@ledgerhq/ledger-key-ring-protocol 0.5.3-next.0 → 0.5.4-next.2

package/lib/sdk.js

@@ -1,13 +1,4 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -21,14 +12,18 @@ const errors_1 = require("@ledgerhq/errors");
 const errors_2 = require("./errors");
 const auth_1 = require("./auth");
 class SDK {
+    context;
+    hwDeviceProvider;
+    lifecycle;
+    api;
     constructor(context, hwDeviceProvider, lifecyle) {
-        this.jwt = undefined;
-        this.jwtHash = "";
         this.context = context;
         this.hwDeviceProvider = hwDeviceProvider;
         this.lifecycle = lifecyle;
         this.api = (0, api_1.default)(context.apiBaseUrl);
     }
+    jwt = undefined;
+    jwtHash = "";
     withAuth(trustchain, memberCredentials, job, policy, ignorePermissionsChecks) {
         const hash = trustchain.rootId + " " + memberCredentials.pubkey;
         if (this.jwtHash !== hash) {
@@ -50,267 +45,237 @@ class SDK {
             return job(jwt);
         }, this.jwt, () => this.auth(trustchain, memberCredentials), jwt => this.api.refreshAuth(jwt), policy);
     }
-    initMemberCredentials() {
-        return __awaiter(this, void 0, void 0, function* () {
-            const kp = hw_ledger_key_ring_protocol_1.crypto.randomKeypair();
-            return convertKeyPairToLiveCredentials(kp);
-        });
+    async initMemberCredentials() {
+        const kp = hw_ledger_key_ring_protocol_1.crypto.randomKeypair();
+        return convertKeyPairToLiveCredentials(kp);
     }
-    getOrCreateTrustchain(deviceId, memberCredentials, callbacks, topic, currentTrustchain) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a;
-            this.invalidateJwt();
-            let type = types_1.TrustchainResultType.restored;
-            const withJwt = job => this.hwDeviceProvider.withJwt(deviceId, job, "cache", callbacks);
-            const withHw = job => this.hwDeviceProvider.withHw(deviceId, job, callbacks);
-            let trustchains = yield withJwt(this.api.getTrustchains);
-            (_a = callbacks === null || callbacks === void 0 ? void 0 : callbacks.onInitialResponse) === null || _a === void 0 ? void 0 : _a.call(callbacks, trustchains);
-            if (currentTrustchain) {
-                yield this.restoreTrustchain(currentTrustchain, memberCredentials).then(() => {
-                    throw Object.keys(trustchains).includes(currentTrustchain.rootId)
-                        ? new errors_2.TrustchainAlreadyInitialized()
-                        : new errors_2.TrustchainAlreadyInitializedWithOtherSeed();
-                }, () => {
-                    // The user was ejected from the trustchain therefore we can continue
-                });
-            }
-            if (Object.keys(trustchains).length === 0) {
-                (0, logs_1.log)("trustchain", "getOrCreateTrustchain: no trustchain yet, let's create one");
-                type = types_1.TrustchainResultType.created;
-                const streamTree = yield this.hwDeviceProvider.withHw(deviceId, hw => hw_ledger_key_ring_protocol_1.StreamTree.createNewTree(hw, { topic }));
-                yield streamTree.getRoot().resolve(); // double checks the signatures are correct before sending to the backend
-                const commandStream = hw_ledger_key_ring_protocol_1.CommandStreamEncoder.encode(streamTree.getRoot().blocks);
-                yield withJwt(jwt => this.api.postSeed(jwt, hw_ledger_key_ring_protocol_1.crypto.to_hex(commandStream)));
-                // deviceJwt have changed, proactively refresh it
-                yield this.hwDeviceProvider.refreshJwt(deviceId, callbacks);
-                trustchains = yield withJwt(this.api.getTrustchains);
-            }
-            // we find our trustchain root id
-            let trustchainRootId;
-            const trustchainRootPath = "m/";
-            for (const [trustchainId, info] of Object.entries(trustchains)) {
-                for (const path in info) {
-                    if (path === trustchainRootPath) {
-                        trustchainRootId = trustchainId;
-                    }
+    async getOrCreateTrustchain(deviceId, memberCredentials, callbacks, topic, currentTrustchain) {
+        this.invalidateJwt();
+        let type = types_1.TrustchainResultType.restored;
+        const withJwt = job => this.hwDeviceProvider.withJwt(deviceId, job, "cache", callbacks);
+        const withHw = job => this.hwDeviceProvider.withHw(deviceId, job, callbacks);
+        let trustchains = await withJwt(this.api.getTrustchains);
+        callbacks?.onInitialResponse?.(trustchains);
+        if (currentTrustchain) {
+            await this.restoreTrustchain(currentTrustchain, memberCredentials).then(() => {
+                throw Object.keys(trustchains).includes(currentTrustchain.rootId)
+                    ? new errors_2.TrustchainAlreadyInitialized()
+                    : new errors_2.TrustchainAlreadyInitializedWithOtherSeed();
+            }, () => {
+                // The user was ejected from the trustchain therefore we can continue
+            });
+        }
+        if (Object.keys(trustchains).length === 0) {
+            (0, logs_1.log)("trustchain", "getOrCreateTrustchain: no trustchain yet, let's create one");
+            type = types_1.TrustchainResultType.created;
+            const streamTree = await this.hwDeviceProvider.withHw(deviceId, hw => hw_ledger_key_ring_protocol_1.StreamTree.createNewTree(hw, { topic }));
+            await streamTree.getRoot().resolve(); // double checks the signatures are correct before sending to the backend
+            const commandStream = hw_ledger_key_ring_protocol_1.CommandStreamEncoder.encode(streamTree.getRoot().blocks);
+            await withJwt(jwt => this.api.postSeed(jwt, hw_ledger_key_ring_protocol_1.crypto.to_hex(commandStream)));
+            // deviceJwt have changed, proactively refresh it
+            await this.hwDeviceProvider.refreshJwt(deviceId, callbacks);
+            trustchains = await withJwt(this.api.getTrustchains);
+        }
+        // we find our trustchain root id
+        let trustchainRootId;
+        const trustchainRootPath = "m/";
+        for (const [trustchainId, info] of Object.entries(trustchains)) {
+            for (const path in info) {
+                if (path === trustchainRootPath) {
+                    trustchainRootId = trustchainId;
                 }
             }
-            invariant(trustchainRootId, "trustchainRootId should be defined");
-            (0, logs_1.log)("trustchain", "getOrCreateTrustchain rootId=" + trustchainRootId);
-            // make a stream tree from all the trustchains associated to this root id
-            let { streamTree } = yield withJwt(jwt => this.fetchTrustchain(jwt, trustchainRootId));
-            const path = streamTree.getApplicationRootPath(this.context.applicationId);
-            const child = streamTree.getChild(path);
-            let shouldShare = true;
-            if (child) {
-                const resolved = yield child.resolve();
-                const members = resolved.getMembers();
-                shouldShare = !members.some(m => hw_ledger_key_ring_protocol_1.crypto.to_hex(m) === memberCredentials.pubkey); // not already a member
-            }
-            if (shouldShare) {
-                if (type === types_1.TrustchainResultType.restored)
-                    type = types_1.TrustchainResultType.updated;
-                streamTree = yield this.pushMember(streamTree, path, trustchainRootId, withJwt, withHw, {
-                    id: memberCredentials.pubkey,
-                    name: this.context.name,
-                    permissions: hw_ledger_key_ring_protocol_1.Permissions.OWNER,
-                });
-            }
-            const walletSyncEncryptionKey = yield extractEncryptionKey(streamTree, path, memberCredentials);
-            const trustchain = {
-                rootId: trustchainRootId,
-                walletSyncEncryptionKey,
-                applicationPath: path,
-            };
-            return { type, trustchain };
-        });
-    }
-    restoreTrustchain(trustchain, memberCredentials) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { streamTree, applicationRootPath } = yield this.withAuth(trustchain, memberCredentials, jwt => this.fetchTrustchainAndResolve(jwt, trustchain.rootId, this.context.applicationId), "refresh", true);
-            const walletSyncEncryptionKey = yield extractEncryptionKey(streamTree, applicationRootPath, memberCredentials);
-            return {
-                rootId: trustchain.rootId,
-                walletSyncEncryptionKey,
-                applicationPath: applicationRootPath,
-            };
-        });
-    }
-    getMembers(trustchain, memberCredentials) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { resolved } = yield this.withAuth(trustchain, memberCredentials, jwt => this.fetchTrustchainAndResolve(jwt, trustchain.rootId, this.context.applicationId));
-            const members = resolved.getMembersData();
-            if (!members.some(m => m.id === memberCredentials.pubkey)) {
-                throw new errors_2.TrustchainEjected("Not a member of trustchain");
-            }
-            return members;
-        });
-    }
-    removeMember(deviceId, trustchain, memberCredentials, member, callbacks) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a;
-            this.invalidateJwt();
-            const withJwt = job => this.hwDeviceProvider.withJwt(deviceId, job, "cache", callbacks);
-            const withHw = job => this.hwDeviceProvider.withHw(deviceId, job, callbacks);
-            // invariant because the sdk does not support this case, and the UI should not allows it.
-            invariant(memberCredentials.pubkey !== member.id, "removeMember must not be used to remove the current member.");
-            const afterRotation = yield ((_a = this.lifecycle) === null || _a === void 0 ? void 0 : _a.onTrustchainRotation(this, trustchain, memberCredentials));
-            const applicationId = this.context.applicationId;
-            const trustchainId = trustchain.rootId;
-            // eslint-disable-next-line prefer-const
-            let { resolved, streamTree, applicationRootPath } = yield withJwt(jwt => this.fetchTrustchainAndResolve(jwt, trustchainId, applicationId));
-            const members = resolved.getMembersData();
-            const withoutMember = members.filter(m => m.id !== member.id);
-            invariant(withoutMember.length < members.length, "member not found"); // invariant because the UI should not allow this case.
-            const withoutMemberOrMe = withoutMember.filter(m => m.id !== memberCredentials.pubkey);
-            const softwareDevice = getSoftwareDevice(memberCredentials);
-            const newPath = streamTree.getApplicationRootPath(applicationId, 1);
-            // We close the current trustchain with the hardware wallet in order to get a user confirmation of the action
-            const sendCloseStreamToAPI = yield this.closeStream(streamTree, applicationRootPath, trustchainId, withJwt, withHw);
-            // derive a new branch of the tree on the new path
-            streamTree = yield this.pushMember(streamTree, newPath, trustchainId, withJwt, withHw, {
+        }
+        invariant(trustchainRootId, "trustchainRootId should be defined");
+        (0, logs_1.log)("trustchain", "getOrCreateTrustchain rootId=" + trustchainRootId);
+        // make a stream tree from all the trustchains associated to this root id
+        let { streamTree } = await withJwt(jwt => this.fetchTrustchain(jwt, trustchainRootId));
+        const path = streamTree.getApplicationRootPath(this.context.applicationId);
+        const child = streamTree.getChild(path);
+        let shouldShare = true;
+        if (child) {
+            const resolved = await child.resolve();
+            const members = resolved.getMembers();
+            shouldShare = !members.some(m => hw_ledger_key_ring_protocol_1.crypto.to_hex(m) === memberCredentials.pubkey); // not already a member
+        }
+        if (shouldShare) {
+            if (type === types_1.TrustchainResultType.restored)
+                type = types_1.TrustchainResultType.updated;
+            streamTree = await this.pushMember(streamTree, path, trustchainRootId, withJwt, withHw, {
                 id: memberCredentials.pubkey,
                 name: this.context.name,
                 permissions: hw_ledger_key_ring_protocol_1.Permissions.OWNER,
             });
-            // add the remaining members
-            const withSw = (job) => job(softwareDevice);
-            for (const m of withoutMemberOrMe) {
-                streamTree = yield this.pushMember(streamTree, newPath, trustchainId, withJwt, withSw, m);
-            }
-            const walletSyncEncryptionKey = yield extractEncryptionKey(streamTree, newPath, memberCredentials);
-            // we send the close stream to the API only after the new stream is created in case user cancelled the process in the middle.
-            yield sendCloseStreamToAPI();
-            // deviceJwt have changed, proactively refresh it
-            yield this.hwDeviceProvider.refreshJwt(deviceId, callbacks);
-            const newTrustchain = {
-                rootId: trustchainId,
-                walletSyncEncryptionKey,
-                applicationPath: newPath,
-            };
-            if (afterRotation)
-                yield afterRotation(newTrustchain);
-            // refresh the jwt with the new trustchain
-            this.jwt = yield this.withAuth(newTrustchain, memberCredentials, jwt => Promise.resolve(jwt), "refresh");
-            return newTrustchain;
-        });
+        }
+        const walletSyncEncryptionKey = await extractEncryptionKey(streamTree, path, memberCredentials);
+        const trustchain = {
+            rootId: trustchainRootId,
+            walletSyncEncryptionKey,
+            applicationPath: path,
+        };
+        return { type, trustchain };
+    }
+    async restoreTrustchain(trustchain, memberCredentials) {
+        const { streamTree, applicationRootPath } = await this.withAuth(trustchain, memberCredentials, jwt => this.fetchTrustchainAndResolve(jwt, trustchain.rootId, this.context.applicationId), "refresh", true);
+        const walletSyncEncryptionKey = await extractEncryptionKey(streamTree, applicationRootPath, memberCredentials);
+        return {
+            rootId: trustchain.rootId,
+            walletSyncEncryptionKey,
+            applicationPath: applicationRootPath,
+        };
+    }
+    async getMembers(trustchain, memberCredentials) {
+        const { resolved } = await this.withAuth(trustchain, memberCredentials, jwt => this.fetchTrustchainAndResolve(jwt, trustchain.rootId, this.context.applicationId));
+        const members = resolved.getMembersData();
+        if (!members.some(m => m.id === memberCredentials.pubkey)) {
+            throw new errors_2.TrustchainEjected("Not a member of trustchain");
+        }
+        return members;
     }
-    addMember(trustchain, memberCredentials, member) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const withJwt = f => this.withAuth(trustchain, memberCredentials, f);
-            const { streamTree, applicationRootPath } = yield withJwt(jwt => this.fetchTrustchainAndResolve(jwt, trustchain.rootId, this.context.applicationId));
-            const softwareDevice = getSoftwareDevice(memberCredentials);
-            const withSw = (job) => job(softwareDevice);
-            yield this.pushMember(streamTree, applicationRootPath, trustchain.rootId, withJwt, withSw, member);
+    async removeMember(deviceId, trustchain, memberCredentials, member, callbacks) {
+        this.invalidateJwt();
+        const withJwt = job => this.hwDeviceProvider.withJwt(deviceId, job, "cache", callbacks);
+        const withHw = job => this.hwDeviceProvider.withHw(deviceId, job, callbacks);
+        // invariant because the sdk does not support this case, and the UI should not allows it.
+        invariant(memberCredentials.pubkey !== member.id, "removeMember must not be used to remove the current member.");
+        const afterRotation = await this.lifecycle?.onTrustchainRotation(this, trustchain, memberCredentials);
+        const applicationId = this.context.applicationId;
+        const trustchainId = trustchain.rootId;
+        // eslint-disable-next-line prefer-const
+        let { resolved, streamTree, applicationRootPath } = await withJwt(jwt => this.fetchTrustchainAndResolve(jwt, trustchainId, applicationId));
+        const members = resolved.getMembersData();
+        const withoutMember = members.filter(m => m.id !== member.id);
+        invariant(withoutMember.length < members.length, "member not found"); // invariant because the UI should not allow this case.
+        const withoutMemberOrMe = withoutMember.filter(m => m.id !== memberCredentials.pubkey);
+        const softwareDevice = getSoftwareDevice(memberCredentials);
+        const newPath = streamTree.getApplicationRootPath(applicationId, 1);
+        // We close the current trustchain with the hardware wallet in order to get a user confirmation of the action
+        const sendCloseStreamToAPI = await this.closeStream(streamTree, applicationRootPath, trustchainId, withJwt, withHw);
+        // derive a new branch of the tree on the new path
+        streamTree = await this.pushMember(streamTree, newPath, trustchainId, withJwt, withHw, {
+            id: memberCredentials.pubkey,
+            name: this.context.name,
+            permissions: hw_ledger_key_ring_protocol_1.Permissions.OWNER,
         });
+        // add the remaining members
+        const withSw = (job) => job(softwareDevice);
+        for (const m of withoutMemberOrMe) {
+            streamTree = await this.pushMember(streamTree, newPath, trustchainId, withJwt, withSw, m);
+        }
+        const walletSyncEncryptionKey = await extractEncryptionKey(streamTree, newPath, memberCredentials);
+        // we send the close stream to the API only after the new stream is created in case user cancelled the process in the middle.
+        await sendCloseStreamToAPI();
+        // deviceJwt have changed, proactively refresh it
+        await this.hwDeviceProvider.refreshJwt(deviceId, callbacks);
+        const newTrustchain = {
+            rootId: trustchainId,
+            walletSyncEncryptionKey,
+            applicationPath: newPath,
+        };
+        if (afterRotation)
+            await afterRotation(newTrustchain);
+        // refresh the jwt with the new trustchain
+        this.jwt = await this.withAuth(newTrustchain, memberCredentials, jwt => Promise.resolve(jwt), "refresh");
+        return newTrustchain;
+    }
+    async addMember(trustchain, memberCredentials, member) {
+        const withJwt = f => this.withAuth(trustchain, memberCredentials, f);
+        const { streamTree, applicationRootPath } = await withJwt(jwt => this.fetchTrustchainAndResolve(jwt, trustchain.rootId, this.context.applicationId));
+        const softwareDevice = getSoftwareDevice(memberCredentials);
+        const withSw = (job) => job(softwareDevice);
+        await this.pushMember(streamTree, applicationRootPath, trustchain.rootId, withJwt, withSw, member);
     }
     invalidateJwt() {
         this.jwt = undefined;
         this.hwDeviceProvider.clearJwt();
     }
-    destroyTrustchain(trustchain, memberCredentials) {
-        return __awaiter(this, void 0, void 0, function* () {
-            yield this.withAuth(trustchain, memberCredentials, jwt => this.api.deleteTrustchain(jwt, trustchain.rootId));
-            this.invalidateJwt();
-        });
+    async destroyTrustchain(trustchain, memberCredentials) {
+        await this.withAuth(trustchain, memberCredentials, jwt => this.api.deleteTrustchain(jwt, trustchain.rootId));
+        this.invalidateJwt();
     }
-    encryptUserData(trustchain, input) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const key = hw_ledger_key_ring_protocol_1.crypto.from_hex(trustchain.walletSyncEncryptionKey);
-            const encrypted = yield hw_ledger_key_ring_protocol_1.crypto.encryptUserData(key, input);
-            return encrypted;
-        });
+    async encryptUserData(trustchain, input) {
+        const key = hw_ledger_key_ring_protocol_1.crypto.from_hex(trustchain.walletSyncEncryptionKey);
+        const encrypted = await hw_ledger_key_ring_protocol_1.crypto.encryptUserData(key, input);
+        return encrypted;
     }
-    decryptUserData(trustchain, data) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const key = hw_ledger_key_ring_protocol_1.crypto.from_hex(trustchain.walletSyncEncryptionKey);
-            const decrypted = yield hw_ledger_key_ring_protocol_1.crypto.decryptUserData(key, data);
-            return decrypted;
-        });
+    async decryptUserData(trustchain, data) {
+        const key = hw_ledger_key_ring_protocol_1.crypto.from_hex(trustchain.walletSyncEncryptionKey);
+        const decrypted = await hw_ledger_key_ring_protocol_1.crypto.decryptUserData(key, data);
+        return decrypted;
     }
-    fetchTrustchain(jwt, trustchainId) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const trustchainData = yield this.api.getTrustchain(jwt, trustchainId);
-            const streamTree = hw_ledger_key_ring_protocol_1.StreamTree.deserialize(trustchainData);
-            return { streamTree };
-        });
-    }
-    fetchTrustchainAndResolve(jwt, trustchainId, applicationId) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { streamTree } = yield this.fetchTrustchain(jwt, trustchainId);
-            const applicationRootPath = streamTree.getApplicationRootPath(applicationId);
-            const applicationNode = streamTree.getChild(applicationRootPath);
-            invariant(applicationNode, "could not find the application stream.");
-            const resolved = yield applicationNode.resolve();
-            return { resolved, streamTree, applicationRootPath, applicationNode };
-        });
+    async fetchTrustchain(jwt, trustchainId) {
+        const trustchainData = await this.api.getTrustchain(jwt, trustchainId);
+        const streamTree = hw_ledger_key_ring_protocol_1.StreamTree.deserialize(trustchainData);
+        return { streamTree };
     }
-    auth(trustchain, memberCredentials) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const challenge = yield this.api.getAuthenticationChallenge();
-            const data = hw_ledger_key_ring_protocol_1.crypto.from_hex(challenge.tlv);
-            const [parsed, _] = hw_ledger_key_ring_protocol_1.Challenge.fromBytes(data);
-            const hash = yield hw_ledger_key_ring_protocol_1.crypto.hash(parsed.getUnsignedTLV());
-            const keypair = convertLiveCredentialsToKeyPair(memberCredentials);
-            const response = yield this.api
-                .postChallengeResponse({
-                challenge: challenge.json,
-                signature: {
-                    credential: credentialForPubKey(memberCredentials.pubkey),
-                    signature: hw_ledger_key_ring_protocol_1.crypto.to_hex(yield hw_ledger_key_ring_protocol_1.crypto.sign(hash, keypair)),
-                    attestation: hw_ledger_key_ring_protocol_1.crypto.to_hex(liveAuthentication(trustchain.rootId)),
-                },
-            })
-                .catch(e => {
-                if (e instanceof errors_1.LedgerAPI4xx &&
-                    (e.message.includes("Not a member of trustchain") ||
-                        e.message.includes("You are not member"))) {
-                    throw new errors_2.TrustchainEjected(e.message);
-                }
-                throw e;
-            });
-            return response;
-        });
+    async fetchTrustchainAndResolve(jwt, trustchainId, applicationId) {
+        const { streamTree } = await this.fetchTrustchain(jwt, trustchainId);
+        const applicationRootPath = streamTree.getApplicationRootPath(applicationId);
+        const applicationNode = streamTree.getChild(applicationRootPath);
+        invariant(applicationNode, "could not find the application stream.");
+        const resolved = await applicationNode.resolve();
+        return { resolved, streamTree, applicationRootPath, applicationNode };
     }
-    pushMember(streamTree, path, trustchainId, withJwt, withDevice, member) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const isMemberAlreadyInStreamTree = yield isMemberInStreamTree(streamTree, path, member);
-            if (isMemberAlreadyInStreamTree) {
-                return streamTree;
-            }
-            const isNewDerivation = !streamTree.getChild(path);
-            streamTree = yield withDevice(device => streamTree.share(path, device, hw_ledger_key_ring_protocol_1.crypto.from_hex(member.id), member.name, member.permissions));
-            const child = streamTree.getChild(path);
-            invariant(child, "StreamTree.share failed to create the child stream.");
-            yield child.resolve(); // double checks the signatures are correct before sending to the backend
-            if (isNewDerivation) {
-                const commandStream = hw_ledger_key_ring_protocol_1.CommandStreamEncoder.encode(child.blocks);
-                yield withJwt(jwt => this.api.postDerivation(jwt, trustchainId, hw_ledger_key_ring_protocol_1.crypto.to_hex(commandStream)));
-            }
-            else {
-                const commandStream = hw_ledger_key_ring_protocol_1.CommandStreamEncoder.encode([child.blocks[child.blocks.length - 1]]);
-                const request = {
-                    path,
-                    blocks: [hw_ledger_key_ring_protocol_1.crypto.to_hex(commandStream)],
-                };
-                yield withJwt(jwt => this.api.putCommands(jwt, trustchainId, request));
+    async auth(trustchain, memberCredentials) {
+        const challenge = await this.api.getAuthenticationChallenge();
+        const data = hw_ledger_key_ring_protocol_1.crypto.from_hex(challenge.tlv);
+        const [parsed, _] = hw_ledger_key_ring_protocol_1.Challenge.fromBytes(data);
+        const hash = await hw_ledger_key_ring_protocol_1.crypto.hash(parsed.getUnsignedTLV());
+        const keypair = convertLiveCredentialsToKeyPair(memberCredentials);
+        const response = await this.api
+            .postChallengeResponse({
+            challenge: challenge.json,
+            signature: {
+                credential: credentialForPubKey(memberCredentials.pubkey),
+                signature: hw_ledger_key_ring_protocol_1.crypto.to_hex(await hw_ledger_key_ring_protocol_1.crypto.sign(hash, keypair)),
+                attestation: hw_ledger_key_ring_protocol_1.crypto.to_hex(liveAuthentication(trustchain.rootId)),
+            },
+        })
+            .catch(e => {
+            if (e instanceof errors_1.LedgerAPI4xx &&
+                (e.message.includes("Not a member of trustchain") ||
+                    e.message.includes("You are not member"))) {
+                throw new errors_2.TrustchainEjected(e.message);
             }
-            return streamTree;
+            throw e;
         });
+        return response;
     }
-    closeStream(streamTree, path, trustchainId, withJwt, withDevice) {
-        return __awaiter(this, void 0, void 0, function* () {
-            streamTree = yield withDevice(device => streamTree.close(path, device));
-            const child = streamTree.getChild(path);
-            invariant(child, "StreamTree.close failed to create the child stream.");
-            yield child.resolve(); // double checks the signatures are correct before sending to the backend
+    async pushMember(streamTree, path, trustchainId, withJwt, withDevice, member) {
+        const isMemberAlreadyInStreamTree = await isMemberInStreamTree(streamTree, path, member);
+        if (isMemberAlreadyInStreamTree) {
+            return streamTree;
+        }
+        const isNewDerivation = !streamTree.getChild(path);
+        streamTree = await withDevice(device => streamTree.share(path, device, hw_ledger_key_ring_protocol_1.crypto.from_hex(member.id), member.name, member.permissions));
+        const child = streamTree.getChild(path);
+        invariant(child, "StreamTree.share failed to create the child stream.");
+        await child.resolve(); // double checks the signatures are correct before sending to the backend
+        if (isNewDerivation) {
+            const commandStream = hw_ledger_key_ring_protocol_1.CommandStreamEncoder.encode(child.blocks);
+            await withJwt(jwt => this.api.postDerivation(jwt, trustchainId, hw_ledger_key_ring_protocol_1.crypto.to_hex(commandStream)));
+        }
+        else {
             const commandStream = hw_ledger_key_ring_protocol_1.CommandStreamEncoder.encode([child.blocks[child.blocks.length - 1]]);
             const request = {
                 path,
                 blocks: [hw_ledger_key_ring_protocol_1.crypto.to_hex(commandStream)],
             };
-            return () => withJwt(jwt => this.api.putCommands(jwt, trustchainId, request));
-        });
+            await withJwt(jwt => this.api.putCommands(jwt, trustchainId, request));
+        }
+        return streamTree;
+    }
+    async closeStream(streamTree, path, trustchainId, withJwt, withDevice) {
+        streamTree = await withDevice(device => streamTree.close(path, device));
+        const child = streamTree.getChild(path);
+        invariant(child, "StreamTree.close failed to create the child stream.");
+        await child.resolve(); // double checks the signatures are correct before sending to the backend
+        const commandStream = hw_ledger_key_ring_protocol_1.CommandStreamEncoder.encode([child.blocks[child.blocks.length - 1]]);
+        const request = {
+            path,
+            blocks: [hw_ledger_key_ring_protocol_1.crypto.to_hex(commandStream)],
+        };
+        return () => withJwt(jwt => this.api.putCommands(jwt, trustchainId, request));
     }
 }
 exports.SDK = SDK;
@@ -332,22 +297,20 @@ function getSoftwareDevice(memberCredentials) {
     const kp = convertLiveCredentialsToKeyPair(memberCredentials);
     return new hw_ledger_key_ring_protocol_1.SoftwareDevice(kp);
 }
-function extractEncryptionKey(streamTree, path, memberCredentials) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const softwareDevice = getSoftwareDevice(memberCredentials);
-        const pathNumbers = hw_ledger_key_ring_protocol_1.DerivationPath.toIndexArray(path);
-        try {
-            const key = yield softwareDevice.readKey(streamTree, pathNumbers);
-            // private key is in the first 32 bytes
-            return hw_ledger_key_ring_protocol_1.crypto.to_hex(key.slice(0, 32));
-        }
-        catch (e) {
-            if (e instanceof Error) {
-                throw new errors_2.TrustchainEjected(e.message);
-            }
-            throw e;
+async function extractEncryptionKey(streamTree, path, memberCredentials) {
+    const softwareDevice = getSoftwareDevice(memberCredentials);
+    const pathNumbers = hw_ledger_key_ring_protocol_1.DerivationPath.toIndexArray(path);
+    try {
+        const key = await softwareDevice.readKey(streamTree, pathNumbers);
+        // private key is in the first 32 bytes
+        return hw_ledger_key_ring_protocol_1.crypto.to_hex(key.slice(0, 32));
+    }
+    catch (e) {
+        if (e instanceof Error) {
+            throw new errors_2.TrustchainEjected(e.message);
         }
-    });
+        throw e;
+    }
 }
 // spec https://ledgerhq.atlassian.net/wiki/spaces/TA/pages/4335960138/ARCH+LedgerLive+Auth+specifications
 function liveAuthentication(rootId) {
@@ -366,15 +329,13 @@ function invariant(condition, message) {
         throw new Error(message);
     }
 }
-function isMemberInStreamTree(streamTree, path, member) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const child = streamTree.getChild(path);
-        if (!child) {
-            return false;
-        }
-        const resolved = yield child.resolve();
-        const members = resolved.getMembersData();
-        return members.some(m => m.id === member.id);
-    });
+async function isMemberInStreamTree(streamTree, path, member) {
+    const child = streamTree.getChild(path);
+    if (!child) {
+        return false;
+    }
+    const resolved = await child.resolve();
+    const members = resolved.getMembersData();
+    return members.some(m => m.id === member.id);
 }
 //# sourceMappingURL=sdk.js.map