Authorize implicit session (#738)

* Authorize implicit session

* Move code

* Delete signature request after use

* Implicit tests

* Fmt

* Raw leaf does not require signature

* Avoid using as

* Separate prepare and complete for implicit session authorization

Author: ScreamingHawk

packages/wallet/primitives/src/attestation.ts

@@ -36,12 +36,40 @@ export function encodeAuthData(authData: AuthData): Bytes.Bytes {
   )
 }
 
+export function decode(bytes: Bytes.Bytes): Attestation {
+  const approvedSigner = Bytes.toHex(bytes.slice(0, 20))
+  const identityType = bytes.slice(20, 24)
+  const issuerHash = bytes.slice(24, 56)
+  const audienceHash = bytes.slice(56, 88)
+  const applicationDataLength = Bytes.toNumber(bytes.slice(88, 91))
+  const applicationData = bytes.slice(91, 91 + applicationDataLength)
+  const authData = decodeAuthData(bytes.slice(91 + applicationDataLength))
+
+  return {
+    approvedSigner,
+    identityType,
+    issuerHash,
+    audienceHash,
+    applicationData,
+    authData,
+  }
+}
+
+export function decodeAuthData(bytes: Bytes.Bytes): AuthData {
+  const redirectUrlLength = Bytes.toNumber(bytes.slice(0, 3))
+  const redirectUrl = Bytes.toString(bytes.slice(3, 3 + redirectUrlLength))
+
+  return {
+    redirectUrl,
+  }
+}
+
 export function hash(attestation: Attestation): Bytes.Bytes {
   return Hash.keccak256(encode(attestation))
 }
 
-export function toJson(attestation: Attestation): string {
-  return JSON.stringify(encodeForJson(attestation))
+export function toJson(attestation: Attestation, indent?: number): string {
+  return JSON.stringify(encodeForJson(attestation), null, indent)
 }
 
 export function encodeForJson(attestation: Attestation): any {

packages/wallet/primitives/src/payload.ts

@@ -1,7 +1,8 @@
-import { AbiFunction, AbiParameters, Address, Bytes, Hash, Hex, TypedData } from 'ox'
+import { AbiFunction, AbiParameters, Address, Bytes, Hash, Hex } from 'ox'
+import { getSignPayload } from 'ox/TypedData'
 import { RECOVER_SAPIENT_SIGNATURE } from './constants.js'
+import { Attestation } from './index.js'
 import { minBytesFor } from './utils.js'
-import { getSignPayload } from 'ox/TypedData'
 
 export type Call = {
   to: Address.Address
@@ -35,11 +36,17 @@ export type Digest = {
   digest: Hex.Hex
 }
 
+export type SessionImplicitAuthorize = {
+  type: 'session-implicit-authorize'
+  sessionAddress: Address.Address
+  attestation: Attestation.Attestation
+}
+
 export type Parent = {
   parentWallets?: Address.Address[]
 }
 
-export type Payload = Calls | Message | ConfigUpdate | Digest
+export type Payload = Calls | Message | ConfigUpdate | Digest | SessionImplicitAuthorize
 
 export type Parented = Payload & Parent
 
@@ -97,6 +104,14 @@ export function isConfigUpdate(payload: Payload): payload is ConfigUpdate {
   return payload.type === 'config-update'
 }
 
+export function isDigest(payload: Payload): payload is Digest {
+  return payload.type === 'digest'
+}
+
+export function isSessionImplicitAuthorize(payload: Payload): payload is SessionImplicitAuthorize {
+  return payload.type === 'session-implicit-authorize'
+}
+
 export function encode(payload: Calls, self?: Address.Address): Bytes.Bytes {
   const callsLen = payload.calls.length
   const nonceBytesNeeded = minBytesFor(payload.nonce)
@@ -295,6 +310,12 @@ export function encodeSapient(
 }
 
 export function hash(wallet: Address.Address, chainId: bigint, payload: Parented): Bytes.Bytes {
+  if (isDigest(payload)) {
+    return Bytes.fromHex(payload.digest)
+  }
+  if (isSessionImplicitAuthorize(payload)) {
+    return Attestation.hash(payload.attestation)
+  }
   const typedData = toTyped(wallet, chainId, payload)
   return Bytes.fromHex(getSignPayload(typedData))
 }
@@ -395,7 +416,11 @@ export function toTyped(wallet: Address.Address, chainId: bigint, payload: Paren
     }
 
     case 'digest': {
-      throw new Error('Digest is not supported - Use message instead')
+      throw new Error('Digest does not support typed data - Use message instead')
+    }
+
+    case 'session-implicit-authorize': {
+      throw new Error('Payload does not support typed data')
     }
   }
 }

packages/wallet/primitives/src/signature.ts

@@ -172,7 +172,7 @@ export function isRawTopology(cand: any): cand is RawTopology {
 }
 
 export function isRawLeaf(cand: any): cand is RawLeaf {
-  return typeof cand === 'object' && 'weight' in cand && 'signature' in cand && !('tree' in cand)
+  return typeof cand === 'object' && 'weight' in cand && !('tree' in cand)
 }
 
 export function isRawNestedLeaf(cand: any): cand is RawNestedLeaf {
@@ -1389,5 +1389,8 @@ function encode(
         digest: payload.digest,
         parentWallets: payload.parentWallets ?? [],
       }
+
+    default:
+      throw new Error('Invalid payload type')
   }
 }

packages/wallet/wdk/src/identity/signer.ts

@@ -14,7 +14,7 @@ export class IdentitySigner implements Signers.Signer {
     if (!Address.validate(this.authKey.identitySigner)) {
       throw new Error('No signer address found')
     }
-    return this.authKey.identitySigner as `0x${string}`
+    return this.authKey.identitySigner
   }
 
   async sign(

packages/wallet/wdk/src/sequence/handlers/authcode-pkce.ts

@@ -12,14 +12,14 @@ export class AuthCodePkceHandler extends IdentityHandler implements Handler {
 
   constructor(
     public readonly signupKind: 'google-pkce' | 'apple-pkce',
-    private readonly issuer: string,
-    private readonly audience: string,
+    public readonly issuer: string,
+    public readonly audience: string,
     nitro: Identity.IdentityInstrument,
     signatures: Signatures,
     private readonly commitments: Db.AuthCommitments,
     authKeys: Db.AuthKeys,
   ) {
-    super(nitro, authKeys, signatures)
+    super(nitro, authKeys, signatures, Identity.IdentityType.OIDC)
   }
 
   public get kind() {

packages/wallet/wdk/src/sequence/handlers/identity.ts

@@ -4,11 +4,27 @@ import * as Identity from '../../identity/index.js'
 import { Signatures } from '../signatures.js'
 import { BaseSignatureRequest } from '../types/signature-request.js'
 
+export const identityTypeToHex = (identityType?: Identity.IdentityType): Hex.Hex => {
+  // Bytes4
+  switch (identityType) {
+    case Identity.IdentityType.Guest:
+      return '0x00000000'
+    case Identity.IdentityType.Email:
+      return '0x00000001'
+    case Identity.IdentityType.OIDC:
+      return '0x00000002'
+    default:
+      // Unknown identity type
+      return '0xffffffff'
+  }
+}
+
 export class IdentityHandler {
   constructor(
     private readonly nitro: Identity.IdentityInstrument,
     private readonly authKeys: Db.AuthKeys,
     private readonly signatures: Signatures,
+    public readonly identityType: Identity.IdentityType,
   ) {}
 
   public onStatusChange(cb: () => void): () => void {

packages/wallet/wdk/src/sequence/handlers/otp.ts

@@ -16,7 +16,7 @@ export class OtpHandler extends IdentityHandler implements Handler {
   private onPromptOtp: undefined | ((recipient: string, respond: RespondFn) => Promise<void>)
 
   constructor(nitro: Identity.IdentityInstrument, signatures: Signatures, authKeys: Db.AuthKeys) {
-    super(nitro, authKeys, signatures)
+    super(nitro, authKeys, signatures, Identity.IdentityType.Email)
   }
 
   public registerUI(onPromptOtp: (recipient: string, respond: RespondFn) => Promise<void>) {
@@ -36,7 +36,7 @@ export class OtpHandler extends IdentityHandler implements Handler {
       throw new Error('otp-handler-ui-not-registered')
     }
 
-    const challenge = Identity.OtpChallenge.fromRecipient(Identity.IdentityType.Email, email)
+    const challenge = Identity.OtpChallenge.fromRecipient(this.identityType, email)
     const { loginHint, challenge: codeChallenge } = await this.nitroCommitVerifier(challenge)
 
     return new Promise(async (resolve, reject) => {
@@ -87,7 +87,7 @@ export class OtpHandler extends IdentityHandler implements Handler {
       message: 'request-otp',
       handle: () =>
         new Promise(async (resolve, reject) => {
-          const challenge = Identity.OtpChallenge.fromSigner(Identity.IdentityType.Email, address)
+          const challenge = Identity.OtpChallenge.fromSigner(this.identityType, address)
           const { loginHint, challenge: codeChallenge } = await this.nitroCommitVerifier(challenge)
 
           const respond = async (otp: string) => {

packages/wallet/wdk/src/sequence/manager.ts

@@ -1,28 +1,38 @@
 import { Signers as CoreSigners, Relayer, State } from '@0xsequence/wallet-core'
-import { Config, Constants, Context, Extensions, Network, Payload, SessionConfig } from '@0xsequence/wallet-primitives'
+import {
+  Attestation,
+  Config,
+  Constants,
+  Context,
+  Extensions,
+  Network,
+  Payload,
+  SessionConfig,
+  Signature as SequenceSignature,
+} from '@0xsequence/wallet-primitives'
 import { Address } from 'ox'
 import * as Db from '../dbs/index.js'
 import * as Identity from '../identity/index.js'
 import { Devices } from './devices.js'
 import {
-  Handler,
-  DevicesHandler,
-  PasskeysHandler,
   AuthCodePkceHandler,
+  DevicesHandler,
+  Handler,
   MnemonicHandler,
   OtpHandler,
+  PasskeysHandler,
 } from './handlers/index.js'
+import { Janitor } from './janitor.js'
 import { Logger } from './logger.js'
-import { Sessions } from './sessions.js'
+import { AuthorizeImplicitSessionArgs, Sessions } from './sessions.js'
 import { Signatures } from './signatures.js'
 import { Signers } from './signers.js'
 import { Transactions } from './transactions.js'
 import { BaseSignatureRequest, SignatureRequest, Wallet } from './types/index.js'
-import { Transaction, TransactionRequest } from './types/transaction-request.js'
-import { CompleteRedirectArgs, LoginArgs, SignupArgs, StartSignUpWithRedirectArgs, Wallets } from './wallets.js'
 import { Kinds } from './types/signer.js'
+import { Transaction, TransactionRequest } from './types/transaction-request.js'
 import { WalletSelectionUiHandler } from './types/wallet.js'
-import { Janitor } from './janitor.js'
+import { CompleteRedirectArgs, LoginArgs, SignupArgs, StartSignUpWithRedirectArgs, Wallets } from './wallets.js'
 
 export type ManagerOptions = {
   verbose?: boolean
@@ -329,6 +339,10 @@ export class Manager {
     return this.shared.modules.wallets.unregisterWalletSelector(handler)
   }
 
+  public async getConfiguration(wallet: Address.Address) {
+    return this.shared.modules.wallets.getConfiguration({ wallet })
+  }
+
   // Signatures
 
   public async listSignatureRequests(): Promise<SignatureRequest[]> {
@@ -416,8 +430,19 @@ export class Manager {
     return this.shared.modules.sessions.getSessionTopology(walletAddress)
   }
 
-  public async addImplicitSession(walletAddress: Address.Address, sessionAddress: Address.Address) {
-    return this.shared.modules.sessions.addImplicitSession(walletAddress, sessionAddress)
+  public async prepareAuthorizeImplicitSession(
+    walletAddress: Address.Address,
+    sessionAddress: Address.Address,
+    args: AuthorizeImplicitSessionArgs,
+  ): Promise<string> {
+    return this.shared.modules.sessions.prepareAuthorizeImplicitSession(walletAddress, sessionAddress, args)
+  }
+
+  public async completeAuthorizeImplicitSession(requestId: string): Promise<{
+    attestation: Attestation.Attestation
+    signature: SequenceSignature.RSY
+  }> {
+    return this.shared.modules.sessions.completeAuthorizeImplicitSession(requestId)
   }
 
   public async addExplicitSession(
@@ -448,8 +473,4 @@ export class Manager {
     console.log('Completing session update:', requestId)
     return this.shared.modules.sessions.completeSessionUpdate(sigRequest.wallet, requestId)
   }
-
-  public async getConfiguration(wallet: Address.Address) {
-    return this.shared.modules.wallets.getConfiguration({ wallet })
-  }
 }