@t402/extensions 2.0.0 → 2.3.0

package/dist/cjs/index.js

@@ -31,15 +31,29 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var src_exports = {};
 __export(src_exports, {
   BAZAAR: () => BAZAAR,
+  SIWX_EXTENSION_KEY: () => SIWX_EXTENSION_KEY,
+  SIWX_HEADER_NAME: () => SIWX_HEADER_NAME,
   bazaarResourceServerExtension: () => bazaarResourceServerExtension,
+  constructMessage: () => constructMessage,
+  createSIWxMessage: () => createSIWxMessage,
+  createSIWxPayload: () => createSIWxPayload,
+  createSIWxTypedData: () => createSIWxTypedData,
   declareDiscoveryExtension: () => declareDiscoveryExtension,
+  declareSIWxExtension: () => declareSIWxExtension,
+  encodeSIWxHeader: () => encodeSIWxHeader,
   extractDiscoveryInfo: () => extractDiscoveryInfo,
   extractDiscoveryInfoFromExtension: () => extractDiscoveryInfoFromExtension,
   extractDiscoveryInfoV1: () => extractDiscoveryInfoV1,
   extractResourceMetadataV1: () => extractResourceMetadataV1,
+  hashMessage: () => hashMessage,
   isDiscoverableV1: () => isDiscoverableV1,
+  parseSIWxHeader: () => parseSIWxHeader,
+  signSIWxMessage: () => signSIWxMessage,
   validateAndExtract: () => validateAndExtract,
   validateDiscoveryExtension: () => validateDiscoveryExtension,
+  validateSIWxMessage: () => validateSIWxMessage,
+  verifyEIP6492Signature: () => verifyEIP6492Signature,
+  verifySIWxSignature: () => verifySIWxSignature,
   withBazaar: () => withBazaar
 });
 module.exports = __toCommonJS(src_exports);
@@ -474,18 +488,428 @@ function withBazaar(client) {
   };
   return extended;
 }
+
+// src/sign-in-with-x/server.ts
+var import_crypto = require("crypto");
+var import_sha3 = require("@noble/hashes/sha3");
+var import_secp256k1 = require("@noble/curves/secp256k1");
+var import_utils = require("@noble/hashes/utils");
+var SIWX_SCHEMA = {
+  type: "object",
+  required: ["domain", "address", "uri", "version", "chainId", "nonce", "issuedAt", "signature"],
+  properties: {
+    domain: { type: "string" },
+    address: { type: "string" },
+    statement: { type: "string" },
+    uri: { type: "string" },
+    version: { type: "string" },
+    chainId: { type: "string" },
+    nonce: { type: "string" },
+    issuedAt: { type: "string", format: "date-time" },
+    expirationTime: { type: "string", format: "date-time" },
+    notBefore: { type: "string", format: "date-time" },
+    requestId: { type: "string" },
+    resources: { type: "array", items: { type: "string" } },
+    signature: { type: "string" }
+  }
+};
+var EIP1271_MAGIC_VALUE = "0x1626ba7e";
+function extractDomain(resourceUri) {
+  try {
+    const url = new URL(resourceUri);
+    return url.host;
+  } catch {
+    return resourceUri.replace(/^https?:\/\//, "").split("/")[0];
+  }
+}
+function generateNonce() {
+  return (0, import_crypto.randomBytes)(16).toString("hex");
+}
+function declareSIWxExtension(options) {
+  const domain = extractDomain(options.resourceUri);
+  const now = /* @__PURE__ */ new Date();
+  const expirationTime = options.expirationTime || new Date(now.getTime() + 5 * 60 * 1e3).toISOString();
+  const info = {
+    domain,
+    uri: options.resourceUri,
+    statement: options.statement,
+    version: options.version || "1",
+    chainId: options.network,
+    nonce: generateNonce(),
+    issuedAt: now.toISOString(),
+    expirationTime,
+    resources: [options.resourceUri],
+    signatureScheme: options.signatureScheme
+  };
+  return {
+    info,
+    schema: SIWX_SCHEMA
+  };
+}
+function parseSIWxHeader(header) {
+  if (!header) {
+    throw new Error("Missing SIWx header");
+  }
+  try {
+    const decoded = Buffer.from(header, "base64").toString("utf-8");
+    const payload = JSON.parse(decoded);
+    const required = [
+      "domain",
+      "address",
+      "uri",
+      "version",
+      "chainId",
+      "nonce",
+      "issuedAt",
+      "signature"
+    ];
+    for (const field of required) {
+      if (!(field in payload)) {
+        throw new Error(`Missing required field: ${field}`);
+      }
+    }
+    return payload;
+  } catch (error) {
+    if (error instanceof SyntaxError) {
+      throw new Error("Invalid SIWx header: malformed JSON");
+    }
+    throw error;
+  }
+}
+function validateSIWxMessage(message, expectedResourceUri, options = {}) {
+  const { maxAge = 5 * 60 * 1e3, checkNonce } = options;
+  const expectedDomain = extractDomain(expectedResourceUri);
+  if (message.domain !== expectedDomain) {
+    return {
+      valid: false,
+      error: `Domain mismatch: expected ${expectedDomain}, got ${message.domain}`
+    };
+  }
+  if (message.uri !== expectedResourceUri) {
+    return {
+      valid: false,
+      error: `URI mismatch: expected ${expectedResourceUri}, got ${message.uri}`
+    };
+  }
+  if (message.version !== "1") {
+    return { valid: false, error: `Unsupported version: ${message.version}` };
+  }
+  const issuedAt = new Date(message.issuedAt);
+  const now = /* @__PURE__ */ new Date();
+  if (now.getTime() - issuedAt.getTime() > maxAge) {
+    return { valid: false, error: "Message has expired (issuedAt too old)" };
+  }
+  if (message.expirationTime) {
+    const expiration = new Date(message.expirationTime);
+    if (expiration < now) {
+      return { valid: false, error: "Message has expired" };
+    }
+  }
+  if (message.notBefore) {
+    const notBefore = new Date(message.notBefore);
+    if (notBefore > now) {
+      return { valid: false, error: "Message not yet valid (notBefore in future)" };
+    }
+  }
+  if (checkNonce && !checkNonce(message.nonce)) {
+    return { valid: false, error: "Invalid nonce (replay attack detected)" };
+  }
+  return { valid: true };
+}
+async function verifySIWxSignature(message, signature, options = {}) {
+  const { checkSmartWallet = false } = options;
+  try {
+    const messageText = constructMessage(message);
+    const messageHash = hashMessage(messageText);
+    const recoveredAddress = recoverAddress(messageHash, signature);
+    if (recoveredAddress.toLowerCase() !== message.address.toLowerCase()) {
+      if (checkSmartWallet && options.provider) {
+        const isValidSmartWallet = await verifySmartWalletSignature(
+          message.address,
+          messageHash,
+          signature,
+          options.provider
+        );
+        if (isValidSmartWallet) {
+          return { valid: true, address: message.address };
+        }
+      }
+      return {
+        valid: false,
+        address: recoveredAddress,
+        error: `Signature mismatch: expected ${message.address}, recovered ${recoveredAddress}`
+      };
+    }
+    return { valid: true, address: recoveredAddress };
+  } catch (error) {
+    return {
+      valid: false,
+      error: `Signature verification failed: ${error instanceof Error ? error.message : "unknown error"}`
+    };
+  }
+}
+function constructMessage(payload) {
+  const lines = [];
+  lines.push(`${payload.domain} wants you to sign in with your ${payload.chainId} account:`);
+  lines.push(payload.address);
+  lines.push("");
+  if (payload.statement) {
+    lines.push(payload.statement);
+    lines.push("");
+  }
+  lines.push(`URI: ${payload.uri}`);
+  lines.push(`Version: ${payload.version}`);
+  lines.push(`Chain ID: ${payload.chainId}`);
+  lines.push(`Nonce: ${payload.nonce}`);
+  lines.push(`Issued At: ${payload.issuedAt}`);
+  if (payload.expirationTime) {
+    lines.push(`Expiration Time: ${payload.expirationTime}`);
+  }
+  if (payload.notBefore) {
+    lines.push(`Not Before: ${payload.notBefore}`);
+  }
+  if (payload.requestId) {
+    lines.push(`Request ID: ${payload.requestId}`);
+  }
+  if (payload.resources && payload.resources.length > 0) {
+    lines.push("Resources:");
+    for (const resource of payload.resources) {
+      lines.push(`- ${resource}`);
+    }
+  }
+  return lines.join("\n");
+}
+function hashMessage(message) {
+  const messageBytes = new TextEncoder().encode(message);
+  const prefix = `Ethereum Signed Message:
+${messageBytes.length}`;
+  const prefixBytes = new TextEncoder().encode(prefix);
+  const combined = new Uint8Array(prefixBytes.length + messageBytes.length);
+  combined.set(prefixBytes, 0);
+  combined.set(messageBytes, prefixBytes.length);
+  const hash = (0, import_sha3.keccak_256)(combined);
+  return "0x" + (0, import_utils.bytesToHex)(hash);
+}
+function recoverAddress(messageHash, signature) {
+  const sigHex = signature.startsWith("0x") ? signature.slice(2) : signature;
+  const hashHex = messageHash.startsWith("0x") ? messageHash.slice(2) : messageHash;
+  if (sigHex.length !== 130) {
+    throw new Error(`Invalid signature length: expected 130 hex chars, got ${sigHex.length}`);
+  }
+  const r = BigInt("0x" + sigHex.slice(0, 64));
+  const s = BigInt("0x" + sigHex.slice(64, 128));
+  let v = parseInt(sigHex.slice(128, 130), 16);
+  if (v >= 27) {
+    v -= 27;
+  }
+  if (v !== 0 && v !== 1) {
+    throw new Error(`Invalid recovery id: ${v}`);
+  }
+  const sig = new import_secp256k1.secp256k1.Signature(r, s).addRecoveryBit(v);
+  const hashBytes = (0, import_utils.hexToBytes)(hashHex);
+  const publicKey = sig.recoverPublicKey(hashBytes);
+  const pubKeyBytes = publicKey.toRawBytes(false).slice(1);
+  const addressHash = (0, import_sha3.keccak_256)(pubKeyBytes);
+  const addressBytes = addressHash.slice(-20);
+  const address = "0x" + (0, import_utils.bytesToHex)(addressBytes);
+  return toChecksumAddress(address);
+}
+function toChecksumAddress(address) {
+  const addr = address.toLowerCase().replace("0x", "");
+  const hash = (0, import_utils.bytesToHex)((0, import_sha3.keccak_256)(new TextEncoder().encode(addr)));
+  let checksummed = "0x";
+  for (let i = 0; i < 40; i++) {
+    if (parseInt(hash[i], 16) >= 8) {
+      checksummed += addr[i].toUpperCase();
+    } else {
+      checksummed += addr[i];
+    }
+  }
+  return checksummed;
+}
+async function verifySmartWalletSignature(walletAddress, messageHash, signature, provider) {
+  function isEthProvider(p) {
+    return typeof p === "object" && p !== null && "request" in p;
+  }
+  if (!isEthProvider(provider)) {
+    return false;
+  }
+  try {
+    const hashHex = messageHash.startsWith("0x") ? messageHash : "0x" + messageHash;
+    const sigHex = signature.startsWith("0x") ? signature : "0x" + signature;
+    const data = "0x1626ba7e" + hashHex.slice(2).padStart(64, "0") + // bytes32 hash
+    "0000000000000000000000000000000000000000000000000000000000000040" + // offset to bytes
+    (sigHex.length / 2 - 1).toString(16).padStart(64, "0") + // bytes length
+    sigHex.slice(2).padEnd(Math.ceil((sigHex.length - 2) / 64) * 64, "0");
+    const result = await provider.request({
+      method: "eth_call",
+      params: [{ to: walletAddress, data }, "latest"]
+    });
+    return result.toLowerCase().startsWith(EIP1271_MAGIC_VALUE);
+  } catch {
+    return false;
+  }
+}
+async function verifyEIP6492Signature(walletAddress, messageHash, signature, provider) {
+  const EIP6492_SUFFIX = "6492649264926492649264926492649264926492649264926492649264926492";
+  const sigHex = signature.startsWith("0x") ? signature.slice(2) : signature;
+  if (sigHex.endsWith(EIP6492_SUFFIX)) {
+    console.warn("EIP-6492 deployment signatures not yet fully implemented");
+    return false;
+  }
+  return verifySmartWalletSignature(walletAddress, messageHash, signature, provider);
+}
+
+// src/sign-in-with-x/client.ts
+function encodeSIWxHeader(payload) {
+  const json = JSON.stringify(payload);
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(json, "utf-8").toString("base64");
+  }
+  return btoa(json);
+}
+function createSIWxMessage(serverInfo, address) {
+  const payload = {
+    domain: serverInfo.domain,
+    address,
+    statement: serverInfo.statement,
+    uri: serverInfo.uri,
+    version: serverInfo.version,
+    chainId: serverInfo.chainId,
+    nonce: serverInfo.nonce,
+    issuedAt: serverInfo.issuedAt,
+    expirationTime: serverInfo.expirationTime,
+    notBefore: serverInfo.notBefore,
+    requestId: serverInfo.requestId,
+    resources: serverInfo.resources,
+    signature: ""
+    // Will be added after signing
+  };
+  return constructMessage(payload);
+}
+function createSIWxTypedData(serverInfo, address) {
+  const chainIdParts = serverInfo.chainId.split(":");
+  const chainIdNum = chainIdParts.length > 1 ? parseInt(chainIdParts[1], 10) : parseInt(chainIdParts[0], 10);
+  return {
+    domain: {
+      name: serverInfo.domain,
+      version: serverInfo.version,
+      chainId: chainIdNum
+    },
+    types: {
+      SIWx: [
+        { name: "domain", type: "string" },
+        { name: "address", type: "address" },
+        { name: "statement", type: "string" },
+        { name: "uri", type: "string" },
+        { name: "version", type: "string" },
+        { name: "chainId", type: "string" },
+        { name: "nonce", type: "string" },
+        { name: "issuedAt", type: "string" },
+        { name: "expirationTime", type: "string" },
+        { name: "resources", type: "string[]" }
+      ]
+    },
+    primaryType: "SIWx",
+    message: {
+      domain: serverInfo.domain,
+      address,
+      statement: serverInfo.statement || "",
+      uri: serverInfo.uri,
+      version: serverInfo.version,
+      chainId: serverInfo.chainId,
+      nonce: serverInfo.nonce,
+      issuedAt: serverInfo.issuedAt,
+      expirationTime: serverInfo.expirationTime || "",
+      resources: serverInfo.resources || []
+    }
+  };
+}
+async function signSIWxMessage(message, signer, options) {
+  const scheme = options?.signatureScheme || "eip191";
+  switch (scheme) {
+    case "eip191":
+      if (!signer.signMessage) {
+        throw new Error("Signer does not support personal_sign (EIP-191)");
+      }
+      return signer.signMessage(message);
+    case "eip712":
+      if (!signer.signTypedData) {
+        throw new Error("Signer does not support signTypedData (EIP-712)");
+      }
+      if (!options?.serverInfo) {
+        throw new Error("EIP-712 signing requires serverInfo in options");
+      }
+      const typedData = createSIWxTypedData(options.serverInfo, signer.address);
+      return signer.signTypedData(typedData);
+    case "eip1271":
+    case "eip6492":
+      if (!signer.signMessage) {
+        throw new Error("Signer does not support signing");
+      }
+      return signer.signMessage(message);
+    case "siws":
+      if (!signer.signMessage) {
+        throw new Error("Signer does not support signing");
+      }
+      return signer.signMessage(message);
+    case "sep10":
+      throw new Error("Stellar SEP-10 signing not yet implemented");
+    default:
+      throw new Error(`Unknown signature scheme: ${scheme}`);
+  }
+}
+async function createSIWxPayload(serverExtension, signer) {
+  const { info } = serverExtension;
+  const message = createSIWxMessage(info, signer.address);
+  const signature = await signSIWxMessage(message, signer, {
+    signatureScheme: info.signatureScheme,
+    serverInfo: info
+  });
+  return {
+    domain: info.domain,
+    address: signer.address,
+    statement: info.statement,
+    uri: info.uri,
+    version: info.version,
+    chainId: info.chainId,
+    nonce: info.nonce,
+    issuedAt: info.issuedAt,
+    expirationTime: info.expirationTime,
+    notBefore: info.notBefore,
+    requestId: info.requestId,
+    resources: info.resources,
+    signature
+  };
+}
+var SIWX_EXTENSION_KEY = "siwx";
+var SIWX_HEADER_NAME = "X-T402-SIWx";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BAZAAR,
+  SIWX_EXTENSION_KEY,
+  SIWX_HEADER_NAME,
   bazaarResourceServerExtension,
+  constructMessage,
+  createSIWxMessage,
+  createSIWxPayload,
+  createSIWxTypedData,
   declareDiscoveryExtension,
+  declareSIWxExtension,
+  encodeSIWxHeader,
   extractDiscoveryInfo,
   extractDiscoveryInfoFromExtension,
   extractDiscoveryInfoV1,
   extractResourceMetadataV1,
+  hashMessage,
   isDiscoverableV1,
+  parseSIWxHeader,
+  signSIWxMessage,
   validateAndExtract,
   validateDiscoveryExtension,
+  validateSIWxMessage,
+  verifyEIP6492Signature,
+  verifySIWxSignature,
   withBazaar
 });
 //# sourceMappingURL=index.js.map