@portal-hq/web 3.6.2-alpha → 3.7.0

package/lib/esm/passkeys/index.js

@@ -0,0 +1,390 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+export class PasskeyService {
+    constructor({ defaultDomain, getJwt, fetchImpl }) {
+        this.defaultDomain = defaultDomain;
+        this.getJwt = getJwt;
+        this.fetchImpl = fetchImpl !== null && fetchImpl !== void 0 ? fetchImpl : fetch.bind(globalThis);
+    }
+    /**
+     * Generate MPC backup share and register a passkey in the top-level window
+     * while storing the provided encryption key with the relying party.
+     */
+    registerPasskeyAndStoreKey(params) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { customDomain, encryptionKey } = params;
+            const { origin, relyingPartyOrigins, relyingPartyId, relyingPartyName } = this.resolveParams(params);
+            const status = yield this.getStatus(origin, relyingPartyId);
+            const normalizedStatus = status === null || status === void 0 ? void 0 : status.toLowerCase();
+            const shouldRegister = !normalizedStatus ||
+                normalizedStatus === 'not registered' ||
+                normalizedStatus === 'registered';
+            if (!shouldRegister) {
+                yield this.loginAndStoreKey({
+                    customDomain,
+                    relyingPartyId,
+                    relyingPartyOrigins,
+                    encryptionKey,
+                });
+                return;
+            }
+            const begin = yield this.postJson(`${origin}/passkeys/begin-registration`, {
+                relyingParty: relyingPartyId,
+                relyingPartyName,
+                relyingPartyOrigins,
+            });
+            const credential = yield this.createCredential(begin.options.publicKey);
+            const attestation = serializeAttestationCredential(credential);
+            yield this.postJsonVoid(`${origin}/passkeys/finish-registration`, {
+                sessionId: begin.sessionId,
+                relyingParty: relyingPartyId,
+                relyingPartyOrigins,
+                attestation,
+                encryptionKey,
+            });
+        });
+    }
+    /**
+     * Authenticate with passkey in the current browsing context and return the encryption key.
+     */
+    authenticatePasskeyAndRetrieveKey(params) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { origin, relyingPartyOrigins, relyingPartyId, relyingPartyName } = this.resolveParams(params);
+            const begin = yield this.postJson(`${origin}/passkeys/begin-authentication`, {
+                relyingParty: relyingPartyId,
+                relyingPartyName,
+                relyingPartyOrigins,
+            });
+            const credential = yield this.getCredential(begin.options.publicKey);
+            const assertion = serializeAssertionCredential(credential);
+            const finish = yield this.postJson(`${origin}/passkeys/finish-authentication`, {
+                sessionId: begin.sessionId,
+                relyingParty: relyingPartyId,
+                relyingPartyOrigins,
+                assertion,
+            });
+            if (!(finish === null || finish === void 0 ? void 0 : finish.encryptionKey)) {
+                throw new Error('Passkey authentication succeeded but no encryption key was returned.');
+            }
+            return finish.encryptionKey;
+        });
+    }
+    /**
+     * Register a passkey without tying it to an encryption key.
+     * The encryption key can be stored later using authenticatePasskeyAndWriteKey.
+     */
+    registerPasskey(params) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { origin, relyingPartyOrigins, relyingPartyId, relyingPartyName } = this.resolveParams(params);
+            const status = yield this.getStatus(origin, relyingPartyId);
+            const normalizedStatus = status === null || status === void 0 ? void 0 : status.toLowerCase();
+            if (normalizedStatus && normalizedStatus !== 'not registered' && normalizedStatus !== 'registered') {
+                throw new Error(`Passkey already exists with status: ${status}. Cannot register new credential.`);
+            }
+            const begin = yield this.postJson(`${origin}/passkeys/begin-credential-registration`, {
+                relyingParty: relyingPartyId,
+                relyingPartyName,
+                relyingPartyOrigins,
+            });
+            const credential = yield this.createCredential(begin.options.publicKey);
+            const attestation = serializeAttestationCredential(credential);
+            yield this.postJsonVoid(`${origin}/passkeys/finish-credential-registration`, {
+                sessionId: begin.sessionId,
+                relyingParty: relyingPartyId,
+                relyingPartyOrigins,
+                attestation,
+            });
+        });
+    }
+    /**
+     * Authenticate with passkey and store an encryption key.
+     * Used after registerPasskey to associate an encryption key with the passkey.
+     */
+    authenticatePasskeyAndWriteKey(params) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { encryptionKey } = params;
+            const { origin, relyingPartyOrigins, relyingPartyId, relyingPartyName } = this.resolveParams(params);
+            const begin = yield this.postJson(`${origin}/passkeys/begin-login`, {
+                relyingParty: relyingPartyId,
+                relyingPartyName,
+                relyingPartyOrigins,
+            });
+            const credential = yield this.getCredential(begin.options.publicKey);
+            const assertion = serializeAssertionCredential(credential);
+            yield this.postJsonVoid(`${origin}/passkeys/finish-login/write`, {
+                sessionId: begin.sessionId,
+                relyingParty: relyingPartyId,
+                relyingPartyOrigins,
+                assertion,
+                encryptionKey,
+            });
+        });
+    }
+    /**
+     * Utility used by combined backup flow to produce reusable payloads.
+     */
+    generateBackupSharePayload(cipherText, encryptionKey) {
+        return {
+            cipherText,
+            encryptionKey,
+        };
+    }
+    createCredential(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const publicKey = decodeCreationOptions(options);
+            const credential = (yield navigator.credentials.create({
+                publicKey,
+            }));
+            if (!credential) {
+                throw new Error('Passkey registration was cancelled or failed to create credential.');
+            }
+            return credential;
+        });
+    }
+    loginAndStoreKey(params) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { customDomain, relyingPartyId, relyingPartyOrigins, encryptionKey } = params;
+            const origin = this.normalizeDomain(customDomain);
+            const begin = yield this.postJson(`${origin}/passkeys/begin-login`, {
+                relyingParty: relyingPartyId,
+                relyingPartyOrigins,
+            });
+            const credential = yield this.getCredential(begin.options.publicKey);
+            const assertion = serializeAssertionCredential(credential);
+            yield this.postJsonVoid(`${origin}/passkeys/finish-login/write`, {
+                sessionId: begin.sessionId,
+                relyingParty: relyingPartyId,
+                relyingPartyOrigins,
+                assertion,
+                encryptionKey,
+            });
+        });
+    }
+    getStatus(origin, relyingPartyId) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                const query = new URLSearchParams({ relyingParty: relyingPartyId });
+                const url = `${origin}/passkeys/status?${query.toString()}`;
+                const response = yield this.fetchImpl(url, {
+                    method: 'GET',
+                    headers: yield this.buildHeaders(),
+                });
+                if (!response.ok) {
+                    return undefined;
+                }
+                const raw = yield response.text();
+                if (!raw) {
+                    return undefined;
+                }
+                const data = JSON.parse(raw);
+                return data.status;
+            }
+            catch (error) {
+                console.warn('[Portal] Failed to fetch passkey status', error);
+                return undefined;
+            }
+        });
+    }
+    getCredential(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const publicKey = decodeRequestOptions(options);
+            const credential = (yield navigator.credentials.get({
+                publicKey,
+            }));
+            if (!credential) {
+                throw new Error('Passkey authentication was cancelled or failed to resolve credential.');
+            }
+            return credential;
+        });
+    }
+    normalizeDomain(customDomain) {
+        const domain = customDomain !== null && customDomain !== void 0 ? customDomain : this.defaultDomain;
+        if (!domain) {
+            throw new Error('Passkey domain is not configured.');
+        }
+        if (domain.startsWith('http://') || domain.startsWith('https://')) {
+            return domain;
+        }
+        return `https://${domain}`;
+    }
+    buildRelyingPartyOrigins(origin) {
+        var _a;
+        const set = new Set([origin]);
+        if (typeof window !== 'undefined' && ((_a = window.location) === null || _a === void 0 ? void 0 : _a.origin)) {
+            set.add(window.location.origin);
+        }
+        return Array.from(set);
+    }
+    resolveParams(options) {
+        const origin = this.normalizeDomain(options.customDomain);
+        const relyingPartyOrigins = this.buildRelyingPartyOrigins(origin);
+        return {
+            origin,
+            relyingPartyOrigins,
+            relyingPartyId: options.relyingPartyId,
+            relyingPartyName: options.relyingPartyName,
+        };
+    }
+    postJson(url, body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const response = yield this.fetchImpl(url, {
+                method: 'POST',
+                headers: yield this.buildHeaders(),
+                body: JSON.stringify(body),
+            });
+            if (!response.ok) {
+                const text = yield safeReadText(response);
+                throw new Error(`Passkey request failed (${response.status} ${response.statusText}): ${text}`);
+            }
+            return response.json();
+        });
+    }
+    postJsonVoid(url, body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const response = yield this.fetchImpl(url, {
+                method: 'POST',
+                headers: yield this.buildHeaders(),
+                body: JSON.stringify(body),
+            });
+            if (!response.ok) {
+                const text = yield safeReadText(response);
+                throw new Error(`Passkey request failed (${response.status} ${response.statusText}): ${text}`);
+            }
+        });
+    }
+    buildHeaders() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const jwt = yield this.getJwt();
+            return {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${jwt}`,
+            };
+        });
+    }
+}
+const decodeCreationOptions = (options) => {
+    const { excludeCredentials } = options, rest = __rest(options, ["excludeCredentials"]);
+    const publicKey = Object.assign(Object.assign({}, rest), { challenge: base64UrlToArrayBuffer(options.challenge), user: Object.assign(Object.assign({}, options.user), { id: base64UrlToArrayBuffer(options.user.id) }) });
+    if (excludeCredentials) {
+        publicKey.excludeCredentials = excludeCredentials.map((credential) => ({
+            type: credential.type,
+            id: base64UrlToArrayBuffer(credential.id),
+            transports: credential.transports,
+        }));
+    }
+    return publicKey;
+};
+const decodeRequestOptions = (options) => {
+    const { allowCredentials } = options, rest = __rest(options, ["allowCredentials"]);
+    const publicKey = Object.assign(Object.assign({}, rest), { challenge: base64UrlToArrayBuffer(options.challenge) });
+    if (allowCredentials) {
+        publicKey.allowCredentials = allowCredentials.map((credential) => ({
+            type: credential.type,
+            id: base64UrlToArrayBuffer(credential.id),
+            transports: credential.transports,
+        }));
+    }
+    return publicKey;
+};
+const serializeAttestationCredential = (credential) => {
+    var _a;
+    const { response } = credential;
+    const attestationResponse = response;
+    const payload = {
+        id: credential.id,
+        rawId: arrayBufferToBase64Url(credential.rawId),
+        type: credential.type,
+        response: {
+            clientDataJSON: arrayBufferToBase64Url(attestationResponse.clientDataJSON),
+            attestationObject: attestationResponse.attestationObject
+                ? arrayBufferToBase64Url(attestationResponse.attestationObject)
+                : undefined,
+            transports: (_a = attestationResponse.getTransports) === null || _a === void 0 ? void 0 : _a.call(attestationResponse),
+        },
+        clientExtensionResults: credential.getClientExtensionResults(),
+    };
+    return JSON.stringify(payload);
+};
+const serializeAssertionCredential = (credential) => {
+    const { response } = credential;
+    const assertionResponse = response;
+    const payload = {
+        id: credential.id,
+        rawId: arrayBufferToBase64Url(credential.rawId),
+        type: credential.type,
+        response: {
+            clientDataJSON: arrayBufferToBase64Url(assertionResponse.clientDataJSON),
+            authenticatorData: arrayBufferToBase64Url(assertionResponse.authenticatorData),
+            signature: arrayBufferToBase64Url(assertionResponse.signature),
+            userHandle: assertionResponse.userHandle
+                ? arrayBufferToBase64Url(assertionResponse.userHandle)
+                : null,
+        },
+        clientExtensionResults: credential.getClientExtensionResults(),
+    };
+    return JSON.stringify(payload);
+};
+const base64UrlToArrayBuffer = (value) => {
+    const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = normalized.padEnd(normalized.length + ((4 - (normalized.length % 4)) % 4), '=');
+    const binary = typeof atob === 'function'
+        ? atob(padded)
+        : decodeWithBufferFallback(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+};
+const arrayBufferToBase64Url = (buffer) => {
+    const bytes = new Uint8Array(buffer);
+    let binary = '';
+    for (let i = 0; i < bytes.byteLength; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    const base64 = typeof btoa === 'function'
+        ? btoa(binary)
+        : encodeWithBufferFallback(binary);
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+};
+const safeReadText = (response) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        return yield response.text();
+    }
+    catch (error) {
+        return error.message;
+    }
+});
+export default PasskeyService;
+const decodeWithBufferFallback = (value) => {
+    const bufferCtor = globalThis.Buffer;
+    if (bufferCtor) {
+        return bufferCtor.from(value, 'base64').toString('binary');
+    }
+    throw new Error('Base64 decoding is not supported in this environment.');
+};
+const encodeWithBufferFallback = (binary) => {
+    const bufferCtor = globalThis.Buffer;
+    if (bufferCtor) {
+        return bufferCtor.from(binary, 'binary').toString('base64');
+    }
+    throw new Error('Base64 encoding is not supported in this environment.');
+};

package/lib/esm/passkeys/types.js

@@ -0,0 +1 @@
+export {};

package/lib/esm/provider/index.js

@@ -257,7 +257,7 @@ class Provider {
      * @param args The arguments of the request being made
      * @returns Promise<any>
      */
-    request({ chainId: requestChainId, method, params, }) {
+    request({ chainId: requestChainId, method, params, sponsorGas, }) {
         return __awaiter(this, void 0, void 0, function* () {
             const isSignerMethod = signerMethods.includes(method);
             const chainId = this.getCAIP2ChainId(requestChainId);
@@ -285,6 +285,7 @@ class Provider {
                     chainId,
                     method,
                     params,
+                    sponsorGas,
                 });
                 if (transactionHash) {
                     this.emit('portal_signatureReceived', {
@@ -400,7 +401,7 @@ class Provider {
      * @param args The arguments of the request being made
      * @returns Promise<any>
      */
-    handleSigningRequest({ chainId, method, params, }) {
+    handleSigningRequest({ chainId, method, params, sponsorGas, }) {
         return __awaiter(this, void 0, void 0, function* () {
             const isApproved = passiveSignerMethods.includes(method)
                 ? true
@@ -432,6 +433,7 @@ class Provider {
                         method,
                         params: this.buildParams(method, params),
                         rpcUrl: this.portal.getRpcUrl(chainId),
+                        sponsorGas,
                     });
                     return result;
                 }
@@ -445,6 +447,7 @@ class Provider {
                         method,
                         params: this.buildParams(method, params),
                         rpcUrl: this.portal.getRpcUrl(chainId),
+                        sponsorGas,
                     });
                     return result;
                 }