@cubist-labs/cubesigner-sdk 0.1.77 → 0.2.15

package/src/key.ts

@@ -1,6 +1,6 @@
-import { CubeSigner, KeyPolicy } from ".";
-import { components } from "./client";
-import { assertOk } from "./util";
+import { KeyPolicy } from "./role";
+import { KeyInfoApi, KeyTypeApi, UpdateKeyRequest, SchemaKeyType } from "./schema_types";
+import { CubeSignerClient } from "./client";
 
 /** Secp256k1 key type */
 export enum Secp256k1 {
@@ -37,13 +37,6 @@ export type Stark = typeof Stark;
 /** Key type */
 export type KeyType = Secp256k1 | Bls | Ed25519 | Mnemonic | Stark;
 
-/** Schema key type (i.e., key type at the API level) */
-type SchemaKeyType = components["schemas"]["KeyType"];
-
-type UpdateKeyRequest = components["schemas"]["UpdateKeyRequest"];
-type KeyInfoApi = components["schemas"]["KeyInfo"];
-type KeyTypeApi = components["schemas"]["KeyType"];
-
 /** Additional properties (for backward compatibility) */
 export interface KeyInfo extends KeyInfoApi {
   /** Alias for key_id */
@@ -76,20 +69,24 @@ export function toKeyInfo(key: KeyInfoApi): KeyInfo {
 /** Signing keys. */
 export class Key {
   /** The CubeSigner instance that this key is associated with */
-  readonly #cs: CubeSigner;
+  readonly #csc: CubeSignerClient;
+
   /** The organization that this key is in */
-  readonly orgId: string;
+  get orgId() {
+    return this.#csc.orgId;
+  }
+
   /**
    * The id of the key: "Key#" followed by a unique identifier specific to
    * the type of key (such as a public key for BLS or an ethereum address for Secp)
    * @example Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148
-   * */
+   */
   readonly id: string;
 
   /**
    * A unique identifier specific to the type of key, such as a public key or an ethereum address
    * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
-   * */
+   */
   readonly materialId: string;
 
   /**
@@ -97,7 +94,7 @@ export class Key {
    * - secp256k1 keys use 65-byte uncompressed SECG format
    * - BLS keys use 48-byte compressed BLS12-381 (ZCash) format
    * @example 0x04d2688b6bc2ce7f9879b9e745f3c4dc177908c5cef0c1b64cff19ae7ff27dee623c64fe9d9c325c7fbbc748bbd5f607ce14dd83e28ebbbb7d3e7f2ffb70a79431
-   * */
+   */
   readonly publicKey: string;
 
   /** The type of key. */
@@ -151,15 +148,16 @@ export class Key {
   /**
    * @description Owner of the key
    * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
-   * */
+   */
   async owner(): Promise<string> {
     const data = await this.fetch();
     return data.owner;
   }
 
-  /** Set the owner of the key. Only the key (or org) owner can change the owner of the key.
+  /**
+   * Set the owner of the key. Only the key (or org) owner can change the owner of the key.
    * @param {string} owner The user-id of the new owner of the key.
-   * */
+   */
   async setOwner(owner: string) {
     await this.update({ owner });
   }
@@ -168,149 +166,56 @@ export class Key {
    * Delete this key.
    */
   async delete() {
-    await this.#cs.deleteKey(this.orgId, this.id);
+    await this.#csc.keyDelete(this.id);
   }
 
   // --------------------------------------------------------------------------
   // -- INTERNAL --------------------------------------------------------------
   // --------------------------------------------------------------------------
 
-  /** Create a new key.
-   * @param {CubeSigner} cs The CubeSigner instance to use for signing.
-   * @param {string} orgId The id of the organization to which the key belongs.
+  /**
+   * Create a new key.
+   *
+   * @param {CubeSignerClient} csc The CubeSigner instance to use for signing.
    * @param {KeyInfo} data The JSON response from the API server.
    * @internal
-   * */
-  constructor(cs: CubeSigner, orgId: string, data: KeyInfoApi) {
-    this.#cs = cs;
-    this.orgId = orgId;
+   */
+  constructor(csc: CubeSignerClient, data: KeyInfoApi) {
+    this.#csc = csc;
     this.id = data.key_id;
     this.materialId = data.material_id;
     this.publicKey = data.public_key;
   }
 
-  /** Update the key.
+  /**
+   * Update the key.
    * @param {UpdateKeyRequest} request The JSON request to send to the API server.
    * @return {KeyInfo} The JSON response from the API server.
-   * */
+   */
   private async update(request: UpdateKeyRequest): Promise<KeyInfo> {
-    const resp = await (
-      await this.#cs.management()
-    ).patch("/v0/org/{org_id}/keys/{key_id}", {
-      params: { path: { org_id: this.orgId, key_id: this.id } },
-      body: request,
-      parseAs: "json",
-    });
-    return toKeyInfo(assertOk(resp));
-  }
-
-  /** Create new signing keys.
-   * @param {CubeSigner} cs The CubeSigner instance to use for signing.
-   * @param {string} orgId The id of the organization to which the key belongs.
-   * @param {KeyType} keyType The type of key to create.
-   * @param {number} count The number of keys to create.
-   * @param {string?} ownerId The owner of the keys. Defaults to the session's user.
-   * @return {Key[]} The new keys.
-   * @internal
-   * */
-  static async createKeys(
-    cs: CubeSigner,
-    orgId: string,
-    keyType: KeyType,
-    count: number,
-    ownerId?: string,
-  ): Promise<Key[]> {
-    const chain_id = 0; // not used anymore
-    const resp = await (
-      await cs.management()
-    ).post("/v0/org/{org_id}/keys", {
-      params: { path: { org_id: orgId } },
-      body: {
-        count,
-        chain_id,
-        key_type: keyType,
-        owner: ownerId || null,
-      },
-      parseAs: "json",
-    });
-    const data = assertOk(resp);
-    return data.keys.map((k) => new Key(cs, orgId, k));
+    const data = await this.#csc.keyUpdate(this.id, request);
+    return toKeyInfo(data);
   }
 
   /**
-   * Derives a key of a specified type using a supplied derivation path and an existing long-lived mnemonic.
+   * Fetch the key information.
    *
-   * The owner of the derived key will be the owner of the mnemonic.
-   *
-   * @param {CubeSigner} cs The CubeSigner instance to use for key creation.
-   * @param {string} orgId The id of the organization to which the key belongs.
-   * @param {KeyType} keyType The type of key to create.
-   * @param {string[]} derivationPaths Derivation paths from which to derive new keys.
-   * @param {string} mnemonicId materialId of mnemonic key used to derive the new key.
-   *
-   * @return {Key[]} The newly derived keys.
-   */
-  static async deriveKeys(
-    cs: CubeSigner,
-    orgId: string,
-    keyType: KeyType,
-    derivationPaths: string[],
-    mnemonicId: string,
-  ): Promise<Key[]> {
-    const resp = await (
-      await cs.management()
-    ).put("/v0/org/{org_id}/derive_key", {
-      params: { path: { org_id: orgId } },
-      body: {
-        derivation_path: derivationPaths,
-        mnemonic_id: mnemonicId,
-        key_type: keyType,
-      },
-      parseAs: "json",
-    });
-    const data = assertOk(resp);
-    return data.keys.map((k) => new Key(cs, orgId, k));
-  }
-
-  /** Get a key by id.
-   * @param {CubeSigner} cs The CubeSigner instance to use for signing.
-   * @param {string} orgId The id of the organization to which the key belongs.
-   * @param {string} keyId The id of the key to get.
-   * @return {Key} The key.
-   * @internal
-   * */
-  static async getKey(cs: CubeSigner, orgId: string, keyId: string): Promise<Key> {
-    const resp = await (
-      await cs.management()
-    ).get("/v0/org/{org_id}/keys/{key_id}", {
-      params: { path: { org_id: orgId, key_id: keyId } },
-      parseAs: "json",
-    });
-    const data = assertOk(resp);
-    return new Key(cs, orgId, data);
-  }
-
-  /** Fetches the key information.
    * @return {KeyInfo} The key information.
    * @internal
-   * */
+   */
   private async fetch(): Promise<KeyInfo> {
-    const resp = await (
-      await this.#cs.management()
-    ).get("/v0/org/{org_id}/keys/{key_id}", {
-      params: { path: { org_id: this.orgId, key_id: this.id } },
-      parseAs: "json",
-    });
-    const data = assertOk(resp);
+    const data = await this.#csc.keyGet(this.id);
     return toKeyInfo(data);
   }
 }
 
-/** Convert a schema key type to a key type.
+/**
+ * Convert a schema key type to a key type.
+ *
  * @param {SchemaKeyType} ty The schema key type.
  * @return {KeyType} The key type.
  * @internal
- * */
+ */
 export function fromSchemaKeyType(ty: SchemaKeyType): KeyType {
   switch (ty) {
     case "SecpEthAddr":

package/src/{fido.ts → mfa.ts}

@@ -1,42 +1,78 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 
-import { CubeSigner, MfaRequestInfo, SignerSession } from ".";
-import { components } from "./schema";
+import {
+  ApiAddFidoChallenge,
+  ApiMfaFidoChallenge,
+  MfaRequestInfo,
+  PublicKeyCredential,
+  TotpInfo,
+} from "./schema_types";
 import { decodeBase64Url, encodeToBase64Url } from "./util";
+import { CubeSignerApi } from "./api";
+
+/** MFA receipt */
+export interface MfaReceipt {
+  /** MFA request ID */
+  mfaId: string;
+  /** Corresponding org ID */
+  mfaOrgId: string;
+  /** MFA confirmation code */
+  mfaConf: string;
+}
+
+/** TOTP challenge that must be answered before user's TOTP is updated */
+export class TotpChallenge {
+  readonly #api: CubeSignerApi;
+  readonly #totpInfo: TotpInfo;
+
+  /** The id of the challenge */
+  get totpId() {
+    return this.#totpInfo.totp_id;
+  }
 
-export type ApiAddFidoChallenge =
-  components["responses"]["FidoCreateChallengeResponse"]["content"]["application/json"];
+  /** The new TOTP configuration */
+  get totpUrl() {
+    return this.#totpInfo.totp_url;
+  }
+
+  /**
+   * @param {CubeSignerApi} api Used when answering the challenge.
+   * @param {TotpInfo} totpInfo TOTP challenge information.
+   */
+  constructor(api: CubeSignerApi, totpInfo: TotpInfo) {
+    this.#api = api;
+    this.#totpInfo = totpInfo;
+  }
 
-export type ApiMfaFidoChallenge =
-  components["responses"]["FidoAssertChallenge"]["content"]["application/json"];
+  /**
+   * Answer the challenge with the code that corresponds to `this.totpUrl`.
+   * @param {string} code 6-digit code that corresponds to `this.totpUrl`.
+   */
+  async answer(code: string) {
+    if (!/^\d{1,6}$/.test(code)) {
+      throw new Error(`Invalid TOTP code: ${code}; it must be a 6-digit string`);
+    }
 
-export type PublicKeyCredentialCreationOptions =
-  components["schemas"]["PublicKeyCredentialCreationOptions"];
-export type PublicKeyCredentialRequestOptions =
-  components["schemas"]["PublicKeyCredentialRequestOptions"];
-export type PublicKeyCredentialParameters = components["schemas"]["PublicKeyCredentialParameters"];
-export type PublicKeyCredentialDescriptor = components["schemas"]["PublicKeyCredentialDescriptor"];
-export type AuthenticatorSelectionCriteria =
-  components["schemas"]["AuthenticatorSelectionCriteria"];
-export type PublicKeyCredentialUserEntity = components["schemas"]["PublicKeyCredentialUserEntity"];
-export type PublicKeyCredential = components["schemas"]["PublicKeyCredential"];
+    await this.#api.userResetTotpComplete(this.totpId, code);
+  }
+}
 
 /**
  * Returned after creating a request to add a new FIDO device.
  * Provides some helper methods for answering this challenge.
  */
 export class AddFidoChallenge {
-  readonly #cs: CubeSigner;
+  readonly #api: CubeSignerApi;
   readonly challengeId: string;
   readonly options: any;
 
   /**
    * Constructor
-   * @param {CubeSigner} cs CubeSigner instance used to request to add a FIDO device
+   * @param {CubeSignerApi} api The API client used to request to add a FIDO device
    * @param {ApiAddFidoChallenge} challenge The challenge returned by the remote end.
    */
-  constructor(cs: CubeSigner, challenge: ApiAddFidoChallenge) {
-    this.#cs = cs;
+  constructor(api: CubeSignerApi, challenge: ApiAddFidoChallenge) {
+    this.#api = api;
     this.challengeId = challenge.challenge_id;
 
     // fix options returned from the server: rename fields and decode base64 fields to uint8[]
@@ -44,12 +80,6 @@ export class AddFidoChallenge {
       ...challenge.options,
       challenge: decodeBase64Url(challenge.options.challenge),
     };
-    this.options.pubKeyCredParams ??= challenge.options.pub_key_cred_params;
-    this.options.excludeCredentials ??= challenge.options.exclude_credentials;
-    this.options.authenticatorSelection ??= challenge.options.authenticator_selection;
-    delete this.options.pub_key_cred_params;
-    delete this.options.exclude_credentials;
-    delete this.options.authenticator_selection;
 
     if (challenge.options.user) {
       this.options.user.id = decodeBase64Url(challenge.options.user.id);
@@ -88,7 +118,7 @@ export class AddFidoChallenge {
         attestationObject: encodeToBase64Url(cred.response.attestationObject),
       },
     };
-    await this.#cs.addFidoComplete(this.challengeId, answer);
+    await this.#api.userRegisterFidoComplete(this.challengeId, answer);
   }
 }
 
@@ -97,18 +127,18 @@ export class AddFidoChallenge {
  * Provides some helper methods for answering this challenge.
  */
 export class MfaFidoChallenge {
-  readonly #ss: SignerSession;
+  readonly #api: CubeSignerApi;
   readonly mfaId: string;
   readonly challengeId: string;
   readonly options: any;
 
   /**
-   * @param {SignerSession} ss The session used to initiate MFA approval using FIDO
+   * @param {CubeSignerApi} api The API client used to initiate MFA approval using FIDO
    * @param {string} mfaId The MFA request id.
    * @param {ApiMfaFidoChallenge} challenge The challenge returned by the remote end
    */
-  constructor(ss: SignerSession, mfaId: string, challenge: ApiMfaFidoChallenge) {
-    this.#ss = ss;
+  constructor(api: CubeSignerApi, mfaId: string, challenge: ApiMfaFidoChallenge) {
+    this.#api = api;
     this.mfaId = mfaId;
     this.challengeId = challenge.challenge_id;
 
@@ -117,12 +147,6 @@ export class MfaFidoChallenge {
       ...challenge.options,
       challenge: decodeBase64Url(challenge.options.challenge),
     };
-    this.options.rpId ??= challenge.options.rp_id;
-    this.options.allowCredentials ??= challenge.options.allow_credentials;
-    this.options.userVerification ??= challenge.options.user_verification;
-    delete this.options.rp_id;
-    delete this.options.allow_credentials;
-    delete this.options.user_verification;
 
     for (const credential of this.options.allowCredentials ?? []) {
       credential.id = decodeBase64Url(credential.id);
@@ -161,6 +185,6 @@ export class MfaFidoChallenge {
         signature: encodeToBase64Url(cred.response.signature),
       },
     };
-    return await this.#ss.fidoApproveComplete(this.mfaId, this.challengeId, answer);
+    return await this.#api.mfaApproveFidoComplete(this.mfaId, this.challengeId, answer);
   }
 }