@account-kit/signer 4.17.0 → 4.18.0-alpha.4

package/src/client/base.ts

@@ -4,7 +4,7 @@ import EventEmitter from "eventemitter3";
 import { jwtDecode } from "jwt-decode";
 import { sha256, type Hex } from "viem";
 import { NotAuthenticatedError, OAuthProvidersError } from "../errors.js";
-import { addOpenIdIfAbsent, getDefaultScopeAndClaims } from "../oauth.js";
+import { getDefaultProviderCustomization } from "../oauth.js";
 import type { OauthMode } from "../signer.js";
 import { base64UrlEncode } from "../utils/base64UrlEncode.js";
 import { resolveRelativeUrl } from "../utils/resolveRelativeUrl.js";
@@ -17,6 +17,8 @@ import type {
   EmailAuthParams,
   GetOauthProviderUrlArgs,
   GetWebAuthnAttestationResult,
+  JwtParams,
+  JwtResponse,
   OauthConfig,
   OauthParams,
   OauthState,
@@ -27,6 +29,7 @@ import type {
   SignupResponse,
   User,
 } from "./types.js";
+import { VERSION } from "../version.js";
 
 export interface BaseSignerClientParams {
   stamper: TurnkeyClient["stamper"];
@@ -153,6 +156,10 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
     args: Omit<OtpParams, "targetPublicKey">
   ): Promise<{ bundle: string }>;
 
+  public abstract submitJwt(
+    args: Omit<JwtParams, "targetPublicKey">
+  ): Promise<JwtResponse>;
+
   public abstract disconnect(): Promise<void>;
 
   public abstract exportWallet(params: TExportWalletParams): Promise<boolean>;
@@ -382,6 +389,7 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
     const basePath = "/signer";
 
     const headers = new Headers();
+    headers.append("Alchemy-AA-Sdk-Version", VERSION);
     headers.append("Content-Type", "application/json");
     if (this.connectionConfig.apiKey) {
       headers.append("Authorization", `Bearer ${this.connectionConfig.apiKey}`);
@@ -540,6 +548,7 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
       auth0Connection,
       scope: providedScope,
       claims: providedClaims,
+      otherParameters: providedOtherParameters,
       mode,
       redirectUrl,
       expirationSeconds,
@@ -562,23 +571,20 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
       throw new Error(`No auth provider found with id ${authProviderId}`);
     }
 
-    let scope: string;
-    let claims: string | undefined;
-
-    if (providedScope) {
-      scope = addOpenIdIfAbsent(providedScope);
-      claims = providedClaims;
-    } else {
-      if (isCustomProvider) {
-        throw new Error("scope must be provided for a custom provider");
-      }
-      const scopeAndClaims = getDefaultScopeAndClaims(authProviderId);
-      if (!scopeAndClaims) {
-        throw new Error(
-          `Default scope not known for provider ${authProviderId}`
-        );
-      }
-      ({ scope, claims } = scopeAndClaims);
+    let scope: string | undefined = providedScope;
+    let claims: string | undefined = providedClaims;
+    let otherParameters: Record<string, string> | undefined =
+      providedOtherParameters;
+
+    if (!isCustomProvider) {
+      const defaultCustomization =
+        getDefaultProviderCustomization(authProviderId);
+      scope ??= defaultCustomization?.scope;
+      claims ??= defaultCustomization?.claims;
+      otherParameters ??= defaultCustomization?.otherParameters;
+    }
+    if (!scope) {
+      throw new Error(`Default scope not known for provider ${authProviderId}`);
     }
     const { authEndpoint, clientId } = authProvider;
 
@@ -611,10 +617,7 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
       prompt: "select_account",
       client_id: clientId,
       nonce,
-      // Fixes Facebook mobile login so that `window.opener` doesn't get nullified.
-      ...(mode === "popup" && authProvider.id === "facebook"
-        ? { sdk: "joey" }
-        : {}),
+      ...otherParameters,
     };
     if (claims) {
       params.claims = claims;

package/src/client/index.ts

@@ -14,8 +14,10 @@ import type {
   CredentialCreationOptionOverrides,
   EmailAuthParams,
   ExportWalletParams,
+  JwtParams,
   OauthConfig,
   OtpParams,
+  JwtResponse,
   User,
 } from "./types.js";
 
@@ -245,6 +247,44 @@ export class AlchemySignerWebClient extends BaseSignerClient<ExportWalletParams>
     return { bundle: credentialBundle };
   }
 
+  /**
+   * Authenticates using a custom issued JWT
+   *
+   * @example
+   * ```ts
+   * import { AlchemySignerWebClient } from "@account-kit/signer";
+   *
+   * const client = new AlchemySignerWebClient({
+   *  connection: {
+   *    apiKey: "your-api-key",
+   *  },
+   *  iframeConfig: {
+   *   iframeContainerId: "signer-iframe-container",
+   *  },
+   * });
+   *
+   * const account = await client.submitJwt({
+   *   jwt: "custom-issued-jwt",
+   *   authProvider: "auth-provider-name",
+   * });
+   * ```
+   *
+   * @param {Omit<JwtParams, "targetPublicKey">} args The parameters for the JWT request, excluding the target public key.
+   * @returns {Promise<{ bundle: string }>} A promise that resolves to an object containing the credential bundle.
+   */
+  public override async submitJwt(
+    args: Omit<JwtParams, "targetPublicKey">
+  ): Promise<JwtResponse> {
+    this.eventEmitter.emit("authenticating", { type: "custom-jwt" });
+    const targetPublicKey = await this.initIframeStamper();
+    return this.request("/v1/auth-jwt", {
+      jwt: args.jwt,
+      targetPublicKey,
+      authProvider: args.authProvider,
+      expirationSeconds: args?.expirationSeconds,
+    });
+  }
+
   /**
    * Completes auth for the user by injecting a credential bundle and retrieving
    * the user information based on the provided organization ID. Emits events

package/src/client/types.ts

@@ -68,6 +68,19 @@ export type OtpParams = {
   expirationSeconds?: number;
 };
 
+export type JwtParams = {
+  jwt: string;
+  targetPublicKey: string;
+  authProvider: string;
+  expirationSeconds?: number;
+};
+
+export type JwtResponse = {
+  isSignUp: boolean;
+  orgId: string;
+  credentialBundle: string;
+};
+
 export type SignupResponse = {
   orgId: string;
   userId?: string;
@@ -168,6 +181,11 @@ export type SignerEndpoints = [
     Body: OtpParams;
     Response: { credentialBundle: string };
   },
+  {
+    Route: "/v1/auth-jwt";
+    Body: JwtParams;
+    Response: JwtResponse;
+  },
   {
     Route: "/v1/signer-config";
     Body: {};
@@ -176,7 +194,7 @@ export type SignerEndpoints = [
 ];
 
 export type AuthenticatingEventMetadata = {
-  type: "email" | "passkey" | "oauth" | "otp" | "otpVerify";
+  type: "email" | "passkey" | "oauth" | "otp" | "otpVerify" | "custom-jwt";
 };
 
 export type AlchemySignerClientEvents = {
@@ -187,6 +205,7 @@ export type AlchemySignerClientEvents = {
   connectedPasskey(user: User): void;
   connectedOauth(user: User, bundle: string): void;
   connectedOtp(user: User, bundle: string): void;
+  connectedJwt(user: User, bundle: string): void;
   disconnected(): void;
 };
 

package/src/metrics.ts

@@ -14,7 +14,8 @@ export type SignerEventsSchema = [
             | "oauthReturn";
           provider?: never;
         }
-      | { authType: "oauth"; provider: string };
+      | { authType: "oauth"; provider: string }
+      | { authType: "custom-jwt"; provider: string };
   },
   {
     EventName: "signer_sign_message";

package/src/oauth.ts

@@ -1,27 +1,41 @@
 import type { KnownAuthProvider } from "./signer";
 
-export type ScopeAndClaims = {
+export type AuthProviderCustomization = {
   scope: string;
   claims?: string;
+  otherParameters?: Record<string, string>;
 };
 
-const DEFAULT_SCOPE_AND_CLAIMS: Record<KnownAuthProvider, ScopeAndClaims> = {
+const DEFAULT_PROVIDER_CUSTOMIZATION: Record<
+  KnownAuthProvider,
+  AuthProviderCustomization
+> = {
   google: { scope: "openid email" },
   apple: { scope: "openid email" },
-  facebook: { scope: "openid email" },
+  facebook: {
+    scope: "openid email",
+    // Fixes Facebook mobile login so that `window.opener` doesn't get nullified.
+    otherParameters: { sdk: "joey" },
+  },
+  twitch: {
+    scope: "openid user:read:email",
+    claims: JSON.stringify({ id_token: { email: null } }),
+    // Forces Twitch to show the login page even if the user is already logged in.
+    otherParameters: { force_verify: "true" },
+  },
   auth0: { scope: "openid email" },
 };
 
 /**
- * Returns the default scope and claims when using a known auth provider
+ * Returns the default customization parameters when using a known auth provider
  *
  * @param {string} knownAuthProviderId id of a known auth provider, e.g. "google"
- * @returns {ScopeAndClaims | undefined} default scope and claims
+ * @returns {AuthProviderCustomization | undefined} default customization parameters
  */
-export function getDefaultScopeAndClaims(
+export function getDefaultProviderCustomization(
   knownAuthProviderId: KnownAuthProvider
-): ScopeAndClaims | undefined {
-  return DEFAULT_SCOPE_AND_CLAIMS[knownAuthProviderId];
+): AuthProviderCustomization | undefined {
+  return DEFAULT_PROVIDER_CUSTOMIZATION[knownAuthProviderId];
 }
 
 /**

package/src/session/manager.ts

@@ -92,6 +92,7 @@ export class SessionManager {
     switch (existingSession.type) {
       case "email":
       case "oauth":
+      case "custom-jwt":
       case "otp": {
         const connectedEventName = (() => {
           switch (existingSession.type) {
@@ -101,6 +102,8 @@ export class SessionManager {
               return "connectedOauth";
             case "otp":
               return "connectedOtp";
+            case "custom-jwt":
+              return "connectedJwt";
           }
         })();
         const result = await this.client
@@ -203,7 +206,7 @@ export class SessionManager {
   private setSession = (
     session_:
       | Omit<
-          Extract<Session, { type: "email" | "oauth" | "otp" }>,
+          Extract<Session, { type: "email" | "oauth" | "otp" | "custom-jwt" }>,
           "expirationDateMs"
         >
       | Omit<Extract<Session, { type: "passkey" }>, "expirationDateMs">
@@ -276,6 +279,8 @@ export class SessionManager {
       },
       connectedOauth: (user, bundle) =>
         this.setSessionWithUserAndBundle({ type: "oauth", user, bundle }),
+      connectedJwt: (user, bundle) =>
+        this.setSessionWithUserAndBundle({ type: "custom-jwt", user, bundle }),
       connectedOtp: (user, bundle) => {
         this.setSessionWithUserAndBundle({ type: "otp", user, bundle });
       },
@@ -331,7 +336,7 @@ export class SessionManager {
     user,
     bundle,
   }: {
-    type: "email" | "oauth" | "otp";
+    type: "email" | "oauth" | "otp" | "custom-jwt";
     user: User;
     bundle: string;
   }) => {

package/src/session/types.ts

@@ -2,7 +2,7 @@ import type { User } from "../client/types";
 
 export type Session =
   | {
-      type: "email" | "oauth" | "otp";
+      type: "email" | "oauth" | "otp" | "custom-jwt";
       bundle: string;
       expirationDateMs: number;
       user: User;

package/src/signer.ts

@@ -35,8 +35,13 @@ export type AuthParams =
       type: "oauth";
       scope?: string;
       claims?: string;
+      otherParameters?: Record<string, string>;
     } & OauthProviderConfig &
       OauthRedirectConfig)
+  | ({
+      type: "custom-jwt";
+      jwt: string;
+    } & OauthProviderConfig)
   | {
       type: "oauthReturn";
       bundle: string;
@@ -70,7 +75,12 @@ export type OauthRedirectConfig =
   | { mode: "redirect"; redirectUrl: string }
   | { mode: "popup"; redirectUrl?: never };
 
-export type KnownAuthProvider = "google" | "apple" | "facebook" | "auth0";
+export type KnownAuthProvider =
+  | "google"
+  | "apple"
+  | "facebook"
+  | "twitch"
+  | "auth0";
 
 export type OauthMode = "redirect" | "popup";
 

package/src/types.ts

@@ -19,6 +19,7 @@ export enum AlchemySignerStatus {
   AUTHENTICATING_OAUTH = "AUTHENTICATING_OAUTH",
   AWAITING_EMAIL_AUTH = "AWAITING_EMAIL_AUTH",
   AWAITING_OTP_AUTH = "AWAITING_OTP_AUTH",
+  AUTHENTICATING_JWT = "AUTHENTICATING_JWT",
 }
 
 export interface ErrorInfo {

package/src/version.ts

@@ -1,3 +1,3 @@
 // This file is autogenerated by inject-version.ts. Any changes will be
 // overwritten on commit!
-export const VERSION = "4.17.0";
+export const VERSION = "4.18.0-alpha.4";