signet-login 0.1.0

package/dist/signet-login.js

@@ -0,0 +1,265 @@
+/**
+ * Signet Login SDK — Sign in with Signet for Nostr-aware websites.
+ *
+ * ESM / bundler usage:
+ *   import { login, restoreSession, logout } from 'signet-login';
+ *
+ * Script-tag / IIFE usage (additively extends `window.Signet`):
+ *   <script src="https://cdn.signet.forgesworn.dev/signet-login.iife.js"></script>
+ *   <script>
+ *     const session = await Signet.login({ appName: 'Asteroid Sats' });
+ *   </script>
+ *
+ * The IIFE bundle does NOT overwrite `window.Signet` — it augments whatever is
+ * already there (so `signet-verify.iife.js` and `signet-login.iife.js` coexist
+ * in either load order on the same page).
+ */
+import { DEFAULTS } from './types.js';
+import { showLoginModal } from './modal.js';
+import { saveSession, loadSession, clearSession, bytesToHexLocal, hexToBytesLocal } from './storage.js';
+import { hasNip07, createNip07Signer, createBunkerSigner, EphemeralSigner, } from './signers.js';
+import { handleCallback as handlePopupCallback } from './callback.js';
+import { consumeCallback, startRedirect } from './redirect.js';
+// ── Public API ────────────────────────────────────────────────────────────────
+/**
+ * Show the login picker and resolve to a SignetSession on success, or null on
+ * cancel / timeout.
+ *
+ * When `mode: 'redirect'` is set, the picker is skipped entirely — the current
+ * tab navigates to signet-app and this promise NEVER resolves in this tab.
+ * Callers should treat the returned promise as "fire and forget" in that case
+ * and call `Signet.handleCallback()` on the next page load to receive the
+ * session. The other login methods (NIP-07, bunker) don't use redirect at all
+ * and are unaffected by this option.
+ */
+export async function login(opts) {
+    // Redirect mode short-circuits the picker — the user is going to signet-app.
+    // We don't gate on preferredMethod here: redirect mode implies the consumer
+    // wants the Sign in with Signet method, which is the only method that uses
+    // navigation. (NIP-07 and bunker resolve in-tab regardless of mode.)
+    if (opts.mode === 'redirect') {
+        if (typeof window === 'undefined') {
+            throw new Error('signet-login: redirect mode requires a browser environment');
+        }
+        const challenge = opts.challenge ?? generateChallenge();
+        if (!/^[0-9a-f]{64}$/i.test(challenge))
+            throw new Error('challenge-must-be-64-hex');
+        if (!opts.appName || opts.appName.length === 0)
+            throw new Error('appName-required');
+        if (opts.appName.length > 64)
+            throw new Error('appName-too-long');
+        return startRedirect({
+            appName: opts.appName,
+            challenge: challenge.toLowerCase(),
+            origin: window.location.origin,
+            signetAppOrigin: opts.signetAppOrigin ?? DEFAULTS.signetAppOrigin,
+            ...(opts.redirectCallback !== undefined ? { redirectCallback: opts.redirectCallback } : {}),
+        });
+    }
+    const session = await showLoginModal(opts);
+    if (!session)
+        return null;
+    if (opts.persist !== false) {
+        persistSession(session);
+    }
+    return session;
+}
+/**
+ * Generate a 64-hex random challenge. Mirrors the modal's helper but lives at
+ * the module level so the redirect path can call it without pulling the modal
+ * into the bundle when only `mode: 'redirect'` is used.
+ */
+function generateChallenge() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+}
+/**
+ * Try to restore a session from localStorage. Returns null if no session is
+ * stored or it's malformed/expired.
+ *
+ * For bunker sessions, attempts to reconnect using the stored URI + client SK.
+ * If the bunker is unreachable, returns null and clears the stored session.
+ */
+export async function restoreSession(opts) {
+    const stored = loadSession();
+    if (!stored)
+        return null;
+    let authEvent;
+    try {
+        authEvent = JSON.parse(stored.authEventJson);
+    }
+    catch {
+        clearSession();
+        return null;
+    }
+    if (stored.method === 'nip07') {
+        if (!hasNip07()) {
+            // Extension was uninstalled — return ephemeral identity-only session
+            const ephemeral = new EphemeralSigner(stored.pubkey, authEvent);
+            return {
+                pubkey: stored.pubkey,
+                method: 'redirect', // downgrade — caller sees "no signing"
+                signer: ephemeral,
+                authEvent,
+            };
+        }
+        try {
+            const signer = await createNip07Signer();
+            // Verify the same pubkey is selected — extension may have switched accounts
+            if (signer.pubkey !== stored.pubkey) {
+                clearSession();
+                return null;
+            }
+            return {
+                pubkey: stored.pubkey,
+                method: 'nip07',
+                signer,
+                authEvent,
+            };
+        }
+        catch {
+            clearSession();
+            return null;
+        }
+    }
+    if (stored.method === 'bunker') {
+        if (opts?.reconnectBunker === false) {
+            const ephemeral = new EphemeralSigner(stored.pubkey, authEvent);
+            return {
+                pubkey: stored.pubkey,
+                method: 'redirect',
+                signer: ephemeral,
+                authEvent,
+            };
+        }
+        if (!stored.bunkerUri || !stored.bunkerClientSkHex) {
+            clearSession();
+            return null;
+        }
+        try {
+            const sk = hexToBytesLocal(stored.bunkerClientSkHex);
+            const signer = await createBunkerSigner({ uri: stored.bunkerUri, clientSecretKey: sk });
+            if (signer.pubkey !== stored.pubkey) {
+                await signer.close();
+                clearSession();
+                return null;
+            }
+            return {
+                pubkey: stored.pubkey,
+                method: 'bunker',
+                signer,
+                authEvent,
+            };
+        }
+        catch {
+            clearSession();
+            return null;
+        }
+    }
+    // method === 'redirect' — restore as ephemeral (auth-only)
+    const ephemeral = new EphemeralSigner(stored.pubkey, authEvent);
+    const session = {
+        pubkey: stored.pubkey,
+        method: 'redirect',
+        signer: ephemeral,
+        authEvent,
+    };
+    if (stored.displayName)
+        session.displayName = stored.displayName;
+    return session;
+}
+/**
+ * Popup-style callback receiver. Use on the page that signet-app redirects
+ * a popup to. Parses URL params and posts them to `window.opener`, then
+ * closes the popup. Returns the raw params for non-popup contexts.
+ *
+ * For the same-tab redirect flow (`mode: 'redirect'` on `login()`), use
+ * `Signet.handleRedirectCallback()` instead — that one validates against the
+ * persisted pending state and returns a fully-formed `SignetSession`.
+ */
+export const handleCallback = handlePopupCallback;
+/**
+ * Same-tab redirect callback receiver. Call once on app boot, before
+ * `restoreSession()`, to consume an incoming `?pubkey&signature&eventId`
+ * payload from signet-app.
+ *
+ * Behaviour:
+ *
+ *   - `'session'`: validates the round-trip against the pending state saved
+ *     by `login({ mode: 'redirect' })`, builds and persists a SignetSession
+ *     (so `restoreSession()` finds it next time), and strips the auth params
+ *     from the URL via `history.replaceState`. The returned session uses an
+ *     `EphemeralSigner` — `signer.capabilities.canSignEvents` is false. Pair
+ *     with NIP-07 / bunker if you need ongoing signing.
+ *
+ *   - `'denied'`: signet-app reported the user rejected the request.
+ *
+ *   - `'no-callback'`: no auth params on the URL — the typical case on most
+ *     page loads. Idempotent: a second call after success also returns this.
+ *
+ *   - `'invalid'`: params present but failed validation. `reason` is a
+ *     machine-readable token (`origin-mismatch`, `pending-stale`,
+ *     `pubkey-malformed`, …). Pending state is cleared either way so a stale
+ *     URL can't poison the next attempt.
+ *
+ * The returned shape is intentionally tagged so consumers can distinguish
+ * "user denied" from "no callback" without inspecting null. Persistence on
+ * success uses the same storage layer as relay-mode sessions, so downstream
+ * code that consumes `restoreSession()` doesn't need to care which path
+ * authenticated the user.
+ */
+export async function handleRedirectCallback() {
+    const result = consumeCallback();
+    if (result.kind === 'session') {
+        persistSession(result.session);
+    }
+    return result;
+}
+/**
+ * Clear the stored session and close the active signer.
+ */
+export async function logout(currentSession) {
+    if (currentSession) {
+        try {
+            await currentSession.signer.close();
+        }
+        catch { /* ignore */ }
+    }
+    clearSession();
+}
+// ── Persistence helpers (internal) ────────────────────────────────────────────
+function persistSession(session) {
+    const payload = {
+        pubkey: session.pubkey,
+        method: session.method,
+        authEventJson: JSON.stringify(session.authEvent),
+    };
+    if (session.method === 'bunker') {
+        // Cast: in bunker mode, the signer is a BunkerSignerImpl with bunkerUri + clientSecretKey
+        const bunkerSigner = session.signer;
+        if (bunkerSigner.bunkerUri && bunkerSigner.clientSecretKey instanceof Uint8Array) {
+            payload.bunkerUri = bunkerSigner.bunkerUri;
+            payload.bunkerClientSkHex = bytesToHexLocal(bunkerSigner.clientSecretKey);
+        }
+    }
+    if (session.expiresAt !== undefined)
+        payload.expiresAt = session.expiresAt;
+    if (session.displayName !== undefined)
+        payload.displayName = session.displayName;
+    saveSession(payload);
+}
+// ── Auto-attach to window.Signet (additive) ───────────────────────────────────
+if (typeof window !== 'undefined') {
+    // Never overwrite — additive only. Coexists with signet-verify on the same page.
+    const existing = window.Signet;
+    const SignetGlobal = existing ?? {};
+    Object.assign(SignetGlobal, {
+        login,
+        restoreSession,
+        logout,
+        handleCallback,
+        handleRedirectCallback,
+    });
+    window.Signet = SignetGlobal;
+}

package/dist/storage.d.ts

@@ -0,0 +1,38 @@
+/**
+ * localStorage persistence for signet-login sessions.
+ *
+ * Storage keys are namespaced under `signet:login.*` so they don't collide
+ * with `signet:verify.*` or any future Signet SDK.
+ */
+import type { LoginMethod, PendingRedirect } from './types.js';
+/** Raw shape of a persisted session — flat string fields, JSON for the auth event. */
+export interface PersistedSession {
+    pubkey: string;
+    method: LoginMethod;
+    authEventJson: string;
+    bunkerUri?: string;
+    bunkerClientSkHex?: string;
+    expiresAt?: number;
+    displayName?: string;
+}
+/** Save a session. Caller must serialise authEvent to JSON. */
+export declare function saveSession(s: PersistedSession): void;
+/** Load a session if one is present. Returns null if no session or it's malformed. */
+export declare function loadSession(): PersistedSession | null;
+/** Clear all signet-login keys. Does not touch other Signet SDK storage. */
+export declare function clearSession(): void;
+/**
+ * Persist the in-flight redirect state. Called immediately before navigating
+ * to signet-app so the callback consumer can validate the round-trip.
+ *
+ * Stored as a single JSON blob under `signet:login.pendingRedirect`. We keep
+ * it in localStorage rather than sessionStorage because some browsers (older
+ * iOS Safari especially) wipe sessionStorage on cross-origin navigation.
+ */
+export declare function savePendingRedirect(p: PendingRedirect): void;
+/** Load and shape-validate the pending redirect. Returns null if absent or malformed. */
+export declare function loadPendingRedirect(): PendingRedirect | null;
+/** Clear the pending-redirect record. Safe to call when none exists. */
+export declare function clearPendingRedirect(): void;
+export declare function bytesToHexLocal(bytes: Uint8Array): string;
+export declare function hexToBytesLocal(hex: string): Uint8Array;

package/dist/storage.js

@@ -0,0 +1,159 @@
+/**
+ * localStorage persistence for signet-login sessions.
+ *
+ * Storage keys are namespaced under `signet:login.*` so they don't collide
+ * with `signet:verify.*` or any future Signet SDK.
+ */
+import { STORAGE_KEYS } from './types.js';
+function safeGet(key) {
+    try {
+        return typeof localStorage !== 'undefined' ? localStorage.getItem(key) : null;
+    }
+    catch {
+        return null;
+    }
+}
+function safeSet(key, value) {
+    try {
+        if (typeof localStorage !== 'undefined')
+            localStorage.setItem(key, value);
+    }
+    catch {
+        // localStorage unavailable (private mode, quota, etc.) — silently skip
+    }
+}
+function safeRemove(key) {
+    try {
+        if (typeof localStorage !== 'undefined')
+            localStorage.removeItem(key);
+    }
+    catch {
+        // ignore
+    }
+}
+/** Save a session. Caller must serialise authEvent to JSON. */
+export function saveSession(s) {
+    safeSet(STORAGE_KEYS.pubkey, s.pubkey);
+    safeSet(STORAGE_KEYS.method, s.method);
+    safeSet(STORAGE_KEYS.authEvent, s.authEventJson);
+    if (s.bunkerUri !== undefined)
+        safeSet(STORAGE_KEYS.bunkerUri, s.bunkerUri);
+    if (s.bunkerClientSkHex !== undefined)
+        safeSet(STORAGE_KEYS.bunkerClientSk, s.bunkerClientSkHex);
+    if (s.expiresAt !== undefined)
+        safeSet(STORAGE_KEYS.expiresAt, String(s.expiresAt));
+    if (s.displayName !== undefined)
+        safeSet(STORAGE_KEYS.displayName, s.displayName);
+}
+/** Load a session if one is present. Returns null if no session or it's malformed. */
+export function loadSession() {
+    const pubkey = safeGet(STORAGE_KEYS.pubkey);
+    const method = safeGet(STORAGE_KEYS.method);
+    const authEventJson = safeGet(STORAGE_KEYS.authEvent);
+    if (!pubkey || !method || !authEventJson)
+        return null;
+    if (!/^[0-9a-f]{64}$/i.test(pubkey))
+        return null;
+    if (method !== 'nip07' && method !== 'redirect' && method !== 'bunker')
+        return null;
+    // Sanity-parse the auth event before returning
+    let authEvent;
+    try {
+        authEvent = JSON.parse(authEventJson);
+        if (typeof authEvent !== 'object' || authEvent === null)
+            return null;
+        if (authEvent.pubkey !== pubkey)
+            return null;
+    }
+    catch {
+        return null;
+    }
+    const expiresAtRaw = safeGet(STORAGE_KEYS.expiresAt);
+    const expiresAt = expiresAtRaw ? Number(expiresAtRaw) : undefined;
+    if (expiresAt !== undefined && Number.isFinite(expiresAt) && Date.now() > expiresAt) {
+        // Session expired — drop it
+        clearSession();
+        return null;
+    }
+    const result = { pubkey, method, authEventJson };
+    const bunkerUri = safeGet(STORAGE_KEYS.bunkerUri);
+    const bunkerClientSkHex = safeGet(STORAGE_KEYS.bunkerClientSk);
+    const displayName = safeGet(STORAGE_KEYS.displayName);
+    if (bunkerUri)
+        result.bunkerUri = bunkerUri;
+    if (bunkerClientSkHex)
+        result.bunkerClientSkHex = bunkerClientSkHex;
+    if (expiresAt !== undefined && Number.isFinite(expiresAt))
+        result.expiresAt = expiresAt;
+    if (displayName)
+        result.displayName = displayName;
+    return result;
+}
+/** Clear all signet-login keys. Does not touch other Signet SDK storage. */
+export function clearSession() {
+    safeRemove(STORAGE_KEYS.pubkey);
+    safeRemove(STORAGE_KEYS.method);
+    safeRemove(STORAGE_KEYS.authEvent);
+    safeRemove(STORAGE_KEYS.bunkerUri);
+    safeRemove(STORAGE_KEYS.bunkerClientSk);
+    safeRemove(STORAGE_KEYS.expiresAt);
+    safeRemove(STORAGE_KEYS.displayName);
+}
+// ── Pending-redirect persistence ──────────────────────────────────────────────
+/**
+ * Persist the in-flight redirect state. Called immediately before navigating
+ * to signet-app so the callback consumer can validate the round-trip.
+ *
+ * Stored as a single JSON blob under `signet:login.pendingRedirect`. We keep
+ * it in localStorage rather than sessionStorage because some browsers (older
+ * iOS Safari especially) wipe sessionStorage on cross-origin navigation.
+ */
+export function savePendingRedirect(p) {
+    safeSet(STORAGE_KEYS.pendingRedirect, JSON.stringify(p));
+}
+/** Load and shape-validate the pending redirect. Returns null if absent or malformed. */
+export function loadPendingRedirect() {
+    const raw = safeGet(STORAGE_KEYS.pendingRedirect);
+    if (!raw)
+        return null;
+    try {
+        const parsed = JSON.parse(raw);
+        const challenge = parsed.challenge;
+        const origin = parsed.origin;
+        const appName = parsed.appName;
+        const createdAt = parsed.createdAt;
+        if (typeof challenge !== 'string' || !/^[0-9a-f]{64}$/i.test(challenge))
+            return null;
+        if (typeof origin !== 'string' || origin.length === 0)
+            return null;
+        if (typeof appName !== 'string' || appName.length === 0)
+            return null;
+        if (typeof createdAt !== 'number' || !Number.isFinite(createdAt))
+            return null;
+        return { challenge, origin, appName, createdAt };
+    }
+    catch {
+        return null;
+    }
+}
+/** Clear the pending-redirect record. Safe to call when none exists. */
+export function clearPendingRedirect() {
+    safeRemove(STORAGE_KEYS.pendingRedirect);
+}
+// ── Hex helpers (avoid pulling in @noble for two functions) ───────────────────
+export function bytesToHexLocal(bytes) {
+    let out = '';
+    for (let i = 0; i < bytes.length; i++) {
+        out += bytes[i].toString(16).padStart(2, '0');
+    }
+    return out;
+}
+export function hexToBytesLocal(hex) {
+    if (hex.length % 2 !== 0)
+        throw new Error('odd-hex-length');
+    const out = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < out.length; i++) {
+        out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    return out;
+}

package/dist/types.d.ts

@@ -0,0 +1,164 @@
+/**
+ * Public types for signet-login.
+ *
+ * The SDK exposes a single SignetSigner interface that wraps three backends
+ * (NIP-07 extension, NIP-46 bunker, ephemeral redirect-only). Consumers code
+ * against the interface; the SDK picks the implementation based on user choice.
+ */
+/** A signed Nostr event. */
+export interface NostrEvent {
+    id: string;
+    pubkey: string;
+    kind: number;
+    created_at: number;
+    tags: string[][];
+    content: string;
+    sig: string;
+}
+/** An unsigned event template ready for signing. */
+export interface EventTemplate {
+    kind: number;
+    created_at?: number;
+    tags?: string[][];
+    content: string;
+}
+/** Login method actually used to authenticate. */
+export type LoginMethod = 'nip07' | 'redirect' | 'bunker';
+/** Capability flags exposed by a signer. */
+export interface SignerCapabilities {
+    /** True if the signer can sign arbitrary events going forward. False for redirect-auth-only sessions. */
+    canSignEvents: boolean;
+    /** True if NIP-44 encrypt/decrypt is available. */
+    hasNip44: boolean;
+}
+/** Unified signer interface — three backends, one shape. */
+export interface SignetSigner {
+    readonly pubkey: string;
+    readonly method: LoginMethod;
+    readonly capabilities: SignerCapabilities;
+    signEvent(template: EventTemplate): Promise<NostrEvent>;
+    nip44?: {
+        encrypt(peerPubkey: string, plaintext: string): Promise<string>;
+        decrypt(peerPubkey: string, ciphertext: string): Promise<string>;
+    };
+    close(): Promise<void>;
+}
+/** A signed kind-21236 auth event proving pubkey ownership. */
+export interface SignetAuthEvent extends NostrEvent {
+    kind: 21236;
+}
+/** An authenticated session — pubkey + signer + the signed challenge proof. */
+export interface SignetSession {
+    pubkey: string;
+    method: LoginMethod;
+    signer: SignetSigner;
+    /** The signed challenge event — proves identity, useful for server-side verification. */
+    authEvent: SignetAuthEvent;
+    /** Unix-ms expiry, if the session can expire (bunker tokens). Absent = session does not expire. */
+    expiresAt?: number;
+    /** Optional display name the user shared at approval (sanitised). */
+    displayName?: string;
+}
+/**
+ * Delivery mode for the "Sign in with Signet" method.
+ *
+ * - 'relay' (default): the modal shows a QR / link, signet-app gift-wraps the
+ *   signed auth event back via a Nostr relay. The current tab stays put. Best
+ *   for desktop where users have a phone alongside.
+ *
+ * - 'redirect': the current tab navigates to signet-app, the user signs in
+ *   there, signet-app redirects the same tab back to `redirectCallback` with
+ *   auth params in the query string. The consumer must call
+ *   `Signet.handleCallback()` on boot to consume the params and resolve a
+ *   session. Best for mobile / single-device flows.
+ *
+ * Only affects the 'redirect' login method. NIP-07 and bunker are unchanged.
+ */
+export type SignetDeliveryMode = 'relay' | 'redirect';
+/** Options for Signet.login(). */
+export interface LoginOptions {
+    /** Required. Shown in the consent UI (e.g. "Asteroid Sats"). */
+    appName: string;
+    /** Optional 64-hex challenge. Auto-generated if omitted. */
+    challenge?: string;
+    /** Skip the picker and force a specific method. */
+    preferredMethod?: LoginMethod;
+    /** Relay URL for cross-device communication. Default: wss://relay.damus.io */
+    relayUrl?: string;
+    /** Modal colour scheme. Default: 'auto'. */
+    theme?: 'light' | 'dark' | 'auto';
+    /** Timeout in milliseconds. Default: 120_000. Clamped to [5_000, 600_000]. */
+    timeout?: number;
+    /**
+     * Origin of the Signet app. Default: https://mysignet.app
+     * Override for local development against your own signet-app instance.
+     */
+    signetAppOrigin?: string;
+    /**
+     * Callback URL used by the same-device redirect path. Must be same-origin
+     * as the calling page. Defaults to `${origin}/`. Only used when `mode` is
+     * 'redirect'.
+     */
+    redirectCallback?: string;
+    /**
+     * Delivery mode for the Sign in with Signet method. See `SignetDeliveryMode`.
+     * Default: 'relay'.
+     *
+     * In 'redirect' mode `Signet.login()` navigates the current tab away and
+     * never resolves in this tab — the returned promise is abandoned. Wire up
+     * `Signet.handleCallback()` on boot to receive the session on return.
+     */
+    mode?: SignetDeliveryMode;
+    /** Persist the session to localStorage. Default: true. */
+    persist?: boolean;
+}
+/**
+ * State persisted to localStorage between starting a redirect and consuming
+ * the callback. Used by `consumeCallback()` to validate the round-trip and
+ * reconstruct the kind-21236 auth event.
+ */
+export interface PendingRedirect {
+    /** 64-hex challenge issued at login start — must match the auth event tag. */
+    challenge: string;
+    /** Origin that initiated the login — must match `window.location.origin` on return. */
+    origin: string;
+    /** App name — used to reconstruct the `app` tag on the auth event. */
+    appName: string;
+    /** Unix-ms when the redirect started. Used for the freshness window. */
+    createdAt: number;
+}
+/** Options for Signet.restoreSession(). */
+export interface RestoreOptions {
+    /** Reconnect a stored bunker session if present. Default: true. */
+    reconnectBunker?: boolean;
+    /** Default relay for bunker reconnection if URI omits it. */
+    defaultRelay?: string;
+}
+/** Default values applied when the consumer omits an option. */
+export declare const DEFAULTS: {
+    relayUrl: string;
+    signetAppOrigin: string;
+    timeout: number;
+    theme: "auto";
+    persist: boolean;
+    mode: SignetDeliveryMode;
+};
+/**
+ * Pending redirect must be consumed within this window of starting it,
+ * otherwise the callback is treated as stale (likely a stray bookmark or
+ * tab restored after a long pause). Mirrors signet-app's URL freshness
+ * window (5 min) so callback consumers behave consistently with the issuer.
+ */
+export declare const PENDING_REDIRECT_TTL_MS: number;
+/** Storage keys, namespaced under signet:login.* */
+export declare const STORAGE_KEYS: {
+    pubkey: string;
+    method: string;
+    authEvent: string;
+    bunkerUri: string;
+    bunkerClientSk: string;
+    expiresAt: string;
+    displayName: string;
+    /** Session-storage key for in-flight redirect state. */
+    pendingRedirect: string;
+};

package/dist/types.js

@@ -0,0 +1,35 @@
+/**
+ * Public types for signet-login.
+ *
+ * The SDK exposes a single SignetSigner interface that wraps three backends
+ * (NIP-07 extension, NIP-46 bunker, ephemeral redirect-only). Consumers code
+ * against the interface; the SDK picks the implementation based on user choice.
+ */
+/** Default values applied when the consumer omits an option. */
+export const DEFAULTS = {
+    relayUrl: 'wss://relay.damus.io',
+    signetAppOrigin: 'https://mysignet.app',
+    timeout: 120000,
+    theme: 'auto',
+    persist: true,
+    mode: 'relay',
+};
+/**
+ * Pending redirect must be consumed within this window of starting it,
+ * otherwise the callback is treated as stale (likely a stray bookmark or
+ * tab restored after a long pause). Mirrors signet-app's URL freshness
+ * window (5 min) so callback consumers behave consistently with the issuer.
+ */
+export const PENDING_REDIRECT_TTL_MS = 5 * 60 * 1000;
+/** Storage keys, namespaced under signet:login.* */
+export const STORAGE_KEYS = {
+    pubkey: 'signet:login.pubkey',
+    method: 'signet:login.method',
+    authEvent: 'signet:login.authEvent',
+    bunkerUri: 'signet:login.bunkerUri',
+    bunkerClientSk: 'signet:login.bunkerClientSk',
+    expiresAt: 'signet:login.expiresAt',
+    displayName: 'signet:login.displayName',
+    /** Session-storage key for in-flight redirect state. */
+    pendingRedirect: 'signet:login.pendingRedirect',
+};