@zkproofport-app/sdk 0.1.2-beta.1 → 0.2.0

package/dist/index.js

@@ -140,51 +140,6 @@ const DEFAULT_REQUEST_EXPIRY_MS = 10 * 60 * 1000;
  * ```
  */
 const MAX_QR_DATA_SIZE = 2953; // Version 40 with L error correction
-/**
- * ZKProofportNullifierRegistry contract ABI (V2).
- *
- * This is the current nullifier registry interface with relayer-only registration.
- * Public view functions allow checking nullifier status and verifying proofs without registration.
- *
- * Key functions:
- * - `isNullifierRegistered`: Check if a nullifier has been used
- * - `getNullifierInfo`: Get registration details for a nullifier
- * - `verifyOnly`: Verify a proof without registering the nullifier
- *
- * Note: Registration functions (verifyAndRegister) are relayer-only and not exposed in this ABI.
- *
- * @example
- * ```typescript
- * import { Contract } from 'ethers';
- *
- * const registry = new Contract(
- *   registryAddress,
- *   ZKPROOFPORT_NULLIFIER_REGISTRY_ABI,
- *   provider
- * );
- *
- * const isUsed = await registry.isNullifierRegistered(nullifier);
- * ```
- */
-const ZKPROOFPORT_NULLIFIER_REGISTRY_ABI = [
-    'function isNullifierRegistered(bytes32 _nullifier) external view returns (bool)',
-    'function getNullifierInfo(bytes32 _nullifier) external view returns (uint64 registeredAt, bytes32 scope, bytes32 circuitId)',
-    'function verifyOnly(bytes32 _circuitId, bytes calldata _proof, bytes32[] calldata _publicInputs) external view returns (bool)',
-    'event NullifierRegistered(bytes32 indexed nullifier, bytes32 indexed scope, bytes32 indexed circuitId)',
-];
-
-var constants = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    CIRCUIT_METADATA: CIRCUIT_METADATA,
-    DEEP_LINK_HOSTS: DEEP_LINK_HOSTS,
-    DEFAULT_REQUEST_EXPIRY_MS: DEFAULT_REQUEST_EXPIRY_MS,
-    DEFAULT_SCHEME: DEFAULT_SCHEME,
-    MAX_QR_DATA_SIZE: MAX_QR_DATA_SIZE,
-    RELAY_URLS: RELAY_URLS,
-    RPC_ENDPOINTS: RPC_ENDPOINTS,
-    VERIFIER_ABI: VERIFIER_ABI,
-    ZKPROOFPORT_NULLIFIER_REGISTRY_ABI: ZKPROOFPORT_NULLIFIER_REGISTRY_ABI
-});
 
 /**
  * Deep Link utilities for ZKProofport SDK
@@ -383,7 +338,6 @@ function parseProofResponseUrl(url) {
             if (timestamp) {
                 response.timestamp = parseInt(timestamp, 10);
             }
-            response.nullifier = urlObj.searchParams.get('nullifier') || undefined;
         }
         else if (status === 'error') {
             response.error = urlObj.searchParams.get('error') || undefined;
@@ -911,41 +865,6 @@ function extractScopeFromPublicInputs(publicInputsHex, circuit) {
     const scopeFields = publicInputsHex.slice(start, end + 1);
     return reconstructBytes32FromFields(scopeFields);
 }
-/**
- * Extract nullifier value from public inputs array.
- *
- * The nullifier is a bytes32 value encoded across 32 consecutive field elements
- * in the public inputs. The exact position depends on the circuit type.
- * Nullifiers are used for duplicate proof detection and must be unique per user+scope.
- *
- * @param publicInputsHex - Array of public input hex strings (zero-padded to 32 bytes)
- * @param circuit - Optional circuit identifier to determine field positions
- * @returns Reconstructed nullifier as hex string with 0x prefix, or null if inputs are insufficient
- *
- * @example
- * ```typescript
- * const nullifier = extractNullifierFromPublicInputs(publicInputsHex, 'coinbase_attestation');
- * console.log(nullifier); // '0xabcd1234...'
- *
- * // Check if nullifier is already registered
- * const isRegistered = await isNullifierRegistered(nullifier, registryAddress, provider);
- * ```
- */
-function extractNullifierFromPublicInputs(publicInputsHex, circuit) {
-    let start, end;
-    if (circuit === 'coinbase_country_attestation') {
-        start = 118;
-        end = 149;
-    }
-    else {
-        start = 96;
-        end = 127;
-    }
-    if (publicInputsHex.length <= end)
-        return null;
-    const nullifierFields = publicInputsHex.slice(start, end + 1);
-    return reconstructBytes32FromFields(nullifierFields);
-}
 /** @internal Reconstruct a bytes32 value from 32 individual field elements */
 function reconstructBytes32FromFields(fields) {
     if (fields.length !== 32) {
@@ -957,83 +876,6 @@ function reconstructBytes32FromFields(fields) {
     }).join('');
     return '0x' + bytes;
 }
-/**
- * Check if a nullifier is already registered on-chain in the ZKProofport nullifier registry.
- *
- * This function queries the on-chain nullifier registry contract to determine if a nullifier
- * has been used before. This is used to prevent duplicate proof submissions from the same user
- * for the same scope.
- *
- * @param nullifier - The nullifier hash as hex string with 0x prefix
- * @param registryAddress - ZKProofportNullifierRegistry contract address
- * @param provider - ethers.js Provider instance (v5 or v6 compatible)
- * @returns Promise resolving to true if nullifier is registered, false otherwise
- *
- * @example
- * ```typescript
- * const nullifier = extractNullifierFromPublicInputs(publicInputsHex, circuit);
- * const isRegistered = await isNullifierRegistered(
- *   nullifier,
- *   '0x...',
- *   provider
- * );
- *
- * if (isRegistered) {
- *   console.log('This nullifier has already been used');
- * }
- * ```
- */
-async function isNullifierRegistered(nullifier, registryAddress, provider) {
-    const { ZKPROOFPORT_NULLIFIER_REGISTRY_ABI } = await Promise.resolve().then(function () { return constants; });
-    const contract = new ethers.ethers.Contract(registryAddress, ZKPROOFPORT_NULLIFIER_REGISTRY_ABI, provider);
-    try {
-        return await contract.isNullifierRegistered(nullifier);
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Get detailed information about a registered nullifier from the on-chain registry.
- *
- * This function retrieves the registration timestamp, scope, and circuit ID for a nullifier
- * that has been registered on-chain. This metadata is useful for auditing and analytics.
- *
- * @param nullifier - The nullifier hash as hex string with 0x prefix
- * @param registryAddress - ZKProofportNullifierRegistry contract address
- * @param provider - ethers.js Provider instance (v5 or v6 compatible)
- * @returns Promise resolving to nullifier info object, or null if not registered
- *
- * @example
- * ```typescript
- * const info = await getNullifierInfo(nullifier, registryAddress, provider);
- *
- * if (info) {
- *   console.log('Registered at:', new Date(info.registeredAt * 1000));
- *   console.log('Scope:', info.scope);
- *   console.log('Circuit:', info.circuitId);
- * } else {
- *   console.log('Nullifier not registered');
- * }
- * ```
- */
-async function getNullifierInfo(nullifier, registryAddress, provider) {
-    const { ZKPROOFPORT_NULLIFIER_REGISTRY_ABI } = await Promise.resolve().then(function () { return constants; });
-    const contract = new ethers.ethers.Contract(registryAddress, ZKPROOFPORT_NULLIFIER_REGISTRY_ABI, provider);
-    try {
-        const [registeredAt, scope, circuitId] = await contract.getNullifierInfo(nullifier);
-        if (BigInt(registeredAt) === 0n)
-            return null;
-        return {
-            registeredAt: Number(registeredAt),
-            scope: scope,
-            circuitId: circuitId,
-        };
-    }
-    catch {
-        return null;
-    }
-}
 
 /**
  * Proofport SDK - Main class
@@ -1047,12 +889,15 @@ async function getNullifierInfo(nullifier, registryAddress, provider) {
  * @example
  * ```typescript
  * import { ProofportSDK } from '@zkproofport-app/sdk';
+ * import { BrowserProvider } from 'ethers';
  *
  * // Initialize SDK (uses production relay by default)
  * const sdk = ProofportSDK.create();
  *
- * // Authenticate
- * await sdk.login({ clientId: 'your-id', apiKey: 'your-key' });
+ * // Set wallet signer for challenge-signature auth
+ * const provider = new BrowserProvider(window.ethereum);
+ * const signer = await provider.getSigner();
+ * sdk.setSigner(signer);
  *
  * // Create proof request via relay
  * const relay = await sdk.createRelayRequest('coinbase_attestation', {
@@ -1098,14 +943,13 @@ class ProofportSDK {
      */
     constructor(config = {}) {
         this.pendingRequests = new Map();
-        this.authToken = null;
+        this.signer = null;
         this.socket = null;
         this.config = {
             scheme: config.scheme || DEFAULT_SCHEME,
             verifiers: config.verifiers || {},
         };
         this.relayUrl = config.relayUrl || '';
-        this.nullifierRegistry = config.nullifierRegistry;
     }
     // ============ Request Creation ============
     /**
@@ -1866,115 +1710,42 @@ class ProofportSDK {
             return false;
         return /Android|iPhone|iPad|iPod|webOS|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent);
     }
+    // ============ Relay Integration ============
     /**
-     * Authenticates with ZKProofport using client credentials via the relay server.
-     *
-     * Exchanges a client_id and api_key pair for a short-lived JWT token
-     * that can be used to authenticate relay requests.
+     * Sets the wallet signer for challenge-signature authentication.
+     * The signer will be used to sign challenges from the relay server.
      *
-     * @param credentials - Client ID and API key
-     * @param relayUrl - Relay server URL (e.g., 'https://relay.zkproofport.app')
-     * @returns Promise resolving to AuthToken with JWT token and metadata
-     * @throws Error if authentication fails
+     * @param signer - Wallet signer (ethers v6 Signer or compatible object with signMessage/getAddress)
      *
      * @example
      * ```typescript
-     * const auth = await ProofportSDK.authenticate(
-     *   { clientId: 'your-client-id', apiKey: 'your-api-key' },
-     *   'https://relay.zkproofport.app'
-     * );
-     * console.log('Token:', auth.token);
-     * console.log('Expires in:', auth.expiresIn, 'seconds');
-     * ```
-     */
-    static async authenticate(credentials, relayUrl) {
-        if (!credentials.clientId || !credentials.apiKey) {
-            throw new Error('clientId and apiKey are required');
-        }
-        if (!relayUrl) {
-            throw new Error('relayUrl is required');
-        }
-        const response = await fetch(`${relayUrl}/api/v1/auth/token`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                client_id: credentials.clientId,
-                api_key: credentials.apiKey,
-            }),
-        });
-        if (!response.ok) {
-            const error = await response.json().catch(() => ({ error: `HTTP ${response.status}` }));
-            throw new Error(error.error || `Authentication failed: HTTP ${response.status}`);
-        }
-        const data = await response.json();
-        return {
-            token: data.token,
-            clientId: data.client_id,
-            dappId: data.dapp_id,
-            tier: data.tier,
-            expiresIn: data.expires_in,
-            expiresAt: Date.now() + (data.expires_in * 1000),
-        };
-    }
-    /**
-     * Checks if an auth token is still valid (not expired).
+     * import { BrowserProvider } from 'ethers';
      *
-     * @param auth - AuthToken to check
-     * @returns True if the token has not expired
-     *
-     * @example
-     * ```typescript
-     * if (!ProofportSDK.isTokenValid(auth)) {
-     *   auth = await ProofportSDK.authenticate(credentials, relayUrl);
-     * }
+     * const provider = new BrowserProvider(window.ethereum);
+     * const signer = await provider.getSigner();
+     * sdk.setSigner(signer);
      * ```
      */
-    static isTokenValid(auth) {
-        return Date.now() < auth.expiresAt - 30000; // 30s buffer
+    setSigner(signer) {
+        this.signer = signer;
     }
-    // ============ Relay Integration ============
     /**
-     * Authenticates with ZKProofport and stores the token for relay requests.
-     *
-     * Instance method that authenticates via the relay server and stores
-     * the JWT token internally, so subsequent relay requests are automatically authenticated.
-     *
-     * @param credentials - Client ID and API key
-     * @returns Promise resolving to AuthToken
-     * @throws Error if authentication fails or relayUrl is not configured
-     *
-     * @example
-     * ```typescript
-     * const sdk = ProofportSDK.create('production');
+     * Fetches a random challenge from the relay server.
+     * The challenge must be signed and included in proof requests.
      *
-     * await sdk.login({ clientId: 'your-id', apiKey: 'your-key' });
-     * // SDK is now authenticated for relay requests
-     * ```
+     * @returns Promise resolving to ChallengeResponse with challenge hex and expiry
+     * @throws Error if relayUrl is not configured
      */
-    async login(credentials) {
+    async getChallenge() {
         if (!this.relayUrl) {
-            throw new Error('relayUrl is required for authentication. Use ProofportSDK.create(\'production\') or set relayUrl in config.');
+            throw new Error('relayUrl is required. Set it in ProofportSDK config.');
         }
-        this.authToken = await ProofportSDK.authenticate(credentials, this.relayUrl);
-        return this.authToken;
-    }
-    /**
-     * Logs out by clearing the stored authentication token.
-     */
-    logout() {
-        this.authToken = null;
-    }
-    /**
-     * Returns whether the SDK instance is currently authenticated with a valid token.
-     */
-    isAuthenticated() {
-        return this.authToken !== null && ProofportSDK.isTokenValid(this.authToken);
-    }
-    /**
-     * Returns the current auth token, or null if not authenticated.
-     */
-    getAuthToken() {
-        return this.authToken;
+        const response = await fetch(`${this.relayUrl}/api/v1/challenge`);
+        if (!response.ok) {
+            const error = await response.json().catch(() => ({ error: `HTTP ${response.status}` }));
+            throw new Error(error.error || `Failed to get challenge: HTTP ${response.status}`);
+        }
+        return await response.json();
     }
     /**
      * Creates a proof request through the relay server.
@@ -1982,19 +1753,19 @@ class ProofportSDK {
      * This is the recommended way to create proof requests. The relay server:
      * - Issues a server-side requestId (validated by the mobile app)
      * - Tracks request status in Redis
-     * - Handles credit deduction and tier enforcement
      * - Builds the deep link with relay callback URL
+     * - Stores inputs hash for deep link integrity verification
      *
      * @param circuit - Circuit type identifier
      * @param inputs - Circuit-specific inputs
      * @param options - Request options (message, dappName, dappIcon, nonce)
      * @returns Promise resolving to RelayProofRequest with requestId, deepLink, pollUrl
-     * @throws Error if not authenticated or relay request fails
+     * @throws Error if signer not set or relay request fails
      *
      * @example
      * ```typescript
      * const sdk = ProofportSDK.create();
-     * await sdk.login({ clientId: 'id', apiKey: 'key' });
+     * sdk.setSigner(signer);
      *
      * const relay = await sdk.createRelayRequest('coinbase_attestation', {
      *   scope: 'myapp.com'
@@ -2008,15 +1779,20 @@ class ProofportSDK {
      * ```
      */
     async createRelayRequest(circuit, inputs, options = {}) {
-        if (!this.authToken || !ProofportSDK.isTokenValid(this.authToken)) {
-            throw new Error('Not authenticated. Call login() first.');
+        if (!this.signer) {
+            throw new Error('Signer not set. Call setSigner() first.');
         }
         if (!this.relayUrl) {
             throw new Error('relayUrl is required. Set it in ProofportSDK config.');
         }
+        // Get challenge from relay and sign it
+        const { challenge } = await this.getChallenge();
+        const signature = await this.signer.signMessage(challenge);
         const body = {
             circuitId: circuit,
             inputs,
+            challenge,
+            signature,
         };
         if (options.message)
             body.message = options.message;
@@ -2030,7 +1806,6 @@ class ProofportSDK {
             method: 'POST',
             headers: {
                 'Content-Type': 'application/json',
-                'Authorization': `Bearer ${this.authToken.token}`,
             },
             body: JSON.stringify(body),
         });
@@ -2113,7 +1888,7 @@ class ProofportSDK {
      * @param callbacks.onResult - Called when proof is completed or failed
      * @param callbacks.onError - Called on errors
      * @returns Unsubscribe function to clean up the connection
-     * @throws Error if not authenticated, relayUrl not set, or socket.io-client not installed
+     * @throws Error if relayUrl not set or socket.io-client not installed
      *
      * @example
      * ```typescript
@@ -2134,9 +1909,6 @@ class ProofportSDK {
      * ```
      */
     async subscribe(requestId, callbacks) {
-        if (!this.authToken || !ProofportSDK.isTokenValid(this.authToken)) {
-            throw new Error('Not authenticated. Call login() first.');
-        }
         if (!this.relayUrl) {
             throw new Error('relayUrl is required. Set it in ProofportSDK config.');
         }
@@ -2151,10 +1923,9 @@ class ProofportSDK {
         if (typeof ioConnect !== 'function') {
             throw new Error('Failed to load socket.io-client: io function not found');
         }
-        // Connect to relay /proof namespace
+        // Connect to relay /proof namespace (no JWT — open connections)
         const socket = ioConnect(`${this.relayUrl}/proof`, {
             path: '/socket.io',
-            auth: { token: this.authToken.token },
             transports: ['websocket', 'polling'],
         });
         this.socket = socket;
@@ -2203,7 +1974,7 @@ class ProofportSDK {
     async waitForProof(requestId, options = {}) {
         const timeout = options.timeoutMs || 300000;
         // Try Socket.IO first
-        if (this.authToken && ProofportSDK.isTokenValid(this.authToken) && this.relayUrl) {
+        if (this.relayUrl) {
             try {
                 return await new Promise((resolve, reject) => {
                     const timer = setTimeout(() => {
@@ -2251,30 +2022,7 @@ class ProofportSDK {
             this.socket = null;
         }
     }
-    // ============ Nullifier Utilities ============
-    /**
-     * Extracts the nullifier from proof public inputs.
-     *
-     * The nullifier is a bytes32 value derived from the user's address and scope,
-     * used to prevent duplicate proof submissions. Each user+scope combination
-     * produces a unique nullifier.
-     *
-     * @param publicInputs - Array of public input hex strings from proof response
-     * @param circuit - Circuit type to determine field positions
-     * @returns Nullifier as hex string (0x...), or null if inputs are insufficient
-     *
-     * @example
-     * ```typescript
-     * const result = await sdk.waitForProof(relay.requestId);
-     * if (result.status === 'completed') {
-     *   const nullifier = sdk.extractNullifier(result.publicInputs, result.circuit);
-     *   console.log('Nullifier:', nullifier);
-     * }
-     * ```
-     */
-    extractNullifier(publicInputs, circuit) {
-        return extractNullifierFromPublicInputs(publicInputs, circuit);
-    }
+    // ============ Public Input Utilities ============
     /**
      * Extracts the scope from proof public inputs.
      *
@@ -2297,66 +2045,6 @@ class ProofportSDK {
     extractScope(publicInputs, circuit) {
         return extractScopeFromPublicInputs(publicInputs, circuit);
     }
-    /**
-     * Checks if a nullifier is already registered on-chain.
-     *
-     * Queries the ZKProofportNullifierRegistry contract to determine if the
-     * nullifier has been used before. Used to prevent duplicate proof submissions.
-     *
-     * Requires `nullifierRegistry` in SDK config.
-     *
-     * @param nullifier - Nullifier hex string from extractNullifier()
-     * @param provider - Optional ethers provider (defaults to public RPC for configured chain)
-     * @returns True if nullifier is already registered
-     * @throws Error if nullifierRegistry is not configured
-     *
-     * @example
-     * ```typescript
-     * const sdk = ProofportSDK.create({
-     *   relayUrl: 'https://relay.zkproofport.app',
-     *   nullifierRegistry: { address: '0x...', chainId: 8453 }
-     * });
-     *
-     * const nullifier = sdk.extractNullifier(publicInputs, circuit);
-     * const isDuplicate = await sdk.checkNullifier(nullifier);
-     * ```
-     */
-    async checkNullifier(nullifier, provider) {
-        if (!this.nullifierRegistry) {
-            throw new Error('nullifierRegistry is required. Set it in ProofportSDK config.');
-        }
-        const p = provider || getDefaultProvider(this.nullifierRegistry.chainId);
-        return isNullifierRegistered(nullifier, this.nullifierRegistry.address, p);
-    }
-    /**
-     * Gets detailed information about a registered nullifier from on-chain registry.
-     *
-     * Retrieves the registration timestamp, scope, and circuit ID for a nullifier.
-     * Returns null if the nullifier is not registered.
-     *
-     * Requires `nullifierRegistry` in SDK config.
-     *
-     * @param nullifier - Nullifier hex string from extractNullifier()
-     * @param provider - Optional ethers provider (defaults to public RPC for configured chain)
-     * @returns Nullifier info or null if not registered
-     * @throws Error if nullifierRegistry is not configured
-     *
-     * @example
-     * ```typescript
-     * const info = await sdk.getNullifierDetails(nullifier);
-     * if (info) {
-     *   console.log('Registered at:', new Date(info.registeredAt * 1000));
-     *   console.log('Circuit:', info.circuitId);
-     * }
-     * ```
-     */
-    async getNullifierDetails(nullifier, provider) {
-        if (!this.nullifierRegistry) {
-            throw new Error('nullifierRegistry is required. Set it in ProofportSDK config.');
-        }
-        const p = provider || getDefaultProvider(this.nullifierRegistry.chainId);
-        return getNullifierInfo(nullifier, this.nullifierRegistry.address, p);
-    }
 }
 
 exports.ProofportSDK = ProofportSDK;