@pooflabs/web 0.0.83 → 0.0.84

package/dist/{index-DP0xF34Z.js → index-BPlF6-PQ.js}

@@ -22,21 +22,6 @@ function _interopNamespaceDefault(e) {
 	return Object.freeze(n);
 }
 
-function _mergeNamespaces(n, m) {
-	m.forEach(function (e) {
-		e && typeof e !== 'string' && !Array.isArray(e) && Object.keys(e).forEach(function (k) {
-			if (k !== 'default' && !(k in n)) {
-				var d = Object.getOwnPropertyDescriptor(e, k);
-				Object.defineProperty(n, k, d.get ? d : {
-					enumerable: true,
-					get: function () { return e[k]; }
-				});
-			}
-		});
-	});
-	return Object.freeze(n);
-}
-
 var anchor__namespace = /*#__PURE__*/_interopNamespaceDefault(anchor);
 var React__namespace = /*#__PURE__*/_interopNamespaceDefault(React$2);
 
@@ -6785,6 +6770,28 @@ class WebSessionManager {
     static async storeSession(address, accessToken, idToken, refreshToken) {
         if (typeof window === "undefined")
             return;
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave localStorage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -9483,11 +9490,11 @@ function requireSrc$1 () {
 }
 
 var bs58$1;
-var hasRequiredBs58$1;
+var hasRequiredBs58;
 
-function requireBs58$1 () {
-	if (hasRequiredBs58$1) return bs58$1;
-	hasRequiredBs58$1 = 1;
+function requireBs58 () {
+	if (hasRequiredBs58) return bs58$1;
+	hasRequiredBs58 = 1;
 	var basex = requireSrc$1();
 	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
 
@@ -9495,8 +9502,8 @@ function requireBs58$1 () {
 	return bs58$1;
 }
 
-var bs58Exports$1 = requireBs58$1();
-var bs58$2 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports$1);
+var bs58Exports = requireBs58();
+var bs58 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports);
 
 // ─────────────────────────────────────────────────────────────
 // Local implementation of getSimulationComputeUnits
@@ -9758,7 +9765,7 @@ function loadKeypairFromEnv() {
     try {
         const secretKey = secret.trim().startsWith("[")
             ? Uint8Array.from(JSON.parse(secret))
-            : bs58$2.decode(secret.trim());
+            : bs58.decode(secret.trim());
         return web3_js.Keypair.fromSecretKey(secretKey);
     }
     catch (err) {
@@ -11703,6 +11710,28 @@ class ReactNativeSessionManager {
     /* STORE                                                              */
     /* ------------------------------------------------------------------ */
     static async storeSession(address, accessToken, idToken, refreshToken) {
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave storage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -15701,7 +15730,7 @@ async function loadDependencies() {
         const [reactModule, reactDomModule, phantomModule] = await Promise.all([
             import('react'),
             import('react-dom/client'),
-            Promise.resolve().then(function () { return require('./index-FviRSm3S.js'); })
+            Promise.resolve().then(function () { return require('./index-BM6hgCdH.js'); })
         ]);
         // Extract default export from ESM module namespace
         // Dynamic import() returns { default: Module, ...exports }, not the module directly
@@ -15847,6 +15876,17 @@ class PhantomWalletProvider {
             const isMobile = detectMobile();
             const hasPhantomInjected = discoveredWallets.some((w) => w.id === 'phantom');
             const showDeeplink = isMobile && sdkProviders.includes('deeplink') && !hasPhantomInjected;
+            // Treat MWA's own wallet-standard registrations as not-injected, so the MWA
+            // button still appears when only MWA is present (e.g. Android Chrome on Seeker).
+            const hasInjectedWallet = discoveredWallets.some((w) => {
+                var _a, _b;
+                const id = String((_a = w.id) !== null && _a !== void 0 ? _a : '').toLowerCase();
+                const name = String((_b = w.name) !== null && _b !== void 0 ? _b : '').toLowerCase();
+                return (id !== 'mobile-wallet-adapter' &&
+                    id !== 'remote-mobile-wallet-adapter' &&
+                    name !== 'mobile wallet adapter' &&
+                    name !== 'remote mobile wallet adapter');
+            });
             // Track previous modal state to detect closes
             const prevModalOpen = React$1.useRef(false);
             // Track when modal was closed because user selected a wallet (not dismissed)
@@ -15895,6 +15935,16 @@ class PhantomWalletProvider {
                     if (!(phantom === null || phantom === void 0 ? void 0 : phantom.isConnected) || (phantom === null || phantom === void 0 ? void 0 : phantom.isLoading) || that.loginInProgress || that.autoLoginInProgress || that.pendingLogin) {
                         return;
                     }
+                    // Don't clobber a session owned by MWA on Seeker. MWA marks the
+                    // auth method as soon as login starts (see solana-mobile-wallet-provider),
+                    // and clears it on logout, so this guard is correct in both
+                    // steady-state and post-logout cases.
+                    try {
+                        if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                            return;
+                        }
+                    }
+                    catch (_b) { }
                     // Need solana to be available AND connected for signing
                     if (!solana || !solanaHook.isAvailable || !solana.connected) {
                         return;
@@ -15924,12 +15974,21 @@ class PhantomWalletProvider {
                         const signatureBytes = signResult.signature;
                         const signature = bufferExports.Buffer.from(signatureBytes).toString('base64');
                         const createSessionResult = await createSessionWithSignature(publicKey, messageText, signature);
+                        // Pre-write guard: MWA may have started a login while we were
+                        // in flight. If MWA owns the auth method now, abort before we
+                        // overwrite its session (or its in-flight session).
+                        try {
+                            if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                                return;
+                            }
+                        }
+                        catch (_c) { }
                         await WebSessionManager.storeSession(publicKey, createSessionResult.accessToken, createSessionResult.idToken, createSessionResult.refreshToken);
                         // Mark auth method so clearIncompatibleSession() doesn't wipe this session
                         try {
                             getPlatform().storage.setItem('tarobase_last_auth_method', 'phantom');
                         }
-                        catch (_b) { }
+                        catch (_d) { }
                         setCurrentUser({ provider: that, address: publicKey });
                     }
                     catch (error) {
@@ -16285,8 +16344,9 @@ class PhantomWalletProvider {
                 }), 'Open Phantom app'));
             }
             // Mobile Wallet Adapter button — shown on Android when MWA callback is available
+            // and no injected wallet is present (hides button inside Phantom/Solflare/etc. in-app browsers).
             const isAndroid = detectAndroid();
-            if (isAndroid && that.onSwitchToMWA) {
+            if (isAndroid && that.onSwitchToMWA && !hasInjectedWallet) {
                 walletButtons.push(React$1.createElement('button', {
                     key: 'mobile-wallet',
                     style: buttonStyle('mobile-wallet'),
@@ -20328,26 +20388,16 @@ function requireSrc () {
 	return src;
 }
 
-var bs58;
-var hasRequiredBs58;
-
-function requireBs58 () {
-	if (hasRequiredBs58) return bs58;
-	hasRequiredBs58 = 1;
-	var basex = requireSrc();
-	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-
-	bs58 = basex(ALPHABET);
-	return bs58;
-}
+var srcExports = requireSrc();
+var basex = /*@__PURE__*/getDefaultExportFromCjs$1(srcExports);
 
-var bs58Exports = requireBs58();
-var base58 = /*@__PURE__*/getDefaultExportFromCjs$1(bs58Exports);
+var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+var base58 = basex(ALPHABET);
 
-var index = /*#__PURE__*/_mergeNamespaces({
+var index = /*#__PURE__*/Object.freeze({
 	__proto__: null,
 	default: base58
-}, [bs58Exports]);
+});
 
 const SURFNET_RPC_URL$1 = "https://surfpool.fly.dev";
 let React;
@@ -21261,7 +21311,7 @@ async function loadMwaProtocol() {
         return mwaProtocolLoadPromise;
     mwaProtocolLoadPromise = (async () => {
         try {
-            mwaProtocolModule = await Promise.resolve().then(function () { return require('./index.browser-BhppfDyf.js'); });
+            mwaProtocolModule = await Promise.resolve().then(function () { return require('./index.browser-BvNsUWjt.js'); });
         }
         catch (e) {
             console.warn('[SolanaMobileWallet] @solana-mobile/mobile-wallet-adapter-protocol-web3js not installed. Install it to enable Seeker wallet support.');
@@ -21283,7 +21333,7 @@ async function registerMobileWalletAdapter(config) {
     if (typeof window === 'undefined')
         return;
     try {
-        const walletStandardMobile = await Promise.resolve().then(function () { return require('./index.browser-_zN3Uapq.js'); });
+        const walletStandardMobile = await Promise.resolve().then(function () { return require('./index.browser-C1QL04xM.js'); });
         const registerMwa = walletStandardMobile.registerMwa || ((_a = walletStandardMobile.default) === null || _a === void 0 ? void 0 : _a.registerMwa);
         if (!registerMwa) {
             console.warn('[SolanaMobileWallet] registerMwa not found in @solana-mobile/wallet-standard-mobile');
@@ -21413,6 +21463,19 @@ class SolanaMobileWalletProvider {
     async login() {
         var _a, _b, _c, _d, _e;
         setAuthLoading(true);
+        // Mark the auth method early so a concurrent Phantom auto-create can see
+        // 'mobile-wallet-adapter' during our slow transact() / session-creation
+        // roundtrip and back off (see phantom-wallet-provider autoCreateSession).
+        // Capture the previous value so we can restore it if login fails.
+        let prevAuthMethod = null;
+        try {
+            prevAuthMethod = getPlatform().storage.getItem('tarobase_last_auth_method');
+        }
+        catch (_f) { }
+        try {
+            getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
+        }
+        catch (_g) { }
         try {
             await loadMwaProtocol();
             const { transact } = mwaProtocolModule;
@@ -21478,12 +21541,22 @@ class SolanaMobileWalletProvider {
             try {
                 getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
             }
-            catch (_f) { }
+            catch (_h) { }
             const user = { provider: this, address: result.base58Address };
             setCurrentUser(user);
             return user;
         }
         catch (error) {
+            // Restore the previous auth method since this login attempt failed.
+            try {
+                if (prevAuthMethod === null) {
+                    getPlatform().storage.removeItem('tarobase_last_auth_method');
+                }
+                else {
+                    getPlatform().storage.setItem('tarobase_last_auth_method', prevAuthMethod);
+                }
+            }
+            catch (_j) { }
             const isUserRejection = (error === null || error === void 0 ? void 0 : error.code) === 4001 ||
                 ((_a = error === null || error === void 0 ? void 0 : error.message) === null || _a === void 0 ? void 0 : _a.toLowerCase().includes('user rejected')) ||
                 ((_b = error === null || error === void 0 ? void 0 : error.message) === null || _b === void 0 ? void 0 : _b.toLowerCase().includes('user denied')) ||
@@ -21529,6 +21602,12 @@ class SolanaMobileWalletProvider {
         this.authorizedPublicKey = null;
         this.publicKeyObj = null;
         WebSessionManager.clearSession();
+        // Clear the auth-method marker so Phantom auto-create is unblocked
+        // for any subsequent fresh login on this device.
+        try {
+            getPlatform().storage.removeItem('tarobase_last_auth_method');
+        }
+        catch (_a) { }
         setCurrentUser(null);
     }
     async signMessage(message) {
@@ -22249,4 +22328,4 @@ exports.signSessionCreateMessage = signSessionCreateMessage;
 exports.signTransaction = signTransaction;
 exports.subscribe = subscribe;
 exports.useAuth = useAuth;
-//# sourceMappingURL=index-DP0xF34Z.js.map
+//# sourceMappingURL=index-BPlF6-PQ.js.map