@pooflabs/core 0.0.47 → 0.0.48
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +44 -0
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +44 -0
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
package/dist/index.mjs
CHANGED
|
@@ -376,6 +376,28 @@ class WebSessionManager {
|
|
|
376
376
|
static async storeSession(address, accessToken, idToken, refreshToken) {
|
|
377
377
|
if (typeof window === "undefined")
|
|
378
378
|
return;
|
|
379
|
+
// JWT-wallet binding: refuse to store a session whose idToken is bound
|
|
380
|
+
// to a different wallet than `address`. Prevents races that would otherwise
|
|
381
|
+
// leave localStorage with mismatched address/token state.
|
|
382
|
+
try {
|
|
383
|
+
const payloadB64 = idToken.split(".")[1];
|
|
384
|
+
if (payloadB64) {
|
|
385
|
+
const payload = JSON.parse(this.decodeBase64Url(payloadB64));
|
|
386
|
+
const tokenWallet = payload["custom:walletAddress"];
|
|
387
|
+
if (tokenWallet && tokenWallet !== address) {
|
|
388
|
+
throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
|
|
389
|
+
}
|
|
390
|
+
if (!tokenWallet) {
|
|
391
|
+
console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
|
|
392
|
+
}
|
|
393
|
+
}
|
|
394
|
+
}
|
|
395
|
+
catch (err) {
|
|
396
|
+
if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
|
|
397
|
+
throw err;
|
|
398
|
+
}
|
|
399
|
+
console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
|
|
400
|
+
}
|
|
379
401
|
const config = await getConfig();
|
|
380
402
|
const currentAppId = config.appId;
|
|
381
403
|
localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
|
|
@@ -5294,6 +5316,28 @@ class ReactNativeSessionManager {
|
|
|
5294
5316
|
/* STORE */
|
|
5295
5317
|
/* ------------------------------------------------------------------ */
|
|
5296
5318
|
static async storeSession(address, accessToken, idToken, refreshToken) {
|
|
5319
|
+
// JWT-wallet binding: refuse to store a session whose idToken is bound
|
|
5320
|
+
// to a different wallet than `address`. Prevents races that would otherwise
|
|
5321
|
+
// leave storage with mismatched address/token state.
|
|
5322
|
+
try {
|
|
5323
|
+
const payloadB64 = idToken.split(".")[1];
|
|
5324
|
+
if (payloadB64) {
|
|
5325
|
+
const payload = JSON.parse(this.decodeBase64Url(payloadB64));
|
|
5326
|
+
const tokenWallet = payload["custom:walletAddress"];
|
|
5327
|
+
if (tokenWallet && tokenWallet !== address) {
|
|
5328
|
+
throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
|
|
5329
|
+
}
|
|
5330
|
+
if (!tokenWallet) {
|
|
5331
|
+
console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
|
|
5332
|
+
}
|
|
5333
|
+
}
|
|
5334
|
+
}
|
|
5335
|
+
catch (err) {
|
|
5336
|
+
if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
|
|
5337
|
+
throw err;
|
|
5338
|
+
}
|
|
5339
|
+
console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
|
|
5340
|
+
}
|
|
5297
5341
|
const config = await getConfig();
|
|
5298
5342
|
const currentAppId = config.appId;
|
|
5299
5343
|
this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
|