@swype-org/react-sdk 0.1.86 → 0.1.87

package/dist/index.d.cts

@@ -189,11 +189,13 @@ interface UserConfig {
     passkey?: {
         credentialId: string;
         publicKey: string;
+        lastVerificationToken?: string | null;
     } | null;
     /** All registered WebAuthn passkey credentials for this user */
     passkeys?: {
         credentialId: string;
         publicKey: string;
+        lastVerificationToken?: string | null;
     }[];
 }
 /** Theme mode */
@@ -466,6 +468,12 @@ interface PasskeyVerifyPopupOptions {
     rpId: string;
     /** Populated by `findDevicePasskeyViaPopup`; not set by callers. */
     channelId?: string;
+    /** Populated by `findDevicePasskeyViaPopup`; not set by callers. */
+    verificationToken?: string;
+    /** Privy JWT so the popup can report verification server-side. */
+    authToken?: string;
+    /** Core API base URL for server-side passkey activity reporting. */
+    apiBaseUrl?: string;
 }
 /**
  * Opens a same-origin pop-up window on the Swype domain to check whether
@@ -475,6 +483,11 @@ interface PasskeyVerifyPopupOptions {
  * inside a cross-origin iframe. The popup runs on the Swype domain where
  * the rpId matches, so WebAuthn works.
  *
+ * When `authToken` and `apiBaseUrl` are provided, the popup also writes a
+ * verification token to the backend. If Safari's ITP blocks both
+ * BroadcastChannel and window.opener.postMessage, the opener falls back to
+ * checking the server for the matching token after the popup closes.
+ *
  * Must be called from a user-gesture handler (e.g. button click) to
  * avoid the browser's pop-up blocker.
  *

package/dist/index.d.ts

@@ -189,11 +189,13 @@ interface UserConfig {
     passkey?: {
         credentialId: string;
         publicKey: string;
+        lastVerificationToken?: string | null;
     } | null;
     /** All registered WebAuthn passkey credentials for this user */
     passkeys?: {
         credentialId: string;
         publicKey: string;
+        lastVerificationToken?: string | null;
     }[];
 }
 /** Theme mode */
@@ -466,6 +468,12 @@ interface PasskeyVerifyPopupOptions {
     rpId: string;
     /** Populated by `findDevicePasskeyViaPopup`; not set by callers. */
     channelId?: string;
+    /** Populated by `findDevicePasskeyViaPopup`; not set by callers. */
+    verificationToken?: string;
+    /** Privy JWT so the popup can report verification server-side. */
+    authToken?: string;
+    /** Core API base URL for server-side passkey activity reporting. */
+    apiBaseUrl?: string;
 }
 /**
  * Opens a same-origin pop-up window on the Swype domain to check whether
@@ -475,6 +483,11 @@ interface PasskeyVerifyPopupOptions {
  * inside a cross-origin iframe. The popup runs on the Swype domain where
  * the rpId matches, so WebAuthn works.
  *
+ * When `authToken` and `apiBaseUrl` are provided, the popup also writes a
+ * verification token to the backend. If Safari's ITP blocks both
+ * BroadcastChannel and window.opener.postMessage, the opener falls back to
+ * checking the server for the matching token after the popup closes.
+ *
  * Must be called from a user-gesture handler (e.g. button click) to
  * avoid the browser's pop-up blocker.
  *

package/dist/index.js

@@ -801,7 +801,12 @@ var VERIFY_POPUP_TIMEOUT_MS = 6e4;
 function findDevicePasskeyViaPopup(options) {
   return new Promise((resolve, reject) => {
     const channelId = `swype-pv-${Date.now()}-${Math.random().toString(36).slice(2)}`;
-    const payload = { ...options, channelId };
+    const verificationToken = crypto.randomUUID();
+    const payload = {
+      ...options,
+      channelId,
+      verificationToken
+    };
     const encoded = btoa(JSON.stringify(payload));
     const popupUrl = `${window.location.origin}/passkey-verify#${encoded}`;
     const popup = window.open(popupUrl, "swype-passkey-verify");
@@ -821,7 +826,15 @@ function findDevicePasskeyViaPopup(options) {
         setTimeout(() => {
           if (!settled) {
             cleanup();
-            resolve(null);
+            checkServerForVerifiedPasskey(
+              options.authToken,
+              options.apiBaseUrl,
+              verificationToken
+            ).then((credentialId) => {
+              resolve(credentialId);
+            }).catch(() => {
+              resolve(null);
+            });
           }
         }, POPUP_CLOSED_GRACE_MS);
       }
@@ -857,6 +870,17 @@ function findDevicePasskeyViaPopup(options) {
     }
   });
 }
+async function checkServerForVerifiedPasskey(authToken, apiBaseUrl, verificationToken) {
+  if (!authToken || !apiBaseUrl) return null;
+  const res = await fetch(`${apiBaseUrl}/v1/users/config`, {
+    headers: { Authorization: `Bearer ${authToken}` }
+  });
+  if (!res.ok) return null;
+  const body = await res.json();
+  const passkeys = body.config.passkeys ?? [];
+  const matched = passkeys.find((p) => p.lastVerificationToken === verificationToken);
+  return matched?.credentialId ?? null;
+}
 async function checkServerForNewPasskey(authToken, apiBaseUrl, existingCredentialIds) {
   if (!authToken || !apiBaseUrl) return null;
   const res = await fetch(`${apiBaseUrl}/v1/users/config`, {
@@ -5588,14 +5612,16 @@ function SwypePaymentInner({
     setVerifyingPasskeyPopup(true);
     setError(null);
     try {
+      const token = await getAccessToken();
       const matched = await findDevicePasskeyViaPopup({
         credentialIds: knownCredentialIds,
-        rpId: resolvePasskeyRpId()
+        rpId: resolvePasskeyRpId(),
+        authToken: token ?? void 0,
+        apiBaseUrl
       });
       if (matched) {
         setActiveCredentialId(matched);
         window.localStorage.setItem(ACTIVE_CREDENTIAL_STORAGE_KEY, matched);
-        const token = await getAccessToken();
         if (token) {
           reportPasskeyActivity(apiBaseUrl, token, matched).catch(() => {
           });