Turnkey auth

packages/backend/package.json

@@ -3,10 +3,11 @@
   "version": "1.0.0",
   "main": "index.js",
   "dependencies": {
-    "@snowballtools/laconic-sdk": "^0.1.17",
     "@graphql-tools/schema": "^10.0.2",
     "@graphql-tools/utils": "^10.0.12",
     "@octokit/oauth-app": "^6.1.0",
+    "@snowballtools/laconic-sdk": "^0.1.17",
+    "@turnkey/sdk-server": "^0.1.0",
     "@types/debug": "^4.1.5",
     "@types/express": "^4.17.21",
     "@types/node": "^20.11.0",

packages/backend/src/config.ts

@@ -52,4 +52,10 @@ export interface Config {
   gitHub: GitHubConfig;
   registryConfig: RegistryConfig;
   misc: MiscConfig;
+  turnkey: {
+    apiBaseUrl: string;
+    apiPublicKey: string;
+    apiPrivateKey: string;
+    defaultOrganizationId: string;
+  };
 }

packages/backend/src/entity/User.ts

@@ -39,6 +39,12 @@ export class User {
   @CreateDateColumn()
     updatedAt!: Date;
 
+  @Column()
+    subOrgId!: string;
+
+  @Column()
+    turnkeyWalletId!: string;
+
   @OneToMany(() => ProjectMember, (projectMember) => projectMember.project, {
     cascade: ['soft-remove']
   })

packages/backend/src/routes/auth.ts

@@ -1,45 +1,50 @@
 import { Router } from 'express';
 import { SiweMessage } from 'siwe';
 import { Service } from '../service';
+import { authenticateUser, createUser } from '../turnkey-backend';
 
 const router = Router();
 
-router.post('/validate', async (req, res) => {
+router.get('/registration/:email', async (req, res) => {
-  const { message, signature, action } = req.body;
-  const { success, data } = await new SiweMessage(message).verify({
-    signature,
-  });
-
-  if (!success) {
-    return res.send({ success });
-  }
-
   const service: Service = req.app.get('service');
-  const user = await service.getUserByEthAddress(data.address);
+  const user = await service.getUserByEmail(req.params.email);
-
+  if (user) {
-  if (action === 'signup') {
+    return res.send({ subOrganizationId: user?.subOrgId });
-    if (user) {
+  } else {
-      return res.send({ success: false, error: 'user_already_exists' });
+    return res.sendStatus(204);
-    }
-    const newUser = await service.loadOrCreateUser(data.address);
-    req.session.userId = newUser.id;
-  } else if (action === 'login') {
-    if (!user) {
-      return res.send({ success: false, error: 'user_not_found' });
-    }
-    req.session.userId = user.id;
   }
+});
 
-  req.session.address = data.address;
+router.post('/register', async (req, res) => {
+  const { email, challenge, attestation } = req.body;
+  const user = await createUser(req.app.get('service'), {
+    challenge,
+    attestation,
+    userEmail: email,
+    userName: email.split('@')[0],
+  });
+  req.session.userId = user.id;
+  res.sendStatus(200);
+});
 
-  res.send({ success });
+router.post('/authenticate', async (req, res) => {
+  const { signedWhoamiRequest } = req.body;
+  const user = await authenticateUser(
+    req.app.get('service'),
+    signedWhoamiRequest,
+  );
+  if (user) {
+    req.session.userId = user.id;
+    res.sendStatus(200);
+  } else {
+    res.sendStatus(401);
+  }
 });
 
 router.get('/session', (req, res) => {
-  if (req.session.address) {
+  if (req.session.userId) {
     res.send({
       userId: req.session.userId,
-      address: req.session.address,
     });
   } else {
     res.status(401).send({ error: 'Unauthorized: No active session' });

packages/backend/src/server.ts

@@ -24,7 +24,6 @@ const log = debug('snowball:server');
 declare module 'express-session' {
   interface SessionData {
     userId: string;
-    address: string;
   }
 }
 
@@ -54,14 +53,13 @@ export const createAndStartServer = async (
     context: async ({ req }) => {
       // https://www.apollographql.com/docs/apollo-server/v3/security/authentication#api-wide-authorization
 
-      const { address } = req.session;
+      const { userId } = req.session;
 
-      if (!address) {
+      if (!userId) {
         throw new AuthenticationError('Unauthorized: No active session');
       }
 
-      // Find/create user from ETH address in request session
+      const user = await service.getUser(userId);
-      const user = await service.loadOrCreateUser(address);
 
       return { user };
     },

packages/backend/src/service.ts

@@ -161,6 +161,22 @@ export class Service {
     });
   }
 
+  async getUserByEmail(email: string): Promise<User | null> {
+    return await this.db.getUser({
+      where: {
+        email
+      }
+    });
+  }
+
+  async getUserBySubOrgId(subOrgId: string): Promise<User | null> {
+    return await this.db.getUser({
+      where: {
+        subOrgId
+      }
+    });
+  }
+
   async getUserByEthAddress (ethAddress: string): Promise<User | null> {
     return await this.db.getUser({
       where: {
@@ -169,28 +185,30 @@ export class Service {
     });
   }
 
-  async loadOrCreateUser (ethAddress: string): Promise<User> {
+  async createUser (params: {
-    // Get user by ETH address
+    name: string
-    let user = await this.getUserByEthAddress(ethAddress);
+    email: string
+    subOrgId: string
+    ethAddress: string
+    turnkeyWalletId: string
+  }): Promise<User> {
+    const [org] = await this.db.getOrganizations({});
+    assert(org, 'No organizations exists in database');
 
-    if (!user) {
+    // Create user with new address
-      const [org] = await this.db.getOrganizations({});
+    const user = await this.db.addUser({
-      assert(org, 'No organizations exists in database');
+      email: params.email,
+      name: params.name,
+      subOrgId: params.subOrgId,
+      ethAddress: params.ethAddress,
+      isVerified: true,
+    });
 
-      // Create user with new address
+    await this.db.addUserOrganization({
-      user = await this.db.addUser({
+      member: user,
-        email: `${ethAddress}@example.com`,
+      organization: org,
-        name: ethAddress,
+      role: Role.Owner
-        isVerified: true,
+    });
-        ethAddress
-      });
-
-      await this.db.addUserOrganization({
-        member: user,
-        organization: org,
-        role: Role.Owner
-      });
-    }
 
     return user;
   }

packages/backend/src/turnkey-backend.ts

@@ -0,0 +1,130 @@
+import { Turnkey, TurnkeyApiTypes } from '@turnkey/sdk-server';
+
+// Default path for the first Ethereum address in a new HD wallet.
+// See https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki, paths are in the form:
+//     m / purpose' / coin_type' / account' / change / address_index
+// - Purpose is a constant set to 44' following the BIP43 recommendation.
+// - Coin type is set to 60 (ETH) -- see https://github.com/satoshilabs/slips/blob/master/slip-0044.md
+// - Account, Change, and Address Index are set to 0
+import { DEFAULT_ETHEREUM_ACCOUNTS } from '@turnkey/sdk-server';
+import { getConfig } from './utils';
+import { Service } from './service';
+
+type TAttestation = TurnkeyApiTypes['v1Attestation'];
+
+type CreateUserParams = {
+  userName: string;
+  userEmail: string;
+  challenge: string;
+  attestation: TAttestation;
+};
+
+export async function createUser(
+  service: Service,
+  { userName, userEmail, challenge, attestation }: CreateUserParams,
+) {
+  try {
+    if (await service.getUserByEmail(userEmail)) {
+      throw new Error(`User already exists: ${userEmail}`);
+    }
+
+    const config = await getConfig();
+    const turnkey = new Turnkey(config.turnkey);
+
+    const apiClient = turnkey.api();
+
+    const walletName = `Default ETH Wallet`;
+
+    const createSubOrgResponse = await apiClient.createSubOrganization({
+      subOrganizationName: `Default SubOrg for ${userEmail}`,
+      rootQuorumThreshold: 1,
+      rootUsers: [
+        {
+          userName,
+          userEmail,
+          apiKeys: [],
+          authenticators: [
+            {
+              authenticatorName: 'Passkey',
+              challenge,
+              attestation,
+            },
+          ],
+        },
+      ],
+      wallet: {
+        walletName: walletName,
+        accounts: DEFAULT_ETHEREUM_ACCOUNTS,
+      },
+    });
+
+    const subOrgId = refineNonNull(createSubOrgResponse.subOrganizationId);
+    const wallet = refineNonNull(createSubOrgResponse.wallet);
+
+    const result = {
+      id: wallet.walletId,
+      address: wallet.addresses[0],
+      subOrgId: subOrgId,
+    };
+    console.log('Turnkey success', result);
+
+    const user = await service.createUser({
+      name: userName,
+      email: userEmail,
+      subOrgId,
+      ethAddress: wallet.addresses[0],
+      turnkeyWalletId: wallet.walletId,
+    });
+    console.log('New user', user);
+
+    return user;
+  } catch (e) {
+    console.error('Failed to create user:', e);
+    throw e;
+  }
+}
+
+export async function authenticateUser(
+  service: Service,
+  signedWhoamiRequest: {
+    url: string;
+    body: any;
+    stamp: {
+      stampHeaderName: string;
+      stampHeaderValue: string;
+    };
+  },
+) {
+  try {
+    const tkRes = await fetch(signedWhoamiRequest.url, {
+      method: 'POST',
+      body: signedWhoamiRequest.body,
+      headers: {
+        [signedWhoamiRequest.stamp.stampHeaderName]:
+          signedWhoamiRequest.stamp.stampHeaderValue,
+      },
+    });
+    console.log('AUTH RESULT', tkRes.status);
+    if (tkRes.status !== 200) {
+      console.log(await tkRes.text());
+      return null;
+    }
+    const orgId = (await tkRes.json()).organizationId;
+    const user = await service.getUserBySubOrgId(orgId);
+    return user;
+  } catch (e) {
+    console.error('Failed to authenticate:', e);
+    throw e;
+  }
+}
+
+function refineNonNull<T>(
+  input: T | null | undefined,
+  errorMessage?: string,
+): T {
+  if (input == null) {
+    throw new Error(errorMessage ?? `Unexpected ${JSON.stringify(input)}`);
+  }
+
+  return input;
+}

packages/frontend/package.json

@@ -36,6 +36,9 @@
     "@testing-library/jest-dom": "^5.17.0",
     "@testing-library/react": "^13.4.0",
     "@testing-library/user-event": "^13.5.0",
+    "@turnkey/http": "^2.10.0",
+    "@turnkey/sdk-react": "^0.1.0",
+    "@turnkey/webauthn-stamper": "^0.5.0",
     "@walletconnect/ethereum-provider": "^2.12.2",
     "@web3modal/siwe": "^4.0.5",
     "@web3modal/wagmi": "^4.0.5",
@@ -83,4 +86,4 @@
     "typescript": "^5.3.3",
     "vite": "^5.2.0"
   }
-}
+}

packages/frontend/src/pages/auth/SignUp.tsx

@@ -9,7 +9,6 @@ import { DotBorder } from 'components/shared/DotBorder';
 import { WavyBorder } from 'components/shared/WavyBorder';
 import { useEffect, useState } from 'react';
 import { useSnowball } from 'utils/use-snowball';
-import { CreatePasskey } from './CreatePasskey';
 import { Input } from 'components/shared/Input';
 import { AppleIcon } from 'components/shared/CustomIcon/AppleIcon';
 import { Link } from 'react-router-dom';
@@ -17,6 +16,11 @@ import { useToast } from 'components/shared/Toast';
 import { PKPEthersWallet } from '@lit-protocol/pkp-ethers';
 import { signInWithEthereum } from 'utils/siwe';
 import { logError } from 'utils/log-error';
+import {
+  subOrganizationIdForEmail,
+  turnkeySignin,
+  turnkeySignup,
+} from 'utils/turnkey-frontend';
 
 type Provider = 'google' | 'github' | 'apple' | 'email';
 
@@ -81,6 +85,23 @@ export const SignUp = ({ onDone }: Props) => {
     }
   }
 
+  async function authEmail() {
+    setProvider('email');
+    try {
+      const orgId = await subOrganizationIdForEmail(email);
+      console.log('orgId', orgId);
+      if (orgId) {
+        await turnkeySignin(orgId);
+        window.location.href = '/dashboard';
+      } else {
+        await turnkeySignup(email);
+        onDone();
+      }
+    } catch (err: any) {
+      setError({ type: 'email', message: err.message });
+    }
+  }
+
   useEffect(() => {
     handleSignupRedirect();
   }, []);
@@ -88,10 +109,6 @@ export const SignUp = ({ onDone }: Props) => {
   const loading = provider;
   const emailValid = /.@./.test(email);
 
-  if (provider === 'email') {
-    return <CreatePasskey onDone={onDone} />;
-  }
-
   return (
     <div>
       <div className="self-stretch p-3 xs:p-6 flex-col justify-center items-center gap-5 flex">
@@ -200,9 +217,15 @@ export const SignUp = ({ onDone }: Props) => {
             />
           </div>
           <Button
-            rightIcon={<ArrowRightCircleFilledIcon height="16" />}
+            rightIcon={
+              loading && loading === 'email' ? (
+                <LoaderIcon className="animate-spin" />
+              ) : (
+                <ArrowRightCircleFilledIcon height="16" />
+              )
+            }
             onClick={() => {
-              setProvider('email');
+              authEmail();
             }}
             variant={'secondary'}
             disabled={!email || !emailValid || !!loading}

packages/frontend/src/utils/turnkey-frontend.ts

@@ -0,0 +1,144 @@
+import { TurnkeyClient, getWebAuthnAttestation } from '@turnkey/http';
+import { WebauthnStamper } from '@turnkey/webauthn-stamper';
+
+const baseUrl = import.meta.env.VITE_SERVER_URL;
+
+const PASSKEY_WALLET_RPID = import.meta.env.VITE_PASSKEY_WALLET_RPID!;
+const TURNKEY_BASE_URL = import.meta.env.VITE_TURNKEY_API_BASE_URL!;
+
+// All algorithms can be found here: https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+// We only support ES256, which is listed here
+const es256 = -7;
+
+export async function subOrganizationIdForEmail(
+  email: string,
+): Promise<string | null> {
+  const res = await fetch(`${baseUrl}/auth/registration/${email}`);
+
+  // If API returns a non-empty 200, this email maps to an existing user.
+  if (res.status == 200) {
+    return (await res.json()).subOrganizationId;
+  } else if (res.status === 204) {
+    return null;
+  } else {
+    throw new Error(
+      `Unexpected response from registration status endpoint: ${res.status}: ${await res.text()}`,
+    );
+  }
+}
+
+/**
+ * This signup function triggers a webauthn "create" ceremony and POSTs the resulting attestation to the backend
+ * The backend uses Turnkey to create a brand new sub-organization with a new private key.
+ * @param email user email
+ */
+export async function turnkeySignup(email: string) {
+  const challenge = generateRandomBuffer();
+  const authenticatorUserId = generateRandomBuffer();
+
+  // An example of possible options can be found here:
+  // https://www.w3.org/TR/webauthn-2/#sctn-sample-registration
+  const attestation = await getWebAuthnAttestation({
+    publicKey: {
+      rp: {
+        id: PASSKEY_WALLET_RPID,
+        name: 'Demo Passkey Wallet',
+      },
+      challenge,
+      pubKeyCredParams: [
+        {
+          // This constant designates the type of credential we want to create.
+          // The enum only supports one value, "public-key"
+          // https://www.w3.org/TR/webauthn-2/#enumdef-publickeycredentialtype
+          type: 'public-key',
+          alg: es256,
+        },
+      ],
+      user: {
+        id: authenticatorUserId,
+        name: email,
+        displayName: email,
+      },
+      authenticatorSelection: {
+        requireResidentKey: true,
+        residentKey: 'required',
+        userVerification: 'preferred',
+      },
+    },
+  });
+
+  const res = await fetch(`${baseUrl}/auth/register`, {
+    method: 'POST',
+    body: JSON.stringify({
+      email,
+      attestation,
+      challenge: base64UrlEncode(challenge),
+    }),
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    credentials: 'include',
+  });
+
+  if (res.status !== 200) {
+    throw new Error(
+      `Unexpected response from registration endpoint: ${res.status}: ${await res.text()}`,
+    );
+  }
+}
+
+// In order to know whether the user is logged in for `subOrganizationId`, we make them sign
+// a request for Turnkey's "whoami" endpoint.
+// The backend will then forward to Turnkey and get a response on whether the stamp was valid.
+// If this is successful, our backend will issue a logged in session.
+export async function turnkeySignin(subOrganizationId: string) {
+  const stamper = new WebauthnStamper({
+    rpId: PASSKEY_WALLET_RPID,
+  });
+  const client = new TurnkeyClient(
+    {
+      baseUrl: TURNKEY_BASE_URL,
+    },
+    stamper,
+  );
+
+  var signedRequest;
+  try {
+    signedRequest = await client.stampGetWhoami({
+      organizationId: subOrganizationId,
+    });
+  } catch (e) {
+    throw new Error(`Error during webauthn prompt: ${e}`);
+  }
+
+  const res = await fetch(`${baseUrl}/auth/authenticate`, {
+    method: 'POST',
+    body: JSON.stringify({
+      signedWhoamiRequest: signedRequest,
+    }),
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    credentials: 'include',
+  });
+
+  if (res.status !== 200) {
+    throw new Error(
+      `Unexpected response from authentication endpoint: ${res.status}: ${await res.text()}`,
+    );
+  }
+}
+
+const generateRandomBuffer = (): ArrayBuffer => {
+  const arr = new Uint8Array(32);
+  crypto.getRandomValues(arr);
+  return arr.buffer;
+};
+
+const base64UrlEncode = (challenge: ArrayBuffer): string => {
+  return Buffer.from(challenge)
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+};

yarn.lock

@@ -4183,7 +4183,7 @@
   resolved "https://registry.yarnpkg.com/@turnkey/encoding/-/encoding-0.1.0.tgz#85461c3aa11c70882cc2b0853f5db40f576c3ac9"
   integrity sha512-aLmLrWtvV1k9UyGzuzMpBFdwleCH8VpzXIriusVMrFLiQp+4uHCS9cwrEG1glg3207ewWFDtvgj31qLoJS29pg==
 
-"@turnkey/http@2.10.0", "@turnkey/http@^2.6.2":
+"@turnkey/http@2.10.0", "@turnkey/http@^2.10.0", "@turnkey/http@^2.6.2":
   version "2.10.0"
   resolved "https://registry.yarnpkg.com/@turnkey/http/-/http-2.10.0.tgz#9e8d0dc6279719e3efaf5ae1df7dc9fd5a111ecf"
   integrity sha512-5I2VwOzxYGxmSy8UOZn8rsV23gmK8v93KqNZ/mjf4GrFQ69q8LCaAFmrH1Zo+/J7eq0/GQdxNqBHfJKLp5iihw==
@@ -4193,11 +4193,42 @@
     "@turnkey/webauthn-stamper" "0.5.0"
     cross-fetch "^3.1.5"
 
-"@turnkey/iframe-stamper@^1.0.0":
+"@turnkey/iframe-stamper@1.2.0", "@turnkey/iframe-stamper@^1.0.0":
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/@turnkey/iframe-stamper/-/iframe-stamper-1.2.0.tgz#bba478e391a266833f1a5960b9f1df9de5934fb8"
   integrity sha512-OXbCVVzypa0AXa6dcNpfu8Q0xY/sq2nGXwhesrUQmE7V5I5nYYHZE3sQv54lErToX6H6YyDR9Z1DuPzEUkYTjw==
 
+"@turnkey/sdk-browser@0.1.0":
+  version "0.1.0"
+  resolved "https://registry.yarnpkg.com/@turnkey/sdk-browser/-/sdk-browser-0.1.0.tgz#8bab3f0600644025b8935d8e6e8c0e193d3a763b"
+  integrity sha512-afgn/pP/HQ4fMoVk7q/vPbNCAQKlEuIREX++tdovl1Wr8IXGuzXDz8sXm4R1T6RU/gl+KzsE9B1EfKpr6JoriQ==
+  dependencies:
+    "@turnkey/api-key-stamper" "0.4.0"
+    "@turnkey/http" "2.10.0"
+    "@turnkey/iframe-stamper" "1.2.0"
+    "@turnkey/webauthn-stamper" "0.5.0"
+    buffer "^6.0.3"
+    cross-fetch "^3.1.5"
+    elliptic "^6.5.5"
+
+"@turnkey/sdk-react@^0.1.0":
+  version "0.1.0"
+  resolved "https://registry.yarnpkg.com/@turnkey/sdk-react/-/sdk-react-0.1.0.tgz#ec7016410db6c5fec5863f5d7844340b59cee133"
+  integrity sha512-a7CzXtQJJGlB5TrK9Cean/Ry4EmTkdqDns5UWk3Vg6DAoCaUmKFmNHqFA4bT+JDvbkXRbmhkmsjh/hRrh4IHCA==
+  dependencies:
+    "@turnkey/sdk-browser" "0.1.0"
+
+"@turnkey/sdk-server@^0.1.0":
+  version "0.1.0"
+  resolved "https://registry.yarnpkg.com/@turnkey/sdk-server/-/sdk-server-0.1.0.tgz#899d199e2382a2ea4a933d1f408d96bee83d18d1"
+  integrity sha512-INg+r1p955OsS33OkV+AEqkhIhP2QcB20bAhS+oVPskGjin93/02RvfniJvArU30arhYTKOgeHrUHWmI6lVuaw==
+  dependencies:
+    "@turnkey/api-key-stamper" "0.4.0"
+    "@turnkey/http" "2.10.0"
+    buffer "^6.0.3"
+    cross-fetch "^3.1.5"
+    elliptic "^6.5.5"
+
 "@turnkey/viem@^0.4.8":
   version "0.4.14"
   resolved "https://registry.yarnpkg.com/@turnkey/viem/-/viem-0.4.14.tgz#bbc60bd8ce478401e9e7900357de7edc792acd14"
@@ -4208,7 +4239,7 @@
     cross-fetch "^4.0.0"
     typescript "^5.1"
 
-"@turnkey/webauthn-stamper@0.5.0":
+"@turnkey/webauthn-stamper@0.5.0", "@turnkey/webauthn-stamper@^0.5.0":
   version "0.5.0"
   resolved "https://registry.yarnpkg.com/@turnkey/webauthn-stamper/-/webauthn-stamper-0.5.0.tgz#014b8c20b1732af49dacb04f396edf010d3b7f47"
   integrity sha512-iUbTUwD4f4ibdLy5PWWb7ITEz4S4VAP9/mNjFhoRY3cKVVTDfmykrVTKjPOIHWzDgAmLtgrLvySIIC9ZBVENBw==
@@ -7203,7 +7234,7 @@ elliptic@6.5.4:
     minimalistic-assert "^1.0.1"
     minimalistic-crypto-utils "^1.0.1"
 
-elliptic@^6.4.0, elliptic@^6.5.2, elliptic@^6.5.3, elliptic@^6.5.4:
+elliptic@^6.4.0, elliptic@^6.5.2, elliptic@^6.5.3, elliptic@^6.5.4, elliptic@^6.5.5:
   version "6.5.5"
   resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.5.tgz#c715e09f78b6923977610d4c2346d6ce22e6dded"
   integrity sha512-7EjbcmUm17NQFu4Pmgmq2olYMj8nwMnpcddByChSUjArp8F5DQWcIcpriwO4ZToLNAJig0yiyjswfyGNje/ixw==