@alteran/astro 0.3.8 → 0.5.2

package/src/lib/firehose/frames.ts

@@ -5,25 +5,26 @@ import { CID } from 'multiformats/cid';
 /**
  * Frame types for AT Protocol firehose
  */
-export enum FrameType {
-  Message = 1,
-  Error = -1,
-}
+export const FrameType = {
+  Message: 1,
+  Error: -1,
+} as const;
+export type FrameType = (typeof FrameType)[keyof typeof FrameType];
 
 /**
  * Frame header structure
  */
 export interface FrameHeader {
-  op: FrameType;
-  t?: string; // Message type discriminator
+  readonly op: FrameType;
+  readonly t?: string; // Message type discriminator
 }
 
 /**
  * Error frame body
  */
 export interface ErrorFrameBody {
-  error: string;
-  message?: string;
+  readonly error: string;
+  readonly message?: string;
 }
 
 /**
@@ -39,6 +40,7 @@ export abstract class Frame {
 
   /**
    * Encode frame to bytes (header + body as CBOR)
+   * Deprecated for WS firehose: upstream expects a single CBOR object per message.
    */
   toBytes(): Uint8Array {
     const headerBytes = dagCbor.encode(this.header);
@@ -48,6 +50,7 @@ export abstract class Frame {
 
   /**
    * Encode with 4-byte big-endian length prefix (payload = header||body encoded as dag-cbor)
+   * Deprecated for WS firehose: kept for tests/back-compat only.
    */
   toFramedBytes(): Uint8Array {
     const payload = this.toBytes();
@@ -114,58 +117,59 @@ export class ErrorFrame extends Frame {
  */
 
 export interface InfoMessage {
-  name: string;
-  message?: string;
+  readonly name: string;
+  readonly message?: string;
 }
 
 export interface RepoOp {
-  action: 'create' | 'update' | 'delete';
-  path: string;
-  cid: CID | null;
-  prev?: CID;
+  readonly action: 'create' | 'update' | 'delete';
+  readonly path: string;
+  readonly cid: CID | null;
+  readonly prev?: CID;
 }
 
 export interface CommitMessage {
-  seq: number;
-  rebase: boolean;
-  tooBig: boolean;
-  repo: string; // DID
-  commit: CID;
-  prev: CID | null;
-  rev: string; // TID
-  since: string | null; // Previous TID
-  blocks: Uint8Array; // CAR bytes
-  ops: RepoOp[];
-  blobs: CID[];
-  time: string; // ISO 8601
-  prevData?: CID; // Previous MST root
+  readonly seq: number;
+  readonly rebase: boolean;
+  readonly tooBig: boolean;
+  readonly repo: string; // DID
+  readonly commit: CID;
+  readonly prev: CID | null;
+  readonly rev: string; // TID
+  readonly since: string | null; // Previous TID
+  readonly blocks: Uint8Array; // CAR bytes
+  readonly ops: readonly RepoOp[];
+  readonly blobs: readonly CID[];
+  readonly time: string; // ISO 8601
+  readonly prevData?: CID; // Previous MST root
 }
 
 export interface IdentityMessage {
-  seq: number;
-  did: string;
-  time: string;
-  handle?: string;
+  readonly seq: number;
+  readonly did: string;
+  readonly time: string;
+  readonly handle?: string;
 }
 
 export interface AccountMessage {
-  seq: number;
-  did: string;
-  time: string;
-  active: boolean;
-  status?: string;
+  readonly seq: number;
+  readonly did: string;
+  readonly time: string;
+  readonly active: boolean;
+  readonly status?: string;
 }
 
 export interface SyncMessage {
-  seq: number;
-  did: string;
-  time: string;
-  active: boolean;
-  status?: string;
+  readonly seq: number;
+  readonly did: string;
+  readonly time: string;
+  readonly active: boolean;
+  readonly status?: string;
 }
 
 /**
- * Create an #info frame
+ * Legacy helpers (frames) — kept for tests/back-compat only.
+ * Upstream subscribeRepos expects a single CBOR object with $type.
  */
 export function createInfoFrame(name: string, message?: string): MessageFrame<InfoMessage> {
   return new MessageFrame({ name, message }, '#info');
@@ -208,22 +212,58 @@ export function createErrorFrame(error: string, message?: string): ErrorFrame {
 
 // Binary encoders (with 4-byte length prefix)
 export function encodeInfoFrame(name: string, message?: string): Uint8Array {
-  return createInfoFrame(name, message).toFramedBytes();
+  // Send as a single WebSocket message containing CBOR(header)||CBOR(body)
+  return createInfoFrame(name, message).toBytes();
 }
 
 export function encodeCommitFrame(data: CommitMessage): Uint8Array {
-  return createCommitFrame(data).toFramedBytes();
+  return createCommitFrame(data).toBytes();
 }
 
 export function encodeIdentityFrame(data: IdentityMessage): Uint8Array {
-  return createIdentityFrame(data).toFramedBytes();
+  return createIdentityFrame(data).toBytes();
 }
 
 export function encodeAccountFrame(data: AccountMessage): Uint8Array {
-  return createAccountFrame(data).toFramedBytes();
+  return createAccountFrame(data).toBytes();
 }
 
 // Alias for TODO nomenclature (#sync)
 export function encodeSyncFrame(data: SyncMessage): Uint8Array {
-  return createSyncFrame(data).toFramedBytes();
+  return createSyncFrame(data).toBytes();
+}
+
+// ----------------------------------------------------------------------------
+// Spec-compliant builders for subscribeRepos WS messages
+// Each message is a single CBOR object with a $type field
+// ----------------------------------------------------------------------------
+
+export type CommitEventObj = CommitMessage & { $type: '#commit' };
+export type InfoEventObj = InfoMessage & { $type: '#info' };
+export type IdentityEventObj = IdentityMessage & { $type: '#identity' };
+export type AccountEventObj = AccountMessage & { $type: '#account' };
+export type SyncEventObj = SyncMessage & { $type: '#sync' };
+
+export function createCommitEvent(data: CommitMessage): CommitEventObj {
+  return { $type: '#commit', ...data };
+}
+
+export function createInfoEvent(name: string, message?: string): InfoEventObj {
+  return { $type: '#info', name, ...(message ? { message } : {}) };
+}
+
+export function createIdentityEvent(data: IdentityMessage): IdentityEventObj {
+  return { $type: '#identity', ...data };
+}
+
+export function createAccountEvent(data: AccountMessage): AccountEventObj {
+  return { $type: '#account', ...data };
+}
+
+export function createSyncEvent(data: SyncMessage): SyncEventObj {
+  return { $type: '#sync', ...data };
+}
+
+export function encodeEvent(obj: object): Uint8Array {
+  return dagCbor.encode(obj);
 }

package/src/lib/firehose/validation.ts

@@ -1,9 +1,9 @@
-import { createErrorFrame } from './frames';
+import { createInfoEvent, encodeEvent } from './frames';
 
 export function checkCursor(cursor: number, currentSeq: number): Uint8Array | null {
   if (Number.isFinite(cursor) && Number.isFinite(currentSeq) && cursor > currentSeq) {
-    return createErrorFrame('FutureCursor', 'Cursor is ahead of current sequence').toFramedBytes();
+    const info = createInfoEvent('OutdatedCursor', 'Cursor is ahead of current sequence');
+    return encodeEvent(info);
   }
   return null;
 }
-

package/src/lib/jwt.ts

@@ -1,6 +1,7 @@
 import type { Env } from "../env";
+import { AuthTokenExpiredError } from "./auth-errors";
+import { errorCode } from "./errors";
 import { getRuntimeString } from "./secrets";
-import { base58btc } from "multiformats/bases/base58";
 import {
   issueSessionTokens,
   verifyAccessToken,
@@ -13,6 +14,9 @@ export interface JwtClaims {
   scope?: string;
   aud?: string;
   jti?: string;
+  iss?: string;
+  iat?: number;
+  exp?: number;
   t: "access" | "refresh";
 }
 
@@ -35,31 +39,66 @@ export async function verifyJwt(
   env: Env,
   token: string,
 ): Promise<{ valid: boolean; payload: JwtClaims } | null> {
+  console.error('[verifyJwt] Starting verification');
+
   const parts = token.split(".");
-  if (parts.length !== 3) return null;
+  if (parts.length !== 3) {
+    console.error('[verifyJwt] Invalid token parts:', parts.length);
+    return null;
+  }
+
   const header = JSON.parse(
     atob(parts[0].replace(/-/g, "+").replace(/_/g, "/")),
   );
+  console.error('[verifyJwt] Header:', JSON.stringify(header));
 
   if (header.typ === "at+jwt") {
-    const payload = await verifyAccessToken(env, token).catch(() => null);
-    if (!payload) return null;
-    if (!payload.sub) return null;
+    console.error('[verifyJwt] Detected at+jwt type');
+    let payload;
+    try {
+      payload = await verifyAccessToken(env, token);
+    } catch (error) {
+      if (isJwtExpiredError(error)) {
+        console.error('[verifyJwt] Access token expired');
+        throw new AuthTokenExpiredError();
+      }
+      console.error('[verifyJwt] verifyAccessToken failed:', error);
+      return null;
+    }
+    if (!payload) {
+      console.error('[verifyJwt] No payload from verifyAccessToken');
+      return null;
+    }
+    if (!payload.sub) {
+      console.error('[verifyJwt] No sub in payload');
+      return null;
+    }
     const claims: JwtClaims = {
       sub: String(payload.sub),
       aud: payload.aud as string | undefined,
       scope: payload.scope as string | undefined,
       jti: payload.jti as string | undefined,
+      iss: (payload as any).iss as string | undefined,
+      iat: (payload as any).iat as number | undefined,
+      exp: (payload as any).exp as number | undefined,
       t: "access",
     };
     if (payload.handle) {
       claims.handle = String(payload.handle);
     }
+    console.error('[verifyJwt] at+jwt verified successfully');
     return { valid: true, payload: claims };
   }
 
   if (header.typ === "refresh+jwt") {
-    const verified = await verifyRefreshToken(env, token).catch(() => null);
+    console.error('[verifyJwt] Detected refresh+jwt type');
+    const verified = await verifyRefreshToken(env, token).catch((error) => {
+      if (isJwtExpiredError(error)) {
+        console.error('[verifyJwt] Refresh token expired');
+        throw new AuthTokenExpiredError();
+      }
+      return null;
+    });
     if (!verified) return null;
     if (!verified.payload.sub) return null;
     const payload: JwtClaims = {
@@ -67,32 +106,52 @@ export async function verifyJwt(
       aud: verified.payload.aud as string | undefined,
       scope: verified.payload.scope as string | undefined,
       jti: verified.payload.jti as string | undefined,
+      iss: (verified.payload as any).iss as string | undefined,
+      iat: (verified.payload as any).iat as number | undefined,
+      exp: (verified.payload as any).exp as number | undefined,
       t: "refresh",
     };
+    console.error('[verifyJwt] refresh+jwt verified successfully');
     return { valid: true, payload };
   }
 
+  console.error('[verifyJwt] Fallback to legacy JWT verification');
   const payload = JSON.parse(
     atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")),
   );
+  console.error('[verifyJwt] Payload type:', payload.t);
 
   let ok = false;
   if (header.alg === "HS256" && header.typ === "JWT") {
+    console.error('[verifyJwt] Using HS256 verification');
     const secret = await getRuntimeString(
       env,
       payload.t === "refresh" ? "REFRESH_TOKEN_SECRET" : "REFRESH_TOKEN",
       payload.t === "refresh" ? "dev-refresh" : "dev-access",
     );
-    if (!secret) return null;
+    if (!secret) {
+      console.error('[verifyJwt] No secret found');
+      return null;
+    }
+    console.error('[verifyJwt] Secret found, verifying signature');
     ok = await hmacJwtVerify(parts[0] + "." + parts[1], parts[2], secret);
-  } else if (header.alg === "EdDSA" && header.typ === "JWT") {
-    ok = await eddsaJwtVerify(parts[0] + "." + parts[1], parts[2], env);
+    console.error('[verifyJwt] Signature verification:', ok);
   } else {
+    console.error('[verifyJwt] Unsupported alg/typ:', header.alg, header.typ);
     return null;
   }
 
   const now = Math.floor(Date.now() / 1000);
-  if (!ok || (payload.exp && now > payload.exp)) return null;
+  if (!ok) {
+    console.error('[verifyJwt] Signature verification failed');
+    return null;
+  }
+  if (payload.exp && now > payload.exp) {
+    console.error('[verifyJwt] Token expired. Now:', now, 'Exp:', payload.exp);
+    throw new AuthTokenExpiredError();
+  }
+
+  console.error('[verifyJwt] Legacy JWT verified successfully');
   return { valid: true, payload: payload as JwtClaims };
 }
 
@@ -102,9 +161,11 @@ async function hmacJwtSign(payload: any, secret: string): Promise<string> {
   const h = b64url(enc.encode(JSON.stringify(header)));
   const p = b64url(enc.encode(JSON.stringify(payload)));
   const data = `${h}.${p}`;
+  const keyBytes = enc.encode(secret);
+  const keyBuf = (() => { const b = new ArrayBuffer(keyBytes.byteLength); new Uint8Array(b).set(keyBytes); return b; })();
   const key = await crypto.subtle.importKey(
     "raw",
-    enc.encode(secret),
+    keyBuf,
     { name: "HMAC", hash: "SHA-256" },
     false,
     ["sign"],
@@ -120,87 +181,28 @@ async function hmacJwtVerify(
   secret: string,
 ): Promise<boolean> {
   const enc = new TextEncoder();
+  const keyBytes = enc.encode(secret);
+  const keyBuf = (() => { const b = new ArrayBuffer(keyBytes.byteLength); new Uint8Array(b).set(keyBytes); return b; })();
   const key = await crypto.subtle.importKey(
     "raw",
-    enc.encode(secret),
+    keyBuf,
     { name: "HMAC", hash: "SHA-256" },
     false,
     ["verify"],
   );
+  const sigBytes = b64urlDecode(sigB64);
+  const sigBuf = (() => { const b = new ArrayBuffer(sigBytes.byteLength); new Uint8Array(b).set(sigBytes); return b; })();
+  const dataBytes = enc.encode(data);
+  const dataBuf = (() => { const b = new ArrayBuffer(dataBytes.byteLength); new Uint8Array(b).set(dataBytes); return b; })();
   const ok = await crypto.subtle.verify(
     "HMAC",
     key,
-    b64urlDecode(sigB64),
-    enc.encode(data),
+    sigBuf,
+    dataBuf,
   );
   return !!ok;
 }
 
-async function eddsaJwtSign(payload: any, env: Env): Promise<string> {
-  const enc = new TextEncoder();
-  const header = { alg: "EdDSA", typ: "JWT" };
-  const h = b64url(enc.encode(JSON.stringify(header)));
-  const p = b64url(enc.encode(JSON.stringify(payload)));
-  const data = `${h}.${p}`;
-
-  // Import Ed25519 private key from env
-  const keyData = await getRuntimeString(env, "REPO_SIGNING_KEY");
-  if (!keyData) {
-    throw new Error("REPO_SIGNING_KEY not configured for EdDSA JWTs");
-  }
-
-  // Decode base64 private key
-  const keyBytes = b64urlDecode(keyData);
-  const key = await crypto.subtle.importKey(
-    "pkcs8",
-    keyBytes,
-    { name: "Ed25519" } as any,
-    false,
-    ["sign"],
-  );
-
-  const sig = await crypto.subtle.sign("Ed25519", key, enc.encode(data));
-  const s = b64url(new Uint8Array(sig));
-  return `${h}.${p}.${s}`;
-}
-
-async function eddsaJwtVerify(
-  data: string,
-  sigB64: string,
-  env: Env,
-): Promise<boolean> {
-  const enc = new TextEncoder();
-
-  // Import Ed25519 public key from env
-  const keyData = await getRuntimeString(env, "REPO_SIGNING_KEY_PUBLIC");
-  if (!keyData) {
-    console.error(
-      "EdDSA JWT verification failed: REPO_SIGNING_KEY_PUBLIC not configured",
-    );
-    return false;
-  }
-
-  try {
-    const key = await importEd25519PublicKey(keyData);
-    if (!key) {
-      console.error(
-        "EdDSA JWT verification failed: unsupported public key format for Ed25519",
-      );
-      return false;
-    }
-
-    const ok = await crypto.subtle.verify(
-      "Ed25519",
-      key,
-      b64urlDecode(sigB64),
-      enc.encode(data),
-    );
-    return !!ok;
-  } catch (error) {
-    console.error("EdDSA JWT verification error:", error);
-    return false;
-  }
-}
 
 function b64url(bytes: ArrayBuffer | Uint8Array): string {
   const b = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
@@ -219,103 +221,9 @@ function b64urlDecode(s: string): Uint8Array {
   return out;
 }
 
-async function importEd25519PublicKey(
-  value: string,
-): Promise<CryptoKey | null> {
-  const attempts = buildPublicKeyCandidates(value);
-  for (const attempt of attempts) {
-    try {
-      return await crypto.subtle.importKey(
-        attempt.format,
-        attempt.data,
-        { name: "Ed25519", namedCurve: "Ed25519" } as any,
-        false,
-        ["verify"],
-      );
-    } catch (error) {
-      console.warn(
-        "EdDSA JWT verification warning: failed to import key candidate",
-        error,
-      );
-    }
-  }
-  return null;
-}
-
-type KeyImportAttempt = { format: KeyFormat; data: Uint8Array };
-type KeyFormat = "raw" | "spki";
-
-function buildPublicKeyCandidates(value: string): KeyImportAttempt[] {
-  const trimmed = value.trim();
-  const attempts: KeyImportAttempt[] = [];
-
-  const didKeyCandidate = decodeDidKey(trimmed);
-  if (didKeyCandidate) {
-    attempts.push({ format: "raw", data: didKeyCandidate });
-  }
-
-  const pemMatch = trimmed.match(
-    /-----BEGIN PUBLIC KEY-----([\s\S]+?)-----END PUBLIC KEY-----/,
-  );
-  if (pemMatch) {
-    const derBytes = decodeBase64(pemMatch[1].replace(/\s+/g, ""));
-    if (derBytes) {
-      attempts.push({ format: "spki", data: derBytes });
-    }
-  }
-
-  const compact = trimmed.replace(/\s+/g, "");
-  const decoded = decodeBase64(compact);
-  if (decoded) {
-    if (decoded.length === 32) {
-      attempts.push({ format: "raw", data: decoded });
-    } else {
-      attempts.push({ format: "spki", data: decoded });
-    }
-  }
-
-  return attempts;
-}
-
-function decodeBase64(value: string): Uint8Array | null {
-  const cleaned = value.replace(/\s+/g, "");
-  if (!cleaned) return null;
-  try {
-    return b64urlDecode(cleaned);
-  } catch {
-    const normalized = cleaned.replace(/-/g, "+").replace(/_/g, "/");
-    const padLength = normalized.length % 4;
-    const padded =
-      padLength === 0
-        ? normalized
-        : padLength === 2
-          ? normalized + "=="
-          : padLength === 3
-            ? normalized + "="
-            : normalized + "===";
-    const bin = atob(padded);
-    const out = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
-    return out;
-  }
-}
+// EdDSA (Ed25519) path removed; only HS256 session tokens are supported
 
-function decodeDidKey(didKey: string): Uint8Array | null {
-  if (!didKey.startsWith("did:key:")) return null;
-  try {
-    const multibase = didKey.slice("did:key:".length);
-    const bytes = base58btc.decode(multibase);
-    if (bytes.length === 34 && bytes[0] === 0xed && bytes[1] === 0x01) {
-      return bytes.slice(2);
-    }
-    console.warn(
-      "EdDSA JWT verification warning: unsupported did:key multicodec prefix",
-    );
-  } catch (error) {
-    console.warn(
-      "EdDSA JWT verification warning: failed to parse did:key",
-      error,
-    );
-  }
-  return null;
+function isJwtExpiredError(error: unknown): boolean {
+  return error instanceof AuthTokenExpiredError ||
+    errorCode(error) === "ERR_JWT_EXPIRED";
 }