fix(webauthn): to include scopes in the API

Author: Ansonhkg

packages/auth-services/src/auth-server/src/routes/pkp/mint.ts

@@ -3,14 +3,26 @@ import { addJob } from '../../../../queue-manager/src/bullmqSetup';
 import { resp } from '../../response-helpers/response-helpers';
 import { mintPkpDoc } from '../../../../queue-manager/src/handlers/pkpMint/pkpMint.doc';
 import { AuthServiceMintRequestRaw } from '../../schemas/AuthServiceMintRequestSchema';
+import { randomUUID } from 'node:crypto';
 
 export const mint = (app: ElysiaInstance) => {
   app.post(
     '/mint',
     async ({ body }: { body: AuthServiceMintRequestRaw }) => {
+      const reqId = randomUUID();
+      // console.log('[PKP Mint][INBOUND]', {
+      //   reqId,
+      //   authMethodType: body.authMethodType,
+      //   authMethodId: body.authMethodId,
+      //   pubkey_len: body.pubkey?.length ?? 0,
+      //   pubkey_is_0x: body.pubkey === '0x',
+      //   pubkey_preview: (body.pubkey ?? '').slice(0, 12),
+      //   scopes: body.scopes,
+      // });
+
       try {
         const job = await addJob('pkpMint', { requestBody: body });
-        return resp.QUEUED(job.id, 'PKP minting request queued successfully.');
+        return resp.QUEUED(job.id, `PKP mint queued. reqId=${reqId}`);
       } catch (error: any) {
         console.error(`[API] Failed to add job 'pkpMint' to queue:`, error);
         return resp.ERROR(

packages/auth-services/src/auth-server/src/schemas/AuthServiceMintRequestSchema.ts

@@ -28,7 +28,7 @@ export type AuthServiceMintRequestTransformed = z.infer<
 export const tAuthServiceMintRequestSchema = t.Object({
   authMethodType: t.String(),
   authMethodId: t.String(),
-  pubkey: t.Optional(t.String({ default: '0x' })),
+  pubkey: t.Optional(t.String()),
   scopes: t.Optional(
     t.Array(
       t.Union([

packages/auth-services/src/queue-manager/src/handlers/pkpMint/pkpMint.doc.ts

@@ -31,9 +31,8 @@ export const mintPkpDoc = {
       ),
       pubkey: t.Optional(
         t.String({
-          default: '0x',
           description:
-            "Public key associated with the authentication method. This is primarily used for WebAuthn, where it should be the public key obtained from the WebAuthn registration process. For other authentication types, if this field is omitted or an empty string is provided, it will default to '0x'. If explicitly providing for non-WebAuthn, use '0x'.",
+            'For WebAuthn (type 3), pubkey is required and must be the COSE key. For other types, omit it.',
         })
       ),
       scopes: t.Optional(

packages/auth-services/src/queue-manager/src/handlers/pkpMint/pkpMint.handler.ts

@@ -14,13 +14,42 @@ export async function handlePkpMintTask(jobData: {
     pubkey: Hex;
     scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
   };
+  reqId?: string;
 }): Promise<any> {
+  // console.log('[PKP Mint][HANDLER][REQ]', {
+  //   reqId: jobData.reqId,
+  //   authMethodType: jobData.requestBody.authMethodType,
+  //   authMethodId: jobData.requestBody.authMethodId,
+  //   pubkey_len: jobData.requestBody.pubkey?.length ?? 0,
+  //   pubkey_is_0x: jobData.requestBody.pubkey === '0x',
+  //   pubkey_preview: (jobData.requestBody.pubkey ?? '').slice(0, 12),
+  //   scopes: jobData.requestBody.scopes,
+  // });
+
+  if (
+    // AUTH_METHOD_TYPE.WebAuthn = 3
+    Number(jobData.requestBody.authMethodType) === 3 &&
+    (!jobData.requestBody.pubkey || jobData.requestBody.pubkey === '0x')
+  ) {
+    throw new Error(
+      `[PKP Mint][HANDLER] WebAuthn requires a non-empty COSE pubkey; got '${jobData.requestBody.pubkey}'. reqId=${jobData.reqId}`
+    );
+  }
+
   const userAuthData: Optional<AuthData, 'accessToken'> = {
     authMethodId: jobData.requestBody.authMethodId,
     authMethodType: Number(jobData.requestBody.authMethodType),
     publicKey: jobData.requestBody.pubkey,
   };
 
+  // console.log('[PKP Mint][HANDLER][MAPPING]', {
+  //   reqId: jobData.reqId,
+  //   authMethodType: userAuthData.authMethodType,
+  //   authMethodId: userAuthData.authMethodId,
+  //   publicKey_len: userAuthData.publicKey?.length ?? 0,
+  //   publicKey_preview: (userAuthData.publicKey ?? '').slice(0, 12),
+  // });
+
   const result = await globalThis.systemContext.litClient.mintWithAuth({
     account: globalThis.systemContext.account,
     authData: userAuthData,

packages/auth/src/lib/authenticators/native/WebAuthnAuthenticator.ts

@@ -149,6 +149,7 @@ export class WebAuthnAuthenticator {
   public static async registerAndMintPKP(params: {
     username?: string;
     authServiceBaseUrl: string;
+    scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
   }): Promise<{
     pkpInfo: PKPData;
 
@@ -183,6 +184,7 @@ export class WebAuthnAuthenticator {
       authMethodType: AUTH_METHOD_TYPE.WebAuthn,
       authMethodId: authMethodId,
       pubkey: authMethodPubkey,
+      scopes: params.scopes,
     };
 
     // Immediate mint a new PKP to associate with the auth method

packages/lit-client/src/lib/LitClient/createLitClient.ts

@@ -346,11 +346,15 @@ export const _createNagaLitClient = async (
       currentHandshakeResult.threshold
     );
 
+    // console.log('custom session key result:', result);
+    // console.log('custom request id:', requestId);
+
     // 4. 🟪 Handle response
     return await networkModule.api.signCustomSessionKey.handleResponse(
       result as any,
       params.requestBody.pkpPublicKey,
-      jitContext
+      jitContext,
+      requestId
     );
   }
 

packages/networks/src/networks/vNaga/shared/managers/LitChainClient/apis/highLevelApis/mintPKP/MintPKPSchema.ts

@@ -17,8 +17,10 @@ export const MintPKPSchema = z
 
     // Determine pubkey based on the (potentially derived) authMethodType
     if (data.authMethodType === AUTH_METHOD_TYPE.WebAuthn) {
-      if (!data.pubkey) {
-        throw new Error('pubkey is required for WebAuthn');
+      if (!data.pubkey || data.pubkey === '0x') {
+        throw new Error(
+          `pubkey is required for WebAuthn and cannot be 0x. Received pubkey: "${data.pubkey}" and authMethodType: ${data.authMethodType}`
+        );
       }
       derivedPubkey = data.pubkey as Hex;
     } else {