npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/esm/react/sdk/src/core/TatchiPasskey/login.js DELETED Viewed

@@ -1,569 +0,0 @@
-import { __esm } from "../../../../_virtual/rolldown_runtime.js";
-import { IndexedDBManager, init_IndexedDBManager } from "../IndexedDBManager/index.js";
-import { createRandomVRFChallenge, init_vrf_worker } from "../types/vrf-worker.js";
-import { getUserFriendlyErrorMessage, init_errors } from "../../utils/errors.js";
-import { authenticatorsToAllowCredentials, init_touchIdPrompt } from "../WebAuthnManager/touchIdPrompt.js";
-import { LoginPhase, LoginStatus, init_sdkSentEvents } from "../types/sdkSentEvents.js";
-import { init_rpcCalls, verifyAuthenticationResponse } from "../rpcCalls.js";
-//#region src/core/TatchiPasskey/login.ts
-/**
-* Core login function that handles passkey authentication without React dependencies.
-*
-* - Unlocks the VRF keypair (Shamir 3‑pass auto‑unlock when possible; falls back to TouchID).
-* - Updates local login state and returns success with account/public key info.
-* - Optional: mints a server session when `options.session` is provided.
-*   - Generates a fresh, chain‑anchored VRF challenge (using latest block).
-*   - Collects a WebAuthn assertion over the VRF output and posts to the relay route
-*     (defaults to `/verify-authentication-response`).
-*   - When `kind: 'jwt'`, returns the token in `result.jwt`.
-*   - When `kind: 'cookie'`, the server sets an HttpOnly cookie and no JWT is returned.
-*/
-async function loginAndCreateSession(context, nearAccountId, options) {
-	const { onEvent, onError, afterCall } = options || {};
-	const { webAuthnManager } = context;
-	onEvent?.({
-		step: 1,
-		phase: LoginPhase.STEP_1_PREPARATION,
-		status: LoginStatus.PROGRESS,
-		message: `Starting login for ${nearAccountId}`
-	});
-	const prevStatus = await webAuthnManager.checkVrfStatus();
-	const prevVrfAccountId = prevStatus?.active ? prevStatus.nearAccountId : null;
-	const rollbackVrfOnFailure = async () => {
-		const status = await webAuthnManager.checkVrfStatus();
-		const current = status?.active ? status.nearAccountId : null;
-		if (current && current !== prevVrfAccountId) await logoutAndClearSession(context);
-	};
-	try {
-		if (!window.isSecureContext) {
-			const errorMessage = "Passkey operations require a secure context (HTTPS or localhost).";
-			const error = new Error(errorMessage);
-			onError?.(error);
-			onEvent?.({
-				step: 0,
-				phase: LoginPhase.LOGIN_ERROR,
-				status: LoginStatus.ERROR,
-				message: errorMessage,
-				error: errorMessage
-			});
-			const result = {
-				success: false,
-				error: errorMessage
-			};
-			return result;
-		}
-		const wantsSession = options?.session?.kind == "jwt" || options?.session?.kind == "cookie";
-		const base = await handleLoginUnlockVRF(context, nearAccountId, onEvent, onError, afterCall, true);
-		if (!base.result.success) return base.result;
-		const attachSigningSession = async (result) => {
-			if (!result?.success) return result;
-			try {
-				const signingSession = await webAuthnManager.getWarmSigningSessionStatus(nearAccountId);
-				return {
-					...result,
-					signingSession
-				};
-			} catch {
-				return result;
-			}
-		};
-		const ttlMsDefault = context.configs.signingSessionDefaults.ttlMs;
-		const remainingUsesDefault = context.configs.signingSessionDefaults.remainingUses;
-		const ttlMs = options?.signingSession?.ttlMs ?? ttlMsDefault;
-		const remainingUses = options?.signingSession?.remainingUses ?? remainingUsesDefault;
-		if (wantsSession) {
-			const { kind, relayUrl: relayUrlOverride, route: routeOverride } = options.session;
-			const relayUrl = (relayUrlOverride || context.configs.relayer.url).trim();
-			const route = (routeOverride || "/verify-authentication-response").trim();
-			if (!relayUrl) {
-				console.warn("No relayUrl provided for session");
-				await mintWarmSigningSession({
-					context,
-					nearAccountId,
-					onEvent,
-					credential: base.unlockCredential,
-					ttlMs,
-					remainingUses
-				});
-				const finalResult$1 = await attachSigningSession(base.result);
-				onEvent?.({
-					step: 4,
-					phase: LoginPhase.STEP_4_LOGIN_COMPLETE,
-					status: LoginStatus.SUCCESS,
-					message: "Login completed successfully",
-					nearAccountId,
-					clientNearPublicKey: base.result?.clientNearPublicKey || ""
-				});
-				await afterCall?.(true, finalResult$1);
-				return finalResult$1;
-			}
-			try {
-				const blockInfo = await context.nearClient.viewBlock({ finality: "final" });
-				const txBlockHash = blockInfo?.header?.hash;
-				const txBlockHeight = String(blockInfo.header?.height ?? "");
-				const vrfChallenge = await webAuthnManager.generateVrfChallengeOnce({
-					userId: nearAccountId,
-					rpId: webAuthnManager.getRpId(),
-					blockHash: txBlockHash,
-					blockHeight: txBlockHeight
-				});
-				const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);
-				const credential = await webAuthnManager.getAuthenticationCredentialsSerialized({
-					nearAccountId,
-					challenge: vrfChallenge,
-					allowCredentials: authenticatorsToAllowCredentials(authenticators)
-				});
-				try {
-					if (authenticators.length > 1) {
-						const rawId = credential.rawId;
-						const matched = authenticators.find((a) => a.credentialId === rawId);
-						if (matched && typeof matched.deviceNumber === "number") await context.webAuthnManager.setLastUser(nearAccountId, matched.deviceNumber);
-					}
-				} catch {}
-				await mintWarmSigningSession({
-					context,
-					nearAccountId,
-					onEvent,
-					credential,
-					ttlMs,
-					remainingUses
-				});
-				const v = await verifyAuthenticationResponse(relayUrl, route, kind, vrfChallenge, credential);
-				if (v.success && v.verified) {
-					const finalResult$1 = await attachSigningSession({
-						...base.result,
-						jwt: v.jwt
-					});
-					onEvent?.({
-						step: 4,
-						phase: LoginPhase.STEP_4_LOGIN_COMPLETE,
-						status: LoginStatus.SUCCESS,
-						message: "Login completed successfully",
-						nearAccountId,
-						clientNearPublicKey: base.result?.clientNearPublicKey || ""
-					});
-					await afterCall?.(true, finalResult$1);
-					return finalResult$1;
-				}
-				const errMsg = v.error || "Session verification failed";
-				await rollbackVrfOnFailure();
-				onEvent?.({
-					step: 0,
-					phase: LoginPhase.LOGIN_ERROR,
-					status: LoginStatus.ERROR,
-					message: errMsg,
-					error: errMsg
-				});
-				await afterCall?.(false);
-				return {
-					success: false,
-					error: errMsg
-				};
-			} catch (e) {
-				console.error("Failed to start session: ", e);
-				const errMsg = getUserFriendlyErrorMessage(e, "login") || e?.message || "Session verification failed";
-				await rollbackVrfOnFailure();
-				onError?.(e);
-				onEvent?.({
-					step: 0,
-					phase: LoginPhase.LOGIN_ERROR,
-					status: LoginStatus.ERROR,
-					message: errMsg,
-					error: errMsg
-				});
-				await afterCall?.(false);
-				return {
-					success: false,
-					error: errMsg
-				};
-			}
-		}
-		await mintWarmSigningSession({
-			context,
-			nearAccountId,
-			onEvent,
-			credential: base.unlockCredential,
-			ttlMs,
-			remainingUses
-		});
-		const finalResult = await attachSigningSession(base.result);
-		onEvent?.({
-			step: 4,
-			phase: LoginPhase.STEP_4_LOGIN_COMPLETE,
-			status: LoginStatus.SUCCESS,
-			message: "Login completed successfully",
-			nearAccountId,
-			clientNearPublicKey: base.result?.clientNearPublicKey || ""
-		});
-		await afterCall?.(true, finalResult);
-		return finalResult;
-	} catch (err) {
-		await rollbackVrfOnFailure();
-		onError?.(err);
-		const errorMessage = getUserFriendlyErrorMessage(err, "login") || err?.message || "Login failed";
-		onEvent?.({
-			step: 0,
-			phase: LoginPhase.LOGIN_ERROR,
-			status: LoginStatus.ERROR,
-			message: errorMessage,
-			error: errorMessage
-		});
-		const result = {
-			success: false,
-			error: errorMessage
-		};
-		afterCall?.(false);
-		return result;
-	}
-}
-/**
-* Mint or refresh a "warm signing session" in the VRF worker.
-*
-* Notes:
-* - Reuses a previously collected WebAuthn credential when provided (e.g. TouchID fallback),
-*   to avoid prompting the user twice in a single login flow.
-* - Session TTL/remainingUses policy is enforced by the VRF worker.
-*/
-async function mintWarmSigningSession(args) {
-	const { context, nearAccountId, onEvent, credential, ttlMs, remainingUses } = args;
-	const { webAuthnManager } = context;
-	onEvent?.({
-		step: 3,
-		phase: LoginPhase.STEP_3_VRF_UNLOCK,
-		status: LoginStatus.PROGRESS,
-		message: "Unlocking warm signing session..."
-	});
-	let effectiveCredential = credential;
-	if (!effectiveCredential) {
-		const challenge = createRandomVRFChallenge();
-		const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);
-		const { authenticatorsForPrompt } = await IndexedDBManager.clientDB.ensureCurrentPasskey(nearAccountId, authenticators);
-		effectiveCredential = await webAuthnManager.getAuthenticationCredentialsSerialized({
-			nearAccountId,
-			challenge,
-			allowCredentials: authenticatorsToAllowCredentials(authenticatorsForPrompt)
-		});
-	}
-	await webAuthnManager.mintSigningSessionFromCredential({
-		nearAccountId,
-		credential: effectiveCredential,
-		ttlMs,
-		remainingUses
-	});
-	onEvent?.({
-		step: 3,
-		phase: LoginPhase.STEP_3_VRF_UNLOCK,
-		status: LoginStatus.SUCCESS,
-		message: "Warm signing session unlocked"
-	});
-}
-/**
-* Handle onchain (serverless) login using VRF flow per docs/vrf_challenges.md
-*
-* VRF AUTHENTICATION FLOW:
-* 1. Unlock VRF keypair in VRF Worker memory, either
-*      - Decrypt via Shamir 3-pass (when Relayer is present), or
-*      - Re-derive the VRF via credentials inside VRF worker dynamically
-* 2. Generate VRF challenge using stored VRF keypair + NEAR block data (no TouchID needed)
-* 3. Use VRF output as WebAuthn challenge for authentication
-* 4. Verify VRF proof and WebAuthn response on contract simultaneously
-*      - VRF proof assures WebAuthn challenge is fresh and valid (replay protection)
-*      - WebAuthn verification for origin + biometric credentials + device authenticity
-*/
-async function handleLoginUnlockVRF(context, nearAccountId, onEvent, onError, afterCall, deferCompletionHooks) {
-	const { webAuthnManager } = context;
-	try {
-		const [lastUser, latestByAccount, authenticators] = await Promise.all([
-			webAuthnManager.getLastUser(),
-			IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId),
-			webAuthnManager.getAuthenticatorsByUser(nearAccountId)
-		]);
-		let userData = null;
-		if (latestByAccount && latestByAccount.nearAccountId === nearAccountId) userData = latestByAccount;
-		else if (lastUser && lastUser.nearAccountId === nearAccountId) userData = lastUser;
-		else userData = await webAuthnManager.getUserByDevice(nearAccountId, 1);
-		if (!userData) throw new Error(`User data not found for ${nearAccountId} in IndexedDB. Please register an account.`);
-		if (!userData.clientNearPublicKey) throw new Error(`No NEAR public key found for ${nearAccountId}. Please register an account.`);
-		if (!userData.encryptedVrfKeypair?.encryptedVrfDataB64u || !userData.encryptedVrfKeypair?.chacha20NonceB64u) throw new Error("No VRF credentials found. Please register an account.");
-		if (authenticators.length === 0) throw new Error(`No authenticators found for account ${nearAccountId}. Please register.`);
-		onEvent?.({
-			step: 2,
-			phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,
-			status: LoginStatus.PROGRESS,
-			message: "Unlocking VRF keys..."
-		});
-		let unlockResult = { success: false };
-		let usedFallbackTouchId = false;
-		let unlockCredential;
-		let activeDeviceNumber = userData.deviceNumber;
-		let effectiveUserData = userData;
-		const hasServerEncrypted = !!userData.serverEncryptedVrfKeypair;
-		const relayerUrl = context.configs.relayer?.url;
-		const useShamir3PassVRFKeyUnlock = hasServerEncrypted && !!relayerUrl && !!userData.serverEncryptedVrfKeypair?.serverKeyId;
-		if (useShamir3PassVRFKeyUnlock) try {
-			const shamir = userData.serverEncryptedVrfKeypair;
-			if (!shamir.ciphertextVrfB64u || !shamir.kek_s_b64u) throw new Error("Missing Shamir3Pass fields (ciphertextVrfB64u/kek_s_b64u)");
-			unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({
-				nearAccountId,
-				kek_s_b64u: shamir.kek_s_b64u,
-				ciphertextVrfB64u: shamir.ciphertextVrfB64u,
-				serverKeyId: shamir.serverKeyId
-			});
-			if (unlockResult.success) {
-				const vrfStatus = await webAuthnManager.checkVrfStatus();
-				const active = vrfStatus.active && vrfStatus.nearAccountId === nearAccountId;
-				if (!active) unlockResult = {
-					success: false,
-					error: "VRF session inactive after Shamir3Pass"
-				};
-				if (active) await webAuthnManager.maybeProactiveShamirRefresh(nearAccountId);
-			} else throw new Error(`Shamir3Pass auto-unlock failed: ${unlockResult.error}`);
-		} catch (error) {
-			unlockResult = {
-				success: false,
-				error: error.message
-			};
-		}
-		if (!unlockResult.success) {
-			const fallback = await fallbackUnlockVrfKeypairWithTouchId({
-				webAuthnManager,
-				nearAccountId,
-				authenticators,
-				userData,
-				onEvent
-			});
-			unlockResult = fallback.unlockResult;
-			usedFallbackTouchId = fallback.usedFallbackTouchId;
-			unlockCredential = fallback.unlockCredential;
-			effectiveUserData = fallback.effectiveUserData;
-			activeDeviceNumber = fallback.activeDeviceNumber;
-		}
-		if (!unlockResult.success) throw new Error(`Failed to unlock VRF keypair: ${unlockResult.error}`);
-		onEvent?.({
-			step: 3,
-			phase: LoginPhase.STEP_3_VRF_UNLOCK,
-			status: LoginStatus.SUCCESS,
-			message: "VRF keypair unlocked successfully"
-		});
-		try {
-			const relayerUrl$1 = context.configs.relayer?.url;
-			if (usedFallbackTouchId && relayerUrl$1) {
-				const refreshed = await webAuthnManager.shamir3PassEncryptCurrentVrfKeypair();
-				await webAuthnManager.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);
-			}
-		} catch (refreshErr) {
-			console.warn("Non-fatal: Failed to refresh serverEncryptedVrfKeypair:", refreshErr?.message || refreshErr);
-		}
-		try {
-			if (typeof activeDeviceNumber === "number" && Number.isFinite(activeDeviceNumber)) await webAuthnManager.setLastUser(nearAccountId, activeDeviceNumber);
-			else if (typeof userData.deviceNumber === "number") await webAuthnManager.setLastUser(nearAccountId, userData.deviceNumber);
-		} catch {}
-		await webAuthnManager.updateLastLogin(nearAccountId);
-		const result = {
-			success: true,
-			loggedInNearAccountId: nearAccountId,
-			clientNearPublicKey: effectiveUserData?.clientNearPublicKey,
-			nearAccountId
-		};
-		if (!deferCompletionHooks) {
-			onEvent?.({
-				step: 4,
-				phase: LoginPhase.STEP_4_LOGIN_COMPLETE,
-				status: LoginStatus.SUCCESS,
-				message: "Login completed successfully",
-				nearAccountId,
-				clientNearPublicKey: effectiveUserData?.clientNearPublicKey || ""
-			});
-			afterCall?.(true, result);
-		}
-		return {
-			result,
-			usedFallbackTouchId,
-			unlockCredential
-		};
-	} catch (error) {
-		const errorMessage = getUserFriendlyErrorMessage(error, "login");
-		onError?.(error);
-		onEvent?.({
-			step: 0,
-			phase: LoginPhase.LOGIN_ERROR,
-			status: LoginStatus.ERROR,
-			message: errorMessage,
-			error: errorMessage
-		});
-		const result = {
-			success: false,
-			error: errorMessage
-		};
-		afterCall?.(false);
-		return {
-			result,
-			usedFallbackTouchId: false
-		};
-	}
-}
-/**
-* TouchID fallback path for VRF unlock.
-*
-* Used when Shamir 3-pass auto-unlock fails/unavailable:
-* - Prompts WebAuthn to obtain a serialized credential with PRF.first + PRF.second.
-* - Aligns the local encrypted VRF keypair blob with the passkey the user actually chose
-*   (important when multiple devices/passkeys exist for the same account).
-* - Unlocks the VRF keypair inside the VRF worker and returns updated effective user context.
-*/
-async function fallbackUnlockVrfKeypairWithTouchId(args) {
-	const { webAuthnManager, nearAccountId, authenticators, userData, onEvent } = args;
-	onEvent?.({
-		step: 2,
-		phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,
-		status: LoginStatus.PROGRESS,
-		message: "Logging in, unlocking VRF credentials..."
-	});
-	const challenge = createRandomVRFChallenge();
-	const credential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
-		nearAccountId,
-		challenge,
-		credentialIds: authenticators.map((a) => a.credentialId)
-	});
-	let effectiveUserData = userData;
-	let activeDeviceNumber = userData.deviceNumber;
-	if (authenticators.length > 1) {
-		const rawId = credential.rawId;
-		const matched = authenticators.find((a) => a.credentialId === rawId);
-		if (matched) try {
-			const byDevice = await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, matched.deviceNumber);
-			if (byDevice) {
-				effectiveUserData = byDevice;
-				activeDeviceNumber = matched.deviceNumber;
-			}
-		} catch {}
-	}
-	const unlockResult = await webAuthnManager.unlockVRFKeypair({
-		nearAccountId,
-		encryptedVrfKeypair: {
-			encryptedVrfDataB64u: effectiveUserData.encryptedVrfKeypair.encryptedVrfDataB64u,
-			chacha20NonceB64u: effectiveUserData.encryptedVrfKeypair.chacha20NonceB64u
-		},
-		credential
-	});
-	return {
-		unlockResult,
-		usedFallbackTouchId: unlockResult.success,
-		unlockCredential: credential,
-		effectiveUserData,
-		activeDeviceNumber
-	};
-}
-/**
-* High-level login snapshot used by React contexts/UI.
-*
-* Returns:
-* - `login`: derived from IndexedDB last-user pointer + VRF worker status
-* - `signingSession`: warm signing session status when available
-*
-* The `nearAccountId` argument is treated as a "query hint" and must match the
-* last logged-in account to be considered logged in (prevents accidental cross-account reads).
-*/
-async function getLoginSession(context, nearAccountId) {
-	const login = await getLoginStateInternal(context, nearAccountId);
-	if (!login?.isLoggedIn || !login.nearAccountId) return {
-		login,
-		signingSession: null
-	};
-	try {
-		const signingSession = await context.webAuthnManager.getWarmSigningSessionStatus(login.nearAccountId);
-		return {
-			login,
-			signingSession
-		};
-	} catch {
-		return {
-			login,
-			signingSession: null
-		};
-	}
-}
-/**
-* Internal helper for computing `LoginState`.
-*
-* Implementation detail:
-* - Trusts the IndexedDB last-user pointer for account selection, then confirms
-*   that the VRF worker is actually active for that same account.
-*/
-async function getLoginStateInternal(context, nearAccountId) {
-	const { webAuthnManager } = context;
-	try {
-		const lastUser = await webAuthnManager.getLastUser();
-		const targetAccountId = nearAccountId ?? lastUser?.nearAccountId ?? null;
-		if (!lastUser || targetAccountId && lastUser.nearAccountId !== targetAccountId) return {
-			isLoggedIn: false,
-			nearAccountId: targetAccountId || null,
-			publicKey: null,
-			vrfActive: false,
-			userData: null
-		};
-		const userData = lastUser;
-		const publicKey = userData?.clientNearPublicKey || null;
-		const vrfStatus = await webAuthnManager.checkVrfStatus();
-		const vrfActive = vrfStatus.active && vrfStatus.nearAccountId === targetAccountId;
-		const isLoggedIn = !!(userData && userData.clientNearPublicKey && vrfActive);
-		return {
-			isLoggedIn,
-			nearAccountId: targetAccountId,
-			publicKey,
-			vrfActive,
-			userData,
-			vrfSessionDuration: vrfStatus.sessionDuration || 0
-		};
-	} catch (error) {
-		console.warn("Error getting login state:", error);
-		return {
-			isLoggedIn: false,
-			nearAccountId: nearAccountId || null,
-			publicKey: null,
-			vrfActive: false,
-			userData: null
-		};
-	}
-}
-/**
-* List recently used accounts from IndexedDB.
-*
-* Used for account picker UIs and initial app bootstrap state.
-*/
-async function getRecentLogins(context) {
-	const { webAuthnManager } = context;
-	const allUsersData = await webAuthnManager.getAllUsers();
-	const accountIds = allUsersData.map((user) => user.nearAccountId);
-	const lastUsedAccount = await webAuthnManager.getLastUser();
-	return {
-		accountIds,
-		lastUsedAccount
-	};
-}
-/**
-* Clear the active VRF session and any client-side nonce caches.
-*
-* This is the canonical "logout" operation for the SDK (does not delete accounts).
-*/
-async function logoutAndClearSession(context) {
-	const { webAuthnManager } = context;
-	await webAuthnManager.clearVrfSession();
-	try {
-		webAuthnManager.getNonceManager().clear();
-	} catch {}
-}
-var init_login = __esm({ "src/core/TatchiPasskey/login.ts": (() => {
-	init_sdkSentEvents();
-	init_errors();
-	init_vrf_worker();
-	init_touchIdPrompt();
-	init_IndexedDBManager();
-	init_rpcCalls();
-}) });
-//#endregion
-init_login();
-export { getLoginSession, getRecentLogins, init_login, loginAndCreateSession, logoutAndClearSession };
-//# sourceMappingURL=login.js.map

package/dist/esm/react/sdk/src/core/TatchiPasskey/login.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"login.js","names":["signingSession: SigningSessionStatus","finalResult","e: any","err: any","unlockResult: { success: boolean; error?: string }","unlockCredential: WebAuthnAuthenticationCredential | undefined","error: any","relayerUrl","refreshErr: any","result: LoginResult"],"sources":["../../../../../../../src/core/TatchiPasskey/login.ts"],"sourcesContent":["import type {\n AfterCall,\n LoginHooksOptions,\n LoginSSEvent,\n} from '../types/sdkSentEvents';\nimport { LoginPhase, LoginStatus } from '../types/sdkSentEvents';\nimport type {\n GetRecentLoginsResult,\n LoginAndCreateSessionResult,\n LoginResult,\n LoginSession,\n LoginState,\n SigningSessionStatus,\n} from '../types/tatchi';\nimport type { PasskeyManagerContext } from './index';\nimport type { AccountId } from '../types/accountIds';\nimport type { WebAuthnAuthenticationCredential } from '../types/webauthn';\nimport { getUserFriendlyErrorMessage } from '../../utils/errors';\nimport { createRandomVRFChallenge, ServerEncryptedVrfKeypair, VRFChallenge } from '../types/vrf-worker';\nimport { authenticatorsToAllowCredentials } from '../WebAuthnManager/touchIdPrompt';\nimport { IndexedDBManager } from '../IndexedDBManager';\nimport type { ClientAuthenticatorData, ClientUserData } from '../IndexedDBManager';\nimport { verifyAuthenticationResponse } from '../rpcCalls';\n\n/**\n * Core login function that handles passkey authentication without React dependencies.\n *\n * - Unlocks the VRF keypair (Shamir 3‑pass auto‑unlock when possible; falls back to TouchID).\n * - Updates local login state and returns success with account/public key info.\n * - Optional: mints a server session when `options.session` is provided.\n * - Generates a fresh, chain‑anchored VRF challenge (using latest block).\n * - Collects a WebAuthn assertion over the VRF output and posts to the relay route\n * (defaults to `/verify-authentication-response`).\n * - When `kind: 'jwt'`, returns the token in `result.jwt`.\n * - When `kind: 'cookie'`, the server sets an HttpOnly cookie and no JWT is returned.\n */\nexport async function loginAndCreateSession(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n options?: LoginHooksOptions\n): Promise<LoginAndCreateSessionResult> {\n\n const { onEvent, onError, afterCall } = options || {};\n const { webAuthnManager } = context;\n\n onEvent?.({\n step: 1,\n phase: LoginPhase.STEP_1_PREPARATION,\n status: LoginStatus.PROGRESS,\n message: `Starting login for ${nearAccountId}`\n });\n\n const prevStatus = await webAuthnManager.checkVrfStatus();\n const prevVrfAccountId = prevStatus?.active ? prevStatus.nearAccountId : null;\n\n // If this call activates VRF then fails, clear the partial session.\n const rollbackVrfOnFailure = async () => {\n const status = await webAuthnManager.checkVrfStatus();\n const current = status?.active ? status.nearAccountId : null;\n if (current && current !== prevVrfAccountId) {\n await logoutAndClearSession(context);\n }\n };\n\n try {\n // Validation\n if (!window.isSecureContext) {\n const errorMessage = 'Passkey operations require a secure context (HTTPS or localhost).';\n const error = new Error(errorMessage);\n onError?.(error);\n onEvent?.({\n step: 0,\n phase: LoginPhase.LOGIN_ERROR,\n status: LoginStatus.ERROR,\n message: errorMessage,\n error: errorMessage\n });\n const result = { success: false, error: errorMessage };\n return result;\n }\n\n // Handle login and unlock VRF keypair in VRF WASM worker for WebAuthn challenge generation\n const wantsSession = options?.session?.kind == 'jwt' || options?.session?.kind == 'cookie';\n const base = await handleLoginUnlockVRF(\n context,\n nearAccountId,\n onEvent,\n onError,\n afterCall,\n // Defer final 'login-complete' event & afterCall until warm signing session is minted\n true\n );\n // If base login failed, just return\n if (!base.result.success) return base.result;\n\n const attachSigningSession = async (result: LoginResult): Promise<LoginAndCreateSessionResult> => {\n if (!result?.success) return result;\n try {\n const signingSession: SigningSessionStatus = await webAuthnManager.getWarmSigningSessionStatus(nearAccountId);\n return { ...result, signingSession };\n } catch {\n return result;\n }\n };\n\n // Resolve default warm signing session policy from configs.\n const ttlMsDefault = context.configs.signingSessionDefaults.ttlMs;\n const remainingUsesDefault = context.configs.signingSessionDefaults.remainingUses;\n const ttlMs = options?.signingSession?.ttlMs ?? ttlMsDefault;\n const remainingUses = options?.signingSession?.remainingUses ?? remainingUsesDefault;\n\n // Optionally mint a server session (JWT or HttpOnly cookie).\n // When requested, we also mint the warm signing session using the same WebAuthn prompt\n // so Shamir auto-unlock remains a single-prompt login UX.\n if (wantsSession) {\n const { kind, relayUrl: relayUrlOverride, route: routeOverride } = options!.session!;\n const relayUrl = (relayUrlOverride || context.configs.relayer.url).trim();\n const route = (routeOverride || '/verify-authentication-response').trim();\n if (!relayUrl) {\n // No relay; return base result without session\n console.warn(\"No relayUrl provided for session\");\n // Ensure a warm signing session is minted for local signing UX.\n await mintWarmSigningSession({\n context,\n nearAccountId,\n onEvent,\n credential: base.unlockCredential,\n ttlMs,\n remainingUses,\n });\n\n const finalResult = await attachSigningSession(base.result);\n // Emit completion now since we deferred it\n onEvent?.({\n step: 4,\n phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n status: LoginStatus.SUCCESS,\n message: 'Login completed successfully',\n nearAccountId: nearAccountId,\n clientNearPublicKey: base.result?.clientNearPublicKey || ''\n } as unknown as LoginSSEvent);\n await afterCall?.(true, finalResult);\n return finalResult;\n }\n try {\n // Build a fresh VRF challenge using current block\n const blockInfo = await context.nearClient.viewBlock({ finality: 'final' });\n const txBlockHash = blockInfo?.header?.hash;\n const txBlockHeight = String(blockInfo.header?.height ?? '');\n const vrfChallenge = await webAuthnManager.generateVrfChallengeOnce({\n userId: nearAccountId,\n rpId: webAuthnManager.getRpId(),\n blockHash: txBlockHash,\n blockHeight: txBlockHeight,\n });\n const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n const credential = await webAuthnManager.getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge: vrfChallenge,\n allowCredentials: authenticatorsToAllowCredentials(authenticators),\n });\n\n // Align lastUser deviceNumber with the passkey actually chosen for session minting.\n try {\n if (authenticators.length > 1) {\n const rawId = credential.rawId;\n const matched = authenticators.find((a) => a.credentialId === rawId);\n if (matched && typeof matched.deviceNumber === 'number') {\n await context.webAuthnManager.setLastUser(nearAccountId, matched.deviceNumber);\n }\n }\n } catch {\n // Non-fatal; session minting can proceed even if last-user update fails here.\n }\n\n // Mint the warm signing session using the same prompt used for server-session verification.\n await mintWarmSigningSession({\n context,\n nearAccountId,\n onEvent,\n credential,\n ttlMs,\n remainingUses,\n });\n\n const v = await verifyAuthenticationResponse(relayUrl, route, kind as 'jwt' | 'cookie', vrfChallenge, credential);\n if (v.success && v.verified) {\n const finalResult = await attachSigningSession({ ...base.result, jwt: v.jwt });\n // Now fire completion event and afterCall since we deferred them\n onEvent?.({\n step: 4,\n phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n status: LoginStatus.SUCCESS,\n message: 'Login completed successfully',\n nearAccountId: nearAccountId,\n clientNearPublicKey: base.result?.clientNearPublicKey || ''\n } as unknown as LoginSSEvent);\n await afterCall?.(true, finalResult);\n return finalResult;\n }\n // Session verification returned an error; surface error and afterCall(false)\n const errMsg = v.error || 'Session verification failed';\n await rollbackVrfOnFailure();\n onEvent?.({\n step: 0,\n phase: LoginPhase.LOGIN_ERROR,\n status: LoginStatus.ERROR,\n message: errMsg,\n error: errMsg\n } as unknown as LoginSSEvent);\n await afterCall?.(false as any);\n return { success: false, error: errMsg };\n } catch (e: any) {\n console.error(\"Failed to start session: \", e);\n const errMsg = getUserFriendlyErrorMessage(e, 'login') || (e?.message || 'Session verification failed');\n await rollbackVrfOnFailure();\n onError?.(e);\n onEvent?.({\n step: 0,\n phase: LoginPhase.LOGIN_ERROR,\n status: LoginStatus.ERROR,\n message: errMsg,\n error: errMsg\n } as unknown as LoginSSEvent);\n await afterCall?.(false as any);\n return { success: false, error: errMsg };\n }\n }\n\n // No server session requested: mint/refresh the warm signing session.\n await mintWarmSigningSession({\n context,\n nearAccountId,\n onEvent,\n credential: base.unlockCredential,\n ttlMs,\n remainingUses,\n });\n\n const finalResult = await attachSigningSession(base.result);\n // Fire completion event and afterCall since we deferred them.\n onEvent?.({\n step: 4,\n phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n status: LoginStatus.SUCCESS,\n message: 'Login completed successfully',\n nearAccountId: nearAccountId,\n clientNearPublicKey: base.result?.clientNearPublicKey || ''\n } as unknown as LoginSSEvent);\n await afterCall?.(true, finalResult);\n return finalResult;\n\n } catch (err: any) {\n\n await rollbackVrfOnFailure();\n onError?.(err);\n const errorMessage = getUserFriendlyErrorMessage(err, 'login') || err?.message || 'Login failed';\n onEvent?.({\n step: 0,\n phase: LoginPhase.LOGIN_ERROR,\n status: LoginStatus.ERROR,\n message: errorMessage,\n error: errorMessage\n });\n const result = { success: false, error: errorMessage };\n afterCall?.(false);\n return result;\n }\n}\n\n/**\n * Mint or refresh a \"warm signing session\" in the VRF worker.\n *\n * Notes:\n * - Reuses a previously collected WebAuthn credential when provided (e.g. TouchID fallback),\n * to avoid prompting the user twice in a single login flow.\n * - Session TTL/remainingUses policy is enforced by the VRF worker.\n */\nasync function mintWarmSigningSession(args: {\n context: PasskeyManagerContext;\n nearAccountId: AccountId;\n onEvent?: (event: LoginSSEvent) => void;\n credential?: WebAuthnAuthenticationCredential;\n ttlMs: number;\n remainingUses: number;\n}): Promise<void> {\n const { context, nearAccountId, onEvent, credential, ttlMs, remainingUses } = args;\n const { webAuthnManager } = context;\n\n onEvent?.({\n step: 3,\n phase: LoginPhase.STEP_3_VRF_UNLOCK,\n status: LoginStatus.PROGRESS,\n message: 'Unlocking warm signing session...'\n });\n\n // If we already performed a TouchID ceremony (e.g., VRF unlock fallback),\n // reuse that credential to avoid a second prompt.\n let effectiveCredential = credential;\n if (!effectiveCredential) {\n const challenge = createRandomVRFChallenge();\n const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n const { authenticatorsForPrompt } = await IndexedDBManager.clientDB.ensureCurrentPasskey(\n nearAccountId,\n authenticators,\n );\n effectiveCredential = await webAuthnManager.getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge: challenge as VRFChallenge,\n allowCredentials: authenticatorsToAllowCredentials(authenticatorsForPrompt),\n });\n }\n\n await webAuthnManager.mintSigningSessionFromCredential({\n nearAccountId,\n credential: effectiveCredential,\n ttlMs,\n remainingUses,\n });\n\n onEvent?.({\n step: 3,\n phase: LoginPhase.STEP_3_VRF_UNLOCK,\n status: LoginStatus.SUCCESS,\n message: 'Warm signing session unlocked'\n });\n}\n\n/**\n * Handle onchain (serverless) login using VRF flow per docs/vrf_challenges.md\n *\n * VRF AUTHENTICATION FLOW:\n * 1. Unlock VRF keypair in VRF Worker memory, either\n * - Decrypt via Shamir 3-pass (when Relayer is present), or\n * - Re-derive the VRF via credentials inside VRF worker dynamically\n * 2. Generate VRF challenge using stored VRF keypair + NEAR block data (no TouchID needed)\n * 3. Use VRF output as WebAuthn challenge for authentication\n * 4. Verify VRF proof and WebAuthn response on contract simultaneously\n * - VRF proof assures WebAuthn challenge is fresh and valid (replay protection)\n * - WebAuthn verification for origin + biometric credentials + device authenticity\n */\nasync function handleLoginUnlockVRF(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n onEvent?: (event: LoginSSEvent) => void,\n onError?: (error: Error) => void,\n afterCall?: AfterCall<any>,\n deferCompletionHooks?: boolean,\n): Promise<{\n result: LoginResult;\n usedFallbackTouchId: boolean;\n unlockCredential?: WebAuthnAuthenticationCredential;\n}> {\n const { webAuthnManager } = context;\n\n try {\n // Step 1: Get VRF credentials and authenticators, and validate them\n const [lastUser, latestByAccount, authenticators] = await Promise.all([\n webAuthnManager.getLastUser(),\n IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId),\n webAuthnManager.getAuthenticatorsByUser(nearAccountId),\n ]);\n\n // Prefer the most recently updated record for this account; fall back to lastUser pointer.\n let userData = null as (typeof lastUser) | null;\n if (latestByAccount && latestByAccount.nearAccountId === nearAccountId) {\n userData = latestByAccount;\n } else if (lastUser && lastUser.nearAccountId === nearAccountId) {\n userData = lastUser;\n } else {\n userData = await webAuthnManager.getUserByDevice(nearAccountId, 1);\n }\n\n // Validate user data and authenticators\n if (!userData) {\n throw new Error(`User data not found for ${nearAccountId} in IndexedDB. Please register an account.`);\n }\n if (!userData.clientNearPublicKey) {\n throw new Error(`No NEAR public key found for ${nearAccountId}. Please register an account.`);\n }\n if (\n !userData.encryptedVrfKeypair?.encryptedVrfDataB64u ||\n !userData.encryptedVrfKeypair?.chacha20NonceB64u\n ) {\n throw new Error('No VRF credentials found. Please register an account.');\n }\n if (authenticators.length === 0) {\n throw new Error(`No authenticators found for account ${nearAccountId}. Please register.`);\n }\n\n // Step 2: Try Shamir 3-pass commutative unlock first (no TouchID required), fallback to TouchID\n onEvent?.({\n step: 2,\n phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,\n status: LoginStatus.PROGRESS,\n message: 'Unlocking VRF keys...'\n });\n\n let unlockResult: { success: boolean; error?: string } = { success: false };\n let usedFallbackTouchId = false;\n let unlockCredential: WebAuthnAuthenticationCredential | undefined;\n let activeDeviceNumber = userData.deviceNumber;\n // Effective user row whose VRF/NEAR keys are actually used for this login.\n // May be switched when multiple devices exist and the user picks a different passkey.\n let effectiveUserData = userData;\n\n const hasServerEncrypted = !!userData.serverEncryptedVrfKeypair;\n const relayerUrl = context.configs.relayer?.url;\n const useShamir3PassVRFKeyUnlock = hasServerEncrypted && !!relayerUrl && !!userData.serverEncryptedVrfKeypair?.serverKeyId;\n\n if (useShamir3PassVRFKeyUnlock) {\n try {\n const shamir = userData.serverEncryptedVrfKeypair as ServerEncryptedVrfKeypair;\n if (!shamir.ciphertextVrfB64u || !shamir.kek_s_b64u) {\n throw new Error('Missing Shamir3Pass fields (ciphertextVrfB64u/kek_s_b64u)');\n }\n\n unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({\n nearAccountId,\n kek_s_b64u: shamir.kek_s_b64u,\n ciphertextVrfB64u: shamir.ciphertextVrfB64u,\n serverKeyId: shamir.serverKeyId,\n });\n\n if (unlockResult.success) {\n const vrfStatus = await webAuthnManager.checkVrfStatus();\n const active = vrfStatus.active && vrfStatus.nearAccountId === nearAccountId;\n if (!active) {\n unlockResult = { success: false, error: 'VRF session inactive after Shamir3Pass' };\n }\n if (active) {\n // Proactive rotation if serverKeyId changed and we unlocked via Shamir\n await webAuthnManager.maybeProactiveShamirRefresh(nearAccountId);\n }\n } else {\n throw new Error(`Shamir3Pass auto-unlock failed: ${unlockResult.error}`);\n }\n } catch (error: any) {\n unlockResult = { success: false, error: error.message };\n }\n }\n\n // Fallback to TouchID if Shamir3Pass decryption failed\n if (!unlockResult.success) {\n const fallback = await fallbackUnlockVrfKeypairWithTouchId({\n webAuthnManager,\n nearAccountId,\n authenticators,\n userData,\n onEvent,\n });\n unlockResult = fallback.unlockResult;\n usedFallbackTouchId = fallback.usedFallbackTouchId;\n unlockCredential = fallback.unlockCredential;\n effectiveUserData = fallback.effectiveUserData;\n activeDeviceNumber = fallback.activeDeviceNumber;\n }\n\n if (!unlockResult.success) {\n throw new Error(`Failed to unlock VRF keypair: ${unlockResult.error}`);\n }\n\n onEvent?.({\n step: 3,\n phase: LoginPhase.STEP_3_VRF_UNLOCK,\n status: LoginStatus.SUCCESS,\n message: 'VRF keypair unlocked successfully'\n });\n\n // Proactive refresh: if Shamir3Pass failed and we used TouchID, re-encrypt under current server key\n try {\n const relayerUrl = context.configs.relayer?.url;\n if (usedFallbackTouchId && relayerUrl) {\n const refreshed = await webAuthnManager.shamir3PassEncryptCurrentVrfKeypair();\n await webAuthnManager.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);\n }\n } catch (refreshErr: any) {\n console.warn('Non-fatal: Failed to refresh serverEncryptedVrfKeypair:', refreshErr?.message || refreshErr);\n }\n\n // Step 3: Update local data and return success\n // Ensure last-user deviceNumber reflects the passkey actually used for login.\n try {\n if (typeof activeDeviceNumber === 'number' && Number.isFinite(activeDeviceNumber)) {\n await webAuthnManager.setLastUser(nearAccountId, activeDeviceNumber);\n } else if (typeof userData.deviceNumber === 'number') {\n await webAuthnManager.setLastUser(nearAccountId, userData.deviceNumber);\n }\n } catch {\n // Non-fatal; continue even if last-user update fails.\n }\n await webAuthnManager.updateLastLogin(nearAccountId);\n\n const result: LoginResult = {\n success: true,\n loggedInNearAccountId: nearAccountId,\n // Ensure the clientNearPublicKey reflects the device whose VRF credentials\n // are actually active for this login.\n clientNearPublicKey: effectiveUserData?.clientNearPublicKey!, // non-null, validated above\n nearAccountId: nearAccountId\n };\n\n if (!deferCompletionHooks) {\n onEvent?.({\n step: 4,\n phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n status: LoginStatus.SUCCESS,\n message: 'Login completed successfully',\n nearAccountId: nearAccountId,\n clientNearPublicKey: effectiveUserData?.clientNearPublicKey || ''\n });\n afterCall?.(true, result);\n }\n return { result, usedFallbackTouchId, unlockCredential };\n\n } catch (error: any) {\n // Use centralized error handling\n const errorMessage = getUserFriendlyErrorMessage(error, 'login');\n\n onError?.(error);\n onEvent?.({\n step: 0,\n phase: LoginPhase.LOGIN_ERROR,\n status: LoginStatus.ERROR,\n message: errorMessage,\n error: errorMessage\n });\n\n const result: LoginResult = { success: false, error: errorMessage };\n afterCall?.(false);\n return { result, usedFallbackTouchId: false };\n }\n}\n\n/**\n * TouchID fallback path for VRF unlock.\n *\n * Used when Shamir 3-pass auto-unlock fails/unavailable:\n * - Prompts WebAuthn to obtain a serialized credential with PRF.first + PRF.second.\n * - Aligns the local encrypted VRF keypair blob with the passkey the user actually chose\n * (important when multiple devices/passkeys exist for the same account).\n * - Unlocks the VRF keypair inside the VRF worker and returns updated effective user context.\n */\nasync function fallbackUnlockVrfKeypairWithTouchId(args: {\n webAuthnManager: PasskeyManagerContext['webAuthnManager'];\n nearAccountId: AccountId;\n authenticators: ClientAuthenticatorData[];\n userData: ClientUserData;\n onEvent?: (event: LoginSSEvent) => void;\n}): Promise<{\n unlockResult: { success: boolean; error?: string };\n usedFallbackTouchId: boolean;\n unlockCredential: WebAuthnAuthenticationCredential;\n effectiveUserData: ClientUserData;\n activeDeviceNumber: number;\n}> {\n const { webAuthnManager, nearAccountId, authenticators, userData, onEvent } = args;\n\n onEvent?.({\n step: 2,\n phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,\n status: LoginStatus.PROGRESS,\n message: 'Logging in, unlocking VRF credentials...'\n });\n\n const challenge = createRandomVRFChallenge();\n const credential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge: challenge as VRFChallenge,\n credentialIds: authenticators.map((a) => a.credentialId),\n });\n\n let effectiveUserData = userData;\n let activeDeviceNumber = userData.deviceNumber;\n\n // If multiple authenticators exist, align VRF credentials with the passkey\n // the user actually chose, based on credentialId → deviceNumber.\n if (authenticators.length > 1) {\n const rawId = credential.rawId;\n const matched = authenticators.find(a => a.credentialId === rawId);\n if (matched) {\n try {\n const byDevice = await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, matched.deviceNumber);\n if (byDevice) {\n effectiveUserData = byDevice;\n activeDeviceNumber = matched.deviceNumber;\n }\n } catch {\n // If lookup by device fails, fall back to the base userData.\n }\n }\n }\n\n const unlockResult = await webAuthnManager.unlockVRFKeypair({\n nearAccountId: nearAccountId,\n encryptedVrfKeypair: {\n encryptedVrfDataB64u: effectiveUserData.encryptedVrfKeypair.encryptedVrfDataB64u,\n chacha20NonceB64u: effectiveUserData.encryptedVrfKeypair.chacha20NonceB64u,\n },\n credential: credential,\n });\n\n return {\n unlockResult,\n usedFallbackTouchId: unlockResult.success,\n unlockCredential: credential,\n effectiveUserData,\n activeDeviceNumber,\n };\n}\n\n/**\n * High-level login snapshot used by React contexts/UI.\n *\n * Returns:\n * - `login`: derived from IndexedDB last-user pointer + VRF worker status\n * - `signingSession`: warm signing session status when available\n *\n * The `nearAccountId` argument is treated as a \"query hint\" and must match the\n * last logged-in account to be considered logged in (prevents accidental cross-account reads).\n */\nexport async function getLoginSession(\n context: PasskeyManagerContext,\n nearAccountId?: AccountId\n): Promise<LoginSession> {\n const login = await getLoginStateInternal(context, nearAccountId);\n if (!login?.isLoggedIn || !login.nearAccountId) return { login, signingSession: null };\n try {\n const signingSession = await context.webAuthnManager.getWarmSigningSessionStatus(login.nearAccountId);\n return { login, signingSession };\n } catch {\n return { login, signingSession: null };\n }\n}\n\n/**\n * Internal helper for computing `LoginState`.\n *\n * Implementation detail:\n * - Trusts the IndexedDB last-user pointer for account selection, then confirms\n * that the VRF worker is actually active for that same account.\n */\nasync function getLoginStateInternal(\n context: PasskeyManagerContext,\n nearAccountId?: AccountId\n): Promise<LoginState> {\n const { webAuthnManager } = context;\n try {\n // Determine target account strictly from the last logged-in device.\n const lastUser = await webAuthnManager.getLastUser();\n const targetAccountId = nearAccountId ?? lastUser?.nearAccountId ?? null;\n\n // If caller requested a specific account, it must match the last logged-in account.\n if (!lastUser || (targetAccountId && lastUser.nearAccountId !== targetAccountId)) {\n return {\n isLoggedIn: false,\n nearAccountId: targetAccountId || null,\n publicKey: null,\n vrfActive: false,\n userData: null\n };\n }\n\n const userData = lastUser;\n const publicKey = userData?.clientNearPublicKey || null;\n\n // Check actual VRF worker status\n const vrfStatus = await webAuthnManager.checkVrfStatus();\n const vrfActive = vrfStatus.active && vrfStatus.nearAccountId === targetAccountId;\n\n // Determine if user is considered \"logged in\"\n // User is logged in if they have user data and VRF is active\n const isLoggedIn = !!(userData && userData.clientNearPublicKey && vrfActive);\n\n return {\n isLoggedIn,\n nearAccountId: targetAccountId,\n publicKey,\n vrfActive,\n userData,\n vrfSessionDuration: vrfStatus.sessionDuration || 0\n };\n\n } catch (error: any) {\n console.warn('Error getting login state:', error);\n return {\n isLoggedIn: false,\n nearAccountId: nearAccountId || null,\n publicKey: null,\n vrfActive: false,\n userData: null\n };\n }\n}\n\n/**\n * List recently used accounts from IndexedDB.\n *\n * Used for account picker UIs and initial app bootstrap state.\n */\nexport async function getRecentLogins(\n context: PasskeyManagerContext\n): Promise<GetRecentLoginsResult> {\n const { webAuthnManager } = context;\n // Get all user accounts from IndexDB\n const allUsersData = await webAuthnManager.getAllUsers();\n const accountIds = allUsersData.map(user => user.nearAccountId);\n // Get last used account for initial state\n const lastUsedAccount = await webAuthnManager.getLastUser();\n return {\n accountIds,\n lastUsedAccount,\n };\n}\n\n/**\n * Clear the active VRF session and any client-side nonce caches.\n *\n * This is the canonical \"logout\" operation for the SDK (does not delete accounts).\n */\nexport async function logoutAndClearSession(context: PasskeyManagerContext): Promise<void> {\n const { webAuthnManager } = context;\n await webAuthnManager.clearVrfSession();\n try { webAuthnManager.getNonceManager().clear(); } catch {}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAoCA,eAAsB,sBACpB,SACA,eACA,SACsC;CAEtC,MAAM,EAAE,SAAS,SAAS,cAAc,WAAW;CACnD,MAAM,EAAE,oBAAoB;AAE5B,WAAU;EACR,MAAM;EACN,OAAO,WAAW;EAClB,QAAQ,YAAY;EACpB,SAAS,sBAAsB;;CAGjC,MAAM,aAAa,MAAM,gBAAgB;CACzC,MAAM,mBAAmB,YAAY,SAAS,WAAW,gBAAgB;CAGzE,MAAM,uBAAuB,YAAY;EACvC,MAAM,SAAS,MAAM,gBAAgB;EACrC,MAAM,UAAU,QAAQ,SAAS,OAAO,gBAAgB;AACxD,MAAI,WAAW,YAAY,iBACzB,OAAM,sBAAsB;;AAIhC,KAAI;AAEF,MAAI,CAAC,OAAO,iBAAiB;GAC3B,MAAM,eAAe;GACrB,MAAM,QAAQ,IAAI,MAAM;AACxB,aAAU;AACV,aAAU;IACR,MAAM;IACN,OAAO,WAAW;IAClB,QAAQ,YAAY;IACpB,SAAS;IACT,OAAO;;GAET,MAAM,SAAS;IAAE,SAAS;IAAO,OAAO;;AACxC,UAAO;;EAIT,MAAM,eAAe,SAAS,SAAS,QAAQ,SAAS,SAAS,SAAS,QAAQ;EAClF,MAAM,OAAO,MAAM,qBACjB,SACA,eACA,SACA,SACA,WAEA;AAGF,MAAI,CAAC,KAAK,OAAO,QAAS,QAAO,KAAK;EAEtC,MAAM,uBAAuB,OAAO,WAA8D;AAChG,OAAI,CAAC,QAAQ,QAAS,QAAO;AAC7B,OAAI;IACF,MAAMA,iBAAuC,MAAM,gBAAgB,4BAA4B;AAC/F,WAAO;KAAE,GAAG;KAAQ;;WACd;AACN,WAAO;;;EAKX,MAAM,eAAe,QAAQ,QAAQ,uBAAuB;EAC5D,MAAM,uBAAuB,QAAQ,QAAQ,uBAAuB;EACpE,MAAM,QAAQ,SAAS,gBAAgB,SAAS;EAChD,MAAM,gBAAgB,SAAS,gBAAgB,iBAAiB;AAKhE,MAAI,cAAc;GAChB,MAAM,EAAE,MAAM,UAAU,kBAAkB,OAAO,kBAAkB,QAAS;GAC5E,MAAM,YAAY,oBAAoB,QAAQ,QAAQ,QAAQ,KAAK;GACnE,MAAM,SAAS,iBAAiB,mCAAmC;AACnE,OAAI,CAAC,UAAU;AAEb,YAAQ,KAAK;AAEb,UAAM,uBAAuB;KAC3B;KACA;KACA;KACA,YAAY,KAAK;KACjB;KACA;;IAGF,MAAMC,gBAAc,MAAM,qBAAqB,KAAK;AAEpD,cAAU;KACR,MAAM;KACN,OAAO,WAAW;KAClB,QAAQ,YAAY;KACpB,SAAS;KACM;KACf,qBAAqB,KAAK,QAAQ,uBAAuB;;AAE3D,UAAM,YAAY,MAAMA;AACxB,WAAOA;;AAET,OAAI;IAEF,MAAM,YAAY,MAAM,QAAQ,WAAW,UAAU,EAAE,UAAU;IACjE,MAAM,cAAc,WAAW,QAAQ;IACvC,MAAM,gBAAgB,OAAO,UAAU,QAAQ,UAAU;IACzD,MAAM,eAAe,MAAM,gBAAgB,yBAAyB;KAClE,QAAQ;KACR,MAAM,gBAAgB;KACtB,WAAW;KACX,aAAa;;IAEf,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;IACrE,MAAM,aAAa,MAAM,gBAAgB,uCAAuC;KAC9E;KACA,WAAW;KACX,kBAAkB,iCAAiC;;AAIrD,QAAI;AACF,SAAI,eAAe,SAAS,GAAG;MAC7B,MAAM,QAAQ,WAAW;MACzB,MAAM,UAAU,eAAe,MAAM,MAAM,EAAE,iBAAiB;AAC9D,UAAI,WAAW,OAAO,QAAQ,iBAAiB,SAC7C,OAAM,QAAQ,gBAAgB,YAAY,eAAe,QAAQ;;YAG/D;AAKR,UAAM,uBAAuB;KAC3B;KACA;KACA;KACA;KACA;KACA;;IAGF,MAAM,IAAI,MAAM,6BAA6B,UAAU,OAAO,MAA0B,cAAc;AACtG,QAAI,EAAE,WAAW,EAAE,UAAU;KAC3B,MAAMA,gBAAc,MAAM,qBAAqB;MAAE,GAAG,KAAK;MAAQ,KAAK,EAAE;;AAExE,eAAU;MACR,MAAM;MACN,OAAO,WAAW;MAClB,QAAQ,YAAY;MACpB,SAAS;MACM;MACf,qBAAqB,KAAK,QAAQ,uBAAuB;;AAE3D,WAAM,YAAY,MAAMA;AACxB,YAAOA;;IAGT,MAAM,SAAS,EAAE,SAAS;AAC1B,UAAM;AACN,cAAU;KACR,MAAM;KACN,OAAO,WAAW;KAClB,QAAQ,YAAY;KACpB,SAAS;KACT,OAAO;;AAET,UAAM,YAAY;AAClB,WAAO;KAAE,SAAS;KAAO,OAAO;;YACzBC,GAAQ;AACf,YAAQ,MAAM,6BAA6B;IAC3C,MAAM,SAAS,4BAA4B,GAAG,YAAa,GAAG,WAAW;AACzE,UAAM;AACN,cAAU;AACV,cAAU;KACR,MAAM;KACN,OAAO,WAAW;KAClB,QAAQ,YAAY;KACpB,SAAS;KACT,OAAO;;AAET,UAAM,YAAY;AAClB,WAAO;KAAE,SAAS;KAAO,OAAO;;;;AAKpC,QAAM,uBAAuB;GAC3B;GACA;GACA;GACA,YAAY,KAAK;GACjB;GACA;;EAGF,MAAM,cAAc,MAAM,qBAAqB,KAAK;AAEpD,YAAU;GACR,MAAM;GACN,OAAO,WAAW;GAClB,QAAQ,YAAY;GACpB,SAAS;GACM;GACf,qBAAqB,KAAK,QAAQ,uBAAuB;;AAE3D,QAAM,YAAY,MAAM;AACxB,SAAO;UAEAC,KAAU;AAEjB,QAAM;AACN,YAAU;EACV,MAAM,eAAe,4BAA4B,KAAK,YAAY,KAAK,WAAW;AAClF,YAAU;GACR,MAAM;GACN,OAAO,WAAW;GAClB,QAAQ,YAAY;GACpB,SAAS;GACT,OAAO;;EAET,MAAM,SAAS;GAAE,SAAS;GAAO,OAAO;;AACxC,cAAY;AACZ,SAAO;;;;;;;;;;;AAYX,eAAe,uBAAuB,MAOpB;CAChB,MAAM,EAAE,SAAS,eAAe,SAAS,YAAY,OAAO,kBAAkB;CAC9E,MAAM,EAAE,oBAAoB;AAE5B,WAAU;EACR,MAAM;EACN,OAAO,WAAW;EAClB,QAAQ,YAAY;EACpB,SAAS;;CAKX,IAAI,sBAAsB;AAC1B,KAAI,CAAC,qBAAqB;EACxB,MAAM,YAAY;EAClB,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;EACrE,MAAM,EAAE,4BAA4B,MAAM,iBAAiB,SAAS,qBAClE,eACA;AAEF,wBAAsB,MAAM,gBAAgB,uCAAuC;GACjF;GACW;GACX,kBAAkB,iCAAiC;;;AAIvD,OAAM,gBAAgB,iCAAiC;EACrD;EACA,YAAY;EACZ;EACA;;AAGF,WAAU;EACR,MAAM;EACN,OAAO,WAAW;EAClB,QAAQ,YAAY;EACpB,SAAS;;;;;;;;;;;;;;;;AAiBb,eAAe,qBACb,SACA,eACA,SACA,SACA,WACA,sBAKC;CACD,MAAM,EAAE,oBAAoB;AAE5B,KAAI;EAEF,MAAM,CAAC,UAAU,iBAAiB,kBAAkB,MAAM,QAAQ,IAAI;GACpE,gBAAgB;GAChB,iBAAiB,SAAS,qBAAqB;GAC/C,gBAAgB,wBAAwB;;EAI1C,IAAI,WAAW;AACf,MAAI,mBAAmB,gBAAgB,kBAAkB,cACvD,YAAW;WACF,YAAY,SAAS,kBAAkB,cAChD,YAAW;MAEX,YAAW,MAAM,gBAAgB,gBAAgB,eAAe;AAIlE,MAAI,CAAC,SACH,OAAM,IAAI,MAAM,2BAA2B,cAAc;AAE3D,MAAI,CAAC,SAAS,oBACZ,OAAM,IAAI,MAAM,gCAAgC,cAAc;AAEhE,MACE,CAAC,SAAS,qBAAqB,wBAC/B,CAAC,SAAS,qBAAqB,kBAE/B,OAAM,IAAI,MAAM;AAElB,MAAI,eAAe,WAAW,EAC5B,OAAM,IAAI,MAAM,uCAAuC,cAAc;AAIvE,YAAU;GACR,MAAM;GACN,OAAO,WAAW;GAClB,QAAQ,YAAY;GACpB,SAAS;;EAGX,IAAIC,eAAqD,EAAE,SAAS;EACpE,IAAI,sBAAsB;EAC1B,IAAIC;EACJ,IAAI,qBAAqB,SAAS;EAGlC,IAAI,oBAAoB;EAExB,MAAM,qBAAqB,CAAC,CAAC,SAAS;EACtC,MAAM,aAAa,QAAQ,QAAQ,SAAS;EAC5C,MAAM,6BAA6B,sBAAsB,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,2BAA2B;AAE/G,MAAI,2BACF,KAAI;GACF,MAAM,SAAS,SAAS;AACxB,OAAI,CAAC,OAAO,qBAAqB,CAAC,OAAO,WACvC,OAAM,IAAI,MAAM;AAGlB,kBAAe,MAAM,gBAAgB,6BAA6B;IAChE;IACA,YAAY,OAAO;IACnB,mBAAmB,OAAO;IAC1B,aAAa,OAAO;;AAGtB,OAAI,aAAa,SAAS;IACxB,MAAM,YAAY,MAAM,gBAAgB;IACxC,MAAM,SAAS,UAAU,UAAU,UAAU,kBAAkB;AAC/D,QAAI,CAAC,OACH,gBAAe;KAAE,SAAS;KAAO,OAAO;;AAE1C,QAAI,OAEF,OAAM,gBAAgB,4BAA4B;SAGpD,OAAM,IAAI,MAAM,mCAAmC,aAAa;WAE3DC,OAAY;AACnB,kBAAe;IAAE,SAAS;IAAO,OAAO,MAAM;;;AAKlD,MAAI,CAAC,aAAa,SAAS;GACzB,MAAM,WAAW,MAAM,oCAAoC;IACzD;IACA;IACA;IACA;IACA;;AAEF,kBAAe,SAAS;AACxB,yBAAsB,SAAS;AAC/B,sBAAmB,SAAS;AAC5B,uBAAoB,SAAS;AAC7B,wBAAqB,SAAS;;AAGhC,MAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,iCAAiC,aAAa;AAGhE,YAAU;GACR,MAAM;GACN,OAAO,WAAW;GAClB,QAAQ,YAAY;GACpB,SAAS;;AAIX,MAAI;GACF,MAAMC,eAAa,QAAQ,QAAQ,SAAS;AAC5C,OAAI,uBAAuBA,cAAY;IACrC,MAAM,YAAY,MAAM,gBAAgB;AACxC,UAAM,gBAAgB,gCAAgC,eAAe;;WAEhEC,YAAiB;AACxB,WAAQ,KAAK,2DAA2D,YAAY,WAAW;;AAKjG,MAAI;AACF,OAAI,OAAO,uBAAuB,YAAY,OAAO,SAAS,oBAC5D,OAAM,gBAAgB,YAAY,eAAe;YACxC,OAAO,SAAS,iBAAiB,SAC1C,OAAM,gBAAgB,YAAY,eAAe,SAAS;UAEtD;AAGR,QAAM,gBAAgB,gBAAgB;EAEtC,MAAMC,SAAsB;GAC1B,SAAS;GACT,uBAAuB;GAGvB,qBAAqB,mBAAmB;GACzB;;AAGjB,MAAI,CAAC,sBAAsB;AACzB,aAAU;IACR,MAAM;IACN,OAAO,WAAW;IAClB,QAAQ,YAAY;IACpB,SAAS;IACM;IACf,qBAAqB,mBAAmB,uBAAuB;;AAEjE,eAAY,MAAM;;AAEpB,SAAO;GAAE;GAAQ;GAAqB;;UAE/BH,OAAY;EAEnB,MAAM,eAAe,4BAA4B,OAAO;AAExD,YAAU;AACV,YAAU;GACR,MAAM;GACN,OAAO,WAAW;GAClB,QAAQ,YAAY;GACpB,SAAS;GACT,OAAO;;EAGT,MAAMG,SAAsB;GAAE,SAAS;GAAO,OAAO;;AACrD,cAAY;AACZ,SAAO;GAAE;GAAQ,qBAAqB;;;;;;;;;;;;;AAa1C,eAAe,oCAAoC,MAYhD;CACD,MAAM,EAAE,iBAAiB,eAAe,gBAAgB,UAAU,YAAY;AAE9E,WAAU;EACR,MAAM;EACN,OAAO,WAAW;EAClB,QAAQ,YAAY;EACpB,SAAS;;CAGX,MAAM,YAAY;CAClB,MAAM,aAAa,MAAM,gBAAgB,8CAA8C;EACrF;EACW;EACX,eAAe,eAAe,KAAK,MAAM,EAAE;;CAG7C,IAAI,oBAAoB;CACxB,IAAI,qBAAqB,SAAS;AAIlC,KAAI,eAAe,SAAS,GAAG;EAC7B,MAAM,QAAQ,WAAW;EACzB,MAAM,UAAU,eAAe,MAAK,MAAK,EAAE,iBAAiB;AAC5D,MAAI,QACF,KAAI;GACF,MAAM,WAAW,MAAM,iBAAiB,SAAS,gBAAgB,eAAe,QAAQ;AACxF,OAAI,UAAU;AACZ,wBAAoB;AACpB,yBAAqB,QAAQ;;UAEzB;;CAMZ,MAAM,eAAe,MAAM,gBAAgB,iBAAiB;EAC3C;EACf,qBAAqB;GACnB,sBAAsB,kBAAkB,oBAAoB;GAC5D,mBAAmB,kBAAkB,oBAAoB;;EAE/C;;AAGd,QAAO;EACL;EACA,qBAAqB,aAAa;EAClC,kBAAkB;EAClB;EACA;;;;;;;;;;;;;AAcJ,eAAsB,gBACpB,SACA,eACuB;CACvB,MAAM,QAAQ,MAAM,sBAAsB,SAAS;AACnD,KAAI,CAAC,OAAO,cAAc,CAAC,MAAM,cAAe,QAAO;EAAE;EAAO,gBAAgB;;AAChF,KAAI;EACF,MAAM,iBAAiB,MAAM,QAAQ,gBAAgB,4BAA4B,MAAM;AACvF,SAAO;GAAE;GAAO;;SACV;AACN,SAAO;GAAE;GAAO,gBAAgB;;;;;;;;;;;AAWpC,eAAe,sBACb,SACA,eACqB;CACrB,MAAM,EAAE,oBAAoB;AAC5B,KAAI;EAEF,MAAM,WAAW,MAAM,gBAAgB;EACvC,MAAM,kBAAkB,iBAAiB,UAAU,iBAAiB;AAGpE,MAAI,CAAC,YAAa,mBAAmB,SAAS,kBAAkB,gBAC9D,QAAO;GACL,YAAY;GACZ,eAAe,mBAAmB;GAClC,WAAW;GACX,WAAW;GACX,UAAU;;EAId,MAAM,WAAW;EACjB,MAAM,YAAY,UAAU,uBAAuB;EAGnD,MAAM,YAAY,MAAM,gBAAgB;EACxC,MAAM,YAAY,UAAU,UAAU,UAAU,kBAAkB;EAIlE,MAAM,aAAa,CAAC,EAAE,YAAY,SAAS,uBAAuB;AAElE,SAAO;GACL;GACA,eAAe;GACf;GACA;GACA;GACA,oBAAoB,UAAU,mBAAmB;;UAG5CH,OAAY;AACnB,UAAQ,KAAK,8BAA8B;AAC3C,SAAO;GACL,YAAY;GACZ,eAAe,iBAAiB;GAChC,WAAW;GACX,WAAW;GACX,UAAU;;;;;;;;;AAUhB,eAAsB,gBACpB,SACgC;CAChC,MAAM,EAAE,oBAAoB;CAE5B,MAAM,eAAe,MAAM,gBAAgB;CAC3C,MAAM,aAAa,aAAa,KAAI,SAAQ,KAAK;CAEjD,MAAM,kBAAkB,MAAM,gBAAgB;AAC9C,QAAO;EACL;EACA;;;;;;;;AASJ,eAAsB,sBAAsB,SAA+C;CACzF,MAAM,EAAE,oBAAoB;AAC5B,OAAM,gBAAgB;AACtB,KAAI;AAAE,kBAAgB,kBAAkB;SAAiB"}