@oxyhq/core 3.4.4 → 3.4.6

package/dist/cjs/OxyServices.base.js

@@ -88,6 +88,45 @@ class OxyServicesBase {
     getClient() {
         return this.httpService;
     }
+    /**
+     * Create an app/backend HTTP client linked to this Oxy session.
+     *
+     * Use this when an app has its own API origin (for example
+     * `https://api.syra.fm`) but authentication is owned by the canonical
+     * OxyServices instance mounted in OxyProvider. The returned client has its own
+     * base URL, cache and request queue, but its bearer token is kept in lockstep
+     * with this session and its 401 refresh path delegates back to this session.
+     */
+    createLinkedClient(config) {
+        const client = new HttpService_1.HttpService(config);
+        const syncToken = (accessToken) => {
+            const currentAccessToken = client.getAccessToken();
+            if (accessToken) {
+                if (currentAccessToken !== accessToken) {
+                    client.setTokens(accessToken);
+                }
+                return;
+            }
+            if (currentAccessToken) {
+                client.clearTokens();
+            }
+        };
+        syncToken(this.getAccessToken());
+        const unsubscribe = this.onTokensChanged(syncToken);
+        client.setAuthRefreshHandler(async (reason) => {
+            const refreshed = await this.httpService.refreshAccessToken(reason);
+            syncToken(refreshed);
+            return refreshed;
+        });
+        return {
+            client,
+            dispose: () => {
+                unsubscribe();
+                client.setAuthRefreshHandler(null);
+                client.clearTokens();
+            },
+        };
+    }
     /**
      * Get performance metrics
      */

package/dist/cjs/index.js

@@ -20,7 +20,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeColorScheme = exports.normalizeTheme = exports.getContrastTextColor = exports.isLightColor = exports.withOpacity = exports.rgbToHex = exports.hexToRgb = exports.lightenColor = exports.darkenColor = exports.isAndroid = exports.isIOS = exports.isNative = exports.isWeb = exports.setPlatformOS = exports.getPlatformOS = exports.isRTLLocale = exports.normalizeLanguageCode = exports.getNativeLanguageName = exports.getLanguageName = exports.getLanguageMetadata = exports.SUPPORTED_LANGUAGES = exports.TopicSource = exports.TopicType = exports.SECURITY_EVENT_SEVERITY_MAP = exports.DeviceManager = exports.RecoveryPhraseService = exports.SignatureService = exports.IdentityPersistError = exports.IdentityAlreadyExistsError = exports.KeyManager = exports.sessionsArraysEqual = exports.normalizeAndSortSessions = exports.mergeSessions = exports.authenticatedApiCall = exports.withAuthErrorHandling = exports.isAuthenticationError = exports.ensureValidToken = exports.AuthenticationFailedError = exports.SessionSyncRequiredError = exports.OxyAppDataIdentifierError = exports.ServiceCredentialMismatchError = exports.createCrossDomainAuth = exports.CrossDomainAuth = exports.createAuthManager = exports.AuthManager = exports.oxyClient = exports.OXY_CLOUD_URL = exports.OxyAuthenticationTimeoutError = exports.OxyAuthenticationError = exports.OxyServices = void 0;
 exports.isValidURL = exports.isValidUUID = exports.isValidObject = exports.isValidArray = exports.isRequiredBoolean = exports.isRequiredNumber = exports.isRequiredString = exports.isValidPassword = exports.isValidUsername = exports.isValidEmail = exports.PASSWORD_REGEX = exports.USERNAME_REGEX = exports.EMAIL_REGEX = exports.retryAsync = exports.validateRequiredFields = exports.handleHttpError = exports.createApiError = exports.ErrorCodes = exports.safeJsonParse = exports.buildPaginationParams = exports.buildUrl = exports.buildSearchParams = exports.translate = exports.createDebugLogger = exports.debugError = exports.debugWarn = exports.debugLog = exports.isDev = exports.withRetry = exports.delay = exports.shouldAllowRequest = exports.recordSuccess = exports.recordFailure = exports.calculateBackoffInterval = exports.createCircuitBreakerState = exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = exports.isRetryableError = exports.isNetworkError = exports.isServerError = exports.isRateLimitError = exports.isNotFoundError = exports.isForbiddenError = exports.isUnauthorizedError = exports.isAlreadyRegisteredError = exports.getErrorMessage = exports.getErrorStatus = exports.HttpStatus = exports.getSystemColorScheme = exports.systemPrefersDarkMode = exports.getOppositeTheme = void 0;
-exports.packageInfo = exports.runColdBoot = exports.guardActive = exports.isCentralIdPOrigin = exports.buildSsoBounceUrl = exports.ssoNavigate = exports.ssoAttemptedKey = exports.ssoNoSessionKey = exports.ssoDestKey = exports.ssoGuardKey = exports.ssoStateKey = exports.SSO_GUARD_TTL_MS = exports.SSO_CALLBACK_PATH = exports.generateSsoState = exports.consumeSsoReturn = exports.parseSsoReturnFragment = exports.resolveCentralAuthUrl = exports.CENTRAL_IDP_APEX = exports.CENTRAL_AUTH_URL = exports.MULTIPART_TLDS = exports.registrableApex = exports.autoDetectAuthWebUrl = exports.getAccountColor = exports.mergeAccountsFromRefreshAll = exports.formatPublicKeyHandle = exports.getAccountFallbackHandle = exports.getAccountDisplayName = exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.validateAndSanitizeUserInput = exports.isValidObjectId = exports.sanitizeHTML = exports.sanitizeString = exports.isValidFileType = exports.isValidFileSize = exports.isValidDate = void 0;
+exports.packageInfo = exports.runColdBoot = exports.guardActive = exports.isCentralIdPOrigin = exports.buildSsoBounceUrl = exports.getSsoCallbackBootstrapScript = exports.ssoNavigate = exports.ssoCallbackBootstrapKey = exports.ssoAttemptedKey = exports.ssoNoSessionKey = exports.ssoDestKey = exports.ssoGuardKey = exports.ssoStateKey = exports.SSO_GUARD_TTL_MS = exports.SSO_CALLBACK_PATH = exports.generateSsoState = exports.consumeSsoReturn = exports.parseSsoReturnFragment = exports.resolveCentralAuthUrl = exports.CENTRAL_IDP_APEX = exports.CENTRAL_AUTH_URL = exports.MULTIPART_TLDS = exports.registrableApex = exports.autoDetectAuthWebUrl = exports.getAccountColor = exports.mergeAccountsFromRefreshAll = exports.formatPublicKeyHandle = exports.getAccountFallbackHandle = exports.getAccountDisplayName = exports.createQuickAccount = exports.buildAccountsArray = exports.updateAvatarVisibility = exports.logPerformance = exports.logPayment = exports.logDevice = exports.logUser = exports.logSession = exports.logApi = exports.logAuth = exports.LogLevel = exports.logger = exports.validateAndSanitizeUserInput = exports.isValidObjectId = exports.sanitizeHTML = exports.sanitizeString = exports.isValidFileType = exports.isValidFileSize = exports.isValidDate = void 0;
 // Ensure crypto polyfills are loaded before anything else
 require("./crypto/polyfill");
 // ---------------------------------------------------------------------------
@@ -251,7 +251,9 @@ Object.defineProperty(exports, "ssoGuardKey", { enumerable: true, get: function
 Object.defineProperty(exports, "ssoDestKey", { enumerable: true, get: function () { return ssoBounce_1.ssoDestKey; } });
 Object.defineProperty(exports, "ssoNoSessionKey", { enumerable: true, get: function () { return ssoBounce_1.ssoNoSessionKey; } });
 Object.defineProperty(exports, "ssoAttemptedKey", { enumerable: true, get: function () { return ssoBounce_1.ssoAttemptedKey; } });
+Object.defineProperty(exports, "ssoCallbackBootstrapKey", { enumerable: true, get: function () { return ssoBounce_1.ssoCallbackBootstrapKey; } });
 Object.defineProperty(exports, "ssoNavigate", { enumerable: true, get: function () { return ssoBounce_1.ssoNavigate; } });
+Object.defineProperty(exports, "getSsoCallbackBootstrapScript", { enumerable: true, get: function () { return ssoBounce_1.getSsoCallbackBootstrapScript; } });
 Object.defineProperty(exports, "buildSsoBounceUrl", { enumerable: true, get: function () { return ssoBounce_1.buildSsoBounceUrl; } });
 Object.defineProperty(exports, "isCentralIdPOrigin", { enumerable: true, get: function () { return ssoBounce_1.isCentralIdPOrigin; } });
 Object.defineProperty(exports, "guardActive", { enumerable: true, get: function () { return ssoBounce_1.guardActive; } });

package/dist/cjs/utils/ssoBounce.js

@@ -49,6 +49,8 @@ exports.ssoGuardKey = ssoGuardKey;
 exports.ssoDestKey = ssoDestKey;
 exports.ssoNoSessionKey = ssoNoSessionKey;
 exports.ssoAttemptedKey = ssoAttemptedKey;
+exports.ssoCallbackBootstrapKey = ssoCallbackBootstrapKey;
+exports.getSsoCallbackBootstrapScript = getSsoCallbackBootstrapScript;
 exports.ssoNavigate = ssoNavigate;
 exports.buildSsoBounceUrl = buildSsoBounceUrl;
 exports.isCentralIdPOrigin = isCentralIdPOrigin;
@@ -75,6 +77,7 @@ const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
 const DEST_KEY_PREFIX = 'oxy_sso_dest:';
 const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
 const ATTEMPTED_KEY_PREFIX = 'oxy_sso_attempted:';
+const CALLBACK_BOOTSTRAP_KEY_PREFIX = 'oxy_sso_callback_bootstrap:';
 /** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
 function ssoStateKey(origin) {
     return `${STATE_KEY_PREFIX}${origin}`;
@@ -107,6 +110,35 @@ function ssoNoSessionKey(origin) {
 function ssoAttemptedKey(origin) {
     return `${ATTEMPTED_KEY_PREFIX}${origin}`;
 }
+/**
+ * Per-origin marker written by the pre-hydration callback bootstrap.
+ *
+ * Static Expo exports render unknown paths as `+not-found`; on
+ * `/__oxy/sso-callback` that can fail hydration before the React provider has a
+ * chance to run `consumeSsoReturn`. The bootstrap runs in the HTML head, moves
+ * the URL to a hydratable route while preserving the SSO fragment, and writes
+ * this marker so `consumeSsoReturn` still restores the original destination as
+ * if the page were physically on the callback path.
+ */
+function ssoCallbackBootstrapKey(origin) {
+    return `${CALLBACK_BOOTSTRAP_KEY_PREFIX}${origin}`;
+}
+/**
+ * Inline script for Expo/static web apps.
+ *
+ * Must run before the app bundle hydrates. It is intentionally tiny and
+ * dependency-free: if the browser lands on the internal callback route with an
+ * Oxy SSO fragment, it marks the handoff and rewrites the path to `/` while
+ * preserving `#oxy_sso=...`. The normal SDK cold-boot `sso-return` step then
+ * consumes the fragment from a route that can hydrate. If the internal route is
+ * reached without a valid SSO fragment, it leaves the route via a hard root
+ * navigation because there is no session material to preserve.
+ */
+function getSsoCallbackBootstrapScript() {
+    const callbackPath = JSON.stringify(exports.SSO_CALLBACK_PATH);
+    const bootstrapPrefix = JSON.stringify(CALLBACK_BOOTSTRAP_KEY_PREFIX);
+    return `(function(){var p=${callbackPath};if(window.location.pathname!==p)return;var h=window.location.hash||"";if(!/(?:^#|&)oxy_sso=(?:ok|none|error)(?:&|$)/.test(h)){window.location.replace("/");return;}try{window.sessionStorage.setItem(${bootstrapPrefix}+window.location.origin,"1");}catch(e){window.__oxySsoCallbackBootstrapError=e instanceof Error?e.message:String(e);}try{window.history.replaceState(null,"","/"+h);}catch(e){window.__oxySsoCallbackBootstrapError=e instanceof Error?e.message:String(e);window.location.replace("/"+h);}})();`;
+}
 /**
  * Perform the terminal top-level SSO bounce navigation.
  *

package/dist/cjs/utils/ssoReturn.js

@@ -162,6 +162,8 @@ async function consumeSsoReturn(oxy, deps = {}) {
         return null;
     }
     const origin = location.origin;
+    const callbackBootstrapKey = (0, ssoBounce_1.ssoCallbackBootstrapKey)(origin);
+    const wasCallbackBootstrapped = storage.getItem(callbackBootstrapKey) === '1';
     const expectedState = storage.getItem((0, ssoBounce_1.ssoStateKey)(origin));
     const stateOk = !!ret.state && !!expectedState && ret.state === expectedState;
     // Strip the fragment FIRST so the opaque code never lingers in the address
@@ -187,7 +189,8 @@ async function consumeSsoReturn(oxy, deps = {}) {
     // (so it can be fed to either `history.replaceState` or a `hardRedirect`),
     // or `null` when the page is not on the callback path (nothing to leave).
     const consumeCallbackTarget = () => {
-        if (location.pathname !== ssoBounce_1.SSO_CALLBACK_PATH) {
+        storage.removeItem(callbackBootstrapKey);
+        if (location.pathname !== ssoBounce_1.SSO_CALLBACK_PATH && !wasCallbackBootstrapped) {
             // Not on the callback path — still drop the dest key (consumed) but there
             // is nothing to navigate away from.
             storage.removeItem((0, ssoBounce_1.ssoDestKey)(origin));