@oxyhq/core 1.11.9 → 1.11.11

package/dist/esm/AuthManager.js

@@ -102,17 +102,106 @@ export class AuthManager {
         this.currentUser = null;
         this.refreshTimer = null;
         this.refreshPromise = null;
+        /** Tracks the access token this instance last knew about, for cross-tab adoption. */
+        this._lastKnownAccessToken = null;
+        /** BroadcastChannel for coordinating token refreshes across browser tabs. */
+        this._broadcastChannel = null;
+        /** Set to true when another tab broadcasts a successful refresh, so this tab can skip its own. */
+        this._otherTabRefreshed = false;
         this.oxyServices = oxyServices;
+        const crossTabSync = config.crossTabSync ?? (typeof BroadcastChannel !== 'undefined');
         this.config = {
             storage: config.storage ?? this.getDefaultStorage(),
             autoRefresh: config.autoRefresh ?? true,
             refreshBuffer: config.refreshBuffer ?? 5 * 60 * 1000, // 5 minutes
+            crossTabSync,
         };
         this.storage = this.config.storage;
         // Persist tokens to storage when HttpService refreshes them automatically
         this.oxyServices.httpService.onTokenRefreshed = (accessToken) => {
+            this._lastKnownAccessToken = accessToken;
             this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, accessToken);
         };
+        // Setup cross-tab coordination in browser environments
+        if (this.config.crossTabSync) {
+            this._initBroadcastChannel();
+        }
+    }
+    /**
+     * Initialize BroadcastChannel for cross-tab token refresh coordination.
+     * Only called in browser environments where BroadcastChannel is available.
+     */
+    _initBroadcastChannel() {
+        if (typeof BroadcastChannel === 'undefined')
+            return;
+        try {
+            this._broadcastChannel = new BroadcastChannel('oxy_auth_sync');
+            this._broadcastChannel.onmessage = (event) => {
+                this._handleCrossTabMessage(event.data);
+            };
+        }
+        catch {
+            // BroadcastChannel not supported or blocked (e.g., opaque origins)
+            this._broadcastChannel = null;
+        }
+    }
+    /**
+     * Handle messages from other tabs about token refresh activity.
+     */
+    async _handleCrossTabMessage(message) {
+        if (!message || !message.type)
+            return;
+        switch (message.type) {
+            case 'tokens_refreshed': {
+                // Another tab successfully refreshed. Signal to cancel our pending refresh.
+                this._otherTabRefreshed = true;
+                // Adopt the new tokens from shared storage
+                const newToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+                if (newToken && newToken !== this._lastKnownAccessToken) {
+                    this._lastKnownAccessToken = newToken;
+                    this.oxyServices.httpService.setTokens(newToken);
+                    // Re-read session for updated expiry and schedule next refresh
+                    const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+                    if (sessionJson) {
+                        try {
+                            const session = JSON.parse(sessionJson);
+                            if (session.expiresAt && this.config.autoRefresh) {
+                                this.setupTokenRefresh(session.expiresAt);
+                            }
+                        }
+                        catch {
+                            // Ignore parse errors
+                        }
+                    }
+                }
+                break;
+            }
+            case 'signed_out': {
+                // Another tab signed out. Clear our local state to stay consistent.
+                if (this.refreshTimer) {
+                    clearTimeout(this.refreshTimer);
+                    this.refreshTimer = null;
+                }
+                this.refreshPromise = null;
+                this._lastKnownAccessToken = null;
+                this.oxyServices.httpService.setTokens('');
+                this.currentUser = null;
+                this.notifyListeners();
+                break;
+            }
+            // 'refresh_starting' is informational; we don't need to act on it currently
+        }
+    }
+    /**
+     * Broadcast a message to other tabs.
+     */
+    _broadcast(message) {
+        try {
+            this._broadcastChannel?.postMessage(message);
+        }
+        catch {
+            // Channel closed or unavailable
+        }
     }
     /**
      * Get default storage based on environment.
@@ -159,6 +248,7 @@ export class AuthManager {
     async handleAuthSuccess(session, method = 'credentials') {
         // Store tokens
         if (session.accessToken) {
+            this._lastKnownAccessToken = session.accessToken;
             await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, session.accessToken);
             this.oxyServices.httpService.setTokens(session.accessToken);
         }
@@ -223,6 +313,8 @@ export class AuthManager {
         }
     }
     async _doRefreshToken() {
+        // Reset the cross-tab flag before starting
+        this._otherTabRefreshed = false;
         // Get session info to find sessionId for token refresh
         const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
         if (!sessionJson) {
@@ -239,8 +331,22 @@ export class AuthManager {
             console.error('AuthManager: Failed to parse session from storage.', err);
             return false;
         }
+        // Record the token we know about before attempting refresh
+        const tokenBeforeRefresh = this._lastKnownAccessToken;
+        // Broadcast that we're starting a refresh (informational for other tabs)
+        this._broadcast({ type: 'refresh_starting', sessionId, timestamp: Date.now() });
         try {
             await retryAsync(async () => {
+                // Before each attempt, check if another tab already refreshed
+                if (this._otherTabRefreshed) {
+                    const adoptedToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+                    if (adoptedToken && adoptedToken !== tokenBeforeRefresh) {
+                        // Another tab succeeded. Adopt its tokens and short-circuit.
+                        this._lastKnownAccessToken = adoptedToken;
+                        this.oxyServices.httpService.setTokens(adoptedToken);
+                        return;
+                    }
+                }
                 const httpService = this.oxyServices.httpService;
                 // Use session-based token endpoint which handles auto-refresh server-side
                 const response = await httpService.request({
@@ -253,6 +359,7 @@ export class AuthManager {
                     throw new Error('No access token in refresh response');
                 }
                 // Update access token in storage and HTTP client
+                this._lastKnownAccessToken = response.accessToken;
                 await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, response.accessToken);
                 this.oxyServices.httpService.setTokens(response.accessToken);
                 // Update session expiry and schedule next refresh
@@ -270,6 +377,8 @@ export class AuthManager {
                         this.setupTokenRefresh(response.expiresAt);
                     }
                 }
+                // Broadcast success so other tabs can adopt these tokens
+                this._broadcast({ type: 'tokens_refreshed', sessionId, timestamp: Date.now() });
             }, 2, // 2 retries = 3 total attempts
             1000, // 1s base delay with exponential backoff + jitter
             (error) => {
@@ -282,7 +391,41 @@ export class AuthManager {
             return true;
         }
         catch {
-            // All retry attempts exhausted, clear session
+            // All retry attempts exhausted. Before clearing the session, check if
+            // another tab managed to refresh successfully while we were retrying.
+            // Since all tabs share the same storage (localStorage), a successful
+            // refresh from another tab will have written a different access token.
+            const currentStoredToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+            if (currentStoredToken && currentStoredToken !== tokenBeforeRefresh) {
+                // Another tab refreshed successfully. Adopt its tokens instead of logging out.
+                this._lastKnownAccessToken = currentStoredToken;
+                this.oxyServices.httpService.setTokens(currentStoredToken);
+                // Restore user from storage in case it was updated
+                const userJson = await this.storage.getItem(STORAGE_KEYS.USER);
+                if (userJson) {
+                    try {
+                        this.currentUser = JSON.parse(userJson);
+                    }
+                    catch {
+                        // Ignore parse errors
+                    }
+                }
+                // Re-read session expiry and schedule next refresh
+                const updatedSessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+                if (updatedSessionJson) {
+                    try {
+                        const session = JSON.parse(updatedSessionJson);
+                        if (session.expiresAt && this.config.autoRefresh) {
+                            this.setupTokenRefresh(session.expiresAt);
+                        }
+                    }
+                    catch {
+                        // Ignore parse errors
+                    }
+                }
+                return true;
+            }
+            // No other tab rescued us -- truly clear the session
             await this.clearSession();
             this.currentUser = null;
             this.notifyListeners();
@@ -324,8 +467,11 @@ export class AuthManager {
         }
         // Clear HTTP client tokens
         this.oxyServices.httpService.setTokens('');
+        this._lastKnownAccessToken = null;
         // Clear storage
         await this.clearSession();
+        // Notify other tabs so they also sign out
+        this._broadcast({ type: 'signed_out', timestamp: Date.now() });
         // Update state and notify
         this.currentUser = null;
         this.notifyListeners();
@@ -400,6 +546,7 @@ export class AuthManager {
             // Restore token to HTTP client
             const token = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
             if (token) {
+                this._lastKnownAccessToken = token;
                 this.oxyServices.httpService.setTokens(token);
             }
             // Check session expiry
@@ -440,6 +587,16 @@ export class AuthManager {
             this.refreshTimer = null;
         }
         this.listeners.clear();
+        // Close BroadcastChannel
+        if (this._broadcastChannel) {
+            try {
+                this._broadcastChannel.close();
+            }
+            catch {
+                // Ignore close errors
+            }
+            this._broadcastChannel = null;
+        }
     }
 }
 /**

package/dist/esm/HttpService.js

@@ -81,6 +81,8 @@ export class HttpService {
         this.tokenRefreshPromise = null;
         this.tokenRefreshCooldownUntil = 0;
         this._onTokenRefreshed = null;
+        // Acting-as identity for managed accounts
+        this._actingAsUserId = null;
         // Performance monitoring
         this.requestMetrics = {
             totalRequests: 0,
@@ -197,6 +199,10 @@ export class HttpService {
                         hasNativeAppHeader: headers['X-Native-App'] === 'true',
                     });
                 }
+                // Add X-Acting-As header for managed account identity delegation
+                if (this._actingAsUserId) {
+                    headers['X-Acting-As'] = this._actingAsUserId;
+                }
                 // Merge custom headers if provided
                 if (config.headers) {
                     Object.entries(config.headers).forEach(([key, value]) => {
@@ -579,6 +585,13 @@ export class HttpService {
     async delete(url, config) {
         return this.request({ method: 'DELETE', url, ...config });
     }
+    // Acting-as identity management (managed accounts)
+    setActingAs(userId) {
+        this._actingAsUserId = userId;
+    }
+    getActingAs() {
+        return this._actingAsUserId;
+    }
     // Token management
     setTokens(accessToken, refreshToken = '') {
         this.tokenStore.setTokens(accessToken, refreshToken);

package/dist/esm/OxyServices.base.js

@@ -138,6 +138,27 @@ export class OxyServicesBase {
     getAccessToken() {
         return this.httpService.getAccessToken();
     }
+    /**
+     * Set the acting-as identity for managed accounts.
+     *
+     * When set, all subsequent API requests will include the `X-Acting-As` header,
+     * causing the server to attribute actions to the managed account. The
+     * authenticated user must be an authorized manager of the target account.
+     *
+     * Pass `null` to clear and revert to the authenticated user's own identity.
+     *
+     * @param userId - The managed account user ID, or null to clear
+     */
+    setActingAs(userId) {
+        this.httpService.setActingAs(userId);
+    }
+    /**
+     * Get the current acting-as identity (managed account user ID), or null
+     * if operating as the authenticated user's own identity.
+     */
+    getActingAs() {
+        return this.httpService.getActingAs();
+    }
     /**
      * Wait for authentication to be ready
      *

package/dist/esm/crypto/keyManager.js

@@ -91,13 +91,11 @@ async function getSecureRandomBytes(length) {
         return Crypto.getRandomBytes(length);
     }
     // In Node.js, use Node's crypto module
-    // Use Function constructor to prevent Metro bundler from statically analyzing this require
-    // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     try {
-        // eslint-disable-next-line @typescript-eslint/no-implied-eval
-        const getCrypto = new Function('return require("crypto")');
-        const crypto = getCrypto();
-        return new Uint8Array(crypto.randomBytes(length));
+        const cryptoModuleName = 'crypto';
+        const nodeCrypto = await import(cryptoModuleName);
+        return new Uint8Array(nodeCrypto.randomBytes(length));
     }
     catch (error) {
         // Fallback to expo-crypto if Node crypto fails

package/dist/esm/crypto/polyfill.js

@@ -27,27 +27,35 @@ if (!globalObject.Buffer) {
 }
 // Cache for expo-crypto module (lazy loaded only in React Native)
 let expoCryptoModule = null;
-let expoCryptoLoadAttempted = false;
-function getRandomBytesSync(byteCount) {
-    if (!expoCryptoLoadAttempted) {
-        expoCryptoLoadAttempted = true;
+let expoCryptoLoadPromise = null;
+/**
+ * Eagerly start loading expo-crypto. The module is cached once resolved so
+ * the synchronous getRandomValues shim can read from it immediately.
+ * Uses dynamic import with variable indirection to prevent ESM bundlers
+ * (Vite, webpack) from statically resolving the specifier.
+ */
+function startExpoCryptoLoad() {
+    if (expoCryptoLoadPromise)
+        return;
+    expoCryptoLoadPromise = (async () => {
         try {
-            // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
-            // crypto.getRandomValues exists natively so this code path is never reached.
-            if (typeof require !== 'undefined') {
-                const moduleName = 'expo-crypto';
-                expoCryptoModule = require(moduleName);
-            }
+            const moduleName = 'expo-crypto';
+            expoCryptoModule = await import(moduleName);
         }
         catch {
             // expo-crypto not available — expected in non-RN environments
         }
-    }
+    })();
+}
+function getRandomBytesSync(byteCount) {
+    // Kick off loading if not already started (should have been started at module init)
+    startExpoCryptoLoad();
     if (expoCryptoModule) {
         return expoCryptoModule.getRandomBytes(byteCount);
     }
     throw new Error('No crypto.getRandomValues implementation available. ' +
-        'In React Native, install expo-crypto.');
+        'In React Native, install expo-crypto. ' +
+        'If expo-crypto is installed, ensure the polyfill module is imported early enough for the async load to complete.');
 }
 const cryptoPolyfill = {
     getRandomValues(array) {
@@ -59,9 +67,12 @@ const cryptoPolyfill = {
 };
 // Only polyfill if crypto or crypto.getRandomValues is not available
 if (typeof globalObject.crypto === 'undefined') {
+    // Start loading expo-crypto eagerly so it is ready by the time getRandomValues is called
+    startExpoCryptoLoad();
     globalObject.crypto = cryptoPolyfill;
 }
 else if (typeof globalObject.crypto.getRandomValues !== 'function') {
+    startExpoCryptoLoad();
     globalObject.crypto.getRandomValues = cryptoPolyfill.getRandomValues;
 }
 export { Buffer };

package/dist/esm/crypto/signatureService.js

@@ -63,11 +63,11 @@ export class SignatureService {
                 .join('');
         }
         // In Node.js, use Node's crypto module
+        // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
         if (isNodeJS()) {
             try {
-                // eslint-disable-next-line @typescript-eslint/no-implied-eval
-                const getCrypto = new Function('return require("crypto")');
-                const nodeCrypto = getCrypto();
+                const cryptoModuleName = 'crypto';
+                const nodeCrypto = await import(cryptoModuleName);
                 return nodeCrypto.randomBytes(32).toString('hex');
             }
             catch {
@@ -134,7 +134,10 @@ export class SignatureService {
                 // In React Native, use async verify instead
                 throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
             }
-            // Use Function constructor to prevent Metro bundler from statically analyzing this require
+            // Intentionally using Function constructor here: this method is synchronous by design
+            // (Node.js backend hot-path) so we cannot use `await import()`. The Function constructor
+            // prevents Metro/bundlers from statically resolving the require. This is acceptable because
+            // verifySync is gated by isNodeJS() and will never execute in browser/RN environments.
             // eslint-disable-next-line @typescript-eslint/no-implied-eval
             const getCrypto = new Function('return require("crypto")');
             const crypto = getCrypto();

package/dist/esm/mixins/OxyServices.fedcm.js

@@ -34,6 +34,11 @@ export function OxyServicesFedCMMixin(Base) {
             constructor(...args) {
                 super(...args);
             }
+            resolveFedcmConfigUrl() {
+                return this.config.authWebUrl
+                    ? `${this.config.authWebUrl}/fedcm.json`
+                    : this.constructor.DEFAULT_CONFIG_URL;
+            }
             /**
              * Check if FedCM is supported in the current browser
              */
@@ -85,7 +90,7 @@ export function OxyServicesFedCMMixin(Base) {
                     // Request credential from browser's native identity flow
                     // mode: 'button' signals this is a user-gesture-initiated flow (Chrome 125+)
                     const credential = await this.requestIdentityCredential({
-                        configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                        configURL: this.resolveFedcmConfigUrl(),
                         clientId,
                         nonce,
                         context: options.context,
@@ -175,7 +180,7 @@ export function OxyServicesFedCMMixin(Base) {
                     const nonce = this.generateNonce();
                     debug.log('Silent SSO: Attempting silent mediation...', loginHint ? `(hint: ${loginHint})` : '');
                     credential = await this.requestIdentityCredential({
-                        configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                        configURL: this.resolveFedcmConfigUrl(),
                         clientId,
                         nonce,
                         loginHint,
@@ -389,7 +394,7 @@ export function OxyServicesFedCMMixin(Base) {
                     if ('IdentityCredential' in window && 'disconnect' in window.IdentityCredential) {
                         const clientId = this.getClientId();
                         await window.IdentityCredential.disconnect({
-                            configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                            configURL: this.resolveFedcmConfigUrl(),
                             clientId,
                             accountHint: accountHint || '*',
                         });
@@ -408,7 +413,7 @@ export function OxyServicesFedCMMixin(Base) {
             getFedCMConfig() {
                 return {
                     enabled: this.isFedCMSupported(),
-                    configURL: (this.config.authWebUrl ? `${this.config.authWebUrl}/fedcm.json` : this.constructor.DEFAULT_CONFIG_URL),
+                    configURL: this.resolveFedcmConfigUrl(),
                     clientId: this.getClientId(),
                 };
             }

package/dist/esm/mixins/OxyServices.managedAccounts.js

@@ -0,0 +1,114 @@
+export function OxyServicesManagedAccountsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Create a new managed account (sub-account).
+         *
+         * The server creates a User document with `isManagedAccount: true` and links
+         * it to the authenticated user as owner.
+         */
+        async createManagedAccount(data) {
+            try {
+                return await this.makeRequest('POST', '/managed-accounts', data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List all accounts the authenticated user manages.
+         */
+        async getManagedAccounts() {
+            try {
+                return await this.makeRequest('GET', '/managed-accounts', undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get details for a specific managed account.
+         */
+        async getManagedAccountDetails(accountId) {
+            try {
+                return await this.makeRequest('GET', `/managed-accounts/${accountId}`, undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update a managed account's profile data.
+         * Requires owner or admin role.
+         */
+        async updateManagedAccount(accountId, data) {
+            try {
+                return await this.makeRequest('PUT', `/managed-accounts/${accountId}`, data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Delete a managed account permanently.
+         * Requires owner role.
+         */
+        async deleteManagedAccount(accountId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a manager to a managed account.
+         * Requires owner or admin role on the account.
+         *
+         * @param accountId - The managed account to add the manager to
+         * @param userId - The user to grant management access
+         * @param role - The role to assign: 'admin' or 'editor'
+         */
+        async addManager(accountId, userId, role) {
+            try {
+                await this.makeRequest('POST', `/managed-accounts/${accountId}/managers`, { userId, role }, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a manager from a managed account.
+         * Requires owner role.
+         *
+         * @param accountId - The managed account
+         * @param userId - The manager to remove
+         */
+        async removeManager(accountId, userId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}/managers/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/OxyServices.popup.js

@@ -29,6 +29,10 @@ export function OxyServicesPopupAuthMixin(Base) {
             constructor(...args) {
                 super(...args);
             }
+            /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
+            resolveAuthUrl() {
+                return this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL;
+            }
             /**
              * Sign in using popup window
              *
@@ -71,7 +75,7 @@ export function OxyServicesPopupAuthMixin(Base) {
                     state,
                     nonce,
                     clientId: window.location.origin,
-                    redirectUri: `${(this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)}/auth/callback`,
+                    redirectUri: `${this.resolveAuthUrl()}/auth/callback`,
                 });
                 const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
                 if (!popup) {
@@ -159,7 +163,7 @@ export function OxyServicesPopupAuthMixin(Base) {
                 iframe.style.width = '0';
                 iframe.style.height = '0';
                 iframe.style.border = 'none';
-                const silentUrl = `${(this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
+                const silentUrl = `${this.resolveAuthUrl()}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
                 iframe.src = silentUrl;
                 document.body.appendChild(iframe);
                 try {
@@ -210,7 +214,7 @@ export function OxyServicesPopupAuthMixin(Base) {
                         reject(new OxyAuthenticationError('Authentication timeout'));
                     }, timeout);
                     const messageHandler = (event) => {
-                        const authUrl = (this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL);
+                        const authUrl = this.resolveAuthUrl();
                         // Log all messages for debugging
                         if (event.data && typeof event.data === 'object' && event.data.type) {
                             debug.log('Message received:', {
@@ -282,7 +286,7 @@ export function OxyServicesPopupAuthMixin(Base) {
                     }, timeout);
                     const messageHandler = (event) => {
                         // Verify origin
-                        if (event.origin !== (this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)) {
+                        if (event.origin !== this.resolveAuthUrl()) {
                             return;
                         }
                         const { type, session } = event.data;
@@ -305,7 +309,7 @@ export function OxyServicesPopupAuthMixin(Base) {
              * @private
              */
             buildAuthUrl(params) {
-                const url = new URL(`${(this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL)}/${params.mode}`);
+                const url = new URL(`${this.resolveAuthUrl()}/${params.mode}`);
                 url.searchParams.set('response_type', 'token');
                 url.searchParams.set('client_id', params.clientId);
                 url.searchParams.set('redirect_uri', params.redirectUri);