@dynamic-labs-sdk/client 0.17.1 → 0.17.3

package/dist/index.esm.js

@@ -1,10 +1,10 @@
-import { A as randomString, B as version, C as InvalidExternalAuthError, D as isCookieEnabled, F as setDefaultClient, L as BaseError, N as NONCE_POOL_SIZE, O as assertDefined, P as getDefaultClient, R as getCore, S as LinkCredentialError, a as DYNAMIC_ICONIC_SPRITE_URL, b as MfaRateLimitedError, c as CHAINS_INFO_MAP, d as UnauthorizedError, g as createStorageKeySchema, j as CLIENT_SDK_NAME, k as ValueMustBeDefinedError, l as fetchAndStoreNonces, o as SDK_API_CORE_VERSION, s as getChainFromVerifiedCredentialChain, t as InvalidParamError, u as createApiClient, v as getNonce, w as APIError, x as MfaInvalidOtpError, y as SandboxMaximumThresholdReachedError, z as name } from "./InvalidParamError-3-1rSNtf.esm.js";
-import { A as isEqualShallow, C as isServerSideRendering, D as REFRESH_USER_STATE_FROM_COOKIE_TRACKER_KEY, E as INITIALIZE_STORAGE_SYNC_TRACKER_KEY, N as createLocalStorageAdapter, O as generateSessionKeys, S as createDeferredPromise, T as GENERATE_SESSION_KEYS_TRACKER_KEY, _ as NoNetworkProvidersError, a as updateWalletProviderKeysForVerifiedCredentials, c as createSignInMessageStatement, d as createVisit, f as hasExtension, g as WalletAlreadyLinkedToAnotherUserError, h as isCaptchaRequired, i as getNetworksData, j as createStorage, k as subscribeWithSelector, l as formatSignInMessage, m as consumeCaptchaToken, o as verifyMessageSignatureOwnership, p as setCaptchaToken, s as removeUnverifiedWalletAccount, t as getNetworkProviderFromNetworkId, u as setUnverifiedWalletAccounts, v as createLogger, w as FETCH_PROJECT_SETTINGS_TRACKER_KEY, x as CannotTrackError, y as createCrossTabBroadcast } from "./getNetworkProviderFromNetworkId-C7jp--76.esm.js";
-import { D as onceEvent, E as onEvent, O as setCookie, S as splitWalletProviderKey, T as offEvent, _ as getWalletAccounts, b as formatWalletAccountId, c as getWalletProviders, d as DYNAMIC_AUTH_COOKIE_NAME, f as getWalletProviderFromWalletAccount, g as NoWalletProviderFoundError, i as restoreUserSharesForAllWalletAccounts, l as checkAndRaiseWalletAccountsChangedEvent, n as getWalletProviderByKey, r as updateAuthFromVerifyResponse, t as getVerifiedCredentialForWalletAccount, u as emitWalletAccountsChangedEvent, w as emitEvent, x as normalizeAddress } from "./getVerifiedCredentialForWalletAccount-DLtDL1Gl.esm.js";
-import { n as refreshAuth, t as NotWaasWalletAccountError } from "./NotWaasWalletAccountError-DVIcEgHJ.esm.js";
-import { n as getMfaMethods, r as consumeMfaToken, t as isMfaRequiredForAction } from "./isMfaRequiredForAction-CPTFDCJp.esm.js";
+import { A as NONCE_POOL_SIZE, D as randomString, E as ValueMustBeDefinedError, F as getCore, I as name, L as version, M as setDefaultClient, O as CLIENT_SDK_NAME, P as BaseError, S as getElevatedAccessToken, T as assertDefined, _ as MfaRateLimitedError, a as DYNAMIC_ICONIC_SPRITE_URL, b as InvalidExternalAuthError, c as CHAINS_INFO_MAP, d as UnauthorizedError, g as SandboxMaximumThresholdReachedError, h as getNonce, j as getDefaultClient, l as fetchAndStoreNonces, o as SDK_API_CORE_VERSION, s as getChainFromVerifiedCredentialChain, t as InvalidParamError, u as createApiClient, v as MfaInvalidOtpError, w as isCookieEnabled, x as APIError, y as LinkCredentialError } from "./InvalidParamError-C8bqZx25.esm.js";
+import { A as getBuffer, C as CannotTrackError, D as INITIALIZE_STORAGE_SYNC_TRACKER_KEY, E as GENERATE_SESSION_KEYS_TRACKER_KEY, F as createLocalStorageAdapter, I as subscribeWithSelector, L as isEqualShallow, M as createStorageKeySchema, N as createStorage, O as REFRESH_USER_STATE_FROM_COOKIE_TRACKER_KEY, T as FETCH_PROJECT_SETTINGS_TRACKER_KEY, _ as NoNetworkProvidersError, a as updateWalletProviderKeysForVerifiedCredentials, b as createLogger, c as createSignInMessageStatement, d as createVisit, f as hasExtension, g as WalletAlreadyLinkedToAnotherUserError, h as isCaptchaRequired, i as getNetworksData, j as generateSessionKeys, k as isServerSideRendering, l as formatSignInMessage, m as consumeCaptchaToken, o as verifyMessageSignatureOwnership, p as setCaptchaToken, s as removeUnverifiedWalletAccount, t as getNetworkProviderFromNetworkId, u as setUnverifiedWalletAccounts, v as createRealtimeService, w as createDeferredPromise, x as createCrossTabBroadcast, y as createIndexedDBKeychainService } from "./getNetworkProviderFromNetworkId-n7VUDpn0.esm.js";
+import { D as onceEvent, E as onEvent, O as setCookie, S as splitWalletProviderKey, T as offEvent, _ as getWalletAccounts, b as formatWalletAccountId, c as getWalletProviders, d as DYNAMIC_AUTH_COOKIE_NAME, f as getWalletProviderFromWalletAccount, g as NoWalletProviderFoundError, i as restoreUserSharesForAllWalletAccounts, l as checkAndRaiseWalletAccountsChangedEvent, n as getWalletProviderByKey, r as updateAuthFromVerifyResponse, t as getVerifiedCredentialForWalletAccount, u as emitWalletAccountsChangedEvent, w as emitEvent, x as normalizeAddress } from "./getVerifiedCredentialForWalletAccount-Cs7AcMKQ.esm.js";
+import { n as refreshAuth, t as NotWaasWalletAccountError } from "./NotWaasWalletAccountError-C-_6uyUM.esm.js";
+import { n as getMfaMethods, r as consumeMfaToken, t as isMfaRequiredForAction } from "./isMfaRequiredForAction-CM26tbT2.esm.js";
 import { assertPackageVersion } from "@dynamic-labs-sdk/assert-package-version";
-import { AuthModeEnum, ExchangeKeyEnum, JwtVerifiedCredentialFormatEnum, MFAAction, MfaBackupCodeAcknowledgement, ProviderEnum, WaasBackupOptionsEnum, WalletProviderEnum } from "@dynamic-labs/sdk-api-core";
+import { AuthModeEnum, ExchangeKeyEnum, JwtVerifiedCredentialFormatEnum, MFAAction, MfaBackupCodeAcknowledgement, ProviderEnum, TokenScope, WaasBackupOptionsEnum, WalletProviderEnum } from "@dynamic-labs/sdk-api-core";
 import * as z from "zod/mini";
 import EventEmitter, { EventEmitter as EventEmitter$1 } from "eventemitter3";
 import { browserSupportsWebAuthn, startAuthentication, startRegistration } from "@simplewebauthn/browser";
@@ -203,6 +203,7 @@ const logout = async (client = getDefaultClient()) => {
 		*/
 		if (isCookieEnabled(client)) setCookie(`${DYNAMIC_AUTH_COOKIE_NAME}=; Max-Age=-99999999; path=/; SameSite=Lax`);
 	}
+	await core.keychain.removeKey("session");
 	core.state.set({
 		captchaToken: null,
 		elevatedAccessTokens: [],
@@ -296,20 +297,6 @@ const setupCrossTabEventSync = (client) => {
 	core.crossTabBroadcast.on("deviceRegistrationCompleted", handleCrossTabDeviceRegistrationCompleted);
 };
 
-//#endregion
-//#region src/modules/state/raiseStateEvents/raiseStateEvents.ts
-const raiseStateEvents = (client) => {
-	getCore(client).state.subscribe((value, previous) => {
-		Object.entries(stateChangeEvents).forEach(([key, event]) => {
-			if (isEqualShallow(value[key], previous[key])) return;
-			emitEvent({
-				args: { [key]: value[key] },
-				event
-			}, client);
-		});
-	});
-};
-
 //#endregion
 //#region src/modules/wallets/unverifiedWalletAccounts/schema.ts
 const unverifiedWalletAccountSchema = z.object({
@@ -362,6 +349,87 @@ const sessionStorageKeySchema = createStorageKeySchema({
 	})
 });
 
+//#endregion
+//#region src/modules/keychainMigration/migrateSessionKeyToKeychain/KeyMigrationError.ts
+var KeyMigrationError = class extends BaseError {
+	constructor(expectedPublicKey, importedPublicKey) {
+		super({
+			cause: null,
+			code: "key_migration_public_key_mismatch",
+			docsUrl: null,
+			name: "KeyMigrationError",
+			shortMessage: `Public key mismatch after import: expected "${expectedPublicKey}", got "${importedPublicKey}"`
+		});
+	}
+};
+
+//#endregion
+//#region src/modules/keychainMigration/migrateSessionKeyToKeychain/migrateSessionKeyToKeychain.ts
+/**
+* Migrates legacy session keys from the hydrated state into the IndexedDB keychain
+* as non-extractable CryptoKey objects.
+*
+* Must run after hydrateStateWithStorage so that state.sessionKeys already holds
+* the legacy base64 blob (or the new public key hex if already migrated).
+*
+* Idempotent: skips if the keychain already has a `session` key.
+* Throws on failure — callers should handle errors (e.g. .catch(() => logout(client))).
+*/
+const migrateSessionKeyToKeychain = async ({ keychain, logger, state, storage }) => {
+	if (isServerSideRendering()) return;
+	logger.debug("[migrateSessionKeyToKeychain] Checking for existing session key in keychain");
+	if (await keychain.hasKey("session")) {
+		logger.debug("[migrateSessionKeyToKeychain] Session key already exists in keychain, skipping migration");
+		return;
+	}
+	const encodedSessionKeys = state.get().sessionKeys;
+	if (!encodedSessionKeys) {
+		logger.debug("[migrateSessionKeyToKeychain] No session keys in state, nothing to migrate");
+		return;
+	}
+	let blob;
+	try {
+		blob = JSON.parse(getBuffer().from(encodedSessionKeys, "base64").toString());
+	} catch {
+		logger.debug("[migrateSessionKeyToKeychain] Session keys are not a legacy blob, skipping migration");
+		return;
+	}
+	const { privateKeyJwk, publicKey } = blob;
+	if (!privateKeyJwk || !publicKey) {
+		logger.debug("[migrateSessionKeyToKeychain] Legacy blob missing privateKeyJwk or publicKey, skipping migration");
+		return;
+	}
+	logger.debug("[migrateSessionKeyToKeychain] Found legacy session key, importing into keychain", { expectedPublicKey: publicKey });
+	const importedPublicKey = await keychain.importKey("session", privateKeyJwk);
+	logger.debug("[migrateSessionKeyToKeychain] Key imported", {
+		expectedPublicKey: publicKey,
+		importedPublicKey
+	});
+	if (importedPublicKey !== publicKey) throw new KeyMigrationError(publicKey, importedPublicKey);
+	logger.debug("[migrateSessionKeyToKeychain] Public key validated, updating state and storage");
+	state.set({ sessionKeys: importedPublicKey });
+	const currentSession = await storage.getItem(sessionStorageKeySchema);
+	if (currentSession) await storage.setItem(sessionStorageKeySchema, {
+		...currentSession,
+		sessionKeys: importedPublicKey
+	});
+	logger.debug("[migrateSessionKeyToKeychain] Migration complete");
+};
+
+//#endregion
+//#region src/modules/state/raiseStateEvents/raiseStateEvents.ts
+const raiseStateEvents = (client) => {
+	getCore(client).state.subscribe((value, previous) => {
+		Object.entries(stateChangeEvents).forEach(([key, event]) => {
+			if (isEqualShallow(value[key], previous[key])) return;
+			emitEvent({
+				args: { [key]: value[key] },
+				event
+			}, client);
+		});
+	});
+};
+
 //#endregion
 //#region src/modules/storageSync/hydrateStateWithStorage/hydrateStateWithStorage.ts
 const hydrateStateWithStorage = async (client) => {
@@ -477,6 +545,14 @@ const initializeClient = async (client = getDefaultClient()) => {
 	setupCrossTabEventSync(client);
 	const initializeStorageSyncPromise = initializeStorageSync(client);
 	const fetchProjectSettingsPromise = initializeStorageSyncPromise.then(async () => {
+		await migrateSessionKeyToKeychain({
+			keychain: core.keychain,
+			logger: core.logger,
+			state: core.state,
+			storage: core.storage
+		}).catch(() => logout(client));
+		if (core.state.get().sessionKeys && !await core.keychain.hasKey("session")) await logout(client);
+	}).then(async () => {
 		if (!core.state.get().projectSettings) await fetchProjectSettings(client);
 	});
 	fetchProjectSettingsPromise.then(() => prefetchNoncesIfNeeded(client)).catch((error) => {
@@ -625,6 +701,59 @@ const createWebFetch = () => {
 	return window.fetch.bind(window);
 };
 
+//#endregion
+//#region src/services/instrumentation/constants.ts
+const DEFAULT_PII_FIELDS = [
+	"password",
+	"token",
+	"secret",
+	"privateKey",
+	"mnemonic",
+	"seed",
+	"email",
+	"phone",
+	"ssn",
+	"address",
+	"authorization"
+];
+
+//#endregion
+//#region src/services/instrumentation/createInstrumentation/createInstrumentation.ts
+const buildPiiFields = (customFields = []) => {
+	const merged = [...DEFAULT_PII_FIELDS, ...customFields];
+	return [...new Set(merged)];
+};
+/**
+* Creates the instrumentation service that gates event emission behind an
+* enabled flag and delegates to a pluggable transport.
+*
+* The transport is intentionally optional at creation time — it is wired in
+* later via setTransport so the SDK can initialise without one. Events logged
+* before a transport is set are simply dropped.
+*
+* Custom piiFields are merged with and deduplicated against the defaults so
+* callers only need to list additional fields, not replicate the baseline.
+*/
+const createInstrumentation = ({ config: inputConfig } = {}) => {
+	let transport;
+	const config = {
+		enabled: inputConfig?.enabled ?? true,
+		piiFields: buildPiiFields(inputConfig?.piiFields)
+	};
+	return {
+		config,
+		log: (event) => {
+			if (config.enabled) transport?.log(event);
+		},
+		setEnabled: (value) => {
+			config.enabled = value;
+		},
+		setTransport: (t) => {
+			transport = t;
+		}
+	};
+};
+
 //#endregion
 //#region src/services/navigate/createNavigationHandler/createNavigationHandler.ts
 /**
@@ -840,9 +969,13 @@ const createCore = (config) => {
 	const debouncedMutex = createDebouncedMutex();
 	const eventEmitter = createEventEmitter();
 	const initTrack = createAsyncTrack();
+	const sdkSessionId = randomString({ length: 32 });
+	const instrumentation = createInstrumentation({ config: config.instrumentation });
 	const runtimeServices = createRuntimeServices();
 	const passkey = config.coreConfig?.passkey ?? createWebPasskeyService();
+	const realtime = config.coreConfig?.realtime ?? createRealtimeService();
 	const deviceSigner = config.coreConfig?.deviceSigner;
+	const keychain = config.coreConfig?.keychain ?? createIndexedDBKeychainService({ dbName: `dynamic_${config.environmentId}_keychain` });
 	return {
 		apiBaseUrl,
 		crossTabBroadcast: config.coreConfig?.crossTabBroadcast ?? createCrossTabBroadcast({ channelName: `dynamic_${config.environmentId}_broadcast` }),
@@ -854,6 +987,8 @@ const createCore = (config) => {
 		fetch,
 		getApiHeaders: config.coreConfig?.getApiHeaders ?? (() => ({})),
 		initTrack,
+		instrumentation,
+		keychain,
 		logger,
 		metadata: {
 			...config.metadata,
@@ -862,7 +997,9 @@ const createCore = (config) => {
 		navigate,
 		openDeeplink,
 		passkey,
+		realtime,
 		runtimeServices,
+		sdkSessionId,
 		state,
 		storage,
 		transformers: config.transformers,
@@ -1285,47 +1422,6 @@ const signInWithExternalJwt = async ({ externalJwt, sessionPublicKey } = {}, cli
 	return response;
 };
 
-//#endregion
-//#region src/modules/auth/getElevatedAccessToken/getElevatedAccessToken.ts
-/**
-* Gets an elevated access token by scope.
-*
-* This function retrieves an elevated access token that contains the specified scope.
-* Expired tokens are automatically filtered out.
-*
-* If the token has `singleUse: true`, it will be automatically
-* consumed (removed from state) after retrieval. Otherwise, it remains in state
-* for future use.
-*
-* @param params - The parameters object.
-* @param params.scope - The scope to match (e.g., 'wallet:export').
-* @param [client] - The Dynamic client instance. Only required when using multiple Dynamic clients.
-* @returns The elevated access token if found and not expired, or undefined if not found or expired.
-*
-* @example
-* ```typescript
-* const token = getElevatedAccessToken({ scope: 'wallet:export' });
-* if (token) {
-*   // Use the token
-*   // Token is automatically consumed if singleUse: true
-* }
-* ```
-*/
-const getElevatedAccessToken = ({ scope }, client = getDefaultClient()) => {
-	const core = getCore(client);
-	const now = /* @__PURE__ */ new Date();
-	const elevatedAccessTokens = core.state.get().elevatedAccessTokens || [];
-	const validTokens = elevatedAccessTokens.filter((token$1) => !token$1.expiresAt || token$1.expiresAt > now);
-	if (validTokens.length !== elevatedAccessTokens.length) core.state.set({ elevatedAccessTokens: validTokens });
-	const token = validTokens.find((token$1) => token$1.scopes.includes(scope));
-	if (!token) return;
-	if (token.singleUse) {
-		const updatedTokens = validTokens.filter((t) => t !== token);
-		core.state.set({ elevatedAccessTokens: updatedTokens });
-	}
-	return token.token;
-};
-
 //#endregion
 //#region src/modules/auth/passkeys/deletePasskey/deletePasskey.ts
 /**
@@ -1337,7 +1433,10 @@ const getElevatedAccessToken = ({ scope }, client = getDefaultClient()) => {
 */
 const deletePasskey = async ({ passkeyId }, client = getDefaultClient()) => {
 	const core = getCore(client);
-	await createApiClient({ includeMfaToken: true }, client).deletePasskey({
+	await createApiClient({
+		elevatedAccessTokenScope: TokenScope.Credentialunlink,
+		includeMfaToken: true
+	}, client).deletePasskey({
 		deleteUserPasskeyRequest: { passkeyId },
 		environmentId: core.environmentId
 	});
@@ -1370,7 +1469,7 @@ const getPasskeyRegistrationOptions = async (client) => {
 //#region src/modules/auth/passkeys/serverRegisterPasskey/serverRegisterPasskey.ts
 const serverRegisterPasskey = async ({ registration, createMfaToken }, client) => {
 	const core = getCore(client);
-	return await createApiClient({}, client).registerPasskey({
+	return await createApiClient({ elevatedAccessTokenScope: TokenScope.Credentiallink }, client).registerPasskey({
 		environmentId: core.environmentId,
 		passkeyRegisterRequest: {
 			...registration,
@@ -3039,23 +3138,27 @@ const createNewMfaRecoveryCodes = async (client = getDefaultClient()) => {
 /**
 * Deletes a specific MFA device from the user's account.
 *
-* This function removes a multi-factor authentication device such as
-* a TOTP authenticator from the user's registered devices.
+* When an elevated access token for `credential:unlink` is available,
+* it is sent via the `x-dyn-elevated-access-token` header and the
+* MFA auth token is not required. Otherwise, `mfaAuthToken` must be
+* provided for backward compatibility with the legacy MFA flow.
 *
 * @param params.deviceId - The unique identifier of the MFA device to delete.
-* @param params.mfaAuthToken - The MFA authentication token required for device deletion.
+* @param params.mfaAuthToken - The MFA authentication token. Optional when using elevated access tokens.
 * @param [client] - The Dynamic client instance. Only required when using multiple Dynamic clients.
 * @returns A promise that resolves when the MFA device is successfully deleted.
 */
 const deleteMfaDevice = async ({ deviceId, mfaAuthToken }, client = getDefaultClient()) => {
 	const core = getCore(client);
-	const apiClient = createApiClient({}, client);
 	assertDefined(deviceId, "deviceId is required");
-	assertDefined(mfaAuthToken, "mfaAuthToken is required");
-	return apiClient.deleteMfaDevice({
+	if (!getElevatedAccessToken({
+		consume: false,
+		scope: TokenScope.Credentialunlink
+	}, client)) assertDefined(mfaAuthToken, "mfaAuthToken is required");
+	return createApiClient({ elevatedAccessTokenScope: TokenScope.Credentialunlink }, client).deleteMfaDevice({
 		environmentId: core.environmentId,
 		mfaDeviceId: deviceId,
-		xMfaAuthToken: mfaAuthToken
+		xMfaAuthToken: mfaAuthToken ?? ""
 	});
 };
 
@@ -3142,7 +3245,7 @@ const isUserMissingMfaAuth = (client = getDefaultClient()) => {
 */
 const registerTotpMfaDevice = async (client = getDefaultClient()) => {
 	const core = getCore(client);
-	return createApiClient({}, client).registerTotpMfaDevice({ environmentId: core.environmentId });
+	return createApiClient({ elevatedAccessTokenScope: TokenScope.Credentiallink }, client).registerTotpMfaDevice({ environmentId: core.environmentId });
 };
 
 //#endregion