@oxyhq/core 2.3.1 → 2.4.0

package/dist/esm/AuthManager.js

@@ -729,9 +729,10 @@ export class AuthManager {
      * Returns the active user on success, or `null` when neither path
      * restored a session.
      */
-    async initialize() {
-        // 1. Cookie path (preferred).
-        const cookieResult = await this.restoreFromCookies();
+    async initialize(options = {}) {
+        // 1. Cookie path (preferred). Forward the optional cold-boot fail-fast
+        // timeout so a cross-domain stall cannot hang provider init.
+        const cookieResult = await this.restoreFromCookies(options);
         if (cookieResult.accounts.length > 0) {
             return this.currentUser;
         }
@@ -948,7 +949,7 @@ export class AuthManager {
      * proceed unauthenticated. State is NOT cleared on failure; existing
      * accounts (if any) remain intact.
      */
-    async restoreFromCookies() {
+    async restoreFromCookies(options = {}) {
         // Cross-tab cascade debounce. If we restored within the last
         // _RESTORE_DEBOUNCE_MS for the currently-active slot, skip the network
         // round-trip and return the cached registry verbatim. A burst of N
@@ -966,7 +967,9 @@ export class AuthManager {
         }
         let snapshot;
         try {
-            snapshot = await this.oxyServices.refreshAllSessions();
+            // Forward the optional cold-boot fail-fast timeout. Undefined (the warm
+            // cross-tab cascade default) preserves the wait-indefinitely behaviour.
+            snapshot = await this.oxyServices.refreshAllSessions({ timeout: options.timeout });
         }
         catch {
             return { accounts: [], activeAuthuser: null };

package/dist/esm/mixins/OxyServices.auth.js

@@ -449,19 +449,42 @@ export function OxyServicesAuthMixin(Base) {
          * tokens do. Each access token still needs to be planted via
          * `setTokens(...)` (or per-account in-memory storage) at the consumer.
          */
-        async refreshAllSessions() {
+        async refreshAllSessions(options = {}) {
             const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/refresh-all`;
+            // Optional bounded abort (see `RefreshAllOptions.timeout`). A positive
+            // timeout arms an `AbortController` that aborts the in-flight request; an
+            // abort is treated as "no signed-in accounts on this device" — the same
+            // outcome as a 401 — so a cross-domain stall falls through cleanly instead
+            // of hanging the cold boot.
+            const timeout = typeof options.timeout === 'number' && options.timeout > 0 ? options.timeout : undefined;
+            const controller = timeout !== undefined ? new AbortController() : undefined;
+            const timeoutId = timeout !== undefined && controller
+                ? setTimeout(() => controller.abort(), timeout)
+                : undefined;
             let response;
             try {
                 response = await fetch(url, {
                     method: 'POST',
                     credentials: 'include',
                     headers: { Accept: 'application/json' },
+                    signal: controller?.signal,
                 });
             }
             catch (error) {
+                // A bounded-timeout abort is the "not signed in / cross-domain stall"
+                // path, NOT an error. The browser raises a DOMException named
+                // 'AbortError' (some runtimes use a generic Error); match on the name so
+                // we never throw the timeout into the cold-boot error handler.
+                if (error instanceof Error && error.name === 'AbortError') {
+                    return { accounts: [] };
+                }
                 throw this.handleError(error);
             }
+            finally {
+                if (timeoutId !== undefined) {
+                    clearTimeout(timeoutId);
+                }
+            }
             if (response.status === 401) {
                 return { accounts: [] };
             }

package/dist/esm/mixins/OxyServices.fedcm.js

@@ -290,6 +290,20 @@ export function OxyServicesFedCMMixin(Base) {
                 // Optional/interactive mediation should only happen when the user clicks "Sign In".
                 let credential = null;
                 const loginHint = this.getStoredLoginHint();
+                // Fast-skip: with no stored login hint this browser has never completed a
+                // FedCM sign-in for any Oxy account, so silent mediation cannot return a
+                // credential — the IdP has nothing to silently re-issue. Doing the full
+                // round-trip anyway (mint a nonce via `POST /fedcm/nonce`, then a
+                // `navigator.credentials.get` that aborts after `FEDCM_SILENT_TIMEOUT`) is
+                // pure latency in the cold-boot critical path. Return `null` immediately so
+                // the next cold-boot step (stored-session / iframe / bounce) runs without
+                // the wasted nonce mint + abort wait. A genuinely associated browser always
+                // has a hint (it is stored only after a real exchange), so this never skips
+                // a recoverable session.
+                if (!loginHint) {
+                    debug.log('Silent SSO: No stored login hint — skipping silent mediation (no association on this browser)');
+                    return null;
+                }
                 try {
                     // Server-minted, origin-bound nonce — required for `/fedcm/exchange`
                     // to accept the resulting ID token (anti-replay binding).
@@ -737,12 +751,17 @@ export function OxyServicesFedCMMixin(Base) {
         _a.DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json',
         _a.FEDCM_TIMEOUT = 15000 // 15 seconds for interactive
     ,
-        // Silent mediation runs on page load (e.g. re-signing-in a user whose stored
-        // session was cleared after a cold-boot token fetch 401'd). The real silent
-        // round-trip — mint nonce → navigator.credentials.get → /fedcm/exchange — was
-        // measured to take more than 3s for live users, so a 3s budget timed out and
-        // left them signed out on reload. 10s gives ample margin while staying bounded.
-        _a.FEDCM_SILENT_TIMEOUT = 10000 // 10 seconds for silent mediation
+        // Silent mediation runs on page load as ONE step of the ordered cold-boot
+        // sequence (mint nonce → navigator.credentials.get → /fedcm/exchange). The
+        // real round-trip was measured at >3s for live users, so the budget must stay
+        // comfortably above 3s. It must ALSO be tight: on a logged-out browser this
+        // step never resolves a credential, and every millisecond it spends timing
+        // out is pure latency in front of the steps that actually hold the answer
+        // (stored-session bearer, the per-apex silent iframe, the /sso bounce). 4s is
+        // the floor that preserves the >3s success margin while bounding the dead
+        // wait — down from the previous 10s, which alone could account for most of a
+        // 20-30s cold-boot stall. Do NOT lower below 4s (it would clip live success).
+        _a.FEDCM_SILENT_TIMEOUT = 4000 // 4 seconds for silent mediation
     ,
         _a;
 }

package/dist/esm/mixins/OxyServices.popup.js

@@ -407,8 +407,24 @@ export function OxyServicesPopupAuthMixin(Base) {
                         cleanup();
                         resolve(session || null);
                     };
+                    // Fail-fast on a load failure. When the per-apex `/auth/silent` host is
+                    // unreachable, blocked by CSP `frame-ancestors`/`X-Frame-Options`, or the
+                    // network drops, the iframe never posts a message — without this handler
+                    // the silent restore would block for the FULL `timeout` (dead latency in
+                    // the cold-boot critical path). `onerror`/`onabort` fire on a failed load,
+                    // so resolve `null` immediately and let the next cold-boot step run. The
+                    // success path posts a message and is handled above; these only catch the
+                    // no-message failure modes.
+                    const failFast = () => {
+                        cleanup();
+                        resolve(null);
+                    };
+                    iframe.onerror = failFast;
+                    iframe.onabort = failFast;
                     const cleanup = () => {
                         clearTimeout(timeoutId);
+                        iframe.onerror = null;
+                        iframe.onabort = null;
                         window.removeEventListener('message', messageHandler);
                     };
                     window.addEventListener('message', messageHandler);

package/dist/esm/utils/ssoReturn.js

@@ -90,10 +90,16 @@ export function parseSsoReturnFragment(hash) {
  *     outcome-independent attempted-flag (the load2 half of the loop proof).
  *   - A throwing exchange is caught, reported via `onExchangeError`, and
  *     treated exactly like "no session" (never loops, never rethrows).
- *   - After a successful exchange landing on {@link SSO_CALLBACK_PATH}, the real
- *     destination is restored from the DEST key — same-origin only (an
- *     attacker-planted cross-origin or relative-evil dest is rejected). The
- *     DEST key is removed unconditionally.
+ *   - On EVERY consumed outcome (ok, none, error, state-mismatch, no-code,
+ *     failed-exchange, no-sessionId) — not just ok — if the page landed on
+ *     {@link SSO_CALLBACK_PATH}, the real pre-bounce destination is restored
+ *     from the DEST key so the user is never stranded on the internal callback
+ *     path. Same-origin only (an attacker-planted cross-origin or relative-evil
+ *     dest is rejected). The DEST key is removed unconditionally.
+ *   - After a same-origin dest restore (which uses `history.replaceState`, that
+ *     does NOT itself emit `popstate`), a synthetic `popstate` is dispatched so
+ *     URL-driven routers (Expo Router / React Navigation web) re-sync to the
+ *     restored route. It is NOT dispatched when the dest is rejected/absent.
  *
  * Total: this function NEVER throws. Off-web it is a no-op returning `null`.
  *
@@ -112,6 +118,21 @@ export async function consumeSsoReturn(oxy, deps = {}) {
     const location = deps.location ?? window.location;
     const history = deps.history ?? window.history;
     const onExchangeError = deps.onExchangeError;
+    // Default: emit a synthetic `popstate` so URL-driven routers re-sync after a
+    // `history.replaceState` (which does NOT emit `popstate` on its own). Feature-
+    // detected end to end so it never throws in any environment.
+    const dispatchPopState = deps.dispatchPopState ??
+        (() => {
+            if (typeof window === 'undefined' || typeof window.dispatchEvent !== 'function') {
+                return;
+            }
+            if (typeof PopStateEvent !== 'undefined') {
+                window.dispatchEvent(new PopStateEvent('popstate'));
+            }
+            else if (typeof Event !== 'undefined') {
+                window.dispatchEvent(new Event('popstate'));
+            }
+        });
     const ret = parseSsoReturnFragment(location.hash);
     if (!ret) {
         // Not an oxy_sso fragment — nothing to do (do NOT touch any flags).
@@ -134,16 +155,42 @@ export async function consumeSsoReturn(oxy, deps = {}) {
         // even if some consumer path skipped setting it pre-bounce.
         storage.setItem(ssoAttemptedKey(origin), '1');
     };
+    // Restore the user's real pre-bounce destination so they are never stranded
+    // on the internal callback path — invoked on EVERY consumed outcome, not just
+    // success. Same-origin only — never honour a cross-origin/protocol-relative
+    // dest that could have been planted to redirect the user. The DEST key is
+    // removed unconditionally. After a successful same-origin restore a synthetic
+    // `popstate` is dispatched so URL-driven routers re-sync.
+    const restoreDest = () => {
+        if (location.pathname === SSO_CALLBACK_PATH) {
+            const dest = storage.getItem(ssoDestKey(origin));
+            if (dest) {
+                try {
+                    const destUrl = new URL(dest, origin);
+                    if (destUrl.origin === origin) {
+                        history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
+                        dispatchPopState();
+                    }
+                }
+                catch {
+                    // Malformed stored destination — leave the URL on the callback path.
+                }
+            }
+        }
+        storage.removeItem(ssoDestKey(origin));
+    };
     if (ret.kind === 'none' || ret.kind === 'error') {
         // The central IdP had no session (or the bounce failed). Record it so we do
         // not bounce again this tab — the definitive loop breaker.
         markNoSession();
+        restoreDest();
         return null;
     }
     if (!stateOk || !ret.code) {
         // Forged / replayed / stale fragment, or a malformed ok with no code. Treat
         // exactly like "no session": never exchange, never loop.
         markNoSession();
+        restoreDest();
         return null;
     }
     let session;
@@ -153,31 +200,14 @@ export async function consumeSsoReturn(oxy, deps = {}) {
     catch (error) {
         onExchangeError?.(error);
         markNoSession();
+        restoreDest();
         return null;
     }
     if (!session?.sessionId) {
         markNoSession();
+        restoreDest();
         return null;
     }
-    // If we landed on the internal callback path, restore the user's real
-    // destination (captured at bounce time). Same-origin only — never honour a
-    // cross-origin destination that could have been planted to redirect the
-    // freshly signed-in user. `new URL(dest, origin)` tolerates relative dests
-    // and is still re-checked against the page origin.
-    if (location.pathname === SSO_CALLBACK_PATH) {
-        const dest = storage.getItem(ssoDestKey(origin));
-        if (dest) {
-            try {
-                const destUrl = new URL(dest, origin);
-                if (destUrl.origin === origin) {
-                    history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
-                }
-            }
-            catch {
-                // Malformed stored destination — leave the URL on the callback path.
-            }
-        }
-    }
-    storage.removeItem(ssoDestKey(origin));
+    restoreDest();
     return session;
 }