@account-kit/signer 4.9.0 → 4.11.0

package/dist/types/version.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/version.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,OAAO,UAAU,CAAC"}
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/version.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,OAAO,WAAW,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@account-kit/signer",
-  "version": "4.9.0",
+  "version": "4.11.0",
   "description": "Core interfaces and clients for interfacing with the Alchemy Signer API",
   "author": "Alchemy",
   "license": "MIT",
@@ -49,8 +49,8 @@
     "vitest": "^2.0.4"
   },
   "dependencies": {
-    "@aa-sdk/core": "^4.9.0",
-    "@account-kit/logging": "^4.9.0",
+    "@aa-sdk/core": "^4.11.0",
+    "@account-kit/logging": "^4.11.0",
     "@turnkey/http": "^2.6.2",
     "@turnkey/iframe-stamper": "^1.0.0",
     "@turnkey/viem": "^0.4.8",
@@ -73,5 +73,5 @@
     "url": "https://github.com/alchemyplatform/aa-sdk/issues"
   },
   "homepage": "https://github.com/alchemyplatform/aa-sdk#readme",
-  "gitHead": "9cd4dc759879defa6ac90f1ae7f8a378d9d1666f"
+  "gitHead": "789a1db1e3cfdca61393d8328693dd9d1a4ebb0f"
 }

package/src/client/base.ts

@@ -2,19 +2,22 @@ import { ConnectionConfigSchema, type ConnectionConfig } from "@aa-sdk/core";
 import { TurnkeyClient, type TSignedRequest } from "@turnkey/http";
 import EventEmitter from "eventemitter3";
 import { jwtDecode } from "jwt-decode";
-import type { Hex } from "viem";
-import { NotAuthenticatedError } from "../errors.js";
+import { sha256, type Hex } from "viem";
+import { NotAuthenticatedError, OAuthProvidersError } from "../errors.js";
 import { base64UrlEncode } from "../utils/base64UrlEncode.js";
 import { assertNever } from "../utils/typeAssertions.js";
+import { resolveRelativeUrl } from "../utils/resolveRelativeUrl.js";
 import type {
   AlchemySignerClientEvent,
   AlchemySignerClientEvents,
   AuthenticatingEventMetadata,
   CreateAccountParams,
   EmailAuthParams,
+  GetOauthProviderUrlArgs,
   GetWebAuthnAttestationResult,
   OauthConfig,
   OauthParams,
+  OauthState,
   OtpParams,
   SignerBody,
   SignerResponse,
@@ -22,6 +25,8 @@ import type {
   SignupResponse,
   User,
 } from "./types.js";
+import type { OauthMode } from "../signer.js";
+import { addOpenIdIfAbsent, getDefaultScopeAndClaims } from "../oauth.js";
 
 export interface BaseSignerClientParams {
   stamper: TurnkeyClient["stamper"];
@@ -46,7 +51,6 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
   protected rootOrg: string;
   protected eventEmitter: EventEmitter<AlchemySignerClientEvents>;
   protected oauthConfig: OauthConfig | undefined;
-
   /**
    * Create a new instance of the Alchemy Signer client
    *
@@ -139,7 +143,7 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
 
   public abstract oauthWithRedirect(
     args: Extract<OauthParams, { mode: "redirect" }>
-  ): Promise<never>;
+  ): Promise<User | never>;
 
   public abstract oauthWithPopup(
     args: Extract<OauthParams, { mode: "popup" }>
@@ -471,6 +475,158 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
     return result;
   };
 
+  /**
+   * Returns the authentication url for the selected OAuth Proivder
+   *
+   * @example
+   * ```ts
+   *
+   * cosnt oauthParams = {
+   *  authProviderId: "google",
+   *  isCustomProvider: false,
+   *  auth0Connection: undefined,
+   *  scope: undefined,
+   *  claims: undefined,
+   *  mode: "redirect",
+   *  redirectUrl: "https://your-url-path/oauth-return",
+   *  expirationSeconds: 3000
+   * };
+   *
+   * const turnkeyPublicKey = await this.initIframeStamper();
+   * const oauthCallbackUrl = this.oauthCallbackUrl;
+   * const oauthConfig = this.getOauthConfig() // Optional value for OauthConfig()
+   * const usesRelativeUrl = true // Optional value to determine if we use a relative (or absolute) url for the `redirect_url`
+   *
+   * const oauthProviderUrl = getOauthProviderUrl({
+   *  oauthParams,
+   *  turnkeyPublicKey,
+   *  oauthCallbackUrl
+   * })
+   *
+   * ```
+   * @param {GetOauthProviderUrlArgs} args Required. The Oauth provider's auth parameters
+   *
+   * @returns {Promise<string>} returns the Oauth provider's url
+   */
+  protected getOauthProviderUrl = async (
+    args: GetOauthProviderUrlArgs
+  ): Promise<string> => {
+    const {
+      oauthParams,
+      turnkeyPublicKey,
+      oauthCallbackUrl,
+      oauthConfig,
+      usesRelativeUrl = true,
+    } = args;
+
+    const {
+      authProviderId,
+      isCustomProvider,
+      auth0Connection,
+      scope: providedScope,
+      claims: providedClaims,
+      mode,
+      redirectUrl,
+      expirationSeconds,
+    } = oauthParams;
+
+    const { codeChallenge, requestKey, authProviders } =
+      oauthConfig ?? (await this.getOauthConfigForMode(mode));
+
+    if (!authProviders) {
+      throw new OAuthProvidersError();
+    }
+
+    const authProvider = authProviders.find(
+      (provider) =>
+        provider.id === authProviderId &&
+        !!provider.isCustomProvider === !!isCustomProvider
+    );
+
+    if (!authProvider) {
+      throw new Error(`No auth provider found with id ${authProviderId}`);
+    }
+
+    let scope: string;
+    let claims: string | undefined;
+
+    if (providedScope) {
+      scope = addOpenIdIfAbsent(providedScope);
+      claims = providedClaims;
+    } else {
+      if (isCustomProvider) {
+        throw new Error("scope must be provided for a custom provider");
+      }
+      const scopeAndClaims = getDefaultScopeAndClaims(authProviderId);
+      if (!scopeAndClaims) {
+        throw new Error(
+          `Default scope not known for provider ${authProviderId}`
+        );
+      }
+      ({ scope, claims } = scopeAndClaims);
+    }
+    const { authEndpoint, clientId } = authProvider;
+
+    const nonce = this.getOauthNonce(turnkeyPublicKey);
+    const stateObject: OauthState = {
+      authProviderId,
+      isCustomProvider,
+      requestKey,
+      turnkeyPublicKey,
+      expirationSeconds,
+      redirectUrl:
+        mode === "redirect"
+          ? usesRelativeUrl
+            ? resolveRelativeUrl(redirectUrl)
+            : redirectUrl
+          : undefined,
+      openerOrigin: mode === "popup" ? window.location.origin : undefined,
+    };
+    const state = base64UrlEncode(
+      new TextEncoder().encode(JSON.stringify(stateObject))
+    );
+    const authUrl = new URL(authEndpoint);
+    const params: Record<string, string> = {
+      redirect_uri: oauthCallbackUrl,
+      response_type: "code",
+      scope,
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      prompt: "select_account",
+      client_id: clientId,
+      nonce,
+    };
+    if (claims) {
+      params.claims = claims;
+    }
+    if (auth0Connection) {
+      params.connection = auth0Connection;
+    }
+
+    Object.keys(params).forEach((param) => {
+      params[param] && authUrl.searchParams.append(param, params[param]);
+    });
+
+    const [urlPath, searchParams] = authUrl.href.split("?");
+
+    return `${urlPath?.replace(/\/$/, "")}?${searchParams}`;
+  };
+
+  private getOauthConfigForMode = async (
+    mode: OauthMode
+  ): Promise<OauthConfig> => {
+    if (this.oauthConfig) {
+      return this.oauthConfig;
+    } else if (mode === "redirect") {
+      return this.initOauth();
+    } else {
+      throw new Error(
+        "enablePopupOauth must be set in configuration or signer.preparePopupOauth must be called before using popup-based OAuth login"
+      );
+    }
+  };
+
   // eslint-disable-next-line eslint-rules/require-jsdoc-on-reexported-functions
   protected pollActivityCompletion = async <
     T extends keyof Awaited<
@@ -520,4 +676,14 @@ export abstract class BaseSignerClient<TExportWalletParams = unknown> {
     return this.pollActivityCompletion(activity, organizationId, resultKey);
   };
   // #endregion
+
+  /**
+   * Turnkey requires the nonce in the id token to be in this format.
+   *
+   * @param {string} turnkeyPublicKey key from a Turnkey iframe
+   * @returns {string} nonce to be used in OIDC
+   */
+  protected getOauthNonce = (turnkeyPublicKey: string): string => {
+    return sha256(new TextEncoder().encode(turnkeyPublicKey)).slice(2);
+  };
 }

package/src/client/index.ts

@@ -3,9 +3,7 @@ import { getWebAuthnAttestation } from "@turnkey/http";
 import { IframeStamper } from "@turnkey/iframe-stamper";
 import { WebauthnStamper } from "@turnkey/webauthn-stamper";
 import { z } from "zod";
-import { OAuthProvidersError } from "../errors.js";
-import { getDefaultScopeAndClaims, getOauthNonce } from "../oauth.js";
-import type { AuthParams, OauthMode } from "../signer.js";
+import type { AuthParams } from "../signer.js";
 import { base64UrlEncode } from "../utils/base64UrlEncode.js";
 import { generateRandomBuffer } from "../utils/generateRandomBuffer.js";
 import { BaseSignerClient } from "./base.js";
@@ -17,7 +15,6 @@ import type {
   EmailAuthParams,
   ExportWalletParams,
   OauthConfig,
-  OauthParams,
   OtpParams,
   User,
 } from "./types.js";
@@ -46,16 +43,6 @@ export type AlchemySignerClientParams = z.input<
   typeof AlchemySignerClientParamsSchema
 >;
 
-type OauthState = {
-  authProviderId: string;
-  isCustomProvider?: boolean;
-  requestKey: string;
-  turnkeyPublicKey: string;
-  expirationSeconds?: number;
-  redirectUrl?: string;
-  openerOrigin?: string;
-};
-
 /**
  * A lower level client used by the AlchemySigner used to communicate with
  * Alchemy's signer service.
@@ -462,7 +449,15 @@ export class AlchemySignerWebClient extends BaseSignerClient<ExportWalletParams>
   public override oauthWithRedirect = async (
     args: Extract<AuthParams, { type: "oauth"; mode: "redirect" }>
   ): Promise<never> => {
-    const providerUrl = await this.getOauthProviderUrl(args);
+    const turnkeyPublicKey = await this.initIframeStamper();
+
+    const oauthParams = args;
+    const providerUrl = await this.getOauthProviderUrl({
+      oauthParams,
+      turnkeyPublicKey,
+      oauthCallbackUrl: this.oauthCallbackUrl,
+    });
+
     window.location.href = providerUrl;
     return new Promise((_, reject) =>
       setTimeout(() => reject("Failed to redirect to OAuth provider"), 1000)
@@ -498,7 +493,13 @@ export class AlchemySignerWebClient extends BaseSignerClient<ExportWalletParams>
   public override oauthWithPopup = async (
     args: Extract<AuthParams, { type: "oauth"; mode: "popup" }>
   ): Promise<User> => {
-    const providerUrl = await this.getOauthProviderUrl(args);
+    const turnkeyPublicKey = await this.initIframeStamper();
+    const oauthParams = args;
+    const providerUrl = await this.getOauthProviderUrl({
+      oauthParams,
+      turnkeyPublicKey,
+      oauthCallbackUrl: this.oauthCallbackUrl,
+    });
     const popup = window.open(
       providerUrl,
       "_blank",
@@ -556,85 +557,6 @@ export class AlchemySignerWebClient extends BaseSignerClient<ExportWalletParams>
     });
   };
 
-  private getOauthProviderUrl = async (args: OauthParams): Promise<string> => {
-    const {
-      authProviderId,
-      isCustomProvider,
-      auth0Connection,
-      scope: providedScope,
-      claims: providedClaims,
-      mode,
-      redirectUrl,
-      expirationSeconds,
-    } = args;
-    const { codeChallenge, requestKey, authProviders } =
-      await this.getOauthConfigForMode(mode);
-    if (!authProviders) {
-      throw new OAuthProvidersError();
-    }
-    const authProvider = authProviders.find(
-      (provider) =>
-        provider.id === authProviderId &&
-        !!provider.isCustomProvider === !!isCustomProvider
-    );
-    if (!authProvider) {
-      throw new Error(`No auth provider found with id ${authProviderId}`);
-    }
-    let scope: string;
-    let claims: string | undefined;
-    if (providedScope) {
-      scope = addOpenIdIfAbsent(providedScope);
-      claims = providedClaims;
-    } else {
-      if (isCustomProvider) {
-        throw new Error("scope must be provided for a custom provider");
-      }
-      const scopeAndClaims = getDefaultScopeAndClaims(authProviderId);
-      if (!scopeAndClaims) {
-        throw new Error(
-          `Default scope not known for provider ${authProviderId}`
-        );
-      }
-      ({ scope, claims } = scopeAndClaims);
-    }
-    const { authEndpoint, clientId } = authProvider;
-    const turnkeyPublicKey = await this.initIframeStamper();
-    const nonce = getOauthNonce(turnkeyPublicKey);
-    const stateObject: OauthState = {
-      authProviderId,
-      isCustomProvider,
-      requestKey,
-      turnkeyPublicKey,
-      expirationSeconds,
-      redirectUrl:
-        mode === "redirect" ? resolveRelativeUrl(redirectUrl) : undefined,
-      openerOrigin: mode === "popup" ? window.location.origin : undefined,
-    };
-    const state = base64UrlEncode(
-      new TextEncoder().encode(JSON.stringify(stateObject))
-    );
-    const authUrl = new URL(authEndpoint);
-    const params: Record<string, string> = {
-      redirect_uri: this.oauthCallbackUrl,
-      response_type: "code",
-      scope,
-      state,
-      code_challenge: codeChallenge,
-      code_challenge_method: "S256",
-      prompt: "select_account",
-      client_id: clientId,
-      nonce,
-    };
-    if (claims) {
-      params.claims = claims;
-    }
-    if (auth0Connection) {
-      params.connection = auth0Connection;
-    }
-    authUrl.search = new URLSearchParams(params).toString();
-    return authUrl.toString();
-  };
-
   private initIframeStamper = async () => {
     if (!this.iframeStamper.publicKey()) {
       await this.iframeStamper.init();
@@ -720,41 +642,9 @@ export class AlchemySignerWebClient extends BaseSignerClient<ExportWalletParams>
 
     // swap the stamper back in case the user logged in with a different stamper (passkeys)
     this.setStamper(currentStamper);
-    const nonce = getOauthNonce(publicKey);
+    const nonce = this.getOauthNonce(publicKey);
     return this.request("/v1/prepare-oauth", { nonce });
   };
-
-  private getOauthConfigForMode = async (
-    mode: OauthMode
-  ): Promise<OauthConfig> => {
-    if (this.oauthConfig) {
-      return this.oauthConfig;
-    } else if (mode === "redirect") {
-      return this.initOauth();
-    } else {
-      throw new Error(
-        "enablePopupOauth must be set in configuration or signer.preparePopupOauth must be called before using popup-based OAuth login"
-      );
-    }
-  };
-}
-
-function resolveRelativeUrl(url: string): string {
-  // Funny trick.
-  const a = document.createElement("a");
-  a.href = url;
-  return a.href;
-}
-
-/**
- * "openid" is a required scope in the OIDC protocol. Insert it if the user
- * forgot.
- *
- * @param {string} scope scope param which may be missing "openid"
- * @returns {string} scope which most definitely contains "openid"
- */
-function addOpenIdIfAbsent(scope: string): string {
-  return scope.match(/\bopenid\b/) ? scope : `openid ${scope}`;
 }
 
 /**

package/src/client/types.ts

@@ -99,7 +99,9 @@ export type SignerEndpoints = [
   {
     Route: "/v1/signup";
     Body:
-      | (Omit<EmailAuthParams, "redirectParams"> & { redirectParams?: string })
+      | (Omit<EmailAuthParams, "redirectParams"> & {
+          redirectParams?: string;
+        })
       | {
           passkey: {
             challenge: string;
@@ -117,7 +119,9 @@ export type SignerEndpoints = [
   },
   {
     Route: "/v1/auth";
-    Body: Omit<EmailAuthParams, "redirectParams"> & { redirectParams?: string };
+    Body: Omit<EmailAuthParams, "redirectParams"> & {
+      redirectParams?: string;
+    };
     Response: {
       orgId: string;
       otpId?: string;
@@ -177,3 +181,21 @@ export type GetWebAuthnAttestationResult = {
   challenge: ArrayBuffer;
   authenticatorUserId: ArrayBuffer;
 };
+
+export type OauthState = {
+  authProviderId: string;
+  isCustomProvider?: boolean;
+  requestKey: string;
+  turnkeyPublicKey: string;
+  expirationSeconds?: number;
+  redirectUrl?: string;
+  openerOrigin?: string;
+};
+
+export type GetOauthProviderUrlArgs = {
+  oauthParams: OauthParams;
+  turnkeyPublicKey: string;
+  oauthCallbackUrl: string;
+  oauthConfig?: OauthConfig;
+  usesRelativeUrl?: boolean;
+};

package/src/errors.ts

@@ -18,6 +18,8 @@ export class NotAuthenticatedError extends BaseError {
 export class OAuthProvidersError extends BaseError {
   override name = "OAuthProvidersError";
   constructor() {
-    super("OAuth providers not found", { docsPath: "/react/getting-started" });
+    super("OAuth providers not found", {
+      docsPath: "/react/getting-started",
+    });
   }
 }

package/src/index.ts

@@ -14,3 +14,4 @@ export type * from "./signer.js";
 export { AlchemyWebSigner } from "./signer.js";
 export type * from "./types.js";
 export { AlchemySignerStatus } from "./types.js";
+export { OAuthProvidersError, NotAuthenticatedError } from "./errors.js";

package/src/oauth.ts

@@ -1,16 +1,5 @@
-import { sha256 } from "viem";
 import type { KnownAuthProvider } from "./signer";
 
-/**
- * Turnkey requires the nonce in the id token to be in this format.
- *
- * @param {string} turnkeyPublicKey key from a Turnkey iframe
- * @returns {string} nonce to be used in OIDC
- */
-export function getOauthNonce(turnkeyPublicKey: string): string {
-  return sha256(new TextEncoder().encode(turnkeyPublicKey)).slice(2);
-}
-
 export type ScopeAndClaims = {
   scope: string;
   claims?: string;
@@ -34,3 +23,14 @@ export function getDefaultScopeAndClaims(
 ): ScopeAndClaims | undefined {
   return DEFAULT_SCOPE_AND_CLAIMS[knownAuthProviderId];
 }
+
+/**
+ * "openid" is a required scope in the OIDC protocol. Insert it if the user
+ * forgot.
+ *
+ * @param {string} scope scope param which may be missing "openid"
+ * @returns {string} scope which most definitely contains "openid"
+ */
+export function addOpenIdIfAbsent(scope: string): string {
+  return scope.match(/\bopenid\b/) ? scope : `openid ${scope}`;
+}

package/src/utils/resolveRelativeUrl.ts

@@ -0,0 +1,6 @@
+export function resolveRelativeUrl(url: string): string {
+  // Funny trick.
+  const a = document.createElement("a");
+  a.href = url;
+  return a.href;
+}

package/src/version.ts

@@ -1,3 +1,3 @@
 // This file is autogenerated by inject-version.ts. Any changes will be
 // overwritten on commit!
-export const VERSION = "4.9.0";
+export const VERSION = "4.11.0";