@pooflabs/core 0.0.42 → 0.0.43

package/dist/index.mjs

@@ -6,6 +6,261 @@ import { Program } from '@coral-xyz/anchor';
 import BN from 'bn.js';
 import ReconnectingWebSocket from 'reconnecting-websocket';
 
+function getDefaultExportFromCjs (x) {
+	return x && x.__esModule && Object.prototype.hasOwnProperty.call(x, 'default') ? x['default'] : x;
+}
+
+var isRetryAllowed$1;
+var hasRequiredIsRetryAllowed;
+
+function requireIsRetryAllowed () {
+	if (hasRequiredIsRetryAllowed) return isRetryAllowed$1;
+	hasRequiredIsRetryAllowed = 1;
+
+	const denyList = new Set([
+		'ENOTFOUND',
+		'ENETUNREACH',
+
+		// SSL errors from https://github.com/nodejs/node/blob/fc8e3e2cdc521978351de257030db0076d79e0ab/src/crypto/crypto_common.cc#L301-L328
+		'UNABLE_TO_GET_ISSUER_CERT',
+		'UNABLE_TO_GET_CRL',
+		'UNABLE_TO_DECRYPT_CERT_SIGNATURE',
+		'UNABLE_TO_DECRYPT_CRL_SIGNATURE',
+		'UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY',
+		'CERT_SIGNATURE_FAILURE',
+		'CRL_SIGNATURE_FAILURE',
+		'CERT_NOT_YET_VALID',
+		'CERT_HAS_EXPIRED',
+		'CRL_NOT_YET_VALID',
+		'CRL_HAS_EXPIRED',
+		'ERROR_IN_CERT_NOT_BEFORE_FIELD',
+		'ERROR_IN_CERT_NOT_AFTER_FIELD',
+		'ERROR_IN_CRL_LAST_UPDATE_FIELD',
+		'ERROR_IN_CRL_NEXT_UPDATE_FIELD',
+		'OUT_OF_MEM',
+		'DEPTH_ZERO_SELF_SIGNED_CERT',
+		'SELF_SIGNED_CERT_IN_CHAIN',
+		'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
+		'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+		'CERT_CHAIN_TOO_LONG',
+		'CERT_REVOKED',
+		'INVALID_CA',
+		'PATH_LENGTH_EXCEEDED',
+		'INVALID_PURPOSE',
+		'CERT_UNTRUSTED',
+		'CERT_REJECTED',
+		'HOSTNAME_MISMATCH'
+	]);
+
+	// TODO: Use `error?.code` when targeting Node.js 14
+	isRetryAllowed$1 = error => !denyList.has(error && error.code);
+	return isRetryAllowed$1;
+}
+
+var isRetryAllowedExports = requireIsRetryAllowed();
+var isRetryAllowed = /*@__PURE__*/getDefaultExportFromCjs(isRetryAllowedExports);
+
+const namespace = 'axios-retry';
+function isNetworkError(error) {
+    const CODE_EXCLUDE_LIST = ['ERR_CANCELED', 'ECONNABORTED'];
+    if (error.response) {
+        return false;
+    }
+    if (!error.code) {
+        return false;
+    }
+    // Prevents retrying timed out & cancelled requests
+    if (CODE_EXCLUDE_LIST.includes(error.code)) {
+        return false;
+    }
+    // Prevents retrying unsafe errors
+    return isRetryAllowed(error);
+}
+const SAFE_HTTP_METHODS = ['get', 'head', 'options'];
+const IDEMPOTENT_HTTP_METHODS = SAFE_HTTP_METHODS.concat(['put', 'delete']);
+function isRetryableError(error) {
+    return (error.code !== 'ECONNABORTED' &&
+        (!error.response ||
+            error.response.status === 429 ||
+            (error.response.status >= 500 && error.response.status <= 599)));
+}
+function isSafeRequestError(error) {
+    if (!error.config?.method) {
+        // Cannot determine if the request can be retried
+        return false;
+    }
+    return isRetryableError(error) && SAFE_HTTP_METHODS.indexOf(error.config.method) !== -1;
+}
+function isIdempotentRequestError(error) {
+    if (!error.config?.method) {
+        // Cannot determine if the request can be retried
+        return false;
+    }
+    return isRetryableError(error) && IDEMPOTENT_HTTP_METHODS.indexOf(error.config.method) !== -1;
+}
+function isNetworkOrIdempotentRequestError(error) {
+    return isNetworkError(error) || isIdempotentRequestError(error);
+}
+function retryAfter(error = undefined) {
+    const retryAfterHeader = error?.response?.headers['retry-after'];
+    if (!retryAfterHeader) {
+        return 0;
+    }
+    // if the retry after header is a number, convert it to milliseconds
+    let retryAfterMs = (Number(retryAfterHeader) || 0) * 1000;
+    // If the retry after header is a date, get the number of milliseconds until that date
+    if (retryAfterMs === 0) {
+        retryAfterMs = (new Date(retryAfterHeader).valueOf() || 0) - Date.now();
+    }
+    return Math.max(0, retryAfterMs);
+}
+function noDelay(_retryNumber = 0, error = undefined) {
+    return Math.max(0, retryAfter(error));
+}
+function exponentialDelay(retryNumber = 0, error = undefined, delayFactor = 100) {
+    const calculatedDelay = 2 ** retryNumber * delayFactor;
+    const delay = Math.max(calculatedDelay, retryAfter(error));
+    const randomSum = delay * 0.2 * Math.random(); // 0-20% of the delay
+    return delay + randomSum;
+}
+/**
+ * Linear delay
+ * @param {number | undefined} delayFactor - delay factor in milliseconds (default: 100)
+ * @returns {function} (retryNumber: number, error: AxiosError | undefined) => number
+ */
+function linearDelay(delayFactor = 100) {
+    return (retryNumber = 0, error = undefined) => {
+        const delay = retryNumber * delayFactor;
+        return Math.max(delay, retryAfter(error));
+    };
+}
+const DEFAULT_OPTIONS = {
+    retries: 3,
+    retryCondition: isNetworkOrIdempotentRequestError,
+    retryDelay: noDelay,
+    shouldResetTimeout: false,
+    onRetry: () => { },
+    onMaxRetryTimesExceeded: () => { },
+    validateResponse: null
+};
+function getRequestOptions(config, defaultOptions) {
+    return { ...DEFAULT_OPTIONS, ...defaultOptions, ...config[namespace] };
+}
+function setCurrentState(config, defaultOptions, resetLastRequestTime = false) {
+    const currentState = getRequestOptions(config, defaultOptions || {});
+    currentState.retryCount = currentState.retryCount || 0;
+    if (!currentState.lastRequestTime || resetLastRequestTime) {
+        currentState.lastRequestTime = Date.now();
+    }
+    config[namespace] = currentState;
+    return currentState;
+}
+function fixConfig(axiosInstance, config) {
+    // @ts-ignore
+    if (axiosInstance.defaults.agent === config.agent) {
+        // @ts-ignore
+        delete config.agent;
+    }
+    if (axiosInstance.defaults.httpAgent === config.httpAgent) {
+        delete config.httpAgent;
+    }
+    if (axiosInstance.defaults.httpsAgent === config.httpsAgent) {
+        delete config.httpsAgent;
+    }
+}
+async function shouldRetry(currentState, error) {
+    const { retries, retryCondition } = currentState;
+    const shouldRetryOrPromise = (currentState.retryCount || 0) < retries && retryCondition(error);
+    // This could be a promise
+    if (typeof shouldRetryOrPromise === 'object') {
+        try {
+            const shouldRetryPromiseResult = await shouldRetryOrPromise;
+            // keep return true unless shouldRetryPromiseResult return false for compatibility
+            return shouldRetryPromiseResult !== false;
+        }
+        catch (_err) {
+            return false;
+        }
+    }
+    return shouldRetryOrPromise;
+}
+async function handleRetry(axiosInstance, currentState, error, config) {
+    currentState.retryCount += 1;
+    const { retryDelay, shouldResetTimeout, onRetry } = currentState;
+    const delay = retryDelay(currentState.retryCount, error);
+    // Axios fails merging this configuration to the default configuration because it has an issue
+    // with circular structures: https://github.com/mzabriskie/axios/issues/370
+    fixConfig(axiosInstance, config);
+    if (!shouldResetTimeout && config.timeout && currentState.lastRequestTime) {
+        const lastRequestDuration = Date.now() - currentState.lastRequestTime;
+        const timeout = config.timeout - lastRequestDuration - delay;
+        if (timeout <= 0) {
+            return Promise.reject(error);
+        }
+        config.timeout = timeout;
+    }
+    config.transformRequest = [(data) => data];
+    await onRetry(currentState.retryCount, error, config);
+    if (config.signal?.aborted) {
+        return Promise.resolve(axiosInstance(config));
+    }
+    return new Promise((resolve) => {
+        const abortListener = () => {
+            clearTimeout(timeout);
+            resolve(axiosInstance(config));
+        };
+        const timeout = setTimeout(() => {
+            resolve(axiosInstance(config));
+            if (config.signal?.removeEventListener) {
+                config.signal.removeEventListener('abort', abortListener);
+            }
+        }, delay);
+        if (config.signal?.addEventListener) {
+            config.signal.addEventListener('abort', abortListener, { once: true });
+        }
+    });
+}
+async function handleMaxRetryTimesExceeded(currentState, error) {
+    if (currentState.retryCount >= currentState.retries)
+        await currentState.onMaxRetryTimesExceeded(error, currentState.retryCount);
+}
+const axiosRetry = (axiosInstance, defaultOptions) => {
+    const requestInterceptorId = axiosInstance.interceptors.request.use((config) => {
+        setCurrentState(config, defaultOptions, true);
+        if (config[namespace]?.validateResponse) {
+            // by setting this, all HTTP responses will be go through the error interceptor first
+            config.validateStatus = () => false;
+        }
+        return config;
+    });
+    const responseInterceptorId = axiosInstance.interceptors.response.use(null, async (error) => {
+        const { config } = error;
+        // If we have no information to retry the request
+        if (!config) {
+            return Promise.reject(error);
+        }
+        const currentState = setCurrentState(config, defaultOptions);
+        if (error.response && currentState.validateResponse?.(error.response)) {
+            // no issue with response
+            return error.response;
+        }
+        if (await shouldRetry(currentState, error)) {
+            return handleRetry(axiosInstance, currentState, error, config);
+        }
+        await handleMaxRetryTimesExceeded(currentState, error);
+        return Promise.reject(error);
+    });
+    return { requestInterceptorId, responseInterceptorId };
+};
+// Compatibility with CommonJS
+axiosRetry.isNetworkError = isNetworkError;
+axiosRetry.isSafeRequestError = isSafeRequestError;
+axiosRetry.isIdempotentRequestError = isIdempotentRequestError;
+axiosRetry.isNetworkOrIdempotentRequestError = isNetworkOrIdempotentRequestError;
+axiosRetry.exponentialDelay = exponentialDelay;
+axiosRetry.linearDelay = linearDelay;
+axiosRetry.isRetryableError = isRetryableError;
+
 let axiosClient;
 async function getAxiosAuthClient() {
     if (!axiosClient) {
@@ -15,6 +270,7 @@ async function getAxiosAuthClient() {
             headers: {
                 'Content-Type': 'application/json',
             },
+            timeout: 30000, // 30s timeout, matching makeApiRequest
         });
     }
     return axiosClient;
@@ -61,15 +317,41 @@ async function createSessionWithPrivy(authToken, address, privyIdToken) {
     });
     return response.data;
 }
+// Deduplicate concurrent refreshSession calls to prevent multiple code paths
+// (WebSocket reconnection, periodic refresh, API 401 retry) from all hitting
+// /session/refresh simultaneously.
+// Note: module-level state is shared across requests in SSR/Node — acceptable
+// since there is only one active session per server instance (same pattern as
+// refreshInFlight in api.ts).
+let refreshInFlight$1 = null;
+let refreshInFlightToken = null;
 async function refreshSession(refreshToken) {
-    const client = await getAxiosAuthClient();
-    const config = await getConfig();
-    const appId = config.appId;
-    const response = await client.post('/session/refresh', {
-        refreshToken,
-        appId
-    });
-    return response.data;
+    if (refreshInFlight$1 && refreshInFlightToken === refreshToken) {
+        return refreshInFlight$1;
+    }
+    refreshInFlightToken = refreshToken;
+    let currentFlight;
+    currentFlight = refreshInFlight$1 = (async () => {
+        try {
+            const client = await getAxiosAuthClient();
+            const config = await getConfig();
+            const appId = config.appId;
+            const response = await client.post('/session/refresh', {
+                refreshToken,
+                appId
+            });
+            return response.data;
+        }
+        finally {
+            // Only clear if we're still the active in-flight request.
+            // A second call with a different token may have replaced us.
+            if (refreshInFlight$1 === currentFlight) {
+                refreshInFlight$1 = null;
+                refreshInFlightToken = null;
+            }
+        }
+    })();
+    return refreshInFlight$1;
 }
 async function signSessionCreateMessage(_signMessageFunction) {
 }
@@ -207,14 +489,10 @@ class WebSessionManager {
 WebSessionManager.TAROBASE_SESSION_STORAGE_KEY = "tarobase_session_storage";
 
 var webSessionManager = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    WebSessionManager: WebSessionManager
+	__proto__: null,
+	WebSessionManager: WebSessionManager
 });
 
-function getDefaultExportFromCjs (x) {
-	return x && x.__esModule && Object.prototype.hasOwnProperty.call(x, 'default') ? x['default'] : x;
-}
-
 var buffer = {};
 
 var base64Js = {};
@@ -3011,7 +3289,19 @@ async function buildSetDocumentsTransaction(connection, idl, anchorProvider, pay
         }
     }
     else if (lutKey != null) {
-        const { value: table } = await connection.getAddressLookupTable(new PublicKey(lutKey));
+        // The LUT may have just been created server-side and the client's RPC node
+        // may not have indexed it yet (load-balancer split). Retry with exponential
+        // back-off; first retry at 100 ms almost always resolves it.
+        let table = null;
+        for (let attempt = 0; attempt < 5; attempt++) {
+            const { value } = await connection.getAddressLookupTable(new PublicKey(lutKey));
+            if (value) {
+                table = value;
+                break;
+            }
+            if (attempt < 4)
+                await new Promise(r => setTimeout(r, 100 * Math.pow(2, attempt)));
+        }
         if (!table)
             throw new Error('LUT not found after creation/extend');
         lookupTables.push(table);
@@ -3146,8 +3436,8 @@ class ServerSessionManager {
 ServerSessionManager.instance = new ServerSessionManager();
 
 var serverSessionManager = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    ServerSessionManager: ServerSessionManager
+	__proto__: null,
+	ServerSessionManager: ServerSessionManager
 });
 
 /**
@@ -3246,6 +3536,23 @@ async function updateIdTokenAndAccessToken(idToken, accessToken, isServer = fals
     await WebSessionManager.updateIdTokenAndAccessToken(idToken, accessToken);
 }
 
+const apiClient = axios.create();
+axiosRetry(apiClient, {
+    retries: 2,
+    retryCondition: (error) => {
+        var _a, _b;
+        // Only retry GET requests on network errors (ECONNRESET, ETIMEDOUT, etc.)
+        // Writes (POST/PUT) are not retried — the server may have processed
+        // the request before the connection was reset.
+        return axiosRetry.isNetworkError(error) && ((_b = (_a = error.config) === null || _a === void 0 ? void 0 : _a.method) === null || _b === void 0 ? void 0 : _b.toLowerCase()) === 'get';
+    },
+    retryDelay: axiosRetry.exponentialDelay,
+    shouldResetTimeout: true,
+    onRetry: (retryCount, error, requestConfig) => {
+        var _a;
+        console.warn(`[tarobase-sdk] retry ${retryCount} for ${(_a = requestConfig.method) === null || _a === void 0 ? void 0 : _a.toUpperCase()} ${requestConfig.url} — ${error.code || error.message}`);
+    },
+});
 const refreshInFlight = new Map();
 async function refreshAuthSessionOnce(appId, isServer) {
     const key = `${isServer ? "server" : "web"}:${appId}`;
@@ -3292,6 +3599,7 @@ async function makeApiRequest(method, urlPath, data, _overrides) {
         ServerSessionManager.instance.clearSession();
     };
     async function executeRequest() {
+        var _a;
         // When _getAuthHeaders is provided (wallet client), use it as the sole auth source.
         // Otherwise use the global createAuthHeader (default path).
         const authHeader = (_overrides === null || _overrides === void 0 ? void 0 : _overrides._getAuthHeaders)
@@ -3313,11 +3621,12 @@ async function makeApiRequest(method, urlPath, data, _overrides) {
             method,
             url: `${config.apiUrl}${urlPath.startsWith("/") ? urlPath : `/${urlPath}`}`,
             headers,
+            timeout: (_a = _overrides === null || _overrides === void 0 ? void 0 : _overrides.timeout) !== null && _a !== void 0 ? _a : 30000,
         };
         if (method !== "GET" && method !== "get") {
             requestConfig.data = data ? JSON.stringify(data) : {};
         }
-        const response = await axios(requestConfig);
+        const response = await apiClient(requestConfig);
         return { data: response.data, status: response.status, headers: response.headers };
     }
     try {
@@ -4253,6 +4562,7 @@ function scheduleTokenRefresh(connection, isServer) {
     // This replaces the old single setTimeout approach which was unreliable for long
     // delays (browsers throttle/suspend timers in background tabs).
     connection.tokenRefreshTimer = setInterval(async () => {
+        var _a, _b;
         try {
             const currentToken = await getIdToken(isServer);
             if (!currentToken)
@@ -4283,6 +4593,17 @@ function scheduleTokenRefresh(connection, isServer) {
                     }
                 }
                 catch (refreshError) {
+                    // If the refresh token itself is invalid (401/403), stop retrying —
+                    // the token won't magically become valid next interval, and continuing
+                    // to hammer /session/refresh causes 429 rate-limit storms.
+                    if (((_a = refreshError === null || refreshError === void 0 ? void 0 : refreshError.response) === null || _a === void 0 ? void 0 : _a.status) === 401 || ((_b = refreshError === null || refreshError === void 0 ? void 0 : refreshError.response) === null || _b === void 0 ? void 0 : _b.status) === 403) {
+                        console.warn('[WS v2] Refresh token rejected (401/403), stopping periodic refresh');
+                        if (connection.tokenRefreshTimer) {
+                            clearInterval(connection.tokenRefreshTimer);
+                            connection.tokenRefreshTimer = null;
+                        }
+                        return;
+                    }
                     console.warn('[WS v2] Proactive token refresh failed, will retry next interval:', refreshError);
                 }
             }
@@ -4293,6 +4614,7 @@ function scheduleTokenRefresh(connection, isServer) {
     }, TOKEN_CHECK_INTERVAL);
 }
 async function getFreshAuthToken(isServer) {
+    var _a, _b;
     const currentToken = await getIdToken(isServer);
     if (!currentToken) {
         return null;
@@ -4315,6 +4637,17 @@ async function getFreshAuthToken(isServer) {
     }
     catch (error) {
         console.error('[WS v2] Error refreshing token:', error);
+        // If the refresh token is permanently invalid (401/403), clear the stale
+        // session from storage so future attempts don't keep retrying with it.
+        if (!isServer && (((_a = error === null || error === void 0 ? void 0 : error.response) === null || _a === void 0 ? void 0 : _a.status) === 401 || ((_b = error === null || error === void 0 ? void 0 : error.response) === null || _b === void 0 ? void 0 : _b.status) === 403)) {
+            try {
+                const { WebSessionManager } = await Promise.resolve().then(function () { return webSessionManager; });
+                WebSessionManager.clearSession();
+            }
+            catch (clearError) {
+                console.warn('[WS v2] Failed to clear stale session:', clearError);
+            }
+        }
     }
     // Return null instead of the expired token to prevent infinite 401 reconnect storms.
     // The server accepts unauthenticated connections; auth-required subscriptions will
@@ -4435,7 +4768,16 @@ async function getOrCreateConnection(appId, isServer) {
     ws.addEventListener('open', () => {
         connection.isConnecting = false;
         connection.isConnected = true;
-        connection.consecutiveAuthFailures = 0;
+        // NOTE: Do NOT reset consecutiveAuthFailures here. It is reset when a
+        // fresh auth token is actually obtained (in urlProvider, line ~389) or on
+        // an explicit auth change (reconnectWithNewAuthV2, line ~854). Resetting
+        // on every 'open' event created an infinite loop: auth fails 5x → connect
+        // without auth → open resets counter → disconnect → auth fails 5x again →
+        // repeat forever, hammering /session/refresh and causing 429s.
+        //
+        // An elevated counter is safe for anonymous/guest sessions: when there's no
+        // token at all (getIdToken returns null), the counter is never checked —
+        // urlProvider skips straight to unauthenticated connection.
         // Schedule periodic token freshness checks
         scheduleTokenRefresh(connection, isServer);
         // Re-subscribe to all existing subscriptions after reconnect