sui.ski 0.1.0

package/src/handlers/vault.ts

@@ -0,0 +1,284 @@
+import { type Context, Hono } from 'hono'
+import type { Env } from '../types'
+import { jsonResponse } from '../utils/response'
+import type { VaultMeta } from '../utils/vault'
+import {
+	VAULT_BLOB_MAX_BYTES,
+	VAULT_MAX_BOOKMARKS,
+	VAULT_TTL_SECONDS,
+	vaultKey,
+	vaultMetaKey,
+} from '../utils/vault'
+
+type VaultEnv = {
+	Bindings: Env
+	Variables: {
+		env: Env
+		session: {
+			address: string | null
+			walletName: string | null
+			verified: boolean
+		}
+	}
+}
+
+const SUI_ADDRESS_LENGTH = 66
+const SUI_ADDRESS_PREFIX = '0x'
+
+function isValidSuiAddress(address: string): boolean {
+	return address.startsWith(SUI_ADDRESS_PREFIX) && address.length === SUI_ADDRESS_LENGTH
+}
+
+function normalizeAddress(address: string): string {
+	return address.trim().toLowerCase()
+}
+
+function getCookieValue(cookieHeader: string, name: string): string | null {
+	const cookie = cookieHeader
+		.split(';')
+		.map((part) => part.trim())
+		.find((part) => part.startsWith(`${name}=`))
+	if (!cookie) return null
+	const rawValue = cookie.slice(name.length + 1)
+	return rawValue ? decodeURIComponent(rawValue) : null
+}
+
+async function getVerifiedSessionAddress(c: Context<VaultEnv>) {
+	const env = c.get('env') as Env
+	const cookieHeader = c.req.header('Cookie') || ''
+	const sessionId = getCookieValue(cookieHeader, 'session_id')
+	if (!sessionId) return null
+
+	const stub = env.WALLET_SESSIONS.getByName('global')
+	const info = await stub.getSessionInfo(sessionId)
+	if (!info?.verified) return null
+	if (!isValidSuiAddress(info.address)) return null
+	return info.address
+}
+
+function sanitizeMeta(meta: Partial<VaultMeta>): VaultMeta {
+	const version = Math.max(1, Number(meta.version) || 1)
+	const count = Math.max(0, Math.floor(Number(meta.count) || 0))
+	const updatedAt = Number(meta.updatedAt) || Date.now()
+	return {
+		version,
+		updatedAt,
+		count,
+	}
+}
+
+export const vaultRoutes = new Hono<VaultEnv>()
+
+const OVERCLOCK_OBJECT_ID = '0x145540d931f182fef76467dd8074c9839aea126852d90d18e1556fcbbd1208b6'
+
+interface KeyServerConfig {
+	objectId: string
+	weight: number
+	apiKeyName?: string
+	apiKey?: string
+}
+
+function buildKeyServerConfigs(env: Env): KeyServerConfig[] {
+	const ids = (env.SEAL_KEY_SERVERS || '').split(',')
+	const configs: KeyServerConfig[] = []
+	for (const raw of ids) {
+		const objectId = raw.trim()
+		if (!objectId) continue
+		const config: KeyServerConfig = { objectId, weight: 1 }
+		if (objectId === OVERCLOCK_OBJECT_ID) {
+			configs.push(config)
+			continue
+		}
+		if (env.NATSAI_SEAL_API_KEY) {
+			config.apiKeyName = 'x-api-key'
+			config.apiKey = env.NATSAI_SEAL_API_KEY
+			configs.push(config)
+			continue
+		}
+		if (env.PROVIDER3_SEAL_API_KEY) {
+			config.apiKeyName = 'x-api-key'
+			config.apiKey = env.PROVIDER3_SEAL_API_KEY
+			configs.push(config)
+			continue
+		}
+		configs.push(config)
+	}
+	return configs
+}
+
+function buildLegacyKeyServerConfigs(env: Env): KeyServerConfig[] | null {
+	const ids = env.SEAL_TESTNET_KEY_SERVERS
+	if (!ids) return null
+	const configs: KeyServerConfig[] = []
+	for (const raw of ids.split(',')) {
+		const objectId = raw.trim()
+		if (objectId) configs.push({ objectId, weight: 1 })
+	}
+	return configs.length > 0 ? configs : null
+}
+
+vaultRoutes.get('/config', (c) => {
+	const env = c.get('env')
+	const keyServers = buildKeyServerConfigs(env)
+	const threshold = keyServers.length >= 3 ? 2 : Math.max(1, keyServers.length)
+	const legacyKeyServers = buildLegacyKeyServerConfigs(env)
+
+	return jsonResponse({
+		seal: {
+			packageId: env.SEAL_PACKAGE_ID || '',
+			keyServers,
+			approveTarget: env.SEAL_APPROVE_TARGET || null,
+			threshold,
+			network: env.SUI_NETWORK || 'mainnet',
+		},
+		...(legacyKeyServers
+			? {
+					sealLegacy: {
+						packageId: env.SEAL_TESTNET_PACKAGE_ID || '',
+						keyServers: legacyKeyServers,
+						approveTarget: env.SEAL_TESTNET_APPROVE_TARGET || null,
+						threshold: 2,
+						network: 'testnet' as const,
+					},
+				}
+			: {}),
+	})
+})
+
+vaultRoutes.get('/', async (c) => {
+	const env = c.get('env')
+	const ownerAddress = await getVerifiedSessionAddress(c)
+	if (!ownerAddress) return jsonResponse({ error: 'Verified wallet session required' }, 401)
+
+	const [encryptedBlob, metaJson] = await Promise.all([
+		env.CACHE.get(vaultKey(ownerAddress)),
+		env.CACHE.get(vaultMetaKey(ownerAddress)),
+	])
+
+	if (!encryptedBlob || !metaJson) return jsonResponse({ found: false })
+
+	const meta = sanitizeMeta(JSON.parse(metaJson) as VaultMeta)
+	return jsonResponse({ found: true, encryptedBlob, meta })
+})
+
+vaultRoutes.post('/sync', async (c) => {
+	const env = c.get('env')
+	const ownerAddress = await getVerifiedSessionAddress(c)
+	if (!ownerAddress) return jsonResponse({ error: 'Verified wallet session required' }, 401)
+	const body = await c.req.json<{ encryptedBlob: string; ownerAddress: string; meta: VaultMeta }>()
+
+	if (body.ownerAddress && normalizeAddress(body.ownerAddress) !== normalizeAddress(ownerAddress))
+		return jsonResponse({ error: 'ownerAddress must match authenticated wallet session' }, 403)
+	if (body.ownerAddress && !isValidSuiAddress(body.ownerAddress))
+		return jsonResponse(
+			{
+				error: `Invalid ownerAddress: expected ${SUI_ADDRESS_LENGTH} hex chars starting with ${SUI_ADDRESS_PREFIX}`,
+			},
+			400,
+		)
+	if (!body.encryptedBlob) return jsonResponse({ error: 'encryptedBlob is required' }, 400)
+	if (body.encryptedBlob.length > VAULT_BLOB_MAX_BYTES)
+		return jsonResponse(
+			{ error: `encryptedBlob exceeds max size of ${VAULT_BLOB_MAX_BYTES} bytes` },
+			400,
+		)
+	if (!body.meta) return jsonResponse({ error: 'meta is required' }, 400)
+	const nextMeta = sanitizeMeta(body.meta)
+	if (nextMeta.count > VAULT_MAX_BOOKMARKS)
+		return jsonResponse(
+			{ error: `Bookmark count ${nextMeta.count} exceeds max of ${VAULT_MAX_BOOKMARKS}` },
+			400,
+		)
+
+	await Promise.all([
+		env.CACHE.put(vaultKey(ownerAddress), body.encryptedBlob, {
+			expirationTtl: VAULT_TTL_SECONDS,
+		}),
+		env.CACHE.put(
+			vaultMetaKey(ownerAddress),
+			JSON.stringify({ ...nextMeta, updatedAt: Date.now() }),
+			{
+				expirationTtl: VAULT_TTL_SECONDS,
+			},
+		),
+	])
+
+	return jsonResponse({ success: true })
+})
+
+vaultRoutes.get('/watching', async (c) => {
+	const ownerAddress = await getVerifiedSessionAddress(c)
+	if (!ownerAddress) return jsonResponse({ error: 'Verified wallet session required' }, 401)
+	return jsonResponse(
+		{
+			error:
+				'Deprecated endpoint. Determine watching state by decrypting your wallet vault blob client-side.',
+		},
+		410,
+	)
+})
+
+vaultRoutes.post('/toggle-watch', async (c) => {
+	const env = c.get('env')
+	const ownerAddress = await getVerifiedSessionAddress(c)
+	if (!ownerAddress) return jsonResponse({ error: 'Verified wallet session required' }, 401)
+	const body = await c.req.json<{
+		ownerAddress: string
+		name: string
+		action: 'watch' | 'unwatch'
+		encryptedBlob?: string
+		meta?: VaultMeta
+	}>()
+
+	if (!body.name || !body.action)
+		return jsonResponse({ error: 'name and action are required' }, 400)
+	if (body.ownerAddress && normalizeAddress(body.ownerAddress) !== normalizeAddress(ownerAddress))
+		return jsonResponse({ error: 'ownerAddress must match authenticated wallet session' }, 403)
+	if (body.ownerAddress && !isValidSuiAddress(body.ownerAddress))
+		return jsonResponse(
+			{
+				error: `Invalid ownerAddress: expected ${SUI_ADDRESS_LENGTH} hex chars starting with ${SUI_ADDRESS_PREFIX}`,
+			},
+			400,
+		)
+
+	if (!body.encryptedBlob || !body.meta)
+		return jsonResponse(
+			{
+				error:
+					'toggle-watch requires encryptedBlob + meta and no longer stores plaintext bookmark names',
+			},
+			410,
+		)
+	if (body.encryptedBlob.length > VAULT_BLOB_MAX_BYTES)
+		return jsonResponse(
+			{ error: `encryptedBlob exceeds max size of ${VAULT_BLOB_MAX_BYTES} bytes` },
+			400,
+		)
+	const meta = sanitizeMeta(body.meta)
+	if (meta.count > VAULT_MAX_BOOKMARKS)
+		return jsonResponse({ error: `Vault full: max ${VAULT_MAX_BOOKMARKS} bookmarks` }, 400)
+
+	await Promise.all([
+		env.CACHE.put(vaultKey(ownerAddress), body.encryptedBlob, {
+			expirationTtl: VAULT_TTL_SECONDS,
+		}),
+		env.CACHE.put(vaultMetaKey(ownerAddress), JSON.stringify({ ...meta, updatedAt: Date.now() }), {
+			expirationTtl: VAULT_TTL_SECONDS,
+		}),
+	])
+
+	return jsonResponse({ success: true, watching: body.action === 'watch', meta })
+})
+
+vaultRoutes.get('/meta', async (c) => {
+	const env = c.get('env')
+	const ownerAddress = await getVerifiedSessionAddress(c)
+	if (!ownerAddress) return jsonResponse({ error: 'Verified wallet session required' }, 401)
+
+	const metaJson = await env.CACHE.get(vaultMetaKey(ownerAddress))
+	if (!metaJson) return jsonResponse({ found: false })
+
+	const meta = sanitizeMeta(JSON.parse(metaJson) as VaultMeta)
+	return jsonResponse({ found: true, ...meta })
+})

package/src/handlers/wallet-api.ts

@@ -0,0 +1,169 @@
+import { verifyPersonalMessageSignature } from '@mysten/sui/verify'
+import invariant from 'tiny-invariant'
+import type { Env } from '../types'
+import { errorResponse, jsonResponse } from '../utils/response'
+
+const COOKIE_DOMAIN = '.sui.ski'
+const COOKIE_MAX_AGE = 30 * 24 * 60 * 60
+
+interface ConnectRequest {
+	address: string
+	walletName?: string
+	signature?: string
+	challenge?: string
+}
+
+interface DisconnectRequest {
+	sessionId: string
+}
+
+function getCookieValue(cookieHeader: string, name: string): string | null {
+	if (!cookieHeader) return null
+	const parts = cookieHeader.split(';')
+	for (let i = 0; i < parts.length; i++) {
+		const part = parts[i].trim()
+		if (!part) continue
+		const eqIndex = part.indexOf('=')
+		if (eqIndex <= 0) continue
+		if (part.slice(0, eqIndex).trim() !== name) continue
+		return part.slice(eqIndex + 1).trim()
+	}
+	return null
+}
+
+function decodeCookieValue(value: string | null): string | null {
+	if (!value) return null
+	try {
+		return decodeURIComponent(value)
+	} catch {
+		return value
+	}
+}
+
+export async function handleWalletChallenge(_request: Request, env: Env): Promise<Response> {
+	const stub = env.WALLET_SESSIONS.getByName('global')
+	const { challenge, expiresAt } = await stub.createChallenge()
+	return jsonResponse({ challenge, expiresAt })
+}
+
+export async function handleWalletConnect(request: Request, env: Env): Promise<Response> {
+	try {
+		const stub = env.WALLET_SESSIONS.getByName('global')
+
+		const ip = request.headers.get('CF-Connecting-IP') || 'unknown'
+		const withinLimit = await stub.checkRateLimit(ip)
+		if (!withinLimit) {
+			return errorResponse('Too many requests, try again later', 'RATE_LIMITED', 429)
+		}
+
+		const body = await request.json<ConnectRequest>()
+		invariant(body.address, 'address is required')
+
+		let verified = false
+		if (body.signature && body.challenge) {
+			const challengeValid = await stub.verifyChallenge(body.challenge)
+			if (!challengeValid) {
+				return errorResponse('Challenge expired or already used', 'INVALID_CHALLENGE', 400)
+			}
+			const messageBytes = new TextEncoder().encode(body.challenge)
+			try {
+				await verifyPersonalMessageSignature(messageBytes, body.signature, {
+					address: body.address,
+				})
+			} catch {
+				return errorResponse('Signature verification failed', 'INVALID_SIGNATURE', 401)
+			}
+			verified = true
+		}
+
+		await stub.recordRateLimit(ip)
+
+		const sessionId = crypto.randomUUID()
+		await stub.createSession(body.address, sessionId, verified)
+
+		const response = jsonResponse({ sessionId, address: body.address, verified })
+
+		response.headers.append(
+			'Set-Cookie',
+			`session_id=${sessionId}; Domain=${COOKIE_DOMAIN}; Path=/; Max-Age=${COOKIE_MAX_AGE}; SameSite=Lax; Secure`,
+		)
+
+		response.headers.append(
+			'Set-Cookie',
+			`wallet_address=${encodeURIComponent(body.address)}; Domain=${COOKIE_DOMAIN}; Path=/; Max-Age=${COOKIE_MAX_AGE}; SameSite=Lax; Secure`,
+		)
+
+		if (body.walletName) {
+			response.headers.append(
+				'Set-Cookie',
+				`wallet_name=${encodeURIComponent(body.walletName)}; Domain=${COOKIE_DOMAIN}; Path=/; Max-Age=${COOKIE_MAX_AGE}; SameSite=Lax; Secure`,
+			)
+		}
+
+		return response
+	} catch (error) {
+		return errorResponse(
+			error instanceof Error ? error.message : 'Invalid request',
+			'INVALID_REQUEST',
+			400,
+		)
+	}
+}
+
+export async function handleWalletCheck(request: Request, env: Env): Promise<Response> {
+	const url = new URL(request.url)
+	const sessionIdParam = url.searchParams.get('sessionId')
+
+	const cookieHeader = request.headers.get('Cookie') || ''
+	const sessionId = sessionIdParam || decodeCookieValue(getCookieValue(cookieHeader, 'session_id'))
+	const walletName = decodeCookieValue(getCookieValue(cookieHeader, 'wallet_name'))
+
+	if (!sessionId) {
+		return jsonResponse({ address: null, verified: false, walletName: null })
+	}
+
+	const stub = env.WALLET_SESSIONS.getByName('global')
+	const info = await stub.getSessionInfo(sessionId)
+
+	if (info) {
+		await stub.extendSession(sessionId)
+		return jsonResponse({ address: info.address, verified: info.verified, walletName })
+	}
+
+	return jsonResponse({ address: null, verified: false, walletName: null })
+}
+
+export async function handleWalletDisconnect(request: Request, env: Env): Promise<Response> {
+	try {
+		const body = await request.json<DisconnectRequest>()
+		invariant(body.sessionId, 'sessionId is required')
+
+		const stub = env.WALLET_SESSIONS.getByName('global')
+		const success = await stub.deleteSession(body.sessionId)
+
+		const response = jsonResponse({ success })
+
+		response.headers.append(
+			'Set-Cookie',
+			`session_id=; Domain=${COOKIE_DOMAIN}; Path=/; Max-Age=0; SameSite=Lax; Secure`,
+		)
+
+		response.headers.append(
+			'Set-Cookie',
+			`wallet_address=; Domain=${COOKIE_DOMAIN}; Path=/; Max-Age=0; SameSite=Lax; Secure`,
+		)
+
+		response.headers.append(
+			'Set-Cookie',
+			`wallet_name=; Domain=${COOKIE_DOMAIN}; Path=/; Max-Age=0; SameSite=Lax; Secure`,
+		)
+
+		return response
+	} catch (error) {
+		return errorResponse(
+			error instanceof Error ? error.message : 'Invalid request',
+			'INVALID_REQUEST',
+			400,
+		)
+	}
+}