Multi-Transaction Signing for SignTransaction

[mraveux]

Summary

• Extends the SignTransaction request to accept multiple transactions (TransactionData[] or Uint8Array[]) that are signed with a single password entry, enabling batch operations like combined staking + transfer flows
• Adds a dedicated multi-transaction UI with a scrollable list of transaction cards (identicon, address, value, fee), summary totals, and a shared confirm button
• Maintains full backward compatibility — single transactions (inline fields or single-item arrays) continue to work exactly as before, returning a single SignTransactionResult; only multi-item arrays return SignTransactionResults

Changes

Client types (client/src/PublicRequest.ts)

• New TransactionData type (TransactionInfo without keyPath, since keyPath lives at request level)
• SignTransactionRequestStandard now accepts either inline TransactionData fields or a { transactions: TransactionData[] | Uint8Array[] } object
• New SignTransactionResults array type; ResultType and ResultByCommand updated accordingly

Request parsing (SignTransactionApi.js)

• Auto-detects three input formats: inline single-tx fields, TransactionData[], or Uint8Array[] (serialized, for staking transactions)
• Validates non-empty arrays, no mixed formats, standard-layout-only for multi-tx
• Handles postMessage Uint8Array → plain object conversion
• Removed the staking-type rejection — staking transactions are now supported via serialized format

Internal types (Keyguard.d.ts)

• Parsed for Standard now uses transactions: Nimiq.Transaction[] instead of transaction: Nimiq.Transaction
• Parsed for Checkout and Cashlink updated with Transform to also map transaction → transactions

UI handler (SignTransaction.js, SignTransaction.css, index.html)

• Constructor branches between _renderMultiTransactionView and _renderSingleTransactionView based on transactions.length
• Multi-tx view: transaction count header, scrollable card list with identicons, total value + total fees summary
• Transaction count text is reactive to language changes via I18n.observer
• Signing supports mixed staking/non-staking batches: uses transaction.sign(keyPair) when any staking tx is present, manual SignatureProof.singleSig otherwise
• CSS scoped under #confirm-transaction.multi — no impact on SignMultisigTransaction which shares the same stylesheet

Translations (en.json)

• 4 new keys: sign-tx-heading-multi, sign-tx-multi-count, sign-tx-multi-total-fees, passwordbox-confirm-txs
• Non-English translations still need to be added

Other

• PasswordBox.js: added passwordbox-confirm-txs button template
• RequestParser.js: minor adjustment for shared parseTransaction() usage
• demos/SignTransaction.html: comprehensive demo with format selector and multi-tx controls

Testing

Use the demo page at demos/SignTransaction.html. It provides a format selector (inline / TransactionData / Uint8Array) and controls to adjust the number of transactions. Test single-tx mode to verify backward compatibility, then switch to multi-tx to verify the batch UI, totals, and array result format.

[danimoh]

This is a first part of the review, which includes everything but SignTransaction.js and the demo so far.
The included files have already been thoroughly reviewed.

The two missing files I have not thoroughly reviewed yet, but I am already aware of some things that require changing, so a second change request will follow for those files.

[danimoh]

Could also be the other way around.
Additionally, it can be considered to rename TransactionInfo to TransactionDataWithKeyPath to reduce confusion between TransactionInfo and TransactionData.

export type TransactionData = {
    senderLabel?: string,
    sender: Uint8Array,
    senderType: Nimiq.AccountType,
    senderData?: Uint8Array,
    recipient: Uint8Array,
    recipientType?: Nimiq.AccountType,
    recipientData?: Uint8Array,
    value: number,
    fee: number,
    validityStartHeight: number,
    flags?: number,
};

export type TransactionDataWithKeyPath = TransactionData & { keyPath: string };

However, TransactionData is not an ideal name either, because it also includes senderLabel, which is not part of the transaction. So maybe they should be called TransactionInfo and TransactionInfoWithKeyPath.

[danimoh]

The name SignTransactionRequestCommon is not adequate anymore if it's not used in SignTransactionRequestStandard anymore, as it's then in fact not common to all SignTransactionRequests.
This can be circumvented by actually using the type here, as is still proves useful:

export type SignTransactionRequestStandard = (
    SignTransactionRequestCommon
    | (SimpleRequest & {
        keyPath: string,
        transactions: TransactionData[] | Uint8Array[],
    })
) & {
    layout?: 'standard',
    recipientLabel?: string, // Only used for single-tx display
};

Or to go further, and explicitly allow senderLabel and recipientLabel only for a single transaction:

Suggested change

	type SignTransactionRequestCommon = SimpleRequest & TransactionInfo;
	export type SignTransactionRequestStandard = SignTransactionRequestCommon & {
	// Standard layout supports both single and multiple transactions
	export type SignTransactionRequestStandard = SimpleRequest & {
	keyPath: string,
	layout?: 'standard',
	recipientLabel?: string,
	};
	recipientLabel?: string, // Only used for single-tx display
	} & (
	// Option A: Single transaction (backward compatible - fields directly on request)
	TransactionData |
	// Option B: Multiple transactions
	{ transactions: TransactionData[] | Uint8Array[] }
	);
	export type SignTransactionRequestStandard = ((
	// Legacy request type for a single transaction
	SignTransactionRequestCommon & {
	recipientLabel?: string,
	}
	) | (
	// New request type for a single transaction. senderLabel and recipientLabel are supported.
	SimpleRequest & {
	keyPath: string,
	recipientLabel?: string,
	transactions: [TransactionData] | [Uint8Array],
	}
	) | (
	// New request type for multiple transactions. senderLabel and recipientLabel are not supported
	SimpleRequest & {
	keyPath: string,
	transactions: Omit<TransactionData, 'senderLabel'>[] | Uint8Array[],
	}
	)) & {
	layout?: 'standard',
	};

[danimoh]

Not sure whether it's worth introducing a type alias for this. Imo, just using SignTransactionResult[] would also be fine.

[danimoh]

I don't think that the sender and recipient can be the same even for staking transactions. One side is the staking contract, the other side the sender of funds or fees, or the recipient of funds.

[danimoh]

I would move this below the Single Transaction View because that is rather the standard view.

[danimoh]

Can consider calling tx.verify, and check that it fails because of an invalid signature, but not because of another error.

[danimoh]

Unnecessary comment.

Suggested change

// Deserialize using Nimiq's fromAny method

[danimoh]

Suggested change

	// EXISTING: TransactionData object path
	// TransactionData object

[danimoh]

If the public request type was to be updated to exclude the senderLabel (see suggestion there), it should be adapted here, too:

Suggested change

	/** @param {KeyguardRequest.TransactionData} tx */
	/** @param {Omit<KeyguardRequest.TransactionData, 'senderLabel'>} tx */

[danimoh]

senderLabel does not exist on the request, if it has transactions. Does typescript not flag this as a type error?

[danimoh]

Review of SignTransaction.js.

I haven't looked at the demo yet, and also haven't tested.

[danimoh]

This is only used within this constructor, so can be a local const instead of a property on the instance.

[danimoh]

Suggested change

* Renders the single transaction view (existing behavior)

The method name is self-explanatory.

[danimoh]

Suggested change

* Renders the multi-transaction view

The method name is self-explanatory.

[danimoh]

Controling the display via the hide-* classes would be more elegant, without the need of additional css.

[danimoh]

Suggested change

	const txCount = String(request.transactions.length);
	const updateCount = () => {
	$count.textContent = I18n.translatePhrase('sign-tx-multi-count').replace('{count}', txCount);
	};
	updateCount();
	I18n.observer.on(I18n.Events.LANGUAGE_CHANGED, updateCount);
	I18n.translateToHtmlContent($count, 'sign-tx-multi-count', { count: String(request.transactions.length) });

[danimoh]

The address must also be accesible in full, without text ellipsis. I suggest opening the details overlay with the full address when clicking the address / identicon, like in the single transaction view.

[danimoh]

The transaction data must be shown. Otherwise the user might be signing a contract creation without knowing, or worse, signing an unwanted update to his validator in what looks like a harmless 0 NIM transaction.

Can use TransactionDataFormatting for this, just like in the single transaction case. It tries to display all relevant information, but this might not be in the most user-friendly fashion. Thus, it would be worth additionally building specific UIs / cards for transaction types typically to be expected here, like unstaking transactions.

[danimoh]

Suggested change

	// For non-staking transactions, use the existing manual signing approach
	// For incoming staking transactions with user-provided staker / validator signature proof and non-
	// staking transactions, use the manual signing approach. `transaction.sign()` does not currently support
	// user-provided staker / validator signature proofs or HTLC redemptions.
	// Note however, thas this will not return a valid HTLC redemption signature proof. It has to be built
	// manually from the signature.

[danimoh]

Suggested change

	// For staking transactions, use the same approach as SignStaking:
	// Derive a KeyPair and call transaction.sign()
	// For staking transactions, use `transaction.sign()` for automatically generating the staker / validator
	// signature proof in the recipient data. The same keypair as for signing the transaction will be used for
	// this. Arbitrary signature proofs for a different staker or validator address are not supported.

[danimoh]

Also check whether the staking transaction includes a user-provided signature proof, and defer to manual signing in that case.
Alternatively, reject staking transactions with a user-provided signature proof during parsing.