@oxyhq/core 3.4.1 → 3.4.2

package/dist/esm/mixins/OxyServices.popup.js

@@ -1,27 +1,12 @@
-import { OxyAuthenticationError } from '../OxyServices.errors.js';
-import { createDebugLogger } from '../shared/utils/debugUtils.js';
-const debug = createDebugLogger('PopupAuth');
+import { OxyAuthenticationError } from "../OxyServices.errors.js";
+import { createDebugLogger } from "../shared/utils/debugUtils.js";
+const debug = createDebugLogger("PopupAuth");
 /**
- * Popup-based Cross-Domain Authentication Mixin
+ * Cross-domain browser auth helpers.
  *
- * Implements OAuth2-style authentication using popup windows and postMessage.
- * This is the primary authentication method for modern browsers, providing a
- * Google-like experience without full page redirects.
- *
- * Flow:
- * 1. Opens small popup window to auth.oxy.so
- * 2. User signs in (auth.oxy.so sets its own first-party cookie)
- * 3. auth.oxy.so sends token back via postMessage
- * 4. Popup closes, parent app has the session
- *
- * Features:
- * - No full page redirect (preserves app state)
- * - Works across different domains (homiio.com, mention.earth, etc.)
- * - Silent refresh using hidden iframe for seamless SSO
- * - CSRF protection via state parameter
- * - XSS protection via origin validation
- *
- * Browser Support: All modern browsers (IE11+)
+ * Popup sign-in is intentionally fail-closed in the clean session model because
+ * the historical implementation required bearer-token callback URLs. FedCM,
+ * redirect SSO, and silent iframe SSO are the supported browser paths.
  */
 export function OxyServicesPopupAuthMixin(Base) {
     var _a;
@@ -31,125 +16,25 @@ export function OxyServicesPopupAuthMixin(Base) {
             }
             /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
             resolveAuthUrl() {
-                return this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL;
+                return (this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL);
             }
             /**
-             * Sign in using popup window
-             *
-             * Opens a centered popup window to auth.oxy.so where the user can sign in.
-             * The popup automatically closes after successful authentication and the
-             * session is returned to the parent window.
-             *
-             * @param options - Popup configuration options
-             * @returns Session with access token and user data
-             * @throws {OxyAuthenticationError} If popup is blocked or auth fails
-             *
-             * @example
-             * ```typescript
-             * const handleSignIn = async () => {
-             *   try {
-             *     const session = await oxyServices.signInWithPopup();
-             *     console.log('Signed in:', session.user);
-             *   } catch (error) {
-             *     if (error.message.includes('blocked')) {
-             *       alert('Please allow popups for this site');
-             *     }
-             *   }
-             * };
-             * ```
+             * Removed popup sign-in. Closes a caller-supplied popup handle and throws.
              */
             async signInWithPopup(options = {}) {
-                if (typeof window === 'undefined') {
-                    throw new OxyAuthenticationError('Popup authentication requires browser environment');
-                }
-                const state = this.generateState();
-                const nonce = this.generateNonce();
-                // Store state for CSRF protection
-                this.storeAuthState(state, nonce);
-                const width = options.width || this.constructor.POPUP_WIDTH;
-                const height = options.height || this.constructor.POPUP_HEIGHT;
-                const timeout = options.timeout || this.constructor.POPUP_TIMEOUT;
-                const mode = options.mode || 'login';
-                const authUrl = this.buildAuthUrl({
-                    mode,
-                    state,
-                    nonce,
-                    clientId: window.location.origin,
-                    redirectUri: `${this.resolveAuthUrl()}/auth/callback`,
-                });
-                // If the caller pre-opened a popup on the raw user gesture (recommended
-                // path — see `openBlankPopup` and `PopupAuthOptions.popup`), navigate it
-                // to the auth URL instead of issuing a fresh `window.open` (which would
-                // be blocked once any prior `await` has consumed the user activation).
-                let popup;
-                const preOpened = options.popup ?? null;
-                if (preOpened) {
-                    if (preOpened.closed) {
-                        // The pre-opened popup is gone — distinguish a user cancel (they
-                        // closed the blank window before sign-in could navigate it) from a
-                        // blocker rejection. Lumping these together as "Popup blocked" is
-                        // misleading: the popup was NOT blocked, it was opened successfully
-                        // and then dismissed.
-                        throw new OxyAuthenticationError('Sign-in window was closed before authentication could start.');
-                    }
-                    try {
-                        preOpened.location.replace(authUrl);
-                    }
-                    catch (replaceError) {
-                        // `location.replace` can throw in sandboxed / cross-origin-locked
-                        // environments. Fall back to `href` assignment, which is more
-                        // permissive. Logged at debug-level so consumers can correlate
-                        // unusual sign-in behaviour without producing noise in normal flows.
-                        debug.warn('location.replace failed, falling back to location.href', replaceError);
-                        preOpened.location.href = authUrl;
-                    }
-                    popup = preOpened;
-                }
-                else {
-                    popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
+                if (typeof window === "undefined") {
+                    throw new OxyAuthenticationError("Popup authentication requires browser environment");
                 }
-                if (!popup) {
-                    throw new OxyAuthenticationError('Popup blocked. Please allow popups for this site and try again.');
-                }
-                try {
-                    const session = await this.waitForPopupAuth(popup, state, timeout);
-                    // Store access token if present
-                    if (session && session.accessToken) {
-                        this.httpService.setTokens(session.accessToken);
-                    }
-                    // Fetch user data using the session ID
-                    // The callback page only sends sessionId/accessToken, not user data
-                    if (session && session.sessionId && !session.user) {
-                        try {
-                            const userData = await this.makeRequest('GET', `/session/user/${session.sessionId}`, undefined, { cache: false });
-                            if (userData) {
-                                session.user = userData;
-                            }
-                        }
-                        catch (userError) {
-                            debug.warn('Failed to fetch user data:', userError);
-                            // Continue without user data - caller can fetch separately
-                        }
-                    }
-                    return session;
-                }
-                catch (error) {
-                    throw error;
-                }
-                finally {
-                    this.clearAuthState(state);
+                if (options.popup && !options.popup.closed) {
+                    options.popup.close();
                 }
+                throw new OxyAuthenticationError("Popup authentication has been removed because it required access-token callback URLs. Use FedCM or redirect authentication.");
             }
             /**
-             * Sign up using popup window
-             *
-             * Same as signInWithPopup but opens the signup page by default.
-             *
-             * @param options - Popup configuration options
-             * @returns Session with access token and user data
+             * Removed popup signup. Closes a caller-supplied popup handle and throws.
              */
             async signUpWithPopup(options = {}) {
-                return this.signInWithPopup({ ...options, mode: 'signup' });
+                return this.signInWithPopup({ ...options, mode: "signup" });
             }
             /**
              * Silent sign-in using hidden iframe
@@ -159,7 +44,7 @@ export function OxyServicesPopupAuthMixin(Base) {
              *
              * How it works:
              * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
-             * 2. If user has valid session at auth.oxy.so, it sends token via postMessage
+             * 2. If user has valid session at auth.oxy.so, it exchanges an opaque SSO code
              * 3. If not, iframe responds with null (no error thrown)
              *
              * This should be called on app startup to check for existing sessions.
@@ -181,7 +66,7 @@ export function OxyServicesPopupAuthMixin(Base) {
              * ```
              */
             async silentSignIn(options = {}) {
-                if (typeof window === 'undefined') {
+                if (typeof window === "undefined") {
                     return null;
                 }
                 const timeout = options.timeout || this.constructor.SILENT_TIMEOUT;
@@ -195,13 +80,15 @@ export function OxyServicesPopupAuthMixin(Base) {
                 const authOrigin = options.authWebUrlOverride && options.authWebUrlOverride.length > 0
                     ? options.authWebUrlOverride
                     : this.resolveAuthUrl();
-                const iframe = document.createElement('iframe');
-                iframe.style.display = 'none';
-                iframe.style.position = 'absolute';
-                iframe.style.width = '0';
-                iframe.style.height = '0';
-                iframe.style.border = 'none';
-                const silentUrl = `${authOrigin}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
+                const iframe = document.createElement("iframe");
+                iframe.style.display = "none";
+                iframe.style.position = "absolute";
+                iframe.style.width = "0";
+                iframe.style.height = "0";
+                iframe.style.border = "none";
+                const silentUrl = `${authOrigin}/auth/silent?` +
+                    `client_id=${encodeURIComponent(clientId)}&` +
+                    `nonce=${nonce}`;
                 iframe.src = silentUrl;
                 document.body.appendChild(iframe);
                 try {
@@ -214,7 +101,9 @@ export function OxyServicesPopupAuthMixin(Base) {
                     // -> 401 -> token-clear loop in consumer apps because callers gated
                     // on `session?.user` and never installed the user via
                     // `handleAuthSuccess`, while HttpService quietly held the token.
-                    const accessToken = session ? session.accessToken : undefined;
+                    const accessToken = session
+                        ? session.accessToken
+                        : undefined;
                     if (!session || !accessToken || !session.sessionId) {
                         return null;
                     }
@@ -232,14 +121,14 @@ export function OxyServicesPopupAuthMixin(Base) {
                     // missing-session response.
                     if (!session.user) {
                         try {
-                            const userData = await this.makeRequest('GET', `/session/user/${session.sessionId}`, undefined, { cache: false, retry: false });
+                            const userData = await this.makeRequest("GET", `/session/user/${session.sessionId}`, undefined, { cache: false, retry: false });
                             if (!userData) {
-                                throw new Error('Empty user response');
+                                throw new Error("Empty user response");
                             }
                             session.user = userData;
                         }
                         catch (userError) {
-                            debug.warn('silentSignIn: failed to fetch user data, rolling back token', userError);
+                            debug.warn("silentSignIn: failed to fetch user data, rolling back token", userError);
                             if (previousAccessToken) {
                                 this.httpService.setTokens(previousAccessToken);
                             }
@@ -261,32 +150,17 @@ export function OxyServicesPopupAuthMixin(Base) {
             /**
              * Open a blank, centered popup window SYNCHRONOUSLY.
              *
-             * Use this in a click (or other user-gesture) handler BEFORE any `await`
-             * to capture the transient user-activation. Pass the returned handle into
-             * `signInWithPopup({ popup })` once the async portion of the flow runs.
-             *
-             * Returns `null` if the browser's popup blocker rejected the open.
-             *
-             * @example
-             * ```typescript
-             * const onSignInClick = () => {
-             *   const popup = oxyServices.openBlankPopup();
-             *   (async () => {
-             *     const silent = await oxyServices.silentSignInWithFedCM();
-             *     if (silent) { popup?.close(); return; }
-             *     await oxyServices.signInWithPopup({ popup });
-             *   })();
-             * };
-             * ```
+             * Kept only so legacy callers can pass a handle to the removed popup method,
+             * which closes it before throwing. New auth code should use FedCM or redirect.
              */
             openBlankPopup(width, height) {
-                if (typeof window === 'undefined') {
+                if (typeof window === "undefined") {
                     return null;
                 }
                 const ctor = this.constructor;
                 const w = width ?? ctor.POPUP_WIDTH;
                 const h = height ?? ctor.POPUP_HEIGHT;
-                return this.openCenteredPopup('about:blank', 'Oxy Sign In', w, h);
+                return this.openCenteredPopup("about:blank", "Oxy Sign In", w, h);
             }
             /**
              * Open a centered popup window
@@ -301,86 +175,15 @@ export function OxyServicesPopupAuthMixin(Base) {
                     `height=${height}`,
                     `left=${left}`,
                     `top=${top}`,
-                    'toolbar=no',
-                    'menubar=no',
-                    'scrollbars=yes',
-                    'resizable=yes',
-                    'status=no',
-                    'location=no',
-                ].join(',');
+                    "toolbar=no",
+                    "menubar=no",
+                    "scrollbars=yes",
+                    "resizable=yes",
+                    "status=no",
+                    "location=no",
+                ].join(",");
                 return window.open(url, title, features);
             }
-            /**
-             * Wait for authentication response from popup
-             *
-             * @private
-             */
-            async waitForPopupAuth(popup, expectedState, timeout) {
-                return new Promise((resolve, reject) => {
-                    const timeoutId = setTimeout(() => {
-                        cleanup();
-                        reject(new OxyAuthenticationError('Authentication timeout'));
-                    }, timeout);
-                    const messageHandler = (event) => {
-                        const authUrl = this.resolveAuthUrl();
-                        // Log all messages for debugging
-                        if (event.data && typeof event.data === 'object' && event.data.type) {
-                            debug.log('Message received:', {
-                                origin: event.origin,
-                                expectedOrigin: authUrl,
-                                type: event.data.type,
-                                hasSession: !!event.data.session,
-                                hasError: !!event.data.error,
-                            });
-                        }
-                        // CRITICAL: Verify origin to prevent XSS attacks
-                        if (event.origin !== authUrl) {
-                            return;
-                        }
-                        const { type, state, session, error } = event.data;
-                        if (type !== 'oxy_auth_response') {
-                            return;
-                        }
-                        debug.log('Valid auth response:', { state, expectedState, hasSession: !!session, error });
-                        // Verify state parameter to prevent CSRF attacks
-                        if (state !== expectedState) {
-                            cleanup();
-                            debug.error('State mismatch');
-                            reject(new OxyAuthenticationError('Invalid state parameter. Possible CSRF attack.'));
-                            return;
-                        }
-                        cleanup();
-                        if (error) {
-                            debug.error('Auth error:', error);
-                            reject(new OxyAuthenticationError(error));
-                        }
-                        else if (session) {
-                            debug.log('Session received successfully');
-                            resolve(session);
-                        }
-                        else {
-                            debug.error('No session in response');
-                            reject(new OxyAuthenticationError('No session received from authentication server'));
-                        }
-                    };
-                    // Poll to detect if user closed the popup
-                    const pollInterval = setInterval(() => {
-                        if (popup.closed) {
-                            cleanup();
-                            reject(new OxyAuthenticationError('Authentication cancelled by user'));
-                        }
-                    }, 500);
-                    const cleanup = () => {
-                        clearTimeout(timeoutId);
-                        clearInterval(pollInterval);
-                        window.removeEventListener('message', messageHandler);
-                        if (!popup.closed) {
-                            popup.close();
-                        }
-                    };
-                    window.addEventListener('message', messageHandler);
-                });
-            }
             /**
              * Wait for authentication response from iframe
              *
@@ -401,7 +204,7 @@ export function OxyServicesPopupAuthMixin(Base) {
                             return;
                         }
                         const { type, session } = event.data;
-                        if (type !== 'oxy_silent_auth') {
+                        if (type !== "oxy_silent_auth") {
                             return;
                         }
                         cleanup();
@@ -425,83 +228,31 @@ export function OxyServicesPopupAuthMixin(Base) {
                         clearTimeout(timeoutId);
                         iframe.onerror = null;
                         iframe.onabort = null;
-                        window.removeEventListener('message', messageHandler);
+                        window.removeEventListener("message", messageHandler);
                     };
-                    window.addEventListener('message', messageHandler);
+                    window.addEventListener("message", messageHandler);
                 });
             }
-            /**
-             * Build authentication URL with query parameters
-             *
-             * @private
-             */
-            buildAuthUrl(params) {
-                const url = new URL(`${this.resolveAuthUrl()}/${params.mode}`);
-                url.searchParams.set('response_type', 'token');
-                url.searchParams.set('client_id', params.clientId);
-                url.searchParams.set('redirect_uri', params.redirectUri);
-                url.searchParams.set('state', params.state);
-                url.searchParams.set('nonce', params.nonce);
-                return url.toString();
-            }
-            /**
-             * Generate cryptographically secure state for CSRF protection
-             *
-             * @private
-             */
-            generateState() {
-                if (typeof crypto !== 'undefined' && crypto.randomUUID) {
-                    return crypto.randomUUID();
-                }
-                if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-                    const bytes = new Uint8Array(16);
-                    crypto.getRandomValues(bytes);
-                    return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
-                }
-                throw new Error('No secure random source available for state generation');
-            }
             /**
              * Generate nonce for replay attack prevention
              *
              * @private
              */
             generateNonce() {
-                if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+                if (typeof crypto !== "undefined" && crypto.randomUUID) {
                     return crypto.randomUUID();
                 }
-                if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+                if (typeof crypto !== "undefined" && crypto.getRandomValues) {
                     const bytes = new Uint8Array(16);
                     crypto.getRandomValues(bytes);
-                    return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
-                }
-                throw new Error('No secure random source available for nonce generation');
-            }
-            /**
-             * Store auth state in session storage
-             *
-             * @private
-             */
-            storeAuthState(state, nonce) {
-                if (typeof window !== 'undefined' && window.sessionStorage) {
-                    sessionStorage.setItem(`oxy_auth_state_${state}`, JSON.stringify({ nonce, timestamp: Date.now() }));
-                }
-            }
-            /**
-             * Clear auth state from session storage
-             *
-             * @private
-             */
-            clearAuthState(state) {
-                if (typeof window !== 'undefined' && window.sessionStorage) {
-                    sessionStorage.removeItem(`oxy_auth_state_${state}`);
+                    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
                 }
+                throw new Error("No secure random source available for nonce generation");
             }
         },
-        _a.DEFAULT_AUTH_URL = 'https://auth.oxy.so',
+        _a.DEFAULT_AUTH_URL = "https://auth.oxy.so",
         _a.POPUP_WIDTH = 500,
         _a.POPUP_HEIGHT = 700,
-        _a.POPUP_TIMEOUT = 60000 // 1 minute
-    ,
         _a.SILENT_TIMEOUT = 5000 // 5 seconds
     ,
         _a;