@volr/sdk-core 0.1.90 → 0.1.92

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +1 -1
  2. package/dist/index.cjs +5 -6
  3. package/dist/index.cjs.map +1 -1
  4. package/dist/index.d.cts +9 -7
  5. package/dist/index.d.ts +9 -7
  6. package/dist/index.js +5 -6
  7. package/dist/index.js.map +1 -1
  8. package/package.json +1 -1
package/dist/index.d.cts CHANGED
@@ -208,22 +208,25 @@ declare function unsealMasterSeed(cipher: Uint8Array, wrapKey: WrapKey, aad: Uin
208
208
 
209
209
  /**
210
210
  * PRF input parameters for wrap key derivation
211
+ *
212
+ * Note: origin is NOT included in PrfInput because:
213
+ * - Different domains should be able to share the same wallet
214
+ * - WebAuthn rpId binding already provides domain security
215
+ * - Including origin would prevent cross-domain wallet usage
211
216
  */
212
217
  type PrfInput = {
213
- /** Origin (e.g., "https://example.com") */
214
- origin: string;
215
218
  /** Project ID */
216
219
  projectId: string;
217
220
  /** Credential ID from WebAuthn */
218
221
  credentialId: string;
219
- /** Optional salt (defaults to SHA256 of concatenated inputs) */
222
+ /** Optional salt (defaults to SHA256 of projectId) */
220
223
  salt?: Uint8Array;
221
224
  };
222
225
  /**
223
226
  * Derive wrap key from PRF inputs using HKDF
224
227
  *
225
- * PRF input domain is fixed: rpId|projectId (credentialId excluded)
226
- * This ensures consistent wrap key derivation across sessions
228
+ * Salt derivation uses only projectId to enable cross-domain wallet sharing.
229
+ * WebAuthn's rpId binding already provides domain-level security.
227
230
  *
228
231
  * Note: credentialId is NOT included in salt derivation because:
229
232
  * - During enrollment, actual credentialId is not known until after credential creation
@@ -240,7 +243,6 @@ type PrfInput = {
240
243
  * @example
241
244
  * ```ts
242
245
  * const wrapKey = deriveWrapKey({
243
- * origin: 'https://example.com',
244
246
  * projectId: 'project-123',
245
247
  * credentialId: 'cred-456' // stored for authentication, but not used in salt derivation
246
248
  * });
@@ -1300,7 +1302,7 @@ type PasskeyProviderOptions = {
1300
1302
  * @example
1301
1303
  * ```ts
1302
1304
  * const provider = createPasskeyProvider(passkeyAdapter, {
1303
- * prfInput: { origin, projectId, credentialId },
1305
+ * prfInput: { projectId, credentialId },
1304
1306
  * encryptedBlob: { cipher, nonce }
1305
1307
  * });
1306
1308
  * await provider.ensureSession({ interactive: true, force: true });
package/dist/index.d.ts CHANGED
@@ -208,22 +208,25 @@ declare function unsealMasterSeed(cipher: Uint8Array, wrapKey: WrapKey, aad: Uin
208
208
 
209
209
  /**
210
210
  * PRF input parameters for wrap key derivation
211
+ *
212
+ * Note: origin is NOT included in PrfInput because:
213
+ * - Different domains should be able to share the same wallet
214
+ * - WebAuthn rpId binding already provides domain security
215
+ * - Including origin would prevent cross-domain wallet usage
211
216
  */
212
217
  type PrfInput = {
213
- /** Origin (e.g., "https://example.com") */
214
- origin: string;
215
218
  /** Project ID */
216
219
  projectId: string;
217
220
  /** Credential ID from WebAuthn */
218
221
  credentialId: string;
219
- /** Optional salt (defaults to SHA256 of concatenated inputs) */
222
+ /** Optional salt (defaults to SHA256 of projectId) */
220
223
  salt?: Uint8Array;
221
224
  };
222
225
  /**
223
226
  * Derive wrap key from PRF inputs using HKDF
224
227
  *
225
- * PRF input domain is fixed: rpId|projectId (credentialId excluded)
226
- * This ensures consistent wrap key derivation across sessions
228
+ * Salt derivation uses only projectId to enable cross-domain wallet sharing.
229
+ * WebAuthn's rpId binding already provides domain-level security.
227
230
  *
228
231
  * Note: credentialId is NOT included in salt derivation because:
229
232
  * - During enrollment, actual credentialId is not known until after credential creation
@@ -240,7 +243,6 @@ type PrfInput = {
240
243
  * @example
241
244
  * ```ts
242
245
  * const wrapKey = deriveWrapKey({
243
- * origin: 'https://example.com',
244
246
  * projectId: 'project-123',
245
247
  * credentialId: 'cred-456' // stored for authentication, but not used in salt derivation
246
248
  * });
@@ -1300,7 +1302,7 @@ type PasskeyProviderOptions = {
1300
1302
  * @example
1301
1303
  * ```ts
1302
1304
  * const provider = createPasskeyProvider(passkeyAdapter, {
1303
- * prfInput: { origin, projectId, credentialId },
1305
+ * prfInput: { projectId, credentialId },
1304
1306
  * encryptedBlob: { cipher, nonce }
1305
1307
  * });
1306
1308
  * await provider.ensureSession({ interactive: true, force: true });
package/dist/index.js CHANGED
@@ -223,14 +223,13 @@ function createMasterKeyProvider() {
223
223
  };
224
224
  }
225
225
  function deriveWrapKey(input) {
226
- const { origin, projectId, salt } = input;
227
- const rpId = typeof window !== "undefined" && origin ? new URL(origin).hostname : origin;
228
- const prfInput = new TextEncoder().encode(`${rpId}|${projectId}`);
229
- const prfOutput = sha256(prfInput);
226
+ const { projectId, salt } = input;
227
+ const prfInputBytes = new TextEncoder().encode(`volr|${projectId}`);
228
+ const prfOutput = sha256(prfInputBytes);
230
229
  const defaultSalt = salt || sha256(
231
- new TextEncoder().encode(`volr/salt|${rpId}|${projectId}`)
230
+ new TextEncoder().encode(`volr/salt|${projectId}`)
232
231
  );
233
- const info = `volr/wrap-key/v1|${rpId}|${projectId}`;
232
+ const info = `volr/wrap-key/v1|${projectId}`;
234
233
  const wrapKey = hkdfSha256(prfOutput, defaultSalt, info, 32);
235
234
  return wrapKey;
236
235
  }