@kawaiininja/fetch 1.0.1 → 1.0.3

package/dist/hooks/useFetch.js

@@ -1,3 +1,4 @@
+import { SecureStoragePlugin } from "capacitor-secure-storage-plugin";
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { INTERNAL_HEADER } from "../context/ApiContext";
 import { useApiConfig } from "./useApiConfig";
@@ -31,21 +32,58 @@ export const useFetch = (endpoint, baseOptions = {}) => {
         }
     }, []);
     const performFetch = async (url, method, token, body, headers, rest) => {
-        const authToken = typeof window !== "undefined" ? localStorage.getItem("token") : null;
-        const sessionId = typeof window !== "undefined" ? localStorage.getItem("session_id") : null;
+        // 🌍 PLATFORM DETECTION
+        // We check if we are running natively (iOS/Android) or on the Web
+        const platform = typeof window !== "undefined"
+            ? window.Capacitor?.getPlatform() || "web"
+            : "web";
+        const isNative = platform === "ios" || platform === "android";
+        // 🎯 TARGET CHECK (Prevent Credential Leakage)
+        // Only attach sensitive headers if sending to our own API
+        const isInternal = url.startsWith("/") ||
+            (apiUrl("") && url.startsWith(apiUrl(""))) ||
+            false;
         const headersConfig = {
             ...(optionsRef.current.headers || {}),
             ...(headers || {}),
             ...INTERNAL_HEADER,
-            "X-CSRF-Token": token,
-            ...(authToken ? { Authorization: `Bearer ${authToken}` } : {}),
-            ...(sessionId ? { "X-Session-ID": sessionId } : {}),
         };
+        // 🔒 SECURITY STRATEGY: NATIVE (MOBILE)
+        if (isNative && isInternal) {
+            // Mobile relies on manual headers ("Active Courier")
+            // We DO NOT use CSRF tokens on mobile (Cookies generally don't work reliably here)
+            // 🛡️ S-RANK UPGRADE: Use Secure Storage (Async) instead of LocalStorage
+            try {
+                const { value: authToken } = await SecureStoragePlugin.get({
+                    key: "token",
+                }).catch(() => ({ value: null }));
+                const { value: sessionId } = await SecureStoragePlugin.get({
+                    key: "session_id",
+                }).catch(() => ({ value: null }));
+                if (authToken)
+                    headersConfig["Authorization"] = `Bearer ${authToken}`;
+                if (sessionId)
+                    headersConfig["X-Session-ID"] = sessionId;
+            }
+            catch (err) {
+                // Determine if we should log this - might be noisy if keys just don't exist yet
+            }
+        }
+        // 🔒 SECURITY STRATEGY: WEB (BROWSER)
+        if (!isNative && isInternal) {
+            // Web relies on Cookies ("Passive Courier") for Auth
+            // BUT we MUST attach the CSRF Token to prevent attacks
+            if (token)
+                headersConfig["X-CSRF-Token"] = token;
+            // On Web, we DO NOT attach 'Authorization' or 'Session-ID' from localStorage
+            // This minimizes XSS risk. The HttpOnly cookie handles it.
+        }
         return fetch(url, {
             ...optionsRef.current,
             ...rest,
             method,
             signal: abortRef.current.signal,
+            // 🍪 Web: "include" sends cookies. Mobile: ignored/useless but harmless.
             credentials: "include",
             headers: headersConfig,
             body,

package/package.json

@@ -1,40 +1,46 @@
-{
-    "name": "@kawaiininja/fetch",
-    "version": "1.0.1",
-    "description": "Core fetch utility for Onyx Framework",
-    "main": "dist/index.js",
-    "types": "dist/index.d.ts",
-    "module": "dist/index.js",
-    "type": "module",
-    "exports": {
-        ".": "./dist/index.js"
-    },
-    "files": [
-        "dist",
-        "README.md"
-    ],
-    "scripts": {
-        "build": "tsc"
-    },
-    "keywords": [
-        "react",
-        "fetch",
-        "onyx",
-        "kawaiininja",
-        "http"
-    ],
-    "author": "Vinay (4kawaiininja)",
-    "license": "MIT",
-    "peerDependencies": {
-        "react": "^18.0.0 || ^19.0.0",
-        "react-dom": "^18.0.0 || ^19.0.0"
-    },
-    "publishConfig": {
-        "access": "public"
-    },
-    "devDependencies": {
-        "@types/react": "^19.2.7",
-        "@types/react-dom": "^19.2.3",
-        "typescript": "^5.7.0"
-    }
-}
+{
+    "name": "@kawaiininja/fetch",
+    "version": "1.0.3",
+    "description": "Core fetch utility for Onyx Framework",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "module": "dist/index.js",
+    "type": "module",
+    "exports": {
+        ".": "./dist/index.js"
+    },
+    "files": [
+        "dist",
+        "README.md"
+    ],
+    "scripts": {
+        "build": "tsc"
+    },
+    "keywords": [
+        "react",
+        "fetch",
+        "onyx",
+        "kawaiininja",
+        "http"
+    ],
+    "author": "Vinay (4kawaiininja)",
+    "license": "MIT",
+    "peerDependencies": {
+        "react": "^18.0.0 || ^19.0.0",
+        "react-dom": "^18.0.0 || ^19.0.0"
+    },
+    "publishConfig": {
+        "access": "public"
+    },
+    "devDependencies": {
+        "@types/react": "^19.2.7",
+        "@types/react-dom": "^19.2.3",
+        "typescript": "^5.7.0"
+    },
+    "dependencies": {
+        "@capacitor-community/security-provider": "^7.0.0",
+        "@capacitor-community/text-to-speech": "^6.1.0",
+        "@capacitor/core": "^8.0.1",
+        "capacitor-secure-storage-plugin": "^0.13.0"
+    }
+}