@bandeira-tech/b3nd-web 0.3.0 → 0.3.2

package/dist/{chunk-4C4YY2X7.js → chunk-EF5ZUB4O.js}

@@ -1,3 +1,6 @@
+import {
+  HttpClient
+} from "./chunk-OY4CDOHY.js";
 import {
   createAuthenticatedMessage,
   createSignedEncryptedMessage,
@@ -5,11 +8,9 @@ import {
   decrypt,
   encodeHex,
   encrypt,
+  verify,
   verifyPayload
 } from "./chunk-JN75UL5C.js";
-import {
-  HttpClient
-} from "./chunk-LFUC4ETD.js";
 
 // wallet-server/interfaces.ts
 var defaultLogger = {
@@ -511,6 +512,89 @@ async function proxyRead(proxyClient, credentialClient, serverPublicKey, usernam
     };
   }
 }
+async function proxyReadMulti(proxyClient, credentialClient, serverPublicKey, username, serverEncryptionPrivateKeyPem, uris) {
+  if (uris.length > 50) {
+    return {
+      success: false,
+      results: [],
+      summary: { total: uris.length, succeeded: 0, failed: uris.length },
+      error: "Maximum 50 URIs per request"
+    };
+  }
+  try {
+    const [accountKey, userEncryptionKey] = await Promise.all([
+      loadUserAccountKey(
+        credentialClient,
+        serverPublicKey,
+        username,
+        serverEncryptionPrivateKeyPem
+      ),
+      loadUserEncryptionKey(
+        credentialClient,
+        serverPublicKey,
+        username,
+        serverEncryptionPrivateKeyPem
+      )
+    ]);
+    const resolvedUris = uris.map(
+      (uri) => uri.replace(/:key/g, accountKey.publicKeyHex)
+    );
+    const multiResult = await proxyClient.readMulti(resolvedUris);
+    const privateKey = await pemToCryptoKey(
+      userEncryptionKey.privateKeyPem,
+      "X25519"
+    );
+    const results = await Promise.all(
+      multiResult.results.map(async (item, i) => {
+        const originalUri = uris[i];
+        if (!item.success) {
+          return {
+            uri: originalUri,
+            success: false,
+            error: "error" in item ? item.error : "Read failed"
+          };
+        }
+        const result = {
+          uri: originalUri,
+          success: true,
+          record: "record" in item ? item.record : void 0
+        };
+        if (result.record?.data) {
+          try {
+            const data = result.record.data;
+            if (typeof data === "object" && data.payload && typeof data.payload === "object") {
+              const payload = data.payload;
+              if (payload.data && payload.nonce && payload.ephemeralPublicKey) {
+                const encryptedPayload = {
+                  data: payload.data,
+                  nonce: payload.nonce,
+                  ephemeralPublicKey: payload.ephemeralPublicKey
+                };
+                const decrypted = await decrypt(encryptedPayload, privateKey);
+                return { ...result, decrypted };
+              }
+            }
+          } catch {
+          }
+        }
+        return result;
+      })
+    );
+    const succeeded = results.filter((r) => r.success).length;
+    return {
+      success: succeeded > 0,
+      results,
+      summary: { total: uris.length, succeeded, failed: uris.length - succeeded }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      results: [],
+      summary: { total: uris.length, succeeded: 0, failed: uris.length },
+      error: `Proxy read-multi failed: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
 
 // wallet-server/auth.ts
 function generateSalt() {
@@ -597,7 +681,7 @@ async function createUser(client, serverPublicKey, username, password, serverIde
   );
   return { salt, hash };
 }
-async function authenticateUser(client, serverPublicKey, username, password, serverIdentityPublicKeyHex, serverEncryptionPrivateKeyPem, appScope, logger) {
+async function authenticateUser(client, serverPublicKey, username, password, serverEncryptionPrivateKeyPem, appScope, logger) {
   const passwordPath = await deriveObfuscatedPath(
     serverPublicKey,
     username,
@@ -629,7 +713,6 @@ async function changePassword(client, serverPublicKey, username, oldPassword, ne
     serverPublicKey,
     username,
     oldPassword,
-    serverIdentityPublicKeyHex,
     serverEncryptionPrivateKeyPem,
     appScope
   );
@@ -1003,7 +1086,6 @@ var PasswordCredentialHandler = class {
       context.serverPublicKey,
       username,
       password,
-      context.serverIdentityPublicKeyHex,
       context.serverEncryptionPrivateKeyPem,
       context.appKey,
       context.logger
@@ -1310,13 +1392,42 @@ var WalletServerCore = class {
   async writeBootstrapState(path, state) {
     await this.storage.writeTextFile(path, JSON.stringify(state, null, 2));
   }
-  async sessionExists(appKey, sessionKey) {
-    const input = new TextEncoder().encode(sessionKey);
-    const digest = await crypto.subtle.digest("SHA-256", input);
-    const sigHex = Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("").substring(0, 32);
-    const uri = `mutable://accounts/${appKey}/sessions/${sigHex}`;
+  /**
+   * Validate that a session is approved by the app.
+   * Sessions are keypairs - the sessionPubkey is used directly as the identifier.
+   * App approves sessions by writing 1 to mutable://accounts/{appKey}/sessions/{sessionPubkey}
+   *
+   * @param appKey - The app's public key
+   * @param sessionPubkey - The session's public key (hex encoded)
+   * @returns { valid: true } if approved, { valid: false, reason } if not
+   */
+  async sessionExists(appKey, sessionPubkey) {
+    const uri = `mutable://accounts/${appKey}/sessions/${sessionPubkey}`;
     const res = await this.proxyClient.read(uri);
-    return res.success;
+    if (!res.success) {
+      return { valid: false, reason: "session_not_approved" };
+    }
+    if (res.record?.data === 1) {
+      return { valid: true };
+    }
+    if (res.record?.data === 0) {
+      return { valid: false, reason: "session_revoked" };
+    }
+    return { valid: false, reason: "invalid_session_status" };
+  }
+  /**
+   * Verify that a login request signature is valid for the given session pubkey.
+   * The signature should be over the stringified login payload (without the signature field).
+   * Uses SDK crypto for consistent verification across the codebase.
+   */
+  async verifySessionSignature(sessionPubkey, signature, payload) {
+    try {
+      const { sessionSignature: _, ...signedPayload } = payload;
+      return await verify(sessionPubkey, signature, signedPayload);
+    } catch (error) {
+      this.logger.error("Session signature verification failed:", error);
+      return false;
+    }
   }
   createApp() {
     const app = new Hono();
@@ -1418,12 +1529,33 @@ var WalletServerCore = class {
         if (!appKey) {
           return c.json({ success: false, error: "appKey is required" }, 400);
         }
+        if (!payload.sessionPubkey) {
+          return c.json({ success: false, error: "sessionPubkey is required" }, 400);
+        }
+        if (!payload.sessionSignature) {
+          return c.json({ success: false, error: "sessionSignature is required" }, 400);
+        }
         if (!payload.type) {
           return c.json({
             success: false,
             error: `type is required. Supported: ${getSupportedCredentialTypes().join(", ")}`
           }, 400);
         }
+        const signatureValid = await this.verifySessionSignature(
+          payload.sessionPubkey,
+          payload.sessionSignature,
+          payload
+        );
+        if (!signatureValid) {
+          return c.json({ success: false, error: "Invalid session signature" }, 401);
+        }
+        const sessionResult = await this.sessionExists(appKey, payload.sessionPubkey);
+        if (!sessionResult.valid) {
+          return c.json({
+            success: false,
+            error: sessionResult.reason === "session_revoked" ? "Session has been revoked" : sessionResult.reason === "session_not_approved" ? "Session not approved by app" : "Invalid session"
+          }, 401);
+        }
         const handler = getCredentialHandler(payload.type);
         let googleClientId;
         if (payload.type === "google") {
@@ -1485,8 +1617,11 @@ var WalletServerCore = class {
         if (!appKey) {
           return c.json({ success: false, error: "appKey is required" }, 400);
         }
-        if (!payload.session) {
-          return c.json({ success: false, error: "session is required" }, 400);
+        if (!payload.sessionPubkey) {
+          return c.json({ success: false, error: "sessionPubkey is required" }, 400);
+        }
+        if (!payload.sessionSignature) {
+          return c.json({ success: false, error: "sessionSignature is required" }, 400);
         }
         if (!payload.type) {
           return c.json({
@@ -1494,8 +1629,20 @@ var WalletServerCore = class {
             error: `type is required. Supported: ${getSupportedCredentialTypes().join(", ")}`
           }, 400);
         }
-        if (!await this.sessionExists(appKey, payload.session)) {
-          return c.json({ success: false, error: "Invalid session" }, 401);
+        const signatureValid = await this.verifySessionSignature(
+          payload.sessionPubkey,
+          payload.sessionSignature,
+          payload
+        );
+        if (!signatureValid) {
+          return c.json({ success: false, error: "Invalid session signature" }, 401);
+        }
+        const sessionResult = await this.sessionExists(appKey, payload.sessionPubkey);
+        if (!sessionResult.valid) {
+          return c.json({
+            success: false,
+            error: sessionResult.reason === "session_revoked" ? "Session has been revoked" : sessionResult.reason === "session_not_approved" ? "Session not approved by app" : "Invalid session"
+          }, 401);
         }
         const handler = getCredentialHandler(payload.type);
         let googleClientId;
@@ -1751,6 +1898,36 @@ var WalletServerCore = class {
         return c.json({ success: false, error: message }, 500);
       }
     });
+    app.post("/api/v1/proxy/read-multi", async (c) => {
+      try {
+        const authHeader = c.req.header("Authorization");
+        if (!authHeader?.startsWith("Bearer ")) {
+          return c.json({ success: false, error: "Authorization required" }, 401);
+        }
+        const token = authHeader.substring(7);
+        const payload = await verifyJwt(token, this.config.jwtSecret);
+        const body = await c.req.json();
+        if (!Array.isArray(body.uris)) {
+          return c.json({ success: false, error: "uris must be an array" }, 400);
+        }
+        const result = await proxyReadMulti(
+          this.proxyClient,
+          this.credentialClient,
+          serverPublicKey,
+          payload.username,
+          serverEncryptionPrivateKeyPem,
+          body.uris
+        );
+        return c.json(result);
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("expired")) {
+          return c.json({ success: false, error: message }, 401);
+        }
+        this.logger.error("Proxy read-multi error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
     return app;
   }
 };

package/dist/{chunk-IILPY4TK.js → chunk-FDJZ4P2M.js}

@@ -1,15 +1,16 @@
-import {
-  MemoryClient,
-  createTestSchema
-} from "./chunk-OXHGNAQJ.js";
 import {
   WalletServerCore
-} from "./chunk-4C4YY2X7.js";
+} from "./chunk-EF5ZUB4O.js";
 import {
   exportPrivateKeyPem,
   generateEncryptionKeyPair,
-  generateSigningKeyPair
+  generateSigningKeyPair,
+  signWithHex
 } from "./chunk-JN75UL5C.js";
+import {
+  MemoryClient,
+  createTestSchema
+} from "./chunk-O53KW746.js";
 
 // wallet/client.ts
 var WalletClient = class {
@@ -143,19 +144,34 @@ var WalletClient = class {
     throw new Error("Use resetPasswordWithToken(appKey, username, resetToken, newPassword)");
   }
   /**
-   * Sign up with app token (scoped to an app)
+   * Sign up with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
    */
-  async signupWithToken(appKey, tokenOrCredentials, maybeCredentials) {
-    const credentials = typeof tokenOrCredentials === "string" ? maybeCredentials : tokenOrCredentials;
-    if (!credentials) throw new Error("credentials are required");
+  async signupWithToken(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
+      type: "password",
+      username: credentials.username,
+      password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
     const response = await this.fetchImpl(this.buildAppKeyUrl("/auth/signup", appKey), {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        token: typeof tokenOrCredentials === "string" ? tokenOrCredentials : void 0,
-        type: "password",
-        username: credentials.username,
-        password: credentials.password
+        ...payloadToSign,
+        sessionSignature
       })
     });
     const data = await response.json();
@@ -165,21 +181,34 @@ var WalletClient = class {
     return { username: data.username, token: data.token, expiresIn: data.expiresIn };
   }
   /**
-   * Login with app token and session (scoped to an app)
+   * Login with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
    */
-  async loginWithTokenSession(appKey, tokenOrSession, sessionOrCredentials, maybeCredentials) {
-    const session = typeof sessionOrCredentials === "string" && maybeCredentials ? sessionOrCredentials : tokenOrSession;
-    const credentials = maybeCredentials || sessionOrCredentials;
-    if (!session || typeof session !== "string") throw new Error("session is required");
+  async loginWithTokenSession(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
+      type: "password",
+      username: credentials.username,
+      password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
     const response = await this.fetchImpl(this.buildAppKeyUrl("/auth/login", appKey), {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        token: typeof tokenOrSession === "string" && maybeCredentials ? tokenOrSession : void 0,
-        session,
-        type: "password",
-        username: credentials.username,
-        password: credentials.password
+        ...payloadToSign,
+        sessionSignature
       })
     });
     const data = await response.json();
@@ -299,6 +328,31 @@ var WalletClient = class {
     const data = await response.json();
     return data;
   }
+  /**
+   * Proxy multiple read requests through the wallet server
+   * Reads multiple URIs in a single request (max 50 URIs)
+   * The server decrypts encrypted data using user's encryption key
+   * Requires active authentication session
+   *
+   * @returns ProxyReadMultiResponse - check `success` for overall result, `results` for per-URI results
+   */
+  async proxyReadMulti(request) {
+    if (!this.currentSession) {
+      throw new Error("Not authenticated. Please login first.");
+    }
+    const response = await this.fetchImpl(
+      `${this.walletServerUrl}${this.apiBasePath}/proxy/read-multi`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${this.currentSession.token}`
+        },
+        body: JSON.stringify({ uris: request.uris })
+      }
+    );
+    return await response.json();
+  }
   /**
    * Convenience method: Get current user's public keys
    * Requires active authentication session
@@ -356,22 +410,37 @@ var WalletClient = class {
     };
   }
   /**
-   * Login with Google OAuth (scoped to app token and session)
+   * Login with Google OAuth (scoped to app token and session keypair)
    * Returns session data with Google profile info - call setSession() to activate it
    *
+   * The session must be approved by the app beforehand.
+   *
+   * @param appKey - The app's public key
    * @param token - App token from app server
-   * @param session - Session key from app server
+   * @param session - Session keypair (generated via generateSessionKeypair)
    * @param googleIdToken - Google ID token from Google Sign-In
    * @returns GoogleAuthSession with username, JWT token, and Google profile info
    */
   async loginWithGoogle(appKey, token, session, googleIdToken) {
     if (!token) throw new Error("token is required");
-    if (!session) throw new Error("session is required");
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
     if (!googleIdToken) throw new Error("googleIdToken is required");
+    const payloadToSign = {
+      token,
+      sessionPubkey: session.publicKeyHex,
+      type: "google",
+      googleIdToken
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
     const response = await this.fetchImpl(this.buildAppKeyUrl("/auth/login", appKey), {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ token, session, type: "google", googleIdToken })
+      body: JSON.stringify({
+        ...payloadToSign,
+        sessionSignature
+      })
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -387,6 +456,13 @@ var WalletClient = class {
     };
   }
 };
+async function generateSessionKeypair() {
+  const keyPair = await generateSigningKeyPair();
+  return {
+    publicKeyHex: keyPair.publicKeyHex,
+    privateKeyHex: keyPair.privateKeyHex
+  };
+}
 
 // wallet/memory-client.ts
 async function generateTestServerKeys() {
@@ -541,14 +617,32 @@ var MemoryWalletClient = class _MemoryWalletClient {
   async login(_credentials) {
     throw new Error("Use loginWithTokenSession(appKey, session, credentials) \u2014 app token + session required");
   }
-  async signupWithToken(appKey, tokenOrCredentials, maybeCredentials) {
-    const credentials = typeof tokenOrCredentials === "string" ? maybeCredentials : tokenOrCredentials;
-    if (!credentials) throw new Error("credentials are required");
-    const response = await this.request("POST", `/auth/signup/${appKey}`, {
-      token: typeof tokenOrCredentials === "string" ? tokenOrCredentials : void 0,
+  /**
+   * Sign up with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
+   */
+  async signupWithToken(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
       type: "password",
       username: credentials.username,
       password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
+    const response = await this.request("POST", `/auth/signup/${appKey}`, {
+      ...payloadToSign,
+      sessionSignature
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -560,16 +654,32 @@ var MemoryWalletClient = class _MemoryWalletClient {
       expiresIn: data.expiresIn
     };
   }
-  async loginWithTokenSession(appKey, tokenOrSession, sessionOrCredentials, maybeCredentials) {
-    const session = typeof sessionOrCredentials === "string" && maybeCredentials ? sessionOrCredentials : tokenOrSession;
-    const credentials = maybeCredentials || sessionOrCredentials;
-    if (!session || typeof session !== "string") throw new Error("session is required");
-    const response = await this.request("POST", `/auth/login/${appKey}`, {
-      token: typeof tokenOrSession === "string" && maybeCredentials ? tokenOrSession : void 0,
-      session,
+  /**
+   * Login with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
+   */
+  async loginWithTokenSession(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
       type: "password",
       username: credentials.username,
       password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
+    const response = await this.request("POST", `/auth/login/${appKey}`, {
+      ...payloadToSign,
+      sessionSignature
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -675,6 +785,12 @@ var MemoryWalletClient = class _MemoryWalletClient {
     const data = await response.json();
     return data;
   }
+  async proxyReadMulti(request) {
+    const response = await this.authRequest("POST", "/proxy/read-multi", {
+      uris: request.uris
+    });
+    return await response.json();
+  }
   // ============================================================
   // Google OAuth (for completeness - may not work without real Google)
   // ============================================================
@@ -699,15 +815,34 @@ var MemoryWalletClient = class _MemoryWalletClient {
       picture: data.picture
     };
   }
+  /**
+   * Login with Google OAuth (scoped to app token and session keypair)
+   * Returns session data with Google profile info - call setSession() to activate it
+   *
+   * The session must be approved by the app beforehand.
+   *
+   * @param appKey - The app's public key
+   * @param token - App token from app server
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param googleIdToken - Google ID token from Google Sign-In
+   * @returns GoogleAuthSession with username, JWT token, and Google profile info
+   */
   async loginWithGoogle(appKey, token, session, googleIdToken) {
     if (!token) throw new Error("token is required");
-    if (!session) throw new Error("session is required");
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
     if (!googleIdToken) throw new Error("googleIdToken is required");
-    const response = await this.request("POST", `/auth/login/${appKey}`, {
+    const payloadToSign = {
       token,
-      session,
+      sessionPubkey: session.publicKeyHex,
       type: "google",
       googleIdToken
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
+    const response = await this.request("POST", `/auth/login/${appKey}`, {
+      ...payloadToSign,
+      sessionSignature
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -755,16 +890,30 @@ async function createTestEnvironment(config = {}) {
     wallet,
     serverKeys,
     async signupTestUser(appKey, username, password) {
-      const session = await wallet.signupWithToken(appKey, { username, password });
+      const keypair = await generateSigningKeyPair();
+      const sessionKeypair = {
+        publicKeyHex: keypair.publicKeyHex,
+        privateKeyHex: keypair.privateKeyHex
+      };
+      const sessionUri = `mutable://accounts/${appKey}/sessions/${sessionKeypair.publicKeyHex}`;
+      await backend.write(sessionUri, 1);
+      const session = await wallet.signupWithToken(appKey, sessionKeypair, { username, password });
       wallet.setSession(session);
       const keys = await wallet.getPublicKeys(appKey);
-      return { session, keys };
+      return { session, keys, sessionKeypair };
     },
-    async loginTestUser(appKey, sessionKey, username, password) {
-      const session = await wallet.loginWithTokenSession(appKey, sessionKey, { username, password });
+    async loginTestUser(appKey, username, password) {
+      const keypair = await generateSigningKeyPair();
+      const sessionKeypair = {
+        publicKeyHex: keypair.publicKeyHex,
+        privateKeyHex: keypair.privateKeyHex
+      };
+      const sessionUri = `mutable://accounts/${appKey}/sessions/${sessionKeypair.publicKeyHex}`;
+      await backend.write(sessionUri, 1);
+      const session = await wallet.loginWithTokenSession(appKey, sessionKeypair, { username, password });
       wallet.setSession(session);
       const keys = await wallet.getPublicKeys(appKey);
-      return { session, keys };
+      return { session, keys, sessionKeypair };
     },
     async cleanup() {
       await backend.cleanup();
@@ -775,6 +924,7 @@ async function createTestEnvironment(config = {}) {
 
 export {
   WalletClient,
+  generateSessionKeypair,
   generateTestServerKeys,
   MemoryWalletClient,
   createTestEnvironment