@oxyhq/core 2.2.0 → 2.2.2

package/src/mixins/__tests__/serviceAuth.test.ts

@@ -332,6 +332,98 @@ describe('H1: getServiceToken per-credential cache + secret verification', () =>
   });
 });
 
+// ---------------------------------------------------------------------------
+// invalidateServiceToken — clears the cached service token so the next
+// getServiceToken() mints anew, enabling recovery from a mid-run 401 (e.g.
+// credential revocation) without waiting for natural token expiry.
+// ---------------------------------------------------------------------------
+
+describe('invalidateServiceToken: forces a fresh mint after a same-run 401', () => {
+  let oxy: OxyServices;
+  let makeRequestSpy: jest.SpyInstance;
+
+  beforeEach(() => {
+    oxy = new OxyServices({ baseURL: 'http://test.invalid' });
+    makeRequestSpy = jest.spyOn(oxy as unknown as { makeRequest: jest.Mock }, 'makeRequest');
+  });
+
+  afterEach(() => {
+    makeRequestSpy.mockRestore();
+  });
+
+  it('re-mints on the next getServiceToken() after invalidation (configured credential)', async () => {
+    makeRequestSpy
+      .mockResolvedValueOnce({ token: 'token-first', expiresIn: 3600, appName: 'tenant-A' })
+      .mockResolvedValueOnce({ token: 'token-second', expiresIn: 3600, appName: 'tenant-A' });
+
+    oxy.configureServiceAuth('key-A', 'secret-A');
+
+    const first = await oxy.getServiceToken();
+    // Cached — would normally be returned again without re-minting.
+    const cached = await oxy.getServiceToken();
+    expect(first).toBe('token-first');
+    expect(cached).toBe('token-first');
+    expect(makeRequestSpy).toHaveBeenCalledTimes(1);
+
+    // Simulate a 401: invalidate, then the very next call must mint anew.
+    oxy.invalidateServiceToken();
+
+    const fresh = await oxy.getServiceToken();
+    expect(fresh).toBe('token-second');
+    expect(makeRequestSpy).toHaveBeenCalledTimes(2);
+  });
+
+  it('clears only the targeted apiKey entry, leaving other tenants cached', async () => {
+    makeRequestSpy
+      .mockResolvedValueOnce({ token: 'token-A1', expiresIn: 3600, appName: 'tenant-A' })
+      .mockResolvedValueOnce({ token: 'token-B1', expiresIn: 3600, appName: 'tenant-B' })
+      .mockResolvedValueOnce({ token: 'token-A2', expiresIn: 3600, appName: 'tenant-A' });
+
+    await oxy.getServiceToken('key-A', 'secret-A');
+    await oxy.getServiceToken('key-B', 'secret-B');
+    expect(makeRequestSpy).toHaveBeenCalledTimes(2);
+
+    // Invalidate only tenant A.
+    oxy.invalidateServiceToken('key-A');
+
+    // Tenant A re-mints...
+    const a2 = await oxy.getServiceToken('key-A', 'secret-A');
+    expect(a2).toBe('token-A2');
+    expect(makeRequestSpy).toHaveBeenCalledTimes(3);
+
+    // ...tenant B is still cached (no extra mint).
+    const b1 = await oxy.getServiceToken('key-B', 'secret-B');
+    expect(b1).toBe('token-B1');
+    expect(makeRequestSpy).toHaveBeenCalledTimes(3);
+  });
+
+  it('clears every entry when no key is configured and none is passed', async () => {
+    makeRequestSpy
+      .mockResolvedValueOnce({ token: 'token-A1', expiresIn: 3600, appName: 'tenant-A' })
+      .mockResolvedValueOnce({ token: 'token-B1', expiresIn: 3600, appName: 'tenant-B' })
+      .mockResolvedValueOnce({ token: 'token-A2', expiresIn: 3600, appName: 'tenant-A' })
+      .mockResolvedValueOnce({ token: 'token-B2', expiresIn: 3600, appName: 'tenant-B' });
+
+    await oxy.getServiceToken('key-A', 'secret-A');
+    await oxy.getServiceToken('key-B', 'secret-B');
+    expect(makeRequestSpy).toHaveBeenCalledTimes(2);
+
+    // No configureServiceAuth() and no argument → clear all.
+    oxy.invalidateServiceToken();
+
+    const a2 = await oxy.getServiceToken('key-A', 'secret-A');
+    const b2 = await oxy.getServiceToken('key-B', 'secret-B');
+    expect(a2).toBe('token-A2');
+    expect(b2).toBe('token-B2');
+    expect(makeRequestSpy).toHaveBeenCalledTimes(4);
+  });
+
+  it('is a no-op safe to call when nothing is cached', () => {
+    expect(() => oxy.invalidateServiceToken()).not.toThrow();
+    expect(() => oxy.invalidateServiceToken('key-unknown')).not.toThrow();
+  });
+});
+
 // ---------------------------------------------------------------------------
 // H2 — malformed tokens must yield 401, not 500. Uses class-based error
 // detection so future failure modes can't silently fall through.

package/src/utils/__tests__/authWebUrl.test.ts

@@ -5,13 +5,23 @@
  * `auth.oxy.so` origin is returned. No DOM, no side effects.
  */
 
-import { CENTRAL_AUTH_URL, resolveCentralAuthUrl } from '../authWebUrl';
+import { CENTRAL_AUTH_URL, CENTRAL_IDP_APEX, resolveCentralAuthUrl } from '../authWebUrl';
+
+describe('CENTRAL_IDP_APEX', () => {
+  it('is the central IdP registrable apex', () => {
+    expect(CENTRAL_IDP_APEX).toBe('oxy.so');
+  });
+});
 
 describe('CENTRAL_AUTH_URL', () => {
   it('is the central IdP origin with no trailing slash', () => {
     expect(CENTRAL_AUTH_URL).toBe('https://auth.oxy.so');
     expect(CENTRAL_AUTH_URL.endsWith('/')).toBe(false);
   });
+
+  it('is derived from CENTRAL_IDP_APEX (apex and origin never drift)', () => {
+    expect(CENTRAL_AUTH_URL).toBe(`https://auth.${CENTRAL_IDP_APEX}`);
+  });
 });
 
 describe('resolveCentralAuthUrl', () => {

package/src/utils/__tests__/consumeSsoReturn.test.ts

@@ -0,0 +1,401 @@
+/**
+ * `consumeSsoReturn` — the commit-free, security-critical kernel of the
+ * cross-domain SSO `sso-return` step.
+ *
+ * Every web seam is injected (storage / location / history / isWeb) so the
+ * full CSRF / fragment-strip-order / exchange / dest-restore / loop-breaker
+ * sequence is asserted deterministically without a DOM.
+ */
+
+import { consumeSsoReturn } from '../ssoReturn';
+import {
+  SSO_CALLBACK_PATH,
+  ssoStateKey,
+  ssoGuardKey,
+  ssoDestKey,
+  ssoNoSessionKey,
+} from '../ssoBounce';
+import type { SessionLoginResponse } from '../../models/session';
+
+const ORIGIN = 'https://mention.earth';
+
+function makeStorage(seed: Record<string, string> = {}) {
+  const map = new Map<string, string>(Object.entries(seed));
+  return {
+    map,
+    getItem: (k: string) => (map.has(k) ? (map.get(k) as string) : null),
+    setItem: (k: string, v: string) => {
+      map.set(k, v);
+    },
+    removeItem: (k: string) => {
+      map.delete(k);
+    },
+  };
+}
+
+interface LocationParts {
+  hash: string;
+  origin: string;
+  pathname: string;
+  search: string;
+}
+
+function makeLocation(parts: Partial<LocationParts> = {}): LocationParts {
+  return {
+    hash: parts.hash ?? '',
+    origin: parts.origin ?? ORIGIN,
+    pathname: parts.pathname ?? SSO_CALLBACK_PATH,
+    search: parts.search ?? '',
+  };
+}
+
+function makeHistory() {
+  const calls: Array<[unknown, string, string | undefined]> = [];
+  return {
+    calls,
+    replaceState: (data: unknown, unused: string, url?: string | URL | null) => {
+      calls.push([data, unused, typeof url === 'string' ? url : undefined]);
+    },
+  };
+}
+
+const SESSION: SessionLoginResponse = {
+  sessionId: 'sess-1',
+  deviceId: 'dev-1',
+  expiresAt: '2099-01-01T00:00:00.000Z',
+  user: { id: 'u1', username: 'alice' },
+};
+
+function okExchange() {
+  return { exchangeSsoCode: jest.fn(async () => SESSION) };
+}
+
+describe('consumeSsoReturn', () => {
+  it('returns null off-web (isWeb false) and does nothing', async () => {
+    const oxy = okExchange();
+    const storage = makeStorage();
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => false,
+      storage,
+      location: makeLocation({ hash: '#oxy_sso=ok&code=c&state=s' }),
+      history: makeHistory(),
+    });
+
+    expect(result).toBeNull();
+    expect(oxy.exchangeSsoCode).not.toHaveBeenCalled();
+  });
+
+  it('returns null for a non-oxy fragment without touching any flags', async () => {
+    const oxy = okExchange();
+    const storage = makeStorage();
+    const history = makeHistory();
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({ hash: '#section=about' }),
+      history,
+    });
+
+    expect(result).toBeNull();
+    expect(oxy.exchangeSsoCode).not.toHaveBeenCalled();
+    expect(storage.map.has(ssoNoSessionKey(ORIGIN))).toBe(false);
+    // No fragment strip for an unrelated fragment.
+    expect(history.calls).toHaveLength(0);
+  });
+
+  it('sets NO_SESSION and returns null on a "none" outcome', async () => {
+    const oxy = okExchange();
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 's' });
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({ hash: '#oxy_sso=none&state=s' }),
+      history: makeHistory(),
+    });
+
+    expect(result).toBeNull();
+    expect(oxy.exchangeSsoCode).not.toHaveBeenCalled();
+    expect(storage.map.get(ssoNoSessionKey(ORIGIN))).toBe('1');
+    expect(storage.map.has(ssoStateKey(ORIGIN))).toBe(false);
+    expect(storage.map.has(ssoGuardKey(ORIGIN))).toBe(false);
+  });
+
+  it('sets NO_SESSION and returns null on an "error" outcome', async () => {
+    const oxy = okExchange();
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 's' });
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({ hash: '#oxy_sso=error&state=s' }),
+      history: makeHistory(),
+    });
+
+    expect(result).toBeNull();
+    expect(storage.map.get(ssoNoSessionKey(ORIGIN))).toBe('1');
+  });
+
+  it('sets NO_SESSION and returns null on a state mismatch (CSRF)', async () => {
+    const oxy = okExchange();
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 'expected' });
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({ hash: '#oxy_sso=ok&code=c&state=forged' }),
+      history: makeHistory(),
+    });
+
+    expect(result).toBeNull();
+    expect(oxy.exchangeSsoCode).not.toHaveBeenCalled();
+    expect(storage.map.get(ssoNoSessionKey(ORIGIN))).toBe('1');
+  });
+
+  it('sets NO_SESSION and returns null when ok carries no code', async () => {
+    const oxy = okExchange();
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 's' });
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({ hash: '#oxy_sso=ok&state=s' }),
+      history: makeHistory(),
+    });
+
+    expect(result).toBeNull();
+    expect(oxy.exchangeSsoCode).not.toHaveBeenCalled();
+    expect(storage.map.get(ssoNoSessionKey(ORIGIN))).toBe('1');
+  });
+
+  it('exchanges, returns the session, strips the fragment, and removes state/guard keys on ok', async () => {
+    const oxy = okExchange();
+    const storage = makeStorage({
+      [ssoStateKey(ORIGIN)]: 's',
+      [ssoGuardKey(ORIGIN)]: String(Date.now()),
+    });
+    const history = makeHistory();
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({
+        hash: '#oxy_sso=ok&code=opaque-code&state=s',
+        pathname: '/feed',
+        search: '?tab=home',
+      }),
+      history,
+    });
+
+    expect(result).toEqual(SESSION);
+    expect(oxy.exchangeSsoCode).toHaveBeenCalledWith('opaque-code');
+    expect(storage.map.has(ssoStateKey(ORIGIN))).toBe(false);
+    expect(storage.map.has(ssoGuardKey(ORIGIN))).toBe(false);
+    expect(storage.map.has(ssoNoSessionKey(ORIGIN))).toBe(false);
+    // Fragment stripped to pathname+search (the first replaceState).
+    expect(history.calls[0]?.[2]).toBe('/feed?tab=home');
+  });
+
+  it('strips the fragment BEFORE the exchange (opaque code never lingers)', async () => {
+    const order: string[] = [];
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 's' });
+    const history = {
+      replaceState: () => {
+        order.push('replaceState');
+      },
+    };
+    const oxy = {
+      exchangeSsoCode: jest.fn(async () => {
+        order.push('exchange');
+        return SESSION;
+      }),
+    };
+
+    await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({
+        hash: '#oxy_sso=ok&code=c&state=s',
+        pathname: '/somewhere',
+      }),
+      history,
+    });
+
+    expect(order[0]).toBe('replaceState');
+    expect(order).toContain('exchange');
+    expect(order.indexOf('replaceState')).toBeLessThan(order.indexOf('exchange'));
+  });
+
+  it('sets NO_SESSION, returns null, and calls onExchangeError when the exchange throws', async () => {
+    const boom = new Error('exchange failed');
+    const oxy = {
+      exchangeSsoCode: jest.fn(async () => {
+        throw boom;
+      }),
+    };
+    const onExchangeError = jest.fn();
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 's' });
+
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({ hash: '#oxy_sso=ok&code=c&state=s' }),
+      history: makeHistory(),
+      onExchangeError,
+    });
+
+    expect(result).toBeNull();
+    expect(onExchangeError).toHaveBeenCalledWith(boom);
+    expect(storage.map.get(ssoNoSessionKey(ORIGIN))).toBe('1');
+  });
+
+  it('does not throw when the exchange throws and no onExchangeError hook is given', async () => {
+    const oxy = {
+      exchangeSsoCode: jest.fn(async () => {
+        throw new Error('boom');
+      }),
+    };
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 's' });
+
+    await expect(
+      consumeSsoReturn(oxy, {
+        isWeb: () => true,
+        storage,
+        location: makeLocation({ hash: '#oxy_sso=ok&code=c&state=s' }),
+        history: makeHistory(),
+      }),
+    ).resolves.toBeNull();
+  });
+
+  it('sets NO_SESSION when the exchange resolves without a sessionId', async () => {
+    const oxy = {
+      exchangeSsoCode: jest.fn(async () => ({ sessionId: '' }) as SessionLoginResponse),
+    };
+    const storage = makeStorage({ [ssoStateKey(ORIGIN)]: 's' });
+
+    const result = await consumeSsoReturn(oxy, {
+      isWeb: () => true,
+      storage,
+      location: makeLocation({ hash: '#oxy_sso=ok&code=c&state=s' }),
+      history: makeHistory(),
+    });
+
+    expect(result).toBeNull();
+    expect(storage.map.get(ssoNoSessionKey(ORIGIN))).toBe('1');
+  });
+
+  describe('dest restore', () => {
+    it('restores a same-origin destination when on the callback path and removes the dest key', async () => {
+      const oxy = okExchange();
+      const storage = makeStorage({
+        [ssoStateKey(ORIGIN)]: 's',
+        [ssoDestKey(ORIGIN)]: `${ORIGIN}/profile?x=1#frag`,
+      });
+      const history = makeHistory();
+
+      const result = await consumeSsoReturn(oxy, {
+        isWeb: () => true,
+        storage,
+        location: makeLocation({
+          hash: '#oxy_sso=ok&code=c&state=s',
+          pathname: SSO_CALLBACK_PATH,
+        }),
+        history,
+      });
+
+      expect(result).toEqual(SESSION);
+      // First replaceState = fragment strip; last = dest restore.
+      const last = history.calls[history.calls.length - 1];
+      expect(last?.[2]).toBe('/profile?x=1#frag');
+      expect(storage.map.has(ssoDestKey(ORIGIN))).toBe(false);
+    });
+
+    it('restores a relative same-origin destination (new URL(dest, origin))', async () => {
+      const oxy = okExchange();
+      const storage = makeStorage({
+        [ssoStateKey(ORIGIN)]: 's',
+        [ssoDestKey(ORIGIN)]: '/settings?tab=privacy',
+      });
+      const history = makeHistory();
+
+      await consumeSsoReturn(oxy, {
+        isWeb: () => true,
+        storage,
+        location: makeLocation({
+          hash: '#oxy_sso=ok&code=c&state=s',
+          pathname: SSO_CALLBACK_PATH,
+        }),
+        history,
+      });
+
+      const last = history.calls[history.calls.length - 1];
+      expect(last?.[2]).toBe('/settings?tab=privacy');
+      expect(storage.map.has(ssoDestKey(ORIGIN))).toBe(false);
+    });
+
+    it('rejects a cross-origin (attacker-planted) destination but still removes the dest key', async () => {
+      const oxy = okExchange();
+      const storage = makeStorage({
+        [ssoStateKey(ORIGIN)]: 's',
+        [ssoDestKey(ORIGIN)]: 'https://evil.example/phish',
+      });
+      const history = makeHistory();
+
+      await consumeSsoReturn(oxy, {
+        isWeb: () => true,
+        storage,
+        location: makeLocation({
+          hash: '#oxy_sso=ok&code=c&state=s',
+          pathname: SSO_CALLBACK_PATH,
+        }),
+        history,
+      });
+
+      // Only the fragment-strip replaceState should have run — no dest restore.
+      expect(history.calls).toHaveLength(1);
+      expect(storage.map.has(ssoDestKey(ORIGIN))).toBe(false);
+    });
+
+    it('rejects a protocol-relative cross-origin destination', async () => {
+      const oxy = okExchange();
+      const storage = makeStorage({
+        [ssoStateKey(ORIGIN)]: 's',
+        [ssoDestKey(ORIGIN)]: '//evil.example/phish',
+      });
+      const history = makeHistory();
+
+      await consumeSsoReturn(oxy, {
+        isWeb: () => true,
+        storage,
+        location: makeLocation({
+          hash: '#oxy_sso=ok&code=c&state=s',
+          pathname: SSO_CALLBACK_PATH,
+        }),
+        history,
+      });
+
+      expect(history.calls).toHaveLength(1);
+      expect(storage.map.has(ssoDestKey(ORIGIN))).toBe(false);
+    });
+
+    it('does not restore dest when NOT on the callback path, but still removes the dest key', async () => {
+      const oxy = okExchange();
+      const storage = makeStorage({
+        [ssoStateKey(ORIGIN)]: 's',
+        [ssoDestKey(ORIGIN)]: `${ORIGIN}/should-not-apply`,
+      });
+      const history = makeHistory();
+
+      await consumeSsoReturn(oxy, {
+        isWeb: () => true,
+        storage,
+        location: makeLocation({
+          hash: '#oxy_sso=ok&code=c&state=s',
+          pathname: '/already-here',
+          search: '?a=1',
+        }),
+        history,
+      });
+
+      // Only the fragment strip ran.
+      expect(history.calls).toHaveLength(1);
+      expect(history.calls[0]?.[2]).toBe('/already-here?a=1');
+      expect(storage.map.has(ssoDestKey(ORIGIN))).toBe(false);
+    });
+  });
+});

package/src/utils/__tests__/fapiAutoDetect.test.ts

@@ -10,7 +10,7 @@
  * MULTIPART_TLDS guard.
  */
 
-import { autoDetectAuthWebUrl } from '../fapiAutoDetect';
+import { autoDetectAuthWebUrl, registrableApex } from '../fapiAutoDetect';
 
 function loc(hostname: string, protocol = 'https:'): Pick<Location, 'hostname' | 'protocol'> {
   return { hostname, protocol };
@@ -90,4 +90,65 @@ describe('autoDetectAuthWebUrl', () => {
       expect(autoDetectAuthWebUrl(loc('shop.com.au'))).toBeUndefined();
     });
   });
+
+  // Regression guard: the refactor to delegate host handling to `registrableApex`
+  // must not change any of the pre-existing return values.
+  describe('regression — unchanged values after registrableApex extraction', () => {
+    const cases: Array<[string, string | undefined]> = [
+      ['mention.earth', 'https://auth.mention.earth'],
+      ['www.mention.earth', 'https://auth.mention.earth'],
+      ['deep.app.homiio.com', 'https://auth.homiio.com'],
+      ['auth.oxy.so', 'https://auth.oxy.so'],
+      ['auth.mention.earth', 'https://auth.mention.earth'],
+      ['localhost', undefined],
+      ['192.168.1.10', undefined],
+      ['[::1]', undefined],
+      ['intranet', undefined],
+      ['', undefined],
+      ['foo.co.uk', undefined],
+    ];
+    it.each(cases)('autoDetectAuthWebUrl(%s) === %s', (hostname, expected) => {
+      const protocol = hostname === 'localhost' || hostname === '[::1]' ? 'http:' : 'https:';
+      expect(autoDetectAuthWebUrl(loc(hostname, protocol))).toBe(expected);
+    });
+  });
+});
+
+describe('registrableApex', () => {
+  it('returns the eTLD+1 for a normal two-label host', () => {
+    expect(registrableApex('mention.earth')).toBe('mention.earth');
+  });
+
+  it('strips subdomains down to the trailing two labels', () => {
+    expect(registrableApex('www.mention.earth')).toBe('mention.earth');
+    expect(registrableApex('deep.app.homiio.com')).toBe('homiio.com');
+  });
+
+  it('lower-cases the input', () => {
+    expect(registrableApex('WWW.Mention.EARTH')).toBe('mention.earth');
+  });
+
+  it('returns null for a multi-part public suffix (foo.co.uk -> null)', () => {
+    expect(registrableApex('foo.co.uk')).toBeNull();
+    expect(registrableApex('shop.com.au')).toBeNull();
+  });
+
+  it('returns null for IPv4 literals', () => {
+    expect(registrableApex('192.168.1.10')).toBeNull();
+    expect(registrableApex('10.0.0.1')).toBeNull();
+  });
+
+  it('returns null for IPv6 literals and hosts carrying a port', () => {
+    expect(registrableApex('[::1]')).toBeNull();
+    expect(registrableApex('mention.earth:3000')).toBeNull();
+  });
+
+  it('returns null for single-label hosts', () => {
+    expect(registrableApex('intranet')).toBeNull();
+    expect(registrableApex('localhost')).toBeNull();
+  });
+
+  it('returns null for empty input', () => {
+    expect(registrableApex('')).toBeNull();
+  });
 });