@oxyhq/services 5.20.1 → 5.20.3

package/src/core/mixins/OxyServices.popup.ts

@@ -111,6 +111,25 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
         this.httpService.setTokens((session as any).accessToken);
       }
 
+      // Fetch user data using the session ID
+      // The callback page only sends sessionId/accessToken, not user data
+      if (session && session.sessionId && !session.user) {
+        try {
+          const userData = await this.makeRequest<any>(
+            'GET',
+            `/api/session/user/${session.sessionId}`,
+            undefined,
+            { cache: false }
+          );
+          if (userData) {
+            (session as any).user = userData;
+          }
+        } catch (userError) {
+          console.warn('[PopupAuth] Failed to fetch user data:', userError);
+          // Continue without user data - caller can fetch separately
+        }
+      }
+
       return session;
     } catch (error) {
       throw error;
@@ -238,8 +257,21 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       }, timeout);
 
       const messageHandler = (event: MessageEvent) => {
+        const authUrl = (this.constructor as any).AUTH_URL;
+
+        // Log all messages for debugging
+        if (event.data && typeof event.data === 'object' && event.data.type) {
+          console.log('[PopupAuth] Message received:', {
+            origin: event.origin,
+            expectedOrigin: authUrl,
+            type: event.data.type,
+            hasSession: !!event.data.session,
+            hasError: !!event.data.error,
+          });
+        }
+
         // CRITICAL: Verify origin to prevent XSS attacks
-        if (event.origin !== (this.constructor as any).AUTH_URL) {
+        if (event.origin !== authUrl) {
           return;
         }
 
@@ -249,9 +281,12 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
           return;
         }
 
+        console.log('[PopupAuth] Valid auth response:', { state, expectedState, hasSession: !!session, error });
+
         // Verify state parameter to prevent CSRF attacks
         if (state !== expectedState) {
           cleanup();
+          console.error('[PopupAuth] State mismatch');
           reject(new OxyAuthenticationError('Invalid state parameter. Possible CSRF attack.'));
           return;
         }
@@ -259,10 +294,13 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
         cleanup();
 
         if (error) {
+          console.error('[PopupAuth] Auth error:', error);
           reject(new OxyAuthenticationError(error));
         } else if (session) {
+          console.log('[PopupAuth] Session received successfully');
           resolve(session);
         } else {
+          console.error('[PopupAuth] No session in response');
           reject(new OxyAuthenticationError('No session received from authentication server'));
         }
       };

package/src/ui/context/OxyContext.tsx

@@ -55,6 +55,18 @@ export interface OxyContextState {
   // Authentication
   signIn: (publicKey: string, deviceName?: string) => Promise<User>;
 
+  /**
+   * Handle session from popup authentication
+   * Updates auth state, persists session to storage
+   */
+  handlePopupSession: (session: {
+    sessionId: string;
+    accessToken?: string;
+    expiresAt?: string;
+    user: User;
+    deviceId?: string;
+  }) => Promise<void>;
+
   // Session management
   logout: (targetSessionId?: string) => Promise<void>;
   logoutAll: () => Promise<void>;
@@ -414,11 +426,19 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   }, [restoreSessionsFromStorage, storage]);
 
   // Web SSO: Automatically check for cross-domain session on web platforms
+  // Also used for popup auth - updates all state and persists session
   const handleWebSSOSession = useCallback(async (session: any) => {
     if (!session?.user || !session?.sessionId) {
+      if (__DEV__) {
+        loggerUtil.warn('handleWebSSOSession called with invalid session', { component: 'OxyContext' }, { session });
+      }
       return;
     }
 
+    if (__DEV__) {
+      loggerUtil.debug('handleWebSSOSession: Updating auth state', { component: 'OxyContext' }, { sessionId: session.sessionId, userId: session.user?.id });
+    }
+
     // Update sessions state
     const clientSession = {
       sessionId: session.sessionId,
@@ -443,6 +463,9 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
         sessionIds.push(session.sessionId);
         await storage.setItem(storageKeys.sessionIds, JSON.stringify(sessionIds));
       }
+      if (__DEV__) {
+        loggerUtil.debug('handleWebSSOSession: Session persisted to storage', { component: 'OxyContext' });
+      }
     }
   }, [updateSessions, setActiveSessionId, loginSuccess, onAuthStateChange, storage, storageKeys]);
 
@@ -571,6 +594,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     hasIdentity,
     getPublicKey,
     signIn,
+    handlePopupSession: handleWebSSOSession,
     logout,
     logoutAll,
     switchSession: switchSessionForContext,
@@ -589,6 +613,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   }), [
     activeSessionId,
     signIn,
+    handleWebSSOSession,
     currentLanguage,
     currentLanguageMetadata,
     currentLanguageName,

package/src/ui/hooks/useAuth.ts

@@ -91,6 +91,7 @@ export function useAuth(): UseAuthReturn {
     isTokenReady,
     error,
     signIn: oxySignIn,
+    handlePopupSession,
     logout,
     logoutAll,
     refreshSessions,
@@ -106,31 +107,25 @@ export function useAuth(): UseAuthReturn {
     const isIdentityProvider = isWebBrowser() &&
       window.location.hostname === 'auth.oxy.so';
 
-    // Web (not on IdP): Use FedCM or popup-based authentication
+    // Web (not on IdP): Use popup-based authentication
+    // We skip FedCM here because:
+    // 1. Silent FedCM already ran on page load (via useWebSSO)
+    // 2. If user is clicking "Sign In", they need interactive auth
+    // 3. Doing FedCM first loses the "user gesture" needed for popups
     if (isWebBrowser() && !publicKey && !isIdentityProvider) {
       try {
-        // Try FedCM first (instant if user already signed in)
-        if ((oxyServices as any).isFedCMSupported?.()) {
-          const fedcmSession = await (oxyServices as any).signInWithFedCM?.();
-          if (fedcmSession?.user) {
-            return fedcmSession.user;
-          }
-        }
-
-        // Fallback to popup (opens auth.oxy.so in popup window)
         const popupSession = await (oxyServices as any).signInWithPopup?.();
         if (popupSession?.user) {
+          // Update context state with the session (this updates user, sessions, storage)
+          await handlePopupSession(popupSession);
           return popupSession.user;
         }
-
-        throw new Error('Sign-in failed');
-      } catch (error) {
-        // If popup blocked or FedCM failed, suggest redirect
-        throw new Error(
-          error instanceof Error && error.message.includes('blocked')
-            ? 'Popup blocked. Please allow popups or try again.'
-            : 'Sign-in failed. Please try again.'
-        );
+        throw new Error('Sign-in failed. Please try again.');
+      } catch (popupError) {
+        if (popupError instanceof Error && popupError.message.includes('blocked')) {
+          throw new Error('Popup blocked. Please allow popups for this site.');
+        }
+        throw popupError;
       }
     }
 
@@ -169,7 +164,7 @@ export function useAuth(): UseAuthReturn {
     }
 
     throw new Error('No authentication method available');
-  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices]);
+  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices, handlePopupSession]);
 
   const signOut = useCallback(async (): Promise<void> => {
     await logout();