@abraca/dabra 2.20.0 → 2.22.0

package/dist/index.d.ts

@@ -158,9 +158,12 @@ declare class OfflineStore {
   private db;
   /**
    * @param docId       The document UUID.
-   * @param serverOrigin  Hostname of the server (e.g. "abra.cou.sh").
-   *                    When provided the IndexedDB database is namespaced
-   *                    per-server, preventing cross-server data contamination.
+   * @param serverOrigin  Host of the server, including a non-default port
+   *                    (e.g. "abra.cou.sh", "localhost:3001"). When provided
+   *                    the IndexedDB database is namespaced per-server,
+   *                    preventing cross-server data contamination — the port
+   *                    matters because two same-host servers sharing the
+   *                    default root_doc_id would otherwise collide.
    */
   constructor(docId: string, serverOrigin?: string);
   private dbPromise;
@@ -354,7 +357,14 @@ declare class AbracadabraClient {
   listKeys(): Promise<PublicKeyInfo[]>;
   /** Rename a registered device key. */
   renameKey(keyId: string, deviceName: string): Promise<void>;
-  /** Revoke a public key by its ID. */
+  /**
+   * Revoke a public key by its ID. The server treats this as a panic
+   * action: every outstanding JWT for the account is invalidated (a stolen
+   * device's token must die immediately, and tokens carry no per-key
+   * claim), and a fresh token for THIS session is returned and adopted
+   * automatically — so the device performing the revocation stays
+   * authenticated while every other device silently re-auths.
+   */
   revokeKey(keyId: string): Promise<void>;
   /** Create a single-use device invite code for pairing a new device to this account. */
   createDeviceInvite(opts?: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abraca/dabra",
-  "version": "2.20.0",
+  "version": "2.22.0",
   "description": "abracadabra provider",
   "keywords": [
     "abracadabra",
@@ -41,7 +41,7 @@
     "yjs": "^13.6.8"
   },
   "devDependencies": {
-    "@abraca/schema": "2.20.0"
+    "@abraca/schema": "2.22.0"
   },
   "scripts": {
     "test": "node --no-warnings --conditions=source --experimental-transform-types --test 'tests/*.test.ts'"

package/src/AbracadabraBaseProvider.ts

@@ -717,9 +717,18 @@ export class AbracadabraBaseProvider extends EventEmitter {
 
     this.configuration.websocketProvider.on("rateLimited", this.forwardRateLimited);
 
-    this.configuration.websocketProvider.attach(this);
-
+    // Mark attached BEFORE registering with the socket: when the shared
+    // socket is already connected (the loadChild case), wsp.attach()
+    // synchronously invokes onOpen() → sendToken(), and send() drops frames
+    // while _isAttached is false. With a crypto identity OBJECT sendToken()
+    // hits no await before send(), so the AUTH frame was silently swallowed
+    // and the doc never authenticated on the connection — the server then
+    // (correctly) ignored every subsequent frame for it: child providers
+    // never synced and their writes were dropped. (JWT auth only survived
+    // by accident: `await getToken()` defers send() past attach().)
     this._isAttached = true;
+
+    this.configuration.websocketProvider.attach(this);
   }
 
   permissionDeniedHandler(reason: string) {

package/src/AbracadabraClient.ts

@@ -31,6 +31,21 @@ function fromBase64(b64: string): Uint8Array {
 	return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
 }
 
+/**
+ * Decode a base64url-encoded string (e.g. a JWT header/payload segment) to
+ * UTF-8 text. `atob` only accepts standard base64, so we translate the
+ * url-safe alphabet (`-`/`_`) and re-pad before decoding — otherwise a
+ * perfectly valid token whose payload happens to contain `-` or `_` throws
+ * and gets misclassified as invalid/expired.
+ */
+function decodeBase64UrlToString(b64url: string): string {
+	let b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+	const pad = b64.length % 4;
+	if (pad) b64 += "=".repeat(4 - pad);
+	const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+	return new TextDecoder().decode(bytes);
+}
+
 /**
  * Reason classifications surfaced to `onAuthFailed`. Consumers can decide
  * whether to silently re-register the keypair (`user_not_found`) or
@@ -142,7 +157,10 @@ export class AbracadabraClient {
 		if (!this._token) return false;
 		try {
 			const [, payload] = this._token.split(".");
-			const { exp } = JSON.parse(atob(payload));
+			// JWT payloads are base64url — `atob` only handles standard base64,
+			// so a payload containing `-` or `_` would throw and a valid token
+			// would be misread as expired, forcing a spurious re-auth.
+			const { exp } = JSON.parse(decodeBase64UrlToString(payload));
 			return typeof exp === "number" && exp * 1000 > Date.now();
 		} catch {
 			return false;
@@ -262,9 +280,23 @@ export class AbracadabraClient {
 		await this.request("PATCH", `/auth/keys/${encodeURIComponent(keyId)}`, { body: { deviceName } });
 	}
 
-	/** Revoke a public key by its ID. */
+	/**
+	 * Revoke a public key by its ID. The server treats this as a panic
+	 * action: every outstanding JWT for the account is invalidated (a stolen
+	 * device's token must die immediately, and tokens carry no per-key
+	 * claim), and a fresh token for THIS session is returned and adopted
+	 * automatically — so the device performing the revocation stays
+	 * authenticated while every other device silently re-auths.
+	 */
 	async revokeKey(keyId: string): Promise<void> {
-		await this.request("DELETE", `/auth/keys/${encodeURIComponent(keyId)}`);
+		const res = await this.request<{ token?: string } | null>(
+			"DELETE",
+			`/auth/keys/${encodeURIComponent(keyId)}`,
+		);
+		// Older servers respond 204 with no body — keep working against them.
+		if (res && typeof res === "object" && typeof res.token === "string") {
+			this.token = res.token;
+		}
 	}
 
 	// ── Device Invites ───────────────────────────────────────────────────────

package/src/AbracadabraProvider.ts

@@ -244,7 +244,13 @@ export class AbracadabraProvider extends AbracadabraBaseProvider {
 				config.url ??
 				(config.websocketProvider as AbracadabraWS | undefined)?.url ??
 				client?.wsUrl;
-			if (url) return new URL(url).hostname;
+			// `host` (NOT `hostname`): the port is part of a server's identity.
+			// Two servers on the same host but different ports would otherwise
+			// share one IDB namespace — and since default-config servers also
+			// share the same root_doc_id, one server's cached doc state silently
+			// hydrated into the other's Y.Doc (cross-server contamination that
+			// can then sync back upstream).
+			if (url) return new URL(url).host;
 		} catch {
 			// Malformed URL — fall back to no scoping
 		}

package/src/BackgroundSyncManager.ts

@@ -165,10 +165,12 @@ export class BackgroundSyncManager extends EventEmitter {
 			maxRetries: opts?.maxRetries ?? 2,
 		};
 
-		// Derive server origin from client URL for IDB namespacing
+		// Derive server origin from client URL for IDB namespacing.
+		// `host` (not `hostname`): port-scoped so same-host servers on
+		// different ports don't share a namespace.
 		let serverOrigin = "default";
 		try {
-			serverOrigin = new URL((client as any).baseUrl ?? "").hostname;
+			serverOrigin = new URL((client as any).baseUrl ?? "").host;
 		} catch {}
 
 		this.persistence = new BackgroundSyncPersistence(serverOrigin);
@@ -377,10 +379,10 @@ export class BackgroundSyncManager extends EventEmitter {
 			docIds.add(docId);
 		}
 
-		// Derive server origin the same way the provider does
+		// Derive server origin the same way the provider does (`host`, port-scoped)
 		let serverOrigin: string | undefined;
 		try {
-			serverOrigin = new URL((this.client as any).baseUrl ?? "").hostname;
+			serverOrigin = new URL((this.client as any).baseUrl ?? "").host;
 		} catch {}
 
 		// Clear each document's offline store contents

package/src/DocKeyManager.ts

@@ -14,7 +14,12 @@ import type { CryptoIdentityKeystore } from "./CryptoIdentityKeystore.ts";
 const HKDF_INFO = new TextEncoder().encode("abracadabra-dockey-v1");
 
 function fromBase64(b64: string): Uint8Array {
-	return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+	// Accept both standard base64 and base64url, padded or not — server
+	// payloads mix the two alphabets depending on the field.
+	let normalized = b64.replace(/-/g, "+").replace(/_/g, "/");
+	const pad = normalized.length % 4;
+	if (pad) normalized += "=".repeat(4 - pad);
+	return Uint8Array.from(atob(normalized), (c) => c.charCodeAt(0));
 }
 
 export class DocKeyManager {
@@ -84,7 +89,7 @@ export class DocKeyManager {
 					const myKeys = await client.listUserKeys(me.id);
 					const primaryKey = myKeys[0];
 					if (primaryKey?.x25519Key) {
-						const x25519Pub = fromBase64(primaryKey.x25519Key.replace(/-/g, "+").replace(/_/g, "/"));
+						const x25519Pub = fromBase64(primaryKey.x25519Key);
 						const rewrapped = await this.wrapKeyForRecipient(docKey, x25519Pub, docId);
 						const b64 = (() => {
 							let s = "";

package/src/OfflineStore.ts

@@ -69,9 +69,12 @@ export class OfflineStore {
 
 	/**
 	 * @param docId       The document UUID.
-	 * @param serverOrigin  Hostname of the server (e.g. "abra.cou.sh").
-	 *                    When provided the IndexedDB database is namespaced
-	 *                    per-server, preventing cross-server data contamination.
+	 * @param serverOrigin  Host of the server, including a non-default port
+	 *                    (e.g. "abra.cou.sh", "localhost:3001"). When provided
+	 *                    the IndexedDB database is namespaced per-server,
+	 *                    preventing cross-server data contamination — the port
+	 *                    matters because two same-host servers sharing the
+	 *                    default root_doc_id would otherwise collide.
 	 */
 	constructor(docId: string, serverOrigin?: string) {
 		this.storeKey = serverOrigin ? `${serverOrigin}/${docId}` : docId;

package/src/TokenManager.ts

@@ -270,7 +270,15 @@ export class TokenManager extends EventEmitter {
 		try {
 			const [, payload] = jwt.split(".");
 			if (!payload) return null;
-			const { exp } = JSON.parse(atob(payload));
+			// base64url-safe: `atob` alone throws on `-`/`_`, which would make
+			// the proactive-refresh timer treat a valid token as unparseable.
+			let b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+			const pad = b64.length % 4;
+			if (pad) b64 += "=".repeat(4 - pad);
+			const json = new TextDecoder().decode(
+				Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)),
+			);
+			const { exp } = JSON.parse(json);
 			return typeof exp === "number" ? exp : null;
 		} catch {
 			return null;