@arcblock/did-connect-core 4.0.1 → 4.0.3

package/dist/index.cjs

@@ -0,0 +1,1378 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ConnectError: () => ConnectError,
+  DEFAULTS: () => DEFAULTS,
+  DID_PREFIX: () => DID_PREFIX,
+  ERROR_CODES: () => ERROR_CODES,
+  EmailFlow: () => EmailFlow,
+  FetchHttpAdapter: () => FetchHttpAdapter,
+  OAuthFlow: () => OAuthFlow,
+  PasskeyFlow: () => PasskeyFlow,
+  STORAGE_KEYS: () => STORAGE_KEYS,
+  SessionManager: () => SessionManager,
+  TERMINAL_STATUSES: () => TERMINAL_STATUSES,
+  TOKEN_STATUS: () => TOKEN_STATUS,
+  TokenSession: () => TokenSession,
+  VERSION: () => VERSION,
+  buildActionPrefix: () => buildActionPrefix,
+  decodeConnectUrl: () => decodeConnectUrl,
+  encodeConnectUrl: () => encodeConnectUrl,
+  getApiErrorMessage: () => getApiErrorMessage,
+  getBrowserLocale: () => getBrowserLocale,
+  getConnectedInfo: () => getConnectedInfo,
+  getDidChainLabel: () => getDidChainLabel,
+  getDidDisplayParts: () => getDidDisplayParts,
+  getWebAuthnErrorMessage: () => getWebAuthnErrorMessage,
+  isEthereumDid: () => isEthereumDid,
+  openPopup: () => openPopup,
+  parseNextWorkflow: () => parseNextWorkflow,
+  parseTokenFromUrl: () => parseTokenFromUrl,
+  stringifyParams: () => stringifyParams,
+  truncateDid: () => truncateDid,
+  waitForPopupMessage: () => waitForPopupMessage
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/constants.ts
+var TOKEN_STATUS = {
+  CREATED: "created",
+  SCANNED: "scanned",
+  SUCCEED: "succeed",
+  ERROR: "error",
+  TIMEOUT: "timeout",
+  BUSY: "busy",
+  FORBIDDEN: "forbidden"
+};
+var TERMINAL_STATUSES = /* @__PURE__ */ new Set(["succeed", "error", "timeout"]);
+var DEFAULTS = {
+  API_PREFIX: "/api/did",
+  SERVICE_PREFIX: "/.well-known/service",
+  ACTION: "login",
+  TOKEN_TIMEOUT: 3e5,
+  CHECK_INTERVAL: 2e3,
+  TOKEN_KEY: "_t_",
+  TOKEN_DELIVERY: "cookie",
+  CREATE_THROTTLE: 500,
+  AUTO_CHECK_INTERVAL: 6e4
+};
+var STORAGE_KEYS = {
+  SESSION_TOKEN: "login_token",
+  REFRESH_TOKEN: "refresh_token",
+  ENC_KEY: "__encKey",
+  DEC_KEY: "__decKey",
+  CSRF_TOKEN: "x-csrf-token",
+  CONNECTED_DID: "connected_did",
+  CONNECTED_PK: "connected_pk",
+  CONNECTED_APP: "connected_app",
+  CONNECTED_WALLET_OS: "connected_wallet_os"
+};
+
+// src/did-display.ts
+var DID_PREFIX = "did:abt:";
+function isEthereumDid(did) {
+  if (!did || typeof did !== "string") return false;
+  const address = did.replace(DID_PREFIX, "");
+  return /^(0x)?[0-9a-f]{40}$/i.test(address);
+}
+function truncateDid(did, startChars = 8, endChars = 6) {
+  if (!did || typeof did !== "string") return "";
+  if (did.length <= startChars + endChars + 3) return did;
+  return `${did.slice(0, startChars)}...${did.slice(-endChars)}`;
+}
+function getDidChainLabel(did) {
+  return isEthereumDid(did) ? "ETH" : "ABT";
+}
+function getDidDisplayParts(did, options = {}) {
+  if (!did || typeof did !== "string") {
+    return { prefix: "DID: ABT:", chainLabel: "ABT", address: "", compact: "", copyText: "" };
+  }
+  const { startChars = 8, endChars = 6 } = options;
+  const isEth = isEthereumDid(did);
+  const address = did.replace(DID_PREFIX, "");
+  const chainLabel = isEth ? "ETH" : "ABT";
+  const includePrefix = options.includePrefix ?? !isEth;
+  return {
+    prefix: `DID: ${chainLabel}:`,
+    chainLabel,
+    address,
+    compact: truncateDid(address, startChars, endChars),
+    copyText: includePrefix ? `${DID_PREFIX}${address}` : address
+  };
+}
+
+// src/errors.ts
+var ERROR_CODES = {
+  TOKEN_EXPIRED: "TOKEN_EXPIRED",
+  TOKEN_NOT_FOUND: "TOKEN_NOT_FOUND",
+  TOKEN_TIMEOUT: "TOKEN_TIMEOUT",
+  ALREADY_EXIST: "ALREADY_EXIST",
+  ALREADY_BIND: "ALREADY_BIND",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  INVALID_RESPONSE: "INVALID_RESPONSE",
+  UNAUTHORIZED: "UNAUTHORIZED",
+  FORBIDDEN: "FORBIDDEN"
+};
+var ConnectError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "ConnectError";
+    this.code = code;
+  }
+};
+
+// src/email-flow.ts
+var EmailFlow = class {
+  _servicePrefix;
+  _http;
+  constructor(config, http) {
+    this._servicePrefix = config.servicePrefix ?? DEFAULTS.SERVICE_PREFIX;
+    this._http = http;
+  }
+  /**
+   * Send a verification code to the given email address.
+   * POST {servicePrefix}/api/email/sendCode
+   * Returns { id: string } — the code ID for subsequent checkStatus.
+   */
+  async sendCode(email, locale) {
+    if (email == null) {
+      throw new ConnectError(ERROR_CODES.INVALID_RESPONSE, "Email is required");
+    }
+    const url = `${this._servicePrefix}/api/email/sendCode`;
+    return this._http.post(url, { email, locale });
+  }
+  /**
+   * Check verification code status.
+   * GET {servicePrefix}/api/email/status?codeId=...
+   */
+  async checkStatus(codeId) {
+    if (!codeId) {
+      throw new ConnectError(ERROR_CODES.INVALID_RESPONSE, "codeId is required");
+    }
+    const url = `${this._servicePrefix}/api/email/status`;
+    return this._http.get(url, {
+      params: { codeId }
+    });
+  }
+  /**
+   * Login with verification code or magic token.
+   * POST {servicePrefix}/api/email/login
+   * Returns AuthResult (same shape as OAuth login).
+   */
+  async login(params) {
+    const url = `${this._servicePrefix}/api/email/login`;
+    return this._http.post(url, params);
+  }
+};
+
+// src/fetch-adapter.ts
+var FetchHttpAdapter = class {
+  _defaultHeaders;
+  _onRequest;
+  constructor(options) {
+    this._defaultHeaders = options?.headers ?? {};
+    this._onRequest = options?.onRequest;
+  }
+  async get(url, options) {
+    this._validateUrl(url);
+    const queryString = options?.params ? this._serializeParams(options.params) : "";
+    const fullUrl = queryString ? `${url}${url.includes("?") ? "&" : "?"}${queryString}` : url;
+    const headers = {
+      ...this._defaultHeaders,
+      ...options?.headers
+    };
+    let init = {
+      method: "GET",
+      headers,
+      signal: options?.signal
+    };
+    if (this._onRequest) {
+      init = this._onRequest(fullUrl, init);
+    }
+    return this._execute(fullUrl, init);
+  }
+  async post(url, body, options) {
+    this._validateUrl(url);
+    const queryString = options?.params ? this._serializeParams(options.params) : "";
+    const fullUrl = queryString ? `${url}${url.includes("?") ? "&" : "?"}${queryString}` : url;
+    const headers = {
+      "Content-Type": "application/json",
+      ...this._defaultHeaders,
+      ...options?.headers
+    };
+    let init = {
+      method: "POST",
+      headers,
+      body: body !== void 0 ? JSON.stringify(body) : void 0,
+      signal: options?.signal
+    };
+    if (this._onRequest) {
+      init = this._onRequest(fullUrl, init);
+    }
+    return this._execute(fullUrl, init);
+  }
+  _validateUrl(url) {
+    if (!url?.trim()) {
+      throw new ConnectError(ERROR_CODES.NETWORK_ERROR, "Request URL must not be empty");
+    }
+    if (url.trim().toLowerCase().startsWith("javascript:")) {
+      throw new ConnectError(ERROR_CODES.NETWORK_ERROR, "Invalid URL protocol");
+    }
+  }
+  async _execute(url, init) {
+    let response;
+    try {
+      response = await globalThis.fetch(url, init);
+    } catch (err) {
+      if (err?.name === "AbortError") {
+        throw err;
+      }
+      throw new ConnectError(ERROR_CODES.NETWORK_ERROR, `Network request failed: ${err?.message ?? "Unknown error"}`);
+    }
+    if (!response.ok) {
+      let errorMessage = "";
+      let errorCode = "";
+      try {
+        const body = await response.text();
+        try {
+          const json = JSON.parse(body);
+          if (json.error) errorMessage = json.error;
+          if (json.code) errorCode = json.code;
+        } catch {
+          errorMessage = body;
+        }
+      } catch {
+      }
+      const code = errorCode === "FORBIDDEN" ? ERROR_CODES.FORBIDDEN : ERROR_CODES.NETWORK_ERROR;
+      throw new ConnectError(
+        code,
+        errorMessage || `HTTP ${response.status} ${response.statusText || "Error"}`
+      );
+    }
+    if (response.status === 204) {
+      return null;
+    }
+    const text = await response.text();
+    if (!text.trim()) {
+      return null;
+    }
+    const contentType = response.headers.get("content-type") ?? "";
+    if (!contentType.includes("application/json") && !contentType.includes("+json")) {
+      throw new ConnectError(ERROR_CODES.INVALID_RESPONSE, `Expected JSON response but received: ${contentType || "unknown content type"}`);
+    }
+    try {
+      return JSON.parse(text);
+    } catch {
+      throw new ConnectError(ERROR_CODES.INVALID_RESPONSE, "Failed to parse JSON response");
+    }
+  }
+  _serializeParams(params) {
+    const parts = [];
+    for (const key of Object.keys(params)) {
+      const value = params[key];
+      if (value === null || value === void 0) {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        for (const item of value) {
+          if (item === null || item === void 0) {
+            continue;
+          }
+          parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(item))}`);
+        }
+      } else if (typeof value === "boolean") {
+        parts.push(`${encodeURIComponent(key)}=${value ? "true" : "false"}`);
+      } else {
+        parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(value))}`);
+      }
+    }
+    return parts.join("&");
+  }
+};
+
+// src/oauth-flow.ts
+var OAuthFlow = class {
+  _servicePrefix;
+  _http;
+  constructor(config, http) {
+    this._servicePrefix = config.servicePrefix ?? DEFAULTS.SERVICE_PREFIX;
+    this._http = http;
+  }
+  /**
+   * Fetch enabled OAuth providers.
+   * GET {servicePrefix}/api/oauth/configs
+   * Response: { providers: OAuthProvider[] }
+   */
+  async getProviders() {
+    const url = `${this._servicePrefix}/api/oauth/configs`;
+    const res = await this._http.get(url);
+    if (!res || !Array.isArray(res.providers)) {
+      return [];
+    }
+    return res.providers;
+  }
+  /**
+   * Exchange an OAuth authorization code for a session.
+   * POST {servicePrefix}/api/oauth/login
+   */
+  async exchangeCode(provider, code, params) {
+    if (code == null) {
+      throw new ConnectError(ERROR_CODES.INVALID_RESPONSE, "OAuth code is required");
+    }
+    const url = `${this._servicePrefix}/api/oauth/login`;
+    return this._http.post(url, { provider, code, ...params });
+  }
+  /**
+   * Bind an OAuth account to the current user.
+   * POST {servicePrefix}/api/oauth/bind
+   */
+  async bind(provider, code, params) {
+    const url = `${this._servicePrefix}/api/oauth/bind`;
+    return this._http.post(url, { provider, code, ...params });
+  }
+  /**
+   * Unbind an OAuth account.
+   * POST {servicePrefix}/api/oauth/unbind
+   */
+  async unbind(provider, accountDid) {
+    const url = `${this._servicePrefix}/api/oauth/unbind`;
+    return this._http.post(url, { provider, accountDid });
+  }
+  /**
+   * Fetch available OAuth passports (switchable accounts).
+   * GET {servicePrefix}/api/oauth/passports
+   */
+  async getPassports() {
+    const url = `${this._servicePrefix}/api/oauth/passports`;
+    const res = await this._http.get(url);
+    return Array.isArray(res) ? res : [];
+  }
+};
+
+// src/passkey-flow.ts
+var PasskeyFlow = class {
+  _servicePrefix;
+  _http;
+  constructor(config, http) {
+    this._servicePrefix = config.servicePrefix ?? DEFAULTS.SERVICE_PREFIX;
+    this._http = http;
+  }
+  /**
+   * Get WebAuthn registration options (challenge, etc.).
+   * GET {servicePrefix}/api/passkey/register
+   */
+  async getRegisterOptions(params) {
+    const url = `${this._servicePrefix}/api/passkey/register`;
+    return this._http.get(url, { params });
+  }
+  /**
+   * Submit a registration credential.
+   * POST {servicePrefix}/api/passkey/register?challenge=...
+   */
+  async submitRegistration(credential, params) {
+    if (credential == null) {
+      throw new ConnectError(ERROR_CODES.INVALID_RESPONSE, "Credential is required");
+    }
+    const url = `${this._servicePrefix}/api/passkey/register`;
+    return this._http.post(url, credential, { params });
+  }
+  /**
+   * Get WebAuthn authentication options (challenge, etc.).
+   * GET {servicePrefix}/api/passkey/auth
+   */
+  async getAuthOptions(params) {
+    const url = `${this._servicePrefix}/api/passkey/auth`;
+    return this._http.get(url, { params });
+  }
+  /**
+   * Submit an authentication credential.
+   * POST {servicePrefix}/api/passkey/auth?challenge=...&targetAppPid=...
+   */
+  async submitAuthentication(credential, params) {
+    if (credential == null) {
+      throw new ConnectError(ERROR_CODES.INVALID_RESPONSE, "Credential is required");
+    }
+    const url = `${this._servicePrefix}/api/passkey/auth`;
+    return this._http.post(url, credential, { params });
+  }
+  /**
+   * Fetch passkey passport list.
+   * GET {servicePrefix}/api/passkey/passports
+   */
+  async getPassports() {
+    const url = `${this._servicePrefix}/api/passkey/passports`;
+    const res = await this._http.get(url);
+    return Array.isArray(res) ? res : [];
+  }
+};
+
+// src/session-manager.ts
+var SessionManager = class {
+  // -- state ----------------------------------------------------------------
+  _state = {
+    user: null,
+    loading: false,
+    error: null,
+    initialized: false
+  };
+  // -- deps -----------------------------------------------------------------
+  _config;
+  _http;
+  _storage;
+  // -- token keys -----------------------------------------------------------
+  _tokenKey;
+  _refreshTokenKey;
+  // -- auto-check -----------------------------------------------------------
+  _autoCheckTimer = null;
+  _autoCheckInterval;
+  // -- events ---------------------------------------------------------------
+  _listeners = /* @__PURE__ */ new Map();
+  // -- concurrency ----------------------------------------------------------
+  _refreshing = null;
+  // -- lifecycle ------------------------------------------------------------
+  _destroyed = false;
+  // =========================================================================
+  // Constructor
+  // =========================================================================
+  constructor(config, http, storage, options) {
+    this._config = {
+      ...config,
+      apiPrefix: config.apiPrefix ?? DEFAULTS.API_PREFIX,
+      action: config.action ?? DEFAULTS.ACTION,
+      servicePrefix: config.servicePrefix ?? DEFAULTS.SERVICE_PREFIX,
+      tokenTimeout: config.tokenTimeout ?? DEFAULTS.TOKEN_TIMEOUT,
+      checkInterval: config.checkInterval ?? DEFAULTS.CHECK_INTERVAL,
+      tokenDelivery: config.tokenDelivery ?? DEFAULTS.TOKEN_DELIVERY
+    };
+    this._http = http;
+    this._storage = storage;
+    this._tokenKey = options?.tokenKey ?? STORAGE_KEYS.SESSION_TOKEN;
+    this._refreshTokenKey = options?.refreshTokenKey ?? STORAGE_KEYS.REFRESH_TOKEN;
+    this._autoCheckInterval = options?.autoCheckInterval ?? DEFAULTS.AUTO_CHECK_INTERVAL;
+  }
+  // =========================================================================
+  // Public getters
+  // =========================================================================
+  get state() {
+    return this._state;
+  }
+  // =========================================================================
+  // Public methods
+  // =========================================================================
+  /**
+   * Fetch the current session from the server.
+   *
+   * The server may rotate tokens transparently — if `nextToken` /
+   * `nextRefreshToken` are present in the response they are persisted and
+   * a `tokenRefreshed` event is emitted.
+   */
+  async getSession() {
+    const url = `${this._config.apiPrefix}/session`;
+    const token = this._storage.get(this._tokenKey);
+    const headers = {};
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    try {
+      const res = await this._http.get(url, { headers });
+      if (res.nextToken) {
+        this._storage.set(this._tokenKey, res.nextToken);
+      }
+      if (res.nextRefreshToken) {
+        this._storage.set(this._refreshTokenKey, res.nextRefreshToken);
+      }
+      if (res.nextToken || res.nextRefreshToken) {
+        this._emit("tokenRefreshed");
+      }
+      const user = res.user ?? null;
+      this._setState({ user, error: null });
+      this._emit("userChange", user);
+      return user;
+    } catch (err) {
+      if (_isUnauthorized(err)) {
+        try {
+          await this.refreshSession();
+          return await this._getSessionDirect();
+        } catch {
+        }
+      }
+      const message = _errorMessage(err);
+      this._setState({ error: message });
+      this._emit("error", new ConnectError(ERROR_CODES.NETWORK_ERROR, message));
+      return null;
+    }
+  }
+  /**
+   * Refresh the session token using the stored refresh token.
+   *
+   * Concurrent calls are de-duplicated: only the first caller performs the
+   * network request; subsequent callers await the same promise.
+   */
+  async refreshSession() {
+    if (this._refreshing !== null) {
+      await this._refreshing;
+      return;
+    }
+    let resolve;
+    let _reject;
+    this._refreshing = new Promise((res, rej) => {
+      resolve = res;
+      _reject = rej;
+    });
+    try {
+      const refreshToken = this._storage.get(this._refreshTokenKey);
+      if (!refreshToken) {
+        await this.logout();
+        resolve();
+        return;
+      }
+      const url = `${this._config.apiPrefix}/refreshSession`;
+      const res = await this._http.post(url, null, {
+        headers: { Authorization: `Bearer ${refreshToken}` }
+      });
+      const newToken = res.token ?? res.sessionToken;
+      const newRefreshToken = res.refreshToken;
+      if (newToken) {
+        this._storage.set(this._tokenKey, newToken);
+      }
+      if (newRefreshToken) {
+        this._storage.set(this._refreshTokenKey, newRefreshToken);
+      }
+      this._emit("tokenRefreshed");
+      resolve();
+    } catch (_err) {
+      await this.logout();
+      resolve();
+    } finally {
+      this._refreshing = null;
+    }
+  }
+  /**
+   * Clear tokens and reset session state.
+   */
+  async logout() {
+    try {
+      this._storage.remove(this._tokenKey);
+    } catch {
+    }
+    try {
+      this._storage.remove(this._refreshTokenKey);
+    } catch {
+    }
+    this._setState({ user: null, error: null });
+    this._emit("logout");
+    this._emit("userChange", null);
+  }
+  /**
+   * Whether a user is currently authenticated.
+   */
+  isAuthenticated() {
+    return this._state.user !== null;
+  }
+  /**
+   * Restore session from storage on startup.
+   *
+   * Typically called once during application bootstrap. Sets `initialized`
+   * to `true` when complete regardless of outcome.
+   */
+  async restore() {
+    this._setState({ loading: true });
+    try {
+      const token = this._storage.get(this._tokenKey);
+      if (token) {
+        await this.getSession();
+      } else {
+        this._setState({ user: null });
+      }
+    } catch {
+    } finally {
+      this._setState({ initialized: true, loading: false });
+      this._emit("userChange", this._state.user);
+    }
+  }
+  /**
+   * Start a periodic timer that checks whether the current token is past
+   * its midlife point and proactively refreshes it.
+   */
+  startAutoCheck() {
+    if (this._autoCheckTimer !== null) {
+      this.stopAutoCheck();
+    }
+    this._autoCheckTimer = setInterval(() => {
+      this._checkToken();
+    }, this._autoCheckInterval);
+  }
+  /**
+   * Stop the periodic auto-check timer.
+   */
+  stopAutoCheck() {
+    if (this._autoCheckTimer !== null) {
+      clearInterval(this._autoCheckTimer);
+      this._autoCheckTimer = null;
+    }
+  }
+  /**
+   * Tear down the manager. Idempotent — safe to call multiple times.
+   */
+  destroy() {
+    if (this._destroyed) {
+      return;
+    }
+    this.stopAutoCheck();
+    this._listeners.clear();
+    this._destroyed = true;
+  }
+  // =========================================================================
+  // Event methods
+  // =========================================================================
+  /**
+   * Register an event handler. Returns `this` for chaining.
+   */
+  on(event, handler) {
+    let set = this._listeners.get(event);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      this._listeners.set(event, set);
+    }
+    set.add(handler);
+    return this;
+  }
+  /**
+   * Remove a previously registered event handler. Returns `this` for chaining.
+   */
+  off(event, handler) {
+    const set = this._listeners.get(event);
+    if (set) {
+      set.delete(handler);
+      if (set.size === 0) {
+        this._listeners.delete(event);
+      }
+    }
+    return this;
+  }
+  // =========================================================================
+  // Private helpers
+  // =========================================================================
+  /**
+   * Emit an event to all registered listeners.
+   */
+  _emit(event, ...args) {
+    const set = this._listeners.get(event);
+    if (!set) return;
+    for (const handler of set) {
+      try {
+        handler(...args);
+      } catch {
+      }
+    }
+  }
+  /**
+   * Merge a partial state update into `_state`.
+   */
+  _setState(patch) {
+    this._state = { ...this._state, ...patch };
+  }
+  /**
+   * Direct HTTP call for session — used as the single retry path after
+   * refreshSession() to avoid infinite recursion through getSession().
+   */
+  async _getSessionDirect() {
+    const url = `${this._config.apiPrefix}/session`;
+    const token = this._storage.get(this._tokenKey);
+    const headers = {};
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    const res = await this._http.get(url, { headers });
+    if (res.nextToken) {
+      this._storage.set(this._tokenKey, res.nextToken);
+    }
+    if (res.nextRefreshToken) {
+      this._storage.set(this._refreshTokenKey, res.nextRefreshToken);
+    }
+    if (res.nextToken || res.nextRefreshToken) {
+      this._emit("tokenRefreshed");
+    }
+    const user = res.user ?? null;
+    this._setState({ user, error: null });
+    this._emit("userChange", user);
+    return user;
+  }
+  /**
+   * Check whether the current token is past its midlife and, if so,
+   * proactively trigger a refresh.
+   *
+   * "Midlife" means more than half of the token's lifetime has elapsed:
+   *   `(exp - now) < (now - iat)`
+   */
+  _checkToken() {
+    let token;
+    try {
+      token = this._storage.get(this._tokenKey);
+    } catch {
+      return;
+    }
+    if (!token) return;
+    const payload = this._decodeJwt(token);
+    if (!payload) return;
+    const { exp, iat } = payload;
+    if (exp == null || iat == null) return;
+    const now = Math.floor(Date.now() / 1e3);
+    if (exp - now < now - iat) {
+      void this.refreshSession();
+    }
+  }
+  /**
+   * Decode a JWT payload without verifying the signature.
+   *
+   * Security hardening:
+   * - Rejects payloads larger than 1 MB after decode (OOM protection)
+   * - Strips `__proto__` from parsed object (prototype pollution prevention)
+   *
+   * @returns Parsed payload or `null` on any failure.
+   */
+  _decodeJwt(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) return null;
+      const payload = parts[1];
+      let base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+      const padLength = (4 - base64.length % 4) % 4;
+      base64 += "=".repeat(padLength);
+      const decoded = atob(base64);
+      if (decoded.length > 1048576) return null;
+      const parsed = JSON.parse(decoded);
+      if ("__proto__" in parsed) {
+        delete parsed.__proto__;
+      }
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
+};
+function _isUnauthorized(err) {
+  if (err == null || typeof err !== "object") return false;
+  const e = err;
+  if (e.response && typeof e.response === "object" && e.response.status === 401) return true;
+  if (e.status === 401) return true;
+  if (e.statusCode === 401) return true;
+  if (typeof e.message === "string" && /\b401\b/.test(e.message)) return true;
+  return false;
+}
+function _errorMessage(err) {
+  if (err instanceof Error) return err.message;
+  if (typeof err === "string") return err;
+  return "Unknown error";
+}
+
+// src/utils.ts
+function encodeConnectUrl(url) {
+  if (url == null) {
+    throw new TypeError("encodeConnectUrl: input must not be null or undefined");
+  }
+  if (url === "") return "";
+  const base64 = btoa(unescape(encodeURIComponent(url)));
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function decodeConnectUrl(encoded) {
+  if (encoded == null) {
+    throw new TypeError("decodeConnectUrl: input must not be null or undefined");
+  }
+  if (encoded === "") return "";
+  try {
+    let base64 = encoded.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = base64.length % 4;
+    if (pad === 2) base64 += "==";
+    else if (pad === 3) base64 += "=";
+    else if (pad === 1) base64 += "===";
+    return decodeURIComponent(escape(atob(base64)));
+  } catch {
+    return "";
+  }
+}
+function parseTokenFromUrl(url, tokenKey) {
+  if (!url) return null;
+  const key = tokenKey || DEFAULTS.TOKEN_KEY;
+  try {
+    const parsed = new URL(url, "http://placeholder");
+    return parsed.searchParams.get(key) ?? null;
+  } catch {
+    return null;
+  }
+}
+function parseNextWorkflow(url, tokenKey) {
+  if (!url) return null;
+  const token = parseTokenFromUrl(url, tokenKey);
+  if (!token) return null;
+  try {
+    const parsed = new URL(url, "http://placeholder");
+    const key = tokenKey || DEFAULTS.TOKEN_KEY;
+    parsed.searchParams.delete(key);
+    const isAbsolute = /^https?:\/\//i.test(url);
+    const nextUrl = isAbsolute ? parsed.toString() : `${parsed.pathname}${parsed.search}`;
+    return { nextUrl, token };
+  } catch {
+    return null;
+  }
+}
+function getApiErrorMessage(err, defaultMsg) {
+  const fallback = defaultMsg || "Unknown error";
+  if (!err) return fallback;
+  try {
+    const data = err?.response?.data;
+    if (data) {
+      if (typeof data.error === "string" && data.error) return data.error;
+      if (typeof data.message === "string" && data.message) return data.message;
+    }
+    if (typeof err.message === "string" && err.message) return err.message;
+  } catch {
+  }
+  return fallback;
+}
+var WEBAUTHN_ERROR_MAP = {
+  NotAllowedError: "The operation was cancelled or timed out. Please try again.",
+  SecurityError: "The operation is not allowed in this context (check your domain or HTTPS settings).",
+  InvalidStateError: "This authenticator is already registered. Please use a different one.",
+  NotSupportedError: "This browser or device does not support the requested credential type.",
+  AbortError: "The operation was aborted.",
+  ConstraintError: "The authenticator does not meet the required constraints.",
+  UnknownError: "An unknown error occurred with the authenticator.",
+  NetworkError: "A network error occurred during the WebAuthn operation.",
+  DataError: "The provided data is invalid for a WebAuthn operation.",
+  TimeoutError: "The operation timed out. Please try again."
+};
+function getWebAuthnErrorMessage(err, defaultMsg) {
+  if (!err) return defaultMsg || "Unknown error";
+  const name = err.name;
+  if (typeof name === "string" && name in WEBAUTHN_ERROR_MAP) {
+    return WEBAUTHN_ERROR_MAP[name];
+  }
+  return getApiErrorMessage(err, defaultMsg);
+}
+function getBrowserLocale() {
+  try {
+    if (typeof navigator !== "undefined" && navigator.language) {
+      return navigator.language;
+    }
+  } catch {
+  }
+  return "en";
+}
+function openPopup(url, options) {
+  if (typeof window === "undefined" || typeof window.open !== "function") {
+    return null;
+  }
+  if (/^\s*javascript\s*:/i.test(url)) {
+    throw new Error("openPopup: javascript: URLs are not allowed");
+  }
+  const width = options?.width ?? 480;
+  const height = options?.height ?? 640;
+  const left = Math.round((window.screen.width - width) / 2);
+  const top = Math.round((window.screen.height - height) / 2);
+  const features = `width=${width},height=${height},left=${left},top=${top},resizable=yes,scrollbars=yes,status=yes`;
+  const popup = window.open(url, "_blank", features);
+  return popup ?? null;
+}
+function waitForPopupMessage(popup, options) {
+  const timeout = options?.timeout ?? 3e5;
+  const origin = options?.origin;
+  return new Promise((resolve, reject) => {
+    let timer;
+    let pollTimer;
+    function cleanup() {
+      if (typeof window !== "undefined") {
+        window.removeEventListener("message", onMessage);
+      }
+      if (timer !== void 0) clearTimeout(timer);
+      if (pollTimer !== void 0) clearInterval(pollTimer);
+    }
+    function onMessage(event) {
+      if (origin && event.origin !== origin) return;
+      if (event.source !== popup) return;
+      cleanup();
+      resolve(event.data);
+    }
+    if (typeof window === "undefined") {
+      reject(new Error("waitForPopupMessage: not in a browser environment"));
+      return;
+    }
+    window.addEventListener("message", onMessage);
+    timer = setTimeout(() => {
+      cleanup();
+      reject(new Error("waitForPopupMessage: timed out"));
+    }, timeout);
+    pollTimer = setInterval(() => {
+      try {
+        if (popup.closed) {
+          cleanup();
+          reject(new Error("waitForPopupMessage: popup was closed"));
+        }
+      } catch {
+      }
+    }, 500);
+  });
+}
+function buildActionPrefix(config) {
+  const apiPrefix = config.apiPrefix ?? DEFAULTS.API_PREFIX;
+  const action = config.action ?? DEFAULTS.ACTION;
+  const prefix = apiPrefix.replace(/\/+$/, "");
+  const act = action.replace(/^\/+/, "");
+  return `${prefix}/${act}`;
+}
+function stringifyParams(params) {
+  const parts = [];
+  const keys = Object.keys(params);
+  for (let i = 0; i < keys.length; i++) {
+    const key = keys[i];
+    const value = params[key];
+    if (value == null) continue;
+    if (Array.isArray(value)) {
+      for (let j = 0; j < value.length; j++) {
+        const item = value[j];
+        if (item == null) continue;
+        parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(item))}`);
+      }
+    } else if (typeof value === "boolean") {
+      parts.push(`${encodeURIComponent(key)}=${value ? "true" : "false"}`);
+    } else {
+      parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(value))}`);
+    }
+  }
+  return parts.join("&");
+}
+function getConnectedInfo(storage) {
+  return {
+    did: storage.get(STORAGE_KEYS.CONNECTED_DID) ?? void 0,
+    pk: storage.get(STORAGE_KEYS.CONNECTED_PK) ?? void 0,
+    app: storage.get(STORAGE_KEYS.CONNECTED_APP) ?? void 0,
+    walletOS: storage.get(STORAGE_KEYS.CONNECTED_WALLET_OS) ?? void 0
+  };
+}
+
+// src/token-session.ts
+function makeInitialState() {
+  return {
+    token: null,
+    url: null,
+    status: null,
+    error: null,
+    appInfo: null,
+    memberAppInfo: null,
+    loading: false
+  };
+}
+var TokenSession = class {
+  // -- State --
+  _state;
+  _config;
+  _http;
+  // -- Polling --
+  _pollTimer = null;
+  _checkCount = 0;
+  _maxCheckCount;
+  // -- Realtime --
+  _realtimeUnsub = null;
+  _realtime;
+  // -- Storage --
+  _storage;
+  // -- Throttle --
+  _lastCreateTime = 0;
+  // -- Hand-rolled EventEmitter --
+  _listeners = /* @__PURE__ */ new Map();
+  // -- Lifecycle --
+  _destroyed = false;
+  // --------------------------------------------------------------------------
+  // Constructor
+  // --------------------------------------------------------------------------
+  constructor(config, http, options) {
+    this._config = this._fillDefaults(config);
+    this._http = http;
+    this._realtime = options?.realtime;
+    this._storage = options?.storage;
+    this._state = makeInitialState();
+    if (this._config.checkInterval <= 0) {
+      this._maxCheckCount = Infinity;
+    } else {
+      this._maxCheckCount = Math.ceil(
+        this._config.tokenTimeout / this._config.checkInterval
+      );
+    }
+  }
+  // --------------------------------------------------------------------------
+  // Public getters
+  // --------------------------------------------------------------------------
+  /** Return a shallow read-only copy of the current state. */
+  get state() {
+    return Object.freeze({ ...this._state });
+  }
+  // --------------------------------------------------------------------------
+  // Public methods
+  // --------------------------------------------------------------------------
+  /**
+   * Create a new connect token via the server.
+   *
+   * Throttled: calls within 500 ms of each other are silently ignored.
+   * Any active polling is stopped before the request is made.
+   */
+  async create(params) {
+    if (Date.now() - this._lastCreateTime < DEFAULTS.CREATE_THROTTLE) {
+      return this.state;
+    }
+    if (this._pollTimer !== null || this._realtimeUnsub !== null) {
+      this.stopPolling();
+    }
+    this._state.loading = true;
+    this._emit("statusChange", this.state);
+    const url = `${buildActionPrefix(this._config)}/token`;
+    const queryParams = {};
+    if (params) {
+      if (params.locale != null) queryParams.locale = params.locale;
+      if (params.provider != null) {
+        queryParams.provider = params.provider;
+      } else {
+        queryParams.provider = "wallet";
+      }
+      if (params.encKey != null) queryParams.__encKey = params.encKey;
+      if (params.autoConnect != null) queryParams.autoConnect = params.autoConnect;
+      if (params.visitorId != null) queryParams.visitorId = params.visitorId;
+      if (params.sourceToken != null) queryParams.sourceToken = params.sourceToken;
+      if (params.forceConnected != null) queryParams.forceConnected = params.forceConnected;
+      if (params.connectUrl != null) queryParams.connectUrl = params.connectUrl;
+      if (params.extraParams) {
+        Object.assign(queryParams, params.extraParams);
+      }
+    } else {
+      queryParams.provider = "wallet";
+    }
+    try {
+      const response = await this._http.get(url, {
+        params: queryParams
+      });
+      this._state.token = response.token ?? null;
+      this._state.url = response.url ?? null;
+      this._state.status = TOKEN_STATUS.CREATED;
+      this._state.appInfo = response.appInfo ?? null;
+      this._state.memberAppInfo = response.memberAppInfo ?? null;
+      this._state.loading = false;
+      this._state.error = null;
+      this._state.successResult = void 0;
+      this._state.connectedDid = void 0;
+      this._state.mfaCode = void 0;
+      this._state.saveConnect = void 0;
+      this._lastCreateTime = Date.now();
+      this._emit("statusChange", this.state);
+      return this.state;
+    } catch (err) {
+      this._state.loading = false;
+      this._state.error = err?.message ?? "Failed to create token";
+      this._state.status = TOKEN_STATUS.ERROR;
+      this._emit("statusChange", this.state);
+      this._emit("error", new ConnectError(ERROR_CODES.NETWORK_ERROR, this._state.error));
+      throw err;
+    }
+  }
+  /**
+   * Check the current token status against the server.
+   *
+   * Throws if no token has been created yet.
+   */
+  async checkStatus() {
+    if (!this._state.token) {
+      throw new ConnectError(
+        ERROR_CODES.TOKEN_NOT_FOUND,
+        "No token available. Call create() first."
+      );
+    }
+    const url = `${buildActionPrefix(this._config)}/status`;
+    const params = {
+      [DEFAULTS.TOKEN_KEY]: this._state.token
+    };
+    if (this._config.appPid) {
+    }
+    try {
+      const response = await this._http.get(url, { params });
+      const status = response.status;
+      if (status) this._state.status = status;
+      if (response.error !== void 0) this._state.error = response.error;
+      if (response.connectedDid !== void 0) this._state.connectedDid = response.connectedDid;
+      if (response.mfaCode !== void 0) this._state.mfaCode = response.mfaCode;
+      if (response.saveConnect !== void 0) this._state.saveConnect = response.saveConnect;
+      if (status === TOKEN_STATUS.FORBIDDEN) {
+        this._state.status = TOKEN_STATUS.ERROR;
+        this._state.error = response.error || "Access forbidden";
+        this._emit("error", new ConnectError(ERROR_CODES.UNAUTHORIZED, this._state.error));
+        this.stopPolling();
+      } else if (status === TOKEN_STATUS.SUCCEED) {
+        if (this._config.tokenDelivery === "response") {
+          this._state.successResult = response;
+        }
+        this._emit("succeed", this.state);
+        this.stopPolling();
+      } else if (status === TOKEN_STATUS.ERROR) {
+        this._emit(
+          "error",
+          new ConnectError(ERROR_CODES.INVALID_RESPONSE, this._state.error || "Unknown error")
+        );
+        this.stopPolling();
+      } else if (status === TOKEN_STATUS.TIMEOUT) {
+        this._emit("timeout", this.state);
+        this.stopPolling();
+      }
+      this._emit("statusChange", this.state);
+      return this.state;
+    } catch (err) {
+      throw err;
+    }
+  }
+  /**
+   * Cancel the current token by notifying the server, then stop polling.
+   *
+   * Silently returns if there is no active token.
+   */
+  async cancel() {
+    if (!this._state.token) return;
+    const url = `${buildActionPrefix(this._config)}/timeout`;
+    const params = {
+      [DEFAULTS.TOKEN_KEY]: this._state.token
+    };
+    try {
+      await this._http.get(url, { params });
+    } catch {
+    }
+    this.stopPolling();
+  }
+  /**
+   * Begin polling for status updates.
+   *
+   * If a RealtimeAdapter was provided, subscribes to the realtime channel
+   * instead of interval polling. Falls back to interval on subscription error.
+   */
+  startPolling() {
+    if (!this._state.token) return;
+    this._checkCount = 0;
+    if (this._realtime) {
+      try {
+        const channel = `relay:${this._config.appPid}:${this._state.token}`;
+        this._realtimeUnsub = this._realtime.subscribe(channel, (data) => {
+          this._handleRealtimeMessage(data);
+        });
+        return;
+      } catch {
+        this._realtimeUnsub = null;
+      }
+    }
+    if (this._config.checkInterval > 0) {
+      this._pollTimer = setInterval(() => {
+        this._pollOnce();
+      }, this._config.checkInterval);
+    }
+  }
+  /**
+   * Stop all polling — clears interval timer and realtime subscription.
+   */
+  stopPolling() {
+    if (this._pollTimer !== null) {
+      clearInterval(this._pollTimer);
+      this._pollTimer = null;
+    }
+    if (this._realtimeUnsub) {
+      this._realtimeUnsub();
+      this._realtimeUnsub = null;
+    }
+  }
+  /**
+   * Reset the session to its initial state.
+   *
+   * Stops polling and clears all token data, but preserves event listeners.
+   */
+  reset() {
+    this.stopPolling();
+    this._state = makeInitialState();
+    this._checkCount = 0;
+  }
+  /**
+   * Permanently tear down this session.
+   *
+   * Idempotent — subsequent calls are no-ops. Clears listeners, stops polling,
+   * and nulls out token data.
+   */
+  destroy() {
+    if (this._destroyed) return;
+    this.stopPolling();
+    this._state.token = null;
+    this._state.successResult = void 0;
+    this._listeners.clear();
+    this._destroyed = true;
+  }
+  // --------------------------------------------------------------------------
+  // Event methods (hand-rolled EventEmitter)
+  // --------------------------------------------------------------------------
+  /**
+   * Register an event handler. Returns `this` for chaining.
+   *
+   * Events:
+   * - `statusChange` — fired on every state mutation, payload: `TokenState`
+   * - `succeed`      — token auth completed successfully, payload: `TokenState`
+   * - `error`        — an error occurred, payload: `ConnectError`
+   * - `timeout`      — token or poll timed out, payload: `TokenState`
+   */
+  on(event, handler) {
+    let set = this._listeners.get(event);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      this._listeners.set(event, set);
+    }
+    set.add(handler);
+    return this;
+  }
+  /**
+   * Remove an event handler. Returns `this` for chaining.
+   */
+  off(event, handler) {
+    const set = this._listeners.get(event);
+    if (set) {
+      set.delete(handler);
+      if (set.size === 0) {
+        this._listeners.delete(event);
+      }
+    }
+    return this;
+  }
+  // --------------------------------------------------------------------------
+  // Private methods
+  // --------------------------------------------------------------------------
+  /** Emit an event to all registered handlers. */
+  _emit(event, ...args) {
+    const set = this._listeners.get(event);
+    if (!set || set.size === 0) return;
+    for (const handler of [...set]) {
+      try {
+        handler(...args);
+      } catch {
+      }
+    }
+  }
+  /** Single poll tick — called by setInterval. */
+  _pollOnce() {
+    this._checkCount++;
+    if (this._checkCount >= this._maxCheckCount) {
+      this._handleTimeout();
+      return;
+    }
+    this.checkStatus().catch(() => {
+    });
+  }
+  /** Handle poll timeout (max iterations reached). */
+  _handleTimeout() {
+    this.stopPolling();
+    this._state.status = TOKEN_STATUS.TIMEOUT;
+    this._emit("timeout", this.state);
+    this._emit("statusChange", this.state);
+  }
+  /** Handle an incoming realtime message for the subscribed token channel. */
+  _handleRealtimeMessage(data) {
+    if (!data || typeof data !== "object") return;
+    const status = data.status;
+    if (!status) return;
+    this._state.status = status;
+    if (data.error !== void 0) this._state.error = data.error;
+    if (data.connectedDid !== void 0) this._state.connectedDid = data.connectedDid;
+    if (data.mfaCode !== void 0) this._state.mfaCode = data.mfaCode;
+    if (data.saveConnect !== void 0) this._state.saveConnect = data.saveConnect;
+    if (status === TOKEN_STATUS.FORBIDDEN) {
+      this._state.status = TOKEN_STATUS.ERROR;
+      this._state.error = data.error || "Access forbidden";
+      this._emit("error", new ConnectError(ERROR_CODES.UNAUTHORIZED, this._state.error));
+      this.stopPolling();
+    } else if (status === TOKEN_STATUS.SUCCEED) {
+      if (this._config.tokenDelivery === "response") {
+        this._state.successResult = data;
+      }
+      this._emit("succeed", this.state);
+      this.stopPolling();
+    } else if (status === TOKEN_STATUS.ERROR) {
+      this._emit(
+        "error",
+        new ConnectError(ERROR_CODES.INVALID_RESPONSE, this._state.error || "Unknown error")
+      );
+      this.stopPolling();
+    } else if (status === TOKEN_STATUS.TIMEOUT) {
+      this._emit("timeout", this.state);
+      this.stopPolling();
+    }
+    this._emit("statusChange", this.state);
+  }
+  /** Fill optional ConnectConfig fields with DEFAULTS. */
+  _fillDefaults(config) {
+    return {
+      appPid: config.appPid,
+      appName: config.appName,
+      appDescription: config.appDescription ?? "",
+      appIcon: config.appIcon ?? "",
+      appUrl: config.appUrl ?? "",
+      apiPrefix: config.apiPrefix ?? DEFAULTS.API_PREFIX,
+      action: config.action ?? DEFAULTS.ACTION,
+      servicePrefix: config.servicePrefix ?? DEFAULTS.SERVICE_PREFIX,
+      tokenTimeout: config.tokenTimeout ?? DEFAULTS.TOKEN_TIMEOUT,
+      checkInterval: config.checkInterval ?? DEFAULTS.CHECK_INTERVAL,
+      tokenDelivery: config.tokenDelivery ?? DEFAULTS.TOKEN_DELIVERY
+    };
+  }
+};
+
+// src/index.ts
+var VERSION = "4.0.0-beta.0";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ConnectError,
+  DEFAULTS,
+  DID_PREFIX,
+  ERROR_CODES,
+  EmailFlow,
+  FetchHttpAdapter,
+  OAuthFlow,
+  PasskeyFlow,
+  STORAGE_KEYS,
+  SessionManager,
+  TERMINAL_STATUSES,
+  TOKEN_STATUS,
+  TokenSession,
+  VERSION,
+  buildActionPrefix,
+  decodeConnectUrl,
+  encodeConnectUrl,
+  getApiErrorMessage,
+  getBrowserLocale,
+  getConnectedInfo,
+  getDidChainLabel,
+  getDidDisplayParts,
+  getWebAuthnErrorMessage,
+  isEthereumDid,
+  openPopup,
+  parseNextWorkflow,
+  parseTokenFromUrl,
+  stringifyParams,
+  truncateDid,
+  waitForPopupMessage
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcblock/did-connect-core",
-  "version": "4.0.1",
+  "version": "4.0.3",
   "description": "Framework-agnostic DID Connect protocol client — types, state machines, adapters",
   "type": "module",
   "main": "./dist/index.js",
@@ -8,7 +8,8 @@
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.js"
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
     },
     "./ui": {
       "types": "./dist/ui/index.d.ts",
@@ -29,7 +30,7 @@
     "qrcode-generator": "^2.0.4"
   },
   "scripts": {
-    "build": "tsc && node build-ui.mjs",
+    "build": "tsc && node build-ui.mjs && esbuild src/index.ts --bundle --format=cjs --platform=node --target=node20 --outfile=dist/index.cjs",
     "lint": "biome check src/",
     "test": "vitest run",
     "test:coverage": "vitest run --coverage",