@dynamic-labs/waas 4.89.0 → 4.90.0

package/CHANGELOG.md

@@ -1,4 +1,23 @@
 
+## [4.90.0](https://github.com/dynamic-labs/dynamic-auth/compare/v4.89.0...v4.90.0) (2026-06-19)
+
+
+### Features
+
+* add microsoft to social providers list ([#11631](https://github.com/dynamic-labs/dynamic-auth/issues/11631)) ([761b82d](https://github.com/dynamic-labs/dynamic-auth/commit/761b82dea2e2e86ec1c8b3fc8bab32ed72492132))
+* **sdk-react-core:** preconnect to waas iframe origin at auth-flow start ([#11549](https://github.com/dynamic-labs/dynamic-auth/issues/11549)) ([1bb810c](https://github.com/dynamic-labs/dynamic-auth/commit/1bb810c4eb3d592b43f62c1eaf5450a0e42981c9)), closes [dynamic-labs/dynamic-wallet-sdk#1314](https://github.com/dynamic-labs/dynamic-wallet-sdk/issues/1314)
+* **waas:** opt into SDK eager key-share recovery, drop host RECOVER loop (DYNT-1125) ([#11620](https://github.com/dynamic-labs/dynamic-auth/issues/11620)) ([4bef955](https://github.com/dynamic-labs/dynamic-auth/commit/4bef955b902a7e484ba8bd6323582843bb692a17))
+* **wallet-connector-core:** add isMidnightConnector util + Midnight interface hooks ([#11005](https://github.com/dynamic-labs/dynamic-auth/issues/11005)) ([55117a8](https://github.com/dynamic-labs/dynamic-auth/commit/55117a8cf59640d00b358f68be8df6b29231fab5))
+
+
+### Bug Fixes
+
+* **sdk-react-core:** gate smart-wallet init on user:basic scope ([#11624](https://github.com/dynamic-labs/dynamic-auth/issues/11624)) ([9f891a4](https://github.com/dynamic-labs/dynamic-auth/commit/9f891a46a191532acdd4a91b74c4586089ef0e1a)), closes [#11623](https://github.com/dynamic-labs/dynamic-auth/issues/11623) [#11623](https://github.com/dynamic-labs/dynamic-auth/issues/11623) [#11626](https://github.com/dynamic-labs/dynamic-auth/issues/11626)
+* **sdk-react-core:** search wallet list by metadata name in addition to connector name ([#11638](https://github.com/dynamic-labs/dynamic-auth/issues/11638)) ([a647614](https://github.com/dynamic-labs/dynamic-auth/commit/a647614bcba769e09ef59bf1ddb925ce9835842e))
+* **waas:** rebuild WaaS client on session change after step-up reauth ([#11581](https://github.com/dynamic-labs/dynamic-auth/issues/11581)) ([2b7093e](https://github.com/dynamic-labs/dynamic-auth/commit/2b7093e27f57f1dfcdd303361d436d9bf33e28a9))
+* **waas:** refuse to build WaaS client while auth scope is pending (createRooms 401 chokepoint) ([#11623](https://github.com/dynamic-labs/dynamic-auth/issues/11623)) ([08755f0](https://github.com/dynamic-labs/dynamic-auth/commit/08755f0bda2b74c7bcdff3d0ac9c228a5205ad6e)), closes [#11624](https://github.com/dynamic-labs/dynamic-auth/issues/11624)
+* **wallet-connect:** skip address comparison on reconnect when expectedAddress is empty ([#11639](https://github.com/dynamic-labs/dynamic-auth/issues/11639)) ([8d665cf](https://github.com/dynamic-labs/dynamic-auth/commit/8d665cf3bf1fb0e498d71f14cc8a53d91593c23d))
+
 ## [4.89.0](https://github.com/dynamic-labs/dynamic-auth/compare/v4.88.6...v4.89.0) (2026-06-16)
 
 

package/package.cjs

@@ -3,6 +3,6 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var version = "4.89.0";
+var version = "4.90.0";
 
 exports.version = version;

package/package.js

@@ -1,4 +1,4 @@
 'use client'
-var version = "4.89.0";
+var version = "4.90.0";
 
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dynamic-labs/waas",
-  "version": "4.89.0",
+  "version": "4.90.0",
   "type": "module",
   "author": "Dynamic Labs, Inc.",
   "license": "MIT",
@@ -16,18 +16,18 @@
     "./package.json": "./package.json"
   },
   "dependencies": {
-    "@dynamic-labs-sdk/client": "1.8.2",
-    "@dynamic-labs/assert-package-version": "4.89.0",
-    "@dynamic-labs/sdk-api-core": "0.0.1015",
-    "@dynamic-labs-wallet/browser-wallet-client": "1.0.16",
-    "@dynamic-labs-wallet/forward-mpc-client": "0.10.1",
-    "@dynamic-labs/ethereum-core": "4.89.0",
-    "@dynamic-labs/logger": "4.89.0",
-    "@dynamic-labs/solana-core": "4.89.0",
-    "@dynamic-labs/sui-core": "4.89.0",
-    "@dynamic-labs/utils": "4.89.0",
-    "@dynamic-labs/wallet-book": "4.89.0",
-    "@dynamic-labs/wallet-connector-core": "4.89.0"
+    "@dynamic-labs-sdk/client": "1.12.1",
+    "@dynamic-labs/assert-package-version": "4.90.0",
+    "@dynamic-labs/sdk-api-core": "0.0.1046",
+    "@dynamic-labs-wallet/browser-wallet-client": "1.0.42",
+    "@dynamic-labs-wallet/forward-mpc-client": "0.12.0",
+    "@dynamic-labs/ethereum-core": "4.90.0",
+    "@dynamic-labs/logger": "4.90.0",
+    "@dynamic-labs/solana-core": "4.90.0",
+    "@dynamic-labs/sui-core": "4.90.0",
+    "@dynamic-labs/utils": "4.90.0",
+    "@dynamic-labs/wallet-book": "4.90.0",
+    "@dynamic-labs/wallet-connector-core": "4.90.0"
   },
   "peerDependencies": {}
 }

package/src/DynamicWaasMixin.cjs

@@ -11,6 +11,7 @@ var _package = require('../package.cjs');
 var constants = require('../utils/constants.cjs');
 var createWaasClientSecureStorage = require('../utils/createWaasClientSecureStorage.cjs');
 var instrumentation = require('../utils/instrumentation.cjs');
+var tokenHasPendingAuthScope = require('../utils/tokenHasPendingAuthScope.cjs');
 
 // Fallback error code used when a thrown value carries no code, or when
 // formatting the error itself fails.
@@ -35,9 +36,6 @@ const withDynamicWaas = (BaseClass) => {
         setGetAuthTokenFunction(getAuthToken) {
             this.getAuthToken = getAuthToken;
         }
-        setOnUnauthorizedFunction(onUnauthorized) {
-            this.onUnauthorized = onUnauthorized;
-        }
         setWaasAuthMode(authMode) {
             this.authMode = authMode;
         }
@@ -194,14 +192,15 @@ const withDynamicWaas = (BaseClass) => {
                     baseClientKeysharesRelayApiUrl: this.baseClientKeysharesRelayApiUrl,
                     baseMPCRelayApiUrl: this.relayUrl || constants.DEFAULT_BASE_MPC_RELAY_API_URL,
                     chainName: this.chainName,
+                    // Opt into the SDK self-driving eager key-share recovery on auth-token
+                    // arrival, so the host no longer runs its own per-wallet RECOVER loop.
+                    eagerlyRecoverKeyShares: true,
                     environmentId: this.environmentId,
                     sdkVersion: _package.version,
-                }, Object.assign(Object.assign(Object.assign({}, (utils.PlatformService.isWaasSecureStorageSupported
+                }, Object.assign(Object.assign({}, (utils.PlatformService.isWaasSecureStorageSupported
                     ? { secureStorage: createWaasClientSecureStorage.createWaasClientSecureStorage() }
                     : {})), (this.getSignedSessionId
                     ? { getSignedSessionId: this.getSignedSessionId }
-                    : {})), (this.onUnauthorized
-                    ? { onUnauthorized: this.onUnauthorized }
                     : {})));
                 this.instrumentAsync({
                     context: traceContext,
@@ -212,9 +211,29 @@ const withDynamicWaas = (BaseClass) => {
                 return client;
             });
         }
-        getWaasWalletClient(traceContext) {
-            return _tslib.__awaiter(this, void 0, void 0, function* () {
+        getWaasWalletClient(traceContext_1) {
+            return _tslib.__awaiter(this, arguments, void 0, function* (traceContext, { forceRebuild = false } = {}) {
+                var _a;
+                // forceRebuild drops the cached client so the iframe re-auths with the
+                // fresh session (e.g. after a step-up reauth) instead of 401-ing on the
+                // stale cached token. Callers must only force a rebuild when a token is
+                // available (see getWaasWalletConnector's live-token guard); otherwise
+                // createDynamicWaasClient would throw "Auth token is required".
+                if (forceRebuild) {
+                    this.dynamicWaasClient = undefined;
+                }
                 if (!this.dynamicWaasClient) {
+                    // Chokepoint: never build + initialize the iframe client while the auth
+                    // token is still pending MFA/KYC/device registration. The iframe's
+                    // init-time room-cache pre-warm fires `createRooms` using the token
+                    // captured at construction — before any per-operation token resync
+                    // exists to correct it. Built during the pending window, that pre-warm
+                    // 401s and trips the iframe's unauthorized → forced-logout path. Every
+                    // WaaS caller funnels through here, so this single guard covers auto
+                    // wallet creation, ZeroDev smart-wallet init, getWallet, etc.
+                    if (tokenHasPendingAuthScope.tokenHasPendingAuthScope((_a = this.getAuthToken) === null || _a === void 0 ? void 0 : _a.call(this))) {
+                        throw new utils.WaasAuthScopePendingError();
+                    }
                     this.dynamicWaasClient = yield this.createDynamicWaasClient(traceContext);
                 }
                 return this.dynamicWaasClient;
@@ -612,9 +631,18 @@ const withDynamicWaas = (BaseClass) => {
         }
         endSession(reason) {
             return _tslib.__awaiter(this, void 0, void 0, function* () {
-                const waasClient = yield this.getWaasWalletClient();
-                if (!waasClient) {
-                    return;
+                // Building the wallet client requires an auth token (createDynamicWaasClient
+                // throws in header auth mode when none is present); the new scope guard in
+                // getWaasWalletClient also throws during pending-auth (MFA/KYC/device). On
+                // logout we must not let either throw abort logout — the security-critical
+                // key share removal below does not need the client. Only the iframe cleanup
+                // does, so we proceed without it if the client can't be obtained.
+                let waasClient;
+                try {
+                    waasClient = yield this.getWaasWalletClient();
+                }
+                catch (error) {
+                    this.instrument('[endSession] getWaasWalletClient failed; proceeding', Object.assign({ key: 'endSession-getClient-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
                 }
                 // When a session token expires, we preserve key shares in storage instead
                 // of clearing them. Customers with short-lived sessions (minutes) were
@@ -646,9 +674,13 @@ const withDynamicWaas = (BaseClass) => {
                     // iframe cleanup's request-channel timeout. The iframe handler already
                     // swallows its own errors, and the DOM teardown obsoletes anything it
                     // misses. Promise.resolve guards against a non-promise return in tests.
-                    void Promise.resolve(waasClient.cleanup()).catch((error) => {
-                        this.instrument('[endSession] background iframe cleanup failed', Object.assign({ key: 'endSession-cleanup-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
-                    });
+                    // Skipped when the client could not be built/obtained (no token, or
+                    // pending-auth scope guard) — there is no iframe to tear down then.
+                    if (waasClient) {
+                        void Promise.resolve(waasClient.cleanup()).catch((error) => {
+                            this.instrument('[endSession] background iframe cleanup failed', Object.assign({ key: 'endSession-cleanup-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
+                        });
+                    }
                 }
                 this.dynamicWaasClient = undefined;
             });

package/src/DynamicWaasMixin.d.ts

@@ -23,7 +23,6 @@ export declare const withDynamicWaas: <T extends abstract new (...args: any[]) =
     getElevatedAccessToken?: ((props: {
         scope: TokenScope;
     }) => Promise<string | undefined>) | undefined;
-    onUnauthorized?: (() => void | Promise<void>) | undefined;
     environmentId?: string | undefined;
     baseApiUrl?: string | undefined;
     relayUrl?: string | undefined;
@@ -35,7 +34,6 @@ export declare const withDynamicWaas: <T extends abstract new (...args: any[]) =
     __exportHandler: WaasExportHandler;
     validateActiveWallet(expectedAddress: string): Promise<void>;
     setGetAuthTokenFunction(getAuthToken: () => string): void;
-    setOnUnauthorizedFunction(onUnauthorized: () => void | Promise<void>): void;
     setWaasAuthMode(authMode: 'cookie' | 'header'): void;
     setGetMfaTokenFunction(getMfaToken: (props?: {
         mfaAction?: MFAAction;
@@ -76,7 +74,9 @@ export declare const withDynamicWaas: <T extends abstract new (...args: any[]) =
         password?: string;
     }): Promise<void>;
     createDynamicWaasClient(traceContext?: TraceContext): Promise<DynamicWalletClient>;
-    getWaasWalletClient(traceContext?: TraceContext): Promise<DynamicWalletClient>;
+    getWaasWalletClient(traceContext?: TraceContext, { forceRebuild }?: {
+        forceRebuild?: boolean;
+    }): Promise<DynamicWalletClient>;
     createWalletAccount({ thresholdSignatureScheme, password, bitcoinConfig, }?: {
         thresholdSignatureScheme?: string;
         password?: string;

package/src/DynamicWaasMixin.js

@@ -2,11 +2,12 @@
 import { __awaiter } from '../_virtual/_tslib.js';
 import { DynamicWalletClient } from '@dynamic-labs-wallet/browser-wallet-client';
 import { MFAAction, TokenScope } from '@dynamic-labs/sdk-api-core';
-import { DynamicError, UserRejectedRequestError, PlatformService } from '@dynamic-labs/utils';
+import { DynamicError, UserRejectedRequestError, PlatformService, WaasAuthScopePendingError } from '@dynamic-labs/utils';
 import { version } from '../package.js';
 import { DEFAULT_BASE_API_URL, DEFAULT_BASE_MPC_RELAY_API_URL } from '../utils/constants.js';
 import { createWaasClientSecureStorage } from '../utils/createWaasClientSecureStorage.js';
 import { InstrumentationTimer } from '../utils/instrumentation.js';
+import { tokenHasPendingAuthScope } from '../utils/tokenHasPendingAuthScope.js';
 
 // Fallback error code used when a thrown value carries no code, or when
 // formatting the error itself fails.
@@ -31,9 +32,6 @@ const withDynamicWaas = (BaseClass) => {
         setGetAuthTokenFunction(getAuthToken) {
             this.getAuthToken = getAuthToken;
         }
-        setOnUnauthorizedFunction(onUnauthorized) {
-            this.onUnauthorized = onUnauthorized;
-        }
         setWaasAuthMode(authMode) {
             this.authMode = authMode;
         }
@@ -190,14 +188,15 @@ const withDynamicWaas = (BaseClass) => {
                     baseClientKeysharesRelayApiUrl: this.baseClientKeysharesRelayApiUrl,
                     baseMPCRelayApiUrl: this.relayUrl || DEFAULT_BASE_MPC_RELAY_API_URL,
                     chainName: this.chainName,
+                    // Opt into the SDK self-driving eager key-share recovery on auth-token
+                    // arrival, so the host no longer runs its own per-wallet RECOVER loop.
+                    eagerlyRecoverKeyShares: true,
                     environmentId: this.environmentId,
                     sdkVersion: version,
-                }, Object.assign(Object.assign(Object.assign({}, (PlatformService.isWaasSecureStorageSupported
+                }, Object.assign(Object.assign({}, (PlatformService.isWaasSecureStorageSupported
                     ? { secureStorage: createWaasClientSecureStorage() }
                     : {})), (this.getSignedSessionId
                     ? { getSignedSessionId: this.getSignedSessionId }
-                    : {})), (this.onUnauthorized
-                    ? { onUnauthorized: this.onUnauthorized }
                     : {})));
                 this.instrumentAsync({
                     context: traceContext,
@@ -208,9 +207,29 @@ const withDynamicWaas = (BaseClass) => {
                 return client;
             });
         }
-        getWaasWalletClient(traceContext) {
-            return __awaiter(this, void 0, void 0, function* () {
+        getWaasWalletClient(traceContext_1) {
+            return __awaiter(this, arguments, void 0, function* (traceContext, { forceRebuild = false } = {}) {
+                var _a;
+                // forceRebuild drops the cached client so the iframe re-auths with the
+                // fresh session (e.g. after a step-up reauth) instead of 401-ing on the
+                // stale cached token. Callers must only force a rebuild when a token is
+                // available (see getWaasWalletConnector's live-token guard); otherwise
+                // createDynamicWaasClient would throw "Auth token is required".
+                if (forceRebuild) {
+                    this.dynamicWaasClient = undefined;
+                }
                 if (!this.dynamicWaasClient) {
+                    // Chokepoint: never build + initialize the iframe client while the auth
+                    // token is still pending MFA/KYC/device registration. The iframe's
+                    // init-time room-cache pre-warm fires `createRooms` using the token
+                    // captured at construction — before any per-operation token resync
+                    // exists to correct it. Built during the pending window, that pre-warm
+                    // 401s and trips the iframe's unauthorized → forced-logout path. Every
+                    // WaaS caller funnels through here, so this single guard covers auto
+                    // wallet creation, ZeroDev smart-wallet init, getWallet, etc.
+                    if (tokenHasPendingAuthScope((_a = this.getAuthToken) === null || _a === void 0 ? void 0 : _a.call(this))) {
+                        throw new WaasAuthScopePendingError();
+                    }
                     this.dynamicWaasClient = yield this.createDynamicWaasClient(traceContext);
                 }
                 return this.dynamicWaasClient;
@@ -608,9 +627,18 @@ const withDynamicWaas = (BaseClass) => {
         }
         endSession(reason) {
             return __awaiter(this, void 0, void 0, function* () {
-                const waasClient = yield this.getWaasWalletClient();
-                if (!waasClient) {
-                    return;
+                // Building the wallet client requires an auth token (createDynamicWaasClient
+                // throws in header auth mode when none is present); the new scope guard in
+                // getWaasWalletClient also throws during pending-auth (MFA/KYC/device). On
+                // logout we must not let either throw abort logout — the security-critical
+                // key share removal below does not need the client. Only the iframe cleanup
+                // does, so we proceed without it if the client can't be obtained.
+                let waasClient;
+                try {
+                    waasClient = yield this.getWaasWalletClient();
+                }
+                catch (error) {
+                    this.instrument('[endSession] getWaasWalletClient failed; proceeding', Object.assign({ key: 'endSession-getClient-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
                 }
                 // When a session token expires, we preserve key shares in storage instead
                 // of clearing them. Customers with short-lived sessions (minutes) were
@@ -642,9 +670,13 @@ const withDynamicWaas = (BaseClass) => {
                     // iframe cleanup's request-channel timeout. The iframe handler already
                     // swallows its own errors, and the DOM teardown obsoletes anything it
                     // misses. Promise.resolve guards against a non-promise return in tests.
-                    void Promise.resolve(waasClient.cleanup()).catch((error) => {
-                        this.instrument('[endSession] background iframe cleanup failed', Object.assign({ key: 'endSession-cleanup-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
-                    });
+                    // Skipped when the client could not be built/obtained (no token, or
+                    // pending-auth scope guard) — there is no iframe to tear down then.
+                    if (waasClient) {
+                        void Promise.resolve(waasClient.cleanup()).catch((error) => {
+                            this.instrument('[endSession] background iframe cleanup failed', Object.assign({ key: 'endSession-cleanup-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
+                        });
+                    }
                 }
                 this.dynamicWaasClient = undefined;
             });

package/utils/tokenHasPendingAuthScope.cjs

@@ -0,0 +1,55 @@
+'use client'
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var sdkApiCore = require('@dynamic-labs/sdk-api-core');
+
+// Scopes that mean the user has not finished authenticating (MFA / KYC /
+// device registration still pending). A JWT carrying any of these has not
+// upgraded to `user:basic`, and the WaaS backend rejects calls made with it
+// (e.g. createRooms) with a 401.
+//
+// Note `user:basic` and `waasBackupToken` are intentionally NOT in this list:
+// backup / recovery flows legitimately run with a `waasBackupToken` scope, so
+// only the pending-auth scopes below should block WaaS client creation.
+const PENDING_AUTH_SCOPES = [
+    sdkApiCore.JwtScope.RequiresAdditionalAuth,
+    sdkApiCore.JwtScope.UserDataForm,
+    sdkApiCore.JwtScope.Deviceregister,
+];
+const decodeScope = (authToken) => {
+    const payload = authToken === null || authToken === void 0 ? void 0 : authToken.split('.')[1];
+    if (!payload) {
+        return undefined;
+    }
+    try {
+        return JSON.parse(atob(payload)).scope;
+    }
+    catch (_a) {
+        return undefined;
+    }
+};
+/**
+ * Returns true when the auth token still carries a pending-authentication
+ * scope (`requiresAdditionalAuth` / `userDataForm` / `device:register`).
+ *
+ * The WaaS iframe's API client is a shared, mutable axios instance. The token
+ * captured at client construction is what the init-time room-cache pre-warm
+ * `createRooms` uses — it runs before any per-operation token resync. So if the
+ * client is built during this pending window, that pre-warm fires with the
+ * stale pre-`user:basic` token and 401s; the iframe reports the 401 back to the
+ * host, which force-logs-out the user. Callers must therefore refuse to build
+ * the client until the token clears (the vulnerable window is construction +
+ * init, not the whole client lifetime).
+ *
+ * A token with no decodable scope is treated as not-pending (returns false):
+ * the backend remains the source of truth and will reject anything invalid.
+ */
+const tokenHasPendingAuthScope = (authToken) => {
+    var _a, _b;
+    const scopes = (_b = (_a = decodeScope(authToken)) === null || _a === void 0 ? void 0 : _a.split(' ')) !== null && _b !== void 0 ? _b : [];
+    return scopes.some((scope) => PENDING_AUTH_SCOPES.includes(scope));
+};
+
+exports.tokenHasPendingAuthScope = tokenHasPendingAuthScope;

package/utils/tokenHasPendingAuthScope.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Returns true when the auth token still carries a pending-authentication
+ * scope (`requiresAdditionalAuth` / `userDataForm` / `device:register`).
+ *
+ * The WaaS iframe's API client is a shared, mutable axios instance. The token
+ * captured at client construction is what the init-time room-cache pre-warm
+ * `createRooms` uses — it runs before any per-operation token resync. So if the
+ * client is built during this pending window, that pre-warm fires with the
+ * stale pre-`user:basic` token and 401s; the iframe reports the 401 back to the
+ * host, which force-logs-out the user. Callers must therefore refuse to build
+ * the client until the token clears (the vulnerable window is construction +
+ * init, not the whole client lifetime).
+ *
+ * A token with no decodable scope is treated as not-pending (returns false):
+ * the backend remains the source of truth and will reject anything invalid.
+ */
+export declare const tokenHasPendingAuthScope: (authToken?: string) => boolean;

package/utils/tokenHasPendingAuthScope.js

@@ -0,0 +1,51 @@
+'use client'
+import { JwtScope } from '@dynamic-labs/sdk-api-core';
+
+// Scopes that mean the user has not finished authenticating (MFA / KYC /
+// device registration still pending). A JWT carrying any of these has not
+// upgraded to `user:basic`, and the WaaS backend rejects calls made with it
+// (e.g. createRooms) with a 401.
+//
+// Note `user:basic` and `waasBackupToken` are intentionally NOT in this list:
+// backup / recovery flows legitimately run with a `waasBackupToken` scope, so
+// only the pending-auth scopes below should block WaaS client creation.
+const PENDING_AUTH_SCOPES = [
+    JwtScope.RequiresAdditionalAuth,
+    JwtScope.UserDataForm,
+    JwtScope.Deviceregister,
+];
+const decodeScope = (authToken) => {
+    const payload = authToken === null || authToken === void 0 ? void 0 : authToken.split('.')[1];
+    if (!payload) {
+        return undefined;
+    }
+    try {
+        return JSON.parse(atob(payload)).scope;
+    }
+    catch (_a) {
+        return undefined;
+    }
+};
+/**
+ * Returns true when the auth token still carries a pending-authentication
+ * scope (`requiresAdditionalAuth` / `userDataForm` / `device:register`).
+ *
+ * The WaaS iframe's API client is a shared, mutable axios instance. The token
+ * captured at client construction is what the init-time room-cache pre-warm
+ * `createRooms` uses — it runs before any per-operation token resync. So if the
+ * client is built during this pending window, that pre-warm fires with the
+ * stale pre-`user:basic` token and 401s; the iframe reports the 401 back to the
+ * host, which force-logs-out the user. Callers must therefore refuse to build
+ * the client until the token clears (the vulnerable window is construction +
+ * init, not the whole client lifetime).
+ *
+ * A token with no decodable scope is treated as not-pending (returns false):
+ * the backend remains the source of truth and will reject anything invalid.
+ */
+const tokenHasPendingAuthScope = (authToken) => {
+    var _a, _b;
+    const scopes = (_b = (_a = decodeScope(authToken)) === null || _a === void 0 ? void 0 : _a.split(' ')) !== null && _b !== void 0 ? _b : [];
+    return scopes.some((scope) => PENDING_AUTH_SCOPES.includes(scope));
+};
+
+export { tokenHasPendingAuthScope };