[WALLET-63] Remove PAR from browser distribution #13
Merged
Pushed Authorization Requests require sending the client_secret, so move
PAR (and client_secret handling) out of the browser-reachable base client
into the Node-only client. The browser distribution can no longer make PAR
requests or hold a secret.
Also:
- Right-size init() params per export: BrowserInitParams vs NodeInitParams,
with request-building fields validated at call time.
- Introduce a named TrustRoot ("development" | "production") for verification;
verify() requires it explicitly (no derivation from environment).
- camelCase consumer-authored params (clientId, callbackUri, responseMode,
loginHint, transactionData); map to snake_case at the wire boundary.
- ProofCredentialV1 exposes idiomatic property accessors instead of
zero-arg getter methods.
- Standardize thrown errors as strings.
- Update README to match the new API.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Pushed Authorization Requests (PAR) require sending the client_secret. This PR removes the ability to make PAR from the browser distribution so the secret can never be exposed front-channel — PAR (and client_secret handling) now lives only in the Node-only client. Verified against the built bundles: no PAR/client_secret/request_uri artifacts in the browser graph.
While reworking initialization, this also right-sizes the public API per export and tightens naming.
Changes
- pushAuthorizationRequest and client_secret out of the browser-reachable base_client.ts into node_client.ts. The browser's getAuthorizationRequestURL builds only the plain authorize URL.
- init() per export. BrowserInitParams (environment, clientId, callbackUri, responseMode?) vs NodeInitParams (all optional, two roles: verify + request-building). Required request-building fields are validated at call time with clear messages.
- TrustRoot = "development" | "production". verify/verifyVPToken require trustRoot explicitly — no derivation from environment. A verify-only server now passes one field instead of four irrelevant ones.
- clientId, callbackUri, responseMode, loginHint, transactionData), mapped to snake_case at the wire boundary.
- ProofCredentialV1 exposes idiomatic property accessors (cred.isOver18, get dateOfBirth) instead of zero-arg getter methods.
Breaking changes
Yes — renamed init/request fields, new init param shapes, verify now requires trustRoot, browser PAR removed, and ProofCredentialV1 accessors are properties. Warrants a minor version bump on release.
Testing
No unit test suite exists in this package and there is no test script, so the gate is:
- yarn check-all (format, lint, typecheck, publint) — passes.
- yarn build + browser-graph grep — no jose/@sd-jwt/@owf/node: leaks, and no PAR/client_secret artifacts in the browser bundle.
QA skip.
🤖 Generated with Claude Code
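The browser-graph grep named under Testing, written as a repeatable check. This is an added example, not code from this PR or its repository: the marker list comes from the PR text, while the names FORBIDDEN, scanBundle and checkBrowserGraph, the dist/browser.js path and both sample bundles are constructed for illustration.

```javascript
// Markers the PR says must not appear in the browser graph (taken from the PR text).
const FORBIDDEN = [
  { id: "client_secret", re: /client_secret/ },
  { id: "PAR", re: /pushAuthorizationRequest/ },
  { id: "request_uri", re: /request_uri/ },
  // Static, dynamic and CommonJS imports of the Node-only modules the PR lists.
  { id: "node-only import",
    re: /\b(?:from|import|require)\s*\(?\s*["'](?:node:[^"']+|jose(?:\/[^"']*)?|@sd-jwt\/[^"']+|@owf\/[^"']+)["']/ },
];

// Scan one built file; report every marker hit with its 1-based line number.
function scanBundle(file, source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const { id, re } of FORBIDDEN) {
      const m = re.exec(text);
      if (m) findings.push({ file, line: i + 1, id, match: m[0] });
    }
  });
  return findings;
}

// files: { path: contents } for every file in the browser export's module graph.
function checkBrowserGraph(files) {
  const findings = Object.entries(files).flatMap(([f, src]) => scanBundle(f, src));
  return { ok: findings.length === 0, findings };
}

// Constructed sample bundles (hypothetical contents, not the project's real output).
const CLEAN_BROWSER = { "dist/browser.js": [
  "export function getAuthorizationRequestURL(p){",
  "  const q = new URLSearchParams({client_id:p.clientId,response_mode:p.responseMode});",
  '  return p.authorizeEndpoint + "?" + q;',
  "}",
].join("\n") };
const LEAKY_BROWSER = { "dist/browser.js": [
  'import { SignJWT } from "jose";',
  "async function pushAuthorizationRequest(p){",
  "  const body = new URLSearchParams({client_id:p.clientId,client_secret:p.clientSecret});",
  '  return (await fetch(p.parEndpoint,{method:"POST",body})).json(); // -> request_uri',
  "}",
].join("\n") };

for (const [name, files] of [["clean", CLEAN_BROWSER], ["leaky", LEAKY_BROWSER]]) {
  const { ok, findings } = checkBrowserGraph(files);
  console.log(name, ok ? "PASS" : "FAIL", findings.map((f) => `${f.file}:${f.line} ${f.id}`));
}
```

In CI, build the map from the files emitted by yarn build for the browser export and fail the job when ok is false.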