Merge pull request #1044 from Web3Auth/add-whitelistUrl

replace `whitelistUrl` function with inline implementation
Web3Auth · Feb 6, 2025 · df1ceb4 · df1ceb4
2 parents b450e3f + 763fa64
commit df1ceb4
Showing 1 changed file with 32 additions and 13 deletions.
diff --git a/docs/dashboard-setup/whitelisting.mdx b/docs/dashboard-setup/whitelisting.mdx
@@ -40,35 +40,54 @@ following
 
 You can use the manual origin whitelisting method to whitelist URLs without using the Developer
 Dashboard. `AuthAdapter` accepts a parameter called `originData` inside the `adapterSettings`.
-`originData` is a key value pair where the key is the origin URL and the value is a `signature`. The
-signature is generated by `whitelistUrl` function from the `@web3auth/auth` package. The
-`whitelistUrl` function accepts the `clientId`, `clientSecret` and `origin` as parameters.
+`originData` is a key-value pair where the key is the origin URL and the value is a `signature`. The
+signature is generated using the `whitelistUrl` function.
 
 :::warning Note
 
 Please perform this in a highly secure environment. The `clientSecret` should not be exposed to the
-public making this a risky process.
+public, making this a risky process.
 
 :::
 
 ```tsx
 import { AuthAdapter } from "@web3auth/auth-adapter";
-import { whitelistUrl } from "@web3auth/auth";
 import { CommonPrivateKeyProvider } from "@web3auth/base-provider";
+import { getPublic, sign } from "@toruslabs/eccrypto";
+import { keccak256 } from "@toruslabs/metadata-helpers";
+import base64urlLib from "base64url";
+
+const base64url = base64urlLib;
+
+const whitelistUrl = async (clientId: string, clientSecret: string, origin: string) => {
+  const appKeyBuf = Buffer.from(clientSecret.padStart(64, "0"), "hex");
+
+  if (base64url.encode(getPublic(appKeyBuf)) !== clientId) {
+    throw new Error("clientSecret mismatch");
+  }
+
+  const sig = await sign(appKeyBuf, keccak256(Buffer.from(origin, "utf8")));
+  return base64url.encode(sig);
+};
 
 const clientId = "YOUR_CLIENT_ID"; // get from https://dashboard.web3auth.io
 const clientSecret = "CORRESPONDING_CLIENT_SECRET"; // get from https://dashboard.web3auth.io
 const origin = "https://example.com";
 
 const privateKeyProvider = new CommonPrivateKeyProvider({ config: { chainConfig } });
-const sig = await whitelistUrl(clientId, clientSecret, origin);
-
-const authAdapter = new AuthAdapter({
-  privateKeyProvider,
-  adapterSettings: {
-    originData: { [origin]: sig },
-  },
-});
+
+(async () => {
+  const sig = await whitelistUrl(clientId, clientSecret, origin);
+
+  const authAdapter = new AuthAdapter({
+    privateKeyProvider,
+    adapterSettings: {
+      originData: { [origin]: sig },
+    },
+  });
+
+  console.log("AuthAdapter initialized:", authAdapter);
+})();
 ```
 
 ### How to secure deep linking via whitelisting strategies to avoid phishing attacks?