@icp-sdk/auth 4.0.1 → 4.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/esm/client/auth-client.js +15 -2
  2. package/dist/esm/client/auth-client.js.map +1 -1
  3. package/package.json +1 -1
  4. package/src/client/auth-client.ts +25 -2
package/dist/esm/client/auth-client.js CHANGED
@@ -123,7 +123,6 @@ class AuthClient {
123
123
  if (!key) {
124
124
  if (keyType === ED25519_KEY_LABEL) {
125
125
  key = Ed25519KeyIdentity.generate();
126
- await storage.set(KEY_STORAGE_KEY, JSON.stringify(key.toJSON()));
127
126
  } else {
128
127
  if (options.storage && keyType === ECDSA_KEY_LABEL) {
129
128
  console.warn(
@@ -131,8 +130,8 @@ class AuthClient {
131
130
  );
132
131
  }
133
132
  key = await ECDSAKeyIdentity.generate();
134
- await storage.set(KEY_STORAGE_KEY, key.getKeyPair());
135
133
  }
134
+ await persistKey(storage, key);
136
135
  }
137
136
  return new AuthClient(identity, key, chain, storage, idleManager, options);
138
137
  }
@@ -181,6 +180,7 @@ class AuthClient {
181
180
  if (this._chain) {
182
181
  await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));
183
182
  }
183
+ await persistKey(this._storage, this._key);
184
184
  onSuccess?.(message);
185
185
  }
186
186
  getIdentity() {
@@ -321,6 +321,19 @@ function mergeLoginOptions(loginOptions, otherLoginOptions) {
321
321
  customValues
322
322
  };
323
323
  }
324
+ function toStoredKey(key) {
325
+ if (key instanceof ECDSAKeyIdentity) {
326
+ return key.getKeyPair();
327
+ }
328
+ if (key instanceof Ed25519KeyIdentity) {
329
+ return JSON.stringify(key.toJSON());
330
+ }
331
+ throw new Error("Unsupported key type");
332
+ }
333
+ async function persistKey(storage, key) {
334
+ const serialized = toStoredKey(key);
335
+ await storage.set(KEY_STORAGE_KEY, serialized);
336
+ }
324
337
  export {
325
338
  AuthClient,
326
339
  ERROR_USER_INTERRUPT
package/dist/esm/client/auth-client.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-client.js","sources":["../../../src/client/auth-client.ts"],"sourcesContent":["import {\n AnonymousIdentity,\n type DerEncodedPublicKey,\n type Identity,\n type Signature,\n type SignIdentity,\n} from '@icp-sdk/core/agent';\nimport {\n Delegation,\n DelegationChain,\n DelegationIdentity,\n ECDSAKeyIdentity,\n Ed25519KeyIdentity,\n isDelegationValid,\n PartialDelegationIdentity,\n type PartialIdentity,\n} from '@icp-sdk/core/identity';\nimport type { Principal } from '@icp-sdk/core/principal';\nimport { IdleManager, type IdleManagerOptions } from './idle-manager.ts';\nimport {\n type AuthClientStorage,\n IdbStorage,\n KEY_STORAGE_DELEGATION,\n KEY_STORAGE_KEY,\n KEY_VECTOR,\n LocalStorage,\n} from './storage.ts';\n\nconst NANOSECONDS_PER_SECOND = BigInt(1_000_000_000);\nconst SECONDS_PER_HOUR = BigInt(3_600);\nconst NANOSECONDS_PER_HOUR = NANOSECONDS_PER_SECOND * SECONDS_PER_HOUR;\n\nconst IDENTITY_PROVIDER_DEFAULT = 'https://identity.internetcomputer.org';\nconst IDENTITY_PROVIDER_ENDPOINT = '#authorize';\n\nconst DEFAULT_MAX_TIME_TO_LIVE = BigInt(8) * NANOSECONDS_PER_HOUR;\n\nconst ECDSA_KEY_LABEL = 'ECDSA';\nconst ED25519_KEY_LABEL = 'Ed25519';\ntype BaseKeyType = typeof ECDSA_KEY_LABEL | typeof ED25519_KEY_LABEL;\n\nconst INTERRUPT_CHECK_INTERVAL = 500;\n\nexport const ERROR_USER_INTERRUPT = 'UserInterrupt';\n\n/**\n * List of options for creating an {@link AuthClient}.\n */\nexport interface AuthClientCreateOptions {\n /**\n * An {@link SignIdentity} or {@link PartialIdentity} to authenticate via delegation.\n */\n identity?: SignIdentity | PartialIdentity;\n /**\n * Optional storage with get, set, and remove. Uses {@link IdbStorage} by default.\n * @see {@link AuthClientStorage}\n */\n storage?: AuthClientStorage;\n\n /**\n * Type to use for the base key.\n *\n * If you are using a custom storage provider that does not support CryptoKey storage,\n * you should use `Ed25519` as the key type, as it can serialize to a string.\n * @default 'ECDSA'\n */\n keyType?: BaseKeyType;\n\n /**\n * Options to handle idle timeouts\n * @default after 10 minutes, invalidates the identity\n */\n idleOptions?: IdleOptions;\n\n /**\n * Options to handle login, passed to the login method\n */\n loginOptions?: AuthClientLoginOptions;\n}\n\nexport interface IdleOptions extends IdleManagerOptions {\n /**\n * Disables idle functionality for {@link IdleManager}\n * @default false\n */\n disableIdle?: boolean;\n\n /**\n * Disables default idle behavior - call logout & reload window\n * @default false\n */\n disableDefaultIdleCallback?: boolean;\n}\n\nexport type OnSuccessFunc =\n | (() => void | Promise<void>)\n | ((message: InternetIdentityAuthResponseSuccess) => void | Promise<void>);\n\nexport type OnErrorFunc = (error?: string) => void | Promise<void>;\n\nexport interface AuthClientLoginOptions {\n /**\n * Identity provider\n * @default \"https://identity.internetcomputer.org\"\n */\n identityProvider?: string | URL;\n /**\n * Expiration of the authentication in nanoseconds\n * @default BigInt(8) hours * BigInt(3_600_000_000_000) nanoseconds\n */\n maxTimeToLive?: bigint;\n /**\n * If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n */\n allowPinAuthentication?: boolean;\n /**\n * Origin for Identity Provider to use while generating the delegated identity. For II, the derivation origin must authorize this origin by setting a record at `<derivation-origin>/.well-known/ii-alternative-origins`.\n * @see https://github.com/dfinity/internet-identity/blob/main/docs/internet-identity-spec.adoc\n */\n derivationOrigin?: string | URL;\n /**\n * Auth Window feature config string\n * @example \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\"\n */\n windowOpenerFeatures?: string;\n /**\n * Callback once login has completed\n */\n onSuccess?: OnSuccessFunc;\n /**\n * Callback in case authentication fails\n */\n onError?: OnErrorFunc;\n /**\n * Extra values to be passed in the login request during the authorize-ready phase\n */\n customValues?: Record<string, unknown>;\n}\n\ninterface InternetIdentityAuthRequest {\n kind: 'authorize-client';\n sessionPublicKey: Uint8Array;\n maxTimeToLive?: bigint;\n allowPinAuthentication?: boolean;\n derivationOrigin?: string;\n}\n\nexport interface InternetIdentityAuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' | 'pin' | 'recovery';\n}\n\ninterface AuthReadyMessage {\n kind: 'authorize-ready';\n}\n\ninterface AuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' | 'pin' | 'recovery';\n}\n\ninterface AuthResponseFailure {\n kind: 'authorize-client-failure';\n text: string;\n}\n\ntype IdentityServiceResponseMessage = AuthReadyMessage | AuthResponse;\ntype AuthResponse = AuthResponseSuccess | AuthResponseFailure;\n\n/**\n * Tool to manage authentication and identity\n * @see {@link AuthClient}\n */\nexport class AuthClient {\n /**\n * Create an AuthClient to manage authentication and identity\n * @param {AuthClientCreateOptions} options - Options for creating an {@link AuthClient}\n * @see {@link AuthClientCreateOptions}\n * @param options.identity Optional Identity to use as the base\n * @see {@link SignIdentity}\n * @param options.storage Storage mechanism for delegation credentials\n * @see {@link AuthClientStorage}\n * @param options.keyType Type of key to use for the base key\n * @param {IdleOptions} options.idleOptions Configures an {@link IdleManager}\n * @see {@link IdleOptions}\n * Default behavior is to clear stored identity and reload the page when a user goes idle, unless you set the disableDefaultIdleCallback flag or pass in a custom idle callback.\n * @example\n * const authClient = await AuthClient.create({\n * idleOptions: {\n * disableIdle: true\n * }\n * })\n */\n public static async create(options: AuthClientCreateOptions = {}): Promise<AuthClient> {\n const storage = options.storage ?? new IdbStorage();\n const keyType = options.keyType ?? ECDSA_KEY_LABEL;\n\n let key: null | SignIdentity | PartialIdentity = null;\n if (options.identity) {\n key = options.identity;\n } else {\n let maybeIdentityStorage = await storage.get(KEY_STORAGE_KEY);\n if (!maybeIdentityStorage) {\n // Attempt to migrate from localstorage\n try {\n const fallbackLocalStorage = new LocalStorage();\n const localChain = await fallbackLocalStorage.get(KEY_STORAGE_DELEGATION);\n const localKey = await fallbackLocalStorage.get(KEY_STORAGE_KEY);\n // not relevant for Ed25519\n if (localChain && localKey && keyType === ECDSA_KEY_LABEL) {\n console.log('Discovered an identity stored in localstorage. Migrating to IndexedDB');\n await storage.set(KEY_STORAGE_DELEGATION, localChain);\n await storage.set(KEY_STORAGE_KEY, localKey);\n\n maybeIdentityStorage = localChain;\n // clean up\n await fallbackLocalStorage.remove(KEY_STORAGE_DELEGATION);\n await fallbackLocalStorage.remove(KEY_STORAGE_KEY);\n }\n } catch (error) {\n console.error(`error while attempting to recover localstorage: ${error}`);\n }\n }\n if (maybeIdentityStorage) {\n try {\n if (typeof maybeIdentityStorage === 'object') {\n if (keyType === ED25519_KEY_LABEL && typeof maybeIdentityStorage === 'string') {\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n } else {\n key = await ECDSAKeyIdentity.fromKeyPair(maybeIdentityStorage);\n }\n } else if (typeof maybeIdentityStorage === 'string') {\n // This is a legacy identity, which is a serialized Ed25519KeyIdentity.\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n }\n } catch {\n // Ignore this, this means that the localStorage value isn't a valid Ed25519KeyIdentity or ECDSAKeyIdentity\n // serialization.\n }\n }\n }\n\n let identity: SignIdentity | PartialIdentity = new AnonymousIdentity() as PartialIdentity;\n let chain: null | DelegationChain = null;\n if (key) {\n try {\n const chainStorage = await storage.get(KEY_STORAGE_DELEGATION);\n if (typeof chainStorage === 'object' && chainStorage !== null) {\n throw new Error(\n 'Delegation chain is incorrectly stored. A delegation chain should be stored as a string.',\n );\n }\n\n if (options.identity) {\n identity = options.identity;\n } else if (chainStorage) {\n chain = DelegationChain.fromJSON(chainStorage);\n\n // Verify that the delegation isn't expired.\n if (!isDelegationValid(chain)) {\n await _deleteStorage(storage);\n key = null;\n } else {\n // If the key is a public key, then we create a PartialDelegationIdentity.\n if ('toDer' in key) {\n identity = PartialDelegationIdentity.fromDelegation(key, chain);\n // otherwise, we create a DelegationIdentity.\n } else {\n identity = DelegationIdentity.fromDelegation(key, chain);\n }\n }\n }\n } catch (e) {\n console.error(e);\n // If there was a problem loading the chain, delete the key.\n await _deleteStorage(storage);\n key = null;\n }\n }\n let idleManager: IdleManager | undefined;\n if (options.idleOptions?.disableIdle) {\n idleManager = undefined;\n }\n // if there is a delegation chain or provided identity, setup idleManager\n else if (chain || options.identity) {\n idleManager = IdleManager.create(options.idleOptions);\n }\n\n if (!key) {\n // Create a new key (whether or not one was in storage).\n if (keyType === ED25519_KEY_LABEL) {\n key = Ed25519KeyIdentity.generate();\n await storage.set(KEY_STORAGE_KEY, JSON.stringify((key as Ed25519KeyIdentity).toJSON()));\n } else {\n if (options.storage && keyType === ECDSA_KEY_LABEL) {\n console.warn(\n `You are using a custom storage provider that may not support CryptoKey storage. If you are using a custom storage provider that does not support CryptoKey storage, you should use '${ED25519_KEY_LABEL}' as the key type, as it can serialize to a string`,\n );\n }\n key = await ECDSAKeyIdentity.generate();\n await storage.set(KEY_STORAGE_KEY, (key as ECDSAKeyIdentity).getKeyPair());\n }\n }\n\n return new AuthClient(identity, key, chain, storage, idleManager, options);\n }\n\n protected constructor(\n private _identity: Identity | PartialIdentity,\n private _key: SignIdentity | PartialIdentity,\n private _chain: DelegationChain | null,\n private _storage: AuthClientStorage,\n public idleManager: IdleManager | undefined,\n private _createOptions: AuthClientCreateOptions | undefined,\n // A handle on the IdP window.\n private _idpWindow?: Window,\n // The event handler for processing events from the IdP.\n private _eventHandler?: (event: MessageEvent) => void,\n ) {\n this._registerDefaultIdleCallback();\n }\n\n private _registerDefaultIdleCallback() {\n const idleOptions = this._createOptions?.idleOptions;\n /**\n * Default behavior is to clear stored identity and reload the page.\n * By either setting the disableDefaultIdleCallback flag or passing in a custom idle callback, we will ignore this config\n */\n if (!idleOptions?.onIdle && !idleOptions?.disableDefaultIdleCallback) {\n this.idleManager?.registerCallback(() => {\n this.logout();\n location.reload();\n });\n }\n }\n\n private async _handleSuccess(\n message: InternetIdentityAuthResponseSuccess,\n onSuccess?: OnSuccessFunc,\n ) {\n const delegations = message.delegations.map((signedDelegation) => {\n return {\n delegation: new Delegation(\n signedDelegation.delegation.pubkey,\n signedDelegation.delegation.expiration,\n signedDelegation.delegation.targets,\n ),\n signature: signedDelegation.signature as Signature,\n };\n });\n\n const delegationChain = DelegationChain.fromDelegations(\n delegations,\n message.userPublicKey as DerEncodedPublicKey,\n );\n\n const key = this._key;\n if (!key) {\n return;\n }\n\n this._chain = delegationChain;\n\n if ('toDer' in key) {\n this._identity = PartialDelegationIdentity.fromDelegation(key, this._chain);\n } else {\n this._identity = DelegationIdentity.fromDelegation(key, this._chain);\n }\n\n this._idpWindow?.close();\n const idleOptions = this._createOptions?.idleOptions;\n // create the idle manager on a successful login if we haven't disabled it\n // and it doesn't already exist.\n if (!this.idleManager && !idleOptions?.disableIdle) {\n this.idleManager = IdleManager.create(idleOptions);\n this._registerDefaultIdleCallback();\n }\n\n this._removeEventListener();\n delete this._idpWindow;\n\n if (this._chain) {\n await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));\n }\n\n // onSuccess should be the last thing to do to avoid consumers\n // interfering by navigating or refreshing the page\n onSuccess?.(message);\n }\n\n public getIdentity(): Identity {\n return this._identity;\n }\n\n public async isAuthenticated(): Promise<boolean> {\n return (\n !this.getIdentity().getPrincipal().isAnonymous() &&\n this._chain !== null &&\n isDelegationValid(this._chain)\n );\n }\n\n /**\n * AuthClient Login - Opens up a new window to authenticate with Internet Identity\n * @param {AuthClientLoginOptions} options - Options for logging in, merged with the options set during creation if any. Note: we only perform a shallow merge for the `customValues` property.\n * @param options.identityProvider Identity provider\n * @param options.maxTimeToLive Expiration of the authentication in nanoseconds\n * @param options.allowPinAuthentication If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n * @param options.derivationOrigin Origin for Identity Provider to use while generating the delegated identity\n * @param options.windowOpenerFeatures Configures the opened authentication window\n * @param options.onSuccess Callback once login has completed\n * @param options.onError Callback in case authentication fails\n * @param options.customValues Extra values to be passed in the login request during the authorize-ready phase. Note: we only perform a shallow merge for the `customValues` property.\n * @example\n * const authClient = await AuthClient.create();\n * authClient.login({\n * identityProvider: 'http://<canisterID>.127.0.0.1:8000',\n * maxTimeToLive: BigInt (7) * BigInt(24) * BigInt(3_600_000_000_000), // 1 week\n * windowOpenerFeatures: \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\",\n * onSuccess: () => {\n * console.log('Login Successful!');\n * },\n * onError: (error) => {\n * console.error('Login Failed: ', error);\n * }\n * });\n */\n public async login(options?: AuthClientLoginOptions): Promise<void> {\n // Merge the passed options with the options set during creation\n const loginOptions = mergeLoginOptions(this._createOptions?.loginOptions, options);\n\n // Set default maxTimeToLive to 8 hours\n const maxTimeToLive = loginOptions?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;\n\n // Create the URL of the IDP. (e.g. https://XXXX/#authorize)\n const identityProviderUrl = new URL(\n loginOptions?.identityProvider?.toString() || IDENTITY_PROVIDER_DEFAULT,\n );\n // Set the correct hash if it isn't already set.\n identityProviderUrl.hash = IDENTITY_PROVIDER_ENDPOINT;\n\n // If `login` has been called previously, then close/remove any previous windows\n // and event listeners.\n this._idpWindow?.close();\n this._removeEventListener();\n\n // Add an event listener to handle responses.\n this._eventHandler = this._getEventHandler(identityProviderUrl, {\n maxTimeToLive,\n ...loginOptions,\n });\n window.addEventListener('message', this._eventHandler);\n\n // Open a new window with the IDP provider.\n this._idpWindow =\n window.open(\n identityProviderUrl.toString(),\n 'idpWindow',\n loginOptions?.windowOpenerFeatures,\n ) ?? undefined;\n\n // Check if the _idpWindow is closed by user.\n const checkInterruption = (): void => {\n // The _idpWindow is opened and not yet closed by the client\n if (this._idpWindow) {\n if (this._idpWindow.closed) {\n this._handleFailure(ERROR_USER_INTERRUPT, loginOptions?.onError);\n } else {\n setTimeout(checkInterruption, INTERRUPT_CHECK_INTERVAL);\n }\n }\n };\n checkInterruption();\n }\n\n private _getEventHandler(identityProviderUrl: URL, options?: AuthClientLoginOptions) {\n return async (event: MessageEvent) => {\n if (event.origin !== identityProviderUrl.origin) {\n // Ignore any event that is not from the identity provider\n return;\n }\n\n const message = event.data as IdentityServiceResponseMessage;\n\n switch (message.kind) {\n case 'authorize-ready': {\n // IDP is ready. Send a message to request authorization.\n const request: InternetIdentityAuthRequest = {\n kind: 'authorize-client',\n sessionPublicKey: new Uint8Array(this._key?.getPublicKey().toDer()),\n maxTimeToLive: options?.maxTimeToLive,\n allowPinAuthentication: options?.allowPinAuthentication,\n derivationOrigin: options?.derivationOrigin?.toString(),\n // Pass any custom values to the IDP.\n ...options?.customValues,\n };\n this._idpWindow?.postMessage(request, identityProviderUrl.origin);\n break;\n }\n case 'authorize-client-success':\n // Create the delegation chain and store it.\n try {\n await this._handleSuccess(message, options?.onSuccess);\n } catch (err) {\n this._handleFailure((err as Error).message, options?.onError);\n }\n break;\n case 'authorize-client-failure':\n this._handleFailure(message.text, options?.onError);\n break;\n default:\n break;\n }\n };\n }\n\n private _handleFailure(errorMessage?: string, onError?: (error?: string) => void): void {\n this._idpWindow?.close();\n onError?.(errorMessage);\n this._removeEventListener();\n delete this._idpWindow;\n }\n\n private _removeEventListener() {\n if (this._eventHandler) {\n window.removeEventListener('message', this._eventHandler);\n }\n this._eventHandler = undefined;\n }\n\n public async logout(options: { returnTo?: string } = {}): Promise<void> {\n await _deleteStorage(this._storage);\n\n // Reset this auth client to a non-authenticated state.\n this._identity = new AnonymousIdentity();\n this._chain = null;\n\n if (options.returnTo) {\n try {\n window.history.pushState({}, '', options.returnTo);\n } catch {\n window.location.href = options.returnTo;\n }\n }\n }\n}\n\nasync function _deleteStorage(storage: AuthClientStorage) {\n await storage.remove(KEY_STORAGE_KEY);\n await storage.remove(KEY_STORAGE_DELEGATION);\n await storage.remove(KEY_VECTOR);\n}\n\nfunction mergeLoginOptions(\n loginOptions: AuthClientLoginOptions | undefined,\n otherLoginOptions: AuthClientLoginOptions | undefined,\n): AuthClientLoginOptions | undefined {\n if (!loginOptions && !otherLoginOptions) {\n return undefined;\n }\n\n const customValues =\n loginOptions?.customValues || otherLoginOptions?.customValues\n ? {\n ...loginOptions?.customValues,\n ...otherLoginOptions?.customValues,\n }\n : undefined;\n\n return {\n ...loginOptions,\n ...otherLoginOptions,\n customValues,\n };\n}\n"],"names":[],"mappings":";;;;AA4BA,MAAM,yBAAyB,OAAO,GAAa;AACnD,MAAM,mBAAmB,OAAO,IAAK;AACrC,MAAM,uBAAuB,yBAAyB;AAEtD,MAAM,4BAA4B;AAClC,MAAM,6BAA6B;AAEnC,MAAM,2BAA2B,OAAO,CAAC,IAAI;AAE7C,MAAM,kBAAkB;AACxB,MAAM,oBAAoB;AAG1B,MAAM,2BAA2B;AAE1B,MAAM,uBAAuB;AAoJ7B,MAAM,WAAW;AAAA,EAsIZ,YACA,WACA,MACA,QACA,UACD,aACC,gBAEA,YAEA,eACR;AAVQ,SAAA,YAAA;AACA,SAAA,OAAA;AACA,SAAA,SAAA;AACA,SAAA,WAAA;AACD,SAAA,cAAA;AACC,SAAA,iBAAA;AAEA,SAAA,aAAA;AAEA,SAAA,gBAAA;AAER,SAAK,6BAAA;AAAA,EACP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA/HA,aAAoB,OAAO,UAAmC,IAAyB;AACrF,UAAM,UAAU,QAAQ,WAAW,IAAI,WAAA;AACvC,UAAM,UAAU,QAAQ,WAAW;AAEnC,QAAI,MAA6C;AACjD,QAAI,QAAQ,UAAU;AACpB,YAAM,QAAQ;AAAA,IAChB,OAAO;AACL,UAAI,uBAAuB,MAAM,QAAQ,IAAI,eAAe;AAC5D,UAAI,CAAC,sBAAsB;AAEzB,YAAI;AACF,gBAAM,uBAAuB,IAAI,aAAA;AACjC,gBAAM,aAAa,MAAM,qBAAqB,IAAI,sBAAsB;AACxE,gBAAM,WAAW,MAAM,qBAAqB,IAAI,eAAe;AAE/D,cAAI,cAAc,YAAY,YAAY,iBAAiB;AACzD,oBAAQ,IAAI,uEAAuE;AACnF,kBAAM,QAAQ,IAAI,wBAAwB,UAAU;AACpD,kBAAM,QAAQ,IAAI,iBAAiB,QAAQ;AAE3C,mCAAuB;AAEvB,kBAAM,qBAAqB,OAAO,sBAAsB;AACxD,kBAAM,qBAAqB,OAAO,eAAe;AAAA,UACnD;AAAA,QACF,SAAS,OAAO;AACd,kBAAQ,MAAM,mDAAmD,KAAK,EAAE;AAAA,QAC1E;AAAA,MACF;AACA,UAAI,sBAAsB;AACxB,YAAI;AACF,cAAI,OAAO,yBAAyB,UAAU;AAC5C,gBAAI,YAAY,qBAAqB,OAAO,yBAAyB,UAAU;AAC7E,oBAAM,mBAAmB,SAAS,oBAAoB;AAAA,YACxD,OAAO;AACL,oBAAM,MAAM,iBAAiB,YAAY,oBAAoB;AAAA,YAC/D;AAAA,UACF,WAAW,OAAO,yBAAyB,UAAU;AAEnD,kBAAM,mBAAmB,SAAS,oBAAoB;AAAA,UACxD;AAAA,QACF,QAAQ;AAAA,QAGR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,WAA2C,IAAI,kBAAA;AACnD,QAAI,QAAgC;AACpC,QAAI,KAAK;AACP,UAAI;AACF,cAAM,eAAe,MAAM,QAAQ,IAAI,sBAAsB;AAC7D,YAAI,OAAO,iBAAiB,YAAY,iBAAiB,MAAM;AAC7D,gBAAM,IAAI;AAAA,YACR;AAAA,UAAA;AAAA,QAEJ;AAEA,YAAI,QAAQ,UAAU;AACpB,qBAAW,QAAQ;AAAA,QACrB,WAAW,cAAc;AACvB,kBAAQ,gBAAgB,SAAS,YAAY;AAG7C,cAAI,CAAC,kBAAkB,KAAK,GAAG;AAC7B,kBAAM,eAAe,OAAO;AAC5B,kBAAM;AAAA,UACR,OAAO;AAEL,gBAAI,WAAW,KAAK;AAClB,yBAAW,0BAA0B,eAAe,KAAK,KAAK;AAAA,YAEhE,OAAO;AACL,yBAAW,mBAAmB,eAAe,KAAK,KAAK;AAAA,YACzD;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,GAAG;AACV,gBAAQ,MAAM,CAAC;AAEf,cAAM,eAAe,OAAO;AAC5B,cAAM;AAAA,MACR;AAAA,IACF;AACA,QAAI;AACJ,QAAI,QAAQ,aAAa,aAAa;AACpC,oBAAc;AAAA,IAChB,WAES,SAAS,QAAQ,UAAU;AAClC,oBAAc,YAAY,OAAO,QAAQ,WAAW;AAAA,IACtD;AAEA,QAAI,CAAC,KAAK;AAER,UAAI,YAAY,mBAAmB;AACjC,cAAM,mBAAmB,SAAA;AACzB,cAAM,QAAQ,IAAI,iBAAiB,KAAK,UAAW,IAA2B,OAAA,CAAQ,CAAC;AAAA,MACzF,OAAO;AACL,YAAI,QAAQ,WAAW,YAAY,iBAAiB;AAClD,kBAAQ;AAAA,YACN,uLAAuL,iBAAiB;AAAA,UAAA;AAAA,QAE5M;AACA,cAAM,MAAM,iBAAiB,SAAA;AAC7B,cAAM,QAAQ,IAAI,iBAAkB,IAAyB,YAAY;AAAA,MAC3E;AAAA,IACF;AAEA,WAAO,IAAI,WAAW,UAAU,KAAK,OAAO,SAAS,aAAa,OAAO;AAAA,EAC3E;AAAA,EAiBQ,+BAA+B;AACrC,UAAM,cAAc,KAAK,gBAAgB;AAKzC,QAAI,CAAC,aAAa,UAAU,CAAC,aAAa,4BAA4B;AACpE,WAAK,aAAa,iBAAiB,MAAM;AACvC,aAAK,OAAA;AACL,iBAAS,OAAA;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EAEA,MAAc,eACZ,SACA,WACA;AACA,UAAM,cAAc,QAAQ,YAAY,IAAI,CAAC,qBAAqB;AAChE,aAAO;AAAA,QACL,YAAY,IAAI;AAAA,UACd,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,QAAA;AAAA,QAE9B,WAAW,iBAAiB;AAAA,MAAA;AAAA,IAEhC,CAAC;AAED,UAAM,kBAAkB,gBAAgB;AAAA,MACtC;AAAA,MACA,QAAQ;AAAA,IAAA;AAGV,UAAM,MAAM,KAAK;AACjB,QAAI,CAAC,KAAK;AACR;AAAA,IACF;AAEA,SAAK,SAAS;AAEd,QAAI,WAAW,KAAK;AAClB,WAAK,YAAY,0BAA0B,eAAe,KAAK,KAAK,MAAM;AAAA,IAC5E,OAAO;AACL,WAAK,YAAY,mBAAmB,eAAe,KAAK,KAAK,MAAM;AAAA,IACrE;AAEA,SAAK,YAAY,MAAA;AACjB,UAAM,cAAc,KAAK,gBAAgB;AAGzC,QAAI,CAAC,KAAK,eAAe,CAAC,aAAa,aAAa;AAClD,WAAK,cAAc,YAAY,OAAO,WAAW;AACjD,WAAK,6BAAA;AAAA,IACP;AAEA,SAAK,qBAAA;AACL,WAAO,KAAK;AAEZ,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,SAAS,IAAI,wBAAwB,KAAK,UAAU,KAAK,OAAO,OAAA,CAAQ,CAAC;AAAA,IACtF;AAIA,gBAAY,OAAO;AAAA,EACrB;AAAA,EAEO,cAAwB;AAC7B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAa,kBAAoC;AAC/C,WACE,CAAC,KAAK,cAAc,aAAA,EAAe,YAAA,KACnC,KAAK,WAAW,QAChB,kBAAkB,KAAK,MAAM;AAAA,EAEjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAa,MAAM,SAAiD;AAElE,UAAM,eAAe,kBAAkB,KAAK,gBAAgB,cAAc,OAAO;AAGjF,UAAM,gBAAgB,cAAc,iBAAiB;AAGrD,UAAM,sBAAsB,IAAI;AAAA,MAC9B,cAAc,kBAAkB,cAAc;AAAA,IAAA;AAGhD,wBAAoB,OAAO;AAI3B,SAAK,YAAY,MAAA;AACjB,SAAK,qBAAA;AAGL,SAAK,gBAAgB,KAAK,iBAAiB,qBAAqB;AAAA,MAC9D;AAAA,MACA,GAAG;AAAA,IAAA,CACJ;AACD,WAAO,iBAAiB,WAAW,KAAK,aAAa;AAGrD,SAAK,aACH,OAAO;AAAA,MACL,oBAAoB,SAAA;AAAA,MACpB;AAAA,MACA,cAAc;AAAA,IAAA,KACX;AAGP,UAAM,oBAAoB,MAAY;AAEpC,UAAI,KAAK,YAAY;AACnB,YAAI,KAAK,WAAW,QAAQ;AAC1B,eAAK,eAAe,sBAAsB,cAAc,OAAO;AAAA,QACjE,OAAO;AACL,qBAAW,mBAAmB,wBAAwB;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AACA,sBAAA;AAAA,EACF;AAAA,EAEQ,iBAAiB,qBAA0B,SAAkC;AACnF,WAAO,OAAO,UAAwB;AACpC,UAAI,MAAM,WAAW,oBAAoB,QAAQ;AAE/C;AAAA,MACF;AAEA,YAAM,UAAU,MAAM;AAEtB,cAAQ,QAAQ,MAAA;AAAA,QACd,KAAK,mBAAmB;AAEtB,gBAAM,UAAuC;AAAA,YAC3C,MAAM;AAAA,YACN,kBAAkB,IAAI,WAAW,KAAK,MAAM,aAAA,EAAe,OAAO;AAAA,YAClE,eAAe,SAAS;AAAA,YACxB,wBAAwB,SAAS;AAAA,YACjC,kBAAkB,SAAS,kBAAkB,SAAA;AAAA;AAAA,YAE7C,GAAG,SAAS;AAAA,UAAA;AAEd,eAAK,YAAY,YAAY,SAAS,oBAAoB,MAAM;AAChE;AAAA,QACF;AAAA,QACA,KAAK;AAEH,cAAI;AACF,kBAAM,KAAK,eAAe,SAAS,SAAS,SAAS;AAAA,UACvD,SAAS,KAAK;AACZ,iBAAK,eAAgB,IAAc,SAAS,SAAS,OAAO;AAAA,UAC9D;AACA;AAAA,QACF,KAAK;AACH,eAAK,eAAe,QAAQ,MAAM,SAAS,OAAO;AAClD;AAAA,MAEA;AAAA,IAEN;AAAA,EACF;AAAA,EAEQ,eAAe,cAAuB,SAA0C;AACtF,SAAK,YAAY,MAAA;AACjB,cAAU,YAAY;AACtB,SAAK,qBAAA;AACL,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,uBAAuB;AAC7B,QAAI,KAAK,eAAe;AACtB,aAAO,oBAAoB,WAAW,KAAK,aAAa;AAAA,IAC1D;AACA,SAAK,gBAAgB;AAAA,EACvB;AAAA,EAEA,MAAa,OAAO,UAAiC,IAAmB;AACtE,UAAM,eAAe,KAAK,QAAQ;AAGlC,SAAK,YAAY,IAAI,kBAAA;AACrB,SAAK,SAAS;AAEd,QAAI,QAAQ,UAAU;AACpB,UAAI;AACF,eAAO,QAAQ,UAAU,CAAA,GAAI,IAAI,QAAQ,QAAQ;AAAA,MACnD,QAAQ;AACN,eAAO,SAAS,OAAO,QAAQ;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,eAAe,SAA4B;AACxD,QAAM,QAAQ,OAAO,eAAe;AACpC,QAAM,QAAQ,OAAO,sBAAsB;AAC3C,QAAM,QAAQ,OAAO,UAAU;AACjC;AAEA,SAAS,kBACP,cACA,mBACoC;AACpC,MAAI,CAAC,gBAAgB,CAAC,mBAAmB;AACvC,WAAO;AAAA,EACT;AAEA,QAAM,eACJ,cAAc,gBAAgB,mBAAmB,eAC7C;AAAA,IACE,GAAG,cAAc;AAAA,IACjB,GAAG,mBAAmB;AAAA,EAAA,IAExB;AAEN,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,IACH;AAAA,EAAA;AAEJ;"}
1
+ {"version":3,"file":"auth-client.js","sources":["../../../src/client/auth-client.ts"],"sourcesContent":["import {\n AnonymousIdentity,\n type DerEncodedPublicKey,\n type Identity,\n type Signature,\n type SignIdentity,\n} from '@icp-sdk/core/agent';\nimport {\n Delegation,\n DelegationChain,\n DelegationIdentity,\n ECDSAKeyIdentity,\n Ed25519KeyIdentity,\n isDelegationValid,\n PartialDelegationIdentity,\n type PartialIdentity,\n} from '@icp-sdk/core/identity';\nimport type { Principal } from '@icp-sdk/core/principal';\nimport { IdleManager, type IdleManagerOptions } from './idle-manager.ts';\nimport {\n type AuthClientStorage,\n IdbStorage,\n KEY_STORAGE_DELEGATION,\n KEY_STORAGE_KEY,\n KEY_VECTOR,\n LocalStorage,\n type StoredKey,\n} from './storage.ts';\n\nconst NANOSECONDS_PER_SECOND = BigInt(1_000_000_000);\nconst SECONDS_PER_HOUR = BigInt(3_600);\nconst NANOSECONDS_PER_HOUR = NANOSECONDS_PER_SECOND * SECONDS_PER_HOUR;\n\nconst IDENTITY_PROVIDER_DEFAULT = 'https://identity.internetcomputer.org';\nconst IDENTITY_PROVIDER_ENDPOINT = '#authorize';\n\nconst DEFAULT_MAX_TIME_TO_LIVE = BigInt(8) * NANOSECONDS_PER_HOUR;\n\nconst ECDSA_KEY_LABEL = 'ECDSA';\nconst ED25519_KEY_LABEL = 'Ed25519';\ntype BaseKeyType = typeof ECDSA_KEY_LABEL | typeof ED25519_KEY_LABEL;\n\nconst INTERRUPT_CHECK_INTERVAL = 500;\n\nexport const ERROR_USER_INTERRUPT = 'UserInterrupt';\n\n/**\n * List of options for creating an {@link AuthClient}.\n */\nexport interface AuthClientCreateOptions {\n /**\n * An {@link SignIdentity} or {@link PartialIdentity} to authenticate via delegation.\n */\n identity?: SignIdentity | PartialIdentity;\n /**\n * Optional storage with get, set, and remove. Uses {@link IdbStorage} by default.\n * @see {@link AuthClientStorage}\n */\n storage?: AuthClientStorage;\n\n /**\n * Type to use for the base key.\n *\n * If you are using a custom storage provider that does not support CryptoKey storage,\n * you should use `Ed25519` as the key type, as it can serialize to a string.\n * @default 'ECDSA'\n */\n keyType?: BaseKeyType;\n\n /**\n * Options to handle idle timeouts\n * @default after 10 minutes, invalidates the identity\n */\n idleOptions?: IdleOptions;\n\n /**\n * Options to handle login, passed to the login method\n */\n loginOptions?: AuthClientLoginOptions;\n}\n\nexport interface IdleOptions extends IdleManagerOptions {\n /**\n * Disables idle functionality for {@link IdleManager}\n * @default false\n */\n disableIdle?: boolean;\n\n /**\n * Disables default idle behavior - call logout & reload window\n * @default false\n */\n disableDefaultIdleCallback?: boolean;\n}\n\nexport type OnSuccessFunc =\n | (() => void | Promise<void>)\n | ((message: InternetIdentityAuthResponseSuccess) => void | Promise<void>);\n\nexport type OnErrorFunc = (error?: string) => void | Promise<void>;\n\nexport interface AuthClientLoginOptions {\n /**\n * Identity provider\n * @default \"https://identity.internetcomputer.org\"\n */\n identityProvider?: string | URL;\n /**\n * Expiration of the authentication in nanoseconds\n * @default BigInt(8) hours * BigInt(3_600_000_000_000) nanoseconds\n */\n maxTimeToLive?: bigint;\n /**\n * If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n */\n allowPinAuthentication?: boolean;\n /**\n * Origin for Identity Provider to use while generating the delegated identity. For II, the derivation origin must authorize this origin by setting a record at `<derivation-origin>/.well-known/ii-alternative-origins`.\n * @see https://github.com/dfinity/internet-identity/blob/main/docs/internet-identity-spec.adoc\n */\n derivationOrigin?: string | URL;\n /**\n * Auth Window feature config string\n * @example \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\"\n */\n windowOpenerFeatures?: string;\n /**\n * Callback once login has completed\n */\n onSuccess?: OnSuccessFunc;\n /**\n * Callback in case authentication fails\n */\n onError?: OnErrorFunc;\n /**\n * Extra values to be passed in the login request during the authorize-ready phase\n */\n customValues?: Record<string, unknown>;\n}\n\ninterface InternetIdentityAuthRequest {\n kind: 'authorize-client';\n sessionPublicKey: Uint8Array;\n maxTimeToLive?: bigint;\n allowPinAuthentication?: boolean;\n derivationOrigin?: string;\n}\n\nexport interface InternetIdentityAuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' | 'pin' | 'recovery';\n}\n\ninterface AuthReadyMessage {\n kind: 'authorize-ready';\n}\n\ninterface AuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' | 'pin' | 'recovery';\n}\n\ninterface AuthResponseFailure {\n kind: 'authorize-client-failure';\n text: string;\n}\n\ntype IdentityServiceResponseMessage = AuthReadyMessage | AuthResponse;\ntype AuthResponse = AuthResponseSuccess | AuthResponseFailure;\n\n/**\n * Tool to manage authentication and identity\n * @see {@link AuthClient}\n */\nexport class AuthClient {\n /**\n * Create an AuthClient to manage authentication and identity\n * @param {AuthClientCreateOptions} options - Options for creating an {@link AuthClient}\n * @see {@link AuthClientCreateOptions}\n * @param options.identity Optional Identity to use as the base\n * @see {@link SignIdentity}\n * @param options.storage Storage mechanism for delegation credentials\n * @see {@link AuthClientStorage}\n * @param options.keyType Type of key to use for the base key\n * @param {IdleOptions} options.idleOptions Configures an {@link IdleManager}\n * @see {@link IdleOptions}\n * Default behavior is to clear stored identity and reload the page when a user goes idle, unless you set the disableDefaultIdleCallback flag or pass in a custom idle callback.\n * @example\n * const authClient = await AuthClient.create({\n * idleOptions: {\n * disableIdle: true\n * }\n * })\n */\n public static async create(options: AuthClientCreateOptions = {}): Promise<AuthClient> {\n const storage = options.storage ?? new IdbStorage();\n const keyType = options.keyType ?? ECDSA_KEY_LABEL;\n\n let key: null | SignIdentity | PartialIdentity = null;\n if (options.identity) {\n key = options.identity;\n } else {\n let maybeIdentityStorage = await storage.get(KEY_STORAGE_KEY);\n if (!maybeIdentityStorage) {\n // Attempt to migrate from localstorage\n try {\n const fallbackLocalStorage = new LocalStorage();\n const localChain = await fallbackLocalStorage.get(KEY_STORAGE_DELEGATION);\n const localKey = await fallbackLocalStorage.get(KEY_STORAGE_KEY);\n // not relevant for Ed25519\n if (localChain && localKey && keyType === ECDSA_KEY_LABEL) {\n console.log('Discovered an identity stored in localstorage. Migrating to IndexedDB');\n await storage.set(KEY_STORAGE_DELEGATION, localChain);\n await storage.set(KEY_STORAGE_KEY, localKey);\n\n maybeIdentityStorage = localChain;\n // clean up\n await fallbackLocalStorage.remove(KEY_STORAGE_DELEGATION);\n await fallbackLocalStorage.remove(KEY_STORAGE_KEY);\n }\n } catch (error) {\n console.error(`error while attempting to recover localstorage: ${error}`);\n }\n }\n if (maybeIdentityStorage) {\n try {\n if (typeof maybeIdentityStorage === 'object') {\n if (keyType === ED25519_KEY_LABEL && typeof maybeIdentityStorage === 'string') {\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n } else {\n key = await ECDSAKeyIdentity.fromKeyPair(maybeIdentityStorage);\n }\n } else if (typeof maybeIdentityStorage === 'string') {\n // This is a legacy identity, which is a serialized Ed25519KeyIdentity.\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n }\n } catch {\n // Ignore this, this means that the localStorage value isn't a valid Ed25519KeyIdentity or ECDSAKeyIdentity\n // serialization.\n }\n }\n }\n\n let identity: SignIdentity | PartialIdentity = new AnonymousIdentity() as PartialIdentity;\n let chain: null | DelegationChain = null;\n if (key) {\n try {\n const chainStorage = await storage.get(KEY_STORAGE_DELEGATION);\n if (typeof chainStorage === 'object' && chainStorage !== null) {\n throw new Error(\n 'Delegation chain is incorrectly stored. A delegation chain should be stored as a string.',\n );\n }\n\n if (options.identity) {\n identity = options.identity;\n } else if (chainStorage) {\n chain = DelegationChain.fromJSON(chainStorage);\n\n // Verify that the delegation isn't expired.\n if (!isDelegationValid(chain)) {\n await _deleteStorage(storage);\n key = null;\n } else {\n // If the key is a public key, then we create a PartialDelegationIdentity.\n if ('toDer' in key) {\n identity = PartialDelegationIdentity.fromDelegation(key, chain);\n // otherwise, we create a DelegationIdentity.\n } else {\n identity = DelegationIdentity.fromDelegation(key, chain);\n }\n }\n }\n } catch (e) {\n console.error(e);\n // If there was a problem loading the chain, delete the key.\n await _deleteStorage(storage);\n key = null;\n }\n }\n let idleManager: IdleManager | undefined;\n if (options.idleOptions?.disableIdle) {\n idleManager = undefined;\n }\n // if there is a delegation chain or provided identity, setup idleManager\n else if (chain || options.identity) {\n idleManager = IdleManager.create(options.idleOptions);\n }\n\n if (!key) {\n // Create a new key (whether or not one was in storage).\n if (keyType === ED25519_KEY_LABEL) {\n key = Ed25519KeyIdentity.generate();\n } else {\n if (options.storage && keyType === ECDSA_KEY_LABEL) {\n console.warn(\n `You are using a custom storage provider that may not support CryptoKey storage. If you are using a custom storage provider that does not support CryptoKey storage, you should use '${ED25519_KEY_LABEL}' as the key type, as it can serialize to a string`,\n );\n }\n key = await ECDSAKeyIdentity.generate();\n }\n await persistKey(storage, key);\n }\n\n return new AuthClient(identity, key, chain, storage, idleManager, options);\n }\n\n protected constructor(\n private _identity: Identity | PartialIdentity,\n private _key: SignIdentity | PartialIdentity,\n private _chain: DelegationChain | null,\n private _storage: AuthClientStorage,\n public idleManager: IdleManager | undefined,\n private _createOptions: AuthClientCreateOptions | undefined,\n // A handle on the IdP window.\n private _idpWindow?: Window,\n // The event handler for processing events from the IdP.\n private _eventHandler?: (event: MessageEvent) => void,\n ) {\n this._registerDefaultIdleCallback();\n }\n\n private _registerDefaultIdleCallback() {\n const idleOptions = this._createOptions?.idleOptions;\n /**\n * Default behavior is to clear stored identity and reload the page.\n * By either setting the disableDefaultIdleCallback flag or passing in a custom idle callback, we will ignore this config\n */\n if (!idleOptions?.onIdle && !idleOptions?.disableDefaultIdleCallback) {\n this.idleManager?.registerCallback(() => {\n this.logout();\n location.reload();\n });\n }\n }\n\n private async _handleSuccess(\n message: InternetIdentityAuthResponseSuccess,\n onSuccess?: OnSuccessFunc,\n ) {\n const delegations = message.delegations.map((signedDelegation) => {\n return {\n delegation: new Delegation(\n signedDelegation.delegation.pubkey,\n signedDelegation.delegation.expiration,\n signedDelegation.delegation.targets,\n ),\n signature: signedDelegation.signature as Signature,\n };\n });\n\n const delegationChain = DelegationChain.fromDelegations(\n delegations,\n message.userPublicKey as DerEncodedPublicKey,\n );\n\n const key = this._key;\n if (!key) {\n return;\n }\n\n this._chain = delegationChain;\n\n if ('toDer' in key) {\n this._identity = PartialDelegationIdentity.fromDelegation(key, this._chain);\n } else {\n this._identity = DelegationIdentity.fromDelegation(key, this._chain);\n }\n\n this._idpWindow?.close();\n const idleOptions = this._createOptions?.idleOptions;\n // create the idle manager on a successful login if we haven't disabled it\n // and it doesn't already exist.\n if (!this.idleManager && !idleOptions?.disableIdle) {\n this.idleManager = IdleManager.create(idleOptions);\n this._registerDefaultIdleCallback();\n }\n\n this._removeEventListener();\n delete this._idpWindow;\n\n if (this._chain) {\n await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));\n }\n\n // Ensure the stored key in persistent storage matches the in-memory key that\n // was used to obtain the delegation. This avoids key/delegation mismatches\n // across multiple tabs overwriting each other's cached keys.\n await persistKey(this._storage, this._key);\n\n // onSuccess should be the last thing to do to avoid consumers\n // interfering by navigating or refreshing the page\n onSuccess?.(message);\n }\n\n public getIdentity(): Identity {\n return this._identity;\n }\n\n public async isAuthenticated(): Promise<boolean> {\n return (\n !this.getIdentity().getPrincipal().isAnonymous() &&\n this._chain !== null &&\n isDelegationValid(this._chain)\n );\n }\n\n /**\n * AuthClient Login - Opens up a new window to authenticate with Internet Identity\n * @param {AuthClientLoginOptions} options - Options for logging in, merged with the options set during creation if any. Note: we only perform a shallow merge for the `customValues` property.\n * @param options.identityProvider Identity provider\n * @param options.maxTimeToLive Expiration of the authentication in nanoseconds\n * @param options.allowPinAuthentication If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n * @param options.derivationOrigin Origin for Identity Provider to use while generating the delegated identity\n * @param options.windowOpenerFeatures Configures the opened authentication window\n * @param options.onSuccess Callback once login has completed\n * @param options.onError Callback in case authentication fails\n * @param options.customValues Extra values to be passed in the login request during the authorize-ready phase. Note: we only perform a shallow merge for the `customValues` property.\n * @example\n * const authClient = await AuthClient.create();\n * authClient.login({\n * identityProvider: 'http://<canisterID>.127.0.0.1:8000',\n * maxTimeToLive: BigInt (7) * BigInt(24) * BigInt(3_600_000_000_000), // 1 week\n * windowOpenerFeatures: \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\",\n * onSuccess: () => {\n * console.log('Login Successful!');\n * },\n * onError: (error) => {\n * console.error('Login Failed: ', error);\n * }\n * });\n */\n public async login(options?: AuthClientLoginOptions): Promise<void> {\n // Merge the passed options with the options set during creation\n const loginOptions = mergeLoginOptions(this._createOptions?.loginOptions, options);\n\n // Set default maxTimeToLive to 8 hours\n const maxTimeToLive = loginOptions?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;\n\n // Create the URL of the IDP. (e.g. https://XXXX/#authorize)\n const identityProviderUrl = new URL(\n loginOptions?.identityProvider?.toString() || IDENTITY_PROVIDER_DEFAULT,\n );\n // Set the correct hash if it isn't already set.\n identityProviderUrl.hash = IDENTITY_PROVIDER_ENDPOINT;\n\n // If `login` has been called previously, then close/remove any previous windows\n // and event listeners.\n this._idpWindow?.close();\n this._removeEventListener();\n\n // Add an event listener to handle responses.\n this._eventHandler = this._getEventHandler(identityProviderUrl, {\n maxTimeToLive,\n ...loginOptions,\n });\n window.addEventListener('message', this._eventHandler);\n\n // Open a new window with the IDP provider.\n this._idpWindow =\n window.open(\n identityProviderUrl.toString(),\n 'idpWindow',\n loginOptions?.windowOpenerFeatures,\n ) ?? undefined;\n\n // Check if the _idpWindow is closed by user.\n const checkInterruption = (): void => {\n // The _idpWindow is opened and not yet closed by the client\n if (this._idpWindow) {\n if (this._idpWindow.closed) {\n this._handleFailure(ERROR_USER_INTERRUPT, loginOptions?.onError);\n } else {\n setTimeout(checkInterruption, INTERRUPT_CHECK_INTERVAL);\n }\n }\n };\n checkInterruption();\n }\n\n private _getEventHandler(identityProviderUrl: URL, options?: AuthClientLoginOptions) {\n return async (event: MessageEvent) => {\n if (event.origin !== identityProviderUrl.origin) {\n // Ignore any event that is not from the identity provider\n return;\n }\n\n const message = event.data as IdentityServiceResponseMessage;\n\n switch (message.kind) {\n case 'authorize-ready': {\n // IDP is ready. Send a message to request authorization.\n const request: InternetIdentityAuthRequest = {\n kind: 'authorize-client',\n sessionPublicKey: new Uint8Array(this._key?.getPublicKey().toDer()),\n maxTimeToLive: options?.maxTimeToLive,\n allowPinAuthentication: options?.allowPinAuthentication,\n derivationOrigin: options?.derivationOrigin?.toString(),\n // Pass any custom values to the IDP.\n ...options?.customValues,\n };\n this._idpWindow?.postMessage(request, identityProviderUrl.origin);\n break;\n }\n case 'authorize-client-success':\n // Create the delegation chain and store it.\n try {\n await this._handleSuccess(message, options?.onSuccess);\n } catch (err) {\n this._handleFailure((err as Error).message, options?.onError);\n }\n break;\n case 'authorize-client-failure':\n this._handleFailure(message.text, options?.onError);\n break;\n default:\n break;\n }\n };\n }\n\n private _handleFailure(errorMessage?: string, onError?: (error?: string) => void): void {\n this._idpWindow?.close();\n onError?.(errorMessage);\n this._removeEventListener();\n delete this._idpWindow;\n }\n\n private _removeEventListener() {\n if (this._eventHandler) {\n window.removeEventListener('message', this._eventHandler);\n }\n this._eventHandler = undefined;\n }\n\n public async logout(options: { returnTo?: string } = {}): Promise<void> {\n await _deleteStorage(this._storage);\n\n // Reset this auth client to a non-authenticated state.\n this._identity = new AnonymousIdentity();\n this._chain = null;\n\n if (options.returnTo) {\n try {\n window.history.pushState({}, '', options.returnTo);\n } catch {\n window.location.href = options.returnTo;\n }\n }\n }\n}\n\nasync function _deleteStorage(storage: AuthClientStorage) {\n await storage.remove(KEY_STORAGE_KEY);\n await storage.remove(KEY_STORAGE_DELEGATION);\n await storage.remove(KEY_VECTOR);\n}\n\nfunction mergeLoginOptions(\n loginOptions: AuthClientLoginOptions | undefined,\n otherLoginOptions: AuthClientLoginOptions | undefined,\n): AuthClientLoginOptions | undefined {\n if (!loginOptions && !otherLoginOptions) {\n return undefined;\n }\n\n const customValues =\n loginOptions?.customValues || otherLoginOptions?.customValues\n ? {\n ...loginOptions?.customValues,\n ...otherLoginOptions?.customValues,\n }\n : undefined;\n\n return {\n ...loginOptions,\n ...otherLoginOptions,\n customValues,\n };\n}\n\nfunction toStoredKey(key: SignIdentity | PartialIdentity): StoredKey {\n if (key instanceof ECDSAKeyIdentity) {\n return key.getKeyPair();\n }\n if (key instanceof Ed25519KeyIdentity) {\n return JSON.stringify(key.toJSON());\n }\n throw new Error('Unsupported key type');\n}\n\nasync function persistKey(\n storage: AuthClientStorage,\n key: SignIdentity | PartialIdentity,\n): Promise<void> {\n const serialized = toStoredKey(key);\n await storage.set(KEY_STORAGE_KEY, serialized);\n}\n"],"names":[],"mappings":";;;;AA6BA,MAAM,yBAAyB,OAAO,GAAa;AACnD,MAAM,mBAAmB,OAAO,IAAK;AACrC,MAAM,uBAAuB,yBAAyB;AAEtD,MAAM,4BAA4B;AAClC,MAAM,6BAA6B;AAEnC,MAAM,2BAA2B,OAAO,CAAC,IAAI;AAE7C,MAAM,kBAAkB;AACxB,MAAM,oBAAoB;AAG1B,MAAM,2BAA2B;AAE1B,MAAM,uBAAuB;AAoJ7B,MAAM,WAAW;AAAA,EAqIZ,YACA,WACA,MACA,QACA,UACD,aACC,gBAEA,YAEA,eACR;AAVQ,SAAA,YAAA;AACA,SAAA,OAAA;AACA,SAAA,SAAA;AACA,SAAA,WAAA;AACD,SAAA,cAAA;AACC,SAAA,iBAAA;AAEA,SAAA,aAAA;AAEA,SAAA,gBAAA;AAER,SAAK,6BAAA;AAAA,EACP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA9HA,aAAoB,OAAO,UAAmC,IAAyB;AACrF,UAAM,UAAU,QAAQ,WAAW,IAAI,WAAA;AACvC,UAAM,UAAU,QAAQ,WAAW;AAEnC,QAAI,MAA6C;AACjD,QAAI,QAAQ,UAAU;AACpB,YAAM,QAAQ;AAAA,IAChB,OAAO;AACL,UAAI,uBAAuB,MAAM,QAAQ,IAAI,eAAe;AAC5D,UAAI,CAAC,sBAAsB;AAEzB,YAAI;AACF,gBAAM,uBAAuB,IAAI,aAAA;AACjC,gBAAM,aAAa,MAAM,qBAAqB,IAAI,sBAAsB;AACxE,gBAAM,WAAW,MAAM,qBAAqB,IAAI,eAAe;AAE/D,cAAI,cAAc,YAAY,YAAY,iBAAiB;AACzD,oBAAQ,IAAI,uEAAuE;AACnF,kBAAM,QAAQ,IAAI,wBAAwB,UAAU;AACpD,kBAAM,QAAQ,IAAI,iBAAiB,QAAQ;AAE3C,mCAAuB;AAEvB,kBAAM,qBAAqB,OAAO,sBAAsB;AACxD,kBAAM,qBAAqB,OAAO,eAAe;AAAA,UACnD;AAAA,QACF,SAAS,OAAO;AACd,kBAAQ,MAAM,mDAAmD,KAAK,EAAE;AAAA,QAC1E;AAAA,MACF;AACA,UAAI,sBAAsB;AACxB,YAAI;AACF,cAAI,OAAO,yBAAyB,UAAU;AAC5C,gBAAI,YAAY,qBAAqB,OAAO,yBAAyB,UAAU;AAC7E,oBAAM,mBAAmB,SAAS,oBAAoB;AAAA,YACxD,OAAO;AACL,oBAAM,MAAM,iBAAiB,YAAY,oBAAoB;AAAA,YAC/D;AAAA,UACF,WAAW,OAAO,yBAAyB,UAAU;AAEnD,kBAAM,mBAAmB,SAAS,oBAAoB;AAAA,UACxD;AAAA,QACF,QAAQ;AAAA,QAGR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,WAA2C,IAAI,kBAAA;AACnD,QAAI,QAAgC;AACpC,QAAI,KAAK;AACP,UAAI;AACF,cAAM,eAAe,MAAM,QAAQ,IAAI,sBAAsB;AAC7D,YAAI,OAAO,iBAAiB,YAAY,iBAAiB,MAAM;AAC7D,gBAAM,IAAI;AAAA,YACR;AAAA,UAAA;AAAA,QAEJ;AAEA,YAAI,QAAQ,UAAU;AACpB,qBAAW,QAAQ;AAAA,QACrB,WAAW,cAAc;AACvB,kBAAQ,gBAAgB,SAAS,YAAY;AAG7C,cAAI,CAAC,kBAAkB,KAAK,GAAG;AAC7B,kBAAM,eAAe,OAAO;AAC5B,kBAAM;AAAA,UACR,OAAO;AAEL,gBAAI,WAAW,KAAK;AAClB,yBAAW,0BAA0B,eAAe,KAAK,KAAK;AAAA,YAEhE,OAAO;AACL,yBAAW,mBAAmB,eAAe,KAAK,KAAK;AAAA,YACzD;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,GAAG;AACV,gBAAQ,MAAM,CAAC;AAEf,cAAM,eAAe,OAAO;AAC5B,cAAM;AAAA,MACR;AAAA,IACF;AACA,QAAI;AACJ,QAAI,QAAQ,aAAa,aAAa;AACpC,oBAAc;AAAA,IAChB,WAES,SAAS,QAAQ,UAAU;AAClC,oBAAc,YAAY,OAAO,QAAQ,WAAW;AAAA,IACtD;AAEA,QAAI,CAAC,KAAK;AAER,UAAI,YAAY,mBAAmB;AACjC,cAAM,mBAAmB,SAAA;AAAA,MAC3B,OAAO;AACL,YAAI,QAAQ,WAAW,YAAY,iBAAiB;AAClD,kBAAQ;AAAA,YACN,uLAAuL,iBAAiB;AAAA,UAAA;AAAA,QAE5M;AACA,cAAM,MAAM,iBAAiB,SAAA;AAAA,MAC/B;AACA,YAAM,WAAW,SAAS,GAAG;AAAA,IAC/B;AAEA,WAAO,IAAI,WAAW,UAAU,KAAK,OAAO,SAAS,aAAa,OAAO;AAAA,EAC3E;AAAA,EAiBQ,+BAA+B;AACrC,UAAM,cAAc,KAAK,gBAAgB;AAKzC,QAAI,CAAC,aAAa,UAAU,CAAC,aAAa,4BAA4B;AACpE,WAAK,aAAa,iBAAiB,MAAM;AACvC,aAAK,OAAA;AACL,iBAAS,OAAA;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EAEA,MAAc,eACZ,SACA,WACA;AACA,UAAM,cAAc,QAAQ,YAAY,IAAI,CAAC,qBAAqB;AAChE,aAAO;AAAA,QACL,YAAY,IAAI;AAAA,UACd,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,QAAA;AAAA,QAE9B,WAAW,iBAAiB;AAAA,MAAA;AAAA,IAEhC,CAAC;AAED,UAAM,kBAAkB,gBAAgB;AAAA,MACtC;AAAA,MACA,QAAQ;AAAA,IAAA;AAGV,UAAM,MAAM,KAAK;AACjB,QAAI,CAAC,KAAK;AACR;AAAA,IACF;AAEA,SAAK,SAAS;AAEd,QAAI,WAAW,KAAK;AAClB,WAAK,YAAY,0BAA0B,eAAe,KAAK,KAAK,MAAM;AAAA,IAC5E,OAAO;AACL,WAAK,YAAY,mBAAmB,eAAe,KAAK,KAAK,MAAM;AAAA,IACrE;AAEA,SAAK,YAAY,MAAA;AACjB,UAAM,cAAc,KAAK,gBAAgB;AAGzC,QAAI,CAAC,KAAK,eAAe,CAAC,aAAa,aAAa;AAClD,WAAK,cAAc,YAAY,OAAO,WAAW;AACjD,WAAK,6BAAA;AAAA,IACP;AAEA,SAAK,qBAAA;AACL,WAAO,KAAK;AAEZ,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,SAAS,IAAI,wBAAwB,KAAK,UAAU,KAAK,OAAO,OAAA,CAAQ,CAAC;AAAA,IACtF;AAKA,UAAM,WAAW,KAAK,UAAU,KAAK,IAAI;AAIzC,gBAAY,OAAO;AAAA,EACrB;AAAA,EAEO,cAAwB;AAC7B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAa,kBAAoC;AAC/C,WACE,CAAC,KAAK,cAAc,aAAA,EAAe,YAAA,KACnC,KAAK,WAAW,QAChB,kBAAkB,KAAK,MAAM;AAAA,EAEjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAa,MAAM,SAAiD;AAElE,UAAM,eAAe,kBAAkB,KAAK,gBAAgB,cAAc,OAAO;AAGjF,UAAM,gBAAgB,cAAc,iBAAiB;AAGrD,UAAM,sBAAsB,IAAI;AAAA,MAC9B,cAAc,kBAAkB,cAAc;AAAA,IAAA;AAGhD,wBAAoB,OAAO;AAI3B,SAAK,YAAY,MAAA;AACjB,SAAK,qBAAA;AAGL,SAAK,gBAAgB,KAAK,iBAAiB,qBAAqB;AAAA,MAC9D;AAAA,MACA,GAAG;AAAA,IAAA,CACJ;AACD,WAAO,iBAAiB,WAAW,KAAK,aAAa;AAGrD,SAAK,aACH,OAAO;AAAA,MACL,oBAAoB,SAAA;AAAA,MACpB;AAAA,MACA,cAAc;AAAA,IAAA,KACX;AAGP,UAAM,oBAAoB,MAAY;AAEpC,UAAI,KAAK,YAAY;AACnB,YAAI,KAAK,WAAW,QAAQ;AAC1B,eAAK,eAAe,sBAAsB,cAAc,OAAO;AAAA,QACjE,OAAO;AACL,qBAAW,mBAAmB,wBAAwB;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AACA,sBAAA;AAAA,EACF;AAAA,EAEQ,iBAAiB,qBAA0B,SAAkC;AACnF,WAAO,OAAO,UAAwB;AACpC,UAAI,MAAM,WAAW,oBAAoB,QAAQ;AAE/C;AAAA,MACF;AAEA,YAAM,UAAU,MAAM;AAEtB,cAAQ,QAAQ,MAAA;AAAA,QACd,KAAK,mBAAmB;AAEtB,gBAAM,UAAuC;AAAA,YAC3C,MAAM;AAAA,YACN,kBAAkB,IAAI,WAAW,KAAK,MAAM,aAAA,EAAe,OAAO;AAAA,YAClE,eAAe,SAAS;AAAA,YACxB,wBAAwB,SAAS;AAAA,YACjC,kBAAkB,SAAS,kBAAkB,SAAA;AAAA;AAAA,YAE7C,GAAG,SAAS;AAAA,UAAA;AAEd,eAAK,YAAY,YAAY,SAAS,oBAAoB,MAAM;AAChE;AAAA,QACF;AAAA,QACA,KAAK;AAEH,cAAI;AACF,kBAAM,KAAK,eAAe,SAAS,SAAS,SAAS;AAAA,UACvD,SAAS,KAAK;AACZ,iBAAK,eAAgB,IAAc,SAAS,SAAS,OAAO;AAAA,UAC9D;AACA;AAAA,QACF,KAAK;AACH,eAAK,eAAe,QAAQ,MAAM,SAAS,OAAO;AAClD;AAAA,MAEA;AAAA,IAEN;AAAA,EACF;AAAA,EAEQ,eAAe,cAAuB,SAA0C;AACtF,SAAK,YAAY,MAAA;AACjB,cAAU,YAAY;AACtB,SAAK,qBAAA;AACL,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,uBAAuB;AAC7B,QAAI,KAAK,eAAe;AACtB,aAAO,oBAAoB,WAAW,KAAK,aAAa;AAAA,IAC1D;AACA,SAAK,gBAAgB;AAAA,EACvB;AAAA,EAEA,MAAa,OAAO,UAAiC,IAAmB;AACtE,UAAM,eAAe,KAAK,QAAQ;AAGlC,SAAK,YAAY,IAAI,kBAAA;AACrB,SAAK,SAAS;AAEd,QAAI,QAAQ,UAAU;AACpB,UAAI;AACF,eAAO,QAAQ,UAAU,CAAA,GAAI,IAAI,QAAQ,QAAQ;AAAA,MACnD,QAAQ;AACN,eAAO,SAAS,OAAO,QAAQ;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,eAAe,SAA4B;AACxD,QAAM,QAAQ,OAAO,eAAe;AACpC,QAAM,QAAQ,OAAO,sBAAsB;AAC3C,QAAM,QAAQ,OAAO,UAAU;AACjC;AAEA,SAAS,kBACP,cACA,mBACoC;AACpC,MAAI,CAAC,gBAAgB,CAAC,mBAAmB;AACvC,WAAO;AAAA,EACT;AAEA,QAAM,eACJ,cAAc,gBAAgB,mBAAmB,eAC7C;AAAA,IACE,GAAG,cAAc;AAAA,IACjB,GAAG,mBAAmB;AAAA,EAAA,IAExB;AAEN,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,IACH;AAAA,EAAA;AAEJ;AAEA,SAAS,YAAY,KAAgD;AACnE,MAAI,eAAe,kBAAkB;AACnC,WAAO,IAAI,WAAA;AAAA,EACb;AACA,MAAI,eAAe,oBAAoB;AACrC,WAAO,KAAK,UAAU,IAAI,OAAA,CAAQ;AAAA,EACpC;AACA,QAAM,IAAI,MAAM,sBAAsB;AACxC;AAEA,eAAe,WACb,SACA,KACe;AACf,QAAM,aAAa,YAAY,GAAG;AAClC,QAAM,QAAQ,IAAI,iBAAiB,UAAU;AAC/C;"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@icp-sdk/auth",
3
- "version": "4.0.1",
3
+ "version": "4.0.2",
4
4
  "author": "DFINITY Stiftung <sdk@dfinity.org>",
5
5
  "license": "Apache-2.0",
6
6
  "description": "Authentication library for Internet Computer web apps",
package/src/client/auth-client.ts CHANGED
@@ -24,6 +24,7 @@ import {
24
24
  KEY_STORAGE_KEY,
25
25
  KEY_VECTOR,
26
26
  LocalStorage,
27
+ type StoredKey,
27
28
  } from './storage.ts';
28
29
 
29
30
  const NANOSECONDS_PER_SECOND = BigInt(1_000_000_000);
@@ -308,7 +309,6 @@ export class AuthClient {
308
309
  // Create a new key (whether or not one was in storage).
309
310
  if (keyType === ED25519_KEY_LABEL) {
310
311
  key = Ed25519KeyIdentity.generate();
311
- await storage.set(KEY_STORAGE_KEY, JSON.stringify((key as Ed25519KeyIdentity).toJSON()));
312
312
  } else {
313
313
  if (options.storage && keyType === ECDSA_KEY_LABEL) {
314
314
  console.warn(
@@ -316,8 +316,8 @@ export class AuthClient {
316
316
  );
317
317
  }
318
318
  key = await ECDSAKeyIdentity.generate();
319
- await storage.set(KEY_STORAGE_KEY, (key as ECDSAKeyIdentity).getKeyPair());
320
319
  }
320
+ await persistKey(storage, key);
321
321
  }
322
322
 
323
323
  return new AuthClient(identity, key, chain, storage, idleManager, options);
@@ -401,6 +401,11 @@ export class AuthClient {
401
401
  await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));
402
402
  }
403
403
 
404
+ // Ensure the stored key in persistent storage matches the in-memory key that
405
+ // was used to obtain the delegation. This avoids key/delegation mismatches
406
+ // across multiple tabs overwriting each other's cached keys.
407
+ await persistKey(this._storage, this._key);
408
+
404
409
  // onSuccess should be the last thing to do to avoid consumers
405
410
  // interfering by navigating or refreshing the page
406
411
  onSuccess?.(message);
@@ -591,3 +596,21 @@ function mergeLoginOptions(
591
596
  customValues,
592
597
  };
593
598
  }
599
+
600
+ function toStoredKey(key: SignIdentity | PartialIdentity): StoredKey {
601
+ if (key instanceof ECDSAKeyIdentity) {
602
+ return key.getKeyPair();
603
+ }
604
+ if (key instanceof Ed25519KeyIdentity) {
605
+ return JSON.stringify(key.toJSON());
606
+ }
607
+ throw new Error('Unsupported key type');
608
+ }
609
+
610
+ async function persistKey(
611
+ storage: AuthClientStorage,
612
+ key: SignIdentity | PartialIdentity,
613
+ ): Promise<void> {
614
+ const serialized = toStoredKey(key);
615
+ await storage.set(KEY_STORAGE_KEY, serialized);
616
+ }