feat(auth): derive recap metadata for pre-generated PKP contexts

Author: Ansonhkg

packages/auth-helpers/src/index.ts

@@ -3,6 +3,7 @@ export * from './lib/generate-auth-sig';
 export * from './lib/models';
 export * from './lib/recap/recap-session-capability-object';
 export * from './lib/recap/resource-builder';
+export * from './lib/recap/utils';
 export * from './lib/resources';
 export * from './lib/session-capability-object';
 export * from './lib/siwe/create-siwe-message';

packages/auth-helpers/src/lib/recap/utils.ts

@@ -54,3 +54,52 @@ export function getRecapNamespaceAndAbility(litAbility: LIT_ABILITY_VALUES): {
       );
   }
 }
+
+export const RESOLVED_AUTH_CONTEXT_PREFIX = 'lit-resolvedauthcontext://';
+const PAYMENT_DELEGATION_PREFIX = 'lit-paymentdelegation://';
+const PKP_PREFIX = 'lit-pkp://';
+const ACC_PREFIX = 'lit-accesscontrolcondition://';
+
+/**
+ * Reverse mapping from Recap namespace/ability to LitAbility.
+ * Returns null when the recap entry only carries metadata (eg. resolved auth context).
+ */
+export function getLitAbilityFromRecap(params: {
+  recapNamespace: string;
+  recapAbility: string;
+  resourceKey: string;
+}): LIT_ABILITY_VALUES | null {
+  const { recapNamespace, recapAbility, resourceKey } = params;
+
+  if (recapNamespace === LIT_NAMESPACE.Threshold) {
+    if (recapAbility === LIT_RECAP_ABILITY.Decryption) {
+      return LIT_ABILITY.AccessControlConditionDecryption;
+    }
+
+    if (recapAbility === LIT_RECAP_ABILITY.Execution) {
+      return LIT_ABILITY.LitActionExecution;
+    }
+
+    if (recapAbility === LIT_RECAP_ABILITY.Signing) {
+      if (resourceKey.startsWith(PKP_PREFIX)) {
+        return LIT_ABILITY.PKPSigning;
+      }
+      if (resourceKey.startsWith(ACC_PREFIX)) {
+        return LIT_ABILITY.AccessControlConditionSigning;
+      }
+    }
+  }
+
+  if (recapNamespace === LIT_NAMESPACE.Auth && recapAbility === LIT_RECAP_ABILITY.Auth) {
+    if (resourceKey.startsWith(PAYMENT_DELEGATION_PREFIX)) {
+      return LIT_ABILITY.PaymentDelegation;
+    }
+
+    if (resourceKey.startsWith(RESOLVED_AUTH_CONTEXT_PREFIX)) {
+      // Resolved auth context entries only contain metadata.
+      return null;
+    }
+  }
+
+  return null;
+}

packages/auth-helpers/src/lib/resources.ts

@@ -9,8 +9,13 @@ import {
 import { AccessControlConditions, ILitResource } from '@lit-protocol/types';
 import { formatPKPResource } from './utils';
 
+const RESOLVED_AUTH_CONTEXT_PREFIX = 'lit-resolvedauthcontext';
+type InternalResourcePrefix =
+  | LIT_RESOURCE_PREFIX_VALUES
+  | typeof RESOLVED_AUTH_CONTEXT_PREFIX;
+
 abstract class LitResourceBase {
-  abstract resourcePrefix: LIT_RESOURCE_PREFIX_VALUES;
+  abstract resourcePrefix: InternalResourcePrefix;
   public readonly resource: string;
 
   constructor(resource: string) {
@@ -158,6 +163,18 @@ export function parseLitResource(resourceKey: string): ILitResource {
     return new LitActionResource(
       resourceKey.substring(`${LIT_RESOURCE_PREFIX.LitAction}://`.length)
     );
+  } else if (resourceKey.startsWith(RESOLVED_AUTH_CONTEXT_PREFIX)) {
+    const resource = resourceKey.substring(
+      `${RESOLVED_AUTH_CONTEXT_PREFIX}://`.length
+    );
+
+    return {
+      resourcePrefix: RESOLVED_AUTH_CONTEXT_PREFIX,
+      resource,
+      getResourceKey: () => `${RESOLVED_AUTH_CONTEXT_PREFIX}://${resource}`,
+      toString: () => `${RESOLVED_AUTH_CONTEXT_PREFIX}://${resource}`,
+      isValidLitAbility: () => false,
+    } as unknown as ILitResource;
   }
   throw new InvalidArgumentException(
     {

packages/auth/src/lib/AuthManager/auth-manager.ts

@@ -90,10 +90,7 @@ export const createAuthManager = (authManagerParams: AuthManagerParams) => {
       delegationAuthSig: AuthSig;
       authData?: AuthData;
     }) => {
-      return getPkpAuthContextFromPreGeneratedAdapter(
-        authManagerParams,
-        params
-      );
+      return getPkpAuthContextFromPreGeneratedAdapter(params);
     },
     createCustomAuthContext: (params: {
       // authData: AuthData;

packages/auth/src/lib/AuthManager/authAdapters/getPkpAuthContextFromPreGeneratedAdapter.spec.ts

@@ -0,0 +1,103 @@
+import { getPkpAuthContextFromPreGeneratedAdapter } from './getPkpAuthContextFromPreGeneratedAdapter';
+import type { AuthSig, SessionKeyPair } from '@lit-protocol/types';
+
+const baseSessionKeyPair: SessionKeyPair = {
+  publicKey: 'a1b2c3',
+  secretKey: 'deadbeef',
+};
+
+const baseDelegation = ({
+  recap,
+}: {
+  recap: Record<string, unknown>;
+}): AuthSig => {
+  const resourcesLine = `- urn:recap:${Buffer.from(JSON.stringify(recap)).toString('base64url')}`;
+
+  const signedMessage = [
+    'localhost wants you to sign in with your Ethereum account:',
+    '0x1234567890abcdef1234567890ABCDEF12345678',
+    '',
+    "Lit Protocol PKP session signature I further authorize the stated URI to perform the following actions on my behalf: (1) 'Threshold': 'Signing' for 'lit-pkp://*'.",
+    '',
+    'URI: lit:session:a1b2c3',
+    'Version: 1',
+    'Chain ID: 1',
+    'Nonce: 0xabc',
+    'Issued At: 2025-01-01T00:00:00Z',
+    'Expiration Time: 2099-01-01T00:00:00.000Z',
+    'Resources:',
+    resourcesLine,
+  ].join('\n');
+
+  return {
+    sig: '{"ProofOfPossession":"proof"}',
+    algo: 'LIT_BLS',
+    derivedVia: 'lit.bls',
+    signedMessage,
+    address: '0x1234567890abcdef1234567890ABCDEF12345678',
+  };
+};
+
+describe('getPkpAuthContextFromPreGeneratedAdapter', () => {
+  it('derives authData from recap metadata when not provided', async () => {
+    const recapPayload = {
+      att: {
+        'lit-pkp://*': {
+          'Threshold/Signing': [{}],
+        },
+        'lit-resolvedauthcontext://*': {
+          'Auth/Auth': [
+            {
+              auth_context: {
+                authMethodContexts: [
+                  {
+                    appId: 'lit',
+                    authMethodType: 1,
+                    usedForSignSessionKeyRequest: true,
+                    userId: '0xabcdef',
+                  },
+                ],
+                authSigAddress: null,
+              },
+            },
+          ],
+        },
+      },
+      prf: [],
+    };
+
+    const delegationAuthSig = baseDelegation({ recap: recapPayload });
+
+    const context = await getPkpAuthContextFromPreGeneratedAdapter({
+      pkpPublicKey: '0xpkp',
+      sessionKeyPair: baseSessionKeyPair,
+      delegationAuthSig,
+    });
+
+    expect(context.authData).toBeDefined();
+    expect(context.authData?.authMethodId).toBe('0xabcdef');
+    expect(context.derivedAuthMetadata?.authMethodId).toBe('0xabcdef');
+    expect(context.authConfig.resources.length).toBeGreaterThan(0);
+  });
+
+  it('throws when recap metadata is missing and authData not supplied', async () => {
+    const recapPayload = {
+      att: {
+        'lit-pkp://*': {
+          'Threshold/Signing': [{}],
+        },
+      },
+      prf: [],
+    };
+
+    const delegationAuthSig = baseDelegation({ recap: recapPayload });
+
+    await expect(
+      getPkpAuthContextFromPreGeneratedAdapter({
+        pkpPublicKey: '0xpkp',
+        sessionKeyPair: baseSessionKeyPair,
+        delegationAuthSig,
+      })
+    ).rejects.toThrow(/Failed to derive authData/);
+  });
+});