@0xsequence/wallet-wdk 3.0.2 → 3.0.3

package/dist/sequence/wallets.js

@@ -1,8 +1,38 @@
 import { Wallet as CoreWallet, Envelope, Signers, State } from '@0xsequence/wallet-core';
 import { Config, Constants, Payload } from '@0xsequence/wallet-primitives';
 import { Address, Provider, RpcTransport } from 'ox';
+import { AuthCodeHandler } from './handlers/authcode.js';
+import { IdTokenHandler } from './handlers/idtoken.js';
 import { MnemonicHandler } from './handlers/mnemonic.js';
 import { Kinds } from './types/signer.js';
+function getSignupHandlerKey(kind) {
+    if (kind === 'google-pkce') {
+        return Kinds.LoginGoogle;
+    }
+    if (kind.startsWith('custom-')) {
+        return kind;
+    }
+    return 'login-' + kind;
+}
+function getSignerKindForSignup(kind) {
+    if (kind === 'google-id-token' || kind === 'google-pkce') {
+        return Kinds.LoginGoogle;
+    }
+    if (kind.startsWith('custom-')) {
+        return kind;
+    }
+    return ('login-' + kind);
+}
+function getIdTokenSignupHandler(shared, kind) {
+    const handler = shared.handlers.get(kind);
+    if (!handler) {
+        throw new Error('handler-not-registered');
+    }
+    if (!(handler instanceof IdTokenHandler)) {
+        throw new Error('handler-does-not-support-id-token');
+    }
+    return handler;
+}
 export function isLoginToWalletArgs(args) {
     return 'wallet' in args;
 }
@@ -13,7 +43,10 @@ export function isLoginToPasskeyArgs(args) {
     return 'kind' in args && args.kind === 'passkey';
 }
 export function isAuthCodeArgs(args) {
-    return 'kind' in args && (args.kind === 'google-pkce' || args.kind === 'apple');
+    return 'code' in args && 'commitment' in args;
+}
+export function isIdTokenArgs(args) {
+    return 'idToken' in args;
 }
 function buildCappedTree(members) {
     const loginMemberWeight = 1n;
@@ -277,9 +310,22 @@ export class Wallets {
                     loginEmail: returnedEmail,
                 };
             }
+            case 'google-id-token': {
+                const handler = getIdTokenSignupHandler(this.shared, Kinds.LoginGoogle);
+                const [signer, metadata] = await handler.completeAuth(args.idToken);
+                const loginEmail = metadata.email;
+                this.shared.modules.logger.log('Created new id token signer:', signer.address);
+                return {
+                    signer,
+                    extra: {
+                        signerKind: Kinds.LoginGoogle,
+                    },
+                    loginEmail,
+                };
+            }
             case 'google-pkce':
             case 'apple': {
-                const handler = this.shared.handlers.get('login-' + args.kind);
+                const handler = this.shared.handlers.get(getSignupHandlerKey(args.kind));
                 if (!handler) {
                     throw new Error('handler-not-registered');
                 }
@@ -289,14 +335,24 @@ export class Wallets {
                 return {
                     signer,
                     extra: {
-                        signerKind: 'login-' + args.kind,
+                        signerKind: getSignerKindForSignup(args.kind),
                     },
                     loginEmail,
                 };
             }
         }
         if (args.kind.startsWith('custom-')) {
-            // TODO: support other custom auth methods (e.g. id-token)
+            if (isIdTokenArgs(args)) {
+                const handler = getIdTokenSignupHandler(this.shared, args.kind);
+                const [signer, metadata] = await handler.completeAuth(args.idToken);
+                return {
+                    signer,
+                    extra: {
+                        signerKind: args.kind,
+                    },
+                    loginEmail: metadata.email,
+                };
+            }
             const handler = this.shared.handlers.get(args.kind);
             if (!handler) {
                 throw new Error('handler-not-registered');
@@ -313,11 +369,14 @@ export class Wallets {
         throw new Error('invalid-signup-kind');
     }
     async startSignUpWithRedirect(args) {
-        const kind = args.kind.startsWith('custom-') ? args.kind : 'login-' + args.kind;
+        const kind = getSignupHandlerKey(args.kind);
         const handler = this.shared.handlers.get(kind);
         if (!handler) {
             throw new Error('handler-not-registered');
         }
+        if (!(handler instanceof AuthCodeHandler)) {
+            throw new Error('handler-does-not-support-redirect');
+        }
         return handler.commitAuth(args.target, true);
     }
     async completeRedirect(args) {
@@ -338,11 +397,14 @@ export class Wallets {
             });
         }
         else {
-            const kind = commitment.kind.startsWith('custom-') ? commitment.kind : 'login-' + commitment.kind;
-            const handler = this.shared.handlers.get(kind);
+            const handlerKind = getSignupHandlerKey(commitment.kind);
+            const handler = this.shared.handlers.get(handlerKind);
             if (!handler) {
                 throw new Error('handler-not-registered');
             }
+            if (!(handler instanceof AuthCodeHandler)) {
+                throw new Error('handler-does-not-support-redirect');
+            }
             await handler.completeAuth(commitment, args.code);
         }
         if (!commitment.target) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@0xsequence/wallet-wdk",
-  "version": "3.0.2",
+  "version": "3.0.3",
   "license": "Apache-2.0",
   "type": "module",
   "publishConfig": {
@@ -30,11 +30,11 @@
     "jwt-decode": "^4.0.0",
     "ox": "^0.9.17",
     "uuid": "^13.0.0",
-    "@0xsequence/guard": "^3.0.2",
-    "@0xsequence/relayer": "^3.0.2",
-    "@0xsequence/identity-instrument": "^3.0.2",
-    "@0xsequence/wallet-primitives": "^3.0.2",
-    "@0xsequence/wallet-core": "^3.0.2"
+    "@0xsequence/relayer": "^3.0.3",
+    "@0xsequence/guard": "^3.0.3",
+    "@0xsequence/identity-instrument": "^3.0.3",
+    "@0xsequence/wallet-core": "^3.0.3",
+    "@0xsequence/wallet-primitives": "^3.0.3"
   },
   "scripts": {
     "build": "tsc",

package/src/sequence/handlers/authcode.ts

@@ -6,6 +6,7 @@ import * as Identity from '@0xsequence/identity-instrument'
 import { SignerUnavailable, SignerReady, SignerActionable, BaseSignatureRequest } from '../types/signature-request.js'
 import { IdentitySigner } from '../../identity/signer.js'
 import { IdentityHandler } from './identity.js'
+import { Kinds } from '../types/signer.js'
 import type { NavigationLike, WdkEnv } from '../../env.js'
 
 export class AuthCodeHandler extends IdentityHandler implements Handler {
@@ -26,6 +27,11 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
   }
 
   public get kind() {
+    if (this.signupKind === 'google-pkce') {
+      // Keep Google PKCE on the canonical kind so Google signers created before
+      // canonicalization still resolve as `login-google`.
+      return Kinds.LoginGoogle
+    }
     return 'login-' + this.signupKind
   }
 

package/src/sequence/handlers/identity.ts

@@ -81,6 +81,10 @@ export class IdentityHandler {
     return new IdentitySigner(this.nitro, authKey, this.env.crypto)
   }
 
+  protected async clearAuthKeySigner(address: string): Promise<void> {
+    await this.authKeys.delBySigner(address)
+  }
+
   private async getAuthKey(signer: string): Promise<Db.AuthKey | undefined> {
     let authKey = await this.authKeys.getBySigner(signer)
     if (!signer && !authKey) {

package/src/sequence/handlers/idtoken.ts

@@ -0,0 +1,140 @@
+import { Address, Hex } from 'ox'
+import { Signers } from '@0xsequence/wallet-core'
+import { Handler } from './handler.js'
+import * as Identity from '@0xsequence/identity-instrument'
+import * as Db from '../../dbs/index.js'
+import { Signatures } from '../signatures.js'
+import { SignerActionable, SignerReady, SignerUnavailable, BaseSignatureRequest } from '../types/signature-request.js'
+import { IdentitySigner } from '../../identity/signer.js'
+import { IdentityHandler } from './identity.js'
+import { Kinds } from '../types/signer.js'
+import type { WdkEnv } from '../../env.js'
+
+type RespondFn = (idToken: string) => Promise<void>
+
+export type PromptIdTokenHandler = (kind: 'google-id-token' | `custom-${string}`, respond: RespondFn) => Promise<void>
+
+export class IdTokenHandler extends IdentityHandler implements Handler {
+  private onPromptIdToken: undefined | PromptIdTokenHandler
+
+  constructor(
+    public readonly signupKind: 'google-id-token' | `custom-${string}`,
+    public readonly issuer: string,
+    public readonly audience: string,
+    nitro: Identity.IdentityInstrument,
+    signatures: Signatures,
+    authKeys: Db.AuthKeys,
+    env?: WdkEnv,
+  ) {
+    super(nitro, authKeys, signatures, Identity.IdentityType.OIDC, env)
+  }
+
+  public get kind() {
+    if (this.signupKind === 'google-id-token') {
+      return Kinds.LoginGoogle
+    }
+    return 'login-' + this.signupKind
+  }
+
+  public registerUI(onPromptIdToken: PromptIdTokenHandler) {
+    this.onPromptIdToken = onPromptIdToken
+    return () => {
+      this.onPromptIdToken = undefined
+    }
+  }
+
+  public unregisterUI() {
+    this.onPromptIdToken = undefined
+  }
+
+  public async completeAuth(idToken: string): Promise<[IdentitySigner, { [key: string]: string }]> {
+    const challenge = new Identity.IdTokenChallenge(this.issuer, this.audience, idToken)
+    await this.nitroCommitVerifier(challenge)
+    const { signer: identitySigner, email } = await this.nitroCompleteAuth(challenge)
+
+    return [identitySigner, { email }]
+  }
+
+  public async getSigner(): Promise<{ signer: Signers.Signer & Signers.Witnessable; email: string }> {
+    const onPromptIdToken = this.onPromptIdToken
+    if (!onPromptIdToken) {
+      throw new Error('id-token-handler-ui-not-registered')
+    }
+
+    return await this.handleAuth(onPromptIdToken)
+  }
+
+  async status(
+    address: Address.Address,
+    _imageHash: Hex.Hex | undefined,
+    request: BaseSignatureRequest,
+  ): Promise<SignerUnavailable | SignerReady | SignerActionable> {
+    const signer = await this.getAuthKeySigner(address)
+    if (signer) {
+      return {
+        address,
+        handler: this,
+        status: 'ready',
+        handle: async () => {
+          await this.sign(signer, request)
+          return true
+        },
+      }
+    }
+
+    const onPromptIdToken = this.onPromptIdToken
+    if (!onPromptIdToken) {
+      return {
+        address,
+        handler: this,
+        reason: 'ui-not-registered',
+        status: 'unavailable',
+      }
+    }
+
+    return {
+      address,
+      handler: this,
+      status: 'actionable',
+      message: 'request-id-token',
+      handle: async () => {
+        try {
+          const { signer } = await this.handleAuth(onPromptIdToken)
+          const signerAddress = (await signer.address) as Address.Address
+          if (!Address.isEqual(signerAddress, address)) {
+            // ID-token auth prompts are keyed by provider kind, not the requested signer address.
+            // For example, a user can pick a different Google account in the account picker and
+            // return a token for a different identity than this request expects.
+            await this.clearAuthKeySigner(signerAddress)
+            throw new Error('id-token-signer-mismatch')
+          }
+          return true
+        } catch {
+          return false
+        }
+      },
+    }
+  }
+
+  private handleAuth(
+    onPromptIdToken: PromptIdTokenHandler,
+  ): Promise<{ signer: Signers.Signer & Signers.Witnessable; email: string }> {
+    // eslint-disable-next-line no-async-promise-executor
+    return new Promise(async (resolve, reject) => {
+      try {
+        const respond: RespondFn = async (idToken) => {
+          try {
+            const [signer, metadata] = await this.completeAuth(idToken)
+            resolve({ signer, email: metadata.email || '' })
+          } catch (error) {
+            reject(error)
+          }
+        }
+
+        await onPromptIdToken(this.signupKind, respond)
+      } catch (error) {
+        reject(error)
+      }
+    })
+  }
+}

package/src/sequence/handlers/index.ts

@@ -3,4 +3,5 @@ export { DevicesHandler } from './devices.js'
 export { PasskeysHandler } from './passkeys.js'
 export { OtpHandler } from './otp.js'
 export { AuthCodePkceHandler } from './authcode-pkce.js'
+export { IdTokenHandler } from './idtoken.js'
 export { MnemonicHandler } from './mnemonic.js'

package/src/sequence/manager.ts

@@ -14,6 +14,7 @@ import {
   AuthCodePkceHandler,
   DevicesHandler,
   Handler,
+  IdTokenHandler,
   MnemonicHandler,
   OtpHandler,
   PasskeysHandler,
@@ -31,9 +32,25 @@ import { Wallets, WalletsInterface } from './wallets.js'
 import { GuardHandler, PromptCodeHandler } from './handlers/guard.js'
 import { PasskeyCredential } from '../dbs/index.js'
 import { PromptMnemonicHandler } from './handlers/mnemonic.js'
+import { PromptIdTokenHandler } from './handlers/idtoken.js'
 import { PromptOtpHandler } from './handlers/otp.js'
 import { defaultPasskeyProvider, type PasskeyProvider } from './passkeys-provider.js'
 
+type CustomIdentityProvider =
+  | {
+      kind: `custom-${string}`
+      authMethod: 'id-token'
+      issuer: string
+      clientId: string
+    }
+  | {
+      kind: `custom-${string}`
+      authMethod: 'authcode' | 'authcode-pkce'
+      issuer: string
+      oauthUrl: string
+      clientId: string
+    }
+
 export type ManagerOptions = {
   verbose?: boolean
 
@@ -85,18 +102,13 @@ export type ManagerOptions = {
     google?: {
       enabled: boolean
       clientId: string
+      authMethod?: 'authcode-pkce' | 'id-token'
     }
     apple?: {
       enabled: boolean
       clientId: string
     }
-    customProviders?: {
-      kind: `custom-${string}`
-      authMethod: 'id-token' | 'authcode' | 'authcode-pkce'
-      issuer: string
-      oauthUrl: string
-      clientId: string
-    }[]
+    customProviders?: CustomIdentityProvider[]
   }
 }
 
@@ -112,18 +124,13 @@ export type ResolvedIdentityOptions = {
   google: {
     enabled: boolean
     clientId: string
+    authMethod: 'authcode-pkce' | 'id-token'
   }
   apple: {
     enabled: boolean
     clientId: string
   }
-  customProviders?: {
-    kind: `custom-${string}`
-    authMethod: 'id-token' | 'authcode' | 'authcode-pkce'
-    issuer: string
-    oauthUrl: string
-    clientId: string
-  }[]
+  customProviders?: CustomIdentityProvider[]
 }
 
 export type ResolvedManagerOptions = {
@@ -248,6 +255,7 @@ export const ManagerOptionsDefaults = {
     google: {
       enabled: false,
       clientId: '',
+      authMethod: 'authcode-pkce' as const,
     },
     apple: {
       enabled: false,
@@ -677,20 +685,35 @@ export class Manager {
       shared.handlers.set(Kinds.LoginEmailOtp, this.otpHandler)
     }
     if (ops.identity.google?.enabled) {
-      shared.handlers.set(
-        Kinds.LoginGooglePkce,
-        new AuthCodePkceHandler(
-          'google-pkce',
-          'https://accounts.google.com',
-          'https://accounts.google.com/o/oauth2/v2/auth',
-          ops.identity.google.clientId,
-          identityInstrument,
-          modules.signatures,
-          shared.databases.authCommitments,
-          shared.databases.authKeys,
-          shared.env,
-        ),
-      )
+      if (ops.identity.google.authMethod === 'id-token') {
+        shared.handlers.set(
+          Kinds.LoginGoogle,
+          new IdTokenHandler(
+            'google-id-token',
+            'https://accounts.google.com',
+            ops.identity.google.clientId,
+            identityInstrument,
+            modules.signatures,
+            shared.databases.authKeys,
+            shared.env,
+          ),
+        )
+      } else {
+        shared.handlers.set(
+          Kinds.LoginGoogle,
+          new AuthCodePkceHandler(
+            'google-pkce',
+            'https://accounts.google.com',
+            'https://accounts.google.com/o/oauth2/v2/auth',
+            ops.identity.google.clientId,
+            identityInstrument,
+            modules.signatures,
+            shared.databases.authCommitments,
+            shared.databases.authKeys,
+            shared.env,
+          ),
+        )
+      }
     }
     if (ops.identity.apple?.enabled) {
       shared.handlers.set(
@@ -712,7 +735,19 @@ export class Manager {
       for (const provider of ops.identity.customProviders) {
         switch (provider.authMethod) {
           case 'id-token':
-            throw new Error('id-token is not supported yet')
+            shared.handlers.set(
+              provider.kind,
+              new IdTokenHandler(
+                provider.kind,
+                provider.issuer,
+                provider.clientId,
+                identityInstrument,
+                modules.signatures,
+                shared.databases.authKeys,
+                shared.env,
+              ),
+            )
+            break
           case 'authcode':
             shared.handlers.set(
               provider.kind,
@@ -770,6 +805,20 @@ export class Manager {
     return this.otpHandler?.registerUI(onPromptOtp) || (() => {})
   }
 
+  public registerIdTokenUI(onPromptIdToken: PromptIdTokenHandler) {
+    const unregisters: (() => void)[] = []
+
+    this.shared.handlers.forEach((handler) => {
+      if (handler instanceof IdTokenHandler) {
+        unregisters.push(handler.registerUI(onPromptIdToken))
+      }
+    })
+
+    return () => {
+      unregisters.forEach((unregister) => unregister())
+    }
+  }
+
   public registerGuardUI(onPromptCode: PromptCodeHandler) {
     return this.guardHandler?.registerUI(onPromptCode) || (() => {})
   }

package/src/sequence/sessions.ts

@@ -9,7 +9,9 @@ import {
   SessionConfig,
 } from '@0xsequence/wallet-primitives'
 import { Address, Bytes, Hash, Hex } from 'ox'
+import { AuthCodeHandler } from './handlers/authcode.js'
 import { AuthCodePkceHandler } from './handlers/authcode-pkce.js'
+import { IdTokenHandler } from './handlers/idtoken.js'
 import { IdentityHandler, identityTypeToHex } from './handlers/identity.js'
 import { Handler } from './handlers/index.js'
 import { ManagerOptionsDefaults, Shared } from './manager.js'
@@ -362,7 +364,11 @@ export class Sessions implements SessionsInterface {
     let audienceHash: Hex.Hex = '0x'
     if (handler instanceof IdentityHandler) {
       identityType = handler.identityType
-      if (handler instanceof AuthCodePkceHandler) {
+      if (
+        handler instanceof AuthCodeHandler ||
+        handler instanceof AuthCodePkceHandler ||
+        handler instanceof IdTokenHandler
+      ) {
         issuerHash = Hash.keccak256(Hex.fromString(handler.issuer))
         audienceHash = Hash.keccak256(Hex.fromString(handler.audience))
       }

package/src/sequence/signers.ts

@@ -12,6 +12,11 @@ function toKnownKind(kind: string): Kind {
     return kind as Kind
   }
 
+  if (kind === 'login-google-pkce') {
+    // Normalize legacy Google PKCE witnesses while the canonical signer kind is `login-google`.
+    return Kinds.LoginGoogle
+  }
+
   if (Object.values(Kinds).includes(kind as (typeof Kinds)[keyof typeof Kinds])) {
     return kind as Kind
   }

package/src/sequence/types/signer.ts

@@ -5,7 +5,7 @@ export const Kinds = {
   LoginPasskey: 'login-passkey',
   LoginMnemonic: 'login-mnemonic', // Todo: do not name it login-mnemonic, just mnemonic
   LoginEmailOtp: 'login-email-otp',
-  LoginGooglePkce: 'login-google-pkce',
+  LoginGoogle: 'login-google',
   LoginApple: 'login-apple',
   Recovery: 'recovery-extension',
   Guard: 'guard-extension',

package/src/sequence/types/wallet.ts

@@ -36,7 +36,7 @@ export interface Wallet {
 
   /**
    * A string identifier for the authentication method used for this session.
-   * Examples: 'login-mnemonic', 'login-passkey', 'login-google-pkce'.
+   * Examples: 'login-mnemonic', 'login-passkey', 'login-google'.
    * @property
    */
   loginType: string