fix: web crypto strategy uses same hmac subject calc

use same calculateHMACSubject function for getting
the subject to sign as regular hmac flows
split up IndexedDB class to separate file & tests
other small changes from review

Ticket: CE-10122

Author: bitgoAaron

modules/sdk-api/src/bitgoAPI.ts

@@ -377,6 +377,84 @@ export class BitGoAPI implements BitGoBase {
     return this._authVersion;
   }
 
+  /**
+   * Signs and sends a v2-authenticated request, then verifies the response HMAC.
+   * Extracted from the req.then override in requestPatch to keep that method readable.
+   */
+  private async _sendRequestWithHmac({
+    req,
+    method,
+    url,
+    data,
+    strategyAuthenticated,
+    onfulfilled,
+    originalThen,
+  }: {
+    req: superagent.SuperAgentRequest;
+    method: RequestMethods;
+    url: string;
+    data: string | undefined;
+    strategyAuthenticated: boolean;
+    onfulfilled: ((response: superagent.Response) => any) | null | undefined;
+    originalThen: (onfulfilled: any, onrejected?: any) => Promise<any>;
+  }): Promise<any> {
+    if (this._token || strategyAuthenticated) {
+      setRequestQueryString(req);
+
+      const requestProperties = await this._hmacAuthStrategy.calculateRequestHeaders({
+        url: req.url,
+        token: this._token ?? '',
+        method,
+        text: data || '',
+        authVersion: this._authVersion,
+      });
+      req.set('Auth-Timestamp', requestProperties.timestamp.toString());
+
+      req.set('Authorization', 'Bearer ' + requestProperties.tokenHash);
+      debug(
+        'sending v2 %s request to %s with token %s',
+        method,
+        url,
+        this._token?.substr(0, 8) ?? '(strategy-managed)'
+      );
+
+      req.set('HMAC', requestProperties.hmac);
+    }
+
+    if (this.getAdditionalHeadersCb) {
+      const additionalHeaders = this.getAdditionalHeadersCb(method, url, data);
+      for (const { key, value } of additionalHeaders) {
+        req.set(key, value);
+      }
+    }
+
+    /**
+     * Verify the response before calling the original onfulfilled handler,
+     * and make sure onrejected is called if a verification error is encountered
+     */
+    const newOnFulfilled = onfulfilled
+      ? async (response: superagent.Response) => {
+          // HMAC verification is only allowed to be skipped in certain environments.
+          // This is checked in the constructor, but checking it again at request time
+          // will help prevent against tampering of this property after the object is created
+          if (!this._hmacVerification && !common.Environments[this.getEnv()].hmacVerificationEnforced) {
+            return onfulfilled(response);
+          }
+
+          const verifiedResponse = await verifyResponseAsync(
+            this,
+            this._token,
+            method,
+            req,
+            response,
+            this._authVersion
+          );
+          return onfulfilled(verifiedResponse);
+        }
+      : null;
+    return originalThen(newOnFulfilled);
+  }
+
   /**
    * This is a patching function which can apply our authorization
    * headers to any outbound request.
@@ -446,65 +524,15 @@ export class BitGoAPI implements BitGoBase {
 
       const data = serializeRequestData(req);
 
-      const sendWithHmac = (async () => {
-        if (this._token || strategyAuthenticated) {
-          setRequestQueryString(req);
-
-          const requestProperties = await this._hmacAuthStrategy.calculateRequestHeaders({
-            url: req.url,
-            token: this._token ?? '',
-            method,
-            text: data || '',
-            authVersion: this._authVersion,
-          });
-          req.set('Auth-Timestamp', requestProperties.timestamp.toString());
-
-          req.set('Authorization', 'Bearer ' + requestProperties.tokenHash);
-          debug(
-            'sending v2 %s request to %s with token %s',
-            method,
-            url,
-            this._token?.substr(0, 8) ?? '(strategy-managed)'
-          );
-
-          req.set('HMAC', requestProperties.hmac);
-        }
-
-        if (this.getAdditionalHeadersCb) {
-          const additionalHeaders = this.getAdditionalHeadersCb(method, url, data);
-          for (const { key, value } of additionalHeaders) {
-            req.set(key, value);
-          }
-        }
-
-        /**
-         * Verify the response before calling the original onfulfilled handler,
-         * and make sure onrejected is called if a verification error is encountered
-         */
-        const newOnFulfilled = onfulfilled
-          ? async (response: superagent.Response) => {
-              // HMAC verification is only allowed to be skipped in certain environments.
-              // This is checked in the constructor, but checking it again at request time
-              // will help prevent against tampering of this property after the object is created
-              if (!this._hmacVerification && !common.Environments[this.getEnv()].hmacVerificationEnforced) {
-                return onfulfilled(response);
-              }
-
-              const verifiedResponse = await verifyResponseAsync(
-                this,
-                this._token,
-                method,
-                req,
-                response,
-                this._authVersion
-              );
-              return onfulfilled(verifiedResponse);
-            }
-          : null;
-        return originalThen(newOnFulfilled);
-      })();
-
-      return sendWithHmac.catch(onrejected);
+      return this._sendRequestWithHmac({
+        req,
+        method,
+        url,
+        data,
+        strategyAuthenticated,
+        onfulfilled,
+        originalThen,
+      }).catch(onrejected);
     };
     return toBitgoRequest(req);
   }

modules/sdk-hmac/src/browser.ts

@@ -1,2 +1,3 @@
 export * from './index';
+export * from './indexedDbTokenStore';
 export * from './webCryptoStrategy';

modules/sdk-hmac/src/indexedDbTokenStore.ts

@@ -0,0 +1,90 @@
+import type { CryptoSigning, ITokenStore } from './types';
+
+const CRYPTO_DB_NAME = 'bitgo-auth';
+const CRYPTO_STORE_NAME = 'crypto-signing';
+const CRYPTO_RECORD_KEY = 'current';
+
+function hasIndexedDB(): boolean {
+  return typeof indexedDB !== 'undefined';
+}
+
+function openCryptoDb(): Promise<IDBDatabase> {
+  return new Promise((resolve, reject) => {
+    const request = indexedDB.open(CRYPTO_DB_NAME, 1);
+    request.onupgradeneeded = () => {
+      const db = request.result;
+      if (!db.objectStoreNames.contains(CRYPTO_STORE_NAME)) {
+        db.createObjectStore(CRYPTO_STORE_NAME);
+      }
+    };
+    request.onsuccess = () => resolve(request.result);
+    request.onerror = () => reject(request.error);
+  });
+}
+
+async function withDb<T>(fn: (db: IDBDatabase) => Promise<T>): Promise<T> {
+  const db = await openCryptoDb();
+  try {
+    return await fn(db);
+  } finally {
+    db.close();
+  }
+}
+
+async function persistCryptoSigning(signing: CryptoSigning): Promise<void> {
+  if (!hasIndexedDB()) return;
+  await withDb(
+    (db) =>
+      new Promise<void>((resolve, reject) => {
+        const tx = db.transaction(CRYPTO_STORE_NAME, 'readwrite');
+        tx.objectStore(CRYPTO_STORE_NAME).put(signing, CRYPTO_RECORD_KEY);
+        tx.oncomplete = () => resolve();
+        tx.onerror = () => reject(tx.error);
+      })
+  );
+}
+
+async function loadCryptoSigning(): Promise<CryptoSigning | null> {
+  if (!hasIndexedDB()) return null;
+  return withDb(
+    (db) =>
+      new Promise<CryptoSigning | null>((resolve, reject) => {
+        const tx = db.transaction(CRYPTO_STORE_NAME, 'readonly');
+        const request = tx.objectStore(CRYPTO_STORE_NAME).get(CRYPTO_RECORD_KEY);
+        request.onsuccess = () => resolve(request.result ?? null);
+        request.onerror = () => reject(request.error);
+      })
+  );
+}
+
+async function removeCryptoSigning(): Promise<void> {
+  if (!hasIndexedDB()) return;
+  await withDb(
+    (db) =>
+      new Promise<void>((resolve, reject) => {
+        const tx = db.transaction(CRYPTO_STORE_NAME, 'readwrite');
+        tx.objectStore(CRYPTO_STORE_NAME).delete(CRYPTO_RECORD_KEY);
+        tx.oncomplete = () => resolve();
+        tx.onerror = () => reject(tx.error);
+      })
+  );
+}
+
+/**
+ * Persists {@link CryptoSigning} material in the browser's IndexedDB.
+ * The raw bearer token is never stored — only the non-extractable CryptoKey
+ * and the SHA-256 token hash are persisted via the structured clone algorithm.
+ */
+export class IndexedDbTokenStore implements ITokenStore {
+  async save(signing: CryptoSigning): Promise<void> {
+    await persistCryptoSigning(signing);
+  }
+
+  async load(): Promise<CryptoSigning | null> {
+    return loadCryptoSigning();
+  }
+
+  async remove(): Promise<void> {
+    await removeCryptoSigning();
+  }
+}

modules/sdk-hmac/src/types.ts

@@ -28,6 +28,11 @@ export interface CalculateRequestHeadersOptions<T extends string | Buffer = stri
   authVersion: AuthVersion;
 }
 
+export type CalculateRequestHeadersWebCryptoOptions<T extends string | Buffer = string> = Omit<
+  CalculateRequestHeadersOptions<T>,
+  'token'
+>;
+
 export interface RequestHeaders {
   hmac: string;
   timestamp: number;