@oxyhq/services 5.16.22 → 5.16.24

package/src/core/HttpService.ts

@@ -17,17 +17,8 @@ import { TTLCache, registerCacheForCleanup } from '../utils/cache';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from '../utils/requestUtils';
 import { retryAsync } from '../utils/asyncUtils';
 import { handleHttpError } from '../utils/errorUtils';
-import { jwtDecode } from 'jwt-decode';
 import type { OxyConfig } from '../models/interfaces';
 
-interface JwtPayload {
-  exp?: number;
-  userId?: string;
-  id?: string;
-  sessionId?: string;
-  [key: string]: any;
-}
-
 export interface RequestOptions {
   cache?: boolean;
   cacheTTL?: number;
@@ -46,45 +37,8 @@ interface RequestConfig extends RequestOptions {
   params?: Record<string, unknown>;
 }
 
-/**
- * Token store for authentication (singleton)
- */
-class TokenStore {
-  private static instance: TokenStore;
-  private accessToken: string | null = null;
-  private refreshToken: string | null = null;
-
-  private constructor() {}
-
-  static getInstance(): TokenStore {
-    if (!TokenStore.instance) {
-      TokenStore.instance = new TokenStore();
-    }
-    return TokenStore.instance;
-  }
-
-  setTokens(accessToken: string, refreshToken = ''): void {
-    this.accessToken = accessToken;
-    this.refreshToken = refreshToken;
-  }
-
-  getAccessToken(): string | null {
-    return this.accessToken;
-  }
-
-  getRefreshToken(): string | null {
-    return this.refreshToken;
-  }
-
-  clearTokens(): void {
-    this.accessToken = null;
-    this.refreshToken = null;
-  }
-
-  hasAccessToken(): boolean {
-    return !!this.accessToken;
-  }
-}
+// Token management moved to TokenService - import it instead
+import { tokenService } from './services/TokenService';
 
 /**
  * Unified HTTP Service
@@ -94,7 +48,6 @@ class TokenStore {
  */
 export class HttpService {
   private baseURL: string;
-  private tokenStore: TokenStore;
   private cache: TTLCache<any>;
   private deduplicator: RequestDeduplicator;
   private requestQueue: RequestQueue;
@@ -114,7 +67,9 @@ export class HttpService {
   constructor(config: OxyConfig) {
     this.config = config;
     this.baseURL = config.baseURL;
-    this.tokenStore = TokenStore.getInstance();
+    
+    // Initialize TokenService with baseURL
+    tokenService.initialize(this.baseURL);
     
     this.logger = new SimpleLogger(
       config.enableLogging || false,
@@ -261,7 +216,7 @@ export class HttpService {
         // Handle response
         if (!response.ok) {
           if (response.status === 401) {
-            this.tokenStore.clearTokens();
+            tokenService.clearTokens();
           }
           
           // Try to parse error response (handle empty/malformed JSON)
@@ -415,45 +370,10 @@ export class HttpService {
 
   /**
    * Get auth header with automatic token refresh
+   * Uses TokenService for all token operations
    */
   private async getAuthHeader(): Promise<string | null> {
-    const accessToken = this.tokenStore.getAccessToken();
-    if (!accessToken) {
-      return null;
-    }
-
-    try {
-      const decoded = jwtDecode<JwtPayload>(accessToken);
-      const currentTime = Math.floor(Date.now() / 1000);
-
-      // If token expires in less than 60 seconds, refresh it
-      if (decoded.exp && decoded.exp - currentTime < 60 && decoded.sessionId) {
-        try {
-          const refreshUrl = `${this.baseURL}/api/session/token/${decoded.sessionId}`;
-          
-          // Use AbortSignal.timeout for consistent timeout handling
-          const response = await fetch(refreshUrl, {
-            method: 'GET',
-            headers: { 'Accept': 'application/json' },
-            signal: AbortSignal.timeout(5000),
-          });
-
-          if (response.ok) {
-            const { accessToken: newToken } = await response.json();
-            this.tokenStore.setTokens(newToken);
-            this.logger.debug('Token refreshed');
-            return `Bearer ${newToken}`;
-          }
-        } catch (refreshError) {
-          this.logger.warn('Token refresh failed, using current token');
-        }
-      }
-
-      return `Bearer ${accessToken}`;
-    } catch (error) {
-      this.logger.error('Error processing token:', error);
-      return `Bearer ${accessToken}`;
-    }
+    return await tokenService.getAuthHeader();
   }
 
   /**
@@ -558,21 +478,21 @@ export class HttpService {
     return { data: result as T };
   }
 
-  // Token management
+  // Token management - delegates to TokenService
   setTokens(accessToken: string, refreshToken = ''): void {
-    this.tokenStore.setTokens(accessToken, refreshToken);
+    tokenService.setTokens(accessToken, refreshToken);
   }
 
   clearTokens(): void {
-    this.tokenStore.clearTokens();
+    tokenService.clearTokens();
   }
 
   getAccessToken(): string | null {
-    return this.tokenStore.getAccessToken();
+    return tokenService.getAccessToken();
   }
 
   hasAccessToken(): boolean {
-    return this.tokenStore.hasAccessToken();
+    return tokenService.hasAccessToken();
   }
 
   getBaseURL(): string {
@@ -606,10 +526,10 @@ export class HttpService {
   // Test-only utility
   static __resetTokensForTests(): void {
     try {
-      TokenStore.getInstance().clearTokens();
+      tokenService.clearTokens();
     } catch (error) {
       // Silently fail in test cleanup - this is expected behavior
-      // TokenStore might not be initialized in some test scenarios
+      // TokenService might not be initialized in some test scenarios
     }
   }
 }

package/src/core/OxyServices.base.ts

@@ -3,24 +3,16 @@
  * 
  * Contains core infrastructure, HTTP client, request management, and error handling
  */
-import { jwtDecode } from 'jwt-decode';
 import type { OxyConfig as OxyConfigBase, ApiError, User } from '../models/interfaces';
 import { handleHttpError } from '../utils/errorUtils';
 import { HttpService, type RequestOptions } from './HttpService';
 import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
+import { tokenService } from './services/TokenService';
 
 export interface OxyConfig extends OxyConfigBase {
   cloudURL?: string;
 }
 
-interface JwtPayload {
-  exp?: number;
-  userId?: string;
-  id?: string;
-  sessionId?: string;
-  [key: string]: any;
-}
-
 /**
  * Base class for OxyServices with core infrastructure
  */
@@ -135,19 +127,10 @@ export class OxyServicesBase {
 
   /**
    * Get the current user ID from the access token
+   * Returns MongoDB ObjectId (never publicKey)
    */
   public getCurrentUserId(): string | null {
-    const accessToken = this.httpService.getAccessToken();
-    if (!accessToken) {
-      return null;
-    }
-    
-    try {
-      const decoded = jwtDecode<JwtPayload>(accessToken);
-      return decoded.userId || decoded.id || null;
-    } catch (error) {
-      return null;
-    }
+    return tokenService.getUserIdFromToken();
   }
 
   /**

package/src/core/services/SessionService.ts

@@ -0,0 +1,173 @@
+/**
+ * SessionService - Single Source of Truth for Session Management
+ * 
+ * Handles all session operations: creation, validation, refresh, invalidation.
+ * Manages active session state and provides session data to other services.
+ * 
+ * Architecture:
+ * - Single source of truth for session operations
+ * - Handles both online and offline sessions
+ * - Integrates with TokenService for token management
+ * - userId is always MongoDB ObjectId, never publicKey
+ */
+
+import type { OxyServices } from '../OxyServices';
+import { tokenService } from './TokenService';
+import type { ClientSession, SessionLoginResponse } from '../../models/session';
+import type { User } from '../../models/interfaces';
+
+export interface Session {
+  sessionId: string;
+  deviceId: string;
+  userId: string;  // MongoDB ObjectId - PRIMARY IDENTIFIER
+  expiresAt: string;
+  lastActive: string;
+  isCurrent: boolean;
+  isOffline?: boolean;
+}
+
+/**
+ * SessionService - Singleton pattern for global session management
+ */
+class SessionService {
+  private static instance: SessionService;
+  private oxyServices: OxyServices | null = null;
+  private activeSession: Session | null = null;
+  private sessions: Session[] = [];
+
+  private constructor() {}
+
+  static getInstance(): SessionService {
+    if (!SessionService.instance) {
+      SessionService.instance = new SessionService();
+    }
+    return SessionService.instance;
+  }
+
+  /**
+   * Initialize SessionService with OxyServices instance
+   */
+  initialize(oxyServices: OxyServices): void {
+    this.oxyServices = oxyServices;
+  }
+
+  /**
+   * Get active session
+   */
+  getActiveSession(): Session | null {
+    return this.activeSession;
+  }
+
+  /**
+   * Get all sessions
+   */
+  getAllSessions(): Session[] {
+    return [...this.sessions];
+  }
+
+  /**
+   * Create a new session (sign in)
+   * @param publicKey - User's public key for authentication
+   * @returns User object and session data
+   */
+  async createSession(publicKey: string): Promise<{ user: User; session: Session }> {
+    if (!this.oxyServices) {
+      throw new Error('SessionService not initialized with OxyServices');
+    }
+
+    // This will be implemented by delegating to existing sign-in logic
+    // For now, this is a placeholder that shows the interface
+    throw new Error('SessionService.createSession not yet implemented - use existing signIn flow');
+  }
+
+  /**
+   * Refresh current session
+   */
+  async refreshSession(): Promise<Session> {
+    if (!this.activeSession) {
+      throw new Error('No active session to refresh');
+    }
+
+    // Refresh token first
+    await tokenService.refreshTokenIfNeeded();
+
+    // Then refresh session data from server
+    // Implementation will be added
+    return this.activeSession;
+  }
+
+  /**
+   * Validate current session
+   */
+  async validateSession(): Promise<boolean> {
+    if (!this.activeSession) {
+      return false;
+    }
+
+    // Check if session expired
+    if (new Date(this.activeSession.expiresAt) < new Date()) {
+      return false;
+    }
+
+    // Check if token is valid
+    const token = tokenService.getAccessToken();
+    if (!token) {
+      return false;
+    }
+
+    // Additional validation can be added here
+    return true;
+  }
+
+  /**
+   * Invalidate current session (sign out)
+   */
+  async invalidateSession(): Promise<void> {
+    if (!this.activeSession || !this.oxyServices) {
+      return;
+    }
+
+    try {
+      // Call API to invalidate session on server
+      await this.oxyServices.makeRequest('POST', `/api/session/${this.activeSession.sessionId}/logout`, undefined, { cache: false });
+    } catch (error) {
+      // Continue with local cleanup even if API call fails
+      console.warn('Failed to invalidate session on server:', error);
+    }
+
+    // Clear tokens
+    tokenService.clearTokens();
+
+    // Clear active session
+    this.activeSession = null;
+    this.sessions = this.sessions.filter(s => s.sessionId !== this.activeSession?.sessionId);
+  }
+
+  /**
+   * Set active session (internal use)
+   */
+  setActiveSession(session: Session): void {
+    this.activeSession = session;
+    
+    // Update sessions list
+    const existingIndex = this.sessions.findIndex(s => s.sessionId === session.sessionId);
+    if (existingIndex >= 0) {
+      this.sessions[existingIndex] = session;
+    } else {
+      this.sessions.push(session);
+    }
+  }
+
+  /**
+   * Clear all sessions (logout all)
+   */
+  clearAllSessions(): void {
+    this.activeSession = null;
+    this.sessions = [];
+    tokenService.clearTokens();
+  }
+}
+
+// Export singleton instance
+export const sessionService = SessionService.getInstance();
+

package/src/core/services/TokenService.ts

@@ -0,0 +1,226 @@
+/**
+ * TokenService - Single Source of Truth for Token Management
+ * 
+ * Handles all token storage, retrieval, refresh, and validation.
+ * Used by HttpService, SocketService, and other services that need tokens.
+ * 
+ * Architecture:
+ * - Single storage location (no duplication)
+ * - Automatic token refresh when expiring soon
+ * - Type-safe token payload handling
+ * - userId is always MongoDB ObjectId, never publicKey
+ */
+
+import { jwtDecode } from 'jwt-decode';
+
+/**
+ * AccessTokenPayload - Matches the token payload structure from API
+ * userId is always MongoDB ObjectId (24 hex characters), never publicKey
+ */
+interface AccessTokenPayload {
+  userId: string;      // MongoDB ObjectId - PRIMARY IDENTIFIER
+  sessionId: string;   // Session UUID
+  deviceId: string;   // Device identifier
+  type: 'access';
+  iat?: number;        // Issued at (added by JWT)
+  exp?: number;        // Expiration (added by JWT)
+}
+
+interface TokenStore {
+  accessToken: string | null;
+  refreshToken: string | null;
+}
+
+/**
+ * TokenService - Singleton pattern for global token management
+ */
+class TokenService {
+  private static instance: TokenService;
+  private tokenStore: TokenStore = {
+    accessToken: null,
+    refreshToken: null,
+  };
+  private refreshPromise: Promise<void> | null = null;
+  private baseURL: string | null = null;
+
+  private constructor() {}
+
+  static getInstance(): TokenService {
+    if (!TokenService.instance) {
+      TokenService.instance = new TokenService();
+    }
+    return TokenService.instance;
+  }
+
+  /**
+   * Initialize TokenService with base URL for refresh requests
+   */
+  initialize(baseURL: string): void {
+    this.baseURL = baseURL;
+  }
+
+  /**
+   * Get current access token
+   */
+  getAccessToken(): string | null {
+    return this.tokenStore.accessToken;
+  }
+
+  /**
+   * Get current refresh token
+   */
+  getRefreshToken(): string | null {
+    return this.tokenStore.refreshToken;
+  }
+
+  /**
+   * Set tokens (called after login or token refresh)
+   */
+  setTokens(accessToken: string, refreshToken: string = ''): void {
+    this.tokenStore.accessToken = accessToken;
+    this.tokenStore.refreshToken = refreshToken || this.tokenStore.refreshToken;
+  }
+
+  /**
+   * Clear all tokens (called on logout)
+   */
+  clearTokens(): void {
+    this.tokenStore.accessToken = null;
+    this.tokenStore.refreshToken = null;
+    this.refreshPromise = null;
+  }
+
+  /**
+   * Check if access token exists
+   */
+  hasAccessToken(): boolean {
+    return !!this.tokenStore.accessToken;
+  }
+
+  /**
+   * Check if token is expiring soon (within 60 seconds)
+   */
+  isTokenExpiringSoon(): boolean {
+    const token = this.tokenStore.accessToken;
+    if (!token) return false;
+
+    try {
+      const decoded = jwtDecode<AccessTokenPayload>(token);
+      if (!decoded.exp) return false;
+
+      const currentTime = Math.floor(Date.now() / 1000);
+      return decoded.exp - currentTime < 60; // Expiring within 60 seconds
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Get userId from current access token
+   * Returns MongoDB ObjectId (never publicKey)
+   */
+  getUserIdFromToken(): string | null {
+    const token = this.tokenStore.accessToken;
+    if (!token) return null;
+
+    try {
+      const decoded = jwtDecode<AccessTokenPayload>(token);
+      return decoded.userId || null;
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Refresh access token if expiring soon
+   * Returns promise that resolves when token is refreshed (or already valid)
+   */
+  async refreshTokenIfNeeded(): Promise<void> {
+    // If already refreshing, wait for that promise
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+
+    // If token not expiring soon, no refresh needed
+    if (!this.isTokenExpiringSoon()) {
+      return;
+    }
+
+    // Start refresh
+    this.refreshPromise = this._performRefresh();
+    
+    try {
+      await this.refreshPromise;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+
+  /**
+   * Perform token refresh
+   */
+  private async _performRefresh(): Promise<void> {
+    const token = this.tokenStore.accessToken;
+    if (!token) {
+      throw new Error('No access token to refresh');
+    }
+
+    try {
+      const decoded = jwtDecode<AccessTokenPayload>(token);
+      if (!decoded.sessionId) {
+        throw new Error('Token missing sessionId');
+      }
+
+      if (!this.baseURL) {
+        throw new Error('TokenService not initialized with baseURL');
+      }
+
+      const refreshUrl = `${this.baseURL}/api/session/token/${decoded.sessionId}`;
+      
+      const response = await fetch(refreshUrl, {
+        method: 'GET',
+        headers: { 'Accept': 'application/json' },
+        signal: AbortSignal.timeout(5000),
+      });
+
+      if (!response.ok) {
+        throw new Error(`Token refresh failed: ${response.status}`);
+      }
+
+      const { accessToken: newToken } = await response.json();
+      
+      if (!newToken) {
+        throw new Error('No access token in refresh response');
+      }
+
+      // Validate new token has correct userId format (ObjectId)
+      const newDecoded = jwtDecode<AccessTokenPayload>(newToken);
+      if (newDecoded.userId && !/^[0-9a-fA-F]{24}$/.test(newDecoded.userId)) {
+        throw new Error(`Invalid userId format in refreshed token: ${newDecoded.userId.substring(0, 20)}...`);
+      }
+
+      this.setTokens(newToken);
+    } catch (error) {
+      // Clear tokens on refresh failure (likely expired or invalid)
+      this.clearTokens();
+      throw error;
+    }
+  }
+
+  /**
+   * Get authorization header with automatic refresh
+   */
+  async getAuthHeader(): Promise<string | null> {
+    // Refresh if needed
+    await this.refreshTokenIfNeeded().catch(() => {
+      // Ignore refresh errors, will use current token or return null
+    });
+
+    const token = this.tokenStore.accessToken;
+    return token ? `Bearer ${token}` : null;
+  }
+}
+
+// Export singleton instance
+export const tokenService = TokenService.getInstance();
+

package/src/models/interfaces.ts

@@ -21,9 +21,23 @@ export interface OxyConfig {
   onRequestError?: (url: string, method: string, error: Error) => void;
 }
 
+/**
+ * User Model
+ * 
+ * IMPORTANT: 
+ * - id: MongoDB ObjectId (24 hex characters) - PRIMARY IDENTIFIER for all internal operations
+ * - publicKey: Cryptographic public key (130 hex characters) - LOOKUP KEY for authentication and identity operations
+ * 
+ * Never use publicKey as an ID. Always use id (ObjectId) for:
+ * - Database queries
+ * - Session userId
+ * - Token userId
+ * - Socket room names
+ * - API route parameters (unless explicitly doing publicKey lookup)
+ */
 export interface User {
-  id: string;
-  publicKey: string;
+  id: string;           // MongoDB ObjectId - PRIMARY IDENTIFIER (always 24 hex chars)
+  publicKey: string;    // Cryptographic public key - LOOKUP KEY (130 hex chars for secp256k1)
   username: string;
   email?: string;
   // Avatar file id (asset id)

package/src/models/session.ts

@@ -1,9 +1,16 @@
+/**
+ * Client Session Model
+ * 
+ * IMPORTANT:
+ * - userId: MongoDB ObjectId (24 hex characters), never publicKey
+ * - Used for session management and user identification
+ */
 export interface ClientSession {
   sessionId: string;
   deviceId: string;
   expiresAt: string;
   lastActive: string;
-  userId?: string;
+  userId?: string;  // MongoDB ObjectId - PRIMARY IDENTIFIER (never publicKey)
   isCurrent?: boolean;
 }