@oxyhq/services 5.17.17 → 5.17.18

package/src/crypto/polyfill.ts

@@ -5,12 +5,12 @@
  * before any crypto operations are performed.
  * 
  * Polyfills included:
- * - Buffer: Required by crypto libraries
- * - crypto.getRandomValues: Required for secure random number generation
+ * - Buffer: Required by bip39 and other crypto libraries
+ * - crypto.getRandomValues: Required by bip39 for secure random number generation
  */
 
 // Import Buffer polyfill for React Native compatibility
-// Some crypto libraries depend on Buffer which isn't available in React Native
+// Libraries like bip39 depend on Buffer which isn't available in React Native
 import { Buffer } from 'buffer';
 
 // Get the global object in a cross-platform way
@@ -30,7 +30,7 @@ if (!globalObject.Buffer) {
 }
 
 // Polyfill crypto.getRandomValues for React Native
-// This is required by crypto libraries for secure random number generation
+// This is required by bip39 and other crypto libraries
 type CryptoLike = {
   getRandomValues: <T extends ArrayBufferView>(array: T) => T;
 };
@@ -76,5 +76,6 @@ if (typeof globalObject.crypto === 'undefined') {
   (globalObject.crypto as CryptoLike).getRandomValues = cryptoPolyfill.getRandomValues;
 }
 
-// No longer re-exporting `Buffer` from this module; import from 'buffer' where needed.
+// Re-export Buffer for convenience
+export { Buffer };
 

package/src/crypto/recoveryPhrase.ts

@@ -0,0 +1,166 @@
+/**
+ * Recovery Phrase Service - BIP39 Mnemonic Generation
+ * 
+ * Handles generation and restoration of recovery phrases (mnemonic seeds)
+ * for backing up and restoring user identities.
+ * 
+ * Note: This module requires the polyfill to be loaded first (done via crypto/index.ts)
+ */
+
+import * as bip39 from 'bip39';
+import { KeyManager } from './keyManager';
+
+/**
+ * Convert Uint8Array or array-like to hexadecimal string
+ * Works in both Node.js and React Native without depending on Buffer
+ */
+function toHex(data: Uint8Array | ArrayLike<number>): string {
+  // Convert to array of numbers if needed
+  const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);
+  return Array.from(bytes)
+    .map(b => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+export interface RecoveryPhraseResult {
+  phrase: string;
+  words: string[];
+  publicKey: string;
+}
+
+export class RecoveryPhraseService {
+  /**
+   * Generate a new identity with a recovery phrase
+   * Returns the mnemonic phrase (should only be shown once to the user)
+   */
+  static async generateIdentityWithRecovery(): Promise<RecoveryPhraseResult> {
+    // Generate 128-bit entropy for 12-word mnemonic
+    const mnemonic = bip39.generateMnemonic(128);
+    
+    // Derive private key from mnemonic
+    // Using the seed directly as the private key (simplified approach)
+    const seed = await bip39.mnemonicToSeed(mnemonic);
+    
+    // Use first 32 bytes of seed as private key
+    const seedSlice = seed.subarray ? seed.subarray(0, 32) : seed.slice(0, 32);
+    const privateKeyHex = toHex(seedSlice);
+    
+    // Import the derived key pair
+    const publicKey = await KeyManager.importKeyPair(privateKeyHex);
+
+    return {
+      phrase: mnemonic,
+      words: mnemonic.split(' '),
+      publicKey,
+    };
+  }
+
+  /**
+   * Generate a 24-word recovery phrase for higher security
+   */
+  static async generateIdentityWithRecovery24(): Promise<RecoveryPhraseResult> {
+    // Generate 256-bit entropy for 24-word mnemonic
+    const mnemonic = bip39.generateMnemonic(256);
+    
+    const seed = await bip39.mnemonicToSeed(mnemonic);
+    const seedSlice = seed.subarray ? seed.subarray(0, 32) : seed.slice(0, 32);
+    const privateKeyHex = toHex(seedSlice);
+    const publicKey = await KeyManager.importKeyPair(privateKeyHex);
+
+    return {
+      phrase: mnemonic,
+      words: mnemonic.split(' '),
+      publicKey,
+    };
+  }
+
+  /**
+   * Restore an identity from a recovery phrase
+   */
+  static async restoreFromPhrase(phrase: string): Promise<string> {
+    // Normalize and validate the phrase
+    const normalizedPhrase = phrase.trim().toLowerCase();
+    
+    if (!bip39.validateMnemonic(normalizedPhrase)) {
+      throw new Error('Invalid recovery phrase. Please check the words and try again.');
+    }
+
+    // Derive the same private key from the mnemonic
+    const seed = await bip39.mnemonicToSeed(normalizedPhrase);
+    const seedSlice = seed.subarray ? seed.subarray(0, 32) : seed.slice(0, 32);
+    const privateKeyHex = toHex(seedSlice);
+    
+    // Import and store the key pair
+    const publicKey = await KeyManager.importKeyPair(privateKeyHex);
+
+    return publicKey;
+  }
+
+  /**
+   * Validate a recovery phrase without importing it
+   */
+  static validatePhrase(phrase: string): boolean {
+    const normalizedPhrase = phrase.trim().toLowerCase();
+    return bip39.validateMnemonic(normalizedPhrase);
+  }
+
+  /**
+   * Get the word list for autocomplete/validation
+   */
+  static getWordList(): string[] {
+    return bip39.wordlists.english;
+  }
+
+  /**
+   * Check if a word is valid in the BIP39 word list
+   */
+  static isValidWord(word: string): boolean {
+    return bip39.wordlists.english.includes(word.toLowerCase());
+  }
+
+  /**
+   * Get suggestions for a partial word
+   */
+  static getSuggestions(partial: string, limit: number = 5): string[] {
+    const lowerPartial = partial.toLowerCase();
+    return bip39.wordlists.english
+      .filter((word: string) => word.startsWith(lowerPartial))
+      .slice(0, limit);
+  }
+
+  /**
+   * Derive the public key from a phrase without storing
+   * Useful for verification before importing
+   */
+  static async derivePublicKeyFromPhrase(phrase: string): Promise<string> {
+    const normalizedPhrase = phrase.trim().toLowerCase();
+    
+    if (!bip39.validateMnemonic(normalizedPhrase)) {
+      throw new Error('Invalid recovery phrase');
+    }
+
+    const seed = await bip39.mnemonicToSeed(normalizedPhrase);
+    const seedSlice = seed.subarray ? seed.subarray(0, 32) : seed.slice(0, 32);
+    const privateKeyHex = toHex(seedSlice);
+    
+    return KeyManager.derivePublicKey(privateKeyHex);
+  }
+
+  /**
+   * Convert a phrase to its word array
+   */
+  static phraseToWords(phrase: string): string[] {
+    return phrase.trim().toLowerCase().split(/\s+/);
+  }
+
+  /**
+   * Convert a word array to a phrase string
+   */
+  static wordsToPhrase(words: string[]): string {
+    return words.map(w => w.toLowerCase().trim()).join(' ');
+  }
+}
+
+export default RecoveryPhraseService;
+
+

package/src/crypto/signatureService.ts

@@ -0,0 +1,323 @@
+/**
+ * Signature Service - ECDSA Digital Signatures
+ * 
+ * Handles signing and verification of messages using ECDSA secp256k1.
+ * Used for authenticating requests and proving identity ownership.
+ */
+
+import { ec as EC } from 'elliptic';
+import { KeyManager } from './keyManager';
+
+// Lazy import for expo-crypto
+let ExpoCrypto: typeof import('expo-crypto') | null = null;
+
+const ec = new EC('secp256k1');
+
+/**
+ * Check if we're in a React Native environment
+ */
+function isReactNative(): boolean {
+  return typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
+}
+
+/**
+ * Check if we're in a Node.js environment
+ */
+function isNodeJS(): boolean {
+  return typeof process !== 'undefined' && process.versions != null && process.versions.node != null;
+}
+
+/**
+ * Initialize expo-crypto module
+ */
+async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
+  if (!ExpoCrypto) {
+    ExpoCrypto = await import('expo-crypto');
+  }
+  return ExpoCrypto;
+}
+
+/**
+ * Compute SHA-256 hash of a string
+ */
+async function sha256(message: string): Promise<string> {
+  // In React Native, always use expo-crypto
+  if (isReactNative() || !isNodeJS()) {
+    const Crypto = await initExpoCrypto();
+    return Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      message
+    );
+  }
+  
+  // In Node.js, use Node's crypto module
+  // Use Function constructor to prevent Metro bundler from statically analyzing this require
+  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-implied-eval
+    const getCrypto = new Function('return require("crypto")');
+    const crypto = getCrypto();
+    return crypto.createHash('sha256').update(message).digest('hex');
+  } catch (error) {
+    // Fallback to expo-crypto if Node crypto fails
+    const Crypto = await initExpoCrypto();
+    return Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      message
+    );
+  }
+}
+
+export interface SignedMessage {
+  message: string;
+  signature: string;
+  publicKey: string;
+  timestamp: number;
+}
+
+export interface AuthChallenge {
+  challenge: string;
+  publicKey: string;
+  timestamp: number;
+}
+
+export class SignatureService {
+  /**
+   * Generate a random challenge string (for offline use)
+   * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
+   */
+  static async generateChallenge(): Promise<string> {
+    if (isReactNative() || !isNodeJS()) {
+      // Use expo-crypto for React Native (expo-random is deprecated)
+      const Crypto = await initExpoCrypto();
+      const randomBytes = await Crypto.getRandomBytesAsync(32);
+      return Array.from(randomBytes)
+        .map((b: number) => b.toString(16).padStart(2, '0'))
+        .join('');
+    }
+    
+    // Node.js fallback
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const crypto = getCrypto();
+      return crypto.randomBytes(32).toString('hex');
+    } catch (error) {
+      // Fallback to expo-crypto if Node crypto fails
+      const Crypto = await initExpoCrypto();
+      const randomBytes = await Crypto.getRandomBytesAsync(32);
+      return Array.from(randomBytes)
+        .map((b: number) => b.toString(16).padStart(2, '0'))
+        .join('');
+    }
+  }
+
+  /**
+   * Hash a message using SHA-256
+   */
+  static async hashMessage(message: string): Promise<string> {
+    return sha256(message);
+  }
+
+  /**
+   * Sign a message using the stored private key
+   * Returns the signature in DER format (hex encoded)
+   */
+  static async sign(message: string): Promise<string> {
+    const keyPair = await KeyManager.getKeyPairObject();
+    if (!keyPair) {
+      throw new Error('No identity found. Please create or import an identity first.');
+    }
+
+    const messageHash = await sha256(message);
+    const signature = keyPair.sign(messageHash);
+    return signature.toDER('hex');
+  }
+
+  /**
+   * Sign a message with an explicit private key (without storing)
+   * Useful for one-time operations or testing
+   */
+  static async signWithKey(message: string, privateKey: string): Promise<string> {
+    const keyPair = ec.keyFromPrivate(privateKey);
+    const messageHash = await sha256(message);
+    const signature = keyPair.sign(messageHash);
+    return signature.toDER('hex');
+  }
+
+  /**
+   * Verify a signature against a message and public key
+   */
+  static async verify(message: string, signature: string, publicKey: string): Promise<boolean> {
+    try {
+      const key = ec.keyFromPublic(publicKey, 'hex');
+      const messageHash = await sha256(message);
+      return key.verify(messageHash, signature);
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Synchronous verification (for Node.js backend)
+   * Uses crypto module directly for hashing
+   * Note: This method should only be used in Node.js environments
+   */
+  static verifySync(message: string, signature: string, publicKey: string): boolean {
+    try {
+      if (!isNodeJS()) {
+        // In React Native, use async verify instead
+        throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
+      }
+      // Use Function constructor to prevent Metro bundler from statically analyzing this require
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const crypto = getCrypto();
+      const key = ec.keyFromPublic(publicKey, 'hex');
+      const messageHash = crypto.createHash('sha256').update(message).digest('hex');
+      return key.verify(messageHash, signature);
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Create a signed message object with metadata
+   */
+  static async createSignedMessage(message: string): Promise<SignedMessage> {
+    const publicKey = await KeyManager.getPublicKey();
+    if (!publicKey) {
+      throw new Error('No identity found. Please create or import an identity first.');
+    }
+
+    const timestamp = Date.now();
+    const messageWithTimestamp = `${message}:${timestamp}`;
+    const signature = await SignatureService.sign(messageWithTimestamp);
+
+    return {
+      message,
+      signature,
+      publicKey,
+      timestamp,
+    };
+  }
+
+  /**
+   * Verify a signed message object
+   * Checks both signature validity and timestamp freshness
+   */
+  static async verifySignedMessage(
+    signedMessage: SignedMessage,
+    maxAgeMs: number = 5 * 60 * 1000 // 5 minutes default
+  ): Promise<boolean> {
+    const { message, signature, publicKey, timestamp } = signedMessage;
+
+    // Check timestamp freshness
+    const now = Date.now();
+    if (now - timestamp > maxAgeMs) {
+      return false;
+    }
+
+    // Verify signature
+    const messageWithTimestamp = `${message}:${timestamp}`;
+    return SignatureService.verify(messageWithTimestamp, signature, publicKey);
+  }
+
+  /**
+   * Create a signed authentication challenge response
+   * Used for challenge-response authentication
+   */
+  static async signChallenge(challenge: string): Promise<AuthChallenge> {
+    const publicKey = await KeyManager.getPublicKey();
+    if (!publicKey) {
+      throw new Error('No identity found. Please create or import an identity first.');
+    }
+
+    const timestamp = Date.now();
+    const message = `auth:${publicKey}:${challenge}:${timestamp}`;
+    const signature = await SignatureService.sign(message);
+
+    return {
+      challenge: signature,
+      publicKey,
+      timestamp,
+    };
+  }
+
+  /**
+   * Verify a challenge response
+   */
+  static async verifyChallengeResponse(
+    originalChallenge: string,
+    response: AuthChallenge,
+    maxAgeMs: number = 5 * 60 * 1000
+  ): Promise<boolean> {
+    const { challenge: signature, publicKey, timestamp } = response;
+
+    // Check timestamp freshness
+    const now = Date.now();
+    if (now - timestamp > maxAgeMs) {
+      return false;
+    }
+
+    const message = `auth:${publicKey}:${originalChallenge}:${timestamp}`;
+    return SignatureService.verify(message, signature, publicKey);
+  }
+
+  /**
+   * Create a registration signature
+   * Used when registering a new identity with the server
+   * Format matches server expectation: oxy:register:{publicKey}:{timestamp}
+   */
+  static async createRegistrationSignature(): Promise<{ signature: string; publicKey: string; timestamp: number }> {
+    const publicKey = await KeyManager.getPublicKey();
+    if (!publicKey) {
+      throw new Error('No identity found. Please create or import an identity first.');
+    }
+
+    const timestamp = Date.now();
+    const message = `oxy:register:${publicKey}:${timestamp}`;
+    const signature = await SignatureService.sign(message);
+
+    return {
+      signature,
+      publicKey,
+      timestamp,
+    };
+  }
+
+  /**
+   * Sign arbitrary data for API requests
+   * Creates a canonical string representation and signs it
+   */
+  static async signRequestData(data: Record<string, unknown>): Promise<{
+    signature: string;
+    publicKey: string;
+    timestamp: number;
+  }> {
+    const publicKey = await KeyManager.getPublicKey();
+    if (!publicKey) {
+      throw new Error('No identity found. Please create or import an identity first.');
+    }
+
+    const timestamp = Date.now();
+    
+    // Create canonical string representation
+    const sortedKeys = Object.keys(data).sort();
+    const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
+    const canonicalString = canonicalParts.join('|');
+    
+    const message = `request:${publicKey}:${timestamp}:${canonicalString}`;
+    const signature = await SignatureService.sign(message);
+
+    return {
+      signature,
+      publicKey,
+      timestamp,
+    };
+  }
+}
+
+export default SignatureService;
+
+

package/src/i18n/locales/en-US.json

@@ -237,7 +237,7 @@
     "enterCode": "Enter the 6‑digit code from your authenticator app.",
     "newPassword": "Set New Password",
     "resetSuccess": "Your password has been reset! You can now sign in.",
-    "noEmail": "We no longer send recovery emails. Please use your backup file to restore your identity. Contact support if you need assistance.",
+    "noEmail": "We no longer send recovery emails. Please use your recovery phrase to restore your identity. Contact support if you need assistance.",
     "password": {
       "minLength": "Password must be at least 8 characters long",
       "mismatch": "Passwords do not match",

package/src/index.ts

@@ -4,21 +4,32 @@
  * This exports everything but uses environment detection to avoid crashes.
  * - Frontend: Full UI + Core functionality
  * - Backend: Core functionality only (UI components are no-ops)
- * 
- * NOTE: Identity management (KeyManager, SignatureService) belongs ONLY in the Accounts app.
- * Services SDK handles tokens/sessions, NOT identity.
  */
 
 // IMPORTANT: Import crypto module first to ensure polyfills are loaded
 // before any other code that might use Buffer or other polyfilled APIs
 import './crypto/polyfill';
 
+// Crypto/Identity exports (must be before core to ensure polyfills are available)
+export { 
+  KeyManager, 
+  SignatureService, 
+  RecoveryPhraseService 
+} from './crypto';
+
 // Core exports
 export { OxyServices, OxyAuthenticationError, OxyAuthenticationTimeoutError } from './core';
 export { OXY_CLOUD_URL, oxyClient } from './core';
 
-// Type exports from crypto (types only - no identity implementation)
-export type { BackupData } from './crypto';
+// Cross-domain authentication (Web SSO via FedCM/popup/redirect)
+export { CrossDomainAuth, createCrossDomainAuth } from './core';
+export type { CrossDomainAuthOptions } from './core';
+export type { 
+  KeyPair, 
+  SignedMessage, 
+  AuthChallenge, 
+  RecoveryPhraseResult 
+} from './crypto';
 
 // React context
 export { useOxy } from './ui/context/OxyContext';
@@ -177,7 +188,8 @@ export {
   ErrorCodes, 
   createApiError, 
   handleHttpError, 
-  validateRequiredFields
+  validateRequiredFields,
+  retryWithBackoff 
 } from './utils/errorUtils';
 export * from './utils/validationUtils';
 export { 
@@ -193,12 +205,4 @@ export {
   logPerformance
 } from './utils/loggerUtils';
 export * from './utils/asyncUtils';
-export * from './utils/hookUtils';
-
-// Avatar and account utilities
-export { 
-  refreshAvatarInStore, 
-  refreshAccountInStore, 
-  updateAvatarVisibility,
-  updateProfileWithAvatar
-} from './ui/utils/avatarUtils';
+export * from './utils/hookUtils';

package/src/models/interfaces.ts

@@ -1,6 +1,8 @@
 export interface OxyConfig {
   baseURL: string;
   cloudURL?: string;
+  authWebUrl?: string;
+  authRedirectUri?: string;
   // Performance & caching options
   enableCache?: boolean;
   cacheTTL?: number; // Cache TTL in milliseconds (default: 5 minutes)
@@ -21,23 +23,9 @@ export interface OxyConfig {
   onRequestError?: (url: string, method: string, error: Error) => void;
 }
 
-/**
- * User Model
- * 
- * IMPORTANT: 
- * - id: MongoDB ObjectId (24 hex characters) - PRIMARY IDENTIFIER for all internal operations
- * - publicKey: Cryptographic public key (130 hex characters) - LOOKUP KEY for authentication and identity operations
- * 
- * Never use publicKey as an ID. Always use id (ObjectId) for:
- * - Database queries
- * - Session userId
- * - Token userId
- * - Socket room names
- * - API route parameters (unless explicitly doing publicKey lookup)
- */
 export interface User {
-  id: string;           // MongoDB ObjectId - PRIMARY IDENTIFIER (always 24 hex chars)
-  publicKey: string;    // Cryptographic public key - LOOKUP KEY (130 hex chars for secp256k1)
+  id: string;
+  publicKey: string;
   username: string;
   email?: string;
   // Avatar file id (asset id)

package/src/models/session.ts

@@ -1,16 +1,9 @@
-/**
- * Client Session Model
- * 
- * IMPORTANT:
- * - userId: MongoDB ObjectId (24 hex characters), never publicKey
- * - Used for session management and user identification
- */
 export interface ClientSession {
   sessionId: string;
   deviceId: string;
   expiresAt: string;
   lastActive: string;
-  userId?: string;  // MongoDB ObjectId - PRIMARY IDENTIFIER (never publicKey)
+  userId?: string;
   isCurrent?: boolean;
 }
 
@@ -29,7 +22,5 @@ export interface SessionLoginResponse {
   sessionId: string;
   deviceId: string;
   expiresAt: string;
-  accessToken: string;
-  refreshToken: string;
   user: MinimalUserData;
-}
+} 

package/src/types/bip39.d.ts

@@ -0,0 +1,32 @@
+declare module 'bip39' {
+  export interface Wordlist {
+    [index: number]: string;
+    length: number;
+    getWord(index: number): string;
+    getWordIndex(word: string): number;
+  }
+
+  export const wordlists: {
+    english: string[];
+    chinese_simplified: string[];
+    chinese_traditional: string[];
+    french: string[];
+    italian: string[];
+    japanese: string[];
+    korean: string[];
+    spanish: string[];
+  };
+
+  // Use Uint8Array instead of Buffer for React Native compatibility
+  // In Node.js, Buffer extends Uint8Array so this is compatible
+  export function generateMnemonic(strength?: number, rng?: (size: number) => Uint8Array, wordlist?: string[]): string;
+  export function mnemonicToSeed(mnemonic: string, passphrase?: string): Promise<Uint8Array>;
+  export function mnemonicToSeedSync(mnemonic: string, passphrase?: string): Uint8Array;
+  export function mnemonicToEntropy(mnemonic: string, wordlist?: string[]): string;
+  export function entropyToMnemonic(entropy: string, wordlist?: string[]): string;
+  export function validateMnemonic(mnemonic: string, wordlist?: string[]): boolean;
+  export function mnemonicToSeedHex(mnemonic: string, passphrase?: string): Promise<string>;
+  export function mnemonicToSeedHexSync(mnemonic: string, passphrase?: string): string;
+}
+
+