@oxyhq/services 5.8.11 → 5.9.1

package/src/core/index.ts

@@ -66,7 +66,6 @@ export class OxyServices {
   private client: AxiosInstance;
   private accessToken: string | null = null;
   private refreshToken: string | null = null;
-  private refreshPromise: Promise<{ accessToken: string; refreshToken: string }> | null = null;
 
   /**
    * Creates a new instance of the OxyServices client
@@ -82,14 +81,25 @@ export class OxyServices {
     this.client.interceptors.request.use(async (req: InternalAxiosRequestConfig) => {
       if (!this.accessToken) {
         return req;
-      }        // Check if token is expired and refresh if needed
-        try {
-          const decoded = jwtDecode<JwtPayload>(this.accessToken);
-          const currentTime = Math.floor(Date.now() / 1000);
-        
+      }
+      
+      // Check if token is expired and refresh if needed
+      try {
+        const decoded = jwtDecode<JwtPayload>(this.accessToken);
+        const currentTime = Math.floor(Date.now() / 1000);
+      
         // If token expires in less than 60 seconds, refresh it
         if (decoded.exp - currentTime < 60) {
-          await this.refreshTokens();
+          // For session-based tokens, get a new token from the session
+          if (decoded.sessionId) {
+            try {
+              const res = await this.client.get(`/secure-session/token/${decoded.sessionId}`);
+              this.accessToken = res.data.accessToken;
+            } catch (refreshError) {
+              // If refresh fails, clear tokens
+              this.clearTokens();
+            }
+          }
         }
       } catch (error) {
         // If token can't be decoded, continue with request and let server handle it
@@ -109,19 +119,25 @@ export class OxyServices {
         // If the error is due to an expired token and we haven't tried refreshing yet
         if (
           error.response?.status === 401 &&
-          this.refreshToken &&
+          this.accessToken &&
           originalRequest &&
           !originalRequest.headers?.['X-Retry-After-Refresh']
         ) {
           try {
-            await this.refreshTokens();
-            // Retry the original request with new token
-            const newRequest = { ...originalRequest };
-            if (newRequest.headers) {
-              newRequest.headers.Authorization = `Bearer ${this.accessToken}`;
-              newRequest.headers['X-Retry-After-Refresh'] = 'true';
+            // Check if token is session-based and try to refresh
+            const decoded = jwtDecode<JwtPayload>(this.accessToken);
+            if (decoded.sessionId) {
+              const res = await this.client.get(`/secure-session/token/${decoded.sessionId}`);
+              this.accessToken = res.data.accessToken;
+              
+              // Retry the original request with new token
+              const newRequest = { ...originalRequest };
+              if (newRequest.headers) {
+                newRequest.headers.Authorization = `Bearer ${this.accessToken}`;
+                newRequest.headers['X-Retry-After-Refresh'] = 'true';
+              }
+              return this.client(newRequest);
             }
-            return this.client(newRequest);
           } catch (refreshError) {
             // If refresh fails, force user to login again
             this.clearTokens();
@@ -156,44 +172,17 @@ export class OxyServices {
   }
 
   /**
-   * Gets the currently authenticated user ID from the token
-   * @returns The user ID or null if not authenticated
-   */
-  public getCurrentUserId(): string | null {
-    if (!this.accessToken) return null;
-    
-    try {
-      const decoded = jwtDecode<JwtPayload>(this.accessToken);
-      
-      // Check for both userId (preferred) and id (fallback) for compatibility
-      return decoded.userId || (decoded as any).id || null;
-    } catch (error) {
-      return null;
-    }
-  }
-  
-  /**
-   * Internal method to check if we have an access token
-   * @private
-   * @returns Boolean indicating if access token exists
-   * @internal - Use `isAuthenticated` from useOxy() context in UI components instead
-   */
-  private hasAccessToken(): boolean {
-    return this.accessToken !== null;
-  }
-
-  /**
-   * Sets authentication tokens directly (useful for initializing from storage)
-   * @param accessToken - JWT access token
-   * @param refreshToken - Refresh token for getting new access tokens
+   * Set authentication tokens manually
+   * @param accessToken - The access token
+   * @param refreshToken - The refresh token (optional for session-based auth)
    */
-  public setTokens(accessToken: string, refreshToken: string): void {
+  public setTokens(accessToken: string, refreshToken: string = ''): void {
     this.accessToken = accessToken;
     this.refreshToken = refreshToken;
   }
-  
+
   /**
-   * Clears all authentication tokens
+   * Clear stored authentication tokens
    */
   public clearTokens(): void {
     this.accessToken = null;
@@ -201,89 +190,28 @@ export class OxyServices {
   }
 
   /**
-   * Sign up a new user
-   * @param username - Desired username
-   * @param email - User's email address
-   * @param password - User's password
-   * @returns Object containing the message, token and user data
-   */
-  async signUp(username: string, email: string, password: string): Promise<{ message: string; token: string; user: User }> {
-    try {
-      const res = await this.client.post('/auth/signup', { username, email, password });
-      const { message, token, user } = res.data;
-      this.accessToken = token;
-      return { message, token, user };
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Log in and store tokens
-   * @param username - User's username or email
-   * @param password - User's password
-   * @returns Login response containing tokens and user data
-   */
-  async login(username: string, password: string): Promise<LoginResponse> {
-    try {
-      const res = await this.client.post('/auth/login', { username, password });
-      const { accessToken, refreshToken, user } = res.data;
-      this.accessToken = accessToken;
-      this.refreshToken = refreshToken;
-      return { accessToken, refreshToken, user };
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Log out user
+   * Get the current user ID from the stored token
+   * @returns User ID or null if not authenticated
    */
-  async logout(): Promise<void> {
-    if (!this.refreshToken) return;
+  public getCurrentUserId(): string | null {
+    if (!this.accessToken) return null;
     
     try {
-      await this.client.post('/auth/logout', { refreshToken: this.refreshToken });
+      const decoded = jwtDecode<JwtPayload>(this.accessToken);
+      return decoded.userId || decoded.id || null;
     } catch (error) {
-      console.warn('Error during logout', error);
-    } finally {
-      this.accessToken = null;
-      this.refreshToken = null;
+      return null;
     }
   }
-
+  
   /**
-   * Refresh access and refresh tokens
-   * @returns New tokens
+   * Internal method to check if we have an access token
+   * @private
+   * @returns Boolean indicating if access token exists
+   * @internal - Use `isAuthenticated` from useOxy() context in UI components instead
    */
-  async refreshTokens(): Promise<{ accessToken: string; refreshToken: string }> {
-    if (!this.refreshToken) {
-      throw new Error('No refresh token available');
-    }
-    
-    // If a refresh is already in progress, return that promise
-    if (this.refreshPromise) {
-      return this.refreshPromise;
-    }
-    
-    // Create a new refresh promise
-    this.refreshPromise = (async () => {
-      try {
-        const res = await this.client.post('/auth/refresh', { refreshToken: this.refreshToken });
-        const { accessToken, refreshToken } = res.data;
-        this.accessToken = accessToken;
-        this.refreshToken = refreshToken;
-        return { accessToken, refreshToken };
-      } catch (error) {
-        this.accessToken = null;
-        this.refreshToken = null;
-        throw this.handleError(error);
-      } finally {
-        this.refreshPromise = null;
-      }
-    })();
-    
-    return this.refreshPromise;
+  private hasAccessToken(): boolean {
+    return this.accessToken !== null;
   }
 
   /**
@@ -292,6 +220,22 @@ export class OxyServices {
    */
   async validate(): Promise<boolean> {
     try {
+      // Check if token contains sessionId (new session-based system)
+      if (this.accessToken) {
+        try {
+          const decoded = jwtDecode<JwtPayload>(this.accessToken);
+          if (decoded.sessionId) {
+            // Use session-based validation
+            const res = await this.client.get(`/secure-session/validate/${decoded.sessionId}`);
+            return res.data.valid;
+          }
+        } catch (decodeError) {
+          // If token can't be decoded, fall back to old validation
+          console.warn('Error decoding JWT token for session validation:', decodeError);
+        }
+      }
+      
+      // Fall back to old validation method
       const res = await this.client.get('/auth/validate');
       return res.data.valid;
     } catch (error) {
@@ -301,59 +245,6 @@ export class OxyServices {
 
   /* Session Management Methods */
 
-  /**
-   * Get active sessions for the authenticated user
-   * @returns Array of active session objects
-   */
-  async getUserSessions(): Promise<any[]> {
-    try {
-      const res = await this.client.get('/sessions');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from a specific session
-   * @param sessionId - The session ID to logout from
-   * @returns Success status
-   */
-  async logoutSession(sessionId: string): Promise<{ success: boolean; message: string }> {
-    try {
-      const res = await this.client.delete(`/sessions/${sessionId}`);
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from all other sessions (keep current session active)
-   * @returns Success status
-   */
-  async logoutOtherSessions(): Promise<{ success: boolean; message: string }> {
-    try {
-      const res = await this.client.post('/sessions/logout-others');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
-  /**
-   * Logout from all sessions
-   * @returns Success status
-   */
-  async logoutAllSessions(): Promise<{ success: boolean; message: string }> {
-    try {
-      const res = await this.client.post('/sessions/logout-all');
-      return res.data;
-    } catch (error) {
-      throw this.handleError(error);
-    }
-  }
-
   /**
    * Get device sessions for a specific session ID
    * @param sessionId - The session ID to get device sessions for
@@ -1177,12 +1068,41 @@ export class OxyServices {
   }
 
   /**
-   * Secure login that returns only session data (no tokens stored locally)
+   * Sign up a new user and create a session
+   * @param username - Desired username
+   * @param email - User's email address
+   * @param password - User's password
+   * @returns Object containing the message, token and user data
+   */
+  async signUp(username: string, email: string, password: string): Promise<{ message: string; token: string; user: User }> {
+    try {
+      // First, create the user account
+      const res = await this.client.post('/secure-session/register', { username, email, password });
+      const { message, user } = res.data;
+      
+      // Then log them in to create a session
+      const loginRes = await this.secureLogin(username, password);
+      
+      // Get the access token for the session
+      const tokenRes = await this.getTokenBySession(loginRes.sessionId);
+      
+      return { 
+        message, 
+        token: tokenRes.accessToken, 
+        user: loginRes.user as User
+      };
+    } catch (error) {
+      throw this.handleError(error);
+    }
+  }
+
+  /**
+   * Secure login that creates a device-based session
    * @param username - User's username or email
    * @param password - User's password
-   * @param deviceName - Optional device name for session tracking
-   * @param deviceFingerprint - Device fingerprint for enhanced security
-   * @returns Secure login response with session data
+   * @param deviceName - Optional device name
+   * @param deviceFingerprint - Optional device fingerprint
+   * @returns Login response with session data
    */
   async secureLogin(username: string, password: string, deviceName?: string, deviceFingerprint?: any): Promise<SecureLoginResponse> {
     try {
@@ -1362,132 +1282,50 @@ export class OxyServices {
   }
 
   /**
-   * Utility method to help implement authentication middleware in Express.js applications
-   * This creates a function that can be used as Express middleware to validate tokens
-   * @param options - Configuration options for the middleware
+   * Create authentication middleware for Express.js applications
+   * This is the recommended way to protect routes in server applications
    * @returns Express middleware function
    */
-  public createAuthenticateTokenMiddleware(options: {
-    loadFullUser?: boolean; // Whether to load full user object or just user ID
-    onError?: (error: ApiError) => any; // Custom error handler
-  } = {}) {
-    const { loadFullUser = true, onError } = options;
-    
+  public createAuthMiddleware() {
     return async (req: any, res: any, next: any) => {
       try {
-        const authHeader = req.headers['authorization'];
-        const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
+        const authHeader = req.headers.authorization;
         
-        if (!token) {
-          const error = {
-            message: 'Access token required',
-            code: 'MISSING_TOKEN',
-            status: 401
-          };
-          
-          if (onError) {
-            return onError(error);
-          }
-          
-          return res.status(401).json({ 
-            message: 'Access token required',
-            code: 'MISSING_TOKEN'
-          });
-        }
-        
-        // Create a temporary OxyServices instance with the token to validate it
-        const tempOxyServices = new OxyServices({
-          baseURL: this.client.defaults.baseURL || ''
-        });
-        tempOxyServices.setTokens(token, ''); // Set access token
-        
-        // Validate token using the validate method
-        const isValid = await tempOxyServices.validate();
-        
-        if (!isValid) {
-          const error = {
-            message: 'Invalid or expired token',
-            code: 'INVALID_TOKEN',
-            status: 403
-          };
-          
-          if (onError) {
-            return onError(error);
-          }
-          
-          return res.status(403).json({ 
-            message: 'Invalid or expired token',
-            code: 'INVALID_TOKEN'
+        if (!authHeader?.startsWith('Bearer ')) {
+          return res.status(401).json({
+            error: 'Authentication required',
+            message: 'Invalid or missing authorization header'
           });
         }
+
+        const token = authHeader.split(' ')[1];
         
-        // Get user ID from token using JWT decode instead of relying on getCurrentUserId
-        let userId: string | null = null;
-        try {
-          const decoded = jwtDecode<JwtPayload>(token);
-          userId = decoded.userId || decoded.id;
-        } catch (decodeError) {
-          const error = {
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD',
-            status: 403
-          };
-          
-          if (onError) {
-            return onError(error);
-          }
-          
-          return res.status(403).json({ 
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD'
-          });
-        }
+        // Use the authenticateToken method
+        const result = await this.authenticateToken(token);
         
-        if (!userId) {
-          const error = {
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD',
-            status: 403
-          };
-          
-          if (onError) {
-            return onError(error);
-          }
-          
-          return res.status(403).json({ 
-            message: 'Invalid token payload',
-            code: 'INVALID_PAYLOAD'
+        if (!result.valid) {
+          return res.status(401).json({
+            error: 'Invalid token',
+            message: result.error || 'The provided authentication token is invalid'
           });
         }
         
         // Set user information on request object
-        req.userId = userId;
+        req.userId = result.userId || undefined;
         req.accessToken = token;
         
-        // Optionally load full user data
-        if (loadFullUser) {
-          try {
-            const userProfile = await tempOxyServices.getUserById(userId);
-            req.user = userProfile;
-          } catch (userError) {
-            // If we can't load user, continue with just ID
-            req.user = { id: userId };
-          }
-        } else {
-          req.user = { id: userId };
+        if (result.user) {
+          req.user = result.user;
+        } else if (result.userId) {
+          req.user = { id: result.userId };
         }
         
         next();
       } catch (error) {
-        const apiError = this.handleError(error);
-        
-        if (onError) {
-          return onError(apiError);
-        }
-        
-        return res.status(apiError.status || 500).json({ 
-          message: apiError.message,
-          code: apiError.code
+        console.error('Auth middleware error:', error);
+        return res.status(500).json({
+          error: 'Server error',
+          message: 'An error occurred while authenticating your request'
         });
       }
     };
@@ -1513,55 +1351,76 @@ export class OxyServices {
         };
       }
       
-      // Create a temporary OxyServices instance with the token
-      const tempOxyServices = new OxyServices({
-        baseURL: this.client.defaults.baseURL || ''
-      });
-      tempOxyServices.setTokens(token, '');
-      
-      // Validate token
-      const isValid = await tempOxyServices.validate();
-      
-      if (!isValid) {
-        return {
-          valid: false,
-          error: 'Invalid or expired token'
-        };
-      }
-      
-      // Get user ID from token using JWT decode
-      let userId: string | null = null;
+      // Check if token contains sessionId (new session-based system)
       try {
         const decoded = jwtDecode<JwtPayload>(token);
-        userId = decoded.userId || decoded.id;
+        const userId = decoded.userId || decoded.id;
+        
+        if (decoded.sessionId) {
+          // Use session-based validation
+          const tempOxyServices = new OxyServices({
+            baseURL: this.client.defaults.baseURL || ''
+          });
+          tempOxyServices.setTokens(token, '');
+          
+          const validation = await tempOxyServices.validateSession(decoded.sessionId);
+          
+          if (validation.valid) {
+            return {
+              valid: true,
+              userId,
+              user: validation.user
+            };
+          } else {
+            return {
+              valid: false,
+              error: 'Invalid or expired session'
+            };
+          }
+        } else {
+          // Use old validation method
+          const tempOxyServices = new OxyServices({
+            baseURL: this.client.defaults.baseURL || ''
+          });
+          tempOxyServices.setTokens(token, '');
+          
+          const isValid = await tempOxyServices.validate();
+          
+          if (!isValid) {
+            return {
+              valid: false,
+              error: 'Invalid or expired token'
+            };
+          }
+          
+          if (!userId) {
+            return {
+              valid: false,
+              error: 'Invalid token payload'
+            };
+          }
+          
+          // Try to get user profile
+          let user;
+          try {
+            user = await tempOxyServices.getUserById(userId);
+          } catch (error) {
+            // Continue without full user data
+            user = { id: userId };
+          }
+          
+          return {
+            valid: true,
+            userId,
+            user
+          };
+        }
       } catch (decodeError) {
         return {
           valid: false,
           error: 'Invalid token payload'
         };
       }
-      
-      if (!userId) {
-        return {
-          valid: false,
-          error: 'Invalid token payload'
-        };
-      }
-      
-      // Try to get user profile
-      let user;
-      try {
-        user = await tempOxyServices.getUserById(userId);
-      } catch (error) {
-        // Continue without full user data
-        user = { id: userId };
-      }
-      
-      return {
-        valid: true,
-        userId,
-        user
-      };
     } catch (error) {
       return {
         valid: false,
@@ -1909,6 +1768,15 @@ export default OxyServices;
 export * from '../models/interfaces';
 export * from '../models/secureSession';
 
+// Clean middleware exports - these will be available for server-side use
+// Note: These require Express.js and are only for server-side applications
+export type { AuthRequest, SimpleAuthRequest } from '../types/middleware';
+
+// Export a simple function to create auth middleware
+export const createAuthMiddleware = (oxyServices: OxyServices) => {
+  return oxyServices.createAuthMiddleware();
+};
+
 if (typeof FormData === 'undefined') {
   console.warn('[OxyHQ/Services] FormData is not available. If you are using Hermes, add "import \'react-native-url-polyfill/auto\'" at the top of your app entry file.');
 }

package/src/index.ts

@@ -10,6 +10,10 @@
 export { OxyServices } from './core';
 export { OXY_CLOUD_URL } from './core';
 
+// Middleware exports (for server-side use)
+export type { AuthRequest, SimpleAuthRequest } from './types/middleware';
+export { createAuthMiddleware } from './core';
+
 // React context
 export { 
   OxyContextProvider, // Backward compatibility

package/src/node/index.ts

@@ -4,15 +4,11 @@
 
 // ------------- Core Imports -------------
 import { OxyServices, OXY_CLOUD_URL } from '../core'; // Adjusted path
-import { createAuth } from './createAuth';
 import * as Models from '../models/interfaces'; // Adjusted path
 
 // ------------- Core Exports -------------
 export { OxyServices, OXY_CLOUD_URL };
 
-// Zero-config auth and session router
-export { createAuth };
-
 // ------------- Model Exports -------------
 export { Models };  // Export all models as a namespace
 export * from '../models/interfaces'; // Export all models directly