@oxyhq/services 8.3.1 → 8.4.0

package/lib/module/ui/utils/ssoBounce.js

@@ -1,148 +0,0 @@
-"use strict";
-
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-
-import { CENTRAL_AUTH_URL } from '@oxyhq/core';
-
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-export const SSO_CALLBACK_PATH = '/__oxy/sso-callback';
-
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-export const SSO_GUARD_TTL_MS = 30_000;
-const STATE_KEY_PREFIX = 'oxy_sso_state:';
-const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
-const DEST_KEY_PREFIX = 'oxy_sso_dest:';
-const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
-
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-export function ssoNavigate(url) {
-  if (typeof window === 'undefined' || typeof window.location === 'undefined') {
-    return;
-  }
-  window.location.assign(url);
-}
-
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-export function ssoStateKey(origin) {
-  return `${STATE_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-export function ssoGuardKey(origin) {
-  return `${GUARD_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin destination key (the real URL to restore after the callback). */
-export function ssoDestKey(origin) {
-  return `${DEST_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-export function ssoNoSessionKey(origin) {
-  return `${NO_SESSION_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-export function isCentralIdPOrigin(origin) {
-  let centralOrigin;
-  try {
-    centralOrigin = new URL(CENTRAL_AUTH_URL).origin;
-  } catch {
-    return false;
-  }
-  let candidateOrigin;
-  try {
-    candidateOrigin = new URL(origin).origin;
-  } catch {
-    return false;
-  }
-  return candidateOrigin === centralOrigin;
-}
-
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-export function guardActive(storage, origin, now) {
-  let raw;
-  try {
-    raw = storage.getItem(ssoGuardKey(origin));
-  } catch {
-    return false;
-  }
-  if (raw === null || raw.length === 0) {
-    return false;
-  }
-  const stamp = Number(raw);
-  if (!Number.isFinite(stamp)) {
-    return false;
-  }
-  return now - stamp < SSO_GUARD_TTL_MS;
-}
-//# sourceMappingURL=ssoBounce.js.map

package/lib/module/ui/utils/ssoBounce.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["CENTRAL_AUTH_URL","SSO_CALLBACK_PATH","SSO_GUARD_TTL_MS","STATE_KEY_PREFIX","GUARD_KEY_PREFIX","DEST_KEY_PREFIX","NO_SESSION_KEY_PREFIX","ssoNavigate","url","window","location","assign","ssoStateKey","origin","ssoGuardKey","ssoDestKey","ssoNoSessionKey","isCentralIdPOrigin","centralOrigin","URL","candidateOrigin","guardActive","storage","now","raw","getItem","length","stamp","Number","isFinite"],"sourceRoot":"../../../../src","sources":["ui/utils/ssoBounce.ts"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,gBAAgB,QAAQ,aAAa;;AAE9C;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,iBAAiB,GAAG,qBAAqB;;AAEtD;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAgB,GAAG,MAAM;AAEtC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,eAAe,GAAG,eAAe;AACvC,MAAMC,qBAAqB,GAAG,qBAAqB;;AAEnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,WAAWA,CAACC,GAAW,EAAQ;EAC7C,IAAI,OAAOC,MAAM,KAAK,WAAW,IAAI,OAAOA,MAAM,CAACC,QAAQ,KAAK,WAAW,EAAE;IAC3E;EACF;EACAD,MAAM,CAACC,QAAQ,CAACC,MAAM,CAACH,GAAG,CAAC;AAC7B;;AAEA;AACA,OAAO,SAASI,WAAWA,CAACC,MAAc,EAAU;EAClD,OAAO,GAAGV,gBAAgB,GAAGU,MAAM,EAAE;AACvC;;AAEA;AACA,OAAO,SAASC,WAAWA,CAACD,MAAc,EAAU;EAClD,OAAO,GAAGT,gBAAgB,GAAGS,MAAM,EAAE;AACvC;;AAEA;AACA,OAAO,SAASE,UAAUA,CAACF,MAAc,EAAU;EACjD,OAAO,GAAGR,eAAe,GAAGQ,MAAM,EAAE;AACtC;;AAEA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASG,eAAeA,CAACH,MAAc,EAAU;EACtD,OAAO,GAAGP,qBAAqB,GAAGO,MAAM,EAAE;AAC5C;;AAEA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASI,kBAAkBA,CAACJ,MAAc,EAAW;EAC1D,IAAIK,aAAqB;EACzB,IAAI;IACFA,aAAa,GAAG,IAAIC,GAAG,CAACnB,gBAAgB,CAAC,CAACa,MAAM;EAClD,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIO,eAAuB;EAC3B,IAAI;IACFA,eAAe,GAAG,IAAID,GAAG,CAACN,MAAM,CAAC,CAACA,MAAM;EAC1C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,OAAOO,eAAe,KAAKF,aAAa;AAC1C;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASG,WAAWA,CAACC,OAAgB,EAAET,MAAc,EAAEU,GAAW,EAAW;EAClF,IAAIC,GAAkB;EACtB,IAAI;IACFA,GAAG,GAAGF,OAAO,CAACG,OAAO,CAACX,WAAW,CAACD,MAAM,CAAC,CAAC;EAC5C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIW,GAAG,KAAK,IAAI,IAAIA,GAAG,CAACE,MAAM,KAAK,CAAC,EAAE;IACpC,OAAO,KAAK;EACd;EACA,MAAMC,KAAK,GAAGC,MAAM,CAACJ,GAAG,CAAC;EACzB,IAAI,CAACI,MAAM,CAACC,QAAQ,CAACF,KAAK,CAAC,EAAE;IAC3B,OAAO,KAAK;EACd;EACA,OAAOJ,GAAG,GAAGI,KAAK,GAAGzB,gBAAgB;AACvC","ignoreList":[]}

package/lib/typescript/commonjs/ui/utils/ssoBounce.d.ts

@@ -1,89 +0,0 @@
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-export declare const SSO_CALLBACK_PATH = "/__oxy/sso-callback";
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-export declare const SSO_GUARD_TTL_MS = 30000;
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-export declare function ssoNavigate(url: string): void;
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-export declare function ssoStateKey(origin: string): string;
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-export declare function ssoGuardKey(origin: string): string;
-/** Per-origin destination key (the real URL to restore after the callback). */
-export declare function ssoDestKey(origin: string): string;
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-export declare function ssoNoSessionKey(origin: string): string;
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-export declare function isCentralIdPOrigin(origin: string): boolean;
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-export declare function guardActive(storage: Storage, origin: string, now: number): boolean;
-//# sourceMappingURL=ssoBounce.d.ts.map

package/lib/typescript/commonjs/ui/utils/ssoBounce.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ssoBounce.d.ts","sourceRoot":"","sources":["../../../../../src/ui/utils/ssoBounce.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAIH;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AAEvD;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,QAAS,CAAC;AAOvC;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAK7C;AAED,gFAAgF;AAChF,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,+EAA+E;AAC/E,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,+EAA+E;AAC/E,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAc1D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAelF"}

package/lib/typescript/module/ui/utils/ssoBounce.d.ts

@@ -1,89 +0,0 @@
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-export declare const SSO_CALLBACK_PATH = "/__oxy/sso-callback";
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-export declare const SSO_GUARD_TTL_MS = 30000;
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-export declare function ssoNavigate(url: string): void;
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-export declare function ssoStateKey(origin: string): string;
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-export declare function ssoGuardKey(origin: string): string;
-/** Per-origin destination key (the real URL to restore after the callback). */
-export declare function ssoDestKey(origin: string): string;
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-export declare function ssoNoSessionKey(origin: string): string;
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-export declare function isCentralIdPOrigin(origin: string): boolean;
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-export declare function guardActive(storage: Storage, origin: string, now: number): boolean;
-//# sourceMappingURL=ssoBounce.d.ts.map

package/lib/typescript/module/ui/utils/ssoBounce.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ssoBounce.d.ts","sourceRoot":"","sources":["../../../../../src/ui/utils/ssoBounce.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAIH;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,wBAAwB,CAAC;AAEvD;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,QAAS,CAAC;AAOvC;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAK7C;AAED,gFAAgF;AAChF,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,+EAA+E;AAC/E,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,+EAA+E;AAC/E,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEjD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAc1D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAelF"}

package/src/ui/utils/ssoBounce.ts

@@ -1,146 +0,0 @@
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-
-import { CENTRAL_AUTH_URL } from '@oxyhq/core';
-
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-export const SSO_CALLBACK_PATH = '/__oxy/sso-callback';
-
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-export const SSO_GUARD_TTL_MS = 30_000;
-
-const STATE_KEY_PREFIX = 'oxy_sso_state:';
-const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
-const DEST_KEY_PREFIX = 'oxy_sso_dest:';
-const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
-
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-export function ssoNavigate(url: string): void {
-  if (typeof window === 'undefined' || typeof window.location === 'undefined') {
-    return;
-  }
-  window.location.assign(url);
-}
-
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-export function ssoStateKey(origin: string): string {
-  return `${STATE_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-export function ssoGuardKey(origin: string): string {
-  return `${GUARD_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin destination key (the real URL to restore after the callback). */
-export function ssoDestKey(origin: string): string {
-  return `${DEST_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-export function ssoNoSessionKey(origin: string): string {
-  return `${NO_SESSION_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-export function isCentralIdPOrigin(origin: string): boolean {
-  let centralOrigin: string;
-  try {
-    centralOrigin = new URL(CENTRAL_AUTH_URL).origin;
-  } catch {
-    return false;
-  }
-  let candidateOrigin: string;
-  try {
-    candidateOrigin = new URL(origin).origin;
-  } catch {
-    return false;
-  }
-  return candidateOrigin === centralOrigin;
-}
-
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-export function guardActive(storage: Storage, origin: string, now: number): boolean {
-  let raw: string | null;
-  try {
-    raw = storage.getItem(ssoGuardKey(origin));
-  } catch {
-    return false;
-  }
-  if (raw === null || raw.length === 0) {
-    return false;
-  }
-  const stamp = Number(raw);
-  if (!Number.isFinite(stamp)) {
-    return false;
-  }
-  return now - stamp < SSO_GUARD_TTL_MS;
-}