@cartridge/controller 0.13.5 → 0.13.7

package/src/lookup.ts

@@ -1,8 +1,43 @@
-import { LookupRequest, LookupResponse } from "./types";
-import { num } from "starknet";
+import {
+  AuthOption,
+  HeadlessUsernameLookupResult,
+  IMPLEMENTED_AUTH_OPTIONS,
+  LookupRequest,
+  LookupResponse,
+} from "./types";
+import { constants, num } from "starknet";
 import { API_URL } from "./constants";
 
 const cache = new Map<string, string>();
+const QUERY_URL = `${API_URL}/query`;
+
+type LookupSigner = {
+  isOriginal: boolean;
+  isRevoked: boolean;
+  metadata: {
+    __typename: string;
+    eip191?: Array<{
+      provider: string;
+      ethAddress: string;
+    }> | null;
+  };
+};
+
+type LookupSignersQueryResponse = {
+  data?: {
+    account?: {
+      username: string;
+      controllers?: {
+        edges?: Array<{
+          node?: {
+            signers?: LookupSigner[] | null;
+          } | null;
+        } | null> | null;
+      } | null;
+    } | null;
+  };
+  errors?: Array<{ message?: string }>;
+};
 
 async function lookup(request: LookupRequest): Promise<LookupResponse> {
   if (!request.addresses?.length && !request.usernames?.length) {
@@ -24,6 +59,139 @@ async function lookup(request: LookupRequest): Promise<LookupResponse> {
   return response.json();
 }
 
+async function queryLookupSigners(
+  username: string,
+): Promise<LookupSignersQueryResponse> {
+  const response = await fetch(QUERY_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({
+      query: `
+        query LookupSigners($username: String!) {
+          account(username: $username) {
+            username
+            controllers(first: 1) {
+              edges {
+                node {
+                  signers {
+                    isOriginal
+                    isRevoked
+                    metadata {
+                      __typename
+                      ... on Eip191Credentials {
+                        eip191 {
+                          provider
+                          ethAddress
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      `,
+      variables: { username },
+    }),
+  });
+
+  if (!response.ok) {
+    throw new Error(`HTTP error! status: ${response.status}`);
+  }
+
+  return response.json();
+}
+
+function normalizeProvider(provider: string): AuthOption | undefined {
+  const normalized = provider.toLowerCase() as AuthOption;
+  if (!HEADLESS_AUTH_OPTIONS.includes(normalized)) {
+    return undefined;
+  }
+  return normalized;
+}
+
+const HEADLESS_AUTH_OPTIONS: AuthOption[] = [
+  "google",
+  "webauthn",
+  "discord",
+  "walletconnect",
+  "password",
+  "metamask",
+  "rabby",
+  "phantom-evm",
+].filter((option) => IMPLEMENTED_AUTH_OPTIONS.includes(option));
+
+function normalizeSignerOptions(
+  signers: LookupSigner[] | undefined,
+  chainId: string,
+): AuthOption[] {
+  if (!signers || signers.length === 0) {
+    return [];
+  }
+
+  const isMainnet = chainId === constants.StarknetChainId.SN_MAIN;
+  const available = signers.filter(
+    (signer) => !signer.isRevoked && (isMainnet || signer.isOriginal),
+  );
+
+  const signerSet = new Set<AuthOption>();
+  for (const signer of available) {
+    switch (signer.metadata.__typename) {
+      case "WebauthnCredentials":
+        signerSet.add("webauthn");
+        break;
+      case "PasswordCredentials":
+        signerSet.add("password");
+        break;
+      case "Eip191Credentials":
+        signer.metadata.eip191?.forEach((entry) => {
+          const provider = normalizeProvider(entry.provider);
+          if (provider) {
+            signerSet.add(provider);
+          }
+        });
+        break;
+      default:
+        break;
+    }
+  }
+
+  return HEADLESS_AUTH_OPTIONS.filter((option) => signerSet.has(option));
+}
+
+export async function lookupUsername(
+  username: string,
+  chainId: string,
+): Promise<HeadlessUsernameLookupResult> {
+  const response = await queryLookupSigners(username);
+  if (response.errors?.length) {
+    throw new Error(response.errors[0].message || "Lookup query failed");
+  }
+
+  const account = response.data?.account;
+  if (!account) {
+    return {
+      username,
+      exists: false,
+      signers: [],
+    };
+  }
+
+  const controller = account.controllers?.edges?.[0]?.node;
+  const signers = normalizeSignerOptions(
+    controller?.signers ?? undefined,
+    chainId,
+  );
+  return {
+    username: account.username,
+    exists: true,
+    signers,
+  };
+}
+
 export async function lookupUsernames(
   usernames: string[],
 ): Promise<Map<string, string>> {

package/src/session/provider.ts

@@ -4,14 +4,14 @@ import {
   signerToGuid,
   subscribeCreateSession,
 } from "@cartridge/controller-wasm";
-import { SessionPolicies } from "@cartridge/presets";
+import { loadConfig, SessionPolicies } from "@cartridge/presets";
 import { AddStarknetChainParameters } from "@starknet-io/types-js";
 import { encode } from "starknet";
 import { API_URL, KEYCHAIN_URL } from "../constants";
-import { ParsedSessionPolicies } from "../policies";
+import { parsePolicies, ParsedSessionPolicies } from "../policies";
 import BaseProvider from "../provider";
 import { AuthOptions } from "../types";
-import { toWasmPolicies } from "../utils";
+import { getPresetSessionPolicies, toWasmPolicies } from "../utils";
 import SessionAccount from "./account";
 
 interface SessionRegistration {
@@ -29,7 +29,9 @@ interface SessionRegistration {
 export type SessionOptions = {
   rpc: string;
   chainId: string;
-  policies: SessionPolicies;
+  policies?: SessionPolicies;
+  preset?: string;
+  shouldOverridePresetPolicies?: boolean;
   redirectUrl: string;
   disconnectRedirectUrl?: string;
   keychainUrl?: string;
@@ -47,10 +49,12 @@ export default class SessionProvider extends BaseProvider {
   protected _redirectUrl: string;
   protected _disconnectRedirectUrl?: string;
   protected _policies: ParsedSessionPolicies;
+  protected _preset?: string;
+  private _ready: Promise<void>;
   protected _keychainUrl: string;
   protected _apiUrl: string;
-  protected _publicKey: string;
-  protected _sessionKeyGuid: string;
+  protected _publicKey!: string;
+  protected _sessionKeyGuid!: string;
   protected _signupOptions?: AuthOptions;
   public reopenBrowser: boolean = true;
 
@@ -58,6 +62,8 @@ export default class SessionProvider extends BaseProvider {
     rpc,
     chainId,
     policies,
+    preset,
+    shouldOverridePresetPolicies,
     redirectUrl,
     disconnectRedirectUrl,
     keychainUrl,
@@ -66,27 +72,27 @@ export default class SessionProvider extends BaseProvider {
   }: SessionOptions) {
     super();
 
-    this._policies = {
-      verified: false,
-      contracts: policies.contracts
-        ? Object.fromEntries(
-            Object.entries(policies.contracts).map(([address, contract]) => [
-              address,
-              {
-                ...contract,
-                methods: contract.methods.map((method) => ({
-                  ...method,
-                  authorized: true,
-                })),
-              },
-            ]),
-          )
-        : undefined,
-      messages: policies.messages?.map((message) => ({
-        ...message,
-        authorized: true,
-      })),
-    };
+    if (!policies && !preset) {
+      throw new Error("Either `policies` or `preset` must be provided");
+    }
+
+    // Policy precedence logic (matching ControllerProvider):
+    // 1. If shouldOverridePresetPolicies is true and policies are provided, use policies
+    // 2. Otherwise, if preset is defined, resolve policies from preset
+    // 3. Otherwise, use provided policies
+    if ((!preset || shouldOverridePresetPolicies) && policies) {
+      this._policies = parsePolicies(policies);
+    } else {
+      this._preset = preset;
+      if (policies) {
+        console.warn(
+          "[Controller] Both `preset` and `policies` provided to SessionProvider. " +
+            "Policies are ignored when preset is set. " +
+            "Use `shouldOverridePresetPolicies: true` to override.",
+        );
+      }
+      this._policies = { verified: false };
+    }
 
     this._rpcUrl = rpc;
     this._chainId = chainId;
@@ -96,6 +102,33 @@ export default class SessionProvider extends BaseProvider {
     this._apiUrl = apiUrl ?? API_URL;
     this._signupOptions = signupOptions;
 
+    // Eagerly start async init: resolve preset policies (if any),
+    // then try to restore an existing session from storage.
+    // All public async methods await this before proceeding.
+    this._ready = this._init();
+
+    if (typeof window !== "undefined") {
+      (window as any).starknet_controller_session = this;
+    }
+  }
+
+  private async _init(): Promise<void> {
+    if (this._preset) {
+      const config = await loadConfig(this._preset);
+      if (!config) {
+        throw new Error(`Failed to load preset: ${this._preset}`);
+      }
+
+      const sessionPolicies = getPresetSessionPolicies(config, this._chainId);
+      if (!sessionPolicies) {
+        throw new Error(
+          `No policies found for chain ${this._chainId} in preset ${this._preset}`,
+        );
+      }
+
+      this._policies = parsePolicies(sessionPolicies);
+    }
+
     const account = this.tryRetrieveFromQueryOrStorage();
     if (!account) {
       const pk = stark.randomAddress();
@@ -125,10 +158,6 @@ export default class SessionProvider extends BaseProvider {
         starknet: { privateKey: encode.addHexPrefix(jsonPk.privKey) },
       });
     }
-
-    if (typeof window !== "undefined") {
-      (window as any).starknet_controller_session = this;
-    }
   }
 
   private validatePoliciesSubset(
@@ -218,25 +247,18 @@ export default class SessionProvider extends BaseProvider {
   }
 
   async username() {
-    await this.tryRetrieveFromQueryOrStorage();
+    await this._ready;
     return this._username;
   }
 
   async probe(): Promise<WalletAccount | undefined> {
-    if (this.account) {
-      return this.account;
-    }
-
-    this.account = this.tryRetrieveFromQueryOrStorage();
+    await this._ready;
     return this.account;
   }
 
   async connect(): Promise<WalletAccount | undefined> {
-    if (this.account) {
-      return this.account;
-    }
+    await this._ready;
 
-    this.account = this.tryRetrieveFromQueryOrStorage();
     if (this.account) {
       return this.account;
     }
@@ -259,13 +281,18 @@ export default class SessionProvider extends BaseProvider {
         this._sessionKeyGuid = signerToGuid({
           starknet: { privateKey: encode.addHexPrefix(pk) },
         });
-        let url = `${
-          this._keychainUrl
-        }/session?public_key=${this._publicKey}&redirect_uri=${
-          this._redirectUrl
-        }&redirect_query_name=startapp&policies=${JSON.stringify(
-          this._policies,
-        )}&rpc_url=${this._rpcUrl}`;
+        let url =
+          `${this._keychainUrl}` +
+          `/session?public_key=${this._publicKey}` +
+          `&redirect_uri=${this._redirectUrl}` +
+          `&redirect_query_name=startapp` +
+          `&rpc_url=${this._rpcUrl}`;
+
+        if (this._preset) {
+          url += `&preset=${encodeURIComponent(this._preset)}`;
+        } else {
+          url += `&policies=${encodeURIComponent(JSON.stringify(this._policies))}`;
+        }
 
         if (this._signupOptions) {
           url += `&signers=${encodeURIComponent(JSON.stringify(this._signupOptions))}`;

package/src/types.ts

@@ -120,6 +120,12 @@ export interface LookupResponse {
   results: LookupResult[];
 }
 
+export interface HeadlessUsernameLookupResult {
+  username: string;
+  exists: boolean;
+  signers: AuthOption[];
+}
+
 export enum FeeSource {
   PAYMASTER = "PAYMASTER",
   CREDITS = "CREDITS",

package/src/utils.ts

@@ -48,6 +48,19 @@ export function normalizeCalls(calls: Call | Call[]) {
   });
 }
 
+export function getPresetSessionPolicies(
+  config: Record<string, unknown>,
+  chainId: string,
+): SessionPolicies | undefined {
+  const decodedChainId = shortString.decodeShortString(chainId);
+  const chains = config.chains as
+    | Record<string, Record<string, unknown>>
+    | undefined;
+  const chainConfig = chains?.[decodedChainId];
+  if (!chainConfig?.policies) return undefined;
+  return toSessionPolicies(chainConfig.policies as Policies);
+}
+
 export function toSessionPolicies(policies: Policies): SessionPolicies {
   return Array.isArray(policies)
     ? policies.reduce<SessionPolicies>(
@@ -92,9 +105,10 @@ export function toSessionPolicies(policies: Policies): SessionPolicies {
 /**
  * Converts parsed session policies to WASM-compatible Policy objects.
  *
- * IMPORTANT: Policies are sorted canonically before hashing. Without this,
- * Object.keys/entries reordering can cause identical policies to produce
- * different merkle roots, leading to "session/not-registered" errors.
+ * IMPORTANT: Policies are sorted canonically and addresses are normalized
+ * via getChecksumAddress before hashing. Without this, Object.keys/entries
+ * reordering or inconsistent address casing can cause identical policies to
+ * produce different merkle roots, leading to "session/not-registered" errors.
  * See: https://github.com/cartridge-gg/controller/issues/2357
  */
 export function toWasmPolicies(policies: ParsedSessionPolicies): Policy[] {
@@ -110,7 +124,7 @@ export function toWasmPolicies(policies: ParsedSessionPolicies): Policy[] {
             if (m.entrypoint === "approve") {
               if ("spender" in m && "amount" in m && m.spender && m.amount) {
                 const approvalPolicy: ApprovalPolicy = {
-                  target,
+                  target: getChecksumAddress(target),
                   spender: m.spender,
                   amount: String(m.amount),
                 };
@@ -127,7 +141,7 @@ export function toWasmPolicies(policies: ParsedSessionPolicies): Policy[] {
 
             // For non-approve methods and legacy approve, create a regular CallPolicy
             return {
-              target,
+              target: getChecksumAddress(target),
               method: hash.getSelectorFromName(m.entrypoint),
               authorized: !!m.authorized,
             };