npm - @tatchi-xyz/sdk - Versions diffs - 0.16.0 → 0.17.0 - Mend

@tatchi-xyz/sdk 0.16.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (470) hide show

package/dist/esm/react/sdk/src/core/WebAuthnManager/touchIdPrompt.js CHANGED Viewed

@@ -1,11 +1,12 @@
+import { __esm } from "../../../../_virtual/rolldown_runtime.js";
 import { base64UrlDecode } from "../../utils/base64.js";
 import { init_encoders } from "../../utils/encoders.js";
-import { outputAs32Bytes } from "../types/vrf-worker.js";
-import { generateChaCha20Salt, generateEd25519Salt, serializeAuthenticationCredentialWithPRF } from "./credentialsHelpers.js";
+import { init_vrf_worker, outputAs32Bytes } from "../types/vrf-worker.js";
+import { generateChaCha20Salt, generateEd25519Salt, init_credentialsHelpers, serializeAuthenticationCredentialWithPRF } from "./credentialsHelpers.js";
 import { executeWebAuthnWithParentFallbacksSafari } from "./WebAuthnFallbacks/safari-fallbacks.js";
+import { init_WebAuthnFallbacks } from "./WebAuthnFallbacks/index.js";
 //#region src/core/WebAuthnManager/touchIdPrompt.ts
-init_encoders();
 function isRegistrableSuffix(host, cand) {
 	if (!host || !cand) return false;
 	if (host === cand) return true;
@@ -24,184 +25,6 @@ function authenticatorsToAllowCredentials(authenticators) {
 		transports: auth.transports
 	}));
 }
-/**
-* TouchIdPrompt prompts for touchID,
-* creates credentials,
-* manages WebAuthn touchID prompts,
-* and generates credentials, and PRF Outputs
-*/
-var TouchIdPrompt = class TouchIdPrompt {
-	rpIdOverride;
-	safariGetWebauthnRegistrationFallback;
-	abortController;
-	removePageAbortHandlers;
-	removeExternalAbortListener;
-	constructor(rpIdOverride, safariGetWebauthnRegistrationFallback = false) {
-		this.rpIdOverride = rpIdOverride;
-		this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;
-	}
-	getRpId() {
-		try {
-			return resolveRpId(this.rpIdOverride, window?.location?.hostname);
-		} catch {
-			return this.rpIdOverride || "";
-		}
-	}
-	static _inIframe() {
-		try {
-			return window.self !== window.top;
-		} catch {
-			return true;
-		}
-	}
-	/**
-	* Get authentication credentials
-	* @param nearAccountId - NEAR account ID to authenticate
-	* @param challenge - VRF challenge bytes
-	* @param allowCredentials - Array of allowed credentials for authentication
-	* @returns WebAuthn credential with only the first PRF output
-	*/
-	async getAuthenticationCredentialsSerialized({ nearAccountId, challenge, allowCredentials }) {
-		const credentialMaybe = await this.getAuthenticationCredentialsInternal({
-			nearAccountId,
-			challenge,
-			allowCredentials
-		});
-		if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
-		return serializeAuthenticationCredentialWithPRF({
-			credential: credentialMaybe,
-			firstPrfOutput: true,
-			secondPrfOutput: false
-		});
-	}
-	/**
-	*  Same as getAuthenticationCredentialsSerialized but returns both PRF outputs
-	*  (PRF.first + PRF.second).
-	* @param nearAccountId - NEAR account ID to authenticate
-	* @param challenge - VRF challenge bytes
-	* @param allowCredentials - Array of allowed credentials for authentication
-	* @returns
-	*/
-	async getAuthenticationCredentialsSerializedDualPrf({ nearAccountId, challenge, allowCredentials }) {
-		const credentialMaybe = await this.getAuthenticationCredentialsInternal({
-			nearAccountId,
-			challenge,
-			allowCredentials
-		});
-		if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
-		return serializeAuthenticationCredentialWithPRF({
-			credential: credentialMaybe,
-			firstPrfOutput: true,
-			secondPrfOutput: true
-		});
-	}
-	/**
-	* Internal method for generating WebAuthn registration credentials with PRF output
-	* @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)
-	* @param challenge - Random challenge bytes for the registration ceremony
-	* @param deviceNumber - Device number for device-specific user ID.
-	* @returns Credential with PRF output
-	*/
-	async generateRegistrationCredentialsInternal({ nearAccountId, challenge, deviceNumber }) {
-		this.abortController = new AbortController();
-		this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
-		const rpId = this.getRpId();
-		const publicKey = {
-			challenge: outputAs32Bytes(challenge),
-			rp: {
-				name: "WebAuthn VRF Passkey",
-				id: rpId
-			},
-			user: {
-				id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),
-				name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),
-				displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)
-			},
-			pubKeyCredParams: [{
-				alg: -7,
-				type: "public-key"
-			}, {
-				alg: -257,
-				type: "public-key"
-			}],
-			authenticatorSelection: {
-				residentKey: "required",
-				userVerification: "preferred"
-			},
-			timeout: 6e4,
-			attestation: "none",
-			extensions: { prf: { eval: {
-				first: generateChaCha20Salt(nearAccountId),
-				second: generateEd25519Salt(nearAccountId)
-			} } }
-		};
-		try {
-			const result = await executeWebAuthnWithParentFallbacksSafari("create", publicKey, {
-				rpId,
-				inIframe: TouchIdPrompt._inIframe(),
-				timeoutMs: publicKey.timeout,
-				abortSignal: this.abortController.signal
-			});
-			return result;
-		} finally {
-			this.removePageAbortHandlers?.();
-			this.removePageAbortHandlers = void 0;
-			this.removeExternalAbortListener?.();
-			this.removeExternalAbortListener = void 0;
-			this.abortController = void 0;
-		}
-	}
-	/**
-	* Internal method for getting WebAuthn authentication credentials with PRF output
-	* @param nearAccountId - NEAR account ID to authenticate
-	* @param challenge - VRF challenge bytes to use for WebAuthn authentication
-	* @param authenticators - List of stored authenticator data for the user
-	* @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)
-	* ```ts
-	* const credential = await touchIdPrompt.getCredentials({
-	*   nearAccountId,
-	*   challenge,
-	*   authenticators,
-	* });
-	* ```
-	*/
-	async getAuthenticationCredentialsInternal({ nearAccountId, challenge, allowCredentials }) {
-		this.abortController = new AbortController();
-		this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
-		const rpId = this.getRpId();
-		const publicKey = {
-			challenge: outputAs32Bytes(challenge),
-			rpId,
-			allowCredentials: allowCredentials.map((credential) => ({
-				id: base64UrlDecode(credential.id),
-				type: "public-key",
-				transports: credential.transports
-			})),
-			userVerification: "preferred",
-			timeout: 6e4,
-			extensions: { prf: { eval: {
-				first: generateChaCha20Salt(nearAccountId),
-				second: generateEd25519Salt(nearAccountId)
-			} } }
-		};
-		try {
-			const result = await executeWebAuthnWithParentFallbacksSafari("get", publicKey, {
-				rpId,
-				inIframe: TouchIdPrompt._inIframe(),
-				timeoutMs: publicKey.timeout,
-				permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,
-				abortSignal: this.abortController.signal
-			});
-			return result;
-		} finally {
-			this.removePageAbortHandlers?.();
-			this.removePageAbortHandlers = void 0;
-			this.removeExternalAbortListener?.();
-			this.removeExternalAbortListener = void 0;
-			this.abortController = void 0;
-		}
-	}
-};
 function isSerializedAuthenticationCredential(x) {
 	if (!x || typeof x !== "object") return false;
 	const obj = x;
@@ -239,29 +62,209 @@ function generateUserFriendlyDisplayName(nearAccountId, deviceNumber) {
 	if (deviceNumber === void 0 || deviceNumber === 1) return baseUsername;
 	return `${baseUsername} (device ${deviceNumber})`;
 }
-(function(_TouchIdPrompt) {
-	function attachPageAbortHandlers(controller) {
-		const onVisibility = () => {
-			if (document.hidden) controller.abort();
-		};
-		const onPageHide = () => {
-			controller.abort();
-		};
-		const onBeforeUnload = () => {
-			controller.abort();
-		};
-		document.addEventListener("visibilitychange", onVisibility, { passive: true });
-		window.addEventListener("pagehide", onPageHide, { passive: true });
-		window.addEventListener("beforeunload", onBeforeUnload, { passive: true });
-		return () => {
-			document.removeEventListener("visibilitychange", onVisibility);
-			window.removeEventListener("pagehide", onPageHide);
-			window.removeEventListener("beforeunload", onBeforeUnload);
-		};
-	}
-	_TouchIdPrompt.attachPageAbortHandlers = attachPageAbortHandlers;
-})(TouchIdPrompt || (TouchIdPrompt = {}));
+var TouchIdPrompt;
+var init_touchIdPrompt = __esm({ "src/core/WebAuthnManager/touchIdPrompt.ts": (() => {
+	init_encoders();
+	init_vrf_worker();
+	init_credentialsHelpers();
+	init_WebAuthnFallbacks();
+	TouchIdPrompt = class TouchIdPrompt {
+		rpIdOverride;
+		safariGetWebauthnRegistrationFallback;
+		abortController;
+		removePageAbortHandlers;
+		removeExternalAbortListener;
+		constructor(rpIdOverride, safariGetWebauthnRegistrationFallback = false) {
+			this.rpIdOverride = rpIdOverride;
+			this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;
+		}
+		getRpId() {
+			try {
+				return resolveRpId(this.rpIdOverride, window?.location?.hostname);
+			} catch {
+				return this.rpIdOverride || "";
+			}
+		}
+		static _inIframe() {
+			try {
+				return window.self !== window.top;
+			} catch {
+				return true;
+			}
+		}
+		/**
+		* Get authentication credentials
+		* @param nearAccountId - NEAR account ID to authenticate
+		* @param challenge - VRF challenge bytes
+		* @param allowCredentials - Array of allowed credentials for authentication
+		* @returns WebAuthn credential with only the first PRF output
+		*/
+		async getAuthenticationCredentialsSerialized({ nearAccountId, challenge, allowCredentials }) {
+			const credentialMaybe = await this.getAuthenticationCredentialsInternal({
+				nearAccountId,
+				challenge,
+				allowCredentials
+			});
+			if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
+			return serializeAuthenticationCredentialWithPRF({
+				credential: credentialMaybe,
+				firstPrfOutput: true,
+				secondPrfOutput: false
+			});
+		}
+		/**
+		*  Same as getAuthenticationCredentialsSerialized but returns both PRF outputs
+		*  (PRF.first + PRF.second).
+		* @param nearAccountId - NEAR account ID to authenticate
+		* @param challenge - VRF challenge bytes
+		* @param allowCredentials - Array of allowed credentials for authentication
+		* @returns
+		*/
+		async getAuthenticationCredentialsSerializedDualPrf({ nearAccountId, challenge, allowCredentials }) {
+			const credentialMaybe = await this.getAuthenticationCredentialsInternal({
+				nearAccountId,
+				challenge,
+				allowCredentials
+			});
+			if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
+			return serializeAuthenticationCredentialWithPRF({
+				credential: credentialMaybe,
+				firstPrfOutput: true,
+				secondPrfOutput: true
+			});
+		}
+		/**
+		* Internal method for generating WebAuthn registration credentials with PRF output
+		* @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)
+		* @param challenge - Random challenge bytes for the registration ceremony
+		* @param deviceNumber - Device number for device-specific user ID.
+		* @returns Credential with PRF output
+		*/
+		async generateRegistrationCredentialsInternal({ nearAccountId, challenge, deviceNumber }) {
+			this.abortController = new AbortController();
+			this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
+			const rpId = this.getRpId();
+			const publicKey = {
+				challenge: outputAs32Bytes(challenge),
+				rp: {
+					name: "WebAuthn VRF Passkey",
+					id: rpId
+				},
+				user: {
+					id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),
+					name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),
+					displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)
+				},
+				pubKeyCredParams: [{
+					alg: -7,
+					type: "public-key"
+				}, {
+					alg: -257,
+					type: "public-key"
+				}],
+				authenticatorSelection: {
+					residentKey: "required",
+					userVerification: "preferred"
+				},
+				timeout: 6e4,
+				attestation: "none",
+				extensions: { prf: { eval: {
+					first: generateChaCha20Salt(nearAccountId),
+					second: generateEd25519Salt(nearAccountId)
+				} } }
+			};
+			try {
+				const result = await executeWebAuthnWithParentFallbacksSafari("create", publicKey, {
+					rpId,
+					inIframe: TouchIdPrompt._inIframe(),
+					timeoutMs: publicKey.timeout,
+					abortSignal: this.abortController.signal
+				});
+				return result;
+			} finally {
+				this.removePageAbortHandlers?.();
+				this.removePageAbortHandlers = void 0;
+				this.removeExternalAbortListener?.();
+				this.removeExternalAbortListener = void 0;
+				this.abortController = void 0;
+			}
+		}
+		/**
+		* Internal method for getting WebAuthn authentication credentials with PRF output
+		* @param nearAccountId - NEAR account ID to authenticate
+		* @param challenge - VRF challenge bytes to use for WebAuthn authentication
+		* @param authenticators - List of stored authenticator data for the user
+		* @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)
+		* ```ts
+		* const credential = await touchIdPrompt.getCredentials({
+		*   nearAccountId,
+		*   challenge,
+		*   authenticators,
+		* });
+		* ```
+		*/
+		async getAuthenticationCredentialsInternal({ nearAccountId, challenge, allowCredentials }) {
+			this.abortController = new AbortController();
+			this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
+			const rpId = this.getRpId();
+			const publicKey = {
+				challenge: outputAs32Bytes(challenge),
+				rpId,
+				allowCredentials: allowCredentials.map((credential) => ({
+					id: base64UrlDecode(credential.id),
+					type: "public-key",
+					transports: credential.transports
+				})),
+				userVerification: "preferred",
+				timeout: 6e4,
+				extensions: { prf: { eval: {
+					first: generateChaCha20Salt(nearAccountId),
+					second: generateEd25519Salt(nearAccountId)
+				} } }
+			};
+			try {
+				const result = await executeWebAuthnWithParentFallbacksSafari("get", publicKey, {
+					rpId,
+					inIframe: TouchIdPrompt._inIframe(),
+					timeoutMs: publicKey.timeout,
+					permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,
+					abortSignal: this.abortController.signal
+				});
+				return result;
+			} finally {
+				this.removePageAbortHandlers?.();
+				this.removePageAbortHandlers = void 0;
+				this.removeExternalAbortListener?.();
+				this.removeExternalAbortListener = void 0;
+				this.abortController = void 0;
+			}
+		}
+	};
+	(function(_TouchIdPrompt) {
+		function attachPageAbortHandlers(controller) {
+			const onVisibility = () => {
+				if (document.hidden) controller.abort();
+			};
+			const onPageHide = () => {
+				controller.abort();
+			};
+			const onBeforeUnload = () => {
+				controller.abort();
+			};
+			document.addEventListener("visibilitychange", onVisibility, { passive: true });
+			window.addEventListener("pagehide", onPageHide, { passive: true });
+			window.addEventListener("beforeunload", onBeforeUnload, { passive: true });
+			return () => {
+				document.removeEventListener("visibilitychange", onVisibility);
+				window.removeEventListener("pagehide", onPageHide);
+				window.removeEventListener("beforeunload", onBeforeUnload);
+			};
+		}
+		_TouchIdPrompt.attachPageAbortHandlers = attachPageAbortHandlers;
+	})(TouchIdPrompt || (TouchIdPrompt = {}));
+}) });
 //#endregion
-export { TouchIdPrompt, authenticatorsToAllowCredentials };
+init_touchIdPrompt();
+export { TouchIdPrompt, authenticatorsToAllowCredentials, init_touchIdPrompt };
 //# sourceMappingURL=touchIdPrompt.js.map

package/dist/esm/react/sdk/src/core/WebAuthnManager/touchIdPrompt.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"touchIdPrompt.js","names":["publicKey: PublicKeyCredentialCreationOptions","publicKey: PublicKeyCredentialRequestOptions"],"sources":["../../../../../../../src/core/WebAuthnManager/touchIdPrompt.ts"],"sourcesContent":["import { ClientAuthenticatorData } from '../IndexedDBManager';\nimport { base64UrlDecode } from '../../utils/encoders';\nimport { outputAs32Bytes, VRFChallenge } from '../types/vrf-worker';\nimport { serializeAuthenticationCredentialWithPRF, generateChaCha20Salt, generateEd25519Salt } from './credentialsHelpers';\nimport type {\n WebAuthnAuthenticationCredential,\n WebAuthnRegistrationCredential\n} from '../types/webauthn';\nimport { executeWebAuthnWithParentFallbacksSafari } from './WebAuthnFallbacks';\n// Local rpId policy helpers (moved back from WebAuthnFallbacks)\nfunction isRegistrableSuffix(host: string, cand: string): boolean {\n if (!host \|\| !cand) return false;\n if (host === cand) return true;\n return host.endsWith('.' + cand);\n}\n\nfunction resolveRpId(override: string \| undefined, host: string \| undefined): string {\n const h = (host \|\| '').toLowerCase();\n const ov = (override \|\| '').toLowerCase();\n if (ov && h && isRegistrableSuffix(h, ov)) return ov;\n return h \|\| ov \|\| '';\n}\n\nexport interface RegisterCredentialsArgs {\n nearAccountId: string, // NEAR account ID for PRF salts and keypair derivation (always base account)\n challenge: VRFChallenge,\n deviceNumber?: number, // Optional device number for device-specific user ID (0, 1, 2, etc.)\n}\n\nexport interface AuthenticateCredentialsArgs {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n}\n\nexport interface AllowCredential {\n id: string,\n type: string,\n transports: AuthenticatorTransport[]\n}\n\nexport function authenticatorsToAllowCredentials(\n authenticators: ClientAuthenticatorData[]\n): AllowCredential[] {\n return authenticators.map(auth => ({\n id: auth.credentialId,\n type: 'public-key',\n transports: auth.transports as AuthenticatorTransport[]\n }));\n}\n\n/*\n TouchIdPrompt prompts for touchID,\n * creates credentials,\n * manages WebAuthn touchID prompts,\n * and generates credentials, and PRF Outputs\n /\nexport class TouchIdPrompt {\n private rpIdOverride?: string;\n private safariGetWebauthnRegistrationFallback: boolean;\n // create() only: internal abort controller + cleanup hooks\n private abortController?: AbortController;\n private removePageAbortHandlers?: () => void;\n private removeExternalAbortListener?: () => void;\n\n constructor(rpIdOverride?: string, safariGetWebauthnRegistrationFallback = false) {\n this.rpIdOverride = rpIdOverride;\n this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;\n }\n\n getRpId(): string {\n try {\n return resolveRpId(this.rpIdOverride, window?.location?.hostname);\n } catch {\n return this.rpIdOverride \|\| '';\n }\n }\n\n // Utility helpers for cross‑origin fallback\n private static _inIframe(): boolean {\n try { return window.self !== window.top; } catch { return true; }\n }\n\n /\n Get authentication credentials\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns WebAuthn credential with only the first PRF output\n /\n async getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string\n challenge: VRFChallenge\n allowCredentials: AllowCredential[]\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: false,\n })\n }\n\n /\n Same as getAuthenticationCredentialsSerialized but returns both PRF outputs\n * (PRF.first + PRF.second).\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns\n /\n async getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: true,\n });\n }\n\n /\n Internal method for generating WebAuthn registration credentials with PRF output\n * @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)\n * @param challenge - Random challenge bytes for the registration ceremony\n * @param deviceNumber - Device number for device-specific user ID.\n * @returns Credential with PRF output\n /\n async generateRegistrationCredentialsInternal({\n nearAccountId,\n challenge,\n deviceNumber,\n }: RegisterCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per create() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialCreationOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rp: {\n name: 'WebAuthn VRF Passkey',\n id: rpId\n },\n user: {\n id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),\n name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),\n displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)\n },\n pubKeyCredParams: [\n { alg: -7, type: 'public-key' },\n { alg: -257, type: 'public-key' }\n ],\n authenticatorSelection: {\n residentKey: 'required',\n userVerification: 'preferred'\n },\n timeout: 60000,\n attestation: 'none',\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n },\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('create', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number \| undefined,\n // Pass AbortSignal through when supported; Safari bridge path may ignore it.\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n\n /\n Internal method for getting WebAuthn authentication credentials with PRF output\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes to use for WebAuthn authentication\n * @param authenticators - List of stored authenticator data for the user\n * @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)\n * ```ts\n * const credential = await touchIdPrompt.getCredentials({\n * nearAccountId,\n * challenge,\n * authenticators,\n * });\n * ```\n /\n async getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n }: AuthenticateCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per get() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialRequestOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rpId,\n allowCredentials: allowCredentials.map((credential) => ({\n id: base64UrlDecode(credential.id) as BufferSource,\n type: 'public-key' as PublicKeyCredentialType,\n transports: credential.transports,\n })),\n userVerification: 'preferred' as UserVerificationRequirement,\n timeout: 60000,\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n }\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('get', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number \| undefined,\n permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n}\n\n// Type guard for already-serialized authentication credential\nfunction isSerializedAuthenticationCredential(x: unknown): x is WebAuthnAuthenticationCredential {\n if (!x \|\| typeof x !== 'object') return false;\n const obj = x as { response?: unknown };\n const resp = obj.response as { authenticatorData?: unknown } \| undefined;\n return typeof resp?.authenticatorData === 'string';\n}\n\n/\n Generate device-specific user ID to prevent Chrome sync conflicts\n * Creates technical identifiers with full account context\n \n @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns Technical identifier:\n * - Device 1: \"serp120.web3-authn.testnet\"\n * - Device 2: \"serp120.web3-authn.testnet (2)\"\n * - Device 3: \"serp120.web3-authn.testnet (3)\"\n /\nexport function generateDeviceSpecificUserId(nearAccountId: string, deviceNumber?: number): string {\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined \|\| deviceNumber === 1) {\n return nearAccountId;\n }\n // For additional devices, add device number in parentheses\n return `${nearAccountId} (${deviceNumber})`;\n}\n\n/\n Generate user-friendly display name for passkey manager UI\n * Creates clean, intuitive names that users will see\n \n @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns User-friendly display name:\n * - Device 1: \"serp120\"\n * - Device 2: \"serp120 (device 2)\"\n * - Device 3: \"serp120 (device 3)\"\n */\nfunction generateUserFriendlyDisplayName(nearAccountId: string, deviceNumber?: number): string {\n // Extract the base username (everything before the first dot)\n const baseUsername = nearAccountId.split('.')[0];\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined \|\| deviceNumber === 1) {\n return baseUsername;\n }\n // For additional devices, add device number with friendly label\n return `${baseUsername} (device ${deviceNumber})`;\n}\n\n// Abort native WebAuthn when page is being hidden or unloaded\n// Centralized here to keep WebAuthn lifecycle concerns alongside native calls.\nexport namespace TouchIdPrompt {\n export function attachPageAbortHandlers(controller: AbortController): () => void {\n const onVisibility = () => { if (document.hidden) controller.abort(); };\n const onPageHide = () => { controller.abort(); };\n const onBeforeUnload = () => { controller.abort(); };\n document.addEventListener('visibilitychange', onVisibility, { passive: true });\n window.addEventListener('pagehide', onPageHide, { passive: true });\n window.addEventListener('beforeunload', onBeforeUnload, { passive: true });\n return () => {\n document.removeEventListener('visibilitychange', onVisibility);\n window.removeEventListener('pagehide', onPageHide);\n window.removeEventListener('beforeunload', onBeforeUnload);\n };\n }\n}\n"],"mappings":";;;;;;;;AAUA,SAAS,oBAAoB,MAAc,MAAuB;AAChE,KAAI,CAAC,QAAQ,CAAC,KAAM,QAAO;AAC3B,KAAI,SAAS,KAAM,QAAO;AAC1B,QAAO,KAAK,SAAS,MAAM;;AAG7B,SAAS,YAAY,UAA8B,MAAkC;CACnF,MAAM,KAAK,QAAQ,IAAI;CACvB,MAAM,MAAM,YAAY,IAAI;AAC5B,KAAI,MAAM,KAAK,oBAAoB,GAAG,IAAK,QAAO;AAClD,QAAO,KAAK,MAAM;;AAqBpB,SAAgB,iCACd,gBACmB;AACnB,QAAO,eAAe,KAAI,UAAS;EACjC,IAAI,KAAK;EACT,MAAM;EACN,YAAY,KAAK;;;;;;;;;AAUrB,IAAa,gBAAb,MAAa,cAAc;CACzB,AAAQ;CACR,AAAQ;CAER,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,cAAuB,wCAAwC,OAAO;AAChF,OAAK,eAAe;AACpB,OAAK,wCAAwC,0CAA0C;;CAGzF,UAAkB;AAChB,MAAI;AACF,UAAO,YAAY,KAAK,cAAc,QAAQ,UAAU;UAClD;AACN,UAAO,KAAK,gBAAgB;;;CAKhC,OAAe,YAAqB;AAClC,MAAI;AAAE,UAAO,OAAO,SAAS,OAAO;UAAa;AAAE,UAAO;;;;;;;;;;CAU5D,MAAM,uCAAuC,EAC3C,eACA,WACA,oBAK4C;EAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;GACvE;GACA;GACA;;AAGF,MAAI,qCAAqC,iBACvC,QAAO;AAET,SAAO,yCAAyC;GAC9C,YAAY;GACZ,gBAAgB;GAChB,iBAAiB;;;;;;;;;;;CAYrB,MAAM,8CAA8C,EAClD,eACA,WACA,oBAK4C;EAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;GACvE;GACA;GACA;;AAGF,MAAI,qCAAqC,iBACvC,QAAO;AAET,SAAO,yCAAyC;GAC9C,YAAY;GACZ,gBAAgB;GAChB,iBAAiB;;;;;;;;;;CAWrB,MAAM,wCAAwC,EAC5C,eACA,WACA,gBACwD;AAExD,OAAK,kBAAkB,IAAI;AAC3B,OAAK,0BAA0B,cAAc,wBAAwB,KAAK;EAE1E,MAAM,OAAO,KAAK;EAClB,MAAMA,YAAgD;GACpD,WAAW,gBAAgB;GAC3B,IAAI;IACF,MAAM;IACN,IAAI;;GAEN,MAAM;IACJ,IAAI,IAAI,cAAc,OAAO,6BAA6B,eAAe;IACzE,MAAM,6BAA6B,eAAe;IAClD,aAAa,gCAAgC,eAAe;;GAE9D,kBAAkB,CAChB;IAAE,KAAK;IAAI,MAAM;MACjB;IAAE,KAAK;IAAM,MAAM;;GAErB,wBAAwB;IACtB,aAAa;IACb,kBAAkB;;GAEpB,SAAS;GACT,aAAa;GACb,YAAY,EACV,KAAK,EACH,MAAM;IAEJ,OAAO,qBAAqB;IAC5B,QAAQ,oBAAoB;;;AAKpC,MAAI;GACF,MAAM,SAAS,MAAM,yCAAyC,UAAU,WAAW;IACjF;IACA,UAAU,cAAc;IACxB,WAAW,UAAU;IAErB,aAAa,KAAK,gBAAgB;;AAEpC,UAAO;YACC;AACR,QAAK;AACL,QAAK,0BAA0B;AAC/B,QAAK;AACL,QAAK,8BAA8B;AACnC,QAAK,kBAAkB;;;;;;;;;;;;;;;;;CAkB3B,MAAM,qCAAqC,EACzC,eACA,WACA,oBAC4D;AAE5D,OAAK,kBAAkB,IAAI;AAC3B,OAAK,0BAA0B,cAAc,wBAAwB,KAAK;EAE1E,MAAM,OAAO,KAAK;EAClB,MAAMC,YAA+C;GACnD,WAAW,gBAAgB;GAC3B;GACA,kBAAkB,iBAAiB,KAAK,gBAAgB;IACtD,IAAI,gBAAgB,WAAW;IAC/B,MAAM;IACN,YAAY,WAAW;;GAEzB,kBAAkB;GAClB,SAAS;GACT,YAAY,EACV,KAAK,EACH,MAAM;IAEJ,OAAO,qBAAqB;IAC5B,QAAQ,oBAAoB;;;AAKpC,MAAI;GACF,MAAM,SAAS,MAAM,yCAAyC,OAAO,WAAW;IAC9E;IACA,UAAU,cAAc;IACxB,WAAW,UAAU;IACrB,gCAAgC,KAAK;IACrC,aAAa,KAAK,gBAAgB;;AAEpC,UAAO;YACC;AACR,QAAK;AACL,QAAK,0BAA0B;AAC/B,QAAK;AACL,QAAK,8BAA8B;AACnC,QAAK,kBAAkB;;;;AAM7B,SAAS,qCAAqC,GAAmD;AAC/F,KAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;CACxC,MAAM,MAAM;CACZ,MAAM,OAAO,IAAI;AACjB,QAAO,OAAO,MAAM,sBAAsB;;;;;;;;;;;;;AAc5C,SAAgB,6BAA6B,eAAuB,cAA+B;AAEjG,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,cAAc,IAAI,aAAa;;;;;;;;;;;;;AAc3C,SAAS,gCAAgC,eAAuB,cAA+B;CAE7F,MAAM,eAAe,cAAc,MAAM,KAAK;AAE9C,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,aAAa,WAAW,aAAa;;;CAMxC,SAAS,wBAAwB,YAAyC;EAC/E,MAAM,qBAAqB;AAAE,OAAI,SAAS,OAAQ,YAAW;;EAC7D,MAAM,mBAAmB;AAAE,cAAW;;EACtC,MAAM,uBAAuB;AAAE,cAAW;;AAC1C,WAAS,iBAAiB,oBAAoB,cAAc,EAAE,SAAS;AACvE,SAAO,iBAAiB,YAAY,YAAY,EAAE,SAAS;AAC3D,SAAO,iBAAiB,gBAAgB,gBAAgB,EAAE,SAAS;AACnE,eAAa;AACX,YAAS,oBAAoB,oBAAoB;AACjD,UAAO,oBAAoB,YAAY;AACvC,UAAO,oBAAoB,gBAAgB"}
1	+ {"version":3,"file":"touchIdPrompt.js","names":["publicKey: PublicKeyCredentialCreationOptions","publicKey: PublicKeyCredentialRequestOptions"],"sources":["../../../../../../../src/core/WebAuthnManager/touchIdPrompt.ts"],"sourcesContent":["import { ClientAuthenticatorData } from '../IndexedDBManager';\nimport { base64UrlDecode } from '../../utils/encoders';\nimport { outputAs32Bytes, VRFChallenge } from '../types/vrf-worker';\nimport { serializeAuthenticationCredentialWithPRF, generateChaCha20Salt, generateEd25519Salt } from './credentialsHelpers';\nimport type {\n WebAuthnAuthenticationCredential,\n WebAuthnRegistrationCredential\n} from '../types/webauthn';\nimport { executeWebAuthnWithParentFallbacksSafari } from './WebAuthnFallbacks';\n// Local rpId policy helpers (moved back from WebAuthnFallbacks)\nfunction isRegistrableSuffix(host: string, cand: string): boolean {\n if (!host \|\| !cand) return false;\n if (host === cand) return true;\n return host.endsWith('.' + cand);\n}\n\nfunction resolveRpId(override: string \| undefined, host: string \| undefined): string {\n const h = (host \|\| '').toLowerCase();\n const ov = (override \|\| '').toLowerCase();\n if (ov && h && isRegistrableSuffix(h, ov)) return ov;\n return h \|\| ov \|\| '';\n}\n\nexport interface RegisterCredentialsArgs {\n nearAccountId: string, // NEAR account ID for PRF salts and keypair derivation (always base account)\n challenge: VRFChallenge,\n deviceNumber?: number, // Optional device number for device-specific user ID (0, 1, 2, etc.)\n}\n\nexport interface AuthenticateCredentialsArgs {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n}\n\nexport interface AllowCredential {\n id: string,\n type: string,\n transports: AuthenticatorTransport[]\n}\n\nexport function authenticatorsToAllowCredentials(\n authenticators: ClientAuthenticatorData[]\n): AllowCredential[] {\n return authenticators.map(auth => ({\n id: auth.credentialId,\n type: 'public-key',\n transports: auth.transports as AuthenticatorTransport[]\n }));\n}\n\n/*\n TouchIdPrompt prompts for touchID,\n * creates credentials,\n * manages WebAuthn touchID prompts,\n * and generates credentials, and PRF Outputs\n /\nexport class TouchIdPrompt {\n private rpIdOverride?: string;\n private safariGetWebauthnRegistrationFallback: boolean;\n // create() only: internal abort controller + cleanup hooks\n private abortController?: AbortController;\n private removePageAbortHandlers?: () => void;\n private removeExternalAbortListener?: () => void;\n\n constructor(rpIdOverride?: string, safariGetWebauthnRegistrationFallback = false) {\n this.rpIdOverride = rpIdOverride;\n this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;\n }\n\n getRpId(): string {\n try {\n return resolveRpId(this.rpIdOverride, window?.location?.hostname);\n } catch {\n return this.rpIdOverride \|\| '';\n }\n }\n\n // Utility helpers for cross‑origin fallback\n private static _inIframe(): boolean {\n try { return window.self !== window.top; } catch { return true; }\n }\n\n /\n Get authentication credentials\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns WebAuthn credential with only the first PRF output\n /\n async getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string\n challenge: VRFChallenge\n allowCredentials: AllowCredential[]\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: false,\n })\n }\n\n /\n Same as getAuthenticationCredentialsSerialized but returns both PRF outputs\n * (PRF.first + PRF.second).\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns\n /\n async getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: true,\n });\n }\n\n /\n Internal method for generating WebAuthn registration credentials with PRF output\n * @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)\n * @param challenge - Random challenge bytes for the registration ceremony\n * @param deviceNumber - Device number for device-specific user ID.\n * @returns Credential with PRF output\n /\n async generateRegistrationCredentialsInternal({\n nearAccountId,\n challenge,\n deviceNumber,\n }: RegisterCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per create() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialCreationOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rp: {\n name: 'WebAuthn VRF Passkey',\n id: rpId\n },\n user: {\n id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),\n name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),\n displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)\n },\n pubKeyCredParams: [\n { alg: -7, type: 'public-key' },\n { alg: -257, type: 'public-key' }\n ],\n authenticatorSelection: {\n residentKey: 'required',\n userVerification: 'preferred'\n },\n timeout: 60000,\n attestation: 'none',\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n },\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('create', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number \| undefined,\n // Pass AbortSignal through when supported; Safari bridge path may ignore it.\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n\n /\n Internal method for getting WebAuthn authentication credentials with PRF output\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes to use for WebAuthn authentication\n * @param authenticators - List of stored authenticator data for the user\n * @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)\n * ```ts\n * const credential = await touchIdPrompt.getCredentials({\n * nearAccountId,\n * challenge,\n * authenticators,\n * });\n * ```\n /\n async getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n }: AuthenticateCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per get() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialRequestOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rpId,\n allowCredentials: allowCredentials.map((credential) => ({\n id: base64UrlDecode(credential.id) as BufferSource,\n type: 'public-key' as PublicKeyCredentialType,\n transports: credential.transports,\n })),\n userVerification: 'preferred' as UserVerificationRequirement,\n timeout: 60000,\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n }\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('get', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number \| undefined,\n permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n}\n\n// Type guard for already-serialized authentication credential\nfunction isSerializedAuthenticationCredential(x: unknown): x is WebAuthnAuthenticationCredential {\n if (!x \|\| typeof x !== 'object') return false;\n const obj = x as { response?: unknown };\n const resp = obj.response as { authenticatorData?: unknown } \| undefined;\n return typeof resp?.authenticatorData === 'string';\n}\n\n/\n Generate device-specific user ID to prevent Chrome sync conflicts\n * Creates technical identifiers with full account context\n \n @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns Technical identifier:\n * - Device 1: \"serp120.web3-authn.testnet\"\n * - Device 2: \"serp120.web3-authn.testnet (2)\"\n * - Device 3: \"serp120.web3-authn.testnet (3)\"\n /\nexport function generateDeviceSpecificUserId(nearAccountId: string, deviceNumber?: number): string {\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined \|\| deviceNumber === 1) {\n return nearAccountId;\n }\n // For additional devices, add device number in parentheses\n return `${nearAccountId} (${deviceNumber})`;\n}\n\n/\n Generate user-friendly display name for passkey manager UI\n * Creates clean, intuitive names that users will see\n \n @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns User-friendly display name:\n * - Device 1: \"serp120\"\n * - Device 2: \"serp120 (device 2)\"\n * - Device 3: \"serp120 (device 3)\"\n */\nfunction generateUserFriendlyDisplayName(nearAccountId: string, deviceNumber?: number): string {\n // Extract the base username (everything before the first dot)\n const baseUsername = nearAccountId.split('.')[0];\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined \|\| deviceNumber === 1) {\n return baseUsername;\n }\n // For additional devices, add device number with friendly label\n return `${baseUsername} (device ${deviceNumber})`;\n}\n\n// Abort native WebAuthn when page is being hidden or unloaded\n// Centralized here to keep WebAuthn lifecycle concerns alongside native calls.\nexport namespace TouchIdPrompt {\n export function attachPageAbortHandlers(controller: AbortController): () => void {\n const onVisibility = () => { if (document.hidden) controller.abort(); };\n const onPageHide = () => { controller.abort(); };\n const onBeforeUnload = () => { controller.abort(); };\n document.addEventListener('visibilitychange', onVisibility, { passive: true });\n window.addEventListener('pagehide', onPageHide, { passive: true });\n window.addEventListener('beforeunload', onBeforeUnload, { passive: true });\n return () => {\n document.removeEventListener('visibilitychange', onVisibility);\n window.removeEventListener('pagehide', onPageHide);\n window.removeEventListener('beforeunload', onBeforeUnload);\n };\n }\n}\n"],"mappings":";;;;;;;;;AAUA,SAAS,oBAAoB,MAAc,MAAuB;AAChE,KAAI,CAAC,QAAQ,CAAC,KAAM,QAAO;AAC3B,KAAI,SAAS,KAAM,QAAO;AAC1B,QAAO,KAAK,SAAS,MAAM;;AAG7B,SAAS,YAAY,UAA8B,MAAkC;CACnF,MAAM,KAAK,QAAQ,IAAI;CACvB,MAAM,MAAM,YAAY,IAAI;AAC5B,KAAI,MAAM,KAAK,oBAAoB,GAAG,IAAK,QAAO;AAClD,QAAO,KAAK,MAAM;;AAqBpB,SAAgB,iCACd,gBACmB;AACnB,QAAO,eAAe,KAAI,UAAS;EACjC,IAAI,KAAK;EACT,MAAM;EACN,YAAY,KAAK;;;AAuOrB,SAAS,qCAAqC,GAAmD;AAC/F,KAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;CACxC,MAAM,MAAM;CACZ,MAAM,OAAO,IAAI;AACjB,QAAO,OAAO,MAAM,sBAAsB;;;;;;;;;;;;;AAc5C,SAAgB,6BAA6B,eAAuB,cAA+B;AAEjG,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,cAAc,IAAI,aAAa;;;;;;;;;;;;;AAc3C,SAAS,gCAAgC,eAAuB,cAA+B;CAE7F,MAAM,eAAe,cAAc,MAAM,KAAK;AAE9C,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,aAAa,WAAW,aAAa;;;;;;;;CA3QpC,gBAAb,MAAa,cAAc;EACzB,AAAQ;EACR,AAAQ;EAER,AAAQ;EACR,AAAQ;EACR,AAAQ;EAER,YAAY,cAAuB,wCAAwC,OAAO;AAChF,QAAK,eAAe;AACpB,QAAK,wCAAwC,0CAA0C;;EAGzF,UAAkB;AAChB,OAAI;AACF,WAAO,YAAY,KAAK,cAAc,QAAQ,UAAU;WAClD;AACN,WAAO,KAAK,gBAAgB;;;EAKhC,OAAe,YAAqB;AAClC,OAAI;AAAE,WAAO,OAAO,SAAS,OAAO;WAAa;AAAE,WAAO;;;;;;;;;;EAU5D,MAAM,uCAAuC,EAC3C,eACA,WACA,oBAK4C;GAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;IACvE;IACA;IACA;;AAGF,OAAI,qCAAqC,iBACvC,QAAO;AAET,UAAO,yCAAyC;IAC9C,YAAY;IACZ,gBAAgB;IAChB,iBAAiB;;;;;;;;;;;EAYrB,MAAM,8CAA8C,EAClD,eACA,WACA,oBAK4C;GAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;IACvE;IACA;IACA;;AAGF,OAAI,qCAAqC,iBACvC,QAAO;AAET,UAAO,yCAAyC;IAC9C,YAAY;IACZ,gBAAgB;IAChB,iBAAiB;;;;;;;;;;EAWrB,MAAM,wCAAwC,EAC5C,eACA,WACA,gBACwD;AAExD,QAAK,kBAAkB,IAAI;AAC3B,QAAK,0BAA0B,cAAc,wBAAwB,KAAK;GAE1E,MAAM,OAAO,KAAK;GAClB,MAAMA,YAAgD;IACpD,WAAW,gBAAgB;IAC3B,IAAI;KACF,MAAM;KACN,IAAI;;IAEN,MAAM;KACJ,IAAI,IAAI,cAAc,OAAO,6BAA6B,eAAe;KACzE,MAAM,6BAA6B,eAAe;KAClD,aAAa,gCAAgC,eAAe;;IAE9D,kBAAkB,CAChB;KAAE,KAAK;KAAI,MAAM;OACjB;KAAE,KAAK;KAAM,MAAM;;IAErB,wBAAwB;KACtB,aAAa;KACb,kBAAkB;;IAEpB,SAAS;IACT,aAAa;IACb,YAAY,EACV,KAAK,EACH,MAAM;KAEJ,OAAO,qBAAqB;KAC5B,QAAQ,oBAAoB;;;AAKpC,OAAI;IACF,MAAM,SAAS,MAAM,yCAAyC,UAAU,WAAW;KACjF;KACA,UAAU,cAAc;KACxB,WAAW,UAAU;KAErB,aAAa,KAAK,gBAAgB;;AAEpC,WAAO;aACC;AACR,SAAK;AACL,SAAK,0BAA0B;AAC/B,SAAK;AACL,SAAK,8BAA8B;AACnC,SAAK,kBAAkB;;;;;;;;;;;;;;;;;EAkB3B,MAAM,qCAAqC,EACzC,eACA,WACA,oBAC4D;AAE5D,QAAK,kBAAkB,IAAI;AAC3B,QAAK,0BAA0B,cAAc,wBAAwB,KAAK;GAE1E,MAAM,OAAO,KAAK;GAClB,MAAMC,YAA+C;IACnD,WAAW,gBAAgB;IAC3B;IACA,kBAAkB,iBAAiB,KAAK,gBAAgB;KACtD,IAAI,gBAAgB,WAAW;KAC/B,MAAM;KACN,YAAY,WAAW;;IAEzB,kBAAkB;IAClB,SAAS;IACT,YAAY,EACV,KAAK,EACH,MAAM;KAEJ,OAAO,qBAAqB;KAC5B,QAAQ,oBAAoB;;;AAKpC,OAAI;IACF,MAAM,SAAS,MAAM,yCAAyC,OAAO,WAAW;KAC9E;KACA,UAAU,cAAc;KACxB,WAAW,UAAU;KACrB,gCAAgC,KAAK;KACrC,aAAa,KAAK,gBAAgB;;AAEpC,WAAO;aACC;AACR,SAAK;AACL,SAAK,0BAA0B;AAC/B,SAAK;AACL,SAAK,8BAA8B;AACnC,SAAK,kBAAkB;;;;AAyDtB;EACE,SAAS,wBAAwB,YAAyC;GAC/E,MAAM,qBAAqB;AAAE,QAAI,SAAS,OAAQ,YAAW;;GAC7D,MAAM,mBAAmB;AAAE,eAAW;;GACtC,MAAM,uBAAuB;AAAE,eAAW;;AAC1C,YAAS,iBAAiB,oBAAoB,cAAc,EAAE,SAAS;AACvE,UAAO,iBAAiB,YAAY,YAAY,EAAE,SAAS;AAC3D,UAAO,iBAAiB,gBAAgB,gBAAgB,EAAE,SAAS;AACnE,gBAAa;AACX,aAAS,oBAAoB,oBAAoB;AACjD,WAAO,oBAAoB,YAAY;AACvC,WAAO,oBAAoB,gBAAgB"}

package/dist/esm/react/sdk/src/core/WebAuthnManager/userHandle.js CHANGED Viewed

@@ -1,8 +1,9 @@
 import { init_validation, validateNearAccountId } from "../../utils/validation.js";
 import { base64UrlDecode } from "../../utils/base64.js";
-import "../../utils/index.js";
+import { init_utils } from "../../utils/index.js";
 //#region src/core/WebAuthnManager/userHandle.ts
+init_utils();
 init_validation();
 /**
 * Parse a WebAuthn userHandle into a NEAR account ID.

package/dist/esm/react/sdk/src/core/WebAuthnManager/userHandle.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"userHandle.js","names":["bytes: Uint8Array \| null"],"sources":["../../../../../../../src/core/WebAuthnManager/userHandle.ts"],"sourcesContent":["import { base64UrlDecode } from '../../utils';\nimport { validateNearAccountId } from '../../utils/validation';\n\n/*\n Parse a WebAuthn userHandle into a NEAR account ID.\n * Accepts either a base64url string (serialized) or an ArrayBuffer-like value.\n * Strips optional device suffixes like \" (2)\" appended during registration.\n * Returns a validated account ID string or null if invalid/unavailable.\n */\nexport function parseAccountIdFromUserHandle(userHandle: unknown): string \| null {\n try {\n let bytes: Uint8Array \| null = null;\n if (typeof userHandle === 'string' && userHandle.length > 0) {\n try { bytes = base64UrlDecode(userHandle); } catch { bytes = null; }\n } else if (userHandle && typeof (userHandle as any).byteLength === 'number') {\n try { bytes = new Uint8Array(userHandle as ArrayBuffer); } catch { bytes = null; }\n }\n if (!bytes \|\| bytes.byteLength === 0) return null;\n\n const decoded = new TextDecoder().decode(bytes);\n const base = decoded.replace(/ \$\\d+\$$/g, '');\n return validateNearAccountId(base).valid ? base : null;\n } catch {\n return null;\n }\n}\n\n"],"mappings":"~~;;;;;;;;;;;;~~AASA,SAAgB,6BAA6B,YAAoC;AAC/E,KAAI;EACF,IAAIA,QAA2B;AAC/B,MAAI,OAAO,eAAe,YAAY,WAAW,SAAS,EACxD,KAAI;AAAE,WAAQ,gBAAgB;UAAqB;AAAE,WAAQ;;WACpD,cAAc,OAAQ,WAAmB,eAAe,SACjE,KAAI;AAAE,WAAQ,IAAI,WAAW;UAAoC;AAAE,WAAQ;;AAE7E,MAAI,CAAC,SAAS,MAAM,eAAe,EAAG,QAAO;EAE7C,MAAM,UAAU,IAAI,cAAc,OAAO;EACzC,MAAM,OAAO,QAAQ,QAAQ,cAAc;AAC3C,SAAO,sBAAsB,MAAM,QAAQ,OAAO;SAC5C;AACN,SAAO"}
1	+ {"version":3,"file":"userHandle.js","names":["bytes: Uint8Array \| null"],"sources":["../../../../../../../src/core/WebAuthnManager/userHandle.ts"],"sourcesContent":["import { base64UrlDecode } from '../../utils';\nimport { validateNearAccountId } from '../../utils/validation';\n\n/*\n Parse a WebAuthn userHandle into a NEAR account ID.\n * Accepts either a base64url string (serialized) or an ArrayBuffer-like value.\n * Strips optional device suffixes like \" (2)\" appended during registration.\n * Returns a validated account ID string or null if invalid/unavailable.\n */\nexport function parseAccountIdFromUserHandle(userHandle: unknown): string \| null {\n try {\n let bytes: Uint8Array \| null = null;\n if (typeof userHandle === 'string' && userHandle.length > 0) {\n try { bytes = base64UrlDecode(userHandle); } catch { bytes = null; }\n } else if (userHandle && typeof (userHandle as any).byteLength === 'number') {\n try { bytes = new Uint8Array(userHandle as ArrayBuffer); } catch { bytes = null; }\n }\n if (!bytes \|\| bytes.byteLength === 0) return null;\n\n const decoded = new TextDecoder().decode(bytes);\n const base = decoded.replace(/ \$\\d+\$$/g, '');\n return validateNearAccountId(base).valid ? base : null;\n } catch {\n return null;\n }\n}\n\n"],"mappings":";;;;;;;;;;;;;AASA,SAAgB,6BAA6B,YAAoC;AAC/E,KAAI;EACF,IAAIA,QAA2B;AAC/B,MAAI,OAAO,eAAe,YAAY,WAAW,SAAS,EACxD,KAAI;AAAE,WAAQ,gBAAgB;UAAqB;AAAE,WAAQ;;WACpD,cAAc,OAAQ,WAAmB,eAAe,SACjE,KAAI;AAAE,WAAQ,IAAI,WAAW;UAAoC;AAAE,WAAQ;;AAE7E,MAAI,CAAC,SAAS,MAAM,eAAe,EAAG,QAAO;EAE7C,MAAM,UAAU,IAAI,cAAc,OAAO;EACzC,MAAM,OAAO,QAAQ,QAAQ,cAAc;AAC3C,SAAO,sBAAsB,MAAM,QAAQ,OAAO;SAC5C;AACN,SAAO"}

package/dist/esm/react/sdk/src/core/defaultConfigs.js CHANGED Viewed

@@ -54,7 +54,7 @@ function buildConfigsFromEnv(overrides = {}) {
 var PASSKEY_MANAGER_DEFAULT_CONFIGS, DEFAULT_EMAIL_RECOVERY_CONTRACTS;
 var init_defaultConfigs = __esm({ "src/core/defaultConfigs.ts": (() => {
 	PASSKEY_MANAGER_DEFAULT_CONFIGS = {
-		nearRpcUrl: "https://test.rpc.fastnear.com",
+		nearRpcUrl: "https://test.rpc.fastnear.com, https://rpc.testnet.near.org",
 		nearNetwork: "testnet",
 		contractId: "w3a-v1.testnet",
 		nearExplorerUrl: "https://testnet.nearblocks.io",

package/dist/esm/react/sdk/src/core/defaultConfigs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"defaultConfigs.js","names":["merged: TatchiConfigs","PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs","DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts"],"sources":["../../../../../../src/core/defaultConfigs.ts"],"sourcesContent":["import type { EmailRecoveryContracts, TatchiConfigs, TatchiConfigsInput } from './types/tatchi';\n\n// Default SDK configs suitable for local dev.\n// Cross-origin wallet isolation is recommended; set iframeWallet in your app config when you have a dedicated origin.\n// Consumers can shallow-merge overrides by field.\n\nexport const PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs = {\n // You can provide a single URL or a comma-separated list for failover.\n // First URL is treated as primary, subsequent URLs are fallbacks.\n // nearRpcUrl: 'https://rpc.testnet.near.org',\n nearRpcUrl: 'https://test.rpc.fastnear.com',\n nearNetwork: 'testnet',\n contractId: 'w3a-v1.testnet',\n nearExplorerUrl: 'https://testnet.nearblocks.io',\n // Warm signing session defaults used by login/unlock flows.\n // Enforcement (TTL/uses) is owned by the VRF worker; signer workers remain one-shot.\n signingSessionDefaults: {\n ttlMs: 0, // 0 minutes\n remainingUses: 0, // default to requiring a touchID prompt for each transaction\n },\n relayer: {\n // accountId: 'w3a-v1.testnet',\n // No default relayer URL. Force apps to configure via env/overrides.\n // Using an empty string triggers early validation errors in code paths that require it.\n url: '',\n delegateActionRoute: '/signed-delegate',\n emailRecovery: {\n // Require at least 0.01 NEAR available to start email recovery.\n minBalanceYocto: '10000000000000000000000', // 0.01 NEAR\n // Poll every 4 seconds for verification status / access key.\n pollingIntervalMs: 4000,\n // Stop polling after 30 minutes.\n maxPollingDurationMs: 30 * 60 * 1000,\n // Expire pending recovery records after 30 minutes.\n pendingTtlMs: 30 * 60 * 1000,\n // Default recovery mailbox for examples / docs.\n mailtoAddress: 'recover@web3authn.org',\n // EmailDKIMVerifier contract that stores verification results.\n dkimVerifierAccountId: 'email-dkim-verifier-v1.testnet',\n // View method used to fetch VerificationResult by request_id.\n verificationViewMethod: 'get_verification_result',\n },\n },\n vrfWorkerConfigs: {\n shamir3pass: {\n // default Shamir's P in vrf-wasm-worker, needs to match relay server's Shamir P\n p: '3N5w46AIGjGT2v5Vua_TMD5Ywfa9U2F7-WzW8SNDsIM',\n // No default relay server URL to avoid accidental localhost usage in non-dev envs\n // Defaults to relayer.url when undefined\n relayServerUrl: '',\n applyServerLockRoute: '/vrf/apply-server-lock',\n removeServerLockRoute: '/vrf/remove-server-lock',\n }\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: 'w3a-email-recoverer-v1.testnet',\n zkEmailVerifierContract: 'zk-email-verifier-v1.testnet',\n emailDkimVerifierContract: 'email-dkim-verifier-v1.testnet',\n },\n // Configure iframeWallet in application code to point at your dedicated wallet origin when available.\n iframeWallet: {\n walletOrigin: 'https://wallet.example.localhost',\n walletServicePath: '/wallet-service',\n sdkBasePath: '/sdk',\n rpIdOverride: 'example.localhost',\n }\n};\n\nexport const DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts = {\n emailRecovererGlobalContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n zkEmailVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.zkEmailVerifierContract,\n emailDkimVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n};\n\n// Merge defaults with overrides\nexport function buildConfigsFromEnv(overrides: TatchiConfigsInput = {}): TatchiConfigs {\n\n const defaults = PASSKEY_MANAGER_DEFAULT_CONFIGS;\n const relayerUrl = overrides.relayer?.url ?? defaults.relayer?.url ?? '';\n // Prefer explicit override for relayer URL; fall back to default preset.\n // Used below to default VRF relayServerUrl when it is undefined.\n const relayServerUrlDefault = relayerUrl;\n\n const merged: TatchiConfigs = {\n nearRpcUrl: overrides.nearRpcUrl ?? defaults.nearRpcUrl,\n nearNetwork: overrides.nearNetwork ?? defaults.nearNetwork,\n contractId: overrides.contractId ?? defaults.contractId,\n nearExplorerUrl: overrides.nearExplorerUrl ?? defaults.nearExplorerUrl,\n walletTheme: overrides.walletTheme ?? defaults.walletTheme,\n signingSessionDefaults: {\n ttlMs: overrides.signingSessionDefaults?.ttlMs\n ?? defaults.signingSessionDefaults?.ttlMs,\n remainingUses: overrides.signingSessionDefaults?.remainingUses\n ?? defaults.signingSessionDefaults?.remainingUses,\n },\n relayer: {\n url: relayerUrl,\n delegateActionRoute: overrides.relayer?.delegateActionRoute\n ?? defaults.relayer?.delegateActionRoute,\n emailRecovery: {\n minBalanceYocto: overrides.relayer?.emailRecovery?.minBalanceYocto\n ?? defaults.relayer?.emailRecovery?.minBalanceYocto,\n pollingIntervalMs: overrides.relayer?.emailRecovery?.pollingIntervalMs\n ?? defaults.relayer?.emailRecovery?.pollingIntervalMs,\n maxPollingDurationMs: overrides.relayer?.emailRecovery?.maxPollingDurationMs\n ?? defaults.relayer?.emailRecovery?.maxPollingDurationMs,\n pendingTtlMs: overrides.relayer?.emailRecovery?.pendingTtlMs\n ?? defaults.relayer?.emailRecovery?.pendingTtlMs,\n mailtoAddress: overrides.relayer?.emailRecovery?.mailtoAddress\n ?? defaults.relayer?.emailRecovery?.mailtoAddress,\n dkimVerifierAccountId: overrides.relayer?.emailRecovery?.dkimVerifierAccountId\n ?? defaults.relayer?.emailRecovery?.dkimVerifierAccountId,\n verificationViewMethod: overrides.relayer?.emailRecovery?.verificationViewMethod\n ?? defaults.relayer?.emailRecovery?.verificationViewMethod,\n },\n },\n authenticatorOptions: overrides.authenticatorOptions ?? defaults.authenticatorOptions,\n vrfWorkerConfigs: {\n shamir3pass: {\n p: overrides.vrfWorkerConfigs?.shamir3pass?.p\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.p,\n relayServerUrl: overrides.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n ?? relayServerUrlDefault,\n applyServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n removeServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n },\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: overrides.emailRecoveryContracts?.emailRecovererGlobalContract\n ?? defaults.emailRecoveryContracts?.emailRecovererGlobalContract,\n zkEmailVerifierContract: overrides.emailRecoveryContracts?.zkEmailVerifierContract\n ?? defaults.emailRecoveryContracts?.zkEmailVerifierContract,\n emailDkimVerifierContract: overrides.emailRecoveryContracts?.emailDkimVerifierContract\n ?? defaults.emailRecoveryContracts?.emailDkimVerifierContract,\n },\n iframeWallet: {\n walletOrigin: overrides.iframeWallet?.walletOrigin\n ?? defaults.iframeWallet?.walletOrigin,\n walletServicePath: overrides.iframeWallet?.walletServicePath\n ?? defaults.iframeWallet?.walletServicePath\n ?? '/wallet-service',\n sdkBasePath: overrides.iframeWallet?.sdkBasePath\n ?? defaults.iframeWallet?.sdkBasePath\n ?? '/sdk',\n rpIdOverride: overrides.iframeWallet?.rpIdOverride\n ?? defaults.iframeWallet?.rpIdOverride,\n }\n };\n if (!merged.contractId) {\n throw new Error('[configPresets] Missing required config: contractId');\n }\n if (!merged.relayer.url) {\n throw new Error('[configPresets] Missing required config: relayer.url');\n }\n return merged;\n}\n"],"mappings":";;;AA2EA,SAAgB,oBAAoB,YAAgC,IAAmB;CAErF,MAAM,WAAW;CACjB,MAAM,aAAa,UAAU,SAAS,OAAO,SAAS,SAAS,OAAO;CAGtE,MAAM,wBAAwB;CAE9B,MAAMA,SAAwB;EAC5B,YAAY,UAAU,cAAc,SAAS;EAC7C,aAAa,UAAU,eAAe,SAAS;EAC/C,YAAY,UAAU,cAAc,SAAS;EAC7C,iBAAiB,UAAU,mBAAmB,SAAS;EACvD,aAAa,UAAU,eAAe,SAAS;EAC/C,wBAAwB;GACtB,OAAO,UAAU,wBAAwB,SACpC,SAAS,wBAAwB;GACtC,eAAe,UAAU,wBAAwB,iBAC5C,SAAS,wBAAwB;;EAExC,SAAS;GACP,KAAK;GACL,qBAAqB,UAAU,SAAS,uBACnC,SAAS,SAAS;GACvB,eAAe;IACb,iBAAiB,UAAU,SAAS,eAAe,mBAC9C,SAAS,SAAS,eAAe;IACtC,mBAAmB,UAAU,SAAS,eAAe,qBAChD,SAAS,SAAS,eAAe;IACtC,sBAAsB,UAAU,SAAS,eAAe,wBACnD,SAAS,SAAS,eAAe;IACtC,cAAc,UAAU,SAAS,eAAe,gBAC3C,SAAS,SAAS,eAAe;IACtC,eAAe,UAAU,SAAS,eAAe,iBAC5C,SAAS,SAAS,eAAe;IACtC,uBAAuB,UAAU,SAAS,eAAe,yBACpD,SAAS,SAAS,eAAe;IACtC,wBAAwB,UAAU,SAAS,eAAe,0BACrD,SAAS,SAAS,eAAe;;;EAG1C,sBAAsB,UAAU,wBAAwB,SAAS;EACjE,kBAAkB,EAChB,aAAa;GACX,GAAG,UAAU,kBAAkB,aAAa,KACvC,SAAS,kBAAkB,aAAa;GAC7C,gBAAgB,UAAU,kBAAkB,aAAa,kBACpD,SAAS,kBAAkB,aAAa,kBACxC;GACL,sBAAsB,UAAU,kBAAkB,aAAa,wBAC1D,SAAS,kBAAkB,aAAa;GAC7C,uBAAuB,UAAU,kBAAkB,aAAa,yBAC3D,SAAS,kBAAkB,aAAa;;EAGjD,wBAAwB;GACtB,8BAA8B,UAAU,wBAAwB,gCAC3D,SAAS,wBAAwB;GACtC,yBAAyB,UAAU,wBAAwB,2BACtD,SAAS,wBAAwB;GACtC,2BAA2B,UAAU,wBAAwB,6BACxD,SAAS,wBAAwB;;EAExC,cAAc;GACZ,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;GAC5B,mBAAmB,UAAU,cAAc,qBACtC,SAAS,cAAc,qBACvB;GACL,aAAa,UAAU,cAAc,eAChC,SAAS,cAAc,eACvB;GACL,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;;;AAGhC,KAAI,CAAC,OAAO,WACV,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,OAAO,QAAQ,IAClB,OAAM,IAAI,MAAM;AAElB,QAAO;;;;CAvJIC,kCAAiD;EAI5D,YAAY;EACZ,aAAa;EACb,YAAY;EACZ,iBAAiB;EAGjB,wBAAwB;GACtB,OAAO;GACP,eAAe;;EAEjB,SAAS;GAIP,KAAK;GACL,qBAAqB;GACrB,eAAe;IAEb,iBAAiB;IAEjB,mBAAmB;IAEnB,sBAAsB,OAAU;IAEhC,cAAc,OAAU;IAExB,eAAe;IAEf,uBAAuB;IAEvB,wBAAwB;;;EAG5B,kBAAkB,EAChB,aAAa;GAEX,GAAG;GAGH,gBAAgB;GAChB,sBAAsB;GACtB,uBAAuB;;EAG3B,wBAAwB;GACtB,8BAA8B;GAC9B,yBAAyB;GACzB,2BAA2B;;EAG7B,cAAc;GACZ,cAAc;GACd,mBAAmB;GACnB,aAAa;GACb,cAAc;;;CAILC,mCAA2D;EACtE,8BAA8B,gCAAgC,uBAAuB;EACrF,yBAAyB,gCAAgC,uBAAuB;EAChF,2BAA2B,gCAAgC,uBAAuB"}
1	+ {"version":3,"file":"defaultConfigs.js","names":["merged: TatchiConfigs","PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs","DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts"],"sources":["../../../../../../src/core/defaultConfigs.ts"],"sourcesContent":["import type { EmailRecoveryContracts, TatchiConfigs, TatchiConfigsInput } from './types/tatchi';\n\n// Default SDK configs suitable for local dev.\n// Cross-origin wallet isolation is recommended; set iframeWallet in your app config when you have a dedicated origin.\n// Consumers can shallow-merge overrides by field.\n\nexport const PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs = {\n // You can provide a single URL or a comma-separated list for failover.\n // First URL is treated as primary, subsequent URLs are fallbacks.\n nearRpcUrl: 'https://test.rpc.fastnear.com, https://rpc.testnet.near.org',\n nearNetwork: 'testnet',\n contractId: 'w3a-v1.testnet',\n nearExplorerUrl: 'https://testnet.nearblocks.io',\n // Warm signing session defaults used by login/unlock flows.\n // Enforcement (TTL/uses) is owned by the VRF worker; signer workers remain one-shot.\n signingSessionDefaults: {\n ttlMs: 0, // 0 minutes\n remainingUses: 0, // default to requiring a touchID prompt for each transaction\n },\n relayer: {\n // accountId: 'w3a-v1.testnet',\n // No default relayer URL. Force apps to configure via env/overrides.\n // Using an empty string triggers early validation errors in code paths that require it.\n url: '',\n delegateActionRoute: '/signed-delegate',\n emailRecovery: {\n // Require at least 0.01 NEAR available to start email recovery.\n minBalanceYocto: '10000000000000000000000', // 0.01 NEAR\n // Poll every 4 seconds for verification status / access key.\n pollingIntervalMs: 4000,\n // Stop polling after 30 minutes.\n maxPollingDurationMs: 30 * 60 * 1000,\n // Expire pending recovery records after 30 minutes.\n pendingTtlMs: 30 * 60 * 1000,\n // Default recovery mailbox for examples / docs.\n mailtoAddress: 'recover@web3authn.org',\n // EmailDKIMVerifier contract that stores verification results.\n dkimVerifierAccountId: 'email-dkim-verifier-v1.testnet',\n // View method used to fetch VerificationResult by request_id.\n verificationViewMethod: 'get_verification_result',\n },\n },\n vrfWorkerConfigs: {\n shamir3pass: {\n // default Shamir's P in vrf-wasm-worker, needs to match relay server's Shamir P\n p: '3N5w46AIGjGT2v5Vua_TMD5Ywfa9U2F7-WzW8SNDsIM',\n // No default relay server URL to avoid accidental localhost usage in non-dev envs\n // Defaults to relayer.url when undefined\n relayServerUrl: '',\n applyServerLockRoute: '/vrf/apply-server-lock',\n removeServerLockRoute: '/vrf/remove-server-lock',\n }\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: 'w3a-email-recoverer-v1.testnet',\n zkEmailVerifierContract: 'zk-email-verifier-v1.testnet',\n emailDkimVerifierContract: 'email-dkim-verifier-v1.testnet',\n },\n // Configure iframeWallet in application code to point at your dedicated wallet origin when available.\n iframeWallet: {\n walletOrigin: 'https://wallet.example.localhost',\n walletServicePath: '/wallet-service',\n sdkBasePath: '/sdk',\n rpIdOverride: 'example.localhost',\n }\n};\n\nexport const DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts = {\n emailRecovererGlobalContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n zkEmailVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.zkEmailVerifierContract,\n emailDkimVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n};\n\n// Merge defaults with overrides\nexport function buildConfigsFromEnv(overrides: TatchiConfigsInput = {}): TatchiConfigs {\n\n const defaults = PASSKEY_MANAGER_DEFAULT_CONFIGS;\n const relayerUrl = overrides.relayer?.url ?? defaults.relayer?.url ?? '';\n // Prefer explicit override for relayer URL; fall back to default preset.\n // Used below to default VRF relayServerUrl when it is undefined.\n const relayServerUrlDefault = relayerUrl;\n\n const merged: TatchiConfigs = {\n nearRpcUrl: overrides.nearRpcUrl ?? defaults.nearRpcUrl,\n nearNetwork: overrides.nearNetwork ?? defaults.nearNetwork,\n contractId: overrides.contractId ?? defaults.contractId,\n nearExplorerUrl: overrides.nearExplorerUrl ?? defaults.nearExplorerUrl,\n walletTheme: overrides.walletTheme ?? defaults.walletTheme,\n signingSessionDefaults: {\n ttlMs: overrides.signingSessionDefaults?.ttlMs\n ?? defaults.signingSessionDefaults?.ttlMs,\n remainingUses: overrides.signingSessionDefaults?.remainingUses\n ?? defaults.signingSessionDefaults?.remainingUses,\n },\n relayer: {\n url: relayerUrl,\n delegateActionRoute: overrides.relayer?.delegateActionRoute\n ?? defaults.relayer?.delegateActionRoute,\n emailRecovery: {\n minBalanceYocto: overrides.relayer?.emailRecovery?.minBalanceYocto\n ?? defaults.relayer?.emailRecovery?.minBalanceYocto,\n pollingIntervalMs: overrides.relayer?.emailRecovery?.pollingIntervalMs\n ?? defaults.relayer?.emailRecovery?.pollingIntervalMs,\n maxPollingDurationMs: overrides.relayer?.emailRecovery?.maxPollingDurationMs\n ?? defaults.relayer?.emailRecovery?.maxPollingDurationMs,\n pendingTtlMs: overrides.relayer?.emailRecovery?.pendingTtlMs\n ?? defaults.relayer?.emailRecovery?.pendingTtlMs,\n mailtoAddress: overrides.relayer?.emailRecovery?.mailtoAddress\n ?? defaults.relayer?.emailRecovery?.mailtoAddress,\n dkimVerifierAccountId: overrides.relayer?.emailRecovery?.dkimVerifierAccountId\n ?? defaults.relayer?.emailRecovery?.dkimVerifierAccountId,\n verificationViewMethod: overrides.relayer?.emailRecovery?.verificationViewMethod\n ?? defaults.relayer?.emailRecovery?.verificationViewMethod,\n },\n },\n authenticatorOptions: overrides.authenticatorOptions ?? defaults.authenticatorOptions,\n vrfWorkerConfigs: {\n shamir3pass: {\n p: overrides.vrfWorkerConfigs?.shamir3pass?.p\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.p,\n relayServerUrl: overrides.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n ?? relayServerUrlDefault,\n applyServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n removeServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n },\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: overrides.emailRecoveryContracts?.emailRecovererGlobalContract\n ?? defaults.emailRecoveryContracts?.emailRecovererGlobalContract,\n zkEmailVerifierContract: overrides.emailRecoveryContracts?.zkEmailVerifierContract\n ?? defaults.emailRecoveryContracts?.zkEmailVerifierContract,\n emailDkimVerifierContract: overrides.emailRecoveryContracts?.emailDkimVerifierContract\n ?? defaults.emailRecoveryContracts?.emailDkimVerifierContract,\n },\n iframeWallet: {\n walletOrigin: overrides.iframeWallet?.walletOrigin\n ?? defaults.iframeWallet?.walletOrigin,\n walletServicePath: overrides.iframeWallet?.walletServicePath\n ?? defaults.iframeWallet?.walletServicePath\n ?? '/wallet-service',\n sdkBasePath: overrides.iframeWallet?.sdkBasePath\n ?? defaults.iframeWallet?.sdkBasePath\n ?? '/sdk',\n rpIdOverride: overrides.iframeWallet?.rpIdOverride\n ?? defaults.iframeWallet?.rpIdOverride,\n }\n };\n if (!merged.contractId) {\n throw new Error('[configPresets] Missing required config: contractId');\n }\n if (!merged.relayer.url) {\n throw new Error('[configPresets] Missing required config: relayer.url');\n }\n return merged;\n}\n"],"mappings":";;;AA0EA,SAAgB,oBAAoB,YAAgC,IAAmB;CAErF,MAAM,WAAW;CACjB,MAAM,aAAa,UAAU,SAAS,OAAO,SAAS,SAAS,OAAO;CAGtE,MAAM,wBAAwB;CAE9B,MAAMA,SAAwB;EAC5B,YAAY,UAAU,cAAc,SAAS;EAC7C,aAAa,UAAU,eAAe,SAAS;EAC/C,YAAY,UAAU,cAAc,SAAS;EAC7C,iBAAiB,UAAU,mBAAmB,SAAS;EACvD,aAAa,UAAU,eAAe,SAAS;EAC/C,wBAAwB;GACtB,OAAO,UAAU,wBAAwB,SACpC,SAAS,wBAAwB;GACtC,eAAe,UAAU,wBAAwB,iBAC5C,SAAS,wBAAwB;;EAExC,SAAS;GACP,KAAK;GACL,qBAAqB,UAAU,SAAS,uBACnC,SAAS,SAAS;GACvB,eAAe;IACb,iBAAiB,UAAU,SAAS,eAAe,mBAC9C,SAAS,SAAS,eAAe;IACtC,mBAAmB,UAAU,SAAS,eAAe,qBAChD,SAAS,SAAS,eAAe;IACtC,sBAAsB,UAAU,SAAS,eAAe,wBACnD,SAAS,SAAS,eAAe;IACtC,cAAc,UAAU,SAAS,eAAe,gBAC3C,SAAS,SAAS,eAAe;IACtC,eAAe,UAAU,SAAS,eAAe,iBAC5C,SAAS,SAAS,eAAe;IACtC,uBAAuB,UAAU,SAAS,eAAe,yBACpD,SAAS,SAAS,eAAe;IACtC,wBAAwB,UAAU,SAAS,eAAe,0BACrD,SAAS,SAAS,eAAe;;;EAG1C,sBAAsB,UAAU,wBAAwB,SAAS;EACjE,kBAAkB,EAChB,aAAa;GACX,GAAG,UAAU,kBAAkB,aAAa,KACvC,SAAS,kBAAkB,aAAa;GAC7C,gBAAgB,UAAU,kBAAkB,aAAa,kBACpD,SAAS,kBAAkB,aAAa,kBACxC;GACL,sBAAsB,UAAU,kBAAkB,aAAa,wBAC1D,SAAS,kBAAkB,aAAa;GAC7C,uBAAuB,UAAU,kBAAkB,aAAa,yBAC3D,SAAS,kBAAkB,aAAa;;EAGjD,wBAAwB;GACtB,8BAA8B,UAAU,wBAAwB,gCAC3D,SAAS,wBAAwB;GACtC,yBAAyB,UAAU,wBAAwB,2BACtD,SAAS,wBAAwB;GACtC,2BAA2B,UAAU,wBAAwB,6BACxD,SAAS,wBAAwB;;EAExC,cAAc;GACZ,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;GAC5B,mBAAmB,UAAU,cAAc,qBACtC,SAAS,cAAc,qBACvB;GACL,aAAa,UAAU,cAAc,eAChC,SAAS,cAAc,eACvB;GACL,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;;;AAGhC,KAAI,CAAC,OAAO,WACV,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,OAAO,QAAQ,IAClB,OAAM,IAAI,MAAM;AAElB,QAAO;;;;CAtJIC,kCAAiD;EAG5D,YAAY;EACZ,aAAa;EACb,YAAY;EACZ,iBAAiB;EAGjB,wBAAwB;GACtB,OAAO;GACP,eAAe;;EAEjB,SAAS;GAIP,KAAK;GACL,qBAAqB;GACrB,eAAe;IAEb,iBAAiB;IAEjB,mBAAmB;IAEnB,sBAAsB,OAAU;IAEhC,cAAc,OAAU;IAExB,eAAe;IAEf,uBAAuB;IAEvB,wBAAwB;;;EAG5B,kBAAkB,EAChB,aAAa;GAEX,GAAG;GAGH,gBAAgB;GAChB,sBAAsB;GACtB,uBAAuB;;EAG3B,wBAAwB;GACtB,8BAA8B;GAC9B,yBAAyB;GACzB,2BAA2B;;EAG7B,cAAc;GACZ,cAAc;GACd,mBAAmB;GACnB,aAAa;GACb,cAAc;;;CAILC,mCAA2D;EACtE,8BAA8B,gCAAgC,uBAAuB;EACrF,yBAAyB,gCAAgC,uBAAuB;EAChF,2BAA2B,gCAAgC,uBAAuB"}

package/dist/esm/react/sdk/src/core/types/vrf-worker.js CHANGED Viewed

@@ -1,8 +1,8 @@
+import { __esm } from "../../../../_virtual/rolldown_runtime.js";
 import { base64UrlDecode, base64UrlEncode } from "../../utils/base64.js";
 import { init_encoders } from "../../utils/encoders.js";
 //#region src/core/types/vrf-worker.ts
-init_encoders();
 /**
 * Decode VRF output and use first 32 bytes as WebAuthn challenge
 * @param vrfChallenge - VRF challenge object
@@ -56,7 +56,11 @@ function createRandomVRFChallenge() {
 		blockHash: void 0
 	};
 }
+var init_vrf_worker = __esm({ "src/core/types/vrf-worker.ts": (() => {
+	init_encoders();
+}) });
 //#endregion
-export { createRandomVRFChallenge, outputAs32Bytes, validateVRFChallenge };
+init_vrf_worker();
+export { createRandomVRFChallenge, init_vrf_worker, outputAs32Bytes, validateVRFChallenge };
 //# sourceMappingURL=vrf-worker.js.map

package/dist/esm/react/sdk/src/utils/index.js CHANGED Viewed

@@ -1,14 +1,20 @@
+import { __esm } from "../../../_virtual/rolldown_runtime.js";
 import { init_validation, validateNearAccountId } from "./validation.js";
 import { base64Decode, base64Encode, base64UrlDecode, base64UrlEncode } from "./base64.js";
 import { base58Encode } from "./base58.js";
 import { init_encoders } from "./encoders.js";
 import { errorMessage, getNearShortErrorMessage, getTouchIdCancellationMessage, getUserFriendlyErrorMessage, init_errors, isTouchIdCancellationError, toError } from "./errors.js";
-import { detectDeviceType, getOptimalCameraFacingMode, hasActiveUserActivation, isIOS, isMobileDevice, isSafari, needsExplicitActivation } from "../../../deviceDetection.js";
+import { detectDeviceType, getOptimalCameraFacingMode, hasActiveUserActivation, init_deviceDetection, isIOS, isMobileDevice, isSafari, needsExplicitActivation } from "../../../deviceDetection.js";
 //#region src/utils/index.ts
-init_encoders();
-init_validation();
-init_errors();
+var init_utils = __esm({ "src/utils/index.ts": (() => {
+	init_encoders();
+	init_validation();
+	init_errors();
+	init_deviceDetection();
+}) });
 //#endregion
+init_utils();
+export { init_utils };
 //# sourceMappingURL=index.js.map