thirdweb-dev · d4mr · Aug 27, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 28, 2024
@@ -0,0 +1,4 @@
+TEST_AWS_KMS_KEY_ID=""
+TEST_AWS_KMS_ACCESS_KEY_ID=""
+TEST_AWS_KMS_SECRET_ACCESS_KEY=""
+TEST_AWS_KMS_REGION=""
@@ -1,4 +1,5 @@
 dist/
 coverage/
 .watchmanconfig
-*storybook.log
+*storybook.log
+.env.test
@@ -198,6 +198,7 @@
     "@walletconnect/ethereum-provider": "2.12.2",
     "@walletconnect/sign-client": "^2.13.3",
     "abitype": "1.0.5",
+    "aws-kms-signer": "^0.5.3",
     "fast-text-encoding": "^1.0.6",
     "fuse.js": "7.0.0",
     "input-otp": "^1.2.4",
@@ -310,6 +311,7 @@
     "node": ">=18"
   },
   "devDependencies": {
+    "@aws-sdk/client-kms": "^3.637.0",
     "@aws-sdk/client-lambda": "3.577.0",
     "@aws-sdk/credential-providers": "3.577.0",
     "@chromatic-com/storybook": "^1.5.0",
@@ -343,8 +345,8 @@
     "react-native-passkey": "3.0.0-beta2",
     "react-native-quick-crypto": "0.7.0-rc.6",
     "react-native-svg": "15.3.0",
-    "typescript": "5.5.4",
     "storybook": "^8.2.9",
+    "typescript": "5.5.4",
     "vite": "^5.3.1",
     "vitest": "1.6.0"
   }

@@ -0,0 +1,143 @@
+import { beforeAll, expect, test } from "vitest";
+import { TEST_CLIENT } from "~test/test-clients.js";
+import { typedData } from "~test/typed-data.js";
+import { ANVIL_CHAIN } from "../../test/src/chains.js";
+import { sendTransaction } from "../exports/thirdweb.js";
+import { prepareTransaction } from "../transaction/prepare-transaction.js";
+import { getAwsKmsAccount } from "./aws-kms.js";
+import { getWalletBalance } from "./utils/getWalletBalance.js";
+
+import {
+  http,
+  createTestClient,
+  parseUnits,
+  verifyMessage,
+  verifyTypedData,
+} from "viem";
+import { TEST_AWS_KMS_CONFIG } from "~test/test-aws-kms-config.js";
+import { toWei } from "../utils/units.js";
+
+let account: Awaited<ReturnType<typeof getAwsKmsAccount>>;
+
+const anvilTestClient = createTestClient({
+  mode: "anvil",
+  transport: http(ANVIL_CHAIN.rpc),
+});
+
+beforeAll(async () => {
+  account = await getAwsKmsAccount({
+    keyId: TEST_AWS_KMS_CONFIG.keyId,
+    client: TEST_CLIENT,
+    config: {
+      credentials: {
+        accessKeyId: TEST_AWS_KMS_CONFIG.accessKeyId,
+        secretAccessKey: TEST_AWS_KMS_CONFIG.secretAccessKey,
+      },
+      region: TEST_AWS_KMS_CONFIG.region,
+    },
+  });
+});
+
+test("account address is valid", () => {
+  expect(account.address).toMatch(/^0x[a-fA-F0-9]{40}$/);
+});
+
+test("sign message", async () => {
+  const message = "hello world";
+  const signature = await account.signMessage({ message });
+
+  expect(signature).toMatch(/^0x[a-fA-F0-9]{130}$/);
+
+  const isValid = await verifyMessage({
+    address: account.address,
+    message,
+    signature,
+  });
+  expect(isValid).toBe(true);
+});
+
+test("sign transaction", async () => {
+  const tx = {
+    chainId: ANVIL_CHAIN.id,
+    maxFeePerGas: parseUnits("20", 9),
+    gas: 21000n,
+    to: "0x70997970c51812dc3a010c7d01b50e0d17dc79c8",
+    value: parseUnits("1", 18),
+  };
+
+  expect(account.signTransaction).toBeDefined();
+
+  const signedTx = await account.signTransaction?.(tx);
+  expect(signedTx).toMatch(/^0x[a-fA-F0-9]+$/);
+
+  // Optionally, you can use viem to parse the transaction and verify its contents
+  // This step depends on the exact format of your signed transaction
+});
+
+test("sign typed data", async () => {
+  const signature = await account.signTypedData({
+    ...typedData.basic,
+    primaryType: "Mail",
+  });
+
+  expect(signature).toMatch(/^0x[a-fA-F0-9]{130}$/);
+
+  const isValid = await verifyTypedData({
+    address: account.address,
+    ...typedData.basic,
+    primaryType: "Mail",
+    signature,
+  });
+  expect(isValid).toBe(true);
+});
+
+test("send transaction", async () => {
+  const recipient = "0x70997970c51812dc3a010c7d01b50e0d17dc79c8";
+
+  await anvilTestClient.setBalance({
+    address: account.address,
+    value: toWei("10"),
+  });
+
+  const startingBalance = await getWalletBalance({
+    address: account.address,
+    chain: ANVIL_CHAIN,
+    client: TEST_CLIENT,
+  });
+
+  const startingBalanceRecipient = await getWalletBalance({
+    address: recipient,
+    chain: ANVIL_CHAIN,
+    client: TEST_CLIENT,
+  });
+
+  const tx = prepareTransaction({
+    client: TEST_CLIENT,
+    chain: ANVIL_CHAIN,
+    to: recipient,
+    value: parseUnits("1", 18),
+  });
+
+  const result = await sendTransaction({
+    account,
+    transaction: tx,
+  });
+
+  expect(result.transactionHash).toMatch(/^0x[a-fA-F0-9]{64}$/);
+
+  const endingBalance = await getWalletBalance({
+    address: account.address,
+    client: TEST_CLIENT,
+    chain: ANVIL_CHAIN,
+  });
+  const endingBalanceRecipient = await getWalletBalance({
+    address: recipient,
+    client: TEST_CLIENT,
+    chain: ANVIL_CHAIN,
+  });
+
+  expect(endingBalance.value).toBeLessThan(startingBalance.value);
+  expect(endingBalanceRecipient.value).toBeGreaterThan(
+    startingBalanceRecipient.value,
+  );
+});
@@ -0,0 +1,129 @@
+import type { KMSClientConfig } from "@aws-sdk/client-kms";
+import { KmsSigner } from "aws-kms-signer";
+import type {
+  SignableMessage,
+  TransactionSerializable,
+  TypedData,
+  TypedDataDefinition,
+} from "viem";
+import { hashTypedData, toBytes } from "viem";
+import { getCachedChain } from "../chains/utils.js";
+import type { ThirdwebClient } from "../client/client.js";
+import { eth_sendRawTransaction } from "../rpc/actions/eth_sendRawTransaction.js";
+import { getRpcClient } from "../rpc/rpc.js";
+import { serializeTransaction } from "../transaction/serialize-transaction.js";
+import type { Address } from "../utils/address.js";
+import type { Hex } from "../utils/encoding/hex.js";
+import { keccak256 } from "../utils/hashing/keccak256.js";
+import type { Account } from "./interfaces/wallet.js";
+
+const Buffer = globalThis.Buffer;
+
+type SendTransactionResult = {
+  transactionHash: Hex;
+};
+
+type SendTransactionOption = TransactionSerializable & {
+  chainId: number;
+};
+
+type AwsKmsAccountOptions = {
+  keyId: string;
+  config?: KMSClientConfig;
+  client: ThirdwebClient;
+};
+
+export async function getAwsKmsAccount(
+  options: AwsKmsAccountOptions,
+): Promise<Account> {
+  if (typeof Buffer === "undefined") {
+    throw new Error("AwsKmsAccount only works in Node.js environment");
+  }
+
+  const { keyId, config, client } = options;
+  const signer = new KmsSigner(keyId, config);
+
+  // Populate address immediately
+  const addressUnprefixed = await signer.getAddress();
+  const address = `0x${addressUnprefixed}` as Address;
+
+  async function signTransaction(tx: TransactionSerializable): Promise<Hex> {
+    const serializedTx = serializeTransaction({ transaction: tx });
+    const txHash = keccak256(serializedTx);
+
+    // we don't polyfill buffer, but signer.sign explicitly requires a buffer
+    // what do we do here?
+    const signature = await signer.sign(Buffer.from(txHash.slice(2), "hex"));
+
+    const r = `0x${signature.r.toString("hex")}` as Hex;
+    const s = `0x${signature.s.toString("hex")}` as Hex;
+    const v = signature.v;
+
+    const yParity = v % 2 === 0 ? 1 : (0 as 0 | 1);
+
+    const signedTx = serializeTransaction({
+      transaction: tx,
+      signature: {
+        r,
+        s,
+        yParity,
+      },
+    });
+
+    return signedTx;
+  }
+
+  async function signMessage({
+    message,
+  }: {
+    message: SignableMessage;
+  }): Promise<Hex> {
+    let messageHash: Hex;
+    if (typeof message === "string") {
+      const prefixedMessage = `\x19Ethereum Signed Message:\n${message.length}${message}`;
+      messageHash = keccak256(toBytes(prefixedMessage));
+    } else if ("raw" in message) {
+      messageHash = keccak256(message.raw);
+    } else {
+      throw new Error("Invalid message format");
+    }
+
+    const signature = await signer.sign(
+      Buffer.from(messageHash.slice(2), "hex"),
+    );
+    return `0x${signature.toString()}`;
+  }
+
+  async function signTypedData<
+    const typedData extends TypedData | Record<string, unknown>,
+    primaryType extends keyof typedData | "EIP712Domain" = keyof typedData,
+  >(_typedData: TypedDataDefinition<typedData, primaryType>): Promise<Hex> {
+    const typedDataHash = hashTypedData(_typedData);
+    const signature = await signer.sign(
+      Buffer.from(typedDataHash.slice(2), "hex"),
+    );
+    return `0x${signature.toString()}`;
+  }
+
+  async function sendTransaction(
+    tx: SendTransactionOption,
+  ): Promise<SendTransactionResult> {
+    const rpcRequest = getRpcClient({
+      client: client,
+      chain: getCachedChain(tx.chainId),
+    });
+
+    const signedTx = await signTransaction(tx);
+
+    const transactionHash = await eth_sendRawTransaction(rpcRequest, signedTx);
+    return { transactionHash };
+  }
+
+  return {
+    address,
+    sendTransaction,
+    signMessage,
+    signTypedData,
+    signTransaction,
+  } satisfies Account;
+}
@@ -0,0 +1,22 @@
+import { assert } from "vitest";
+
+const TEST_AWS_KMS_ACCESS_KEY_ID = process.env.TEST_AWS_KMS_ACCESS_KEY_ID;
+const TEST_AWS_KMS_SECRET_ACCESS_KEY =
+  process.env.TEST_AWS_KMS_SECRET_ACCESS_KEY;
+const TEST_AWS_KMS_KEY_ID = process.env.TEST_AWS_KMS_KEY_ID;
+const TEST_AWS_KMS_REGION = process.env.TEST_AWS_KMS_REGION;
+
+assert(TEST_AWS_KMS_ACCESS_KEY_ID, "TEST_AWS_KMS_ACCESS_KEY_ID is required");
+assert(
+  TEST_AWS_KMS_SECRET_ACCESS_KEY,
+  "TEST_AWS_KMS_SECRET_ACCESS_KEY is required",
+);
+assert(TEST_AWS_KMS_KEY_ID, "TEST_AWS_KMS_KEY_ID is required");
+assert(TEST_AWS_KMS_REGION, "TEST_AWS_KMS_REGION is required");
+
+export const TEST_AWS_KMS_CONFIG = {
+  accessKeyId: TEST_AWS_KMS_ACCESS_KEY_ID,
+  secretAccessKey: TEST_AWS_KMS_SECRET_ACCESS_KEY,
+  region: TEST_AWS_KMS_REGION,
+  keyId: TEST_AWS_KMS_KEY_ID,
+};