@oxyhq/services 5.16.40 → 5.16.41

package/src/core/identity-session/IdentitySessionCore.ts

@@ -0,0 +1,464 @@
+/**
+ * Identity Session Core
+ * 
+ * Main orchestrator for identity and session management.
+ * Provides a unified API for all identity and session operations.
+ */
+
+import type { PlatformAdapter } from '../../adapters';
+import type { Identity, Session, Device, BackupData, IdentitySessionEvent } from './types';
+import { IdentityManager } from './IdentityManager';
+import { SessionManager } from './SessionManager';
+import { DeviceManager } from './DeviceManager';
+import { RefreshManager } from './RefreshManager';
+import {
+  createIdentitySessionError,
+  IdentitySessionErrorCodes,
+} from './errors';
+
+/**
+ * Identity Session Core Class
+ */
+export class IdentitySessionCore {
+  private adapter: PlatformAdapter;
+  private identityManager: IdentityManager;
+  private sessionManager: SessionManager;
+  private deviceManager: DeviceManager;
+  private refreshManager: RefreshManager;
+  private baseURL: string | null = null;
+  private eventListeners: Set<(event: IdentitySessionEvent) => void> = new Set();
+  private initialized: boolean = false;
+
+  constructor(adapter: PlatformAdapter, baseURL?: string) {
+    this.adapter = adapter;
+    this.baseURL = baseURL || null;
+
+    // Initialize managers
+    this.identityManager = new IdentityManager(adapter);
+    this.deviceManager = new DeviceManager(adapter);
+    this.refreshManager = new RefreshManager(adapter, baseURL);
+    this.sessionManager = new SessionManager(
+      adapter,
+      this.deviceManager,
+      this.refreshManager,
+      baseURL
+    );
+  }
+
+  /**
+   * Set base URL for API requests
+   */
+  setBaseURL(baseURL: string): void {
+    this.baseURL = baseURL;
+    this.sessionManager.setBaseURL(baseURL);
+    this.refreshManager.setBaseURL(baseURL);
+  }
+
+  /**
+   * Initialize the core (load data from storage)
+   */
+  async initialize(): Promise<void> {
+    if (this.initialized) {
+      return;
+    }
+
+    await this.sessionManager.initialize();
+    this.initialized = true;
+  }
+
+  /**
+   * Emit an event to all subscribers
+   */
+  private emit(event: IdentitySessionEvent): void {
+    this.eventListeners.forEach(listener => {
+      try {
+        listener(event);
+      } catch (error) {
+        console.error('[IdentitySessionCore] Error in event listener:', error);
+      }
+    });
+  }
+
+  // ==================== Identity Operations ====================
+
+  /**
+   * Get current identity (SOLO NATIVE)
+   */
+  async getCurrentIdentity(): Promise<Identity | null> {
+    if (this.adapter.platform !== 'native') {
+      return null; // Identity only exists on native
+    }
+
+    const publicKey = await this.identityManager.getPublicKey();
+    if (!publicKey) {
+      return null;
+    }
+
+    // Identity object would need to be fetched from server
+    // For now, return a minimal identity object
+    return {
+      id: '', // Would be fetched from server
+      publicKey,
+    } as Identity;
+  }
+
+  /**
+   * Create a new identity (SOLO NATIVE)
+   */
+  async createIdentity(username?: string): Promise<Identity> {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Identity creation is only available on native platforms'
+      );
+    }
+
+    try {
+      const publicKey = await this.identityManager.createIdentity();
+      
+      const identity: Identity = {
+        id: '', // Will be set after sync with server
+        publicKey,
+        username,
+      };
+
+      this.emit({ type: 'identity:created', identity });
+      return identity;
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_CREATION_FAILED,
+        `Failed to create identity: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Import identity from backup (SOLO NATIVE)
+   */
+  async importIdentity(backupData: BackupData, password: string): Promise<Identity> {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Identity import is only available on native platforms'
+      );
+    }
+
+    try {
+      const publicKey = await this.identityManager.decryptAndImportBackup(backupData, password);
+      
+      const identity: Identity = {
+        id: '', // Will be set after sync with server
+        publicKey,
+      };
+
+      this.emit({ type: 'identity:imported', identity });
+      return identity;
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_IMPORT_FAILED,
+        `Failed to import identity: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Delete identity (SOLO NATIVE)
+   */
+  async deleteIdentity(
+    skipBackup: boolean = false,
+    force: boolean = false,
+    userConfirmed: boolean = false
+  ): Promise<void> {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Identity deletion is only available on native platforms'
+      );
+    }
+
+    try {
+      await this.identityManager.deleteIdentity(skipBackup, force, userConfirmed);
+      this.emit({ type: 'identity:deleted' });
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_DELETE_FAILED,
+        `Failed to delete identity: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Sign a challenge (SOLO NATIVE)
+   */
+  async signChallenge(challenge: string): Promise<string> {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Challenge signing is only available on native platforms'
+      );
+    }
+
+    try {
+      return await this.identityManager.signChallenge(challenge);
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_FOUND,
+        `Failed to sign challenge: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Generate a random challenge string
+   */
+  async generateChallenge(): Promise<string> {
+    const randomBytes = await this.adapter.crypto.getRandomBytes(32);
+    return Array.from(randomBytes, byte => byte.toString(16).padStart(2, '0')).join('');
+  }
+
+  /**
+   * Create a registration signature (SOLO NATIVE)
+   */
+  async createRegistrationSignature(): Promise<{ signature: string; publicKey: string; timestamp: number }> {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Registration signature is only available on native platforms'
+      );
+    }
+
+    const publicKey = await this.identityManager.getPublicKey();
+    if (!publicKey) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_FOUND,
+        'No identity found. Please create or import an identity first.'
+      );
+    }
+
+    const timestamp = Date.now();
+    const message = `oxy:register:${publicKey}:${timestamp}`;
+    const messageHash = await this.adapter.crypto.digestStringAsync('SHA256', message);
+    const signature = await this.identityManager.signChallenge(messageHash);
+
+    return {
+      signature,
+      publicKey,
+      timestamp,
+    };
+  }
+
+  /**
+   * Sign challenge for authentication (SOLO NATIVE)
+   * Returns AuthChallenge object with signature, publicKey, and timestamp
+   */
+  async signChallengeForAuth(challenge: string): Promise<{ challenge: string; signature: string; publicKey: string; timestamp: number }> {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Challenge signing is only available on native platforms'
+      );
+    }
+
+    const publicKey = await this.identityManager.getPublicKey();
+    if (!publicKey) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_FOUND,
+        'No identity found. Please create or import an identity first.'
+      );
+    }
+
+    const timestamp = Date.now();
+    const message = `auth:${publicKey}:${challenge}:${timestamp}`;
+    const messageHash = await this.adapter.crypto.digestStringAsync('SHA256', message);
+    const signature = await this.identityManager.signChallenge(messageHash);
+
+    return {
+      challenge,
+      signature,
+      publicKey,
+      timestamp,
+    };
+  }
+
+  /**
+   * Check if identity exists
+   */
+  async hasIdentity(): Promise<boolean> {
+    return await this.identityManager.hasIdentity();
+  }
+
+  /**
+   * Get public key
+   */
+  async getPublicKey(): Promise<string | null> {
+    return await this.identityManager.getPublicKey();
+  }
+
+  // ==================== Session Operations ====================
+
+  /**
+   * Get current session (Native + Web)
+   */
+  async getSession(): Promise<Session | null> {
+    return await this.sessionManager.getSession();
+  }
+
+  /**
+   * Get all sessions (Native + Web)
+   */
+  async getAllSessions(): Promise<Session[]> {
+    return await this.sessionManager.getAllSessions();
+  }
+
+  /**
+   * Get active session ID (Native + Web)
+   */
+  async getActiveSessionId(): Promise<string | null> {
+    return await this.sessionManager.getActiveSessionId();
+  }
+
+  /**
+   * Create a new session (sign in) (Native + Web)
+   */
+  async createSession(deviceName?: string): Promise<Session> {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Session creation requires identity, which is only available on native platforms'
+      );
+    }
+
+    const publicKey = await this.identityManager.getPublicKey();
+    if (!publicKey) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_FOUND,
+        'No identity found. Please create or import an identity first.'
+      );
+    }
+
+    // Generate challenge and sign it
+    const timestamp = Date.now();
+    const challenge = `auth:${publicKey}:${timestamp}`;
+    const signature = await this.identityManager.signChallenge(challenge);
+
+    try {
+      const session = await this.sessionManager.createSession(
+        publicKey,
+        signature,
+        timestamp,
+        deviceName
+      );
+
+      this.emit({ type: 'session:created', session });
+      return session;
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.SESSION_CREATION_FAILED,
+        `Failed to create session: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Refresh current session (Native + Web)
+   */
+  async refreshSession(): Promise<Session> {
+    try {
+      const session = await this.sessionManager.refreshSession();
+      this.emit({ type: 'session:refreshed', session });
+      return session;
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.SESSION_REFRESH_FAILED,
+        `Failed to refresh session: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Invalidate a session (Native + Web)
+   */
+  async invalidateSession(sessionId?: string): Promise<void> {
+    try {
+      await this.sessionManager.invalidateSession(sessionId);
+      const targetSessionId = sessionId || await this.sessionManager.getActiveSessionId();
+      if (targetSessionId) {
+        this.emit({ type: 'session:invalidated', sessionId: targetSessionId });
+      }
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.SESSION_INVALID,
+        `Failed to invalidate session: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Invalidate all sessions (Native + Web)
+   */
+  async invalidateAllSessions(): Promise<void> {
+    try {
+      await this.sessionManager.invalidateAllSessions();
+      this.emit({ type: 'session:all-invalidated' });
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.SESSION_INVALID,
+        `Failed to invalidate all sessions: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  // ==================== Device Operations ====================
+
+  /**
+   * Get current device (Native + Web)
+   */
+  async getCurrentDevice(): Promise<Device | null> {
+    return await this.deviceManager.getCurrentDevice();
+  }
+
+  // ==================== Subscriptions ====================
+
+  /**
+   * Subscribe to identity and session events
+   */
+  subscribe(callback: (event: IdentitySessionEvent) => void): () => void {
+    this.eventListeners.add(callback);
+
+    // Return unsubscribe function
+    return () => {
+      this.eventListeners.delete(callback);
+    };
+  }
+
+  // ==================== Internal Access ====================
+
+  /**
+   * Get identity manager (for advanced operations)
+   */
+  getIdentityManager(): IdentityManager {
+    return this.identityManager;
+  }
+
+  /**
+   * Get session manager (for advanced operations)
+   */
+  getSessionManager(): SessionManager {
+    return this.sessionManager;
+  }
+
+  /**
+   * Get device manager (for advanced operations)
+   */
+  getDeviceManager(): DeviceManager {
+    return this.deviceManager;
+  }
+
+  /**
+   * Get refresh manager (for advanced operations)
+   */
+  getRefreshManager(): RefreshManager {
+    return this.refreshManager;
+  }
+}
+

package/src/core/identity-session/RefreshManager.ts

@@ -0,0 +1,189 @@
+/**
+ * Refresh Manager
+ * 
+ * Manages token refresh operations (Native + Web)
+ */
+
+import { jwtDecode } from 'jwt-decode';
+import type { PlatformAdapter } from '../../adapters';
+import {
+  createIdentitySessionError,
+  IdentitySessionErrorCodes,
+} from './errors';
+
+interface AccessTokenPayload {
+  userId: string;      // MongoDB ObjectId
+  sessionId: string;   // Session UUID
+  deviceId: string;    // Device identifier
+  type: 'access';
+  iat?: number;
+  exp?: number;
+}
+
+/**
+ * Refresh Manager Class
+ */
+export class RefreshManager {
+  private adapter: PlatformAdapter;
+  private baseURL: string | null = null;
+  private refreshPromise: Promise<void> | null = null;
+
+  constructor(adapter: PlatformAdapter, baseURL?: string) {
+    this.adapter = adapter;
+    this.baseURL = baseURL || null;
+  }
+
+  /**
+   * Set base URL for API requests
+   */
+  setBaseURL(baseURL: string): void {
+    this.baseURL = baseURL;
+  }
+
+  /**
+   * Check if token is expiring soon (within 60 seconds)
+   */
+  isTokenExpiringSoon(accessToken: string | null): boolean {
+    if (!accessToken) return false;
+
+    try {
+      const decoded = jwtDecode<AccessTokenPayload>(accessToken);
+      if (!decoded.exp) return false;
+
+      const currentTime = Math.floor(Date.now() / 1000);
+      return decoded.exp - currentTime < 60; // Expiring within 60 seconds
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Get userId from access token
+   */
+  getUserIdFromToken(accessToken: string | null): string | null {
+    if (!accessToken) return null;
+
+    try {
+      const decoded = jwtDecode<AccessTokenPayload>(accessToken);
+      return decoded.userId || null;
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Refresh access token if expiring soon
+   */
+  async refreshTokenIfNeeded(
+    getAccessToken: () => string | null,
+    setTokens: (accessToken: string, refreshToken?: string) => void,
+    clearTokens: () => void
+  ): Promise<void> {
+    // If already refreshing, wait for that promise
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+
+    const accessToken = getAccessToken();
+    if (!accessToken) {
+      return; // No token to refresh
+    }
+
+    // If token not expiring soon, no refresh needed
+    if (!this.isTokenExpiringSoon(accessToken)) {
+      return;
+    }
+
+    // Start refresh
+    this.refreshPromise = this._performRefresh(
+      accessToken,
+      setTokens,
+      clearTokens
+    ).finally(() => {
+      this.refreshPromise = null;
+    });
+
+    return this.refreshPromise;
+  }
+
+  /**
+   * Perform token refresh
+   */
+  private async _performRefresh(
+    accessToken: string,
+    setTokens: (accessToken: string, refreshToken?: string) => void,
+    clearTokens: () => void
+  ): Promise<void> {
+    if (!this.baseURL) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.SESSION_REFRESH_FAILED,
+        'Base URL not set for refresh operations'
+      );
+    }
+
+    try {
+      const decoded = jwtDecode<AccessTokenPayload>(accessToken);
+      if (!decoded.sessionId) {
+        throw createIdentitySessionError(
+          IdentitySessionErrorCodes.MALFORMED_TOKEN,
+          'Token missing sessionId'
+        );
+      }
+
+      const refreshUrl = `${this.baseURL}/api/session/token/${decoded.sessionId}`;
+
+      const response = await this.adapter.fetch.fetch(refreshUrl, {
+        method: 'GET',
+        headers: { 'Accept': 'application/json' },
+        signal: AbortSignal.timeout(5000),
+      });
+
+      if (!response.ok) {
+        if (response.status === 401 || response.status === 403) {
+          // Token is invalid, clear it
+          clearTokens();
+          throw createIdentitySessionError(
+            IdentitySessionErrorCodes.TOKEN_EXPIRED,
+            'Token refresh failed: token is invalid'
+          );
+        }
+        throw createIdentitySessionError(
+          IdentitySessionErrorCodes.SESSION_REFRESH_FAILED,
+          `Token refresh failed: ${response.status}`
+        );
+      }
+
+      const data = await response.json();
+      const newAccessToken = data.accessToken;
+
+      if (!newAccessToken) {
+        throw createIdentitySessionError(
+          IdentitySessionErrorCodes.SESSION_REFRESH_FAILED,
+          'No access token in refresh response'
+        );
+      }
+
+      // Validate new token has correct userId format (ObjectId)
+      const newDecoded = jwtDecode<AccessTokenPayload>(newAccessToken);
+      if (newDecoded.userId && !/^[0-9a-fA-F]{24}$/.test(newDecoded.userId)) {
+        throw createIdentitySessionError(
+          IdentitySessionErrorCodes.MALFORMED_TOKEN,
+          `Invalid userId format in refreshed token: ${newDecoded.userId.substring(0, 20)}...`
+        );
+      }
+
+      setTokens(newAccessToken, data.refreshToken);
+    } catch (error) {
+      // Clear tokens on refresh failure (likely expired or invalid)
+      clearTokens();
+      if (error instanceof Error && error.name === 'IdentitySessionError') {
+        throw error;
+      }
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.SESSION_REFRESH_FAILED,
+        `Token refresh failed: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+}
+