@oxyhq/services 5.17.17 → 5.17.18

package/src/core/mixins/OxyServices.redirect.ts

@@ -0,0 +1,397 @@
+import type { OxyServicesBase } from '../OxyServices.base';
+import { OxyAuthenticationError } from '../OxyServices.errors';
+import type { SessionLoginResponse } from '../../models/session';
+
+export interface RedirectAuthOptions {
+  redirectUri?: string;
+  mode?: 'login' | 'signup';
+  preserveUrl?: boolean;
+}
+
+/**
+ * Redirect-based Cross-Domain Authentication Mixin
+ *
+ * Implements traditional OAuth2 redirect flow as a fallback when popup or
+ * FedCM are not available or fail (e.g., mobile browsers, popup blockers).
+ *
+ * Flow:
+ * 1. Save current URL
+ * 2. Redirect to auth.oxy.so/login
+ * 3. User signs in
+ * 4. Redirect back with token in URL
+ * 5. Extract token, restore session, clean URL
+ *
+ * Features:
+ * - Works on all browsers (including old mobile browsers)
+ * - Automatic URL cleanup after auth
+ * - State preservation option
+ * - CSRF protection via state parameter
+ *
+ * Trade-offs:
+ * - Loses JavaScript app state (full page navigation)
+ * - Visible redirect (user sees navigation)
+ * - Slower perceived performance
+ */
+export function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(Base: T) {
+  return class extends Base {
+    constructor(...args: any[]) {
+      super(...(args as [any]));
+    }
+  public static readonly AUTH_URL = 'https://auth.oxy.so';
+  public static readonly TOKEN_STORAGE_KEY = 'oxy_access_token';
+  public static readonly SESSION_STORAGE_KEY = 'oxy_session_id';
+  public static readonly STATE_STORAGE_KEY = 'oxy_auth_state';
+  public static readonly PRE_AUTH_URL_KEY = 'oxy_pre_auth_url';
+  public static readonly NONCE_STORAGE_KEY = 'oxy_auth_nonce';
+
+  /**
+   * Sign in using full page redirect
+   *
+   * Redirects the user to auth.oxy.so for authentication. After successful
+   * sign-in, the user will be redirected back to the current page (or custom
+   * redirect URI) with authentication tokens in the URL.
+   *
+   * Call handleAuthCallback() on app startup to complete the flow.
+   *
+   * @param options - Redirect configuration options
+   *
+   * @example
+   * ```typescript
+   * // Initiate sign-in
+   * const handleSignIn = () => {
+   *   oxyServices.signInWithRedirect();
+   * };
+   *
+   * // Handle callback on app startup
+   * useEffect(() => {
+   *   const session = oxyServices.handleAuthCallback();
+   *   if (session) {
+   *     setUser(session.user);
+   *   }
+   * }, []);
+   * ```
+   */
+  signInWithRedirect(options: RedirectAuthOptions = {}): void {
+    if (typeof window === 'undefined') {
+      throw new OxyAuthenticationError('Redirect authentication requires browser environment');
+    }
+
+    const redirectUri = options.redirectUri || window.location.href;
+    const mode = options.mode || 'login';
+    const state = this.generateState();
+    const nonce = this.generateNonce();
+
+    // Store state for CSRF protection
+    this.storeAuthState(state, nonce);
+
+    // Save current URL to restore after auth (optional)
+    if (options.preserveUrl !== false) {
+      this.savePreAuthUrl(window.location.href);
+    }
+
+    const authUrl = this.buildAuthUrl({
+      mode,
+      redirectUri,
+      state,
+      nonce,
+      clientId: window.location.origin,
+    });
+
+    // Perform redirect
+    window.location.href = authUrl;
+  }
+
+  /**
+   * Sign up using full page redirect
+   *
+   * Same as signInWithRedirect but opens the signup page by default.
+   */
+  signUpWithRedirect(options: RedirectAuthOptions = {}): void {
+    this.signInWithRedirect({ ...options, mode: 'signup' });
+  }
+
+  /**
+   * Handle authentication callback
+   *
+   * Call this on app startup to check if the current page load is a
+   * redirect back from the authentication server. If it is, this method
+   * will extract the tokens, store them, and clean up the URL.
+   *
+   * @returns Session data if this is a callback, null otherwise
+   * @throws {OxyAuthenticationError} If state validation fails (CSRF attack)
+   *
+   * @example
+   * ```typescript
+   * // In your app's root component or startup logic
+   * useEffect(() => {
+   *   try {
+   *     const session = oxyServices.handleAuthCallback();
+   *     if (session) {
+   *       console.log('Logged in:', session.user);
+   *       setUser(session.user);
+   *     } else {
+   *       // Not a callback, check for existing session
+   *       const restored = oxyServices.restoreSession();
+   *       if (!restored) {
+   *         // No session, show login button
+   *       }
+   *     }
+   *   } catch (error) {
+   *     console.error('Auth callback failed:', error);
+   *   }
+   * }, []);
+   * ```
+   */
+  handleAuthCallback(): SessionLoginResponse | null {
+    if (typeof window === 'undefined') {
+      return null;
+    }
+
+    const url = new URL(window.location.href);
+    const accessToken = url.searchParams.get('access_token');
+    const sessionId = url.searchParams.get('session_id');
+    const expiresAt = url.searchParams.get('expires_at');
+    const state = url.searchParams.get('state');
+    const error = url.searchParams.get('error');
+    const errorDescription = url.searchParams.get('error_description');
+
+    // Check if this is an error callback
+    if (error) {
+      this.clearAuthState();
+      throw new OxyAuthenticationError(errorDescription || error);
+    }
+
+    // Check if this is an auth callback
+    if (!accessToken || !sessionId) {
+      return null; // Not a callback
+    }
+
+    // Verify state to prevent CSRF attacks
+    const savedState = this.getStoredState();
+    if (!savedState || state !== savedState) {
+      this.clearAuthState();
+      throw new OxyAuthenticationError('Invalid state parameter. Possible CSRF attack.');
+    }
+
+    // Store tokens
+    this.storeTokens(accessToken, sessionId);
+    this.httpService.setTokens(accessToken);
+
+    // Build session response (minimal - we'll fetch full user data separately)
+    const session: SessionLoginResponse = {
+      sessionId,
+      deviceId: '', // Not available in redirect flow
+      expiresAt: expiresAt || new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
+      user: {} as any, // Will be fetched separately
+    };
+
+    // Clean up URL (remove auth parameters)
+    this.cleanAuthCallbackUrl(url);
+
+    // Clean up storage
+    this.clearAuthState();
+
+    return session;
+  }
+
+  /**
+   * Restore session from storage
+   *
+   * Attempts to restore a previously authenticated session from localStorage.
+   * Call this on app startup if handleAuthCallback() returns null.
+   *
+   * @returns True if session was restored, false otherwise
+   *
+   * @example
+   * ```typescript
+   * useEffect(() => {
+   *   const session = oxyServices.handleAuthCallback();
+   *   if (!session) {
+   *     const restored = oxyServices.restoreSession();
+   *     if (!restored) {
+   *       // No session, user needs to sign in
+   *       setShowLogin(true);
+   *     }
+   *   }
+   * }, []);
+   * ```
+   */
+  restoreSession(): boolean {
+    if (typeof window === 'undefined') {
+      return false;
+    }
+
+    const token = localStorage.getItem((this.constructor as any).TOKEN_STORAGE_KEY);
+    const sessionId = localStorage.getItem((this.constructor as any).SESSION_STORAGE_KEY);
+
+    if (token && sessionId) {
+      this.httpService.setTokens(token);
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Clear stored session
+   *
+   * Removes all authentication data from storage. Call this on logout.
+   */
+  clearStoredSession(): void {
+    if (typeof window === 'undefined') {
+      return;
+    }
+
+    localStorage.removeItem((this.constructor as any).TOKEN_STORAGE_KEY);
+    localStorage.removeItem((this.constructor as any).SESSION_STORAGE_KEY);
+    this.httpService.clearTokens();
+  }
+
+  /**
+   * Get stored session ID
+   */
+  getStoredSessionId(): string | null {
+    if (typeof window === 'undefined') {
+      return null;
+    }
+
+    return localStorage.getItem((this.constructor as any).SESSION_STORAGE_KEY);
+  }
+
+  /**
+   * Build authentication URL with query parameters
+   *
+   * @private
+   */
+  public buildAuthUrl(params: {
+    mode: string;
+    redirectUri: string;
+    state: string;
+    nonce: string;
+    clientId: string;
+  }): string {
+    const url = new URL(`${(this.constructor as any).AUTH_URL}/${params.mode}`);
+    url.searchParams.set('redirect_uri', params.redirectUri);
+    url.searchParams.set('state', params.state);
+    url.searchParams.set('nonce', params.nonce);
+    url.searchParams.set('client_id', params.clientId);
+    url.searchParams.set('response_type', 'token');
+    return url.toString();
+  }
+
+  /**
+   * Store tokens in localStorage
+   *
+   * @private
+   */
+  public storeTokens(accessToken: string, sessionId: string): void {
+    if (typeof window === 'undefined') {
+      return;
+    }
+
+    localStorage.setItem((this.constructor as any).TOKEN_STORAGE_KEY, accessToken);
+    localStorage.setItem((this.constructor as any).SESSION_STORAGE_KEY, sessionId);
+  }
+
+  /**
+   * Generate cryptographically secure state for CSRF protection
+   *
+   * @private
+   */
+  public generateState(): string {
+    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+      return window.crypto.randomUUID();
+    }
+    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+  }
+
+  /**
+   * Generate nonce for replay attack prevention
+   *
+   * @private
+   */
+  public generateNonce(): string {
+    if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+      return window.crypto.randomUUID();
+    }
+    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+  }
+
+  /**
+   * Store auth state in session storage
+   *
+   * @private
+   */
+  public storeAuthState(state: string, nonce: string): void {
+    if (typeof window === 'undefined') {
+      return;
+    }
+
+    sessionStorage.setItem((this.constructor as any).STATE_STORAGE_KEY, state);
+    sessionStorage.setItem((this.constructor as any).NONCE_STORAGE_KEY, nonce);
+  }
+
+  /**
+   * Get stored state
+   *
+   * @private
+   */
+  public getStoredState(): string | null {
+    if (typeof window === 'undefined') {
+      return null;
+    }
+
+    return sessionStorage.getItem((this.constructor as any).STATE_STORAGE_KEY);
+  }
+
+  /**
+   * Clear auth state from storage
+   *
+   * @private
+   */
+  public clearAuthState(): void {
+    if (typeof window === 'undefined') {
+      return;
+    }
+
+    sessionStorage.removeItem((this.constructor as any).STATE_STORAGE_KEY);
+    sessionStorage.removeItem((this.constructor as any).NONCE_STORAGE_KEY);
+    sessionStorage.removeItem((this.constructor as any).PRE_AUTH_URL_KEY);
+  }
+
+  /**
+   * Save pre-authentication URL to restore later
+   *
+   * @private
+   */
+  public savePreAuthUrl(url: string): void {
+    if (typeof window === 'undefined') {
+      return;
+    }
+
+    sessionStorage.setItem((this.constructor as any).PRE_AUTH_URL_KEY, url);
+  }
+
+  /**
+   * Clean authentication parameters from URL
+   *
+   * @private
+   */
+  public cleanAuthCallbackUrl(url: URL): void {
+    // Remove auth parameters
+    url.searchParams.delete('access_token');
+    url.searchParams.delete('session_id');
+    url.searchParams.delete('expires_at');
+    url.searchParams.delete('state');
+    url.searchParams.delete('nonce');
+    url.searchParams.delete('error');
+    url.searchParams.delete('error_description');
+
+    // Update URL without reloading page
+    window.history.replaceState({}, '', url.toString());
+  }
+  };
+}
+
+// Export the mixin function as both named and default
+export { OxyServicesRedirectAuthMixin as RedirectAuthMixin };

package/src/core/mixins/OxyServices.user.ts

@@ -16,7 +16,8 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     async getProfileByUsername(username: string): Promise<User> {
       try {
         return await this.makeRequest<User>('GET', `/api/profiles/username/${username}`, undefined, {
-          cache: false, // Never cache profiles
+          cache: true,
+          cacheTTL: 5 * 60 * 1000, // 5 minutes cache for profiles
         });
       } catch (error) {
         throw this.handleError(error);
@@ -37,7 +38,8 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
           '/api/profiles/search',
           paramsObj,
           {
-            cache: false, // Never cache profiles
+            cache: true,
+            cacheTTL: 2 * 60 * 1000, // 2 minutes cache
           }
         );
 
@@ -95,7 +97,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       [key: string]: any;
     }>> {
       return this.withAuthRetry(async () => {
-        return await this.makeRequest('GET', '/api/profiles/recommendations', undefined, { cache: false });
+        return await this.makeRequest('GET', '/api/profiles/recommendations', undefined, { cache: true });
       }, 'getProfileRecommendations');
     }
 
@@ -105,7 +107,8 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     async getUserById(userId: string): Promise<User> {
       try {
         return await this.makeRequest<User>('GET', `/api/users/${userId}`, undefined, {
-          cache: false, // Never cache profiles
+          cache: true,
+          cacheTTL: 5 * 60 * 1000, // 5 minutes cache
         });
       } catch (error) {
         throw this.handleError(error);
@@ -114,41 +117,54 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
 
     /**
      * Get current user
-     * Services never caches profile - always fetch fresh from backend
      */
     async getCurrentUser(): Promise<User> {
       return this.withAuthRetry(async () => {
         return await this.makeRequest<User>('GET', '/api/users/me', undefined, {
-          cache: false, // Services never caches profile - only tokens
+          cache: true,
+          cacheTTL: 1 * 60 * 1000, // 1 minute cache for current user
         });
       }, 'getCurrentUser');
     }
 
     /**
      * Update user profile
+     * TanStack Query handles offline queuing automatically
      */
     async updateProfile(updates: Record<string, any>): Promise<User> {
       try {
         return await this.makeRequest<User>('PUT', '/api/users/me', updates, { cache: false });
       } catch (error) {
+        const errorAny = error as any;
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        const status = errorAny?.status || errorAny?.response?.status;
+        
+        // Check if it's an authentication error (401)
+        const isAuthError = status === 401 || 
+          errorMessage.includes('Authentication required') ||
+          errorMessage.includes('Invalid or missing authorization header');
+
+        // If authentication error and we don't have a token, this might be an offline session
+        // The caller should handle syncing the session before retrying
+        if (isAuthError && !this.hasValidToken()) {
+          // Re-throw with a specific message so the caller knows to sync
+          throw new Error('AUTH_REQUIRED_OFFLINE_SESSION: Session needs to be synced to get a token');
+        }
+
         throw this.handleError(error);
       }
     }
 
     /**
      * Get privacy settings for a user
-     * @param userId - The user ID (MongoDB ObjectId, defaults to current user)
+     * @param userId - The user ID (defaults to current user)
      */
     async getPrivacySettings(userId?: string): Promise<any> {
       try {
-        // Use getCurrentUserId() which returns MongoDB ObjectId from JWT token
-        // Never use getCurrentUser().id as it may be set to publicKey
-        const id = userId || this.getCurrentUserId();
-        if (!id) {
-          throw new Error('User ID is required');
-        }
+        const id = userId || (await this.getCurrentUser()).id;
         return await this.makeRequest<any>('GET', `/api/privacy/${id}/privacy`, undefined, {
-          cache: false,
+          cache: true,
+          cacheTTL: 2 * 60 * 1000, // 2 minutes cache
         });
       } catch (error) {
         throw this.handleError(error);
@@ -158,16 +174,11 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     /**
      * Update privacy settings
      * @param settings - Partial privacy settings object
-     * @param userId - The user ID (MongoDB ObjectId, defaults to current user)
+     * @param userId - The user ID (defaults to current user)
      */
     async updatePrivacySettings(settings: Record<string, any>, userId?: string): Promise<any> {
       try {
-        // Use getCurrentUserId() which returns MongoDB ObjectId from JWT token
-        // Never use getCurrentUser().id as it may be set to publicKey
-        const id = userId || this.getCurrentUserId();
-        if (!id) {
-          throw new Error('User ID is required');
-        }
+        const id = userId || (await this.getCurrentUser()).id;
         return await this.makeRequest<any>('PATCH', `/api/privacy/${id}/privacy`, settings, {
           cache: false,
         });
@@ -254,7 +265,8 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     async getFollowStatus(userId: string): Promise<{ isFollowing: boolean }> {
       try {
         return await this.makeRequest('GET', `/api/users/${userId}/follow-status`, undefined, {
-          cache: false,
+          cache: true,
+          cacheTTL: 1 * 60 * 1000, // 1 minute cache
         });
       } catch (error) {
         throw this.handleError(error);
@@ -271,7 +283,8 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       try {
         const params = buildPaginationParams(pagination || {});
         const response = await this.makeRequest<{ data: User[]; pagination: { total: number; hasMore: boolean } }>('GET', `/api/users/${userId}/followers`, params, {
-          cache: false,
+          cache: true,
+          cacheTTL: 2 * 60 * 1000, // 2 minutes cache
         });
         return {
           followers: response.data || [],
@@ -293,7 +306,8 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
       try {
         const params = buildPaginationParams(pagination || {});
         const response = await this.makeRequest<{ data: User[]; pagination: { total: number; hasMore: boolean } }>('GET', `/api/users/${userId}/following`, params, {
-          cache: false,
+          cache: true,
+          cacheTTL: 2 * 60 * 1000, // 2 minutes cache
         });
         return {
           following: response.data || [],
@@ -375,3 +389,4 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     }
   };
 }
+

package/src/core/mixins/index.ts

@@ -7,6 +7,9 @@
 
 import { OxyServicesBase } from '../OxyServices.base';
 import { OxyServicesAuthMixin } from './OxyServices.auth';
+import { OxyServicesFedCMMixin } from './OxyServices.fedcm';
+import { OxyServicesPopupAuthMixin } from './OxyServices.popup';
+import { OxyServicesRedirectAuthMixin } from './OxyServices.redirect';
 import { OxyServicesUserMixin } from './OxyServices.user';
 import { OxyServicesPrivacyMixin } from './OxyServices.privacy';
 import { OxyServicesLanguageMixin } from './OxyServices.language';
@@ -22,10 +25,15 @@ import { OxyServicesUtilityMixin } from './OxyServices.utility';
 
 /**
  * Composes all OxyServices mixins in the correct order
- * 
+ *
  * Order matters for mixins - dependencies should be applied first.
  * This function ensures consistent composition across the codebase.
- * 
+ *
+ * New cross-domain auth mixins added:
+ * - FedCM: Modern browser-native identity federation (Google-style)
+ * - Popup: OAuth2-style popup authentication
+ * - Redirect: Traditional redirect-based authentication
+ *
  * @returns The fully composed OxyServices class with all mixins applied
  */
 export function composeOxyServices() {
@@ -41,7 +49,15 @@ export function composeOxyServices() {
                     OxyServicesLanguageMixin(
                       OxyServicesPrivacyMixin(
                         OxyServicesUserMixin(
-                          OxyServicesAuthMixin(OxyServicesBase)
+                          // Cross-domain authentication mixins (web-only)
+                          OxyServicesRedirectAuthMixin(
+                            OxyServicesPopupAuthMixin(
+                              OxyServicesFedCMMixin(
+                                // Base authentication mixin
+                                OxyServicesAuthMixin(OxyServicesBase)
+                              )
+                            )
+                          )
                         )
                       )
                     )

package/src/crypto/index.ts

@@ -1,14 +1,25 @@
 /**
  * Oxy Crypto Module
  * 
- * Provides type definitions and polyfills for crypto operations.
- * Identity management (KeyManager, SignatureService) belongs ONLY in the Accounts app.
+ * Provides cryptographic identity management for the Oxy ecosystem.
+ * Handles key generation, secure storage, digital signatures, and recovery phrases.
  */
 
-// Import polyfills first - this ensures Buffer is available for crypto libraries
+// Import polyfills first - this ensures Buffer is available for bip39 and other libraries
 import './polyfill';
 
-// Only export types - actual identity operations are in Accounts app
-export { type BackupData } from './types';
+export { KeyManager, type KeyPair } from './keyManager';
+export { 
+  SignatureService, 
+  type SignedMessage, 
+  type AuthChallenge 
+} from './signatureService';
+export { 
+  RecoveryPhraseService, 
+  type RecoveryPhraseResult 
+} from './recoveryPhrase';
+
+// Re-export for convenience
+export { KeyManager as default } from './keyManager';