@abraca/dabra 0.1.1 → 0.1.3

package/dist/abracadabra-provider.cjs

@@ -2133,10 +2133,17 @@ var SubdocMessage = class extends OutgoingMessage {
 */
 var AbracadabraProvider = class AbracadabraProvider extends HocuspocusProvider {
 	constructor(configuration) {
-		super(configuration);
+		const resolved = { ...configuration };
+		const client = configuration.client ?? null;
+		if (client) {
+			if (!resolved.url && !resolved.websocketProvider) resolved.url = client.wsUrl;
+			if (resolved.token === void 0 && !configuration.cryptoIdentity) resolved.token = () => client.token ?? "";
+		}
+		super(resolved);
 		this.effectiveRole = null;
 		this.childProviders = /* @__PURE__ */ new Map();
 		this.boundHandleYSubdocsChange = this.handleYSubdocsChange.bind(this);
+		this._client = client;
 		this.abracadabraConfig = configuration;
 		this.subdocLoading = configuration.subdocLoading ?? "lazy";
 		this.offlineStore = configuration.disableOfflineStore ? null : new OfflineStore(configuration.name);
@@ -2152,8 +2159,12 @@ var AbracadabraProvider = class AbracadabraProvider extends HocuspocusProvider {
 		this.offlineStore?.savePermissionSnapshot(this.effectiveRole);
 	}
 	/**
-	* Override sendToken to send an identity declaration instead of a JWT
-	* when cryptoIdentity is configured.
+	* Override sendToken to send a pubkey-only identity declaration instead of a
+	* JWT when cryptoIdentity is configured.
+	*
+	* The public key is the sole identifier in the crypto auth handshake.
+	* Username is decoupled from auth; it lives on the server as an immutable
+	* internal field and is never sent in the challenge-response frames.
 	*/
 	async sendToken() {
 		const { cryptoIdentity } = this.abracadabraConfig;
@@ -2161,7 +2172,6 @@ var AbracadabraProvider = class AbracadabraProvider extends HocuspocusProvider {
 			const id = typeof cryptoIdentity === "function" ? await cryptoIdentity() : cryptoIdentity;
 			const json = JSON.stringify({
 				type: "identity",
-				username: id.username,
 				publicKey: id.publicKey
 			});
 			this.send(AuthenticationMessage, {
@@ -2185,7 +2195,6 @@ var AbracadabraProvider = class AbracadabraProvider extends HocuspocusProvider {
 		const signature = await signChallenge(challenge);
 		const proof = JSON.stringify({
 			type: "proof",
-			username: id.username,
 			publicKey: id.publicKey,
 			signature,
 			challenge
@@ -2203,6 +2212,10 @@ var AbracadabraProvider = class AbracadabraProvider extends HocuspocusProvider {
 	get canWrite() {
 		return this.effectiveRole === "owner" || this.effectiveRole === "editor";
 	}
+	/** The AbracadabraClient instance for REST API access, if configured. */
+	get client() {
+		return this._client;
+	}
 	/**
 	* Called when a MSG_STATELESS frame arrives from the server.
 	* Abracadabra uses stateless frames to deliver subdoc confirmations
@@ -2272,7 +2285,10 @@ var AbracadabraProvider = class AbracadabraProvider extends HocuspocusProvider {
 			WebSocketPolyfill: parentWsp.configuration.WebSocketPolyfill,
 			token: this.configuration.token,
 			subdocLoading: this.subdocLoading,
-			disableOfflineStore: this.abracadabraConfig.disableOfflineStore
+			disableOfflineStore: this.abracadabraConfig.disableOfflineStore,
+			client: this._client ?? void 0,
+			cryptoIdentity: this.abracadabraConfig.cryptoIdentity,
+			signChallenge: this.abracadabraConfig.signChallenge
 		});
 		this.childProviders.set(childId, childProvider);
 		this.emit("subdocLoaded", {
@@ -2334,6 +2350,229 @@ var AbracadabraProvider = class AbracadabraProvider extends HocuspocusProvider {
 	}
 };
 
+//#endregion
+//#region packages/provider/src/AbracadabraClient.ts
+var AbracadabraClient = class {
+	constructor(config) {
+		this.baseUrl = config.url.replace(/\/+$/, "");
+		this.persistAuth = config.persistAuth ?? typeof localStorage !== "undefined";
+		this.storageKey = config.storageKey ?? "abracadabra:auth";
+		this._fetch = config.fetch ?? globalThis.fetch.bind(globalThis);
+		this._token = config.token ?? this.loadPersistedToken() ?? null;
+	}
+	get token() {
+		return this._token;
+	}
+	set token(value) {
+		this._token = value;
+		if (this.persistAuth) if (value) this.persistToken(value);
+		else this.clearPersistedToken();
+	}
+	get isAuthenticated() {
+		return this._token !== null;
+	}
+	/** Derives ws:// or wss:// URL from the http(s) base URL. */
+	get wsUrl() {
+		return this.baseUrl.replace(/^https:\/\//, "wss://").replace(/^http:\/\//, "ws://") + "/ws";
+	}
+	/** Register a new user with password. */
+	async register(opts) {
+		return this.request("POST", "/auth/register", {
+			body: opts,
+			auth: false
+		});
+	}
+	/**
+	* Register a new user with an Ed25519 public key (crypto auth).
+	* Username is optional — if omitted, a short identifier is derived from the key.
+	*/
+	async registerWithKey(opts) {
+		const username = opts.username ?? `user-${opts.publicKey.slice(0, 8)}`;
+		return this.request("POST", "/auth/register", {
+			body: {
+				username,
+				identityPublicKey: opts.publicKey,
+				deviceName: opts.deviceName,
+				displayName: opts.displayName,
+				email: opts.email
+			},
+			auth: false
+		});
+	}
+	/** Login with username + password. Auto-persists returned token. */
+	async login(opts) {
+		const res = await this.request("POST", "/auth/login", {
+			body: opts,
+			auth: false
+		});
+		this.token = res.token;
+		return res.token;
+	}
+	/** Request an Ed25519 crypto auth challenge for the given public key. */
+	async challenge(publicKey) {
+		return this.request("POST", "/auth/challenge", {
+			body: { publicKey },
+			auth: false
+		});
+	}
+	/** Verify an Ed25519 signature to complete crypto auth. Auto-persists token. */
+	async verify(opts) {
+		const res = await this.request("POST", "/auth/verify", {
+			body: opts,
+			auth: false
+		});
+		this.token = res.token;
+		return res.token;
+	}
+	/**
+	* Full crypto auth flow: challenge → sign → verify.
+	* Convenience method combining challenge() + external signing + verify().
+	*/
+	async loginWithKey(publicKey, signChallenge) {
+		const { challenge } = await this.challenge(publicKey);
+		const signature = await signChallenge(challenge);
+		return this.verify({
+			publicKey,
+			signature,
+			challenge
+		});
+	}
+	/** Add a new Ed25519 public key to the current user (multi-device). */
+	async addKey(opts) {
+		await this.request("POST", "/auth/keys", { body: opts });
+	}
+	/** List all registered public keys for the current user. */
+	async listKeys() {
+		return (await this.request("GET", "/auth/keys")).keys;
+	}
+	/** Revoke a public key by its ID. */
+	async revokeKey(keyId) {
+		await this.request("DELETE", `/auth/keys/${encodeURIComponent(keyId)}`);
+	}
+	/** Clear token from memory and storage. */
+	logout() {
+		this.token = null;
+	}
+	/** Get the current user's profile. */
+	async getMe() {
+		return this.request("GET", "/users/me");
+	}
+	/** Update the current user's display name. */
+	async updateMe(opts) {
+		await this.request("PATCH", "/users/me", { body: opts });
+	}
+	/** Create a new root document. Returns its metadata. */
+	async createDoc(opts) {
+		return this.request("POST", "/docs", { body: opts ?? {} });
+	}
+	/** Get document metadata. */
+	async getDoc(docId) {
+		return this.request("GET", `/docs/${encodeURIComponent(docId)}`);
+	}
+	/** Delete a document (requires Owner role). Cascades to children and uploads. */
+	async deleteDoc(docId) {
+		await this.request("DELETE", `/docs/${encodeURIComponent(docId)}`);
+	}
+	/** List immediate child documents. */
+	async listChildren(docId) {
+		return (await this.request("GET", `/docs/${encodeURIComponent(docId)}/children`)).children;
+	}
+	/** Create a child document under a parent (requires write permission). */
+	async createChild(docId, opts) {
+		return this.request("POST", `/docs/${encodeURIComponent(docId)}/children`, { body: opts ?? {} });
+	}
+	/** Grant or change a user's role on a document (requires Owner). */
+	async setPermission(docId, opts) {
+		await this.request("POST", `/docs/${encodeURIComponent(docId)}/permissions`, { body: opts });
+	}
+	/** Revoke a user's permission on a document (requires Owner). */
+	async removePermission(docId, opts) {
+		await this.request("DELETE", `/docs/${encodeURIComponent(docId)}/permissions`, { body: opts });
+	}
+	/** Upload a file to a document (requires write permission). */
+	async upload(docId, file, filename) {
+		const formData = new FormData();
+		formData.append("file", file, filename);
+		const headers = {};
+		if (this._token) headers["Authorization"] = `Bearer ${this._token}`;
+		const res = await this._fetch(`${this.baseUrl}/docs/${encodeURIComponent(docId)}/uploads`, {
+			method: "POST",
+			headers,
+			body: formData
+		});
+		if (!res.ok) throw await this.toError(res);
+		return res.json();
+	}
+	/** List all uploads for a document. */
+	async listUploads(docId) {
+		return (await this.request("GET", `/docs/${encodeURIComponent(docId)}/uploads`)).uploads;
+	}
+	/** Download an upload as a Blob. */
+	async getUpload(docId, uploadId) {
+		const headers = {};
+		if (this._token) headers["Authorization"] = `Bearer ${this._token}`;
+		const res = await this._fetch(`${this.baseUrl}/docs/${encodeURIComponent(docId)}/uploads/${encodeURIComponent(uploadId)}`, {
+			method: "GET",
+			headers
+		});
+		if (!res.ok) throw await this.toError(res);
+		return res.blob();
+	}
+	/** Delete an upload (requires uploader or document Owner). */
+	async deleteUpload(docId, uploadId) {
+		await this.request("DELETE", `/docs/${encodeURIComponent(docId)}/uploads/${encodeURIComponent(uploadId)}`);
+	}
+	/** Health check — no auth required. */
+	async health() {
+		return this.request("GET", "/health", { auth: false });
+	}
+	async request(method, path, opts) {
+		const auth = opts?.auth ?? true;
+		const headers = {};
+		if (auth && this._token) headers["Authorization"] = `Bearer ${this._token}`;
+		const init = {
+			method,
+			headers
+		};
+		if (opts?.body !== void 0) {
+			headers["Content-Type"] = "application/json";
+			init.body = JSON.stringify(opts.body);
+		}
+		const res = await this._fetch(`${this.baseUrl}${path}`, init);
+		if (!res.ok) throw await this.toError(res);
+		if (res.status === 204) return;
+		return res.json();
+	}
+	async toError(res) {
+		let message;
+		try {
+			message = (await res.json()).error ?? res.statusText;
+		} catch {
+			message = res.statusText;
+		}
+		const err = new Error(message);
+		err.status = res.status;
+		return err;
+	}
+	loadPersistedToken() {
+		try {
+			return localStorage.getItem(this.storageKey);
+		} catch {
+			return null;
+		}
+	}
+	persistToken(token) {
+		try {
+			localStorage.setItem(this.storageKey, token);
+		} catch {}
+	}
+	clearPersistedToken() {
+		try {
+			localStorage.removeItem(this.storageKey);
+		} catch {}
+	}
+};
+
 //#endregion
 //#region node_modules/@noble/hashes/esm/utils.js
 /** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
@@ -3151,7 +3390,13 @@ var CryptoIdentityKeystore = class {
 		db.close();
 		return stored?.publicKey ?? null;
 	}
-	/** Returns the stored username, or null if no identity exists. */
+	/**
+	* Returns the locally-stored internal username label, or null if no identity exists.
+	*
+	* This is NOT the auth identifier (the public key is). It can be used as a
+	* hint when calling POST /auth/register, or displayed before the user sets
+	* a real display name via PATCH /users/me.
+	*/
 	async getUsername() {
 		const db = await openDb();
 		const stored = await dbGet(db);
@@ -3174,6 +3419,7 @@ var CryptoIdentityKeystore = class {
 };
 
 //#endregion
+exports.AbracadabraClient = AbracadabraClient;
 exports.AbracadabraProvider = AbracadabraProvider;
 exports.AwarenessError = AwarenessError;
 exports.CryptoIdentityKeystore = CryptoIdentityKeystore;