@oxyhq/core 3.4.0 → 3.4.2

package/dist/esm/mixins/OxyServices.sso.js

@@ -29,8 +29,7 @@ const debug = createDebugLogger('SSO');
  *
  * Exposed as a module-level helper (in addition to the instance method below)
  * so consumers that do not yet hold an `OxyServices` instance can still mint a
- * bounce state. Reuses the same `crypto.randomUUID`-based generator the popup
- * mixin uses for its CSRF state, with a `getRandomValues` fallback.
+ * bounce state. Uses `crypto.randomUUID` with a `getRandomValues` fallback.
  */
 export function generateSsoState() {
     if (typeof crypto !== 'undefined' && crypto.randomUUID) {
@@ -51,8 +50,8 @@ export function OxyServicesSsoMixin(Base) {
         /**
          * Generate cryptographically secure state for the SSO bounce (CSRF
          * protection). Delegates to the module-level {@link generateSsoState}
-         * helper, which uses the same `crypto.randomUUID`-based generator the popup
-         * mixin's `generateState()` uses — one shared secure-random implementation.
+         * helper, which uses `crypto.randomUUID` when available and falls back to
+         * `crypto.getRandomValues`.
          */
         generateSsoState() {
             return generateSsoState();
@@ -123,7 +122,7 @@ export function OxyServicesSsoMixin(Base) {
             // Plant the access token exactly like exchangeIdTokenForSession does.
             // The SSO exchange does not return a refresh token (the central store
             // holds the refresh credential), so default it to an empty string.
-            this.httpService.setTokens(payload.accessToken, '');
+            this.httpService.setTokens(payload.accessToken);
             debug.log('SSO exchange complete:', { hasSession: !!payload.sessionId });
             const session = {
                 sessionId: payload.sessionId,

package/dist/esm/mixins/OxyServices.utility.js

@@ -259,20 +259,12 @@ export function OxyServicesUtilityMixin(Base) {
                     return true;
                 };
                 try {
-                    // Extract token from Authorization header or query params.
+                    // Extract token from Authorization header.
                     // Node/Express normalizes `Authorization` to a string; we guard
                     // against the (legal but unusual) string[] case anyway.
                     const rawAuthHeader = req.headers.authorization;
                     const authHeader = Array.isArray(rawAuthHeader) ? rawAuthHeader[0] : rawAuthHeader;
-                    let token = authHeader?.startsWith('Bearer ') ? authHeader.substring(7) : null;
-                    // Fallback to query params (useful for WebSocket upgrades)
-                    if (!token) {
-                        const q = req.query || {};
-                        if (typeof q.token === 'string' && q.token)
-                            token = q.token;
-                        else if (typeof q.access_token === 'string' && q.access_token)
-                            token = q.access_token;
-                    }
+                    const token = authHeader?.startsWith('Bearer ') ? authHeader.substring(7) : null;
                     if (debug) {
                         logger.debug(`[oxy.auth] ${req.method} ${req.path} | token: ${!!token}`, {
                             component: 'auth',
@@ -420,13 +412,14 @@ export function OxyServicesUtilityMixin(Base) {
                         }
                         // Validate required service token fields
                         const appId = decoded.appId;
-                        if (!appId) {
+                        const credentialId = decoded.credentialId;
+                        if (!appId || typeof credentialId !== 'string' || credentialId.length === 0) {
                             if (optional) {
                                 req.userId = null;
                                 req.user = null;
                                 return next();
                             }
-                            const error = { error: 'INVALID_SERVICE_TOKEN', message: 'Invalid service token: missing appId', code: 'INVALID_SERVICE_TOKEN', status: 401 };
+                            const error = { error: 'INVALID_SERVICE_TOKEN', message: 'Invalid service token: missing required claims', code: 'INVALID_SERVICE_TOKEN', status: 401 };
                             if (onError)
                                 return onError(error);
                             return res.status(401).json(error);
@@ -471,10 +464,8 @@ export function OxyServicesUtilityMixin(Base) {
                         req.serviceApp = {
                             appId,
                             appName: decoded.appName || 'unknown',
+                            credentialId,
                             scopes: Array.isArray(decoded.scopes) ? decoded.scopes : [],
-                            ...(typeof decoded.credentialId === 'string' && decoded.credentialId.length > 0
-                                ? { credentialId: decoded.credentialId }
-                                : {}),
                         };
                         if (debug) {
                             logger.debug(`[oxy.auth] Service token OK app=${decoded.appName} delegateUser=${oxyUserId || '(none)'}`, {

package/dist/esm/mixins/index.js

@@ -7,7 +7,7 @@
 import { OxyServicesBase } from '../OxyServices.base.js';
 import { OxyServicesAuthMixin } from './OxyServices.auth.js';
 import { OxyServicesFedCMMixin } from './OxyServices.fedcm.js';
-import { OxyServicesPopupAuthMixin } from './OxyServices.popup.js';
+import { OxyServicesSilentAuthMixin } from './OxyServices.silent.js';
 import { OxyServicesRedirectAuthMixin } from './OxyServices.redirect.js';
 import { OxyServicesSsoMixin } from './OxyServices.sso.js';
 import { OxyServicesUserMixin } from './OxyServices.user.js';
@@ -33,7 +33,7 @@ import { OxyServicesAppDataMixin } from './OxyServices.appData.js';
  *
  * Order matters for dependencies:
  * 1. Base auth mixin first (required by all others)
- * 2. Cross-domain auth mixins (FedCM, Popup, Redirect)
+ * 2. Cross-domain auth mixins (FedCM, silent iframe, Redirect)
  * 3. User mixin (requires auth)
  * 4. Feature mixins (can depend on user)
  * 5. Utility mixin last (augments all)
@@ -45,13 +45,12 @@ const MIXIN_PIPELINE = [
     OxyServicesAuthMixin,
     // Cross-domain authentication (web-only)
     // - FedCM: Modern browser-native identity federation (Google-style)
-    // - Popup: OAuth2-style popup authentication
+    // - Silent: iframe-based restore for first-party IdP hosts
     // - Redirect: Traditional redirect-based authentication
     OxyServicesFedCMMixin,
-    OxyServicesPopupAuthMixin,
+    OxyServicesSilentAuthMixin,
     OxyServicesRedirectAuthMixin,
-    // Central cross-domain SSO (opaque-code exchange). After Popup so it can
-    // reuse the popup mixin's secure-random `generateState()`.
+    // Central cross-domain SSO (opaque-code exchange).
     OxyServicesSsoMixin,
     // User management (requires auth)
     OxyServicesUserMixin,

package/dist/esm/server/index.js

@@ -0,0 +1,17 @@
+/**
+ * @oxyhq/core/server — Server-only utilities for Oxy backends
+ *
+ * This subpath export provides Express middleware and Node.js-specific
+ * utilities that are not available in React Native or browser environments.
+ *
+ * @example
+ * ```ts
+ * import { createOxyRateLimit } from '@oxyhq/core/server';
+ * import { oxyClient } from '@oxyhq/core';
+ *
+ * const oxy = oxyClient({ apiUrl: 'https://api.oxy.so' });
+ *
+ * app.use(createOxyRateLimit(oxy, { store: redisStore }));
+ * ```
+ */
+export { createOxyRateLimit } from './rateLimit.js';

package/dist/esm/server/rateLimit.js

@@ -0,0 +1,71 @@
+import rateLimit from 'express-rate-limit';
+/**
+ * Built-in exemptions. A media app's cover-art/avatar fan-out and HLS
+ * sub-requests must not consume the coarse global budget; health probes from
+ * the load balancer must never be limited; CORS preflight is not a real call.
+ */
+function isBuiltInExempt(req) {
+    const path = req.path;
+    return (req.method === 'OPTIONS' ||
+        path.startsWith('/files/upload') ||
+        path.includes('/images/') ||
+        path.includes('/media/') ||
+        path.startsWith('/api/stream/') ||
+        path.includes('/stream/') ||
+        path === '/health' ||
+        path.endsWith('/health'));
+}
+/** IPv6-safe IP key generator (replaces colons to avoid Redis namespace issues). */
+function ipKeyGenerator(ip) {
+    return ip.replace(/:/g, '_');
+}
+/** Resolve the rate-limit key: per authenticated user, else per (IPv6-safe) IP. */
+function resolveKey(req) {
+    const userId = req.userId ?? req.user?.id ?? req.user?._id;
+    if (userId) {
+        return `user:${userId}`;
+    }
+    const ip = req.ip || req.socket?.remoteAddress || 'unknown';
+    return ipKeyGenerator(ip);
+}
+/**
+ * Build the composed Oxy rate-limit middleware. See module docs for rationale.
+ */
+export function createOxyRateLimit(oxy, options = {}) {
+    const { authenticatedMax = 5000, anonymousMax = 600, windowMs = 15 * 60 * 1000, store, exempt, message = 'Too many requests, please try again later.', auth, } = options;
+    // Idempotent optional-auth resolver. Reuses the SAME session resolution as
+    // every protected route, so the limiter keys by the real user identity.
+    const resolveSession = oxy.auth({ ...auth, optional: true });
+    const skip = (req) => isBuiltInExempt(req) || (exempt ? exempt(req) : false);
+    const limiter = rateLimit({
+        windowMs,
+        ...(store ? { store } : {}),
+        max: ((req) => {
+            const authed = req;
+            const userId = authed.userId ?? authed.user?.id ?? authed.user?._id;
+            return userId ? authenticatedMax : anonymousMax;
+        }),
+        keyGenerator: ((req) => resolveKey(req)),
+        message,
+        standardHeaders: true,
+        legacyHeaders: false,
+        skip: skip,
+    });
+    return ((req, res, next) => {
+        // Skipped paths bypass BOTH session resolution and limiting — cheap and
+        // safe for static/streaming/health traffic.
+        if (skip(req)) {
+            next();
+            return;
+        }
+        resolveSession(req, res, (err) => {
+            if (err) {
+                // Optional auth never rejects; a token error just means "anonymous".
+                // Swallow the error and continue to limit as anonymous.
+                next();
+                return;
+            }
+            limiter(req, res, next);
+        });
+    });
+}

package/dist/esm/shared/utils/debugUtils.js

@@ -51,7 +51,7 @@ export const debugError = (prefix, ...args) => {
 };
 /**
  * Create a namespaced debug logger
- * @param namespace - Logger namespace (e.g., 'FedCM', 'PopupAuth')
+ * @param namespace - Logger namespace (e.g., 'FedCM', 'SilentAuth')
  * @returns Object with log, warn, error methods
  *
  * @example

package/dist/esm/utils/accountUtils.js

@@ -138,10 +138,10 @@ export const mergeAccountsFromRefreshAll = (stored, fresh) => {
     }
     const merged = fresh.map((entry) => {
         const previous = storedByAuthuser.get(entry.authuser);
-        // `entry.user` is null on the SDK legacy-fallback path; preserve any
-        // previously cached identity for that slot rather than overwriting
-        // it with blanks, and let the AuthManager's getCurrentUser() hydration
-        // refresh it on the next snapshot.
+        // Preserve any previously cached identity for a slot that arrives
+        // without a user shape rather than overwriting it with blanks, and let
+        // AuthManager's getCurrentUser() hydration refresh it on the next
+        // snapshot.
         const wireUser = entry.user;
         const username = wireUser?.username ?? previous?.username ?? '';
         const displayName = getAccountDisplayName({

package/dist/esm/utils/authHelpers.js

@@ -22,25 +22,32 @@ export class AuthenticationFailedError extends Error {
 }
 /**
  * Ensures a valid token exists before making authenticated API calls.
- * If no valid token exists and an active session ID is available,
- * attempts to refresh the token using the session.
+ * If no valid token exists, callers may provide a session synchronizer that
+ * uses the platform-appropriate new flow (cookie restore, device claim, or
+ * native secure restore). This helper never exchanges a session id for a token.
  *
  * @throws {SessionSyncRequiredError} If the session needs to be synced (offline session)
  */
-export async function ensureValidToken(oxyServices, activeSessionId) {
-    if (oxyServices.hasValidToken() || !activeSessionId) {
+export async function ensureValidToken(oxyServices, _activeSessionId, syncSession) {
+    if (oxyServices.hasValidToken()) {
         return;
     }
-    try {
-        await oxyServices.getTokenBySession(activeSessionId);
-    }
-    catch (tokenError) {
-        const errorMessage = tokenError instanceof Error ? tokenError.message : String(tokenError);
-        if (errorMessage.includes('AUTH_REQUIRED_OFFLINE_SESSION') || errorMessage.includes('offline')) {
-            throw new SessionSyncRequiredError();
+    if (syncSession) {
+        try {
+            await syncSession();
+            if (oxyServices.hasValidToken()) {
+                return;
+            }
+        }
+        catch (syncError) {
+            const errorMessage = syncError instanceof Error ? syncError.message : String(syncError);
+            if (errorMessage.includes('AUTH_REQUIRED_OFFLINE_SESSION') || errorMessage.includes('offline')) {
+                throw new SessionSyncRequiredError();
+            }
+            throw syncError;
         }
-        throw tokenError;
     }
+    throw new SessionSyncRequiredError('No active access token is available. Sync the session before calling authenticated APIs.');
 }
 /**
  * Checks if an error is an authentication error (401 or auth-related message)
@@ -70,10 +77,9 @@ export async function withAuthErrorHandling(apiCall, options) {
         if (!isAuthenticationError(error)) {
             throw error;
         }
-        if (options?.syncSession && options?.activeSessionId && options?.oxyServices) {
+        if (options?.syncSession && options?.oxyServices) {
             try {
                 await options.syncSession();
-                await options.oxyServices.getTokenBySession(options.activeSessionId);
                 return await apiCall();
             }
             catch {
@@ -96,7 +102,7 @@ export async function withAuthErrorHandling(apiCall, options) {
  * ```
  */
 export async function authenticatedApiCall(oxyServices, activeSessionId, apiCall, syncSession) {
-    await ensureValidToken(oxyServices, activeSessionId);
+    await ensureValidToken(oxyServices, activeSessionId, syncSession);
     return withAuthErrorHandling(apiCall, {
         syncSession,
         activeSessionId,

package/dist/esm/utils/coldBoot.js

@@ -4,7 +4,7 @@
  *
  * On a fresh page load / app launch the SDK may have several ways to recover an
  * existing session (silent FedCM, a persisted refresh token, a cross-domain
- * claim, an explicit popup flow, …). They must be attempted in a *deterministic
+ * claim, a redirect SSO return, ...). They must be attempted in a deterministic
  * order*, and the FIRST one that yields a session wins — every later step is
  * skipped. This module encodes exactly that contract and nothing else.
  *
@@ -81,8 +81,8 @@ export async function runColdBoot(options) {
             }
             let result;
             try {
-                // Without a deadline: legacy behaviour — await the step directly.
-                // With a deadline: race the step against the shared deadline. The
+                // Without a deadline, await the step directly. With a deadline, race
+                // the step against the shared deadline. The
                 // step's `run()` still STARTS synchronously up to its first `await`
                 // (so a terminal step's synchronous navigation side effect always
                 // executes), but a non-settling step can no longer block the loop —

package/dist/esm/utils/fapiAutoDetect.js

@@ -8,7 +8,7 @@
  * Clerk-style multi-domain SSO depends on the IdP being reachable on a
  * subdomain of the RP's own apex (e.g. `auth.mention.earth` CNAMEd to the
  * central Oxy IdP). That way every FedCM endpoint, the session cookie,
- * and any popup/redirect target are same-site with the RP — the only way
+ * and any redirect target are same-site with the RP — the only way
  * to get first-party cookies in Safari ITP and Firefox Total Cookie
  * Protection.
  *