release(v4.6.1): bind globalThis.fetch in browser-receiver-sensitive call sites

Browsers' Window.fetch is a WebIDL bound operation; storing it as this.fetchImpl / this.fetchFn and calling via the instance receiver threw "Illegal invocation" on the first request. Bind once at construction in InboxClient, LongPollBridge, and SseBridge. Reported by Prism (multi-device E2EE terminal), blocking every browser consumer of the v4.6 transport stack on inbox.start() / bridge.connect(). WsBridge unaffected (uses WebSocket). Node/Bun fetch tolerates a free receiver, so the bug never surfaced server-side — added regression tests that install a strict-receiver globalThis.fetch to catch the issue without an actual browser harness. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 23:00:58 +02:00
parent 2c400d7094
commit 8746571d2a
31 changed files with 243 additions and 28 deletions
--- a/packages/shade-inbox/package.json
+++ b/packages/shade-inbox/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@shade/inbox",
-  "version": "4.6.0",
+  "version": "4.6.1",
  "type": "module",
  "main": "src/index.ts",
  "types": "src/index.ts",
--- a/packages/shade-inbox/src/client.ts
+++ b/packages/shade-inbox/src/client.ts
@@ -52,7 +52,14 @@ export class InboxClient {
  private readonly fetchImpl: typeof fetch;

  constructor(private readonly options: InboxClientOptions) {
-    this.fetchImpl = options.fetch ?? globalThis.fetch;
+    // Bind once. The browser's `globalThis.fetch` is a WebIDL bound
+    // operation that throws "Illegal invocation" when called as a method
+    // on another object (which is what `this.fetchImpl(...)` does).
+    // Node/Bun fetch tolerates a free receiver, but binding is harmless.
+    // A consumer-supplied `options.fetch` is bound to the global too —
+    // a fetch that requires a specific receiver must bind itself.
+    const f = options.fetch ?? globalThis.fetch;
+    this.fetchImpl = f.bind(globalThis);
  }

  /**
--- a/packages/shade-inbox/tests/client.test.ts
+++ b/packages/shade-inbox/tests/client.test.ts
@@ -281,3 +281,48 @@ describe('tamper detection', () => {
    expect(result.received).toBe(0);
  });
 });
+
+describe('InboxClient — default fetch is bound to globalThis', () => {
+  // Regression: browsers' `fetch` is a WebIDL bound operation that throws
+  // "Illegal invocation" when called as a method on another object. The
+  // class stores `fetchImpl` and calls `this.fetchImpl(...)`, which strips
+  // the Window receiver. Constructor must `bind(globalThis)`.
+  test('default path passes globalThis as `this` (no Illegal invocation)', async () => {
+    const realFetch = globalThis.fetch;
+    let observedReceiver: unknown = 'unset';
+    function strictFetch(this: unknown, _input: unknown, _init?: unknown): Promise<Response> {
+      observedReceiver = this;
+      if (this !== globalThis) {
+        throw new TypeError("Failed to execute 'fetch' on 'Window': Illegal invocation");
+      }
+      return Promise.resolve(
+        new Response('{}', {
+          status: 200,
+          headers: { 'content-type': 'application/json' },
+        }),
+      );
+    }
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: strictFetch,
+    });
+    try {
+      const id = await makeIdentity();
+      const client = new InboxClient({
+        baseUrl: 'http://example.invalid',
+        crypto,
+        signingPrivateKey: id.signingPrivateKey,
+        // No `fetch` override on purpose — this exercises the default path.
+      });
+      await client.register({ address: 'whoever', signingKey: id.signingPublicKey });
+      expect(observedReceiver).toBe(globalThis);
+    } finally {
+      Object.defineProperty(globalThis, 'fetch', {
+        configurable: true,
+        writable: true,
+        value: realFetch,
+      });
+    }
+  });
+});