@oxyhq/core 3.2.0 → 3.4.1

package/dist/cjs/mixins/OxyServices.workspaces.js

@@ -87,7 +87,9 @@ function OxyServicesWorkspacesMixin(Base) {
         /**
          * Add a member to a workspace.
          * @param workspaceId - The workspace's Mongo `_id`.
-         * @param data - Target user id and role (never `owner`).
+         * @param data - Target user's username or email and role (never `owner`).
+         *   The server resolves `usernameOrEmail` to a user; an unknown value yields
+         *   a 404 "User not found".
          */
         async inviteWorkspaceMember(workspaceId, data) {
             try {

package/dist/cjs/mixins/index.js

@@ -18,7 +18,7 @@ const OxyServices_user_1 = require("./OxyServices.user");
 const OxyServices_privacy_1 = require("./OxyServices.privacy");
 const OxyServices_language_1 = require("./OxyServices.language");
 const OxyServices_payment_1 = require("./OxyServices.payment");
-const OxyServices_karma_1 = require("./OxyServices.karma");
+const OxyServices_reputation_1 = require("./OxyServices.reputation");
 const OxyServices_assets_1 = require("./OxyServices.assets");
 const OxyServices_applications_1 = require("./OxyServices.applications");
 const OxyServices_workspaces_1 = require("./OxyServices.workspaces");
@@ -63,7 +63,7 @@ const MIXIN_PIPELINE = [
     // Feature mixins
     OxyServices_language_1.OxyServicesLanguageMixin,
     OxyServices_payment_1.OxyServicesPaymentMixin,
-    OxyServices_karma_1.OxyServicesKarmaMixin,
+    OxyServices_reputation_1.OxyServicesReputationMixin,
     OxyServices_assets_1.OxyServicesAssetsMixin,
     OxyServices_applications_1.OxyServicesApplicationsMixin,
     OxyServices_workspaces_1.OxyServicesWorkspacesMixin,

package/dist/cjs/utils/accountUtils.js

@@ -21,11 +21,16 @@ exports.formatPublicKeyHandle = formatPublicKeyHandle;
  * Resolve a friendly display name for a user.
  *
  * Order of preference:
- *  1. `name.full`, or composed `name.first name.last`
+ *  1. `name.full`, or composed `name.first name.last` (FIRST-NAME-ONLY SAFE —
+ *     a user with only a first name resolves to that first name, never to the
+ *     lowercase username; this is the exact drift bug the auth app hit).
  *  2. `name` (when stored as a plain string)
- *  3. `username`
- *  4. `Account 0x12345678…` (derived from publicKey, when present)
- *  5. Translated fallback (e.g. "Unnamed")
+ *  3. `displayName` (server `displayName` virtual — `username || truncatedKey`).
+ *     Placed AFTER the structured name on purpose: the server virtual ignores
+ *     `name`, so preferring it first would re-introduce the first-only bug.
+ *  4. `username`
+ *  5. `Account 0x12345678…` (derived from publicKey, when present)
+ *  6. Translated fallback (e.g. "Unnamed")
  *
  * The translation key `common.unnamed` is used for the final fallback. If the
  * caller does not pass a locale, the default English translation is used.
@@ -33,7 +38,7 @@ exports.formatPublicKeyHandle = formatPublicKeyHandle;
 const getAccountDisplayName = (user, locale) => {
     if (!user)
         return (0, i18n_1.translate)(locale, 'common.unnamed');
-    const { name, username, publicKey } = user;
+    const { name, displayName, username, publicKey } = user;
     if (name && typeof name === 'object') {
         if (typeof name.full === 'string' && name.full.trim())
             return name.full.trim();
@@ -46,6 +51,8 @@ const getAccountDisplayName = (user, locale) => {
     else if (typeof name === 'string' && name.trim()) {
         return name.trim();
     }
+    if (typeof displayName === 'string' && displayName.trim())
+        return displayName.trim();
     if (typeof username === 'string' && username.trim())
         return username.trim();
     if (typeof publicKey === 'string' && publicKey.length > 0) {

package/dist/cjs/utils/ssoReturn.js

@@ -96,14 +96,22 @@ function parseSsoReturnFragment(hash) {
  *     treated exactly like "no session" (never loops, never rethrows).
  *   - On EVERY consumed outcome (ok, none, error, state-mismatch, no-code,
  *     failed-exchange, no-sessionId) — not just ok — if the page landed on
- *     {@link SSO_CALLBACK_PATH}, the real pre-bounce destination is restored
- *     from the DEST key so the user is never stranded on the internal callback
- *     path. Same-origin only (an attacker-planted cross-origin or relative-evil
- *     dest is rejected). The DEST key is removed unconditionally.
- *   - After a same-origin dest restore (which uses `history.replaceState`, that
- *     does NOT itself emit `popstate`), a synthetic `popstate` is dispatched so
- *     URL-driven routers (Expo Router / React Navigation web) re-sync to the
- *     restored route. It is NOT dispatched when the dest is rejected/absent.
+ *     {@link SSO_CALLBACK_PATH}, the user is taken to a same-origin TARGET so
+ *     they are never stranded on the internal callback path (which is an
+ *     unregistered route in every consumer router → a hard 404). The target is
+ *     the stored DEST when it parses as same-origin (an attacker-planted
+ *     cross-origin / protocol-relative dest is rejected), ELSE the app root
+ *     (`origin + '/'`). The DEST key is removed unconditionally.
+ *   - For the `ok` outcome the target is applied via a SOFT
+ *     `history.replaceState` + synthetic `popstate` so the freshly exchanged
+ *     in-memory session the provider is about to commit is preserved (no
+ *     reload). `popstate` is dispatched only on the `ok` same-origin restore.
+ *   - For every NON-`ok` outcome there is no in-memory session to preserve, and
+ *     the consumer router has ALREADY synchronously rendered its 404 for the
+ *     unregistered callback route — a soft replaceState+popstate does not
+ *     reliably make it re-resolve. So these outcomes perform a HARD
+ *     full-document navigation to the target (`hardRedirect`), which is both
+ *     safe (nothing to lose) and guaranteed to clear the 404 in every router.
  *
  * Total: this function NEVER throws. Off-web it is a no-op returning `null`.
  *
@@ -137,6 +145,17 @@ async function consumeSsoReturn(oxy, deps = {}) {
                 window.dispatchEvent(new Event('popstate'));
             }
         });
+    // Default: a hard, full-document navigation used to leave the callback path
+    // on non-`ok` outcomes. Feature-detected end to end so it never throws in any
+    // environment (SSR / native / a stubbed location without `replace`).
+    const hardRedirect = deps.hardRedirect ??
+        ((url) => {
+            if (typeof window !== 'undefined' &&
+                window.location &&
+                typeof window.location.replace === 'function') {
+                window.location.replace(url);
+            }
+        });
     const ret = parseSsoReturnFragment(location.hash);
     if (!ret) {
         // Not an oxy_sso fragment — nothing to do (do NOT touch any flags).
@@ -159,42 +178,62 @@ async function consumeSsoReturn(oxy, deps = {}) {
         // even if some consumer path skipped setting it pre-bounce.
         storage.setItem((0, ssoBounce_1.ssoAttemptedKey)(origin), '1');
     };
-    // Restore the user's real pre-bounce destination so they are never stranded
-    // on the internal callback path — invoked on EVERY consumed outcome, not just
-    // success. Same-origin only — never honour a cross-origin/protocol-relative
-    // dest that could have been planted to redirect the user. The DEST key is
-    // removed unconditionally. After a successful same-origin restore a synthetic
-    // `popstate` is dispatched so URL-driven routers re-sync.
-    const restoreDest = () => {
-        if (location.pathname === ssoBounce_1.SSO_CALLBACK_PATH) {
-            const dest = storage.getItem((0, ssoBounce_1.ssoDestKey)(origin));
-            if (dest) {
-                try {
-                    const destUrl = new URL(dest, origin);
-                    if (destUrl.origin === origin) {
-                        history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
-                        dispatchPopState();
-                    }
-                }
-                catch {
-                    // Malformed stored destination — leave the URL on the callback path.
+    // Compute the same-origin TARGET to leave the callback path for. Returns the
+    // stored DEST when present AND it parses as same-origin (never honour a
+    // cross-origin / protocol-relative dest that could have been planted to
+    // redirect the user), ELSE the app root (`origin + '/'`) so the user is never
+    // stranded on the internal callback path even when no dest was stored. The
+    // DEST key is removed unconditionally. Returns the relative path+search+hash
+    // (so it can be fed to either `history.replaceState` or a `hardRedirect`),
+    // or `null` when the page is not on the callback path (nothing to leave).
+    const consumeCallbackTarget = () => {
+        if (location.pathname !== ssoBounce_1.SSO_CALLBACK_PATH) {
+            // Not on the callback path — still drop the dest key (consumed) but there
+            // is nothing to navigate away from.
+            storage.removeItem((0, ssoBounce_1.ssoDestKey)(origin));
+            return null;
+        }
+        const dest = storage.getItem((0, ssoBounce_1.ssoDestKey)(origin));
+        storage.removeItem((0, ssoBounce_1.ssoDestKey)(origin));
+        if (dest) {
+            try {
+                const destUrl = new URL(dest, origin);
+                if (destUrl.origin === origin) {
+                    return destUrl.pathname + destUrl.search + destUrl.hash;
                 }
             }
+            catch {
+                // Malformed stored destination — fall through to the app-root fallback.
+            }
+        }
+        // No dest, a cross-origin/protocol-relative dest, or an unparseable dest:
+        // fall back to the app root so the router always leaves the 404.
+        return '/';
+    };
+    // Non-`ok` outcomes: there is no in-memory session to preserve, and the
+    // consumer router has already rendered its 404 for the unregistered callback
+    // route — a soft replaceState+popstate does not reliably make it re-resolve.
+    // Perform a HARD full-document navigation to the target (safe: nothing to
+    // lose; guaranteed: every router leaves the 404). Off the callback path this
+    // is a no-op (target is null).
+    const leaveCallbackHard = () => {
+        const target = consumeCallbackTarget();
+        if (target !== null) {
+            hardRedirect(origin + target);
         }
-        storage.removeItem((0, ssoBounce_1.ssoDestKey)(origin));
     };
     if (ret.kind === 'none' || ret.kind === 'error') {
         // The central IdP had no session (or the bounce failed). Record it so we do
         // not bounce again this tab — the definitive loop breaker.
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     if (!stateOk || !ret.code) {
         // Forged / replayed / stale fragment, or a malformed ok with no code. Treat
         // exactly like "no session": never exchange, never loop.
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     let session;
@@ -204,14 +243,22 @@ async function consumeSsoReturn(oxy, deps = {}) {
     catch (error) {
         onExchangeError?.(error);
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     if (!session?.sessionId) {
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
-    restoreDest();
+    // `ok`: the provider is about to commit the freshly exchanged in-memory
+    // session — do NOT hard-redirect (a full navigation would discard it). Use a
+    // SOFT `history.replaceState` to the target + a synthetic `popstate` so
+    // URL-driven routers re-sync to the restored route without a reload.
+    const target = consumeCallbackTarget();
+    if (target !== null) {
+        history.replaceState(null, '', target);
+        dispatchPopState();
+    }
     return session;
 }