This pull request is automatically built and testable in CodeSandbox. Latest deployment of this branch, based on commit eeece39.
force-pushed 1554aec to 75847a6

force-pushed 3c59c97 to 1bbc915

update pnpm lock

force-pushed 1bbc915 to d1d5ed1
fix: require publicKey in encryptOtpCode and verify bundle signature
- Make publicKey a required parameter in encryptOtpCode to prevent generating throwaway keypairs whose private keys are discarded
- Verify OTP encryption target bundle signature against the TLS fetcher signing key before trusting targetPublic, preventing bundle tampering
- Update verifyOtp to create/persist key via apiKeyStamper.createKeyPair() and return the publicKey in VerifyOtpResult for use in subsequent loginWithOtp/signUpWithOtp calls
- Export verifyEnclaveSignature from @turnkey/crypto for reuse
- Selectively export production key constants from @turnkey/crypto

force-pushed 25bbfbb to bdc3d66
fix OTP client signature and encryption
- loginWithOtp/signUpWithOtp: sign with verification token key, not session key
- loginWithOtp: don't generate a throwaway keypair when publicKey is omitted
- OtpVerification: use HPKE (encryptOtpCode) instead of quorumKeyEncrypt, fix camelCase→snake_case field names
- Auth: reintroduce missing otpEncryptionTargetBundle state
- Export encryptOtpCode from @turnkey/core

force-pushed bdc3d66 to f9e4d74
fix(core): improve OTP key lifecycle management
- loginWithOtp: remove catchFn that deleted caller-provided keys on failure
- verifyOtp: add generatedPublicKey tracking and finallyFn to fix key leak on failure
- signUpWithOtp: switch from catchFn to finallyFn, only clean up auto-generated keys
- completeOtp: add key tracking and finallyFn since inner methods no longer clean up caller-provided keys
- shared.ts: add JSDoc to VerifyOtpParams, VerifyOtpResult, LoginWithOtpParams, SignUpWithOtpParams, CompleteOtpParams
- examples/with-sdk-js: fix initOtp result handling and pass otpEncryptionTargetBundle to completeOtp
- Update changeset with key lifecycle notes
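The key-lifecycle rule these commits describe (track whether a call generated its own keypair, clean up in a finally handler only when it did, and never delete a caller-provided key) is small enough to show in full. The block below is an added illustration, not code from the @turnkey SDK: `KeyStore`, `submitOtp`, the accepted OTP value and the token format are constructed stand-ins, and `verifyOtpWithCatchFn` reproduces the pre-fix shape (a catch handler that deletes whatever key was in use) next to the hardened `verifyOtp`.

```typescript
// Added example (not @turnkey SDK code): clean up a keypair on failure only
// when this call generated it; a caller-provided key is never deleted.
// KeyStore, submitOtp and the token format are constructed stand-ins.

type VerifyOtpParams = {
  otpCode: string;
  publicKey?: string; // caller-provided key; when omitted one is generated here
};

type VerifyOtpResult = {
  verificationToken: string;
  publicKey: string; // returned so the caller can reuse it in the next step
};

// Minimal in-memory stand-in for a stamper's persisted keypairs.
class KeyStore {
  private readonly keys = new Set<string>();
  private counter = 0;

  createKeyPair(): string {
    const publicKey = `generated-key-${++this.counter}`;
    this.keys.add(publicKey);
    return publicKey;
  }

  deleteKeyPair(publicKey: string): void {
    this.keys.delete(publicKey);
  }

  has(publicKey: string): boolean {
    return this.keys.has(publicKey);
  }

  size(): number {
    return this.keys.size;
  }
}

// Constructed stand-in for the server-side OTP check: only "123456" is accepted.
function submitOtp(otpCode: string, publicKey: string): string {
  if (otpCode !== "123456") {
    throw new Error("invalid OTP code");
  }
  return `token-for-${publicKey}`;
}

// Hardened shape: remember whether we generated the key, clean up in finally.
function verifyOtp(store: KeyStore, params: VerifyOtpParams): VerifyOtpResult {
  let generatedPublicKey: string | undefined;
  let publicKey = params.publicKey;
  if (publicKey === undefined) {
    publicKey = store.createKeyPair();
    generatedPublicKey = publicKey;
  }
  let succeeded = false;
  try {
    const verificationToken = submitOtp(params.otpCode, publicKey);
    succeeded = true;
    return { verificationToken, publicKey };
  } finally {
    // On failure, remove only a key this call created. A caller-provided key
    // belongs to the caller and must survive. On success a generated key is
    // kept, because the returned publicKey is needed by the next call.
    if (!succeeded && generatedPublicKey !== undefined) {
      store.deleteKeyPair(generatedPublicKey);
    }
  }
}

// Pre-fix shape described in the commit message: a catch handler that deletes
// whatever key was used, so a caller-provided key is destroyed on any failure.
function verifyOtpWithCatchFn(store: KeyStore, params: VerifyOtpParams): VerifyOtpResult {
  const publicKey = params.publicKey ?? store.createKeyPair();
  try {
    return { verificationToken: submitOtp(params.otpCode, publicKey), publicKey };
  } catch (err) {
    store.deleteKeyPair(publicKey); // wrong: does not distinguish caller-provided keys
    throw err;
  }
}
```

The `succeeded` flag is what lets a single finally handler cover both outcomes: a generated key is persisted on success (the caller needs it for the follow-up login or sign-up call) and removed on failure, while a key the caller passed in is left untouched either way.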
Summary & Motivation
How I Tested These Changes
Did you add a changeset?
If updating one of our packages, you'll likely need to add a changeset to your PR. To do so, run pnpm changeset. pnpm changeset will generate a file where you should write a human-friendly message about the changes. Note how this (example) includes the package name (should be auto added by the command) along with the type of semver change (major.minor.patch) (which you should set). These changes will be used at release time to determine what packages to publish and how to bump their version. For more context see this comment.