Skip to content

feat(core): GET-with-stamp auth endpoints + project-config OTP/magic-link#271

Merged
SahilVasava merged 3 commits into
mainfrom
sahil/adapt-backend-auth
Jun 29, 2026
Merged

feat(core): GET-with-stamp auth endpoints + project-config OTP/magic-link#271
SahilVasava merged 3 commits into
mainfrom
sahil/adapt-backend-auth

Conversation

@SahilVasava

@SahilVasava SahilVasava commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Adapts the SDK to two auth changes already on doorway-kms main.

1. GET-behind-StampCheckUser (/authenticators, /user-wallet)

These endpoints moved from POST-with-body to GET behind StampCheckUser, which requires an X-Timestamp header plus a stamp whose signed body is that timestamp value (FormatTimestamp(t) = strconv.FormatInt(t.UnixMilli(), 10)).

  • rest transport: new stampPostion: 'timestamp' — signs Date.now() (unix-millis string), sends it as X-Timestamp + the stamp header, no request body.
  • getAuthenticators / getUserWallet: switched to GET + stampPostion: 'timestamp'.

2. OTP / magic-link customization is now project-config-driven

The backend now sources OTP length/format and the magic-link URL template from the project's wallet.otp_configs row, and the request DTOs (InitOtpRequest = { contact }) no longer accept client customization — it's silently ignored. So this drops the dead params:

  • Remove otpCodeCustomization and emailCustomization from registerWithOTP, authenticateWithEmail, the core wallet wrapper, and the react sendOTP / sendMagicLink actions (and their exported types).
  • Magic-link redirect is now project-config: remove redirectURL from sendMagicLink and magicLinkBaseUrl from react-kit's AuthConfig + auth UI (+ docs).

⚠️ Operational note: with this, magic-link requires the project's wallet.otp_configs.magic_link_template to be set — there's no client-side fallback. Projects without it degrade to plain OTP.

Verification

  • Typecheck + build: wallet-core, wallet-react, wallet-react-kit, and the demo — all clean.
  • Unit tests: 741/741 (incl. a new rest.test.ts locking the timestamp-stamp wire contract).
  • Live e2e against a local main backend: OTP register/login (no customization sent) → getUserWallet (GET) → signMessage / whoami, and the full browser flow (login → dashboard → gasless tx) — all green.

Notes

  • Changeset intentionally omitted — to be added via pnpm changeset.
  • The two changes are in one commit because auth.test.ts is touched by both and can't be cleanly hunk-split; happy to split into two PRs if preferred.

@SahilVasava
adapt SDK to doorway-kms backend auth changes
36de026 
Two backend changes on doorway-kms main require SDK adaptation.

GET-behind-StampCheckUser (/authenticators, /user-wallet):
- transport: add `stampPostion: 'timestamp'` — signs the unix-millis string,
  sends it as the X-Timestamp header plus the stamp header, and sends no body
  (matches the backend's FormatTimestamp contract).
- getAuthenticators / getUserWallet: switch to GET + timestamp stamp.

OTP / magic-link customization is now project-config-driven (wallet.otp_configs);
the backend ignores client-supplied customization, so drop it:
- remove otpCodeCustomization and emailCustomization from registerWithOTP,
  authenticateWithEmail, the core wallet wrapper, and the react sendOTP /
  sendMagicLink actions (plus their exported types).
- magic-link URL template now comes from project config; remove redirectURL
  from sendMagicLink and magicLinkBaseUrl from react-kit's AuthConfig + UI.

Verified: typecheck + build (core/react/react-kit/demo), 741 unit tests, and a
live OTP register/login + getUserWallet round-trip against a local main backend.
@vercel

vercel Bot commented Jun 26, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
zerodev-signer-demo Ready Ready Preview, Comment Jun 26, 2026 3:06pm

Request Review

@SahilVasava SahilVasava mentioned this pull request Jun 26, 2026
Closed
@SahilVasava
fix(expo-example): drop removed redirectURL arg from sendMagicLink
62a1848 
Also remove stale redirectURL / magicLinkBaseUrl / otpCodeCustomization
examples from the core/react/react-kit READMEs to match the API changes.
@SahilVasava SahilVasava requested a review from jayeshbhole June 26, 2026 15:01
@SahilVasava SahilVasava requested a review from brtkx June 26, 2026 15:01
@SahilVasava
fix(e2e): parse OTP at backend default length (6)
5c5f61a 
The SDK no longer sends otpCodeCustomization, so OTP length is the backend
default (6) rather than the 7 the tests used to force. Parse accordingly.
@SahilVasava SahilVasava merged commit 2ad3c83 into main Jun 29, 2026
16 of 20 checks passed
@SahilVasava SahilVasava deleted the sahil/adapt-backend-auth branch June 29, 2026 10:08
@SahilVasava SahilVasava mentioned this pull request Jun 29, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brtkx brtkx brtkx approved these changes
@jayeshbhole jayeshbhole Awaiting requested review from jayeshbhole

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SahilVasava @brtkx