npm - @lumiapassport/ui-kit - Versions diffs - 1.2.0 → 1.3.0 - Mend

@lumiapassport/ui-kit 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/iframe/main.js CHANGED Viewed

@@ -678,6 +678,546 @@ var init_keccak256 = __esm({
   }
 });
+// src/iframe/lib/backup/crypto-utils.ts
+var crypto_utils_exports = {};
+__export(crypto_utils_exports, {
+  base64ToBytes: () => base64ToBytes,
+  bytesToBase64: () => bytesToBase64,
+  bytesToHex: () => bytesToHex2,
+  decryptKeyshare: () => decryptKeyshare,
+  deriveBackupPasswordFromPasskey: () => deriveBackupPasswordFromPasskey,
+  deriveKEKFromPasskey: () => deriveKEKFromPasskey,
+  deriveKeyFromPassword: () => deriveKeyFromPassword,
+  encryptKeyshare: () => encryptKeyshare,
+  envelopeDecryptKeyshare: () => envelopeDecryptKeyshare,
+  envelopeDecryptKeyshareWithPassword: () => envelopeDecryptKeyshareWithPassword,
+  envelopeEncryptKeyshare: () => envelopeEncryptKeyshare,
+  envelopeEncryptKeyshareWithPassword: () => envelopeEncryptKeyshareWithPassword
+});
+function base64ToBytes(base64) {
+  const binaryString = atob(base64);
+  const bytes = new Uint8Array(binaryString.length);
+  for (let i = 0; i < binaryString.length; i++) {
+    bytes[i] = binaryString.charCodeAt(i);
+  }
+  return bytes;
+}
+function bytesToBase64(bytes) {
+  let binary = "";
+  const len = bytes.byteLength;
+  for (let i = 0; i < len; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function bytesToHex2(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function deriveKeyFromPassword(password, salt) {
+  const encoder3 = new TextEncoder();
+  const passwordKey = await crypto.subtle.importKey(
+    "raw",
+    encoder3.encode(password),
+    { name: "PBKDF2" },
+    false,
+    ["deriveBits", "deriveKey"]
+  );
+  return crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: 15e4,
+      hash: "SHA-256"
+    },
+    passwordKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function deriveKEKFromPasskey(userId, requiredCredentialId) {
+  const challenge = crypto.getRandomValues(new Uint8Array(32));
+  const allowCredentials = requiredCredentialId ? [
+    {
+      type: "public-key",
+      id: base64ToBytes(requiredCredentialId),
+      transports: ["internal"]
+    }
+  ] : void 0;
+  const credential = await navigator.credentials.get({
+    publicKey: {
+      challenge,
+      rpId: window.location.hostname,
+      userVerification: "required",
+      allowCredentials,
+      extensions: {
+        prf: {
+          eval: {
+            first: new TextEncoder().encode(`backup-kek-${userId}`)
+          }
+        }
+      }
+    }
+  });
+  if (!credential?.getClientExtensionResults) {
+    throw new Error("Passkey authentication failed");
+  }
+  const prfResults = credential.getClientExtensionResults();
+  if (!prfResults?.prf?.results?.first) {
+    throw new Error("PRF extension not supported or failed");
+  }
+  const resultCredentialId = bytesToBase64(new Uint8Array(credential.rawId));
+  return {
+    kek: prfResults.prf.results.first,
+    credentialId: resultCredentialId
+  };
+}
+async function deriveBackupPasswordFromPasskey(userId, credentialId) {
+  const challenge = crypto.getRandomValues(new Uint8Array(32));
+  const allowCredentials = credentialId ? [
+    {
+      type: "public-key",
+      id: base64ToBytes(credentialId),
+      transports: ["internal"]
+    }
+  ] : void 0;
+  const credential = await navigator.credentials.get({
+    publicKey: {
+      challenge,
+      rpId: window.location.hostname,
+      userVerification: "required",
+      allowCredentials,
+      extensions: {
+        prf: {
+          eval: {
+            first: new TextEncoder().encode(`backup-password-${userId}`)
+          }
+        }
+      }
+    }
+  });
+  if (!credential?.getClientExtensionResults) {
+    throw new Error("Passkey authentication failed");
+  }
+  const prfResults = credential.getClientExtensionResults();
+  if (!prfResults?.prf?.results?.first) {
+    throw new Error("PRF extension not supported or failed");
+  }
+  const prfOutput = new Uint8Array(prfResults.prf.results.first);
+  const password = bytesToBase64(prfOutput);
+  const resultCredentialId = bytesToBase64(
+    new Uint8Array(credential.rawId)
+  );
+  return { password, credentialId: resultCredentialId };
+}
+async function encryptKeyshare(data, password, encryptionMethod, credentialId) {
+  const encoder3 = new TextEncoder();
+  const plaintext = JSON.stringify(data);
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const passwordKey = await crypto.subtle.importKey("raw", encoder3.encode(password), "PBKDF2", false, ["deriveBits"]);
+  const keyMaterial = await crypto.subtle.deriveBits({ name: "PBKDF2", salt, iterations: 1e5, hash: "SHA-256" }, passwordKey, 256);
+  const key = await crypto.subtle.importKey("raw", keyMaterial, "AES-GCM", false, ["encrypt"]);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const encryptedData = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, encoder3.encode(plaintext));
+  const checksumData = `${data.userId}:${data.sessionId}:${encryptionMethod}`;
+  const checksumBuffer = await crypto.subtle.digest("SHA-256", encoder3.encode(checksumData));
+  const checksum = bytesToBase64(new Uint8Array(checksumBuffer));
+  const timestamp = Date.now();
+  return {
+    data: bytesToBase64(new Uint8Array(encryptedData)),
+    iv: bytesToBase64(iv),
+    salt: bytesToBase64(salt),
+    version: "1.0",
+    checksum,
+    magic: "LUMIA_BACKUP_V1",
+    encryptionMethod,
+    createdAt: timestamp,
+    credentialId: encryptionMethod === "passkey" ? credentialId : void 0
+  };
+}
+async function envelopeEncryptKeyshare(data, userId) {
+  const { kek: kekBytes, credentialId } = await deriveKEKFromPasskey(userId);
+  console.log("[envelopeEncryptKeyshare] Using credential ID for encryption:", credentialId);
+  const dek = crypto.getRandomValues(new Uint8Array(32));
+  const kek = await crypto.subtle.importKey("raw", kekBytes, "AES-GCM", false, ["encrypt"]);
+  const plaintext = JSON.stringify(data);
+  const plaintextBytes = new TextEncoder().encode(plaintext);
+  const dekCryptoKey = await crypto.subtle.importKey("raw", dek, "AES-GCM", false, ["encrypt"]);
+  const dataIv = crypto.getRandomValues(new Uint8Array(12));
+  const encryptedData = await crypto.subtle.encrypt({ name: "AES-GCM", iv: dataIv }, dekCryptoKey, plaintextBytes);
+  const wrapIv = crypto.getRandomValues(new Uint8Array(12));
+  const wrappedDekData = await crypto.subtle.encrypt({ name: "AES-GCM", iv: wrapIv }, kek, dek);
+  const ciphertextWithIv = new Uint8Array(dataIv.length + encryptedData.byteLength);
+  ciphertextWithIv.set(dataIv, 0);
+  ciphertextWithIv.set(new Uint8Array(encryptedData), dataIv.length);
+  const wrappedDekWithIv = new Uint8Array(wrapIv.length + wrappedDekData.byteLength);
+  wrappedDekWithIv.set(wrapIv, 0);
+  wrappedDekWithIv.set(new Uint8Array(wrappedDekData), wrapIv.length);
+  return {
+    ciphertext_share: bytesToBase64(ciphertextWithIv),
+    wrapped_dek: bytesToBase64(wrappedDekWithIv),
+    kdf: { prf: "webauthn-prf", hkdf: "hkdf-sha256", info: "client-share" },
+    alg: { data: "aes-256-gcm", wrap: "aes-256-gcm" },
+    aad: { userId: data.userId, version: 1, deviceId: "lumia-ui-kit" },
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    expiresAt: null,
+    encryptionMethod: "passkey",
+    credentialId: credentialId || void 0
+  };
+}
+async function envelopeEncryptKeyshareWithPassword(data, password) {
+  console.log("[envelopeEncryptKeyshareWithPassword] Encrypting with password");
+  const dek = crypto.getRandomValues(new Uint8Array(32));
+  const salt = crypto.getRandomValues(new Uint8Array(16));
+  const kekKey = await deriveKeyFromPassword(password, salt);
+  const plaintext = JSON.stringify(data);
+  const plaintextBytes = new TextEncoder().encode(plaintext);
+  const dekCryptoKey = await crypto.subtle.importKey("raw", dek, "AES-GCM", false, ["encrypt"]);
+  const dataIv = crypto.getRandomValues(new Uint8Array(12));
+  const encryptedData = await crypto.subtle.encrypt({ name: "AES-GCM", iv: dataIv }, dekCryptoKey, plaintextBytes);
+  const wrapIv = crypto.getRandomValues(new Uint8Array(12));
+  const wrappedDekData = await crypto.subtle.encrypt({ name: "AES-GCM", iv: wrapIv }, kekKey, dek);
+  const ciphertextWithIv = new Uint8Array(dataIv.length + encryptedData.byteLength);
+  ciphertextWithIv.set(dataIv, 0);
+  ciphertextWithIv.set(new Uint8Array(encryptedData), dataIv.length);
+  const wrappedDekWithIv = new Uint8Array(salt.length + wrapIv.length + wrappedDekData.byteLength);
+  wrappedDekWithIv.set(salt, 0);
+  wrappedDekWithIv.set(wrapIv, salt.length);
+  wrappedDekWithIv.set(new Uint8Array(wrappedDekData), salt.length + wrapIv.length);
+  return {
+    ciphertext_share: bytesToBase64(ciphertextWithIv),
+    wrapped_dek: bytesToBase64(wrappedDekWithIv),
+    kdf: { prf: "pbkdf2", hkdf: "hkdf-sha256", info: "client-share" },
+    alg: { data: "aes-256-gcm", wrap: "aes-256-gcm" },
+    aad: { userId: data.userId, version: 1, deviceId: "lumia-ui-kit" },
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    expiresAt: null,
+    encryptionMethod: "password"
+  };
+}
+async function envelopeDecryptKeyshare(envelope, userId) {
+  console.log("[iframe][envelopeDecryptKeyshare] Starting decryption process");
+  console.log("[iframe][envelopeDecryptKeyshare] Envelope credential ID:", envelope.credentialId);
+  console.log("[iframe][envelopeDecryptKeyshare] Deriving KEK from passkey...");
+  const { kek: kekBytes } = await deriveKEKFromPasskey(userId, envelope.credentialId);
+  console.log("[iframe][envelopeDecryptKeyshare] KEK bytes length:", kekBytes.byteLength);
+  console.log("[iframe][envelopeDecryptKeyshare] Importing KEK as crypto key...");
+  const kek = await crypto.subtle.importKey("raw", kekBytes, "AES-GCM", false, ["decrypt"]);
+  console.log("[iframe][envelopeDecryptKeyshare] Decrypting wrapped DEK...");
+  const wrappedDekWithIv = base64ToBytes(envelope.wrapped_dek);
+  console.log("[iframe][envelopeDecryptKeyshare] Wrapped DEK with IV length:", wrappedDekWithIv.length);
+  const wrapIv = wrappedDekWithIv.slice(0, 12);
+  const wrappedDekData = wrappedDekWithIv.slice(12);
+  console.log("[iframe][envelopeDecryptKeyshare] Wrap IV length:", wrapIv.length, "Wrapped DEK data length:", wrappedDekData.length);
+  try {
+    const dekBytes = await crypto.subtle.decrypt({ name: "AES-GCM", iv: wrapIv }, kek, wrappedDekData);
+    console.log("[iframe][envelopeDecryptKeyshare] DEK decrypted successfully, length:", dekBytes.byteLength);
+    console.log("[iframe][envelopeDecryptKeyshare] Importing DEK as crypto key...");
+    const dekCryptoKey = await crypto.subtle.importKey("raw", dekBytes, "AES-GCM", false, ["decrypt"]);
+    console.log("[iframe][envelopeDecryptKeyshare] Decrypting main data...");
+    const ciphertextWithIv = base64ToBytes(envelope.ciphertext_share);
+    console.log("[iframe][envelopeDecryptKeyshare] Ciphertext with IV length:", ciphertextWithIv.length);
+    const dataIv = ciphertextWithIv.slice(0, 12);
+    const encryptedData = ciphertextWithIv.slice(12);
+    console.log("[iframe][envelopeDecryptKeyshare] Data IV length:", dataIv.length, "Encrypted data length:", encryptedData.length);
+    const decryptedData = await crypto.subtle.decrypt({ name: "AES-GCM", iv: dataIv }, dekCryptoKey, encryptedData);
+    console.log("[iframe][envelopeDecryptKeyshare] Main data decrypted successfully, length:", decryptedData.byteLength);
+    console.log("[iframe][envelopeDecryptKeyshare] Parsing JSON...");
+    const plaintext = new TextDecoder().decode(decryptedData);
+    const result = JSON.parse(plaintext);
+    console.log("[iframe][envelopeDecryptKeyshare] Decryption completed successfully");
+    return result;
+  } catch (error) {
+    console.error("[iframe][envelopeDecryptKeyshare] Decryption failed:", error);
+    if (error instanceof Error && error.name === "OperationError") {
+      const credentialHint = envelope.credentialId ? `The backup requires a specific passkey (ID: ${envelope.credentialId.slice(-8)}...)` : "The backup was encrypted with a different passkey than the one you selected";
+      throw new Error(`Passkey mismatch: ${credentialHint}. If you have multiple passkeys, please try again and select the correct passkey that was used when creating this backup.`);
+    }
+    throw new Error("Failed to decrypt keyshare: " + (error instanceof Error ? error.message : String(error)));
+  }
+}
+async function envelopeDecryptKeyshareWithPassword(envelope, password) {
+  console.log("[iframe][envelopeDecryptKeyshareWithPassword] Starting password-based decryption");
+  const wrappedDekWithSaltAndIv = base64ToBytes(envelope.wrapped_dek);
+  const salt = wrappedDekWithSaltAndIv.slice(0, 16);
+  const wrapIv = wrappedDekWithSaltAndIv.slice(16, 28);
+  const wrappedDekData = wrappedDekWithSaltAndIv.slice(28);
+  console.log("[iframe][envelopeDecryptKeyshareWithPassword] Salt length:", salt.length, "Wrap IV length:", wrapIv.length, "Wrapped DEK data length:", wrappedDekData.length);
+  try {
+    const kekKey = await deriveKeyFromPassword(password, salt);
+    const dekBytes = await crypto.subtle.decrypt({ name: "AES-GCM", iv: wrapIv }, kekKey, wrappedDekData);
+    console.log("[iframe][envelopeDecryptKeyshareWithPassword] DEK decrypted successfully, length:", dekBytes.byteLength);
+    const dekCryptoKey = await crypto.subtle.importKey("raw", dekBytes, "AES-GCM", false, ["decrypt"]);
+    const ciphertextWithIv = base64ToBytes(envelope.ciphertext_share);
+    const dataIv = ciphertextWithIv.slice(0, 12);
+    const encryptedData = ciphertextWithIv.slice(12);
+    const decryptedData = await crypto.subtle.decrypt({ name: "AES-GCM", iv: dataIv }, dekCryptoKey, encryptedData);
+    console.log("[iframe][envelopeDecryptKeyshareWithPassword] Main data decrypted successfully");
+    const plaintext = new TextDecoder().decode(decryptedData);
+    const result = JSON.parse(plaintext);
+    console.log("[iframe][envelopeDecryptKeyshareWithPassword] Decryption completed successfully");
+    return result;
+  } catch (error) {
+    console.error("[iframe][envelopeDecryptKeyshareWithPassword] Decryption failed:", error);
+    if (error instanceof Error && error.name === "OperationError") {
+      throw new Error("Incorrect password: Unable to decrypt the backup with the provided password.");
+    }
+    throw new Error("Failed to decrypt keyshare with password: " + (error instanceof Error ? error.message : String(error)));
+  }
+}
+async function decryptKeyshare(encryptedBackup, password) {
+  console.log("[iframe][decryptKeyshare] Starting file backup decryption");
+  if (encryptedBackup.magic && encryptedBackup.magic !== "LUMIA_BACKUP_V1") {
+    throw new Error("Invalid backup file format");
+  }
+  if (encryptedBackup.version && encryptedBackup.version !== "1.0") {
+    throw new Error(`Unsupported backup version: ${encryptedBackup.version}`);
+  }
+  try {
+    const decoder = new TextDecoder();
+    const dataField = encryptedBackup.data || encryptedBackup.encryptedData;
+    if (!encryptedBackup.salt || !encryptedBackup.iv || !dataField) {
+      console.error("[iframe][decryptKeyshare] Backup structure:", Object.keys(encryptedBackup));
+      throw new Error("Missing required encrypted backup fields (salt, iv, data/encryptedData)");
+    }
+    const salt = base64ToBytes(encryptedBackup.salt);
+    const iv = base64ToBytes(encryptedBackup.iv);
+    const encryptedData = base64ToBytes(dataField);
+    const encoder3 = new TextEncoder();
+    const passwordKey = await crypto.subtle.importKey(
+      "raw",
+      encoder3.encode(password),
+      "PBKDF2",
+      false,
+      ["deriveBits"]
+    );
+    const keyMaterial = await crypto.subtle.deriveBits(
+      {
+        name: "PBKDF2",
+        salt,
+        iterations: 1e5,
+        // File backups use 100,000 iterations
+        hash: "SHA-256"
+      },
+      passwordKey,
+      256
+    );
+    const key = await crypto.subtle.importKey(
+      "raw",
+      keyMaterial,
+      "AES-GCM",
+      false,
+      ["decrypt"]
+    );
+    const decryptedData = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv },
+      key,
+      encryptedData
+    );
+    const plaintext = decoder.decode(decryptedData);
+    const backupData = JSON.parse(plaintext);
+    if (encryptedBackup.checksum) {
+      const expected = `${backupData.userId}:${backupData.sessionId}:${encryptedBackup.encryptionMethod || "password"}`;
+      const expectedBuf = await crypto.subtle.digest("SHA-256", encoder3.encode(expected));
+      const expectedChecksum = bytesToBase64(new Uint8Array(expectedBuf));
+      if (expectedChecksum !== encryptedBackup.checksum) {
+        throw new Error("Backup integrity check failed - file may be corrupted or tampered with");
+      }
+    }
+    console.log("[iframe][decryptKeyshare] File backup decrypted successfully");
+    return backupData;
+  } catch (error) {
+    const message = error?.message || String(error);
+    const name = error?.name || "Error";
+    if (name === "OperationError" || message.includes("decrypt")) {
+      throw new Error("Incorrect password - unable to decrypt backup file");
+    }
+    if (error instanceof SyntaxError || message.includes("JSON")) {
+      throw new Error("Corrupted backup file - decryption succeeded but data is invalid");
+    }
+    throw new Error(`Failed to decrypt backup: ${message}`);
+  }
+}
+var init_crypto_utils = __esm({
+  "src/iframe/lib/backup/crypto-utils.ts"() {
+  }
+});
+// src/iframe/lib/backup/server-backup.ts
+var server_backup_exports = {};
+__export(server_backup_exports, {
+  backupToServer: () => backupToServer,
+  restoreFromServer: () => restoreFromServer
+});
+async function getShareVaultToken(scopes, accessToken) {
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  if (accessToken) {
+    headers["Authorization"] = `Bearer ${accessToken}`;
+  }
+  const response = await fetch(`${TSS_URL}/api/auth/token/exchange`, {
+    method: "POST",
+    headers,
+    credentials: "include",
+    body: JSON.stringify({
+      scopes,
+      audience: "lumia-passport-share-vault-service",
+      ttl: 300
+    })
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to get Share Vault token: ${response.status}`);
+  }
+  const data = await response.json();
+  if (!data?.resourceToken) {
+    throw new Error("Invalid token response");
+  }
+  return data.resourceToken;
+}
+async function uploadShareToVault(encryptedShare, accessToken) {
+  const token = await getShareVaultToken(["share:put"], accessToken);
+  const idempotencyKey = crypto.randomUUID ? crypto.randomUUID() : `backup-${Date.now()}`;
+  const response = await fetch(`${SHARE_VAULT_URL}/v1/shares/me`, {
+    method: "PUT",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${token}`,
+      "Idempotency-Key": idempotencyKey
+    },
+    body: JSON.stringify(encryptedShare)
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Failed to upload share: ${response.status} ${response.statusText} - ${errorText}`);
+  }
+}
+async function backupToServer(data, tokenClient, password, accessToken) {
+  let encryptedShare;
+  if (password) {
+    encryptedShare = await envelopeEncryptKeyshareWithPassword(data, password);
+  } else {
+    encryptedShare = await envelopeEncryptKeyshare(data, data.userId);
+  }
+  await uploadShareToVault(encryptedShare, accessToken);
+}
+async function downloadShareFromVault(accessToken) {
+  const token = await getShareVaultToken(["share:get"], accessToken);
+  const response = await fetch(`${SHARE_VAULT_URL}/v1/shares/me`, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "X-Client-Device-Id": "lumia-ui-kit",
+      "X-Client-Device-Name": "Lumia UI Kit"
+    }
+  });
+  if (!response.ok) {
+    if (response.status === 404) {
+      throw new Error("No backup found on server for this user");
+    }
+    const errorText = await response.text();
+    throw new Error(`Failed to download share: ${response.status} ${response.statusText} - ${errorText}`);
+  }
+  const envelope = await response.json();
+  if (!envelope.ciphertext_share || !envelope.wrapped_dek || !envelope.kdf || !envelope.alg || !envelope.aad) {
+    throw new Error("Invalid envelope structure received from Share Vault");
+  }
+  return envelope;
+}
+async function restoreFromServer(userId, tokenClient, password, accessToken) {
+  console.log("[iframe][restoreFromServer] Starting restore for userId:", userId);
+  console.log("[iframe][restoreFromServer] Using password:", !!password);
+  console.log("[iframe][restoreFromServer] Downloading share from vault...");
+  const envelope = await downloadShareFromVault(accessToken);
+  console.log("[iframe][restoreFromServer] Envelope encryption method:", envelope.encryptionMethod);
+  const { envelopeDecryptKeyshare: envelopeDecryptKeyshare2, envelopeDecryptKeyshareWithPassword: envelopeDecryptKeyshareWithPassword2 } = await Promise.resolve().then(() => (init_crypto_utils(), crypto_utils_exports));
+  const backupData = password ? await envelopeDecryptKeyshareWithPassword2(envelope, password) : await envelopeDecryptKeyshare2(envelope, userId);
+  if (backupData.userId !== userId) {
+    throw new Error("Server backup does not match current user");
+  }
+  console.log("[iframe][restoreFromServer] Decryption successful, returning backup data");
+  return backupData;
+}
+var SHARE_VAULT_URL, TSS_URL;
+var init_server_backup = __esm({
+  "src/iframe/lib/backup/server-backup.ts"() {
+    init_crypto_utils();
+    SHARE_VAULT_URL = typeof window.__LUMIA_SERVICES__ !== "undefined" && window.__LUMIA_SERVICES__?.shareVaultUrl || "https://api.lumiapassport.com/vault";
+    TSS_URL = typeof window.__LUMIA_SERVICES__ !== "undefined" && window.__LUMIA_SERVICES__?.tssUrl || "https://api.lumiapassport.com/tss";
+  }
+});
+// src/iframe/lib/backup/local-backup.ts
+var local_backup_exports = {};
+__export(local_backup_exports, {
+  backupToLocalFile: () => backupToLocalFile,
+  restoreFromLocalFile: () => restoreFromLocalFile
+});
+async function backupToLocalFile(data, password) {
+  let encryptionPassword = password;
+  let credentialId;
+  if (!encryptionPassword) {
+    const result = await deriveBackupPasswordFromPasskey(data.userId);
+    encryptionPassword = result.password;
+    credentialId = result.credentialId;
+  }
+  const encrypted = await encryptKeyshare(
+    data,
+    encryptionPassword,
+    password ? "password" : "passkey",
+    credentialId
+  );
+  const backupData = {
+    ...encrypted,
+    userId: data.userId,
+    createdAt: data.createdAt
+  };
+  const blob = new Blob([JSON.stringify(backupData, null, 2)], {
+    type: "application/json"
+  });
+  const url = URL.createObjectURL(blob);
+  const a = document.createElement("a");
+  a.href = url;
+  a.download = `lumia-passport-backup-${data.userId}-${Date.now()}.json`;
+  document.body.appendChild(a);
+  a.click();
+  document.body.removeChild(a);
+  URL.revokeObjectURL(url);
+}
+async function restoreFromLocalFile(fileContent, userId, password) {
+  console.log("[iframe][restoreFromLocalFile] Starting restore from local file");
+  const encryptedBackup = JSON.parse(fileContent);
+  let decryptionPassword;
+  let credentialId;
+  if (password) {
+    decryptionPassword = password;
+  } else {
+    const credentialIdFromBackup = encryptedBackup.encryptionMethod === "passkey" ? encryptedBackup.credentialId : void 0;
+    const result = await deriveBackupPasswordFromPasskey(
+      userId,
+      credentialIdFromBackup
+    ).catch(() => {
+      throw new Error(
+        "Restore requires either password or passkey authentication"
+      );
+    });
+    decryptionPassword = result.password;
+    credentialId = result.credentialId;
+  }
+  const { decryptKeyshare: decryptKeyshare2 } = await Promise.resolve().then(() => (init_crypto_utils(), crypto_utils_exports));
+  const backupData = await decryptKeyshare2(encryptedBackup, decryptionPassword);
+  if (backupData.userId !== userId) {
+    throw new Error("Backup file does not match current user");
+  }
+  console.log("[iframe][restoreFromLocalFile] Restore successful");
+  return backupData;
+}
+var init_local_backup = __esm({
+  "src/iframe/lib/backup/local-backup.ts"() {
+    init_crypto_utils();
+  }
+});
 // src/iframe/lib/secure-messenger.ts
 var SecureMessenger = class {
   constructor() {
@@ -843,6 +1383,12 @@ var SecureMessenger = class {
       "CHECK_KEYSHARE",
       "GET_TRUSTED_APPS",
       "REMOVE_TRUSTED_APP",
+      "CREATE_BACKUP",
+      "ENCRYPT_BACKUP_DATA",
+      "RESTORE_BACKUP",
+      "RESTORE_FROM_FILE",
+      "GET_BACKUP_STATUS",
+      "GET_CLOUD_PROVIDERS",
       "REQUEST_NEW_TOKEN",
       "RESPONSE",
       "ERROR",
@@ -2622,11 +3168,477 @@ var AuthorizationManager = class {
   }
 };
+// src/iframe/lib/backup-manager.ts
+init_server_backup();
+init_local_backup();
+// src/iframe/lib/backup/cloud-backup.ts
+init_crypto_utils();
+// src/iframe/lib/backup/cloudStorage.ts
+var GoogleDriveProvider = class {
+  constructor() {
+    this.name = "Google Drive";
+    this.id = "google-drive";
+    this.icon = "\u{1F4C1}";
+    // Can be replaced with proper icon
+    this.accessToken = null;
+    this.CLIENT_ID = typeof window.__GOOGLE_DRIVE_CLIENT_ID__ !== "undefined" && window.__GOOGLE_DRIVE_CLIENT_ID__ || "";
+    this.DISCOVERY_DOC = "https://www.googleapis.com/discovery/v1/apis/drive/v3/rest";
+    this.SCOPES = "https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/drive.appdata";
+    this.gapiInitialized = false;
+    this.gisInitialized = false;
+    this.initializeAPIs();
+  }
+  async initializeAPIs() {
+    if (!window.gapi) {
+      await this.loadScript("https://apis.google.com/js/api.js");
+    }
+    if (!window.google?.accounts) {
+      await this.loadScript("https://accounts.google.com/gsi/client");
+    }
+    if (!this.gapiInitialized) {
+      await new Promise((resolve) => {
+        window.gapi.load("client", resolve);
+      });
+      await window.gapi.client.init({
+        discoveryDocs: [this.DISCOVERY_DOC]
+      });
+      this.gapiInitialized = true;
+      console.log("[GoogleDrive] Google API client initialized");
+    }
+    if (!this.gisInitialized) {
+      this.gisInitialized = true;
+      console.log("[GoogleDrive] Google Identity Services initialized");
+    }
+  }
+  loadScript(src) {
+    return new Promise((resolve, reject) => {
+      if (document.querySelector(`script[src="${src}"]`)) {
+        resolve();
+        return;
+      }
+      const script = document.createElement("script");
+      script.src = src;
+      script.onload = () => resolve();
+      script.onerror = () => reject(new Error(`Failed to load ${src}`));
+      document.head.appendChild(script);
+    });
+  }
+  isAvailable() {
+    return !!this.CLIENT_ID && typeof window !== "undefined";
+  }
+  async authenticate() {
+    if (!this.isAvailable()) {
+      throw new Error(
+        "Google Drive integration is not available in this environment"
+      );
+    }
+    await this.initializeAPIs();
+    return new Promise((resolve, reject) => {
+      try {
+        const tokenClient = window.google.accounts.oauth2.initTokenClient({
+          client_id: this.CLIENT_ID,
+          scope: this.SCOPES,
+          callback: (response) => {
+            if (response.error) {
+              console.error("[GoogleDrive] Authentication error:", response.error);
+              reject(new Error(`Google Drive authentication failed: ${response.error}`));
+              return;
+            }
+            this.accessToken = response.access_token;
+            window.gapi.client.setToken({ access_token: this.accessToken });
+            console.log("[GoogleDrive] Successfully authenticated");
+            resolve(true);
+          }
+        });
+        tokenClient.requestAccessToken({ prompt: "consent" });
+      } catch (error) {
+        console.error("[GoogleDrive] Authentication initialization failed:", error);
+        reject(new Error(`Google Drive authentication setup failed: ${error}`));
+      }
+    });
+  }
+  isAuthenticated() {
+    return !!this.accessToken;
+  }
+  async signOut() {
+    if (this.accessToken) {
+      window.google?.accounts.oauth2.revoke(this.accessToken);
+      this.accessToken = null;
+      window.gapi?.client.setToken(null);
+      console.log("[GoogleDrive] Signed out successfully");
+    }
+  }
+  async upload(fileName, content, usePrivateStorage = true) {
+    if (!this.isAuthenticated()) {
+      throw new Error("Not authenticated with Google Drive");
+    }
+    await this.initializeAPIs();
+    if (usePrivateStorage) {
+      try {
+        const fileId = await this.uploadToAppDataFolder(fileName, content);
+        console.log("[GoogleDrive] File uploaded to appDataFolder successfully:", fileId);
+        return fileId;
+      } catch (error) {
+        console.warn("[GoogleDrive] AppDataFolder upload failed, trying fallback to regular folder:", error);
+        const fileId = await this.uploadToAppFolder(fileName, content);
+        console.log("[GoogleDrive] File uploaded to app folder successfully:", fileId);
+        return fileId;
+      }
+    } else {
+      try {
+        const fileId = await this.uploadToAppFolder(fileName, content);
+        console.log("[GoogleDrive] File uploaded to app folder successfully:", fileId);
+        return fileId;
+      } catch (error) {
+        console.error("[GoogleDrive] Upload failed:", error);
+        throw new Error(
+          `Failed to upload to Google Drive: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    }
+  }
+  async uploadToAppDataFolder(fileName, content) {
+    const metadata = {
+      name: fileName,
+      parents: ["appDataFolder"]
+      // Store in app-specific folder for privacy
+    };
+    return this.performUpload(metadata, content);
+  }
+  async uploadToAppFolder(fileName, content) {
+    const folderName = "Lumia Passport Backups";
+    const folderId = await this.findOrCreateFolder(folderName);
+    const metadata = {
+      name: fileName,
+      parents: [folderId]
+    };
+    return this.performUpload(metadata, content);
+  }
+  async findOrCreateFolder(folderName) {
+    const searchResponse = await fetch(
+      `https://www.googleapis.com/drive/v3/files?q=name='${folderName}' and mimeType='application/vnd.google-apps.folder' and trashed=false`,
+      {
+        headers: { Authorization: `Bearer ${this.accessToken}` }
+      }
+    );
+    if (!searchResponse.ok) {
+      throw new Error(`Failed to search for folder: ${searchResponse.status}`);
+    }
+    const searchResult = await searchResponse.json();
+    if (searchResult.files && searchResult.files.length > 0) {
+      return searchResult.files[0].id;
+    }
+    const createResponse = await fetch("https://www.googleapis.com/drive/v3/files", {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        name: folderName,
+        mimeType: "application/vnd.google-apps.folder"
+      })
+    });
+    if (!createResponse.ok) {
+      throw new Error(`Failed to create folder: ${createResponse.status}`);
+    }
+    const createResult = await createResponse.json();
+    console.log(`[GoogleDrive] Created folder '${folderName}':`, createResult.id);
+    return createResult.id;
+  }
+  async performUpload(metadata, content) {
+    const form = new FormData();
+    form.append("metadata", new Blob([JSON.stringify(metadata)], { type: "application/json" }));
+    form.append("file", new Blob([content], { type: "application/json" }));
+    const response = await fetch(
+      "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart",
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${this.accessToken}`
+        },
+        body: form
+      }
+    );
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(
+        `Google Drive upload failed: ${response.status} ${response.statusText} - ${errorText}`
+      );
+    }
+    const result = await response.json();
+    return result.id;
+  }
+};
+function getAvailableCloudProviders() {
+  const providers = [];
+  const googleDrive = new GoogleDriveProvider();
+  if (googleDrive.isAvailable()) {
+    providers.push(googleDrive);
+  }
+  return providers;
+}
+// src/iframe/lib/backup/cloud-backup.ts
+async function backupToCloud(data, providerId, password) {
+  const encryptionMethod = password ? "password" : "passkey";
+  let backupPassword;
+  let credentialId;
+  if (password) {
+    backupPassword = password;
+  } else {
+    const result = await deriveBackupPasswordFromPasskey(data.userId).catch(() => {
+      throw new Error("Backup requires either custom password or passkey authentication");
+    });
+    backupPassword = result.password;
+    credentialId = result.credentialId;
+    console.log("[backupToCloud] Using credential ID from passkey:", credentialId);
+  }
+  const encryptedBackup = await encryptKeyshare(data, backupPassword, encryptionMethod, credentialId);
+  const timestamp = Date.now();
+  const fileName = `lumia-keyshare-backup-${data.userId}-${timestamp}.json`;
+  const fileContent = JSON.stringify(encryptedBackup, null, 2);
+  const providers = getAvailableCloudProviders();
+  if (providers.length === 0) {
+    throw new Error(
+      "No cloud storage providers available in this environment"
+    );
+  }
+  const provider = providerId ? providers.find((p) => p.id === providerId) : providers[0];
+  if (!provider) {
+    throw new Error(
+      providerId ? `Cloud provider '${providerId}' not available` : "No cloud storage provider available"
+    );
+  }
+  console.info(`[BACKUP] Using ${provider.name} for cloud backup`);
+  if (!provider.isAuthenticated()) {
+    console.info(`[BACKUP] Authenticating with ${provider.name}`);
+    const authenticated = await provider.authenticate();
+    if (!authenticated) {
+      throw new Error(`Failed to authenticate with ${provider.name}`);
+    }
+  }
+  console.info(`[BACKUP] Uploading backup to ${provider.name}`);
+  const fileId = await provider.upload(fileName, fileContent, true);
+  console.info(`[BACKUP] Successfully uploaded backup to ${provider.name}, file ID: ${fileId}`);
+}
+function getCloudProviders() {
+  const providers = getAvailableCloudProviders();
+  return providers.map((p) => ({
+    id: p.id,
+    name: p.name,
+    available: p.isAvailable()
+  }));
+}
+// src/iframe/lib/backup-manager.ts
+var BACKUP_VERSION = "1.0";
+var BackupManager = class {
+  constructor() {
+    this.tokenClient = new TokenRefreshApiClient();
+    console.log("[iframe][BackupManager] Initialized");
+  }
+  /**
+   * Get current keyshare data from iframe storage
+   */
+  getCurrentKeyshareBackupData(userId) {
+    console.log("[iframe][BackupManager] Getting keyshare data for userId:", userId);
+    try {
+      const keyshareData = localStorage.getItem(`tss.${userId}.keyshare`);
+      const sessionId = localStorage.getItem(`tss.${userId}.sessionId`);
+      const ownerAddress = localStorage.getItem(`tss.${userId}.ownerAddress`);
+      console.log("[iframe][BackupManager] localStorage keys check:", {
+        hasKeyshare: !!keyshareData,
+        hasSession: !!sessionId,
+        hasOwner: !!ownerAddress,
+        keyshareLength: keyshareData?.length
+      });
+      if (!keyshareData || !sessionId || !ownerAddress) {
+        console.warn("[iframe][BackupManager] Missing keyshare data - cannot create backup");
+        return null;
+      }
+      console.log("[iframe][BackupManager] Successfully retrieved all keyshare data");
+      return {
+        userId,
+        sessionId,
+        keyshare: keyshareData,
+        ownerAddress,
+        createdAt: Date.now(),
+        version: BACKUP_VERSION
+      };
+    } catch (error) {
+      console.error("[iframe][BackupManager] Error getting keyshare data:", error);
+      return null;
+    }
+  }
+  /**
+   * Get backup status for all methods
+   */
+  getBackupStatus(userId) {
+    const statusData = localStorage.getItem(`lumia-passport.backup.status.${userId}`);
+    if (statusData) {
+      try {
+        return JSON.parse(statusData);
+      } catch (error) {
+        console.error("[iframe][BackupManager] Failed to parse backup status:", error);
+      }
+    }
+    return {
+      server: { lastBackup: void 0, error: void 0 },
+      cloud: { lastBackup: void 0, error: void 0 },
+      local: { lastBackup: void 0, error: void 0 }
+    };
+  }
+  /**
+   * Update backup status for a specific method
+   */
+  updateBackupStatus(userId, method, status) {
+    const currentStatus = this.getBackupStatus(userId);
+    currentStatus[method] = { ...currentStatus[method], ...status };
+    localStorage.setItem(
+      `lumia-passport.backup.status.${userId}`,
+      JSON.stringify(currentStatus)
+    );
+    console.log(`[iframe][BackupManager] Updated ${method} backup status for ${userId}`);
+  }
+  /**
+   * Create backup using specified method
+   */
+  async createBackup(userId, request, accessToken) {
+    console.log("[iframe][BackupManager] Create backup request:", request);
+    const data = this.getCurrentKeyshareBackupData(userId);
+    if (!data) {
+      const error = "No keyshare data found for backup";
+      console.error("[iframe][BackupManager]", error);
+      return {
+        success: false,
+        method: request.method,
+        timestamp: Date.now(),
+        error
+      };
+    }
+    try {
+      switch (request.method) {
+        case "server":
+          await backupToServer(data, this.tokenClient, request.password, accessToken);
+          break;
+        case "local":
+          await backupToLocalFile(data, request.password);
+          break;
+        case "cloud":
+          await backupToCloud(data, request.cloudProvider, request.password);
+          break;
+        default:
+          throw new Error(`Unknown backup method: ${request.method}`);
+      }
+      const timestamp = Date.now();
+      this.updateBackupStatus(userId, request.method, {
+        lastBackup: timestamp,
+        error: void 0
+      });
+      console.log(`[iframe][BackupManager] \u2705 ${request.method} backup completed`);
+      return {
+        success: true,
+        method: request.method,
+        timestamp
+      };
+    } catch (error) {
+      const errorMessage = error.message || "Backup failed";
+      console.error("[iframe][BackupManager] Backup failed:", errorMessage);
+      this.updateBackupStatus(userId, request.method, {
+        error: errorMessage
+      });
+      return {
+        success: false,
+        method: request.method,
+        timestamp: Date.now(),
+        error: errorMessage
+      };
+    }
+  }
+  /**
+   * Restore keyshare from server backup
+   */
+  async restoreFromServer(userId, password, accessToken) {
+    console.log("[iframe][BackupManager] Restore from server request for userId:", userId);
+    try {
+      const { restoreFromServer: restoreFromServer2 } = await Promise.resolve().then(() => (init_server_backup(), server_backup_exports));
+      const backupData = await restoreFromServer2(userId, this.tokenClient, password, accessToken);
+      console.log("[iframe][BackupManager] \u2705 Server restore completed");
+      localStorage.setItem(`tss.${userId}.keyshare`, backupData.keyshare);
+      localStorage.setItem(`tss.${userId}.sessionId`, backupData.sessionId);
+      localStorage.setItem(`tss.${userId}.ownerAddress`, backupData.ownerAddress);
+      console.log("[iframe][BackupManager] Keyshare saved to localStorage");
+      return backupData;
+    } catch (error) {
+      const errorMessage = error.message || "Restore failed";
+      console.error("[iframe][BackupManager] Restore failed:", errorMessage);
+      throw error;
+    }
+  }
+  /**
+   * Encrypt backup data without uploading (for cloud/local backups)
+   * Returns encrypted data that parent can upload/download
+   */
+  async encryptBackupData(userId, password) {
+    console.log("[iframe][BackupManager] Encrypting backup data for userId:", userId);
+    const data = this.getCurrentKeyshareBackupData(userId);
+    if (!data) {
+      throw new Error("No keyshare data found for backup");
+    }
+    const { encryptKeyshare: encryptKeyshare2, deriveBackupPasswordFromPasskey: deriveBackupPasswordFromPasskey2 } = await Promise.resolve().then(() => (init_crypto_utils(), crypto_utils_exports));
+    let encryptionPassword = password;
+    let credentialId;
+    if (!encryptionPassword) {
+      const result = await deriveBackupPasswordFromPasskey2(userId);
+      encryptionPassword = result.password;
+      credentialId = result.credentialId;
+    }
+    const encrypted = await encryptKeyshare2(
+      data,
+      encryptionPassword,
+      password ? "password" : "passkey",
+      credentialId
+    );
+    console.log("[iframe][BackupManager] \u2705 Backup data encrypted");
+    return encrypted;
+  }
+  /**
+   * Restore keyshare from local file backup
+   */
+  async restoreFromLocalFile(fileContent, userId, password) {
+    console.log("[iframe][BackupManager] Restore from local file request for userId:", userId);
+    try {
+      const { restoreFromLocalFile: restoreFromLocalFile2 } = await Promise.resolve().then(() => (init_local_backup(), local_backup_exports));
+      const backupData = await restoreFromLocalFile2(fileContent, userId, password);
+      console.log("[iframe][BackupManager] \u2705 Local file restore completed");
+      localStorage.setItem(`tss.${userId}.keyshare`, backupData.keyshare);
+      localStorage.setItem(`tss.${userId}.sessionId`, backupData.sessionId);
+      localStorage.setItem(`tss.${userId}.ownerAddress`, backupData.ownerAddress);
+      console.log("[iframe][BackupManager] Keyshare saved to localStorage");
+      return backupData;
+    } catch (error) {
+      const errorMessage = error.message || "Local file restore failed";
+      console.error("[iframe][BackupManager] Local file restore failed:", errorMessage);
+      throw error;
+    }
+  }
+  /**
+   * Get available cloud providers
+   */
+  getAvailableCloudProviders() {
+    return getCloudProviders();
+  }
+};
 // src/iframe/main.ts
+var IFRAME_VERSION = "1.2.1";
 var IframeWallet = class {
   constructor() {
     console.log("=".repeat(60));
-    console.log("  Lumia Passport Secure Wallet - iframe version 0.1.8");
+    console.log(`  Lumia Passport Secure Wallet - iframe version ${IFRAME_VERSION}`);
     console.log("=".repeat(60));
     this.messenger = new SecureMessenger();
     this.sessionManager = new SessionManager();
@@ -2635,6 +3647,7 @@ var IframeWallet = class {
     this.authManager = new AuthorizationManager();
     this.storage = new StorageManager();
     this.trustedApps = new TrustedAppsManager();
+    this.backupManager = new BackupManager();
   }
   async initialize() {
     console.log("[iframe] Initializing Lumia Passport Secure Wallet...");
@@ -2666,7 +3679,13 @@ var IframeWallet = class {
   }
   async handleMessage(message, origin) {
     const { type, messageId, projectId } = message;
-    console.log(`[iframe] \u{1F4E8} Message: ${type} from ${origin.substring(0, 30)}...`);
+    console.log(`[iframe] \u{1F4E8} Message received:`, {
+      type,
+      messageId: messageId.substring(0, 20),
+      origin: origin.substring(0, 30),
+      hasData: !!message.data,
+      dataKeys: message.data ? Object.keys(message.data) : []
+    });
     try {
       switch (type) {
         case "SDK_AUTH":
@@ -2693,6 +3712,24 @@ var IframeWallet = class {
         case "REMOVE_TRUSTED_APP":
           await this.handleRemoveTrustedApp(message, origin);
           break;
+        case "CREATE_BACKUP":
+          await this.handleCreateBackup(message, origin);
+          break;
+        case "GET_BACKUP_STATUS":
+          await this.handleGetBackupStatus(message, origin);
+          break;
+        case "GET_CLOUD_PROVIDERS":
+          await this.handleGetCloudProviders(message, origin);
+          break;
+        case "RESTORE_BACKUP":
+          await this.handleRestoreBackup(message, origin);
+          break;
+        case "RESTORE_FROM_FILE":
+          await this.handleRestoreFromFile(message, origin);
+          break;
+        case "ENCRYPT_BACKUP_DATA":
+          await this.handleEncryptBackupData(message, origin);
+          break;
         default:
           throw new Error(`Unknown message type: ${type}`);
       }
@@ -2903,6 +3940,218 @@ var IframeWallet = class {
     );
     console.log(`[iframe] \u2705 REMOVE_TRUSTED_APP: App removed`);
   }
+  async handleCreateBackup(message, origin) {
+    const { sessionToken, userId, backupRequest, accessToken } = message.data;
+    const { messageId } = message;
+    console.log(`[iframe] CREATE_BACKUP received:`, { userId, method: backupRequest?.method, hasSessionToken: !!sessionToken, hasAccessToken: !!accessToken, origin });
+    if (!userId) {
+      console.error("[iframe] CREATE_BACKUP: userId is missing!");
+      this.messenger.sendError(messageId, "userId is required", origin);
+      return;
+    }
+    if (!backupRequest) {
+      console.error("[iframe] CREATE_BACKUP: backupRequest is missing!");
+      this.messenger.sendError(messageId, "backupRequest is required", origin);
+      return;
+    }
+    if (!this.sessionManager.validateSession(sessionToken, origin)) {
+      console.error("[iframe] CREATE_BACKUP: Session validation failed", { sessionToken, origin });
+      this.messenger.sendError(messageId, "Invalid session", origin);
+      return;
+    }
+    console.log("[iframe] CREATE_BACKUP: Session validated, creating backup...");
+    try {
+      const result = await this.backupManager.createBackup(userId, backupRequest, accessToken);
+      console.log("[iframe] CREATE_BACKUP: Backup result:", result);
+      this.messenger.sendResponse(
+        messageId,
+        {
+          type: "LUMIA_PASSPORT_BACKUP_CREATED",
+          result
+        },
+        origin
+      );
+      if (result.success) {
+        console.log(`[iframe] \u2705 CREATE_BACKUP: Backup created successfully`);
+      } else {
+        console.error(`[iframe] \u274C CREATE_BACKUP: Backup failed - ${result.error}`);
+      }
+    } catch (error) {
+      console.error("[iframe] CREATE_BACKUP: Exception:", error);
+      this.messenger.sendError(messageId, error.message || "Backup failed", origin);
+    }
+  }
+  async handleGetBackupStatus(message, origin) {
+    const { sessionToken, userId } = message.data;
+    const { messageId } = message;
+    console.log(`[iframe] GET_BACKUP_STATUS: userId=${userId}`);
+    if (!this.sessionManager.validateSession(sessionToken, origin)) {
+      console.error("[iframe] GET_BACKUP_STATUS: Session validation failed");
+      throw new Error("Invalid session");
+    }
+    const status = this.backupManager.getBackupStatus(userId);
+    this.messenger.sendResponse(
+      messageId,
+      {
+        type: "LUMIA_PASSPORT_BACKUP_STATUS",
+        status
+      },
+      origin
+    );
+    console.log(`[iframe] \u2705 GET_BACKUP_STATUS: Status retrieved`);
+  }
+  async handleGetCloudProviders(message, origin) {
+    const { sessionToken } = message.data;
+    const { messageId } = message;
+    console.log(`[iframe] GET_CLOUD_PROVIDERS`);
+    if (!this.sessionManager.validateSession(sessionToken, origin)) {
+      console.error("[iframe] GET_CLOUD_PROVIDERS: Session validation failed");
+      throw new Error("Invalid session");
+    }
+    const providers = this.backupManager.getAvailableCloudProviders();
+    this.messenger.sendResponse(
+      messageId,
+      {
+        type: "LUMIA_PASSPORT_CLOUD_PROVIDERS",
+        providers
+      },
+      origin
+    );
+    console.log(`[iframe] \u2705 GET_CLOUD_PROVIDERS: Providers retrieved`);
+  }
+  async handleRestoreBackup(message, origin) {
+    const { sessionToken, userId, password, accessToken } = message.data;
+    const { messageId } = message;
+    console.log(`[iframe] RESTORE_BACKUP received:`, { userId, hasPassword: !!password, hasSessionToken: !!sessionToken, hasAccessToken: !!accessToken, origin });
+    if (!userId) {
+      console.error("[iframe] RESTORE_BACKUP: userId is missing!");
+      this.messenger.sendError(messageId, "userId is required", origin);
+      return;
+    }
+    if (!this.sessionManager.validateSession(sessionToken, origin)) {
+      console.error("[iframe] RESTORE_BACKUP: Session validation failed", { sessionToken, origin });
+      this.messenger.sendError(messageId, "Invalid session", origin);
+      return;
+    }
+    console.log("[iframe] RESTORE_BACKUP: Session validated, restoring backup...");
+    try {
+      const backupData = await this.backupManager.restoreFromServer(userId, password, accessToken);
+      console.log("[iframe] RESTORE_BACKUP: Restore successful");
+      this.messenger.sendResponse(
+        messageId,
+        {
+          type: "LUMIA_PASSPORT_BACKUP_RESTORED",
+          result: {
+            success: true,
+            timestamp: Date.now(),
+            data: backupData
+          }
+        },
+        origin
+      );
+      console.log(`[iframe] \u2705 RESTORE_BACKUP: Backup restored successfully`);
+    } catch (error) {
+      console.error("[iframe] RESTORE_BACKUP: Exception:", error);
+      this.messenger.sendResponse(
+        messageId,
+        {
+          type: "LUMIA_PASSPORT_BACKUP_RESTORED",
+          result: {
+            success: false,
+            timestamp: Date.now(),
+            error: error.message || "Restore failed"
+          }
+        },
+        origin
+      );
+      console.log(`[iframe] \u274C RESTORE_BACKUP: Restore failed - ${error.message}`);
+    }
+  }
+  async handleRestoreFromFile(message, origin) {
+    const { sessionToken, userId, fileContent, password } = message.data;
+    const { messageId } = message;
+    console.log(`[iframe] RESTORE_FROM_FILE received:`, { userId, hasPassword: !!password, hasFileContent: !!fileContent, hasSessionToken: !!sessionToken, origin });
+    if (!userId) {
+      console.error("[iframe] RESTORE_FROM_FILE: userId is missing!");
+      this.messenger.sendError(messageId, "userId is required", origin);
+      return;
+    }
+    if (!fileContent) {
+      console.error("[iframe] RESTORE_FROM_FILE: fileContent is missing!");
+      this.messenger.sendError(messageId, "fileContent is required", origin);
+      return;
+    }
+    if (!this.sessionManager.validateSession(sessionToken, origin)) {
+      console.error("[iframe] RESTORE_FROM_FILE: Session validation failed", { sessionToken, origin });
+      this.messenger.sendError(messageId, "Invalid session", origin);
+      return;
+    }
+    console.log("[iframe] RESTORE_FROM_FILE: Session validated, restoring from file...");
+    try {
+      const backupData = await this.backupManager.restoreFromLocalFile(fileContent, userId, password);
+      console.log("[iframe] RESTORE_FROM_FILE: Restore successful");
+      this.messenger.sendResponse(
+        messageId,
+        {
+          type: "LUMIA_PASSPORT_FILE_RESTORED",
+          result: {
+            success: true,
+            timestamp: Date.now(),
+            data: backupData
+          }
+        },
+        origin
+      );
+      console.log(`[iframe] \u2705 RESTORE_FROM_FILE: File restored successfully`);
+    } catch (error) {
+      console.error("[iframe] RESTORE_FROM_FILE: Exception:", error);
+      this.messenger.sendResponse(
+        messageId,
+        {
+          type: "LUMIA_PASSPORT_FILE_RESTORED",
+          result: {
+            success: false,
+            timestamp: Date.now(),
+            error: error.message || "File restore failed"
+          }
+        },
+        origin
+      );
+      console.log(`[iframe] \u274C RESTORE_FROM_FILE: Restore failed - ${error.message}`);
+    }
+  }
+  async handleEncryptBackupData(message, origin) {
+    const { sessionToken, userId, password } = message.data;
+    const { messageId } = message;
+    console.log(`[iframe] ENCRYPT_BACKUP_DATA received:`, { userId, hasPassword: !!password, hasSessionToken: !!sessionToken, origin });
+    if (!userId) {
+      console.error("[iframe] ENCRYPT_BACKUP_DATA: userId is missing!");
+      this.messenger.sendError(messageId, "userId is required", origin);
+      return;
+    }
+    if (!this.sessionManager.validateSession(sessionToken, origin)) {
+      console.error("[iframe] ENCRYPT_BACKUP_DATA: Session validation failed", { sessionToken, origin });
+      this.messenger.sendError(messageId, "Invalid session", origin);
+      return;
+    }
+    console.log("[iframe] ENCRYPT_BACKUP_DATA: Session validated, encrypting backup data...");
+    try {
+      const encryptedData = await this.backupManager.encryptBackupData(userId, password);
+      console.log("[iframe] ENCRYPT_BACKUP_DATA: Encryption successful");
+      this.messenger.sendResponse(
+        messageId,
+        {
+          type: "LUMIA_PASSPORT_BACKUP_ENCRYPTED",
+          encryptedData
+        },
+        origin
+      );
+      console.log(`[iframe] \u2705 ENCRYPT_BACKUP_DATA: Data encrypted successfully`);
+    } catch (error) {
+      console.error("[iframe] ENCRYPT_BACKUP_DATA: Exception:", error);
+      this.messenger.sendError(messageId, error.message || "Encryption failed", origin);
+    }
+  }
   displayReadyIndicator() {
     const app = document.getElementById("app");
     if (!app) return;