@zerodev/wallet-core 0.0.1-alpha.17 → 0.0.1-alpha.19

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zerodev/wallet-core",
-  "version": "0.0.1-alpha.17",
+  "version": "0.0.1-alpha.19",
   "description": "ZeroDev Wallet SDK built on Turnkey",
   "main": "./dist/_cjs/index.js",
   "module": "./dist/_esm/index.js",
@@ -49,6 +49,9 @@
   ],
   "license": "MIT",
   "dependencies": {
+    "@noble/ciphers": "^2.2.0",
+    "@noble/curves": "^2.2.0",
+    "@noble/hashes": "^2.2.0",
     "@turnkey/http": "^3.12.1",
     "@turnkey/iframe-stamper": "^2.5.0",
     "@turnkey/indexed-db-stamper": "^1.1.1",
@@ -59,6 +62,7 @@
     "viem": "^2.38.0"
   },
   "devDependencies": {
+    "@hpke/core": "^1.9.0",
     "@types/node": "^20.0.0",
     "typescript": "5.9.3"
   },

package/src/actions/auth/getOAuthLoginUrl.ts

@@ -0,0 +1,48 @@
+import type { Client } from '../../client/types.js'
+
+export type GetOAuthLoginUrlParameters = {
+  /** OAuth provider — currently only `'google'` is supported. */
+  provider: 'google'
+  /** The project ID for the request. */
+  projectId: string
+  /**
+   * The session public key (compressed P-256 hex, lowercase, with or
+   * without `0x` prefix). The backend embeds `sha256(utf8(hex))` as the
+   * OIDC `nonce` so the SDK can verify the URL was minted for this key.
+   */
+  publicKey: string
+  /**
+   * Where the popup should land after the OAuth round-trip
+   * (e.g. `https://app.example.com/dashboard?oauth_success=true`).
+   * Must be on the project's whitelist.
+   */
+  returnTo: string
+}
+
+export type GetOAuthLoginUrlReturnType = string
+
+/**
+ * Fetches the Google OAuth authorization URL from the backend.
+ *
+ * The SDK must verify the returned URL's `nonce` against
+ * `sha256(utf8(publicKey))` (and the host is `accounts.google.com`)
+ * before opening it in a popup — the backend is not a trusted party.
+ * See audit finding TOB-KMS-1.
+ */
+export async function getOAuthLoginUrl(
+  client: Client,
+  params: GetOAuthLoginUrlParameters,
+): Promise<GetOAuthLoginUrlReturnType> {
+  if (params.provider !== 'google') {
+    throw new Error(`Unsupported OAuth provider: ${params.provider}`)
+  }
+  const query = new URLSearchParams({
+    project_id: params.projectId,
+    pub_key: params.publicKey.replace(/^0x/, '').toLowerCase(),
+    return_to: params.returnTo,
+  })
+  return await client.request<string>({
+    path: `oauth/google/login-url?${query.toString()}`,
+    method: 'GET',
+  })
+}

package/src/actions/auth/getWhoami.ts

@@ -51,7 +51,7 @@ export async function getWhoami(
   // Step 1: Inner stamp over the payload (for Turnkey verification)
   const innerBody = { organizationId }
   const innerBodyString = canonicalizeEx(innerBody)
-  const innerStamp = await client.indexedDbStamper.stamp(innerBodyString)
+  const innerStamp = await client.apiKeyStamper.stamp(innerBodyString)
 
   // Step 2: Build full body with inner stamp embedded
   const fullBody = {
@@ -64,7 +64,7 @@ export async function getWhoami(
 
   // Step 3: Outer stamp over full body (for KMS middleware)
   const fullBodyString = canonicalizeEx(fullBody)
-  const outerStamp = await client.indexedDbStamper.stamp(fullBodyString)
+  const outerStamp = await client.apiKeyStamper.stamp(fullBodyString)
 
   return await client.request({
     path: `${projectId}/whoami`,

package/src/actions/auth/index.ts

@@ -23,6 +23,11 @@ export {
   type GetAuthProxyConfigIdReturnType,
   getAuthProxyConfigId,
 } from './getAuthProxyConfigId.js'
+export {
+  type GetOAuthLoginUrlParameters,
+  type GetOAuthLoginUrlReturnType,
+  getOAuthLoginUrl,
+} from './getOAuthLoginUrl.js'
 export {
   type GetWhoamiParameters,
   type GetWhoamiReturnType,

package/src/actions/auth/loginWithStamp.ts

@@ -1,6 +1,7 @@
 import { canonicalizeEx } from 'json-canonicalize'
 import type { Client } from '../../client/types.js'
 import type { Stamp } from '../../stampers/types.js'
+import type { StamperType } from '../../types/session.js'
 
 export type EmailCustomization = {
   /** A template for the URL to be used in a magic link button, e.g. `https://dapp.xyz/%s`. The auth bundle will be interpolated into the `%s`. */
@@ -15,7 +16,7 @@ export type LoginWithStampParameters = {
   /** The encoded public key for the request */
   targetPublicKey: string
   /** The stamper type for the request */
-  stampWith?: 'indexedDb' | 'webauthn'
+  stampWith?: StamperType
 }
 
 export type LoginWithStampReturnType = {
@@ -58,12 +59,12 @@ export async function loginWithStamp(
     type: 'ACTIVITY_TYPE_STAMP_LOGIN',
   })
   let stamp: Stamp
-  if (stampWith === 'indexedDb') {
-    stamp = await client.indexedDbStamper.stamp(stampPayload)
-  } else if (stampWith === 'webauthn') {
-    stamp = await client.webauthnStamper.stamp(stampPayload)
+  if (stampWith === 'apiKey') {
+    stamp = await client.apiKeyStamper.stamp(stampPayload)
+  } else if (stampWith === 'passkey') {
+    stamp = await client.passkeyStamper.stamp(stampPayload)
   } else {
-    stamp = await client.indexedDbStamper.stamp(stampPayload)
+    stamp = await client.apiKeyStamper.stamp(stampPayload)
   }
 
   return client.request({

package/src/actions/auth/registerWithOTP.ts

@@ -31,6 +31,12 @@ export type RegisterWithOTPParameters = {
 export type RegisterWithOTPReturnType = {
   /** The OTP ID needed for verification */
   otpId: string
+  /**
+   * Signed encryption target bundle issued by the TLS Fetcher enclave for
+   * this OTP session. Passed verbatim to the verify step so the SDK can
+   * HPKE-encrypt the OTP attempt to the enclave's ephemeral target key.
+   */
+  otpEncryptionTargetBundle: string
 }
 
 /**

package/src/actions/index.ts

@@ -12,10 +12,13 @@ export {
   type GetAuthenticatorsParameters,
   type GetAuthenticatorsReturnType,
   type GetAuthProxyConfigIdReturnType,
+  type GetOAuthLoginUrlParameters,
+  type GetOAuthLoginUrlReturnType,
   type GetWhoamiParameters,
   type GetWhoamiReturnType,
   getAuthenticators,
   getAuthProxyConfigId,
+  getOAuthLoginUrl,
   getWhoami,
   type LoginWithOTPParameters,
   type LoginWithOTPReturnType,

package/src/actions/wallet/signingUtils.ts

@@ -47,7 +47,7 @@ export async function sendSigningRequest(
 
   // Inner stamp over the Turnkey payload (for Turnkey verification)
   const innerBodyString = canonicalizeEx(turnkeyPayload)
-  const innerStamp = await client.indexedDbStamper.stamp(innerBodyString)
+  const innerStamp = await client.apiKeyStamper.stamp(innerBodyString)
 
   // Build full body with inner stamp embedded
   const fullBody = {
@@ -61,7 +61,7 @@ export async function sendSigningRequest(
 
   // Outer stamp over full body (for KMS middleware)
   const fullBodyString = canonicalizeEx(fullBody)
-  const outerStamp = await client.indexedDbStamper.stamp(fullBodyString)
+  const outerStamp = await client.apiKeyStamper.stamp(fullBodyString)
 
   const { signature } = await client.request({
     path: `${projectId}/${path}`,

package/src/client/authProxy.ts

@@ -10,10 +10,11 @@ export type AuthProxyClientConfig = {
 export type AuthProxyVerifyOtpRequest = {
   /** The OTP ID from registration */
   otpId: string
-  /** The OTP code entered by the user */
-  otpCode: string
-  /** The public key to associate with the verification */
-  public_key: string
+  /**
+   * HPKE-sealed bundle containing `{otp_code, public_key}` encrypted to the
+   * enclave's per-session target key. Produced by `encryptOtpAttempt`.
+   */
+  encryptedOtpBundle: string
 }
 
 export type AuthProxyVerifyOtpResponse = {
@@ -62,15 +63,20 @@ export function createAuthProxyClient(config: AuthProxyClientConfig) {
 
   return {
     /**
-     * Verifies an OTP code with Turnkey's Auth Proxy
+     * Verifies an OTP attempt with Turnkey's Auth Proxy.
      *
-     * Returns a verificationToken that should be passed to the backend's
-     * /auth/login/otp endpoint along with a client signature.
+     * The `encryptedOtpBundle` is HPKE-sealed `{otp_code, public_key}` JSON
+     * (see `encryptOtpAttempt`). The auth proxy forwards the ciphertext to
+     * the TLS Fetcher enclave, which decrypts it, verifies the OTP code, and
+     * returns a `verificationToken` bound to the embedded public key.
+     *
+     * Pass the returned `verificationToken` to `/auth/login/otp` along with
+     * a client signature to complete the login.
      */
     async verifyOtp(
       params: AuthProxyVerifyOtpRequest,
     ): Promise<AuthProxyVerifyOtpResponse> {
-      return request<AuthProxyVerifyOtpResponse>('/v1/otp_verify', params)
+      return request<AuthProxyVerifyOtpResponse>('/v1/otp_verify_v2', params)
     },
   }
 }

package/src/client/createClient.ts

@@ -16,8 +16,8 @@ export function createBaseClient<
 >(config: ClientConfig): Client<extended> {
   const {
     transport,
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
     organizationId,
     key = 'zeroDevWallet',
     name = 'ZeroDev Wallet Client',
@@ -29,8 +29,8 @@ export function createBaseClient<
     request,
     value,
   } = transport({
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
   })
   const transportInstance = { ...transportConfig, ...value }
 
@@ -39,8 +39,8 @@ export function createBaseClient<
   const client = {
     transport: transportInstance,
     request,
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
     organizationId,
     key,
     name,

package/src/client/decorators/client.ts

@@ -13,12 +13,15 @@ import {
   type GetAuthenticatorsParameters,
   type GetAuthenticatorsReturnType,
   type GetAuthProxyConfigIdReturnType,
+  type GetOAuthLoginUrlParameters,
+  type GetOAuthLoginUrlReturnType,
   type GetUserWalletParameters,
   type GetUserWalletReturnType,
   type GetWhoamiParameters,
   type GetWhoamiReturnType,
   getAuthenticators,
   getAuthProxyConfigId,
+  getOAuthLoginUrl,
   getUserWallet,
   getWhoami,
   type LoginWithOTPParameters,
@@ -153,6 +156,15 @@ export type ZeroDevWalletActions = {
    * Gets the auth proxy config ID from the backend
    */
   getAuthProxyConfigId: () => Promise<GetAuthProxyConfigIdReturnType>
+
+  /**
+   * Fetches the Google OAuth authorization URL from the backend.
+   * The caller must verify the URL's `nonce` against `sha256(utf8(publicKey))`
+   * before opening it (audit finding TOB-KMS-1).
+   */
+  getOAuthLoginUrl: (
+    params: GetOAuthLoginUrlParameters,
+  ) => Promise<GetOAuthLoginUrlReturnType>
 }
 
 /**
@@ -197,5 +209,6 @@ export function zeroDevWalletActions(client: Client): ZeroDevWalletActions {
     registerWithOTP: (params) => registerWithOTP(client, params),
     loginWithOTP: (params) => loginWithOTP(client, params),
     getAuthProxyConfigId: () => getAuthProxyConfigId(client),
+    getOAuthLoginUrl: (params) => getOAuthLoginUrl(client, params),
   }
 }

package/src/client/transports/createTransport.ts

@@ -26,14 +26,14 @@ export function zeroDevWalletTransport(
     name = 'ZeroDev Wallet Transport',
   } = options
 
-  return ({ indexedDbStamper, webauthnStamper }) => {
+  return ({ apiKeyStamper, passkeyStamper }) => {
     // Create REST transport with stamper
     const transport = rest(baseUrl, {
       timeoutMs,
       key,
       name,
-      indexedDbStamper,
-      webauthnStamper,
+      apiKeyStamper,
+      passkeyStamper,
     })
 
     return {
@@ -46,8 +46,8 @@ export function zeroDevWalletTransport(
       },
       request: transport.request,
       value: {
-        indexedDbStamper,
-        webauthnStamper,
+        apiKeyStamper,
+        passkeyStamper,
       },
     }
   }

package/src/client/transports/rest.ts

@@ -1,6 +1,7 @@
 import { canonicalizeEx } from 'json-canonicalize'
 import { RestRequestError, RestTimeoutError } from '../../errors/request.js'
-import type { IndexedDbStamper, WebauthnStamper } from '../../stampers/types.js'
+import type { ApiKeyStamper, PasskeyStamper } from '../../stampers/types.js'
+import type { StamperType } from '../../types/session.js'
 
 export type RestRequestArgs = {
   path: string
@@ -8,7 +9,7 @@ export type RestRequestArgs = {
   body?: any
   headers?: Record<string, string>
   stamp?: boolean
-  stampWith?: 'indexedDb' | 'webAuthn'
+  stampWith?: StamperType
   stampPostion?: 'body' | 'headers'
   /** Include credentials (cookies) in the request */
   credentials?: RequestCredentials
@@ -32,8 +33,8 @@ export type RestTransportConfig = {
   timeoutMs?: number
   key?: string
   name?: string
-  indexedDbStamper: IndexedDbStamper
-  webauthnStamper: WebauthnStamper
+  apiKeyStamper: ApiKeyStamper
+  passkeyStamper: PasskeyStamper
 }
 
 export function rest(url: string, cfg: RestTransportConfig): RestTransport {
@@ -56,13 +57,13 @@ export function rest(url: string, cfg: RestTransportConfig): RestTransport {
 
       // Handle stamping if requested
       if (args.stamp) {
-        let stamper: IndexedDbStamper | WebauthnStamper
-        if (args.stampWith === 'indexedDb') {
-          stamper = cfg.indexedDbStamper
-        } else if (args.stampWith === 'webAuthn') {
-          stamper = cfg.webauthnStamper
+        let stamper: ApiKeyStamper | PasskeyStamper
+        if (args.stampWith === 'apiKey') {
+          stamper = cfg.apiKeyStamper
+        } else if (args.stampWith === 'passkey') {
+          stamper = cfg.passkeyStamper
         } else {
-          stamper = cfg.indexedDbStamper
+          stamper = cfg.apiKeyStamper
         }
         const { body, apiUrl } = args.body
         const bodyString = canonicalizeEx(body ?? args.body)

package/src/client/types.ts

@@ -1,4 +1,4 @@
-import type { IndexedDbStamper, WebauthnStamper } from '../stampers/types.js'
+import type { ApiKeyStamper, PasskeyStamper } from '../stampers/types.js'
 import type { RestRequestFn } from './transports/rest.js'
 
 export type TransportConfig = {
@@ -17,8 +17,8 @@ export type TransportConfig = {
 }
 
 export type Transport = (options: {
-  indexedDbStamper: IndexedDbStamper
-  webauthnStamper: WebauthnStamper
+  apiKeyStamper: ApiKeyStamper
+  passkeyStamper: PasskeyStamper
 }) => {
   config: TransportConfig
   request: RestRequestFn
@@ -27,8 +27,8 @@ export type Transport = (options: {
 
 export type ClientConfig = {
   transport: Transport
-  indexedDbStamper: IndexedDbStamper
-  webauthnStamper: WebauthnStamper
+  apiKeyStamper: ApiKeyStamper
+  passkeyStamper: PasskeyStamper
   organizationId?: string
   key?: string
   name?: string
@@ -39,10 +39,10 @@ export type Client<extended extends Extended | undefined = undefined> = {
   transport: TransportConfig & Record<string, unknown>
   /** Request function from transport */
   request: RestRequestFn
-  /** IndexedDB Stamper for authenticated requests */
-  indexedDbStamper: IndexedDbStamper
-  /** WebAuthn Stamper for authenticated requests */
-  webauthnStamper: WebauthnStamper
+  /** API Key Stamper for authenticated requests */
+  apiKeyStamper: ApiKeyStamper
+  /** Passkey Stamper for authenticated requests */
+  passkeyStamper: PasskeyStamper
   /** Organization ID */
   organizationId?: string
   /** A key for the client */

package/src/constants.ts

@@ -3,3 +3,11 @@ export const DEFAULT_IFRAME_CONTAINER_ID = 'turnkey-auth-iframe-container-id'
 export const DEFAULT_IFRAME_ELEMENT_ID = 'turnkey-default-iframe-element-id'
 export const DEFAULT_ORGANIZATION_ID = '0d98e826-dd8f-44ca-a585-3afcd27d4002'
 export const KMS_SERVER_URL = 'https://kms.staging.zerodev.app'
+
+// Pinned ECDSA P-256 public key (uncompressed, 65 bytes hex) of Turnkey's
+// TLS Fetcher Sign enclave. Used to verify the signature on the OTP encryption
+// target bundle returned by /auth/init/otp before HPKE-encrypting the OTP
+// attempt. The bundle's `dataSignature` is verified against this key, so a
+// compromised proxy cannot substitute its own ephemeral key.
+export const TURNKEY_TLS_FETCHER_SIGN_PUBLIC_KEY =
+  '046b4f88421f76b6ba418afc2ea1d8ced671337d7db6b80478a60d8531bf8f17fa9a512f0fef96fc0c9b4cd9dff70b34992e520ce04c79d931f6ff6296b547d201'