@cartridge/controller 0.5.8 → 0.6.0

package/src/policies.ts

@@ -0,0 +1,49 @@
+import {
+  ContractPolicy,
+  Method,
+  SessionPolicies,
+  SignMessagePolicy,
+} from "@cartridge/presets";
+
+export type ParsedSessionPolicies = {
+  verified: boolean;
+  contracts?: SessionContracts;
+  messages?: SessionMessages;
+};
+
+export type SessionContracts = Record<
+  string,
+  Omit<ContractPolicy, "methods"> & {
+    methods: (Method & { authorized?: boolean })[];
+  }
+>;
+
+export type SessionMessages = (SignMessagePolicy & {
+  authorized?: boolean;
+})[];
+
+export function parsePolicies(
+  policies: SessionPolicies,
+): ParsedSessionPolicies {
+  return {
+    verified: false,
+    contracts: policies.contracts
+      ? Object.fromEntries(
+          Object.entries(policies.contracts).map(([address, contract]) => [
+            address,
+            {
+              ...contract,
+              methods: contract.methods.map((method) => ({
+                ...method,
+                authorized: true,
+              })),
+            },
+          ]),
+        )
+      : undefined,
+    messages: policies.messages?.map((message) => ({
+      ...message,
+      authorized: true,
+    })),
+  };
+}

package/src/provider.ts

@@ -16,6 +16,9 @@ import {
 import manifest from "../package.json";
 
 import { icon } from "./icon";
+import { Mutex } from "./mutex";
+
+const mutex = new Mutex();
 
 export default abstract class BaseProvider implements StarknetWindowObject {
   public id = "controller";
@@ -26,10 +29,37 @@ export default abstract class BaseProvider implements StarknetWindowObject {
   public account?: WalletAccount;
   public subscriptions: WalletEvents[] = [];
 
+  private _probePromise: Promise<WalletAccount | undefined> | null = null;
+
+  protected async safeProbe(): Promise<WalletAccount | undefined> {
+    // If we already have an account, return it
+    if (this.account) {
+      return this.account;
+    }
+
+    // If we're already probing, wait for the existing probe
+    if (this._probePromise) {
+      return this._probePromise;
+    }
+
+    const release = await mutex.obtain();
+    return await new Promise<WalletAccount | undefined>(async (resolve) => {
+      try {
+        this._probePromise = this.probe();
+        const result = await this._probePromise;
+        resolve(result);
+      } finally {
+        this._probePromise = null;
+      }
+    }).finally(() => {
+      release();
+    });
+  }
+
   request: RequestFn = async (call) => {
     switch (call.type) {
       case "wallet_getPermissions":
-        await this.probe();
+        await this.safeProbe();
 
         if (this.account) {
           return [Permission.ACCOUNTS];
@@ -45,7 +75,8 @@ export default abstract class BaseProvider implements StarknetWindowObject {
         const silentMode =
           call.params && (call.params as RequestAccountsParameters).silent_mode;
 
-        this.account = await this.probe();
+        this.account = await this.safeProbe();
+
         if (!this.account && !silentMode) {
           this.account = await this.connect();
         }

package/src/session/account.ts

@@ -33,6 +33,7 @@ export default class SessionAccount extends WalletAccount {
   ) {
     super({ nodeUrl: rpcUrl }, provider);
 
+    this.address = address;
     this.controller = CartridgeSessionAccount.new_as_registered(
       rpcUrl,
       privateKey,

package/src/session/provider.ts

@@ -6,6 +6,7 @@ import BaseProvider from "../provider";
 import { toWasmPolicies } from "../utils";
 import { SessionPolicies } from "@cartridge/presets";
 import { AddStarknetChainParameters } from "@starknet-io/types-js";
+import { ParsedSessionPolicies } from "../policies";
 
 interface SessionRegistration {
   username: string;
@@ -20,6 +21,7 @@ export type SessionOptions = {
   chainId: string;
   policies: SessionPolicies;
   redirectUrl: string;
+  keychainUrl?: string;
 };
 
 export default class SessionProvider extends BaseProvider {
@@ -30,39 +32,110 @@ export default class SessionProvider extends BaseProvider {
   protected _rpcUrl: string;
   protected _username?: string;
   protected _redirectUrl: string;
-  protected _policies: SessionPolicies;
+  protected _policies: ParsedSessionPolicies;
+  protected _keychainUrl: string;
 
-  constructor({ rpc, chainId, policies, redirectUrl }: SessionOptions) {
+  constructor({
+    rpc,
+    chainId,
+    policies,
+    redirectUrl,
+    keychainUrl,
+  }: SessionOptions) {
     super();
 
+    this._policies = {
+      verified: false,
+      contracts: policies.contracts
+        ? Object.fromEntries(
+            Object.entries(policies.contracts).map(([address, contract]) => [
+              address,
+              {
+                ...contract,
+                methods: contract.methods.map((method) => ({
+                  ...method,
+                  authorized: true,
+                })),
+              },
+            ]),
+          )
+        : undefined,
+      messages: policies.messages?.map((message) => ({
+        ...message,
+        authorized: true,
+      })),
+    };
+
     this._rpcUrl = rpc;
     this._chainId = chainId;
     this._redirectUrl = redirectUrl;
-    this._policies = policies;
+    this._keychainUrl = keychainUrl || KEYCHAIN_URL;
 
     if (typeof window !== "undefined") {
       (window as any).starknet_controller_session = this;
     }
   }
 
+  private validatePoliciesSubset(
+    newPolicies: ParsedSessionPolicies,
+    existingPolicies: ParsedSessionPolicies,
+  ): boolean {
+    if (newPolicies.contracts) {
+      if (!existingPolicies.contracts) return false;
+
+      for (const [address, contract] of Object.entries(newPolicies.contracts)) {
+        const existingContract = existingPolicies.contracts[address];
+        if (!existingContract) return false;
+
+        for (const method of contract.methods) {
+          const existingMethod = existingContract.methods.find(
+            (m) => m.entrypoint === method.entrypoint,
+          );
+          if (!existingMethod || !existingMethod.authorized) return false;
+        }
+      }
+    }
+
+    if (newPolicies.messages) {
+      if (!existingPolicies.messages) return false;
+
+      for (const message of newPolicies.messages) {
+        const existingMessage = existingPolicies.messages.find(
+          (m) =>
+            JSON.stringify(m.domain) === JSON.stringify(message.domain) &&
+            JSON.stringify(m.types) === JSON.stringify(message.types),
+        );
+        if (!existingMessage || !existingMessage.authorized) return false;
+      }
+    }
+
+    return true;
+  }
+
   async username() {
     await this.tryRetrieveFromQueryOrStorage();
     return this._username;
   }
 
   async probe(): Promise<WalletAccount | undefined> {
-    await this.tryRetrieveFromQueryOrStorage();
-    return;
+    if (this.account) {
+      return this.account;
+    }
+
+    this.account = await this.tryRetrieveFromQueryOrStorage();
+    return this.account;
   }
 
   async connect(): Promise<WalletAccount | undefined> {
-    await this.tryRetrieveFromQueryOrStorage();
+    if (this.account) {
+      return this.account;
+    }
 
+    this.account = await this.tryRetrieveFromQueryOrStorage();
     if (this.account) {
-      return;
+      return this.account;
     }
 
-    // Generate a random local key pair
     const pk = stark.randomAddress();
     const publicKey = ec.starkCurve.getStarkKey(pk);
 
@@ -74,7 +147,11 @@ export default class SessionProvider extends BaseProvider {
       }),
     );
 
-    const url = `${KEYCHAIN_URL}/session?public_key=${publicKey}&redirect_uri=${
+    localStorage.setItem("sessionPolicies", JSON.stringify(this._policies));
+
+    const url = `${
+      this._keychainUrl
+    }/session?public_key=${publicKey}&redirect_uri=${
       this._redirectUrl
     }&redirect_query_name=startapp&policies=${JSON.stringify(
       this._policies,
@@ -83,7 +160,7 @@ export default class SessionProvider extends BaseProvider {
     localStorage.setItem("lastUsedConnector", this.id);
     window.open(url, "_blank");
 
-    return;
+    return this.account;
   }
 
   switchStarknetChain(_chainId: string): Promise<boolean> {
@@ -97,12 +174,17 @@ export default class SessionProvider extends BaseProvider {
   disconnect(): Promise<void> {
     localStorage.removeItem("sessionSigner");
     localStorage.removeItem("session");
+    localStorage.removeItem("sessionPolicies");
     this.account = undefined;
     this._username = undefined;
     return Promise.resolve();
   }
 
   async tryRetrieveFromQueryOrStorage() {
+    if (this.account) {
+      return this.account;
+    }
+
     const signerString = localStorage.getItem("sessionSigner");
     const signer = signerString ? JSON.parse(signerString) : null;
     let sessionRegistration: SessionRegistration | null = null;
@@ -135,6 +217,47 @@ export default class SessionProvider extends BaseProvider {
       return;
     }
 
+    // Check expiration
+    const expirationTime = parseInt(sessionRegistration.expiresAt) * 1000;
+    console.log("Session expiration check:", {
+      expirationTime,
+      currentTime: Date.now(),
+      expired: Date.now() >= expirationTime,
+    });
+    if (Date.now() >= expirationTime) {
+      console.log("Session expired, clearing stored session");
+      this.clearStoredSession();
+      return;
+    }
+
+    // Check stored policies
+    const storedPoliciesStr = localStorage.getItem("sessionPolicies");
+    console.log("Checking stored policies:", {
+      storedPoliciesStr,
+      currentPolicies: this._policies,
+    });
+    if (storedPoliciesStr) {
+      const storedPolicies = JSON.parse(
+        storedPoliciesStr,
+      ) as ParsedSessionPolicies;
+
+      const isValid = this.validatePoliciesSubset(
+        this._policies,
+        storedPolicies,
+      );
+      console.log("Policy validation result:", {
+        isValid,
+        storedPolicies,
+        requestedPolicies: this._policies,
+      });
+
+      if (!isValid) {
+        console.log("Policy validation failed, clearing stored session");
+        this.clearStoredSession();
+        return;
+      }
+    }
+
     this._username = sessionRegistration.username;
     this.account = new SessionAccount(this, {
       rpcUrl: this._rpcUrl,
@@ -148,4 +271,10 @@ export default class SessionProvider extends BaseProvider {
 
     return this.account;
   }
+
+  private clearStoredSession(): void {
+    localStorage.removeItem("sessionSigner");
+    localStorage.removeItem("session");
+    localStorage.removeItem("sessionPolicies");
+  }
 }

package/src/telegram/provider.ts

@@ -12,6 +12,7 @@ import BaseProvider from "../provider";
 import { toWasmPolicies } from "../utils";
 import { SessionPolicies } from "@cartridge/presets";
 import { AddStarknetChainParameters } from "@starknet-io/types-js";
+import { ParsedSessionPolicies, parsePolicies } from "../policies";
 
 interface SessionRegistration {
   username: string;
@@ -25,7 +26,7 @@ export default class TelegramProvider extends BaseProvider {
   private _tmaUrl: string;
   protected _chainId: string;
   protected _username?: string;
-  protected _policies: SessionPolicies;
+  protected _policies: ParsedSessionPolicies;
   private _rpcUrl: string;
 
   constructor({
@@ -44,7 +45,7 @@ export default class TelegramProvider extends BaseProvider {
     this._rpcUrl = rpc;
     this._tmaUrl = tmaUrl;
     this._chainId = chainId;
-    this._policies = policies;
+    this._policies = parsePolicies(policies);
 
     if (typeof window !== "undefined") {
       (window as any).starknet_controller = this;

package/src/utils.ts

@@ -2,13 +2,17 @@ import {
   addAddressPadding,
   Call,
   CallData,
+  constants,
   getChecksumAddress,
   hash,
+  shortString,
   typedData,
   TypedDataRevision,
 } from "starknet";
 import wasm from "@cartridge/account-wasm/controller";
 import { Policies, SessionPolicies } from "@cartridge/presets";
+import { ChainId } from "@starknet-io/types-js";
+import { ParsedSessionPolicies } from "./policies";
 
 // Whitelist of allowed property names to prevent prototype pollution
 const ALLOWED_PROPERTIES = new Set([
@@ -85,13 +89,14 @@ export function toSessionPolicies(policies: Policies): SessionPolicies {
     : policies;
 }
 
-export function toWasmPolicies(policies: SessionPolicies): wasm.Policy[] {
+export function toWasmPolicies(policies: ParsedSessionPolicies): wasm.Policy[] {
   return [
     ...Object.entries(policies.contracts ?? {}).flatMap(
       ([target, { methods }]) =>
         toArray(methods).map((m) => ({
           target,
           method: m.entrypoint,
+          authorized: m.authorized,
         })),
     ),
     ...(policies.messages ?? []).map((p) => {
@@ -109,6 +114,7 @@ export function toWasmPolicies(policies: SessionPolicies): wasm.Policy[] {
 
       return {
         scope_hash: hash.computePoseidonHash(domainHash, typeHash),
+        authorized: p.authorized,
       };
     }),
   ];
@@ -129,3 +135,28 @@ export function humanizeString(str: string): string {
       .replace(/^\w/, (c) => c.toUpperCase())
   );
 }
+
+export function parseChainId(url: URL): ChainId {
+  const parts = url.pathname.split("/");
+
+  if (parts.includes("starknet")) {
+    if (parts.includes("mainnet")) {
+      return constants.StarknetChainId.SN_MAIN;
+    } else if (parts.includes("sepolia")) {
+      return constants.StarknetChainId.SN_SEPOLIA;
+    }
+  } else if (parts.length >= 3) {
+    const projectName = parts[2];
+    if (parts.includes("katana")) {
+      return shortString.encodeShortString(
+        `WP_${projectName.toUpperCase().replace(/-/g, "_")}`,
+      ) as ChainId;
+    } else if (parts.includes("mainnet")) {
+      return shortString.encodeShortString(
+        `GG_${projectName.toUpperCase().replace(/-/g, "_")}`,
+      ) as ChainId;
+    }
+  }
+
+  throw new Error(`Chain ${url.toString()} not supported`);
+}

package/tsconfig.json

@@ -5,8 +5,7 @@
     "rootDir": ".",
     "outDir": "./dist",
     "composite": false,
-    "incremental": false,
-    "moduleResolution": "node"
+    "incremental": false
   },
   "include": ["src/**/*", "package.json"]
 }