@oxyhq/core 2.2.2 → 2.3.1

package/dist/esm/index.js

@@ -105,7 +105,7 @@ export { CENTRAL_AUTH_URL, CENTRAL_IDP_APEX, resolveCentralAuthUrl } from './uti
 export { parseSsoReturnFragment, consumeSsoReturn } from './utils/ssoReturn.js';
 export { generateSsoState } from './mixins/OxyServices.sso.js';
 // SSO bounce — per-origin sessionStorage keys, bounce URL builder, predicates
-export { SSO_CALLBACK_PATH, SSO_GUARD_TTL_MS, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, ssoNavigate, buildSsoBounceUrl, isCentralIdPOrigin, guardActive, } from './utils/ssoBounce.js';
+export { SSO_CALLBACK_PATH, SSO_GUARD_TTL_MS, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, ssoAttemptedKey, ssoNavigate, buildSsoBounceUrl, isCentralIdPOrigin, guardActive, } from './utils/ssoBounce.js';
 export { runColdBoot } from './utils/coldBoot.js';
 // ---------------------------------------------------------------------------
 // Constants

package/dist/esm/utils/ssoBounce.js

@@ -26,11 +26,15 @@
  *      the session, then restores the original destination.
  *
  * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
+ * guard/state/dest + the outcome-independent attempted-flag
+ * ({@link ssoAttemptedKey}) and navigates; the IdP (no central session) returns
  * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
  * NO_SESSION flag ({@link ssoNoSessionKey}), and `sso-bounce` is then disabled.
  * Exactly ONE bounce, no loop. An interrupted bounce (user hit back
  * mid-redirect) self-heals once the {@link SSO_GUARD_TTL_MS} guard TTL lapses.
+ * The attempted-flag is the definitive, outcome-INDEPENDENT loop breaker: it is
+ * set pre-bounce so even if the return-side NO_SESSION write never lands, the
+ * bounce can never re-fire this tab after the self-heal TTL lapses.
  *
  * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
  * keyed per-origin so two RPs hosted in the same browser never collide. The
@@ -58,6 +62,7 @@ const STATE_KEY_PREFIX = 'oxy_sso_state:';
 const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
 const DEST_KEY_PREFIX = 'oxy_sso_dest:';
 const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
+const ATTEMPTED_KEY_PREFIX = 'oxy_sso_attempted:';
 /** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
 export function ssoStateKey(origin) {
     return `${STATE_KEY_PREFIX}${origin}`;
@@ -78,6 +83,18 @@ export function ssoDestKey(origin) {
 export function ssoNoSessionKey(origin) {
     return `${NO_SESSION_KEY_PREFIX}${origin}`;
 }
+/**
+ * Per-origin, OUTCOME-INDEPENDENT once-guard. Set in `sessionStorage` BEFORE
+ * the terminal SSO bounce navigates. Gates the bounce so the silent
+ * cross-domain probe fires AT MOST ONCE per tab session — independent of
+ * whether the return-side NO_SESSION flag ever lands. The definitive loop
+ * breaker; survives the 30s self-heal `ssoGuardKey` TTL. Cleared only on an
+ * explicit sign-out/clear so a later cold boot (after the user signs in
+ * centrally) can probe again.
+ */
+export function ssoAttemptedKey(origin) {
+    return `${ATTEMPTED_KEY_PREFIX}${origin}`;
+}
 /**
  * Perform the terminal top-level SSO bounce navigation.
  *

package/dist/esm/utils/ssoReturn.js

@@ -20,7 +20,7 @@
  * an oxy_sso fragment at all (i.e. `oxy_sso` is absent or an unrecognised
  * value), so the caller can ignore unrelated fragments without special-casing.
  */
-import { SSO_CALLBACK_PATH, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, } from './ssoBounce.js';
+import { SSO_CALLBACK_PATH, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, ssoAttemptedKey, } from './ssoBounce.js';
 const VALID_KINDS = new Set(['ok', 'none', 'error']);
 /**
  * Parse an SSO return fragment.
@@ -86,8 +86,8 @@ export function parseSsoReturnFragment(hash) {
  *     or a `Referer` header even if a later step throws.
  *   - `state` must match (CSRF). A mismatch or a missing code sets the
  *     NO_SESSION flag so `sso-bounce` is disabled (no rebounce loop).
- *   - `none`/`error` outcomes set the NO_SESSION flag (the load2 half of the
- *     loop proof).
+ *   - `none`/`error` outcomes set BOTH the NO_SESSION flag and the
+ *     outcome-independent attempted-flag (the load2 half of the loop proof).
  *   - A throwing exchange is caught, reported via `onExchangeError`, and
  *     treated exactly like "no session" (never loops, never rethrows).
  *   - After a successful exchange landing on {@link SSO_CALLBACK_PATH}, the real
@@ -129,6 +129,10 @@ export async function consumeSsoReturn(oxy, deps = {}) {
     storage.removeItem(ssoGuardKey(origin));
     const markNoSession = () => {
         storage.setItem(ssoNoSessionKey(origin), '1');
+        // A return was consumed, so the probe definitively happened. Set the
+        // outcome-independent attempted-flag too so the bounce can never re-fire
+        // even if some consumer path skipped setting it pre-bounce.
+        storage.setItem(ssoAttemptedKey(origin), '1');
     };
     if (ret.kind === 'none' || ret.kind === 'error') {
         // The central IdP had no session (or the bounce failed). Record it so we do