@auths-dev/sdk 0.0.1 → 0.1.0

package/src/verify.rs

@@ -0,0 +1,447 @@
+use auths_verifier::core::{
+    Attestation, Capability, MAX_ATTESTATION_JSON_SIZE, MAX_JSON_BATCH_SIZE,
+};
+use auths_verifier::error::AuthsErrorInfo;
+use auths_verifier::types::DeviceDID;
+use auths_verifier::verify::{
+    verify_at_time as rust_verify_at_time, verify_chain as rust_verify_chain,
+    verify_chain_with_capability as rust_verify_chain_with_capability,
+    verify_chain_with_witnesses as rust_verify_chain_with_witnesses,
+    verify_device_authorization as rust_verify_device_authorization,
+    verify_with_capability as rust_verify_with_capability, verify_with_keys,
+};
+use auths_verifier::witness::{WitnessReceipt, WitnessVerifyConfig};
+use chrono::{DateTime, Utc};
+use napi_derive::napi;
+
+use crate::error::format_error;
+use crate::types::{NapiVerificationReport, NapiVerificationResult};
+
+fn decode_pk_hex(hex_str: &str, label: &str) -> napi::Result<Vec<u8>> {
+    let bytes = hex::decode(hex_str)
+        .map_err(|e| format_error("AUTHS_INVALID_INPUT", format!("Invalid {label} hex: {e}")))?;
+    if bytes.len() != 32 {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Invalid {label} length: expected 32 bytes (64 hex chars), got {}",
+                bytes.len()
+            ),
+        ));
+    }
+    Ok(bytes)
+}
+
+fn parse_attestations(jsons: &[String]) -> napi::Result<Vec<Attestation>> {
+    jsons
+        .iter()
+        .enumerate()
+        .map(|(i, json)| {
+            serde_json::from_str(json).map_err(|e| {
+                format_error(
+                    "AUTHS_SERIALIZATION_ERROR",
+                    format!("Failed to parse attestation {i}: {e}"),
+                )
+            })
+        })
+        .collect()
+}
+
+fn check_batch_size(jsons: &[String]) -> napi::Result<()> {
+    let total: usize = jsons.iter().map(|s| s.len()).sum();
+    if total > MAX_JSON_BATCH_SIZE {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!("Total attestation JSON too large: {total} bytes, max {MAX_JSON_BATCH_SIZE}"),
+        ));
+    }
+    Ok(())
+}
+
+#[napi]
+pub async fn verify_attestation(
+    attestation_json: String,
+    issuer_pk_hex: String,
+) -> napi::Result<NapiVerificationResult> {
+    if attestation_json.len() > MAX_ATTESTATION_JSON_SIZE {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Attestation JSON too large: {} bytes, max {}",
+                attestation_json.len(),
+                MAX_ATTESTATION_JSON_SIZE
+            ),
+        ));
+    }
+
+    let issuer_pk_bytes = decode_pk_hex(&issuer_pk_hex, "issuer public key")?;
+
+    let att: Attestation = match serde_json::from_str(&attestation_json) {
+        Ok(att) => att,
+        Err(e) => {
+            return Ok(NapiVerificationResult {
+                valid: false,
+                error: Some(format!("Failed to parse attestation JSON: {e}")),
+                error_code: Some("AUTHS_SERIALIZATION_ERROR".to_string()),
+            });
+        }
+    };
+
+    match verify_with_keys(&att, &issuer_pk_bytes).await {
+        Ok(_) => Ok(NapiVerificationResult {
+            valid: true,
+            error: None,
+            error_code: None,
+        }),
+        Err(e) => Ok(NapiVerificationResult {
+            valid: false,
+            error_code: Some(e.error_code().to_string()),
+            error: Some(e.to_string()),
+        }),
+    }
+}
+
+#[napi]
+pub async fn verify_chain(
+    attestations_json: Vec<String>,
+    root_pk_hex: String,
+) -> napi::Result<NapiVerificationReport> {
+    check_batch_size(&attestations_json)?;
+    let root_pk_bytes = decode_pk_hex(&root_pk_hex, "root public key")?;
+    let attestations = parse_attestations(&attestations_json)?;
+
+    match rust_verify_chain(&attestations, &root_pk_bytes).await {
+        Ok(report) => Ok(report.into()),
+        Err(e) => Err(format_error(
+            e.error_code(),
+            format!("Chain verification failed: {e}"),
+        )),
+    }
+}
+
+#[napi]
+pub async fn verify_device_authorization(
+    identity_did: String,
+    device_did: String,
+    attestations_json: Vec<String>,
+    identity_pk_hex: String,
+) -> napi::Result<NapiVerificationReport> {
+    check_batch_size(&attestations_json)?;
+    let identity_pk_bytes = decode_pk_hex(&identity_pk_hex, "identity public key")?;
+    let attestations = parse_attestations(&attestations_json)?;
+    let device =
+        DeviceDID::parse(&device_did).map_err(|e| format_error("AUTHS_INVALID_INPUT", e))?;
+
+    match rust_verify_device_authorization(
+        &identity_did,
+        &device,
+        &attestations,
+        &identity_pk_bytes,
+    )
+    .await
+    {
+        Ok(report) => Ok(report.into()),
+        Err(e) => Err(format_error(
+            e.error_code(),
+            format!("Device authorization verification failed: {e}"),
+        )),
+    }
+}
+
+#[napi]
+pub async fn verify_attestation_with_capability(
+    attestation_json: String,
+    issuer_pk_hex: String,
+    required_capability: String,
+) -> napi::Result<NapiVerificationResult> {
+    if attestation_json.len() > MAX_ATTESTATION_JSON_SIZE {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Attestation JSON too large: {} bytes, max {}",
+                attestation_json.len(),
+                MAX_ATTESTATION_JSON_SIZE
+            ),
+        ));
+    }
+
+    let issuer_pk_bytes = decode_pk_hex(&issuer_pk_hex, "issuer public key")?;
+
+    let att: Attestation = match serde_json::from_str(&attestation_json) {
+        Ok(att) => att,
+        Err(e) => {
+            return Ok(NapiVerificationResult {
+                valid: false,
+                error: Some(format!("Failed to parse attestation JSON: {e}")),
+                error_code: Some("AUTHS_SERIALIZATION_ERROR".to_string()),
+            });
+        }
+    };
+
+    let cap = Capability::parse(&required_capability).map_err(|e| {
+        format_error(
+            "AUTHS_INVALID_INPUT",
+            format!("Invalid capability '{required_capability}': {e}"),
+        )
+    })?;
+
+    match rust_verify_with_capability(&att, &cap, &issuer_pk_bytes).await {
+        Ok(_) => Ok(NapiVerificationResult {
+            valid: true,
+            error: None,
+            error_code: None,
+        }),
+        Err(e) => Ok(NapiVerificationResult {
+            valid: false,
+            error_code: Some(e.error_code().to_string()),
+            error: Some(e.to_string()),
+        }),
+    }
+}
+
+#[napi]
+pub async fn verify_chain_with_capability(
+    attestations_json: Vec<String>,
+    root_pk_hex: String,
+    required_capability: String,
+) -> napi::Result<NapiVerificationReport> {
+    check_batch_size(&attestations_json)?;
+    let root_pk_bytes = decode_pk_hex(&root_pk_hex, "root public key")?;
+    let attestations = parse_attestations(&attestations_json)?;
+
+    let cap = Capability::parse(&required_capability).map_err(|e| {
+        format_error(
+            "AUTHS_INVALID_INPUT",
+            format!("Invalid capability '{required_capability}': {e}"),
+        )
+    })?;
+
+    match rust_verify_chain_with_capability(&attestations, &cap, &root_pk_bytes).await {
+        Ok(report) => Ok(report.into()),
+        Err(e) => Err(format_error(
+            e.error_code(),
+            format!("Chain verification with capability failed: {e}"),
+        )),
+    }
+}
+
+fn parse_rfc3339_timestamp(at_rfc3339: &str) -> napi::Result<DateTime<Utc>> {
+    let at: DateTime<Utc> = at_rfc3339.parse::<DateTime<Utc>>().map_err(|_| {
+        if at_rfc3339.contains(' ') && !at_rfc3339.contains('T') {
+            format_error(
+                "AUTHS_INVALID_INPUT",
+                format!(
+                    "Expected RFC 3339 format like '2024-06-15T00:00:00Z', got '{at_rfc3339}'. \
+                     Hint: use 'T' between date and time, and append 'Z' or a UTC offset."
+                ),
+            )
+        } else {
+            format_error(
+                "AUTHS_INVALID_INPUT",
+                format!(
+                    "Expected RFC 3339 format like '2024-06-15T00:00:00Z', got '{at_rfc3339}'."
+                ),
+            )
+        }
+    })?;
+
+    #[allow(clippy::disallowed_methods)] // Presentation boundary
+    let now = Utc::now();
+    let skew_tolerance = chrono::Duration::seconds(60);
+    if at > now + skew_tolerance {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Timestamp {at_rfc3339} is in the future. \
+                 Time-pinned verification requires a past or present timestamp."
+            ),
+        ));
+    }
+
+    Ok(at)
+}
+
+#[napi]
+pub async fn verify_at_time(
+    attestation_json: String,
+    issuer_pk_hex: String,
+    at_rfc3339: String,
+) -> napi::Result<NapiVerificationResult> {
+    if attestation_json.len() > MAX_ATTESTATION_JSON_SIZE {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Attestation JSON too large: {} bytes, max {}",
+                attestation_json.len(),
+                MAX_ATTESTATION_JSON_SIZE
+            ),
+        ));
+    }
+
+    let at = parse_rfc3339_timestamp(&at_rfc3339)?;
+    let issuer_pk_bytes = decode_pk_hex(&issuer_pk_hex, "issuer public key")?;
+
+    let att: Attestation = match serde_json::from_str(&attestation_json) {
+        Ok(att) => att,
+        Err(e) => {
+            return Ok(NapiVerificationResult {
+                valid: false,
+                error: Some(format!("Failed to parse attestation JSON: {e}")),
+                error_code: Some("AUTHS_SERIALIZATION_ERROR".to_string()),
+            });
+        }
+    };
+
+    match rust_verify_at_time(&att, &issuer_pk_bytes, at).await {
+        Ok(_) => Ok(NapiVerificationResult {
+            valid: true,
+            error: None,
+            error_code: None,
+        }),
+        Err(e) => Ok(NapiVerificationResult {
+            valid: false,
+            error_code: Some(e.error_code().to_string()),
+            error: Some(e.to_string()),
+        }),
+    }
+}
+
+#[napi]
+pub async fn verify_at_time_with_capability(
+    attestation_json: String,
+    issuer_pk_hex: String,
+    at_rfc3339: String,
+    required_capability: String,
+) -> napi::Result<NapiVerificationResult> {
+    if attestation_json.len() > MAX_ATTESTATION_JSON_SIZE {
+        return Err(format_error(
+            "AUTHS_INVALID_INPUT",
+            format!(
+                "Attestation JSON too large: {} bytes, max {}",
+                attestation_json.len(),
+                MAX_ATTESTATION_JSON_SIZE
+            ),
+        ));
+    }
+
+    let at = parse_rfc3339_timestamp(&at_rfc3339)?;
+    let issuer_pk_bytes = decode_pk_hex(&issuer_pk_hex, "issuer public key")?;
+
+    let att: Attestation = match serde_json::from_str(&attestation_json) {
+        Ok(att) => att,
+        Err(e) => {
+            return Ok(NapiVerificationResult {
+                valid: false,
+                error: Some(format!("Failed to parse attestation JSON: {e}")),
+                error_code: Some("AUTHS_SERIALIZATION_ERROR".to_string()),
+            });
+        }
+    };
+
+    let cap = Capability::parse(&required_capability).map_err(|e| {
+        format_error(
+            "AUTHS_INVALID_INPUT",
+            format!("Invalid capability '{required_capability}': {e}"),
+        )
+    })?;
+
+    match rust_verify_at_time(&att, &issuer_pk_bytes, at).await {
+        Ok(_) => {
+            if att.capabilities.contains(&cap) {
+                Ok(NapiVerificationResult {
+                    valid: true,
+                    error: None,
+                    error_code: None,
+                })
+            } else {
+                Ok(NapiVerificationResult {
+                    valid: false,
+                    error: Some(format!(
+                        "Attestation does not grant required capability '{required_capability}'"
+                    )),
+                    error_code: Some("AUTHS_MISSING_CAPABILITY".to_string()),
+                })
+            }
+        }
+        Err(e) => Ok(NapiVerificationResult {
+            valid: false,
+            error_code: Some(e.error_code().to_string()),
+            error: Some(e.to_string()),
+        }),
+    }
+}
+
+#[napi]
+pub async fn verify_chain_with_witnesses(
+    attestations_json: Vec<String>,
+    root_pk_hex: String,
+    receipts_json: Vec<String>,
+    witness_keys_json: Vec<String>,
+    threshold: u32,
+) -> napi::Result<NapiVerificationReport> {
+    check_batch_size(&attestations_json)?;
+    let root_pk_bytes = decode_pk_hex(&root_pk_hex, "root public key")?;
+    let attestations = parse_attestations(&attestations_json)?;
+
+    let receipts: Vec<WitnessReceipt> = receipts_json
+        .iter()
+        .enumerate()
+        .map(|(i, json)| {
+            serde_json::from_str(json).map_err(|e| {
+                format_error(
+                    "AUTHS_SERIALIZATION_ERROR",
+                    format!("Failed to parse witness receipt {i}: {e}"),
+                )
+            })
+        })
+        .collect::<napi::Result<Vec<_>>>()?;
+
+    #[derive(serde::Deserialize)]
+    struct WitnessKeyInput {
+        did: String,
+        public_key_hex: String,
+    }
+
+    let witness_keys: Vec<(String, Vec<u8>)> = witness_keys_json
+        .iter()
+        .enumerate()
+        .map(|(i, json)| {
+            let input: WitnessKeyInput = serde_json::from_str(json).map_err(|e| {
+                format_error(
+                    "AUTHS_SERIALIZATION_ERROR",
+                    format!("Failed to parse witness key {i}: {e}"),
+                )
+            })?;
+            let pk_bytes = hex::decode(&input.public_key_hex).map_err(|e| {
+                format_error(
+                    "AUTHS_INVALID_INPUT",
+                    format!("Invalid witness key {i} hex: {e}"),
+                )
+            })?;
+            if pk_bytes.len() != 32 {
+                return Err(format_error(
+                    "AUTHS_INVALID_INPUT",
+                    format!(
+                        "Invalid witness key {i} length: expected 32 bytes, got {}",
+                        pk_bytes.len()
+                    ),
+                ));
+            }
+            Ok((input.did, pk_bytes))
+        })
+        .collect::<napi::Result<Vec<_>>>()?;
+
+    let config = WitnessVerifyConfig {
+        receipts: &receipts,
+        witness_keys: &witness_keys,
+        threshold: threshold as usize,
+    };
+
+    match rust_verify_chain_with_witnesses(&attestations, &root_pk_bytes, &config).await {
+        Ok(report) => Ok(report.into()),
+        Err(e) => Err(format_error(
+            e.error_code(),
+            format!("Chain verification with witnesses failed: {e}"),
+        )),
+    }
+}

package/src/witness.rs

@@ -0,0 +1,138 @@
+use std::path::PathBuf;
+
+use auths_id::storage::identity::IdentityStorage;
+use auths_id::witness_config::WitnessConfig;
+use auths_storage::git::RegistryIdentityStorage;
+use napi_derive::napi;
+
+use crate::error::format_error;
+
+fn resolve_repo(repo_path: &str) -> PathBuf {
+    PathBuf::from(shellexpand::tilde(repo_path).as_ref())
+}
+
+fn load_witness_config(repo_path: &PathBuf) -> napi::Result<WitnessConfig> {
+    let storage = RegistryIdentityStorage::new(repo_path);
+    let identity = storage
+        .load_identity()
+        .map_err(|e| format_error("AUTHS_WITNESS_ERROR", e))?;
+
+    if let Some(wc) = identity
+        .metadata
+        .as_ref()
+        .and_then(|m| m.get("witness_config"))
+    {
+        let config: WitnessConfig = serde_json::from_value(wc.clone())
+            .map_err(|e| format_error("AUTHS_WITNESS_ERROR", e))?;
+        return Ok(config);
+    }
+    Ok(WitnessConfig::default())
+}
+
+fn save_witness_config(repo_path: &PathBuf, config: &WitnessConfig) -> napi::Result<()> {
+    let storage = RegistryIdentityStorage::new(repo_path);
+    let mut identity = storage
+        .load_identity()
+        .map_err(|e| format_error("AUTHS_WITNESS_ERROR", e))?;
+
+    let metadata = identity
+        .metadata
+        .get_or_insert_with(|| serde_json::json!({}));
+    if let Some(obj) = metadata.as_object_mut() {
+        obj.insert(
+            "witness_config".to_string(),
+            serde_json::to_value(config).map_err(|e| format_error("AUTHS_WITNESS_ERROR", e))?,
+        );
+    }
+
+    storage
+        .create_identity(identity.controller_did.as_str(), identity.metadata)
+        .map_err(|e| format_error("AUTHS_WITNESS_ERROR", e))?;
+    Ok(())
+}
+
+#[napi(object)]
+#[derive(Clone)]
+pub struct NapiWitnessResult {
+    pub url: String,
+    pub did: Option<String>,
+    pub label: Option<String>,
+}
+
+#[napi]
+pub fn add_witness(
+    url_str: String,
+    repo_path: String,
+    label: Option<String>,
+) -> napi::Result<NapiWitnessResult> {
+    let repo = resolve_repo(&repo_path);
+    let parsed_url: url::Url = url_str.parse().map_err(|e| {
+        format_error(
+            "AUTHS_WITNESS_ERROR",
+            format!("Invalid URL '{}': {}", url_str, e),
+        )
+    })?;
+
+    let mut config = load_witness_config(&repo)?;
+
+    if config.witness_urls.contains(&parsed_url) {
+        return Ok(NapiWitnessResult {
+            url: url_str,
+            did: None,
+            label,
+        });
+    }
+
+    config.witness_urls.push(parsed_url);
+    if config.threshold == 0 {
+        config.threshold = 1;
+    }
+
+    save_witness_config(&repo, &config)?;
+    Ok(NapiWitnessResult {
+        url: url_str,
+        did: None,
+        label,
+    })
+}
+
+#[napi]
+pub fn remove_witness(url_str: String, repo_path: String) -> napi::Result<()> {
+    let repo = resolve_repo(&repo_path);
+    let parsed_url: url::Url = url_str.parse().map_err(|e| {
+        format_error(
+            "AUTHS_WITNESS_ERROR",
+            format!("Invalid URL '{}': {}", url_str, e),
+        )
+    })?;
+
+    let mut config = load_witness_config(&repo)?;
+    config.witness_urls.retain(|u| u != &parsed_url);
+
+    if config.threshold > config.witness_urls.len() {
+        config.threshold = config.witness_urls.len();
+    }
+
+    save_witness_config(&repo, &config)?;
+    Ok(())
+}
+
+#[napi]
+pub fn list_witnesses(repo_path: String) -> napi::Result<String> {
+    let repo = resolve_repo(&repo_path);
+    let config = load_witness_config(&repo)?;
+
+    let entries: Vec<serde_json::Value> = config
+        .witness_urls
+        .iter()
+        .map(|u| {
+            serde_json::json!({
+                "url": u.to_string(),
+                "did": null,
+                "label": null,
+            })
+        })
+        .collect();
+
+    serde_json::to_string(&entries).map_err(|e| format_error("AUTHS_WITNESS_ERROR", e))
+}

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": ["ES2022", "ESNext.Disposable"],
+    "module": "commonjs",
+    "moduleResolution": "node",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "outDir": "./dist",
+    "rootDir": "."
+  },
+  "include": ["lib/**/*.ts"],
+  "exclude": ["node_modules", "__tests__", "dist"]
+}

package/typedoc.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://typedoc.org/schema.json",
+  "entryPoints": ["lib/index.ts"],
+  "out": "../../docs/sdk/node/api",
+  "plugin": ["typedoc-plugin-markdown"],
+  "tsconfig": "tsconfig.json",
+  "readme": "none",
+  "hideGenerator": true,
+  "excludePrivate": true,
+  "excludeInternal": true,
+  "disableSources": true,
+  "outputFileStrategy": "modules",
+  "hideBreadcrumbs": true,
+  "hidePageHeader": true,
+  "useCodeBlocks": true,
+  "entryFileName": "index",
+  "flattenOutputFiles": true
+}

package/vitest.config.ts

@@ -0,0 +1,12 @@
+import { defineConfig } from 'vitest/config'
+
+export default defineConfig({
+  test: {
+    pool: 'forks',
+    poolOptions: {
+      forks: {
+        singleFork: true,
+      },
+    },
+  },
+})