@oxyhq/services 8.3.1 → 8.4.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/services",
-  "version": "8.3.1",
+  "version": "8.4.1",
   "description": "OxyHQ Expo/React Native SDK — UI components, screens, and native features",
   "main": "lib/commonjs/index.js",
   "module": "lib/module/index.js",
@@ -160,7 +160,7 @@
   "peerDependencies": {
     "@expo/vector-icons": "^15.0.3",
     "@oxyhq/bloom": ">=0.5.0",
-    "@oxyhq/core": "^2.2.1",
+    "@oxyhq/core": "^2.3.0",
     "@react-native-community/netinfo": "^11.4.1",
     "@tanstack/query-async-storage-persister": "^5.100",
     "@tanstack/query-sync-storage-persister": "^5.100",

package/src/ui/context/OxyContext.tsx

@@ -14,18 +14,22 @@ import type { User, ApiError, SessionLoginResponse } from '@oxyhq/core';
 import type { ManagedAccount, CreateManagedAccountInput } from '@oxyhq/core';
 import { KeyManager } from '@oxyhq/core';
 import type { ClientSession } from '@oxyhq/core';
-import { runColdBoot, resolveCentralAuthUrl, parseSsoReturnFragment, autoDetectAuthWebUrl } from '@oxyhq/core';
-import { toast } from '@oxyhq/bloom';
 import {
-  SSO_CALLBACK_PATH,
+  runColdBoot,
+  resolveCentralAuthUrl,
+  autoDetectAuthWebUrl,
   ssoStateKey,
   ssoGuardKey,
   ssoDestKey,
   ssoNoSessionKey,
+  ssoAttemptedKey,
   isCentralIdPOrigin,
   guardActive,
-} from '../utils/ssoBounce';
-import * as ssoBounce from '../utils/ssoBounce';
+  ssoNavigate,
+  buildSsoBounceUrl,
+  consumeSsoReturn,
+} from '@oxyhq/core';
+import { toast } from '@oxyhq/bloom';
 import { useAuthStore, type AuthState } from '../stores/authStore';
 import { useShallow } from 'zustand/react/shallow';
 import { useSessionSocket } from '../hooks/useSessionSocket';
@@ -745,99 +749,42 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     storageKeys.sessionIds,
   ]);
 
-  // Central cross-domain SSO return handler (web). Parses the IdP redirect
-  // fragment, validates the CSRF `state`, exchanges the opaque single-use code
-  // for the real session, commits it, and restores the user's pre-bounce
-  // destination. Shared by the `sso-return` cold-boot step AND the bfcache
-  // `pageshow` re-evaluation, so the same security-critical logic runs exactly
-  // once per delivered fragment regardless of how the page was (re)shown.
+  // Central cross-domain SSO return handler (web). A THIN wrapper over core's
+  // `consumeSsoReturn`, which performs the entire security-critical kernel —
+  // parse the IdP redirect fragment, validate the CSRF `state`, strip the
+  // fragment FIRST, exchange the opaque single-use code, restore the user's
+  // pre-bounce destination (same-origin only), and set the per-origin
+  // NO_SESSION loop breaker on every non-ok outcome — and RETURNS the exchanged
+  // session (or `null`) WITHOUT committing. We preserve services' contract by
+  // committing the returned session here via `handleWebSSOSession`. Shared by
+  // the `sso-return` cold-boot step AND the bfcache `pageshow` re-evaluation, so
+  // the same kernel runs exactly once per delivered fragment regardless of how
+  // the page was (re)shown.
   //
   // Returns `true` when a session was committed (caller short-circuits), `false`
-  // otherwise. On ANY non-ok outcome — `none`/`error`, state mismatch, missing
-  // code, or a failed/forged exchange — it sets the per-origin NO_SESSION flag
-  // so `sso-bounce` is disabled and the page cannot loop. Off-browser it is a
-  // no-op returning `false` (native never reaches it).
+  // otherwise. Off-browser `consumeSsoReturn` is a no-op returning `null`, so
+  // this returns `false` (native never reaches it).
   const runSsoReturn = useCallback(async (): Promise<boolean> => {
-    if (!isWebBrowser()) {
-      return false;
-    }
-
-    const ret = parseSsoReturnFragment(window.location.hash);
-    if (!ret) {
-      // Not an oxy_sso fragment — nothing to do (do NOT touch any flags).
-      return false;
-    }
-
-    const origin = window.location.origin;
-    const expectedState = window.sessionStorage.getItem(ssoStateKey(origin));
-    const stateOk = !!ret.state && !!expectedState && ret.state === expectedState;
-
-    // Strip the fragment FIRST so the opaque code never lingers in the address
-    // bar, history, or a copy-paste — even if a later step throws.
-    window.history.replaceState(null, '', window.location.pathname + window.location.search);
-    window.sessionStorage.removeItem(ssoStateKey(origin));
-
-    const markNoSession = () => {
-      window.sessionStorage.setItem(ssoNoSessionKey(origin), '1');
-    };
-
-    if (ret.kind === 'none' || ret.kind === 'error') {
-      // The central IdP had no session (or the bounce failed). Record it so we
-      // do not bounce again this tab — the definitive loop breaker.
-      markNoSession();
-      return false;
-    }
-
-    if (!stateOk || !ret.code) {
-      // Forged / replayed / stale fragment, or a malformed ok with no code.
-      // Treat exactly like "no session": never exchange, never loop.
-      markNoSession();
+    const session = await consumeSsoReturn(oxyServices, {
+      isWeb: isWebBrowser,
+      onExchangeError: (error) => {
+        if (__DEV__) {
+          loggerUtil.debug(
+            'SSO code exchange failed (treating as no session)',
+            { component: 'OxyContext', method: 'runSsoReturn' },
+            error,
+          );
+        }
+      },
+    });
+    if (!session) {
       return false;
     }
-
     const commitWebSession = handleWebSSOSessionRef.current;
-    let session: SessionLoginResponse;
-    try {
-      session = await oxyServices.exchangeSsoCode(ret.code);
-    } catch (error) {
-      if (__DEV__) {
-        loggerUtil.debug(
-          'SSO code exchange failed (treating as no session)',
-          { component: 'OxyContext', method: 'runSsoReturn' },
-          error,
-        );
-      }
-      markNoSession();
-      return false;
-    }
-
-    if (!session?.sessionId || !commitWebSession) {
-      markNoSession();
+    if (!commitWebSession) {
       return false;
     }
-
     await commitWebSession(session);
-
-    // Restore the user's real destination captured before the bounce. We only
-    // rewrite the URL when we are sitting on the callback path — otherwise the
-    // current URL is already the destination.
-    if (window.location.pathname === SSO_CALLBACK_PATH) {
-      const dest = window.sessionStorage.getItem(ssoDestKey(origin));
-      if (dest) {
-        try {
-          const destUrl = new URL(dest);
-          // Same-origin only — never honour a cross-origin destination that
-          // could have been planted to redirect the freshly signed-in user.
-          if (destUrl.origin === origin) {
-            window.history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
-          }
-        } catch {
-          // Malformed stored destination — leave the URL on the callback path.
-        }
-      }
-    }
-    window.sessionStorage.removeItem(ssoDestKey(origin));
-
     return true;
   }, [oxyServices]);
 
@@ -1001,6 +948,9 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
               if (window.sessionStorage.getItem(ssoNoSessionKey(origin)) === '1') {
                 return false;
               }
+              if (window.sessionStorage.getItem(ssoAttemptedKey(origin)) === '1') {
+                return false;
+              }
               if (guardActive(window.sessionStorage, origin, Date.now())) {
                 return false;
               }
@@ -1012,18 +962,18 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
               window.sessionStorage.setItem(ssoStateKey(origin), state);
               window.sessionStorage.setItem(ssoGuardKey(origin), String(Date.now()));
               window.sessionStorage.setItem(ssoDestKey(origin), window.location.href);
+              // OUTCOME-INDEPENDENT once-guard: mark the probe attempted the instant we
+              // commit to the bounce, so even if the callback never lands cleanly no
+              // second bounce can ever fire this tab (the definitive loop breaker).
+              window.sessionStorage.setItem(ssoAttemptedKey(origin), '1');
 
-              const url = new URL('/sso', resolveCentralAuthUrl(oxyServices.config?.authWebUrl));
-              url.searchParams.set('prompt', 'none');
-              url.searchParams.set('client_id', origin);
-              url.searchParams.set('return_to', origin + SSO_CALLBACK_PATH);
-              url.searchParams.set('state', state);
+              const url = buildSsoBounceUrl(origin, state, oxyServices.config?.authWebUrl);
 
               // TERMINAL: the document is torn down by this navigation. The
               // `skip` below is only reached if `assign` is a no-op (e.g. the
               // navigation is blocked); in that case we fall through
               // unauthenticated, which is correct.
-              ssoBounce.ssoNavigate(url.toString());
+              ssoNavigate(url);
               return { kind: 'skip' };
             },
           },

package/src/ui/context/hooks/useAuthOperations.ts

@@ -9,7 +9,7 @@ import type { StorageInterface } from '../../utils/storageHelpers';
 import type { OxyServices } from '@oxyhq/core';
 import { SignatureService } from '@oxyhq/core';
 import { isWebBrowser } from '../../hooks/useWebSSO';
-import { clearActiveAuthuser } from '../../utils/activeAuthuser';
+import { clearActiveAuthuser, clearSsoBounceState } from '../../utils/activeAuthuser';
 
 /** Type guard for error objects with optional code and status properties */
 function isErrorWithCodeOrStatus(error: unknown): error is { code?: string; status?: number; message?: string } {
@@ -323,6 +323,9 @@ export const useAuthOperations = ({
           if (filteredSessions.length > 0) {
             await switchSession(filteredSessions[0].sessionId);
           } else {
+            // Genuine FULL sign-out (no sessions remain): clear the per-origin
+            // SSO bounce state so a fresh deliberate sign-in can re-probe.
+            clearSsoBounceState();
             await clearSessionState();
             return;
           }
@@ -331,6 +334,8 @@ export const useAuthOperations = ({
         const isInvalid = isInvalidSessionError(error);
 
         if (isInvalid && targetSessionId === activeSessionId) {
+          // The active session is invalid → full sign-out; clear SSO state too.
+          clearSsoBounceState();
           await clearSessionState();
           return;
         }
@@ -390,6 +395,9 @@ export const useAuthOperations = ({
       } else {
         await oxyServices.logoutAllSessions(activeSessionId);
       }
+      // logoutAll is ALWAYS a full sign-out: clear the per-origin SSO bounce
+      // state (web-guarded internally) so a fresh sign-in can re-probe.
+      clearSsoBounceState();
       await clearSessionState();
     } catch (error) {
       handleAuthError(error, {

package/src/ui/utils/activeAuthuser.ts

@@ -18,12 +18,24 @@
  * outside the browser.
  */
 
+import {
+  ssoAttemptedKey,
+  ssoNoSessionKey,
+  ssoGuardKey,
+  ssoStateKey,
+  ssoDestKey,
+} from '@oxyhq/core';
+
 const ACTIVE_AUTHUSER_KEY = 'oxy_active_authuser';
 
 function hasLocalStorage(): boolean {
   return typeof window !== 'undefined' && typeof window.localStorage !== 'undefined';
 }
 
+function hasSessionStorage(): boolean {
+  return typeof window !== 'undefined' && typeof window.sessionStorage !== 'undefined';
+}
+
 /**
  * Read the persisted active `authuser` slot index.
  *
@@ -75,4 +87,26 @@ export function clearActiveAuthuser(): void {
   }
 }
 
+/**
+ * Clear all per-origin SSO bounce sessionStorage keys. Called ONLY on EXPLICIT
+ * user sign-out (logout / logoutAll) — never on a cold-boot failure path — so a
+ * fresh deliberate sign-in can re-probe the central IdP. Clearing on cold-boot
+ * failure would reintroduce the redirect loop.
+ *
+ * No-ops on native and on any storage failure (best-effort).
+ */
+export function clearSsoBounceState(): void {
+  if (!hasSessionStorage()) return;
+  const origin = window.location.origin;
+  try {
+    window.sessionStorage.removeItem(ssoAttemptedKey(origin));
+    window.sessionStorage.removeItem(ssoNoSessionKey(origin));
+    window.sessionStorage.removeItem(ssoGuardKey(origin));
+    window.sessionStorage.removeItem(ssoStateKey(origin));
+    window.sessionStorage.removeItem(ssoDestKey(origin));
+  } catch {
+    // Best-effort; swallow SecurityError (e.g. Safari private mode).
+  }
+}
+
 export { ACTIVE_AUTHUSER_KEY };

package/lib/commonjs/ui/utils/ssoBounce.js

@@ -1,158 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.SSO_GUARD_TTL_MS = exports.SSO_CALLBACK_PATH = void 0;
-exports.guardActive = guardActive;
-exports.isCentralIdPOrigin = isCentralIdPOrigin;
-exports.ssoDestKey = ssoDestKey;
-exports.ssoGuardKey = ssoGuardKey;
-exports.ssoNavigate = ssoNavigate;
-exports.ssoNoSessionKey = ssoNoSessionKey;
-exports.ssoStateKey = ssoStateKey;
-var _core = require("@oxyhq/core");
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-const SSO_CALLBACK_PATH = exports.SSO_CALLBACK_PATH = '/__oxy/sso-callback';
-
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-const SSO_GUARD_TTL_MS = exports.SSO_GUARD_TTL_MS = 30_000;
-const STATE_KEY_PREFIX = 'oxy_sso_state:';
-const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
-const DEST_KEY_PREFIX = 'oxy_sso_dest:';
-const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
-
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-function ssoNavigate(url) {
-  if (typeof window === 'undefined' || typeof window.location === 'undefined') {
-    return;
-  }
-  window.location.assign(url);
-}
-
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-function ssoStateKey(origin) {
-  return `${STATE_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-function ssoGuardKey(origin) {
-  return `${GUARD_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin destination key (the real URL to restore after the callback). */
-function ssoDestKey(origin) {
-  return `${DEST_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-function ssoNoSessionKey(origin) {
-  return `${NO_SESSION_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-function isCentralIdPOrigin(origin) {
-  let centralOrigin;
-  try {
-    centralOrigin = new URL(_core.CENTRAL_AUTH_URL).origin;
-  } catch {
-    return false;
-  }
-  let candidateOrigin;
-  try {
-    candidateOrigin = new URL(origin).origin;
-  } catch {
-    return false;
-  }
-  return candidateOrigin === centralOrigin;
-}
-
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-function guardActive(storage, origin, now) {
-  let raw;
-  try {
-    raw = storage.getItem(ssoGuardKey(origin));
-  } catch {
-    return false;
-  }
-  if (raw === null || raw.length === 0) {
-    return false;
-  }
-  const stamp = Number(raw);
-  if (!Number.isFinite(stamp)) {
-    return false;
-  }
-  return now - stamp < SSO_GUARD_TTL_MS;
-}
-//# sourceMappingURL=ssoBounce.js.map

package/lib/commonjs/ui/utils/ssoBounce.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["_core","require","SSO_CALLBACK_PATH","exports","SSO_GUARD_TTL_MS","STATE_KEY_PREFIX","GUARD_KEY_PREFIX","DEST_KEY_PREFIX","NO_SESSION_KEY_PREFIX","ssoNavigate","url","window","location","assign","ssoStateKey","origin","ssoGuardKey","ssoDestKey","ssoNoSessionKey","isCentralIdPOrigin","centralOrigin","URL","CENTRAL_AUTH_URL","candidateOrigin","guardActive","storage","now","raw","getItem","length","stamp","Number","isFinite"],"sourceRoot":"../../../../src","sources":["ui/utils/ssoBounce.ts"],"mappings":";;;;;;;;;;;;;AAkCA,IAAAA,KAAA,GAAAC,OAAA;AAlCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAIA;AACA;AACA;AACA;AACA;AACO,MAAMC,iBAAiB,GAAAC,OAAA,CAAAD,iBAAA,GAAG,qBAAqB;;AAEtD;AACA;AACA;AACA;AACA;AACA;AACO,MAAME,gBAAgB,GAAAD,OAAA,CAAAC,gBAAA,GAAG,MAAM;AAEtC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,eAAe,GAAG,eAAe;AACvC,MAAMC,qBAAqB,GAAG,qBAAqB;;AAEnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASC,WAAWA,CAACC,GAAW,EAAQ;EAC7C,IAAI,OAAOC,MAAM,KAAK,WAAW,IAAI,OAAOA,MAAM,CAACC,QAAQ,KAAK,WAAW,EAAE;IAC3E;EACF;EACAD,MAAM,CAACC,QAAQ,CAACC,MAAM,CAACH,GAAG,CAAC;AAC7B;;AAEA;AACO,SAASI,WAAWA,CAACC,MAAc,EAAU;EAClD,OAAO,GAAGV,gBAAgB,GAAGU,MAAM,EAAE;AACvC;;AAEA;AACO,SAASC,WAAWA,CAACD,MAAc,EAAU;EAClD,OAAO,GAAGT,gBAAgB,GAAGS,MAAM,EAAE;AACvC;;AAEA;AACO,SAASE,UAAUA,CAACF,MAAc,EAAU;EACjD,OAAO,GAAGR,eAAe,GAAGQ,MAAM,EAAE;AACtC;;AAEA;AACA;AACA;AACA;AACA;AACO,SAASG,eAAeA,CAACH,MAAc,EAAU;EACtD,OAAO,GAAGP,qBAAqB,GAAGO,MAAM,EAAE;AAC5C;;AAEA;AACA;AACA;AACA;AACA;AACO,SAASI,kBAAkBA,CAACJ,MAAc,EAAW;EAC1D,IAAIK,aAAqB;EACzB,IAAI;IACFA,aAAa,GAAG,IAAIC,GAAG,CAACC,sBAAgB,CAAC,CAACP,MAAM;EAClD,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIQ,eAAuB;EAC3B,IAAI;IACFA,eAAe,GAAG,IAAIF,GAAG,CAACN,MAAM,CAAC,CAACA,MAAM;EAC1C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,OAAOQ,eAAe,KAAKH,aAAa;AAC1C;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASI,WAAWA,CAACC,OAAgB,EAAEV,MAAc,EAAEW,GAAW,EAAW;EAClF,IAAIC,GAAkB;EACtB,IAAI;IACFA,GAAG,GAAGF,OAAO,CAACG,OAAO,CAACZ,WAAW,CAACD,MAAM,CAAC,CAAC;EAC5C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIY,GAAG,KAAK,IAAI,IAAIA,GAAG,CAACE,MAAM,KAAK,CAAC,EAAE;IACpC,OAAO,KAAK;EACd;EACA,MAAMC,KAAK,GAAGC,MAAM,CAACJ,GAAG,CAAC;EACzB,IAAI,CAACI,MAAM,CAACC,QAAQ,CAACF,KAAK,CAAC,EAAE;IAC3B,OAAO,KAAK;EACd;EACA,OAAOJ,GAAG,GAAGI,KAAK,GAAG1B,gBAAgB;AACvC","ignoreList":[]}

package/lib/module/ui/utils/ssoBounce.js

@@ -1,148 +0,0 @@
-"use strict";
-
-/**
- * Central cross-domain SSO bounce — per-origin sessionStorage keys and small
- * pure predicates shared by the cold-boot `sso-return` / `sso-bounce` steps and
- * the bfcache `pageshow` re-evaluation.
- *
- * TRUE central SSO (Google/Meta/Clerk style) works like this for a Relying
- * Party (mention.earth, homiio.com, alia.onl, …) with no local session:
- *
- *   1. `sso-bounce` (terminal, once): top-level navigate to
- *      `auth.oxy.so/sso?prompt=none&client_id=<origin>&return_to=<origin>/__oxy/sso-callback&state=<s>`.
- *      Before navigating it records, in this origin's `sessionStorage`, the CSRF
- *      `state`, a guard timestamp (loop breaker), and the real destination URL
- *      to restore after the callback.
- *   2. The central IdP worker reads its first-party `fedcm_session`, mints a
- *      session, stores it under an opaque single-use `code`, and 303-redirects
- *      back to `<origin>/__oxy/sso-callback#oxy_sso=ok&code=<code>&state=<s>`
- *      (or `#oxy_sso=none` / `#oxy_sso=error`).
- *   3. `sso-return` parses the fragment (`parseSsoReturnFragment` from core),
- *      validates `state`, exchanges the `code` via `oxyServices.exchangeSsoCode`,
- *      and commits the session — then restores the original destination.
- *
- * Loop proof (logged-out): first load all steps skip → `sso-bounce` sets
- * guard/state/dest and navigates; the IdP (no central session) returns
- * `#oxy_sso=none`; the callback load's `sso-return` sees `none`, sets the
- * no-session flag, and `sso-bounce` is then disabled. Exactly ONE bounce, no
- * loop. An interrupted bounce (user hit back mid-redirect) self-heals once the
- * 30s guard TTL lapses.
- *
- * All state lives in `sessionStorage` (per tab, cleared on tab close) and is
- * keyed per-origin so two RPs hosted in the same browser never collide. This
- * module is pure with respect to navigation: it only reads/writes
- * `sessionStorage` and parses URLs; it performs no redirects itself.
- */
-
-import { CENTRAL_AUTH_URL } from '@oxyhq/core';
-
-/**
- * The RP callback path the central IdP redirects back to. The SSO result is
- * delivered in the fragment of this URL; `sso-return` consumes it and then
- * restores the user's real destination.
- */
-export const SSO_CALLBACK_PATH = '/__oxy/sso-callback';
-
-/**
- * Self-healing TTL (ms) for the bounce guard. If a bounce is interrupted before
- * the callback lands (e.g. the user navigates back mid-redirect), the guard
- * would otherwise pin the RP signed-out forever. After this window the guard is
- * treated as stale and a fresh single bounce is permitted.
- */
-export const SSO_GUARD_TTL_MS = 30_000;
-const STATE_KEY_PREFIX = 'oxy_sso_state:';
-const GUARD_KEY_PREFIX = 'oxy_sso_guard:';
-const DEST_KEY_PREFIX = 'oxy_sso_dest:';
-const NO_SESSION_KEY_PREFIX = 'oxy_sso_no_session:';
-
-/**
- * Perform the terminal top-level SSO bounce navigation.
- *
- * A thin wrapper over `window.location.assign(url)` so the single navigation
- * seam lives in one place (and stays mockable in tests, where jsdom's
- * `Location.assign` is a non-configurable native method). In production this is
- * exactly `window.location.assign` — the document is torn down and replaced by
- * the central IdP page. Off-browser it is a no-op (native never bounces).
- */
-export function ssoNavigate(url) {
-  if (typeof window === 'undefined' || typeof window.location === 'undefined') {
-    return;
-  }
-  window.location.assign(url);
-}
-
-/** Per-origin CSRF state key (matched on return to defeat fragment forgery). */
-export function ssoStateKey(origin) {
-  return `${STATE_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin bounce guard key (a timestamp; loop breaker + self-heal TTL). */
-export function ssoGuardKey(origin) {
-  return `${GUARD_KEY_PREFIX}${origin}`;
-}
-
-/** Per-origin destination key (the real URL to restore after the callback). */
-export function ssoDestKey(origin) {
-  return `${DEST_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Per-origin "the central IdP has no session for me" key. Set after a
- * `none`/`error` return (or a failed/forged exchange) so `sso-bounce` does not
- * fire again this tab — the definitive loop breaker.
- */
-export function ssoNoSessionKey(origin) {
-  return `${NO_SESSION_KEY_PREFIX}${origin}`;
-}
-
-/**
- * Whether `origin` IS the central IdP origin. We must never bounce while on
- * `auth.oxy.so` itself (it would bounce to itself). Compared by URL origin so a
- * trailing-slash / path difference never defeats the guard.
- */
-export function isCentralIdPOrigin(origin) {
-  let centralOrigin;
-  try {
-    centralOrigin = new URL(CENTRAL_AUTH_URL).origin;
-  } catch {
-    return false;
-  }
-  let candidateOrigin;
-  try {
-    candidateOrigin = new URL(origin).origin;
-  } catch {
-    return false;
-  }
-  return candidateOrigin === centralOrigin;
-}
-
-/**
- * Read the bounce guard and decide whether it is still ACTIVE.
- *
- * Active means: a guard value is present AND it parses to a finite timestamp AND
- * less than {@link SSO_GUARD_TTL_MS} has elapsed since it was set. An active
- * guard disables `sso-bounce` (a bounce is already in flight this tab). A
- * missing, malformed, or expired guard is NOT active, so a fresh bounce may
- * proceed (this is the 30s self-heal for an interrupted bounce).
- *
- * @param storage - The session storage to read (injected for testability).
- * @param origin - The page origin whose guard to evaluate.
- * @param now - Current epoch ms (injected for deterministic tests).
- */
-export function guardActive(storage, origin, now) {
-  let raw;
-  try {
-    raw = storage.getItem(ssoGuardKey(origin));
-  } catch {
-    return false;
-  }
-  if (raw === null || raw.length === 0) {
-    return false;
-  }
-  const stamp = Number(raw);
-  if (!Number.isFinite(stamp)) {
-    return false;
-  }
-  return now - stamp < SSO_GUARD_TTL_MS;
-}
-//# sourceMappingURL=ssoBounce.js.map

package/lib/module/ui/utils/ssoBounce.js.map

@@ -1 +0,0 @@
-{"version":3,"names":["CENTRAL_AUTH_URL","SSO_CALLBACK_PATH","SSO_GUARD_TTL_MS","STATE_KEY_PREFIX","GUARD_KEY_PREFIX","DEST_KEY_PREFIX","NO_SESSION_KEY_PREFIX","ssoNavigate","url","window","location","assign","ssoStateKey","origin","ssoGuardKey","ssoDestKey","ssoNoSessionKey","isCentralIdPOrigin","centralOrigin","URL","candidateOrigin","guardActive","storage","now","raw","getItem","length","stamp","Number","isFinite"],"sourceRoot":"../../../../src","sources":["ui/utils/ssoBounce.ts"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,gBAAgB,QAAQ,aAAa;;AAE9C;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,iBAAiB,GAAG,qBAAqB;;AAEtD;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAgB,GAAG,MAAM;AAEtC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,gBAAgB,GAAG,gBAAgB;AACzC,MAAMC,eAAe,GAAG,eAAe;AACvC,MAAMC,qBAAqB,GAAG,qBAAqB;;AAEnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,WAAWA,CAACC,GAAW,EAAQ;EAC7C,IAAI,OAAOC,MAAM,KAAK,WAAW,IAAI,OAAOA,MAAM,CAACC,QAAQ,KAAK,WAAW,EAAE;IAC3E;EACF;EACAD,MAAM,CAACC,QAAQ,CAACC,MAAM,CAACH,GAAG,CAAC;AAC7B;;AAEA;AACA,OAAO,SAASI,WAAWA,CAACC,MAAc,EAAU;EAClD,OAAO,GAAGV,gBAAgB,GAAGU,MAAM,EAAE;AACvC;;AAEA;AACA,OAAO,SAASC,WAAWA,CAACD,MAAc,EAAU;EAClD,OAAO,GAAGT,gBAAgB,GAAGS,MAAM,EAAE;AACvC;;AAEA;AACA,OAAO,SAASE,UAAUA,CAACF,MAAc,EAAU;EACjD,OAAO,GAAGR,eAAe,GAAGQ,MAAM,EAAE;AACtC;;AAEA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASG,eAAeA,CAACH,MAAc,EAAU;EACtD,OAAO,GAAGP,qBAAqB,GAAGO,MAAM,EAAE;AAC5C;;AAEA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASI,kBAAkBA,CAACJ,MAAc,EAAW;EAC1D,IAAIK,aAAqB;EACzB,IAAI;IACFA,aAAa,GAAG,IAAIC,GAAG,CAACnB,gBAAgB,CAAC,CAACa,MAAM;EAClD,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIO,eAAuB;EAC3B,IAAI;IACFA,eAAe,GAAG,IAAID,GAAG,CAACN,MAAM,CAAC,CAACA,MAAM;EAC1C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,OAAOO,eAAe,KAAKF,aAAa;AAC1C;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASG,WAAWA,CAACC,OAAgB,EAAET,MAAc,EAAEU,GAAW,EAAW;EAClF,IAAIC,GAAkB;EACtB,IAAI;IACFA,GAAG,GAAGF,OAAO,CAACG,OAAO,CAACX,WAAW,CAACD,MAAM,CAAC,CAAC;EAC5C,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;EACA,IAAIW,GAAG,KAAK,IAAI,IAAIA,GAAG,CAACE,MAAM,KAAK,CAAC,EAAE;IACpC,OAAO,KAAK;EACd;EACA,MAAMC,KAAK,GAAGC,MAAM,CAACJ,GAAG,CAAC;EACzB,IAAI,CAACI,MAAM,CAACC,QAAQ,CAACF,KAAK,CAAC,EAAE;IAC3B,OAAO,KAAK;EACd;EACA,OAAOJ,GAAG,GAAGI,KAAK,GAAGzB,gBAAgB;AACvC","ignoreList":[]}