npm - @tatchi-xyz/sdk - Versions diffs - 0.16.0 → 0.18.0 - Mend

@tatchi-xyz/sdk 0.16.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (501) hide show

package/dist/esm/react/sdk/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"transactions.js","names":["uiVrfChallenge: VRFChallenge \| undefined","uiVrfChallengeForUi: Partial<VRFChallenge> \| undefined","err: unknown","contractId: string \| undefined","nearRpcUrl: string \| undefined"],"sources":["../../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport {\n SecureConfirmationType,\n TransactionSummary,\n SigningSecureConfirmRequest,\n SigningAuthMode,\n} from '../types';\nimport { VRFChallenge, TransactionContext } from '../../../../types';\nimport {\n getNearAccountId,\n getIntentDigest,\n getTxCount,\n isUserCancelledSecureConfirm,\n ERROR_MESSAGES,\n getSignTransactionPayload,\n} from './index';\nimport { toAccountId } from '../../../../types/accountIds';\nimport { getLastLoggedInDeviceNumber } from '../../../SignerWorkerManager/getDeviceNumber';\nimport { toError } from '../../../../../utils/errors';\nimport { PASSKEY_MANAGER_DEFAULT_CONFIGS } from '../../../../defaultConfigs';\nimport { createConfirmSession } from '../adapters/session';\nimport { createConfirmTxFlowAdapters } from '../adapters/createAdapters';\n\nfunction getSigningAuthMode(request: SigningSecureConfirmRequest): SigningAuthMode {\n if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n return getSignTransactionPayload(request).signingAuthMode ?? 'webauthn';\n }\n if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n const p = request.payload as any;\n return (p?.signingAuthMode as SigningAuthMode \| undefined) ?? 'webauthn';\n }\n return 'webauthn';\n}\n\nexport async function handleTransactionSigningFlow(\n ctx: VrfWorkerManagerContext,\n request: SigningSecureConfirmRequest,\n worker: Worker,\n opts: { confirmationConfig: ConfirmationConfig; transactionSummary: TransactionSummary },\n): Promise<void> {\n const { confirmationConfig, transactionSummary } = opts;\n const adapters = createConfirmTxFlowAdapters(ctx);\n const session = createConfirmSession({\n adapters,\n worker,\n request,\n confirmationConfig,\n transactionSummary,\n });\n const nearAccountId = getNearAccountId(request);\n const signingAuthMode = getSigningAuthMode(request);\n const usesNeeded = getTxCount(request);\n\n // 1) NEAR context + nonce reservation\n const nearRpc = await adapters.near.fetchNearContext({ nearAccountId, txCount: usesNeeded, reserveNonces: true });\n if (nearRpc.error && !nearRpc.transactionContext) {\n // eslint-disable-next-line no-console\n console.error('[SigningFlow] fetchNearContext failed', { error: nearRpc.error, details: nearRpc.details });\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: `${ERROR_MESSAGES.nearRpcFailed}: ${nearRpc.details}`,\n });\n }\n session.setReservedNonces(nearRpc.reservedNonces);\n let transactionContext = nearRpc.transactionContext as TransactionContext;\n\n // 2) Security context shown in the confirmer (rpId + block height).\n // For warmSession signing we still want to show this context even though\n // we won't collect a WebAuthn credential.\n const rpId = adapters.vrf.getRpId();\n let uiVrfChallenge: VRFChallenge \| undefined;\n let uiVrfChallengeForUi: Partial<VRFChallenge> \| undefined = rpId\n ? {\n userId: nearAccountId,\n rpId,\n blockHeight: transactionContext.txBlockHeight,\n blockHash: transactionContext.txBlockHash,\n }\n : undefined;\n\n // Initial VRF challenge (only needed for WebAuthn credential collection)\n if (signingAuthMode === 'webauthn') {\n uiVrfChallenge = await adapters.vrf.generateVrfChallengeForSession(\n {\n userId: nearAccountId,\n rpId,\n blockHeight: transactionContext.txBlockHeight,\n blockHash: transactionContext.txBlockHash,\n },\n request.requestId,\n );\n uiVrfChallengeForUi = uiVrfChallenge;\n }\n\n // 3) UI confirm\n const { confirmed, error: uiError } = await session.promptUser({ vrfChallenge: uiVrfChallengeForUi });\n if (!confirmed) {\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: uiError,\n });\n }\n\n // 4) Warm session: dispense WrapKeySeed and skip WebAuthn\n if (signingAuthMode === 'warmSession') {\n try {\n await adapters.vrf.dispenseSessionKey({ sessionId: request.requestId, uses: usesNeeded });\n } catch (err: unknown) {\n const msg = String((toError(err))?.message \|\| err \|\| '');\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: msg \|\| 'Failed to dispense warm session key',\n });\n }\n\n session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: true,\n transactionContext,\n });\n return;\n }\n\n // 5) JIT refresh VRF + ctx (best-effort)\n try {\n const refreshed = await adapters.vrf.maybeRefreshVrfChallenge(request, nearAccountId);\n uiVrfChallenge = refreshed.vrfChallenge;\n transactionContext = refreshed.transactionContext;\n session.updateUI({ vrfChallenge: uiVrfChallenge });\n } catch (e) {\n console.debug('[SigningFlow] VRF JIT refresh skipped', e);\n }\n\n // 6) Collect authentication credential\n try {\n if (!uiVrfChallenge) {\n throw new Error('Missing vrfChallenge for WebAuthn signing flow');\n }\n const serializedCredential = await adapters.webauthn.collectAuthenticationCredentialWithPRF({\n nearAccountId,\n vrfChallenge: uiVrfChallenge,\n onBeforePrompt: ({ authenticatorsForPrompt, vrfChallenge }) => {\n console.debug('[SigningFlow] Authenticators for transaction signing', {\n nearAccountId,\n authenticatorCount: authenticatorsForPrompt.length,\n authenticators: authenticatorsForPrompt.map(a => ({\n deviceNumber: a.deviceNumber,\n vrfPublicKey: a.vrfPublicKey,\n credentialId: a.credentialId,\n })),\n vrfChallengePublicKey: vrfChallenge.vrfPublicKey,\n });\n },\n });\n\n // 5c) Derive WrapKeySeed inside the VRF worker and deliver it to the signer worker via\n // the reserved WrapKeySeed MessagePort. Main thread only sees wrapKeySalt metadata.\n try {\n // Ensure VRF session is active and bound to the same account we are signing for.\n const vrfStatus = await adapters.vrf.checkVrfStatus();\n if (!vrfStatus.active) {\n throw new Error('VRF keypair not active in memory. VRF session may have expired or was not properly initialized. Please refresh and try again.');\n }\n if (!vrfStatus.nearAccountId \|\| String(vrfStatus.nearAccountId) !== String(toAccountId(nearAccountId))) {\n throw new Error('VRF session is active but bound to a different account than the one being signed. Please log in again on this device.');\n }\n\n const deviceNumber = await getLastLoggedInDeviceNumber(toAccountId(nearAccountId), ctx.indexedDB.clientDB);\n const encryptedKeyData = await ctx.indexedDB.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);\n // For v2+ vaults, wrapKeySalt is the canonical salt.\n const wrapKeySalt = encryptedKeyData?.wrapKeySalt \|\| '';\n if (!wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n }\n\n // Extract contract verification context when available.\n // - SIGN_TRANSACTION: use per-request rpcCall (already normalized by caller).\n // - SIGN_NEP413_MESSAGE: allow per-request override; fall back to PASSKEY_MANAGER_DEFAULT_CONFIGS.\n let contractId: string \| undefined;\n let nearRpcUrl: string \| undefined;\n if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n const payload = getSignTransactionPayload(request);\n contractId = payload?.rpcCall?.contractId;\n nearRpcUrl = payload?.rpcCall?.nearRpcUrl;\n } else if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n const payload = request.payload as any;\n contractId = payload?.contractId\n \|\| PASSKEY_MANAGER_DEFAULT_CONFIGS.contractId;\n nearRpcUrl = payload?.nearRpcUrl\n \|\| PASSKEY_MANAGER_DEFAULT_CONFIGS.nearRpcUrl;\n }\n\n await adapters.vrf.mintSessionKeysAndSendToSigner({\n sessionId: request.requestId,\n wrapKeySalt,\n contractId,\n nearRpcUrl,\n credential: serializedCredential,\n });\n\n } catch (err) {\n console.error('[SigningFlow] WrapKeySeed derivation failed:', err);\n throw err; // Don't silently ignore - propagate the error\n }\n\n // 6) Respond; keep nonces reserved for worker to use\n session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: true,\n credential: serializedCredential,\n // prfOutput intentionally omitted to keep signer PRF-free\n // WrapKeySeed travels only over the dedicated VRF→Signer MessagePort; do not echo in the main-thread envelope\n vrfChallenge: uiVrfChallenge,\n transactionContext,\n });\n } catch (err: unknown) {\n // Treat TouchID/FaceID cancellation and related errors as a negative decision\n const cancelled = isUserCancelledSecureConfirm(err);\n // For missing PRF outputs, surface the error to caller (defensive path tests expect a throw)\n const msg = String((toError(err))?.message \|\| err \|\| '');\n if (/Missing PRF result/i.test(msg) \|\| /Missing PRF results/i.test(msg)) {\n // Ensure UI is closed and nonces released, then rethrow\n return session.cleanupAndRethrow(err);\n }\n if (cancelled) {\n window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n }\n const isWrongPasskeyError = /multiple passkeys \$devicenumbers\$ for account/i.test(msg);\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: cancelled\n ? ERROR_MESSAGES.cancelled\n : (isWrongPasskeyError ? msg : ERROR_MESSAGES.collectCredentialsFailed),\n });\n }\n}\n"],"mappings":";;;;;;;;;;;;;;AAwBA,SAAS,mBAAmB,SAAuD;AACjF,KAAI,QAAQ,SAAS,uBAAuB,iBAC1C,QAAO,0BAA0B,SAAS,mBAAmB;AAE/D,KAAI,QAAQ,SAAS,uBAAuB,qBAAqB;EAC/D,MAAM,IAAI,QAAQ;AAClB,SAAQ,GAAG,mBAAmD;;AAEhE,QAAO;;AAGT,eAAsB,6BACpB,KACA,SACA,QACA,MACe;CACf,MAAM,EAAE,oBAAoB,uBAAuB;CACnD,MAAM,WAAW,4BAA4B;CAC7C,MAAM,UAAU,qBAAqB;EACnC;EACA;EACA;EACA;EACA;;CAEF,MAAM,gBAAgB,iBAAiB;CACvC,MAAM,kBAAkB,mBAAmB;CAC3C,MAAM,aAAa,WAAW;CAG9B,MAAM,UAAU,MAAM,SAAS,KAAK,iBAAiB;EAAE;EAAe,SAAS;EAAY,eAAe;;AAC1G,KAAI,QAAQ,SAAS,CAAC,QAAQ,oBAAoB;AAEhD,UAAQ,MAAM,yCAAyC;GAAE,OAAO,QAAQ;GAAO,SAAS,QAAQ;;AAChG,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,GAAG,eAAe,cAAc,IAAI,QAAQ;;;AAGvD,SAAQ,kBAAkB,QAAQ;CAClC,IAAI,qBAAqB,QAAQ;CAKjC,MAAM,OAAO,SAAS,IAAI;CAC1B,IAAIA;CACJ,IAAIC,sBAAyD,OACzD;EACE,QAAQ;EACR;EACA,aAAa,mBAAmB;EAChC,WAAW,mBAAmB;KAEhC;AAGJ,KAAI,oBAAoB,YAAY;AAClC,mBAAiB,MAAM,SAAS,IAAI,+BAClC;GACE,QAAQ;GACR;GACA,aAAa,mBAAmB;GAChC,WAAW,mBAAmB;KAEhC,QAAQ;AAEV,wBAAsB;;CAIxB,MAAM,EAAE,WAAW,OAAO,YAAY,MAAM,QAAQ,WAAW,EAAE,cAAc;AAC/E,KAAI,CAAC,UACH,QAAO,QAAQ,qBAAqB;EAClC,WAAW,QAAQ;EACnB,cAAc,gBAAgB;EAC9B,WAAW;EACX,OAAO;;AAKX,KAAI,oBAAoB,eAAe;AACrC,MAAI;AACF,SAAM,SAAS,IAAI,mBAAmB;IAAE,WAAW,QAAQ;IAAW,MAAM;;WACrEC,KAAc;GACrB,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX,OAAO,OAAO;;;AAIlB,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX;;AAEF;;AAIF,KAAI;EACF,MAAM,YAAY,MAAM,SAAS,IAAI,yBAAyB,SAAS;AACvE,mBAAiB,UAAU;AAC3B,uBAAqB,UAAU;AAC/B,UAAQ,SAAS,EAAE,cAAc;UAC1B,GAAG;AACV,UAAQ,MAAM,yCAAyC;;AAIzD,KAAI;AACF,MAAI,CAAC,eACH,OAAM,IAAI,MAAM;EAElB,MAAM,uBAAuB,MAAM,SAAS,SAAS,uCAAuC;GAC1F;GACA,cAAc;GACd,iBAAiB,EAAE,yBAAyB,mBAAmB;AAC7D,YAAQ,MAAM,wDAAwD;KACpE;KACA,oBAAoB,wBAAwB;KAC5C,gBAAgB,wBAAwB,KAAI,OAAM;MAChD,cAAc,EAAE;MAChB,cAAc,EAAE;MAChB,cAAc,EAAE;;KAElB,uBAAuB,aAAa;;;;AAO1C,MAAI;GAEF,MAAM,YAAY,MAAM,SAAS,IAAI;AACrC,OAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,UAAU,iBAAiB,OAAO,UAAU,mBAAmB,OAAO,YAAY,gBACrF,OAAM,IAAI,MAAM;GAGlB,MAAM,eAAe,MAAM,4BAA4B,YAAY,gBAAgB,IAAI,UAAU;GACjG,MAAM,mBAAmB,MAAM,IAAI,UAAU,WAAW,gBAAgB,eAAe;GAEvF,MAAM,cAAc,kBAAkB,eAAe;AACrD,OAAI,CAAC,YACH,OAAM,IAAI,MAAM;GAMlB,IAAIC;GACJ,IAAIC;AACJ,OAAI,QAAQ,SAAS,uBAAuB,kBAAkB;IAC5D,MAAM,UAAU,0BAA0B;AAC1C,iBAAa,SAAS,SAAS;AAC/B,iBAAa,SAAS,SAAS;cACtB,QAAQ,SAAS,uBAAuB,qBAAqB;IACtE,MAAM,UAAU,QAAQ;AACxB,iBAAa,SAAS,cACjB,gCAAgC;AACrC,iBAAa,SAAS,cACjB,gCAAgC;;AAGvC,SAAM,SAAS,IAAI,+BAA+B;IAChD,WAAW,QAAQ;IACnB;IACA;IACA;IACA,YAAY;;WAGP,KAAK;AACZ,WAAQ,MAAM,gDAAgD;AAC9D,SAAM;;AAIR,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,YAAY;GAGZ,cAAc;GACd;;UAEKF,KAAc;EAErB,MAAM,YAAY,6BAA6B;EAE/C,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,MAAI,sBAAsB,KAAK,QAAQ,uBAAuB,KAAK,KAEjE,QAAO,QAAQ,kBAAkB;AAEnC,MAAI,UACF,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;EAE3D,MAAM,sBAAsB,mDAAmD,KAAK;AACpF,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,YACH,eAAe,YACd,sBAAsB,MAAM,eAAe"}
1	+ {"version":3,"file":"transactions.js","names":["uiVrfChallenge: VRFChallenge \| undefined","uiVrfChallengeForUi: Partial<VRFChallenge> \| undefined","err: unknown","contractId: string \| undefined","nearRpcUrl: string \| undefined"],"sources":["../../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport {\n SecureConfirmationType,\n TransactionSummary,\n SigningSecureConfirmRequest,\n SigningAuthMode,\n} from '../types';\nimport { VRFChallenge, TransactionContext } from '../../../../types';\nimport {\n getNearAccountId,\n getIntentDigest,\n getTxCount,\n isUserCancelledSecureConfirm,\n ERROR_MESSAGES,\n getSignTransactionPayload,\n} from './index';\nimport { toAccountId } from '../../../../types/accountIds';\nimport { getLastLoggedInDeviceNumber } from '../../../SignerWorkerManager/getDeviceNumber';\nimport { toError } from '../../../../../utils/errors';\nimport { PASSKEY_MANAGER_DEFAULT_CONFIGS } from '../../../../defaultConfigs';\nimport { createConfirmSession } from '../adapters/session';\nimport { createConfirmTxFlowAdapters } from '../adapters/createAdapters';\n\nfunction getSigningAuthMode(request: SigningSecureConfirmRequest): SigningAuthMode {\n if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n return getSignTransactionPayload(request).signingAuthMode ?? 'webauthn';\n }\n if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n const p = request.payload as any;\n return (p?.signingAuthMode as SigningAuthMode \| undefined) ?? 'webauthn';\n }\n return 'webauthn';\n}\n\nexport async function handleTransactionSigningFlow(\n ctx: VrfWorkerManagerContext,\n request: SigningSecureConfirmRequest,\n worker: Worker,\n opts: { confirmationConfig: ConfirmationConfig; transactionSummary: TransactionSummary },\n): Promise<void> {\n const { confirmationConfig, transactionSummary } = opts;\n const adapters = createConfirmTxFlowAdapters(ctx);\n const session = createConfirmSession({\n adapters,\n worker,\n request,\n confirmationConfig,\n transactionSummary,\n });\n const nearAccountId = getNearAccountId(request);\n const signingAuthMode = getSigningAuthMode(request);\n const usesNeeded = getTxCount(request);\n\n // 1) NEAR context + nonce reservation\n const nearRpc = await adapters.near.fetchNearContext({ nearAccountId, txCount: usesNeeded, reserveNonces: true });\n if (nearRpc.error && !nearRpc.transactionContext) {\n // eslint-disable-next-line no-console\n console.error('[SigningFlow] fetchNearContext failed', { error: nearRpc.error, details: nearRpc.details });\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: `${ERROR_MESSAGES.nearRpcFailed}: ${nearRpc.details}`,\n });\n }\n session.setReservedNonces(nearRpc.reservedNonces);\n let transactionContext = nearRpc.transactionContext as TransactionContext;\n\n // 2) Security context shown in the confirmer (rpId + block height).\n // For warmSession signing we still want to show this context even though\n // we won't collect a WebAuthn credential.\n const rpId = adapters.vrf.getRpId();\n let uiVrfChallenge: VRFChallenge \| undefined;\n let uiVrfChallengeForUi: Partial<VRFChallenge> \| undefined = rpId\n ? {\n userId: nearAccountId,\n rpId,\n blockHeight: transactionContext.txBlockHeight,\n blockHash: transactionContext.txBlockHash,\n }\n : undefined;\n\n // Initial VRF challenge (only needed for WebAuthn credential collection)\n if (signingAuthMode === 'webauthn') {\n uiVrfChallenge = await adapters.vrf.generateVrfChallengeForSession(\n {\n userId: nearAccountId,\n rpId,\n blockHeight: transactionContext.txBlockHeight,\n blockHash: transactionContext.txBlockHash,\n },\n request.requestId,\n );\n uiVrfChallengeForUi = uiVrfChallenge;\n }\n\n // 3) UI confirm\n const { confirmed, error: uiError } = await session.promptUser({ vrfChallenge: uiVrfChallengeForUi });\n if (!confirmed) {\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: uiError,\n });\n }\n\n // 4) Warm session: dispense WrapKeySeed and skip WebAuthn\n if (signingAuthMode === 'warmSession') {\n try {\n await adapters.vrf.dispenseSessionKey({ sessionId: request.requestId, uses: usesNeeded });\n } catch (err: unknown) {\n const msg = String((toError(err))?.message \|\| err \|\| '');\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: msg \|\| 'Failed to dispense warm session key',\n });\n }\n\n session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: true,\n transactionContext,\n });\n return;\n }\n\n // 5) JIT refresh VRF + ctx (best-effort)\n try {\n const refreshed = await adapters.vrf.maybeRefreshVrfChallenge(request, nearAccountId);\n uiVrfChallenge = refreshed.vrfChallenge;\n transactionContext = refreshed.transactionContext;\n session.updateUI({ vrfChallenge: uiVrfChallenge });\n } catch (e) {\n console.debug('[SigningFlow] VRF JIT refresh skipped', e);\n }\n\n // 6) Collect authentication credential\n try {\n if (!uiVrfChallenge) {\n throw new Error('Missing vrfChallenge for WebAuthn signing flow');\n }\n const serializedCredential = await adapters.webauthn.collectAuthenticationCredentialWithPRF({\n nearAccountId,\n vrfChallenge: uiVrfChallenge,\n });\n\n // 5c) Derive WrapKeySeed inside the VRF worker and deliver it to the signer worker via\n // the reserved WrapKeySeed MessagePort. Main thread only sees wrapKeySalt metadata.\n let contractId: string \| undefined;\n let nearRpcUrl: string \| undefined;\n try {\n // Ensure VRF session is active and bound to the same account we are signing for.\n const vrfStatus = await adapters.vrf.checkVrfStatus();\n if (!vrfStatus.active) {\n throw new Error('VRF keypair not active in memory. VRF session may have expired or was not properly initialized. Please refresh and try again.');\n }\n if (!vrfStatus.nearAccountId \|\| String(vrfStatus.nearAccountId) !== String(toAccountId(nearAccountId))) {\n throw new Error('VRF session is active but bound to a different account than the one being signed. Please log in again on this device.');\n }\n\n const deviceNumber = await getLastLoggedInDeviceNumber(toAccountId(nearAccountId), ctx.indexedDB.clientDB);\n const encryptedKeyData = await ctx.indexedDB.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);\n // For v2+ vaults, wrapKeySalt is the canonical salt.\n const wrapKeySalt = encryptedKeyData?.wrapKeySalt \|\| '';\n if (!wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n }\n\n // Extract contract verification context when available.\n // - SIGN_TRANSACTION: use per-request rpcCall (already normalized by caller).\n // - SIGN_NEP413_MESSAGE: allow per-request override; fall back to PASSKEY_MANAGER_DEFAULT_CONFIGS.\n if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n const payload = getSignTransactionPayload(request);\n contractId = payload?.rpcCall?.contractId;\n nearRpcUrl = payload?.rpcCall?.nearRpcUrl;\n } else if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n const payload = request.payload as any;\n contractId = payload?.contractId\n \|\| PASSKEY_MANAGER_DEFAULT_CONFIGS.contractId;\n nearRpcUrl = payload?.nearRpcUrl\n \|\| PASSKEY_MANAGER_DEFAULT_CONFIGS.nearRpcUrl;\n }\n\n await adapters.vrf.mintSessionKeysAndSendToSigner({\n sessionId: request.requestId,\n wrapKeySalt,\n contractId,\n nearRpcUrl,\n credential: serializedCredential,\n });\n\t } catch (err) {\n\t console.error('[SigningFlow] WrapKeySeed derivation failed:', err);\n\t throw err; // Don't silently ignore - propagate the error\n\t }\n\n // 6) Respond; keep nonces reserved for worker to use\n session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: true,\n credential: serializedCredential,\n // prfOutput intentionally omitted to keep signer PRF-free\n // WrapKeySeed travels only over the dedicated VRF→Signer MessagePort; do not echo in the main-thread envelope\n vrfChallenge: uiVrfChallenge,\n transactionContext,\n });\n } catch (err: unknown) {\n // Treat TouchID/FaceID cancellation and related errors as a negative decision\n const cancelled = isUserCancelledSecureConfirm(err);\n // For missing PRF outputs, surface the error to caller (defensive path tests expect a throw)\n const msg = String((toError(err))?.message \|\| err \|\| '');\n if (/Missing PRF result/i.test(msg) \|\| /Missing PRF results/i.test(msg)) {\n // Ensure UI is closed and nonces released, then rethrow\n return session.cleanupAndRethrow(err);\n }\n if (cancelled) {\n window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n }\n const isWrongPasskeyError = /multiple passkeys \$devicenumbers\$ for account/i.test(msg);\n return session.confirmAndCloseModal({\n requestId: request.requestId,\n intentDigest: getIntentDigest(request),\n confirmed: false,\n error: cancelled\n ? ERROR_MESSAGES.cancelled\n : (isWrongPasskeyError ? msg : ERROR_MESSAGES.collectCredentialsFailed),\n });\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;AAwBA,SAAS,mBAAmB,SAAuD;AACjF,KAAI,QAAQ,SAAS,uBAAuB,iBAC1C,QAAO,0BAA0B,SAAS,mBAAmB;AAE/D,KAAI,QAAQ,SAAS,uBAAuB,qBAAqB;EAC/D,MAAM,IAAI,QAAQ;AAClB,SAAQ,GAAG,mBAAmD;;AAEhE,QAAO;;AAGT,eAAsB,6BACpB,KACA,SACA,QACA,MACe;CACf,MAAM,EAAE,oBAAoB,uBAAuB;CACnD,MAAM,WAAW,4BAA4B;CAC7C,MAAM,UAAU,qBAAqB;EACnC;EACA;EACA;EACA;EACA;;CAEF,MAAM,gBAAgB,iBAAiB;CACvC,MAAM,kBAAkB,mBAAmB;CAC3C,MAAM,aAAa,WAAW;CAG9B,MAAM,UAAU,MAAM,SAAS,KAAK,iBAAiB;EAAE;EAAe,SAAS;EAAY,eAAe;;AAC1G,KAAI,QAAQ,SAAS,CAAC,QAAQ,oBAAoB;AAEhD,UAAQ,MAAM,yCAAyC;GAAE,OAAO,QAAQ;GAAO,SAAS,QAAQ;;AAChG,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,GAAG,eAAe,cAAc,IAAI,QAAQ;;;AAGvD,SAAQ,kBAAkB,QAAQ;CAClC,IAAI,qBAAqB,QAAQ;CAKjC,MAAM,OAAO,SAAS,IAAI;CAC1B,IAAIA;CACJ,IAAIC,sBAAyD,OACzD;EACE,QAAQ;EACR;EACA,aAAa,mBAAmB;EAChC,WAAW,mBAAmB;KAEhC;AAGJ,KAAI,oBAAoB,YAAY;AAClC,mBAAiB,MAAM,SAAS,IAAI,+BAClC;GACE,QAAQ;GACR;GACA,aAAa,mBAAmB;GAChC,WAAW,mBAAmB;KAEhC,QAAQ;AAEV,wBAAsB;;CAIxB,MAAM,EAAE,WAAW,OAAO,YAAY,MAAM,QAAQ,WAAW,EAAE,cAAc;AAC/E,KAAI,CAAC,UACH,QAAO,QAAQ,qBAAqB;EAClC,WAAW,QAAQ;EACnB,cAAc,gBAAgB;EAC9B,WAAW;EACX,OAAO;;AAKX,KAAI,oBAAoB,eAAe;AACrC,MAAI;AACF,SAAM,SAAS,IAAI,mBAAmB;IAAE,WAAW,QAAQ;IAAW,MAAM;;WACrEC,KAAc;GACrB,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX,OAAO,OAAO;;;AAIlB,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX;;AAEF;;AAIF,KAAI;EACF,MAAM,YAAY,MAAM,SAAS,IAAI,yBAAyB,SAAS;AACvE,mBAAiB,UAAU;AAC3B,uBAAqB,UAAU;AAC/B,UAAQ,SAAS,EAAE,cAAc;UAC1B,GAAG;AACV,UAAQ,MAAM,yCAAyC;;AAIzD,KAAI;AACF,MAAI,CAAC,eACH,OAAM,IAAI,MAAM;EAElB,MAAM,uBAAuB,MAAM,SAAS,SAAS,uCAAuC;GAC1F;GACA,cAAc;;EAKhB,IAAIC;EACJ,IAAIC;AACJ,MAAI;GAEF,MAAM,YAAY,MAAM,SAAS,IAAI;AACrC,OAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,UAAU,iBAAiB,OAAO,UAAU,mBAAmB,OAAO,YAAY,gBACrF,OAAM,IAAI,MAAM;GAGlB,MAAM,eAAe,MAAM,4BAA4B,YAAY,gBAAgB,IAAI,UAAU;GACjG,MAAM,mBAAmB,MAAM,IAAI,UAAU,WAAW,gBAAgB,eAAe;GAEvF,MAAM,cAAc,kBAAkB,eAAe;AACrD,OAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAMlB,OAAI,QAAQ,SAAS,uBAAuB,kBAAkB;IAC5D,MAAM,UAAU,0BAA0B;AAC1C,iBAAa,SAAS,SAAS;AAC/B,iBAAa,SAAS,SAAS;cACtB,QAAQ,SAAS,uBAAuB,qBAAqB;IACtE,MAAM,UAAU,QAAQ;AACxB,iBAAa,SAAS,cACjB,gCAAgC;AACrC,iBAAa,SAAS,cACjB,gCAAgC;;AAGvC,SAAM,SAAS,IAAI,+BAA+B;IAChD,WAAW,QAAQ;IACnB;IACA;IACA;IACA,YAAY;;WAEN,KAAK;AACZ,WAAQ,MAAM,gDAAgD;AAC9D,SAAM;;AAIT,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,YAAY;GAGZ,cAAc;GACd;;UAEKF,KAAc;EAErB,MAAM,YAAY,6BAA6B;EAE/C,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,MAAI,sBAAsB,KAAK,QAAQ,uBAAuB,KAAK,KAEjE,QAAO,QAAQ,kBAAkB;AAEnC,MAAI,UACF,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;EAE3D,MAAM,sBAAsB,mDAAmD,KAAK;AACpF,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,YACH,eAAe,YACd,sBAAsB,MAAM,eAAe"}

package/dist/esm/react/sdk/src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.js CHANGED Viewed

@@ -1,6 +1,7 @@
-import { validateVRFChallenge } from "../../../types/vrf-worker.js";
+import { init_vrf_worker, validateVRFChallenge } from "../../../types/vrf-worker.js";
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts
+init_vrf_worker();
 /**
 * Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.
 */

package/dist/esm/react/sdk/src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"deriveVrfKeypairFromPrf.js","names":["message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest>"],"sources":["../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n EncryptedVRFKeypair,\n ServerEncryptedVrfKeypair,\n VRFInputData,\n VRFWorkerMessage,\n WasmDeriveVrfKeypairFromPrfRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.\n */\nexport async function deriveVrfKeypairFromPrf(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n vrfInputData?: VRFInputData;\n saveInMemory?: boolean;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge \| null;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair \| null;\n}> {\n const saveInMemory = args.saveInMemory ?? true;\n await ctx.ensureWorkerReady();\n\n const vrfInputData = args.vrfInputData;\n const hasVrfInputData = vrfInputData?.blockHash\n && vrfInputData?.blockHeight\n && vrfInputData?.userId\n && vrfInputData?.rpId;\n\n const message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest> = {\n type: 'DERIVE_VRF_KEYPAIR_FROM_PRF',\n id: ctx.generateMessageId(),\n payload: {\n credential: args.credential,\n nearAccountId: args.nearAccountId,\n saveInMemory,\n vrfInputData: hasVrfInputData ? {\n userId: vrfInputData.userId,\n rpId: vrfInputData.rpId,\n blockHeight: String(vrfInputData.blockHeight),\n blockHash: vrfInputData.blockHash,\n } : undefined,\n }\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF keypair derivation failed: ${response.error}`);\n }\n const data = response.data as {\n vrfPublicKey?: string;\n vrfChallengeData?: VRFChallenge;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair \| null;\n };\n\n const vrfPublicKey = data.vrfPublicKey \|\| data.vrfChallengeData?.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key not found in response');\n }\n if (!data.encryptedVrfKeypair) {\n throw new Error('Encrypted VRF keypair not found in response');\n }\n\n const vrfChallenge = data.vrfChallengeData\n ? validateVRFChallenge({\n vrfInput: data.vrfChallengeData.vrfInput,\n vrfOutput: data.vrfChallengeData.vrfOutput,\n vrfProof: data.vrfChallengeData.vrfProof,\n vrfPublicKey: data.vrfChallengeData.vrfPublicKey,\n userId: data.vrfChallengeData.userId,\n rpId: data.vrfChallengeData.rpId,\n blockHeight: data.vrfChallengeData.blockHeight,\n blockHash: data.vrfChallengeData.blockHash,\n })\n : null;\n\n if (saveInMemory) {\n ctx.setCurrentVrfAccountId(args.nearAccountId);\n console.debug(`VRF Manager: VRF keypair loaded in memory for ${args.nearAccountId}`);\n }\n\n return {\n vrfPublicKey,\n vrfChallenge,\n encryptedVrfKeypair: data.encryptedVrfKeypair,\n serverEncryptedVrfKeypair: data.serverEncryptedVrfKeypair \|\| null,\n };\n}\n"],"mappings":"~~;;;;;;~~AAeA,eAAsB,wBACpB,KACA,MAWC;CACD,MAAM,eAAe,KAAK,gBAAgB;AAC1C,OAAM,IAAI;CAEV,MAAM,eAAe,KAAK;CAC1B,MAAM,kBAAkB,cAAc,aACjC,cAAc,eACd,cAAc,UACd,cAAc;CAEnB,MAAMA,UAAgE;EACpE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,YAAY,KAAK;GACjB,eAAe,KAAK;GACpB;GACA,cAAc,kBAAkB;IAC9B,QAAQ,aAAa;IACrB,MAAM,aAAa;IACnB,aAAa,OAAO,aAAa;IACjC,WAAW,aAAa;OACtB;;;CAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,kCAAkC,SAAS;CAE7D,MAAM,OAAO,SAAS;CAOtB,MAAM,eAAe,KAAK,gBAAgB,KAAK,kBAAkB;AACjE,KAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,oBACR,OAAM,IAAI,MAAM;CAGlB,MAAM,eAAe,KAAK,mBACtB,qBAAqB;EACrB,UAAU,KAAK,iBAAiB;EAChC,WAAW,KAAK,iBAAiB;EACjC,UAAU,KAAK,iBAAiB;EAChC,cAAc,KAAK,iBAAiB;EACpC,QAAQ,KAAK,iBAAiB;EAC9B,MAAM,KAAK,iBAAiB;EAC5B,aAAa,KAAK,iBAAiB;EACnC,WAAW,KAAK,iBAAiB;MAEjC;AAEJ,KAAI,cAAc;AAChB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,iDAAiD,KAAK;;AAGtE,QAAO;EACL;EACA;EACA,qBAAqB,KAAK;EAC1B,2BAA2B,KAAK,6BAA6B"}
1	+ {"version":3,"file":"deriveVrfKeypairFromPrf.js","names":["message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest>"],"sources":["../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n EncryptedVRFKeypair,\n ServerEncryptedVrfKeypair,\n VRFInputData,\n VRFWorkerMessage,\n WasmDeriveVrfKeypairFromPrfRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.\n */\nexport async function deriveVrfKeypairFromPrf(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n vrfInputData?: VRFInputData;\n saveInMemory?: boolean;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge \| null;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair \| null;\n}> {\n const saveInMemory = args.saveInMemory ?? true;\n await ctx.ensureWorkerReady();\n\n const vrfInputData = args.vrfInputData;\n const hasVrfInputData = vrfInputData?.blockHash\n && vrfInputData?.blockHeight\n && vrfInputData?.userId\n && vrfInputData?.rpId;\n\n const message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest> = {\n type: 'DERIVE_VRF_KEYPAIR_FROM_PRF',\n id: ctx.generateMessageId(),\n payload: {\n credential: args.credential,\n nearAccountId: args.nearAccountId,\n saveInMemory,\n vrfInputData: hasVrfInputData ? {\n userId: vrfInputData.userId,\n rpId: vrfInputData.rpId,\n blockHeight: String(vrfInputData.blockHeight),\n blockHash: vrfInputData.blockHash,\n } : undefined,\n }\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF keypair derivation failed: ${response.error}`);\n }\n const data = response.data as {\n vrfPublicKey?: string;\n vrfChallengeData?: VRFChallenge;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair \| null;\n };\n\n const vrfPublicKey = data.vrfPublicKey \|\| data.vrfChallengeData?.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key not found in response');\n }\n if (!data.encryptedVrfKeypair) {\n throw new Error('Encrypted VRF keypair not found in response');\n }\n\n const vrfChallenge = data.vrfChallengeData\n ? validateVRFChallenge({\n vrfInput: data.vrfChallengeData.vrfInput,\n vrfOutput: data.vrfChallengeData.vrfOutput,\n vrfProof: data.vrfChallengeData.vrfProof,\n vrfPublicKey: data.vrfChallengeData.vrfPublicKey,\n userId: data.vrfChallengeData.userId,\n rpId: data.vrfChallengeData.rpId,\n blockHeight: data.vrfChallengeData.blockHeight,\n blockHash: data.vrfChallengeData.blockHash,\n })\n : null;\n\n if (saveInMemory) {\n ctx.setCurrentVrfAccountId(args.nearAccountId);\n console.debug(`VRF Manager: VRF keypair loaded in memory for ${args.nearAccountId}`);\n }\n\n return {\n vrfPublicKey,\n vrfChallenge,\n encryptedVrfKeypair: data.encryptedVrfKeypair,\n serverEncryptedVrfKeypair: data.serverEncryptedVrfKeypair \|\| null,\n };\n}\n"],"mappings":";;;;;;;AAeA,eAAsB,wBACpB,KACA,MAWC;CACD,MAAM,eAAe,KAAK,gBAAgB;AAC1C,OAAM,IAAI;CAEV,MAAM,eAAe,KAAK;CAC1B,MAAM,kBAAkB,cAAc,aACjC,cAAc,eACd,cAAc,UACd,cAAc;CAEnB,MAAMA,UAAgE;EACpE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,YAAY,KAAK;GACjB,eAAe,KAAK;GACpB;GACA,cAAc,kBAAkB;IAC9B,QAAQ,aAAa;IACrB,MAAM,aAAa;IACnB,aAAa,OAAO,aAAa;IACjC,WAAW,aAAa;OACtB;;;CAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,kCAAkC,SAAS;CAE7D,MAAM,OAAO,SAAS;CAOtB,MAAM,eAAe,KAAK,gBAAgB,KAAK,kBAAkB;AACjE,KAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,oBACR,OAAM,IAAI,MAAM;CAGlB,MAAM,eAAe,KAAK,mBACtB,qBAAqB;EACrB,UAAU,KAAK,iBAAiB;EAChC,WAAW,KAAK,iBAAiB;EACjC,UAAU,KAAK,iBAAiB;EAChC,cAAc,KAAK,iBAAiB;EACpC,QAAQ,KAAK,iBAAiB;EAC9B,MAAM,KAAK,iBAAiB;EAC5B,aAAa,KAAK,iBAAiB;EACnC,WAAW,KAAK,iBAAiB;MAEjC;AAEJ,KAAI,cAAc;AAChB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,iDAAiD,KAAK;;AAGtE,QAAO;EACL;EACA;EACA,qBAAqB,KAAK;EAC1B,2BAA2B,KAAK,6BAA6B"}

package/dist/esm/react/sdk/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.js CHANGED Viewed

@@ -1,6 +1,7 @@
-import { validateVRFChallenge } from "../../../types/vrf-worker.js";
+import { init_vrf_worker, validateVRFChallenge } from "../../../types/vrf-worker.js";
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts
+init_vrf_worker();
 /**
 * Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.
 *

package/dist/esm/react/sdk/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"generateVrfChallenge.js","names":["message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest>"],"sources":["../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts"],"sourcesContent":["import type {\n VRFInputData,\n VRFWorkerMessage,\n WasmGenerateVrfChallengeRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.\n \n This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on\n * worker-owned challenge data instead of JS-provided state.\n /\nexport async function generateVrfChallengeForSession(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId: string\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData, sessionId);\n}\n\n/\n Generate a one-off VRF challenge without caching it in the VRF worker.\n \n Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.\n */\nexport async function generateVrfChallengeOnce(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData);\n}\n\nasync function generateVrfChallengeInternal(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId?: string\n): Promise<VRFChallenge> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest> = {\n type: 'GENERATE_VRF_CHALLENGE',\n id: ctx.generateMessageId(),\n payload: {\n sessionId,\n vrfInputData: {\n userId: inputData.userId,\n rpId: inputData.rpId,\n blockHeight: String(inputData.blockHeight),\n blockHash: inputData.blockHash,\n },\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF challenge generation failed: ${response.error}`);\n }\n\n const data = response.data as unknown as VRFChallenge;\n console.debug('VRF Manager: VRF challenge generated successfully');\n return validateVRFChallenge(data);\n}\n"],"mappings":"~~;;;;;;;;;~~AAcA,eAAsB,+BACpB,KACA,WACA,WACuB;AACvB,QAAO,6BAA6B,KAAK,WAAW;;;;;;;AAQtD,eAAsB,yBACpB,KACA,WACuB;AACvB,QAAO,6BAA6B,KAAK;;AAG3C,eAAe,6BACb,KACA,WACA,WACuB;AACvB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA6D;EACjE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP;GACA,cAAc;IACZ,QAAQ,UAAU;IAClB,MAAM,UAAU;IAChB,aAAa,OAAO,UAAU;IAC9B,WAAW,UAAU;;;;CAK3B,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,oCAAoC,SAAS;CAG/D,MAAM,OAAO,SAAS;AACtB,SAAQ,MAAM;AACd,QAAO,qBAAqB"}
1	+ {"version":3,"file":"generateVrfChallenge.js","names":["message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest>"],"sources":["../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts"],"sourcesContent":["import type {\n VRFInputData,\n VRFWorkerMessage,\n WasmGenerateVrfChallengeRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.\n \n This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on\n * worker-owned challenge data instead of JS-provided state.\n /\nexport async function generateVrfChallengeForSession(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId: string\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData, sessionId);\n}\n\n/\n Generate a one-off VRF challenge without caching it in the VRF worker.\n \n Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.\n */\nexport async function generateVrfChallengeOnce(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData);\n}\n\nasync function generateVrfChallengeInternal(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId?: string\n): Promise<VRFChallenge> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest> = {\n type: 'GENERATE_VRF_CHALLENGE',\n id: ctx.generateMessageId(),\n payload: {\n sessionId,\n vrfInputData: {\n userId: inputData.userId,\n rpId: inputData.rpId,\n blockHeight: String(inputData.blockHeight),\n blockHash: inputData.blockHash,\n },\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF challenge generation failed: ${response.error}`);\n }\n\n const data = response.data as unknown as VRFChallenge;\n console.debug('VRF Manager: VRF challenge generated successfully');\n return validateVRFChallenge(data);\n}\n"],"mappings":";;;;;;;;;;AAcA,eAAsB,+BACpB,KACA,WACA,WACuB;AACvB,QAAO,6BAA6B,KAAK,WAAW;;;;;;;AAQtD,eAAsB,yBACpB,KACA,WACuB;AACvB,QAAO,6BAA6B,KAAK;;AAG3C,eAAe,6BACb,KACA,WACA,WACuB;AACvB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA6D;EACjE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP;GACA,cAAc;IACZ,QAAQ,UAAU;IAClB,MAAM,UAAU;IAChB,aAAa,OAAO,UAAU;IAC9B,WAAW,UAAU;;;;CAK3B,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,oCAAoC,SAAS;CAG/D,MAAM,OAAO,SAAS;AACtB,SAAQ,MAAM;AACd,QAAO,qBAAqB"}

package/dist/esm/react/sdk/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js CHANGED Viewed

@@ -1,6 +1,7 @@
-import { validateVRFChallenge } from "../../../types/vrf-worker.js";
+import { init_vrf_worker, validateVRFChallenge } from "../../../types/vrf-worker.js";
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts
+init_vrf_worker();
 /**
 * Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)
 * generate a VRF challenge from it.

package/dist/esm/react/sdk/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"generateVrfKeypairBootstrap.js","names":["message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest>","error: any"],"sources":["../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts"],"sourcesContent":["import type { VRFInputData } from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VRFWorkerMessage, WasmGenerateVrfKeypairBootstrapRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)\n * generate a VRF challenge from it.\n \n This solves the \"chicken-and-egg\" problem during registration where you need a VRF challenge\n * before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in\n * VRF worker memory until it is later encrypted with PRF output.\n */\nexport async function generateVrfKeypairBootstrap(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId?: string;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n}> {\n await ctx.ensureWorkerReady();\n try {\n const message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest> = {\n type: 'GENERATE_VRF_KEYPAIR_BOOTSTRAP',\n id: ctx.generateMessageId(),\n payload: {\n // Include VRF input data if provided for challenge generation\n sessionId: args.sessionId,\n vrfInputData: args.vrfInputData\n ? {\n userId: args.vrfInputData.userId,\n rpId: args.vrfInputData.rpId,\n blockHeight: String(args.vrfInputData.blockHeight),\n blockHash: args.vrfInputData.blockHash,\n }\n : undefined,\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);\n }\n const data = response.data as { vrf_challenge_data?: VRFChallenge; vrfPublicKey?: string };\n const challengeData = data.vrf_challenge_data as VRFChallenge \| undefined;\n if (!challengeData) {\n throw new Error('VRF challenge data failed to be generated');\n }\n const vrfPublicKey = data.vrfPublicKey \|\| challengeData.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key missing in bootstrap response');\n }\n if (args.vrfInputData && args.saveInMemory) {\n // Track the account ID for this VRF session if saving in memory\n ctx.setCurrentVrfAccountId(args.vrfInputData.userId);\n }\n\n // TODO: strong types generated by Rust wasm-bindgen\n return {\n vrfPublicKey,\n vrfChallenge: validateVRFChallenge({\n vrfInput: challengeData.vrfInput,\n vrfOutput: challengeData.vrfOutput,\n vrfProof: challengeData.vrfProof,\n vrfPublicKey: challengeData.vrfPublicKey,\n userId: challengeData.userId,\n rpId: challengeData.rpId,\n blockHeight: challengeData.blockHeight,\n blockHash: challengeData.blockHash,\n })\n }\n\n } catch (error: any) {\n console.error('VRF Manager: Bootstrap VRF keypair generation failed:', error);\n throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);\n }\n}\n"],"mappings":"~~;;;;;;;;;;;~~AAaA,eAAsB,4BACpB,KACA,MAQC;AACD,OAAM,IAAI;AACV,KAAI;EACF,MAAMA,UAAoE;GACxE,MAAM;GACN,IAAI,IAAI;GACR,SAAS;IAEP,WAAW,KAAK;IAChB,cAAc,KAAK,eACf;KACE,QAAQ,KAAK,aAAa;KAC1B,MAAM,KAAK,aAAa;KACxB,aAAa,OAAO,KAAK,aAAa;KACtC,WAAW,KAAK,aAAa;QAE/B;;;EAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,4CAA4C,SAAS;EAEvE,MAAM,OAAO,SAAS;EACtB,MAAM,gBAAgB,KAAK;AAC3B,MAAI,CAAC,cACH,OAAM,IAAI,MAAM;EAElB,MAAM,eAAe,KAAK,gBAAgB,cAAc;AACxD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,MAAI,KAAK,gBAAgB,KAAK,aAE5B,KAAI,uBAAuB,KAAK,aAAa;AAI/C,SAAO;GACL;GACA,cAAc,qBAAqB;IACjC,UAAU,cAAc;IACxB,WAAW,cAAc;IACzB,UAAU,cAAc;IACxB,cAAc,cAAc;IAC5B,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB,aAAa,cAAc;IAC3B,WAAW,cAAc;;;UAItBC,OAAY;AACnB,UAAQ,MAAM,yDAAyD;AACvE,QAAM,IAAI,MAAM,6CAA6C,MAAM"}
1	+ {"version":3,"file":"generateVrfKeypairBootstrap.js","names":["message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest>","error: any"],"sources":["../../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts"],"sourcesContent":["import type { VRFInputData } from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VRFWorkerMessage, WasmGenerateVrfKeypairBootstrapRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/*\n Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)\n * generate a VRF challenge from it.\n \n This solves the \"chicken-and-egg\" problem during registration where you need a VRF challenge\n * before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in\n * VRF worker memory until it is later encrypted with PRF output.\n */\nexport async function generateVrfKeypairBootstrap(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId?: string;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n}> {\n await ctx.ensureWorkerReady();\n try {\n const message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest> = {\n type: 'GENERATE_VRF_KEYPAIR_BOOTSTRAP',\n id: ctx.generateMessageId(),\n payload: {\n // Include VRF input data if provided for challenge generation\n sessionId: args.sessionId,\n vrfInputData: args.vrfInputData\n ? {\n userId: args.vrfInputData.userId,\n rpId: args.vrfInputData.rpId,\n blockHeight: String(args.vrfInputData.blockHeight),\n blockHash: args.vrfInputData.blockHash,\n }\n : undefined,\n },\n };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success \|\| !response.data) {\n throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);\n }\n const data = response.data as { vrf_challenge_data?: VRFChallenge; vrfPublicKey?: string };\n const challengeData = data.vrf_challenge_data as VRFChallenge \| undefined;\n if (!challengeData) {\n throw new Error('VRF challenge data failed to be generated');\n }\n const vrfPublicKey = data.vrfPublicKey \|\| challengeData.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key missing in bootstrap response');\n }\n if (args.vrfInputData && args.saveInMemory) {\n // Track the account ID for this VRF session if saving in memory\n ctx.setCurrentVrfAccountId(args.vrfInputData.userId);\n }\n\n // TODO: strong types generated by Rust wasm-bindgen\n return {\n vrfPublicKey,\n vrfChallenge: validateVRFChallenge({\n vrfInput: challengeData.vrfInput,\n vrfOutput: challengeData.vrfOutput,\n vrfProof: challengeData.vrfProof,\n vrfPublicKey: challengeData.vrfPublicKey,\n userId: challengeData.userId,\n rpId: challengeData.rpId,\n blockHeight: challengeData.blockHeight,\n blockHash: challengeData.blockHash,\n })\n }\n\n } catch (error: any) {\n console.error('VRF Manager: Bootstrap VRF keypair generation failed:', error);\n throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);\n }\n}\n"],"mappings":";;;;;;;;;;;;AAaA,eAAsB,4BACpB,KACA,MAQC;AACD,OAAM,IAAI;AACV,KAAI;EACF,MAAMA,UAAoE;GACxE,MAAM;GACN,IAAI,IAAI;GACR,SAAS;IAEP,WAAW,KAAK;IAChB,cAAc,KAAK,eACf;KACE,QAAQ,KAAK,aAAa;KAC1B,MAAM,KAAK,aAAa;KACxB,aAAa,OAAO,KAAK,aAAa;KACtC,WAAW,KAAK,aAAa;QAE/B;;;EAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,4CAA4C,SAAS;EAEvE,MAAM,OAAO,SAAS;EACtB,MAAM,gBAAgB,KAAK;AAC3B,MAAI,CAAC,cACH,OAAM,IAAI,MAAM;EAElB,MAAM,eAAe,KAAK,gBAAgB,cAAc;AACxD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,MAAI,KAAK,gBAAgB,KAAK,aAE5B,KAAI,uBAAuB,KAAK,aAAa;AAI/C,SAAO;GACL;GACA,cAAc,qBAAqB;IACjC,UAAU,cAAc;IACxB,WAAW,cAAc;IACzB,UAAU,cAAc;IACxB,cAAc,cAAc;IAC5B,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB,aAAa,cAAc;IAC3B,WAAW,cAAc;;;UAItBC,OAAY;AACnB,UAAQ,MAAM,yDAAyD;AACvE,QAAM,IAAI,MAAM,6CAA6C,MAAM"}

package/dist/esm/react/sdk/src/core/WebAuthnManager/WebAuthnFallbacks/index.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { __esm } from "../../../../../_virtual/rolldown_runtime.js";
+import { WebAuthnBridgeMessage, executeWebAuthnWithParentFallbacksSafari, init_safari_fallbacks } from "./safari-fallbacks.js";
+//#region src/core/WebAuthnManager/WebAuthnFallbacks/index.ts
+var init_WebAuthnFallbacks = __esm({ "src/core/WebAuthnManager/WebAuthnFallbacks/index.ts": (() => {
+	init_safari_fallbacks();
+}) });
+//#endregion
+init_WebAuthnFallbacks();
+export { init_WebAuthnFallbacks };
+//# sourceMappingURL=index.js.map

package/dist/esm/react/sdk/src/core/WebAuthnManager/WebAuthnFallbacks/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","names":[],"sources":["../../../../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/index.ts"],"sourcesContent":["export {\n executeWebAuthnWithParentFallbacksSafari,\n WebAuthnBridgeMessage,\n} from './safari-fallbacks';\n"],"mappings":""}

package/dist/esm/react/sdk/src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.js CHANGED Viewed

@@ -1,10 +1,6 @@
+import { __esm } from "../../../../../_virtual/rolldown_runtime.js";
 //#region src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts
-const WebAuthnBridgeMessage = {
-	Create: "WALLET_WEBAUTHN_CREATE",
-	Get: "WALLET_WEBAUTHN_GET",
-	CreateResult: "WALLET_WEBAUTHN_CREATE_RESULT",
-	GetResult: "WALLET_WEBAUTHN_GET_RESULT"
-};
 function getResultTypeFor(kind) {
 	return kind === WebAuthnBridgeMessage.Get ? WebAuthnBridgeMessage.GetResult : WebAuthnBridgeMessage.CreateResult;
 }
@@ -107,54 +103,6 @@ async function requestParentDomainWebAuthn(kind, publicKey, client, timeoutMs) {
 	if (kind === "create") return client.request(WebAuthnBridgeMessage.Create, publicKey, timeoutMs);
 	return client.request(WebAuthnBridgeMessage.Get, publicKey, timeoutMs);
 }
-var WindowParentDomainWebAuthnClient = class {
-	async request(kind, publicKey, timeoutMs = 6e4) {
-		const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
-		const resultType = getResultTypeFor(kind);
-		return new Promise((resolve) => {
-			let settled = false;
-			const finish = (val) => {
-				if (!settled) {
-					settled = true;
-					resolve(val);
-				}
-			};
-			const onMessage = (ev) => {
-				const payload = ev?.data;
-				if (!payload || typeof payload.type !== "string") return;
-				const t = payload.type;
-				if (t !== resultType) return;
-				const rid = payload.requestId;
-				if (rid !== requestId) return;
-				window.removeEventListener("message", onMessage);
-				const ok = !!payload.ok;
-				const cred = payload.credential;
-				const err = payload.error;
-				if (ok && cred) return finish({
-					ok: true,
-					credential: cred
-				});
-				return finish({
-					ok: false,
-					error: typeof err === "string" ? err : void 0
-				});
-			};
-			window.addEventListener("message", onMessage);
-			window.parent?.postMessage({
-				type: kind,
-				requestId,
-				publicKey
-			}, "*");
-			setTimeout(() => {
-				window.removeEventListener("message", onMessage);
-				finish({
-					ok: false,
-					timeout: true
-				});
-			}, timeoutMs);
-		});
-	}
-};
 function notAllowedError(message) {
 	const e = new Error(message);
 	e.name = "NotAllowedError";
@@ -191,7 +139,65 @@ async function attemptRefocus(maxRetries = 2, delays = [50, 120]) {
 	}
 	return document.hasFocus();
 }
+var WebAuthnBridgeMessage, WindowParentDomainWebAuthnClient;
+var init_safari_fallbacks = __esm({ "src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts": (() => {
+	WebAuthnBridgeMessage = {
+		Create: "WALLET_WEBAUTHN_CREATE",
+		Get: "WALLET_WEBAUTHN_GET",
+		CreateResult: "WALLET_WEBAUTHN_CREATE_RESULT",
+		GetResult: "WALLET_WEBAUTHN_GET_RESULT"
+	};
+	WindowParentDomainWebAuthnClient = class {
+		async request(kind, publicKey, timeoutMs = 6e4) {
+			const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
+			const resultType = getResultTypeFor(kind);
+			return new Promise((resolve) => {
+				let settled = false;
+				const finish = (val) => {
+					if (!settled) {
+						settled = true;
+						resolve(val);
+					}
+				};
+				const onMessage = (ev) => {
+					const payload = ev?.data;
+					if (!payload || typeof payload.type !== "string") return;
+					const t = payload.type;
+					if (t !== resultType) return;
+					const rid = payload.requestId;
+					if (rid !== requestId) return;
+					window.removeEventListener("message", onMessage);
+					const ok = !!payload.ok;
+					const cred = payload.credential;
+					const err = payload.error;
+					if (ok && cred) return finish({
+						ok: true,
+						credential: cred
+					});
+					return finish({
+						ok: false,
+						error: typeof err === "string" ? err : void 0
+					});
+				};
+				window.addEventListener("message", onMessage);
+				window.parent?.postMessage({
+					type: kind,
+					requestId,
+					publicKey
+				}, "*");
+				setTimeout(() => {
+					window.removeEventListener("message", onMessage);
+					finish({
+						ok: false,
+						timeout: true
+					});
+				}, timeoutMs);
+			});
+		}
+	};
+}) });
 //#endregion
-export { WebAuthnBridgeMessage, executeWebAuthnWithParentFallbacksSafari };
+init_safari_fallbacks();
+export { WebAuthnBridgeMessage, executeWebAuthnWithParentFallbacksSafari, init_safari_fallbacks };
 //# sourceMappingURL=safari-fallbacks.js.map

package/dist/esm/react/sdk/src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"safari-fallbacks.js","names":["be: unknown","e: unknown"],"sources":["../../../../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts"],"sourcesContent":["// Safari/WebAuthn fallbacks: centralized retry + top-level bridge\n// - Encapsulates Safari-specific error handling (ancestor-origin, not-focused)\n// - Bridges create/get to top-level via postMessage when needed\n// - Keeps helpers private to reduce file count and surface area\n\ntype Kind = 'create' \| 'get';\n\n// Typed message names for parent-domain bridge\nexport const WebAuthnBridgeMessage = {\n Create: 'WALLET_WEBAUTHN_CREATE',\n Get: 'WALLET_WEBAUTHN_GET',\n CreateResult: 'WALLET_WEBAUTHN_CREATE_RESULT',\n GetResult: 'WALLET_WEBAUTHN_GET_RESULT',\n} as const;\n\nexport type BridgeKind = typeof WebAuthnBridgeMessage.Create \| typeof WebAuthnBridgeMessage.Get;\nexport type BridgeResultKind = typeof WebAuthnBridgeMessage.CreateResult \| typeof WebAuthnBridgeMessage.GetResult;\n\ntype ResultTypeFor<K extends BridgeKind> =\n K extends typeof WebAuthnBridgeMessage.Get\n ? typeof WebAuthnBridgeMessage.GetResult\n : typeof WebAuthnBridgeMessage.CreateResult;\n\nfunction getResultTypeFor<K extends BridgeKind>(kind: K): ResultTypeFor<K> {\n return (kind === WebAuthnBridgeMessage.Get\n ? WebAuthnBridgeMessage.GetResult\n : WebAuthnBridgeMessage.CreateResult) as ResultTypeFor<K>;\n}\n\ntype BridgeOk = { ok: true; credential: unknown };\ntype BridgeErr = { ok: false; error?: string; timeout?: boolean };\ntype BridgeResponse = BridgeOk \| BridgeErr;\n\n// Client interface used to request WebAuthn from the parent/top-level context\nexport type ParentDomainWebAuthnClient = {\n request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs?: number,\n ): Promise<BridgeResponse>;\n};\n\nexport interface OrchestratorDeps {\n rpId: string;\n inIframe: boolean;\n timeoutMs?: number;\n bridgeClient?: ParentDomainWebAuthnClient;\n // Gate for ancestor-error on GET; bridges for focus errors are always allowed when in iframe.\n permitGetBridgeOnAncestorError?: boolean;\n // Optional AbortSignal to cancel native navigator.credentials operations.\n // Note: parent-bridge path may not be abortable.\n abortSignal?: AbortSignal;\n}\n\n/*\n Execute a WebAuthn operation with Safari-aware fallbacks.\n \n Steps:\n * 1) Try native WebAuthn via navigator.credentials.{create\|get}\n * 2) If the failure matches Safari's ancestor-origin restriction and we are in an iframe,\n * ask the parent/top-level window to perform the WebAuthn operation (bridge). If the\n * parent reports a user cancellation, throw NotAllowedError; if it times out, continue.\n * 3) If the failure matches Safari's \"document not focused\" path, first attempt to refocus\n * and retry native once; if still blocked and in an iframe, ask the parent window to handle it.\n * 4) Generic last resort: when in an iframe (constrained context), always attempt the parent\n * WebAuthn once even if the error wasn't recognized as a Safari-specific case. If the parent\n * path times out, surface a deterministic timeout error without re-trying native again.\n * 5) Otherwise, rethrow the original error.\n /\nexport async function executeWebAuthnWithParentFallbacksSafari(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n deps: OrchestratorDeps,\n): Promise<PublicKeyCredential \| unknown> {\n\n const {\n rpId,\n inIframe,\n timeoutMs = 60000,\n permitGetBridgeOnAncestorError = true\n } = deps;\n const bridgeClient = deps.bridgeClient \|\| new WindowParentDomainWebAuthnClient();\n\n const isTestForceNativeFail = (): boolean => {\n const g = (globalThis as any);\n const w = (typeof window !== 'undefined' ? (window as any) : undefined);\n return !!(g && g.__W3A_TEST_FORCE_NATIVE_FAIL) \|\| !!(w && w.__W3A_TEST_FORCE_NATIVE_FAIL);\n };\n const bumpCounter = (key: string) => {\n const g = (globalThis as any);\n g[key] = (g[key] \|\| 0) + 1;\n };\n\n // Test harness fast-path: when explicitly forcing native fail, skip native and go straight to bridge.\n // Still bump native attempt counters for determinism in tests.\n if (isTestForceNativeFail()) {\n if (kind === 'create') bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n else bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n try {\n const bridged = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridged?.ok) return bridged.credential;\n if (bridged && !bridged.timeout) {\n throw notAllowedError(bridged.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n // Ensure consistent error type for unit tests\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n const tryNative = async () => {\n if (kind === 'create') {\n bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (create)');\n // Build options with optional AbortSignal\n return await navigator.credentials.create({\n publicKey: publicKey as PublicKeyCredentialCreationOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n } else {\n bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (get)');\n return await navigator.credentials.get({\n publicKey: publicKey as PublicKeyCredentialRequestOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n }\n };\n\n // Step 1: native attempt\n try {\n return await tryNative();\n } catch (e: unknown) {\n // If the user explicitly cancelled (generic NotAllowedError without Safari-specific hints),\n // do not attempt any bridge fallbacks that would re-prompt Touch ID. Propagate immediately.\n // This avoids double prompts when a user cancels the native sheet.\n const name = safeName(e);\n if (name === 'NotAllowedError' && !isAncestorOriginError(e) && !isDocumentNotFocusedError(e)) {\n throw e;\n }\n\n // Step 2: ancestor-origin restriction → parent bridge (when in iframe)\n if (isAncestorOriginError(e) && inIframe) {\n if (kind === 'get' && !permitGetBridgeOnAncestorError) {\n throw e;\n }\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 3: document-not-focused → refocus + retry native; then parent bridge if still blocked\n if (isDocumentNotFocusedError(e)) {\n const focused = await attemptRefocus();\n if (focused) {\n try { return await tryNative(); } catch {}\n }\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n }\n\n // Step 4: generic last-resort bridge path for constrained iframe contexts\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n // Timeout: surface an explicit error without re‑trying native again\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 5: not an iframe or no recognized fallback – rethrow original error\n throw e;\n }\n}\n\n// Request the parent/top-level window to perform the WebAuthn operation\nexport async function requestParentDomainWebAuthn(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n client: ParentDomainWebAuthnClient,\n timeoutMs: number,\n): Promise<BridgeResponse> {\n if (kind === 'create') {\n return client.request(WebAuthnBridgeMessage.Create, publicKey as PublicKeyCredentialCreationOptions, timeoutMs);\n }\n return client.request(WebAuthnBridgeMessage.Get, publicKey as PublicKeyCredentialRequestOptions, timeoutMs);\n}\n\n// Default bridge client using window.parent postMessage protocol\nexport class WindowParentDomainWebAuthnClient implements ParentDomainWebAuthnClient {\n async request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs = 60000,\n ): Promise<BridgeResponse> {\n const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;\n const resultType = getResultTypeFor(kind);\n\n return new Promise((resolve) => {\n let settled = false;\n const finish = (val: BridgeResponse) => { if (!settled) { settled = true; resolve(val); } };\n\n const onMessage = (ev: MessageEvent) => {\n const payload = ev?.data as unknown;\n if (!payload \|\| typeof (payload as { type?: unknown }).type !== 'string') return;\n const t = (payload as { type: string }).type;\n if (t !== resultType) return;\n const rid = (payload as { requestId?: unknown }).requestId;\n if (rid !== requestId) return;\n window.removeEventListener('message', onMessage);\n const ok = !!(payload as { ok?: unknown }).ok;\n const cred = (payload as { credential?: unknown }).credential;\n const err = (payload as { error?: unknown }).error;\n if (ok && cred) return finish({ ok: true, credential: cred });\n return finish({ ok: false, error: typeof err === 'string' ? err : undefined });\n };\n window.addEventListener('message', onMessage);\n window.parent?.postMessage({ type: kind, requestId, publicKey } as { type: K; requestId: string; publicKey: any }, '');\n setTimeout(() => { window.removeEventListener('message', onMessage); finish({ ok: false, timeout: true }); }, timeoutMs);\n });\n }\n}\n\nfunction notAllowedError(message: string): Error {\n const e = new Error(message);\n (e as any).name = 'NotAllowedError';\n return e;\n}\n\n// Private: error classification helpers\nfunction isAncestorOriginError(err: unknown): boolean {\n const msg = safeMessage(err);\n return /origin of the document is not the same as its ancestors/i.test(msg);\n}\n\nfunction isDocumentNotFocusedError(err: unknown): boolean {\n const name = safeName(err);\n const msg = safeMessage(err);\n const isNotAllowed = name === 'NotAllowedError';\n const mentionsFocus = /document is not focused\|not focused\|focus/i.test(msg);\n return Boolean(isNotAllowed && mentionsFocus);\n}\n\nfunction safeMessage(err: unknown): string {\n return String((err as { message?: unknown })?.message \|\| '');\n}\n\nfunction safeName(err: unknown): string {\n const n = (err as { name?: unknown })?.name;\n return typeof n === 'string' ? n : '';\n}\n\n// Private: focus utility to mitigate Safari focus issues\nasync function attemptRefocus(maxRetries = 2, delays: number[] = [50, 120]): Promise<boolean> {\n (window as any).focus?.();\n (document?.body as any)?.focus?.();\n\n const wait = (ms: number) => new Promise(r => setTimeout(r, ms));\n const total = Math.max(0, maxRetries);\n for (let i = 0; i <= total; i++) {\n const d = delays[i] ?? delays[delays.length - 1] ?? 80;\n await wait(d);\n if (document.hasFocus()) return true;\n (window as any).focus?.();\n }\n return document.hasFocus();\n}\n"],"mappings":";AAQA,MAAa,wBAAwB;CACnC,QAAQ;CACR,KAAK;CACL,cAAc;CACd,WAAW;;AAWb,SAAS,iBAAuC,MAA2B;AACzE,QAAQ,SAAS,sBAAsB,MACnC,sBAAsB,YACtB,sBAAsB;;;;;;;;;;;;;;;;;AA2C5B,eAAsB,yCACpB,MACA,WACA,MACwC;CAExC,MAAM,EACJ,MACA,UACA,YAAY,KACZ,iCAAiC,SAC/B;CACJ,MAAM,eAAe,KAAK,gBAAgB,IAAI;CAE9C,MAAM,8BAAuC;EAC3C,MAAM,IAAK;EACX,MAAM,IAAK,OAAO,WAAW,cAAe,SAAiB;AAC7D,SAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,CAAC,EAAE,KAAK,EAAE;;CAE9D,MAAM,eAAe,QAAgB;EACnC,MAAM,IAAK;AACX,IAAE,QAAQ,EAAE,QAAQ,KAAK;;AAK3B,KAAI,yBAAyB;AAC3B,MAAI,SAAS,SAAU,aAAY;MAC9B,aAAY;AACjB,MAAI;GACF,MAAM,UAAU,MAAM,4BAA4B,MAAM,WAAW,cAAc;AACjF,OAAI,SAAS,GAAI,QAAO,QAAQ;AAChC,OAAI,WAAW,CAAC,QAAQ,QACtB,OAAM,gBAAgB,QAAQ,SAAS;AAEzC,SAAM,IAAI,MAAM;WACTA,IAAa;AAEpB,SAAM,gBAAiB,IAAY,WAAW;;;CAIlD,MAAM,YAAY,YAAY;AAC5B,MAAI,SAAS,UAAU;AACrB,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AAEnD,UAAO,MAAM,UAAU,YAAY,OAAO;IAC7B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;SAEnD;AACL,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AACnD,UAAO,MAAM,UAAU,YAAY,IAAI;IAC1B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;;;AAM5D,KAAI;AACF,SAAO,MAAM;UACNC,GAAY;EAInB,MAAM,OAAO,SAAS;AACtB,MAAI,SAAS,qBAAqB,CAAC,sBAAsB,MAAM,CAAC,0BAA0B,GACxF,OAAM;AAIR,MAAI,sBAAsB,MAAM,UAAU;AACxC,OAAI,SAAS,SAAS,CAAC,+BACrB,OAAM;AAER,OAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CD,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAKlD,MAAI,0BAA0B,IAAI;GAChC,MAAM,UAAU,MAAM;AACtB,OAAI,QACF,KAAI;AAAE,WAAO,MAAM;WAAqB;AAE1C,OAAI,SACF,KAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CA,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAMpD,MAAI,SACF,KAAI;GACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,OAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,OAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;AAGpD,SAAM,IAAI,MAAM;WACTA,IAAa;AACpB,SAAM,gBAAiB,IAAY,WAAW;;AAKlD,QAAM;;;AAKV,eAAsB,4BACpB,MACA,WACA,QACA,WACyB;AACzB,KAAI,SAAS,SACX,QAAO,OAAO,QAAQ,sBAAsB,QAAQ,WAAiD;AAEvG,QAAO,OAAO,QAAQ,sBAAsB,KAAK,WAAgD;;AAInG,IAAa,mCAAb,MAAoF;CAClF,MAAM,QACJ,MACA,WACA,YAAY,KACa;EACzB,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;EAC5E,MAAM,aAAa,iBAAiB;AAEpC,SAAO,IAAI,SAAS,YAAY;GAC9B,IAAI,UAAU;GACd,MAAM,UAAU,QAAwB;AAAE,QAAI,CAAC,SAAS;AAAE,eAAU;AAAM,aAAQ;;;GAElF,MAAM,aAAa,OAAqB;IACtC,MAAM,UAAU,IAAI;AACpB,QAAI,CAAC,WAAW,OAAQ,QAA+B,SAAS,SAAU;IAC1E,MAAM,IAAK,QAA6B;AACxC,QAAI,MAAM,WAAY;IACtB,MAAM,MAAO,QAAoC;AACjD,QAAI,QAAQ,UAAW;AACvB,WAAO,oBAAoB,WAAW;IACtC,MAAM,KAAK,CAAC,CAAE,QAA6B;IAC3C,MAAM,OAAQ,QAAqC;IACnD,MAAM,MAAO,QAAgC;AAC7C,QAAI,MAAM,KAAM,QAAO,OAAO;KAAE,IAAI;KAAM,YAAY;;AACtD,WAAO,OAAO;KAAE,IAAI;KAAO,OAAO,OAAO,QAAQ,WAAW,MAAM;;;AAEpE,UAAO,iBAAiB,WAAW;AACnC,UAAO,QAAQ,YAAY;IAAE,MAAM;IAAM;IAAW;MAA+D;AACnH,oBAAiB;AAAE,WAAO,oBAAoB,WAAW;AAAY,WAAO;KAAE,IAAI;KAAO,SAAS;;MAAY;;;;AAKpH,SAAS,gBAAgB,SAAwB;CAC/C,MAAM,IAAI,IAAI,MAAM;AACpB,CAAC,EAAU,OAAO;AAClB,QAAO;;AAIT,SAAS,sBAAsB,KAAuB;CACpD,MAAM,MAAM,YAAY;AACxB,QAAO,2DAA2D,KAAK;;AAGzE,SAAS,0BAA0B,KAAuB;CACxD,MAAM,OAAO,SAAS;CACtB,MAAM,MAAM,YAAY;CACxB,MAAM,eAAe,SAAS;CAC9B,MAAM,gBAAgB,6CAA6C,KAAK;AACxE,QAAO,QAAQ,gBAAgB;;AAGjC,SAAS,YAAY,KAAsB;AACzC,QAAO,OAAQ,KAA+B,WAAW;;AAG3D,SAAS,SAAS,KAAsB;CACtC,MAAM,IAAK,KAA4B;AACvC,QAAO,OAAO,MAAM,WAAW,IAAI;;AAIrC,eAAe,eAAe,aAAa,GAAG,SAAmB,CAAC,IAAI,MAAwB;AAC5F,CAAC,OAAe;AAChB,EAAC,UAAU,OAAc;CAEzB,MAAM,QAAQ,OAAe,IAAI,SAAQ,MAAK,WAAW,GAAG;CAC5D,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC1B,MAAK,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK;EAC/B,MAAM,IAAI,OAAO,MAAM,OAAO,OAAO,SAAS,MAAM;AACpD,QAAM,KAAK;AACX,MAAI,SAAS,WAAY,QAAO;AAChC,EAAC,OAAe;;AAElB,QAAO,SAAS"}
1	+ {"version":3,"file":"safari-fallbacks.js","names":["be: unknown","e: unknown"],"sources":["../../../../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts"],"sourcesContent":["// Safari/WebAuthn fallbacks: centralized retry + top-level bridge\n// - Encapsulates Safari-specific error handling (ancestor-origin, not-focused)\n// - Bridges create/get to top-level via postMessage when needed\n// - Keeps helpers private to reduce file count and surface area\n\ntype Kind = 'create' \| 'get';\n\n// Typed message names for parent-domain bridge\nexport const WebAuthnBridgeMessage = {\n Create: 'WALLET_WEBAUTHN_CREATE',\n Get: 'WALLET_WEBAUTHN_GET',\n CreateResult: 'WALLET_WEBAUTHN_CREATE_RESULT',\n GetResult: 'WALLET_WEBAUTHN_GET_RESULT',\n} as const;\n\nexport type BridgeKind = typeof WebAuthnBridgeMessage.Create \| typeof WebAuthnBridgeMessage.Get;\nexport type BridgeResultKind = typeof WebAuthnBridgeMessage.CreateResult \| typeof WebAuthnBridgeMessage.GetResult;\n\ntype ResultTypeFor<K extends BridgeKind> =\n K extends typeof WebAuthnBridgeMessage.Get\n ? typeof WebAuthnBridgeMessage.GetResult\n : typeof WebAuthnBridgeMessage.CreateResult;\n\nfunction getResultTypeFor<K extends BridgeKind>(kind: K): ResultTypeFor<K> {\n return (kind === WebAuthnBridgeMessage.Get\n ? WebAuthnBridgeMessage.GetResult\n : WebAuthnBridgeMessage.CreateResult) as ResultTypeFor<K>;\n}\n\ntype BridgeOk = { ok: true; credential: unknown };\ntype BridgeErr = { ok: false; error?: string; timeout?: boolean };\ntype BridgeResponse = BridgeOk \| BridgeErr;\n\n// Client interface used to request WebAuthn from the parent/top-level context\nexport type ParentDomainWebAuthnClient = {\n request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs?: number,\n ): Promise<BridgeResponse>;\n};\n\nexport interface OrchestratorDeps {\n rpId: string;\n inIframe: boolean;\n timeoutMs?: number;\n bridgeClient?: ParentDomainWebAuthnClient;\n // Gate for ancestor-error on GET; bridges for focus errors are always allowed when in iframe.\n permitGetBridgeOnAncestorError?: boolean;\n // Optional AbortSignal to cancel native navigator.credentials operations.\n // Note: parent-bridge path may not be abortable.\n abortSignal?: AbortSignal;\n}\n\n/*\n Execute a WebAuthn operation with Safari-aware fallbacks.\n \n Steps:\n * 1) Try native WebAuthn via navigator.credentials.{create\|get}\n * 2) If the failure matches Safari's ancestor-origin restriction and we are in an iframe,\n * ask the parent/top-level window to perform the WebAuthn operation (bridge). If the\n * parent reports a user cancellation, throw NotAllowedError; if it times out, continue.\n * 3) If the failure matches Safari's \"document not focused\" path, first attempt to refocus\n * and retry native once; if still blocked and in an iframe, ask the parent window to handle it.\n * 4) Generic last resort: when in an iframe (constrained context), always attempt the parent\n * WebAuthn once even if the error wasn't recognized as a Safari-specific case. If the parent\n * path times out, surface a deterministic timeout error without re-trying native again.\n * 5) Otherwise, rethrow the original error.\n /\nexport async function executeWebAuthnWithParentFallbacksSafari(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n deps: OrchestratorDeps,\n): Promise<PublicKeyCredential \| unknown> {\n\n const {\n rpId,\n inIframe,\n timeoutMs = 60000,\n permitGetBridgeOnAncestorError = true\n } = deps;\n const bridgeClient = deps.bridgeClient \|\| new WindowParentDomainWebAuthnClient();\n\n const isTestForceNativeFail = (): boolean => {\n const g = (globalThis as any);\n const w = (typeof window !== 'undefined' ? (window as any) : undefined);\n return !!(g && g.__W3A_TEST_FORCE_NATIVE_FAIL) \|\| !!(w && w.__W3A_TEST_FORCE_NATIVE_FAIL);\n };\n const bumpCounter = (key: string) => {\n const g = (globalThis as any);\n g[key] = (g[key] \|\| 0) + 1;\n };\n\n // Test harness fast-path: when explicitly forcing native fail, skip native and go straight to bridge.\n // Still bump native attempt counters for determinism in tests.\n if (isTestForceNativeFail()) {\n if (kind === 'create') bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n else bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n try {\n const bridged = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridged?.ok) return bridged.credential;\n if (bridged && !bridged.timeout) {\n throw notAllowedError(bridged.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n // Ensure consistent error type for unit tests\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n const tryNative = async () => {\n if (kind === 'create') {\n bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (create)');\n // Build options with optional AbortSignal\n return await navigator.credentials.create({\n publicKey: publicKey as PublicKeyCredentialCreationOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n } else {\n bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (get)');\n return await navigator.credentials.get({\n publicKey: publicKey as PublicKeyCredentialRequestOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n }\n };\n\n // Step 1: native attempt\n try {\n return await tryNative();\n } catch (e: unknown) {\n // If the user explicitly cancelled (generic NotAllowedError without Safari-specific hints),\n // do not attempt any bridge fallbacks that would re-prompt Touch ID. Propagate immediately.\n // This avoids double prompts when a user cancels the native sheet.\n const name = safeName(e);\n if (name === 'NotAllowedError' && !isAncestorOriginError(e) && !isDocumentNotFocusedError(e)) {\n throw e;\n }\n\n // Step 2: ancestor-origin restriction → parent bridge (when in iframe)\n if (isAncestorOriginError(e) && inIframe) {\n if (kind === 'get' && !permitGetBridgeOnAncestorError) {\n throw e;\n }\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 3: document-not-focused → refocus + retry native; then parent bridge if still blocked\n if (isDocumentNotFocusedError(e)) {\n const focused = await attemptRefocus();\n if (focused) {\n try { return await tryNative(); } catch {}\n }\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n }\n\n // Step 4: generic last-resort bridge path for constrained iframe contexts\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n // Timeout: surface an explicit error without re‑trying native again\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 5: not an iframe or no recognized fallback – rethrow original error\n throw e;\n }\n}\n\n// Request the parent/top-level window to perform the WebAuthn operation\nexport async function requestParentDomainWebAuthn(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n client: ParentDomainWebAuthnClient,\n timeoutMs: number,\n): Promise<BridgeResponse> {\n if (kind === 'create') {\n return client.request(WebAuthnBridgeMessage.Create, publicKey as PublicKeyCredentialCreationOptions, timeoutMs);\n }\n return client.request(WebAuthnBridgeMessage.Get, publicKey as PublicKeyCredentialRequestOptions, timeoutMs);\n}\n\n// Default bridge client using window.parent postMessage protocol\nexport class WindowParentDomainWebAuthnClient implements ParentDomainWebAuthnClient {\n async request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs = 60000,\n ): Promise<BridgeResponse> {\n const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;\n const resultType = getResultTypeFor(kind);\n\n return new Promise((resolve) => {\n let settled = false;\n const finish = (val: BridgeResponse) => { if (!settled) { settled = true; resolve(val); } };\n\n const onMessage = (ev: MessageEvent) => {\n const payload = ev?.data as unknown;\n if (!payload \|\| typeof (payload as { type?: unknown }).type !== 'string') return;\n const t = (payload as { type: string }).type;\n if (t !== resultType) return;\n const rid = (payload as { requestId?: unknown }).requestId;\n if (rid !== requestId) return;\n window.removeEventListener('message', onMessage);\n const ok = !!(payload as { ok?: unknown }).ok;\n const cred = (payload as { credential?: unknown }).credential;\n const err = (payload as { error?: unknown }).error;\n if (ok && cred) return finish({ ok: true, credential: cred });\n return finish({ ok: false, error: typeof err === 'string' ? err : undefined });\n };\n window.addEventListener('message', onMessage);\n window.parent?.postMessage({ type: kind, requestId, publicKey } as { type: K; requestId: string; publicKey: any }, '');\n setTimeout(() => { window.removeEventListener('message', onMessage); finish({ ok: false, timeout: true }); }, timeoutMs);\n });\n }\n}\n\nfunction notAllowedError(message: string): Error {\n const e = new Error(message);\n (e as any).name = 'NotAllowedError';\n return e;\n}\n\n// Private: error classification helpers\nfunction isAncestorOriginError(err: unknown): boolean {\n const msg = safeMessage(err);\n return /origin of the document is not the same as its ancestors/i.test(msg);\n}\n\nfunction isDocumentNotFocusedError(err: unknown): boolean {\n const name = safeName(err);\n const msg = safeMessage(err);\n const isNotAllowed = name === 'NotAllowedError';\n const mentionsFocus = /document is not focused\|not focused\|focus/i.test(msg);\n return Boolean(isNotAllowed && mentionsFocus);\n}\n\nfunction safeMessage(err: unknown): string {\n return String((err as { message?: unknown })?.message \|\| '');\n}\n\nfunction safeName(err: unknown): string {\n const n = (err as { name?: unknown })?.name;\n return typeof n === 'string' ? n : '';\n}\n\n// Private: focus utility to mitigate Safari focus issues\nasync function attemptRefocus(maxRetries = 2, delays: number[] = [50, 120]): Promise<boolean> {\n (window as any).focus?.();\n (document?.body as any)?.focus?.();\n\n const wait = (ms: number) => new Promise(r => setTimeout(r, ms));\n const total = Math.max(0, maxRetries);\n for (let i = 0; i <= total; i++) {\n const d = delays[i] ?? delays[delays.length - 1] ?? 80;\n await wait(d);\n if (document.hasFocus()) return true;\n (window as any).focus?.();\n }\n return document.hasFocus();\n}\n"],"mappings":";;;AAuBA,SAAS,iBAAuC,MAA2B;AACzE,QAAQ,SAAS,sBAAsB,MACnC,sBAAsB,YACtB,sBAAsB;;;;;;;;;;;;;;;;;AA2C5B,eAAsB,yCACpB,MACA,WACA,MACwC;CAExC,MAAM,EACJ,MACA,UACA,YAAY,KACZ,iCAAiC,SAC/B;CACJ,MAAM,eAAe,KAAK,gBAAgB,IAAI;CAE9C,MAAM,8BAAuC;EAC3C,MAAM,IAAK;EACX,MAAM,IAAK,OAAO,WAAW,cAAe,SAAiB;AAC7D,SAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,CAAC,EAAE,KAAK,EAAE;;CAE9D,MAAM,eAAe,QAAgB;EACnC,MAAM,IAAK;AACX,IAAE,QAAQ,EAAE,QAAQ,KAAK;;AAK3B,KAAI,yBAAyB;AAC3B,MAAI,SAAS,SAAU,aAAY;MAC9B,aAAY;AACjB,MAAI;GACF,MAAM,UAAU,MAAM,4BAA4B,MAAM,WAAW,cAAc;AACjF,OAAI,SAAS,GAAI,QAAO,QAAQ;AAChC,OAAI,WAAW,CAAC,QAAQ,QACtB,OAAM,gBAAgB,QAAQ,SAAS;AAEzC,SAAM,IAAI,MAAM;WACTA,IAAa;AAEpB,SAAM,gBAAiB,IAAY,WAAW;;;CAIlD,MAAM,YAAY,YAAY;AAC5B,MAAI,SAAS,UAAU;AACrB,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AAEnD,UAAO,MAAM,UAAU,YAAY,OAAO;IAC7B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;SAEnD;AACL,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AACnD,UAAO,MAAM,UAAU,YAAY,IAAI;IAC1B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;;;AAM5D,KAAI;AACF,SAAO,MAAM;UACNC,GAAY;EAInB,MAAM,OAAO,SAAS;AACtB,MAAI,SAAS,qBAAqB,CAAC,sBAAsB,MAAM,CAAC,0BAA0B,GACxF,OAAM;AAIR,MAAI,sBAAsB,MAAM,UAAU;AACxC,OAAI,SAAS,SAAS,CAAC,+BACrB,OAAM;AAER,OAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CD,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAKlD,MAAI,0BAA0B,IAAI;GAChC,MAAM,UAAU,MAAM;AACtB,OAAI,QACF,KAAI;AAAE,WAAO,MAAM;WAAqB;AAE1C,OAAI,SACF,KAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CA,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAMpD,MAAI,SACF,KAAI;GACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,OAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,OAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;AAGpD,SAAM,IAAI,MAAM;WACTA,IAAa;AACpB,SAAM,gBAAiB,IAAY,WAAW;;AAKlD,QAAM;;;AAKV,eAAsB,4BACpB,MACA,WACA,QACA,WACyB;AACzB,KAAI,SAAS,SACX,QAAO,OAAO,QAAQ,sBAAsB,QAAQ,WAAiD;AAEvG,QAAO,OAAO,QAAQ,sBAAsB,KAAK,WAAgD;;AAsCnG,SAAS,gBAAgB,SAAwB;CAC/C,MAAM,IAAI,IAAI,MAAM;AACpB,CAAC,EAAU,OAAO;AAClB,QAAO;;AAIT,SAAS,sBAAsB,KAAuB;CACpD,MAAM,MAAM,YAAY;AACxB,QAAO,2DAA2D,KAAK;;AAGzE,SAAS,0BAA0B,KAAuB;CACxD,MAAM,OAAO,SAAS;CACtB,MAAM,MAAM,YAAY;CACxB,MAAM,eAAe,SAAS;CAC9B,MAAM,gBAAgB,6CAA6C,KAAK;AACxE,QAAO,QAAQ,gBAAgB;;AAGjC,SAAS,YAAY,KAAsB;AACzC,QAAO,OAAQ,KAA+B,WAAW;;AAG3D,SAAS,SAAS,KAAsB;CACtC,MAAM,IAAK,KAA4B;AACvC,QAAO,OAAO,MAAM,WAAW,IAAI;;AAIrC,eAAe,eAAe,aAAa,GAAG,SAAmB,CAAC,IAAI,MAAwB;AAC5F,CAAC,OAAe;AAChB,EAAC,UAAU,OAAc;CAEzB,MAAM,QAAQ,OAAe,IAAI,SAAQ,MAAK,WAAW,GAAG;CAC5D,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC1B,MAAK,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK;EAC/B,MAAM,IAAI,OAAO,MAAM,OAAO,OAAO,SAAS,MAAM;AACpD,QAAM,KAAK;AACX,MAAI,SAAS,WAAY,QAAO;AAChC,EAAC,OAAe;;AAElB,QAAO,SAAS;;;;CAvRL,wBAAwB;EACnC,QAAQ;EACR,KAAK;EACL,cAAc;EACd,WAAW;;CAuMA,mCAAb,MAAoF;EAClF,MAAM,QACJ,MACA,WACA,YAAY,KACa;GACzB,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;GAC5E,MAAM,aAAa,iBAAiB;AAEpC,UAAO,IAAI,SAAS,YAAY;IAC9B,IAAI,UAAU;IACd,MAAM,UAAU,QAAwB;AAAE,SAAI,CAAC,SAAS;AAAE,gBAAU;AAAM,cAAQ;;;IAElF,MAAM,aAAa,OAAqB;KACtC,MAAM,UAAU,IAAI;AACpB,SAAI,CAAC,WAAW,OAAQ,QAA+B,SAAS,SAAU;KAC1E,MAAM,IAAK,QAA6B;AACxC,SAAI,MAAM,WAAY;KACtB,MAAM,MAAO,QAAoC;AACjD,SAAI,QAAQ,UAAW;AACvB,YAAO,oBAAoB,WAAW;KACtC,MAAM,KAAK,CAAC,CAAE,QAA6B;KAC3C,MAAM,OAAQ,QAAqC;KACnD,MAAM,MAAO,QAAgC;AAC7C,SAAI,MAAM,KAAM,QAAO,OAAO;MAAE,IAAI;MAAM,YAAY;;AACtD,YAAO,OAAO;MAAE,IAAI;MAAO,OAAO,OAAO,QAAQ,WAAW,MAAM;;;AAEpE,WAAO,iBAAiB,WAAW;AACnC,WAAO,QAAQ,YAAY;KAAE,MAAM;KAAM;KAAW;OAA+D;AACnH,qBAAiB;AAAE,YAAO,oBAAoB,WAAW;AAAY,YAAO;MAAE,IAAI;MAAO,SAAS;;OAAY"}

package/dist/esm/react/sdk/src/core/WebAuthnManager/credentialsHelpers.js CHANGED Viewed

@@ -1,9 +1,9 @@
+import { __esm } from "../../../../_virtual/rolldown_runtime.js";
 import { init_validation, isArray, isObject, isString } from "../WalletIframe/validation.js";
 import { base64UrlEncode } from "../../utils/base64.js";
-import "../../utils/index.js";
+import { init_utils } from "../../utils/index.js";
 //#region src/core/WebAuthnManager/credentialsHelpers.ts
-init_validation();
 /**
 * Serialize PublicKeyCredential for both authentication and registration for WASM worker
 * - Uses base64url encoding for WASM compatibility
@@ -277,7 +277,12 @@ function normalizeClientExtensionOutputs(input) {
 	}
 	return out;
 }
+var init_credentialsHelpers = __esm({ "src/core/WebAuthnManager/credentialsHelpers.ts": (() => {
+	init_utils();
+	init_validation();
+}) });
 //#endregion
-export { generateChaCha20Salt, generateEd25519Salt, isSerializedRegistrationCredential, normalizeRegistrationCredential, removePrfOutputGuard, serializeAuthenticationCredentialWithPRF, serializeRegistrationCredential, serializeRegistrationCredentialWithPRF };
+init_credentialsHelpers();
+export { generateChaCha20Salt, generateEd25519Salt, init_credentialsHelpers, isSerializedRegistrationCredential, normalizeRegistrationCredential, removePrfOutputGuard, serializeAuthenticationCredentialWithPRF, serializeRegistrationCredential, serializeRegistrationCredentialWithPRF };
 //# sourceMappingURL=credentialsHelpers.js.map

package/dist/esm/react/sdk/src/core/WebAuthnManager/index.js CHANGED Viewed

@@ -2,8 +2,8 @@ import { init_accountIds, toAccountId } from "../types/accountIds.js";
 import { IndexedDBManager, init_IndexedDBManager } from "../IndexedDBManager/index.js";
 import { onEmbeddedBaseChange } from "../sdkPaths/base.js";
 import { resolveWorkerBaseOrigin } from "../sdkPaths/workers.js";
-import { TouchIdPrompt } from "./touchIdPrompt.js";
-import { getLastLoggedInDeviceNumber } from "./SignerWorkerManager/getDeviceNumber.js";
+import { TouchIdPrompt, init_touchIdPrompt } from "./touchIdPrompt.js";
+import { getLastLoggedInDeviceNumber, init_getDeviceNumber } from "./SignerWorkerManager/getDeviceNumber.js";
 import { SignerWorkerManager } from "./SignerWorkerManager/index.js";
 import { VrfWorkerManager } from "./VrfWorkerManager/index.js";
 import userPreferences_default from "./userPreferences.js";
@@ -12,7 +12,9 @@ import { __isWalletIframeHostMode } from "../WalletIframe/host-mode.js";
 //#region src/core/WebAuthnManager/index.ts
 init_IndexedDBManager();
+init_touchIdPrompt();
 init_accountIds();
+init_getDeviceNumber();
 /**
 * WebAuthnManager - Main orchestrator for WebAuthn operations
 *
@@ -535,6 +537,7 @@ var WebAuthnManager = class {
 	async storeUserData(userData) {
 		await IndexedDBManager.clientDB.storeWebAuthnUserData({
 			...userData,
+			deviceNumber: userData.deviceNumber ?? 1,
 			version: userData.version || 2
 		});
 	}
@@ -590,10 +593,12 @@ var WebAuthnManager = class {
 		return await IndexedDBManager.clientDB.registerUser(storeUserData);
 	}
 	async storeAuthenticator(authenticatorData) {
+		const deviceNumber = Number(authenticatorData.deviceNumber);
+		const normalizedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : 1;
 		const authData = {
 			...authenticatorData,
 			nearAccountId: toAccountId(authenticatorData.nearAccountId),
-			deviceNumber: authenticatorData.deviceNumber || 1
+			deviceNumber: normalizedDeviceNumber
 		};
 		return await IndexedDBManager.clientDB.storeAuthenticator(authData);
 	}