tempo.ts 0.7.5 → 0.8.0

package/src/viem/Account.ts

@@ -1,15 +1,57 @@
-import { WebCryptoP256 } from 'ox'
 import * as Address from 'ox/Address'
-import type * as Hex from 'ox/Hex'
+import * as Hex from 'ox/Hex'
 import * as P256 from 'ox/P256'
 import * as PublicKey from 'ox/PublicKey'
 import * as Secp256k1 from 'ox/Secp256k1'
 import * as Signature from 'ox/Signature'
 import * as WebAuthnP256 from 'ox/WebAuthnP256'
+import * as WebCryptoP256 from 'ox/WebCryptoP256'
+import type { LocalAccount, RequiredBy, Account as viem_Account } from 'viem'
+import {
+  hashAuthorization,
+  hashMessage,
+  hashTypedData,
+  keccak256,
+  parseAccount,
+} from 'viem/utils'
+import type { OneOf } from '../internal/types.js'
+import * as KeyAuthorization from '../ox/KeyAuthorization.js'
 import * as SignatureEnvelope from '../ox/SignatureEnvelope.js'
-import * as internal from './internal/account.js'
+import * as Storage from './Storage.js'
+import * as Transaction from './Transaction.js'
 
-export type { Account } from './internal/account.js'
+type StorageSchema = {
+  pendingKeyAuthorization?: KeyAuthorization.Signed | undefined
+}
+
+export type Account_base<source extends string = string> = RequiredBy<
+  LocalAccount<source>,
+  'sign' | 'signAuthorization'
+> & {
+  /** Key type. */
+  keyType: SignatureEnvelope.Type
+  /** Account storage. */
+  storage: Storage.Storage<StorageSchema>
+}
+
+export type RootAccount = Account_base<'root'> & {
+  /** Assign key authorization to the next transaction. */
+  assignKeyAuthorization: (
+    keyAuthorization: KeyAuthorization.Signed,
+  ) => Promise<void>
+  /** Sign key authorization. */
+  signKeyAuthorization: (
+    key: Pick<AccessKeyAccount, 'accessKeyAddress' | 'keyType'>,
+    parameters?: Pick<KeyAuthorization.KeyAuthorization, 'expiry' | 'limits'>,
+  ) => Promise<KeyAuthorization.Signed>
+}
+
+export type AccessKeyAccount = Account_base<'accessKey'> & {
+  /** Access key ID. */
+  accessKeyAddress: Address.Address
+}
+
+export type Account = OneOf<RootAccount | AccessKeyAccount>
 
 /**
  * Instantiates an Account from a headless WebAuthn credential (P256 private key).
@@ -24,17 +66,19 @@ export type { Account } from './internal/account.js'
  * @param privateKey P256 private key.
  * @returns Account.
  */
-export function fromHeadlessWebAuthn(
+export function fromHeadlessWebAuthn<
+  const options extends fromHeadlessWebAuthn.Options,
+>(
   privateKey: Hex.Hex,
-  options: fromHeadlessWebAuthn.Options,
-): fromP256.ReturnValue {
-  const { rpId, origin } = options
+  options: options | fromHeadlessWebAuthn.Options,
+): fromHeadlessWebAuthn.ReturnValue<options> {
+  const { access, rpId, origin, storage } = options
 
   const publicKey = P256.getPublicKey({ privateKey })
-  const address = Address.fromPublicKey(publicKey)
 
-  return internal.toPrivateKeyAccount({
-    address,
+  return from({
+    access,
+    keyType: 'webAuthn',
     publicKey,
     async sign({ hash }) {
       const { metadata, payload } = WebAuthnP256.getSignPayload({
@@ -55,20 +99,22 @@ export function fromHeadlessWebAuthn(
         type: 'webAuthn',
       })
     },
-    source: 'webAuthn',
-  })
+    storage,
+  }) as never
 }
 
 export declare namespace fromHeadlessWebAuthn {
   export type Options = Omit<
     WebAuthnP256.getSignPayload.Options,
     'challenge' | 'rpId' | 'origin'
-  > & {
-    rpId: string
-    origin: string
-  }
+  > &
+    Pick<from.Parameters, 'access' | 'storage'> & {
+      rpId: string
+      origin: string
+    }
 
-  export type ReturnValue = internal.toPrivateKeyAccount.ReturnValue
+  export type ReturnValue<options extends Options = Options> =
+    from.ReturnValue<options>
 }
 
 /**
@@ -84,12 +130,16 @@ export declare namespace fromHeadlessWebAuthn {
  * @param privateKey P256 private key.
  * @returns Account.
  */
-export function fromP256(privateKey: Hex.Hex): fromP256.ReturnValue {
+export function fromP256<const options extends fromP256.Options>(
+  privateKey: Hex.Hex,
+  options: options | fromP256.Options = {},
+): fromP256.ReturnValue<options> {
+  const { access, storage } = options
   const publicKey = P256.getPublicKey({ privateKey })
-  const address = Address.fromPublicKey(publicKey)
 
-  return internal.toPrivateKeyAccount({
-    address,
+  return from({
+    access,
+    keyType: 'p256',
     publicKey,
     async sign({ hash }) {
       const signature = P256.sign({ payload: hash, privateKey })
@@ -99,12 +149,15 @@ export function fromP256(privateKey: Hex.Hex): fromP256.ReturnValue {
         type: 'p256',
       })
     },
-    source: 'p256',
-  })
+    storage,
+  }) as never
 }
 
 export declare namespace fromP256 {
-  export type ReturnValue = internal.toPrivateKeyAccount.ReturnValue
+  export type Options = Pick<from.Parameters, 'access' | 'storage'>
+
+  export type ReturnValue<options extends Options = Options> =
+    from.ReturnValue<options>
 }
 
 /**
@@ -121,22 +174,31 @@ export declare namespace fromP256 {
  * @returns Account.
  */
 // TODO: this function will be redundant when Viem migrates to Ox.
-export function fromSecp256k1(privateKey: Hex.Hex): fromSecp256k1.ReturnValue {
+export function fromSecp256k1<const options extends fromSecp256k1.Options>(
+  privateKey: Hex.Hex,
+  options: options | fromSecp256k1.Options = {},
+): fromSecp256k1.ReturnValue<options> {
+  const { access, storage } = options
   const publicKey = Secp256k1.getPublicKey({ privateKey })
 
-  return internal.toPrivateKeyAccount({
-    address: Address.fromPublicKey(publicKey),
+  return from({
+    access,
+    keyType: 'secp256k1',
     publicKey,
     async sign(parameters) {
       const { hash } = parameters
       const signature = Secp256k1.sign({ payload: hash, privateKey })
       return Signature.toHex(signature)
     },
-  })
+    storage,
+  }) as never
 }
 
 export declare namespace fromSecp256k1 {
-  export type ReturnValue = internal.toPrivateKeyAccount.ReturnValue
+  export type Options = Pick<from.Parameters, 'access' | 'storage'>
+
+  export type ReturnValue<options extends Options = Options> =
+    from.ReturnValue<options>
 }
 
 /**
@@ -201,9 +263,10 @@ export function fromWebAuthnP256(
   options: fromWebAuthnP256.Options = {},
 ): fromWebAuthnP256.ReturnValue {
   const { id } = credential
+  const { storage } = options
   const publicKey = PublicKey.fromHex(credential.publicKey)
-  return internal.toPrivateKeyAccount({
-    address: Address.fromPublicKey(publicKey),
+  return from({
+    keyType: 'webAuthn',
     publicKey,
     async sign({ hash }) {
       const { metadata, signature } = await WebAuthnP256.sign({
@@ -218,7 +281,7 @@ export function fromWebAuthnP256(
         type: 'webAuthn',
       })
     },
-    source: 'webAuthn',
+    storage,
   })
 }
 
@@ -231,9 +294,10 @@ export declare namespace fromWebAuthnP256 {
   export type Options = {
     getFn?: WebAuthnP256.sign.Options['getFn'] | undefined
     rpId?: WebAuthnP256.sign.Options['rpId'] | undefined
+    storage?: from.Parameters['storage'] | undefined
   }
 
-  export type ReturnValue = internal.toPrivateKeyAccount.ReturnValue
+  export type ReturnValue = from.ReturnValue
 }
 
 /**
@@ -252,14 +316,18 @@ export declare namespace fromWebAuthnP256 {
  * @param keyPair WebCryptoP256 key pair.
  * @returns Account.
  */
-export function fromWebCryptoP256(
+export function fromWebCryptoP256<
+  const options extends fromWebCryptoP256.Options,
+>(
   keyPair: Awaited<ReturnType<typeof WebCryptoP256.createKeyPair>>,
-): fromWebCryptoP256.ReturnValue {
+  options: options | fromWebCryptoP256.Options = {},
+): fromWebCryptoP256.ReturnValue<options> {
+  const { access, storage } = options
   const { publicKey, privateKey } = keyPair
-  const address = Address.fromPublicKey(publicKey)
 
-  return internal.toPrivateKeyAccount({
-    address,
+  return from({
+    access,
+    keyType: 'p256',
     publicKey,
     async sign({ hash }) {
       const signature = await WebCryptoP256.sign({ payload: hash, privateKey })
@@ -270,10 +338,255 @@ export function fromWebCryptoP256(
         type: 'p256',
       })
     },
-    source: 'p256',
-  })
+    storage,
+  }) as never
 }
 
 export declare namespace fromWebCryptoP256 {
-  export type ReturnValue = internal.toPrivateKeyAccount.ReturnValue
+  export type Options = Pick<from.Parameters, 'access' | 'storage'>
+
+  export type ReturnValue<options extends Options = Options> =
+    from.ReturnValue<options>
+}
+
+export async function signKeyAuthorization(
+  account: LocalAccount,
+  parameters: signKeyAuthorization.Parameters,
+): Promise<signKeyAuthorization.ReturnValue> {
+  const { key, expiry, limits } = parameters
+  const { accessKeyAddress, keyType: type } = key
+
+  const signature = await account.sign!({
+    hash: KeyAuthorization.getSignPayload({
+      address: accessKeyAddress,
+      expiry,
+      limits,
+      type,
+    }),
+  })
+  return KeyAuthorization.from({
+    address: accessKeyAddress,
+    expiry,
+    limits,
+    signature: SignatureEnvelope.from(signature),
+    type,
+  })
+}
+
+export declare namespace signKeyAuthorization {
+  type Parameters = Pick<
+    KeyAuthorization.KeyAuthorization,
+    'expiry' | 'limits'
+  > & {
+    key: Pick<AccessKeyAccount, 'accessKeyAddress' | 'keyType'>
+  }
+
+  type ReturnValue = KeyAuthorization.Signed
+}
+
+/** @internal */
+// biome-ignore lint/correctness/noUnusedVariables: _
+function fromBase(parameters: fromBase.Parameters): Account_base {
+  const {
+    keyType = 'secp256k1',
+    parentAddress,
+    source = 'privateKey',
+  } = parameters
+
+  const address = parentAddress ?? Address.fromPublicKey(parameters.publicKey)
+  const publicKey = PublicKey.toHex(parameters.publicKey, {
+    includePrefix: false,
+  })
+
+  const storage = Storage.from<StorageSchema>(
+    parameters.storage ?? Storage.memory(),
+    { key: `tempo.ts:${address.toLowerCase()}` },
+  )
+
+  async function sign({ hash }: { hash: Hex.Hex }) {
+    const signature = await parameters.sign({ hash })
+    if (parentAddress)
+      return SignatureEnvelope.serialize(
+        SignatureEnvelope.from({
+          userAddress: parentAddress,
+          inner: SignatureEnvelope.from(signature),
+          type: 'keychain',
+        }),
+      )
+
+    return signature
+  }
+
+  return {
+    address: Address.checksum(address),
+    keyType,
+    sign,
+    async signAuthorization(parameters) {
+      const { chainId, nonce } = parameters
+      const address = parameters.contractAddress ?? parameters.address
+      const signature = await sign({
+        hash: hashAuthorization({ address, chainId, nonce }),
+      })
+      const envelope = SignatureEnvelope.from(signature)
+      if (envelope.type !== 'secp256k1')
+        throw new Error(
+          'Unsupported signature type. Expected `secp256k1` but got `' +
+            envelope.type +
+            '`.',
+        )
+      const { r, s, yParity } = envelope.signature
+      return {
+        address,
+        chainId,
+        nonce,
+        r: Hex.fromNumber(r, { size: 32 }),
+        s: Hex.fromNumber(s, { size: 32 }),
+        yParity,
+      }
+    },
+    async signMessage(parameters) {
+      const { message } = parameters
+      const signature = await sign({ hash: hashMessage(message) })
+      const envelope = SignatureEnvelope.from(signature)
+      return SignatureEnvelope.serialize(envelope)
+    },
+    async signTransaction(transaction, options) {
+      const { serializer = Transaction.serialize } = options ?? {}
+
+      const keyAuthorization =
+        (await storage?.getItem('pendingKeyAuthorization')) ?? undefined
+      if (keyAuthorization && !(transaction as any).keyAuthorization) {
+        ;(transaction as any).keyAuthorization = keyAuthorization
+        await storage.removeItem('pendingKeyAuthorization')
+      }
+
+      const signature = await sign({
+        hash: keccak256(await serializer(transaction)),
+      })
+      const envelope = SignatureEnvelope.from(signature)
+      return await serializer(transaction, envelope as never)
+    },
+    async signTypedData(typedData) {
+      const signature = await sign({ hash: hashTypedData(typedData) })
+      const envelope = SignatureEnvelope.from(signature)
+      return SignatureEnvelope.serialize(envelope)
+    },
+    publicKey,
+    source,
+    storage,
+    type: 'local',
+  }
+}
+
+declare namespace fromBase {
+  export type Parameters = {
+    /** Parent address. */
+    parentAddress?: Address.Address | undefined
+    /** Public key. */
+    publicKey: PublicKey.PublicKey
+    /** Key type. */
+    keyType?: SignatureEnvelope.Type | undefined
+    /** Sign function. */
+    sign: NonNullable<LocalAccount['sign']>
+    /** Source. */
+    source?: string | undefined
+    /**
+     * Account storage.
+     * Used for access key management, and pending key authorizations.
+     * @default `Storage.memory()`
+     */
+    storage?: Storage.Storage | undefined
+  }
+
+  export type ReturnValue = Account_base
+}
+
+/** @internal */
+// biome-ignore lint/correctness/noUnusedVariables: _
+function fromRoot(parameters: fromRoot.Parameters): RootAccount {
+  const account = fromBase(parameters)
+  return {
+    ...account,
+    source: 'root',
+    async assignKeyAuthorization(keyAuthorization) {
+      account.storage.setItem('pendingKeyAuthorization', keyAuthorization)
+    },
+    async signKeyAuthorization(key, parameters = {}) {
+      const { expiry, limits } = parameters
+      const { accessKeyAddress, keyType: type } = key
+
+      const signature = await account.sign({
+        hash: KeyAuthorization.getSignPayload({
+          address: accessKeyAddress,
+          expiry,
+          limits,
+          type,
+        }),
+      })
+      const keyAuthorization = KeyAuthorization.from({
+        address: accessKeyAddress,
+        expiry,
+        limits,
+        signature: SignatureEnvelope.from(signature),
+        type,
+      })
+      return keyAuthorization
+    },
+  }
+}
+
+declare namespace fromRoot {
+  export type Parameters = fromBase.Parameters
+
+  export type ReturnValue = RootAccount
+}
+
+// biome-ignore lint/correctness/noUnusedVariables: _
+function fromAccessKey(parameters: fromAccessKey.Parameters): AccessKeyAccount {
+  const { access } = parameters
+  const { address: parentAddress } = parseAccount(access)
+  const account = fromBase({ ...parameters, parentAddress })
+  return {
+    ...account,
+    accessKeyAddress: Address.fromPublicKey(parameters.publicKey),
+    source: 'accessKey',
+  }
+}
+
+declare namespace fromAccessKey {
+  export type Parameters = fromBase.Parameters & {
+    /**
+     * Parent account to access.
+     * If defined, this account will act as an "access key", and use
+     * the parent account's address as the keychain address.
+     */
+    access: viem_Account | Address.Address
+  }
+
+  export type ReturnValue = AccessKeyAccount
+}
+
+// biome-ignore lint/correctness/noUnusedVariables: _
+function from<const parameters extends from.Parameters>(
+  parameters: parameters | from.Parameters,
+): from.ReturnValue<parameters> {
+  const { access } = parameters
+  if (access) return fromAccessKey(parameters) as never
+  return fromRoot(parameters) as never
+}
+
+declare namespace from {
+  export type Parameters = OneOf<fromRoot.Parameters | fromAccessKey.Parameters>
+
+  export type ReturnValue<
+    parameters extends {
+      access?: fromAccessKey.Parameters['access'] | undefined
+    } = {
+      access?: fromAccessKey.Parameters['access'] | undefined
+    },
+  > = parameters extends {
+    access: fromAccessKey.Parameters['access']
+  }
+    ? AccessKeyAccount
+    : RootAccount
 }

package/src/viem/Actions/account.ts

@@ -63,9 +63,8 @@ export async function verifyHash<chain extends Chain | undefined>(
 
   const [envelope, userAddress] = (() => {
     const envelope = SignatureEnvelope.from(signature)
-    // TODO: add once we have key auth
-    // if (envelope.type === 'keychain')
-    //   return [envelope.inner, envelope.userAddress]
+    if (envelope.type === 'keychain')
+      return [envelope.inner, envelope.userAddress]
     return [envelope, undefined]
   })()
 
@@ -83,8 +82,7 @@ export async function verifyHash<chain extends Chain | undefined>(
       publicKey: envelope.publicKey,
       signature: envelope.signature,
     })
-  // TODO: add once we have key auth
-  // if (envelope.type === 'keychain') throw new Error('not supported')
+  if (envelope.type === 'keychain') throw new Error('not supported')
 
   const address =
     parameters.address ??