@stellar/stellar-sdk 14.3.3 → 14.4.1

package/lib/rpc/utils.js

@@ -5,5 +5,5 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.hasOwnProperty = hasOwnProperty;
 function hasOwnProperty(obj, prop) {
-  return obj.hasOwnProperty(prop);
+  return Object.prototype.hasOwnProperty.call(obj, prop);
 }

package/lib/webauth/challenge_transaction.d.ts

@@ -0,0 +1,235 @@
+import { Keypair, Transaction } from "@stellar/stellar-base";
+import { ServerApi } from "../horizon/server_api";
+/**
+ * Returns a valid {@link https://stellar.org/protocol/sep-10 | SEP-10}
+ * challenge transaction which you can use for Stellar Web Authentication.
+ * @param serverKeypair Keypair for server's signing account.
+ * @param clientAccountID The stellar account (G...) or muxed account
+ *    (M...) that the wallet wishes to authenticate with the server.
+ * @param homeDomain The fully qualified domain name of the service
+ *    requiring authentication
+ * @param timeout Challenge duration (default to 5 minutes).
+ * @param networkPassphrase The network passphrase. If you pass this
+ *    argument then timeout is required.
+ * @param webAuthDomain The fully qualified domain name of the service
+ *    issuing the challenge.
+ * @param memo The memo to attach to the challenge transaction. The
+ *    memo must be of type `id`. If the `clientaccountID` is a muxed account,
+ *    memos cannot be used.
+ * @param clientDomain The fully qualified domain of the client
+ *    requesting the challenge. Only necessary when the 'client_domain'
+ *    parameter is passed.
+ * @param clientSigningKey The public key assigned to the SIGNING_KEY
+ *    attribute specified on the stellar.toml hosted on the client domain. Only
+ *    necessary when the 'client_domain' parameter is passed.
+ * @returns A base64 encoded string of the raw TransactionEnvelope xdr
+ *    struct for the transaction.
+ * @throws {Error} Will throw if `clientAccountID is a muxed account, and `memo`
+ *    is present.
+ * @throws {Error} Will throw if `clientDomain` is provided, but
+ *    `clientSigningKey` is missing
+ * @see {@link https://stellar.org/protocol/sep-10 | SEP-10: Stellar Web Auth}
+ * @example
+ * import { Keypair, Networks, WebAuth } from 'stellar-sdk'
+ *
+ * let serverKeyPair = Keypair.fromSecret("server-secret")
+ * let challenge = WebAuth.buildChallengeTx(
+ *    serverKeyPair,
+ *    "client-stellar-account-id",
+ *    "stellar.org",
+ *    300,
+ *    Networks.TESTNET);
+ */
+export declare function buildChallengeTx(serverKeypair: Keypair, clientAccountID: string, homeDomain: string, timeout: number | undefined, networkPassphrase: string, webAuthDomain: string, memo?: string | null, clientDomain?: string | null, clientSigningKey?: string | null): string;
+/**
+ * Reads a SEP-10 challenge transaction and returns the decoded transaction and
+ * client account ID contained within.
+ *
+ * It also verifies that the transaction has been signed by the server.
+ *
+ * It does not verify that the transaction has been signed by the client or that
+ * any signatures other than the server's on the transaction are valid. Use one
+ * of the following functions to completely verify the transaction:
+ *
+ * - {@link module:WebAuth~verifyChallengeTxThreshold}
+ * - {@link module:WebAuth~verifyChallengeTxSigners}
+ * @param challengeTx SEP0010 challenge transaction in base64.
+ * @param serverAccountID The server's stellar account (public key).
+ * @param networkPassphrase The network passphrase, e.g.: 'Test SDF
+ *    Network ; September 2015' (see {@link Networks})
+ * @param homeDomains The home domain that is expected
+ *    to be included in the first Manage Data operation's string key. If an
+ *    array is provided, one of the domain names in the array must match.
+ * @param webAuthDomain The home domain that is expected to be included
+ *    as the value of the Manage Data operation with the 'web_auth_domain' key.
+ *    If no such operation is included, this parameter is not used.
+ * @returns The actual transaction and the
+ *    Stellar public key (master key) used to sign the Manage Data operation,
+ *    the matched home domain, and the memo attached to the transaction, which
+ *    will be null if not present.
+ * @see {@link https://stellar.org/protocol/sep-10 | SEP-10: Stellar Web Auth}
+ */
+export declare function readChallengeTx(challengeTx: string, serverAccountID: string, networkPassphrase: string, homeDomains: string | string[], webAuthDomain: string): {
+    tx: Transaction;
+    clientAccountID: string;
+    matchedHomeDomain: string;
+    memo: string | null;
+};
+/**
+ * Verifies that for a SEP 10 challenge transaction all signatures on the
+ * transaction are accounted for. A transaction is verified if it is signed by
+ * the server account, and all other signatures match a signer that has been
+ * provided as an argument (as the accountIDs list). Additional signers can be
+ * provided that do not have a signature, but all signatures must be matched to
+ * a signer (accountIDs) for verification to succeed. If verification succeeds,
+ * a list of signers that were found is returned, not including the server
+ * account ID.
+ *
+ * Signers that are not prefixed as an address/account ID strkey (G...) will be
+ * ignored.
+ *
+ * Errors will be raised if:
+ * - The transaction is invalid according to
+ * {@link module:WebAuth~readChallengeTx}.
+ * - No client signatures are found on the transaction.
+ * - One or more signatures in the transaction are not identifiable as the
+ * server account or one of the signers provided in the arguments.
+ * @param challengeTx SEP0010 challenge transaction in base64.
+ * @param serverAccountID The server's stellar account (public key).
+ * @param networkPassphrase The network passphrase, e.g.: 'Test SDF
+ *    Network ; September 2015' (see {@link Networks}).
+ * @param signers The signers public keys. This list should
+ *    contain the public keys for all signers that have signed the transaction.
+ * @param homeDomains The home domain(s) that should
+ *    be included in the first Manage Data operation's string key. Required in
+ *    readChallengeTx().
+ * @param webAuthDomain The home domain that is expected to be included
+ *    as the value of the Manage Data operation with the 'web_auth_domain' key,
+ *    if present. Used in readChallengeTx().
+ * @returns The list of signers public keys that have signed
+ *    the transaction, excluding the server account ID.
+ * @see {@link https://stellar.org/protocol/sep-10|SEP-10: Stellar Web Auth}
+ * @example
+ * import { Networks, TransactionBuilder, WebAuth }  from 'stellar-sdk';
+ *
+ * const serverKP = Keypair.random();
+ * const clientKP1 = Keypair.random();
+ * const clientKP2 = Keypair.random();
+ *
+ * // Challenge, possibly built in the server side
+ * const challenge = WebAuth.buildChallengeTx(
+ *   serverKP,
+ *   clientKP1.publicKey(),
+ *   "SDF",
+ *   300,
+ *   Networks.TESTNET
+ * );
+ *
+ * // clock.tick(200);  // Simulates a 200 ms delay when communicating from server to client
+ *
+ * // Transaction gathered from a challenge, possibly from the client side
+ * const transaction = TransactionBuilder.fromXDR(challenge, Networks.TESTNET);
+ * transaction.sign(clientKP1, clientKP2);
+ * const signedChallenge = transaction
+ *         .toEnvelope()
+ *         .toXDR("base64")
+ *         .toString();
+ *
+ * // The result below should be equal to [clientKP1.publicKey(), clientKP2.publicKey()]
+ * WebAuth.verifyChallengeTxSigners(
+ *    signedChallenge,
+ *    serverKP.publicKey(),
+ *    Networks.TESTNET,
+ *    threshold,
+ *    [clientKP1.publicKey(), clientKP2.publicKey()]
+ * );
+ */
+export declare function verifyChallengeTxSigners(challengeTx: string, serverAccountID: string, networkPassphrase: string, signers: string[], homeDomains: string | string[], webAuthDomain: string): string[];
+/**
+ * Verifies that for a SEP-10 challenge transaction all signatures on the
+ * transaction are accounted for and that the signatures meet a threshold on an
+ * account. A transaction is verified if it is signed by the server account, and
+ * all other signatures match a signer that has been provided as an argument,
+ * and those signatures meet a threshold on the account.
+ *
+ * Signers that are not prefixed as an address/account ID strkey (G...) will be
+ * ignored.
+ *
+ * Errors will be raised if:
+ * - The transaction is invalid according to
+ * {@link module:WebAuth~readChallengeTx}.
+ * - No client signatures are found on the transaction.
+ * - One or more signatures in the transaction are not identifiable as the
+ * server account or one of the signers provided in the arguments.
+ * - The signatures are all valid but do not meet the threshold.
+ * @param challengeTx SEP0010 challenge transaction in base64.
+ * @param serverAccountID The server's stellar account (public key).
+ * @param networkPassphrase The network passphrase, e.g.: 'Test SDF
+ *    Network ; September 2015' (see {@link Networks}).
+ * @param threshold The required signatures threshold for verifying
+ *    this transaction.
+ * @param signerSummary a map of all
+ *    authorized signers to their weights. It's used to validate if the
+ *    transaction signatures have met the given threshold.
+ * @param homeDomains The home domain(s) that should
+ *    be included in the first Manage Data operation's string key. Required in
+ *    verifyChallengeTxSigners() => readChallengeTx().
+ * @param webAuthDomain The home domain that is expected to be included
+ *    as the value of the Manage Data operation with the 'web_auth_domain' key,
+ *    if present. Used in verifyChallengeTxSigners() => readChallengeTx().
+ * @returns The list of signers public keys that have signed
+ *    the transaction, excluding the server account ID, given that the threshold
+ *    was met.
+ * @throws {module:WebAuth.InvalidChallengeError} Will throw if the collective
+ *    weight of the transaction's signers does not meet the necessary threshold
+ *    to verify this transaction.
+ * @see {@link https://stellar.org/protocol/sep-10 | SEP-10: Stellar Web Auth}
+ * @example
+ * import { Networks, TransactionBuilder, WebAuth } from 'stellar-sdk';
+ *
+ * const serverKP = Keypair.random();
+ * const clientKP1 = Keypair.random();
+ * const clientKP2 = Keypair.random();
+ *
+ * // Challenge, possibly built in the server side
+ * const challenge = WebAuth.buildChallengeTx(
+ *   serverKP,
+ *   clientKP1.publicKey(),
+ *   "SDF",
+ *   300,
+ *   Networks.TESTNET
+ * );
+ *
+ * // clock.tick(200);  // Simulates a 200 ms delay when communicating from server to client
+ *
+ * // Transaction gathered from a challenge, possibly from the client side
+ * const transaction = TransactionBuilder.fromXDR(challenge, Networks.TESTNET);
+ * transaction.sign(clientKP1, clientKP2);
+ * const signedChallenge = transaction
+ *         .toEnvelope()
+ *         .toXDR("base64")
+ *         .toString();
+ *
+ * // Defining the threshold and signerSummary
+ * const threshold = 3;
+ * const signerSummary = [
+ *    {
+ *      key: this.clientKP1.publicKey(),
+ *      weight: 1,
+ *    },
+ *    {
+ *      key: this.clientKP2.publicKey(),
+ *      weight: 2,
+ *    },
+ *  ];
+ *
+ * // The result below should be equal to [clientKP1.publicKey(), clientKP2.publicKey()]
+ * WebAuth.verifyChallengeTxThreshold(
+ *    signedChallenge,
+ *    serverKP.publicKey(),
+ *    Networks.TESTNET,
+ *    threshold,
+ *    signerSummary
+ * );
+ */
+export declare function verifyChallengeTxThreshold(challengeTx: string, serverAccountID: string, networkPassphrase: string, threshold: number, signerSummary: ServerApi.AccountRecordSigners[], homeDomains: string | string[], webAuthDomain: string): string[];

package/lib/webauth/challenge_transaction.js

@@ -0,0 +1,307 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.buildChallengeTx = buildChallengeTx;
+exports.readChallengeTx = readChallengeTx;
+exports.verifyChallengeTxSigners = verifyChallengeTxSigners;
+exports.verifyChallengeTxThreshold = verifyChallengeTxThreshold;
+var _stellarBase = require("@stellar/stellar-base");
+var _randombytes = _interopRequireDefault(require("randombytes"));
+var _errors = require("./errors");
+var _utils = require("./utils");
+var _utils2 = require("../utils");
+function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
+function _toConsumableArray(r) { return _arrayWithoutHoles(r) || _iterableToArray(r) || _unsupportedIterableToArray(r) || _nonIterableSpread(); }
+function _nonIterableSpread() { throw new TypeError("Invalid attempt to spread non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
+function _arrayWithoutHoles(r) { if (Array.isArray(r)) return _arrayLikeToArray(r); }
+function _createForOfIteratorHelper(r, e) { var t = "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (!t) { if (Array.isArray(r) || (t = _unsupportedIterableToArray(r)) || e && r && "number" == typeof r.length) { t && (r = t); var _n = 0, F = function F() {}; return { s: F, n: function n() { return _n >= r.length ? { done: !0 } : { done: !1, value: r[_n++] }; }, e: function e(r) { throw r; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var o, a = !0, u = !1; return { s: function s() { t = t.call(r); }, n: function n() { var r = t.next(); return a = r.done, r; }, e: function e(r) { u = !0, o = r; }, f: function f() { try { a || null == t.return || t.return(); } finally { if (u) throw o; } } }; }
+function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (o) { return typeof o; } : function (o) { return o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype ? "symbol" : typeof o; }, _typeof(o); }
+function _toArray(r) { return _arrayWithHoles(r) || _iterableToArray(r) || _unsupportedIterableToArray(r) || _nonIterableRest(); }
+function _nonIterableRest() { throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
+function _unsupportedIterableToArray(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray(r, a) : void 0; } }
+function _arrayLikeToArray(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
+function _iterableToArray(r) { if ("undefined" != typeof Symbol && null != r[Symbol.iterator] || null != r["@@iterator"]) return Array.from(r); }
+function _arrayWithHoles(r) { if (Array.isArray(r)) return r; }
+function buildChallengeTx(serverKeypair, clientAccountID, homeDomain) {
+  var timeout = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : 300;
+  var networkPassphrase = arguments.length > 4 ? arguments[4] : undefined;
+  var webAuthDomain = arguments.length > 5 ? arguments[5] : undefined;
+  var memo = arguments.length > 6 && arguments[6] !== undefined ? arguments[6] : null;
+  var clientDomain = arguments.length > 7 && arguments[7] !== undefined ? arguments[7] : null;
+  var clientSigningKey = arguments.length > 8 && arguments[8] !== undefined ? arguments[8] : null;
+  if (clientAccountID.startsWith("M") && memo) {
+    throw Error("memo cannot be used if clientAccountID is a muxed account");
+  }
+  var account = new _stellarBase.Account(serverKeypair.publicKey(), "-1");
+  var now = Math.floor(Date.now() / 1000);
+  var value = (0, _randombytes.default)(48).toString("base64");
+  var builder = new _stellarBase.TransactionBuilder(account, {
+    fee: _stellarBase.BASE_FEE,
+    networkPassphrase: networkPassphrase,
+    timebounds: {
+      minTime: now,
+      maxTime: now + timeout
+    }
+  }).addOperation(_stellarBase.Operation.manageData({
+    name: "".concat(homeDomain, " auth"),
+    value: value,
+    source: clientAccountID
+  })).addOperation(_stellarBase.Operation.manageData({
+    name: "web_auth_domain",
+    value: webAuthDomain,
+    source: account.accountId()
+  }));
+  if (clientDomain) {
+    if (!clientSigningKey) {
+      throw Error("clientSigningKey is required if clientDomain is provided");
+    }
+    builder.addOperation(_stellarBase.Operation.manageData({
+      name: "client_domain",
+      value: clientDomain,
+      source: clientSigningKey
+    }));
+  }
+  if (memo) {
+    builder.addMemo(_stellarBase.Memo.id(memo));
+  }
+  var transaction = builder.build();
+  transaction.sign(serverKeypair);
+  return transaction.toEnvelope().toXDR("base64").toString();
+}
+function readChallengeTx(challengeTx, serverAccountID, networkPassphrase, homeDomains, webAuthDomain) {
+  var _transaction$timeBoun;
+  if (serverAccountID.startsWith("M")) {
+    throw Error("Invalid serverAccountID: multiplexed accounts are not supported.");
+  }
+  var transaction;
+  try {
+    transaction = new _stellarBase.Transaction(challengeTx, networkPassphrase);
+  } catch (_unused) {
+    try {
+      transaction = new _stellarBase.FeeBumpTransaction(challengeTx, networkPassphrase);
+    } catch (_unused2) {
+      throw new _errors.InvalidChallengeError("Invalid challenge: unable to deserialize challengeTx transaction string");
+    }
+    throw new _errors.InvalidChallengeError("Invalid challenge: expected a Transaction but received a FeeBumpTransaction");
+  }
+  var sequence = Number.parseInt(transaction.sequence, 10);
+  if (sequence !== 0) {
+    throw new _errors.InvalidChallengeError("The transaction sequence number should be zero");
+  }
+  if (transaction.source !== serverAccountID) {
+    throw new _errors.InvalidChallengeError("The transaction source account is not equal to the server's account");
+  }
+  if (transaction.operations.length < 1) {
+    throw new _errors.InvalidChallengeError("The transaction should contain at least one operation");
+  }
+  var _transaction$operatio = _toArray(transaction.operations),
+    operation = _transaction$operatio[0],
+    subsequentOperations = _transaction$operatio.slice(1);
+  if (!operation.source) {
+    throw new _errors.InvalidChallengeError("The transaction's operation should contain a source account");
+  }
+  var clientAccountID = operation.source;
+  var memo = null;
+  if (transaction.memo.type !== _stellarBase.MemoNone) {
+    if (clientAccountID.startsWith("M")) {
+      throw new _errors.InvalidChallengeError("The transaction has a memo but the client account ID is a muxed account");
+    }
+    if (transaction.memo.type !== _stellarBase.MemoID) {
+      throw new _errors.InvalidChallengeError("The transaction's memo must be of type `id`");
+    }
+    memo = transaction.memo.value;
+  }
+  if (operation.type !== "manageData") {
+    throw new _errors.InvalidChallengeError("The transaction's operation type should be 'manageData'");
+  }
+  if (transaction.timeBounds && Number.parseInt((_transaction$timeBoun = transaction.timeBounds) === null || _transaction$timeBoun === void 0 ? void 0 : _transaction$timeBoun.maxTime, 10) === _stellarBase.TimeoutInfinite) {
+    throw new _errors.InvalidChallengeError("The transaction requires non-infinite timebounds");
+  }
+  if (!_utils2.Utils.validateTimebounds(transaction, 60 * 5)) {
+    throw new _errors.InvalidChallengeError("The transaction has expired");
+  }
+  if (operation.value === undefined) {
+    throw new _errors.InvalidChallengeError("The transaction's operation values should not be null");
+  }
+  if (!operation.value) {
+    throw new _errors.InvalidChallengeError("The transaction's operation value should not be null");
+  }
+  if (Buffer.from(operation.value.toString(), "base64").length !== 48) {
+    throw new _errors.InvalidChallengeError("The transaction's operation value should be a 64 bytes base64 random string");
+  }
+  if (!homeDomains) {
+    throw new _errors.InvalidChallengeError("Invalid homeDomains: a home domain must be provided for verification");
+  }
+  var matchedHomeDomain;
+  if (typeof homeDomains === "string") {
+    if ("".concat(homeDomains, " auth") === operation.name) {
+      matchedHomeDomain = homeDomains;
+    }
+  } else if (Array.isArray(homeDomains)) {
+    matchedHomeDomain = homeDomains.find(function (domain) {
+      return "".concat(domain, " auth") === operation.name;
+    });
+  } else {
+    throw new _errors.InvalidChallengeError("Invalid homeDomains: homeDomains type is ".concat(_typeof(homeDomains), " but should be a string or an array"));
+  }
+  if (!matchedHomeDomain) {
+    throw new _errors.InvalidChallengeError("Invalid homeDomains: the transaction's operation key name does not match the expected home domain");
+  }
+  var _iterator = _createForOfIteratorHelper(subsequentOperations),
+    _step;
+  try {
+    for (_iterator.s(); !(_step = _iterator.n()).done;) {
+      var op = _step.value;
+      if (op.type !== "manageData") {
+        throw new _errors.InvalidChallengeError("The transaction has operations that are not of type 'manageData'");
+      }
+      if (op.source !== serverAccountID && op.name !== "client_domain") {
+        throw new _errors.InvalidChallengeError("The transaction has operations that are unrecognized");
+      }
+      if (op.name === "web_auth_domain") {
+        if (op.value === undefined) {
+          throw new _errors.InvalidChallengeError("'web_auth_domain' operation value should not be null");
+        }
+        if (op.value.compare(Buffer.from(webAuthDomain))) {
+          throw new _errors.InvalidChallengeError("'web_auth_domain' operation value does not match ".concat(webAuthDomain));
+        }
+      }
+    }
+  } catch (err) {
+    _iterator.e(err);
+  } finally {
+    _iterator.f();
+  }
+  if (!(0, _utils.verifyTxSignedBy)(transaction, serverAccountID)) {
+    throw new _errors.InvalidChallengeError("Transaction not signed by server: '".concat(serverAccountID, "'"));
+  }
+  return {
+    tx: transaction,
+    clientAccountID: clientAccountID,
+    matchedHomeDomain: matchedHomeDomain,
+    memo: memo
+  };
+}
+function verifyChallengeTxSigners(challengeTx, serverAccountID, networkPassphrase, signers, homeDomains, webAuthDomain) {
+  var _readChallengeTx = readChallengeTx(challengeTx, serverAccountID, networkPassphrase, homeDomains, webAuthDomain),
+    tx = _readChallengeTx.tx;
+  var serverKP;
+  try {
+    serverKP = _stellarBase.Keypair.fromPublicKey(serverAccountID);
+  } catch (err) {
+    throw new Error("Couldn't infer keypair from the provided 'serverAccountID': ".concat(err.message));
+  }
+  var clientSigners = new Set();
+  var _iterator2 = _createForOfIteratorHelper(signers),
+    _step2;
+  try {
+    for (_iterator2.s(); !(_step2 = _iterator2.n()).done;) {
+      var signer = _step2.value;
+      if (signer === serverKP.publicKey()) {
+        continue;
+      }
+      if (signer.charAt(0) !== "G") {
+        continue;
+      }
+      clientSigners.add(signer);
+    }
+  } catch (err) {
+    _iterator2.e(err);
+  } finally {
+    _iterator2.f();
+  }
+  if (clientSigners.size === 0) {
+    throw new _errors.InvalidChallengeError("No verifiable client signers provided, at least one G... address must be provided");
+  }
+  var clientSigningKey;
+  var _iterator3 = _createForOfIteratorHelper(tx.operations),
+    _step3;
+  try {
+    for (_iterator3.s(); !(_step3 = _iterator3.n()).done;) {
+      var op = _step3.value;
+      if (op.type === "manageData" && op.name === "client_domain") {
+        if (clientSigningKey) {
+          throw new _errors.InvalidChallengeError("Found more than one client_domain operation");
+        }
+        clientSigningKey = op.source;
+      }
+    }
+  } catch (err) {
+    _iterator3.e(err);
+  } finally {
+    _iterator3.f();
+  }
+  var allSigners = [serverKP.publicKey()].concat(_toConsumableArray(Array.from(clientSigners)));
+  if (clientSigningKey) {
+    allSigners.push(clientSigningKey);
+  }
+  var signersFound = (0, _utils.gatherTxSigners)(tx, allSigners);
+  var serverSignatureFound = false;
+  var clientSigningKeySignatureFound = false;
+  var _iterator4 = _createForOfIteratorHelper(signersFound),
+    _step4;
+  try {
+    for (_iterator4.s(); !(_step4 = _iterator4.n()).done;) {
+      var _signer = _step4.value;
+      if (_signer === serverKP.publicKey()) {
+        serverSignatureFound = true;
+      }
+      if (_signer === clientSigningKey) {
+        clientSigningKeySignatureFound = true;
+      }
+    }
+  } catch (err) {
+    _iterator4.e(err);
+  } finally {
+    _iterator4.f();
+  }
+  if (!serverSignatureFound) {
+    throw new _errors.InvalidChallengeError("Transaction not signed by server: '".concat(serverKP.publicKey(), "'"));
+  }
+  if (clientSigningKey && !clientSigningKeySignatureFound) {
+    throw new _errors.InvalidChallengeError("Transaction not signed by the source account of the 'client_domain' " + "ManageData operation");
+  }
+  if (signersFound.length === 1) {
+    throw new _errors.InvalidChallengeError("None of the given signers match the transaction signatures");
+  }
+  if (signersFound.length !== tx.signatures.length) {
+    throw new _errors.InvalidChallengeError("Transaction has unrecognized signatures");
+  }
+  signersFound.splice(signersFound.indexOf(serverKP.publicKey()), 1);
+  if (clientSigningKey) {
+    signersFound.splice(signersFound.indexOf(clientSigningKey), 1);
+  }
+  return signersFound;
+}
+function verifyChallengeTxThreshold(challengeTx, serverAccountID, networkPassphrase, threshold, signerSummary, homeDomains, webAuthDomain) {
+  var signers = signerSummary.map(function (signer) {
+    return signer.key;
+  });
+  var signersFound = verifyChallengeTxSigners(challengeTx, serverAccountID, networkPassphrase, signers, homeDomains, webAuthDomain);
+  var weight = 0;
+  var _iterator5 = _createForOfIteratorHelper(signersFound),
+    _step5;
+  try {
+    var _loop = function _loop() {
+      var _signerSummary$find;
+      var signer = _step5.value;
+      var sigWeight = ((_signerSummary$find = signerSummary.find(function (s) {
+        return s.key === signer;
+      })) === null || _signerSummary$find === void 0 ? void 0 : _signerSummary$find.weight) || 0;
+      weight += sigWeight;
+    };
+    for (_iterator5.s(); !(_step5 = _iterator5.n()).done;) {
+      _loop();
+    }
+  } catch (err) {
+    _iterator5.e(err);
+  } finally {
+    _iterator5.f();
+  }
+  if (weight < threshold) {
+    throw new _errors.InvalidChallengeError("signers with weight ".concat(weight, " do not meet threshold ").concat(threshold, "\""));
+  }
+  return signersFound;
+}

package/lib/webauth/index.d.ts

@@ -1,2 +1,3 @@
 export * from "./utils";
 export { InvalidChallengeError } from "./errors";
+export * from "./challenge_transaction";

package/lib/webauth/index.js

@@ -24,4 +24,16 @@ Object.keys(_utils).forEach(function (key) {
     }
   });
 });
-var _errors = require("./errors");
+var _errors = require("./errors");
+var _challenge_transaction = require("./challenge_transaction");
+Object.keys(_challenge_transaction).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (Object.prototype.hasOwnProperty.call(_exportNames, key)) return;
+  if (key in exports && exports[key] === _challenge_transaction[key]) return;
+  Object.defineProperty(exports, key, {
+    enumerable: true,
+    get: function get() {
+      return _challenge_transaction[key];
+    }
+  });
+});