@sparkvault/sdk 1.21.6 → 1.21.8

package/dist/identity/api.d.ts

@@ -28,12 +28,15 @@ export declare class IdentityApi {
     /**
      * Fetch SDK configuration (branding, enabled methods).
      * Uses caching to avoid redundant requests - safe to call multiple times.
+     * If a cached request failed (e.g., transient network error during preload),
+     * clears the cache and retries to avoid permanently caching a rejected promise.
      */
     getConfig(): Promise<SdkConfig>;
     /**
      * Preload the SDK configuration in the background.
      * Called on SDK init when preloadConfig is enabled.
      * The result is cached and used when verify() is called.
+     * If preload fails, getConfig() will clear the cache and retry.
      */
     preloadConfig(): void;
     /**

package/dist/identity/renderer.d.ts

@@ -34,6 +34,12 @@ export declare class IdentityRenderer {
      * Otherwise shows loading state while fetching config.
      */
     start(): Promise<void>;
+    /**
+     * Fetch config with a single retry on network errors.
+     * Handles transient failures common during subdomain switches
+     * (DNS resolution, connection setup, Safari ITP).
+     */
+    private fetchConfigWithRetry;
     /**
      * Close the modal and clean up.
      * Cancels all pending API requests to prevent orphaned operations.

package/dist/identity/utils.d.ts

@@ -7,6 +7,15 @@
 export { CooldownTimer, ExpirationTimer } from './utils/cooldown-timer';
 export type { CooldownTimerConfig, ExpirationTimerConfig } from './utils/cooldown-timer';
 export { arrayBufferToBase64url, base64urlToArrayBuffer, base64urlToString, } from '../utils/base64url';
+/**
+ * Extract the root (registrable) domain from a hostname for cross-subdomain cookies.
+ * Returns the domain prefixed with a dot (e.g., ".client.com") or null when
+ * the domain attribute should not be set (localhost, IP addresses).
+ *
+ * @param hostname - The hostname to extract the root domain from
+ * @returns Root domain with leading dot, or null
+ */
+export declare function getRootDomain(hostname: string): string | null;
 /**
  * Get cookie value by name
  * @param name - Cookie name
@@ -14,7 +23,10 @@ export { arrayBufferToBase64url, base64urlToArrayBuffer, base64urlToString, } fr
  */
 export declare function getCookie(name: string): string | null;
 /**
- * Set cookie with expiration
+ * Set cookie with expiration on the root domain for cross-subdomain access.
+ * The domain is automatically extracted from the current hostname and prefixed
+ * with a dot (e.g., ".client.com") so the cookie is shared across all subdomains.
+ *
  * @param name - Cookie name
  * @param value - Cookie value
  * @param days - Days until expiration

package/dist/sparkvault.cjs.js

@@ -269,6 +269,7 @@ class HttpClient {
     }
     async parseResponse(response) {
         // Handle empty responses (204 No Content, etc.)
+        // Callers expecting no body should use <void> as the generic type parameter.
         const contentLength = response.headers.get('content-length');
         if (response.status === 204 || contentLength === '0') {
             return null;
@@ -543,6 +544,57 @@ function base64urlToString(base64url) {
  * Consolidates duplicated logic from renderer, api, and index.
  */
 // Re-export timer utilities
+/**
+ * Common multi-part public suffixes where the last two labels form the TLD.
+ * Domains under these suffixes need three labels for a valid registrable domain
+ * (e.g., "app.client.co.uk" → registrable domain is "client.co.uk").
+ */
+const MULTI_PART_TLDS = new Set([
+    'co.uk', 'co.jp', 'co.kr', 'co.nz', 'co.za', 'co.in', 'co.id', 'co.th',
+    'com.au', 'com.br', 'com.cn', 'com.mx', 'com.sg', 'com.tw', 'com.hk',
+    'com.ar', 'com.co', 'com.my', 'com.ph', 'com.pk', 'com.tr', 'com.ua',
+    'com.vn', 'com.ng', 'com.eg', 'com.sa', 'com.pe', 'com.ec',
+    'net.au', 'net.br', 'net.cn', 'net.nz',
+    'org.au', 'org.br', 'org.cn', 'org.nz', 'org.uk',
+    'ac.uk', 'gov.uk', 'ac.jp', 'ne.jp', 'or.jp',
+    'ac.kr', 'go.kr', 'or.kr',
+    'ac.nz', 'govt.nz',
+    'ac.za', 'gov.za',
+    'ac.in', 'gov.in', 'net.in', 'org.in',
+]);
+/**
+ * Extract the root (registrable) domain from a hostname for cross-subdomain cookies.
+ * Returns the domain prefixed with a dot (e.g., ".client.com") or null when
+ * the domain attribute should not be set (localhost, IP addresses).
+ *
+ * @param hostname - The hostname to extract the root domain from
+ * @returns Root domain with leading dot, or null
+ */
+function getRootDomain(hostname) {
+    // Localhost — browsers reject domain attribute for localhost
+    if (hostname === 'localhost' || hostname === '127.0.0.1')
+        return null;
+    // IPv4 addresses
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname))
+        return null;
+    // IPv6 addresses
+    if (hostname.includes(':'))
+        return null;
+    const parts = hostname.split('.');
+    // Single-label hostnames (no dots)
+    if (parts.length <= 1)
+        return null;
+    // Two-part domain (e.g., "client.com") — already the root
+    if (parts.length === 2)
+        return `.${hostname}`;
+    // Check for multi-part TLD (e.g., "co.uk" in "app.client.co.uk")
+    const lastTwo = parts.slice(-2).join('.');
+    if (MULTI_PART_TLDS.has(lastTwo) && parts.length >= 3) {
+        return `.${parts.slice(-3).join('.')}`;
+    }
+    // Standard TLD — root domain is last two parts (e.g., "app.client.com" → ".client.com")
+    return `.${lastTwo}`;
+}
 /**
  * Get cookie value by name
  * @param name - Cookie name
@@ -553,7 +605,10 @@ function getCookie(name) {
     return match ? match[2] : null;
 }
 /**
- * Set cookie with expiration
+ * Set cookie with expiration on the root domain for cross-subdomain access.
+ * The domain is automatically extracted from the current hostname and prefixed
+ * with a dot (e.g., ".client.com") so the cookie is shared across all subdomains.
+ *
  * @param name - Cookie name
  * @param value - Cookie value
  * @param days - Days until expiration
@@ -562,7 +617,9 @@ function setCookie(name, value, days) {
     const date = new Date();
     date.setTime(date.getTime() + days * 24 * 60 * 60 * 1000);
     const expires = `expires=${date.toUTCString()}`;
-    document.cookie = `${name}=${value}; ${expires}; path=/; SameSite=Lax`;
+    const domain = getRootDomain(window.location.hostname);
+    const domainAttr = domain ? `; domain=${domain}` : '';
+    document.cookie = `${name}=${value}; ${expires}; path=/${domainAttr}; SameSite=Lax`;
 }
 /**
  * Generate cryptographically secure random state string
@@ -614,9 +671,11 @@ class IdentityApi {
         }
         const url = `${this.baseUrl}${endpoint}`;
         const headers = {
-            'Content-Type': 'application/json',
             'Accept': 'application/json',
         };
+        if (body) {
+            headers['Content-Type'] = 'application/json';
+        }
         // Create abort controller for request timeout
         const timeoutController = new AbortController();
         const timeoutId = setTimeout(() => timeoutController.abort(), this.timeoutMs);
@@ -655,15 +714,28 @@ class IdentityApi {
             return (json.data ?? json);
         }
         catch (error) {
-            // Convert AbortError to a more descriptive error
-            if (error instanceof Error && error.name === 'AbortError') {
+            // Convert AbortError to a more descriptive error.
+            // Check error.name directly (DOMException may not extend Error in all environments).
+            if (error != null && typeof error === 'object' && 'name' in error && error.name === 'AbortError') {
                 // Check which signal triggered the abort
                 if (this.closeController.signal.aborted) {
                     throw new IdentityApiError('Request cancelled', 'cancelled', 0);
                 }
                 throw new IdentityApiError('Request timed out', 'timeout', 0);
             }
-            throw error;
+            // Convert TypeError to a user-friendly network error.
+            // WebKit (Safari/iOS) throws TypeError("Load failed"),
+            // Chrome/Firefox throw TypeError("Failed to fetch")
+            // when fetch() fails at the browser level (network error, CORS, DNS, etc.).
+            if (error instanceof TypeError) {
+                throw new IdentityApiError('Unable to connect. Please check your connection and try again.', 'network_error', 0);
+            }
+            // Re-throw IdentityApiError as-is (already has user-friendly message)
+            if (error instanceof IdentityApiError) {
+                throw error;
+            }
+            // Convert any other unexpected errors to a structured error
+            throw new IdentityApiError(error instanceof Error ? error.message : 'An unexpected error occurred', 'unknown_error', 0);
         }
         finally {
             clearTimeout(timeoutId);
@@ -672,21 +744,34 @@ class IdentityApi {
     /**
      * Fetch SDK configuration (branding, enabled methods).
      * Uses caching to avoid redundant requests - safe to call multiple times.
+     * If a cached request failed (e.g., transient network error during preload),
+     * clears the cache and retries to avoid permanently caching a rejected promise.
      */
     async getConfig() {
         if (!this.configCache) {
             this.configCache = this.request('GET', '/config');
         }
-        return this.configCache;
+        try {
+            return await this.configCache;
+        }
+        catch (error) {
+            // Clear failed cache so the next call retries instead of returning
+            // the same rejected promise. This handles transient network failures
+            // (e.g., "Load failed" in Safari) that occurred during preloadConfig().
+            this.configCache = null;
+            throw error;
+        }
     }
     /**
      * Preload the SDK configuration in the background.
      * Called on SDK init when preloadConfig is enabled.
      * The result is cached and used when verify() is called.
+     * If preload fails, getConfig() will clear the cache and retry.
      */
     preloadConfig() {
         if (!this.configCache) {
-            // Fire and forget - errors are handled when getConfig() is awaited
+            // Fire and forget - errors are handled when getConfig() is awaited.
+            // If this fails, getConfig() clears the cache and retries.
             this.configCache = this.request('GET', '/config');
         }
     }
@@ -4415,7 +4500,7 @@ class IdentityRenderer {
             if (!config) {
                 // Config not ready yet - show loading and await it
                 this.setState({ view: 'loading' });
-                config = await this.api.getConfig();
+                config = await this.fetchConfigWithRetry();
             }
             this.verificationState.setConfig(config);
             // Update modal header with branding if provided
@@ -4441,6 +4526,27 @@ class IdentityRenderer {
             this.handleErrorWithRecovery(error, 'config_error');
         }
     }
+    /**
+     * Fetch config with a single retry on network errors.
+     * Handles transient failures common during subdomain switches
+     * (DNS resolution, connection setup, Safari ITP).
+     */
+    async fetchConfigWithRetry() {
+        try {
+            return await this.api.getConfig();
+        }
+        catch (error) {
+            // Only retry on network errors (not API errors like 404, 500, etc.)
+            const isNetworkError = error instanceof IdentityApiError && error.code === 'network_error';
+            if (!isNetworkError) {
+                throw error;
+            }
+            // Wait briefly before retry (exponential backoff: 1s)
+            await new Promise((resolve) => setTimeout(resolve, 1000));
+            // Retry once - getConfig() will clear the failed cache and make a fresh request
+            return this.api.getConfig();
+        }
+    }
     /**
      * Close the modal and clean up.
      * Cancels all pending API requests to prevent orphaned operations.