feat(passport): Revocation of smart contract wallet scope

[poolsar42]

Description

Revoke Smart contract wallet session key

Updates docs to indicate revocation of SC wallet session keys

Related Issues

• Closes feat(passport): Revocation of smart contract wallet scope #2119
• Closes fix(passport): revoke button in passport doesn't disable while submitting #2410
• Closes chore(integration): Test validity of 4337 session key and update docs #2201

Testing

1. Authorise app for erc_4337 scope:
   localhost:10001/authorize?client_id=b84308327fccec7d52d454011286c6d8&redirect_uri=http://localhost&state=foo&scope=erc_4337&prompt=consent
2. After it's done, query galaxy to create session key for this SC wallet:
   curl http://localhost:10401/graphql \ -X POST \ -H 'content-type: application/json' \ -H 'X-GALAXY-KEY: %GALAXY APY KEY%' \ -H 'Authorization: Bearer %ACCESS TOKEN%' \ --data '{"query":"mutation { registerSessionKey (sessionPublicKey: \"%DEVELOPER'S WALLET ADDRESS%\", smartContractWalletAddress: \"%SMART WALLET BLOCKCHAIN ADDRESS%\" )}"}'

This endpoint will return session key, test then this session key - e.g. mint NFT with this. Here' my script

3. Revoke Access for authorised app
4. Try minting NFT with same session key once again

Checklist

• I have read the CONTRIBUTING guidelines
• I have tested my code (manually and/or automated if applicable)
• I have updated the documentation (if necessary)

[poolsar42]

This is the only valuable change in this file - I change fetcher.Form on Form from @remix-run/react. Other changes here are from prettier.

[poolsar42]

Keep it as Mumbai for now - will switch to ethereum mainnet after we decide how to do this properly

[maurerbot]

should be based on project id?

[poolsar42]

should be based on the env I'd say and project id should be based on env as well (I think this is how it is now, right?)

[maurerbot]

what env? project id's are tied to the chain.

[poolsar42]

I am talking about our env - for everything not in prod it should probably be tied to Mumbai and only mainnet on prod

[poolsar42]

Same about Mumbai in different file

[maurerbot]

should be based on project id?

[maurerbot]

this object should have the project id that was used to register the session key? It should also check if the session key is expired or not so we don't have to revoke it?

[maurerbot]

to be more generic, it should state the provider and the the provider secret used to register it.

e.g. provider: ZeroDev, config: {projectId: <project id>}

[poolsar42]

This revocation happens only for a specific app. In our current schema we have getPaymaster endpoint in starbase which returns exactly this generic information about paymaster provider you mentioned in the last comment.

export const PaymasterProviderSchema = z.literal('zerodev')

export const PaymasterSchema = z
  .object({
    provider: PaymasterProviderSchema,
    secret: z.string(),
  })
  .optional()

as for appData it stores smart wallet addresses and dev's address to which session key was issued. Since per one app we have one session key there's no point of storing it additionally in appData.