@zerodev/wallet-core 0.0.1-alpha.18 → 0.0.1-alpha.19

package/src/stampers/indexedDbStamper.ts

@@ -1,10 +1,13 @@
 import { IndexedDbStamper as TurnkeyIndexedDbStamper } from '@turnkey/indexed-db-stamper'
-import type { IndexedDbStamper } from './types.js'
+import { generateCompressedPublicKeyFromKeyPair } from '../utils/utils.js'
+import type { ApiKeyStamper } from './types.js'
 
-export async function createIndexedDbStamper(): Promise<IndexedDbStamper> {
+export async function createIndexedDbStamper(): Promise<ApiKeyStamper> {
   const inner = new TurnkeyIndexedDbStamper()
   await inner.init()
 
+  let pendingKeyPair: CryptoKeyPair | null = null
+
   return {
     async getPublicKey() {
       return await inner.getPublicKey()
@@ -15,8 +18,25 @@ export async function createIndexedDbStamper(): Promise<IndexedDbStamper> {
     async clear() {
       await inner.clear()
     },
-    async resetKeyPair(externalKeyPair?: CryptoKeyPair) {
-      await inner.resetKeyPair(externalKeyPair)
+    async resetKeyPair() {
+      pendingKeyPair = null
+      await inner.resetKeyPair()
+    },
+    async prepareKeyRotation() {
+      const keyPair = await crypto.subtle.generateKey(
+        { name: 'ECDSA', namedCurve: 'P-256' },
+        false,
+        ['sign', 'verify'],
+      )
+      pendingKeyPair = keyPair
+      return await generateCompressedPublicKeyFromKeyPair(keyPair)
+    },
+    async commitKeyRotation() {
+      if (!pendingKeyPair) {
+        throw new Error('No pending key rotation to commit')
+      }
+      await inner.resetKeyPair(pendingKeyPair)
+      pendingKeyPair = null
     },
   }
 }

package/src/stampers/types.ts

@@ -5,8 +5,6 @@ export type Stamp = {
 }
 
 export type Stamper = {
-  /** retrieve public key compressed or otherwise as per the stamper */
-  getPublicKey: () => Promise<string | null>
   /** produce Turnkey header value for a given request body */
   stamp: (payload: string) => Promise<Stamp>
   /** clear local state (embedded key, IDB keypair, etc.) */
@@ -16,6 +14,8 @@ export type Stamper = {
 export type KeyFormat = 'Hexadecimal' | 'Solana'
 
 export type IframeStamper = Stamper & {
+  /** retrieve public key compressed or otherwise as per the stamper */
+  getPublicKey: () => Promise<string | null>
   init(): Promise<string>
   injectCredentialBundle(bundle: string): Promise<boolean>
   injectWalletExportBundle(
@@ -30,7 +30,35 @@ export type IframeStamper = Stamper & {
   applySettings(settings: { styles?: Record<string, string> }): Promise<boolean>
 }
 
-export type IndexedDbStamper = Stamper & {
-  resetKeyPair: (externalKeyPair?: CryptoKeyPair) => Promise<void>
+export type ApiKeyStamper = Stamper & {
+  /** retrieve public key compressed or otherwise as per the stamper */
+  getPublicKey: () => Promise<string | null>
+  /** Generate + activate a new key pair immediately (simple cases: login init, logout). */
+  resetKeyPair: () => Promise<void>
+  /** Generate a new key pair internally, return its compressed public key, but keep the OLD key active for stamp(). */
+  prepareKeyRotation: () => Promise<string>
+  /** Promote the pending key to active. Call after the server accepts the new key. */
+  commitKeyRotation: () => Promise<void>
+}
+export type Attestation = {
+  attestationObject: string
+  clientDataJson: string
+  credentialId: string
+}
+
+export type PasskeyRegistrationOptions = {
+  rp: { id: string; name: string }
+  userName: string
+}
+
+export type PasskeyRegistrationResult = {
+  attestation: Attestation
+  encodedChallenge: string
+}
+
+export type PasskeyStamper = Stamper & {
+  /** Create a new passkey credential. Owns challenge and user ID generation internally. */
+  register: (
+    options: PasskeyRegistrationOptions,
+  ) => Promise<PasskeyRegistrationResult>
 }
-export type WebauthnStamper = Stamper

package/src/stampers/webauthnStamper.ts

@@ -1,21 +1,42 @@
+import { getWebAuthnAttestation } from '@turnkey/http'
 import { WebauthnStamper as TurnkeyWebauthnStamper } from '@turnkey/webauthn-stamper'
-import type { WebauthnStamper } from './types.js'
+import { base64UrlEncode, generateRandomBuffer } from '../utils/utils.js'
+import type { PasskeyRegistrationOptions, PasskeyStamper } from './types.js'
 
 export async function createWebauthnStamper({
   rpId,
 }: {
   rpId: string
-}): Promise<WebauthnStamper> {
+}): Promise<PasskeyStamper> {
   const inner = new TurnkeyWebauthnStamper({ rpId })
 
   return {
-    async getPublicKey() {
-      //   return await inner.();
-      return null
-    },
     async stamp(payload: string) {
       return await inner.stamp(payload)
     },
     async clear() {},
+    async register(options: PasskeyRegistrationOptions) {
+      const challenge = generateRandomBuffer()
+      const encodedChallenge = base64UrlEncode(challenge)
+      const authenticatorUserId = generateRandomBuffer()
+
+      const attestation = await getWebAuthnAttestation({
+        publicKey: {
+          rp: options.rp,
+          challenge,
+          pubKeyCredParams: [
+            { type: 'public-key', alg: -7 },
+            { type: 'public-key', alg: -257 },
+          ],
+          user: {
+            id: authenticatorUserId,
+            name: options.userName,
+            displayName: options.userName,
+          },
+        },
+      })
+
+      return { attestation, encodedChallenge }
+    },
   }
 }

package/src/types/session.ts

@@ -3,7 +3,7 @@ export enum SessionType {
   READ_WRITE = 'SESSION_TYPE_READ_WRITE',
 }
 
-export type StamperType = 'iframe' | 'indexedDb' | 'passkey'
+export type StamperType = 'apiKey' | 'passkey'
 
 export type ZeroDevWalletSession = {
   id: string
@@ -11,8 +11,7 @@ export type ZeroDevWalletSession = {
   organizationId: string
   stamperType: StamperType
   sessionType?: SessionType
-  token?: string
-  publicKey?: string
+  token: string
   expiry: number
   createdAt: number
 }

package/src/utils/buildClientSignature.ts

@@ -1,4 +1,4 @@
-import type { IndexedDbStamper } from '../stampers/types.js'
+import type { ApiKeyStamper } from '../stampers/types.js'
 import { derToRawSignature } from './derToRawSignature.js'
 
 export type BuildClientSignatureParams = {
@@ -6,8 +6,8 @@ export type BuildClientSignatureParams = {
   verificationToken: string
   /** The compressed public key hex */
   publicKey: string
-  /** The IndexedDB stamper for signing */
-  stamper: IndexedDbStamper
+  /** The API key stamper for signing */
+  stamper: ApiKeyStamper
 }
 
 /**

package/src/utils/exportPrivateKey.ts

@@ -72,7 +72,7 @@ export async function exportPrivateKey(
   })
 
   const stamperKey =
-    session.stamperType === 'indexedDb' ? 'indexedDbStamper' : 'webauthnStamper'
+    session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'
   const stamper = wallet.client[stamperKey]
   if (!stamper) {
     throw new Error(`Stamper '${stamperKey}' not found on wallet.client`)

package/src/utils/exportWallet.ts

@@ -56,9 +56,7 @@ export async function exportWallet(
 
     const listWalletsStamp =
       await wallet.client[
-        session.stamperType === 'indexedDb'
-          ? 'indexedDbStamper'
-          : 'webauthnStamper'
+        session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'
       ].stamp(listWalletsBody)
     if (!listWalletsStamp) {
       throw new Error('Failed to stamp list wallets body')
@@ -93,9 +91,7 @@ export async function exportWallet(
     })
     const exportWalletStamp =
       await wallet.client[
-        session.stamperType === 'indexedDb'
-          ? 'indexedDbStamper'
-          : 'webauthnStamper'
+        session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'
       ].stamp(exportWalletBody)
     if (!exportWalletStamp) {
       throw new Error('Failed to stamp export wallet body')

package/src/utils/hpke.ts

@@ -15,6 +15,7 @@
  *   - tkhq/go-sdk/pkg/enclave_encrypt
  */
 
+import { gcm } from '@noble/ciphers/aes.js'
 import { p256 } from '@noble/curves/nist.js'
 import { expand, extract } from '@noble/hashes/hkdf.js'
 import { sha256 } from '@noble/hashes/sha2.js'
@@ -165,42 +166,15 @@ function keySchedule(
   return { key, baseNonce }
 }
 
-// Web Crypto's BufferSource type rejects `Uint8Array<ArrayBufferLike>` (which
-// noble/v2 returns) under strict TS lib settings because the underlying buffer
-// could in principle be a SharedArrayBuffer. Copy into a fresh ArrayBuffer to
-// satisfy the type.
-function toArrayBuffer(u8: Uint8Array): ArrayBuffer {
-  const out = new ArrayBuffer(u8.byteLength)
-  new Uint8Array(out).set(u8)
-  return out
-}
-
-async function aesGcmSeal(
+function aesGcmSeal(
   key: Uint8Array,
   nonce: Uint8Array,
   aad: Uint8Array,
   plaintext: Uint8Array,
-): Promise<Uint8Array> {
-  // Web Crypto returns ciphertext || tag (16 bytes appended). Matches the
-  // single-blob format Turnkey's `Sealer.Seal` produces.
-  const cryptoKey = await crypto.subtle.importKey(
-    'raw',
-    toArrayBuffer(key),
-    { name: 'AES-GCM' },
-    /* extractable */ false,
-    ['encrypt'],
-  )
-  const ct = await crypto.subtle.encrypt(
-    {
-      name: 'AES-GCM',
-      iv: toArrayBuffer(nonce),
-      additionalData: toArrayBuffer(aad),
-      tagLength: 128,
-    },
-    cryptoKey,
-    toArrayBuffer(plaintext),
-  )
-  return new Uint8Array(ct)
+): Uint8Array {
+  // Returns ciphertext || tag (16 bytes appended) — matches the single-blob
+  // format Turnkey's `Sealer.Seal` and Web Crypto's AES-GCM produce.
+  return gcm(key, nonce, aad).encrypt(plaintext)
 }
 
 export type HpkeSealResult = {
@@ -239,7 +213,7 @@ export async function hpkeSealP256({
 
   // First message of the context, sequence 0 → nonce = base_nonce.
   const aad = concat(enc, receiverPublicKey)
-  const ciphertext = await aesGcmSeal(key, baseNonce, aad, plaintext)
+  const ciphertext = aesGcmSeal(key, baseNonce, aad, plaintext)
 
   return { encappedPublic: enc, ciphertext }
 }

package/src/utils/utils.ts

@@ -18,7 +18,8 @@ export function parseSession(
     throw new Error('Invalid JWT: Missing payload')
   }
 
-  const decoded = JSON.parse(Buffer.from(payload, 'base64').toString())
+  const base64 = payload.replace(/-/g, '+').replace(/_/g, '/')
+  const decoded = JSON.parse(atob(base64))
   const {
     exp,
     public_key: publicKey,
@@ -68,11 +69,9 @@ export const generateRandomBuffer = (): ArrayBuffer => {
  * @returns {string} - The encoded challenge.
  */
 export const base64UrlEncode = (challenge: ArrayBuffer): string => {
-  return Buffer.from(challenge)
-    .toString('base64')
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=/g, '')
+  const bytes = new Uint8Array(challenge)
+  const binary = String.fromCharCode(...bytes)
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
 }
 
 /**