@oxyhq/core 1.11.9 → 1.11.11

package/src/mixins/OxyServices.popup.ts

@@ -44,6 +44,12 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       super(...(args as [any]));
     }
   public static readonly DEFAULT_AUTH_URL = 'https://auth.oxy.so';
+
+  /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
+  public resolveAuthUrl(): string {
+    return this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL;
+  }
+
   public static readonly POPUP_WIDTH = 500;
   public static readonly POPUP_HEIGHT = 700;
   public static readonly POPUP_TIMEOUT = 60000; // 1 minute
@@ -95,7 +101,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       state,
       nonce,
       clientId: window.location.origin,
-      redirectUri: `${(this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL)}/auth/callback`,
+      redirectUri: `${this.resolveAuthUrl()}/auth/callback`,
     });
 
     const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
@@ -198,7 +204,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
     iframe.style.height = '0';
     iframe.style.border = 'none';
 
-    const silentUrl = `${(this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL)}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
+    const silentUrl = `${this.resolveAuthUrl()}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
 
     iframe.src = silentUrl;
     document.body.appendChild(iframe);
@@ -260,7 +266,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       }, timeout);
 
       const messageHandler = (event: MessageEvent) => {
-        const authUrl = (this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL);
+        const authUrl = this.resolveAuthUrl();
 
         // Log all messages for debugging
         if (event.data && typeof event.data === 'object' && event.data.type) {
@@ -347,7 +353,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
 
       const messageHandler = (event: MessageEvent) => {
         // Verify origin
-        if (event.origin !== (this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL)) {
+        if (event.origin !== this.resolveAuthUrl()) {
           return;
         }
 
@@ -382,7 +388,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
     clientId: string;
     redirectUri: string;
   }): string {
-    const url = new URL(`${(this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL)}/${params.mode}`);
+    const url = new URL(`${this.resolveAuthUrl()}/${params.mode}`);
     url.searchParams.set('response_type', 'token');
     url.searchParams.set('client_id', params.clientId);
     url.searchParams.set('redirect_uri', params.redirectUri);

package/src/mixins/OxyServices.utility.ts

@@ -20,6 +20,15 @@ interface JwtPayload {
   [key: string]: any;
 }
 
+/**
+ * Result from the managed-accounts verification endpoint.
+ * Indicates whether a user is authorized to act as a given managed account.
+ */
+interface ActingAsVerification {
+  authorized: boolean;
+  role: 'owner' | 'admin' | 'editor';
+}
+
 /**
  * Service app metadata attached to requests authenticated with service tokens
  */
@@ -50,9 +59,55 @@ interface AuthMiddlewareOptions {
 
 export function OxyServicesUtilityMixin<T extends typeof OxyServicesBase>(Base: T) {
   return class extends Base {
+    /** @internal In-memory cache for acting-as verification results (TTL: 5 min) */
+    _actingAsCache = new Map<string, { result: ActingAsVerification | null; expiresAt: number }>();
+
     constructor(...args: any[]) {
       super(...(args as [any]));
     }
+
+    /**
+     * Verify that a user is authorized to act as a managed account.
+     * Results are cached in-memory for 5 minutes to avoid repeated API calls.
+     *
+     * @internal Used by the auth() middleware — not part of the public API
+     */
+    async verifyActingAs(userId: string, accountId: string): Promise<ActingAsVerification | null> {
+      const cacheKey = `${userId}:${accountId}`;
+      const now = Date.now();
+
+      // Check cache
+      const cached = this._actingAsCache.get(cacheKey);
+      if (cached && cached.expiresAt > now) {
+        return cached.result;
+      }
+
+      // Query the API
+      try {
+        const result = await this.makeRequest<ActingAsVerification>(
+          'GET',
+          '/managed-accounts/verify',
+          { accountId, userId },
+          { cache: false, retry: false, timeout: 5000 }
+        );
+
+        // Cache successful result for 5 minutes
+        this._actingAsCache.set(cacheKey, {
+          result: result && result.authorized ? result : null,
+          expiresAt: now + 5 * 60 * 1000,
+        });
+
+        return result && result.authorized ? result : null;
+      } catch {
+        // Cache negative result for 1 minute to avoid hammering on transient errors
+        this._actingAsCache.set(cacheKey, {
+          result: null,
+          expiresAt: now + 1 * 60 * 1000,
+        });
+        return null;
+      }
+    }
+
     /**
      * Fetch link metadata
      */
@@ -125,6 +180,49 @@ export function OxyServicesUtilityMixin<T extends typeof OxyServicesBase>(Base:
 
       // Return an async middleware function
       return async (req: any, res: any, next: any) => {
+        // Process X-Acting-As header for managed account identity delegation.
+        // Called after successful authentication, before next(). If the header
+        // is present, verifies authorization and swaps the request identity to
+        // the managed account, preserving the original user for audit trails.
+        const processActingAs = async (): Promise<boolean> => {
+          const actingAsUserId = req.headers['x-acting-as'] as string | undefined;
+          if (!actingAsUserId) return true; // No header, proceed normally
+
+          const verification = await oxyInstance.verifyActingAs(req.userId, actingAsUserId);
+          if (!verification) {
+            const error = {
+              error: 'ACTING_AS_UNAUTHORIZED',
+              message: 'Not authorized to act as this account',
+              code: 'ACTING_AS_UNAUTHORIZED',
+              status: 403,
+            };
+            if (onError) {
+              onError(error);
+            } else {
+              res.status(403).json(error);
+            }
+            return false;
+          }
+
+          // Preserve original user for audit trails
+          req.originalUser = { id: req.userId, ...req.user };
+          req.actingAs = { userId: actingAsUserId, role: verification.role };
+
+          // Swap user identity to the managed account
+          req.userId = actingAsUserId;
+          req.user = { id: actingAsUserId } as any;
+          // Also set _id for routes that use Pattern B (req.user._id)
+          if (req.user) {
+            (req.user as any)._id = actingAsUserId;
+          }
+
+          if (debug) {
+            console.log(`[oxy.auth] Acting as ${actingAsUserId} (role=${verification.role}) original=${req.originalUser.id}`);
+          }
+
+          return true;
+        };
+
         try {
           // Extract token from Authorization header or query params
           const authHeader = req.headers['authorization'];
@@ -360,7 +458,9 @@ export function OxyServicesUtilityMixin<T extends typeof OxyServicesBase>(Base:
                 console.log(`[oxy.auth] OK user=${userId} session=${decoded.sessionId}`);
               }
 
-              return next();
+              // Process X-Acting-As header before proceeding
+              if (await processActingAs()) return next();
+              return;
             } catch (validationError) {
               if (debug) {
                 console.log(`[oxy.auth] Session validation failed:`, validationError);
@@ -414,7 +514,8 @@ export function OxyServicesUtilityMixin<T extends typeof OxyServicesBase>(Base:
             console.log(`[oxy.auth] OK user=${userId} (no session)`);
           }
 
-          next();
+          // Process X-Acting-As header before proceeding
+          if (await processActingAs()) next();
         } catch (error) {
           const apiError = oxyInstance.handleError(error) as any;
 

package/src/mixins/index.ts

@@ -24,6 +24,7 @@ import { OxyServicesSecurityMixin } from './OxyServices.security';
 import { OxyServicesUtilityMixin } from './OxyServices.utility';
 import { OxyServicesFeaturesMixin } from './OxyServices.features';
 import { OxyServicesTopicsMixin } from './OxyServices.topics';
+import { OxyServicesManagedAccountsMixin } from './OxyServices.managedAccounts';
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 type MixinFunction = (Base: any) => any;
@@ -68,6 +69,7 @@ const MIXIN_PIPELINE: MixinFunction[] = [
     OxyServicesSecurityMixin,
     OxyServicesFeaturesMixin,
     OxyServicesTopicsMixin,
+    OxyServicesManagedAccountsMixin,
 
     // Utility (last, can use all above)
     OxyServicesUtilityMixin,

package/src/models/interfaces.ts

@@ -74,6 +74,9 @@ export interface User {
   automation?: {
     ownerId?: string;
   };
+  // Managed account fields
+  isManagedAccount?: boolean;
+  managedBy?: string;
   [key: string]: unknown;
 }