@volr/sdk-core 0.1.64 → 0.1.66

package/dist/index.cjs

@@ -79,6 +79,15 @@ function getRandomBytes(len) {
 }
 
 // src/core/crypto/aes-gcm.ts
+function generateNonce() {
+  const nonce = new Uint8Array(12);
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const view = new DataView(nonce.buffer);
+  view.setUint32(0, timestamp, false);
+  const random = getRandomBytes(8);
+  nonce.set(random, 4);
+  return nonce;
+}
 function getSubtleCrypto() {
   if (typeof crypto !== "undefined" && crypto.subtle) {
     return crypto.subtle;
@@ -99,7 +108,7 @@ async function aesGcmEncrypt(plain, params) {
   if (key.length !== 32) {
     throw new Error(`${ERR_INVALID_PARAM}: key must be 32 bytes, got ${key.length}`);
   }
-  const nonce = providedNonce || getRandomBytes(12);
+  const nonce = providedNonce || generateNonce();
   if (nonce.length !== 12) {
     throw new Error(`${ERR_NONCE_SIZE}: nonce must be 12 bytes, got ${nonce.length}`);
   }
@@ -1056,62 +1065,79 @@ async function getAuthNonce(client, from, mode) {
 }
 function createPasskeyProvider(passkey, options) {
   let unwrappedKeypair = null;
-  const ensureSession = async (opts) => {
-    if (opts?.force && unwrappedKeypair) {
-      console.log("[PasskeyProvider] force=true: zeroizing existing session");
+  const sessionTtlMs = options.sessionTtlMs ?? 0;
+  let sessionExpiresAt = null;
+  let lockTimer = null;
+  const isSessionExpired = () => {
+    if (sessionTtlMs === 0) return true;
+    if (!sessionExpiresAt) return true;
+    return Date.now() >= sessionExpiresAt;
+  };
+  const resetSessionTimer = () => {
+    if (sessionTtlMs <= 0) return;
+    if (lockTimer) {
+      clearTimeout(lockTimer);
+      lockTimer = null;
+    }
+    sessionExpiresAt = Date.now() + sessionTtlMs;
+    lockTimer = setTimeout(async () => {
+      console.log("[PasskeyProvider] Session expired, auto-locking");
+      await lock();
+    }, sessionTtlMs);
+  };
+  const lock = async () => {
+    if (lockTimer) {
+      clearTimeout(lockTimer);
+      lockTimer = null;
+    }
+    sessionExpiresAt = null;
+    if (unwrappedKeypair) {
+      console.log("[PasskeyProvider] lock(): zeroizing sensitive data from memory");
       zeroize(unwrappedKeypair.privateKey);
       zeroize(unwrappedKeypair.publicKey);
       unwrappedKeypair = null;
     }
-    if (unwrappedKeypair) {
+  };
+  const ensureSession = async (opts) => {
+    if (opts?.force && unwrappedKeypair) {
+      console.log("[PasskeyProvider] force=true: zeroizing existing session");
+      await lock();
+    }
+    if (unwrappedKeypair && !isSessionExpired()) {
+      resetSessionTimer();
       return;
     }
-    if (opts?.interactive || opts?.force) {
-      console.log("[PasskeyProvider] interactive mode: triggering WebAuthn prompt");
-      const prfSalt = deriveWrapKey(options.prfInput);
-      const { prfOutput } = await passkey.authenticate({
-        salt: prfSalt,
-        credentialId: options.prfInput.credentialId
-      });
-      const wrapKey = prfOutput;
-      const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
-      const masterSeed = await unsealMasterSeed(
-        options.encryptedBlob.cipher,
-        wrapKey,
-        aad,
-        options.encryptedBlob.nonce
-      );
-      const keypair = deriveEvmKey({ masterSeed });
-      unwrappedKeypair = {
-        privateKey: keypair.privateKey,
-        publicKey: keypair.publicKey,
-        address: keypair.address
-      };
-      zeroize(masterSeed);
-      zeroize(wrapKey);
-      zeroize(prfSalt);
-    } else {
-      console.warn("[PasskeyProvider] Non-interactive mode: using deterministic wrap key (insecure for TTL=0)");
-      const wrapKey = deriveWrapKey(options.prfInput);
-      const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
-      const masterSeed = await unsealMasterSeed(
-        options.encryptedBlob.cipher,
-        wrapKey,
-        aad,
-        options.encryptedBlob.nonce
-      );
-      const keypair = deriveEvmKey({ masterSeed });
-      unwrappedKeypair = {
-        privateKey: keypair.privateKey,
-        publicKey: keypair.publicKey,
-        address: keypair.address
-      };
-      zeroize(masterSeed);
-      zeroize(wrapKey);
+    if (unwrappedKeypair && isSessionExpired()) {
+      console.log("[PasskeyProvider] Session expired, re-authenticating");
+      await lock();
     }
+    console.log("[PasskeyProvider] Triggering WebAuthn prompt for hardware-backed authentication");
+    const prfSalt = deriveWrapKey(options.prfInput);
+    const { prfOutput } = await passkey.authenticate({
+      salt: prfSalt,
+      credentialId: options.prfInput.credentialId
+    });
+    const wrapKey = prfOutput;
+    const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
+    const masterSeed = await unsealMasterSeed(
+      options.encryptedBlob.cipher,
+      wrapKey,
+      aad,
+      options.encryptedBlob.nonce
+    );
+    const keypair = deriveEvmKey({ masterSeed });
+    unwrappedKeypair = {
+      privateKey: keypair.privateKey,
+      publicKey: keypair.publicKey,
+      address: keypair.address
+    };
+    zeroize(masterSeed);
+    zeroize(wrapKey);
+    zeroize(prfSalt);
+    resetSessionTimer();
   };
   const getAddress = async () => {
-    await ensureSession();
+    await ensureSession({ });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
@@ -1121,11 +1147,15 @@ function createPasskeyProvider(passkey, options) {
     if (hash32.length !== 32) {
       throw new Error(`${ERR_INVALID_PARAM}: Message hash must be 32 bytes, got ${hash32.length}`);
     }
-    await ensureSession();
+    const shouldForceFresh = sessionTtlMs === 0;
+    await ensureSession({ force: shouldForceFresh });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
     const sig = evmSign(unwrappedKeypair.privateKey, hash32);
+    if (shouldForceFresh) {
+      await lock();
+    }
     return {
       r: sig.r,
       s: sig.s,
@@ -1133,7 +1163,8 @@ function createPasskeyProvider(passkey, options) {
     };
   };
   const signTypedData = async (input) => {
-    await ensureSession();
+    const shouldForceFresh = sessionTtlMs === 0;
+    await ensureSession({ force: shouldForceFresh });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
@@ -1149,7 +1180,10 @@ function createPasskeyProvider(passkey, options) {
     for (let i = 0; i < 32; i++) {
       msgHashBytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
     }
-    const sig = await signMessage(msgHashBytes);
+    const sig = evmSign(unwrappedKeypair.privateKey, msgHashBytes);
+    if (shouldForceFresh) {
+      await lock();
+    }
     const v = sig.yParity + 27;
     const rHex = Array.from(sig.r).map((b) => b.toString(16).padStart(2, "0")).join("");
     const sHex = Array.from(sig.s).map((b) => b.toString(16).padStart(2, "0")).join("");
@@ -1157,20 +1191,12 @@ function createPasskeyProvider(passkey, options) {
     return `0x${rHex}${sHex}${vHex}`;
   };
   const getPublicKey = async () => {
-    await ensureSession();
+    await ensureSession({ });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
     return new Uint8Array(unwrappedKeypair.publicKey);
   };
-  const lock = async () => {
-    if (unwrappedKeypair) {
-      console.log("[PasskeyProvider] lock(): zeroizing sensitive data from memory");
-      zeroize(unwrappedKeypair.privateKey);
-      zeroize(unwrappedKeypair.publicKey);
-      unwrappedKeypair = null;
-    }
-  };
   return {
     keyStorageType: "passkey",
     ensureSession,
@@ -1324,6 +1350,7 @@ exports.deriveEvmKey = deriveEvmKey;
 exports.deriveWrapKey = deriveWrapKey;
 exports.evmSign = evmSign;
 exports.evmVerify = evmVerify;
+exports.generateNonce = generateNonce;
 exports.getAuthNonce = getAuthNonce;
 exports.getRandomBytes = getRandomBytes;
 exports.hkdfSha256 = hkdfSha256;