@oxyhq/services 10.0.0 → 10.2.0

package/src/ui/components/SignInModal.tsx

@@ -35,6 +35,7 @@ import { Loading } from '@oxyhq/bloom/loading';
 import { useOxy } from '../context/OxyContext';
 import OxyLogo from './OxyLogo';
 import { createDebugLogger } from '@oxyhq/core';
+import { completeDeviceFlowSignIn } from '../../utils/deviceFlowSignIn';
 
 const debug = createDebugLogger('SignInModal');
 
@@ -153,16 +154,18 @@ const SignInModal: React.FC = () => {
         isProcessingRef.current = true;
 
         try {
-            // Plant the bearer + refresh tokens for this newly-authorized
-            // session. Single-use — replay attempts on this sessionToken
-            // are rejected by the API.
-            await oxyServices.claimSessionByToken(sessionToken);
-
-            // Now the SDK has a bearer token, the normal session
-            // management path can hydrate state from the sessionId.
-            if (switchSession) {
-                await switchSession(sessionId);
+            // Claim the first access token with the secret sessionToken, then
+            // hydrate the session. Shared with the native `OxyAuthScreen` via
+            // `completeDeviceFlowSignIn` so the two paths cannot drift.
+            if (!switchSession) {
+                throw new Error('Session management unavailable');
             }
+            await completeDeviceFlowSignIn({
+                oxyServices,
+                sessionId,
+                sessionToken,
+                switchSession,
+            });
 
             hideSignInModal();
         } catch (err) {
@@ -230,8 +233,14 @@ const SignInModal: React.FC = () => {
         });
     }, [oxyServices, handleAuthSuccess, cleanup]);
 
-    // Start polling for authorization (fallback)
+    // Start polling for authorization.
+    //
+    // Idempotent: if a poll interval is already running this is a no-op, so the
+    // `connect_error` path (which also calls this) cannot stack a second
+    // interval on top of the always-on poll started in `generateAuthSession`.
     const startPolling = useCallback((sessionToken: string) => {
+        if (pollingIntervalRef.current) return;
+
         pollingIntervalRef.current = setInterval(async () => {
             if (isProcessingRef.current) return;
 
@@ -289,13 +298,18 @@ const SignInModal: React.FC = () => {
 
             setAuthSession({ sessionToken, expiresAt });
             setIsWaiting(true);
+            // Socket is the fast path; the poll is a transport-independent
+            // backstop that guarantees completion even if the socket connects
+            // but silently never delivers auth_update (RN transport /
+            // idle-timeout).
             connectSocket(sessionToken);
+            startPolling(sessionToken);
         } catch (err: unknown) {
             setError((err instanceof Error ? err.message : null) || 'Failed to create auth session');
         } finally {
             setIsLoading(false);
         }
-    }, [oxyServices, connectSocket, clientId]);
+    }, [oxyServices, connectSocket, startPolling, clientId]);
 
     // Generate a cryptographically random session token.
     // 16 random bytes -> 32 hex chars (128 bits of entropy) — unguessable.

package/src/ui/context/OxyContext.tsx

@@ -97,7 +97,7 @@ export interface OxyContextState {
   // Session management
   logout: (targetSessionId?: string) => Promise<void>;
   logoutAll: () => Promise<void>;
-  switchSession: (sessionId: string) => Promise<void>;
+  switchSession: (sessionId: string) => Promise<User>;
   removeSession: (sessionId: string) => Promise<void>;
   refreshSessions: () => Promise<void>;
   setLanguage: (languageId: string) => Promise<void>;
@@ -1555,8 +1555,12 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   });
 
   const switchSessionForContext = useCallback(
-    async (sessionId: string): Promise<void> => {
-      await switchSession(sessionId);
+    async (sessionId: string): Promise<User> => {
+      // Propagate the activated user so callers (the device-flow sign-in,
+      // `useSwitchSession`'s cache write, account chooser) receive it. The
+      // underlying session-management `switchSession` already resolves the
+      // `User`; the previous `Promise<void>` wrapper discarded it.
+      return switchSession(sessionId);
     },
     [switchSession],
   );
@@ -1776,7 +1780,7 @@ const LOADING_STATE: OxyContextState = {
   handlePopupSession: () => rejectMissingProvider<void>(),
   logout: () => rejectMissingProvider<void>(),
   logoutAll: () => rejectMissingProvider<void>(),
-  switchSession: () => rejectMissingProvider<void>(),
+  switchSession: () => rejectMissingProvider<User>(),
   removeSession: () => rejectMissingProvider<void>(),
   refreshSessions: () => rejectMissingProvider<void>(),
   setLanguage: () => rejectMissingProvider<void>(),

package/src/ui/screens/OxyAuthScreen.tsx

@@ -30,6 +30,7 @@ import { useOxy } from '../context/OxyContext';
 import QRCode from 'react-native-qrcode-svg';
 import OxyLogo from '../components/OxyLogo';
 import { createDebugLogger } from '@oxyhq/core';
+import { completeDeviceFlowSignIn } from '../../utils/deviceFlowSignIn';
 
 const debug = createDebugLogger('OxyAuthScreen');
 
@@ -119,7 +120,7 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
   theme,
 }) => {
   const bloomTheme = useTheme();
-  const { oxyServices, signIn, switchSession, clientId } = useOxy();
+  const { oxyServices, switchSession, clientId } = useOxy();
 
   const [authSession, setAuthSession] = useState<AuthSession | null>(null);
   const [isLoading, setIsLoading] = useState(true);
@@ -132,25 +133,42 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
   const isProcessingRef = useRef(false);
   const linkingHandledRef = useRef(false);
 
-  // Handle successful authorization
-  const handleAuthSuccess = useCallback(async (sessionId: string) => {
+  // Handle successful authorization.
+  //
+  // The auth-session socket / poll (or deep-link return) hands us the
+  // authorized `sessionId`. Before any session-management code can touch it we
+  // MUST first exchange the secret `sessionToken` (held only by this client,
+  // generated for THIS flow) for the first access token via
+  // `claimSessionByToken` — the device-flow equivalent of OAuth's
+  // code-for-token exchange (RFC 8628 §3.4).
+  //
+  // Without that exchange the SDK has no bearer token, so the subsequent
+  // `switchSession` -> `getTokenBySession` call (`GET /session/token/:id`) 401s
+  // against the C1-hardened API — the session is authorized server-side but the
+  // app never becomes authenticated and the sheet sits "Waiting for
+  // authorization..." forever. Once `claimSessionByToken` plants the tokens in
+  // the HttpService, the rest of the session wiring flows through the normal
+  // `switchSession` path. This mirrors `SignInModal`'s web flow exactly.
+  const handleAuthSuccess = useCallback(async (sessionId: string, sessionToken: string) => {
     if (isProcessingRef.current) return;
     isProcessingRef.current = true;
 
     try {
-      // Switch to the new session (this will get token, user data, and update state)
-      if (switchSession) {
-        const user = await switchSession(sessionId);
-        if (onAuthenticated) {
-          onAuthenticated(user);
-        }
-      } else {
-        // Fallback if switchSession not available (shouldn't happen, but for safety)
-        await oxyServices.getTokenBySession(sessionId);
-        const user = await oxyServices.getUserBySession(sessionId);
-        if (onAuthenticated) {
-          onAuthenticated(user);
-        }
+      // Claim the first access token with the secret sessionToken, then
+      // hydrate the session. The claim step is what the native screen was
+      // previously missing — see `completeDeviceFlowSignIn`. `switchSession`
+      // is always provided by the context here; the helper requires it.
+      if (!switchSession) {
+        throw new Error('Session management unavailable');
+      }
+      const user = await completeDeviceFlowSignIn({
+        oxyServices,
+        sessionId,
+        sessionToken,
+        switchSession,
+      });
+      if (onAuthenticated) {
+        onAuthenticated(user);
       }
     } catch (err) {
       debug.error('Error completing auth:', err);
@@ -189,7 +207,9 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
 
       if (payload.status === 'authorized' && payload.sessionId) {
         cleanup();
-        handleAuthSuccess(payload.sessionId);
+        // `sessionToken` is this flow's secret credential (in closure) — pass
+        // it through so `handleAuthSuccess` can claim the first access token.
+        handleAuthSuccess(payload.sessionId, sessionToken);
       } else if (payload.status === 'cancelled') {
         cleanup();
         setError('Authorization was denied.');
@@ -201,8 +221,11 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
 
     socket.on('connect_error', (err) => {
       debug.log('Socket connection error, falling back to polling:', (err instanceof Error ? err.message : null));
-      // Fall back to polling if socket fails
+      // Realtime transport errored — reflect the honest connection state. The
+      // poll is already running (started unconditionally in
+      // `generateAuthSession`), so `startPolling` here is a no-op backstop.
       socket.disconnect();
+      setConnectionType('polling');
       startPolling(sessionToken);
     });
 
@@ -211,9 +234,13 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
     });
   }, [oxyServices, handleAuthSuccess]);
 
-  // Start polling for authorization (fallback)
+  // Start polling for authorization.
+  //
+  // Idempotent: if a poll interval is already running this is a no-op, so the
+  // `connect_error` path (which also calls this) cannot stack a second interval
+  // on top of the always-on poll started in `generateAuthSession`.
   const startPolling = useCallback((sessionToken: string) => {
-    setConnectionType('polling');
+    if (pollingIntervalRef.current) return;
 
     pollingIntervalRef.current = setInterval(async () => {
       if (isProcessingRef.current) return;
@@ -228,7 +255,9 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
 
         if (response.authorized && response.sessionId) {
           cleanup();
-          handleAuthSuccess(response.sessionId);
+          // Pass the original sessionToken (in closure) through; the claim
+          // exchange needs it to mint the first access token.
+          handleAuthSuccess(response.sessionId, sessionToken);
         } else if (response.status === 'cancelled') {
           cleanup();
           setError('Authorization was denied.');
@@ -290,14 +319,17 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
       setAuthSession({ sessionToken, expiresAt });
       setIsWaiting(true);
 
-      // Try socket first, will fall back to polling if needed
+      // Socket is the fast path; the poll is a transport-independent backstop
+      // that guarantees completion even if the socket connects but silently
+      // never delivers auth_update (RN transport / idle-timeout).
       connectSocket(sessionToken);
+      startPolling(sessionToken);
     } catch (err: unknown) {
       setError((err instanceof Error ? err.message : null) || 'Failed to create auth session');
     } finally {
       setIsLoading(false);
     }
-  }, [oxyServices, connectSocket, clientId]);
+  }, [oxyServices, connectSocket, startPolling, clientId]);
 
   // Generate a random session token
   const generateSessionToken = (): string => {
@@ -379,10 +411,20 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
     }
 
     if (params.sessionId) {
+      // The deep-link return carries only `session_id` — the secret
+      // `sessionToken` for this flow lives in component state (generated in
+      // `generateAuthSession`). Without it we cannot claim the first access
+      // token, so the flow would 401 in `handleAuthSuccess`. If it is somehow
+      // unavailable, fall through to the socket/poll path (which carries the
+      // token in closure) rather than attempting an unauthenticated claim.
+      const flowSessionToken = authSession?.sessionToken;
+      if (!flowSessionToken) {
+        return;
+      }
       cleanup();
-      handleAuthSuccess(params.sessionId);
+      handleAuthSuccess(params.sessionId, flowSessionToken);
     }
-  }, [cleanup, handleAuthSuccess]);
+  }, [authSession, cleanup, handleAuthSuccess]);
 
   useEffect(() => {
     if (Platform.OS === 'web') {

package/src/utils/__tests__/deviceFlowSignIn.test.ts

@@ -0,0 +1,104 @@
+/**
+ * @jest-environment node
+ *
+ * Regression coverage for the NATIVE device-flow sign-in bug:
+ *
+ *   On native, tapping "Sign In with Oxy" opens `OxyAuthScreen`, which creates
+ *   a device-flow AuthSession and opens auth.oxy.so/authorize. The user signs
+ *   in successfully, the API authorizes the session and notifies the client via
+ *   the auth-session socket — but the screen then called `switchSession`
+ *   DIRECTLY without first claiming the bearer with the secret `sessionToken`.
+ *   `switchSession` -> `getTokenBySession` (`GET /session/token/:id`) requires a
+ *   bearer the client did not yet hold, so it 401'd: the session was authorized
+ *   server-side but the app never became authenticated ("nothing happens").
+ *
+ *   The web `SignInModal` already claimed first; the native screen did not.
+ *   `completeDeviceFlowSignIn` consolidates the claim->switch sequence so both
+ *   paths are identical. These tests pin the ORDER (claim before switch) and the
+ *   fail-fast behaviour.
+ */
+
+import type { User } from '@oxyhq/core';
+import {
+  completeDeviceFlowSignIn,
+  type DeviceFlowClient,
+} from '../deviceFlowSignIn';
+
+const SESSION_ID = 'session-id-123';
+const SESSION_TOKEN = 'a'.repeat(32);
+const USER = { id: 'user-1', username: 'nate', privacySettings: {} } as User;
+
+describe('completeDeviceFlowSignIn', () => {
+  it('claims the sessionToken BEFORE switching the session', async () => {
+    const order: string[] = [];
+
+    const oxyServices: DeviceFlowClient = {
+      claimSessionByToken: jest.fn(async (token: string) => {
+        expect(token).toBe(SESSION_TOKEN);
+        order.push('claim');
+      }),
+    };
+    const switchSession = jest.fn(async (sessionId: string): Promise<User> => {
+      expect(sessionId).toBe(SESSION_ID);
+      order.push('switch');
+      return USER;
+    });
+
+    const user = await completeDeviceFlowSignIn({
+      oxyServices,
+      sessionId: SESSION_ID,
+      sessionToken: SESSION_TOKEN,
+      switchSession,
+    });
+
+    expect(order).toEqual(['claim', 'switch']);
+    expect(oxyServices.claimSessionByToken).toHaveBeenCalledWith(SESSION_TOKEN);
+    expect(switchSession).toHaveBeenCalledWith(SESSION_ID);
+    expect(user).toBe(USER);
+  });
+
+  it('does NOT switch the session when the claim fails (the native regression)', async () => {
+    const claimError = new Error('claim failed (401)');
+    const oxyServices: DeviceFlowClient = {
+      claimSessionByToken: jest.fn(async () => {
+        throw claimError;
+      }),
+    };
+    const switchSession = jest.fn(async (): Promise<User> => USER);
+
+    await expect(
+      completeDeviceFlowSignIn({
+        oxyServices,
+        sessionId: SESSION_ID,
+        sessionToken: SESSION_TOKEN,
+        switchSession,
+      }),
+    ).rejects.toThrow('claim failed (401)');
+
+    // The bearer was never planted, so we must not attempt the bearer-protected
+    // switch — surfacing the failure to the caller instead.
+    expect(switchSession).not.toHaveBeenCalled();
+  });
+
+  it('propagates a switchSession failure after a successful claim', async () => {
+    const switchError = new Error('session invalid');
+    const oxyServices: DeviceFlowClient = {
+      claimSessionByToken: jest.fn(async () => undefined),
+    };
+    const switchSession = jest.fn(async (): Promise<User> => {
+      throw switchError;
+    });
+
+    await expect(
+      completeDeviceFlowSignIn({
+        oxyServices,
+        sessionId: SESSION_ID,
+        sessionToken: SESSION_TOKEN,
+        switchSession,
+      }),
+    ).rejects.toThrow('session invalid');
+
+    expect(oxyServices.claimSessionByToken).toHaveBeenCalledTimes(1);
+    expect(switchSession).toHaveBeenCalledTimes(1);
+  });
+});

package/src/utils/deviceFlowSignIn.ts

@@ -0,0 +1,76 @@
+/**
+ * Shared, pure orchestration for completing the cross-app device-flow sign-in
+ * (the QR-code / "Open Oxy Auth" path used on native and web).
+ *
+ * THE BUG THIS FIXES (native): once another authenticated device approves the
+ * pending AuthSession, the originating client is notified (socket / poll /
+ * deep-link) with the authorized `sessionId`. Before any session-management
+ * code can use it, the client MUST exchange the secret 128-bit `sessionToken`
+ * (held only by this client, generated for THIS flow) for the first access
+ * token via `claimSessionByToken` — the device-flow equivalent of OAuth's
+ * code-for-token exchange (RFC 8628 §3.4).
+ *
+ * Skipping the claim leaves the SDK with NO bearer token, so the subsequent
+ * `switchSession` -> `getTokenBySession` (`GET /session/token/:id`) call 401s
+ * against the C1-hardened API: the session is authorized server-side but the
+ * app never becomes authenticated and the UI sits "Waiting for
+ * authorization..." forever. The web `SignInModal` already claimed first; the
+ * native `OxyAuthScreen` did not. Consolidating the claim→switch sequence here
+ * keeps both paths identical and unit-testable, and prevents future drift.
+ */
+
+import type { User } from '@oxyhq/core';
+
+/**
+ * The minimal `OxyServices` surface this orchestration needs. Kept as a
+ * structural type (rather than importing the full client) so the helper is
+ * trivially unit-testable with a stub and never pulls the RN/Expo runtime into
+ * a test bundle.
+ */
+export interface DeviceFlowClient {
+  /**
+   * Exchange the device-flow `sessionToken` for the first access + refresh
+   * token, planting them on the client. Single-use; replay is rejected by the
+   * API. No bearer required — the high-entropy `sessionToken` IS the credential.
+   */
+  claimSessionByToken: (sessionToken: string) => Promise<unknown>;
+}
+
+export interface CompleteDeviceFlowSignInOptions {
+  /** The OxyServices client (or any object exposing `claimSessionByToken`). */
+  oxyServices: DeviceFlowClient;
+  /** The authorized device session id, delivered by the socket / poll / link. */
+  sessionId: string;
+  /**
+   * The secret `sessionToken` generated for THIS flow and registered via
+   * `POST /auth/session/create`. Required to claim the first access token.
+   */
+  sessionToken: string;
+  /**
+   * The session-management `switchSession` from `useOxy()`. Hydrates the
+   * activated session (validates, fetches the user, persists, updates state).
+   * Runs AFTER the bearer is planted so its bearer-protected calls succeed.
+   */
+  switchSession: (sessionId: string) => Promise<User>;
+}
+
+/**
+ * Complete a device-flow sign-in: claim the first access token with the secret
+ * `sessionToken` (planting the bearer), then hydrate the session via
+ * `switchSession`. Returns the authenticated user.
+ *
+ * Throws if either the claim or the switch fails; callers surface a retry UI.
+ */
+export async function completeDeviceFlowSignIn({
+  oxyServices,
+  sessionId,
+  sessionToken,
+  switchSession,
+}: CompleteDeviceFlowSignInOptions): Promise<User> {
+  // 1) Plant the bearer + refresh tokens. Without this the bearer-protected
+  //    `getTokenBySession` inside `switchSession` 401s (the native regression).
+  await oxyServices.claimSessionByToken(sessionToken);
+
+  // 2) Bearer is now planted — hydrate the session through the normal path.
+  return switchSession(sessionId);
+}