npm - @zerodev/wallet-core - Versions diffs - 0.0.1-alpha.13 → 0.0.1-alpha.14 - Mend

@zerodev/wallet-core 0.0.1-alpha.13 → 0.0.1-alpha.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@zerodev/wallet-core",
-  "version": "0.0.1-alpha.13",
+  "version": "0.0.1-alpha.14",
   "description": "ZeroDev Wallet SDK built on Turnkey",
   "main": "./dist/_cjs/index.js",
   "module": "./dist/_esm/index.js",

package/src/actions/auth/authenticateWithOAuth.ts CHANGED Viewed

@@ -5,6 +5,8 @@ export type AuthenticateWithOAuthParameters = {
   provider: string
   /** The project ID for the request */
   projectId: string
+  /** The session ID from the OAuth callback URL */
+  sessionId: string
 }
 export type AuthenticateWithOAuthReturnType = {
@@ -19,11 +21,11 @@ export type AuthenticateWithOAuthReturnType = {
 }
 /**
- * Authenticates a user with OAuth using cookie-based backend flow
+ * Authenticates a user with OAuth using a server-side session ID
  *
- * The backend reads the OAuth session from a cookie set during the OAuth flow.
- * This requires the OAuth popup flow to complete first via the backend's
- * /oauth/google/login endpoint.
+ * The backend stores the OAuth session server-side and returns a session ID
+ * via the callback URL. The SDK extracts this session ID and sends it in
+ * the request body.
  *
  * @param client - The ZeroDev Wallet client
  * @param params - The parameters for OAuth authentication
@@ -34,6 +36,7 @@ export type AuthenticateWithOAuthReturnType = {
  * const result = await authenticateWithOAuth(client, {
  *   provider: 'google',
  *   projectId: 'proj_456',
+ *   sessionId: 'abc123',
  * });
  * ```
  */
@@ -41,12 +44,11 @@ export async function authenticateWithOAuth(
   client: Client,
   params: AuthenticateWithOAuthParameters,
 ): Promise<AuthenticateWithOAuthReturnType> {
-  const { projectId } = params
+  const { projectId, sessionId } = params
   return await client.request({
     path: `${projectId}/auth/oauth`,
     method: 'POST',
-    body: null,
-    credentials: 'include',
+    body: { sessionId },
   })
 }

package/src/actions/auth/getWhoami.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { canonicalizeEx } from 'json-canonicalize'
 import type { Client } from '../../client/types.js'
 export type GetWhoamiParameters = {
@@ -5,6 +6,8 @@ export type GetWhoamiParameters = {
   organizationId: string
   /** The project ID for the request */
   projectId: string
+  /** The session token for authorization (required for session-based auth) */
+  token?: string
 }
 export type GetWhoamiReturnType = {
@@ -19,7 +22,11 @@ export type GetWhoamiReturnType = {
 }
 /**
- * Gets the current user information
+ * Gets the current user information.
+ *
+ * The whoami endpoint requires two stamps:
+ * 1. An inner stamp over the payload (for Turnkey verification) embedded in the body
+ * 2. An outer stamp over the full body (for KMS middleware) in the X-Stamp header
  *
  * @param client - The ZeroDev Wallet client
  * @param params - The parameters for the whoami request
@@ -29,7 +36,8 @@ export type GetWhoamiReturnType = {
  * ```ts
  * const userInfo = await getWhoami(client, {
  *   organizationId: 'org_123',
- *   projectId: 'proj_456'
+ *   projectId: 'proj_456',
+ *   token: 'session_token',
  * });
  * console.log(userInfo.userId); // 'user_789'
  * ```
@@ -38,14 +46,33 @@ export async function getWhoami(
   client: Client,
   params: GetWhoamiParameters,
 ): Promise<GetWhoamiReturnType> {
-  const { organizationId, projectId } = params
+  const { organizationId, projectId, token } = params
+  // Step 1: Inner stamp over the payload (for Turnkey verification)
+  const innerBody = { organizationId }
+  const innerBodyString = canonicalizeEx(innerBody)
+  const innerStamp = await client.indexedDbStamper.stamp(innerBodyString)
+  // Step 2: Build full body with inner stamp embedded
+  const fullBody = {
+    ...innerBody,
+    stamp: {
+      stampHeaderName: innerStamp.stampHeaderName,
+      stampHeaderValue: innerStamp.stampHeaderValue,
+    },
+  }
+  // Step 3: Outer stamp over full body (for KMS middleware)
+  const fullBodyString = canonicalizeEx(fullBody)
+  const outerStamp = await client.indexedDbStamper.stamp(fullBodyString)
   return await client.request({
     path: `${projectId}/whoami`,
     method: 'POST',
-    body: {
-      organizationId,
+    body: fullBody,
+    headers: {
+      [outerStamp.stampHeaderName]: outerStamp.stampHeaderValue,
+      ...(token && { Authorization: `Bearer ${token}` }),
     },
-    stamp: true,
   })
 }

package/src/core/createZeroDevWallet.ts CHANGED Viewed

@@ -50,6 +50,7 @@ export type AuthParams =
   | {
       type: 'oauth'
       provider: string
+      sessionId: string
     }
   | {
       type: 'passkey'
@@ -219,11 +220,10 @@ export async function createZeroDevWallet(
     async auth(params: AuthParams) {
       switch (params.type) {
         case 'oauth': {
-          // Backend OAuth flow - the backend reads the OAuth session from a cookie
-          // set during the OAuth popup flow via /oauth/google/login
           const data = await client.authenticateWithOAuth({
             provider: params.provider,
             projectId,
+            sessionId: params.sessionId,
           })
           if (data.session) {