iota_types/auth_context/

mod.rs

// Copyright (c) 2026 IOTA Stiftung
// SPDX-License-Identifier: Apache-2.0

mod fields_v1;

pub use fields_v1::*;
use move_binary_format::{CompiledModule, file_format::SignatureToken};
use move_bytecode_utils::resolve_struct;
use move_core_types::{
    account_address::AccountAddress, ident_str, identifier::IdentStr, language_storage::StructTag,
};
use serde::Serialize;

use crate::{
    IOTA_FRAMEWORK_ADDRESS,
    account_abstraction::authenticator_function::{
        AuthenticatorFunctionRef, AuthenticatorFunctionRefV1,
    },
    digests::{Digest, MoveAuthenticatorDigest},
    transaction::ProgrammableTransaction,
};

pub const AUTH_CONTEXT_MODULE_NAME: &IdentStr = ident_str!("auth_context");
pub const AUTH_CONTEXT_STRUCT_NAME: &IdentStr = ident_str!("AuthContext");

/// `AuthContext` provides a lightweight execution context used during the
/// authentication phase of a transaction.
///
/// It allows authenticator functions to:
/// - Inspect the programmable transaction block (PTB) inputs and commands
/// - Perform function-level permission checks
/// - Support OTP, time-locked auth, or regulatory rule enforcement
///
/// This struct is **immutable** during the auth phase and must not allow
/// mutation of state or access to storage beyond what is declared.
///
/// It is guaranteed to be available to all smart accounts implementing a
/// custom authenticator function.
///
/// Typical use:
/// ```move
/// public fun authenticate(account: &Account, signature: &vector<u8>, auth_ctx: &AuthContext, ctx: &TxContext) {
///     assert!(ed25519::ed25519_verify(signature, &account.pub_key, ctx.digest()), EEd25519VerificationFailed);
///
///     assert!(is_authorized(&extract_function_key(&auth_ctx)), EUnauthorized);
///     ...
/// }
/// ```
// Conceptually similar to `TxContext`, but designed specifically for use in the authentication
// flow.
#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
pub struct AuthContext {
    /// The digest of the MoveAuthenticator
    auth_digest: MoveAuthenticatorDigest,
    /// The sender's auth digest. For [`MoveAuthenticator`] signatures equals
    /// [`MoveAuthenticator::digest()`]; for others Blake2b256 of the
    /// serialized (flag-prefixed) signature bytes.
    sender_auth_digest: Digest,
    /// The sponsor's auth digest, present only for sponsored transactions.
    /// For [`MoveAuthenticator`] signatures equals
    /// [`MoveAuthenticator::digest()`]; for others Blake2b256 of the
    /// serialized (flag-prefixed) signature bytes.
    sponsor_auth_digest: Option<Digest>,
    /// The sender's authenticator function ref, present when the sender uses a
    /// [`MoveAuthenticator`] signature.
    sender_authenticator_function_ref_v1: Option<AuthenticatorFunctionRefV1>,
    /// The sponsor's authenticator function ref, present when the sponsor uses
    /// a [`MoveAuthenticator`] signature.
    sponsor_authenticator_function_ref_v1: Option<AuthenticatorFunctionRefV1>,
    /// The authentication input objects or primitive values
    tx_inputs: Vec<MoveCallArg>,
    /// The authentication commands to be executed sequentially.
    tx_commands: Vec<MoveCommand>,
    /// The BCS-serialized `TransactionData` bytes.
    tx_data_bytes: Vec<u8>,
}

impl AuthContext {
    pub fn new_from_components(
        auth_digest: MoveAuthenticatorDigest,
        sender_auth_digest: Digest,
        sponsor_auth_digest: Option<Digest>,
        sender_authenticator_function_ref_v1: Option<AuthenticatorFunctionRefV1>,
        sponsor_authenticator_function_ref_v1: Option<AuthenticatorFunctionRefV1>,
        ptb: &ProgrammableTransaction,
        tx_data_bytes: Vec<u8>,
    ) -> Self {
        Self {
            auth_digest,
            sender_auth_digest,
            sponsor_auth_digest,
            sender_authenticator_function_ref_v1,
            sponsor_authenticator_function_ref_v1,
            tx_inputs: ptb.inputs.iter().map(MoveCallArg::from).collect(),
            tx_commands: ptb.commands.iter().map(MoveCommand::from).collect(),
            tx_data_bytes,
        }
    }

    pub fn new_for_testing() -> Self {
        Self {
            auth_digest: MoveAuthenticatorDigest::default(),
            sender_auth_digest: Digest::default(),
            sponsor_auth_digest: None,
            sender_authenticator_function_ref_v1: None,
            sponsor_authenticator_function_ref_v1: None,
            tx_inputs: Vec::new(),
            tx_commands: Vec::new(),
            tx_data_bytes: Vec::new(),
        }
    }

    /// Returns the MoveAuthenticator digest.
    pub fn digest(&self) -> &MoveAuthenticatorDigest {
        &self.auth_digest
    }

    /// Returns the sender's auth digest. For
    /// [`MoveAuthenticator`](crate::move_authenticator::MoveAuthenticator)
    /// signatures equals
    /// [`MoveAuthenticator::digest()`](crate::move_authenticator::MoveAuthenticator::digest);
    /// for others Blake2b256 of the serialized (flag-prefixed) signature bytes.
    pub fn sender_auth_digest(&self) -> &Digest {
        &self.sender_auth_digest
    }

    /// Returns the sponsor's auth digest for sponsored transactions, `None`
    /// otherwise. For
    /// [`MoveAuthenticator`](crate::move_authenticator::MoveAuthenticator)
    /// signatures equals
    /// [`MoveAuthenticator::digest()`](crate::move_authenticator::MoveAuthenticator::digest);
    /// for others Blake2b256 of the serialized (flag-prefixed) signature bytes.
    pub fn sponsor_auth_digest(&self) -> Option<&Digest> {
        self.sponsor_auth_digest.as_ref()
    }

    /// Returns the sender's authenticator function ref, present when the sender
    /// uses a [`MoveAuthenticator`](crate::move_authenticator::MoveAuthenticator) signature.
    pub fn sender_authenticator_function_ref_v1(&self) -> Option<&AuthenticatorFunctionRefV1> {
        self.sender_authenticator_function_ref_v1.as_ref()
    }

    /// Returns the sponsor's authenticator function ref, present when the
    /// sponsor uses a
    /// [`MoveAuthenticator`](crate::move_authenticator::MoveAuthenticator)
    /// signature.
    pub fn sponsor_authenticator_function_ref_v1(&self) -> Option<&AuthenticatorFunctionRefV1> {
        self.sponsor_authenticator_function_ref_v1.as_ref()
    }

    pub fn tx_inputs(&self) -> &Vec<MoveCallArg> {
        &self.tx_inputs
    }

    pub fn tx_commands(&self) -> &Vec<MoveCommand> {
        &self.tx_commands
    }

    pub fn tx_data_bytes(&self) -> &Vec<u8> {
        &self.tx_data_bytes
    }

    pub fn to_bcs_bytes(&self) -> Vec<u8> {
        bcs::to_bytes(&self).unwrap()
    }

    pub fn to_move_bcs_bytes(&self) -> Vec<u8> {
        bcs::to_bytes(&MoveAuthContext::default()).unwrap()
    }

    /// Returns whether the type signature is &mut AuthContext, &AuthContext, or
    /// none of the above.
    pub fn kind(module: &CompiledModule, token: &SignatureToken) -> AuthContextKind {
        use SignatureToken as S;

        let (kind, token) = match token {
            S::MutableReference(token) => (AuthContextKind::Mutable, token),
            S::Reference(token) => (AuthContextKind::Immutable, token),
            _ => return AuthContextKind::None,
        };

        let S::Datatype(idx) = &**token else {
            return AuthContextKind::None;
        };

        let (module_addr, module_name, struct_name) = resolve_struct(module, *idx);

        if is_auth_context(module_addr, module_name, struct_name) {
            kind
        } else {
            AuthContextKind::None
        }
    }

    pub fn type_() -> StructTag {
        StructTag {
            address: IOTA_FRAMEWORK_ADDRESS,
            module: AUTH_CONTEXT_MODULE_NAME.to_owned(),
            name: AUTH_CONTEXT_STRUCT_NAME.to_owned(),
            type_params: vec![],
        }
    }

    /// Replaces the contents of the `AuthContext` with new values. This is
    /// intended for use within a Move test function, as the `AuthContext`
    /// should be immutable during normal use.
    pub fn replace(
        &mut self,
        auth_digest: MoveAuthenticatorDigest,
        tx_inputs: Vec<MoveCallArg>,
        tx_commands: Vec<MoveCommand>,
        tx_data_bytes: Vec<u8>,
        sender_auth_digest: Digest,
        sponsor_auth_digest: Option<Digest>,
        sender_authenticator_function_ref_v1: Option<AuthenticatorFunctionRefV1>,
        sponsor_authenticator_function_ref_v1: Option<AuthenticatorFunctionRefV1>,
    ) {
        self.auth_digest = auth_digest;
        self.tx_inputs = tx_inputs;
        self.tx_commands = tx_commands;
        self.tx_data_bytes = tx_data_bytes;
        self.sender_auth_digest = sender_auth_digest;
        self.sponsor_auth_digest = sponsor_auth_digest;
        self.sender_authenticator_function_ref_v1 = sender_authenticator_function_ref_v1;
        self.sponsor_authenticator_function_ref_v1 = sponsor_authenticator_function_ref_v1;
    }
}

/// A Move-side `AuthContext` representation.
/// It is supposed to be used with empty fields since the Move `AuthContext`
/// struct is managed by the native functions.
#[derive(Default, Serialize)]
pub struct MoveAuthContext {
    auth_digest: MoveAuthenticatorDigest,
    tx_inputs: Vec<MoveCallArg>,
    tx_commands: Vec<MoveCommand>,
}

#[derive(PartialEq, Eq, Clone, Copy)]
pub enum AuthContextKind {
    // Not AuthContext
    None,
    // &mut AuthContext
    Mutable,
    // &AuthContext
    Immutable,
}

pub fn is_auth_context(
    module_addr: &AccountAddress,
    module_name: &IdentStr,
    struct_name: &IdentStr,
) -> bool {
    module_addr == &IOTA_FRAMEWORK_ADDRESS
        && module_name == AUTH_CONTEXT_MODULE_NAME
        && struct_name == AUTH_CONTEXT_STRUCT_NAME
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct AuthContextData {
    pub transaction_data_bytes: Vec<u8>,
    pub sender_auth_digest: Digest,
    pub sponsor_auth_digest: Option<Digest>,
    pub sender_authenticator_function_ref: Option<AuthenticatorFunctionRef>,
    pub sponsor_authenticator_function_ref: Option<AuthenticatorFunctionRef>,
}

#[cfg(test)]
mod tests {
    use iota_sdk_types::{Argument, Command, Identifier, ObjectId, TypeTag};

    use super::*;
    use crate::transaction::{CallArg, ProgrammableTransaction};

    #[test]
    fn auth_context_new_from_components() {
        let auth_digest = MoveAuthenticatorDigest::new([1u8; 32]);
        let sender_auth_digest = Digest::new([2u8; 32]);
        let sponsor_auth_digest = Some(Digest::new([3u8; 32]));
        let tx_data_bytes = vec![0xde, 0xad, 0xbe, 0xef];

        let ptb = ProgrammableTransaction {
            inputs: vec![CallArg::Pure(vec![0xab])],
            commands: vec![Command::new_move_call(
                ObjectId::from_prefixed_short_hex("0x0000000000000000000000000000000000000001")
                    .unwrap(),
                Identifier::new_unchecked("mod"),
                Identifier::new_unchecked("fun"),
                vec![TypeTag::U8],
                vec![Argument::Gas],
            )],
        };

        let sender_auth_fun_ref_v1 = AuthenticatorFunctionRefV1 {
            package: ObjectId::from([0xAAu8; 32]),
            module: "sender_mod".to_string(),
            function: "authenticate".to_string(),
        };
        let sponsor_auth_fun_ref_v1 = AuthenticatorFunctionRefV1 {
            package: ObjectId::from([0xBBu8; 32]),
            module: "sponsor_mod".to_string(),
            function: "authenticate".to_string(),
        };

        let ctx = AuthContext::new_from_components(
            auth_digest,
            sender_auth_digest,
            sponsor_auth_digest,
            Some(sender_auth_fun_ref_v1.clone()),
            Some(sponsor_auth_fun_ref_v1.clone()),
            &ptb,
            tx_data_bytes.clone(),
        );

        // auth_digest
        assert_eq!(ctx.digest(), &auth_digest);

        // sender_auth_digest
        assert_eq!(ctx.sender_auth_digest(), &sender_auth_digest);

        // sponsor_auth_digest
        assert_eq!(ctx.sponsor_auth_digest(), sponsor_auth_digest.as_ref());

        // sender_authenticator_function_ref_v1
        assert_eq!(
            ctx.sender_authenticator_function_ref_v1(),
            Some(&sender_auth_fun_ref_v1)
        );

        // sponsor_authenticator_function_ref_v1
        assert_eq!(
            ctx.sponsor_authenticator_function_ref_v1(),
            Some(&sponsor_auth_fun_ref_v1)
        );

        // tx_inputs: one Pure input
        assert_eq!(ctx.tx_inputs().len(), 1);
        assert!(matches!(ctx.tx_inputs()[0], MoveCallArg::Pure(_)));

        // tx_commands: one MoveCall command
        assert_eq!(ctx.tx_commands().len(), 1);
        let MoveCommand::MoveCall(call) = &ctx.tx_commands()[0] else {
            panic!("expected MoveCall");
        };
        assert_eq!(call.type_arguments, vec![TypeTag::U8]);

        // tx_data_bytes
        assert_eq!(ctx.tx_data_bytes(), &tx_data_bytes);
    }

    #[test]
    fn auth_context_to_bcs_bytes_is_deterministic() {
        let ctx = AuthContext::new_for_testing();
        assert_eq!(ctx.to_bcs_bytes(), ctx.to_bcs_bytes());
    }

    #[test]
    fn auth_context_to_bcs_bytes_reflects_content() {
        let mut ctx = AuthContext::new_for_testing();
        let empty_bytes = ctx.to_bcs_bytes();

        ctx.replace(
            MoveAuthenticatorDigest::default(),
            vec![MoveCallArg::Pure(vec![1])],
            vec![],
            vec![],
            Digest::default(),
            None,
            None,
            None,
        );
        let non_empty_bytes = ctx.to_bcs_bytes();

        assert_ne!(empty_bytes, non_empty_bytes);
    }
}