@opendatalabs/vana-sdk 3.0.0 → 3.0.1-pr.147.a4abdb1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/personal-server-lite-owner-binding.cjs +81 -0
- package/dist/account/personal-server-lite-owner-binding.cjs.map +1 -0
- package/dist/account/personal-server-lite-owner-binding.d.ts +30 -0
- package/dist/account/personal-server-lite-owner-binding.js +59 -0
- package/dist/account/personal-server-lite-owner-binding.js.map +1 -0
- package/dist/account/personal-server-lite-owner-binding.test.d.ts +1 -0
- package/dist/account/personal-server-registration.cjs +196 -0
- package/dist/account/personal-server-registration.cjs.map +1 -0
- package/dist/account/personal-server-registration.d.ts +66 -0
- package/dist/account/personal-server-registration.js +172 -0
- package/dist/account/personal-server-registration.js.map +1 -0
- package/dist/account/personal-server-registration.test.d.ts +1 -0
- package/dist/auth/web3-signed.cjs +28 -3
- package/dist/auth/web3-signed.cjs.map +1 -1
- package/dist/auth/web3-signed.js +28 -3
- package/dist/auth/web3-signed.js.map +1 -1
- package/dist/index.browser.d.ts +5 -0
- package/dist/index.browser.js +562 -16
- package/dist/index.browser.js.map +4 -4
- package/dist/index.node.cjs +580 -16
- package/dist/index.node.cjs.map +4 -4
- package/dist/index.node.d.ts +5 -0
- package/dist/index.node.js +562 -16
- package/dist/index.node.js.map +4 -4
- package/dist/protocol/eip712.cjs.map +1 -1
- package/dist/protocol/eip712.d.ts +1 -1
- package/dist/protocol/eip712.js.map +1 -1
- package/dist/protocol/grants.cjs +146 -0
- package/dist/protocol/grants.cjs.map +1 -0
- package/dist/protocol/grants.d.ts +31 -0
- package/dist/protocol/grants.js +123 -0
- package/dist/protocol/grants.js.map +1 -0
- package/dist/protocol/grants.test.d.ts +1 -0
- package/dist/protocol/personal-server-lite-owner-binding.cjs +93 -0
- package/dist/protocol/personal-server-lite-owner-binding.cjs.map +1 -0
- package/dist/protocol/personal-server-lite-owner-binding.d.ts +44 -0
- package/dist/protocol/personal-server-lite-owner-binding.js +65 -0
- package/dist/protocol/personal-server-lite-owner-binding.js.map +1 -0
- package/dist/protocol/personal-server-lite-owner-binding.test.d.ts +1 -0
- package/dist/protocol/personal-server-registration.cjs +122 -0
- package/dist/protocol/personal-server-registration.cjs.map +1 -0
- package/dist/protocol/personal-server-registration.d.ts +62 -0
- package/dist/protocol/personal-server-registration.js +97 -0
- package/dist/protocol/personal-server-registration.js.map +1 -0
- package/dist/protocol/personal-server-registration.test.d.ts +1 -0
- package/dist/storage/index.cjs.map +1 -1
- package/dist/storage/index.d.ts +1 -1
- package/dist/storage/index.js.map +1 -1
- package/dist/storage/providers/vana-storage.cjs +1 -1
- package/dist/storage/providers/vana-storage.cjs.map +1 -1
- package/dist/storage/providers/vana-storage.d.ts +2 -2
- package/dist/storage/providers/vana-storage.js +1 -1
- package/dist/storage/providers/vana-storage.js.map +1 -1
- package/dist/types/ps-errors.cjs +37 -12
- package/dist/types/ps-errors.cjs.map +1 -1
- package/dist/types/ps-errors.d.ts +7 -6
- package/dist/types/ps-errors.js +37 -12
- package/dist/types/ps-errors.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/account/personal-server-registration.ts"],"sourcesContent":["/**\n * Optional first-party Account integration for Personal Server registration.\n *\n * The protocol helper lives in `protocol/personal-server-registration`.\n * This module is only for callers that want to use an Account deployment's\n * constrained silent-sign endpoint.\n *\n * @category Account\n */\n\nimport { isAddress, type Address, type Hex } from \"viem\";\nimport {\n buildPersonalServerRegistrationTypedData,\n type BuildPersonalServerRegistrationTypedDataInput,\n type PersonalServerRegistrationSignature,\n type PersonalServerRegistrationSigner,\n type PersonalServerRegistrationTypedData,\n} from \"../protocol/personal-server-registration\";\n\nexport const ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT =\n \"personal_server.server_registration.v1\" as const;\n\nexport type AccountPersonalServerRegistrationIntent =\n typeof ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT;\n\nexport type AccountPersonalServerRegistrationStatus =\n | \"signed\"\n | \"confirmation_required\"\n | \"fallback_required\";\n\nexport interface AccountPersonalServerRegistrationRequest extends Omit<\n BuildPersonalServerRegistrationTypedDataInput,\n \"ownerAddress\"\n> {}\n\nexport interface AccountPersonalServerRegistrationConfig {\n /**\n * Origin for the Account deployment to call, e.g. an app-dev Account origin.\n * No production origin is assumed by the SDK.\n */\n accountOrigin: string;\n /**\n * Path for Account's constrained PS registration silent-sign endpoint.\n */\n endpointPath?: string;\n /**\n * Optional fetch implementation for tests and non-default runtimes.\n */\n fetchImpl?: typeof fetch;\n /**\n * Optional signer used when Account says user confirmation is required and\n * returns typed data for the caller to sign interactively.\n */\n fallbackSigner?: PersonalServerRegistrationSigner;\n}\n\nexport type AccountPersonalServerRegistrationSignature =\n PersonalServerRegistrationSignature & {\n intent: AccountPersonalServerRegistrationIntent;\n };\n\nexport interface AccountSignedPersonalServerRegistration {\n status: \"signed\";\n result: AccountPersonalServerRegistrationSignature;\n}\n\nexport interface AccountConfirmationRequiredPersonalServerRegistration {\n status: \"confirmation_required\";\n typedData: PersonalServerRegistrationTypedData;\n signerAddress?: Address;\n}\n\nexport interface AccountFallbackSignedPersonalServerRegistration {\n status: \"fallback_signed\";\n accountStatus: \"confirmation_required\";\n result: AccountPersonalServerRegistrationSignature;\n}\n\nexport type AccountPersonalServerRegistrationResult =\n | AccountSignedPersonalServerRegistration\n | AccountConfirmationRequiredPersonalServerRegistration\n | AccountFallbackSignedPersonalServerRegistration;\n\nexport class AccountPersonalServerRegistrationError extends Error {\n status: number;\n code?: string;\n details?: unknown;\n\n constructor(input: {\n status: number;\n message: string;\n code?: string;\n details?: unknown;\n }) {\n super(input.message);\n this.name = \"AccountPersonalServerRegistrationError\";\n this.status = input.status;\n this.code = input.code;\n this.details = input.details;\n }\n}\n\ninterface AccountSilentSignResponse {\n status: AccountPersonalServerRegistrationStatus;\n signature?: Hex;\n signerAddress?: Address;\n signer?: { address?: Address };\n typedData?: PersonalServerRegistrationTypedData;\n typed_data?: PersonalServerRegistrationTypedData;\n error?: unknown;\n}\n\n// Account-owned route policy. Protocol signing primitives deliberately do not\n// define Account intent names or API paths.\nconst DEFAULT_ACCOUNT_PS_REGISTRATION_PATH =\n \"/api/v1/intents/personal-server-registration/sign\";\n\nfunction trimTrailingSlash(value: string): string {\n return value.replace(/\\/+$/, \"\");\n}\n\nfunction assertAddress(value: Address, name: string): void {\n if (!isAddress(value)) {\n throw new Error(`${name} must be a valid EVM address`);\n }\n}\n\nasync function parseAccountResponse(\n response: Response,\n): Promise<AccountSilentSignResponse> {\n const body = (await response.json().catch(() => undefined)) as unknown;\n\n if (!response.ok) {\n throw new AccountPersonalServerRegistrationError({\n status: response.status,\n code: accountErrorCode(body),\n message: accountErrorMessage(response.status, body),\n details: body,\n });\n }\n\n return body as AccountSilentSignResponse;\n}\n\nfunction accountErrorMessage(status: number, body: unknown): string {\n const nestedMessage = nestedAccountErrorField(body, \"message\");\n if (nestedMessage) {\n return nestedMessage;\n }\n\n if (isRecord(body) && typeof body.message === \"string\") {\n return body.message;\n }\n\n const code = accountErrorCode(body);\n if (code) {\n return `Account PS registration signing failed: ${code}`;\n }\n\n return `Account PS registration signing failed: ${status}`;\n}\n\nfunction accountErrorCode(body: unknown): string | undefined {\n const nestedCode = nestedAccountErrorField(body, \"code\");\n if (nestedCode) {\n return nestedCode;\n }\n\n if (isRecord(body)) {\n if (typeof body.code === \"string\") {\n return body.code;\n }\n if (typeof body.error === \"string\") {\n return body.error;\n }\n }\n\n return undefined;\n}\n\nfunction nestedAccountErrorField(\n body: unknown,\n field: \"code\" | \"message\",\n): string | undefined {\n if (!isRecord(body) || !isRecord(body.error)) {\n return undefined;\n }\n\n const value = body.error[field];\n return typeof value === \"string\" ? value : undefined;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return typeof value === \"object\" && value !== null;\n}\n\nfunction normalizeAccountResponse(\n response: AccountSilentSignResponse,\n): AccountSilentSignResponse {\n return {\n ...response,\n status:\n response.status === \"fallback_required\"\n ? \"confirmation_required\"\n : response.status,\n signerAddress: response.signerAddress ?? response.signer?.address,\n typedData: response.typedData ?? response.typed_data,\n };\n}\n\nfunction buildSignedResult(\n response: Required<\n Pick<AccountSilentSignResponse, \"signature\" | \"signerAddress\">\n > &\n Pick<AccountSilentSignResponse, \"typedData\">,\n request: AccountPersonalServerRegistrationRequest,\n): AccountPersonalServerRegistrationSignature {\n assertAddress(response.signerAddress, \"signerAddress\");\n\n return {\n signature: response.signature,\n signerAddress: response.signerAddress,\n typedData:\n response.typedData ??\n buildPersonalServerRegistrationTypedData({\n ownerAddress: response.signerAddress,\n ...request,\n }),\n intent: ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT,\n };\n}\n\nexport async function signPersonalServerRegistrationWithAccount(\n config: AccountPersonalServerRegistrationConfig,\n request: AccountPersonalServerRegistrationRequest,\n): Promise<AccountPersonalServerRegistrationResult> {\n assertAddress(request.serverAddress, \"serverAddress\");\n\n const fetchImpl = config.fetchImpl ?? globalThis.fetch.bind(globalThis);\n const endpoint = new URL(\n config.endpointPath ?? DEFAULT_ACCOUNT_PS_REGISTRATION_PATH,\n `${trimTrailingSlash(config.accountOrigin)}/`,\n );\n\n const response = await fetchImpl(endpoint, {\n method: \"POST\",\n headers: { \"content-type\": \"application/json\" },\n credentials: \"include\",\n body: JSON.stringify({\n intent: ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT,\n serverAddress: request.serverAddress,\n serverPublicKey: request.serverPublicKey,\n serverUrl: request.serverUrl,\n config: request.config,\n chainId: request.chainId,\n verifyingContract: request.verifyingContract,\n }),\n });\n const body = normalizeAccountResponse(await parseAccountResponse(response));\n\n if (body.status === \"signed\") {\n if (!body.signature || !body.signerAddress) {\n throw new Error(\n \"Account signed response must include signature and signerAddress\",\n );\n }\n\n return {\n status: \"signed\",\n result: buildSignedResult(\n {\n signature: body.signature,\n signerAddress: body.signerAddress,\n typedData: body.typedData,\n },\n request,\n ),\n };\n }\n\n if (body.status === \"confirmation_required\") {\n if (!body.typedData) {\n throw new Error(\n \"Account confirmation_required response must include typedData\",\n );\n }\n\n if (!config.fallbackSigner) {\n return {\n status: \"confirmation_required\",\n typedData: body.typedData,\n signerAddress: body.signerAddress,\n };\n }\n\n const signature = await config.fallbackSigner.signTypedData(body.typedData);\n\n return {\n status: \"fallback_signed\",\n accountStatus: \"confirmation_required\",\n result: {\n signature,\n signerAddress: config.fallbackSigner.address,\n typedData: body.typedData,\n intent: ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT,\n },\n };\n }\n\n throw new Error(\n `Unsupported Account PS registration signing status: ${String(body.status)}`,\n );\n}\n"],"mappings":"AAUA,SAAS,iBAAyC;AAClD;AAAA,EACE;AAAA,OAKK;AAEA,MAAM,8CACX;AA+DK,MAAM,+CAA+C,MAAM;AAAA,EAChE;AAAA,EACA;AAAA,EACA;AAAA,EAEA,YAAY,OAKT;AACD,UAAM,MAAM,OAAO;AACnB,SAAK,OAAO;AACZ,SAAK,SAAS,MAAM;AACpB,SAAK,OAAO,MAAM;AAClB,SAAK,UAAU,MAAM;AAAA,EACvB;AACF;AAcA,MAAM,uCACJ;AAEF,SAAS,kBAAkB,OAAuB;AAChD,SAAO,MAAM,QAAQ,QAAQ,EAAE;AACjC;AAEA,SAAS,cAAc,OAAgB,MAAoB;AACzD,MAAI,CAAC,UAAU,KAAK,GAAG;AACrB,UAAM,IAAI,MAAM,GAAG,IAAI,8BAA8B;AAAA,EACvD;AACF;AAEA,eAAe,qBACb,UACoC;AACpC,QAAM,OAAQ,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,MAAS;AAEzD,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAI,uCAAuC;AAAA,MAC/C,QAAQ,SAAS;AAAA,MACjB,MAAM,iBAAiB,IAAI;AAAA,MAC3B,SAAS,oBAAoB,SAAS,QAAQ,IAAI;AAAA,MAClD,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,SAAS,oBAAoB,QAAgB,MAAuB;AAClE,QAAM,gBAAgB,wBAAwB,MAAM,SAAS;AAC7D,MAAI,eAAe;AACjB,WAAO;AAAA,EACT;AAEA,MAAI,SAAS,IAAI,KAAK,OAAO,KAAK,YAAY,UAAU;AACtD,WAAO,KAAK;AAAA,EACd;AAEA,QAAM,OAAO,iBAAiB,IAAI;AAClC,MAAI,MAAM;AACR,WAAO,2CAA2C,IAAI;AAAA,EACxD;AAEA,SAAO,2CAA2C,MAAM;AAC1D;AAEA,SAAS,iBAAiB,MAAmC;AAC3D,QAAM,aAAa,wBAAwB,MAAM,MAAM;AACvD,MAAI,YAAY;AACd,WAAO;AAAA,EACT;AAEA,MAAI,SAAS,IAAI,GAAG;AAClB,QAAI,OAAO,KAAK,SAAS,UAAU;AACjC,aAAO,KAAK;AAAA,IACd;AACA,QAAI,OAAO,KAAK,UAAU,UAAU;AAClC,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,wBACP,MACA,OACoB;AACpB,MAAI,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,KAAK,KAAK,GAAG;AAC5C,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,KAAK,MAAM,KAAK;AAC9B,SAAO,OAAO,UAAU,WAAW,QAAQ;AAC7C;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU;AAChD;AAEA,SAAS,yBACP,UAC2B;AAC3B,SAAO;AAAA,IACL,GAAG;AAAA,IACH,QACE,SAAS,WAAW,sBAChB,0BACA,SAAS;AAAA,IACf,eAAe,SAAS,iBAAiB,SAAS,QAAQ;AAAA,IAC1D,WAAW,SAAS,aAAa,SAAS;AAAA,EAC5C;AACF;AAEA,SAAS,kBACP,UAIA,SAC4C;AAC5C,gBAAc,SAAS,eAAe,eAAe;AAErD,SAAO;AAAA,IACL,WAAW,SAAS;AAAA,IACpB,eAAe,SAAS;AAAA,IACxB,WACE,SAAS,aACT,yCAAyC;AAAA,MACvC,cAAc,SAAS;AAAA,MACvB,GAAG;AAAA,IACL,CAAC;AAAA,IACH,QAAQ;AAAA,EACV;AACF;AAEA,eAAsB,0CACpB,QACA,SACkD;AAClD,gBAAc,QAAQ,eAAe,eAAe;AAEpD,QAAM,YAAY,OAAO,aAAa,WAAW,MAAM,KAAK,UAAU;AACtE,QAAM,WAAW,IAAI;AAAA,IACnB,OAAO,gBAAgB;AAAA,IACvB,GAAG,kBAAkB,OAAO,aAAa,CAAC;AAAA,EAC5C;AAEA,QAAM,WAAW,MAAM,UAAU,UAAU;AAAA,IACzC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,aAAa;AAAA,IACb,MAAM,KAAK,UAAU;AAAA,MACnB,QAAQ;AAAA,MACR,eAAe,QAAQ;AAAA,MACvB,iBAAiB,QAAQ;AAAA,MACzB,WAAW,QAAQ;AAAA,MACnB,QAAQ,QAAQ;AAAA,MAChB,SAAS,QAAQ;AAAA,MACjB,mBAAmB,QAAQ;AAAA,IAC7B,CAAC;AAAA,EACH,CAAC;AACD,QAAM,OAAO,yBAAyB,MAAM,qBAAqB,QAAQ,CAAC;AAE1E,MAAI,KAAK,WAAW,UAAU;AAC5B,QAAI,CAAC,KAAK,aAAa,CAAC,KAAK,eAAe;AAC1C,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ;AAAA,QACN;AAAA,UACE,WAAW,KAAK;AAAA,UAChB,eAAe,KAAK;AAAA,UACpB,WAAW,KAAK;AAAA,QAClB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,KAAK,WAAW,yBAAyB;AAC3C,QAAI,CAAC,KAAK,WAAW;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,gBAAgB;AAC1B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,WAAW,KAAK;AAAA,QAChB,eAAe,KAAK;AAAA,MACtB;AAAA,IACF;AAEA,UAAM,YAAY,MAAM,OAAO,eAAe,cAAc,KAAK,SAAS;AAE1E,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,eAAe;AAAA,MACf,QAAQ;AAAA,QACN;AAAA,QACA,eAAe,OAAO,eAAe;AAAA,QACrC,WAAW,KAAK;AAAA,QAChB,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR,uDAAuD,OAAO,KAAK,MAAM,CAAC;AAAA,EAC5E;AACF;","names":[]}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -34,6 +34,30 @@ function base64urlDecode(input) {
|
|
|
34
34
|
base64 += "=".repeat(padLength);
|
|
35
35
|
return new TextDecoder().decode((0, import_encoding.fromBase64)(base64));
|
|
36
36
|
}
|
|
37
|
+
function isFiniteNumber(value) {
|
|
38
|
+
return typeof value === "number" && Number.isFinite(value);
|
|
39
|
+
}
|
|
40
|
+
function parsePayload(value) {
|
|
41
|
+
if (value === null || typeof value !== "object" || Array.isArray(value)) {
|
|
42
|
+
throw new import_errors.InvalidSignatureError({ reason: "Invalid payload shape" });
|
|
43
|
+
}
|
|
44
|
+
const payload = value;
|
|
45
|
+
if (typeof payload["aud"] !== "string" || typeof payload["method"] !== "string" || typeof payload["uri"] !== "string" || typeof payload["bodyHash"] !== "string" || !isFiniteNumber(payload["iat"]) || !isFiniteNumber(payload["exp"])) {
|
|
46
|
+
throw new import_errors.InvalidSignatureError({ reason: "Invalid payload claims" });
|
|
47
|
+
}
|
|
48
|
+
if (payload["grantId"] !== void 0 && typeof payload["grantId"] !== "string") {
|
|
49
|
+
throw new import_errors.InvalidSignatureError({ reason: "Invalid grantId claim" });
|
|
50
|
+
}
|
|
51
|
+
return {
|
|
52
|
+
aud: payload["aud"],
|
|
53
|
+
method: payload["method"],
|
|
54
|
+
uri: payload["uri"],
|
|
55
|
+
bodyHash: payload["bodyHash"],
|
|
56
|
+
iat: payload["iat"],
|
|
57
|
+
exp: payload["exp"],
|
|
58
|
+
grantId: payload["grantId"]
|
|
59
|
+
};
|
|
60
|
+
}
|
|
37
61
|
function parseWeb3SignedHeader(headerValue) {
|
|
38
62
|
if (!headerValue) {
|
|
39
63
|
throw new import_errors.MissingAuthError();
|
|
@@ -54,8 +78,9 @@ function parseWeb3SignedHeader(headerValue) {
|
|
|
54
78
|
let payload;
|
|
55
79
|
try {
|
|
56
80
|
const decoded = base64urlDecode(payloadBase64);
|
|
57
|
-
payload = JSON.parse(decoded);
|
|
58
|
-
} catch {
|
|
81
|
+
payload = parsePayload(JSON.parse(decoded));
|
|
82
|
+
} catch (err) {
|
|
83
|
+
if (err instanceof import_errors.InvalidSignatureError) throw err;
|
|
59
84
|
throw new import_errors.InvalidSignatureError({ reason: "Invalid payload encoding" });
|
|
60
85
|
}
|
|
61
86
|
return {
|
|
@@ -98,7 +123,7 @@ async function verifyWeb3Signed(params) {
|
|
|
98
123
|
actual: payload.uri
|
|
99
124
|
});
|
|
100
125
|
}
|
|
101
|
-
if (params.bodyBytes !== void 0
|
|
126
|
+
if (params.bodyBytes !== void 0) {
|
|
102
127
|
const expectedBodyHash = (0, import_web3_signed_builder.computeBodyHash)(params.bodyBytes);
|
|
103
128
|
if (payload.bodyHash !== expectedBodyHash) {
|
|
104
129
|
throw new import_errors.InvalidSignatureError({
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/auth/web3-signed.ts"],"sourcesContent":["/**\n * Web3Signed Authorization header parsing and verification.\n *\n * @remarks\n * Header format: `\"Web3Signed {base64url(payload)}.{signature}\"`.\n * Payload is JSON with fields `aud`, `method`, `uri`, `bodyHash`, `iat`, `exp`,\n * and optional `grantId`. The signature is EIP-191 over the base64url-encoded\n * payload string.\n *\n * Ported from `personal-server-ts` (`packages/core/src/auth/web3-signed.ts`).\n * Adjusted to be isomorphic (no `Buffer`) and to use SDK-local error types.\n *\n * @category Auth\n */\n\nimport { recoverMessageAddress } from \"viem\";\nimport { fromBase64 } from \"../utils/encoding\";\nimport {\n MissingAuthError,\n InvalidSignatureError,\n ExpiredTokenError,\n} from \"./errors\";\nimport { computeBodyHash } from \"./web3-signed-builder\";\n\nexport interface Web3SignedPayload {\n aud: string;\n method: string;\n uri: string;\n bodyHash: string;\n iat: number;\n exp: number;\n grantId?: string;\n}\n\nexport interface VerifiedAuth {\n signer: `0x${string}`;\n payload: Web3SignedPayload;\n}\n\nconst WEB3_SIGNED_PREFIX = \"Web3Signed \";\nconst CLOCK_SKEW_SECONDS = 60;\n\n/** Decode a base64url string (no padding) to UTF-8. */\nfunction base64urlDecode(input: string): string {\n let base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padLength = (4 - (base64.length % 4)) % 4;\n base64 += \"=\".repeat(padLength);\n return new TextDecoder().decode(fromBase64(base64));\n}\n\n/**\n * Parse a `\"Web3Signed <base64url>.<signature>\"` header value.\n *\n * @throws {MissingAuthError} If the header is missing or empty.\n * @throws {InvalidSignatureError} If the format is invalid.\n */\nexport function parseWeb3SignedHeader(headerValue: string | undefined): {\n payloadBase64: string;\n payload: Web3SignedPayload;\n signature: `0x${string}`;\n} {\n if (!headerValue) {\n throw new MissingAuthError();\n }\n\n if (!headerValue.startsWith(WEB3_SIGNED_PREFIX)) {\n throw new InvalidSignatureError({ reason: \"Missing Web3Signed prefix\" });\n }\n\n const value = headerValue.slice(WEB3_SIGNED_PREFIX.length);\n const dotIndex = value.indexOf(\".\");\n if (dotIndex === -1 || dotIndex === 0 || dotIndex === value.length - 1) {\n throw new InvalidSignatureError({ reason: \"Invalid header format\" });\n }\n\n const payloadBase64 = value.slice(0, dotIndex);\n const signatureStr = value.slice(dotIndex + 1);\n\n if (!signatureStr.startsWith(\"0x\")) {\n throw new InvalidSignatureError({ reason: \"Invalid signature format\" });\n }\n\n let payload: Web3SignedPayload;\n try {\n const decoded = base64urlDecode(payloadBase64);\n payload = JSON.parse(decoded)
|
|
1
|
+
{"version":3,"sources":["../../src/auth/web3-signed.ts"],"sourcesContent":["/**\n * Web3Signed Authorization header parsing and verification.\n *\n * @remarks\n * Header format: `\"Web3Signed {base64url(payload)}.{signature}\"`.\n * Payload is JSON with fields `aud`, `method`, `uri`, `bodyHash`, `iat`, `exp`,\n * and optional `grantId`. The signature is EIP-191 over the base64url-encoded\n * payload string.\n *\n * Ported from `personal-server-ts` (`packages/core/src/auth/web3-signed.ts`).\n * Adjusted to be isomorphic (no `Buffer`) and to use SDK-local error types.\n *\n * @category Auth\n */\n\nimport { recoverMessageAddress } from \"viem\";\nimport { fromBase64 } from \"../utils/encoding\";\nimport {\n MissingAuthError,\n InvalidSignatureError,\n ExpiredTokenError,\n} from \"./errors\";\nimport { computeBodyHash } from \"./web3-signed-builder\";\n\nexport interface Web3SignedPayload {\n aud: string;\n method: string;\n uri: string;\n bodyHash: string;\n iat: number;\n exp: number;\n grantId?: string;\n}\n\nexport interface VerifiedAuth {\n signer: `0x${string}`;\n payload: Web3SignedPayload;\n}\n\nconst WEB3_SIGNED_PREFIX = \"Web3Signed \";\nconst CLOCK_SKEW_SECONDS = 60;\n\n/** Decode a base64url string (no padding) to UTF-8. */\nfunction base64urlDecode(input: string): string {\n let base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padLength = (4 - (base64.length % 4)) % 4;\n base64 += \"=\".repeat(padLength);\n return new TextDecoder().decode(fromBase64(base64));\n}\n\nfunction isFiniteNumber(value: unknown): value is number {\n return typeof value === \"number\" && Number.isFinite(value);\n}\n\nfunction parsePayload(value: unknown): Web3SignedPayload {\n if (value === null || typeof value !== \"object\" || Array.isArray(value)) {\n throw new InvalidSignatureError({ reason: \"Invalid payload shape\" });\n }\n\n const payload = value as Record<string, unknown>;\n if (\n typeof payload[\"aud\"] !== \"string\" ||\n typeof payload[\"method\"] !== \"string\" ||\n typeof payload[\"uri\"] !== \"string\" ||\n typeof payload[\"bodyHash\"] !== \"string\" ||\n !isFiniteNumber(payload[\"iat\"]) ||\n !isFiniteNumber(payload[\"exp\"])\n ) {\n throw new InvalidSignatureError({ reason: \"Invalid payload claims\" });\n }\n\n if (\n payload[\"grantId\"] !== undefined &&\n typeof payload[\"grantId\"] !== \"string\"\n ) {\n throw new InvalidSignatureError({ reason: \"Invalid grantId claim\" });\n }\n\n return {\n aud: payload[\"aud\"],\n method: payload[\"method\"],\n uri: payload[\"uri\"],\n bodyHash: payload[\"bodyHash\"],\n iat: payload[\"iat\"],\n exp: payload[\"exp\"],\n grantId: payload[\"grantId\"],\n };\n}\n\n/**\n * Parse a `\"Web3Signed <base64url>.<signature>\"` header value.\n *\n * @throws {MissingAuthError} If the header is missing or empty.\n * @throws {InvalidSignatureError} If the format is invalid.\n */\nexport function parseWeb3SignedHeader(headerValue: string | undefined): {\n payloadBase64: string;\n payload: Web3SignedPayload;\n signature: `0x${string}`;\n} {\n if (!headerValue) {\n throw new MissingAuthError();\n }\n\n if (!headerValue.startsWith(WEB3_SIGNED_PREFIX)) {\n throw new InvalidSignatureError({ reason: \"Missing Web3Signed prefix\" });\n }\n\n const value = headerValue.slice(WEB3_SIGNED_PREFIX.length);\n const dotIndex = value.indexOf(\".\");\n if (dotIndex === -1 || dotIndex === 0 || dotIndex === value.length - 1) {\n throw new InvalidSignatureError({ reason: \"Invalid header format\" });\n }\n\n const payloadBase64 = value.slice(0, dotIndex);\n const signatureStr = value.slice(dotIndex + 1);\n\n if (!signatureStr.startsWith(\"0x\")) {\n throw new InvalidSignatureError({ reason: \"Invalid signature format\" });\n }\n\n let payload: Web3SignedPayload;\n try {\n const decoded = base64urlDecode(payloadBase64);\n payload = parsePayload(JSON.parse(decoded));\n } catch (err) {\n if (err instanceof InvalidSignatureError) throw err;\n throw new InvalidSignatureError({ reason: \"Invalid payload encoding\" });\n }\n\n return {\n payloadBase64,\n payload,\n signature: signatureStr as `0x${string}`,\n };\n}\n\n/**\n * Full verification: parse header, recover signer via EIP-191, check claims.\n *\n * @remarks\n * Steps:\n * 1. Parse header to base64url + signature.\n * 2. Recover signer via {@link recoverMessageAddress} (EIP-191) over the base64url payload string.\n * 3. Check `aud === expectedOrigin`, `method === expectedMethod`, `uri === expectedPath`.\n * 4. Optionally check `bodyHash` against `bodyBytes`.\n * 5. Check `iat`/`exp` within a 60s clock skew.\n *\n * @returns The recovered signer address and parsed payload.\n */\nexport async function verifyWeb3Signed(params: {\n headerValue: string | undefined;\n expectedOrigin: string;\n expectedMethod: string;\n expectedPath: string;\n bodyBytes?: Uint8Array;\n now?: number;\n}): Promise<VerifiedAuth> {\n const { payloadBase64, payload, signature } = parseWeb3SignedHeader(\n params.headerValue,\n );\n\n let signer: `0x${string}`;\n try {\n signer = await recoverMessageAddress({\n message: payloadBase64,\n signature,\n });\n } catch {\n throw new InvalidSignatureError({ reason: \"Signature recovery failed\" });\n }\n\n if (payload.aud !== params.expectedOrigin) {\n throw new InvalidSignatureError({\n reason: \"Audience mismatch\",\n expected: params.expectedOrigin,\n actual: payload.aud,\n });\n }\n\n if (payload.method !== params.expectedMethod) {\n throw new InvalidSignatureError({\n reason: \"Method mismatch\",\n expected: params.expectedMethod,\n actual: payload.method,\n });\n }\n\n if (payload.uri !== params.expectedPath) {\n throw new InvalidSignatureError({\n reason: \"URI mismatch\",\n expected: params.expectedPath,\n actual: payload.uri,\n });\n }\n\n if (params.bodyBytes !== undefined) {\n const expectedBodyHash = computeBodyHash(params.bodyBytes);\n if (payload.bodyHash !== expectedBodyHash) {\n throw new InvalidSignatureError({\n reason: \"Body hash mismatch\",\n expected: expectedBodyHash,\n actual: payload.bodyHash,\n });\n }\n }\n\n const now = params.now ?? Math.floor(Date.now() / 1000);\n\n if (payload.exp < now - CLOCK_SKEW_SECONDS) {\n throw new ExpiredTokenError({ reason: \"Token expired\" });\n }\n\n if (payload.iat > now + CLOCK_SKEW_SECONDS) {\n throw new ExpiredTokenError({ reason: \"Token issued in the future\" });\n }\n\n return { signer, payload };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAeA,kBAAsC;AACtC,sBAA2B;AAC3B,oBAIO;AACP,iCAAgC;AAiBhC,MAAM,qBAAqB;AAC3B,MAAM,qBAAqB;AAG3B,SAAS,gBAAgB,OAAuB;AAC9C,MAAI,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACvD,QAAM,aAAa,IAAK,OAAO,SAAS,KAAM;AAC9C,YAAU,IAAI,OAAO,SAAS;AAC9B,SAAO,IAAI,YAAY,EAAE,WAAO,4BAAW,MAAM,CAAC;AACpD;AAEA,SAAS,eAAe,OAAiC;AACvD,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK;AAC3D;AAEA,SAAS,aAAa,OAAmC;AACvD,MAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAAG;AACvE,UAAM,IAAI,oCAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,QAAM,UAAU;AAChB,MACE,OAAO,QAAQ,KAAK,MAAM,YAC1B,OAAO,QAAQ,QAAQ,MAAM,YAC7B,OAAO,QAAQ,KAAK,MAAM,YAC1B,OAAO,QAAQ,UAAU,MAAM,YAC/B,CAAC,eAAe,QAAQ,KAAK,CAAC,KAC9B,CAAC,eAAe,QAAQ,KAAK,CAAC,GAC9B;AACA,UAAM,IAAI,oCAAsB,EAAE,QAAQ,yBAAyB,CAAC;AAAA,EACtE;AAEA,MACE,QAAQ,SAAS,MAAM,UACvB,OAAO,QAAQ,SAAS,MAAM,UAC9B;AACA,UAAM,IAAI,oCAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,SAAO;AAAA,IACL,KAAK,QAAQ,KAAK;AAAA,IAClB,QAAQ,QAAQ,QAAQ;AAAA,IACxB,KAAK,QAAQ,KAAK;AAAA,IAClB,UAAU,QAAQ,UAAU;AAAA,IAC5B,KAAK,QAAQ,KAAK;AAAA,IAClB,KAAK,QAAQ,KAAK;AAAA,IAClB,SAAS,QAAQ,SAAS;AAAA,EAC5B;AACF;AAQO,SAAS,sBAAsB,aAIpC;AACA,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,+BAAiB;AAAA,EAC7B;AAEA,MAAI,CAAC,YAAY,WAAW,kBAAkB,GAAG;AAC/C,UAAM,IAAI,oCAAsB,EAAE,QAAQ,4BAA4B,CAAC;AAAA,EACzE;AAEA,QAAM,QAAQ,YAAY,MAAM,mBAAmB,MAAM;AACzD,QAAM,WAAW,MAAM,QAAQ,GAAG;AAClC,MAAI,aAAa,MAAM,aAAa,KAAK,aAAa,MAAM,SAAS,GAAG;AACtE,UAAM,IAAI,oCAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,QAAM,gBAAgB,MAAM,MAAM,GAAG,QAAQ;AAC7C,QAAM,eAAe,MAAM,MAAM,WAAW,CAAC;AAE7C,MAAI,CAAC,aAAa,WAAW,IAAI,GAAG;AAClC,UAAM,IAAI,oCAAsB,EAAE,QAAQ,2BAA2B,CAAC;AAAA,EACxE;AAEA,MAAI;AACJ,MAAI;AACF,UAAM,UAAU,gBAAgB,aAAa;AAC7C,cAAU,aAAa,KAAK,MAAM,OAAO,CAAC;AAAA,EAC5C,SAAS,KAAK;AACZ,QAAI,eAAe,oCAAuB,OAAM;AAChD,UAAM,IAAI,oCAAsB,EAAE,QAAQ,2BAA2B,CAAC;AAAA,EACxE;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AACF;AAeA,eAAsB,iBAAiB,QAOb;AACxB,QAAM,EAAE,eAAe,SAAS,UAAU,IAAI;AAAA,IAC5C,OAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI;AACF,aAAS,UAAM,mCAAsB;AAAA,MACnC,SAAS;AAAA,MACT;AAAA,IACF,CAAC;AAAA,EACH,QAAQ;AACN,UAAM,IAAI,oCAAsB,EAAE,QAAQ,4BAA4B,CAAC;AAAA,EACzE;AAEA,MAAI,QAAQ,QAAQ,OAAO,gBAAgB;AACzC,UAAM,IAAI,oCAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,WAAW,OAAO,gBAAgB;AAC5C,UAAM,IAAI,oCAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,QAAQ,OAAO,cAAc;AACvC,UAAM,IAAI,oCAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,cAAc,QAAW;AAClC,UAAM,uBAAmB,4CAAgB,OAAO,SAAS;AACzD,QAAI,QAAQ,aAAa,kBAAkB;AACzC,YAAM,IAAI,oCAAsB;AAAA,QAC9B,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,MAAM,OAAO,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAEtD,MAAI,QAAQ,MAAM,MAAM,oBAAoB;AAC1C,UAAM,IAAI,gCAAkB,EAAE,QAAQ,gBAAgB,CAAC;AAAA,EACzD;AAEA,MAAI,QAAQ,MAAM,MAAM,oBAAoB;AAC1C,UAAM,IAAI,gCAAkB,EAAE,QAAQ,6BAA6B,CAAC;AAAA,EACtE;AAEA,SAAO,EAAE,QAAQ,QAAQ;AAC3B;","names":[]}
|
package/dist/auth/web3-signed.js
CHANGED
|
@@ -14,6 +14,30 @@ function base64urlDecode(input) {
|
|
|
14
14
|
base64 += "=".repeat(padLength);
|
|
15
15
|
return new TextDecoder().decode(fromBase64(base64));
|
|
16
16
|
}
|
|
17
|
+
function isFiniteNumber(value) {
|
|
18
|
+
return typeof value === "number" && Number.isFinite(value);
|
|
19
|
+
}
|
|
20
|
+
function parsePayload(value) {
|
|
21
|
+
if (value === null || typeof value !== "object" || Array.isArray(value)) {
|
|
22
|
+
throw new InvalidSignatureError({ reason: "Invalid payload shape" });
|
|
23
|
+
}
|
|
24
|
+
const payload = value;
|
|
25
|
+
if (typeof payload["aud"] !== "string" || typeof payload["method"] !== "string" || typeof payload["uri"] !== "string" || typeof payload["bodyHash"] !== "string" || !isFiniteNumber(payload["iat"]) || !isFiniteNumber(payload["exp"])) {
|
|
26
|
+
throw new InvalidSignatureError({ reason: "Invalid payload claims" });
|
|
27
|
+
}
|
|
28
|
+
if (payload["grantId"] !== void 0 && typeof payload["grantId"] !== "string") {
|
|
29
|
+
throw new InvalidSignatureError({ reason: "Invalid grantId claim" });
|
|
30
|
+
}
|
|
31
|
+
return {
|
|
32
|
+
aud: payload["aud"],
|
|
33
|
+
method: payload["method"],
|
|
34
|
+
uri: payload["uri"],
|
|
35
|
+
bodyHash: payload["bodyHash"],
|
|
36
|
+
iat: payload["iat"],
|
|
37
|
+
exp: payload["exp"],
|
|
38
|
+
grantId: payload["grantId"]
|
|
39
|
+
};
|
|
40
|
+
}
|
|
17
41
|
function parseWeb3SignedHeader(headerValue) {
|
|
18
42
|
if (!headerValue) {
|
|
19
43
|
throw new MissingAuthError();
|
|
@@ -34,8 +58,9 @@ function parseWeb3SignedHeader(headerValue) {
|
|
|
34
58
|
let payload;
|
|
35
59
|
try {
|
|
36
60
|
const decoded = base64urlDecode(payloadBase64);
|
|
37
|
-
payload = JSON.parse(decoded);
|
|
38
|
-
} catch {
|
|
61
|
+
payload = parsePayload(JSON.parse(decoded));
|
|
62
|
+
} catch (err) {
|
|
63
|
+
if (err instanceof InvalidSignatureError) throw err;
|
|
39
64
|
throw new InvalidSignatureError({ reason: "Invalid payload encoding" });
|
|
40
65
|
}
|
|
41
66
|
return {
|
|
@@ -78,7 +103,7 @@ async function verifyWeb3Signed(params) {
|
|
|
78
103
|
actual: payload.uri
|
|
79
104
|
});
|
|
80
105
|
}
|
|
81
|
-
if (params.bodyBytes !== void 0
|
|
106
|
+
if (params.bodyBytes !== void 0) {
|
|
82
107
|
const expectedBodyHash = computeBodyHash(params.bodyBytes);
|
|
83
108
|
if (payload.bodyHash !== expectedBodyHash) {
|
|
84
109
|
throw new InvalidSignatureError({
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/auth/web3-signed.ts"],"sourcesContent":["/**\n * Web3Signed Authorization header parsing and verification.\n *\n * @remarks\n * Header format: `\"Web3Signed {base64url(payload)}.{signature}\"`.\n * Payload is JSON with fields `aud`, `method`, `uri`, `bodyHash`, `iat`, `exp`,\n * and optional `grantId`. The signature is EIP-191 over the base64url-encoded\n * payload string.\n *\n * Ported from `personal-server-ts` (`packages/core/src/auth/web3-signed.ts`).\n * Adjusted to be isomorphic (no `Buffer`) and to use SDK-local error types.\n *\n * @category Auth\n */\n\nimport { recoverMessageAddress } from \"viem\";\nimport { fromBase64 } from \"../utils/encoding\";\nimport {\n MissingAuthError,\n InvalidSignatureError,\n ExpiredTokenError,\n} from \"./errors\";\nimport { computeBodyHash } from \"./web3-signed-builder\";\n\nexport interface Web3SignedPayload {\n aud: string;\n method: string;\n uri: string;\n bodyHash: string;\n iat: number;\n exp: number;\n grantId?: string;\n}\n\nexport interface VerifiedAuth {\n signer: `0x${string}`;\n payload: Web3SignedPayload;\n}\n\nconst WEB3_SIGNED_PREFIX = \"Web3Signed \";\nconst CLOCK_SKEW_SECONDS = 60;\n\n/** Decode a base64url string (no padding) to UTF-8. */\nfunction base64urlDecode(input: string): string {\n let base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padLength = (4 - (base64.length % 4)) % 4;\n base64 += \"=\".repeat(padLength);\n return new TextDecoder().decode(fromBase64(base64));\n}\n\n/**\n * Parse a `\"Web3Signed <base64url>.<signature>\"` header value.\n *\n * @throws {MissingAuthError} If the header is missing or empty.\n * @throws {InvalidSignatureError} If the format is invalid.\n */\nexport function parseWeb3SignedHeader(headerValue: string | undefined): {\n payloadBase64: string;\n payload: Web3SignedPayload;\n signature: `0x${string}`;\n} {\n if (!headerValue) {\n throw new MissingAuthError();\n }\n\n if (!headerValue.startsWith(WEB3_SIGNED_PREFIX)) {\n throw new InvalidSignatureError({ reason: \"Missing Web3Signed prefix\" });\n }\n\n const value = headerValue.slice(WEB3_SIGNED_PREFIX.length);\n const dotIndex = value.indexOf(\".\");\n if (dotIndex === -1 || dotIndex === 0 || dotIndex === value.length - 1) {\n throw new InvalidSignatureError({ reason: \"Invalid header format\" });\n }\n\n const payloadBase64 = value.slice(0, dotIndex);\n const signatureStr = value.slice(dotIndex + 1);\n\n if (!signatureStr.startsWith(\"0x\")) {\n throw new InvalidSignatureError({ reason: \"Invalid signature format\" });\n }\n\n let payload: Web3SignedPayload;\n try {\n const decoded = base64urlDecode(payloadBase64);\n payload = JSON.parse(decoded)
|
|
1
|
+
{"version":3,"sources":["../../src/auth/web3-signed.ts"],"sourcesContent":["/**\n * Web3Signed Authorization header parsing and verification.\n *\n * @remarks\n * Header format: `\"Web3Signed {base64url(payload)}.{signature}\"`.\n * Payload is JSON with fields `aud`, `method`, `uri`, `bodyHash`, `iat`, `exp`,\n * and optional `grantId`. The signature is EIP-191 over the base64url-encoded\n * payload string.\n *\n * Ported from `personal-server-ts` (`packages/core/src/auth/web3-signed.ts`).\n * Adjusted to be isomorphic (no `Buffer`) and to use SDK-local error types.\n *\n * @category Auth\n */\n\nimport { recoverMessageAddress } from \"viem\";\nimport { fromBase64 } from \"../utils/encoding\";\nimport {\n MissingAuthError,\n InvalidSignatureError,\n ExpiredTokenError,\n} from \"./errors\";\nimport { computeBodyHash } from \"./web3-signed-builder\";\n\nexport interface Web3SignedPayload {\n aud: string;\n method: string;\n uri: string;\n bodyHash: string;\n iat: number;\n exp: number;\n grantId?: string;\n}\n\nexport interface VerifiedAuth {\n signer: `0x${string}`;\n payload: Web3SignedPayload;\n}\n\nconst WEB3_SIGNED_PREFIX = \"Web3Signed \";\nconst CLOCK_SKEW_SECONDS = 60;\n\n/** Decode a base64url string (no padding) to UTF-8. */\nfunction base64urlDecode(input: string): string {\n let base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padLength = (4 - (base64.length % 4)) % 4;\n base64 += \"=\".repeat(padLength);\n return new TextDecoder().decode(fromBase64(base64));\n}\n\nfunction isFiniteNumber(value: unknown): value is number {\n return typeof value === \"number\" && Number.isFinite(value);\n}\n\nfunction parsePayload(value: unknown): Web3SignedPayload {\n if (value === null || typeof value !== \"object\" || Array.isArray(value)) {\n throw new InvalidSignatureError({ reason: \"Invalid payload shape\" });\n }\n\n const payload = value as Record<string, unknown>;\n if (\n typeof payload[\"aud\"] !== \"string\" ||\n typeof payload[\"method\"] !== \"string\" ||\n typeof payload[\"uri\"] !== \"string\" ||\n typeof payload[\"bodyHash\"] !== \"string\" ||\n !isFiniteNumber(payload[\"iat\"]) ||\n !isFiniteNumber(payload[\"exp\"])\n ) {\n throw new InvalidSignatureError({ reason: \"Invalid payload claims\" });\n }\n\n if (\n payload[\"grantId\"] !== undefined &&\n typeof payload[\"grantId\"] !== \"string\"\n ) {\n throw new InvalidSignatureError({ reason: \"Invalid grantId claim\" });\n }\n\n return {\n aud: payload[\"aud\"],\n method: payload[\"method\"],\n uri: payload[\"uri\"],\n bodyHash: payload[\"bodyHash\"],\n iat: payload[\"iat\"],\n exp: payload[\"exp\"],\n grantId: payload[\"grantId\"],\n };\n}\n\n/**\n * Parse a `\"Web3Signed <base64url>.<signature>\"` header value.\n *\n * @throws {MissingAuthError} If the header is missing or empty.\n * @throws {InvalidSignatureError} If the format is invalid.\n */\nexport function parseWeb3SignedHeader(headerValue: string | undefined): {\n payloadBase64: string;\n payload: Web3SignedPayload;\n signature: `0x${string}`;\n} {\n if (!headerValue) {\n throw new MissingAuthError();\n }\n\n if (!headerValue.startsWith(WEB3_SIGNED_PREFIX)) {\n throw new InvalidSignatureError({ reason: \"Missing Web3Signed prefix\" });\n }\n\n const value = headerValue.slice(WEB3_SIGNED_PREFIX.length);\n const dotIndex = value.indexOf(\".\");\n if (dotIndex === -1 || dotIndex === 0 || dotIndex === value.length - 1) {\n throw new InvalidSignatureError({ reason: \"Invalid header format\" });\n }\n\n const payloadBase64 = value.slice(0, dotIndex);\n const signatureStr = value.slice(dotIndex + 1);\n\n if (!signatureStr.startsWith(\"0x\")) {\n throw new InvalidSignatureError({ reason: \"Invalid signature format\" });\n }\n\n let payload: Web3SignedPayload;\n try {\n const decoded = base64urlDecode(payloadBase64);\n payload = parsePayload(JSON.parse(decoded));\n } catch (err) {\n if (err instanceof InvalidSignatureError) throw err;\n throw new InvalidSignatureError({ reason: \"Invalid payload encoding\" });\n }\n\n return {\n payloadBase64,\n payload,\n signature: signatureStr as `0x${string}`,\n };\n}\n\n/**\n * Full verification: parse header, recover signer via EIP-191, check claims.\n *\n * @remarks\n * Steps:\n * 1. Parse header to base64url + signature.\n * 2. Recover signer via {@link recoverMessageAddress} (EIP-191) over the base64url payload string.\n * 3. Check `aud === expectedOrigin`, `method === expectedMethod`, `uri === expectedPath`.\n * 4. Optionally check `bodyHash` against `bodyBytes`.\n * 5. Check `iat`/`exp` within a 60s clock skew.\n *\n * @returns The recovered signer address and parsed payload.\n */\nexport async function verifyWeb3Signed(params: {\n headerValue: string | undefined;\n expectedOrigin: string;\n expectedMethod: string;\n expectedPath: string;\n bodyBytes?: Uint8Array;\n now?: number;\n}): Promise<VerifiedAuth> {\n const { payloadBase64, payload, signature } = parseWeb3SignedHeader(\n params.headerValue,\n );\n\n let signer: `0x${string}`;\n try {\n signer = await recoverMessageAddress({\n message: payloadBase64,\n signature,\n });\n } catch {\n throw new InvalidSignatureError({ reason: \"Signature recovery failed\" });\n }\n\n if (payload.aud !== params.expectedOrigin) {\n throw new InvalidSignatureError({\n reason: \"Audience mismatch\",\n expected: params.expectedOrigin,\n actual: payload.aud,\n });\n }\n\n if (payload.method !== params.expectedMethod) {\n throw new InvalidSignatureError({\n reason: \"Method mismatch\",\n expected: params.expectedMethod,\n actual: payload.method,\n });\n }\n\n if (payload.uri !== params.expectedPath) {\n throw new InvalidSignatureError({\n reason: \"URI mismatch\",\n expected: params.expectedPath,\n actual: payload.uri,\n });\n }\n\n if (params.bodyBytes !== undefined) {\n const expectedBodyHash = computeBodyHash(params.bodyBytes);\n if (payload.bodyHash !== expectedBodyHash) {\n throw new InvalidSignatureError({\n reason: \"Body hash mismatch\",\n expected: expectedBodyHash,\n actual: payload.bodyHash,\n });\n }\n }\n\n const now = params.now ?? Math.floor(Date.now() / 1000);\n\n if (payload.exp < now - CLOCK_SKEW_SECONDS) {\n throw new ExpiredTokenError({ reason: \"Token expired\" });\n }\n\n if (payload.iat > now + CLOCK_SKEW_SECONDS) {\n throw new ExpiredTokenError({ reason: \"Token issued in the future\" });\n }\n\n return { signer, payload };\n}\n"],"mappings":"AAeA,SAAS,6BAA6B;AACtC,SAAS,kBAAkB;AAC3B;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,uBAAuB;AAiBhC,MAAM,qBAAqB;AAC3B,MAAM,qBAAqB;AAG3B,SAAS,gBAAgB,OAAuB;AAC9C,MAAI,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACvD,QAAM,aAAa,IAAK,OAAO,SAAS,KAAM;AAC9C,YAAU,IAAI,OAAO,SAAS;AAC9B,SAAO,IAAI,YAAY,EAAE,OAAO,WAAW,MAAM,CAAC;AACpD;AAEA,SAAS,eAAe,OAAiC;AACvD,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK;AAC3D;AAEA,SAAS,aAAa,OAAmC;AACvD,MAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAAG;AACvE,UAAM,IAAI,sBAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,QAAM,UAAU;AAChB,MACE,OAAO,QAAQ,KAAK,MAAM,YAC1B,OAAO,QAAQ,QAAQ,MAAM,YAC7B,OAAO,QAAQ,KAAK,MAAM,YAC1B,OAAO,QAAQ,UAAU,MAAM,YAC/B,CAAC,eAAe,QAAQ,KAAK,CAAC,KAC9B,CAAC,eAAe,QAAQ,KAAK,CAAC,GAC9B;AACA,UAAM,IAAI,sBAAsB,EAAE,QAAQ,yBAAyB,CAAC;AAAA,EACtE;AAEA,MACE,QAAQ,SAAS,MAAM,UACvB,OAAO,QAAQ,SAAS,MAAM,UAC9B;AACA,UAAM,IAAI,sBAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,SAAO;AAAA,IACL,KAAK,QAAQ,KAAK;AAAA,IAClB,QAAQ,QAAQ,QAAQ;AAAA,IACxB,KAAK,QAAQ,KAAK;AAAA,IAClB,UAAU,QAAQ,UAAU;AAAA,IAC5B,KAAK,QAAQ,KAAK;AAAA,IAClB,KAAK,QAAQ,KAAK;AAAA,IAClB,SAAS,QAAQ,SAAS;AAAA,EAC5B;AACF;AAQO,SAAS,sBAAsB,aAIpC;AACA,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,iBAAiB;AAAA,EAC7B;AAEA,MAAI,CAAC,YAAY,WAAW,kBAAkB,GAAG;AAC/C,UAAM,IAAI,sBAAsB,EAAE,QAAQ,4BAA4B,CAAC;AAAA,EACzE;AAEA,QAAM,QAAQ,YAAY,MAAM,mBAAmB,MAAM;AACzD,QAAM,WAAW,MAAM,QAAQ,GAAG;AAClC,MAAI,aAAa,MAAM,aAAa,KAAK,aAAa,MAAM,SAAS,GAAG;AACtE,UAAM,IAAI,sBAAsB,EAAE,QAAQ,wBAAwB,CAAC;AAAA,EACrE;AAEA,QAAM,gBAAgB,MAAM,MAAM,GAAG,QAAQ;AAC7C,QAAM,eAAe,MAAM,MAAM,WAAW,CAAC;AAE7C,MAAI,CAAC,aAAa,WAAW,IAAI,GAAG;AAClC,UAAM,IAAI,sBAAsB,EAAE,QAAQ,2BAA2B,CAAC;AAAA,EACxE;AAEA,MAAI;AACJ,MAAI;AACF,UAAM,UAAU,gBAAgB,aAAa;AAC7C,cAAU,aAAa,KAAK,MAAM,OAAO,CAAC;AAAA,EAC5C,SAAS,KAAK;AACZ,QAAI,eAAe,sBAAuB,OAAM;AAChD,UAAM,IAAI,sBAAsB,EAAE,QAAQ,2BAA2B,CAAC;AAAA,EACxE;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AACF;AAeA,eAAsB,iBAAiB,QAOb;AACxB,QAAM,EAAE,eAAe,SAAS,UAAU,IAAI;AAAA,IAC5C,OAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI;AACF,aAAS,MAAM,sBAAsB;AAAA,MACnC,SAAS;AAAA,MACT;AAAA,IACF,CAAC;AAAA,EACH,QAAQ;AACN,UAAM,IAAI,sBAAsB,EAAE,QAAQ,4BAA4B,CAAC;AAAA,EACzE;AAEA,MAAI,QAAQ,QAAQ,OAAO,gBAAgB;AACzC,UAAM,IAAI,sBAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,WAAW,OAAO,gBAAgB;AAC5C,UAAM,IAAI,sBAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,QAAQ,QAAQ,OAAO,cAAc;AACvC,UAAM,IAAI,sBAAsB;AAAA,MAC9B,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,QAAQ,QAAQ;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,cAAc,QAAW;AAClC,UAAM,mBAAmB,gBAAgB,OAAO,SAAS;AACzD,QAAI,QAAQ,aAAa,kBAAkB;AACzC,YAAM,IAAI,sBAAsB;AAAA,QAC9B,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,MAAM,OAAO,OAAO,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAEtD,MAAI,QAAQ,MAAM,MAAM,oBAAoB;AAC1C,UAAM,IAAI,kBAAkB,EAAE,QAAQ,gBAAgB,CAAC;AAAA,EACzD;AAEA,MAAI,QAAQ,MAAM,MAAM,oBAAoB;AAC1C,UAAM,IAAI,kBAAkB,EAAE,QAAQ,6BAA6B,CAAC;AAAA,EACtE;AAEA,SAAO,EAAE,QAAQ,QAAQ;AAC3B;","names":[]}
|
package/dist/index.browser.d.ts
CHANGED
|
@@ -35,6 +35,11 @@ export { parseWeb3SignedHeader, verifyWeb3Signed, type Web3SignedPayload, type V
|
|
|
35
35
|
export { buildWeb3SignedHeader, computeBodyHash, type Web3SignedSignFn, } from "./auth/web3-signed-builder";
|
|
36
36
|
export { MissingAuthError, InvalidSignatureError, ExpiredTokenError, } from "./auth/errors";
|
|
37
37
|
export { fileRegistrationDomain, grantRegistrationDomain, grantRevocationDomain, serverRegistrationDomain, builderRegistrationDomain, FILE_REGISTRATION_TYPES, GRANT_REGISTRATION_TYPES, GRANT_REVOCATION_TYPES, SERVER_REGISTRATION_TYPES, BUILDER_REGISTRATION_TYPES, type DataPortabilityContracts, type DataPortabilityGatewayConfig, type FileRegistrationMessage, type GrantRegistrationMessage, type GrantRevocationMessage, type ServerRegistrationMessage, type BuilderRegistrationMessage, } from "./protocol/eip712";
|
|
38
|
+
export { PERSONAL_SERVER_REGISTRATION_DEFAULT_CHAIN_ID, PERSONAL_SERVER_REGISTRATION_DEFAULT_VERIFYING_CONTRACT, personalServerRegistrationDomain, createViemPersonalServerRegistrationSigner, buildPersonalServerRegistrationTypedData, buildPersonalServerRegistrationSignature, registerPersonalServerSignature, type PersonalServerRegistrationTypedData, type PersonalServerRegistrationSigner, type PersonalServerRegistrationDomainInput, type ViemPersonalServerRegistrationWalletClient, type ViemPersonalServerRegistrationSignerSource, type BuildPersonalServerRegistrationTypedDataInput, type BuildPersonalServerRegistrationSignatureInput, type PersonalServerRegistrationSignature, } from "./protocol/personal-server-registration";
|
|
39
|
+
export { PERSONAL_SERVER_LITE_OWNER_BINDING_VERSION, PERSONAL_SERVER_LITE_OWNER_BINDING_PURPOSE, PERSONAL_SERVER_LITE_OWNER_BINDING_PREFIX, buildPersonalServerLiteOwnerBindingMessage, createViemPersonalServerLiteOwnerBindingSigner, buildPersonalServerLiteOwnerBindingSignature, signPersonalServerLiteOwnerBinding, type PersonalServerLiteOwnerBindingPurpose, type PersonalServerLiteOwnerBindingMessage, type PersonalServerLiteOwnerBindingSigner, type ViemPersonalServerLiteOwnerBindingWalletClient, type ViemPersonalServerLiteOwnerBindingSignerSource, type BuildPersonalServerLiteOwnerBindingSignatureInput, type PersonalServerLiteOwnerBindingSignature, } from "./protocol/personal-server-lite-owner-binding";
|
|
40
|
+
export { ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT, AccountPersonalServerRegistrationError, signPersonalServerRegistrationWithAccount, type AccountPersonalServerRegistrationIntent, type AccountPersonalServerRegistrationSignature, type AccountPersonalServerRegistrationStatus, type AccountPersonalServerRegistrationRequest, type AccountPersonalServerRegistrationConfig, type AccountSignedPersonalServerRegistration, type AccountConfirmationRequiredPersonalServerRegistration, type AccountFallbackSignedPersonalServerRegistration, type AccountPersonalServerRegistrationResult, } from "./account/personal-server-registration";
|
|
41
|
+
export { AccountPersonalServerLiteOwnerBindingError, signPersonalServerLiteOwnerBindingWithAccountClient, type AccountPersonalServerLiteOwnerBindingClient, type SignPersonalServerLiteOwnerBindingWithAccountClientConfig, } from "./account/personal-server-lite-owner-binding";
|
|
42
|
+
export { isDataPortabilityGatewayConfig, parseGrantRegistrationPayload, verifyGrantRegistration, type DataPortabilityGrantPayload, type VerifyGrantRegistrationInput, type VerifyGrantRegistrationResult, } from "./protocol/grants";
|
|
38
43
|
export { ScopeSchema, parseScope, scopeToPathSegments, scopeMatchesPattern, scopeCoveredByGrant, type Scope, type ParsedScope, } from "./protocol/scopes";
|
|
39
44
|
export { DataFileEnvelopeSchema, createDataFileEnvelope, IngestResponseSchema, type DataFileEnvelope, type IngestResponse, } from "./protocol/data-file";
|
|
40
45
|
export { createGatewayClient, type GatewayEnvelope, type GatewayProof, type Builder, type Schema, type ServerInfo, type GatewayGrantResponse, type GrantListItem, type FileRecord, type FileListResult, type RegisterServerParams, type RegisterServerResult, type RegisterFileParams, type CreateGrantParams, type RevokeGrantParams, type GatewayClient, } from "./protocol/gateway";
|