thirdweb 5.61.6 → 5.62.0

package/src/wallets/in-app/{web/lib → core}/actions/sign-message.enclave.ts

@@ -1,26 +1,24 @@
-import type { ThirdwebClient } from "../../../../../client/client.js";
-import { getThirdwebBaseUrl } from "../../../../../utils/domains.js";
-import { getClientFetch } from "../../../../../utils/fetch.js";
-import { stringify } from "../../../../../utils/json.js";
-import type { ClientScopedStorage } from "../../../core/authentication/client-scoped-storage.js";
-import type { Ecosystem } from "../../../core/wallet/types.js";
+import type { ThirdwebClient } from "../../../../client/client.js";
+import { getThirdwebBaseUrl } from "../../../../utils/domains.js";
+import { getClientFetch } from "../../../../utils/fetch.js";
+import { stringify } from "../../../../utils/json.js";
+import type { ClientScopedStorage } from "../authentication/client-scoped-storage.js";
 
 export async function signMessage({
   client,
-  ecosystem,
   payload: { message, isRaw },
   storage,
 }: {
   client: ThirdwebClient;
-  ecosystem?: Ecosystem;
   payload: {
     message: string;
     isRaw: boolean;
   };
   storage: ClientScopedStorage;
 }) {
-  const clientFetch = getClientFetch(client, ecosystem);
   const authToken = await storage.getAuthCookie();
+  const ecosystem = storage.ecosystem;
+  const clientFetch = getClientFetch(client, ecosystem);
 
   if (!authToken) {
     throw new Error("No auth token found when signing message");

package/src/wallets/in-app/{web/lib → core}/actions/sign-transaction.enclave.ts

@@ -1,24 +1,22 @@
-import type { ThirdwebClient } from "../../../../../client/client.js";
-import { getThirdwebBaseUrl } from "../../../../../utils/domains.js";
-import type { Hex } from "../../../../../utils/encoding/hex.js";
-import { getClientFetch } from "../../../../../utils/fetch.js";
-import { stringify } from "../../../../../utils/json.js";
-import type { ClientScopedStorage } from "../../../core/authentication/client-scoped-storage.js";
-import type { Ecosystem } from "../../../core/wallet/types.js";
+import type { ThirdwebClient } from "../../../../client/client.js";
+import { getThirdwebBaseUrl } from "../../../../utils/domains.js";
+import type { Hex } from "../../../../utils/encoding/hex.js";
+import { getClientFetch } from "../../../../utils/fetch.js";
+import { stringify } from "../../../../utils/json.js";
+import type { ClientScopedStorage } from "../authentication/client-scoped-storage.js";
 
 export async function signTransaction({
   client,
-  ecosystem,
   payload,
   storage,
 }: {
   client: ThirdwebClient;
-  ecosystem?: Ecosystem;
   payload: Record<string, Hex | number | undefined>;
   storage: ClientScopedStorage;
 }) {
-  const clientFetch = getClientFetch(client, ecosystem);
   const authToken = await storage.getAuthCookie();
+  const ecosystem = storage.ecosystem;
+  const clientFetch = getClientFetch(client, ecosystem);
 
   if (!authToken) {
     throw new Error("No auth token found when signing transaction");

package/src/wallets/in-app/{web/lib → core}/actions/sign-typed-data.enclave.ts

@@ -1,28 +1,26 @@
 import type { TypedData } from "abitype";
 import type { TypedDataDefinition } from "viem";
-import type { ThirdwebClient } from "../../../../../client/client.js";
-import { getThirdwebBaseUrl } from "../../../../../utils/domains.js";
-import { getClientFetch } from "../../../../../utils/fetch.js";
-import { stringify } from "../../../../../utils/json.js";
-import type { ClientScopedStorage } from "../../../core/authentication/client-scoped-storage.js";
-import type { Ecosystem } from "../../../core/wallet/types.js";
+import type { ThirdwebClient } from "../../../../client/client.js";
+import { getThirdwebBaseUrl } from "../../../../utils/domains.js";
+import { getClientFetch } from "../../../../utils/fetch.js";
+import { stringify } from "../../../../utils/json.js";
+import type { ClientScopedStorage } from "../authentication/client-scoped-storage.js";
 
 export async function signTypedData<
   const typedData extends TypedData | Record<string, unknown>,
   primaryType extends keyof typedData | "EIP712Domain" = keyof typedData,
 >({
   client,
-  ecosystem,
   payload,
   storage,
 }: {
   client: ThirdwebClient;
-  ecosystem?: Ecosystem;
   payload: TypedDataDefinition<typedData, primaryType>;
   storage: ClientScopedStorage;
 }) {
-  const clientFetch = getClientFetch(client, ecosystem);
   const authToken = await storage.getAuthCookie();
+  const ecosystem = storage.ecosystem;
+  const clientFetch = getClientFetch(client, ecosystem);
 
   if (!authToken) {
     throw new Error("No auth token found when signing typed data");

package/src/wallets/in-app/core/authentication/client-scoped-storage.ts

@@ -1,5 +1,4 @@
 import type { AsyncStorage } from "../../../../utils/storage/AsyncStorage.js";
-import type { EcosystemWalletId } from "../../../wallet-types.js";
 import {
   AUTH_TOKEN_LOCAL_STORAGE_NAME,
   DEVICE_SHARE_LOCAL_STORAGE_NAME,
@@ -8,6 +7,7 @@ import {
   WALLET_CONNECT_SESSIONS_LOCAL_STORAGE_NAME,
   WALLET_USER_ID_LOCAL_STORAGE_NAME,
 } from "../constants/settings.js";
+import type { Ecosystem } from "../wallet/types.js";
 
 const data = new Map<string, string>();
 
@@ -17,20 +17,22 @@ const data = new Map<string, string>();
 export class ClientScopedStorage {
   protected key: string;
   protected storage: AsyncStorage | null;
+  public ecosystem?: Ecosystem;
   /**
    * @internal
    */
   constructor({
     storage,
     clientId,
-    ecosystemId,
+    ecosystem,
   }: {
     storage: AsyncStorage | null;
     clientId: string;
-    ecosystemId?: EcosystemWalletId;
+    ecosystem?: Ecosystem;
   }) {
     this.storage = storage;
-    this.key = getLocalStorageKey(clientId, ecosystemId);
+    this.key = getLocalStorageKey(clientId, ecosystem?.id);
+    this.ecosystem = ecosystem;
   }
 
   protected async getItem(key: string): Promise<string | null> {

package/src/wallets/in-app/core/authentication/guest.ts

@@ -19,7 +19,7 @@ export async function guestAuthenticate(args: {
   const storage = new ClientScopedStorage({
     storage: args.storage,
     clientId: args.client.clientId,
-    ecosystemId: args.ecosystem?.id,
+    ecosystem: args.ecosystem,
   });
 
   let sessionId = await storage.getGuestSessionId();

package/src/wallets/in-app/core/wallet/enclave-wallet.ts

@@ -11,10 +11,10 @@ import type {
   Account,
   SendTransactionOption,
 } from "../../../interfaces/wallet.js";
-import { getUserStatus } from "../../web/lib/actions/get-enclave-user-status.js";
-import { signMessage as signEnclaveMessage } from "../../web/lib/actions/sign-message.enclave.js";
-import { signTransaction as signEnclaveTransaction } from "../../web/lib/actions/sign-transaction.enclave.js";
-import { signTypedData as signEnclaveTypedData } from "../../web/lib/actions/sign-typed-data.enclave.js";
+import { getUserStatus } from "../actions/get-enclave-user-status.js";
+import { signMessage as signEnclaveMessage } from "../actions/sign-message.enclave.js";
+import { signTransaction as signEnclaveTransaction } from "../actions/sign-transaction.enclave.js";
+import { signTypedData as signEnclaveTypedData } from "../actions/sign-typed-data.enclave.js";
 import type { ClientScopedStorage } from "../authentication/client-scoped-storage.js";
 import type {
   AuthDetails,
@@ -33,18 +33,16 @@ export type UserStatus = {
       | { address: string; [key: string]: string }
       | { id: string; [key: string]: string };
   }[];
-  wallets:
-    | [
-        {
-          address: string;
-          createdAt: string;
-          type: "sharded" | "enclave";
-        },
-      ]
-    | [];
+  wallets: UserWallet[];
   id: string;
 };
 
+export type UserWallet = {
+  address: string;
+  createdAt: string;
+  type: "sharded" | "enclave";
+};
+
 export class EnclaveWallet implements IWebWallet {
   private client: ThirdwebClient;
   private ecosystem?: Ecosystem;
@@ -130,7 +128,6 @@ export class EnclaveWallet implements IWebWallet {
    */
   async getAccount(): Promise<Account> {
     const client = this.client;
-    const ecosystem = this.ecosystem;
     const storage = this.localStorage;
 
     const _signTransaction = async (tx: SendTransactionOption) => {
@@ -171,7 +168,6 @@ export class EnclaveWallet implements IWebWallet {
 
       return signEnclaveTransaction({
         client,
-        ecosystem,
         storage,
         payload: transaction,
       });
@@ -218,7 +214,6 @@ export class EnclaveWallet implements IWebWallet {
 
         const { signature } = await signEnclaveMessage({
           client,
-          ecosystem,
           payload: messagePayload,
           storage,
         });
@@ -228,7 +223,6 @@ export class EnclaveWallet implements IWebWallet {
         const parsedTypedData = parseTypedData(_typedData);
         const { signature } = await signEnclaveTypedData({
           client,
-          ecosystem,
           payload: parsedTypedData,
           storage,
         });

package/src/wallets/in-app/native/auth/passkeys.ts

@@ -125,7 +125,7 @@ export async function hasStoredPasskey(
   const storage = new ClientScopedStorage({
     storage: nativeLocalStorage,
     clientId: client.clientId,
-    ecosystemId: ecosystemId,
+    ecosystem: ecosystemId ? { id: ecosystemId } : undefined,
   });
   const credId = await storage.getPasskeyCredentialId();
   return !!credId;

package/src/wallets/in-app/native/helpers/api/fetchers.ts

@@ -14,6 +14,8 @@ import { createErrorMessage } from "../errors.js";
 
 const EMBEDDED_WALLET_TOKEN_HEADER = "embedded-wallet-token";
 const PAPER_CLIENT_ID_HEADER = "x-thirdweb-client-id";
+const ECOSYSTEM_ID_HEADER = "x-ecosystem-id";
+const ECOSYSTEM_PARTNER_ID_HEADER = "x-ecosystem-partner-id";
 
 let sessionNonce: Hex | undefined = undefined;
 
@@ -63,6 +65,12 @@ export async function authFetchEmbeddedWalletUser(args: {
           authTokenClient || ""
         }`,
         [PAPER_CLIENT_ID_HEADER]: client.clientId,
+        ...(storage.ecosystem
+          ? {
+              [ECOSYSTEM_ID_HEADER]: storage.ecosystem.id,
+              [ECOSYSTEM_PARTNER_ID_HEADER]: storage.ecosystem?.partnerId,
+            }
+          : {}),
         ...getSessionHeaders(),
       }
     : {
@@ -70,6 +78,12 @@ export async function authFetchEmbeddedWalletUser(args: {
           authTokenClient || ""
         }`,
         [PAPER_CLIENT_ID_HEADER]: client.clientId,
+        ...(storage.ecosystem
+          ? {
+              [ECOSYSTEM_ID_HEADER]: storage.ecosystem.id,
+              [ECOSYSTEM_PARTNER_ID_HEADER]: storage.ecosystem?.partnerId,
+            }
+          : {}),
         ...getSessionHeaders(),
       };
 

package/src/wallets/in-app/native/helpers/auth/middleware.ts

@@ -102,10 +102,11 @@ async function getRecoveryCode(args: {
     }
     try {
       return await getCognitoRecoveryPasswordV2({ client, storage });
-    } catch {
+    } catch (err) {
+      console.error("Error recovering wallet", err);
       return await getCognitoRecoveryPasswordV1({ client, storage }).catch(
         () => {
-          throw new Error("Something went wrong getting cognito recovery code");
+          throw new Error("Something went wrong while recovering wallet");
         },
       );
     }

package/src/wallets/in-app/native/helpers/constants.ts

@@ -22,6 +22,8 @@ export const GENERATE_RECOVERY_PASSWORD_LAMBDA_FUNCTION_V1 =
   "arn:aws:lambda:us-west-2:324457261097:function:recovery-share-password-GenerateRecoverySharePassw-bbE5ZbVAToil";
 export const GENERATE_RECOVERY_PASSWORD_LAMBDA_FUNCTION_V2 =
   "arn:aws:lambda:us-west-2:324457261097:function:lambda-thirdweb-auth-enc-key-prod-ThirdwebAuthEncKeyFunction";
+export const ENCLAVE_KMS_KEY_ARN =
+  "arn:aws:kms:us-west-2:324457261097:key/8b2a8cd5-9b22-4ea0-a6bc-463824a78f20";
 
 // TODO allow overriding domain
 const DOMAIN_URL_2023 = getThirdwebBaseUrl("inAppWallet");

package/src/wallets/in-app/native/helpers/wallet/migration.ts

@@ -0,0 +1,185 @@
+import { GenerateDataKeyCommand, KMSClient } from "@aws-sdk/client-kms";
+import { fromCognitoIdentity } from "@aws-sdk/credential-providers";
+import QuickCrypto from "react-native-quick-crypto";
+import type { ThirdwebClient } from "../../../../../client/client.js";
+import { getThirdwebBaseUrl } from "../../../../../utils/domains.js";
+import { stringToBytes } from "../../../../../utils/encoding/to-bytes.js";
+import { randomBytesBuffer } from "../../../../../utils/random.js";
+import {
+  concatUint8Arrays,
+  uint8ArrayToBase64,
+} from "../../../../../utils/uint8-array.js";
+import { privateKeyToAccount } from "../../../../private-key.js";
+import type { ClientScopedStorage } from "../../../core/authentication/client-scoped-storage.js";
+import type { AuthStoredTokenWithCookieReturnType } from "../../../core/authentication/types.js";
+import type { UserWallet } from "../../../core/wallet/enclave-wallet.js";
+import { authFetchEmbeddedWalletUser } from "../api/fetchers.js";
+import { postAuth } from "../auth/middleware.js";
+import {
+  AWS_REGION,
+  ENCLAVE_KMS_KEY_ARN,
+  ROUTE_AUTH_COGNITO_ID_TOKEN_V2,
+} from "../constants.js";
+import { getShares, getWalletPrivateKeyFromShares } from "./retrieval.js";
+
+/**
+ * Migrate a sharded wallet to an enclave wallet.
+ *
+ * @param args - The arguments for the migration process.
+ * @returns The migrated user wallet.
+ */
+export async function migrateToEnclaveWallet(args: {
+  client: ThirdwebClient;
+  storage: ClientScopedStorage;
+  storedToken: AuthStoredTokenWithCookieReturnType["storedToken"];
+  encryptionKey?: string;
+}): Promise<UserWallet> {
+  // setup sharded wallet first, so we have the shares available
+  await postAuth({
+    storedToken: args.storedToken,
+    client: args.client,
+    storage: args.storage,
+    encryptionKey: args.encryptionKey,
+  });
+
+  const { authShare, deviceShare } = await getShares({
+    client: args.client,
+    authShare: { toRetrieve: true },
+    deviceShare: { toRetrieve: true },
+    recoveryShare: { toRetrieve: false },
+    storage: args.storage,
+  });
+
+  // construct the sharded wallet
+  const privateKey = await getWalletPrivateKeyFromShares([
+    authShare,
+    deviceShare,
+  ]);
+  const account = privateKeyToAccount({
+    client: args.client,
+    privateKey,
+  });
+  const address = account.address;
+
+  // get cognito identity
+  const idTokenResponse = await authFetchEmbeddedWalletUser({
+    client: args.client,
+    url: ROUTE_AUTH_COGNITO_ID_TOKEN_V2,
+    props: {
+      method: "GET",
+    },
+    storage: args.storage,
+  });
+  if (!idTokenResponse.ok) {
+    throw new Error(
+      `Failed to fetch id token from Cognito: ${JSON.stringify(
+        await idTokenResponse.json(),
+        null,
+        2,
+      )}`,
+    );
+  }
+  const idTokenResult = await idTokenResponse.json();
+  const { token, identityId } = idTokenResult;
+
+  const cognitoIdentity = fromCognitoIdentity({
+    clientConfig: {
+      region: AWS_REGION,
+    },
+    identityId,
+    logins: {
+      "cognito-identity.amazonaws.com": token,
+    },
+  });
+
+  // get kms key
+  const kmsClient = new KMSClient({
+    region: AWS_REGION,
+    credentials: cognitoIdentity,
+  });
+  const generateDataKeyCommand = new GenerateDataKeyCommand({
+    KeyId: ENCLAVE_KMS_KEY_ARN,
+    KeySpec: "AES_256",
+  });
+  const encryptedKeyResult = await kmsClient.send(generateDataKeyCommand);
+  const plaintextKeyBlob = encryptedKeyResult.Plaintext;
+  const cipherTextBlob = encryptedKeyResult.CiphertextBlob;
+  if (!plaintextKeyBlob || !cipherTextBlob) {
+    throw new Error("No migration key found. Please try again.");
+  }
+
+  // encrypt private key
+  const iv = randomBytesBuffer(16);
+  // @ts-ignore - default import buils but ts doesn't like it
+  const key = await QuickCrypto.subtle.importKey(
+    "raw",
+    plaintextKeyBlob,
+    "AES-CBC",
+    false,
+    ["encrypt", "decrypt"],
+  );
+
+  // @ts-ignore - default import buils but ts doesn't like it
+  const encryptedPrivateKey = await QuickCrypto.subtle.encrypt(
+    {
+      name: "AES-CBC",
+      iv,
+    },
+    key,
+    stringToBytes(privateKey),
+  );
+
+  const encryptedData = concatUint8Arrays([
+    iv,
+    new Uint8Array(encryptedPrivateKey),
+  ]);
+
+  const ivB64 = uint8ArrayToBase64(iv);
+  const cipherTextB64 = uint8ArrayToBase64(cipherTextBlob);
+  const encryptedPrivateKeyB64 = uint8ArrayToBase64(encryptedData);
+
+  // execute migration
+  const result = await executeMigration({
+    client: args.client,
+    storage: args.storage,
+    address,
+    kmsCiphertextB64: cipherTextB64,
+    encryptedPrivateKeyB64: encryptedPrivateKeyB64,
+    ivB64,
+  });
+
+  return result;
+}
+
+async function executeMigration(args: {
+  client: ThirdwebClient;
+  storage: ClientScopedStorage;
+  address: string;
+  kmsCiphertextB64: string;
+  encryptedPrivateKeyB64: string;
+  ivB64: string;
+}): Promise<UserWallet> {
+  const migrationResponse = await authFetchEmbeddedWalletUser({
+    client: args.client,
+    url: `${getThirdwebBaseUrl("inAppWallet")}/api/v1/enclave-wallet/migrate`,
+    props: {
+      method: "POST",
+      body: JSON.stringify({
+        address: args.address,
+        kmsCiphertextB64: args.kmsCiphertextB64,
+        encryptedPrivateKeyB64: args.encryptedPrivateKeyB64,
+        ivB64: args.ivB64,
+      }),
+    },
+    storage: args.storage,
+  });
+  if (!migrationResponse.ok) {
+    throw new Error(
+      `Failed to migrate to enclave wallet: ${JSON.stringify(
+        await migrationResponse.json(),
+      )}`,
+    );
+  }
+  const migrationResult = (await migrationResponse.json()) as UserWallet;
+  return migrationResult;
+}

package/src/wallets/in-app/native/helpers/wallet/retrieval.ts

@@ -40,7 +40,7 @@ export async function getExistingUserAccount(args: {
   });
 }
 
-async function getWalletPrivateKeyFromShares(shares: string[]) {
+export async function getWalletPrivateKeyFromShares(shares: string[]) {
   const { secrets } = await import("./sss.js");
   let privateKeyHex = secrets.combine(shares, 0);
   if (!isHex(privateKeyHex)) {
@@ -86,7 +86,7 @@ async function getAccountFromShares(args: {
  * @returns The requested shares
  * @throws if attempting to get deviceShare when it's not present
  */
-async function getShares<
+export async function getShares<
   A extends boolean,
   D extends boolean,
   R extends boolean,