npm - @tomo-inc/cubist-wallet-sdk - Versions diffs - 0.0.5 → 0.0.7 - Mend

@tomo-inc/cubist-wallet-sdk 0.0.5 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1271 @@
+'use strict';
+var walletUtils = require('@tomo-inc/wallet-utils');
+var cubesignerSdk = require('@cubist-labs/cubesigner-sdk');
+var cubistSigSdk = require('@tomo-inc/cubist-sig-sdk');
+var axios = require('axios');
+var CryptoJS = require('crypto-js');
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+var axios__default = /*#__PURE__*/_interopDefault(axios);
+var CryptoJS__default = /*#__PURE__*/_interopDefault(CryptoJS);
+// src/cube-account.ts
+// src/const.ts
+var SEED_PHRASE_EXPORT_DURATION = 48;
+var EXPORT_TIME_FORMAT = "yyyy-MM-dd hh:mm:ss";
+var OIDC_TOKEN_LIFETIME = 30 * 24 * 60 * 60;
+var CUBE_LIFETIME = {
+  auth: OIDC_TOKEN_LIFETIME,
+  refresh: OIDC_TOKEN_LIFETIME * 2
+};
+var CUBE_SCOPES = [
+  "sign:*",
+  "export:*",
+  "manage:session:extend",
+  "manage:mfa:*",
+  "manage:mfa:register:email",
+  "manage:mfa:register:fido",
+  "manage:mfa:unregister:fido",
+  "manage:mfa:register:totp",
+  "manage:mfa:unregister:totp",
+  "manage:export:user:delete",
+  "manage:export:user:list"
+];
+var EXPORT_KEY_PREFIX = "Key#Mnemonic_";
+var ISS_MAP = {
+  "https://accounts.google.com": "google",
+  "https://shim.oauth2.cubist.dev/twitter": "x"
+};
+var CUBE_SALTS = {
+  prod: "xnPWRJT5XG2WyevuydMjMpZq",
+  pre: "xnPWRJT5XG2WyevuydMjMpZq",
+  dev: "dev@tomo"
+};
+var getMfaInfoConfig = (cubeStage) => {
+  const lastTime = cubeStage === "prod" ? 172800 : 300;
+  const AllowedMfaTypes = {
+    Login: ["Fido", "EmailOtp", "Totp"],
+    RegisterMfa: ["Fido", `EmailOtp#${lastTime}`, "Totp"],
+    Export: ["Fido", "Totp"]
+  };
+  const MfaRequestConfig = {
+    createSession: {
+      method: "POST",
+      path: "/session/",
+      _allowed_mfa_types: AllowedMfaTypes.Login
+    },
+    addFido: {
+      method: "POST",
+      path: "/user/me/fido/",
+      _allowed_mfa_types: AllowedMfaTypes.RegisterMfa
+    },
+    deleteFido: {
+      method: "DELETE",
+      path: "/user/me/fido/",
+      _allowed_mfa_types: AllowedMfaTypes.RegisterMfa
+    },
+    registerTotp: {
+      method: "POST",
+      path: "/user/me/totp/",
+      _allowed_mfa_types: AllowedMfaTypes.RegisterMfa
+    },
+    deleteTotp: {
+      method: "DELETE",
+      path: "/user/me/totp/",
+      _allowed_mfa_types: AllowedMfaTypes.RegisterMfa
+    },
+    registerEmailOtp: {
+      method: "POST",
+      path: "/user/me/email/",
+      _allowed_mfa_types: AllowedMfaTypes.RegisterMfa
+    },
+    initExport: {
+      method: "POST",
+      path: "/user/me/export/",
+      _allowed_mfa_types: AllowedMfaTypes.Export
+    },
+    completeExport: {
+      method: "PATCH",
+      path: "/user/me/export/",
+      _allowed_mfa_types: AllowedMfaTypes.Export
+    }
+  };
+  return MfaRequestConfig;
+};
+// src/cube-export.ts
+var CubeExportService = class _CubeExportService {
+  constructor() {
+    this.seedPhraseKey = "";
+    this.cubeAccountService = null;
+    this.cubeSignerClient = null;
+    this.exportKey = null;
+    cubesignerSdk.userExportKeygen().then((key) => {
+      this.exportKey = key;
+    });
+  }
+  static getInstance() {
+    if (!_CubeExportService.instance) {
+      _CubeExportService.instance = new _CubeExportService();
+    }
+    return _CubeExportService.instance;
+  }
+  init(cubeAccountService) {
+    this.cubeAccountService = cubeAccountService;
+    this.cubeSignerClient = cubeAccountService.cubeSignerClient;
+    return this;
+  }
+  async getExportKey() {
+    if (this.seedPhraseKey) {
+      return this.seedPhraseKey;
+    }
+    const sessionKeys = await this.cubeSignerClient?.sessionKeys() || [];
+    const key = sessionKeys.find((key2) => key2?.id.indexOf(EXPORT_KEY_PREFIX) === 0);
+    this.seedPhraseKey = key?.id || "";
+    return this.seedPhraseKey;
+  }
+  async getExportInfo() {
+    if (!this.cubeSignerClient) {
+      return null;
+    }
+    const keyId = await this.getExportKey();
+    const exports$1 = this.cubeSignerClient?.org()?.exports(keyId);
+    const exportData = await exports$1?.fetch();
+    if (exportData?.length === 0) {
+      return { ready: true };
+    }
+    const { valid_epoch = 0, exp_epoch = 0 } = exportData[0];
+    let lastTime = valid_epoch - Date.now() / 1e3;
+    lastTime = Math.max(Math.ceil(lastTime), 0);
+    const duration = exp_epoch - valid_epoch;
+    return {
+      ready: true,
+      keyId,
+      lastTime,
+      duration,
+      valid_epoch,
+      exp_epoch
+    };
+  }
+  async initExport(receipt) {
+    if (!this.cubeSignerClient || !this.cubeAccountService) {
+      throw new Error("cubeSignerClient is not initialized");
+    }
+    const keyId = await this.getExportKey();
+    const initExportResp = await this.cubeSignerClient.org().initExport(keyId, receipt);
+    if (initExportResp.requiresMfa()) {
+      return await this.cubeAccountService?.cubeMfaService?.getMfaInfo("initExport") || null;
+    }
+    return initExportResp.data();
+  }
+  async completeExport(receipt) {
+    if (!this.cubeSignerClient || !this.cubeAccountService) {
+      throw new Error("cubeSignerClient is not initialized");
+    }
+    const keyId = await this.getExportKey();
+    const exportResp = await this.cubeSignerClient.org().completeExport(keyId, this.exportKey.publicKey, receipt);
+    if (exportResp.requiresMfa()) {
+      return await this.cubeAccountService?.cubeMfaService?.getMfaInfo("completeExport") || null;
+    }
+    const encryptedData = exportResp.data();
+    const seedPhrase = await cubesignerSdk.userExportDecrypt(this.exportKey.privateKey, encryptedData);
+    return seedPhrase;
+  }
+  async deleteExport() {
+    if (!this.cubeSignerClient || !this.cubeAccountService) {
+      throw new Error("cubeSignerClient is not initialized");
+    }
+    try {
+      const keyId = await this.getExportKey();
+      const res = await this.cubeSignerClient.org().deleteExport(keyId);
+      return {
+        success: true,
+        data: res
+      };
+    } catch (error) {
+      return {
+        success: false,
+        message: error?.message || "delete export error",
+        error
+      };
+    }
+  }
+};
+var RELAY_NAME = "passkey-relay";
+var SENDER_NAME = "cubist-sdk";
+var passkeyRelayWindow = null;
+var openWindow = ({ url, name, width, height }) => {
+  const RN = window.ReactNativeWebView;
+  if (RN) {
+    const message = {
+      url,
+      name
+    };
+    RN.postMessage(
+      JSON.stringify({
+        type: "OPEN_PASSKEY_RELAY",
+        message
+      })
+    );
+    return {
+      closed: false,
+      postMessage: (message2) => {
+        RN.postMessage(
+          JSON.stringify({
+            type: "PASSKEY_RELAY_MESSAGE",
+            message: message2
+          })
+        );
+      }
+    };
+  }
+  const top = (window.innerHeight - (height)) / 2 + window.screenY;
+  const left = (window.innerWidth - (width)) / 2 + window.screenX;
+  try {
+    const relyWindow = window.open(
+      url,
+      name,
+      `dialog=yes,top=${top}px,left=${left},width=${width !== void 0 ? width : 400}px,height=${height !== void 0 ? height : 600}px`
+    );
+    if (!relyWindow) {
+      return null;
+    }
+    return relyWindow;
+  } catch (error) {
+    console.error("Failed to open window:", error);
+    return null;
+  }
+};
+var closeWindow = () => {
+  try {
+    if (passkeyRelayWindow && !passkeyRelayWindow.closed) {
+      passkeyRelayWindow.close();
+    }
+  } catch (error) {
+    console.error("Failed to close window:", error);
+  } finally {
+    passkeyRelayWindow = null;
+  }
+};
+var sendPasskeyMessage = async (message, tomoStage) => {
+  if (passkeyRelayWindow === null) {
+    throw new Error("Failed to open relay window");
+  }
+  const origin = walletUtils.RelayOrigins[tomoStage] || walletUtils.RelayOrigins["dev"];
+  passkeyRelayWindow.postMessage({ ...message, from: SENDER_NAME }, origin);
+};
+var initPasskeyPage = async (config) => {
+  return new Promise((resolve, reject) => {
+    config = config || walletUtils.cache.get("cubeConfig");
+    if (!config.oidcToken || !config.tomoClientId) {
+      reject({ message: "oidcToken/tomoClientId is required" });
+      return;
+    }
+    const PASSKEY_ORIGIN = walletUtils.RelayOrigins[config.tomoStage];
+    if (!PASSKEY_ORIGIN) {
+      reject({ message: "tomoStage must be dev/pre/prod." });
+      return;
+    }
+    passkeyRelayWindow = openWindow({
+      url: `${PASSKEY_ORIGIN}/passkey?origin=${window.location.origin}`,
+      name: "relay-passkey",
+      width: 400,
+      height: 600
+    });
+    const handleMessage = (event) => {
+      const { type, data, from, error } = event.data;
+      if (type === "passkey-relay-loaded" && from === RELAY_NAME) {
+        sendPasskeyMessage({ type: "init", params: config }, config.tomoStage);
+      }
+      if (type === "passkey-relay-init" && from === RELAY_NAME) {
+        window.removeEventListener("message", handleMessage);
+        resolve(data);
+      }
+    };
+    window.addEventListener("message", handleMessage);
+  });
+};
+var addPasskey = async (params, config) => {
+  if (!passkeyRelayWindow) {
+    await initPasskeyPage(config);
+  }
+  return new Promise((resolve, reject) => {
+    const handleMessage = (event) => {
+      const { type, data, from, error } = event.data;
+      if (type === "passkey-relay-addFido" && from === RELAY_NAME) {
+        window.removeEventListener("message", handleMessage);
+        resolve(data);
+      }
+    };
+    window.addEventListener("message", handleMessage);
+    sendPasskeyMessage({ type: "addFido", params }, config.tomoStage);
+  });
+};
+var verifyPasskey = async (params, config) => {
+  if (!passkeyRelayWindow) {
+    await initPasskeyPage(config);
+  }
+  return new Promise((resolve, reject) => {
+    const handleMessage = (event) => {
+      const { type, data: receipt, from, error } = event.data;
+      if (type === "passkey-relay-verify" && from === RELAY_NAME) {
+        window.removeEventListener("message", handleMessage);
+        resolve(receipt);
+      }
+    };
+    window.addEventListener("message", handleMessage);
+    sendPasskeyMessage({ type: "verify", params }, config.tomoStage);
+  });
+};
+// src/utils.ts
+var applyLocalDevFixes = (type, challenge, { userId, rpId, fidoName }) => {
+  rpId = rpId || window.location.hostname;
+  const { host, protocol } = window.location;
+  const isNotHttp = protocol !== "https:" && protocol !== "http:";
+  const isLocal = host.indexOf("localhost:") === 0;
+  challenge.options = challenge?.options || {};
+  challenge.options.rp = challenge.options.rp || {};
+  challenge.options.rp.id = rpId;
+  challenge.options.rpId = rpId;
+  if (isNotHttp || isLocal) {
+    if (challenge?.options?.rp?.id) {
+      delete challenge.options.rp.id;
+    }
+    if (challenge?.options?.rpId) {
+      delete challenge.options.rpId;
+    }
+  }
+  challenge.options.timeout = 6e4;
+  challenge.options.attestation = "none";
+  const user = challenge.options?.user || {};
+  if (type === "add") {
+    user.id = user.id || new TextEncoder().encode(userId);
+    user.name = fidoName;
+    user.displayName = fidoName;
+  }
+  challenge.options.user = user;
+  return challenge;
+};
+// src/cube-mfa.ts
+var CubeMfaService = class _CubeMfaService {
+  constructor() {
+    this.mfaType = "fido";
+    this.cubeAccountService = null;
+    this.cubeSignerClient = null;
+    this.apiClient = null;
+    this.mfaAnswer = null;
+    this.mfaChallenge = null;
+    this.registerChallenge = null;
+  }
+  static getInstance() {
+    if (!_CubeMfaService.instance) {
+      _CubeMfaService.instance = new _CubeMfaService();
+    }
+    return _CubeMfaService.instance;
+  }
+  init(cubeAccountService) {
+    this.cubeSignerClient = cubeAccountService.cubeSignerClient;
+    this.apiClient = cubeAccountService.apiClient;
+    this.cubeAccountService = cubeAccountService;
+    return this;
+  }
+  setMfaType(mfaType) {
+    if (!mfaType) {
+      throw new Error("mfaType is required");
+    }
+    this.mfaType = mfaType;
+  }
+  setMfaAnswer(mfaAnswer) {
+    this.mfaAnswer = mfaAnswer;
+  }
+  async getMfaInfo(bizType) {
+    if (!bizType) {
+      throw new Error("mfaRequestType is required");
+    }
+    const MfaInfoConfig = getMfaInfoConfig(this.cubeAccountService?.config?.cubeStage || "gamma");
+    const config = MfaInfoConfig[bizType];
+    if (!config) {
+      throw new Error("mfaRequestType is not supported");
+    }
+    const { method, path } = config;
+    const mfaList = await this.apiClient.mfaList();
+    const mfaInfo = mfaList.find((mfa) => {
+      const _method = mfa?.request.method;
+      const _path = mfa?.request.path + "/";
+      return _method === method && _path.indexOf(path) > -1;
+    });
+    if (!mfaInfo) {
+      return null;
+    }
+    let mfaRequired = null;
+    const allowed_mfa_types = mfaInfo?.status?.allowed_mfa_types || [];
+    for (const type of allowed_mfa_types) {
+      mfaRequired = mfaRequired || {};
+      const types = type.toLowerCase().split("#");
+      mfaRequired[types[0]] = types[1] ? Number(types[1]) : true;
+    }
+    const { receipt, created_at } = mfaInfo;
+    let emailOtpRemainTime = 0;
+    if (typeof mfaRequired.emailOtp === "number") {
+      const remainTime = mfaRequired.emailOtp - (Date.now() / 1e3 - created_at);
+      emailOtpRemainTime = Math.max(0, Math.ceil(remainTime));
+    }
+    if (mfaRequired.emailOtp) {
+      mfaRequired.emailOtpRemainTime = emailOtpRemainTime;
+    }
+    const verifyStatus = receipt !== null ? "approved" : "pending";
+    return { ...mfaInfo, verifyStatus, mfaRequired };
+  }
+  async answerRegister(code) {
+    const challenge = this.registerChallenge;
+    if (!challenge) {
+      throw new Error("challenge is required");
+    }
+    try {
+      const receipt = await challenge.answer(code) || null;
+      this.registerChallenge = null;
+      return {
+        success: true,
+        data: receipt
+      };
+    } catch (error) {
+      return {
+        success: false,
+        message: error?.message || "answer error",
+        error
+      };
+    }
+  }
+  async executeBizWithMfa(bizType, mfaInfo) {
+    if (!bizType) {
+      throw new Error("bizType is required");
+    }
+    if (!mfaInfo) {
+      mfaInfo = await this.getMfaInfo(bizType) || null;
+    }
+    if (!mfaInfo?.id) {
+      throw new Error("mfa not exists, please create mfa first");
+    }
+    const { success, data: receipt } = await this.approvalMfa(mfaInfo?.id || "") || {};
+    if (!success) {
+      return {
+        success: false,
+        message: `approval with ${this.mfaType} error.`
+      };
+    }
+    if (bizType === "createSession") {
+      const result = await this.cubeAccountService?.createSession(receipt);
+      return {
+        success: !!result,
+        message: !result ? "create session error" : "",
+        data: result
+      };
+    }
+    if (bizType === "addFido") {
+      const name = mfaInfo.request?.body?.name;
+      const res = await this.addFido(name, receipt);
+      return {
+        success: !!res,
+        message: !res ? "addFido error" : "",
+        data: res
+      };
+    }
+    if (bizType === "deleteFido") {
+      const path = mfaInfo?.request?.path || "";
+      const fidoId = path.split("/user/me/fido/")[1] || "";
+      if (!fidoId) {
+        throw new Error("fidoId is required");
+      }
+      const res = await this.deleteFido(decodeURIComponent(fidoId), receipt);
+      return {
+        success: !!res,
+        message: !res ? "deleteFido error" : "",
+        data: res
+      };
+    }
+    if (bizType === "registerTotp") {
+      const issuer = mfaInfo.request?.body?.issuer;
+      const res = await this.registerTotp(issuer, receipt);
+      return {
+        success: !!res,
+        message: !res ? "registerTotp error" : "",
+        data: res
+      };
+    }
+    if (bizType === "deleteTotp") {
+      const res = await this.deleteTotp(receipt);
+      return {
+        success: !!res,
+        message: !res ? "deleteTotp error" : "",
+        data: res
+      };
+    }
+    if (bizType === "registerEmailOtp") {
+      const email = mfaInfo.request?.body?.email;
+      const res = await this.registerEmailOtp(email, receipt);
+      return {
+        success: !!res,
+        message: !res ? "registerEmailOtp error" : "",
+        data: res
+      };
+    }
+    const cubeExportService = this.cubeAccountService?.cubeExportService;
+    if (bizType === "initExport") {
+      const res = await cubeExportService?.initExport(receipt);
+      return {
+        success: !!res,
+        message: !res ? "init export error" : "",
+        data: res
+      };
+    }
+    if (bizType === "completeExport") {
+      const res = await cubeExportService?.completeExport(receipt);
+      return {
+        success: !!res,
+        message: !res ? "complete export error" : "",
+        data: res
+      };
+    }
+    return {
+      success: false,
+      message: "bizType is not supported"
+    };
+  }
+  async approvalMfa(mfaId) {
+    const apis = {
+      totp: "approvalTotp",
+      emailOtp: "approvalEmailOtp",
+      fido: "approvalFido"
+    };
+    const mfaType = this.mfaType;
+    if (!mfaType || !apis[mfaType]) {
+      return {
+        success: false,
+        message: "mfaType is required"
+      };
+    }
+    let receipt = null;
+    try {
+      switch (mfaType) {
+        case "totp":
+          receipt = await this.approvalTotp(mfaId);
+          break;
+        case "emailOtp":
+          receipt = await this.approvalEmailOtp(mfaId);
+          break;
+        case "fido":
+          receipt = await this.approvalFido(mfaId);
+          break;
+        default:
+          return {
+            success: false,
+            message: "Unsupported MFA type"
+          };
+      }
+    } catch (error) {
+      return {
+        success: false,
+        message: `approval ${mfaType} error: ${error instanceof Error ? error.message : "Unknown error"}`
+      };
+    }
+    if (!receipt) {
+      return {
+        success: false,
+        message: `approval ${mfaType} error.`
+      };
+    }
+    return {
+      success: true,
+      data: receipt
+    };
+  }
+  getPasskeyConfig() {
+    const { config } = this.cubeAccountService || {};
+    delete config?.cubeSalt;
+    delete config?.jwtToken;
+    return config;
+  }
+  passkeyClear() {
+    closeWindow();
+  }
+  async addFido(fidoName, receipt) {
+    const config = this.getPasskeyConfig();
+    return await addPasskey({ fidoName, receipt }, config);
+  }
+  async addFidoLocal(fidoName, receipt) {
+    if (!fidoName || typeof fidoName !== "string") {
+      throw new Error("name is required");
+    }
+    try {
+      const mfaConfig = await this.cubeAccountService?.getMfaConfig();
+      const fidos = mfaConfig?.fido?.data || [];
+      const existingFido = fidos.find((fido) => fido?.name === fidoName);
+      if (existingFido) {
+        throw new Error(`FIDO key with name "${fidoName}" already exists`);
+      }
+      const cubeSignerClient = this.cubeSignerClient;
+      const addFidoResp = await cubeSignerClient?.addFido(fidoName, receipt);
+      if (addFidoResp.requiresMfa()) {
+        return await this.getMfaInfo("addFido");
+      }
+      const config = {
+        userId: mfaConfig?.account?.userId,
+        rpId: this.cubeAccountService?.config?.rpId || window.location.hostname,
+        fidoName
+      };
+      const challenge = applyLocalDevFixes("add", addFidoResp.data(), config);
+      await challenge.createCredentialAndAnswer();
+      return true;
+    } catch (error) {
+      console.error("addFido error", error);
+      return false;
+    }
+  }
+  async deleteFido(fidoId, receipt) {
+    try {
+      const cubeSignerClient = this.cubeSignerClient;
+      const deleteFidoResp = await cubeSignerClient?.deleteFido(fidoId, receipt);
+      if (deleteFidoResp.requiresMfa()) {
+        return await this.getMfaInfo("deleteFido");
+      }
+      return deleteFidoResp.data();
+    } catch (error) {
+      return null;
+    }
+  }
+  async approvalFido(mfaId) {
+    const config = this.getPasskeyConfig();
+    const receipt = await verifyPasskey({ mfaId }, config);
+    return receipt;
+  }
+  async approvalFidoLocal(mfaId) {
+    const apiClient = this.apiClient;
+    const mfaConfig = await this.cubeAccountService?.getMfaConfig();
+    let challenge = await apiClient.mfaFidoInit(mfaId);
+    const config = {
+      userId: mfaConfig?.account?.userId,
+      rpId: this.cubeAccountService?.config?.rpId || window.location.hostname,
+      fidoName: ""
+    };
+    challenge = applyLocalDevFixes("approval", challenge, config);
+    const mfa = await challenge.createCredentialAndAnswer("approve");
+    const receipt = await mfa.receipt();
+    return receipt;
+  }
+  async registerTotp(issuer, receipt) {
+    if (issuer === "") {
+      throw new Error("issuer are required");
+    }
+    const totpResp = await this.apiClient.userTotpResetInit(issuer, receipt);
+    if (totpResp.requiresMfa()) {
+      return await this.getMfaInfo("registerTotp");
+    }
+    const challenge = totpResp.data();
+    this.registerChallenge = challenge;
+    const searchParams = new URL(challenge?.url).searchParams;
+    const totpInfo = {
+      id: challenge?.id,
+      url: challenge?.url,
+      secret: searchParams.get("secret") || "",
+      issuer: searchParams.get("issuer") || issuer
+    };
+    return totpInfo;
+  }
+  async deleteTotp(receipt) {
+    const deleteTotpResp = await this.apiClient.userTotpDelete(receipt);
+    if (deleteTotpResp.requiresMfa()) {
+      return await this.getMfaInfo("deleteTotp");
+    }
+    return deleteTotpResp.data();
+  }
+  async approvalTotp(mfaId) {
+    if (!mfaId) {
+      throw new Error("MFA ID not found");
+    }
+    const totpCode = this.mfaAnswer?.totpCode;
+    if (!totpCode || !/^\d{6}$/.test(totpCode)) {
+      console.error("TOTP code is required");
+      throw new Error("TOTP code is required");
+    }
+    const mfa = await this.apiClient.mfaVoteTotp(mfaId, totpCode, "approve");
+    const mfaOrgId = this.cubeSignerClient?.org()?.id || this.cubeAccountService?.cubeOrgId || "";
+    const receipt = {
+      mfaId: mfa.id,
+      mfaConf: mfa?.receipt?.confirmation,
+      mfaOrgId
+    };
+    return receipt;
+  }
+  async registerEmailOtp(email, receipt) {
+    if (!email || !walletUtils.isEmail(email)) {
+      throw new Error("email is required");
+    }
+    const cubeSignerClient = await this.cubeAccountService?.getOidcClient();
+    const apiClient = cubeSignerClient.apiClient;
+    const params = {
+      email,
+      allow_otp_login: true
+    };
+    const registerEmailOtpResp = await apiClient.userEmailResetInit(params, receipt);
+    if (registerEmailOtpResp.requiresMfa()) {
+      return await this.getMfaInfo("registerEmailOtp");
+    }
+    this.registerChallenge = registerEmailOtpResp.data();
+    return this.registerChallenge;
+  }
+  //48hour countdown
+  //mfaVoteEmailComplete
+  async approvalEmailOtp(mfaId) {
+    if (!mfaId) {
+      throw new Error("MFA ID not found");
+    }
+    if (!this.mfaChallenge) {
+      const mfaChallenge = await this.apiClient.mfaVoteEmailInit(mfaId, "approve");
+      this.mfaChallenge = mfaChallenge;
+      return null;
+    }
+    let emailCode = this.mfaAnswer?.emailCode || "";
+    emailCode = emailCode.split(/\s/).join("");
+    if (!emailCode) {
+      throw new Error("emailCode is required");
+    }
+    try {
+      const mfa = await this.mfaChallenge.answer(emailCode);
+      const mfaOrgId = this.cubeSignerClient?.org()?.id || this.cubeAccountService?.cubeOrgId || "";
+      const receipt = {
+        mfaId: mfa.id,
+        mfaConf: mfa?.receipt?.confirmation,
+        mfaOrgId
+      };
+      this.mfaChallenge = null;
+      return receipt;
+    } catch (error) {
+      console.warn("approvalEmailOtp error", error);
+      return null;
+    }
+  }
+  async sendEmailCode(mfaId) {
+    if (!mfaId) {
+      throw new Error("mfaId is required");
+    }
+    try {
+      const mfaChallenge = await this.apiClient.mfaVoteEmailInit(mfaId, "approve");
+      this.mfaChallenge = mfaChallenge;
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+};
+var recoverEVMTxData = (unsignedTx, numberType) => {
+  try {
+    const { data, types } = JSON.parse(unsignedTx);
+    for (const prop in types) {
+      if (types[prop] === "bigint") {
+        data[prop] = BigInt(data[prop]);
+        if (numberType === "string") {
+          data[prop] = data[prop].toString();
+        }
+      }
+    }
+    return data;
+  } catch (error) {
+    throw new Error("Invalid unsigned transaction");
+  }
+};
+var CubeSignService = class _CubeSignService {
+  async init({ cubeSession }) {
+    this.cubeSession = cubeSession;
+    if (!this.services) {
+      this.services = await cubistSigSdk.getKeys(cubeSession);
+    }
+  }
+  static getInstance() {
+    if (!_CubeSignService.instance) {
+      _CubeSignService.instance = new _CubeSignService();
+    }
+    return _CubeSignService.instance;
+  }
+  /**
+   * Get specific services by chainType and address
+   * @param chainType Chain type (EVM, TRON, SOL, DOGE)
+   * @param address Wallet address
+   * @returns The matching services object or null if not found
+   */
+  async getServiceByChainAndAddress(chainType, address) {
+    if (!this.services) {
+      this.services = await cubistSigSdk.getKeys(this.cubeSession);
+    }
+    const keyId = this.buildKeyId(chainType, address);
+    const service = this.services.find((k) => k.id === keyId);
+    if (!service) {
+      console.warn(`service not found for chainType: ${chainType}`);
+      return null;
+    }
+    return service;
+  }
+  /**
+   * Build key ID from chainType and address following the pattern in the services data
+   * @param chainType Chain type
+   * @param address Wallet address
+   * @returns Key ID string
+   */
+  buildKeyId(chainType, address) {
+    switch (chainType) {
+      case walletUtils.ChainTypes.EVM:
+        return `Key#${address}`;
+      case walletUtils.ChainTypes.TRON:
+        return `Key#Tron_${address}`;
+      case walletUtils.ChainTypes.SOL:
+        return `Key#Solana_${address}`;
+      case walletUtils.ChainTypes.DOGE:
+        return `Key#Doge_${address}`;
+      default:
+        return `Key#${address}`;
+    }
+  }
+  /**
+   * Unified transaction signing method for all supported chains
+   * @param chainType Chain type (EVM, SOL, DOGE, TRON, BTC)
+   * @param address User's wallet address
+   * @param params Signing parameters specific to each chain (always JSON stringified from social account)
+   * @returns Signed transaction
+   */
+  async signTransaction(chainType, address, params) {
+    const sessionInfo = this?.cubeSession;
+    const service = await this.getServiceByChainAndAddress(chainType, address);
+    if (!service) {
+      throw new Error(`service not found for chain ${chainType}`);
+    }
+    const parsedParams = typeof params === "string" ? JSON.parse(params) : params;
+    switch (chainType) {
+      case walletUtils.ChainTypes.EVM: {
+        const transaction = recoverEVMTxData(params, "string");
+        return await cubistSigSdk.signEvmTransaction(service, transaction, transaction.chainId, sessionInfo);
+      }
+      case walletUtils.ChainTypes.SOL: {
+        return await cubistSigSdk.signSolanaTransaction(service, parsedParams.rawTransaction, sessionInfo);
+      }
+      case walletUtils.ChainTypes.DOGE: {
+        return await cubistSigSdk.signDogePsbt(service, parsedParams.psbtBase64, sessionInfo);
+      }
+      case walletUtils.ChainTypes.TRON: {
+        const rawTransaction = parsedParams.data?.rawTransaction || parsedParams.rawTransaction;
+        return await cubistSigSdk.signTronRawTransaction(service, rawTransaction, sessionInfo);
+      }
+      default:
+        throw new Error(`Unsupported chain type: ${chainType}`);
+    }
+  }
+  /**
+   * Unified message signing method for all supported chains
+   * @param chainType Chain type (EVM, SOL, DOGE, TRON)
+   * @param address User's wallet address
+   * @param message Message to be signed
+   * @returns Message signature
+   */
+  async signMessage(chainType, address, message) {
+    const sessionInfo = this?.cubeSession;
+    const service = await this.getServiceByChainAndAddress(chainType, address);
+    if (!service) {
+      throw new Error(`service not found for chain ${chainType}`);
+    }
+    switch (chainType) {
+      case walletUtils.ChainTypes.EVM:
+        return await cubistSigSdk.signEvmMessage(service, message, sessionInfo);
+      case walletUtils.ChainTypes.SOL:
+        return await cubistSigSdk.signSolanaMessage(service, message, sessionInfo);
+      case walletUtils.ChainTypes.DOGE:
+        return (await cubistSigSdk.signDogeMessage(service, message, sessionInfo)).signature;
+      case walletUtils.ChainTypes.TRON:
+        return await cubistSigSdk.signTronMessage(service, message, sessionInfo);
+      default:
+        throw new Error(`Unsupported chain type: ${chainType}`);
+    }
+  }
+  /**
+   * Unified typed data signing method (supports EVM and TRON)
+   * @param chainType Chain type (EVM, TRON)
+   * @param address User's wallet address
+   * @param typedData Typed data to be signed
+   * @returns Typed data signature
+   */
+  async signTypedData(chainType, address, typedData) {
+    const sessionInfo = this?.cubeSession;
+    const service = await this.getServiceByChainAndAddress(chainType, address);
+    if (!service) {
+      throw new Error(`service not found for chain ${chainType}`);
+    }
+    switch (chainType) {
+      case walletUtils.ChainTypes.EVM:
+        return await cubistSigSdk.signEvmTypedData(service, typedData, sessionInfo);
+      case walletUtils.ChainTypes.TRON: {
+        return await cubistSigSdk.signTronTypeDaya(service, typedData.message, sessionInfo);
+      }
+      default:
+        throw new Error(`Unsupported chain type: ${chainType}`);
+    }
+  }
+};
+var generateCubeSignature = async (data, salt) => {
+  if (!salt) {
+    throw new Error("salt is required");
+  }
+  const timestamp = Date.now().toString();
+  const req = {
+    ...data,
+    timestamp
+  };
+  const reqString = JSON.stringify(req);
+  const signature = CryptoJS__default.default.SHA256(reqString + salt).toString();
+  return { timestamp, signature };
+};
+// src/api.ts
+function getTomoApi(config) {
+  const { tomoStage = "dev", tomoClientId, jwtToken } = config;
+  const tomoApi = axios__default.default.create({
+    baseURL: `${walletUtils.TomoApiDomains[tomoStage] || walletUtils.TomoApiDomains.dev}/user`,
+    timeout: 2e4
+  });
+  tomoApi.interceptors.request.use(
+    async (config2) => {
+      config2.headers["client-id"] = tomoClientId;
+      if (jwtToken) {
+        config2.headers["Authorization"] = `Bearer ${jwtToken}`;
+      }
+      return config2;
+    },
+    (error) => {
+      if (error?.response?.status === 401) {
+        return Promise.reject(error);
+      }
+    }
+  );
+  return tomoApi;
+}
+var addUserToCube = async (req, config) => {
+  const { iss, sub } = req;
+  const cubeSalt = config.cubeSalt || "";
+  if (!cubeSalt) {
+    throw new Error("tomoStage error.");
+  }
+  const { timestamp, signature } = await generateCubeSignature({ iss, sub }, cubeSalt);
+  const signedReq = { ...req, timestamp, signature };
+  const tomoApi = getTomoApi(config);
+  const res = await tomoApi.post("/api/login/loginByCubistV2", signedReq);
+  return res?.data?.data || {};
+};
+var updateUserInfo = async (userInfo, config) => {
+  const tomoApi = getTomoApi(config);
+  const res = await tomoApi.post("/api/user/getUserInfo");
+  const userInfoBefore = res?.data?.data.user || {};
+  const nickname = userInfo.nickname.trim();
+  userInfo = { ...userInfoBefore, ...userInfo, nickname, username: nickname };
+  const result = await tomoApi.post("/api/setting/updateUserInfo", userInfo, {
+    headers: {}
+  });
+  return !!result?.data?.success;
+};
+var CubeAccountService = class _CubeAccountService {
+  constructor(config) {
+    this.jwtToken = "";
+    this.accountData = null;
+    this.cubeUserInfo = null;
+    this.cubeIdentity = null;
+    this.cubeSession = null;
+    this.cubeSignerClient = null;
+    this.apiClient = null;
+    this.cubeMfaService = null;
+    this.cubeExportService = null;
+    this.cubeOrgId = "";
+    this.config = config;
+    this.cubeEnv = null;
+  }
+  static getInstance(config) {
+    if (_CubeAccountService.instance) {
+      return _CubeAccountService.instance;
+    }
+    if (!config?.tomoStage || !walletUtils.CubeStages[config?.tomoStage]) {
+      throw new Error("tomoStage not 'dev' or 'pre' or 'prod'");
+    }
+    const cubeSalt = CUBE_SALTS[config?.tomoStage];
+    if (!cubeSalt) {
+      throw new Error("cubeSalt is required");
+    }
+    const cubeStage = walletUtils.CubeStages[config?.tomoStage];
+    const env = cubesignerSdk.envs[cubeStage];
+    const cubeOrgId = walletUtils.CubeOrgIds[config?.tomoStage];
+    _CubeAccountService.instance = new _CubeAccountService({ ...config, cubeSalt, cubeStage });
+    _CubeAccountService.instance.cubeEnv = env;
+    _CubeAccountService.instance.cubeOrgId = cubeOrgId;
+    return _CubeAccountService.instance;
+  }
+  //no api dependency
+  async getCubeIdentity() {
+    const oidcToken = this?.config?.oidcToken;
+    if (!oidcToken) {
+      const cubeIdentityCache = await walletUtils.cache.get("cubeIdentity");
+      if (cubeIdentityCache) {
+        this.cubeIdentity = cubeIdentityCache;
+        return this.cubeIdentity;
+      }
+      console.warn("oidcToken is required");
+      return null;
+    }
+    const cubeOrgId = this.cubeOrgId;
+    const cubeIdentity = await cubistSigSdk.proof(oidcToken, this.cubeEnv, cubeOrgId);
+    await walletUtils.cache.set("cubeIdentity", cubeIdentity, false);
+    this.cubeIdentity = cubeIdentity;
+    return cubeIdentity;
+  }
+  //login + reg new user by wallet-api
+  async loginOrRegister(oidcToken, options) {
+    this.config = { ...this.config, oidcToken };
+    const cubeIdentity = await this.getCubeIdentity();
+    const req = {
+      cubistUserID: cubeIdentity?.user_info?.user_id,
+      aud: cubeIdentity?.aud,
+      email: cubeIdentity?.email || options?.email || null,
+      //must null
+      iss: cubeIdentity?.identity?.iss,
+      sub: cubeIdentity?.identity?.sub,
+      initialized: cubeIdentity?.user_info?.initialized
+    };
+    const accountData = await addUserToCube(req, this.config);
+    const { userToken, user, accountBaseInfo, accountWallet } = accountData;
+    this.accountData = accountData;
+    this.accountWallet = accountWallet;
+    this.jwtToken = userToken.accessToken;
+    return {
+      user: { userId: user.userID, nickname: user.nickname, avatar: user.avatar },
+      accountBaseInfo,
+      accountWallet,
+      walletId: accountWallet?.walletID
+    };
+  }
+  async updateUserInfo(userInfo) {
+    const nickname = userInfo.nickname.trim();
+    if (nickname.length < 6 || nickname.length > 20) {
+      throw new Error("name length 6~20");
+    }
+    const config = { ...this.config, jwtToken: this.jwtToken };
+    const result = await updateUserInfo(userInfo, config);
+    return result;
+  }
+  /*
+  all functions below must after loginOrRegister
+  user only can user cube apis after added by org manager with loginOrRegister
+  cube session = loginOrRegister + cube connected
+  */
+  async createSessionByOidcToken(oidcToken) {
+    oidcToken = oidcToken || this?.config?.oidcToken || "";
+    if (!oidcToken) {
+      console.warn("oidcToken is required");
+      return false;
+    }
+    const scopes = CUBE_SCOPES;
+    const oidcSessionResp = await cubistSigSdk.getOidcResp(oidcToken, this.cubeEnv, this.cubeOrgId, OIDC_TOKEN_LIFETIME, scopes);
+    const cubeSession = oidcSessionResp.data();
+    this.setCubeSession(cubeSession);
+    return !!cubeSession;
+  }
+  //with mfa
+  async createSession(receipt) {
+    const purpose = "wallet_operations";
+    const oidcSessionResp = await this.apiClient.sessionCreateExtended(purpose, CUBE_SCOPES, CUBE_LIFETIME, receipt);
+    if (oidcSessionResp.requiresMfa()) {
+      return await this.cubeMfaService?.getMfaInfo("createSession") || null;
+    }
+    const cubeSession = oidcSessionResp.data();
+    this.setCubeSession(cubeSession);
+    return cubeSession;
+  }
+  async refreshSession() {
+    const purpose = "wallet_operations";
+    const oidcSessionResp = await this.apiClient.sessionCreate(purpose, CUBE_SCOPES, CUBE_LIFETIME);
+    const cubeSession = oidcSessionResp.data();
+    this.setCubeSession(cubeSession);
+    return !!cubeSession;
+  }
+  getCubeSession() {
+    return this.cubeSession;
+  }
+  setCubeSession(cubeSession) {
+    this.cubeSession = cubeSession;
+  }
+  sessionRevoke() {
+    const apiClient = this.apiClient;
+    this.cubeSession = null;
+    apiClient?.sessionRevoke();
+  }
+  async refreshCubeClient(cubeSession) {
+    try {
+      await this.createCubeSignerClient(cubeSession);
+      this.initSubServices();
+    } catch (error) {
+      console.error("refreshCubeClient error", error);
+    }
+  }
+  async createCubeSignerClient(session) {
+    const cubeSignerClient = await cubesignerSdk.CubeSignerClient.create(session);
+    this.cubeSignerClient = cubeSignerClient;
+    this.apiClient = this.cubeSignerClient.apiClient;
+    return cubeSignerClient;
+  }
+  async getOidcClient(receipt) {
+    const oidcToken = this?.config?.oidcToken || "";
+    if (!oidcToken) {
+      console.warn("oidcToken is required");
+      return;
+    }
+    const scopes = CUBE_SCOPES;
+    const cubeSignerClient = await cubistSigSdk.getOidcClient(
+      oidcToken,
+      this.cubeEnv,
+      this.cubeOrgId,
+      OIDC_TOKEN_LIFETIME,
+      scopes,
+      receipt
+    );
+    return cubeSignerClient;
+  }
+  async autoLogin(session) {
+    await this.refreshCubeClient(session);
+    await this.setCubeSession(session);
+  }
+  async init(oidcToken) {
+    oidcToken = oidcToken || this?.config?.oidcToken || "";
+    if (!oidcToken) {
+      console.warn("oidcToken is required");
+      return false;
+    }
+    try {
+      this.config = { ...this.config, oidcToken };
+      const cubeSignerClient = await this.getOidcClient();
+      this.cubeSignerClient = cubeSignerClient;
+      this.apiClient = this.cubeSignerClient.apiClient;
+      const result = await this.createSessionByOidcToken(oidcToken);
+      if (!result) {
+        throw new Error("create session by oidc token failed");
+      }
+      this.initSubServices();
+      return true;
+    } catch (error) {
+      console.error("init error", error);
+      throw error;
+    }
+  }
+  async initSubServices() {
+    const cubeMfaService = CubeMfaService.getInstance();
+    this.cubeMfaService = cubeMfaService.init(this);
+    const cubeExportService = CubeExportService.getInstance();
+    this.cubeExportService = cubeExportService.init(this);
+  }
+  async initCubeSignService() {
+    const cubeSession = this.getCubeSession();
+    const cubeSignService = CubeSignService.getInstance();
+    await cubeSignService.init({ cubeSession });
+    return cubeSignService;
+  }
+  async getCubeUserInfo() {
+    try {
+      const cubeUserInfo = await this.apiClient?.userGet();
+      this.cubeUserInfo = cubeUserInfo;
+      return cubeUserInfo;
+    } catch (error) {
+      return null;
+    }
+  }
+  async getMfaConfig() {
+    const [cubeUserInfo, cubeIdentity] = await Promise.all([
+      this.getCubeUserInfo(),
+      this.getCubeIdentity()
+    ]);
+    const name = cubeUserInfo?.name || cubeIdentity?.preferred_username || "";
+    const iss = cubeIdentity?.identity?.iss || "";
+    const accountType = ISS_MAP?.[iss] || "email";
+    const verifiedEmail = cubeUserInfo?.verified_email?.email || "";
+    const email = cubeUserInfo?.email || "";
+    const emailOtpEnabled = verifiedEmail !== "" || email !== "";
+    const configuredMfa = cubeUserInfo?.mfa || [];
+    const fidos = configuredMfa.filter((item) => item.type === "fido");
+    const totp = configuredMfa.filter((item) => item.type === "totp");
+    return {
+      noMfa: !emailOtpEnabled && fidos.length === 0 && totp.length === 0,
+      hasMfa: emailOtpEnabled || fidos.length > 0 || totp.length > 0,
+      account: {
+        name,
+        email,
+        otpEmail: verifiedEmail,
+        accountType,
+        userId: cubeUserInfo?.user_id || ""
+      },
+      emailOtp: {
+        data: email || verifiedEmail,
+        enabled: emailOtpEnabled
+      },
+      fido: {
+        data: fidos,
+        enabled: fidos.length > 0
+      },
+      totp: {
+        data: totp[0],
+        enabled: totp.length > 0
+      }
+    };
+  }
+};
+// src/cube-connect.ts
+var CubeConnect = async (config) => {
+  const cubeAccount = CubeAccountService.getInstance(config);
+  if (!config.oidcToken) {
+    throw new Error("oidcToken is required");
+  }
+  await cubeAccount.loginOrRegister(config.oidcToken);
+  await cubeAccount.init(config.oidcToken);
+  const cubeMfaService = cubeAccount.cubeMfaService;
+  const cubeExportService = cubeAccount.cubeExportService;
+  return {
+    cubeAccount,
+    cubeMfa: cubeMfaService,
+    cubeExport: cubeExportService
+  };
+};
+// src/types.ts
+var LoginError = /* @__PURE__ */ ((LoginError2) => {
+  LoginError2["FIDO_NOT_ALLOWED"] = "NotAllowedError";
+  LoginError2["MFA_NOT_APPROVED"] = "MFA not approved yet";
+  LoginError2["MFA_REQUIRED"] = "MFA should not be required after approval";
+  LoginError2["OIDC_TOKEN_NOT_FOUND"] = "Oidc token not found";
+  LoginError2["CUBE_IDENTITY_NOT_FOUND"] = "Cube identity not found";
+  LoginError2["CUBE_USER_INFO_NOT_FOUND"] = "Cube user info not found";
+  LoginError2["OIDC_TOKEN_EXPIRED"] = "ExpiredSignature";
+  LoginError2["FAILED_OPEN_POPUP"] = "Failed to open popup window";
+  LoginError2["OAUTH_LOGIN_TIMEOUT"] = "OAuth login timeout";
+  LoginError2["USER_CANCELLED_LOGIN"] = "User cancelled login";
+  return LoginError2;
+})(LoginError || {});
+exports.CUBE_LIFETIME = CUBE_LIFETIME;
+exports.CUBE_SALTS = CUBE_SALTS;
+exports.CUBE_SCOPES = CUBE_SCOPES;
+exports.CubeAccountService = CubeAccountService;
+exports.CubeConnect = CubeConnect;
+exports.CubeExportService = CubeExportService;
+exports.CubeMfaService = CubeMfaService;
+exports.CubeSignService = CubeSignService;
+exports.EXPORT_KEY_PREFIX = EXPORT_KEY_PREFIX;
+exports.EXPORT_TIME_FORMAT = EXPORT_TIME_FORMAT;
+exports.ISS_MAP = ISS_MAP;
+exports.LoginError = LoginError;
+exports.OIDC_TOKEN_LIFETIME = OIDC_TOKEN_LIFETIME;
+exports.SEED_PHRASE_EXPORT_DURATION = SEED_PHRASE_EXPORT_DURATION;
+exports.getMfaInfoConfig = getMfaInfoConfig;