@tatchi-xyz/sdk 0.31.0 → 0.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (173) hide show
  1. package/dist/cjs/core/IndexedDBManager/passkeyClientDB.js +2 -2
  2. package/dist/cjs/core/IndexedDBManager/passkeyClientDB.js.map +1 -1
  3. package/dist/cjs/core/TatchiPasskey/faucets/createAccountRelayServer.js +9 -8
  4. package/dist/cjs/core/TatchiPasskey/faucets/createAccountRelayServer.js.map +1 -1
  5. package/dist/cjs/core/TatchiPasskey/login.js +1 -1
  6. package/dist/cjs/core/TatchiPasskey/login.js.map +1 -1
  7. package/dist/cjs/core/TatchiPasskey/registration.js +67 -56
  8. package/dist/cjs/core/TatchiPasskey/registration.js.map +1 -1
  9. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js +1 -10
  10. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js.map +1 -1
  11. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js +58 -67
  12. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js.map +1 -1
  13. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js +74 -75
  14. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js.map +1 -1
  15. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js +17 -7
  16. package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js.map +1 -1
  17. package/dist/cjs/core/WebAuthnManager/index.js +3 -3
  18. package/dist/cjs/core/WebAuthnManager/index.js.map +1 -1
  19. package/dist/cjs/core/defaultConfigs.js +3 -1
  20. package/dist/cjs/core/defaultConfigs.js.map +1 -1
  21. package/dist/cjs/react/components/AccountMenuButton/TransactionSettingsSection.js +3 -3
  22. package/dist/cjs/react/components/AccountMenuButton/TransactionSettingsSection.js.map +1 -1
  23. package/dist/cjs/react/components/PasskeyAuthMenu/{PasskeyAuthMenu-CRlobBrN.css → PasskeyAuthMenu-D2eRb2-S.css} +3 -1
  24. package/dist/cjs/react/components/PasskeyAuthMenu/PasskeyAuthMenu-D2eRb2-S.css.map +1 -0
  25. package/dist/cjs/react/components/PasskeyAuthMenu/preload.js +1 -1
  26. package/dist/cjs/react/components/PasskeyAuthMenu/preload.js.map +1 -1
  27. package/dist/cjs/react/components/PasskeyAuthMenu/shell.js +52 -13
  28. package/dist/cjs/react/components/PasskeyAuthMenu/shell.js.map +1 -1
  29. package/dist/cjs/react/components/PasskeyAuthMenu/skeleton.js +4 -2
  30. package/dist/cjs/react/components/PasskeyAuthMenu/skeleton.js.map +1 -1
  31. package/dist/cjs/react/components/PasskeyAuthMenu/ui/EmailRecoverySlide.js +5 -1
  32. package/dist/cjs/react/components/PasskeyAuthMenu/ui/EmailRecoverySlide.js.map +1 -1
  33. package/dist/cjs/react/index.js +1 -1
  34. package/dist/cjs/react/src/core/IndexedDBManager/passkeyClientDB.js +2 -2
  35. package/dist/cjs/react/src/core/IndexedDBManager/passkeyClientDB.js.map +1 -1
  36. package/dist/cjs/react/src/core/TatchiPasskey/faucets/createAccountRelayServer.js +9 -8
  37. package/dist/cjs/react/src/core/TatchiPasskey/faucets/createAccountRelayServer.js.map +1 -1
  38. package/dist/cjs/react/src/core/TatchiPasskey/login.js +1 -1
  39. package/dist/cjs/react/src/core/TatchiPasskey/login.js.map +1 -1
  40. package/dist/cjs/react/src/core/TatchiPasskey/registration.js +67 -56
  41. package/dist/cjs/react/src/core/TatchiPasskey/registration.js.map +1 -1
  42. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js +1 -10
  43. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js.map +1 -1
  44. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js +58 -67
  45. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js.map +1 -1
  46. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js +74 -75
  47. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js.map +1 -1
  48. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js +17 -7
  49. package/dist/cjs/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js.map +1 -1
  50. package/dist/cjs/react/src/core/WebAuthnManager/index.js +3 -3
  51. package/dist/cjs/react/src/core/WebAuthnManager/index.js.map +1 -1
  52. package/dist/cjs/react/src/core/defaultConfigs.js +3 -1
  53. package/dist/cjs/react/src/core/defaultConfigs.js.map +1 -1
  54. package/dist/cjs/server/core/AuthService.js +49 -6
  55. package/dist/cjs/server/core/AuthService.js.map +1 -1
  56. package/dist/cjs/server/sdk/src/core/defaultConfigs.js.map +1 -1
  57. package/dist/esm/core/IndexedDBManager/passkeyClientDB.js +2 -2
  58. package/dist/esm/core/IndexedDBManager/passkeyClientDB.js.map +1 -1
  59. package/dist/esm/core/TatchiPasskey/faucets/createAccountRelayServer.js +9 -8
  60. package/dist/esm/core/TatchiPasskey/faucets/createAccountRelayServer.js.map +1 -1
  61. package/dist/esm/core/TatchiPasskey/login.js +1 -1
  62. package/dist/esm/core/TatchiPasskey/login.js.map +1 -1
  63. package/dist/esm/core/TatchiPasskey/registration.js +67 -56
  64. package/dist/esm/core/TatchiPasskey/registration.js.map +1 -1
  65. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js +1 -10
  66. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js.map +1 -1
  67. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js +58 -67
  68. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js.map +1 -1
  69. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js +74 -75
  70. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js.map +1 -1
  71. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js +17 -7
  72. package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js.map +1 -1
  73. package/dist/esm/core/WebAuthnManager/index.js +3 -3
  74. package/dist/esm/core/WebAuthnManager/index.js.map +1 -1
  75. package/dist/esm/core/defaultConfigs.js +3 -1
  76. package/dist/esm/core/defaultConfigs.js.map +1 -1
  77. package/dist/esm/react/components/AccountMenuButton/TransactionSettingsSection.js +3 -3
  78. package/dist/esm/react/components/AccountMenuButton/TransactionSettingsSection.js.map +1 -1
  79. package/dist/esm/react/components/PasskeyAuthMenu/{PasskeyAuthMenu-D2VHZ04W.css → PasskeyAuthMenu-qTHAv58Z.css} +3 -1
  80. package/dist/esm/react/components/PasskeyAuthMenu/PasskeyAuthMenu-qTHAv58Z.css.map +1 -0
  81. package/dist/esm/react/components/PasskeyAuthMenu/preload.js +1 -1
  82. package/dist/esm/react/components/PasskeyAuthMenu/preload.js.map +1 -1
  83. package/dist/esm/react/components/PasskeyAuthMenu/shell.js +52 -13
  84. package/dist/esm/react/components/PasskeyAuthMenu/shell.js.map +1 -1
  85. package/dist/esm/react/components/PasskeyAuthMenu/skeleton.js +4 -2
  86. package/dist/esm/react/components/PasskeyAuthMenu/skeleton.js.map +1 -1
  87. package/dist/esm/react/components/PasskeyAuthMenu/ui/EmailRecoverySlide.js +5 -1
  88. package/dist/esm/react/components/PasskeyAuthMenu/ui/EmailRecoverySlide.js.map +1 -1
  89. package/dist/esm/react/index.js +1 -1
  90. package/dist/esm/react/src/core/IndexedDBManager/passkeyClientDB.js +2 -2
  91. package/dist/esm/react/src/core/IndexedDBManager/passkeyClientDB.js.map +1 -1
  92. package/dist/esm/react/src/core/TatchiPasskey/faucets/createAccountRelayServer.js +9 -8
  93. package/dist/esm/react/src/core/TatchiPasskey/faucets/createAccountRelayServer.js.map +1 -1
  94. package/dist/esm/react/src/core/TatchiPasskey/login.js +1 -1
  95. package/dist/esm/react/src/core/TatchiPasskey/login.js.map +1 -1
  96. package/dist/esm/react/src/core/TatchiPasskey/registration.js +67 -56
  97. package/dist/esm/react/src/core/TatchiPasskey/registration.js.map +1 -1
  98. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js +1 -10
  99. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js.map +1 -1
  100. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js +58 -67
  101. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.js.map +1 -1
  102. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js +74 -75
  103. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.js.map +1 -1
  104. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js +17 -7
  105. package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.js.map +1 -1
  106. package/dist/esm/react/src/core/WebAuthnManager/index.js +3 -3
  107. package/dist/esm/react/src/core/WebAuthnManager/index.js.map +1 -1
  108. package/dist/esm/react/src/core/defaultConfigs.js +3 -1
  109. package/dist/esm/react/src/core/defaultConfigs.js.map +1 -1
  110. package/dist/esm/react/styles/styles.css +2 -0
  111. package/dist/esm/sdk/{EmailRecovery-Dl8b4ONg.js → EmailRecovery-Y7rurd4B.js} +3 -3
  112. package/dist/esm/sdk/{EmailRecovery-v9oNO2Tc.js → EmailRecovery-lsjLWApQ.js} +1 -1
  113. package/dist/esm/sdk/{IndexedDBManager-B1cUvdyY.js → IndexedDBManager-CmdN7smS.js} +3 -3
  114. package/dist/esm/sdk/{createAdapters-Dv7ZJPf1.js → createAdapters-4c8mBiD5.js} +2 -11
  115. package/dist/esm/sdk/{createAdapters-Dv7ZJPf1.js.map → createAdapters-4c8mBiD5.js.map} +1 -1
  116. package/dist/esm/sdk/{createAdapters-1Hmc1vVC.js → createAdapters-DF32SIZa.js} +1 -10
  117. package/dist/esm/sdk/{defaultConfigs-BmCU1_qI.js → defaultConfigs-BQqiXif-.js} +3 -1
  118. package/dist/esm/sdk/{emailRecovery-4J-g9tlY.js → emailRecovery-C0LSDleV.js} +5 -5
  119. package/dist/esm/sdk/{getDeviceNumber-f8bfPB9U.js → getDeviceNumber-WiNzKx1x.js} +4 -2
  120. package/dist/esm/sdk/{getDeviceNumber-f8bfPB9U.js.map → getDeviceNumber-WiNzKx1x.js.map} +1 -1
  121. package/dist/esm/sdk/{linkDevice-C98klpcE.js → linkDevice-Ds1GNIDk.js} +4 -4
  122. package/dist/esm/sdk/{localOnly-40zxrBMm.js → localOnly-COpDBMkm.js} +2 -2
  123. package/dist/esm/sdk/{localOnly-40zxrBMm.js.map → localOnly-COpDBMkm.js.map} +1 -1
  124. package/dist/esm/sdk/{localOnly-BZPBj14l.js → localOnly-DQQuqgjJ.js} +1 -1
  125. package/dist/esm/sdk/{login-DnROv3eA.js → login-BKhTuGcy.js} +3 -3
  126. package/dist/esm/sdk/offline-export-app.js +29 -19
  127. package/dist/esm/sdk/offline-export-app.js.map +1 -1
  128. package/dist/esm/sdk/{registration-BP9M3tE1.js → registration-BR2G9tz_.js} +59 -68
  129. package/dist/esm/sdk/{registration-MrAOC8Ub.js → registration-R70lvG_o.js} +60 -69
  130. package/dist/esm/sdk/registration-R70lvG_o.js.map +1 -0
  131. package/dist/esm/sdk/{router-BEGGuWaB.js → router-2aGn-CTp.js} +1 -1
  132. package/dist/esm/sdk/{rpcCalls-CMzj_Va_.js → rpcCalls-BPI0icZG.js} +2 -2
  133. package/dist/esm/sdk/{rpcCalls-B44MZora.js → rpcCalls-BW3M_q3-.js} +1 -1
  134. package/dist/esm/sdk/{scanDevice-Cp-r-Z2T.js → scanDevice-BBSehlMx.js} +4 -4
  135. package/dist/esm/sdk/{syncAccount-CqWCmBVb.js → syncAccount-DEZHBiRa.js} +4 -4
  136. package/dist/esm/sdk/{syncAccount-Dt5jJbEB.js → syncAccount-DHKtl-xh.js} +2 -2
  137. package/dist/esm/sdk/{transactions-DAZrPW-6.js → transactions-Cg1TIUyK.js} +76 -77
  138. package/dist/esm/sdk/{transactions-CrjP8yPD.js → transactions-CxsklyCK.js} +77 -78
  139. package/dist/esm/sdk/transactions-CxsklyCK.js.map +1 -0
  140. package/dist/esm/sdk/wallet-iframe-host.js +116 -94
  141. package/dist/esm/server/core/AuthService.js +49 -6
  142. package/dist/esm/server/core/AuthService.js.map +1 -1
  143. package/dist/esm/server/sdk/src/core/defaultConfigs.js.map +1 -1
  144. package/dist/esm/wasm_vrf_worker/pkg/wasm_vrf_worker_bg.wasm +0 -0
  145. package/dist/types/src/__tests__/setup/bootstrap.d.ts.map +1 -1
  146. package/dist/types/src/core/IndexedDBManager/passkeyClientDB.d.ts +1 -1
  147. package/dist/types/src/core/IndexedDBManager/passkeyClientDB.d.ts.map +1 -1
  148. package/dist/types/src/core/TatchiPasskey/faucets/createAccountRelayServer.d.ts +6 -6
  149. package/dist/types/src/core/TatchiPasskey/faucets/createAccountRelayServer.d.ts.map +1 -1
  150. package/dist/types/src/core/TatchiPasskey/registration.d.ts.map +1 -1
  151. package/dist/types/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.d.ts +0 -5
  152. package/dist/types/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.d.ts.map +1 -1
  153. package/dist/types/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/registration.d.ts.map +1 -1
  154. package/dist/types/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.d.ts.map +1 -1
  155. package/dist/types/src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/handleSecureConfirmRequest.d.ts.map +1 -1
  156. package/dist/types/src/core/WebAuthnManager/index.d.ts +1 -1
  157. package/dist/types/src/core/WebAuthnManager/index.d.ts.map +1 -1
  158. package/dist/types/src/core/defaultConfigs.d.ts.map +1 -1
  159. package/dist/types/src/react/components/PasskeyAuthMenu/preload.d.ts.map +1 -1
  160. package/dist/types/src/react/components/PasskeyAuthMenu/shell.d.ts.map +1 -1
  161. package/dist/types/src/react/components/PasskeyAuthMenu/skeleton.d.ts +1 -1
  162. package/dist/types/src/react/components/PasskeyAuthMenu/skeleton.d.ts.map +1 -1
  163. package/dist/types/src/react/components/PasskeyAuthMenu/ui/EmailRecoverySlide.d.ts.map +1 -1
  164. package/dist/types/src/server/core/AuthService.d.ts.map +1 -1
  165. package/dist/workers/offline-export-sw.js +156 -1
  166. package/dist/workers/wasm_vrf_worker_bg.wasm +0 -0
  167. package/dist/workers/web3authn-signer.worker.js +1360 -2
  168. package/dist/workers/web3authn-vrf.worker.js +2857 -2
  169. package/package.json +1 -1
  170. package/dist/cjs/react/components/PasskeyAuthMenu/PasskeyAuthMenu-CRlobBrN.css.map +0 -1
  171. package/dist/esm/react/components/PasskeyAuthMenu/PasskeyAuthMenu-D2VHZ04W.css.map +0 -1
  172. package/dist/esm/sdk/registration-MrAOC8Ub.js.map +0 -1
  173. package/dist/esm/sdk/transactions-CrjP8yPD.js.map +0 -1
package/dist/cjs/server/core/AuthService.js CHANGED
@@ -2,6 +2,7 @@ const require_rolldown_runtime = require('../_virtual/rolldown_runtime.js');
2
2
  const require_validation = require('../sdk/src/utils/validation.js');
3
3
  const require_config = require('./config.js');
4
4
  const require_actions = require('../sdk/src/core/types/actions.js');
5
+ const require_base64 = require('../sdk/src/utils/base64.js');
5
6
  const require_errors = require('../sdk/src/utils/errors.js');
6
7
  const require_NearClient = require('../sdk/src/core/NearClient.js');
7
8
  const require_nearKeys = require('./nearKeys.js');
@@ -21,6 +22,50 @@ src_wasm_signer_worker_pkg_wasm_signer_worker_js = require_rolldown_runtime.__to
21
22
  function isObject(v) {
22
23
  return !!v && typeof v === "object" && !Array.isArray(v);
23
24
  }
25
+ function normalizeU8ArrayLike(input, fieldName) {
26
+ if (input instanceof Uint8Array) return Array.from(input);
27
+ if (typeof input === "string") try {
28
+ return Array.from(require_base64.base64UrlDecode(input));
29
+ } catch (err) {
30
+ throw new Error(`Invalid ${fieldName}: expected base64url string (${require_errors.errorMessage(err) || "decode failed"})`);
31
+ }
32
+ if (Array.isArray(input)) {
33
+ const out = [];
34
+ for (const v of input) {
35
+ const n = Number(v);
36
+ if (!Number.isFinite(n) || n < 0 || n > 255) throw new Error(`Invalid ${fieldName}: expected byte array (0..255)`);
37
+ out.push(Math.floor(n));
38
+ }
39
+ return out;
40
+ }
41
+ throw new Error(`Invalid ${fieldName}: expected number[] or base64url string`);
42
+ }
43
+ function normalizeContractVrfDataForContract(input) {
44
+ if (!isObject(input)) throw new Error("Missing or invalid vrf_data");
45
+ const user_id = require_validation.toOptionalTrimmedString(input.user_id);
46
+ const rp_id = require_validation.toOptionalTrimmedString(input.rp_id);
47
+ const block_height_raw = input.block_height;
48
+ const block_height = typeof block_height_raw === "number" ? block_height_raw : Number(block_height_raw);
49
+ if (!user_id) throw new Error("Missing vrf_data.user_id");
50
+ if (!rp_id) throw new Error("Missing vrf_data.rp_id");
51
+ if (!Number.isFinite(block_height) || block_height <= 0) throw new Error("Invalid vrf_data.block_height");
52
+ const base = {
53
+ vrf_input_data: normalizeU8ArrayLike(input.vrf_input_data, "vrf_data.vrf_input_data"),
54
+ vrf_output: normalizeU8ArrayLike(input.vrf_output, "vrf_data.vrf_output"),
55
+ vrf_proof: normalizeU8ArrayLike(input.vrf_proof, "vrf_data.vrf_proof"),
56
+ public_key: normalizeU8ArrayLike(input.public_key, "vrf_data.public_key"),
57
+ user_id,
58
+ rp_id,
59
+ block_height,
60
+ block_hash: normalizeU8ArrayLike(input.block_hash, "vrf_data.block_hash"),
61
+ intent_digest_32: normalizeU8ArrayLike(input.intent_digest_32, "vrf_data.intent_digest_32")
62
+ };
63
+ if (Object.prototype.hasOwnProperty.call(input, "session_policy_digest_32")) {
64
+ const v = input.session_policy_digest_32;
65
+ if (v != null) base.session_policy_digest_32 = normalizeU8ArrayLike(v, "vrf_data.session_policy_digest_32");
66
+ }
67
+ return base;
68
+ }
24
69
  const SIGNER_WASM_MAIN_PATH = "../../wasm_signer_worker/pkg/wasm_signer_worker_bg.wasm";
25
70
  const SIGNER_WASM_FALLBACK_PATH = "../../../workers/wasm_signer_worker_bg.wasm";
26
71
  function getSignerWasmUrls(logger) {
@@ -329,18 +374,16 @@ var AuthService = class {
329
374
  return this.queueTransaction(async () => {
330
375
  try {
331
376
  if (!require_validation.isValidAccountId(request.new_account_id)) throw new Error(`Invalid account ID format: ${request.new_account_id}`);
332
- this.logger.info(`Checking if account ${request.new_account_id} already exists...`);
333
- const accountExists = await this.checkAccountExists(request.new_account_id);
334
- if (accountExists) throw new Error(`Account ${request.new_account_id} already exists. Cannot create duplicate account.`);
335
- this.logger.info(`Account ${request.new_account_id} is available for atomic creation and registration`);
336
377
  this.logger.info(`Registering account: ${request.new_account_id}`);
337
378
  this.logger.info(`Contract: ${this.config.webAuthnContractId}`);
379
+ const vrf_data = normalizeContractVrfDataForContract(request.vrf_data);
380
+ const deterministic_vrf_public_key = normalizeU8ArrayLike(request.deterministic_vrf_public_key, "deterministic_vrf_public_key");
338
381
  const contractArgs = {
339
382
  new_account_id: request.new_account_id,
340
383
  new_public_key: request.new_public_key,
341
- vrf_data: request.vrf_data,
384
+ vrf_data,
342
385
  webauthn_registration: request.webauthn_registration,
343
- deterministic_vrf_public_key: request.deterministic_vrf_public_key,
386
+ deterministic_vrf_public_key,
344
387
  authenticator_options: request.authenticator_options
345
388
  };
346
389
  const actions = [{
package/dist/cjs/server/core/AuthService.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthService.js","names":["resolved: URL[]","coerceThresholdNodeRole","coerceThresholdEd25519ShareMode","toOptionalTrimmedString","createAuthServiceConfig","coerceLogger","ShamirService","MinimalNearClient","EmailRecoveryService","DEFAULT_EMAIL_RECOVERY_CONTRACTS","formatYoctoToNear","formatGasToTGas","createThresholdSigningService","toPublicKeyStringFromSecretKey","candidates: URL[]","lastError: unknown","module","isValidAccountId","actions: ActionArgsWasm[]","ActionType","validateActionArgsWasm","error: any","errorMessage","parseContractExecutionError","list: unknown[]","toRorOriginOrNull","lastErr: Error | null","error: unknown","toError","executeSignedDelegateWithRelayer","WorkerRequestType","response: unknown","e: unknown","SignedTransaction","body: VerifyAuthenticationRequest","WorkerResponseType"],"sources":["../../../../src/server/core/AuthService.ts"],"sourcesContent":["import { ActionType, type ActionArgsWasm, validateActionArgsWasm } from '../../core/types/actions';\nimport { MinimalNearClient, SignedTransaction, type AccessKeyList } from '../../core/NearClient';\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport { toPublicKeyStringFromSecretKey } from './nearKeys';\nimport { createAuthServiceConfig } from './config';\nimport { formatGasToTGas, formatYoctoToNear } from './utils';\nimport { parseContractExecutionError } from './errors';\nimport { isValidAccountId, toOptionalTrimmedString, toRorOriginOrNull } from '../../utils/validation';\nimport { coerceThresholdEd25519ShareMode, coerceThresholdNodeRole } from './ThresholdService/config';\nimport type { ThresholdSigningService as ThresholdSigningServiceType } from './ThresholdService';\nimport { createThresholdSigningService } from './ThresholdService';\nimport initSignerWasm, {\n handle_signer_message,\n WorkerRequestType,\n WorkerResponseType,\n type InitInput,\n type WasmTransaction,\n type WasmSignature,\n} from '../../wasm_signer_worker/pkg/wasm_signer_worker.js';\n\nimport type {\n AuthServiceConfig,\n AuthServiceConfigInput,\n AccountCreationRequest,\n AccountCreationResult,\n CreateAccountAndRegisterRequest,\n CreateAccountAndRegisterResult,\n VerifyAuthenticationRequest,\n VerifyAuthenticationResponse,\n SignerWasmModuleSupplier,\n} from './types';\n\nimport { DEFAULT_EMAIL_RECOVERY_CONTRACTS } from '../../core/defaultConfigs';\nimport { EmailRecoveryService } from '../email-recovery';\nimport { ShamirService } from './ShamirService';\nimport { SignedDelegate } from '../../core/types/delegate';\nimport {\n type ExecuteSignedDelegateResult,\n executeSignedDelegateWithRelayer,\n type DelegateActionPolicy,\n} from '../delegateAction';\nimport { coerceLogger, type NormalizedLogger } from './logger';\nimport { errorMessage, toError } from '../../utils/errors';\n\nfunction isObject(v: unknown): v is Record<string, unknown> {\n return !!v && typeof v === 'object' && !Array.isArray(v);\n}\n\n// =============================\n// WASM URL CONSTANTS + HELPERS\n// =============================\n\n// Primary location (preserveModules output)\nconst SIGNER_WASM_MAIN_PATH = '../../wasm_signer_worker/pkg/wasm_signer_worker_bg.wasm';\n// Fallback location (dist/workers copy step)\nconst SIGNER_WASM_FALLBACK_PATH = '../../../workers/wasm_signer_worker_bg.wasm';\n\nfunction getSignerWasmUrls(logger: NormalizedLogger): URL[] {\n const paths = [SIGNER_WASM_MAIN_PATH, SIGNER_WASM_FALLBACK_PATH];\n const resolved: URL[] = [];\n const baseUrl = import.meta.url;\n\n for (const path of paths) {\n try {\n if (!baseUrl) throw new Error('import.meta.url is undefined');\n resolved.push(new URL(path, baseUrl));\n } catch (err) {\n logger.warn(`Failed to resolve signer WASM relative URL for path \"${path}\":`, err);\n }\n }\n\n if (!resolved.length) {\n throw new Error('Unable to resolve signer WASM location from import.meta.url. Provide AuthServiceConfig.signerWasm.moduleOrPath in this runtime.');\n }\n\n return resolved;\n}\n\nfunction summarizeThresholdEd25519Config(cfg: AuthServiceConfig['thresholdEd25519KeyStore']): string {\n if (!cfg) return 'thresholdEd25519: not configured';\n\n const nodeRole = coerceThresholdNodeRole(cfg.THRESHOLD_NODE_ROLE);\n const shareMode = coerceThresholdEd25519ShareMode(cfg.THRESHOLD_ED25519_SHARE_MODE);\n\n const masterSecretSet = (() => {\n if ('kind' in cfg) return false;\n return Boolean(toOptionalTrimmedString(cfg.THRESHOLD_ED25519_MASTER_SECRET_B64U));\n })();\n\n const store = (() => {\n if ('kind' in cfg) {\n if (cfg.kind === 'upstash-redis-rest') return 'upstash';\n if (cfg.kind === 'redis-tcp') return 'redis';\n return 'in-memory';\n }\n const upstashUrl = toOptionalTrimmedString(cfg.UPSTASH_REDIS_REST_URL);\n const upstashToken = toOptionalTrimmedString(cfg.UPSTASH_REDIS_REST_TOKEN);\n const redisUrl = toOptionalTrimmedString(cfg.REDIS_URL);\n return (upstashUrl || upstashToken) ? 'upstash' : (redisUrl ? 'redis' : 'in-memory');\n })();\n\n const parts = [`thresholdEd25519: configured`, `nodeRole=${nodeRole}`, `shareMode=${shareMode}`, `store=${store}`];\n if (masterSecretSet) parts.push('masterSecret=set');\n return parts.join(' ');\n}\n\n/**\n * Framework-agnostic NEAR account service\n * Core business logic for account creation and registration operations\n */\nexport class AuthService {\n private config: AuthServiceConfig;\n private isInitialized = false;\n private nearClient: MinimalNearClient;\n private relayerPublicKey: string = '';\n private signerWasmReady = false;\n private readonly logger: NormalizedLogger;\n private thresholdSigningServiceInitialized = false;\n private thresholdSigningService: ThresholdSigningServiceType | null = null;\n\n // Transaction queue to prevent nonce conflicts\n private transactionQueue: Promise<any> = Promise.resolve();\n private queueStats = { pending: 0, completed: 0, failed: 0 };\n\n // Shamir 3-pass key management (delegated to ShamirService)\n public readonly shamirService: ShamirService | null = null;\n // DKIM/TEE email recovery logic (delegated to EmailRecoveryService)\n public readonly emailRecovery: EmailRecoveryService | null = null;\n\n constructor(config: AuthServiceConfigInput) {\n this.config = createAuthServiceConfig(config);\n this.logger = coerceLogger(this.config.logger);\n const graceFileCandidate = (this.config.shamir?.graceShamirKeysFile || '').trim();\n this.shamirService = new ShamirService(this.config.shamir, graceFileCandidate || 'grace-keys.json');\n this.nearClient = new MinimalNearClient(this.config.nearRpcUrl);\n this.emailRecovery = new EmailRecoveryService({\n relayerAccountId: this.config.relayerAccountId,\n relayerPrivateKey: this.config.relayerPrivateKey,\n networkId: this.config.networkId,\n emailDkimVerifierContract: DEFAULT_EMAIL_RECOVERY_CONTRACTS.emailDkimVerifierContract,\n nearClient: this.nearClient,\n logger: this.config.logger,\n ensureSignerAndRelayerAccount: () => this._ensureSignerAndRelayerAccount(),\n queueTransaction: <T>(fn: () => Promise<T>, label: string) => this.queueTransaction(fn, label),\n fetchTxContext: (accountId: string, publicKey: string) => this.fetchTxContext(accountId, publicKey),\n signWithPrivateKey: (input) => this.signWithPrivateKey(input),\n getRelayerPublicKey: () => this.relayerPublicKey,\n zkEmailProver: this.config.zkEmailProver,\n });\n\n // Log effective configuration at construction time so operators can\n // verify wiring immediately when the service is created.\n this.logger.info(`\n AuthService initialized with:\n • networkId: ${this.config.networkId}\n • nearRpcUrl: ${this.config.nearRpcUrl}\n • relayerAccountId: ${this.config.relayerAccountId}\n • webAuthnContractId: ${this.config.webAuthnContractId}\n • accountInitialBalance: ${this.config.accountInitialBalance} (${formatYoctoToNear(this.config.accountInitialBalance)} NEAR)\n • createAccountAndRegisterGas: ${this.config.createAccountAndRegisterGas} (${formatGasToTGas(this.config.createAccountAndRegisterGas)})\n ${this.config.shamir\n ? `• shamir_p_b64u: ${this.config.shamir.shamir_p_b64u.slice(0, 10)}...\\n • shamir_e_s_b64u: ${this.config.shamir.shamir_e_s_b64u.slice(0, 10)}...\\n • shamir_d_s_b64u: ${this.config.shamir.shamir_d_s_b64u.slice(0, 10)}...`\n : '• shamir: not configured'\n }\n • ${summarizeThresholdEd25519Config(this.config.thresholdEd25519KeyStore)}\n ${this.config.zkEmailProver?.baseUrl\n ? `• zkEmailProver: ${this.config.zkEmailProver.baseUrl}`\n : `• zkEmailProver: not configured`\n }\n `);\n }\n\n async getRelayerAccount(): Promise<{ accountId: string; publicKey: string }> {\n await this._ensureSignerAndRelayerAccount();\n return {\n accountId: this.config.relayerAccountId,\n publicKey: this.relayerPublicKey\n };\n }\n\n async viewAccessKeyList(accountId: string): Promise<AccessKeyList> {\n await this._ensureSignerAndRelayerAccount();\n return this.nearClient.viewAccessKeyList(accountId);\n }\n\n /**\n * Lazily constructs the threshold signing service when `thresholdEd25519KeyStore` is configured.\n * Routers may call this to auto-enable `/threshold-ed25519/*` endpoints.\n */\n getThresholdSigningService(): ThresholdSigningServiceType | null {\n if (this.thresholdSigningServiceInitialized) return this.thresholdSigningService;\n this.thresholdSigningServiceInitialized = true;\n\n if (!this.config.thresholdEd25519KeyStore) {\n this.thresholdSigningService = null;\n return null;\n }\n\n this.thresholdSigningService = createThresholdSigningService({\n authService: this,\n thresholdEd25519KeyStore: this.config.thresholdEd25519KeyStore,\n logger: this.logger,\n isNode: this.isNodeEnvironment(),\n });\n return this.thresholdSigningService;\n }\n\n getWebAuthnContractId(): string {\n return this.config.webAuthnContractId;\n }\n\n async txStatus(txHash: string, senderAccountId: string): Promise<FinalExecutionOutcome> {\n await this._ensureSignerAndRelayerAccount();\n return this.nearClient.txStatus(txHash, senderAccountId);\n }\n\n /**\n * Configure Shamir WASM module override for serverless environments\n * Required for Cloudflare Workers where import.meta.url doesn't work\n */\n private async configureShamirWasmForServerless(): Promise<void> {\n if (!this.config.shamir?.moduleOrPath) {\n return;\n }\n\n const { setShamirWasmModuleOverride } = await import('./shamirWorker.js');\n setShamirWasmModuleOverride(this.config.shamir.moduleOrPath);\n }\n\n private async _ensureSignerAndRelayerAccount(): Promise<void> {\n if (this.isInitialized) {\n return;\n }\n\n // Initialize Shamir 3-pass via ShamirService (if configured)\n if (this.config.shamir && this.shamirService) {\n await this.configureShamirWasmForServerless();\n await this.shamirService.ensureReady();\n }\n\n // Derive public key from configured relayer private key\n try {\n this.relayerPublicKey = toPublicKeyStringFromSecretKey(this.config.relayerPrivateKey);\n } catch (e) {\n this.logger.warn('Failed to derive public key from relayerPrivateKey; ensure it is in ed25519:<base58> format');\n this.relayerPublicKey = '';\n }\n\n // Prepare signer WASM for transaction building/signing\n await this.ensureSignerWasm();\n this.isInitialized = true;\n }\n\n private async ensureSignerWasm(): Promise<void> {\n if (this.signerWasmReady) return;\n const override = this.config.signerWasm?.moduleOrPath;\n if (override) {\n try {\n const moduleOrPath = await this.resolveSignerWasmOverride(override);\n await initSignerWasm({ module_or_path: moduleOrPath as InitInput });\n this.signerWasmReady = true;\n return;\n } catch (e) {\n this.logger.error('Failed to initialize signer WASM via provided override:', e);\n throw e;\n }\n }\n\n let candidates: URL[];\n try {\n candidates = getSignerWasmUrls(this.logger);\n } catch (err) {\n this.logger.error('Failed to resolve signer WASM URLs:', err);\n throw err;\n }\n\n try {\n if (this.isNodeEnvironment()) {\n await this.initSignerWasmForNode(candidates);\n this.signerWasmReady = true;\n return;\n }\n\n let lastError: unknown = null;\n for (const candidate of candidates) {\n try {\n await initSignerWasm({ module_or_path: candidate as InitInput });\n this.signerWasmReady = true;\n return;\n } catch (err) {\n lastError = err;\n this.logger.warn(`Failed to initialize signer WASM from ${candidate.toString()}, trying next candidate...`);\n }\n }\n\n throw lastError ?? new Error('Unable to initialize signer WASM from any candidate URL');\n } catch (e) {\n this.logger.error('Failed to initialize signer WASM:', e);\n throw e instanceof Error ? e : new Error(String(e));\n }\n }\n\n private isNodeEnvironment(): boolean {\n // Detect true Node.js, not Cloudflare Workers with nodejs_compat polyfills.\n const processObj = (globalThis as unknown as { process?: { versions?: { node?: string } } }).process;\n const isNode = Boolean(processObj?.versions?.node);\n // Cloudflare Workers expose WebSocketPair and may polyfill process.\n const webSocketPair = (globalThis as unknown as { WebSocketPair?: unknown }).WebSocketPair;\n const nav = (globalThis as unknown as { navigator?: { userAgent?: unknown } }).navigator;\n const isCloudflareWorker = typeof webSocketPair !== 'undefined'\n || (typeof nav?.userAgent === 'string' && nav.userAgent.includes('Cloudflare-Workers'));\n return isNode && !isCloudflareWorker;\n }\n\n private async resolveSignerWasmOverride(override: SignerWasmModuleSupplier): Promise<InitInput> {\n const candidate = typeof override === 'function'\n ? await (override as () => InitInput | Promise<InitInput>)()\n : await override;\n\n if (!candidate) {\n throw new Error('Signer WASM override resolved to an empty value');\n }\n\n return candidate;\n }\n\n /**\n * Initialize signer WASM in Node by loading the wasm file from disk.\n * Tries multiple candidate locations and falls back to path-based init if needed.\n */\n private async initSignerWasmForNode(candidates: URL[]): Promise<void> {\n const { fileURLToPath } = await import('node:url');\n const { readFile } = await import('node:fs/promises');\n\n // 1) Try reading and compiling bytes\n for (const url of candidates) {\n try {\n const filePath = fileURLToPath(url);\n const bytes = await readFile(filePath);\n // Ensure we pass an ArrayBuffer (not Buffer / SharedArrayBuffer) for WebAssembly.compile\n const ab = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(ab).set(bytes);\n const module = await WebAssembly.compile(ab);\n await initSignerWasm({ module_or_path: module });\n return;\n } catch { } // throw at end of function\n }\n\n // 2) Fallback: pass file path directly (supported in some environments)\n for (const url of candidates) {\n try {\n const filePath = fileURLToPath(url);\n await initSignerWasm({ module_or_path: filePath as unknown as InitInput });\n return;\n } catch { } // throw at end of function\n }\n\n throw new Error('[AuthService] Failed to initialize signer WASM from filesystem candidates');\n }\n\n /**\n * ===== Registration & authentication =====\n *\n * Helpers for creating accounts, registering WebAuthn credentials,\n * and verifying authentication responses.\n */\n\n /**\n * Create a new account with the specified balance\n */\n async createAccount(request: AccountCreationRequest): Promise<AccountCreationResult> {\n await this._ensureSignerAndRelayerAccount();\n\n return this.queueTransaction(async () => {\n try {\n if (!isValidAccountId(request.accountId)) {\n throw new Error(`Invalid account ID format: ${request.accountId}`);\n }\n\n // Check if account already exists\n this.logger.info(`Checking if account ${request.accountId} already exists...`);\n const accountExists = await this.checkAccountExists(request.accountId);\n if (accountExists) {\n throw new Error(`Account ${request.accountId} already exists. Cannot create duplicate account.`);\n }\n this.logger.info(`Account ${request.accountId} is available for creation`);\n\n const initialBalance = this.config.accountInitialBalance;\n\n this.logger.info(`Creating account: ${request.accountId}`);\n this.logger.info(`Initial balance: ${initialBalance} yoctoNEAR`);\n\n // Build actions for CreateAccount + Transfer + AddKey(FullAccess)\n const actions: ActionArgsWasm[] = [\n { action_type: ActionType.CreateAccount },\n { action_type: ActionType.Transfer, deposit: String(initialBalance) },\n {\n action_type: ActionType.AddKey,\n public_key: request.publicKey,\n access_key: JSON.stringify({\n nonce: 0,\n permission: { FullAccess: {} },\n }),\n }\n ];\n\n actions.forEach(validateActionArgsWasm);\n\n // Fetch nonce and block hash for relayer\n const { nextNonce, blockHash } = await this.fetchTxContext(this.config.relayerAccountId, this.relayerPublicKey);\n\n // Sign with relayer private key using WASM\n const signed = await this.signWithPrivateKey({\n nearPrivateKey: this.config.relayerPrivateKey,\n signerAccountId: this.config.relayerAccountId,\n receiverId: request.accountId,\n nonce: nextNonce,\n blockHash: blockHash,\n actions\n });\n\n // Broadcast transaction via MinimalNearClient using a strongly typed SignedTransaction\n const result = await this.nearClient.sendTransaction(signed);\n\n this.logger.info(`Account creation completed: ${result.transaction.hash}`);\n const nearAmount = (Number(BigInt(initialBalance)) / 1e24).toFixed(6);\n return {\n success: true,\n transactionHash: result.transaction.hash,\n accountId: request.accountId,\n message: `Account ${request.accountId} created with ${nearAmount} NEAR initial balance`\n };\n\n } catch (error: any) {\n this.logger.error(`Account creation failed for ${request.accountId}:`, error);\n const msg = errorMessage(error) || 'Unknown account creation error';\n return {\n success: false,\n error: msg,\n message: `Failed to create account ${request.accountId}: ${msg}`\n };\n }\n }, `create account ${request.accountId}`);\n }\n\n /**\n * Create account and register user with WebAuthn in a single atomic transaction\n */\n async createAccountAndRegisterUser(request: CreateAccountAndRegisterRequest): Promise<CreateAccountAndRegisterResult> {\n await this._ensureSignerAndRelayerAccount();\n\n return this.queueTransaction(async () => {\n try {\n if (!isValidAccountId(request.new_account_id)) {\n throw new Error(`Invalid account ID format: ${request.new_account_id}`);\n }\n\n // Check if account already exists\n this.logger.info(`Checking if account ${request.new_account_id} already exists...`);\n const accountExists = await this.checkAccountExists(request.new_account_id);\n if (accountExists) {\n throw new Error(`Account ${request.new_account_id} already exists. Cannot create duplicate account.`);\n }\n this.logger.info(`Account ${request.new_account_id} is available for atomic creation and registration`);\n this.logger.info(`Registering account: ${request.new_account_id}`);\n this.logger.info(`Contract: ${this.config.webAuthnContractId}`);\n\n // Prepare contract arguments\n const contractArgs = {\n new_account_id: request.new_account_id,\n new_public_key: request.new_public_key,\n vrf_data: request.vrf_data,\n webauthn_registration: request.webauthn_registration,\n deterministic_vrf_public_key: request.deterministic_vrf_public_key,\n authenticator_options: request.authenticator_options,\n };\n\n // Build single FunctionCall action\n const actions: ActionArgsWasm[] = [\n {\n action_type: ActionType.FunctionCall,\n method_name: 'create_account_and_register_user',\n args: JSON.stringify(contractArgs),\n gas: String(this.config.createAccountAndRegisterGas),\n deposit: String(this.config.accountInitialBalance)\n }\n ];\n actions.forEach(validateActionArgsWasm);\n\n const { nextNonce, blockHash } = await this.fetchTxContext(this.config.relayerAccountId, this.relayerPublicKey);\n const signed = await this.signWithPrivateKey({\n nearPrivateKey: this.config.relayerPrivateKey,\n signerAccountId: this.config.relayerAccountId,\n receiverId: this.config.webAuthnContractId,\n nonce: nextNonce,\n blockHash,\n actions\n });\n const result = await this.nearClient.sendTransaction(signed);\n\n // Parse contract execution results to detect failures\n const contractError = parseContractExecutionError(result, request.new_account_id);\n if (contractError) {\n this.logger.error(`Contract execution failed for ${request.new_account_id}:`, contractError);\n throw new Error(contractError);\n }\n\n this.logger.info(`Registration completed: ${result.transaction.hash}`);\n return {\n success: true,\n transactionHash: result.transaction.hash,\n message: `Account ${request.new_account_id} created and registered successfully`,\n contractResult: result,\n };\n\n } catch (error: any) {\n this.logger.error(`Atomic registration failed for ${request.new_account_id}:`, error);\n const msg = errorMessage(error) || 'Unknown atomic registration error';\n return {\n success: false,\n error: msg,\n message: `Failed to create and register account ${request.new_account_id}: ${msg}`\n };\n }\n }, `atomic create and register ${request.new_account_id}`);\n }\n\n /**\n * Verify authentication response and issue JWT (VIEW call)\n * Calls the web3authn contract's verify_authentication_response method via view\n * and issues a JWT or session credential upon successful verification\n */\n async verifyAuthenticationResponse(\n request: VerifyAuthenticationRequest\n ): Promise<VerifyAuthenticationResponse> {\n try {\n await this._ensureSignerAndRelayerAccount();\n\n const intentDigest32 = request?.vrf_data?.intent_digest_32;\n if (!Array.isArray(intentDigest32) || intentDigest32.length !== 32) {\n return {\n success: false,\n verified: false,\n code: 'invalid_intent_digest',\n message: 'Missing or invalid vrf_data.intent_digest_32 (expected 32 bytes)',\n };\n }\n const sessionPolicyDigest32 = (request?.vrf_data as { session_policy_digest_32?: unknown })?.session_policy_digest_32;\n if (sessionPolicyDigest32 !== undefined) {\n if (!Array.isArray(sessionPolicyDigest32) || sessionPolicyDigest32.length !== 32) {\n return {\n success: false,\n verified: false,\n code: 'invalid_session_policy_digest',\n message: 'Invalid vrf_data.session_policy_digest_32 (expected 32 bytes when present)',\n };\n }\n }\n\n const args = {\n vrf_data: request.vrf_data,\n webauthn_authentication: request.webauthn_authentication,\n };\n\n // Perform a VIEW function call (no gas) and parse the contract response\n const contractResponse = await this.nearClient.view<typeof args, unknown>({\n account: this.config.webAuthnContractId,\n method: 'verify_authentication_response',\n args\n });\n\n const verified = isObject(contractResponse) && contractResponse.verified === true;\n if (!verified) {\n return {\n success: false,\n verified: false,\n code: 'not_verified',\n message: 'Authentication verification failed',\n contractResponse,\n };\n }\n\n return {\n success: true,\n verified: true,\n sessionCredential: {\n userId: request.vrf_data.user_id,\n issuedAt: new Date().toISOString(),\n expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),\n },\n contractResponse,\n };\n } catch (error: any) {\n return {\n success: false,\n verified: false,\n code: 'internal',\n message: error?.message || 'Verification failed',\n };\n }\n }\n\n /**\n * Fetch Related Origin Requests (ROR) allowed origins from a NEAR view method.\n * Defaults: contractId = webAuthnContractId, method = 'get_allowed_origins', args = {}.\n * Returns a sanitized, deduplicated list of absolute origins.\n */\n public async getRorOrigins(opts?: { contractId?: string; method?: string; args?: unknown }): Promise<string[]> {\n const contractId = toOptionalTrimmedString(opts?.contractId) || this.config.webAuthnContractId.trim();\n const method = toOptionalTrimmedString(opts?.method) || 'get_allowed_origins';\n const args = opts?.args ?? {};\n\n try {\n const result = await this.nearClient.view<unknown, unknown>({ account: contractId, method, args });\n let list: unknown[] = [];\n if (Array.isArray(result)) {\n list = result;\n } else if (isObject(result) && Array.isArray(result.origins)) {\n list = result.origins;\n }\n const out = new Set<string>();\n for (const item of list) {\n const norm = toRorOriginOrNull(item);\n if (norm) out.add(norm);\n }\n return Array.from(out);\n } catch (e) {\n this.logger.warn('[AuthService] getRorOrigins failed:', e);\n return [];\n }\n }\n\n /**\n * Account existence helper used by registration flows.\n */\n async checkAccountExists(accountId: string): Promise<boolean> {\n await this._ensureSignerAndRelayerAccount();\n const isNotFound = (m: string) => /does not exist|UNKNOWN_ACCOUNT|unknown\\s+account/i.test(m);\n const isRetryable = (m: string) => /server error|internal|temporar|timeout|too many requests|429|empty response|rpc request failed/i.test(m);\n const attempts = 3;\n let lastErr: Error | null = null;\n for (let i = 1; i <= attempts; i++) {\n try {\n const view = await this.nearClient.viewAccount(accountId);\n return !!view;\n } catch (error: unknown) {\n const err = toError(error);\n lastErr = err;\n const msg = err.message;\n const details = (err as { details?: unknown }).details;\n let detailsBlob = '';\n if (details) {\n try {\n detailsBlob = typeof details === 'string' ? details : JSON.stringify(details);\n } catch {\n detailsBlob = '';\n }\n }\n const combined = `${msg}\\n${detailsBlob}`;\n if (isNotFound(combined)) return false;\n if (isRetryable(msg) && i < attempts) {\n const backoff = 150 * Math.pow(2, i - 1);\n await new Promise((r) => setTimeout(r, backoff));\n continue;\n }\n // As a safety valve for flaky RPCs, treat persistent retryable errors as not-found\n if (isRetryable(msg)) {\n this.logger.warn(`[AuthService] Assuming account '${accountId}' not found after retryable RPC errors:`, msg);\n return false;\n }\n this.logger.error(`Error checking account existence for ${accountId}:`, err);\n throw err;\n }\n }\n throw lastErr || new Error('Unknown error');\n }\n\n /**\n * ===== Delegate actions & transaction execution =====\n *\n * Flows that build and submit on-chain transactions, including NEP-461\n * SignedDelegate meta-transactions.\n */\n\n /**\n * Execute a NEP-461 SignedDelegate by wrapping it in an outer transaction\n * from the relayer account. This method is intended to be called by\n * example relayers (Node/Cloudflare) once a SignedDelegate has been\n * produced by the signer worker and returned to the application.\n *\n * Notes:\n * - Signature and hash computation are performed by the signer worker.\n * This method focuses on expiry/policy enforcement and meta-tx submission.\n * - Nonce/replay protection is left to the integrator; see docs for guidance.\n */\n async executeSignedDelegate(input: {\n hash: string;\n signedDelegate: SignedDelegate;\n policy?: DelegateActionPolicy;\n }): Promise<ExecuteSignedDelegateResult> {\n await this._ensureSignerAndRelayerAccount();\n\n if (!input?.hash || !input?.signedDelegate) {\n return {\n ok: false,\n code: 'invalid_delegate_request',\n error: 'hash and signedDelegate are required',\n };\n }\n\n const senderId = input.signedDelegate?.delegateAction?.senderId ?? 'unknown-sender';\n\n return this.queueTransaction(\n () => executeSignedDelegateWithRelayer({\n nearClient: this.nearClient,\n relayerAccountId: this.config.relayerAccountId,\n relayerPublicKey: this.relayerPublicKey,\n relayerPrivateKey: this.config.relayerPrivateKey,\n hash: input.hash,\n signedDelegate: input.signedDelegate,\n signWithPrivateKey: (args) => this.signWithPrivateKey(args),\n }),\n `execute signed delegate for ${senderId}`,\n );\n }\n\n // === Internal helpers for signing & RPC ===\n private async fetchTxContext(accountId: string, publicKey: string): Promise<{ nextNonce: string; blockHash: string }> {\n // Access key (if missing, assume nonce=0)\n let nonce = 0n;\n try {\n const ak = await this.nearClient.viewAccessKey(accountId, publicKey);\n nonce = BigInt(ak?.nonce ?? 0);\n } catch {\n nonce = 0n;\n }\n // Block\n const block = await this.nearClient.viewBlock({ finality: 'final' });\n const txBlockHash = block.header.hash;\n const nextNonce = (nonce + 1n).toString();\n return { nextNonce, blockHash: txBlockHash };\n }\n\n private async signWithPrivateKey(input: {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n }): Promise<SignedTransaction> {\n await this.ensureSignerWasm();\n const message = {\n type: WorkerRequestType.SignTransactionWithKeyPair,\n payload: {\n nearPrivateKey: input.nearPrivateKey,\n signerAccountId: input.signerAccountId,\n receiverId: input.receiverId,\n nonce: input.nonce,\n blockHash: input.blockHash,\n actions: input.actions\n }\n };\n // uses wasm signer worker's SignTransactionWithKeyPair action,\n // which doesn't require VRF worker session\n let response: unknown;\n try {\n response = await handle_signer_message(message);\n } catch (e: unknown) {\n const msg = errorMessage(e);\n // Log payload for debugging (redacting private key)\n this.logger.error('Signer WASM rejected message:', {\n error: msg,\n payload: JSON.stringify(message, (key, value) =>\n key === 'nearPrivateKey' ? '[REDACTED]' : value\n )\n });\n\n // This specific error is intentionally redacted inside the WASM worker.\n // When it occurs in production, it's commonly due to a JS/WASM version mismatch\n // (the JS message schema changed but an old worker wasm is still deployed).\n if (msg.includes('Invalid payload for SIGN_TRANSACTION_WITH_KEYPAIR')) {\n throw new Error(\n `Signer WASM rejected SIGN_TRANSACTION_WITH_KEYPAIR payload: ${msg}. Rebuild + redeploy the relayer so the bundled \\`wasm_signer_worker.js\\` and \\`wasm_signer_worker_bg.wasm\\` come from the same build.`,\n );\n }\n throw (e instanceof Error ? e : new Error(msg || 'Signing failed'));\n }\n const {\n transaction,\n signature,\n borshBytes\n } = extractFirstSignedTransactionFromWorkerResponse(response);\n\n return new SignedTransaction({\n transaction: transaction,\n signature: signature,\n borsh_bytes: borshBytes,\n });\n }\n\n /**\n * Framework-agnostic: handle verify-authentication request\n * Converts a generic ServerRequest to ServerResponse using this service\n */\n async handleVerifyAuthenticationResponse(request: VerifyAuthenticationRequest): Promise<VerifyAuthenticationResponse> {\n return this.verifyAuthenticationResponse(request);\n }\n\n /**\n * ZK-email recovery helper (stub).\n * Intended to call the global ZkEmailVerifier and per-user recovery contract\n * once zk-email proofs and public inputs are wired through.\n */\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n async recoverAccountFromZkEmailVerifier(_request: {\n accountId: string;\n proof: unknown;\n publicInputs: unknown;\n }): Promise<{\n success: boolean;\n transactionHash?: string;\n message?: string;\n error?: string;\n }> {\n return {\n success: false,\n error: 'recoverAccountFromZkEmailVerifier is not yet implemented',\n message: 'recoverAccountFromZkEmailVerifier is not yet implemented',\n };\n }\n\n /**\n * Express-style middleware factory for verify-authentication\n */\n verifyAuthenticationMiddleware() {\n return async (req: any, res: any) => {\n try {\n if (!req?.body) {\n res.status(400).json({ error: 'Request body is required' });\n return;\n }\n const body: VerifyAuthenticationRequest = req.body;\n if (!body.vrf_data || !body.webauthn_authentication) {\n res.status(400).json({ code: 'invalid_body', message: 'vrf_data and webauthn_authentication are required' });\n return;\n }\n const result = await this.verifyAuthenticationResponse(body);\n const status = result.success ? 200 : 400;\n if (status !== 200) {\n res.status(status).json({ code: 'not_verified', message: result.message || 'Authentication verification failed' });\n } else {\n res.status(status).json(result);\n }\n } catch (error: any) {\n this.logger.error('Error in verify authentication middleware:', error);\n res.status(500).json({ code: 'internal', message: error?.message || 'Internal server error' });\n }\n };\n }\n\n /**\n * Queue transactions to prevent nonce conflicts\n */\n private async queueTransaction<T>(operation: () => Promise<T>, description: string): Promise<T> {\n this.queueStats.pending++;\n this.logger.debug(`[AuthService] Queueing: ${description} (pending: ${this.queueStats.pending})`);\n\n this.transactionQueue = this.transactionQueue\n .then(async () => {\n try {\n this.logger.debug(`[AuthService] Executing: ${description}`);\n const result = await operation();\n this.queueStats.completed++;\n this.queueStats.pending--;\n this.logger.debug(`[AuthService] Completed: ${description} (pending: ${this.queueStats.pending})`);\n return result;\n } catch (error: any) {\n this.queueStats.failed++;\n this.queueStats.pending--;\n this.logger.error(\n `[AuthService] Failed: ${description} (failed: ${this.queueStats.failed}):`,\n errorMessage(error) || 'unknown error',\n );\n throw error;\n }\n })\n .catch((error) => {\n throw error;\n });\n\n return this.transactionQueue;\n }\n}\n\ninterface WorkerSignedTransactionPayload {\n transaction: WasmTransaction;\n signature: WasmSignature;\n borshBytes?: number[];\n borsh_bytes?: number[];\n}\n\nfunction extractFirstSignedTransactionFromWorkerResponse(response: any): {\n transaction: WasmTransaction;\n signature: WasmSignature;\n borshBytes: number[];\n} {\n const res = (typeof response === 'string' ? JSON.parse(response) : response) as {\n type?: WorkerResponseType;\n payload?: { signedTransactions?: WorkerSignedTransactionPayload[]; error?: string };\n } | undefined;\n\n if (res?.type !== WorkerResponseType.SignTransactionWithKeyPairSuccess) {\n const errMsg = res?.payload?.error || 'Signing failed';\n throw new Error(errMsg);\n }\n\n const payload = res?.payload;\n const signedTxs = (payload?.signedTransactions ?? []) as WorkerSignedTransactionPayload[];\n if (!Array.isArray(signedTxs) || signedTxs.length === 0) {\n throw new Error('No signed transaction returned');\n }\n const first = signedTxs[0];\n const borshBytes = first?.borshBytes ?? first?.borsh_bytes;\n if (!Array.isArray(borshBytes)) {\n throw new Error('Missing borsh bytes');\n }\n return {\n transaction: first.transaction,\n signature: first.signature,\n borshBytes,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA4CA,SAAS,SAAS,GAA0C;AAC1D,QAAO,CAAC,CAAC,KAAK,OAAO,MAAM,YAAY,CAAC,MAAM,QAAQ;;AAQxD,MAAM,wBAAwB;AAE9B,MAAM,4BAA4B;AAElC,SAAS,kBAAkB,QAAiC;CAC1D,MAAM,QAAQ,CAAC,uBAAuB;CACtC,MAAMA,WAAkB;CACxB,MAAM;AAEN,MAAK,MAAM,QAAQ,MACjB,KAAI;AACF,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM;AAC9B,WAAS,KAAK,IAAI,IAAI,MAAM;UACrB,KAAK;AACZ,SAAO,KAAK,wDAAwD,KAAK,KAAK;;AAIlF,KAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM;AAGlB,QAAO;;AAGT,SAAS,gCAAgC,KAA4D;AACnG,KAAI,CAAC,IAAK,QAAO;CAEjB,MAAM,WAAWC,yCAAwB,IAAI;CAC7C,MAAM,YAAYC,iDAAgC,IAAI;CAEtD,MAAM,yBAAyB;AAC7B,MAAI,UAAU,IAAK,QAAO;AAC1B,SAAO,QAAQC,2CAAwB,IAAI;;CAG7C,MAAM,eAAe;AACnB,MAAI,UAAU,KAAK;AACjB,OAAI,IAAI,SAAS,qBAAsB,QAAO;AAC9C,OAAI,IAAI,SAAS,YAAa,QAAO;AACrC,UAAO;;EAET,MAAM,aAAaA,2CAAwB,IAAI;EAC/C,MAAM,eAAeA,2CAAwB,IAAI;EACjD,MAAM,WAAWA,2CAAwB,IAAI;AAC7C,SAAQ,cAAc,eAAgB,YAAa,WAAW,UAAU;;CAG1E,MAAM,QAAQ;EAAC;EAAgC,YAAY;EAAY,aAAa;EAAa,SAAS;;AAC1G,KAAI,gBAAiB,OAAM,KAAK;AAChC,QAAO,MAAM,KAAK;;;;;;AAOpB,IAAa,cAAb,MAAyB;CACvB,AAAQ;CACR,AAAQ,gBAAgB;CACxB,AAAQ;CACR,AAAQ,mBAA2B;CACnC,AAAQ,kBAAkB;CAC1B,AAAiB;CACjB,AAAQ,qCAAqC;CAC7C,AAAQ,0BAA8D;CAGtE,AAAQ,mBAAiC,QAAQ;CACjD,AAAQ,aAAa;EAAE,SAAS;EAAG,WAAW;EAAG,QAAQ;;CAGzD,AAAgB,gBAAsC;CAEtD,AAAgB,gBAA6C;CAE7D,YAAY,QAAgC;AAC1C,OAAK,SAASC,uCAAwB;AACtC,OAAK,SAASC,4BAAa,KAAK,OAAO;EACvC,MAAM,sBAAsB,KAAK,OAAO,QAAQ,uBAAuB,IAAI;AAC3E,OAAK,gBAAgB,IAAIC,oCAAc,KAAK,OAAO,QAAQ,sBAAsB;AACjF,OAAK,aAAa,IAAIC,qCAAkB,KAAK,OAAO;AACpD,OAAK,gBAAgB,IAAIC,mCAAqB;GAC5C,kBAAkB,KAAK,OAAO;GAC9B,mBAAmB,KAAK,OAAO;GAC/B,WAAW,KAAK,OAAO;GACvB,2BAA2BC,wDAAiC;GAC5D,YAAY,KAAK;GACjB,QAAQ,KAAK,OAAO;GACpB,qCAAqC,KAAK;GAC1C,mBAAsB,IAAsB,UAAkB,KAAK,iBAAiB,IAAI;GACxF,iBAAiB,WAAmB,cAAsB,KAAK,eAAe,WAAW;GACzF,qBAAqB,UAAU,KAAK,mBAAmB;GACvD,2BAA2B,KAAK;GAChC,eAAe,KAAK,OAAO;;AAK7B,OAAK,OAAO,KAAK;;mBAEF,KAAK,OAAO,UAAU;oBACrB,KAAK,OAAO,WAAW;0BACjB,KAAK,OAAO,iBAAiB;4BAC3B,KAAK,OAAO,mBAAmB;+BAC5B,KAAK,OAAO,sBAAsB,IAAIC,gCAAkB,KAAK,OAAO,uBAAuB;qCACrF,KAAK,OAAO,4BAA4B,IAAIC,8BAAgB,KAAK,OAAO,6BAA6B;MACpI,KAAK,OAAO,SACR,oBAAoB,KAAK,OAAO,OAAO,cAAc,MAAM,GAAG,IAAI,8BAA8B,KAAK,OAAO,OAAO,gBAAgB,MAAM,GAAG,IAAI,8BAA8B,KAAK,OAAO,OAAO,gBAAgB,MAAM,GAAG,IAAI,OAC9N,2BACH;QACC,gCAAgC,KAAK,OAAO,0BAA0B;MACxE,KAAK,OAAO,eAAe,UACvB,oBAAoB,KAAK,OAAO,cAAc,YAC9C,kCACH;;;CAIL,MAAM,oBAAuE;AAC3E,QAAM,KAAK;AACX,SAAO;GACL,WAAW,KAAK,OAAO;GACvB,WAAW,KAAK;;;CAIpB,MAAM,kBAAkB,WAA2C;AACjE,QAAM,KAAK;AACX,SAAO,KAAK,WAAW,kBAAkB;;;;;;CAO3C,6BAAiE;AAC/D,MAAI,KAAK,mCAAoC,QAAO,KAAK;AACzD,OAAK,qCAAqC;AAE1C,MAAI,CAAC,KAAK,OAAO,0BAA0B;AACzC,QAAK,0BAA0B;AAC/B,UAAO;;AAGT,OAAK,0BAA0BC,oEAA8B;GAC3D,aAAa;GACb,0BAA0B,KAAK,OAAO;GACtC,QAAQ,KAAK;GACb,QAAQ,KAAK;;AAEf,SAAO,KAAK;;CAGd,wBAAgC;AAC9B,SAAO,KAAK,OAAO;;CAGrB,MAAM,SAAS,QAAgB,iBAAyD;AACtF,QAAM,KAAK;AACX,SAAO,KAAK,WAAW,SAAS,QAAQ;;;;;;CAO1C,MAAc,mCAAkD;AAC9D,MAAI,CAAC,KAAK,OAAO,QAAQ,aACvB;EAGF,MAAM,EAAE,gCAAgC,2CAAM;AAC9C,8BAA4B,KAAK,OAAO,OAAO;;CAGjD,MAAc,iCAAgD;AAC5D,MAAI,KAAK,cACP;AAIF,MAAI,KAAK,OAAO,UAAU,KAAK,eAAe;AAC5C,SAAM,KAAK;AACX,SAAM,KAAK,cAAc;;AAI3B,MAAI;AACF,QAAK,mBAAmBC,gDAA+B,KAAK,OAAO;WAC5D,GAAG;AACV,QAAK,OAAO,KAAK;AACjB,QAAK,mBAAmB;;AAI1B,QAAM,KAAK;AACX,OAAK,gBAAgB;;CAGvB,MAAc,mBAAkC;AAC9C,MAAI,KAAK,gBAAiB;EAC1B,MAAM,WAAW,KAAK,OAAO,YAAY;AACzC,MAAI,SACF,KAAI;GACF,MAAM,eAAe,MAAM,KAAK,0BAA0B;AAC1D,uEAAqB,EAAE,gBAAgB;AACvC,QAAK,kBAAkB;AACvB;WACO,GAAG;AACV,QAAK,OAAO,MAAM,2DAA2D;AAC7E,SAAM;;EAIV,IAAIC;AACJ,MAAI;AACF,gBAAa,kBAAkB,KAAK;WAC7B,KAAK;AACZ,QAAK,OAAO,MAAM,uCAAuC;AACzD,SAAM;;AAGR,MAAI;AACF,OAAI,KAAK,qBAAqB;AAC5B,UAAM,KAAK,sBAAsB;AACjC,SAAK,kBAAkB;AACvB;;GAGF,IAAIC,YAAqB;AACzB,QAAK,MAAM,aAAa,WACtB,KAAI;AACF,wEAAqB,EAAE,gBAAgB;AACvC,SAAK,kBAAkB;AACvB;YACO,KAAK;AACZ,gBAAY;AACZ,SAAK,OAAO,KAAK,yCAAyC,UAAU,WAAW;;AAInF,SAAM,6BAAa,IAAI,MAAM;WACtB,GAAG;AACV,QAAK,OAAO,MAAM,qCAAqC;AACvD,SAAM,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO;;;CAIpD,AAAQ,oBAA6B;EAEnC,MAAM,aAAc,WAAyE;EAC7F,MAAM,SAAS,QAAQ,YAAY,UAAU;EAE7C,MAAM,gBAAiB,WAAsD;EAC7E,MAAM,MAAO,WAAkE;EAC/E,MAAM,qBAAqB,OAAO,kBAAkB,eAC9C,OAAO,KAAK,cAAc,YAAY,IAAI,UAAU,SAAS;AACnE,SAAO,UAAU,CAAC;;CAGpB,MAAc,0BAA0B,UAAwD;EAC9F,MAAM,YAAY,OAAO,aAAa,aAClC,MAAO,aACP,MAAM;AAEV,MAAI,CAAC,UACH,OAAM,IAAI,MAAM;AAGlB,SAAO;;;;;;CAOT,MAAc,sBAAsB,YAAkC;EACpE,MAAM,EAAE,kBAAkB,MAAM,OAAO;EACvC,MAAM,EAAE,aAAa,MAAM,OAAO;AAGlC,OAAK,MAAM,OAAO,WAChB,KAAI;GACF,MAAM,WAAW,cAAc;GAC/B,MAAM,QAAQ,MAAM,SAAS;GAE7B,MAAM,KAAK,IAAI,YAAY,MAAM;AACjC,OAAI,WAAW,IAAI,IAAI;GACvB,MAAMC,WAAS,MAAM,YAAY,QAAQ;AACzC,uEAAqB,EAAE,gBAAgBA;AACvC;UACM;AAIV,OAAK,MAAM,OAAO,WAChB,KAAI;GACF,MAAM,WAAW,cAAc;AAC/B,uEAAqB,EAAE,gBAAgB;AACvC;UACM;AAGV,QAAM,IAAI,MAAM;;;;;;;;;;;CAalB,MAAM,cAAc,SAAiE;AACnF,QAAM,KAAK;AAEX,SAAO,KAAK,iBAAiB,YAAY;AACvC,OAAI;AACF,QAAI,CAACC,oCAAiB,QAAQ,WAC5B,OAAM,IAAI,MAAM,8BAA8B,QAAQ;AAIxD,SAAK,OAAO,KAAK,uBAAuB,QAAQ,UAAU;IAC1D,MAAM,gBAAgB,MAAM,KAAK,mBAAmB,QAAQ;AAC5D,QAAI,cACF,OAAM,IAAI,MAAM,WAAW,QAAQ,UAAU;AAE/C,SAAK,OAAO,KAAK,WAAW,QAAQ,UAAU;IAE9C,MAAM,iBAAiB,KAAK,OAAO;AAEnC,SAAK,OAAO,KAAK,qBAAqB,QAAQ;AAC9C,SAAK,OAAO,KAAK,oBAAoB,eAAe;IAGpD,MAAMC,UAA4B;KAChC,EAAE,aAAaC,2BAAW;KAC1B;MAAE,aAAaA,2BAAW;MAAU,SAAS,OAAO;;KACpD;MACE,aAAaA,2BAAW;MACxB,YAAY,QAAQ;MACpB,YAAY,KAAK,UAAU;OACzB,OAAO;OACP,YAAY,EAAE,YAAY;;;;AAKhC,YAAQ,QAAQC;IAGhB,MAAM,EAAE,WAAW,cAAc,MAAM,KAAK,eAAe,KAAK,OAAO,kBAAkB,KAAK;IAG9F,MAAM,SAAS,MAAM,KAAK,mBAAmB;KAC3C,gBAAgB,KAAK,OAAO;KAC5B,iBAAiB,KAAK,OAAO;KAC7B,YAAY,QAAQ;KACpB,OAAO;KACI;KACX;;IAIF,MAAM,SAAS,MAAM,KAAK,WAAW,gBAAgB;AAErD,SAAK,OAAO,KAAK,+BAA+B,OAAO,YAAY;IACnE,MAAM,cAAc,OAAO,OAAO,mBAAmB,MAAM,QAAQ;AACnE,WAAO;KACL,SAAS;KACT,iBAAiB,OAAO,YAAY;KACpC,WAAW,QAAQ;KACnB,SAAS,WAAW,QAAQ,UAAU,gBAAgB,WAAW;;YAG5DC,OAAY;AACnB,SAAK,OAAO,MAAM,+BAA+B,QAAQ,UAAU,IAAI;IACvE,MAAM,MAAMC,4BAAa,UAAU;AACnC,WAAO;KACL,SAAS;KACT,OAAO;KACP,SAAS,4BAA4B,QAAQ,UAAU,IAAI;;;KAG9D,kBAAkB,QAAQ;;;;;CAM/B,MAAM,6BAA6B,SAAmF;AACpH,QAAM,KAAK;AAEX,SAAO,KAAK,iBAAiB,YAAY;AACvC,OAAI;AACF,QAAI,CAACL,oCAAiB,QAAQ,gBAC5B,OAAM,IAAI,MAAM,8BAA8B,QAAQ;AAIxD,SAAK,OAAO,KAAK,uBAAuB,QAAQ,eAAe;IAC/D,MAAM,gBAAgB,MAAM,KAAK,mBAAmB,QAAQ;AAC5D,QAAI,cACF,OAAM,IAAI,MAAM,WAAW,QAAQ,eAAe;AAEpD,SAAK,OAAO,KAAK,WAAW,QAAQ,eAAe;AACnD,SAAK,OAAO,KAAK,wBAAwB,QAAQ;AACjD,SAAK,OAAO,KAAK,aAAa,KAAK,OAAO;IAG1C,MAAM,eAAe;KACnB,gBAAgB,QAAQ;KACxB,gBAAgB,QAAQ;KACxB,UAAU,QAAQ;KAClB,uBAAuB,QAAQ;KAC/B,8BAA8B,QAAQ;KACtC,uBAAuB,QAAQ;;IAIjC,MAAMC,UAA4B,CAChC;KACE,aAAaC,2BAAW;KACxB,aAAa;KACb,MAAM,KAAK,UAAU;KACrB,KAAK,OAAO,KAAK,OAAO;KACxB,SAAS,OAAO,KAAK,OAAO;;AAGhC,YAAQ,QAAQC;IAEhB,MAAM,EAAE,WAAW,cAAc,MAAM,KAAK,eAAe,KAAK,OAAO,kBAAkB,KAAK;IAC9F,MAAM,SAAS,MAAM,KAAK,mBAAmB;KAC3C,gBAAgB,KAAK,OAAO;KAC5B,iBAAiB,KAAK,OAAO;KAC7B,YAAY,KAAK,OAAO;KACxB,OAAO;KACP;KACA;;IAEF,MAAM,SAAS,MAAM,KAAK,WAAW,gBAAgB;IAGrD,MAAM,gBAAgBG,6CAA4B,QAAQ,QAAQ;AAClE,QAAI,eAAe;AACjB,UAAK,OAAO,MAAM,iCAAiC,QAAQ,eAAe,IAAI;AAC9E,WAAM,IAAI,MAAM;;AAGlB,SAAK,OAAO,KAAK,2BAA2B,OAAO,YAAY;AAC/D,WAAO;KACL,SAAS;KACT,iBAAiB,OAAO,YAAY;KACpC,SAAS,WAAW,QAAQ,eAAe;KAC3C,gBAAgB;;YAGXF,OAAY;AACnB,SAAK,OAAO,MAAM,kCAAkC,QAAQ,eAAe,IAAI;IAC/E,MAAM,MAAMC,4BAAa,UAAU;AACnC,WAAO;KACL,SAAS;KACT,OAAO;KACP,SAAS,yCAAyC,QAAQ,eAAe,IAAI;;;KAGhF,8BAA8B,QAAQ;;;;;;;CAQ3C,MAAM,6BACJ,SACuC;AACvC,MAAI;AACF,SAAM,KAAK;GAEX,MAAM,iBAAiB,SAAS,UAAU;AAC1C,OAAI,CAAC,MAAM,QAAQ,mBAAmB,eAAe,WAAW,GAC9D,QAAO;IACL,SAAS;IACT,UAAU;IACV,MAAM;IACN,SAAS;;GAGb,MAAM,yBAAyB,SAAS,WAAqD;AAC7F,OAAI,0BAA0B,QAC5B;QAAI,CAAC,MAAM,QAAQ,0BAA0B,sBAAsB,WAAW,GAC5E,QAAO;KACL,SAAS;KACT,UAAU;KACV,MAAM;KACN,SAAS;;;GAKf,MAAM,OAAO;IACX,UAAU,QAAQ;IAClB,yBAAyB,QAAQ;;GAInC,MAAM,mBAAmB,MAAM,KAAK,WAAW,KAA2B;IACxE,SAAS,KAAK,OAAO;IACrB,QAAQ;IACR;;GAGF,MAAM,WAAW,SAAS,qBAAqB,iBAAiB,aAAa;AAC7E,OAAI,CAAC,SACH,QAAO;IACL,SAAS;IACT,UAAU;IACV,MAAM;IACN,SAAS;IACT;;AAIJ,UAAO;IACL,SAAS;IACT,UAAU;IACV,mBAAmB;KACjB,QAAQ,QAAQ,SAAS;KACzB,2BAAU,IAAI,QAAO;KACrB,WAAW,IAAI,KAAK,KAAK,QAAQ,OAAU,KAAK,KAAM;;IAExD;;WAEKD,OAAY;AACnB,UAAO;IACL,SAAS;IACT,UAAU;IACV,MAAM;IACN,SAAS,OAAO,WAAW;;;;;;;;;CAUjC,MAAa,cAAc,MAAoF;EAC7G,MAAM,aAAalB,2CAAwB,MAAM,eAAe,KAAK,OAAO,mBAAmB;EAC/F,MAAM,SAASA,2CAAwB,MAAM,WAAW;EACxD,MAAM,OAAO,MAAM,QAAQ;AAE3B,MAAI;GACF,MAAM,SAAS,MAAM,KAAK,WAAW,KAAuB;IAAE,SAAS;IAAY;IAAQ;;GAC3F,IAAIqB,OAAkB;AACtB,OAAI,MAAM,QAAQ,QAChB,QAAO;YACE,SAAS,WAAW,MAAM,QAAQ,OAAO,SAClD,QAAO,OAAO;GAEhB,MAAM,sBAAM,IAAI;AAChB,QAAK,MAAM,QAAQ,MAAM;IACvB,MAAM,OAAOC,qCAAkB;AAC/B,QAAI,KAAM,KAAI,IAAI;;AAEpB,UAAO,MAAM,KAAK;WACX,GAAG;AACV,QAAK,OAAO,KAAK,uCAAuC;AACxD,UAAO;;;;;;CAOX,MAAM,mBAAmB,WAAqC;AAC5D,QAAM,KAAK;EACX,MAAM,cAAc,MAAc,oDAAoD,KAAK;EAC3F,MAAM,eAAe,MAAc,kGAAkG,KAAK;EAC1I,MAAM,WAAW;EACjB,IAAIC,UAAwB;AAC5B,OAAK,IAAI,IAAI,GAAG,KAAK,UAAU,IAC7B,KAAI;GACF,MAAM,OAAO,MAAM,KAAK,WAAW,YAAY;AAC/C,UAAO,CAAC,CAAC;WACFC,OAAgB;GACvB,MAAM,MAAMC,uBAAQ;AACpB,aAAU;GACV,MAAM,MAAM,IAAI;GAChB,MAAM,UAAW,IAA8B;GAC/C,IAAI,cAAc;AAClB,OAAI,QACF,KAAI;AACF,kBAAc,OAAO,YAAY,WAAW,UAAU,KAAK,UAAU;WAC/D;AACN,kBAAc;;GAGlB,MAAM,WAAW,GAAG,IAAI,IAAI;AAC5B,OAAI,WAAW,UAAW,QAAO;AACjC,OAAI,YAAY,QAAQ,IAAI,UAAU;IACpC,MAAM,UAAU,MAAM,KAAK,IAAI,GAAG,IAAI;AACtC,UAAM,IAAI,SAAS,MAAM,WAAW,GAAG;AACvC;;AAGF,OAAI,YAAY,MAAM;AACpB,SAAK,OAAO,KAAK,mCAAmC,UAAU,0CAA0C;AACxG,WAAO;;AAET,QAAK,OAAO,MAAM,wCAAwC,UAAU,IAAI;AACxE,SAAM;;AAGV,QAAM,2BAAW,IAAI,MAAM;;;;;;;;;;;;;;;;;;;CAqB7B,MAAM,sBAAsB,OAIa;AACvC,QAAM,KAAK;AAEX,MAAI,CAAC,OAAO,QAAQ,CAAC,OAAO,eAC1B,QAAO;GACL,IAAI;GACJ,MAAM;GACN,OAAO;;EAIX,MAAM,WAAW,MAAM,gBAAgB,gBAAgB,YAAY;AAEnE,SAAO,KAAK,uBACJC,iDAAiC;GACrC,YAAY,KAAK;GACjB,kBAAkB,KAAK,OAAO;GAC9B,kBAAkB,KAAK;GACvB,mBAAmB,KAAK,OAAO;GAC/B,MAAM,MAAM;GACZ,gBAAgB,MAAM;GACtB,qBAAqB,SAAS,KAAK,mBAAmB;MAExD,+BAA+B;;CAKnC,MAAc,eAAe,WAAmB,WAAsE;EAEpH,IAAI,QAAQ;AACZ,MAAI;GACF,MAAM,KAAK,MAAM,KAAK,WAAW,cAAc,WAAW;AAC1D,WAAQ,OAAO,IAAI,SAAS;UACtB;AACN,WAAQ;;EAGV,MAAM,QAAQ,MAAM,KAAK,WAAW,UAAU,EAAE,UAAU;EAC1D,MAAM,cAAc,MAAM,OAAO;EACjC,MAAM,aAAa,QAAQ,IAAI;AAC/B,SAAO;GAAE;GAAW,WAAW;;;CAGjC,MAAc,mBAAmB,OAOF;AAC7B,QAAM,KAAK;EACX,MAAM,UAAU;GACd,MAAMC,mEAAkB;GACxB,SAAS;IACP,gBAAgB,MAAM;IACtB,iBAAiB,MAAM;IACvB,YAAY,MAAM;IAClB,OAAO,MAAM;IACb,WAAW,MAAM;IACjB,SAAS,MAAM;;;EAKnB,IAAIC;AACJ,MAAI;AACF,cAAW,kFAA4B;WAChCC,GAAY;GACnB,MAAM,MAAMV,4BAAa;AAEzB,QAAK,OAAO,MAAM,iCAAiC;IACjD,OAAO;IACP,SAAS,KAAK,UAAU,UAAU,KAAK,UACrC,QAAQ,mBAAmB,eAAe;;AAO9C,OAAI,IAAI,SAAS,qDACf,OAAM,IAAI,MACR,+DAA+D,IAAI;AAGvE,SAAO,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO;;EAEnD,MAAM,EACJ,aACA,WACA,eACE,gDAAgD;AAEpD,SAAO,IAAIW,qCAAkB;GACd;GACF;GACX,aAAa;;;;;;;CAQjB,MAAM,mCAAmC,SAA6E;AACpH,SAAO,KAAK,6BAA6B;;;;;;;CAS3C,MAAM,kCAAkC,UASrC;AACD,SAAO;GACL,SAAS;GACT,OAAO;GACP,SAAS;;;;;;CAOb,iCAAiC;AAC/B,SAAO,OAAO,KAAU,QAAa;AACnC,OAAI;AACF,QAAI,CAAC,KAAK,MAAM;AACd,SAAI,OAAO,KAAK,KAAK,EAAE,OAAO;AAC9B;;IAEF,MAAMC,OAAoC,IAAI;AAC9C,QAAI,CAAC,KAAK,YAAY,CAAC,KAAK,yBAAyB;AACnD,SAAI,OAAO,KAAK,KAAK;MAAE,MAAM;MAAgB,SAAS;;AACtD;;IAEF,MAAM,SAAS,MAAM,KAAK,6BAA6B;IACvD,MAAM,SAAS,OAAO,UAAU,MAAM;AACtC,QAAI,WAAW,IACb,KAAI,OAAO,QAAQ,KAAK;KAAE,MAAM;KAAgB,SAAS,OAAO,WAAW;;QAE3E,KAAI,OAAO,QAAQ,KAAK;YAEnBb,OAAY;AACnB,SAAK,OAAO,MAAM,8CAA8C;AAChE,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAY,SAAS,OAAO,WAAW;;;;;;;;CAQ1E,MAAc,iBAAoB,WAA6B,aAAiC;AAC9F,OAAK,WAAW;AAChB,OAAK,OAAO,MAAM,2BAA2B,YAAY,aAAa,KAAK,WAAW,QAAQ;AAE9F,OAAK,mBAAmB,KAAK,iBAC1B,KAAK,YAAY;AAChB,OAAI;AACF,SAAK,OAAO,MAAM,4BAA4B;IAC9C,MAAM,SAAS,MAAM;AACrB,SAAK,WAAW;AAChB,SAAK,WAAW;AAChB,SAAK,OAAO,MAAM,4BAA4B,YAAY,aAAa,KAAK,WAAW,QAAQ;AAC/F,WAAO;YACAA,OAAY;AACnB,SAAK,WAAW;AAChB,SAAK,WAAW;AAChB,SAAK,OAAO,MACV,yBAAyB,YAAY,YAAY,KAAK,WAAW,OAAO,KACxEC,4BAAa,UAAU;AAEzB,UAAM;;KAGT,OAAO,UAAU;AAChB,SAAM;;AAGV,SAAO,KAAK;;;AAWhB,SAAS,gDAAgD,UAIvD;CACA,MAAM,MAAO,OAAO,aAAa,WAAW,KAAK,MAAM,YAAY;AAKnE,KAAI,KAAK,SAASa,oEAAmB,mCAAmC;EACtE,MAAM,SAAS,KAAK,SAAS,SAAS;AACtC,QAAM,IAAI,MAAM;;CAGlB,MAAM,UAAU,KAAK;CACrB,MAAM,YAAa,SAAS,sBAAsB;AAClD,KAAI,CAAC,MAAM,QAAQ,cAAc,UAAU,WAAW,EACpD,OAAM,IAAI,MAAM;CAElB,MAAM,QAAQ,UAAU;CACxB,MAAM,aAAa,OAAO,cAAc,OAAO;AAC/C,KAAI,CAAC,MAAM,QAAQ,YACjB,OAAM,IAAI,MAAM;AAElB,QAAO;EACL,aAAa,MAAM;EACnB,WAAW,MAAM;EACjB"}
1
+ {"version":3,"file":"AuthService.js","names":["base64UrlDecode","errorMessage","out: number[]","toOptionalTrimmedString","base: Record<string, unknown>","resolved: URL[]","coerceThresholdNodeRole","coerceThresholdEd25519ShareMode","createAuthServiceConfig","coerceLogger","ShamirService","MinimalNearClient","EmailRecoveryService","DEFAULT_EMAIL_RECOVERY_CONTRACTS","formatYoctoToNear","formatGasToTGas","createThresholdSigningService","toPublicKeyStringFromSecretKey","candidates: URL[]","lastError: unknown","module","isValidAccountId","actions: ActionArgsWasm[]","ActionType","validateActionArgsWasm","error: any","parseContractExecutionError","list: unknown[]","toRorOriginOrNull","lastErr: Error | null","error: unknown","toError","executeSignedDelegateWithRelayer","WorkerRequestType","response: unknown","e: unknown","SignedTransaction","body: VerifyAuthenticationRequest","WorkerResponseType"],"sources":["../../../../src/server/core/AuthService.ts"],"sourcesContent":["import { ActionType, type ActionArgsWasm, validateActionArgsWasm } from '../../core/types/actions';\nimport { MinimalNearClient, SignedTransaction, type AccessKeyList } from '../../core/NearClient';\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport { toPublicKeyStringFromSecretKey } from './nearKeys';\nimport { createAuthServiceConfig } from './config';\nimport { formatGasToTGas, formatYoctoToNear } from './utils';\nimport { parseContractExecutionError } from './errors';\nimport { isValidAccountId, toOptionalTrimmedString, toRorOriginOrNull } from '../../utils/validation';\nimport { coerceThresholdEd25519ShareMode, coerceThresholdNodeRole } from './ThresholdService/config';\nimport type { ThresholdSigningService as ThresholdSigningServiceType } from './ThresholdService';\nimport { createThresholdSigningService } from './ThresholdService';\nimport initSignerWasm, {\n handle_signer_message,\n WorkerRequestType,\n WorkerResponseType,\n type InitInput,\n type WasmTransaction,\n type WasmSignature,\n} from '../../wasm_signer_worker/pkg/wasm_signer_worker.js';\n\nimport type {\n AuthServiceConfig,\n AuthServiceConfigInput,\n AccountCreationRequest,\n AccountCreationResult,\n CreateAccountAndRegisterRequest,\n CreateAccountAndRegisterResult,\n VerifyAuthenticationRequest,\n VerifyAuthenticationResponse,\n SignerWasmModuleSupplier,\n} from './types';\n\nimport { DEFAULT_EMAIL_RECOVERY_CONTRACTS } from '../../core/defaultConfigs';\nimport { EmailRecoveryService } from '../email-recovery';\nimport { ShamirService } from './ShamirService';\nimport { SignedDelegate } from '../../core/types/delegate';\nimport {\n type ExecuteSignedDelegateResult,\n executeSignedDelegateWithRelayer,\n type DelegateActionPolicy,\n} from '../delegateAction';\nimport { coerceLogger, type NormalizedLogger } from './logger';\nimport { errorMessage, toError } from '../../utils/errors';\nimport { base64UrlDecode } from '../../utils/encoders';\n\nfunction isObject(v: unknown): v is Record<string, unknown> {\n return !!v && typeof v === 'object' && !Array.isArray(v);\n}\n\nfunction normalizeU8ArrayLike(input: unknown, fieldName: string): number[] {\n if (input instanceof Uint8Array) return Array.from(input);\n if (typeof input === 'string') {\n try {\n return Array.from(base64UrlDecode(input));\n } catch (err) {\n throw new Error(`Invalid ${fieldName}: expected base64url string (${errorMessage(err) || 'decode failed'})`);\n }\n }\n if (Array.isArray(input)) {\n const out: number[] = [];\n for (const v of input) {\n const n = Number(v);\n if (!Number.isFinite(n) || n < 0 || n > 255) {\n throw new Error(`Invalid ${fieldName}: expected byte array (0..255)`);\n }\n out.push(Math.floor(n));\n }\n return out;\n }\n throw new Error(`Invalid ${fieldName}: expected number[] or base64url string`);\n}\n\nfunction normalizeContractVrfDataForContract(input: unknown): Record<string, unknown> {\n if (!isObject(input)) throw new Error('Missing or invalid vrf_data');\n const user_id = toOptionalTrimmedString(input.user_id);\n const rp_id = toOptionalTrimmedString(input.rp_id);\n const block_height_raw = input.block_height;\n const block_height = typeof block_height_raw === 'number'\n ? block_height_raw\n : Number(block_height_raw);\n\n if (!user_id) throw new Error('Missing vrf_data.user_id');\n if (!rp_id) throw new Error('Missing vrf_data.rp_id');\n if (!Number.isFinite(block_height) || block_height <= 0) throw new Error('Invalid vrf_data.block_height');\n\n const base: Record<string, unknown> = {\n vrf_input_data: normalizeU8ArrayLike(input.vrf_input_data, 'vrf_data.vrf_input_data'),\n vrf_output: normalizeU8ArrayLike(input.vrf_output, 'vrf_data.vrf_output'),\n vrf_proof: normalizeU8ArrayLike(input.vrf_proof, 'vrf_data.vrf_proof'),\n public_key: normalizeU8ArrayLike(input.public_key, 'vrf_data.public_key'),\n user_id,\n rp_id,\n block_height,\n block_hash: normalizeU8ArrayLike(input.block_hash, 'vrf_data.block_hash'),\n intent_digest_32: normalizeU8ArrayLike(input.intent_digest_32, 'vrf_data.intent_digest_32'),\n };\n\n if (Object.prototype.hasOwnProperty.call(input, 'session_policy_digest_32')) {\n const v = input.session_policy_digest_32;\n if (v != null) {\n base.session_policy_digest_32 = normalizeU8ArrayLike(v, 'vrf_data.session_policy_digest_32');\n }\n }\n\n return base;\n}\n\n// =============================\n// WASM URL CONSTANTS + HELPERS\n// =============================\n\n// Primary location (preserveModules output)\nconst SIGNER_WASM_MAIN_PATH = '../../wasm_signer_worker/pkg/wasm_signer_worker_bg.wasm';\n// Fallback location (dist/workers copy step)\nconst SIGNER_WASM_FALLBACK_PATH = '../../../workers/wasm_signer_worker_bg.wasm';\n\nfunction getSignerWasmUrls(logger: NormalizedLogger): URL[] {\n const paths = [SIGNER_WASM_MAIN_PATH, SIGNER_WASM_FALLBACK_PATH];\n const resolved: URL[] = [];\n const baseUrl = import.meta.url;\n\n for (const path of paths) {\n try {\n if (!baseUrl) throw new Error('import.meta.url is undefined');\n resolved.push(new URL(path, baseUrl));\n } catch (err) {\n logger.warn(`Failed to resolve signer WASM relative URL for path \"${path}\":`, err);\n }\n }\n\n if (!resolved.length) {\n throw new Error('Unable to resolve signer WASM location from import.meta.url. Provide AuthServiceConfig.signerWasm.moduleOrPath in this runtime.');\n }\n\n return resolved;\n}\n\nfunction summarizeThresholdEd25519Config(cfg: AuthServiceConfig['thresholdEd25519KeyStore']): string {\n if (!cfg) return 'thresholdEd25519: not configured';\n\n const nodeRole = coerceThresholdNodeRole(cfg.THRESHOLD_NODE_ROLE);\n const shareMode = coerceThresholdEd25519ShareMode(cfg.THRESHOLD_ED25519_SHARE_MODE);\n\n const masterSecretSet = (() => {\n if ('kind' in cfg) return false;\n return Boolean(toOptionalTrimmedString(cfg.THRESHOLD_ED25519_MASTER_SECRET_B64U));\n })();\n\n const store = (() => {\n if ('kind' in cfg) {\n if (cfg.kind === 'upstash-redis-rest') return 'upstash';\n if (cfg.kind === 'redis-tcp') return 'redis';\n return 'in-memory';\n }\n const upstashUrl = toOptionalTrimmedString(cfg.UPSTASH_REDIS_REST_URL);\n const upstashToken = toOptionalTrimmedString(cfg.UPSTASH_REDIS_REST_TOKEN);\n const redisUrl = toOptionalTrimmedString(cfg.REDIS_URL);\n return (upstashUrl || upstashToken) ? 'upstash' : (redisUrl ? 'redis' : 'in-memory');\n })();\n\n const parts = [`thresholdEd25519: configured`, `nodeRole=${nodeRole}`, `shareMode=${shareMode}`, `store=${store}`];\n if (masterSecretSet) parts.push('masterSecret=set');\n return parts.join(' ');\n}\n\n/**\n * Framework-agnostic NEAR account service\n * Core business logic for account creation and registration operations\n */\nexport class AuthService {\n private config: AuthServiceConfig;\n private isInitialized = false;\n private nearClient: MinimalNearClient;\n private relayerPublicKey: string = '';\n private signerWasmReady = false;\n private readonly logger: NormalizedLogger;\n private thresholdSigningServiceInitialized = false;\n private thresholdSigningService: ThresholdSigningServiceType | null = null;\n\n // Transaction queue to prevent nonce conflicts\n private transactionQueue: Promise<any> = Promise.resolve();\n private queueStats = { pending: 0, completed: 0, failed: 0 };\n\n // Shamir 3-pass key management (delegated to ShamirService)\n public readonly shamirService: ShamirService | null = null;\n // DKIM/TEE email recovery logic (delegated to EmailRecoveryService)\n public readonly emailRecovery: EmailRecoveryService | null = null;\n\n constructor(config: AuthServiceConfigInput) {\n this.config = createAuthServiceConfig(config);\n this.logger = coerceLogger(this.config.logger);\n const graceFileCandidate = (this.config.shamir?.graceShamirKeysFile || '').trim();\n this.shamirService = new ShamirService(this.config.shamir, graceFileCandidate || 'grace-keys.json');\n this.nearClient = new MinimalNearClient(this.config.nearRpcUrl);\n this.emailRecovery = new EmailRecoveryService({\n relayerAccountId: this.config.relayerAccountId,\n relayerPrivateKey: this.config.relayerPrivateKey,\n networkId: this.config.networkId,\n emailDkimVerifierContract: DEFAULT_EMAIL_RECOVERY_CONTRACTS.emailDkimVerifierContract,\n nearClient: this.nearClient,\n logger: this.config.logger,\n ensureSignerAndRelayerAccount: () => this._ensureSignerAndRelayerAccount(),\n queueTransaction: <T>(fn: () => Promise<T>, label: string) => this.queueTransaction(fn, label),\n fetchTxContext: (accountId: string, publicKey: string) => this.fetchTxContext(accountId, publicKey),\n signWithPrivateKey: (input) => this.signWithPrivateKey(input),\n getRelayerPublicKey: () => this.relayerPublicKey,\n zkEmailProver: this.config.zkEmailProver,\n });\n\n // Log effective configuration at construction time so operators can\n // verify wiring immediately when the service is created.\n this.logger.info(`\n AuthService initialized with:\n • networkId: ${this.config.networkId}\n • nearRpcUrl: ${this.config.nearRpcUrl}\n • relayerAccountId: ${this.config.relayerAccountId}\n • webAuthnContractId: ${this.config.webAuthnContractId}\n • accountInitialBalance: ${this.config.accountInitialBalance} (${formatYoctoToNear(this.config.accountInitialBalance)} NEAR)\n • createAccountAndRegisterGas: ${this.config.createAccountAndRegisterGas} (${formatGasToTGas(this.config.createAccountAndRegisterGas)})\n ${this.config.shamir\n ? `• shamir_p_b64u: ${this.config.shamir.shamir_p_b64u.slice(0, 10)}...\\n • shamir_e_s_b64u: ${this.config.shamir.shamir_e_s_b64u.slice(0, 10)}...\\n • shamir_d_s_b64u: ${this.config.shamir.shamir_d_s_b64u.slice(0, 10)}...`\n : '• shamir: not configured'\n }\n • ${summarizeThresholdEd25519Config(this.config.thresholdEd25519KeyStore)}\n ${this.config.zkEmailProver?.baseUrl\n ? `• zkEmailProver: ${this.config.zkEmailProver.baseUrl}`\n : `• zkEmailProver: not configured`\n }\n `);\n }\n\n async getRelayerAccount(): Promise<{ accountId: string; publicKey: string }> {\n await this._ensureSignerAndRelayerAccount();\n return {\n accountId: this.config.relayerAccountId,\n publicKey: this.relayerPublicKey\n };\n }\n\n async viewAccessKeyList(accountId: string): Promise<AccessKeyList> {\n await this._ensureSignerAndRelayerAccount();\n return this.nearClient.viewAccessKeyList(accountId);\n }\n\n /**\n * Lazily constructs the threshold signing service when `thresholdEd25519KeyStore` is configured.\n * Routers may call this to auto-enable `/threshold-ed25519/*` endpoints.\n */\n getThresholdSigningService(): ThresholdSigningServiceType | null {\n if (this.thresholdSigningServiceInitialized) return this.thresholdSigningService;\n this.thresholdSigningServiceInitialized = true;\n\n if (!this.config.thresholdEd25519KeyStore) {\n this.thresholdSigningService = null;\n return null;\n }\n\n this.thresholdSigningService = createThresholdSigningService({\n authService: this,\n thresholdEd25519KeyStore: this.config.thresholdEd25519KeyStore,\n logger: this.logger,\n isNode: this.isNodeEnvironment(),\n });\n return this.thresholdSigningService;\n }\n\n getWebAuthnContractId(): string {\n return this.config.webAuthnContractId;\n }\n\n async txStatus(txHash: string, senderAccountId: string): Promise<FinalExecutionOutcome> {\n await this._ensureSignerAndRelayerAccount();\n return this.nearClient.txStatus(txHash, senderAccountId);\n }\n\n /**\n * Configure Shamir WASM module override for serverless environments\n * Required for Cloudflare Workers where import.meta.url doesn't work\n */\n private async configureShamirWasmForServerless(): Promise<void> {\n if (!this.config.shamir?.moduleOrPath) {\n return;\n }\n\n const { setShamirWasmModuleOverride } = await import('./shamirWorker.js');\n setShamirWasmModuleOverride(this.config.shamir.moduleOrPath);\n }\n\n private async _ensureSignerAndRelayerAccount(): Promise<void> {\n if (this.isInitialized) {\n return;\n }\n\n // Initialize Shamir 3-pass via ShamirService (if configured)\n if (this.config.shamir && this.shamirService) {\n await this.configureShamirWasmForServerless();\n await this.shamirService.ensureReady();\n }\n\n // Derive public key from configured relayer private key\n try {\n this.relayerPublicKey = toPublicKeyStringFromSecretKey(this.config.relayerPrivateKey);\n } catch (e) {\n this.logger.warn('Failed to derive public key from relayerPrivateKey; ensure it is in ed25519:<base58> format');\n this.relayerPublicKey = '';\n }\n\n // Prepare signer WASM for transaction building/signing\n await this.ensureSignerWasm();\n this.isInitialized = true;\n }\n\n private async ensureSignerWasm(): Promise<void> {\n if (this.signerWasmReady) return;\n const override = this.config.signerWasm?.moduleOrPath;\n if (override) {\n try {\n const moduleOrPath = await this.resolveSignerWasmOverride(override);\n await initSignerWasm({ module_or_path: moduleOrPath as InitInput });\n this.signerWasmReady = true;\n return;\n } catch (e) {\n this.logger.error('Failed to initialize signer WASM via provided override:', e);\n throw e;\n }\n }\n\n let candidates: URL[];\n try {\n candidates = getSignerWasmUrls(this.logger);\n } catch (err) {\n this.logger.error('Failed to resolve signer WASM URLs:', err);\n throw err;\n }\n\n try {\n if (this.isNodeEnvironment()) {\n await this.initSignerWasmForNode(candidates);\n this.signerWasmReady = true;\n return;\n }\n\n let lastError: unknown = null;\n for (const candidate of candidates) {\n try {\n await initSignerWasm({ module_or_path: candidate as InitInput });\n this.signerWasmReady = true;\n return;\n } catch (err) {\n lastError = err;\n this.logger.warn(`Failed to initialize signer WASM from ${candidate.toString()}, trying next candidate...`);\n }\n }\n\n throw lastError ?? new Error('Unable to initialize signer WASM from any candidate URL');\n } catch (e) {\n this.logger.error('Failed to initialize signer WASM:', e);\n throw e instanceof Error ? e : new Error(String(e));\n }\n }\n\n private isNodeEnvironment(): boolean {\n // Detect true Node.js, not Cloudflare Workers with nodejs_compat polyfills.\n const processObj = (globalThis as unknown as { process?: { versions?: { node?: string } } }).process;\n const isNode = Boolean(processObj?.versions?.node);\n // Cloudflare Workers expose WebSocketPair and may polyfill process.\n const webSocketPair = (globalThis as unknown as { WebSocketPair?: unknown }).WebSocketPair;\n const nav = (globalThis as unknown as { navigator?: { userAgent?: unknown } }).navigator;\n const isCloudflareWorker = typeof webSocketPair !== 'undefined'\n || (typeof nav?.userAgent === 'string' && nav.userAgent.includes('Cloudflare-Workers'));\n return isNode && !isCloudflareWorker;\n }\n\n private async resolveSignerWasmOverride(override: SignerWasmModuleSupplier): Promise<InitInput> {\n const candidate = typeof override === 'function'\n ? await (override as () => InitInput | Promise<InitInput>)()\n : await override;\n\n if (!candidate) {\n throw new Error('Signer WASM override resolved to an empty value');\n }\n\n return candidate;\n }\n\n /**\n * Initialize signer WASM in Node by loading the wasm file from disk.\n * Tries multiple candidate locations and falls back to path-based init if needed.\n */\n private async initSignerWasmForNode(candidates: URL[]): Promise<void> {\n const { fileURLToPath } = await import('node:url');\n const { readFile } = await import('node:fs/promises');\n\n // 1) Try reading and compiling bytes\n for (const url of candidates) {\n try {\n const filePath = fileURLToPath(url);\n const bytes = await readFile(filePath);\n // Ensure we pass an ArrayBuffer (not Buffer / SharedArrayBuffer) for WebAssembly.compile\n const ab = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(ab).set(bytes);\n const module = await WebAssembly.compile(ab);\n await initSignerWasm({ module_or_path: module });\n return;\n } catch { } // throw at end of function\n }\n\n // 2) Fallback: pass file path directly (supported in some environments)\n for (const url of candidates) {\n try {\n const filePath = fileURLToPath(url);\n await initSignerWasm({ module_or_path: filePath as unknown as InitInput });\n return;\n } catch { } // throw at end of function\n }\n\n throw new Error('[AuthService] Failed to initialize signer WASM from filesystem candidates');\n }\n\n /**\n * ===== Registration & authentication =====\n *\n * Helpers for creating accounts, registering WebAuthn credentials,\n * and verifying authentication responses.\n */\n\n /**\n * Create a new account with the specified balance\n */\n async createAccount(request: AccountCreationRequest): Promise<AccountCreationResult> {\n await this._ensureSignerAndRelayerAccount();\n\n return this.queueTransaction(async () => {\n try {\n if (!isValidAccountId(request.accountId)) {\n throw new Error(`Invalid account ID format: ${request.accountId}`);\n }\n\n // Check if account already exists\n this.logger.info(`Checking if account ${request.accountId} already exists...`);\n const accountExists = await this.checkAccountExists(request.accountId);\n if (accountExists) {\n throw new Error(`Account ${request.accountId} already exists. Cannot create duplicate account.`);\n }\n this.logger.info(`Account ${request.accountId} is available for creation`);\n\n const initialBalance = this.config.accountInitialBalance;\n\n this.logger.info(`Creating account: ${request.accountId}`);\n this.logger.info(`Initial balance: ${initialBalance} yoctoNEAR`);\n\n // Build actions for CreateAccount + Transfer + AddKey(FullAccess)\n const actions: ActionArgsWasm[] = [\n { action_type: ActionType.CreateAccount },\n { action_type: ActionType.Transfer, deposit: String(initialBalance) },\n {\n action_type: ActionType.AddKey,\n public_key: request.publicKey,\n access_key: JSON.stringify({\n nonce: 0,\n permission: { FullAccess: {} },\n }),\n }\n ];\n\n actions.forEach(validateActionArgsWasm);\n\n // Fetch nonce and block hash for relayer\n const { nextNonce, blockHash } = await this.fetchTxContext(this.config.relayerAccountId, this.relayerPublicKey);\n\n // Sign with relayer private key using WASM\n const signed = await this.signWithPrivateKey({\n nearPrivateKey: this.config.relayerPrivateKey,\n signerAccountId: this.config.relayerAccountId,\n receiverId: request.accountId,\n nonce: nextNonce,\n blockHash: blockHash,\n actions\n });\n\n // Broadcast transaction via MinimalNearClient using a strongly typed SignedTransaction\n const result = await this.nearClient.sendTransaction(signed);\n\n this.logger.info(`Account creation completed: ${result.transaction.hash}`);\n const nearAmount = (Number(BigInt(initialBalance)) / 1e24).toFixed(6);\n return {\n success: true,\n transactionHash: result.transaction.hash,\n accountId: request.accountId,\n message: `Account ${request.accountId} created with ${nearAmount} NEAR initial balance`\n };\n\n } catch (error: any) {\n this.logger.error(`Account creation failed for ${request.accountId}:`, error);\n const msg = errorMessage(error) || 'Unknown account creation error';\n return {\n success: false,\n error: msg,\n message: `Failed to create account ${request.accountId}: ${msg}`\n };\n }\n }, `create account ${request.accountId}`);\n }\n\n /**\n * Create account and register user with WebAuthn in a single atomic transaction\n */\n async createAccountAndRegisterUser(request: CreateAccountAndRegisterRequest): Promise<CreateAccountAndRegisterResult> {\n await this._ensureSignerAndRelayerAccount();\n\n return this.queueTransaction(async () => {\n try {\n if (!isValidAccountId(request.new_account_id)) {\n throw new Error(`Invalid account ID format: ${request.new_account_id}`);\n }\n\n this.logger.info(`Registering account: ${request.new_account_id}`);\n this.logger.info(`Contract: ${this.config.webAuthnContractId}`);\n\n const vrf_data = normalizeContractVrfDataForContract((request as unknown as { vrf_data?: unknown }).vrf_data);\n const deterministic_vrf_public_key = normalizeU8ArrayLike(\n (request as unknown as { deterministic_vrf_public_key?: unknown }).deterministic_vrf_public_key,\n 'deterministic_vrf_public_key',\n );\n\n // Prepare contract arguments\n const contractArgs = {\n new_account_id: request.new_account_id,\n new_public_key: request.new_public_key,\n vrf_data,\n webauthn_registration: request.webauthn_registration,\n deterministic_vrf_public_key,\n authenticator_options: request.authenticator_options,\n };\n\n // Build single FunctionCall action\n const actions: ActionArgsWasm[] = [\n {\n action_type: ActionType.FunctionCall,\n method_name: 'create_account_and_register_user',\n args: JSON.stringify(contractArgs),\n gas: String(this.config.createAccountAndRegisterGas),\n deposit: String(this.config.accountInitialBalance)\n }\n ];\n actions.forEach(validateActionArgsWasm);\n\n const { nextNonce, blockHash } = await this.fetchTxContext(this.config.relayerAccountId, this.relayerPublicKey);\n const signed = await this.signWithPrivateKey({\n nearPrivateKey: this.config.relayerPrivateKey,\n signerAccountId: this.config.relayerAccountId,\n receiverId: this.config.webAuthnContractId,\n nonce: nextNonce,\n blockHash,\n actions\n });\n const result = await this.nearClient.sendTransaction(signed);\n\n // Parse contract execution results to detect failures\n const contractError = parseContractExecutionError(result, request.new_account_id);\n if (contractError) {\n this.logger.error(`Contract execution failed for ${request.new_account_id}:`, contractError);\n throw new Error(contractError);\n }\n\n this.logger.info(`Registration completed: ${result.transaction.hash}`);\n return {\n success: true,\n transactionHash: result.transaction.hash,\n message: `Account ${request.new_account_id} created and registered successfully`,\n contractResult: result,\n };\n\n } catch (error: any) {\n this.logger.error(`Atomic registration failed for ${request.new_account_id}:`, error);\n const msg = errorMessage(error) || 'Unknown atomic registration error';\n return {\n success: false,\n error: msg,\n message: `Failed to create and register account ${request.new_account_id}: ${msg}`\n };\n }\n }, `atomic create and register ${request.new_account_id}`);\n }\n\n /**\n * Verify authentication response and issue JWT (VIEW call)\n * Calls the web3authn contract's verify_authentication_response method via view\n * and issues a JWT or session credential upon successful verification\n */\n async verifyAuthenticationResponse(\n request: VerifyAuthenticationRequest\n ): Promise<VerifyAuthenticationResponse> {\n try {\n await this._ensureSignerAndRelayerAccount();\n\n const intentDigest32 = request?.vrf_data?.intent_digest_32;\n if (!Array.isArray(intentDigest32) || intentDigest32.length !== 32) {\n return {\n success: false,\n verified: false,\n code: 'invalid_intent_digest',\n message: 'Missing or invalid vrf_data.intent_digest_32 (expected 32 bytes)',\n };\n }\n const sessionPolicyDigest32 = (request?.vrf_data as { session_policy_digest_32?: unknown })?.session_policy_digest_32;\n if (sessionPolicyDigest32 !== undefined) {\n if (!Array.isArray(sessionPolicyDigest32) || sessionPolicyDigest32.length !== 32) {\n return {\n success: false,\n verified: false,\n code: 'invalid_session_policy_digest',\n message: 'Invalid vrf_data.session_policy_digest_32 (expected 32 bytes when present)',\n };\n }\n }\n\n const args = {\n vrf_data: request.vrf_data,\n webauthn_authentication: request.webauthn_authentication,\n };\n\n // Perform a VIEW function call (no gas) and parse the contract response\n const contractResponse = await this.nearClient.view<typeof args, unknown>({\n account: this.config.webAuthnContractId,\n method: 'verify_authentication_response',\n args\n });\n\n const verified = isObject(contractResponse) && contractResponse.verified === true;\n if (!verified) {\n return {\n success: false,\n verified: false,\n code: 'not_verified',\n message: 'Authentication verification failed',\n contractResponse,\n };\n }\n\n return {\n success: true,\n verified: true,\n sessionCredential: {\n userId: request.vrf_data.user_id,\n issuedAt: new Date().toISOString(),\n expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),\n },\n contractResponse,\n };\n } catch (error: any) {\n return {\n success: false,\n verified: false,\n code: 'internal',\n message: error?.message || 'Verification failed',\n };\n }\n }\n\n /**\n * Fetch Related Origin Requests (ROR) allowed origins from a NEAR view method.\n * Defaults: contractId = webAuthnContractId, method = 'get_allowed_origins', args = {}.\n * Returns a sanitized, deduplicated list of absolute origins.\n */\n public async getRorOrigins(opts?: { contractId?: string; method?: string; args?: unknown }): Promise<string[]> {\n const contractId = toOptionalTrimmedString(opts?.contractId) || this.config.webAuthnContractId.trim();\n const method = toOptionalTrimmedString(opts?.method) || 'get_allowed_origins';\n const args = opts?.args ?? {};\n\n try {\n const result = await this.nearClient.view<unknown, unknown>({ account: contractId, method, args });\n let list: unknown[] = [];\n if (Array.isArray(result)) {\n list = result;\n } else if (isObject(result) && Array.isArray(result.origins)) {\n list = result.origins;\n }\n const out = new Set<string>();\n for (const item of list) {\n const norm = toRorOriginOrNull(item);\n if (norm) out.add(norm);\n }\n return Array.from(out);\n } catch (e) {\n this.logger.warn('[AuthService] getRorOrigins failed:', e);\n return [];\n }\n }\n\n /**\n * Account existence helper used by registration flows.\n */\n async checkAccountExists(accountId: string): Promise<boolean> {\n await this._ensureSignerAndRelayerAccount();\n const isNotFound = (m: string) => /does not exist|UNKNOWN_ACCOUNT|unknown\\s+account/i.test(m);\n const isRetryable = (m: string) => /server error|internal|temporar|timeout|too many requests|429|empty response|rpc request failed/i.test(m);\n const attempts = 3;\n let lastErr: Error | null = null;\n for (let i = 1; i <= attempts; i++) {\n try {\n const view = await this.nearClient.viewAccount(accountId);\n return !!view;\n } catch (error: unknown) {\n const err = toError(error);\n lastErr = err;\n const msg = err.message;\n const details = (err as { details?: unknown }).details;\n let detailsBlob = '';\n if (details) {\n try {\n detailsBlob = typeof details === 'string' ? details : JSON.stringify(details);\n } catch {\n detailsBlob = '';\n }\n }\n const combined = `${msg}\\n${detailsBlob}`;\n if (isNotFound(combined)) return false;\n if (isRetryable(msg) && i < attempts) {\n const backoff = 150 * Math.pow(2, i - 1);\n await new Promise((r) => setTimeout(r, backoff));\n continue;\n }\n // As a safety valve for flaky RPCs, treat persistent retryable errors as not-found\n if (isRetryable(msg)) {\n this.logger.warn(`[AuthService] Assuming account '${accountId}' not found after retryable RPC errors:`, msg);\n return false;\n }\n this.logger.error(`Error checking account existence for ${accountId}:`, err);\n throw err;\n }\n }\n throw lastErr || new Error('Unknown error');\n }\n\n /**\n * ===== Delegate actions & transaction execution =====\n *\n * Flows that build and submit on-chain transactions, including NEP-461\n * SignedDelegate meta-transactions.\n */\n\n /**\n * Execute a NEP-461 SignedDelegate by wrapping it in an outer transaction\n * from the relayer account. This method is intended to be called by\n * example relayers (Node/Cloudflare) once a SignedDelegate has been\n * produced by the signer worker and returned to the application.\n *\n * Notes:\n * - Signature and hash computation are performed by the signer worker.\n * This method focuses on expiry/policy enforcement and meta-tx submission.\n * - Nonce/replay protection is left to the integrator; see docs for guidance.\n */\n async executeSignedDelegate(input: {\n hash: string;\n signedDelegate: SignedDelegate;\n policy?: DelegateActionPolicy;\n }): Promise<ExecuteSignedDelegateResult> {\n await this._ensureSignerAndRelayerAccount();\n\n if (!input?.hash || !input?.signedDelegate) {\n return {\n ok: false,\n code: 'invalid_delegate_request',\n error: 'hash and signedDelegate are required',\n };\n }\n\n const senderId = input.signedDelegate?.delegateAction?.senderId ?? 'unknown-sender';\n\n return this.queueTransaction(\n () => executeSignedDelegateWithRelayer({\n nearClient: this.nearClient,\n relayerAccountId: this.config.relayerAccountId,\n relayerPublicKey: this.relayerPublicKey,\n relayerPrivateKey: this.config.relayerPrivateKey,\n hash: input.hash,\n signedDelegate: input.signedDelegate,\n signWithPrivateKey: (args) => this.signWithPrivateKey(args),\n }),\n `execute signed delegate for ${senderId}`,\n );\n }\n\n // === Internal helpers for signing & RPC ===\n private async fetchTxContext(accountId: string, publicKey: string): Promise<{ nextNonce: string; blockHash: string }> {\n // Access key (if missing, assume nonce=0)\n let nonce = 0n;\n try {\n const ak = await this.nearClient.viewAccessKey(accountId, publicKey);\n nonce = BigInt(ak?.nonce ?? 0);\n } catch {\n nonce = 0n;\n }\n // Block\n const block = await this.nearClient.viewBlock({ finality: 'final' });\n const txBlockHash = block.header.hash;\n const nextNonce = (nonce + 1n).toString();\n return { nextNonce, blockHash: txBlockHash };\n }\n\n private async signWithPrivateKey(input: {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n }): Promise<SignedTransaction> {\n await this.ensureSignerWasm();\n const message = {\n type: WorkerRequestType.SignTransactionWithKeyPair,\n payload: {\n nearPrivateKey: input.nearPrivateKey,\n signerAccountId: input.signerAccountId,\n receiverId: input.receiverId,\n nonce: input.nonce,\n blockHash: input.blockHash,\n actions: input.actions\n }\n };\n // uses wasm signer worker's SignTransactionWithKeyPair action,\n // which doesn't require VRF worker session\n let response: unknown;\n try {\n response = await handle_signer_message(message);\n } catch (e: unknown) {\n const msg = errorMessage(e);\n // Log payload for debugging (redacting private key)\n this.logger.error('Signer WASM rejected message:', {\n error: msg,\n payload: JSON.stringify(message, (key, value) =>\n key === 'nearPrivateKey' ? '[REDACTED]' : value\n )\n });\n\n // This specific error is intentionally redacted inside the WASM worker.\n // When it occurs in production, it's commonly due to a JS/WASM version mismatch\n // (the JS message schema changed but an old worker wasm is still deployed).\n if (msg.includes('Invalid payload for SIGN_TRANSACTION_WITH_KEYPAIR')) {\n throw new Error(\n `Signer WASM rejected SIGN_TRANSACTION_WITH_KEYPAIR payload: ${msg}. Rebuild + redeploy the relayer so the bundled \\`wasm_signer_worker.js\\` and \\`wasm_signer_worker_bg.wasm\\` come from the same build.`,\n );\n }\n throw (e instanceof Error ? e : new Error(msg || 'Signing failed'));\n }\n const {\n transaction,\n signature,\n borshBytes\n } = extractFirstSignedTransactionFromWorkerResponse(response);\n\n return new SignedTransaction({\n transaction: transaction,\n signature: signature,\n borsh_bytes: borshBytes,\n });\n }\n\n /**\n * Framework-agnostic: handle verify-authentication request\n * Converts a generic ServerRequest to ServerResponse using this service\n */\n async handleVerifyAuthenticationResponse(request: VerifyAuthenticationRequest): Promise<VerifyAuthenticationResponse> {\n return this.verifyAuthenticationResponse(request);\n }\n\n /**\n * ZK-email recovery helper (stub).\n * Intended to call the global ZkEmailVerifier and per-user recovery contract\n * once zk-email proofs and public inputs are wired through.\n */\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n async recoverAccountFromZkEmailVerifier(_request: {\n accountId: string;\n proof: unknown;\n publicInputs: unknown;\n }): Promise<{\n success: boolean;\n transactionHash?: string;\n message?: string;\n error?: string;\n }> {\n return {\n success: false,\n error: 'recoverAccountFromZkEmailVerifier is not yet implemented',\n message: 'recoverAccountFromZkEmailVerifier is not yet implemented',\n };\n }\n\n /**\n * Express-style middleware factory for verify-authentication\n */\n verifyAuthenticationMiddleware() {\n return async (req: any, res: any) => {\n try {\n if (!req?.body) {\n res.status(400).json({ error: 'Request body is required' });\n return;\n }\n const body: VerifyAuthenticationRequest = req.body;\n if (!body.vrf_data || !body.webauthn_authentication) {\n res.status(400).json({ code: 'invalid_body', message: 'vrf_data and webauthn_authentication are required' });\n return;\n }\n const result = await this.verifyAuthenticationResponse(body);\n const status = result.success ? 200 : 400;\n if (status !== 200) {\n res.status(status).json({ code: 'not_verified', message: result.message || 'Authentication verification failed' });\n } else {\n res.status(status).json(result);\n }\n } catch (error: any) {\n this.logger.error('Error in verify authentication middleware:', error);\n res.status(500).json({ code: 'internal', message: error?.message || 'Internal server error' });\n }\n };\n }\n\n /**\n * Queue transactions to prevent nonce conflicts\n */\n private async queueTransaction<T>(operation: () => Promise<T>, description: string): Promise<T> {\n this.queueStats.pending++;\n this.logger.debug(`[AuthService] Queueing: ${description} (pending: ${this.queueStats.pending})`);\n\n this.transactionQueue = this.transactionQueue\n .then(async () => {\n try {\n this.logger.debug(`[AuthService] Executing: ${description}`);\n const result = await operation();\n this.queueStats.completed++;\n this.queueStats.pending--;\n this.logger.debug(`[AuthService] Completed: ${description} (pending: ${this.queueStats.pending})`);\n return result;\n } catch (error: any) {\n this.queueStats.failed++;\n this.queueStats.pending--;\n this.logger.error(\n `[AuthService] Failed: ${description} (failed: ${this.queueStats.failed}):`,\n errorMessage(error) || 'unknown error',\n );\n throw error;\n }\n })\n .catch((error) => {\n throw error;\n });\n\n return this.transactionQueue;\n }\n}\n\ninterface WorkerSignedTransactionPayload {\n transaction: WasmTransaction;\n signature: WasmSignature;\n borshBytes?: number[];\n borsh_bytes?: number[];\n}\n\nfunction extractFirstSignedTransactionFromWorkerResponse(response: any): {\n transaction: WasmTransaction;\n signature: WasmSignature;\n borshBytes: number[];\n} {\n const res = (typeof response === 'string' ? JSON.parse(response) : response) as {\n type?: WorkerResponseType;\n payload?: { signedTransactions?: WorkerSignedTransactionPayload[]; error?: string };\n } | undefined;\n\n if (res?.type !== WorkerResponseType.SignTransactionWithKeyPairSuccess) {\n const errMsg = res?.payload?.error || 'Signing failed';\n throw new Error(errMsg);\n }\n\n const payload = res?.payload;\n const signedTxs = (payload?.signedTransactions ?? []) as WorkerSignedTransactionPayload[];\n if (!Array.isArray(signedTxs) || signedTxs.length === 0) {\n throw new Error('No signed transaction returned');\n }\n const first = signedTxs[0];\n const borshBytes = first?.borshBytes ?? first?.borsh_bytes;\n if (!Array.isArray(borshBytes)) {\n throw new Error('Missing borsh bytes');\n }\n return {\n transaction: first.transaction,\n signature: first.signature,\n borshBytes,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA6CA,SAAS,SAAS,GAA0C;AAC1D,QAAO,CAAC,CAAC,KAAK,OAAO,MAAM,YAAY,CAAC,MAAM,QAAQ;;AAGxD,SAAS,qBAAqB,OAAgB,WAA6B;AACzE,KAAI,iBAAiB,WAAY,QAAO,MAAM,KAAK;AACnD,KAAI,OAAO,UAAU,SACnB,KAAI;AACF,SAAO,MAAM,KAAKA,+BAAgB;UAC3B,KAAK;AACZ,QAAM,IAAI,MAAM,WAAW,UAAU,+BAA+BC,4BAAa,QAAQ,gBAAgB;;AAG7G,KAAI,MAAM,QAAQ,QAAQ;EACxB,MAAMC,MAAgB;AACtB,OAAK,MAAM,KAAK,OAAO;GACrB,MAAM,IAAI,OAAO;AACjB,OAAI,CAAC,OAAO,SAAS,MAAM,IAAI,KAAK,IAAI,IACtC,OAAM,IAAI,MAAM,WAAW,UAAU;AAEvC,OAAI,KAAK,KAAK,MAAM;;AAEtB,SAAO;;AAET,OAAM,IAAI,MAAM,WAAW,UAAU;;AAGvC,SAAS,oCAAoC,OAAyC;AACpF,KAAI,CAAC,SAAS,OAAQ,OAAM,IAAI,MAAM;CACtC,MAAM,UAAUC,2CAAwB,MAAM;CAC9C,MAAM,QAAQA,2CAAwB,MAAM;CAC5C,MAAM,mBAAmB,MAAM;CAC/B,MAAM,eAAe,OAAO,qBAAqB,WAC7C,mBACA,OAAO;AAEX,KAAI,CAAC,QAAS,OAAM,IAAI,MAAM;AAC9B,KAAI,CAAC,MAAO,OAAM,IAAI,MAAM;AAC5B,KAAI,CAAC,OAAO,SAAS,iBAAiB,gBAAgB,EAAG,OAAM,IAAI,MAAM;CAEzE,MAAMC,OAAgC;EACpC,gBAAgB,qBAAqB,MAAM,gBAAgB;EAC3D,YAAY,qBAAqB,MAAM,YAAY;EACnD,WAAW,qBAAqB,MAAM,WAAW;EACjD,YAAY,qBAAqB,MAAM,YAAY;EACnD;EACA;EACA;EACA,YAAY,qBAAqB,MAAM,YAAY;EACnD,kBAAkB,qBAAqB,MAAM,kBAAkB;;AAGjE,KAAI,OAAO,UAAU,eAAe,KAAK,OAAO,6BAA6B;EAC3E,MAAM,IAAI,MAAM;AAChB,MAAI,KAAK,KACP,MAAK,2BAA2B,qBAAqB,GAAG;;AAI5D,QAAO;;AAQT,MAAM,wBAAwB;AAE9B,MAAM,4BAA4B;AAElC,SAAS,kBAAkB,QAAiC;CAC1D,MAAM,QAAQ,CAAC,uBAAuB;CACtC,MAAMC,WAAkB;CACxB,MAAM;AAEN,MAAK,MAAM,QAAQ,MACjB,KAAI;AACF,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM;AAC9B,WAAS,KAAK,IAAI,IAAI,MAAM;UACrB,KAAK;AACZ,SAAO,KAAK,wDAAwD,KAAK,KAAK;;AAIlF,KAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM;AAGlB,QAAO;;AAGT,SAAS,gCAAgC,KAA4D;AACnG,KAAI,CAAC,IAAK,QAAO;CAEjB,MAAM,WAAWC,yCAAwB,IAAI;CAC7C,MAAM,YAAYC,iDAAgC,IAAI;CAEtD,MAAM,yBAAyB;AAC7B,MAAI,UAAU,IAAK,QAAO;AAC1B,SAAO,QAAQJ,2CAAwB,IAAI;;CAG7C,MAAM,eAAe;AACnB,MAAI,UAAU,KAAK;AACjB,OAAI,IAAI,SAAS,qBAAsB,QAAO;AAC9C,OAAI,IAAI,SAAS,YAAa,QAAO;AACrC,UAAO;;EAET,MAAM,aAAaA,2CAAwB,IAAI;EAC/C,MAAM,eAAeA,2CAAwB,IAAI;EACjD,MAAM,WAAWA,2CAAwB,IAAI;AAC7C,SAAQ,cAAc,eAAgB,YAAa,WAAW,UAAU;;CAG1E,MAAM,QAAQ;EAAC;EAAgC,YAAY;EAAY,aAAa;EAAa,SAAS;;AAC1G,KAAI,gBAAiB,OAAM,KAAK;AAChC,QAAO,MAAM,KAAK;;;;;;AAOpB,IAAa,cAAb,MAAyB;CACvB,AAAQ;CACR,AAAQ,gBAAgB;CACxB,AAAQ;CACR,AAAQ,mBAA2B;CACnC,AAAQ,kBAAkB;CAC1B,AAAiB;CACjB,AAAQ,qCAAqC;CAC7C,AAAQ,0BAA8D;CAGtE,AAAQ,mBAAiC,QAAQ;CACjD,AAAQ,aAAa;EAAE,SAAS;EAAG,WAAW;EAAG,QAAQ;;CAGzD,AAAgB,gBAAsC;CAEtD,AAAgB,gBAA6C;CAE7D,YAAY,QAAgC;AAC1C,OAAK,SAASK,uCAAwB;AACtC,OAAK,SAASC,4BAAa,KAAK,OAAO;EACvC,MAAM,sBAAsB,KAAK,OAAO,QAAQ,uBAAuB,IAAI;AAC3E,OAAK,gBAAgB,IAAIC,oCAAc,KAAK,OAAO,QAAQ,sBAAsB;AACjF,OAAK,aAAa,IAAIC,qCAAkB,KAAK,OAAO;AACpD,OAAK,gBAAgB,IAAIC,mCAAqB;GAC5C,kBAAkB,KAAK,OAAO;GAC9B,mBAAmB,KAAK,OAAO;GAC/B,WAAW,KAAK,OAAO;GACvB,2BAA2BC,wDAAiC;GAC5D,YAAY,KAAK;GACjB,QAAQ,KAAK,OAAO;GACpB,qCAAqC,KAAK;GAC1C,mBAAsB,IAAsB,UAAkB,KAAK,iBAAiB,IAAI;GACxF,iBAAiB,WAAmB,cAAsB,KAAK,eAAe,WAAW;GACzF,qBAAqB,UAAU,KAAK,mBAAmB;GACvD,2BAA2B,KAAK;GAChC,eAAe,KAAK,OAAO;;AAK7B,OAAK,OAAO,KAAK;;mBAEF,KAAK,OAAO,UAAU;oBACrB,KAAK,OAAO,WAAW;0BACjB,KAAK,OAAO,iBAAiB;4BAC3B,KAAK,OAAO,mBAAmB;+BAC5B,KAAK,OAAO,sBAAsB,IAAIC,gCAAkB,KAAK,OAAO,uBAAuB;qCACrF,KAAK,OAAO,4BAA4B,IAAIC,8BAAgB,KAAK,OAAO,6BAA6B;MACpI,KAAK,OAAO,SACR,oBAAoB,KAAK,OAAO,OAAO,cAAc,MAAM,GAAG,IAAI,8BAA8B,KAAK,OAAO,OAAO,gBAAgB,MAAM,GAAG,IAAI,8BAA8B,KAAK,OAAO,OAAO,gBAAgB,MAAM,GAAG,IAAI,OAC9N,2BACH;QACC,gCAAgC,KAAK,OAAO,0BAA0B;MACxE,KAAK,OAAO,eAAe,UACvB,oBAAoB,KAAK,OAAO,cAAc,YAC9C,kCACH;;;CAIL,MAAM,oBAAuE;AAC3E,QAAM,KAAK;AACX,SAAO;GACL,WAAW,KAAK,OAAO;GACvB,WAAW,KAAK;;;CAIpB,MAAM,kBAAkB,WAA2C;AACjE,QAAM,KAAK;AACX,SAAO,KAAK,WAAW,kBAAkB;;;;;;CAO3C,6BAAiE;AAC/D,MAAI,KAAK,mCAAoC,QAAO,KAAK;AACzD,OAAK,qCAAqC;AAE1C,MAAI,CAAC,KAAK,OAAO,0BAA0B;AACzC,QAAK,0BAA0B;AAC/B,UAAO;;AAGT,OAAK,0BAA0BC,oEAA8B;GAC3D,aAAa;GACb,0BAA0B,KAAK,OAAO;GACtC,QAAQ,KAAK;GACb,QAAQ,KAAK;;AAEf,SAAO,KAAK;;CAGd,wBAAgC;AAC9B,SAAO,KAAK,OAAO;;CAGrB,MAAM,SAAS,QAAgB,iBAAyD;AACtF,QAAM,KAAK;AACX,SAAO,KAAK,WAAW,SAAS,QAAQ;;;;;;CAO1C,MAAc,mCAAkD;AAC9D,MAAI,CAAC,KAAK,OAAO,QAAQ,aACvB;EAGF,MAAM,EAAE,gCAAgC,2CAAM;AAC9C,8BAA4B,KAAK,OAAO,OAAO;;CAGjD,MAAc,iCAAgD;AAC5D,MAAI,KAAK,cACP;AAIF,MAAI,KAAK,OAAO,UAAU,KAAK,eAAe;AAC5C,SAAM,KAAK;AACX,SAAM,KAAK,cAAc;;AAI3B,MAAI;AACF,QAAK,mBAAmBC,gDAA+B,KAAK,OAAO;WAC5D,GAAG;AACV,QAAK,OAAO,KAAK;AACjB,QAAK,mBAAmB;;AAI1B,QAAM,KAAK;AACX,OAAK,gBAAgB;;CAGvB,MAAc,mBAAkC;AAC9C,MAAI,KAAK,gBAAiB;EAC1B,MAAM,WAAW,KAAK,OAAO,YAAY;AACzC,MAAI,SACF,KAAI;GACF,MAAM,eAAe,MAAM,KAAK,0BAA0B;AAC1D,uEAAqB,EAAE,gBAAgB;AACvC,QAAK,kBAAkB;AACvB;WACO,GAAG;AACV,QAAK,OAAO,MAAM,2DAA2D;AAC7E,SAAM;;EAIV,IAAIC;AACJ,MAAI;AACF,gBAAa,kBAAkB,KAAK;WAC7B,KAAK;AACZ,QAAK,OAAO,MAAM,uCAAuC;AACzD,SAAM;;AAGR,MAAI;AACF,OAAI,KAAK,qBAAqB;AAC5B,UAAM,KAAK,sBAAsB;AACjC,SAAK,kBAAkB;AACvB;;GAGF,IAAIC,YAAqB;AACzB,QAAK,MAAM,aAAa,WACtB,KAAI;AACF,wEAAqB,EAAE,gBAAgB;AACvC,SAAK,kBAAkB;AACvB;YACO,KAAK;AACZ,gBAAY;AACZ,SAAK,OAAO,KAAK,yCAAyC,UAAU,WAAW;;AAInF,SAAM,6BAAa,IAAI,MAAM;WACtB,GAAG;AACV,QAAK,OAAO,MAAM,qCAAqC;AACvD,SAAM,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO;;;CAIpD,AAAQ,oBAA6B;EAEnC,MAAM,aAAc,WAAyE;EAC7F,MAAM,SAAS,QAAQ,YAAY,UAAU;EAE7C,MAAM,gBAAiB,WAAsD;EAC7E,MAAM,MAAO,WAAkE;EAC/E,MAAM,qBAAqB,OAAO,kBAAkB,eAC9C,OAAO,KAAK,cAAc,YAAY,IAAI,UAAU,SAAS;AACnE,SAAO,UAAU,CAAC;;CAGpB,MAAc,0BAA0B,UAAwD;EAC9F,MAAM,YAAY,OAAO,aAAa,aAClC,MAAO,aACP,MAAM;AAEV,MAAI,CAAC,UACH,OAAM,IAAI,MAAM;AAGlB,SAAO;;;;;;CAOT,MAAc,sBAAsB,YAAkC;EACpE,MAAM,EAAE,kBAAkB,MAAM,OAAO;EACvC,MAAM,EAAE,aAAa,MAAM,OAAO;AAGlC,OAAK,MAAM,OAAO,WAChB,KAAI;GACF,MAAM,WAAW,cAAc;GAC/B,MAAM,QAAQ,MAAM,SAAS;GAE7B,MAAM,KAAK,IAAI,YAAY,MAAM;AACjC,OAAI,WAAW,IAAI,IAAI;GACvB,MAAMC,WAAS,MAAM,YAAY,QAAQ;AACzC,uEAAqB,EAAE,gBAAgBA;AACvC;UACM;AAIV,OAAK,MAAM,OAAO,WAChB,KAAI;GACF,MAAM,WAAW,cAAc;AAC/B,uEAAqB,EAAE,gBAAgB;AACvC;UACM;AAGV,QAAM,IAAI,MAAM;;;;;;;;;;;CAalB,MAAM,cAAc,SAAiE;AACnF,QAAM,KAAK;AAEX,SAAO,KAAK,iBAAiB,YAAY;AACvC,OAAI;AACF,QAAI,CAACC,oCAAiB,QAAQ,WAC5B,OAAM,IAAI,MAAM,8BAA8B,QAAQ;AAIxD,SAAK,OAAO,KAAK,uBAAuB,QAAQ,UAAU;IAC1D,MAAM,gBAAgB,MAAM,KAAK,mBAAmB,QAAQ;AAC5D,QAAI,cACF,OAAM,IAAI,MAAM,WAAW,QAAQ,UAAU;AAE/C,SAAK,OAAO,KAAK,WAAW,QAAQ,UAAU;IAE9C,MAAM,iBAAiB,KAAK,OAAO;AAEnC,SAAK,OAAO,KAAK,qBAAqB,QAAQ;AAC9C,SAAK,OAAO,KAAK,oBAAoB,eAAe;IAGpD,MAAMC,UAA4B;KAChC,EAAE,aAAaC,2BAAW;KAC1B;MAAE,aAAaA,2BAAW;MAAU,SAAS,OAAO;;KACpD;MACE,aAAaA,2BAAW;MACxB,YAAY,QAAQ;MACpB,YAAY,KAAK,UAAU;OACzB,OAAO;OACP,YAAY,EAAE,YAAY;;;;AAKhC,YAAQ,QAAQC;IAGhB,MAAM,EAAE,WAAW,cAAc,MAAM,KAAK,eAAe,KAAK,OAAO,kBAAkB,KAAK;IAG9F,MAAM,SAAS,MAAM,KAAK,mBAAmB;KAC3C,gBAAgB,KAAK,OAAO;KAC5B,iBAAiB,KAAK,OAAO;KAC7B,YAAY,QAAQ;KACpB,OAAO;KACI;KACX;;IAIF,MAAM,SAAS,MAAM,KAAK,WAAW,gBAAgB;AAErD,SAAK,OAAO,KAAK,+BAA+B,OAAO,YAAY;IACnE,MAAM,cAAc,OAAO,OAAO,mBAAmB,MAAM,QAAQ;AACnE,WAAO;KACL,SAAS;KACT,iBAAiB,OAAO,YAAY;KACpC,WAAW,QAAQ;KACnB,SAAS,WAAW,QAAQ,UAAU,gBAAgB,WAAW;;YAG5DC,OAAY;AACnB,SAAK,OAAO,MAAM,+BAA+B,QAAQ,UAAU,IAAI;IACvE,MAAM,MAAMxB,4BAAa,UAAU;AACnC,WAAO;KACL,SAAS;KACT,OAAO;KACP,SAAS,4BAA4B,QAAQ,UAAU,IAAI;;;KAG9D,kBAAkB,QAAQ;;;;;CAM/B,MAAM,6BAA6B,SAAmF;AACpH,QAAM,KAAK;AAEX,SAAO,KAAK,iBAAiB,YAAY;AACvC,OAAI;AACF,QAAI,CAACoB,oCAAiB,QAAQ,gBAC5B,OAAM,IAAI,MAAM,8BAA8B,QAAQ;AAGxD,SAAK,OAAO,KAAK,wBAAwB,QAAQ;AACjD,SAAK,OAAO,KAAK,aAAa,KAAK,OAAO;IAE1C,MAAM,WAAW,oCAAqC,QAA8C;IACpG,MAAM,+BAA+B,qBAClC,QAAkE,8BACnE;IAIF,MAAM,eAAe;KACnB,gBAAgB,QAAQ;KACxB,gBAAgB,QAAQ;KACxB;KACA,uBAAuB,QAAQ;KAC/B;KACA,uBAAuB,QAAQ;;IAIjC,MAAMC,UAA4B,CAChC;KACE,aAAaC,2BAAW;KACxB,aAAa;KACb,MAAM,KAAK,UAAU;KACrB,KAAK,OAAO,KAAK,OAAO;KACxB,SAAS,OAAO,KAAK,OAAO;;AAGhC,YAAQ,QAAQC;IAEhB,MAAM,EAAE,WAAW,cAAc,MAAM,KAAK,eAAe,KAAK,OAAO,kBAAkB,KAAK;IAC9F,MAAM,SAAS,MAAM,KAAK,mBAAmB;KAC3C,gBAAgB,KAAK,OAAO;KAC5B,iBAAiB,KAAK,OAAO;KAC7B,YAAY,KAAK,OAAO;KACxB,OAAO;KACP;KACA;;IAEF,MAAM,SAAS,MAAM,KAAK,WAAW,gBAAgB;IAGrD,MAAM,gBAAgBE,6CAA4B,QAAQ,QAAQ;AAClE,QAAI,eAAe;AACjB,UAAK,OAAO,MAAM,iCAAiC,QAAQ,eAAe,IAAI;AAC9E,WAAM,IAAI,MAAM;;AAGlB,SAAK,OAAO,KAAK,2BAA2B,OAAO,YAAY;AAC/D,WAAO;KACL,SAAS;KACT,iBAAiB,OAAO,YAAY;KACpC,SAAS,WAAW,QAAQ,eAAe;KAC3C,gBAAgB;;YAGXD,OAAY;AACnB,SAAK,OAAO,MAAM,kCAAkC,QAAQ,eAAe,IAAI;IAC/E,MAAM,MAAMxB,4BAAa,UAAU;AACnC,WAAO;KACL,SAAS;KACT,OAAO;KACP,SAAS,yCAAyC,QAAQ,eAAe,IAAI;;;KAGhF,8BAA8B,QAAQ;;;;;;;CAQ3C,MAAM,6BACJ,SACuC;AACvC,MAAI;AACF,SAAM,KAAK;GAEX,MAAM,iBAAiB,SAAS,UAAU;AAC1C,OAAI,CAAC,MAAM,QAAQ,mBAAmB,eAAe,WAAW,GAC9D,QAAO;IACL,SAAS;IACT,UAAU;IACV,MAAM;IACN,SAAS;;GAGb,MAAM,yBAAyB,SAAS,WAAqD;AAC7F,OAAI,0BAA0B,QAC5B;QAAI,CAAC,MAAM,QAAQ,0BAA0B,sBAAsB,WAAW,GAC5E,QAAO;KACL,SAAS;KACT,UAAU;KACV,MAAM;KACN,SAAS;;;GAKf,MAAM,OAAO;IACX,UAAU,QAAQ;IAClB,yBAAyB,QAAQ;;GAInC,MAAM,mBAAmB,MAAM,KAAK,WAAW,KAA2B;IACxE,SAAS,KAAK,OAAO;IACrB,QAAQ;IACR;;GAGF,MAAM,WAAW,SAAS,qBAAqB,iBAAiB,aAAa;AAC7E,OAAI,CAAC,SACH,QAAO;IACL,SAAS;IACT,UAAU;IACV,MAAM;IACN,SAAS;IACT;;AAIJ,UAAO;IACL,SAAS;IACT,UAAU;IACV,mBAAmB;KACjB,QAAQ,QAAQ,SAAS;KACzB,2BAAU,IAAI,QAAO;KACrB,WAAW,IAAI,KAAK,KAAK,QAAQ,OAAU,KAAK,KAAM;;IAExD;;WAEKwB,OAAY;AACnB,UAAO;IACL,SAAS;IACT,UAAU;IACV,MAAM;IACN,SAAS,OAAO,WAAW;;;;;;;;;CAUjC,MAAa,cAAc,MAAoF;EAC7G,MAAM,aAAatB,2CAAwB,MAAM,eAAe,KAAK,OAAO,mBAAmB;EAC/F,MAAM,SAASA,2CAAwB,MAAM,WAAW;EACxD,MAAM,OAAO,MAAM,QAAQ;AAE3B,MAAI;GACF,MAAM,SAAS,MAAM,KAAK,WAAW,KAAuB;IAAE,SAAS;IAAY;IAAQ;;GAC3F,IAAIwB,OAAkB;AACtB,OAAI,MAAM,QAAQ,QAChB,QAAO;YACE,SAAS,WAAW,MAAM,QAAQ,OAAO,SAClD,QAAO,OAAO;GAEhB,MAAM,sBAAM,IAAI;AAChB,QAAK,MAAM,QAAQ,MAAM;IACvB,MAAM,OAAOC,qCAAkB;AAC/B,QAAI,KAAM,KAAI,IAAI;;AAEpB,UAAO,MAAM,KAAK;WACX,GAAG;AACV,QAAK,OAAO,KAAK,uCAAuC;AACxD,UAAO;;;;;;CAOX,MAAM,mBAAmB,WAAqC;AAC5D,QAAM,KAAK;EACX,MAAM,cAAc,MAAc,oDAAoD,KAAK;EAC3F,MAAM,eAAe,MAAc,kGAAkG,KAAK;EAC1I,MAAM,WAAW;EACjB,IAAIC,UAAwB;AAC5B,OAAK,IAAI,IAAI,GAAG,KAAK,UAAU,IAC7B,KAAI;GACF,MAAM,OAAO,MAAM,KAAK,WAAW,YAAY;AAC/C,UAAO,CAAC,CAAC;WACFC,OAAgB;GACvB,MAAM,MAAMC,uBAAQ;AACpB,aAAU;GACV,MAAM,MAAM,IAAI;GAChB,MAAM,UAAW,IAA8B;GAC/C,IAAI,cAAc;AAClB,OAAI,QACF,KAAI;AACF,kBAAc,OAAO,YAAY,WAAW,UAAU,KAAK,UAAU;WAC/D;AACN,kBAAc;;GAGlB,MAAM,WAAW,GAAG,IAAI,IAAI;AAC5B,OAAI,WAAW,UAAW,QAAO;AACjC,OAAI,YAAY,QAAQ,IAAI,UAAU;IACpC,MAAM,UAAU,MAAM,KAAK,IAAI,GAAG,IAAI;AACtC,UAAM,IAAI,SAAS,MAAM,WAAW,GAAG;AACvC;;AAGF,OAAI,YAAY,MAAM;AACpB,SAAK,OAAO,KAAK,mCAAmC,UAAU,0CAA0C;AACxG,WAAO;;AAET,QAAK,OAAO,MAAM,wCAAwC,UAAU,IAAI;AACxE,SAAM;;AAGV,QAAM,2BAAW,IAAI,MAAM;;;;;;;;;;;;;;;;;;;CAqB7B,MAAM,sBAAsB,OAIa;AACvC,QAAM,KAAK;AAEX,MAAI,CAAC,OAAO,QAAQ,CAAC,OAAO,eAC1B,QAAO;GACL,IAAI;GACJ,MAAM;GACN,OAAO;;EAIX,MAAM,WAAW,MAAM,gBAAgB,gBAAgB,YAAY;AAEnE,SAAO,KAAK,uBACJC,iDAAiC;GACrC,YAAY,KAAK;GACjB,kBAAkB,KAAK,OAAO;GAC9B,kBAAkB,KAAK;GACvB,mBAAmB,KAAK,OAAO;GAC/B,MAAM,MAAM;GACZ,gBAAgB,MAAM;GACtB,qBAAqB,SAAS,KAAK,mBAAmB;MAExD,+BAA+B;;CAKnC,MAAc,eAAe,WAAmB,WAAsE;EAEpH,IAAI,QAAQ;AACZ,MAAI;GACF,MAAM,KAAK,MAAM,KAAK,WAAW,cAAc,WAAW;AAC1D,WAAQ,OAAO,IAAI,SAAS;UACtB;AACN,WAAQ;;EAGV,MAAM,QAAQ,MAAM,KAAK,WAAW,UAAU,EAAE,UAAU;EAC1D,MAAM,cAAc,MAAM,OAAO;EACjC,MAAM,aAAa,QAAQ,IAAI;AAC/B,SAAO;GAAE;GAAW,WAAW;;;CAGjC,MAAc,mBAAmB,OAOF;AAC7B,QAAM,KAAK;EACX,MAAM,UAAU;GACd,MAAMC,mEAAkB;GACxB,SAAS;IACP,gBAAgB,MAAM;IACtB,iBAAiB,MAAM;IACvB,YAAY,MAAM;IAClB,OAAO,MAAM;IACb,WAAW,MAAM;IACjB,SAAS,MAAM;;;EAKnB,IAAIC;AACJ,MAAI;AACF,cAAW,kFAA4B;WAChCC,GAAY;GACnB,MAAM,MAAMlC,4BAAa;AAEzB,QAAK,OAAO,MAAM,iCAAiC;IACjD,OAAO;IACP,SAAS,KAAK,UAAU,UAAU,KAAK,UACrC,QAAQ,mBAAmB,eAAe;;AAO9C,OAAI,IAAI,SAAS,qDACf,OAAM,IAAI,MACR,+DAA+D,IAAI;AAGvE,SAAO,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO;;EAEnD,MAAM,EACJ,aACA,WACA,eACE,gDAAgD;AAEpD,SAAO,IAAImC,qCAAkB;GACd;GACF;GACX,aAAa;;;;;;;CAQjB,MAAM,mCAAmC,SAA6E;AACpH,SAAO,KAAK,6BAA6B;;;;;;;CAS3C,MAAM,kCAAkC,UASrC;AACD,SAAO;GACL,SAAS;GACT,OAAO;GACP,SAAS;;;;;;CAOb,iCAAiC;AAC/B,SAAO,OAAO,KAAU,QAAa;AACnC,OAAI;AACF,QAAI,CAAC,KAAK,MAAM;AACd,SAAI,OAAO,KAAK,KAAK,EAAE,OAAO;AAC9B;;IAEF,MAAMC,OAAoC,IAAI;AAC9C,QAAI,CAAC,KAAK,YAAY,CAAC,KAAK,yBAAyB;AACnD,SAAI,OAAO,KAAK,KAAK;MAAE,MAAM;MAAgB,SAAS;;AACtD;;IAEF,MAAM,SAAS,MAAM,KAAK,6BAA6B;IACvD,MAAM,SAAS,OAAO,UAAU,MAAM;AACtC,QAAI,WAAW,IACb,KAAI,OAAO,QAAQ,KAAK;KAAE,MAAM;KAAgB,SAAS,OAAO,WAAW;;QAE3E,KAAI,OAAO,QAAQ,KAAK;YAEnBZ,OAAY;AACnB,SAAK,OAAO,MAAM,8CAA8C;AAChE,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAY,SAAS,OAAO,WAAW;;;;;;;;CAQ1E,MAAc,iBAAoB,WAA6B,aAAiC;AAC9F,OAAK,WAAW;AAChB,OAAK,OAAO,MAAM,2BAA2B,YAAY,aAAa,KAAK,WAAW,QAAQ;AAE9F,OAAK,mBAAmB,KAAK,iBAC1B,KAAK,YAAY;AAChB,OAAI;AACF,SAAK,OAAO,MAAM,4BAA4B;IAC9C,MAAM,SAAS,MAAM;AACrB,SAAK,WAAW;AAChB,SAAK,WAAW;AAChB,SAAK,OAAO,MAAM,4BAA4B,YAAY,aAAa,KAAK,WAAW,QAAQ;AAC/F,WAAO;YACAA,OAAY;AACnB,SAAK,WAAW;AAChB,SAAK,WAAW;AAChB,SAAK,OAAO,MACV,yBAAyB,YAAY,YAAY,KAAK,WAAW,OAAO,KACxExB,4BAAa,UAAU;AAEzB,UAAM;;KAGT,OAAO,UAAU;AAChB,SAAM;;AAGV,SAAO,KAAK;;;AAWhB,SAAS,gDAAgD,UAIvD;CACA,MAAM,MAAO,OAAO,aAAa,WAAW,KAAK,MAAM,YAAY;AAKnE,KAAI,KAAK,SAASqC,oEAAmB,mCAAmC;EACtE,MAAM,SAAS,KAAK,SAAS,SAAS;AACtC,QAAM,IAAI,MAAM;;CAGlB,MAAM,UAAU,KAAK;CACrB,MAAM,YAAa,SAAS,sBAAsB;AAClD,KAAI,CAAC,MAAM,QAAQ,cAAc,UAAU,WAAW,EACpD,OAAM,IAAI,MAAM;CAElB,MAAM,QAAQ,UAAU;CACxB,MAAM,aAAa,OAAO,cAAc,OAAO;AAC/C,KAAI,CAAC,MAAM,QAAQ,YACjB,OAAM,IAAI,MAAM;AAElB,QAAO;EACL,aAAa,MAAM;EACnB,WAAW,MAAM;EACjB"}
package/dist/cjs/server/sdk/src/core/defaultConfigs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"defaultConfigs.js","names":["PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs","DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts"],"sources":["../../../../../../src/core/defaultConfigs.ts"],"sourcesContent":["import type { EmailRecoveryContracts, TatchiConfigs, TatchiConfigsInput } from './types/tatchi';\nimport { coerceSignerMode } from './types/signer-worker';\nimport { toTrimmedString } from '@/utils';\n\n// Default SDK configs suitable for local dev.\n// Cross-origin wallet isolation is recommended; set iframeWallet in your app config when you have a dedicated origin.\n// Consumers can shallow-merge overrides by field.\n\nexport const PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs = {\n // You can provide a single URL or a comma-separated list for failover.\n // First URL is treated as primary, subsequent URLs are fallbacks.\n nearRpcUrl: 'https://test.rpc.fastnear.com, https://rpc.testnet.near.org',\n nearNetwork: 'testnet',\n contractId: 'w3a-v1.testnet',\n nearExplorerUrl: 'https://testnet.nearblocks.io',\n signerMode: { mode: 'local-signer' },\n // Warm signing session defaults used by login/unlock flows.\n // Enforcement (TTL/uses) is owned by the VRF worker; signer workers remain one-shot.\n signingSessionDefaults: {\n ttlMs: 0, // 0 minutes\n remainingUses: 0, // default to requiring a touchID prompt for each transaction\n },\n relayer: {\n // accountId: 'w3a-v1.testnet',\n // No default relayer URL. Force apps to configure via env/overrides.\n // Using an empty string triggers early validation errors in code paths that require it.\n url: '',\n delegateActionRoute: '/signed-delegate',\n emailRecovery: {\n // Require at least 0.01 NEAR available to start email recovery.\n minBalanceYocto: '10000000000000000000000', // 0.01 NEAR\n // Poll every 4 seconds for verification status / access key.\n pollingIntervalMs: 4000,\n // Stop polling after 30 minutes.\n maxPollingDurationMs: 30 * 60 * 1000,\n // Expire pending recovery records after 30 minutes.\n pendingTtlMs: 30 * 60 * 1000,\n // Default recovery mailbox for examples / docs.\n mailtoAddress: 'recover@web3authn.org',\n },\n },\n vrfWorkerConfigs: {\n shamir3pass: {\n // default Shamir's P in vrf-wasm-worker, needs to match relay server's Shamir P\n p: '3N5w46AIGjGT2v5Vua_TMD5Ywfa9U2F7-WzW8SNDsIM',\n // No default relay server URL to avoid accidental localhost usage in non-dev envs\n // Defaults to relayer.url when undefined\n relayServerUrl: '',\n applyServerLockRoute: '/vrf/apply-server-lock',\n removeServerLockRoute: '/vrf/remove-server-lock',\n }\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: 'w3a-email-recoverer-v1.testnet',\n zkEmailVerifierContract: 'zk-email-verifier-v1.testnet',\n emailDkimVerifierContract: 'email-dkim-verifier-v1.testnet',\n },\n // Configure iframeWallet in application code to point at your dedicated wallet origin when available.\n iframeWallet: {\n walletOrigin: 'https://wallet.example.localhost',\n walletServicePath: '/wallet-service',\n sdkBasePath: '/sdk',\n rpIdOverride: 'example.localhost',\n }\n};\n\n// Default threshold participant identifiers (2P FROST).\n// These are intentionally exported as standalone constants so apps can reuse them when wiring\n// threshold signing across client + server environments.\nexport const THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID = 1 as const;\nexport const THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID = 2 as const;\nexport const THRESHOLD_ED25519_2P_PARTICIPANT_IDS = [\n THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID,\n THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID,\n] as const;\n\n// Threshold node roles.\n// Coordinator is the default because it exposes the public `/threshold-ed25519/sign/*` endpoints.\nexport const THRESHOLD_NODE_ROLE_COORDINATOR = 'coordinator' as const;\nexport const THRESHOLD_NODE_ROLE_DEFAULT = THRESHOLD_NODE_ROLE_COORDINATOR;\n\nexport const DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts = {\n emailRecovererGlobalContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailRecovererGlobalContract,\n zkEmailVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.zkEmailVerifierContract,\n emailDkimVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n};\n\n// Merge defaults with overrides\nexport function buildConfigsFromEnv(overrides: TatchiConfigsInput = {}): TatchiConfigs {\n\n const defaults = PASSKEY_MANAGER_DEFAULT_CONFIGS;\n const relayerUrl = overrides.relayer?.url ?? defaults.relayer?.url ?? '';\n // Prefer explicit override for relayer URL; fall back to default preset.\n // Used below to default VRF relayServerUrl when it is undefined.\n const relayServerUrlDefault = relayerUrl;\n const signerMode = coerceSignerMode(overrides.signerMode, defaults.signerMode);\n\n const merged: TatchiConfigs = {\n nearRpcUrl: overrides.nearRpcUrl ?? defaults.nearRpcUrl,\n nearNetwork: overrides.nearNetwork ?? defaults.nearNetwork,\n contractId: overrides.contractId ?? defaults.contractId,\n nearExplorerUrl: overrides.nearExplorerUrl ?? defaults.nearExplorerUrl,\n walletTheme: overrides.walletTheme ?? defaults.walletTheme,\n signerMode,\n signingSessionDefaults: {\n ttlMs: overrides.signingSessionDefaults?.ttlMs\n ?? defaults.signingSessionDefaults?.ttlMs,\n remainingUses: overrides.signingSessionDefaults?.remainingUses\n ?? defaults.signingSessionDefaults?.remainingUses,\n },\n relayer: {\n url: relayerUrl,\n delegateActionRoute: overrides.relayer?.delegateActionRoute\n ?? defaults.relayer?.delegateActionRoute,\n emailRecovery: {\n minBalanceYocto: overrides.relayer?.emailRecovery?.minBalanceYocto\n ?? defaults.relayer?.emailRecovery?.minBalanceYocto,\n pollingIntervalMs: overrides.relayer?.emailRecovery?.pollingIntervalMs\n ?? defaults.relayer?.emailRecovery?.pollingIntervalMs,\n maxPollingDurationMs: overrides.relayer?.emailRecovery?.maxPollingDurationMs\n ?? defaults.relayer?.emailRecovery?.maxPollingDurationMs,\n pendingTtlMs: overrides.relayer?.emailRecovery?.pendingTtlMs\n ?? defaults.relayer?.emailRecovery?.pendingTtlMs,\n mailtoAddress: overrides.relayer?.emailRecovery?.mailtoAddress\n ?? defaults.relayer?.emailRecovery?.mailtoAddress,\n },\n },\n authenticatorOptions: overrides.authenticatorOptions ?? defaults.authenticatorOptions,\n vrfWorkerConfigs: {\n shamir3pass: {\n p: overrides.vrfWorkerConfigs?.shamir3pass?.p\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.p,\n relayServerUrl: overrides.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n ?? relayServerUrlDefault,\n applyServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n removeServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n },\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: overrides.emailRecoveryContracts?.emailRecovererGlobalContract\n ?? defaults.emailRecoveryContracts?.emailRecovererGlobalContract,\n zkEmailVerifierContract: overrides.emailRecoveryContracts?.zkEmailVerifierContract\n ?? defaults.emailRecoveryContracts?.zkEmailVerifierContract,\n emailDkimVerifierContract: overrides.emailRecoveryContracts?.emailDkimVerifierContract\n ?? defaults.emailRecoveryContracts?.emailDkimVerifierContract,\n },\n iframeWallet: {\n // Preserve explicit empty-string walletOrigin (\"\") because it is used as a sentinel\n // to disable iframe-wallet mode in tests and some apps.\n walletOrigin: overrides.iframeWallet?.walletOrigin\n ?? defaults.iframeWallet?.walletOrigin,\n rpIdOverride: overrides.iframeWallet?.rpIdOverride\n ?? defaults.iframeWallet?.rpIdOverride,\n // IMPORTANT: the following fields are often wired from CI env vars like `VITE_SDK_BASE_PATH`.\n // When a GitHub Actions env var is missing, expressions like `${{ vars.VITE_SDK_BASE_PATH }}`\n // frequently become the empty string at build-time. Treat empty strings as \"unset\" so we\n // fall back to SDK defaults instead of accidentally generating root-relative URLs like:\n // https://wallet.example.com/w3a-components.css (wrong; should be /sdk/w3a-components.css)\n walletServicePath: toTrimmedString(overrides.iframeWallet?.walletServicePath)\n || toTrimmedString(defaults.iframeWallet?.walletServicePath)\n || '/wallet-service',\n sdkBasePath: toTrimmedString(overrides.iframeWallet?.sdkBasePath)\n || toTrimmedString(defaults.iframeWallet?.sdkBasePath)\n || '/sdk',\n }\n };\n if (!merged.contractId) {\n throw new Error('[configPresets] Missing required config: contractId');\n }\n if (!merged.relayer.url) {\n throw new Error('[configPresets] Missing required config: relayer.url');\n }\n return merged;\n}\n"],"mappings":";;AAQA,MAAaA,kCAAiD;CAG5D,YAAY;CACZ,aAAa;CACb,YAAY;CACZ,iBAAiB;CACjB,YAAY,EAAE,MAAM;CAGpB,wBAAwB;EACtB,OAAO;EACP,eAAe;;CAEjB,SAAS;EAIP,KAAK;EACL,qBAAqB;EACrB,eAAe;GAEb,iBAAiB;GAEjB,mBAAmB;GAEnB,sBAAsB,OAAU;GAEhC,cAAc,OAAU;GAExB,eAAe;;;CAGnB,kBAAkB,EAChB,aAAa;EAEX,GAAG;EAGH,gBAAgB;EAChB,sBAAsB;EACtB,uBAAuB;;CAG3B,wBAAwB;EACtB,8BAA8B;EAC9B,yBAAyB;EACzB,2BAA2B;;CAG7B,cAAc;EACZ,cAAc;EACd,mBAAmB;EACnB,aAAa;EACb,cAAc;;;AAOlB,MAAa,0CAA0C;AACvD,MAAa,2CAA2C;AACxD,MAAa,uCAAuC,CAClD,yCACA;AAQF,MAAaC,mCAA2D;CACtE,8BAA8B,gCAAgC,uBAAuB;CACrF,yBAAyB,gCAAgC,uBAAuB;CAChF,2BAA2B,gCAAgC,uBAAuB"}
1
+ {"version":3,"file":"defaultConfigs.js","names":["PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs","DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts"],"sources":["../../../../../../src/core/defaultConfigs.ts"],"sourcesContent":["import type { EmailRecoveryContracts, TatchiConfigs, TatchiConfigsInput } from './types/tatchi';\nimport { coerceSignerMode } from './types/signer-worker';\nimport { toTrimmedString } from '@/utils';\n\n// Default SDK configs suitable for local dev.\n// Cross-origin wallet isolation is recommended; set iframeWallet in your app config when you have a dedicated origin.\n// Consumers can shallow-merge overrides by field.\n\nexport const PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs = {\n // You can provide a single URL or a comma-separated list for failover.\n // First URL is treated as primary, subsequent URLs are fallbacks.\n nearRpcUrl: 'https://test.rpc.fastnear.com, https://rpc.testnet.near.org',\n nearNetwork: 'testnet',\n contractId: 'w3a-v1.testnet',\n nearExplorerUrl: 'https://testnet.nearblocks.io',\n signerMode: { mode: 'local-signer' },\n // Warm signing session defaults used by login/unlock flows.\n // Enforcement (TTL/uses) is owned by the VRF worker; signer workers remain one-shot.\n signingSessionDefaults: {\n ttlMs: 0, // 0 minutes\n remainingUses: 0, // default to requiring a touchID prompt for each transaction\n },\n relayer: {\n // accountId: 'w3a-v1.testnet',\n // No default relayer URL. Force apps to configure via env/overrides.\n // Using an empty string triggers early validation errors in code paths that require it.\n url: '',\n delegateActionRoute: '/signed-delegate',\n emailRecovery: {\n // Require at least 0.01 NEAR available to start email recovery.\n minBalanceYocto: '10000000000000000000000', // 0.01 NEAR\n // Poll every 4 seconds for verification status / access key.\n pollingIntervalMs: 4000,\n // Stop polling after 30 minutes.\n maxPollingDurationMs: 30 * 60 * 1000,\n // Expire pending recovery records after 30 minutes.\n pendingTtlMs: 30 * 60 * 1000,\n // Default recovery mailbox for examples / docs.\n mailtoAddress: 'recover@web3authn.org',\n },\n },\n vrfWorkerConfigs: {\n shamir3pass: {\n // default Shamir's P in vrf-wasm-worker, needs to match relay server's Shamir P\n p: '3N5w46AIGjGT2v5Vua_TMD5Ywfa9U2F7-WzW8SNDsIM',\n // No default relay server URL to avoid accidental localhost usage in non-dev envs\n // Defaults to relayer.url when undefined\n relayServerUrl: '',\n applyServerLockRoute: '/vrf/apply-server-lock',\n removeServerLockRoute: '/vrf/remove-server-lock',\n }\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: 'w3a-email-recoverer-v1.testnet',\n zkEmailVerifierContract: 'zk-email-verifier-v1.testnet',\n emailDkimVerifierContract: 'email-dkim-verifier-v1.testnet',\n },\n // Configure iframeWallet in application code to point at your dedicated wallet origin when available.\n iframeWallet: {\n walletOrigin: 'https://wallet.example.localhost',\n walletServicePath: '/wallet-service',\n sdkBasePath: '/sdk',\n rpIdOverride: 'example.localhost',\n }\n};\n\n// Default threshold participant identifiers (2P FROST).\n// These are intentionally exported as standalone constants so apps can reuse them when wiring\n// threshold signing across client + server environments.\nexport const THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID = 1 as const;\nexport const THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID = 2 as const;\nexport const THRESHOLD_ED25519_2P_PARTICIPANT_IDS = [\n THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID,\n THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID,\n] as const;\n\n// Threshold node roles.\n// Coordinator is the default because it exposes the public `/threshold-ed25519/sign/*` endpoints.\nexport const THRESHOLD_NODE_ROLE_COORDINATOR = 'coordinator' as const;\nexport const THRESHOLD_NODE_ROLE_DEFAULT = THRESHOLD_NODE_ROLE_COORDINATOR;\n\nexport const DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts = {\n emailRecovererGlobalContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailRecovererGlobalContract,\n zkEmailVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.zkEmailVerifierContract,\n emailDkimVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n};\n\n// Merge defaults with overrides\nexport function buildConfigsFromEnv(overrides: TatchiConfigsInput = {}): TatchiConfigs {\n\n const defaults = PASSKEY_MANAGER_DEFAULT_CONFIGS;\n const relayerUrl = overrides.relayer?.url ?? defaults.relayer?.url ?? '';\n // Prefer explicit override for relayer URL; fall back to default preset.\n // Used below to default VRF relayServerUrl when it is undefined.\n const relayServerUrlDefault = relayerUrl;\n const overrideShamirRelayServerUrl = overrides.vrfWorkerConfigs?.shamir3pass?.relayServerUrl;\n const resolvedShamirRelayServerUrl = overrideShamirRelayServerUrl !== undefined\n ? toTrimmedString(overrideShamirRelayServerUrl) ?? ''\n : toTrimmedString(defaults.vrfWorkerConfigs?.shamir3pass?.relayServerUrl) || relayServerUrlDefault;\n const signerMode = coerceSignerMode(overrides.signerMode, defaults.signerMode);\n\n const merged: TatchiConfigs = {\n nearRpcUrl: overrides.nearRpcUrl ?? defaults.nearRpcUrl,\n nearNetwork: overrides.nearNetwork ?? defaults.nearNetwork,\n contractId: overrides.contractId ?? defaults.contractId,\n nearExplorerUrl: overrides.nearExplorerUrl ?? defaults.nearExplorerUrl,\n walletTheme: overrides.walletTheme ?? defaults.walletTheme,\n signerMode,\n signingSessionDefaults: {\n ttlMs: overrides.signingSessionDefaults?.ttlMs\n ?? defaults.signingSessionDefaults?.ttlMs,\n remainingUses: overrides.signingSessionDefaults?.remainingUses\n ?? defaults.signingSessionDefaults?.remainingUses,\n },\n relayer: {\n url: relayerUrl,\n delegateActionRoute: overrides.relayer?.delegateActionRoute\n ?? defaults.relayer?.delegateActionRoute,\n emailRecovery: {\n minBalanceYocto: overrides.relayer?.emailRecovery?.minBalanceYocto\n ?? defaults.relayer?.emailRecovery?.minBalanceYocto,\n pollingIntervalMs: overrides.relayer?.emailRecovery?.pollingIntervalMs\n ?? defaults.relayer?.emailRecovery?.pollingIntervalMs,\n maxPollingDurationMs: overrides.relayer?.emailRecovery?.maxPollingDurationMs\n ?? defaults.relayer?.emailRecovery?.maxPollingDurationMs,\n pendingTtlMs: overrides.relayer?.emailRecovery?.pendingTtlMs\n ?? defaults.relayer?.emailRecovery?.pendingTtlMs,\n mailtoAddress: overrides.relayer?.emailRecovery?.mailtoAddress\n ?? defaults.relayer?.emailRecovery?.mailtoAddress,\n },\n },\n authenticatorOptions: overrides.authenticatorOptions ?? defaults.authenticatorOptions,\n vrfWorkerConfigs: {\n shamir3pass: {\n p: overrides.vrfWorkerConfigs?.shamir3pass?.p\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.p,\n relayServerUrl: resolvedShamirRelayServerUrl,\n applyServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n removeServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute\n ?? defaults.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n },\n },\n emailRecoveryContracts: {\n emailRecovererGlobalContract: overrides.emailRecoveryContracts?.emailRecovererGlobalContract\n ?? defaults.emailRecoveryContracts?.emailRecovererGlobalContract,\n zkEmailVerifierContract: overrides.emailRecoveryContracts?.zkEmailVerifierContract\n ?? defaults.emailRecoveryContracts?.zkEmailVerifierContract,\n emailDkimVerifierContract: overrides.emailRecoveryContracts?.emailDkimVerifierContract\n ?? defaults.emailRecoveryContracts?.emailDkimVerifierContract,\n },\n iframeWallet: {\n // Preserve explicit empty-string walletOrigin (\"\") because it is used as a sentinel\n // to disable iframe-wallet mode in tests and some apps.\n walletOrigin: overrides.iframeWallet?.walletOrigin\n ?? defaults.iframeWallet?.walletOrigin,\n rpIdOverride: overrides.iframeWallet?.rpIdOverride\n ?? defaults.iframeWallet?.rpIdOverride,\n // IMPORTANT: the following fields are often wired from CI env vars like `VITE_SDK_BASE_PATH`.\n // When a GitHub Actions env var is missing, expressions like `${{ vars.VITE_SDK_BASE_PATH }}`\n // frequently become the empty string at build-time. Treat empty strings as \"unset\" so we\n // fall back to SDK defaults instead of accidentally generating root-relative URLs like:\n // https://wallet.example.com/w3a-components.css (wrong; should be /sdk/w3a-components.css)\n walletServicePath: toTrimmedString(overrides.iframeWallet?.walletServicePath)\n || toTrimmedString(defaults.iframeWallet?.walletServicePath)\n || '/wallet-service',\n sdkBasePath: toTrimmedString(overrides.iframeWallet?.sdkBasePath)\n || toTrimmedString(defaults.iframeWallet?.sdkBasePath)\n || '/sdk',\n }\n };\n if (!merged.contractId) {\n throw new Error('[configPresets] Missing required config: contractId');\n }\n if (!merged.relayer.url) {\n throw new Error('[configPresets] Missing required config: relayer.url');\n }\n return merged;\n}\n"],"mappings":";;AAQA,MAAaA,kCAAiD;CAG5D,YAAY;CACZ,aAAa;CACb,YAAY;CACZ,iBAAiB;CACjB,YAAY,EAAE,MAAM;CAGpB,wBAAwB;EACtB,OAAO;EACP,eAAe;;CAEjB,SAAS;EAIP,KAAK;EACL,qBAAqB;EACrB,eAAe;GAEb,iBAAiB;GAEjB,mBAAmB;GAEnB,sBAAsB,OAAU;GAEhC,cAAc,OAAU;GAExB,eAAe;;;CAGnB,kBAAkB,EAChB,aAAa;EAEX,GAAG;EAGH,gBAAgB;EAChB,sBAAsB;EACtB,uBAAuB;;CAG3B,wBAAwB;EACtB,8BAA8B;EAC9B,yBAAyB;EACzB,2BAA2B;;CAG7B,cAAc;EACZ,cAAc;EACd,mBAAmB;EACnB,aAAa;EACb,cAAc;;;AAOlB,MAAa,0CAA0C;AACvD,MAAa,2CAA2C;AACxD,MAAa,uCAAuC,CAClD,yCACA;AAQF,MAAaC,mCAA2D;CACtE,8BAA8B,gCAAgC,uBAAuB;CACrF,yBAAyB,gCAAgC,uBAAuB;CAChF,2BAA2B,gCAAgC,uBAAuB"}
package/dist/esm/core/IndexedDBManager/passkeyClientDB.js CHANGED
@@ -298,8 +298,8 @@ var PasskeyClientDBManager = class {
298
298
  await this.storeUser(userData);
299
299
  return userData;
300
300
  }
301
- async updateUser(nearAccountId, updates) {
302
- const user = await this.getUser(nearAccountId);
301
+ async updateUser(nearAccountId, updates, deviceNumber) {
302
+ const user = await this.getUser(nearAccountId, deviceNumber);
303
303
  if (user) {
304
304
  const updatedUser = {
305
305
  ...user,