npm - @icp-sdk/auth - Versions diffs - 4.0.1 → 4.1.0 - Mend

@icp-sdk/auth 4.0.1 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/esm/client/auth-client.d.ts +2 -0
package/dist/esm/client/auth-client.js +58 -2
package/dist/esm/client/auth-client.js.map +1 -1
package/package.json +4 -2
package/src/client/auth-client.ts +84 -2

package/dist/esm/client/auth-client.d.ts CHANGED Viewed

@@ -116,6 +116,7 @@ export declare class AuthClient {
     private _createOptions;
     private _idpWindow?;
     private _eventHandler?;
+    private _signer;
     /**
      * Create an AuthClient to manage authentication and identity
      * @param {AuthClientCreateOptions} options - Options for creating an {@link AuthClient}
@@ -167,6 +168,7 @@ export declare class AuthClient {
      * });
      */
     login(options?: AuthClientLoginOptions): Promise<void>;
+    loginWithIcrc29(options?: AuthClientLoginOptions): Promise<void>;
     private _getEventHandler;
     private _handleFailure;
     private _removeEventListener;

package/dist/esm/client/auth-client.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import { AnonymousIdentity } from "@icp-sdk/core/agent";
 import { Ed25519KeyIdentity, ECDSAKeyIdentity, DelegationChain, isDelegationValid, PartialDelegationIdentity, DelegationIdentity, Delegation } from "@icp-sdk/core/identity";
+import { Signer } from "@slide-computer/signer";
+import { PostMessageTransport } from "@slide-computer/signer-web";
 import { IdleManager } from "./idle-manager.js";
 import { IdbStorage, KEY_STORAGE_KEY, LocalStorage, KEY_STORAGE_DELEGATION, KEY_VECTOR } from "./storage.js";
 const NANOSECONDS_PER_SECOND = BigInt(1e9);
@@ -7,6 +9,7 @@ const SECONDS_PER_HOUR = BigInt(3600);
 const NANOSECONDS_PER_HOUR = NANOSECONDS_PER_SECOND * SECONDS_PER_HOUR;
 const IDENTITY_PROVIDER_DEFAULT = "https://identity.internetcomputer.org";
 const IDENTITY_PROVIDER_ENDPOINT = "#authorize";
+const IDENTITY_PROVIDER_ICRC29_DEFAULT = "https://id.ai/authorize";
 const DEFAULT_MAX_TIME_TO_LIVE = BigInt(8) * NANOSECONDS_PER_HOUR;
 const ECDSA_KEY_LABEL = "ECDSA";
 const ED25519_KEY_LABEL = "Ed25519";
@@ -24,6 +27,7 @@ class AuthClient {
     this._eventHandler = _eventHandler;
     this._registerDefaultIdleCallback();
   }
+  _signer = void 0;
   /**
    * Create an AuthClient to manage authentication and identity
    * @param {AuthClientCreateOptions} options - Options for creating an {@link AuthClient}
@@ -123,7 +127,6 @@ class AuthClient {
     if (!key) {
       if (keyType === ED25519_KEY_LABEL) {
         key = Ed25519KeyIdentity.generate();
-        await storage.set(KEY_STORAGE_KEY, JSON.stringify(key.toJSON()));
       } else {
         if (options.storage && keyType === ECDSA_KEY_LABEL) {
           console.warn(
@@ -131,8 +134,8 @@ class AuthClient {
           );
         }
         key = await ECDSAKeyIdentity.generate();
-        await storage.set(KEY_STORAGE_KEY, key.getKeyPair());
       }
+      await persistKey(storage, key);
     }
     return new AuthClient(identity, key, chain, storage, idleManager, options);
   }
@@ -181,6 +184,7 @@ class AuthClient {
     if (this._chain) {
       await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));
     }
+    await persistKey(this._storage, this._key);
     onSuccess?.(message);
   }
   getIdentity() {
@@ -244,6 +248,45 @@ class AuthClient {
     };
     checkInterruption();
   }
+  async loginWithIcrc29(options) {
+    const loginOptions = mergeLoginOptions(this._createOptions?.loginOptions, options);
+    const maxTimeToLive = loginOptions?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;
+    const identityProviderUrl = new URL(
+      loginOptions?.identityProvider?.toString() || IDENTITY_PROVIDER_ICRC29_DEFAULT
+    );
+    this._signer?.closeChannel();
+    const transport = new PostMessageTransport({
+      url: identityProviderUrl.toString(),
+      windowOpenerFeatures: loginOptions?.windowOpenerFeatures
+    });
+    this._signer = new Signer({
+      transport,
+      derivationOrigin: loginOptions?.derivationOrigin?.toString()
+    });
+    const key = this._key;
+    if (!key) {
+      return;
+    }
+    const delegation = await this._signer.delegation({
+      publicKey: this._key.getPublicKey().toDer(),
+      maxTimeToLive
+    });
+    this._chain = delegation;
+    if ("toDer" in key) {
+      this._identity = PartialDelegationIdentity.fromDelegation(key, this._chain);
+    } else {
+      this._identity = DelegationIdentity.fromDelegation(key, this._chain);
+    }
+    if (this._chain) {
+      await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));
+    }
+    options?.onSuccess?.({
+      kind: "authorize-client-success",
+      delegations: delegation.delegations,
+      userPublicKey: this._key?.getPublicKey().toDer(),
+      authnMethod: "passkey"
+    });
+  }
   _getEventHandler(identityProviderUrl, options) {
     return async (event) => {
       if (event.origin !== identityProviderUrl.origin) {
@@ -321,6 +364,19 @@ function mergeLoginOptions(loginOptions, otherLoginOptions) {
     customValues
   };
 }
+function toStoredKey(key) {
+  if (key instanceof ECDSAKeyIdentity) {
+    return key.getKeyPair();
+  }
+  if (key instanceof Ed25519KeyIdentity) {
+    return JSON.stringify(key.toJSON());
+  }
+  throw new Error("Unsupported key type");
+}
+async function persistKey(storage, key) {
+  const serialized = toStoredKey(key);
+  await storage.set(KEY_STORAGE_KEY, serialized);
+}
 export {
   AuthClient,
   ERROR_USER_INTERRUPT

package/dist/esm/client/auth-client.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth-client.js","sources":["../../../src/client/auth-client.ts"],"sourcesContent":["import {\n AnonymousIdentity,\n type DerEncodedPublicKey,\n type Identity,\n type Signature,\n type SignIdentity,\n} from '@icp-sdk/core/agent';\nimport {\n Delegation,\n DelegationChain,\n DelegationIdentity,\n ECDSAKeyIdentity,\n Ed25519KeyIdentity,\n isDelegationValid,\n PartialDelegationIdentity,\n type PartialIdentity,\n} from '@icp-sdk/core/identity';\nimport type { Principal } from '@icp-sdk/core/principal';\nimport { IdleManager, type IdleManagerOptions } from './idle-manager.ts';\nimport {\n type AuthClientStorage,\n IdbStorage,\n KEY_STORAGE_DELEGATION,\n KEY_STORAGE_KEY,\n KEY_VECTOR,\n LocalStorage,\n} from './storage.ts';\n\nconst NANOSECONDS_PER_SECOND = BigInt(1_000_000_000);\nconst SECONDS_PER_HOUR = BigInt(3_600);\nconst NANOSECONDS_PER_HOUR = NANOSECONDS_PER_SECOND * SECONDS_PER_HOUR;\n\nconst IDENTITY_PROVIDER_DEFAULT = 'https://identity.internetcomputer.org';\nconst IDENTITY_PROVIDER_ENDPOINT = '#authorize';\n\nconst DEFAULT_MAX_TIME_TO_LIVE = BigInt(8) * NANOSECONDS_PER_HOUR;\n\nconst ECDSA_KEY_LABEL = 'ECDSA';\nconst ED25519_KEY_LABEL = 'Ed25519';\ntype BaseKeyType = typeof ECDSA_KEY_LABEL \| typeof ED25519_KEY_LABEL;\n\nconst INTERRUPT_CHECK_INTERVAL = 500;\n\nexport const ERROR_USER_INTERRUPT = 'UserInterrupt';\n\n/*\n List of options for creating an {@link AuthClient}.\n /\nexport interface AuthClientCreateOptions {\n /\n An {@link SignIdentity} or {@link PartialIdentity} to authenticate via delegation.\n /\n identity?: SignIdentity \| PartialIdentity;\n /\n Optional storage with get, set, and remove. Uses {@link IdbStorage} by default.\n * @see {@link AuthClientStorage}\n /\n storage?: AuthClientStorage;\n\n /\n Type to use for the base key.\n \n If you are using a custom storage provider that does not support CryptoKey storage,\n * you should use `Ed25519` as the key type, as it can serialize to a string.\n * @default 'ECDSA'\n /\n keyType?: BaseKeyType;\n\n /\n Options to handle idle timeouts\n * @default after 10 minutes, invalidates the identity\n /\n idleOptions?: IdleOptions;\n\n /\n Options to handle login, passed to the login method\n /\n loginOptions?: AuthClientLoginOptions;\n}\n\nexport interface IdleOptions extends IdleManagerOptions {\n /\n Disables idle functionality for {@link IdleManager}\n * @default false\n /\n disableIdle?: boolean;\n\n /\n Disables default idle behavior - call logout & reload window\n * @default false\n /\n disableDefaultIdleCallback?: boolean;\n}\n\nexport type OnSuccessFunc =\n \| (() => void \| Promise<void>)\n \| ((message: InternetIdentityAuthResponseSuccess) => void \| Promise<void>);\n\nexport type OnErrorFunc = (error?: string) => void \| Promise<void>;\n\nexport interface AuthClientLoginOptions {\n /\n Identity provider\n * @default \"https://identity.internetcomputer.org\"\n /\n identityProvider?: string \| URL;\n /\n Expiration of the authentication in nanoseconds\n * @default BigInt(8) hours * BigInt(3_600_000_000_000) nanoseconds\n /\n maxTimeToLive?: bigint;\n /\n If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n /\n allowPinAuthentication?: boolean;\n /\n Origin for Identity Provider to use while generating the delegated identity. For II, the derivation origin must authorize this origin by setting a record at `<derivation-origin>/.well-known/ii-alternative-origins`.\n * @see https://github.com/dfinity/internet-identity/blob/main/docs/internet-identity-spec.adoc\n /\n derivationOrigin?: string \| URL;\n /\n Auth Window feature config string\n * @example \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\"\n /\n windowOpenerFeatures?: string;\n /\n Callback once login has completed\n /\n onSuccess?: OnSuccessFunc;\n /\n Callback in case authentication fails\n /\n onError?: OnErrorFunc;\n /\n Extra values to be passed in the login request during the authorize-ready phase\n /\n customValues?: Record<string, unknown>;\n}\n\ninterface InternetIdentityAuthRequest {\n kind: 'authorize-client';\n sessionPublicKey: Uint8Array;\n maxTimeToLive?: bigint;\n allowPinAuthentication?: boolean;\n derivationOrigin?: string;\n}\n\nexport interface InternetIdentityAuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' \| 'pin' \| 'recovery';\n}\n\ninterface AuthReadyMessage {\n kind: 'authorize-ready';\n}\n\ninterface AuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' \| 'pin' \| 'recovery';\n}\n\ninterface AuthResponseFailure {\n kind: 'authorize-client-failure';\n text: string;\n}\n\ntype IdentityServiceResponseMessage = AuthReadyMessage \| AuthResponse;\ntype AuthResponse = AuthResponseSuccess \| AuthResponseFailure;\n\n/\n Tool to manage authentication and identity\n * @see {@link AuthClient}\n /\nexport class AuthClient {\n /\n Create an AuthClient to manage authentication and identity\n * @param {AuthClientCreateOptions} options - Options for creating an {@link AuthClient}\n * @see {@link AuthClientCreateOptions}\n * @param options.identity Optional Identity to use as the base\n * @see {@link SignIdentity}\n * @param options.storage Storage mechanism for delegation credentials\n * @see {@link AuthClientStorage}\n * @param options.keyType Type of key to use for the base key\n * @param {IdleOptions} options.idleOptions Configures an {@link IdleManager}\n * @see {@link IdleOptions}\n * Default behavior is to clear stored identity and reload the page when a user goes idle, unless you set the disableDefaultIdleCallback flag or pass in a custom idle callback.\n * @example\n * const authClient = await AuthClient.create({\n * idleOptions: {\n * disableIdle: true\n * }\n * })\n /\n public static async create(options: AuthClientCreateOptions = {}): Promise<AuthClient> {\n const storage = options.storage ?? new IdbStorage();\n const keyType = options.keyType ?? ECDSA_KEY_LABEL;\n\n let key: null \| SignIdentity \| PartialIdentity = null;\n if (options.identity) {\n key = options.identity;\n } else {\n let maybeIdentityStorage = await storage.get(KEY_STORAGE_KEY);\n if (!maybeIdentityStorage) {\n // Attempt to migrate from localstorage\n try {\n const fallbackLocalStorage = new LocalStorage();\n const localChain = await fallbackLocalStorage.get(KEY_STORAGE_DELEGATION);\n const localKey = await fallbackLocalStorage.get(KEY_STORAGE_KEY);\n // not relevant for Ed25519\n if (localChain && localKey && keyType === ECDSA_KEY_LABEL) {\n console.log('Discovered an identity stored in localstorage. Migrating to IndexedDB');\n await storage.set(KEY_STORAGE_DELEGATION, localChain);\n await storage.set(KEY_STORAGE_KEY, localKey);\n\n maybeIdentityStorage = localChain;\n // clean up\n await fallbackLocalStorage.remove(KEY_STORAGE_DELEGATION);\n await fallbackLocalStorage.remove(KEY_STORAGE_KEY);\n }\n } catch (error) {\n console.error(`error while attempting to recover localstorage: ${error}`);\n }\n }\n if (maybeIdentityStorage) {\n try {\n if (typeof maybeIdentityStorage === 'object') {\n if (keyType === ED25519_KEY_LABEL && typeof maybeIdentityStorage === 'string') {\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n } else {\n key = await ECDSAKeyIdentity.fromKeyPair(maybeIdentityStorage);\n }\n } else if (typeof maybeIdentityStorage === 'string') {\n // This is a legacy identity, which is a serialized Ed25519KeyIdentity.\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n }\n } catch {\n // Ignore this, this means that the localStorage value isn't a valid Ed25519KeyIdentity or ECDSAKeyIdentity\n // serialization.\n }\n }\n }\n\n let identity: SignIdentity \| PartialIdentity = new AnonymousIdentity() as PartialIdentity;\n let chain: null \| DelegationChain = null;\n if (key) {\n try {\n const chainStorage = await storage.get(KEY_STORAGE_DELEGATION);\n if (typeof chainStorage === 'object' && chainStorage !== null) {\n throw new Error(\n 'Delegation chain is incorrectly stored. A delegation chain should be stored as a string.',\n );\n }\n\n if (options.identity) {\n identity = options.identity;\n } else if (chainStorage) {\n chain = DelegationChain.fromJSON(chainStorage);\n\n // Verify that the delegation isn't expired.\n if (!isDelegationValid(chain)) {\n await _deleteStorage(storage);\n key = null;\n } else {\n // If the key is a public key, then we create a PartialDelegationIdentity.\n if ('toDer' in key) {\n identity = PartialDelegationIdentity.fromDelegation(key, chain);\n // otherwise, we create a DelegationIdentity.\n } else {\n identity = DelegationIdentity.fromDelegation(key, chain);\n }\n }\n }\n } catch (e) {\n console.error(e);\n // If there was a problem loading the chain, delete the key.\n await _deleteStorage(storage);\n key = null;\n }\n }\n let idleManager: IdleManager \| undefined;\n if (options.idleOptions?.disableIdle) {\n idleManager = undefined;\n }\n // if there is a delegation chain or provided identity, setup idleManager\n else if (chain \|\| options.identity) {\n idleManager = IdleManager.create(options.idleOptions);\n }\n\n if (!key) {\n // Create a new key (whether or not one was in storage).\n if (keyType === ED25519_KEY_LABEL) {\n key = Ed25519KeyIdentity.generate();\n await storage.set(KEY_STORAGE_KEY, JSON.stringify((key as Ed25519KeyIdentity).toJSON()));\n } else {\n if (options.storage && keyType === ECDSA_KEY_LABEL) {\n console.warn(\n `You are using a custom storage provider that may not support CryptoKey storage. If you are using a custom storage provider that does not support CryptoKey storage, you should use '${ED25519_KEY_LABEL}' as the key type, as it can serialize to a string`,\n );\n }\n key = await ECDSAKeyIdentity.generate();\n await storage.set(KEY_STORAGE_KEY, (key as ECDSAKeyIdentity).getKeyPair());\n }\n }\n\n return new AuthClient(identity, key, chain, storage, idleManager, options);\n }\n\n protected constructor(\n private _identity: Identity \| PartialIdentity,\n private _key: SignIdentity \| PartialIdentity,\n private _chain: DelegationChain \| null,\n private _storage: AuthClientStorage,\n public idleManager: IdleManager \| undefined,\n private _createOptions: AuthClientCreateOptions \| undefined,\n // A handle on the IdP window.\n private _idpWindow?: Window,\n // The event handler for processing events from the IdP.\n private _eventHandler?: (event: MessageEvent) => void,\n ) {\n this._registerDefaultIdleCallback();\n }\n\n private _registerDefaultIdleCallback() {\n const idleOptions = this._createOptions?.idleOptions;\n /\n Default behavior is to clear stored identity and reload the page.\n * By either setting the disableDefaultIdleCallback flag or passing in a custom idle callback, we will ignore this config\n /\n if (!idleOptions?.onIdle && !idleOptions?.disableDefaultIdleCallback) {\n this.idleManager?.registerCallback(() => {\n this.logout();\n location.reload();\n });\n }\n }\n\n private async _handleSuccess(\n message: InternetIdentityAuthResponseSuccess,\n onSuccess?: OnSuccessFunc,\n ) {\n const delegations = message.delegations.map((signedDelegation) => {\n return {\n delegation: new Delegation(\n signedDelegation.delegation.pubkey,\n signedDelegation.delegation.expiration,\n signedDelegation.delegation.targets,\n ),\n signature: signedDelegation.signature as Signature,\n };\n });\n\n const delegationChain = DelegationChain.fromDelegations(\n delegations,\n message.userPublicKey as DerEncodedPublicKey,\n );\n\n const key = this._key;\n if (!key) {\n return;\n }\n\n this._chain = delegationChain;\n\n if ('toDer' in key) {\n this._identity = PartialDelegationIdentity.fromDelegation(key, this._chain);\n } else {\n this._identity = DelegationIdentity.fromDelegation(key, this._chain);\n }\n\n this._idpWindow?.close();\n const idleOptions = this._createOptions?.idleOptions;\n // create the idle manager on a successful login if we haven't disabled it\n // and it doesn't already exist.\n if (!this.idleManager && !idleOptions?.disableIdle) {\n this.idleManager = IdleManager.create(idleOptions);\n this._registerDefaultIdleCallback();\n }\n\n this._removeEventListener();\n delete this._idpWindow;\n\n if (this._chain) {\n await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));\n }\n\n // onSuccess should be the last thing to do to avoid consumers\n // interfering by navigating or refreshing the page\n onSuccess?.(message);\n }\n\n public getIdentity(): Identity {\n return this._identity;\n }\n\n public async isAuthenticated(): Promise<boolean> {\n return (\n !this.getIdentity().getPrincipal().isAnonymous() &&\n this._chain !== null &&\n isDelegationValid(this._chain)\n );\n }\n\n /\n AuthClient Login - Opens up a new window to authenticate with Internet Identity\n * @param {AuthClientLoginOptions} options - Options for logging in, merged with the options set during creation if any. Note: we only perform a shallow merge for the `customValues` property.\n * @param options.identityProvider Identity provider\n * @param options.maxTimeToLive Expiration of the authentication in nanoseconds\n * @param options.allowPinAuthentication If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n * @param options.derivationOrigin Origin for Identity Provider to use while generating the delegated identity\n * @param options.windowOpenerFeatures Configures the opened authentication window\n * @param options.onSuccess Callback once login has completed\n * @param options.onError Callback in case authentication fails\n * @param options.customValues Extra values to be passed in the login request during the authorize-ready phase. Note: we only perform a shallow merge for the `customValues` property.\n * @example\n * const authClient = await AuthClient.create();\n * authClient.login({\n * identityProvider: 'http://<canisterID>.127.0.0.1:8000',\n * maxTimeToLive: BigInt (7) * BigInt(24) * BigInt(3_600_000_000_000), // 1 week\n * windowOpenerFeatures: \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\",\n * onSuccess: () => {\n * console.log('Login Successful!');\n * },\n * onError: (error) => {\n * console.error('Login Failed: ', error);\n * }\n * });\n */\n public async login(options?: AuthClientLoginOptions): Promise<void> {\n // Merge the passed options with the options set during creation\n const loginOptions = mergeLoginOptions(this._createOptions?.loginOptions, options);\n\n // Set default maxTimeToLive to 8 hours\n const maxTimeToLive = loginOptions?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;\n\n // Create the URL of the IDP. (e.g. https://XXXX/#authorize)\n const identityProviderUrl = new URL(\n loginOptions?.identityProvider?.toString() \|\| IDENTITY_PROVIDER_DEFAULT,\n );\n // Set the correct hash if it isn't already set.\n identityProviderUrl.hash = IDENTITY_PROVIDER_ENDPOINT;\n\n // If `login` has been called previously, then close/remove any previous windows\n // and event listeners.\n this._idpWindow?.close();\n this._removeEventListener();\n\n // Add an event listener to handle responses.\n this._eventHandler = this._getEventHandler(identityProviderUrl, {\n maxTimeToLive,\n ...loginOptions,\n });\n window.addEventListener('message', this._eventHandler);\n\n // Open a new window with the IDP provider.\n this._idpWindow =\n window.open(\n identityProviderUrl.toString(),\n 'idpWindow',\n loginOptions?.windowOpenerFeatures,\n ) ?? undefined;\n\n // Check if the _idpWindow is closed by user.\n const checkInterruption = (): void => {\n // The _idpWindow is opened and not yet closed by the client\n if (this._idpWindow) {\n if (this._idpWindow.closed) {\n this._handleFailure(ERROR_USER_INTERRUPT, loginOptions?.onError);\n } else {\n setTimeout(checkInterruption, INTERRUPT_CHECK_INTERVAL);\n }\n }\n };\n checkInterruption();\n }\n\n private _getEventHandler(identityProviderUrl: URL, options?: AuthClientLoginOptions) {\n return async (event: MessageEvent) => {\n if (event.origin !== identityProviderUrl.origin) {\n // Ignore any event that is not from the identity provider\n return;\n }\n\n const message = event.data as IdentityServiceResponseMessage;\n\n switch (message.kind) {\n case 'authorize-ready': {\n // IDP is ready. Send a message to request authorization.\n const request: InternetIdentityAuthRequest = {\n kind: 'authorize-client',\n sessionPublicKey: new Uint8Array(this._key?.getPublicKey().toDer()),\n maxTimeToLive: options?.maxTimeToLive,\n allowPinAuthentication: options?.allowPinAuthentication,\n derivationOrigin: options?.derivationOrigin?.toString(),\n // Pass any custom values to the IDP.\n ...options?.customValues,\n };\n this._idpWindow?.postMessage(request, identityProviderUrl.origin);\n break;\n }\n case 'authorize-client-success':\n // Create the delegation chain and store it.\n try {\n await this._handleSuccess(message, options?.onSuccess);\n } catch (err) {\n this._handleFailure((err as Error).message, options?.onError);\n }\n break;\n case 'authorize-client-failure':\n this._handleFailure(message.text, options?.onError);\n break;\n default:\n break;\n }\n };\n }\n\n private _handleFailure(errorMessage?: string, onError?: (error?: string) => void): void {\n this._idpWindow?.close();\n onError?.(errorMessage);\n this._removeEventListener();\n delete this._idpWindow;\n }\n\n private _removeEventListener() {\n if (this._eventHandler) {\n window.removeEventListener('message', this._eventHandler);\n }\n this._eventHandler = undefined;\n }\n\n public async logout(options: { returnTo?: string } = {}): Promise<void> {\n await _deleteStorage(this._storage);\n\n // Reset this auth client to a non-authenticated state.\n this._identity = new AnonymousIdentity();\n this._chain = null;\n\n if (options.returnTo) {\n try {\n window.history.pushState({}, '', options.returnTo);\n } catch {\n window.location.href = options.returnTo;\n }\n }\n }\n}\n\nasync function _deleteStorage(storage: AuthClientStorage) {\n await storage.remove(KEY_STORAGE_KEY);\n await storage.remove(KEY_STORAGE_DELEGATION);\n await storage.remove(KEY_VECTOR);\n}\n\nfunction mergeLoginOptions(\n loginOptions: AuthClientLoginOptions \| undefined,\n otherLoginOptions: AuthClientLoginOptions \| undefined,\n): AuthClientLoginOptions \| undefined {\n if (!loginOptions && !otherLoginOptions) {\n return undefined;\n }\n\n const customValues =\n loginOptions?.customValues \|\| otherLoginOptions?.customValues\n ? {\n ...loginOptions?.customValues,\n ...otherLoginOptions?.customValues,\n }\n : undefined;\n\n return {\n ...loginOptions,\n ...otherLoginOptions,\n customValues,\n };\n}\n"],"names":[],"mappings":";;;;AA4BA,MAAM,yBAAyB,OAAO,GAAa;AACnD,MAAM,mBAAmB,OAAO,IAAK;AACrC,MAAM,uBAAuB,yBAAyB;AAEtD,MAAM,4BAA4B;AAClC,MAAM,6BAA6B;AAEnC,MAAM,2BAA2B,OAAO,CAAC,IAAI;AAE7C,MAAM,kBAAkB;AACxB,MAAM,oBAAoB;AAG1B,MAAM,2BAA2B;AAE1B,MAAM,uBAAuB;AAoJ7B,MAAM,WAAW;AAAA,EAsIZ,YACA,WACA,MACA,QACA,UACD,aACC,gBAEA,YAEA,eACR;AAVQ,SAAA,YAAA;AACA,SAAA,OAAA;AACA,SAAA,SAAA;AACA,SAAA,WAAA;AACD,SAAA,cAAA;AACC,SAAA,iBAAA;AAEA,SAAA,aAAA;AAEA,SAAA,gBAAA;AAER,SAAK,6BAAA;AAAA,EACP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA/HA,aAAoB,OAAO,UAAmC,IAAyB;AACrF,UAAM,UAAU,QAAQ,WAAW,IAAI,WAAA;AACvC,UAAM,UAAU,QAAQ,WAAW;AAEnC,QAAI,MAA6C;AACjD,QAAI,QAAQ,UAAU;AACpB,YAAM,QAAQ;AAAA,IAChB,OAAO;AACL,UAAI,uBAAuB,MAAM,QAAQ,IAAI,eAAe;AAC5D,UAAI,CAAC,sBAAsB;AAEzB,YAAI;AACF,gBAAM,uBAAuB,IAAI,aAAA;AACjC,gBAAM,aAAa,MAAM,qBAAqB,IAAI,sBAAsB;AACxE,gBAAM,WAAW,MAAM,qBAAqB,IAAI,eAAe;AAE/D,cAAI,cAAc,YAAY,YAAY,iBAAiB;AACzD,oBAAQ,IAAI,uEAAuE;AACnF,kBAAM,QAAQ,IAAI,wBAAwB,UAAU;AACpD,kBAAM,QAAQ,IAAI,iBAAiB,QAAQ;AAE3C,mCAAuB;AAEvB,kBAAM,qBAAqB,OAAO,sBAAsB;AACxD,kBAAM,qBAAqB,OAAO,eAAe;AAAA,UACnD;AAAA,QACF,SAAS,OAAO;AACd,kBAAQ,MAAM,mDAAmD,KAAK,EAAE;AAAA,QAC1E;AAAA,MACF;AACA,UAAI,sBAAsB;AACxB,YAAI;AACF,cAAI,OAAO,yBAAyB,UAAU;AAC5C,gBAAI,YAAY,qBAAqB,OAAO,yBAAyB,UAAU;AAC7E,oBAAM,mBAAmB,SAAS,oBAAoB;AAAA,YACxD,OAAO;AACL,oBAAM,MAAM,iBAAiB,YAAY,oBAAoB;AAAA,YAC/D;AAAA,UACF,WAAW,OAAO,yBAAyB,UAAU;AAEnD,kBAAM,mBAAmB,SAAS,oBAAoB;AAAA,UACxD;AAAA,QACF,QAAQ;AAAA,QAGR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,WAA2C,IAAI,kBAAA;AACnD,QAAI,QAAgC;AACpC,QAAI,KAAK;AACP,UAAI;AACF,cAAM,eAAe,MAAM,QAAQ,IAAI,sBAAsB;AAC7D,YAAI,OAAO,iBAAiB,YAAY,iBAAiB,MAAM;AAC7D,gBAAM,IAAI;AAAA,YACR;AAAA,UAAA;AAAA,QAEJ;AAEA,YAAI,QAAQ,UAAU;AACpB,qBAAW,QAAQ;AAAA,QACrB,WAAW,cAAc;AACvB,kBAAQ,gBAAgB,SAAS,YAAY;AAG7C,cAAI,CAAC,kBAAkB,KAAK,GAAG;AAC7B,kBAAM,eAAe,OAAO;AAC5B,kBAAM;AAAA,UACR,OAAO;AAEL,gBAAI,WAAW,KAAK;AAClB,yBAAW,0BAA0B,eAAe,KAAK,KAAK;AAAA,YAEhE,OAAO;AACL,yBAAW,mBAAmB,eAAe,KAAK,KAAK;AAAA,YACzD;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,GAAG;AACV,gBAAQ,MAAM,CAAC;AAEf,cAAM,eAAe,OAAO;AAC5B,cAAM;AAAA,MACR;AAAA,IACF;AACA,QAAI;AACJ,QAAI,QAAQ,aAAa,aAAa;AACpC,oBAAc;AAAA,IAChB,WAES,SAAS,QAAQ,UAAU;AAClC,oBAAc,YAAY,OAAO,QAAQ,WAAW;AAAA,IACtD;AAEA,QAAI,CAAC,KAAK;AAER,UAAI,YAAY,mBAAmB;AACjC,cAAM,mBAAmB,SAAA;AACzB,cAAM,QAAQ,IAAI,iBAAiB,KAAK,UAAW,IAA2B,OAAA,CAAQ,CAAC;AAAA,MACzF,OAAO;AACL,YAAI,QAAQ,WAAW,YAAY,iBAAiB;AAClD,kBAAQ;AAAA,YACN,uLAAuL,iBAAiB;AAAA,UAAA;AAAA,QAE5M;AACA,cAAM,MAAM,iBAAiB,SAAA;AAC7B,cAAM,QAAQ,IAAI,iBAAkB,IAAyB,YAAY;AAAA,MAC3E;AAAA,IACF;AAEA,WAAO,IAAI,WAAW,UAAU,KAAK,OAAO,SAAS,aAAa,OAAO;AAAA,EAC3E;AAAA,EAiBQ,+BAA+B;AACrC,UAAM,cAAc,KAAK,gBAAgB;AAKzC,QAAI,CAAC,aAAa,UAAU,CAAC,aAAa,4BAA4B;AACpE,WAAK,aAAa,iBAAiB,MAAM;AACvC,aAAK,OAAA;AACL,iBAAS,OAAA;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EAEA,MAAc,eACZ,SACA,WACA;AACA,UAAM,cAAc,QAAQ,YAAY,IAAI,CAAC,qBAAqB;AAChE,aAAO;AAAA,QACL,YAAY,IAAI;AAAA,UACd,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,QAAA;AAAA,QAE9B,WAAW,iBAAiB;AAAA,MAAA;AAAA,IAEhC,CAAC;AAED,UAAM,kBAAkB,gBAAgB;AAAA,MACtC;AAAA,MACA,QAAQ;AAAA,IAAA;AAGV,UAAM,MAAM,KAAK;AACjB,QAAI,CAAC,KAAK;AACR;AAAA,IACF;AAEA,SAAK,SAAS;AAEd,QAAI,WAAW,KAAK;AAClB,WAAK,YAAY,0BAA0B,eAAe,KAAK,KAAK,MAAM;AAAA,IAC5E,OAAO;AACL,WAAK,YAAY,mBAAmB,eAAe,KAAK,KAAK,MAAM;AAAA,IACrE;AAEA,SAAK,YAAY,MAAA;AACjB,UAAM,cAAc,KAAK,gBAAgB;AAGzC,QAAI,CAAC,KAAK,eAAe,CAAC,aAAa,aAAa;AAClD,WAAK,cAAc,YAAY,OAAO,WAAW;AACjD,WAAK,6BAAA;AAAA,IACP;AAEA,SAAK,qBAAA;AACL,WAAO,KAAK;AAEZ,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,SAAS,IAAI,wBAAwB,KAAK,UAAU,KAAK,OAAO,OAAA,CAAQ,CAAC;AAAA,IACtF;AAIA,gBAAY,OAAO;AAAA,EACrB;AAAA,EAEO,cAAwB;AAC7B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAa,kBAAoC;AAC/C,WACE,CAAC,KAAK,cAAc,aAAA,EAAe,YAAA,KACnC,KAAK,WAAW,QAChB,kBAAkB,KAAK,MAAM;AAAA,EAEjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAa,MAAM,SAAiD;AAElE,UAAM,eAAe,kBAAkB,KAAK,gBAAgB,cAAc,OAAO;AAGjF,UAAM,gBAAgB,cAAc,iBAAiB;AAGrD,UAAM,sBAAsB,IAAI;AAAA,MAC9B,cAAc,kBAAkB,cAAc;AAAA,IAAA;AAGhD,wBAAoB,OAAO;AAI3B,SAAK,YAAY,MAAA;AACjB,SAAK,qBAAA;AAGL,SAAK,gBAAgB,KAAK,iBAAiB,qBAAqB;AAAA,MAC9D;AAAA,MACA,GAAG;AAAA,IAAA,CACJ;AACD,WAAO,iBAAiB,WAAW,KAAK,aAAa;AAGrD,SAAK,aACH,OAAO;AAAA,MACL,oBAAoB,SAAA;AAAA,MACpB;AAAA,MACA,cAAc;AAAA,IAAA,KACX;AAGP,UAAM,oBAAoB,MAAY;AAEpC,UAAI,KAAK,YAAY;AACnB,YAAI,KAAK,WAAW,QAAQ;AAC1B,eAAK,eAAe,sBAAsB,cAAc,OAAO;AAAA,QACjE,OAAO;AACL,qBAAW,mBAAmB,wBAAwB;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AACA,sBAAA;AAAA,EACF;AAAA,EAEQ,iBAAiB,qBAA0B,SAAkC;AACnF,WAAO,OAAO,UAAwB;AACpC,UAAI,MAAM,WAAW,oBAAoB,QAAQ;AAE/C;AAAA,MACF;AAEA,YAAM,UAAU,MAAM;AAEtB,cAAQ,QAAQ,MAAA;AAAA,QACd,KAAK,mBAAmB;AAEtB,gBAAM,UAAuC;AAAA,YAC3C,MAAM;AAAA,YACN,kBAAkB,IAAI,WAAW,KAAK,MAAM,aAAA,EAAe,OAAO;AAAA,YAClE,eAAe,SAAS;AAAA,YACxB,wBAAwB,SAAS;AAAA,YACjC,kBAAkB,SAAS,kBAAkB,SAAA;AAAA;AAAA,YAE7C,GAAG,SAAS;AAAA,UAAA;AAEd,eAAK,YAAY,YAAY,SAAS,oBAAoB,MAAM;AAChE;AAAA,QACF;AAAA,QACA,KAAK;AAEH,cAAI;AACF,kBAAM,KAAK,eAAe,SAAS,SAAS,SAAS;AAAA,UACvD,SAAS,KAAK;AACZ,iBAAK,eAAgB,IAAc,SAAS,SAAS,OAAO;AAAA,UAC9D;AACA;AAAA,QACF,KAAK;AACH,eAAK,eAAe,QAAQ,MAAM,SAAS,OAAO;AAClD;AAAA,MAEA;AAAA,IAEN;AAAA,EACF;AAAA,EAEQ,eAAe,cAAuB,SAA0C;AACtF,SAAK,YAAY,MAAA;AACjB,cAAU,YAAY;AACtB,SAAK,qBAAA;AACL,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,uBAAuB;AAC7B,QAAI,KAAK,eAAe;AACtB,aAAO,oBAAoB,WAAW,KAAK,aAAa;AAAA,IAC1D;AACA,SAAK,gBAAgB;AAAA,EACvB;AAAA,EAEA,MAAa,OAAO,UAAiC,IAAmB;AACtE,UAAM,eAAe,KAAK,QAAQ;AAGlC,SAAK,YAAY,IAAI,kBAAA;AACrB,SAAK,SAAS;AAEd,QAAI,QAAQ,UAAU;AACpB,UAAI;AACF,eAAO,QAAQ,UAAU,CAAA,GAAI,IAAI,QAAQ,QAAQ;AAAA,MACnD,QAAQ;AACN,eAAO,SAAS,OAAO,QAAQ;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,eAAe,SAA4B;AACxD,QAAM,QAAQ,OAAO,eAAe;AACpC,QAAM,QAAQ,OAAO,sBAAsB;AAC3C,QAAM,QAAQ,OAAO,UAAU;AACjC;AAEA,SAAS,kBACP,cACA,mBACoC;AACpC,MAAI,CAAC,gBAAgB,CAAC,mBAAmB;AACvC,WAAO;AAAA,EACT;AAEA,QAAM,eACJ,cAAc,gBAAgB,mBAAmB,eAC7C;AAAA,IACE,GAAG,cAAc;AAAA,IACjB,GAAG,mBAAmB;AAAA,EAAA,IAExB;AAEN,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,IACH;AAAA,EAAA;AAEJ;"}
1	+ {"version":3,"file":"auth-client.js","sources":["../../../src/client/auth-client.ts"],"sourcesContent":["import {\n AnonymousIdentity,\n type DerEncodedPublicKey,\n type Identity,\n type Signature,\n type SignIdentity,\n} from '@icp-sdk/core/agent';\nimport {\n Delegation,\n DelegationChain,\n DelegationIdentity,\n ECDSAKeyIdentity,\n Ed25519KeyIdentity,\n isDelegationValid,\n PartialDelegationIdentity,\n type PartialIdentity,\n} from '@icp-sdk/core/identity';\nimport type { Principal } from '@icp-sdk/core/principal';\nimport { Signer } from '@slide-computer/signer';\nimport { PostMessageTransport } from '@slide-computer/signer-web';\nimport { IdleManager, type IdleManagerOptions } from './idle-manager.ts';\nimport {\n type AuthClientStorage,\n IdbStorage,\n KEY_STORAGE_DELEGATION,\n KEY_STORAGE_KEY,\n KEY_VECTOR,\n LocalStorage,\n type StoredKey,\n} from './storage.ts';\n\nconst NANOSECONDS_PER_SECOND = BigInt(1_000_000_000);\nconst SECONDS_PER_HOUR = BigInt(3_600);\nconst NANOSECONDS_PER_HOUR = NANOSECONDS_PER_SECOND * SECONDS_PER_HOUR;\n\nconst IDENTITY_PROVIDER_DEFAULT = 'https://identity.internetcomputer.org';\nconst IDENTITY_PROVIDER_ENDPOINT = '#authorize';\nconst IDENTITY_PROVIDER_ICRC29_DEFAULT = 'https://id.ai/authorize';\n\nconst DEFAULT_MAX_TIME_TO_LIVE = BigInt(8) * NANOSECONDS_PER_HOUR;\n\nconst ECDSA_KEY_LABEL = 'ECDSA';\nconst ED25519_KEY_LABEL = 'Ed25519';\ntype BaseKeyType = typeof ECDSA_KEY_LABEL \| typeof ED25519_KEY_LABEL;\n\nconst INTERRUPT_CHECK_INTERVAL = 500;\n\nexport const ERROR_USER_INTERRUPT = 'UserInterrupt';\n\n/*\n List of options for creating an {@link AuthClient}.\n /\nexport interface AuthClientCreateOptions {\n /\n An {@link SignIdentity} or {@link PartialIdentity} to authenticate via delegation.\n /\n identity?: SignIdentity \| PartialIdentity;\n /\n Optional storage with get, set, and remove. Uses {@link IdbStorage} by default.\n * @see {@link AuthClientStorage}\n /\n storage?: AuthClientStorage;\n\n /\n Type to use for the base key.\n \n If you are using a custom storage provider that does not support CryptoKey storage,\n * you should use `Ed25519` as the key type, as it can serialize to a string.\n * @default 'ECDSA'\n /\n keyType?: BaseKeyType;\n\n /\n Options to handle idle timeouts\n * @default after 10 minutes, invalidates the identity\n /\n idleOptions?: IdleOptions;\n\n /\n Options to handle login, passed to the login method\n /\n loginOptions?: AuthClientLoginOptions;\n}\n\nexport interface IdleOptions extends IdleManagerOptions {\n /\n Disables idle functionality for {@link IdleManager}\n * @default false\n /\n disableIdle?: boolean;\n\n /\n Disables default idle behavior - call logout & reload window\n * @default false\n /\n disableDefaultIdleCallback?: boolean;\n}\n\nexport type OnSuccessFunc =\n \| (() => void \| Promise<void>)\n \| ((message: InternetIdentityAuthResponseSuccess) => void \| Promise<void>);\n\nexport type OnErrorFunc = (error?: string) => void \| Promise<void>;\n\nexport interface AuthClientLoginOptions {\n /\n Identity provider\n * @default \"https://identity.internetcomputer.org\"\n /\n identityProvider?: string \| URL;\n /\n Expiration of the authentication in nanoseconds\n * @default BigInt(8) hours * BigInt(3_600_000_000_000) nanoseconds\n /\n maxTimeToLive?: bigint;\n /\n If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n /\n allowPinAuthentication?: boolean;\n /\n Origin for Identity Provider to use while generating the delegated identity. For II, the derivation origin must authorize this origin by setting a record at `<derivation-origin>/.well-known/ii-alternative-origins`.\n * @see https://github.com/dfinity/internet-identity/blob/main/docs/internet-identity-spec.adoc\n /\n derivationOrigin?: string \| URL;\n /\n Auth Window feature config string\n * @example \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\"\n /\n windowOpenerFeatures?: string;\n /\n Callback once login has completed\n /\n onSuccess?: OnSuccessFunc;\n /\n Callback in case authentication fails\n /\n onError?: OnErrorFunc;\n /\n Extra values to be passed in the login request during the authorize-ready phase\n /\n customValues?: Record<string, unknown>;\n}\n\ninterface InternetIdentityAuthRequest {\n kind: 'authorize-client';\n sessionPublicKey: Uint8Array;\n maxTimeToLive?: bigint;\n allowPinAuthentication?: boolean;\n derivationOrigin?: string;\n}\n\nexport interface InternetIdentityAuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' \| 'pin' \| 'recovery';\n}\n\ninterface AuthReadyMessage {\n kind: 'authorize-ready';\n}\n\ninterface AuthResponseSuccess {\n kind: 'authorize-client-success';\n delegations: {\n delegation: {\n pubkey: Uint8Array;\n expiration: bigint;\n targets?: Principal[];\n };\n signature: Uint8Array;\n }[];\n userPublicKey: Uint8Array;\n authnMethod: 'passkey' \| 'pin' \| 'recovery';\n}\n\ninterface AuthResponseFailure {\n kind: 'authorize-client-failure';\n text: string;\n}\n\ntype IdentityServiceResponseMessage = AuthReadyMessage \| AuthResponse;\ntype AuthResponse = AuthResponseSuccess \| AuthResponseFailure;\n\n/\n Tool to manage authentication and identity\n * @see {@link AuthClient}\n /\nexport class AuthClient {\n private _signer: Signer<PostMessageTransport> \| undefined = undefined;\n\n /\n Create an AuthClient to manage authentication and identity\n * @param {AuthClientCreateOptions} options - Options for creating an {@link AuthClient}\n * @see {@link AuthClientCreateOptions}\n * @param options.identity Optional Identity to use as the base\n * @see {@link SignIdentity}\n * @param options.storage Storage mechanism for delegation credentials\n * @see {@link AuthClientStorage}\n * @param options.keyType Type of key to use for the base key\n * @param {IdleOptions} options.idleOptions Configures an {@link IdleManager}\n * @see {@link IdleOptions}\n * Default behavior is to clear stored identity and reload the page when a user goes idle, unless you set the disableDefaultIdleCallback flag or pass in a custom idle callback.\n * @example\n * const authClient = await AuthClient.create({\n * idleOptions: {\n * disableIdle: true\n * }\n * })\n /\n public static async create(options: AuthClientCreateOptions = {}): Promise<AuthClient> {\n const storage = options.storage ?? new IdbStorage();\n const keyType = options.keyType ?? ECDSA_KEY_LABEL;\n\n let key: null \| SignIdentity \| PartialIdentity = null;\n if (options.identity) {\n key = options.identity;\n } else {\n let maybeIdentityStorage = await storage.get(KEY_STORAGE_KEY);\n if (!maybeIdentityStorage) {\n // Attempt to migrate from localstorage\n try {\n const fallbackLocalStorage = new LocalStorage();\n const localChain = await fallbackLocalStorage.get(KEY_STORAGE_DELEGATION);\n const localKey = await fallbackLocalStorage.get(KEY_STORAGE_KEY);\n // not relevant for Ed25519\n if (localChain && localKey && keyType === ECDSA_KEY_LABEL) {\n console.log('Discovered an identity stored in localstorage. Migrating to IndexedDB');\n await storage.set(KEY_STORAGE_DELEGATION, localChain);\n await storage.set(KEY_STORAGE_KEY, localKey);\n\n maybeIdentityStorage = localChain;\n // clean up\n await fallbackLocalStorage.remove(KEY_STORAGE_DELEGATION);\n await fallbackLocalStorage.remove(KEY_STORAGE_KEY);\n }\n } catch (error) {\n console.error(`error while attempting to recover localstorage: ${error}`);\n }\n }\n if (maybeIdentityStorage) {\n try {\n if (typeof maybeIdentityStorage === 'object') {\n if (keyType === ED25519_KEY_LABEL && typeof maybeIdentityStorage === 'string') {\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n } else {\n key = await ECDSAKeyIdentity.fromKeyPair(maybeIdentityStorage);\n }\n } else if (typeof maybeIdentityStorage === 'string') {\n // This is a legacy identity, which is a serialized Ed25519KeyIdentity.\n key = Ed25519KeyIdentity.fromJSON(maybeIdentityStorage);\n }\n } catch {\n // Ignore this, this means that the localStorage value isn't a valid Ed25519KeyIdentity or ECDSAKeyIdentity\n // serialization.\n }\n }\n }\n\n let identity: SignIdentity \| PartialIdentity = new AnonymousIdentity() as PartialIdentity;\n let chain: null \| DelegationChain = null;\n if (key) {\n try {\n const chainStorage = await storage.get(KEY_STORAGE_DELEGATION);\n if (typeof chainStorage === 'object' && chainStorage !== null) {\n throw new Error(\n 'Delegation chain is incorrectly stored. A delegation chain should be stored as a string.',\n );\n }\n\n if (options.identity) {\n identity = options.identity;\n } else if (chainStorage) {\n chain = DelegationChain.fromJSON(chainStorage);\n\n // Verify that the delegation isn't expired.\n if (!isDelegationValid(chain)) {\n await _deleteStorage(storage);\n key = null;\n } else {\n // If the key is a public key, then we create a PartialDelegationIdentity.\n if ('toDer' in key) {\n identity = PartialDelegationIdentity.fromDelegation(key, chain);\n // otherwise, we create a DelegationIdentity.\n } else {\n identity = DelegationIdentity.fromDelegation(key, chain);\n }\n }\n }\n } catch (e) {\n console.error(e);\n // If there was a problem loading the chain, delete the key.\n await _deleteStorage(storage);\n key = null;\n }\n }\n let idleManager: IdleManager \| undefined;\n if (options.idleOptions?.disableIdle) {\n idleManager = undefined;\n }\n // if there is a delegation chain or provided identity, setup idleManager\n else if (chain \|\| options.identity) {\n idleManager = IdleManager.create(options.idleOptions);\n }\n\n if (!key) {\n // Create a new key (whether or not one was in storage).\n if (keyType === ED25519_KEY_LABEL) {\n key = Ed25519KeyIdentity.generate();\n } else {\n if (options.storage && keyType === ECDSA_KEY_LABEL) {\n console.warn(\n `You are using a custom storage provider that may not support CryptoKey storage. If you are using a custom storage provider that does not support CryptoKey storage, you should use '${ED25519_KEY_LABEL}' as the key type, as it can serialize to a string`,\n );\n }\n key = await ECDSAKeyIdentity.generate();\n }\n await persistKey(storage, key);\n }\n\n return new AuthClient(identity, key, chain, storage, idleManager, options);\n }\n\n protected constructor(\n private _identity: Identity \| PartialIdentity,\n private _key: SignIdentity \| PartialIdentity,\n private _chain: DelegationChain \| null,\n private _storage: AuthClientStorage,\n public idleManager: IdleManager \| undefined,\n private _createOptions: AuthClientCreateOptions \| undefined,\n // A handle on the IdP window.\n private _idpWindow?: Window,\n // The event handler for processing events from the IdP.\n private _eventHandler?: (event: MessageEvent) => void,\n ) {\n this._registerDefaultIdleCallback();\n }\n\n private _registerDefaultIdleCallback() {\n const idleOptions = this._createOptions?.idleOptions;\n /\n Default behavior is to clear stored identity and reload the page.\n * By either setting the disableDefaultIdleCallback flag or passing in a custom idle callback, we will ignore this config\n /\n if (!idleOptions?.onIdle && !idleOptions?.disableDefaultIdleCallback) {\n this.idleManager?.registerCallback(() => {\n this.logout();\n location.reload();\n });\n }\n }\n\n private async _handleSuccess(\n message: InternetIdentityAuthResponseSuccess,\n onSuccess?: OnSuccessFunc,\n ) {\n const delegations = message.delegations.map((signedDelegation) => {\n return {\n delegation: new Delegation(\n signedDelegation.delegation.pubkey,\n signedDelegation.delegation.expiration,\n signedDelegation.delegation.targets,\n ),\n signature: signedDelegation.signature as Signature,\n };\n });\n\n const delegationChain = DelegationChain.fromDelegations(\n delegations,\n message.userPublicKey as DerEncodedPublicKey,\n );\n\n const key = this._key;\n if (!key) {\n return;\n }\n\n this._chain = delegationChain;\n\n if ('toDer' in key) {\n this._identity = PartialDelegationIdentity.fromDelegation(key, this._chain);\n } else {\n this._identity = DelegationIdentity.fromDelegation(key, this._chain);\n }\n\n this._idpWindow?.close();\n const idleOptions = this._createOptions?.idleOptions;\n // create the idle manager on a successful login if we haven't disabled it\n // and it doesn't already exist.\n if (!this.idleManager && !idleOptions?.disableIdle) {\n this.idleManager = IdleManager.create(idleOptions);\n this._registerDefaultIdleCallback();\n }\n\n this._removeEventListener();\n delete this._idpWindow;\n\n if (this._chain) {\n await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));\n }\n\n // Ensure the stored key in persistent storage matches the in-memory key that\n // was used to obtain the delegation. This avoids key/delegation mismatches\n // across multiple tabs overwriting each other's cached keys.\n await persistKey(this._storage, this._key);\n\n // onSuccess should be the last thing to do to avoid consumers\n // interfering by navigating or refreshing the page\n onSuccess?.(message);\n }\n\n public getIdentity(): Identity {\n return this._identity;\n }\n\n public async isAuthenticated(): Promise<boolean> {\n return (\n !this.getIdentity().getPrincipal().isAnonymous() &&\n this._chain !== null &&\n isDelegationValid(this._chain)\n );\n }\n\n /\n AuthClient Login - Opens up a new window to authenticate with Internet Identity\n * @param {AuthClientLoginOptions} options - Options for logging in, merged with the options set during creation if any. Note: we only perform a shallow merge for the `customValues` property.\n * @param options.identityProvider Identity provider\n * @param options.maxTimeToLive Expiration of the authentication in nanoseconds\n * @param options.allowPinAuthentication If present, indicates whether or not the Identity Provider should allow the user to authenticate and/or register using a temporary key/PIN identity. Authenticating dapps may want to prevent users from using Temporary keys/PIN identities because Temporary keys/PIN identities are less secure than Passkeys (webauthn credentials) and because Temporary keys/PIN identities generally only live in a browser database (which may get cleared by the browser/OS).\n * @param options.derivationOrigin Origin for Identity Provider to use while generating the delegated identity\n * @param options.windowOpenerFeatures Configures the opened authentication window\n * @param options.onSuccess Callback once login has completed\n * @param options.onError Callback in case authentication fails\n * @param options.customValues Extra values to be passed in the login request during the authorize-ready phase. Note: we only perform a shallow merge for the `customValues` property.\n * @example\n * const authClient = await AuthClient.create();\n * authClient.login({\n * identityProvider: 'http://<canisterID>.127.0.0.1:8000',\n * maxTimeToLive: BigInt (7) * BigInt(24) * BigInt(3_600_000_000_000), // 1 week\n * windowOpenerFeatures: \"toolbar=0,location=0,menubar=0,width=500,height=500,left=100,top=100\",\n * onSuccess: () => {\n * console.log('Login Successful!');\n * },\n * onError: (error) => {\n * console.error('Login Failed: ', error);\n * }\n * });\n */\n public async login(options?: AuthClientLoginOptions): Promise<void> {\n // Merge the passed options with the options set during creation\n const loginOptions = mergeLoginOptions(this._createOptions?.loginOptions, options);\n\n // Set default maxTimeToLive to 8 hours\n const maxTimeToLive = loginOptions?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;\n\n // Create the URL of the IDP. (e.g. https://XXXX/#authorize)\n const identityProviderUrl = new URL(\n loginOptions?.identityProvider?.toString() \|\| IDENTITY_PROVIDER_DEFAULT,\n );\n // Set the correct hash if it isn't already set.\n identityProviderUrl.hash = IDENTITY_PROVIDER_ENDPOINT;\n\n // If `login` has been called previously, then close/remove any previous windows\n // and event listeners.\n this._idpWindow?.close();\n this._removeEventListener();\n\n // Add an event listener to handle responses.\n this._eventHandler = this._getEventHandler(identityProviderUrl, {\n maxTimeToLive,\n ...loginOptions,\n });\n window.addEventListener('message', this._eventHandler);\n\n // Open a new window with the IDP provider.\n this._idpWindow =\n window.open(\n identityProviderUrl.toString(),\n 'idpWindow',\n loginOptions?.windowOpenerFeatures,\n ) ?? undefined;\n\n // Check if the _idpWindow is closed by user.\n const checkInterruption = (): void => {\n // The _idpWindow is opened and not yet closed by the client\n if (this._idpWindow) {\n if (this._idpWindow.closed) {\n this._handleFailure(ERROR_USER_INTERRUPT, loginOptions?.onError);\n } else {\n setTimeout(checkInterruption, INTERRUPT_CHECK_INTERVAL);\n }\n }\n };\n checkInterruption();\n }\n\n public async loginWithIcrc29(options?: AuthClientLoginOptions): Promise<void> {\n // Merge the passed options with the options set during creation\n const loginOptions = mergeLoginOptions(this._createOptions?.loginOptions, options);\n\n // Set default maxTimeToLive to 8 hours\n const maxTimeToLive = loginOptions?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;\n\n // Create the URL of the IDP. (e.g. https://XXXX/authorize?openid=<selected-open-id>)\n const identityProviderUrl = new URL(\n loginOptions?.identityProvider?.toString() \|\| IDENTITY_PROVIDER_ICRC29_DEFAULT,\n );\n\n // If `login` has been called previously, then close previous channels.\n this._signer?.closeChannel();\n\n const transport = new PostMessageTransport({\n url: identityProviderUrl.toString(),\n windowOpenerFeatures: loginOptions?.windowOpenerFeatures,\n });\n this._signer = new Signer({\n transport,\n derivationOrigin: loginOptions?.derivationOrigin?.toString(),\n });\n\n const key = this._key;\n if (!key) {\n return;\n }\n\n const delegation = await this._signer.delegation({\n publicKey: this._key.getPublicKey().toDer(),\n maxTimeToLive,\n });\n\n this._chain = delegation;\n\n if ('toDer' in key) {\n this._identity = PartialDelegationIdentity.fromDelegation(key, this._chain);\n } else {\n this._identity = DelegationIdentity.fromDelegation(key, this._chain);\n }\n\n if (this._chain) {\n await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));\n }\n\n options?.onSuccess?.({\n kind: 'authorize-client-success',\n delegations: delegation.delegations,\n userPublicKey: this._key?.getPublicKey().toDer(),\n authnMethod: 'passkey',\n });\n }\n\n private _getEventHandler(identityProviderUrl: URL, options?: AuthClientLoginOptions) {\n return async (event: MessageEvent) => {\n if (event.origin !== identityProviderUrl.origin) {\n // Ignore any event that is not from the identity provider\n return;\n }\n\n const message = event.data as IdentityServiceResponseMessage;\n\n switch (message.kind) {\n case 'authorize-ready': {\n // IDP is ready. Send a message to request authorization.\n const request: InternetIdentityAuthRequest = {\n kind: 'authorize-client',\n sessionPublicKey: new Uint8Array(this._key?.getPublicKey().toDer()),\n maxTimeToLive: options?.maxTimeToLive,\n allowPinAuthentication: options?.allowPinAuthentication,\n derivationOrigin: options?.derivationOrigin?.toString(),\n // Pass any custom values to the IDP.\n ...options?.customValues,\n };\n this._idpWindow?.postMessage(request, identityProviderUrl.origin);\n break;\n }\n case 'authorize-client-success':\n // Create the delegation chain and store it.\n try {\n await this._handleSuccess(message, options?.onSuccess);\n } catch (err) {\n this._handleFailure((err as Error).message, options?.onError);\n }\n break;\n case 'authorize-client-failure':\n this._handleFailure(message.text, options?.onError);\n break;\n default:\n break;\n }\n };\n }\n\n private _handleFailure(errorMessage?: string, onError?: (error?: string) => void): void {\n this._idpWindow?.close();\n onError?.(errorMessage);\n this._removeEventListener();\n delete this._idpWindow;\n }\n\n private _removeEventListener() {\n if (this._eventHandler) {\n window.removeEventListener('message', this._eventHandler);\n }\n this._eventHandler = undefined;\n }\n\n public async logout(options: { returnTo?: string } = {}): Promise<void> {\n await _deleteStorage(this._storage);\n\n // Reset this auth client to a non-authenticated state.\n this._identity = new AnonymousIdentity();\n this._chain = null;\n\n if (options.returnTo) {\n try {\n window.history.pushState({}, '', options.returnTo);\n } catch {\n window.location.href = options.returnTo;\n }\n }\n }\n}\n\nasync function _deleteStorage(storage: AuthClientStorage) {\n await storage.remove(KEY_STORAGE_KEY);\n await storage.remove(KEY_STORAGE_DELEGATION);\n await storage.remove(KEY_VECTOR);\n}\n\nfunction mergeLoginOptions(\n loginOptions: AuthClientLoginOptions \| undefined,\n otherLoginOptions: AuthClientLoginOptions \| undefined,\n): AuthClientLoginOptions \| undefined {\n if (!loginOptions && !otherLoginOptions) {\n return undefined;\n }\n\n const customValues =\n loginOptions?.customValues \|\| otherLoginOptions?.customValues\n ? {\n ...loginOptions?.customValues,\n ...otherLoginOptions?.customValues,\n }\n : undefined;\n\n return {\n ...loginOptions,\n ...otherLoginOptions,\n customValues,\n };\n}\n\nfunction toStoredKey(key: SignIdentity \| PartialIdentity): StoredKey {\n if (key instanceof ECDSAKeyIdentity) {\n return key.getKeyPair();\n }\n if (key instanceof Ed25519KeyIdentity) {\n return JSON.stringify(key.toJSON());\n }\n throw new Error('Unsupported key type');\n}\n\nasync function persistKey(\n storage: AuthClientStorage,\n key: SignIdentity \| PartialIdentity,\n): Promise<void> {\n const serialized = toStoredKey(key);\n await storage.set(KEY_STORAGE_KEY, serialized);\n}\n"],"names":[],"mappings":";;;;;;AA+BA,MAAM,yBAAyB,OAAO,GAAa;AACnD,MAAM,mBAAmB,OAAO,IAAK;AACrC,MAAM,uBAAuB,yBAAyB;AAEtD,MAAM,4BAA4B;AAClC,MAAM,6BAA6B;AACnC,MAAM,mCAAmC;AAEzC,MAAM,2BAA2B,OAAO,CAAC,IAAI;AAE7C,MAAM,kBAAkB;AACxB,MAAM,oBAAoB;AAG1B,MAAM,2BAA2B;AAE1B,MAAM,uBAAuB;AAoJ7B,MAAM,WAAW;AAAA,EAuIZ,YACA,WACA,MACA,QACA,UACD,aACC,gBAEA,YAEA,eACR;AAVQ,SAAA,YAAA;AACA,SAAA,OAAA;AACA,SAAA,SAAA;AACA,SAAA,WAAA;AACD,SAAA,cAAA;AACC,SAAA,iBAAA;AAEA,SAAA,aAAA;AAEA,SAAA,gBAAA;AAER,SAAK,6BAAA;AAAA,EACP;AAAA,EAnJQ,UAAoD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqB5D,aAAoB,OAAO,UAAmC,IAAyB;AACrF,UAAM,UAAU,QAAQ,WAAW,IAAI,WAAA;AACvC,UAAM,UAAU,QAAQ,WAAW;AAEnC,QAAI,MAA6C;AACjD,QAAI,QAAQ,UAAU;AACpB,YAAM,QAAQ;AAAA,IAChB,OAAO;AACL,UAAI,uBAAuB,MAAM,QAAQ,IAAI,eAAe;AAC5D,UAAI,CAAC,sBAAsB;AAEzB,YAAI;AACF,gBAAM,uBAAuB,IAAI,aAAA;AACjC,gBAAM,aAAa,MAAM,qBAAqB,IAAI,sBAAsB;AACxE,gBAAM,WAAW,MAAM,qBAAqB,IAAI,eAAe;AAE/D,cAAI,cAAc,YAAY,YAAY,iBAAiB;AACzD,oBAAQ,IAAI,uEAAuE;AACnF,kBAAM,QAAQ,IAAI,wBAAwB,UAAU;AACpD,kBAAM,QAAQ,IAAI,iBAAiB,QAAQ;AAE3C,mCAAuB;AAEvB,kBAAM,qBAAqB,OAAO,sBAAsB;AACxD,kBAAM,qBAAqB,OAAO,eAAe;AAAA,UACnD;AAAA,QACF,SAAS,OAAO;AACd,kBAAQ,MAAM,mDAAmD,KAAK,EAAE;AAAA,QAC1E;AAAA,MACF;AACA,UAAI,sBAAsB;AACxB,YAAI;AACF,cAAI,OAAO,yBAAyB,UAAU;AAC5C,gBAAI,YAAY,qBAAqB,OAAO,yBAAyB,UAAU;AAC7E,oBAAM,mBAAmB,SAAS,oBAAoB;AAAA,YACxD,OAAO;AACL,oBAAM,MAAM,iBAAiB,YAAY,oBAAoB;AAAA,YAC/D;AAAA,UACF,WAAW,OAAO,yBAAyB,UAAU;AAEnD,kBAAM,mBAAmB,SAAS,oBAAoB;AAAA,UACxD;AAAA,QACF,QAAQ;AAAA,QAGR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,WAA2C,IAAI,kBAAA;AACnD,QAAI,QAAgC;AACpC,QAAI,KAAK;AACP,UAAI;AACF,cAAM,eAAe,MAAM,QAAQ,IAAI,sBAAsB;AAC7D,YAAI,OAAO,iBAAiB,YAAY,iBAAiB,MAAM;AAC7D,gBAAM,IAAI;AAAA,YACR;AAAA,UAAA;AAAA,QAEJ;AAEA,YAAI,QAAQ,UAAU;AACpB,qBAAW,QAAQ;AAAA,QACrB,WAAW,cAAc;AACvB,kBAAQ,gBAAgB,SAAS,YAAY;AAG7C,cAAI,CAAC,kBAAkB,KAAK,GAAG;AAC7B,kBAAM,eAAe,OAAO;AAC5B,kBAAM;AAAA,UACR,OAAO;AAEL,gBAAI,WAAW,KAAK;AAClB,yBAAW,0BAA0B,eAAe,KAAK,KAAK;AAAA,YAEhE,OAAO;AACL,yBAAW,mBAAmB,eAAe,KAAK,KAAK;AAAA,YACzD;AAAA,UACF;AAAA,QACF;AAAA,MACF,SAAS,GAAG;AACV,gBAAQ,MAAM,CAAC;AAEf,cAAM,eAAe,OAAO;AAC5B,cAAM;AAAA,MACR;AAAA,IACF;AACA,QAAI;AACJ,QAAI,QAAQ,aAAa,aAAa;AACpC,oBAAc;AAAA,IAChB,WAES,SAAS,QAAQ,UAAU;AAClC,oBAAc,YAAY,OAAO,QAAQ,WAAW;AAAA,IACtD;AAEA,QAAI,CAAC,KAAK;AAER,UAAI,YAAY,mBAAmB;AACjC,cAAM,mBAAmB,SAAA;AAAA,MAC3B,OAAO;AACL,YAAI,QAAQ,WAAW,YAAY,iBAAiB;AAClD,kBAAQ;AAAA,YACN,uLAAuL,iBAAiB;AAAA,UAAA;AAAA,QAE5M;AACA,cAAM,MAAM,iBAAiB,SAAA;AAAA,MAC/B;AACA,YAAM,WAAW,SAAS,GAAG;AAAA,IAC/B;AAEA,WAAO,IAAI,WAAW,UAAU,KAAK,OAAO,SAAS,aAAa,OAAO;AAAA,EAC3E;AAAA,EAiBQ,+BAA+B;AACrC,UAAM,cAAc,KAAK,gBAAgB;AAKzC,QAAI,CAAC,aAAa,UAAU,CAAC,aAAa,4BAA4B;AACpE,WAAK,aAAa,iBAAiB,MAAM;AACvC,aAAK,OAAA;AACL,iBAAS,OAAA;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EAEA,MAAc,eACZ,SACA,WACA;AACA,UAAM,cAAc,QAAQ,YAAY,IAAI,CAAC,qBAAqB;AAChE,aAAO;AAAA,QACL,YAAY,IAAI;AAAA,UACd,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,UAC5B,iBAAiB,WAAW;AAAA,QAAA;AAAA,QAE9B,WAAW,iBAAiB;AAAA,MAAA;AAAA,IAEhC,CAAC;AAED,UAAM,kBAAkB,gBAAgB;AAAA,MACtC;AAAA,MACA,QAAQ;AAAA,IAAA;AAGV,UAAM,MAAM,KAAK;AACjB,QAAI,CAAC,KAAK;AACR;AAAA,IACF;AAEA,SAAK,SAAS;AAEd,QAAI,WAAW,KAAK;AAClB,WAAK,YAAY,0BAA0B,eAAe,KAAK,KAAK,MAAM;AAAA,IAC5E,OAAO;AACL,WAAK,YAAY,mBAAmB,eAAe,KAAK,KAAK,MAAM;AAAA,IACrE;AAEA,SAAK,YAAY,MAAA;AACjB,UAAM,cAAc,KAAK,gBAAgB;AAGzC,QAAI,CAAC,KAAK,eAAe,CAAC,aAAa,aAAa;AAClD,WAAK,cAAc,YAAY,OAAO,WAAW;AACjD,WAAK,6BAAA;AAAA,IACP;AAEA,SAAK,qBAAA;AACL,WAAO,KAAK;AAEZ,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,SAAS,IAAI,wBAAwB,KAAK,UAAU,KAAK,OAAO,OAAA,CAAQ,CAAC;AAAA,IACtF;AAKA,UAAM,WAAW,KAAK,UAAU,KAAK,IAAI;AAIzC,gBAAY,OAAO;AAAA,EACrB;AAAA,EAEO,cAAwB;AAC7B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAa,kBAAoC;AAC/C,WACE,CAAC,KAAK,cAAc,aAAA,EAAe,YAAA,KACnC,KAAK,WAAW,QAChB,kBAAkB,KAAK,MAAM;AAAA,EAEjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAa,MAAM,SAAiD;AAElE,UAAM,eAAe,kBAAkB,KAAK,gBAAgB,cAAc,OAAO;AAGjF,UAAM,gBAAgB,cAAc,iBAAiB;AAGrD,UAAM,sBAAsB,IAAI;AAAA,MAC9B,cAAc,kBAAkB,cAAc;AAAA,IAAA;AAGhD,wBAAoB,OAAO;AAI3B,SAAK,YAAY,MAAA;AACjB,SAAK,qBAAA;AAGL,SAAK,gBAAgB,KAAK,iBAAiB,qBAAqB;AAAA,MAC9D;AAAA,MACA,GAAG;AAAA,IAAA,CACJ;AACD,WAAO,iBAAiB,WAAW,KAAK,aAAa;AAGrD,SAAK,aACH,OAAO;AAAA,MACL,oBAAoB,SAAA;AAAA,MACpB;AAAA,MACA,cAAc;AAAA,IAAA,KACX;AAGP,UAAM,oBAAoB,MAAY;AAEpC,UAAI,KAAK,YAAY;AACnB,YAAI,KAAK,WAAW,QAAQ;AAC1B,eAAK,eAAe,sBAAsB,cAAc,OAAO;AAAA,QACjE,OAAO;AACL,qBAAW,mBAAmB,wBAAwB;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AACA,sBAAA;AAAA,EACF;AAAA,EAEA,MAAa,gBAAgB,SAAiD;AAE5E,UAAM,eAAe,kBAAkB,KAAK,gBAAgB,cAAc,OAAO;AAGjF,UAAM,gBAAgB,cAAc,iBAAiB;AAGrD,UAAM,sBAAsB,IAAI;AAAA,MAC9B,cAAc,kBAAkB,cAAc;AAAA,IAAA;AAIhD,SAAK,SAAS,aAAA;AAEd,UAAM,YAAY,IAAI,qBAAqB;AAAA,MACzC,KAAK,oBAAoB,SAAA;AAAA,MACzB,sBAAsB,cAAc;AAAA,IAAA,CACrC;AACD,SAAK,UAAU,IAAI,OAAO;AAAA,MACxB;AAAA,MACA,kBAAkB,cAAc,kBAAkB,SAAA;AAAA,IAAS,CAC5D;AAED,UAAM,MAAM,KAAK;AACjB,QAAI,CAAC,KAAK;AACR;AAAA,IACF;AAEA,UAAM,aAAa,MAAM,KAAK,QAAQ,WAAW;AAAA,MAC/C,WAAW,KAAK,KAAK,aAAA,EAAe,MAAA;AAAA,MACpC;AAAA,IAAA,CACD;AAED,SAAK,SAAS;AAEd,QAAI,WAAW,KAAK;AAClB,WAAK,YAAY,0BAA0B,eAAe,KAAK,KAAK,MAAM;AAAA,IAC5E,OAAO;AACL,WAAK,YAAY,mBAAmB,eAAe,KAAK,KAAK,MAAM;AAAA,IACrE;AAEA,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,SAAS,IAAI,wBAAwB,KAAK,UAAU,KAAK,OAAO,OAAA,CAAQ,CAAC;AAAA,IACtF;AAEA,aAAS,YAAY;AAAA,MACnB,MAAM;AAAA,MACN,aAAa,WAAW;AAAA,MACxB,eAAe,KAAK,MAAM,aAAA,EAAe,MAAA;AAAA,MACzC,aAAa;AAAA,IAAA,CACd;AAAA,EACH;AAAA,EAEQ,iBAAiB,qBAA0B,SAAkC;AACnF,WAAO,OAAO,UAAwB;AACpC,UAAI,MAAM,WAAW,oBAAoB,QAAQ;AAE/C;AAAA,MACF;AAEA,YAAM,UAAU,MAAM;AAEtB,cAAQ,QAAQ,MAAA;AAAA,QACd,KAAK,mBAAmB;AAEtB,gBAAM,UAAuC;AAAA,YAC3C,MAAM;AAAA,YACN,kBAAkB,IAAI,WAAW,KAAK,MAAM,aAAA,EAAe,OAAO;AAAA,YAClE,eAAe,SAAS;AAAA,YACxB,wBAAwB,SAAS;AAAA,YACjC,kBAAkB,SAAS,kBAAkB,SAAA;AAAA;AAAA,YAE7C,GAAG,SAAS;AAAA,UAAA;AAEd,eAAK,YAAY,YAAY,SAAS,oBAAoB,MAAM;AAChE;AAAA,QACF;AAAA,QACA,KAAK;AAEH,cAAI;AACF,kBAAM,KAAK,eAAe,SAAS,SAAS,SAAS;AAAA,UACvD,SAAS,KAAK;AACZ,iBAAK,eAAgB,IAAc,SAAS,SAAS,OAAO;AAAA,UAC9D;AACA;AAAA,QACF,KAAK;AACH,eAAK,eAAe,QAAQ,MAAM,SAAS,OAAO;AAClD;AAAA,MAEA;AAAA,IAEN;AAAA,EACF;AAAA,EAEQ,eAAe,cAAuB,SAA0C;AACtF,SAAK,YAAY,MAAA;AACjB,cAAU,YAAY;AACtB,SAAK,qBAAA;AACL,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,uBAAuB;AAC7B,QAAI,KAAK,eAAe;AACtB,aAAO,oBAAoB,WAAW,KAAK,aAAa;AAAA,IAC1D;AACA,SAAK,gBAAgB;AAAA,EACvB;AAAA,EAEA,MAAa,OAAO,UAAiC,IAAmB;AACtE,UAAM,eAAe,KAAK,QAAQ;AAGlC,SAAK,YAAY,IAAI,kBAAA;AACrB,SAAK,SAAS;AAEd,QAAI,QAAQ,UAAU;AACpB,UAAI;AACF,eAAO,QAAQ,UAAU,CAAA,GAAI,IAAI,QAAQ,QAAQ;AAAA,MACnD,QAAQ;AACN,eAAO,SAAS,OAAO,QAAQ;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAe,eAAe,SAA4B;AACxD,QAAM,QAAQ,OAAO,eAAe;AACpC,QAAM,QAAQ,OAAO,sBAAsB;AAC3C,QAAM,QAAQ,OAAO,UAAU;AACjC;AAEA,SAAS,kBACP,cACA,mBACoC;AACpC,MAAI,CAAC,gBAAgB,CAAC,mBAAmB;AACvC,WAAO;AAAA,EACT;AAEA,QAAM,eACJ,cAAc,gBAAgB,mBAAmB,eAC7C;AAAA,IACE,GAAG,cAAc;AAAA,IACjB,GAAG,mBAAmB;AAAA,EAAA,IAExB;AAEN,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,IACH;AAAA,EAAA;AAEJ;AAEA,SAAS,YAAY,KAAgD;AACnE,MAAI,eAAe,kBAAkB;AACnC,WAAO,IAAI,WAAA;AAAA,EACb;AACA,MAAI,eAAe,oBAAoB;AACrC,WAAO,KAAK,UAAU,IAAI,OAAA,CAAQ;AAAA,EACpC;AACA,QAAM,IAAI,MAAM,sBAAsB;AACxC;AAEA,eAAe,WACb,SACA,KACe;AACf,QAAM,aAAa,YAAY,GAAG;AAClC,QAAM,QAAQ,IAAI,iBAAiB,UAAU;AAC/C;"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@icp-sdk/auth",
-  "version": "4.0.1",
+  "version": "4.1.0",
   "author": "DFINITY Stiftung <sdk@dfinity.org>",
   "license": "Apache-2.0",
   "description": "Authentication library for Internet Computer web apps",
@@ -56,7 +56,9 @@
     "@icp-sdk/core": "^4.0.4"
   },
   "dependencies": {
-    "idb": "^7.1.1"
+    "idb": "^7.1.1",
+    "@slide-computer/signer": "^4.0.0",
+    "@slide-computer/signer-web": "^4.0.0"
   },
   "scripts": {
     "build": "vite build && pnpm lint:package",

package/src/client/auth-client.ts CHANGED Viewed

@@ -16,6 +16,8 @@ import {
   type PartialIdentity,
 } from '@icp-sdk/core/identity';
 import type { Principal } from '@icp-sdk/core/principal';
+import { Signer } from '@slide-computer/signer';
+import { PostMessageTransport } from '@slide-computer/signer-web';
 import { IdleManager, type IdleManagerOptions } from './idle-manager.ts';
 import {
   type AuthClientStorage,
@@ -24,6 +26,7 @@ import {
   KEY_STORAGE_KEY,
   KEY_VECTOR,
   LocalStorage,
+  type StoredKey,
 } from './storage.ts';
 const NANOSECONDS_PER_SECOND = BigInt(1_000_000_000);
@@ -32,6 +35,7 @@ const NANOSECONDS_PER_HOUR = NANOSECONDS_PER_SECOND * SECONDS_PER_HOUR;
 const IDENTITY_PROVIDER_DEFAULT = 'https://identity.internetcomputer.org';
 const IDENTITY_PROVIDER_ENDPOINT = '#authorize';
+const IDENTITY_PROVIDER_ICRC29_DEFAULT = 'https://id.ai/authorize';
 const DEFAULT_MAX_TIME_TO_LIVE = BigInt(8) * NANOSECONDS_PER_HOUR;
@@ -190,6 +194,8 @@ type AuthResponse = AuthResponseSuccess | AuthResponseFailure;
  * @see {@link AuthClient}
  */
 export class AuthClient {
+  private _signer: Signer<PostMessageTransport> | undefined = undefined;
   /**
    * Create an AuthClient to manage authentication and identity
    * @param {AuthClientCreateOptions} options - Options for creating an {@link AuthClient}
@@ -308,7 +314,6 @@ export class AuthClient {
       // Create a new key (whether or not one was in storage).
       if (keyType === ED25519_KEY_LABEL) {
         key = Ed25519KeyIdentity.generate();
-        await storage.set(KEY_STORAGE_KEY, JSON.stringify((key as Ed25519KeyIdentity).toJSON()));
       } else {
         if (options.storage && keyType === ECDSA_KEY_LABEL) {
           console.warn(
@@ -316,8 +321,8 @@ export class AuthClient {
           );
         }
         key = await ECDSAKeyIdentity.generate();
-        await storage.set(KEY_STORAGE_KEY, (key as ECDSAKeyIdentity).getKeyPair());
       }
+      await persistKey(storage, key);
     }
     return new AuthClient(identity, key, chain, storage, idleManager, options);
@@ -401,6 +406,11 @@ export class AuthClient {
       await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));
     }
+    // Ensure the stored key in persistent storage matches the in-memory key that
+    // was used to obtain the delegation. This avoids key/delegation mismatches
+    // across multiple tabs overwriting each other's cached keys.
+    await persistKey(this._storage, this._key);
     // onSuccess should be the last thing to do to avoid consumers
     // interfering by navigating or refreshing the page
     onSuccess?.(message);
@@ -491,6 +501,60 @@ export class AuthClient {
     checkInterruption();
   }
+  public async loginWithIcrc29(options?: AuthClientLoginOptions): Promise<void> {
+    // Merge the passed options with the options set during creation
+    const loginOptions = mergeLoginOptions(this._createOptions?.loginOptions, options);
+    // Set default maxTimeToLive to 8 hours
+    const maxTimeToLive = loginOptions?.maxTimeToLive ?? DEFAULT_MAX_TIME_TO_LIVE;
+    // Create the URL of the IDP. (e.g. https://XXXX/authorize?openid=<selected-open-id>)
+    const identityProviderUrl = new URL(
+      loginOptions?.identityProvider?.toString() || IDENTITY_PROVIDER_ICRC29_DEFAULT,
+    );
+    // If `login` has been called previously, then close previous channels.
+    this._signer?.closeChannel();
+    const transport = new PostMessageTransport({
+      url: identityProviderUrl.toString(),
+      windowOpenerFeatures: loginOptions?.windowOpenerFeatures,
+    });
+    this._signer = new Signer({
+      transport,
+      derivationOrigin: loginOptions?.derivationOrigin?.toString(),
+    });
+    const key = this._key;
+    if (!key) {
+      return;
+    }
+    const delegation = await this._signer.delegation({
+      publicKey: this._key.getPublicKey().toDer(),
+      maxTimeToLive,
+    });
+    this._chain = delegation;
+    if ('toDer' in key) {
+      this._identity = PartialDelegationIdentity.fromDelegation(key, this._chain);
+    } else {
+      this._identity = DelegationIdentity.fromDelegation(key, this._chain);
+    }
+    if (this._chain) {
+      await this._storage.set(KEY_STORAGE_DELEGATION, JSON.stringify(this._chain.toJSON()));
+    }
+    options?.onSuccess?.({
+      kind: 'authorize-client-success',
+      delegations: delegation.delegations,
+      userPublicKey: this._key?.getPublicKey().toDer(),
+      authnMethod: 'passkey',
+    });
+  }
   private _getEventHandler(identityProviderUrl: URL, options?: AuthClientLoginOptions) {
     return async (event: MessageEvent) => {
       if (event.origin !== identityProviderUrl.origin) {
@@ -591,3 +655,21 @@ function mergeLoginOptions(
     customValues,
   };
 }
+function toStoredKey(key: SignIdentity | PartialIdentity): StoredKey {
+  if (key instanceof ECDSAKeyIdentity) {
+    return key.getKeyPair();
+  }
+  if (key instanceof Ed25519KeyIdentity) {
+    return JSON.stringify(key.toJSON());
+  }
+  throw new Error('Unsupported key type');
+}
+async function persistKey(
+  storage: AuthClientStorage,
+  key: SignIdentity | PartialIdentity,
+): Promise<void> {
+  const serialized = toStoredKey(key);
+  await storage.set(KEY_STORAGE_KEY, serialized);
+}