npm - @tatchi-xyz/sdk - Versions diffs - 0.16.0 → 0.17.0 - Mend

@tatchi-xyz/sdk 0.16.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (470) hide show

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"generateVrfChallenge.js","names":["message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts"],"sourcesContent":["import type {\n VRFInputData,\n VRFWorkerMessage,\n WasmGenerateVrfChallengeRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.\n \n This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on\n * worker-owned challenge data instead of JS-provided state.\n /\nexport async function generateVrfChallengeForSession(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId: string\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData, sessionId);\n}\n\n/\n Generate a one-off VRF challenge without caching it in the VRF worker.\n \n Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.\n */\nexport async function generateVrfChallengeOnce(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData);\n}\n\nasync function generateVrfChallengeInternal(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId?: string\n): Promise<VRFChallenge> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest> = {\n type: 'GENERATE_VRF_CHALLENGE',\n id: ctx.generateMessageId(),\n payload: {\n sessionId,\n vrfInputData: {\n userId: inputData.userId,\n rpId: inputData.rpId,\n blockHeight: String(inputData.blockHeight),\n blockHash: inputData.blockHash,\n },\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF challenge generation failed: ${response.error}`);\n }\n\n const data = response.data as unknown as VRFChallenge;\n console.debug('VRF Manager: VRF challenge generated successfully');\n return validateVRFChallenge(data);\n}\n"],"mappings":"~~;;;;;;;;;~~AAcA,eAAsB,+BACpB,KACA,WACA,WACuB;AACvB,QAAO,6BAA6B,KAAK,WAAW;;;;;;;AAQtD,eAAsB,yBACpB,KACA,WACuB;AACvB,QAAO,6BAA6B,KAAK;;AAG3C,eAAe,6BACb,KACA,WACA,WACuB;AACvB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA6D;EACjE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP;GACA,cAAc;IACZ,QAAQ,UAAU;IAClB,MAAM,UAAU;IAChB,aAAa,OAAO,UAAU;IAC9B,WAAW,UAAU;;;;CAK3B,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,oCAAoC,SAAS;CAG/D,MAAM,OAAO,SAAS;AACtB,SAAQ,MAAM;AACd,QAAO,qBAAqB"}
1	+ {"version":3,"file":"generateVrfChallenge.js","names":["message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts"],"sourcesContent":["import type {\n VRFInputData,\n VRFWorkerMessage,\n WasmGenerateVrfChallengeRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.\n \n This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on\n * worker-owned challenge data instead of JS-provided state.\n /\nexport async function generateVrfChallengeForSession(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId: string\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData, sessionId);\n}\n\n/\n Generate a one-off VRF challenge without caching it in the VRF worker.\n \n Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.\n */\nexport async function generateVrfChallengeOnce(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData);\n}\n\nasync function generateVrfChallengeInternal(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId?: string\n): Promise<VRFChallenge> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest> = {\n type: 'GENERATE_VRF_CHALLENGE',\n id: ctx.generateMessageId(),\n payload: {\n sessionId,\n vrfInputData: {\n userId: inputData.userId,\n rpId: inputData.rpId,\n blockHeight: String(inputData.blockHeight),\n blockHash: inputData.blockHash,\n },\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF challenge generation failed: ${response.error}`);\n }\n\n const data = response.data as unknown as VRFChallenge;\n console.debug('VRF Manager: VRF challenge generated successfully');\n return validateVRFChallenge(data);\n}\n"],"mappings":";;;;;;;;;;AAcA,eAAsB,+BACpB,KACA,WACA,WACuB;AACvB,QAAO,6BAA6B,KAAK,WAAW;;;;;;;AAQtD,eAAsB,yBACpB,KACA,WACuB;AACvB,QAAO,6BAA6B,KAAK;;AAG3C,eAAe,6BACb,KACA,WACA,WACuB;AACvB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA6D;EACjE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP;GACA,cAAc;IACZ,QAAQ,UAAU;IAClB,MAAM,UAAU;IAChB,aAAa,OAAO,UAAU;IAC9B,WAAW,UAAU;;;;CAK3B,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,oCAAoC,SAAS;CAG/D,MAAM,OAAO,SAAS;AACtB,SAAQ,MAAM;AACd,QAAO,qBAAqB"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js CHANGED Viewed

@@ -1,6 +1,7 @@
-import { validateVRFChallenge } from "../../../types/vrf-worker.js";
+import { init_vrf_worker, validateVRFChallenge } from "../../../types/vrf-worker.js";
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts
+init_vrf_worker();
 /**
 * Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)
 * generate a VRF challenge from it.

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"generateVrfKeypairBootstrap.js","names":["message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest>","error: any"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts"],"sourcesContent":["import type { VRFInputData } from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VRFWorkerMessage, WasmGenerateVrfKeypairBootstrapRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)\n * generate a VRF challenge from it.\n \n This solves the \"chicken-and-egg\" problem during registration where you need a VRF challenge\n * before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in\n * VRF worker memory until it is later encrypted with PRF output.\n */\nexport async function generateVrfKeypairBootstrap(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId?: string;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n}> {\n await ctx.ensureWorkerReady();\n try {\n const message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest> = {\n type: 'GENERATE_VRF_KEYPAIR_BOOTSTRAP',\n id: ctx.generateMessageId(),\n payload: {\n // Include VRF input data if provided for challenge generation\n sessionId: args.sessionId,\n vrfInputData: args.vrfInputData\n ? {\n userId: args.vrfInputData.userId,\n rpId: args.vrfInputData.rpId,\n blockHeight: String(args.vrfInputData.blockHeight),\n blockHash: args.vrfInputData.blockHash,\n }\n : undefined,\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);\n }\n const data = response.data as { vrf_challenge_data?: VRFChallenge; vrfPublicKey?: string };\n const challengeData = data.vrf_challenge_data as VRFChallenge \| undefined;\n if (!challengeData) {\n throw new Error('VRF challenge data failed to be generated');\n }\n const vrfPublicKey = data.vrfPublicKey \|\| challengeData.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key missing in bootstrap response');\n }\n if (args.vrfInputData && args.saveInMemory) {\n // Track the account ID for this VRF session if saving in memory\n ctx.setCurrentVrfAccountId(args.vrfInputData.userId);\n }\n\n // TODO: strong types generated by Rust wasm-bindgen\n return {\n vrfPublicKey,\n vrfChallenge: validateVRFChallenge({\n vrfInput: challengeData.vrfInput,\n vrfOutput: challengeData.vrfOutput,\n vrfProof: challengeData.vrfProof,\n vrfPublicKey: challengeData.vrfPublicKey,\n userId: challengeData.userId,\n rpId: challengeData.rpId,\n blockHeight: challengeData.blockHeight,\n blockHash: challengeData.blockHash,\n })\n }\n\n } catch (error: any) {\n console.error('VRF Manager: Bootstrap VRF keypair generation failed:', error);\n throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);\n }\n}\n"],"mappings":"~~;;;;;;;;;;;~~AAaA,eAAsB,4BACpB,KACA,MAQC;AACD,OAAM,IAAI;AACV,KAAI;EACF,MAAMA,UAAoE;GACxE,MAAM;GACN,IAAI,IAAI;GACR,SAAS;IAEP,WAAW,KAAK;IAChB,cAAc,KAAK,eACf;KACE,QAAQ,KAAK,aAAa;KAC1B,MAAM,KAAK,aAAa;KACxB,aAAa,OAAO,KAAK,aAAa;KACtC,WAAW,KAAK,aAAa;QAE/B;;;EAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,4CAA4C,SAAS;EAEvE,MAAM,OAAO,SAAS;EACtB,MAAM,gBAAgB,KAAK;AAC3B,MAAI,CAAC,cACH,OAAM,IAAI,MAAM;EAElB,MAAM,eAAe,KAAK,gBAAgB,cAAc;AACxD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,MAAI,KAAK,gBAAgB,KAAK,aAE5B,KAAI,uBAAuB,KAAK,aAAa;AAI/C,SAAO;GACL;GACA,cAAc,qBAAqB;IACjC,UAAU,cAAc;IACxB,WAAW,cAAc;IACzB,UAAU,cAAc;IACxB,cAAc,cAAc;IAC5B,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB,aAAa,cAAc;IAC3B,WAAW,cAAc;;;UAItBC,OAAY;AACnB,UAAQ,MAAM,yDAAyD;AACvE,QAAM,IAAI,MAAM,6CAA6C,MAAM"}
1	+ {"version":3,"file":"generateVrfKeypairBootstrap.js","names":["message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest>","error: any"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts"],"sourcesContent":["import type { VRFInputData } from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VRFWorkerMessage, WasmGenerateVrfKeypairBootstrapRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)\n * generate a VRF challenge from it.\n \n This solves the \"chicken-and-egg\" problem during registration where you need a VRF challenge\n * before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in\n * VRF worker memory until it is later encrypted with PRF output.\n */\nexport async function generateVrfKeypairBootstrap(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId?: string;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n}> {\n await ctx.ensureWorkerReady();\n try {\n const message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest> = {\n type: 'GENERATE_VRF_KEYPAIR_BOOTSTRAP',\n id: ctx.generateMessageId(),\n payload: {\n // Include VRF input data if provided for challenge generation\n sessionId: args.sessionId,\n vrfInputData: args.vrfInputData\n ? {\n userId: args.vrfInputData.userId,\n rpId: args.vrfInputData.rpId,\n blockHeight: String(args.vrfInputData.blockHeight),\n blockHash: args.vrfInputData.blockHash,\n }\n : undefined,\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);\n }\n const data = response.data as { vrf_challenge_data?: VRFChallenge; vrfPublicKey?: string };\n const challengeData = data.vrf_challenge_data as VRFChallenge \| undefined;\n if (!challengeData) {\n throw new Error('VRF challenge data failed to be generated');\n }\n const vrfPublicKey = data.vrfPublicKey \|\| challengeData.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key missing in bootstrap response');\n }\n if (args.vrfInputData && args.saveInMemory) {\n // Track the account ID for this VRF session if saving in memory\n ctx.setCurrentVrfAccountId(args.vrfInputData.userId);\n }\n\n // TODO: strong types generated by Rust wasm-bindgen\n return {\n vrfPublicKey,\n vrfChallenge: validateVRFChallenge({\n vrfInput: challengeData.vrfInput,\n vrfOutput: challengeData.vrfOutput,\n vrfProof: challengeData.vrfProof,\n vrfPublicKey: challengeData.vrfPublicKey,\n userId: challengeData.userId,\n rpId: challengeData.rpId,\n blockHeight: challengeData.blockHeight,\n blockHash: challengeData.blockHash,\n })\n }\n\n } catch (error: any) {\n console.error('VRF Manager: Bootstrap VRF keypair generation failed:', error);\n throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);\n }\n}\n"],"mappings":";;;;;;;;;;;;AAaA,eAAsB,4BACpB,KACA,MAQC;AACD,OAAM,IAAI;AACV,KAAI;EACF,MAAMA,UAAoE;GACxE,MAAM;GACN,IAAI,IAAI;GACR,SAAS;IAEP,WAAW,KAAK;IAChB,cAAc,KAAK,eACf;KACE,QAAQ,KAAK,aAAa;KAC1B,MAAM,KAAK,aAAa;KACxB,aAAa,OAAO,KAAK,aAAa;KACtC,WAAW,KAAK,aAAa;QAE/B;;;EAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,4CAA4C,SAAS;EAEvE,MAAM,OAAO,SAAS;EACtB,MAAM,gBAAgB,KAAK;AAC3B,MAAI,CAAC,cACH,OAAM,IAAI,MAAM;EAElB,MAAM,eAAe,KAAK,gBAAgB,cAAc;AACxD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,MAAI,KAAK,gBAAgB,KAAK,aAE5B,KAAI,uBAAuB,KAAK,aAAa;AAI/C,SAAO;GACL;GACA,cAAc,qBAAqB;IACjC,UAAU,cAAc;IACxB,WAAW,cAAc;IACzB,UAAU,cAAc;IACxB,cAAc,cAAc;IAC5B,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB,aAAa,cAAc;IAC3B,WAAW,cAAc;;;UAItBC,OAAY;AACnB,UAAQ,MAAM,yDAAyD;AACvE,QAAM,IAAI,MAAM,6CAA6C,MAAM"}

package/dist/esm/core/WebAuthnManager/WebAuthnFallbacks/index.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { __esm } from "../../../_virtual/rolldown_runtime.js";
+import { WebAuthnBridgeMessage, executeWebAuthnWithParentFallbacksSafari, init_safari_fallbacks } from "./safari-fallbacks.js";
+//#region src/core/WebAuthnManager/WebAuthnFallbacks/index.ts
+var init_WebAuthnFallbacks = __esm({ "src/core/WebAuthnManager/WebAuthnFallbacks/index.ts": (() => {
+	init_safari_fallbacks();
+}) });
+//#endregion
+init_WebAuthnFallbacks();
+export { init_WebAuthnFallbacks };
+//# sourceMappingURL=index.js.map

package/dist/esm/core/WebAuthnManager/WebAuthnFallbacks/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","names":[],"sources":["../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/index.ts"],"sourcesContent":["export {\n executeWebAuthnWithParentFallbacksSafari,\n WebAuthnBridgeMessage,\n} from './safari-fallbacks';\n"],"mappings":""}

package/dist/esm/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.js CHANGED Viewed

@@ -1,10 +1,6 @@
+import { __esm } from "../../../_virtual/rolldown_runtime.js";
 //#region src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts
-const WebAuthnBridgeMessage = {
-	Create: "WALLET_WEBAUTHN_CREATE",
-	Get: "WALLET_WEBAUTHN_GET",
-	CreateResult: "WALLET_WEBAUTHN_CREATE_RESULT",
-	GetResult: "WALLET_WEBAUTHN_GET_RESULT"
-};
 function getResultTypeFor(kind) {
 	return kind === WebAuthnBridgeMessage.Get ? WebAuthnBridgeMessage.GetResult : WebAuthnBridgeMessage.CreateResult;
 }
@@ -107,54 +103,6 @@ async function requestParentDomainWebAuthn(kind, publicKey, client, timeoutMs) {
 	if (kind === "create") return client.request(WebAuthnBridgeMessage.Create, publicKey, timeoutMs);
 	return client.request(WebAuthnBridgeMessage.Get, publicKey, timeoutMs);
 }
-var WindowParentDomainWebAuthnClient = class {
-	async request(kind, publicKey, timeoutMs = 6e4) {
-		const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
-		const resultType = getResultTypeFor(kind);
-		return new Promise((resolve) => {
-			let settled = false;
-			const finish = (val) => {
-				if (!settled) {
-					settled = true;
-					resolve(val);
-				}
-			};
-			const onMessage = (ev) => {
-				const payload = ev?.data;
-				if (!payload || typeof payload.type !== "string") return;
-				const t = payload.type;
-				if (t !== resultType) return;
-				const rid = payload.requestId;
-				if (rid !== requestId) return;
-				window.removeEventListener("message", onMessage);
-				const ok = !!payload.ok;
-				const cred = payload.credential;
-				const err = payload.error;
-				if (ok && cred) return finish({
-					ok: true,
-					credential: cred
-				});
-				return finish({
-					ok: false,
-					error: typeof err === "string" ? err : void 0
-				});
-			};
-			window.addEventListener("message", onMessage);
-			window.parent?.postMessage({
-				type: kind,
-				requestId,
-				publicKey
-			}, "*");
-			setTimeout(() => {
-				window.removeEventListener("message", onMessage);
-				finish({
-					ok: false,
-					timeout: true
-				});
-			}, timeoutMs);
-		});
-	}
-};
 function notAllowedError(message) {
 	const e = new Error(message);
 	e.name = "NotAllowedError";
@@ -191,7 +139,65 @@ async function attemptRefocus(maxRetries = 2, delays = [50, 120]) {
 	}
 	return document.hasFocus();
 }
+var WebAuthnBridgeMessage, WindowParentDomainWebAuthnClient;
+var init_safari_fallbacks = __esm({ "src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts": (() => {
+	WebAuthnBridgeMessage = {
+		Create: "WALLET_WEBAUTHN_CREATE",
+		Get: "WALLET_WEBAUTHN_GET",
+		CreateResult: "WALLET_WEBAUTHN_CREATE_RESULT",
+		GetResult: "WALLET_WEBAUTHN_GET_RESULT"
+	};
+	WindowParentDomainWebAuthnClient = class {
+		async request(kind, publicKey, timeoutMs = 6e4) {
+			const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
+			const resultType = getResultTypeFor(kind);
+			return new Promise((resolve) => {
+				let settled = false;
+				const finish = (val) => {
+					if (!settled) {
+						settled = true;
+						resolve(val);
+					}
+				};
+				const onMessage = (ev) => {
+					const payload = ev?.data;
+					if (!payload || typeof payload.type !== "string") return;
+					const t = payload.type;
+					if (t !== resultType) return;
+					const rid = payload.requestId;
+					if (rid !== requestId) return;
+					window.removeEventListener("message", onMessage);
+					const ok = !!payload.ok;
+					const cred = payload.credential;
+					const err = payload.error;
+					if (ok && cred) return finish({
+						ok: true,
+						credential: cred
+					});
+					return finish({
+						ok: false,
+						error: typeof err === "string" ? err : void 0
+					});
+				};
+				window.addEventListener("message", onMessage);
+				window.parent?.postMessage({
+					type: kind,
+					requestId,
+					publicKey
+				}, "*");
+				setTimeout(() => {
+					window.removeEventListener("message", onMessage);
+					finish({
+						ok: false,
+						timeout: true
+					});
+				}, timeoutMs);
+			});
+		}
+	};
+}) });
 //#endregion
-export { WebAuthnBridgeMessage, executeWebAuthnWithParentFallbacksSafari };
+init_safari_fallbacks();
+export { WebAuthnBridgeMessage, executeWebAuthnWithParentFallbacksSafari, init_safari_fallbacks };
 //# sourceMappingURL=safari-fallbacks.js.map

package/dist/esm/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"safari-fallbacks.js","names":["be: unknown","e: unknown"],"sources":["../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts"],"sourcesContent":["// Safari/WebAuthn fallbacks: centralized retry + top-level bridge\n// - Encapsulates Safari-specific error handling (ancestor-origin, not-focused)\n// - Bridges create/get to top-level via postMessage when needed\n// - Keeps helpers private to reduce file count and surface area\n\ntype Kind = 'create' \| 'get';\n\n// Typed message names for parent-domain bridge\nexport const WebAuthnBridgeMessage = {\n Create: 'WALLET_WEBAUTHN_CREATE',\n Get: 'WALLET_WEBAUTHN_GET',\n CreateResult: 'WALLET_WEBAUTHN_CREATE_RESULT',\n GetResult: 'WALLET_WEBAUTHN_GET_RESULT',\n} as const;\n\nexport type BridgeKind = typeof WebAuthnBridgeMessage.Create \| typeof WebAuthnBridgeMessage.Get;\nexport type BridgeResultKind = typeof WebAuthnBridgeMessage.CreateResult \| typeof WebAuthnBridgeMessage.GetResult;\n\ntype ResultTypeFor<K extends BridgeKind> =\n K extends typeof WebAuthnBridgeMessage.Get\n ? typeof WebAuthnBridgeMessage.GetResult\n : typeof WebAuthnBridgeMessage.CreateResult;\n\nfunction getResultTypeFor<K extends BridgeKind>(kind: K): ResultTypeFor<K> {\n return (kind === WebAuthnBridgeMessage.Get\n ? WebAuthnBridgeMessage.GetResult\n : WebAuthnBridgeMessage.CreateResult) as ResultTypeFor<K>;\n}\n\ntype BridgeOk = { ok: true; credential: unknown };\ntype BridgeErr = { ok: false; error?: string; timeout?: boolean };\ntype BridgeResponse = BridgeOk \| BridgeErr;\n\n// Client interface used to request WebAuthn from the parent/top-level context\nexport type ParentDomainWebAuthnClient = {\n request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs?: number,\n ): Promise<BridgeResponse>;\n};\n\nexport interface OrchestratorDeps {\n rpId: string;\n inIframe: boolean;\n timeoutMs?: number;\n bridgeClient?: ParentDomainWebAuthnClient;\n // Gate for ancestor-error on GET; bridges for focus errors are always allowed when in iframe.\n permitGetBridgeOnAncestorError?: boolean;\n // Optional AbortSignal to cancel native navigator.credentials operations.\n // Note: parent-bridge path may not be abortable.\n abortSignal?: AbortSignal;\n}\n\n/*\n Execute a WebAuthn operation with Safari-aware fallbacks.\n \n Steps:\n * 1) Try native WebAuthn via navigator.credentials.{create\|get}\n * 2) If the failure matches Safari's ancestor-origin restriction and we are in an iframe,\n * ask the parent/top-level window to perform the WebAuthn operation (bridge). If the\n * parent reports a user cancellation, throw NotAllowedError; if it times out, continue.\n * 3) If the failure matches Safari's \"document not focused\" path, first attempt to refocus\n * and retry native once; if still blocked and in an iframe, ask the parent window to handle it.\n * 4) Generic last resort: when in an iframe (constrained context), always attempt the parent\n * WebAuthn once even if the error wasn't recognized as a Safari-specific case. If the parent\n * path times out, surface a deterministic timeout error without re-trying native again.\n * 5) Otherwise, rethrow the original error.\n /\nexport async function executeWebAuthnWithParentFallbacksSafari(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n deps: OrchestratorDeps,\n): Promise<PublicKeyCredential \| unknown> {\n\n const {\n rpId,\n inIframe,\n timeoutMs = 60000,\n permitGetBridgeOnAncestorError = true\n } = deps;\n const bridgeClient = deps.bridgeClient \|\| new WindowParentDomainWebAuthnClient();\n\n const isTestForceNativeFail = (): boolean => {\n const g = (globalThis as any);\n const w = (typeof window !== 'undefined' ? (window as any) : undefined);\n return !!(g && g.__W3A_TEST_FORCE_NATIVE_FAIL) \|\| !!(w && w.__W3A_TEST_FORCE_NATIVE_FAIL);\n };\n const bumpCounter = (key: string) => {\n const g = (globalThis as any);\n g[key] = (g[key] \|\| 0) + 1;\n };\n\n // Test harness fast-path: when explicitly forcing native fail, skip native and go straight to bridge.\n // Still bump native attempt counters for determinism in tests.\n if (isTestForceNativeFail()) {\n if (kind === 'create') bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n else bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n try {\n const bridged = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridged?.ok) return bridged.credential;\n if (bridged && !bridged.timeout) {\n throw notAllowedError(bridged.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n // Ensure consistent error type for unit tests\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n const tryNative = async () => {\n if (kind === 'create') {\n bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (create)');\n // Build options with optional AbortSignal\n return await navigator.credentials.create({\n publicKey: publicKey as PublicKeyCredentialCreationOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n } else {\n bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (get)');\n return await navigator.credentials.get({\n publicKey: publicKey as PublicKeyCredentialRequestOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n }\n };\n\n // Step 1: native attempt\n try {\n return await tryNative();\n } catch (e: unknown) {\n // If the user explicitly cancelled (generic NotAllowedError without Safari-specific hints),\n // do not attempt any bridge fallbacks that would re-prompt Touch ID. Propagate immediately.\n // This avoids double prompts when a user cancels the native sheet.\n const name = safeName(e);\n if (name === 'NotAllowedError' && !isAncestorOriginError(e) && !isDocumentNotFocusedError(e)) {\n throw e;\n }\n\n // Step 2: ancestor-origin restriction → parent bridge (when in iframe)\n if (isAncestorOriginError(e) && inIframe) {\n if (kind === 'get' && !permitGetBridgeOnAncestorError) {\n throw e;\n }\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 3: document-not-focused → refocus + retry native; then parent bridge if still blocked\n if (isDocumentNotFocusedError(e)) {\n const focused = await attemptRefocus();\n if (focused) {\n try { return await tryNative(); } catch {}\n }\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n }\n\n // Step 4: generic last-resort bridge path for constrained iframe contexts\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n // Timeout: surface an explicit error without re‑trying native again\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 5: not an iframe or no recognized fallback – rethrow original error\n throw e;\n }\n}\n\n// Request the parent/top-level window to perform the WebAuthn operation\nexport async function requestParentDomainWebAuthn(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n client: ParentDomainWebAuthnClient,\n timeoutMs: number,\n): Promise<BridgeResponse> {\n if (kind === 'create') {\n return client.request(WebAuthnBridgeMessage.Create, publicKey as PublicKeyCredentialCreationOptions, timeoutMs);\n }\n return client.request(WebAuthnBridgeMessage.Get, publicKey as PublicKeyCredentialRequestOptions, timeoutMs);\n}\n\n// Default bridge client using window.parent postMessage protocol\nexport class WindowParentDomainWebAuthnClient implements ParentDomainWebAuthnClient {\n async request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs = 60000,\n ): Promise<BridgeResponse> {\n const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;\n const resultType = getResultTypeFor(kind);\n\n return new Promise((resolve) => {\n let settled = false;\n const finish = (val: BridgeResponse) => { if (!settled) { settled = true; resolve(val); } };\n\n const onMessage = (ev: MessageEvent) => {\n const payload = ev?.data as unknown;\n if (!payload \|\| typeof (payload as { type?: unknown }).type !== 'string') return;\n const t = (payload as { type: string }).type;\n if (t !== resultType) return;\n const rid = (payload as { requestId?: unknown }).requestId;\n if (rid !== requestId) return;\n window.removeEventListener('message', onMessage);\n const ok = !!(payload as { ok?: unknown }).ok;\n const cred = (payload as { credential?: unknown }).credential;\n const err = (payload as { error?: unknown }).error;\n if (ok && cred) return finish({ ok: true, credential: cred });\n return finish({ ok: false, error: typeof err === 'string' ? err : undefined });\n };\n window.addEventListener('message', onMessage);\n window.parent?.postMessage({ type: kind, requestId, publicKey } as { type: K; requestId: string; publicKey: any }, '');\n setTimeout(() => { window.removeEventListener('message', onMessage); finish({ ok: false, timeout: true }); }, timeoutMs);\n });\n }\n}\n\nfunction notAllowedError(message: string): Error {\n const e = new Error(message);\n (e as any).name = 'NotAllowedError';\n return e;\n}\n\n// Private: error classification helpers\nfunction isAncestorOriginError(err: unknown): boolean {\n const msg = safeMessage(err);\n return /origin of the document is not the same as its ancestors/i.test(msg);\n}\n\nfunction isDocumentNotFocusedError(err: unknown): boolean {\n const name = safeName(err);\n const msg = safeMessage(err);\n const isNotAllowed = name === 'NotAllowedError';\n const mentionsFocus = /document is not focused\|not focused\|focus/i.test(msg);\n return Boolean(isNotAllowed && mentionsFocus);\n}\n\nfunction safeMessage(err: unknown): string {\n return String((err as { message?: unknown })?.message \|\| '');\n}\n\nfunction safeName(err: unknown): string {\n const n = (err as { name?: unknown })?.name;\n return typeof n === 'string' ? n : '';\n}\n\n// Private: focus utility to mitigate Safari focus issues\nasync function attemptRefocus(maxRetries = 2, delays: number[] = [50, 120]): Promise<boolean> {\n (window as any).focus?.();\n (document?.body as any)?.focus?.();\n\n const wait = (ms: number) => new Promise(r => setTimeout(r, ms));\n const total = Math.max(0, maxRetries);\n for (let i = 0; i <= total; i++) {\n const d = delays[i] ?? delays[delays.length - 1] ?? 80;\n await wait(d);\n if (document.hasFocus()) return true;\n (window as any).focus?.();\n }\n return document.hasFocus();\n}\n"],"mappings":";AAQA,MAAa,wBAAwB;CACnC,QAAQ;CACR,KAAK;CACL,cAAc;CACd,WAAW;;AAWb,SAAS,iBAAuC,MAA2B;AACzE,QAAQ,SAAS,sBAAsB,MACnC,sBAAsB,YACtB,sBAAsB;;;;;;;;;;;;;;;;;AA2C5B,eAAsB,yCACpB,MACA,WACA,MACwC;CAExC,MAAM,EACJ,MACA,UACA,YAAY,KACZ,iCAAiC,SAC/B;CACJ,MAAM,eAAe,KAAK,gBAAgB,IAAI;CAE9C,MAAM,8BAAuC;EAC3C,MAAM,IAAK;EACX,MAAM,IAAK,OAAO,WAAW,cAAe,SAAiB;AAC7D,SAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,CAAC,EAAE,KAAK,EAAE;;CAE9D,MAAM,eAAe,QAAgB;EACnC,MAAM,IAAK;AACX,IAAE,QAAQ,EAAE,QAAQ,KAAK;;AAK3B,KAAI,yBAAyB;AAC3B,MAAI,SAAS,SAAU,aAAY;MAC9B,aAAY;AACjB,MAAI;GACF,MAAM,UAAU,MAAM,4BAA4B,MAAM,WAAW,cAAc;AACjF,OAAI,SAAS,GAAI,QAAO,QAAQ;AAChC,OAAI,WAAW,CAAC,QAAQ,QACtB,OAAM,gBAAgB,QAAQ,SAAS;AAEzC,SAAM,IAAI,MAAM;WACTA,IAAa;AAEpB,SAAM,gBAAiB,IAAY,WAAW;;;CAIlD,MAAM,YAAY,YAAY;AAC5B,MAAI,SAAS,UAAU;AACrB,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AAEnD,UAAO,MAAM,UAAU,YAAY,OAAO;IAC7B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;SAEnD;AACL,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AACnD,UAAO,MAAM,UAAU,YAAY,IAAI;IAC1B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;;;AAM5D,KAAI;AACF,SAAO,MAAM;UACNC,GAAY;EAInB,MAAM,OAAO,SAAS;AACtB,MAAI,SAAS,qBAAqB,CAAC,sBAAsB,MAAM,CAAC,0BAA0B,GACxF,OAAM;AAIR,MAAI,sBAAsB,MAAM,UAAU;AACxC,OAAI,SAAS,SAAS,CAAC,+BACrB,OAAM;AAER,OAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CD,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAKlD,MAAI,0BAA0B,IAAI;GAChC,MAAM,UAAU,MAAM;AACtB,OAAI,QACF,KAAI;AAAE,WAAO,MAAM;WAAqB;AAE1C,OAAI,SACF,KAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CA,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAMpD,MAAI,SACF,KAAI;GACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,OAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,OAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;AAGpD,SAAM,IAAI,MAAM;WACTA,IAAa;AACpB,SAAM,gBAAiB,IAAY,WAAW;;AAKlD,QAAM;;;AAKV,eAAsB,4BACpB,MACA,WACA,QACA,WACyB;AACzB,KAAI,SAAS,SACX,QAAO,OAAO,QAAQ,sBAAsB,QAAQ,WAAiD;AAEvG,QAAO,OAAO,QAAQ,sBAAsB,KAAK,WAAgD;;AAInG,IAAa,mCAAb,MAAoF;CAClF,MAAM,QACJ,MACA,WACA,YAAY,KACa;EACzB,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;EAC5E,MAAM,aAAa,iBAAiB;AAEpC,SAAO,IAAI,SAAS,YAAY;GAC9B,IAAI,UAAU;GACd,MAAM,UAAU,QAAwB;AAAE,QAAI,CAAC,SAAS;AAAE,eAAU;AAAM,aAAQ;;;GAElF,MAAM,aAAa,OAAqB;IACtC,MAAM,UAAU,IAAI;AACpB,QAAI,CAAC,WAAW,OAAQ,QAA+B,SAAS,SAAU;IAC1E,MAAM,IAAK,QAA6B;AACxC,QAAI,MAAM,WAAY;IACtB,MAAM,MAAO,QAAoC;AACjD,QAAI,QAAQ,UAAW;AACvB,WAAO,oBAAoB,WAAW;IACtC,MAAM,KAAK,CAAC,CAAE,QAA6B;IAC3C,MAAM,OAAQ,QAAqC;IACnD,MAAM,MAAO,QAAgC;AAC7C,QAAI,MAAM,KAAM,QAAO,OAAO;KAAE,IAAI;KAAM,YAAY;;AACtD,WAAO,OAAO;KAAE,IAAI;KAAO,OAAO,OAAO,QAAQ,WAAW,MAAM;;;AAEpE,UAAO,iBAAiB,WAAW;AACnC,UAAO,QAAQ,YAAY;IAAE,MAAM;IAAM;IAAW;MAA+D;AACnH,oBAAiB;AAAE,WAAO,oBAAoB,WAAW;AAAY,WAAO;KAAE,IAAI;KAAO,SAAS;;MAAY;;;;AAKpH,SAAS,gBAAgB,SAAwB;CAC/C,MAAM,IAAI,IAAI,MAAM;AACpB,CAAC,EAAU,OAAO;AAClB,QAAO;;AAIT,SAAS,sBAAsB,KAAuB;CACpD,MAAM,MAAM,YAAY;AACxB,QAAO,2DAA2D,KAAK;;AAGzE,SAAS,0BAA0B,KAAuB;CACxD,MAAM,OAAO,SAAS;CACtB,MAAM,MAAM,YAAY;CACxB,MAAM,eAAe,SAAS;CAC9B,MAAM,gBAAgB,6CAA6C,KAAK;AACxE,QAAO,QAAQ,gBAAgB;;AAGjC,SAAS,YAAY,KAAsB;AACzC,QAAO,OAAQ,KAA+B,WAAW;;AAG3D,SAAS,SAAS,KAAsB;CACtC,MAAM,IAAK,KAA4B;AACvC,QAAO,OAAO,MAAM,WAAW,IAAI;;AAIrC,eAAe,eAAe,aAAa,GAAG,SAAmB,CAAC,IAAI,MAAwB;AAC5F,CAAC,OAAe;AAChB,EAAC,UAAU,OAAc;CAEzB,MAAM,QAAQ,OAAe,IAAI,SAAQ,MAAK,WAAW,GAAG;CAC5D,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC1B,MAAK,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK;EAC/B,MAAM,IAAI,OAAO,MAAM,OAAO,OAAO,SAAS,MAAM;AACpD,QAAM,KAAK;AACX,MAAI,SAAS,WAAY,QAAO;AAChC,EAAC,OAAe;;AAElB,QAAO,SAAS"}
1	+ {"version":3,"file":"safari-fallbacks.js","names":["be: unknown","e: unknown"],"sources":["../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts"],"sourcesContent":["// Safari/WebAuthn fallbacks: centralized retry + top-level bridge\n// - Encapsulates Safari-specific error handling (ancestor-origin, not-focused)\n// - Bridges create/get to top-level via postMessage when needed\n// - Keeps helpers private to reduce file count and surface area\n\ntype Kind = 'create' \| 'get';\n\n// Typed message names for parent-domain bridge\nexport const WebAuthnBridgeMessage = {\n Create: 'WALLET_WEBAUTHN_CREATE',\n Get: 'WALLET_WEBAUTHN_GET',\n CreateResult: 'WALLET_WEBAUTHN_CREATE_RESULT',\n GetResult: 'WALLET_WEBAUTHN_GET_RESULT',\n} as const;\n\nexport type BridgeKind = typeof WebAuthnBridgeMessage.Create \| typeof WebAuthnBridgeMessage.Get;\nexport type BridgeResultKind = typeof WebAuthnBridgeMessage.CreateResult \| typeof WebAuthnBridgeMessage.GetResult;\n\ntype ResultTypeFor<K extends BridgeKind> =\n K extends typeof WebAuthnBridgeMessage.Get\n ? typeof WebAuthnBridgeMessage.GetResult\n : typeof WebAuthnBridgeMessage.CreateResult;\n\nfunction getResultTypeFor<K extends BridgeKind>(kind: K): ResultTypeFor<K> {\n return (kind === WebAuthnBridgeMessage.Get\n ? WebAuthnBridgeMessage.GetResult\n : WebAuthnBridgeMessage.CreateResult) as ResultTypeFor<K>;\n}\n\ntype BridgeOk = { ok: true; credential: unknown };\ntype BridgeErr = { ok: false; error?: string; timeout?: boolean };\ntype BridgeResponse = BridgeOk \| BridgeErr;\n\n// Client interface used to request WebAuthn from the parent/top-level context\nexport type ParentDomainWebAuthnClient = {\n request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs?: number,\n ): Promise<BridgeResponse>;\n};\n\nexport interface OrchestratorDeps {\n rpId: string;\n inIframe: boolean;\n timeoutMs?: number;\n bridgeClient?: ParentDomainWebAuthnClient;\n // Gate for ancestor-error on GET; bridges for focus errors are always allowed when in iframe.\n permitGetBridgeOnAncestorError?: boolean;\n // Optional AbortSignal to cancel native navigator.credentials operations.\n // Note: parent-bridge path may not be abortable.\n abortSignal?: AbortSignal;\n}\n\n/*\n Execute a WebAuthn operation with Safari-aware fallbacks.\n \n Steps:\n * 1) Try native WebAuthn via navigator.credentials.{create\|get}\n * 2) If the failure matches Safari's ancestor-origin restriction and we are in an iframe,\n * ask the parent/top-level window to perform the WebAuthn operation (bridge). If the\n * parent reports a user cancellation, throw NotAllowedError; if it times out, continue.\n * 3) If the failure matches Safari's \"document not focused\" path, first attempt to refocus\n * and retry native once; if still blocked and in an iframe, ask the parent window to handle it.\n * 4) Generic last resort: when in an iframe (constrained context), always attempt the parent\n * WebAuthn once even if the error wasn't recognized as a Safari-specific case. If the parent\n * path times out, surface a deterministic timeout error without re-trying native again.\n * 5) Otherwise, rethrow the original error.\n /\nexport async function executeWebAuthnWithParentFallbacksSafari(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n deps: OrchestratorDeps,\n): Promise<PublicKeyCredential \| unknown> {\n\n const {\n rpId,\n inIframe,\n timeoutMs = 60000,\n permitGetBridgeOnAncestorError = true\n } = deps;\n const bridgeClient = deps.bridgeClient \|\| new WindowParentDomainWebAuthnClient();\n\n const isTestForceNativeFail = (): boolean => {\n const g = (globalThis as any);\n const w = (typeof window !== 'undefined' ? (window as any) : undefined);\n return !!(g && g.__W3A_TEST_FORCE_NATIVE_FAIL) \|\| !!(w && w.__W3A_TEST_FORCE_NATIVE_FAIL);\n };\n const bumpCounter = (key: string) => {\n const g = (globalThis as any);\n g[key] = (g[key] \|\| 0) + 1;\n };\n\n // Test harness fast-path: when explicitly forcing native fail, skip native and go straight to bridge.\n // Still bump native attempt counters for determinism in tests.\n if (isTestForceNativeFail()) {\n if (kind === 'create') bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n else bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n try {\n const bridged = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridged?.ok) return bridged.credential;\n if (bridged && !bridged.timeout) {\n throw notAllowedError(bridged.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n // Ensure consistent error type for unit tests\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n const tryNative = async () => {\n if (kind === 'create') {\n bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (create)');\n // Build options with optional AbortSignal\n return await navigator.credentials.create({\n publicKey: publicKey as PublicKeyCredentialCreationOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n } else {\n bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (get)');\n return await navigator.credentials.get({\n publicKey: publicKey as PublicKeyCredentialRequestOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n }\n };\n\n // Step 1: native attempt\n try {\n return await tryNative();\n } catch (e: unknown) {\n // If the user explicitly cancelled (generic NotAllowedError without Safari-specific hints),\n // do not attempt any bridge fallbacks that would re-prompt Touch ID. Propagate immediately.\n // This avoids double prompts when a user cancels the native sheet.\n const name = safeName(e);\n if (name === 'NotAllowedError' && !isAncestorOriginError(e) && !isDocumentNotFocusedError(e)) {\n throw e;\n }\n\n // Step 2: ancestor-origin restriction → parent bridge (when in iframe)\n if (isAncestorOriginError(e) && inIframe) {\n if (kind === 'get' && !permitGetBridgeOnAncestorError) {\n throw e;\n }\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 3: document-not-focused → refocus + retry native; then parent bridge if still blocked\n if (isDocumentNotFocusedError(e)) {\n const focused = await attemptRefocus();\n if (focused) {\n try { return await tryNative(); } catch {}\n }\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n }\n\n // Step 4: generic last-resort bridge path for constrained iframe contexts\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n // Timeout: surface an explicit error without re‑trying native again\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 5: not an iframe or no recognized fallback – rethrow original error\n throw e;\n }\n}\n\n// Request the parent/top-level window to perform the WebAuthn operation\nexport async function requestParentDomainWebAuthn(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n client: ParentDomainWebAuthnClient,\n timeoutMs: number,\n): Promise<BridgeResponse> {\n if (kind === 'create') {\n return client.request(WebAuthnBridgeMessage.Create, publicKey as PublicKeyCredentialCreationOptions, timeoutMs);\n }\n return client.request(WebAuthnBridgeMessage.Get, publicKey as PublicKeyCredentialRequestOptions, timeoutMs);\n}\n\n// Default bridge client using window.parent postMessage protocol\nexport class WindowParentDomainWebAuthnClient implements ParentDomainWebAuthnClient {\n async request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs = 60000,\n ): Promise<BridgeResponse> {\n const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;\n const resultType = getResultTypeFor(kind);\n\n return new Promise((resolve) => {\n let settled = false;\n const finish = (val: BridgeResponse) => { if (!settled) { settled = true; resolve(val); } };\n\n const onMessage = (ev: MessageEvent) => {\n const payload = ev?.data as unknown;\n if (!payload \|\| typeof (payload as { type?: unknown }).type !== 'string') return;\n const t = (payload as { type: string }).type;\n if (t !== resultType) return;\n const rid = (payload as { requestId?: unknown }).requestId;\n if (rid !== requestId) return;\n window.removeEventListener('message', onMessage);\n const ok = !!(payload as { ok?: unknown }).ok;\n const cred = (payload as { credential?: unknown }).credential;\n const err = (payload as { error?: unknown }).error;\n if (ok && cred) return finish({ ok: true, credential: cred });\n return finish({ ok: false, error: typeof err === 'string' ? err : undefined });\n };\n window.addEventListener('message', onMessage);\n window.parent?.postMessage({ type: kind, requestId, publicKey } as { type: K; requestId: string; publicKey: any }, '');\n setTimeout(() => { window.removeEventListener('message', onMessage); finish({ ok: false, timeout: true }); }, timeoutMs);\n });\n }\n}\n\nfunction notAllowedError(message: string): Error {\n const e = new Error(message);\n (e as any).name = 'NotAllowedError';\n return e;\n}\n\n// Private: error classification helpers\nfunction isAncestorOriginError(err: unknown): boolean {\n const msg = safeMessage(err);\n return /origin of the document is not the same as its ancestors/i.test(msg);\n}\n\nfunction isDocumentNotFocusedError(err: unknown): boolean {\n const name = safeName(err);\n const msg = safeMessage(err);\n const isNotAllowed = name === 'NotAllowedError';\n const mentionsFocus = /document is not focused\|not focused\|focus/i.test(msg);\n return Boolean(isNotAllowed && mentionsFocus);\n}\n\nfunction safeMessage(err: unknown): string {\n return String((err as { message?: unknown })?.message \|\| '');\n}\n\nfunction safeName(err: unknown): string {\n const n = (err as { name?: unknown })?.name;\n return typeof n === 'string' ? n : '';\n}\n\n// Private: focus utility to mitigate Safari focus issues\nasync function attemptRefocus(maxRetries = 2, delays: number[] = [50, 120]): Promise<boolean> {\n (window as any).focus?.();\n (document?.body as any)?.focus?.();\n\n const wait = (ms: number) => new Promise(r => setTimeout(r, ms));\n const total = Math.max(0, maxRetries);\n for (let i = 0; i <= total; i++) {\n const d = delays[i] ?? delays[delays.length - 1] ?? 80;\n await wait(d);\n if (document.hasFocus()) return true;\n (window as any).focus?.();\n }\n return document.hasFocus();\n}\n"],"mappings":";;;AAuBA,SAAS,iBAAuC,MAA2B;AACzE,QAAQ,SAAS,sBAAsB,MACnC,sBAAsB,YACtB,sBAAsB;;;;;;;;;;;;;;;;;AA2C5B,eAAsB,yCACpB,MACA,WACA,MACwC;CAExC,MAAM,EACJ,MACA,UACA,YAAY,KACZ,iCAAiC,SAC/B;CACJ,MAAM,eAAe,KAAK,gBAAgB,IAAI;CAE9C,MAAM,8BAAuC;EAC3C,MAAM,IAAK;EACX,MAAM,IAAK,OAAO,WAAW,cAAe,SAAiB;AAC7D,SAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,CAAC,EAAE,KAAK,EAAE;;CAE9D,MAAM,eAAe,QAAgB;EACnC,MAAM,IAAK;AACX,IAAE,QAAQ,EAAE,QAAQ,KAAK;;AAK3B,KAAI,yBAAyB;AAC3B,MAAI,SAAS,SAAU,aAAY;MAC9B,aAAY;AACjB,MAAI;GACF,MAAM,UAAU,MAAM,4BAA4B,MAAM,WAAW,cAAc;AACjF,OAAI,SAAS,GAAI,QAAO,QAAQ;AAChC,OAAI,WAAW,CAAC,QAAQ,QACtB,OAAM,gBAAgB,QAAQ,SAAS;AAEzC,SAAM,IAAI,MAAM;WACTA,IAAa;AAEpB,SAAM,gBAAiB,IAAY,WAAW;;;CAIlD,MAAM,YAAY,YAAY;AAC5B,MAAI,SAAS,UAAU;AACrB,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AAEnD,UAAO,MAAM,UAAU,YAAY,OAAO;IAC7B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;SAEnD;AACL,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AACnD,UAAO,MAAM,UAAU,YAAY,IAAI;IAC1B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;;;AAM5D,KAAI;AACF,SAAO,MAAM;UACNC,GAAY;EAInB,MAAM,OAAO,SAAS;AACtB,MAAI,SAAS,qBAAqB,CAAC,sBAAsB,MAAM,CAAC,0BAA0B,GACxF,OAAM;AAIR,MAAI,sBAAsB,MAAM,UAAU;AACxC,OAAI,SAAS,SAAS,CAAC,+BACrB,OAAM;AAER,OAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CD,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAKlD,MAAI,0BAA0B,IAAI;GAChC,MAAM,UAAU,MAAM;AACtB,OAAI,QACF,KAAI;AAAE,WAAO,MAAM;WAAqB;AAE1C,OAAI,SACF,KAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CA,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAMpD,MAAI,SACF,KAAI;GACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,OAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,OAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;AAGpD,SAAM,IAAI,MAAM;WACTA,IAAa;AACpB,SAAM,gBAAiB,IAAY,WAAW;;AAKlD,QAAM;;;AAKV,eAAsB,4BACpB,MACA,WACA,QACA,WACyB;AACzB,KAAI,SAAS,SACX,QAAO,OAAO,QAAQ,sBAAsB,QAAQ,WAAiD;AAEvG,QAAO,OAAO,QAAQ,sBAAsB,KAAK,WAAgD;;AAsCnG,SAAS,gBAAgB,SAAwB;CAC/C,MAAM,IAAI,IAAI,MAAM;AACpB,CAAC,EAAU,OAAO;AAClB,QAAO;;AAIT,SAAS,sBAAsB,KAAuB;CACpD,MAAM,MAAM,YAAY;AACxB,QAAO,2DAA2D,KAAK;;AAGzE,SAAS,0BAA0B,KAAuB;CACxD,MAAM,OAAO,SAAS;CACtB,MAAM,MAAM,YAAY;CACxB,MAAM,eAAe,SAAS;CAC9B,MAAM,gBAAgB,6CAA6C,KAAK;AACxE,QAAO,QAAQ,gBAAgB;;AAGjC,SAAS,YAAY,KAAsB;AACzC,QAAO,OAAQ,KAA+B,WAAW;;AAG3D,SAAS,SAAS,KAAsB;CACtC,MAAM,IAAK,KAA4B;AACvC,QAAO,OAAO,MAAM,WAAW,IAAI;;AAIrC,eAAe,eAAe,aAAa,GAAG,SAAmB,CAAC,IAAI,MAAwB;AAC5F,CAAC,OAAe;AAChB,EAAC,UAAU,OAAc;CAEzB,MAAM,QAAQ,OAAe,IAAI,SAAQ,MAAK,WAAW,GAAG;CAC5D,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC1B,MAAK,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK;EAC/B,MAAM,IAAI,OAAO,MAAM,OAAO,OAAO,SAAS,MAAM;AACpD,QAAM,KAAK;AACX,MAAI,SAAS,WAAY,QAAO;AAChC,EAAC,OAAe;;AAElB,QAAO,SAAS;;;;CAvRL,wBAAwB;EACnC,QAAQ;EACR,KAAK;EACL,cAAc;EACd,WAAW;;CAuMA,mCAAb,MAAoF;EAClF,MAAM,QACJ,MACA,WACA,YAAY,KACa;GACzB,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;GAC5E,MAAM,aAAa,iBAAiB;AAEpC,UAAO,IAAI,SAAS,YAAY;IAC9B,IAAI,UAAU;IACd,MAAM,UAAU,QAAwB;AAAE,SAAI,CAAC,SAAS;AAAE,gBAAU;AAAM,cAAQ;;;IAElF,MAAM,aAAa,OAAqB;KACtC,MAAM,UAAU,IAAI;AACpB,SAAI,CAAC,WAAW,OAAQ,QAA+B,SAAS,SAAU;KAC1E,MAAM,IAAK,QAA6B;AACxC,SAAI,MAAM,WAAY;KACtB,MAAM,MAAO,QAAoC;AACjD,SAAI,QAAQ,UAAW;AACvB,YAAO,oBAAoB,WAAW;KACtC,MAAM,KAAK,CAAC,CAAE,QAA6B;KAC3C,MAAM,OAAQ,QAAqC;KACnD,MAAM,MAAO,QAAgC;AAC7C,SAAI,MAAM,KAAM,QAAO,OAAO;MAAE,IAAI;MAAM,YAAY;;AACtD,YAAO,OAAO;MAAE,IAAI;MAAO,OAAO,OAAO,QAAQ,WAAW,MAAM;;;AAEpE,WAAO,iBAAiB,WAAW;AACnC,WAAO,QAAQ,YAAY;KAAE,MAAM;KAAM;KAAW;OAA+D;AACnH,qBAAiB;AAAE,YAAO,oBAAoB,WAAW;AAAY,YAAO;MAAE,IAAI;MAAO,SAAS;;OAAY"}

package/dist/esm/core/WebAuthnManager/credentialsHelpers.js CHANGED Viewed

@@ -1,9 +1,9 @@
+import { __esm } from "../../_virtual/rolldown_runtime.js";
 import { init_validation, isArray, isObject, isString } from "../WalletIframe/validation.js";
 import { base64UrlEncode } from "../../utils/base64.js";
-import "../../utils/index.js";
+import { init_utils } from "../../utils/index.js";
 //#region src/core/WebAuthnManager/credentialsHelpers.ts
-init_validation();
 /**
 * Serialize PublicKeyCredential for both authentication and registration for WASM worker
 * - Uses base64url encoding for WASM compatibility
@@ -277,7 +277,12 @@ function normalizeClientExtensionOutputs(input) {
 	}
 	return out;
 }
+var init_credentialsHelpers = __esm({ "src/core/WebAuthnManager/credentialsHelpers.ts": (() => {
+	init_utils();
+	init_validation();
+}) });
 //#endregion
-export { generateChaCha20Salt, generateEd25519Salt, isSerializedRegistrationCredential, normalizeRegistrationCredential, removePrfOutputGuard, serializeAuthenticationCredentialWithPRF, serializeRegistrationCredential, serializeRegistrationCredentialWithPRF };
+init_credentialsHelpers();
+export { generateChaCha20Salt, generateEd25519Salt, init_credentialsHelpers, isSerializedRegistrationCredential, normalizeRegistrationCredential, removePrfOutputGuard, serializeAuthenticationCredentialWithPRF, serializeRegistrationCredential, serializeRegistrationCredentialWithPRF };
 //# sourceMappingURL=credentialsHelpers.js.map

package/dist/esm/core/WebAuthnManager/index.js CHANGED Viewed

@@ -2,8 +2,8 @@ import { init_accountIds, toAccountId } from "../types/accountIds.js";
 import { IndexedDBManager, init_IndexedDBManager } from "../IndexedDBManager/index.js";
 import { onEmbeddedBaseChange } from "../sdkPaths/base.js";
 import { resolveWorkerBaseOrigin } from "../sdkPaths/workers.js";
-import { TouchIdPrompt } from "./touchIdPrompt.js";
-import { getLastLoggedInDeviceNumber } from "./SignerWorkerManager/getDeviceNumber.js";
+import { TouchIdPrompt, init_touchIdPrompt } from "./touchIdPrompt.js";
+import { getLastLoggedInDeviceNumber, init_getDeviceNumber } from "./SignerWorkerManager/getDeviceNumber.js";
 import { SignerWorkerManager } from "./SignerWorkerManager/index.js";
 import { VrfWorkerManager } from "./VrfWorkerManager/index.js";
 import userPreferences_default from "./userPreferences.js";
@@ -12,7 +12,9 @@ import { __isWalletIframeHostMode } from "../WalletIframe/host-mode.js";
 //#region src/core/WebAuthnManager/index.ts
 init_IndexedDBManager();
+init_touchIdPrompt();
 init_accountIds();
+init_getDeviceNumber();
 /**
 * WebAuthnManager - Main orchestrator for WebAuthn operations
 *
@@ -535,6 +537,7 @@ var WebAuthnManager = class {
 	async storeUserData(userData) {
 		await IndexedDBManager.clientDB.storeWebAuthnUserData({
 			...userData,
+			deviceNumber: userData.deviceNumber ?? 1,
 			version: userData.version || 2
 		});
 	}
@@ -590,10 +593,12 @@ var WebAuthnManager = class {
 		return await IndexedDBManager.clientDB.registerUser(storeUserData);
 	}
 	async storeAuthenticator(authenticatorData) {
+		const deviceNumber = Number(authenticatorData.deviceNumber);
+		const normalizedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : 1;
 		const authData = {
 			...authenticatorData,
 			nearAccountId: toAccountId(authenticatorData.nearAccountId),
-			deviceNumber: authenticatorData.deviceNumber || 1
+			deviceNumber: normalizedDeviceNumber
 		};
 		return await IndexedDBManager.clientDB.storeAuthenticator(authData);
 	}