@0xsequence/wallet-core 0.0.0-20250520201059

package/src/relayer/pk-relayer.ts

@@ -0,0 +1,110 @@
+import { Payload } from '@0xsequence/wallet-primitives'
+import { Address, Hex, Provider, Secp256k1, TransactionEnvelopeEip1559, TransactionReceipt } from 'ox'
+import { LocalRelayer } from './local.js'
+import { FeeOption, FeeQuote, OperationStatus, Relayer } from './relayer.js'
+
+export class PkRelayer implements Relayer {
+  public readonly id = 'pk'
+  private readonly relayer: LocalRelayer
+
+  constructor(
+    privateKey: Hex.Hex,
+    private readonly provider: Provider.Provider,
+  ) {
+    const relayerAddress = Address.fromPublicKey(Secp256k1.getPublicKey({ privateKey }))
+    this.relayer = new LocalRelayer({
+      sendTransaction: async (args, chainId) => {
+        const providerChainId = BigInt(await this.provider.request({ method: 'eth_chainId' }))
+        if (providerChainId !== chainId) {
+          throw new Error('Provider chain id does not match relayer chain id')
+        }
+
+        const oxArgs = { ...args, to: args.to as `0x${string}`, data: args.data as `0x${string}` }
+        // Estimate gas with a safety buffer
+        const estimatedGas = BigInt(await this.provider.request({ method: 'eth_estimateGas', params: [oxArgs] }))
+        const safeGasLimit = estimatedGas > 21000n ? (estimatedGas * 12n) / 10n : 50000n
+
+        // Get base fee and priority fee
+        const baseFee = BigInt(await this.provider.request({ method: 'eth_gasPrice' }))
+        const priorityFee = 100000000n // 0.1 gwei priority fee
+        const maxFeePerGas = baseFee + priorityFee
+
+        // Check sender have enough balance
+        const senderBalance = BigInt(
+          await this.provider.request({ method: 'eth_getBalance', params: [relayerAddress, 'latest'] }),
+        )
+        if (senderBalance < maxFeePerGas * safeGasLimit) {
+          console.log('Sender balance:', senderBalance.toString(), 'wei')
+          throw new Error('Sender has insufficient balance to pay for gas')
+        }
+        const nonce = BigInt(
+          await this.provider.request({
+            method: 'eth_getTransactionCount',
+            params: [relayerAddress, 'latest'],
+          }),
+        )
+
+        // Build the relay envelope
+        const relayEnvelope = TransactionEnvelopeEip1559.from({
+          chainId: Number(chainId),
+          type: 'eip1559',
+          from: relayerAddress,
+          to: oxArgs.to,
+          data: oxArgs.data,
+          gas: safeGasLimit,
+          maxFeePerGas: maxFeePerGas,
+          maxPriorityFeePerGas: priorityFee,
+          nonce: nonce,
+          value: 0n,
+        })
+        const relayerSignature = Secp256k1.sign({
+          payload: TransactionEnvelopeEip1559.getSignPayload(relayEnvelope),
+          privateKey: privateKey,
+        })
+        const signedRelayEnvelope = TransactionEnvelopeEip1559.from(relayEnvelope, {
+          signature: relayerSignature,
+        })
+        const tx = await this.provider.request({
+          method: 'eth_sendRawTransaction',
+          params: [TransactionEnvelopeEip1559.serialize(signedRelayEnvelope)],
+        })
+        return tx
+      },
+      getTransactionReceipt: async (txHash: string, chainId: bigint) => {
+        Hex.assert(txHash)
+
+        const providerChainId = BigInt(await this.provider.request({ method: 'eth_chainId' }))
+        if (providerChainId !== chainId) {
+          throw new Error('Provider chain id does not match relayer chain id')
+        }
+
+        const rpcReceipt = await this.provider.request({ method: 'eth_getTransactionReceipt', params: [txHash] })
+        if (!rpcReceipt) {
+          return 'unknown'
+        }
+        const receipt = TransactionReceipt.fromRpc(rpcReceipt)
+        return receipt.status === 'success' ? 'success' : 'failed'
+      },
+    })
+  }
+
+  feeOptions(
+    wallet: Address.Address,
+    chainId: bigint,
+    calls: Payload.Call[],
+  ): Promise<{ options: FeeOption[]; quote?: FeeQuote }> {
+    return this.relayer.feeOptions(wallet, chainId, calls)
+  }
+
+  async relay(to: Address.Address, data: Hex.Hex, chainId: bigint, _?: FeeQuote): Promise<{ opHash: Hex.Hex }> {
+    const providerChainId = BigInt(await this.provider.request({ method: 'eth_chainId' }))
+    if (providerChainId !== chainId) {
+      throw new Error('Provider chain id does not match relayer chain id')
+    }
+    return this.relayer.relay(to, data, chainId)
+  }
+
+  status(opHash: Hex.Hex, chainId: bigint): Promise<OperationStatus> {
+    return this.relayer.status(opHash, chainId)
+  }
+}

package/src/relayer/relayer.ts

@@ -0,0 +1,52 @@
+import { Payload } from '@0xsequence/wallet-primitives'
+import { Address, Hex } from 'ox'
+
+export interface FeeOption {
+  token: Address.Address
+  to: string
+  value: string
+  gasLimit: number
+}
+
+export interface FeeQuote {
+  _tag: 'FeeQuote'
+  _quote: unknown
+}
+
+export type OperationUknownStatus = {
+  status: 'unknown'
+}
+
+export type OperationPendingStatus = {
+  status: 'pending'
+}
+
+export type OperationConfirmedStatus = {
+  status: 'confirmed'
+  transactionHash: Hex.Hex
+}
+
+export type OperationFailedStatus = {
+  status: 'failed'
+  reason: string
+}
+
+export type OperationStatus =
+  | OperationUknownStatus
+  | OperationPendingStatus
+  | OperationConfirmedStatus
+  | OperationFailedStatus
+
+export interface Relayer {
+  id: string
+
+  feeOptions(
+    wallet: Address.Address,
+    chainId: bigint,
+    calls: Payload.Call[],
+  ): Promise<{ options: FeeOption[]; quote?: FeeQuote }>
+
+  relay(to: Address.Address, data: Hex.Hex, chainId: bigint, quote?: FeeQuote): Promise<{ opHash: Hex.Hex }>
+
+  status(opHash: Hex.Hex, chainId: bigint): Promise<OperationStatus>
+}

package/src/signers/index.ts

@@ -0,0 +1,44 @@
+import { Config, Payload, Signature } from '@0xsequence/wallet-primitives'
+import { Address, Hex } from 'ox'
+import * as State from '../state/index.js'
+
+export * as Pk from './pk/index.js'
+export * as Passkey from './passkey.js'
+export * as Session from './session/index.js'
+export * from './session-manager.js'
+
+export interface Signer {
+  readonly address: MaybePromise<Address.Address>
+
+  sign: (
+    wallet: Address.Address,
+    chainId: bigint,
+    payload: Payload.Parented,
+  ) => Config.SignerSignature<Signature.SignatureOfSignerLeaf>
+}
+
+export interface SapientSigner {
+  readonly address: MaybePromise<Address.Address>
+  readonly imageHash: MaybePromise<Hex.Hex | undefined>
+
+  signSapient: (
+    wallet: Address.Address,
+    chainId: bigint,
+    payload: Payload.Parented,
+    imageHash: Hex.Hex,
+  ) => Config.SignerSignature<Signature.SignatureOfSapientSignerLeaf>
+}
+
+export interface Witnessable {
+  witness: (stateWriter: State.Writer, wallet: Address.Address, extra?: Object) => Promise<void>
+}
+
+type MaybePromise<T> = T | Promise<T>
+
+export function isSapientSigner(signer: Signer | SapientSigner): signer is SapientSigner {
+  return 'signSapient' in signer
+}
+
+export function isSigner(signer: Signer | SapientSigner): signer is Signer {
+  return 'sign' in signer
+}

package/src/signers/passkey.ts

@@ -0,0 +1,284 @@
+import { Hex, Bytes, Address, P256, Hash } from 'ox'
+import { Payload, Extensions } from '@0xsequence/wallet-primitives'
+import type { Signature as SignatureTypes } from '@0xsequence/wallet-primitives'
+import { WebAuthnP256 } from 'ox'
+import { State } from '../index.js'
+import { SapientSigner, Witnessable } from './index.js'
+
+export type PasskeyOptions = {
+  extensions: Pick<Extensions.Extensions, 'passkeys'>
+  publicKey: Extensions.Passkeys.PublicKey
+  credentialId: string
+  embedMetadata?: boolean
+  metadata?: Extensions.Passkeys.PasskeyMetadata
+}
+
+export type CreaetePasskeyOptions = {
+  stateProvider?: State.Provider
+  requireUserVerification?: boolean
+  credentialName?: string
+  embedMetadata?: boolean
+}
+
+export type WitnessMessage = {
+  action: 'consent-to-be-part-of-wallet'
+  wallet: Address.Address
+  publicKey: Extensions.Passkeys.PublicKey
+  timestamp: number
+  metadata?: Extensions.Passkeys.PasskeyMetadata
+}
+
+export function isWitnessMessage(message: unknown): message is WitnessMessage {
+  return (
+    typeof message === 'object' &&
+    message !== null &&
+    'action' in message &&
+    message.action === 'consent-to-be-part-of-wallet'
+  )
+}
+
+export class Passkey implements SapientSigner, Witnessable {
+  public readonly credentialId: string
+
+  public readonly publicKey: Extensions.Passkeys.PublicKey
+  public readonly address: Address.Address
+  public readonly imageHash: Hex.Hex
+  public readonly embedMetadata: boolean
+  public readonly metadata?: Extensions.Passkeys.PasskeyMetadata
+
+  constructor(options: PasskeyOptions) {
+    this.address = options.extensions.passkeys
+    this.publicKey = options.publicKey
+    this.credentialId = options.credentialId
+    this.embedMetadata = options.embedMetadata ?? false
+    this.imageHash = Extensions.Passkeys.rootFor(options.publicKey)
+    this.metadata = options.metadata
+  }
+
+  static async loadFromWitness(
+    stateReader: State.Reader,
+    extensions: Pick<Extensions.Extensions, 'passkeys'>,
+    wallet: Address.Address,
+    imageHash: Hex.Hex,
+  ) {
+    // In the witness we will find the public key, and may find the credential id
+    const witness = await stateReader.getWitnessForSapient(wallet, extensions.passkeys, imageHash)
+    if (!witness) {
+      throw new Error('Witness for wallet not found')
+    }
+
+    const payload = witness.payload
+    if (!Payload.isMessage(payload)) {
+      throw new Error('Witness payload is not a message')
+    }
+
+    const message = JSON.parse(Hex.toString(payload.message))
+    if (!isWitnessMessage(message)) {
+      throw new Error('Witness payload is not a witness message')
+    }
+
+    const metadata = message.publicKey.metadata || message.metadata
+    if (typeof metadata === 'string' || !metadata) {
+      throw new Error('Metadata does not contain credential id')
+    }
+
+    const decodedSignature = Extensions.Passkeys.decode(Bytes.fromHex(witness.signature.data))
+
+    return new Passkey({
+      credentialId: metadata.credentialId,
+      extensions,
+      publicKey: message.publicKey,
+      embedMetadata: decodedSignature.embedMetadata,
+      metadata,
+    })
+  }
+
+  static async create(extensions: Pick<Extensions.Extensions, 'passkeys'>, options?: CreaetePasskeyOptions) {
+    const name = options?.credentialName ?? `Sequence (${Date.now()})`
+
+    const credential = await WebAuthnP256.createCredential({
+      user: {
+        name,
+      },
+    })
+
+    const x = Hex.fromNumber(credential.publicKey.x)
+    const y = Hex.fromNumber(credential.publicKey.y)
+
+    const metadata = {
+      credentialId: credential.id,
+    }
+
+    const passkey = new Passkey({
+      credentialId: credential.id,
+      extensions,
+      publicKey: {
+        requireUserVerification: options?.requireUserVerification ?? true,
+        x,
+        y,
+        metadata: options?.embedMetadata ? metadata : undefined,
+      },
+      embedMetadata: options?.embedMetadata,
+      metadata,
+    })
+
+    if (options?.stateProvider) {
+      await options.stateProvider.saveTree(Extensions.Passkeys.toTree(passkey.publicKey))
+    }
+
+    return passkey
+  }
+
+  static async find(
+    stateReader: State.Reader,
+    extensions: Pick<Extensions.Extensions, 'passkeys'>,
+  ): Promise<Passkey | undefined> {
+    const response = await WebAuthnP256.sign({ challenge: Hex.random(32) })
+    if (!response.raw) throw new Error('No credential returned')
+
+    const authenticatorDataBytes = Bytes.fromHex(response.metadata.authenticatorData)
+    const clientDataHash = Hash.sha256(Bytes.fromString(response.metadata.clientDataJSON), { as: 'Bytes' })
+    const messageSignedByAuthenticator = Bytes.concat(authenticatorDataBytes, clientDataHash)
+
+    const messageHash = Hash.sha256(messageSignedByAuthenticator, { as: 'Bytes' }) // Use Bytes output
+
+    const publicKey1 = P256.recoverPublicKey({
+      payload: messageHash,
+      signature: {
+        r: BigInt(response.signature.r),
+        s: BigInt(response.signature.s),
+        yParity: 0,
+      },
+    })
+
+    const publicKey2 = P256.recoverPublicKey({
+      payload: messageHash,
+      signature: {
+        r: BigInt(response.signature.r),
+        s: BigInt(response.signature.s),
+        yParity: 1,
+      },
+    })
+
+    // Compute the imageHash for all public key combinations
+    // - requireUserVerification: true / false
+    // - embedMetadata: true / false
+
+    const base1 = {
+      x: Hex.fromNumber(publicKey1.x),
+      y: Hex.fromNumber(publicKey1.y),
+    }
+
+    const base2 = {
+      x: Hex.fromNumber(publicKey2.x),
+      y: Hex.fromNumber(publicKey2.y),
+    }
+
+    const metadata = {
+      credentialId: response.raw.id,
+    }
+
+    const imageHashes = [
+      Extensions.Passkeys.rootFor({ ...base1, requireUserVerification: true }),
+      Extensions.Passkeys.rootFor({ ...base1, requireUserVerification: false }),
+      Extensions.Passkeys.rootFor({ ...base1, requireUserVerification: true, metadata }),
+      Extensions.Passkeys.rootFor({ ...base1, requireUserVerification: false, metadata }),
+      Extensions.Passkeys.rootFor({ ...base2, requireUserVerification: true }),
+      Extensions.Passkeys.rootFor({ ...base2, requireUserVerification: false }),
+      Extensions.Passkeys.rootFor({ ...base2, requireUserVerification: true, metadata }),
+      Extensions.Passkeys.rootFor({ ...base2, requireUserVerification: false, metadata }),
+    ]
+
+    // Find wallets for all possible image hashes
+    const signers = await Promise.all(
+      imageHashes.map(async (imageHash) => {
+        const wallets = await stateReader.getWalletsForSapient(extensions.passkeys, imageHash)
+        return Object.keys(wallets).map((wallet) => ({
+          wallet: Address.from(wallet),
+          imageHash,
+        }))
+      }),
+    )
+
+    // Flatten and remove duplicates
+    const flattened = signers
+      .flat()
+      .filter(
+        (v, i, self) => self.findIndex((t) => Address.isEqual(t.wallet, v.wallet) && t.imageHash === v.imageHash) === i,
+      )
+
+    // If there are no signers, return undefined
+    if (flattened.length === 0) {
+      return undefined
+    }
+
+    // If there are multiple signers log a warning
+    // but we still return the first one
+    if (flattened.length > 1) {
+      console.warn('Multiple signers found for passkey', flattened)
+    }
+
+    return Passkey.loadFromWitness(stateReader, extensions, flattened[0]!.wallet, flattened[0]!.imageHash)
+  }
+
+  async signSapient(
+    wallet: Address.Address,
+    chainId: bigint,
+    payload: Payload.Parented,
+    imageHash: Hex.Hex,
+  ): Promise<SignatureTypes.SignatureOfSapientSignerLeaf> {
+    if (this.imageHash !== imageHash) {
+      // TODO: This should never get called, why do we have this?
+      throw new Error('Unexpected image hash')
+    }
+
+    const challenge = Hex.fromBytes(Payload.hash(wallet, chainId, payload))
+
+    const response = await WebAuthnP256.sign({
+      challenge,
+      credentialId: this.credentialId,
+      userVerification: this.publicKey.requireUserVerification ? 'required' : 'discouraged',
+    })
+
+    const authenticatorData = Bytes.fromHex(response.metadata.authenticatorData)
+    const rBytes = Bytes.fromNumber(response.signature.r)
+    const sBytes = Bytes.fromNumber(response.signature.s)
+
+    const signature = Extensions.Passkeys.encode({
+      publicKey: this.publicKey,
+      r: rBytes,
+      s: sBytes,
+      authenticatorData,
+      clientDataJSON: response.metadata.clientDataJSON,
+      embedMetadata: this.embedMetadata,
+    })
+
+    return {
+      address: this.address,
+      data: Bytes.toHex(signature),
+      type: 'sapient_compact',
+    }
+  }
+
+  async witness(stateWriter: State.Writer, wallet: Address.Address, extra?: Object): Promise<void> {
+    const payload = Payload.fromMessage(
+      Hex.fromString(
+        JSON.stringify({
+          action: 'consent-to-be-part-of-wallet',
+          wallet,
+          publicKey: this.publicKey,
+          metadata: this.metadata,
+          timestamp: Date.now(),
+          ...extra,
+        } as WitnessMessage),
+      ),
+    )
+
+    const signature = await this.signSapient(wallet, 0n, payload, this.imageHash)
+    await stateWriter.saveWitnesses(wallet, 0n, payload, {
+      type: 'unrecovered-signer',
+      weight: 1n,
+      signature,
+    })
+  }
+}

package/src/signers/pk/encrypted.ts

@@ -0,0 +1,153 @@
+import { Hex, Address, PublicKey, Secp256k1, Bytes } from 'ox'
+import { PkStore } from './index.js'
+
+export interface EncryptedData {
+  iv: Uint8Array
+  data: ArrayBuffer
+  keyPointer: string
+  address: Address.Address
+  publicKey: PublicKey.PublicKey
+}
+
+export class EncryptedPksDb {
+  private tableName: string
+  private dbName: string = 'pk-db'
+  private dbVersion: number = 1
+
+  constructor(
+    private readonly localStorageKeyPrefix: string = 'e_pk_key_',
+    tableName: string = 'e_pk',
+  ) {
+    this.tableName = tableName
+  }
+
+  private openDB(): Promise<IDBDatabase> {
+    return new Promise((resolve, reject) => {
+      const request = indexedDB.open(this.dbName, this.dbVersion)
+      request.onupgradeneeded = () => {
+        const db = request.result
+        if (!db.objectStoreNames.contains(this.tableName)) {
+          db.createObjectStore(this.tableName)
+        }
+      }
+      request.onsuccess = () => resolve(request.result)
+      request.onerror = () => reject(request.error)
+    })
+  }
+
+  private async putData(key: string, value: any): Promise<void> {
+    const db = await this.openDB()
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.tableName, 'readwrite')
+      const store = tx.objectStore(this.tableName)
+      const request = store.put(value, key)
+      request.onsuccess = () => resolve()
+      request.onerror = () => reject(request.error)
+    })
+  }
+
+  private async getData<T>(key: string): Promise<T | undefined> {
+    const db = await this.openDB()
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.tableName, 'readonly')
+      const store = tx.objectStore(this.tableName)
+      const request = store.get(key)
+      request.onsuccess = () => resolve(request.result)
+      request.onerror = () => reject(request.error)
+    })
+  }
+
+  private async getAllData<T>(): Promise<T[]> {
+    const db = await this.openDB()
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.tableName, 'readonly')
+      const store = tx.objectStore(this.tableName)
+      const request = store.getAll()
+      request.onsuccess = () => resolve(request.result)
+      request.onerror = () => reject(request.error)
+    })
+  }
+
+  async generateAndStore(): Promise<EncryptedData> {
+    const encryptionKey = await window.crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, [
+      'encrypt',
+      'decrypt',
+    ])
+
+    const privateKey = Hex.random(32)
+
+    const publicKey = Secp256k1.getPublicKey({ privateKey })
+    const address = Address.fromPublicKey(publicKey)
+    const keyPointer = this.localStorageKeyPrefix + address
+
+    const exportedKey = await window.crypto.subtle.exportKey('jwk', encryptionKey)
+    window.localStorage.setItem(keyPointer, JSON.stringify(exportedKey))
+
+    const encoder = new TextEncoder()
+    const encodedPk = encoder.encode(privateKey)
+    const iv = window.crypto.getRandomValues(new Uint8Array(12))
+    const encryptedBuffer = await window.crypto.subtle.encrypt({ name: 'AES-GCM', iv }, encryptionKey, encodedPk)
+
+    const encrypted: EncryptedData = {
+      iv,
+      data: encryptedBuffer,
+      keyPointer,
+      address,
+      publicKey,
+    }
+
+    const dbKey = `pk_${address}`
+    await this.putData(dbKey, encrypted)
+    return encrypted
+  }
+
+  async getEncryptedEntry(address: Address.Address): Promise<EncryptedData | undefined> {
+    const dbKey = `pk_${address}`
+    return this.getData<EncryptedData>(dbKey)
+  }
+
+  async getEncryptedPkStore(address: Address.Address): Promise<EncryptedPkStore | undefined> {
+    const entry = await this.getEncryptedEntry(address)
+    if (!entry) return
+    return new EncryptedPkStore(entry)
+  }
+
+  async listAddresses(): Promise<Address.Address[]> {
+    const allEntries = await this.getAllData<EncryptedData>()
+    return allEntries.map((entry) => entry.address)
+  }
+
+  async remove(address: Address.Address) {
+    const dbKey = `pk_${address}`
+    await this.putData(dbKey, undefined)
+    const keyPointer = this.localStorageKeyPrefix + address
+    window.localStorage.removeItem(keyPointer)
+  }
+}
+
+export class EncryptedPkStore implements PkStore {
+  constructor(private readonly encrypted: EncryptedData) {}
+
+  address(): Address.Address {
+    return this.encrypted.address
+  }
+
+  publicKey(): PublicKey.PublicKey {
+    return this.encrypted.publicKey
+  }
+
+  async signDigest(digest: Bytes.Bytes): Promise<{ r: bigint; s: bigint; yParity: number }> {
+    const keyJson = window.localStorage.getItem(this.encrypted.keyPointer)
+    if (!keyJson) throw new Error('Encryption key not found in localStorage')
+    const jwk = JSON.parse(keyJson)
+    const encryptionKey = await window.crypto.subtle.importKey('jwk', jwk, { name: 'AES-GCM' }, false, ['decrypt'])
+    const decryptedBuffer = await window.crypto.subtle.decrypt(
+      { name: 'AES-GCM', iv: this.encrypted.iv },
+      encryptionKey,
+      this.encrypted.data,
+    )
+    const decoder = new TextDecoder()
+    const privateKey = decoder.decode(decryptedBuffer) as Hex.Hex
+    return Secp256k1.sign({ payload: digest, privateKey })
+  }
+}