npm - @oxyhq/services - Versions diffs - 5.19.0 → 5.20.1 - Mend

@oxyhq/services 5.19.0 → 5.20.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/src/ui/hooks/useAuth.ts CHANGED Viewed

@@ -101,8 +101,13 @@ export function useAuth(): UseAuthReturn {
   } = useOxy();
   const signIn = useCallback(async (publicKey?: string): Promise<User> => {
-    // Web: Use popup-based authentication
-    if (isWebBrowser() && !publicKey) {
+    // Check if we're on the identity provider itself (auth.oxy.so)
+    // Only auth.oxy.so has local login forms - accounts.oxy.so is a client app
+    const isIdentityProvider = isWebBrowser() &&
+      window.location.hostname === 'auth.oxy.so';
+    // Web (not on IdP): Use FedCM or popup-based authentication
+    if (isWebBrowser() && !publicKey && !isIdentityProvider) {
       try {
         // Try FedCM first (instant if user already signed in)
         if ((oxyServices as any).isFedCMSupported?.()) {
@@ -145,13 +150,25 @@ export function useAuth(): UseAuthReturn {
       }
     }
-    // No identity - show auth UI (native bottom sheet)
-    showBottomSheet?.('OxyAuth');
+    // No identity - show auth UI
+    if (showBottomSheet) {
+      showBottomSheet('OxyAuth');
+      // Return a promise that resolves when auth completes
+      return new Promise((_, reject) => {
+        reject(new Error('Please complete sign-in in the auth sheet'));
+      });
+    }
+    // Web fallback: navigate to login page on auth domain
+    if (isWebBrowser()) {
+      const loginUrl = window.location.hostname.includes('oxy.so')
+        ? '/login'
+        : 'https://accounts.oxy.so/login';
+      window.location.href = loginUrl;
+      return new Promise(() => {}); // Never resolves, page will redirect
+    }
-    // Return a promise that resolves when auth completes
-    return new Promise((_, reject) => {
-      reject(new Error('Please complete sign-in in the auth sheet'));
-    });
+    throw new Error('No authentication method available');
   }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices]);
   const signOut = useCallback(async (): Promise<void> => {

package/src/ui/hooks/useWebSSO.ts CHANGED Viewed

@@ -45,6 +45,16 @@ function isWebBrowser(): boolean {
          typeof document.documentElement !== 'undefined';
 }
+/**
+ * Check if we're on the identity provider domain (where FedCM would authenticate against itself)
+ * Only auth.oxy.so is the IdP - accounts.oxy.so is a client app like any other
+ */
+function isIdentityProvider(): boolean {
+  if (!isWebBrowser()) return false;
+  const hostname = window.location.hostname;
+  return hostname === 'auth.oxy.so';
+}
 /**
  * Hook for automatic cross-domain web SSO
  *
@@ -79,6 +89,12 @@ export function useWebSSO({
       return null;
     }
+    // Don't use FedCM on the auth domain itself - it would authenticate against itself
+    if (isIdentityProvider()) {
+      onSSOUnavailable?.();
+      return null;
+    }
     // FedCM is the only reliable cross-domain SSO mechanism
     // Third-party cookies are deprecated and unreliable
     if (!fedCMSupported) {
@@ -111,9 +127,12 @@ export function useWebSSO({
     }
   }, [oxyServices, onSessionFound, onSSOUnavailable, onError, fedCMSupported]);
-  // Auto-check SSO on mount (web only, FedCM only)
+  // Auto-check SSO on mount (web only, FedCM only, not on auth domain)
   useEffect(() => {
-    if (!enabled || !isWebBrowser() || hasCheckedRef.current) {
+    if (!enabled || !isWebBrowser() || hasCheckedRef.current || isIdentityProvider()) {
+      if (isIdentityProvider()) {
+        onSSOUnavailable?.();
+      }
       return;
     }