[WIP] support IAW auth tokens for EOA signing

joaquim-verges · joaquim-verges · commit 70d35cebd0d7 · 2025-06-26T22:57:45.000+12:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/core/src/credentials.rs b/core/src/credentials.rs
@@ -1,7 +1,13 @@
 use serde::{Deserialize, Serialize};
+use thirdweb_core::auth::ThirdwebAuth;
+use thirdweb_core::iaw::AuthToken;
 use vault_types::enclave::auth::Auth;
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum SigningCredential {
     Vault(Auth),
+    Iaw { 
+        auth_token: AuthToken, 
+        thirdweb_auth: ThirdwebAuth 
+    },
 }
diff --git a/core/src/error.rs b/core/src/error.rs
@@ -8,6 +8,7 @@ use alloy::{
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use thirdweb_core::error::ThirdwebError;
+
 use thiserror::Error;
 use twmq::error::TwmqError;
 
@@ -206,6 +207,11 @@ pub enum EngineError {
     #[serde(rename_all = "camelCase")]
     VaultError { message: String },
 
+    #[schema(title = "Engine IAW Service Error")]
+    #[error("Error interaction with IAW service: {message}")]
+    #[serde(rename_all = "camelCase")]
+    IawError { message: String },
+
     #[schema(title = "RPC Configuration Error")]
     #[error("Bad RPC configuration: {message}")]
     RpcConfigError { message: String },
@@ -456,3 +462,11 @@ impl From<TwmqError> for EngineError {
         }
     }
 }
+
+impl From<thirdweb_core::iaw::IAWError> for EngineError {
+    fn from(error: thirdweb_core::iaw::IAWError) -> Self {
+        EngineError::IawError {
+            message: error.to_string(),
+        }
+    }
+}
diff --git a/core/src/signer.rs b/core/src/signer.rs
@@ -5,6 +5,7 @@ use alloy::{
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use serde_with::{DisplayFromStr, PickFirst, serde_as};
+use thirdweb_core::iaw::IAWClient;
 use vault_sdk::VaultClient;
 use vault_types::enclave::encrypted::eoa::MessageFormat;
 
@@ -164,12 +165,13 @@ pub trait AccountSigner {
 #[derive(Clone)]
 pub struct EoaSigner {
     pub vault_client: VaultClient,
+    pub iaw_client: IAWClient,
 }
 
 impl EoaSigner {
     /// Create a new EOA signer
-    pub fn new(vault_client: VaultClient) -> Self {
-        Self { vault_client }
+    pub fn new(vault_client: VaultClient, iaw_client: IAWClient) -> Self {
+        Self { vault_client, iaw_client }
     }
 }
 
@@ -196,12 +198,37 @@ impl AccountSigner for EoaSigner {
                     )
                     .await
                     .map_err(|e| {
-                        tracing::error!("Error signing message with EOA: {:?}", e);
+                        tracing::error!("Error signing message with EOA (Vault): {:?}", e);
                         e
                     })?;
 
                 Ok(vault_result.signature)
             }
+            SigningCredential::Iaw { auth_token, thirdweb_auth } => {
+                // Convert MessageFormat to IAW MessageFormat
+                let iaw_format = match format {
+                    MessageFormat::Text => thirdweb_core::iaw::MessageFormat::Text,
+                    MessageFormat::Hex => thirdweb_core::iaw::MessageFormat::Hex,
+                };
+
+                let iaw_result = self
+                    .iaw_client
+                    .sign_message(
+                        auth_token,
+                        thirdweb_auth,
+                        message.to_string(),
+                        options.from,
+                        options.chain_id,
+                        Some(iaw_format),
+                    )
+                    .await
+                    .map_err(|e| {
+                        tracing::error!("Error signing message with EOA (IAW): {:?}", e);
+                        EngineError::from(e)
+                    })?;
+
+                Ok(iaw_result.signature)
+            }
         }
     }
 
@@ -218,12 +245,29 @@ impl AccountSigner for EoaSigner {
                     .sign_typed_data(auth_method.clone(), typed_data.clone(), options.from)
                     .await
                     .map_err(|e| {
-                        tracing::error!("Error signing typed data with EOA: {:?}", e);
+                        tracing::error!("Error signing typed data with EOA (Vault): {:?}", e);
                         e
                     })?;
 
                 Ok(vault_result.signature)
             }
+            SigningCredential::Iaw { auth_token, thirdweb_auth } => {
+                let iaw_result = self
+                    .iaw_client
+                    .sign_typed_data(
+                        auth_token.clone(),
+                        thirdweb_auth.clone(),
+                        typed_data.clone(),
+                        options.from,
+                    )
+                    .await
+                    .map_err(|e| {
+                        tracing::error!("Error signing typed data with EOA (IAW): {:?}", e);
+                        EngineError::from(e)
+                    })?;
+
+                Ok(iaw_result.signature)
+            }
         }
     }
 }
diff --git a/core/src/userop.rs b/core/src/userop.rs
@@ -103,6 +103,12 @@ impl UserOpSigner {
                     }
                 })?)
             }
+            SigningCredential::Iaw { auth_token: _, thirdweb_auth: _ } => {
+                // IAW doesn't support UserOp signing yet
+                Err(EngineError::ValidationError {
+                    message: "IAW service does not support UserOperation signing".to_string(),
+                })
+            }
         }
     }
 }
diff --git a/server/configuration/server_base.yaml b/server/configuration/server_base.yaml
@@ -9,6 +9,7 @@ thirdweb:
     paymaster: bundler.thirdweb-dev.com
     vault: https://d2w4ge7u2axqfk.cloudfront.net
     abi_service: https://contract.thirdweb.com/abi/
+    iaw_service: https://embedded-wallet.thirdweb-dev.com
   secret: read_from_env
   client_id: read_from_env
 
diff --git a/server/configuration/server_production.yaml b/server/configuration/server_production.yaml
@@ -9,6 +9,7 @@ thirdweb:
     paymaster: bundler.thirdweb.com
     vault: https://d145tet905juug.cloudfront.net # override in env
     abi_service: https://contract.thirdweb.com/abi/ # override in env
+    iaw_service: https://embedded-wallet.thirdweb.com # override in env
   secret: read_from_env
   client_id: read_from_env
 
diff --git a/server/src/config.rs b/server/src/config.rs
@@ -51,6 +51,7 @@ pub struct ThirdwebUrls {
     pub vault: String,
     pub paymaster: String,
     pub abi_service: String,
+    pub iaw_service: String,
 }
 
 impl Default for ServerConfig {
diff --git a/server/src/http/error.rs b/server/src/http/error.rs
@@ -67,6 +67,7 @@ impl ApiEngineError {
                 _ => StatusCode::INTERNAL_SERVER_ERROR,
             },
             EngineError::VaultError { .. } => StatusCode::INTERNAL_SERVER_ERROR,
+            EngineError::IawError { .. } => StatusCode::INTERNAL_SERVER_ERROR,
             EngineError::BundlerError { .. } => StatusCode::BAD_REQUEST,
             EngineError::PaymasterError { .. } => StatusCode::BAD_REQUEST,
             EngineError::ValidationError { .. } => StatusCode::BAD_REQUEST,
diff --git a/server/src/http/extractors.rs b/server/src/http/extractors.rs
@@ -92,13 +92,61 @@ where
     type Rejection = ApiEngineError;
 
     async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        // Check for IAW credentials first (x-wallet-token)
+        if let Some(wallet_token) = parts
+            .headers
+            .get("x-wallet-token")
+            .and_then(|v| v.to_str().ok())
+        {
+            // Extract ThirdwebAuth for billing purposes
+            let thirdweb_auth = if let Some(secret_key) = parts
+                .headers
+                .get("x-thirdweb-secret-key")
+                .and_then(|v| v.to_str().ok())
+            {
+                ThirdwebAuth::SecretKey(secret_key.to_string())
+            } else {
+                // Try client ID and service key combination
+                let client_id = parts
+                    .headers
+                    .get("x-thirdweb-client-id")
+                    .and_then(|v| v.to_str().ok())
+                    .ok_or_else(|| {
+                        ApiEngineError(EngineError::ValidationError {
+                            message: "Missing x-thirdweb-client-id header when using IAW".to_string(),
+                        })
+                    })?;
+
+                let service_key = parts
+                    .headers
+                    .get("x-thirdweb-service-key")
+                    .and_then(|v| v.to_str().ok())
+                    .ok_or_else(|| {
+                        ApiEngineError(EngineError::ValidationError {
+                            message: "Missing x-thirdweb-service-key header when using IAW".to_string(),
+                        })
+                    })?;
+
+                ThirdwebAuth::ClientIdServiceKey(thirdweb_core::auth::ThirdwebClientIdAndServiceKey {
+                    client_id: client_id.to_string(),
+                    service_key: service_key.to_string(),
+                })
+            };
+
+            return Ok(SigningCredentialsExtractor(SigningCredential::Iaw {
+                auth_token: wallet_token.to_string(),
+                thirdweb_auth,
+            }));
+        }
+
+        // Fall back to Vault credentials
         let vault_access_token = parts
             .headers
             .get("x-vault-access-token")
             .and_then(|v| v.to_str().ok())
             .ok_or_else(|| {
                 ApiEngineError(EngineError::ValidationError {
-                    message: "Missing x-vault-access-token header".to_string(),
+                    message: "Missing x-vault-access-token or x-wallet-token header".to_string(),
                 })
             })?;
 
diff --git a/server/src/main.rs b/server/src/main.rs
@@ -1,7 +1,7 @@
 use std::sync::Arc;
 
 use engine_core::{signer::EoaSigner, userop::UserOpSigner};
-use thirdweb_core::{abi::ThirdwebAbiServiceBuilder, auth::ThirdwebAuth};
+use thirdweb_core::{abi::ThirdwebAbiServiceBuilder, auth::ThirdwebAuth, iaw::IAWClient};
 use thirdweb_engine::{
     chains::ThirdwebChainService,
     config,
@@ -38,10 +38,13 @@ async fn main() -> anyhow::Result<()> {
         rpc_base_url: config.thirdweb.urls.rpc,
     });
 
+    let iaw_client = IAWClient::new(&config.thirdweb.urls.iaw_service)?;
+    tracing::info!("IAW client initialized");
+
     let signer = Arc::new(UserOpSigner {
         vault_client: vault_client.clone(),
     });
-    let eoa_signer = Arc::new(EoaSigner { vault_client });
+    let eoa_signer = Arc::new(EoaSigner::new(vault_client, iaw_client));
 
     let queue_manager =
         QueueManager::new(&config.redis, &config.queue, chains.clone(), signer.clone()).await?;
diff --git a/thirdweb-core/Cargo.toml b/thirdweb-core/Cargo.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 edition = "2024"
 
 [dependencies]
-alloy = { version = "1.0.9", features = ["json-abi"] }
+alloy = { version = "1.0.9", features = ["json-abi", "consensus", "dyn-abi", "eips", "eip712"] }
 moka = { version = "0.12.10", features = ["future"] }
 reqwest = "0.12.18"
 schemars = "0.8.22"
diff --git a/thirdweb-core/src/iaw/mod.rs b/thirdweb-core/src/iaw/mod.rs
diff --git a/thirdweb-core/src/lib.rs b/thirdweb-core/src/lib.rs

Original file line number	Diff line number	Diff line change
`@@ -103,6 +103,12 @@ impl UserOpSigner {`
`103`	`103`	`}`
`104`	`104`	`})?)`
`105`	`105`	`}`
	`106`	`+ SigningCredential::Iaw { auth_token: _, thirdweb_auth: _ } => {`
	`107`	`+ // IAW doesn't support UserOp signing yet`
	`108`	`+ Err(EngineError::ValidationError {`
	`109`	`+ message: "IAW service does not support UserOperation signing".to_string(),`
	`110`	`+ })`
	`111`	`+ }`
`106`	`112`	`}`
`107`	`113`	`}`
`108`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ pub struct ThirdwebUrls {`
`51`	`51`	`pub vault: String,`
`52`	`52`	`pub paymaster: String,`
`53`	`53`	`pub abi_service: String,`
	`54`	`+ pub iaw_service: String,`
`54`	`55`	`}`
`55`	`56`
`56`	`57`	`impl Default for ServerConfig {`