search
GithubStatusSupportLaunch App

SSS Key Manager

Self-contained SSS key management library

@learncard/sss-key-manager is a self-contained library that implements Shamir Secret Sharing (SSS) key management for LearnCard. It has zero UI dependencies and can be used in any JavaScript/TypeScript environment.

hashtag
Installation

pnpm add @learncard/sss-key-manager

hashtag
Overview

This package provides the KeyDerivationStrategy implementation used by the AuthCoordinator. It handles:

  • Key splitting and reconstruction using a 2-of-3 Shamir threshold scheme

  • Local device share storage in IndexedDB with versioning

  • Server communication for storing and retrieving auth shares

  • Recovery methods β€” passkey (WebAuthn PRF), recovery phrase, backup file, email backup

  • Cross-device login via QR code with ephemeral ECDH encryption

  • Migration from Web3Auth to SSS

hashtag
Architecture

sss-key-manager/
β”œβ”€β”€ sss.ts                  # Shamir split (2-of-3) and reconstruct primitives
β”œβ”€β”€ sss-strategy.ts         # KeyDerivationStrategy implementation
β”œβ”€β”€ storage.ts              # IndexedDB device share persistence
β”œβ”€β”€ crypto.ts               # AES-GCM encryption, PBKDF2 key derivation
β”œβ”€β”€ passkey.ts              # WebAuthn PRF-based share encryption
β”œβ”€β”€ recovery-phrase.ts      # BIP39-style mnemonic ↔ share encoding
β”œβ”€β”€ qr-crypto.ts            # ECDH ephemeral key exchange
β”œβ”€β”€ qr-login.ts             # Cross-device login flow
β”œβ”€β”€ atomic-operations.ts    # Split-and-verify with rollback
β”œβ”€β”€ api-client.ts           # Typed fetch wrapper for lca-api routes
└── types.ts                # All types, re-exports from @learncard/types

hashtag
Key Types

hashtag
ContactMethod

Identifies a user by their primary contact method:

hashtag
SecurityLevel

Describes how well-protected a user's key is:

  • basic β€” device + server share only (no recovery method)

  • enhanced β€” at least one recovery method configured

  • advanced β€” multiple recovery methods configured

hashtag
RecoveryInput

What the user provides to recover their key:

hashtag
RecoverySetupInput

What the user provides to set up a new recovery method:

hashtag
BackupFile

The JSON structure of a downloadable backup file:

hashtag
SSSStrategy

The main class that implements KeyDerivationStrategy. It is typically instantiated by the AuthCoordinator, not directly by application code.

hashtag
Configuration

Option
Default
Description

serverUrl

β€”

Base URL of the lca-api server (e.g., https://api.example.com/api)

enableEmailBackupShare

false

Automatically send a backup share to the user's email during key setup

hashtag
Key Methods

Method
Purpose

fetchServerKeyStatus(token, providerType)

Check if a key record exists on the server for the authenticated user

setupNewKey(token, providerType, signVp)

Generate a new key, split it, store shares on device and server

reconstructKey(token, providerType)

Reconstruct the key from device share + auth share

recoverKey(token, providerType, input)

Recover the key using a recovery method + auth share

hasLocalKey()

Check if a device share exists in IndexedDB

clearLocalKey()

Remove the device share from IndexedDB

setupRecoveryMethod(params)

Set up a new recovery method (passkey, phrase, backup, email)

getAvailableRecoveryMethods(token, providerType)

List the user's configured recovery methods

hashtag
API Client

The api-client.ts module provides a typed fetch wrapper for all lca-api /keys/* and /qr-login/* routes. It is used internally by the SSS strategy but can also be used directly:

hashtag
Testing

The package includes ~249 unit tests across 13 test files:

PreviousxAPI ReferenceNextAuth Types

Last updated

Was this helpful?