@turnkey/core 1.6.0 → 1.8.0

package/dist/__clients__/core.mjs

@@ -2,7 +2,7 @@ import { TurnkeySDKClientBase } from '../__generated__/sdk-client-base.mjs';
 import { TurnkeyErrorCodes, TurnkeyError, AuthAction } from '@turnkey/sdk-types';
 import { DEFAULT_SESSION_EXPIRATION_IN_SECONDS } from '../__types__/auth.mjs';
 import { SessionKey, StamperType, WalletSource, Chain, FilterType, OtpTypeToFilterTypeMap, OtpType, Curve, SignIntent } from '../__types__/enums.mjs';
-import { withTurnkeyErrorHandling, isValidPasskeyName, isWeb, isReactNative, buildSignUpBody, findWalletProviderFromAddress, getPublicKeyFromStampHeader, addressFromPublicKey, getCurveTypeFromProvider, sendSignedRequest, fetchAllWalletAccountsWithCursor, mapAccountsToWallet, toExternalTimestamp, getAuthenticatorAddresses, isEthereumProvider, isSolanaProvider, getActiveSessionOrThrowIfRequired, getHashFunction, getEncodingType, getEncodedMessage, splitSignature, broadcastTransaction, getPolicySignature, googleISS, isWalletAccountArray, generateWalletAccountsFromAddressFormat } from '../utils.mjs';
+import { withTurnkeyErrorHandling, isValidPasskeyName, isWeb, isReactNative, buildSignUpBody, findWalletProviderFromAddress, getPublicKeyFromStampHeader, addressFromPublicKey, getCurveTypeFromProvider, sendSignedRequest, getAuthenticatorAddresses, fetchAllWalletAccountsWithCursor, mapAccountsToWallet, toExternalTimestamp, isEthereumProvider, isSolanaProvider, getActiveSessionOrThrowIfRequired, getHashFunction, getEncodingType, getEncodedMessage, splitSignature, broadcastTransaction, getPolicySignature, googleISS, isWalletAccountArray, generateWalletAccountsFromAddressFormat } from '../utils.mjs';
 import { createStorageManager } from '../__storage__/base.mjs';
 import { CrossPlatformApiKeyStamper } from '../__stampers__/api/base.mjs';
 import { CrossPlatformPasskeyStamper } from '../__stampers__/passkey/base.mjs';
@@ -228,10 +228,10 @@ class TurnkeyClient {
          * - Stores the resulting session token and manages cleanup of unused key pairs.
          *
          * @param params.passkeyDisplayName - display name for the passkey (defaults to a generated name based on the current timestamp).
+         * @param params.challenge - challenge string to use for passkey registration. If not provided, a new challenge will be generated.
+         * @param params.expirationSeconds - session expiration time in seconds (defaults to the configured default).
          * @param params.createSubOrgParams - parameters for creating a sub-organization (e.g., authenticators, user metadata).
          * @param params.sessionKey - session key to use for storing the session (defaults to the default session key).
-         * @param params.expirationSeconds - session expiration time in seconds (defaults to the configured default).
-         * @param params.challenge - challenge string to use for passkey registration. If not provided, a new challenge will be generated.
          * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
          * @returns A promise that resolves to a {@link PasskeyAuthResult}, which includes:
          *          - `sessionToken`: the signed JWT session token.
@@ -239,7 +239,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is an error during passkey creation, sub-organization creation, or session storage.
          */
         this.signUpWithPasskey = async (params) => {
-            const { createSubOrgParams, passkeyDisplayName, sessionKey = SessionKey.DefaultSessionkey, expirationSeconds = DEFAULT_SESSION_EXPIRATION_IN_SECONDS, organizationId, } = params || {};
+            const { passkeyDisplayName, challenge, expirationSeconds = DEFAULT_SESSION_EXPIRATION_IN_SECONDS, createSubOrgParams, sessionKey = SessionKey.DefaultSessionkey, organizationId, } = params || {};
             let generatedPublicKey = undefined;
             return withTurnkeyErrorHandling(async () => {
                 generatedPublicKey = await this.apiKeyStamper?.createKeyPair();
@@ -247,7 +247,7 @@ class TurnkeyClient {
                 // A passkey will be created automatically when you call this function. The name is passed in
                 const passkey = await this.createPasskey({
                     name: passkeyName,
-                    ...(params?.challenge && { challenge: params.challenge }),
+                    ...(challenge && { challenge }),
                 });
                 if (!passkey) {
                     throw new TurnkeyError("Failed to create passkey: encoded challenge or attestation is missing", TurnkeyErrorCodes.INTERNAL_ERROR);
@@ -285,11 +285,13 @@ class TurnkeyClient {
                     organizationId: organizationId ?? this.config.organizationId,
                     expirationSeconds,
                 });
-                await this.apiKeyStamper?.deleteKeyPair(generatedPublicKey);
-                await this.storeSession({
-                    sessionToken: sessionResponse.session,
-                    sessionKey,
-                });
+                await Promise.all([
+                    this.apiKeyStamper?.deleteKeyPair(generatedPublicKey),
+                    this.storeSession({
+                        sessionToken: sessionResponse.session,
+                        sessionKey,
+                    }),
+                ]);
                 generatedPublicKey = undefined; // Key pair was successfully used, set to null to prevent cleanup
                 return {
                     sessionToken: sessionResponse.session,
@@ -651,11 +653,13 @@ class TurnkeyClient {
                     organizationId: this.config.organizationId,
                     expirationSeconds,
                 });
-                await this.apiKeyStamper?.deleteKeyPair(generatedPublicKey);
-                await this.storeSession({
-                    sessionToken: sessionResponse.session,
-                    sessionKey,
-                });
+                await Promise.all([
+                    this.apiKeyStamper?.deleteKeyPair(generatedPublicKey),
+                    this.storeSession({
+                        sessionToken: sessionResponse.session,
+                        sessionKey,
+                    }),
+                ]);
                 generatedPublicKey = undefined; // Key pair was successfully used, set to null to prevent cleanup
                 // TODO (Moe): What happens if a user connects to MetaMask on Ethereum,
                 // then switches to a Solana account within MetaMask? Will this flow break?
@@ -1033,16 +1037,17 @@ class TurnkeyClient {
          * @param params.oidcToken - OIDC token received after successful authentication with the OAuth provider.
          * @param params.publicKey - public key to use for authentication. Must be generated prior to calling this function, this is because the OIDC nonce has to be set to `sha256(publicKey)`.
          * @param params.providerName - name of the OAuth provider (defaults to a generated name with a timestamp).
-         * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
-         * @param params.invalidateExisting - flag to invalidate existing sessions for the user.
          * @param params.createSubOrgParams - parameters for sub-organization creation (e.g., authenticators, user metadata).
+         * @param params.invalidateExisting - flag to invalidate existing sessions for the user.
+         * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
+         *
          * @returns A promise that resolves to an object containing:
          *          - `sessionToken`: the signed JWT session token.
          *          - `action`: whether the flow resulted in a login or signup ({@link AuthAction}).
          * @throws {TurnkeyError} If there is an error during the OAuth completion process, such as account lookup, sign-up, or login.
          */
         this.completeOauth = async (params) => {
-            const { oidcToken, publicKey, createSubOrgParams, providerName = "OpenID Connect Provider" + " " + Date.now(), sessionKey = SessionKey.DefaultSessionkey, invalidateExisting = false, } = params;
+            const { oidcToken, publicKey, providerName, createSubOrgParams, invalidateExisting, sessionKey, } = params;
             return withTurnkeyErrorHandling(async () => {
                 const accountRes = await this.httpClient.proxyGetAccount({
                     filterType: "OIDC_TOKEN",
@@ -1056,8 +1061,8 @@ class TurnkeyClient {
                     const loginRes = await this.loginWithOauth({
                         oidcToken,
                         publicKey,
-                        invalidateExisting,
-                        sessionKey,
+                        ...(invalidateExisting && { invalidateExisting }),
+                        ...(sessionKey && { sessionKey }),
                     });
                     return {
                         ...loginRes,
@@ -1068,11 +1073,14 @@ class TurnkeyClient {
                     const signUpRes = await this.signUpWithOauth({
                         oidcToken,
                         publicKey,
-                        providerName,
-                        sessionKey,
+                        ...(providerName && {
+                            providerName,
+                        }),
                         ...(createSubOrgParams && {
                             createSubOrgParams,
                         }),
+                        ...(invalidateExisting && { invalidateExisting }),
+                        ...(sessionKey && { sessionKey }),
                     });
                     return {
                         ...signUpRes,
@@ -1093,7 +1101,10 @@ class TurnkeyClient {
          * - Handles cleanup of unused key pairs if login fails.
          *
          * @param params.oidcToken - OIDC token received after successful authentication with the OAuth provider.
-         * @param params.publicKey - public key to use for authentication. Must be generated prior to calling this function.
+         * @param params.publicKey - The public key bound to the login session. This key is required because it is directly
+         *                           tied to the nonce used during OIDC token generation and must match the value
+         *                           encoded in the token.
+         * @param params.organizationId - ID of the organization to target when creating the session.
          * @param params.invalidateExisting - flag to invalidate existing sessions for the user.
          * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
          * @returns A promise that resolves to a {@link BaseAuthResult}, which includes:
@@ -1101,7 +1112,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is an error during the OAuth login process or if key pair cleanup fails.
          */
         this.loginWithOauth = async (params) => {
-            const { oidcToken, invalidateExisting = false, publicKey, sessionKey = SessionKey.DefaultSessionkey, } = params;
+            const { oidcToken, publicKey, organizationId, invalidateExisting = false, sessionKey = SessionKey.DefaultSessionkey, } = params;
             return withTurnkeyErrorHandling(async () => {
                 if (!publicKey) {
                     throw new TurnkeyError("Public key must be provided to log in with OAuth. Please create a key pair first.", TurnkeyErrorCodes.MISSING_PARAMS);
@@ -1110,6 +1121,7 @@ class TurnkeyClient {
                     oidcToken,
                     publicKey,
                     invalidateExisting,
+                    ...(organizationId && { organizationId }),
                 });
                 if (!loginRes) {
                     throw new TurnkeyError(`Auth proxy OAuth login failed`, TurnkeyErrorCodes.OAUTH_LOGIN_ERROR);
@@ -1162,7 +1174,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is an error during the OAuth sign-up or login process.
          */
         this.signUpWithOauth = async (params) => {
-            const { oidcToken, publicKey, providerName, createSubOrgParams, sessionKey, } = params;
+            const { oidcToken, publicKey, providerName = "OpenID Connect Provider" + " " + Date.now(), createSubOrgParams, sessionKey, } = params;
             return withTurnkeyErrorHandling(async () => {
                 const signUpBody = buildSignUpBody({
                     createSubOrgParams: {
@@ -1223,20 +1235,41 @@ class TurnkeyClient {
             }
             return withTurnkeyErrorHandling(async () => {
                 let embedded = [];
+                const organizationId = organizationIdFromParams || session?.organizationId;
+                const userId = userIdFromParams || session?.userId;
+                // we start fetching user early if we have the required params (needed for connected wallets)
+                // this runs in parallel with the embedded wallet fetching below
+                let userPromise;
+                if (organizationId && userId && this.walletManager?.connector) {
+                    const signedUserRequest = await this.httpClient.stampGetUser({
+                        userId,
+                        organizationId,
+                    }, stampWith);
+                    if (!signedUserRequest) {
+                        throw new TurnkeyError("Failed to stamp user request", TurnkeyErrorCodes.INVALID_REQUEST);
+                    }
+                    userPromise = sendSignedRequest(signedUserRequest).then((response) => getAuthenticatorAddresses(response.user));
+                }
                 // if connectedOnly is true, we skip fetching embedded wallets
                 if (!connectedOnly) {
-                    const organizationId = organizationIdFromParams || session?.organizationId;
                     if (!organizationId) {
                         throw new TurnkeyError("No organization ID provided and no active session found. Please log in first or pass in an organization ID.", TurnkeyErrorCodes.INVALID_REQUEST);
                     }
-                    const userId = userIdFromParams || session?.userId;
                     if (!userId) {
                         throw new TurnkeyError("No user ID provided and no active session found. Please log in first or pass in a user ID.", TurnkeyErrorCodes.INVALID_REQUEST);
                     }
-                    const accounts = await fetchAllWalletAccountsWithCursor(this.httpClient, organizationId, stampWith);
-                    const walletsRes = await this.httpClient.getWallets({
+                    // we stamp the wallet request first
+                    // this is done to avoid concurrent passkey prompts
+                    const signedWalletsRequest = await this.httpClient.stampGetWallets({
                         organizationId,
                     }, stampWith);
+                    if (!signedWalletsRequest) {
+                        throw new TurnkeyError("Failed to stamp wallet request", TurnkeyErrorCodes.INVALID_REQUEST);
+                    }
+                    const [accounts, walletsRes] = await Promise.all([
+                        fetchAllWalletAccountsWithCursor(this.httpClient, organizationId, stampWith),
+                        sendSignedRequest(signedWalletsRequest),
+                    ]);
                     // create a map of walletId to EmbeddedWallet for easy lookup
                     const walletMap = new Map(walletsRes.wallets.map((wallet) => [
                         wallet.walletId,
@@ -1264,6 +1297,13 @@ class TurnkeyClient {
                     group.push(provider);
                     groupedProviders.set(walletId, group);
                 }
+                // we fetch user once for all connected wallets to avoid duplicate `fetchUser` calls
+                // this is only done if we have `organizationId` and `userId`
+                // Note: this was started earlier in parallel with embedded wallet fetching for performance
+                let authenticatorAddresses;
+                if (userPromise) {
+                    authenticatorAddresses = await userPromise;
+                }
                 // has to be done in a for of loop so we can await each fetchWalletAccounts call individually
                 // otherwise await Promise.all would cause them all to fire at once breaking passkey only set ups
                 // (multiple wallet fetches at once causing "OperationError: A request is already pending.")
@@ -1288,6 +1328,7 @@ class TurnkeyClient {
                             organizationId: organizationIdFromParams,
                         }),
                         ...(userIdFromParams !== undefined && { userId: userIdFromParams }),
+                        ...(authenticatorAddresses && { authenticatorAddresses }),
                     });
                     wallet.accounts = accounts;
                     if (wallet.accounts.length > 0) {
@@ -1315,6 +1356,7 @@ class TurnkeyClient {
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @param params.organizationId - organization ID to target (defaults to the session's organization ID).
          * @param params.userId - user ID to target (defaults to the session's user ID).
+         * @param params.authenticatorAddresses - optional authenticator addresses to avoid redundant user fetches (this is used for connected wallets to determine if a connected wallet is an authenticator)
          *
          * @returns A promise that resolves to an array of `v1WalletAccount` objects.
          * @throws {TurnkeyError} If no active session is found or if there is an error fetching wallet accounts.
@@ -1369,9 +1411,13 @@ class TurnkeyClient {
                 const sign = this.walletManager.connector.sign.bind(this.walletManager.connector);
                 let ethereumAddresses = [];
                 let solanaAddresses = [];
-                // we only fetch the user if we have to the organizationId and userId
-                // if not that means `isAuthenticator` will always be false
-                if (organizationId && userId) {
+                if (params.authenticatorAddresses) {
+                    ({ ethereum: ethereumAddresses, solana: solanaAddresses } =
+                        params.authenticatorAddresses);
+                }
+                else if (organizationId && userId) {
+                    // we only fetch the user if authenticator addresses aren't provided and we have the organizationId and userId
+                    // if not, then that means `isAuthenticator` will always be false
                     const user = await this.fetchUser({
                         userId,
                         organizationId,
@@ -2695,8 +2741,10 @@ class TurnkeyClient {
             withTurnkeyErrorHandling(async () => {
                 const session = await this.storageManager.getSession(sessionKey);
                 if (session) {
-                    await this.apiKeyStamper?.deleteKeyPair(session.publicKey);
-                    await this.storageManager.clearSession(sessionKey);
+                    await Promise.all([
+                        this.apiKeyStamper?.deleteKeyPair(session.publicKey),
+                        this.storageManager.clearSession(sessionKey),
+                    ]);
                 }
                 else {
                     throw new TurnkeyError(`No session found with key: ${sessionKey}`, TurnkeyErrorCodes.NOT_FOUND);
@@ -3071,15 +3119,24 @@ class TurnkeyClient {
         this.storageManager = await createStorageManager();
         // Initialize the API key stamper
         this.apiKeyStamper = new CrossPlatformApiKeyStamper(this.storageManager);
-        await this.apiKeyStamper.init();
+        // we parallelize independent initializations:
+        // - API key stamper init
+        // - Passkey stamper creation and init (if configured)
+        // - Wallet manager creation (if configured)
+        const initTasks = [this.apiKeyStamper.init()];
         if (this.config.passkeyConfig) {
-            this.passkeyStamper = new CrossPlatformPasskeyStamper(this.config.passkeyConfig);
-            await this.passkeyStamper.init();
+            const passkeyStamper = new CrossPlatformPasskeyStamper(this.config.passkeyConfig);
+            initTasks.push(passkeyStamper.init().then(() => {
+                this.passkeyStamper = passkeyStamper;
+            }));
         }
         if (this.config.walletConfig?.features?.auth ||
             this.config.walletConfig?.features?.connecting) {
-            this.walletManager = await createWalletManager(this.config.walletConfig);
+            initTasks.push(createWalletManager(this.config.walletConfig).then((manager) => {
+                this.walletManager = manager;
+            }));
         }
+        await Promise.all(initTasks);
         // Initialize the HTTP client with the appropriate stampers
         // Note: not passing anything here since we want to use the configured stampers and this.config
         this.httpClient = this.createHttpClient();