npm - @volr/sdk-core - Versions diffs - 0.1.65 → 0.1.67 - Mend

@volr/sdk-core 0.1.65 → 0.1.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -79,6 +79,15 @@ function getRandomBytes(len) {
 }
 // src/core/crypto/aes-gcm.ts
+function generateNonce() {
+  const nonce = new Uint8Array(12);
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const view = new DataView(nonce.buffer);
+  view.setUint32(0, timestamp, false);
+  const random = getRandomBytes(8);
+  nonce.set(random, 4);
+  return nonce;
+}
 function getSubtleCrypto() {
   if (typeof crypto !== "undefined" && crypto.subtle) {
     return crypto.subtle;
@@ -99,7 +108,7 @@ async function aesGcmEncrypt(plain, params) {
   if (key.length !== 32) {
     throw new Error(`${ERR_INVALID_PARAM}: key must be 32 bytes, got ${key.length}`);
   }
-  const nonce = providedNonce || getRandomBytes(12);
+  const nonce = providedNonce || generateNonce();
   if (nonce.length !== 12) {
     throw new Error(`${ERR_NONCE_SIZE}: nonce must be 12 bytes, got ${nonce.length}`);
   }
@@ -1056,62 +1065,79 @@ async function getAuthNonce(client, from, mode) {
 }
 function createPasskeyProvider(passkey, options) {
   let unwrappedKeypair = null;
-  const ensureSession = async (opts) => {
-    if (opts?.force && unwrappedKeypair) {
-      console.log("[PasskeyProvider] force=true: zeroizing existing session");
+  const sessionTtlMs = options.sessionTtlMs ?? 0;
+  let sessionExpiresAt = null;
+  let lockTimer = null;
+  const isSessionExpired = () => {
+    if (sessionTtlMs <= 0) return false;
+    if (!sessionExpiresAt) return true;
+    return Date.now() >= sessionExpiresAt;
+  };
+  const resetSessionTimer = () => {
+    if (sessionTtlMs <= 0) return;
+    if (lockTimer) {
+      clearTimeout(lockTimer);
+      lockTimer = null;
+    }
+    sessionExpiresAt = Date.now() + sessionTtlMs;
+    lockTimer = setTimeout(async () => {
+      console.log("[PasskeyProvider] Session expired, auto-locking");
+      await lock();
+    }, sessionTtlMs);
+  };
+  const lock = async () => {
+    if (lockTimer) {
+      clearTimeout(lockTimer);
+      lockTimer = null;
+    }
+    sessionExpiresAt = null;
+    if (unwrappedKeypair) {
+      console.log("[PasskeyProvider] lock(): zeroizing sensitive data from memory");
       zeroize(unwrappedKeypair.privateKey);
       zeroize(unwrappedKeypair.publicKey);
       unwrappedKeypair = null;
     }
-    if (unwrappedKeypair) {
+  };
+  const ensureSession = async (opts) => {
+    if (opts?.force && unwrappedKeypair) {
+      console.log("[PasskeyProvider] force=true: zeroizing existing session");
+      await lock();
+    }
+    if (unwrappedKeypair && !isSessionExpired()) {
+      resetSessionTimer();
       return;
     }
-    if (opts?.interactive || opts?.force) {
-      console.log("[PasskeyProvider] interactive mode: triggering WebAuthn prompt");
-      const prfSalt = deriveWrapKey(options.prfInput);
-      const { prfOutput } = await passkey.authenticate({
-        salt: prfSalt,
-        credentialId: options.prfInput.credentialId
-      });
-      const wrapKey = prfOutput;
-      const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
-      const masterSeed = await unsealMasterSeed(
-        options.encryptedBlob.cipher,
-        wrapKey,
-        aad,
-        options.encryptedBlob.nonce
-      );
-      const keypair = deriveEvmKey({ masterSeed });
-      unwrappedKeypair = {
-        privateKey: keypair.privateKey,
-        publicKey: keypair.publicKey,
-        address: keypair.address
-      };
-      zeroize(masterSeed);
-      zeroize(wrapKey);
-      zeroize(prfSalt);
-    } else {
-      console.warn("[PasskeyProvider] Non-interactive mode: using deterministic wrap key (insecure for TTL=0)");
-      const wrapKey = deriveWrapKey(options.prfInput);
-      const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
-      const masterSeed = await unsealMasterSeed(
-        options.encryptedBlob.cipher,
-        wrapKey,
-        aad,
-        options.encryptedBlob.nonce
-      );
-      const keypair = deriveEvmKey({ masterSeed });
-      unwrappedKeypair = {
-        privateKey: keypair.privateKey,
-        publicKey: keypair.publicKey,
-        address: keypair.address
-      };
-      zeroize(masterSeed);
-      zeroize(wrapKey);
+    if (unwrappedKeypair && isSessionExpired()) {
+      console.log("[PasskeyProvider] Session expired, re-authenticating");
+      await lock();
     }
+    console.log("[PasskeyProvider] Triggering WebAuthn prompt for hardware-backed authentication");
+    const prfSalt = deriveWrapKey(options.prfInput);
+    const { prfOutput } = await passkey.authenticate({
+      salt: prfSalt,
+      credentialId: options.prfInput.credentialId
+    });
+    const wrapKey = prfOutput;
+    const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
+    const masterSeed = await unsealMasterSeed(
+      options.encryptedBlob.cipher,
+      wrapKey,
+      aad,
+      options.encryptedBlob.nonce
+    );
+    const keypair = deriveEvmKey({ masterSeed });
+    unwrappedKeypair = {
+      privateKey: keypair.privateKey,
+      publicKey: keypair.publicKey,
+      address: keypair.address
+    };
+    zeroize(masterSeed);
+    zeroize(wrapKey);
+    zeroize(prfSalt);
+    resetSessionTimer();
   };
   const getAddress = async () => {
-    await ensureSession();
+    await ensureSession({ });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
@@ -1121,7 +1147,7 @@ function createPasskeyProvider(passkey, options) {
     if (hash32.length !== 32) {
       throw new Error(`${ERR_INVALID_PARAM}: Message hash must be 32 bytes, got ${hash32.length}`);
     }
-    await ensureSession();
+    await ensureSession({ });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
@@ -1133,7 +1159,7 @@ function createPasskeyProvider(passkey, options) {
     };
   };
   const signTypedData = async (input) => {
-    await ensureSession();
+    await ensureSession({ });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
@@ -1149,7 +1175,7 @@ function createPasskeyProvider(passkey, options) {
     for (let i = 0; i < 32; i++) {
       msgHashBytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
     }
-    const sig = await signMessage(msgHashBytes);
+    const sig = evmSign(unwrappedKeypair.privateKey, msgHashBytes);
     const v = sig.yParity + 27;
     const rHex = Array.from(sig.r).map((b) => b.toString(16).padStart(2, "0")).join("");
     const sHex = Array.from(sig.s).map((b) => b.toString(16).padStart(2, "0")).join("");
@@ -1157,20 +1183,12 @@ function createPasskeyProvider(passkey, options) {
     return `0x${rHex}${sHex}${vHex}`;
   };
   const getPublicKey = async () => {
-    await ensureSession();
+    await ensureSession({ });
     if (!unwrappedKeypair) {
       throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
     }
     return new Uint8Array(unwrappedKeypair.publicKey);
   };
-  const lock = async () => {
-    if (unwrappedKeypair) {
-      console.log("[PasskeyProvider] lock(): zeroizing sensitive data from memory");
-      zeroize(unwrappedKeypair.privateKey);
-      zeroize(unwrappedKeypair.publicKey);
-      unwrappedKeypair = null;
-    }
-  };
   return {
     keyStorageType: "passkey",
     ensureSession,
@@ -1324,6 +1342,7 @@ exports.deriveEvmKey = deriveEvmKey;
 exports.deriveWrapKey = deriveWrapKey;
 exports.evmSign = evmSign;
 exports.evmVerify = evmVerify;
+exports.generateNonce = generateNonce;
 exports.getAuthNonce = getAuthNonce;
 exports.getRandomBytes = getRandomBytes;
 exports.hkdfSha256 = hkdfSha256;