fix(auth-service): add scopes to pkpMint endpoint

Ansonhkg · Ansonhkg · commit eff05d90543a · 2025-07-30T21:21:57.000+01:00
diff --git a/packages/auth-services/src/auth-server/src/routes/pkp/mint.ts b/packages/auth-services/src/auth-server/src/routes/pkp/mint.ts
@@ -1,13 +1,13 @@
-import { MintRequestRaw } from '@lit-protocol/networks';
 import { ElysiaInstance } from '../../types/ElysiaInstance.type';
 import { addJob } from '../../../../queue-manager/src/bullmqSetup';
 import { resp } from '../../response-helpers/response-helpers';
 import { mintPkpDoc } from '../../../../queue-manager/src/handlers/pkpMint/pkpMint.doc';
+import { AuthServiceMintRequestRaw } from '../../schemas/AuthServiceMintRequestSchema';
 
 export const mint = (app: ElysiaInstance) => {
   app.post(
     '/mint',
-    async ({ body }: { body: MintRequestRaw }) => {
+    async ({ body }: { body: AuthServiceMintRequestRaw }) => {
       try {
         const job = await addJob('pkpMint', { requestBody: body });
         return resp.QUEUED(job.id, 'PKP minting request queued successfully.');
diff --git a/packages/auth-services/src/auth-server/src/schemas/AuthServiceMintRequestSchema.ts b/packages/auth-services/src/auth-server/src/schemas/AuthServiceMintRequestSchema.ts
@@ -0,0 +1,41 @@
+import { t } from 'elysia';
+import { z } from 'zod';
+
+/**
+ * Schema for auth service PKP mint request
+ * This is a simplified version for minting with a single auth method
+ */
+export const AuthServiceMintRequestSchema = z.object({
+  authMethodType: z.string(),
+  authMethodId: z.string(),
+  pubkey: z.string().optional().default('0x'),
+  scopes: z
+    .array(z.enum(['sign-anything', 'personal-sign', 'no-permissions']))
+    .optional(),
+});
+
+// User Input Type - what the API accepts
+export type AuthServiceMintRequestRaw = z.input<
+  typeof AuthServiceMintRequestSchema
+>;
+
+// Transformed/Validated Type - after validation
+export type AuthServiceMintRequestTransformed = z.infer<
+  typeof AuthServiceMintRequestSchema
+>;
+
+// Elysia Schema for runtime validation
+export const tAuthServiceMintRequestSchema = t.Object({
+  authMethodType: t.String(),
+  authMethodId: t.String(),
+  pubkey: t.Optional(t.String({ default: '0x' })),
+  scopes: t.Optional(
+    t.Array(
+      t.Union([
+        t.Literal('sign-anything'),
+        t.Literal('personal-sign'),
+        t.Literal('no-permissions'),
+      ])
+    )
+  ),
+});
diff --git a/packages/auth-services/src/queue-manager/src/handlers/pkpMint/pkpMint.doc.ts b/packages/auth-services/src/queue-manager/src/handlers/pkpMint/pkpMint.doc.ts
@@ -4,22 +4,22 @@ export const mintPkpDoc = {
   body: t.Object(
     {
       authMethodType: t.Required(
-        t.Number({
+        t.String({
           description:
-            'The numeric type of authentication method to use for the PKP. Supported types include:\n' +
-            '- 1: EthWallet\n' +
-            '- 2: LitAction\n' +
-            '- 3: WebAuthn\n' +
-            '- 4: Discord\n' +
-            '- 5: Google\n' +
-            '- 6: GoogleJwt\n' +
-            '- 8: AppleJwt\n' +
-            '- 9: StytchOtp\n' +
-            '- 10: StytchEmailFactorOtp\n' +
-            '- 11: StytchSmsFactorOtp\n' +
-            '- 12: StytchWhatsAppFactorOtp\n' +
-            '- 13: StytchTotpFactorOtp\n\n' +
-            'Custom auth methods can also be used by providing their corresponding numeric ID.',
+            'The type of authentication method to use for the PKP. Supported types include:\n' +
+            '- "1": EthWallet\n' +
+            '- "2": LitAction\n' +
+            '- "3": WebAuthn\n' +
+            '- "4": Discord\n' +
+            '- "5": Google\n' +
+            '- "6": GoogleJwt\n' +
+            '- "8": AppleJwt\n' +
+            '- "9": StytchOtp\n' +
+            '- "10": StytchEmailFactorOtp\n' +
+            '- "11": StytchSmsFactorOtp\n' +
+            '- "12": StytchWhatsAppFactorOtp\n' +
+            '- "13": StytchTotpFactorOtp\n\n' +
+            'Custom auth methods can also be used by providing their corresponding string ID.',
         })
       ),
       authMethodId: t.Required(
@@ -36,6 +36,22 @@ export const mintPkpDoc = {
             "Public key associated with the authentication method. This is primarily used for WebAuthn, where it should be the public key obtained from the WebAuthn registration process. For other authentication types, if this field is omitted or an empty string is provided, it will default to '0x'. If explicitly providing for non-WebAuthn, use '0x'.",
         })
       ),
+      scopes: t.Optional(
+        t.Array(
+          t.Union([
+            t.Literal('sign-anything'),
+            t.Literal('personal-sign'),
+            t.Literal('no-permissions'),
+          ]),
+          {
+            description:
+              'Array of permission scopes to grant to the PKP. If omitted, defaults to an empty array (no permissions). Available scopes:\n' +
+              '- "sign-anything": Allows the PKP to sign any message\n' +
+              '- "personal-sign": Allows the PKP to sign personal messages only\n' +
+              '- "no-permissions": Explicitly sets no permissions',
+          }
+        )
+      ),
     },
     {
       description:
diff --git a/packages/auth-services/src/queue-manager/src/handlers/pkpMint/pkpMint.handler.ts b/packages/auth-services/src/queue-manager/src/handlers/pkpMint/pkpMint.handler.ts
@@ -12,6 +12,7 @@ export async function handlePkpMintTask(jobData: {
     authMethodType: string;
     authMethodId: Hex;
     pubkey: Hex;
+    scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
   };
 }): Promise<any> {
   const userAuthData: Optional<AuthData, 'accessToken'> = {
@@ -23,7 +24,7 @@ export async function handlePkpMintTask(jobData: {
   const result = await globalThis.systemContext.litClient.mintWithAuth({
     account: globalThis.systemContext.account,
     authData: userAuthData,
-    scopes: ['sign-anything'],
+    scopes: jobData.requestBody.scopes || [],
   });
 
   console.log(
diff --git a/packages/lit-client/src/lib/LitClient/createLitClient.ts b/packages/lit-client/src/lib/LitClient/createLitClient.ts
@@ -866,7 +866,13 @@ export const _createNagaLitClient = async (
       });
     },
     authService: {
-      mintWithAuth: networkModule.authService.pkpMint,
+      mintWithAuth: async (params: {
+        authData: AuthData;
+        authServiceBaseUrl?: string;
+        scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
+      }) => {
+        return networkModule.authService.pkpMint(params);
+      },
     },
     executeJs: async (
       params: z.infer<typeof networkModule.api.executeJs.schemas.Input>
diff --git a/packages/networks/src/networks/vNaga/envs/naga-dev/naga-dev.module.ts b/packages/networks/src/networks/vNaga/envs/naga-dev/naga-dev.module.ts
@@ -447,6 +447,7 @@ const networkModuleObject = {
     pkpMint: async (params: {
       authData: AuthData;
       authServiceBaseUrl?: string;
+      scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
     }) => {
       return await handleAuthServerRequest<PKPData>({
         jobName: 'PKP Minting',
@@ -458,6 +459,7 @@ const networkModuleObject = {
           authMethodType: params.authData.authMethodType,
           authMethodId: params.authData.authMethodId,
           pubkey: params.authData.publicKey,
+          scopes: params.scopes,
         },
       });
     },
diff --git a/packages/networks/src/networks/vNaga/envs/naga-local/naga-local.module.ts b/packages/networks/src/networks/vNaga/envs/naga-local/naga-local.module.ts
@@ -447,6 +447,7 @@ const networkModuleObject = {
     pkpMint: async (params: {
       authData: AuthData;
       authServiceBaseUrl?: string;
+      scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
     }) => {
       return await handleAuthServerRequest<PKPData>({
         jobName: 'PKP Minting',
@@ -458,6 +459,7 @@ const networkModuleObject = {
           authMethodType: params.authData.authMethodType,
           authMethodId: params.authData.authMethodId,
           pubkey: params.authData.publicKey,
+          scopes: params.scopes,
         },
       });
     },
diff --git a/packages/networks/src/networks/vNaga/envs/naga-staging/naga-staging.module.ts b/packages/networks/src/networks/vNaga/envs/naga-staging/naga-staging.module.ts
@@ -447,6 +447,7 @@ const networkModuleObject = {
     pkpMint: async (params: {
       authData: AuthData;
       authServiceBaseUrl?: string;
+      scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
     }) => {
       return await handleAuthServerRequest<PKPData>({
         jobName: 'PKP Minting',
@@ -458,6 +459,7 @@ const networkModuleObject = {
           authMethodType: params.authData.authMethodType,
           authMethodId: params.authData.authMethodId,
           pubkey: params.authData.publicKey,
+          scopes: params.scopes,
         },
       });
     },
diff --git a/packages/networks/src/networks/vNaga/envs/naga-test/naga-test.module.ts b/packages/networks/src/networks/vNaga/envs/naga-test/naga-test.module.ts
@@ -447,6 +447,7 @@ const networkModuleObject = {
     pkpMint: async (params: {
       authData: AuthData;
       authServiceBaseUrl?: string;
+      scopes?: ('sign-anything' | 'personal-sign' | 'no-permissions')[];
     }) => {
       return await handleAuthServerRequest<PKPData>({
         jobName: 'PKP Minting',
@@ -458,6 +459,7 @@ const networkModuleObject = {
           authMethodType: params.authData.authMethodType,
           authMethodId: params.authData.authMethodId,
           pubkey: params.authData.publicKey,
+          scopes: params.scopes,
         },
       });
     },
