@zerodev/wallet-core 0.0.1-alpha.18 → 0.0.1-alpha.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zerodev/wallet-core",
-  "version": "0.0.1-alpha.18",
+  "version": "0.0.1-alpha.20",
   "description": "ZeroDev Wallet SDK built on Turnkey",
   "main": "./dist/_cjs/index.js",
   "module": "./dist/_esm/index.js",
@@ -49,6 +49,7 @@
   ],
   "license": "MIT",
   "dependencies": {
+    "@noble/ciphers": "^2.2.0",
     "@noble/curves": "^2.2.0",
     "@noble/hashes": "^2.2.0",
     "@turnkey/http": "^3.12.1",

package/src/actions/auth/authenticateWithOAuth.ts

@@ -7,6 +7,8 @@ export type AuthenticateWithOAuthParameters = {
   projectId: string
   /** The session ID from the OAuth callback URL */
   sessionId: string
+  /** Proof-of-possession signature for `sessionId`. */
+  popSignature: string
 }
 
 export type AuthenticateWithOAuthReturnType = {
@@ -37,6 +39,7 @@ export type AuthenticateWithOAuthReturnType = {
  *   provider: 'google',
  *   projectId: 'proj_456',
  *   sessionId: 'abc123',
+ *   popSignature: '3045022100...',
  * });
  * ```
  */
@@ -44,11 +47,11 @@ export async function authenticateWithOAuth(
   client: Client,
   params: AuthenticateWithOAuthParameters,
 ): Promise<AuthenticateWithOAuthReturnType> {
-  const { projectId, sessionId } = params
+  const { projectId, sessionId, popSignature } = params
 
   return await client.request({
     path: `${projectId}/auth/oauth`,
     method: 'POST',
-    body: { sessionId },
+    body: { sessionId, popSignature },
   })
 }

package/src/actions/auth/getOAuthLoginUrl.ts

@@ -0,0 +1,48 @@
+import type { Client } from '../../client/types.js'
+
+export type GetOAuthLoginUrlParameters = {
+  /** OAuth provider — currently only `'google'` is supported. */
+  provider: 'google'
+  /** The project ID for the request. */
+  projectId: string
+  /**
+   * The session public key (compressed P-256 hex, lowercase, with or
+   * without `0x` prefix). The backend embeds `sha256(utf8(hex))` as the
+   * OIDC `nonce` so the SDK can verify the URL was minted for this key.
+   */
+  publicKey: string
+  /**
+   * Where the popup should land after the OAuth round-trip
+   * (e.g. `https://app.example.com/dashboard?oauth_success=true`).
+   * Must be on the project's whitelist.
+   */
+  returnTo: string
+}
+
+export type GetOAuthLoginUrlReturnType = string
+
+/**
+ * Fetches the Google OAuth authorization URL from the backend.
+ *
+ * The SDK must verify the returned URL's `nonce` against
+ * `sha256(utf8(publicKey))` (and the host is `accounts.google.com`)
+ * before opening it in a popup — the backend is not a trusted party.
+ * See audit finding TOB-KMS-1.
+ */
+export async function getOAuthLoginUrl(
+  client: Client,
+  params: GetOAuthLoginUrlParameters,
+): Promise<GetOAuthLoginUrlReturnType> {
+  if (params.provider !== 'google') {
+    throw new Error(`Unsupported OAuth provider: ${params.provider}`)
+  }
+  const query = new URLSearchParams({
+    project_id: params.projectId,
+    pub_key: params.publicKey.replace(/^0x/, '').toLowerCase(),
+    return_to: params.returnTo,
+  })
+  return await client.request<string>({
+    path: `oauth/google/login-url?${query.toString()}`,
+    method: 'GET',
+  })
+}

package/src/actions/auth/getWhoami.ts

@@ -51,7 +51,7 @@ export async function getWhoami(
   // Step 1: Inner stamp over the payload (for Turnkey verification)
   const innerBody = { organizationId }
   const innerBodyString = canonicalizeEx(innerBody)
-  const innerStamp = await client.indexedDbStamper.stamp(innerBodyString)
+  const innerStamp = await client.apiKeyStamper.stamp(innerBodyString)
 
   // Step 2: Build full body with inner stamp embedded
   const fullBody = {
@@ -64,7 +64,7 @@ export async function getWhoami(
 
   // Step 3: Outer stamp over full body (for KMS middleware)
   const fullBodyString = canonicalizeEx(fullBody)
-  const outerStamp = await client.indexedDbStamper.stamp(fullBodyString)
+  const outerStamp = await client.apiKeyStamper.stamp(fullBodyString)
 
   return await client.request({
     path: `${projectId}/whoami`,

package/src/actions/auth/index.ts

@@ -23,6 +23,11 @@ export {
   type GetAuthProxyConfigIdReturnType,
   getAuthProxyConfigId,
 } from './getAuthProxyConfigId.js'
+export {
+  type GetOAuthLoginUrlParameters,
+  type GetOAuthLoginUrlReturnType,
+  getOAuthLoginUrl,
+} from './getOAuthLoginUrl.js'
 export {
   type GetWhoamiParameters,
   type GetWhoamiReturnType,

package/src/actions/auth/loginWithStamp.ts

@@ -1,6 +1,7 @@
 import { canonicalizeEx } from 'json-canonicalize'
 import type { Client } from '../../client/types.js'
 import type { Stamp } from '../../stampers/types.js'
+import type { StamperType } from '../../types/session.js'
 
 export type EmailCustomization = {
   /** A template for the URL to be used in a magic link button, e.g. `https://dapp.xyz/%s`. The auth bundle will be interpolated into the `%s`. */
@@ -15,7 +16,7 @@ export type LoginWithStampParameters = {
   /** The encoded public key for the request */
   targetPublicKey: string
   /** The stamper type for the request */
-  stampWith?: 'indexedDb' | 'webauthn'
+  stampWith?: StamperType
 }
 
 export type LoginWithStampReturnType = {
@@ -58,12 +59,12 @@ export async function loginWithStamp(
     type: 'ACTIVITY_TYPE_STAMP_LOGIN',
   })
   let stamp: Stamp
-  if (stampWith === 'indexedDb') {
-    stamp = await client.indexedDbStamper.stamp(stampPayload)
-  } else if (stampWith === 'webauthn') {
-    stamp = await client.webauthnStamper.stamp(stampPayload)
+  if (stampWith === 'apiKey') {
+    stamp = await client.apiKeyStamper.stamp(stampPayload)
+  } else if (stampWith === 'passkey') {
+    stamp = await client.passkeyStamper.stamp(stampPayload)
   } else {
-    stamp = await client.indexedDbStamper.stamp(stampPayload)
+    stamp = await client.apiKeyStamper.stamp(stampPayload)
   }
 
   return client.request({

package/src/actions/index.ts

@@ -12,10 +12,13 @@ export {
   type GetAuthenticatorsParameters,
   type GetAuthenticatorsReturnType,
   type GetAuthProxyConfigIdReturnType,
+  type GetOAuthLoginUrlParameters,
+  type GetOAuthLoginUrlReturnType,
   type GetWhoamiParameters,
   type GetWhoamiReturnType,
   getAuthenticators,
   getAuthProxyConfigId,
+  getOAuthLoginUrl,
   getWhoami,
   type LoginWithOTPParameters,
   type LoginWithOTPReturnType,

package/src/actions/wallet/signingUtils.ts

@@ -47,7 +47,7 @@ export async function sendSigningRequest(
 
   // Inner stamp over the Turnkey payload (for Turnkey verification)
   const innerBodyString = canonicalizeEx(turnkeyPayload)
-  const innerStamp = await client.indexedDbStamper.stamp(innerBodyString)
+  const innerStamp = await client.apiKeyStamper.stamp(innerBodyString)
 
   // Build full body with inner stamp embedded
   const fullBody = {
@@ -61,7 +61,7 @@ export async function sendSigningRequest(
 
   // Outer stamp over full body (for KMS middleware)
   const fullBodyString = canonicalizeEx(fullBody)
-  const outerStamp = await client.indexedDbStamper.stamp(fullBodyString)
+  const outerStamp = await client.apiKeyStamper.stamp(fullBodyString)
 
   const { signature } = await client.request({
     path: `${projectId}/${path}`,

package/src/client/createClient.ts

@@ -16,8 +16,8 @@ export function createBaseClient<
 >(config: ClientConfig): Client<extended> {
   const {
     transport,
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
     organizationId,
     key = 'zeroDevWallet',
     name = 'ZeroDev Wallet Client',
@@ -29,8 +29,8 @@ export function createBaseClient<
     request,
     value,
   } = transport({
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
   })
   const transportInstance = { ...transportConfig, ...value }
 
@@ -39,8 +39,8 @@ export function createBaseClient<
   const client = {
     transport: transportInstance,
     request,
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
     organizationId,
     key,
     name,

package/src/client/decorators/client.ts

@@ -13,12 +13,15 @@ import {
   type GetAuthenticatorsParameters,
   type GetAuthenticatorsReturnType,
   type GetAuthProxyConfigIdReturnType,
+  type GetOAuthLoginUrlParameters,
+  type GetOAuthLoginUrlReturnType,
   type GetUserWalletParameters,
   type GetUserWalletReturnType,
   type GetWhoamiParameters,
   type GetWhoamiReturnType,
   getAuthenticators,
   getAuthProxyConfigId,
+  getOAuthLoginUrl,
   getUserWallet,
   getWhoami,
   type LoginWithOTPParameters,
@@ -153,6 +156,15 @@ export type ZeroDevWalletActions = {
    * Gets the auth proxy config ID from the backend
    */
   getAuthProxyConfigId: () => Promise<GetAuthProxyConfigIdReturnType>
+
+  /**
+   * Fetches the Google OAuth authorization URL from the backend.
+   * The caller must verify the URL's `nonce` against `sha256(utf8(publicKey))`
+   * before opening it (audit finding TOB-KMS-1).
+   */
+  getOAuthLoginUrl: (
+    params: GetOAuthLoginUrlParameters,
+  ) => Promise<GetOAuthLoginUrlReturnType>
 }
 
 /**
@@ -197,5 +209,6 @@ export function zeroDevWalletActions(client: Client): ZeroDevWalletActions {
     registerWithOTP: (params) => registerWithOTP(client, params),
     loginWithOTP: (params) => loginWithOTP(client, params),
     getAuthProxyConfigId: () => getAuthProxyConfigId(client),
+    getOAuthLoginUrl: (params) => getOAuthLoginUrl(client, params),
   }
 }

package/src/client/index.ts

@@ -10,7 +10,10 @@ export {
   createClient,
   type ZeroDevWalletClient,
 } from './createClient.js'
-export { zeroDevWalletTransport } from './transports/createTransport.js'
+export {
+  type CreateTransportOptions,
+  zeroDevWalletTransport,
+} from './transports/createTransport.js'
 export type {
   Client,
   ClientConfig,

package/src/client/transports/createTransport.ts

@@ -10,6 +10,8 @@ export type CreateTransportOptions = {
   key?: string
   /** Transport name */
   name?: string
+  /** Extra options merged into every fetch() call */
+  fetchOptions?: Omit<RequestInit, 'body' | 'method' | 'signal'>
 }
 
 /**
@@ -26,14 +28,15 @@ export function zeroDevWalletTransport(
     name = 'ZeroDev Wallet Transport',
   } = options
 
-  return ({ indexedDbStamper, webauthnStamper }) => {
+  return ({ apiKeyStamper, passkeyStamper }) => {
     // Create REST transport with stamper
     const transport = rest(baseUrl, {
       timeoutMs,
       key,
       name,
-      indexedDbStamper,
-      webauthnStamper,
+      apiKeyStamper,
+      passkeyStamper,
+      ...(options.fetchOptions && { fetchOptions: options.fetchOptions }),
     })
 
     return {
@@ -46,8 +49,8 @@ export function zeroDevWalletTransport(
       },
       request: transport.request,
       value: {
-        indexedDbStamper,
-        webauthnStamper,
+        apiKeyStamper,
+        passkeyStamper,
       },
     }
   }

package/src/client/transports/rest.ts

@@ -1,6 +1,7 @@
 import { canonicalizeEx } from 'json-canonicalize'
 import { RestRequestError, RestTimeoutError } from '../../errors/request.js'
-import type { IndexedDbStamper, WebauthnStamper } from '../../stampers/types.js'
+import type { ApiKeyStamper, PasskeyStamper } from '../../stampers/types.js'
+import type { StamperType } from '../../types/session.js'
 
 export type RestRequestArgs = {
   path: string
@@ -8,7 +9,7 @@ export type RestRequestArgs = {
   body?: any
   headers?: Record<string, string>
   stamp?: boolean
-  stampWith?: 'indexedDb' | 'webAuthn'
+  stampWith?: StamperType
   stampPostion?: 'body' | 'headers'
   /** Include credentials (cookies) in the request */
   credentials?: RequestCredentials
@@ -32,8 +33,8 @@ export type RestTransportConfig = {
   timeoutMs?: number
   key?: string
   name?: string
-  indexedDbStamper: IndexedDbStamper
-  webauthnStamper: WebauthnStamper
+  apiKeyStamper: ApiKeyStamper
+  passkeyStamper: PasskeyStamper
 }
 
 export function rest(url: string, cfg: RestTransportConfig): RestTransport {
@@ -49,20 +50,20 @@ export function rest(url: string, cfg: RestTransportConfig): RestTransport {
     try {
       let requestBody = args.body
       let requestHeaders = {
-        'content-type': 'application/json',
-        ...(args.headers ?? {}),
         ...(cfg.fetchOptions?.headers ?? {}),
+        ...(args.headers ?? {}),
+        'content-type': 'application/json',
       }
 
       // Handle stamping if requested
       if (args.stamp) {
-        let stamper: IndexedDbStamper | WebauthnStamper
-        if (args.stampWith === 'indexedDb') {
-          stamper = cfg.indexedDbStamper
-        } else if (args.stampWith === 'webAuthn') {
-          stamper = cfg.webauthnStamper
+        let stamper: ApiKeyStamper | PasskeyStamper
+        if (args.stampWith === 'apiKey') {
+          stamper = cfg.apiKeyStamper
+        } else if (args.stampWith === 'passkey') {
+          stamper = cfg.passkeyStamper
         } else {
-          stamper = cfg.indexedDbStamper
+          stamper = cfg.apiKeyStamper
         }
         const { body, apiUrl } = args.body
         const bodyString = canonicalizeEx(body ?? args.body)

package/src/client/types.ts

@@ -1,4 +1,4 @@
-import type { IndexedDbStamper, WebauthnStamper } from '../stampers/types.js'
+import type { ApiKeyStamper, PasskeyStamper } from '../stampers/types.js'
 import type { RestRequestFn } from './transports/rest.js'
 
 export type TransportConfig = {
@@ -17,8 +17,8 @@ export type TransportConfig = {
 }
 
 export type Transport = (options: {
-  indexedDbStamper: IndexedDbStamper
-  webauthnStamper: WebauthnStamper
+  apiKeyStamper: ApiKeyStamper
+  passkeyStamper: PasskeyStamper
 }) => {
   config: TransportConfig
   request: RestRequestFn
@@ -27,8 +27,8 @@ export type Transport = (options: {
 
 export type ClientConfig = {
   transport: Transport
-  indexedDbStamper: IndexedDbStamper
-  webauthnStamper: WebauthnStamper
+  apiKeyStamper: ApiKeyStamper
+  passkeyStamper: PasskeyStamper
   organizationId?: string
   key?: string
   name?: string
@@ -39,10 +39,10 @@ export type Client<extended extends Extended | undefined = undefined> = {
   transport: TransportConfig & Record<string, unknown>
   /** Request function from transport */
   request: RestRequestFn
-  /** IndexedDB Stamper for authenticated requests */
-  indexedDbStamper: IndexedDbStamper
-  /** WebAuthn Stamper for authenticated requests */
-  webauthnStamper: WebauthnStamper
+  /** API Key Stamper for authenticated requests */
+  apiKeyStamper: ApiKeyStamper
+  /** Passkey Stamper for authenticated requests */
+  passkeyStamper: PasskeyStamper
   /** Organization ID */
   organizationId?: string
   /** A key for the client */