@oxyhq/services 5.17.8 → 5.17.9

package/src/ui/context/hooks/useAuthOperations.ts

@@ -1,13 +1,11 @@
 import { useCallback } from 'react';
 import type { ApiError, User } from '../../../models/interfaces';
 import type { AuthState } from '../../stores/authStore';
-import type { ClientSession } from '../../../models/session';
-import { DeviceManager } from '../../../utils/deviceManager';
+import type { ClientSession, SessionLoginResponse } from '../../../models/session';
 import { fetchSessionsWithFallback } from '../../utils/sessionHelpers';
 import { handleAuthError, isInvalidSessionError } from '../../utils/errorHandlers';
 import type { StorageInterface } from '../../utils/storageHelpers';
 import type { OxyServices } from '../../../core';
-import { KeyManager, SignatureService } from '../../../crypto';
 
 export interface UseAuthOperationsOptions {
   oxyServices: OxyServices;
@@ -30,22 +28,25 @@ export interface UseAuthOperationsOptions {
 }
 
 export interface UseAuthOperationsResult {
-  /** Sign in with existing identity on device */
-  signIn: (deviceName?: string) => Promise<User>;
+  /** Complete sign-in after external challenge-response (Accounts app signs, Services completes session) */
+  completeSignIn: (sessionResponse: SessionLoginResponse) => Promise<User>;
   /** Logout from current session */
   logout: (targetSessionId?: string) => Promise<void>;
   /** Logout from all sessions */
   logoutAll: () => Promise<void>;
 }
 
-const LOGIN_ERROR_CODE = 'LOGIN_ERROR';
 const LOGOUT_ERROR_CODE = 'LOGOUT_ERROR';
 const LOGOUT_ALL_ERROR_CODE = 'LOGOUT_ALL_ERROR';
 
 
 /**
- * Authentication operations using public key cryptography.
- * No passwords required - identity is based on ECDSA key pairs.
+ * Authentication operations for Services SDK.
+ * 
+ * ARCHITECTURE:
+ * - Services SDK only handles tokens/sessions (NOT identity)
+ * - Accounts app handles identity (KeyManager, SignatureService, challenge signing)
+ * - completeSignIn() accepts already-verified session from Accounts app
  */
 export const useAuthOperations = ({
   oxyServices,
@@ -68,148 +69,82 @@ export const useAuthOperations = ({
 }: UseAuthOperationsOptions): UseAuthOperationsResult => {
   
   /**
-   * Internal function to perform challenge-response sign in
+   * Complete sign-in after external authentication.
+   * 
+   * This is called by Accounts app AFTER it has:
+   * 1. Requested challenge from backend
+   * 2. Signed challenge locally with private key
+   * 3. Verified challenge with backend to get sessionResponse
+   * 
+   * Services SDK only stores tokens and manages session state.
+   * 
+   * @param sessionResponse - Session data from verifyChallenge API call
    */
-  const performSignIn = useCallback(
-    async (publicKey: string, deviceName?: string): Promise<User> => {
-      const deviceFingerprintObj = DeviceManager.getDeviceFingerprint();
-      const deviceFingerprint = JSON.stringify(deviceFingerprintObj);
-      const deviceInfo = await DeviceManager.getDeviceInfo();
-      const defaultDeviceName = deviceInfo.deviceName || DeviceManager.getDefaultDeviceName();
-      const finalDeviceName = deviceName || defaultDeviceName;
-
-      // Look up user by public key
-      const userLookup = await oxyServices.getUserByPublicKey(publicKey);
-      const userId = userLookup.id;
-
-      // Request challenge
-      const challengeResponse = await oxyServices.requestChallenge(userId);
-      const challenge = challengeResponse.challenge;
-
-      // Sign the challenge
-      const { challenge: signature, timestamp } = await SignatureService.signChallenge(challenge);
-
-      // Verify and create session
-      let sessionResponse;
-      try {
-        sessionResponse = await oxyServices.verifyChallenge(
-          userId,
-          challenge,
-          signature,
-          timestamp,
-          finalDeviceName,
-          deviceFingerprint,
-        );
-      } catch (verifyError) {
-        if (__DEV__) {
-          console.error('[useAuthOperations] verifyChallenge failed:', {
-            error: verifyError,
-            userId,
-            challengeLength: challenge?.length,
-            signatureLength: signature?.length,
-            timestamp,
-            timeSinceChallenge: Date.now() - timestamp,
-          });
-        }
-        throw verifyError;
-      }
-
-      // Store tokens
-      oxyServices.setTokens(sessionResponse.accessToken, sessionResponse.refreshToken);
+  const completeSignIn = useCallback(
+    async (sessionResponse: SessionLoginResponse): Promise<User> => {
+      if (!storage) throw new Error('Storage not initialized');
 
-      // Get full user data
-      const fullUser = await oxyServices.getUserBySession(sessionResponse.sessionId);
+      setAuthState({ isLoading: true, error: null });
 
-      // Fetch device sessions
-      let allDeviceSessions: ClientSession[] = [];
       try {
-        allDeviceSessions = await fetchSessionsWithFallback(oxyServices, sessionResponse.sessionId, {
-          fallbackDeviceId: sessionResponse.deviceId,
-          fallbackUserId: fullUser.id,
-          logger,
-        });
-      } catch (error) {
-        if (__DEV__) {
-          console.warn('Failed to fetch device sessions after login:', error);
-        }
-      }
+        // Store tokens (Services' only responsibility)
+        oxyServices.setTokens(sessionResponse.accessToken, sessionResponse.refreshToken);
 
-      // Check for existing session for same user
-      const existingSession = allDeviceSessions.find(
-        (session) =>
-          session.userId?.toString() === fullUser.id?.toString() &&
-          session.sessionId !== sessionResponse.sessionId,
-      );
+        // Get full user data
+        const fullUser = await oxyServices.getUserBySession(sessionResponse.sessionId);
 
-      if (existingSession) {
-        // Logout duplicate session
+        // Fetch device sessions
+        let allDeviceSessions: ClientSession[] = [];
         try {
-          await oxyServices.logoutSession(sessionResponse.sessionId, sessionResponse.sessionId);
-        } catch (logoutError) {
+          allDeviceSessions = await fetchSessionsWithFallback(oxyServices, sessionResponse.sessionId, {
+            fallbackDeviceId: sessionResponse.deviceId,
+            fallbackUserId: fullUser.id,
+            logger,
+          });
+        } catch (error) {
           if (__DEV__) {
-            console.warn('Failed to logout duplicate session:', logoutError);
+            console.warn('Failed to fetch device sessions after login:', error);
           }
         }
-        await switchSession(existingSession.sessionId);
-        updateSessions(
-          allDeviceSessions.filter((session) => session.sessionId !== sessionResponse.sessionId),
-          { merge: false },
-        );
-        onAuthStateChange?.(fullUser);
-        return fullUser;
-      }
-
-      setActiveSessionId(sessionResponse.sessionId);
-      await saveActiveSessionId(sessionResponse.sessionId);
-      updateSessions(allDeviceSessions, { merge: true });
-
-      await applyLanguagePreference(fullUser);
-      loginSuccess();
-      onAuthStateChange?.(fullUser);
-
-      return fullUser;
-    },
-    [
-      applyLanguagePreference,
-      logger,
-      loginSuccess,
-      onAuthStateChange,
-      oxyServices,
-      saveActiveSessionId,
-      setActiveSessionId,
-      switchSession,
-      updateSessions,
-    ],
-  );
-
-
-  /**
-   * Sign in with existing identity on device
-   */
-  const signIn = useCallback(
-    async (deviceName?: string): Promise<User> => {
-      if (!storage) throw new Error('Storage not initialized');
 
-      setAuthState({ isLoading: true, error: null });
+        // Check for existing session for same user
+        const existingSession = allDeviceSessions.find(
+          (session) =>
+            session.userId?.toString() === fullUser.id?.toString() &&
+            session.sessionId !== sessionResponse.sessionId,
+        );
 
-      try {
-        // Get stored public key
-        const publicKey = await KeyManager.getPublicKey();
-        if (!publicKey) {
-          throw new Error('No identity found on this device. Please create or import an identity.');
+        if (existingSession) {
+          // Logout duplicate session
+          try {
+            await oxyServices.logoutSession(sessionResponse.sessionId, sessionResponse.sessionId);
+          } catch (logoutError) {
+            if (__DEV__) {
+              console.warn('Failed to logout duplicate session:', logoutError);
+            }
+          }
+          await switchSession(existingSession.sessionId);
+          updateSessions(
+            allDeviceSessions.filter((session) => session.sessionId !== sessionResponse.sessionId),
+            { merge: false },
+          );
+          onAuthStateChange?.(fullUser);
+          return fullUser;
         }
 
-        // Ensure identity is registered before attempting sign-in
-        const { registered } = await oxyServices.checkPublicKeyRegistered(publicKey);
-        if (!registered) {
-          throw new Error('Identity is not registered. Please register your identity in the Accounts app before signing in.');
-        }
+        setActiveSessionId(sessionResponse.sessionId);
+        await saveActiveSessionId(sessionResponse.sessionId);
+        updateSessions(allDeviceSessions, { merge: true });
 
-        return await performSignIn(publicKey, deviceName);
+        await applyLanguagePreference(fullUser);
+        loginSuccess();
+        onAuthStateChange?.(fullUser);
+
+        return fullUser;
       } catch (error) {
         const message = handleAuthError(error, {
           defaultMessage: 'Sign in failed',
-          code: LOGIN_ERROR_CODE,
+          code: 'COMPLETE_SIGNIN_ERROR',
           onError,
           setAuthError: (msg: string) => setAuthState({ error: msg }),
           logger,
@@ -220,7 +155,21 @@ export const useAuthOperations = ({
         setAuthState({ isLoading: false });
       }
     },
-    [storage, setAuthState, performSignIn, loginFailure, onError, logger, oxyServices],
+    [
+      storage,
+      setAuthState,
+      oxyServices,
+      logger,
+      saveActiveSessionId,
+      setActiveSessionId,
+      switchSession,
+      updateSessions,
+      applyLanguagePreference,
+      loginSuccess,
+      onAuthStateChange,
+      onError,
+      loginFailure,
+    ],
   );
 
 
@@ -304,7 +253,7 @@ export const useAuthOperations = ({
   }, [activeSessionId, clearSessionState, logger, onError, oxyServices, setAuthState]);
 
   return {
-    signIn,
+    completeSignIn,
     logout,
     logoutAll,
   };

package/src/ui/screens/OxyAuthScreen.tsx

@@ -60,7 +60,7 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
 }) => {
   const themeValue = (theme === 'light' || theme === 'dark') ? theme : 'light';
   const colors = useThemeColors(themeValue);
-  const { oxyServices, signIn, switchSession } = useOxy();
+  const { oxyServices, switchSession } = useOxy();
 
   const [authSession, setAuthSession] = useState<AuthSession | null>(null);
   const [isLoading, setIsLoading] = useState(true);

package/src/ui/stores/authStore.ts

@@ -1,44 +1,83 @@
+/**
+ * Auth Store (Services SDK)
+ * 
+ * === ARCHITECTURE: Services owns sessions/tokens, NOT identity ===
+ * 
+ * This store manages authentication state:
+ * - isAuthenticated: Valid tokens AND online (REQUIRES NETWORK)
+ * - isOnline: Network connectivity state
+ * - isLoading: Auth operation in progress
+ * - error: Last auth error
+ * 
+ * CRITICAL RULES:
+ * ✓ isAuthenticated = true ONLY when:
+ *   1. Valid access/refresh tokens exist
+ *   2. Network is available (isOnline = true)
+ * 
+ * ✗ isAuthenticated must be false when:
+ *   - Offline (even if tokens exist)
+ *   - No valid tokens
+ *   - Tokens expired
+ * 
+ * WHY: Authentication requires server validation. Without network,
+ * we cannot verify tokens are still valid or refresh them.
+ */
+
 import { create } from 'zustand';
 
 export interface AuthState {
   isAuthenticated: boolean;
+  isOnline: boolean;
   isLoading: boolean;
   error: string | null;
   
-  // Identity sync state (offline-first)
-  isIdentitySynced: boolean;
-  isSyncing: boolean;
-  
+  // Actions
+  setOnline: (online: boolean) => void;
   loginSuccess: () => void;
   loginFailure: (error: string) => void;
   logout: () => void;
   
-  // Identity sync actions
-  setIdentitySynced: (synced: boolean) => void;
-  setSyncing: (syncing: boolean) => void;
+  // Helpers
+  canAuthenticate: () => boolean;
 }
 
-export const useAuthStore = create<AuthState>((set: (state: Partial<AuthState>) => void) => ({
+export const useAuthStore = create<AuthState>((set, get) => ({
   isAuthenticated: false,
+  isOnline: true, // Assume online initially
   isLoading: false,
   error: null,
   
-  // Identity sync state (offline-first)
-  isIdentitySynced: false, // Registration/identity sync not confirmed until done
-  isSyncing: false,
+  setOnline: (online: boolean) => {
+    set({ isOnline: online });
+    // If we go offline, we can't be authenticated
+    if (!online) {
+      set({ isAuthenticated: false });
+    }
+  },
   
   loginSuccess: () => set({ 
     isLoading: false, 
-    isAuthenticated: true,
-    isIdentitySynced: true, // If login succeeded, registration is complete
+    isAuthenticated: get().isOnline, // Only authenticated if online
+    error: null,
   }),
-  loginFailure: (error: string) => set({ isLoading: false, error }),
+  
+  loginFailure: (error: string) => set({ 
+    isLoading: false, 
+    isAuthenticated: false,
+    error 
+  }),
+  
   logout: () => set({ 
     isAuthenticated: false,
-    isSyncing: false,
+    error: null,
   }),
   
-  // Identity sync actions
-  setIdentitySynced: (synced: boolean) => set({ isIdentitySynced: synced }),
-  setSyncing: (syncing: boolean) => set({ isSyncing: syncing }),
+  /**
+   * Check if user can authenticate
+   * Requires both valid tokens (checked by caller) and network
+   */
+  canAuthenticate: () => {
+    const state = get();
+    return state.isOnline;
+  },
 })); 

package/src/ui/utils/avatarUtils.ts

@@ -61,7 +61,6 @@ export function refreshAvatarInStore(
  * @param oxyServices - OxyServices instance
  * @param activeSessionId - Active session ID
  * @param queryClient - TanStack Query client
- * @param syncIdentity - Optional sync identity function for handling auth errors
  * @returns Promise that resolves with updated user data
  */
 export async function updateProfileWithAvatar(
@@ -69,29 +68,15 @@ export async function updateProfileWithAvatar(
   oxyServices: OxyServices,
   activeSessionId: string | null,
   queryClient: QueryClient,
-  options?: { syncIdentity?: () => Promise<User>; deviceId?: string }
+  options?: { deviceId?: string }
 ): Promise<User> {
-  const { syncIdentity, deviceId } = options || {};
+  const { deviceId } = options || {};
   // Ensure we have a valid token before making the request
   if (!oxyServices.hasValidToken() && activeSessionId) {
     try {
       await oxyServices.getTokenBySession(activeSessionId, deviceId);
     } catch (tokenError) {
-      const errorMessage = tokenError instanceof Error ? tokenError.message : String(tokenError);
-      if (errorMessage.includes('AUTH_REQUIRED_OFFLINE_SESSION') || errorMessage.includes('offline')) {
-        if (syncIdentity) {
-          try {
-            await syncIdentity();
-            await oxyServices.getTokenBySession(activeSessionId, deviceId);
-          } catch (syncError) {
-            throw new Error('Session needs to be synced. Please try again.');
-          }
-        } else {
-          throw tokenError;
-        }
-      } else {
-        throw tokenError;
-      }
+      throw tokenError;
     }
   }
 
@@ -120,24 +105,7 @@ export async function updateProfileWithAvatar(
     
     // Handle authentication errors
       if (status === 401 || errorMessage.includes('Authentication required') || errorMessage.includes('Invalid or missing authorization header')) {
-        if (activeSessionId && syncIdentity) {
-          try {
-            await syncIdentity();
-            await oxyServices.getTokenBySession(activeSessionId, deviceId);
-            // Retry the update after getting token
-            return await updateProfileWithAvatar(
-              updates,
-              oxyServices,
-              activeSessionId,
-              queryClient,
-              { syncIdentity, deviceId }
-            );
-          } catch (retryError) {
-            throw new Error('Authentication failed. Please sign in again.');
-          }
-        } else {
-        throw new Error('No active session. Please sign in.');
-      }
+        throw new Error('Authentication failed. Please sign in again.');
     }
     
     throw error;