@opendatalabs/vana-sdk 2.3.0 → 3.0.1-canary.b068ac6

package/dist/auth/token-store.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/token-store.ts"],"sourcesContent":["/**\n * Token storage primitives for OAuth grant and access tokens.\n *\n * @remarks\n * Defines the {@link TokenStore} interface and a default in-memory\n * implementation. Persistent backends (e.g., browser storage, secure\n * keychains) are intentionally not provided here — consumers can implement\n * the interface for their environment.\n *\n * @category Auth\n * @module auth/token-store\n */\n\n/**\n * A persisted token record.\n */\nexport interface TokenRecord {\n  /** The opaque token value. */\n  token: string;\n  /** Optional expiration as a Unix timestamp in seconds. */\n  expiresAt?: number;\n}\n\n/**\n * Async key/value store for token records.\n */\nexport interface TokenStore {\n  /**\n   * Returns the record for `key`, or `null` if missing or expired.\n   */\n  get(key: string): Promise<TokenRecord | null>;\n  /**\n   * Stores `record` under `key`, overwriting any existing entry.\n   */\n  set(key: string, record: TokenRecord): Promise<void>;\n  /**\n   * Removes the entry for `key`. No-op if `key` is absent.\n   */\n  delete(key: string): Promise<void>;\n  /**\n   * Removes all entries.\n   */\n  clear(): Promise<void>;\n}\n\n/**\n * In-memory {@link TokenStore} implementation.\n *\n * @remarks\n * Expired entries are evicted lazily on read. Records are shallow-copied on\n * `set` and `get` so caller mutations do not leak into stored state.\n */\nexport class InMemoryTokenStore implements TokenStore {\n  readonly #records = new Map<string, TokenRecord>();\n\n  public get(key: string): Promise<TokenRecord | null> {\n    const record = this.#records.get(key);\n    if (record === undefined) return Promise.resolve(null);\n    if (\n      record.expiresAt !== undefined &&\n      record.expiresAt <= Math.floor(Date.now() / 1000)\n    ) {\n      this.#records.delete(key);\n      return Promise.resolve(null);\n    }\n    return Promise.resolve({ ...record });\n  }\n\n  public set(key: string, record: TokenRecord): Promise<void> {\n    this.#records.set(key, { ...record });\n    return Promise.resolve();\n  }\n\n  public delete(key: string): Promise<void> {\n    this.#records.delete(key);\n    return Promise.resolve();\n  }\n\n  public clear(): Promise<void> {\n    this.#records.clear();\n    return Promise.resolve();\n  }\n\n  /**\n   * Returns the number of stored entries (including any not yet\n   * lazily evicted). Intended for tests and diagnostics.\n   */\n  public get size(): number {\n    return this.#records.size;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAoDO,MAAM,mBAAyC;AAAA,EAC3C,WAAW,oBAAI,IAAyB;AAAA,EAE1C,IAAI,KAA0C;AACnD,UAAM,SAAS,KAAK,SAAS,IAAI,GAAG;AACpC,QAAI,WAAW,OAAW,QAAO,QAAQ,QAAQ,IAAI;AACrD,QACE,OAAO,cAAc,UACrB,OAAO,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,GAChD;AACA,WAAK,SAAS,OAAO,GAAG;AACxB,aAAO,QAAQ,QAAQ,IAAI;AAAA,IAC7B;AACA,WAAO,QAAQ,QAAQ,EAAE,GAAG,OAAO,CAAC;AAAA,EACtC;AAAA,EAEO,IAAI,KAAa,QAAoC;AAC1D,SAAK,SAAS,IAAI,KAAK,EAAE,GAAG,OAAO,CAAC;AACpC,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEO,OAAO,KAA4B;AACxC,SAAK,SAAS,OAAO,GAAG;AACxB,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEO,QAAuB;AAC5B,SAAK,SAAS,MAAM;AACpB,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAW,OAAe;AACxB,WAAO,KAAK,SAAS;AAAA,EACvB;AACF;","names":[]}

package/dist/auth/token-store.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Token storage primitives for OAuth grant and access tokens.
+ *
+ * @remarks
+ * Defines the {@link TokenStore} interface and a default in-memory
+ * implementation. Persistent backends (e.g., browser storage, secure
+ * keychains) are intentionally not provided here — consumers can implement
+ * the interface for their environment.
+ *
+ * @category Auth
+ * @module auth/token-store
+ */
+/**
+ * A persisted token record.
+ */
+export interface TokenRecord {
+    /** The opaque token value. */
+    token: string;
+    /** Optional expiration as a Unix timestamp in seconds. */
+    expiresAt?: number;
+}
+/**
+ * Async key/value store for token records.
+ */
+export interface TokenStore {
+    /**
+     * Returns the record for `key`, or `null` if missing or expired.
+     */
+    get(key: string): Promise<TokenRecord | null>;
+    /**
+     * Stores `record` under `key`, overwriting any existing entry.
+     */
+    set(key: string, record: TokenRecord): Promise<void>;
+    /**
+     * Removes the entry for `key`. No-op if `key` is absent.
+     */
+    delete(key: string): Promise<void>;
+    /**
+     * Removes all entries.
+     */
+    clear(): Promise<void>;
+}
+/**
+ * In-memory {@link TokenStore} implementation.
+ *
+ * @remarks
+ * Expired entries are evicted lazily on read. Records are shallow-copied on
+ * `set` and `get` so caller mutations do not leak into stored state.
+ */
+export declare class InMemoryTokenStore implements TokenStore {
+    #private;
+    get(key: string): Promise<TokenRecord | null>;
+    set(key: string, record: TokenRecord): Promise<void>;
+    delete(key: string): Promise<void>;
+    clear(): Promise<void>;
+    /**
+     * Returns the number of stored entries (including any not yet
+     * lazily evicted). Intended for tests and diagnostics.
+     */
+    get size(): number;
+}

package/dist/auth/token-store.js

@@ -0,0 +1,35 @@
+class InMemoryTokenStore {
+  #records = /* @__PURE__ */ new Map();
+  get(key) {
+    const record = this.#records.get(key);
+    if (record === void 0) return Promise.resolve(null);
+    if (record.expiresAt !== void 0 && record.expiresAt <= Math.floor(Date.now() / 1e3)) {
+      this.#records.delete(key);
+      return Promise.resolve(null);
+    }
+    return Promise.resolve({ ...record });
+  }
+  set(key, record) {
+    this.#records.set(key, { ...record });
+    return Promise.resolve();
+  }
+  delete(key) {
+    this.#records.delete(key);
+    return Promise.resolve();
+  }
+  clear() {
+    this.#records.clear();
+    return Promise.resolve();
+  }
+  /**
+   * Returns the number of stored entries (including any not yet
+   * lazily evicted). Intended for tests and diagnostics.
+   */
+  get size() {
+    return this.#records.size;
+  }
+}
+export {
+  InMemoryTokenStore
+};
+//# sourceMappingURL=token-store.js.map

package/dist/auth/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/token-store.ts"],"sourcesContent":["/**\n * Token storage primitives for OAuth grant and access tokens.\n *\n * @remarks\n * Defines the {@link TokenStore} interface and a default in-memory\n * implementation. Persistent backends (e.g., browser storage, secure\n * keychains) are intentionally not provided here — consumers can implement\n * the interface for their environment.\n *\n * @category Auth\n * @module auth/token-store\n */\n\n/**\n * A persisted token record.\n */\nexport interface TokenRecord {\n  /** The opaque token value. */\n  token: string;\n  /** Optional expiration as a Unix timestamp in seconds. */\n  expiresAt?: number;\n}\n\n/**\n * Async key/value store for token records.\n */\nexport interface TokenStore {\n  /**\n   * Returns the record for `key`, or `null` if missing or expired.\n   */\n  get(key: string): Promise<TokenRecord | null>;\n  /**\n   * Stores `record` under `key`, overwriting any existing entry.\n   */\n  set(key: string, record: TokenRecord): Promise<void>;\n  /**\n   * Removes the entry for `key`. No-op if `key` is absent.\n   */\n  delete(key: string): Promise<void>;\n  /**\n   * Removes all entries.\n   */\n  clear(): Promise<void>;\n}\n\n/**\n * In-memory {@link TokenStore} implementation.\n *\n * @remarks\n * Expired entries are evicted lazily on read. Records are shallow-copied on\n * `set` and `get` so caller mutations do not leak into stored state.\n */\nexport class InMemoryTokenStore implements TokenStore {\n  readonly #records = new Map<string, TokenRecord>();\n\n  public get(key: string): Promise<TokenRecord | null> {\n    const record = this.#records.get(key);\n    if (record === undefined) return Promise.resolve(null);\n    if (\n      record.expiresAt !== undefined &&\n      record.expiresAt <= Math.floor(Date.now() / 1000)\n    ) {\n      this.#records.delete(key);\n      return Promise.resolve(null);\n    }\n    return Promise.resolve({ ...record });\n  }\n\n  public set(key: string, record: TokenRecord): Promise<void> {\n    this.#records.set(key, { ...record });\n    return Promise.resolve();\n  }\n\n  public delete(key: string): Promise<void> {\n    this.#records.delete(key);\n    return Promise.resolve();\n  }\n\n  public clear(): Promise<void> {\n    this.#records.clear();\n    return Promise.resolve();\n  }\n\n  /**\n   * Returns the number of stored entries (including any not yet\n   * lazily evicted). Intended for tests and diagnostics.\n   */\n  public get size(): number {\n    return this.#records.size;\n  }\n}\n"],"mappings":"AAoDO,MAAM,mBAAyC;AAAA,EAC3C,WAAW,oBAAI,IAAyB;AAAA,EAE1C,IAAI,KAA0C;AACnD,UAAM,SAAS,KAAK,SAAS,IAAI,GAAG;AACpC,QAAI,WAAW,OAAW,QAAO,QAAQ,QAAQ,IAAI;AACrD,QACE,OAAO,cAAc,UACrB,OAAO,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,GAChD;AACA,WAAK,SAAS,OAAO,GAAG;AACxB,aAAO,QAAQ,QAAQ,IAAI;AAAA,IAC7B;AACA,WAAO,QAAQ,QAAQ,EAAE,GAAG,OAAO,CAAC;AAAA,EACtC;AAAA,EAEO,IAAI,KAAa,QAAoC;AAC1D,SAAK,SAAS,IAAI,KAAK,EAAE,GAAG,OAAO,CAAC;AACpC,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEO,OAAO,KAA4B;AACxC,SAAK,SAAS,OAAO,GAAG;AACxB,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEO,QAAuB;AAC5B,SAAK,SAAS,MAAM;AACpB,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAW,OAAe;AACxB,WAAO,KAAK,SAAS;AAAA,EACvB;AACF;","names":[]}

package/dist/auth/web3-signed-builder.cjs

@@ -0,0 +1,70 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var web3_signed_builder_exports = {};
+__export(web3_signed_builder_exports, {
+  buildWeb3SignedHeader: () => buildWeb3SignedHeader,
+  computeBodyHash: () => computeBodyHash
+});
+module.exports = __toCommonJS(web3_signed_builder_exports);
+var import_sha2 = require("@noble/hashes/sha2");
+var import_viem = require("viem");
+var import_encoding = require("../utils/encoding");
+const EMPTY_BODY_HASH = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+const DEFAULT_TTL_SECONDS = 300;
+function base64urlEncode(input) {
+  return (0, import_encoding.toBase64)(input).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function computeBodyHash(body) {
+  if (!body || body.length === 0) {
+    return EMPTY_BODY_HASH;
+  }
+  const digest = (0, import_sha2.sha256)(body);
+  return `sha256:${(0, import_viem.bytesToHex)(digest).slice(2)}`;
+}
+async function buildWeb3SignedHeader(params) {
+  const now = Math.floor(Date.now() / 1e3);
+  const iat = params.iat ?? now;
+  const exp = params.exp ?? iat + DEFAULT_TTL_SECONDS;
+  const payload = {
+    aud: params.aud,
+    bodyHash: params.bodyHash ?? computeBodyHash(params.body),
+    exp,
+    iat,
+    method: params.method,
+    uri: params.uri
+  };
+  if (params.grantId !== void 0) {
+    payload["grantId"] = params.grantId;
+  }
+  const sortedPayload = Object.keys(payload).sort().reduce((acc, key) => {
+    acc[key] = payload[key];
+    return acc;
+  }, {});
+  const payloadJson = JSON.stringify(sortedPayload);
+  const payloadBytes = new TextEncoder().encode(payloadJson);
+  const payloadBase64 = base64urlEncode(payloadBytes);
+  const signature = await params.signMessage(payloadBase64);
+  return `Web3Signed ${payloadBase64}.${signature}`;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  buildWeb3SignedHeader,
+  computeBodyHash
+});
+//# sourceMappingURL=web3-signed-builder.cjs.map

package/dist/auth/web3-signed-builder.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/web3-signed-builder.ts"],"sourcesContent":["/**\n * Builder for Web3Signed Authorization headers.\n *\n * @remarks\n * Ported from `personal-server-ts`\n * (`packages/core/src/signing/request-signer.ts`). The original was wired\n * to a Node-only `ServerAccount` and `node:crypto`. This isomorphic version\n * accepts any `signMessage` callback (viem accounts, wallet clients, etc.)\n * and uses `@noble/hashes` for SHA-256 so it runs in browsers and Workers.\n *\n * Wire format is identical to PS — payload is JSON with sorted keys,\n * base64url-encoded, signed via EIP-191.\n *\n * @category Auth\n */\n\nimport { sha256 } from \"@noble/hashes/sha2\";\nimport { bytesToHex } from \"viem\";\nimport { toBase64 } from \"../utils/encoding\";\n\n/**\n * Sign-message callback compatible with viem `LocalAccount`/`WalletClient`-style\n * signers. Must produce an EIP-191 (`personal_sign`) signature.\n */\nexport type Web3SignedSignFn = (message: string) => Promise<`0x${string}`>;\n\n/** SHA-256 of the empty string — bodyHash for empty bodies. */\nconst EMPTY_BODY_HASH =\n  \"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\";\n\n/** Default token lifetime (seconds). */\nconst DEFAULT_TTL_SECONDS = 300;\n\n/** Base64url encode bytes (no padding). */\nfunction base64urlEncode(input: Uint8Array): string {\n  return toBase64(input)\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\n/** Compute the `sha256:<hex>` bodyHash claim for a request body. */\nexport function computeBodyHash(body: Uint8Array | undefined): string {\n  if (!body || body.length === 0) {\n    return EMPTY_BODY_HASH;\n  }\n  const digest = sha256(body);\n  return `sha256:${bytesToHex(digest).slice(2)}`;\n}\n\n/**\n * Build a Web3Signed Authorization header value.\n *\n * @returns The full header value (`\"Web3Signed <base64url>.<sig>\"`).\n */\nexport async function buildWeb3SignedHeader(params: {\n  /** EIP-191 signer (e.g. viem `account.signMessage`). */\n  signMessage: Web3SignedSignFn;\n  /** Expected origin (e.g. `\"https://ps.example.com\"`). */\n  aud: string;\n  /** HTTP method (e.g. `\"GET\"`). */\n  method: string;\n  /** Request URI/path (e.g. `\"/v1/data/instagram.profile\"`). */\n  uri: string;\n  /** Optional request body — when present, used to compute `bodyHash`. */\n  body?: Uint8Array;\n  /** Issued-at (unix seconds). Defaults to now. */\n  iat?: number;\n  /** Expiry (unix seconds). Defaults to `iat + 300`. */\n  exp?: number;\n  /** Optional grant id, attached as the `grantId` claim. */\n  grantId?: string;\n  /** Pre-computed `bodyHash` claim — overrides `body`. */\n  bodyHash?: string;\n}): Promise<string> {\n  const now = Math.floor(Date.now() / 1000);\n  const iat = params.iat ?? now;\n  const exp = params.exp ?? iat + DEFAULT_TTL_SECONDS;\n\n  const payload: Record<string, unknown> = {\n    aud: params.aud,\n    bodyHash: params.bodyHash ?? computeBodyHash(params.body),\n    exp,\n    iat,\n    method: params.method,\n    uri: params.uri,\n  };\n\n  if (params.grantId !== undefined) {\n    payload[\"grantId\"] = params.grantId;\n  }\n\n  // Sort keys for deterministic serialization.\n  const sortedPayload = Object.keys(payload)\n    .sort()\n    .reduce<Record<string, unknown>>((acc, key) => {\n      acc[key] = payload[key];\n      return acc;\n    }, {});\n\n  const payloadJson = JSON.stringify(sortedPayload);\n  const payloadBytes = new TextEncoder().encode(payloadJson);\n  const payloadBase64 = base64urlEncode(payloadBytes);\n\n  const signature = await params.signMessage(payloadBase64);\n\n  return `Web3Signed ${payloadBase64}.${signature}`;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAgBA,kBAAuB;AACvB,kBAA2B;AAC3B,sBAAyB;AASzB,MAAM,kBACJ;AAGF,MAAM,sBAAsB;AAG5B,SAAS,gBAAgB,OAA2B;AAClD,aAAO,0BAAS,KAAK,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACtB;AAGO,SAAS,gBAAgB,MAAsC;AACpE,MAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B,WAAO;AAAA,EACT;AACA,QAAM,aAAS,oBAAO,IAAI;AAC1B,SAAO,cAAU,wBAAW,MAAM,EAAE,MAAM,CAAC,CAAC;AAC9C;AAOA,eAAsB,sBAAsB,QAmBxB;AAClB,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,MAAM,OAAO,OAAO;AAC1B,QAAM,MAAM,OAAO,OAAO,MAAM;AAEhC,QAAM,UAAmC;AAAA,IACvC,KAAK,OAAO;AAAA,IACZ,UAAU,OAAO,YAAY,gBAAgB,OAAO,IAAI;AAAA,IACxD;AAAA,IACA;AAAA,IACA,QAAQ,OAAO;AAAA,IACf,KAAK,OAAO;AAAA,EACd;AAEA,MAAI,OAAO,YAAY,QAAW;AAChC,YAAQ,SAAS,IAAI,OAAO;AAAA,EAC9B;AAGA,QAAM,gBAAgB,OAAO,KAAK,OAAO,EACtC,KAAK,EACL,OAAgC,CAAC,KAAK,QAAQ;AAC7C,QAAI,GAAG,IAAI,QAAQ,GAAG;AACtB,WAAO;AAAA,EACT,GAAG,CAAC,CAAC;AAEP,QAAM,cAAc,KAAK,UAAU,aAAa;AAChD,QAAM,eAAe,IAAI,YAAY,EAAE,OAAO,WAAW;AACzD,QAAM,gBAAgB,gBAAgB,YAAY;AAElD,QAAM,YAAY,MAAM,OAAO,YAAY,aAAa;AAExD,SAAO,cAAc,aAAa,IAAI,SAAS;AACjD;","names":[]}

package/dist/auth/web3-signed-builder.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Builder for Web3Signed Authorization headers.
+ *
+ * @remarks
+ * Ported from `personal-server-ts`
+ * (`packages/core/src/signing/request-signer.ts`). The original was wired
+ * to a Node-only `ServerAccount` and `node:crypto`. This isomorphic version
+ * accepts any `signMessage` callback (viem accounts, wallet clients, etc.)
+ * and uses `@noble/hashes` for SHA-256 so it runs in browsers and Workers.
+ *
+ * Wire format is identical to PS — payload is JSON with sorted keys,
+ * base64url-encoded, signed via EIP-191.
+ *
+ * @category Auth
+ */
+/**
+ * Sign-message callback compatible with viem `LocalAccount`/`WalletClient`-style
+ * signers. Must produce an EIP-191 (`personal_sign`) signature.
+ */
+export type Web3SignedSignFn = (message: string) => Promise<`0x${string}`>;
+/** Compute the `sha256:<hex>` bodyHash claim for a request body. */
+export declare function computeBodyHash(body: Uint8Array | undefined): string;
+/**
+ * Build a Web3Signed Authorization header value.
+ *
+ * @returns The full header value (`"Web3Signed <base64url>.<sig>"`).
+ */
+export declare function buildWeb3SignedHeader(params: {
+    /** EIP-191 signer (e.g. viem `account.signMessage`). */
+    signMessage: Web3SignedSignFn;
+    /** Expected origin (e.g. `"https://ps.example.com"`). */
+    aud: string;
+    /** HTTP method (e.g. `"GET"`). */
+    method: string;
+    /** Request URI/path (e.g. `"/v1/data/instagram.profile"`). */
+    uri: string;
+    /** Optional request body — when present, used to compute `bodyHash`. */
+    body?: Uint8Array;
+    /** Issued-at (unix seconds). Defaults to now. */
+    iat?: number;
+    /** Expiry (unix seconds). Defaults to `iat + 300`. */
+    exp?: number;
+    /** Optional grant id, attached as the `grantId` claim. */
+    grantId?: string;
+    /** Pre-computed `bodyHash` claim — overrides `body`. */
+    bodyHash?: string;
+}): Promise<string>;

package/dist/auth/web3-signed-builder.js

@@ -0,0 +1,45 @@
+import { sha256 } from "@noble/hashes/sha2";
+import { bytesToHex } from "viem";
+import { toBase64 } from "../utils/encoding";
+const EMPTY_BODY_HASH = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
+const DEFAULT_TTL_SECONDS = 300;
+function base64urlEncode(input) {
+  return toBase64(input).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function computeBodyHash(body) {
+  if (!body || body.length === 0) {
+    return EMPTY_BODY_HASH;
+  }
+  const digest = sha256(body);
+  return `sha256:${bytesToHex(digest).slice(2)}`;
+}
+async function buildWeb3SignedHeader(params) {
+  const now = Math.floor(Date.now() / 1e3);
+  const iat = params.iat ?? now;
+  const exp = params.exp ?? iat + DEFAULT_TTL_SECONDS;
+  const payload = {
+    aud: params.aud,
+    bodyHash: params.bodyHash ?? computeBodyHash(params.body),
+    exp,
+    iat,
+    method: params.method,
+    uri: params.uri
+  };
+  if (params.grantId !== void 0) {
+    payload["grantId"] = params.grantId;
+  }
+  const sortedPayload = Object.keys(payload).sort().reduce((acc, key) => {
+    acc[key] = payload[key];
+    return acc;
+  }, {});
+  const payloadJson = JSON.stringify(sortedPayload);
+  const payloadBytes = new TextEncoder().encode(payloadJson);
+  const payloadBase64 = base64urlEncode(payloadBytes);
+  const signature = await params.signMessage(payloadBase64);
+  return `Web3Signed ${payloadBase64}.${signature}`;
+}
+export {
+  buildWeb3SignedHeader,
+  computeBodyHash
+};
+//# sourceMappingURL=web3-signed-builder.js.map

package/dist/auth/web3-signed-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/web3-signed-builder.ts"],"sourcesContent":["/**\n * Builder for Web3Signed Authorization headers.\n *\n * @remarks\n * Ported from `personal-server-ts`\n * (`packages/core/src/signing/request-signer.ts`). The original was wired\n * to a Node-only `ServerAccount` and `node:crypto`. This isomorphic version\n * accepts any `signMessage` callback (viem accounts, wallet clients, etc.)\n * and uses `@noble/hashes` for SHA-256 so it runs in browsers and Workers.\n *\n * Wire format is identical to PS — payload is JSON with sorted keys,\n * base64url-encoded, signed via EIP-191.\n *\n * @category Auth\n */\n\nimport { sha256 } from \"@noble/hashes/sha2\";\nimport { bytesToHex } from \"viem\";\nimport { toBase64 } from \"../utils/encoding\";\n\n/**\n * Sign-message callback compatible with viem `LocalAccount`/`WalletClient`-style\n * signers. Must produce an EIP-191 (`personal_sign`) signature.\n */\nexport type Web3SignedSignFn = (message: string) => Promise<`0x${string}`>;\n\n/** SHA-256 of the empty string — bodyHash for empty bodies. */\nconst EMPTY_BODY_HASH =\n  \"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\";\n\n/** Default token lifetime (seconds). */\nconst DEFAULT_TTL_SECONDS = 300;\n\n/** Base64url encode bytes (no padding). */\nfunction base64urlEncode(input: Uint8Array): string {\n  return toBase64(input)\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\n/** Compute the `sha256:<hex>` bodyHash claim for a request body. */\nexport function computeBodyHash(body: Uint8Array | undefined): string {\n  if (!body || body.length === 0) {\n    return EMPTY_BODY_HASH;\n  }\n  const digest = sha256(body);\n  return `sha256:${bytesToHex(digest).slice(2)}`;\n}\n\n/**\n * Build a Web3Signed Authorization header value.\n *\n * @returns The full header value (`\"Web3Signed <base64url>.<sig>\"`).\n */\nexport async function buildWeb3SignedHeader(params: {\n  /** EIP-191 signer (e.g. viem `account.signMessage`). */\n  signMessage: Web3SignedSignFn;\n  /** Expected origin (e.g. `\"https://ps.example.com\"`). */\n  aud: string;\n  /** HTTP method (e.g. `\"GET\"`). */\n  method: string;\n  /** Request URI/path (e.g. `\"/v1/data/instagram.profile\"`). */\n  uri: string;\n  /** Optional request body — when present, used to compute `bodyHash`. */\n  body?: Uint8Array;\n  /** Issued-at (unix seconds). Defaults to now. */\n  iat?: number;\n  /** Expiry (unix seconds). Defaults to `iat + 300`. */\n  exp?: number;\n  /** Optional grant id, attached as the `grantId` claim. */\n  grantId?: string;\n  /** Pre-computed `bodyHash` claim — overrides `body`. */\n  bodyHash?: string;\n}): Promise<string> {\n  const now = Math.floor(Date.now() / 1000);\n  const iat = params.iat ?? now;\n  const exp = params.exp ?? iat + DEFAULT_TTL_SECONDS;\n\n  const payload: Record<string, unknown> = {\n    aud: params.aud,\n    bodyHash: params.bodyHash ?? computeBodyHash(params.body),\n    exp,\n    iat,\n    method: params.method,\n    uri: params.uri,\n  };\n\n  if (params.grantId !== undefined) {\n    payload[\"grantId\"] = params.grantId;\n  }\n\n  // Sort keys for deterministic serialization.\n  const sortedPayload = Object.keys(payload)\n    .sort()\n    .reduce<Record<string, unknown>>((acc, key) => {\n      acc[key] = payload[key];\n      return acc;\n    }, {});\n\n  const payloadJson = JSON.stringify(sortedPayload);\n  const payloadBytes = new TextEncoder().encode(payloadJson);\n  const payloadBase64 = base64urlEncode(payloadBytes);\n\n  const signature = await params.signMessage(payloadBase64);\n\n  return `Web3Signed ${payloadBase64}.${signature}`;\n}\n"],"mappings":"AAgBA,SAAS,cAAc;AACvB,SAAS,kBAAkB;AAC3B,SAAS,gBAAgB;AASzB,MAAM,kBACJ;AAGF,MAAM,sBAAsB;AAG5B,SAAS,gBAAgB,OAA2B;AAClD,SAAO,SAAS,KAAK,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACtB;AAGO,SAAS,gBAAgB,MAAsC;AACpE,MAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B,WAAO;AAAA,EACT;AACA,QAAM,SAAS,OAAO,IAAI;AAC1B,SAAO,UAAU,WAAW,MAAM,EAAE,MAAM,CAAC,CAAC;AAC9C;AAOA,eAAsB,sBAAsB,QAmBxB;AAClB,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,MAAM,OAAO,OAAO;AAC1B,QAAM,MAAM,OAAO,OAAO,MAAM;AAEhC,QAAM,UAAmC;AAAA,IACvC,KAAK,OAAO;AAAA,IACZ,UAAU,OAAO,YAAY,gBAAgB,OAAO,IAAI;AAAA,IACxD;AAAA,IACA;AAAA,IACA,QAAQ,OAAO;AAAA,IACf,KAAK,OAAO;AAAA,EACd;AAEA,MAAI,OAAO,YAAY,QAAW;AAChC,YAAQ,SAAS,IAAI,OAAO;AAAA,EAC9B;AAGA,QAAM,gBAAgB,OAAO,KAAK,OAAO,EACtC,KAAK,EACL,OAAgC,CAAC,KAAK,QAAQ;AAC7C,QAAI,GAAG,IAAI,QAAQ,GAAG;AACtB,WAAO;AAAA,EACT,GAAG,CAAC,CAAC;AAEP,QAAM,cAAc,KAAK,UAAU,aAAa;AAChD,QAAM,eAAe,IAAI,YAAY,EAAE,OAAO,WAAW;AACzD,QAAM,gBAAgB,gBAAgB,YAAY;AAElD,QAAM,YAAY,MAAM,OAAO,YAAY,aAAa;AAExD,SAAO,cAAc,aAAa,IAAI,SAAS;AACjD;","names":[]}

package/dist/auth/web3-signed.cjs

@@ -0,0 +1,150 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var web3_signed_exports = {};
+__export(web3_signed_exports, {
+  parseWeb3SignedHeader: () => parseWeb3SignedHeader,
+  verifyWeb3Signed: () => verifyWeb3Signed
+});
+module.exports = __toCommonJS(web3_signed_exports);
+var import_viem = require("viem");
+var import_encoding = require("../utils/encoding");
+var import_errors = require("./errors");
+var import_web3_signed_builder = require("./web3-signed-builder");
+const WEB3_SIGNED_PREFIX = "Web3Signed ";
+const CLOCK_SKEW_SECONDS = 60;
+function base64urlDecode(input) {
+  let base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  base64 += "=".repeat(padLength);
+  return new TextDecoder().decode((0, import_encoding.fromBase64)(base64));
+}
+function isFiniteNumber(value) {
+  return typeof value === "number" && Number.isFinite(value);
+}
+function parsePayload(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) {
+    throw new import_errors.InvalidSignatureError({ reason: "Invalid payload shape" });
+  }
+  const payload = value;
+  if (typeof payload["aud"] !== "string" || typeof payload["method"] !== "string" || typeof payload["uri"] !== "string" || typeof payload["bodyHash"] !== "string" || !isFiniteNumber(payload["iat"]) || !isFiniteNumber(payload["exp"])) {
+    throw new import_errors.InvalidSignatureError({ reason: "Invalid payload claims" });
+  }
+  if (payload["grantId"] !== void 0 && typeof payload["grantId"] !== "string") {
+    throw new import_errors.InvalidSignatureError({ reason: "Invalid grantId claim" });
+  }
+  return {
+    aud: payload["aud"],
+    method: payload["method"],
+    uri: payload["uri"],
+    bodyHash: payload["bodyHash"],
+    iat: payload["iat"],
+    exp: payload["exp"],
+    grantId: payload["grantId"]
+  };
+}
+function parseWeb3SignedHeader(headerValue) {
+  if (!headerValue) {
+    throw new import_errors.MissingAuthError();
+  }
+  if (!headerValue.startsWith(WEB3_SIGNED_PREFIX)) {
+    throw new import_errors.InvalidSignatureError({ reason: "Missing Web3Signed prefix" });
+  }
+  const value = headerValue.slice(WEB3_SIGNED_PREFIX.length);
+  const dotIndex = value.indexOf(".");
+  if (dotIndex === -1 || dotIndex === 0 || dotIndex === value.length - 1) {
+    throw new import_errors.InvalidSignatureError({ reason: "Invalid header format" });
+  }
+  const payloadBase64 = value.slice(0, dotIndex);
+  const signatureStr = value.slice(dotIndex + 1);
+  if (!signatureStr.startsWith("0x")) {
+    throw new import_errors.InvalidSignatureError({ reason: "Invalid signature format" });
+  }
+  let payload;
+  try {
+    const decoded = base64urlDecode(payloadBase64);
+    payload = parsePayload(JSON.parse(decoded));
+  } catch (err) {
+    if (err instanceof import_errors.InvalidSignatureError) throw err;
+    throw new import_errors.InvalidSignatureError({ reason: "Invalid payload encoding" });
+  }
+  return {
+    payloadBase64,
+    payload,
+    signature: signatureStr
+  };
+}
+async function verifyWeb3Signed(params) {
+  const { payloadBase64, payload, signature } = parseWeb3SignedHeader(
+    params.headerValue
+  );
+  let signer;
+  try {
+    signer = await (0, import_viem.recoverMessageAddress)({
+      message: payloadBase64,
+      signature
+    });
+  } catch {
+    throw new import_errors.InvalidSignatureError({ reason: "Signature recovery failed" });
+  }
+  if (payload.aud !== params.expectedOrigin) {
+    throw new import_errors.InvalidSignatureError({
+      reason: "Audience mismatch",
+      expected: params.expectedOrigin,
+      actual: payload.aud
+    });
+  }
+  if (payload.method !== params.expectedMethod) {
+    throw new import_errors.InvalidSignatureError({
+      reason: "Method mismatch",
+      expected: params.expectedMethod,
+      actual: payload.method
+    });
+  }
+  if (payload.uri !== params.expectedPath) {
+    throw new import_errors.InvalidSignatureError({
+      reason: "URI mismatch",
+      expected: params.expectedPath,
+      actual: payload.uri
+    });
+  }
+  if (params.bodyBytes !== void 0) {
+    const expectedBodyHash = (0, import_web3_signed_builder.computeBodyHash)(params.bodyBytes);
+    if (payload.bodyHash !== expectedBodyHash) {
+      throw new import_errors.InvalidSignatureError({
+        reason: "Body hash mismatch",
+        expected: expectedBodyHash,
+        actual: payload.bodyHash
+      });
+    }
+  }
+  const now = params.now ?? Math.floor(Date.now() / 1e3);
+  if (payload.exp < now - CLOCK_SKEW_SECONDS) {
+    throw new import_errors.ExpiredTokenError({ reason: "Token expired" });
+  }
+  if (payload.iat > now + CLOCK_SKEW_SECONDS) {
+    throw new import_errors.ExpiredTokenError({ reason: "Token issued in the future" });
+  }
+  return { signer, payload };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  parseWeb3SignedHeader,
+  verifyWeb3Signed
+});
+//# sourceMappingURL=web3-signed.cjs.map

package/dist/auth/web3-signed.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/web3-signed.ts"],"sourcesContent":["/**\n * Web3Signed Authorization header parsing and verification.\n *\n * @remarks\n * Header format: `\"Web3Signed {base64url(payload)}.{signature}\"`.\n * Payload is JSON with fields `aud`, `method`, `uri`, `bodyHash`, `iat`, `exp`,\n * and optional `grantId`. The signature is EIP-191 over the base64url-encoded\n * payload string.\n *\n * Ported from `personal-server-ts` (`packages/core/src/auth/web3-signed.ts`).\n * Adjusted to be isomorphic (no `Buffer`) and to use SDK-local error types.\n *\n * @category Auth\n */\n\nimport { recoverMessageAddress } from \"viem\";\nimport { fromBase64 } from \"../utils/encoding\";\nimport {\n  MissingAuthError,\n  InvalidSignatureError,\n  ExpiredTokenError,\n} from \"./errors\";\nimport { computeBodyHash } from \"./web3-signed-builder\";\n\nexport interface Web3SignedPayload {\n  aud: string;\n  method: string;\n  uri: string;\n  bodyHash: string;\n  iat: number;\n  exp: number;\n  grantId?: string;\n}\n\nexport interface VerifiedAuth {\n  signer: `0x${string}`;\n  payload: Web3SignedPayload;\n}\n\nconst WEB3_SIGNED_PREFIX = \"Web3Signed \";\nconst CLOCK_SKEW_SECONDS = 60;\n\n/** Decode a base64url string (no padding) to UTF-8. */\nfunction base64urlDecode(input: string): string {\n  let base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n  const padLength = (4 - (base64.length % 4)) % 4;\n  base64 += \"=\".repeat(padLength);\n  return new TextDecoder().decode(fromBase64(base64));\n}\n\nfunction isFiniteNumber(value: unknown): value is number {\n  return typeof value === \"number\" && Number.isFinite(value);\n}\n\nfunction parsePayload(value: unknown): Web3SignedPayload {\n  if (value === null || typeof value !== \"object\" || Array.isArray(value)) {\n    throw new InvalidSignatureError({ reason: \"Invalid payload shape\" });\n  }\n\n  const payload = value as Record<string, unknown>;\n  if (\n    typeof payload[\"aud\"] !== \"string\" ||\n    typeof payload[\"method\"] !== \"string\" ||\n    typeof payload[\"uri\"] !== \"string\" ||\n    typeof payload[\"bodyHash\"] !== \"string\" ||\n    !isFiniteNumber(payload[\"iat\"]) ||\n    !isFiniteNumber(payload[\"exp\"])\n  ) {\n    throw new InvalidSignatureError({ reason: \"Invalid payload claims\" });\n  }\n\n  if (\n    payload[\"grantId\"] !== undefined &&\n    typeof payload[\"grantId\"] !== \"string\"\n  ) {\n    throw new InvalidSignatureError({ reason: \"Invalid grantId claim\" });\n  }\n\n  return {\n    aud: payload[\"aud\"],\n    method: payload[\"method\"],\n    uri: payload[\"uri\"],\n    bodyHash: payload[\"bodyHash\"],\n    iat: payload[\"iat\"],\n    exp: payload[\"exp\"],\n    grantId: payload[\"grantId\"],\n  };\n}\n\n/**\n * Parse a `\"Web3Signed <base64url>.<signature>\"` header value.\n *\n * @throws {MissingAuthError} If the header is missing or empty.\n * @throws {InvalidSignatureError} If the format is invalid.\n */\nexport function parseWeb3SignedHeader(headerValue: string | undefined): {\n  payloadBase64: string;\n  payload: Web3SignedPayload;\n  signature: `0x${string}`;\n} {\n  if (!headerValue) {\n    throw new MissingAuthError();\n  }\n\n  if (!headerValue.startsWith(WEB3_SIGNED_PREFIX)) {\n    throw new InvalidSignatureError({ reason: \"Missing Web3Signed prefix\" });\n  }\n\n  const value = headerValue.slice(WEB3_SIGNED_PREFIX.length);\n  const dotIndex = value.indexOf(\".\");\n  if (dotIndex === -1 || dotIndex === 0 || dotIndex === value.length - 1) {\n    throw new InvalidSignatureError({ reason: \"Invalid header format\" });\n  }\n\n  const payloadBase64 = value.slice(0, dotIndex);\n  const signatureStr = value.slice(dotIndex + 1);\n\n  if (!signatureStr.startsWith(\"0x\")) {\n    throw new InvalidSignatureError({ reason: \"Invalid signature format\" });\n  }\n\n  let payload: Web3SignedPayload;\n  try {\n    const decoded = base64urlDecode(payloadBase64);\n    payload = parsePayload(JSON.parse(decoded));\n  } catch (err) {\n    if (err instanceof InvalidSignatureError) throw err;\n    throw new InvalidSignatureError({ reason: \"Invalid payload encoding\" });\n  }\n\n  return {\n    payloadBase64,\n    payload,\n    signature: signatureStr as `0x${string}`,\n  };\n}\n\n/**\n * Full verification: parse header, recover signer via EIP-191, check claims.\n *\n * @remarks\n * Steps:\n * 1. Parse header to base64url + signature.\n * 2. Recover signer via {@link recoverMessageAddress} (EIP-191) over the base64url payload string.\n * 3. Check `aud === expectedOrigin`, `method === expectedMethod`, `uri === expectedPath`.\n * 4. Optionally check `bodyHash` against `bodyBytes`.\n * 5. Check `iat`/`exp` within a 60s clock skew.\n *\n * @returns The recovered signer address and parsed payload.\n */\nexport async function verifyWeb3Signed(params: {\n  headerValue: string | undefined;\n  expectedOrigin: string;\n  expectedMethod: string;\n  expectedPath: string;\n  bodyBytes?: Uint8Array;\n  now?: number;\n}): Promise<VerifiedAuth> {\n  const { payloadBase64, payload, signature } = parseWeb3SignedHeader(\n    params.headerValue,\n  );\n\n  let signer: `0x${string}`;\n  try {\n    signer = await recoverMessageAddress({\n      message: payloadBase64,\n      signature,\n    });\n  } catch {\n    throw new InvalidSignatureError({ reason: \"Signature recovery failed\" });\n  }\n\n  if (payload.aud !== params.expectedOrigin) {\n    throw new InvalidSignatureError({\n      reason: \"Audience mismatch\",\n      expected: params.expectedOrigin,\n      actual: payload.aud,\n    });\n  }\n\n  if (payload.method !== params.expectedMethod) {\n    throw new InvalidSignatureError({\n      reason: \"Method mismatch\",\n      expected: params.expectedMethod,\n      actual: payload.method,\n    });\n  }\n\n  if (payload.uri !== params.expectedPath) {\n    throw new InvalidSignatureError({\n      reason: \"URI mismatch\",\n      expected: params.expectedPath,\n      actual: payload.uri,\n    });\n  }\n\n  if (params.bodyBytes !== undefined) {\n    const expectedBodyHash = computeBodyHash(params.bodyBytes);\n    if (payload.bodyHash !== expectedBodyHash) {\n      throw new InvalidSignatureError({\n        reason: \"Body hash mismatch\",\n        expected: expectedBodyHash,\n        actual: payload.bodyHash,\n      });\n    }\n  }\n\n  const now = params.now ?? Math.floor(Date.now() / 1000);\n\n  if (payload.exp < now - CLOCK_SKEW_SECONDS) {\n    throw new ExpiredTokenError({ reason: \"Token expired\" });\n  }\n\n  if (payload.iat > now + CLOCK_SKEW_SECONDS) {\n    throw new ExpiredTokenError({ reason: \"Token issued in the future\" });\n  }\n\n  return { signer, payload };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAeA,kBAAsC;AACtC,sBAA2B;AAC3B,oBAIO;AACP,iCAAgC;AAiBhC,MAAM,qBAAqB;AAC3B,MAAM,qBAAqB;AAG3B,SAAS,gBAAgB,OAAuB;AAC9C,MAAI,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACvD,QAAM,aAAa,IAAK,OAAO,SAAS,KAAM;AAC9C,YAAU,IAAI,OAAO,SAAS;AAC9B,SAAO,IAAI,YAAY,EAAE,WAAO,4BAAW,MAAM,CAAC;AACpD;AAEA,SAAS,eAAe,OAAiC;AACvD,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK;AAC3D;AAEA,SAAS,aAAa,OAAmC;AACvD,MAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAAG;AACvE,UAAM,IAAI,oCAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,QAAM,UAAU;AAChB,MACE,OAAO,QAAQ,KAAK,MAAM,YAC1B,OAAO,QAAQ,QAAQ,MAAM,YAC7B,OAAO,QAAQ,KAAK,MAAM,YAC1B,OAAO,QAAQ,UAAU,MAAM,YAC/B,CAAC,eAAe,QAAQ,KAAK,CAAC,KAC9B,CAAC,eAAe,QAAQ,KAAK,CAAC,GAC9B;AACA,UAAM,IAAI,oCAAsB,EAAE,QAAQ,yBAAyB,CAAC;AAAA,EACtE;AAEA,MACE,QAAQ,SAAS,MAAM,UACvB,OAAO,QAAQ,SAAS,MAAM,UAC9B;AACA,UAAM,IAAI,oCAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,SAAO;AAAA,IACL,KAAK,QAAQ,KAAK;AAAA,IAClB,QAAQ,QAAQ,QAAQ;AAAA,IACxB,KAAK,QAAQ,KAAK;AAAA,IAClB,UAAU,QAAQ,UAAU;AAAA,IAC5B,KAAK,QAAQ,KAAK;AAAA,IAClB,KAAK,QAAQ,KAAK;AAAA,IAClB,SAAS,QAAQ,SAAS;AAAA,EAC5B;AACF;AAQO,SAAS,sBAAsB,aAIpC;AACA,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,+BAAiB;AAAA,EAC7B;AAEA,MAAI,CAAC,YAAY,WAAW,kBAAkB,GAAG;AAC/C,UAAM,IAAI,oCAAsB,EAAE,QAAQ,4BAA4B,CAAC;AAAA,EACzE;AAEA,QAAM,QAAQ,YAAY,MAAM,mBAAmB,MAAM;AACzD,QAAM,WAAW,MAAM,QAAQ,GAAG;AAClC,MAAI,aAAa,MAAM,aAAa,KAAK,aAAa,MAAM,SAAS,GAAG;AACtE,UAAM,IAAI,oCAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,QAAM,gBAAgB,MAAM,MAAM,GAAG,QAAQ;AAC7C,QAAM,eAAe,MAAM,MAAM,WAAW,CAAC;AAE7C,MAAI,CAAC,aAAa,WAAW,IAAI,GAAG;AAClC,UAAM,IAAI,oCAAsB,EAAE,QAAQ,2BAA2B,CAAC;AAAA,EACxE;AAEA,MAAI;AACJ,MAAI;AACF,UAAM,UAAU,gBAAgB,aAAa;AAC7C,cAAU,aAAa,KAAK,MAAM,OAAO,CAAC;AAAA,EAC5C,SAAS,KAAK;AACZ,QAAI,eAAe,oCAAuB,OAAM;AAChD,UAAM,IAAI,oCAAsB,EAAE,QAAQ,2BAA2B,CAAC;AAAA,EACxE;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AACF;AAeA,eAAsB,iBAAiB,QAOb;AACxB,QAAM,EAAE,eAAe,SAAS,UAAU,IAAI;AAAA,IAC5C,OAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI;AACF,aAAS,UAAM,mCAAsB;AAAA,MACnC,SAAS;AAAA,MACT;AAAA,IACF,CAAC;AAAA,EACH,QAAQ;AACN,UAAM,IAAI,oCAAsB,EAAE,QAAQ,4BAA4B,CAAC;AAAA,EACzE;AAEA,MAAI,QAAQ,QAAQ,OAAO,gBAAgB;AACzC,UAAM,IAAI,oCAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,WAAW,OAAO,gBAAgB;AAC5C,UAAM,IAAI,oCAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,QAAQ,OAAO,cAAc;AACvC,UAAM,IAAI,oCAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,cAAc,QAAW;AAClC,UAAM,uBAAmB,4CAAgB,OAAO,SAAS;AACzD,QAAI,QAAQ,aAAa,kBAAkB;AACzC,YAAM,IAAI,oCAAsB;AAAA,QAC9B,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,MAAM,OAAO,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAEtD,MAAI,QAAQ,MAAM,MAAM,oBAAoB;AAC1C,UAAM,IAAI,gCAAkB,EAAE,QAAQ,gBAAgB,CAAC;AAAA,EACzD;AAEA,MAAI,QAAQ,MAAM,MAAM,oBAAoB;AAC1C,UAAM,IAAI,gCAAkB,EAAE,QAAQ,6BAA6B,CAAC;AAAA,EACtE;AAEA,SAAO,EAAE,QAAQ,QAAQ;AAC3B;","names":[]}

package/dist/auth/web3-signed.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Web3Signed Authorization header parsing and verification.
+ *
+ * @remarks
+ * Header format: `"Web3Signed {base64url(payload)}.{signature}"`.
+ * Payload is JSON with fields `aud`, `method`, `uri`, `bodyHash`, `iat`, `exp`,
+ * and optional `grantId`. The signature is EIP-191 over the base64url-encoded
+ * payload string.
+ *
+ * Ported from `personal-server-ts` (`packages/core/src/auth/web3-signed.ts`).
+ * Adjusted to be isomorphic (no `Buffer`) and to use SDK-local error types.
+ *
+ * @category Auth
+ */
+export interface Web3SignedPayload {
+    aud: string;
+    method: string;
+    uri: string;
+    bodyHash: string;
+    iat: number;
+    exp: number;
+    grantId?: string;
+}
+export interface VerifiedAuth {
+    signer: `0x${string}`;
+    payload: Web3SignedPayload;
+}
+/**
+ * Parse a `"Web3Signed <base64url>.<signature>"` header value.
+ *
+ * @throws {MissingAuthError} If the header is missing or empty.
+ * @throws {InvalidSignatureError} If the format is invalid.
+ */
+export declare function parseWeb3SignedHeader(headerValue: string | undefined): {
+    payloadBase64: string;
+    payload: Web3SignedPayload;
+    signature: `0x${string}`;
+};
+/**
+ * Full verification: parse header, recover signer via EIP-191, check claims.
+ *
+ * @remarks
+ * Steps:
+ * 1. Parse header to base64url + signature.
+ * 2. Recover signer via {@link recoverMessageAddress} (EIP-191) over the base64url payload string.
+ * 3. Check `aud === expectedOrigin`, `method === expectedMethod`, `uri === expectedPath`.
+ * 4. Optionally check `bodyHash` against `bodyBytes`.
+ * 5. Check `iat`/`exp` within a 60s clock skew.
+ *
+ * @returns The recovered signer address and parsed payload.
+ */
+export declare function verifyWeb3Signed(params: {
+    headerValue: string | undefined;
+    expectedOrigin: string;
+    expectedMethod: string;
+    expectedPath: string;
+    bodyBytes?: Uint8Array;
+    now?: number;
+}): Promise<VerifiedAuth>;

package/dist/auth/web3-signed.js

@@ -0,0 +1,129 @@
+import { recoverMessageAddress } from "viem";
+import { fromBase64 } from "../utils/encoding";
+import {
+  MissingAuthError,
+  InvalidSignatureError,
+  ExpiredTokenError
+} from "./errors";
+import { computeBodyHash } from "./web3-signed-builder";
+const WEB3_SIGNED_PREFIX = "Web3Signed ";
+const CLOCK_SKEW_SECONDS = 60;
+function base64urlDecode(input) {
+  let base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  base64 += "=".repeat(padLength);
+  return new TextDecoder().decode(fromBase64(base64));
+}
+function isFiniteNumber(value) {
+  return typeof value === "number" && Number.isFinite(value);
+}
+function parsePayload(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) {
+    throw new InvalidSignatureError({ reason: "Invalid payload shape" });
+  }
+  const payload = value;
+  if (typeof payload["aud"] !== "string" || typeof payload["method"] !== "string" || typeof payload["uri"] !== "string" || typeof payload["bodyHash"] !== "string" || !isFiniteNumber(payload["iat"]) || !isFiniteNumber(payload["exp"])) {
+    throw new InvalidSignatureError({ reason: "Invalid payload claims" });
+  }
+  if (payload["grantId"] !== void 0 && typeof payload["grantId"] !== "string") {
+    throw new InvalidSignatureError({ reason: "Invalid grantId claim" });
+  }
+  return {
+    aud: payload["aud"],
+    method: payload["method"],
+    uri: payload["uri"],
+    bodyHash: payload["bodyHash"],
+    iat: payload["iat"],
+    exp: payload["exp"],
+    grantId: payload["grantId"]
+  };
+}
+function parseWeb3SignedHeader(headerValue) {
+  if (!headerValue) {
+    throw new MissingAuthError();
+  }
+  if (!headerValue.startsWith(WEB3_SIGNED_PREFIX)) {
+    throw new InvalidSignatureError({ reason: "Missing Web3Signed prefix" });
+  }
+  const value = headerValue.slice(WEB3_SIGNED_PREFIX.length);
+  const dotIndex = value.indexOf(".");
+  if (dotIndex === -1 || dotIndex === 0 || dotIndex === value.length - 1) {
+    throw new InvalidSignatureError({ reason: "Invalid header format" });
+  }
+  const payloadBase64 = value.slice(0, dotIndex);
+  const signatureStr = value.slice(dotIndex + 1);
+  if (!signatureStr.startsWith("0x")) {
+    throw new InvalidSignatureError({ reason: "Invalid signature format" });
+  }
+  let payload;
+  try {
+    const decoded = base64urlDecode(payloadBase64);
+    payload = parsePayload(JSON.parse(decoded));
+  } catch (err) {
+    if (err instanceof InvalidSignatureError) throw err;
+    throw new InvalidSignatureError({ reason: "Invalid payload encoding" });
+  }
+  return {
+    payloadBase64,
+    payload,
+    signature: signatureStr
+  };
+}
+async function verifyWeb3Signed(params) {
+  const { payloadBase64, payload, signature } = parseWeb3SignedHeader(
+    params.headerValue
+  );
+  let signer;
+  try {
+    signer = await recoverMessageAddress({
+      message: payloadBase64,
+      signature
+    });
+  } catch {
+    throw new InvalidSignatureError({ reason: "Signature recovery failed" });
+  }
+  if (payload.aud !== params.expectedOrigin) {
+    throw new InvalidSignatureError({
+      reason: "Audience mismatch",
+      expected: params.expectedOrigin,
+      actual: payload.aud
+    });
+  }
+  if (payload.method !== params.expectedMethod) {
+    throw new InvalidSignatureError({
+      reason: "Method mismatch",
+      expected: params.expectedMethod,
+      actual: payload.method
+    });
+  }
+  if (payload.uri !== params.expectedPath) {
+    throw new InvalidSignatureError({
+      reason: "URI mismatch",
+      expected: params.expectedPath,
+      actual: payload.uri
+    });
+  }
+  if (params.bodyBytes !== void 0) {
+    const expectedBodyHash = computeBodyHash(params.bodyBytes);
+    if (payload.bodyHash !== expectedBodyHash) {
+      throw new InvalidSignatureError({
+        reason: "Body hash mismatch",
+        expected: expectedBodyHash,
+        actual: payload.bodyHash
+      });
+    }
+  }
+  const now = params.now ?? Math.floor(Date.now() / 1e3);
+  if (payload.exp < now - CLOCK_SKEW_SECONDS) {
+    throw new ExpiredTokenError({ reason: "Token expired" });
+  }
+  if (payload.iat > now + CLOCK_SKEW_SECONDS) {
+    throw new ExpiredTokenError({ reason: "Token issued in the future" });
+  }
+  return { signer, payload };
+}
+export {
+  parseWeb3SignedHeader,
+  verifyWeb3Signed
+};
+//# sourceMappingURL=web3-signed.js.map