@pollar/core 0.8.0 → 0.8.2

package/dist/index.mjs

@@ -1,3 +1,5 @@
+import { sha256 as sha256$1 } from '@noble/hashes/sha2';
+
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -182,11 +184,8 @@ function defaultKeyManager(storage, apiKey) {
   }
   return _factory(storage, apiKey);
 }
-
-// src/lib/sha256.ts
 async function sha256(data) {
-  const buf = await crypto.subtle.digest("SHA-256", data);
-  return new Uint8Array(buf);
+  return sha256$1(data);
 }
 
 // src/lib/api-key-hash.ts
@@ -979,6 +978,26 @@ async function pollRampTransaction(api, txId, { intervalMs = 5e3, timeoutMs = 6e
   throw new Error("Ramp transaction polling timed out");
 }
 
+// src/lib/random-uuid.ts
+function randomUUID() {
+  const c = globalThis.crypto;
+  if (c && typeof c.randomUUID === "function") {
+    return c.randomUUID();
+  }
+  if (c && typeof c.getRandomValues === "function") {
+    const bytes = new Uint8Array(16);
+    c.getRandomValues(bytes);
+    bytes[6] = bytes[6] & 15 | 64;
+    bytes[8] = bytes[8] & 63 | 128;
+    const hex = [];
+    for (let i = 0; i < 16; i++) hex.push(bytes[i].toString(16).padStart(2, "0"));
+    return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10, 16).join("")}`;
+  }
+  throw new Error(
+    "[PollarClient] No secure random source available (crypto.randomUUID / crypto.getRandomValues). DPoP requires a secure context (HTTPS) or, in React Native, the `react-native-get-random-values` polyfill."
+  );
+}
+
 // src/dpop.ts
 async function buildProof(args, keyManager) {
   const jwk = await keyManager.getPublicJwk();
@@ -988,7 +1007,7 @@ async function buildProof(args, keyManager) {
     jwk
   };
   const payload = {
-    jti: generateJti(),
+    jti: randomUUID(),
     htm: args.htm.toUpperCase(),
     htu: normalizeHtu(args.htu),
     iat: Math.floor(Date.now() / 1e3)
@@ -1022,24 +1041,6 @@ function normalizeHtu(rawUrl) {
   const portPart = port ? `:${port}` : "";
   return `${scheme}//${host}${portPart}${url.pathname}`;
 }
-function generateJti() {
-  const c = globalThis.crypto;
-  if (c && typeof c.randomUUID === "function") {
-    return c.randomUUID();
-  }
-  if (c && typeof c.getRandomValues === "function") {
-    const bytes = new Uint8Array(16);
-    c.getRandomValues(bytes);
-    bytes[6] = bytes[6] & 15 | 64;
-    bytes[8] = bytes[8] & 63 | 128;
-    const hex = [];
-    for (let i = 0; i < 16; i++) hex.push(bytes[i].toString(16).padStart(2, "0"));
-    return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10, 16).join("")}`;
-  }
-  throw new Error(
-    "[PollarClient:dpop] No secure random source available (crypto.randomUUID / crypto.getRandomValues). DPoP requires a secure context (HTTPS) or, in React Native, the `react-native-get-random-values` polyfill."
-  );
-}
 
 // src/storage/web.ts
 var LOG_PREFIX = "[PollarClient:storage]";
@@ -1182,6 +1183,8 @@ function defaultVisibilityProvider() {
 // src/types.ts
 var AUTH_ERROR_CODES = {
   SESSION_CREATE_FAILED: "SESSION_CREATE_FAILED",
+  SESSION_EXPIRED: "SESSION_EXPIRED",
+  SESSION_INVALID: "SESSION_INVALID",
   EMAIL_SEND_FAILED: "EMAIL_SEND_FAILED",
   EMAIL_VERIFY_FAILED: "EMAIL_VERIFY_FAILED",
   EMAIL_CODE_EXPIRED: "EMAIL_CODE_EXPIRED",
@@ -1495,7 +1498,32 @@ async function readWalletType(storage, apiKeyHash) {
   return storage.get(walletTypeStorageKey(apiKeyHash));
 }
 
+// src/lib/abort.ts
+function abortError() {
+  if (typeof DOMException !== "undefined") {
+    return new DOMException("Aborted", "AbortError");
+  }
+  const err = new Error("Aborted");
+  err.name = "AbortError";
+  return err;
+}
+function throwIfAborted(signal) {
+  if (signal?.aborted) throw abortError();
+}
+
 // src/client/stream.ts
+var SessionStatusError = class extends Error {
+  constructor(code) {
+    super(`[PollarClient] Session status terminal: ${code}`);
+    this.code = code;
+    this.name = "SessionStatusError";
+  }
+};
+function terminalStatusCode(parsed) {
+  const err = parsed?.error;
+  if (err === "INVALID_CLIENT_SESSION_ID" || err === "EXPIRED_CLIENT_ID") return err;
+  return null;
+}
 function abortableDelay(ms, signal) {
   return new Promise((resolve, reject) => {
     const t = setTimeout(resolve, ms);
@@ -1503,7 +1531,7 @@ function abortableDelay(ms, signal) {
       "abort",
       () => {
         clearTimeout(t);
-        reject(new DOMException("Aborted", "AbortError"));
+        reject(abortError());
       },
       { once: true }
     );
@@ -1518,7 +1546,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     else await new Promise((r) => setTimeout(r, ms));
   };
   while (true) {
-    signal?.throwIfAborted();
+    throwIfAborted(signal);
     let data, error;
     try {
       ({ data, error } = await api.GET("/auth/session/status/{clientSessionId}", {
@@ -1541,7 +1569,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     let sawAnyChunk = false;
     try {
       while (true) {
-        signal?.throwIfAborted();
+        throwIfAborted(signal);
         const { done, value } = await reader.read();
         if (done) {
           streamDone = true;
@@ -1552,17 +1580,22 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
         for (const message of chunk.split("\n\n").filter(Boolean)) {
           const dataLine = message.split("\n").find((l) => l.startsWith("data:"));
           if (!dataLine) continue;
+          let parsed;
           try {
-            const parsed = JSON.parse(dataLine.slice("data:".length).trim());
-            if (check(parsed)) {
-              return parsed;
-            }
+            parsed = JSON.parse(dataLine.slice("data:".length).trim());
           } catch {
+            continue;
+          }
+          const terminal = terminalStatusCode(parsed);
+          if (terminal) throw new SessionStatusError(terminal);
+          if (check(parsed)) {
+            return parsed;
           }
         }
       }
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
+      if (e instanceof SessionStatusError) throw e;
       console.warn(e);
     } finally {
       reader.releaseLock();
@@ -1573,12 +1606,72 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     if (delay) await sleep(delay);
   }
 }
+async function pollUntilFound(baseUrl, clientSessionId, check, intervalMs = 500, signal) {
+  const url = `${baseUrl}/auth/session/status/${encodeURIComponent(clientSessionId)}/poll`;
+  let backoff = intervalMs;
+  const sleep = async (ms) => {
+    if (ms <= 0) return;
+    if (signal) await abortableDelay(ms, signal);
+    else await new Promise((r) => setTimeout(r, ms));
+  };
+  while (true) {
+    throwIfAborted(signal);
+    let envelope = null;
+    let httpStatus = 0;
+    try {
+      const response = await fetch(url, { headers: { accept: "application/json" }, signal: signal ?? null });
+      httpStatus = response.status;
+      envelope = await response.json().catch(() => null);
+    } catch (e) {
+      if (e instanceof Error && e.name === "AbortError") throw e;
+      console.warn(e);
+    }
+    if (httpStatus === 404 || envelope?.code === "INVALID_CLIENT_SESSION_ID") {
+      throw new SessionStatusError("INVALID_CLIENT_SESSION_ID");
+    }
+    if (httpStatus === 410 || envelope?.code === "EXPIRED_CLIENT_ID") {
+      throw new SessionStatusError("EXPIRED_CLIENT_ID");
+    }
+    if (envelope?.success && envelope.content && check(envelope.content)) {
+      return envelope.content;
+    }
+    if (envelope) backoff = intervalMs;
+    else backoff = Math.min(backoff * 2, MAX_BACKOFF_MS);
+    await sleep(backoff);
+  }
+}
+function waitForSessionReady(args) {
+  const { api, baseUrl, clientSessionId, check, useStreaming, retryDelayMs, signal } = args;
+  return useStreaming ? streamUntilFound(api, clientSessionId, check, retryDelayMs ?? 200, signal) : pollUntilFound(baseUrl, clientSessionId, check, retryDelayMs ?? 500, signal);
+}
 
 // src/client/auth/authenticate.ts
 async function authenticate(clientSessionId, deps, expectedWallet) {
-  const { api, signal, setAuthState, storeSession, clearSession } = deps;
+  const { api, basePath, useStreaming, signal, setAuthState, storeSession, clearSession } = deps;
   setAuthState({ step: "authenticating" });
-  await streamUntilFound(api, clientSessionId, (data2) => data2?.status === "READY", 200, signal);
+  try {
+    await waitForSessionReady({
+      api,
+      baseUrl: basePath,
+      clientSessionId,
+      check: (data2) => data2?.status === "READY",
+      useStreaming,
+      signal
+    });
+  } catch (err) {
+    if (err instanceof SessionStatusError) {
+      const expired = err.code === "EXPIRED_CLIENT_ID";
+      setAuthState({
+        step: "error",
+        previousStep: "authenticating",
+        message: expired ? "Login session expired \u2014 please try again" : "Login session is no longer valid \u2014 please try again",
+        errorCode: expired ? AUTH_ERROR_CODES.SESSION_EXPIRED : AUTH_ERROR_CODES.SESSION_INVALID
+      });
+      await clearSession();
+      return;
+    }
+    throw err;
+  }
   const dpopJwk = await deps.getPublicJwk();
   const { data } = await api.POST("/auth/login", {
     body: {
@@ -1702,26 +1795,36 @@ function severOpener(popup) {
   } catch {
   }
 }
-async function loginOAuth(provider, deps) {
-  const { setAuthState, basePath, apiKey } = deps;
-  const popup = window.open("about:blank", "_blank");
+var defaultWebOAuthOpener = async ({ getUrl }) => {
+  const popup = typeof window !== "undefined" ? window.open("about:blank", "_blank") : null;
   severOpener(popup);
-  const clientSessionId = await createAuthSession(deps);
-  if (!clientSessionId) {
+  const url = await getUrl();
+  if (!url) {
     popup?.close();
     return;
   }
-  setAuthState({ step: "opening_oauth", provider });
-  const url = new URL(`${basePath}/auth/${provider}`);
-  url.searchParams.set("api_key", apiKey);
-  url.searchParams.set("client_session_id", clientSessionId);
-  url.searchParams.set("redirect_uri", window.location.origin);
   if (popup) {
-    popup.location.href = url.toString();
+    popup.location.href = url;
     severOpener(popup);
-  } else {
-    window.open(url.toString(), "_blank", "noopener,noreferrer");
+  } else if (typeof window !== "undefined") {
+    window.open(url, "_blank", "noopener,noreferrer");
   }
+};
+async function loginOAuth(provider, deps) {
+  const { setAuthState, basePath, apiKey, openAuthUrl, redirectUri, signal } = deps;
+  let clientSessionId = null;
+  const getUrl = async () => {
+    clientSessionId = await createAuthSession(deps);
+    if (!clientSessionId) return null;
+    setAuthState({ step: "opening_oauth", provider });
+    const url = new URL(`${basePath}/auth/${provider}`);
+    url.searchParams.set("api_key", apiKey);
+    url.searchParams.set("client_session_id", clientSessionId);
+    url.searchParams.set("redirect_uri", redirectUri);
+    return url.toString();
+  };
+  await openAuthUrl({ provider, getUrl, redirectUri, signal });
+  if (!clientSessionId) return;
   await authenticate(clientSessionId, deps);
 }
 
@@ -1731,10 +1834,10 @@ function withSignal(promise, signal) {
     promise,
     new Promise((_, reject) => {
       if (signal.aborted) {
-        reject(new DOMException("Aborted", "AbortError"));
+        reject(abortError());
         return;
       }
-      signal.addEventListener("abort", () => reject(new DOMException("Aborted", "AbortError")), { once: true });
+      signal.addEventListener("abort", () => reject(abortError()), { once: true });
     })
   ]);
 }
@@ -1782,6 +1885,8 @@ async function loginWallet(type, deps) {
 
 // src/client/client.ts
 var isBrowser = typeof window !== "undefined" && typeof localStorage !== "undefined";
+var isReactNative = typeof navigator !== "undefined" && navigator.product === "ReactNative";
+var isClientRuntime = isBrowser || isReactNative;
 var REFRESH_SKEW_SECONDS = 60;
 function warnServerSide(method) {
   console.warn(
@@ -1837,7 +1942,7 @@ var PollarClient = class {
     this._walletAdapter = null;
     this._loginController = null;
     this.apiKey = config.apiKey;
-    this.id = crypto.randomUUID();
+    this.id = randomUUID();
     this.basePath = `${config.baseUrl || "https://sdk.api.pollar.xyz"}/v1`;
     this._storage = config.storage ?? defaultStorage({
       onDegrade: (reason, error) => {
@@ -1851,10 +1956,12 @@ var PollarClient = class {
     this._deviceLabel = config.deviceLabel;
     this._visibilityProvider = config.visibilityProvider ?? defaultVisibilityProvider();
     this._maxIdleMs = config.maxIdleMs;
+    this._openAuthUrl = config.openAuthUrl ?? defaultWebOAuthOpener;
+    this._oauthRedirectUri = config.oauthRedirectUri ?? (isBrowser ? window.location.origin : "");
     this._api = createApiClient(this.basePath);
     this._wireMiddlewares();
     this._networkState = { step: "connected", network: config.stellarNetwork ?? "testnet" };
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("constructor");
       this._initialized = Promise.resolve();
       return;
@@ -1880,7 +1987,7 @@ var PollarClient = class {
   // ─── Lifecycle ────────────────────────────────────────────────────────────
   async _initialize() {
     this._apiKeyHash = await hashApiKey(this.apiKey);
-    if (typeof window !== "undefined") {
+    if (isBrowser) {
       const sessionKey = sessionStorageKey(this._apiKeyHash);
       const handler = (e) => {
         if (e.key === sessionKey) {
@@ -1902,7 +2009,7 @@ var PollarClient = class {
   }
   /** Detach the cross-tab storage listener and abort any in-flight login. */
   destroy() {
-    if (this._storageEventHandler && typeof window !== "undefined") {
+    if (this._storageEventHandler && isBrowser) {
       window.removeEventListener("storage", this._storageEventHandler);
       this._storageEventHandler = null;
     }
@@ -2185,7 +2292,7 @@ var PollarClient = class {
   }
   // ─── Login (unified entry point) ─────────────────────────────────────────
   login(options) {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("login");
       return;
     }
@@ -2196,7 +2303,9 @@ var PollarClient = class {
         loginOAuth(options.provider, {
           ...deps,
           basePath: this.basePath,
-          apiKey: this.apiKey
+          apiKey: this.apiKey,
+          openAuthUrl: this._openAuthUrl,
+          redirectUri: this._oauthRedirectUri
         }).catch((err) => this._handleFlowError(err));
       } else if (options.provider === "email") {
         const { email } = options;
@@ -2212,7 +2321,7 @@ var PollarClient = class {
   }
   // ─── Email OTP flow (3 steps) ─────────────────────────────────────────────
   beginEmailLogin() {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("beginEmailLogin");
       return;
     }
@@ -2220,7 +2329,7 @@ var PollarClient = class {
     initEmailSession(this._flowDeps(controller.signal)).catch((err) => this._handleFlowError(err));
   }
   sendEmailCode(email) {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("sendEmailCode");
       return;
     }
@@ -2232,7 +2341,7 @@ var PollarClient = class {
     sendEmailCode(email, clientSessionId, this._flowDeps(signal)).catch((err) => this._handleFlowError(err));
   }
   verifyEmailCode(code) {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("verifyEmailCode");
       return;
     }
@@ -2250,7 +2359,7 @@ var PollarClient = class {
   }
   // ─── Wallet flow (single call) ────────────────────────────────────────────
   loginWallet(type) {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("loginWallet");
       return;
     }
@@ -2276,7 +2385,7 @@ var PollarClient = class {
    * across all devices.
    */
   async logout(options = {}) {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("logout");
       return;
     }
@@ -2306,7 +2415,7 @@ var PollarClient = class {
    * `current` flag identifies which entry corresponds to this client.
    */
   async listSessions() {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("listSessions");
       return [];
     }
@@ -2325,7 +2434,7 @@ var PollarClient = class {
    * does NOT clear local state — call `logout()` for that case.
    */
   async revokeSession(familyId) {
-    if (!isBrowser) {
+    if (!isClientRuntime) {
       warnServerSide("revokeSession");
       return;
     }
@@ -2823,6 +2932,11 @@ var PollarClient = class {
   _flowDeps(signal) {
     return {
       api: this._api,
+      basePath: this.basePath,
+      // SSE status streaming works on web; React Native's `fetch` has no
+      // readable `response.body`, so those clients poll the non-streaming
+      // status endpoint instead. `isBrowser` is false in RN and SSR alike.
+      useStreaming: isBrowser,
       signal,
       setAuthState: this._setAuthState.bind(this),
       storeSession: this._storeSession.bind(this),