kentucky-signer-viem 0.1.1 → 0.1.3

package/src/account.ts

@@ -19,6 +19,28 @@ import {
 import { toAccount } from 'viem/accounts'
 import type { AuthSession, KentuckySignerConfig } from './types'
 import { KentuckySignerClient, KentuckySignerError } from './client'
+import { SecureKentuckySignerClient } from './secure-client'
+import type { EphemeralKeyManager } from './ephemeral'
+
+/**
+ * 2FA codes for signing operations
+ */
+export interface TwoFactorCodes {
+  /** TOTP code from authenticator app */
+  totpCode?: string
+  /** PIN code */
+  pin?: string
+}
+
+/**
+ * Callback to request 2FA codes from the user
+ * Returns null/undefined if user cancels
+ */
+export type TwoFactorCallback = (requirements: {
+  totpRequired: boolean
+  pinRequired: boolean
+  pinLength: number
+}) => Promise<TwoFactorCodes | null | undefined>
 
 /**
  * Options for creating a Kentucky Signer account
@@ -32,6 +54,10 @@ export interface KentuckySignerAccountOptions {
   defaultChainId?: number
   /** Callback when session needs refresh */
   onSessionExpired?: () => Promise<AuthSession>
+  /** Optional secure client for ephemeral key signing */
+  secureClient?: SecureKentuckySignerClient
+  /** Callback to request 2FA codes when required */
+  on2FARequired?: TwoFactorCallback
 }
 
 /**
@@ -81,10 +107,11 @@ export interface KentuckySignerAccount extends LocalAccount<'kentuckySigner'> {
 export function createKentuckySignerAccount(
   options: KentuckySignerAccountOptions
 ): KentuckySignerAccount {
-  const { config, defaultChainId = 1, onSessionExpired } = options
+  const { config, defaultChainId = 1, onSessionExpired, secureClient, on2FARequired } = options
   let session = options.session
 
-  const client = new KentuckySignerClient({ baseUrl: config.baseUrl })
+  // Use secure client if provided, otherwise use standard client
+  const client = secureClient ?? new KentuckySignerClient({ baseUrl: config.baseUrl })
 
   /**
    * Get current token, refreshing if needed
@@ -106,26 +133,91 @@ export function createKentuckySignerAccount(
   }
 
   /**
-   * Sign a hash using Kentucky Signer
+   * Sign a hash using Kentucky Signer and return full signature
+   * Handles 2FA by detecting the error and calling the callback
    */
   async function signHash(hash: Hex, chainId: number): Promise<Hex> {
     const token = await getToken()
-    const response = await client.signEvmTransaction(
-      { tx_hash: hash, chain_id: chainId },
-      token
-    )
-    return response.signature.full
+
+    // First attempt without 2FA codes
+    try {
+      const response = await client.signEvmTransaction(
+        { tx_hash: hash, chain_id: chainId },
+        token
+      )
+      return response.signature.full
+    } catch (err) {
+      // Check if 2FA is required
+      if (err instanceof KentuckySignerError && err.code === '2FA_REQUIRED' && on2FARequired) {
+        // Parse requirements from error details
+        const totpRequired = err.message.includes('TOTP') || (err.details?.includes('totp_code') ?? false)
+        const pinRequired = err.message.includes('PIN') || (err.details?.includes('pin') ?? false)
+        // Default to 6-digit PIN if required
+        const pinLength = err.details?.match(/(\d)-digit/)?.[1] ? parseInt(err.details.match(/(\d)-digit/)![1]) : 6
+
+        // Request 2FA codes from user
+        const codes = await on2FARequired({ totpRequired, pinRequired, pinLength })
+        if (!codes) {
+          throw new KentuckySignerError('2FA verification cancelled', '2FA_CANCELLED', 'User cancelled 2FA input')
+        }
+
+        // Retry with 2FA codes
+        const response = await client.signEvmTransactionWith2FA(
+          { tx_hash: hash, chain_id: chainId, totp_code: codes.totpCode, pin: codes.pin },
+          token
+        )
+        return response.signature.full
+      }
+      throw err
+    }
   }
 
   /**
-   * Parse signature components from full signature
+   * Sign a hash using Kentucky Signer and return signature components
+   * Handles 2FA by detecting the error and calling the callback
    */
-  function parseSignature(signature: Hex): { r: Hex; s: Hex; v: bigint } {
-    // Signature is 65 bytes: r (32) + s (32) + v (1)
-    const r = `0x${signature.slice(2, 66)}` as Hex
-    const s = `0x${signature.slice(66, 130)}` as Hex
-    const v = BigInt(`0x${signature.slice(130, 132)}`)
-    return { r, s, v }
+  async function signHashWithComponents(hash: Hex, chainId: number): Promise<{ r: Hex; s: Hex; v: number }> {
+    const token = await getToken()
+
+    // First attempt without 2FA codes
+    try {
+      const response = await client.signEvmTransaction(
+        { tx_hash: hash, chain_id: chainId },
+        token
+      )
+      return {
+        r: response.signature.r,
+        s: response.signature.s,
+        v: response.signature.v,
+      }
+    } catch (err) {
+      // Check if 2FA is required
+      if (err instanceof KentuckySignerError && err.code === '2FA_REQUIRED' && on2FARequired) {
+        // Parse requirements from error details
+        const totpRequired = err.message.includes('TOTP') || (err.details?.includes('totp_code') ?? false)
+        const pinRequired = err.message.includes('PIN') || (err.details?.includes('pin') ?? false)
+        // Default to 6-digit PIN if required
+        const pinLength = err.details?.match(/(\d)-digit/)?.[1] ? parseInt(err.details.match(/(\d)-digit/)![1]) : 6
+
+        // Request 2FA codes from user
+        const codes = await on2FARequired({ totpRequired, pinRequired, pinLength })
+        if (!codes) {
+          throw new KentuckySignerError('2FA verification cancelled', '2FA_CANCELLED', 'User cancelled 2FA input')
+        }
+
+        // Retry with 2FA codes
+        const response = await client.signEvmTransactionWith2FA(
+          { tx_hash: hash, chain_id: chainId, totp_code: codes.totpCode, pin: codes.pin },
+          token
+        )
+        return {
+          r: response.signature.r,
+          s: response.signature.s,
+          v: response.signature.v,
+        }
+      }
+      throw err
+    }
   }
 
   const account = toAccount({
@@ -159,11 +251,8 @@ export function createKentuckySignerAccount(
       // Hash the serialized transaction
       const txHash = keccak256(serializedUnsigned)
 
-      // Sign the hash
-      const signature = await signHash(txHash, chainId)
-
-      // Parse signature components
-      const { r, s, v } = parseSignature(signature)
+      // Sign the hash and get components directly from API
+      const { r, s, v } = await signHashWithComponents(txHash, chainId)
 
       // For EIP-1559 and EIP-2930 transactions, v is 0 or 1
       // For legacy transactions, v is chainId * 2 + 35 + recovery
@@ -174,10 +263,10 @@ export function createKentuckySignerAccount(
         transaction.type === 'eip4844' ||
         transaction.type === 'eip7702'
       ) {
-        yParity = Number(v) - 27 // Convert from 27/28 to 0/1
+        yParity = v >= 27 ? v - 27 : v // Convert from 27/28 to 0/1 if needed
       } else {
         // Legacy transaction - v already includes chain ID
-        yParity = Number(v)
+        yParity = v
       }
 
       // Serialize with signature

package/src/auth.ts

@@ -164,7 +164,8 @@ export async function authenticateWithPasskey(
   const passkeyCredential = credentialToPasskey(credential)
   const authResponse = await client.authenticatePasskey(
     options.accountId,
-    passkeyCredential
+    passkeyCredential,
+    options.ephemeralPublicKey
   )
 
   // Step 5: Get account info to retrieve addresses
@@ -222,11 +223,11 @@ export async function authenticateWithToken(
  * Register a new passkey for account creation (browser only)
  *
  * @param options - Registration options
- * @returns Registration credential with public key
+ * @returns Registration credential with public key and attestation object
  */
 export async function registerPasskey(
   options: PasskeyRegistrationOptions
-): Promise<PasskeyCredential & { publicKey: string }> {
+): Promise<PasskeyCredential & { publicKey: string; attestationObject: string }> {
   if (!isWebAuthnAvailable()) {
     throw new KentuckySignerError(
       'WebAuthn is not available in this environment',
@@ -294,6 +295,7 @@ export async function registerPasskey(
     credentialId: base64UrlEncode(new Uint8Array(credential.rawId)),
     clientDataJSON: base64UrlEncode(new Uint8Array(response.clientDataJSON)),
     authenticatorData: base64UrlEncode(new Uint8Array(response.getAuthenticatorData())),
+    attestationObject: base64UrlEncode(new Uint8Array(response.attestationObject)),
     signature: '', // Not applicable for registration
     publicKey: base64UrlEncode(new Uint8Array(publicKeyBytes)),
   }
@@ -357,11 +359,19 @@ export async function authenticateWithPassword(
 ): Promise<AuthSession> {
   const client = new KentuckySignerClient({ baseUrl: options.baseUrl })
 
-  // Authenticate with password
-  const authResponse = await client.authenticatePassword({
+  // Build auth request with optional ephemeral key
+  const authRequest: { account_id: string; password: string; ephemeral_public_key?: string } = {
     account_id: options.accountId,
     password: options.password,
-  })
+  }
+
+  // Add ephemeral public key if provided (for secure mode binding)
+  if (options.ephemeralPublicKey) {
+    authRequest.ephemeral_public_key = options.ephemeralPublicKey
+  }
+
+  // Authenticate with password
+  const authResponse = await client.authenticatePassword(authRequest)
 
   // Get account info to retrieve addresses
   const accountInfo = await client.getAccountInfo(