@oxyhq/core 2.3.2 → 2.4.1

package/dist/esm/AuthManager.js

@@ -729,9 +729,10 @@ export class AuthManager {
      * Returns the active user on success, or `null` when neither path
      * restored a session.
      */
-    async initialize() {
-        // 1. Cookie path (preferred).
-        const cookieResult = await this.restoreFromCookies();
+    async initialize(options = {}) {
+        // 1. Cookie path (preferred). Forward the optional cold-boot fail-fast
+        // timeout so a cross-domain stall cannot hang provider init.
+        const cookieResult = await this.restoreFromCookies(options);
         if (cookieResult.accounts.length > 0) {
             return this.currentUser;
         }
@@ -948,7 +949,7 @@ export class AuthManager {
      * proceed unauthenticated. State is NOT cleared on failure; existing
      * accounts (if any) remain intact.
      */
-    async restoreFromCookies() {
+    async restoreFromCookies(options = {}) {
         // Cross-tab cascade debounce. If we restored within the last
         // _RESTORE_DEBOUNCE_MS for the currently-active slot, skip the network
         // round-trip and return the cached registry verbatim. A burst of N
@@ -966,7 +967,9 @@ export class AuthManager {
         }
         let snapshot;
         try {
-            snapshot = await this.oxyServices.refreshAllSessions();
+            // Forward the optional cold-boot fail-fast timeout. Undefined (the warm
+            // cross-tab cascade default) preserves the wait-indefinitely behaviour.
+            snapshot = await this.oxyServices.refreshAllSessions({ timeout: options.timeout });
         }
         catch {
             return { accounts: [], activeAuthuser: null };

package/dist/esm/mixins/OxyServices.auth.js

@@ -449,19 +449,42 @@ export function OxyServicesAuthMixin(Base) {
          * tokens do. Each access token still needs to be planted via
          * `setTokens(...)` (or per-account in-memory storage) at the consumer.
          */
-        async refreshAllSessions() {
+        async refreshAllSessions(options = {}) {
             const url = `${this.getSessionBaseUrl().replace(/\/$/, '')}/auth/refresh-all`;
+            // Optional bounded abort (see `RefreshAllOptions.timeout`). A positive
+            // timeout arms an `AbortController` that aborts the in-flight request; an
+            // abort is treated as "no signed-in accounts on this device" — the same
+            // outcome as a 401 — so a cross-domain stall falls through cleanly instead
+            // of hanging the cold boot.
+            const timeout = typeof options.timeout === 'number' && options.timeout > 0 ? options.timeout : undefined;
+            const controller = timeout !== undefined ? new AbortController() : undefined;
+            const timeoutId = timeout !== undefined && controller
+                ? setTimeout(() => controller.abort(), timeout)
+                : undefined;
             let response;
             try {
                 response = await fetch(url, {
                     method: 'POST',
                     credentials: 'include',
                     headers: { Accept: 'application/json' },
+                    signal: controller?.signal,
                 });
             }
             catch (error) {
+                // A bounded-timeout abort is the "not signed in / cross-domain stall"
+                // path, NOT an error. The browser raises a DOMException named
+                // 'AbortError' (some runtimes use a generic Error); match on the name so
+                // we never throw the timeout into the cold-boot error handler.
+                if (error instanceof Error && error.name === 'AbortError') {
+                    return { accounts: [] };
+                }
                 throw this.handleError(error);
             }
+            finally {
+                if (timeoutId !== undefined) {
+                    clearTimeout(timeoutId);
+                }
+            }
             if (response.status === 401) {
                 return { accounts: [] };
             }

package/dist/esm/mixins/OxyServices.fedcm.js

@@ -290,6 +290,20 @@ export function OxyServicesFedCMMixin(Base) {
                 // Optional/interactive mediation should only happen when the user clicks "Sign In".
                 let credential = null;
                 const loginHint = this.getStoredLoginHint();
+                // Fast-skip: with no stored login hint this browser has never completed a
+                // FedCM sign-in for any Oxy account, so silent mediation cannot return a
+                // credential — the IdP has nothing to silently re-issue. Doing the full
+                // round-trip anyway (mint a nonce via `POST /fedcm/nonce`, then a
+                // `navigator.credentials.get` that aborts after `FEDCM_SILENT_TIMEOUT`) is
+                // pure latency in the cold-boot critical path. Return `null` immediately so
+                // the next cold-boot step (stored-session / iframe / bounce) runs without
+                // the wasted nonce mint + abort wait. A genuinely associated browser always
+                // has a hint (it is stored only after a real exchange), so this never skips
+                // a recoverable session.
+                if (!loginHint) {
+                    debug.log('Silent SSO: No stored login hint — skipping silent mediation (no association on this browser)');
+                    return null;
+                }
                 try {
                     // Server-minted, origin-bound nonce — required for `/fedcm/exchange`
                     // to accept the resulting ID token (anti-replay binding).
@@ -427,6 +441,34 @@ export function OxyServicesFedCMMixin(Base) {
                     debug.log('Request timed out after', timeoutMs, 'ms (mediation:', requestedMediation + ')');
                     controller.abort();
                 }, timeoutMs);
+                // Hard settle guarantee for the timeout path.
+                //
+                // The `setTimeout` above aborts the request's `AbortController`, which is
+                // the COOPERATIVE cancel signal. For a regular `fetch` an abort deterministically
+                // rejects the awaited promise — but `navigator.credentials.get()` is a
+                // browser-internal FedCM primitive whose abort behaviour is NOT guaranteed
+                // to settle the awaited promise in every Chrome version / internal state
+                // (the credential request can sit "pending" while the browser-side flow is
+                // stuck, ignoring the signal). If that happens, `await credentials.get(...)`
+                // never resolves OR rejects, this IIFE hangs forever, and — because this is
+                // ONE step of the ordered cold-boot sequence — the whole cold boot hangs and
+                // the terminal `/sso` bounce never fires. That was the production hang.
+                //
+                // `settlePromise` races the credential lookup against a timer that ALWAYS
+                // resolves to `null` shortly after the abort deadline. The abort still fires
+                // first (so the browser is asked to cancel), but even if `credentials.get`
+                // never settles, the race resolves and the step falls through cleanly to the
+                // next cold-boot step. The small `FEDCM_ABORT_SETTLE_GRACE_MS` margin gives a
+                // well-behaved browser the chance to surface its own AbortError (preserving
+                // the existing error path) before we force a clean `null`.
+                let settleTimer;
+                const settlePromise = new Promise((resolve) => {
+                    const ctor = this.constructor;
+                    settleTimer = setTimeout(() => {
+                        debug.log('Request hard-settled to null', timeoutMs + ctor.FEDCM_ABORT_SETTLE_GRACE_MS, 'ms (credentials.get never settled after abort)');
+                        resolve(null);
+                    }, timeoutMs + ctor.FEDCM_ABORT_SETTLE_GRACE_MS);
+                });
                 // Normalise the caller's mode to the modern W3C value first. A modern
                 // browser accepts it; an older one (Chrome 125–131) rejects it with a
                 // synchronous TypeError, in which case we retry with the legacy value.
@@ -463,7 +505,13 @@ export function OxyServicesFedCMMixin(Base) {
                         debug.log('Calling navigator.credentials.get with mediation:', requestedMediation, modernMode ? `mode: ${modernMode}` : '');
                         let credential;
                         try {
-                            credential = await credentials.get(buildCredentialOptions(modernMode));
+                            // Race the browser FedCM lookup against the hard settle guarantee so
+                            // a `credentials.get` that ignores the abort signal can never hang
+                            // the cold boot (see `settlePromise`).
+                            credential = await Promise.race([
+                                credentials.get(buildCredentialOptions(modernMode)),
+                                settlePromise,
+                            ]);
                         }
                         catch (modeError) {
                             // Chrome 125–131 only knows the legacy 'button'/'widget' enum and
@@ -472,7 +520,10 @@ export function OxyServicesFedCMMixin(Base) {
                             if (modernMode && isUnknownModeEnumError(modeError)) {
                                 const legacyMode = MODERN_TO_LEGACY_MODE[modernMode];
                                 debug.log(`Browser rejected modern mode '${modernMode}'; retrying with legacy mode '${legacyMode}'`);
-                                credential = await credentials.get(buildCredentialOptions(legacyMode));
+                                credential = await Promise.race([
+                                    credentials.get(buildCredentialOptions(legacyMode)),
+                                    settlePromise,
+                                ]);
                             }
                             else {
                                 throw modeError;
@@ -499,6 +550,9 @@ export function OxyServicesFedCMMixin(Base) {
                     }
                     finally {
                         clearTimeout(timeout);
+                        if (settleTimer !== undefined) {
+                            clearTimeout(settleTimer);
+                        }
                         // Only reset the shared lock if it still belongs to THIS request. When an
                         // interactive request aborts a slow silent one, the silent settles (and
                         // runs this `finally`) AFTER the interactive has already taken over the
@@ -737,13 +791,28 @@ export function OxyServicesFedCMMixin(Base) {
         _a.DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json',
         _a.FEDCM_TIMEOUT = 15000 // 15 seconds for interactive
     ,
-        // Silent mediation runs on page load (e.g. re-signing-in a user whose stored
-        // session was cleared after a cold-boot token fetch 401'd). The real silent
-        // round-trip — mint nonce → navigator.credentials.get → /fedcm/exchange — was
-        // measured to take more than 3s for live users, so a 3s budget timed out and
-        // left them signed out on reload. 10s gives ample margin while staying bounded.
-        _a.FEDCM_SILENT_TIMEOUT = 10000 // 10 seconds for silent mediation
+        // Silent mediation runs on page load as ONE step of the ordered cold-boot
+        // sequence (mint nonce → navigator.credentials.get → /fedcm/exchange). The
+        // real round-trip was measured at >3s for live users, so the budget must stay
+        // comfortably above 3s. It must ALSO be tight: on a logged-out browser this
+        // step never resolves a credential, and every millisecond it spends timing
+        // out is pure latency in front of the steps that actually hold the answer
+        // (stored-session bearer, the per-apex silent iframe, the /sso bounce). 4s is
+        // the floor that preserves the >3s success margin while bounding the dead
+        // wait — down from the previous 10s, which alone could account for most of a
+        // 20-30s cold-boot stall. Do NOT lower below 4s (it would clip live success).
+        _a.FEDCM_SILENT_TIMEOUT = 4000 // 4 seconds for silent mediation
     ,
+        // Grace margin between the cooperative abort deadline (`FEDCM_SILENT_TIMEOUT`
+        // / `FEDCM_TIMEOUT`) and the HARD settle of `requestIdentityCredential`. The
+        // abort fires first; a well-behaved browser surfaces its own `AbortError`
+        // within this window (keeping the existing error path intact). If — as seen
+        // in production — `navigator.credentials.get()` ignores the abort and the
+        // awaited promise never settles, the hard settle resolves the request to
+        // `null` this many ms later, guaranteeing the cold-boot step always settles.
+        // 500ms is ample for a browser to deliver an abort rejection while keeping the
+        // worst-case dead wait tight (silent: 4.5s, interactive: 15.5s).
+        _a.FEDCM_ABORT_SETTLE_GRACE_MS = 500,
         _a;
 }
 // Export the mixin function as both named and default

package/dist/esm/mixins/OxyServices.popup.js

@@ -407,8 +407,24 @@ export function OxyServicesPopupAuthMixin(Base) {
                         cleanup();
                         resolve(session || null);
                     };
+                    // Fail-fast on a load failure. When the per-apex `/auth/silent` host is
+                    // unreachable, blocked by CSP `frame-ancestors`/`X-Frame-Options`, or the
+                    // network drops, the iframe never posts a message — without this handler
+                    // the silent restore would block for the FULL `timeout` (dead latency in
+                    // the cold-boot critical path). `onerror`/`onabort` fire on a failed load,
+                    // so resolve `null` immediately and let the next cold-boot step run. The
+                    // success path posts a message and is handled above; these only catch the
+                    // no-message failure modes.
+                    const failFast = () => {
+                        cleanup();
+                        resolve(null);
+                    };
+                    iframe.onerror = failFast;
+                    iframe.onabort = failFast;
                     const cleanup = () => {
                         clearTimeout(timeoutId);
+                        iframe.onerror = null;
+                        iframe.onabort = null;
                         window.removeEventListener('message', messageHandler);
                     };
                     window.addEventListener('message', messageHandler);

package/dist/esm/utils/coldBoot.js

@@ -22,6 +22,15 @@
  * `onStepError` and treated as a non-fatal skip, so one broken recovery path
  * can never prevent a later, healthy one from succeeding.
  */
+/**
+ * The unique sentinel a step's `run()` resolves to (via the internal race)
+ * when the overall cold-boot deadline expires before that step settled. It is
+ * NOT a {@link ColdBootStepResult} — the runner detects it by identity and
+ * treats it as "this step did not settle in time; move on".
+ *
+ * @internal
+ */
+const DEADLINE_EXPIRED = Symbol('coldBoot.deadlineExpired');
 /**
  * Run the ordered cold-boot steps and resolve to the first recovered session,
  * or `unauthenticated` if none recovers one.
@@ -38,31 +47,71 @@
  *   4. After the loop with no winner → `{ kind: 'unauthenticated' }`.
  */
 export async function runColdBoot(options) {
-    const { steps, onStepError } = options;
-    for (const step of steps) {
-        if (step.enabled) {
-            let isEnabled;
+    const { steps, onStepError, overallDeadlineMs, onStepDeadline } = options;
+    // Arm the optional overall deadline. The budget is SHARED across the whole
+    // loop (not reset per step): a single timer resolves a reusable
+    // `DEADLINE_EXPIRED` sentinel that every per-step race can observe. Once it
+    // fires, later steps race against an already-resolved promise and so never
+    // block, yet the loop keeps iterating so the terminal step still fires.
+    const deadlineMs = typeof overallDeadlineMs === 'number' &&
+        Number.isFinite(overallDeadlineMs) &&
+        overallDeadlineMs > 0
+        ? overallDeadlineMs
+        : null;
+    let deadlineTimer;
+    let deadlinePromise;
+    if (deadlineMs !== null) {
+        deadlinePromise = new Promise((resolve) => {
+            deadlineTimer = setTimeout(() => resolve(DEADLINE_EXPIRED), deadlineMs);
+        });
+    }
+    try {
+        for (const step of steps) {
+            if (step.enabled) {
+                let isEnabled;
+                try {
+                    isEnabled = step.enabled();
+                }
+                catch (error) {
+                    onStepError?.(step.id, error);
+                    continue;
+                }
+                if (!isEnabled)
+                    continue;
+            }
+            let result;
             try {
-                isEnabled = step.enabled();
+                // Without a deadline: legacy behaviour — await the step directly.
+                // With a deadline: race the step against the shared deadline. The
+                // step's `run()` still STARTS synchronously up to its first `await`
+                // (so a terminal step's synchronous navigation side effect always
+                // executes), but a non-settling step can no longer block the loop —
+                // the race resolves with the sentinel and we move on.
+                result = deadlinePromise
+                    ? await Promise.race([step.run(), deadlinePromise])
+                    : await step.run();
             }
             catch (error) {
                 onStepError?.(step.id, error);
                 continue;
             }
-            if (!isEnabled)
+            if (result === DEADLINE_EXPIRED) {
+                // The deadline tripped before this step settled. Abandon the await and
+                // continue: subsequent steps race against the already-resolved deadline
+                // (so they cannot block), which lets a terminal side-effect step still
+                // run while guaranteeing the loop terminates promptly.
+                onStepDeadline?.(step.id);
                 continue;
+            }
+            if (result.kind === 'session') {
+                return { kind: 'session', via: step.id, session: result.session };
+            }
         }
-        let result;
-        try {
-            result = await step.run();
-        }
-        catch (error) {
-            onStepError?.(step.id, error);
-            continue;
-        }
-        if (result.kind === 'session') {
-            return { kind: 'session', via: step.id, session: result.session };
+        return { kind: 'unauthenticated' };
+    }
+    finally {
+        if (deadlineTimer !== undefined) {
+            clearTimeout(deadlineTimer);
         }
     }
-    return { kind: 'unauthenticated' };
 }