w3pk 0.10.1 → 0.10.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -257,6 +257,8 @@ await w3pk.clearSession()
257
257
 
258
258
  **Note:** STRICT mode never allows persistent sessions.
259
259
 
260
+ **PRF-keyed persistence:** persistent sessions are encrypted under a key derived from the WebAuthn PRF extension (an authenticator-held secret, released only during a biometric/PIN-verified assertion) and re-keyed at every real login. Authenticators without PRF support get in-memory sessions only — there is no weaker at-rest fallback. See [Security Architecture](./docs/SECURITY.md) for details.
261
+
260
262
  ### RPC Endpoints
261
263
 
262
264
  ```typescript
package/dist/index.d.mts CHANGED
@@ -386,11 +386,20 @@ declare class ApiError extends Web3PasskeyError {
386
386
  * Enables "Remember Me" functionality for STANDARD and YOLO mode wallets.
387
387
  *
388
388
  * SECURITY:
389
- * - Sessions encrypted with WebAuthn-derived keys
389
+ * - The mnemonic blob is encrypted with a key derived from the WebAuthn PRF
390
+ * extension: a secret the authenticator releases only during a
391
+ * user-verified assertion. Nothing stored on disk can re-derive it.
392
+ * - requireReauth: true → the key is NOT stored; every restore re-evaluates
393
+ * the PRF on a live assertion. The blob is hardware-bound at rest.
394
+ * - requireReauth: false → the key is stored as a NON-EXTRACTABLE CryptoKey
395
+ * so silent restore works without a prompt. Scripts can use it but never
396
+ * read its bytes; it is refreshed at every real (prompted) login.
397
+ * - Authenticators without PRF get no persistent sessions (in-memory only) —
398
+ * there is deliberately no weaker fallback encryption.
390
399
  * - Only enabled for STANDARD and YOLO modes (STRICT mode excluded)
391
- * - Time-limited expiration
392
- * - Origin-isolated via IndexedDB
393
- * - Requires valid WebAuthn credential to decrypt
400
+ * - Time-limited expiration; the expiry IS the renewal boundary: when the
401
+ * blob expires, the next login prompts, and that assertion's PRF output
402
+ * re-keys a fresh blob.
394
403
  */
395
404
 
396
405
  /**
@@ -521,6 +530,12 @@ declare class Web3Passkey {
521
530
  login(): Promise<UserInfo>;
522
531
  /**
523
532
  * Logout current user and clear session
533
+ *
534
+ * The user is always logged out in memory, even if clearing persistent
535
+ * storage fails — in that case a StorageError is thrown so the app knows
536
+ * a persistent session may still exist on the device
537
+ *
538
+ * @throws {StorageError} if persistent sessions could not be cleared
524
539
  */
525
540
  logout(): Promise<void>;
526
541
  get isAuthenticated(): boolean;
@@ -1009,6 +1024,8 @@ declare class Web3Passkey {
1009
1024
  /**
1010
1025
  * Clear active session
1011
1026
  * Also clears ALL persistent sessions from IndexedDB
1027
+ *
1028
+ * @throws {StorageError} if persistent sessions could not be cleared
1012
1029
  */
1013
1030
  clearSession(): Promise<void>;
1014
1031
  /**
@@ -1016,6 +1033,14 @@ declare class Web3Passkey {
1016
1033
  * @param hours - Duration in hours
1017
1034
  */
1018
1035
  setSessionDuration(hours: number): void;
1036
+ /**
1037
+ * Update the persistent-session duration (the "Remember Me" window).
1038
+ * Takes effect the next time a session is persisted — i.e. at the next
1039
+ * real (prompted) login, which is also when the blob is re-keyed with a
1040
+ * fresh PRF-derived key. The duration is therefore the renewal interval.
1041
+ * @param hours - Duration in hours
1042
+ */
1043
+ setPersistentSessionDuration(hours: number): void;
1019
1044
  /**
1020
1045
  * Derive ML-KEM-1024 public key from the current wallet
1021
1046
  *
@@ -1301,6 +1326,15 @@ declare function verifyEIP7702Authorization(chainId: bigint, contractAddress: st
1301
1326
  s: string;
1302
1327
  } | string, expectedSigner: string): boolean;
1303
1328
 
1329
+ /** Client extension results consumed by w3pk (subset of the WebAuthn spec) */
1330
+ interface PrfExtensionResults {
1331
+ prf?: {
1332
+ enabled?: boolean;
1333
+ results?: {
1334
+ first?: ArrayBuffer;
1335
+ };
1336
+ };
1337
+ }
1304
1338
  /**
1305
1339
  * Native WebAuthn credential response (authentication)
1306
1340
  */
@@ -1314,14 +1348,7 @@ interface AuthenticationCredential {
1314
1348
  signature: ArrayBuffer;
1315
1349
  userHandle?: ArrayBuffer;
1316
1350
  };
1317
- getClientExtensionResults(): {
1318
- prf?: {
1319
- results?: {
1320
- first?: ArrayBuffer;
1321
- second?: ArrayBuffer;
1322
- };
1323
- };
1324
- };
1351
+ getClientExtensionResults(): PrfExtensionResults;
1325
1352
  }
1326
1353
 
1327
1354
  /**
package/dist/index.d.ts CHANGED
@@ -386,11 +386,20 @@ declare class ApiError extends Web3PasskeyError {
386
386
  * Enables "Remember Me" functionality for STANDARD and YOLO mode wallets.
387
387
  *
388
388
  * SECURITY:
389
- * - Sessions encrypted with WebAuthn-derived keys
389
+ * - The mnemonic blob is encrypted with a key derived from the WebAuthn PRF
390
+ * extension: a secret the authenticator releases only during a
391
+ * user-verified assertion. Nothing stored on disk can re-derive it.
392
+ * - requireReauth: true → the key is NOT stored; every restore re-evaluates
393
+ * the PRF on a live assertion. The blob is hardware-bound at rest.
394
+ * - requireReauth: false → the key is stored as a NON-EXTRACTABLE CryptoKey
395
+ * so silent restore works without a prompt. Scripts can use it but never
396
+ * read its bytes; it is refreshed at every real (prompted) login.
397
+ * - Authenticators without PRF get no persistent sessions (in-memory only) —
398
+ * there is deliberately no weaker fallback encryption.
390
399
  * - Only enabled for STANDARD and YOLO modes (STRICT mode excluded)
391
- * - Time-limited expiration
392
- * - Origin-isolated via IndexedDB
393
- * - Requires valid WebAuthn credential to decrypt
400
+ * - Time-limited expiration; the expiry IS the renewal boundary: when the
401
+ * blob expires, the next login prompts, and that assertion's PRF output
402
+ * re-keys a fresh blob.
394
403
  */
395
404
 
396
405
  /**
@@ -521,6 +530,12 @@ declare class Web3Passkey {
521
530
  login(): Promise<UserInfo>;
522
531
  /**
523
532
  * Logout current user and clear session
533
+ *
534
+ * The user is always logged out in memory, even if clearing persistent
535
+ * storage fails — in that case a StorageError is thrown so the app knows
536
+ * a persistent session may still exist on the device
537
+ *
538
+ * @throws {StorageError} if persistent sessions could not be cleared
524
539
  */
525
540
  logout(): Promise<void>;
526
541
  get isAuthenticated(): boolean;
@@ -1009,6 +1024,8 @@ declare class Web3Passkey {
1009
1024
  /**
1010
1025
  * Clear active session
1011
1026
  * Also clears ALL persistent sessions from IndexedDB
1027
+ *
1028
+ * @throws {StorageError} if persistent sessions could not be cleared
1012
1029
  */
1013
1030
  clearSession(): Promise<void>;
1014
1031
  /**
@@ -1016,6 +1033,14 @@ declare class Web3Passkey {
1016
1033
  * @param hours - Duration in hours
1017
1034
  */
1018
1035
  setSessionDuration(hours: number): void;
1036
+ /**
1037
+ * Update the persistent-session duration (the "Remember Me" window).
1038
+ * Takes effect the next time a session is persisted — i.e. at the next
1039
+ * real (prompted) login, which is also when the blob is re-keyed with a
1040
+ * fresh PRF-derived key. The duration is therefore the renewal interval.
1041
+ * @param hours - Duration in hours
1042
+ */
1043
+ setPersistentSessionDuration(hours: number): void;
1019
1044
  /**
1020
1045
  * Derive ML-KEM-1024 public key from the current wallet
1021
1046
  *
@@ -1301,6 +1326,15 @@ declare function verifyEIP7702Authorization(chainId: bigint, contractAddress: st
1301
1326
  s: string;
1302
1327
  } | string, expectedSigner: string): boolean;
1303
1328
 
1329
+ /** Client extension results consumed by w3pk (subset of the WebAuthn spec) */
1330
+ interface PrfExtensionResults {
1331
+ prf?: {
1332
+ enabled?: boolean;
1333
+ results?: {
1334
+ first?: ArrayBuffer;
1335
+ };
1336
+ };
1337
+ }
1304
1338
  /**
1305
1339
  * Native WebAuthn credential response (authentication)
1306
1340
  */
@@ -1314,14 +1348,7 @@ interface AuthenticationCredential {
1314
1348
  signature: ArrayBuffer;
1315
1349
  userHandle?: ArrayBuffer;
1316
1350
  };
1317
- getClientExtensionResults(): {
1318
- prf?: {
1319
- results?: {
1320
- first?: ArrayBuffer;
1321
- second?: ArrayBuffer;
1322
- };
1323
- };
1324
- };
1351
+ getClientExtensionResults(): PrfExtensionResults;
1325
1352
  }
1326
1353
 
1327
1354
  /**