@oxyhq/core 3.1.0 → 3.4.0

package/dist/esm/mixins/OxyServices.reputation.js

@@ -0,0 +1,241 @@
+import { CACHE_TIMES } from './mixinHelpers.js';
+/** Cache-key prefix for every cached `GET /reputation/...` response. */
+const REPUTATION_CACHE_PREFIX = 'GET:/reputation/';
+export function OxyServicesReputationMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Get a user's cached reputation balance — derived totals, per-category
+         * breakdown, trust tier, capped influence weights, and reliability signals.
+         * @param userId - The subject user's `_id` or publicKey.
+         */
+        async getReputationBalance(userId) {
+            try {
+                return await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/balance`, undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get the reputation leaderboard, ordered by lifetime total descending.
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getReputationLeaderboard(limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', '/reputation/leaderboard', Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: CACHE_TIMES.LONG });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List the enabled reputation rules (for client display).
+         */
+        async getReputationRules() {
+            try {
+                const res = await this.makeRequest('GET', '/reputation/rules', undefined, { cache: true, cacheTTL: CACHE_TIMES.EXTRA_LONG });
+                return res.rules ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get a user's paginated reputation ledger, newest first (auth required).
+         * @param userId - The subject user's `_id` or publicKey.
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getReputationTransactions(userId, limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/transactions`, Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: CACHE_TIMES.SHORT });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get a user's capped influence weight for a given context (auth required).
+         * @param userId - The subject user's `_id` or publicKey.
+         * @param context - The weight axis to read (defaults server-side to `default`).
+         */
+        async getReputationInfluence(userId, context) {
+            try {
+                return await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/influence`, context ? { context } : undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Award (or penalise) reputation to a user by `actionType`. Restricted to
+         * service tokens and platform staff. Invalidates cached reputation reads.
+         * @param input - The award payload (subject, action, source, target, etc.).
+         */
+        async awardReputation(input) {
+            try {
+                const res = await this.makeRequest('POST', '/reputation/award', input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.transaction;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Open a dispute against a transaction (auth required; the disputer is the
+         * authenticated user and must own the transaction).
+         * @param input - The transaction id, reason, and optional evidence.
+         */
+        async createReputationDispute(input) {
+            try {
+                const res = await this.makeRequest('POST', '/reputation/disputes', input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.dispute;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List a user's own reputation disputes (auth required; the caller must be
+         * the subject or platform staff).
+         * @param userId - The subject user's `_id` or publicKey.
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getUserReputationDisputes(userId, limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/disputes`, Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: CACHE_TIMES.SHORT });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        // =========================================================================
+        // STAFF / ADMIN METHODS (require staff privileges server-side)
+        // =========================================================================
+        /**
+         * Create or update a reputation rule, keyed by `actionType` (staff only).
+         * Invalidates the cached rule list.
+         * @param input - The rule definition.
+         */
+        async upsertReputationRule(input) {
+            try {
+                const res = await this.makeRequest('POST', '/reputation/rules', input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.rule;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Reverse a transaction (staff only): mark the original `reversed` and append
+         * a compensating `active` reversal with negated points. Invalidates cached
+         * reputation reads.
+         * @param transactionId - The transaction's id.
+         * @param input - Optional reason for the reversal.
+         */
+        async reverseReputationTransaction(transactionId, input) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/transactions/${encodeURIComponent(transactionId)}/reverse`, input ?? {}, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Void a transaction (staff only): mark it `voided` so it is excluded from
+         * the balance, with NO compensating entry. Invalidates cached reputation
+         * reads.
+         * @param transactionId - The transaction's id.
+         * @param input - Optional reason for the void.
+         */
+        async voidReputationTransaction(transactionId, input) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/transactions/${encodeURIComponent(transactionId)}/void`, input ?? {}, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.transaction;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Force a recompute of a user's balance snapshot from their active ledger
+         * (staff only). Invalidates cached reputation reads.
+         * @param userId - The subject user's `_id` or publicKey.
+         */
+        async recalculateReputation(userId) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/${encodeURIComponent(userId)}/recalculate`, undefined, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get the open dispute queue across all users (staff only).
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getReputationDisputeQueue(limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', '/reputation/disputes', Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: CACHE_TIMES.SHORT });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Resolve a dispute (staff only). Accepting reverses the disputed
+         * transaction; rejecting restores it to `active`. Invalidates cached
+         * reputation reads.
+         * @param disputeId - The dispute's id.
+         * @param input - The resolution (`accepted` or `rejected`).
+         */
+        async resolveReputationDispute(disputeId, input) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/disputes/${encodeURIComponent(disputeId)}/resolve`, input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.dispute;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/OxyServices.workspaces.js

@@ -0,0 +1,143 @@
+import { CACHE_TIMES } from './mixinHelpers.js';
+export function OxyServicesWorkspacesMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * List workspaces the current user is an active member of.
+         */
+        async getWorkspaces() {
+            try {
+                const res = await this.makeRequest('GET', '/workspaces', undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.workspaces ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Create a new team workspace. The caller becomes its `owner`.
+         * @param data - Workspace configuration.
+         */
+        async createWorkspace(data) {
+            try {
+                const res = await this.makeRequest('POST', '/workspaces', data, { cache: false });
+                return res.workspace;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Fetch a single workspace by id.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        async getWorkspace(workspaceId) {
+            try {
+                const res = await this.makeRequest('GET', `/workspaces/${encodeURIComponent(workspaceId)}`, undefined, { cache: true, cacheTTL: CACHE_TIMES.LONG });
+                return res.workspace;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update a workspace's mutable fields.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Subset of updatable fields.
+         */
+        async updateWorkspace(workspaceId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/workspaces/${encodeURIComponent(workspaceId)}`, data, { cache: false });
+                return res.workspace;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Soft-delete a workspace (owner only).
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        async deleteWorkspace(workspaceId) {
+            try {
+                return await this.makeRequest('DELETE', `/workspaces/${encodeURIComponent(workspaceId)}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List members of a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        async getWorkspaceMembers(workspaceId) {
+            try {
+                const res = await this.makeRequest('GET', `/workspaces/${encodeURIComponent(workspaceId)}/members`, undefined, { cache: true, cacheTTL: CACHE_TIMES.MEDIUM });
+                return res.members ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a member to a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Target user's username or email and role (never `owner`).
+         *   The server resolves `usernameOrEmail` to a user; an unknown value yields
+         *   a 404 "User not found".
+         */
+        async inviteWorkspaceMember(workspaceId, data) {
+            try {
+                const res = await this.makeRequest('POST', `/workspaces/${encodeURIComponent(workspaceId)}/members`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Change a member's role.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         * @param data - New role (never `owner`).
+         */
+        async updateWorkspaceMember(workspaceId, memberId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/workspaces/${encodeURIComponent(workspaceId)}/members/${encodeURIComponent(memberId)}`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a member from a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         */
+        async removeWorkspaceMember(workspaceId, memberId) {
+            try {
+                return await this.makeRequest('DELETE', `/workspaces/${encodeURIComponent(workspaceId)}/members/${encodeURIComponent(memberId)}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Transfer ownership of a workspace to another member (owner only).
+         * Demotes the current owner and promotes the target to `owner`.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Target user id.
+         */
+        async transferWorkspaceOwnership(workspaceId, data) {
+            try {
+                return await this.makeRequest('POST', `/workspaces/${encodeURIComponent(workspaceId)}/transfer-ownership`, data, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/index.js

@@ -14,9 +14,10 @@ import { OxyServicesUserMixin } from './OxyServices.user.js';
 import { OxyServicesPrivacyMixin } from './OxyServices.privacy.js';
 import { OxyServicesLanguageMixin } from './OxyServices.language.js';
 import { OxyServicesPaymentMixin } from './OxyServices.payment.js';
-import { OxyServicesKarmaMixin } from './OxyServices.karma.js';
+import { OxyServicesReputationMixin } from './OxyServices.reputation.js';
 import { OxyServicesAssetsMixin } from './OxyServices.assets.js';
 import { OxyServicesApplicationsMixin } from './OxyServices.applications.js';
+import { OxyServicesWorkspacesMixin } from './OxyServices.workspaces.js';
 import { OxyServicesLocationMixin } from './OxyServices.location.js';
 import { OxyServicesAnalyticsMixin } from './OxyServices.analytics.js';
 import { OxyServicesDevicesMixin } from './OxyServices.devices.js';
@@ -58,9 +59,10 @@ const MIXIN_PIPELINE = [
     // Feature mixins
     OxyServicesLanguageMixin,
     OxyServicesPaymentMixin,
-    OxyServicesKarmaMixin,
+    OxyServicesReputationMixin,
     OxyServicesAssetsMixin,
     OxyServicesApplicationsMixin,
+    OxyServicesWorkspacesMixin,
     OxyServicesLocationMixin,
     OxyServicesAnalyticsMixin,
     OxyServicesDevicesMixin,

package/dist/esm/utils/accountUtils.js

@@ -17,11 +17,16 @@ export const formatPublicKeyHandle = (publicKey) => {
  * Resolve a friendly display name for a user.
  *
  * Order of preference:
- *  1. `name.full`, or composed `name.first name.last`
+ *  1. `name.full`, or composed `name.first name.last` (FIRST-NAME-ONLY SAFE —
+ *     a user with only a first name resolves to that first name, never to the
+ *     lowercase username; this is the exact drift bug the auth app hit).
  *  2. `name` (when stored as a plain string)
- *  3. `username`
- *  4. `Account 0x12345678…` (derived from publicKey, when present)
- *  5. Translated fallback (e.g. "Unnamed")
+ *  3. `displayName` (server `displayName` virtual — `username || truncatedKey`).
+ *     Placed AFTER the structured name on purpose: the server virtual ignores
+ *     `name`, so preferring it first would re-introduce the first-only bug.
+ *  4. `username`
+ *  5. `Account 0x12345678…` (derived from publicKey, when present)
+ *  6. Translated fallback (e.g. "Unnamed")
  *
  * The translation key `common.unnamed` is used for the final fallback. If the
  * caller does not pass a locale, the default English translation is used.
@@ -29,7 +34,7 @@ export const formatPublicKeyHandle = (publicKey) => {
 export const getAccountDisplayName = (user, locale) => {
     if (!user)
         return translate(locale, 'common.unnamed');
-    const { name, username, publicKey } = user;
+    const { name, displayName, username, publicKey } = user;
     if (name && typeof name === 'object') {
         if (typeof name.full === 'string' && name.full.trim())
             return name.full.trim();
@@ -42,6 +47,8 @@ export const getAccountDisplayName = (user, locale) => {
     else if (typeof name === 'string' && name.trim()) {
         return name.trim();
     }
+    if (typeof displayName === 'string' && displayName.trim())
+        return displayName.trim();
     if (typeof username === 'string' && username.trim())
         return username.trim();
     if (typeof publicKey === 'string' && publicKey.length > 0) {

package/dist/esm/utils/ssoReturn.js

@@ -92,14 +92,22 @@ export function parseSsoReturnFragment(hash) {
  *     treated exactly like "no session" (never loops, never rethrows).
  *   - On EVERY consumed outcome (ok, none, error, state-mismatch, no-code,
  *     failed-exchange, no-sessionId) — not just ok — if the page landed on
- *     {@link SSO_CALLBACK_PATH}, the real pre-bounce destination is restored
- *     from the DEST key so the user is never stranded on the internal callback
- *     path. Same-origin only (an attacker-planted cross-origin or relative-evil
- *     dest is rejected). The DEST key is removed unconditionally.
- *   - After a same-origin dest restore (which uses `history.replaceState`, that
- *     does NOT itself emit `popstate`), a synthetic `popstate` is dispatched so
- *     URL-driven routers (Expo Router / React Navigation web) re-sync to the
- *     restored route. It is NOT dispatched when the dest is rejected/absent.
+ *     {@link SSO_CALLBACK_PATH}, the user is taken to a same-origin TARGET so
+ *     they are never stranded on the internal callback path (which is an
+ *     unregistered route in every consumer router → a hard 404). The target is
+ *     the stored DEST when it parses as same-origin (an attacker-planted
+ *     cross-origin / protocol-relative dest is rejected), ELSE the app root
+ *     (`origin + '/'`). The DEST key is removed unconditionally.
+ *   - For the `ok` outcome the target is applied via a SOFT
+ *     `history.replaceState` + synthetic `popstate` so the freshly exchanged
+ *     in-memory session the provider is about to commit is preserved (no
+ *     reload). `popstate` is dispatched only on the `ok` same-origin restore.
+ *   - For every NON-`ok` outcome there is no in-memory session to preserve, and
+ *     the consumer router has ALREADY synchronously rendered its 404 for the
+ *     unregistered callback route — a soft replaceState+popstate does not
+ *     reliably make it re-resolve. So these outcomes perform a HARD
+ *     full-document navigation to the target (`hardRedirect`), which is both
+ *     safe (nothing to lose) and guaranteed to clear the 404 in every router.
  *
  * Total: this function NEVER throws. Off-web it is a no-op returning `null`.
  *
@@ -133,6 +141,17 @@ export async function consumeSsoReturn(oxy, deps = {}) {
                 window.dispatchEvent(new Event('popstate'));
             }
         });
+    // Default: a hard, full-document navigation used to leave the callback path
+    // on non-`ok` outcomes. Feature-detected end to end so it never throws in any
+    // environment (SSR / native / a stubbed location without `replace`).
+    const hardRedirect = deps.hardRedirect ??
+        ((url) => {
+            if (typeof window !== 'undefined' &&
+                window.location &&
+                typeof window.location.replace === 'function') {
+                window.location.replace(url);
+            }
+        });
     const ret = parseSsoReturnFragment(location.hash);
     if (!ret) {
         // Not an oxy_sso fragment — nothing to do (do NOT touch any flags).
@@ -155,42 +174,62 @@ export async function consumeSsoReturn(oxy, deps = {}) {
         // even if some consumer path skipped setting it pre-bounce.
         storage.setItem(ssoAttemptedKey(origin), '1');
     };
-    // Restore the user's real pre-bounce destination so they are never stranded
-    // on the internal callback path — invoked on EVERY consumed outcome, not just
-    // success. Same-origin only — never honour a cross-origin/protocol-relative
-    // dest that could have been planted to redirect the user. The DEST key is
-    // removed unconditionally. After a successful same-origin restore a synthetic
-    // `popstate` is dispatched so URL-driven routers re-sync.
-    const restoreDest = () => {
-        if (location.pathname === SSO_CALLBACK_PATH) {
-            const dest = storage.getItem(ssoDestKey(origin));
-            if (dest) {
-                try {
-                    const destUrl = new URL(dest, origin);
-                    if (destUrl.origin === origin) {
-                        history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
-                        dispatchPopState();
-                    }
-                }
-                catch {
-                    // Malformed stored destination — leave the URL on the callback path.
+    // Compute the same-origin TARGET to leave the callback path for. Returns the
+    // stored DEST when present AND it parses as same-origin (never honour a
+    // cross-origin / protocol-relative dest that could have been planted to
+    // redirect the user), ELSE the app root (`origin + '/'`) so the user is never
+    // stranded on the internal callback path even when no dest was stored. The
+    // DEST key is removed unconditionally. Returns the relative path+search+hash
+    // (so it can be fed to either `history.replaceState` or a `hardRedirect`),
+    // or `null` when the page is not on the callback path (nothing to leave).
+    const consumeCallbackTarget = () => {
+        if (location.pathname !== SSO_CALLBACK_PATH) {
+            // Not on the callback path — still drop the dest key (consumed) but there
+            // is nothing to navigate away from.
+            storage.removeItem(ssoDestKey(origin));
+            return null;
+        }
+        const dest = storage.getItem(ssoDestKey(origin));
+        storage.removeItem(ssoDestKey(origin));
+        if (dest) {
+            try {
+                const destUrl = new URL(dest, origin);
+                if (destUrl.origin === origin) {
+                    return destUrl.pathname + destUrl.search + destUrl.hash;
                 }
             }
+            catch {
+                // Malformed stored destination — fall through to the app-root fallback.
+            }
+        }
+        // No dest, a cross-origin/protocol-relative dest, or an unparseable dest:
+        // fall back to the app root so the router always leaves the 404.
+        return '/';
+    };
+    // Non-`ok` outcomes: there is no in-memory session to preserve, and the
+    // consumer router has already rendered its 404 for the unregistered callback
+    // route — a soft replaceState+popstate does not reliably make it re-resolve.
+    // Perform a HARD full-document navigation to the target (safe: nothing to
+    // lose; guaranteed: every router leaves the 404). Off the callback path this
+    // is a no-op (target is null).
+    const leaveCallbackHard = () => {
+        const target = consumeCallbackTarget();
+        if (target !== null) {
+            hardRedirect(origin + target);
         }
-        storage.removeItem(ssoDestKey(origin));
     };
     if (ret.kind === 'none' || ret.kind === 'error') {
         // The central IdP had no session (or the bounce failed). Record it so we do
         // not bounce again this tab — the definitive loop breaker.
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     if (!stateOk || !ret.code) {
         // Forged / replayed / stale fragment, or a malformed ok with no code. Treat
         // exactly like "no session": never exchange, never loop.
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     let session;
@@ -200,14 +239,22 @@ export async function consumeSsoReturn(oxy, deps = {}) {
     catch (error) {
         onExchangeError?.(error);
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     if (!session?.sessionId) {
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
-    restoreDest();
+    // `ok`: the provider is about to commit the freshly exchanged in-memory
+    // session — do NOT hard-redirect (a full navigation would discard it). Use a
+    // SOFT `history.replaceState` to the target + a synthetic `popstate` so
+    // URL-driven routers re-sync to the restored route without a reload.
+    const target = consumeCallbackTarget();
+    if (target !== null) {
+        history.replaceState(null, '', target);
+        dispatchPopState();
+    }
     return session;
 }