@bsv/sdk 1.4.9 → 1.4.11

package/docs/README.md

@@ -7,13 +7,15 @@ The documentation is split into various pages, each covering a set of related fu
 - [Transaction](./transaction.md) — Covers transaction construction, signing, broadcasters, fee models, merkle proofs, and SPV structures like BUMP
 - [Messages](./messages.md) — Covers generalizable message signing, verification, encryption and decryption
 - [TOTP](./totp.md) - Covers Time-based One Time Password, useful for validating counterparties across unsecured mediums.
-- [Wallet](./wallet-substrates.md) - Covers the Wallet Substrates for communication between applications and wallets using a standard interface.
+- [Wallet](./wallet.md) - Covers the Wallet interface for communication between applications and wallets using a standard interface.
+- [Wallet Substrates](./wallet-substrates.md) - Covers the Wallet Substrates which facilitate communication between apps and wallets.
 - [Overlay Tools](./overlay-tools.md) - Covers the use of Overlays for broadcast of transactions based on topics, as well as distributed lookup of tokens.
 - [Auth](./auth.md) - Mutual Authentication and Service Monetization Framework
+- [Storage](./storage.md) — Covers a UHRP client for storing and retrieving data from distributed data storage services by hash.
 - [Compat](./compat.md) — Covers deprecated functionality for legacy systems like BIP32 and ECIES
 
 ## Swagger
 
 [BRC-100](https://brc.dev/100) defines a Unified, Vendor-Neutral, Unchanging, and Open BSV Blockchain Standard Wallet-to-Application Interface which is implemented in this library within the WalletClient class. The API is laid out here as a swagger openapi document to offer a fast-track to understanding the interface which is implemented across multiple substrates. The JSON api is generally considered a developer friendly introduction to the WalletClient, where an binary equivalent ABI may be preferred for production use cases.
 
-- [Wallet JSON API Swagger](./swagger)
+- [Wallet JSON API Swagger](./swagger)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.4.9",
+  "version": "1.4.11",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",

package/src/auth/clients/AuthFetch.ts

@@ -349,22 +349,30 @@ export class AuthFetch {
     }
 
     // Construct headers to send / sign:
-    // - Custom headers prefixed with x-bsv are included
-    // - x-bsv-auth headers are not allowed
-    // - content-type and authorization are signed by client
-    const includedHeaders: [string, string][] = []
+    // Ensures clients only provided supported HTTP request headers
+    // - Include custom headers prefixed with x-bsv (excluding those starting with x-bsv-auth)
+    // - Include a normalized version of the content-type header
+    // - Include the authorization header
+    const includedHeaders: Array<[string, string]> = []
     for (let [k, v] of Object.entries(headers)) {
       k = k.toLowerCase() // We will always sign lower-case header keys
-      if (k.startsWith('x-bsv-') || k === 'content-type' || k === 'authorization') {
+      if (k.startsWith('x-bsv-') || k === 'authorization') {
         if (k.startsWith('x-bsv-auth')) {
           throw new Error('No BSV auth headers allowed here!')
         }
         includedHeaders.push([k, v])
+      } else if (k.startsWith('content-type')) {
+        // Normalize the Content-Type header by removing any parameters (e.g., "; charset=utf-8")
+        v = v.split(';')[0].trim()
+        includedHeaders.push([k, v])
       } else {
         throw new Error('Unsupported header in the simplified fetch implementation. Only content-type, authorization, and x-bsv-* headers are supported.')
       }
     }
 
+    // Sort the headers by key to ensure a consistent order for signing and verification.
+    includedHeaders.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
+
     // nHeaders
     writer.writeVarIntNum(includedHeaders.length)
     for (let i = 0; i < includedHeaders.length; i++) {

package/src/auth/transports/SimplifiedFetchTransport.ts

@@ -152,25 +152,20 @@ export class SimplifiedFetchTransport implements Transport {
       payloadWriter.write(Utils.toArray(response.headers.get('x-bsv-auth-request-id'), 'base64'))
       payloadWriter.writeVarIntNum(response.status)
 
-      // Filter out headers the server signed:
-      // - Custom headers prefixed with x-bsv are included, except auth
-      // - x-bsv-auth headers are not allowed
-      // - authorization header is signed by the server
+      // PARSE RESPONSE HEADERS FROM SERVER --------------------------------
+      // Parse response headers from the server and include only the signed headers:
+      // - Include custom headers prefixed with x-bsv (excluding those starting with x-bsv-auth)
+      // - Include the authorization header
       const includedHeaders: [string, string][] = []
-      // Collect headers into a raw array for sorting
-      const headersArray: [string, string][] = []
       response.headers.forEach((value, key) => {
         const lowerKey = key.toLowerCase()
-        if (lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') {
-          if (!lowerKey.startsWith('x-bsv-auth')) {
-            headersArray.push([lowerKey, value])
-          }
+        if ((lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') && !lowerKey.startsWith('x-bsv-auth')) {
+          includedHeaders.push([lowerKey, value])
         }
       })
 
-      // Sort headers explicitly to match server-side order
-      headersArray.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
-      includedHeaders.push(...headersArray)
+      // Sort the headers by key to ensure a consistent order for signing and verification.
+      includedHeaders.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
 
       // nHeaders
       payloadWriter.writeVarIntNum(includedHeaders.length)