@wvdsh/sdk-js 1.3.1 → 1.3.3

package/dist/index.d.ts

@@ -1139,8 +1139,12 @@ declare class WavedashSDK extends EventTarget {
      * fetcher wired into `ConvexClient.setAuth` and honors `forceRefresh` so the
      * server can invalidate a stale token.
      *
+     * Same-origin POST to /auth/refresh on the play domain — the
+     * gameplaySession cookie set by the play server during playKey exchange
+     * authenticates the request, so no cross-origin credentials handling needed.
+     *
      * Concurrent callers share a single in-flight fetch to avoid duplicate
-     * requests to the parent's gameplay-token endpoint.
+     * refresh round-trips.
      */
     private getAuthToken;
     /**
@@ -1150,8 +1154,11 @@ declare class WavedashSDK extends EventTarget {
      */
     ensureGameplayJwt(): Promise<string>;
     /**
-     * Set up listeners for page unload events to end gameplay session.
-     * Uses both beforeunload and pagehide for maximum reliability.
+     * Set up listeners that flush the end-of-session request when the iframe
+     * is going away. We listen for three signals:
+     *   - `beforeunload` / `pagehide` on our own window: covers tab close, hard
+     *     reload, and top-level navigation of the parent.
+     *   - `END_SESSION` postMessage from the parent: covers parent SPA navigation
      */
     private setupSessionEndListeners;
 }

package/dist/index.js

@@ -3033,18 +3033,13 @@ var WavedashLogger = class {
 };
 
 // src/utils/parentOrigin.ts
-function deriveParentOrigin() {
-  if (typeof window === "undefined") return "";
-  const iframeHost = window.location.host;
-  const match = iframeHost.match(/^[\w-]+\.(builds|local)\.(.+)$/);
-  if (match) {
-    const parentDomain = match[2];
-    return `${window.location.protocol}//${parentDomain}`;
-  }
-  console.error(`Invalid iframe hostname pattern: ${iframeHost}`);
-  return "";
+var _parentOrigin = "";
+function setParentOrigin(origin) {
+  _parentOrigin = origin;
+}
+function getParentOrigin() {
+  return _parentOrigin;
 }
-var parentOrigin = deriveParentOrigin();
 
 // src/utils/iframeMessenger.ts
 var RESPONSE_TIMEOUT_MS = 15e3;
@@ -3052,7 +3047,7 @@ var IFrameMessenger = class {
   constructor() {
     // Arrow function automatically captures 'this' from the class instance
     this.handleMessage = (event) => {
-      if (event.origin !== parentOrigin) {
+      if (event.origin !== getParentOrigin()) {
         if (event.source !== window) {
           console.warn(`Ignored message from untrusted origin: ${event.origin}`);
         }
@@ -3097,12 +3092,14 @@ var IFrameMessenger = class {
     this.listeners.get(type)?.delete(listener);
   }
   postToParent(requestType, data) {
+    const parentOrigin = getParentOrigin();
     if (typeof window === "undefined" || !parentOrigin) return false;
     window.parent.postMessage({ type: requestType, ...data }, parentOrigin);
     return true;
   }
   async requestFromParent(requestType, data) {
     return new Promise((resolve, reject) => {
+      const parentOrigin = getParentOrigin();
       if (typeof window === "undefined" || !parentOrigin) {
         reject(new Error("Parent origin not found"));
         return;
@@ -4175,8 +4172,12 @@ var WavedashSDK = class extends EventTarget {
    * fetcher wired into `ConvexClient.setAuth` and honors `forceRefresh` so the
    * server can invalidate a stale token.
    *
+   * Same-origin POST to /auth/refresh on the play domain — the
+   * gameplaySession cookie set by the play server during playKey exchange
+   * authenticates the request, so no cross-origin credentials handling needed.
+   *
    * Concurrent callers share a single in-flight fetch to avoid duplicate
-   * requests to the parent's gameplay-token endpoint.
+   * refresh round-trips.
    */
   getAuthToken(forceRefresh = false) {
     if (!forceRefresh && this.gameplayJwt) {
@@ -4186,14 +4187,12 @@ var WavedashSDK = class extends EventTarget {
       return this.gameplayJwtPromise;
     }
     const promise = (async () => {
-      const response = await fetch(
-        `${parentOrigin}/auth/gameplay_token/${this.gameCloudId}`,
-        {
-          credentials: "include"
-        }
-      );
+      const response = await fetch("/auth/refresh", {
+        method: "POST",
+        credentials: "same-origin"
+      });
       if (!response.ok) {
-        throw new Error(`Failed to fetch gameplay token: ${response.status}`);
+        throw new Error(`Failed to refresh gameplay token: ${response.status}`);
       }
       this.gameplayJwt = await response.text();
       return this.gameplayJwt;
@@ -4214,48 +4213,48 @@ var WavedashSDK = class extends EventTarget {
     return this.getAuthToken();
   }
   /**
-   * Set up listeners for page unload events to end gameplay session.
-   * Uses both beforeunload and pagehide for maximum reliability.
+   * Set up listeners that flush the end-of-session request when the iframe
+   * is going away. We listen for three signals:
+   *   - `beforeunload` / `pagehide` on our own window: covers tab close, hard
+   *     reload, and top-level navigation of the parent.
+   *   - `END_SESSION` postMessage from the parent: covers parent SPA navigation
    */
   setupSessionEndListeners() {
     const endSessionEndpoint = `${this.convexHttpUrl}/gameplay/end-session`;
-    void this.ensureGameplayJwt().then(
-      (jwt) => fetch(endSessionEndpoint, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${jwt}`
-        },
-        body: JSON.stringify({ _type: "warmup" })
-      })
-    ).catch(() => {
-    });
-    const endGameplaySession = (_event) => {
+    const endGameplaySession = () => {
       if (this.sessionEndSent) return;
+      if (!this.gameplayJwt) return;
       this.sessionEndSent = true;
       const pendingData = this.statsManager.getPendingData();
       this.lobbyManager.destroy();
       this.heartbeatManager.destroy();
       this.statsManager.destroy();
-      const sessionEndData = {};
+      const body = {
+        gameplayJwt: this.gameplayJwt
+      };
       if (pendingData?.stats?.length) {
-        sessionEndData.stats = pendingData.stats;
+        body.stats = pendingData.stats;
       }
       if (pendingData?.achievements?.length) {
-        sessionEndData.achievements = pendingData.achievements;
+        body.achievements = pendingData.achievements;
+      }
+      const payload = JSON.stringify(body);
+      const beaconSent = navigator?.sendBeacon?.(endSessionEndpoint, payload);
+      if (!beaconSent) {
+        fetch(endSessionEndpoint, {
+          method: "POST",
+          body: payload,
+          keepalive: true
+        }).catch(() => {
+        });
       }
-      fetch(endSessionEndpoint, {
-        method: "POST",
-        body: JSON.stringify(sessionEndData),
-        keepalive: true,
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${this.gameplayJwt}`
-        }
-      });
     };
     window.addEventListener("beforeunload", endGameplaySession);
     window.addEventListener("pagehide", endGameplaySession);
+    iframeMessenger.addEventListener(
+      IFRAME_MESSAGE_TYPE5.END_SESSION,
+      endGameplaySession
+    );
   }
 };
 function setupWavedashSDK() {
@@ -4278,6 +4277,7 @@ function setupWavedashSDK() {
       `Wavedash SDK: failed to parse ?${UrlParams.SdkConfig}= as JSON: ${message}`
     );
   }
+  setParentOrigin(sdkConfig.parentOrigin);
   const sdk = new WavedashSDK(sdkConfig);
   window.Wavedash = sdk;
   window.WavedashJS = sdk;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wvdsh/sdk-js",
-  "version": "1.3.1",
+  "version": "1.3.3",
   "type": "module",
   "description": "Wavedash JavaScript SDK",
   "main": "./dist/client.js",
@@ -49,7 +49,7 @@
     "typescript-eslint": "^8.52.0"
   },
   "dependencies": {
-    "@wvdsh/api": "^0.1.3",
+    "@wvdsh/api": "^0.1.10",
     "convex": "^1.34.0",
     "lodash.debounce": "^4.0.8"
   }