@oxyhq/core 1.11.24 → 2.0.0

package/src/mixins/OxyServices.auth.ts

@@ -3,7 +3,12 @@
  *
  * Supports password-based login (email/username) and public key challenge-response.
  */
-import type { User } from '../models/interfaces';
+import type {
+  User,
+  RefreshAllResponse,
+  RefreshAllAccount,
+  RefreshCookieResponse,
+} from '../models/interfaces';
 import type { SessionLoginResponse } from '../models/session';
 import type { OxyServicesBase } from '../OxyServices.base';
 import { OxyAuthenticationError } from '../OxyServices.errors';
@@ -536,6 +541,268 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
       }
     }
 
+    /**
+     * Refresh every device-local refresh-cookie slot in a single round trip
+     * (Google-style multi-account rebuild).
+     *
+     * Calls `POST {sessionBaseUrl}/auth/refresh-all` with `credentials: 'include'`
+     * and NO bearer. The browser attaches every `oxy_rt*` cookie it has; the
+     * server rotates each in parallel and returns one entry per VALID account.
+     *
+     * Failure handling:
+     * - 401 → no signed-in accounts on this device → returns `{ accounts: [] }`
+     *   (NOT an error; this is the cold-boot "not signed in" path).
+     * - 404 → server is older than the multi-account endpoint. We fall back to
+     *   `POST /auth/refresh` (single-slot) and wrap its response in the
+     *   refresh-all shape so callers can treat the two paths uniformly. The
+     *   fallback entry has `authuser: 0` (the legacy slot maps to slot 0 by
+     *   convention) and a minimal `user` shape — consumers needing the full
+     *   user must fetch it separately. Always exactly one account in this
+     *   shape.
+     * - Any other non-2xx → throws via `handleError`.
+     *
+     * The refresh cookie itself never enters JS — only the rotated access
+     * tokens do. Each access token still needs to be planted via
+     * `setTokens(...)` (or per-account in-memory storage) at the consumer.
+     */
+    async refreshAllSessions(): Promise<RefreshAllResponse> {
+      const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/refresh-all`;
+
+      let response: Response;
+      try {
+        response = await fetch(url, {
+          method: 'POST',
+          credentials: 'include',
+          headers: { Accept: 'application/json' },
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+
+      if (response.status === 401) {
+        return { accounts: [] };
+      }
+
+      if (response.status === 404) {
+        // Legacy single-account refresh fallback. Wrap the response so the
+        // caller can treat both paths identically.
+        const legacy = await this._refreshCookieRaw();
+        if (!legacy) {
+          return { accounts: [] };
+        }
+        const fallbackAccount: RefreshAllAccount = {
+          authuser: 0,
+          accessToken: legacy.accessToken,
+          expiresAt: legacy.expiresAt,
+          sessionId: this._decodeSessionIdFromAccessToken(legacy.accessToken) ?? '',
+          // Legacy /auth/refresh does NOT project the user shape; the caller
+          // (AuthManager) is expected to hydrate via /users/me after planting.
+          user: null,
+        };
+        return { accounts: [fallbackAccount] };
+      }
+
+      if (!response.ok) {
+        throw this.handleError(
+          new Error(`Refresh-all failed with HTTP ${response.status}`)
+        );
+      }
+
+      const payload = (await response.json()) as { accounts?: unknown };
+      const raw = Array.isArray(payload.accounts) ? payload.accounts : [];
+      const accounts: RefreshAllAccount[] = [];
+
+      for (const entry of raw) {
+        if (entry === null || typeof entry !== 'object') {
+          continue;
+        }
+        const e = entry as {
+          authuser?: number | null;
+          accessToken?: string;
+          expiresAt?: string;
+          sessionId?: string;
+          user?: { id?: string; _id?: string; username?: string; name?: string; avatar?: string | null; email?: string; color?: string | null };
+        };
+        if (!e.accessToken || !e.expiresAt || !e.sessionId || !e.user) {
+          continue;
+        }
+        const userId = e.user.id ?? e.user._id;
+        if (!userId || !e.user.username) {
+          continue;
+        }
+        // Normalise the legacy un-suffixed cookie (`authuser: null` on the
+        // wire) to slot 0. The SDK surface always operates on numeric indices.
+        const authuser = typeof e.authuser === 'number' ? e.authuser : 0;
+        accounts.push({
+          authuser,
+          accessToken: e.accessToken,
+          expiresAt: e.expiresAt,
+          sessionId: e.sessionId,
+          user: {
+            id: userId,
+            username: e.user.username,
+            name: e.user.name,
+            avatar: e.user.avatar ?? null,
+            email: e.user.email,
+            color: e.user.color ?? null,
+          },
+        });
+      }
+
+      return { accounts };
+    }
+
+    /**
+     * Rotate a single refresh-cookie slot and return the fresh access token.
+     *
+     * When `authuser` is provided, the server rotates ONLY that slot
+     * (`oxy_rt_${authuser}`) — sibling accounts on the same device stay
+     * untouched. When omitted, the server picks the lowest indexed slot
+     * present (legacy fallback applies). The refresh cookie itself never
+     * enters JS.
+     *
+     * Returns `null` on 401 (no cookie / expired / reused) so the caller can
+     * fall through cleanly to the unauthenticated path.
+     */
+    async refreshTokenViaCookie(
+      opts: { authuser?: number } = {}
+    ): Promise<RefreshCookieResponse | null> {
+      const result = await this._refreshCookieRaw(opts.authuser);
+      return result;
+    }
+
+    /**
+     * Sign out a single device-local account by its authuser slot index.
+     *
+     * Revokes that slot's refresh-token family and deactivates its session;
+     * sibling indexed slots stay signed in. The browser-side `oxy_rt_${n}`
+     * cookie is cleared by the server's `Set-Cookie` response header.
+     */
+    async logoutSessionByAuthuser(authuser: number): Promise<void> {
+      const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/logout?authuser=${encodeURIComponent(String(authuser))}`;
+      try {
+        const response = await fetch(url, {
+          method: 'POST',
+          credentials: 'include',
+          headers: { Accept: 'application/json' },
+        });
+        if (!response.ok && response.status !== 401) {
+          throw new Error(`Logout (authuser=${authuser}) failed with HTTP ${response.status}`);
+        }
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Sign out EVERY device-local account on this device by clearing every
+     * presented refresh-cookie slot at once. Revokes every family + clears
+     * every slot. Always succeeds (idempotent on unknown/garbage tokens).
+     */
+    async logoutAllSessionsViaCookie(): Promise<void> {
+      const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/logout`;
+      try {
+        const response = await fetch(url, {
+          method: 'POST',
+          credentials: 'include',
+          headers: { Accept: 'application/json' },
+        });
+        if (!response.ok && response.status !== 401) {
+          throw new Error(`Logout-all failed with HTTP ${response.status}`);
+        }
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Internal: raw `POST /auth/refresh[?authuser=N]` call returning the
+     * minted access token. Returns `null` on 401 / non-2xx. Used as both the
+     * implementation of `refreshTokenViaCookie` and the legacy fallback for
+     * `refreshAllSessions` against older servers.
+     *
+     * @internal
+     */
+    async _refreshCookieRaw(authuser?: number): Promise<RefreshCookieResponse | null> {
+      const base = this.getSessionBaseUrl().replace(/\/$/, '');
+      const url = typeof authuser === 'number'
+        ? `${base}/auth/refresh?authuser=${encodeURIComponent(String(authuser))}`
+        : `${base}/auth/refresh`;
+
+      let response: Response;
+      try {
+        response = await fetch(url, {
+          method: 'POST',
+          credentials: 'include',
+          headers: { Accept: 'application/json' },
+        });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+
+      if (!response.ok) {
+        return null;
+      }
+
+      const payload = (await response.json()) as {
+        accessToken?: unknown;
+        expiresAt?: unknown;
+        authuser?: unknown;
+      };
+      if (typeof payload.accessToken !== 'string' || !payload.accessToken) {
+        return null;
+      }
+      const expiresAt = typeof payload.expiresAt === 'string' ? payload.expiresAt : '';
+      const respAuthuser = typeof payload.authuser === 'number' ? payload.authuser : null;
+      return {
+        accessToken: payload.accessToken,
+        expiresAt,
+        authuser: respAuthuser,
+      };
+    }
+
+    /**
+     * Internal: decode (without verifying) the `sessionId` claim from a
+     * server-signed access token. The server already verified the signature;
+     * the client only reads the claim to drive multi-session state.
+     *
+     * @internal
+     */
+    _decodeSessionIdFromAccessToken(token: string): string | null {
+      if (!token || typeof token !== 'string') {
+        return null;
+      }
+      const segments = token.split('.');
+      if (segments.length !== 3) {
+        return null;
+      }
+      const payloadSegment = segments[1];
+      if (!payloadSegment) {
+        return null;
+      }
+      try {
+        const base64 = payloadSegment.replace(/-/g, '+').replace(/_/g, '/');
+        const padded = base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), '=');
+        if (typeof atob !== 'function') {
+          return null;
+        }
+        const json = decodeURIComponent(
+          atob(padded)
+            .split('')
+            .map((char) => `%${`00${char.charCodeAt(0).toString(16)}`.slice(-2)}`)
+            .join(''),
+        );
+        const parsed: unknown = JSON.parse(json);
+        if (parsed === null || typeof parsed !== 'object') {
+          return null;
+        }
+        const claims = parsed as Record<string, unknown>;
+        return typeof claims.sessionId === 'string' ? claims.sessionId : null;
+      } catch {
+        return null;
+      }
+    }
+
     /**
      * Get sessions by session ID
      */

package/src/mixins/OxyServices.fedcm.ts

@@ -880,8 +880,71 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       // Storage blocked
     }
   }
+
+  /**
+   * List the authenticated user's authorized RP apps.
+   *
+   * Returns the intersection of the user's FedCM grants and the currently-
+   * approved RP catalog — what powers the "Connected apps" management UI in
+   * @oxyhq/services. Requires a real user session; service tokens are
+   * rejected by the underlying endpoint.
+   */
+  async listAuthorizedApps(): Promise<AuthorizedApp[]> {
+    try {
+      const response = await this.makeRequest<{ apps: AuthorizedApp[] }>(
+        'GET',
+        '/fedcm/me/authorized-apps',
+        undefined,
+        {
+          cache: true,
+          cacheTTL: 30 * 1000, // 30 second cache — short, this drives a manageable UI
+        }
+      );
+      return response.apps ?? [];
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Revoke the authenticated user's authorization for a specific RP origin.
+   *
+   * The next FedCM sign-in from that origin will require explicit re-consent.
+   * The corresponding cache entry is invalidated so a subsequent
+   * `listAuthorizedApps()` call sees fresh data.
+   */
+  async revokeAuthorizedApp(origin: string): Promise<void> {
+    try {
+      await this.makeRequest(
+        'DELETE',
+        `/fedcm/me/authorized-apps/${encodeURIComponent(origin)}`,
+        undefined,
+        { cache: false }
+      );
+      this.clearCacheEntry('GET:/fedcm/me/authorized-apps');
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
   };
 }
 
+/**
+ * Public summary of an RP application the user has authorized — mirrors the
+ * `AuthorizedAppSummary` shape returned by `GET /fedcm/me/authorized-apps`.
+ */
+export interface AuthorizedApp {
+  /** Normalised RP origin. */
+  origin: string;
+  /** Friendly display name. */
+  name: string;
+  /** Optional human-readable description. */
+  description?: string;
+  /** ISO-8601 timestamp of when the user first authorized this RP. */
+  firstGrantedAt: string;
+  /** ISO-8601 timestamp of the most recent FedCM exchange for this user+RP. */
+  lastUsedAt: string;
+}
+
 // Export the mixin function as both named and default
 export { OxyServicesFedCMMixin as FedCMMixin };

package/src/mixins/OxyServices.popup.ts

@@ -10,6 +10,23 @@ export interface PopupAuthOptions {
   height?: number;
   timeout?: number;
   mode?: 'login' | 'signup';
+  /**
+   * A popup window handle the caller already opened SYNCHRONOUSLY inside the
+   * user-gesture event handler (e.g. an `onClick`). The mixin will navigate
+   * this window to the auth URL instead of calling `window.open` itself.
+   *
+   * Why this exists: Chrome (and other modern browsers) only honor
+   * `window.open` while a transient user-activation is in scope. The
+   * activation is consumed by the FIRST `await` in the click handler — so any
+   * caller that awaits FedCM / silent SSO before reaching `signInWithPopup`
+   * loses the activation and sees the popup blocked. The caller can dodge
+   * this by opening a blank popup on the raw click via `openBlankPopup()`,
+   * then passing the handle in here.
+   *
+   * `null` is accepted (and is the same as omitting the option) so consumers
+   * can pass through the result of `openBlankPopup()` without an extra guard.
+   */
+  popup?: Window | null;
 }
 
 export interface SilentAuthOptions {
@@ -104,7 +121,37 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       redirectUri: `${this.resolveAuthUrl()}/auth/callback`,
     });
 
-    const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
+    // If the caller pre-opened a popup on the raw user gesture (recommended
+    // path — see `openBlankPopup` and `PopupAuthOptions.popup`), navigate it
+    // to the auth URL instead of issuing a fresh `window.open` (which would
+    // be blocked once any prior `await` has consumed the user activation).
+    let popup: Window | null;
+    const preOpened = options.popup ?? null;
+    if (preOpened) {
+      if (preOpened.closed) {
+        // The pre-opened popup is gone — distinguish a user cancel (they
+        // closed the blank window before sign-in could navigate it) from a
+        // blocker rejection. Lumping these together as "Popup blocked" is
+        // misleading: the popup was NOT blocked, it was opened successfully
+        // and then dismissed.
+        throw new OxyAuthenticationError(
+          'Sign-in window was closed before authentication could start.'
+        );
+      }
+      try {
+        preOpened.location.replace(authUrl);
+      } catch (replaceError) {
+        // `location.replace` can throw in sandboxed / cross-origin-locked
+        // environments. Fall back to `href` assignment, which is more
+        // permissive. Logged at debug-level so consumers can correlate
+        // unusual sign-in behaviour without producing noise in normal flows.
+        debug.warn('location.replace failed, falling back to location.href', replaceError);
+        preOpened.location.href = authUrl;
+      }
+      popup = preOpened;
+    } else {
+      popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
+    }
 
     if (!popup) {
       throw new OxyAuthenticationError(
@@ -269,6 +316,37 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
     }
   }
 
+  /**
+   * Open a blank, centered popup window SYNCHRONOUSLY.
+   *
+   * Use this in a click (or other user-gesture) handler BEFORE any `await`
+   * to capture the transient user-activation. Pass the returned handle into
+   * `signInWithPopup({ popup })` once the async portion of the flow runs.
+   *
+   * Returns `null` if the browser's popup blocker rejected the open.
+   *
+   * @example
+   * ```typescript
+   * const onSignInClick = () => {
+   *   const popup = oxyServices.openBlankPopup();
+   *   (async () => {
+   *     const silent = await oxyServices.silentSignInWithFedCM();
+   *     if (silent) { popup?.close(); return; }
+   *     await oxyServices.signInWithPopup({ popup });
+   *   })();
+   * };
+   * ```
+   */
+  public openBlankPopup(width?: number, height?: number): Window | null {
+    if (typeof window === 'undefined') {
+      return null;
+    }
+    const ctor = this.constructor as unknown as { POPUP_WIDTH: number; POPUP_HEIGHT: number };
+    const w = width ?? ctor.POPUP_WIDTH;
+    const h = height ?? ctor.POPUP_HEIGHT;
+    return this.openCenteredPopup('about:blank', 'Oxy Sign In', w, h);
+  }
+
   /**
    * Open a centered popup window
    *

package/src/mixins/OxyServices.user.ts

@@ -1,7 +1,15 @@
 /**
  * User Management Methods Mixin
  */
-import type { User, Notification, SearchProfilesResponse, PaginationInfo, PrivacySettings } from '../models/interfaces';
+import type {
+  User,
+  Notification,
+  NotificationPreferences,
+  UserPreferences,
+  SearchProfilesResponse,
+  PaginationInfo,
+  PrivacySettings,
+} from '../models/interfaces';
 import type { OxyServicesBase } from '../OxyServices.base';
 import { buildSearchParams, buildPaginationParams, type PaginationParams } from '../utils/apiUtils';
 import { KeyManager } from '../crypto/keyManager';
@@ -271,6 +279,30 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       }
     }
 
+    /**
+     * Update the authenticated user's notification preferences.
+     *
+     * Thin wrapper over `updateProfile` that constrains the patch to known
+     * notification channels — same persistence path, same cache invalidation,
+     * but type-safe at the call site.
+     */
+    async updateNotificationPreferences(
+      preferences: Partial<NotificationPreferences>
+    ): Promise<User> {
+      return this.updateProfile({ notificationPreferences: preferences });
+    }
+
+    /**
+     * Update the authenticated user's general preferences (language, theme,
+     * reduce-motion, timezone). Persisted on the User document via
+     * `PUT /users/me` — same cache-invalidation behaviour as `updateProfile`.
+     */
+    async updateUserPreferences(
+      preferences: Partial<UserPreferences>
+    ): Promise<User> {
+      return this.updateProfile({ userPreferences: preferences });
+    }
+
     /**
      * Request account verification
      */