npm - @oxyhq/core - Versions diffs - 2.1.0 → 2.1.2 - Mend

@oxyhq/core 2.1.0 → 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/cjs/.tsbuildinfo +1 -1
package/dist/cjs/CrossDomainAuth.js +6 -5
package/dist/cjs/OxyServices.base.js +16 -3
package/dist/esm/.tsbuildinfo +1 -1
package/dist/esm/CrossDomainAuth.js +6 -5
package/dist/esm/OxyServices.base.js +16 -3
package/dist/types/.tsbuildinfo +1 -1
package/package.json +1 -1
package/src/CrossDomainAuth.ts +6 -5
package/src/OxyServices.base.ts +18 -3
package/src/mixins/__tests__/constructorAuthWebUrl.test.ts +108 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/CrossDomainAuth.ts CHANGED Viewed

@@ -24,6 +24,7 @@
 import type { OxyServices } from './OxyServices';
 import type { SessionLoginResponse } from './models/session';
+import { logger } from './utils/loggerUtils';
 export interface CrossDomainAuthOptions {
   /**
@@ -143,7 +144,7 @@ export class CrossDomainAuth {
         this.closeOrphanPopup(options.popup);
         return session;
       } catch (error) {
-        console.warn('[CrossDomainAuth] FedCM failed, trying popup...', error);
+        logger.warn('FedCM failed, trying popup', { component: 'CrossDomainAuth', method: 'autoSignIn' }, error);
       }
     }
@@ -152,7 +153,7 @@ export class CrossDomainAuth {
       options.onMethodSelected?.('popup');
       return await this.signInWithPopup(options);
     } catch (error) {
-      console.warn('[CrossDomainAuth] Popup failed, falling back to redirect...', error);
+      logger.warn('Popup failed, falling back to redirect', { component: 'CrossDomainAuth', method: 'autoSignIn' }, error);
       // Popup path failed — close the pre-opened popup before redirecting.
       this.closeOrphanPopup(options.popup);
     }
@@ -226,7 +227,7 @@ export class CrossDomainAuth {
           return session;
         }
       } catch (error) {
-        console.warn('[CrossDomainAuth] FedCM silent sign-in failed:', error);
+        logger.debug('FedCM silent sign-in did not resolve', { component: 'CrossDomainAuth', method: 'silentSignIn' }, error);
       }
     }
@@ -234,7 +235,7 @@ export class CrossDomainAuth {
     try {
       return await this.oxyServices.silentSignIn();
     } catch (error) {
-      console.warn('[CrossDomainAuth] Silent sign-in failed:', error);
+      logger.debug('iframe silent sign-in did not resolve', { component: 'CrossDomainAuth', method: 'silentSignIn' }, error);
       return null;
     }
   }
@@ -326,7 +327,7 @@ export class CrossDomainAuth {
           };
         }
       } catch (error) {
-        console.warn('[CrossDomainAuth] Stored session invalid:', error);
+        logger.debug('stored session invalid', { component: 'CrossDomainAuth', method: 'initialize' }, error);
       }
     }

package/src/OxyServices.base.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import type { OxyConfig as OxyConfigBase, ApiError, User } from './models/interf
 import { handleHttpError } from './utils/errorUtils';
 import { HttpService, type RequestOptions } from './HttpService';
 import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
+import { autoDetectAuthWebUrl } from './utils/fapiAutoDetect';
 export interface OxyConfig extends OxyConfigBase {
   cloudURL?: string;
@@ -34,11 +35,25 @@ export class OxyServicesBase {
     if (!config || typeof config !== 'object') {
       throw new Error('OxyConfig is required');
     }
-    this.config = config;
-    this.cloudURL = config.cloudURL || 'https://cloud.oxy.so';
+    // Auto-detect the first-party IdP (`auth.<rp-apex>`) when the caller did not
+    // pin `authWebUrl` explicitly. This mirrors the provider-`baseURL` path in
+    // `@oxyhq/services` (OxyContext), so apps that construct their OWN
+    // `OxyServices` instance and pass it to `<OxyProvider oxyServices={...} />`
+    // get the same same-site IdP resolution. On web at `https://mention.earth`
+    // this yields `https://auth.mention.earth`; on native/SSR (no `window`)
+    // `autoDetectAuthWebUrl()` returns `undefined`, leaving the auth mixins'
+    // `DEFAULT_AUTH_URL` fallback in effect — native behavior is unchanged.
+    // An explicit `authWebUrl` always wins (we only fill it when absent).
+    const resolvedConfig: OxyConfig = config.authWebUrl
+      ? config
+      : { ...config, authWebUrl: autoDetectAuthWebUrl() };
+    this.config = resolvedConfig;
+    this.cloudURL = resolvedConfig.cloudURL || 'https://cloud.oxy.so';
     // Initialize unified HTTP service (handles auth, caching, deduplication, queuing, retry)
-    this.httpService = new HttpService(config);
+    this.httpService = new HttpService(resolvedConfig);
   }
   // Test-only utility to reset tokens on this instance between jest tests

package/src/mixins/__tests__/constructorAuthWebUrl.test.ts ADDED Viewed

@@ -0,0 +1,108 @@
+/**
+ * `OxyServices` constructor first-party IdP auto-detection.
+ *
+ * `@oxyhq/services` 8.2.0 added cross-domain SSO that auto-detects the IdP as
+ * `https://auth.<rp-apex>` via `autoDetectAuthWebUrl()`. That detection used to
+ * run ONLY on the provider-`baseURL` branch of OxyContext — apps that construct
+ * their OWN `OxyServices` instance and pass it to
+ * `<OxyProvider oxyServices={...} />` never hit it, so an omitted `authWebUrl`
+ * fell back to the hardcoded `DEFAULT_AUTH_URL` ('https://auth.oxy.so'),
+ * forcing a third-party IdP and breaking Safari/Firefox cross-domain restore.
+ *
+ * The constructor now derives `authWebUrl` itself when the caller omits it, so
+ * BOTH construction paths behave identically:
+ *   - web at `https://mention.earth` -> `https://auth.mention.earth`
+ *   - native/SSR (no `window`)       -> undefined (mixins fall back to
+ *     `DEFAULT_AUTH_URL`, exactly as before)
+ *   - explicit `authWebUrl`          -> respected verbatim (explicit wins)
+ */
+import { OxyServices } from '../../OxyServices';
+// The hardcoded fallback the auth mixins resolve to when `authWebUrl` is unset
+// (`this.config.authWebUrl || DEFAULT_AUTH_URL`). Mirrors the static
+// `DEFAULT_AUTH_URL` on the redirect/popup mixins. Native/SSR must keep
+// resolving to this exact value after the constructor auto-detect change.
+const DEFAULT_AUTH_URL = 'https://auth.oxy.so';
+function installWindowLocation(hostname: string, protocol = 'https:'): void {
+  (globalThis as unknown as { window: unknown }).window = {
+    location: { hostname, protocol },
+  };
+}
+function clearWindow(): void {
+  delete (globalThis as Record<string, unknown>).window;
+}
+describe('OxyServices constructor — first-party authWebUrl auto-detection', () => {
+  afterEach(() => {
+    clearWindow();
+  });
+  it('leaves authWebUrl undefined on native/SSR (no window)', () => {
+    // No `window` is installed -> autoDetectAuthWebUrl() returns undefined.
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    expect(oxy.config.authWebUrl).toBeUndefined();
+    // Auth flows must still resolve to the hardcoded default on native.
+    expect(oxy.config.authWebUrl || DEFAULT_AUTH_URL).toBe('https://auth.oxy.so');
+  });
+  it('derives auth.<apex> on web when authWebUrl is omitted', () => {
+    installWindowLocation('mention.earth');
+    const oxy = new OxyServices({ baseURL: 'https://api.mention.earth' });
+    expect(oxy.config.authWebUrl).toBe('https://auth.mention.earth');
+  });
+  it('strips a leading subdomain down to the apex on web', () => {
+    installWindowLocation('www.homiio.com');
+    const oxy = new OxyServices({ baseURL: 'https://api.homiio.com' });
+    expect(oxy.config.authWebUrl).toBe('https://auth.homiio.com');
+  });
+  it('derives auth.<host> for preview hosts (e.g. *.pages.dev)', () => {
+    installWindowLocation('foo.pages.dev');
+    const oxy = new OxyServices({ baseURL: 'https://api.oxy.so' });
+    expect(oxy.config.authWebUrl).toBe('https://auth.pages.dev');
+  });
+  it('respects an explicit authWebUrl even when a window is present (explicit wins)', () => {
+    installWindowLocation('mention.earth');
+    const oxy = new OxyServices({
+      baseURL: 'https://api.mention.earth',
+      authWebUrl: 'https://auth.oxy.so',
+    });
+    // The page is mention.earth, but the caller pinned auth.oxy.so — honour it.
+    expect(oxy.config.authWebUrl).toBe('https://auth.oxy.so');
+  });
+  it('does not mutate the caller-supplied config object', () => {
+    installWindowLocation('mention.earth');
+    const input = { baseURL: 'https://api.mention.earth' };
+    const oxy = new OxyServices(input);
+    // The stored config carries the detected IdP...
+    expect(oxy.config.authWebUrl).toBe('https://auth.mention.earth');
+    // ...but the caller's own object reference is untouched.
+    expect((input as { authWebUrl?: string }).authWebUrl).toBeUndefined();
+  });
+  it('falls back to DEFAULT_AUTH_URL on host shapes auto-detect declines (localhost)', () => {
+    installWindowLocation('localhost', 'http:');
+    const oxy = new OxyServices({ baseURL: 'http://localhost:3000' });
+    expect(oxy.config.authWebUrl).toBeUndefined();
+    expect(oxy.config.authWebUrl || DEFAULT_AUTH_URL).toBe('https://auth.oxy.so');
+  });
+});