feat: update to new signatures

for audited contracts there were some small changes

Author: cpb8010

examples/demo-app/components/SessionCreator.vue

@@ -71,9 +71,10 @@
 
 <script setup lang="ts">
 import { ref, computed } from "vue";
-import { createPublicClient, http, parseEther, type Chain, type Address } from "viem";
+import { createPublicClient, http, parseEther, type Address, type Chain } from "viem";
 import { createBundlerClient } from "viem/account-abstraction";
-import { createSession, toEcdsaSmartAccount, LimitType } from "zksync-sso-4337/client";
+import { privateKeyToAccount } from "viem/accounts";
+import { createSession, toEcdsaSmartAccount, LimitType, getSessionHash } from "zksync-sso-4337/client";
 
 interface SessionConfig {
   enabled: boolean;
@@ -234,18 +235,28 @@ async function createSessionOnChain() {
 
     // eslint-disable-next-line no-console
     console.log("Session spec created:", sessionSpec);
+
+    // Generate proof
+    const sessionHash = getSessionHash(sessionSpec);
+    const sessionSignerAccount = privateKeyToAccount(props.sessionConfig.sessionPrivateKey as `0x${string}`);
+    const proof = await sessionSignerAccount.sign({
+      hash: sessionHash,
+    });
+
     // eslint-disable-next-line no-console
     console.log("Calling createSession with:", {
       bundlerClient: !!bundlerClient,
       sessionSpec: !!sessionSpec,
       sessionValidator: props.sessionConfig.validatorAddress,
+      proof,
     });
 
     // Create the session on-chain
     let sessionResult;
     try {
       sessionResult = await createSession(bundlerClient, {
         sessionSpec,
+        proof,
         contracts: {
           sessionValidator: props.sessionConfig.validatorAddress as Address,
         },

packages/erc4337-contracts

@@ -129,6 +129,10 @@ export const SessionKeyValidatorAbi = [{
         }],
       }],
     }],
+  }, {
+    name: "proof",
+    type: "bytes",
+    internalType: "bytes",
   }],
   outputs: [],
   stateMutability: "nonpayable",

packages/sdk-4337/src/abi/SessionKeyValidator.ts

@@ -23,6 +23,11 @@ export type CreateSessionParams = {
    */
   sessionSpec: SessionSpec;
 
+  /**
+   * Proof of session key ownership (signature of session hash by session key)
+   */
+  proof: Hex;
+
   /**
    * Contract addresses
    */
@@ -82,6 +87,7 @@ export type CreateSessionReturnType = {
  *     ],
  *     transferPolicies: [],
  *   },
+ *   proof: "0x...", // Signature of session hash by session key
  *   contracts: {
  *     sessionValidator: "0x...", // SessionKeyValidator module address
  *   },
@@ -96,15 +102,15 @@ export async function createSession<
   client: Client<TTransport, TChain, TAccount>,
   params: CreateSessionParams,
 ): Promise<CreateSessionReturnType> {
-  const { sessionSpec, contracts } = params;
+  const { sessionSpec, proof, contracts } = params;
 
   if (!client.account) {
     throw new Error("Client must have an account");
   }
 
   // Convert SessionSpec into JSON string expected by wasm helper
   const sessionSpecJSON = sessionSpecToJSON(sessionSpec);
-  const callData = encode_create_session_call_data(sessionSpecJSON) as Hex;
+  const callData = encode_create_session_call_data(sessionSpecJSON, proof) as Hex;
   // Send the UserOperation to create the session using the bundler client method.
   // Note: We explicitly pass the account for broader viem compatibility.
   const bundler = client as unknown as {

packages/sdk-4337/src/client/actions/sessions.ts

@@ -50,7 +50,7 @@ export type PasskeyClientActions<TChain extends Chain = Chain, TAccount extends
   /**
    * Create a session on-chain using the provided specification
    */
-  createSession: (params: { sessionSpec: SessionSpec; contracts: { sessionValidator: Address } }) => Promise<Hash>;
+  createSession: (params: { sessionSpec: SessionSpec; proof: Hex; contracts: { sessionValidator: Address } }) => Promise<Hash>;
 };
 
 /**
@@ -93,11 +93,11 @@ export function passkeyClientActions<
     },
 
     // Create a session on-chain using the provided specification
-    createSession: async (params: { sessionSpec: SessionSpec; contracts: { sessionValidator: Address } }) => {
+    createSession: async (params: { sessionSpec: SessionSpec; proof: Hex; contracts: { sessionValidator: Address } }) => {
       // Build smart account instance (lazy, not cached here; acceptable overhead for now)
       const smartAccount = await toPasskeySmartAccount(config.passkeyAccount);
       const sessionSpecJSON = sessionSpecToJSON(params.sessionSpec);
-      const callData = encode_create_session_call_data(sessionSpecJSON) as unknown as `0x${string}`;
+      const callData = encode_create_session_call_data(sessionSpecJSON, params.proof) as unknown as `0x${string}`;
       const userOpHash = await config.bundler.sendUserOperation({
         account: smartAccount,
         calls: [

packages/sdk-4337/src/client/passkey/client-actions.ts

@@ -1,5 +1,6 @@
-import type { Address, Hex } from "viem";
+import { type Address, encodeAbiParameters, type Hex, keccak256 } from "viem";
 
+import { SessionKeyValidatorAbi } from "../../abi/SessionKeyValidator.js";
 import type { SessionSpec, UsageLimit } from "./types.js";
 
 /**
@@ -130,3 +131,23 @@ export function isSessionExpired(
 export function getSessionExpiryDate(spec: SessionSpec): Date {
   return new Date(Number(spec.expiresAt) * 1000);
 }
+
+/**
+ * Computes the hash of a session specification.
+ * This hash is signed by the session key to prove ownership.
+ */
+export function getSessionHash(spec: SessionSpec): Hex {
+  const createSessionFunction = SessionKeyValidatorAbi.find(
+    (x) => x.type === "function" && x.name === "createSession",
+  );
+  if (!createSessionFunction) throw new Error("createSession function not found in ABI");
+
+  const sessionSpecParam = createSessionFunction.inputs.find((x) => x.name === "sessionSpec");
+  if (!sessionSpecParam) throw new Error("sessionSpec param not found in createSession ABI");
+
+  const encoded = encodeAbiParameters(
+    [sessionSpecParam],
+    [spec as any],
+  );
+  return keccak256(encoded);
+}

packages/sdk-4337/src/client/session/utils.ts

@@ -1,12 +1,13 @@
 use crate::erc4337::account::modular_smart_account::guardian::contract::GuardianExecutor;
 use alloy::{
-    primitives::Address, providers::Provider, rpc::types::TransactionReceipt,
+    primitives::{Address, Bytes}, providers::Provider, rpc::types::TransactionReceipt,
 };
 
 #[derive(Clone)]
 pub struct FinalizeRecoveryParams<P: Provider + Send + Sync + Clone> {
     pub guardian_executor: Address,
     pub account: Address,
+    pub data: Bytes,
     pub guardian_provider: P,
 }
 
@@ -19,14 +20,15 @@ where
     let FinalizeRecoveryParams {
         guardian_executor,
         account,
+        data,
         guardian_provider,
     } = params;
 
     let guardian_executor_instance =
         GuardianExecutor::new(guardian_executor, guardian_provider);
 
     let receipt = guardian_executor_instance
-        .finalizeRecovery(account)
+        .finalizeRecovery(account, data)
         .send()
         .await?
         .get_receipt()
@@ -197,14 +199,14 @@ mod tests {
             address!("0x14dC79964da2C08b23698B3D3cc7Ca32193d9955");
 
         // Initialize recovery directly
+        let initialize_recovery_data: Bytes =
+            new_owner_address.abi_encode().into();
         {
-            let initialize_recovery_data =
-                new_owner_address.abi_encode().into();
             initialize_recovery(InitializeRecoveryParams {
                 guardian_executor: guardian_module,
                 account: account_address,
                 recovery_type: RecoveryType::EOA,
-                data: initialize_recovery_data,
+                data: initialize_recovery_data.clone(),
                 guardian_provider: guardian_provider.clone(),
             })
             .await?;
@@ -223,6 +225,7 @@ mod tests {
         finalize_recovery(FinalizeRecoveryParams {
             guardian_executor: guardian_module,
             account: account_address,
+            data: initialize_recovery_data,
             guardian_provider: guardian_provider.clone(),
         })
         .await?;

packages/sdk-platforms/rust/zksync-sso-erc4337/crates/zksync-sso-erc4337-core/src/erc4337/account/modular_smart_account/guardian/recovery/finalize.rs

@@ -23,6 +23,7 @@ use alloy::{
 pub struct CreateSessionParams<P: Provider + Send + Sync + Clone> {
     pub account_address: Address,
     pub spec: SessionSpec,
+    pub proof: Bytes,
     pub entry_point_address: Address,
     pub session_key_validator: Address,
     pub paymaster: Option<PaymasterParams>,
@@ -40,6 +41,7 @@ where
     let CreateSessionParams {
         account_address,
         spec,
+        proof,
         entry_point_address,
         session_key_validator,
         paymaster,
@@ -48,7 +50,7 @@ where
         signer,
     } = params;
 
-    let call_data = add_session_call_data(spec, session_key_validator);
+    let call_data = add_session_call_data(spec, proof, session_key_validator);
 
     send_user_op(SendUserOpParams {
         account: account_address,
@@ -66,17 +68,18 @@ where
     Ok(())
 }
 
-pub fn create_session_call_data(spec: SessionSpec) -> Bytes {
-    SessionKeyValidator::createSessionCall { sessionSpec: spec.into() }
+pub fn create_session_call_data(spec: SessionSpec, proof: Bytes) -> Bytes {
+    SessionKeyValidator::createSessionCall { sessionSpec: spec.into(), proof }
         .abi_encode()
         .into()
 }
 
 fn add_session_call_data(
     spec: SessionSpec,
+    proof: Bytes,
     session_key_validator: Address,
 ) -> Bytes {
-    let calldata = create_session_call_data(spec);
+    let calldata = create_session_call_data(spec, proof);
     encoded_call_with_target_and_data(session_key_validator, calldata)
 }
 

packages/sdk-platforms/rust/zksync-sso-erc4337/crates/zksync-sso-erc4337-core/src/erc4337/account/modular_smart_account/session/create.rs

@@ -1685,15 +1685,20 @@ pub fn generate_session_stub_signature_wasm(
 #[wasm_bindgen]
 pub fn encode_create_session_call_data(
     session_spec_json: String,
+    proof: String,
 ) -> Result<String, JsValue> {
     // Parse SessionSpec from JSON
     let spec: SessionSpec =
         serde_json::from_str(&session_spec_json).map_err(|e| {
             JsValue::from_str(&format!("Invalid SessionSpec JSON: {}", e))
         })?;
 
+    let proof_bytes = hex::decode(proof.trim_start_matches("0x")).map_err(|e| {
+        JsValue::from_str(&format!("Invalid proof hex: {}", e))
+    })?;
+
     // Build createSession call and ABI encode
-    let create_session_calldata = create_session_call_data_core(spec);
+    let create_session_calldata = create_session_call_data_core(spec, proof_bytes.into());
 
     Ok(format!("0x{}", hex::encode(create_session_calldata)))
 }