@phantom/browser-sdk 1.0.4 → 1.0.5

package/dist/index.js

@@ -2764,7 +2764,7 @@ var BrowserAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.4",
+        sdk_version: "1.0.5",
         sdk_type: "browser",
         platform: detectBrowser().name,
         algorithm: phantomOptions.algorithm || import_constants3.DEFAULT_AUTHENTICATOR_ALGORITHM
@@ -2904,8 +2904,8 @@ var Auth2AuthProvider = class {
    *
    * Called by EmbeddedProvider.handleRedirectAuth() after the stamper has
    * already been initialized and a pending Session has been saved to storage.
-   * We store the PKCE code_verifier and salt into that session so they survive
-   * the page redirect without ever touching sessionStorage.
+   * We store the PKCE code_verifier into that session so it survives the page
+   * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
     if (!this.stamper.getKeyInfo()) {
@@ -2916,12 +2916,11 @@ var Auth2AuthProvider = class {
       throw new Error("Stamper key pair not found.");
     }
     const codeVerifier = (0, import_auth2.createCodeVerifier)();
-    const salt = (0, import_auth2.createSalt)();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier, salt });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     const url = await (0, import_auth2.createConnectStartUrl)({
       keyPair,
       connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
@@ -2930,7 +2929,8 @@ var Auth2AuthProvider = class {
       sessionId: options.sessionId,
       provider: options.provider,
       codeVerifier,
-      salt
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: ""
     });
     Auth2AuthProvider.navigate(url);
   }
@@ -2972,17 +2972,14 @@ var Auth2AuthProvider = class {
       code,
       codeVerifier
     });
-    this.stamper.idToken = idToken;
-    this.stamper.salt = session?.salt;
+    await this.stamper.setIdToken(idToken);
     await this.storage.saveSession({
       ...session,
       status: "completed",
       bearerToken,
       authUserId,
-      pkceCodeVerifier: void 0,
+      pkceCodeVerifier: void 0
       // no longer needed after code exchange
-      salt: void 0
-      // no longer needed after nonce binding is complete
     });
     const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
     return {
@@ -3012,17 +3009,21 @@ var Auth2Stamper = class {
   constructor(dbName) {
     this.dbName = dbName;
     this.db = null;
-    this.keyPair = null;
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
     this.algorithm = import_sdk_types.Algorithm.secp256r1;
-    this.type = "PKI";
+    this.type = "OIDC";
   }
   async init() {
     await this.openDB();
-    const stored = await this.loadKeyPair();
+    const stored = await this.loadRecord();
     if (stored) {
-      this.keyPair = stored.keyPair;
+      this._keyPair = stored.keyPair;
       this._keyInfo = stored.keyInfo;
+      if (stored.idToken) {
+        this._idToken = stored.idToken;
+      }
       return this._keyInfo;
     }
     return this.generateAndStore();
@@ -3031,41 +3032,54 @@ var Auth2Stamper = class {
     return this._keyInfo;
   }
   getCryptoKeyPair() {
-    return this.keyPair;
+    return this._keyPair;
+  }
+  /**
+   * Arms the stamper with the OIDC id token for subsequent KMS stamp() calls.
+   *
+   * Persists the token to IndexedDB alongside the key pair so that
+   * auto-connect can restore it on the next page load without a new login.
+   */
+  async setIdToken(idToken) {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this._idToken = idToken;
+    const existing = await this.loadRecord();
+    if (existing) {
+      await this.storeRecord({ ...existing, idToken });
+    }
   }
   async stamp(params) {
-    if (!this.keyPair || !this._keyInfo) {
+    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
       throw new Error("Auth2Stamper not initialized. Call init() first.");
     }
     const signatureRaw = await crypto.subtle.sign(
       { name: "ECDSA", hash: "SHA-256" },
-      this.keyPair.privateKey,
+      this._keyPair.privateKey,
       new Uint8Array(params.data)
     );
     const rawPublicKey = import_bs582.default.decode(this._keyInfo.publicKey);
-    if (this.idToken === void 0 || this.salt === void 0) {
-      throw new Error("Auth2Stamper not initialized with idToken or salt.");
-    }
     const stampData = {
-      kind: "OIDC",
-      idToken: this.idToken,
+      kind: this.type,
+      idToken: this._idToken,
       publicKey: (0, import_base64url.base64urlEncode)(rawPublicKey),
-      algorithm: "Secp256r1",
-      salt: this.salt,
+      algorithm: this.algorithm,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: "",
       signature: (0, import_base64url.base64urlEncode)(new Uint8Array(signatureRaw))
     };
     return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(JSON.stringify(stampData)));
   }
   async resetKeyPair() {
-    await this.clearStoredKey();
-    this.keyPair = null;
-    this._keyInfo = null;
+    await this.clear();
     return this.generateAndStore();
   }
   async clear() {
-    await this.clearStoredKey();
-    this.keyPair = null;
+    await this.clearStoredRecord();
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
   }
   // Auth2 doesn't use key rotation; provide minimal no-op implementations.
   async rotateKeyPair() {
@@ -3090,13 +3104,13 @@ var Auth2Stamper = class {
     const publicKeyBase58 = import_bs582.default.encode(rawPublicKey);
     const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
     const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this.keyPair = keyPair;
+    this._keyPair = keyPair;
     this._keyInfo = {
       keyId,
       publicKey: publicKeyBase58,
       createdAt: Date.now()
     };
-    await this.storeKeyPair(keyPair, this._keyInfo);
+    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
     return this._keyInfo;
   }
   async openDB() {
@@ -3115,7 +3129,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadKeyPair() {
+  async loadRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3129,12 +3143,12 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeKeyPair(keyPair, keyInfo) {
+  async storeRecord(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
       }
-      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put({ keyPair, keyInfo }, ACTIVE_KEY);
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put(record, ACTIVE_KEY);
       request.onsuccess = () => {
         resolve();
       };
@@ -3143,7 +3157,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredKey() {
+  async clearStoredRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3320,7 +3334,7 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
         [import_constants4.ANALYTICS_HEADERS.CLIENT]: browserName,
         [import_constants4.ANALYTICS_HEADERS.APP_ID]: config.appId,
         [import_constants4.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.4"
+        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.5"
         // Replaced at build time
       }
     };

package/dist/index.mjs

@@ -2714,7 +2714,7 @@ var BrowserAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.4",
+        sdk_version: "1.0.5",
         sdk_type: "browser",
         platform: detectBrowser().name,
         algorithm: phantomOptions.algorithm || DEFAULT_AUTHENTICATOR_ALGORITHM
@@ -2838,7 +2838,6 @@ var BrowserAuthProvider = class {
 // src/providers/embedded/adapters/Auth2AuthProvider.ts
 import {
   createCodeVerifier,
-  createSalt,
   createConnectStartUrl,
   exchangeAuthCode,
   Auth2KmsRpcClient
@@ -2860,8 +2859,8 @@ var Auth2AuthProvider = class {
    *
    * Called by EmbeddedProvider.handleRedirectAuth() after the stamper has
    * already been initialized and a pending Session has been saved to storage.
-   * We store the PKCE code_verifier and salt into that session so they survive
-   * the page redirect without ever touching sessionStorage.
+   * We store the PKCE code_verifier into that session so it survives the page
+   * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
     if (!this.stamper.getKeyInfo()) {
@@ -2872,12 +2871,11 @@ var Auth2AuthProvider = class {
       throw new Error("Stamper key pair not found.");
     }
     const codeVerifier = createCodeVerifier();
-    const salt = createSalt();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier, salt });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     const url = await createConnectStartUrl({
       keyPair,
       connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
@@ -2886,7 +2884,8 @@ var Auth2AuthProvider = class {
       sessionId: options.sessionId,
       provider: options.provider,
       codeVerifier,
-      salt
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: ""
     });
     Auth2AuthProvider.navigate(url);
   }
@@ -2928,17 +2927,14 @@ var Auth2AuthProvider = class {
       code,
       codeVerifier
     });
-    this.stamper.idToken = idToken;
-    this.stamper.salt = session?.salt;
+    await this.stamper.setIdToken(idToken);
     await this.storage.saveSession({
       ...session,
       status: "completed",
       bearerToken,
       authUserId,
-      pkceCodeVerifier: void 0,
+      pkceCodeVerifier: void 0
       // no longer needed after code exchange
-      salt: void 0
-      // no longer needed after nonce binding is complete
     });
     const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
     return {
@@ -2968,17 +2964,21 @@ var Auth2Stamper = class {
   constructor(dbName) {
     this.dbName = dbName;
     this.db = null;
-    this.keyPair = null;
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
     this.algorithm = Algorithm.secp256r1;
-    this.type = "PKI";
+    this.type = "OIDC";
   }
   async init() {
     await this.openDB();
-    const stored = await this.loadKeyPair();
+    const stored = await this.loadRecord();
     if (stored) {
-      this.keyPair = stored.keyPair;
+      this._keyPair = stored.keyPair;
       this._keyInfo = stored.keyInfo;
+      if (stored.idToken) {
+        this._idToken = stored.idToken;
+      }
       return this._keyInfo;
     }
     return this.generateAndStore();
@@ -2987,41 +2987,54 @@ var Auth2Stamper = class {
     return this._keyInfo;
   }
   getCryptoKeyPair() {
-    return this.keyPair;
+    return this._keyPair;
+  }
+  /**
+   * Arms the stamper with the OIDC id token for subsequent KMS stamp() calls.
+   *
+   * Persists the token to IndexedDB alongside the key pair so that
+   * auto-connect can restore it on the next page load without a new login.
+   */
+  async setIdToken(idToken) {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this._idToken = idToken;
+    const existing = await this.loadRecord();
+    if (existing) {
+      await this.storeRecord({ ...existing, idToken });
+    }
   }
   async stamp(params) {
-    if (!this.keyPair || !this._keyInfo) {
+    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
       throw new Error("Auth2Stamper not initialized. Call init() first.");
     }
     const signatureRaw = await crypto.subtle.sign(
       { name: "ECDSA", hash: "SHA-256" },
-      this.keyPair.privateKey,
+      this._keyPair.privateKey,
       new Uint8Array(params.data)
     );
     const rawPublicKey = bs582.decode(this._keyInfo.publicKey);
-    if (this.idToken === void 0 || this.salt === void 0) {
-      throw new Error("Auth2Stamper not initialized with idToken or salt.");
-    }
     const stampData = {
-      kind: "OIDC",
-      idToken: this.idToken,
+      kind: this.type,
+      idToken: this._idToken,
       publicKey: base64urlEncode(rawPublicKey),
-      algorithm: "Secp256r1",
-      salt: this.salt,
+      algorithm: this.algorithm,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: "",
       signature: base64urlEncode(new Uint8Array(signatureRaw))
     };
     return base64urlEncode(new TextEncoder().encode(JSON.stringify(stampData)));
   }
   async resetKeyPair() {
-    await this.clearStoredKey();
-    this.keyPair = null;
-    this._keyInfo = null;
+    await this.clear();
     return this.generateAndStore();
   }
   async clear() {
-    await this.clearStoredKey();
-    this.keyPair = null;
+    await this.clearStoredRecord();
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
   }
   // Auth2 doesn't use key rotation; provide minimal no-op implementations.
   async rotateKeyPair() {
@@ -3046,13 +3059,13 @@ var Auth2Stamper = class {
     const publicKeyBase58 = bs582.encode(rawPublicKey);
     const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
     const keyId = base64urlEncode(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this.keyPair = keyPair;
+    this._keyPair = keyPair;
     this._keyInfo = {
       keyId,
       publicKey: publicKeyBase58,
       createdAt: Date.now()
     };
-    await this.storeKeyPair(keyPair, this._keyInfo);
+    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
     return this._keyInfo;
   }
   async openDB() {
@@ -3071,7 +3084,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadKeyPair() {
+  async loadRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3085,12 +3098,12 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeKeyPair(keyPair, keyInfo) {
+  async storeRecord(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
       }
-      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put({ keyPair, keyInfo }, ACTIVE_KEY);
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put(record, ACTIVE_KEY);
       request.onsuccess = () => {
         resolve();
       };
@@ -3099,7 +3112,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredKey() {
+  async clearStoredRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3276,7 +3289,7 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
         [ANALYTICS_HEADERS.CLIENT]: browserName,
         [ANALYTICS_HEADERS.APP_ID]: config.appId,
         [ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.4"
+        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.5"
         // Replaced at build time
       }
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phantom/browser-sdk",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "Browser SDK for Phantom Wallet",
   "repository": {
     "type": "git",
@@ -33,16 +33,16 @@
     "prettier": "prettier --write \"src/**/*.{ts,tsx}\""
   },
   "dependencies": {
-    "@phantom/auth2": "^1.0.0",
-    "@phantom/base64url": "^1.0.4",
-    "@phantom/browser-injected-sdk": "^1.0.4",
-    "@phantom/chain-interfaces": "^1.0.4",
-    "@phantom/client": "^1.0.4",
-    "@phantom/constants": "^1.0.4",
-    "@phantom/embedded-provider-core": "^1.0.4",
-    "@phantom/indexed-db-stamper": "^1.0.4",
-    "@phantom/parsers": "^1.0.4",
-    "@phantom/sdk-types": "^1.0.4",
+    "@phantom/auth2": "^1.0.1",
+    "@phantom/base64url": "^1.0.5",
+    "@phantom/browser-injected-sdk": "^1.0.5",
+    "@phantom/chain-interfaces": "^1.0.5",
+    "@phantom/client": "^1.0.5",
+    "@phantom/constants": "^1.0.5",
+    "@phantom/embedded-provider-core": "^1.0.5",
+    "@phantom/indexed-db-stamper": "^1.0.5",
+    "@phantom/parsers": "^1.0.5",
+    "@phantom/sdk-types": "^1.0.5",
     "axios": "^1.10.0",
     "bs58": "^6.0.0",
     "buffer": "^6.0.3",