@oxyhq/services 8.3.0 → 8.4.0

package/src/ui/context/OxyContext.tsx

@@ -14,18 +14,21 @@ import type { User, ApiError, SessionLoginResponse } from '@oxyhq/core';
 import type { ManagedAccount, CreateManagedAccountInput } from '@oxyhq/core';
 import { KeyManager } from '@oxyhq/core';
 import type { ClientSession } from '@oxyhq/core';
-import { runColdBoot, resolveCentralAuthUrl, parseSsoReturnFragment } from '@oxyhq/core';
-import { toast } from '@oxyhq/bloom';
 import {
-  SSO_CALLBACK_PATH,
+  runColdBoot,
+  resolveCentralAuthUrl,
+  autoDetectAuthWebUrl,
   ssoStateKey,
   ssoGuardKey,
   ssoDestKey,
   ssoNoSessionKey,
   isCentralIdPOrigin,
   guardActive,
-} from '../utils/ssoBounce';
-import * as ssoBounce from '../utils/ssoBounce';
+  ssoNavigate,
+  buildSsoBounceUrl,
+  consumeSsoReturn,
+} from '@oxyhq/core';
+import { toast } from '@oxyhq/bloom';
 import { useAuthStore, type AuthState } from '../stores/authStore';
 import { useShallow } from 'zustand/react/shallow';
 import { useSessionSocket } from '../hooks/useSessionSocket';
@@ -745,99 +748,42 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     storageKeys.sessionIds,
   ]);
 
-  // Central cross-domain SSO return handler (web). Parses the IdP redirect
-  // fragment, validates the CSRF `state`, exchanges the opaque single-use code
-  // for the real session, commits it, and restores the user's pre-bounce
-  // destination. Shared by the `sso-return` cold-boot step AND the bfcache
-  // `pageshow` re-evaluation, so the same security-critical logic runs exactly
-  // once per delivered fragment regardless of how the page was (re)shown.
+  // Central cross-domain SSO return handler (web). A THIN wrapper over core's
+  // `consumeSsoReturn`, which performs the entire security-critical kernel —
+  // parse the IdP redirect fragment, validate the CSRF `state`, strip the
+  // fragment FIRST, exchange the opaque single-use code, restore the user's
+  // pre-bounce destination (same-origin only), and set the per-origin
+  // NO_SESSION loop breaker on every non-ok outcome — and RETURNS the exchanged
+  // session (or `null`) WITHOUT committing. We preserve services' contract by
+  // committing the returned session here via `handleWebSSOSession`. Shared by
+  // the `sso-return` cold-boot step AND the bfcache `pageshow` re-evaluation, so
+  // the same kernel runs exactly once per delivered fragment regardless of how
+  // the page was (re)shown.
   //
   // Returns `true` when a session was committed (caller short-circuits), `false`
-  // otherwise. On ANY non-ok outcome — `none`/`error`, state mismatch, missing
-  // code, or a failed/forged exchange — it sets the per-origin NO_SESSION flag
-  // so `sso-bounce` is disabled and the page cannot loop. Off-browser it is a
-  // no-op returning `false` (native never reaches it).
+  // otherwise. Off-browser `consumeSsoReturn` is a no-op returning `null`, so
+  // this returns `false` (native never reaches it).
   const runSsoReturn = useCallback(async (): Promise<boolean> => {
-    if (!isWebBrowser()) {
-      return false;
-    }
-
-    const ret = parseSsoReturnFragment(window.location.hash);
-    if (!ret) {
-      // Not an oxy_sso fragment — nothing to do (do NOT touch any flags).
-      return false;
-    }
-
-    const origin = window.location.origin;
-    const expectedState = window.sessionStorage.getItem(ssoStateKey(origin));
-    const stateOk = !!ret.state && !!expectedState && ret.state === expectedState;
-
-    // Strip the fragment FIRST so the opaque code never lingers in the address
-    // bar, history, or a copy-paste — even if a later step throws.
-    window.history.replaceState(null, '', window.location.pathname + window.location.search);
-    window.sessionStorage.removeItem(ssoStateKey(origin));
-
-    const markNoSession = () => {
-      window.sessionStorage.setItem(ssoNoSessionKey(origin), '1');
-    };
-
-    if (ret.kind === 'none' || ret.kind === 'error') {
-      // The central IdP had no session (or the bounce failed). Record it so we
-      // do not bounce again this tab — the definitive loop breaker.
-      markNoSession();
-      return false;
-    }
-
-    if (!stateOk || !ret.code) {
-      // Forged / replayed / stale fragment, or a malformed ok with no code.
-      // Treat exactly like "no session": never exchange, never loop.
-      markNoSession();
+    const session = await consumeSsoReturn(oxyServices, {
+      isWeb: isWebBrowser,
+      onExchangeError: (error) => {
+        if (__DEV__) {
+          loggerUtil.debug(
+            'SSO code exchange failed (treating as no session)',
+            { component: 'OxyContext', method: 'runSsoReturn' },
+            error,
+          );
+        }
+      },
+    });
+    if (!session) {
       return false;
     }
-
     const commitWebSession = handleWebSSOSessionRef.current;
-    let session: SessionLoginResponse;
-    try {
-      session = await oxyServices.exchangeSsoCode(ret.code);
-    } catch (error) {
-      if (__DEV__) {
-        loggerUtil.debug(
-          'SSO code exchange failed (treating as no session)',
-          { component: 'OxyContext', method: 'runSsoReturn' },
-          error,
-        );
-      }
-      markNoSession();
-      return false;
-    }
-
-    if (!session?.sessionId || !commitWebSession) {
-      markNoSession();
+    if (!commitWebSession) {
       return false;
     }
-
     await commitWebSession(session);
-
-    // Restore the user's real destination captured before the bounce. We only
-    // rewrite the URL when we are sitting on the callback path — otherwise the
-    // current URL is already the destination.
-    if (window.location.pathname === SSO_CALLBACK_PATH) {
-      const dest = window.sessionStorage.getItem(ssoDestKey(origin));
-      if (dest) {
-        try {
-          const destUrl = new URL(dest);
-          // Same-origin only — never honour a cross-origin destination that
-          // could have been planted to redirect the freshly signed-in user.
-          if (destUrl.origin === origin) {
-            window.history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
-          }
-        } catch {
-          // Malformed stored destination — leave the URL on the callback path.
-        }
-      }
-    }
-    window.sessionStorage.removeItem(ssoDestKey(origin));
-
     return true;
   }, [oxyServices]);
 
@@ -847,9 +793,13 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // web-only step is gated by `isWebBrowser()`, so on native ONLY
   // `stored-session` runs.
   //
-  // Order (web): redirect callback → SSO return → FedCM silent → cookie restore
-  // → stored session → SSO bounce (terminal). Order (native): stored session
-  // only (every web-only step is disabled off-browser).
+  // Order (web): redirect callback → SSO return → FedCM silent (central) →
+  // silent iframe (per-apex, the durable reload path) → cookie restore →
+  // stored session → SSO bounce (terminal). The per-apex silent iframe is what
+  // restores a durable cross-domain session on reload WITHOUT a top-level
+  // bounce, so when it wins `sso-bounce` never fires (no flash, no loop).
+  // Order (native): stored session only (every web-only step is disabled
+  // off-browser).
   const restoreSessionsFromStorage = useCallback(async (): Promise<void> => {
     if (!storage) {
       return;
@@ -916,7 +866,44 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             },
           },
           {
-            // 3) Refresh-cookie restore (first-party only). On `*.oxy.so` the
+            // 3) First-party silent iframe at the PER-APEX IdP — the DURABLE
+            // cross-domain reload-restore path. The durable session lives as a
+            // first-party `fedcm_session` cookie on `auth.<rp-apex>` (e.g.
+            // `auth.mention.earth`), established during the `/sso` bounce's
+            // `/sso/establish` hop. That host is SAME-SITE to the RP page, so
+            // the cookie is first-party under Safari ITP / Firefox TCP — and
+            // an iframe read is NOT a top-level navigation, so it restores on
+            // reload with NO flash and works in a backgrounded tab. This is the
+            // step that prevents the re-bounce loop: when it finds a session,
+            // the terminal `sso-bounce` never fires.
+            //
+            // The instance is configured with `authWebUrl=auth.oxy.so` (central,
+            // for the bounce + FedCM), so we explicitly point the iframe at the
+            // per-apex host via `autoDetectAuthWebUrl()` and `silentSignIn`'s
+            // `authWebUrlOverride`. On a `*.oxy.so` RP the per-apex host IS the
+            // central host (`auth.oxy.so`), so this is a same-host no-op-
+            // equivalent. When auto-detection bails (localhost/IP/single-label)
+            // there is no per-apex IdP and the step skips. Web only; on native
+            // `isWebBrowser()` gates it off, so native never runs an iframe.
+            id: 'silent-iframe',
+            enabled: () => isWebBrowser(),
+            run: async () => {
+              const perApexAuthUrl = autoDetectAuthWebUrl();
+              if (!perApexAuthUrl || !commitWebSession) {
+                return { kind: 'skip' };
+              }
+              const session = await oxyServices.silentSignIn?.({
+                authWebUrlOverride: perApexAuthUrl,
+              });
+              if (!session?.user || !session?.sessionId) {
+                return { kind: 'skip' };
+              }
+              await commitWebSession(session);
+              return { kind: 'session', session: true };
+            },
+          },
+          {
+            // 4) Refresh-cookie restore (first-party only). On `*.oxy.so` the
             // httpOnly `oxy_rt_${n}` cookies ride along and resurrect every
             // device-local slot. On a cross-domain RP (mention.earth, …) the
             // cookie is `Domain=oxy.so` so it never reaches `api.<apex>` —
@@ -930,7 +917,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             },
           },
           {
-            // 4) Stored-session bearer restore. NO `enabled` gate — runs on ALL
+            // 5) Stored-session bearer restore. NO `enabled` gate — runs on ALL
             // platforms. This is native's ONLY restore path (every web-only step
             // is disabled off-browser, so native reaches exactly this).
             id: 'stored-session',
@@ -940,7 +927,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             },
           },
           {
-            // 5) SSO bounce (TERMINAL, web only, at most once). No local session
+            // 6) SSO bounce (TERMINAL, web only, at most once). No local session
             // was found by any step above. Top-level navigate to the central
             // `auth.oxy.so/sso?prompt=none` so the IdP can either mint a session
             // (returning an opaque code we exchange on the callback) or report
@@ -972,17 +959,13 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
               window.sessionStorage.setItem(ssoGuardKey(origin), String(Date.now()));
               window.sessionStorage.setItem(ssoDestKey(origin), window.location.href);
 
-              const url = new URL('/sso', resolveCentralAuthUrl(oxyServices.config?.authWebUrl));
-              url.searchParams.set('prompt', 'none');
-              url.searchParams.set('client_id', origin);
-              url.searchParams.set('return_to', origin + SSO_CALLBACK_PATH);
-              url.searchParams.set('state', state);
+              const url = buildSsoBounceUrl(origin, state, oxyServices.config?.authWebUrl);
 
               // TERMINAL: the document is torn down by this navigation. The
               // `skip` below is only reached if `assign` is a no-op (e.g. the
               // navigation is blocked); in that case we fall through
               // unauthenticated, which is correct.
-              ssoBounce.ssoNavigate(url.toString());
+              ssoNavigate(url);
               return { kind: 'skip' };
             },
           },

package/lib/commonjs/ui/utils/ssoBounce.js

@@ -1,158 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.SSO_GUARD_TTL_MS = exports.SSO_CALLBACK_PATH = void 0;
-exports.guardActive = guardActive;
-exports.isCentralIdPOrigin = isCentralIdPOrigin;
-exports.ssoDestKey = ssoDestKey;
-exports.ssoGuardKey = ssoGuardKey;
-exports.ssoNavigate = ssoNavigate;
-exports.ssoNoSessionKey = ssoNoSessionKey;
-exports.ssoStateKey = ssoStateKey;
-var _core = require("@oxyhq/core");
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-const SSO_CALLBACK_PATH = exports.SSO_CALLBACK_PATH = '/__oxy/sso-callback';
-
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-const SSO_GUARD_TTL_MS = exports.SSO_GUARD_TTL_MS = 30_000;
-const STATE_KEY_PREFIX = 'oxy_sso_state:';
-const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
-const DEST_KEY_PREFIX = 'oxy_sso_dest:';
-const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
-
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-function ssoNavigate(url) {
-  if (typeof window === 'undefined' || typeof window.location === 'undefined') {
-    return;
-  }
-  window.location.assign(url);
-}
-
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-function ssoStateKey(origin) {
-  return `${STATE_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-function ssoGuardKey(origin) {
-  return `${GUARD_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin destination key (the real URL to restore after the callback). */
-function ssoDestKey(origin) {
-  return `${DEST_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-function ssoNoSessionKey(origin) {
-  return `${NO_SESSION_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-function isCentralIdPOrigin(origin) {
-  let centralOrigin;
-  try {
-    centralOrigin = new URL(_core.CENTRAL_AUTH_URL).origin;
-  } catch {
-    return false;
-  }
-  let candidateOrigin;
-  try {
-    candidateOrigin = new URL(origin).origin;
-  } catch {
-    return false;
-  }
-  return candidateOrigin === centralOrigin;
-}
-
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-function guardActive(storage, origin, now) {
-  let raw;
-  try {
-    raw = storage.getItem(ssoGuardKey(origin));
-  } catch {
-    return false;
-  }
-  if (raw === null || raw.length === 0) {
-    return false;
-  }
-  const stamp = Number(raw);
-  if (!Number.isFinite(stamp)) {
-    return false;
-  }
-  return now - stamp < SSO_GUARD_TTL_MS;
-}
-//# sourceMappingURL=ssoBounce.js.map

package/lib/commonjs/ui/utils/ssoBounce.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_core","require","SSO_CALLBACK_PATH","exports","SSO_GUARD_TTL_MS","STATE_KEY_PREFIX","GUARD_KEY_PREFIX","DEST_KEY_PREFIX","NO_SESSION_KEY_PREFIX","ssoNavigate","url","window","location","assign","ssoStateKey","origin","ssoGuardKey","ssoDestKey","ssoNoSessionKey","isCentralIdPOrigin","centralOrigin","URL","CENTRAL_AUTH_URL","candidateOrigin","guardActive","storage","now","raw","getItem","length","stamp","Number","isFinite"],"sourceRoot":"../../../../src","sources":["ui/utils/ssoBounce.ts"],"mappings":";;;;;;;;;;;;;AAkCA,IAAAA,KAAA,GAAAC,OAAA;AAlCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAIA;AACA;AACA;AACA;AACA;AACO,MAAMC,iBAAiB,GAAAC,OAAA,CAAAD,iBAAA,GAAG,qBAAqB;;AAEtD;AACA;AACA;AACA;AACA;AACA;AACO,MAAME,gBAAgB,GAAAD,OAAA,CAAAC,gBAAA,GAAG,MAAM;AAEtC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,eAAe,GAAG,eAAe;AACvC,MAAMC,qBAAqB,GAAG,qBAAqB;;AAEnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASC,WAAWA,CAACC,GAAW,EAAQ;EAC7C,IAAI,OAAOC,MAAM,KAAK,WAAW,IAAI,OAAOA,MAAM,CAACC,QAAQ,KAAK,WAAW,EAAE;IAC3E;EACF;EACAD,MAAM,CAACC,QAAQ,CAACC,MAAM,CAACH,GAAG,CAAC;AAC7B;;AAEA;AACO,SAASI,WAAWA,CAACC,MAAc,EAAU;EAClD,OAAO,GAAGV,gBAAgB,GAAGU,MAAM,EAAE;AACvC;;AAEA;AACO,SAASC,WAAWA,CAACD,MAAc,EAAU;EAClD,OAAO,GAAGT,gBAAgB,GAAGS,MAAM,EAAE;AACvC;;AAEA;AACO,SAASE,UAAUA,CAACF,MAAc,EAAU;EACjD,OAAO,GAAGR,eAAe,GAAGQ,MAAM,EAAE;AACtC;;AAEA;AACA;AACA;AACA;AACA;AACO,SAASG,eAAeA,CAACH,MAAc,EAAU;EACtD,OAAO,GAAGP,qBAAqB,GAAGO,MAAM,EAAE;AAC5C;;AAEA;AACA;AACA;AACA;AACA;AACO,SAASI,kBAAkBA,CAACJ,MAAc,EAAW;EAC1D,IAAIK,aAAqB;EACzB,IAAI;IACFA,aAAa,GAAG,IAAIC,GAAG,CAACC,sBAAgB,CAAC,CAACP,MAAM;EAClD,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIQ,eAAuB;EAC3B,IAAI;IACFA,eAAe,GAAG,IAAIF,GAAG,CAACN,MAAM,CAAC,CAACA,MAAM;EAC1C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,OAAOQ,eAAe,KAAKH,aAAa;AAC1C;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASI,WAAWA,CAACC,OAAgB,EAAEV,MAAc,EAAEW,GAAW,EAAW;EAClF,IAAIC,GAAkB;EACtB,IAAI;IACFA,GAAG,GAAGF,OAAO,CAACG,OAAO,CAACZ,WAAW,CAACD,MAAM,CAAC,CAAC;EAC5C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIY,GAAG,KAAK,IAAI,IAAIA,GAAG,CAACE,MAAM,KAAK,CAAC,EAAE;IACpC,OAAO,KAAK;EACd;EACA,MAAMC,KAAK,GAAGC,MAAM,CAACJ,GAAG,CAAC;EACzB,IAAI,CAACI,MAAM,CAACC,QAAQ,CAACF,KAAK,CAAC,EAAE;IAC3B,OAAO,KAAK;EACd;EACA,OAAOJ,GAAG,GAAGI,KAAK,GAAG1B,gBAAgB;AACvC","ignoreList":[]}

package/lib/module/ui/utils/ssoBounce.js

@@ -1,148 +0,0 @@
-"use strict";
-
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-
-import { CENTRAL_AUTH_URL } from '@oxyhq/core';
-
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-export const SSO_CALLBACK_PATH = '/__oxy/sso-callback';
-
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-export const SSO_GUARD_TTL_MS = 30_000;
-const STATE_KEY_PREFIX = 'oxy_sso_state:';
-const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
-const DEST_KEY_PREFIX = 'oxy_sso_dest:';
-const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
-
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-export function ssoNavigate(url) {
-  if (typeof window === 'undefined' || typeof window.location === 'undefined') {
-    return;
-  }
-  window.location.assign(url);
-}
-
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-export function ssoStateKey(origin) {
-  return `${STATE_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-export function ssoGuardKey(origin) {
-  return `${GUARD_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin destination key (the real URL to restore after the callback). */
-export function ssoDestKey(origin) {
-  return `${DEST_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-export function ssoNoSessionKey(origin) {
-  return `${NO_SESSION_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-export function isCentralIdPOrigin(origin) {
-  let centralOrigin;
-  try {
-    centralOrigin = new URL(CENTRAL_AUTH_URL).origin;
-  } catch {
-    return false;
-  }
-  let candidateOrigin;
-  try {
-    candidateOrigin = new URL(origin).origin;
-  } catch {
-    return false;
-  }
-  return candidateOrigin === centralOrigin;
-}
-
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-export function guardActive(storage, origin, now) {
-  let raw;
-  try {
-    raw = storage.getItem(ssoGuardKey(origin));
-  } catch {
-    return false;
-  }
-  if (raw === null || raw.length === 0) {
-    return false;
-  }
-  const stamp = Number(raw);
-  if (!Number.isFinite(stamp)) {
-    return false;
-  }
-  return now - stamp < SSO_GUARD_TTL_MS;
-}
-//# sourceMappingURL=ssoBounce.js.map

package/lib/module/ui/utils/ssoBounce.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["CENTRAL_AUTH_URL","SSO_CALLBACK_PATH","SSO_GUARD_TTL_MS","STATE_KEY_PREFIX","GUARD_KEY_PREFIX","DEST_KEY_PREFIX","NO_SESSION_KEY_PREFIX","ssoNavigate","url","window","location","assign","ssoStateKey","origin","ssoGuardKey","ssoDestKey","ssoNoSessionKey","isCentralIdPOrigin","centralOrigin","URL","candidateOrigin","guardActive","storage","now","raw","getItem","length","stamp","Number","isFinite"],"sourceRoot":"../../../../src","sources":["ui/utils/ssoBounce.ts"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,gBAAgB,QAAQ,aAAa;;AAE9C;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,iBAAiB,GAAG,qBAAqB;;AAEtD;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAgB,GAAG,MAAM;AAEtC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,eAAe,GAAG,eAAe;AACvC,MAAMC,qBAAqB,GAAG,qBAAqB;;AAEnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,WAAWA,CAACC,GAAW,EAAQ;EAC7C,IAAI,OAAOC,MAAM,KAAK,WAAW,IAAI,OAAOA,MAAM,CAACC,QAAQ,KAAK,WAAW,EAAE;IAC3E;EACF;EACAD,MAAM,CAACC,QAAQ,CAACC,MAAM,CAACH,GAAG,CAAC;AAC7B;;AAEA;AACA,OAAO,SAASI,WAAWA,CAACC,MAAc,EAAU;EAClD,OAAO,GAAGV,gBAAgB,GAAGU,MAAM,EAAE;AACvC;;AAEA;AACA,OAAO,SAASC,WAAWA,CAACD,MAAc,EAAU;EAClD,OAAO,GAAGT,gBAAgB,GAAGS,MAAM,EAAE;AACvC;;AAEA;AACA,OAAO,SAASE,UAAUA,CAACF,MAAc,EAAU;EACjD,OAAO,GAAGR,eAAe,GAAGQ,MAAM,EAAE;AACtC;;AAEA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASG,eAAeA,CAACH,MAAc,EAAU;EACtD,OAAO,GAAGP,qBAAqB,GAAGO,MAAM,EAAE;AAC5C;;AAEA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASI,kBAAkBA,CAACJ,MAAc,EAAW;EAC1D,IAAIK,aAAqB;EACzB,IAAI;IACFA,aAAa,GAAG,IAAIC,GAAG,CAACnB,gBAAgB,CAAC,CAACa,MAAM;EAClD,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIO,eAAuB;EAC3B,IAAI;IACFA,eAAe,GAAG,IAAID,GAAG,CAACN,MAAM,CAAC,CAACA,MAAM;EAC1C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,OAAOO,eAAe,KAAKF,aAAa;AAC1C;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASG,WAAWA,CAACC,OAAgB,EAAET,MAAc,EAAEU,GAAW,EAAW;EAClF,IAAIC,GAAkB;EACtB,IAAI;IACFA,GAAG,GAAGF,OAAO,CAACG,OAAO,CAACX,WAAW,CAACD,MAAM,CAAC,CAAC;EAC5C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIW,GAAG,KAAK,IAAI,IAAIA,GAAG,CAACE,MAAM,KAAK,CAAC,EAAE;IACpC,OAAO,KAAK;EACd;EACA,MAAMC,KAAK,GAAGC,MAAM,CAACJ,GAAG,CAAC;EACzB,IAAI,CAACI,MAAM,CAACC,QAAQ,CAACF,KAAK,CAAC,EAAE;IAC3B,OAAO,KAAK;EACd;EACA,OAAOJ,GAAG,GAAGI,KAAK,GAAGzB,gBAAgB;AACvC","ignoreList":[]}

package/lib/typescript/commonjs/ui/utils/ssoBounce.d.ts

@@ -1,89 +0,0 @@
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-export declare const SSO_CALLBACK_PATH = "/__oxy/sso-callback";
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-export declare const SSO_GUARD_TTL_MS = 30000;
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-export declare function ssoNavigate(url: string): void;
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-export declare function ssoStateKey(origin: string): string;
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-export declare function ssoGuardKey(origin: string): string;
-/** Per-origin destination key (the real URL to restore after the callback). */
-export declare function ssoDestKey(origin: string): string;
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-export declare function ssoNoSessionKey(origin: string): string;
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-export declare function isCentralIdPOrigin(origin: string): boolean;
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-export declare function guardActive(storage: Storage, origin: string, now: number): boolean;
-//# sourceMappingURL=ssoBounce.d.ts.map