@oxyhq/core 1.7.0 → 1.8.1

package/src/mixins/OxyServices.fedcm.ts

@@ -111,12 +111,14 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       debug.log('Interactive sign-in: Requesting credential for', clientId, loginHint ? `(hint: ${loginHint})` : '');
 
       // Request credential from browser's native identity flow
+      // mode: 'button' signals this is a user-gesture-initiated flow (Chrome 125+)
       const credential = await this.requestIdentityCredential({
         configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
         clientId,
         nonce,
         context: options.context,
         loginHint,
+        mode: 'button',
       });
 
       if (!credential || !credential.token) {
@@ -205,7 +207,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     // We intentionally do NOT fall back to optional mediation here because
     // this runs on app startup — showing browser UI without user action is bad UX.
     // Optional/interactive mediation should only happen when the user clicks "Sign In".
-    let credential: { token: string } | null = null;
+    let credential: { token: string; isAutoSelected: boolean } | null = null;
 
     const loginHint = this.getStoredLoginHint();
 
@@ -308,7 +310,8 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     context?: string;
     loginHint?: string;
     mediation?: 'silent' | 'optional' | 'required';
-  }): Promise<{ token: string } | null> {
+    mode?: 'button' | 'widget';
+  }): Promise<{ token: string; isAutoSelected: boolean } | null> {
     const requestedMediation = options.mediation || 'optional';
     const isInteractive = requestedMediation !== 'silent';
 
@@ -356,7 +359,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       try {
         debug.log('Calling navigator.credentials.get with mediation:', requestedMediation);
         // Type assertion needed as FedCM types may not be in all TypeScript versions
-        const credential = (await (navigator.credentials as any).get({
+        const credentialOptions: any = {
           identity: {
             providers: [
               {
@@ -370,10 +373,12 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
                 ...(options.loginHint && { loginHint: options.loginHint }),
               },
             ],
+            ...(options.mode && { mode: options.mode }),
           },
           mediation: requestedMediation,
           signal: controller.signal,
-        })) as any;
+        };
+        const credential = (await (navigator.credentials as any).get(credentialOptions)) as any;
 
         debug.log('navigator.credentials.get returned:', {
           hasCredential: !!credential,
@@ -386,8 +391,9 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
           return null;
         }
 
-        debug.log('Got valid identity credential with token');
-        return { token: credential.token };
+        const isAutoSelected = !!credential.isAutoSelected;
+        debug.log('Got valid identity credential with token', { isAutoSelected });
+        return { token: credential.token, isAutoSelected };
       } catch (error) {
         const errorName = error instanceof Error ? error.name : 'Unknown';
         const errorMessage = error instanceof Error ? error.message : String(error);
@@ -438,25 +444,31 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
   /**
    * Revoke FedCM credential (sign out)
    *
-   * This tells the browser to forget the FedCM credential for this app.
-   * The user will need to re-authenticate next time.
+   * Uses IdentityCredential.disconnect() to tell the browser to forget
+   * the RP-IdP-account association. This resets the "returning account"
+   * state, which is required for silent mediation to work again.
    */
   async revokeFedCMCredential(): Promise<void> {
+    // Read hint before clearing so we can pass it to disconnect()
+    const accountHint = this.getStoredLoginHint();
+    this.clearLoginHint();
+
     if (!this.isFedCMSupported()) {
       return;
     }
 
     try {
-      // FedCM logout API (if available)
-      if ('IdentityCredential' in window && 'logout' in (window as any).IdentityCredential) {
+      if ('IdentityCredential' in window && 'disconnect' in (window as any).IdentityCredential) {
         const clientId = this.getClientId();
-        await (window as any).IdentityCredential.logout({
+        await (window as any).IdentityCredential.disconnect({
           configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
           clientId,
+          accountHint: accountHint || '*',
         });
+        debug.log('FedCM credential disconnected');
       }
     } catch (error) {
-      // Silent failure
+      debug.log('FedCM disconnect failed (non-critical):', error instanceof Error ? error.message : String(error));
     }
   }
 
@@ -521,6 +533,16 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       // Storage full or blocked
     }
   }
+
+  /** @internal */
+  public clearLoginHint(): void {
+    if (typeof window === 'undefined') return;
+    try {
+      localStorage.removeItem(FEDCM_LOGIN_HINT_KEY);
+    } catch {
+      // Storage blocked
+    }
+  }
   };
 }
 

package/src/types/expo-crypto.d.ts

@@ -0,0 +1,16 @@
+declare module 'expo-crypto' {
+  export enum CryptoDigestAlgorithm {
+    SHA256 = 'SHA-256',
+    SHA384 = 'SHA-384',
+    SHA512 = 'SHA-512',
+  }
+
+  export function digestStringAsync(
+    algorithm: CryptoDigestAlgorithm,
+    data: string,
+  ): Promise<string>;
+
+  export function getRandomBytes(byteCount: number): Uint8Array;
+
+  export function getRandomBytesAsync(byteCount: number): Promise<Uint8Array>;
+}

package/src/types/expo-secure-store.d.ts

@@ -0,0 +1,17 @@
+declare module 'expo-secure-store' {
+  export interface SecureStoreOptions {
+    keychainAccessible?: number;
+    keychainAccessGroup?: string;
+    keychainService?: string;
+    requireAuthentication?: boolean;
+  }
+
+  export const WHEN_UNLOCKED: number;
+  export const AFTER_FIRST_UNLOCK: number;
+  export const WHEN_UNLOCKED_THIS_DEVICE_ONLY: number;
+  export const AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: number;
+
+  export function getItemAsync(key: string, options?: SecureStoreOptions): Promise<string | null>;
+  export function setItemAsync(key: string, value: string, options?: SecureStoreOptions): Promise<void>;
+  export function deleteItemAsync(key: string, options?: SecureStoreOptions): Promise<void>;
+}

package/src/utils/accountUtils.ts

@@ -0,0 +1,69 @@
+/**
+ * Shared account types and pure helper functions.
+ * Used by both @oxyhq/services (React Native) and @oxyhq/auth (Web) account stores.
+ */
+
+export interface QuickAccount {
+    sessionId: string;
+    userId?: string;
+    username: string;
+    displayName: string;
+    avatar?: string;
+    avatarUrl?: string;
+}
+
+/**
+ * Build an ordered array of QuickAccounts from a map and order list.
+ */
+export const buildAccountsArray = (
+    accounts: Record<string, QuickAccount>,
+    order: string[]
+): QuickAccount[] => {
+    const result: QuickAccount[] = [];
+    for (const id of order) {
+        const account = accounts[id];
+        if (account) result.push(account);
+    }
+    return result;
+};
+
+/**
+ * Create a QuickAccount from user data returned by the API.
+ *
+ * @param sessionId - Session identifier
+ * @param userData - Raw user object from the API
+ * @param existingAccount - Previously cached account (to preserve avatarUrl if unchanged)
+ * @param getFileDownloadUrl - Function to generate avatar download URL from file ID
+ */
+export const createQuickAccount = (
+    sessionId: string,
+    userData: {
+        name?: { full?: string; first?: string };
+        username?: string;
+        id?: string;
+        _id?: { toString(): string } | string;
+        avatar?: string;
+    },
+    existingAccount?: QuickAccount,
+    getFileDownloadUrl?: (fileId: string, variant: string) => string
+): QuickAccount => {
+    const displayName = userData.name?.full || userData.name?.first || userData.username || 'Account';
+    const userId = userData.id || (typeof userData._id === 'string' ? userData._id : userData._id?.toString());
+
+    // Preserve existing avatarUrl if avatar hasn't changed (prevents image reload)
+    let avatarUrl: string | undefined;
+    if (existingAccount && existingAccount.avatar === userData.avatar && existingAccount.avatarUrl) {
+        avatarUrl = existingAccount.avatarUrl;
+    } else if (userData.avatar && getFileDownloadUrl) {
+        avatarUrl = getFileDownloadUrl(userData.avatar, 'thumb');
+    }
+
+    return {
+        sessionId,
+        userId,
+        username: userData.username || '',
+        displayName,
+        avatar: userData.avatar,
+        avatarUrl,
+    };
+};

package/src/utils/avatarUtils.ts

@@ -0,0 +1,37 @@
+/**
+ * Minimal interface for services that can update asset visibility.
+ * Kept loose to avoid mixin type-inference issues with the OxyServices class.
+ */
+export interface AssetVisibilityService {
+  assetUpdateVisibility(fileId: string, visibility: 'private' | 'public' | 'unlisted'): Promise<unknown>;
+}
+
+/**
+ * Updates file visibility to public for avatar use.
+ * Logs non-404 errors to help debug upload issues.
+ *
+ * @param fileId - The file ID to update visibility for
+ * @param oxyServices - OxyServices instance (or any object with assetUpdateVisibility)
+ * @param contextName - Context name for error logging
+ */
+export async function updateAvatarVisibility(
+  fileId: string | undefined,
+  oxyServices: AssetVisibilityService,
+  contextName: string = 'AvatarUtils'
+): Promise<void> {
+  if (!fileId || fileId.startsWith('temp-')) {
+    return;
+  }
+
+  try {
+    await oxyServices.assetUpdateVisibility(fileId, 'public');
+  } catch (visError: unknown) {
+    // 404 is expected when asset doesn't exist yet — skip logging
+    const status = (visError instanceof Error && 'status' in visError)
+      ? (visError as Error & { status: number }).status
+      : undefined;
+    if (status !== 404) {
+      console.error(`[${contextName}] Failed to update avatar visibility for ${fileId}:`, visError);
+    }
+  }
+}