@invonetwork/web-sdk 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -4,6 +4,16 @@ All notable changes to `@invonetwork/web-sdk` are documented here. This project
4
4
  [Semantic Versioning](https://semver.org/). Releases are managed with
5
5
  [changesets](https://github.com/changesets/changesets).
6
6
 
7
+ ## [1.2.1] — 2026-07-01
8
+
9
+ **Fix — browser "Illegal invocation".** The SDK invoked its fetch as `this.fetchImpl(...)`,
10
+ so the browser's native `fetch` ran with the wrong `this` and threw
11
+ `TypeError: Illegal invocation` — breaking every browser `InvoClient` read
12
+ (balance/destinations/pending) and the passkey ceremonies when using the default global
13
+ `fetch` (retries then made it slow on top). The fetch impl is now bound to `globalThis`
14
+ (harmless for a custom `fetch`). No API change. Node/tests were unaffected, which is why it
15
+ slipped through — added a `this`-sensitive regression test.
16
+
7
17
  ## [1.2.0] — 2026-07-01
8
18
 
9
19
  Two more server-side capabilities on `InvoServer`.
@@ -73,7 +83,7 @@ Start of the **discovery layer** for send/transfer UIs.
73
83
 
74
84
  ## [0.6.0] — 2026-07-01
75
85
 
76
- Three additive browser flows the dashboard needed, built to the live backend contracts.
86
+ Three additive browser flows for partner front-ends, built to the live backend contracts.
77
87
 
78
88
  - **`InvoClient.getPendingCollect()`** — the player's own pending-to-collect list
79
89
  (player-token `GET /api/sdk/transfers/pending`), PII-free. Each row's `kind`
package/README.md CHANGED
@@ -117,6 +117,11 @@ const client = new InvoClient({
117
117
 
118
118
  The WebAuthn ceremony still runs in the browser (it must — it's `navigator.credentials`), but transport/auth stays behind your proxy. You keep the SDK's ceremony handling, token-refresh, typed holds, and error classifiers either way.
119
119
 
120
+ **Running `InvoServer` in the proxy** (for the game-secret writes — initiate, checkout, purchase — so the secret leaves the browser): see the drop-in reference at [`examples/proxy-server.ts`](examples/proxy-server.ts). Its actor resolver is pluggable:
121
+
122
+ - **Real partner** (one login = one player) — derive the acting player from your **session**.
123
+ - **Trusted first-party rig** (an internal tool that impersonates arbitrary test players) — the caller names `playerEmail`, guarded by a shared-secret header (`INVO_PROXY_TRUSTED_SECRET`), the same trusted pattern as a `player_email` token minter. Never expose this mode to end-user browsers.
124
+
120
125
  > **Lowest-risk first step:** adopt just `linkDevice` (passkey ↔ app device interchange) — it's purely additive and needs no refactor. See [Passkeys](#passkeys-enroll-approve-link).
121
126
 
122
127
  ## Before you go live
@@ -104,7 +104,7 @@ var _Http = class _Http {
104
104
  "No fetch implementation available. Use Node >=18, or pass `fetch` in the config."
105
105
  );
106
106
  }
107
- this.fetchImpl = f;
107
+ this.fetchImpl = f.bind(globalThis);
108
108
  this.userAgent = opts.userAgent;
109
109
  this.maxRetries = Math.max(0, opts.maxRetries ?? 2);
110
110
  this.retryBaseDelayMs = opts.retryBaseDelayMs ?? 250;
@@ -308,5 +308,5 @@ function toDestinationsResult(raw, direction) {
308
308
  }
309
309
 
310
310
  export { Http, InvoError, assertSecureBaseUrl, toDestinationsResult };
311
- //# sourceMappingURL=chunk-P65XQ6VF.js.map
312
- //# sourceMappingURL=chunk-P65XQ6VF.js.map
311
+ //# sourceMappingURL=chunk-U3EDJUQI.js.map
312
+ //# sourceMappingURL=chunk-U3EDJUQI.js.map
package/dist/index.cjs CHANGED
@@ -106,7 +106,7 @@ var _Http = class _Http {
106
106
  "No fetch implementation available. Use Node >=18, or pass `fetch` in the config."
107
107
  );
108
108
  }
109
- this.fetchImpl = f;
109
+ this.fetchImpl = f.bind(globalThis);
110
110
  this.userAgent = opts.userAgent;
111
111
  this.maxRetries = Math.max(0, opts.maxRetries ?? 2);
112
112
  this.retryBaseDelayMs = opts.retryBaseDelayMs ?? 250;
package/dist/index.js CHANGED
@@ -1,5 +1,5 @@
1
- import { assertSecureBaseUrl, Http, toDestinationsResult, InvoError } from './chunk-P65XQ6VF.js';
2
- export { InvoError } from './chunk-P65XQ6VF.js';
1
+ import { assertSecureBaseUrl, Http, toDestinationsResult, InvoError } from './chunk-U3EDJUQI.js';
2
+ export { InvoError } from './chunk-U3EDJUQI.js';
3
3
 
4
4
  // src/shared/webauthn.ts
5
5
  function b64urlToBuffer(value) {
package/dist/server.cjs CHANGED
@@ -108,7 +108,7 @@ var _Http = class _Http {
108
108
  "No fetch implementation available. Use Node >=18, or pass `fetch` in the config."
109
109
  );
110
110
  }
111
- this.fetchImpl = f;
111
+ this.fetchImpl = f.bind(globalThis);
112
112
  this.userAgent = opts.userAgent;
113
113
  this.maxRetries = Math.max(0, opts.maxRetries ?? 2);
114
114
  this.retryBaseDelayMs = opts.retryBaseDelayMs ?? 250;
@@ -469,7 +469,7 @@ async function hmacHexSubtle(secret, message) {
469
469
  }
470
470
 
471
471
  // src/server.ts
472
- var DEFAULT_UA = "invonetwork-web-sdk/1.2.0 (+https://invo.network)";
472
+ var DEFAULT_UA = "invonetwork-web-sdk/1.2.1 (+https://invo.network)";
473
473
  var MAX_USD_AMOUNT = 999.99;
474
474
  var MAX_ITEM_PRICE = 999999.99;
475
475
  function invalidInput(label, value, why) {
package/dist/server.js CHANGED
@@ -1,5 +1,5 @@
1
- import { InvoError, assertSecureBaseUrl, Http, toDestinationsResult } from './chunk-P65XQ6VF.js';
2
- export { InvoError } from './chunk-P65XQ6VF.js';
1
+ import { InvoError, assertSecureBaseUrl, Http, toDestinationsResult } from './chunk-U3EDJUQI.js';
2
+ export { InvoError } from './chunk-U3EDJUQI.js';
3
3
  import { createHmac } from 'crypto';
4
4
 
5
5
  var DEFAULT_TOLERANCE_SEC = 300;
@@ -161,7 +161,7 @@ async function hmacHexSubtle(secret, message) {
161
161
  }
162
162
 
163
163
  // src/server.ts
164
- var DEFAULT_UA = "invonetwork-web-sdk/1.2.0 (+https://invo.network)";
164
+ var DEFAULT_UA = "invonetwork-web-sdk/1.2.1 (+https://invo.network)";
165
165
  var MAX_USD_AMOUNT = 999.99;
166
166
  var MAX_ITEM_PRICE = 999999.99;
167
167
  function invalidInput(label, value, why) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@invonetwork/web-sdk",
3
- "version": "1.2.0",
3
+ "version": "1.2.1",
4
4
  "description": "INVO Web SDK — currency purchase + passkey (WebAuthn) verification for partner web platforms.",
5
5
  "license": "SEE LICENSE IN LICENSE",
6
6
  "private": false,