@bsv/sdk 1.4.10 → 1.4.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.4.10",
+  "version": "1.4.11",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",

package/src/auth/clients/AuthFetch.ts

@@ -349,10 +349,11 @@ export class AuthFetch {
     }
 
     // Construct headers to send / sign:
-    // - Custom headers prefixed with x-bsv are included
-    // - x-bsv-auth headers are not allowed
-    // - content-type and authorization are signed by client
-    const includedHeaders: [string, string][] = []
+    // Ensures clients only provided supported HTTP request headers
+    // - Include custom headers prefixed with x-bsv (excluding those starting with x-bsv-auth)
+    // - Include a normalized version of the content-type header
+    // - Include the authorization header
+    const includedHeaders: Array<[string, string]> = []
     for (let [k, v] of Object.entries(headers)) {
       k = k.toLowerCase() // We will always sign lower-case header keys
       if (k.startsWith('x-bsv-') || k === 'authorization') {
@@ -362,13 +363,16 @@ export class AuthFetch {
         includedHeaders.push([k, v])
       } else if (k.startsWith('content-type')) {
         // Normalize the Content-Type header by removing any parameters (e.g., "; charset=utf-8")
-        v = (v as string).split(';')[0].trim()
+        v = v.split(';')[0].trim()
         includedHeaders.push([k, v])
       } else {
         throw new Error('Unsupported header in the simplified fetch implementation. Only content-type, authorization, and x-bsv-* headers are supported.')
       }
     }
 
+    // Sort the headers by key to ensure a consistent order for signing and verification.
+    includedHeaders.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
+
     // nHeaders
     writer.writeVarIntNum(includedHeaders.length)
     for (let i = 0; i < includedHeaders.length; i++) {

package/src/auth/transports/SimplifiedFetchTransport.ts

@@ -152,25 +152,20 @@ export class SimplifiedFetchTransport implements Transport {
       payloadWriter.write(Utils.toArray(response.headers.get('x-bsv-auth-request-id'), 'base64'))
       payloadWriter.writeVarIntNum(response.status)
 
-      // Filter out headers the server signed:
-      // - Custom headers prefixed with x-bsv are included, except auth
-      // - x-bsv-auth headers are not allowed
-      // - authorization header is signed by the server
+      // PARSE RESPONSE HEADERS FROM SERVER --------------------------------
+      // Parse response headers from the server and include only the signed headers:
+      // - Include custom headers prefixed with x-bsv (excluding those starting with x-bsv-auth)
+      // - Include the authorization header
       const includedHeaders: [string, string][] = []
-      // Collect headers into a raw array for sorting
-      const headersArray: [string, string][] = []
       response.headers.forEach((value, key) => {
         const lowerKey = key.toLowerCase()
-        if (lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') {
-          if (!lowerKey.startsWith('x-bsv-auth')) {
-            headersArray.push([lowerKey, value])
-          }
+        if ((lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') && !lowerKey.startsWith('x-bsv-auth')) {
+          includedHeaders.push([lowerKey, value])
         }
       })
 
-      // Sort headers explicitly to match server-side order
-      headersArray.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
-      includedHeaders.push(...headersArray)
+      // Sort the headers by key to ensure a consistent order for signing and verification.
+      includedHeaders.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
 
       // nHeaders
       payloadWriter.writeVarIntNum(includedHeaders.length)