signet-login 0.10.2 → 0.10.4

package/README.md

@@ -164,9 +164,22 @@ await fetch('/api/login', {
 });
 ```
 
-Headless exports include `hasNip07`, `createNip07Signer`, `createBunkerSigner`, `createBunkerSignerFromNostrConnect`, `buildNostrConnectUri`, `createLocalSignerFromNsec`, `createLoginAuthEvent`, `createSessionFromSigner`, and `generateSecretKey`.
+Headless exports include `hasNip07`, `createNip07Signer`, `createBunkerSigner`, `createBunkerSignerFromNostrConnect`, `buildNostrConnectUri`, `buildBunkerUriFromNostrConnectUri`, `isBunkerUri`, `isNostrConnectUri`, `isSupportedPairingUri`, `createLocalSignerFromNsec`, `createLoginAuthEvent`, `createSessionFromSigner`, and `generateSecretKey`.
 The IIFE bundle attaches the same helpers to `window.Signet`.
 
+### NostrConnect and bunker roles
+
+NIP-46 has two URI directions:
+
+| URI | Producer | Consumer | Use |
+|---|---|---|---|
+| `nostrconnect://...` | The app / Signet Access client | Signer app scans or opens it | First pairing, where the app advertises its client pubkey, relays, requested permissions, and one-time secret |
+| `bunker://...` | The signer / bunker | App connects to it | Reconnect, paste/scan bunker flows, native clients, and persisted sessions |
+
+`createBunkerSignerFromNostrConnect()` waits for the signer response and then stores the equivalent `bunker://` reconnect URI internally, preserving the relay list and secret. This matters for apps such as Canary, Pallasite, and Axenstax: the user can pair once with NostrConnect, then `restoreSession()` can reconnect with the same stable client key instead of showing a fresh pairing request.
+
+Signet Access is the app-side session broker. Identity creation, recovery, and derived personas belong in Signet, Heartwood, and `nsec-tree`; app integrations should consume the returned pubkey and capability flags instead of deriving identities inside the login SDK.
+
 ### Custom storage
 
 By default, Signet Access stores session state in localStorage under `signet:login.*`. Pass `storage` when you need encrypted, async, IndexedDB, server-backed, or test storage:

package/dist/modal.js

@@ -18,6 +18,7 @@ const DEFAULT_PICKER_METHODS = ['nip07', 'amber', 'local-signet', 'remote-signet
 const ALL_PICKER_METHODS = [...DEFAULT_PICKER_METHODS, 'redirect', 'qr'];
 const DEFAULT_ADVANCED_METHODS = ['bunker', 'nostrconnect', 'nsec'];
 const DEFAULT_NOSTR_CONNECT_PERMS = ['sign_event', 'nip44_encrypt', 'nip44_decrypt'];
+const LARGE_QR_SIZE_PX = 360;
 function escapeHtml(str) {
     return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
 }
@@ -26,6 +27,13 @@ function generateChallenge() {
     crypto.getRandomValues(bytes);
     return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
 }
+function keepQrCanvasResponsive(canvas, sizePx = LARGE_QR_SIZE_PX) {
+    // qrcode mutates canvas.style.width/height after rendering. Reset height so
+    // max-width scaling on narrow phones preserves the square QR aspect ratio.
+    canvas.style.width = `${sizePx}px`;
+    canvas.style.height = 'auto';
+    canvas.style.maxWidth = '100%';
+}
 function isDarkMode(theme) {
     if (theme === 'dark')
         return true;
@@ -441,7 +449,7 @@ async function runRedirectFlow(refs, opts, flowOpts = {}) {
     <h2 style="margin:0 0 8px;font-size:1.2rem;">${sameDevice ? 'Open My Signet' : 'Sign in with Signet'}</h2>
     <p style="margin:0 0 16px;color:${muted};font-size:0.85rem;">${sameDevice ? 'Approve in My Signet and keep that tab open so it can sign for this app.' : 'Open the link on your phone, or scan the QR if rendered.'}</p>
     <div style="background:${dark ? '#0f0f1f' : '#f5f5f8'};border-radius:8px;padding:16px;margin-bottom:16px;">
-      <canvas id="signet-login-qr" width="360" height="360" style="display:block;width:360px;height:360px;max-width:100%;margin:0 auto 12px;background:#ffffff;border-radius:6px;box-sizing:border-box;"></canvas>
+      <canvas id="signet-login-qr" width="${LARGE_QR_SIZE_PX}" height="${LARGE_QR_SIZE_PX}" style="display:block;width:${LARGE_QR_SIZE_PX}px;height:auto;max-width:100%;margin:0 auto 12px;background:#ffffff;border-radius:6px;box-sizing:border-box;"></canvas>
       <a id="signet-login-open-signet" href="${escapeHtml(authUrl)}" target="_blank" rel="noopener" style="${sameDevice ? buttonStyle(dark, true) + 'justify-content:center;text-align:center;text-decoration:none;' : 'display:block;color:#5b6dff;font-size:0.75rem;word-break:break-all;text-decoration:none;'}">${sameDevice ? 'Open My Signet' : `${escapeHtml(authUrl.slice(0, 80))}…`}</a>
     </div>
     <p id="signet-login-status" style="margin:0 0 12px;color:${muted};font-size:0.85rem;">${sameDevice ? 'Waiting for My Signet approval…' : 'Waiting for approval…'}</p>
@@ -459,11 +467,11 @@ async function runRedirectFlow(refs, opts, flowOpts = {}) {
     const qrCanvas = refs.dialog.querySelector('#signet-login-qr');
     if (qrCanvas) {
         void QRCode.toCanvas(qrCanvas, authUrl, {
-            width: 360,
+            width: LARGE_QR_SIZE_PX,
             margin: 1,
             errorCorrectionLevel: 'H',
             color: { dark: '#0a0418', light: '#ffffff' },
-        }).catch(() => {
+        }).then(() => { keepQrCanvasResponsive(qrCanvas); }).catch(() => {
             // Encoding failure (URL too long for QR L-Q levels, canvas inaccessible)
             // — the visible link below the canvas still gets the user across.
         });
@@ -708,9 +716,10 @@ async function runNostrConnectFlow(refs, opts) {
     });
     refs.dialog.innerHTML = `
     <h2 style="margin:0 0 8px;font-size:1.2rem;">Connect a Nostr signer</h2>
-    <p style="margin:0 0 16px;color:${muted};font-size:0.85rem;">Scan or paste this into your signer (nsec.app, Amber, Keychat...). The connection happens over your configured relay${opts.relayUrls.length > 1 ? 's' : ''}.</p>
+    <p style="margin:0 0 16px;color:${muted};font-size:0.85rem;">Scan this with your signer (nsec.app, Amber, Keychat...), or copy/paste the URI below. The connection happens over your configured relay${opts.relayUrls.length > 1 ? 's' : ''}.</p>
     <div style="background:${dark ? '#0f0f1f' : '#f5f5f8'};border-radius:8px;padding:16px;margin-bottom:16px;">
-      <canvas id="signet-login-nc-qr" width="200" height="200" style="display:block;width:200px;height:200px;margin:0 auto 12px;background:#ffffff;border-radius:6px;box-sizing:border-box;"></canvas>
+      <canvas id="signet-login-nc-qr" width="${LARGE_QR_SIZE_PX}" height="${LARGE_QR_SIZE_PX}" style="display:block;width:${LARGE_QR_SIZE_PX}px;height:auto;max-width:100%;margin:0 auto 12px;background:#ffffff;border-radius:6px;box-sizing:border-box;"></canvas>
+      <textarea id="signet-login-nc-uri" readonly rows="4" autocomplete="off" autocapitalize="off" autocorrect="off" spellcheck="false" aria-label="NostrConnect URI" style="width:100%;background:${dark ? '#050510' : '#ffffff'};color:${dark ? '#e7e7f0' : '#141427'};border:1px solid ${dark ? '#34344d' : '#d8dae3'};border-radius:6px;padding:8px;font-size:0.7rem;line-height:1.35;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;box-sizing:border-box;resize:vertical;margin:0 0 10px;overflow-wrap:anywhere;">${escapeHtml(uri)}</textarea>
       <button data-action="copy" style="${buttonStyle(dark)}width:auto;font-size:0.75rem;padding:6px 10px;margin:0 auto;display:block;">Copy URI</button>
     </div>
     <p id="signet-login-nc-status" style="margin:0 0 12px;color:${muted};font-size:0.85rem;">Waiting for signer to connect…</p>
@@ -722,19 +731,49 @@ async function runNostrConnectFlow(refs, opts) {
     const qrCanvas = refs.dialog.querySelector('#signet-login-nc-qr');
     if (qrCanvas) {
         void QRCode.toCanvas(qrCanvas, uri, {
-            width: 200, margin: 1, errorCorrectionLevel: 'M',
+            width: LARGE_QR_SIZE_PX, margin: 2, errorCorrectionLevel: 'L',
             color: { dark: '#0a0418', light: '#ffffff' },
-        }).catch(() => { });
+        }).then(() => { keepQrCanvasResponsive(qrCanvas); }).catch(() => { });
     }
+    const status = refs.dialog.querySelector('#signet-login-nc-status');
+    const uriText = refs.dialog.querySelector('#signet-login-nc-uri');
+    const selectUriText = () => {
+        if (!uriText)
+            return;
+        uriText.focus();
+        uriText.select();
+        uriText.setSelectionRange(0, uriText.value.length);
+    };
+    uriText?.addEventListener('focus', selectUriText);
+    uriText?.addEventListener('click', selectUriText);
     const copyBtn = refs.dialog.querySelector('[data-action="copy"]');
     copyBtn?.addEventListener('click', () => {
-        void navigator.clipboard?.writeText(uri).then(() => {
-            copyBtn.textContent = 'Copied ✓';
-            window.setTimeout(() => { copyBtn.textContent = 'Copy URI'; }, 1500);
-        });
+        void (async () => {
+            try {
+                if (navigator.clipboard?.writeText) {
+                    await navigator.clipboard.writeText(uri);
+                }
+                else {
+                    selectUriText();
+                    if (typeof document.execCommand !== 'function' || !document.execCommand('copy')) {
+                        throw new Error('clipboard-unavailable');
+                    }
+                }
+                copyBtn.textContent = 'Copied ✓';
+                window.setTimeout(() => { copyBtn.textContent = 'Copy URI'; }, 1500);
+            }
+            catch {
+                selectUriText();
+                copyBtn.textContent = 'URI selected';
+                if (status) {
+                    status.textContent = 'URI selected. Copy it manually if needed.';
+                    status.style.color = '';
+                }
+                window.setTimeout(() => { copyBtn.textContent = 'Copy URI'; }, 2000);
+            }
+        })();
     });
     const ac = new AbortController();
-    const status = refs.dialog.querySelector('#signet-login-nc-status');
     return new Promise(resolve => {
         let settled = false;
         const settle = (v) => {

package/dist/signers.d.ts

@@ -85,11 +85,23 @@ export declare function buildNostrConnectUri(input: {
     appUrl?: string;
 }): string;
 /**
- * Connect a bunker session from a `bunker://` or `nostr+connect://` URI (or a
- * NIP-05 identifier). Pass `clientSecretKey` to bind a stable client pubkey the
- * signer can auto-approve (see `loadOrCreatePersistentClientSk`); when omitted a
- * fresh ephemeral key is generated, which a per-pubkey-approving bunker will
- * treat as a new, unapproved client.
+ * Convert an app-generated `nostrconnect://` pairing URI into the equivalent
+ * signer-published `bunker://` reconnect URI once the signer pubkey is known.
+ *
+ * `nostrconnect://` is a one-time app-to-signer invitation; it only contains
+ * the client pubkey. After the signer responds, future restores should use
+ * `bunker://signerPubkey?...` with the same relays and secret.
+ */
+export declare function buildBunkerUriFromNostrConnectUri(nostrConnectUri: string, signerPubkeyHex: string): string;
+export declare function isBunkerUri(value: string): boolean;
+export declare function isNostrConnectUri(value: string): boolean;
+export declare function isSupportedPairingUri(value: string): boolean;
+/**
+ * Connect a bunker session from a `bunker://` URI or NIP-05 identifier. Pass
+ * `clientSecretKey` to bind a stable client pubkey the signer can auto-approve
+ * (see `loadOrCreatePersistentClientSk`); when omitted a fresh ephemeral key is
+ * generated, which a per-pubkey-approving bunker will treat as a new,
+ * unapproved client.
  */
 export declare function createBunkerSigner(input: {
     uri: string;

package/dist/signers.js

@@ -118,7 +118,8 @@ export async function createBunkerSignerFromNostrConnect(input) {
         await bunker.close().catch(() => { });
         throw new Error('invalid-pubkey-from-bunker');
     }
-    return new BunkerSignerImpl(pubkey.toLowerCase(), bunker, uri, clientSecretKey);
+    const normalizedBunkerUri = buildBunkerUriFromNostrConnectUri(uri, pubkey);
+    return new BunkerSignerImpl(pubkey.toLowerCase(), bunker, normalizedBunkerUri, clientSecretKey);
 }
 /**
  * Build a NIP-46 `nostrconnect://` URI for the app-initiated flow. The
@@ -149,6 +150,50 @@ export function buildNostrConnectUri(input) {
         params.set('url', input.appUrl);
     return `nostrconnect://${clientPubkeyHex}?${params.toString()}`;
 }
+/**
+ * Convert an app-generated `nostrconnect://` pairing URI into the equivalent
+ * signer-published `bunker://` reconnect URI once the signer pubkey is known.
+ *
+ * `nostrconnect://` is a one-time app-to-signer invitation; it only contains
+ * the client pubkey. After the signer responds, future restores should use
+ * `bunker://signerPubkey?...` with the same relays and secret.
+ */
+export function buildBunkerUriFromNostrConnectUri(nostrConnectUri, signerPubkeyHex) {
+    if (!/^[0-9a-f]{64}$/i.test(signerPubkeyHex))
+        throw new Error('invalid-signer-pubkey');
+    let parsed;
+    try {
+        parsed = new URL(nostrConnectUri);
+    }
+    catch {
+        throw new Error('invalid-nostrconnect-uri');
+    }
+    if (parsed.protocol !== 'nostrconnect:')
+        throw new Error('invalid-nostrconnect-uri');
+    const relays = parsed.searchParams.getAll('relay').map(relay => relay.trim()).filter(Boolean);
+    if (relays.length === 0)
+        throw new Error('relay-url-required');
+    for (const relayUrl of relays) {
+        if (!/^wss?:\/\//.test(relayUrl))
+            throw new Error('invalid-relay-url');
+    }
+    const secret = parsed.searchParams.get('secret');
+    const params = new URLSearchParams();
+    for (const relayUrl of relays)
+        params.append('relay', relayUrl);
+    if (secret)
+        params.set('secret', secret);
+    return `bunker://${signerPubkeyHex.toLowerCase()}?${params.toString()}`;
+}
+export function isBunkerUri(value) {
+    return value.trim().toLowerCase().startsWith('bunker://');
+}
+export function isNostrConnectUri(value) {
+    return value.trim().toLowerCase().startsWith('nostrconnect://');
+}
+export function isSupportedPairingUri(value) {
+    return isBunkerUri(value) || isNostrConnectUri(value);
+}
 /**
  * Race a bunker handshake against a deadline. nostr-tools' `BunkerSigner`
  * `sendRequest` has no per-request timeout — it publishes the request and only
@@ -177,11 +222,11 @@ async function raceBunkerHandshake(p, ms, bunker) {
     }
 }
 /**
- * Connect a bunker session from a `bunker://` or `nostr+connect://` URI (or a
- * NIP-05 identifier). Pass `clientSecretKey` to bind a stable client pubkey the
- * signer can auto-approve (see `loadOrCreatePersistentClientSk`); when omitted a
- * fresh ephemeral key is generated, which a per-pubkey-approving bunker will
- * treat as a new, unapproved client.
+ * Connect a bunker session from a `bunker://` URI or NIP-05 identifier. Pass
+ * `clientSecretKey` to bind a stable client pubkey the signer can auto-approve
+ * (see `loadOrCreatePersistentClientSk`); when omitted a fresh ephemeral key is
+ * generated, which a per-pubkey-approving bunker will treat as a new,
+ * unapproved client.
  */
 export async function createBunkerSigner(input) {
     const trimmed = input.uri.trim();

package/dist/signet-login.d.ts

@@ -16,7 +16,7 @@
  */
 export type { NostrEvent, EventTemplate, LoginMethod, LoginPickerMethod, SignerCapabilities, SignetSigner, SignetAuthEvent, SignetSession, LoginOptions, RestoreOptions, SignetStorage, } from './types.js';
 import type { SignetSigner, LoginOptions, RestoreOptions, SignetSession, SignetAuthEvent, SignetStorage } from './types.js';
-import { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner } from './signers.js';
+import { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, buildBunkerUriFromNostrConnectUri, isBunkerUri, isNostrConnectUri, isSupportedPairingUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner } from './signers.js';
 import { type ConsumeAmberResult } from './amber.js';
 import { handleCallback as handlePopupCallback } from './callback.js';
 import type { ConsumeCallbackResult } from './redirect.js';
@@ -24,7 +24,7 @@ export type { CallbackResult } from './callback.js';
 export type { ConsumeCallbackResult } from './redirect.js';
 export type { ConsumeAmberResult } from './amber.js';
 export { isAndroid } from './amber.js';
-export { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner, };
+export { hasNip07, createNip07Signer, createBunkerSigner, createBunkerSignerFromNostrConnect, buildNostrConnectUri, buildBunkerUriFromNostrConnectUri, isBunkerUri, isNostrConnectUri, isSupportedPairingUri, createLocalSignerFromNsec, generateSecretKey, Nip07Signer, BunkerSignerImpl, LocalSigner, };
 export interface HandleRedirectCallbackOptions {
     /**
      * Await the returned `bunker://` handoff before resolving the callback.