@oxyhq/core 2.4.1 → 3.1.0

package/dist/esm/OxyServices.js

@@ -20,7 +20,7 @@ import { composeOxyServices } from './mixins/index.js';
  * - **Payment**: Payment processing
  * - **Karma**: Karma system
  * - **Assets**: File upload and asset management
- * - **Developer**: Developer API management
+ * - **Applications**: Application, membership, and credential management
  * - **Location**: Location-based features
  * - **Analytics**: Analytics tracking
  * - **Devices**: Device management

package/dist/esm/mixins/OxyServices.applications.js

@@ -0,0 +1,211 @@
+import { CACHE_TIMES } from './mixinHelpers.js';
+export function OxyServicesApplicationsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * List applications the current user is an active member of.
+         */
+        async getApplications() {
+            try {
+                const res = await this.makeRequest('GET', '/applications', undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.applications ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Create a new application. The caller becomes its `owner`.
+         * @param data - Application configuration. Staff-only fields are ignored.
+         */
+        async createApplication(data) {
+            try {
+                const res = await this.makeRequest('POST', '/applications', data, { cache: false });
+                return res.application;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Fetch a single application by id.
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async getApplication(applicationId) {
+            try {
+                const res = await this.makeRequest('GET', `/applications/${applicationId}`, undefined, { cache: true, cacheTTL: CACHE_TIMES.LONG });
+                return res.application;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update an application's mutable fields.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Subset of updatable fields. Staff-only fields are ignored.
+         */
+        async updateApplication(applicationId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/applications/${applicationId}`, data, { cache: false });
+                return res.application;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Soft-delete an application (owner only).
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async deleteApplication(applicationId) {
+            try {
+                return await this.makeRequest('DELETE', `/applications/${applicationId}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List members of an application.
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async getApplicationMembers(applicationId) {
+            try {
+                const res = await this.makeRequest('GET', `/applications/${applicationId}/members`, undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.members ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a member to an application.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Target user id and role (never `owner`).
+         */
+        async inviteApplicationMember(applicationId, data) {
+            try {
+                const res = await this.makeRequest('POST', `/applications/${applicationId}/members`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Change a member's role.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         * @param data - New role.
+         */
+        async updateApplicationMember(applicationId, memberId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/applications/${applicationId}/members/${memberId}`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a member from an application.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         */
+        async removeApplicationMember(applicationId, memberId) {
+            try {
+                return await this.makeRequest('DELETE', `/applications/${applicationId}/members/${memberId}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Transfer ownership of an application to another member (owner only).
+         * Demotes the current owner to `admin` and promotes the target to `owner`.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Target user id.
+         */
+        async transferApplicationOwnership(applicationId, data) {
+            try {
+                return await this.makeRequest('POST', `/applications/${applicationId}/transfer-ownership`, data, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List an application's credentials. The response NEVER includes secrets.
+         * @param applicationId - The application's Mongo `_id`.
+         */
+        async getApplicationCredentials(applicationId) {
+            try {
+                const res = await this.makeRequest('GET', `/applications/${applicationId}/credentials`, undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.credentials ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Create a credential. The plaintext `secret` is returned exactly ONCE;
+         * the server stores only a hash and will never return it again.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param data - Credential configuration.
+         */
+        async createApplicationCredential(applicationId, data) {
+            try {
+                return await this.makeRequest('POST', `/applications/${applicationId}/credentials`, data, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Rotate a credential's secret. The new plaintext `secret` is returned
+         * exactly ONCE, along with audit fields: `rotatedFrom` (the previous
+         * credentialId) and `graceExpiresAt` (ISO string for the grace window during
+         * which the old credential is still honoured).
+         * @param applicationId - The application's Mongo `_id`.
+         * @param credentialId - The credential's Mongo `_id`.
+         */
+        async rotateApplicationCredential(applicationId, credentialId) {
+            try {
+                return await this.makeRequest('POST', `/applications/${applicationId}/credentials/${credentialId}/rotate`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Revoke a credential (`status='revoked'`). Revoked credentials can no
+         * longer authenticate.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param credentialId - The credential's Mongo `_id`.
+         */
+        async revokeApplicationCredential(applicationId, credentialId) {
+            try {
+                return await this.makeRequest('DELETE', `/applications/${applicationId}/credentials/${credentialId}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Fetch usage statistics for an application.
+         * @param applicationId - The application's Mongo `_id`.
+         * @param period - Time window (defaults to the server default).
+         */
+        async getApplicationUsage(applicationId, period) {
+            try {
+                return await this.makeRequest('GET', `/applications/${applicationId}/usage`, period ? { period } : undefined, { cache: true, cacheTTL: CACHE_TIMES.SHORT });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/OxyServices.auth.js

@@ -60,8 +60,8 @@ export function OxyServicesAuthMixin(Base) {
          * legitimate multi-tenant hosts that need to switch credentials cannot leak
          * one tenant's token to another tenant on the same instance.
          *
-         * @param apiKey - DeveloperApp API key (oxy_dk_*)
-         * @param apiSecret - DeveloperApp API secret
+         * @param apiKey - Application credential public key (oxy_dk_*)
+         * @param apiSecret - Application credential secret
          */
         configureServiceAuth(apiKey, apiSecret) {
             this._serviceApiKey = apiKey;
@@ -83,8 +83,8 @@ export function OxyServicesAuthMixin(Base) {
          * This prevents an attacker who learned a peer's apiKey from extracting
          * their service token by polling with a wrong secret.
          *
-         * @param apiKey - DeveloperApp API key (optional if configureServiceAuth was called)
-         * @param apiSecret - DeveloperApp API secret (optional if configureServiceAuth was called)
+         * @param apiKey - Application credential public key (optional if configureServiceAuth was called)
+         * @param apiSecret - Application credential secret (optional if configureServiceAuth was called)
          */
         async getServiceToken(apiKey, apiSecret) {
             const key = apiKey || this._serviceApiKey;

package/dist/esm/mixins/OxyServices.utility.js

@@ -472,6 +472,9 @@ export function OxyServicesUtilityMixin(Base) {
                             appId,
                             appName: decoded.appName || 'unknown',
                             scopes: Array.isArray(decoded.scopes) ? decoded.scopes : [],
+                            ...(typeof decoded.credentialId === 'string' && decoded.credentialId.length > 0
+                                ? { credentialId: decoded.credentialId }
+                                : {}),
                         };
                         if (debug) {
                             logger.debug(`[oxy.auth] Service token OK app=${decoded.appName} delegateUser=${oxyUserId || '(none)'}`, {

package/dist/esm/mixins/index.js

@@ -16,7 +16,7 @@ import { OxyServicesLanguageMixin } from './OxyServices.language.js';
 import { OxyServicesPaymentMixin } from './OxyServices.payment.js';
 import { OxyServicesKarmaMixin } from './OxyServices.karma.js';
 import { OxyServicesAssetsMixin } from './OxyServices.assets.js';
-import { OxyServicesDeveloperMixin } from './OxyServices.developer.js';
+import { OxyServicesApplicationsMixin } from './OxyServices.applications.js';
 import { OxyServicesLocationMixin } from './OxyServices.location.js';
 import { OxyServicesAnalyticsMixin } from './OxyServices.analytics.js';
 import { OxyServicesDevicesMixin } from './OxyServices.devices.js';
@@ -60,7 +60,7 @@ const MIXIN_PIPELINE = [
     OxyServicesPaymentMixin,
     OxyServicesKarmaMixin,
     OxyServicesAssetsMixin,
-    OxyServicesDeveloperMixin,
+    OxyServicesApplicationsMixin,
     OxyServicesLocationMixin,
     OxyServicesAnalyticsMixin,
     OxyServicesDevicesMixin,