@oxyhq/core 3.4.1 → 3.4.3

package/dist/esm/CrossDomainAuth.js

@@ -5,8 +5,7 @@
  * selects the best authentication method based on browser capabilities:
  *
  * 1. FedCM (if supported) - Modern, Google-style browser-native auth
- * 2. Popup (fallback) - OAuth2-style popup window
- * 3. Redirect (final fallback) - Traditional full-page redirect
+ * 2. Redirect (fallback) - Tokenless central SSO full-page redirect
  *
  * Usage:
  * ```typescript
@@ -17,8 +16,8 @@
  * // Automatic method selection
  * const session = await auth.signIn();
  *
- * // Or use specific method
- * const session = await auth.signInWithPopup();
+ * // Or use a specific method
+ * auth.signInWithRedirect();
  * ```
  */
 import { logger } from './utils/loggerUtils.js';
@@ -31,53 +30,23 @@ export class CrossDomainAuth {
      *
      * Tries methods in this order:
      * 1. FedCM (if supported and not in private browsing)
-     * 2. Popup (if not blocked)
-     * 3. Redirect (always works)
+     * 2. Redirect (always works)
      *
      * @param options - Authentication options
      * @returns Session with user data and access token
      */
     async signIn(options = {}) {
         const method = options.method || 'auto';
-        // If specific method requested, use it directly. The caller MAY have
-        // pre-opened a popup on the raw click (the standard pattern in
-        // WebOxyProvider / services useAuth). For the FedCM and redirect paths
-        // that popup is unused — close it so it doesn't linger as an orphaned
-        // blank window. Close in both success and failure paths.
         if (method === 'fedcm') {
-            try {
-                const session = await this.signInWithFedCM(options);
-                this.closeOrphanPopup(options.popup);
-                return session;
-            }
-            catch (error) {
-                this.closeOrphanPopup(options.popup);
-                throw error;
-            }
-        }
-        if (method === 'popup') {
-            return this.signInWithPopup(options);
+            return this.signInWithFedCM(options);
         }
         if (method === 'redirect') {
-            this.closeOrphanPopup(options.popup);
             this.signInWithRedirect(options);
             return null; // Redirect doesn't return immediately
         }
-        // Auto mode: Try methods in order of preference
+        // Auto mode: try methods in order of preference.
         return this.autoSignIn(options);
     }
-    /**
-     * Close a caller-supplied popup window that is no longer needed (e.g. the
-     * resolved auth method didn't end up using it). Safe against null / already
-     * closed handles.
-     *
-     * @private
-     */
-    closeOrphanPopup(popup) {
-        if (popup && !popup.closed) {
-            popup.close();
-        }
-    }
     /**
      * Automatic sign-in with progressive enhancement
      *
@@ -88,27 +57,13 @@ export class CrossDomainAuth {
         if (this.isFedCMSupported()) {
             try {
                 options.onMethodSelected?.('fedcm');
-                const session = await this.signInWithFedCM(options);
-                // FedCM succeeded — close the pre-opened popup so it doesn't linger
-                // as an orphaned blank window.
-                this.closeOrphanPopup(options.popup);
-                return session;
+                return await this.signInWithFedCM(options);
             }
             catch (error) {
-                logger.warn('FedCM failed, trying popup', { component: 'CrossDomainAuth', method: 'autoSignIn' }, error);
+                logger.warn('FedCM failed, falling back to redirect', { component: 'CrossDomainAuth', method: 'autoSignIn' }, error);
             }
         }
-        // 2. Try popup (good UX, widely supported)
-        try {
-            options.onMethodSelected?.('popup');
-            return await this.signInWithPopup(options);
-        }
-        catch (error) {
-            logger.warn('Popup failed, falling back to redirect', { component: 'CrossDomainAuth', method: 'autoSignIn' }, error);
-            // Popup path failed — close the pre-opened popup before redirecting.
-            this.closeOrphanPopup(options.popup);
-        }
-        // 3. Fallback to redirect (always works)
+        // 2. Fallback to redirect (always works)
         options.onMethodSelected?.('redirect');
         this.signInWithRedirect(options);
         return null;
@@ -116,26 +71,13 @@ export class CrossDomainAuth {
     /**
      * Sign in using FedCM (Federated Credential Management)
      *
-     * Best method - browser-native, no popups, Google-like experience
+     * Best method - browser-native, Google-like experience
      */
     async signInWithFedCM(options = {}) {
         return this.oxyServices.signInWithFedCM({
             context: options.isSignup ? 'signup' : 'signin',
         });
     }
-    /**
-     * Sign in using popup window
-     *
-     * Good method - preserves app state, no full page reload
-     */
-    async signInWithPopup(options = {}) {
-        return this.oxyServices.signInWithPopup({
-            mode: options.isSignup ? 'signup' : 'login',
-            width: options.popupDimensions?.width,
-            height: options.popupDimensions?.height,
-            popup: options.popup ?? undefined,
-        });
-    }
     /**
      * Sign in using full-page redirect
      *
@@ -159,7 +101,7 @@ export class CrossDomainAuth {
      * Silent sign-in (check for existing session)
      *
      * Tries to automatically sign in without user interaction.
-     * Works with both FedCM and popup/iframe methods.
+     * Works with FedCM and iframe-based silent auth.
      *
      * @returns Session if user is already signed in, null otherwise
      */
@@ -186,22 +128,13 @@ export class CrossDomainAuth {
         }
     }
     /**
-     * Restore session from storage
+     * Restore session from storage.
      *
-     * For redirect method - restores previously authenticated session from localStorage
+     * Access tokens are no longer persisted in browser storage; providers restore
+     * through refresh cookies / SSO code exchange instead.
      */
     restoreSession() {
-        return this.oxyServices.restoreSession?.() || false;
-    }
-    /**
-     * Open a blank popup SYNCHRONOUSLY (call from a raw user-gesture handler
-     * BEFORE any `await`). Returns `null` if the popup was blocked. Pass the
-     * handle into `signIn({ popup })` / `signInWithPopup({ popup })` so the
-     * popup is not blocked by Chrome after any prior `await` consumed the
-     * transient user activation. Delegates to `OxyServices.openBlankPopup`.
-     */
-    openBlankPopup(width, height) {
-        return this.oxyServices.openBlankPopup(width, height);
+        return false;
     }
     /**
      * Check if FedCM is supported in current browser
@@ -225,8 +158,8 @@ export class CrossDomainAuth {
         }
         if (typeof window !== 'undefined') {
             return {
-                method: 'popup',
-                reason: 'Browser environment - popup preserves app state',
+                method: 'redirect',
+                reason: 'Browser environment - redirect SSO works without token callback URLs',
             };
         }
         return {
@@ -239,8 +172,7 @@ export class CrossDomainAuth {
      *
      * This handles:
      * 1. Redirect callback (if returning from auth.oxy.so)
-     * 2. Session restoration (from localStorage)
-     * 3. Silent sign-in (check for existing SSO session)
+     * 2. Silent sign-in (check for existing SSO session)
      *
      * @returns Session if user is authenticated, null otherwise
      */
@@ -250,26 +182,7 @@ export class CrossDomainAuth {
         if (callbackSession) {
             return callbackSession;
         }
-        // 2. Try to restore existing session from storage
-        const restored = this.restoreSession();
-        if (restored) {
-            // Verify session is still valid by fetching user
-            try {
-                const user = await this.oxyServices.getCurrentUser();
-                if (user) {
-                    return {
-                        sessionId: this.oxyServices.getStoredSessionId?.() || '',
-                        deviceId: '',
-                        expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-                        user,
-                    };
-                }
-            }
-            catch (error) {
-                logger.debug('stored session invalid', { component: 'CrossDomainAuth', method: 'initialize' }, error);
-            }
-        }
-        // 3. Try silent sign-in (check for SSO session at auth.oxy.so)
+        // 2. Try silent sign-in (check for SSO session at auth.oxy.so)
         return await this.silentSignIn();
     }
 }

package/dist/esm/HttpService.js

@@ -57,23 +57,17 @@ function fnv1a32(str) {
 class TokenStore {
     constructor() {
         this.accessToken = null;
-        this.refreshToken = null;
         this.csrfToken = null;
         this.csrfTokenFetchPromise = null;
     }
-    setTokens(accessToken, refreshToken = '') {
+    setTokens(accessToken) {
         this.accessToken = accessToken;
-        this.refreshToken = refreshToken;
     }
     getAccessToken() {
         return this.accessToken;
     }
-    getRefreshToken() {
-        return this.refreshToken;
-    }
     clearTokens() {
         this.accessToken = null;
-        this.refreshToken = null;
     }
     hasAccessToken() {
         return !!this.accessToken;
@@ -105,13 +99,12 @@ export class HttpService {
     constructor(config) {
         this.tokenRefreshPromise = null;
         this.tokenRefreshCooldownUntil = 0;
-        this._onTokenRefreshed = null;
+        this.authRefreshHandler = null;
         /**
          * Fan-out listeners notified on EVERY access-token change on this instance:
-         * explicit `setTokens`, `clearTokens`, a successful silent refresh, and the
-         * internal 401-driven clear. Unlike the single-slot `_onTokenRefreshed`
-         * (owned by AuthManager for the refresh path only), this is a Set so multiple
-         * independent observers can mirror token state without clobbering each other.
+         * explicit `setTokens`, `clearTokens`, an AuthManager-owned refresh, and the
+         * internal 401-driven clear. This is a Set so multiple independent observers
+         * can mirror token state without clobbering each other.
          *
          * Each listener receives the resulting access token, or `null` when cleared.
          */
@@ -298,23 +291,13 @@ export class HttpService {
                     clearTimeout(timeoutId);
                 // Handle response
                 if (!response.ok) {
-                    // On 401, attempt token refresh and retry once before giving up
+                    // On 401, delegate refresh to AuthManager and retry once before
+                    // giving up. HttpService deliberately does not know any session
+                    // routes; the AuthManager is the single session authority.
                     if (response.status === 401 && !config._isAuthRetry) {
-                        const currentToken = this.tokenStore.getAccessToken();
-                        if (currentToken) {
-                            try {
-                                const decoded = jwtDecode(currentToken);
-                                if (decoded.sessionId) {
-                                    const refreshResult = await this._refreshTokenFromSession(decoded.sessionId);
-                                    if (refreshResult) {
-                                        // Retry the request with the new token
-                                        return this.request({ ...config, _isAuthRetry: true, retry: false });
-                                    }
-                                }
-                            }
-                            catch {
-                                // Token decode failed, fall through to clear
-                            }
+                        const refreshed = await this.refreshAccessToken('response-401');
+                        if (refreshed) {
+                            return this.request({ ...config, _isAuthRetry: true, retry: false });
                         }
                         // Refresh failed or no token — clear tokens and stale CSRF
                         this.tokenStore.clearTokens();
@@ -341,7 +324,7 @@ export class HttpService {
                     if (contentType && contentType.includes('application/json')) {
                         try {
                             const errorData = await response.json();
-                            // Check both 'message' and 'error' fields for backwards compatibility
+                            // Accept either structured error field from API responses.
                             if (errorData?.message) {
                                 errorMessage = errorData.message;
                             }
@@ -708,26 +691,10 @@ export class HttpService {
             const decoded = jwtDecode(accessToken);
             const currentTime = Math.floor(Date.now() / 1000);
             // If token expires in less than 60 seconds, refresh it
-            if (decoded.exp && decoded.exp - currentTime < 60 && decoded.sessionId) {
-                // Skip if we recently failed a refresh (15s cooldown to prevent storms)
-                if (Date.now() < this.tokenRefreshCooldownUntil) {
-                    return `Bearer ${accessToken}`;
-                }
-                // Deduplicate concurrent refresh attempts. The promise is shared
-                // across all concurrent callers and cleared only after it settles,
-                // so every awaiter receives the same result.
-                if (!this.tokenRefreshPromise) {
-                    this.tokenRefreshPromise = this._refreshTokenFromSession(decoded.sessionId)
-                        .then((result) => {
-                        if (!result)
-                            this.tokenRefreshCooldownUntil = Date.now() + 15000;
-                        return result;
-                    })
-                        .finally(() => { this.tokenRefreshPromise = null; });
-                }
-                const result = await this.tokenRefreshPromise;
-                if (result)
-                    return result;
+            if (decoded.exp && decoded.exp - currentTime < 60) {
+                const refreshed = await this.refreshAccessToken('preflight');
+                if (refreshed)
+                    return `Bearer ${refreshed}`;
                 // Refresh failed — don't use the expired token (would cause 401 loop)
                 return null;
             }
@@ -738,28 +705,37 @@ export class HttpService {
             return null;
         }
     }
-    async _refreshTokenFromSession(sessionId) {
-        try {
-            const refreshUrl = `${this.baseURL}/session/token/${sessionId}`;
-            const response = await fetch(refreshUrl, {
-                method: 'GET',
-                headers: { 'Accept': 'application/json' },
-                signal: AbortSignal.timeout(5000),
-                credentials: 'include',
-            });
-            if (response.ok) {
-                const { accessToken: newToken } = await response.json();
-                this.tokenStore.setTokens(newToken);
-                this._onTokenRefreshed?.(newToken);
-                this.notifyTokenChange();
-                this.logger.debug('Token refreshed');
-                return `Bearer ${newToken}`;
-            }
+    async refreshAccessToken(reason) {
+        if (!this.authRefreshHandler) {
+            return null;
+        }
+        if (Date.now() < this.tokenRefreshCooldownUntil) {
+            return null;
         }
-        catch (refreshError) {
-            this.logger.warn('Token refresh failed, using current token');
+        if (!this.tokenRefreshPromise) {
+            this.tokenRefreshPromise = this.authRefreshHandler(reason)
+                .then((newToken) => {
+                if (!newToken) {
+                    this.tokenRefreshCooldownUntil = Date.now() + 15000;
+                    return null;
+                }
+                if (this.tokenStore.getAccessToken() !== newToken) {
+                    this.tokenStore.setTokens(newToken);
+                    this.notifyTokenChange();
+                }
+                this.logger.debug('Token refreshed via AuthManager');
+                return newToken;
+            })
+                .catch((error) => {
+                this.logger.warn('Token refresh failed:', error);
+                this.tokenRefreshCooldownUntil = Date.now() + 15000;
+                return null;
+            })
+                .finally(() => {
+                this.tokenRefreshPromise = null;
+            });
         }
-        return null;
+        return this.tokenRefreshPromise;
     }
     /**
      * Unwrap standardized API response format
@@ -815,12 +791,12 @@ export class HttpService {
         return this._actingAsUserId;
     }
     // Token management
-    setTokens(accessToken, refreshToken = '') {
-        this.tokenStore.setTokens(accessToken, refreshToken);
+    setTokens(accessToken) {
+        this.tokenStore.setTokens(accessToken);
         this.notifyTokenChange();
     }
-    set onTokenRefreshed(callback) {
-        this._onTokenRefreshed = callback;
+    setAuthRefreshHandler(handler) {
+        this.authRefreshHandler = handler;
     }
     clearTokens() {
         this.tokenStore.clearTokens();

package/dist/esm/OxyServices.base.js

@@ -127,8 +127,8 @@ export class OxyServicesBase {
     /**
      * Set authentication tokens
      */
-    setTokens(accessToken, refreshToken = '') {
-        this.httpService.setTokens(accessToken, refreshToken);
+    setTokens(accessToken) {
+        this.httpService.setTokens(accessToken);
     }
     /**
      * Clear stored authentication tokens

package/dist/esm/i18n/index.js

@@ -41,8 +41,14 @@ export function translate(locale, key, vars) {
     const lang = locale && DICTS[locale] ? locale : FALLBACK;
     const dict = DICTS[lang] || DICTS[FALLBACK];
     let val = getNested(dict, key);
+    // Per-key fallback to the English dictionary when a key is missing from the
+    // resolved (non-English) locale. Without this, a key present in en-US but not
+    // yet translated in e.g. es-ES would render the raw dotted key to users.
+    if (typeof val !== 'string' && lang !== FALLBACK) {
+        val = getNested(DICTS[FALLBACK], key);
+    }
     if (typeof val !== 'string')
-        return key; // fallback to key if missing
+        return key; // last resort: echo the key when truly absent everywhere
     if (vars) {
         Object.keys(vars).forEach(k => {
             const token = `{{${k}}}`;

package/dist/esm/i18n/locales/ar-SA.json

@@ -103,7 +103,9 @@
             "createAccount": "إنشاء حساب",
             "signIn": "تسجيل الدخول",
             "verify": "التحقق",
-            "resetPassword": "إعادة تعيين كلمة المرور"
+            "resetPassword": "إعادة تعيين كلمة المرور",
+            "signedOut": "تم تسجيل الخروج",
+            "close": "إغلاق"
         },
         "links": {
             "recoverAccount": "استعادة حسابك",
@@ -115,7 +117,10 @@
             "password": "كلمة المرور",
             "confirmPassword": "تأكيد كلمة المرور"
         },
-        "revoke": "Revoke"
+        "revoke": "Revoke",
+        "errors": {
+            "signOutAllFailed": "حدثت مشكلة أثناء تسجيل الخروج من جميع الحسابات. يرجى المحاولة مرة أخرى."
+        }
     },
     "notifications": {
         "title": "Notifications",
@@ -198,5 +203,16 @@
             "revoked": "Revoked access for {{name}}",
             "revokeFailed": "Failed to revoke access"
         }
+    },
+    "accountMenu": {
+        "label": "قائمة الحساب",
+        "manage": "إدارة حساب Oxy الخاص بك",
+        "addAnother": "إضافة حساب آخر",
+        "signOutAll": "تسجيل الخروج من جميع الحسابات",
+        "open": "قائمة الحساب",
+        "openHint": "يفتح قائمة الحساب",
+        "openWithUser": "قائمة حساب {{name}}",
+        "switching": "جارٍ تبديل الحساب…",
+        "signOutAccount": "تسجيل خروج {{name}}"
     }
 }

package/dist/esm/i18n/locales/ca-ES.json

@@ -103,7 +103,9 @@
             "createAccount": "Crear compte",
             "signIn": "Iniciar sessió",
             "verify": "Verificar",
-            "resetPassword": "Restablir contrasenya"
+            "resetPassword": "Restablir contrasenya",
+            "signedOut": "Sessió tancada",
+            "close": "Tanca"
         },
         "links": {
             "recoverAccount": "Recuperar el teu compte",
@@ -115,7 +117,10 @@
             "password": "Contrasenya",
             "confirmPassword": "Confirmar contrasenya"
         },
-        "revoke": "Revoke"
+        "revoke": "Revoke",
+        "errors": {
+            "signOutAllFailed": "Hi ha hagut un problema en tancar la sessió de tots els comptes. Torna-ho a provar."
+        }
     },
     "notifications": {
         "title": "Notifications",
@@ -198,5 +203,16 @@
             "revoked": "Revoked access for {{name}}",
             "revokeFailed": "Failed to revoke access"
         }
+    },
+    "accountMenu": {
+        "label": "Menú del compte",
+        "manage": "Gestiona el teu compte d'Oxy",
+        "addAnother": "Afegeix un altre compte",
+        "signOutAll": "Tanca la sessió de tots els comptes",
+        "open": "Menú del compte",
+        "openHint": "Obre el menú del compte",
+        "openWithUser": "Menú del compte de {{name}}",
+        "switching": "Canviant de compte…",
+        "signOutAccount": "Tanca la sessió de {{name}}"
     }
 }

package/dist/esm/i18n/locales/de-DE.json

@@ -103,7 +103,9 @@
             "createAccount": "Konto erstellen",
             "signIn": "Anmelden",
             "verify": "Überprüfen",
-            "resetPassword": "Passwort zurücksetzen"
+            "resetPassword": "Passwort zurücksetzen",
+            "signedOut": "Abgemeldet",
+            "close": "Schließen"
         },
         "links": {
             "recoverAccount": "Ihr Konto wiederherstellen",
@@ -115,7 +117,10 @@
             "password": "Passwort",
             "confirmPassword": "Passwort bestätigen"
         },
-        "revoke": "Revoke"
+        "revoke": "Revoke",
+        "errors": {
+            "signOutAllFailed": "Beim Abmelden von allen Konten ist ein Problem aufgetreten. Bitte versuchen Sie es erneut."
+        }
     },
     "notifications": {
         "title": "Notifications",
@@ -198,5 +203,16 @@
             "revoked": "Revoked access for {{name}}",
             "revokeFailed": "Failed to revoke access"
         }
+    },
+    "accountMenu": {
+        "label": "Kontomenü",
+        "manage": "Ihr Oxy-Konto verwalten",
+        "addAnother": "Weiteres Konto hinzufügen",
+        "signOutAll": "Von allen Konten abmelden",
+        "open": "Kontomenü",
+        "openHint": "Öffnet das Kontomenü",
+        "openWithUser": "Kontomenü für {{name}}",
+        "switching": "Konto wird gewechselt…",
+        "signOutAccount": "{{name}} abmelden"
     }
 }

package/dist/esm/i18n/locales/en-US.json

@@ -1038,7 +1038,8 @@
     },
     "common": {
         "errors": {
-            "signOutFailed": "There was a problem signing you out. Please try again."
+            "signOutFailed": "There was a problem signing you out. Please try again.",
+            "signOutAllFailed": "There was a problem signing out of all accounts. Please try again."
         },
         "confirms": {
             "signOut": "Are you sure you want to sign out?",
@@ -1057,7 +1058,9 @@
             "signIn": "Sign In",
             "signOut": "Sign Out",
             "verify": "Verify",
-            "resetPassword": "Reset Password"
+            "resetPassword": "Reset Password",
+            "signedOut": "Signed out",
+            "close": "Close"
         },
         "cancel": "Cancel",
         "revoke": "Revoke",
@@ -1495,5 +1498,16 @@
             "revoked": "Revoked access for {{name}}",
             "revokeFailed": "Failed to revoke access"
         }
+    },
+    "accountMenu": {
+        "label": "Account menu",
+        "manage": "Manage your Oxy Account",
+        "addAnother": "Add another account",
+        "signOutAll": "Sign out of all accounts",
+        "open": "Account menu",
+        "openHint": "Opens the account menu",
+        "openWithUser": "Account menu for {{name}}",
+        "switching": "Switching account…",
+        "signOutAccount": "Sign out {{name}}"
     }
 }

package/dist/esm/i18n/locales/es-ES.json

@@ -281,7 +281,9 @@
             "signIn": "Entrar",
             "signOut": "Cerrar sesión",
             "verify": "Verificar",
-            "resetPassword": "Restablecer contraseña"
+            "resetPassword": "Restablecer contraseña",
+            "signedOut": "Sesión cerrada",
+            "close": "Cerrar"
         },
         "cancel": "Cancelar",
         "revoke": "Revocar",
@@ -302,7 +304,8 @@
             "confirmPassword": "Confirmar contraseña"
         },
         "errors": {
-            "signOutFailed": "Hubo un problema al cerrar sesión. Inténtalo de nuevo."
+            "signOutFailed": "Hubo un problema al cerrar sesión. Inténtalo de nuevo.",
+            "signOutAllFailed": "Hubo un problema al cerrar sesión en todas las cuentas. Inténtalo de nuevo."
         },
         "confirms": {
             "signOut": "¿Seguro que quieres cerrar sesión?",
@@ -1495,5 +1498,16 @@
             "revoked": "Acceso revocado para {{name}}",
             "revokeFailed": "No se ha podido revocar el acceso"
         }
+    },
+    "accountMenu": {
+        "label": "Menú de cuenta",
+        "manage": "Gestiona tu cuenta de Oxy",
+        "addAnother": "Añadir otra cuenta",
+        "signOutAll": "Cerrar sesión en todas las cuentas",
+        "open": "Menú de cuenta",
+        "openHint": "Abre el menú de cuenta",
+        "openWithUser": "Menú de cuenta de {{name}}",
+        "switching": "Cambiando de cuenta…",
+        "signOutAccount": "Cerrar sesión de {{name}}"
     }
 }