wdk: address review comments; refactor auth commitments

Author: patrislav

packages/wallet/wdk/src/dbs/auth-commitments.ts

@@ -3,17 +3,19 @@ import { IDBPDatabase, IDBPTransaction } from 'idb'
 
 const TABLE_NAME = 'auth-commitments'
 
+export type CommitAuthArgs =
+  | { type: 'auth'; state?: string }
+  | { type: 'reauth'; state: string; signer: string }
+  | { type: 'add-signer'; wallet: string; state?: string }
+
 export type AuthCommitment = {
   id: string
   kind: 'google-pkce' | 'apple' | `custom-${string}`
   metadata: { [key: string]: string }
   verifier?: string
   challenge?: string
   target: string
-  isSignUp: boolean
-  signer?: string
-  wallet?: string
-}
+} & ({ type: 'auth' } | { type: 'reauth'; signer: string } | { type: 'add-signer'; wallet: string })
 
 export class AuthCommitments extends Generic<AuthCommitment, 'id'> {
   constructor(dbName: string = 'sequence-auth-commitments') {

packages/wallet/wdk/src/dbs/index.ts

@@ -1,4 +1,4 @@
-export type { AuthCommitment } from './auth-commitments.js'
+export type { AuthCommitment, CommitAuthArgs } from './auth-commitments.js'
 export { AuthCommitments } from './auth-commitments.js'
 
 export type { AuthKey } from './auth-keys.js'

packages/wallet/wdk/src/sequence/handlers/authcode-pkce.ts

@@ -6,6 +6,7 @@ import * as Identity from '@0xsequence/identity-instrument'
 import { IdentitySigner } from '../../identity/signer.js'
 import { AuthCodeHandler } from './authcode.js'
 import type { WdkEnv } from '../../env.js'
+import type { CommitAuthArgs } from '../../dbs/auth-commitments.js'
 
 export class AuthCodePkceHandler extends AuthCodeHandler implements Handler {
   constructor(
@@ -22,26 +23,30 @@ export class AuthCodePkceHandler extends AuthCodeHandler implements Handler {
     super(signupKind, issuer, oauthUrl, audience, nitro, signatures, commitments, authKeys, env)
   }
 
-  public async commitAuth(target: string, isSignUp: boolean, state?: string, signer?: string, wallet?: string) {
+  public async commitAuth(target: string, args: CommitAuthArgs) {
     let challenge = new Identity.AuthCodePkceChallenge(this.issuer, this.audience, this.redirectUri)
-    if (signer) {
-      challenge = challenge.withSigner({ address: signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
+    if (args.type === 'reauth') {
+      challenge = challenge.withSigner({ address: args.signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
     }
     const { verifier, loginHint, challenge: codeChallenge } = await this.nitroCommitVerifier(challenge)
-    if (!state) {
-      state = Hex.fromBytes(Bytes.random(32))
-    }
+    const state = args.state ?? Hex.fromBytes(Bytes.random(32))
 
-    await this.commitments.set({
+    const base = {
       id: state,
-      kind: this.signupKind,
+      kind: this.signupKind as Db.AuthCommitment['kind'],
       verifier,
       challenge: codeChallenge,
       target,
       metadata: {},
-      isSignUp,
-      wallet,
-    })
+    }
+
+    if (args.type === 'reauth') {
+      await this.commitments.set({ ...base, type: 'reauth', signer: args.signer })
+    } else if (args.type === 'add-signer') {
+      await this.commitments.set({ ...base, type: 'add-signer', wallet: args.wallet })
+    } else {
+      await this.commitments.set({ ...base, type: 'auth' })
+    }
 
     const searchParams = this.serializeQuery({
       code_challenge: codeChallenge,

packages/wallet/wdk/src/sequence/handlers/authcode.ts

@@ -8,6 +8,7 @@ import { IdentitySigner } from '../../identity/signer.js'
 import { IdentityHandler } from './identity.js'
 import { Kinds } from '../types/signer.js'
 import type { NavigationLike, WdkEnv } from '../../env.js'
+import type { CommitAuthArgs } from '../../dbs/auth-commitments.js'
 
 export class AuthCodeHandler extends IdentityHandler implements Handler {
   protected redirectUri: string = ''
@@ -39,20 +40,23 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
     this.redirectUri = redirectUri
   }
 
-  public async commitAuth(target: string, isSignUp: boolean, state?: string, signer?: string, wallet?: string) {
-    if (!state) {
-      state = Hex.fromBytes(Bytes.random(32))
-    }
+  public async commitAuth(target: string, args: CommitAuthArgs) {
+    const state = args.state ?? Hex.fromBytes(Bytes.random(32))
 
-    await this.commitments.set({
+    const base = {
       id: state,
-      kind: this.signupKind,
-      signer,
+      kind: this.signupKind as Db.AuthCommitment['kind'],
       target,
       metadata: {},
-      isSignUp,
-      wallet,
-    })
+    }
+
+    if (args.type === 'reauth') {
+      await this.commitments.set({ ...base, type: 'reauth', signer: args.signer })
+    } else if (args.type === 'add-signer') {
+      await this.commitments.set({ ...base, type: 'add-signer', wallet: args.wallet })
+    } else {
+      await this.commitments.set({ ...base, type: 'auth' })
+    }
 
     const searchParams = this.serializeQuery({
       client_id: this.audience,
@@ -70,7 +74,7 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
     code: string,
   ): Promise<[IdentitySigner, { [key: string]: string }]> {
     let challenge = new Identity.AuthCodeChallenge(this.issuer, this.audience, this.redirectUri, code)
-    if (commitment.signer) {
+    if (commitment.type === 'reauth') {
       challenge = challenge.withSigner({ address: commitment.signer, keyType: Identity.KeyType.Ethereum_Secp256k1 })
     }
     await this.nitroCommitVerifier(challenge)
@@ -104,7 +108,11 @@ export class AuthCodeHandler extends IdentityHandler implements Handler {
       message: 'request-redirect',
       handle: async () => {
         const navigation = this.getNavigation()
-        const url = await this.commitAuth(navigation.getPathname(), false, request.id, address)
+        const url = await this.commitAuth(navigation.getPathname(), {
+          type: 'reauth',
+          state: request.id,
+          signer: address,
+        })
         navigation.redirect(url)
         return true
       },

packages/wallet/wdk/src/sequence/wallets.ts

@@ -339,9 +339,15 @@ export interface WalletsInterface {
    * via a redirect-based OAuth flow. It validates the wallet, generates the necessary challenges and state,
    * stores them locally, and returns a URL. Your application should redirect the user to this URL.
    *
+   * After the redirect callback, call `completeRedirect` with the returned state and code. This will
+   * create a pending `AddLoginSigner` signature request internally. The caller can then discover
+   * the pending request through the signatures module and call `completeAddLoginSigner` with the requestId
+   * once it has been signed.
+   *
    * @param args Arguments specifying the wallet, provider (`kind`), and the `target` URL for the redirect callback.
    * @returns A promise that resolves to the full OAuth URL to which the user should be redirected.
    * @see {completeRedirect} for the second step of this flow.
+   * @see {completeAddLoginSigner} to finalize after signing.
    */
   startAddLoginSignerWithRedirect(args: StartAddLoginSignerWithRedirectArgs): Promise<string>
 
@@ -490,6 +496,20 @@ export function isIdTokenArgs(args: SignupArgs): args is IdTokenSignupArgs {
   return 'idToken' in args
 }
 
+function addLoginSignerToSignupArgs(args: AddLoginSignerArgs): SignupArgs {
+  switch (args.kind) {
+    case 'mnemonic':
+      return { kind: 'mnemonic', mnemonic: args.mnemonic }
+    case 'email-otp':
+      return { kind: 'email-otp', email: args.email }
+    default: {
+      // google-id-token, apple-id-token, custom-*
+      const _args = args as { kind: string; idToken: string }
+      return { kind: _args.kind as IdTokenSignupArgs['kind'], idToken: _args.idToken }
+    }
+  }
+}
+
 function buildCappedTree(members: { address: Address.Address; imageHash?: Hex.Hex }[]): Config.Topology {
   const loginMemberWeight = 1n
 
@@ -880,7 +900,7 @@ export class Wallets implements WalletsInterface {
     if (!(handler instanceof AuthCodeHandler)) {
       throw new Error('handler-does-not-support-redirect')
     }
-    return handler.commitAuth(args.target, true)
+    return handler.commitAuth(args.target, { type: 'auth' })
   }
 
   async startAddLoginSignerWithRedirect(args: StartAddLoginSignerWithRedirectArgs) {
@@ -900,7 +920,7 @@ export class Wallets implements WalletsInterface {
     if (!(handler instanceof AuthCodeHandler)) {
       throw new Error('handler-does-not-support-redirect')
     }
-    return handler.commitAuth(args.target, true, undefined, undefined, args.wallet)
+    return handler.commitAuth(args.target, { type: 'add-signer', wallet: args.wallet })
   }
 
   async completeRedirect(args: CompleteRedirectArgs): Promise<string> {
@@ -909,62 +929,62 @@ export class Wallets implements WalletsInterface {
       throw new Error('invalid-state')
     }
 
-    // If commitment has a wallet, this is an add-login-signer redirect
-    if (commitment.wallet) {
-      const handlerKind = getSignupHandlerKey(commitment.kind)
-      const handler = this.shared.handlers.get(handlerKind)
-      if (!handler) {
-        throw new Error('handler-not-registered')
-      }
-      if (!(handler instanceof AuthCodeHandler)) {
-        throw new Error('handler-does-not-support-redirect')
-      }
-
-      const walletAddress = commitment.wallet as Address.Address
-      const walletEntry = await this.get(walletAddress)
-      if (!walletEntry) {
-        throw new Error('wallet-not-found')
-      }
-      if (walletEntry.status !== 'ready') {
-        throw new Error('wallet-not-ready')
-      }
+    switch (commitment.type) {
+      case 'add-signer': {
+        const handlerKind = getSignupHandlerKey(commitment.kind)
+        const handler = this.shared.handlers.get(handlerKind)
+        if (!handler) {
+          throw new Error('handler-not-registered')
+        }
+        if (!(handler instanceof AuthCodeHandler)) {
+          throw new Error('handler-does-not-support-redirect')
+        }
 
-      const [signer] = await handler.completeAuth(commitment, args.code)
-      const signerKind = getSignerKindForSignup(commitment.kind)
+        const walletAddress = commitment.wallet as Address.Address
+        const walletEntry = await this.get(walletAddress)
+        if (!walletEntry) {
+          throw new Error('wallet-not-found')
+        }
+        if (walletEntry.status !== 'ready') {
+          throw new Error('wallet-not-ready')
+        }
 
-      await this.addLoginSignerFromPrepared(walletAddress, {
-        signer,
-        extra: { signerKind },
-      })
+        const [signer] = await handler.completeAuth(commitment, args.code)
+        const signerKind = getSignerKindForSignup(commitment.kind)
 
-      if (!commitment.target) {
-        throw new Error('invalid-state')
-      }
-      return commitment.target
-    }
-
-    // commitment.isSignUp and signUp also mean 'signIn' from wallet's perspective
-    if (commitment.isSignUp) {
-      await this.signUp({
-        kind: commitment.kind,
-        commitment,
-        code: args.code,
-        noGuard: args.noGuard,
-        target: commitment.target,
-        isRedirect: true,
-        use4337: args.use4337,
-      })
-    } else {
-      const handlerKind = getSignupHandlerKey(commitment.kind)
-      const handler = this.shared.handlers.get(handlerKind)
-      if (!handler) {
-        throw new Error('handler-not-registered')
+        await this.addLoginSignerFromPrepared(walletAddress, {
+          signer,
+          extra: { signerKind },
+        })
+        break
       }
-      if (!(handler instanceof AuthCodeHandler)) {
-        throw new Error('handler-does-not-support-redirect')
+
+      case 'auth': {
+        await this.signUp({
+          kind: commitment.kind,
+          commitment,
+          code: args.code,
+          noGuard: args.noGuard,
+          target: commitment.target,
+          isRedirect: true,
+          use4337: args.use4337,
+        })
+        break
       }
 
-      await handler.completeAuth(commitment, args.code)
+      case 'reauth': {
+        const handlerKind = getSignupHandlerKey(commitment.kind)
+        const handler = this.shared.handlers.get(handlerKind)
+        if (!handler) {
+          throw new Error('handler-not-registered')
+        }
+        if (!(handler instanceof AuthCodeHandler)) {
+          throw new Error('handler-does-not-support-redirect')
+        }
+
+        await handler.completeAuth(commitment, args.code)
+        break
+      }
     }
 
     if (!commitment.target) {
@@ -1409,7 +1429,8 @@ export class Wallets implements WalletsInterface {
       throw new Error('wallet-not-ready')
     }
 
-    const loginSigner = await this.prepareSignUp(args as unknown as SignupArgs)
+    const signupArgs = addLoginSignerToSignupArgs(args)
+    const loginSigner = await this.prepareSignUp(signupArgs)
     return this.addLoginSignerFromPrepared(args.wallet, loginSigner)
   }