Skip to content

feat(sdk-core): add webauthnInfo support to bulkAcceptShare#8365

Draft
derranW26 wants to merge 2 commits intomasterfrom
WP-8314-bulk-accept-webauthn-info
Draft

feat(sdk-core): add webauthnInfo support to bulkAcceptShare#8365
derranW26 wants to merge 2 commits intomasterfrom
WP-8314-bulk-accept-webauthn-info

Conversation

@derranW26
Copy link
Copy Markdown

@derranW26 derranW26 commented Mar 27, 2026

Summary

  • Adds AcceptShareWebauthnInfo type and extends BulkAcceptShareOptions and AcceptShareOptionsRequest with optional webauthnInfo
  • In both ECDH and userMultiKeyRotationRequired branches of bulkAcceptShare(), encrypts wallet prv with PRF-derived passphrase when webauthnInfo is provided
  • Passphrase is consumed client-side only — never sent to server

Test plan

  • ECDH branch with webauthnInfo: verifies otpDeviceId, prfSalt, encryptedPrv present; passphrase absent
  • userMultiKeyRotationRequired branch with webauthnInfo: same assertions + pub still present
  • Backward compat: no webauthnInfo field when not provided
  • All 13 existing bulkAcceptShare tests still pass
  • tsc --noEmit passes

Ticket: WP-8314

@derranW26
feat(sdk-core): add webauthnInfo support to bulkAcceptShare
ada11fd 
When webauthnInfo is provided, each share entry now includes a second
encrypted copy of the wallet private key using the PRF-derived passphrase,
alongside the standard password-encrypted copy. The passphrase is consumed
client-side only and never sent to the server.

Ticket: WP-8314
@derranW26 derranW26 force-pushed the WP-8314-bulk-accept-webauthn-info branch from 0d54fd1 to ada11fd Compare March 27, 2026 17:51
mohammadalfaiyazbitgo
mohammadalfaiyazbitgo reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@derranW26 derranW26 marked this pull request as ready for review March 29, 2026 01:23
@derranW26 derranW26 requested review from a team as code owners March 29, 2026 01:23
@derranW26 derranW26 requested a review from a team as a code owner March 30, 2026 17:17
@sachushaji
Copy link
Copy Markdown
Contributor

sachushaji commented Mar 30, 2026

@claude

@derranW26 derranW26 marked this pull request as draft March 30, 2026 17:25
@derranW26
chore: exclude audit advisories for dev-only transitive vulnerabilities
ae8092f 
Add .iyarc exclusions for path-to-regexp (nise, express) and handlebars
(lerna) advisories that cannot be resolved without breaking dependencies.
All affected packages are dev-only or have existing mitigations.

Ticket: WP-8314
@derranW26 derranW26 force-pushed the WP-8314-bulk-accept-webauthn-info branch from 4c32ac5 to ae8092f Compare March 30, 2026 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrdanish26 mrdanish26 Awaiting requested review from mrdanish26 mrdanish26 is a code owner automatically assigned from BitGo/wallet-core

@kaustubhbitgo kaustubhbitgo Awaiting requested review from kaustubhbitgo kaustubhbitgo is a code owner automatically assigned from BitGo/wallet-core-india

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo Awaiting requested review from mohammadalfaiyazbitgo

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@derranW26 @sachushaji @mohammadalfaiyazbitgo