@polkadot/extension-base 0.60.1 → 0.61.2

package/background/handlers/State.d.ts

@@ -44,7 +44,7 @@ export default class State {
     readonly signSubject: BehaviorSubject<SigningRequest[]>;
     readonly authUrlSubjects: Record<string, BehaviorSubject<AuthUrlInfo>>;
     defaultAuthAccountSelection: string[];
-    constructor(providers?: Providers);
+    constructor(providers?: Providers, rateLimitInterval?: number);
     init(): Promise<void>;
     get knownMetadata(): MetadataDef[];
     get numAuthRequests(): number;
@@ -90,6 +90,7 @@ export default class State {
     rpcUnsubscribe(request: RequestRpcUnsubscribe, port: chrome.runtime.Port): Promise<boolean>;
     saveMetadata(meta: MetadataDef): Promise<void>;
     setNotification(notification: string): boolean;
+    private handleSignRequest;
     sign(url: string, request: RequestSign, account: AccountJson): Promise<ResponseSigning>;
 }
 export {};

package/background/handlers/State.js

@@ -64,6 +64,9 @@ async function extractMetadata(store) {
 }
 export default class State {
     #authUrls = new Map();
+    #lastRequestTimestamps = new Map();
+    #maxEntries = 10;
+    #rateLimitInterval = 3000; // 3 seconds
     #authRequests = {};
     #metaStore = new MetadataStore();
     // Map of providers currently injected in tabs
@@ -80,8 +83,10 @@ export default class State {
     signSubject = new BehaviorSubject([]);
     authUrlSubjects = {};
     defaultAuthAccountSelection = [];
-    constructor(providers = {}) {
+    constructor(providers = {}, rateLimitInterval = 3000) {
+        assert(rateLimitInterval >= 0, 'Expects non-negative number for rateLimitInterval');
         this.#providers = providers;
+        this.#rateLimitInterval = rateLimitInterval;
     }
     async init() {
         await extractMetadata(this.#metaStore);
@@ -437,8 +442,27 @@ export default class State {
         this.#notification = notification;
         return true;
     }
+    handleSignRequest(origin) {
+        const now = Date.now();
+        const lastTime = this.#lastRequestTimestamps.get(origin) || 0;
+        if (now - lastTime < this.#rateLimitInterval) {
+            throw new Error('Rate limit exceeded. Try again later.');
+        }
+        // If we're about to exceed max entries, evict the oldest
+        if (!this.#lastRequestTimestamps.has(origin) && this.#lastRequestTimestamps.size >= this.#maxEntries) {
+            const oldestKey = this.#lastRequestTimestamps.keys().next().value;
+            oldestKey && this.#lastRequestTimestamps.delete(oldestKey);
+        }
+        this.#lastRequestTimestamps.set(origin, now);
+    }
     sign(url, request, account) {
         const id = getId();
+        try {
+            this.handleSignRequest(url);
+        }
+        catch (error) {
+            return Promise.reject(error);
+        }
         return new Promise((resolve, reject) => {
             this.#signRequests[id] = {
                 ...this.signComplete(id, resolve, reject),

package/background/handlers/Tabs.d.ts

@@ -20,6 +20,7 @@ export default class Tabs {
     private rpcSubscribeConnected;
     private rpcUnsubscribe;
     private redirectPhishingLanding;
+    private parseUrl;
     private redirectIfPhishing;
     handle<TMessageType extends MessageTypes>(id: string, type: TMessageType, request: RequestTypes[TMessageType], url: string, port?: chrome.runtime.Port): Promise<ResponseTypes[keyof ResponseTypes]>;
 }

package/background/handlers/Tabs.js

@@ -1,4 +1,5 @@
 import { combineLatest } from 'rxjs';
+import { parse } from 'tldts';
 import { checkIfDenied } from '@polkadot/phishing';
 import { keyring } from '@polkadot/ui-keyring';
 import { accounts as accountsObservable } from '@polkadot/ui-keyring/observable/accounts';
@@ -142,6 +143,19 @@ export default class Tabs {
                 .forEach((id) => withErrorLog(() => chrome.tabs.update(id, { url })));
         });
     }
+    parseUrl(rawUrl) {
+        let from = 'extension';
+        if (rawUrl) {
+            try {
+                const { hostname } = parse(rawUrl);
+                from = hostname || '<unknown>'; // Only use the hostname
+            }
+            catch {
+                from = '<unknown>';
+            }
+        }
+        return from;
+    }
     async redirectIfPhishing(url) {
         const isInDenyList = await checkIfDenied(url);
         if (isInDenyList) {
@@ -152,7 +166,8 @@ export default class Tabs {
     }
     async handle(id, type, request, url, port) {
         if (type === 'pub(phishing.redirectIfDenied)') {
-            return this.redirectIfPhishing(url);
+            const parsedUrl = this.parseUrl(url);
+            return this.redirectIfPhishing(parsedUrl);
         }
         if (type !== 'pub(authorize.tab)') {
             this.#state.ensureUrlAuthorized(url);

package/cjs/background/handlers/State.d.ts

@@ -44,7 +44,7 @@ export default class State {
     readonly signSubject: BehaviorSubject<SigningRequest[]>;
     readonly authUrlSubjects: Record<string, BehaviorSubject<AuthUrlInfo>>;
     defaultAuthAccountSelection: string[];
-    constructor(providers?: Providers);
+    constructor(providers?: Providers, rateLimitInterval?: number);
     init(): Promise<void>;
     get knownMetadata(): MetadataDef[];
     get numAuthRequests(): number;
@@ -90,6 +90,7 @@ export default class State {
     rpcUnsubscribe(request: RequestRpcUnsubscribe, port: chrome.runtime.Port): Promise<boolean>;
     saveMetadata(meta: MetadataDef): Promise<void>;
     setNotification(notification: string): boolean;
+    private handleSignRequest;
     sign(url: string, request: RequestSign, account: AccountJson): Promise<ResponseSigning>;
 }
 export {};

package/cjs/background/handlers/State.js

@@ -67,6 +67,9 @@ async function extractMetadata(store) {
 }
 class State {
     #authUrls = new Map();
+    #lastRequestTimestamps = new Map();
+    #maxEntries = 10;
+    #rateLimitInterval = 3000; // 3 seconds
     #authRequests = {};
     #metaStore = new index_js_1.MetadataStore();
     // Map of providers currently injected in tabs
@@ -83,8 +86,10 @@ class State {
     signSubject = new rxjs_1.BehaviorSubject([]);
     authUrlSubjects = {};
     defaultAuthAccountSelection = [];
-    constructor(providers = {}) {
+    constructor(providers = {}, rateLimitInterval = 3000) {
+        (0, util_1.assert)(rateLimitInterval >= 0, 'Expects non-negative number for rateLimitInterval');
         this.#providers = providers;
+        this.#rateLimitInterval = rateLimitInterval;
     }
     async init() {
         await extractMetadata(this.#metaStore);
@@ -440,8 +445,27 @@ class State {
         this.#notification = notification;
         return true;
     }
+    handleSignRequest(origin) {
+        const now = Date.now();
+        const lastTime = this.#lastRequestTimestamps.get(origin) || 0;
+        if (now - lastTime < this.#rateLimitInterval) {
+            throw new Error('Rate limit exceeded. Try again later.');
+        }
+        // If we're about to exceed max entries, evict the oldest
+        if (!this.#lastRequestTimestamps.has(origin) && this.#lastRequestTimestamps.size >= this.#maxEntries) {
+            const oldestKey = this.#lastRequestTimestamps.keys().next().value;
+            oldestKey && this.#lastRequestTimestamps.delete(oldestKey);
+        }
+        this.#lastRequestTimestamps.set(origin, now);
+    }
     sign(url, request, account) {
         const id = (0, getId_js_1.getId)();
+        try {
+            this.handleSignRequest(url);
+        }
+        catch (error) {
+            return Promise.reject(error);
+        }
         return new Promise((resolve, reject) => {
             this.#signRequests[id] = {
                 ...this.signComplete(id, resolve, reject),

package/cjs/background/handlers/Tabs.d.ts

@@ -20,6 +20,7 @@ export default class Tabs {
     private rpcSubscribeConnected;
     private rpcUnsubscribe;
     private redirectPhishingLanding;
+    private parseUrl;
     private redirectIfPhishing;
     handle<TMessageType extends MessageTypes>(id: string, type: TMessageType, request: RequestTypes[TMessageType], url: string, port?: chrome.runtime.Port): Promise<ResponseTypes[keyof ResponseTypes]>;
 }

package/cjs/background/handlers/Tabs.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const tslib_1 = require("tslib");
 const rxjs_1 = require("rxjs");
+const tldts_1 = require("tldts");
 const phishing_1 = require("@polkadot/phishing");
 const ui_keyring_1 = require("@polkadot/ui-keyring");
 const accounts_1 = require("@polkadot/ui-keyring/observable/accounts");
@@ -145,6 +146,19 @@ class Tabs {
                 .forEach((id) => (0, helpers_js_1.withErrorLog)(() => chrome.tabs.update(id, { url })));
         });
     }
+    parseUrl(rawUrl) {
+        let from = 'extension';
+        if (rawUrl) {
+            try {
+                const { hostname } = (0, tldts_1.parse)(rawUrl);
+                from = hostname || '<unknown>'; // Only use the hostname
+            }
+            catch {
+                from = '<unknown>';
+            }
+        }
+        return from;
+    }
     async redirectIfPhishing(url) {
         const isInDenyList = await (0, phishing_1.checkIfDenied)(url);
         if (isInDenyList) {
@@ -155,7 +169,8 @@ class Tabs {
     }
     async handle(id, type, request, url, port) {
         if (type === 'pub(phishing.redirectIfDenied)') {
-            return this.redirectIfPhishing(url);
+            const parsedUrl = this.parseUrl(url);
+            return this.redirectIfPhishing(parsedUrl);
         }
         if (type !== 'pub(authorize.tab)') {
             this.#state.ensureUrlAuthorized(url);

package/cjs/packageInfo.js

@@ -1,4 +1,4 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.packageInfo = void 0;
-exports.packageInfo = { name: '@polkadot/extension-base', path: typeof __dirname === 'string' ? __dirname : 'auto', type: 'cjs', version: '0.60.1' };
+exports.packageInfo = { name: '@polkadot/extension-base', path: typeof __dirname === 'string' ? __dirname : 'auto', type: 'cjs', version: '0.61.2' };

package/package.json

@@ -18,7 +18,7 @@
     "./cjs/packageDetect.js"
   ],
   "type": "module",
-  "version": "0.60.1",
+  "version": "0.61.2",
   "main": "./cjs/index.js",
   "module": "./index.js",
   "types": "./index.d.ts",
@@ -479,21 +479,22 @@
     }
   },
   "dependencies": {
-    "@polkadot/api": "^16.2.2",
-    "@polkadot/extension-chains": "0.60.1",
-    "@polkadot/extension-dapp": "0.60.1",
-    "@polkadot/extension-inject": "0.60.1",
-    "@polkadot/keyring": "^13.5.2",
-    "@polkadot/networks": "^13.5.2",
-    "@polkadot/phishing": "^0.25.13",
-    "@polkadot/rpc-provider": "^16.2.2",
-    "@polkadot/types": "^16.2.2",
-    "@polkadot/ui-keyring": "^3.15.1",
-    "@polkadot/ui-settings": "^3.15.1",
-    "@polkadot/util": "^13.5.2",
-    "@polkadot/util-crypto": "^13.5.2",
+    "@polkadot/api": "^16.3.1",
+    "@polkadot/extension-chains": "0.61.2",
+    "@polkadot/extension-dapp": "0.61.2",
+    "@polkadot/extension-inject": "0.61.2",
+    "@polkadot/keyring": "^13.5.3",
+    "@polkadot/networks": "^13.5.3",
+    "@polkadot/phishing": "^0.25.14",
+    "@polkadot/rpc-provider": "^16.3.1",
+    "@polkadot/types": "^16.3.1",
+    "@polkadot/ui-keyring": "^3.15.2",
+    "@polkadot/ui-settings": "^3.15.2",
+    "@polkadot/util": "^13.5.3",
+    "@polkadot/util-crypto": "^13.5.3",
     "eventemitter3": "^5.0.1",
     "rxjs": "^7.8.1",
+    "tldts": "^7.0.8",
     "tslib": "^2.8.1"
   }
 }

package/packageInfo.js

@@ -1 +1 @@
-export const packageInfo = { name: '@polkadot/extension-base', path: (import.meta && import.meta.url) ? new URL(import.meta.url).pathname.substring(0, new URL(import.meta.url).pathname.lastIndexOf('/') + 1) : 'auto', type: 'esm', version: '0.60.1' };
+export const packageInfo = { name: '@polkadot/extension-base', path: (import.meta && import.meta.url) ? new URL(import.meta.url).pathname.substring(0, new URL(import.meta.url).pathname.lastIndexOf('/') + 1) : 'auto', type: 'esm', version: '0.61.2' };