tempo.ts 0.7.6 → 0.8.0

package/src/wagmi/Actions/amm.test.ts

@@ -116,7 +116,7 @@ describe('mintSync', () => {
   })
 })
 
-describe('burnSync', () => {
+describe.skip('burnSync', () => {
   test('default', async () => {
     await connect(config, {
       connector: config.connectors[0]!,
@@ -167,7 +167,7 @@ describe('burnSync', () => {
   })
 })
 
-describe('rebalanceSwapSync', () => {
+describe.skip('rebalanceSwapSync', () => {
   test('default', async () => {
     await connect(config, {
       connector: config.connectors[0]!,

package/src/wagmi/Connector.test.ts

@@ -40,10 +40,10 @@ test('connect', async (context) => {
   expect(result.current.useAccount.status).toEqual('disconnected')
 
   result.current.useConnect.connect({
+    capabilities: { type: 'sign-up', label: 'Test Account' },
     connector: webAuthn({
       keyManager: KeyManager.localStorage(),
     }),
-    capabilities: { createAccount: { label: 'Test Account' } },
   })
 
   await vi.waitFor(() =>

package/src/wagmi/Connector.ts

@@ -1,5 +1,6 @@
 import * as Address from 'ox/Address'
 import type * as Hex from 'ox/Hex'
+import * as PublicKey from 'ox/PublicKey'
 import {
   createClient,
   type EIP1193Provider,
@@ -9,11 +10,16 @@ import {
 } from 'viem'
 import { generatePrivateKey, privateKeyToAccount } from 'viem/accounts'
 import { ChainNotConfiguredError, createConnector } from 'wagmi'
+import type { OneOf } from '../internal/types.js'
+import * as KeyAuthorization from '../ox/KeyAuthorization.js'
+import * as SignatureEnvelope from '../ox/SignatureEnvelope.js'
 import * as Account from '../viem/Account.js'
 import type * as tempo_Chain from '../viem/Chain.js'
 import { normalizeValue } from '../viem/internal/utils.js'
+import * as Storage from '../viem/Storage.js'
 import { walletNamespaceCompat } from '../viem/Transport.js'
 import * as WebAuthnP256 from '../viem/WebAuthnP256.js'
+import * as WebCryptoP256 from '../viem/WebCryptoP256.js'
 import type * as KeyManager from './KeyManager.js'
 
 type Chain = ReturnType<ReturnType<typeof tempo_Chain.define>>
@@ -35,9 +41,12 @@ export function dangerous_secp256k1(
   type Properties = {
     connect<withCapabilities extends boolean = false>(parameters: {
       capabilities?:
-        | {
-            createAccount?: boolean | undefined
-          }
+        | OneOf<
+            | {
+                type: 'sign-up'
+              }
+            | {}
+          >
         | undefined
       chainId?: number | undefined
       isReconnecting?: boolean | undefined
@@ -75,7 +84,7 @@ export function dangerous_secp256k1(
       const address = await (async () => {
         if (
           'capabilities' in parameters &&
-          parameters.capabilities?.createAccount
+          parameters.capabilities?.type === 'sign-up'
         ) {
           const privateKey = generatePrivateKey()
           const account = privateKeyToAccount(privateKey)
@@ -197,20 +206,28 @@ export declare namespace dangerous_secp256k1 {
  * @returns Connector.
  */
 export function webAuthn(options: webAuthn.Parameters) {
-  let account: Account.Account | undefined
+  let account: Account.RootAccount | undefined
+  let accessKey: Account.AccessKeyAccount | undefined
+
+  const idbStorage = Storage.idb<{
+    [key: `accessKey:${string}`]: WebCryptoP256.createKeyPair.ReturnType
+  }>()
 
   type Properties = {
     connect<withCapabilities extends boolean = false>(parameters: {
       chainId?: number | undefined
       capabilities?:
-        | {
-            createAccount?:
-              | boolean
-              | {
-                  label?: string | undefined
-                }
-              | undefined
-          }
+        | OneOf<
+            | {
+                label?: string | undefined
+                type: 'sign-up'
+              }
+            | {
+                selectAccount?: boolean | undefined
+                type: 'sign-in'
+              }
+            | {}
+          >
         | undefined
       isReconnecting?: boolean | undefined
       withCapabilities?: withCapabilities | boolean | undefined
@@ -234,50 +251,107 @@ export function webAuthn(options: webAuthn.Parameters) {
       account = Account.fromWebAuthnP256(credential)
     },
     async connect(parameters = {}) {
-      account ??= await (async () => {
-        let credential: WebAuthnP256.P256Credential | undefined
+      const { grantAccessKey = false } = options
+      const capabilities =
+        'capabilities' in parameters ? (parameters.capabilities ?? {}) : {}
 
-        if (
-          'capabilities' in parameters &&
-          parameters.capabilities?.createAccount
-        ) {
+      // We are going to need to find:
+      // - a WebAuthn `credential` to instantiate an account
+      // - optionally, a `keyPair` to use as the access key for the account
+      // - optionally, a signed `keyAuthorization` to provision the access key
+      const { credential, keyAuthorization, keyPair } = await (async () => {
+        // If the connection type is of "sign-up", we are going to create a new credential
+        // and provision an access key (if needed).
+        if (capabilities.type === 'sign-up') {
           // Create credential (sign up)
-          const createOptions =
-            typeof parameters.capabilities?.createAccount === 'boolean'
-              ? {}
-              : parameters.capabilities?.createAccount
           const createOptions_remote = await options.keyManager.getChallenge?.()
-          credential = await WebAuthnP256.createCredential({
+          const label =
+            capabilities.label ??
+            options.createOptions?.label ??
+            new Date().toISOString()
+          const rpId =
+            createOptions_remote?.rp?.id ??
+            options.createOptions?.rpId ??
+            options.rpId
+          const credential = await WebAuthnP256.createCredential({
             ...(options.createOptions ?? {}),
-            label:
-              createOptions.label ??
-              options.createOptions?.label ??
-              `Account ${new Date().toISOString().split('T')[0]}`,
-            rpId:
-              createOptions_remote?.rp?.id ??
-              options.createOptions?.rpId ??
-              options.rpId,
+            label,
+            rpId,
             ...(createOptions_remote ?? {}),
           })
           await options.keyManager.setPublicKey({
             credential: credential.raw,
             publicKey: credential.publicKey,
           })
-        } else {
-          // Load credential (log in)
-          credential = (await config.storage?.getItem(
+
+          // Get key pair (access key) to use for the account.
+          const keyPair = await (async () => {
+            if (!grantAccessKey) return undefined
+            return await WebCryptoP256.createKeyPair()
+          })()
+
+          return { credential, keyPair }
+        }
+
+        // If we are not selecting an account, we will check if an active credential is present in
+        // storage and if so, we will use it to instantiate an account.
+        if (!capabilities.selectAccount) {
+          const credential = (await config.storage?.getItem(
             'webAuthn.activeCredential',
-          )) as WebAuthnP256.P256Credential | undefined
+          )) as WebAuthnP256.getCredential.ReturnValue | undefined
 
-          // If no active credential, load (last active, if present) credential from keychain.
-          const lastActiveCredential = await config.storage?.getItem(
-            'webAuthn.lastActiveCredential',
-          )
-          credential ??= await WebAuthnP256.getCredential({
+          if (credential) {
+            // Get key pair (access key) to use for the account.
+            const keyPair = await (async () => {
+              if (!grantAccessKey) return undefined
+              const address = Address.fromPublicKey(
+                PublicKey.fromHex(credential.publicKey),
+              )
+              return await idbStorage.getItem(`accessKey:${address}`)
+            })()
+
+            // If the access key policy is lax, return the credential and key pair (if exists).
+            if (grantAccessKey === 'lax') return { credential, keyPair }
+
+            // If a key pair is found, return the credential and key pair.
+            if (keyPair) return { credential, keyPair }
+
+            // If we are reconnecting, throw an error if not found.
+            if (parameters.isReconnecting)
+              throw new Error('credential not found.')
+
+            // Otherwise, we want to continue to sign up or register against new key pair.
+          }
+        }
+
+        // Discover credential
+        {
+          // Get key pair (access key) to use for the account.
+          const keyPair = await (async () => {
+            if (!grantAccessKey) return undefined
+            return await WebCryptoP256.createKeyPair()
+          })()
+
+          // If we are provisioning an access key, we will need to sign a key authorization.
+          // We will need the hash (digest) to sign, and the address of the access key to construct the key authorization.
+          const { accessKeyAddress, hash } = await (async () => {
+            if (!keyPair)
+              return { accessKeyAddress: undefined, hash: undefined }
+            const accessKeyAddress = Address.fromPublicKey(keyPair.publicKey)
+            const hash = KeyAuthorization.getSignPayload({
+              address: accessKeyAddress,
+              type: 'p256',
+            })
+            return { accessKeyAddress, hash, keyPair }
+          })()
+
+          // If no active credential, we will attempt to load the last active credential from storage.
+          const lastActiveCredential = !capabilities.selectAccount
+            ? await config.storage?.getItem('webAuthn.lastActiveCredential')
+            : undefined
+          const credential = await WebAuthnP256.getCredential({
             ...(options.getOptions ?? {}),
             credentialId: lastActiveCredential?.id,
-            // biome-ignore lint/suspicious/noTsIgnore: _
-            // @ts-ignore
             async getPublicKey(credential) {
               const publicKey = await options.keyManager.getPublicKey({
                 credential,
@@ -285,21 +359,63 @@ export function webAuthn(options: webAuthn.Parameters) {
               if (!publicKey) throw new Error('publicKey not found.')
               return publicKey
             },
+            hash,
             rpId: options.getOptions?.rpId ?? options.rpId,
           })
-        }
 
-        config.storage?.setItem(
-          'webAuthn.activeCredential',
-          normalizeValue(credential),
-        )
-        config.storage?.setItem(
-          'webAuthn.lastActiveCredential',
-          normalizeValue(credential),
-        )
-        return Account.fromWebAuthnP256(credential)
+          const keyAuthorization = accessKeyAddress
+            ? KeyAuthorization.from({
+                address: accessKeyAddress,
+                signature: SignatureEnvelope.from({
+                  metadata: credential.metadata,
+                  signature: credential.signature,
+                  publicKey: PublicKey.fromHex(credential.publicKey),
+                  type: 'webAuthn',
+                }),
+                type: 'p256',
+              })
+            : undefined
+
+          return { credential, keyAuthorization, keyPair }
+        }
       })()
 
+      config.storage?.setItem(
+        'webAuthn.lastActiveCredential',
+        normalizeValue(credential),
+      )
+      config.storage?.setItem(
+        'webAuthn.activeCredential',
+        normalizeValue(credential),
+      )
+
+      account = Account.fromWebAuthnP256(credential, {
+        storage: Storage.from(config.storage as never),
+      })
+
+      if (keyPair) {
+        accessKey = Account.fromWebCryptoP256(keyPair, {
+          access: account,
+          storage: Storage.from(config.storage as never),
+        })
+
+        // If we are not reconnecting, orchestrate the provisioning of the access key.
+        if (!parameters.isReconnecting) {
+          const keyAuth =
+            keyAuthorization ?? (await account.signKeyAuthorization(accessKey))
+
+          await account.storage.setItem('pendingKeyAuthorization', keyAuth)
+          await idbStorage.setItem(
+            `accessKey:${account.address.toLowerCase()}`,
+            keyPair,
+          )
+        }
+        // If we are granting an access key, throw an error if the access key is not provisioned.
+      } else if (grantAccessKey === true) {
+        await config.storage?.removeItem('webAuthn.activeCredential')
+        throw new Error('access key not found')
+      }
+
       const address = getAddress(account.address)
 
       const chainId = parameters.chainId ?? config.chains[0]?.id
@@ -361,7 +477,7 @@ export function webAuthn(options: webAuthn.Parameters) {
       if (!transport) throw new ChainNotConfiguredError()
 
       return createClient({
-        account,
+        account: accessKey ?? account,
         chain: chain as Chain,
         transport: walletNamespaceCompat(transport),
       })
@@ -386,6 +502,20 @@ export namespace webAuthn {
     getOptions?:
       | Pick<WebAuthnP256.getCredential.Parameters, 'getFn' | 'rpId'>
       | undefined
+    /**
+     * Whether or not to grant an access key upon connection.
+     *
+     * - `true`: The account MUST have an access key provisioned.
+     *   On failure, the connection will fail.
+     * - `"lax"`: The account MAY have an access key provisioned.
+     *   On failure, the connection will succeed, but the access key will not be provisioned
+     *   and must be provisioned manually if the user wants to enforce access keys.
+     * - `false`: The account WILL NOT have an access key provisioned. The access key must be
+     *   provisioned manually if the user wants to enforce access keys.
+     *
+     * @default false
+     */
+    grantAccessKey?: boolean | 'lax'
     /** Public key manager. */
     keyManager: KeyManager.KeyManager
     /** The RP ID to use for WebAuthn. */

package/src/wagmi/Hooks/amm.test.ts

@@ -165,7 +165,7 @@ describe('useMintSync', () => {
   })
 })
 
-describe('useBurnSync', () => {
+describe.skip('useBurnSync', () => {
   test('default', async () => {
     const { result } = await renderHook(() => ({
       connect: useConnect(),
@@ -249,7 +249,7 @@ describe('useBurnSync', () => {
   })
 })
 
-describe('useRebalanceSwapSync', () => {
+describe.skip('useRebalanceSwapSync', () => {
   test('default', async () => {
     const { result } = await renderHook(() => ({
       connect: useConnect(),
@@ -322,7 +322,7 @@ describe('useRebalanceSwapSync', () => {
   })
 })
 
-describe('useWatchRebalanceSwap', () => {
+describe.skip('useWatchRebalanceSwap', () => {
   test('default', async () => {
     const { result: connectResult } = await renderHook(() => ({
       connect: useConnect(),
@@ -468,7 +468,7 @@ describe('useWatchMint', () => {
   })
 })
 
-describe('useWatchBurn', () => {
+describe.skip('useWatchBurn', () => {
   test('default', async () => {
     const { result: connectResult } = await renderHook(() => ({
       connect: useConnect(),

package/src/wagmi/Hooks/fee.test.ts

@@ -100,15 +100,21 @@ describe('useUserToken', () => {
           {
             "account": {
               "address": "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266",
-              "getHdKey": [Function],
-              "nonceManager": undefined,
-              "publicKey": "0x048318535b54105d4a7aae60c08fc45f9687181b4fdfc625bd1a753fa7397fed753547f11ca8696646f2f3acb08e31016afac23e630c5d11f59f61fef57b0d2aa5",
+              "assignKeyAuthorization": [Function],
+              "keyType": "secp256k1",
+              "publicKey": "0x8318535b54105d4a7aae60c08fc45f9687181b4fdfc625bd1a753fa7397fed753547f11ca8696646f2f3acb08e31016afac23e630c5d11f59f61fef57b0d2aa5",
               "sign": [Function],
               "signAuthorization": [Function],
+              "signKeyAuthorization": [Function],
               "signMessage": [Function],
               "signTransaction": [Function],
               "signTypedData": [Function],
-              "source": "hd",
+              "source": "root",
+              "storage": {
+                "getItem": [Function],
+                "removeItem": [Function],
+                "setItem": [Function],
+              },
               "type": "local",
             },
             "chainId": 1337,