@textrp/briij-js-sdk 43.0.0 → 43.1.1

package/src/wallet-recovery.ts

@@ -21,6 +21,9 @@ const KEY_BYTES = 32;
 const NONCE_BYTES = 12;
 const SALT_BYTES = 16;
 const PASSWORD_KDF_ITERATIONS = 210_000;
+const SUPPORTED_WRAP_ALG = "aes-256-gcm";
+const SUPPORTED_WALLET_WRAP_KDF = "sha256-context-v1";
+const SUPPORTED_PASSWORD_WRAP_KDF = "pbkdf2-sha256-v1";
 
 export interface CreateDualWrapEnvelopeParams {
     chainId: string;
@@ -76,13 +79,10 @@ function randomBytes(len: number): Uint8Array {
 }
 
 async function importAesGcmKey(key: Uint8Array): Promise<CryptoKey> {
-    return await globalThis.crypto.subtle.importKey(
-        "raw",
-        toArrayBuffer(key),
-        { name: "AES-GCM" },
-        false,
-        ["encrypt", "decrypt"],
-    );
+    return await globalThis.crypto.subtle.importKey("raw", toArrayBuffer(key), { name: "AES-GCM" }, false, [
+        "encrypt",
+        "decrypt",
+    ]);
 }
 
 async function encryptWrap(
@@ -125,6 +125,14 @@ async function encryptWrap(
 }
 
 async function decryptWrap(wrap: WalletRecoveryWrap, key: Uint8Array): Promise<Uint8Array> {
+    assert(
+        wrap.alg === SUPPORTED_WRAP_ALG,
+        `Unsupported recovery wrap alg '${wrap.alg}', expected '${SUPPORTED_WRAP_ALG}'`,
+    );
+    assert(
+        wrap.kdf === SUPPORTED_WALLET_WRAP_KDF || wrap.kdf === SUPPORTED_PASSWORD_WRAP_KDF,
+        `Unsupported recovery wrap kdf '${wrap.kdf}'`,
+    );
     const nonce = fromBase64(wrap.nonce);
     const aad = wrap.aad ? fromBase64(wrap.aad) : new Uint8Array();
     const ciphertext = fromBase64(wrap.ciphertext);
@@ -143,9 +151,13 @@ async function decryptWrap(wrap: WalletRecoveryWrap, key: Uint8Array): Promise<U
 }
 
 async function derivePasswordWrapKey(password: string, salt: Uint8Array): Promise<Uint8Array> {
-    const keyMaterial = await globalThis.crypto.subtle.importKey("raw", toArrayBuffer(toUtf8(password)), "PBKDF2", false, [
-        "deriveBits",
-    ]);
+    const keyMaterial = await globalThis.crypto.subtle.importKey(
+        "raw",
+        toArrayBuffer(toUtf8(password)),
+        "PBKDF2",
+        false,
+        ["deriveBits"],
+    );
     const bits = await globalThis.crypto.subtle.deriveBits(
         {
             name: "PBKDF2",
@@ -165,7 +177,8 @@ export async function deriveWalletWrapKeyFromSecret(
     accountId: string,
     homeserver: string,
 ): Promise<Uint8Array> {
-    const context = `briij-wallet-auth-wrap-v1:${homeserver}:${chainId}:${accountId}`;
+    const canonicalHomeserver = canonicalizeHomeserver(homeserver);
+    const context = `briij-wallet-auth-wrap-v1:${canonicalHomeserver}:${chainId}:${accountId}`;
     const digest = await globalThis.crypto.subtle.digest(
         "SHA-256",
         toArrayBuffer(toUtf8(`${context}:${walletSecret}`)),
@@ -173,28 +186,82 @@ export async function deriveWalletWrapKeyFromSecret(
     return new Uint8Array(digest);
 }
 
-export function validateRecoveryEnvelopeShape(
-    value: unknown,
-): asserts value is WalletE2eeRecoveryEnvelope {
+export function validateRecoveryEnvelopeShape(value: unknown): asserts value is WalletE2eeRecoveryEnvelope {
     assert(!!value && typeof value === "object", "recovery envelope must be an object");
     const envelope = value as WalletE2eeRecoveryEnvelope;
     assert(typeof envelope.envelope_version === "number", "envelope_version must be a number");
+    assert(
+        envelope.envelope_version === ENVELOPE_VERSION,
+        `Unsupported envelope_version '${envelope.envelope_version}', expected '${ENVELOPE_VERSION}'`,
+    );
     assert(typeof envelope.chain_id === "string" && envelope.chain_id.length > 0, "chain_id is required");
     assert(typeof envelope.account_id === "string" && envelope.account_id.length > 0, "account_id is required");
     assert(typeof envelope.created_at_ms === "number", "created_at_ms must be a number");
     assert(typeof envelope.key_id === "string" && envelope.key_id.length > 0, "key_id is required");
     assert(!!envelope.wallet_wrap && typeof envelope.wallet_wrap === "object", "wallet_wrap is required");
     assert(!!envelope.password_wrap && typeof envelope.password_wrap === "object", "password_wrap is required");
-    for (const wrap of [envelope.wallet_wrap, envelope.password_wrap]) {
-        assert(typeof wrap.alg === "string" && wrap.alg.length > 0, "wrap.alg is required");
-        assert(typeof wrap.kdf === "string" && wrap.kdf.length > 0, "wrap.kdf is required");
-        assert(typeof wrap.salt === "string" && wrap.salt.length > 0, "wrap.salt is required");
-        assert(typeof wrap.nonce === "string" && wrap.nonce.length > 0, "wrap.nonce is required");
-        assert(typeof wrap.ciphertext === "string" && wrap.ciphertext.length > 0, "wrap.ciphertext is required");
-    }
+    assert(
+        typeof envelope.wallet_wrap.alg === "string" && envelope.wallet_wrap.alg.length > 0,
+        "wallet_wrap.alg is required",
+    );
+    assert(
+        typeof envelope.wallet_wrap.kdf === "string" && envelope.wallet_wrap.kdf.length > 0,
+        "wallet_wrap.kdf is required",
+    );
+    assert(
+        envelope.wallet_wrap.alg === SUPPORTED_WRAP_ALG,
+        `Unsupported wallet_wrap.alg '${envelope.wallet_wrap.alg}', expected '${SUPPORTED_WRAP_ALG}'`,
+    );
+    assert(
+        envelope.wallet_wrap.kdf === SUPPORTED_WALLET_WRAP_KDF,
+        `Unsupported wallet_wrap.kdf '${envelope.wallet_wrap.kdf}', expected '${SUPPORTED_WALLET_WRAP_KDF}'`,
+    );
+    assert(
+        typeof envelope.wallet_wrap.salt === "string" && envelope.wallet_wrap.salt.length > 0,
+        "wallet_wrap.salt is required",
+    );
+    assert(
+        typeof envelope.wallet_wrap.nonce === "string" && envelope.wallet_wrap.nonce.length > 0,
+        "wallet_wrap.nonce is required",
+    );
+    assert(
+        typeof envelope.wallet_wrap.ciphertext === "string" && envelope.wallet_wrap.ciphertext.length > 0,
+        "wallet_wrap.ciphertext is required",
+    );
+
+    assert(
+        typeof envelope.password_wrap.alg === "string" && envelope.password_wrap.alg.length > 0,
+        "password_wrap.alg is required",
+    );
+    assert(
+        typeof envelope.password_wrap.kdf === "string" && envelope.password_wrap.kdf.length > 0,
+        "password_wrap.kdf is required",
+    );
+    assert(
+        envelope.password_wrap.alg === SUPPORTED_WRAP_ALG,
+        `Unsupported password_wrap.alg '${envelope.password_wrap.alg}', expected '${SUPPORTED_WRAP_ALG}'`,
+    );
+    assert(
+        envelope.password_wrap.kdf === SUPPORTED_PASSWORD_WRAP_KDF,
+        `Unsupported password_wrap.kdf '${envelope.password_wrap.kdf}', expected '${SUPPORTED_PASSWORD_WRAP_KDF}'`,
+    );
+    assert(
+        typeof envelope.password_wrap.salt === "string" && envelope.password_wrap.salt.length > 0,
+        "password_wrap.salt is required",
+    );
+    assert(
+        typeof envelope.password_wrap.nonce === "string" && envelope.password_wrap.nonce.length > 0,
+        "password_wrap.nonce is required",
+    );
+    assert(
+        typeof envelope.password_wrap.ciphertext === "string" && envelope.password_wrap.ciphertext.length > 0,
+        "password_wrap.ciphertext is required",
+    );
 }
 
-export async function createDualWrapEnvelope(params: CreateDualWrapEnvelopeParams): Promise<WalletE2eeRecoveryEnvelope> {
+export async function createDualWrapEnvelope(
+    params: CreateDualWrapEnvelopeParams,
+): Promise<WalletE2eeRecoveryEnvelope> {
     assert(params.chainId.length > 0, "chainId is required");
     assert(params.accountId.length > 0, "accountId is required");
     assert(params.backupPassword.length > 0, "backupPassword is required");
@@ -241,12 +308,20 @@ export async function unwrapWithWallet({ envelope, walletWrapKey }: UnwrapWithWa
     return await decryptWrap(envelope.wallet_wrap, walletWrapKey);
 }
 
-export async function unwrapWithPassword({
-    envelope,
-    backupPassword,
-}: UnwrapWithPasswordParams): Promise<Uint8Array> {
+export async function unwrapWithPassword({ envelope, backupPassword }: UnwrapWithPasswordParams): Promise<Uint8Array> {
     validateRecoveryEnvelopeShape(envelope);
     const passwordSalt = fromBase64(envelope.password_wrap.salt);
     const passwordWrapKey = await derivePasswordWrapKey(backupPassword, passwordSalt);
     return await decryptWrap(envelope.password_wrap, passwordWrapKey);
 }
+
+function canonicalizeHomeserver(homeserver: string): string {
+    const trimmed = homeserver.trim().replace(/\/+$/, "");
+    try {
+        const parsed = new URL(trimmed);
+        parsed.hostname = parsed.hostname.toLowerCase();
+        return parsed.toString().replace(/\/+$/, "");
+    } catch {
+        return trimmed.toLowerCase();
+    }
+}

package/src/xrpl/identity.ts

@@ -66,8 +66,19 @@ export function setXamanWalletForXrplIdentity(xamanWallet: XamanWalletAdapter):
     };
 }
 
-export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<XrplIdentityMintResult | null> {
-    const { homeserverBaseUrl, accessToken, xamanWallet } = mintingConfig;
+export function getConfiguredXrplIdentityMintingConfig(): Partial<XrplIdentityMintingConfig> {
+    return { ...mintingConfig };
+}
+
+export async function mintSoulboundIdentityNFT(
+    matrixUserId: string,
+    config?: Partial<XrplIdentityMintingConfig>,
+): Promise<XrplIdentityMintResult | null> {
+    const effectiveConfig = {
+        ...mintingConfig,
+        ...config,
+    };
+    const { homeserverBaseUrl, accessToken, xamanWallet } = effectiveConfig;
     if (!homeserverBaseUrl || !accessToken || !xamanWallet) {
         logger.warn(
             "Skipping XRPL identity mint for %s: missing homeserver auth and/or Xaman wallet adapter",
@@ -85,10 +96,10 @@ export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<Xr
     }
 
     const xrplAddress = await xamanWallet.getAddress();
-    const ipfsUri = await buildIpfsUri(matrixUserId, xrplAddress);
+    const ipfsUri = await buildIpfsUri(matrixUserId, xrplAddress, effectiveConfig);
     const encodedUri = toHex(ipfsUri);
 
-    const xrplClient = new XrplClient(resolveXrplWebSocketUrl());
+    const xrplClient = new XrplClient(resolveXrplWebSocketUrl(effectiveConfig));
     await xrplClient.connect();
 
     try {
@@ -102,13 +113,9 @@ export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<Xr
 
         const autofilled = await xrplClient.autofill(mintTransaction);
         const { hash: txHash } = await xamanWallet.signAndSubmit(autofilled as unknown as Record<string, unknown>);
-        const txResult = await xrplClient.request({
-            command: "tx",
-            transaction: txHash,
-        });
-
+        const txResult = await waitForValidation(xrplClient, txHash);
         const nftTokenId =
-            extractNftTokenId(txResult.result?.meta) ??
+            extractTxScopedNftTokenId(txResult.result) ??
             (await findAccountNftByUri(xrplClient, xrplAddress, encodedUri));
         if (!nftTokenId) {
             throw new Error(`Unable to resolve NFTokenID for transaction ${txHash}`);
@@ -133,9 +140,13 @@ export async function mintSoulboundIdentityNFT(matrixUserId: string): Promise<Xr
     }
 }
 
-async function buildIpfsUri(matrixUserId: string, xrplAddress: string): Promise<string> {
-    if (mintingConfig.ipfsUriFactory) {
-        return await mintingConfig.ipfsUriFactory(matrixUserId, xrplAddress);
+async function buildIpfsUri(
+    matrixUserId: string,
+    xrplAddress: string,
+    config: Partial<XrplIdentityMintingConfig>,
+): Promise<string> {
+    if (config.ipfsUriFactory) {
+        return await config.ipfsUriFactory(matrixUserId, xrplAddress);
     }
 
     const payload = JSON.stringify({ matrixUserId, xrplAddress });
@@ -143,12 +154,26 @@ async function buildIpfsUri(matrixUserId: string, xrplAddress: string): Promise<
     return `ipfs://textrp-briij/${toHex(digest).slice(0, 46)}`;
 }
 
-function resolveXrplWebSocketUrl(): string {
-    if (mintingConfig.websocketUrl) return mintingConfig.websocketUrl;
-    const network = mintingConfig.network ?? DEFAULT_XRPL_NETWORK;
+function resolveXrplWebSocketUrl(config: Partial<XrplIdentityMintingConfig>): string {
+    if (config.websocketUrl) return config.websocketUrl;
+    const network = config.network ?? DEFAULT_XRPL_NETWORK;
     return network === "mainnet" ? DEFAULT_XRPL_MAINNET_WS : DEFAULT_XRPL_TESTNET_WS;
 }
 
+async function waitForValidation(xrplClient: XrplClient, txHash: string): Promise<{ result?: unknown }> {
+    for (let attempt = 0; attempt < 15; attempt += 1) {
+        const response = await xrplClient.request({
+            command: "tx",
+            transaction: txHash,
+        });
+        if (response.result?.validated === true) {
+            return response as unknown as { result?: unknown };
+        }
+        await sleep(1000);
+    }
+    throw new Error(`Timed out waiting for XRPL tx validation: ${txHash}`);
+}
+
 function accountDataUrl(baseUrl: string, matrixUserId: string): string {
     const trimmedBaseUrl = baseUrl.replace(/\/+$/, "");
     return `${trimmedBaseUrl}/_matrix/client/v3/user/${encodeURIComponent(matrixUserId)}/account_data/${encodeURIComponent(XRPL_IDENTITY_ACCOUNT_DATA_TYPE)}`;
@@ -162,7 +187,7 @@ async function getIdentityAccountData(
     const response = await fetch(accountDataUrl(homeserverBaseUrl, matrixUserId), {
         method: "GET",
         headers: {
-            Authorization: `Bearer ${accessToken}`,
+            "Authorization": `Bearer ${accessToken}`,
             "Content-Type": "application/json",
         },
     });
@@ -184,7 +209,7 @@ async function setIdentityAccountData(
     const response = await fetch(accountDataUrl(homeserverBaseUrl, matrixUserId), {
         method: "PUT",
         headers: {
-            Authorization: `Bearer ${accessToken}`,
+            "Authorization": `Bearer ${accessToken}`,
             "Content-Type": "application/json",
         },
         body: JSON.stringify(payload),
@@ -195,7 +220,11 @@ async function setIdentityAccountData(
     }
 }
 
-async function findAccountNftByUri(xrplClient: XrplClient, xrplAddress: string, encodedUri: string): Promise<string | null> {
+async function findAccountNftByUri(
+    xrplClient: XrplClient,
+    xrplAddress: string,
+    encodedUri: string,
+): Promise<string | null> {
     const response = await xrplClient.request({
         command: "account_nfts",
         account: xrplAddress,
@@ -209,28 +238,20 @@ async function findAccountNftByUri(xrplClient: XrplClient, xrplAddress: string,
     return nft?.NFTokenID ?? null;
 }
 
-function extractNftTokenId(meta: unknown): string | null {
-    if (!meta || typeof meta !== "object") return null;
-    const affectedNodes = (meta as { AffectedNodes?: unknown[] }).AffectedNodes ?? [];
-
-    for (const nodeWrapper of affectedNodes) {
-        if (!nodeWrapper || typeof nodeWrapper !== "object") continue;
-        const [nodeValue] = Object.values(nodeWrapper as Record<string, unknown>);
-        if (!nodeValue || typeof nodeValue !== "object") continue;
+function extractTxScopedNftTokenId(result: unknown): string | null {
+    if (!result || typeof result !== "object") {
+        return null;
+    }
 
-        const newFields = (nodeValue as { NewFields?: unknown }).NewFields;
-        const finalFields = (nodeValue as { FinalFields?: unknown }).FinalFields;
-        const tokensContainer = [newFields, finalFields].find((container) => {
-            if (!container || typeof container !== "object") return false;
-            return Array.isArray((container as { NFTokens?: unknown[] }).NFTokens);
-        }) as { NFTokens?: unknown[] } | undefined;
+    const payload = result as Record<string, unknown>;
+    const directTokenId = payload["nftoken_id"];
+    if (typeof directTokenId === "string" && directTokenId.length > 0) {
+        return directTokenId;
+    }
 
-        const nftokens = tokensContainer?.NFTokens ?? [];
-        for (const tokenEntry of nftokens) {
-            if (!tokenEntry || typeof tokenEntry !== "object") continue;
-            const token = (tokenEntry as { NFToken?: { NFTokenID?: string } }).NFToken;
-            if (token?.NFTokenID) return token.NFTokenID;
-        }
+    const directAlternate = payload["NFTokenID"];
+    if (typeof directAlternate === "string" && directAlternate.length > 0) {
+        return directAlternate;
     }
 
     return null;
@@ -243,3 +264,9 @@ function toHex(input: string | Uint8Array): string {
         .join("")
         .toUpperCase();
 }
+
+async function sleep(ms: number): Promise<void> {
+    await new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}

package/src/xrpl/trust.ts

@@ -15,6 +15,7 @@ limitations under the License.
 */
 
 const DEFAULT_TRUST_PATH = "/_matrix/client/v3/org.textrp.xrpl/trust";
+const DEFAULT_TRUST_TIMEOUT_MS = 10_000;
 
 export interface XrplTrustConfig {
     homeserverBaseUrl: string;
@@ -22,35 +23,51 @@ export interface XrplTrustConfig {
     trustPath?: string;
 }
 
-let xrplTrustConfig: Partial<XrplTrustConfig> = {};
-
-export function configureXrplTrust(config: Partial<XrplTrustConfig>): void {
-    xrplTrustConfig = {
-        ...xrplTrustConfig,
-        ...config,
-    };
+export interface XrplTrustRequestOptions {
+    timeoutMs?: number;
 }
 
-export async function getTrustScore(payer: string, payee: string): Promise<number> {
-    const homeserverBaseUrl = xrplTrustConfig.homeserverBaseUrl;
-    const accessToken = xrplTrustConfig.accessToken;
+export async function getTrustScore(
+    payer: string,
+    payee: string,
+    config: XrplTrustConfig,
+    options?: XrplTrustRequestOptions,
+): Promise<number> {
+    const { homeserverBaseUrl, accessToken } = config;
     if (!homeserverBaseUrl || !accessToken) {
         throw new Error("XRPL trust config is incomplete");
     }
 
     const trimmedBaseUrl = homeserverBaseUrl.replace(/\/+$/, "");
-    const trustPath = xrplTrustConfig.trustPath ?? DEFAULT_TRUST_PATH;
+    const trustPath = config.trustPath ?? DEFAULT_TRUST_PATH;
     const query = new URLSearchParams({
         payer,
         payee,
     });
-    const response = await fetch(`${trimmedBaseUrl}${trustPath}?${query.toString()}`, {
-        method: "GET",
-        headers: {
-            Authorization: `Bearer ${accessToken}`,
-            "Content-Type": "application/json",
-        },
-    });
+    const timeoutMs = options?.timeoutMs ?? DEFAULT_TRUST_TIMEOUT_MS;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => {
+        controller.abort();
+    }, timeoutMs);
+
+    let response: Response;
+    try {
+        response = await fetch(`${trimmedBaseUrl}${trustPath}?${query.toString()}`, {
+            method: "GET",
+            headers: {
+                "Authorization": `Bearer ${accessToken}`,
+                "Content-Type": "application/json",
+            },
+            signal: controller.signal,
+        });
+    } catch (error) {
+        if (error instanceof Error && error.name === "AbortError") {
+            throw new Error(`Timed out fetching trust score after ${timeoutMs}ms`);
+        }
+        throw error;
+    } finally {
+        clearTimeout(timeoutId);
+    }
 
     if (!response.ok) {
         throw new Error(`Failed to fetch trust score: HTTP ${response.status}`);

package/src/xrpl/verification.ts

@@ -114,8 +114,8 @@ export async function acceptVerification(issuerXrplAddress: string): Promise<Xrp
 
     await matrixClient.sendEvent(roomId, XRPL_VERIFY_ACCEPT_EVENT, {
         tx_hash: txHash,
-        issuer_xrpl_address: signerAddress,
-        accepter_xrpl_address: issuerXrplAddress,
+        issuer_xrpl_address: issuerXrplAddress,
+        accepter_xrpl_address: signerAddress,
         nft_token_id: identity.nftTokenId,
         ipfs_uri: updatedUri,
         trust_model: NFT_TRUST_TAG,
@@ -154,10 +154,23 @@ async function signAndValidateOnXrpl(
 
 async function waitForValidation(xrplClient: XrplClient, txHash: string): Promise<void> {
     for (let attempt = 0; attempt < 15; attempt += 1) {
-        const response = await xrplClient.request({
-            command: "tx",
-            transaction: txHash,
-        });
+        let response: { result?: { validated?: boolean } };
+        try {
+            response = (await xrplClient.request({
+                command: "tx",
+                transaction: txHash,
+            })) as { result?: { validated?: boolean } };
+        } catch (error) {
+            const errorCode =
+                error instanceof Error && "data" in error
+                    ? ((error as { data?: { error?: string } }).data?.error ?? (error as { error?: string }).error)
+                    : undefined;
+            if (errorCode === "txnNotFound") {
+                await sleep(1000);
+                continue;
+            }
+            throw error;
+        }
 
         if (response.result?.validated === true) return;
         await sleep(1000);