@openfort/openfort-js 0.7.4 → 0.7.6

package/dist/index.cjs

@@ -9,10 +9,30 @@ var bytes = require('@ethersproject/bytes');
 var events = require('events');
 var uuid = require('uuid');
 var jose = require('jose');
+var crypto = require('crypto');
 var secp256k1 = require('@noble/curves/secp256k1');
 var signingKey = require('@ethersproject/signing-key');
 var transactions = require('@ethersproject/transactions');
 
+function _interopNamespaceDefault(e) {
+    var n = Object.create(null);
+    if (e) {
+        Object.keys(e).forEach(function (k) {
+            if (k !== 'default') {
+                var d = Object.getOwnPropertyDescriptor(e, k);
+                Object.defineProperty(n, k, d.get ? d : {
+                    enumerable: true,
+                    get: function () { return e[k]; }
+                });
+            }
+        });
+    }
+    n.default = e;
+    return Object.freeze(n);
+}
+
+var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
+
 exports.EmbeddedState = void 0;
 (function (EmbeddedState) {
     EmbeddedState[EmbeddedState["NONE"] = 0] = "NONE";
@@ -61,6 +81,11 @@ exports.OAuthProvider = void 0;
     OAuthProvider["TWITTER"] = "twitter";
     OAuthProvider["FACEBOOK"] = "facebook";
 })(exports.OAuthProvider || (exports.OAuthProvider = {}));
+var CodeChallengeMethodEnum;
+(function (CodeChallengeMethodEnum) {
+    CodeChallengeMethodEnum["PLAIN"] = "plain";
+    CodeChallengeMethodEnum["S256"] = "S256";
+})(CodeChallengeMethodEnum || (CodeChallengeMethodEnum = {}));
 
 /* tslint:disable */
 /* eslint-disable */
@@ -1287,13 +1312,13 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
         /**
          * Start the Email Verification process for a player.
          * @summary Request an Email Verification.
-         * @param {RequestResetPasswordRequest} requestResetPasswordRequest
+         * @param {RequestVerifyEmailRequest} requestVerifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        requestEmailVerification: async (requestResetPasswordRequest, options = {}) => {
-            // verify required parameter 'requestResetPasswordRequest' is not null or undefined
-            assertParamExists('requestEmailVerification', 'requestResetPasswordRequest', requestResetPasswordRequest);
+        requestEmailVerification: async (requestVerifyEmailRequest, options = {}) => {
+            // verify required parameter 'requestVerifyEmailRequest' is not null or undefined
+            assertParamExists('requestEmailVerification', 'requestVerifyEmailRequest', requestVerifyEmailRequest);
             const localVarPath = `/iam/v1/password/email/request_verification`;
             // use dummy base URL string because the URL constructor only accepts absolute URLs.
             const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
@@ -1311,7 +1336,7 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
             setSearchParams(localVarUrlObj, localVarQueryParameter);
             let headersFromBaseOptions = baseOptions && baseOptions.headers ? baseOptions.headers : {};
             localVarRequestOptions.headers = { ...localVarHeaderParameter, ...headersFromBaseOptions, ...options.headers };
-            localVarRequestOptions.data = serializeDataIfNeeded(requestResetPasswordRequest, localVarRequestOptions, configuration);
+            localVarRequestOptions.data = serializeDataIfNeeded(requestVerifyEmailRequest, localVarRequestOptions, configuration);
             return {
                 url: toPathString(localVarUrlObj),
                 options: localVarRequestOptions,
@@ -1512,13 +1537,13 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
         /**
          * Verify a player\'s email address.
          * @summary Verify an email.
-         * @param {ResetPasswordRequest} resetPasswordRequest
+         * @param {VerifyEmailRequest} verifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        verifyEmail: async (resetPasswordRequest, options = {}) => {
-            // verify required parameter 'resetPasswordRequest' is not null or undefined
-            assertParamExists('verifyEmail', 'resetPasswordRequest', resetPasswordRequest);
+        verifyEmail: async (verifyEmailRequest, options = {}) => {
+            // verify required parameter 'verifyEmailRequest' is not null or undefined
+            assertParamExists('verifyEmail', 'verifyEmailRequest', verifyEmailRequest);
             const localVarPath = `/iam/v1/password/email/verify`;
             // use dummy base URL string because the URL constructor only accepts absolute URLs.
             const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
@@ -1536,7 +1561,7 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
             setSearchParams(localVarUrlObj, localVarQueryParameter);
             let headersFromBaseOptions = baseOptions && baseOptions.headers ? baseOptions.headers : {};
             localVarRequestOptions.headers = { ...localVarHeaderParameter, ...headersFromBaseOptions, ...options.headers };
-            localVarRequestOptions.data = serializeDataIfNeeded(resetPasswordRequest, localVarRequestOptions, configuration);
+            localVarRequestOptions.data = serializeDataIfNeeded(verifyEmailRequest, localVarRequestOptions, configuration);
             return {
                 url: toPathString(localVarUrlObj),
                 options: localVarRequestOptions,
@@ -1768,12 +1793,12 @@ const AuthenticationApiFp = function (configuration) {
         /**
          * Start the Email Verification process for a player.
          * @summary Request an Email Verification.
-         * @param {RequestResetPasswordRequest} requestResetPasswordRequest
+         * @param {RequestVerifyEmailRequest} requestVerifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        async requestEmailVerification(requestResetPasswordRequest, options) {
-            const localVarAxiosArgs = await localVarAxiosParamCreator.requestEmailVerification(requestResetPasswordRequest, options);
+        async requestEmailVerification(requestVerifyEmailRequest, options) {
+            const localVarAxiosArgs = await localVarAxiosParamCreator.requestEmailVerification(requestVerifyEmailRequest, options);
             return createRequestFunction(localVarAxiosArgs, globalAxios, BASE_PATH, configuration);
         },
         /**
@@ -1845,12 +1870,12 @@ const AuthenticationApiFp = function (configuration) {
         /**
          * Verify a player\'s email address.
          * @summary Verify an email.
-         * @param {ResetPasswordRequest} resetPasswordRequest
+         * @param {VerifyEmailRequest} verifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        async verifyEmail(resetPasswordRequest, options) {
-            const localVarAxiosArgs = await localVarAxiosParamCreator.verifyEmail(resetPasswordRequest, options);
+        async verifyEmail(verifyEmailRequest, options) {
+            const localVarAxiosArgs = await localVarAxiosParamCreator.verifyEmail(verifyEmailRequest, options);
             return createRequestFunction(localVarAxiosArgs, globalAxios, BASE_PATH, configuration);
         },
         /**
@@ -2037,7 +2062,7 @@ class AuthenticationApi extends BaseAPI {
      * @memberof AuthenticationApi
      */
     requestEmailVerification(requestParameters, options) {
-        return AuthenticationApiFp(this.configuration).requestEmailVerification(requestParameters.requestResetPasswordRequest, options).then((request) => request(this.axios, this.basePath));
+        return AuthenticationApiFp(this.configuration).requestEmailVerification(requestParameters.requestVerifyEmailRequest, options).then((request) => request(this.axios, this.basePath));
     }
     /**
      * Start the Reset process for a player\'s password.
@@ -2114,7 +2139,7 @@ class AuthenticationApi extends BaseAPI {
      * @memberof AuthenticationApi
      */
     verifyEmail(requestParameters, options) {
-        return AuthenticationApiFp(this.configuration).verifyEmail(requestParameters.resetPasswordRequest, options).then((request) => request(this.axios, this.basePath));
+        return AuthenticationApiFp(this.configuration).verifyEmail(requestParameters.verifyEmailRequest, options).then((request) => request(this.axios, this.basePath));
     }
     /**
      * The endpoint verifies the token generated by OAuth provider and retrieves a corresponding player.  Returns the latest 10 transaction intents for the player.
@@ -4505,12 +4530,42 @@ var SignerType;
 
 const isBrowser = () => typeof document !== 'undefined';
 
+const KEY_PKCE_STATE = 'pkce_state';
+const KEY_PKCE_VERIFIER = 'pkce_verifier';
+class DeviceCredentialsManager {
+    savePKCEData(data) {
+        localStorage.setItem(KEY_PKCE_STATE, data.state);
+        localStorage.setItem(KEY_PKCE_VERIFIER, data.verifier);
+    }
+    getPKCEData() {
+        const state = localStorage.getItem(KEY_PKCE_STATE);
+        const verifier = localStorage.getItem(KEY_PKCE_VERIFIER);
+        if (state && verifier) {
+            return { state, verifier };
+        }
+        return null;
+    }
+}
+
+function base64URLEncode(str) {
+    return str.toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}
+function sha256(buffer) {
+    return crypto__namespace.createHash('sha256').update(buffer).digest();
+}
 class AuthManager {
     config;
+    deviceCredentialsManager;
+    instanceManager;
     backendApiClients;
-    constructor(config, backendApiClients) {
+    constructor(config, backendApiClients, instanceManager) {
         this.config = config;
+        this.deviceCredentialsManager = new DeviceCredentialsManager();
         this.backendApiClients = backendApiClients;
+        this.instanceManager = instanceManager;
     }
     async initOAuth(provider, usePooling, options) {
         const request = {
@@ -4521,7 +4576,7 @@ class AuthManager {
             },
         };
         const result = await this.backendApiClients.authenticationApi.initOAuth(request);
-        if (isBrowser() && !options?.skipBrowserRedirect) {
+        if (isBrowser() && options?.skipBrowserRedirect) {
             window.location.assign(result.data.url);
         }
         return {
@@ -4558,6 +4613,13 @@ class AuthManager {
                 // eslint-disable-next-line no-await-in-loop
                 const response = await this.backendApiClients.authenticationApi.poolOAuth(request);
                 if (response.status === 200) {
+                    this.instanceManager.setAccessToken({
+                        token: response.data.token,
+                        thirdPartyProvider: null,
+                        thirdPartyTokenType: null,
+                    });
+                    this.instanceManager.setRefreshToken(response.data.refreshToken);
+                    this.instanceManager.setPlayerID(response.data.player.id);
                     return response.data;
                 }
             }
@@ -4574,7 +4636,7 @@ class AuthManager {
         }
         throw new Error('Failed to pool OAuth, try again later');
     }
-    // Deprecated
+    // @deprecated
     async authenticateOAuth(provider, token, tokenType) {
         const request = {
             authenticateOAuthRequest: {
@@ -4632,6 +4694,83 @@ class AuthManager {
         const response = await this.backendApiClients.authenticationApi.loginEmailPassword(request);
         return response.data;
     }
+    async requestResetPassword(email, redirectUrl) {
+        const verifier = base64URLEncode(crypto__namespace.randomBytes(32));
+        const challenge = base64URLEncode(sha256(verifier));
+        // https://auth0.com/docs/secure/attack-protection/state-parameters
+        const state = base64URLEncode(crypto__namespace.randomBytes(32));
+        this.deviceCredentialsManager.savePKCEData({ state, verifier });
+        const request = {
+            requestResetPasswordRequest: {
+                email,
+                redirectUrl,
+                challenge: {
+                    codeChallenge: challenge,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.requestResetPassword(request);
+    }
+    async resetPassword(email, password, state) {
+        const pkceData = this.deviceCredentialsManager.getPKCEData();
+        if (!pkceData) {
+            throw new Error('No code verifier or state for PKCE');
+        }
+        if (state !== pkceData.state) {
+            throw new Error('Provided state does not match stored state');
+        }
+        const request = {
+            resetPasswordRequest: {
+                email,
+                password,
+                state,
+                challenge: {
+                    codeVerifier: pkceData.verifier,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.resetPassword(request);
+    }
+    async requestEmailVerification(email, redirectUrl) {
+        const verifier = base64URLEncode(crypto__namespace.randomBytes(32));
+        const challenge = base64URLEncode(sha256(verifier));
+        // https://auth0.com/docs/secure/attack-protection/state-parameters
+        const state = base64URLEncode(crypto__namespace.randomBytes(32));
+        this.deviceCredentialsManager.savePKCEData({ state, verifier });
+        const request = {
+            requestVerifyEmailRequest: {
+                email,
+                redirectUrl,
+                challenge: {
+                    codeChallenge: challenge,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.requestEmailVerification(request);
+    }
+    async verifyEmail(email, state) {
+        const pkceData = this.deviceCredentialsManager.getPKCEData();
+        if (!pkceData) {
+            throw new Error('No code verifier or state for PKCE');
+        }
+        if (state !== pkceData.state) {
+            throw new Error('Provided state does not match stored state');
+        }
+        const request = {
+            verifyEmailRequest: {
+                email,
+                token: state,
+                challenge: {
+                    codeVerifier: pkceData.verifier,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.verifyEmail(request);
+    }
     async signupEmailPassword(email, password, name) {
         const request = {
             signupRequest: {
@@ -4643,23 +4782,6 @@ class AuthManager {
         const response = await this.backendApiClients.authenticationApi.signupEmailPassword(request);
         return response.data;
     }
-    async getJWK() {
-        const request = {
-            publishableKey: this.config.baseConfiguration.publishableKey,
-        };
-        const response = await this.backendApiClients.authenticationApi.getJwks(request);
-        if (response.data.keys.length === 0) {
-            throw new Error('No keys found');
-        }
-        const jwtKey = response.data.keys[0];
-        return {
-            kty: jwtKey.kty,
-            crv: jwtKey.crv,
-            x: jwtKey.x,
-            y: jwtKey.y,
-            alg: jwtKey.alg,
-        };
-    }
     async validateCredentials(accessToken, refreshToken, jwk) {
         try {
             const key = (await jose.importJWK({
@@ -4722,7 +4844,6 @@ const accountTypeStorageKey = 'openfort.account_type';
 const accountAddressStorageKey = 'openfort.account_address';
 
 class InstanceManager {
-    authManager;
     authToken = null;
     refreshToken = null;
     signerType = null;
@@ -4735,12 +4856,15 @@ class InstanceManager {
     temporalStorage;
     persistentStorage;
     secureStorage;
+    config;
+    backendApiClients;
     playerId = null;
-    constructor(temporalStorage, persistentStorage, secureStorage, authManager) {
+    constructor(temporalStorage, persistentStorage, secureStorage, config, backendApiClients) {
         this.temporalStorage = temporalStorage;
         this.persistentStorage = persistentStorage;
         this.secureStorage = secureStorage;
-        this.authManager = authManager;
+        this.config = config;
+        this.backendApiClients = backendApiClients;
     }
     getAccessToken() {
         if (!this.authToken) {
@@ -4852,7 +4976,21 @@ class InstanceManager {
             }
         }
         if (!this.jwk) {
-            this.jwk = await this.authManager.getJWK();
+            const request = {
+                publishableKey: this.config.baseConfiguration.publishableKey,
+            };
+            const response = await this.backendApiClients.authenticationApi.getJwks(request);
+            if (response.data.keys.length === 0) {
+                throw new Error('No keys found');
+            }
+            const jwtKey = response.data.keys[0];
+            this.jwk = {
+                kty: jwtKey.kty,
+                crv: jwtKey.crv,
+                x: jwtKey.x,
+                y: jwtKey.y,
+                alg: jwtKey.alg,
+            };
         }
         return this.jwk;
     }
@@ -5546,15 +5684,15 @@ class Openfort {
     signer;
     authManager;
     config;
-    instanceManager;
     backendApiClients;
+    instanceManager;
     iframeManager;
     openfortEventEmitter;
     constructor(sdkConfiguration) {
         this.config = new SDKConfiguration(sdkConfiguration);
         this.backendApiClients = new BackendApiClients(this.config.openfortAPIConfig);
-        this.authManager = new AuthManager(this.config, this.backendApiClients);
-        this.instanceManager = new InstanceManager(new SessionStorage(), new LocalStorage(), new LocalStorage(), this.authManager);
+        this.instanceManager = new InstanceManager(new SessionStorage(), new LocalStorage(), new LocalStorage(), this.config, this.backendApiClients);
+        this.authManager = new AuthManager(this.config, this.backendApiClients, this.instanceManager);
         this.openfortEventEmitter = new TypedEventEmitter();
         this.iframeManager = new IframeManager(this.config);
     }
@@ -5691,8 +5829,21 @@ class Openfort {
         });
         return result;
     }
+    async requestEmailVerification(email, redirectUrl) {
+        await this.authManager.requestEmailVerification(email, redirectUrl);
+    }
+    async resetPassword(email, password, state) {
+        await this.authManager.resetPassword(email, password, state);
+    }
+    async requestResetPassword(email, redirectUrl) {
+        await this.authManager.requestResetPassword(email, redirectUrl);
+    }
+    async verifyEmail(email, state) {
+        await this.authManager.verifyEmail(email, state);
+    }
     async initOAuth(provider, usePooling, options) {
-        return await this.authManager.initOAuth(provider, usePooling, options);
+        const authResponse = await this.authManager.initOAuth(provider, usePooling, options);
+        return authResponse;
     }
     async initLinkOAuth(provider, playerToken, usePooling, options) {
         return await this.authManager.initLinkOAuth(provider, playerToken, usePooling, options);
@@ -5700,6 +5851,7 @@ class Openfort {
     async poolOAuth(key) {
         return await this.authManager.poolOAuth(key);
     }
+    // @deprecated
     async authenticateWithOAuth(provider, token, tokenType) {
         this.instanceManager.removeAccessToken();
         this.instanceManager.removeRefreshToken();
@@ -5773,7 +5925,7 @@ class Openfort {
         const result = await this.backendApiClients.transactionIntentsApi.signature(request);
         return result.data;
     }
-    async signMessage(message) {
+    async signMessage(message, options) {
         await this.recoverSigner();
         if (!this.signer) {
             throw new NoSignerConfigured('No signer configured');
@@ -5781,7 +5933,8 @@ class Openfort {
         if (this.signer.useCredentials()) {
             await this.validateAndRefreshToken();
         }
-        return await this.signer.sign(message, false, true);
+        const { hashMessage = true, arrayifyMessage = false } = options || {};
+        return await this.signer.sign(message, arrayifyMessage, hashMessage);
     }
     async signTypedData(domain, types, value) {
         await this.recoverSigner();

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-import { SessionKey, AuthResponse, OAuthProvider as OAuthProvider$1, InitializeOAuthOptions as InitializeOAuthOptions$1, InitAuthResponse, TokenType as TokenType$1, SIWEInitResponse, ThirdPartyOAuthProvider as ThirdPartyOAuthProvider$1, AuthPlayerResponse as AuthPlayerResponse$1, TransactionIntentResponse as TransactionIntentResponse$1, SessionResponse as SessionResponse$1, EmbeddedState as EmbeddedState$1, SDKOverrides as SDKOverrides$1 } from 'types';
+import { SessionKey, AuthResponse, OAuthProvider as OAuthProvider$1, InitializeOAuthOptions as InitializeOAuthOptions$1, InitAuthResponse, TokenType as TokenType$1, SIWEInitResponse, ThirdPartyOAuthProvider as ThirdPartyOAuthProvider$1, AuthPlayerResponse as AuthPlayerResponse$1, Auth, TransactionIntentResponse as TransactionIntentResponse$1, SessionResponse as SessionResponse$1, EmbeddedState as EmbeddedState$1, SDKOverrides as SDKOverrides$1 } from 'types';
 import { SDKConfiguration as SDKConfiguration$1 } from 'config';
 import { Provider as Provider$1 } from 'evm/types';
 
@@ -71,8 +71,8 @@ declare class Openfort {
     private signer?;
     private readonly authManager;
     private readonly config;
-    private readonly instanceManager;
     private readonly backendApiClients;
+    private readonly instanceManager;
     private readonly iframeManager;
     private readonly openfortEventEmitter;
     constructor(sdkConfiguration: SDKConfiguration$1);
@@ -87,6 +87,10 @@ declare class Openfort {
     private newEmbeddedSigner;
     loginWithEmailPassword(email: string, password: string): Promise<AuthResponse>;
     signUpWithEmailPassword(email: string, password: string, name?: string): Promise<AuthResponse>;
+    requestEmailVerification(email: string, redirectUrl: string): Promise<void>;
+    resetPassword(email: string, password: string, state: string): Promise<void>;
+    requestResetPassword(email: string, redirectUrl: string): Promise<void>;
+    verifyEmail(email: string, state: string): Promise<void>;
     initOAuth(provider: OAuthProvider$1, usePooling?: boolean, options?: InitializeOAuthOptions$1): Promise<InitAuthResponse>;
     initLinkOAuth(provider: OAuthProvider$1, playerToken: string, usePooling?: boolean, options?: InitializeOAuthOptions$1): Promise<InitAuthResponse>;
     poolOAuth(key: string): Promise<AuthResponse>;
@@ -94,9 +98,12 @@ declare class Openfort {
     initSIWE(address: string): Promise<SIWEInitResponse>;
     authenticateWithThirdPartyProvider(provider: ThirdPartyOAuthProvider$1, token: string, tokenType: TokenType$1): Promise<AuthPlayerResponse$1>;
     authenticateWithSIWE(signature: string, message: string, walletClientType: string, connectorType: string): Promise<AuthResponse>;
-    private storeCredentials;
+    storeCredentials(auth: Auth): void;
     sendSignatureTransactionIntentRequest(transactionIntentId: string, userOperationHash?: string | null, signature?: string | null): Promise<TransactionIntentResponse$1>;
-    signMessage(message: string | Uint8Array): Promise<string>;
+    signMessage(message: string | Uint8Array, options?: {
+        hashMessage?: boolean;
+        arrayifyMessage?: boolean;
+    }): Promise<string>;
     signTypedData(domain: TypedDataDomain, types: Record<string, Array<TypedDataField>>, value: Record<string, any>): Promise<string>;
     sendRegisterSessionRequest(sessionId: string, signature: string, optimistic?: boolean): Promise<SessionResponse$1>;
     private recoverSigner;
@@ -106,7 +113,7 @@ declare class Openfort {
     isAuthenticated(): Promise<boolean>;
     getAccessToken(): string | null;
     isLoaded(): boolean;
-    private validateAndRefreshToken;
+    validateAndRefreshToken(): Promise<void>;
 }
 
 declare enum ShieldAuthProvider {
@@ -357,6 +364,7 @@ interface LinkedAccountResponse {
     'provider': AuthProvider;
     'email'?: string;
     'externalUserId'?: string;
+    'verified'?: boolean;
     'disabled': boolean;
     'updatedAt'?: number;
     'address'?: string;

package/dist/index.js

@@ -5,6 +5,7 @@ import { hexlify, joinSignature, arrayify } from '@ethersproject/bytes';
 import { EventEmitter } from 'events';
 import { v4 } from 'uuid';
 import { importJWK, jwtVerify, errors } from 'jose';
+import * as crypto from 'crypto';
 import { secp256k1 } from '@noble/curves/secp256k1';
 import { SigningKey } from '@ethersproject/signing-key';
 import { computeAddress } from '@ethersproject/transactions';
@@ -57,6 +58,11 @@ var OAuthProvider;
     OAuthProvider["TWITTER"] = "twitter";
     OAuthProvider["FACEBOOK"] = "facebook";
 })(OAuthProvider || (OAuthProvider = {}));
+var CodeChallengeMethodEnum;
+(function (CodeChallengeMethodEnum) {
+    CodeChallengeMethodEnum["PLAIN"] = "plain";
+    CodeChallengeMethodEnum["S256"] = "S256";
+})(CodeChallengeMethodEnum || (CodeChallengeMethodEnum = {}));
 
 /* tslint:disable */
 /* eslint-disable */
@@ -1283,13 +1289,13 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
         /**
          * Start the Email Verification process for a player.
          * @summary Request an Email Verification.
-         * @param {RequestResetPasswordRequest} requestResetPasswordRequest
+         * @param {RequestVerifyEmailRequest} requestVerifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        requestEmailVerification: async (requestResetPasswordRequest, options = {}) => {
-            // verify required parameter 'requestResetPasswordRequest' is not null or undefined
-            assertParamExists('requestEmailVerification', 'requestResetPasswordRequest', requestResetPasswordRequest);
+        requestEmailVerification: async (requestVerifyEmailRequest, options = {}) => {
+            // verify required parameter 'requestVerifyEmailRequest' is not null or undefined
+            assertParamExists('requestEmailVerification', 'requestVerifyEmailRequest', requestVerifyEmailRequest);
             const localVarPath = `/iam/v1/password/email/request_verification`;
             // use dummy base URL string because the URL constructor only accepts absolute URLs.
             const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
@@ -1307,7 +1313,7 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
             setSearchParams(localVarUrlObj, localVarQueryParameter);
             let headersFromBaseOptions = baseOptions && baseOptions.headers ? baseOptions.headers : {};
             localVarRequestOptions.headers = { ...localVarHeaderParameter, ...headersFromBaseOptions, ...options.headers };
-            localVarRequestOptions.data = serializeDataIfNeeded(requestResetPasswordRequest, localVarRequestOptions, configuration);
+            localVarRequestOptions.data = serializeDataIfNeeded(requestVerifyEmailRequest, localVarRequestOptions, configuration);
             return {
                 url: toPathString(localVarUrlObj),
                 options: localVarRequestOptions,
@@ -1508,13 +1514,13 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
         /**
          * Verify a player\'s email address.
          * @summary Verify an email.
-         * @param {ResetPasswordRequest} resetPasswordRequest
+         * @param {VerifyEmailRequest} verifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        verifyEmail: async (resetPasswordRequest, options = {}) => {
-            // verify required parameter 'resetPasswordRequest' is not null or undefined
-            assertParamExists('verifyEmail', 'resetPasswordRequest', resetPasswordRequest);
+        verifyEmail: async (verifyEmailRequest, options = {}) => {
+            // verify required parameter 'verifyEmailRequest' is not null or undefined
+            assertParamExists('verifyEmail', 'verifyEmailRequest', verifyEmailRequest);
             const localVarPath = `/iam/v1/password/email/verify`;
             // use dummy base URL string because the URL constructor only accepts absolute URLs.
             const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
@@ -1532,7 +1538,7 @@ const AuthenticationApiAxiosParamCreator = function (configuration) {
             setSearchParams(localVarUrlObj, localVarQueryParameter);
             let headersFromBaseOptions = baseOptions && baseOptions.headers ? baseOptions.headers : {};
             localVarRequestOptions.headers = { ...localVarHeaderParameter, ...headersFromBaseOptions, ...options.headers };
-            localVarRequestOptions.data = serializeDataIfNeeded(resetPasswordRequest, localVarRequestOptions, configuration);
+            localVarRequestOptions.data = serializeDataIfNeeded(verifyEmailRequest, localVarRequestOptions, configuration);
             return {
                 url: toPathString(localVarUrlObj),
                 options: localVarRequestOptions,
@@ -1764,12 +1770,12 @@ const AuthenticationApiFp = function (configuration) {
         /**
          * Start the Email Verification process for a player.
          * @summary Request an Email Verification.
-         * @param {RequestResetPasswordRequest} requestResetPasswordRequest
+         * @param {RequestVerifyEmailRequest} requestVerifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        async requestEmailVerification(requestResetPasswordRequest, options) {
-            const localVarAxiosArgs = await localVarAxiosParamCreator.requestEmailVerification(requestResetPasswordRequest, options);
+        async requestEmailVerification(requestVerifyEmailRequest, options) {
+            const localVarAxiosArgs = await localVarAxiosParamCreator.requestEmailVerification(requestVerifyEmailRequest, options);
             return createRequestFunction(localVarAxiosArgs, globalAxios, BASE_PATH, configuration);
         },
         /**
@@ -1841,12 +1847,12 @@ const AuthenticationApiFp = function (configuration) {
         /**
          * Verify a player\'s email address.
          * @summary Verify an email.
-         * @param {ResetPasswordRequest} resetPasswordRequest
+         * @param {VerifyEmailRequest} verifyEmailRequest
          * @param {*} [options] Override http request option.
          * @throws {RequiredError}
          */
-        async verifyEmail(resetPasswordRequest, options) {
-            const localVarAxiosArgs = await localVarAxiosParamCreator.verifyEmail(resetPasswordRequest, options);
+        async verifyEmail(verifyEmailRequest, options) {
+            const localVarAxiosArgs = await localVarAxiosParamCreator.verifyEmail(verifyEmailRequest, options);
             return createRequestFunction(localVarAxiosArgs, globalAxios, BASE_PATH, configuration);
         },
         /**
@@ -2033,7 +2039,7 @@ class AuthenticationApi extends BaseAPI {
      * @memberof AuthenticationApi
      */
     requestEmailVerification(requestParameters, options) {
-        return AuthenticationApiFp(this.configuration).requestEmailVerification(requestParameters.requestResetPasswordRequest, options).then((request) => request(this.axios, this.basePath));
+        return AuthenticationApiFp(this.configuration).requestEmailVerification(requestParameters.requestVerifyEmailRequest, options).then((request) => request(this.axios, this.basePath));
     }
     /**
      * Start the Reset process for a player\'s password.
@@ -2110,7 +2116,7 @@ class AuthenticationApi extends BaseAPI {
      * @memberof AuthenticationApi
      */
     verifyEmail(requestParameters, options) {
-        return AuthenticationApiFp(this.configuration).verifyEmail(requestParameters.resetPasswordRequest, options).then((request) => request(this.axios, this.basePath));
+        return AuthenticationApiFp(this.configuration).verifyEmail(requestParameters.verifyEmailRequest, options).then((request) => request(this.axios, this.basePath));
     }
     /**
      * The endpoint verifies the token generated by OAuth provider and retrieves a corresponding player.  Returns the latest 10 transaction intents for the player.
@@ -4501,12 +4507,42 @@ var SignerType;
 
 const isBrowser = () => typeof document !== 'undefined';
 
+const KEY_PKCE_STATE = 'pkce_state';
+const KEY_PKCE_VERIFIER = 'pkce_verifier';
+class DeviceCredentialsManager {
+    savePKCEData(data) {
+        localStorage.setItem(KEY_PKCE_STATE, data.state);
+        localStorage.setItem(KEY_PKCE_VERIFIER, data.verifier);
+    }
+    getPKCEData() {
+        const state = localStorage.getItem(KEY_PKCE_STATE);
+        const verifier = localStorage.getItem(KEY_PKCE_VERIFIER);
+        if (state && verifier) {
+            return { state, verifier };
+        }
+        return null;
+    }
+}
+
+function base64URLEncode(str) {
+    return str.toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}
+function sha256(buffer) {
+    return crypto.createHash('sha256').update(buffer).digest();
+}
 class AuthManager {
     config;
+    deviceCredentialsManager;
+    instanceManager;
     backendApiClients;
-    constructor(config, backendApiClients) {
+    constructor(config, backendApiClients, instanceManager) {
         this.config = config;
+        this.deviceCredentialsManager = new DeviceCredentialsManager();
         this.backendApiClients = backendApiClients;
+        this.instanceManager = instanceManager;
     }
     async initOAuth(provider, usePooling, options) {
         const request = {
@@ -4517,7 +4553,7 @@ class AuthManager {
             },
         };
         const result = await this.backendApiClients.authenticationApi.initOAuth(request);
-        if (isBrowser() && !options?.skipBrowserRedirect) {
+        if (isBrowser() && options?.skipBrowserRedirect) {
             window.location.assign(result.data.url);
         }
         return {
@@ -4554,6 +4590,13 @@ class AuthManager {
                 // eslint-disable-next-line no-await-in-loop
                 const response = await this.backendApiClients.authenticationApi.poolOAuth(request);
                 if (response.status === 200) {
+                    this.instanceManager.setAccessToken({
+                        token: response.data.token,
+                        thirdPartyProvider: null,
+                        thirdPartyTokenType: null,
+                    });
+                    this.instanceManager.setRefreshToken(response.data.refreshToken);
+                    this.instanceManager.setPlayerID(response.data.player.id);
                     return response.data;
                 }
             }
@@ -4570,7 +4613,7 @@ class AuthManager {
         }
         throw new Error('Failed to pool OAuth, try again later');
     }
-    // Deprecated
+    // @deprecated
     async authenticateOAuth(provider, token, tokenType) {
         const request = {
             authenticateOAuthRequest: {
@@ -4628,6 +4671,83 @@ class AuthManager {
         const response = await this.backendApiClients.authenticationApi.loginEmailPassword(request);
         return response.data;
     }
+    async requestResetPassword(email, redirectUrl) {
+        const verifier = base64URLEncode(crypto.randomBytes(32));
+        const challenge = base64URLEncode(sha256(verifier));
+        // https://auth0.com/docs/secure/attack-protection/state-parameters
+        const state = base64URLEncode(crypto.randomBytes(32));
+        this.deviceCredentialsManager.savePKCEData({ state, verifier });
+        const request = {
+            requestResetPasswordRequest: {
+                email,
+                redirectUrl,
+                challenge: {
+                    codeChallenge: challenge,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.requestResetPassword(request);
+    }
+    async resetPassword(email, password, state) {
+        const pkceData = this.deviceCredentialsManager.getPKCEData();
+        if (!pkceData) {
+            throw new Error('No code verifier or state for PKCE');
+        }
+        if (state !== pkceData.state) {
+            throw new Error('Provided state does not match stored state');
+        }
+        const request = {
+            resetPasswordRequest: {
+                email,
+                password,
+                state,
+                challenge: {
+                    codeVerifier: pkceData.verifier,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.resetPassword(request);
+    }
+    async requestEmailVerification(email, redirectUrl) {
+        const verifier = base64URLEncode(crypto.randomBytes(32));
+        const challenge = base64URLEncode(sha256(verifier));
+        // https://auth0.com/docs/secure/attack-protection/state-parameters
+        const state = base64URLEncode(crypto.randomBytes(32));
+        this.deviceCredentialsManager.savePKCEData({ state, verifier });
+        const request = {
+            requestVerifyEmailRequest: {
+                email,
+                redirectUrl,
+                challenge: {
+                    codeChallenge: challenge,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.requestEmailVerification(request);
+    }
+    async verifyEmail(email, state) {
+        const pkceData = this.deviceCredentialsManager.getPKCEData();
+        if (!pkceData) {
+            throw new Error('No code verifier or state for PKCE');
+        }
+        if (state !== pkceData.state) {
+            throw new Error('Provided state does not match stored state');
+        }
+        const request = {
+            verifyEmailRequest: {
+                email,
+                token: state,
+                challenge: {
+                    codeVerifier: pkceData.verifier,
+                    method: CodeChallengeMethodEnum.S256,
+                },
+            },
+        };
+        await this.backendApiClients.authenticationApi.verifyEmail(request);
+    }
     async signupEmailPassword(email, password, name) {
         const request = {
             signupRequest: {
@@ -4639,23 +4759,6 @@ class AuthManager {
         const response = await this.backendApiClients.authenticationApi.signupEmailPassword(request);
         return response.data;
     }
-    async getJWK() {
-        const request = {
-            publishableKey: this.config.baseConfiguration.publishableKey,
-        };
-        const response = await this.backendApiClients.authenticationApi.getJwks(request);
-        if (response.data.keys.length === 0) {
-            throw new Error('No keys found');
-        }
-        const jwtKey = response.data.keys[0];
-        return {
-            kty: jwtKey.kty,
-            crv: jwtKey.crv,
-            x: jwtKey.x,
-            y: jwtKey.y,
-            alg: jwtKey.alg,
-        };
-    }
     async validateCredentials(accessToken, refreshToken, jwk) {
         try {
             const key = (await importJWK({
@@ -4718,7 +4821,6 @@ const accountTypeStorageKey = 'openfort.account_type';
 const accountAddressStorageKey = 'openfort.account_address';
 
 class InstanceManager {
-    authManager;
     authToken = null;
     refreshToken = null;
     signerType = null;
@@ -4731,12 +4833,15 @@ class InstanceManager {
     temporalStorage;
     persistentStorage;
     secureStorage;
+    config;
+    backendApiClients;
     playerId = null;
-    constructor(temporalStorage, persistentStorage, secureStorage, authManager) {
+    constructor(temporalStorage, persistentStorage, secureStorage, config, backendApiClients) {
         this.temporalStorage = temporalStorage;
         this.persistentStorage = persistentStorage;
         this.secureStorage = secureStorage;
-        this.authManager = authManager;
+        this.config = config;
+        this.backendApiClients = backendApiClients;
     }
     getAccessToken() {
         if (!this.authToken) {
@@ -4848,7 +4953,21 @@ class InstanceManager {
             }
         }
         if (!this.jwk) {
-            this.jwk = await this.authManager.getJWK();
+            const request = {
+                publishableKey: this.config.baseConfiguration.publishableKey,
+            };
+            const response = await this.backendApiClients.authenticationApi.getJwks(request);
+            if (response.data.keys.length === 0) {
+                throw new Error('No keys found');
+            }
+            const jwtKey = response.data.keys[0];
+            this.jwk = {
+                kty: jwtKey.kty,
+                crv: jwtKey.crv,
+                x: jwtKey.x,
+                y: jwtKey.y,
+                alg: jwtKey.alg,
+            };
         }
         return this.jwk;
     }
@@ -5542,15 +5661,15 @@ class Openfort {
     signer;
     authManager;
     config;
-    instanceManager;
     backendApiClients;
+    instanceManager;
     iframeManager;
     openfortEventEmitter;
     constructor(sdkConfiguration) {
         this.config = new SDKConfiguration(sdkConfiguration);
         this.backendApiClients = new BackendApiClients(this.config.openfortAPIConfig);
-        this.authManager = new AuthManager(this.config, this.backendApiClients);
-        this.instanceManager = new InstanceManager(new SessionStorage(), new LocalStorage(), new LocalStorage(), this.authManager);
+        this.instanceManager = new InstanceManager(new SessionStorage(), new LocalStorage(), new LocalStorage(), this.config, this.backendApiClients);
+        this.authManager = new AuthManager(this.config, this.backendApiClients, this.instanceManager);
         this.openfortEventEmitter = new TypedEventEmitter();
         this.iframeManager = new IframeManager(this.config);
     }
@@ -5687,8 +5806,21 @@ class Openfort {
         });
         return result;
     }
+    async requestEmailVerification(email, redirectUrl) {
+        await this.authManager.requestEmailVerification(email, redirectUrl);
+    }
+    async resetPassword(email, password, state) {
+        await this.authManager.resetPassword(email, password, state);
+    }
+    async requestResetPassword(email, redirectUrl) {
+        await this.authManager.requestResetPassword(email, redirectUrl);
+    }
+    async verifyEmail(email, state) {
+        await this.authManager.verifyEmail(email, state);
+    }
     async initOAuth(provider, usePooling, options) {
-        return await this.authManager.initOAuth(provider, usePooling, options);
+        const authResponse = await this.authManager.initOAuth(provider, usePooling, options);
+        return authResponse;
     }
     async initLinkOAuth(provider, playerToken, usePooling, options) {
         return await this.authManager.initLinkOAuth(provider, playerToken, usePooling, options);
@@ -5696,6 +5828,7 @@ class Openfort {
     async poolOAuth(key) {
         return await this.authManager.poolOAuth(key);
     }
+    // @deprecated
     async authenticateWithOAuth(provider, token, tokenType) {
         this.instanceManager.removeAccessToken();
         this.instanceManager.removeRefreshToken();
@@ -5769,7 +5902,7 @@ class Openfort {
         const result = await this.backendApiClients.transactionIntentsApi.signature(request);
         return result.data;
     }
-    async signMessage(message) {
+    async signMessage(message, options) {
         await this.recoverSigner();
         if (!this.signer) {
             throw new NoSignerConfigured('No signer configured');
@@ -5777,7 +5910,8 @@ class Openfort {
         if (this.signer.useCredentials()) {
             await this.validateAndRefreshToken();
         }
-        return await this.signer.sign(message, false, true);
+        const { hashMessage = true, arrayifyMessage = false } = options || {};
+        return await this.signer.sign(message, arrayifyMessage, hashMessage);
     }
     async signTypedData(domain, types, value) {
         await this.recoverSigner();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openfort/openfort-js",
-  "version": "0.7.4",
+  "version": "0.7.6",
   "author": "Openfort (https://www.openfort.xyz)",
   "bugs": "https://github.com/openfort-xyz/openfort-js/issues",
   "repository": "openfort-xyz/openfort-js.git",