kentucky-signer-viem 0.1.0

package/dist/index.mjs

@@ -0,0 +1,714 @@
+// src/account.ts
+import {
+  hashMessage,
+  hashTypedData,
+  keccak256,
+  serializeTransaction
+} from "viem";
+import { toAccount } from "viem/accounts";
+
+// src/client.ts
+var KentuckySignerError = class extends Error {
+  constructor(message, code, details) {
+    super(message);
+    this.code = code;
+    this.details = details;
+    this.name = "KentuckySignerError";
+  }
+};
+var KentuckySignerClient = class {
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.fetchImpl = options.fetch ?? globalThis.fetch;
+    this.timeout = options.timeout ?? 3e4;
+  }
+  /**
+   * Make an authenticated request to the API
+   */
+  async request(path, options = {}) {
+    const { token, ...fetchOptions } = options;
+    const headers = {
+      "Content-Type": "application/json",
+      ...options.headers
+    };
+    if (token) {
+      ;
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    try {
+      const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
+        ...fetchOptions,
+        headers,
+        signal: controller.signal
+      });
+      const data = await response.json();
+      if (!response.ok || data.success === false) {
+        const error = data;
+        throw new KentuckySignerError(
+          error.error?.message ?? "Unknown error",
+          error.error?.code ?? "UNKNOWN_ERROR",
+          error.error?.details
+        );
+      }
+      return data;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  /**
+   * Get a challenge for passkey authentication
+   *
+   * @param accountId - Account ID to authenticate
+   * @returns Challenge response with 32-byte challenge
+   */
+  async getChallenge(accountId) {
+    return this.request("/api/auth/challenge", {
+      method: "POST",
+      body: JSON.stringify({ account_id: accountId })
+    });
+  }
+  /**
+   * Authenticate with a passkey credential
+   *
+   * @param accountId - Account ID to authenticate
+   * @param credential - WebAuthn credential from navigator.credentials.get()
+   * @returns Authentication response with JWT token
+   */
+  async authenticatePasskey(accountId, credential) {
+    return this.request("/api/auth/passkey", {
+      method: "POST",
+      body: JSON.stringify({
+        account_id: accountId,
+        credential_id: credential.credentialId,
+        client_data_json: credential.clientDataJSON,
+        authenticator_data: credential.authenticatorData,
+        signature: credential.signature,
+        user_handle: credential.userHandle
+      })
+    });
+  }
+  /**
+   * Refresh an authentication token
+   *
+   * @param token - Current JWT token
+   * @returns New authentication response with fresh token
+   */
+  async refreshToken(token) {
+    return this.request("/api/auth/refresh", {
+      method: "POST",
+      token
+    });
+  }
+  /**
+   * Logout and invalidate token
+   *
+   * @param token - JWT token to invalidate
+   */
+  async logout(token) {
+    await this.request("/api/auth/logout", {
+      method: "POST",
+      token
+    });
+  }
+  /**
+   * Get account information
+   *
+   * @param accountId - Account ID
+   * @param token - JWT token
+   * @returns Account info with addresses and passkeys
+   */
+  async getAccountInfo(accountId, token) {
+    return this.request(`/api/accounts/${accountId}`, {
+      method: "GET",
+      token
+    });
+  }
+  /**
+   * Check if an account exists
+   *
+   * @param accountId - Account ID
+   * @param token - JWT token
+   * @returns True if account exists
+   */
+  async accountExists(accountId, token) {
+    try {
+      await this.request(`/api/accounts/${accountId}`, {
+        method: "HEAD",
+        token
+      });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Sign an EVM transaction hash
+   *
+   * @param request - Sign request with tx_hash and chain_id
+   * @param token - JWT token
+   * @returns Signature response with r, s, v components
+   */
+  async signEvmTransaction(request, token) {
+    return this.request("/api/sign/evm", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Sign a raw hash for EVM
+   *
+   * Convenience method that wraps signEvmTransaction.
+   *
+   * @param hash - 32-byte hash to sign (hex encoded with 0x prefix)
+   * @param chainId - Chain ID
+   * @param token - JWT token
+   * @returns Full signature (hex encoded with 0x prefix)
+   */
+  async signHash(hash, chainId, token) {
+    const response = await this.signEvmTransaction(
+      { tx_hash: hash, chain_id: chainId },
+      token
+    );
+    return response.signature.full;
+  }
+  /**
+   * Create a new account with passkey authentication
+   *
+   * @param credential - WebAuthn credential from navigator.credentials.create()
+   * @returns Account creation response with account ID and addresses
+   */
+  async createAccountWithPasskey(credential) {
+    return this.request("/api/accounts/create/passkey", {
+      method: "POST",
+      body: JSON.stringify({
+        credential_id: credential.credentialId,
+        public_key: credential.publicKey,
+        client_data_json: credential.clientDataJSON,
+        authenticator_data: credential.authenticatorData
+      })
+    });
+  }
+  /**
+   * Create a new account with password authentication
+   *
+   * @param request - Password and confirmation
+   * @returns Account creation response with account ID and addresses
+   */
+  async createAccountWithPassword(request) {
+    return this.request("/api/accounts/create/password", {
+      method: "POST",
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Authenticate with password
+   *
+   * @param request - Account ID and password
+   * @returns Authentication response with JWT token
+   */
+  async authenticatePassword(request) {
+    return this.request("/api/auth/password", {
+      method: "POST",
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Health check
+   *
+   * @returns True if the API is healthy
+   */
+  async healthCheck() {
+    try {
+      const response = await this.request("/api/health", {
+        method: "GET"
+      });
+      return response.status === "ok";
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get API version
+   *
+   * @returns Version string
+   */
+  async getVersion() {
+    const response = await this.request("/api/version", {
+      method: "GET"
+    });
+    return response.version;
+  }
+};
+function createClient(options) {
+  return new KentuckySignerClient(options);
+}
+
+// src/account.ts
+function createKentuckySignerAccount(options) {
+  const { config, defaultChainId = 1, onSessionExpired } = options;
+  let session = options.session;
+  const client = new KentuckySignerClient({ baseUrl: config.baseUrl });
+  async function getToken() {
+    if (Date.now() + 6e4 >= session.expiresAt) {
+      if (onSessionExpired) {
+        session = await onSessionExpired();
+      } else {
+        throw new KentuckySignerError(
+          "Session expired",
+          "SESSION_EXPIRED",
+          "Please re-authenticate with your passkey"
+        );
+      }
+    }
+    return session.token;
+  }
+  async function signHash(hash, chainId) {
+    const token = await getToken();
+    const response = await client.signEvmTransaction(
+      { tx_hash: hash, chain_id: chainId },
+      token
+    );
+    return response.signature.full;
+  }
+  function parseSignature(signature) {
+    const r = `0x${signature.slice(2, 66)}`;
+    const s = `0x${signature.slice(66, 130)}`;
+    const v = BigInt(`0x${signature.slice(130, 132)}`);
+    return { r, s, v };
+  }
+  const account = toAccount({
+    address: session.evmAddress,
+    /**
+     * Sign a message
+     *
+     * Supports string messages, hex messages, and raw bytes.
+     */
+    async signMessage({ message }) {
+      const messageHash = hashMessage(message);
+      return signHash(messageHash, defaultChainId);
+    },
+    /**
+     * Sign a transaction
+     *
+     * Serializes the transaction, hashes it, signs via Kentucky Signer,
+     * and returns the signed serialized transaction.
+     */
+    async signTransaction(transaction) {
+      const chainId = transaction.chainId ?? defaultChainId;
+      const serializedUnsigned = serializeTransaction(transaction);
+      const txHash = keccak256(serializedUnsigned);
+      const signature = await signHash(txHash, chainId);
+      const { r, s, v } = parseSignature(signature);
+      let yParity;
+      if (transaction.type === "eip1559" || transaction.type === "eip2930" || transaction.type === "eip4844" || transaction.type === "eip7702") {
+        yParity = Number(v) - 27;
+      } else {
+        yParity = Number(v);
+      }
+      const serializedSigned = serializeTransaction(transaction, {
+        r,
+        s,
+        v: BigInt(yParity),
+        yParity
+      });
+      return serializedSigned;
+    },
+    /**
+     * Sign typed data (EIP-712)
+     */
+    async signTypedData(typedData) {
+      const hash = hashTypedData(typedData);
+      return signHash(hash, defaultChainId);
+    }
+  });
+  account.source = "kentuckySigner";
+  account.accountId = config.accountId;
+  account.session = session;
+  account.updateSession = (newSession) => {
+    session = newSession;
+    if (newSession.evmAddress !== account.address) {
+      ;
+      account.address = newSession.evmAddress;
+    }
+  };
+  return account;
+}
+function createServerAccount(baseUrl, accountId, token, evmAddress, chainId = 1) {
+  const session = {
+    token,
+    accountId,
+    evmAddress,
+    expiresAt: Date.now() + 36e5
+    // 1 hour default
+  };
+  return createKentuckySignerAccount({
+    config: { baseUrl, accountId },
+    session,
+    defaultChainId: chainId
+  });
+}
+
+// src/utils.ts
+function base64UrlEncode(data) {
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(data).toString("base64");
+  } else {
+    const binary = Array.from(data).map((byte) => String.fromCharCode(byte)).join("");
+    base64 = btoa(binary);
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = (4 - base64.length % 4) % 4;
+  base64 += "=".repeat(padding);
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+}
+function hexToBytes(hex) {
+  const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const bytes = new Uint8Array(cleanHex.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(cleanHex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+function bytesToHex(bytes, withPrefix = true) {
+  const hex = Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return withPrefix ? `0x${hex}` : hex;
+}
+function isValidAccountId(accountId) {
+  return /^[0-9a-fA-F]{64}$/.test(accountId);
+}
+function isValidEvmAddress(address) {
+  return /^0x[0-9a-fA-F]{40}$/.test(address);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function withRetry(fn, maxRetries = 3, baseDelay = 1e3) {
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error;
+      if (attempt < maxRetries) {
+        const delay = baseDelay * Math.pow(2, attempt);
+        await sleep(delay);
+      }
+    }
+  }
+  throw lastError;
+}
+function parseJwt(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const payload = base64UrlDecode(parts[1]);
+  const text = new TextDecoder().decode(payload);
+  return JSON.parse(text);
+}
+function getJwtExpiration(token) {
+  try {
+    const payload = parseJwt(token);
+    if (typeof payload.exp === "number") {
+      return payload.exp * 1e3;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function formatError(error) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  return "An unknown error occurred";
+}
+
+// src/auth.ts
+function isWebAuthnAvailable() {
+  return typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator.credentials !== "undefined";
+}
+var MemoryTokenStorage = class {
+  constructor() {
+    this.token = null;
+    this.expiresAt = 0;
+  }
+  async getToken() {
+    if (this.token && Date.now() < this.expiresAt) {
+      return this.token;
+    }
+    return null;
+  }
+  async setToken(token, expiresAt) {
+    this.token = token;
+    this.expiresAt = expiresAt;
+  }
+  async clearToken() {
+    this.token = null;
+    this.expiresAt = 0;
+  }
+};
+var LocalStorageTokenStorage = class {
+  constructor(keyPrefix = "kentucky_signer") {
+    this.keyPrefix = keyPrefix;
+  }
+  async getToken() {
+    if (typeof localStorage === "undefined") return null;
+    const token = localStorage.getItem(`${this.keyPrefix}_token`);
+    const expiresAt = localStorage.getItem(`${this.keyPrefix}_expires`);
+    if (token && expiresAt && Date.now() < parseInt(expiresAt, 10)) {
+      return token;
+    }
+    await this.clearToken();
+    return null;
+  }
+  async setToken(token, expiresAt) {
+    if (typeof localStorage === "undefined") return;
+    localStorage.setItem(`${this.keyPrefix}_token`, token);
+    localStorage.setItem(`${this.keyPrefix}_expires`, expiresAt.toString());
+  }
+  async clearToken() {
+    if (typeof localStorage === "undefined") return;
+    localStorage.removeItem(`${this.keyPrefix}_token`);
+    localStorage.removeItem(`${this.keyPrefix}_expires`);
+  }
+};
+function credentialToPasskey(credential) {
+  const response = credential.response;
+  return {
+    credentialId: base64UrlEncode(new Uint8Array(credential.rawId)),
+    clientDataJSON: base64UrlEncode(new Uint8Array(response.clientDataJSON)),
+    authenticatorData: base64UrlEncode(new Uint8Array(response.authenticatorData)),
+    signature: base64UrlEncode(new Uint8Array(response.signature)),
+    userHandle: response.userHandle ? base64UrlEncode(new Uint8Array(response.userHandle)) : void 0
+  };
+}
+async function authenticateWithPasskey(options) {
+  if (!isWebAuthnAvailable()) {
+    throw new KentuckySignerError(
+      "WebAuthn is not available in this environment",
+      "WEBAUTHN_NOT_AVAILABLE",
+      "Use authenticateWithToken() for server-side authentication"
+    );
+  }
+  const client = new KentuckySignerClient({ baseUrl: options.baseUrl });
+  const challengeResponse = await client.getChallenge(options.accountId);
+  const challengeBytes = base64UrlDecode(challengeResponse.challenge);
+  const credentialRequestOptions = {
+    publicKey: {
+      challenge: challengeBytes.buffer,
+      timeout: 6e4,
+      rpId: options.rpId ?? window.location.hostname,
+      userVerification: "preferred",
+      allowCredentials: options.allowCredentials?.map((id) => ({
+        type: "public-key",
+        id: base64UrlDecode(id).buffer
+      }))
+    }
+  };
+  const credential = await navigator.credentials.get(
+    credentialRequestOptions
+  );
+  if (!credential) {
+    throw new KentuckySignerError(
+      "User cancelled passkey authentication",
+      "USER_CANCELLED"
+    );
+  }
+  const passkeyCredential = credentialToPasskey(credential);
+  const authResponse = await client.authenticatePasskey(
+    options.accountId,
+    passkeyCredential
+  );
+  const accountInfo = await client.getAccountInfo(
+    options.accountId,
+    authResponse.token
+  );
+  const expiresAt = Date.now() + authResponse.expires_in * 1e3;
+  return {
+    token: authResponse.token,
+    accountId: options.accountId,
+    evmAddress: accountInfo.addresses.evm,
+    btcAddress: accountInfo.addresses.bitcoin,
+    solAddress: accountInfo.addresses.solana,
+    expiresAt
+  };
+}
+async function authenticateWithToken(baseUrl, accountId, token, expiresAt) {
+  const client = new KentuckySignerClient({ baseUrl });
+  const accountInfo = await client.getAccountInfo(accountId, token);
+  return {
+    token,
+    accountId,
+    evmAddress: accountInfo.addresses.evm,
+    btcAddress: accountInfo.addresses.bitcoin,
+    solAddress: accountInfo.addresses.solana,
+    expiresAt: expiresAt ?? Date.now() + 36e5
+    // Default 1 hour if not specified
+  };
+}
+async function registerPasskey(options) {
+  if (!isWebAuthnAvailable()) {
+    throw new KentuckySignerError(
+      "WebAuthn is not available in this environment",
+      "WEBAUTHN_NOT_AVAILABLE"
+    );
+  }
+  const userId = new Uint8Array(32);
+  crypto.getRandomValues(userId);
+  const challenge = new Uint8Array(32);
+  crypto.getRandomValues(challenge);
+  const createOptions = {
+    publicKey: {
+      challenge,
+      rp: {
+        name: options.rpName ?? "Kentucky Signer",
+        id: options.rpId ?? window.location.hostname
+      },
+      user: {
+        id: userId,
+        name: options.username ?? "user@example.com",
+        displayName: options.username ?? "User"
+      },
+      pubKeyCredParams: [
+        { type: "public-key", alg: -7 },
+        // ES256 (P-256)
+        { type: "public-key", alg: -257 }
+        // RS256
+      ],
+      authenticatorSelection: {
+        authenticatorAttachment: "platform",
+        userVerification: "preferred",
+        residentKey: "preferred"
+      },
+      timeout: 6e4,
+      attestation: "none"
+    }
+  };
+  const credential = await navigator.credentials.create(
+    createOptions
+  );
+  if (!credential) {
+    throw new KentuckySignerError(
+      "User cancelled passkey registration",
+      "USER_CANCELLED"
+    );
+  }
+  const response = credential.response;
+  const publicKeyBytes = response.getPublicKey?.();
+  if (!publicKeyBytes) {
+    throw new KentuckySignerError(
+      "Failed to get public key from credential",
+      "PUBLIC_KEY_ERROR"
+    );
+  }
+  return {
+    credentialId: base64UrlEncode(new Uint8Array(credential.rawId)),
+    clientDataJSON: base64UrlEncode(new Uint8Array(response.clientDataJSON)),
+    authenticatorData: base64UrlEncode(new Uint8Array(response.getAuthenticatorData())),
+    signature: "",
+    // Not applicable for registration
+    publicKey: base64UrlEncode(new Uint8Array(publicKeyBytes))
+  };
+}
+function isSessionValid(session, bufferMs = 6e4) {
+  return Date.now() + bufferMs < session.expiresAt;
+}
+async function refreshSessionIfNeeded(session, baseUrl, bufferMs = 6e4) {
+  if (isSessionValid(session, bufferMs)) {
+    return session;
+  }
+  const client = new KentuckySignerClient({ baseUrl });
+  const authResponse = await client.refreshToken(session.token);
+  return {
+    ...session,
+    token: authResponse.token,
+    expiresAt: Date.now() + authResponse.expires_in * 1e3
+  };
+}
+async function authenticateWithPassword(options) {
+  const client = new KentuckySignerClient({ baseUrl: options.baseUrl });
+  const authResponse = await client.authenticatePassword({
+    account_id: options.accountId,
+    password: options.password
+  });
+  const accountInfo = await client.getAccountInfo(
+    options.accountId,
+    authResponse.token
+  );
+  const expiresAt = Date.now() + authResponse.expires_in * 1e3;
+  return {
+    token: authResponse.token,
+    accountId: options.accountId,
+    evmAddress: accountInfo.addresses.evm,
+    btcAddress: accountInfo.addresses.bitcoin,
+    solAddress: accountInfo.addresses.solana,
+    expiresAt
+  };
+}
+async function createAccountWithPassword(options) {
+  if (options.password !== options.confirmation) {
+    throw new KentuckySignerError(
+      "Password and confirmation do not match",
+      "PASSWORD_MISMATCH"
+    );
+  }
+  if (options.password.length < 8 || options.password.length > 128) {
+    throw new KentuckySignerError(
+      "Password must be 8-128 characters",
+      "INVALID_PASSWORD"
+    );
+  }
+  const client = new KentuckySignerClient({ baseUrl: options.baseUrl });
+  return client.createAccountWithPassword({
+    password: options.password,
+    confirmation: options.confirmation
+  });
+}
+export {
+  KentuckySignerClient,
+  KentuckySignerError,
+  LocalStorageTokenStorage,
+  MemoryTokenStorage,
+  authenticateWithPasskey,
+  authenticateWithPassword,
+  authenticateWithToken,
+  base64UrlDecode,
+  base64UrlEncode,
+  bytesToHex,
+  createAccountWithPassword,
+  createClient,
+  createKentuckySignerAccount,
+  createServerAccount,
+  formatError,
+  getJwtExpiration,
+  hexToBytes,
+  isSessionValid,
+  isValidAccountId,
+  isValidEvmAddress,
+  isWebAuthnAvailable,
+  parseJwt,
+  refreshSessionIfNeeded,
+  registerPasskey,
+  withRetry
+};
+//# sourceMappingURL=index.mjs.map