@pooflabs/web 0.0.83 → 0.0.84

package/dist/{index-B7yaLhND.esm.js → index-XHbmzFFO.esm.js}

@@ -4,21 +4,6 @@ import * as anchor from '@coral-xyz/anchor';
 import { Program } from '@coral-xyz/anchor';
 import * as React$2 from 'react';
 
-function _mergeNamespaces(n, m) {
-	m.forEach(function (e) {
-		e && typeof e !== 'string' && !Array.isArray(e) && Object.keys(e).forEach(function (k) {
-			if (k !== 'default' && !(k in n)) {
-				var d = Object.getOwnPropertyDescriptor(e, k);
-				Object.defineProperty(n, k, d.get ? d : {
-					enumerable: true,
-					get: function () { return e[k]; }
-				});
-			}
-		});
-	});
-	return Object.freeze(n);
-}
-
 function getDefaultExportFromCjs$1 (x) {
 	return x && x.__esModule && Object.prototype.hasOwnProperty.call(x, 'default') ? x['default'] : x;
 }
@@ -6764,6 +6749,28 @@ class WebSessionManager {
     static async storeSession(address, accessToken, idToken, refreshToken) {
         if (typeof window === "undefined")
             return;
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave localStorage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -9462,11 +9469,11 @@ function requireSrc$1 () {
 }
 
 var bs58$1;
-var hasRequiredBs58$1;
+var hasRequiredBs58;
 
-function requireBs58$1 () {
-	if (hasRequiredBs58$1) return bs58$1;
-	hasRequiredBs58$1 = 1;
+function requireBs58 () {
+	if (hasRequiredBs58) return bs58$1;
+	hasRequiredBs58 = 1;
 	var basex = requireSrc$1();
 	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
 
@@ -9474,8 +9481,8 @@ function requireBs58$1 () {
 	return bs58$1;
 }
 
-var bs58Exports$1 = requireBs58$1();
-var bs58$2 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports$1);
+var bs58Exports = requireBs58();
+var bs58 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports);
 
 // ─────────────────────────────────────────────────────────────
 // Local implementation of getSimulationComputeUnits
@@ -9737,7 +9744,7 @@ function loadKeypairFromEnv() {
     try {
         const secretKey = secret.trim().startsWith("[")
             ? Uint8Array.from(JSON.parse(secret))
-            : bs58$2.decode(secret.trim());
+            : bs58.decode(secret.trim());
         return Keypair.fromSecretKey(secretKey);
     }
     catch (err) {
@@ -11682,6 +11689,28 @@ class ReactNativeSessionManager {
     /* STORE                                                              */
     /* ------------------------------------------------------------------ */
     static async storeSession(address, accessToken, idToken, refreshToken) {
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave storage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -15680,7 +15709,7 @@ async function loadDependencies() {
         const [reactModule, reactDomModule, phantomModule] = await Promise.all([
             import('react'),
             import('react-dom/client'),
-            import('./index-CP_wLmYu.esm.js')
+            import('./index-CH2G5Y9i.esm.js')
         ]);
         // Extract default export from ESM module namespace
         // Dynamic import() returns { default: Module, ...exports }, not the module directly
@@ -15826,6 +15855,17 @@ class PhantomWalletProvider {
             const isMobile = detectMobile();
             const hasPhantomInjected = discoveredWallets.some((w) => w.id === 'phantom');
             const showDeeplink = isMobile && sdkProviders.includes('deeplink') && !hasPhantomInjected;
+            // Treat MWA's own wallet-standard registrations as not-injected, so the MWA
+            // button still appears when only MWA is present (e.g. Android Chrome on Seeker).
+            const hasInjectedWallet = discoveredWallets.some((w) => {
+                var _a, _b;
+                const id = String((_a = w.id) !== null && _a !== void 0 ? _a : '').toLowerCase();
+                const name = String((_b = w.name) !== null && _b !== void 0 ? _b : '').toLowerCase();
+                return (id !== 'mobile-wallet-adapter' &&
+                    id !== 'remote-mobile-wallet-adapter' &&
+                    name !== 'mobile wallet adapter' &&
+                    name !== 'remote mobile wallet adapter');
+            });
             // Track previous modal state to detect closes
             const prevModalOpen = React$1.useRef(false);
             // Track when modal was closed because user selected a wallet (not dismissed)
@@ -15874,6 +15914,16 @@ class PhantomWalletProvider {
                     if (!(phantom === null || phantom === void 0 ? void 0 : phantom.isConnected) || (phantom === null || phantom === void 0 ? void 0 : phantom.isLoading) || that.loginInProgress || that.autoLoginInProgress || that.pendingLogin) {
                         return;
                     }
+                    // Don't clobber a session owned by MWA on Seeker. MWA marks the
+                    // auth method as soon as login starts (see solana-mobile-wallet-provider),
+                    // and clears it on logout, so this guard is correct in both
+                    // steady-state and post-logout cases.
+                    try {
+                        if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                            return;
+                        }
+                    }
+                    catch (_b) { }
                     // Need solana to be available AND connected for signing
                     if (!solana || !solanaHook.isAvailable || !solana.connected) {
                         return;
@@ -15903,12 +15953,21 @@ class PhantomWalletProvider {
                         const signatureBytes = signResult.signature;
                         const signature = bufferExports.Buffer.from(signatureBytes).toString('base64');
                         const createSessionResult = await createSessionWithSignature(publicKey, messageText, signature);
+                        // Pre-write guard: MWA may have started a login while we were
+                        // in flight. If MWA owns the auth method now, abort before we
+                        // overwrite its session (or its in-flight session).
+                        try {
+                            if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                                return;
+                            }
+                        }
+                        catch (_c) { }
                         await WebSessionManager.storeSession(publicKey, createSessionResult.accessToken, createSessionResult.idToken, createSessionResult.refreshToken);
                         // Mark auth method so clearIncompatibleSession() doesn't wipe this session
                         try {
                             getPlatform().storage.setItem('tarobase_last_auth_method', 'phantom');
                         }
-                        catch (_b) { }
+                        catch (_d) { }
                         setCurrentUser({ provider: that, address: publicKey });
                     }
                     catch (error) {
@@ -16264,8 +16323,9 @@ class PhantomWalletProvider {
                 }), 'Open Phantom app'));
             }
             // Mobile Wallet Adapter button — shown on Android when MWA callback is available
+            // and no injected wallet is present (hides button inside Phantom/Solflare/etc. in-app browsers).
             const isAndroid = detectAndroid();
-            if (isAndroid && that.onSwitchToMWA) {
+            if (isAndroid && that.onSwitchToMWA && !hasInjectedWallet) {
                 walletButtons.push(React$1.createElement('button', {
                     key: 'mobile-wallet',
                     style: buttonStyle('mobile-wallet'),
@@ -20307,26 +20367,16 @@ function requireSrc () {
 	return src;
 }
 
-var bs58;
-var hasRequiredBs58;
-
-function requireBs58 () {
-	if (hasRequiredBs58) return bs58;
-	hasRequiredBs58 = 1;
-	var basex = requireSrc();
-	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-
-	bs58 = basex(ALPHABET);
-	return bs58;
-}
+var srcExports = requireSrc();
+var basex = /*@__PURE__*/getDefaultExportFromCjs$1(srcExports);
 
-var bs58Exports = requireBs58();
-var base58 = /*@__PURE__*/getDefaultExportFromCjs$1(bs58Exports);
+var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+var base58 = basex(ALPHABET);
 
-var index = /*#__PURE__*/_mergeNamespaces({
+var index = /*#__PURE__*/Object.freeze({
 	__proto__: null,
 	default: base58
-}, [bs58Exports]);
+});
 
 const SURFNET_RPC_URL$1 = "https://surfpool.fly.dev";
 let React;
@@ -21240,7 +21290,7 @@ async function loadMwaProtocol() {
         return mwaProtocolLoadPromise;
     mwaProtocolLoadPromise = (async () => {
         try {
-            mwaProtocolModule = await import('./index.browser-vUinl_9y.esm.js');
+            mwaProtocolModule = await import('./index.browser-D8VWPXTZ.esm.js');
         }
         catch (e) {
             console.warn('[SolanaMobileWallet] @solana-mobile/mobile-wallet-adapter-protocol-web3js not installed. Install it to enable Seeker wallet support.');
@@ -21262,7 +21312,7 @@ async function registerMobileWalletAdapter(config) {
     if (typeof window === 'undefined')
         return;
     try {
-        const walletStandardMobile = await import('./index.browser-B_wQp2A8.esm.js');
+        const walletStandardMobile = await import('./index.browser-Cgj7Hs6n.esm.js');
         const registerMwa = walletStandardMobile.registerMwa || ((_a = walletStandardMobile.default) === null || _a === void 0 ? void 0 : _a.registerMwa);
         if (!registerMwa) {
             console.warn('[SolanaMobileWallet] registerMwa not found in @solana-mobile/wallet-standard-mobile');
@@ -21392,6 +21442,19 @@ class SolanaMobileWalletProvider {
     async login() {
         var _a, _b, _c, _d, _e;
         setAuthLoading(true);
+        // Mark the auth method early so a concurrent Phantom auto-create can see
+        // 'mobile-wallet-adapter' during our slow transact() / session-creation
+        // roundtrip and back off (see phantom-wallet-provider autoCreateSession).
+        // Capture the previous value so we can restore it if login fails.
+        let prevAuthMethod = null;
+        try {
+            prevAuthMethod = getPlatform().storage.getItem('tarobase_last_auth_method');
+        }
+        catch (_f) { }
+        try {
+            getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
+        }
+        catch (_g) { }
         try {
             await loadMwaProtocol();
             const { transact } = mwaProtocolModule;
@@ -21457,12 +21520,22 @@ class SolanaMobileWalletProvider {
             try {
                 getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
             }
-            catch (_f) { }
+            catch (_h) { }
             const user = { provider: this, address: result.base58Address };
             setCurrentUser(user);
             return user;
         }
         catch (error) {
+            // Restore the previous auth method since this login attempt failed.
+            try {
+                if (prevAuthMethod === null) {
+                    getPlatform().storage.removeItem('tarobase_last_auth_method');
+                }
+                else {
+                    getPlatform().storage.setItem('tarobase_last_auth_method', prevAuthMethod);
+                }
+            }
+            catch (_j) { }
             const isUserRejection = (error === null || error === void 0 ? void 0 : error.code) === 4001 ||
                 ((_a = error === null || error === void 0 ? void 0 : error.message) === null || _a === void 0 ? void 0 : _a.toLowerCase().includes('user rejected')) ||
                 ((_b = error === null || error === void 0 ? void 0 : error.message) === null || _b === void 0 ? void 0 : _b.toLowerCase().includes('user denied')) ||
@@ -21508,6 +21581,12 @@ class SolanaMobileWalletProvider {
         this.authorizedPublicKey = null;
         this.publicKeyObj = null;
         WebSessionManager.clearSession();
+        // Clear the auth-method marker so Phantom auto-create is unblocked
+        // for any subsequent fresh login on this device.
+        try {
+            getPlatform().storage.removeItem('tarobase_last_auth_method');
+        }
+        catch (_a) { }
         setCurrentUser(null);
     }
     async signMessage(message) {
@@ -22171,4 +22250,4 @@ class PrivyExpoProvider {
 }
 
 export { getCachedData as $, subscribe as A, useAuth as B, deserializeTransaction as C, getIdToken as D, setPlatform as E, getPlatform as F, PrivyWalletProvider as G, DEFAULT_TEST_ADDRESS as H, isMobileWalletAvailable as I, registerMobileWalletAdapter as J, PrivyExpoProvider as K, InsufficientBalanceError as L, MockAuthProvider as M, ServerSessionManager as N, OffchainAuthProvider as O, PhantomWalletProvider as P, buildSetDocumentsTransaction as Q, ReactNativeSessionManager as R, SolanaMobileWalletProvider as S, clearCache as T, closeAllSubscriptions as U, convertRemainingAccounts as V, WebSessionManager as W, createSessionWithPrivy as X, createSessionWithSignature as Y, genAuthNonce as Z, genSolanaMessage as _, base58 as a, getMany as a0, reconnectWithNewAuth as a1, refreshSession as a2, signSessionCreateMessage as a3, bufferExports as b, getCurrentUser as c, onAuthLoadingChanged as d, getAuthLoading as e, logout as f, getDefaultExportFromCjs$1 as g, getConfig as h, init as i, getAuthProvider as j, get as k, login as l, setMany as m, setFile as n, onAuthStateChanged as o, getFiles as p, runQueryMany as q, runQuery as r, set as s, runExpression as t, runExpressionMany as u, signMessage as v, signTransaction as w, signAndSubmitTransaction as x, count as y, aggregate as z };
-//# sourceMappingURL=index-B7yaLhND.esm.js.map
+//# sourceMappingURL=index-XHbmzFFO.esm.js.map