Pre-gen wallet for user when they create account

Author: taitsengstock

PARA_INTEGRATION.md

@@ -3,6 +3,7 @@ import { NextResponse } from "next/server";
 import { auth } from "@/lib/auth";
 import { db } from "@/lib/db";
 import { accounts, users } from "@/lib/db/schema";
+import { getUserWallet } from "@/lib/para/wallet-helpers";
 
 export async function GET(request: Request) {
   try {
@@ -37,9 +38,20 @@ export async function GET(request: Request) {
       },
     });
 
+    // Get the user's wallet address (if exists)
+    let walletAddress: string | null = null;
+    try {
+      const wallet = await getUserWallet(session.user.id);
+      walletAddress = wallet.walletAddress;
+    } catch (error) {
+      // User doesn't have a wallet yet, that's ok
+      walletAddress = null;
+    }
+
     return NextResponse.json({
       ...userData,
       providerId: userAccount?.providerId ?? null,
+      walletAddress,
     });
   } catch (error) {
     console.error("Failed to get user:", error);

app/api/user/route.ts

@@ -0,0 +1,42 @@
+import { NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { getUserWallet, userHasWallet } from "@/lib/para/wallet-helpers";
+
+export async function GET(request: Request) {
+  try {
+    const session = await auth.api.getSession({
+      headers: request.headers,
+    });
+
+    if (!session?.user) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const hasWallet = await userHasWallet(session.user.id);
+
+    if (!hasWallet) {
+      return NextResponse.json({
+        hasWallet: false,
+        message: "No Para wallet found for this user",
+      });
+    }
+
+    const wallet = await getUserWallet(session.user.id);
+
+    return NextResponse.json({
+      hasWallet: true,
+      walletAddress: wallet.walletAddress,
+      walletId: wallet.walletId,
+      email: wallet.email,
+      createdAt: wallet.createdAt,
+    });
+  } catch (error) {
+    console.error("Failed to get wallet:", error);
+    return NextResponse.json(
+      {
+        error: error instanceof Error ? error.message : "Failed to get wallet",
+      },
+      { status: 500 }
+    );
+  }
+}

app/api/user/wallet/route.ts

@@ -33,14 +33,21 @@ export const UserMenu = () => {
   const [settingsOpen, setSettingsOpen] = useState(false);
   const [integrationsOpen, setIntegrationsOpen] = useState(false);
   const [providerId, setProviderId] = useState<string | null>(null);
+  const [walletAddress, setWalletAddress] = useState<string | null>(null);
 
-  // Fetch provider info when session is available
+  // Fetch provider info and wallet when session is available
   useEffect(() => {
     if (session?.user && !session.user.name?.startsWith("Anonymous")) {
       api.user
         .get()
-        .then((user) => setProviderId(user.providerId))
-        .catch(() => setProviderId(null));
+        .then((user) => {
+          setProviderId(user.providerId);
+          setWalletAddress(user.walletAddress || null);
+        })
+        .catch(() => {
+          setProviderId(null);
+          setWalletAddress(null);
+        });
     }
   }, [session?.user]);
 
@@ -128,6 +135,11 @@ export const UserMenu = () => {
             <p className="text-muted-foreground text-xs leading-none">
               {session?.user?.email}
             </p>
+            {walletAddress && (
+              <p className="text-muted-foreground font-mono text-xs leading-none">
+                {walletAddress.slice(0, 6)}...{walletAddress.slice(-4)}
+              </p>
+            )}
           </div>
         </DropdownMenuLabel>
         <DropdownMenuSeparator />

components/workflows/user-menu.tsx

@@ -2,10 +2,12 @@ import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { anonymous, genericOAuth } from "better-auth/plugins";
 import { eq } from "drizzle-orm";
+import { Para as ParaServer, Environment } from "@getpara/server-sdk";
 import { db } from "./db";
 import {
   accounts,
   integrations,
+  paraWallets,
   sessions,
   users,
   verifications,
@@ -14,6 +16,7 @@ import {
   workflowExecutionsRelations,
   workflows,
 } from "./db/schema";
+import { encryptUserShare } from "./encryption";
 
 // Construct schema object for drizzle adapter
 const schema = {
@@ -157,4 +160,72 @@ export const auth = betterAuth({
     },
   },
   plugins,
+
+  // Database hooks for automatic Para wallet creation
+  databaseHooks: {
+    user: {
+      create: {
+        after: async (user) => {
+          // Skip wallet creation if no email
+          if (!user.email) {
+            console.log("[Para] Skipping wallet creation - no email");
+            return;
+          }
+
+          console.log(`[Para] Creating wallet for user: ${user.email}`);
+
+          try {
+            const PARA_API_KEY = process.env.PARA_API_KEY;
+            const PARA_ENV = process.env.PARA_ENVIRONMENT || "beta";
+
+            if (!PARA_API_KEY) {
+              console.warn("[Para] PARA_API_KEY not configured");
+              return;
+            }
+
+            // Initialize Para SDK
+            const paraClient = new ParaServer(
+              PARA_ENV === "prod" ? Environment.PROD : Environment.BETA,
+              PARA_API_KEY
+            );
+
+            // Check if wallet already exists
+            const hasWallet = await paraClient.hasPregenWallet({
+              pregenId: { email: user.email },
+            });
+
+            if (hasWallet) {
+              console.log(`[Para] Wallet already exists for ${user.email}`);
+              return;
+            }
+
+            // Create pregenerated wallet
+            const wallet = await paraClient.createPregenWallet({
+              type: "EVM",
+              pregenId: { email: user.email },
+            });
+
+            // Get user's cryptographic share
+            const userShare = await paraClient.getUserShare();
+
+            // Store encrypted wallet in database
+            await db.insert(paraWallets).values({
+              userId: user.id,
+              email: user.email,
+              walletId: wallet.id, // v2 API uses wallet.id instead of wallet.walletId
+              walletAddress: wallet.address,
+              userShare: encryptUserShare(userShare), // Encrypted!
+            });
+
+            console.log(
+              `[Para] ✓ Wallet created successfully: ${wallet.address}`
+            );
+          } catch (error) {
+            console.error(`[Para] Failed to create wallet:`, error);
+            // Don't throw - let signup succeed even if wallet creation fails
+          }
+        },
+      },
+    },
+  },
 });

lib/auth.ts

@@ -139,6 +139,22 @@ export const workflowExecutionLogs = pgTable("workflow_execution_logs", {
   timestamp: timestamp("timestamp").notNull().defaultNow(),
 });
 
+// Para Wallets table to store user wallet information
+export const paraWallets = pgTable("para_wallets", {
+  id: text("id")
+    .primaryKey()
+    .$defaultFn(() => generateId()),
+  userId: text("user_id")
+    .notNull()
+    .unique() // One wallet per user
+    .references(() => users.id, { onDelete: "cascade" }),
+  email: text("email").notNull(),
+  walletId: text("wallet_id").notNull(), // Para wallet ID
+  walletAddress: text("wallet_address").notNull(), // EVM address (0x...)
+  userShare: text("user_share").notNull(), // Encrypted keyshare for signing
+  createdAt: timestamp("created_at").notNull().defaultNow(),
+});
+
 // Relations
 export const workflowExecutionsRelations = relations(
   workflowExecutions,
@@ -160,3 +176,5 @@ export type WorkflowExecution = typeof workflowExecutions.$inferSelect;
 export type NewWorkflowExecution = typeof workflowExecutions.$inferInsert;
 export type WorkflowExecutionLog = typeof workflowExecutionLogs.$inferSelect;
 export type NewWorkflowExecutionLog = typeof workflowExecutionLogs.$inferInsert;
+export type ParaWallet = typeof paraWallets.$inferSelect;
+export type NewParaWallet = typeof paraWallets.$inferInsert;

lib/db/schema.ts

@@ -0,0 +1,65 @@
+import crypto from "crypto";
+
+const ENCRYPTION_KEY = process.env.WALLET_ENCRYPTION_KEY!;
+const ALGORITHM = "aes-256-gcm";
+
+if (!ENCRYPTION_KEY || ENCRYPTION_KEY.length !== 64) {
+  throw new Error(
+    "WALLET_ENCRYPTION_KEY must be a 32-byte hex string (64 characters)"
+  );
+}
+
+/**
+ * Encrypt sensitive userShare before storing in database
+ * Uses AES-256-GCM for authenticated encryption
+ *
+ * @param userShare - The plaintext userShare from Para SDK
+ * @returns Encrypted string in format: iv:authTag:encryptedData
+ */
+export function encryptUserShare(userShare: string): string {
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv(
+    ALGORITHM,
+    Buffer.from(ENCRYPTION_KEY, "hex"),
+    iv
+  );
+
+  let encrypted = cipher.update(userShare, "utf8", "hex");
+  encrypted += cipher.final("hex");
+
+  const authTag = cipher.getAuthTag();
+
+  // Format: iv:authTag:encryptedData
+  return (
+    iv.toString("hex") + ":" + authTag.toString("hex") + ":" + encrypted
+  );
+}
+
+/**
+ * Decrypt userShare when needed for signing transactions
+ *
+ * @param encryptedData - Encrypted string from database
+ * @returns Decrypted userShare for Para SDK
+ */
+export function decryptUserShare(encryptedData: string): string {
+  const parts = encryptedData.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted data format");
+  }
+
+  const iv = Buffer.from(parts[0], "hex");
+  const authTag = Buffer.from(parts[1], "hex");
+  const encrypted = parts[2];
+
+  const decipher = crypto.createDecipheriv(
+    ALGORITHM,
+    Buffer.from(ENCRYPTION_KEY, "hex"),
+    iv
+  );
+  decipher.setAuthTag(authTag);
+
+  let decrypted = decipher.update(encrypted, "hex", "utf8");
+  decrypted += decipher.final("utf8");
+
+  return decrypted;
+}

lib/encryption.ts

@@ -0,0 +1,87 @@
+import "server-only";
+import { db } from "@/lib/db";
+import { paraWallets } from "@/lib/db/schema";
+import { eq } from "drizzle-orm";
+import { Para as ParaServer, Environment } from "@getpara/server-sdk";
+import { ParaEthersSigner } from "@getpara/ethers-v6-integration";
+import { ethers } from "ethers";
+import { decryptUserShare } from "@/lib/encryption";
+
+/**
+ * Get user's Para wallet from database
+ * @throws Error if wallet not found
+ */
+export async function getUserWallet(userId: string) {
+  const wallet = await db
+    .select()
+    .from(paraWallets)
+    .where(eq(paraWallets.userId, userId))
+    .limit(1);
+
+  if (wallet.length === 0) {
+    throw new Error("No Para wallet found for user");
+  }
+
+  return wallet[0];
+}
+
+/**
+ * Initialize Para signer for user
+ * This signer can sign transactions using the user's Para wallet
+ *
+ * @param userId - User ID from session
+ * @param rpcUrl - Blockchain RPC URL (e.g., Ethereum mainnet, Polygon, etc.)
+ * @returns Para Ethers signer ready to sign transactions
+ */
+export async function initializeParaSigner(
+  userId: string,
+  rpcUrl: string
+): Promise<ParaEthersSigner> {
+  const PARA_API_KEY = process.env.PARA_API_KEY;
+  const PARA_ENV = process.env.PARA_ENVIRONMENT || "beta";
+
+  if (!PARA_API_KEY) {
+    throw new Error("PARA_API_KEY not configured");
+  }
+
+  // Get user's wallet from database
+  const wallet = await getUserWallet(userId);
+
+  // Initialize Para client
+  const paraClient = new ParaServer(
+    PARA_ENV === "prod" ? Environment.PROD : Environment.BETA,
+    PARA_API_KEY
+  );
+
+  // Decrypt and set user's keyshare
+  const decryptedShare = decryptUserShare(wallet.userShare);
+  await paraClient.setUserShare(decryptedShare);
+
+  // Create blockchain provider and signer
+  const provider = new ethers.JsonRpcProvider(rpcUrl);
+  const signer = new ParaEthersSigner(paraClient, provider);
+
+  return signer;
+}
+
+/**
+ * Get user's wallet address
+ * Useful for displaying wallet address in UI
+ */
+export async function getUserWalletAddress(userId: string): Promise<string> {
+  const wallet = await getUserWallet(userId);
+  return wallet.walletAddress;
+}
+
+/**
+ * Check if user has a Para wallet
+ */
+export async function userHasWallet(userId: string): Promise<boolean> {
+  const wallet = await db
+    .select()
+    .from(paraWallets)
+    .where(eq(paraWallets.userId, userId))
+    .limit(1);
+
+  return wallet.length > 0;
+}