@x402/extensions 2.2.0 → 2.3.0

package/dist/esm/chunk-E3F2XHTI.mjs

@@ -0,0 +1,719 @@
+// src/sign-in-with-x/types.ts
+import { z } from "zod";
+var SIGN_IN_WITH_X = "sign-in-with-x";
+var SIWxPayloadSchema = z.object({
+  domain: z.string(),
+  address: z.string(),
+  statement: z.string().optional(),
+  uri: z.string(),
+  version: z.string(),
+  chainId: z.string(),
+  type: z.enum(["eip191", "ed25519"]),
+  nonce: z.string(),
+  issuedAt: z.string(),
+  expirationTime: z.string().optional(),
+  notBefore: z.string().optional(),
+  requestId: z.string().optional(),
+  resources: z.array(z.string()).optional(),
+  signatureScheme: z.enum(["eip191", "eip1271", "eip6492", "siws"]).optional(),
+  signature: z.string()
+});
+
+// src/sign-in-with-x/solana.ts
+import { base58 } from "@scure/base";
+import nacl from "tweetnacl";
+var SOLANA_MAINNET = "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp";
+var SOLANA_DEVNET = "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1";
+var SOLANA_TESTNET = "solana:4uhcVJyU9pJkvQyS88uRDiswHXSCkY3z";
+function extractSolanaChainReference(chainId) {
+  const [, reference] = chainId.split(":");
+  return reference;
+}
+function formatSIWSMessage(info, address) {
+  const lines = [
+    `${info.domain} wants you to sign in with your Solana account:`,
+    address,
+    ""
+  ];
+  if (info.statement) {
+    lines.push(info.statement, "");
+  }
+  lines.push(
+    `URI: ${info.uri}`,
+    `Version: ${info.version}`,
+    `Chain ID: ${extractSolanaChainReference(info.chainId)}`,
+    `Nonce: ${info.nonce}`,
+    `Issued At: ${info.issuedAt}`
+  );
+  if (info.expirationTime) {
+    lines.push(`Expiration Time: ${info.expirationTime}`);
+  }
+  if (info.notBefore) {
+    lines.push(`Not Before: ${info.notBefore}`);
+  }
+  if (info.requestId) {
+    lines.push(`Request ID: ${info.requestId}`);
+  }
+  if (info.resources && info.resources.length > 0) {
+    lines.push("Resources:");
+    for (const resource of info.resources) {
+      lines.push(`- ${resource}`);
+    }
+  }
+  return lines.join("\n");
+}
+function verifySolanaSignature(message, signature, publicKey) {
+  const messageBytes = new TextEncoder().encode(message);
+  return nacl.sign.detached.verify(messageBytes, signature, publicKey);
+}
+function decodeBase58(encoded) {
+  return base58.decode(encoded);
+}
+function encodeBase58(bytes) {
+  return base58.encode(bytes);
+}
+
+// src/sign-in-with-x/schema.ts
+function buildSIWxSchema() {
+  return {
+    $schema: "https://json-schema.org/draft/2020-12/schema",
+    type: "object",
+    properties: {
+      domain: { type: "string" },
+      address: { type: "string" },
+      statement: { type: "string" },
+      uri: { type: "string", format: "uri" },
+      version: { type: "string" },
+      chainId: { type: "string" },
+      type: { type: "string" },
+      nonce: { type: "string" },
+      issuedAt: { type: "string", format: "date-time" },
+      expirationTime: { type: "string", format: "date-time" },
+      notBefore: { type: "string", format: "date-time" },
+      requestId: { type: "string" },
+      resources: { type: "array", items: { type: "string", format: "uri" } },
+      signature: { type: "string" }
+    },
+    required: [
+      "domain",
+      "address",
+      "uri",
+      "version",
+      "chainId",
+      "type",
+      "nonce",
+      "issuedAt",
+      "signature"
+    ]
+  };
+}
+
+// src/sign-in-with-x/declare.ts
+function getSignatureType(network) {
+  return network.startsWith("solana:") ? "ed25519" : "eip191";
+}
+function declareSIWxExtension(options = {}) {
+  const info = {
+    version: options.version ?? "1"
+  };
+  if (options.domain) {
+    info.domain = options.domain;
+  }
+  if (options.resourceUri) {
+    info.uri = options.resourceUri;
+    info.resources = [options.resourceUri];
+  }
+  if (options.statement) {
+    info.statement = options.statement;
+  }
+  let supportedChains = [];
+  if (options.network) {
+    const networks = Array.isArray(options.network) ? options.network : [options.network];
+    supportedChains = networks.map((network) => ({
+      chainId: network,
+      type: getSignatureType(network)
+    }));
+  }
+  const declaration = {
+    info,
+    supportedChains,
+    schema: buildSIWxSchema(),
+    _options: options
+  };
+  return { [SIGN_IN_WITH_X]: declaration };
+}
+
+// src/sign-in-with-x/server.ts
+import { randomBytes } from "crypto";
+var siwxResourceServerExtension = {
+  key: SIGN_IN_WITH_X,
+  enrichPaymentRequiredResponse: async (declaration, context) => {
+    const decl = declaration;
+    const opts = decl._options ?? {};
+    const resourceUri = opts.resourceUri ?? context.resourceInfo.url;
+    let domain = opts.domain;
+    if (!domain && resourceUri) {
+      try {
+        domain = new URL(resourceUri).hostname;
+      } catch {
+      }
+    }
+    let networks;
+    if (opts.network) {
+      networks = Array.isArray(opts.network) ? opts.network : [opts.network];
+    } else {
+      networks = [...new Set(context.requirements.map((r) => r.network))];
+    }
+    const nonce = randomBytes(16).toString("hex");
+    const issuedAt = (/* @__PURE__ */ new Date()).toISOString();
+    const expirationSeconds = opts.expirationSeconds;
+    const expirationTime = expirationSeconds !== void 0 ? new Date(Date.now() + expirationSeconds * 1e3).toISOString() : void 0;
+    const info = {
+      domain: domain ?? "",
+      uri: resourceUri,
+      version: opts.version ?? "1",
+      nonce,
+      issuedAt,
+      resources: [resourceUri]
+    };
+    if (expirationTime) {
+      info.expirationTime = expirationTime;
+    }
+    if (opts.statement) {
+      info.statement = opts.statement;
+    }
+    const supportedChains = networks.map((network) => ({
+      chainId: network,
+      type: getSignatureType(network)
+    }));
+    return {
+      info,
+      supportedChains,
+      schema: buildSIWxSchema()
+    };
+  }
+};
+
+// src/sign-in-with-x/parse.ts
+import { Base64EncodedRegex, safeBase64Decode } from "@x402/core/utils";
+function parseSIWxHeader(header) {
+  if (!Base64EncodedRegex.test(header)) {
+    throw new Error("Invalid SIWX header: not valid base64");
+  }
+  const jsonStr = safeBase64Decode(header);
+  let rawPayload;
+  try {
+    rawPayload = JSON.parse(jsonStr);
+  } catch (error) {
+    if (error instanceof SyntaxError) {
+      throw new Error("Invalid SIWX header: not valid JSON");
+    }
+    throw error;
+  }
+  const parsed = SIWxPayloadSchema.safeParse(rawPayload);
+  if (!parsed.success) {
+    const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join(", ");
+    throw new Error(`Invalid SIWX header: ${issues}`);
+  }
+  return parsed.data;
+}
+
+// src/sign-in-with-x/validate.ts
+var DEFAULT_MAX_AGE_MS = 5 * 60 * 1e3;
+async function validateSIWxMessage(message, expectedResourceUri, options = {}) {
+  const expectedUrl = new URL(expectedResourceUri);
+  const maxAge = options.maxAge ?? DEFAULT_MAX_AGE_MS;
+  if (message.domain !== expectedUrl.hostname) {
+    return {
+      valid: false,
+      error: `Domain mismatch: expected "${expectedUrl.hostname}", got "${message.domain}"`
+    };
+  }
+  if (!message.uri.startsWith(expectedUrl.origin)) {
+    return {
+      valid: false,
+      error: `URI mismatch: expected origin "${expectedUrl.origin}", got "${message.uri}"`
+    };
+  }
+  const issuedAt = new Date(message.issuedAt);
+  if (isNaN(issuedAt.getTime())) {
+    return {
+      valid: false,
+      error: "Invalid issuedAt timestamp"
+    };
+  }
+  const age = Date.now() - issuedAt.getTime();
+  if (age > maxAge) {
+    return {
+      valid: false,
+      error: `Message too old: ${Math.round(age / 1e3)}s exceeds ${maxAge / 1e3}s limit`
+    };
+  }
+  if (age < 0) {
+    return {
+      valid: false,
+      error: "issuedAt is in the future"
+    };
+  }
+  if (message.expirationTime) {
+    const expiration = new Date(message.expirationTime);
+    if (isNaN(expiration.getTime())) {
+      return {
+        valid: false,
+        error: "Invalid expirationTime timestamp"
+      };
+    }
+    if (expiration < /* @__PURE__ */ new Date()) {
+      return {
+        valid: false,
+        error: "Message expired"
+      };
+    }
+  }
+  if (message.notBefore) {
+    const notBefore = new Date(message.notBefore);
+    if (isNaN(notBefore.getTime())) {
+      return {
+        valid: false,
+        error: "Invalid notBefore timestamp"
+      };
+    }
+    if (/* @__PURE__ */ new Date() < notBefore) {
+      return {
+        valid: false,
+        error: "Message not yet valid (notBefore is in the future)"
+      };
+    }
+  }
+  if (options.checkNonce) {
+    const nonceValid = await options.checkNonce(message.nonce);
+    if (!nonceValid) {
+      return {
+        valid: false,
+        error: "Nonce validation failed (possible replay attack)"
+      };
+    }
+  }
+  return { valid: true };
+}
+
+// src/sign-in-with-x/evm.ts
+import { verifyMessage } from "viem";
+import { SiweMessage } from "siwe";
+function extractEVMChainId(chainId) {
+  const match = /^eip155:(\d+)$/.exec(chainId);
+  if (!match) {
+    throw new Error(`Invalid EVM chainId format: ${chainId}. Expected eip155:<number>`);
+  }
+  return parseInt(match[1], 10);
+}
+function formatSIWEMessage(info, address) {
+  const numericChainId = extractEVMChainId(info.chainId);
+  const siweMessage = new SiweMessage({
+    domain: info.domain,
+    address,
+    statement: info.statement,
+    uri: info.uri,
+    version: info.version,
+    chainId: numericChainId,
+    nonce: info.nonce,
+    issuedAt: info.issuedAt,
+    expirationTime: info.expirationTime,
+    notBefore: info.notBefore,
+    requestId: info.requestId,
+    resources: info.resources
+  });
+  return siweMessage.prepareMessage();
+}
+async function verifyEVMSignature(message, address, signature, verifier) {
+  const args = {
+    address,
+    message,
+    signature
+  };
+  if (verifier) {
+    return verifier(args);
+  }
+  return verifyMessage(args);
+}
+
+// src/sign-in-with-x/verify.ts
+async function verifySIWxSignature(payload, options) {
+  try {
+    if (payload.chainId.startsWith("eip155:")) {
+      return verifyEVMPayload(payload, options?.evmVerifier);
+    }
+    if (payload.chainId.startsWith("solana:")) {
+      return verifySolanaPayload(payload);
+    }
+    return {
+      valid: false,
+      error: `Unsupported chain namespace: ${payload.chainId}. Supported: eip155:* (EVM), solana:* (Solana)`
+    };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Verification failed"
+    };
+  }
+}
+async function verifyEVMPayload(payload, verifier) {
+  const message = formatSIWEMessage(
+    {
+      domain: payload.domain,
+      uri: payload.uri,
+      statement: payload.statement,
+      version: payload.version,
+      chainId: payload.chainId,
+      type: payload.type,
+      nonce: payload.nonce,
+      issuedAt: payload.issuedAt,
+      expirationTime: payload.expirationTime,
+      notBefore: payload.notBefore,
+      requestId: payload.requestId,
+      resources: payload.resources
+    },
+    payload.address
+  );
+  try {
+    const valid = await verifyEVMSignature(message, payload.address, payload.signature, verifier);
+    if (!valid) {
+      return {
+        valid: false,
+        error: "Signature verification failed"
+      };
+    }
+    return {
+      valid: true,
+      address: payload.address
+    };
+  } catch (error) {
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Signature verification failed"
+    };
+  }
+}
+function verifySolanaPayload(payload) {
+  const message = formatSIWSMessage(
+    {
+      domain: payload.domain,
+      uri: payload.uri,
+      statement: payload.statement,
+      version: payload.version,
+      chainId: payload.chainId,
+      type: payload.type,
+      nonce: payload.nonce,
+      issuedAt: payload.issuedAt,
+      expirationTime: payload.expirationTime,
+      notBefore: payload.notBefore,
+      requestId: payload.requestId,
+      resources: payload.resources
+    },
+    payload.address
+  );
+  let signature;
+  let publicKey;
+  try {
+    signature = decodeBase58(payload.signature);
+    publicKey = decodeBase58(payload.address);
+  } catch (error) {
+    return {
+      valid: false,
+      error: `Invalid Base58 encoding: ${error instanceof Error ? error.message : "decode failed"}`
+    };
+  }
+  if (signature.length !== 64) {
+    return {
+      valid: false,
+      error: `Invalid signature length: expected 64 bytes, got ${signature.length}`
+    };
+  }
+  if (publicKey.length !== 32) {
+    return {
+      valid: false,
+      error: `Invalid public key length: expected 32 bytes, got ${publicKey.length}`
+    };
+  }
+  const valid = verifySolanaSignature(message, signature, publicKey);
+  if (!valid) {
+    return {
+      valid: false,
+      error: "Solana signature verification failed"
+    };
+  }
+  return {
+    valid: true,
+    address: payload.address
+  };
+}
+
+// src/sign-in-with-x/message.ts
+function createSIWxMessage(serverInfo, address) {
+  if (serverInfo.chainId.startsWith("eip155:")) {
+    return formatSIWEMessage(serverInfo, address);
+  }
+  if (serverInfo.chainId.startsWith("solana:")) {
+    return formatSIWSMessage(serverInfo, address);
+  }
+  throw new Error(
+    `Unsupported chain namespace: ${serverInfo.chainId}. Supported: eip155:* (EVM), solana:* (Solana)`
+  );
+}
+
+// src/sign-in-with-x/sign.ts
+function getEVMAddress(signer) {
+  if (signer.account?.address) {
+    return signer.account.address;
+  }
+  if (signer.address) {
+    return signer.address;
+  }
+  throw new Error("EVM signer missing address");
+}
+function getSolanaAddress(signer) {
+  const pk = signer.publicKey;
+  return typeof pk === "string" ? pk : pk.toBase58();
+}
+async function signEVMMessage(message, signer) {
+  if (signer.account) {
+    return signer.signMessage({ message, account: signer.account });
+  }
+  return signer.signMessage({ message });
+}
+async function signSolanaMessage(message, signer) {
+  const messageBytes = new TextEncoder().encode(message);
+  const signatureBytes = await signer.signMessage(messageBytes);
+  return encodeBase58(signatureBytes);
+}
+
+// src/sign-in-with-x/client.ts
+async function createSIWxPayload(serverExtension, signer) {
+  const isSolana = serverExtension.chainId.startsWith("solana:");
+  const address = isSolana ? getSolanaAddress(signer) : getEVMAddress(signer);
+  const message = createSIWxMessage(serverExtension, address);
+  const signature = isSolana ? await signSolanaMessage(message, signer) : await signEVMMessage(message, signer);
+  return {
+    domain: serverExtension.domain,
+    address,
+    statement: serverExtension.statement,
+    uri: serverExtension.uri,
+    version: serverExtension.version,
+    chainId: serverExtension.chainId,
+    type: serverExtension.type,
+    nonce: serverExtension.nonce,
+    issuedAt: serverExtension.issuedAt,
+    expirationTime: serverExtension.expirationTime,
+    notBefore: serverExtension.notBefore,
+    requestId: serverExtension.requestId,
+    resources: serverExtension.resources,
+    signatureScheme: serverExtension.signatureScheme,
+    signature
+  };
+}
+
+// src/sign-in-with-x/encode.ts
+import { safeBase64Encode } from "@x402/core/utils";
+function encodeSIWxHeader(payload) {
+  return safeBase64Encode(JSON.stringify(payload));
+}
+
+// src/sign-in-with-x/fetch.ts
+import { decodePaymentRequiredHeader } from "@x402/core/http";
+function wrapFetchWithSIWx(fetch, signer) {
+  return async (input, init) => {
+    const request = new Request(input, init);
+    const clonedRequest = request.clone();
+    const response = await fetch(request);
+    if (response.status !== 402) {
+      return response;
+    }
+    const paymentRequiredHeader = response.headers.get("PAYMENT-REQUIRED");
+    if (!paymentRequiredHeader) {
+      return response;
+    }
+    const paymentRequired = decodePaymentRequiredHeader(paymentRequiredHeader);
+    const siwxExtension = paymentRequired.extensions?.[SIGN_IN_WITH_X];
+    if (!siwxExtension?.supportedChains) {
+      return response;
+    }
+    if (clonedRequest.headers.has(SIGN_IN_WITH_X)) {
+      throw new Error("SIWX authentication already attempted");
+    }
+    const paymentNetwork = paymentRequired.accepts?.[0]?.network;
+    if (!paymentNetwork) {
+      return response;
+    }
+    const matchingChain = siwxExtension.supportedChains.find(
+      (chain) => chain.chainId === paymentNetwork
+    );
+    if (!matchingChain) {
+      return response;
+    }
+    const completeInfo = {
+      ...siwxExtension.info,
+      chainId: matchingChain.chainId,
+      type: matchingChain.type
+    };
+    const payload = await createSIWxPayload(completeInfo, signer);
+    const siwxHeader = encodeSIWxHeader(payload);
+    clonedRequest.headers.set(SIGN_IN_WITH_X, siwxHeader);
+    return fetch(clonedRequest);
+  };
+}
+
+// src/sign-in-with-x/storage.ts
+var InMemorySIWxStorage = class {
+  constructor() {
+    this.paidAddresses = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Check if an address has paid for a resource.
+   *
+   * @param resource - The resource path
+   * @param address - The wallet address to check
+   * @returns True if the address has paid
+   */
+  hasPaid(resource, address) {
+    return this.paidAddresses.get(resource)?.has(address.toLowerCase()) ?? false;
+  }
+  /**
+   * Record that an address has paid for a resource.
+   *
+   * @param resource - The resource path
+   * @param address - The wallet address that paid
+   */
+  recordPayment(resource, address) {
+    if (!this.paidAddresses.has(resource)) {
+      this.paidAddresses.set(resource, /* @__PURE__ */ new Set());
+    }
+    this.paidAddresses.get(resource).add(address.toLowerCase());
+  }
+};
+
+// src/sign-in-with-x/hooks.ts
+function createSIWxSettleHook(options) {
+  const { storage, onEvent } = options;
+  return async (ctx) => {
+    if (!ctx.result.success) return;
+    const address = ctx.result.payer;
+    if (!address) return;
+    const resource = new URL(ctx.paymentPayload.resource.url).pathname;
+    await storage.recordPayment(resource, address);
+    onEvent?.({ type: "payment_recorded", resource, address });
+  };
+}
+function createSIWxRequestHook(options) {
+  const { storage, verifyOptions, onEvent } = options;
+  const hasUsedNonce = typeof storage.hasUsedNonce === "function";
+  const hasRecordNonce = typeof storage.recordNonce === "function";
+  if (hasUsedNonce !== hasRecordNonce) {
+    throw new Error(
+      "SIWxStorage nonce tracking requires both hasUsedNonce and recordNonce to be implemented"
+    );
+  }
+  return async (context) => {
+    const header = context.adapter.getHeader(SIGN_IN_WITH_X) || context.adapter.getHeader(SIGN_IN_WITH_X.toLowerCase());
+    if (!header) return;
+    try {
+      const payload = parseSIWxHeader(header);
+      const resourceUri = context.adapter.getUrl();
+      const validation = await validateSIWxMessage(payload, resourceUri);
+      if (!validation.valid) {
+        onEvent?.({ type: "validation_failed", resource: context.path, error: validation.error });
+        return;
+      }
+      const verification = await verifySIWxSignature(payload, verifyOptions);
+      if (!verification.valid || !verification.address) {
+        onEvent?.({ type: "validation_failed", resource: context.path, error: verification.error });
+        return;
+      }
+      if (storage.hasUsedNonce) {
+        const nonceUsed = await storage.hasUsedNonce(payload.nonce);
+        if (nonceUsed) {
+          onEvent?.({ type: "nonce_reused", resource: context.path, nonce: payload.nonce });
+          return;
+        }
+      }
+      const hasPaid = await storage.hasPaid(context.path, verification.address);
+      if (hasPaid) {
+        if (storage.recordNonce) {
+          await storage.recordNonce(payload.nonce);
+        }
+        onEvent?.({
+          type: "access_granted",
+          resource: context.path,
+          address: verification.address
+        });
+        return { grantAccess: true };
+      }
+    } catch (err) {
+      onEvent?.({
+        type: "validation_failed",
+        resource: context.path,
+        error: err instanceof Error ? err.message : "Unknown error"
+      });
+    }
+  };
+}
+function createSIWxClientHook(signer) {
+  return async (context) => {
+    const extensions = context.paymentRequired.extensions ?? {};
+    const siwxExtension = extensions[SIGN_IN_WITH_X];
+    if (!siwxExtension?.supportedChains) return;
+    try {
+      const paymentNetwork = context.paymentRequired.accepts?.[0]?.network;
+      if (!paymentNetwork) return;
+      const matchingChain = siwxExtension.supportedChains.find(
+        (chain) => chain.chainId === paymentNetwork
+      );
+      if (!matchingChain) {
+        return;
+      }
+      const completeInfo = {
+        ...siwxExtension.info,
+        chainId: matchingChain.chainId,
+        type: matchingChain.type
+      };
+      const payload = await createSIWxPayload(completeInfo, signer);
+      const header = encodeSIWxHeader(payload);
+      return { headers: { [SIGN_IN_WITH_X]: header } };
+    } catch {
+    }
+  };
+}
+
+export {
+  SIGN_IN_WITH_X,
+  SIWxPayloadSchema,
+  SOLANA_MAINNET,
+  SOLANA_DEVNET,
+  SOLANA_TESTNET,
+  extractSolanaChainReference,
+  formatSIWSMessage,
+  verifySolanaSignature,
+  decodeBase58,
+  encodeBase58,
+  buildSIWxSchema,
+  declareSIWxExtension,
+  siwxResourceServerExtension,
+  parseSIWxHeader,
+  validateSIWxMessage,
+  extractEVMChainId,
+  formatSIWEMessage,
+  verifyEVMSignature,
+  verifySIWxSignature,
+  createSIWxMessage,
+  getEVMAddress,
+  getSolanaAddress,
+  signEVMMessage,
+  signSolanaMessage,
+  createSIWxPayload,
+  encodeSIWxHeader,
+  wrapFetchWithSIWx,
+  InMemorySIWxStorage,
+  createSIWxSettleHook,
+  createSIWxRequestHook,
+  createSIWxClientHook
+};
+//# sourceMappingURL=chunk-E3F2XHTI.mjs.map