@oxyhq/services 5.16.44 → 5.17.0

package/src/core/mixins/OxyServices.auth.ts

@@ -14,23 +14,6 @@ export interface ChallengeResponse {
   expiresAt: string;
 }
 
-export interface RegistrationRequest {
-  publicKey: string;
-  username: string;
-  email?: string;
-  signature: string;
-  timestamp: number;
-}
-
-export interface ChallengeVerifyRequest {
-  publicKey: string;
-  challenge: string;
-  signature: string;
-  timestamp: number;
-  deviceName?: string;
-  deviceFingerprint?: string;
-}
-
 export interface PublicKeyCheckResponse {
   registered: boolean;
   message: string;
@@ -43,35 +26,32 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     }
 
     /**
-     * Register a new identity with public key authentication
-     * Identity is purely cryptographic - username and profile data are optional
+     * Register a new identity (bootstrap - no session required)
+     * 
+     * This is the ONLY operation that Services allows without an active session.
+     * It's exclusively for the initial bootstrap of Accounts app.
      * 
      * @param publicKey - The user's ECDSA public key (hex)
-     * @param signature - Signature of the registration request
-     * @param timestamp - Timestamp when the signature was created
-     * @param username - Optional username to set during registration
+     * @param name - Optional first name
+     * @param lastName - Optional last name
+     * @param username - Optional username
+     * @returns Object containing userId and user data
      */
-    async register(
+    async registerIdentity(
       publicKey: string,
-      signature: string,
-      timestamp: number,
+      name?: string,
+      lastName?: string,
       username?: string
-    ): Promise<{ message: string; user: User }> {
+    ): Promise<{ userId: string; user: User }> {
       try {
-        const payload: any = {
+        const res = await this.makeRequest<{ userId: string; user: User }>('POST', '/api/identity/register', {
           publicKey,
-          signature,
-          timestamp,
-        };
-        
-        // Include username if provided
-        if (username && username.trim()) {
-          payload.username = username.trim();
-        }
-
-        const res = await this.makeRequest<{ message: string; user: User }>('POST', '/api/auth/register', payload, { cache: false });
+          name,
+          lastName,
+          username,
+        }, { cache: false });
 
-        if (!res || (typeof res === 'object' && Object.keys(res).length === 0)) {
+        if (!res || !res.userId) {
           throw new OxyAuthenticationError('Registration failed', 'REGISTER_FAILED', 400);
         }
 
@@ -85,12 +65,12 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
      * Request an authentication challenge
      * The client must sign this challenge with their private key
      * 
-     * @param publicKey - The user's public key
+     * @param userId - The user's ID (ObjectId)
      */
-    async requestChallenge(publicKey: string): Promise<ChallengeResponse> {
+    async requestChallenge(userId: string): Promise<ChallengeResponse> {
       try {
         return await this.makeRequest<ChallengeResponse>('POST', '/api/auth/challenge', {
-          publicKey,
+          userId,
         }, { cache: false });
       } catch (error) {
         throw this.handleError(error);
@@ -100,16 +80,16 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     /**
      * Verify a signed challenge and create a session
      * 
-     * @param publicKey - The user's public key
-     * @param challenge - The challenge string from requestChallenge
+     * @param userId - The user's ID (ObjectId)
+     * @param nonce - The nonce (challenge) string from requestChallenge
      * @param signature - Signature of the auth message
      * @param timestamp - Timestamp when the signature was created
      * @param deviceName - Optional device name
      * @param deviceFingerprint - Optional device fingerprint
      */
     async verifyChallenge(
-      publicKey: string,
-      challenge: string,
+      userId: string,
+      nonce: string,
       signature: string,
       timestamp: number,
       deviceName?: string,
@@ -117,8 +97,8 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     ): Promise<SessionLoginResponse> {
       try {
         return await this.makeRequest<SessionLoginResponse>('POST', '/api/auth/verify', {
-          publicKey,
-          challenge,
+          userId,
+          nonce,
           signature,
           timestamp,
           deviceName,
@@ -147,6 +127,7 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
 
     /**
      * Get user by public key
+     * Services never caches profile - always fetch fresh from backend
      */
     async getUserByPublicKey(publicKey: string): Promise<User> {
       try {
@@ -154,7 +135,7 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
           'GET',
           `/api/auth/user/${encodeURIComponent(publicKey)}`,
           undefined,
-          { cache: true, cacheTTL: 2 * 60 * 1000 }
+          { cache: false } // Services never caches profile - only tokens
         );
       } catch (error) {
         throw this.handleError(error);
@@ -163,12 +144,12 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
 
     /**
      * Get user by session ID
+     * Services never caches profile - always fetch fresh from backend
      */
     async getUserBySession(sessionId: string): Promise<User> {
       try {
         return await this.makeRequest<User>('GET', `/api/session/user/${sessionId}`, undefined, {
-          cache: true,
-          cacheTTL: 2 * 60 * 1000,
+          cache: false, // Services never caches profile - only tokens
         });
       } catch (error) {
         throw this.handleError(error);
@@ -191,8 +172,7 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
           '/api/session/users/batch',
           { sessionIds: uniqueSessionIds },
           {
-            cache: true,
-            cacheTTL: 2 * 60 * 1000,
+            cache: false,
             deduplicate: true,
           }
         );
@@ -204,16 +184,23 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     /**
      * Get access token by session ID
      */
-    async getTokenBySession(sessionId: string): Promise<{ accessToken: string; expiresAt: string }> {
+    async getTokenBySession(
+      sessionId: string,
+      deviceId?: string
+    ): Promise<{ accessToken: string; refreshToken: string; expiresAt: string; sessionId: string; deviceId: string }> {
       try {
-        const res = await this.makeRequest<{ accessToken: string; expiresAt: string }>(
+        const res = await this.makeRequest<{ accessToken: string; refreshToken: string; expiresAt: string; sessionId: string; deviceId: string }>(
           'GET',
           `/api/session/token/${sessionId}`,
           undefined,
-          { cache: false, retry: false }
+          { 
+            cache: false, 
+            retry: false,
+            headers: deviceId ? { 'x-device-id': deviceId } : undefined,
+          }
         );
-        
-        this.setTokens(res.accessToken);
+
+        this.setTokens(res.accessToken, res.refreshToken);
         
         return res;
       } catch (error) {
@@ -309,35 +296,5 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
       }
     }
 
-    // ==========================================
-    // Deprecated methods - kept for reference
-    // ==========================================
-
-    /**
-     * @deprecated Use register() with public key authentication instead
-     */
-    async signUp(username: string, email: string, password: string): Promise<{ message: string; token: string; user: User }> {
-      throw new OxyAuthenticationError(
-        'Password-based signup is no longer supported. Use register() with public key.',
-        'DEPRECATED',
-        410
-      );
-    }
-
-    /**
-     * @deprecated Use requestChallenge() and verifyChallenge() instead
-     */
-    async signIn(
-      username: string,
-      password: string,
-      deviceName?: string,
-      deviceFingerprint?: any
-    ): Promise<SessionLoginResponse | { mfaRequired: true; mfaToken: string; expiresAt: string }> {
-      throw new OxyAuthenticationError(
-        'Password-based login is no longer supported. Use challenge-response authentication.',
-        'DEPRECATED',
-        410
-      );
-    }
   };
 }

package/src/core/mixins/OxyServices.user.ts

@@ -16,8 +16,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     async getProfileByUsername(username: string): Promise<User> {
       try {
         return await this.makeRequest<User>('GET', `/api/profiles/username/${username}`, undefined, {
-          cache: true,
-          cacheTTL: 5 * 60 * 1000, // 5 minutes cache for profiles
+          cache: false, // Never cache profiles
         });
       } catch (error) {
         throw this.handleError(error);
@@ -38,8 +37,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
           '/api/profiles/search',
           paramsObj,
           {
-            cache: true,
-            cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+            cache: false, // Never cache profiles
           }
         );
 
@@ -97,7 +95,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       [key: string]: any;
     }>> {
       return this.withAuthRetry(async () => {
-        return await this.makeRequest('GET', '/api/profiles/recommendations', undefined, { cache: true });
+        return await this.makeRequest('GET', '/api/profiles/recommendations', undefined, { cache: false });
       }, 'getProfileRecommendations');
     }
 
@@ -107,8 +105,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     async getUserById(userId: string): Promise<User> {
       try {
         return await this.makeRequest<User>('GET', `/api/users/${userId}`, undefined, {
-          cache: true,
-          cacheTTL: 5 * 60 * 1000, // 5 minutes cache
+          cache: false, // Never cache profiles
         });
       } catch (error) {
         throw this.handleError(error);
@@ -117,12 +114,12 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
 
     /**
      * Get current user
+     * Services never caches profile - always fetch fresh from backend
      */
     async getCurrentUser(): Promise<User> {
       return this.withAuthRetry(async () => {
         return await this.makeRequest<User>('GET', '/api/users/me', undefined, {
-          cache: true,
-          cacheTTL: 1 * 60 * 1000, // 1 minute cache for current user
+          cache: false, // Services never caches profile - only tokens
         });
       }, 'getCurrentUser');
     }
@@ -168,8 +165,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
           throw new Error('User ID is required');
         }
         return await this.makeRequest<any>('GET', `/api/privacy/${id}/privacy`, undefined, {
-          cache: true,
-          cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+          cache: false,
         });
       } catch (error) {
         throw this.handleError(error);
@@ -275,8 +271,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     async getFollowStatus(userId: string): Promise<{ isFollowing: boolean }> {
       try {
         return await this.makeRequest('GET', `/api/users/${userId}/follow-status`, undefined, {
-          cache: true,
-          cacheTTL: 1 * 60 * 1000, // 1 minute cache
+          cache: false,
         });
       } catch (error) {
         throw this.handleError(error);
@@ -293,8 +288,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       try {
         const params = buildPaginationParams(pagination || {});
         const response = await this.makeRequest<{ data: User[]; pagination: { total: number; hasMore: boolean } }>('GET', `/api/users/${userId}/followers`, params, {
-          cache: true,
-          cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+          cache: false,
         });
         return {
           followers: response.data || [],
@@ -316,8 +310,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       try {
         const params = buildPaginationParams(pagination || {});
         const response = await this.makeRequest<{ data: User[]; pagination: { total: number; hasMore: boolean } }>('GET', `/api/users/${userId}/following`, params, {
-          cache: true,
-          cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+          cache: false,
         });
         return {
           following: response.data || [],
@@ -399,4 +392,3 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     }
   };
 }
-

package/src/core/services/TokenService.ts

@@ -141,8 +141,22 @@ class TokenService {
       return this.refreshPromise;
     }
 
+    const hasToken = !!this.tokenStore.accessToken;
+    const needsRefresh = this.isTokenExpiringSoon();
+
+    // If no access token but we have refresh token, attempt refresh once
+    if (!hasToken && this.tokenStore.refreshToken) {
+      this.refreshPromise = this._performRefresh();
+      try {
+        await this.refreshPromise;
+      } finally {
+        this.refreshPromise = null;
+      }
+      return;
+    }
+
     // If token not expiring soon, no refresh needed
-    if (!this.isTokenExpiringSoon()) {
+    if (!needsRefresh) {
       return;
     }
 
@@ -160,26 +174,24 @@ class TokenService {
    * Perform token refresh
    */
   private async _performRefresh(): Promise<void> {
-    const token = this.tokenStore.accessToken;
-    if (!token) {
-      throw new Error('No access token to refresh');
+    const refreshToken = this.tokenStore.refreshToken;
+    if (!refreshToken) {
+      throw new Error('No refresh token to refresh');
     }
 
     try {
-      const decoded = jwtDecode<AccessTokenPayload>(token);
-      if (!decoded.sessionId) {
-        throw new Error('Token missing sessionId');
-      }
-
       if (!this.baseURL) {
         throw new Error('TokenService not initialized with baseURL');
       }
 
-      const refreshUrl = `${this.baseURL}/api/session/token/${decoded.sessionId}`;
-      
+      const refreshUrl = `${this.baseURL}/api/auth/refresh`;
       const response = await fetch(refreshUrl, {
-        method: 'GET',
-        headers: { 'Accept': 'application/json' },
+        method: 'POST',
+        headers: { 
+          'Accept': 'application/json',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ refreshToken }),
         signal: AbortSignal.timeout(5000),
       });
 
@@ -187,7 +199,7 @@ class TokenService {
         throw new Error(`Token refresh failed: ${response.status}`);
       }
 
-      const { accessToken: newToken } = await response.json();
+      const { accessToken: newToken, refreshToken: newRefresh } = await response.json();
       
       if (!newToken) {
         throw new Error('No access token in refresh response');
@@ -199,7 +211,7 @@ class TokenService {
         throw new Error(`Invalid userId format in refreshed token: ${newDecoded.userId.substring(0, 20)}...`);
       }
 
-      this.setTokens(newToken);
+      this.setTokens(newToken, newRefresh || refreshToken);
     } catch (error) {
       // Clear tokens on refresh failure (likely expired or invalid)
       this.clearTokens();
@@ -223,4 +235,3 @@ class TokenService {
 
 // Export singleton instance
 export const tokenService = TokenService.getInstance();
-

package/src/crypto/index.ts

@@ -16,9 +16,7 @@ export {
 } from './signatureService';
 export { type BackupData } from './types';
 
-// Export core crypto utilities (shared across platforms)
-export * from './core';
-
 // Re-export for convenience
 export { KeyManager as default } from './keyManager';
 
+

package/src/crypto/keyManager.ts

@@ -1,38 +1,19 @@
 /**
  * Key Manager - ECDSA secp256k1 Key Generation and Storage
  * 
- * ⚠️ **FOR OXY ACCOUNTS APP ONLY**
- * 
- * This module handles secure generation, storage, and retrieval of cryptographic keys.
+ * Handles secure generation, storage, and retrieval of cryptographic keys.
  * Private keys are stored securely using expo-secure-store and never leave the device.
- * 
- * **IMPORTANT**: Third-party apps should NOT use KeyManager directly.
- * Instead, use the OxyServices authentication flows which communicate with the
- * Oxy Accounts app via deep links/QR codes to obtain user authorization.
- * 
- * The Oxy Accounts app is the sole owner of the user's private key and identity.
- * Other apps request authentication from the Accounts app, which signs challenges
- * and returns authorization to the requesting app via the API.
- * 
- * @see {@link https://github.com/OxyHQ/OxyHQServices/blob/main/packages/services/src/crypto/README.md|Crypto Module Documentation}
  */
 
 import { ec as EC } from 'elliptic';
 import type { ECKeyPair } from 'elliptic';
 import { Platform } from 'react-native';
-import {
-  isValidPublicKey as validatePublicKey,
-  isValidPrivateKey as validatePrivateKey,
-  derivePublicKey as derivePublicKeyFromPrivate,
-  shortenPublicKey as shortenKey,
-  getEllipticCurve,
-} from './core';
 
 // Lazy imports for React Native specific modules
 let SecureStore: typeof import('expo-secure-store') | null = null;
 let ExpoCrypto: typeof import('expo-crypto') | null = null;
 
-const ec = getEllipticCurve();
+const ec = new EC('secp256k1');
 
 const STORAGE_KEYS = {
   PRIVATE_KEY: 'oxy_identity_private_key',
@@ -143,9 +124,8 @@ export class KeyManager {
   /**
    * Invalidate cached identity state
    * Called internally when identity is created/deleted/imported
-   * Can also be called externally to force a fresh state check (e.g., on app startup)
    */
-  static invalidateCache(): void {
+  private static invalidateCache(): void {
     KeyManager.cachedPublicKey = null;
     KeyManager.cachedHasIdentity = null;
   }
@@ -454,9 +434,6 @@ export class KeyManager {
       return false; // Identity storage is only available on native platforms
     }
     try {
-      // Invalidate cache before restoring to ensure fresh state
-      KeyManager.invalidateCache();
-      
       const store = await initSecureStore();
       
       // Check if backup exists
@@ -523,21 +500,34 @@ export class KeyManager {
    * Derive public key from a private key (without storing)
    */
   static derivePublicKey(privateKey: string): string {
-    return derivePublicKeyFromPrivate(privateKey);
+    const keyPair = ec.keyFromPrivate(privateKey);
+    return keyPair.getPublic('hex');
   }
 
   /**
    * Validate that a string is a valid public key
    */
   static isValidPublicKey(publicKey: string): boolean {
-    return validatePublicKey(publicKey);
+    try {
+      ec.keyFromPublic(publicKey, 'hex');
+      return true;
+    } catch {
+      return false;
+    }
   }
 
   /**
    * Validate that a string is a valid private key
    */
   static isValidPrivateKey(privateKey: string): boolean {
-    return validatePrivateKey(privateKey);
+    try {
+      const keyPair = ec.keyFromPrivate(privateKey);
+      // Verify it can derive a public key
+      keyPair.getPublic('hex');
+      return true;
+    } catch {
+      return false;
+    }
   }
 
   /**
@@ -545,7 +535,8 @@ export class KeyManager {
    * Format: first 8 chars...last 8 chars
    */
   static shortenPublicKey(publicKey: string): string {
-    return shortenKey(publicKey);
+    if (publicKey.length <= 20) return publicKey;
+    return `${publicKey.slice(0, 8)}...${publicKey.slice(-8)}`;
   }
 }
 

package/src/crypto/polyfill.ts

@@ -76,6 +76,5 @@ if (typeof globalObject.crypto === 'undefined') {
   (globalObject.crypto as CryptoLike).getRandomValues = cryptoPolyfill.getRandomValues;
 }
 
-// Re-export Buffer for convenience
-export { Buffer };
+// No longer re-exporting `Buffer` from this module; import from 'buffer' where needed.
 

package/src/crypto/signatureService.ts

@@ -3,27 +3,15 @@
  * 
  * Handles signing and verification of messages using ECDSA secp256k1.
  * Used for authenticating requests and proving identity ownership.
- * 
- * This service provides async methods for cross-platform compatibility (React Native + Node).
- * For Node.js-only synchronous operations, use the node/signatureService module.
  */
 
+import { ec as EC } from 'elliptic';
 import { KeyManager } from './keyManager';
-import {
-  verifySignatureCore,
-  isValidPublicKey as validatePublicKey,
-  isTimestampFresh,
-  buildAuthMessage,
-  buildRegistrationMessage,
-  buildRequestMessage,
-  shortenPublicKey as shortenKey,
-  getEllipticCurve,
-} from './core';
 
 // Lazy import for expo-crypto
 let ExpoCrypto: typeof import('expo-crypto') | null = null;
 
-const ec = getEllipticCurve();
+const ec = new EC('secp256k1');
 
 /**
  * Check if we're in a React Native environment
@@ -162,8 +150,9 @@ export class SignatureService {
    */
   static async verify(message: string, signature: string, publicKey: string): Promise<boolean> {
     try {
+      const key = ec.keyFromPublic(publicKey, 'hex');
       const messageHash = await sha256(message);
-      return verifySignatureCore(messageHash, signature, publicKey);
+      return key.verify(messageHash, signature);
     } catch {
       return false;
     }
@@ -184,8 +173,9 @@ export class SignatureService {
       // eslint-disable-next-line @typescript-eslint/no-implied-eval
       const getCrypto = new Function('return require("crypto")');
       const crypto = getCrypto();
+      const key = ec.keyFromPublic(publicKey, 'hex');
       const messageHash = crypto.createHash('sha256').update(message).digest('hex');
-      return verifySignatureCore(messageHash, signature, publicKey);
+      return key.verify(messageHash, signature);
     } catch {
       return false;
     }
@@ -223,7 +213,8 @@ export class SignatureService {
     const { message, signature, publicKey, timestamp } = signedMessage;
 
     // Check timestamp freshness
-    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+    const now = Date.now();
+    if (now - timestamp > maxAgeMs) {
       return false;
     }
 
@@ -243,7 +234,7 @@ export class SignatureService {
     }
 
     const timestamp = Date.now();
-    const message = buildAuthMessage(publicKey, challenge, timestamp);
+    const message = `auth:${publicKey}:${challenge}:${timestamp}`;
     const signature = await SignatureService.sign(message);
 
     return {
@@ -264,36 +255,15 @@ export class SignatureService {
     const { challenge: signature, publicKey, timestamp } = response;
 
     // Check timestamp freshness
-    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+    const now = Date.now();
+    if (now - timestamp > maxAgeMs) {
       return false;
     }
 
-    const message = buildAuthMessage(publicKey, originalChallenge, timestamp);
+    const message = `auth:${publicKey}:${originalChallenge}:${timestamp}`;
     return SignatureService.verify(message, signature, publicKey);
   }
 
-  /**
-   * Create a registration signature
-   * Used when registering a new identity with the server
-   * Format matches server expectation: oxy:register:{publicKey}:{timestamp}
-   */
-  static async createRegistrationSignature(): Promise<{ signature: string; publicKey: string; timestamp: number }> {
-    const publicKey = await KeyManager.getPublicKey();
-    if (!publicKey) {
-      throw new Error('No identity found. Please create or import an identity first.');
-    }
-
-    const timestamp = Date.now();
-    const message = buildRegistrationMessage(publicKey, timestamp);
-    const signature = await SignatureService.sign(message);
-
-    return {
-      signature,
-      publicKey,
-      timestamp,
-    };
-  }
-
   /**
    * Sign arbitrary data for API requests
    * Creates a canonical string representation and signs it
@@ -309,7 +279,13 @@ export class SignatureService {
     }
 
     const timestamp = Date.now();
-    const message = buildRequestMessage(publicKey, timestamp, data);
+    
+    // Create canonical string representation
+    const sortedKeys = Object.keys(data).sort();
+    const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
+    const canonicalString = canonicalParts.join('|');
+    
+    const message = `request:${publicKey}:${timestamp}:${canonicalString}`;
     const signature = await SignatureService.sign(message);
 
     return {