@thru/passkey 0.2.13 → 0.2.14

package/src/mobile/passkey.ts

@@ -0,0 +1,154 @@
+import { create as passkeyCreate, get as passkeyGet } from 'react-native-passkeys';
+import {
+  bytesToBase64Url,
+  base64UrlToBytes,
+  normalizeLowS,
+  parseDerSignature,
+  type PasskeySigningResult,
+} from '@thru/passkey-manager';
+import type {
+  DiscoverablePasskeyResult,
+  PasskeyMobileConfig,
+  PasskeyRegistrationResult,
+} from './types';
+
+type ProcessLike = typeof globalThis & {
+  process?: {
+    env?: Record<string, string | undefined>;
+  };
+};
+
+function getDefaultConfig(config?: PasskeyMobileConfig): Required<PasskeyMobileConfig> {
+  const env = (globalThis as ProcessLike).process?.env ?? {};
+
+  return {
+    rpId: config?.rpId ?? env.EXPO_PUBLIC_PASSKEY_RP_ID ?? 'wallet.thru.org',
+    rpName: config?.rpName ?? env.EXPO_PUBLIC_PASSKEY_RP_NAME ?? 'Thru Wallet',
+  };
+}
+
+export async function registerPasskey(
+  alias: string,
+  userId: string,
+  config?: PasskeyMobileConfig
+): Promise<PasskeyRegistrationResult> {
+  const { rpId, rpName } = getDefaultConfig(config);
+  const challenge = bytesToBase64Url(crypto.getRandomValues(new Uint8Array(32)));
+  const userIdB64 = bytesToBase64Url(new TextEncoder().encode(userId));
+
+  const result = await passkeyCreate({
+    challenge,
+    rp: { id: rpId, name: rpName },
+    user: { id: userIdB64, name: alias, displayName: alias },
+    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
+    authenticatorSelection: {
+      authenticatorAttachment: 'platform',
+      userVerification: 'required',
+      residentKey: 'required',
+    },
+    attestation: 'none',
+    timeout: 60000,
+  });
+
+  if (!result) {
+    throw new Error('Passkey registration was cancelled');
+  }
+
+  const publicKeyB64 = result.response.getPublicKey?.();
+  if (!publicKeyB64) {
+    throw new Error('Failed to retrieve public key from registration');
+  }
+
+  const keyBytes = base64UrlToBytes(publicKeyB64);
+  const { x, y } = extractP256Coordinates(keyBytes);
+
+  return {
+    credentialId: result.id,
+    publicKeyX: x,
+    publicKeyY: y,
+    rpId,
+  };
+}
+
+export async function signWithPasskey(
+  credentialId: string,
+  challenge: Uint8Array,
+  rpId?: string
+): Promise<PasskeySigningResult> {
+  const resolvedRpId = rpId ?? getDefaultConfig().rpId;
+  const challengeB64 = bytesToBase64Url(challenge);
+
+  const result = await passkeyGet({
+    challenge: challengeB64,
+    rpId: resolvedRpId,
+    allowCredentials: [{ type: 'public-key', id: credentialId }],
+    userVerification: 'required',
+    timeout: 60000,
+  });
+
+  if (!result) {
+    throw new Error('Passkey authentication was cancelled');
+  }
+
+  const derSignature = base64UrlToBytes(result.response.signature);
+  let { r, s } = parseDerSignature(derSignature);
+  s = normalizeLowS(s);
+
+  return {
+    signature: new Uint8Array([...r, ...s]),
+    authenticatorData: base64UrlToBytes(result.response.authenticatorData),
+    clientDataJSON: base64UrlToBytes(result.response.clientDataJSON),
+    signatureR: r,
+    signatureS: s,
+  };
+}
+
+export async function authenticateWithDiscoverablePasskey(
+  config?: Pick<PasskeyMobileConfig, 'rpId'>
+): Promise<DiscoverablePasskeyResult | null> {
+  const { rpId } = getDefaultConfig(config);
+
+  try {
+    const challenge = bytesToBase64Url(crypto.getRandomValues(new Uint8Array(32)));
+    const result = await passkeyGet({
+      challenge,
+      rpId,
+      userVerification: 'required',
+      timeout: 60000,
+    });
+
+    return result ? { credentialId: result.id, rpId } : null;
+  } catch {
+    return null;
+  }
+}
+
+export function extractP256Coordinates(
+  keyBytes: Uint8Array
+): { x: Uint8Array; y: Uint8Array } {
+  if (keyBytes.length === 64) {
+    return {
+      x: keyBytes.slice(0, 32),
+      y: keyBytes.slice(32, 64),
+    };
+  }
+
+  if (keyBytes.length === 65 && keyBytes[0] === 0x04) {
+    return {
+      x: keyBytes.slice(1, 33),
+      y: keyBytes.slice(33, 65),
+    };
+  }
+
+  const pointStart = keyBytes.length - 65;
+  if (pointStart > 0 && keyBytes[pointStart] === 0x04) {
+    return {
+      x: keyBytes.slice(pointStart + 1, pointStart + 33),
+      y: keyBytes.slice(pointStart + 33, pointStart + 65),
+    };
+  }
+
+  throw new Error(
+    `Unsupported public key format (${keyBytes.length} bytes). Expected raw X||Y (64), uncompressed point (65), or SPKI DER (91).`
+  );
+}

package/src/mobile/storage.ts

@@ -0,0 +1,115 @@
+import * as SecureStore from 'expo-secure-store';
+import type { PasskeyMetadata } from '@thru/passkey-manager';
+
+const SECURE_STORE_OPTS = {
+  keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
+} as const;
+
+const PASSKEY_CREDENTIAL_ID_KEY = 'thru_passkey_credential_id';
+const PASSKEY_PUBLIC_KEY_X_KEY = 'thru_passkey_pubkey_x';
+const PASSKEY_PUBLIC_KEY_Y_KEY = 'thru_passkey_pubkey_y';
+const PASSKEY_RP_ID_KEY = 'thru_passkey_rp_id';
+const PASSKEY_LABEL_KEY = 'thru_passkey_label';
+const PASSKEY_CREATED_AT_KEY = 'thru_passkey_created_at';
+const PASSKEY_LAST_USED_AT_KEY = 'thru_passkey_last_used_at';
+
+const ADDRESS_KEY = 'thru_address';
+const USER_ID_KEY = 'thru_user_id';
+const TOKEN_ACCOUNT_KEY = 'thru_token_account';
+
+export async function storePasskeyMetadata(metadata: PasskeyMetadata): Promise<void> {
+  await Promise.all([
+    SecureStore.setItemAsync(PASSKEY_CREDENTIAL_ID_KEY, metadata.credentialId, SECURE_STORE_OPTS),
+    SecureStore.setItemAsync(PASSKEY_PUBLIC_KEY_X_KEY, metadata.publicKeyX, SECURE_STORE_OPTS),
+    SecureStore.setItemAsync(PASSKEY_PUBLIC_KEY_Y_KEY, metadata.publicKeyY, SECURE_STORE_OPTS),
+    SecureStore.setItemAsync(PASSKEY_RP_ID_KEY, metadata.rpId, SECURE_STORE_OPTS),
+    SecureStore.setItemAsync(PASSKEY_LABEL_KEY, metadata.label ?? '', SECURE_STORE_OPTS),
+    SecureStore.setItemAsync(PASSKEY_CREATED_AT_KEY, metadata.createdAt, SECURE_STORE_OPTS),
+    SecureStore.setItemAsync(PASSKEY_LAST_USED_AT_KEY, metadata.lastUsedAt, SECURE_STORE_OPTS),
+  ]);
+}
+
+export async function getStoredPasskeyMetadata(): Promise<PasskeyMetadata | null> {
+  const credentialId = await SecureStore.getItemAsync(PASSKEY_CREDENTIAL_ID_KEY);
+  if (!credentialId) return null;
+
+  const [publicKeyX, publicKeyY, rpId, label, createdAt, lastUsedAt] = await Promise.all([
+    SecureStore.getItemAsync(PASSKEY_PUBLIC_KEY_X_KEY),
+    SecureStore.getItemAsync(PASSKEY_PUBLIC_KEY_Y_KEY),
+    SecureStore.getItemAsync(PASSKEY_RP_ID_KEY),
+    SecureStore.getItemAsync(PASSKEY_LABEL_KEY),
+    SecureStore.getItemAsync(PASSKEY_CREATED_AT_KEY),
+    SecureStore.getItemAsync(PASSKEY_LAST_USED_AT_KEY),
+  ]);
+
+  if (!rpId || !createdAt) return null;
+
+  return {
+    credentialId,
+    publicKeyX: publicKeyX ?? '',
+    publicKeyY: publicKeyY ?? '',
+    rpId,
+    label: label || undefined,
+    createdAt,
+    lastUsedAt: lastUsedAt ?? createdAt,
+  };
+}
+
+export async function touchPasskeyLastUsedAt(lastUsedAt = new Date().toISOString()): Promise<string> {
+  await SecureStore.setItemAsync(PASSKEY_LAST_USED_AT_KEY, lastUsedAt, SECURE_STORE_OPTS);
+  return lastUsedAt;
+}
+
+export async function hasStoredPasskey(): Promise<boolean> {
+  return (await SecureStore.getItemAsync(PASSKEY_CREDENTIAL_ID_KEY)) !== null;
+}
+
+export async function clearPasskeyMetadata(): Promise<void> {
+  await Promise.all([
+    SecureStore.deleteItemAsync(PASSKEY_CREDENTIAL_ID_KEY),
+    SecureStore.deleteItemAsync(PASSKEY_PUBLIC_KEY_X_KEY),
+    SecureStore.deleteItemAsync(PASSKEY_PUBLIC_KEY_Y_KEY),
+    SecureStore.deleteItemAsync(PASSKEY_RP_ID_KEY),
+    SecureStore.deleteItemAsync(PASSKEY_LABEL_KEY),
+    SecureStore.deleteItemAsync(PASSKEY_CREATED_AT_KEY),
+    SecureStore.deleteItemAsync(PASSKEY_LAST_USED_AT_KEY),
+  ]);
+}
+
+export async function storeWalletInfo(
+  address: string,
+  userId: string,
+  tokenAccountAddress?: string
+): Promise<void> {
+  await Promise.all([
+    SecureStore.setItemAsync(ADDRESS_KEY, address, SECURE_STORE_OPTS),
+    SecureStore.setItemAsync(USER_ID_KEY, userId, SECURE_STORE_OPTS),
+    tokenAccountAddress
+      ? SecureStore.setItemAsync(TOKEN_ACCOUNT_KEY, tokenAccountAddress, SECURE_STORE_OPTS)
+      : SecureStore.deleteItemAsync(TOKEN_ACCOUNT_KEY),
+  ]);
+}
+
+export async function hasStoredWallet(): Promise<boolean> {
+  return (await SecureStore.getItemAsync(ADDRESS_KEY)) !== null;
+}
+
+export async function getStoredAddress(): Promise<string | null> {
+  return SecureStore.getItemAsync(ADDRESS_KEY);
+}
+
+export async function getStoredUserId(): Promise<string | null> {
+  return SecureStore.getItemAsync(USER_ID_KEY);
+}
+
+export async function getStoredTokenAccount(): Promise<string | null> {
+  return SecureStore.getItemAsync(TOKEN_ACCOUNT_KEY);
+}
+
+export async function clearSession(): Promise<void> {
+  await Promise.all([
+    SecureStore.deleteItemAsync(ADDRESS_KEY),
+    SecureStore.deleteItemAsync(USER_ID_KEY),
+    SecureStore.deleteItemAsync(TOKEN_ACCOUNT_KEY),
+  ]);
+}

package/src/mobile/types.ts

@@ -0,0 +1,24 @@
+import type { PasskeySigningResult, PasskeyMetadata } from '@thru/passkey-manager';
+
+export type { PasskeySigningResult, PasskeyMetadata } from '@thru/passkey-manager';
+
+export interface PasskeyMobileConfig {
+  rpId?: string;
+  rpName?: string;
+}
+
+export interface PasskeyRegistrationResult {
+  credentialId: string;
+  publicKeyX: Uint8Array;
+  publicKeyY: Uint8Array;
+  rpId: string;
+}
+
+export interface DiscoverablePasskeyResult {
+  credentialId: string;
+  rpId: string;
+}
+
+export interface StoredPasskeySigningResult extends PasskeySigningResult {
+  passkey: PasskeyMetadata;
+}

package/src/popup-entry.ts

@@ -0,0 +1,33 @@
+export type {
+  PasskeyPopupAction,
+  PasskeyPopupGetRequestPayload,
+  PasskeyPopupCreateRequestPayload,
+  PasskeyPopupGetStoredRequestPayload,
+  PasskeyPopupRequestPayload,
+  PasskeyPopupRequest,
+  PasskeyPopupSigningResult,
+  PasskeyPopupStoredPasskey,
+  PasskeyPopupStoredSigningResult,
+  PasskeyPopupRegistrationResult,
+  PasskeyPopupResponse,
+  PasskeyPopupContext,
+  PasskeyPopupAccount,
+} from './types';
+
+export {
+  PASSKEY_POPUP_PATH,
+  PASSKEY_POPUP_READY_EVENT,
+  PASSKEY_POPUP_REQUEST_EVENT,
+  PASSKEY_POPUP_RESPONSE_EVENT,
+  PASSKEY_POPUP_CHANNEL,
+  openPasskeyPopupWindow,
+  closePopup,
+  requestPasskeyPopup,
+} from './popup';
+
+export {
+  toPopupSigningResult,
+  buildSuccessResponse,
+  decodeChallenge,
+  getResponseError,
+} from './popup-service';

package/src/popup-service.ts

@@ -1,24 +1,13 @@
 import type {
   PasskeyPopupAction,
-  PasskeyPopupAccount,
-  PasskeyPopupContext,
   PasskeyPopupResponse,
   PasskeyPopupSigningResult,
-  PasskeyPopupStoredPasskey,
-  PasskeyPopupStoredSigningResult,
-  PasskeyMetadata,
   PasskeySigningResult,
 } from './types';
 import {
   PASSKEY_POPUP_RESPONSE_EVENT,
 } from './popup';
 import { bytesToBase64Url, base64UrlToBytes } from '@thru/passkey-manager';
-import { signWithPasskey, signWithDiscoverablePasskey } from './sign';
-
-type PasskeySignResult =
-  | Awaited<ReturnType<typeof signWithDiscoverablePasskey>>
-  | Awaited<ReturnType<typeof signWithPasskey>>;
-
 export function toPopupSigningResult(result: PasskeySigningResult): PasskeyPopupSigningResult {
   return {
     signatureBase64Url: bytesToBase64Url(result.signature),
@@ -47,23 +36,6 @@ export function decodeChallenge(base64Url: string): Uint8Array {
   return base64UrlToBytes(base64Url);
 }
 
-export function getPopupDisplayInfo(context?: PasskeyPopupContext): {
-  name: string;
-  url?: string;
-  imageUrl?: string;
-  logoText: string;
-} {
-  const name = context?.appName || context?.origin || 'A dApp';
-  const url = context?.appUrl || context?.origin;
-  const logoText = name.charAt(0).toUpperCase() || 'A';
-  return {
-    name,
-    url,
-    imageUrl: context?.imageUrl,
-    logoText,
-  };
-}
-
 export function getResponseError(action: PasskeyPopupAction, error: unknown): { name?: string; message: string } {
   const { name, message } = normalizeError(error);
   const actionLabel = `Popup ${action}`;
@@ -76,72 +48,6 @@ export function getResponseError(action: PasskeyPopupAction, error: unknown): {
     message: detailedMessage,
   };
 }
-
-export async function signWithPreferredPasskey(
-  preferredPasskey: PasskeyMetadata | null,
-  challenge: Uint8Array,
-  log?: (message: string) => void
-): Promise<{ result: PasskeySignResult; credentialId: string; rpId: string }> {
-  const resolvedRpId = preferredPasskey?.rpId ?? window.location.hostname;
-
-  if (preferredPasskey?.credentialId && preferredPasskey.rpId) {
-    try {
-      const storedResult = await signWithPasskey(
-        preferredPasskey.credentialId,
-        challenge,
-        preferredPasskey.rpId
-      );
-      return {
-        result: storedResult,
-        credentialId: preferredPasskey.credentialId,
-        rpId: preferredPasskey.rpId,
-      };
-    } catch (error) {
-      if (!shouldFallbackToDiscoverable(error)) {
-        throw error;
-      }
-      if (log) {
-        log('stored passkey failed; falling back to discoverable prompt');
-      }
-    }
-  }
-
-  const discovered = await signWithDiscoverablePasskey(challenge, resolvedRpId);
-  return {
-    result: discovered,
-    credentialId: discovered.credentialId,
-    rpId: resolvedRpId,
-  };
-}
-
-export function buildStoredPasskeyResult(
-  signed: { result: PasskeySignResult; credentialId: string; rpId: string },
-  preferredPasskey: PasskeyMetadata | null,
-  profiles: Array<{ passkey: PasskeyMetadata | null }>,
-  accounts: PasskeyPopupAccount[]
-): PasskeyPopupStoredSigningResult {
-  const now = new Date().toISOString();
-  const matchingPasskey =
-    profiles.find((profile) => profile.passkey?.credentialId === signed.credentialId)?.passkey ??
-    null;
-
-  const passkey: PasskeyPopupStoredPasskey = (matchingPasskey ?? {
-    credentialId: signed.credentialId,
-    publicKeyX: '',
-    publicKeyY: '',
-    rpId: signed.rpId,
-    label: preferredPasskey?.label,
-    createdAt: now,
-    lastUsedAt: now,
-  }) as PasskeyPopupStoredPasskey;
-
-  return {
-    ...toPopupSigningResult(signed.result),
-    passkey: matchingPasskey ? { ...passkey, lastUsedAt: now } : passkey,
-    accounts,
-  };
-}
-
 function normalizeError(error: unknown): { name?: string; message?: string; normalized: string } {
   const name =
     error && typeof error === 'object' && 'name' in error
@@ -157,12 +63,3 @@ function normalizeError(error: unknown): { name?: string; message?: string; norm
     normalized: `${name} ${message}`.toLowerCase(),
   };
 }
-
-function shouldFallbackToDiscoverable(error: unknown): boolean {
-  const normalized = normalizeError(error).normalized;
-  return (
-    normalized.includes('notfounderror') ||
-    normalized.includes('notallowederror') ||
-    normalized.includes('securityerror')
-  );
-}

package/src/server/challenge.ts

@@ -0,0 +1,26 @@
+import {
+  bytesToBase64Url,
+  createValidateChallenge,
+  fetchWalletNonce,
+} from '@thru/passkey-manager';
+import type { AccountContext } from '@thru/passkey-manager';
+import type { PasskeyChallengeResult, ThruClient } from './types';
+
+export async function createPasskeyChallenge(opts: {
+  client: ThruClient;
+  walletAddress: string;
+  accountCtx: AccountContext;
+  invokeIx: Uint8Array;
+}): Promise<PasskeyChallengeResult> {
+  const nonce = await fetchWalletNonce(opts.client, opts.walletAddress);
+  const challenge = await createValidateChallenge(
+    nonce,
+    opts.accountCtx.accountAddresses,
+    opts.invokeIx
+  );
+
+  return {
+    challenge: bytesToBase64Url(challenge),
+    nonce: nonce.toString(),
+  };
+}

package/src/server/create-wallet.ts

@@ -0,0 +1,149 @@
+import {
+  PASSKEY_MANAGER_PROGRAM_ADDRESS,
+  base64UrlToBytes,
+  buildAccountContext,
+  createCredentialLookupSeed,
+  createWalletSeed,
+  deriveCredentialLookupAddress,
+  deriveWalletAddress,
+  encodeCreateInstruction,
+  encodeRegisterCredentialInstruction,
+} from '@thru/passkey-manager';
+import { toThruAddress, getStateProof, trackTransaction } from './utils';
+import type { ThruClient } from './types';
+
+export async function createPasskeyWallet(opts: {
+  client: ThruClient;
+  adminPublicKey: Uint8Array;
+  adminPrivateKey: string;
+  adminAddress: string;
+  pubkeyX: Uint8Array;
+  pubkeyY: Uint8Array;
+  credentialId?: string;
+  walletName?: string;
+}): Promise<{ walletAddress: string; credentialLookupAddress?: string }> {
+  const walletName = opts.walletName ?? 'default';
+  const seed = await createWalletSeed(walletName, opts.pubkeyX, opts.pubkeyY);
+  const walletBytes = await deriveWalletAddress(seed, PASSKEY_MANAGER_PROGRAM_ADDRESS);
+  const walletAddress = toThruAddress(walletBytes);
+
+  let walletExists = false;
+  try {
+    await opts.client.accounts.get(walletAddress);
+    walletExists = true;
+  } catch {
+    walletExists = false;
+  }
+
+  if (!walletExists) {
+    const stateProof = await getStateProof(opts.client, walletAddress);
+    const accountCtx = buildAccountContext({
+      walletAddress,
+      readWriteAccounts: [],
+      readOnlyAccounts: [],
+      feePayerAddress: opts.adminAddress,
+      programAddress: PASSKEY_MANAGER_PROGRAM_ADDRESS,
+    });
+
+    const createIx = encodeCreateInstruction({
+      walletAccountIdx: accountCtx.walletAccountIdx,
+      authority: {
+        tag: 1,
+        pubkeyX: opts.pubkeyX,
+        pubkeyY: opts.pubkeyY,
+      },
+      seed,
+      stateProof,
+    });
+
+    const transaction = await opts.client.transactions.build({
+      feePayer: { publicKey: opts.adminPublicKey },
+      program: PASSKEY_MANAGER_PROGRAM_ADDRESS,
+      instructionData: createIx,
+      accounts: {
+        readWrite: [walletAddress],
+        readOnly: [],
+      },
+      header: { fee: 0n },
+    });
+
+    await transaction.sign(opts.adminPrivateKey);
+    const signature = await opts.client.transactions.send(transaction.toWire());
+    const result = await trackTransaction(opts.client, signature, 60000);
+    if (result.status !== 'finalized') {
+      throw new Error(
+        `Wallet creation failed with error code: ${result.errorCode ?? 'unknown'}`
+      );
+    }
+  }
+
+  let credentialLookupAddress: string | undefined;
+  if (opts.credentialId) {
+    const credentialIdBytes = base64UrlToBytes(opts.credentialId);
+    const lookupAddressBytes = await deriveCredentialLookupAddress(
+      credentialIdBytes,
+      walletName,
+      PASSKEY_MANAGER_PROGRAM_ADDRESS
+    );
+
+    credentialLookupAddress = toThruAddress(lookupAddressBytes);
+
+    let lookupExists = false;
+    try {
+      await opts.client.accounts.get(credentialLookupAddress);
+      lookupExists = true;
+    } catch {
+      lookupExists = false;
+    }
+
+    if (!lookupExists) {
+      try {
+        const credSeed = await createCredentialLookupSeed(credentialIdBytes, walletName);
+        const stateProof = await getStateProof(opts.client, credentialLookupAddress);
+        const accountCtx = buildAccountContext({
+          walletAddress,
+          readWriteAccounts: [lookupAddressBytes],
+          readOnlyAccounts: [],
+          feePayerAddress: opts.adminAddress,
+          programAddress: PASSKEY_MANAGER_PROGRAM_ADDRESS,
+        });
+
+        const registerIx = encodeRegisterCredentialInstruction({
+          walletAccountIdx: accountCtx.walletAccountIdx,
+          lookupAccountIdx: accountCtx.getAccountIndex(lookupAddressBytes),
+          seed: credSeed,
+          stateProof,
+        });
+
+        const transaction = await opts.client.transactions.build({
+          feePayer: { publicKey: opts.adminPublicKey },
+          program: PASSKEY_MANAGER_PROGRAM_ADDRESS,
+          instructionData: registerIx,
+          accounts: {
+            readWrite: [walletAddress, credentialLookupAddress],
+            readOnly: [],
+          },
+          header: { fee: 0n },
+        });
+
+        await transaction.sign(opts.adminPrivateKey);
+        const signature = await opts.client.transactions.send(transaction.toWire());
+        const result = await trackTransaction(opts.client, signature, 60000);
+        if (result.status !== 'finalized') {
+          throw new Error(
+            `Credential registration failed with status: ${result.status}${
+              result.errorCode !== undefined ? ` (error code: ${result.errorCode})` : ''
+            }`
+          );
+        }
+      } catch (error) {
+        console.warn('Credential registration failed (non-fatal):', error);
+      }
+    }
+  }
+
+  return {
+    walletAddress,
+    credentialLookupAddress,
+  };
+}