@oxyhq/core 3.8.0 → 3.8.1

package/dist/esm/mixins/OxyServices.user.js

@@ -230,6 +230,17 @@ export function OxyServicesUserMixin(Base) {
          * by `id`); each is run through `normalizeUserIdentity`, matching
          * `getUserById`.
          *
+         * **Service-token auth (required).** `/users/by-ids` is a server-to-server
+         * bulk fetch of PUBLIC user data and is called via `makeServiceRequest`,
+         * which attaches `Authorization: Bearer <serviceToken>`. oxy-api's CSRF
+         * middleware skips bearer-authenticated requests, so the calling client
+         * MUST be service-configured (`configureServiceAuth(apiKey, apiSecret)`)
+         * before invoking this method; otherwise `getServiceToken()` throws because
+         * no credentials are available. (A plain user-session request fails here:
+         * server-to-server there is no cookie jar, so the auto-attached
+         * `X-CSRF-Token` has no matching cookie and oxy-api rejects the POST with
+         * 403 "CSRF token missing".)
+         *
          * Resilience: chunks are independent. A failed chunk is logged and skipped
          * — the method returns every user that resolved successfully rather than
          * discarding the whole call on one chunk's failure. An empty/whitespace-only
@@ -250,7 +261,7 @@ export function OxyServicesUserMixin(Base) {
             // Run chunks concurrently; a single chunk failure must not sink the rest.
             const settled = await Promise.all(chunks.map(async (chunk) => {
                 try {
-                    const users = await this.makeRequest('POST', '/users/by-ids', { ids: chunk }, { cache: false });
+                    const users = await this.makeServiceRequest('POST', '/users/by-ids', { ids: chunk });
                     return Array.isArray(users) ? users.map((user) => normalizeUserIdentity(user)) : [];
                 }
                 catch (error) {