@oxyhq/core 3.8.1 → 3.9.0

package/src/mixins/OxyServices.workspaces.ts

@@ -140,6 +140,9 @@ export function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Bas
           data,
           { cache: false },
         );
+        // Bust the cached workspace list so the new workspace appears on the
+        // next `getWorkspaces()` read within the TTL window.
+        this.clearCacheEntry('GET:/workspaces');
         return res.workspace;
       } catch (error) {
         throw this.handleError(error);
@@ -180,6 +183,9 @@ export function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Bas
           data,
           { cache: false },
         );
+        // Bust the cached detail and list — both surface workspace fields.
+        this.clearCacheEntry(`GET:/workspaces/${encodeURIComponent(workspaceId)}`);
+        this.clearCacheEntry('GET:/workspaces');
         return res.workspace;
       } catch (error) {
         throw this.handleError(error);
@@ -192,12 +198,17 @@ export function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Bas
      */
     async deleteWorkspace(workspaceId: string): Promise<WorkspaceSuccessResult> {
       try {
-        return await this.makeRequest<WorkspaceSuccessResult>(
+        const result = await this.makeRequest<WorkspaceSuccessResult>(
           'DELETE',
           `/workspaces/${encodeURIComponent(workspaceId)}`,
           undefined,
           { cache: false },
         );
+        // Bust every cached representation of the deleted workspace.
+        this.clearCacheEntry(`GET:/workspaces/${encodeURIComponent(workspaceId)}`);
+        this.clearCacheEntry(`GET:/workspaces/${encodeURIComponent(workspaceId)}/members`);
+        this.clearCacheEntry('GET:/workspaces');
+        return result;
       } catch (error) {
         throw this.handleError(error);
       }
@@ -239,6 +250,7 @@ export function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Bas
           data,
           { cache: false },
         );
+        this._invalidateWorkspaceMembership(workspaceId);
         return res.member;
       } catch (error) {
         throw this.handleError(error);
@@ -263,6 +275,7 @@ export function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Bas
           data,
           { cache: false },
         );
+        this._invalidateWorkspaceMembership(workspaceId);
         return res.member;
       } catch (error) {
         throw this.handleError(error);
@@ -279,12 +292,14 @@ export function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Bas
       memberId: string,
     ): Promise<WorkspaceSuccessResult> {
       try {
-        return await this.makeRequest<WorkspaceSuccessResult>(
+        const result = await this.makeRequest<WorkspaceSuccessResult>(
           'DELETE',
           `/workspaces/${encodeURIComponent(workspaceId)}/members/${encodeURIComponent(memberId)}`,
           undefined,
           { cache: false },
         );
+        this._invalidateWorkspaceMembership(workspaceId);
+        return result;
       } catch (error) {
         throw this.handleError(error);
       }
@@ -301,15 +316,36 @@ export function OxyServicesWorkspacesMixin<T extends typeof OxyServicesBase>(Bas
       data: TransferWorkspaceOwnershipInput,
     ): Promise<WorkspaceSuccessResult> {
       try {
-        return await this.makeRequest<WorkspaceSuccessResult>(
+        const result = await this.makeRequest<WorkspaceSuccessResult>(
           'POST',
           `/workspaces/${encodeURIComponent(workspaceId)}/transfer-ownership`,
           data,
           { cache: false },
         );
+        // Ownership change alters roles in the member list AND the detail, and
+        // can change which workspaces the caller "owns" in the list view.
+        this._invalidateWorkspaceMembership(workspaceId);
+        this.clearCacheEntry('GET:/workspaces');
+        return result;
       } catch (error) {
         throw this.handleError(error);
       }
     }
+
+    /**
+     * Bust the cached member list and detail for a workspace after a membership
+     * mutation. The member list (`getWorkspaceMembers`) and the detail
+     * (`getWorkspace`, which can embed member counts) both go stale when the
+     * member set or a member's role changes.
+     *
+     * Internal helper (leading underscore); not part of the supported public
+     * surface. Public rather than `private` because mixins compose into an
+     * exported anonymous class, where TypeScript cannot represent a private
+     * member in the emitted declaration file (TS4094).
+     */
+    _invalidateWorkspaceMembership(workspaceId: string): void {
+      this.clearCacheEntry(`GET:/workspaces/${encodeURIComponent(workspaceId)}/members`);
+      this.clearCacheEntry(`GET:/workspaces/${encodeURIComponent(workspaceId)}`);
+    }
   };
 }

package/src/mixins/__tests__/privacyCacheInvalidation.test.ts

@@ -0,0 +1,147 @@
+/**
+ * Privacy / list cache-invalidation tests.
+ *
+ * The privacy reads cache their GET responses (identity-scoped):
+ *  - `getBlockedUsers()`     → `GET:/privacy/blocked`        (~1 min TTL)
+ *  - `getRestrictedUsers()`  → `GET:/privacy/restricted`     (~1 min TTL)
+ *  - `getPrivacySettings(id)`→ `GET:/privacy/<id>/privacy`   (~2 min TTL)
+ *
+ * Each corresponding write MUST invalidate the matching cached GET, otherwise a
+ * consumer that re-reads within the TTL window observes the STALE pre-write
+ * value (mirrors the follow/unfollow follow-status invalidation contract).
+ */
+
+import { OxyServices } from '../../OxyServices';
+
+/** Build a non-verified JWT whose payload decodes to the given claims. */
+function makeJwt(payload: Record<string, unknown>): string {
+  const b64url = (obj: Record<string, unknown>): string =>
+    Buffer.from(JSON.stringify(obj)).toString('base64url');
+  const fullPayload = { exp: Math.floor(Date.now() / 1000) + 3600, ...payload };
+  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(fullPayload)}.sig`;
+}
+
+/** A JSON `Response` mimicking the API's `{ data: ... }` success envelope. */
+function jsonResponse(data: unknown): Response {
+  return new Response(JSON.stringify({ data }), {
+    status: 200,
+    headers: { 'content-type': 'application/json' },
+  });
+}
+
+describe('privacy cache invalidation', () => {
+  let originalFetch: typeof globalThis.fetch;
+  let fetchMock: jest.Mock<Promise<Response>, [RequestInfo | URL, RequestInit?]>;
+  let oxy: OxyServices;
+
+  beforeEach(() => {
+    originalFetch = globalThis.fetch;
+    fetchMock = jest.fn();
+    globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+    oxy = new OxyServices({ baseURL: 'http://test.invalid' });
+    oxy.httpService.setTokens(makeJwt({ userId: 'me' }));
+  });
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+    jest.clearAllMocks();
+  });
+
+  it('busts the cached blocked list after blockUser', async () => {
+    // 1) Warm the cache: empty blocked list.
+    fetchMock.mockResolvedValueOnce(jsonResponse([]));
+    expect(await oxy.getBlockedUsers()).toEqual([]);
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    // A second read within the TTL is a cache hit (no extra network call).
+    await oxy.getBlockedUsers();
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    // 2) Block a user — must invalidate the cached list.
+    fetchMock.mockResolvedValueOnce(jsonResponse({ message: 'ok' }));
+    await oxy.blockUser('target-1');
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+
+    // 3) Re-read MUST re-fetch and observe the new entry.
+    fetchMock.mockResolvedValueOnce(jsonResponse([{ blockedId: 'target-1' }]));
+    const after = await oxy.getBlockedUsers();
+    expect(fetchMock).toHaveBeenCalledTimes(3);
+    expect(after).toEqual([{ blockedId: 'target-1' }]);
+  });
+
+  it('busts the cached blocked list after unblockUser', async () => {
+    fetchMock.mockResolvedValueOnce(jsonResponse([{ blockedId: 'target-1' }]));
+    await oxy.getBlockedUsers();
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    fetchMock.mockResolvedValueOnce(jsonResponse({ message: 'ok' }));
+    await oxy.unblockUser('target-1');
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+
+    fetchMock.mockResolvedValueOnce(jsonResponse([]));
+    expect(await oxy.getBlockedUsers()).toEqual([]);
+    expect(fetchMock).toHaveBeenCalledTimes(3);
+  });
+
+  it('busts the cached restricted list after restrictUser / unrestrictUser', async () => {
+    fetchMock.mockResolvedValueOnce(jsonResponse([]));
+    await oxy.getRestrictedUsers();
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    fetchMock.mockResolvedValueOnce(jsonResponse({ message: 'ok' }));
+    await oxy.restrictUser('target-2');
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+
+    fetchMock.mockResolvedValueOnce(jsonResponse([{ restrictedId: 'target-2' }]));
+    expect(await oxy.getRestrictedUsers()).toEqual([{ restrictedId: 'target-2' }]);
+    expect(fetchMock).toHaveBeenCalledTimes(3);
+
+    fetchMock.mockResolvedValueOnce(jsonResponse({ message: 'ok' }));
+    await oxy.unrestrictUser('target-2');
+    expect(fetchMock).toHaveBeenCalledTimes(4);
+
+    fetchMock.mockResolvedValueOnce(jsonResponse([]));
+    expect(await oxy.getRestrictedUsers()).toEqual([]);
+    expect(fetchMock).toHaveBeenCalledTimes(5);
+  });
+
+  it('busts the cached privacy settings (same id) after updatePrivacySettings', async () => {
+    // Warm the settings cache for an explicit id (avoids a getCurrentUser call).
+    fetchMock.mockResolvedValueOnce(jsonResponse({ isPrivateAccount: false }));
+    expect(await oxy.getPrivacySettings('me')).toEqual({ isPrivateAccount: false });
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    // Cache hit on the second read.
+    await oxy.getPrivacySettings('me');
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+
+    // Update — must invalidate `GET:/privacy/me/privacy`.
+    fetchMock.mockResolvedValueOnce(jsonResponse({ isPrivateAccount: true }));
+    await oxy.updatePrivacySettings({ isPrivateAccount: true }, 'me');
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+
+    // Re-read MUST re-fetch and observe the new value.
+    fetchMock.mockResolvedValueOnce(jsonResponse({ isPrivateAccount: true }));
+    const after = await oxy.getPrivacySettings('me');
+    expect(fetchMock).toHaveBeenCalledTimes(3);
+    expect(after).toEqual({ isPrivateAccount: true });
+  });
+
+  it('invalidates the exact logical keys on block/restrict/settings writes', async () => {
+    const clearSpy = jest.spyOn(oxy, 'clearCacheEntry');
+
+    fetchMock.mockResolvedValueOnce(jsonResponse({ message: 'ok' }));
+    await oxy.blockUser('u1');
+    expect(clearSpy).toHaveBeenCalledWith('GET:/privacy/blocked');
+
+    fetchMock.mockResolvedValueOnce(jsonResponse({ message: 'ok' }));
+    await oxy.restrictUser('u2');
+    expect(clearSpy).toHaveBeenCalledWith('GET:/privacy/restricted');
+
+    fetchMock.mockResolvedValueOnce(jsonResponse({ isPrivateAccount: true }));
+    await oxy.updatePrivacySettings({ isPrivateAccount: true }, 'me');
+    expect(clearSpy).toHaveBeenCalledWith('GET:/privacy/me/privacy');
+
+    clearSpy.mockRestore();
+  });
+});

package/src/models/interfaces.ts

@@ -29,8 +29,20 @@ export interface OxyConfig {
    */
   clientId?: string;
   // Performance & caching options
+  /**
+   * Enable the per-instance GET response cache. Defaults to `true` (5-minute
+   * TTL). Set to `false` to disable caching entirely for this instance — GET
+   * responses are then never stored and never served from cache, so every read
+   * hits the network. Useful for a linked backend client where another layer
+   * (e.g. React Query) is the single cache authority and the SDK's own cache
+   * would otherwise serve stale data after a write.
+   */
   enableCache?: boolean;
-  cacheTTL?: number; // Cache TTL in milliseconds (default: 5 minutes)
+  /**
+   * Cache TTL in milliseconds (default: 5 minutes). A value `<= 0` disables the
+   * per-instance GET response cache, equivalent to `enableCache: false`.
+   */
+  cacheTTL?: number;
   enableRequestDeduplication?: boolean;
   enableRetry?: boolean;
   maxRetries?: number;

package/src/utils/cache.ts

@@ -91,11 +91,18 @@ export class TTLCache<T> {
    * Set a value in cache
    * @param key Cache key
    * @param data Data to cache
-   * @param ttl Optional TTL override (uses default if not provided)
+   * @param ttl Optional TTL override (uses default if not provided). An
+   *   explicit `0` or negative value is honored as "already expired" — the
+   *   entry is stored with `expiresAt <= now`, so the next `get`/`has` treats
+   *   it as a miss — rather than silently falling back to the default TTL.
    */
   set(key: string, data: T, ttl?: number): void {
     const now = Date.now();
-    const expiresAt = now + (ttl || this.defaultTTL);
+    // Distinguish "no override provided" (undefined → use default) from an
+    // explicit `0`/negative (do not cache). `ttl || this.defaultTTL` collapsed
+    // both into the default, making `cacheTTL:0` impossible to honor.
+    const effectiveTTL = ttl === undefined ? this.defaultTTL : ttl;
+    const expiresAt = now + effectiveTTL;
     this.cache.set(key, { data, timestamp: now, expiresAt });
   }
 

package/dist/cjs/mixins/OxyServices.popup.js

@@ -1,263 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OxyServicesPopupAuthMixin = OxyServicesPopupAuthMixin;
-exports.PopupAuthMixin = OxyServicesPopupAuthMixin;
-const OxyServices_errors_1 = require("../OxyServices.errors");
-const debugUtils_1 = require("../shared/utils/debugUtils");
-const debug = (0, debugUtils_1.createDebugLogger)("PopupAuth");
-/**
- * Cross-domain browser auth helpers.
- *
- * Popup sign-in is intentionally fail-closed in the clean session model because
- * the historical implementation required bearer-token callback URLs. FedCM,
- * redirect SSO, and silent iframe SSO are the supported browser paths.
- */
-function OxyServicesPopupAuthMixin(Base) {
-    var _a;
-    return _a = class extends Base {
-            constructor(...args) {
-                super(...args);
-            }
-            /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
-            resolveAuthUrl() {
-                return (this.config.authWebUrl || this.constructor.DEFAULT_AUTH_URL);
-            }
-            /**
-             * Removed popup sign-in. Closes a caller-supplied popup handle and throws.
-             */
-            async signInWithPopup(options = {}) {
-                if (typeof window === "undefined") {
-                    throw new OxyServices_errors_1.OxyAuthenticationError("Popup authentication requires browser environment");
-                }
-                if (options.popup && !options.popup.closed) {
-                    options.popup.close();
-                }
-                throw new OxyServices_errors_1.OxyAuthenticationError("Popup authentication has been removed because it required access-token callback URLs. Use FedCM or redirect authentication.");
-            }
-            /**
-             * Removed popup signup. Closes a caller-supplied popup handle and throws.
-             */
-            async signUpWithPopup(options = {}) {
-                return this.signInWithPopup({ ...options, mode: "signup" });
-            }
-            /**
-             * Silent sign-in using hidden iframe
-             *
-             * Attempts to automatically re-authenticate the user without any UI.
-             * This is what enables seamless SSO across all Oxy domains.
-             *
-             * How it works:
-             * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
-             * 2. If user has valid session at auth.oxy.so, it exchanges an opaque SSO code
-             * 3. If not, iframe responds with null (no error thrown)
-             *
-             * This should be called on app startup to check for existing sessions.
-             *
-             * @param options - Silent auth options
-             * @returns Session if user is signed in, null otherwise
-             *
-             * @example
-             * ```typescript
-             * useEffect(() => {
-             *   const checkAuth = async () => {
-             *     const session = await oxyServices.silentSignIn();
-             *     if (session) {
-             *       setUser(session.user);
-             *     }
-             *   };
-             *   checkAuth();
-             * }, []);
-             * ```
-             */
-            async silentSignIn(options = {}) {
-                if (typeof window === "undefined") {
-                    return null;
-                }
-                const timeout = options.timeout || this.constructor.SILENT_TIMEOUT;
-                const nonce = this.generateNonce();
-                const clientId = window.location.origin;
-                // Resolve the IdP origin for the iframe. An explicit per-apex override (the
-                // durable cross-domain reload path — see `SilentAuthOptions.authWebUrlOverride`)
-                // wins over the instance's configured central auth URL. The SAME origin is
-                // handed to `waitForIframeAuth` so the postMessage origin check matches the
-                // exact host the iframe was loaded from.
-                const authOrigin = options.authWebUrlOverride && options.authWebUrlOverride.length > 0
-                    ? options.authWebUrlOverride
-                    : this.resolveAuthUrl();
-                const iframe = document.createElement("iframe");
-                iframe.style.display = "none";
-                iframe.style.position = "absolute";
-                iframe.style.width = "0";
-                iframe.style.height = "0";
-                iframe.style.border = "none";
-                const silentUrl = `${authOrigin}/auth/silent?` +
-                    `client_id=${encodeURIComponent(clientId)}&` +
-                    `nonce=${nonce}`;
-                iframe.src = silentUrl;
-                document.body.appendChild(iframe);
-                try {
-                    const session = await this.waitForIframeAuth(iframe, timeout, authOrigin);
-                    // Bail early on incomplete responses. The iframe contract requires
-                    // both an access token and a session id; anything less is unusable.
-                    // Returning `null` here (without installing the token) prevents a
-                    // stale credential from being committed to HttpService when the
-                    // user is actually signed out — that pattern caused a `getCurrentUser`
-                    // -> 401 -> token-clear loop in consumer apps because callers gated
-                    // on `session?.user` and never installed the user via
-                    // `handleAuthSuccess`, while HttpService quietly held the token.
-                    const accessToken = session
-                        ? session.accessToken
-                        : undefined;
-                    if (!session || !accessToken || !session.sessionId) {
-                        return null;
-                    }
-                    // Snapshot the previous token so we can roll back if the user
-                    // lookup below fails — this avoids leaving a half-committed session
-                    // (token installed, user missing) which would let the next
-                    // authenticated request 401 with no way to recover.
-                    const previousAccessToken = this.httpService.getAccessToken();
-                    this.httpService.setTokens(accessToken);
-                    // The iframe typically returns `{ sessionId, accessToken }` without
-                    // user data. Fetch the user explicitly so callers receive a
-                    // fully-formed session and never need a second `/users/me` round
-                    // trip. If this fails the session is unusable — revert the token
-                    // and return null so the caller treats this exactly like a
-                    // missing-session response.
-                    if (!session.user) {
-                        try {
-                            const userData = await this.makeRequest("GET", `/session/user/${session.sessionId}`, undefined, { cache: false, retry: false });
-                            if (!userData) {
-                                throw new Error("Empty user response");
-                            }
-                            session.user = userData;
-                        }
-                        catch (userError) {
-                            debug.warn("silentSignIn: failed to fetch user data, rolling back token", userError);
-                            if (previousAccessToken) {
-                                this.httpService.setTokens(previousAccessToken);
-                            }
-                            else {
-                                this.httpService.clearTokens();
-                            }
-                            return null;
-                        }
-                    }
-                    return session;
-                }
-                catch (error) {
-                    return null;
-                }
-                finally {
-                    document.body.removeChild(iframe);
-                }
-            }
-            /**
-             * Open a blank, centered popup window SYNCHRONOUSLY.
-             *
-             * Kept only so legacy callers can pass a handle to the removed popup method,
-             * which closes it before throwing. New auth code should use FedCM or redirect.
-             */
-            openBlankPopup(width, height) {
-                if (typeof window === "undefined") {
-                    return null;
-                }
-                const ctor = this.constructor;
-                const w = width ?? ctor.POPUP_WIDTH;
-                const h = height ?? ctor.POPUP_HEIGHT;
-                return this.openCenteredPopup("about:blank", "Oxy Sign In", w, h);
-            }
-            /**
-             * Open a centered popup window
-             *
-             * @private
-             */
-            openCenteredPopup(url, title, width, height) {
-                const left = window.screenX + (window.outerWidth - width) / 2;
-                const top = window.screenY + (window.outerHeight - height) / 2;
-                const features = [
-                    `width=${width}`,
-                    `height=${height}`,
-                    `left=${left}`,
-                    `top=${top}`,
-                    "toolbar=no",
-                    "menubar=no",
-                    "scrollbars=yes",
-                    "resizable=yes",
-                    "status=no",
-                    "location=no",
-                ].join(",");
-                return window.open(url, title, features);
-            }
-            /**
-             * Wait for authentication response from iframe
-             *
-             * @private
-             */
-            async waitForIframeAuth(iframe, timeout, expectedOrigin) {
-                return new Promise((resolve) => {
-                    const timeoutId = setTimeout(() => {
-                        cleanup();
-                        resolve(null); // Silent failure - don't throw
-                    }, timeout);
-                    const messageHandler = (event) => {
-                        // Verify origin against the EXACT host the iframe was loaded from
-                        // (`expectedOrigin`). For the per-apex durable-restore path this is
-                        // `auth.<rp-apex>`, not the instance's central `resolveAuthUrl()` — so
-                        // we must honour the caller-supplied origin, never re-derive it here.
-                        if (event.origin !== expectedOrigin) {
-                            return;
-                        }
-                        const { type, session } = event.data;
-                        if (type !== "oxy_silent_auth") {
-                            return;
-                        }
-                        cleanup();
-                        resolve(session || null);
-                    };
-                    // Fail-fast on a load failure. When the per-apex `/auth/silent` host is
-                    // unreachable, blocked by CSP `frame-ancestors`/`X-Frame-Options`, or the
-                    // network drops, the iframe never posts a message — without this handler
-                    // the silent restore would block for the FULL `timeout` (dead latency in
-                    // the cold-boot critical path). `onerror`/`onabort` fire on a failed load,
-                    // so resolve `null` immediately and let the next cold-boot step run. The
-                    // success path posts a message and is handled above; these only catch the
-                    // no-message failure modes.
-                    const failFast = () => {
-                        cleanup();
-                        resolve(null);
-                    };
-                    iframe.onerror = failFast;
-                    iframe.onabort = failFast;
-                    const cleanup = () => {
-                        clearTimeout(timeoutId);
-                        iframe.onerror = null;
-                        iframe.onabort = null;
-                        window.removeEventListener("message", messageHandler);
-                    };
-                    window.addEventListener("message", messageHandler);
-                });
-            }
-            /**
-             * Generate nonce for replay attack prevention
-             *
-             * @private
-             */
-            generateNonce() {
-                if (typeof crypto !== "undefined" && crypto.randomUUID) {
-                    return crypto.randomUUID();
-                }
-                if (typeof crypto !== "undefined" && crypto.getRandomValues) {
-                    const bytes = new Uint8Array(16);
-                    crypto.getRandomValues(bytes);
-                    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
-                }
-                throw new Error("No secure random source available for nonce generation");
-            }
-        },
-        _a.DEFAULT_AUTH_URL = "https://auth.oxy.so",
-        _a.POPUP_WIDTH = 500,
-        _a.POPUP_HEIGHT = 700,
-        _a.SILENT_TIMEOUT = 5000 // 5 seconds
-    ,
-        _a;
-}