@oxyhq/core 2.4.0 → 3.0.0

package/dist/esm/OxyServices.js

@@ -20,7 +20,7 @@ import { composeOxyServices } from './mixins/index.js';
  * - **Payment**: Payment processing
  * - **Karma**: Karma system
  * - **Assets**: File upload and asset management
- * - **Developer**: Developer API management
+ * - **Applications**: Application, membership, and credential management
  * - **Location**: Location-based features
  * - **Analytics**: Analytics tracking
  * - **Devices**: Device management

package/dist/esm/mixins/OxyServices.applications.js

@@ -0,0 +1,209 @@
+import { CACHE_TIMES } from './mixinHelpers.js';
+export function OxyServicesApplicationsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * List applications the current user is an active member of.
+         */
+        async getApplications() {
+            try {
+                const res = await this.makeRequest('GET', '/applications', undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.applications ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Create a new application. The caller becomes its `owner`.
+         * @param data - Application configuration. Staff-only fields are ignored.
+         */
+        async createApplication(data) {
+            try {
+                const res = await this.makeRequest('POST', '/applications', data, { cache: false });
+                return res.application;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Fetch a single application by id.
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async getApplication(applicationId) {
+            try {
+                const res = await this.makeRequest('GET', `/applications/${applicationId}`, undefined, { cache: true, cacheTTL: CACHE_TIMES.LONG });
+                return res.application;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update an application's mutable fields.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Subset of updatable fields. Staff-only fields are ignored.
+         */
+        async updateApplication(applicationId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/applications/${applicationId}`, data, { cache: false });
+                return res.application;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Soft-delete an application (owner only).
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async deleteApplication(applicationId) {
+            try {
+                return await this.makeRequest('DELETE', `/applications/${applicationId}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List members of an application.
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async getApplicationMembers(applicationId) {
+            try {
+                const res = await this.makeRequest('GET', `/applications/${applicationId}/members`, undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.members ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a member to an application.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Target user id and role (never `owner`).
+         */
+        async inviteApplicationMember(applicationId, data) {
+            try {
+                const res = await this.makeRequest('POST', `/applications/${applicationId}/members`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Change a member's role.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         * @param data - New role.
+         */
+        async updateApplicationMember(applicationId, memberId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/applications/${applicationId}/members/${memberId}`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a member from an application.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         */
+        async removeApplicationMember(applicationId, memberId) {
+            try {
+                return await this.makeRequest('DELETE', `/applications/${applicationId}/members/${memberId}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Transfer ownership of an application to another member (owner only).
+         * Demotes the current owner to `admin` and promotes the target to `owner`.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Target user id.
+         */
+        async transferApplicationOwnership(applicationId, data) {
+            try {
+                return await this.makeRequest('POST', `/applications/${applicationId}/transfer-ownership`, data, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List an application's credentials. The response NEVER includes secrets.
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async getApplicationCredentials(applicationId) {
+            try {
+                const res = await this.makeRequest('GET', `/applications/${applicationId}/credentials`, undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.credentials ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Create a credential. The plaintext `secret` is returned exactly ONCE;
+         * the server stores only a hash and will never return it again.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Credential configuration.
+         */
+        async createApplicationCredential(applicationId, data) {
+            try {
+                return await this.makeRequest('POST', `/applications/${applicationId}/credentials`, data, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Rotate a credential's secret. The new plaintext `secret` is returned
+         * exactly ONCE.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param credentialId - The credential's Mongo `_id`.
+         */
+        async rotateApplicationCredential(applicationId, credentialId) {
+            try {
+                return await this.makeRequest('POST', `/applications/${applicationId}/credentials/${credentialId}/rotate`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Revoke a credential (`status='revoked'`). Revoked credentials can no
+         * longer authenticate.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param credentialId - The credential's Mongo `_id`.
+         */
+        async revokeApplicationCredential(applicationId, credentialId) {
+            try {
+                return await this.makeRequest('DELETE', `/applications/${applicationId}/credentials/${credentialId}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Fetch usage statistics for an application.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param period - Time window (defaults to the server default).
+         */
+        async getApplicationUsage(applicationId, period) {
+            try {
+                return await this.makeRequest('GET', `/applications/${applicationId}/usage`, period ? { period } : undefined, { cache: true, cacheTTL: CACHE_TIMES.SHORT });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/OxyServices.auth.js

@@ -60,8 +60,8 @@ export function OxyServicesAuthMixin(Base) {
          * legitimate multi-tenant hosts that need to switch credentials cannot leak
          * one tenant's token to another tenant on the same instance.
          *
-         * @param apiKey - DeveloperApp API key (oxy_dk_*)
-         * @param apiSecret - DeveloperApp API secret
+         * @param apiKey - Application credential public key (oxy_dk_*)
+         * @param apiSecret - Application credential secret
          */
         configureServiceAuth(apiKey, apiSecret) {
             this._serviceApiKey = apiKey;
@@ -83,8 +83,8 @@ export function OxyServicesAuthMixin(Base) {
          * This prevents an attacker who learned a peer's apiKey from extracting
          * their service token by polling with a wrong secret.
          *
-         * @param apiKey - DeveloperApp API key (optional if configureServiceAuth was called)
-         * @param apiSecret - DeveloperApp API secret (optional if configureServiceAuth was called)
+         * @param apiKey - Application credential public key (optional if configureServiceAuth was called)
+         * @param apiSecret - Application credential secret (optional if configureServiceAuth was called)
          */
         async getServiceToken(apiKey, apiSecret) {
             const key = apiKey || this._serviceApiKey;

package/dist/esm/mixins/OxyServices.fedcm.js

@@ -441,6 +441,34 @@ export function OxyServicesFedCMMixin(Base) {
                     debug.log('Request timed out after', timeoutMs, 'ms (mediation:', requestedMediation + ')');
                     controller.abort();
                 }, timeoutMs);
+                // Hard settle guarantee for the timeout path.
+                //
+                // The `setTimeout` above aborts the request's `AbortController`, which is
+                // the COOPERATIVE cancel signal. For a regular `fetch` an abort deterministically
+                // rejects the awaited promise — but `navigator.credentials.get()` is a
+                // browser-internal FedCM primitive whose abort behaviour is NOT guaranteed
+                // to settle the awaited promise in every Chrome version / internal state
+                // (the credential request can sit "pending" while the browser-side flow is
+                // stuck, ignoring the signal). If that happens, `await credentials.get(...)`
+                // never resolves OR rejects, this IIFE hangs forever, and — because this is
+                // ONE step of the ordered cold-boot sequence — the whole cold boot hangs and
+                // the terminal `/sso` bounce never fires. That was the production hang.
+                //
+                // `settlePromise` races the credential lookup against a timer that ALWAYS
+                // resolves to `null` shortly after the abort deadline. The abort still fires
+                // first (so the browser is asked to cancel), but even if `credentials.get`
+                // never settles, the race resolves and the step falls through cleanly to the
+                // next cold-boot step. The small `FEDCM_ABORT_SETTLE_GRACE_MS` margin gives a
+                // well-behaved browser the chance to surface its own AbortError (preserving
+                // the existing error path) before we force a clean `null`.
+                let settleTimer;
+                const settlePromise = new Promise((resolve) => {
+                    const ctor = this.constructor;
+                    settleTimer = setTimeout(() => {
+                        debug.log('Request hard-settled to null', timeoutMs + ctor.FEDCM_ABORT_SETTLE_GRACE_MS, 'ms (credentials.get never settled after abort)');
+                        resolve(null);
+                    }, timeoutMs + ctor.FEDCM_ABORT_SETTLE_GRACE_MS);
+                });
                 // Normalise the caller's mode to the modern W3C value first. A modern
                 // browser accepts it; an older one (Chrome 125–131) rejects it with a
                 // synchronous TypeError, in which case we retry with the legacy value.
@@ -477,7 +505,13 @@ export function OxyServicesFedCMMixin(Base) {
                         debug.log('Calling navigator.credentials.get with mediation:', requestedMediation, modernMode ? `mode: ${modernMode}` : '');
                         let credential;
                         try {
-                            credential = await credentials.get(buildCredentialOptions(modernMode));
+                            // Race the browser FedCM lookup against the hard settle guarantee so
+                            // a `credentials.get` that ignores the abort signal can never hang
+                            // the cold boot (see `settlePromise`).
+                            credential = await Promise.race([
+                                credentials.get(buildCredentialOptions(modernMode)),
+                                settlePromise,
+                            ]);
                         }
                         catch (modeError) {
                             // Chrome 125–131 only knows the legacy 'button'/'widget' enum and
@@ -486,7 +520,10 @@ export function OxyServicesFedCMMixin(Base) {
                             if (modernMode && isUnknownModeEnumError(modeError)) {
                                 const legacyMode = MODERN_TO_LEGACY_MODE[modernMode];
                                 debug.log(`Browser rejected modern mode '${modernMode}'; retrying with legacy mode '${legacyMode}'`);
-                                credential = await credentials.get(buildCredentialOptions(legacyMode));
+                                credential = await Promise.race([
+                                    credentials.get(buildCredentialOptions(legacyMode)),
+                                    settlePromise,
+                                ]);
                             }
                             else {
                                 throw modeError;
@@ -513,6 +550,9 @@ export function OxyServicesFedCMMixin(Base) {
                     }
                     finally {
                         clearTimeout(timeout);
+                        if (settleTimer !== undefined) {
+                            clearTimeout(settleTimer);
+                        }
                         // Only reset the shared lock if it still belongs to THIS request. When an
                         // interactive request aborts a slow silent one, the silent settles (and
                         // runs this `finally`) AFTER the interactive has already taken over the
@@ -763,6 +803,16 @@ export function OxyServicesFedCMMixin(Base) {
         // 20-30s cold-boot stall. Do NOT lower below 4s (it would clip live success).
         _a.FEDCM_SILENT_TIMEOUT = 4000 // 4 seconds for silent mediation
     ,
+        // Grace margin between the cooperative abort deadline (`FEDCM_SILENT_TIMEOUT`
+        // / `FEDCM_TIMEOUT`) and the HARD settle of `requestIdentityCredential`. The
+        // abort fires first; a well-behaved browser surfaces its own `AbortError`
+        // within this window (keeping the existing error path intact). If — as seen
+        // in production — `navigator.credentials.get()` ignores the abort and the
+        // awaited promise never settles, the hard settle resolves the request to
+        // `null` this many ms later, guaranteeing the cold-boot step always settles.
+        // 500ms is ample for a browser to deliver an abort rejection while keeping the
+        // worst-case dead wait tight (silent: 4.5s, interactive: 15.5s).
+        _a.FEDCM_ABORT_SETTLE_GRACE_MS = 500,
         _a;
 }
 // Export the mixin function as both named and default

package/dist/esm/mixins/index.js

@@ -16,7 +16,7 @@ import { OxyServicesLanguageMixin } from './OxyServices.language.js';
 import { OxyServicesPaymentMixin } from './OxyServices.payment.js';
 import { OxyServicesKarmaMixin } from './OxyServices.karma.js';
 import { OxyServicesAssetsMixin } from './OxyServices.assets.js';
-import { OxyServicesDeveloperMixin } from './OxyServices.developer.js';
+import { OxyServicesApplicationsMixin } from './OxyServices.applications.js';
 import { OxyServicesLocationMixin } from './OxyServices.location.js';
 import { OxyServicesAnalyticsMixin } from './OxyServices.analytics.js';
 import { OxyServicesDevicesMixin } from './OxyServices.devices.js';
@@ -60,7 +60,7 @@ const MIXIN_PIPELINE = [
     OxyServicesPaymentMixin,
     OxyServicesKarmaMixin,
     OxyServicesAssetsMixin,
-    OxyServicesDeveloperMixin,
+    OxyServicesApplicationsMixin,
     OxyServicesLocationMixin,
     OxyServicesAnalyticsMixin,
     OxyServicesDevicesMixin,

package/dist/esm/utils/coldBoot.js

@@ -22,6 +22,15 @@
  * `onStepError` and treated as a non-fatal skip, so one broken recovery path
  * can never prevent a later, healthy one from succeeding.
  */
+/**
+ * The unique sentinel a step's `run()` resolves to (via the internal race)
+ * when the overall cold-boot deadline expires before that step settled. It is
+ * NOT a {@link ColdBootStepResult} — the runner detects it by identity and
+ * treats it as "this step did not settle in time; move on".
+ *
+ * @internal
+ */
+const DEADLINE_EXPIRED = Symbol('coldBoot.deadlineExpired');
 /**
  * Run the ordered cold-boot steps and resolve to the first recovered session,
  * or `unauthenticated` if none recovers one.
@@ -38,31 +47,71 @@
  *   4. After the loop with no winner → `{ kind: 'unauthenticated' }`.
  */
 export async function runColdBoot(options) {
-    const { steps, onStepError } = options;
-    for (const step of steps) {
-        if (step.enabled) {
-            let isEnabled;
+    const { steps, onStepError, overallDeadlineMs, onStepDeadline } = options;
+    // Arm the optional overall deadline. The budget is SHARED across the whole
+    // loop (not reset per step): a single timer resolves a reusable
+    // `DEADLINE_EXPIRED` sentinel that every per-step race can observe. Once it
+    // fires, later steps race against an already-resolved promise and so never
+    // block, yet the loop keeps iterating so the terminal step still fires.
+    const deadlineMs = typeof overallDeadlineMs === 'number' &&
+        Number.isFinite(overallDeadlineMs) &&
+        overallDeadlineMs > 0
+        ? overallDeadlineMs
+        : null;
+    let deadlineTimer;
+    let deadlinePromise;
+    if (deadlineMs !== null) {
+        deadlinePromise = new Promise((resolve) => {
+            deadlineTimer = setTimeout(() => resolve(DEADLINE_EXPIRED), deadlineMs);
+        });
+    }
+    try {
+        for (const step of steps) {
+            if (step.enabled) {
+                let isEnabled;
+                try {
+                    isEnabled = step.enabled();
+                }
+                catch (error) {
+                    onStepError?.(step.id, error);
+                    continue;
+                }
+                if (!isEnabled)
+                    continue;
+            }
+            let result;
             try {
-                isEnabled = step.enabled();
+                // Without a deadline: legacy behaviour — await the step directly.
+                // With a deadline: race the step against the shared deadline. The
+                // step's `run()` still STARTS synchronously up to its first `await`
+                // (so a terminal step's synchronous navigation side effect always
+                // executes), but a non-settling step can no longer block the loop —
+                // the race resolves with the sentinel and we move on.
+                result = deadlinePromise
+                    ? await Promise.race([step.run(), deadlinePromise])
+                    : await step.run();
             }
             catch (error) {
                 onStepError?.(step.id, error);
                 continue;
             }
-            if (!isEnabled)
+            if (result === DEADLINE_EXPIRED) {
+                // The deadline tripped before this step settled. Abandon the await and
+                // continue: subsequent steps race against the already-resolved deadline
+                // (so they cannot block), which lets a terminal side-effect step still
+                // run while guaranteeing the loop terminates promptly.
+                onStepDeadline?.(step.id);
                 continue;
+            }
+            if (result.kind === 'session') {
+                return { kind: 'session', via: step.id, session: result.session };
+            }
         }
-        let result;
-        try {
-            result = await step.run();
-        }
-        catch (error) {
-            onStepError?.(step.id, error);
-            continue;
-        }
-        if (result.kind === 'session') {
-            return { kind: 'session', via: step.id, session: result.session };
+        return { kind: 'unauthenticated' };
+    }
+    finally {
+        if (deadlineTimer !== undefined) {
+            clearTimeout(deadlineTimer);
         }
     }
-    return { kind: 'unauthenticated' };
 }