@pooflabs/core 0.0.46 → 0.0.47-rc1

package/dist/index.mjs

@@ -376,6 +376,28 @@ class WebSessionManager {
     static async storeSession(address, accessToken, idToken, refreshToken) {
         if (typeof window === "undefined")
             return;
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave localStorage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -3166,12 +3188,6 @@ async function genSolanaMessage(address, nonce) {
 // Serialization Helpers
 // ─────────────────────────────────────────────────────────────
 function isHexString(value) {
-    // Only strings can be hex-encoded. Numbers, BNs, and other shapes coming back
-    // from the API for u64Val/i64Val should fall through to `new BN(value)` which
-    // accepts those shapes natively. Without this guard, calling .startsWith on a
-    // non-string blows up with TypeError.
-    if (typeof value !== "string")
-        return false;
     // Matches strings containing only 0-9, a-f, or A-F (optionally prefixed with 0x)
     let testValue = value;
     // Handle negative values
@@ -3267,11 +3283,8 @@ async function buildSetDocumentsTransaction(connection, idl, anchorProvider, pay
     }
     else if (idl.address === "poof4b5pk1L9tmThvBmaABjcyjfhFGbMbQP5BXk2QZp") {
         const program = new Program(idl, anchorProvider);
-        // Targets `set_documents_v2` (Vec<u8> ra_indices). The on-chain program
-        // also exposes the legacy `set_documents` (Vec<u64>) so SDKs already on npm
-        // continue to work — but new releases of this SDK speak v2 only.
         tx = await program.methods
-            .setDocumentsV2(args.app_id, prepareAnchorArgs(args.documents), args.delete_paths, args.txData, simulate)
+            .setDocuments(args.app_id, prepareAnchorArgs(args.documents), args.delete_paths, args.txData, simulate)
             .preInstructions(instructions)
             .accounts({
             payer: payerPublicKey
@@ -3626,17 +3639,11 @@ async function makeApiRequest(method, urlPath, data, _overrides) {
         if (_overrides === null || _overrides === void 0 ? void 0 : _overrides.headers) {
             Object.assign(headers, _overrides.headers);
         }
-        // Writes (PUT/POST/DELETE) can take significantly longer than reads —
-        // server-side they may trigger ad-hoc LUT creation (create + extend +
-        // wait-for-finalization, ~15-30s on mainnet). Use a larger default for
-        // non-GET so the SDK doesn't time out before client-api responds.
-        const isRead = method.toUpperCase() === "GET";
-        const defaultTimeout = isRead ? 30000 : 90000;
         const requestConfig = {
             method,
             url: `${config.apiUrl}${urlPath.startsWith("/") ? urlPath : `/${urlPath}`}`,
             headers,
-            timeout: (_a = _overrides === null || _overrides === void 0 ? void 0 : _overrides.timeout) !== null && _a !== void 0 ? _a : defaultTimeout,
+            timeout: (_a = _overrides === null || _overrides === void 0 ? void 0 : _overrides.timeout) !== null && _a !== void 0 ? _a : 30000,
         };
         if (method !== "GET" && method !== "get") {
             requestConfig.data = data ? JSON.stringify(data) : {};
@@ -4281,38 +4288,21 @@ async function setMany(many, options) {
             setDocumentData: tx.transactionArgs.setDocumentData,
             deletePaths: tx.transactionArgs.deletePaths,
             idl: tx.idl,
-            txData: (_b = (_a = tx.txData) === null || _a === void 0 ? void 0 : _a.map((txData) => ({
-                pluginFunctionKey: txData.pluginFunctionKey,
-                txData: bufferExports.Buffer.from(txData.txData),
-                // raIndices is Vec<u8> on-chain (serialized as Buffer/bytes). The server may send
-                // it as a Buffer, a number[], a Uint8Array, or — over JSON — as Node's serialized
-                // Buffer shape {type: "Buffer", data: number[]} (the default `JSON.stringify(buf)`
-                // output). Normalise all of those to Buffer here. Each value must fit in u8 (matches
-                // Solana's instruction-level account indexing); throw clearly if anything is out of range.
-                raIndices: (() => {
-                    const raw = txData.raIndices;
-                    if (raw == null)
-                        return bufferExports.Buffer.alloc(0);
-                    if (bufferExports.Buffer.isBuffer(raw))
-                        return raw;
-                    if (raw instanceof Uint8Array)
-                        return bufferExports.Buffer.from(raw);
-                    // Node's JSON-serialised Buffer: {type: "Buffer", data: number[]}
-                    const arrayLike = Array.isArray(raw)
-                        ? raw
-                        : (raw && typeof raw === 'object' && Array.isArray(raw.data))
-                            ? raw.data
-                            : (() => { throw new Error(`raIndices has unexpected shape: ${typeof raw}`); })();
-                    const bytes = arrayLike.map((raIndex) => {
-                        const n = isHexString(raIndex) ? parseInt(raIndex, 16) : Number(raIndex);
-                        if (!Number.isInteger(n) || n < 0 || n > 255) {
-                            throw new Error(`raIndex ${raIndex} is not a valid u8 (must be integer in 0..255)`);
+            txData: (_b = (_a = tx.txData) === null || _a === void 0 ? void 0 : _a.map((txData) => {
+                var _a;
+                return ({
+                    pluginFunctionKey: txData.pluginFunctionKey,
+                    txData: bufferExports.Buffer.from(txData.txData),
+                    raIndices: (_a = txData.raIndices) === null || _a === void 0 ? void 0 : _a.map((raIndex) => {
+                        if (isHexString(raIndex)) {
+                            return new BN(raIndex, "hex");
                         }
-                        return n;
-                    });
-                    return bufferExports.Buffer.from(bytes);
-                })(),
-            }))) !== null && _b !== void 0 ? _b : [],
+                        else {
+                            return new BN(raIndex);
+                        }
+                    }),
+                });
+            })) !== null && _b !== void 0 ? _b : [],
         };
         const config = await getConfig();
         const solTransaction = {
@@ -5294,6 +5284,28 @@ class ReactNativeSessionManager {
     /* STORE                                                              */
     /* ------------------------------------------------------------------ */
     static async storeSession(address, accessToken, idToken, refreshToken) {
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave storage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({