@fourt/sdk 1.2.2 → 1.3.0

package/dist/index.js

@@ -1,3 +1,10 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
 // src/session/index.ts
 import { createStore } from "zustand";
 import { persist, createJSONStorage } from "zustand/middleware";
@@ -136,34 +143,95 @@ var SessionStore = class {
   }
 };
 
-// src/modules/auth/email.ts
-var EmailModule = class {
+// src/modules/auth/email/magicLink.ts
+var MagicLinkModule = class {
   constructor(_webSignerClient) {
     this._webSignerClient = _webSignerClient;
   }
   /**
-   * Initialize user authentication process using email.
+   * Completes authentication with magic link that contains a bundle.
    *
-   * @param params {EmailInitializeAuthParams} params to initialize the user authentication process.
-   * @returns {Promise<void>} promise that resolves to the result of the authentication process.
+   * @param params {CompleteAuthWithBundleParams} params received as URL params necessary to complete authentication process.
+   * @returns {Promise<void>} promise that completes the authentication process.
    */
-  async initialize(params) {
-    return this._webSignerClient.emailAuth(params);
+  async complete(params) {
+    return this._webSignerClient.completeAuthWithBundle({
+      ...params,
+      sessionType: "email" /* Email */
+    });
+  }
+};
+
+// src/errors/SDKError.ts
+var SDKError = class extends Error {
+  _props;
+  constructor(message, props) {
+    super(message);
+    this._props = props;
+  }
+  get message() {
+    return this._props.message;
+  }
+};
+
+// src/errors/NotFoundError.ts
+var NotFoundError = class _NotFoundError extends SDKError {
+  constructor(props) {
+    super(_NotFoundError.name, props);
+  }
+};
+
+// src/modules/auth/email/otp.ts
+var OtpModule = class {
+  constructor(_webSignerClient) {
+    this._webSignerClient = _webSignerClient;
   }
   /**
-   * Completes authentication with bundle after user receives the bundle and subOrgId as URL params.
+   * Completes authentication with OTP code after user receives the bundle and subOrgId.
    *
-   * @param params {CompleteAuthWithBundleParams} params received as URL params necessary to complete authentication process.
+   * @param params {OtpAuthParams} params to complete the authentication process.
    * @returns {Promise<void>} promise that completes the authentication process.
    */
   async complete(params) {
+    const { auth } = await this._webSignerClient.otpAuth(params);
+    if (!auth)
+      throw new NotFoundError({
+        message: "No OTP authentication response returned."
+      });
     return this._webSignerClient.completeAuthWithBundle({
-      ...params,
+      bundle: auth.credentialBundle,
+      subOrgId: auth.subOrgId,
       sessionType: "email" /* Email */
     });
   }
 };
 
+// src/modules/auth/email.ts
+var EmailModule = class {
+  constructor(_webSignerClient) {
+    this._webSignerClient = _webSignerClient;
+    this._magicLinkModule = new MagicLinkModule(this._webSignerClient);
+    this._otpModule = new OtpModule(this._webSignerClient);
+  }
+  _magicLinkModule;
+  _otpModule;
+  /**
+   * Initialize user authentication process using email.
+   *
+   * @param params {EmailInitializeAuthParams} params to initialize the user authentication process.
+   * @returns {Promise<void>} promise that resolves to the result of the authentication process.
+   */
+  async initialize(params) {
+    return this._webSignerClient.emailAuth(params);
+  }
+  get magicLink() {
+    return this._magicLinkModule;
+  }
+  get otp() {
+    return this._otpModule;
+  }
+};
+
 // src/modules/auth/passkeys.ts
 var PasskeysModule = class {
   constructor(_webSignerClient) {
@@ -173,7 +241,6 @@ var PasskeysModule = class {
    * Signs in a user using Passkeys.
    *
    * @param params {WebauthnSignInParams} params for the sign-in process.
-   * @returns {Promise<void>} promise that resolves to the result of the sign-in process.
    */
   async signIn(params) {
     return this._webSignerClient.webauthnSignIn(params);
@@ -182,7 +249,40 @@ var PasskeysModule = class {
 
 // src/modules/auth/oauth/google.ts
 import * as jose from "jose";
-import { sha256 } from "sha.js";
+
+// src/lib/sha256.ts
+var LibSha256 = class {
+  /**
+   * Compute SHA-256 and return hex string using Web Crypto when available.
+   * Falls back to Node's crypto.createHash when running in Node.
+   */
+  static async sha256Hex(input) {
+    let data;
+    if (typeof input === "string") {
+      data = new TextEncoder().encode(input);
+    } else if (input instanceof Uint8Array) {
+      data = input;
+    } else {
+      data = new Uint8Array(input);
+    }
+    const subtle = typeof globalThis !== "undefined" && globalThis.crypto?.subtle ? globalThis.crypto.subtle : void 0;
+    if (subtle) {
+      const hash = await subtle.digest("SHA-256", data);
+      return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+    }
+    try {
+      const nodeCrypto = __require("crypto");
+      const hash = nodeCrypto.createHash("sha256").update(data).digest("hex");
+      return hash;
+    } catch {
+      throw new Error(
+        "No crypto provider available. Provide a global crypto.subtle or run in Node 18+."
+      );
+    }
+  }
+};
+
+// src/modules/auth/oauth/google.ts
 var GoogleModule = class {
   constructor(_webSignerClient) {
     this._webSignerClient = _webSignerClient;
@@ -200,7 +300,7 @@ var GoogleModule = class {
     ).href;
     url.searchParams.set("redirect_uri", internalUrl);
     const publicKey = await this._webSignerClient.getIframePublicKey();
-    const nonce = new sha256().update(publicKey).digest("hex");
+    const nonce = await LibSha256.sha256Hex(publicKey);
     url.searchParams.set("nonce", nonce);
     const state = new jose.UnsecuredJWT({
       apiKey: this._webSignerClient.configuration.apiKey,
@@ -214,18 +314,6 @@ var GoogleModule = class {
   }
 };
 
-// src/errors/SDKError.ts
-var SDKError = class extends Error {
-  _props;
-  constructor(message, props) {
-    super(message);
-    this._props = props;
-  }
-  get message() {
-    return this._props.message;
-  }
-};
-
 // src/errors/BadRequestError.ts
 var BadRequestError = class _BadRequestError extends SDKError {
   constructor(props) {
@@ -276,7 +364,6 @@ var FacebookModule = class {
 
 // src/modules/auth/oauth/apple.ts
 import * as jose3 from "jose";
-import { sha256 as sha2562 } from "sha.js";
 var AppleModule = class {
   constructor(_webSignerClient) {
     this._webSignerClient = _webSignerClient;
@@ -294,7 +381,7 @@ var AppleModule = class {
     ).href;
     url.searchParams.set("redirect_uri", internalUrl);
     const publicKey = await this._webSignerClient.getIframePublicKey();
-    const nonce = new sha2562().update(publicKey).digest("hex");
+    const nonce = await LibSha256.sha256Hex(publicKey);
     url.searchParams.set("nonce", nonce);
     const state = new jose3.UnsecuredJWT({
       apiKey: this._webSignerClient.configuration.apiKey,
@@ -414,13 +501,29 @@ import { IframeStamper } from "@turnkey/iframe-stamper";
 import { WebauthnStamper } from "@turnkey/webauthn-stamper";
 
 // src/lib/base64.ts
-import { Buffer } from "buffer";
 var LibBase64 = class {
+  // Convert an ArrayBuffer to base64url (no padding)
   static fromBuffer(buffer) {
-    return Buffer.from(buffer).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-  }
-  static toBuffer(base64) {
-    return Buffer.from(base64, "base64").buffer;
+    const bytes = new Uint8Array(buffer);
+    const CHUNK_SIZE = 32768;
+    let binary = "";
+    for (let i = 0; i < bytes.length; i += CHUNK_SIZE) {
+      const chunk = bytes.subarray(i, i + CHUNK_SIZE);
+      binary += String.fromCharCode(...chunk);
+    }
+    const base64 = typeof btoa === "function" ? btoa(binary) : Buffer.from(bytes).toString("base64");
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  }
+  // Convert base64url (no padding) to ArrayBuffer
+  static toBuffer(base64url) {
+    let base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = base64.length % 4;
+    if (pad) base64 += "=".repeat(4 - pad);
+    const binary = typeof atob === "function" ? atob(base64) : Buffer.from(base64, "base64").toString("binary");
+    const len = binary.length;
+    const bytes = new Uint8Array(len);
+    for (let i = 0; i < len; i++) bytes[i] = binary.charCodeAt(i);
+    return bytes.buffer;
   }
 };
 
@@ -449,13 +552,6 @@ var UnauthorizedError = class _UnauthorizedError extends SDKError {
   }
 };
 
-// src/errors/NotFoundError.ts
-var NotFoundError = class _NotFoundError extends SDKError {
-  constructor(props) {
-    super(_NotFoundError.name, props);
-  }
-};
-
 // src/errors/GenericError.ts
 var GenericError = class _GenericError extends SDKError {
   constructor(props) {
@@ -470,23 +566,8 @@ var UnauthenticatedError = class _UnauthenticatedError extends SDKError {
   }
 };
 
-// src/types/routes.ts
-var ROUTE_METHOD_MAP = {
-  "/v1/signup": "POST",
-  "/v1/email-auth": "POST",
-  "/v1/lookup": "POST",
-  "/v1/signin": "POST",
-  "/v1/sign": "POST",
-  "/v1/oauth/init": "POST",
-  "/v1/refresh": "POST",
-  "/v1/csrf-token": "GET",
-  "/v1/logout": "POST",
-  "/v1/me": "GET"
-};
-
 // src/signer/index.ts
-import { jwtDecode } from "jwt-decode";
-import { differenceInMilliseconds, isBefore, subMinutes } from "date-fns";
+import { decodeJwt } from "jose";
 var SignerClient = class {
   _turnkeyClient;
   _configuration;
@@ -514,14 +595,14 @@ var SignerClient = class {
   async getUser() {
     if (this._sessionStore.user) return this._sessionStore.user;
     try {
-      const user = await this.request("/v1/me");
+      const user = await this.request("/v1/me", "GET");
       this._sessionStore.user = user;
       return user;
     } catch (error) {
       if (error instanceof UnauthorizedError) {
         try {
           await this._refreshToken();
-          const user = await this.request("/v1/me");
+          const user = await this.request("/v1/me", "GET");
           this._sessionStore.user = user;
           return user;
         } catch (error2) {
@@ -569,8 +650,8 @@ var SignerClient = class {
   }
   _isTokenExpired(token) {
     try {
-      const decoded = jwtDecode(token);
-      if (decoded.exp) {
+      const decoded = decodeJwt(token);
+      if (typeof decoded.exp === "number") {
         return decoded.exp * 1e3 <= Date.now();
       }
       return true;
@@ -581,7 +662,7 @@ var SignerClient = class {
   async logout() {
     if (this._refreshTimer) clearTimeout(this._refreshTimer);
     this._refreshTimer = void 0;
-    await this.request("/v1/logout");
+    await this.request("/v1/logout", "POST");
     this._sessionStore.clearAll();
   }
   async signRawMessage(msg) {
@@ -601,7 +682,7 @@ var SignerClient = class {
         signWith: this._sessionStore.user.walletAddress
       }
     });
-    const { signature } = await this.request("/v1/sign", {
+    const { signature } = await this.request("/v1/sign", "POST", {
       stampedRequest
     });
     return signature;
@@ -614,7 +695,7 @@ var SignerClient = class {
   }
   async lookUpUser(email) {
     try {
-      const { subOrgId } = await this.request("/v1/lookup", { email });
+      const { subOrgId } = await this.request("/v1/lookup", "POST", { email });
       return subOrgId;
     } catch (error) {
       if (!(error instanceof SDKError)) throw error;
@@ -635,9 +716,13 @@ var SignerClient = class {
     const stampedRequest = await this._turnkeyClient.stampGetWhoami({
       organizationId: orgId
     });
-    const { user, token, csrfToken } = await this.request("/v1/signin", {
-      stampedRequest
-    });
+    const { user, token, csrfToken } = await this.request(
+      "/v1/signin",
+      "POST",
+      {
+        stampedRequest
+      }
+    );
     const credentialId = (() => {
       try {
         return JSON.parse(stampedRequest?.stamp.stampHeaderValue).credentialId;
@@ -653,7 +738,7 @@ var SignerClient = class {
     this._sessionStore.csrfToken = csrfToken;
     this._scheduleRefresh(token);
   }
-  async request(route, body) {
+  async request(route, method, body) {
     const url = new URL(`${route}`, this._configuration.apiUrl);
     const token = this._sessionStore.token;
     const csrfToken = this._sessionStore.csrfToken;
@@ -668,8 +753,8 @@ var SignerClient = class {
       headers["X-CSRF-Token"] = csrfToken;
     }
     const response = await fetch(url, {
-      method: ROUTE_METHOD_MAP[route],
-      body: JSON.stringify(body),
+      method,
+      body: method === "POST" ? JSON.stringify(body) : void 0,
       headers,
       credentials: "include"
     });
@@ -692,13 +777,24 @@ var SignerClient = class {
     }
     return { ...data };
   }
+  /**
+   * Compute milliseconds until refresh time.
+   * - expSeconds is the JWT exp claim (seconds).
+   * - earlyMinutes is how many minutes before exp to refresh (default 2).
+   * Returns 0 if refresh time is already past.
+   */
+  _computeRefreshDelayMs(expSeconds, earlyMinutes = 2) {
+    const expiryMs = expSeconds * 1e3;
+    const refreshMs = expiryMs - earlyMinutes * 60 * 1e3;
+    const now = Date.now();
+    const delay = refreshMs - now;
+    return delay <= 0 ? 0 : delay;
+  }
   _scheduleRefresh(token) {
     try {
-      const decoded = jwtDecode(token);
+      const decoded = decodeJwt(token);
       if (!decoded.exp) return;
-      const expiryDate = new Date(decoded.exp * 1e3);
-      const refreshDate = subMinutes(expiryDate, 2);
-      const delay = isBefore(refreshDate, /* @__PURE__ */ new Date()) ? 0 : differenceInMilliseconds(refreshDate, /* @__PURE__ */ new Date());
+      const delay = this._computeRefreshDelayMs(decoded.exp, 2);
       if (this._refreshTimer) clearTimeout(this._refreshTimer);
       this._refreshTimer = setTimeout(() => {
         this._refreshTimer = void 0;
@@ -714,10 +810,10 @@ var SignerClient = class {
       const RETRY_DELAY_MS = 5e3;
       try {
         if (!this._sessionStore.csrfToken) {
-          const { csrfToken } = await this.request("/v1/csrf-token");
+          const { csrfToken } = await this.request("/v1/csrf-token", "GET");
           this._sessionStore.csrfToken = csrfToken;
         }
-        const refreshPromise = this.request("/v1/refresh");
+        const refreshPromise = this.request("/v1/refresh", "POST");
         const data = await Promise.race([
           refreshPromise,
           new Promise(
@@ -832,7 +928,7 @@ var WebSignerClient = class extends SignerClient {
    * @param {string} provider provider for which we are getting the URL, currently google or apple
    */
   async getOAuthInitUrl(provider) {
-    const { url } = await this.request("/v1/oauth/init", {
+    const { url } = await this.request("/v1/oauth/init", "POST", {
       provider
     });
     return url;
@@ -863,21 +959,65 @@ var WebSignerClient = class extends SignerClient {
     }
   }
   /**
-   * Handle auth user process with email.
+   * Handles auth user process with email according to the method of the used app.
    *
-   * @param {EmailInitializeAuthParams} params Params needed for the initialization of the auth process
+   * @param {EmailInitializeAuthParams} params params needed for the initialization of the auth process
    */
   async emailAuth(params) {
-    const existingUserSubOrgId = await this.lookUpUser(params.email);
-    if (!existingUserSubOrgId) {
-      await this._createAccount({ method: "email", ...params });
+    const method = await this._getEmailAuthMethod();
+    if (method === "magiclink") {
+      const existingUserSubOrgId = await this.lookUpUser(params.email);
+      if (!existingUserSubOrgId) {
+        await this._createAccount({ method: "email", ...params });
+      } else {
+        await this._signInWithEmail(params);
+      }
+      return { method };
+    } else if (method === "otp") {
+      const { init } = await this._initOtpAuth({ email: params.email });
+      if (!init?.otpId)
+        throw new NotFoundError({ message: "No OTP init response returned." });
+      return {
+        method,
+        otpId: init.otpId
+      };
     } else {
-      await this._signInWithEmail(params);
+      throw new Error("Invalid email authentication method.");
     }
   }
   async getIframePublicKey() {
     return await this._initIframeStamper();
   }
+  /**
+   * Verifies the provided otp code.
+   *
+   * @param {OtpAuthParams} params params needed for otp code verification
+   */
+  async otpAuth(params) {
+    return this.request("/v1/otp-auth", "POST", {
+      auth: {
+        email: params.email,
+        otpCode: params.otpCode,
+        otpId: params.otpId,
+        targetPublicKey: await this.getIframePublicKey()
+      }
+    });
+  }
+  /**
+   * Gets the email authentication method of the app.
+   */
+  async _getEmailAuthMethod() {
+    const { method } = await this.request("/v1/email-auth", "GET");
+    return method;
+  }
+  /**
+   * Starts email authentication process via otp.
+   */
+  async _initOtpAuth(params) {
+    return this.request("/v1/otp-auth", "POST", {
+      init: { email: params.email }
+    });
+  }
   /**
    * Completes the authentication process with a credential bundle.
    *
@@ -924,7 +1064,7 @@ var WebSignerClient = class extends SignerClient {
     expirationSeconds,
     redirectUrl
   }) {
-    return this.request("/v1/email-auth", {
+    return this.request("/v1/email-auth", "POST", {
       email,
       targetPublicKey: await this.getIframePublicKey(),
       expirationSeconds,
@@ -940,13 +1080,17 @@ var WebSignerClient = class extends SignerClient {
     const { challenge, attestation } = await this._webauthnGenerateAttestation(
       params.email
     );
-    const { user, token, csrfToken } = await this.request("/v1/signup", {
-      passkey: {
-        challenge: LibBase64.fromBuffer(challenge),
-        attestation
-      },
-      email: params.email
-    });
+    const { user, token, csrfToken } = await this.request(
+      "/v1/signup",
+      "POST",
+      {
+        passkey: {
+          challenge: LibBase64.fromBuffer(challenge),
+          attestation
+        },
+        email: params.email
+      }
+    );
     this._sessionStore.user = {
       ...user,
       credentialId: attestation.credentialId
@@ -963,7 +1107,7 @@ var WebSignerClient = class extends SignerClient {
    */
   async _createEmailAccount(params) {
     const { email, expirationSeconds, redirectUrl } = params;
-    const response = await this.request("/v1/signup", {
+    const response = await this.request("/v1/signup", "POST", {
       email,
       iframe: {
         targetPublicKey: await this.getIframePublicKey(),