@farcaster/snap 1.17.1 → 1.18.0

package/dist/schemas.d.ts

@@ -68,17 +68,12 @@ export type SnapHandlerResult = {
     effects?: z.input<typeof snapResponseSchema>["effects"];
     ui: SnapSpecInput;
 };
-/**
- * @deprecated `nonce` and `audience` are currently optional for backward
- * compatibility but will become **required** in a future major version.
- * Clients should always include both fields.
- */
 export declare const payloadSchema: z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodOptional<z.ZodString>;
-    audience: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodString;
+    audience: z.ZodString;
 }, z.core.$strip>;
 export type SnapPayload = z.infer<typeof payloadSchema>;
 export declare const ACTION_TYPE_GET: "get";
@@ -91,8 +86,8 @@ declare const snapPostActionSchema: z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodOptional<z.ZodString>;
-    audience: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodString;
+    audience: z.ZodString;
     type: z.ZodLiteral<"post">;
 }, z.core.$strip>;
 export type SnapPostAction = z.infer<typeof snapPostActionSchema>;
@@ -102,8 +97,8 @@ export declare const snapActionSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
     fid: z.ZodNumber;
     inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;
     timestamp: z.ZodNumber;
-    nonce: z.ZodOptional<z.ZodString>;
-    audience: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodString;
+    audience: z.ZodString;
     type: z.ZodLiteral<"post">;
 }, z.core.$strip>], "type">;
 export type SnapAction = z.infer<typeof snapActionSchema>;

package/dist/schemas.js

@@ -31,20 +31,13 @@ const postInputValueSchema = z.union([
     z.boolean(),
     z.array(z.string()),
 ]);
-/**
- * @deprecated `nonce` and `audience` are currently optional for backward
- * compatibility but will become **required** in a future major version.
- * Clients should always include both fields.
- */
 export const payloadSchema = z
     .object({
     fid: z.number().int().nonnegative(),
     inputs: z.record(z.string(), postInputValueSchema).default({}),
     timestamp: z.number().int(),
-    /** @deprecated Will become required. Clients should always send a unique nonce. */
-    nonce: z.string().optional(),
-    /** @deprecated Will become required. Clients should always send the target server origin. */
-    audience: z.string().optional(),
+    nonce: z.string(),
+    audience: z.string(),
 })
     .strip();
 export const ACTION_TYPE_GET = "get";

package/dist/server/parseRequest.js

@@ -77,36 +77,29 @@ export async function parseRequest(request, options = {}) {
             },
         };
     }
-    // Deprecation: nonce and audience will become required in a future major version.
-    if (body.nonce === undefined || body.audience === undefined) {
-        console.warn("[snap] POST payload is missing nonce and/or audience. " +
-            "These fields will be required in a future major version. " +
-            "Please update your client to include both fields.");
-    }
-    if (body.audience !== undefined) {
-        let expectedOrigin = options.requestOrigin;
-        if (expectedOrigin === undefined) {
-            try {
-                const url = new URL(request.url);
-                const proto = request.headers.get("x-forwarded-proto") ??
-                    url.protocol.replace(":", "");
-                const host = request.headers.get("x-forwarded-host") ?? url.host;
-                expectedOrigin = `${proto}://${host}`;
-            }
-            catch {
-                // do nothing
-            }
+    // Audience validation: ensure the payload audience matches the server origin.
+    let expectedOrigin = options.requestOrigin;
+    if (expectedOrigin === undefined) {
+        try {
+            const url = new URL(request.url);
+            const proto = request.headers.get("x-forwarded-proto") ??
+                url.protocol.replace(":", "");
+            const host = request.headers.get("x-forwarded-host") ?? url.host;
+            expectedOrigin = `${proto}://${host}`;
         }
-        if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
-            return {
-                success: false,
-                error: {
-                    type: "origin_mismatch",
-                    message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
-                },
-            };
+        catch {
+            // do nothing
         }
     }
+    if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
+        return {
+            success: false,
+            error: {
+                type: "origin_mismatch",
+                message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
+            },
+        };
+    }
     return {
         success: true,
         action: {

package/dist/ui/catalog.d.ts

@@ -10,7 +10,11 @@ export declare const snapJsonRenderCatalog: import("@json-render/core").Catalog<
         root: import("@json-render/core").SchemaType<"string", unknown>;
         elements: import("@json-render/core").SchemaType<"record", import("@json-render/core").SchemaType<"object", {
             type: import("@json-render/core").SchemaType<"ref", string>;
-            props: import("@json-render/core").SchemaType<"propsOf", string>;
+            props: {
+                optional: true;
+                kind: "propsOf";
+                inner?: string;
+            };
             children: {
                 optional: true;
                 kind: "array";

package/dist/ui/schema.d.ts

@@ -7,7 +7,11 @@ export declare const snapJsonRenderSchema: import("@json-render/core").Schema<{
         root: import("@json-render/core").SchemaType<"string", unknown>;
         elements: import("@json-render/core").SchemaType<"record", import("@json-render/core").SchemaType<"object", {
             type: import("@json-render/core").SchemaType<"ref", string>;
-            props: import("@json-render/core").SchemaType<"propsOf", string>;
+            props: {
+                optional: true;
+                kind: "propsOf";
+                inner?: string;
+            };
             children: {
                 optional: true;
                 kind: "array";

package/dist/ui/schema.js

@@ -8,7 +8,7 @@ export const snapJsonRenderSchema = defineSchema((s) => ({
         root: s.string(),
         elements: s.record(s.object({
             type: s.ref("catalog.components"),
-            props: s.propsOf("catalog.components"),
+            props: { ...s.propsOf("catalog.components"), optional: true },
             children: { ...s.array(s.string()), optional: true },
         })),
     }),

package/dist/validator.js

@@ -1,5 +1,6 @@
 import { snapResponseSchema } from "./schemas.js";
 import { MAX_CHILDREN, MAX_DEPTH, MAX_ELEMENTS, MAX_ROOT_CHILDREN, SPEC_VERSION_1 } from "./constants.js";
+import { snapJsonRenderCatalog } from "./ui/catalog.js";
 // ─── Helpers ──────────────────────────────────────────
 /** Actions whose `params.target` must be a valid URL. */
 const URL_TARGET_ACTIONS = new Set(["submit", "open_url", "open_mini_app"]);
@@ -202,6 +203,10 @@ export function validateSnapResponse(json) {
         if (urlIssues.length > 0) {
             return { valid: false, issues: urlIssues };
         }
+        const catalogResult = snapJsonRenderCatalog.validate(ui);
+        if (!catalogResult.success) {
+            return { valid: false, issues: catalogResult.error?.issues ?? [] };
+        }
     }
     return { valid: true, issues: [] };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@farcaster/snap",
-  "version": "1.17.1",
+  "version": "1.18.0",
   "description": "Farcaster Snaps 🫰",
   "repository": {
     "type": "git",

package/src/schemas.ts

@@ -81,20 +81,13 @@ const postInputValueSchema = z.union([
   z.array(z.string()),
 ]);
 
-/**
- * @deprecated `nonce` and `audience` are currently optional for backward
- * compatibility but will become **required** in a future major version.
- * Clients should always include both fields.
- */
 export const payloadSchema = z
   .object({
     fid: z.number().int().nonnegative(),
     inputs: z.record(z.string(), postInputValueSchema).default({}),
     timestamp: z.number().int(),
-    /** @deprecated Will become required. Clients should always send a unique nonce. */
-    nonce: z.string().optional(),
-    /** @deprecated Will become required. Clients should always send the target server origin. */
-    audience: z.string().optional(),
+    nonce: z.string(),
+    audience: z.string(),
   })
   .strip();
 

package/src/server/parseRequest.ts

@@ -148,39 +148,29 @@ export async function parseRequest(
     };
   }
 
-  // Deprecation: nonce and audience will become required in a future major version.
-  if (body.nonce === undefined || body.audience === undefined) {
-    console.warn(
-      "[snap] POST payload is missing nonce and/or audience. " +
-        "These fields will be required in a future major version. " +
-        "Please update your client to include both fields.",
-    );
-  }
-
-  if (body.audience !== undefined) {
-    let expectedOrigin = options.requestOrigin;
-    if (expectedOrigin === undefined) {
-      try {
-        const url = new URL(request.url);
-        const proto =
-          request.headers.get("x-forwarded-proto") ??
-          url.protocol.replace(":", "");
-        const host = request.headers.get("x-forwarded-host") ?? url.host;
-        expectedOrigin = `${proto}://${host}`;
-      } catch {
-        // do nothing
-      }
+  // Audience validation: ensure the payload audience matches the server origin.
+  let expectedOrigin = options.requestOrigin;
+  if (expectedOrigin === undefined) {
+    try {
+      const url = new URL(request.url);
+      const proto =
+        request.headers.get("x-forwarded-proto") ??
+        url.protocol.replace(":", "");
+      const host = request.headers.get("x-forwarded-host") ?? url.host;
+      expectedOrigin = `${proto}://${host}`;
+    } catch {
+      // do nothing
     }
+  }
 
-    if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
-      return {
-        success: false,
-        error: {
-          type: "origin_mismatch",
-          message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
-        },
-      };
-    }
+  if (expectedOrigin !== undefined && body.audience !== expectedOrigin) {
+    return {
+      success: false,
+      error: {
+        type: "origin_mismatch",
+        message: `payload audience "${body.audience}" does not match expected origin "${expectedOrigin}"`,
+      },
+    };
   }
 
   return {

package/src/ui/schema.ts

@@ -11,7 +11,7 @@ export const snapJsonRenderSchema = defineSchema(
       elements: s.record(
         s.object({
           type: s.ref("catalog.components"),
-          props: s.propsOf("catalog.components"),
+          props: { ...s.propsOf("catalog.components"), optional: true },
           children: { ...s.array(s.string()), optional: true },
         }),
       ),

package/src/validator.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { snapResponseSchema } from "./schemas";
 import { MAX_CHILDREN, MAX_DEPTH, MAX_ELEMENTS, MAX_ROOT_CHILDREN, SPEC_VERSION_1 } from "./constants";
+import { snapJsonRenderCatalog } from "./ui/catalog.js";
 
 export type ValidationResult = {
   valid: boolean;
@@ -255,6 +256,11 @@ export function validateSnapResponse(json: unknown): ValidationResult {
     if (urlIssues.length > 0) {
       return { valid: false, issues: urlIssues };
     }
+
+    const catalogResult = snapJsonRenderCatalog.validate(ui);
+    if (!catalogResult.success) {
+      return { valid: false, issues: catalogResult.error?.issues ?? [] };
+    }
   }
 
   return { valid: true, issues: [] };