npm - @oxyhq/core - Versions diffs - 2.4.0 → 2.4.1 - Mend

@oxyhq/core 2.4.0 → 2.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/cjs/.tsbuildinfo +1 -1
package/dist/cjs/mixins/OxyServices.fedcm.js +52 -2
package/dist/cjs/utils/coldBoot.js +66 -17
package/dist/esm/.tsbuildinfo +1 -1
package/dist/esm/mixins/OxyServices.fedcm.js +52 -2
package/dist/esm/utils/coldBoot.js +66 -17
package/dist/types/.tsbuildinfo +1 -1
package/dist/types/mixins/OxyServices.fedcm.d.ts +1 -0
package/dist/types/utils/coldBoot.d.ts +26 -0
package/package.json +1 -1
package/src/mixins/OxyServices.fedcm.ts +56 -2
package/src/mixins/__tests__/fedcm.test.ts +52 -0
package/src/utils/__tests__/coldBoot.test.ts +150 -0
package/src/utils/coldBoot.ts +96 -17

package/dist/esm/mixins/OxyServices.fedcm.js CHANGED Viewed

@@ -441,6 +441,34 @@ export function OxyServicesFedCMMixin(Base) {
                     debug.log('Request timed out after', timeoutMs, 'ms (mediation:', requestedMediation + ')');
                     controller.abort();
                 }, timeoutMs);
+                // Hard settle guarantee for the timeout path.
+                //
+                // The `setTimeout` above aborts the request's `AbortController`, which is
+                // the COOPERATIVE cancel signal. For a regular `fetch` an abort deterministically
+                // rejects the awaited promise — but `navigator.credentials.get()` is a
+                // browser-internal FedCM primitive whose abort behaviour is NOT guaranteed
+                // to settle the awaited promise in every Chrome version / internal state
+                // (the credential request can sit "pending" while the browser-side flow is
+                // stuck, ignoring the signal). If that happens, `await credentials.get(...)`
+                // never resolves OR rejects, this IIFE hangs forever, and — because this is
+                // ONE step of the ordered cold-boot sequence — the whole cold boot hangs and
+                // the terminal `/sso` bounce never fires. That was the production hang.
+                //
+                // `settlePromise` races the credential lookup against a timer that ALWAYS
+                // resolves to `null` shortly after the abort deadline. The abort still fires
+                // first (so the browser is asked to cancel), but even if `credentials.get`
+                // never settles, the race resolves and the step falls through cleanly to the
+                // next cold-boot step. The small `FEDCM_ABORT_SETTLE_GRACE_MS` margin gives a
+                // well-behaved browser the chance to surface its own AbortError (preserving
+                // the existing error path) before we force a clean `null`.
+                let settleTimer;
+                const settlePromise = new Promise((resolve) => {
+                    const ctor = this.constructor;
+                    settleTimer = setTimeout(() => {
+                        debug.log('Request hard-settled to null', timeoutMs + ctor.FEDCM_ABORT_SETTLE_GRACE_MS, 'ms (credentials.get never settled after abort)');
+                        resolve(null);
+                    }, timeoutMs + ctor.FEDCM_ABORT_SETTLE_GRACE_MS);
+                });
                 // Normalise the caller's mode to the modern W3C value first. A modern
                 // browser accepts it; an older one (Chrome 125–131) rejects it with a
                 // synchronous TypeError, in which case we retry with the legacy value.
@@ -477,7 +505,13 @@ export function OxyServicesFedCMMixin(Base) {
                         debug.log('Calling navigator.credentials.get with mediation:', requestedMediation, modernMode ? `mode: ${modernMode}` : '');
                         let credential;
                         try {
-                            credential = await credentials.get(buildCredentialOptions(modernMode));
+                            // Race the browser FedCM lookup against the hard settle guarantee so
+                            // a `credentials.get` that ignores the abort signal can never hang
+                            // the cold boot (see `settlePromise`).
+                            credential = await Promise.race([
+                                credentials.get(buildCredentialOptions(modernMode)),
+                                settlePromise,
+                            ]);
                         }
                         catch (modeError) {
                             // Chrome 125–131 only knows the legacy 'button'/'widget' enum and
@@ -486,7 +520,10 @@ export function OxyServicesFedCMMixin(Base) {
                             if (modernMode && isUnknownModeEnumError(modeError)) {
                                 const legacyMode = MODERN_TO_LEGACY_MODE[modernMode];
                                 debug.log(`Browser rejected modern mode '${modernMode}'; retrying with legacy mode '${legacyMode}'`);
-                                credential = await credentials.get(buildCredentialOptions(legacyMode));
+                                credential = await Promise.race([
+                                    credentials.get(buildCredentialOptions(legacyMode)),
+                                    settlePromise,
+                                ]);
                             }
                             else {
                                 throw modeError;
@@ -513,6 +550,9 @@ export function OxyServicesFedCMMixin(Base) {
                     }
                     finally {
                         clearTimeout(timeout);
+                        if (settleTimer !== undefined) {
+                            clearTimeout(settleTimer);
+                        }
                         // Only reset the shared lock if it still belongs to THIS request. When an
                         // interactive request aborts a slow silent one, the silent settles (and
                         // runs this `finally`) AFTER the interactive has already taken over the
@@ -763,6 +803,16 @@ export function OxyServicesFedCMMixin(Base) {
         // 20-30s cold-boot stall. Do NOT lower below 4s (it would clip live success).
         _a.FEDCM_SILENT_TIMEOUT = 4000 // 4 seconds for silent mediation
     ,
+        // Grace margin between the cooperative abort deadline (`FEDCM_SILENT_TIMEOUT`
+        // / `FEDCM_TIMEOUT`) and the HARD settle of `requestIdentityCredential`. The
+        // abort fires first; a well-behaved browser surfaces its own `AbortError`
+        // within this window (keeping the existing error path intact). If — as seen
+        // in production — `navigator.credentials.get()` ignores the abort and the
+        // awaited promise never settles, the hard settle resolves the request to
+        // `null` this many ms later, guaranteeing the cold-boot step always settles.
+        // 500ms is ample for a browser to deliver an abort rejection while keeping the
+        // worst-case dead wait tight (silent: 4.5s, interactive: 15.5s).
+        _a.FEDCM_ABORT_SETTLE_GRACE_MS = 500,
         _a;
 }
 // Export the mixin function as both named and default

package/dist/esm/utils/coldBoot.js CHANGED Viewed

@@ -22,6 +22,15 @@
  * `onStepError` and treated as a non-fatal skip, so one broken recovery path
  * can never prevent a later, healthy one from succeeding.
  */
+/**
+ * The unique sentinel a step's `run()` resolves to (via the internal race)
+ * when the overall cold-boot deadline expires before that step settled. It is
+ * NOT a {@link ColdBootStepResult} — the runner detects it by identity and
+ * treats it as "this step did not settle in time; move on".
+ *
+ * @internal
+ */
+const DEADLINE_EXPIRED = Symbol('coldBoot.deadlineExpired');
 /**
  * Run the ordered cold-boot steps and resolve to the first recovered session,
  * or `unauthenticated` if none recovers one.
@@ -38,31 +47,71 @@
  *   4. After the loop with no winner → `{ kind: 'unauthenticated' }`.
  */
 export async function runColdBoot(options) {
-    const { steps, onStepError } = options;
-    for (const step of steps) {
-        if (step.enabled) {
-            let isEnabled;
+    const { steps, onStepError, overallDeadlineMs, onStepDeadline } = options;
+    // Arm the optional overall deadline. The budget is SHARED across the whole
+    // loop (not reset per step): a single timer resolves a reusable
+    // `DEADLINE_EXPIRED` sentinel that every per-step race can observe. Once it
+    // fires, later steps race against an already-resolved promise and so never
+    // block, yet the loop keeps iterating so the terminal step still fires.
+    const deadlineMs = typeof overallDeadlineMs === 'number' &&
+        Number.isFinite(overallDeadlineMs) &&
+        overallDeadlineMs > 0
+        ? overallDeadlineMs
+        : null;
+    let deadlineTimer;
+    let deadlinePromise;
+    if (deadlineMs !== null) {
+        deadlinePromise = new Promise((resolve) => {
+            deadlineTimer = setTimeout(() => resolve(DEADLINE_EXPIRED), deadlineMs);
+        });
+    }
+    try {
+        for (const step of steps) {
+            if (step.enabled) {
+                let isEnabled;
+                try {
+                    isEnabled = step.enabled();
+                }
+                catch (error) {
+                    onStepError?.(step.id, error);
+                    continue;
+                }
+                if (!isEnabled)
+                    continue;
+            }
+            let result;
             try {
-                isEnabled = step.enabled();
+                // Without a deadline: legacy behaviour — await the step directly.
+                // With a deadline: race the step against the shared deadline. The
+                // step's `run()` still STARTS synchronously up to its first `await`
+                // (so a terminal step's synchronous navigation side effect always
+                // executes), but a non-settling step can no longer block the loop —
+                // the race resolves with the sentinel and we move on.
+                result = deadlinePromise
+                    ? await Promise.race([step.run(), deadlinePromise])
+                    : await step.run();
             }
             catch (error) {
                 onStepError?.(step.id, error);
                 continue;
             }
-            if (!isEnabled)
+            if (result === DEADLINE_EXPIRED) {
+                // The deadline tripped before this step settled. Abandon the await and
+                // continue: subsequent steps race against the already-resolved deadline
+                // (so they cannot block), which lets a terminal side-effect step still
+                // run while guaranteeing the loop terminates promptly.
+                onStepDeadline?.(step.id);
                 continue;
+            }
+            if (result.kind === 'session') {
+                return { kind: 'session', via: step.id, session: result.session };
+            }
         }
-        let result;
-        try {
-            result = await step.run();
-        }
-        catch (error) {
-            onStepError?.(step.id, error);
-            continue;
-        }
-        if (result.kind === 'session') {
-            return { kind: 'session', via: step.id, session: result.session };
+        return { kind: 'unauthenticated' };
+    }
+    finally {
+        if (deadlineTimer !== undefined) {
+            clearTimeout(deadlineTimer);
         }
     }
-    return { kind: 'unauthenticated' };
 }