@originals/auth 1.8.1 → 1.8.3

package/src/client/turnkey-did-signer.ts

@@ -1,203 +0,0 @@
-/**
- * Turnkey DID Signer Adapter
- * Adapts Turnkey signing to work with didwebvh-ts signer interface
- * Uses @turnkey/sdk-server for all Turnkey operations (no viem/ethers dependency)
- */
-
-import { Turnkey } from '@turnkey/sdk-server';
-import { OriginalsSDK, encoding } from '@originals/sdk';
-import type { TurnkeyWalletAccount } from '../types';
-import { TurnkeySessionExpiredError, withTokenExpiration } from './turnkey-client';
-
-interface SigningInput {
-  document: Record<string, unknown>;
-  proof: Record<string, unknown>;
-}
-
-interface SigningOutput {
-  proofValue: string;
-}
-
-/**
- * Signer that uses Turnkey for signing DID documents
- * Compatible with didwebvh-ts signer interface
- */
-export class TurnkeyDIDSigner {
-  private turnkeyClient: Turnkey;
-  private signWith: string;
-  private subOrgId: string;
-  private publicKeyMultibase: string;
-  private onExpired?: () => void;
-
-  constructor(
-    turnkeyClient: Turnkey,
-    signWith: string,
-    subOrgId: string,
-    publicKeyMultibase: string,
-    onExpired?: () => void
-  ) {
-    this.turnkeyClient = turnkeyClient;
-    this.signWith = signWith;
-    this.subOrgId = subOrgId;
-    this.publicKeyMultibase = publicKeyMultibase;
-    this.onExpired = onExpired;
-  }
-
-  /**
-   * Sign the document and proof using Turnkey
-   */
-  async sign(input: SigningInput): Promise<SigningOutput> {
-    return withTokenExpiration(async () => {
-      try {
-        // Use SDK's prepareDIDDataForSigning
-        const dataToSign = await OriginalsSDK.prepareDIDDataForSigning(input.document, input.proof);
-
-        // Sign with Turnkey via server SDK
-        const result = await this.turnkeyClient.apiClient().signRawPayload({
-          organizationId: this.subOrgId,
-          signWith: this.signWith,
-          payload: Buffer.from(dataToSign).toString('hex'),
-          encoding: 'PAYLOAD_ENCODING_HEXADECIMAL',
-          hashFunction: 'HASH_FUNCTION_NO_OP',
-        });
-
-        const r = result.r;
-        const s = result.s;
-
-        if (!r || !s) {
-          throw new Error('Invalid signature response from Turnkey');
-        }
-
-        // For Ed25519, combine r+s only (64 bytes total)
-        const cleanR = r.startsWith('0x') ? r.slice(2) : r;
-        const cleanS = s.startsWith('0x') ? s.slice(2) : s;
-        const combinedHex = cleanR + cleanS;
-
-        const signatureBytes = Buffer.from(combinedHex, 'hex');
-
-        if (signatureBytes.length !== 64) {
-          throw new Error(
-            `Invalid Ed25519 signature length: ${signatureBytes.length} (expected 64 bytes)`
-          );
-        }
-
-        const proofValue = encoding.multibase.encode(signatureBytes, 'base58btc');
-
-        return { proofValue };
-      } catch (error) {
-        console.error('[TurnkeyDIDSigner] Error signing with Turnkey:', error);
-
-        const errorStr = JSON.stringify(error);
-        if (
-          errorStr.toLowerCase().includes('api_key_expired') ||
-          errorStr.toLowerCase().includes('expired api key') ||
-          errorStr.toLowerCase().includes('"code":16')
-        ) {
-          console.warn('Detected expired API key in sign method, calling onExpired');
-          if (this.onExpired) {
-            this.onExpired();
-          }
-          throw new TurnkeySessionExpiredError();
-        }
-
-        throw error;
-      }
-    }, this.onExpired);
-  }
-
-  /**
-   * Get the verification method ID for this signer
-   */
-  getVerificationMethodId(): string {
-    return `did:key:${this.publicKeyMultibase}`;
-  }
-
-  /**
-   * Verify a signature
-   */
-  async verify(
-    signature: Uint8Array,
-    message: Uint8Array,
-    publicKey: Uint8Array
-  ): Promise<boolean> {
-    try {
-      return await OriginalsSDK.verifyDIDSignature(signature, message, publicKey);
-    } catch (error) {
-      console.error('[TurnkeyDIDSigner] Error verifying signature:', error);
-      return false;
-    }
-  }
-}
-
-/**
- * Create a DID:WebVH using OriginalsSDK.createDIDOriginal() with Turnkey signing
- */
-export async function createDIDWithTurnkey(params: {
-  turnkeyClient: Turnkey;
-  updateKeyAccount: TurnkeyWalletAccount;
-  subOrgId: string;
-  authKeyPublic: string;
-  assertionKeyPublic: string;
-  updateKeyPublic: string;
-  domain: string;
-  slug: string;
-  onExpired?: () => void;
-}): Promise<{
-  did: string;
-  didDocument: unknown;
-  didLog: unknown;
-}> {
-  const {
-    turnkeyClient,
-    updateKeyAccount,
-    subOrgId,
-    authKeyPublic,
-    assertionKeyPublic,
-    updateKeyPublic,
-    domain,
-    slug,
-    onExpired,
-  } = params;
-
-  // Create Turnkey signer for the update key
-  const signer = new TurnkeyDIDSigner(
-    turnkeyClient,
-    updateKeyAccount.address,
-    subOrgId,
-    updateKeyPublic,
-    onExpired
-  );
-
-  // Use SDK's createDIDOriginal
-  const result = await OriginalsSDK.createDIDOriginal({
-    type: 'did',
-    domain,
-    signer,
-    verifier: signer,
-    updateKeys: [signer.getVerificationMethodId()],
-    verificationMethods: [
-      {
-        id: '#key-0',
-        type: 'Multikey',
-        controller: '',
-        publicKeyMultibase: authKeyPublic,
-      },
-      {
-        id: '#key-1',
-        type: 'Multikey',
-        controller: '',
-        publicKeyMultibase: assertionKeyPublic,
-      },
-    ],
-    paths: [slug],
-    portable: false,
-    authentication: ['#key-0'],
-    assertionMethod: ['#key-1'],
-  });
-
-  return {
-    did: result.did,
-    didDocument: result.doc,
-    didLog: result.log,
-  };
-}

package/src/index.ts

@@ -1,32 +0,0 @@
-/**
- * @originals/auth - Turnkey-based authentication for the Originals Protocol
- *
- * This package provides authentication utilities for both server and client applications.
- *
- * Server-side:
- * ```typescript
- * import { createAuthMiddleware, initiateEmailAuth, verifyEmailAuth } from '@originals/auth/server';
- * ```
- *
- * Client-side (pure functions, no React):
- * ```typescript
- * import { initializeTurnkeyClient, initOtp, completeOtp, fetchWallets } from '@originals/auth/client';
- * ```
- *
- * Types:
- * ```typescript
- * import type { AuthUser, TokenPayload, TurnkeyWallet } from '@originals/auth/types';
- * ```
- */
-
-// Re-export types
-export * from './types';
-
-// Re-export server utilities (for convenience, though subpath is preferred)
-export * from './server';
-
-// Note: Client utilities should be imported from '@originals/auth/client'
-// to avoid bundling React in server environments
-
-
-

package/src/server/email-auth.ts

@@ -1,258 +0,0 @@
-/**
- * Turnkey Email Authentication Service
- * Implements email-based authentication using Turnkey's OTP flow
- */
-
-import { Turnkey } from '@turnkey/sdk-server';
-import { sha256 } from '@noble/hashes/sha2.js';
-import { bytesToHex } from '@noble/hashes/utils.js';
-import type { EmailAuthSession, InitiateAuthResult, VerifyAuthResult } from '../types';
-import { getOrCreateTurnkeySubOrg } from './turnkey-client';
-
-// Session timeout (15 minutes to match Turnkey OTP)
-const SESSION_TIMEOUT = 15 * 60 * 1000;
-
-/**
- * Session storage interface for pluggable session management
- */
-export interface SessionStorage {
-  get(sessionId: string): EmailAuthSession | undefined;
-  set(sessionId: string, session: EmailAuthSession): void;
-  delete(sessionId: string): void;
-  cleanup(): void;
-}
-
-/**
- * Create an in-memory session storage
- * For production, consider using Redis or a database
- */
-export function createInMemorySessionStorage(): SessionStorage {
-  const sessions = new Map<string, EmailAuthSession>();
-
-  // Start cleanup interval
-  const cleanupInterval = setInterval(() => {
-    const now = Date.now();
-    for (const [sessionId, session] of sessions.entries()) {
-      if (now - session.timestamp > SESSION_TIMEOUT) {
-        sessions.delete(sessionId);
-      }
-    }
-  }, 60 * 1000);
-
-  // Keep the interval from preventing process exit
-  if (cleanupInterval.unref) {
-    cleanupInterval.unref();
-  }
-
-  return {
-    get: (sessionId: string) => sessions.get(sessionId),
-    set: (sessionId: string, session: EmailAuthSession) => sessions.set(sessionId, session),
-    delete: (sessionId: string) => sessions.delete(sessionId),
-    cleanup: () => {
-      clearInterval(cleanupInterval);
-      sessions.clear();
-    },
-  };
-}
-
-// Default session storage
-let defaultSessionStorage: SessionStorage | null = null;
-
-function getDefaultSessionStorage(): SessionStorage {
-  if (!defaultSessionStorage) {
-    defaultSessionStorage = createInMemorySessionStorage();
-  }
-  return defaultSessionStorage;
-}
-
-/**
- * Generate a random session ID
- */
-function generateSessionId(): string {
-  return `session_${Date.now()}_${Math.random().toString(36).substring(2, 15)}`;
-}
-
-/**
- * Initiate email authentication using Turnkey OTP
- * Sends a 6-digit OTP code to the user's email
- */
-export async function initiateEmailAuth(
-  email: string,
-  turnkeyClient: Turnkey,
-  sessionStorage?: SessionStorage
-): Promise<InitiateAuthResult> {
-  const storage = sessionStorage ?? getDefaultSessionStorage();
-
-  // Validate email format
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  if (!emailRegex.test(email)) {
-    throw new Error('Invalid email format');
-  }
-
-  console.log(`\n🚀 Initiating email auth for: ${email}`);
-
-  // Step 1: Get or create Turnkey sub-organization
-  const subOrgId = await getOrCreateTurnkeySubOrg(email, turnkeyClient);
-
-  // Step 2: Send OTP via Turnkey
-  console.log(`📨 Sending OTP to ${email} via Turnkey...`);
-
-  // Generate a unique user identifier for rate limiting
-  const data = new TextEncoder().encode(email);
-  const hash = sha256(data);
-  const userIdentifier = bytesToHex(hash);
-
-  const otpResult = await turnkeyClient.apiClient().initOtp({
-    otpType: 'OTP_TYPE_EMAIL',
-    contact: email,
-    userIdentifier: userIdentifier,
-    appName: 'Originals',
-    otpLength: 6,
-    alphanumeric: false,
-  });
-
-  const otpId = otpResult.otpId;
-
-  if (!otpId) {
-    throw new Error('Failed to initiate OTP - no OTP ID returned');
-  }
-
-  console.log(`✅ OTP sent! OTP ID: ${otpId}`);
-
-  // Create auth session
-  const sessionId = generateSessionId();
-  storage.set(sessionId, {
-    email,
-    subOrgId,
-    otpId,
-    timestamp: Date.now(),
-    verified: false,
-  });
-
-  console.log('='.repeat(60));
-  console.log(`📧 Check ${email} for the verification code!`);
-  console.log(`   Session ID: ${sessionId}`);
-  console.log(`   Valid for: 15 minutes`);
-  console.log('='.repeat(60) + '\n');
-
-  return {
-    sessionId,
-    message: 'Verification code sent to your email. Check your inbox!',
-  };
-}
-
-/**
- * Verify email authentication code using Turnkey OTP
- */
-export async function verifyEmailAuth(
-  sessionId: string,
-  code: string,
-  turnkeyClient: Turnkey,
-  sessionStorage?: SessionStorage
-): Promise<VerifyAuthResult> {
-  const storage = sessionStorage ?? getDefaultSessionStorage();
-  const session = storage.get(sessionId);
-
-  if (!session) {
-    throw new Error('Invalid or expired session');
-  }
-
-  // Check if session has expired
-  if (Date.now() - session.timestamp > SESSION_TIMEOUT) {
-    storage.delete(sessionId);
-    throw new Error('Session expired. Please request a new code.');
-  }
-
-  if (!session.otpId) {
-    throw new Error('OTP ID not found in session');
-  }
-
-  if (!session.subOrgId) {
-    throw new Error('Sub-organization ID not found');
-  }
-
-  console.log(`\n🔐 Verifying OTP for session ${sessionId}...`);
-
-  try {
-    // Verify the OTP code with Turnkey
-    const verifyResult = await turnkeyClient.apiClient().verifyOtp({
-      otpId: session.otpId,
-      otpCode: code,
-      expirationSeconds: '900', // 15 minutes
-    });
-
-    if (!verifyResult.verificationToken) {
-      throw new Error('OTP verification failed - no verification token returned');
-    }
-
-    console.log(`✅ OTP verified successfully!`);
-
-    // Mark session as verified
-    session.verified = true;
-    storage.set(sessionId, session);
-
-    return {
-      verified: true,
-      email: session.email,
-      subOrgId: session.subOrgId,
-    };
-  } catch (error) {
-    console.error('❌ OTP verification failed:', error);
-    throw new Error(
-      `Invalid verification code: ${error instanceof Error ? error.message : String(error)}`
-    );
-  }
-}
-
-/**
- * Check if a session is verified
- */
-export function isSessionVerified(
-  sessionId: string,
-  sessionStorage?: SessionStorage
-): boolean {
-  const storage = sessionStorage ?? getDefaultSessionStorage();
-  const session = storage.get(sessionId);
-
-  if (!session) return false;
-
-  if (Date.now() - session.timestamp > SESSION_TIMEOUT) {
-    storage.delete(sessionId);
-    return false;
-  }
-
-  return session.verified;
-}
-
-/**
- * Clean up a session after successful login
- */
-export function cleanupSession(
-  sessionId: string,
-  sessionStorage?: SessionStorage
-): void {
-  const storage = sessionStorage ?? getDefaultSessionStorage();
-  storage.delete(sessionId);
-}
-
-/**
- * Get session data
- */
-export function getSession(
-  sessionId: string,
-  sessionStorage?: SessionStorage
-): EmailAuthSession | undefined {
-  const storage = sessionStorage ?? getDefaultSessionStorage();
-  const session = storage.get(sessionId);
-
-  if (!session) return undefined;
-
-  // Check if expired
-  if (Date.now() - session.timestamp > SESSION_TIMEOUT) {
-    storage.delete(sessionId);
-    return undefined;
-  }
-
-  return session;
-}
-

package/src/server/index.ts

@@ -1,42 +0,0 @@
-/**
- * Server-side authentication utilities
- *
- * @example
- * ```typescript
- * import {
- *   createAuthMiddleware,
- *   initiateEmailAuth,
- *   verifyEmailAuth,
- *   signToken,
- *   verifyToken,
- *   createTurnkeyClient,
- *   TurnkeyWebVHSigner
- * } from '@originals/auth/server';
- * ```
- */
-
-export { createTurnkeyClient, getOrCreateTurnkeySubOrg } from './turnkey-client';
-export {
-  initiateEmailAuth,
-  verifyEmailAuth,
-  isSessionVerified,
-  cleanupSession,
-  getSession,
-  type SessionStorage,
-  createInMemorySessionStorage,
-} from './email-auth';
-export {
-  signToken,
-  verifyToken,
-  getAuthCookieConfig,
-  getClearAuthCookieConfig,
-} from './jwt';
-export { createAuthMiddleware } from './middleware';
-export { TurnkeyWebVHSigner, createTurnkeySigner } from './turnkey-signer';
-
-
-
-
-
-
-

package/src/server/jwt.ts

@@ -1,154 +0,0 @@
-/**
- * JWT Authentication Module
- * Implements secure token issuance and validation with HTTP-only cookies
- */
-
-import jwt from 'jsonwebtoken';
-import type { TokenPayload, AuthCookieConfig } from '../types';
-
-// 7 days in seconds
-const DEFAULT_JWT_EXPIRES_IN = 7 * 24 * 60 * 60;
-
-/**
- * Get JWT secret from config or environment
- */
-function getJwtSecret(configSecret?: string): string {
-  const secret = configSecret ?? process.env.JWT_SECRET;
-  if (!secret) {
-    throw new Error('JWT_SECRET environment variable is required');
-  }
-  return secret;
-}
-
-/**
- * Sign a JWT token for a user
- * @param subOrgId - Turnkey sub-organization ID (stable identifier)
- * @param email - User email (metadata)
- * @param sessionToken - Optional Turnkey session token for user authentication
- * @param options - Additional options
- * @returns Signed JWT token string
- */
-export function signToken(
-  subOrgId: string,
-  email: string,
-  sessionToken?: string,
-  options?: {
-    secret?: string;
-    expiresIn?: number;
-    issuer?: string;
-    audience?: string;
-  }
-): string {
-  if (!subOrgId) {
-    throw new Error('Sub-organization ID is required for token signing');
-  }
-
-  const secret = getJwtSecret(options?.secret);
-
-  const payload: Record<string, unknown> = {
-    sub: subOrgId,
-    email,
-  };
-
-  if (sessionToken) {
-    payload.sessionToken = sessionToken;
-  }
-
-  const signOptions: jwt.SignOptions = {
-    expiresIn: options?.expiresIn ?? DEFAULT_JWT_EXPIRES_IN,
-    issuer: options?.issuer ?? 'originals-auth',
-    audience: options?.audience ?? 'originals-api',
-  };
-
-  return jwt.sign(payload, secret, signOptions);
-}
-
-/**
- * Verify and decode a JWT token
- * @param token - JWT token string
- * @param options - Additional options
- * @returns Decoded token payload
- * @throws Error if token is invalid or expired
- */
-export function verifyToken(
-  token: string,
-  options?: {
-    secret?: string;
-    issuer?: string;
-    audience?: string;
-  }
-): TokenPayload {
-  const secret = getJwtSecret(options?.secret);
-
-  try {
-    const payload = jwt.verify(token, secret, {
-      issuer: options?.issuer ?? 'originals-auth',
-      audience: options?.audience ?? 'originals-api',
-    }) as TokenPayload;
-
-    if (!payload.sub) {
-      throw new Error('Token missing sub-organization ID');
-    }
-
-    return payload;
-  } catch (error) {
-    if (error instanceof jwt.TokenExpiredError) {
-      throw new Error('Token has expired');
-    }
-    if (error instanceof jwt.JsonWebTokenError) {
-      throw new Error('Invalid token');
-    }
-    throw error;
-  }
-}
-
-/**
- * Generate a secure cookie configuration for authentication tokens
- * @param token - JWT token to set in cookie
- * @param options - Cookie options
- * @returns Cookie configuration object
- */
-export function getAuthCookieConfig(
-  token: string,
-  options?: {
-    cookieName?: string;
-    maxAge?: number;
-    secure?: boolean;
-  }
-): AuthCookieConfig {
-  const isProduction = process.env.NODE_ENV === 'production';
-
-  return {
-    name: options?.cookieName ?? 'auth_token',
-    value: token,
-    options: {
-      httpOnly: true, // Cannot be accessed by JavaScript (XSS protection)
-      secure: options?.secure ?? isProduction, // HTTPS only in production
-      sameSite: 'strict', // CSRF protection
-      maxAge: options?.maxAge ?? 7 * 24 * 60 * 60 * 1000, // 7 days in milliseconds
-      path: '/', // Available for all routes
-    },
-  };
-}
-
-/**
- * Get cookie configuration for logout (clears the auth cookie)
- * @param cookieName - Name of the cookie to clear
- * @returns Cookie configuration for clearing
- */
-export function getClearAuthCookieConfig(cookieName?: string): AuthCookieConfig {
-  const isProduction = process.env.NODE_ENV === 'production';
-
-  return {
-    name: cookieName ?? 'auth_token',
-    value: '',
-    options: {
-      httpOnly: true,
-      secure: isProduction,
-      sameSite: 'strict',
-      maxAge: 0, // Expire immediately
-      path: '/',
-    },
-  };
-}
-