@cubist-labs/cubesigner-sdk 0.1.50 → 0.2.2

package/src/schema_types.ts

@@ -0,0 +1,103 @@
+import { MfaPolicy } from "./role";
+import { components } from "./schema";
+import { JsonMap } from "./util";
+
+type schemas = components["schemas"];
+
+export type UserInfo = schemas["UserInfo"];
+export type ConfiguredMfa = schemas["ConfiguredMfa"];
+export type RatchetConfig = schemas["RatchetConfig"];
+export type IdentityProof = schemas["IdentityProof"];
+export type TotpInfo = schemas["TotpInfo"];
+
+export type OidcAuthResponse = schemas["NewSessionResponse"];
+export type ApiAddFidoChallenge = schemas["FidoCreateChallengeResponse"];
+export type ApiMfaFidoChallenge = schemas["FidoAssertChallenge"];
+
+export type PublicKeyCredentialCreationOptions = schemas["PublicKeyCredentialCreationOptions"];
+export type PublicKeyCredentialRequestOptions = schemas["PublicKeyCredentialRequestOptions"];
+export type PublicKeyCredentialParameters = schemas["PublicKeyCredentialParameters"];
+export type PublicKeyCredentialDescriptor = schemas["PublicKeyCredentialDescriptor"];
+export type AuthenticatorSelectionCriteria = schemas["AuthenticatorSelectionCriteria"];
+export type PublicKeyCredentialUserEntity = schemas["PublicKeyCredentialUserEntity"];
+export type PublicKeyCredential = schemas["PublicKeyCredential"];
+
+export type OrgInfo = schemas["OrgInfo"];
+export type UserIdInfo = schemas["UserIdInfo"];
+export type UpdateOrgRequest = schemas["UpdateOrgRequest"];
+export type UpdateOrgResponse = schemas["UpdateOrgResponse"];
+
+export type OidcIdentity = schemas["OIDCIdentity"];
+export type MemberRole = schemas["MemberRole"];
+
+export type SchemaKeyType = schemas["KeyType"];
+
+export type ListKeysResponse = schemas["PaginatedListKeysResponse"];
+export type UpdateKeyRequest = schemas["UpdateKeyRequest"];
+export type KeyInfoApi = schemas["KeyInfo"];
+export type KeyInRoleInfo = schemas["KeyInRoleInfo"];
+export type UserInRoleInfo = schemas["UserInRoleInfo"];
+export type KeyTypeApi = schemas["KeyType"];
+
+export type ListRolesResponse = schemas["PaginatedListRolesResponse"];
+export type ListRoleKeysResponse = schemas["PaginatedListRoleKeysResponse"];
+export type ListRoleUsersResponse = schemas["PaginatedListRoleUsersResponse"];
+export type UpdateRoleRequest = schemas["UpdateRoleRequest"];
+export type KeyWithPoliciesInfo = schemas["KeyInRoleInfo"];
+export type RoleInfo = schemas["RoleInfo"];
+
+export type SessionInfo = schemas["SessionInfo"];
+export type ClientSessionInfo = schemas["ClientSessionInfo"];
+export type NewSessionResponse = schemas["NewSessionResponse"];
+export type SessionsResponse = schemas["PaginatedSessionsResponse"];
+
+export type CreateSignerSessionRequest = schemas["CreateTokenRequest"];
+export type RefreshSignerSessionRequest = schemas["AuthData"];
+
+export type EvmSignRequest = schemas["Eth1SignRequest"];
+export type EvmSignResponse = schemas["Eth1SignResponse"];
+export type Eth2SignRequest = schemas["Eth2SignRequest"];
+export type Eth2SignResponse = schemas["Eth2SignResponse"];
+export type Eth2StakeRequest = schemas["StakeRequest"];
+export type Eth2StakeResponse = schemas["StakeResponse"];
+export type Eth2UnstakeRequest = schemas["UnstakeRequest"];
+export type Eth2UnstakeResponse = schemas["UnstakeResponse"];
+export type BlobSignRequest = schemas["BlobSignRequest"];
+export type BlobSignResponse = schemas["BlobSignResponse"];
+export type BtcSignRequest = schemas["BtcSignRequest"];
+export type BtcSignResponse = schemas["BtcSignResponse"];
+export type SolanaSignRequest = schemas["SolanaSignRequest"];
+export type SolanaSignResponse = schemas["SolanaSignResponse"];
+export type AvaSignRequest = schemas["AvaSignRequest"];
+export type AvaSignResponse = schemas["AvaSignResponse"];
+
+export type AcceptedResponse = schemas["AcceptedResponse"];
+export type ErrorResponse = schemas["ErrorResponse"];
+export type BtcSignatureKind = schemas["BtcSignatureKind"];
+
+export type MfaType = schemas["MfaType"];
+export type MfaRequestInfo = schemas["MfaRequestInfo"];
+
+/** Options for a new OIDC user */
+export interface CreateOidcUserOptions {
+  /** The role of an OIDC user, default is "Alien" */
+  memberRole?: MemberRole;
+  /** Optional MFA policy to associate with the user account */
+  mfaPolicy?: MfaPolicy;
+}
+
+/** Ava P- or X-chain transaction */
+export type AvaTx = { P: AvaPChainTx } | { X: AvaXChainTx };
+
+/** Ava P-chain transaction */
+export type AvaPChainTx =
+  | { AddPermissionlessValidator: JsonMap }
+  | { AddSubnetValidator: JsonMap }
+  | { AddValidator: JsonMap }
+  | { CreateChain: JsonMap }
+  | { CreateSubnet: JsonMap }
+  | { Export: JsonMap }
+  | { Import: JsonMap };
+
+/** Ava X-chain transaction */
+export type AvaXChainTx = { Base: JsonMap } | { Export: JsonMap } | { Import: JsonMap };

package/src/session/session_manager.ts

@@ -1,6 +1,6 @@
 import { SessionStorage } from "..";
 import { EnvInterface } from "../env";
-import { paths, Client } from "../client";
+import { Client, paths } from "../client";
 import createClient from "openapi-fetch";
 
 const DEFAULT_EXPIRATION_BUFFER_SECS = 30;
@@ -98,7 +98,7 @@ export abstract class SessionManager<U> {
    * @return {boolean} True if the timestamp has expired
    */
   protected hasExpired(exp: number, buffer?: number): boolean {
-    return exp < new Date().getTime() / 1000 + (buffer || DEFAULT_EXPIRATION_BUFFER_SECS);
+    return exp < new Date().getTime() + (buffer || DEFAULT_EXPIRATION_BUFFER_SECS) * 1000;
   }
 
   /**

package/src/session/session_storage.ts

@@ -44,7 +44,7 @@ export class MemorySessionStorage<U> implements SessionStorage<U> {
 
 /** Stores session information in a JSON file */
 export class JsonFileSessionStorage<U> implements SessionStorage<U> {
-  #filePath: string;
+  readonly #filePath: string;
 
   /**
    * Store session information.

package/src/session/signer_session_manager.ts

@@ -1,16 +1,13 @@
-import { CubeSigner, EnvInterface } from "..";
-import { assertOk } from "../util";
-import { components, paths, Client } from "../client";
+import { EnvInterface } from "..";
+import {
+  ClientSessionInfo,
+  NewSessionResponse,
+  RefreshSignerSessionRequest,
+} from "../schema_types";
+import { Client } from "../client";
 import { HasEnv, OrgSessionManager } from "./session_manager";
 import { MemorySessionStorage, SessionStorage } from "./session_storage";
-
-export type ClientSessionInfo = components["schemas"]["ClientSessionInfo"];
-export type NewSessionResponse = components["schemas"]["NewSessionResponse"];
-
-export type CreateSignerSessionRequest =
-  paths["/v0/org/{org_id}/roles/{role_id}/tokens"]["post"]["requestBody"]["content"]["application/json"];
-export type RefreshSignerSessionRequest =
-  paths["/v1/org/{org_id}/token/refresh"]["patch"]["requestBody"]["content"]["application/json"];
+import { assertOk } from "../util";
 
 /** JSON representation of our "signer session" file format */
 export interface SignerSessionObject {
@@ -38,17 +35,12 @@ export interface SignerSessionLifetime {
   auth: number;
   /** Refresh token lifetime (in seconds). Defaults to one day (86400). */
   refresh?: number;
+  /** Grace lifetime (in seconds). Defaults to 30 seconds (30). */
+  grace?: number;
 }
 
-const defaultSignerSessionLifetime: SignerSessionLifetime = {
-  session: 604800,
-  auth: 300,
-  refresh: 86400,
-};
-
 /** Manager for signer sessions. */
 export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
-  readonly cs?: CubeSigner;
   #client: Client;
 
   /**
@@ -61,29 +53,27 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
   }
 
   /**
-   * Returns a client with the current session and refreshes the current
-   * session. May **UPDATE/MUTATE** self.
+   * Refreshes the current session if needed, then returns a client using the current session.
+   *
+   * May **UPDATE/MUTATE** self.
    */
   async client(): Promise<Client> {
     await this.refreshIfNeeded();
     return this.#client;
   }
 
+  /**
+   * @return {Client} A client using the current session (without attempting to refresh it).
+   */
+  clientNoRefresh(): Client {
+    return this.#client;
+  }
+
   /** Revokes the session. */
   async revoke(): Promise<void> {
-    if (!this.cs) {
-      throw new Error("No management session available");
-    }
-    const session = await this.storage.retrieve();
-    const resp = await (
-      await this.cs.management()
-    ).del("/v0/org/{org_id}/session/{session_id}", {
-      params: {
-        path: {
-          org_id: session.org_id,
-          session_id: session.session_info.session_id,
-        },
-      },
+    const client = await this.client();
+    const resp = await client.del("/v0/org/{org_id}/session/self", {
+      params: { path: { org_id: this.orgId } },
       parseAs: "json",
     });
     assertOk(resp);
@@ -96,17 +86,18 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
    */
   async isStale(): Promise<boolean> {
     const session = await this.storage.retrieve();
-    return this.hasExpired(session.session_info.auth_token_exp);
+    return this.hasExpired(session.session_info.auth_token_exp * 1000);
   }
 
   /**
    * Refreshes the session and **UPDATES/MUTATES** self.
    */
   async refresh(): Promise<void> {
-    const session = await this.storage.retrieve();
-    const csi = session.session_info;
+    const currSession = await this.storage.retrieve();
+
+    const csi = currSession.session_info;
     const resp = await this.#client.patch("/v1/org/{org_id}/token/refresh", {
-      params: { path: { org_id: session.org_id } },
+      params: { path: { org_id: this.orgId } },
       body: <RefreshSignerSessionRequest>{
         epoch_num: csi.epoch,
         epoch_token: csi.epoch_token,
@@ -115,62 +106,14 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
       parseAs: "json",
     });
     const data = assertOk(resp);
-    await this.storage.save(<SignerSessionData>{
-      ...session,
+    const newSession = <SignerSessionData>{
+      ...currSession,
       session_info: data.session_info,
       token: data.token,
-    });
-    this.#client = this.createClient(data.token);
-  }
-
-  /**
-   * Create a new signer session.
-   * @param {CubeSigner} cs The CubeSigner instance
-   * @param {SignerSessionStorage} storage The session storage to use
-   * @param {string} orgId Org ID
-   * @param {string} roleId Role ID
-   * @param {string} purpose The purpose of the session
-   * @param {SignerSessionLifetime} ttl Lifetime settings
-   * @return {Promise<SignerSessionManager>} New signer session
-   */
-  static async create(
-    cs: CubeSigner,
-    storage: SignerSessionStorage,
-    orgId: string,
-    roleId: string,
-    purpose: string,
-    ttl?: SignerSessionLifetime,
-  ): Promise<SignerSessionManager> {
-    const resp = await (
-      await cs.management()
-    ).post("/v0/org/{org_id}/roles/{role_id}/tokens", {
-      params: { path: { org_id: orgId, role_id: roleId } },
-      body: {
-        purpose,
-        auth_lifetime: ttl?.auth || defaultSignerSessionLifetime.auth,
-        refresh_lifetime: ttl?.refresh || defaultSignerSessionLifetime.refresh,
-        session_lifetime: ttl?.session || defaultSignerSessionLifetime.session,
-      },
-      parseAs: "json",
-    });
-    const data = assertOk(resp);
-    const session_info = data.session_info;
-    if (!session_info) {
-      throw new Error("Signer session info missing");
-    }
-    const sessionData = {
-      org_id: orgId,
-      role_id: roleId,
-      purpose,
-      token: data.token,
-      session_info,
-      // Keep compatibility with tokens produced by CLI
-      env: {
-        ["Dev-CubeSignerStack"]: cs.env,
-      },
     };
-    await storage.save(sessionData);
-    return new SignerSessionManager(sessionData, storage, cs);
+
+    await this.storage.save(newSession);
+    this.#client = this.createClient(newSession.token);
   }
 
   /**
@@ -202,36 +145,23 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
 
   /**
    * Uses an existing session to create a new signer session manager.
+   *
    * @param {SignerSessionStorage} storage The session storage to use
-   * @param {CubeSigner} cs Optional CubeSigner instance.
-   *    Currently used for token revocation; will be completely removed
-   *    since token revocation should not require management session.
    * @return {Promise<SingerSession>} New signer session manager
    */
-  static async loadFromStorage(
-    storage: SignerSessionStorage,
-    cs?: CubeSigner,
-  ): Promise<SignerSessionManager> {
+  static async loadFromStorage(storage: SignerSessionStorage): Promise<SignerSessionManager> {
     const session = await storage.retrieve();
-    return new SignerSessionManager(session, storage, cs);
+    return new SignerSessionManager(session, storage);
   }
 
   /**
    * Constructor.
+   *
    * @param {SignerSessionData} sessionData Session data
    * @param {SignerSessionStorage} storage The session storage to use
-   * @param {CubeSigner} cs Optional CubeSigner instance.
-   *    Currently used for token revocation; will be completely removed
-   *    since token revocation should not require management session.
-   * @internal
    */
-  private constructor(
-    sessionData: SignerSessionData,
-    storage: SignerSessionStorage,
-    cs?: CubeSigner,
-  ) {
+  constructor(sessionData: SignerSessionData, storage: SignerSessionStorage) {
     super(sessionData.env["Dev-CubeSignerStack"], sessionData.org_id, storage);
-    this.cs = cs;
     this.#client = this.createClient(sessionData.token);
   }
 }