@abraca/dabra 2.21.0 → 2.22.0

package/dist/index.d.ts

@@ -357,7 +357,14 @@ declare class AbracadabraClient {
   listKeys(): Promise<PublicKeyInfo[]>;
   /** Rename a registered device key. */
   renameKey(keyId: string, deviceName: string): Promise<void>;
-  /** Revoke a public key by its ID. */
+  /**
+   * Revoke a public key by its ID. The server treats this as a panic
+   * action: every outstanding JWT for the account is invalidated (a stolen
+   * device's token must die immediately, and tokens carry no per-key
+   * claim), and a fresh token for THIS session is returned and adopted
+   * automatically — so the device performing the revocation stays
+   * authenticated while every other device silently re-auths.
+   */
   revokeKey(keyId: string): Promise<void>;
   /** Create a single-use device invite code for pairing a new device to this account. */
   createDeviceInvite(opts?: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abraca/dabra",
-  "version": "2.21.0",
+  "version": "2.22.0",
   "description": "abracadabra provider",
   "keywords": [
     "abracadabra",
@@ -41,7 +41,7 @@
     "yjs": "^13.6.8"
   },
   "devDependencies": {
-    "@abraca/schema": "2.21.0"
+    "@abraca/schema": "2.22.0"
   },
   "scripts": {
     "test": "node --no-warnings --conditions=source --experimental-transform-types --test 'tests/*.test.ts'"

package/src/AbracadabraClient.ts

@@ -31,6 +31,21 @@ function fromBase64(b64: string): Uint8Array {
 	return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
 }
 
+/**
+ * Decode a base64url-encoded string (e.g. a JWT header/payload segment) to
+ * UTF-8 text. `atob` only accepts standard base64, so we translate the
+ * url-safe alphabet (`-`/`_`) and re-pad before decoding — otherwise a
+ * perfectly valid token whose payload happens to contain `-` or `_` throws
+ * and gets misclassified as invalid/expired.
+ */
+function decodeBase64UrlToString(b64url: string): string {
+	let b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+	const pad = b64.length % 4;
+	if (pad) b64 += "=".repeat(4 - pad);
+	const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+	return new TextDecoder().decode(bytes);
+}
+
 /**
  * Reason classifications surfaced to `onAuthFailed`. Consumers can decide
  * whether to silently re-register the keypair (`user_not_found`) or
@@ -142,7 +157,10 @@ export class AbracadabraClient {
 		if (!this._token) return false;
 		try {
 			const [, payload] = this._token.split(".");
-			const { exp } = JSON.parse(atob(payload));
+			// JWT payloads are base64url — `atob` only handles standard base64,
+			// so a payload containing `-` or `_` would throw and a valid token
+			// would be misread as expired, forcing a spurious re-auth.
+			const { exp } = JSON.parse(decodeBase64UrlToString(payload));
 			return typeof exp === "number" && exp * 1000 > Date.now();
 		} catch {
 			return false;
@@ -262,9 +280,23 @@ export class AbracadabraClient {
 		await this.request("PATCH", `/auth/keys/${encodeURIComponent(keyId)}`, { body: { deviceName } });
 	}
 
-	/** Revoke a public key by its ID. */
+	/**
+	 * Revoke a public key by its ID. The server treats this as a panic
+	 * action: every outstanding JWT for the account is invalidated (a stolen
+	 * device's token must die immediately, and tokens carry no per-key
+	 * claim), and a fresh token for THIS session is returned and adopted
+	 * automatically — so the device performing the revocation stays
+	 * authenticated while every other device silently re-auths.
+	 */
 	async revokeKey(keyId: string): Promise<void> {
-		await this.request("DELETE", `/auth/keys/${encodeURIComponent(keyId)}`);
+		const res = await this.request<{ token?: string } | null>(
+			"DELETE",
+			`/auth/keys/${encodeURIComponent(keyId)}`,
+		);
+		// Older servers respond 204 with no body — keep working against them.
+		if (res && typeof res === "object" && typeof res.token === "string") {
+			this.token = res.token;
+		}
 	}
 
 	// ── Device Invites ───────────────────────────────────────────────────────

package/src/DocKeyManager.ts

@@ -14,7 +14,12 @@ import type { CryptoIdentityKeystore } from "./CryptoIdentityKeystore.ts";
 const HKDF_INFO = new TextEncoder().encode("abracadabra-dockey-v1");
 
 function fromBase64(b64: string): Uint8Array {
-	return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
+	// Accept both standard base64 and base64url, padded or not — server
+	// payloads mix the two alphabets depending on the field.
+	let normalized = b64.replace(/-/g, "+").replace(/_/g, "/");
+	const pad = normalized.length % 4;
+	if (pad) normalized += "=".repeat(4 - pad);
+	return Uint8Array.from(atob(normalized), (c) => c.charCodeAt(0));
 }
 
 export class DocKeyManager {
@@ -84,7 +89,7 @@ export class DocKeyManager {
 					const myKeys = await client.listUserKeys(me.id);
 					const primaryKey = myKeys[0];
 					if (primaryKey?.x25519Key) {
-						const x25519Pub = fromBase64(primaryKey.x25519Key.replace(/-/g, "+").replace(/_/g, "/"));
+						const x25519Pub = fromBase64(primaryKey.x25519Key);
 						const rewrapped = await this.wrapKeyForRecipient(docKey, x25519Pub, docId);
 						const b64 = (() => {
 							let s = "";

package/src/TokenManager.ts

@@ -270,7 +270,15 @@ export class TokenManager extends EventEmitter {
 		try {
 			const [, payload] = jwt.split(".");
 			if (!payload) return null;
-			const { exp } = JSON.parse(atob(payload));
+			// base64url-safe: `atob` alone throws on `-`/`_`, which would make
+			// the proactive-refresh timer treat a valid token as unparseable.
+			let b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+			const pad = b64.length % 4;
+			if (pad) b64 += "=".repeat(4 - pad);
+			const json = new TextDecoder().decode(
+				Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)),
+			);
+			const { exp } = JSON.parse(json);
 			return typeof exp === "number" ? exp : null;
 		} catch {
 			return null;