@oxyhq/services 5.17.17 → 5.17.18

package/src/core/mixins/OxyServices.auth.ts

@@ -1,8 +1,7 @@
 /**
  * Authentication Methods Mixin
  * 
- * Public key authentication using ECDSA signatures.
- * No passwords required - authentication is done via challenge-response.
+ * Supports password-based login (email/username) and public key challenge-response.
  */
 import type { User } from '../../models/interfaces';
 import type { SessionLoginResponse } from '../../models/session';
@@ -14,6 +13,23 @@ export interface ChallengeResponse {
   expiresAt: string;
 }
 
+export interface RegistrationRequest {
+  publicKey: string;
+  username: string;
+  email?: string;
+  signature: string;
+  timestamp: number;
+}
+
+export interface ChallengeVerifyRequest {
+  publicKey: string;
+  challenge: string;
+  signature: string;
+  timestamp: number;
+  deviceName?: string;
+  deviceFingerprint?: string;
+}
+
 export interface PublicKeyCheckResponse {
   registered: boolean;
   message: string;
@@ -26,21 +42,26 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     }
 
     /**
-     * Register a new identity (bootstrap - no session required)
-     * 
-     * Register a new identity (public key only).
-     * Profile data should be synced separately via updateProfile after sign-in.
+     * Register a new identity with public key authentication
+     * Identity is purely cryptographic - username and profile data are optional
      * 
      * @param publicKey - The user's ECDSA public key (hex)
-     * @returns Object containing userId and user data
+     * @param signature - Signature of the registration request
+     * @param timestamp - Timestamp when the signature was created
      */
-    async registerIdentity(publicKey: string): Promise<{ userId: string; user: User }> {
+    async register(
+      publicKey: string,
+      signature: string,
+      timestamp: number
+    ): Promise<{ message: string; user: User }> {
       try {
-        const res = await this.makeRequest<{ userId: string; user: User }>('POST', '/api/identity/register', {
+        const res = await this.makeRequest<{ message: string; user: User }>('POST', '/api/auth/register', {
           publicKey,
+          signature,
+          timestamp,
         }, { cache: false });
 
-        if (!res || !res.userId) {
+        if (!res || (typeof res === 'object' && Object.keys(res).length === 0)) {
           throw new OxyAuthenticationError('Registration failed', 'REGISTER_FAILED', 400);
         }
 
@@ -54,12 +75,12 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
      * Request an authentication challenge
      * The client must sign this challenge with their private key
      * 
-     * @param userId - The user's ID (ObjectId)
+     * @param publicKey - The user's public key
      */
-    async requestChallenge(userId: string): Promise<ChallengeResponse> {
+    async requestChallenge(publicKey: string): Promise<ChallengeResponse> {
       try {
         return await this.makeRequest<ChallengeResponse>('POST', '/api/auth/challenge', {
-          userId,
+          publicKey,
         }, { cache: false });
       } catch (error) {
         throw this.handleError(error);
@@ -69,16 +90,16 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     /**
      * Verify a signed challenge and create a session
      * 
-     * @param userId - The user's ID (ObjectId)
-     * @param nonce - The nonce (challenge) string from requestChallenge
+     * @param publicKey - The user's public key
+     * @param challenge - The challenge string from requestChallenge
      * @param signature - Signature of the auth message
      * @param timestamp - Timestamp when the signature was created
      * @param deviceName - Optional device name
      * @param deviceFingerprint - Optional device fingerprint
      */
     async verifyChallenge(
-      userId: string,
-      nonce: string,
+      publicKey: string,
+      challenge: string,
       signature: string,
       timestamp: number,
       deviceName?: string,
@@ -86,8 +107,8 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     ): Promise<SessionLoginResponse> {
       try {
         return await this.makeRequest<SessionLoginResponse>('POST', '/api/auth/verify', {
-          userId,
-          nonce,
+          publicKey,
+          challenge,
           signature,
           timestamp,
           deviceName,
@@ -116,7 +137,6 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
 
     /**
      * Get user by public key
-     * Services never caches profile - always fetch fresh from backend
      */
     async getUserByPublicKey(publicKey: string): Promise<User> {
       try {
@@ -124,7 +144,7 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
           'GET',
           `/api/auth/user/${encodeURIComponent(publicKey)}`,
           undefined,
-          { cache: false } // Services never caches profile - only tokens
+          { cache: true, cacheTTL: 2 * 60 * 1000 }
         );
       } catch (error) {
         throw this.handleError(error);
@@ -133,12 +153,12 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
 
     /**
      * Get user by session ID
-     * Services never caches profile - always fetch fresh from backend
      */
     async getUserBySession(sessionId: string): Promise<User> {
       try {
         return await this.makeRequest<User>('GET', `/api/session/user/${sessionId}`, undefined, {
-          cache: false, // Services never caches profile - only tokens
+          cache: true,
+          cacheTTL: 2 * 60 * 1000,
         });
       } catch (error) {
         throw this.handleError(error);
@@ -161,7 +181,8 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
           '/api/session/users/batch',
           { sessionIds: uniqueSessionIds },
           {
-            cache: false,
+            cache: true,
+            cacheTTL: 2 * 60 * 1000,
             deduplicate: true,
           }
         );
@@ -173,23 +194,16 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
     /**
      * Get access token by session ID
      */
-    async getTokenBySession(
-      sessionId: string,
-      deviceId?: string
-    ): Promise<{ accessToken: string; refreshToken: string; expiresAt: string; sessionId: string; deviceId: string }> {
+    async getTokenBySession(sessionId: string): Promise<{ accessToken: string; expiresAt: string }> {
       try {
-        const res = await this.makeRequest<{ accessToken: string; refreshToken: string; expiresAt: string; sessionId: string; deviceId: string }>(
+        const res = await this.makeRequest<{ accessToken: string; expiresAt: string }>(
           'GET',
           `/api/session/token/${sessionId}`,
           undefined,
-          { 
-            cache: false, 
-            retry: false,
-            headers: deviceId ? { 'x-device-id': deviceId } : undefined,
-          }
+          { cache: false, retry: false }
         );
-
-        this.setTokens(res.accessToken, res.refreshToken);
+        
+        this.setTokens(res.accessToken);
         
         return res;
       } catch (error) {
@@ -285,5 +299,60 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
       }
     }
 
+    /**
+     * Register a new user with email/username and password
+     */
+    async signUp(
+      username: string,
+      email: string,
+      password: string,
+      deviceName?: string,
+      deviceFingerprint?: any
+    ): Promise<SessionLoginResponse> {
+      try {
+        return await this.makeRequest<SessionLoginResponse>('POST', '/api/auth/signup', {
+          username,
+          email,
+          password,
+          deviceName,
+          deviceFingerprint,
+        }, { cache: false });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Sign in with email or username and password
+     */
+    async signIn(
+      identifier: string,
+      password: string,
+      deviceName?: string,
+      deviceFingerprint?: any
+    ): Promise<SessionLoginResponse> {
+      try {
+        return await this.makeRequest<SessionLoginResponse>('POST', '/api/auth/login', {
+          identifier,
+          password,
+          deviceName,
+          deviceFingerprint,
+        }, { cache: false });
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+
+    /**
+     * Convenience helper for email sign-in
+     */
+    async signInWithEmail(
+      email: string,
+      password: string,
+      deviceName?: string,
+      deviceFingerprint?: any
+    ): Promise<SessionLoginResponse> {
+      return this.signIn(email, password, deviceName, deviceFingerprint);
+    }
   };
 }

package/src/core/mixins/OxyServices.fedcm.ts

@@ -0,0 +1,315 @@
+import type { OxyServicesBase } from '../OxyServices.base';
+import { OxyAuthenticationError } from '../OxyServices.errors';
+import type { SessionLoginResponse } from '../../models/session';
+
+export interface FedCMAuthOptions {
+  nonce?: string;
+  context?: 'signin' | 'signup' | 'continue' | 'use';
+}
+
+export interface FedCMConfig {
+  enabled: boolean;
+  configURL: string;
+  clientId?: string;
+}
+
+/**
+ * Federated Credential Management (FedCM) Authentication Mixin
+ *
+ * Implements the modern browser-native identity federation API that enables
+ * Google-style cross-domain authentication without third-party cookies.
+ *
+ * Browser Support:
+ * - Chrome 108+
+ * - Safari 16.4+
+ * - Edge 108+
+ * - Firefox: Not yet supported (fallback required)
+ *
+ * Key Features:
+ * - No redirects or popups required
+ * - Browser-native UI prompts
+ * - Privacy-preserving (IdP can't track users)
+ * - Automatic SSO across domains
+ * - Silent re-authentication support
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
+ */
+export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T) {
+  return class extends Base {
+    constructor(...args: any[]) {
+      super(...(args as [any]));
+    }
+  public static readonly DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
+  public static readonly FEDCM_TIMEOUT = 60000; // 1 minute
+
+  /**
+   * Check if FedCM is supported in the current browser
+   */
+  static isFedCMSupported(): boolean {
+    if (typeof window === 'undefined') return false;
+    return 'IdentityCredential' in window && 'navigator' in window && 'credentials' in navigator;
+  }
+
+  /**
+   * Instance method to check FedCM support
+   */
+  isFedCMSupported(): boolean {
+    return (this.constructor as typeof OxyServicesBase & { isFedCMSupported: () => boolean }).isFedCMSupported();
+  }
+
+  /**
+   * Sign in using FedCM (Federated Credential Management API)
+   *
+   * This provides a Google-style authentication experience:
+   * - Browser shows native "Sign in with Oxy" prompt
+   * - No redirect or popup required
+   * - User approves → credential exchange happens in browser
+   * - All apps automatically get SSO after first sign-in
+   *
+   * @param options - Authentication options
+   * @returns Session with access token and user data
+   * @throws {OxyAuthenticationError} If FedCM not supported or user cancels
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const session = await oxyServices.signInWithFedCM();
+   *   console.log('Signed in:', session.user);
+   * } catch (error) {
+   *   // Fallback to popup or redirect auth
+   *   await oxyServices.signInWithPopup();
+   * }
+   * ```
+   */
+  async signInWithFedCM(options: FedCMAuthOptions = {}): Promise<SessionLoginResponse> {
+    if (!this.isFedCMSupported()) {
+      throw new OxyAuthenticationError(
+        'FedCM not supported in this browser. Please update your browser or use an alternative sign-in method.'
+      );
+    }
+
+    try {
+      const nonce = options.nonce || this.generateNonce();
+      const clientId = this.getClientId();
+
+      // Request credential from browser's native identity flow
+      const credential = await this.requestIdentityCredential({
+        configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
+        clientId,
+        nonce,
+        context: options.context,
+      });
+
+      if (!credential || !credential.token) {
+        throw new OxyAuthenticationError('No credential received from browser');
+      }
+
+      // Exchange FedCM ID token for Oxy session
+      const session = await this.exchangeIdTokenForSession(credential.token);
+
+      // Store access token in HttpService (extract from response or get from session)
+      if (session && (session as any).accessToken) {
+        this.httpService.setTokens((session as any).accessToken);
+      }
+
+      return session;
+    } catch (error) {
+      if ((error as any).name === 'AbortError') {
+        throw new OxyAuthenticationError('Sign-in was cancelled by user');
+      }
+      if ((error as any).name === 'NetworkError') {
+        throw new OxyAuthenticationError('Network error during sign-in. Please check your connection.');
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Silent sign-in using FedCM
+   *
+   * Attempts to automatically re-authenticate the user without any UI.
+   * This is what enables "instant sign-in" across all Oxy domains after
+   * the user has signed in once.
+   *
+   * The browser will:
+   * 1. Check if user has previously signed in to Oxy
+   * 2. Check if user is still signed in at auth.oxy.so
+   * 3. If yes, automatically provide credential without prompting
+   *
+   * @returns Session if user is already signed in, null otherwise
+   *
+   * @example
+   * ```typescript
+   * // On app startup
+   * useEffect(() => {
+   *   const checkAuth = async () => {
+   *     const session = await oxyServices.silentSignInWithFedCM();
+   *     if (session) {
+   *       setUser(session.user);
+   *     } else {
+   *       // Show sign-in button
+   *     }
+   *   };
+   *   checkAuth();
+   * }, []);
+   * ```
+   */
+  async silentSignInWithFedCM(): Promise<SessionLoginResponse | null> {
+    if (!this.isFedCMSupported()) {
+      return null;
+    }
+
+    try {
+      const nonce = this.generateNonce();
+      const clientId = this.getClientId();
+
+      // Request credential with silent mediation (no UI)
+      const credential = await this.requestIdentityCredential({
+        configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
+        clientId,
+        nonce,
+        mediation: 'silent',
+      });
+
+      if (!credential || !credential.token) {
+        return null;
+      }
+
+      const session = await this.exchangeIdTokenForSession(credential.token);
+      if (session && (session as any).accessToken) {
+        this.httpService.setTokens((session as any).accessToken);
+      }
+
+      return session;
+    } catch (error) {
+      // Silent failures are expected and should not throw
+      return null;
+    }
+  }
+
+  /**
+   * Request identity credential from browser using FedCM API
+   *
+   * @private
+   */
+  public async requestIdentityCredential(options: {
+    configURL: string;
+    clientId: string;
+    nonce: string;
+    context?: string;
+    mediation?: 'silent' | 'optional' | 'required';
+  }): Promise<{ token: string } | null> {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), (this.constructor as any).FEDCM_TIMEOUT);
+
+    try {
+      // Type assertion needed as FedCM types may not be in all TypeScript versions
+      const credential = (await (navigator.credentials as any).get({
+        identity: {
+          providers: [
+            {
+              configURL: options.configURL,
+              clientId: options.clientId,
+              nonce: options.nonce,
+              ...(options.context && { loginHint: options.context }),
+            },
+          ],
+        },
+        mediation: options.mediation || 'optional',
+        signal: controller.signal,
+      })) as any;
+
+      if (!credential || credential.type !== 'identity') {
+        return null;
+      }
+
+      return { token: credential.token };
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+
+  /**
+   * Exchange FedCM ID token for Oxy session
+   *
+   * The ID token is a JWT issued by auth.oxy.so that proves the user's
+   * identity. We exchange it for a full Oxy session with access token.
+   *
+   * @private
+   */
+  public async exchangeIdTokenForSession(idToken: string): Promise<SessionLoginResponse> {
+    return this.makeRequest<SessionLoginResponse>(
+      'POST',
+      '/api/auth/fedcm/exchange',
+      { id_token: idToken },
+      { cache: false }
+    );
+  }
+
+  /**
+   * Revoke FedCM credential (sign out)
+   *
+   * This tells the browser to forget the FedCM credential for this app.
+   * The user will need to re-authenticate next time.
+   */
+  async revokeFedCMCredential(): Promise<void> {
+    if (!this.isFedCMSupported()) {
+      return;
+    }
+
+    try {
+      // FedCM logout API (if available)
+      if ('IdentityCredential' in window && 'logout' in (window as any).IdentityCredential) {
+        const clientId = this.getClientId();
+        await (window as any).IdentityCredential.logout({
+          configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
+          clientId,
+        });
+      }
+    } catch (error) {
+      // Silent failure
+    }
+  }
+
+  /**
+   * Get configuration for FedCM
+   *
+   * @returns FedCM configuration with browser support info
+   */
+  getFedCMConfig(): FedCMConfig {
+    return {
+      enabled: this.isFedCMSupported(),
+      configURL: (this.constructor as any).DEFAULT_CONFIG_URL,
+      clientId: this.getClientId(),
+    };
+  }
+
+  /**
+   * Generate a cryptographically secure nonce for FedCM
+   *
+   * @private
+   */
+  public generateNonce(): string {
+    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+      return window.crypto.randomUUID();
+    }
+    // Fallback for older browsers
+    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+  }
+
+  /**
+   * Get the client ID for this origin
+   *
+   * @private
+   */
+  public getClientId(): string {
+    if (typeof window === 'undefined') {
+      return 'unknown';
+    }
+    return window.location.origin;
+  }
+  };
+}
+
+// Export the mixin function as both named and default
+export { OxyServicesFedCMMixin as FedCMMixin };