@oxyhq/services 5.17.17 → 5.18.0

package/lib/typescript/utils/errorUtils.d.ts

@@ -44,4 +44,10 @@ export declare function validateRequiredFields(data: Record<string, unknown>, fi
  * Safe error logging with context
  */
 export declare function logError(error: unknown, context?: string): void;
+/**
+ * Retry function with exponential backoff
+ * Re-exports retryAsync for backward compatibility
+ * @deprecated Use retryAsync from asyncUtils instead
+ */
+export { retryAsync as retryWithBackoff } from './asyncUtils';
 //# sourceMappingURL=errorUtils.d.ts.map

package/lib/typescript/utils/errorUtils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errorUtils.d.ts","sourceRoot":"","sources":["../../../src/utils/errorUtils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAGrD;;GAEG;AAEH;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CA0Bb,CAAC;AAEX;;GAEG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAkC,EACxC,MAAM,SAAM,EACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,QAAQ,CAOV;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,QAAQ,CA+FxD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAqB7D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAU5F;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAa/D"}
+{"version":3,"file":"errorUtils.d.ts","sourceRoot":"","sources":["../../../src/utils/errorUtils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAGrD;;GAEG;AAEH;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CA0Bb,CAAC;AAEX;;GAEG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAkC,EACxC,MAAM,SAAM,EACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,QAAQ,CAOV;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,QAAQ,CA+FxD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAqB7D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAU5F;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAa/D;AAED;;;;GAIG;AACH,OAAO,EAAE,UAAU,IAAI,gBAAgB,EAAE,MAAM,cAAc,CAAC"}

package/lib/typescript/utils/validationUtils.d.ts

@@ -9,6 +9,10 @@ export declare const EMAIL_REGEX: RegExp;
  * Username validation regex (alphanumeric, underscores, and hyphens, 3-30 chars)
  */
 export declare const USERNAME_REGEX: RegExp;
+/**
+ * Password validation regex (at least 8 chars, 1 uppercase, 1 lowercase, 1 number)
+ */
+export declare const PASSWORD_REGEX: RegExp;
 /**
  * Validate email format
  */
@@ -17,6 +21,10 @@ export declare function isValidEmail(email: string): boolean;
  * Validate username format
  */
 export declare function isValidUsername(username: string): boolean;
+/**
+ * Validate password strength
+ */
+export declare function isValidPassword(password: string): boolean;
 /**
  * Validate required string
  */

package/lib/typescript/utils/validationUtils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validationUtils.d.ts","sourceRoot":"","sources":["../../../src/utils/validationUtils.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW,QAA+B,CAAC;AAExD;;GAEG;AACH,eAAO,MAAM,cAAc,QAA0B,CAAC;AAGtD;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEnD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEzD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEpD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAErD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGjD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAO/C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAGvD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAEtE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,OAAO,CAGjF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGpD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAOnD;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,GAAG,IAAI,CAiBjH"}
+{"version":3,"file":"validationUtils.d.ts","sourceRoot":"","sources":["../../../src/utils/validationUtils.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW,QAA+B,CAAC;AAExD;;GAEG;AACH,eAAO,MAAM,cAAc,QAA0B,CAAC;AAEtD;;GAEG;AAEH,eAAO,MAAM,cAAc,QAAY,CAAC;AAExC;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEnD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAExD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEzD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEpD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAErD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGjD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAO/C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAGvD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAEtE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,OAAO,CAGjF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGpD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAOnD;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,GAAG,IAAI,CAiBjH"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/services",
-  "version": "5.17.17",
+  "version": "5.18.0",
   "description": "Reusable OxyHQ module to handle authentication, user management, karma system, device-based session management and more 🚀",
   "main": "lib/commonjs/index.js",
   "module": "lib/module/index.js",
@@ -77,7 +77,7 @@
   "scripts": {
     "typescript": "tsc --skipLibCheck --noEmit",
     "lint": "biome lint --error-on-warnings ./src",
-    "build": "bob build && npm run copy-assets && npm run copy-dts && npm run delete-dts.js && npm run delete-debug-view",
+    "build": "npx react-native-builder-bob build && npm run copy-assets && npm run copy-dts && npm run delete-dts.js && npm run delete-debug-view",
     "test": "jest",
     "test:watch": "jest --watch",
     "test:coverage": "jest --coverage",
@@ -94,6 +94,7 @@
     "@react-native-community/netinfo": "^11.4.1",
     "@tanstack/react-query": "^5.59.0",
     "axios": "^1.9.0",
+    "bip39": "^3.1.0",
     "buffer": "^6.0.3",
     "elliptic": "^6.6.1",
     "expo-blur": "~15.0.8",
@@ -111,7 +112,10 @@
     "sonner": "^2.0.4",
     "sonner-native": "^0.20.0",
     "zod": "^3.25.64",
-    "zustand": "^5.0.9"
+    "zustand": "^5.0.6",
+    "@types/react": "~19.1.0",
+    "copyfiles": "^2.4.1",
+    "typescript": "^5.9.2"
   },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
@@ -126,8 +130,6 @@
     "@types/jest": "^29.5.14",
     "@types/jwt-decode": "^2.2.1",
     "@types/node": "^20.19.9",
-    "@types/react": "~19.1.0",
-    "copyfiles": "^2.4.1",
     "expo-file-system": "~19.0.0",
     "expo-font": "~14.0.9",
     "expo-haptics": "~14.0.0",
@@ -142,8 +144,7 @@
     "react-native-safe-area-context": "~5.6.0",
     "react-native-svg": "15.11.2",
     "release-it": "^19.0.6",
-    "ts-jest": "^29.4.0",
-    "typescript": "^5.9.2"
+    "ts-jest": "^29.4.0"
   },
   "peerDependencies": {
     "@expo/vector-icons": "^15.0.3",

package/src/core/CrossDomainAuth.ts

@@ -0,0 +1,307 @@
+/**
+ * Cross-Domain Authentication Helper
+ *
+ * Provides a simplified API for cross-domain SSO authentication that automatically
+ * selects the best authentication method based on browser capabilities:
+ *
+ * 1. FedCM (if supported) - Modern, Google-style browser-native auth
+ * 2. Popup (fallback) - OAuth2-style popup window
+ * 3. Redirect (final fallback) - Traditional full-page redirect
+ *
+ * Usage:
+ * ```typescript
+ * import { CrossDomainAuth } from '@oxyhq/services';
+ *
+ * const auth = new CrossDomainAuth(oxyServices);
+ *
+ * // Automatic method selection
+ * const session = await auth.signIn();
+ *
+ * // Or use specific method
+ * const session = await auth.signInWithPopup();
+ * ```
+ */
+
+import type { OxyServices } from './OxyServices';
+import type { SessionLoginResponse } from '../models/session';
+
+export interface CrossDomainAuthOptions {
+  /**
+   * Preferred authentication method
+   * - 'auto': Automatically select best method (default)
+   * - 'fedcm': Use FedCM (browser-native)
+   * - 'popup': Use popup window
+   * - 'redirect': Use full-page redirect
+   */
+  method?: 'auto' | 'fedcm' | 'popup' | 'redirect';
+
+  /**
+   * Custom redirect URI (for redirect method)
+   */
+  redirectUri?: string;
+
+  /**
+   * Whether to open signup page instead of login
+   */
+  isSignup?: boolean;
+
+  /**
+   * Popup window dimensions (for popup method)
+   */
+  popupDimensions?: {
+    width?: number;
+    height?: number;
+  };
+
+  /**
+   * Callback when auth method is selected
+   */
+  onMethodSelected?: (method: 'fedcm' | 'popup' | 'redirect') => void;
+}
+
+export class CrossDomainAuth {
+  constructor(private oxyServices: OxyServices) {}
+
+  /**
+   * Sign in with automatic method selection
+   *
+   * Tries methods in this order:
+   * 1. FedCM (if supported and not in private browsing)
+   * 2. Popup (if not blocked)
+   * 3. Redirect (always works)
+   *
+   * @param options - Authentication options
+   * @returns Session with user data and access token
+   */
+  async signIn(options: CrossDomainAuthOptions = {}): Promise<SessionLoginResponse | null> {
+    const method = options.method || 'auto';
+
+    // If specific method requested, use it directly
+    if (method === 'fedcm') {
+      return this.signInWithFedCM(options);
+    }
+
+    if (method === 'popup') {
+      return this.signInWithPopup(options);
+    }
+
+    if (method === 'redirect') {
+      this.signInWithRedirect(options);
+      return null; // Redirect doesn't return immediately
+    }
+
+    // Auto mode: Try methods in order of preference
+    return this.autoSignIn(options);
+  }
+
+  /**
+   * Automatic sign-in with progressive enhancement
+   *
+   * @private
+   */
+  private async autoSignIn(options: CrossDomainAuthOptions): Promise<SessionLoginResponse | null> {
+    // 1. Try FedCM first (best UX, most modern)
+    if (this.isFedCMSupported()) {
+      try {
+        options.onMethodSelected?.('fedcm');
+        return await this.signInWithFedCM(options);
+      } catch (error) {
+        console.warn('[CrossDomainAuth] FedCM failed, trying popup...', error);
+      }
+    }
+
+    // 2. Try popup (good UX, widely supported)
+    try {
+      options.onMethodSelected?.('popup');
+      return await this.signInWithPopup(options);
+    } catch (error) {
+      console.warn('[CrossDomainAuth] Popup failed, falling back to redirect...', error);
+    }
+
+    // 3. Fallback to redirect (always works)
+    options.onMethodSelected?.('redirect');
+    this.signInWithRedirect(options);
+    return null;
+  }
+
+  /**
+   * Sign in using FedCM (Federated Credential Management)
+   *
+   * Best method - browser-native, no popups, Google-like experience
+   */
+  async signInWithFedCM(options: CrossDomainAuthOptions = {}): Promise<SessionLoginResponse> {
+    return (this.oxyServices as any).signInWithFedCM({
+      context: options.isSignup ? 'signup' : 'signin',
+    });
+  }
+
+  /**
+   * Sign in using popup window
+   *
+   * Good method - preserves app state, no full page reload
+   */
+  async signInWithPopup(options: CrossDomainAuthOptions = {}): Promise<SessionLoginResponse> {
+    return (this.oxyServices as any).signInWithPopup({
+      mode: options.isSignup ? 'signup' : 'login',
+      width: options.popupDimensions?.width,
+      height: options.popupDimensions?.height,
+    });
+  }
+
+  /**
+   * Sign in using full-page redirect
+   *
+   * Fallback method - works everywhere but loses app state
+   */
+  signInWithRedirect(options: CrossDomainAuthOptions = {}): void {
+    (this.oxyServices as any).signInWithRedirect({
+      redirectUri: options.redirectUri,
+      mode: options.isSignup ? 'signup' : 'login',
+    });
+  }
+
+  /**
+   * Handle redirect callback
+   *
+   * Call this on app startup to check if we're returning from auth redirect
+   */
+  handleRedirectCallback(): SessionLoginResponse | null {
+    return (this.oxyServices as any).handleAuthCallback();
+  }
+
+  /**
+   * Silent sign-in (check for existing session)
+   *
+   * Tries to automatically sign in without user interaction.
+   * Works with both FedCM and popup/iframe methods.
+   *
+   * @returns Session if user is already signed in, null otherwise
+   */
+  async silentSignIn(): Promise<SessionLoginResponse | null> {
+    // Try FedCM silent sign-in first (if supported)
+    if (this.isFedCMSupported()) {
+      try {
+        const session = await (this.oxyServices as any).silentSignInWithFedCM();
+        if (session) {
+          return session;
+        }
+      } catch (error) {
+        console.warn('[CrossDomainAuth] FedCM silent sign-in failed:', error);
+      }
+    }
+
+    // Fallback to iframe-based silent auth
+    try {
+      return await (this.oxyServices as any).silentSignIn();
+    } catch (error) {
+      console.warn('[CrossDomainAuth] Silent sign-in failed:', error);
+      return null;
+    }
+  }
+
+  /**
+   * Restore session from storage
+   *
+   * For redirect method - restores previously authenticated session from localStorage
+   */
+  restoreSession(): boolean {
+    return (this.oxyServices as any).restoreSession?.() || false;
+  }
+
+  /**
+   * Check if FedCM is supported in current browser
+   */
+  isFedCMSupported(): boolean {
+    return (this.oxyServices as any).constructor.isFedCMSupported?.() || false;
+  }
+
+  /**
+   * Get recommended authentication method for current environment
+   *
+   * @returns Recommended method name and reason
+   */
+  getRecommendedMethod(): { method: 'fedcm' | 'popup' | 'redirect'; reason: string } {
+    if (this.isFedCMSupported()) {
+      return {
+        method: 'fedcm',
+        reason: 'FedCM is supported - provides best UX with browser-native auth',
+      };
+    }
+
+    if (typeof window !== 'undefined') {
+      return {
+        method: 'popup',
+        reason: 'Browser environment - popup preserves app state',
+      };
+    }
+
+    return {
+      method: 'redirect',
+      reason: 'Fallback method - works in all environments',
+    };
+  }
+
+  /**
+   * Initialize cross-domain auth on app startup
+   *
+   * This handles:
+   * 1. Redirect callback (if returning from auth.oxy.so)
+   * 2. Session restoration (from localStorage)
+   * 3. Silent sign-in (check for existing SSO session)
+   *
+   * @returns Session if user is authenticated, null otherwise
+   */
+  async initialize(): Promise<SessionLoginResponse | null> {
+    // 1. Check if this is a redirect callback
+    const callbackSession = this.handleRedirectCallback();
+    if (callbackSession) {
+      return callbackSession;
+    }
+
+    // 2. Try to restore existing session from storage
+    const restored = this.restoreSession();
+    if (restored) {
+      // Verify session is still valid by fetching user
+      try {
+        const user = await (this.oxyServices as any).getCurrentUser();
+        if (user) {
+          return {
+            sessionId: (this.oxyServices as any).getStoredSessionId?.() || '',
+            deviceId: '',
+            expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
+            user,
+          };
+        }
+      } catch (error) {
+        console.warn('[CrossDomainAuth] Stored session invalid:', error);
+      }
+    }
+
+    // 3. Try silent sign-in (check for SSO session at auth.oxy.so)
+    return await this.silentSignIn();
+  }
+}
+
+/**
+ * Helper function to create CrossDomainAuth instance
+ *
+ * @example
+ * ```typescript
+ * import { createCrossDomainAuth } from '@oxyhq/services';
+ *
+ * const oxyServices = new OxyServices({ baseURL: 'https://api.oxy.so' });
+ * const auth = createCrossDomainAuth(oxyServices);
+ *
+ * // On app startup
+ * const session = await auth.initialize();
+ * if (session) {
+ *   console.log('User is signed in:', session.user);
+ * }
+ *
+ * // Sign in button click
+ * const session = await auth.signIn();
+ * ```
+ */
+export function createCrossDomainAuth(oxyServices: OxyServices): CrossDomainAuth {
+  return new CrossDomainAuth(oxyServices);
+}

package/src/core/HttpService.ts

@@ -17,8 +17,17 @@ import { TTLCache, registerCacheForCleanup } from '../utils/cache';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from '../utils/requestUtils';
 import { retryAsync } from '../utils/asyncUtils';
 import { handleHttpError } from '../utils/errorUtils';
+import { jwtDecode } from 'jwt-decode';
 import type { OxyConfig } from '../models/interfaces';
 
+interface JwtPayload {
+  exp?: number;
+  userId?: string;
+  id?: string;
+  sessionId?: string;
+  [key: string]: any;
+}
+
 export interface RequestOptions {
   cache?: boolean;
   cacheTTL?: number;
@@ -37,8 +46,45 @@ interface RequestConfig extends RequestOptions {
   params?: Record<string, unknown>;
 }
 
-// Token management moved to TokenService - import it instead
-import { tokenService } from './services/TokenService';
+/**
+ * Token store for authentication (singleton)
+ */
+class TokenStore {
+  private static instance: TokenStore;
+  private accessToken: string | null = null;
+  private refreshToken: string | null = null;
+
+  private constructor() {}
+
+  static getInstance(): TokenStore {
+    if (!TokenStore.instance) {
+      TokenStore.instance = new TokenStore();
+    }
+    return TokenStore.instance;
+  }
+
+  setTokens(accessToken: string, refreshToken = ''): void {
+    this.accessToken = accessToken;
+    this.refreshToken = refreshToken;
+  }
+
+  getAccessToken(): string | null {
+    return this.accessToken;
+  }
+
+  getRefreshToken(): string | null {
+    return this.refreshToken;
+  }
+
+  clearTokens(): void {
+    this.accessToken = null;
+    this.refreshToken = null;
+  }
+
+  hasAccessToken(): boolean {
+    return !!this.accessToken;
+  }
+}
 
 /**
  * Unified HTTP Service
@@ -48,6 +94,7 @@ import { tokenService } from './services/TokenService';
  */
 export class HttpService {
   private baseURL: string;
+  private tokenStore: TokenStore;
   private cache: TTLCache<any>;
   private deduplicator: RequestDeduplicator;
   private requestQueue: RequestQueue;
@@ -67,9 +114,7 @@ export class HttpService {
   constructor(config: OxyConfig) {
     this.config = config;
     this.baseURL = config.baseURL;
-    
-    // Initialize TokenService with baseURL
-    tokenService.initialize(this.baseURL);
+    this.tokenStore = TokenStore.getInstance();
     
     this.logger = new SimpleLogger(
       config.enableLogging || false,
@@ -216,7 +261,7 @@ export class HttpService {
         // Handle response
         if (!response.ok) {
           if (response.status === 401) {
-            tokenService.clearTokens();
+            this.tokenStore.clearTokens();
           }
           
           // Try to parse error response (handle empty/malformed JSON)
@@ -224,9 +269,12 @@ export class HttpService {
           const contentType = response.headers.get('content-type');
           if (contentType && contentType.includes('application/json')) {
             try {
-              const errorData = await response.json() as { message?: string } | null;
+              const errorData = await response.json() as { message?: string; error?: string } | null;
+              // Check both 'message' and 'error' fields for backwards compatibility
               if (errorData?.message) {
                 errorMessage = errorData.message;
+              } else if (errorData?.error) {
+                errorMessage = errorData.error;
               }
             } catch (parseError) {
               // Malformed JSON or empty response - use status text
@@ -370,10 +418,45 @@ export class HttpService {
 
   /**
    * Get auth header with automatic token refresh
-   * Uses TokenService for all token operations
    */
   private async getAuthHeader(): Promise<string | null> {
-    return await tokenService.getAuthHeader();
+    const accessToken = this.tokenStore.getAccessToken();
+    if (!accessToken) {
+      return null;
+    }
+
+    try {
+      const decoded = jwtDecode<JwtPayload>(accessToken);
+      const currentTime = Math.floor(Date.now() / 1000);
+
+      // If token expires in less than 60 seconds, refresh it
+      if (decoded.exp && decoded.exp - currentTime < 60 && decoded.sessionId) {
+        try {
+          const refreshUrl = `${this.baseURL}/api/session/token/${decoded.sessionId}`;
+          
+          // Use AbortSignal.timeout for consistent timeout handling
+          const response = await fetch(refreshUrl, {
+            method: 'GET',
+            headers: { 'Accept': 'application/json' },
+            signal: AbortSignal.timeout(5000),
+          });
+
+          if (response.ok) {
+            const { accessToken: newToken } = await response.json();
+            this.tokenStore.setTokens(newToken);
+            this.logger.debug('Token refreshed');
+            return `Bearer ${newToken}`;
+          }
+        } catch (refreshError) {
+          this.logger.warn('Token refresh failed, using current token');
+        }
+      }
+
+      return `Bearer ${accessToken}`;
+    } catch (error) {
+      this.logger.error('Error processing token:', error);
+      return `Bearer ${accessToken}`;
+    }
   }
 
   /**
@@ -478,21 +561,21 @@ export class HttpService {
     return { data: result as T };
   }
 
-  // Token management - delegates to TokenService
+  // Token management
   setTokens(accessToken: string, refreshToken = ''): void {
-    tokenService.setTokens(accessToken, refreshToken);
+    this.tokenStore.setTokens(accessToken, refreshToken);
   }
 
   clearTokens(): void {
-    tokenService.clearTokens();
+    this.tokenStore.clearTokens();
   }
 
   getAccessToken(): string | null {
-    return tokenService.getAccessToken();
+    return this.tokenStore.getAccessToken();
   }
 
   hasAccessToken(): boolean {
-    return tokenService.hasAccessToken();
+    return this.tokenStore.hasAccessToken();
   }
 
   getBaseURL(): string {
@@ -526,10 +609,10 @@ export class HttpService {
   // Test-only utility
   static __resetTokensForTests(): void {
     try {
-      tokenService.clearTokens();
+      TokenStore.getInstance().clearTokens();
     } catch (error) {
       // Silently fail in test cleanup - this is expected behavior
-      // TokenService might not be initialized in some test scenarios
+      // TokenStore might not be initialized in some test scenarios
     }
   }
 }

package/src/core/OxyServices.base.ts

@@ -3,16 +3,24 @@
  * 
  * Contains core infrastructure, HTTP client, request management, and error handling
  */
+import { jwtDecode } from 'jwt-decode';
 import type { OxyConfig as OxyConfigBase, ApiError, User } from '../models/interfaces';
 import { handleHttpError } from '../utils/errorUtils';
 import { HttpService, type RequestOptions } from './HttpService';
 import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
-import { tokenService } from './services/TokenService';
 
 export interface OxyConfig extends OxyConfigBase {
   cloudURL?: string;
 }
 
+interface JwtPayload {
+  exp?: number;
+  userId?: string;
+  id?: string;
+  sessionId?: string;
+  [key: string]: any;
+}
+
 /**
  * Base class for OxyServices with core infrastructure
  */
@@ -127,10 +135,19 @@ export class OxyServicesBase {
 
   /**
    * Get the current user ID from the access token
-   * Returns MongoDB ObjectId (never publicKey)
    */
   public getCurrentUserId(): string | null {
-    return tokenService.getUserIdFromToken();
+    const accessToken = this.httpService.getAccessToken();
+    if (!accessToken) {
+      return null;
+    }
+    
+    try {
+      const decoded = jwtDecode<JwtPayload>(accessToken);
+      return decoded.userId || decoded.id || null;
+    } catch (error) {
+      return null;
+    }
   }
 
   /**

package/src/core/OxyServices.ts

@@ -96,20 +96,24 @@ import { composeOxyServices } from './mixins';
  * ```
  */
 // Compose all mixins into the final OxyServices class
-const OxyServicesComposed: ReturnType<typeof composeOxyServices> = composeOxyServices();
+const OxyServicesComposed = composeOxyServices();
 
 // Export as a named class to avoid TypeScript issues with anonymous class types
-export class OxyServices extends OxyServicesComposed {
+export class OxyServices extends (OxyServicesComposed as any) {
   constructor(config: OxyConfig) {
     super(config);
   }
 }
 
+// Type augmentation to expose mixin methods to TypeScript
+// This allows proper type checking while avoiding complex mixin type inference
+export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {}
+
 // Re-export error classes for convenience
 export { OxyAuthenticationError, OxyAuthenticationTimeoutError };
 
 /**
- * Default Oxy Cloud URL
+ * Export the default Oxy Cloud URL (for backward compatibility)
  */
 export const OXY_CLOUD_URL = 'https://cloud.oxy.so';