@zendfi/sdk 0.5.8 → 0.6.0

package/dist/chunk-XERHBDUK.mjs

@@ -0,0 +1,587 @@
+// src/device-bound-crypto.ts
+import { Keypair } from "@solana/web3.js";
+import * as crypto from "crypto";
+var DeviceFingerprintGenerator = class {
+  /**
+   * Generate a unique device fingerprint
+   * Combines multiple browser attributes for uniqueness
+   */
+  static async generate() {
+    const components = {};
+    try {
+      components.canvas = await this.getCanvasFingerprint();
+      components.webgl = await this.getWebGLFingerprint();
+      components.audio = await this.getAudioFingerprint();
+      components.screen = `${screen.width}x${screen.height}x${screen.colorDepth}`;
+      components.timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
+      components.languages = navigator.languages?.join(",") || navigator.language;
+      components.platform = navigator.platform;
+      components.hardwareConcurrency = navigator.hardwareConcurrency?.toString() || "unknown";
+      const combined = Object.entries(components).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}:${value}`).join("|");
+      const fingerprint = await this.sha256(combined);
+      return {
+        fingerprint,
+        generatedAt: Date.now(),
+        components
+      };
+    } catch (error) {
+      console.warn("Device fingerprinting failed, using fallback", error);
+      return this.generateFallbackFingerprint();
+    }
+  }
+  /**
+   * Graceful fallback fingerprint generation
+   * Works in headless browsers, SSR, and restricted environments
+   */
+  static async generateFallbackFingerprint() {
+    const components = {};
+    try {
+      if (typeof navigator !== "undefined") {
+        components.platform = navigator.platform || "unknown";
+        components.languages = navigator.languages?.join(",") || navigator.language || "unknown";
+        components.hardwareConcurrency = navigator.hardwareConcurrency?.toString() || "unknown";
+      }
+      if (typeof screen !== "undefined") {
+        components.screen = `${screen.width || 0}x${screen.height || 0}x${screen.colorDepth || 0}`;
+      }
+      if (typeof Intl !== "undefined") {
+        try {
+          components.timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
+        } catch {
+          components.timezone = "unknown";
+        }
+      }
+    } catch {
+      components.platform = "fallback";
+    }
+    let randomEntropy = "";
+    try {
+      if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+        const arr = new Uint8Array(16);
+        window.crypto.getRandomValues(arr);
+        randomEntropy = Array.from(arr).map((b) => b.toString(16).padStart(2, "0")).join("");
+      } else if (typeof crypto !== "undefined" && crypto.randomBytes) {
+        randomEntropy = crypto.randomBytes(16).toString("hex");
+      }
+    } catch {
+      randomEntropy = Date.now().toString(36) + Math.random().toString(36);
+    }
+    const combined = Object.entries(components).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}:${value}`).join("|") + "|entropy:" + randomEntropy;
+    const fingerprint = await this.sha256(combined);
+    return {
+      fingerprint,
+      generatedAt: Date.now(),
+      components
+    };
+  }
+  static async getCanvasFingerprint() {
+    const canvas = document.createElement("canvas");
+    const ctx = canvas.getContext("2d");
+    if (!ctx) return "no-canvas";
+    canvas.width = 200;
+    canvas.height = 50;
+    ctx.textBaseline = "top";
+    ctx.font = '14px "Arial"';
+    ctx.fillStyle = "#f60";
+    ctx.fillRect(0, 0, 100, 50);
+    ctx.fillStyle = "#069";
+    ctx.fillText("ZendFi \u{1F510}", 2, 2);
+    ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
+    ctx.fillText("Device-Bound", 4, 17);
+    return canvas.toDataURL();
+  }
+  static async getWebGLFingerprint() {
+    const canvas = document.createElement("canvas");
+    const gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
+    if (!gl) return "no-webgl";
+    const debugInfo = gl.getExtension("WEBGL_debug_renderer_info");
+    if (!debugInfo) return "no-debug-info";
+    const vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
+    const renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
+    return `${vendor}|${renderer}`;
+  }
+  static async getAudioFingerprint() {
+    try {
+      const AudioContext = window.AudioContext || window.webkitAudioContext;
+      if (!AudioContext) return "no-audio";
+      const context = new AudioContext();
+      const oscillator = context.createOscillator();
+      const analyser = context.createAnalyser();
+      const gainNode = context.createGain();
+      const scriptProcessor = context.createScriptProcessor(4096, 1, 1);
+      gainNode.gain.value = 0;
+      oscillator.connect(analyser);
+      analyser.connect(scriptProcessor);
+      scriptProcessor.connect(gainNode);
+      gainNode.connect(context.destination);
+      oscillator.start(0);
+      return new Promise((resolve) => {
+        scriptProcessor.onaudioprocess = (event) => {
+          const output = event.inputBuffer.getChannelData(0);
+          const hash = Array.from(output.slice(0, 30)).reduce((acc, val) => acc + Math.abs(val), 0);
+          oscillator.stop();
+          scriptProcessor.disconnect();
+          context.close();
+          resolve(hash.toString());
+        };
+      });
+    } catch (error) {
+      return "audio-error";
+    }
+  }
+  static async sha256(data) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const encoder = new TextEncoder();
+      const dataBuffer = encoder.encode(data);
+      const hashBuffer = await window.crypto.subtle.digest("SHA-256", dataBuffer);
+      const hashArray = Array.from(new Uint8Array(hashBuffer));
+      return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+    } else {
+      return crypto.createHash("sha256").update(data).digest("hex");
+    }
+  }
+};
+var SessionKeyCrypto = class {
+  /**
+   * Encrypt a Solana keypair with PIN + device fingerprint
+   * Uses Argon2id for key derivation and AES-256-GCM for encryption
+   */
+  static async encrypt(keypair, pin, deviceFingerprint) {
+    if (!/^\d{6}$/.test(pin)) {
+      throw new Error("PIN must be exactly 6 numeric digits");
+    }
+    const encryptionKey = await this.deriveKey(pin, deviceFingerprint);
+    const nonce = this.generateNonce();
+    const secretKey = keypair.secretKey;
+    const encryptedData = await this.aesEncrypt(secretKey, encryptionKey, nonce);
+    return {
+      encryptedData: Buffer.from(encryptedData).toString("base64"),
+      nonce: Buffer.from(nonce).toString("base64"),
+      publicKey: keypair.publicKey.toBase58(),
+      deviceFingerprint,
+      version: "argon2id-aes256gcm-v1"
+    };
+  }
+  /**
+   * Decrypt an encrypted session key with PIN + device fingerprint
+   */
+  static async decrypt(encrypted, pin, deviceFingerprint) {
+    if (!/^\d{6}$/.test(pin)) {
+      throw new Error("PIN must be exactly 6 numeric digits");
+    }
+    if (encrypted.deviceFingerprint !== deviceFingerprint) {
+      throw new Error("Device fingerprint mismatch - wrong device or security threat");
+    }
+    const encryptionKey = await this.deriveKey(pin, deviceFingerprint);
+    const encryptedData = Buffer.from(encrypted.encryptedData, "base64");
+    const nonce = Buffer.from(encrypted.nonce, "base64");
+    try {
+      const secretKey = await this.aesDecrypt(encryptedData, encryptionKey, nonce);
+      return Keypair.fromSecretKey(secretKey);
+    } catch (error) {
+      throw new Error("Decryption failed - wrong PIN or corrupted data");
+    }
+  }
+  /**
+   * Derive encryption key from PIN + device fingerprint using Argon2id
+   * 
+   * Argon2id parameters (OWASP recommended):
+   * - Memory: 64MB (65536 KB)
+   * - Iterations: 3
+   * - Parallelism: 4
+   * - Salt: device fingerprint
+   */
+  static async deriveKey(pin, deviceFingerprint) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const encoder = new TextEncoder();
+      const keyMaterial = await window.crypto.subtle.importKey(
+        "raw",
+        encoder.encode(pin),
+        { name: "PBKDF2" },
+        false,
+        ["deriveBits"]
+      );
+      const derivedBits = await window.crypto.subtle.deriveBits(
+        {
+          name: "PBKDF2",
+          salt: encoder.encode(deviceFingerprint),
+          iterations: 1e5,
+          // High iteration count for security
+          hash: "SHA-256"
+        },
+        keyMaterial,
+        256
+        // 256 bits = 32 bytes for AES-256
+      );
+      return new Uint8Array(derivedBits);
+    } else {
+      const salt = crypto.createHash("sha256").update(deviceFingerprint).digest();
+      return crypto.pbkdf2Sync(pin, salt, 1e5, 32, "sha256");
+    }
+  }
+  /**
+   * Generate random nonce for AES-GCM (12 bytes)
+   */
+  static generateNonce() {
+    if (typeof window !== "undefined" && window.crypto) {
+      return window.crypto.getRandomValues(new Uint8Array(12));
+    } else {
+      return crypto.randomBytes(12);
+    }
+  }
+  /**
+   * Encrypt with AES-256-GCM
+   */
+  static async aesEncrypt(plaintext, key, nonce) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength);
+      const nonceBuffer = nonce.buffer.slice(nonce.byteOffset, nonce.byteOffset + nonce.byteLength);
+      const plaintextBuffer = plaintext.buffer.slice(plaintext.byteOffset, plaintext.byteOffset + plaintext.byteLength);
+      const cryptoKey = await window.crypto.subtle.importKey(
+        "raw",
+        keyBuffer,
+        { name: "AES-GCM" },
+        false,
+        ["encrypt"]
+      );
+      const encrypted = await window.crypto.subtle.encrypt(
+        {
+          name: "AES-GCM",
+          iv: nonceBuffer
+        },
+        cryptoKey,
+        plaintextBuffer
+      );
+      return new Uint8Array(encrypted);
+    } else {
+      const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
+      const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+      const authTag = cipher.getAuthTag();
+      return new Uint8Array(Buffer.concat([encrypted, authTag]));
+    }
+  }
+  /**
+   * Decrypt with AES-256-GCM
+   */
+  static async aesDecrypt(ciphertext, key, nonce) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength);
+      const nonceBuffer = nonce.buffer.slice(nonce.byteOffset, nonce.byteOffset + nonce.byteLength);
+      const ciphertextBuffer = ciphertext.buffer.slice(ciphertext.byteOffset, ciphertext.byteOffset + ciphertext.byteLength);
+      const cryptoKey = await window.crypto.subtle.importKey(
+        "raw",
+        keyBuffer,
+        { name: "AES-GCM" },
+        false,
+        ["decrypt"]
+      );
+      const decrypted = await window.crypto.subtle.decrypt(
+        {
+          name: "AES-GCM",
+          iv: nonceBuffer
+        },
+        cryptoKey,
+        ciphertextBuffer
+      );
+      return new Uint8Array(decrypted);
+    } else {
+      const authTag = ciphertext.slice(-16);
+      const encrypted = ciphertext.slice(0, -16);
+      const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce);
+      decipher.setAuthTag(authTag);
+      const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+      return new Uint8Array(decrypted);
+    }
+  }
+};
+var RecoveryQRGenerator = class {
+  /**
+   * Generate recovery QR data
+   * This allows users to recover their session key on a new device
+   */
+  static generate(encrypted) {
+    return {
+      encryptedSessionKey: encrypted.encryptedData,
+      nonce: encrypted.nonce,
+      publicKey: encrypted.publicKey,
+      version: "v1",
+      createdAt: Date.now()
+    };
+  }
+  /**
+   * Encode recovery QR as JSON string
+   */
+  static encode(recoveryQR) {
+    return JSON.stringify(recoveryQR);
+  }
+  /**
+   * Decode recovery QR from JSON string
+   */
+  static decode(qrData) {
+    try {
+      const parsed = JSON.parse(qrData);
+      if (!parsed.encryptedSessionKey || !parsed.nonce || !parsed.publicKey) {
+        throw new Error("Invalid recovery QR data");
+      }
+      return parsed;
+    } catch (error) {
+      throw new Error("Failed to decode recovery QR");
+    }
+  }
+  /**
+   * Re-encrypt session key for new device
+   */
+  static async reEncryptForNewDevice(recoveryQR, oldPin, oldDeviceFingerprint, newPin, newDeviceFingerprint) {
+    const oldEncrypted = {
+      encryptedData: recoveryQR.encryptedSessionKey,
+      nonce: recoveryQR.nonce,
+      publicKey: recoveryQR.publicKey,
+      deviceFingerprint: oldDeviceFingerprint,
+      version: "argon2id-aes256gcm-v1"
+    };
+    const keypair = await SessionKeyCrypto.decrypt(oldEncrypted, oldPin, oldDeviceFingerprint);
+    return await SessionKeyCrypto.encrypt(keypair, newPin, newDeviceFingerprint);
+  }
+};
+var DeviceBoundSessionKey = class _DeviceBoundSessionKey {
+  encrypted = null;
+  deviceFingerprint = null;
+  sessionKeyId = null;
+  recoveryQR = null;
+  // Auto-signing cache: decrypted keypair stored in memory
+  // Enables instant signing without re-entering PIN for subsequent payments
+  cachedKeypair = null;
+  cacheExpiry = null;
+  // Timestamp when cache expires
+  DEFAULT_CACHE_TTL_MS = 30 * 60 * 1e3;
+  // 30 minutes
+  /**
+   * Create a new device-bound session key
+   */
+  static async create(options) {
+    const deviceFingerprint = await DeviceFingerprintGenerator.generate();
+    const keypair = Keypair.generate();
+    const encrypted = await SessionKeyCrypto.encrypt(
+      keypair,
+      options.pin,
+      deviceFingerprint.fingerprint
+    );
+    const instance = new _DeviceBoundSessionKey();
+    instance.encrypted = encrypted;
+    instance.deviceFingerprint = deviceFingerprint;
+    if (options.generateRecoveryQR) {
+      instance.recoveryQR = RecoveryQRGenerator.generate(encrypted);
+    }
+    return instance;
+  }
+  /**
+   * Get encrypted data for backend storage
+   */
+  getEncryptedData() {
+    if (!this.encrypted) {
+      throw new Error("Session key not created yet");
+    }
+    return this.encrypted;
+  }
+  /**
+   * Get device fingerprint
+   */
+  getDeviceFingerprint() {
+    if (!this.deviceFingerprint) {
+      throw new Error("Device fingerprint not generated yet");
+    }
+    return this.deviceFingerprint.fingerprint;
+  }
+  /**
+   * Get public key
+   */
+  getPublicKey() {
+    if (!this.encrypted) {
+      throw new Error("Session key not created yet");
+    }
+    return this.encrypted.publicKey;
+  }
+  /**
+   * Get recovery QR data (if generated)
+   */
+  getRecoveryQR() {
+    return this.recoveryQR;
+  }
+  /**
+   * Decrypt and sign a transaction
+   * 
+   * @param transaction - The transaction to sign
+   * @param pin - User's PIN (required only if keypair not cached)
+   * @param cacheKeypair - Whether to cache the decrypted keypair for future use (default: true)
+   * @param cacheTTL - Cache time-to-live in milliseconds (default: 30 minutes)
+   * 
+   * @example
+   * ```typescript
+   * // First payment: requires PIN, caches keypair
+   * await sessionKey.signTransaction(tx1, '123456', true);
+   * 
+   * // Subsequent payments: uses cached keypair, no PIN needed!
+   * await sessionKey.signTransaction(tx2, '', false); // PIN ignored if cached
+   * 
+   * // Clear cache when done
+   * sessionKey.clearCache();
+   * ```
+   */
+  async signTransaction(transaction, pin = "", cacheKeypair = true, cacheTTL) {
+    if (!this.encrypted || !this.deviceFingerprint) {
+      throw new Error("Session key not initialized");
+    }
+    let keypair;
+    if (this.isCached()) {
+      keypair = this.cachedKeypair;
+      if (typeof console !== "undefined") {
+        console.log("\u{1F680} Using cached keypair - instant signing (no PIN required)");
+      }
+    } else {
+      if (!pin) {
+        throw new Error("PIN required: no cached keypair available");
+      }
+      keypair = await SessionKeyCrypto.decrypt(
+        this.encrypted,
+        pin,
+        this.deviceFingerprint.fingerprint
+      );
+      if (cacheKeypair) {
+        const ttl = cacheTTL || this.DEFAULT_CACHE_TTL_MS;
+        this.cacheKeypair(keypair, ttl);
+        if (typeof console !== "undefined") {
+          console.log(`\u2705 Keypair decrypted and cached for ${ttl / 1e3 / 60} minutes`);
+        }
+      }
+    }
+    transaction.sign(keypair);
+    return transaction;
+  }
+  /**
+   * Check if keypair is cached and valid
+   */
+  isCached() {
+    if (!this.cachedKeypair || !this.cacheExpiry) {
+      return false;
+    }
+    const now = Date.now();
+    if (now > this.cacheExpiry) {
+      this.clearCache();
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Manually cache a keypair
+   * Called internally after PIN decryption
+   */
+  cacheKeypair(keypair, ttl) {
+    this.cachedKeypair = keypair;
+    this.cacheExpiry = Date.now() + ttl;
+  }
+  /**
+   * Clear cached keypair
+   * Should be called when user logs out or session ends
+   * 
+   * @example
+   * ```typescript
+   * // Clear cache on logout
+   * sessionKey.clearCache();
+   * 
+   * // Or clear automatically on tab close
+   * window.addEventListener('beforeunload', () => {
+   *   sessionKey.clearCache();
+   * });
+   * ```
+   */
+  clearCache() {
+    this.cachedKeypair = null;
+    this.cacheExpiry = null;
+    if (typeof console !== "undefined") {
+      console.log("\u{1F9F9} Keypair cache cleared");
+    }
+  }
+  /**
+   * Decrypt and cache keypair without signing a transaction
+   * Useful for pre-warming the cache before user makes payments
+   * 
+   * @example
+   * ```typescript
+   * // After session key creation, decrypt and cache
+   * await sessionKey.unlockWithPin('123456');
+   * 
+   * // Now all subsequent payments are instant (no PIN)
+   * await sessionKey.signTransaction(tx1, '', false); // Instant!
+   * await sessionKey.signTransaction(tx2, '', false); // Instant!
+   * ```
+   */
+  async unlockWithPin(pin, cacheTTL) {
+    if (!this.encrypted || !this.deviceFingerprint) {
+      throw new Error("Session key not initialized");
+    }
+    const keypair = await SessionKeyCrypto.decrypt(
+      this.encrypted,
+      pin,
+      this.deviceFingerprint.fingerprint
+    );
+    const ttl = cacheTTL || this.DEFAULT_CACHE_TTL_MS;
+    this.cacheKeypair(keypair, ttl);
+    if (typeof console !== "undefined") {
+      console.log(`\u{1F513} Session key unlocked and cached for ${ttl / 1e3 / 60} minutes`);
+    }
+  }
+  /**
+   * Get time remaining until cache expires (in milliseconds)
+   * Returns 0 if not cached
+   */
+  getCacheTimeRemaining() {
+    if (!this.isCached() || !this.cacheExpiry) {
+      return 0;
+    }
+    const remaining = this.cacheExpiry - Date.now();
+    return Math.max(0, remaining);
+  }
+  /**
+   * Extend cache expiry time
+   * Useful to keep session active during user activity
+   * 
+   * @example
+   * ```typescript
+   * // Extend cache by 15 minutes on each payment
+   * await sessionKey.signTransaction(tx, '');
+   * sessionKey.extendCache(15 * 60 * 1000);
+   * ```
+   */
+  extendCache(additionalTTL) {
+    if (!this.isCached()) {
+      throw new Error("Cannot extend cache: no cached keypair");
+    }
+    this.cacheExpiry += additionalTTL;
+    if (typeof console !== "undefined") {
+      const remainingMinutes = this.getCacheTimeRemaining() / 1e3 / 60;
+      console.log(`\u23F0 Cache extended - ${remainingMinutes.toFixed(1)} minutes remaining`);
+    }
+  }
+  /**
+   * Set session key ID after backend creation
+   */
+  setSessionKeyId(id) {
+    this.sessionKeyId = id;
+  }
+  /**
+   * Get session key ID
+   */
+  getSessionKeyId() {
+    if (!this.sessionKeyId) {
+      throw new Error("Session key not registered with backend");
+    }
+    return this.sessionKeyId;
+  }
+};
+
+export {
+  DeviceFingerprintGenerator,
+  SessionKeyCrypto,
+  RecoveryQRGenerator,
+  DeviceBoundSessionKey
+};

package/dist/chunk-Y6FXYEAI.mjs

@@ -0,0 +1,10 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+export {
+  __require
+};

package/dist/device-bound-crypto-VX7SFVHT.mjs

@@ -0,0 +1,13 @@
+import {
+  DeviceBoundSessionKey,
+  DeviceFingerprintGenerator,
+  RecoveryQRGenerator,
+  SessionKeyCrypto
+} from "./chunk-XERHBDUK.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  DeviceBoundSessionKey,
+  DeviceFingerprintGenerator,
+  RecoveryQRGenerator,
+  SessionKeyCrypto
+};

package/dist/express.d.mts

@@ -1,4 +1,4 @@
-import { W as WebhookHandlerConfig, a as WebhookHandlers } from './webhook-handler-D5CigE9G.mjs';
+import { W as WebhookHandlerConfig, a as WebhookHandlers } from './webhook-handler-DGBeCWT-.mjs';
 
 /**
  * Express Webhook Handler

package/dist/express.d.ts

@@ -1,4 +1,4 @@
-import { W as WebhookHandlerConfig, a as WebhookHandlers } from './webhook-handler-D5CigE9G.js';
+import { W as WebhookHandlerConfig, a as WebhookHandlers } from './webhook-handler-DGBeCWT-.js';
 
 /**
  * Express Webhook Handler

package/dist/express.mjs

@@ -1,6 +1,7 @@
 import {
   processWebhook
-} from "./chunk-YFOBPGQE.mjs";
+} from "./chunk-3ACJUM6V.mjs";
+import "./chunk-Y6FXYEAI.mjs";
 
 // src/express.ts
 import { createHmac, timingSafeEqual } from "crypto";