@farcaster/snap 1.16.0 → 1.16.1

package/dist/schemas.d.ts

@@ -72,8 +72,8 @@ export declare const payloadSchema: z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodString;
-    audience: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+    audience: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 export type SnapPayload = z.infer<typeof payloadSchema>;
 export declare const ACTION_TYPE_GET: "get";
@@ -86,8 +86,8 @@ declare const snapPostActionSchema: z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodString;
-    audience: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+    audience: z.ZodOptional<z.ZodString>;
     type: z.ZodLiteral<"post">;
 }, z.core.$strip>;
 export type SnapPostAction = z.infer<typeof snapPostActionSchema>;
@@ -97,8 +97,8 @@ export declare const snapActionSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodString;
-    audience: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+    audience: z.ZodOptional<z.ZodString>;
     type: z.ZodLiteral<"post">;
 }, z.core.$strip>], "type">;
 export type SnapAction = z.infer<typeof snapActionSchema>;

package/dist/schemas.js

@@ -36,8 +36,8 @@ export const payloadSchema = z
     fid: z.number().int().nonnegative(),
     inputs: z.record(z.string(), postInputValueSchema).default({}),
     timestamp: z.number().int(),
-    nonce: z.string(),
-    audience: z.string(),
+    nonce: z.string().optional(),
+    audience: z.string().optional(),
 })
     .strip();
 export const ACTION_TYPE_GET = "get";

package/dist/server/parseRequest.js

@@ -77,33 +77,28 @@ export async function parseRequest(request, options = {}) {
             },
         };
     }
-    let expectedOrigin = options.requestOrigin;
-    if (expectedOrigin === undefined) {
-        try {
-            expectedOrigin = new URL(request.url).origin;
+    // Audience validation: only enforce when the client sends an audience field.
+    // v1 clients may not include nonce/audience yet.
+    if (body.audience !== undefined) {
+        let expectedOrigin = options.requestOrigin;
+        if (expectedOrigin === undefined) {
+            try {
+                expectedOrigin = new URL(request.url).origin;
+            }
+            catch {
+                // do nothing
+            }
         }
-        catch {
-            // do nothing
+        if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
+            return {
+                success: false,
+                error: {
+                    type: "origin_mismatch",
+                    message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
+                },
+            };
         }
     }
-    if (expectedOrigin === undefined) {
-        return {
-            success: false,
-            error: {
-                type: "origin_mismatch",
-                message: "request origin is required for validation",
-            },
-        };
-    }
-    if (body.audience !== expectedOrigin) {
-        return {
-            success: false,
-            error: {
-                type: "origin_mismatch",
-                message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
-            },
-        };
-    }
     return {
         success: true,
         action: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@farcaster/snap",
-  "version": "1.16.0",
+  "version": "1.16.1",
   "description": "Farcaster Snaps 🫰",
   "repository": {
     "type": "git",

package/src/schemas.ts

@@ -86,8 +86,8 @@ export const payloadSchema = z
     fid: z.number().int().nonnegative(),
     inputs: z.record(z.string(), postInputValueSchema).default({}),
     timestamp: z.number().int(),
-    nonce: z.string(),
-    audience: z.string(),
+    nonce: z.string().optional(),
+    audience: z.string().optional(),
   })
   .strip();
 

package/src/server/parseRequest.ts

@@ -52,6 +52,7 @@ export type ParseRequestOptions = {
    * The origin of the request. Derived from the request when not provided.
    */
   requestOrigin?: string;
+
 };
 
 export type ParseRequestResult =
@@ -147,33 +148,27 @@ export async function parseRequest(
     };
   }
 
-  let expectedOrigin = options.requestOrigin;
-  if (expectedOrigin === undefined) {
-    try {
-      expectedOrigin = new URL(request.url).origin;
-    } catch {
-      // do nothing
+  // Audience validation: only enforce when the client sends an audience field.
+  // v1 clients may not include nonce/audience yet.
+  if (body.audience !== undefined) {
+    let expectedOrigin = options.requestOrigin;
+    if (expectedOrigin === undefined) {
+      try {
+        expectedOrigin = new URL(request.url).origin;
+      } catch {
+        // do nothing
+      }
     }
-  }
-
-  if (expectedOrigin === undefined) {
-    return {
-      success: false,
-      error: {
-        type: "origin_mismatch",
-        message: "request origin is required for validation",
-      },
-    };
-  }
 
-  if (body.audience !== expectedOrigin) {
-    return {
-      success: false,
-      error: {
-        type: "origin_mismatch",
-        message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
-      },
-    };
+    if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
+      return {
+        success: false,
+        error: {
+          type: "origin_mismatch",
+          message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
+        },
+      };
+    }
   }
 
   return {