ox 0.12.4 → 0.13.1

package/tempo/SignatureEnvelope.test.ts

@@ -772,6 +772,153 @@ describe('deserialize', () => {
   })
 })
 
+describe('extractAddress', () => {
+  describe('secp256k1', () => {
+    test('default', () => {
+      const privateKey = Secp256k1.randomPrivateKey()
+      const address = Address.fromPublicKey(
+        Secp256k1.getPublicKey({ privateKey }),
+      )
+      const payload = '0xdeadbeef' as const
+
+      const signature = Secp256k1.sign({ payload, privateKey })
+      const envelope = SignatureEnvelope.from(signature)
+
+      expect(
+        SignatureEnvelope.extractAddress({ payload, signature: envelope }),
+      ).toBe(address)
+    })
+  })
+
+  describe('p256', () => {
+    test('default', () => {
+      const privateKey = P256.randomPrivateKey()
+      const pk = P256.getPublicKey({ privateKey })
+      const address = Address.fromPublicKey(pk)
+      const payload = '0xdeadbeef' as const
+
+      const signature = P256.sign({ payload, privateKey })
+      const envelope = SignatureEnvelope.from({
+        prehash: false,
+        publicKey: pk,
+        signature,
+      })
+
+      expect(
+        SignatureEnvelope.extractAddress({ payload, signature: envelope }),
+      ).toBe(address)
+    })
+  })
+
+  describe('webAuthn', () => {
+    test('default', () => {
+      const address = Address.fromPublicKey(publicKey)
+
+      expect(
+        SignatureEnvelope.extractAddress({
+          payload: '0xdeadbeef',
+          signature: signature_webauthn,
+        }),
+      ).toBe(address)
+    })
+  })
+
+  describe('keychain', () => {
+    test('default', () => {
+      const privateKey = Secp256k1.randomPrivateKey()
+      const address = Address.fromPublicKey(
+        Secp256k1.getPublicKey({ privateKey }),
+      )
+      const payload = '0xdeadbeef' as const
+
+      const signature = Secp256k1.sign({ payload, privateKey })
+      const envelope = SignatureEnvelope.from({
+        userAddress: '0x1234567890123456789012345678901234567890',
+        inner: SignatureEnvelope.from(signature),
+      })
+
+      expect(
+        SignatureEnvelope.extractAddress({ payload, signature: envelope }),
+      ).toBe(address)
+    })
+
+    test('behavior: root = true returns userAddress', () => {
+      expect(
+        SignatureEnvelope.extractAddress({
+          payload: '0xdeadbeef',
+          signature: signature_keychain_secp256k1,
+          root: true,
+        }),
+      ).toBe('0x1234567890123456789012345678901234567890')
+    })
+  })
+})
+
+describe('extractPublicKey', () => {
+  describe('secp256k1', () => {
+    test('default', () => {
+      const privateKey = Secp256k1.randomPrivateKey()
+      const pk = Secp256k1.getPublicKey({ privateKey })
+      const payload = '0xdeadbeef' as const
+
+      const signature = Secp256k1.sign({ payload, privateKey })
+      const envelope = SignatureEnvelope.from(signature)
+
+      expect(
+        SignatureEnvelope.extractPublicKey({ payload, signature: envelope }),
+      ).toEqual(pk)
+    })
+  })
+
+  describe('p256', () => {
+    test('default', () => {
+      const privateKey = P256.randomPrivateKey()
+      const pk = P256.getPublicKey({ privateKey })
+      const payload = '0xdeadbeef' as const
+
+      const signature = P256.sign({ payload, privateKey })
+      const envelope = SignatureEnvelope.from({
+        prehash: false,
+        publicKey: pk,
+        signature,
+      })
+
+      expect(
+        SignatureEnvelope.extractPublicKey({ payload, signature: envelope }),
+      ).toEqual(pk)
+    })
+  })
+
+  describe('webAuthn', () => {
+    test('default', () => {
+      expect(
+        SignatureEnvelope.extractPublicKey({
+          payload: '0xdeadbeef',
+          signature: signature_webauthn,
+        }),
+      ).toEqual(publicKey)
+    })
+  })
+
+  describe('keychain', () => {
+    test('default', () => {
+      const privateKey = Secp256k1.randomPrivateKey()
+      const pk = Secp256k1.getPublicKey({ privateKey })
+      const payload = '0xdeadbeef' as const
+
+      const signature = Secp256k1.sign({ payload, privateKey })
+      const envelope = SignatureEnvelope.from({
+        userAddress: '0x1234567890123456789012345678901234567890',
+        inner: SignatureEnvelope.from(signature),
+      })
+
+      expect(
+        SignatureEnvelope.extractPublicKey({ payload, signature: envelope }),
+      ).toEqual(pk)
+    })
+  })
+})
+
 describe('from', () => {
   describe('secp256k1', () => {
     test('behavior: coerces from hex string', () => {

package/tempo/SignatureEnvelope.ts

@@ -269,6 +269,119 @@ export declare namespace assert {
     | Errors.GlobalErrorType
 }
 
+/**
+ * Extracts the address of the signer from a {@link ox#SignatureEnvelope.SignatureEnvelope}.
+ *
+ * - **secp256k1**: Recovers the address from the payload via `ecrecover`.
+ * - **p256** / **webAuthn**: Derives the address from the embedded public key.
+ * - **keychain**: Extracts from the inner signature (or returns `userAddress` if `user` is `true`).
+ *
+ * @example
+ * ```ts twoslash
+ * import { Secp256k1 } from 'ox'
+ * import { SignatureEnvelope } from 'ox/tempo'
+ *
+ * const payload = '0xdeadbeef'
+ * const signature = Secp256k1.sign({ payload, privateKey: '0x...' })
+ * const envelope = SignatureEnvelope.from(signature)
+ *
+ * const address = SignatureEnvelope.extractAddress({ // [!code focus]
+ *   payload, // [!code focus]
+ *   signature: envelope, // [!code focus]
+ * }) // [!code focus]
+ * ```
+ *
+ * @param options - The extraction options.
+ * @returns The signer address.
+ */
+export function extractAddress(
+  options: extractAddress.Options,
+): extractAddress.ReturnType {
+  const { signature, root } = options
+  if (signature.type === 'keychain') {
+    if (root) return signature.userAddress
+    return extractAddress({ ...options, signature: signature.inner })
+  }
+  return Address.fromPublicKey(extractPublicKey(options))
+}
+
+export declare namespace extractAddress {
+  type Options = {
+    /** The sign payload that was signed (only required for secp256k1 signatures). */
+    payload: Hex.Hex | Bytes.Bytes
+    /** The signature envelope. */
+    signature: SignatureEnvelope
+    /** Whether to return the root `userAddress` for keychain signatures instead of extracting from the inner signature. */
+    root?: boolean | undefined
+  }
+
+  type ReturnType = Address.Address
+
+  type ErrorType =
+    | Address.fromPublicKey.ErrorType
+    | extractPublicKey.ErrorType
+    | Errors.GlobalErrorType
+}
+
+/**
+ * Extracts the public key of the signer from a {@link ox#SignatureEnvelope.SignatureEnvelope}.
+ *
+ * - **secp256k1**: Recovers the public key from the payload via `ecrecover`.
+ * - **p256** / **webAuthn**: Returns the embedded public key.
+ * - **keychain**: Extracts from the inner signature.
+ *
+ * @example
+ * ```ts twoslash
+ * import { Secp256k1 } from 'ox'
+ * import { SignatureEnvelope } from 'ox/tempo'
+ *
+ * const payload = '0xdeadbeef'
+ * const signature = Secp256k1.sign({ payload, privateKey: '0x...' })
+ * const envelope = SignatureEnvelope.from(signature)
+ *
+ * const publicKey = SignatureEnvelope.extractPublicKey({ // [!code focus]
+ *   payload, // [!code focus]
+ *   signature: envelope, // [!code focus]
+ * }) // [!code focus]
+ * ```
+ *
+ * @param options - The extraction options.
+ * @returns The signer's public key.
+ */
+export function extractPublicKey(
+  options: extractPublicKey.Options,
+): extractPublicKey.ReturnType {
+  const { payload, signature } = options
+
+  switch (signature.type) {
+    case 'secp256k1':
+      return ox_Secp256k1.recoverPublicKey({
+        payload,
+        signature: signature.signature,
+      })
+    case 'p256':
+    case 'webAuthn':
+      return signature.publicKey
+    case 'keychain':
+      return extractPublicKey({ payload, signature: signature.inner })
+  }
+}
+
+export declare namespace extractPublicKey {
+  type Options = {
+    /** The sign payload that was signed (only required for secp256k1 signatures). */
+    payload: Hex.Hex | Bytes.Bytes
+    /** The signature envelope. */
+    signature: SignatureEnvelope
+  }
+
+  type ReturnType = PublicKey.PublicKey
+
+  type ErrorType =
+    | ox_Secp256k1.recoverPublicKey.ErrorType
+    | Errors.GlobalErrorType
+}
+
 /**
  * Deserializes a hex-encoded signature envelope into a typed signature object.
  *

package/tempo/Transaction.ts

@@ -13,7 +13,7 @@ import type { Call } from './TxEnvelopeTempo.js'
 /**
  * A Transaction as defined in the [Execution API specification](https://github.com/ethereum/execution-apis/blob/main/src/schemas/transaction.yaml).
  *
- * @see {@link https://docs.tempo.xyz/protocol/transactions Tempo Transactions}
+ * @see {@link https://docs.tempo.xyz/protocol/transactions}
  */
 export type Transaction<
   pending extends boolean = false,
@@ -39,7 +39,7 @@ export type Rpc<pending extends boolean = false> = UnionCompute<
  * Features configurable fee tokens, call batching, fee sponsorship, access keys,
  * parallelizable nonces, and scheduled execution via `validAfter`/`validBefore`.
  *
- * @see {@link https://docs.tempo.xyz/protocol/transactions/spec-tempo-transaction Tempo Transaction Specification}
+ * @see {@link https://docs.tempo.xyz/protocol/transactions/spec-tempo-transaction}
  */
 export type Tempo<
   pending extends boolean = false,

package/tempo/TransactionReceipt.ts

@@ -9,7 +9,7 @@ import * as ox_TransactionReceipt from '../core/TransactionReceipt.js'
  * Extends standard receipts with `feePayer` (the address that paid fees) and
  * `feeToken` (the TIP-20 token used for fee payment).
  *
- * @see {@link https://docs.tempo.xyz/protocol/transactions Tempo Transactions}
+ * @see {@link https://docs.tempo.xyz/protocol/transactions}
  */
 export type TransactionReceipt<
   status = ox_TransactionReceipt.Status,
@@ -60,7 +60,7 @@ export const toRpcType = {
 /**
  * Converts an RPC receipt to a TransactionReceipt.
  *
- * @see {@link https://docs.tempo.xyz/protocol/transactions Tempo Transactions}
+ * @see {@link https://docs.tempo.xyz/protocol/transactions}
  *
  * @example
  * ```ts twoslash

package/tempo/TransactionRequest.ts

@@ -16,7 +16,7 @@ type KeyType = 'secp256k1' | 'p256' | 'webAuthn'
  * Extends the [Execution API specification](https://github.com/ethereum/execution-apis/blob/4aca1d7a3e5aab24c8f6437131289ad386944eaa/src/schemas/transaction.yaml#L358-L423)
  * with Tempo-specific fields for batched calls, fee tokens, access keys, and scheduled execution.
  *
- * @see {@link https://docs.tempo.xyz/protocol/transactions Tempo Transactions}
+ * @see {@link https://docs.tempo.xyz/protocol/transactions}
  */
 export type TransactionRequest<
   bigintType = bigint,
@@ -54,7 +54,7 @@ export type Rpc = Omit<
 /**
  * Converts a {@link ox#TransactionRequest.TransactionRequest} to a {@link ox#TransactionRequest.Rpc}.
  *
- * @see {@link https://docs.tempo.xyz/protocol/transactions Tempo Transactions}
+ * @see {@link https://docs.tempo.xyz/protocol/transactions}
  *
  * @example
  * ```ts twoslash

package/tempo/TxEnvelopeTempo.ts

@@ -378,18 +378,11 @@ export function deserialize(serialized: Serialized): Compute<TxEnvelopeTempo> {
   // Recover sender address from the signature if not already set.
   if (!transaction.from && signatureEnvelope) {
     try {
-      if (signatureEnvelope.type === 'keychain')
-        transaction.from = signatureEnvelope.userAddress
-      else if (
-        signatureEnvelope.type === 'p256' ||
-        signatureEnvelope.type === 'webAuthn'
-      )
-        transaction.from = Address.fromPublicKey(signatureEnvelope.publicKey)
-      else if (signatureEnvelope.type === 'secp256k1')
-        transaction.from = Secp256k1.recoverAddress({
-          payload: getSignPayload(from(transaction)),
-          signature: signatureEnvelope.signature,
-        })
+      transaction.from = SignatureEnvelope.extractAddress({
+        payload: getSignPayload(from(transaction)),
+        signature: signatureEnvelope,
+        root: true,
+      })
     } catch {}
   }
 

package/tempo/e2e.test.ts

@@ -1391,4 +1391,269 @@ describe('behavior: keyAuthorization', () => {
       expect(receipt).toBeDefined()
     }
   })
+
+  test('behavior: access key with limits + expiry', async () => {
+    const privateKey = P256.randomPrivateKey()
+    const publicKey = P256.getPublicKey({ privateKey })
+    const address = Address.fromPublicKey(publicKey)
+    const access = {
+      address,
+      publicKey,
+      privateKey,
+    } as const
+
+    const keyAuth = KeyAuthorization.from({
+      address: access.address,
+      type: 'p256',
+      expiry: Math.floor(Date.now() / 1000) + 60 * 60,
+      limits: [
+        {
+          token: '0x20c0000000000000000000000000000000000001',
+          limit: Value.from('1000', 6),
+        },
+      ],
+    })
+
+    const keyAuth_signature = Secp256k1.sign({
+      payload: KeyAuthorization.getSignPayload(keyAuth),
+      privateKey: root.privateKey,
+    })
+
+    const keyAuth_signed = KeyAuthorization.from(keyAuth, {
+      signature: SignatureEnvelope.from(keyAuth_signature),
+    })
+
+    const nonce = await getTransactionCount(client, {
+      address: root.address,
+      blockTag: 'pending',
+    })
+
+    const transaction = TxEnvelopeTempo.from({
+      calls: [
+        {
+          to: '0x0000000000000000000000000000000000000000',
+        },
+      ],
+      chainId,
+      feeToken: '0x20c0000000000000000000000000000000000001',
+      keyAuthorization: keyAuth_signed,
+      nonce: BigInt(nonce),
+      gas: 1_000_000n,
+      maxFeePerGas: Value.fromGwei('20'),
+      maxPriorityFeePerGas: Value.fromGwei('10'),
+    })
+
+    const signature = P256.sign({
+      payload: TxEnvelopeTempo.getSignPayload(transaction),
+      privateKey: access.privateKey,
+    })
+
+    const serialized_signed = TxEnvelopeTempo.serialize(transaction, {
+      signature: SignatureEnvelope.from({
+        userAddress: root.address,
+        inner: SignatureEnvelope.from({
+          prehash: false,
+          publicKey: access.publicKey,
+          signature,
+          type: 'p256',
+        }),
+        type: 'keychain',
+      }),
+    })
+
+    const receipt = (await client
+      .request({
+        method: 'eth_sendRawTransactionSync',
+        params: [serialized_signed],
+      })
+      .then((tx) => TransactionReceipt.fromRpc(tx as any)))!
+    expect(receipt).toBeDefined()
+    expect(receipt.status).toBe('success')
+
+    {
+      const response = await client
+        .request({
+          method: 'eth_getTransactionByHash',
+          params: [receipt.transactionHash],
+        })
+        .then((tx) => Transaction.fromRpc(tx as any))
+      if (!response) throw new Error()
+
+      expect(response.from).toBe(root.address)
+      expect(response.keyAuthorization).toBeDefined()
+      expect(response.keyAuthorization?.expiry).toBe(keyAuth.expiry)
+      expect(response.keyAuthorization?.limits).toEqual(keyAuth.limits)
+    }
+  })
+
+  test('behavior: access key with limits (no expiry)', async () => {
+    const privateKey = Secp256k1.randomPrivateKey()
+    const publicKey = Secp256k1.getPublicKey({ privateKey })
+    const address = Address.fromPublicKey(publicKey)
+    const access = {
+      address,
+      publicKey,
+      privateKey,
+    } as const
+
+    const keyAuth = KeyAuthorization.from({
+      address: access.address,
+      type: 'secp256k1',
+      limits: [
+        {
+          token: '0x20c0000000000000000000000000000000000001',
+          limit: Value.from('1000', 6),
+        },
+      ],
+    })
+
+    const keyAuth_signature = Secp256k1.sign({
+      payload: KeyAuthorization.getSignPayload(keyAuth),
+      privateKey: root.privateKey,
+    })
+
+    const keyAuth_signed = KeyAuthorization.from(keyAuth, {
+      signature: SignatureEnvelope.from(keyAuth_signature),
+    })
+
+    const nonce = await getTransactionCount(client, {
+      address: root.address,
+      blockTag: 'pending',
+    })
+
+    const transaction = TxEnvelopeTempo.from({
+      calls: [
+        {
+          to: '0x0000000000000000000000000000000000000000',
+        },
+      ],
+      chainId,
+      feeToken: '0x20c0000000000000000000000000000000000001',
+      keyAuthorization: keyAuth_signed,
+      nonce: BigInt(nonce),
+      gas: 1_000_000n,
+      maxFeePerGas: Value.fromGwei('20'),
+      maxPriorityFeePerGas: Value.fromGwei('10'),
+    })
+
+    const signature = Secp256k1.sign({
+      payload: TxEnvelopeTempo.getSignPayload(transaction),
+      privateKey: access.privateKey,
+    })
+
+    const serialized_signed = TxEnvelopeTempo.serialize(transaction, {
+      signature: SignatureEnvelope.from({
+        userAddress: root.address,
+        inner: SignatureEnvelope.from(signature),
+        type: 'keychain',
+      }),
+    })
+
+    const receipt = (await client
+      .request({
+        method: 'eth_sendRawTransactionSync',
+        params: [serialized_signed],
+      })
+      .then((tx) => TransactionReceipt.fromRpc(tx as any)))!
+    expect(receipt).toBeDefined()
+    expect(receipt.status).toBe('success')
+
+    {
+      const response = await client
+        .request({
+          method: 'eth_getTransactionByHash',
+          params: [receipt.transactionHash],
+        })
+        .then((tx) => Transaction.fromRpc(tx as any))
+      if (!response) throw new Error()
+
+      expect(response.from).toBe(root.address)
+      expect(response.keyAuthorization).toBeDefined()
+      expect(response.keyAuthorization?.expiry).toBe(0)
+      expect(response.keyAuthorization?.limits).toEqual(keyAuth.limits)
+    }
+  })
+
+  test('behavior: access key with expiry (no limits)', async () => {
+    const privateKey = Secp256k1.randomPrivateKey()
+    const publicKey = Secp256k1.getPublicKey({ privateKey })
+    const address = Address.fromPublicKey(publicKey)
+    const access = {
+      address,
+      publicKey,
+      privateKey,
+    } as const
+
+    const keyAuth = KeyAuthorization.from({
+      address: access.address,
+      type: 'secp256k1',
+      expiry: Math.floor(Date.now() / 1000) + 60 * 60,
+    })
+
+    const keyAuth_signature = Secp256k1.sign({
+      payload: KeyAuthorization.getSignPayload(keyAuth),
+      privateKey: root.privateKey,
+    })
+
+    const keyAuth_signed = KeyAuthorization.from(keyAuth, {
+      signature: SignatureEnvelope.from(keyAuth_signature),
+    })
+
+    const nonce = await getTransactionCount(client, {
+      address: root.address,
+      blockTag: 'pending',
+    })
+
+    const transaction = TxEnvelopeTempo.from({
+      calls: [
+        {
+          to: '0x0000000000000000000000000000000000000000',
+        },
+      ],
+      chainId,
+      feeToken: '0x20c0000000000000000000000000000000000001',
+      keyAuthorization: keyAuth_signed,
+      nonce: BigInt(nonce),
+      gas: 1_000_000n,
+      maxFeePerGas: Value.fromGwei('20'),
+      maxPriorityFeePerGas: Value.fromGwei('10'),
+    })
+
+    const signature = Secp256k1.sign({
+      payload: TxEnvelopeTempo.getSignPayload(transaction),
+      privateKey: access.privateKey,
+    })
+
+    const serialized_signed = TxEnvelopeTempo.serialize(transaction, {
+      signature: SignatureEnvelope.from({
+        userAddress: root.address,
+        inner: SignatureEnvelope.from(signature),
+        type: 'keychain',
+      }),
+    })
+
+    const receipt = (await client
+      .request({
+        method: 'eth_sendRawTransactionSync',
+        params: [serialized_signed],
+      })
+      .then((tx) => TransactionReceipt.fromRpc(tx as any)))!
+    expect(receipt).toBeDefined()
+    expect(receipt.status).toBe('success')
+
+    {
+      const response = await client
+        .request({
+          method: 'eth_getTransactionByHash',
+          params: [receipt.transactionHash],
+        })
+        .then((tx) => Transaction.fromRpc(tx as any))
+      if (!response) throw new Error()
+
+      expect(response.from).toBe(root.address)
+      expect(response.keyAuthorization).toBeDefined()
+      expect(response.keyAuthorization?.expiry).toBe(keyAuth.expiry)
+      expect(response.keyAuthorization?.limits).toBeUndefined()
+    }
+  })
 })

package/version.ts

@@ -1,2 +1,2 @@
 /** @internal */
-export const version = '0.12.4'
+export const version = '0.13.1'

package/webauthn/Authentication/package.json

@@ -0,0 +1,6 @@
+{
+  "type": "module",
+  "types": "../../_types/webauthn/Authentication.d.ts",
+  "main": "../../_cjs/webauthn/Authentication.js",
+  "module": "../../_esm/webauthn/Authentication.js"
+}