@0xsequence/wallet-wdk 3.0.4 → 3.0.5

package/dist/sequence/wallets.js

@@ -4,6 +4,7 @@ import { Address, Provider, RpcTransport } from 'ox';
 import { AuthCodeHandler } from './handlers/authcode.js';
 import { IdTokenHandler } from './handlers/idtoken.js';
 import { MnemonicHandler } from './handlers/mnemonic.js';
+import { Actions } from './types/index.js';
 import { Kinds } from './types/signer.js';
 function getSignupHandlerKey(kind) {
     if (kind === 'google-pkce') {
@@ -51,6 +52,19 @@ export function isAuthCodeArgs(args) {
 export function isIdTokenArgs(args) {
     return 'idToken' in args;
 }
+function addLoginSignerToSignupArgs(args) {
+    switch (args.kind) {
+        case 'mnemonic':
+            return { kind: 'mnemonic', mnemonic: args.mnemonic };
+        case 'email-otp':
+            return { kind: 'email-otp', email: args.email };
+        default: {
+            // google-id-token, apple-id-token, custom-*
+            const _args = args;
+            return { kind: _args.kind, idToken: _args.idToken };
+        }
+    }
+}
 function buildCappedTree(members) {
     const loginMemberWeight = 1n;
     if (members.length === 0) {
@@ -381,35 +395,81 @@ export class Wallets {
         if (!(handler instanceof AuthCodeHandler)) {
             throw new Error('handler-does-not-support-redirect');
         }
-        return handler.commitAuth(args.target, true);
+        return handler.commitAuth(args.target, { type: 'auth' });
+    }
+    async startAddLoginSignerWithRedirect(args) {
+        const walletEntry = await this.get(args.wallet);
+        if (!walletEntry) {
+            throw new Error('wallet-not-found');
+        }
+        if (walletEntry.status !== 'ready') {
+            throw new Error('wallet-not-ready');
+        }
+        const kind = getSignupHandlerKey(args.kind);
+        const handler = this.shared.handlers.get(kind);
+        if (!handler) {
+            throw new Error('handler-not-registered');
+        }
+        if (!(handler instanceof AuthCodeHandler)) {
+            throw new Error('handler-does-not-support-redirect');
+        }
+        return handler.commitAuth(args.target, { type: 'add-signer', wallet: args.wallet });
     }
     async completeRedirect(args) {
         const commitment = await this.shared.databases.authCommitments.get(args.state);
         if (!commitment) {
             throw new Error('invalid-state');
         }
-        // commitment.isSignUp and signUp also mean 'signIn' from wallet's perspective
-        if (commitment.isSignUp) {
-            await this.signUp({
-                kind: commitment.kind,
-                commitment,
-                code: args.code,
-                noGuard: args.noGuard,
-                target: commitment.target,
-                isRedirect: true,
-                use4337: args.use4337,
-            });
-        }
-        else {
-            const handlerKind = getSignupHandlerKey(commitment.kind);
-            const handler = this.shared.handlers.get(handlerKind);
-            if (!handler) {
-                throw new Error('handler-not-registered');
+        switch (commitment.type) {
+            case 'add-signer': {
+                const handlerKind = getSignupHandlerKey(commitment.kind);
+                const handler = this.shared.handlers.get(handlerKind);
+                if (!handler) {
+                    throw new Error('handler-not-registered');
+                }
+                if (!(handler instanceof AuthCodeHandler)) {
+                    throw new Error('handler-does-not-support-redirect');
+                }
+                const walletAddress = commitment.wallet;
+                const walletEntry = await this.get(walletAddress);
+                if (!walletEntry) {
+                    throw new Error('wallet-not-found');
+                }
+                if (walletEntry.status !== 'ready') {
+                    throw new Error('wallet-not-ready');
+                }
+                const [signer] = await handler.completeAuth(commitment, args.code);
+                const signerKind = getSignerKindForSignup(commitment.kind);
+                await this.addLoginSignerFromPrepared(walletAddress, {
+                    signer,
+                    extra: { signerKind },
+                });
+                break;
+            }
+            case 'auth': {
+                await this.signUp({
+                    kind: commitment.kind,
+                    commitment,
+                    code: args.code,
+                    noGuard: args.noGuard,
+                    target: commitment.target,
+                    isRedirect: true,
+                    use4337: args.use4337,
+                });
+                break;
             }
-            if (!(handler instanceof AuthCodeHandler)) {
-                throw new Error('handler-does-not-support-redirect');
+            case 'reauth': {
+                const handlerKind = getSignupHandlerKey(commitment.kind);
+                const handler = this.shared.handlers.get(handlerKind);
+                if (!handler) {
+                    throw new Error('handler-not-registered');
+                }
+                if (!(handler instanceof AuthCodeHandler)) {
+                    throw new Error('handler-does-not-support-redirect');
+                }
+                await handler.completeAuth(commitment, args.code);
+                break;
             }
-            await handler.completeAuth(commitment, args.code);
         }
         if (!commitment.target) {
             throw new Error('invalid-state');
@@ -741,6 +801,67 @@ export class Wallets {
             loginDate: new Date().toISOString(),
         });
     }
+    async addLoginSigner(args) {
+        const walletEntry = await this.get(args.wallet);
+        if (!walletEntry) {
+            throw new Error('wallet-not-found');
+        }
+        if (walletEntry.status !== 'ready') {
+            throw new Error('wallet-not-ready');
+        }
+        const signupArgs = addLoginSignerToSignupArgs(args);
+        const loginSigner = await this.prepareSignUp(signupArgs);
+        return this.addLoginSignerFromPrepared(args.wallet, loginSigner);
+    }
+    async completeAddLoginSigner(requestId) {
+        const request = await this.shared.modules.signatures.get(requestId);
+        if (request.action !== Actions.AddLoginSigner) {
+            throw new Error('invalid-request-action');
+        }
+        await this.completeConfigurationUpdate(requestId);
+    }
+    async removeLoginSigner(args) {
+        const walletEntry = await this.get(args.wallet);
+        if (!walletEntry) {
+            throw new Error('wallet-not-found');
+        }
+        if (walletEntry.status !== 'ready') {
+            throw new Error('wallet-not-ready');
+        }
+        const { loginTopology, modules } = await this.getConfigurationParts(args.wallet);
+        const existingSigners = Config.getSigners(loginTopology);
+        const allExistingAddresses = [...existingSigners.signers, ...existingSigners.sapientSigners.map((s) => s.address)];
+        if (!allExistingAddresses.some((addr) => Address.isEqual(addr, args.signerAddress))) {
+            throw new Error('signer-not-found');
+        }
+        const remainingMembers = [
+            ...existingSigners.signers
+                .filter((x) => x !== Constants.ZeroAddress && !Address.isEqual(x, args.signerAddress))
+                .map((x) => ({ address: x })),
+            ...existingSigners.sapientSigners
+                .filter((x) => !Address.isEqual(x.address, args.signerAddress))
+                .map((x) => ({ address: x.address, imageHash: x.imageHash })),
+        ];
+        if (remainingMembers.length < 1) {
+            throw new Error('cannot-remove-last-login-signer');
+        }
+        const nextLoginTopology = buildCappedTree(remainingMembers);
+        if (this.shared.modules.sessions.hasSessionModule(modules)) {
+            await this.shared.modules.sessions.removeIdentitySignerFromModules(modules, args.signerAddress);
+        }
+        if (this.shared.modules.recovery.hasRecoveryModule(modules)) {
+            await this.shared.modules.recovery.removeRecoverySignerFromModules(modules, args.signerAddress);
+        }
+        const requestId = await this.requestConfigurationUpdate(args.wallet, { loginTopology: nextLoginTopology, modules }, Actions.RemoveLoginSigner, 'wallet-webapp');
+        return requestId;
+    }
+    async completeRemoveLoginSigner(requestId) {
+        const request = await this.shared.modules.signatures.get(requestId);
+        if (request.action !== Actions.RemoveLoginSigner) {
+            throw new Error('invalid-request-action');
+        }
+        await this.completeConfigurationUpdate(requestId);
+    }
     async logout(wallet, options) {
         const walletEntry = await this.shared.databases.manager.get(wallet);
         if (!walletEntry) {
@@ -913,4 +1034,35 @@ export class Wallets {
         }, action, 'wallet-webapp');
         return requestId;
     }
+    async addLoginSignerFromPrepared(wallet, loginSigner) {
+        const newSignerAddress = await loginSigner.signer.address;
+        const { loginTopology, modules } = await this.getConfigurationParts(wallet);
+        // Check for duplicate signer
+        const existingSigners = Config.getSigners(loginTopology);
+        const allExistingAddresses = [...existingSigners.signers, ...existingSigners.sapientSigners.map((s) => s.address)];
+        if (allExistingAddresses.some((addr) => Address.isEqual(addr, newSignerAddress))) {
+            throw new Error('signer-already-exists');
+        }
+        // Build new login topology with the additional signer
+        const existingMembers = [
+            ...existingSigners.signers.filter((x) => x !== Constants.ZeroAddress).map((x) => ({ address: x })),
+            ...existingSigners.sapientSigners.map((x) => ({ address: x.address, imageHash: x.imageHash })),
+        ];
+        const newMember = {
+            address: newSignerAddress,
+            imageHash: Signers.isSapientSigner(loginSigner.signer) ? await loginSigner.signer.imageHash : undefined,
+        };
+        const nextLoginTopology = buildCappedTree([...existingMembers, newMember]);
+        // Add non-sapient login signer to sessions module identity signers
+        if (!Signers.isSapientSigner(loginSigner.signer) && this.shared.modules.sessions.hasSessionModule(modules)) {
+            await this.shared.modules.sessions.addIdentitySignerToModules(modules, newSignerAddress);
+        }
+        // Add to recovery module if present
+        if (this.shared.modules.recovery.hasRecoveryModule(modules)) {
+            await this.shared.modules.recovery.addRecoverySignerToModules(modules, newSignerAddress);
+        }
+        // Witness so the wallet becomes discoverable via the new credential
+        await loginSigner.signer.witness(this.shared.sequence.stateProvider, wallet, loginSigner.extra);
+        return this.requestConfigurationUpdate(wallet, { loginTopology: nextLoginTopology, modules }, Actions.AddLoginSigner, 'wallet-webapp');
+    }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@0xsequence/wallet-wdk",
-  "version": "3.0.4",
+  "version": "3.0.5",
   "license": "Apache-2.0",
   "type": "module",
   "publishConfig": {
@@ -21,8 +21,8 @@
     "happy-dom": "^20.7.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18",
-    "@repo/eslint-config": "^0.0.1",
-    "@repo/typescript-config": "^0.0.1"
+    "@repo/typescript-config": "^0.0.1",
+    "@repo/eslint-config": "^0.0.1"
   },
   "dependencies": {
     "@0xsequence/tee-verifier": "^0.1.2",
@@ -30,11 +30,11 @@
     "jwt-decode": "^4.0.0",
     "ox": "^0.9.17",
     "uuid": "^13.0.0",
-    "@0xsequence/guard": "^3.0.4",
-    "@0xsequence/identity-instrument": "^3.0.4",
-    "@0xsequence/wallet-core": "^3.0.4",
-    "@0xsequence/relayer": "^3.0.4",
-    "@0xsequence/wallet-primitives": "^3.0.4"
+    "@0xsequence/identity-instrument": "^3.0.5",
+    "@0xsequence/guard": "^3.0.5",
+    "@0xsequence/wallet-core": "^3.0.5",
+    "@0xsequence/relayer": "^3.0.5",
+    "@0xsequence/wallet-primitives": "^3.0.5"
   },
   "scripts": {
     "build": "tsc",

package/src/dbs/auth-commitments.ts

@@ -3,6 +3,11 @@ import { IDBPDatabase, IDBPTransaction } from 'idb'
 
 const TABLE_NAME = 'auth-commitments'
 
+export type CommitAuthArgs =
+  | { type: 'auth'; state?: string }
+  | { type: 'reauth'; state: string; signer: string }
+  | { type: 'add-signer'; wallet: string; state?: string }
+
 export type AuthCommitment = {
   id: string
   kind: 'google-pkce' | 'apple' | `custom-${string}`
@@ -10,9 +15,7 @@ export type AuthCommitment = {
   verifier?: string
   challenge?: string
   target: string
-  isSignUp: boolean
-  signer?: string
-}
+} & ({ type: 'auth' } | { type: 'reauth'; signer: string } | { type: 'add-signer'; wallet: string })
 
 export class AuthCommitments extends Generic<AuthCommitment, 'id'> {
   constructor(dbName: string = 'sequence-auth-commitments') {

package/src/dbs/index.ts

@@ -1,4 +1,4 @@
-export type { AuthCommitment } from './auth-commitments.js'
+export type { AuthCommitment, CommitAuthArgs } from './auth-commitments.js'
 export { AuthCommitments } from './auth-commitments.js'
 
 export type { AuthKey } from './auth-keys.js'

package/src/sequence/handlers/authcode-pkce.ts

@@ -6,6 +6,7 @@ import * as Identity from '@0xsequence/identity-instrument'
 import { IdentitySigner } from '../../identity/signer.js'
 import { AuthCodeHandler } from './authcode.js'
 import type { WdkEnv } from '../../env.js'
+import type { CommitAuthArgs } from '../../dbs/auth-commitments.js'
 
 export class AuthCodePkceHandler extends AuthCodeHandler implements Handler {
   constructor(
@@ -22,25 +23,30 @@ export class AuthCodePkceHandler extends AuthCodeHandler implements Handler {
     super(signupKind, issuer, oauthUrl, audience, nitro, signatures, commitments, authKeys, env)
   }
 
-  public async commitAuth(target: string, isSignUp: boolean, state?: string, signer?: string) {
+  public async commitAuth(target: string, args: CommitAuthArgs) {
     let challenge = new Identity.AuthCodePkceChallenge(this.issuer, this.audience, this.redirectUri)
-    if (signer) {
-      challenge = challenge.withSigner({ address: signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
+    if (args.type === 'reauth') {
+      challenge = challenge.withSigner({ address: args.signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
     }
     const { verifier, loginHint, challenge: codeChallenge } = await this.nitroCommitVerifier(challenge)
-    if (!state) {
-      state = Hex.fromBytes(Bytes.random(32))
-    }
+    const state = args.state ?? Hex.fromBytes(Bytes.random(32))
 
-    await this.commitments.set({
+    const base = {
       id: state,
-      kind: this.signupKind,
+      kind: this.signupKind as Db.AuthCommitment['kind'],
       verifier,
       challenge: codeChallenge,
       target,
       metadata: {},
-      isSignUp,
-    })
+    }
+
+    if (args.type === 'reauth') {
+      await this.commitments.set({ ...base, type: 'reauth', signer: args.signer })
+    } else if (args.type === 'add-signer') {
+      await this.commitments.set({ ...base, type: 'add-signer', wallet: args.wallet })
+    } else {
+      await this.commitments.set({ ...base, type: 'auth' })
+    }
 
     const searchParams = this.serializeQuery({
       code_challenge: codeChallenge,

package/src/sequence/handlers/authcode.ts

@@ -8,6 +8,7 @@ import { IdentitySigner } from '../../identity/signer.js'
 import { IdentityHandler } from './identity.js'
 import { Kinds } from '../types/signer.js'
 import type { NavigationLike, WdkEnv } from '../../env.js'
+import type { CommitAuthArgs } from '../../dbs/auth-commitments.js'
 
 export class AuthCodeHandler extends IdentityHandler implements Handler {
   protected redirectUri: string = ''
@@ -39,19 +40,23 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
     this.redirectUri = redirectUri
   }
 
-  public async commitAuth(target: string, isSignUp: boolean, state?: string, signer?: string) {
-    if (!state) {
-      state = Hex.fromBytes(Bytes.random(32))
-    }
+  public async commitAuth(target: string, args: CommitAuthArgs) {
+    const state = args.state ?? Hex.fromBytes(Bytes.random(32))
 
-    await this.commitments.set({
+    const base = {
       id: state,
-      kind: this.signupKind,
-      signer,
+      kind: this.signupKind as Db.AuthCommitment['kind'],
       target,
       metadata: {},
-      isSignUp,
-    })
+    }
+
+    if (args.type === 'reauth') {
+      await this.commitments.set({ ...base, type: 'reauth', signer: args.signer })
+    } else if (args.type === 'add-signer') {
+      await this.commitments.set({ ...base, type: 'add-signer', wallet: args.wallet })
+    } else {
+      await this.commitments.set({ ...base, type: 'auth' })
+    }
 
     const searchParams = this.serializeQuery({
       client_id: this.audience,
@@ -69,7 +74,7 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
     code: string,
   ): Promise<[IdentitySigner, { [key: string]: string }]> {
     let challenge = new Identity.AuthCodeChallenge(this.issuer, this.audience, this.redirectUri, code)
-    if (commitment.signer) {
+    if (commitment.type === 'reauth') {
       challenge = challenge.withSigner({ address: commitment.signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
     }
     await this.nitroCommitVerifier(challenge)
@@ -103,7 +108,11 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
       message: 'request-redirect',
       handle: async () => {
         const navigation = this.getNavigation()
-        const url = await this.commitAuth(navigation.getPathname(), false, request.id, address)
+        const url = await this.commitAuth(navigation.getPathname(), {
+          type: 'reauth',
+          state: request.id,
+          signer: address,
+        })
         navigation.redirect(url)
         return true
       },

package/src/sequence/index.ts

@@ -9,12 +9,15 @@ export { Sessions } from './sessions.js'
 export { Signatures } from './signatures.js'
 export type {
   StartSignUpWithRedirectArgs,
+  StartAddLoginSignerWithRedirectArgs,
   CommonSignupArgs,
   PasskeySignupArgs,
   MnemonicSignupArgs,
   EmailOtpSignupArgs,
   CompleteRedirectArgs,
   SignupArgs,
+  AddLoginSignerArgs,
+  RemoveLoginSignerArgs,
   LoginToWalletArgs,
   LoginToMnemonicArgs,
   LoginToPasskeyArgs,

package/src/sequence/types/signature-request.ts

@@ -13,6 +13,8 @@ export type ActionToPayload = {
   [Actions.Recovery]: Payload.Recovery<Payload.Calls>
   [Actions.AddRecoverySigner]: Payload.ConfigUpdate
   [Actions.RemoveRecoverySigner]: Payload.ConfigUpdate
+  [Actions.AddLoginSigner]: Payload.ConfigUpdate
+  [Actions.RemoveLoginSigner]: Payload.ConfigUpdate
   [Actions.SessionImplicitAuthorize]: Payload.SessionImplicitAuthorize
 }
 
@@ -26,6 +28,8 @@ export const Actions = {
   Recovery: 'recovery',
   AddRecoverySigner: 'add-recovery-signer',
   RemoveRecoverySigner: 'remove-recovery-signer',
+  AddLoginSigner: 'add-login-signer',
+  RemoveLoginSigner: 'remove-login-signer',
   SessionImplicitAuthorize: 'session-implicit-authorize',
 } as const