Merge pull request #200 from Web3Auth/feat/import-sfa

import sfa key

Author: himanshuchawla009

src/interfaces.ts

@@ -85,7 +85,18 @@ export type MPCKeyDetails = {
   tssPubKey?: TkeyPoint;
 };
 
-export type OAuthLoginParams = (SubVerifierDetailsParams | AggregateVerifierLoginParams) & { importTssKey?: string };
+export type OAuthLoginParams = (SubVerifierDetailsParams | AggregateVerifierLoginParams) & {
+  /**
+   * Key to import key into Tss during first time login.
+   */
+  importTssKey?: string;
+
+  /**
+   * For new users, use SFA key if user was registered with SFA before.
+   * Useful when you created the user with SFA before and now want to convert it to TSS.
+   */
+  registerExistingSFAKey?: boolean;
+};
 export type UserInfo = TorusVerifierResponse & LoginWindowResponse;
 
 export interface EnableMFAParams {
@@ -146,6 +157,12 @@ export interface JWTLoginParams {
    */
   importTssKey?: string;
 
+  /**
+   * For new users, use SFA key if user was registered with SFA before.
+   * Useful when you created the user with SFA before and now want to convert it to TSS.
+   */
+  registerExistingSFAKey?: boolean;
+
   /**
    * Number of TSS public keys to prefetch. For the best performance, set it to
    * the number of factors you want to create. Set it to 0 for an existing user.

src/mpcCoreKit.ts

@@ -1,4 +1,4 @@
-import { BNString, KeyType, Point, secp256k1, SHARE_DELETED, ShareStore, StringifiedType } from "@tkey/common-types";
+import { BNString, KeyType, ONE_KEY_DELETE_NONCE, Point, secp256k1, SHARE_DELETED, ShareStore, StringifiedType } from "@tkey/common-types";
 import { CoreError } from "@tkey/core";
 import { ShareSerializationModule } from "@tkey/share-serialization";
 import { TorusStorageLayer } from "@tkey/storage-layer-torus";
@@ -318,16 +318,24 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
     if (this.isNodejsOrRN(this.options.uxMode)) {
       throw CoreKitError.oauthLoginUnsupported(`Oauth login is NOT supported in ${this.options.uxMode} mode.`);
     }
-    const { importTssKey } = params;
+    const { importTssKey, registerExistingSFAKey } = params;
     const tkeyServiceProvider = this.torusSp;
 
+    if (registerExistingSFAKey && importTssKey) {
+      throw CoreKitError.invalidConfig("Cannot import TSS key and register SFA key at the same time.");
+    }
+
+    if (this.isRedirectMode && (importTssKey || registerExistingSFAKey)) {
+      throw CoreKitError.invalidConfig("key import is not supported in redirect mode");
+    }
     try {
       // oAuth login.
       const verifierParams = params as SubVerifierDetailsParams;
       const aggregateParams = params as AggregateVerifierLoginParams;
+      let loginResponse: TorusLoginResponse | TorusAggregateLoginResponse;
       if (verifierParams.subVerifierDetails) {
         // single verifier login.
-        const loginResponse = await tkeyServiceProvider.triggerLogin((params as SubVerifierDetailsParams).subVerifierDetails);
+        loginResponse = await tkeyServiceProvider.triggerLogin((params as SubVerifierDetailsParams).subVerifierDetails);
 
         if (this.isRedirectMode) return;
 
@@ -338,7 +346,7 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
           signatures: this._getSignatures(loginResponse.sessionData.sessionTokenData),
         });
       } else if (aggregateParams.subVerifierDetailsArray) {
-        const loginResponse = await tkeyServiceProvider.triggerAggregateLogin({
+        loginResponse = await tkeyServiceProvider.triggerAggregateLogin({
           aggregateVerifierType: aggregateParams.aggregateVerifierType || AGGREGATE_VERIFIER.SINGLE_VERIFIER_ID,
           verifierIdentifier: aggregateParams.aggregateVerifierIdentifier as string,
           subVerifierDetailsArray: aggregateParams.subVerifierDetailsArray,
@@ -354,7 +362,15 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
         });
       }
 
-      await this.setupTkey(importTssKey);
+      if (loginResponse && registerExistingSFAKey && loginResponse.finalKeyData.privKey) {
+        if (loginResponse.metadata.typeOfUser === "v1") {
+          throw CoreKitError.invalidConfig("Cannot register existing SFA key for v1 users, please contact web3auth support.");
+        }
+        const existingSFAKey = loginResponse.finalKeyData.privKey.padStart(64, "0");
+        await this.setupTkey(existingSFAKey, loginResponse, true);
+      } else {
+        await this.setupTkey(importTssKey, loginResponse, false);
+      }
     } catch (err: unknown) {
       log.error("login error", err);
       if (err instanceof CoreError) {
@@ -373,10 +389,14 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
       throw CoreKitError.prefetchValueExceeded(`The prefetch value '${prefetchTssPublicKeys}' exceeds the maximum allowed limit of 3.`);
     }
 
-    const { verifier, verifierId, idToken, importTssKey } = params;
+    const { verifier, verifierId, idToken, importTssKey, registerExistingSFAKey } = params;
     this.torusSp.verifierName = verifier;
     this.torusSp.verifierId = verifierId;
 
+    if (registerExistingSFAKey && importTssKey) {
+      throw CoreKitError.invalidConfig("Cannot import TSS key and register SFA key at the same time.");
+    }
+
     try {
       // prefetch tss pub keys.
       const prefetchTssPubs = [];
@@ -412,7 +432,15 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
         userInfo: { ...parseToken(idToken), verifier, verifierId },
         signatures: this._getSignatures(loginResponse.sessionData.sessionTokenData),
       });
-      await this.setupTkey(importTssKey);
+      if (registerExistingSFAKey && loginResponse.finalKeyData.privKey) {
+        if (loginResponse.metadata.typeOfUser === "v1") {
+          throw CoreKitError.invalidConfig("Cannot register existing SFA key for v1 users, please contact web3auth support.");
+        }
+        const existingSFAKey = loginResponse.finalKeyData.privKey.padStart(64, "0");
+        await this.setupTkey(existingSFAKey, loginResponse, true);
+      } else {
+        await this.setupTkey(importTssKey, loginResponse, false);
+      }
     } catch (err: unknown) {
       log.error("login error", err);
       if (err instanceof CoreError) {
@@ -433,30 +461,30 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
 
     try {
       const result = await this.torusSp.customAuthInstance.getRedirectResult();
-
+      let loginResponse: TorusLoginResponse | TorusAggregateLoginResponse;
       if (result.method === TORUS_METHOD.TRIGGER_LOGIN) {
-        const data = result.result as TorusLoginResponse;
-        if (!data) {
+        loginResponse = result.result as TorusLoginResponse;
+        if (!loginResponse) {
           throw CoreKitError.invalidTorusLoginResponse();
         }
         this.updateState({
-          postBoxKey: this._getPostBoxKey(data),
-          postboxKeyNodeIndexes: data.nodesData?.nodeIndexes || [],
-          userInfo: data.userInfo,
-          signatures: this._getSignatures(data.sessionData.sessionTokenData),
+          postBoxKey: this._getPostBoxKey(loginResponse),
+          postboxKeyNodeIndexes: loginResponse.nodesData?.nodeIndexes || [],
+          userInfo: loginResponse.userInfo,
+          signatures: this._getSignatures(loginResponse.sessionData.sessionTokenData),
         });
         const userInfo = this.getUserInfo();
         this.torusSp.verifierName = userInfo.verifier;
       } else if (result.method === TORUS_METHOD.TRIGGER_AGGREGATE_LOGIN) {
-        const data = result.result as TorusAggregateLoginResponse;
-        if (!data) {
+        loginResponse = result.result as TorusAggregateLoginResponse;
+        if (!loginResponse) {
           throw CoreKitError.invalidTorusAggregateLoginResponse();
         }
         this.updateState({
-          postBoxKey: this._getPostBoxKey(data),
-          postboxKeyNodeIndexes: data.nodesData?.nodeIndexes || [],
-          userInfo: data.userInfo[0],
-          signatures: this._getSignatures(data.sessionData.sessionTokenData),
+          postBoxKey: this._getPostBoxKey(loginResponse),
+          postboxKeyNodeIndexes: loginResponse.nodesData?.nodeIndexes || [],
+          userInfo: loginResponse.userInfo[0],
+          signatures: this._getSignatures(loginResponse.sessionData.sessionTokenData),
         });
         const userInfo = this.getUserInfo();
         this.torusSp.verifierName = userInfo.aggregateVerifier;
@@ -984,35 +1012,45 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
     return tssNonce;
   }
 
-  private async setupTkey(providedImportTssKey?: string): Promise<void> {
+  private async setupTkey(
+    providedImportKey?: string,
+    sfaLoginResponse?: TorusKey | TorusLoginResponse | TorusAggregateLoginResponse,
+    importingSFAKey?: boolean
+  ): Promise<void> {
+    if (importingSFAKey && !sfaLoginResponse) {
+      throw CoreKitError.default("SFA key registration requires SFA login response");
+    }
     if (!this.state.postBoxKey) {
       throw CoreKitError.userNotLoggedIn();
     }
     const existingUser = await this.isMetadataPresent(this.state.postBoxKey);
-    let importTssKey = providedImportTssKey;
+    let importKey = providedImportKey;
     if (!existingUser) {
-      if (!importTssKey && this.useClientGeneratedTSSKey) {
+      if (!importKey && this.useClientGeneratedTSSKey) {
         if (this.keyType === KeyType.ed25519) {
           const k = generateEd25519Seed();
-          importTssKey = k.toString("hex");
+          importKey = k.toString("hex");
         } else if (this.keyType === KeyType.secp256k1) {
           const k = secp256k1.genKeyPair().getPrivate();
-          importTssKey = scalarBNToBufferSEC1(k).toString("hex");
+          importKey = scalarBNToBufferSEC1(k).toString("hex");
         } else {
           throw CoreKitError.default("Unsupported key type");
         }
       }
-      await this.handleNewUser(importTssKey);
+      if (importingSFAKey && sfaLoginResponse && sfaLoginResponse.metadata.upgraded) {
+        throw CoreKitError.default("SFA key registration is not allowed for already upgraded users");
+      }
+      await this.handleNewUser(importKey, importingSFAKey);
     } else {
-      if (importTssKey) {
+      if (importKey) {
         throw CoreKitError.tssKeyImportNotAllowed();
       }
       await this.handleExistingUser();
     }
   }
 
   // mutation function
-  private async handleNewUser(importTssKey?: string) {
+  private async handleNewUser(importTssKey?: string, isSfaKey?: boolean) {
     await this.atomicSync(async () => {
       // Generate or use hash factor and initialize tkey with it.
       let factorKey: BN;
@@ -1055,6 +1093,12 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
           updateMetadata: false,
         });
       }
+      if (importTssKey && isSfaKey) {
+        await this.tkey.addLocalMetadataTransitions({
+          input: [{ message: ONE_KEY_DELETE_NONCE }],
+          privKey: [new BN(this.state.postBoxKey, "hex")],
+        });
+      }
     });
   }
 

tests/importRecovery.spec.ts

@@ -4,14 +4,14 @@ import test from "node:test";
 import { tssLib as tssLibDKLS } from "@toruslabs/tss-dkls-lib";
 import { tssLib as tssLibFROST } from "@toruslabs/tss-frost-lib";
 
-import { AsyncStorage, MemoryStorage, TssLib, TssShareType, WEB3AUTH_NETWORK } from "../src";
+import { AsyncStorage, MemoryStorage, TssLibType, TssShareType, WEB3AUTH_NETWORK } from "../src";
 import { bufferToElliptic, criticalResetAccount, newCoreKitLogInInstance } from "./setup";
 
 type ImportKeyTestVariable = {
   manualSync?: boolean;
   email: string;
   importKeyEmail: string;
-  tssLib: TssLib;
+  tssLib: TssLibType;
 };
 
 const storageInstance = new MemoryStorage();

tests/setup.ts

@@ -4,7 +4,7 @@ import BN from "bn.js";
 import jwt, { Algorithm } from "jsonwebtoken";
 import { tssLib as tssLibDKLS } from "@toruslabs/tss-dkls-lib";
 
-import { IAsyncStorage, IStorage, parseToken, TssLib, WEB3AUTH_NETWORK_TYPE, Web3AuthMPCCoreKit } from "../src";
+import { IAsyncStorage, IStorage, parseToken, TssLibType, WEB3AUTH_NETWORK_TYPE, Web3AuthMPCCoreKit } from "../src";
 
 export const mockLogin2 = async (email: string) => {
   const req = new Request("https://li6lnimoyrwgn2iuqtgdwlrwvq0upwtr.lambda-url.eu-west-1.on.aws/", {
@@ -91,14 +91,16 @@ export const newCoreKitLogInInstance = async ({
   email,
   storageInstance,
   importTssKey,
+  registerExistingSFAKey,
   login,
 }: {
   network: WEB3AUTH_NETWORK_TYPE;
   manualSync: boolean;
   email: string;
   storageInstance: IStorage | IAsyncStorage;
-  tssLib?: TssLib;
+  tssLib?: TssLibType;
   importTssKey?: string;
+  registerExistingSFAKey?: boolean;
   login?: LoginFunc;
 }) => {
   const instance = new Web3AuthMPCCoreKit({
@@ -118,11 +120,55 @@ export const newCoreKitLogInInstance = async ({
     verifierId: parsedToken.email,
     idToken,
     importTssKey,
+    registerExistingSFAKey
   });
 
   return instance;
 };
 
+export const loginWithSFA = async ({
+  network,
+  manualSync,
+  email,
+  storageInstance,
+  login,
+}: {
+  network: WEB3AUTH_NETWORK_TYPE;
+  manualSync: boolean;
+  email: string;
+  storageInstance: IStorage | IAsyncStorage;
+  tssLib?: TssLibType;
+  login?: LoginFunc;
+}) => {
+  const instance = new Web3AuthMPCCoreKit({
+    web3AuthClientId: "torus-key-test",
+    web3AuthNetwork: network,
+    baseUrl: "http://localhost:3000",
+    uxMode: "nodejs",
+    tssLib: tssLib || tssLibDKLS,
+    storage: storageInstance,
+    manualSync,
+  });
+
+  const { idToken, parsedToken } = login ? await login(email) : await mockLogin(email);
+  await instance.init();
+  const nodeDetails = await instance.torusSp.customAuthInstance.nodeDetailManager.getNodeDetails({
+    verifier: "torus-test-health",
+    verifierId: parsedToken.email,
+  })
+  return await instance.torusSp.customAuthInstance.torus.retrieveShares({
+    idToken,
+    nodePubkeys: nodeDetails.torusNodePub,
+    verifier: "torus-test-health",
+    verifierParams: {
+      verifier_id: parsedToken.email,
+    },
+    endpoints: nodeDetails.torusNodeEndpoints,
+    indexes: nodeDetails.torusIndexes,
+  })
+
+}
+
 export class AsyncMemoryStorage implements IAsyncStorage {
   private _store: Record<string, string> = {};
 
@@ -138,3 +184,12 @@ export class AsyncMemoryStorage implements IAsyncStorage {
 export function bufferToElliptic(p: Buffer, ec = secp256k1): EllipticPoint {
   return ec.keyFromPublic(p).getPublic();
 }
+
+
+export function generateRandomEmail(): string {
+  const username = stringGen(10); 
+  const domain = stringGen(5); 
+  const tld = stringGen(3);     
+  return `${username}@${domain}.${tld}`;
+}
+