@oxyhq/core 1.11.23 → 2.0.0

package/dist/cjs/mixins/OxyServices.auth.js

@@ -385,6 +385,241 @@ function OxyServicesAuthMixin(Base) {
                 throw this.handleError(error);
             }
         }
+        /**
+         * Refresh every device-local refresh-cookie slot in a single round trip
+         * (Google-style multi-account rebuild).
+         *
+         * Calls `POST {sessionBaseUrl}/auth/refresh-all` with `credentials: 'include'`
+         * and NO bearer. The browser attaches every `oxy_rt*` cookie it has; the
+         * server rotates each in parallel and returns one entry per VALID account.
+         *
+         * Failure handling:
+         * - 401 → no signed-in accounts on this device → returns `{ accounts: [] }`
+         *   (NOT an error; this is the cold-boot "not signed in" path).
+         * - 404 → server is older than the multi-account endpoint. We fall back to
+         *   `POST /auth/refresh` (single-slot) and wrap its response in the
+         *   refresh-all shape so callers can treat the two paths uniformly. The
+         *   fallback entry has `authuser: 0` (the legacy slot maps to slot 0 by
+         *   convention) and a minimal `user` shape — consumers needing the full
+         *   user must fetch it separately. Always exactly one account in this
+         *   shape.
+         * - Any other non-2xx → throws via `handleError`.
+         *
+         * The refresh cookie itself never enters JS — only the rotated access
+         * tokens do. Each access token still needs to be planted via
+         * `setTokens(...)` (or per-account in-memory storage) at the consumer.
+         */
+        async refreshAllSessions() {
+            const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/refresh-all`;
+            let response;
+            try {
+                response = await fetch(url, {
+                    method: 'POST',
+                    credentials: 'include',
+                    headers: { Accept: 'application/json' },
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+            if (response.status === 401) {
+                return { accounts: [] };
+            }
+            if (response.status === 404) {
+                // Legacy single-account refresh fallback. Wrap the response so the
+                // caller can treat both paths identically.
+                const legacy = await this._refreshCookieRaw();
+                if (!legacy) {
+                    return { accounts: [] };
+                }
+                const fallbackAccount = {
+                    authuser: 0,
+                    accessToken: legacy.accessToken,
+                    expiresAt: legacy.expiresAt,
+                    sessionId: this._decodeSessionIdFromAccessToken(legacy.accessToken) ?? '',
+                    // Legacy /auth/refresh does NOT project the user shape; the caller
+                    // (AuthManager) is expected to hydrate via /users/me after planting.
+                    user: null,
+                };
+                return { accounts: [fallbackAccount] };
+            }
+            if (!response.ok) {
+                throw this.handleError(new Error(`Refresh-all failed with HTTP ${response.status}`));
+            }
+            const payload = (await response.json());
+            const raw = Array.isArray(payload.accounts) ? payload.accounts : [];
+            const accounts = [];
+            for (const entry of raw) {
+                if (entry === null || typeof entry !== 'object') {
+                    continue;
+                }
+                const e = entry;
+                if (!e.accessToken || !e.expiresAt || !e.sessionId || !e.user) {
+                    continue;
+                }
+                const userId = e.user.id ?? e.user._id;
+                if (!userId || !e.user.username) {
+                    continue;
+                }
+                // Normalise the legacy un-suffixed cookie (`authuser: null` on the
+                // wire) to slot 0. The SDK surface always operates on numeric indices.
+                const authuser = typeof e.authuser === 'number' ? e.authuser : 0;
+                accounts.push({
+                    authuser,
+                    accessToken: e.accessToken,
+                    expiresAt: e.expiresAt,
+                    sessionId: e.sessionId,
+                    user: {
+                        id: userId,
+                        username: e.user.username,
+                        name: e.user.name,
+                        avatar: e.user.avatar ?? null,
+                        email: e.user.email,
+                        color: e.user.color ?? null,
+                    },
+                });
+            }
+            return { accounts };
+        }
+        /**
+         * Rotate a single refresh-cookie slot and return the fresh access token.
+         *
+         * When `authuser` is provided, the server rotates ONLY that slot
+         * (`oxy_rt_${authuser}`) — sibling accounts on the same device stay
+         * untouched. When omitted, the server picks the lowest indexed slot
+         * present (legacy fallback applies). The refresh cookie itself never
+         * enters JS.
+         *
+         * Returns `null` on 401 (no cookie / expired / reused) so the caller can
+         * fall through cleanly to the unauthenticated path.
+         */
+        async refreshTokenViaCookie(opts = {}) {
+            const result = await this._refreshCookieRaw(opts.authuser);
+            return result;
+        }
+        /**
+         * Sign out a single device-local account by its authuser slot index.
+         *
+         * Revokes that slot's refresh-token family and deactivates its session;
+         * sibling indexed slots stay signed in. The browser-side `oxy_rt_${n}`
+         * cookie is cleared by the server's `Set-Cookie` response header.
+         */
+        async logoutSessionByAuthuser(authuser) {
+            const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/logout?authuser=${encodeURIComponent(String(authuser))}`;
+            try {
+                const response = await fetch(url, {
+                    method: 'POST',
+                    credentials: 'include',
+                    headers: { Accept: 'application/json' },
+                });
+                if (!response.ok && response.status !== 401) {
+                    throw new Error(`Logout (authuser=${authuser}) failed with HTTP ${response.status}`);
+                }
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Sign out EVERY device-local account on this device by clearing every
+         * presented refresh-cookie slot at once. Revokes every family + clears
+         * every slot. Always succeeds (idempotent on unknown/garbage tokens).
+         */
+        async logoutAllSessionsViaCookie() {
+            const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/logout`;
+            try {
+                const response = await fetch(url, {
+                    method: 'POST',
+                    credentials: 'include',
+                    headers: { Accept: 'application/json' },
+                });
+                if (!response.ok && response.status !== 401) {
+                    throw new Error(`Logout-all failed with HTTP ${response.status}`);
+                }
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Internal: raw `POST /auth/refresh[?authuser=N]` call returning the
+         * minted access token. Returns `null` on 401 / non-2xx. Used as both the
+         * implementation of `refreshTokenViaCookie` and the legacy fallback for
+         * `refreshAllSessions` against older servers.
+         *
+         * @internal
+         */
+        async _refreshCookieRaw(authuser) {
+            const base = this.getSessionBaseUrl().replace(/\/$/, '');
+            const url = typeof authuser === 'number'
+                ? `${base}/auth/refresh?authuser=${encodeURIComponent(String(authuser))}`
+                : `${base}/auth/refresh`;
+            let response;
+            try {
+                response = await fetch(url, {
+                    method: 'POST',
+                    credentials: 'include',
+                    headers: { Accept: 'application/json' },
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+            if (!response.ok) {
+                return null;
+            }
+            const payload = (await response.json());
+            if (typeof payload.accessToken !== 'string' || !payload.accessToken) {
+                return null;
+            }
+            const expiresAt = typeof payload.expiresAt === 'string' ? payload.expiresAt : '';
+            const respAuthuser = typeof payload.authuser === 'number' ? payload.authuser : null;
+            return {
+                accessToken: payload.accessToken,
+                expiresAt,
+                authuser: respAuthuser,
+            };
+        }
+        /**
+         * Internal: decode (without verifying) the `sessionId` claim from a
+         * server-signed access token. The server already verified the signature;
+         * the client only reads the claim to drive multi-session state.
+         *
+         * @internal
+         */
+        _decodeSessionIdFromAccessToken(token) {
+            if (!token || typeof token !== 'string') {
+                return null;
+            }
+            const segments = token.split('.');
+            if (segments.length !== 3) {
+                return null;
+            }
+            const payloadSegment = segments[1];
+            if (!payloadSegment) {
+                return null;
+            }
+            try {
+                const base64 = payloadSegment.replace(/-/g, '+').replace(/_/g, '/');
+                const padded = base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), '=');
+                if (typeof atob !== 'function') {
+                    return null;
+                }
+                const json = decodeURIComponent(atob(padded)
+                    .split('')
+                    .map((char) => `%${`00${char.charCodeAt(0).toString(16)}`.slice(-2)}`)
+                    .join(''));
+                const parsed = JSON.parse(json);
+                if (parsed === null || typeof parsed !== 'object') {
+                    return null;
+                }
+                const claims = parsed;
+                return typeof claims.sessionId === 'string' ? claims.sessionId : null;
+            }
+            catch {
+                return null;
+            }
+        }
         /**
          * Get sessions by session ID
          */

package/dist/cjs/mixins/OxyServices.fedcm.js

@@ -37,12 +37,44 @@ function isUnknownModeEnumError(error) {
         ((message.includes('active') || message.includes('passive')) &&
             (message.includes('enum') || message.includes('not a valid'))));
 }
+/**
+ * Detect a `navigator.credentials.get` rejection that is consistent with
+ * "the supplied loginHint matched no account at the IdP".
+ *
+ * When an RP passes a `loginHint` and the IdP returns accounts but NONE of them
+ * declare that hint in their `login_hints`, Chrome filters every account out,
+ * greys it in the chooser ("You can't sign in using this account"), logs
+ * "Accounts were received, but none matched the login hint…", and ultimately
+ * rejects the credential request — surfacing as a `NotAllowedError` /
+ * `AbortError` (the same shape as a user-cancelled or timed-out request). A
+ * stale hint left over from a previously-signed-in/test account therefore hard
+ * -blocks sign-in.
+ *
+ * We can only safely apply the clear-and-retry recovery when a `loginHint` was
+ * actually supplied; without one this is just a normal cancel/timeout and must
+ * NOT be retried. Callers gate on `hadLoginHint` before calling this.
+ */
+function isPossibleHintMismatchError(error) {
+    if (!(error instanceof Error))
+        return false;
+    // FedCM surfaces a filtered-out / no-eligible-account outcome as
+    // NotAllowedError (current Chrome) or AbortError (our own timeout abort while
+    // the chooser had no selectable account). Both are indistinguishable from a
+    // genuine user cancel at the API level, so the gate on "a hint was supplied"
+    // (in the caller) is what makes the retry safe and targeted.
+    return error.name === 'NotAllowedError' || error.name === 'AbortError';
+}
 const FEDCM_LOGIN_HINT_KEY = 'oxy_fedcm_login_hint';
 // Global lock to prevent concurrent FedCM requests
 // FedCM only allows one navigator.credentials.get request at a time
 let fedCMRequestInProgress = false;
 let fedCMRequestPromise = null;
 let currentMediationMode = null;
+// AbortController of the in-flight request, exposed at module scope so an
+// arriving INTERACTIVE request can abort a slow/hung SILENT one instead of
+// blocking on it (see requestIdentityCredential). Set when a request starts,
+// cleared in that request's `finally`.
+let fedCMActiveController = null;
 /**
  * Federated Credential Management (FedCM) Authentication Mixin
  *
@@ -71,9 +103,12 @@ function OxyServicesFedCMMixin(Base) {
                 super(...args);
             }
             resolveFedcmConfigUrl() {
+                // `DEFAULT_CONFIG_URL` is a static on the composed class; read it off the
+                // most-derived constructor through a typed cast (not `any`).
+                const configCtor = this.constructor;
                 return this.config.authWebUrl
                     ? `${this.config.authWebUrl}/fedcm.json`
-                    : this.constructor.DEFAULT_CONFIG_URL;
+                    : configCtor.DEFAULT_CONFIG_URL;
             }
             /**
              * Check if FedCM is supported in the current browser
@@ -117,67 +152,104 @@ function OxyServicesFedCMMixin(Base) {
                 if (!this.isFedCMSupported()) {
                     throw new OxyServices_errors_1.OxyAuthenticationError('FedCM not supported in this browser. Please update your browser or use an alternative sign-in method.');
                 }
+                // Use provided loginHint, or fall back to stored last-used account ID.
+                const initialLoginHint = options.loginHint || this.getStoredLoginHint();
                 try {
-                    // Prefer a server-minted, origin-bound nonce so the downstream
-                    // `/fedcm/exchange` can validate it. A caller-supplied nonce is
-                    // respected as-is for advanced use cases.
-                    const nonce = options.nonce || (await this.getFedcmNonce());
-                    const clientId = this.getClientId();
-                    // Use provided loginHint, or fall back to stored last-used account ID
-                    const loginHint = options.loginHint || this.getStoredLoginHint();
-                    debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
-                    // Request credential from browser's native identity flow.
-                    // mode: 'active' signals this is a user-gesture-initiated (button) flow.
-                    // 'active' is the current W3C spec value; requestIdentityCredential
-                    // transparently retries with the legacy 'button' value for Chrome 125–131.
-                    const credential = await this.requestIdentityCredential({
-                        configURL: this.resolveFedcmConfigUrl(),
-                        clientId,
-                        nonce,
-                        context: options.context,
-                        loginHint,
-                        mode: 'active',
-                    });
-                    if (!credential || !credential.token) {
-                        throw new OxyServices_errors_1.OxyAuthenticationError('No credential received from browser');
-                    }
-                    debug.log('Interactive sign-in: Got credential, exchanging for session');
-                    // Exchange FedCM ID token for Oxy session
-                    const session = await this.exchangeIdTokenForSession(credential.token);
-                    // Store access token in HttpService. `accessToken`/`refreshToken` are
-                    // declared optional on SessionLoginResponse; default the refresh token to
-                    // an empty string when the exchange did not return one.
-                    if (session?.accessToken) {
-                        this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
-                    }
-                    // Store the user ID as loginHint for future FedCM requests
-                    if (session?.user?.id) {
-                        this.storeLoginHint(session.user.id);
-                    }
-                    debug.log('Interactive sign-in: Success!', { userId: session?.user?.id });
-                    return session;
+                    return await this.attemptInteractiveSignIn(options, initialLoginHint);
                 }
                 catch (error) {
-                    debug.log('Interactive sign-in failed:', error);
-                    const errorMessage = error instanceof Error ? error.message : String(error);
-                    // FedCM aborts/network failures surface as DOMException/Error instances,
-                    // both of which carry a `name`. Anything else has no meaningful name.
-                    const errorName = error instanceof Error ? error.name : '';
-                    if (errorName === 'AbortError') {
-                        throw new OxyServices_errors_1.OxyAuthenticationError('Sign-in was cancelled by user');
-                    }
-                    if (errorName === 'NetworkError') {
-                        throw new OxyServices_errors_1.OxyAuthenticationError('Network error during sign-in. Please check your connection.');
+                    // A STALE loginHint (e.g. left over from a previously-signed-in or test
+                    // account) that matches no account at the IdP makes Chrome filter out
+                    // every account and reject the request — indistinguishable from a user
+                    // cancel. When that happens AND we supplied a hint, clear the bad hint
+                    // and retry the credential request ONCE with no hint, which lets the
+                    // chooser surface the genuinely available account(s). We only do this for
+                    // a hint we pulled from storage (not a caller-supplied one), and only
+                    // once, so a real cancel never loops.
+                    const usedStoredHint = !!initialLoginHint && !options.loginHint;
+                    if (usedStoredHint && isPossibleHintMismatchError(error)) {
+                        debug.log('Interactive sign-in: stored loginHint matched no account; clearing it and retrying without a hint');
+                        this.clearLoginHint();
+                        return await this.attemptInteractiveSignIn(options, undefined);
                     }
-                    if (errorMessage.includes('multiple accounts')) {
-                        throw new OxyServices_errors_1.OxyAuthenticationError('Please sign out and sign in again to use FedCM with a single account');
-                    }
-                    if (errorMessage.includes('retrieving a token') || errorMessage.includes('Error retrieving')) {
-                        debug.error('FedCM token retrieval error - this may be a browser or IdP configuration issue');
-                        throw new OxyServices_errors_1.OxyAuthenticationError('Authentication failed. Please try again or use an alternative sign-in method.');
-                    }
-                    throw error;
+                    throw this.normalizeInteractiveSignInError(error);
+                }
+            }
+            /**
+             * Run a single interactive FedCM credential request + token exchange for the
+             * given (possibly undefined) loginHint. A successful exchange plants the
+             * access token and persists the user id as the future loginHint — the hint is
+             * therefore only ever stored after a GENUINELY successful sign-in, never
+             * speculatively.
+             *
+             * @private
+             */
+            async attemptInteractiveSignIn(options, loginHint) {
+                // Prefer a server-minted, origin-bound nonce so the downstream
+                // `/fedcm/exchange` can validate it. A caller-supplied nonce is
+                // respected as-is for advanced use cases.
+                const nonce = options.nonce || (await this.getFedcmNonce());
+                const clientId = this.getClientId();
+                debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
+                // Request credential from browser's native identity flow.
+                // mode: 'active' signals this is a user-gesture-initiated (button) flow.
+                // 'active' is the current W3C spec value; requestIdentityCredential
+                // transparently retries with the legacy 'button' value for Chrome 125–131.
+                const credential = await this.requestIdentityCredential({
+                    configURL: this.resolveFedcmConfigUrl(),
+                    clientId,
+                    nonce,
+                    context: options.context,
+                    loginHint,
+                    mode: 'active',
+                });
+                if (!credential || !credential.token) {
+                    throw new OxyServices_errors_1.OxyAuthenticationError('No credential received from browser');
+                }
+                debug.log('Interactive sign-in: Got credential, exchanging for session');
+                // Exchange FedCM ID token for Oxy session
+                const session = await this.exchangeIdTokenForSession(credential.token);
+                // Store access token in HttpService. `accessToken`/`refreshToken` are
+                // declared optional on SessionLoginResponse; default the refresh token to
+                // an empty string when the exchange did not return one.
+                if (session?.accessToken) {
+                    this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
                 }
+                // Store the user ID as loginHint for future FedCM requests — only now, after
+                // a real successful exchange, so we never persist a hint that cannot resolve.
+                if (session?.user?.id) {
+                    this.storeLoginHint(session.user.id);
+                }
+                debug.log('Interactive sign-in: Success!', { userId: session?.user?.id });
+                return session;
+            }
+            /**
+             * Map a raw FedCM/exchange failure to a user-facing {@link OxyAuthenticationError}
+             * (or pass it through). Extracted so the clear-and-retry path can reuse the
+             * exact same error normalisation as the first attempt.
+             *
+             * @private
+             */
+            normalizeInteractiveSignInError(error) {
+                debug.log('Interactive sign-in failed:', error);
+                const errorMessage = error instanceof Error ? error.message : String(error);
+                // FedCM aborts/network failures surface as DOMException/Error instances,
+                // both of which carry a `name`. Anything else has no meaningful name.
+                const errorName = error instanceof Error ? error.name : '';
+                if (errorName === 'AbortError') {
+                    return new OxyServices_errors_1.OxyAuthenticationError('Sign-in was cancelled by user');
+                }
+                if (errorName === 'NetworkError') {
+                    return new OxyServices_errors_1.OxyAuthenticationError('Network error during sign-in. Please check your connection.');
+                }
+                if (errorMessage.includes('multiple accounts')) {
+                    return new OxyServices_errors_1.OxyAuthenticationError('Please sign out and sign in again to use FedCM with a single account');
+                }
+                if (errorMessage.includes('retrieving a token') || errorMessage.includes('Error retrieving')) {
+                    debug.error('FedCM token retrieval error - this may be a browser or IdP configuration issue');
+                    return new OxyServices_errors_1.OxyAuthenticationError('Authentication failed. Please try again or use an alternative sign-in method.');
+                }
+                return error;
             }
             /**
              * Silent sign-in using FedCM
@@ -319,16 +391,20 @@ function OxyServicesFedCMMixin(Base) {
                 // If a request is already in progress...
                 if (fedCMRequestInProgress && fedCMRequestPromise) {
                     debug.log('Request already in progress, waiting...');
-                    // If current request is silent and new request is interactive,
-                    // wait for silent to finish, then make the interactive request
+                    // If the in-flight request is SILENT and this new one is INTERACTIVE,
+                    // abort the silent and proceed immediately. The silent round-trip can be
+                    // slow (it runs on page load and may stall in the browser), and a user who
+                    // just clicked "Sign In" must never be made to wait on — or be blocked by —
+                    // it. Awaiting the silent here is what previously let a hung silent
+                    // request deadlock the sign-in button, so we deliberately do NOT await it:
+                    // we abort it (its own `finally` resets the lock as it settles) and fall
+                    // through to start the interactive request synchronously below.
                     if (currentMediationMode === 'silent' && isInteractive) {
-                        try {
-                            await fedCMRequestPromise;
-                        }
-                        catch {
-                            // Ignore silent request errors
-                        }
-                        // Now fall through to make the interactive request
+                        debug.log('Aborting in-flight silent request to make way for interactive request');
+                        fedCMActiveController?.abort();
+                        // Fall through. The interactive request synchronously overwrites the
+                        // lock globals (below); the aborted silent's `finally` uses identity
+                        // guards so it cannot later clobber this interactive request's state.
                     }
                     else {
                         // Same type of request - wait for the existing one
@@ -343,10 +419,14 @@ function OxyServicesFedCMMixin(Base) {
                 fedCMRequestInProgress = true;
                 currentMediationMode = requestedMediation;
                 const controller = new AbortController();
-                // Use shorter timeout for silent mediation since it should be quick
+                fedCMActiveController = controller;
+                // Use shorter timeout for silent mediation since it should be quick.
+                // The timeout constants are static on the composed class; read them off the
+                // most-derived constructor through a typed cast (not `any`).
+                const timeoutCtor = this.constructor;
                 const timeoutMs = requestedMediation === 'silent'
-                    ? this.constructor.FEDCM_SILENT_TIMEOUT
-                    : this.constructor.FEDCM_TIMEOUT;
+                    ? timeoutCtor.FEDCM_SILENT_TIMEOUT
+                    : timeoutCtor.FEDCM_TIMEOUT;
                 const timeout = setTimeout(() => {
                     debug.log('Request timed out after', timeoutMs, 'ms (mediation:', requestedMediation + ')');
                     controller.abort();
@@ -423,9 +503,20 @@ function OxyServicesFedCMMixin(Base) {
                     }
                     finally {
                         clearTimeout(timeout);
-                        fedCMRequestInProgress = false;
-                        fedCMRequestPromise = null;
-                        currentMediationMode = null;
+                        // Only reset the shared lock if it still belongs to THIS request. When an
+                        // interactive request aborts a slow silent one, the silent settles (and
+                        // runs this `finally`) AFTER the interactive has already taken over the
+                        // lock and installed its own controller/promise. Guarding on identity
+                        // (`fedCMActiveController === controller`) ensures the settling silent
+                        // cannot null out the interactive request's in-progress state. The
+                        // request that still owns the lock clears it; the superseded one is a
+                        // no-op here.
+                        if (fedCMActiveController === controller) {
+                            fedCMRequestInProgress = false;
+                            fedCMRequestPromise = null;
+                            currentMediationMode = null;
+                            fedCMActiveController = null;
+                        }
                     }
                 })();
                 return fedCMRequestPromise;
@@ -610,11 +701,52 @@ function OxyServicesFedCMMixin(Base) {
                     // Storage blocked
                 }
             }
+            /**
+             * List the authenticated user's authorized RP apps.
+             *
+             * Returns the intersection of the user's FedCM grants and the currently-
+             * approved RP catalog — what powers the "Connected apps" management UI in
+             * @oxyhq/services. Requires a real user session; service tokens are
+             * rejected by the underlying endpoint.
+             */
+            async listAuthorizedApps() {
+                try {
+                    const response = await this.makeRequest('GET', '/fedcm/me/authorized-apps', undefined, {
+                        cache: true,
+                        cacheTTL: 30 * 1000, // 30 second cache — short, this drives a manageable UI
+                    });
+                    return response.apps ?? [];
+                }
+                catch (error) {
+                    throw this.handleError(error);
+                }
+            }
+            /**
+             * Revoke the authenticated user's authorization for a specific RP origin.
+             *
+             * The next FedCM sign-in from that origin will require explicit re-consent.
+             * The corresponding cache entry is invalidated so a subsequent
+             * `listAuthorizedApps()` call sees fresh data.
+             */
+            async revokeAuthorizedApp(origin) {
+                try {
+                    await this.makeRequest('DELETE', `/fedcm/me/authorized-apps/${encodeURIComponent(origin)}`, undefined, { cache: false });
+                    this.clearCacheEntry('GET:/fedcm/me/authorized-apps');
+                }
+                catch (error) {
+                    throw this.handleError(error);
+                }
+            }
         },
         _a.DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json',
         _a.FEDCM_TIMEOUT = 15000 // 15 seconds for interactive
     ,
-        _a.FEDCM_SILENT_TIMEOUT = 3000 // 3 seconds for silent mediation
+        // Silent mediation runs on page load (e.g. re-signing-in a user whose stored
+        // session was cleared after a cold-boot token fetch 401'd). The real silent
+        // round-trip — mint nonce → navigator.credentials.get → /fedcm/exchange — was
+        // measured to take more than 3s for live users, so a 3s budget timed out and
+        // left them signed out on reload. 10s gives ample margin while staying bounded.
+        _a.FEDCM_SILENT_TIMEOUT = 10000 // 10 seconds for silent mediation
     ,
         _a;
 }