npm - @nokinc-flur/sdk - Versions diffs - 1.1.1 → 1.1.3 - Mend

@nokinc-flur/sdk 1.1.1 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -29,6 +29,8 @@ __export(index_exports, {
   AccountSchema: () => AccountSchema,
   ApiCredentialPublicSchema: () => ApiCredentialPublicSchema,
   ArtifactHeaderSchema: () => ArtifactHeaderSchema,
+  AttestationSecurityLevelSchema: () => AttestationSecurityLevelSchema,
+  CLAIM_DOMAIN_V2: () => CLAIM_DOMAIN_V2,
   COLLECTION_INTENT_STATUSES: () => COLLECTION_INTENT_STATUSES,
   COLLECTION_PAYMENT_STATUSES: () => COLLECTION_PAYMENT_STATUSES,
   CUSTODIAL_MODES: () => CUSTODIAL_MODES,
@@ -47,6 +49,7 @@ __export(index_exports, {
   CreatePayoutInputSchema: () => CreatePayoutInputSchema,
   CreateWithdrawalInputSchema: () => CreateWithdrawalInputSchema,
   CreateWithdrawalResultSchema: () => CreateWithdrawalResultSchema,
+  DeviceKeyAlgSchema: () => DeviceKeyAlgSchema,
   DeviceKeyRecordSchema: () => DeviceKeyRecordSchema,
   DisableOfflineInputSchema: () => DisableOfflineInputSchema,
   DisableOfflineResultSchema: () => DisableOfflineResultSchema,
@@ -91,6 +94,8 @@ __export(index_exports, {
   OfflineStateResultSchema: () => OfflineStateResultSchema,
   OfflineStatusResultSchema: () => OfflineStatusResultSchema,
   OfflineTokenSchema: () => OfflineTokenSchema,
+  P256EnrollmentChallengeInputSchema: () => P256EnrollmentChallengeInputSchema,
+  P256EnrollmentChallengeResultSchema: () => P256EnrollmentChallengeResultSchema,
   PARTNER_FUNDING_DIRECTIONS: () => PARTNER_FUNDING_DIRECTIONS,
   PARTNER_FUNDING_STATUSES: () => PARTNER_FUNDING_STATUSES,
   PARTNER_KINDS: () => PARTNER_KINDS,
@@ -114,6 +119,8 @@ __export(index_exports, {
   PayoutEventInputSchema: () => PayoutEventInputSchema,
   ProviderEventInputSchema: () => ProviderEventInputSchema,
   ProviderEventRecordSchema: () => ProviderEventRecordSchema,
+  ProvisionOfflineAllowanceInputSchema: () => ProvisionOfflineAllowanceInputSchema,
+  ProvisionOfflineAllowanceResultSchema: () => ProvisionOfflineAllowanceResultSchema,
   PublicCollectionIntentSchema: () => PublicCollectionIntentSchema,
   RECEIPT_CHANNELS: () => RECEIPT_CHANNELS,
   RECEIPT_KINDS: () => RECEIPT_KINDS,
@@ -125,6 +132,7 @@ __export(index_exports, {
   RecordPayoutEventResultSchema: () => RecordPayoutEventResultSchema,
   RedemptionSchema: () => RedemptionSchema,
   RegisterDeviceKeyInputSchema: () => RegisterDeviceKeyInputSchema,
+  RegisterDeviceKeyP256InputSchema: () => RegisterDeviceKeyP256InputSchema,
   ReversalRecordArtifactSchema: () => ReversalRecordArtifactSchema,
   RevokeDeviceKeyInputSchema: () => RevokeDeviceKeyInputSchema,
   SETTLEMENT_SCHEDULES: () => SETTLEMENT_SCHEDULES,
@@ -147,6 +155,8 @@ __export(index_exports, {
   buildPaymentRequest: () => buildPaymentRequest,
   buildReceipt: () => buildReceipt,
   buildRedemption: () => buildRedemption,
+  canonicalClaimSigningBytes: () => canonicalClaimSigningBytes,
+  canonicalClaimSigningPayload: () => canonicalClaimSigningPayload,
   canonicalJSONBytes: () => canonicalJSONBytes,
   canonicalJSONStringify: () => canonicalJSONStringify,
   canonicalRequestString: () => canonicalRequestString,
@@ -171,6 +181,8 @@ __export(index_exports, {
   createPassesClient: () => createPassesClient,
   createReceiptArtifactUri: () => createReceiptArtifactUri,
   createReceiptsClient: () => createReceiptsClient,
+  createSoftwareEd25519Signer: () => createSoftwareEd25519Signer,
+  createSoftwareP256Signer: () => createSoftwareP256Signer,
   decodeArtifactUri: () => decodeArtifactUri,
   decodeAuthorizationQR: () => decodeAuthorizationQR,
   decodeBase45: () => decodeBase45,
@@ -212,6 +224,7 @@ __export(index_exports, {
   verifyArtifactUri: () => verifyArtifactUri,
   verifyAuthorization: () => verifyAuthorization,
   verifyCanonical: () => verifyCanonical,
+  verifyClaimSignature: () => verifyClaimSignature,
   verifyOAC: () => verifyOAC,
   verifyPass: () => verifyPass,
   verifyPaymentRequest: () => verifyPaymentRequest,
@@ -3144,15 +3157,45 @@ var import_zod13 = require("zod");
 var Hex64 = import_zod13.z.string().regex(/^[0-9a-f]{64}$/i);
 var HexAny = import_zod13.z.string().regex(/^[0-9a-f]+$/i);
 var Sha256Hex = import_zod13.z.string().regex(/^[0-9a-f]{64}$/i);
+var Base64Std = import_zod13.z.string().regex(/^[A-Za-z0-9+/]+={0,2}$/);
 var RegisterDeviceKeyInputSchema = import_zod13.z.object({
   deviceId: import_zod13.z.string().min(1).max(128),
   publicKeyHex: Hex64
 });
+var AttestationSecurityLevelSchema = import_zod13.z.enum([
+  "STRONGBOX",
+  "TEE",
+  "SECURE_ENCLAVE",
+  "SOFTWARE"
+]);
+var DeviceKeyAlgSchema = import_zod13.z.enum(["ed25519", "p256"]);
+var RegisterDeviceKeyP256InputSchema = import_zod13.z.object({
+  deviceId: import_zod13.z.string().min(1).max(128),
+  /** P-256 SubjectPublicKeyInfo DER, base64. */
+  publicKeySpkiB64: Base64Std.min(64).max(4096),
+  /** Base64 of the server-issued enrollment challenge string. */
+  challengeB64: Base64Std.min(8).max(1024),
+  /** iOS App Attest payload or Android X.509 Key Attestation chain. */
+  attestationChainB64: import_zod13.z.array(Base64Std.min(16).max(16384)).min(1).max(16),
+  securityLevel: AttestationSecurityLevelSchema
+});
+var P256EnrollmentChallengeInputSchema = import_zod13.z.object({
+  deviceId: import_zod13.z.string().min(1).max(128)
+});
+var P256EnrollmentChallengeResultSchema = import_zod13.z.object({
+  challenge: import_zod13.z.string().min(16),
+  expiresAtMs: import_zod13.z.number().int().positive()
+});
 var DeviceKeyRecordSchema = import_zod13.z.object({
   id: import_zod13.z.string().uuid(),
   userId: import_zod13.z.string().uuid(),
   deviceId: import_zod13.z.string(),
-  publicKeyHex: Hex64,
+  alg: DeviceKeyAlgSchema.default("ed25519"),
+  publicKeyHex: Hex64.nullable().default(null),
+  publicKeySpkiB64: Base64Std.nullable().default(null),
+  securityLevel: AttestationSecurityLevelSchema.nullable().default(null),
+  hardwareBacked: import_zod13.z.boolean().default(false),
+  attestedAtMs: import_zod13.z.number().int().nonnegative().nullable().default(null),
   createdAtMs: import_zod13.z.number().int().nonnegative(),
   revokedAtMs: import_zod13.z.number().int().nonnegative().nullable()
 });
@@ -3161,7 +3204,9 @@ var ConsumerOACSchema = import_zod13.z.object({
   issuerId: import_zod13.z.string().min(1).max(64),
   userId: import_zod13.z.string().uuid(),
   deviceId: import_zod13.z.string().min(1).max(128),
-  devicePubkeyHex: Hex64,
+  alg: import_zod13.z.enum(["ed25519", "p256"]).optional(),
+  devicePubkeyHex: Hex64.optional(),
+  devicePubkeySpkiB64: Base64Std.min(64).max(4096).optional(),
   perTxCapKobo: import_zod13.z.number().int().positive(),
   cumulativeCapKobo: import_zod13.z.number().int().positive(),
   currency: import_zod13.z.string().length(3),
@@ -3169,7 +3214,16 @@ var ConsumerOACSchema = import_zod13.z.object({
   validUntilMs: import_zod13.z.number().int().nonnegative(),
   counterSeed: import_zod13.z.number().int().nonnegative(),
   issuedAtMs: import_zod13.z.number().int().nonnegative()
-});
+}).refine(
+  (o) => {
+    const alg = o.alg ?? "ed25519";
+    if (alg === "ed25519") {
+      return Boolean(o.devicePubkeyHex) && !o.devicePubkeySpkiB64;
+    }
+    return Boolean(o.devicePubkeySpkiB64) && !o.devicePubkeyHex;
+  },
+  { message: "OAC device pubkey shape must match alg" }
+);
 var SignedConsumerOACSchema = import_zod13.z.object({
   oac: ConsumerOACSchema,
   issuerSig: HexAny,
@@ -3205,6 +3259,7 @@ var EnableOfflineInputSchema = import_zod13.z.object({
   installId: import_zod13.z.string().min(1).max(128),
   partnerId: import_zod13.z.string().min(1).max(64).optional()
 });
+var ProvisionOfflineAllowanceInputSchema = EnableOfflineInputSchema;
 var DisableOfflineInputSchema = import_zod13.z.object({
   deviceId: import_zod13.z.string().min(1).max(128),
   installId: import_zod13.z.string().min(1).max(128).optional(),
@@ -3242,6 +3297,7 @@ var EnableOfflineResultSchema = import_zod13.z.object({
   hold: OfflineHoldRecordSchema,
   oac: OACRecordSchema
 });
+var ProvisionOfflineAllowanceResultSchema = EnableOfflineResultSchema;
 var DisableOfflineResultSchema = import_zod13.z.object({
   hold: OfflineHoldRecordSchema,
   trusted: import_zod13.z.boolean(),
@@ -3254,7 +3310,10 @@ var OfflineStatusResultSchema = import_zod13.z.object({
 var OfflineStateResultSchema = import_zod13.z.object({
   active: OACRecordSchema.nullable()
 });
+var ClaimAlgSchema = import_zod13.z.enum(["ed25519", "p256"]);
 var ConsumerPaymentClaimSchema = import_zod13.z.object({
+  /** Algorithm discriminator. Omit / 'ed25519' for V1 clients. */
+  alg: ClaimAlgSchema.optional(),
   oacId: import_zod13.z.string().uuid(),
   encounterId: Sha256Hex.optional(),
   payerUserId: import_zod13.z.string().uuid(),
@@ -3267,11 +3326,28 @@ var ConsumerPaymentClaimSchema = import_zod13.z.object({
   occurredAtMs: import_zod13.z.number().int().nonnegative(),
   completedAtMs: import_zod13.z.number().int().nonnegative().optional(),
   contextId: import_zod13.z.string().max(128).optional(),
-  payerPubkeyHex: Hex64,
-  payerSignature: HexAny,
+  // ed25519 path
+  payerPubkeyHex: Hex64.optional(),
+  payerSignature: HexAny.optional(),
   payeePubkeyHex: Hex64.optional(),
-  payeeSignature: HexAny.optional()
-});
+  payeeSignature: HexAny.optional(),
+  // p256 path
+  payerPubkeySpkiB64: import_zod13.z.string().min(64).max(4096).optional(),
+  payerSignatureDerB64: import_zod13.z.string().min(16).max(2048).optional(),
+  payeePubkeySpkiB64: import_zod13.z.string().min(64).max(4096).optional(),
+  payeeSignatureDerB64: import_zod13.z.string().min(16).max(2048).optional()
+}).refine(
+  (c) => {
+    const alg = c.alg ?? "ed25519";
+    if (alg === "ed25519") {
+      return Boolean(c.payerPubkeyHex) && Boolean(c.payerSignature);
+    }
+    return Boolean(c.payerPubkeySpkiB64) && Boolean(c.payerSignatureDerB64);
+  },
+  {
+    message: "payer key/signature fields must match alg (ed25519: hex; p256: SPKI+DER b64)"
+  }
+);
 var ConsumerSettlementSchema = import_zod13.z.object({
   settlementId: import_zod13.z.string().uuid(),
   settlementKey: Sha256Hex,
@@ -3336,6 +3412,18 @@ function createMeOfflineClient(opts) {
       RegisterDeviceKeyInputSchema.parse(input),
       (raw) => DeviceKeyRecordSchema.parse(raw)
     ),
+    issueP256EnrollmentChallenge: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256/challenge",
+      P256EnrollmentChallengeInputSchema.parse(input),
+      (raw) => P256EnrollmentChallengeResultSchema.parse(raw)
+    ),
+    registerDeviceKeyP256: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256",
+      RegisterDeviceKeyP256InputSchema.parse(input),
+      (raw) => DeviceKeyRecordSchema.parse(raw)
+    ),
     listDeviceKeys: () => call(
       "GET",
       "/v1/me/offline/keys",
@@ -3348,6 +3436,12 @@ function createMeOfflineClient(opts) {
       RevokeDeviceKeyInputSchema.parse(input),
       () => void 0
     ),
+    provisionAllowance: (input) => call(
+      "POST",
+      "/v1/me/offline/allowance",
+      ProvisionOfflineAllowanceInputSchema.parse(input),
+      (raw) => ProvisionOfflineAllowanceResultSchema.parse(raw)
+    ),
     enable: (input) => call(
       "POST",
       "/v1/me/offline/enable",
@@ -3393,6 +3487,148 @@ function createMeOfflineClient(opts) {
   };
 }
+// src/me-offline/signer.ts
+var import_ed255198 = require("@noble/curves/ed25519");
+var import_nist = require("@noble/curves/nist");
+var import_utils3 = require("@noble/hashes/utils");
+var CLAIM_DOMAIN_V2 = "flur:consumer-offline:v2:claim";
+function canonicalClaimSigningPayload(claim) {
+  return {
+    domain: CLAIM_DOMAIN_V2,
+    alg: claim.alg,
+    oacId: claim.oacId,
+    payerUserId: claim.payerUserId,
+    payeeUserId: claim.payeeUserId,
+    payerDeviceId: claim.payerDeviceId,
+    payerNonce: claim.payerNonce,
+    payeeNonce: claim.payeeNonce,
+    amountKobo: claim.amountKobo,
+    currency: claim.currency,
+    occurredAtMs: claim.occurredAtMs,
+    completedAtMs: claim.completedAtMs ?? null,
+    contextId: claim.contextId ?? null
+  };
+}
+function canonicalClaimSigningBytes(claim) {
+  return canonicalJSONBytes(canonicalClaimSigningPayload(claim));
+}
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return btoa(bin);
+}
+function base64ToBytes(b64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const bin = atob(b64);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+var P256_SPKI_HEADER = new Uint8Array([
+  48,
+  89,
+  48,
+  19,
+  6,
+  7,
+  42,
+  134,
+  72,
+  206,
+  61,
+  2,
+  1,
+  6,
+  8,
+  42,
+  134,
+  72,
+  206,
+  61,
+  3,
+  1,
+  7,
+  3,
+  66,
+  0
+]);
+function p256PublicKeyToSpkiB64(rawUncompressed) {
+  if (rawUncompressed.length !== 65 || rawUncompressed[0] !== 4) {
+    throw new Error("p256: expected 65-byte uncompressed point");
+  }
+  const out = new Uint8Array(P256_SPKI_HEADER.length + rawUncompressed.length);
+  out.set(P256_SPKI_HEADER, 0);
+  out.set(rawUncompressed, P256_SPKI_HEADER.length);
+  return bytesToBase64(out);
+}
+function p256SpkiB64ToPublicKey(spkiB64) {
+  const spki = base64ToBytes(spkiB64);
+  if (spki.length !== P256_SPKI_HEADER.length + 65) {
+    throw new Error("p256: invalid SPKI length");
+  }
+  for (let i = 0; i < P256_SPKI_HEADER.length; i++) {
+    if (spki[i] !== P256_SPKI_HEADER[i]) {
+      throw new Error("p256: invalid SPKI header");
+    }
+  }
+  return spki.slice(P256_SPKI_HEADER.length);
+}
+function createSoftwareEd25519Signer(privateKey) {
+  const pub = import_ed255198.ed25519.getPublicKey(privateKey);
+  return {
+    alg: "ed25519",
+    async getPublicKey() {
+      return { alg: "ed25519", publicKey: (0, import_utils3.bytesToHex)(pub) };
+    },
+    async sign(bytes) {
+      const sig = import_ed255198.ed25519.sign(bytes, privateKey);
+      return { alg: "ed25519", signature: (0, import_utils3.bytesToHex)(sig) };
+    }
+  };
+}
+function createSoftwareP256Signer(privateKey) {
+  const raw = import_nist.p256.getPublicKey(privateKey, false);
+  const spkiB64 = p256PublicKeyToSpkiB64(raw);
+  return {
+    alg: "p256",
+    async getPublicKey() {
+      return { alg: "p256", publicKey: spkiB64 };
+    },
+    async sign(bytes) {
+      const sig = import_nist.p256.sign(bytes, privateKey, { prehash: true });
+      const der = sig.toBytes("der");
+      return { alg: "p256", signature: bytesToBase64(der) };
+    }
+  };
+}
+function verifyClaimSignature(input) {
+  try {
+    if (input.alg === "ed25519") {
+      return import_ed255198.ed25519.verify(
+        (0, import_utils3.hexToBytes)(input.signature),
+        input.bytes,
+        (0, import_utils3.hexToBytes)(input.publicKey)
+      );
+    }
+    if (input.alg === "p256") {
+      const sigDer = base64ToBytes(input.signature);
+      const pub = p256SpkiB64ToPublicKey(input.publicKey);
+      return import_nist.p256.verify(sigDer, input.bytes, pub, {
+        prehash: true,
+        format: "der"
+      });
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
 // src/partner-funding/client.ts
 var import_zod14 = require("zod");
 var MinorString = import_zod14.z.string().regex(/^-?\d+$/);
@@ -4120,6 +4356,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   AccountSchema,
   ApiCredentialPublicSchema,
   ArtifactHeaderSchema,
+  AttestationSecurityLevelSchema,
+  CLAIM_DOMAIN_V2,
   COLLECTION_INTENT_STATUSES,
   COLLECTION_PAYMENT_STATUSES,
   CUSTODIAL_MODES,
@@ -4138,6 +4376,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   CreatePayoutInputSchema,
   CreateWithdrawalInputSchema,
   CreateWithdrawalResultSchema,
+  DeviceKeyAlgSchema,
   DeviceKeyRecordSchema,
   DisableOfflineInputSchema,
   DisableOfflineResultSchema,
@@ -4182,6 +4421,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   OfflineStateResultSchema,
   OfflineStatusResultSchema,
   OfflineTokenSchema,
+  P256EnrollmentChallengeInputSchema,
+  P256EnrollmentChallengeResultSchema,
   PARTNER_FUNDING_DIRECTIONS,
   PARTNER_FUNDING_STATUSES,
   PARTNER_KINDS,
@@ -4205,6 +4446,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   PayoutEventInputSchema,
   ProviderEventInputSchema,
   ProviderEventRecordSchema,
+  ProvisionOfflineAllowanceInputSchema,
+  ProvisionOfflineAllowanceResultSchema,
   PublicCollectionIntentSchema,
   RECEIPT_CHANNELS,
   RECEIPT_KINDS,
@@ -4216,6 +4459,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   RecordPayoutEventResultSchema,
   RedemptionSchema,
   RegisterDeviceKeyInputSchema,
+  RegisterDeviceKeyP256InputSchema,
   ReversalRecordArtifactSchema,
   RevokeDeviceKeyInputSchema,
   SETTLEMENT_SCHEDULES,
@@ -4238,6 +4482,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   buildPaymentRequest,
   buildReceipt,
   buildRedemption,
+  canonicalClaimSigningBytes,
+  canonicalClaimSigningPayload,
   canonicalJSONBytes,
   canonicalJSONStringify,
   canonicalRequestString,
@@ -4262,6 +4508,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   createPassesClient,
   createReceiptArtifactUri,
   createReceiptsClient,
+  createSoftwareEd25519Signer,
+  createSoftwareP256Signer,
   decodeArtifactUri,
   decodeAuthorizationQR,
   decodeBase45,
@@ -4303,6 +4551,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   verifyArtifactUri,
   verifyAuthorization,
   verifyCanonical,
+  verifyClaimSignature,
   verifyOAC,
   verifyPass,
   verifyPaymentRequest,