@invonetwork/web-sdk 1.2.0 → 1.2.1
- package/CHANGELOG.md +11 -1
- package/README.md +5 -0
- package/dist/{chunk-P65XQ6VF.js → chunk-U3EDJUQI.js} +3 -3
- package/dist/index.cjs +1 -1
- package/dist/index.js +2 -2
- package/dist/server.cjs +2 -2
- package/dist/server.js +3 -3
- package/package.json +1 -1
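--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to `@invonetwork/web-sdk` are documented here. This project
 [Semantic Versioning](https://semver.org/). Releases are managed with
 [changesets](https://github.com/changesets/changesets).
 
+## [1.2.1] — 2026-07-01
+
+**Fix — browser "Illegal invocation".** The SDK invoked its fetch as `this.fetchImpl(...)`,
+so the browser's native `fetch` ran with the wrong `this` and threw
+`TypeError: Illegal invocation` — breaking every browser `InvoClient` read
+(balance/destinations/pending) and the passkey ceremonies when using the default global
+`fetch` (retries then made it slow on top). The fetch impl is now bound to `globalThis`
+(harmless for a custom `fetch`). No API change. Node/tests were unaffected, which is why it
+slipped through — added a `this`-sensitive regression test.
+
 ## [1.2.0] — 2026-07-01
 
 Two more server-side capabilities on `InvoServer`.
@@ -73,7 +83,7 @@ Start of the **discovery layer** for send/transfer UIs.
 
 ## [0.6.0] — 2026-07-01
 
-Three additive browser flows
+Three additive browser flows for partner front-ends, built to the live backend contracts.
 
 - **`InvoClient.getPendingCollect()`** — the player's own pending-to-collect list
 (player-token `GET /api/sdk/transfers/pending`), PII-free. Each row's `kind`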
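--- a/package/README.md
+++ b/package/README.md
@@ -117,6 +117,11 @@ const client = new InvoClient({
 
 The WebAuthn ceremony still runs in the browser (it must — it's `navigator.credentials`), but transport/auth stays behind your proxy. You keep the SDK's ceremony handling, token-refresh, typed holds, and error classifiers either way.
 
+**Running `InvoServer` in the proxy** (for the game-secret writes — initiate, checkout, purchase — so the secret leaves the browser): see the drop-in reference at [`examples/proxy-server.ts`](examples/proxy-server.ts). Its actor resolver is pluggable:
+
+- **Real partner** (one login = one player) — derive the acting player from your **session**.
+- **Trusted first-party rig** (an internal tool that impersonates arbitrary test players) — the caller names `playerEmail`, guarded by a shared-secret header (`INVO_PROXY_TRUSTED_SECRET`), the same trusted pattern as a `player_email` token minter. Never expose this mode to end-user browsers.
+
 > **Lowest-risk first step:** adopt just `linkDevice` (passkey ↔ app device interchange) — it's purely additive and needs no refactor. See [Passkeys](#passkeys-enroll-approve-link).
 
 ## Before you go live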
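--- a/package/dist/chunk-P65XQ6VF.js
+++ b/package/dist/chunk-U3EDJUQI.js
@@ -104,7 +104,7 @@ var _Http = class _Http {
 "No fetch implementation available. Use Node >=18, or pass `fetch` in the config."
 );
 }
-this.fetchImpl = f;
+this.fetchImpl = f.bind(globalThis);
 this.userAgent = opts.userAgent;
 this.maxRetries = Math.max(0, opts.maxRetries ?? 2);
 this.retryBaseDelayMs = opts.retryBaseDelayMs ?? 250;
@@ -308,5 +308,5 @@ function toDestinationsResult(raw, direction) {
 }
 
 export { Http, InvoError, assertSecureBaseUrl, toDestinationsResult };
-//# sourceMappingURL=chunk-
-//# sourceMappingURL=chunk-
+//# sourceMappingURL=chunk-U3EDJUQI.js.map
+//# sourceMappingURL=chunk-U3EDJUQI.js.map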
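Review bot: The new `this.fetchImpl = f.bind(globalThis);` in the `_Http` constructor assumes `f` is callable, but the guard visible just above it looks like it only covers a missing fetch, so a truthy non-function passed as `fetch` in the config now fails with a bare `f.bind is not a function` instead of the SDK's own error. The guard's condition is outside the hunk, so this is inferred; if it is a falsy check, widen it to `if (typeof f !== "function")` before binding. Binding also pins the `fetch` resolved at construction, so a wrapper installed on `globalThis.fetch` later (request logging, egress allow-listing) is never seen by the client — already true before this change, but worth a comment such as `// bound once here; later replacements of globalThis.fetch are not picked up`. The same line ships in package/dist/index.cjs and package/dist/server.cjs, and since these are bundler output the fix belongs in the TypeScript source.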
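--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -106,7 +106,7 @@ var _Http = class _Http {
 "No fetch implementation available. Use Node >=18, or pass `fetch` in the config."
 );
 }
-this.fetchImpl = f;
+this.fetchImpl = f.bind(globalThis);
 this.userAgent = opts.userAgent;
 this.maxRetries = Math.max(0, opts.maxRetries ?? 2);
 this.retryBaseDelayMs = opts.retryBaseDelayMs ?? 250;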
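--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,5 +1,5 @@
-import { assertSecureBaseUrl, Http, toDestinationsResult, InvoError } from './chunk-
-export { InvoError } from './chunk-
+import { assertSecureBaseUrl, Http, toDestinationsResult, InvoError } from './chunk-U3EDJUQI.js';
+export { InvoError } from './chunk-U3EDJUQI.js';
 
 // src/shared/webauthn.ts
 function b64urlToBuffer(value) {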
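--- a/package/dist/server.cjs
+++ b/package/dist/server.cjs
@@ -108,7 +108,7 @@ var _Http = class _Http {
 "No fetch implementation available. Use Node >=18, or pass `fetch` in the config."
 );
 }
-this.fetchImpl = f;
+this.fetchImpl = f.bind(globalThis);
 this.userAgent = opts.userAgent;
 this.maxRetries = Math.max(0, opts.maxRetries ?? 2);
 this.retryBaseDelayMs = opts.retryBaseDelayMs ?? 250;
@@ -469,7 +469,7 @@ async function hmacHexSubtle(secret, message) {
 }
 
 // src/server.ts
-var DEFAULT_UA = "invonetwork-web-sdk/1.2.
+var DEFAULT_UA = "invonetwork-web-sdk/1.2.1 (+https://invo.network)";
 var MAX_USD_AMOUNT = 999.99;
 var MAX_ITEM_PRICE = 999999.99;
 function invalidInput(label, value, why) {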
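--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -1,5 +1,5 @@
-import { InvoError, assertSecureBaseUrl, Http, toDestinationsResult } from './chunk-
-export { InvoError } from './chunk-
+import { InvoError, assertSecureBaseUrl, Http, toDestinationsResult } from './chunk-U3EDJUQI.js';
+export { InvoError } from './chunk-U3EDJUQI.js';
 import { createHmac } from 'crypto';
 
 var DEFAULT_TOLERANCE_SEC = 300;
@@ -161,7 +161,7 @@ async function hmacHexSubtle(secret, message) {
 }
 
 // src/server.ts
-var DEFAULT_UA = "invonetwork-web-sdk/1.2.
+var DEFAULT_UA = "invonetwork-web-sdk/1.2.1 (+https://invo.network)";
 var MAX_USD_AMOUNT = 999.99;
 var MAX_ITEM_PRICE = 999999.99;
 function invalidInput(label, value, why) {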
package/package.json
CHANGED