@blazium/ton-connect-mobile 1.0.0

package/dist/adapters/web.js

@@ -0,0 +1,147 @@
+"use strict";
+/**
+ * Web platform adapter
+ * Handles deep linking and storage for web environments
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebAdapter = void 0;
+/**
+ * Web platform adapter implementation
+ * Uses browser APIs for deep linking and localStorage for storage
+ */
+class WebAdapter {
+    constructor() {
+        this.urlListeners = [];
+        this.isListening = false;
+        // Set up URL listener
+        this.setupURLListener();
+    }
+    setupURLListener() {
+        // Listen for hash changes (web deep links)
+        if (typeof window !== 'undefined') {
+            window.addEventListener('hashchange', () => {
+                this.handleURLChange();
+            });
+            // Also check on popstate (browser back/forward)
+            window.addEventListener('popstate', () => {
+                this.handleURLChange();
+            });
+            this.isListening = true;
+        }
+    }
+    handleURLChange() {
+        if (typeof window === 'undefined')
+            return;
+        const url = window.location.href;
+        this.urlListeners.forEach((listener) => {
+            try {
+                listener(url);
+            }
+            catch (error) {
+                // Ignore errors in listeners
+            }
+        });
+    }
+    async openURL(url) {
+        try {
+            if (typeof window !== 'undefined') {
+                // For web, we can use window.open or window.location
+                // For deep links to mobile wallets, we'll use window.location
+                if (url.startsWith('tonconnect://')) {
+                    // Try to open in new window/tab, fallback to current window
+                    const opened = window.open(url, '_blank');
+                    if (!opened) {
+                        // Popup blocked, try current window
+                        window.location.href = url;
+                    }
+                    return true;
+                }
+                else {
+                    window.location.href = url;
+                    return true;
+                }
+            }
+            return false;
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    async getInitialURL() {
+        if (typeof window !== 'undefined') {
+            return window.location.href;
+        }
+        return null;
+    }
+    addURLListener(callback) {
+        this.urlListeners.push(callback);
+        // Immediately check current URL
+        if (typeof window !== 'undefined') {
+            try {
+                callback(window.location.href);
+            }
+            catch (error) {
+                // Ignore errors
+            }
+        }
+        // Return unsubscribe function
+        return () => {
+            const index = this.urlListeners.indexOf(callback);
+            if (index > -1) {
+                this.urlListeners.splice(index, 1);
+            }
+        };
+    }
+    async setItem(key, value) {
+        if (typeof window === 'undefined' || !window.localStorage) {
+            throw new Error('localStorage is not available');
+        }
+        try {
+            window.localStorage.setItem(key, value);
+        }
+        catch (error) {
+            throw new Error(`Failed to set storage item: ${error?.message || error}`);
+        }
+    }
+    async getItem(key) {
+        if (typeof window === 'undefined' || !window.localStorage) {
+            return null;
+        }
+        try {
+            return window.localStorage.getItem(key);
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    async removeItem(key) {
+        if (typeof window === 'undefined' || !window.localStorage) {
+            return;
+        }
+        try {
+            window.localStorage.removeItem(key);
+        }
+        catch (error) {
+            // Ignore errors on remove
+        }
+    }
+    async randomBytes(length) {
+        // Use crypto.getRandomValues (available in modern browsers)
+        if (typeof window !== 'undefined' && window.crypto && window.crypto.getRandomValues) {
+            const bytes = new Uint8Array(length);
+            window.crypto.getRandomValues(bytes);
+            return bytes;
+        }
+        // Fallback: should not happen in modern browsers
+        throw new Error('Cryptographically secure random number generation not available. ' +
+            'Please use a modern browser with crypto.getRandomValues support.');
+    }
+    /**
+     * Cleanup resources
+     */
+    destroy() {
+        this.urlListeners = [];
+        this.isListening = false;
+    }
+}
+exports.WebAdapter = WebAdapter;

package/dist/core/crypto.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Cryptographic utilities for TonConnect
+ * Uses tweetnacl for signature verification
+ */
+import { ConnectionResponsePayload } from '../types';
+/**
+ * Verify connection proof signature
+ * The proof is signed by the wallet to verify authenticity
+ */
+export declare function verifyConnectionProof(response: ConnectionResponsePayload, manifestUrl: string): boolean;
+/**
+ * Verify transaction signature
+ *
+ * WARNING: This function only performs basic format validation.
+ * Full signature verification requires parsing the BOC (Bag of Cells) and
+ * verifying the signature against the transaction hash, which requires
+ * TON library integration (@ton/core or @ton/crypto).
+ *
+ * For production use, transaction signatures should be verified server-side
+ * using proper TON libraries.
+ *
+ * @returns false - Always returns false to be safe until proper implementation
+ */
+export declare function verifyTransactionSignature(boc: string, signature: string, publicKey: string): boolean;
+/**
+ * Generate random session ID
+ */
+export declare function generateSessionId(): string;

package/dist/core/crypto.js

@@ -0,0 +1,183 @@
+"use strict";
+/**
+ * Cryptographic utilities for TonConnect
+ * Uses tweetnacl for signature verification
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyConnectionProof = verifyConnectionProof;
+exports.verifyTransactionSignature = verifyTransactionSignature;
+exports.generateSessionId = generateSessionId;
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const nacl = require('tweetnacl');
+/**
+ * Decode base64 string to Uint8Array
+ */
+function decodeBase64(base64) {
+    // Remove padding and convert URL-safe to standard base64
+    const cleanBase64 = base64.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = cleanBase64 + '='.repeat((4 - (cleanBase64.length % 4)) % 4);
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+    const bytes = [];
+    let buffer = 0;
+    let bitsCollected = 0;
+    for (let i = 0; i < padded.length; i++) {
+        const ch = padded[i];
+        if (ch === '=')
+            break;
+        const index = chars.indexOf(ch);
+        if (index === -1)
+            continue;
+        buffer = (buffer << 6) | index;
+        bitsCollected += 6;
+        if (bitsCollected >= 8) {
+            bitsCollected -= 8;
+            bytes.push((buffer >> bitsCollected) & 0xff);
+            buffer &= (1 << bitsCollected) - 1;
+        }
+    }
+    return new Uint8Array(bytes);
+}
+/**
+ * Get TextEncoder with fallback
+ */
+function getTextEncoder() {
+    if (typeof TextEncoder !== 'undefined') {
+        return new TextEncoder();
+    }
+    // Fallback implementation for older React Native
+    throw new Error('TextEncoder is not available. Please use React Native 0.59+ or add a polyfill.');
+}
+/**
+ * Verify connection proof signature
+ * The proof is signed by the wallet to verify authenticity
+ */
+function verifyConnectionProof(response, manifestUrl) {
+    // HIGH FIX: Log warning if proof is missing but allow for compatibility
+    if (!response.proof) {
+        console.warn('TON Connect: Connection proof missing - wallet may not support proof verification');
+        // Allow connection for compatibility, but log warning
+        return true;
+    }
+    try {
+        const { timestamp, domain, signature } = response.proof;
+        // Validate proof structure
+        if (typeof timestamp !== 'number' || !domain || typeof domain.lengthBytes !== 'number' || typeof domain.value !== 'string' || typeof signature !== 'string') {
+            return false;
+        }
+        // Build the message that was signed
+        // Format: <timestamp>.<domain_length>.<domain_value>.<address>.<publicKey>
+        const domainLength = domain.lengthBytes;
+        const message = `${timestamp}.${domainLength}.${domain.value}.${response.address}.${response.publicKey}`;
+        // Convert public key from hex to Uint8Array
+        const publicKeyBytes = hexToBytes(response.publicKey);
+        if (publicKeyBytes.length !== 32) {
+            return false;
+        }
+        // Convert signature from base64 to Uint8Array
+        const signatureBytes = decodeBase64(signature);
+        if (signatureBytes.length !== 64) {
+            return false;
+        }
+        // Verify signature using nacl
+        const encoder = getTextEncoder();
+        const messageBytes = encoder.encode(message);
+        return nacl.sign.detached.verify(messageBytes, signatureBytes, publicKeyBytes);
+    }
+    catch (error) {
+        // If verification fails, return false
+        console.error('TON Connect: Proof verification error:', error);
+        return false;
+    }
+}
+/**
+ * Verify transaction signature
+ *
+ * WARNING: This function only performs basic format validation.
+ * Full signature verification requires parsing the BOC (Bag of Cells) and
+ * verifying the signature against the transaction hash, which requires
+ * TON library integration (@ton/core or @ton/crypto).
+ *
+ * For production use, transaction signatures should be verified server-side
+ * using proper TON libraries.
+ *
+ * @returns false - Always returns false to be safe until proper implementation
+ */
+function verifyTransactionSignature(boc, signature, publicKey) {
+    // CRITICAL FIX: This function does not actually verify signatures
+    // It only checks format. For security, we return false until proper implementation.
+    try {
+        // Basic format validation
+        if (!boc || typeof boc !== 'string' || boc.length === 0) {
+            return false;
+        }
+        if (!signature || typeof signature !== 'string' || signature.length === 0) {
+            return false;
+        }
+        if (!publicKey || typeof publicKey !== 'string' || publicKey.length === 0) {
+            return false;
+        }
+        // Convert public key from hex to Uint8Array
+        const publicKeyBytes = hexToBytes(publicKey);
+        if (publicKeyBytes.length !== 32) {
+            return false;
+        }
+        // Convert signature from base64 to Uint8Array
+        const signatureBytes = decodeBase64(signature);
+        if (signatureBytes.length !== 64) {
+            return false;
+        }
+        // Convert BOC from base64 to Uint8Array
+        const bocBytes = decodeBase64(boc);
+        if (bocBytes.length === 0) {
+            return false;
+        }
+        // CRITICAL: Return false - actual signature verification requires TON library
+        // TODO: Integrate @ton/core or @ton/crypto for proper BOC parsing and signature verification
+        console.warn('TON Connect: Transaction signature verification not fully implemented. Signature format is valid but not cryptographically verified. Verify server-side using @ton/core.');
+        return false; // Fail-safe: reject until properly implemented
+    }
+    catch (error) {
+        console.error('TON Connect: Transaction signature verification error:', error);
+        return false;
+    }
+}
+/**
+ * Convert hex string to Uint8Array
+ */
+function hexToBytes(hex) {
+    // Remove 0x prefix if present
+    const cleanHex = hex.startsWith('0x') ? hex.slice(2) : hex;
+    // Handle odd-length hex strings
+    const paddedHex = cleanHex.length % 2 === 0 ? cleanHex : '0' + cleanHex;
+    const bytes = new Uint8Array(paddedHex.length / 2);
+    for (let i = 0; i < paddedHex.length; i += 2) {
+        bytes[i / 2] = parseInt(paddedHex.substr(i, 2), 16);
+    }
+    return bytes;
+}
+/**
+ * Generate cryptographically secure random bytes
+ */
+function getSecureRandomBytes(length) {
+    const bytes = new Uint8Array(length);
+    // Try to use crypto.getRandomValues (available in React Native with polyfill)
+    // eslint-disable-next-line no-undef
+    if (typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.getRandomValues) {
+        globalThis.crypto.getRandomValues(bytes);
+        return bytes;
+    }
+    // HIGH FIX: Throw error instead of using insecure Math.random()
+    throw new Error('Cryptographically secure random number generation not available. ' +
+        'Please install react-native-get-random-values or use React Native 0.59+');
+}
+/**
+ * Generate random session ID
+ */
+function generateSessionId() {
+    // HIGH FIX: Use secure random bytes
+    const bytes = getSecureRandomBytes(32);
+    // Convert to hex string
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+}

package/dist/core/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Core protocol exports
+ */
+export * from './protocol';
+export * from './crypto';

package/dist/core/index.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Core protocol exports
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./protocol"), exports);
+__exportStar(require("./crypto"), exports);

package/dist/core/protocol.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Core TonConnect protocol implementation
+ * Pure TypeScript, no platform dependencies
+ */
+import { ConnectionResponsePayload, TransactionResponsePayload, ErrorResponse, WalletInfo, SendTransactionRequest } from '../types';
+/**
+ * Encode JSON to base64 URL-safe string
+ */
+export declare function encodeBase64URL(data: unknown): string;
+/**
+ * Decode base64 URL-safe string to JSON
+ */
+export declare function decodeBase64URL<T>(encoded: string): T;
+/**
+ * Build connection request URL
+ * Format: tonconnect://connect?<base64_encoded_payload>
+ */
+export declare function buildConnectionRequest(manifestUrl: string, returnScheme: string): string;
+/**
+ * Build transaction request URL
+ * Format: tonconnect://send-transaction?<base64_encoded_payload>
+ */
+export declare function buildTransactionRequest(manifestUrl: string, request: SendTransactionRequest, returnScheme: string): string;
+/**
+ * Parse callback URL
+ * Format: <scheme>://tonconnect?<base64_encoded_response>
+ */
+export declare function parseCallbackURL(url: string, scheme: string): {
+    type: 'connect' | 'transaction' | 'error' | 'unknown';
+    data: ConnectionResponsePayload | TransactionResponsePayload | ErrorResponse | null;
+};
+/**
+ * Extract wallet info from connection response
+ */
+export declare function extractWalletInfo(response: ConnectionResponsePayload): WalletInfo;
+/**
+ * Validate connection response
+ */
+export declare function validateConnectionResponse(response: ConnectionResponsePayload): boolean;
+/**
+ * Validate transaction response
+ */
+export declare function validateTransactionResponse(response: TransactionResponsePayload): boolean;
+/**
+ * Validate transaction request
+ */
+export declare function validateTransactionRequest(request: SendTransactionRequest): {
+    valid: boolean;
+    error?: string;
+};