@pooflabs/core 0.0.45 → 0.0.47-rc1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +44 -0
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +44 -0
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
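--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -396,6 +396,28 @@ class WebSessionManager {
 static async storeSession(address, accessToken, idToken, refreshToken) {
 if (typeof window === "undefined")
 return;
+// JWT-wallet binding: refuse to store a session whose idToken is bound
+// to a different wallet than `address`. Prevents races that would otherwise
+// leave localStorage with mismatched address/token state.
+try {
+const payloadB64 = idToken.split(".")[1];
+if (payloadB64) {
+const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+const tokenWallet = payload["custom:walletAddress"];
+if (tokenWallet && tokenWallet !== address) {
+throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+}
+if (!tokenWallet) {
+console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+}
+}
+}
+catch (err) {
+if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+throw err;
+}
+console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
+}
 const config = await getConfig();
 const currentAppId = config.appId;
 localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -5282,6 +5304,28 @@ class ReactNativeSessionManager {
 /* STORE */
 /* ------------------------------------------------------------------ */
 static async storeSession(address, accessToken, idToken, refreshToken) {
+// JWT-wallet binding: refuse to store a session whose idToken is bound
+// to a different wallet than `address`. Prevents races that would otherwise
+// leave storage with mismatched address/token state.
+try {
+const payloadB64 = idToken.split(".")[1];
+if (payloadB64) {
+const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+const tokenWallet = payload["custom:walletAddress"];
+if (tokenWallet && tokenWallet !== address) {
+throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+}
+if (!tokenWallet) {
+console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+}
+}
+}
+catch (err) {
+if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+throw err;
+}
+console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
+}
 const config = await getConfig();
 const currentAppId = config.appId;
 this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({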