@oxyhq/core 2.3.0 → 2.3.2

package/dist/esm/index.js

@@ -105,7 +105,7 @@ export { CENTRAL_AUTH_URL, CENTRAL_IDP_APEX, resolveCentralAuthUrl } from './uti
 export { parseSsoReturnFragment, consumeSsoReturn } from './utils/ssoReturn.js';
 export { generateSsoState } from './mixins/OxyServices.sso.js';
 // SSO bounce — per-origin sessionStorage keys, bounce URL builder, predicates
-export { SSO_CALLBACK_PATH, SSO_GUARD_TTL_MS, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, ssoNavigate, buildSsoBounceUrl, isCentralIdPOrigin, guardActive, } from './utils/ssoBounce.js';
+export { SSO_CALLBACK_PATH, SSO_GUARD_TTL_MS, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, ssoAttemptedKey, ssoNavigate, buildSsoBounceUrl, isCentralIdPOrigin, guardActive, } from './utils/ssoBounce.js';
 export { runColdBoot } from './utils/coldBoot.js';
 // ---------------------------------------------------------------------------
 // Constants

package/dist/esm/utils/ssoBounce.js

@@ -26,11 +26,15 @@
  *      the session, then restores the original destination.
  *
  * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
+ * guard/state/dest + the outcome-independent attempted-flag
+ * ({@link ssoAttemptedKey}) and navigates; the IdP (no central session) returns
  * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
  * NO_SESSION flag ({@link ssoNoSessionKey}), and `sso-bounce` is then disabled.
  * Exactly ONE bounce, no loop. An interrupted bounce (user hit back
  * mid-redirect) self-heals once the {@link SSO_GUARD_TTL_MS} guard TTL lapses.
+ * The attempted-flag is the definitive, outcome-INDEPENDENT loop breaker: it is
+ * set pre-bounce so even if the return-side NO_SESSION write never lands, the
+ * bounce can never re-fire this tab after the self-heal TTL lapses.
  *
  * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
  * keyed per-origin so two RPs hosted in the same browser never collide. The
@@ -58,6 +62,7 @@ const STATE_KEY_PREFIX = 'oxy_sso_state:';
 const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
 const DEST_KEY_PREFIX = 'oxy_sso_dest:';
 const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
+const ATTEMPTED_KEY_PREFIX = 'oxy_sso_attempted:';
 /** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
 export function ssoStateKey(origin) {
     return `${STATE_KEY_PREFIX}${origin}`;
@@ -78,6 +83,18 @@ export function ssoDestKey(origin) {
 export function ssoNoSessionKey(origin) {
     return `${NO_SESSION_KEY_PREFIX}${origin}`;
 }
+/**
+ * Per-origin, OUTCOME-INDEPENDENT once-guard. Set in `sessionStorage` BEFORE
+ * the terminal SSO bounce navigates. Gates the bounce so the silent
+ * cross-domain probe fires AT MOST ONCE per tab session — independent of
+ * whether the return-side NO_SESSION flag ever lands. The definitive loop
+ * breaker; survives the 30s self-heal `ssoGuardKey` TTL. Cleared only on an
+ * explicit sign-out/clear so a later cold boot (after the user signs in
+ * centrally) can probe again.
+ */
+export function ssoAttemptedKey(origin) {
+    return `${ATTEMPTED_KEY_PREFIX}${origin}`;
+}
 /**
  * Perform the terminal top-level SSO bounce navigation.
  *

package/dist/esm/utils/ssoReturn.js

@@ -20,7 +20,7 @@
  * an oxy_sso fragment at all (i.e. `oxy_sso` is absent or an unrecognised
  * value), so the caller can ignore unrelated fragments without special-casing.
  */
-import { SSO_CALLBACK_PATH, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, } from './ssoBounce.js';
+import { SSO_CALLBACK_PATH, ssoStateKey, ssoGuardKey, ssoDestKey, ssoNoSessionKey, ssoAttemptedKey, } from './ssoBounce.js';
 const VALID_KINDS = new Set(['ok', 'none', 'error']);
 /**
  * Parse an SSO return fragment.
@@ -86,14 +86,20 @@ export function parseSsoReturnFragment(hash) {
  *     or a `Referer` header even if a later step throws.
  *   - `state` must match (CSRF). A mismatch or a missing code sets the
  *     NO_SESSION flag so `sso-bounce` is disabled (no rebounce loop).
- *   - `none`/`error` outcomes set the NO_SESSION flag (the load2 half of the
- *     loop proof).
+ *   - `none`/`error` outcomes set BOTH the NO_SESSION flag and the
+ *     outcome-independent attempted-flag (the load2 half of the loop proof).
  *   - A throwing exchange is caught, reported via `onExchangeError`, and
  *     treated exactly like "no session" (never loops, never rethrows).
- *   - After a successful exchange landing on {@link SSO_CALLBACK_PATH}, the real
- *     destination is restored from the DEST key — same-origin only (an
- *     attacker-planted cross-origin or relative-evil dest is rejected). The
- *     DEST key is removed unconditionally.
+ *   - On EVERY consumed outcome (ok, none, error, state-mismatch, no-code,
+ *     failed-exchange, no-sessionId) — not just ok — if the page landed on
+ *     {@link SSO_CALLBACK_PATH}, the real pre-bounce destination is restored
+ *     from the DEST key so the user is never stranded on the internal callback
+ *     path. Same-origin only (an attacker-planted cross-origin or relative-evil
+ *     dest is rejected). The DEST key is removed unconditionally.
+ *   - After a same-origin dest restore (which uses `history.replaceState`, that
+ *     does NOT itself emit `popstate`), a synthetic `popstate` is dispatched so
+ *     URL-driven routers (Expo Router / React Navigation web) re-sync to the
+ *     restored route. It is NOT dispatched when the dest is rejected/absent.
  *
  * Total: this function NEVER throws. Off-web it is a no-op returning `null`.
  *
@@ -112,6 +118,21 @@ export async function consumeSsoReturn(oxy, deps = {}) {
     const location = deps.location ?? window.location;
     const history = deps.history ?? window.history;
     const onExchangeError = deps.onExchangeError;
+    // Default: emit a synthetic `popstate` so URL-driven routers re-sync after a
+    // `history.replaceState` (which does NOT emit `popstate` on its own). Feature-
+    // detected end to end so it never throws in any environment.
+    const dispatchPopState = deps.dispatchPopState ??
+        (() => {
+            if (typeof window === 'undefined' || typeof window.dispatchEvent !== 'function') {
+                return;
+            }
+            if (typeof PopStateEvent !== 'undefined') {
+                window.dispatchEvent(new PopStateEvent('popstate'));
+            }
+            else if (typeof Event !== 'undefined') {
+                window.dispatchEvent(new Event('popstate'));
+            }
+        });
     const ret = parseSsoReturnFragment(location.hash);
     if (!ret) {
         // Not an oxy_sso fragment — nothing to do (do NOT touch any flags).
@@ -129,17 +150,47 @@ export async function consumeSsoReturn(oxy, deps = {}) {
     storage.removeItem(ssoGuardKey(origin));
     const markNoSession = () => {
         storage.setItem(ssoNoSessionKey(origin), '1');
+        // A return was consumed, so the probe definitively happened. Set the
+        // outcome-independent attempted-flag too so the bounce can never re-fire
+        // even if some consumer path skipped setting it pre-bounce.
+        storage.setItem(ssoAttemptedKey(origin), '1');
+    };
+    // Restore the user's real pre-bounce destination so they are never stranded
+    // on the internal callback path — invoked on EVERY consumed outcome, not just
+    // success. Same-origin only — never honour a cross-origin/protocol-relative
+    // dest that could have been planted to redirect the user. The DEST key is
+    // removed unconditionally. After a successful same-origin restore a synthetic
+    // `popstate` is dispatched so URL-driven routers re-sync.
+    const restoreDest = () => {
+        if (location.pathname === SSO_CALLBACK_PATH) {
+            const dest = storage.getItem(ssoDestKey(origin));
+            if (dest) {
+                try {
+                    const destUrl = new URL(dest, origin);
+                    if (destUrl.origin === origin) {
+                        history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
+                        dispatchPopState();
+                    }
+                }
+                catch {
+                    // Malformed stored destination — leave the URL on the callback path.
+                }
+            }
+        }
+        storage.removeItem(ssoDestKey(origin));
     };
     if (ret.kind === 'none' || ret.kind === 'error') {
         // The central IdP had no session (or the bounce failed). Record it so we do
         // not bounce again this tab — the definitive loop breaker.
         markNoSession();
+        restoreDest();
         return null;
     }
     if (!stateOk || !ret.code) {
         // Forged / replayed / stale fragment, or a malformed ok with no code. Treat
         // exactly like "no session": never exchange, never loop.
         markNoSession();
+        restoreDest();
         return null;
     }
     let session;
@@ -149,31 +200,14 @@ export async function consumeSsoReturn(oxy, deps = {}) {
     catch (error) {
         onExchangeError?.(error);
         markNoSession();
+        restoreDest();
         return null;
     }
     if (!session?.sessionId) {
         markNoSession();
+        restoreDest();
         return null;
     }
-    // If we landed on the internal callback path, restore the user's real
-    // destination (captured at bounce time). Same-origin only — never honour a
-    // cross-origin destination that could have been planted to redirect the
-    // freshly signed-in user. `new URL(dest, origin)` tolerates relative dests
-    // and is still re-checked against the page origin.
-    if (location.pathname === SSO_CALLBACK_PATH) {
-        const dest = storage.getItem(ssoDestKey(origin));
-        if (dest) {
-            try {
-                const destUrl = new URL(dest, origin);
-                if (destUrl.origin === origin) {
-                    history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
-                }
-            }
-            catch {
-                // Malformed stored destination — leave the URL on the callback path.
-            }
-        }
-    }
-    storage.removeItem(ssoDestKey(origin));
+    restoreDest();
     return session;
 }