npm - signet-login - Versions diffs - 0.10.1 → 0.10.3 - Mend

signet-login 0.10.1 → 0.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +30 -5
package/dist/modal.js +41 -18
package/dist/signers.d.ts +17 -5
package/dist/signers.js +51 -6
package/dist/signet-login.d.ts +2 -2
package/dist/signet-login.iife.js +16 -16
package/dist/signet-login.js +6 -2
package/dist/types.d.ts +7 -5
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -6,7 +6,8 @@ Published as `signet-login`.
 **Signet Access** is a drop-in auth and signer-access SDK for Nostr-aware websites. One picker, one session shape, multiple ways to prove identity and, when available, keep a live signer:
-- **Sign in with Signet** on this device or by cross-device QR
+- **Local Signet** on this device, against hosted or local-dev Signet
+- **Remote Signet** by cross-device QR, so a phone or second machine can approve
 - **Browser extension** via NIP-07 (bark, Alby, nos2x, Flamingo, ...)
 - **Connect a Nostr signer** via app-initiated NIP-46 / NostrConnect
 - **Paste or scan bunker URI** for Heartwood, nsecBunker, Amber, or compatible signers
@@ -88,8 +89,10 @@ interface SignetStorage {
 type LoginPickerMethod =
   | 'nip07'
-  | 'redirect'      // same-device Signet, relay delivery
-  | 'qr'            // cross-device Signet QR
+  | 'local-signet'  // same-device Signet, relay delivery
+  | 'remote-signet' // cross-device Signet QR
+  | 'redirect'      // legacy alias for local-signet
+  | 'qr'            // legacy alias for remote-signet
   | 'bunker'        // paste bunker://
   | 'nostrconnect'  // show nostrconnect:// QR
   | 'amber'         // Android NIP-55
@@ -110,7 +113,14 @@ By default, the picker shows ordinary user-facing methods first and groups `bunk
 ```js
 await Signet.login({
   appName: 'My Game',
-  methods: ['redirect', 'qr', 'nip07'],
+  methods: ['local-signet', 'remote-signet', 'nip07'],
+});
+await Signet.login({
+  appName: 'My Local Dev Game',
+  preferredMethod: 'local-signet',
+  signetAppOrigin: 'http://localhost:5174',
+  relayUrl: 'ws://localhost:7777',
 });
 await Signet.login({
@@ -121,6 +131,8 @@ await Signet.login({
 });
 ```
+`redirect` and `qr` remain supported picker aliases for existing apps, but new integrations should use `local-signet` and `remote-signet`.
 When camera APIs are available, the bunker URI screen can scan `bunker://` QR codes directly. Paste remains the fallback.
 ### Headless/custom UI
@@ -152,9 +164,22 @@ await fetch('/api/login', {
 });
 ```
-Headless exports include `hasNip07`, `createNip07Signer`, `createBunkerSigner`, `createBunkerSignerFromNostrConnect`, `buildNostrConnectUri`, `createLocalSignerFromNsec`, `createLoginAuthEvent`, `createSessionFromSigner`, and `generateSecretKey`.
+Headless exports include `hasNip07`, `createNip07Signer`, `createBunkerSigner`, `createBunkerSignerFromNostrConnect`, `buildNostrConnectUri`, `buildBunkerUriFromNostrConnectUri`, `isBunkerUri`, `isNostrConnectUri`, `isSupportedPairingUri`, `createLocalSignerFromNsec`, `createLoginAuthEvent`, `createSessionFromSigner`, and `generateSecretKey`.
 The IIFE bundle attaches the same helpers to `window.Signet`.
+### NostrConnect and bunker roles
+NIP-46 has two URI directions:
+| URI | Producer | Consumer | Use |
+|---|---|---|---|
+| `nostrconnect://...` | The app / Signet Access client | Signer app scans or opens it | First pairing, where the app advertises its client pubkey, relays, requested permissions, and one-time secret |
+| `bunker://...` | The signer / bunker | App connects to it | Reconnect, paste/scan bunker flows, native clients, and persisted sessions |
+`createBunkerSignerFromNostrConnect()` waits for the signer response and then stores the equivalent `bunker://` reconnect URI internally, preserving the relay list and secret. This matters for apps such as Canary, Pallasite, and Axenstax: the user can pair once with NostrConnect, then `restoreSession()` can reconnect with the same stable client key instead of showing a fresh pairing request.
+Signet Access is the app-side session broker. Identity creation, recovery, and derived personas belong in Signet, Heartwood, and `nsec-tree`; app integrations should consume the returned pubkey and capability flags instead of deriving identities inside the login SDK.
 ### Custom storage
 By default, Signet Access stores session state in localStorage under `signet:login.*`. Pass `storage` when you need encrypted, async, IndexedDB, server-backed, or test storage:

package/dist/modal.js CHANGED Viewed

@@ -14,7 +14,8 @@ import { bytesToHex } from '@noble/hashes/utils';
 import QRCode from 'qrcode';
 import jsQR from 'jsqr';
 const QR_BUNKER_CONNECT_TIMEOUT_MS = 8000;
-const DEFAULT_PICKER_METHODS = ['nip07', 'amber', 'redirect', 'qr', 'bunker', 'nostrconnect', 'nsec'];
+const DEFAULT_PICKER_METHODS = ['nip07', 'amber', 'local-signet', 'remote-signet', 'bunker', 'nostrconnect', 'nsec'];
+const ALL_PICKER_METHODS = [...DEFAULT_PICKER_METHODS, 'redirect', 'qr'];
 const DEFAULT_ADVANCED_METHODS = ['bunker', 'nostrconnect', 'nsec'];
 const DEFAULT_NOSTR_CONNECT_PERMS = ['sign_event', 'nip44_encrypt', 'nip44_decrypt'];
 function escapeHtml(str) {
@@ -254,12 +255,28 @@ async function startCameraQrScanner(input) {
 const METHOD_META = {
     nip07: { icon: '🌐', title: 'Browser extension', hint: 'bark, Alby, nos2x' },
     amber: { icon: '🤖', title: 'Sign in with Amber', hint: 'Android signer (NIP-55)' },
-    redirect: { icon: '🪪', title: 'Sign in with Signet', hint: 'Open Signet on this device' },
-    qr: { icon: '📱', title: 'Signet on another device', hint: 'Scan QR with your phone' },
+    'local-signet': { icon: '🪪', title: 'Local Signet', hint: 'Open Signet on this device' },
+    'remote-signet': { icon: '📱', title: 'Remote Signet', hint: 'Scan with Signet on another device' },
+    redirect: { icon: '🪪', title: 'Local Signet', hint: 'Open Signet on this device' },
+    qr: { icon: '📱', title: 'Remote Signet', hint: 'Scan with Signet on another device' },
     bunker: { icon: '🔑', title: 'Paste bunker URI', hint: 'For NIP-46 power users' },
     nostrconnect: { icon: '📡', title: 'Connect a Nostr signer', hint: 'Scan with nsec.app, Amber, Keychat...' },
     nsec: { icon: '⚠️', title: 'Paste private key', hint: 'In-memory only - risky, last resort' },
 };
+function pickerMethodKey(method) {
+    if (method === 'local-signet' || method === 'redirect')
+        return 'local-signet';
+    if (method === 'remote-signet' || method === 'qr')
+        return 'remote-signet';
+    return method;
+}
+function routePickerChoice(choice) {
+    if (choice === 'local-signet')
+        return 'redirect';
+    if (choice === 'remote-signet')
+        return 'qr';
+    return choice;
+}
 function isMethodAvailable(method) {
     if (method === 'nip07')
         return hasNip07();
@@ -277,9 +294,9 @@ function renderPicker(refs, opts) {
     return new Promise(resolve => {
         let advancedOpen = false;
         const availableMethods = opts.methods.filter(isMethodAvailable);
-        const advancedSet = new Set(opts.advancedMethods);
-        const primaryMethods = availableMethods.filter(method => !advancedSet.has(method));
-        const advancedMethods = availableMethods.filter(method => advancedSet.has(method));
+        const advancedSet = new Set(opts.advancedMethods.map(pickerMethodKey));
+        const primaryMethods = availableMethods.filter(method => !advancedSet.has(pickerMethodKey(method)));
+        const advancedMethods = availableMethods.filter(method => advancedSet.has(pickerMethodKey(method)));
         const attachChoiceHandlers = () => {
             refs.dialog.querySelectorAll('button[data-choice]').forEach(btn => {
                 btn.addEventListener('click', () => {
@@ -806,20 +823,25 @@ async function runNsecFlow(refs, opts) {
 }
 function uniquePickerMethods(input, fallback) {
     const source = input ?? fallback;
-    const allowed = new Set(DEFAULT_PICKER_METHODS);
+    const allowed = new Set(ALL_PICKER_METHODS);
+    const seen = new Set();
     const out = [];
     for (const method of source) {
         if (!allowed.has(method))
             continue;
-        if (!out.includes(method))
-            out.push(method);
+        const key = pickerMethodKey(method);
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push(method);
     }
     return input === undefined && out.length === 0 ? [...fallback] : out;
 }
 function resolveMethodConfig(opts) {
     const methods = uniquePickerMethods(opts.methods, DEFAULT_PICKER_METHODS);
+    const methodKeys = new Set(methods.map(pickerMethodKey));
     const advancedMethods = uniquePickerMethods(opts.advancedMethods, DEFAULT_ADVANCED_METHODS)
-        .filter(method => methods.includes(method));
+        .filter(method => methodKeys.has(pickerMethodKey(method)));
     return { methods, advancedMethods };
 }
 function resolveRelayUrls(opts) {
@@ -895,11 +917,12 @@ async function runLoginModal(opts) {
             const choice = resolved.preferredMethod
                 ? resolved.preferredMethod
                 : await Promise.race([renderPicker(refs, resolved), aborted]);
+            const routeChoice = choice === null ? null : routePickerChoice(choice);
             if (userAborted)
                 return null;
-            if (choice === null || choice === 'cancel')
+            if (routeChoice === null || routeChoice === 'cancel')
                 return null;
-            if (choice === 'nip07') {
+            if (routeChoice === 'nip07') {
                 const result = await Promise.race([runNip07Flow(refs, resolved), aborted]);
                 if (userAborted)
                     return null;
@@ -919,7 +942,7 @@ async function runLoginModal(opts) {
                     authEvent: result.authEvent,
                 };
             }
-            if (choice === 'redirect') {
+            if (routeChoice === 'redirect') {
                 // Same-device Signet in the modal must keep this app tab alive and keep
                 // the My Signet tab alive as the ongoing bunker. Use the relay-backed
                 // auth response path here; explicit `login({ mode: 'redirect' })`
@@ -942,7 +965,7 @@ async function runLoginModal(opts) {
                 }
                 return session;
             }
-            if (choice === 'amber') {
+            if (routeChoice === 'amber') {
                 // Same-tab navigation to a `nostrsigner:` URL. Android dispatches
                 // it to Amber; the page comes back via callbackUrl with the signed
                 // event in `?event=`. Picked up on next boot by handleRedirectCallback.
@@ -955,7 +978,7 @@ async function runLoginModal(opts) {
                 });
                 return null; // unreachable
             }
-            if (choice === 'qr') {
+            if (routeChoice === 'qr') {
                 const result = await Promise.race([runRedirectFlow(refs, resolved), aborted]);
                 if (userAborted)
                     return null;
@@ -974,7 +997,7 @@ async function runLoginModal(opts) {
                 }
                 return session;
             }
-            if (choice === 'bunker') {
+            if (routeChoice === 'bunker') {
                 const signer = await Promise.race([runBunkerFlow(refs, resolved), aborted]);
                 if (userAborted)
                     return null;
@@ -1000,7 +1023,7 @@ async function runLoginModal(opts) {
                     authEvent,
                 };
             }
-            if (choice === 'nostrconnect') {
+            if (routeChoice === 'nostrconnect') {
                 const signer = await Promise.race([runNostrConnectFlow(refs, resolved), aborted]);
                 if (userAborted)
                     return null;
@@ -1029,7 +1052,7 @@ async function runLoginModal(opts) {
                     authEvent,
                 };
             }
-            if (choice === 'nsec') {
+            if (routeChoice === 'nsec') {
                 const signer = await Promise.race([runNsecFlow(refs, resolved), aborted]);
                 if (userAborted)
                     return null;

package/dist/signers.d.ts CHANGED Viewed

@@ -85,11 +85,23 @@ export declare function buildNostrConnectUri(input: {
     appUrl?: string;
 }): string;
 /**
- * Connect a bunker session from a `bunker://` or `nostr+connect://` URI (or a
- * NIP-05 identifier). Pass `clientSecretKey` to bind a stable client pubkey the
- * signer can auto-approve (see `loadOrCreatePersistentClientSk`); when omitted a
- * fresh ephemeral key is generated, which a per-pubkey-approving bunker will
- * treat as a new, unapproved client.
+ * Convert an app-generated `nostrconnect://` pairing URI into the equivalent
+ * signer-published `bunker://` reconnect URI once the signer pubkey is known.
+ *
+ * `nostrconnect://` is a one-time app-to-signer invitation; it only contains
+ * the client pubkey. After the signer responds, future restores should use
+ * `bunker://signerPubkey?...` with the same relays and secret.
+ */
+export declare function buildBunkerUriFromNostrConnectUri(nostrConnectUri: string, signerPubkeyHex: string): string;
+export declare function isBunkerUri(value: string): boolean;
+export declare function isNostrConnectUri(value: string): boolean;
+export declare function isSupportedPairingUri(value: string): boolean;
+/**
+ * Connect a bunker session from a `bunker://` URI or NIP-05 identifier. Pass
+ * `clientSecretKey` to bind a stable client pubkey the signer can auto-approve
+ * (see `loadOrCreatePersistentClientSk`); when omitted a fresh ephemeral key is
+ * generated, which a per-pubkey-approving bunker will treat as a new,
+ * unapproved client.
  */
 export declare function createBunkerSigner(input: {
     uri: string;

package/dist/signers.js CHANGED Viewed

@@ -118,7 +118,8 @@ export async function createBunkerSignerFromNostrConnect(input) {
         await bunker.close().catch(() => { });
         throw new Error('invalid-pubkey-from-bunker');
     }
-    return new BunkerSignerImpl(pubkey.toLowerCase(), bunker, uri, clientSecretKey);
+    const normalizedBunkerUri = buildBunkerUriFromNostrConnectUri(uri, pubkey);
+    return new BunkerSignerImpl(pubkey.toLowerCase(), bunker, normalizedBunkerUri, clientSecretKey);
 }
 /**
  * Build a NIP-46 `nostrconnect://` URI for the app-initiated flow. The
@@ -149,6 +150,50 @@ export function buildNostrConnectUri(input) {
         params.set('url', input.appUrl);
     return `nostrconnect://${clientPubkeyHex}?${params.toString()}`;
 }
+/**
+ * Convert an app-generated `nostrconnect://` pairing URI into the equivalent
+ * signer-published `bunker://` reconnect URI once the signer pubkey is known.
+ *
+ * `nostrconnect://` is a one-time app-to-signer invitation; it only contains
+ * the client pubkey. After the signer responds, future restores should use
+ * `bunker://signerPubkey?...` with the same relays and secret.
+ */
+export function buildBunkerUriFromNostrConnectUri(nostrConnectUri, signerPubkeyHex) {
+    if (!/^[0-9a-f]{64}$/i.test(signerPubkeyHex))
+        throw new Error('invalid-signer-pubkey');
+    let parsed;
+    try {
+        parsed = new URL(nostrConnectUri);
+    }
+    catch {
+        throw new Error('invalid-nostrconnect-uri');
+    }
+    if (parsed.protocol !== 'nostrconnect:')
+        throw new Error('invalid-nostrconnect-uri');
+    const relays = parsed.searchParams.getAll('relay').map(relay => relay.trim()).filter(Boolean);
+    if (relays.length === 0)
+        throw new Error('relay-url-required');
+    for (const relayUrl of relays) {
+        if (!/^wss?:\/\//.test(relayUrl))
+            throw new Error('invalid-relay-url');
+    }
+    const secret = parsed.searchParams.get('secret');
+    const params = new URLSearchParams();
+    for (const relayUrl of relays)
+        params.append('relay', relayUrl);
+    if (secret)
+        params.set('secret', secret);
+    return `bunker://${signerPubkeyHex.toLowerCase()}?${params.toString()}`;
+}
+export function isBunkerUri(value) {
+    return value.trim().toLowerCase().startsWith('bunker://');
+}
+export function isNostrConnectUri(value) {
+    return value.trim().toLowerCase().startsWith('nostrconnect://');
+}
+export function isSupportedPairingUri(value) {
+    return isBunkerUri(value) || isNostrConnectUri(value);
+}
 /**
  * Race a bunker handshake against a deadline. nostr-tools' `BunkerSigner`
  * `sendRequest` has no per-request timeout — it publishes the request and only
@@ -177,11 +222,11 @@ async function raceBunkerHandshake(p, ms, bunker) {
     }
 }
 /**
- * Connect a bunker session from a `bunker://` or `nostr+connect://` URI (or a
- * NIP-05 identifier). Pass `clientSecretKey` to bind a stable client pubkey the
- * signer can auto-approve (see `loadOrCreatePersistentClientSk`); when omitted a
- * fresh ephemeral key is generated, which a per-pubkey-approving bunker will
- * treat as a new, unapproved client.
+ * Connect a bunker session from a `bunker://` URI or NIP-05 identifier. Pass
+ * `clientSecretKey` to bind a stable client pubkey the signer can auto-approve
+ * (see `loadOrCreatePersistentClientSk`); when omitted a fresh ephemeral key is
+ * generated, which a per-pubkey-approving bunker will treat as a new,
+ * unapproved client.
  */
 export async function createBunkerSigner(input) {
     const trimmed = input.uri.trim();

package/dist/signet-login.d.ts CHANGED Viewed

@@ -16,7 +16,7 @@
  */
 export type { NostrEvent, EventTemplate, LoginMethod, LoginPickerMethod, SignerCapabilities, SignetSigner, SignetAuthEvent, SignetSession, LoginOptions, RestoreOptions, SignetStorage, } from './types.js';
 import type { SignetSigner, LoginOptions, RestoreOptions, SignetSession, SignetAuthEvent, SignetStorage } from './types.js';
-import { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner } from './signers.js';
+import { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, buildBunkerUriFromNostrConnectUri, isBunkerUri, isNostrConnectUri, isSupportedPairingUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner } from './signers.js';
 import { type ConsumeAmberResult } from './amber.js';
 import { handleCallback as handlePopupCallback } from './callback.js';
 import type { ConsumeCallbackResult } from './redirect.js';
@@ -24,7 +24,7 @@ export type { CallbackResult } from './callback.js';
 export type { ConsumeCallbackResult } from './redirect.js';
 export type { ConsumeAmberResult } from './amber.js';
 export { isAndroid } from './amber.js';
-export { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner, };
+export { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, buildBunkerUriFromNostrConnectUri, isBunkerUri, isNostrConnectUri, isSupportedPairingUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner, };
 export interface HandleRedirectCallbackOptions {
     /**
      * Await the returned `bunker://` handoff before resolving the callback.