@abraca/dabra 1.2.0 → 1.3.1

package/dist/index.d.ts

@@ -340,6 +340,28 @@ declare class AbracadabraClient {
       publicKey: string;
     };
   }>;
+  /** Request a device session token after successful crypto auth. Requires valid JWT. */
+  requestDeviceSession(opts: {
+    publicKey: string;
+    deviceName?: string;
+  }): Promise<{
+    sessionId: string;
+    sessionToken: string;
+    expiresAt: number;
+  }>;
+  /** Exchange a device session token for a fresh JWT. No biometric/passkey needed. */
+  refreshWithDeviceSession(sessionToken: string): Promise<string>;
+  /** List active device sessions for the authenticated user. */
+  listDeviceSessions(): Promise<Array<{
+    id: string;
+    keyId: string;
+    deviceName?: string;
+    issuedAt: number;
+    expiresAt: number;
+    lastUsedAt?: number;
+  }>>;
+  /** Revoke a device session by ID. */
+  revokeDeviceSession(sessionId: string): Promise<void>;
   /**
    * Fetch a short-lived anonymous pairing token for WebRTC signaling.
    * No authentication required. The token only grants access to `__pairing_*` rooms.
@@ -584,6 +606,11 @@ declare class CryptoIdentityKeystore {
    * Returns the locally-cached username label, or null if no identity is cached.
    */
   getUsername(credentialIdHint?: string): Promise<string | null>;
+  /**
+   * Updates the cached username for a given credential (or the first cached identity).
+   * Call this after the user sets/changes their display name so it persists across devices.
+   */
+  setUsername(username: string, credentialIdHint?: string): Promise<void>;
   /** Returns true if an identity is cached in IndexedDB. */
   hasIdentity(): Promise<boolean>;
   /** Remove cached identity record(s) from IndexedDB. The passkey itself
@@ -2060,7 +2087,7 @@ interface AbracadabraWebRTCConfiguration {
    * When provided, all data channel messages (except key-exchange) are
    * encrypted with AES-256-GCM using X25519 ECDH-derived session keys.
    */
-  e2ee?: E2EEIdentity;
+  e2ee?: E2EEIdentity | (() => Promise<E2EEIdentity>);
   /** WebSocket polyfill for signaling (e.g. for Node.js). */
   WebSocketPolyfill?: any;
 }
@@ -2121,6 +2148,9 @@ declare class AbracadabraWebRTC extends EventEmitter {
   private fileChannels;
   private e2eeChannels;
   private readonly config;
+  /** Cached resolved E2EE identity (lazily resolved from factory on first peer connect). */
+  private _resolvedE2ee;
+  private _resolveE2eePromise;
   readonly peers: Map<string, PeerState>;
   localPeerId: string | null;
   isConnected: boolean;
@@ -2157,6 +2187,8 @@ declare class AbracadabraWebRTC extends EventEmitter {
   private removePeer;
   private removeAllPeers;
   private createPeerConnection;
+  /** Resolve the E2EE identity, supporting both pre-resolved objects and lazy factories. */
+  private resolveE2ee;
   private attachDataHandlers;
   private startDataSync;
   private initiateConnection;
@@ -2530,8 +2562,8 @@ interface IdentityDocConfiguration {
    */
   webrtc?: {
     /** Server URL to use for signaling (any connected server works). */signalingServerUrl: string; /** Token for the signaling server. */
-    token: string | (() => string) | (() => Promise<string>); /** E2EE identity for the data channel. */
-    e2ee?: E2EEIdentity; /** ICE servers. */
+    token: string | (() => string) | (() => Promise<string>); /** E2EE identity for the data channel. Accepts a factory for lazy derivation. */
+    e2ee?: E2EEIdentity | (() => Promise<E2EEIdentity>); /** ICE servers. */
     iceServers?: RTCIceServer[];
   };
   /** Disable IndexedDB offline store. */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abraca/dabra",
-  "version": "1.2.0",
+  "version": "1.3.1",
   "description": "abracadabra provider",
   "keywords": [
     "abracadabra",

package/src/AbracadabraClient.ts

@@ -227,6 +227,43 @@ export class AbracadabraClient {
 		});
 	}
 
+	// ── Device Sessions ────────────────────────────────────────────────────
+
+	/** Request a device session token after successful crypto auth. Requires valid JWT. */
+	async requestDeviceSession(opts: {
+		publicKey: string;
+		deviceName?: string;
+	}): Promise<{ sessionId: string; sessionToken: string; expiresAt: number }> {
+		return this.request("POST", "/auth/device-session", {
+			body: { publicKey: opts.publicKey, deviceName: opts.deviceName },
+		});
+	}
+
+	/** Exchange a device session token for a fresh JWT. No biometric/passkey needed. */
+	async refreshWithDeviceSession(sessionToken: string): Promise<string> {
+		const res = await this.request<{ token: string }>("POST", "/auth/refresh", {
+			body: { sessionToken },
+			auth: false,
+		});
+		this.token = res.token;
+		return res.token;
+	}
+
+	/** List active device sessions for the authenticated user. */
+	async listDeviceSessions(): Promise<
+		Array<{ id: string; keyId: string; deviceName?: string; issuedAt: number; expiresAt: number; lastUsedAt?: number }>
+	> {
+		const res = await this.request<{
+			sessions: Array<{ id: string; keyId: string; deviceName?: string; issuedAt: number; expiresAt: number; lastUsedAt?: number }>;
+		}>("GET", "/auth/device-session");
+		return res.sessions;
+	}
+
+	/** Revoke a device session by ID. */
+	async revokeDeviceSession(sessionId: string): Promise<void> {
+		await this.request("DELETE", `/auth/device-session/${encodeURIComponent(sessionId)}`);
+	}
+
 	// ── Pairing ─────────────────────────────────────────────────────────────
 
 	/**

package/src/CryptoIdentityKeystore.ts

@@ -322,6 +322,29 @@ export class CryptoIdentityKeystore {
 		}
 	}
 
+	/**
+	 * Updates the cached username for a given credential (or the first cached identity).
+	 * Call this after the user sets/changes their display name so it persists across devices.
+	 */
+	async setUsername(username: string, credentialIdHint?: string): Promise<void> {
+		const db = await openDb();
+		try {
+			if (credentialIdHint) {
+				const stored = await dbGet(db, credentialIdHint);
+				if (stored) {
+					await dbPut(db, credentialIdHint, { ...stored, username });
+				}
+			} else {
+				const all = await dbGetAll(db);
+				if (all.length > 0) {
+					await dbPut(db, all[0].key, { ...all[0].value, username });
+				}
+			}
+		} finally {
+			db.close();
+		}
+	}
+
 	/** Returns true if an identity is cached in IndexedDB. */
 	async hasIdentity(): Promise<boolean> {
 		const db = await openDb();

package/src/IdentityDoc.ts

@@ -132,8 +132,8 @@ export interface IdentityDocConfiguration {
 		signalingServerUrl: string;
 		/** Token for the signaling server. */
 		token: string | (() => string) | (() => Promise<string>);
-		/** E2EE identity for the data channel. */
-		e2ee?: E2EEIdentity;
+		/** E2EE identity for the data channel. Accepts a factory for lazy derivation. */
+		e2ee?: E2EEIdentity | (() => Promise<E2EEIdentity>);
 		/** ICE servers. */
 		iceServers?: RTCIceServer[];
 	};

package/src/webrtc/AbracadabraWebRTC.ts

@@ -49,10 +49,14 @@ export class AbracadabraWebRTC extends EventEmitter {
 		enableAwarenessSync: boolean;
 		enableFileTransfer: boolean;
 		fileChunkSize: number;
-		e2ee: E2EEIdentity | null;
+		e2ee: E2EEIdentity | (() => Promise<E2EEIdentity>) | null;
 		WebSocketPolyfill: any;
 	};
 
+	/** Cached resolved E2EE identity (lazily resolved from factory on first peer connect). */
+	private _resolvedE2ee: E2EEIdentity | null = null;
+	private _resolveE2eePromise: Promise<E2EEIdentity> | null = null;
+
 	public readonly peers = new Map<string, PeerState>();
 	public localPeerId: string | null = null;
 	public isConnected = false;
@@ -284,6 +288,9 @@ export class AbracadabraWebRTC extends EventEmitter {
 			this.signaling = null;
 		}
 
+		this._resolvedE2ee = null;
+		this._resolveE2eePromise = null;
+
 		this.removeAllListeners();
 	}
 
@@ -471,45 +478,92 @@ export class AbracadabraWebRTC extends EventEmitter {
 		return pc;
 	}
 
+	/** Resolve the E2EE identity, supporting both pre-resolved objects and lazy factories. */
+	private async resolveE2ee(): Promise<E2EEIdentity | null> {
+		if (this._resolvedE2ee) return this._resolvedE2ee;
+		if (!this.config.e2ee) return null;
+		if (typeof this.config.e2ee === "function") {
+			if (!this._resolveE2eePromise) {
+				this._resolveE2eePromise = this.config.e2ee().then((id) => {
+					this._resolvedE2ee = id;
+					return id;
+				});
+			}
+			return this._resolveE2eePromise;
+		}
+		this._resolvedE2ee = this.config.e2ee;
+		return this._resolvedE2ee;
+	}
+
 	private attachDataHandlers(peerId: string, pc: PeerConnection): void {
-		// Set up E2EE if configured.
-		if (this.config.e2ee) {
-			const e2ee = new E2EEChannel(this.config.e2ee, this.config.docId);
+		if (!this.config.e2ee) {
+			this.startDataSync(peerId, pc);
+			return;
+		}
+
+		// E2EE identity may resolve asynchronously (e.g. lazy passkey-derived key).
+		// Register handlers synchronously so no messages are lost during resolution.
+		let e2ee: E2EEChannel | null = null;
+		const pendingMessages: Uint8Array[] = [];
+		let pendingKeyExchangeChannel: RTCDataChannel | null = null;
+
+		pc.router.on("channelMessage", async ({ name, data }: { name: string; data: any }) => {
+			if (name !== KEY_EXCHANGE_CHANNEL) return;
+			const buf = data instanceof ArrayBuffer ? new Uint8Array(data) : data;
+			if (!e2ee) {
+				pendingMessages.push(buf);
+				return;
+			}
+			try {
+				await e2ee.handleKeyExchange(buf);
+			} catch (err) {
+				this.emit("e2eeFailed", { peerId, error: err });
+			}
+		});
+
+		pc.router.on("channelOpen", ({ name, channel }: { name: string; channel: RTCDataChannel }) => {
+			if (name !== KEY_EXCHANGE_CHANNEL) return;
+			if (!e2ee) {
+				pendingKeyExchangeChannel = channel;
+				return;
+			}
+			channel.send(e2ee.getKeyExchangeMessage());
+		});
+
+		this.resolveE2ee().then(async (identity) => {
+			if (!identity) {
+				this.startDataSync(peerId, pc);
+				return;
+			}
+			e2ee = new E2EEChannel(identity, this.config.docId);
 			this.e2eeChannels.set(peerId, e2ee);
 			pc.router.setEncryptor(e2ee);
 
-			// Listen for key-exchange messages on the router.
-			pc.router.on("channelMessage", async ({ name, data }: { name: string; data: any }) => {
-				if (name === KEY_EXCHANGE_CHANNEL) {
-					try {
-						const buf = data instanceof ArrayBuffer ? new Uint8Array(data) : data;
-						await e2ee.handleKeyExchange(buf);
-					} catch (err) {
-						this.emit("e2eeFailed", { peerId, error: err });
-					}
-				}
-			});
-
-			// When key-exchange channel opens, send our public key.
-			pc.router.on("channelOpen", ({ name, channel }: { name: string; channel: RTCDataChannel }) => {
-				if (name === KEY_EXCHANGE_CHANNEL) {
-					channel.send(e2ee.getKeyExchangeMessage());
+			// Drain buffered key-exchange channel open
+			if (pendingKeyExchangeChannel) {
+				pendingKeyExchangeChannel.send(e2ee.getKeyExchangeMessage());
+			}
+			// Drain buffered messages
+			for (const msg of pendingMessages) {
+				try {
+					await e2ee.handleKeyExchange(msg);
+				} catch (err) {
+					this.emit("e2eeFailed", { peerId, error: err });
 				}
-			});
+			}
 
 			e2ee.on("established", () => {
 				this.emit("e2eeEstablished", { peerId });
-				// Now that E2EE is ready, start Y.js sync (deferred).
 				this.startDataSync(peerId, pc);
 			});
 
 			e2ee.on("error", (err: Error) => {
 				this.emit("e2eeFailed", { peerId, error: err });
 			});
-		} else {
-			// No E2EE — start data sync immediately.
+		}).catch((err) => {
+			this.emit("e2eeFailed", { peerId, error: err });
 			this.startDataSync(peerId, pc);
-		}
+		});
 	}
 
 	private startDataSync(peerId: string, pc: PeerConnection): void {

package/src/webrtc/types.ts

@@ -158,7 +158,7 @@ export interface AbracadabraWebRTCConfiguration {
 	 * When provided, all data channel messages (except key-exchange) are
 	 * encrypted with AES-256-GCM using X25519 ECDH-derived session keys.
 	 */
-	e2ee?: import("./E2EEChannel.ts").E2EEIdentity;
+	e2ee?: import("./E2EEChannel.ts").E2EEIdentity | (() => Promise<import("./E2EEChannel.ts").E2EEIdentity>);
 
 	/** WebSocket polyfill for signaling (e.g. for Node.js). */
 	WebSocketPolyfill?: any;