@pooflabs/web 0.0.47-rc.8 → 0.0.47

package/dist/auth/index.d.ts

@@ -13,5 +13,4 @@ export declare const SOLANA_MAINNET_RPC_URL = "https://celestia-cegncv-fast-main
 export declare const SURFNET_RPC_URL = "https://surfpool.fly.dev";
 export declare function getAuthProvider(config?: Partial<ClientConfig>): Promise<AuthProvider>;
 export declare function login(): Promise<User | null>;
-export declare function getCurrentAuthMethod(): string | null;
 export declare function logout(): Promise<void>;

package/dist/auth/providers/phantom-wallet-provider.d.ts

@@ -27,8 +27,6 @@ export declare class PhantomWalletProvider implements AuthProvider {
     private pendingLogin;
     private loginInProgress;
     private autoLoginInProgress;
-    /** Captured at construction time — true if the URL had Phantom OAuth callback params on page load */
-    private hadOAuthParamsOnLoad;
     private initPromise;
     /** Callback to swap to a Privy provider when the user clicks "Log in with Privy instead" */
     onSwitchToPrivy: (() => Promise<AuthProvider>) | null;
@@ -54,12 +52,6 @@ export declare class PhantomWalletProvider implements AuthProvider {
      */
     login(): Promise<User | null>;
     restoreSession(): Promise<User | null>;
-    /**
-     * Poll for the Tarobase session to be created after an OAuth redirect.
-     * The autoCreateSession React effect creates the session once the Phantom SDK
-     * finishes auto-connecting. We poll SessionManager until it appears or we time out.
-     */
-    private waitForOAuthSession;
     address(): Promise<string | null>;
     runTransaction(_evmTransactionData?: EVMTransaction, solTransactionData?: SolTransaction, options?: SetOptions): Promise<TransactionResult>;
     /**

package/dist/{index-BWUoa715.js → index-7SWQ00_t.js}

@@ -13051,302 +13051,9 @@ function requireBuffer () {
 
 var bufferExports = requireBuffer();
 
-/**
- * Popup Auth Bridge
- *
- * When the SDK runs inside an iframe, OAuth login (Google/Apple) fails because
- * Google blocks iframe rendering via X-Frame-Options. This module opens a popup
- * at the same origin, runs the full auth flow there, and signals back to the
- * iframe via localStorage events + postMessage.
- */
-const POPUP_URL_PARAM = '__tarobase_auth_popup';
-const POPUP_SESSION_KEY = 'tarobase_auth_popup_state';
-const AUTH_COMPLETE_KEY = 'tarobase_auth_complete';
-const POPUP_WINDOW_NAME = 'tarobase_auth';
-const POPUP_FEATURES = 'width=500,height=700,scrollbars=yes,resizable=yes';
-const POPUP_TIMEOUT_MS = 180000;
-const POPUP_POLL_INTERVAL_MS = 500;
-/** Check if the SDK is running inside an iframe */
-function isInIframe() {
-    if (typeof window === 'undefined')
-        return false;
-    try {
-        return window.self !== window.top;
-    }
-    catch (_a) {
-        // Cross-origin iframes throw when accessing window.top
-        return true;
-    }
-}
-/** Check if this window is an auth popup (first load via URL param, or post-redirect via sessionStorage) */
-function isAuthPopup() {
-    if (typeof window === 'undefined')
-        return false;
-    try {
-        const params = new URLSearchParams(window.location.search);
-        if (params.has(POPUP_URL_PARAM))
-            return true;
-    }
-    catch (_a) { }
-    try {
-        const state = sessionStorage.getItem(POPUP_SESSION_KEY);
-        return state === 'pending' || state === 'complete';
-    }
-    catch (_b) { }
-    return false;
-}
-/** Read the popup state from sessionStorage */
-function getPopupState() {
-    if (typeof window === 'undefined')
-        return null;
-    try {
-        return sessionStorage.getItem(POPUP_SESSION_KEY);
-    }
-    catch (_a) {
-        return null;
-    }
-}
-/** Write the popup state to sessionStorage */
-function setPopupState(state) {
-    if (typeof window === 'undefined')
-        return;
-    try {
-        if (state) {
-            sessionStorage.setItem(POPUP_SESSION_KEY, state);
-        }
-        else {
-            sessionStorage.removeItem(POPUP_SESSION_KEY);
-        }
-    }
-    catch (_a) { }
-}
-/** Remove the __tarobase_auth_popup param from the URL without a page reload */
-function cleanPopupParam() {
-    if (typeof window === 'undefined')
-        return;
-    try {
-        const url = new URL(window.location.href);
-        if (url.searchParams.has(POPUP_URL_PARAM)) {
-            url.searchParams.delete(POPUP_URL_PARAM);
-            window.history.replaceState({}, '', url.pathname + url.search + url.hash);
-        }
-    }
-    catch (_a) { }
-}
-/** Show a "Login complete, close this tab" fallback message */
-function showPopupCloseMessage() {
-    var _a, _b;
-    if (typeof document === 'undefined')
-        return;
-    const overlay = document.createElement('div');
-    overlay.id = 'tarobase-popup-close-msg';
-    overlay.style.cssText = [
-        'position:fixed', 'inset:0', 'z-index:2147483647',
-        'background:#000', 'display:flex', 'align-items:center',
-        'justify-content:center', 'flex-direction:column',
-        'font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif',
-    ].join(';');
-    overlay.innerHTML = `
-        <div style="text-align:center;color:white;">
-            <p style="font-size:18px;margin:0 0 8px;">Login complete</p>
-            <p style="font-size:14px;color:#999;margin:0;">You can close this tab and return to the app.</p>
-        </div>
-    `;
-    // Remove any existing overlay first
-    (_a = document.getElementById('tarobase-popup-overlay')) === null || _a === void 0 ? void 0 : _a.remove();
-    (_b = document.getElementById('tarobase-popup-close-msg')) === null || _b === void 0 ? void 0 : _b.remove();
-    document.body.appendChild(overlay);
-}
-/** Inject a dark overlay to hide the app UI in the popup (login modal appears on top) */
-function injectPopupOverlay() {
-    if (typeof document === 'undefined')
-        return;
-    const overlay = document.createElement('div');
-    overlay.id = 'tarobase-popup-overlay';
-    overlay.style.cssText = [
-        'position:fixed', 'inset:0', 'z-index:9998',
-        'background:rgba(0,0,0,0.85)', 'display:flex',
-        'align-items:center', 'justify-content:center',
-    ].join(';');
-    overlay.innerHTML = `
-        <div style="text-align:center;color:white;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;">
-            <p style="font-size:16px;margin:0 0 8px;">Loading login...</p>
-            <p style="font-size:13px;color:#999;margin:0;">Please wait</p>
-        </div>
-    `;
-    document.body.appendChild(overlay);
-}
-/**
- * Signal auth completion to the opener (iframe).
- * Uses both localStorage (reliable cross-tab) and postMessage (faster on desktop).
- */
-function signalAuthComplete(address) {
-    var _a;
-    if (typeof window === 'undefined')
-        return;
-    console.log('[PopupAuth] Signaling auth complete, address:', address);
-    const data = { type: 'TAROBASE_AUTH_COMPLETE', address, timestamp: Date.now() };
-    // Write to localStorage — fires 'storage' event in other same-origin windows
-    try {
-        localStorage.setItem(AUTH_COMPLETE_KEY, JSON.stringify(data));
-        console.log('[PopupAuth] Wrote signal to localStorage');
-    }
-    catch (_b) { }
-    // Also postMessage to opener (faster, backup)
-    try {
-        console.log('[PopupAuth] window.opener exists:', !!window.opener);
-        (_a = window.opener) === null || _a === void 0 ? void 0 : _a.postMessage(data, window.location.origin);
-    }
-    catch (_c) { }
-    // Update popup state
-    setPopupState('complete');
-    // Try to close the popup window
-    try {
-        window.close();
-    }
-    catch (_d) { }
-    // If window.close() didn't work (some mobile browsers block it after redirect),
-    // show a fallback message after a short delay
-    setTimeout(() => {
-        if (typeof window !== 'undefined' && !window.closed) {
-            showPopupCloseMessage();
-        }
-    }, 500);
-}
-/**
- * Open a popup for auth and wait for completion.
- * Returns the logged-in address when the popup signals success.
- */
-function loginViaPopup() {
-    console.log('[PopupAuth] loginViaPopup called, opening popup...');
-    return new Promise((resolve, reject) => {
-        if (typeof window === 'undefined') {
-            reject(new Error('Cannot open popup in non-browser environment'));
-            return;
-        }
-        // Build popup URL: same origin + path, preserve query params, add popup flag
-        const popupUrl = new URL(window.location.href);
-        popupUrl.searchParams.set(POPUP_URL_PARAM, '1');
-        console.log('[PopupAuth] Opening popup at:', popupUrl.toString());
-        const popup = window.open(popupUrl.toString(), POPUP_WINDOW_NAME, POPUP_FEATURES);
-        if (!popup || popup.closed) {
-            reject(new Error('Popup was blocked. Please allow popups for this site and try again.'));
-            return;
-        }
-        console.log('[PopupAuth] Popup opened successfully, waiting for auth signal...');
-        let resolved = false;
-        const cleanup = () => {
-            resolved = true;
-            window.removeEventListener('storage', onStorage);
-            window.removeEventListener('message', onMessage);
-            clearInterval(pollInterval);
-            clearTimeout(timeout);
-            // Clean up the signal key
-            try {
-                localStorage.removeItem(AUTH_COMPLETE_KEY);
-            }
-            catch (_a) { }
-        };
-        const complete = (address) => {
-            if (resolved)
-                return;
-            console.log('[PopupAuth] Auth complete! Address:', address);
-            cleanup();
-            resolve({ address });
-        };
-        const fail = (error) => {
-            if (resolved)
-                return;
-            console.log('[PopupAuth] Auth failed:', error.message);
-            cleanup();
-            reject(error);
-        };
-        // Listen for localStorage changes (cross-tab, same-origin — most reliable)
-        const onStorage = (event) => {
-            if (event.key === AUTH_COMPLETE_KEY && event.newValue) {
-                console.log('[PopupAuth] Received storage event signal');
-                try {
-                    const data = JSON.parse(event.newValue);
-                    if (data.address) {
-                        complete(data.address);
-                    }
-                }
-                catch (_a) { }
-            }
-        };
-        window.addEventListener('storage', onStorage);
-        // Listen for postMessage (backup, faster on desktop)
-        const onMessage = (event) => {
-            var _a, _b;
-            // Validate origin
-            if (event.origin !== window.location.origin)
-                return;
-            if (((_a = event.data) === null || _a === void 0 ? void 0 : _a.type) === 'TAROBASE_AUTH_COMPLETE' && ((_b = event.data) === null || _b === void 0 ? void 0 : _b.address)) {
-                console.log('[PopupAuth] Received postMessage signal');
-                complete(event.data.address);
-            }
-        };
-        window.addEventListener('message', onMessage);
-        // Poll for popup closed without completing auth.
-        // Also check localStorage directly on each tick — storage events may not fire
-        // if the popup closes too quickly after writing (browser tears down the context
-        // before dispatching the event to other browsing contexts).
-        const pollInterval = setInterval(() => {
-            try {
-                // Check localStorage directly for completion signal
-                try {
-                    const stored = localStorage.getItem(AUTH_COMPLETE_KEY);
-                    if (stored) {
-                        console.log('[PopupAuth] Found auth signal in localStorage (poll)');
-                        const data = JSON.parse(stored);
-                        if (data.address) {
-                            complete(data.address);
-                            return;
-                        }
-                    }
-                }
-                catch (_a) { }
-                if (popup.closed && !resolved) {
-                    console.log('[PopupAuth] Popup closed without auth signal');
-                    fail(new Error('User cancelled login'));
-                }
-            }
-            catch (_b) { }
-        }, POPUP_POLL_INTERVAL_MS);
-        // Safety timeout
-        const timeout = setTimeout(() => {
-            if (!resolved) {
-                fail(new Error('Login timed out'));
-                try {
-                    popup.close();
-                }
-                catch (_a) { }
-            }
-        }, POPUP_TIMEOUT_MS);
-    });
-}
-
 const VALID_PROVIDERS = ['injected', 'google', 'apple', 'deeplink'];
 // Storage key for preserving the original path before OAuth redirect
 const PHANTOM_ORIGINAL_PATH_KEY = 'phantom_oauth_original_path';
-// Cookie name for storing the return origin when using an OAuth redirect proxy
-const AUTH_RETURN_COOKIE = 'tarobase_auth_return';
-/**
- * Store the current origin in a cookie on the parent domain so an OAuth redirect
- * proxy page can relay back to this app after the OAuth flow completes.
- */
-function storeReturnOrigin() {
-    if (typeof window === 'undefined' || typeof document === 'undefined')
-        return;
-    const origin = window.location.origin;
-    // Derive parent domain (e.g., foo-preview.poof.new → .poof.new)
-    const parts = window.location.hostname.split('.');
-    const domain = parts.length >= 2 ? '.' + parts.slice(-2).join('.') : window.location.hostname;
-    try {
-        document.cookie = `${AUTH_RETURN_COOKIE}=${encodeURIComponent(origin)}; domain=${domain}; path=/; max-age=300; SameSite=None; Secure`;
-    }
-    catch (_a) { }
-}
 /**
  * Check if the current URL contains Phantom OAuth callback parameters.
  * Phantom uses various params like phantom_encryption_public_key, data, nonce for deeplink callbacks,
@@ -13470,15 +13177,6 @@ function getEffectiveRedirectUrl(configuredRedirectUrl) {
     }
     // If explicitly configured, use that
     if (configuredRedirectUrl) {
-        // If redirecting to a different origin (proxy), store a cookie so the
-        // proxy page knows where to relay the OAuth params back to
-        try {
-            const redirectOrigin = new URL(configuredRedirectUrl).origin;
-            if (redirectOrigin !== window.location.origin) {
-                storeReturnOrigin();
-            }
-        }
-        catch (_a) { }
         return configuredRedirectUrl;
     }
     // Default to origin (base URL) - this is safer than using the full href
@@ -13505,7 +13203,7 @@ async function loadDependencies() {
         const [reactModule, reactDomModule, phantomModule] = await Promise.all([
             import('react'),
             import('react-dom/client'),
-            Promise.resolve().then(function () { return require('./index-Ckn51oy3.js'); })
+            Promise.resolve().then(function () { return require('./index-BEla3UUZ.js'); })
         ]);
         // Extract default export from ESM module namespace
         // Dynamic import() returns { default: Module, ...exports }, not the module directly
@@ -13525,8 +13223,6 @@ class PhantomWalletProvider {
         this.pendingLogin = null;
         this.loginInProgress = false;
         this.autoLoginInProgress = false;
-        /** Captured at construction time — true if the URL had Phantom OAuth callback params on page load */
-        this.hadOAuthParamsOnLoad = false;
         this.initPromise = null;
         /** Callback to swap to a Privy provider when the user clicks "Log in with Privy instead" */
         this.onSwitchToPrivy = null;
@@ -13539,11 +13235,6 @@ class PhantomWalletProvider {
         if (PhantomWalletProvider.instance) {
             return PhantomWalletProvider.instance;
         }
-        // Capture OAuth params BEFORE Phantom SDK loads and cleans them from the URL
-        this.hadOAuthParamsOnLoad = hasPhantomOAuthParams();
-        if (this.hadOAuthParamsOnLoad) {
-            console.log('[PhantomAuth] OAuth callback params detected in URL at construction time');
-        }
         // Resolve providers from config (doesn't need SDK)
         this.resolveProviders();
         // Start async initialization (load SDK and initialize React component)
@@ -13644,32 +13335,18 @@ class PhantomWalletProvider {
             // This handles social login callbacks where user returns from OAuth already connected.
             React$1.useEffect(() => {
                 const autoCreateSession = async () => {
-                    var _a, _b;
+                    var _a;
                     // Only proceed when SDK is ready, connected, has addresses, and not already in a login flow
                     if (!(phantom === null || phantom === void 0 ? void 0 : phantom.isConnected) || (phantom === null || phantom === void 0 ? void 0 : phantom.isLoading) || that.loginInProgress || that.autoLoginInProgress || that.pendingLogin) {
-                        console.log('[PhantomAuth] autoCreateSession skipped:', {
-                            isConnected: phantom === null || phantom === void 0 ? void 0 : phantom.isConnected,
-                            isLoading: phantom === null || phantom === void 0 ? void 0 : phantom.isLoading,
-                            loginInProgress: that.loginInProgress,
-                            autoLoginInProgress: that.autoLoginInProgress,
-                            hasPendingLogin: !!that.pendingLogin,
-                        });
                         return;
                     }
                     // Need solana to be available AND connected for signing
                     if (!solana || !solanaHook.isAvailable || !solana.connected) {
-                        console.log('[PhantomAuth] autoCreateSession waiting for solana:', {
-                            hasSolana: !!solana,
-                            isAvailable: solanaHook.isAvailable,
-                            connected: solana === null || solana === void 0 ? void 0 : solana.connected,
-                        });
                         return;
                     }
-                    console.log('[PhantomAuth] autoCreateSession proceeding, addresses:', (_a = phantom.addresses) === null || _a === void 0 ? void 0 : _a.length);
                     // Find Solana address
-                    const solAddress = (_b = phantom.addresses) === null || _b === void 0 ? void 0 : _b.find((addr) => addr.addressType === AddressType.solana);
+                    const solAddress = (_a = phantom.addresses) === null || _a === void 0 ? void 0 : _a.find((addr) => addr.addressType === AddressType.solana);
                     if (!solAddress) {
-                        console.log('[PhantomAuth] autoCreateSession: no Solana address found');
                         return;
                     }
                     const publicKey = solAddress.address;
@@ -13718,7 +13395,6 @@ class PhantomWalletProvider {
                         }
                     }
                     catch (error) {
-                        console.error('[PhantomAuth] autoCreateSession error:', (error === null || error === void 0 ? void 0 : error.message) || error);
                         // User rejected signing or other error - disconnect fully
                         // Clear stored path since login failed
                         getAndClearOriginalPath();
@@ -14029,10 +13705,8 @@ class PhantomWalletProvider {
             this.pendingLogin = { resolve, reject };
             this.loginInProgress = true;
             // Store current path before OAuth redirect (for social login providers)
-            // so we can redirect back after auth completes.
-            // Skip in popup context — we don't want to navigate the popup after OAuth
-            // redirect; the popup signals back to the iframe and closes instead.
-            if (this.hasSocialProviders() && !isAuthPopup()) {
+            // so we can redirect back after auth completes
+            if (this.hasSocialProviders()) {
                 storeOriginalPath();
             }
             // Open the Phantom connect modal
@@ -14053,46 +13727,8 @@ class PhantomWalletProvider {
         if (session) {
             return { provider: this, address: session.address };
         }
-        // If this page load is a Phantom OAuth callback (e.g., returning from Google/Apple),
-        // the Phantom SDK auto-connects via React useEffect which runs AFTER init() returns.
-        // The autoCreateSession effect then creates the Tarobase session.
-        // Wait for that to complete before returning null, otherwise the caller sees
-        // no session and may trigger premature logout.
-        // Note: We use hadOAuthParamsOnLoad (captured in constructor) because the Phantom SDK
-        // may have already cleaned the OAuth params from the URL by this point.
-        if (this.hadOAuthParamsOnLoad) {
-            console.log('[PhantomAuth] OAuth params detected on page load, waiting for session...');
-            return this.waitForOAuthSession(15000);
-        }
         return null;
     }
-    /**
-     * Poll for the Tarobase session to be created after an OAuth redirect.
-     * The autoCreateSession React effect creates the session once the Phantom SDK
-     * finishes auto-connecting. We poll SessionManager until it appears or we time out.
-     */
-    waitForOAuthSession(timeoutMs) {
-        return new Promise((resolve) => {
-            const startTime = Date.now();
-            const check = async () => {
-                const session = await WebSessionManager.getSession();
-                if (session) {
-                    console.log('[PhantomAuth] OAuth session created, address:', session.address);
-                    resolve({ provider: this, address: session.address });
-                    return;
-                }
-                const elapsed = Date.now() - startTime;
-                if (elapsed > timeoutMs) {
-                    console.log('[PhantomAuth] OAuth session wait timed out after', elapsed, 'ms');
-                    resolve(null);
-                    return;
-                }
-                setTimeout(check, 200);
-            };
-            // Small initial delay to let React effects fire
-            setTimeout(check, 300);
-        });
-    }
     async address() {
         var _a, _b, _c, _d;
         await this.ensureReady();
@@ -34708,6 +34344,9 @@ async function getAuthProvider(config) {
         console.log("[Offchain] Wrapping auth provider for Poofnet transaction tracking");
         currentAuthProvider = new OffchainAuthProvider(currentAuthProvider);
     }
+    // Update core config to reflect the actual auth method being used
+    const coreConfig = await getConfig();
+    coreConfig.authMethod = authMethod;
     return currentAuthProvider;
 }
 async function login$1() {
@@ -34729,9 +34368,6 @@ async function login$1() {
     }
     return null;
 }
-function getCurrentAuthMethod() {
-    return currentAuthMethod;
-}
 async function logout$1() {
     if (!currentAuthProvider) {
         throw new Error("Auth provider not initialized. Please call init() first.");
@@ -34755,12 +34391,6 @@ async function init(newConfig) {
     authProviderInstance = await getAuthProvider(newConfig);
     // Initialize config with auth provider
     await init$1(Object.assign(Object.assign({}, newConfig), { authProvider: authProviderInstance }));
-    // Now that core is initialized, update the auth method on the config
-    const authMethod = getCurrentAuthMethod();
-    if (authMethod) {
-        const coreConfig = await getConfig();
-        coreConfig.authMethod = authMethod;
-    }
     // Wait for restoreSession to complete
     // The appId check is done in SessionManager.getSession which is called by restoreSession
     // If there's an appId mismatch, the session will be cleared and restoreSession will return null
@@ -34773,36 +34403,6 @@ async function init(newConfig) {
     setCurrentUser(user);
     // Mark init as completed
     initCompleted = true;
-    // Handle auth popup context (this window was opened by the SDK for iframe auth)
-    if (isAuthPopup()) {
-        cleanPopupParam();
-        const state = getPopupState();
-        if (state === 'complete')
-            return; // Already signaled
-        injectPopupOverlay();
-        // Listen for auth completion (handles post-OAuth-redirect auto-connect)
-        onAuthStateChanged((popupUser) => {
-            if (popupUser && getPopupState() !== 'complete') {
-                setPopupState('complete');
-                signalAuthComplete(popupUser.address);
-            }
-        });
-        if (!state) {
-            // First load of popup — trigger login automatically
-            setPopupState('pending');
-            if (!currentUser) {
-                login().then((u) => {
-                    if (u && getPopupState() !== 'complete') {
-                        setPopupState('complete');
-                        signalAuthComplete(u.address);
-                    }
-                }).catch(() => {
-                    // User cancelled or error — popup stays open, user can close it
-                });
-            }
-        }
-        // If state === 'pending': post-OAuth redirect — wait for auto-connect via onAuthStateChanged
-    }
 }
 // TODO: Have a way to remove listeners
 function onAuthStateChanged(callback) {
@@ -34830,19 +34430,6 @@ async function login() {
     if (!authProviderInstance) {
         throw new Error('SDK not initialized. Please call init() first.');
     }
-    // If running inside an iframe, use popup bridge for auth
-    // (OAuth redirects are blocked in iframes by Google/Apple X-Frame-Options)
-    if (isInIframe() && !isAuthPopup()) {
-        console.log('[PopupAuth] In iframe, using popup bridge for login');
-        const result = await loginViaPopup();
-        console.log('[PopupAuth] Popup resolved with address:', result.address);
-        // Session tokens are now in shared localStorage (written by popup, same origin)
-        console.log('[PopupAuth] Calling restoreSession...');
-        const user = await authProviderInstance.restoreSession();
-        console.log('[PopupAuth] restoreSession returned:', user ? user.address : null);
-        setCurrentUser(user);
-        return currentUser;
-    }
     const loggedInUser = await login$1();
     setCurrentUser(loggedInUser);
     return currentUser;
@@ -34994,4 +34581,4 @@ exports.signSessionCreateMessage = signSessionCreateMessage;
 exports.signTransaction = signTransaction;
 exports.subscribe = subscribe;
 exports.useAuth = useAuth;
-//# sourceMappingURL=index-BWUoa715.js.map
+//# sourceMappingURL=index-7SWQ00_t.js.map