@0xmonaco/react 0.8.4 → 0.8.7-develop.0e951a5

package/dist/hooks/useAuth/types.d.ts

@@ -1,4 +1,4 @@
-import type { AuthState, ChallengeResponse, TokenRefreshResponse } from "@0xmonaco/types";
+import type { AuthState, ChallengeResponse, SessionRefreshResponse } from "@0xmonaco/types";
 import type { AuthenticationStatus } from "../../provider";
 export interface UseAuthState {
     /** Current authentication status */
@@ -6,25 +6,30 @@ export interface UseAuthState {
 }
 export interface UseAuthReturn extends UseAuthState {
     /**
-     * Complete authentication flow. Returns AuthState with accessToken and refreshToken.
+     * Complete authentication flow. Generates a session keypair, has the wallet
+     * authorize it, and returns the AuthState (including the session keypair).
      * @param options - Optional configuration
      * @param options.connectWebSocket - Auto-connect all authenticated WebSocket channels after login (currently Orders) (default: false)
      */
     login: (options?: {
         connectWebSocket?: boolean;
     }) => Promise<AuthState>;
-    /** Logout user and clear state. Revokes the refresh token on the server. */
+    /** Logout user and clear state. Revokes the session on the server. */
     logout: () => Promise<void>;
-    /** Refresh authentication tokens using the stored refresh token. */
+    /** Refresh the current session, extending its expiry. */
     refreshAuth: () => Promise<AuthState>;
     /** Sign a challenge message with the connected wallet. */
     signChallenge: (message: string) => Promise<string>;
-    /** Create authentication challenge for the given address. */
-    createChallenge: (address: string) => Promise<ChallengeResponse>;
-    /** Complete authentication with signature. Returns tokens. */
+    /**
+     * Create an authentication challenge for the given address, binding the
+     * provided session public key. Advanced/manual flow — most callers should
+     * use `login`/`authenticate`, which manage the keypair for you.
+     */
+    createChallenge: (address: string, sessionPublicKey: string) => Promise<ChallengeResponse>;
+    /** Complete authentication with signature. Returns the AuthState. */
     authenticate: () => Promise<AuthState>;
-    /** Refresh access token. Pass the refreshToken from authState. */
-    refreshToken: (refreshToken: string) => Promise<TokenRefreshResponse>;
-    /** Revoke the current session's refresh token on the server. */
-    revokeToken: () => Promise<void>;
+    /** Extend the current session's expiry (signed with the active session key). */
+    refreshSession: () => Promise<SessionRefreshResponse>;
+    /** Revoke the current session on the server. */
+    revokeSession: () => Promise<void>;
 }

package/dist/hooks/useAuth/useAuth.js

@@ -65,14 +65,16 @@ export const useAuth = () => {
             throw new Error("Message is required and cannot be empty");
         return await sdk.auth.signChallenge(message);
     }, [sdk]);
-    const createChallenge = useCallback(async (address) => {
+    const createChallenge = useCallback(async (address, sessionPublicKey) => {
         if (!sdk)
             throw new Error("SDK not available");
         if (!address?.trim())
             throw new Error("Address is required and cannot be empty");
+        if (!sessionPublicKey?.trim())
+            throw new Error("Session public key is required and cannot be empty");
         if (!clientId?.trim())
             throw new Error("Client ID is required and cannot be empty");
-        return await sdk.auth.createChallenge(address, clientId);
+        return await sdk.auth.createChallenge(address, clientId, sessionPublicKey);
     }, [sdk, clientId]);
     const authenticate = useCallback(async () => {
         if (!sdk)
@@ -84,26 +86,19 @@ export const useAuth = () => {
             const result = await sdk.auth.authenticate(clientId);
             const authenticated = sdk.isAuthenticated();
             setAuthenticationStatus(authenticated ? AuthenticationStatus.AUTHENTICATED : AuthenticationStatus.UNAUTHENTICATED);
-            return {
-                accessToken: result.accessToken,
-                refreshToken: result.refreshToken,
-                expiresAt: result.expiresAt,
-                user: result.user,
-            };
+            return result;
         }
         catch (error) {
             setAuthenticationStatus(AuthenticationStatus.UNAUTHENTICATED);
             throw error;
         }
     }, [sdk, clientId, setAuthenticationStatus]);
-    const refreshToken = useCallback(async (token) => {
+    const refreshSession = useCallback(async () => {
         if (!sdk)
             throw new Error("SDK not available");
-        if (!token?.trim())
-            throw new Error("Refresh token is required and cannot be empty");
         setAuthenticationStatus(AuthenticationStatus.AUTHENTICATING);
         try {
-            const result = await sdk.auth.refreshToken(token);
+            const result = await sdk.auth.refreshSession();
             const authenticated = sdk.isAuthenticated();
             setAuthenticationStatus(authenticated ? AuthenticationStatus.AUTHENTICATED : AuthenticationStatus.UNAUTHENTICATED);
             return result;
@@ -113,12 +108,12 @@ export const useAuth = () => {
             throw error;
         }
     }, [sdk, setAuthenticationStatus]);
-    const revokeToken = useCallback(async () => {
+    const revokeSession = useCallback(async () => {
         if (!sdk)
             throw new Error("SDK not available");
         setAuthenticationStatus(AuthenticationStatus.AUTHENTICATING);
         try {
-            await sdk.auth.revokeToken();
+            await sdk.auth.revokeSession();
             const authenticated = sdk.isAuthenticated();
             setAuthenticationStatus(authenticated ? AuthenticationStatus.AUTHENTICATED : AuthenticationStatus.UNAUTHENTICATED);
         }
@@ -133,10 +128,10 @@ export const useAuth = () => {
         // Primary auth actions
         login,
         logout,
-        // Token management
+        // Session management
         refreshAuth,
-        refreshToken,
-        revokeToken,
+        refreshSession,
+        revokeSession,
         // Low-level auth functions
         authenticate,
         signChallenge,

package/dist/hooks/useTokenLifecycle/useTokenLifecycle.js

@@ -53,8 +53,8 @@ export const useTokenLifecycle = (sdk, config = {}) => {
             return refreshPromiseRef.current;
         }
         const currentAuthState = currentAuthStateRef.current;
-        if (!currentAuthState?.refreshToken) {
-            console.warn("No refresh token available for token refresh");
+        if (!currentAuthState) {
+            console.warn("No active session available for refresh");
             return null;
         }
         const refreshPromise = (async () => {

package/dist/hooks/useUserMovements/useUserMovements.js

@@ -75,7 +75,7 @@ export function useUserMovements(options = {}) {
         sdk.profile
             .getPaginatedUserMovements({ page_size: requestLimit, entry_type, transaction_type, asset_id })
             .then(async (response) => {
-            // Combine latest_movements (from Redis) with movements (from PostgreSQL)
+            // Combine latest_movements (from the live engine cache) with movements (from PostgreSQL)
             // latest_movements contains real-time data that may not yet be in PostgreSQL
             // Deduplicate by id, preferring latest_movements (newer data)
             const latestMovements = (response.latest_movements || []).map((m) => ledgerMovementToEvent(m, userId));

package/dist/hooks/useUserOrders/useUserOrders.js

@@ -25,7 +25,7 @@ export function useUserOrders(maxOrders = 50) {
                 page: 1,
                 page_size: maxOrders,
             });
-            // Combine latest_orders (from Redis) with orders (from PostgreSQL)
+            // Combine latest_orders (from the live engine cache) with orders (from PostgreSQL)
             // latest_orders contains real-time data that may not yet be in PostgreSQL
             // Deduplicate by id, preferring latest_orders (newer data)
             const latestOrders = response.latest_orders || [];

package/dist/utils/tokenStorage.d.ts

@@ -2,14 +2,18 @@ import type { AuthState } from "@0xmonaco/types";
 /**
  * Save auth state to localStorage
  *
- * @security This function stores authentication tokens (including refresh tokens) in localStorage,
- * which is accessible to any JavaScript running on the page. This makes tokens vulnerable to XSS attacks.
+ * @security This function stores the session keypair (including the private
+ * key) in localStorage, which is accessible to any JavaScript running on the
+ * page. This is the same XSS exposure as the previous JWT-based scheme — an
+ * attacker who can read localStorage can act as the user until the session
+ * expires either way.
  *
  * Security recommendations:
  * - Implement Content Security Policy (CSP) headers to mitigate XSS risks
  * - Sanitize all user input to prevent XSS vulnerabilities
  * - Consider the tradeoffs: localStorage provides persistence across sessions but sacrifices XSS protection
- * - For high-security requirements, consider httpOnly cookies (requires backend changes)
+ * - For higher-security requirements, back the session key with a
+ *   non-extractable WebCrypto key (out of scope for this default helper)
  *
  * @param authState - The authentication state to persist
  */

package/dist/utils/tokenStorage.js

@@ -5,22 +5,26 @@ const STORAGE_KEY = "monaco_auth_state";
 /**
  * Save auth state to localStorage
  *
- * @security This function stores authentication tokens (including refresh tokens) in localStorage,
- * which is accessible to any JavaScript running on the page. This makes tokens vulnerable to XSS attacks.
+ * @security This function stores the session keypair (including the private
+ * key) in localStorage, which is accessible to any JavaScript running on the
+ * page. This is the same XSS exposure as the previous JWT-based scheme — an
+ * attacker who can read localStorage can act as the user until the session
+ * expires either way.
  *
  * Security recommendations:
  * - Implement Content Security Policy (CSP) headers to mitigate XSS risks
  * - Sanitize all user input to prevent XSS vulnerabilities
  * - Consider the tradeoffs: localStorage provides persistence across sessions but sacrifices XSS protection
- * - For high-security requirements, consider httpOnly cookies (requires backend changes)
+ * - For higher-security requirements, back the session key with a
+ *   non-extractable WebCrypto key (out of scope for this default helper)
  *
  * @param authState - The authentication state to persist
  */
 export function saveAuthState(authState) {
     try {
         const data = JSON.stringify({
-            accessToken: authState.accessToken,
-            refreshToken: authState.refreshToken,
+            sessionPublicKey: authState.sessionPublicKey,
+            sessionPrivateKey: authState.sessionPrivateKey,
             expiresAt: authState.expiresAt,
             user: authState.user,
         });
@@ -41,10 +45,10 @@ export function loadAuthState() {
             return null;
         const parsed = JSON.parse(data);
         // Validate required fields and types
-        if (typeof parsed.accessToken !== "string" ||
-            parsed.accessToken.length === 0 ||
-            typeof parsed.refreshToken !== "string" ||
-            parsed.refreshToken.length === 0 ||
+        if (typeof parsed.sessionPublicKey !== "string" ||
+            parsed.sessionPublicKey.length === 0 ||
+            typeof parsed.sessionPrivateKey !== "string" ||
+            parsed.sessionPrivateKey.length === 0 ||
             typeof parsed.expiresAt !== "number" ||
             !Number.isFinite(parsed.expiresAt) ||
             parsed.expiresAt <= 0 ||
@@ -58,8 +62,8 @@ export function loadAuthState() {
             return null;
         }
         return {
-            accessToken: parsed.accessToken,
-            refreshToken: parsed.refreshToken,
+            sessionPublicKey: parsed.sessionPublicKey,
+            sessionPrivateKey: parsed.sessionPrivateKey,
             expiresAt: parsed.expiresAt,
             user: parsed.user,
         };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@0xmonaco/react",
-	"version": "0.8.4",
+	"version": "0.8.7-develop.0e951a5",
 	"type": "module",
 	"repository": {
 		"type": "git",
@@ -20,8 +20,8 @@
 		"lint": "biome lint ."
 	},
 	"dependencies": {
-		"@0xmonaco/core": "0.8.4",
-		"@0xmonaco/types": "0.8.4"
+		"@0xmonaco/core": "0.8.7-develop.0e951a5",
+		"@0xmonaco/types": "0.8.7-develop.0e951a5"
 	},
 	"devDependencies": {
 		"@types/react": "^19.1.12",
@@ -29,8 +29,8 @@
 	},
 	"peerDependencies": {
 		"react": "^17.0.0 || ^18.0.0 || ^19.0.0",
-		"wagmi": "^2.0.0 || ^3.0.0",
-		"viem": "^2.45.2"
+		"viem": "^2.45.2",
+		"wagmi": "^2.0.0 || ^3.0.0"
 	},
 	"exports": {
 		".": {