@farcaster/snap 1.16.0 → 1.16.2

package/dist/schemas.d.ts

@@ -68,12 +68,17 @@ export type SnapHandlerResult = {
     effects?: z.input<typeof snapResponseSchema>["effects"];
     ui: SnapSpecInput;
 };
+/**
+ * @deprecated `nonce` and `audience` are currently optional for backward
+ * compatibility but will become **required** in a future major version.
+ * Clients should always include both fields.
+ */
 export declare const payloadSchema: z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodString;
-    audience: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+    audience: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 export type SnapPayload = z.infer<typeof payloadSchema>;
 export declare const ACTION_TYPE_GET: "get";
@@ -86,8 +91,8 @@ declare const snapPostActionSchema: z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodString;
-    audience: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+    audience: z.ZodOptional<z.ZodString>;
     type: z.ZodLiteral<"post">;
 }, z.core.$strip>;
 export type SnapPostAction = z.infer<typeof snapPostActionSchema>;
@@ -97,8 +102,8 @@ export declare const snapActionSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodString;
-    audience: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+    audience: z.ZodOptional<z.ZodString>;
     type: z.ZodLiteral<"post">;
 }, z.core.$strip>], "type">;
 export type SnapAction = z.infer<typeof snapActionSchema>;

package/dist/schemas.js

@@ -31,13 +31,20 @@ const postInputValueSchema = z.union([
     z.boolean(),
     z.array(z.string()),
 ]);
+/**
+ * @deprecated `nonce` and `audience` are currently optional for backward
+ * compatibility but will become **required** in a future major version.
+ * Clients should always include both fields.
+ */
 export const payloadSchema = z
     .object({
     fid: z.number().int().nonnegative(),
     inputs: z.record(z.string(), postInputValueSchema).default({}),
     timestamp: z.number().int(),
-    nonce: z.string(),
-    audience: z.string(),
+    /** @deprecated Will become required. Clients should always send a unique nonce. */
+    nonce: z.string().optional(),
+    /** @deprecated Will become required. Clients should always send the target server origin. */
+    audience: z.string().optional(),
 })
     .strip();
 export const ACTION_TYPE_GET = "get";

package/dist/server/parseRequest.js

@@ -77,33 +77,32 @@ export async function parseRequest(request, options = {}) {
             },
         };
     }
-    let expectedOrigin = options.requestOrigin;
-    if (expectedOrigin === undefined) {
-        try {
-            expectedOrigin = new URL(request.url).origin;
+    // Deprecation: nonce and audience will become required in a future major version.
+    if (body.nonce === undefined || body.audience === undefined) {
+        console.warn("[snap] POST payload is missing nonce and/or audience. " +
+            "These fields will be required in a future major version. " +
+            "Please update your client to include both fields.");
+    }
+    if (body.audience !== undefined) {
+        let expectedOrigin = options.requestOrigin;
+        if (expectedOrigin === undefined) {
+            try {
+                expectedOrigin = new URL(request.url).origin;
+            }
+            catch {
+                // do nothing
+            }
         }
-        catch {
-            // do nothing
+        if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
+            return {
+                success: false,
+                error: {
+                    type: "origin_mismatch",
+                    message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
+                },
+            };
         }
     }
-    if (expectedOrigin === undefined) {
-        return {
-            success: false,
-            error: {
-                type: "origin_mismatch",
-                message: "request origin is required for validation",
-            },
-        };
-    }
-    if (body.audience !== expectedOrigin) {
-        return {
-            success: false,
-            error: {
-                type: "origin_mismatch",
-                message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
-            },
-        };
-    }
     return {
         success: true,
         action: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@farcaster/snap",
-  "version": "1.16.0",
+  "version": "1.16.2",
   "description": "Farcaster Snaps 🫰",
   "repository": {
     "type": "git",

package/src/schemas.ts

@@ -81,13 +81,20 @@ const postInputValueSchema = z.union([
   z.array(z.string()),
 ]);
 
+/**
+ * @deprecated `nonce` and `audience` are currently optional for backward
+ * compatibility but will become **required** in a future major version.
+ * Clients should always include both fields.
+ */
 export const payloadSchema = z
   .object({
     fid: z.number().int().nonnegative(),
     inputs: z.record(z.string(), postInputValueSchema).default({}),
     timestamp: z.number().int(),
-    nonce: z.string(),
-    audience: z.string(),
+    /** @deprecated Will become required. Clients should always send a unique nonce. */
+    nonce: z.string().optional(),
+    /** @deprecated Will become required. Clients should always send the target server origin. */
+    audience: z.string().optional(),
   })
   .strip();
 

package/src/server/parseRequest.ts

@@ -52,6 +52,7 @@ export type ParseRequestOptions = {
    * The origin of the request. Derived from the request when not provided.
    */
   requestOrigin?: string;
+
 };
 
 export type ParseRequestResult =
@@ -147,33 +148,34 @@ export async function parseRequest(
     };
   }
 
-  let expectedOrigin = options.requestOrigin;
-  if (expectedOrigin === undefined) {
-    try {
-      expectedOrigin = new URL(request.url).origin;
-    } catch {
-      // do nothing
-    }
+  // Deprecation: nonce and audience will become required in a future major version.
+  if (body.nonce === undefined || body.audience === undefined) {
+    console.warn(
+      "[snap] POST payload is missing nonce and/or audience. " +
+        "These fields will be required in a future major version. " +
+        "Please update your client to include both fields.",
+    );
   }
 
-  if (expectedOrigin === undefined) {
-    return {
-      success: false,
-      error: {
-        type: "origin_mismatch",
-        message: "request origin is required for validation",
-      },
-    };
-  }
+  if (body.audience !== undefined) {
+    let expectedOrigin = options.requestOrigin;
+    if (expectedOrigin === undefined) {
+      try {
+        expectedOrigin = new URL(request.url).origin;
+      } catch {
+        // do nothing
+      }
+    }
 
-  if (body.audience !== expectedOrigin) {
-    return {
-      success: false,
-      error: {
-        type: "origin_mismatch",
-        message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
-      },
-    };
+    if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
+      return {
+        success: false,
+        error: {
+          type: "origin_mismatch",
+          message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
+        },
+      };
+    }
   }
 
   return {