@oxyhq/services 5.8.10 → 5.9.0

package/lib/module/core/index.js

@@ -23,7 +23,6 @@ export { DeviceManager } from '../utils/deviceManager';
 export class OxyServices {
   accessToken = null;
   refreshToken = null;
-  refreshPromise = null;
 
   /**
    * Creates a new instance of the OxyServices client
@@ -39,14 +38,25 @@ export class OxyServices {
     this.client.interceptors.request.use(async req => {
       if (!this.accessToken) {
         return req;
-      } // Check if token is expired and refresh if needed
+      }
+
+      // Check if token is expired and refresh if needed
       try {
         const decoded = jwtDecode(this.accessToken);
         const currentTime = Math.floor(Date.now() / 1000);
 
         // If token expires in less than 60 seconds, refresh it
         if (decoded.exp - currentTime < 60) {
-          await this.refreshTokens();
+          // For session-based tokens, get a new token from the session
+          if (decoded.sessionId) {
+            try {
+              const res = await this.client.get(`/secure-session/token/${decoded.sessionId}`);
+              this.accessToken = res.data.accessToken;
+            } catch (refreshError) {
+              // If refresh fails, clear tokens
+              this.clearTokens();
+            }
+          }
         }
       } catch (error) {
         // If token can't be decoded, continue with request and let server handle it
@@ -61,18 +71,24 @@ export class OxyServices {
     this.client.interceptors.response.use(response => response, async error => {
       const originalRequest = error.config;
       // If the error is due to an expired token and we haven't tried refreshing yet
-      if (error.response?.status === 401 && this.refreshToken && originalRequest && !originalRequest.headers?.['X-Retry-After-Refresh']) {
+      if (error.response?.status === 401 && this.accessToken && originalRequest && !originalRequest.headers?.['X-Retry-After-Refresh']) {
         try {
-          await this.refreshTokens();
-          // Retry the original request with new token
-          const newRequest = {
-            ...originalRequest
-          };
-          if (newRequest.headers) {
-            newRequest.headers.Authorization = `Bearer ${this.accessToken}`;
-            newRequest.headers['X-Retry-After-Refresh'] = 'true';
+          // Check if token is session-based and try to refresh
+          const decoded = jwtDecode(this.accessToken);
+          if (decoded.sessionId) {
+            const res = await this.client.get(`/secure-session/token/${decoded.sessionId}`);
+            this.accessToken = res.data.accessToken;
+
+            // Retry the original request with new token
+            const newRequest = {
+              ...originalRequest
+            };
+            if (newRequest.headers) {
+              newRequest.headers.Authorization = `Bearer ${this.accessToken}`;
+              newRequest.headers['X-Retry-After-Refresh'] = 'true';
+            }
+            return this.client(newRequest);
           }
-          return this.client(newRequest);
         } catch (refreshError) {
           // If refresh fails, force user to login again
           this.clearTokens();
@@ -105,43 +121,17 @@ export class OxyServices {
   }
 
   /**
-   * Gets the currently authenticated user ID from the token
-   * @returns The user ID or null if not authenticated
-   */
-  getCurrentUserId() {
-    if (!this.accessToken) return null;
-    try {
-      const decoded = jwtDecode(this.accessToken);
-
-      // Check for both userId (preferred) and id (fallback) for compatibility
-      return decoded.userId || decoded.id || null;
-    } catch (error) {
-      return null;
-    }
-  }
-
-  /**
-   * Internal method to check if we have an access token
-   * @private
-   * @returns Boolean indicating if access token exists
-   * @internal - Use `isAuthenticated` from useOxy() context in UI components instead
+   * Set authentication tokens manually
+   * @param accessToken - The access token
+   * @param refreshToken - The refresh token (optional for session-based auth)
    */
-  hasAccessToken() {
-    return this.accessToken !== null;
-  }
-
-  /**
-   * Sets authentication tokens directly (useful for initializing from storage)
-   * @param accessToken - JWT access token
-   * @param refreshToken - Refresh token for getting new access tokens
-   */
-  setTokens(accessToken, refreshToken) {
+  setTokens(accessToken, refreshToken = '') {
     this.accessToken = accessToken;
     this.refreshToken = refreshToken;
   }
 
   /**
-   * Clears all authentication tokens
+   * Clear stored authentication tokens
    */
   clearTokens() {
     this.accessToken = null;
@@ -149,120 +139,27 @@ export class OxyServices {
   }
 
   /**
-   * Sign up a new user
-   * @param username - Desired username
-   * @param email - User's email address
-   * @param password - User's password
-   * @returns Object containing the message, token and user data
-   */
-  async signUp(username, email, password) {
-    try {
-      const res = await this.client.post('/auth/signup', {
-        username,
-        email,
-        password
-      });
-      const {
-        message,
-        token,
-        user
-      } = res.data;
-      this.accessToken = token;
-      return {
-        message,
-        token,
-        user
-      };
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Log in and store tokens
-   * @param username - User's username or email
-   * @param password - User's password
-   * @returns Login response containing tokens and user data
-   */
-  async login(username, password) {
-    try {
-      const res = await this.client.post('/auth/login', {
-        username,
-        password
-      });
-      const {
-        accessToken,
-        refreshToken,
-        user
-      } = res.data;
-      this.accessToken = accessToken;
-      this.refreshToken = refreshToken;
-      return {
-        accessToken,
-        refreshToken,
-        user
-      };
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Log out user
+   * Get the current user ID from the stored token
+   * @returns User ID or null if not authenticated
    */
-  async logout() {
-    if (!this.refreshToken) return;
+  getCurrentUserId() {
+    if (!this.accessToken) return null;
     try {
-      await this.client.post('/auth/logout', {
-        refreshToken: this.refreshToken
-      });
+      const decoded = jwtDecode(this.accessToken);
+      return decoded.userId || decoded.id || null;
     } catch (error) {
-      console.warn('Error during logout', error);
-    } finally {
-      this.accessToken = null;
-      this.refreshToken = null;
+      return null;
     }
   }
 
   /**
-   * Refresh access and refresh tokens
-   * @returns New tokens
+   * Internal method to check if we have an access token
+   * @private
+   * @returns Boolean indicating if access token exists
+   * @internal - Use `isAuthenticated` from useOxy() context in UI components instead
    */
-  async refreshTokens() {
-    if (!this.refreshToken) {
-      throw new Error('No refresh token available');
-    }
-
-    // If a refresh is already in progress, return that promise
-    if (this.refreshPromise) {
-      return this.refreshPromise;
-    }
-
-    // Create a new refresh promise
-    this.refreshPromise = (async () => {
-      try {
-        const res = await this.client.post('/auth/refresh', {
-          refreshToken: this.refreshToken
-        });
-        const {
-          accessToken,
-          refreshToken
-        } = res.data;
-        this.accessToken = accessToken;
-        this.refreshToken = refreshToken;
-        return {
-          accessToken,
-          refreshToken
-        };
-      } catch (error) {
-        this.accessToken = null;
-        this.refreshToken = null;
-        throw this.handleError(error);
-      } finally {
-        this.refreshPromise = null;
-      }
-    })();
-    return this.refreshPromise;
+  hasAccessToken() {
+    return this.accessToken !== null;
   }
 
   /**
@@ -271,6 +168,22 @@ export class OxyServices {
    */
   async validate() {
     try {
+      // Check if token contains sessionId (new session-based system)
+      if (this.accessToken) {
+        try {
+          const decoded = jwtDecode(this.accessToken);
+          if (decoded.sessionId) {
+            // Use session-based validation
+            const res = await this.client.get(`/secure-session/validate/${decoded.sessionId}`);
+            return res.data.valid;
+          }
+        } catch (decodeError) {
+          // If token can't be decoded, fall back to old validation
+          console.warn('Error decoding JWT token for session validation:', decodeError);
+        }
+      }
+
+      // Fall back to old validation method
       const res = await this.client.get('/auth/validate');
       return res.data.valid;
     } catch (error) {
@@ -280,59 +193,6 @@ export class OxyServices {
 
   /* Session Management Methods */
 
-  /**
-   * Get active sessions for the authenticated user
-   * @returns Array of active session objects
-   */
-  async getUserSessions() {
-    try {
-      const res = await this.client.get('/sessions');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from a specific session
-   * @param sessionId - The session ID to logout from
-   * @returns Success status
-   */
-  async logoutSession(sessionId) {
-    try {
-      const res = await this.client.delete(`/sessions/${sessionId}`);
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from all other sessions (keep current session active)
-   * @returns Success status
-   */
-  async logoutOtherSessions() {
-    try {
-      const res = await this.client.post('/sessions/logout-others');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from all sessions
-   * @returns Success status
-   */
-  async logoutAllSessions() {
-    try {
-      const res = await this.client.post('/sessions/logout-all');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
   /**
    * Get device sessions for a specific session ID
    * @param sessionId - The session ID to get device sessions for
@@ -1157,12 +1017,47 @@ export class OxyServices {
   }
 
   /**
-   * Secure login that returns only session data (no tokens stored locally)
+   * Sign up a new user and create a session
+   * @param username - Desired username
+   * @param email - User's email address
+   * @param password - User's password
+   * @returns Object containing the message, token and user data
+   */
+  async signUp(username, email, password) {
+    try {
+      // First, create the user account
+      const res = await this.client.post('/secure-session/register', {
+        username,
+        email,
+        password
+      });
+      const {
+        message,
+        user
+      } = res.data;
+
+      // Then log them in to create a session
+      const loginRes = await this.secureLogin(username, password);
+
+      // Get the access token for the session
+      const tokenRes = await this.getTokenBySession(loginRes.sessionId);
+      return {
+        message,
+        token: tokenRes.accessToken,
+        user: loginRes.user
+      };
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Secure login that creates a device-based session
    * @param username - User's username or email
    * @param password - User's password
-   * @param deviceName - Optional device name for session tracking
-   * @param deviceFingerprint - Device fingerprint for enhanced security
-   * @returns Secure login response with session data
+   * @param deviceName - Optional device name
+   * @param deviceFingerprint - Optional device fingerprint
+   * @returns Login response with session data
    */
   async secureLogin(username, password, deviceName, deviceFingerprint) {
     try {
@@ -1370,34 +1265,42 @@ export class OxyServices {
           });
         }
 
-        // Create a temporary OxyServices instance with the token to validate it
-        const tempOxyServices = new OxyServices({
-          baseURL: this.client.defaults.baseURL || ''
-        });
-        tempOxyServices.setTokens(token, ''); // Set access token
-
-        // Validate token using the validate method
-        const isValid = await tempOxyServices.validate();
-        if (!isValid) {
-          const error = {
-            message: 'Invalid or expired token',
-            code: 'INVALID_TOKEN',
-            status: 403
-          };
-          if (onError) {
-            return onError(error);
-          }
-          return res.status(403).json({
-            message: 'Invalid or expired token',
-            code: 'INVALID_TOKEN'
-          });
-        }
-
-        // Get user ID from token using JWT decode instead of relying on getCurrentUserId
+        // Check if token contains sessionId (new session-based system)
+        let isValid = false;
         let userId = null;
         try {
           const decoded = jwtDecode(token);
           userId = decoded.userId || decoded.id;
+          if (decoded.sessionId) {
+            // Use session-based validation
+            const tempOxyServices = new OxyServices({
+              baseURL: this.client.defaults.baseURL || ''
+            });
+            tempOxyServices.setTokens(token, '');
+            const validation = await tempOxyServices.validateSession(decoded.sessionId);
+            isValid = validation.valid;
+            if (isValid && loadFullUser) {
+              req.user = validation.user;
+            }
+          } else {
+            // Use old validation method
+            const tempOxyServices = new OxyServices({
+              baseURL: this.client.defaults.baseURL || ''
+            });
+            tempOxyServices.setTokens(token, '');
+            isValid = await tempOxyServices.validate();
+            if (isValid && loadFullUser) {
+              try {
+                const userProfile = await tempOxyServices.getUserById(userId);
+                req.user = userProfile;
+              } catch (userError) {
+                // If we can't load user, continue with just ID
+                req.user = {
+                  id: userId
+                };
+              }
+            }
+          }
         } catch (decodeError) {
           const error = {
             message: 'Invalid token payload',
@@ -1412,6 +1315,20 @@ export class OxyServices {
             code: 'INVALID_PAYLOAD'
           });
         }
+        if (!isValid) {
+          const error = {
+            message: 'Invalid or expired token',
+            code: 'INVALID_TOKEN',
+            status: 403
+          };
+          if (onError) {
+            return onError(error);
+          }
+          return res.status(403).json({
+            message: 'Invalid or expired token',
+            code: 'INVALID_TOKEN'
+          });
+        }
         if (!userId) {
           const error = {
             message: 'Invalid token payload',
@@ -1431,18 +1348,8 @@ export class OxyServices {
         req.userId = userId;
         req.accessToken = token;
 
-        // Optionally load full user data
-        if (loadFullUser) {
-          try {
-            const userProfile = await tempOxyServices.getUserById(userId);
-            req.user = userProfile;
-          } catch (userError) {
-            // If we can't load user, continue with just ID
-            req.user = {
-              id: userId
-            };
-          }
-        } else {
+        // Set user object if not already set by session validation
+        if (!req.user) {
           req.user = {
             id: userId
           };
@@ -1476,54 +1383,71 @@ export class OxyServices {
         };
       }
 
-      // Create a temporary OxyServices instance with the token
-      const tempOxyServices = new OxyServices({
-        baseURL: this.client.defaults.baseURL || ''
-      });
-      tempOxyServices.setTokens(token, '');
-
-      // Validate token
-      const isValid = await tempOxyServices.validate();
-      if (!isValid) {
-        return {
-          valid: false,
-          error: 'Invalid or expired token'
-        };
-      }
-
-      // Get user ID from token using JWT decode
-      let userId = null;
+      // Check if token contains sessionId (new session-based system)
       try {
         const decoded = jwtDecode(token);
-        userId = decoded.userId || decoded.id;
+        const userId = decoded.userId || decoded.id;
+        if (decoded.sessionId) {
+          // Use session-based validation
+          const tempOxyServices = new OxyServices({
+            baseURL: this.client.defaults.baseURL || ''
+          });
+          tempOxyServices.setTokens(token, '');
+          const validation = await tempOxyServices.validateSession(decoded.sessionId);
+          if (validation.valid) {
+            return {
+              valid: true,
+              userId,
+              user: validation.user
+            };
+          } else {
+            return {
+              valid: false,
+              error: 'Invalid or expired session'
+            };
+          }
+        } else {
+          // Use old validation method
+          const tempOxyServices = new OxyServices({
+            baseURL: this.client.defaults.baseURL || ''
+          });
+          tempOxyServices.setTokens(token, '');
+          const isValid = await tempOxyServices.validate();
+          if (!isValid) {
+            return {
+              valid: false,
+              error: 'Invalid or expired token'
+            };
+          }
+          if (!userId) {
+            return {
+              valid: false,
+              error: 'Invalid token payload'
+            };
+          }
+
+          // Try to get user profile
+          let user;
+          try {
+            user = await tempOxyServices.getUserById(userId);
+          } catch (error) {
+            // Continue without full user data
+            user = {
+              id: userId
+            };
+          }
+          return {
+            valid: true,
+            userId,
+            user
+          };
+        }
       } catch (decodeError) {
         return {
           valid: false,
           error: 'Invalid token payload'
         };
       }
-      if (!userId) {
-        return {
-          valid: false,
-          error: 'Invalid token payload'
-        };
-      }
-
-      // Try to get user profile
-      let user;
-      try {
-        user = await tempOxyServices.getUserById(userId);
-      } catch (error) {
-        // Continue without full user data
-        user = {
-          id: userId
-        };
-      }
-      return {
-        valid: true,
-        userId,
-        user
-      };
     } catch (error) {
       return {
         valid: false,