@fourt/sdk 1.1.6 → 1.2.0

package/dist/index.js

@@ -1,16 +1,15 @@
 // src/session/index.ts
 import { createStore } from "zustand";
-import { createJSONStorage, persist } from "zustand/middleware";
+import { persist, createJSONStorage } from "zustand/middleware";
 var SessionStore = class {
   _store;
-  /**
-   * Initializes a new instance of the `SessionStore` class by creating a new `zustand`store with the initial state.
-   */
   constructor() {
     this._store = createStore()(
       persist(this._getInitialState, {
-        name: "fourt.io-signer-session",
-        storage: createJSONStorage(() => localStorage)
+        name: "fourt-session",
+        storage: createJSONStorage(() => localStorage),
+        // keep only these keys in persisted storage
+        partialize: (state) => ({ bundle: state.bundle, type: state.type })
       })
     );
   }
@@ -366,26 +365,29 @@ var UserModule = class {
     this._webSignerClient = _webSignerClient;
   }
   /**
-   * Gets the user information.
-   *
-   * @returns {User | undefined} user information.
+   * Retrieves information for the authenticated user.
+   * Assumes a user is already logged in, otherwise it will throw an error.
    */
-  get info() {
-    return this._webSignerClient.user;
+  async getInfo() {
+    return this._webSignerClient.getUser();
   }
-  /**  Gets the user token.
-   *
-   * @returns {string | undefined} user token.
+  /**
+   * Checks if a user is currently logged in to the fourt.io SDK.
    */
-  get token() {
+  async isLoggedIn() {
+    return this._webSignerClient.isLoggedIn();
+  }
+  /**
+   * Generates an access token with a lifespan of 15 minutes.
+   * Assumes a user is already logged in, otherwise it will throw an error.
+   */
+  async getToken() {
     return this._webSignerClient.getToken();
   }
   /**
    * Logs out the user.
-   *
-   * @returns {void}
    */
-  logout() {
+  async logout() {
     return this._webSignerClient.logout();
   }
 };
@@ -452,24 +454,28 @@ var UnauthenticatedError = class _UnauthenticatedError extends SDKError {
   }
 };
 
-// src/types/Routes.ts
+// src/types/routes.ts
 var ROUTE_METHOD_MAP = {
   "/v1/signup": "POST",
   "/v1/email-auth": "POST",
   "/v1/lookup": "POST",
   "/v1/signin": "POST",
   "/v1/sign": "POST",
-  "v1/oauth/init": "POST"
+  "/v1/oauth/init": "POST",
+  "/v1/refresh": "POST",
+  "/v1/logout": "POST",
+  "/v1/me": "GET"
 };
 
 // src/signer/index.ts
 import { jwtDecode } from "jwt-decode";
-import { isPast, secondsToMilliseconds } from "date-fns";
+import { differenceInMilliseconds, isBefore, subMinutes } from "date-fns";
 var SignerClient = class {
   _turnkeyClient;
   _configuration;
   _sessionStore;
-  _user;
+  _refreshPromise;
+  _refreshTimer;
   constructor({
     stamper,
     configuration: { apiUrl, paymasterRpcUrl, ...requiredConfiguration }
@@ -485,54 +491,97 @@ var SignerClient = class {
     };
     this._sessionStore = new SessionStore();
   }
-  logout() {
-    this._user = void 0;
-    this.sessionStore.clearAll();
-  }
   get configuration() {
     return this._configuration;
   }
-  get user() {
-    if (this._user) return this._user;
-    if (!this.sessionStore.token) {
-      this.sessionStore.clearAll();
-      return void 0;
-    }
-    const decodedToken = jwtDecode(this.sessionStore.token);
-    if (decodedToken.exp && isPast(new Date(secondsToMilliseconds(decodedToken.exp)))) {
-      this.sessionStore.clearAll();
-      return void 0;
+  async getUser() {
+    if (this._sessionStore.user) return this._sessionStore.user;
+    try {
+      const user = await this.request("/v1/me");
+      this._sessionStore.user = user;
+      return user;
+    } catch (error) {
+      if (error instanceof UnauthorizedError) {
+        try {
+          await this._refreshToken();
+          const user = await this.request("/v1/me");
+          this._sessionStore.user = user;
+          return user;
+        } catch (error2) {
+          throw error2;
+        }
+      }
+      throw error;
     }
-    if (this.sessionStore.user) this._user = this.sessionStore.user;
-    return this._user;
   }
-  set user(value) {
-    this._user = value;
+  async isLoggedIn() {
+    const token = this._sessionStore.token;
+    if (token && !this._isTokenExpired(token)) return true;
+    try {
+      await this._refreshToken();
+      return !!this._sessionStore.token;
+    } catch {
+      return false;
+    }
   }
-  set stamper(stamper) {
-    this._turnkeyClient.stamper = stamper;
+  async getToken() {
+    if (!this._sessionStore.token) {
+      try {
+        await this._refreshToken();
+      } catch {
+        throw new UnauthorizedError({
+          message: "No token found, user might not be logged in"
+        });
+      }
+    } else if (this._isTokenExpired(this._sessionStore.token)) {
+      try {
+        await this._refreshToken();
+      } catch {
+        throw new UnauthorizedError({
+          message: "Token expired and refresh failed"
+        });
+      }
+    }
+    const token = this._sessionStore.token;
+    if (!token) {
+      throw new UnauthorizedError({
+        message: "No token found, user might not be logged in"
+      });
+    }
+    return token;
   }
-  get stamper() {
-    return this._turnkeyClient.stamper;
+  _isTokenExpired(token) {
+    try {
+      const decoded = jwtDecode(token);
+      if (decoded.exp) {
+        return decoded.exp * 1e3 <= Date.now();
+      }
+      return true;
+    } catch {
+      return true;
+    }
   }
-  get sessionStore() {
-    return this._sessionStore;
+  async logout() {
+    if (this._refreshTimer) clearTimeout(this._refreshTimer);
+    this._refreshTimer = void 0;
+    await this.request("/v1/logout");
+    this._sessionStore.clearAll();
   }
   async signRawMessage(msg) {
-    if (!this._user) {
+    if (!this._sessionStore.token || !this._sessionStore.user) {
       throw new UnauthorizedError({
         message: "SignerClient must be authenticated to sign a message"
       });
     }
     const stampedRequest = await this._turnkeyClient.stampSignRawPayload({
-      organizationId: this._user.subOrgId,
+      organizationId: this._sessionStore.user.subOrgId,
       type: "ACTIVITY_TYPE_SIGN_RAW_PAYLOAD_V2",
       timestampMs: Date.now().toString(),
       parameters: {
         encoding: "PAYLOAD_ENCODING_HEXADECIMAL",
         hashFunction: "HASH_FUNCTION_NO_OP",
         payload: msg,
-        signWith: this._user.walletAddress
+        signWith: this._sessionStore.user.walletAddress
       }
     });
     const { signature } = await this.request("/v1/sign", {
@@ -540,8 +589,11 @@ var SignerClient = class {
     });
     return signature;
   }
-  getToken() {
-    return this._sessionStore.token;
+  set stamper(stamper) {
+    this._turnkeyClient.stamper = stamper;
+  }
+  get stamper() {
+    return this._turnkeyClient.stamper;
   }
   async lookUpUser(email) {
     try {
@@ -561,7 +613,7 @@ var SignerClient = class {
     }
   }
   async whoAmI(subOrgId) {
-    const orgId = subOrgId || this._user?.subOrgId;
+    const orgId = subOrgId || this._sessionStore.user?.subOrgId;
     if (!orgId) throw new BadRequestError({ message: "No orgId provided" });
     const stampedRequest = await this._turnkeyClient.stampGetWhoami({
       organizationId: orgId
@@ -576,19 +628,20 @@ var SignerClient = class {
         return void 0;
       }
     })();
-    this._user = {
+    this._sessionStore.user = {
       ...user,
       credentialId
     };
-    this.sessionStore.user = this.user;
-    this.sessionStore.token = token;
+    this._sessionStore.token = token;
+    this._scheduleRefresh(token);
   }
   async request(route, body) {
     const url = new URL(`${route}`, this._configuration.apiUrl);
-    const token = this.sessionStore.token;
+    const token = this._sessionStore.token;
     const headers = {
       "Content-Type": "application/json",
-      "X-FOURT-KEY": this._configuration.apiKey
+      "X-FOURT-KEY": this._configuration.apiKey,
+      "X-CSRF-TOKEN": this._getCookie("csrfToken") ?? ""
     };
     if (token) {
       headers["Authorization"] = `Bearer ${token}`;
@@ -603,7 +656,6 @@ var SignerClient = class {
     if (error) {
       switch (error.kind) {
         case "UnauthorizedError": {
-          this.logout();
           throw new UnauthorizedError({ message: error.message });
         }
         case "NotFoundError": {
@@ -619,11 +671,88 @@ var SignerClient = class {
     }
     return { ...data };
   }
+  _scheduleRefresh(token) {
+    try {
+      const decoded = jwtDecode(token);
+      if (!decoded.exp) return;
+      const expiryDate = new Date(decoded.exp * 1e3);
+      const refreshDate = subMinutes(expiryDate, 2);
+      const delay = isBefore(refreshDate, /* @__PURE__ */ new Date()) ? 0 : differenceInMilliseconds(refreshDate, /* @__PURE__ */ new Date());
+      if (this._refreshTimer) clearTimeout(this._refreshTimer);
+      this._refreshTimer = setTimeout(() => {
+        this._refreshTimer = void 0;
+        this._refreshToken();
+      }, delay);
+    } catch {
+    }
+  }
+  async _refreshToken() {
+    if (this._refreshPromise) return this._refreshPromise;
+    this._refreshPromise = (async () => {
+      const TIMEOUT_MS = 1e4;
+      const RETRY_DELAY_MS = 5e3;
+      try {
+        const refreshPromise = this.request("/v1/refresh");
+        const data = await Promise.race([
+          refreshPromise,
+          new Promise(
+            (_, reject) => setTimeout(() => reject(new Error("Refresh timeout")), TIMEOUT_MS)
+          )
+        ]);
+        if (!data || !data.token) {
+          throw new UnauthorizedError({
+            message: "Refresh did not return a token"
+          });
+        }
+        this._sessionStore.token = data.token;
+        this._scheduleRefresh(data.token);
+      } catch (error) {
+        if (error instanceof UnauthorizedError) {
+          try {
+            this._sessionStore.clearAll();
+          } catch {
+          }
+          throw error;
+        }
+        if (this._refreshTimer) clearTimeout(this._refreshTimer);
+        const MAX_RETRIES = 5;
+        let retryCount = 0;
+        this._refreshTimer = setTimeout(() => {
+          this._refreshTimer = void 0;
+          void this._refreshToken().catch(() => {
+            retryCount++;
+            if (retryCount <= MAX_RETRIES) {
+              const nextDelay = Math.min(
+                RETRY_DELAY_MS * 2 ** (retryCount - 1),
+                6e4
+              );
+              this._refreshTimer = setTimeout(() => {
+                this._refreshTimer = void 0;
+                void this._refreshToken().catch(() => {
+                });
+              }, nextDelay);
+            }
+          });
+        }, RETRY_DELAY_MS);
+        throw error;
+      } finally {
+        this._refreshPromise = void 0;
+      }
+    })();
+    return this._refreshPromise;
+  }
+  _getCookie(name) {
+    if (typeof document === "undefined") return null;
+    const match = document.cookie.match(new RegExp("(^| )" + name + "=([^;]+)"));
+    return match ? decodeURIComponent(match[2]) : null;
+  }
 };
 
 // src/signer/web.ts
 var WebSignerClient = class extends SignerClient {
-  _stampers;
+  iframeStamper;
+  webauthnStamper;
+  iframeConfig;
   oauthConfiguration;
   /**
    * Initializes a new instance of the `WebSignerClient` class.
@@ -636,54 +765,56 @@ var WebSignerClient = class extends SignerClient {
     iframe,
     oauth
   }) {
-    const iframeContainerId = iframe?.iframeContainerId ?? "fourt-signer-iframe-container";
+    const iframeConfig = {
+      iframeElementId: iframe?.iframeElementId ?? "turnkey-iframe",
+      iframeContainerId: iframe?.iframeContainerId ?? "signer-iframe-container"
+    };
     const iframeContainer = document.createElement("div");
-    iframeContainer.id = iframeContainerId;
+    iframeContainer.id = iframeConfig.iframeContainerId;
     iframeContainer.style.display = "none";
     document.body.appendChild(iframeContainer);
-    const webauthnStamper = new WebauthnStamper({ rpId: webauthn.rpId });
     const iframeStamper = new IframeStamper({
       iframeUrl: "https://auth.turnkey.com",
-      iframeElementId: iframe?.iframeElementId ?? "turnkey-iframe",
-      iframeContainer: document.getElementById(iframeContainerId)
+      iframeElementId: iframeConfig.iframeElementId,
+      iframeContainer: document.getElementById(iframeConfig.iframeContainerId)
     });
     super({
       stamper: iframeStamper,
       // Initialized to iframeStamper; can be either webauthnStamper or iframeStamper
       configuration
     });
-    this._stampers = {
-      webauthn: webauthnStamper,
-      iframe: iframeStamper
-    };
+    this.iframeStamper = iframeStamper;
+    this.iframeConfig = iframeConfig;
+    this.webauthnStamper = new WebauthnStamper({ rpId: webauthn.rpId });
     this.oauthConfiguration = oauth;
   }
+  async logout() {
+    super.logout();
+    this.iframeStamper.clear();
+    const stamper = new IframeStamper({
+      iframeUrl: "https://auth.turnkey.com",
+      iframeElementId: this.iframeConfig.iframeElementId,
+      iframeContainer: document.getElementById(
+        this.iframeConfig.iframeContainerId
+      )
+    });
+    this.iframeStamper = stamper;
+    await this._initIframeStamper();
+  }
   async signRawMessage(msg) {
-    await this.updateStamper();
+    await this._updateStamper();
     return super.signRawMessage(msg);
   }
-  async logout() {
-    this._stampers.iframe.clear();
-    await this._stampers.iframe.init();
-    return super.logout();
-  }
   /**
-   * Checks for an existing session and if exists, updates the stamper accordingly.
+   * Get the pre-filled URL for initiating oauth with a specific provider.
    *
+   * @param {string} provider provider for which we are getting the URL, currently google or apple
    */
-  async updateStamper() {
-    if (this._sessionStore.type === void 0 && (this._sessionStore.bundle === void 0 || this._sessionStore.token === void 0))
-      return;
-    if (this._sessionStore.type === "passkeys" /* Passkeys */) {
-      this.stamper = this._stampers.webauthn;
-    } else {
-      this.stamper = this._stampers.iframe;
-      await this.completeAuthWithBundle({
-        bundle: this._sessionStore.bundle,
-        subOrgId: this.user?.subOrgId,
-        sessionType: this._sessionStore.type
-      });
-    }
+  async getOAuthInitUrl(provider) {
+    const { url } = await this.request("/v1/oauth/init", {
+      provider
+    });
+    return url;
   }
   /**
    * Signs in a user with webauthn.
@@ -695,15 +826,15 @@ var WebSignerClient = class extends SignerClient {
     if (!existingUserSubOrgId) {
       await this._createAccount({ method: "webauthn", email });
     } else {
-      this.stamper = this._stampers.webauthn;
+      this.stamper = this.webauthnStamper;
       await this.whoAmI(existingUserSubOrgId);
       this._sessionStore.type = "passkeys" /* Passkeys */;
-      if (!this.user || !this.user.credentialId) {
+      if (!this._sessionStore.user || !this._sessionStore.user.credentialId) {
         return;
       }
-      this._stampers.webauthn.allowCredentials = [
+      this.webauthnStamper.allowCredentials = [
         {
-          id: LibBase64.toBuffer(this.user.credentialId),
+          id: LibBase64.toBuffer(this._sessionStore.user.credentialId),
           type: "public-key",
           transports: ["internal", "usb"]
         }
@@ -726,23 +857,6 @@ var WebSignerClient = class extends SignerClient {
   async getIframePublicKey() {
     return await this._initIframeStamper();
   }
-  /**
-   * Signs in a user with email.
-   *
-   * @param {EmailInitializeAuthParams} params params for the sign in
-   */
-  async _signInWithEmail({
-    email,
-    expirationSeconds,
-    redirectUrl
-  }) {
-    return this.request("/v1/email-auth", {
-      email,
-      targetPublicKey: await this.getIframePublicKey(),
-      expirationSeconds,
-      redirectUrl: redirectUrl.toString()
-    });
-  }
   /**
    * Completes the authentication process with a credential bundle.
    *
@@ -754,7 +868,7 @@ var WebSignerClient = class extends SignerClient {
     sessionType
   }) {
     await this._initIframeStamper();
-    const result = await this._stampers.iframe.injectCredentialBundle(bundle);
+    const result = await this.iframeStamper.injectCredentialBundle(bundle);
     if (!result) {
       throw new Error("Failed to inject credential bundle");
     }
@@ -762,6 +876,40 @@ var WebSignerClient = class extends SignerClient {
     this._sessionStore.type = sessionType;
     this._sessionStore.bundle = bundle;
   }
+  /**
+   * Checks for an existing session and if exists, updates the stamper accordingly.
+   */
+  async _updateStamper() {
+    if (this._sessionStore.type === void 0 && (this._sessionStore.bundle === void 0 || this._sessionStore.token === void 0))
+      return;
+    if (this._sessionStore.type === "passkeys" /* Passkeys */) {
+      this.stamper = this.webauthnStamper;
+    } else {
+      this.stamper = this.iframeStamper;
+      await this.completeAuthWithBundle({
+        bundle: this._sessionStore.bundle,
+        subOrgId: this._sessionStore.user?.subOrgId,
+        sessionType: this._sessionStore.type
+      });
+    }
+  }
+  /**
+   * Signs in a user with email.
+   *
+   * @param {EmailInitializeAuthParams} params params for the sign in
+   */
+  async _signInWithEmail({
+    email,
+    expirationSeconds,
+    redirectUrl
+  }) {
+    return this.request("/v1/email-auth", {
+      email,
+      targetPublicKey: await this.getIframePublicKey(),
+      expirationSeconds,
+      redirectUrl: redirectUrl.toString()
+    });
+  }
   /**
    * Creates a passkey account using the webauthn stamper.
    *
@@ -771,28 +919,20 @@ var WebSignerClient = class extends SignerClient {
     const { challenge, attestation } = await this._webauthnGenerateAttestation(
       params.email
     );
-    const {
-      token,
-      user: { id, email, subOrgId, walletAddress, salt, smartAccountAddress }
-    } = await this.request("/v1/signup", {
+    const { token, user } = await this.request("/v1/signup", {
       passkey: {
         challenge: LibBase64.fromBuffer(challenge),
         attestation
       },
       email: params.email
     });
-    this.user = {
-      id,
-      email,
-      subOrgId,
-      walletAddress,
-      salt,
-      smartAccountAddress,
+    this._sessionStore.user = {
+      ...user,
       credentialId: attestation.credentialId
     };
-    this._sessionStore.user = this.user;
     this._sessionStore.type = "passkeys" /* Passkeys */;
     this._sessionStore.token = token;
+    this._scheduleRefresh(token);
   }
   /**
    * Creates an email account using the iframe stamper.
@@ -863,22 +1003,11 @@ var WebSignerClient = class extends SignerClient {
     return { challenge, attestation, authenticatorUserId };
   }
   async _initIframeStamper() {
-    if (!this._stampers.iframe.publicKey()) {
-      await this._stampers.iframe.init();
+    if (!this.iframeStamper.publicKey()) {
+      await this.iframeStamper.init();
     }
-    this.stamper = this._stampers.iframe;
-    return this._stampers.iframe.publicKey();
-  }
-  /**
-   * Get the pre-filled URL for initiating oauth with a specific provider.
-   *
-   * @param {string} provider provider for which we are getting the URL, currently google or apple
-   */
-  async getOAuthInitUrl(provider) {
-    const { url } = await this.request("v1/oauth/init", {
-      provider
-    });
-    return url;
+    this.stamper = this.iframeStamper;
+    return this.iframeStamper.publicKey();
   }
 };
 
@@ -902,13 +1031,13 @@ var ViemModule = class {
     this._signerClient = _signerClient;
   }
   async toLocalAccount() {
-    const user = this._signerClient.user;
+    const user = await this._signerClient.getUser();
     if (!user) {
       throw new UnauthenticatedError({ message: "Signer not authenticated" });
     }
     return toAccount({
       address: user.walletAddress,
-      signMessage: (msg) => this.signMessage(msg.message),
+      signMessage: ({ message }) => this.signMessage(message),
       signTypedData: (typedDataDefinition) => this.signTypedData(typedDataDefinition),
       signTransaction: this.signTransaction
     });
@@ -917,7 +1046,7 @@ var ViemModule = class {
     client,
     owner
   }) {
-    const user = this._signerClient.user;
+    const user = await this._signerClient.getUser();
     if (!user) {
       throw new UnauthenticatedError({ message: "Signer not authenticated" });
     }
@@ -953,7 +1082,7 @@ var ViemModule = class {
   }
   async signTransaction(transaction, options) {
     const serializeFn = options?.serializer ?? serializeTransaction;
-    const serializedTx = serializeFn(transaction);
+    const serializedTx = await serializeFn(transaction);
     const signatureHex = await this._signerClient.signRawMessage(
       keccak256(serializedTx)
     );