@rift-finance/wallet 1.4.33 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -1
- package/dist/index.js.map +1 -1
- package/dist/services/Deposits.js +2 -2
- package/dist/services/Deposits.js.map +1 -1
- package/dist/services/assets.js +7 -7
- package/dist/services/assets.js.map +1 -1
- package/dist/services/auth.d.ts +18 -1
- package/dist/services/auth.d.ts.map +1 -1
- package/dist/services/auth.js +42 -19
- package/dist/services/auth.js.map +1 -1
- package/dist/services/bridge.js +3 -3
- package/dist/services/bridge.js.map +1 -1
- package/dist/services/defi.js +1 -1
- package/dist/services/defi.js.map +1 -1
- package/dist/services/kyc.js +7 -7
- package/dist/services/kyc.js.map +1 -1
- package/dist/services/merchant.js +3 -3
- package/dist/services/merchant.js.map +1 -1
- package/dist/services/notifications.d.ts +23 -19
- package/dist/services/notifications.d.ts.map +1 -1
- package/dist/services/notifications.js +28 -43
- package/dist/services/notifications.js.map +1 -1
- package/dist/services/offramp.js +8 -8
- package/dist/services/offramp.js.map +1 -1
- package/dist/services/oidc-helper.d.ts +101 -0
- package/dist/services/oidc-helper.d.ts.map +1 -0
- package/dist/services/oidc-helper.js +171 -0
- package/dist/services/oidc-helper.js.map +1 -0
- package/dist/services/onramp_v2.js +3 -3
- package/dist/services/onramp_v2.js.map +1 -1
- package/dist/services/passkey-helper.d.ts +82 -0
- package/dist/services/passkey-helper.d.ts.map +1 -0
- package/dist/services/passkey-helper.js +229 -0
- package/dist/services/passkey-helper.js.map +1 -0
- package/dist/services/signer.js +4 -4
- package/dist/services/signer.js.map +1 -1
- package/dist/services/transactions.js +3 -3
- package/dist/services/transactions.js.map +1 -1
- package/dist/services/user-management.js +4 -4
- package/dist/services/user-management.js.map +1 -1
- package/dist/services/vault.js +19 -19
- package/dist/services/vault.js.map +1 -1
- package/dist/services/wallet-connect.js +6 -6
- package/dist/services/wallet-connect.js.map +1 -1
- package/dist/services/wallet.js +2 -2
- package/dist/services/wallet.js.map +1 -1
- package/dist/types.d.ts +84 -6
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +21 -0
- package/dist/types.js.map +1 -1
- package/package.json +41 -41
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"notifications.d.ts","sourceRoot":"","sources":["../../src/services/notifications.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,WAAW,EACX,+BAA+B,EAC/B,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,EAC7B,MAAM,UAAU,CAAC;AAElB,qBAAa,mBAAoB,SAAQ,WAAW;IAClD
|
|
1
|
+
{"version":3,"file":"notifications.d.ts","sourceRoot":"","sources":["../../src/services/notifications.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,WAAW,EACX,+BAA+B,EAC/B,wBAAwB,EACxB,uBAAuB,EACvB,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,EAC7B,MAAM,UAAU,CAAC;AAElB;;;;;;;;;GASG;AACH,qBAAa,mBAAoB,SAAQ,WAAW;IAClD,wEAAwE;IAClE,oBAAoB,CACxB,QAAQ,EAAE,+BAA+B,GACxC,OAAO,CAAC,WAAW,CAAC;QAAE,YAAY,EAAE,wBAAwB,CAAA;KAAE,CAAC,CAAC;IAMnE,wEAAwE;IAClE,WAAW,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAIpE,wEAAwE;IAClE,oBAAoB,IAAI,OAAO,CACnC,WAAW,CAAC;QACV,aAAa,EAAE,4BAA4B,EAAE,CAAC;QAC9C,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC,CACH;IAID,wEAAwE;IAClE,sBAAsB,IAAI,OAAO,CAAC,WAAW,CAAC;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAI9E;;;;OAIG;IACG,oBAAoB,CACxB,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,WAAW,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAY9C;;OAEG;IACG,wBAAwB,CAC5B,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,WAAW,CAAC,wBAAwB,CAAC,CAAC;CAWlD"}
|
|
@@ -2,49 +2,43 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.NotificationService = void 0;
|
|
4
4
|
const base_service_1 = require("../base-service");
|
|
5
|
+
/**
|
|
6
|
+
* NotificationService — email-only in v1.
|
|
7
|
+
*
|
|
8
|
+
* The backend dropped push notifications (Pusher Beams, Webpushr, Firebase)
|
|
9
|
+
* and the per-device subscription registry. The remaining surface is
|
|
10
|
+
* email delivery via Resend, branded per project. We keep the class
|
|
11
|
+
* signatures of the push methods for backwards compatibility but they
|
|
12
|
+
* now throw a clear error so callers can find them quickly. Use
|
|
13
|
+
* `sendTestNotification` and `sendToAllUserSubscribers` to deliver email.
|
|
14
|
+
*/
|
|
5
15
|
class NotificationService extends base_service_1.BaseService {
|
|
6
|
-
/**
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
async registerSubscription(request) {
|
|
10
|
-
return this.authenticatedRequest({
|
|
11
|
-
method: "POST",
|
|
12
|
-
url: "/notifications/register",
|
|
13
|
-
data: {
|
|
14
|
-
subscriberId: request.subscriberId,
|
|
15
|
-
deviceInfo: request.deviceInfo,
|
|
16
|
-
platform: request.platform,
|
|
17
|
-
},
|
|
18
|
-
});
|
|
16
|
+
/** @deprecated Push notifications are removed in v1. No-op (throws). */
|
|
17
|
+
async registerSubscription(_request) {
|
|
18
|
+
throw new Error("registerSubscription was removed in v1 — push notifications are no longer supported. Email is delivered automatically to the user's recorded email.");
|
|
19
19
|
}
|
|
20
|
-
/**
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
async unsubscribe(subscriberId) {
|
|
24
|
-
return this.authenticatedRequest({
|
|
25
|
-
method: "POST",
|
|
26
|
-
url: "/notifications/unsubscribe",
|
|
27
|
-
data: { subscriberId },
|
|
28
|
-
});
|
|
20
|
+
/** @deprecated Push notifications are removed in v1. No-op (throws). */
|
|
21
|
+
async unsubscribe(_subscriberId) {
|
|
22
|
+
throw new Error("unsubscribe was removed in v1 — there are no per-device push subscriptions to remove.");
|
|
29
23
|
}
|
|
30
|
-
/**
|
|
31
|
-
* Get all notification subscriptions for the current user
|
|
32
|
-
*/
|
|
24
|
+
/** @deprecated Push notifications are removed in v1. No-op (throws). */
|
|
33
25
|
async getUserSubscriptions() {
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
26
|
+
throw new Error("getUserSubscriptions was removed in v1 — there are no per-device push subscriptions to list.");
|
|
27
|
+
}
|
|
28
|
+
/** @deprecated Push notifications are removed in v1. No-op (throws). */
|
|
29
|
+
async deleteAllSubscriptions() {
|
|
30
|
+
throw new Error("deleteAllSubscriptions was removed in v1 — there are no per-device push subscriptions to delete.");
|
|
38
31
|
}
|
|
39
32
|
/**
|
|
40
|
-
* Send a test notification to
|
|
33
|
+
* Send a test email notification to the authenticated user. The legacy
|
|
34
|
+
* `subscriberId` field is ignored (kept on the request shape for source
|
|
35
|
+
* compatibility); delivery is to the user's recorded email.
|
|
41
36
|
*/
|
|
42
37
|
async sendTestNotification(request) {
|
|
43
38
|
return this.authenticatedRequest({
|
|
44
39
|
method: "POST",
|
|
45
|
-
url: "/notifications/test",
|
|
40
|
+
url: "/v1/notifications/test",
|
|
46
41
|
data: {
|
|
47
|
-
subscriberId: request.subscriberId,
|
|
48
42
|
message: request.message,
|
|
49
43
|
targetUrl: request.targetUrl,
|
|
50
44
|
title: request.title,
|
|
@@ -52,12 +46,12 @@ class NotificationService extends base_service_1.BaseService {
|
|
|
52
46
|
});
|
|
53
47
|
}
|
|
54
48
|
/**
|
|
55
|
-
* Send notification to
|
|
49
|
+
* Send a notification email to the authenticated user.
|
|
56
50
|
*/
|
|
57
51
|
async sendToAllUserSubscribers(request) {
|
|
58
52
|
return this.authenticatedRequest({
|
|
59
53
|
method: "POST",
|
|
60
|
-
url: "/notifications/
|
|
54
|
+
url: "/v1/notifications/messages",
|
|
61
55
|
data: {
|
|
62
56
|
message: request.message,
|
|
63
57
|
targetUrl: request.targetUrl,
|
|
@@ -65,15 +59,6 @@ class NotificationService extends base_service_1.BaseService {
|
|
|
65
59
|
},
|
|
66
60
|
});
|
|
67
61
|
}
|
|
68
|
-
/**
|
|
69
|
-
* Delete all notification subscriptions for the current user
|
|
70
|
-
*/
|
|
71
|
-
async deleteAllSubscriptions() {
|
|
72
|
-
return this.authenticatedRequest({
|
|
73
|
-
method: "DELETE",
|
|
74
|
-
url: "/notifications/subscriptions",
|
|
75
|
-
});
|
|
76
|
-
}
|
|
77
62
|
}
|
|
78
63
|
exports.NotificationService = NotificationService;
|
|
79
64
|
//# sourceMappingURL=notifications.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"notifications.js","sourceRoot":"","sources":["../../src/services/notifications.ts"],"names":[],"mappings":";;;AAAA,kDAA8C;AAW9C,MAAa,mBAAoB,SAAQ,0BAAW;IAClD
|
|
1
|
+
{"version":3,"file":"notifications.js","sourceRoot":"","sources":["../../src/services/notifications.ts"],"names":[],"mappings":";;;AAAA,kDAA8C;AAW9C;;;;;;;;;GASG;AACH,MAAa,mBAAoB,SAAQ,0BAAW;IAClD,wEAAwE;IACxE,KAAK,CAAC,oBAAoB,CACxB,QAAyC;QAEzC,MAAM,IAAI,KAAK,CACb,qJAAqJ,CACtJ,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,WAAW,CAAC,aAAqB;QACrC,MAAM,IAAI,KAAK,CAAC,uFAAuF,CAAC,CAAC;IAC3G,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,oBAAoB;QAOxB,MAAM,IAAI,KAAK,CAAC,8FAA8F,CAAC,CAAC;IAClH,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,sBAAsB;QAC1B,MAAM,IAAI,KAAK,CAAC,kGAAkG,CAAC,CAAC;IACtH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,oBAAoB,CACxB,OAAgC;QAEhC,OAAO,IAAI,CAAC,oBAAoB,CAAqC;YACnE,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,wBAAwB;YAC7B,IAAI,EAAE;gBACJ,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,KAAK,EAAE,OAAO,CAAC,KAAK;aACrB;SACF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,wBAAwB,CAC5B,OAAgC;QAEhC,OAAO,IAAI,CAAC,oBAAoB,CAAwC;YACtE,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,4BAA4B;YACjC,IAAI,EAAE;gBACJ,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,KAAK,EAAE,OAAO,CAAC,KAAK;aACrB;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAlED,kDAkEC"}
|
package/dist/services/offramp.js
CHANGED
|
@@ -14,27 +14,27 @@ class OfframpService extends base_service_1.BaseService {
|
|
|
14
14
|
async previewExchangeRate(request) {
|
|
15
15
|
return this.authenticatedRequest({
|
|
16
16
|
method: "POST",
|
|
17
|
-
url: "/
|
|
17
|
+
url: "/v1/rates/quote",
|
|
18
18
|
data: request,
|
|
19
19
|
});
|
|
20
20
|
}
|
|
21
21
|
async getSupportedInstitutions(currency) {
|
|
22
22
|
return this.authenticatedRequest({
|
|
23
23
|
method: "GET",
|
|
24
|
-
url: `/
|
|
24
|
+
url: `/v1/rails/${currency}/payment-methods`,
|
|
25
25
|
});
|
|
26
26
|
}
|
|
27
27
|
async sendPaymentLink(request) {
|
|
28
28
|
return this.authenticatedRequest({
|
|
29
29
|
method: "POST",
|
|
30
|
-
url: "/
|
|
30
|
+
url: "/v1/invoices/notifications",
|
|
31
31
|
data: request,
|
|
32
32
|
});
|
|
33
33
|
}
|
|
34
34
|
async pay(request) {
|
|
35
35
|
return this.authenticatedRequest({
|
|
36
36
|
method: "POST",
|
|
37
|
-
url: "/
|
|
37
|
+
url: "/v1/offramps",
|
|
38
38
|
data: request,
|
|
39
39
|
});
|
|
40
40
|
}
|
|
@@ -46,14 +46,14 @@ class OfframpService extends base_service_1.BaseService {
|
|
|
46
46
|
async createOrder(request) {
|
|
47
47
|
return this.authenticatedRequest({
|
|
48
48
|
method: "POST",
|
|
49
|
-
url: "/
|
|
49
|
+
url: "/v1/offramps",
|
|
50
50
|
data: request,
|
|
51
51
|
});
|
|
52
52
|
}
|
|
53
53
|
async getWithdrawalFee(amount) {
|
|
54
54
|
return this.authenticatedRequest({
|
|
55
55
|
method: "POST",
|
|
56
|
-
url: "/
|
|
56
|
+
url: "/v1/rates/withdrawal-fee",
|
|
57
57
|
data: { amount }
|
|
58
58
|
});
|
|
59
59
|
}
|
|
@@ -65,7 +65,7 @@ class OfframpService extends base_service_1.BaseService {
|
|
|
65
65
|
async pollOrderStatus(request) {
|
|
66
66
|
return this.authenticatedRequest({
|
|
67
67
|
method: "GET",
|
|
68
|
-
url: "/
|
|
68
|
+
url: "/v1/offramps/by-code",
|
|
69
69
|
params: request
|
|
70
70
|
});
|
|
71
71
|
}
|
|
@@ -76,7 +76,7 @@ class OfframpService extends base_service_1.BaseService {
|
|
|
76
76
|
async getOrders() {
|
|
77
77
|
return this.authenticatedRequest({
|
|
78
78
|
method: "GET",
|
|
79
|
-
url: "/
|
|
79
|
+
url: "/v1/offramps",
|
|
80
80
|
});
|
|
81
81
|
}
|
|
82
82
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"offramp.js","sourceRoot":"","sources":["../../src/services/offramp.ts"],"names":[],"mappings":";;;AAAA,kDAA8C;AAoB9C,MAAa,cAAe,SAAQ,0BAAW;IAC7C,YAAY,UAA0B;QACpC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,mBAAmB,CACvB,OAAmC;QAEnC,OAAO,IAAI,CAAC,oBAAoB,CAA8B;YAC5D,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,
|
|
1
|
+
{"version":3,"file":"offramp.js","sourceRoot":"","sources":["../../src/services/offramp.ts"],"names":[],"mappings":";;;AAAA,kDAA8C;AAoB9C,MAAa,cAAe,SAAQ,0BAAW;IAC7C,YAAY,UAA0B;QACpC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,mBAAmB,CACvB,OAAmC;QAEnC,OAAO,IAAI,CAAC,oBAAoB,CAA8B;YAC5D,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,iBAAiB;YACtB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAGD,KAAK,CAAC,wBAAwB,CAAC,QAAyB;QACtD,OAAO,IAAI,CAAC,oBAAoB,CAAmC;YACjE,MAAM,EAAE,KAAK;YACb,GAAG,EAAE,aAAa,QAAQ,kBAAkB;SAC7C,CAAC,CAAC;IACL,CAAC;IAGD,KAAK,CAAC,eAAe,CAAC,OAA+B;QACnD,OAAO,IAAI,CAAC,oBAAoB,CAA0B;YACxD,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,4BAA4B;YACjC,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAE,OAAmB;QAC5B,OAAO,IAAI,CAAC,oBAAoB,CAAc;YAC5C,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,cAAc;YACnB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,WAAW,CACf,OAAkC;QAElC,OAAO,IAAI,CAAC,oBAAoB,CAA6B;YAC3D,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,cAAc;YACnB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,MAAc;QACnC,OAAO,IAAI,CAAC,oBAAoB,CAA2B;YACzD,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,0BAA0B;YAC/B,IAAI,EAAC,EAAC,MAAM,EAAC;SACd,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CACnB,OAAgC;QAEhC,OAAO,IAAI,CAAC,oBAAoB,CAA2B;YACzD,MAAM,EAAE,KAAK;YACb,GAAG,EAAE,sBAAsB;YAC3B,MAAM,EAAE,OAAO;SAEhB,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS;QACb,OAAO,IAAI,CAAC,oBAAoB,CAA2B;YACzD,MAAM,EAAE,KAAK;YACb,GAAG,EAAE,cAAc;SACpB,CAAC,CAAC;IACL,CAAC;CACF;AA9FD,wCA8FC"}
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* OIDC helper — browser-only.
|
|
3
|
+
*
|
|
4
|
+
* Wraps the Google Identity Services (GIS) flow to produce id_tokens
|
|
5
|
+
* with a `nonce` claim bound to a specific user-op hash. The enclave
|
|
6
|
+
* verifies that nonce matches the prehash it's about to sign, so a
|
|
7
|
+
* stolen token can only authorise the exact transaction it was minted
|
|
8
|
+
* for.
|
|
9
|
+
*
|
|
10
|
+
* Typical usage:
|
|
11
|
+
*
|
|
12
|
+
* // 1. Once, when the user clicks "Sign in with Google":
|
|
13
|
+
* const enrolment = await OidcHelper.fetchEnrolment({ clientId, nonce: enrolNonce });
|
|
14
|
+
* await sdk.auth.migrateToV3({ enrolledMethods: [enrolment.method] });
|
|
15
|
+
*
|
|
16
|
+
* // 2. Per transaction, when the user clicks "Send":
|
|
17
|
+
* const userOpHashHex = await sdk.transactions.previewUserOpHash({ ... });
|
|
18
|
+
* const proof = await OidcHelper.sign({ clientId, userOpHashHex });
|
|
19
|
+
* await sdk.transactions.send({ ..., authProof: proof });
|
|
20
|
+
*
|
|
21
|
+
* Requires the Google Sign-In script to be reachable from the page —
|
|
22
|
+
* we load it dynamically on first use, no <script> tag needed.
|
|
23
|
+
*
|
|
24
|
+
* Apple support: SAME shape, different IdP. Add `OidcHelper.signWithApple`
|
|
25
|
+
* later — the spec is identical, only the script URL + payload differ.
|
|
26
|
+
*/
|
|
27
|
+
import type { AuthProof, EnrolledMethod } from "../types";
|
|
28
|
+
interface GisAccountsId {
|
|
29
|
+
initialize: (config: {
|
|
30
|
+
client_id: string;
|
|
31
|
+
nonce?: string;
|
|
32
|
+
callback: (resp: {
|
|
33
|
+
credential: string;
|
|
34
|
+
}) => void;
|
|
35
|
+
auto_select?: boolean;
|
|
36
|
+
cancel_on_tap_outside?: boolean;
|
|
37
|
+
use_fedcm_for_prompt?: boolean;
|
|
38
|
+
}) => void;
|
|
39
|
+
prompt: (listener?: (n: unknown) => void) => void;
|
|
40
|
+
renderButton: (el: HTMLElement, options: Record<string, unknown>) => void;
|
|
41
|
+
disableAutoSelect: () => void;
|
|
42
|
+
}
|
|
43
|
+
declare global {
|
|
44
|
+
interface Window {
|
|
45
|
+
google?: {
|
|
46
|
+
accounts?: {
|
|
47
|
+
id?: GisAccountsId;
|
|
48
|
+
};
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
export interface OidcEnrolmentResult {
|
|
53
|
+
/** Pass this directly to signup / login / migrateToV3 as enrolledMethods[i]. */
|
|
54
|
+
method: EnrolledMethod;
|
|
55
|
+
/** The raw id_token — useful if you also want to send it as a one-shot authProof. */
|
|
56
|
+
idToken: string;
|
|
57
|
+
}
|
|
58
|
+
export declare class OidcHelper {
|
|
59
|
+
/**
|
|
60
|
+
* Fetch a Google id_token for enrolment. The user picks a Google
|
|
61
|
+
* account in the consent flow. The returned `method` is what you
|
|
62
|
+
* pass to `auth.migrateToV3()` or as `enrolledMethods` at signup.
|
|
63
|
+
*
|
|
64
|
+
* The `nonce` here is anti-replay for enrolment only — you can use
|
|
65
|
+
* any opaque value (a random UUID is fine). For per-transaction
|
|
66
|
+
* signing, use `sign()` instead, which binds nonce=user_op_hash.
|
|
67
|
+
*/
|
|
68
|
+
static fetchEnrolment(opts: {
|
|
69
|
+
clientId: string;
|
|
70
|
+
/** Random opaque value. Defaults to a fresh crypto.randomUUID(). */
|
|
71
|
+
nonce?: string;
|
|
72
|
+
/** Where to render the Google button. Required. */
|
|
73
|
+
buttonContainer: HTMLElement;
|
|
74
|
+
/** Optional button visual config — see GIS docs. */
|
|
75
|
+
buttonOptions?: Record<string, unknown>;
|
|
76
|
+
}): Promise<OidcEnrolmentResult>;
|
|
77
|
+
/**
|
|
78
|
+
* Sign a specific user-op hash via Google. The id_token's `nonce`
|
|
79
|
+
* claim will equal `userOpHashHex` (no 0x prefix), which the enclave
|
|
80
|
+
* uses to bind this proof to this specific transaction.
|
|
81
|
+
*
|
|
82
|
+
* `clientId` MUST be the same one you used at enrolment (it ends up
|
|
83
|
+
* in the JWT's `aud` claim, which the enclave checks against its
|
|
84
|
+
* pinned accept list).
|
|
85
|
+
*/
|
|
86
|
+
static sign(opts: {
|
|
87
|
+
clientId: string;
|
|
88
|
+
/** 32-byte hash, hex, with or without 0x prefix. */
|
|
89
|
+
userOpHashHex: string;
|
|
90
|
+
buttonContainer: HTMLElement;
|
|
91
|
+
buttonOptions?: Record<string, unknown>;
|
|
92
|
+
}): Promise<AuthProof>;
|
|
93
|
+
/**
|
|
94
|
+
* Lower-level: render a Google Sign-In button and wait for the user
|
|
95
|
+
* to click it. Returns the raw id_token. Used internally by both
|
|
96
|
+
* fetchEnrolment and sign.
|
|
97
|
+
*/
|
|
98
|
+
private static requestIdToken;
|
|
99
|
+
}
|
|
100
|
+
export {};
|
|
101
|
+
//# sourceMappingURL=oidc-helper.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oidc-helper.d.ts","sourceRoot":"","sources":["../../src/services/oidc-helper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAI1D,UAAU,aAAa;IACrB,UAAU,EAAE,CAAC,MAAM,EAAE;QACnB,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,CAAC,IAAI,EAAE;YAAE,UAAU,EAAE,MAAM,CAAA;SAAE,KAAK,IAAI,CAAC;QACjD,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,qBAAqB,CAAC,EAAE,OAAO,CAAC;QAChC,oBAAoB,CAAC,EAAE,OAAO,CAAC;KAChC,KAAK,IAAI,CAAC;IACX,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,IAAI,KAAK,IAAI,CAAC;IAClD,YAAY,EAAE,CACZ,EAAE,EAAE,WAAW,EACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC7B,IAAI,CAAC;IACV,iBAAiB,EAAE,MAAM,IAAI,CAAC;CAC/B;AAED,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,MAAM,CAAC,EAAE;YAAE,QAAQ,CAAC,EAAE;gBAAE,EAAE,CAAC,EAAE,aAAa,CAAA;aAAE,CAAA;SAAE,CAAC;KAChD;CACF;AA6DD,MAAM,WAAW,mBAAmB;IAClC,gFAAgF;IAChF,MAAM,EAAE,cAAc,CAAC;IACvB,qFAAqF;IACrF,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,UAAU;IACrB;;;;;;;;OAQG;WACU,cAAc,CAAC,IAAI,EAAE;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,oEAAoE;QACpE,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,mDAAmD;QACnD,eAAe,EAAE,WAAW,CAAC;QAC7B,oDAAoD;QACpD,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACzC,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAchC;;;;;;;;OAQG;WACU,IAAI,CAAC,IAAI,EAAE;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,oDAAoD;QACpD,aAAa,EAAE,MAAM,CAAC;QACtB,eAAe,EAAE,WAAW,CAAC;QAC7B,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACzC,GAAG,OAAO,CAAC,SAAS,CAAC;IActB;;;;OAIG;mBACkB,cAAc;CAuCpC"}
|
|
@@ -0,0 +1,171 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* OIDC helper — browser-only.
|
|
4
|
+
*
|
|
5
|
+
* Wraps the Google Identity Services (GIS) flow to produce id_tokens
|
|
6
|
+
* with a `nonce` claim bound to a specific user-op hash. The enclave
|
|
7
|
+
* verifies that nonce matches the prehash it's about to sign, so a
|
|
8
|
+
* stolen token can only authorise the exact transaction it was minted
|
|
9
|
+
* for.
|
|
10
|
+
*
|
|
11
|
+
* Typical usage:
|
|
12
|
+
*
|
|
13
|
+
* // 1. Once, when the user clicks "Sign in with Google":
|
|
14
|
+
* const enrolment = await OidcHelper.fetchEnrolment({ clientId, nonce: enrolNonce });
|
|
15
|
+
* await sdk.auth.migrateToV3({ enrolledMethods: [enrolment.method] });
|
|
16
|
+
*
|
|
17
|
+
* // 2. Per transaction, when the user clicks "Send":
|
|
18
|
+
* const userOpHashHex = await sdk.transactions.previewUserOpHash({ ... });
|
|
19
|
+
* const proof = await OidcHelper.sign({ clientId, userOpHashHex });
|
|
20
|
+
* await sdk.transactions.send({ ..., authProof: proof });
|
|
21
|
+
*
|
|
22
|
+
* Requires the Google Sign-In script to be reachable from the page —
|
|
23
|
+
* we load it dynamically on first use, no <script> tag needed.
|
|
24
|
+
*
|
|
25
|
+
* Apple support: SAME shape, different IdP. Add `OidcHelper.signWithApple`
|
|
26
|
+
* later — the spec is identical, only the script URL + payload differ.
|
|
27
|
+
*/
|
|
28
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
29
|
+
exports.OidcHelper = void 0;
|
|
30
|
+
const GIS_SRC = "https://accounts.google.com/gsi/client";
|
|
31
|
+
function assertBrowser() {
|
|
32
|
+
if (typeof window === "undefined" || typeof document === "undefined") {
|
|
33
|
+
throw new Error("OidcHelper can only be used in a browser — it depends on Google Identity Services. On the server, call your backend's OAuth-handling endpoint instead.");
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
async function loadGis() {
|
|
37
|
+
assertBrowser();
|
|
38
|
+
if (window.google?.accounts?.id)
|
|
39
|
+
return window.google.accounts.id;
|
|
40
|
+
await new Promise((resolve, reject) => {
|
|
41
|
+
const existing = document.querySelector(`script[src="${GIS_SRC}"]`);
|
|
42
|
+
if (existing) {
|
|
43
|
+
// Wait for it to load.
|
|
44
|
+
existing.addEventListener("load", () => resolve(), { once: true });
|
|
45
|
+
existing.addEventListener("error", () => reject(new Error("GIS script failed")), { once: true });
|
|
46
|
+
// If it's already loaded, the event has fired and we'll hang.
|
|
47
|
+
// Resolve immediately if google.accounts.id already exists.
|
|
48
|
+
if (window.google?.accounts?.id)
|
|
49
|
+
resolve();
|
|
50
|
+
return;
|
|
51
|
+
}
|
|
52
|
+
const s = document.createElement("script");
|
|
53
|
+
s.src = GIS_SRC;
|
|
54
|
+
s.async = true;
|
|
55
|
+
s.defer = true;
|
|
56
|
+
s.onload = () => resolve();
|
|
57
|
+
s.onerror = () => reject(new Error("failed to load Google Identity Services script"));
|
|
58
|
+
document.head.appendChild(s);
|
|
59
|
+
});
|
|
60
|
+
if (!window.google?.accounts?.id) {
|
|
61
|
+
throw new Error("Google Identity Services loaded but accounts.id is not available");
|
|
62
|
+
}
|
|
63
|
+
return window.google.accounts.id;
|
|
64
|
+
}
|
|
65
|
+
/**
|
|
66
|
+
* Decoded subset of the id_token claims we need to construct an
|
|
67
|
+
* `EnrolledMethod`. Decoded client-side; the enclave does the real
|
|
68
|
+
* verification — this is just to populate (iss, sub) for the user.
|
|
69
|
+
*/
|
|
70
|
+
function decodeJwtUnverified(jwt) {
|
|
71
|
+
const parts = jwt.split(".");
|
|
72
|
+
if (parts.length !== 3)
|
|
73
|
+
throw new Error("not a JWT");
|
|
74
|
+
// base64url-decode the payload
|
|
75
|
+
const payloadB64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
|
|
76
|
+
const padded = payloadB64 + "===".slice(0, (4 - (payloadB64.length % 4)) % 4);
|
|
77
|
+
const json = atob(padded);
|
|
78
|
+
const obj = JSON.parse(json);
|
|
79
|
+
if (!obj.iss || !obj.sub) {
|
|
80
|
+
throw new Error("id_token missing iss or sub");
|
|
81
|
+
}
|
|
82
|
+
return { iss: obj.iss, sub: obj.sub };
|
|
83
|
+
}
|
|
84
|
+
class OidcHelper {
|
|
85
|
+
/**
|
|
86
|
+
* Fetch a Google id_token for enrolment. The user picks a Google
|
|
87
|
+
* account in the consent flow. The returned `method` is what you
|
|
88
|
+
* pass to `auth.migrateToV3()` or as `enrolledMethods` at signup.
|
|
89
|
+
*
|
|
90
|
+
* The `nonce` here is anti-replay for enrolment only — you can use
|
|
91
|
+
* any opaque value (a random UUID is fine). For per-transaction
|
|
92
|
+
* signing, use `sign()` instead, which binds nonce=user_op_hash.
|
|
93
|
+
*/
|
|
94
|
+
static async fetchEnrolment(opts) {
|
|
95
|
+
const idToken = await OidcHelper.requestIdToken({
|
|
96
|
+
clientId: opts.clientId,
|
|
97
|
+
nonce: opts.nonce ?? crypto.randomUUID(),
|
|
98
|
+
buttonContainer: opts.buttonContainer,
|
|
99
|
+
buttonOptions: opts.buttonOptions,
|
|
100
|
+
});
|
|
101
|
+
const { iss, sub } = decodeJwtUnverified(idToken);
|
|
102
|
+
return {
|
|
103
|
+
method: { kind: "oidc", iss, sub },
|
|
104
|
+
idToken,
|
|
105
|
+
};
|
|
106
|
+
}
|
|
107
|
+
/**
|
|
108
|
+
* Sign a specific user-op hash via Google. The id_token's `nonce`
|
|
109
|
+
* claim will equal `userOpHashHex` (no 0x prefix), which the enclave
|
|
110
|
+
* uses to bind this proof to this specific transaction.
|
|
111
|
+
*
|
|
112
|
+
* `clientId` MUST be the same one you used at enrolment (it ends up
|
|
113
|
+
* in the JWT's `aud` claim, which the enclave checks against its
|
|
114
|
+
* pinned accept list).
|
|
115
|
+
*/
|
|
116
|
+
static async sign(opts) {
|
|
117
|
+
const nonce = opts.userOpHashHex.replace(/^0x/i, "").toLowerCase();
|
|
118
|
+
if (!/^[0-9a-f]{64}$/.test(nonce)) {
|
|
119
|
+
throw new Error("userOpHashHex must be 32 bytes hex");
|
|
120
|
+
}
|
|
121
|
+
const idToken = await OidcHelper.requestIdToken({
|
|
122
|
+
clientId: opts.clientId,
|
|
123
|
+
nonce,
|
|
124
|
+
buttonContainer: opts.buttonContainer,
|
|
125
|
+
buttonOptions: opts.buttonOptions,
|
|
126
|
+
});
|
|
127
|
+
return { kind: "oidc", id_token: idToken };
|
|
128
|
+
}
|
|
129
|
+
/**
|
|
130
|
+
* Lower-level: render a Google Sign-In button and wait for the user
|
|
131
|
+
* to click it. Returns the raw id_token. Used internally by both
|
|
132
|
+
* fetchEnrolment and sign.
|
|
133
|
+
*/
|
|
134
|
+
static async requestIdToken(opts) {
|
|
135
|
+
const gis = await loadGis();
|
|
136
|
+
return new Promise((resolve, reject) => {
|
|
137
|
+
let resolved = false;
|
|
138
|
+
try {
|
|
139
|
+
gis.initialize({
|
|
140
|
+
client_id: opts.clientId,
|
|
141
|
+
nonce: opts.nonce,
|
|
142
|
+
callback: (resp) => {
|
|
143
|
+
if (resolved)
|
|
144
|
+
return;
|
|
145
|
+
resolved = true;
|
|
146
|
+
if (!resp.credential) {
|
|
147
|
+
reject(new Error("Google returned no credential"));
|
|
148
|
+
return;
|
|
149
|
+
}
|
|
150
|
+
resolve(resp.credential);
|
|
151
|
+
},
|
|
152
|
+
auto_select: false,
|
|
153
|
+
cancel_on_tap_outside: false,
|
|
154
|
+
});
|
|
155
|
+
// Clear and render fresh button so the latest nonce sticks.
|
|
156
|
+
opts.buttonContainer.innerHTML = "";
|
|
157
|
+
gis.renderButton(opts.buttonContainer, {
|
|
158
|
+
theme: "outline",
|
|
159
|
+
size: "large",
|
|
160
|
+
text: "signin_with",
|
|
161
|
+
...opts.buttonOptions,
|
|
162
|
+
});
|
|
163
|
+
}
|
|
164
|
+
catch (e) {
|
|
165
|
+
reject(e);
|
|
166
|
+
}
|
|
167
|
+
});
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
exports.OidcHelper = OidcHelper;
|
|
171
|
+
//# sourceMappingURL=oidc-helper.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"oidc-helper.js","sourceRoot":"","sources":["../../src/services/oidc-helper.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;;;AAIH,MAAM,OAAO,GAAG,wCAAwC,CAAC;AAyBzD,SAAS,aAAa;IACpB,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,QAAQ,KAAK,WAAW,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CACb,wJAAwJ,CACzJ,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,OAAO;IACpB,aAAa,EAAE,CAAC;IAChB,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;IAElE,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,aAAa,CACrC,eAAe,OAAO,IAAI,CAC3B,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,uBAAuB;YACvB,QAAQ,CAAC,gBAAgB,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YACnE,QAAQ,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YACjG,8DAA8D;YAC9D,4DAA4D;YAC5D,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE;gBAAE,OAAO,EAAE,CAAC;YAC3C,OAAO;QACT,CAAC;QACD,MAAM,CAAC,GAAG,QAAQ,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC,CAAC,GAAG,GAAG,OAAO,CAAC;QAChB,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC;QACf,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC;QACf,CAAC,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAC3B,CAAC,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC,CAAC;QACtF,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;AACnC,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,GAAW;IACtC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;IACrD,+BAA+B;IAC/B,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9E,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmC,CAAC;IAC/D,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;AACxC,CAAC;AASD,MAAa,UAAU;IACrB;;;;;;;;OAQG;IACH,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,IAQ3B;QACC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,cAAc,CAAC;YAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE;YACxC,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAClD,OAAO;YACL,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE;YAClC,OAAO;SACR,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAMjB;QACC,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACnE,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,cAAc,CAAC;YAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK;YACL,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAC;QACH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IAC7C,CAAC;IAED;;;;OAIG;IACK,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,IAKnC;QACC,MAAM,GAAG,GAAG,MAAM,OAAO,EAAE,CAAC;QAE5B,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC7C,IAAI,QAAQ,GAAG,KAAK,CAAC;YACrB,IAAI,CAAC;gBACH,GAAG,CAAC,UAAU,CAAC;oBACb,SAAS,EAAE,IAAI,CAAC,QAAQ;oBACxB,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE;wBACjB,IAAI,QAAQ;4BAAE,OAAO;wBACrB,QAAQ,GAAG,IAAI,CAAC;wBAChB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;4BACrB,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;4BACnD,OAAO;wBACT,CAAC;wBACD,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;oBAC3B,CAAC;oBACD,WAAW,EAAE,KAAK;oBAClB,qBAAqB,EAAE,KAAK;iBAC7B,CAAC,CAAC;gBACH,4DAA4D;gBAC5D,IAAI,CAAC,eAAe,CAAC,SAAS,GAAG,EAAE,CAAC;gBACpC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,eAAe,EAAE;oBACrC,KAAK,EAAE,SAAS;oBAChB,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,aAAa;oBACnB,GAAG,IAAI,CAAC,aAAa;iBACtB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAzGD,gCAyGC"}
|
|
@@ -9,14 +9,14 @@ class OnrampServiceV2 extends base_service_1.BaseService {
|
|
|
9
9
|
async buy(request) {
|
|
10
10
|
return this.authenticatedRequest({
|
|
11
11
|
method: "POST",
|
|
12
|
-
url: "/
|
|
12
|
+
url: "/v1/onramps",
|
|
13
13
|
data: request,
|
|
14
14
|
});
|
|
15
15
|
}
|
|
16
16
|
async getOnrampStatus(transactionCode) {
|
|
17
17
|
return this.authenticatedRequest({
|
|
18
18
|
method: "POST",
|
|
19
|
-
url: `/
|
|
19
|
+
url: `/v1/onramps/by-code`,
|
|
20
20
|
data: {
|
|
21
21
|
transaction_code: transactionCode,
|
|
22
22
|
},
|
|
@@ -25,7 +25,7 @@ class OnrampServiceV2 extends base_service_1.BaseService {
|
|
|
25
25
|
async getOnrampOrders(userId) {
|
|
26
26
|
return this.authenticatedRequest({
|
|
27
27
|
method: "GET",
|
|
28
|
-
url: `/
|
|
28
|
+
url: `/v1/onramps`,
|
|
29
29
|
params: {
|
|
30
30
|
userId,
|
|
31
31
|
},
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"onramp_v2.js","sourceRoot":"","sources":["../../src/services/onramp_v2.ts"],"names":[],"mappings":";;;AAAA,kDAA8C;AAU9C,MAAa,eAAgB,SAAQ,0BAAW;IAC9C,YAAY,UAA0B;QACpC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAmB;QAC3B,OAAO,IAAI,CAAC,oBAAoB,CAAc;YAC5C,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,
|
|
1
|
+
{"version":3,"file":"onramp_v2.js","sourceRoot":"","sources":["../../src/services/onramp_v2.ts"],"names":[],"mappings":";;;AAAA,kDAA8C;AAU9C,MAAa,eAAgB,SAAQ,0BAAW;IAC9C,YAAY,UAA0B;QACpC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAmB;QAC3B,OAAO,IAAI,CAAC,oBAAoB,CAAc;YAC5C,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,aAAa;YAClB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAGD,KAAK,CAAC,eAAe,CAAC,eAAuB;QAC3C,OAAO,IAAI,CAAC,oBAAoB,CAAuB;YACrD,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,qBAAqB;YAC1B,IAAI,EAAE;gBACJ,gBAAgB,EAAE,eAAe;aAClC;SACF,CAAC,CAAC;IACL,CAAC;IAGD,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,OAAO,IAAI,CAAC,oBAAoB,CAAyB;YACvD,MAAM,EAAE,KAAK;YACb,GAAG,EAAE,aAAa;YAClB,MAAM,EAAE;gBACN,MAAM;aACP;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAlCD,0CAkCC"}
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Passkey helper — browser-only.
|
|
3
|
+
*
|
|
4
|
+
* Wraps `navigator.credentials.create()` and `navigator.credentials.get()`
|
|
5
|
+
* with all the small encoding ceremonies the enclave expects:
|
|
6
|
+
*
|
|
7
|
+
* - Extracts X / Y coordinates from the SPKI-encoded public key the
|
|
8
|
+
* browser hands us and re-packs them as a COSE_Key CBOR blob (which
|
|
9
|
+
* is what the enclave's `webauthn_verification` module parses).
|
|
10
|
+
* - Binds the assertion's challenge to a specific user-op hash so the
|
|
11
|
+
* proof is non-replayable across transactions.
|
|
12
|
+
* - Returns ready-to-send `EnrolledMethod` / `AuthProof` objects.
|
|
13
|
+
*
|
|
14
|
+
* Algorithm: ES256 / P-256 (COSE alg -7). Covers virtually all modern
|
|
15
|
+
* platform authenticators (iOS Secure Enclave, Android Keystore, Windows
|
|
16
|
+
* Hello on TPM, most YubiKey models).
|
|
17
|
+
*
|
|
18
|
+
* Note about RP-ID: the enclave's pinned policy accepts a list of RP-IDs
|
|
19
|
+
* (typically your top-level domain + "localhost" for dev). You must pass
|
|
20
|
+
* the SAME `rpId` to enrol() and sign() — passkeys are bound to one RP.
|
|
21
|
+
*/
|
|
22
|
+
import type { AuthProof, EnrolledMethod } from "../types";
|
|
23
|
+
/** Quick capability check for "should I offer a passkey UI?". */
|
|
24
|
+
export declare function isPasskeySupported(): boolean;
|
|
25
|
+
/**
|
|
26
|
+
* Async capability check that also asks "does this device have a built-in
|
|
27
|
+
* authenticator (Touch ID, Face ID, Windows Hello)?". Returns false on
|
|
28
|
+
* desktops without biometric hardware unless a roaming key is connected.
|
|
29
|
+
*/
|
|
30
|
+
export declare function isPlatformPasskeySupported(): Promise<boolean>;
|
|
31
|
+
export interface PasskeyEnrolmentResult {
|
|
32
|
+
/** Pass to signup / login / migrateToV3 as enrolledMethods[i]. */
|
|
33
|
+
method: EnrolledMethod;
|
|
34
|
+
/** Raw credential ID (base64-padded). Same value as method.cred_id_b64. */
|
|
35
|
+
credentialIdB64: string;
|
|
36
|
+
/** Raw COSE_Key bytes (base64-padded). Same as method.cose_pubkey_b64. */
|
|
37
|
+
cosePublicKeyB64: string;
|
|
38
|
+
}
|
|
39
|
+
export declare class PasskeyHelper {
|
|
40
|
+
/**
|
|
41
|
+
* Run a WebAuthn enrolment ceremony. Prompts the user for biometric /
|
|
42
|
+
* device PIN. Returns an `EnrolledMethod` ready to pass to the SDK.
|
|
43
|
+
*
|
|
44
|
+
* `rpId` should be your eTLD+1 (e.g. "riftfi.xyz") or "localhost" for
|
|
45
|
+
* dev. The SAME rpId must appear in the enclave's pinned policy
|
|
46
|
+
* (see WebAuthnPolicy.accepted_rp_ids).
|
|
47
|
+
*/
|
|
48
|
+
static enrol(opts: {
|
|
49
|
+
rpId: string;
|
|
50
|
+
rpName: string;
|
|
51
|
+
/** User identifier — any opaque 16-32 byte value. Defaults to randomUUID bytes. */
|
|
52
|
+
userId?: Uint8Array;
|
|
53
|
+
/** Display string for the user — usually email or username. */
|
|
54
|
+
userName: string;
|
|
55
|
+
userDisplayName?: string;
|
|
56
|
+
/**
|
|
57
|
+
* If true (default), requires biometric / PIN verification at enrolment.
|
|
58
|
+
* Set to false for "device PIN only" or roaming-key-only flows.
|
|
59
|
+
*/
|
|
60
|
+
requireUserVerification?: boolean;
|
|
61
|
+
}): Promise<PasskeyEnrolmentResult>;
|
|
62
|
+
/**
|
|
63
|
+
* Produce an `AuthProof` for a specific user-op hash. Prompts the
|
|
64
|
+
* user for biometric / PIN. The assertion's challenge is the raw
|
|
65
|
+
* 32-byte hash, so the resulting proof is bound to this exact
|
|
66
|
+
* transaction.
|
|
67
|
+
*
|
|
68
|
+
* Pass the SAME `rpId` you used at enrolment.
|
|
69
|
+
*
|
|
70
|
+
* `allowedCredentialIdB64` — restrict to a specific credential. Pass
|
|
71
|
+
* the one you stored at enrolment. If omitted, the browser picks
|
|
72
|
+
* among all credentials for this RP (discoverable credentials).
|
|
73
|
+
*/
|
|
74
|
+
static sign(opts: {
|
|
75
|
+
rpId: string;
|
|
76
|
+
/** 32-byte hash, hex, with or without 0x prefix. */
|
|
77
|
+
userOpHashHex: string;
|
|
78
|
+
allowedCredentialIdB64?: string;
|
|
79
|
+
requireUserVerification?: boolean;
|
|
80
|
+
}): Promise<AuthProof>;
|
|
81
|
+
}
|
|
82
|
+
//# sourceMappingURL=passkey-helper.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"passkey-helper.d.ts","sourceRoot":"","sources":["../../src/services/passkey-helper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAc1D,iEAAiE;AACjE,wBAAgB,kBAAkB,IAAI,OAAO,CAO5C;AAED;;;;GAIG;AACH,wBAAsB,0BAA0B,IAAI,OAAO,CAAC,OAAO,CAAC,CAOnE;AAuED,MAAM,WAAW,sBAAsB;IACrC,kEAAkE;IAClE,MAAM,EAAE,cAAc,CAAC;IACvB,2EAA2E;IAC3E,eAAe,EAAE,MAAM,CAAC;IACxB,0EAA0E;IAC1E,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,qBAAa,aAAa;IACxB;;;;;;;OAOG;WACU,KAAK,CAAC,IAAI,EAAE;QACvB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,mFAAmF;QACnF,MAAM,CAAC,EAAE,UAAU,CAAC;QACpB,+DAA+D;QAC/D,QAAQ,EAAE,MAAM,CAAC;QACjB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB;;;WAGG;QACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;KACnC,GAAG,OAAO,CAAC,sBAAsB,CAAC;IA8CnC;;;;;;;;;;;OAWG;WACU,IAAI,CAAC,IAAI,EAAE;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,oDAAoD;QACpD,aAAa,EAAE,MAAM,CAAC;QACtB,sBAAsB,CAAC,EAAE,MAAM,CAAC;QAChC,uBAAuB,CAAC,EAAE,OAAO,CAAC;KACnC,GAAG,OAAO,CAAC,SAAS,CAAC;CAmCvB"}
|