor = this.constructor as unknown as { POPUP_WIDTH: number; POPUP_HEIGHT: number };
+    const w = width ?? ctor.POPUP_WIDTH;
+    const h = height ?? ctor.POPUP_HEIGHT;
+    return this.openCenteredPopup('about:blank', 'Oxy Sign In', w, h);
+  }
+
   /**
    * Open a centered popup window
    *

package/src/mixins/OxyServices.user.ts

@@ -1,7 +1,15 @@
 /**
  * User Management Methods Mixin
  */
-import type { User, Notification, SearchProfilesResponse, PaginationInfo, PrivacySettings } from '../models/interfaces';
+import type {
+  User,
+  Notification,
+  NotificationPreferences,
+  UserPreferences,
+  SearchProfilesResponse,
+  PaginationInfo,
+  PrivacySettings,
+} from '../models/interfaces';
 import type { OxyServicesBase } from '../OxyServices.base';
 import { buildSearchParams, buildPaginationParams, type PaginationParams } from '../utils/apiUtils';
 import { KeyManager } from '../crypto/keyManager';
@@ -271,6 +279,30 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       }
     }
 
+    /**
+     * Update the authenticated user's notification preferences.
+     *
+     * Thin wrapper over `updateProfile` that constrains the patch to known
+     * notification channels — same persistence path, same cache invalidation,
+     * but type-safe at the call site.
+     */
+    async updateNotificationPreferences(
+      preferences: Partial<NotificationPreferences>
+    ): Promise<User> {
+      return this.updateProfile({ notificationPreferences: preferences });
+    }
+
+    /**
+     * Update the authenticated user's general preferences (language, theme,
+     * reduce-motion, timezone). Persisted on the User document via
+     * `PUT /users/me` — same cache-invalidation behaviour as `updateProfile`.
+     */
+    async updateUserPreferences(
+      preferences: Partial<UserPreferences>
+    ): Promise<User> {
+      return this.updateProfile({ userPreferences: preferences });
+    }
+
     /**
      * Request account verification
      */