@oxyhq/services 5.8.11 → 5.9.1

package/lib/module/core/index.js

@@ -23,7 +23,6 @@ export { DeviceManager } from '../utils/deviceManager';
 export class OxyServices {
   accessToken = null;
   refreshToken = null;
-  refreshPromise = null;
 
   /**
    * Creates a new instance of the OxyServices client
@@ -39,14 +38,25 @@ export class OxyServices {
     this.client.interceptors.request.use(async req => {
       if (!this.accessToken) {
         return req;
-      } // Check if token is expired and refresh if needed
+      }
+
+      // Check if token is expired and refresh if needed
       try {
         const decoded = jwtDecode(this.accessToken);
         const currentTime = Math.floor(Date.now() / 1000);
 
         // If token expires in less than 60 seconds, refresh it
         if (decoded.exp - currentTime < 60) {
-          await this.refreshTokens();
+          // For session-based tokens, get a new token from the session
+          if (decoded.sessionId) {
+            try {
+              const res = await this.client.get(`/secure-session/token/${decoded.sessionId}`);
+              this.accessToken = res.data.accessToken;
+            } catch (refreshError) {
+              // If refresh fails, clear tokens
+              this.clearTokens();
+            }
+          }
         }
       } catch (error) {
         // If token can't be decoded, continue with request and let server handle it
@@ -61,18 +71,24 @@ export class OxyServices {
     this.client.interceptors.response.use(response => response, async error => {
       const originalRequest = error.config;
       // If the error is due to an expired token and we haven't tried refreshing yet
-      if (error.response?.status === 401 && this.refreshToken && originalRequest && !originalRequest.headers?.['X-Retry-After-Refresh']) {
+      if (error.response?.status === 401 && this.accessToken && originalRequest && !originalRequest.headers?.['X-Retry-After-Refresh']) {
         try {
-          await this.refreshTokens();
-          // Retry the original request with new token
-          const newRequest = {
-            ...originalRequest
-          };
-          if (newRequest.headers) {
-            newRequest.headers.Authorization = `Bearer ${this.accessToken}`;
-            newRequest.headers['X-Retry-After-Refresh'] = 'true';
+          // Check if token is session-based and try to refresh
+          const decoded = jwtDecode(this.accessToken);
+          if (decoded.sessionId) {
+            const res = await this.client.get(`/secure-session/token/${decoded.sessionId}`);
+            this.accessToken = res.data.accessToken;
+
+            // Retry the original request with new token
+            const newRequest = {
+              ...originalRequest
+            };
+            if (newRequest.headers) {
+              newRequest.headers.Authorization = `Bearer ${this.accessToken}`;
+              newRequest.headers['X-Retry-After-Refresh'] = 'true';
+            }
+            return this.client(newRequest);
           }
-          return this.client(newRequest);
         } catch (refreshError) {
           // If refresh fails, force user to login again
           this.clearTokens();
@@ -105,43 +121,17 @@ export class OxyServices {
   }
 
   /**
-   * Gets the currently authenticated user ID from the token
-   * @returns The user ID or null if not authenticated
+   * Set authentication tokens manually
+   * @param accessToken - The access token
+   * @param refreshToken - The refresh token (optional for session-based auth)
    */
-  getCurrentUserId() {
-    if (!this.accessToken) return null;
-    try {
-      const decoded = jwtDecode(this.accessToken);
-
-      // Check for both userId (preferred) and id (fallback) for compatibility
-      return decoded.userId || decoded.id || null;
-    } catch (error) {
-      return null;
-    }
-  }
-
-  /**
-   * Internal method to check if we have an access token
-   * @private
-   * @returns Boolean indicating if access token exists
-   * @internal - Use `isAuthenticated` from useOxy() context in UI components instead
-   */
-  hasAccessToken() {
-    return this.accessToken !== null;
-  }
-
-  /**
-   * Sets authentication tokens directly (useful for initializing from storage)
-   * @param accessToken - JWT access token
-   * @param refreshToken - Refresh token for getting new access tokens
-   */
-  setTokens(accessToken, refreshToken) {
+  setTokens(accessToken, refreshToken = '') {
     this.accessToken = accessToken;
     this.refreshToken = refreshToken;
   }
 
   /**
-   * Clears all authentication tokens
+   * Clear stored authentication tokens
    */
   clearTokens() {
     this.accessToken = null;
@@ -149,120 +139,27 @@ export class OxyServices {
   }
 
   /**
-   * Sign up a new user
-   * @param username - Desired username
-   * @param email - User's email address
-   * @param password - User's password
-   * @returns Object containing the message, token and user data
-   */
-  async signUp(username, email, password) {
-    try {
-      const res = await this.client.post('/auth/signup', {
-        username,
-        email,
-        password
-      });
-      const {
-        message,
-        token,
-        user
-      } = res.data;
-      this.accessToken = token;
-      return {
-        message,
-        token,
-        user
-      };
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Log in and store tokens
-   * @param username - User's username or email
-   * @param password - User's password
-   * @returns Login response containing tokens and user data
+   * Get the current user ID from the stored token
+   * @returns User ID or null if not authenticated
    */
-  async login(username, password) {
-    try {
-      const res = await this.client.post('/auth/login', {
-        username,
-        password
-      });
-      const {
-        accessToken,
-        refreshToken,
-        user
-      } = res.data;
-      this.accessToken = accessToken;
-      this.refreshToken = refreshToken;
-      return {
-        accessToken,
-        refreshToken,
-        user
-      };
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Log out user
-   */
-  async logout() {
-    if (!this.refreshToken) return;
+  getCurrentUserId() {
+    if (!this.accessToken) return null;
     try {
-      await this.client.post('/auth/logout', {
-        refreshToken: this.refreshToken
-      });
+      const decoded = jwtDecode(this.accessToken);
+      return decoded.userId || decoded.id || null;
     } catch (error) {
-      console.warn('Error during logout', error);
-    } finally {
-      this.accessToken = null;
-      this.refreshToken = null;
+      return null;
     }
   }
 
   /**
-   * Refresh access and refresh tokens
-   * @returns New tokens
+   * Internal method to check if we have an access token
+   * @private
+   * @returns Boolean indicating if access token exists
+   * @internal - Use `isAuthenticated` from useOxy() context in UI components instead
    */
-  async refreshTokens() {
-    if (!this.refreshToken) {
-      throw new Error('No refresh token available');
-    }
-
-    // If a refresh is already in progress, return that promise
-    if (this.refreshPromise) {
-      return this.refreshPromise;
-    }
-
-    // Create a new refresh promise
-    this.refreshPromise = (async () => {
-      try {
-        const res = await this.client.post('/auth/refresh', {
-          refreshToken: this.refreshToken
-        });
-        const {
-          accessToken,
-          refreshToken
-        } = res.data;
-        this.accessToken = accessToken;
-        this.refreshToken = refreshToken;
-        return {
-          accessToken,
-          refreshToken
-        };
-      } catch (error) {
-        this.accessToken = null;
-        this.refreshToken = null;
-        throw this.handleError(error);
-      } finally {
-        this.refreshPromise = null;
-      }
-    })();
-    return this.refreshPromise;
+  hasAccessToken() {
+    return this.accessToken !== null;
   }
 
   /**
@@ -271,6 +168,22 @@ export class OxyServices {
    */
   async validate() {
     try {
+      // Check if token contains sessionId (new session-based system)
+      if (this.accessToken) {
+        try {
+          const decoded = jwtDecode(this.accessToken);
+          if (decoded.sessionId) {
+            // Use session-based validation
+            const res = await this.client.get(`/secure-session/validate/${decoded.sessionId}`);
+            return res.data.valid;
+          }
+        } catch (decodeError) {
+          // If token can't be decoded, fall back to old validation
+          console.warn('Error decoding JWT token for session validation:', decodeError);
+        }
+      }
+
+      // Fall back to old validation method
       const res = await this.client.get('/auth/validate');
       return res.data.valid;
     } catch (error) {
@@ -280,59 +193,6 @@ export class OxyServices {
 
   /* Session Management Methods */
 
-  /**
-   * Get active sessions for the authenticated user
-   * @returns Array of active session objects
-   */
-  async getUserSessions() {
-    try {
-      const res = await this.client.get('/sessions');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from a specific session
-   * @param sessionId - The session ID to logout from
-   * @returns Success status
-   */
-  async logoutSession(sessionId) {
-    try {
-      const res = await this.client.delete(`/sessions/${sessionId}`);
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from all other sessions (keep current session active)
-   * @returns Success status
-   */
-  async logoutOtherSessions() {
-    try {
-      const res = await this.client.post('/sessions/logout-others');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from all sessions
-   * @returns Success status
-   */
-  async logoutAllSessions() {
-    try {
-      const res = await this.client.post('/sessions/logout-all');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
   /**
    * Get device sessions for a specific session ID
    * @param sessionId - The session ID to get device sessions for
@@ -1157,12 +1017,47 @@ export class OxyServices {
   }
 
   /**
-   * Secure login that returns only session data (no tokens stored locally)
+   * Sign up a new user and create a session
+   * @param username - Desired username
+   * @param email - User's email address
+   * @param password - User's password
+   * @returns Object containing the message, token and user data
+   */
+  async signUp(username, email, password) {
+    try {
+      // First, create the user account
+      const res = await this.client.post('/secure-session/register', {
+        username,
+        email,
+        password
+      });
+      const {
+        message,
+        user
+      } = res.data;
+
+      // Then log them in to create a session
+      const loginRes = await this.secureLogin(username, password);
+
+      // Get the access token for the session
+      const tokenRes = await this.getTokenBySession(loginRes.sessionId);
+      return {
+        message,
+        token: tokenRes.accessToken,
+        user: loginRes.user
+      };
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Secure login that creates a device-based session
    * @param username - User's username or email
    * @param password - User's password
-   * @param deviceName - Optional device name for session tracking
-   * @param deviceFingerprint - Device fingerprint for enhanced security
-   * @returns Secure login response with session data
+   * @param deviceName - Optional device name
+   * @param deviceFingerprint - Optional device fingerprint
+   * @returns Login response with session data
    */
   async secureLogin(username, password, deviceName, deviceFingerprint) {
     try {
@@ -1340,122 +1235,47 @@ export class OxyServices {
   }
 
   /**
-   * Utility method to help implement authentication middleware in Express.js applications
-   * This creates a function that can be used as Express middleware to validate tokens
-   * @param options - Configuration options for the middleware
+   * Create authentication middleware for Express.js applications
+   * This is the recommended way to protect routes in server applications
    * @returns Express middleware function
    */
-  createAuthenticateTokenMiddleware(options = {}) {
-    const {
-      loadFullUser = true,
-      onError
-    } = options;
+  createAuthMiddleware() {
     return async (req, res, next) => {
       try {
-        const authHeader = req.headers['authorization'];
-        const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
-
-        if (!token) {
-          const error = {
-            message: 'Access token required',
-            code: 'MISSING_TOKEN',
-            status: 401
-          };
-          if (onError) {
-            return onError(error);
-          }
+        const authHeader = req.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ')) {
           return res.status(401).json({
-            message: 'Access token required',
-            code: 'MISSING_TOKEN'
-          });
-        }
-
-        // Create a temporary OxyServices instance with the token to validate it
-        const tempOxyServices = new OxyServices({
-          baseURL: this.client.defaults.baseURL || ''
-        });
-        tempOxyServices.setTokens(token, ''); // Set access token
-
-        // Validate token using the validate method
-        const isValid = await tempOxyServices.validate();
-        if (!isValid) {
-          const error = {
-            message: 'Invalid or expired token',
-            code: 'INVALID_TOKEN',
-            status: 403
-          };
-          if (onError) {
-            return onError(error);
-          }
-          return res.status(403).json({
-            message: 'Invalid or expired token',
-            code: 'INVALID_TOKEN'
+            error: 'Authentication required',
+            message: 'Invalid or missing authorization header'
           });
         }
+        const token = authHeader.split(' ')[1];
 
-        // Get user ID from token using JWT decode instead of relying on getCurrentUserId
-        let userId = null;
-        try {
-          const decoded = jwtDecode(token);
-          userId = decoded.userId || decoded.id;
-        } catch (decodeError) {
-          const error = {
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD',
-            status: 403
-          };
-          if (onError) {
-            return onError(error);
-          }
-          return res.status(403).json({
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD'
-          });
-        }
-        if (!userId) {
-          const error = {
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD',
-            status: 403
-          };
-          if (onError) {
-            return onError(error);
-          }
-          return res.status(403).json({
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD'
+        // Use the authenticateToken method
+        const result = await this.authenticateToken(token);
+        if (!result.valid) {
+          return res.status(401).json({
+            error: 'Invalid token',
+            message: result.error || 'The provided authentication token is invalid'
           });
         }
 
         // Set user information on request object
-        req.userId = userId;
+        req.userId = result.userId || undefined;
         req.accessToken = token;
-
-        // Optionally load full user data
-        if (loadFullUser) {
-          try {
-            const userProfile = await tempOxyServices.getUserById(userId);
-            req.user = userProfile;
-          } catch (userError) {
-            // If we can't load user, continue with just ID
-            req.user = {
-              id: userId
-            };
-          }
-        } else {
+        if (result.user) {
+          req.user = result.user;
+        } else if (result.userId) {
           req.user = {
-            id: userId
+            id: result.userId
           };
         }
         next();
       } catch (error) {
-        const apiError = this.handleError(error);
-        if (onError) {
-          return onError(apiError);
-        }
-        return res.status(apiError.status || 500).json({
-          message: apiError.message,
-          code: apiError.code
+        console.error('Auth middleware error:', error);
+        return res.status(500).json({
+          error: 'Server error',
+          message: 'An error occurred while authenticating your request'
         });
       }
     };
@@ -1476,54 +1296,71 @@ export class OxyServices {
         };
       }
 
-      // Create a temporary OxyServices instance with the token
-      const tempOxyServices = new OxyServices({
-        baseURL: this.client.defaults.baseURL || ''
-      });
-      tempOxyServices.setTokens(token, '');
-
-      // Validate token
-      const isValid = await tempOxyServices.validate();
-      if (!isValid) {
-        return {
-          valid: false,
-          error: 'Invalid or expired token'
-        };
-      }
-
-      // Get user ID from token using JWT decode
-      let userId = null;
+      // Check if token contains sessionId (new session-based system)
       try {
         const decoded = jwtDecode(token);
-        userId = decoded.userId || decoded.id;
+        const userId = decoded.userId || decoded.id;
+        if (decoded.sessionId) {
+          // Use session-based validation
+          const tempOxyServices = new OxyServices({
+            baseURL: this.client.defaults.baseURL || ''
+          });
+          tempOxyServices.setTokens(token, '');
+          const validation = await tempOxyServices.validateSession(decoded.sessionId);
+          if (validation.valid) {
+            return {
+              valid: true,
+              userId,
+              user: validation.user
+            };
+          } else {
+            return {
+              valid: false,
+              error: 'Invalid or expired session'
+            };
+          }
+        } else {
+          // Use old validation method
+          const tempOxyServices = new OxyServices({
+            baseURL: this.client.defaults.baseURL || ''
+          });
+          tempOxyServices.setTokens(token, '');
+          const isValid = await tempOxyServices.validate();
+          if (!isValid) {
+            return {
+              valid: false,
+              error: 'Invalid or expired token'
+            };
+          }
+          if (!userId) {
+            return {
+              valid: false,
+              error: 'Invalid token payload'
+            };
+          }
+
+          // Try to get user profile
+          let user;
+          try {
+            user = await tempOxyServices.getUserById(userId);
+          } catch (error) {
+            // Continue without full user data
+            user = {
+              id: userId
+            };
+          }
+          return {
+            valid: true,
+            userId,
+            user
+          };
+        }
       } catch (decodeError) {
         return {
           valid: false,
           error: 'Invalid token payload'
         };
       }
-      if (!userId) {
-        return {
-          valid: false,
-          error: 'Invalid token payload'
-        };
-      }
-
-      // Try to get user profile
-      let user;
-      try {
-        user = await tempOxyServices.getUserById(userId);
-      } catch (error) {
-        // Continue without full user data
-        user = {
-          id: userId
-        };
-      }
-      return {
-        valid: true,
-        userId,
-        user
-      };
     } catch (error) {
       return {
         valid: false,
@@ -1858,6 +1695,14 @@ export default OxyServices;
 // Re-export all models and types for convenience
 export * from '../models/interfaces';
 export * from '../models/secureSession';
+
+// Clean middleware exports - these will be available for server-side use
+// Note: These require Express.js and are only for server-side applications
+
+// Export a simple function to create auth middleware
+export const createAuthMiddleware = oxyServices => {
+  return oxyServices.createAuthMiddleware();
+};
 if (typeof FormData === 'undefined') {
   console.warn('[OxyHQ/Services] FormData is not available. If you are using Hermes, add "import \'react-native-url-polyfill/auto\'" at the top of your app entry file.');
 }