@subwallet/extension-base 1.3.74-1 → 1.3.75-2

package/background/KoniTypes.d.ts

@@ -397,6 +397,9 @@ export declare type RequestSaveBrowserConfig = {
 export declare type RequestSaveOSConfig = {
     osConfig: OSConfig;
 };
+export interface RequestSaveSubscanApiKey {
+    apiKey: string;
+}
 export interface RandomTestRequest {
     start: number;
     end: number;
@@ -1976,6 +1979,8 @@ export interface KoniRequestSignatures {
     'pri(settings.saveAppConfig)': [RequestSaveAppConfig, boolean];
     'pri(settings.saveBrowserConfig)': [RequestSaveBrowserConfig, boolean];
     'pri(settings.saveOSConfig)': [RequestSaveOSConfig, boolean];
+    'pri(settings.saveSubscanApiKey)': [RequestSaveSubscanApiKey, boolean];
+    'pri(settings.getSubscanApiKey)': [null, string | null];
     'pri(yield.subscribePoolInfo)': [null, YieldPoolInfo[], YieldPoolInfo[]];
     'pri(yield.subscribeYieldPosition)': [null, YieldPositionInfo[], YieldPositionInfo[]];
     'pri(yield.subscribeYieldReward)': [null, EarningRewardJson, EarningRewardJson];

package/cjs/constants/environment.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.isProductionMode = exports.SW_EXTERNAL_SERVICES_API = exports.BACKEND_API_URL = exports.APP_VERSION = void 0;
+exports.isProductionMode = exports.SW_EXTERNAL_SERVICES_API = exports.SUBSCAN_GATEWAY_URL = exports.BACKEND_API_URL = exports.APP_VERSION = void 0;
 // Copyright 2019-2022 @subwallet/extension-base authors & contributors
 // SPDX-License-Identifier: Apache-2.0
 
@@ -16,4 +16,6 @@ exports.isProductionMode = isProductionMode;
 const BACKEND_API_URL = process.env.SUBWALLET_API || (isProductionMode ? 'https://sw-services.subwallet.app/api' : 'https://be-dev.subwallet.app/api');
 exports.BACKEND_API_URL = BACKEND_API_URL;
 const SW_EXTERNAL_SERVICES_API = process.env.SW_EXTERNAL_SERVICES_API || (isProductionMode ? 'https://external-services.subwallet.app' : 'https://external-services-dev.subwallet.app');
-exports.SW_EXTERNAL_SERVICES_API = SW_EXTERNAL_SERVICES_API;
+exports.SW_EXTERNAL_SERVICES_API = SW_EXTERNAL_SERVICES_API;
+const SUBSCAN_GATEWAY_URL = process.env.SUBSCAN_GATEWAY_URL || 'https://gateway-dev.konistudio.xyz';
+exports.SUBSCAN_GATEWAY_URL = SUBSCAN_GATEWAY_URL;

package/cjs/koni/background/handlers/Extension.js

@@ -3884,14 +3884,23 @@ class KoniExtension {
     this.#koniState.saveEnvConfig('osConfig', request.osConfig);
     return true;
   }
+  async saveSubscanApiKey(_ref60) {
+    let {
+      apiKey
+    } = _ref60;
+    return await this.#koniState.saveSubscanApiKey(apiKey);
+  }
+  async getSubscanApiKey() {
+    return await this.#koniState.getSubscanApiKey();
+  }
 
   /// Wallet connect
 
   // Connect
-  async connectWalletConnect(_ref60) {
+  async connectWalletConnect(_ref61) {
     let {
       uri
-    } = _ref60;
+    } = _ref61;
     await this.#koniState.walletConnectService.connect(uri);
     return true;
   }
@@ -3904,11 +3913,11 @@ class KoniExtension {
     });
     return this.#koniState.requestService.allConnectWCRequests;
   }
-  async approveWalletConnectSession(_ref61) {
+  async approveWalletConnectSession(_ref62) {
     let {
       accounts: selectedAccounts,
       id
-    } = _ref61;
+    } = _ref62;
     const request = this.#koniState.requestService.getConnectWCRequest(id);
     if ((0, _helpers2.isProposalExpired)(request.request.params)) {
       throw new Error('The proposal has been expired');
@@ -3920,8 +3929,8 @@ class KoniExtension {
     const availableNamespaces = {};
     const namespaces = {};
     const chainInfoMap = this.#koniState.getChainInfoMap();
-    Object.entries(requiredNamespaces).forEach(_ref62 => {
-      let [key, namespace] = _ref62;
+    Object.entries(requiredNamespaces).forEach(_ref63 => {
+      let [key, namespace] = _ref63;
       if ((0, _helpers2.isSupportWalletConnectNamespace)(key)) {
         if (namespace.chains) {
           const unSupportChains = namespace.chains.filter(chain => !(0, _helpers2.isSupportWalletConnectChain)(chain, chainInfoMap));
@@ -3934,8 +3943,8 @@ class KoniExtension {
         throw new Error((0, _utils1.getSdkError)('UNSUPPORTED_NAMESPACE_KEY').message + ' ' + key);
       }
     });
-    Object.entries(optionalNamespaces).forEach(_ref63 => {
-      let [key, namespace] = _ref63;
+    Object.entries(optionalNamespaces).forEach(_ref64 => {
+      let [key, namespace] = _ref64;
       if ((0, _helpers2.isSupportWalletConnectNamespace)(key)) {
         if (namespace.chains) {
           const supportChains = namespace.chains.filter(chain => (0, _helpers2.isSupportWalletConnectChain)(chain, chainInfoMap)) || [];
@@ -3959,8 +3968,8 @@ class KoniExtension {
         }
       }
     });
-    Object.entries(availableNamespaces).forEach(_ref64 => {
-      let [key, namespace] = _ref64;
+    Object.entries(availableNamespaces).forEach(_ref65 => {
+      let [key, namespace] = _ref65;
       if (namespace.chains) {
         const accounts = selectedAccounts.filter(address => {
           const [_namespace] = address.split(':');
@@ -3984,10 +3993,10 @@ class KoniExtension {
     request.resolve();
     return true;
   }
-  async rejectWalletConnectSession(_ref65) {
+  async rejectWalletConnectSession(_ref66) {
     let {
       id
-    } = _ref65;
+    } = _ref66;
     const request = this.#koniState.requestService.getConnectWCRequest(id);
     const wcId = request.request.id;
     if ((0, _helpers2.isProposalExpired)(request.request.params)) {
@@ -4009,10 +4018,10 @@ class KoniExtension {
     });
     return this.#koniState.walletConnectService.sessions;
   }
-  async disconnectWalletConnectSession(_ref66) {
+  async disconnectWalletConnectSession(_ref67) {
     let {
       topic
-    } = _ref66;
+    } = _ref67;
     await this.#koniState.walletConnectService.disconnect(topic);
     return true;
   }
@@ -4025,18 +4034,18 @@ class KoniExtension {
     });
     return this.#koniState.requestService.allNotSupportWCRequests;
   }
-  approveWalletConnectNotSupport(_ref67) {
+  approveWalletConnectNotSupport(_ref68) {
     let {
       id
-    } = _ref67;
+    } = _ref68;
     const request = this.#koniState.requestService.getNotSupportWCRequest(id);
     request.resolve();
     return true;
   }
-  rejectWalletConnectNotSupport(_ref68) {
+  rejectWalletConnectNotSupport(_ref69) {
     let {
       id
-    } = _ref68;
+    } = _ref69;
     const request = this.#koniState.requestService.getNotSupportWCRequest(id);
     request.reject(new Error('USER_REJECTED'));
     return true;
@@ -4044,11 +4053,11 @@ class KoniExtension {
 
   /// Manta
 
-  async enableMantaPay(_ref69) {
+  async enableMantaPay(_ref70) {
     let {
       address,
       password
-    } = _ref69;
+    } = _ref70;
     // always takes the current account
     function timeout() {
       return new Promise(resolve => setTimeout(resolve, 1500));
@@ -4138,11 +4147,11 @@ class KoniExtension {
   async disableMantaPay(address) {
     return this.#koniState.disableMantaPay(address);
   }
-  async isTonBounceableAddress(_ref70) {
+  async isTonBounceableAddress(_ref71) {
     let {
       address,
       chain
-    } = _ref70;
+    } = _ref71;
     try {
       const tonApi = this.#koniState.getTonApi(chain);
       const state = await tonApi.getAccountState(address);
@@ -4188,10 +4197,10 @@ class KoniExtension {
 
   /* Metadata */
 
-  async findRawMetadata(_ref71) {
+  async findRawMetadata(_ref72) {
     let {
       genesisHash
-    } = _ref71;
+    } = _ref72;
     const {
       metadata,
       specVersion,
@@ -4205,20 +4214,20 @@ class KoniExtension {
       userExtensions
     };
   }
-  async calculateMetadataHash(_ref72) {
+  async calculateMetadataHash(_ref73) {
     let {
       chain
-    } = _ref72;
+    } = _ref73;
     const hash = await this.#koniState.calculateMetadataHash(chain);
     return {
       metadataHash: hash || ''
     };
   }
-  async shortenMetadata(_ref73) {
+  async shortenMetadata(_ref74) {
     let {
       chain,
       txBlob
-    } = _ref73;
+    } = _ref74;
     const shorten = await this.#koniState.shortenMetadata(chain, txBlob);
     return {
       txMetadata: shorten || ''
@@ -4595,18 +4604,18 @@ class KoniExtension {
 
   /* Campaign */
 
-  unlockDotCheckCanMint(_ref74) {
+  unlockDotCheckCanMint(_ref75) {
     let {
       address,
       network,
       slug
-    } = _ref74;
+    } = _ref75;
     return this.#koniState.mintCampaignService.unlockDotCampaign.canMint(address, slug, network);
   }
-  unlockDotSubscribeMintedData(id, port, _ref75) {
+  unlockDotSubscribeMintedData(id, port, _ref76) {
     let {
       transactionId
-    } = _ref75;
+    } = _ref76;
     const cb = (0, _subscriptions.createSubscription)(id, port);
     const subscription = this.#koniState.mintCampaignService.unlockDotCampaign.subscribeMintedNft(transactionId, cb);
     this.createUnsubscriptionHandle(id, subscription.unsubscribe);
@@ -4638,10 +4647,10 @@ class KoniExtension {
     });
     return filterBanner(await this.#koniState.campaignService.getProcessingCampaign());
   }
-  async completeCampaignBanner(_ref76) {
+  async completeCampaignBanner(_ref77) {
     let {
       slug
-    } = _ref76;
+    } = _ref77;
     const campaign = await this.#koniState.dbService.getCampaign(slug);
     if (campaign) {
       await this.#koniState.dbService.upsertCampaign({
@@ -5176,8 +5185,8 @@ class KoniExtension {
                         resolve();
                       }
                     };
-                    this.#koniState.balanceService.subscribeTransferableBalance(address, waitXcmData.chain, waitXcmData.token, waitXcmData.nextTxType, onRs).then(_ref77 => {
-                      let [_unsub, rs] = _ref77;
+                    this.#koniState.balanceService.subscribeTransferableBalance(address, waitXcmData.chain, waitXcmData.token, waitXcmData.nextTxType, onRs).then(_ref78 => {
+                      let [_unsub, rs] = _ref78;
                       unsub = _unsub;
                       onRs(rs);
                     }).catch(console.error);
@@ -5838,6 +5847,10 @@ class KoniExtension {
         return this.saveBrowserConfig(request);
       case 'pri(settings.saveOSConfig)':
         return this.saveOSConfig(request);
+      case 'pri(settings.saveSubscanApiKey)':
+        return await this.saveSubscanApiKey(request);
+      case 'pri(settings.getSubscanApiKey)':
+        return await this.getSubscanApiKey();
 
       /// Keyring state
       case 'pri(keyring.subscribe)':

package/cjs/koni/background/handlers/State.js

@@ -69,6 +69,8 @@ function _interopRequireWildcard(e, t) { if ("function" == typeof WeakMap) var r
 // eslint-disable-next-line @typescript-eslint/no-var-requires,@typescript-eslint/no-unsafe-assignment
 const passworder = require('browser-passworder');
 const ERROR_CONFIRMATION_TYPE = ['errorConnectNetwork'];
+const SUBSCAN_API_KEY_STORAGE = 'subscan_api_key';
+const SUBSCAN_SECRET_STORAGE = 'subscan_secret';
 
 // List of providers passed into constructor. This is the list of providers
 // exposed by the extension.
@@ -228,6 +230,8 @@ class KoniState {
   }
   afterChainServiceInit() {
     this.subscanService.setSubscanChainMap(this.chainService.getSubscanChainMap());
+    // Sync Subscan API key
+    this.syncSubscanApiKey().catch(console.error);
   }
   async init() {
     await this.eventService.waitCryptoReady;
@@ -1612,6 +1616,84 @@ class KoniState {
       return null;
     }
   }
+  async getExtensionSecret() {
+    const result = await _storage.SWStorage.instance.getItem(SUBSCAN_SECRET_STORAGE);
+    let secret = result;
+    if (!secret) {
+      secret = crypto.randomUUID();
+      await _storage.SWStorage.instance.setItem(SUBSCAN_SECRET_STORAGE, secret);
+    }
+    return secret;
+  }
+
+  // Generate password used to encrypt/decrypt Subscan API key
+  // Password = extensionId + extension secret
+  // -> Bind encrypted data to THIS extension instance
+  // -> Prevent other extensions/apps from decrypting the stored API key
+  async getSubscanApiCipherPassword() {
+    var _chrome, _chrome$runtime;
+    const secret = await this.getExtensionSecret();
+    const extensionId = ((_chrome = chrome) === null || _chrome === void 0 ? void 0 : (_chrome$runtime = _chrome.runtime) === null || _chrome$runtime === void 0 ? void 0 : _chrome$runtime.id) || 'subwallet';
+    return `${extensionId}:${secret}`;
+  }
+  async saveSubscanApiKey(apiKey) {
+    try {
+      // Get cipher password used for encryption
+      const cipherPassword = await this.getSubscanApiCipherPassword();
+
+      // Encrypt API key before saving to storage
+      // -> Avoid storing API key as plain text
+      // -> Prevent leakage if storage is inspected
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call,@typescript-eslint/no-unsafe-member-access,@typescript-eslint/no-unsafe-assignment
+      const encryptedData = await passworder.encrypt(cipherPassword, {
+        apiKey
+      });
+
+      // Persist encrypted API key to extension storage
+      await _storage.SWStorage.instance.setItem(SUBSCAN_API_KEY_STORAGE, JSON.stringify(encryptedData));
+
+      // Sync API key to Subscan service instance
+      // -> Ensure API calls immediately use the latest key
+      await this.syncSubscanApiKey();
+      return true;
+    } catch (e) {
+      console.error(e);
+      return false;
+    }
+  }
+  async getSubscanApiKey() {
+    try {
+      // Read encrypted API key from storage
+      const encryptedData = await _storage.SWStorage.instance.getItem(SUBSCAN_API_KEY_STORAGE);
+      if (!encryptedData) {
+        return null;
+      }
+
+      // Recreate cipher password for decryption
+      const cipherPassword = await this.getSubscanApiCipherPassword();
+
+      // Decrypt stored API key
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call,@typescript-eslint/no-unsafe-member-access,@typescript-eslint/no-unsafe-assignment
+      const decryptedData = await passworder.decrypt(cipherPassword, JSON.parse(encryptedData));
+
+      // Return API key if exists
+      return decryptedData.apiKey || null;
+    } catch (e) {
+      console.error(e);
+      return null;
+    }
+  }
+
+  // Sync decrypted API key to Subscan service
+  // -> Allows service layer to use API key for authenticated requests
+  async syncSubscanApiKey() {
+    try {
+      const apiKey = await this.getSubscanApiKey();
+      this.subscanService.setApiKey(apiKey);
+    } catch (e) {
+      console.error('Failed to sync Subscan API key:', e);
+    }
+  }
   onCheckToRemindUser() {
     this.onHandleRemindExportAccount().catch(console.error);
   }

package/cjs/packageInfo.js

@@ -13,6 +13,6 @@ const packageInfo = {
   name: '@subwallet/extension-base',
   path: typeof __dirname === 'string' ? __dirname : 'auto',
   type: 'cjs',
-  version: '1.3.74-1'
+  version: '1.3.75-2'
 };
 exports.packageInfo = packageInfo;

package/cjs/services/subscan-service/index.js

@@ -5,7 +5,8 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.SubscanService = void 0;
 var _SWError = require("@subwallet/extension-base/background/errors/SWError");
-var _constants = require("@subwallet/extension-base/koni/api/nft/ordinal_nft/constants");
+var _constants = require("@subwallet/extension-base/constants");
+var _constants2 = require("@subwallet/extension-base/koni/api/nft/ordinal_nft/constants");
 var _subscanChainMap = require("@subwallet/extension-base/services/subscan-service/subscan-chain-map");
 var _base = require("@subwallet/extension-base/strategy/api-request-strategy/context/base");
 var _apiRequestStrategyV = require("@subwallet/extension-base/strategy/api-request-strategy-v2");
@@ -15,11 +16,15 @@ var _utils = require("@subwallet/extension-base/utils");
 
 const QUERY_ROW = 100;
 class SubscanService extends _apiRequestStrategyV.BaseApiRequestStrategyV2 {
+  apiKey = null;
   constructor(subscanChainMap, options) {
     const context = new _base.BaseApiRequestContext(options);
     super(context);
     this.subscanChainMap = subscanChainMap;
   }
+  setApiKey(key) {
+    this.apiKey = key;
+  }
   getApiUrl(chain, path) {
     const subscanChain = this.subscanChainMap[chain];
     if (!subscanChain) {
@@ -28,11 +33,26 @@ class SubscanService extends _apiRequestStrategyV.BaseApiRequestStrategyV2 {
     return `https://${subscanChain}.api.subscan.io/${path}`;
   }
   postRequest(url, body) {
+    const parsed = new URL(url);
+    const headers = {
+      'Content-Type': 'application/json'
+    };
+    if (this.apiKey) {
+      headers['X-API-Key'] = this.apiKey;
+    }
+    if (_utils.targetIsWeb) {
+      const suffix = '.api.subscan.io';
+      const subscanChain = parsed.hostname.endsWith(suffix) ? parsed.hostname.slice(0, -suffix.length) : parsed.hostname;
+      headers['x-network'] = subscanChain;
+      return fetch(`${_constants.SUBSCAN_GATEWAY_URL}${parsed.pathname}${parsed.search}`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(body)
+      });
+    }
     return fetch(url, {
       method: 'POST',
-      headers: {
-        'Content-Type': 'application/json'
-      },
+      headers,
       body: JSON.stringify(body)
     });
   }
@@ -244,7 +264,7 @@ class SubscanService extends _apiRequestStrategyV.BaseApiRequestStrategyV2 {
   getAccountRemarkEvents(groupId, chain, address) {
     return this.addRequest(async () => {
       const rs = await this.postRequest(this.getApiUrl(chain, 'api/v2/scan/events'), {
-        ..._constants.BASE_FETCH_ORDINAL_EVENT_DATA,
+        ..._constants2.BASE_FETCH_ORDINAL_EVENT_DATA,
         address
       });
       if (rs.status !== 200) {
@@ -272,7 +292,15 @@ class SubscanService extends _apiRequestStrategyV.BaseApiRequestStrategyV2 {
 
   static getInstance() {
     if (!SubscanService._instance) {
-      SubscanService._instance = new SubscanService(_subscanChainMap.SUBSCAN_API_CHAIN_MAP);
+      // Subscan API allows only ~2 requests per second.
+      // However, each request from the webapp also triggers an OPTIONS request (CORS preflight),
+      // which Subscan counts towards the quota as well → effectively 1 call = 2 requests.
+      // To avoid hitting the rate limit, we configure the queue
+      // to allow only 1 request per second.
+      SubscanService._instance = new SubscanService(_subscanChainMap.SUBSCAN_API_CHAIN_MAP, {
+        limitRate: 1,
+        intervalCheck: 1000
+      });
     }
     return SubscanService._instance;
   }

package/constants/environment.d.ts

@@ -2,3 +2,4 @@ export declare const APP_VERSION: string;
 export declare const isProductionMode: boolean;
 export declare const BACKEND_API_URL: string;
 export declare const SW_EXTERNAL_SERVICES_API: string;
+export declare const SUBSCAN_GATEWAY_URL: string;

package/constants/environment.js

@@ -6,4 +6,5 @@ const branchName = process.env.BRANCH_NAME || 'subwallet-dev';
 export const APP_VERSION = process.env.PKG_VERSION || '';
 export const isProductionMode = PRODUCTION_BRANCHES.indexOf(branchName) > -1;
 export const BACKEND_API_URL = process.env.SUBWALLET_API || (isProductionMode ? 'https://sw-services.subwallet.app/api' : 'https://be-dev.subwallet.app/api');
-export const SW_EXTERNAL_SERVICES_API = process.env.SW_EXTERNAL_SERVICES_API || (isProductionMode ? 'https://external-services.subwallet.app' : 'https://external-services-dev.subwallet.app');
+export const SW_EXTERNAL_SERVICES_API = process.env.SW_EXTERNAL_SERVICES_API || (isProductionMode ? 'https://external-services.subwallet.app' : 'https://external-services-dev.subwallet.app');
+export const SUBSCAN_GATEWAY_URL = process.env.SUBSCAN_GATEWAY_URL || 'https://gateway-dev.konistudio.xyz';

package/koni/background/handlers/Extension.d.ts

@@ -225,6 +225,8 @@ export default class KoniExtension {
     private saveAppConfig;
     private saveBrowserConfig;
     private saveOSConfig;
+    private saveSubscanApiKey;
+    private getSubscanApiKey;
     private connectWalletConnect;
     private connectWCSubscribe;
     private approveWalletConnectSession;

package/koni/background/handlers/Extension.js

@@ -3806,6 +3806,14 @@ export default class KoniExtension {
     this.#koniState.saveEnvConfig('osConfig', request.osConfig);
     return true;
   }
+  async saveSubscanApiKey({
+    apiKey
+  }) {
+    return await this.#koniState.saveSubscanApiKey(apiKey);
+  }
+  async getSubscanApiKey() {
+    return await this.#koniState.getSubscanApiKey();
+  }
 
   /// Wallet connect
 
@@ -5741,6 +5749,10 @@ export default class KoniExtension {
         return this.saveBrowserConfig(request);
       case 'pri(settings.saveOSConfig)':
         return this.saveOSConfig(request);
+      case 'pri(settings.saveSubscanApiKey)':
+        return await this.saveSubscanApiKey(request);
+      case 'pri(settings.getSubscanApiKey)':
+        return await this.getSubscanApiKey();
 
       /// Keyring state
       case 'pri(keyring.subscribe)':

package/koni/background/handlers/State.d.ts

@@ -252,6 +252,11 @@ export default class KoniState {
     private onHandleRemindExportAccount;
     setStorageFromWS({ key, value }: StorageDataInterface): Promise<boolean>;
     getStorageFromWS(key: string): Promise<string | null>;
+    private getExtensionSecret;
+    private getSubscanApiCipherPassword;
+    saveSubscanApiKey(apiKey: string): Promise<boolean>;
+    getSubscanApiKey(): Promise<string | null>;
+    private syncSubscanApiKey;
     onCheckToRemindUser(): void;
     onInstall(): void;
     get activeNetworks(): Record<string, _ChainInfo>;

package/koni/background/handlers/State.js

@@ -62,6 +62,8 @@ import { KoniSubscription } from "../subscription.js";
 // eslint-disable-next-line @typescript-eslint/no-var-requires,@typescript-eslint/no-unsafe-assignment
 const passworder = require('browser-passworder');
 const ERROR_CONFIRMATION_TYPE = ['errorConnectNetwork'];
+const SUBSCAN_API_KEY_STORAGE = 'subscan_api_key';
+const SUBSCAN_SECRET_STORAGE = 'subscan_secret';
 
 // List of providers passed into constructor. This is the list of providers
 // exposed by the extension.
@@ -219,6 +221,8 @@ export default class KoniState {
   }
   afterChainServiceInit() {
     this.subscanService.setSubscanChainMap(this.chainService.getSubscanChainMap());
+    // Sync Subscan API key
+    this.syncSubscanApiKey().catch(console.error);
   }
   async init() {
     await this.eventService.waitCryptoReady;
@@ -1581,6 +1585,84 @@ export default class KoniState {
       return null;
     }
   }
+  async getExtensionSecret() {
+    const result = await SWStorage.instance.getItem(SUBSCAN_SECRET_STORAGE);
+    let secret = result;
+    if (!secret) {
+      secret = crypto.randomUUID();
+      await SWStorage.instance.setItem(SUBSCAN_SECRET_STORAGE, secret);
+    }
+    return secret;
+  }
+
+  // Generate password used to encrypt/decrypt Subscan API key
+  // Password = extensionId + extension secret
+  // -> Bind encrypted data to THIS extension instance
+  // -> Prevent other extensions/apps from decrypting the stored API key
+  async getSubscanApiCipherPassword() {
+    var _chrome, _chrome$runtime;
+    const secret = await this.getExtensionSecret();
+    const extensionId = ((_chrome = chrome) === null || _chrome === void 0 ? void 0 : (_chrome$runtime = _chrome.runtime) === null || _chrome$runtime === void 0 ? void 0 : _chrome$runtime.id) || 'subwallet';
+    return `${extensionId}:${secret}`;
+  }
+  async saveSubscanApiKey(apiKey) {
+    try {
+      // Get cipher password used for encryption
+      const cipherPassword = await this.getSubscanApiCipherPassword();
+
+      // Encrypt API key before saving to storage
+      // -> Avoid storing API key as plain text
+      // -> Prevent leakage if storage is inspected
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call,@typescript-eslint/no-unsafe-member-access,@typescript-eslint/no-unsafe-assignment
+      const encryptedData = await passworder.encrypt(cipherPassword, {
+        apiKey
+      });
+
+      // Persist encrypted API key to extension storage
+      await SWStorage.instance.setItem(SUBSCAN_API_KEY_STORAGE, JSON.stringify(encryptedData));
+
+      // Sync API key to Subscan service instance
+      // -> Ensure API calls immediately use the latest key
+      await this.syncSubscanApiKey();
+      return true;
+    } catch (e) {
+      console.error(e);
+      return false;
+    }
+  }
+  async getSubscanApiKey() {
+    try {
+      // Read encrypted API key from storage
+      const encryptedData = await SWStorage.instance.getItem(SUBSCAN_API_KEY_STORAGE);
+      if (!encryptedData) {
+        return null;
+      }
+
+      // Recreate cipher password for decryption
+      const cipherPassword = await this.getSubscanApiCipherPassword();
+
+      // Decrypt stored API key
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call,@typescript-eslint/no-unsafe-member-access,@typescript-eslint/no-unsafe-assignment
+      const decryptedData = await passworder.decrypt(cipherPassword, JSON.parse(encryptedData));
+
+      // Return API key if exists
+      return decryptedData.apiKey || null;
+    } catch (e) {
+      console.error(e);
+      return null;
+    }
+  }
+
+  // Sync decrypted API key to Subscan service
+  // -> Allows service layer to use API key for authenticated requests
+  async syncSubscanApiKey() {
+    try {
+      const apiKey = await this.getSubscanApiKey();
+      this.subscanService.setApiKey(apiKey);
+    } catch (e) {
+      console.error('Failed to sync Subscan API key:', e);
+    }
+  }
   onCheckToRemindUser() {
     this.onHandleRemindExportAccount().catch(console.error);
   }

package/package.json

@@ -17,7 +17,7 @@
     "./cjs/detectPackage.js"
   ],
   "type": "module",
-  "version": "1.3.74-1",
+  "version": "1.3.75-2",
   "main": "./cjs/index.js",
   "module": "./index.js",
   "types": "./index.d.ts",
@@ -3009,10 +3009,10 @@
     "@substrate/connect": "^0.8.9",
     "@subwallet-monorepos/subwallet-services-sdk": "0.1.16",
     "@subwallet/chain-list": "0.2.124",
-    "@subwallet/extension-base": "^1.3.74-1",
-    "@subwallet/extension-chains": "^1.3.74-1",
-    "@subwallet/extension-dapp": "^1.3.74-1",
-    "@subwallet/extension-inject": "^1.3.74-1",
+    "@subwallet/extension-base": "^1.3.75-2",
+    "@subwallet/extension-chains": "^1.3.75-2",
+    "@subwallet/extension-dapp": "^1.3.75-2",
+    "@subwallet/extension-inject": "^1.3.75-2",
     "@subwallet/keyring": "^0.1.14",
     "@subwallet/ui-keyring": "^0.1.14",
     "@ton/core": "^0.56.3",

package/packageInfo.js

@@ -7,5 +7,5 @@ export const packageInfo = {
   name: '@subwallet/extension-base',
   path: (import.meta && import.meta.url) ? new URL(import.meta.url).pathname.substring(0, new URL(import.meta.url).pathname.lastIndexOf('/') + 1) : 'auto',
   type: 'esm',
-  version: '1.3.74-1'
+  version: '1.3.75-2'
 };

package/services/subscan-service/index.d.ts

@@ -4,7 +4,9 @@ import { BaseApiRequestStrategyV2 } from '@subwallet/extension-base/strategy/api
 import { SubscanEventBaseItemData, SubscanExtrinsicParam } from '@subwallet/extension-base/types';
 export declare class SubscanService extends BaseApiRequestStrategyV2 {
     private subscanChainMap;
+    private apiKey;
     constructor(subscanChainMap: Record<string, string>, options?: Partial<ApiRequestContextProps>);
+    setApiKey(key: string | null): void;
     private getApiUrl;
     private postRequest;
     isRateLimited(e: Error): boolean;

package/services/subscan-service/index.js

@@ -2,18 +2,23 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import { SWError } from '@subwallet/extension-base/background/errors/SWError';
+import { SUBSCAN_GATEWAY_URL } from '@subwallet/extension-base/constants';
 import { BASE_FETCH_ORDINAL_EVENT_DATA } from '@subwallet/extension-base/koni/api/nft/ordinal_nft/constants';
 import { SUBSCAN_API_CHAIN_MAP } from '@subwallet/extension-base/services/subscan-service/subscan-chain-map';
 import { BaseApiRequestContext } from '@subwallet/extension-base/strategy/api-request-strategy/context/base';
 import { BaseApiRequestStrategyV2 } from '@subwallet/extension-base/strategy/api-request-strategy-v2';
-import { wait } from '@subwallet/extension-base/utils';
+import { targetIsWeb, wait } from '@subwallet/extension-base/utils';
 const QUERY_ROW = 100;
 export class SubscanService extends BaseApiRequestStrategyV2 {
+  apiKey = null;
   constructor(subscanChainMap, options) {
     const context = new BaseApiRequestContext(options);
     super(context);
     this.subscanChainMap = subscanChainMap;
   }
+  setApiKey(key) {
+    this.apiKey = key;
+  }
   getApiUrl(chain, path) {
     const subscanChain = this.subscanChainMap[chain];
     if (!subscanChain) {
@@ -22,11 +27,26 @@ export class SubscanService extends BaseApiRequestStrategyV2 {
     return `https://${subscanChain}.api.subscan.io/${path}`;
   }
   postRequest(url, body) {
+    const parsed = new URL(url);
+    const headers = {
+      'Content-Type': 'application/json'
+    };
+    if (this.apiKey) {
+      headers['X-API-Key'] = this.apiKey;
+    }
+    if (targetIsWeb) {
+      const suffix = '.api.subscan.io';
+      const subscanChain = parsed.hostname.endsWith(suffix) ? parsed.hostname.slice(0, -suffix.length) : parsed.hostname;
+      headers['x-network'] = subscanChain;
+      return fetch(`${SUBSCAN_GATEWAY_URL}${parsed.pathname}${parsed.search}`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(body)
+      });
+    }
     return fetch(url, {
       method: 'POST',
-      headers: {
-        'Content-Type': 'application/json'
-      },
+      headers,
       body: JSON.stringify(body)
     });
   }
@@ -256,7 +276,15 @@ export class SubscanService extends BaseApiRequestStrategyV2 {
 
   static getInstance() {
     if (!SubscanService._instance) {
-      SubscanService._instance = new SubscanService(SUBSCAN_API_CHAIN_MAP);
+      // Subscan API allows only ~2 requests per second.
+      // However, each request from the webapp also triggers an OPTIONS request (CORS preflight),
+      // which Subscan counts towards the quota as well → effectively 1 call = 2 requests.
+      // To avoid hitting the rate limit, we configure the queue
+      // to allow only 1 request per second.
+      SubscanService._instance = new SubscanService(SUBSCAN_API_CHAIN_MAP, {
+        limitRate: 1,
+        intervalCheck: 1000
+      });
     }
     return SubscanService._instance;
   }