Separate prepare and complete for implicit session authorization

ScreamingHawk · ScreamingHawk · commit b5b56fcd7807 · 2025-04-30T09:22:49.000+12:00
diff --git a/packages/wallet/primitives/src/payload.ts b/packages/wallet/primitives/src/payload.ts
@@ -1,7 +1,8 @@
-import { AbiFunction, AbiParameters, Address, Bytes, Hash, Hex, TypedData } from 'ox'
+import { AbiFunction, AbiParameters, Address, Bytes, Hash, Hex } from 'ox'
+import { getSignPayload } from 'ox/TypedData'
 import { RECOVER_SAPIENT_SIGNATURE } from './constants.js'
+import { Attestation } from './index.js'
 import { minBytesFor } from './utils.js'
-import { getSignPayload } from 'ox/TypedData'
 
 export type Call = {
   to: Address.Address
@@ -35,11 +36,17 @@ export type Digest = {
   digest: Hex.Hex
 }
 
+export type SessionImplicitAuthorize = {
+  type: 'session-implicit-authorize'
+  sessionAddress: Address.Address
+  attestation: Attestation.Attestation
+}
+
 export type Parent = {
   parentWallets?: Address.Address[]
 }
 
-export type Payload = Calls | Message | ConfigUpdate | Digest
+export type Payload = Calls | Message | ConfigUpdate | Digest | SessionImplicitAuthorize
 
 export type Parented = Payload & Parent
 
@@ -101,6 +108,10 @@ export function isDigest(payload: Payload): payload is Digest {
   return payload.type === 'digest'
 }
 
+export function isSessionImplicitAuthorize(payload: Payload): payload is SessionImplicitAuthorize {
+  return payload.type === 'session-implicit-authorize'
+}
+
 export function encode(payload: Calls, self?: Address.Address): Bytes.Bytes {
   const callsLen = payload.calls.length
   const nonceBytesNeeded = minBytesFor(payload.nonce)
@@ -302,6 +313,9 @@ export function hash(wallet: Address.Address, chainId: bigint, payload: Parented
   if (isDigest(payload)) {
     return Bytes.fromHex(payload.digest)
   }
+  if (isSessionImplicitAuthorize(payload)) {
+    return Attestation.hash(payload.attestation)
+  }
   const typedData = toTyped(wallet, chainId, payload)
   return Bytes.fromHex(getSignPayload(typedData))
 }
@@ -402,7 +416,11 @@ export function toTyped(wallet: Address.Address, chainId: bigint, payload: Paren
     }
 
     case 'digest': {
-      throw new Error('Digest is not supported - Use message instead')
+      throw new Error('Digest does not support typed data - Use message instead')
+    }
+
+    case 'session-implicit-authorize': {
+      throw new Error('Payload does not support typed data')
     }
   }
 }
diff --git a/packages/wallet/primitives/src/signature.ts b/packages/wallet/primitives/src/signature.ts
@@ -1389,5 +1389,8 @@ function encode(
         digest: payload.digest,
         parentWallets: payload.parentWallets ?? [],
       }
+
+    default:
+      throw new Error('Invalid payload type')
   }
 }
diff --git a/packages/wallet/wdk/src/sequence/manager.ts b/packages/wallet/wdk/src/sequence/manager.ts
@@ -430,15 +430,19 @@ export class Manager {
     return this.shared.modules.sessions.getSessionTopology(walletAddress)
   }
 
-  public async authorizeImplicitSession(
+  public async prepareAuthorizeImplicitSession(
     walletAddress: Address.Address,
     sessionAddress: Address.Address,
     args: AuthorizeImplicitSessionArgs,
-  ): Promise<{
+  ): Promise<string> {
+    return this.shared.modules.sessions.prepareAuthorizeImplicitSession(walletAddress, sessionAddress, args)
+  }
+
+  public async completeAuthorizeImplicitSession(requestId: string): Promise<{
     attestation: Attestation.Attestation
     signature: SequenceSignature.RSY
   }> {
-    return this.shared.modules.sessions.authorizeImplicitSession(walletAddress, sessionAddress, args)
+    return this.shared.modules.sessions.completeAuthorizeImplicitSession(requestId)
   }
 
   public async addExplicitSession(
diff --git a/packages/wallet/wdk/src/sequence/sessions.ts b/packages/wallet/wdk/src/sequence/sessions.ts
@@ -1,12 +1,17 @@
 import { Signers as CoreSigners, Envelope, Wallet } from '@0xsequence/wallet-core'
-import { Attestation, Payload, SessionConfig, Signature as SequenceSignature } from '@0xsequence/wallet-primitives'
+import {
+  Attestation,
+  Payload,
+  SessionConfig,
+  Signature as SequenceSignature,
+  Config,
+} from '@0xsequence/wallet-primitives'
 import { Address, Bytes, Hex, Provider, RpcTransport } from 'ox'
 import { SessionController } from '../session/index.js'
 import { IdentityHandler, identityTypeToHex } from './handlers/identity.js'
 import { Shared } from './manager.js'
 import { AuthCodePkceHandler } from './handlers/authcode-pkce.js'
 import { IdentityType } from '../identity/index.js'
-import { isSignature } from '../../../core/dist/envelope.js'
 
 export type AuthorizeImplicitSessionArgs = {
   target: string
@@ -58,14 +63,11 @@ export class Sessions {
     return controller.getTopology()
   }
 
-  async authorizeImplicitSession(
+  async prepareAuthorizeImplicitSession(
     walletAddress: Address.Address,
     sessionAddress: Address.Address,
     args: AuthorizeImplicitSessionArgs,
-  ): Promise<{
-    attestation: Attestation.Attestation
-    signature: SequenceSignature.RSY
-  }> {
+  ): Promise<string> {
     const topology = await this.getSessionTopology(walletAddress)
     const identitySignerAddress = SessionConfig.getIdentitySigner(topology)
     if (!identitySignerAddress) {
@@ -80,7 +82,7 @@ export class Sessions {
       throw new Error('No identity handler found')
     }
 
-    // Create the digest to sign
+    // Create the attestation to sign
     let identityType: IdentityType | undefined
     let issuerHash: Hex.Hex = '0x'
     let audienceHash: Hex.Hex = '0x'
@@ -103,52 +105,62 @@ export class Sessions {
         redirectUrl: args.target,
       },
     }
-    const attestationHash = Attestation.hash(attestation)
-    const walletStatus = await this.getCoreWallet(walletAddress).getStatus()
-    const envelope: Envelope.Envelope<Payload.Digest> = {
+    // Fake the configuration with the single required signer
+    const configuration: Config.Config = {
+      threshold: 1n,
+      checkpoint: 0n,
+      topology: {
+        type: 'signer',
+        address: identitySignerAddress,
+        weight: 1n,
+      },
+    }
+    const envelope: Envelope.Envelope<Payload.SessionImplicitAuthorize> = {
       payload: {
-        type: 'digest',
-        digest: Hex.fromBytes(attestationHash),
+        type: 'session-implicit-authorize',
+        sessionAddress,
+        attestation,
       },
       wallet: walletAddress,
       chainId: 0n,
-      configuration: walletStatus.configuration,
+      configuration,
     }
 
     // Request the signature from the identity handler
-    const requestId = await this.shared.modules.signatures.request(envelope, 'sign-digest', {
+    return this.shared.modules.signatures.request(envelope, 'session-implicit-authorize', {
       origin: args.target,
     })
-    let signatureRequest = await this.shared.modules.signatures.get(requestId)
-    const identitySigner = signatureRequest.signers.find((s) => s.address === identitySignerAddress)
-    if (!identitySigner || (identitySigner.status !== 'actionable' && identitySigner.status !== 'ready')) {
-      throw new Error(`Identity signer not found or not ready: ${identitySigner?.status}`)
-    }
-    const handled = await identitySigner.handle()
-    if (!handled) {
-      throw new Error('Failed to handle identity handler')
+  }
+
+  async completeAuthorizeImplicitSession(requestId: string): Promise<{
+    attestation: Attestation.Attestation
+    signature: SequenceSignature.RSY
+  }> {
+    // Get the updated signature request
+    const signatureRequest = await this.shared.modules.signatures.get(requestId)
+    if (
+      signatureRequest.action !== 'session-implicit-authorize' ||
+      !Payload.isSessionImplicitAuthorize(signatureRequest.envelope.payload)
+    ) {
+      throw new Error('Invalid action')
     }
-    // Get the updated signature request. Then delete it, we don't need it anymore
-    signatureRequest = await this.shared.modules.signatures.get(requestId)
-    await this.shared.modules.signatures.cancel(requestId)
-    // Find the handler signature
-    const signatures = signatureRequest.envelope.signatures.filter(
-      (sig) => isSignature(sig) && sig.address === identitySignerAddress,
-    )
-    if (signatures.length === 0) {
-      throw new Error('No signatures found')
+
+    if (!Envelope.isSigned(signatureRequest.envelope) || !Envelope.reachedThreshold(signatureRequest.envelope)) {
+      throw new Error('Envelope not signed or threshold not reached')
     }
-    const signature = signatures[0]
-    if (!signature) {
-      throw new Error('No signature found')
+
+    // Find any valid signature
+    const signature = signatureRequest.envelope.signatures[0]
+    if (!signature || !Envelope.isSignature(signature)) {
+      throw new Error('No valid signature found')
     }
     if (signature.signature.type !== 'hash') {
       // Should never happen
       throw new Error('Unsupported signature type')
     }
 
     return {
-      attestation,
+      attestation: signatureRequest.envelope.payload.attestation,
       signature: signature.signature,
     }
   }
diff --git a/packages/wallet/wdk/src/sequence/types/signature-request.ts b/packages/wallet/wdk/src/sequence/types/signature-request.ts
@@ -8,15 +8,15 @@ export type ActionToPayload = {
   [Actions.Login]: Payload.ConfigUpdate
   [Actions.SendTransaction]: Payload.Calls
   [Actions.SessionUpdate]: Payload.ConfigUpdate
-  [Actions.SignDigest]: Payload.Digest
+  [Actions.SessionImplicitAuthorize]: Payload.SessionImplicitAuthorize
 }
 
 export const Actions = {
   Logout: 'logout',
   Login: 'login',
   SendTransaction: 'send-transaction',
   SessionUpdate: 'session-update',
-  SignDigest: 'sign-digest',
+  SessionImplicitAuthorize: 'session-implicit-authorize',
 } as const
 
 export type Action = (typeof Actions)[keyof typeof Actions]
diff --git a/packages/wallet/wdk/test/sessions.test.ts b/packages/wallet/wdk/test/sessions.test.ts
@@ -250,13 +250,24 @@ describe('Sessions (via Manager)', () => {
       }
 
       // Request the session authorization from the WDK
-      const { attestation, signature: identitySignature } = await wdk.manager.authorizeImplicitSession(
-        dapp.wallet.address,
-        e.address,
-        {
-          target: 'https://example.com',
-        },
-      )
+      const requestId = await wdk.manager.prepareAuthorizeImplicitSession(dapp.wallet.address, e.address, {
+        target: 'https://example.com',
+      })
+
+      // Sign the request (Wallet UI action)
+      const sigRequest = await wdk.manager.getSignatureRequest(requestId)
+      const identitySigner = sigRequest.signers[0]
+      if (!identitySigner || identitySigner.status !== 'ready') {
+        throw new Error(`Identity signer not found or not ready: ${identitySigner?.status}`)
+      }
+      const handled = await identitySigner.handle()
+      if (!handled) {
+        throw new Error('Failed to handle identity signer')
+      }
+
+      // Complete the request
+      const { attestation, signature: identitySignature } =
+        await wdk.manager.completeAuthorizeImplicitSession(requestId)
 
       // Load the implicit signer
       const implicitSigner = new CoreSigners.Session.Implicit(

Original file line number	Diff line number	Diff line change
`@@ -1389,5 +1389,8 @@ function encode(`
`1389`	`1389`	`digest: payload.digest,`
`1390`	`1390`	`parentWallets: payload.parentWallets ?? [],`
`1391`	`1391`	`}`
	`1392`	`+`
	`1393`	`+ default:`
	`1394`	`+ throw new Error('Invalid payload type')`
`1392`	`1395`	`}`
`1393`	`1396`	`}`