chore: don't override auth token / client id when hitting in app wallet url

ElasticBottle · ElasticBottle · commit 9663fc7c137d · 2024-10-10T01:50:43.000+08:00
diff --git a/packages/thirdweb/src/utils/fetch.ts b/packages/thirdweb/src/utils/fetch.ts
@@ -47,7 +47,7 @@ export function getClientFetch(client: ThirdwebClient, ecosystem?: Ecosystem) {
 
       // if we have an auth token set, use that (thirdweb.com/dashboard sets this for the user)
       // pay urls should never send the auth token, because we always want the "developer" to be the one making the request, not the "end user"
-      if (authToken && !isPayUrl(url)) {
+      if (authToken && !isPayUrl(url) && !isInAppWalletUrl(url)) {
         headers.set("authorization", `Bearer ${authToken}`);
       } else if (secretKey) {
         headers.set("x-secret-key", secretKey);
@@ -140,6 +140,19 @@ function isPayUrl(url: string): boolean {
   }
 }
 
+function isInAppWalletUrl(url: string): boolean {
+  try {
+    const { hostname } = new URL(url);
+    // pay service hostname always starts with "pay."
+    return (
+      hostname.startsWith("in-app-wallet.") ||
+      hostname.startsWith("embedded-wallet.")
+    );
+  } catch {
+    return false;
+  }
+}
+
 const SDK_NAME = "unified-sdk";
 
 let previousPlatform: [string, string][] | undefined;
