Security News
RubyGems.org Adds New Maintainer Role
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
@cosmjs/launchpad
Advanced tools
A client library for the Cosmos SDK 0.37 (cosmoshub-3), 0.38 and 0.39 (Launchpad)
A client library for the Cosmos SDK 0.37 (cosmoshub-3), 0.38 and 0.39 (Launchpad). See the article Launchpad — A pre-stargate stable version of the Cosmos SDK to learn more about launchpad.
The basic usage of the package @cosmjs/launchpad
contains the following:
For the sake of simplicity we use an in-memory wallet. This is not the safest way to store production keys. The following demo code is intended for developers using testnet credentials only. Integrating it into end user facing products requires serious security review.
If you do not yet have a mnemonic, generate a new wallet with a random mnemonic:
import { Secp256k1HdWallet } from "@cosmjs/launchpad";
// …
const wallet = await Secp256k1HdWallet.generate();
console.log("Mnemonic:", wallet.mnemonic);
const [{ address }] = await wallet.getAccounts();
console.log("Address:", address);
Or import an existing one:
import { Secp256k1HdWallet } from "@cosmjs/launchpad";
// …
const wallet = await Secp256k1HdWallet.fromMnemonic(
// your mnemonic here 👇
"enlist hip relief stomach skate base shallow young switch frequent cry park",
);
const [{ address }] = await wallet.getAccounts();
console.log("Address:", address);
A wallet holds private keys and can use them for signing transactions. To do so we stick the wallet into a client:
import {
Secp256k1HdWallet,
SigningCosmosClient,
coins,
} from "@cosmjs/launchpad";
// …
const wallet = await Secp256k1HdWallet.generate();
const [{ address }] = await wallet.getAccounts();
console.log("Address:", address);
// Ensure the address has some tokens to spend
const lcdApi = "https://…";
const client = new SigningCosmosClient(lcdApi, address, wallet);
// check our balance
const account = await client.getAccount();
console.log("Account:", account);
// Send tokens
const recipient = "cosmos1b2340gb2…";
await client.sendTokens(recipient, coins(123, "uatom"));
or use custom message types:
import {
Secp256k1HdWallet,
SigningCosmosClient,
coins,
coin,
MsgDelegate,
} from "@cosmjs/launchpad";
// …
const wallet = await Secp256k1HdWallet.generate();
const [{ address }] = await wallet.getAccounts();
console.log("Address:", address);
// Ensure the address has some tokens to spend
const lcdApi = "https://…";
const client = new SigningCosmosClient(lcdApi, address, wallet);
// …
const msg: MsgDelegate = {
type: "cosmos-sdk/MsgDelegate",
value: {
delegator_address: address,
validator_address: "cosmosvaloper1yfkkk04ve8a0sugj4fe6q6zxuvmvza8r3arurr",
amount: coin(300000, "ustake"),
},
};
const fee = {
amount: coins(2000, "ucosm"),
gas: "180000", // 180k
};
await client.signAndBroadcast([msg], fee);
Here you will learn a few things that are slightly more advanced:
You can sign a transaction without broadcasting it:
import {
Secp256k1HdWallet,
SigningCosmosClient,
coins,
coin,
MsgDelegate,
} from "@cosmjs/launchpad";
// …
const wallet = await Secp256k1HdWallet.generate();
const [{ address }] = await wallet.getAccounts();
console.log("Address:", address);
const lcdApi = "https://…"; // Signing is offline, but from this endpoint we get the account number and sequence
const client = new SigningCosmosClient(lcdApi, address, wallet);
// …
const msg: MsgDelegate = {
type: "cosmos-sdk/MsgDelegate",
value: {
delegator_address: address,
validator_address: "cosmosvaloper1yfkkk04ve8a0sugj4fe6q6zxuvmvza8r3arurr",
amount: coin(300000, "ustake"),
},
};
const fee = {
amount: coins(2000, "ucosm"),
gas: "180000", // 180k
};
let signed = await client.sign([msg], fee);
console.log("Signed transaction:", signed);
// We can broadcast it manually later on
const result = await client.broadcastTx(signed);
console.log("Broadcasting result:", result);
In this example we use wallet0
/client0
and wallet1
/client1
which can
live on separate systems:
import {
Secp256k1HdWallet,
SigningCosmosClient,
coins,
coin,
MsgDelegate,
} from "@cosmjs/launchpad";
const wallet0 = await Secp256k1HdWallet.fromMnemonic(mnemonic0);
const [{ address: address0 }] = await wallet.getAccounts();
const client0 = new SigningCosmosClient("https://…", address0, wallet0);
const wallet1 = await Secp256k1HdWallet.fromMnemonic(mnemonic1);
const [{ address: address1 }] = await wallet.getAccounts();
const client1 = new SigningCosmosClient("https://…", address1, wallet1);
const msg1: MsgSend = {
type: "cosmos-sdk/MsgSend",
value: {
from_address: address0,
to_address: "cosmos1b2340gb2…",
amount: coins(1234567, "ucosm"),
},
};
const msg2: MsgSend = {
type: "cosmos-sdk/MsgSend",
value: {
from_address: address1,
to_address: "cosmos1b2340gb2…",
amount: coins(1234567, "ucosm"),
},
};
const fee = {
amount: coins(2000, "ucosm"),
gas: "160000", // 2*80k
};
const memo = "This must be authorized by the two of us";
const signed = await client0.sign([msg1, msg2], fee, memo);
const cosigned = await client1.appendSignature(signed);
const result = await client1.broadcastTx(cosigned);
console.log("Broadcasting result:", result);
This client library supports connecting to standard Cosmos SDK modules as well as custom modules. The modularity has two sides that are handled separately:
@cosmjs/launchpad now has a flexible LcdClient, which can be extended with all the standard Cosmos SDK modules in a type-safe way. With
import { LcdClient } from "@cosmjs/launchpad";
const client = new LcdClient(apiUrl);
const response = await client.nodeInfo();
you only get access to blocks, transaction lists and node info. In order to sign transactions, you need to setup the auth extension with:
import { LcdClient, setupAuthExtension } from "@cosmjs/launchpad";
const client = LcdClient.withExtensions({ apiUrl }, setupAuthExtension);
const { account_number, sequence } = (await client.auth.account(myAddress))
.result.value;
A full client can use all of the following extensions:
import {
LcdClient,
setupAuthExtension,
setupBankExtension,
setupDistributionExtension,
setupGovExtension,
setupMintExtension,
setupSlashingExtension,
setupStakingExtension,
setupSupplyExtension,
} from "@cosmjs/launchpad";
const client = LcdClient.withExtensions(
{ apiUrl },
setupAuthExtension,
setupBankExtension,
setupDistributionExtension,
setupGovExtension,
setupMintExtension,
setupSlashingExtension,
setupStakingExtension,
setupSupplyExtension,
);
// Example queries
const balances = await client.bank.balances(myAddress);
const distParameters = await client.distribution.parameters();
const proposals = await client.gov.proposals();
const inflation = await client.mint.inflation();
const signingInfos = await client.slashing.signingInfos();
const redelegations = await client.staking.redelegations();
const supply = await client.supply.totalAll();
Every Amino-JSON compatible message can be used for the Msg interface like this:
const voteMsg: Msg = {
type: "cosmos-sdk/MsgVote",
value: {
proposal_id: proposalId,
voter: faucet.address,
option: "Yes",
},
};
This is most flexible since you are not restricted to known messages, but gives you very little type safety. For improved type safety, we added TypeScript definitions for all common Cosmos SDK messages:
Those can be signed and broadcast the manual way or by using a higher level SigningCosmosClient:
import {
coins,
BroadcastTxResult,
MsgSubmitProposal,
OfflineSigner,
SigningCosmosClient,
StdFee,
} from "@cosmjs/launchpad";
async function publishProposal(
apiUrl: string,
signer: OfflineSigner,
): Promise<BroadcastTxResult> {
const [{ address: authorAddress }] = await signer.getAccounts();
const memo = "My first proposal on chain";
const msg: MsgSubmitProposal = {
type: "cosmos-sdk/MsgSubmitProposal",
value: {
content: {
type: "cosmos-sdk/TextProposal",
value: {
description:
"This proposal proposes to test whether this proposal passes",
title: "Test Proposal",
},
},
proposer: authorAddress,
initial_deposit: coins(25000000, "ustake"),
},
};
const fee: StdFee = {
amount: coins(5000000, "ucosm"),
gas: "89000000",
};
const client = new SigningCosmosClient(apiUrl, authorAddress, signer);
return client.signAndBroadcast([msg], fee, memo);
}
Both query and message support is implemented in a decentralized fashion, which allows applications to add their extensions without changing CosmJS. As an example we show how to build a client for a blockchain with a wasm module:
import {
MsgExecuteContract,
setupWasmExtension,
} from "@cosmjs/cosmwasm-launchpad";
import {
assertIsBroadcastTxResult,
LcdClient,
makeSignDoc,
setupAuthExtension,
StdFee,
StdTx,
} from "@cosmjs/launchpad";
const client = LcdClient.withExtensions(
{ apiUrl },
setupAuthExtension,
// 👇 this extension can come from a chain-specific package or the application itself
setupWasmExtension,
);
// 👇 this message type can come from a chain-specific package or the application itself
const msg: MsgExecuteContract = {
type: "wasm/MsgExecuteContract",
value: {
sender: myAddress,
contract: contractAddress,
msg: wasmMsg,
sent_funds: [],
},
};
const fee: StdFee = {
amount: coins(5000000, "ucosm"),
gas: "89000000",
};
const memo = "Time for action";
const { account_number, sequence } = (await client.auth.account(myAddress))
.result.value;
const signDoc = makeSignDoc([msg], fee, apiUrl, memo, account_number, sequence);
const { signed, signature } = await signer.sign(myAddress, signDoc);
const signedTx = makeStdTx(signed, signature);
const result = await client.broadcastTx(signedTx);
assertIsBroadcastTxResult(result);
Secp256k1HdWallet supports securely encrypted serialization/deserialization using Argon2 for key derivation and XChaCha20Poly1305 for authenticated encryption. It can be used as easily as:
// generate an 18 word mnemonic
const wallet = await Secp256k1HdWallet.generate(18);
const serialized = await original.serialize("my password");
// serialized is encrypted and can now be stored in an application-specific way
const restored = await Secp256k1HdWallet.deserialize(serialized, "my password");
If you want to use really strong KDF parameters in a user interface, you should offload the KDF execution to a separate thread in order to avoid freezing the UI. This can be done in the advanced mode:
Session 1 (main thread)
const wallet = await Secp256k1HdWallet.generate(18);
Session 1 (WebWorker)
This operation can now run a couple of seconds without freezing the UI.
import { executeKdf } from "@cosmjs/launchpad";
// pass password to the worker
const strongKdfParams: KdfConfiguration = {
algorithm: "argon2id",
params: {
outputLength: 32,
opsLimit: 5000,
memLimitKib: 15 * 1024,
},
};
const encryptionKey = await executeKdf(password, strongKdfParams);
// pass encryptionKey to the main thread
Session 1 (main thread)
const serialized = await wallet.serializeWithEncryptionKey(
encryptionKey,
anyKdfParams,
);
Session 2 (WebWorker)
import { executeKdf, extractKdfConfiguration } from "@cosmjs/launchpad";
// pass serialized and password to the worker
const kdfConfiguration = extractKdfConfiguration(serialized);
const encryptionKey = await executeKdf(password, kdfConfiguration);
// pass encryptionKey to the main thread
Session 2 (main thead)
const restored = await Secp256k1HdWallet.deserializeWithEncryptionKey(
serialized,
encryptionKey,
);
// use restored for signing
This package is part of the cosmjs repository, licensed under the Apache License 2.0 (see NOTICE and LICENSE).
FAQs
A client library for the Cosmos SDK 0.37 (cosmoshub-3), 0.38 and 0.39 (Launchpad)
The npm package @cosmjs/launchpad receives a total of 28,450 weekly downloads. As such, @cosmjs/launchpad popularity was classified as popular.
We found that @cosmjs/launchpad demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.