@openfort/react 1.0.6 → 1.0.8

package/build/components/Pages/SelectWalletToRecover/index.js

@@ -6,19 +6,50 @@ import { toSolanaUserWallet } from '../../../hooks/openfort/walletTypes.js';
 import { useResolvedIdentity } from '../../../hooks/useResolvedIdentity.js';
 import { useOpenfortCore } from '../../../openfort/useOpenfort.js';
 import { useSolanaEmbeddedWallet } from '../../../solana/hooks/useSolanaEmbeddedWallet.js';
+import styled from '../../../styles/styled/index.js';
 import 'detect-browser';
 import 'react';
 import { truncateEthAddress } from '../../../utils/format.js';
 import { walletConfigs } from '../../../wallets/walletConfigs.js';
 import Button from '../../Common/Button/index.js';
 import { ModalHeading } from '../../Common/Modal/styles.js';
-import { WalletRecoveryIcon } from '../../Common/WalletRecoveryIcon/index.js';
+import { RECOVERY_METHOD_LABEL, WalletRecoveryIcon } from '../../Common/WalletRecoveryIcon/index.js';
 import { recoverRoute } from '../../Openfort/routeHelpers.js';
 import { routes } from '../../Openfort/types.js';
 import { useOpenfort } from '../../Openfort/useOpenfort.js';
 import { PageContent } from '../../PageContent/index.js';
 import { ProvidersButton, ProviderLabel, ProviderIcon } from '../Providers/styles.js';
 
+const RecoveryTag = styled.span `
+  display: inline-flex;
+  align-items: center;
+  padding: 2px 8px;
+  border-radius: 6px;
+  font-size: 11px;
+  font-weight: 600;
+  line-height: 16px;
+  white-space: nowrap;
+  background: var(--ck-body-background-secondary, #f0f0f0);
+  color: var(--ck-body-color-muted, #999);
+`;
+const WalletListScroll = styled.div `
+  max-height: min(400px, 50vh);
+  overflow-x: hidden;
+  overflow-y: auto;
+
+  &::-webkit-scrollbar {
+    width: 4px;
+  }
+  &::-webkit-scrollbar-track {
+    background: transparent;
+  }
+  &::-webkit-scrollbar-thumb {
+    background: var(--ck-body-color-muted, #c47a2a);
+    border-radius: 4px;
+  }
+  scrollbar-width: thin;
+  scrollbar-color: var(--ck-body-color-muted, #c47a2a) transparent;
+`;
 function WalletRow({ chainType, wallet, }) {
     var _a;
     const { setRoute } = useOpenfort();
@@ -54,16 +85,23 @@ function WalletRow({ chainType, wallet, }) {
         }
         setRoute(recoverRoute(chainType, wallet));
     };
-    return (jsx(ProvidersButton, { children: jsxs(Button, { onClick: handleClick, children: [jsx(ProviderLabel, { children: display }), jsx(ProviderIcon, { children: walletIcon() })] }) }));
+    const tag = wallet.recoveryMethod != null ? RECOVERY_METHOD_LABEL[wallet.recoveryMethod] : undefined;
+    return (jsx(ProvidersButton, { children: jsxs(Button, { onClick: handleClick, children: [jsxs(ProviderLabel, { children: [display, tag && jsx(RecoveryTag, { children: tag })] }), jsx(ProviderIcon, { children: walletIcon() })] }) }));
 }
+/** Connected-page routes that indicate the user navigated here from "Manage wallets" */
+const CONNECTED_ROUTES = new Set([routes.CONNECTED, routes.ETH_CONNECTED, routes.SOL_CONNECTED]);
 function SelectWalletToRecover() {
     const { chainType } = useOpenfortCore();
+    const { previousRoute } = useOpenfort();
     const ethereumWallet = useEthereumEmbeddedWallet();
     const solanaWallet = useSolanaEmbeddedWallet();
     const embeddedWallet = chainType === ChainTypeEnum.EVM ? ethereumWallet : solanaWallet;
     const wallets = embeddedWallet.wallets;
     const list = wallets.map((wallet) => jsx(WalletRow, { chainType: chainType, wallet: wallet }, wallet.id));
-    return (jsxs(PageContent, { onBack: routes.PROVIDERS, logoutOnBack: true, children: [jsx(ModalHeading, { children: "Select a wallet to recover" }), list] }));
+    // When arriving from a connected page (Manage wallets), go back there without logging out.
+    // When arriving from the login flow, go back to providers and log out.
+    const fromConnected = previousRoute != null && CONNECTED_ROUTES.has(previousRoute.route);
+    return (jsxs(PageContent, { onBack: fromConnected ? 'back' : routes.PROVIDERS, logoutOnBack: !fromConnected, children: [jsx(ModalHeading, { children: "Select a wallet" }), jsx(WalletListScroll, { children: list })] }));
 }
 
 export { SelectWalletToRecover as default };

package/build/components/Pages/SelectWalletToRecover/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
+{"version":3,"file":"index.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/ethereum/hooks/useEthereumEmbeddedWallet.js

@@ -139,6 +139,11 @@ function useEthereumEmbeddedWallet(options) {
                 ...(accountType !== DEFAULT_ACCOUNT_TYPE && { chainId: (_d = createOptions === null || createOptions === void 0 ? void 0 : createOptions.chainId) !== null && _d !== void 0 ? _d : creationChainId }),
                 recoveryParams,
             });
+            // Set the address before fetching accounts or setting connected state.
+            // This prevents a race where the sync effect sees status='connected' but
+            // no activeEmbeddedAddress and disconnects (especially for the first wallet
+            // when embeddedAccounts is still empty).
+            setActiveEmbeddedAddress(account.address);
             await updateEmbeddedAccounts({ silent: true });
             const provider = await getEmbeddedEthereumProvider();
             const connectedWallet = buildConnectedWallet(account, 0, async () => provider, {
@@ -151,7 +156,6 @@ function useEthereumEmbeddedWallet(options) {
                 provider,
                 error: null,
             });
-            setActiveEmbeddedAddress(account.address);
             (_e = createOptions === null || createOptions === void 0 ? void 0 : createOptions.onSuccess) === null || _e === void 0 ? void 0 : _e.call(createOptions, { account });
             return account;
         }

package/build/ethereum/hooks/useEthereumEmbeddedWallet.js.map

@@ -1 +1 @@
-{"version":3,"file":"useEthereumEmbeddedWallet.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
+{"version":3,"file":"useEthereumEmbeddedWallet.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/hooks/openfort/auth/useAuthCallback.d.ts

@@ -1,4 +1,4 @@
-import type { UIAuthProvider } from '../../../components/Openfort/types';
+import { UIAuthProvider } from '../../../components/Openfort/types';
 import { OpenfortError } from '../../../core/errors';
 import type { OpenfortHookOptions } from '../../../types';
 import type { CreateWalletPostAuthOptions } from './useConnectToWalletPostAuth';

package/build/hooks/openfort/auth/useAuthCallback.js

@@ -1,6 +1,8 @@
 import { useState, useRef, useEffect } from 'react';
+import { UIAuthProvider } from '../../../components/Openfort/types.js';
 import { OpenfortError, OpenfortReactErrorType } from '../../../types.js';
 import { logger } from '../../../utils/logger.js';
+import { parseCallbackUrl, suppressReferrer } from '../../../utils/urlSecurity.js';
 import { useEmailAuth } from './useEmailAuth.js';
 import { useOAuth } from './useOAuth.js';
 
@@ -79,17 +81,27 @@ const useAuthCallback = ({ enabled = true, // Automatically handle OAuth and ema
         if (callbackProcessedRef.current)
             return;
         callbackProcessedRef.current = true;
+        // Parse callback URL (fixes OF-1013 duplicate `?` issue)
+        const url = parseCallbackUrl(window.location.href);
+        const rawProvider = url.searchParams.get('openfortAuthProvider');
+        // Allowlist: UIAuthProvider values + callback-only providers set by buildCallbackUrl
+        const validProviders = new Set([
+            ...Object.values(UIAuthProvider),
+            'email', // set by buildCallbackUrl for email verification
+            'password', // set by buildCallbackUrl for password reset
+        ]);
+        if (!rawProvider || !validProviders.has(rawProvider)) {
+            return;
+        }
+        // Validated against the allowlist above
+        const openfortAuthProvider = rawProvider;
+        // Suppress Referer SYNCHRONOUSLY — before any async work — so that
+        // subresource requests cannot leak access_token to third parties.
+        const restoreReferrer = suppressReferrer();
         (async () => {
             var _a, _b, _c;
-            // redirectUrl is not working with query params OF-1013
-            const fixedUrl = window.location.href.replace('?state=', '&state=');
-            const url = new URL(fixedUrl);
-            const openfortAuthProvider = url.searchParams.get('openfortAuthProvider');
-            if (!openfortAuthProvider) {
-                return;
-            }
             setProvider(openfortAuthProvider);
-            if (openfortAuthProvider === 'email') {
+            if (openfortAuthProvider === 'email' || openfortAuthProvider === 'password') {
                 // Email verification flow
                 // The backend verifies the email server-side via /auth/verify-email?token=...
                 // and then redirects here. If a `state` token is present we verify client-side
@@ -101,6 +113,7 @@ const useAuthCallback = ({ enabled = true, // Automatically handle OAuth and ema
                         url.searchParams.delete(key);
                     });
                     window.history.replaceState({}, document.title, url.toString());
+                    restoreReferrer();
                 };
                 if (state && email) {
                     // State present — verify client-side as well
@@ -130,6 +143,7 @@ const useAuthCallback = ({ enabled = true, // Automatically handle OAuth and ema
                     removeParams();
                 }
                 else {
+                    restoreReferrer();
                     const err = new OpenfortError('No email found in URL', OpenfortReactErrorType.AUTHENTICATION_ERROR);
                     logger.error('No email found in URL');
                     (_b = hookOptions.onError) === null || _b === void 0 ? void 0 : _b.call(hookOptions, err);
@@ -142,6 +156,7 @@ const useAuthCallback = ({ enabled = true, // Automatically handle OAuth and ema
                 const userId = url.searchParams.get('user_id');
                 const token = url.searchParams.get('access_token');
                 if (!userId || !token) {
+                    restoreReferrer();
                     logger.error(`Missing user id or access token`, {
                         hasUserId: !!userId,
                         hasToken: !!token,
@@ -157,6 +172,7 @@ const useAuthCallback = ({ enabled = true, // Automatically handle OAuth and ema
                         url.searchParams.delete(key);
                     });
                     window.history.replaceState({}, document.title, url.toString());
+                    restoreReferrer();
                 };
                 logger.log('callback', { userId });
                 const options = {

package/build/hooks/openfort/auth/useAuthCallback.js.map

@@ -1 +1 @@
-{"version":3,"file":"useAuthCallback.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
+{"version":3,"file":"useAuthCallback.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/hooks/useResolvedIdentity.js

@@ -61,7 +61,10 @@ function useResolvedIdentity(options) {
     var _a, _b, _c, _d, _e;
     const { address, chainType = ChainTypeEnum.EVM, ensChainId = 0, enabled = true } = options;
     const { walletConfig } = useOpenfort();
-    const rpcUrl = (_c = (_b = (_a = walletConfig === null || walletConfig === void 0 ? void 0 : walletConfig.ethereum) === null || _a === void 0 ? void 0 : _a.rpcUrls) === null || _b === void 0 ? void 0 : _b[ensChainId]) !== null && _c !== void 0 ? _c : getDefaultEthereumRpcUrl(ensChainId);
+    // Only resolve RPC URL for mainnet (ensChainId === 1) — chainId 0 means "do not resolve"
+    const rpcUrl = ensChainId === 1
+        ? ((_c = (_b = (_a = walletConfig === null || walletConfig === void 0 ? void 0 : walletConfig.ethereum) === null || _a === void 0 ? void 0 : _a.rpcUrls) === null || _b === void 0 ? void 0 : _b[ensChainId]) !== null && _c !== void 0 ? _c : getDefaultEthereumRpcUrl(ensChainId))
+        : undefined;
     const isEnabled = enabled && !!address && address.length > 0 && ensChainId === 1 && !!rpcUrl;
     const { data, error, isLoading } = useAsyncData({
         queryKey: ['identity', chainType, address, ensChainId],

package/build/hooks/useResolvedIdentity.js.map

@@ -1 +1 @@
-{"version":3,"file":"useResolvedIdentity.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
+{"version":3,"file":"useResolvedIdentity.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/openfort/CoreOpenfortProvider.js

@@ -219,6 +219,7 @@ const CoreOpenfortProvider = ({ children, onConnect, onDisconnect, openfortConfi
         storeActiveEmbeddedAddress,
         chainType,
         store,
+        walletConfig,
     });
     // Current chain for EVM provider reconfiguration
     const evmChainId = (strategy === null || strategy === void 0 ? void 0 : strategy.chainType) === ChainTypeEnum.EVM ? (bridge ? bridge.chainId : strategy === null || strategy === void 0 ? void 0 : strategy.getChainId()) : undefined;

package/build/openfort/CoreOpenfortProvider.js.map

@@ -1 +1 @@
-{"version":3,"file":"CoreOpenfortProvider.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
+{"version":3,"file":"CoreOpenfortProvider.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/openfort/hooks/useActiveAddressSync.d.ts

@@ -1,5 +1,6 @@
 import { type ChainTypeEnum, type Openfort } from '@openfort/openfort-js';
 import type { StoreApi } from 'zustand/vanilla';
+import type { OpenfortWalletConfig } from '../../components/Openfort/types';
 import type { OpenfortStore } from '../store';
 type Params = {
     openfort: Openfort;
@@ -8,13 +9,16 @@ type Params = {
     storeActiveEmbeddedAddress: OpenfortStore['activeEmbeddedAddress'];
     chainType: ChainTypeEnum;
     store: StoreApi<OpenfortStore>;
+    walletConfig: OpenfortWalletConfig | undefined;
 };
 /**
  * Syncs the active embedded address into the store.
  *
  * - Clears address when there are no accounts or user is logged out.
- * - When READY: asks the SDK for its active wallet, falls back to the first
- *   account for the current chain.
+ * - When connectOnLogin is false and the session went through
+ *   EMBEDDED_SIGNER_NOT_CONFIGURED (login flow), skips auto-seeding at READY
+ *   so the user must pick a wallet explicitly.
+ * - Returning sessions (SDK starts directly at READY) always auto-seed.
  */
-export declare function useActiveAddressSync({ openfort, storeEmbeddedAccounts, storeEmbeddedState, storeActiveEmbeddedAddress, chainType, store, }: Params): void;
+export declare function useActiveAddressSync({ openfort, storeEmbeddedAccounts, storeEmbeddedState, storeActiveEmbeddedAddress, chainType, store, walletConfig, }: Params): void;
 export {};

package/build/openfort/hooks/useActiveAddressSync.js

@@ -1,18 +1,30 @@
 import { EmbeddedState } from '@openfort/openfort-js';
-import { useEffect } from 'react';
+import { useRef, useEffect } from 'react';
 import { firstEmbeddedAddress } from '../../core/strategyUtils.js';
 
 /**
  * Syncs the active embedded address into the store.
  *
  * - Clears address when there are no accounts or user is logged out.
- * - When READY: asks the SDK for its active wallet, falls back to the first
- *   account for the current chain.
+ * - When connectOnLogin is false and the session went through
+ *   EMBEDDED_SIGNER_NOT_CONFIGURED (login flow), skips auto-seeding at READY
+ *   so the user must pick a wallet explicitly.
+ * - Returning sessions (SDK starts directly at READY) always auto-seed.
  */
-function useActiveAddressSync({ openfort, storeEmbeddedAccounts, storeEmbeddedState, storeActiveEmbeddedAddress, chainType, store, }) {
+function useActiveAddressSync({ openfort, storeEmbeddedAccounts, storeEmbeddedState, storeActiveEmbeddedAddress, chainType, store, walletConfig, }) {
+    var _a;
+    const connectOnLogin = (_a = walletConfig === null || walletConfig === void 0 ? void 0 : walletConfig.connectOnLogin) !== null && _a !== void 0 ? _a : true;
+    // Track whether the current session went through EMBEDDED_SIGNER_NOT_CONFIGURED
+    // (i.e. a login flow, not a returning session). When connectOnLogin is false, we
+    // skip auto-seeding at READY only for login flows — returning sessions (where the
+    // SDK starts directly at READY with a configured signer) should always auto-seed.
+    const sawSignerNotConfiguredRef = useRef(false);
     useEffect(() => {
         if (!openfort || !(storeEmbeddedAccounts === null || storeEmbeddedAccounts === void 0 ? void 0 : storeEmbeddedAccounts.length)) {
-            if (!(storeEmbeddedAccounts === null || storeEmbeddedAccounts === void 0 ? void 0 : storeEmbeddedAccounts.length)) {
+            // Only clear the address on genuine logout (no user). During wallet creation
+            // the accounts list is briefly empty while updateEmbeddedAccounts refetches —
+            // clearing here would undo the address that create() just set.
+            if (!(storeEmbeddedAccounts === null || storeEmbeddedAccounts === void 0 ? void 0 : storeEmbeddedAccounts.length) && !store.getState().user) {
                 store.getState().setActiveEmbeddedAddress(undefined);
             }
             return;
@@ -23,13 +35,16 @@ function useActiveAddressSync({ openfort, storeEmbeddedAccounts, storeEmbeddedSt
         if (storeEmbeddedState === EmbeddedState.UNAUTHENTICATED || storeEmbeddedState === EmbeddedState.NONE) {
             if (!store.getState().user) {
                 store.getState().setActiveEmbeddedAddress(undefined);
+                sawSignerNotConfiguredRef.current = false;
             }
             return;
         }
         // Bootstrap recovery: when signer is not yet configured and no address is set,
         // seed the active address so useAutoRecovery can trigger and drive state → READY.
+        // Skip when connectOnLogin is false — the user should explicitly choose a wallet.
         if (storeEmbeddedState === EmbeddedState.EMBEDDED_SIGNER_NOT_CONFIGURED) {
-            if (storeActiveEmbeddedAddress === undefined) {
+            sawSignerNotConfiguredRef.current = true;
+            if (connectOnLogin && storeActiveEmbeddedAddress === undefined) {
                 const first = firstEmbeddedAddress(storeEmbeddedAccounts, chainType);
                 if (first)
                     store.getState().setActiveEmbeddedAddress(first);
@@ -42,6 +57,13 @@ function useActiveAddressSync({ openfort, storeEmbeddedAccounts, storeEmbeddedSt
         // Already have an address — nothing to resolve
         if (storeActiveEmbeddedAddress !== undefined)
             return;
+        // Login flow with connectOnLogin=false: the session went through
+        // EMBEDDED_SIGNER_NOT_CONFIGURED, so don't auto-seed. The user must pick
+        // a wallet via the UI. create() and setActive() set the address directly,
+        // so they bypass this check.
+        if (!connectOnLogin && sawSignerNotConfiguredRef.current) {
+            return;
+        }
         // Priority 1: ask the SDK for its active wallet
         let cancelled = false;
         openfort.embeddedWallet
@@ -69,7 +91,15 @@ function useActiveAddressSync({ openfort, storeEmbeddedAccounts, storeEmbeddedSt
         return () => {
             cancelled = true;
         };
-    }, [openfort, storeEmbeddedAccounts, storeEmbeddedState, storeActiveEmbeddedAddress, chainType, store]);
+    }, [
+        openfort,
+        storeEmbeddedAccounts,
+        storeEmbeddedState,
+        storeActiveEmbeddedAddress,
+        chainType,
+        store,
+        connectOnLogin,
+    ]);
 }
 
 export { useActiveAddressSync };

package/build/openfort/hooks/useActiveAddressSync.js.map

@@ -1 +1 @@
-{"version":3,"file":"useActiveAddressSync.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
+{"version":3,"file":"useActiveAddressSync.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/solana/hooks/useSolanaEmbeddedWallet.js

@@ -123,6 +123,7 @@ function useSolanaEmbeddedWallet(options) {
                 accountType: AccountTypeEnum.EOA,
                 recoveryParams,
             });
+            setActiveEmbeddedAddress(account.address);
             await updateEmbeddedAccounts({ silent: true });
             const provider = createProviderForAccount(account);
             const connectedWallet = {
@@ -139,7 +140,6 @@ function useSolanaEmbeddedWallet(options) {
                 provider,
                 error: null,
             });
-            setActiveEmbeddedAddress(account.address);
             (_a = createOptions === null || createOptions === void 0 ? void 0 : createOptions.onSuccess) === null || _a === void 0 ? void 0 : _a.call(createOptions, { account });
             return account;
         }

package/build/utils/rpc.d.ts

@@ -6,10 +6,6 @@
  */
 import type { Chain } from 'viem';
 import type { SolanaCluster } from '../solana/types';
-/**
- * Get default Ethereum RPC URL for a chain ID.
- * Returns the viem/chains default RPC when known, falls back to Sepolia.
- */
 export declare function getDefaultEthereumRpcUrl(chainId: number): string;
 /**
  * Get default Solana RPC URL for a cluster.

package/build/utils/rpc.js

@@ -30,11 +30,15 @@ const DEFAULT_SOLANA_RPC_URLS = {
  * Get default Ethereum RPC URL for a chain ID.
  * Returns the viem/chains default RPC when known, falls back to Sepolia.
  */
+const warnedChainIds = new Set();
 function getDefaultEthereumRpcUrl(chainId) {
     const chain = KNOWN_CHAINS[chainId];
     const rpcUrl = chain === null || chain === void 0 ? void 0 : chain.rpcUrls.default.http[0];
     if (!rpcUrl) {
-        logger.warn(`No default Ethereum RPC URL found for chain ${chainId}. Configure rpcUrls in OpenfortProvider for better reliability and rate limits.`);
+        if (!warnedChainIds.has(chainId)) {
+            warnedChainIds.add(chainId);
+            logger.warn(`No default Ethereum RPC URL found for chain ${chainId}. Configure rpcUrls in OpenfortProvider for better reliability and rate limits.`);
+        }
         return sepolia.rpcUrls.default.http[0];
     }
     return rpcUrl;

package/build/utils/rpc.js.map

@@ -1 +1 @@
-{"version":3,"file":"rpc.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}
+{"version":3,"file":"rpc.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/utils/urlSecurity.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Utilities for secure handling of OAuth callback URLs containing tokens.
+ *
+ * Prevents Referer-header leakage of access tokens and provides robust
+ * URL parsing for the OF-1013 workaround (duplicate `?` in redirect URLs).
+ */
+/**
+ * Injects a `<meta name="referrer" content="no-referrer">` tag so that
+ * any subresource request fired before `history.replaceState` strips the
+ * tokens will NOT leak the full URL (including access_token) via the
+ * Referer header.
+ *
+ * Call this **synchronously** — before any `await` — when the URL
+ * contains sensitive query parameters.
+ *
+ * @returns A cleanup function that removes the meta tag.
+ */
+export declare function suppressReferrer(): () => void;
+/**
+ * Parses the current `window.location.href`, fixing the OF-1013 issue
+ * where the server redirect produces a URL with a duplicate `?`, e.g.
+ * `https://example.com/callback?existing=1?access_token=xxx&user_id=yyy`.
+ *
+ * Instead of a fragile `.replace('?access_token=', '&access_token=')`
+ * that can mangle values containing the same substring, this finds the
+ * *second* `?` (if any) and replaces it with `&`.
+ */
+export declare function parseCallbackUrl(href: string): URL;

package/build/utils/urlSecurity.js

@@ -0,0 +1,56 @@
+/**
+ * Utilities for secure handling of OAuth callback URLs containing tokens.
+ *
+ * Prevents Referer-header leakage of access tokens and provides robust
+ * URL parsing for the OF-1013 workaround (duplicate `?` in redirect URLs).
+ */
+const REFERRER_META_ID = '__openfort_no_referrer';
+/**
+ * Injects a `<meta name="referrer" content="no-referrer">` tag so that
+ * any subresource request fired before `history.replaceState` strips the
+ * tokens will NOT leak the full URL (including access_token) via the
+ * Referer header.
+ *
+ * Call this **synchronously** — before any `await` — when the URL
+ * contains sensitive query parameters.
+ *
+ * @returns A cleanup function that removes the meta tag.
+ */
+function suppressReferrer() {
+    if (typeof document === 'undefined')
+        return () => { };
+    // Avoid duplicates if called more than once
+    if (document.getElementById(REFERRER_META_ID))
+        return () => { };
+    const meta = document.createElement('meta');
+    meta.id = REFERRER_META_ID;
+    meta.name = 'referrer';
+    meta.content = 'no-referrer';
+    document.head.appendChild(meta);
+    return () => {
+        meta.remove();
+    };
+}
+/**
+ * Parses the current `window.location.href`, fixing the OF-1013 issue
+ * where the server redirect produces a URL with a duplicate `?`, e.g.
+ * `https://example.com/callback?existing=1?access_token=xxx&user_id=yyy`.
+ *
+ * Instead of a fragile `.replace('?access_token=', '&access_token=')`
+ * that can mangle values containing the same substring, this finds the
+ * *second* `?` (if any) and replaces it with `&`.
+ */
+function parseCallbackUrl(href) {
+    const firstQ = href.indexOf('?');
+    if (firstQ === -1)
+        return new URL(href);
+    const secondQ = href.indexOf('?', firstQ + 1);
+    if (secondQ === -1)
+        return new URL(href);
+    // Replace only the second `?` with `&`
+    const fixed = `${href.slice(0, secondQ)}&${href.slice(secondQ + 1)}`;
+    return new URL(fixed);
+}
+
+export { parseCallbackUrl, suppressReferrer };
+//# sourceMappingURL=urlSecurity.js.map

package/build/utils/urlSecurity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"urlSecurity.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"}

package/build/version.d.ts

@@ -1 +1 @@
-export declare const OPENFORT_VERSION = "1.0.6";
+export declare const OPENFORT_VERSION = "1.0.8";

package/build/version.js

@@ -1,4 +1,4 @@
-const OPENFORT_VERSION = '1.0.6';
+const OPENFORT_VERSION = '1.0.8';
 
 export { OPENFORT_VERSION };
 //# sourceMappingURL=version.js.map

package/build/wagmi/useConnectWithSiwe.js

@@ -1,5 +1,5 @@
 import { OpenfortError } from '@openfort/openfort-js';
-import { useCallback } from 'react';
+import { useRef, useCallback } from 'react';
 import { useEthereumBridge } from '../ethereum/OpenfortEthereumBridgeContext.js';
 import { useOpenfortCore } from '../openfort/useOpenfort.js';
 import { createSIWEMessage } from '../siwe/create-siwe-message.js';
@@ -17,27 +17,35 @@ import { logger } from '../utils/logger.js';
  * ```
  */
 function useConnectWithSiwe() {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _j;
     const { client, user, updateUser } = useOpenfortCore();
     const bridge = useEthereumBridge();
-    const address = (_a = bridge === null || bridge === void 0 ? void 0 : bridge.account) === null || _a === void 0 ? void 0 : _a.address;
-    const connector = (_b = bridge === null || bridge === void 0 ? void 0 : bridge.account) === null || _b === void 0 ? void 0 : _b.connector;
-    const chainId = (_c = bridge === null || bridge === void 0 ? void 0 : bridge.chainId) !== null && _c !== void 0 ? _c : 0;
-    const accountChainId = (_f = (_e = (_d = bridge === null || bridge === void 0 ? void 0 : bridge.account) === null || _d === void 0 ? void 0 : _d.chain) === null || _e === void 0 ? void 0 : _e.id) !== null && _f !== void 0 ? _f : bridge === null || bridge === void 0 ? void 0 : bridge.chainId;
-    const chainName = (_h = (_g = bridge === null || bridge === void 0 ? void 0 : bridge.account) === null || _g === void 0 ? void 0 : _g.chain) === null || _h === void 0 ? void 0 : _h.name;
-    const switchChainAsync = (_j = bridge === null || bridge === void 0 ? void 0 : bridge.switchChain) === null || _j === void 0 ? void 0 : _j.switchChainAsync;
-    const signMessage = bridge === null || bridge === void 0 ? void 0 : bridge.signMessage;
-    const connectWithSiwe = useCallback(async ({ onError, onConnect, address: propsAddress, connectorType: propsConnectorType, walletClientType: propsWalletClientType, link = !!user, } = {}) => {
-        var _a, _b;
-        const addressToUse = propsAddress !== null && propsAddress !== void 0 ? propsAddress : address;
-        const connectorType = propsConnectorType !== null && propsConnectorType !== void 0 ? propsConnectorType : connector === null || connector === void 0 ? void 0 : connector.type;
-        const walletClientType = propsWalletClientType !== null && propsWalletClientType !== void 0 ? propsWalletClientType : connector === null || connector === void 0 ? void 0 : connector.id;
-        if (!addressToUse || !connectorType || !walletClientType) {
-            logger.log('No address found', { address: addressToUse, connectorType, walletClientType });
+    // Use a ref so the callback always reads the latest bridge state,
+    // not a stale closure from the last render (critical after connectAsync changes the active connector).
+    const bridgeRef = useRef(bridge);
+    bridgeRef.current = bridge;
+    const userRef = useRef(user);
+    userRef.current = user;
+    const connectWithSiwe = useCallback(async ({ onError, onConnect, address: propsAddress, connectorType: propsConnectorType, walletClientType: propsWalletClientType, link, } = {}) => {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
+        // Read fresh values from the bridge ref — NOT from the stale render closure
+        const b = bridgeRef.current;
+        const currentUser = userRef.current;
+        const shouldLink = link !== null && link !== void 0 ? link : !!currentUser;
+        const address = propsAddress !== null && propsAddress !== void 0 ? propsAddress : (_a = b === null || b === void 0 ? void 0 : b.account) === null || _a === void 0 ? void 0 : _a.address;
+        const connectorType = propsConnectorType !== null && propsConnectorType !== void 0 ? propsConnectorType : (_c = (_b = b === null || b === void 0 ? void 0 : b.account) === null || _b === void 0 ? void 0 : _b.connector) === null || _c === void 0 ? void 0 : _c.type;
+        const walletClientType = propsWalletClientType !== null && propsWalletClientType !== void 0 ? propsWalletClientType : (_e = (_d = b === null || b === void 0 ? void 0 : b.account) === null || _d === void 0 ? void 0 : _d.connector) === null || _e === void 0 ? void 0 : _e.id;
+        const chainId = (_f = b === null || b === void 0 ? void 0 : b.chainId) !== null && _f !== void 0 ? _f : 0;
+        const accountChainId = (_j = (_h = (_g = b === null || b === void 0 ? void 0 : b.account) === null || _g === void 0 ? void 0 : _g.chain) === null || _h === void 0 ? void 0 : _h.id) !== null && _j !== void 0 ? _j : b === null || b === void 0 ? void 0 : b.chainId;
+        const chainName = (_l = (_k = b === null || b === void 0 ? void 0 : b.account) === null || _k === void 0 ? void 0 : _k.chain) === null || _l === void 0 ? void 0 : _l.name;
+        const switchChainAsync = (_m = b === null || b === void 0 ? void 0 : b.switchChain) === null || _m === void 0 ? void 0 : _m.switchChainAsync;
+        const signMessage = b === null || b === void 0 ? void 0 : b.signMessage;
+        if (!address || !connectorType || !walletClientType) {
+            logger.warn('[useConnectWithSiwe] Missing params', { address, connectorType, walletClientType });
             onError === null || onError === void 0 ? void 0 : onError('No address found');
             return;
         }
         if (!signMessage) {
+            logger.warn('[useConnectWithSiwe] No signMessage on bridge');
             onError === null || onError === void 0 ? void 0 : onError('EVM bridge not available (signMessage)');
             return;
         }
@@ -46,46 +54,44 @@ function useConnectWithSiwe() {
                 await switchChainAsync({ chainId });
             }
             let nonce;
-            if (link) {
-                const resp = await client.auth.initLinkSiwe({ address: addressToUse });
+            if (shouldLink) {
+                const resp = await client.auth.initLinkSiwe({ address });
                 nonce = resp.nonce;
             }
             else {
-                const resp = await client.auth.initSiwe({ address: addressToUse });
+                const resp = await client.auth.initSiwe({ address });
                 nonce = resp.nonce;
             }
-            const SIWEMessage = createSIWEMessage(addressToUse, nonce, chainId);
+            const SIWEMessage = createSIWEMessage(address, nonce, chainId);
             if (!SIWEMessage)
                 throw new Error('SIWE message creation failed (window not available)');
             const signature = await signMessage({ message: SIWEMessage });
-            if (link) {
-                logger.log('Linking wallet to user');
+            if (shouldLink) {
                 await client.auth.linkWithSiwe({
                     signature,
                     message: SIWEMessage,
                     connectorType,
                     walletClientType,
-                    address: addressToUse,
+                    address,
                     chainId,
                 });
             }
             else {
-                logger.log('Authenticating with SIWE');
                 await client.auth.loginWithSiwe({
                     signature,
                     message: SIWEMessage,
                     connectorType,
                     walletClientType,
-                    address: addressToUse,
+                    address,
                 });
             }
             await updateUser();
             await Promise.resolve(onConnect === null || onConnect === void 0 ? void 0 : onConnect());
         }
         catch (err) {
-            logger.log('Failed to connect with SIWE', {
-                error: err,
-                status: (_b = (_a = err === null || err === void 0 ? void 0 : err.response) === null || _a === void 0 ? void 0 : _a.status) !== null && _b !== void 0 ? _b : 'unknown',
+            logger.error('[useConnectWithSiwe] SIWE failed', {
+                message: err instanceof Error ? err.message : String(err),
+                status: (_o = err === null || err === void 0 ? void 0 : err.response) === null || _o === void 0 ? void 0 : _o.status,
             });
             if (!onError)
                 return;
@@ -107,7 +113,7 @@ function useConnectWithSiwe() {
             }
             onError(message, err instanceof OpenfortError ? err : undefined);
         }
-    }, [client, user, updateUser, address, chainId, connector, accountChainId, chainName, switchChainAsync, signMessage]);
+    }, [client, updateUser]);
     return { connectWithSiwe };
 }