diff --git a/packages/@magic-ext/oauth2/src/index.ts b/packages/@magic-ext/oauth2/src/index.ts index da60a5f02..4f25a7212 100644 --- a/packages/@magic-ext/oauth2/src/index.ts +++ b/packages/@magic-ext/oauth2/src/index.ts @@ -78,6 +78,7 @@ export class OAuthExtension extends Extension.Internal<'oauth2'> { // New path: store codeVerifier + all OAuth metadata at the SDK (parent page) level. // sessionStorage persists across same-tab redirects but never enters the iframe. sessionStorage.setItem(PKCE_STORAGE_KEY, JSON.stringify({ codeVerifier, ...successResult.pkceMetadata })); + localStorage.setItem(PKCE_STORAGE_KEY, JSON.stringify({ codeVerifier, ...successResult.pkceMetadata })); } if (successResult?.oauthAuthoriationURI) { @@ -213,8 +214,18 @@ export class OAuthExtension extends Extension.Internal<'oauth2'> { const promiEvent = this.utils.createPromiEvent( async (resolve, reject) => { + if (!clientMetadata) { + return reject( + this.createError( + 'MISSING_PKCE_METADATA', + 'OAuth session metadata not found — the session may have expired or storage was cleared', + {}, + ), + ); + } + if (hasStateMismatch) { - reject( + return reject( this.createError( 'STATE_MISMATCH', 'OAuth state parameter mismatch — request may have been tampered with', 
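Review bot: The added `localStorage.setItem` puts the PKCE `codeVerifier` and state into storage that outlives the tab and is shared by every same-origin tab. Nothing visible bounds its lifetime: the only removal is on the callback path in the third hunk, so an abandoned login leaves the verifier behind. Both copies use the single `PKCE_STORAGE_KEY`, so a login started in a second tab overwrites the first tab's fallback entry. I would serialize once, add a timestamp to the stored object (`createdAt: Date.now()`) so the read side can discard old entries, and extend the comment above, which still describes only sessionStorage, with something like `// localStorage copy is a fallback only: it is shared across tabs and survives tab close, so it must be cleared on callback.` The enclosing method starts and ends outside the hunk.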
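Review bot: The new `MISSING_PKCE_METADATA` guard rejects every call where `clientMetadata` is undefined, but the comment kept in the third hunk still documents that case as supported (`When absent (old embedded-wallet path), the handler falls back to its stored metadata`). If the old path is retired, that comment should change in the same commit. If it is not, this guard fails logins that rely on the iframe-stored metadata. A comment on the guard saying which applies would settle it, e.g. `// No iframe fallback any more: without SDK-level metadata the callback cannot be verified.` The callback body continues past the end of the hunk.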
@@ -313,13 +324,19 @@ export class OAuthExtension extends Extension.Internal<'oauth2'> { } { let hasStateMismatch = false; // Retrieve and immediately clear the full PKCE metadata stored at SDK level. - const stored = sessionStorage.getItem(PKCE_STORAGE_KEY); + const storedInSession = sessionStorage.getItem(PKCE_STORAGE_KEY); + const storedInLocal = localStorage.getItem(PKCE_STORAGE_KEY); sessionStorage.removeItem(PKCE_STORAGE_KEY); + localStorage.removeItem(PKCE_STORAGE_KEY); // clientMetadata contains { codeVerifier, state, redirectUri, appID, provider }. // Forwarding it lets the embedded-wallet verify handler skip its iframe storage entirely. // When absent (old embedded-wallet path), the handler falls back to its stored metadata. - const clientMetadata = stored ? (JSON.parse(stored) as Record) : undefined; + const clientMetadata = storedInSession + ? (JSON.parse(storedInSession) as Record) + : storedInLocal + ? (JSON.parse(storedInLocal) as Record) + : undefined; // State verification for the new PKCE path. // The extension generated the state, so it verifies it here — before any RPC call — as CSRF protection. diff --git a/yarn.lock b/yarn.lock index cb13fe094..a89ab255a 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3299,7 +3299,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/algorand@workspace:packages/@magic-ext/algorand" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3308,7 +3308,7 @@ __metadata: resolution: "@magic-ext/aptos@workspace:packages/@magic-ext/aptos" dependencies: "@aptos-labs/wallet-adapter-core": ^7.10.1 - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 aptos: ^1.22.1 peerDependencies: "@aptos-labs/wallet-adapter-core": ^7.10.1 
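Review bot: `JSON.parse` runs on both storage values with no guard, so a malformed or truncated entry appears to throw from this helper instead of producing the `MISSING_PKCE_METADATA` rejection added in the second hunk. That matters more now that the value can come from localStorage, which another tab, an older SDK build or any other script on the origin may have written. The `as Record` cast also accepts any JSON shape; checking that `codeVerifier` and `state` are strings keeps a stale or foreign entry from being forwarded to the verify handler. The sketch below treats an unparsable or incomplete entry as absent; the `Record` type arguments are not visible on this page, so it uses `unknown`. The enclosing function starts and ends outside the hunk.

```typescript
// … unchanged: read storedInSession / storedInLocal and remove both entries …
const parseStored = (raw: string | null): Record<string, unknown> | undefined => {
  if (!raw) return undefined;
  try {
    const parsed: unknown = JSON.parse(raw);
    if (typeof parsed !== 'object' || parsed === null) return undefined;
    const candidate = parsed as Record<string, unknown>;
    // Only accept entries that carry the fields the verify step depends on.
    return typeof candidate.codeVerifier === 'string' && typeof candidate.state === 'string'
      ? candidate
      : undefined;
  } catch {
    // Corrupted storage is treated the same as missing storage.
    return undefined;
  }
};
const clientMetadata = parseStored(storedInSession) ?? parseStored(storedInLocal);
// … unchanged: state verification for the new PKCE path …
```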
@@ -3320,7 +3320,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/avalanche@workspace:packages/@magic-ext/avalanche" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3328,7 +3328,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/bitcoin@workspace:packages/@magic-ext/bitcoin" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3336,7 +3336,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/conflux@workspace:packages/@magic-ext/conflux" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3344,7 +3344,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/cosmos@workspace:packages/@magic-ext/cosmos" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3352,7 +3352,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/ed25519@workspace:packages/@magic-ext/ed25519" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3360,8 +3360,8 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/evm@workspace:packages/@magic-ext/evm" dependencies: - "@magic-sdk/provider": ^33.4.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/provider": ^33.5.0 + "@magic-sdk/types": ^27.5.0 languageName: unknown linkType: soft @@ -3369,8 +3369,8 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/farcaster@workspace:packages/@magic-ext/farcaster" dependencies: - "@magic-sdk/provider": ^33.4.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/provider": ^33.5.0 + "@magic-sdk/types": ^27.5.0 languageName: unknown linkType: soft 
@@ -3378,7 +3378,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/flow@workspace:packages/@magic-ext/flow" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 "@onflow/fcl": ^1.4.1 "@onflow/types": ^1.1.0 peerDependencies: @@ -3391,8 +3391,8 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/gdkms@workspace:packages/@magic-ext/gdkms" dependencies: - "@magic-sdk/provider": ^33.4.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/provider": ^33.5.0 + "@magic-sdk/types": ^27.5.0 languageName: unknown linkType: soft @@ -3400,7 +3400,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/harmony@workspace:packages/@magic-ext/harmony" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3408,7 +3408,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/hedera@workspace:packages/@magic-ext/hedera" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 peerDependencies: "@hashgraph/sdk": ^2.31.0 languageName: unknown @@ -3418,7 +3418,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/icon@workspace:packages/@magic-ext/icon" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3426,7 +3426,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/kadena@workspace:packages/@magic-ext/kadena" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3434,7 +3434,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/near@workspace:packages/@magic-ext/near" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft 
@@ -3442,7 +3442,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/oauth2@workspace:packages/@magic-ext/oauth2" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 "@types/crypto-js": 4.2.0 crypto-js: ^4.2.0 languageName: unknown @@ -3452,7 +3452,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/oidc@workspace:packages/@magic-ext/oidc" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3460,7 +3460,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/polkadot@workspace:packages/@magic-ext/polkadot" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3468,8 +3468,8 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/react-native-bare-oauth@workspace:packages/@magic-ext/react-native-bare-oauth" dependencies: - "@magic-sdk/react-native-bare": ^34.2.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/react-native-bare": ^34.3.0 + "@magic-sdk/types": ^27.5.0 "@types/crypto-js": 4.2.0 crypto-js: ^4.2.0 react-native-inappbrowser-reborn: ^3.7.0 @@ -3483,8 +3483,8 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/react-native-expo-oauth@workspace:packages/@magic-ext/react-native-expo-oauth" dependencies: - "@magic-sdk/react-native-expo": ^34.2.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/react-native-expo": ^34.3.0 + "@magic-sdk/types": ^27.5.0 "@react-native-async-storage/async-storage": ^2.1.2 "@types/crypto-js": ~4.2.0 crypto-js: ^4.2.0 @@ -3500,7 +3500,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/siwe@workspace:packages/@magic-ext/siwe" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 ethers: ^6.0.0 siwe: ^3.0.0 peerDependencies: 
@@ -3512,7 +3512,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/solana@workspace:packages/@magic-ext/solana" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 "@solana/web3.js": ^1.87.2 peerDependencies: "@solana/web3.js": ^1.87.2 @@ -3523,7 +3523,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/sui@workspace:packages/@magic-ext/sui" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3531,7 +3531,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/taquito@workspace:packages/@magic-ext/taquito" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3539,7 +3539,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/terra@workspace:packages/@magic-ext/terra" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3547,7 +3547,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/tezos@workspace:packages/@magic-ext/tezos" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft @@ -3555,8 +3555,8 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/wallet-kit@workspace:packages/@magic-ext/wallet-kit" dependencies: - "@magic-sdk/provider": ^33.4.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/provider": ^33.5.0 + "@magic-sdk/types": ^27.5.0 "@magiclabs/ui-components": ^1.49.3 "@pandacss/dev": ^0.35.0 "@reown/appkit": ^1.8.0 @@ -3589,7 +3589,7 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/webauthn@workspace:packages/@magic-ext/webauthn" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft 
@@ -3597,16 +3597,16 @@ __metadata: version: 0.0.0-use.local resolution: "@magic-ext/zilliqa@workspace:packages/@magic-ext/zilliqa" dependencies: - "@magic-sdk/provider": ^33.4.1 + "@magic-sdk/provider": ^33.5.0 languageName: unknown linkType: soft -"@magic-sdk/provider@^33.4.1, @magic-sdk/provider@workspace:packages/@magic-sdk/provider": +"@magic-sdk/provider@^33.5.0, @magic-sdk/provider@workspace:packages/@magic-sdk/provider": version: 0.0.0-use.local resolution: "@magic-sdk/provider@workspace:packages/@magic-sdk/provider" dependencies: "@babel/plugin-transform-modules-commonjs": ^7.9.6 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/types": ^27.5.0 eventemitter3: ^4.0.4 localforage: ^1.7.4 tslib: ^2.3.1 @@ -3615,13 +3615,13 @@ __metadata: languageName: unknown linkType: soft -"@magic-sdk/react-native-bare@^34.2.1, @magic-sdk/react-native-bare@workspace:packages/@magic-sdk/react-native-bare": +"@magic-sdk/react-native-bare@^34.3.0, @magic-sdk/react-native-bare@workspace:packages/@magic-sdk/react-native-bare": version: 0.0.0-use.local resolution: "@magic-sdk/react-native-bare@workspace:packages/@magic-sdk/react-native-bare" dependencies: "@aveq-research/localforage-asyncstorage-driver": ^3.0.1 - "@magic-sdk/provider": ^33.4.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/provider": ^33.5.0 + "@magic-sdk/types": ^27.5.0 "@magiclabs/react-native-device-crypto": ^0.1.1 "@react-native-async-storage/async-storage": ^2.1.2 "@react-native-community/netinfo": ">11.0.0" 
@@ -3656,13 +3656,13 @@ __metadata: languageName: unknown linkType: soft -"@magic-sdk/react-native-expo@^34.2.1, @magic-sdk/react-native-expo@workspace:packages/@magic-sdk/react-native-expo": +"@magic-sdk/react-native-expo@^34.3.0, @magic-sdk/react-native-expo@workspace:packages/@magic-sdk/react-native-expo": version: 0.0.0-use.local resolution: "@magic-sdk/react-native-expo@workspace:packages/@magic-sdk/react-native-expo" dependencies: "@aveq-research/localforage-asyncstorage-driver": ^3.0.1 - "@magic-sdk/provider": ^33.4.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/provider": ^33.5.0 + "@magic-sdk/types": ^27.5.0 "@react-native-async-storage/async-storage": ^1.15.5 "@react-native-community/netinfo": ">11.0.0" "@react-native/assets-registry": ^0.78.2 @@ -3696,7 +3696,7 @@ __metadata: languageName: unknown linkType: soft -"@magic-sdk/types@^27.4.0, @magic-sdk/types@workspace:packages/@magic-sdk/types": +"@magic-sdk/types@^27.5.0, @magic-sdk/types@workspace:packages/@magic-sdk/types": version: 0.0.0-use.local resolution: "@magic-sdk/types@workspace:packages/@magic-sdk/types" languageName: unknown @@ -19224,8 +19224,8 @@ __metadata: version: 0.0.0-use.local resolution: "magic-sdk@workspace:packages/magic-sdk" dependencies: - "@magic-sdk/provider": ^33.4.1 - "@magic-sdk/types": ^27.4.0 + "@magic-sdk/provider": ^33.5.0 + "@magic-sdk/types": ^27.5.0 localforage: ^1.7.4 languageName: unknown linkType: soft