@pooflabs/core 0.0.45 → 0.0.47-rc1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +44 -0
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +44 -0
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
package/dist/index.mjs
CHANGED
|
@@ -376,6 +376,28 @@ class WebSessionManager {
|
|
|
376
376
|
static async storeSession(address, accessToken, idToken, refreshToken) {
|
|
377
377
|
if (typeof window === "undefined")
|
|
378
378
|
return;
|
|
379
|
+
// JWT-wallet binding: refuse to store a session whose idToken is bound
|
|
380
|
+
// to a different wallet than `address`. Prevents races that would otherwise
|
|
381
|
+
// leave localStorage with mismatched address/token state.
|
|
382
|
+
try {
|
|
383
|
+
const payloadB64 = idToken.split(".")[1];
|
|
384
|
+
if (payloadB64) {
|
|
385
|
+
const payload = JSON.parse(this.decodeBase64Url(payloadB64));
|
|
386
|
+
const tokenWallet = payload["custom:walletAddress"];
|
|
387
|
+
if (tokenWallet && tokenWallet !== address) {
|
|
388
|
+
throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
|
|
389
|
+
}
|
|
390
|
+
if (!tokenWallet) {
|
|
391
|
+
console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
|
|
392
|
+
}
|
|
393
|
+
}
|
|
394
|
+
}
|
|
395
|
+
catch (err) {
|
|
396
|
+
if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
|
|
397
|
+
throw err;
|
|
398
|
+
}
|
|
399
|
+
console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
|
|
400
|
+
}
|
|
379
401
|
const config = await getConfig();
|
|
380
402
|
const currentAppId = config.appId;
|
|
381
403
|
localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
|
|
@@ -5262,6 +5284,28 @@ class ReactNativeSessionManager {
|
|
|
5262
5284
|
/* STORE */
|
|
5263
5285
|
/* ------------------------------------------------------------------ */
|
|
5264
5286
|
static async storeSession(address, accessToken, idToken, refreshToken) {
|
|
5287
|
+
// JWT-wallet binding: refuse to store a session whose idToken is bound
|
|
5288
|
+
// to a different wallet than `address`. Prevents races that would otherwise
|
|
5289
|
+
// leave storage with mismatched address/token state.
|
|
5290
|
+
try {
|
|
5291
|
+
const payloadB64 = idToken.split(".")[1];
|
|
5292
|
+
if (payloadB64) {
|
|
5293
|
+
const payload = JSON.parse(this.decodeBase64Url(payloadB64));
|
|
5294
|
+
const tokenWallet = payload["custom:walletAddress"];
|
|
5295
|
+
if (tokenWallet && tokenWallet !== address) {
|
|
5296
|
+
throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
|
|
5297
|
+
}
|
|
5298
|
+
if (!tokenWallet) {
|
|
5299
|
+
console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
|
|
5300
|
+
}
|
|
5301
|
+
}
|
|
5302
|
+
}
|
|
5303
|
+
catch (err) {
|
|
5304
|
+
if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
|
|
5305
|
+
throw err;
|
|
5306
|
+
}
|
|
5307
|
+
console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
|
|
5308
|
+
}
|
|
5265
5309
|
const config = await getConfig();
|
|
5266
5310
|
const currentAppId = config.appId;
|
|
5267
5311
|
this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
|