@abraca/dabra 2.21.0 → 2.22.0

package/dist/abracadabra-provider.cjs

@@ -10515,6 +10515,20 @@ var IdentityDocProvider = class extends EventEmitter {
 function fromBase64$3(b64) {
 	return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
 }
+/**
+* Decode a base64url-encoded string (e.g. a JWT header/payload segment) to
+* UTF-8 text. `atob` only accepts standard base64, so we translate the
+* url-safe alphabet (`-`/`_`) and re-pad before decoding — otherwise a
+* perfectly valid token whose payload happens to contain `-` or `_` throws
+* and gets misclassified as invalid/expired.
+*/
+function decodeBase64UrlToString(b64url) {
+	let b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+	const pad = b64.length % 4;
+	if (pad) b64 += "=".repeat(4 - pad);
+	const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+	return new TextDecoder().decode(bytes);
+}
 var AbracadabraClient = class {
 	constructor(config) {
 		this.rootListInflight = /* @__PURE__ */ new Map();
@@ -10542,7 +10556,7 @@ var AbracadabraClient = class {
 		if (!this._token) return false;
 		try {
 			const [, payload] = this._token.split(".");
-			const { exp } = JSON.parse(atob(payload));
+			const { exp } = JSON.parse(decodeBase64UrlToString(payload));
 			return typeof exp === "number" && exp * 1e3 > Date.now();
 		} catch {
 			return false;
@@ -10632,9 +10646,17 @@ var AbracadabraClient = class {
 	async renameKey(keyId, deviceName) {
 		await this.request("PATCH", `/auth/keys/${encodeURIComponent(keyId)}`, { body: { deviceName } });
 	}
-	/** Revoke a public key by its ID. */
+	/**
+	* Revoke a public key by its ID. The server treats this as a panic
+	* action: every outstanding JWT for the account is invalidated (a stolen
+	* device's token must die immediately, and tokens carry no per-key
+	* claim), and a fresh token for THIS session is returned and adopted
+	* automatically — so the device performing the revocation stays
+	* authenticated while every other device silently re-auths.
+	*/
 	async revokeKey(keyId) {
-		await this.request("DELETE", `/auth/keys/${encodeURIComponent(keyId)}`);
+		const res = await this.request("DELETE", `/auth/keys/${encodeURIComponent(keyId)}`);
+		if (res && typeof res === "object" && typeof res.token === "string") this.token = res.token;
 	}
 	/** Create a single-use device invite code for pairing a new device to this account. */
 	async createDeviceInvite(opts) {
@@ -11764,7 +11786,11 @@ var TokenManager = class extends EventEmitter {
 		try {
 			const [, payload] = jwt.split(".");
 			if (!payload) return null;
-			const { exp } = JSON.parse(atob(payload));
+			let b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+			const pad = b64.length % 4;
+			if (pad) b64 += "=".repeat(4 - pad);
+			const json = new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
+			const { exp } = JSON.parse(json);
 			return typeof exp === "number" ? exp : null;
 		} catch {
 			return null;
@@ -15244,7 +15270,10 @@ var FileBlobStore = class FileBlobStore extends EventEmitter {
 */
 const HKDF_INFO = new TextEncoder().encode("abracadabra-dockey-v1");
 function fromBase64$2(b64) {
-	return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+	let normalized = b64.replace(/-/g, "+").replace(/_/g, "/");
+	const pad = normalized.length % 4;
+	if (pad) normalized += "=".repeat(4 - pad);
+	return Uint8Array.from(atob(normalized), (c) => c.charCodeAt(0));
 }
 var DocKeyManager = class DocKeyManager {
 	constructor() {
@@ -15301,7 +15330,7 @@ var DocKeyManager = class DocKeyManager {
 				if (me.publicKey) {
 					const primaryKey = (await client.listUserKeys(me.id))[0];
 					if (primaryKey?.x25519Key) {
-						const x25519Pub = fromBase64$2(primaryKey.x25519Key.replace(/-/g, "+").replace(/_/g, "/"));
+						const x25519Pub = fromBase64$2(primaryKey.x25519Key);
 						const rewrapped = await this.wrapKeyForRecipient(docKey, x25519Pub, docId);
 						const b64 = (() => {
 							let s = "";