@oxyhq/core 3.4.1 → 3.4.3

package/dist/cjs/mixins/OxyServices.sso.js

@@ -33,8 +33,7 @@ const debug = (0, debugUtils_1.createDebugLogger)('SSO');
  *
  * Exposed as a module-level helper (in addition to the instance method below)
  * so consumers that do not yet hold an `OxyServices` instance can still mint a
- * bounce state. Reuses the same `crypto.randomUUID`-based generator the popup
- * mixin uses for its CSRF state, with a `getRandomValues` fallback.
+ * bounce state. Uses `crypto.randomUUID` with a `getRandomValues` fallback.
  */
 function generateSsoState() {
     if (typeof crypto !== 'undefined' && crypto.randomUUID) {
@@ -55,8 +54,8 @@ function OxyServicesSsoMixin(Base) {
         /**
          * Generate cryptographically secure state for the SSO bounce (CSRF
          * protection). Delegates to the module-level {@link generateSsoState}
-         * helper, which uses the same `crypto.randomUUID`-based generator the popup
-         * mixin's `generateState()` uses — one shared secure-random implementation.
+         * helper, which uses `crypto.randomUUID` when available and falls back to
+         * `crypto.getRandomValues`.
          */
         generateSsoState() {
             return generateSsoState();
@@ -127,7 +126,7 @@ function OxyServicesSsoMixin(Base) {
             // Plant the access token exactly like exchangeIdTokenForSession does.
             // The SSO exchange does not return a refresh token (the central store
             // holds the refresh credential), so default it to an empty string.
-            this.httpService.setTokens(payload.accessToken, '');
+            this.httpService.setTokens(payload.accessToken);
             debug.log('SSO exchange complete:', { hasSession: !!payload.sessionId });
             const session = {
                 sessionId: payload.sessionId,

package/dist/cjs/mixins/OxyServices.utility.js

@@ -262,20 +262,12 @@ function OxyServicesUtilityMixin(Base) {
                     return true;
                 };
                 try {
-                    // Extract token from Authorization header or query params.
+                    // Extract token from Authorization header.
                     // Node/Express normalizes `Authorization` to a string; we guard
                     // against the (legal but unusual) string[] case anyway.
                     const rawAuthHeader = req.headers.authorization;
                     const authHeader = Array.isArray(rawAuthHeader) ? rawAuthHeader[0] : rawAuthHeader;
-                    let token = authHeader?.startsWith('Bearer ') ? authHeader.substring(7) : null;
-                    // Fallback to query params (useful for WebSocket upgrades)
-                    if (!token) {
-                        const q = req.query || {};
-                        if (typeof q.token === 'string' && q.token)
-                            token = q.token;
-                        else if (typeof q.access_token === 'string' && q.access_token)
-                            token = q.access_token;
-                    }
+                    const token = authHeader?.startsWith('Bearer ') ? authHeader.substring(7) : null;
                     if (debug) {
                         loggerUtils_1.logger.debug(`[oxy.auth] ${req.method} ${req.path} | token: ${!!token}`, {
                             component: 'auth',
@@ -423,13 +415,14 @@ function OxyServicesUtilityMixin(Base) {
                         }
                         // Validate required service token fields
                         const appId = decoded.appId;
-                        if (!appId) {
+                        const credentialId = decoded.credentialId;
+                        if (!appId || typeof credentialId !== 'string' || credentialId.length === 0) {
                             if (optional) {
                                 req.userId = null;
                                 req.user = null;
                                 return next();
                             }
-                            const error = { error: 'INVALID_SERVICE_TOKEN', message: 'Invalid service token: missing appId', code: 'INVALID_SERVICE_TOKEN', status: 401 };
+                            const error = { error: 'INVALID_SERVICE_TOKEN', message: 'Invalid service token: missing required claims', code: 'INVALID_SERVICE_TOKEN', status: 401 };
                             if (onError)
                                 return onError(error);
                             return res.status(401).json(error);
@@ -474,10 +467,8 @@ function OxyServicesUtilityMixin(Base) {
                         req.serviceApp = {
                             appId,
                             appName: decoded.appName || 'unknown',
+                            credentialId,
                             scopes: Array.isArray(decoded.scopes) ? decoded.scopes : [],
-                            ...(typeof decoded.credentialId === 'string' && decoded.credentialId.length > 0
-                                ? { credentialId: decoded.credentialId }
-                                : {}),
                         };
                         if (debug) {
                             loggerUtils_1.logger.debug(`[oxy.auth] Service token OK app=${decoded.appName} delegateUser=${oxyUserId || '(none)'}`, {

package/dist/cjs/mixins/index.js

@@ -11,7 +11,7 @@ exports.composeOxyServices = composeOxyServices;
 const OxyServices_base_1 = require("../OxyServices.base");
 const OxyServices_auth_1 = require("./OxyServices.auth");
 const OxyServices_fedcm_1 = require("./OxyServices.fedcm");
-const OxyServices_popup_1 = require("./OxyServices.popup");
+const OxyServices_silent_1 = require("./OxyServices.silent");
 const OxyServices_redirect_1 = require("./OxyServices.redirect");
 const OxyServices_sso_1 = require("./OxyServices.sso");
 const OxyServices_user_1 = require("./OxyServices.user");
@@ -37,7 +37,7 @@ const OxyServices_appData_1 = require("./OxyServices.appData");
  *
  * Order matters for dependencies:
  * 1. Base auth mixin first (required by all others)
- * 2. Cross-domain auth mixins (FedCM, Popup, Redirect)
+ * 2. Cross-domain auth mixins (FedCM, silent iframe, Redirect)
  * 3. User mixin (requires auth)
  * 4. Feature mixins (can depend on user)
  * 5. Utility mixin last (augments all)
@@ -49,13 +49,12 @@ const MIXIN_PIPELINE = [
     OxyServices_auth_1.OxyServicesAuthMixin,
     // Cross-domain authentication (web-only)
     // - FedCM: Modern browser-native identity federation (Google-style)
-    // - Popup: OAuth2-style popup authentication
+    // - Silent: iframe-based restore for first-party IdP hosts
     // - Redirect: Traditional redirect-based authentication
     OxyServices_fedcm_1.OxyServicesFedCMMixin,
-    OxyServices_popup_1.OxyServicesPopupAuthMixin,
+    OxyServices_silent_1.OxyServicesSilentAuthMixin,
     OxyServices_redirect_1.OxyServicesRedirectAuthMixin,
-    // Central cross-domain SSO (opaque-code exchange). After Popup so it can
-    // reuse the popup mixin's secure-random `generateState()`.
+    // Central cross-domain SSO (opaque-code exchange).
     OxyServices_sso_1.OxyServicesSsoMixin,
     // User management (requires auth)
     OxyServices_user_1.OxyServicesUserMixin,

package/dist/cjs/server/index.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * @oxyhq/core/server — Server-only utilities for Oxy backends
+ *
+ * This subpath export provides Express middleware and Node.js-specific
+ * utilities that are not available in React Native or browser environments.
+ *
+ * @example
+ * ```ts
+ * import { createOxyRateLimit } from '@oxyhq/core/server';
+ * import { oxyClient } from '@oxyhq/core';
+ *
+ * const oxy = oxyClient({ apiUrl: 'https://api.oxy.so' });
+ *
+ * app.use(createOxyRateLimit(oxy, { store: redisStore }));
+ * ```
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOxyRateLimit = void 0;
+var rateLimit_1 = require("./rateLimit");
+Object.defineProperty(exports, "createOxyRateLimit", { enumerable: true, get: function () { return rateLimit_1.createOxyRateLimit; } });

package/dist/cjs/server/rateLimit.js

@@ -0,0 +1,77 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOxyRateLimit = createOxyRateLimit;
+const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
+/**
+ * Built-in exemptions. A media app's cover-art/avatar fan-out and HLS
+ * sub-requests must not consume the coarse global budget; health probes from
+ * the load balancer must never be limited; CORS preflight is not a real call.
+ */
+function isBuiltInExempt(req) {
+    const path = req.path;
+    return (req.method === 'OPTIONS' ||
+        path.startsWith('/files/upload') ||
+        path.includes('/images/') ||
+        path.includes('/media/') ||
+        path.startsWith('/api/stream/') ||
+        path.includes('/stream/') ||
+        path === '/health' ||
+        path.endsWith('/health'));
+}
+/** IPv6-safe IP key generator (replaces colons to avoid Redis namespace issues). */
+function ipKeyGenerator(ip) {
+    return ip.replace(/:/g, '_');
+}
+/** Resolve the rate-limit key: per authenticated user, else per (IPv6-safe) IP. */
+function resolveKey(req) {
+    const userId = req.userId ?? req.user?.id ?? req.user?._id;
+    if (userId) {
+        return `user:${userId}`;
+    }
+    const ip = req.ip || req.socket.remoteAddress || 'unknown';
+    return ipKeyGenerator(ip);
+}
+/**
+ * Build the composed Oxy rate-limit middleware. See module docs for rationale.
+ */
+function createOxyRateLimit(oxy, options = {}) {
+    const { authenticatedMax = 5000, anonymousMax = 600, windowMs = 15 * 60 * 1000, store, exempt, message = 'Too many requests, please try again later.', auth, } = options;
+    // Idempotent optional-auth resolver. Reuses the SAME session resolution as
+    // every protected route, so the limiter keys by the real user identity.
+    const resolveSession = oxy.auth({ ...auth, optional: true });
+    const skip = (req) => isBuiltInExempt(req) || (exempt ? exempt(req) : false);
+    const limiter = (0, express_rate_limit_1.default)({
+        windowMs,
+        ...(store ? { store } : {}),
+        max: (req) => {
+            const authed = req;
+            const userId = authed.userId ?? authed.user?.id ?? authed.user?._id;
+            return userId ? authenticatedMax : anonymousMax;
+        },
+        keyGenerator: (req) => resolveKey(req),
+        message,
+        standardHeaders: true,
+        legacyHeaders: false,
+        skip,
+    });
+    return (req, res, next) => {
+        // Skipped paths bypass BOTH session resolution and limiting — cheap and
+        // safe for static/streaming/health traffic.
+        if (skip(req)) {
+            next();
+            return;
+        }
+        resolveSession(req, res, (err) => {
+            if (err) {
+                // Optional auth never rejects; a token error just means "anonymous".
+                // Swallow the error and continue to limit as anonymous.
+                next();
+                return;
+            }
+            limiter(req, res, next);
+        });
+    };
+}

package/dist/cjs/shared/utils/debugUtils.js

@@ -58,7 +58,7 @@ const debugError = (prefix, ...args) => {
 exports.debugError = debugError;
 /**
  * Create a namespaced debug logger
- * @param namespace - Logger namespace (e.g., 'FedCM', 'PopupAuth')
+ * @param namespace - Logger namespace (e.g., 'FedCM', 'SilentAuth')
  * @returns Object with log, warn, error methods
  *
  * @example

package/dist/cjs/utils/accountUtils.js

@@ -146,10 +146,10 @@ const mergeAccountsFromRefreshAll = (stored, fresh) => {
     }
     const merged = fresh.map((entry) => {
         const previous = storedByAuthuser.get(entry.authuser);
-        // `entry.user` is null on the SDK legacy-fallback path; preserve any
-        // previously cached identity for that slot rather than overwriting
-        // it with blanks, and let the AuthManager's getCurrentUser() hydration
-        // refresh it on the next snapshot.
+        // Preserve any previously cached identity for a slot that arrives
+        // without a user shape rather than overwriting it with blanks, and let
+        // AuthManager's getCurrentUser() hydration refresh it on the next
+        // snapshot.
         const wireUser = entry.user;
         const username = wireUser?.username ?? previous?.username ?? '';
         const displayName = (0, exports.getAccountDisplayName)({

package/dist/cjs/utils/authHelpers.js

@@ -31,25 +31,32 @@ class AuthenticationFailedError extends Error {
 exports.AuthenticationFailedError = AuthenticationFailedError;
 /**
  * Ensures a valid token exists before making authenticated API calls.
- * If no valid token exists and an active session ID is available,
- * attempts to refresh the token using the session.
+ * If no valid token exists, callers may provide a session synchronizer that
+ * uses the platform-appropriate new flow (cookie restore, device claim, or
+ * native secure restore). This helper never exchanges a session id for a token.
  *
  * @throws {SessionSyncRequiredError} If the session needs to be synced (offline session)
  */
-async function ensureValidToken(oxyServices, activeSessionId) {
-    if (oxyServices.hasValidToken() || !activeSessionId) {
+async function ensureValidToken(oxyServices, _activeSessionId, syncSession) {
+    if (oxyServices.hasValidToken()) {
         return;
     }
-    try {
-        await oxyServices.getTokenBySession(activeSessionId);
-    }
-    catch (tokenError) {
-        const errorMessage = tokenError instanceof Error ? tokenError.message : String(tokenError);
-        if (errorMessage.includes('AUTH_REQUIRED_OFFLINE_SESSION') || errorMessage.includes('offline')) {
-            throw new SessionSyncRequiredError();
+    if (syncSession) {
+        try {
+            await syncSession();
+            if (oxyServices.hasValidToken()) {
+                return;
+            }
+        }
+        catch (syncError) {
+            const errorMessage = syncError instanceof Error ? syncError.message : String(syncError);
+            if (errorMessage.includes('AUTH_REQUIRED_OFFLINE_SESSION') || errorMessage.includes('offline')) {
+                throw new SessionSyncRequiredError();
+            }
+            throw syncError;
         }
-        throw tokenError;
     }
+    throw new SessionSyncRequiredError('No active access token is available. Sync the session before calling authenticated APIs.');
 }
 /**
  * Checks if an error is an authentication error (401 or auth-related message)
@@ -79,10 +86,9 @@ async function withAuthErrorHandling(apiCall, options) {
         if (!isAuthenticationError(error)) {
             throw error;
         }
-        if (options?.syncSession && options?.activeSessionId && options?.oxyServices) {
+        if (options?.syncSession && options?.oxyServices) {
             try {
                 await options.syncSession();
-                await options.oxyServices.getTokenBySession(options.activeSessionId);
                 return await apiCall();
             }
             catch {
@@ -105,7 +111,7 @@ async function withAuthErrorHandling(apiCall, options) {
  * ```
  */
 async function authenticatedApiCall(oxyServices, activeSessionId, apiCall, syncSession) {
-    await ensureValidToken(oxyServices, activeSessionId);
+    await ensureValidToken(oxyServices, activeSessionId, syncSession);
     return withAuthErrorHandling(apiCall, {
         syncSession,
         activeSessionId,

package/dist/cjs/utils/coldBoot.js

@@ -5,7 +5,7 @@
  *
  * On a fresh page load / app launch the SDK may have several ways to recover an
  * existing session (silent FedCM, a persisted refresh token, a cross-domain
- * claim, an explicit popup flow, …). They must be attempted in a *deterministic
+ * claim, a redirect SSO return, ...). They must be attempted in a deterministic
  * order*, and the FIRST one that yields a session wins — every later step is
  * skipped. This module encodes exactly that contract and nothing else.
  *
@@ -84,8 +84,8 @@ async function runColdBoot(options) {
             }
             let result;
             try {
-                // Without a deadline: legacy behaviour — await the step directly.
-                // With a deadline: race the step against the shared deadline. The
+                // Without a deadline, await the step directly. With a deadline, race
+                // the step against the shared deadline. The
                 // step's `run()` still STARTS synchronously up to its first `await`
                 // (so a terminal step's synchronous navigation side effect always
                 // executes), but a non-settling step can no longer block the loop —

package/dist/cjs/utils/fapiAutoDetect.js

@@ -9,7 +9,7 @@
  * Clerk-style multi-domain SSO depends on the IdP being reachable on a
  * subdomain of the RP's own apex (e.g. `auth.mention.earth` CNAMEd to the
  * central Oxy IdP). That way every FedCM endpoint, the session cookie,
- * and any popup/redirect target are same-site with the RP — the only way
+ * and any redirect target are same-site with the RP — the only way
  * to get first-party cookies in Safari ITP and Firefox Total Cookie
  * Protection.
  *