⚗️ server: add panda signature

Author: nfmelendez

common/pandaCertificate.ts

@@ -21,11 +21,5 @@ export default process.env.EXPO_PUBLIC_PANDA_PUBLIC_KEY ||
     "base.exactly.app": production,
     "base-sepolia.exactly.app": sandbox,
     "sandbox.exactly.app": sandbox,
-  }[domain] ||
-  `-----BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu2YOeObkaYiQmc49t2Cnk8syA
-1UBqFBMVhkJXyuSA9f+hGC22fXgQtpfAjQmFRpt5q4f6i0rG2bUi8Km0jZELdD6X
-Kz63/hp522fbxNuOOxs37dlH9B3k6W8NQjjDjaFhAwCsevq7uASXwEEK3NpV7DEP
-lJe6c8CQ0+QqTTy2ZwIDAQAB
------END PUBLIC KEY-----`;
+  }[domain] || sandbox;
 /* eslint-enable @typescript-eslint/prefer-nullish-coalescing */

server/api/card.ts

@@ -5,6 +5,7 @@ import { Hono } from "hono";
 import { describeRoute } from "hono-openapi";
 import { resolver, validator as vValidator } from "hono-openapi/valibot";
 import {
+  any,
   integer,
   literal,
   maxValue,
@@ -13,6 +14,7 @@ import {
   nullable,
   number,
   object,
+  optional,
   parse,
   picklist,
   pipe,
@@ -21,12 +23,16 @@ import {
   transform,
   union,
   uuid,
+  variant,
   type InferOutput,
 } from "valibot";
+import { createSiweMessage } from "viem/siwe";
 
+import domain from "@exactly/common/domain";
+import chain from "@exactly/common/generated/chain";
 import MAX_INSTALLMENTS from "@exactly/common/MAX_INSTALLMENTS";
 import { PLATINUM_PRODUCT_ID, SIGNATURE_PRODUCT_ID } from "@exactly/common/panda";
-import { Address } from "@exactly/common/validation";
+import { Address, Base64URL } from "@exactly/common/validation";
 
 import database, { cards, credentials } from "../database";
 import t from "../i18n";
@@ -41,9 +47,11 @@ import {
   getProcessorDetails,
   getSecrets,
   getUser,
+  nonce,
   setPIN,
   updateCard,
   USD_TO_CENTS,
+  verify,
 } from "../utils/panda";
 import { addCapita, deriveAssociateId } from "../utils/pax";
 import { getAccount, getCardLimitAccount } from "../utils/persona";
@@ -111,6 +119,30 @@ const UpdateCard = union([
     strictObject({ data: string(), iv: string(), sessionId: string() }),
     transform((patch) => ({ ...patch, type: "pin" as const })),
   ),
+  pipe(
+    variant("action", [
+      object({ method: literal("siwe"), action: literal("message") }),
+      object({ method: literal("siwe"), action: literal("verify"), message: string(), signature: string() }),
+      object({ method: literal("webauthn"), action: literal("challenge") }),
+      object({
+        method: literal("webauthn"),
+        action: literal("verify"),
+        assertion: object({
+          id: Base64URL,
+          rawId: Base64URL,
+          response: object({
+            clientDataJSON: Base64URL,
+            authenticatorData: Base64URL,
+            signature: Base64URL,
+            userHandle: optional(Base64URL),
+          }),
+          clientExtensionResults: any(),
+          type: literal("public-key"),
+        }),
+      }),
+    ]),
+    transform((signature) => ({ ...signature, type: "signature" as const })),
+  ),
 ]);
 
 const WalletCredentialsResponse = object({
@@ -124,6 +156,9 @@ const UpdatedCardResponse = union([
   object({
     status: pipe(picklist(["ACTIVE", "DELETED", "FROZEN"]), metadata({ examples: ["ACTIVE", "DELETED", "FROZEN"] })),
   }),
+  object({ message: string() }),
+  object({ challenge: pipe(string(), metadata({ examples: ["1a2b3c"] })) }),
+  object({}),
 ]);
 
 export default new Hono()
@@ -384,11 +419,7 @@ function decrypt(base64Secret: string, base64Iv: string, secretKey: string): str
               captureException(error, { level: "error", contexts: { details: { credentialId, scope: "cardLimit" } } });
             });
             const limit = cardLimitAccount?.attributes.fields.card_limit_usd?.value;
-            const card = await createCard(
-              credential.pandaId,
-              SIGNATURE_PRODUCT_ID,
-              limit == null ? undefined : limit * USD_TO_CENTS,
-            );
+            const card = await createCard(credential.pandaId, SIGNATURE_PRODUCT_ID);
             let mode = 0;
             try {
               if (await autoCredit(account)) mode = 1;
@@ -545,6 +576,12 @@ async function encryptPIN(pin: string) {
             },
           },
         },
+        403: {
+          description: "Forbidden",
+          content: {
+            "application/json": { schema: resolver(object({ code: literal("no panda") }), { errorMode: "ignore" }) },
+          },
+        },
         404: {
           description: "Not found",
           content: {
@@ -569,10 +606,20 @@ async function encryptPIN(pin: string) {
       return mutex
         .runExclusive(async () => {
           const credential = await database.query.credentials.findFirst({
-            columns: { account: true },
+            columns: {
+              account: true,
+              pandaId: true,
+              factory: true,
+              publicKey: true,
+              transports: true,
+              counter: true,
+            },
             where: eq(credentials.id, credentialId),
             with: {
-              cards: { columns: { id: true, mode: true, status: true }, where: ne(cards.status, "DELETED") },
+              cards: {
+                columns: { id: true, mode: true, status: true, lastFour: true },
+                where: ne(cards.status, "DELETED"),
+              },
             },
           });
           if (!credential) return c.json({ code: "no credential" }, 500);
@@ -619,6 +666,66 @@ async function encryptPIN(pin: string) {
               }
               return c.json({ data, iv } satisfies InferOutput<typeof UpdatedCardResponse>, 200);
             }
+            case "signature":
+              switch (patch.method) {
+                case "siwe":
+                  switch (patch.action) {
+                    case "message": {
+                      if (!credential.pandaId) return c.json({ code: "no panda" }, 403);
+                      const { nonce: value } = await nonce(credential.pandaId);
+                      const message = createSiweMessage({
+                        domain,
+                        address: parse(Address, credentialId),
+                        statement: `I authorize the account ${account} to be linked with the card ending in ${card.lastFour} for my user (${credential.pandaId})`,
+                        uri: `https://${domain}`,
+                        version: "1",
+                        chainId: chain.id,
+                        nonce: value,
+                        issuedAt: new Date(),
+                      });
+                      return c.json({ message } satisfies InferOutput<typeof UpdatedCardResponse>, 200);
+                    }
+                    case "verify":
+                      if (!credential.pandaId) return c.json({ code: "no panda" }, 403);
+                      await verify(credential.pandaId, {
+                        message: patch.message,
+                        signature: patch.signature,
+                        authType: "siwe",
+                      });
+                      return c.json({}, 200);
+
+                    default:
+                      return c.json({ code: "bad request" }, 400);
+                  }
+
+                case "webauthn": {
+                  const statement = `I authorize the account ${account} to be linked with the card ending in ${card.lastFour} for my user (${credential.pandaId})`;
+                  switch (patch.action) {
+                    case "challenge":
+                      if (!credential.pandaId) return c.json({ code: "no panda" }, 403);
+                      return c.json({ challenge: statement } satisfies InferOutput<typeof UpdatedCardResponse>, 200);
+                    case "verify":
+                      if (!credential.pandaId) return c.json({ code: "no panda" }, 403);
+                      await verify(credential.pandaId, {
+                        authType: "webauthn",
+                        credential: {
+                          publicKey: { type: "Buffer", data: [...credential.publicKey] },
+                          transports: credential.transports,
+                          counter: credential.counter,
+                        },
+                        assertion: patch.assertion,
+                        factory: credential.factory,
+                        statement,
+                        challenge: statement,
+                      });
+                      return c.json({}, 200);
+
+                    default:
+                      return c.json({ code: "bad request" }, 400);
+                  }
+                }
+              }
+              break;
           }
         })
         .finally(() => {