@mybucks.online/core 2.0.0 → 2.1.0

package/README.md

@@ -99,7 +99,7 @@ To make the wallet more secure and resilient against attacks, and to meet standa
 
 **Token generation (default)**  
 - Legacy encoded the transfer-link token by **concatenating** passphrase, pin and network with a delimiter, which is ambiguous for some inputs.  
-- The default uses **ABI encoding** for the payload so there is no concatenation ambiguity.  
+- The default uses a **compact length-prefixed** payload (version byte + lengths + UTF-8 bytes) so there is no concatenation ambiguity and the URL fragment stays short.  
 - `parseToken` accepts both legacy and default token formats automatically and returns `[passphrase, pin, network, legacy]`, where `legacy` is `true` if the token was in legacy format.
 
 Use `generateHash(passphrase, pin, cb, true)` or `generateToken(passphrase, pin, network, true)` only when you need to match existing legacy wallets or tokens.
@@ -119,6 +119,6 @@ Find the docs [here](https://docs.mybucks.online).
 - https://app.mybucks.online  
   passphrase: **DemoAccount5&**  
   PIN: **112324**
-- https://app.mybucks.online/#wallet=VWnsSGRGVtb0FjY291bnQ1JgIxMTIzMjQCb3B0aW1pc20=_wNovT
-- https://app.mybucks.online/#wallet=1jpFD8RGVtb0FjY291bnQ1JgIxMTIzMjQCYmFzZQ==fhk-GL
+- https://app.mybucks.online/#wallet=Db1zfXAg1EZW1vQWNjb3VudDUmBjExMjMyNAhvcHRpbWlzbQ==mlUEbO (default)
+- https://app.mybucks.online/#wallet=VWnsSGRGVtb0FjY291bnQ1JgIxMTIzMjQCb3B0aW1pc20=_wNovT (legacy)
 - https://codesandbox.io/p/sandbox/mybucks-online-key-generation-sandbox-lt53c3

package/index.js

@@ -135,7 +135,9 @@ export function getTronWalletAddress(hash) {
 }
 
 const URL_DELIMITER = "\u0002";
-const TOKEN_VERSION_ABI = 0x02;
+// Version byte for the default (non-legacy) token format.
+// Uses a compact length-prefixed encoding for passphrase, pin and network.
+const TOKEN_VERSION_COMPACT = 0x02;
 
 const NETWORKS = [
   "ethereum",
@@ -151,12 +153,12 @@ const NETWORKS = [
  * This function generates a transfer-link token by encoding passphrase, pin and network, and adding random padding.
  * The transfer-link enables users to send their full ownership of a wallet account to another user for gifting or airdropping.
  * Passphrase and PIN are validated by length (see PASSPHRASE_MIN/MAX_LENGTH, PIN_MIN/MAX_LENGTH) and zxcvbn; invalid or weak values are rejected (returns null).
- * When legacy is false, payload is ABI-encoded to avoid concatenation ambiguity; when true, uses URL_DELIMITER concatenation.
+ * When legacy is false, payload is compact length-prefixed (version 0x02) to avoid concatenation ambiguity and keep the URL fragment short; when true, uses URL_DELIMITER concatenation.
  *
  * @param {string} passphrase - Length in [PASSPHRASE_MIN_LENGTH, PASSPHRASE_MAX_LENGTH], zxcvbn score >= 3
  * @param {string} pin - Length in [PIN_MIN_LENGTH, PIN_MAX_LENGTH], zxcvbn score >= 1
  * @param {string} network - ethereum | polygon | arbitrum | optimism | bsc | avalanche | base | tron
- * @param {boolean} legacy - when true, use URL_DELIMITER concatenation; when false, use ABI encoding for the payload
+ * @param {boolean} legacy - when true, use URL_DELIMITER concatenation; when false, use compact length-prefixed encoding for the payload
  * @returns A string formatted as a transfer-link token, which can be appended to `https://app.mybucks.online#wallet=`, or null if invalid/weak
  */
 export function generateToken(passphrase, pin, network, legacy = false) {
@@ -194,14 +196,19 @@ export function generateToken(passphrase, pin, network, legacy = false) {
       "utf-8",
     );
   } else {
-    const encoded = abi.encode(
-      ["string", "string", "string"],
-      [passphrase, pin, network],
-    );
-    const encodedBuffer = Buffer.from(encoded.slice(2), "hex");
+    // Default format: compact length-prefixed encoding.
+    const passphraseBytes = Buffer.from(passphrase, "utf-8");
+    const pinBytes = Buffer.from(pin, "utf-8");
+    const networkBytes = Buffer.from(network, "utf-8");
+
     payloadBuffer = Buffer.concat([
-      Buffer.from([TOKEN_VERSION_ABI]),
-      encodedBuffer,
+      Buffer.from([TOKEN_VERSION_COMPACT]),
+      Buffer.from([passphraseBytes.length]),
+      passphraseBytes,
+      Buffer.from([pinBytes.length]),
+      pinBytes,
+      Buffer.from([networkBytes.length]),
+      networkBytes,
     ]);
   }
 
@@ -212,20 +219,24 @@ export function generateToken(passphrase, pin, network, legacy = false) {
 
 /**
  * This function parses a transfer-link token generated by generateToken().
- * Tokens with version byte 0x02 are ABI-decoded; otherwise payload is treated as legacy (UTF-8 + URL_DELIMITER).
+ * Tokens whose payload starts with 0x02 are decoded as compact length-prefixed; otherwise payload is treated as legacy (UTF-8 + URL_DELIMITER).
  * @param {string} token - token string returned by generateToken()
- * @returns {[string, string, string, boolean]} [passphrase, pin, network, legacy] - legacy is true if token was in legacy format, false if ABI-encoded
+ * @returns {[string, string, string, boolean]} [passphrase, pin, network, legacy] - legacy is true if token was in legacy format, false if compact-encoded
  */
 export function parseToken(token) {
   const payload = token.slice(6, token.length - 6);
   const decoded = Buffer.from(payload, "base64");
 
-  if (decoded[0] === TOKEN_VERSION_ABI) {
-    const hex = "0x" + decoded.subarray(1).toString("hex");
-    const [passphrase, pin, network] = abi.decode(
-      ["string", "string", "string"],
-      hex,
-    );
+  if (decoded[0] === TOKEN_VERSION_COMPACT) {
+    let i = 1;
+    const lenP = decoded[i++];
+    const passphrase = decoded.subarray(i, i + lenP).toString("utf-8");
+    i += lenP;
+    const lenI = decoded[i++];
+    const pin = decoded.subarray(i, i + lenI).toString("utf-8");
+    i += lenI;
+    const lenN = decoded[i++];
+    const network = decoded.subarray(i, i + lenN).toString("utf-8");
     return [passphrase, pin, network, false];
   }
   const str = decoded.toString("utf-8");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mybucks.online/core",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Core module of Mybucks.online Crypto Wallet",
   "main": "index.js",
   "type": "module",
@@ -38,7 +38,7 @@
     "ethers": "^6.13.5",
     "nanoid": "^5.0.9",
     "scrypt-js": "^3.0.1",
-    "tronweb": "^6.0.1",
+    "tronweb": "^6.2.2",
     "zxcvbn": "^4.4.2"
   }
 }

package/test/index.test.js

@@ -21,6 +21,7 @@ const DEMO_WALLET_EVM_ADDRESS = "0xC3Bb18Ed137577e5482fA7C6AEaca8b3F68Dafba";
 const DEMO_WALLET_TRON_ADDRESS = "TTp8uDeig42XdefAoTGWTj61uNMYvEVnXR";
 
 const DEMO_LEGACY_TOKEN = "VWnsSGRGVtb0FjY291bnQ1JgIxMTIzMjQCb3B0aW1pc20=_wNovT";
+const DEMO_DEFAULT_TOKEN = "Db1zfXAg1EZW1vQWNjb3VudDUmBjExMjMyNAhvcHRpbWlzbQ==mlUEbO";
 
 describe("generateHash (default)", () => {
   test("should return empty string if passphrase or pin is blank", async () => {
@@ -282,6 +283,13 @@ describe("generateToken", () => {
       );
     }
   });
+
+  test("should handle passphrase containing URL_DELIMITER when legacy=false", () => {
+    const delimiter = String.fromCharCode(2);
+    const trickyPassphrase = `Demo${delimiter}Account5&`;
+    const token = generateToken(trickyPassphrase, DEMO_PIN, DEMO_NETWORK, false);
+    assert.ok(token !== null);
+  });
 });
 
 describe("parseToken", () => {
@@ -310,6 +318,14 @@ describe("parseToken", () => {
     assert.strictEqual(network, DEMO_NETWORK);
     assert.strictEqual(legacy, true);
   });
+
+  test("should parse DEMO_DEFAULT_TOKEN and return DEMO_PASSPHRASE, DEMO_PIN, DEMO_NETWORK and legacy=false", () => {
+    const [passphrase, pin, network, legacy] = parseToken(DEMO_DEFAULT_TOKEN);
+    assert.strictEqual(passphrase, DEMO_PASSPHRASE);
+    assert.strictEqual(pin, DEMO_PIN);
+    assert.strictEqual(network, DEMO_NETWORK);
+    assert.strictEqual(legacy, false);
+  });
 });
 
 describe("generateToken and parseToken", () => {
@@ -325,6 +341,20 @@ describe("generateToken and parseToken", () => {
     assert.strictEqual(network, testNetwork);
   });
 
+  test("should round-trip passphrase containing URL_DELIMITER when legacy=false", () => {
+    const delimiter = String.fromCharCode(2);
+    const testPassphrase = `My${delimiter}-1st-car-was-a-red-Ford-2005!`;
+    const testPin = "909011";
+    const testNetwork = "polygon";
+    const token = generateToken(testPassphrase, testPin, testNetwork, false);
+
+    const [passphrase, pin, network, legacy] = parseToken(token);
+    assert.strictEqual(passphrase, testPassphrase);
+    assert.strictEqual(pin, testPin);
+    assert.strictEqual(network, testNetwork);
+    assert.strictEqual(legacy, false);
+  });
+
   test("should round-trip when legacy=true", () => {
     const testPassphrase = "My-1st-car-was-a-red-Ford-2005!";
     const testPin = "909011";
@@ -336,4 +366,20 @@ describe("generateToken and parseToken", () => {
     assert.strictEqual(pin, testPin);
     assert.strictEqual(network, testNetwork);
   });
+
+  test("should not safely round-trip passphrase containing URL_DELIMITER when legacy=true", () => {
+    const delimiter = String.fromCharCode(2);
+    const testPassphrase = `My${delimiter}-1st-car-was-a-red-Ford-2005!`;
+    const testPin = "909011";
+    const testNetwork = "polygon";
+    const token = generateToken(testPassphrase, testPin, testNetwork, true);
+
+    const [passphrase, pin, network, legacy] = parseToken(token);
+    assert.notStrictEqual(
+      passphrase,
+      testPassphrase,
+      "legacy format cannot safely encode passphrase containing URL_DELIMITER",
+    );
+    assert.strictEqual(legacy, true);
+  });
 });