npm - @bsv/sdk - Versions diffs - 1.4.10 → 1.4.12 - Mend

@bsv/sdk 1.4.10 → 1.4.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.4.10",
+  "version": "1.4.12",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",

package/src/auth/clients/AuthFetch.ts CHANGED Viewed

@@ -349,10 +349,11 @@ export class AuthFetch {
     }
     // Construct headers to send / sign:
-    // - Custom headers prefixed with x-bsv are included
-    // - x-bsv-auth headers are not allowed
-    // - content-type and authorization are signed by client
-    const includedHeaders: [string, string][] = []
+    // Ensures clients only provided supported HTTP request headers
+    // - Include custom headers prefixed with x-bsv (excluding those starting with x-bsv-auth)
+    // - Include a normalized version of the content-type header
+    // - Include the authorization header
+    const includedHeaders: Array<[string, string]> = []
     for (let [k, v] of Object.entries(headers)) {
       k = k.toLowerCase() // We will always sign lower-case header keys
       if (k.startsWith('x-bsv-') || k === 'authorization') {
@@ -362,13 +363,16 @@ export class AuthFetch {
         includedHeaders.push([k, v])
       } else if (k.startsWith('content-type')) {
         // Normalize the Content-Type header by removing any parameters (e.g., "; charset=utf-8")
-        v = (v as string).split(';')[0].trim()
+        v = v.split(';')[0].trim()
         includedHeaders.push([k, v])
       } else {
         throw new Error('Unsupported header in the simplified fetch implementation. Only content-type, authorization, and x-bsv-* headers are supported.')
       }
     }
+    // Sort the headers by key to ensure a consistent order for signing and verification.
+    includedHeaders.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
     // nHeaders
     writer.writeVarIntNum(includedHeaders.length)
     for (let i = 0; i < includedHeaders.length; i++) {

package/src/auth/transports/SimplifiedFetchTransport.ts CHANGED Viewed

@@ -152,25 +152,20 @@ export class SimplifiedFetchTransport implements Transport {
       payloadWriter.write(Utils.toArray(response.headers.get('x-bsv-auth-request-id'), 'base64'))
       payloadWriter.writeVarIntNum(response.status)
-      // Filter out headers the server signed:
-      // - Custom headers prefixed with x-bsv are included, except auth
-      // - x-bsv-auth headers are not allowed
-      // - authorization header is signed by the server
+      // PARSE RESPONSE HEADERS FROM SERVER --------------------------------
+      // Parse response headers from the server and include only the signed headers:
+      // - Include custom headers prefixed with x-bsv (excluding those starting with x-bsv-auth)
+      // - Include the authorization header
       const includedHeaders: [string, string][] = []
-      // Collect headers into a raw array for sorting
-      const headersArray: [string, string][] = []
       response.headers.forEach((value, key) => {
         const lowerKey = key.toLowerCase()
-        if (lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') {
-          if (!lowerKey.startsWith('x-bsv-auth')) {
-            headersArray.push([lowerKey, value])
-          }
+        if ((lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') && !lowerKey.startsWith('x-bsv-auth')) {
+          includedHeaders.push([lowerKey, value])
         }
       })
-      // Sort headers explicitly to match server-side order
-      headersArray.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
-      includedHeaders.push(...headersArray)
+      // Sort the headers by key to ensure a consistent order for signing and verification.
+      includedHeaders.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
       // nHeaders
       payloadWriter.writeVarIntNum(includedHeaders.length)

package/src/registry/RegistryClient.ts CHANGED Viewed

@@ -199,6 +199,12 @@ export class RegistryClient {
       throw new Error('Invalid registry record. Missing txid, outputIndex, or lockingScript.')
     }
+    // Check if the registry record belongs to the current user
+    const currentIdentityKey = (await this.wallet.getPublicKey({ identityKey: true })).publicKey
+    if (registryRecord.registryOperator !== currentIdentityKey) {
+      throw new Error('This registry token does not belong to the current wallet.')
+    }
     // Create a descriptive label for the item we’re revoking
     const itemIdentifier =
       registryRecord.definitionType === 'basket'
@@ -421,12 +427,6 @@ export class RegistryClient {
         throw new Error(`Unsupported definition type: ${definitionType as string}`)
     }
-    // Enforce that the pushdrop belongs to the CURRENT identity key
-    const currentIdentityKey = (await this.wallet.getPublicKey({ identityKey: true })).publicKey
-    if (registryOperator !== currentIdentityKey) {
-      throw new Error('This registry token does not belong to the current wallet.')
-    }
     // Return the typed data plus the operator key
     return { ...parsedData, registryOperator }
   }