@oxyhq/core 3.4.0 → 3.4.2

package/dist/esm/i18n/locales/zh-CN.json

@@ -103,7 +103,9 @@
             "createAccount": "创建账户",
             "signIn": "登录",
             "verify": "验证",
-            "resetPassword": "重置密码"
+            "resetPassword": "重置密码",
+            "signedOut": "已退出",
+            "close": "关闭"
         },
         "links": {
             "recoverAccount": "恢复您的账户",
@@ -115,7 +117,10 @@
             "password": "密码",
             "confirmPassword": "确认密码"
         },
-        "revoke": "Revoke"
+        "revoke": "Revoke",
+        "errors": {
+            "signOutAllFailed": "退出所有账户时出现问题。请重试。"
+        }
     },
     "notifications": {
         "title": "Notifications",
@@ -198,5 +203,16 @@
             "revoked": "Revoked access for {{name}}",
             "revokeFailed": "Failed to revoke access"
         }
+    },
+    "accountMenu": {
+        "label": "账户菜单",
+        "manage": "管理您的 Oxy 账户",
+        "addAnother": "添加其他账户",
+        "signOutAll": "退出所有账户",
+        "open": "账户菜单",
+        "openHint": "打开账户菜单",
+        "openWithUser": "{{name}} 的账户菜单",
+        "switching": "正在切换账户…",
+        "signOutAccount": "退出 {{name}}"
     }
 }

package/dist/esm/mixins/OxyServices.auth.js

@@ -303,14 +303,10 @@ export function OxyServicesAuthMixin(Base) {
                 // Plant the freshly-minted tokens, mirroring `claimSessionByToken`.
                 // `/auth/verify` returns the first access token (and refresh token) in
                 // its body, so installing it here means callers get an authenticated
-                // client without a second round-trip — and, critically, without
-                // falling back to the bearer-protected `GET /session/token/:sessionId`
-                // (C1 hardening), which 401s for a brand-new identity that has no
-                // bearer yet. `accessToken`/`refreshToken` are optional on
-                // SessionLoginResponse; only plant when an access token is present and
-                // default the refresh token to an empty string.
+                // client without a second round-trip. Refresh stays in the httpOnly
+                // cookie slot set by the API.
                 if (res?.accessToken) {
-                    this.setTokens(res.accessToken, res.refreshToken ?? '');
+                    this.setTokens(res.accessToken);
                 }
                 return res;
             }
@@ -373,24 +369,6 @@ export function OxyServicesAuthMixin(Base) {
                 throw this.handleError(error);
             }
         }
-        /**
-         * Get access token by session ID
-         *
-         * SECURITY: this endpoint requires the caller to already hold a
-         * bearer token whose user owns the referenced session (C1 hardening
-         * in the API). For the device-flow / QR sign-in case where the
-         * client has no bearer token yet, use `claimSessionByToken` instead.
-         */
-        async getTokenBySession(sessionId) {
-            try {
-                const res = await this.makeRequest('GET', `/session/token/${sessionId}`, undefined, { cache: false, retry: false });
-                this.setTokens(res.accessToken);
-                return res;
-            }
-            catch (error) {
-                throw this.handleError(error);
-            }
-        }
         /**
          * Exchange a device-flow sessionToken for the first access token.
          *
@@ -418,7 +396,7 @@ export function OxyServicesAuthMixin(Base) {
                     sessionToken,
                     ...(options.deviceFingerprint ? { deviceFingerprint: options.deviceFingerprint } : {}),
                 }, { cache: false, retry: false });
-                this.setTokens(res.accessToken, res.refreshToken);
+                this.setTokens(res.accessToken);
                 return res;
             }
             catch (error) {
@@ -430,19 +408,14 @@ export function OxyServicesAuthMixin(Base) {
          * (Google-style multi-account rebuild).
          *
          * Calls `POST {sessionBaseUrl}/auth/refresh-all` with `credentials: 'include'`
-         * and NO bearer. The browser attaches every `oxy_rt*` cookie it has; the
-         * server rotates each in parallel and returns one entry per VALID account.
+         * and NO bearer. The browser attaches every indexed `oxy_rt_${authuser}`
+         * cookie it has; the server rotates each in parallel and returns one entry
+         * per VALID account.
          *
          * Failure handling:
          * - 401 → no signed-in accounts on this device → returns `{ accounts: [] }`
          *   (NOT an error; this is the cold-boot "not signed in" path).
-         * - 404 → server is older than the multi-account endpoint. We fall back to
-         *   `POST /auth/refresh` (single-slot) and wrap its response in the
-         *   refresh-all shape so callers can treat the two paths uniformly. The
-         *   fallback entry has `authuser: 0` (the legacy slot maps to slot 0 by
-         *   convention) and a minimal `user` shape — consumers needing the full
-         *   user must fetch it separately. Always exactly one account in this
-         *   shape.
+         * - 404 → endpoint not deployed → returns `{ accounts: [] }`.
          * - Any other non-2xx → throws via `handleError`.
          *
          * The refresh cookie itself never enters JS — only the rotated access
@@ -489,22 +462,7 @@ export function OxyServicesAuthMixin(Base) {
                 return { accounts: [] };
             }
             if (response.status === 404) {
-                // Legacy single-account refresh fallback. Wrap the response so the
-                // caller can treat both paths identically.
-                const legacy = await this._refreshCookieRaw();
-                if (!legacy) {
-                    return { accounts: [] };
-                }
-                const fallbackAccount = {
-                    authuser: 0,
-                    accessToken: legacy.accessToken,
-                    expiresAt: legacy.expiresAt,
-                    sessionId: this._decodeSessionIdFromAccessToken(legacy.accessToken) ?? '',
-                    // Legacy /auth/refresh does NOT project the user shape; the caller
-                    // (AuthManager) is expected to hydrate via /users/me after planting.
-                    user: null,
-                };
-                return { accounts: [fallbackAccount] };
+                return { accounts: [] };
             }
             if (!response.ok) {
                 throw this.handleError(new Error(`Refresh-all failed with HTTP ${response.status}`));
@@ -524,11 +482,11 @@ export function OxyServicesAuthMixin(Base) {
                 if (!userId || !e.user.username) {
                     continue;
                 }
-                // Normalise the legacy un-suffixed cookie (`authuser: null` on the
-                // wire) to slot 0. The SDK surface always operates on numeric indices.
-                const authuser = typeof e.authuser === 'number' ? e.authuser : 0;
+                if (typeof e.authuser !== 'number') {
+                    continue;
+                }
                 accounts.push({
-                    authuser,
+                    authuser: e.authuser,
                     accessToken: e.accessToken,
                     expiresAt: e.expiresAt,
                     sessionId: e.sessionId,
@@ -549,9 +507,8 @@ export function OxyServicesAuthMixin(Base) {
          *
          * When `authuser` is provided, the server rotates ONLY that slot
          * (`oxy_rt_${authuser}`) — sibling accounts on the same device stay
-         * untouched. When omitted, the server picks the lowest indexed slot
-         * present (legacy fallback applies). The refresh cookie itself never
-         * enters JS.
+         * untouched. When omitted, the server picks the lowest indexed slot present.
+         * The refresh cookie itself never enters JS.
          *
          * Returns `null` on 401 (no cookie / expired / reused) so the caller can
          * fall through cleanly to the unauthenticated path.
@@ -606,9 +563,7 @@ export function OxyServicesAuthMixin(Base) {
         }
         /**
          * Internal: raw `POST /auth/refresh[?authuser=N]` call returning the
-         * minted access token. Returns `null` on 401 / non-2xx. Used as both the
-         * implementation of `refreshTokenViaCookie` and the legacy fallback for
-         * `refreshAllSessions` against older servers.
+         * minted access token. Returns `null` on 401 / non-2xx.
          *
          * @internal
          */
@@ -636,11 +591,13 @@ export function OxyServicesAuthMixin(Base) {
                 return null;
             }
             const expiresAt = typeof payload.expiresAt === 'string' ? payload.expiresAt : '';
-            const respAuthuser = typeof payload.authuser === 'number' ? payload.authuser : null;
+            if (typeof payload.authuser !== 'number') {
+                return null;
+            }
             return {
                 accessToken: payload.accessToken,
                 expiresAt,
-                authuser: respAuthuser,
+                authuser: payload.authuser,
             };
         }
         /**

package/dist/esm/mixins/OxyServices.fedcm.js

@@ -84,7 +84,7 @@ let fedCMActiveController = null;
  * - Firefox: Not yet supported (fallback required)
  *
  * Key Features:
- * - No redirects or popups required
+ * - No redirects or secondary windows required
  * - Browser-native UI prompts
  * - Privacy-preserving (IdP can't track users)
  * - Automatic SSO across domains
@@ -125,7 +125,7 @@ export function OxyServicesFedCMMixin(Base) {
              *
              * This provides a Google-style authentication experience:
              * - Browser shows native "Sign in with Oxy" prompt
-             * - No redirect or popup required
+             * - No redirect or secondary window required
              * - User approves → credential exchange happens in browser
              * - All apps automatically get SSO after first sign-in
              *
@@ -139,8 +139,8 @@ export function OxyServicesFedCMMixin(Base) {
              *   const session = await oxyServices.signInWithFedCM();
              *   console.log('Signed in:', session.user);
              * } catch (error) {
-             *   // Fallback to popup or redirect auth
-             *   await oxyServices.signInWithPopup();
+             *   // Fallback to redirect auth
+             *   oxyServices.signInWithRedirect();
              * }
              * ```
              */
@@ -205,11 +205,10 @@ export function OxyServicesFedCMMixin(Base) {
                 debug.log('Interactive sign-in: Got credential, exchanging for session');
                 // Exchange FedCM ID token for Oxy session
                 const session = await this.exchangeIdTokenForSession(credential.token);
-                // Store access token in HttpService. `accessToken`/`refreshToken` are
-                // declared optional on SessionLoginResponse; default the refresh token to
-                // an empty string when the exchange did not return one.
+                // Store the access token in HttpService. Refresh stays in the httpOnly
+                // cookie slot set by the API.
                 if (session?.accessToken) {
-                    this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
+                    this.httpService.setTokens(session.accessToken);
                 }
                 // Store the user ID as loginHint for future FedCM requests — only now, after
                 // a real successful exchange, so we never persist a hint that cannot resolve.
@@ -360,11 +359,10 @@ export function OxyServicesFedCMMixin(Base) {
                     debug.error('Silent SSO: Exchange returned session without user:', session);
                     return null;
                 }
-                // Set the access token. `accessToken`/`refreshToken` are declared optional
-                // on SessionLoginResponse; default the refresh token to an empty string when
-                // the exchange did not return one.
+                // Store the access token. Refresh stays in the httpOnly cookie slot set by
+                // the API.
                 if (session.accessToken) {
-                    this.httpService.setTokens(session.accessToken, session.refreshToken ?? '');
+                    this.httpService.setTokens(session.accessToken);
                     debug.log('Silent SSO: Access token set');
                 }
                 else {