@avaprotocol/sdk-js 3.2.0 → 3.2.1

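--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @avaprotocol/sdk-js
 
+## 3.2.1
+
+### Patch Changes
+
+- 3ce791f: `buildAuthMessage` now rejects URIs without an explicit `http:` or `https:` scheme.
+
+The WHATWG URL parser accepts strings like `localhost:3000` as valid URLs with scheme `localhost`, so the previous validation (`new URL(uri)` inside a try/catch) let bare authority strings through. A signature scoped to a phantom `localhost:` scheme can't be trusted by anything verifying against the real origin — callers passing such values were getting incorrect behavior.
+
+Existing callers using `http://localhost:3000`, `https://app.example.com`, etc. are unaffected.
+
 ## 3.2.0
 
 ### Minor Changes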
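--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -210,11 +210,22 @@ function buildAuthMessage(input) {
 "buildAuthMessage: uri must be a non-empty string (the origin the user is signing into, e.g. window.location.origin)."
 );
 }
+let parsed;
 try {
-new URL(trimmedUri);
+parsed = new URL(trimmedUri);
 } catch {
 throw new Error(
-"buildAuthMessage: uri must be a valid URL (e.g. window.location.origin)."
+`buildAuthMessage: uri must be a valid URL (got ${JSON.stringify(trimmedUri)}); use the http(s) origin the user is signing into.`
+);
+}
+if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+throw new Error(
+`buildAuthMessage: uri scheme must be http or https (got ${parsed.protocol}); use the origin the user is signing into.`
+);
+}
+if (!parsed.hostname) {
+throw new Error(
+`buildAuthMessage: uri must include a host (got ${JSON.stringify(trimmedUri)}); use the origin the user is signing into.`
 );
 }
 if (!Number.isInteger(input.chainId) || input.chainId <= 0) {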
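Review bot: The `!parsed.hostname` branch is unreachable for the two schemes that survive the check just above it: the WHATWG parser treats `http:` and `https:` as special schemes and throws on an empty host (`new URL("http://")` rejects), so by the time control reaches the hostname test it can't be empty. Either drop the branch or keep it as defence-in-depth with a comment such as `// unreachable for http(s) under WHATWG parsing; kept as a guard in case the scheme list grows`. The identical block appears in dist/index.mjs and dist/v4/auth.js, so whichever choice is made belongs in the single source they are built from. buildAuthMessage starts before and continues after this hunk.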
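--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -162,11 +162,22 @@ function buildAuthMessage(input) {
 "buildAuthMessage: uri must be a non-empty string (the origin the user is signing into, e.g. window.location.origin)."
 );
 }
+let parsed;
 try {
-new URL(trimmedUri);
+parsed = new URL(trimmedUri);
 } catch {
 throw new Error(
-"buildAuthMessage: uri must be a valid URL (e.g. window.location.origin)."
+`buildAuthMessage: uri must be a valid URL (got ${JSON.stringify(trimmedUri)}); use the http(s) origin the user is signing into.`
+);
+}
+if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+throw new Error(
+`buildAuthMessage: uri scheme must be http or https (got ${parsed.protocol}); use the origin the user is signing into.`
+);
+}
+if (!parsed.hostname) {
+throw new Error(
+`buildAuthMessage: uri must include a host (got ${JSON.stringify(trimmedUri)}); use the origin the user is signing into.`
 );
 }
 if (!Number.isInteger(input.chainId) || input.chainId <= 0) {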
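Review bot: Two of the three new error messages echo the caller's full input via `JSON.stringify(trimmedUri)`; an auth helper's exceptions commonly end up in logs or error telemetry, so a caller that mistakenly passes a URL carrying a token in its query string or userinfo has that value copied into those sinks verbatim. Since the message's purpose is to say "this is not an origin", the scheme and host are enough context, e.g. `(got ${parsed.protocol}//${parsed.host})` after parsing succeeds, and a bounded excerpt such as `${JSON.stringify(trimmedUri.slice(0, 64))}` in the parse-failure branch. This is hygiene rather than a defect in the validation itself. buildAuthMessage starts before and continues after this hunk.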
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/v4/auth.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,eAAO,MAAM,aAAa,kLAOT,CAAC;AAElB,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,YAAY,EAAE,MAAM,CAAC;IACrB;;;;;;;;;OASG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;;;;;;OAaG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;;;;;OAMG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,mDAAmD;IACnD,QAAQ,CAAC,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;CACzB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,gBAAgB,CA0C/E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,eAAe,CACnC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,CAAC,qBAAqB,EAAE,cAAc,CAAC,GAAG;IAAE,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7E,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,IAAI,CAAA;CAAE,CAAC,CA4BvF"}
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/v4/auth.ts"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,eAAO,MAAM,aAAa,kLAOT,CAAC;AAElB,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,YAAY,EAAE,MAAM,CAAC;IACrB;;;;;;;;;OASG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;;;;;;OAaG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;;;;;OAMG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,mDAAmD;IACnD,QAAQ,CAAC,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;CACzB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,gBAAgB,CAsD/E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,eAAe,CACnC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,IAAI,CAAC,qBAAqB,EAAE,cAAc,CAAC,GAAG;IAAE,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,GAC7E,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,IAAI,CAAA;CAAE,CAAC,CA4BvF"}
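--- a/package/dist/v4/auth.js
+++ b/package/dist/v4/auth.js
@@ -33,11 +33,19 @@ export function buildAuthMessage(input) {
 if (!trimmedUri) {
 throw new Error("buildAuthMessage: uri must be a non-empty string (the origin the user is signing into, e.g. window.location.origin).");
 }
+// WHATWG URL treats `localhost:3000` as scheme `localhost:` — require an http(s) origin with a host.
+let parsed;
 try {
-new URL(trimmedUri);
+parsed = new URL(trimmedUri);
 }
 catch {
-throw new Error("buildAuthMessage: uri must be a valid URL (e.g. window.location.origin).");
+throw new Error(`buildAuthMessage: uri must be a valid URL (got ${JSON.stringify(trimmedUri)}); use the http(s) origin the user is signing into.`);
+}
+if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+throw new Error(`buildAuthMessage: uri scheme must be http or https (got ${parsed.protocol}); use the origin the user is signing into.`);
+}
+if (!parsed.hostname) {
+throw new Error(`buildAuthMessage: uri must include a host (got ${JSON.stringify(trimmedUri)}); use the origin the user is signing into.`);
 }
 if (!Number.isInteger(input.chainId) || input.chainId <= 0) {
 throw new Error("buildAuthMessage: chainId must be a positive integer (the wallet's currently-connected chain).");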
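Review bot: The new checks still accept `http://user:secret@app.example.com/path?x#y`, because only `parsed.protocol` and `parsed.hostname` are inspected — userinfo, path, query and fragment all pass, even though every error text in the hunk tells the caller to supply an origin. Whatever the message later embeds (presumably `trimmedUri`; that code is outside the hunk) is therefore not constrained to an origin, and embedded credentials would be signed along with it. If origin-only is the intent, reject userinfo explicitly, `if (parsed.username || parsed.password) throw new Error("buildAuthMessage: uri must not contain credentials; use the origin the user is signing into.");`, and consider comparing `parsed.origin` against `trimmedUri` to catch path/query/fragment (noting `origin` lower-cases the host and drops default ports, so that check doubles as a normalization decision). buildAuthMessage starts before and continues after this hunk.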
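--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@avaprotocol/sdk-js",
-"version": "3.2.0",
+"version": "3.2.1",
 "description": "TypeScript SDK for Ava Protocol's AVS REST API. Resource-grouped sub-clients, fetch transport, EIP-191 auth.",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",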