accounts 0.7.0 → 0.7.1

package/src/react-native/Provider.test.ts

@@ -0,0 +1,115 @@
+import { Address, Hex, PublicKey } from 'ox'
+import { KeyAuthorization } from 'ox/tempo'
+import { parseUnits, type Address as viem_Address } from 'viem'
+import { Actions, Addresses } from 'viem/tempo'
+import { describe, expect, test } from 'vp/test'
+
+import { accounts, chain, getClient } from '../../test/config.js'
+import * as Storage from '../core/Storage.js'
+import * as Provider from './Provider.js'
+
+const root = accounts[0]!
+const transferCall = Actions.token.transfer.call({
+  to: '0x0000000000000000000000000000000000000001',
+  token: Addresses.pathUsd,
+  amount: parseUnits('1', 6),
+})
+
+async function fund(address: viem_Address) {
+  await Actions.token.transferSync(getClient(), {
+    account: root,
+    feeToken: Addresses.pathUsd,
+    to: address,
+    token: Addresses.pathUsd,
+    amount: parseUnits('10', 6),
+  })
+}
+
+function createOpen(options: { mismatchFirstCall?: boolean | undefined } = {}) {
+  let calls = 0
+
+  return {
+    calls: () => calls,
+    open: async (url: string) => {
+      calls += 1
+
+      const authUrl = new URL(url)
+      const callback = authUrl.searchParams.get('callback')
+      const chainId = authUrl.searchParams.get('chainId')
+      const pubKey = authUrl.searchParams.get('pubKey')
+      const state = authUrl.searchParams.get('state')
+
+      if (!callback || !chainId || !pubKey || !state)
+        throw new Error('Expected callback, chainId, pubKey, and state in auth URL.')
+
+      const limits = authUrl.searchParams.get('limits')
+      const keyType = authUrl.searchParams.get('keyType')
+      if (keyType !== 'p256' && keyType !== 'secp256k1')
+        throw new Error('Expected a managed key type in auth URL.')
+
+      const keyAuthorization = await root.signKeyAuthorization(
+        {
+          accessKeyAddress:
+            options.mismatchFirstCall && calls === 1
+              ? accounts[1]!.address
+              : Address.fromPublicKey(PublicKey.fromHex(pubKey as Hex.Hex)),
+          keyType,
+        },
+        {
+          chainId: BigInt(chainId),
+          ...(authUrl.searchParams.get('expiry')
+            ? { expiry: Number(authUrl.searchParams.get('expiry')) }
+            : {}),
+          ...(limits
+            ? {
+                limits: (JSON.parse(limits) as { token: `0x${string}`; limit: string }[]).map(
+                  (x) => ({
+                    limit: BigInt(x.limit),
+                    token: x.token,
+                  }),
+                ),
+              }
+            : {}),
+        },
+      )
+
+      const callbackUrl = new URL(callback)
+      callbackUrl.searchParams.set('accountAddress', root.address)
+      callbackUrl.searchParams.set('keyAuthorization', KeyAuthorization.serialize(keyAuthorization))
+      callbackUrl.searchParams.set('state', state)
+      return callbackUrl.toString()
+    },
+  }
+}
+
+describe('create', () => {
+  test('behavior: reauthorizes the managed key when the saved authorization targets the wrong key', async () => {
+    const secureStorage = Storage.memory()
+    const browser = createOpen({ mismatchFirstCall: true })
+    const provider = Provider.create({
+      authorizeAccessKey: () => ({
+        expiry: Math.floor(Date.now() / 1000) + 3600,
+      }),
+      chains: [chain],
+      host: 'https://wallet.tempo.xyz',
+      open: browser.open,
+      redirectUri: 'accounts-playground://auth',
+      secureStorage,
+    })
+
+    const result = await provider.request({
+      method: 'wallet_connect',
+      params: [{ capabilities: { method: 'register', name: 'Accounts RN Test' } }],
+    })
+    expect(result.accounts[0]!.address).toBe(root.address)
+
+    await fund(root.address)
+
+    const receipt = await provider.request({
+      method: 'eth_sendTransactionSync',
+      params: [{ calls: [transferCall], feeToken: Addresses.pathUsd }],
+    })
+    expect(receipt.status).toMatchInlineSnapshot(`"0x1"`)
+    expect(browser.calls()).toMatchInlineSnapshot(`2`)
+  })
+})

package/src/react-native/adapter.ts

@@ -9,7 +9,7 @@ import {
 } from 'ox'
 import { KeyAuthorization } from 'ox/tempo'
 import { prepareTransactionRequest } from 'viem/actions'
-import { Account as TempoAccount, Secp256k1 } from 'viem/tempo'
+import { Actions, Account as TempoAccount, Secp256k1 } from 'viem/tempo'
 
 import * as AccessKey from '../core/AccessKey.js'
 import * as Adapter from '../core/Adapter.js'
@@ -28,27 +28,58 @@ export function reactNative(options: reactNative.Options): Adapter.Adapter {
     async function loadManagedKey(
       address: Adapter.authorizeAccessKey.ReturnType['rootAddress'],
       parameters: loadManagedKey.Options = {},
-    ): Promise<ManagedKeyEntry | undefined> {
+    ): Promise<loadManagedKey.ReturnType | undefined> {
       const { keyType } = parameters
       const { secureStorage } = options
       if (!secureStorage) return undefined
 
       const { chainId } = store.getState()
-      const storageKey = managedKeyStorageKey(address, chainId, keyType)
-      const entry = await secureStorage.getItem<ManagedKeyEntry>(storageKey)
+      const storageKeys = keyType
+        ? [managedKeyStorageKey(address, chainId, keyType)]
+        : [
+            managedKeyStorageKey(address, chainId, 'secp256k1'),
+            managedKeyStorageKey(address, chainId, 'p256'),
+            managedKeyStorageKey(address, chainId),
+          ]
+      let entry: ManagedKeyEntry | null = null
+      for (const storageKey of storageKeys) {
+        entry = await secureStorage.getItem<ManagedKeyEntry>(storageKey)
+        if (entry) break
+      }
       if (!entry) return undefined
 
+      const account =
+        entry.keyType === 'p256'
+          ? TempoAccount.fromP256(entry.key, { access: address })
+          : TempoAccount.fromSecp256k1(entry.key, { access: address })
+      const keyAddress = core_Address.fromPublicKey(PublicKey.from(account.publicKey))
       const deserialized = KeyAuthorization.deserialize(entry.keyAuthorization)
       if (!deserialized.signature) throw new Error('Managed access key is missing a signature.')
       const keyAuthorization = deserialized as KeyAuthorization.Signed
-      AccessKey.save({
-        address,
-        keyAuthorization,
-        privateKey: entry.key,
-        store,
-      })
 
-      return entry
+      if (keyAuthorization.address.toLowerCase() === keyAddress.toLowerCase())
+        AccessKey.save({
+          address,
+          keyAuthorization,
+          privateKey: entry.key,
+          store,
+        })
+      else
+        store.setState((state) => ({
+          accessKeys: state.accessKeys.filter(
+            (accessKey) => accessKey.address.toLowerCase() !== keyAuthorization.address.toLowerCase(),
+          ),
+        }))
+
+      return {
+        account,
+        expiry: entry.expiry,
+        key: entry.key,
+        keyAddress,
+        keyType: entry.keyType,
+        publicKey: account.publicKey,
+        storedAuthorization: keyAuthorization,
+      }
     }
 
     async function resolveManagedKey(
@@ -63,19 +94,14 @@ export function reactNative(options: reactNative.Options): Adapter.Adapter {
       const entry = address
         ? await loadManagedKey(address, requestedKeyType ? { keyType: requestedKeyType } : {})
         : undefined
-      if (entry) {
-        const account =
-          entry.keyType === 'p256'
-            ? TempoAccount.fromP256(entry.key, { access: address })
-            : TempoAccount.fromSecp256k1(entry.key, { access: address })
+      if (entry)
         return {
-          account,
+          account: entry.account,
           key: entry.key,
           keyAddress: entry.keyAddress,
           keyType: entry.keyType,
-          publicKey: account.publicKey,
+          publicKey: entry.publicKey,
         }
-      }
 
       const nextKeyType = requestedKeyType === 'p256' ? 'p256' : 'secp256k1'
       const key = nextKeyType === 'p256' ? P256.randomPrivateKey() : Secp256k1.randomPrivateKey()
@@ -124,6 +150,44 @@ export function reactNative(options: reactNative.Options): Adapter.Adapter {
       await secureStorage.setItem(storageKey, entry)
     }
 
+    async function isManagedKeyAuthorized(
+      address: Adapter.authorizeAccessKey.ReturnType['rootAddress'],
+      managedKey: loadManagedKey.ReturnType,
+    ) {
+      try {
+        const metadata = await Actions.accessKey.getMetadata(getClient(), {
+          account: address,
+          accessKey: managedKey.keyAddress,
+        })
+        return (
+          metadata.address.toLowerCase() === managedKey.keyAddress.toLowerCase() &&
+          !metadata.isRevoked
+        )
+      } catch {
+        return false
+      }
+    }
+
+    async function reauthorizeManagedKey(
+      address: Adapter.authorizeAccessKey.ReturnType['rootAddress'],
+      managedKey: loadManagedKey.ReturnType,
+    ) {
+      const result = await authorize({
+        account: address,
+        authorizeAccessKey: {
+          expiry: managedKey.expiry,
+          keyType: managedKey.keyType,
+          ...(managedKey.storedAuthorization.limits
+            ? { limits: managedKey.storedAuthorization.limits.map((limit) => ({ ...limit })) }
+            : {}),
+          publicKey: managedKey.publicKey,
+        },
+        method: 'wallet_authorizeAccessKey',
+      })
+      await saveManagedKey(address, managedKey, result.keyAuthorization)
+      return result.keyAuthorization
+    }
+
     async function withManagedAccessKey<result>(
       fn: (
         account: TempoAccount.Account,
@@ -131,10 +195,14 @@ export function reactNative(options: reactNative.Options): Adapter.Adapter {
       ) => Promise<result>,
     ) {
       const rootAddress = store.getState().accounts[store.getState().activeAccount]?.address
-      if (rootAddress) await loadManagedKey(rootAddress)
+      const managedKey = rootAddress ? await loadManagedKey(rootAddress) : undefined
+
+      const account = managedKey?.account ?? getAccount({ signable: true })
+      let keyAuthorization = AccessKey.getPending(account, { store })
+      if (rootAddress && managedKey && !keyAuthorization)
+        if (!(await isManagedKeyAuthorized(rootAddress, managedKey)))
+          keyAuthorization = await reauthorizeManagedKey(rootAddress, managedKey)
 
-      const account = getAccount({ signable: true })
-      const keyAuthorization = AccessKey.getPending(account, { store })
       try {
         const result = await fn(account, keyAuthorization ?? undefined)
         AccessKey.removePending(account, { store })
@@ -371,6 +439,11 @@ declare namespace loadManagedKey {
   type Options = {
     keyType?: 'secp256k1' | 'p256' | undefined
   }
+
+  type ReturnType = resolveManagedKey.ReturnType & {
+    expiry: number
+    storedAuthorization: KeyAuthorization.Signed
+  }
 }
 
 /** Entry shape persisted to secure storage for managed access keys. */

package/src/server/internal/handlers/codeAuth.ts

@@ -1,6 +1,6 @@
 import type { Chain, Client, Transport } from 'viem'
 import { createClient, http } from 'viem'
-import { tempo, tempoModerato } from 'viem/chains'
+import { tempo, tempoDevnet, tempoModerato } from 'viem/chains'
 import * as z from 'zod/mini'
 
 import * as CliAuth from '../../CliAuth.js'
@@ -20,7 +20,7 @@ import { type Handler, from } from '../../Handler.js'
  */
 export function codeAuth(options: codeAuth.Options = {}): Handler {
   const {
-    chains = [tempo, tempoModerato],
+    chains = [tempo, tempoModerato, tempoDevnet],
     now,
     path = '/auth/pkce',
     policy,
@@ -127,7 +127,7 @@ export declare namespace codeAuth {
     /**
      * Supported chains. The handler resolves the client based on chain IDs carried
      * by device-code requests and key authorizations.
-     * @default [tempo, tempoModerato]
+     * @default [tempo, tempoModerato, tempoDevnet]
      */
     chains?: readonly [Chain, ...Chain[]] | undefined
     /** Time source used for TTL evaluation. */

package/src/server/internal/handlers/relay.ts

@@ -15,7 +15,7 @@ import {
 } from 'viem'
 import type { LocalAccount } from 'viem/accounts'
 import { simulateCalls } from 'viem/actions'
-import { tempo, tempoLocalnet, tempoMainnet, tempoModerato } from 'viem/chains'
+import { tempo, tempoDevnet, tempoLocalnet, tempoMainnet, tempoModerato } from 'viem/chains'
 import { Abis, Actions, Addresses, Capabilities, Transaction } from 'viem/tempo'
 
 import * as ExecutionError from '../../../core/ExecutionError.js'
@@ -64,7 +64,7 @@ import * as Utils from './utils.js'
  */
 export function relay(options: relay.Options = {}): Handler {
   const {
-    chains = [tempo, tempoModerato],
+    chains = [tempo, tempoModerato, tempoDevnet],
     onRequest,
     path = '/',
     resolveTokens = (chainId) =>
@@ -420,6 +420,12 @@ export namespace relay {
       '0x20c0000000000000000000009e8d7eb59b783726', // USDC.e
       '0x20c000000000000000000000d72572838bbee59c', // EURC.e
     ],
+    [tempoDevnet.id]: [
+      '0x20c0000000000000000000000000000000000000', // pathUSD
+      '0x20c0000000000000000000000000000000000001', // alphaUSD
+      '0x20c0000000000000000000000000000000000002', // betaUSD
+      '0x20c0000000000000000000000000000000000003', // thetaUSD
+    ],
     [tempoLocalnet.id]: [
       '0x20c0000000000000000000000000000000000000', // pathUSD
       '0x20c0000000000000000000000000000000000001', // alphaUSD
@@ -442,7 +448,7 @@ export namespace relay {
     /**
      * Supported chains. The handler resolves the client based on the
      * `chainId` in the incoming transaction.
-     * @default [tempo, tempoModerato]
+     * @default [tempo, tempoModerato, tempoDevnet]
      */
     chains?: readonly [Chain, ...Chain[]] | undefined
     /**