@oxyhq/core 1.11.9 → 1.11.11

package/dist/cjs/AuthManager.js

@@ -106,17 +106,106 @@ class AuthManager {
         this.currentUser = null;
         this.refreshTimer = null;
         this.refreshPromise = null;
+        /** Tracks the access token this instance last knew about, for cross-tab adoption. */
+        this._lastKnownAccessToken = null;
+        /** BroadcastChannel for coordinating token refreshes across browser tabs. */
+        this._broadcastChannel = null;
+        /** Set to true when another tab broadcasts a successful refresh, so this tab can skip its own. */
+        this._otherTabRefreshed = false;
         this.oxyServices = oxyServices;
+        const crossTabSync = config.crossTabSync ?? (typeof BroadcastChannel !== 'undefined');
         this.config = {
             storage: config.storage ?? this.getDefaultStorage(),
             autoRefresh: config.autoRefresh ?? true,
             refreshBuffer: config.refreshBuffer ?? 5 * 60 * 1000, // 5 minutes
+            crossTabSync,
         };
         this.storage = this.config.storage;
         // Persist tokens to storage when HttpService refreshes them automatically
         this.oxyServices.httpService.onTokenRefreshed = (accessToken) => {
+            this._lastKnownAccessToken = accessToken;
             this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, accessToken);
         };
+        // Setup cross-tab coordination in browser environments
+        if (this.config.crossTabSync) {
+            this._initBroadcastChannel();
+        }
+    }
+    /**
+     * Initialize BroadcastChannel for cross-tab token refresh coordination.
+     * Only called in browser environments where BroadcastChannel is available.
+     */
+    _initBroadcastChannel() {
+        if (typeof BroadcastChannel === 'undefined')
+            return;
+        try {
+            this._broadcastChannel = new BroadcastChannel('oxy_auth_sync');
+            this._broadcastChannel.onmessage = (event) => {
+                this._handleCrossTabMessage(event.data);
+            };
+        }
+        catch {
+            // BroadcastChannel not supported or blocked (e.g., opaque origins)
+            this._broadcastChannel = null;
+        }
+    }
+    /**
+     * Handle messages from other tabs about token refresh activity.
+     */
+    async _handleCrossTabMessage(message) {
+        if (!message || !message.type)
+            return;
+        switch (message.type) {
+            case 'tokens_refreshed': {
+                // Another tab successfully refreshed. Signal to cancel our pending refresh.
+                this._otherTabRefreshed = true;
+                // Adopt the new tokens from shared storage
+                const newToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+                if (newToken && newToken !== this._lastKnownAccessToken) {
+                    this._lastKnownAccessToken = newToken;
+                    this.oxyServices.httpService.setTokens(newToken);
+                    // Re-read session for updated expiry and schedule next refresh
+                    const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+                    if (sessionJson) {
+                        try {
+                            const session = JSON.parse(sessionJson);
+                            if (session.expiresAt && this.config.autoRefresh) {
+                                this.setupTokenRefresh(session.expiresAt);
+                            }
+                        }
+                        catch {
+                            // Ignore parse errors
+                        }
+                    }
+                }
+                break;
+            }
+            case 'signed_out': {
+                // Another tab signed out. Clear our local state to stay consistent.
+                if (this.refreshTimer) {
+                    clearTimeout(this.refreshTimer);
+                    this.refreshTimer = null;
+                }
+                this.refreshPromise = null;
+                this._lastKnownAccessToken = null;
+                this.oxyServices.httpService.setTokens('');
+                this.currentUser = null;
+                this.notifyListeners();
+                break;
+            }
+            // 'refresh_starting' is informational; we don't need to act on it currently
+        }
+    }
+    /**
+     * Broadcast a message to other tabs.
+     */
+    _broadcast(message) {
+        try {
+            this._broadcastChannel?.postMessage(message);
+        }
+        catch {
+            // Channel closed or unavailable
+        }
     }
     /**
      * Get default storage based on environment.
@@ -163,6 +252,7 @@ class AuthManager {
     async handleAuthSuccess(session, method = 'credentials') {
         // Store tokens
         if (session.accessToken) {
+            this._lastKnownAccessToken = session.accessToken;
             await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, session.accessToken);
             this.oxyServices.httpService.setTokens(session.accessToken);
         }
@@ -227,6 +317,8 @@ class AuthManager {
         }
     }
     async _doRefreshToken() {
+        // Reset the cross-tab flag before starting
+        this._otherTabRefreshed = false;
         // Get session info to find sessionId for token refresh
         const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
         if (!sessionJson) {
@@ -243,8 +335,22 @@ class AuthManager {
             console.error('AuthManager: Failed to parse session from storage.', err);
             return false;
         }
+        // Record the token we know about before attempting refresh
+        const tokenBeforeRefresh = this._lastKnownAccessToken;
+        // Broadcast that we're starting a refresh (informational for other tabs)
+        this._broadcast({ type: 'refresh_starting', sessionId, timestamp: Date.now() });
         try {
             await (0, asyncUtils_1.retryAsync)(async () => {
+                // Before each attempt, check if another tab already refreshed
+                if (this._otherTabRefreshed) {
+                    const adoptedToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+                    if (adoptedToken && adoptedToken !== tokenBeforeRefresh) {
+                        // Another tab succeeded. Adopt its tokens and short-circuit.
+                        this._lastKnownAccessToken = adoptedToken;
+                        this.oxyServices.httpService.setTokens(adoptedToken);
+                        return;
+                    }
+                }
                 const httpService = this.oxyServices.httpService;
                 // Use session-based token endpoint which handles auto-refresh server-side
                 const response = await httpService.request({
@@ -257,6 +363,7 @@ class AuthManager {
                     throw new Error('No access token in refresh response');
                 }
                 // Update access token in storage and HTTP client
+                this._lastKnownAccessToken = response.accessToken;
                 await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, response.accessToken);
                 this.oxyServices.httpService.setTokens(response.accessToken);
                 // Update session expiry and schedule next refresh
@@ -274,6 +381,8 @@ class AuthManager {
                         this.setupTokenRefresh(response.expiresAt);
                     }
                 }
+                // Broadcast success so other tabs can adopt these tokens
+                this._broadcast({ type: 'tokens_refreshed', sessionId, timestamp: Date.now() });
             }, 2, // 2 retries = 3 total attempts
             1000, // 1s base delay with exponential backoff + jitter
             (error) => {
@@ -286,7 +395,41 @@ class AuthManager {
             return true;
         }
         catch {
-            // All retry attempts exhausted, clear session
+            // All retry attempts exhausted. Before clearing the session, check if
+            // another tab managed to refresh successfully while we were retrying.
+            // Since all tabs share the same storage (localStorage), a successful
+            // refresh from another tab will have written a different access token.
+            const currentStoredToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+            if (currentStoredToken && currentStoredToken !== tokenBeforeRefresh) {
+                // Another tab refreshed successfully. Adopt its tokens instead of logging out.
+                this._lastKnownAccessToken = currentStoredToken;
+                this.oxyServices.httpService.setTokens(currentStoredToken);
+                // Restore user from storage in case it was updated
+                const userJson = await this.storage.getItem(STORAGE_KEYS.USER);
+                if (userJson) {
+                    try {
+                        this.currentUser = JSON.parse(userJson);
+                    }
+                    catch {
+                        // Ignore parse errors
+                    }
+                }
+                // Re-read session expiry and schedule next refresh
+                const updatedSessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+                if (updatedSessionJson) {
+                    try {
+                        const session = JSON.parse(updatedSessionJson);
+                        if (session.expiresAt && this.config.autoRefresh) {
+                            this.setupTokenRefresh(session.expiresAt);
+                        }
+                    }
+                    catch {
+                        // Ignore parse errors
+                    }
+                }
+                return true;
+            }
+            // No other tab rescued us -- truly clear the session
             await this.clearSession();
             this.currentUser = null;
             this.notifyListeners();
@@ -328,8 +471,11 @@ class AuthManager {
         }
         // Clear HTTP client tokens
         this.oxyServices.httpService.setTokens('');
+        this._lastKnownAccessToken = null;
         // Clear storage
         await this.clearSession();
+        // Notify other tabs so they also sign out
+        this._broadcast({ type: 'signed_out', timestamp: Date.now() });
         // Update state and notify
         this.currentUser = null;
         this.notifyListeners();
@@ -404,6 +550,7 @@ class AuthManager {
             // Restore token to HTTP client
             const token = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
             if (token) {
+                this._lastKnownAccessToken = token;
                 this.oxyServices.httpService.setTokens(token);
             }
             // Check session expiry
@@ -444,6 +591,16 @@ class AuthManager {
             this.refreshTimer = null;
         }
         this.listeners.clear();
+        // Close BroadcastChannel
+        if (this._broadcastChannel) {
+            try {
+                this._broadcastChannel.close();
+            }
+            catch {
+                // Ignore close errors
+            }
+            this._broadcastChannel = null;
+        }
     }
 }
 exports.AuthManager = AuthManager;

package/dist/cjs/HttpService.js

@@ -84,6 +84,8 @@ class HttpService {
         this.tokenRefreshPromise = null;
         this.tokenRefreshCooldownUntil = 0;
         this._onTokenRefreshed = null;
+        // Acting-as identity for managed accounts
+        this._actingAsUserId = null;
         // Performance monitoring
         this.requestMetrics = {
             totalRequests: 0,
@@ -200,6 +202,10 @@ class HttpService {
                         hasNativeAppHeader: headers['X-Native-App'] === 'true',
                     });
                 }
+                // Add X-Acting-As header for managed account identity delegation
+                if (this._actingAsUserId) {
+                    headers['X-Acting-As'] = this._actingAsUserId;
+                }
                 // Merge custom headers if provided
                 if (config.headers) {
                     Object.entries(config.headers).forEach(([key, value]) => {
@@ -582,6 +588,13 @@ class HttpService {
     async delete(url, config) {
         return this.request({ method: 'DELETE', url, ...config });
     }
+    // Acting-as identity management (managed accounts)
+    setActingAs(userId) {
+        this._actingAsUserId = userId;
+    }
+    getActingAs() {
+        return this._actingAsUserId;
+    }
     // Token management
     setTokens(accessToken, refreshToken = '') {
         this.tokenStore.setTokens(accessToken, refreshToken);

package/dist/cjs/OxyServices.base.js

@@ -141,6 +141,27 @@ class OxyServicesBase {
     getAccessToken() {
         return this.httpService.getAccessToken();
     }
+    /**
+     * Set the acting-as identity for managed accounts.
+     *
+     * When set, all subsequent API requests will include the `X-Acting-As` header,
+     * causing the server to attribute actions to the managed account. The
+     * authenticated user must be an authorized manager of the target account.
+     *
+     * Pass `null` to clear and revert to the authenticated user's own identity.
+     *
+     * @param userId - The managed account user ID, or null to clear
+     */
+    setActingAs(userId) {
+        this.httpService.setActingAs(userId);
+    }
+    /**
+     * Get the current acting-as identity (managed account user ID), or null
+     * if operating as the authenticated user's own identity.
+     */
+    getActingAs() {
+        return this.httpService.getActingAs();
+    }
     /**
      * Wait for authentication to be ready
      *

package/dist/cjs/crypto/keyManager.js

@@ -126,13 +126,11 @@ async function getSecureRandomBytes(length) {
         return Crypto.getRandomBytes(length);
     }
     // In Node.js, use Node's crypto module
-    // Use Function constructor to prevent Metro bundler from statically analyzing this require
-    // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     try {
-        // eslint-disable-next-line @typescript-eslint/no-implied-eval
-        const getCrypto = new Function('return require("crypto")');
-        const crypto = getCrypto();
-        return new Uint8Array(crypto.randomBytes(length));
+        const cryptoModuleName = 'crypto';
+        const nodeCrypto = await Promise.resolve(`${cryptoModuleName}`).then(s => __importStar(require(s)));
+        return new Uint8Array(nodeCrypto.randomBytes(length));
     }
     catch (error) {
         // Fallback to expo-crypto if Node crypto fails

package/dist/cjs/crypto/polyfill.js

@@ -8,6 +8,39 @@
  * - Browser/Node.js: Uses native crypto
  * - React Native: Falls back to expo-crypto if native crypto unavailable
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Buffer = void 0;
 const buffer_1 = require("buffer");
@@ -30,27 +63,35 @@ if (!globalObject.Buffer) {
 }
 // Cache for expo-crypto module (lazy loaded only in React Native)
 let expoCryptoModule = null;
-let expoCryptoLoadAttempted = false;
-function getRandomBytesSync(byteCount) {
-    if (!expoCryptoLoadAttempted) {
-        expoCryptoLoadAttempted = true;
+let expoCryptoLoadPromise = null;
+/**
+ * Eagerly start loading expo-crypto. The module is cached once resolved so
+ * the synchronous getRandomValues shim can read from it immediately.
+ * Uses dynamic import with variable indirection to prevent ESM bundlers
+ * (Vite, webpack) from statically resolving the specifier.
+ */
+function startExpoCryptoLoad() {
+    if (expoCryptoLoadPromise)
+        return;
+    expoCryptoLoadPromise = (async () => {
         try {
-            // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
-            // crypto.getRandomValues exists natively so this code path is never reached.
-            if (typeof require !== 'undefined') {
-                const moduleName = 'expo-crypto';
-                expoCryptoModule = require(moduleName);
-            }
+            const moduleName = 'expo-crypto';
+            expoCryptoModule = await Promise.resolve(`${moduleName}`).then(s => __importStar(require(s)));
         }
         catch {
             // expo-crypto not available — expected in non-RN environments
         }
-    }
+    })();
+}
+function getRandomBytesSync(byteCount) {
+    // Kick off loading if not already started (should have been started at module init)
+    startExpoCryptoLoad();
     if (expoCryptoModule) {
         return expoCryptoModule.getRandomBytes(byteCount);
     }
     throw new Error('No crypto.getRandomValues implementation available. ' +
-        'In React Native, install expo-crypto.');
+        'In React Native, install expo-crypto. ' +
+        'If expo-crypto is installed, ensure the polyfill module is imported early enough for the async load to complete.');
 }
 const cryptoPolyfill = {
     getRandomValues(array) {
@@ -62,8 +103,11 @@ const cryptoPolyfill = {
 };
 // Only polyfill if crypto or crypto.getRandomValues is not available
 if (typeof globalObject.crypto === 'undefined') {
+    // Start loading expo-crypto eagerly so it is ready by the time getRandomValues is called
+    startExpoCryptoLoad();
     globalObject.crypto = cryptoPolyfill;
 }
 else if (typeof globalObject.crypto.getRandomValues !== 'function') {
+    startExpoCryptoLoad();
     globalObject.crypto.getRandomValues = cryptoPolyfill.getRandomValues;
 }

package/dist/cjs/crypto/signatureService.js

@@ -98,11 +98,11 @@ class SignatureService {
                 .join('');
         }
         // In Node.js, use Node's crypto module
+        // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
         if ((0, platform_1.isNodeJS)()) {
             try {
-                // eslint-disable-next-line @typescript-eslint/no-implied-eval
-                const getCrypto = new Function('return require("crypto")');
-                const nodeCrypto = getCrypto();
+                const cryptoModuleName = 'crypto';
+                const nodeCrypto = await Promise.resolve(`${cryptoModuleName}`).then(s => __importStar(require(s)));
                 return nodeCrypto.randomBytes(32).toString('hex');
             }
             catch {
@@ -169,7 +169,10 @@ class SignatureService {
                 // In React Native, use async verify instead
                 throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
             }
-            // Use Function constructor to prevent Metro bundler from statically analyzing this require
+            // Intentionally using Function constructor here: this method is synchronous by design
+            // (Node.js backend hot-path) so we cannot use `await import()`. The Function constructor
+            // prevents Metro/bundlers from statically resolving the require. This is acceptable because
+            // verifySync is gated by isNodeJS() and will never execute in browser/RN environments.
             // eslint-disable-next-line @typescript-eslint/no-implied-eval
             const getCrypto = new Function('return require("crypto")');
             const crypto = getCrypto();

package/dist/cjs/mixins/OxyServices.fedcm.js

@@ -38,6 +38,11 @@ function OxyServicesFedCMMixin(Base) {
             constructor(...args) {
                 super(...args);
             }
+            resolveFedcmConfigUrl() {
+                return this.config.authWebUrl
+                    ? `${this.config.authWebUrl}/fedcm.json`
+                    : this.constructor.DEFAULT_CONFIG_URL;
+            }
             /**
              * Check if FedCM is supported in the current browser
              */
@@ -89,7 +94,7 @@ function OxyServicesFedCMMixin(Base) {
                     // Request credential from browser's native identity flow
                     // mode: 'button' signals this is a user-gesture-initiated flow (Chrome 125+)
                     const credential = await this.requestIdentityCredential({
-                        configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                        configURL: this.resolveFedcmConfigUrl(),
                         clientId,
                         nonce,
                         context: options.context,
@@ -179,7 +184,7 @@ function OxyServicesFedCMMixin(Base) {
                     const nonce = this.generateNonce();
                     debug.log('Silent SSO: Attempting silent mediation...', loginHint ? `(hint: ${loginHint})` : '');
                     credential = await this.requestIdentityCredential({
-                        configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                        configURL: this.resolveFedcmConfigUrl(),
                         clientId,
                         nonce,
                         loginHint,
@@ -393,7 +398,7 @@ function OxyServicesFedCMMixin(Base) {
                     if ('IdentityCredential' in window && 'disconnect' in window.IdentityCredential) {
                         const clientId = this.getClientId();
                         await window.IdentityCredential.disconnect({
-                            configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                            configURL: this.resolveFedcmConfigUrl(),
                             clientId,
                             accountHint: accountHint || '*',
                         });
@@ -412,7 +417,7 @@ function OxyServicesFedCMMixin(Base) {
             getFedCMConfig() {
                 return {
                     enabled: this.isFedCMSupported(),
-                    configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                    configURL: this.resolveFedcmConfigUrl(),
                     clientId: this.getClientId(),
                 };
             }

package/dist/cjs/mixins/OxyServices.managedAccounts.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OxyServicesManagedAccountsMixin = OxyServicesManagedAccountsMixin;
+function OxyServicesManagedAccountsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Create a new managed account (sub-account).
+         *
+         * The server creates a User document with `isManagedAccount: true` and links
+         * it to the authenticated user as owner.
+         */
+        async createManagedAccount(data) {
+            try {
+                return await this.makeRequest('POST', '/managed-accounts', data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List all accounts the authenticated user manages.
+         */
+        async getManagedAccounts() {
+            try {
+                return await this.makeRequest('GET', '/managed-accounts', undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get details for a specific managed account.
+         */
+        async getManagedAccountDetails(accountId) {
+            try {
+                return await this.makeRequest('GET', `/managed-accounts/${accountId}`, undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update a managed account's profile data.
+         * Requires owner or admin role.
+         */
+        async updateManagedAccount(accountId, data) {
+            try {
+                return await this.makeRequest('PUT', `/managed-accounts/${accountId}`, data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Delete a managed account permanently.
+         * Requires owner role.
+         */
+        async deleteManagedAccount(accountId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a manager to a managed account.
+         * Requires owner or admin role on the account.
+         *
+         * @param accountId - The managed account to add the manager to
+         * @param userId - The user to grant management access
+         * @param role - The role to assign: 'admin' or 'editor'
+         */
+        async addManager(accountId, userId, role) {
+            try {
+                await this.makeRequest('POST', `/managed-accounts/${accountId}/managers`, { userId, role }, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a manager from a managed account.
+         * Requires owner role.
+         *
+         * @param accountId - The managed account
+         * @param userId - The manager to remove
+         */
+        async removeManager(accountId, userId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}/managers/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/cjs/mixins/OxyServices.popup.js

@@ -33,6 +33,10 @@ function OxyServicesPopupAuthMixin(Base) {
             constructor(...args) {
                 super(...args);
             }
+            /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
+            resolveAuthUrl() {
+                return this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL;
+            }
             /**
              * Sign in using popup window
              *
@@ -75,7 +79,7 @@ function OxyServicesPopupAuthMixin(Base) {
                     state,
                     nonce,
                     clientId: window.location.origin,
-                    redirectUri: `${(this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)}/auth/callback`,
+                    redirectUri: `${this.resolveAuthUrl()}/auth/callback`,
                 });
                 const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
                 if (!popup) {
@@ -163,7 +167,7 @@ function OxyServicesPopupAuthMixin(Base) {
                 iframe.style.width = '0';
                 iframe.style.height = '0';
                 iframe.style.border = 'none';
-                const silentUrl = `${(this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
+                const silentUrl = `${this.resolveAuthUrl()}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
                 iframe.src = silentUrl;
                 document.body.appendChild(iframe);
                 try {
@@ -214,7 +218,7 @@ function OxyServicesPopupAuthMixin(Base) {
                         reject(new OxyServices_errors_1.OxyAuthenticationError('Authentication timeout'));
                     }, timeout);
                     const messageHandler = (event) => {
-                        const authUrl = (this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL);
+                        const authUrl = this.resolveAuthUrl();
                         // Log all messages for debugging
                         if (event.data && typeof event.data === 'object' && event.data.type) {
                             debug.log('Message received:', {
@@ -286,7 +290,7 @@ function OxyServicesPopupAuthMixin(Base) {
                     }, timeout);
                     const messageHandler = (event) => {
                         // Verify origin
-                        if (event.origin !== (this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)) {
+                        if (event.origin !== this.resolveAuthUrl()) {
                             return;
                         }
                         const { type, session } = event.data;
@@ -309,7 +313,7 @@ function OxyServicesPopupAuthMixin(Base) {
              * @private
              */
             buildAuthUrl(params) {
-                const url = new URL(`${(this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)}/${params.mode}`);
+                const url = new URL(`${this.resolveAuthUrl()}/${params.mode}`);
                 url.searchParams.set('response_type', 'token');
                 url.searchParams.set('client_id', params.clientId);
                 url.searchParams.set('redirect_uri', params.redirectUri);