@abraca/dabra 1.1.2 → 1.3.0

package/dist/abracadabra-provider.cjs

@@ -7101,15 +7101,60 @@ const ristretto255_oprf = createORPF({
 /**
 * CryptoIdentityKeystore
 *
-* Per-device Ed25519 keypair, private key protected by WebAuthn PRF + AES-256-GCM.
-* Stored in IndexedDB under "abracadabra:identity" / "identity" / key "current".
-*
-* No private key is ever shared between devices. Each device generates its own
-* keypair, encrypts the private key with the PRF output from its own WebAuthn
-* credential, and stores the ciphertext in IndexedDB.
-*
-* Dependencies: @noble/ed25519, @noble/hashes (for HKDF)
-*/
+* Per-user Ed25519 keypair derived deterministically from a synced WebAuthn
+* passkey's PRF extension output. The same passkey on any device produces the
+* same identity — no private key storage needed.
+*
+* Derivation chain:
+*   Synced Passkey → PRF(constant salt) → HKDF-SHA256 → Ed25519 seed → keypair
+*
+* IndexedDB is used only as a lightweight cache for the public key and
+* credential ID. Loss of IndexedDB is non-catastrophic — a passkey assertion
+* re-derives everything.
+*
+* Dependencies: @noble/ed25519, @noble/hashes (for HKDF), @noble/curves (for X25519)
+*/
+/**
+* Fixed PRF eval salt. Must be constant across all devices so the same synced
+* passkey produces the same PRF output everywhere.
+*
+* Value: SHA-256("abracadabra-prf-salt-v1"), precomputed.
+*/
+const PRF_SALT = new Uint8Array([
+	183,
+	121,
+	65,
+	162,
+	231,
+	133,
+	29,
+	250,
+	94,
+	193,
+	171,
+	182,
+	80,
+	26,
+	92,
+	133,
+	117,
+	253,
+	62,
+	63,
+	146,
+	201,
+	225,
+	167,
+	78,
+	186,
+	113,
+	252,
+	242,
+	177,
+	18,
+	207
+]);
+const HKDF_INFO$2 = new TextEncoder().encode("abracadabra-identity-v1");
 function toBase64url(bytes) {
 	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
@@ -7121,61 +7166,88 @@ function fromBase64url(b64) {
 }
 const DB_NAME = "abracadabra:identity";
 const STORE_NAME = "identity";
-const RECORD_KEY = "current";
-const HKDF_INFO$2 = new TextEncoder().encode("abracadabra-identity-v1");
 function openDb$4() {
 	return new Promise((resolve, reject) => {
-		const req = indexedDB.open(DB_NAME, 1);
+		const req = indexedDB.open(DB_NAME, 2);
 		req.onupgradeneeded = () => {
-			req.result.createObjectStore(STORE_NAME);
+			const db = req.result;
+			if (!db.objectStoreNames.contains(STORE_NAME)) db.createObjectStore(STORE_NAME);
 		};
 		req.onsuccess = () => resolve(req.result);
 		req.onerror = () => reject(req.error);
 	});
 }
-async function dbGet(db) {
+async function dbGetAll(db) {
+	return new Promise((resolve, reject) => {
+		const store = db.transaction(STORE_NAME, "readonly").objectStore(STORE_NAME);
+		const results = [];
+		const req = store.openCursor();
+		req.onsuccess = () => {
+			const cursor = req.result;
+			if (cursor) {
+				results.push({
+					key: cursor.key,
+					value: cursor.value
+				});
+				cursor.continue();
+			} else resolve(results);
+		};
+		req.onerror = () => reject(req.error);
+	});
+}
+async function dbGet(db, key) {
 	return new Promise((resolve, reject) => {
-		const req = db.transaction(STORE_NAME, "readonly").objectStore(STORE_NAME).get(RECORD_KEY);
+		const req = db.transaction(STORE_NAME, "readonly").objectStore(STORE_NAME).get(key);
 		req.onsuccess = () => resolve(req.result);
 		req.onerror = () => reject(req.error);
 	});
 }
-async function dbPut(db, value) {
+async function dbPut(db, key, value) {
 	return new Promise((resolve, reject) => {
-		const req = db.transaction(STORE_NAME, "readwrite").objectStore(STORE_NAME).put(value, RECORD_KEY);
+		const req = db.transaction(STORE_NAME, "readwrite").objectStore(STORE_NAME).put(value, key);
 		req.onsuccess = () => resolve();
 		req.onerror = () => reject(req.error);
 	});
 }
-async function dbDelete(db) {
+async function dbClear(db) {
 	return new Promise((resolve, reject) => {
-		const req = db.transaction(STORE_NAME, "readwrite").objectStore(STORE_NAME).delete(RECORD_KEY);
+		const req = db.transaction(STORE_NAME, "readwrite").objectStore(STORE_NAME).clear();
 		req.onsuccess = () => resolve();
 		req.onerror = () => reject(req.error);
 	});
 }
-async function deriveAesKey(prfOutput, salt) {
-	const keyBytes = hkdf(sha256, new Uint8Array(prfOutput), salt, HKDF_INFO$2, 32);
-	return crypto.subtle.importKey("raw", keyBytes, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
+/** Derive a 32-byte Ed25519 seed from raw PRF output. */
+function deriveEd25519Seed(prfOutput) {
+	return hkdf(sha256, new Uint8Array(prfOutput), PRF_SALT, HKDF_INFO$2, 32);
+}
+function extractPrfOutput(credential) {
+	const prfOutput = credential.getClientExtensionResults()?.prf?.results?.first;
+	if (!prfOutput) throw new Error("WebAuthn PRF extension not available on this authenticator. A PRF-capable platform authenticator (e.g. iCloud Keychain) is required.");
+	return prfOutput;
 }
 var CryptoIdentityKeystore = class {
 	/**
-	* One-time setup for a device: generates an Ed25519 keypair, creates a
-	* WebAuthn credential with PRF extension, encrypts the private key, and
-	* stores everything in IndexedDB.
-	*
-	* Returns the base64url-encoded public key. The caller must register this
-	* key with the server via POST /auth/register (first device) or
-	* POST /auth/keys (additional device).
+	* Check whether the platform supports WebAuthn with PRF extension.
+	* Call this before offering the "Secure with Passkey" option.
+	*/
+	static async isPrfAvailable() {
+		if (typeof window === "undefined" || !window.PublicKeyCredential) return false;
+		try {
+			if (!await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()) return false;
+			return true;
+		} catch {
+			return false;
+		}
+	}
+	/**
+	* Create a synced discoverable passkey and derive the Ed25519 identity from
+	* its PRF output. The passkey is stored in the platform credential manager
+	* (e.g. iCloud Keychain) and syncs across devices automatically.
 	*
-	* @param username  - The user's account name.
-	* @param rpId      - WebAuthn relying party ID (e.g. "example.com").
-	* @param rpName    - Human-readable relying party name.
+	* Returns the base64url-encoded public key, X25519 public key, and credential ID.
+	* The caller must register the public key with the server.
 	*/
 	async register(username, rpId, rpName) {
-		const privateKey = _noble_ed25519.utils.randomPrivateKey();
-		const publicKey = await _noble_ed25519.getPublicKeyAsync(privateKey);
-		const salt = crypto.getRandomValues(new Uint8Array(32));
 		const credential = await navigator.credentials.create({ publicKey: {
 			challenge: crypto.getRandomValues(new Uint8Array(32)),
 			rp: {
@@ -7194,151 +7266,222 @@ var CryptoIdentityKeystore = class {
 				alg: -257,
 				type: "public-key"
 			}],
-			authenticatorSelection: { userVerification: "required" },
-			extensions: { prf: { eval: { first: salt.buffer } } }
+			authenticatorSelection: {
+				residentKey: "required",
+				requireResidentKey: true,
+				userVerification: "required"
+			},
+			extensions: { prf: { eval: { first: PRF_SALT.buffer } } }
 		} });
-		if (!credential) throw new Error("WebAuthn credential creation failed");
-		const prfOutput = credential.getClientExtensionResults()?.prf?.results?.first;
-		if (!prfOutput) throw new Error("WebAuthn PRF extension not available on this authenticator. A PRF-capable authenticator (e.g. platform authenticator with PRF support) is required.");
-		const aesKey = await deriveAesKey(prfOutput, salt);
-		const iv = crypto.getRandomValues(new Uint8Array(12));
-		const encryptedPrivateKey = await crypto.subtle.encrypt({
-			name: "AES-GCM",
-			iv
-		}, aesKey, privateKey);
+		if (!credential) throw new Error("WebAuthn credential creation cancelled");
+		const seed = deriveEd25519Seed(extractPrfOutput(credential));
+		const publicKey = await _noble_ed25519.getPublicKeyAsync(seed);
+		const publicKeyB64 = toBase64url(publicKey);
+		const x25519PubB64 = toBase64url(ed25519.utils.toMontgomery(publicKey));
+		const credentialIdB64 = toBase64url(new Uint8Array(credential.rawId));
 		const db = await openDb$4();
-		await dbPut(db, {
+		await dbPut(db, credentialIdB64, {
 			username,
-			publicKey: toBase64url(publicKey),
-			encryptedPrivateKey,
-			iv,
-			salt,
+			publicKey: publicKeyB64,
 			credentialId: credential.rawId
 		});
 		db.close();
-		const x25519Pub = ed25519.utils.toMontgomery(publicKey);
+		seed.fill(0);
 		return {
-			publicKey: toBase64url(publicKey),
-			x25519PublicKey: toBase64url(x25519Pub)
+			publicKey: publicKeyB64,
+			x25519PublicKey: x25519PubB64,
+			credentialId: credentialIdB64
 		};
 	}
 	/**
-	* Sign a base64url-encoded challenge using the stored Ed25519 private key.
-	*
-	* This triggers a WebAuthn assertion (biometric / PIN prompt) to unlock the
-	* private key via PRF → HKDF → AES-GCM decryption. The private key is
-	* wiped from memory after signing.
+	* Sign a base64url-encoded challenge using the Ed25519 key derived from
+	* a passkey assertion. Triggers a WebAuthn prompt (biometric / PIN).
 	*
 	* @param challengeB64 - base64url-encoded challenge bytes from the server.
+	* @param credentialIdHint - optional credential ID to select a specific passkey.
 	* @returns base64url-encoded Ed25519 signature (64 bytes).
 	*/
-	async sign(challengeB64) {
+	async sign(challengeB64, credentialIdHint) {
+		const { seed } = await this._assertAndDerive(credentialIdHint);
+		try {
+			const challengeBytes = fromBase64url(challengeB64);
+			return toBase64url(await _noble_ed25519.signAsync(challengeBytes, seed));
+		} finally {
+			seed.fill(0);
+		}
+	}
+	/**
+	* Returns the cached base64url public key, or null if no identity is cached.
+	*
+	* Does NOT trigger a WebAuthn prompt. If the cache is empty (e.g. IndexedDB
+	* cleared), returns null — the identity can be recovered via sign() or
+	* a fresh register() with the same synced passkey.
+	*/
+	async getPublicKey(credentialIdHint) {
 		const db = await openDb$4();
-		const stored = await dbGet(db);
-		db.close();
-		if (!stored) throw new Error("No identity stored. Call register() first.");
-		const assertion = await navigator.credentials.get({ publicKey: {
-			challenge: crypto.getRandomValues(new Uint8Array(32)),
-			allowCredentials: [{
-				id: stored.credentialId,
-				type: "public-key"
-			}],
-			userVerification: "required",
-			extensions: { prf: { eval: { first: stored.salt.buffer } } }
-		} });
-		if (!assertion) throw new Error("WebAuthn assertion failed");
-		const prfOutput = assertion.getClientExtensionResults()?.prf?.results?.first;
-		if (!prfOutput) throw new Error("PRF output not available from authenticator");
-		const aesKey = await deriveAesKey(prfOutput, stored.salt);
-		const privateKeyBytes = await crypto.subtle.decrypt({
-			name: "AES-GCM",
-			iv: stored.iv
-		}, aesKey, stored.encryptedPrivateKey);
-		const privateKey = new Uint8Array(privateKeyBytes);
-		const challengeBytes = fromBase64url(challengeB64);
-		const signature = await _noble_ed25519.signAsync(challengeBytes, privateKey);
-		privateKey.fill(0);
-		return toBase64url(signature);
-	}
-	/** Returns the stored base64url public key, or null if no identity exists. */
-	async getPublicKey() {
+		try {
+			if (credentialIdHint) return (await dbGet(db, credentialIdHint))?.publicKey ?? null;
+			const all = await dbGetAll(db);
+			return all.length > 0 ? all[0].value.publicKey : null;
+		} finally {
+			db.close();
+		}
+	}
+	/**
+	* Returns the locally-cached username label, or null if no identity is cached.
+	*/
+	async getUsername(credentialIdHint) {
 		const db = await openDb$4();
-		const stored = await dbGet(db);
-		db.close();
-		return stored?.publicKey ?? null;
+		try {
+			if (credentialIdHint) return (await dbGet(db, credentialIdHint))?.username ?? null;
+			const all = await dbGetAll(db);
+			return all.length > 0 ? all[0].value.username : null;
+		} finally {
+			db.close();
+		}
 	}
 	/**
-	* Returns the locally-stored internal username label, or null if no identity exists.
-	*
-	* This is NOT the auth identifier (the public key is). It can be used as a
-	* hint when calling POST /auth/register, or displayed before the user sets
-	* a real display name via PATCH /users/me.
+	* Updates the cached username for a given credential (or the first cached identity).
+	* Call this after the user sets/changes their display name so it persists across devices.
 	*/
-	async getUsername() {
+	async setUsername(username, credentialIdHint) {
 		const db = await openDb$4();
-		const stored = await dbGet(db);
-		db.close();
-		return stored?.username ?? null;
+		try {
+			if (credentialIdHint) {
+				const stored = await dbGet(db, credentialIdHint);
+				if (stored) await dbPut(db, credentialIdHint, {
+					...stored,
+					username
+				});
+			} else {
+				const all = await dbGetAll(db);
+				if (all.length > 0) await dbPut(db, all[0].key, {
+					...all[0].value,
+					username
+				});
+			}
+		} finally {
+			db.close();
+		}
 	}
-	/** Returns true if an identity is stored in IndexedDB. */
+	/** Returns true if an identity is cached in IndexedDB. */
 	async hasIdentity() {
 		const db = await openDb$4();
-		const stored = await dbGet(db);
-		db.close();
-		return stored !== void 0;
+		try {
+			return (await dbGetAll(db)).length > 0;
+		} finally {
+			db.close();
+		}
 	}
-	/** Remove the stored identity from IndexedDB. */
+	/** Remove cached identity record(s) from IndexedDB. The passkey itself
+	*  remains in the platform credential store. */
 	async clear() {
 		const db = await openDb$4();
-		await dbDelete(db);
+		await dbClear(db);
 		db.close();
 	}
 	/**
-	* Returns the X25519 public key derived from the stored Ed25519 private key.
-	* Does NOT require WebAuthn — computed from the stored encrypted key... actually
-	* we derive from the Ed25519 public key directly (Montgomery form), no decryption needed
-	* since nobleEd25519Curves.utils.toMontgomery only needs the public key.
-	* Returns null if no identity is stored.
+	* Returns the X25519 public key derived from the cached Ed25519 public key.
+	* Does NOT require WebAuthn — computed from the cached public key only.
+	* Returns null if no identity is cached.
 	*/
 	async getX25519PublicKey() {
 		const db = await openDb$4();
-		const stored = await dbGet(db);
-		db.close();
-		if (!stored) return null;
-		const edPub = fromBase64url(stored.publicKey);
-		return ed25519.utils.toMontgomery(edPub);
+		try {
+			const all = await dbGetAll(db);
+			if (all.length === 0) return null;
+			const edPub = fromBase64url(all[0].value.publicKey);
+			return ed25519.utils.toMontgomery(edPub);
+		} finally {
+			db.close();
+		}
 	}
 	/**
-	* Returns the X25519 private key derived from the stored Ed25519 private key.
-	* Requires WebAuthn assertion to decrypt the private key.
+	* Returns the X25519 private key derived from the Ed25519 seed.
+	* Requires a WebAuthn assertion to get the PRF output.
 	* The caller MUST wipe the returned Uint8Array after use.
 	*/
-	async getX25519PrivateKey() {
+	async getX25519PrivateKey(credentialIdHint) {
+		const { seed } = await this._assertAndDerive(credentialIdHint);
+		try {
+			return ed25519.utils.toMontgomerySecret(seed);
+		} finally {
+			seed.fill(0);
+		}
+	}
+	/**
+	* Trigger a WebAuthn assertion to derive (or re-derive) the identity and
+	* update the IndexedDB cache. Returns the public key and credential ID.
+	*
+	* Use this when the cache is empty but you need the public key before
+	* signing (e.g. to send it to the server for the challenge request).
+	*/
+	async deriveIdentity(credentialIdHint) {
+		const { seed, publicKeyB64, credentialIdB64 } = await this._assertAndDerive(credentialIdHint);
+		seed.fill(0);
+		return {
+			publicKey: publicKeyB64,
+			credentialId: credentialIdB64
+		};
+	}
+	/**
+	* List all cached credential IDs. Useful for account switching UI.
+	*/
+	async listCachedIdentities() {
 		const db = await openDb$4();
-		const stored = await dbGet(db);
-		db.close();
-		if (!stored) throw new Error("No identity stored. Call register() first.");
+		try {
+			return (await dbGetAll(db)).map(({ key, value }) => ({
+				credentialId: key,
+				publicKey: value.publicKey,
+				username: value.username
+			}));
+		} finally {
+			db.close();
+		}
+	}
+	/**
+	* Perform a WebAuthn assertion with PRF, derive the Ed25519 seed, and
+	* update the IndexedDB cache. Returns the seed (caller MUST wipe it).
+	*/
+	async _assertAndDerive(credentialIdHint) {
+		const allowCredentials = [];
+		if (credentialIdHint) allowCredentials.push({
+			id: fromBase64url(credentialIdHint),
+			type: "public-key"
+		});
+		else try {
+			const db = await openDb$4();
+			const all = await dbGetAll(db);
+			db.close();
+			for (const { value } of all) allowCredentials.push({
+				id: value.credentialId,
+				type: "public-key"
+			});
+		} catch {}
 		const assertion = await navigator.credentials.get({ publicKey: {
 			challenge: crypto.getRandomValues(new Uint8Array(32)),
-			allowCredentials: [{
-				id: stored.credentialId,
-				type: "public-key"
-			}],
+			...allowCredentials.length > 0 ? { allowCredentials } : {},
 			userVerification: "required",
-			extensions: { prf: { eval: { first: stored.salt.buffer } } }
+			extensions: { prf: { eval: { first: PRF_SALT.buffer } } }
 		} });
-		if (!assertion) throw new Error("WebAuthn assertion failed");
-		const prfOutput = assertion.getClientExtensionResults()?.prf?.results?.first;
-		if (!prfOutput) throw new Error("PRF output not available from authenticator");
-		const aesKey = await deriveAesKey(prfOutput, stored.salt);
-		const privateKeyBytes = await crypto.subtle.decrypt({
-			name: "AES-GCM",
-			iv: stored.iv
-		}, aesKey, stored.encryptedPrivateKey);
-		const edPrivKey = new Uint8Array(privateKeyBytes);
-		const x25519Priv = ed25519.utils.toMontgomerySecret(edPrivKey);
-		edPrivKey.fill(0);
-		return x25519Priv;
+		if (!assertion) throw new Error("WebAuthn assertion cancelled");
+		const seed = deriveEd25519Seed(extractPrfOutput(assertion));
+		const publicKeyB64 = toBase64url(await _noble_ed25519.getPublicKeyAsync(seed));
+		const credentialIdB64 = toBase64url(new Uint8Array(assertion.rawId));
+		try {
+			const db = await openDb$4();
+			await dbPut(db, credentialIdB64, {
+				username: (await dbGet(db, credentialIdB64))?.username ?? "",
+				publicKey: publicKeyB64,
+				credentialId: assertion.rawId
+			});
+			db.close();
+		} catch {}
+		return {
+			seed,
+			publicKeyB64,
+			credentialIdB64
+		};
 	}
 };
 
@@ -8495,7 +8638,7 @@ var BackgroundSyncManager = class extends EventEmitter {
 			concurrency: opts?.concurrency ?? 2,
 			syncTimeout: opts?.syncTimeout ?? 15e3,
 			prefetchFiles: opts?.prefetchFiles ?? true,
-			throttleMs: opts?.throttleMs ?? 50,
+			throttleMs: opts?.throttleMs ?? 200,
 			maxRetries: opts?.maxRetries ?? 2
 		};
 		let serverOrigin = "default";
@@ -9865,6 +10008,8 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 		this.yjsChannels = /* @__PURE__ */ new Map();
 		this.fileChannels = /* @__PURE__ */ new Map();
 		this.e2eeChannels = /* @__PURE__ */ new Map();
+		this._resolvedE2ee = null;
+		this._resolveE2eePromise = null;
 		this.peers = /* @__PURE__ */ new Map();
 		this.localPeerId = null;
 		this.isConnected = false;
@@ -10131,9 +10276,27 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 		this.attachDataHandlers(peerId, pc);
 		return pc;
 	}
+	/** Resolve the E2EE identity, supporting both pre-resolved objects and lazy factories. */
+	async resolveE2ee() {
+		if (this._resolvedE2ee) return this._resolvedE2ee;
+		if (!this.config.e2ee) return null;
+		if (typeof this.config.e2ee === "function") {
+			if (!this._resolveE2eePromise) this._resolveE2eePromise = this.config.e2ee().then((id) => {
+				this._resolvedE2ee = id;
+				return id;
+			});
+			return this._resolveE2eePromise;
+		}
+		this._resolvedE2ee = this.config.e2ee;
+		return this._resolvedE2ee;
+	}
 	attachDataHandlers(peerId, pc) {
-		if (this.config.e2ee) {
-			const e2ee = new E2EEChannel(this.config.e2ee, this.config.docId);
+		if (this.config.e2ee) this.resolveE2ee().then((identity) => {
+			if (!identity) {
+				this.startDataSync(peerId, pc);
+				return;
+			}
+			const e2ee = new E2EEChannel(identity, this.config.docId);
 			this.e2eeChannels.set(peerId, e2ee);
 			pc.router.setEncryptor(e2ee);
 			pc.router.on("channelMessage", async ({ name, data }) => {
@@ -10160,7 +10323,14 @@ var AbracadabraWebRTC = class AbracadabraWebRTC extends EventEmitter {
 					error: err
 				});
 			});
-		} else this.startDataSync(peerId, pc);
+		}).catch((err) => {
+			this.emit("e2eeFailed", {
+				peerId,
+				error: err
+			});
+			this.startDataSync(peerId, pc);
+		});
+		else this.startDataSync(peerId, pc);
 	}
 	startDataSync(peerId, pc) {
 		if (this.config.document && this.config.enableDocSync) {