npm - @bandeira-tech/b3nd-web - Versions diffs - 0.2.3 → 0.2.4 - Mend

@bandeira-tech/b3nd-web 0.2.3 → 0.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/chunk-F3W5GZU6.js +1775 -0
package/dist/{chunk-K3ZSSVHR.js → chunk-JN75UL5C.js} +2 -0
package/dist/core-CgxQpSVM.d.ts +275 -0
package/dist/encrypt/mod.d.ts +1 -1
package/dist/encrypt/mod.js +1 -1
package/dist/{mod-D02790g_.d.ts → mod-CII9wqu2.d.ts} +1 -1
package/dist/src/mod.web.d.ts +1 -1
package/dist/src/mod.web.js +4 -4
package/dist/wallet-server/adapters/browser.d.ts +76 -0
package/dist/wallet-server/adapters/browser.js +105 -0
package/dist/wallet-server/mod.d.ts +320 -0
package/dist/wallet-server/mod.js +77 -0
package/package.json +13 -3

package/dist/wallet-server/mod.d.ts ADDED Viewed

@@ -0,0 +1,320 @@
+import { P as ProxyWriteRequest, a as ProxyWriteResponse, b as ProxyReadResponse, U as UserKeys, L as Logger, H as HttpFetch } from '../core-CgxQpSVM.js';
+export { A as AppBackendConfig, f as AuthSessionResponse, C as ConfigEnvironment, E as Environment, F as FileStorage, h as HealthResponse, M as MemoryFileStorage, g as PublicKeysResponse, R as ResolvedWalletServerConfig, e as ServerKeyPair, S as ServerKeys, i as ServerKeysResponse, c as WalletServerConfig, W as WalletServerCore, d as WalletServerDeps, j as defaultLogger } from '../core-CgxQpSVM.js';
+import { N as NodeProtocolInterface } from '../types-oQCx3U-_.js';
+import { S as SignedEncryptedMessage, E as EncryptedPayload } from '../mod-CII9wqu2.js';
+import 'hono';
+/**
+ * JWT Token Management
+ *
+ * Creates and validates JWT tokens for authenticated sessions.
+ */
+interface JwtPayload {
+    username: string;
+    iat: number;
+    exp: number;
+    type: "access";
+}
+/**
+ * Create JWT token using HMAC-SHA256
+ */
+declare function createJwt(username: string, secret: string, expirationSeconds: number): Promise<string>;
+/**
+ * Verify and decode JWT token
+ */
+declare function verifyJwt(token: string, secret: string): Promise<JwtPayload>;
+/**
+ * Extract username from JWT token (without verification)
+ * Use only for logging/debugging
+ */
+declare function extractUsernameFromJwt(token: string): string | null;
+/**
+ * Write Proxy
+ *
+ * Handles proxying user write requests to the target b3nd backend.
+ * Automatically signs writes with the user's identity key and encrypts with user's encryption key.
+ */
+/**
+ * Proxy a write request with user signing
+ * The server acts as the key custodian for the write operation.
+ */
+declare function proxyWrite(proxyClient: NodeProtocolInterface, credentialClient: NodeProtocolInterface, serverPublicKey: string, username: string, serverEncryptionPrivateKeyPem: string, request: ProxyWriteRequest): Promise<ProxyWriteResponse>;
+/**
+ * Proxy a read request (with optional decryption)
+ */
+declare function proxyRead(proxyClient: NodeProtocolInterface, uri: string, serverEncryptionPrivateKeyPem?: string): Promise<ProxyReadResponse>;
+/**
+ * User Key Management
+ *
+ * Generates and manages user Ed25519 (account/signing) and X25519 (encryption) keys.
+ */
+/**
+ * Generate and store user keys
+ * Stores signed+encrypted at obfuscated paths under: mutable://accounts/{serverPublicKey}/...
+ */
+declare function generateUserKeys(client: NodeProtocolInterface, serverPublicKey: string, username: string, serverIdentityPrivateKeyPem: string, serverIdentityPublicKeyHex: string, serverEncryptionPublicKeyHex: string): Promise<UserKeys>;
+/**
+ * Load user's account key (Ed25519)
+ */
+declare function loadUserAccountKey(client: NodeProtocolInterface, serverPublicKey: string, username: string, serverEncryptionPrivateKeyPem: string, logger?: Logger): Promise<{
+    privateKeyPem: string;
+    publicKeyHex: string;
+}>;
+/**
+ * Load user's encryption key (X25519)
+ */
+declare function loadUserEncryptionKey(client: NodeProtocolInterface, serverPublicKey: string, username: string, serverEncryptionPrivateKeyPem: string, logger?: Logger): Promise<{
+    privateKeyPem: string;
+    publicKeyHex: string;
+}>;
+/**
+ * Load both user keys
+ */
+declare function loadUserKeys(client: NodeProtocolInterface, serverPublicKey: string, username: string, serverEncryptionPrivateKeyPem: string, logger?: Logger): Promise<UserKeys>;
+/**
+ * Get user's public keys (safe to share)
+ */
+declare function getUserPublicKeys(client: NodeProtocolInterface, serverPublicKey: string, username: string, serverEncryptionPrivateKeyPem: string, logger?: Logger): Promise<{
+    accountPublicKeyHex: string;
+    encryptionPublicKeyHex: string;
+}>;
+/**
+ * Google OAuth Module
+ *
+ * Handles verification of Google ID tokens using Google's public keys.
+ * Supports both signup and login flows with Google OAuth2.
+ */
+interface GoogleTokenPayload {
+    iss: string;
+    azp: string;
+    aud: string;
+    sub: string;
+    email: string;
+    email_verified: boolean;
+    name?: string;
+    picture?: string;
+    given_name?: string;
+    family_name?: string;
+    iat: number;
+    exp: number;
+}
+/**
+ * Clear the cached Google public keys
+ */
+declare function clearGooglePublicKeyCache(): void;
+/**
+ * Verify a Google ID token and extract the payload
+ */
+declare function verifyGoogleIdToken(idToken: string, clientId: string, fetchImpl?: HttpFetch): Promise<GoogleTokenPayload>;
+/**
+ * Generate a deterministic username from Google user info
+ * Uses the Google sub (unique user ID) to create a consistent username
+ */
+declare function generateGoogleUsername(googleSub: string): Promise<string>;
+/**
+ * Authentication Module
+ *
+ * Handles password hashing, user signup, login, password change, and reset flows.
+ * All data is encrypted before writing to backend using obfuscated paths.
+ */
+/**
+ * Check if user exists
+ */
+declare function userExists(client: NodeProtocolInterface, serverPublicKey: string, username: string, appScope?: string): Promise<boolean>;
+/**
+ * Create a new user with password
+ * Stores signed+encrypted at obfuscated paths under: mutable://accounts/{serverPublicKey}/...
+ */
+declare function createUser(client: NodeProtocolInterface, serverPublicKey: string, username: string, password: string, serverIdentityPrivateKeyPem: string, serverIdentityPublicKeyHex: string, serverEncryptionPublicKeyHex: string, appScope?: string): Promise<{
+    salt: string;
+    hash: string;
+}>;
+/**
+ * Authenticate user with password
+ */
+declare function authenticateUser(client: NodeProtocolInterface, serverPublicKey: string, username: string, password: string, serverIdentityPublicKeyHex: string, serverEncryptionPrivateKeyPem: string, appScope?: string, logger?: Logger): Promise<boolean>;
+/**
+ * Change user password
+ */
+declare function changePassword(client: NodeProtocolInterface, serverPublicKey: string, username: string, oldPassword: string, newPassword: string, serverIdentityPrivateKeyPem: string, serverIdentityPublicKeyHex: string, serverEncryptionPublicKeyHex: string, serverEncryptionPrivateKeyPem: string, appScope?: string): Promise<void>;
+/**
+ * Create password reset token
+ */
+declare function createPasswordResetToken(client: NodeProtocolInterface, serverPublicKey: string, username: string, ttlSeconds: number, serverIdentityPrivateKeyPem: string, serverIdentityPublicKeyHex: string, serverEncryptionPublicKeyHex: string, appScope?: string): Promise<string>;
+/**
+ * Reset password with token
+ */
+declare function resetPasswordWithToken(client: NodeProtocolInterface, serverPublicKey: string, token: string, newPassword: string, serverIdentityPrivateKeyPem: string, serverIdentityPublicKeyHex: string, serverEncryptionPublicKeyHex: string, serverEncryptionPrivateKeyPem: string, username: string, appScope?: string, logger?: Logger): Promise<string>;
+/**
+ * Check if a Google user exists by their Google sub ID
+ */
+declare function googleUserExists(client: NodeProtocolInterface, serverPublicKey: string, googleSub: string, appScope?: string): Promise<boolean>;
+/**
+ * Create a new user from Google OAuth
+ * Stores Google profile info instead of password credentials
+ */
+declare function createGoogleUser(client: NodeProtocolInterface, serverPublicKey: string, username: string, googlePayload: GoogleTokenPayload, serverIdentityPrivateKeyPem: string, serverIdentityPublicKeyHex: string, serverEncryptionPublicKeyHex: string, appScope?: string): Promise<{
+    username: string;
+    googleSub: string;
+}>;
+/**
+ * Authenticate user via Google OAuth
+ * Returns the username if Google sub ID is found
+ */
+declare function authenticateGoogleUser(client: NodeProtocolInterface, serverPublicKey: string, googleSub: string, serverEncryptionPrivateKeyPem: string, appScope?: string, logger?: Logger): Promise<string | null>;
+/**
+ * Credential System
+ *
+ * Unified abstraction for different authentication methods (password, OAuth providers, etc.)
+ * Each credential type has a handler that implements signup and login logic.
+ */
+/**
+ * Standard credential signup/login result
+ */
+interface CredentialResult {
+    username: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Base credential payload
+ */
+interface BaseCredentialPayload {
+    type: string;
+    session?: string;
+}
+/**
+ * Password credential payload
+ */
+interface PasswordCredentialPayload extends BaseCredentialPayload {
+    type: "password";
+    username: string;
+    password: string;
+}
+/**
+ * Google OAuth credential payload
+ */
+interface GoogleCredentialPayload extends BaseCredentialPayload {
+    type: "google";
+    googleIdToken: string;
+}
+/**
+ * Union of all credential payload types
+ */
+type CredentialPayload = PasswordCredentialPayload | GoogleCredentialPayload;
+/**
+ * Credential handler interface
+ */
+interface CredentialHandler<T extends BaseCredentialPayload = BaseCredentialPayload> {
+    /**
+     * Handle signup with this credential type
+     */
+    signup(payload: T, context: CredentialContext): Promise<CredentialResult>;
+    /**
+     * Handle login with this credential type
+     */
+    login(payload: T, context: CredentialContext): Promise<CredentialResult>;
+}
+/**
+ * Context passed to credential handlers
+ */
+interface CredentialContext {
+    client: NodeProtocolInterface;
+    serverPublicKey: string;
+    serverIdentityPrivateKeyPem: string;
+    serverIdentityPublicKeyHex: string;
+    serverEncryptionPublicKeyHex: string;
+    serverEncryptionPrivateKeyPem: string;
+    appKey: string;
+    googleClientId?: string | null;
+    logger?: Logger;
+    fetch?: HttpFetch;
+}
+/**
+ * Get a credential handler by type
+ */
+declare function getCredentialHandler(type: string): CredentialHandler;
+/**
+ * Register a new credential handler
+ */
+declare function registerCredentialHandler(type: string, handler: CredentialHandler): void;
+/**
+ * Get list of supported credential types
+ */
+declare function getSupportedCredentialTypes(): string[];
+/**
+ * Path Obfuscation & Encryption Utilities
+ *
+ * Provides deterministic path derivation and transparent encryption/decryption
+ * for all data stored in the public b3nd backend.
+ *
+ * All data written to the backend is:
+ * 1. Encrypted with server's X25519 key
+ * 2. Written to a deterministically obfuscated path
+ *
+ * The obfuscated path is derived from username/operationType/params,
+ * ensuring same inputs always produce same path (deterministic),
+ * but the path itself reveals nothing about the data.
+ */
+/**
+ * Operation types for path obfuscation
+ */
+type OperationType = "password" | "account-key" | "encryption-key" | "profile" | "reset-tokens" | "google-profile";
+/**
+ * Derive obfuscated path deterministically using HMAC-SHA256
+ *
+ * Inputs:
+ * - serverPublicKey: Server's Ed25519 public key (for context)
+ * - username: Username to obfuscate
+ * - operationType: Type of operation (password, keys, tokens, etc.)
+ * - params: Additional parameters (e.g., token id)
+ *
+ * Output: Hex string that looks like random data
+ *
+ * Properties:
+ * - Deterministic: Same inputs → same output
+ * - Non-reversible: Can't guess username from hash
+ * - Uniform: All paths look similar length/format
+ * - Repeatable: Can reconstruct on write and read
+ */
+declare function deriveObfuscatedPath(serverPublicKey: string, username: string, operationType: OperationType, ...params: string[]): Promise<string>;
+/**
+ * Convert PEM string to CryptoKey
+ */
+declare function pemToCryptoKey(pem: string, algorithm?: "Ed25519" | "X25519"): Promise<CryptoKey>;
+/**
+ * Create a signed+encrypted payload for storage
+ * Signs with server identity key, encrypts with server encryption key
+ */
+declare function createSignedEncryptedPayload(data: unknown, serverIdentityPrivateKeyPem: string, serverIdentityPublicKeyHex: string, serverEncryptionPublicKeyHex: string): Promise<SignedEncryptedMessage>;
+/**
+ * Decrypt and verify a signed+encrypted payload from storage
+ */
+declare function decryptSignedEncryptedPayload(signedMessage: SignedEncryptedMessage, serverEncryptionPrivateKeyPem: string): Promise<{
+    data: unknown;
+    verified: boolean;
+    signers: string[];
+}>;
+/**
+ * Encrypt data using server's X25519 public key
+ * Returns the encrypted payload structure
+ */
+declare function encryptForBackend(data: unknown, serverEncryptionPublicKeyHex: string): Promise<EncryptedPayload>;
+/**
+ * Decrypt data using server's X25519 private key
+ * Expects the encrypted payload structure
+ */
+declare function decryptFromBackend(encryptedPayload: EncryptedPayload, serverEncryptionPrivateKeyPem: string): Promise<unknown>;
+export { type BaseCredentialPayload, type CredentialContext, type CredentialHandler, type CredentialPayload, type CredentialResult, type GoogleCredentialPayload, type GoogleTokenPayload, HttpFetch, type JwtPayload, Logger, type OperationType, type PasswordCredentialPayload, ProxyReadResponse, ProxyWriteRequest, ProxyWriteResponse, UserKeys, authenticateGoogleUser, authenticateUser, changePassword, clearGooglePublicKeyCache, createGoogleUser, createJwt, createPasswordResetToken, createSignedEncryptedPayload, createUser, decryptFromBackend, decryptSignedEncryptedPayload, deriveObfuscatedPath, encryptForBackend, extractUsernameFromJwt, generateGoogleUsername, generateUserKeys, getCredentialHandler, getSupportedCredentialTypes, getUserPublicKeys, googleUserExists, loadUserAccountKey, loadUserEncryptionKey, loadUserKeys, pemToCryptoKey, proxyRead, proxyWrite, registerCredentialHandler, resetPasswordWithToken, userExists, verifyGoogleIdToken, verifyJwt };

package/dist/wallet-server/mod.js ADDED Viewed

@@ -0,0 +1,77 @@
+import {
+  ConfigEnvironment,
+  MemoryFileStorage,
+  WalletServerCore,
+  authenticateGoogleUser,
+  authenticateUser,
+  changePassword,
+  clearGooglePublicKeyCache,
+  createGoogleUser,
+  createJwt,
+  createPasswordResetToken,
+  createSignedEncryptedPayload,
+  createUser,
+  decryptFromBackend,
+  decryptSignedEncryptedPayload,
+  defaultLogger,
+  deriveObfuscatedPath,
+  encryptForBackend,
+  extractUsernameFromJwt,
+  generateGoogleUsername,
+  generateUserKeys,
+  getCredentialHandler,
+  getSupportedCredentialTypes,
+  getUserPublicKeys,
+  googleUserExists,
+  loadUserAccountKey,
+  loadUserEncryptionKey,
+  loadUserKeys,
+  pemToCryptoKey,
+  proxyRead,
+  proxyWrite,
+  registerCredentialHandler,
+  resetPasswordWithToken,
+  userExists,
+  verifyGoogleIdToken,
+  verifyJwt
+} from "../chunk-F3W5GZU6.js";
+import "../chunk-JN75UL5C.js";
+import "../chunk-LFUC4ETD.js";
+import "../chunk-MLKGABMK.js";
+export {
+  ConfigEnvironment,
+  MemoryFileStorage,
+  WalletServerCore,
+  authenticateGoogleUser,
+  authenticateUser,
+  changePassword,
+  clearGooglePublicKeyCache,
+  createGoogleUser,
+  createJwt,
+  createPasswordResetToken,
+  createSignedEncryptedPayload,
+  createUser,
+  decryptFromBackend,
+  decryptSignedEncryptedPayload,
+  defaultLogger,
+  deriveObfuscatedPath,
+  encryptForBackend,
+  extractUsernameFromJwt,
+  generateGoogleUsername,
+  generateUserKeys,
+  getCredentialHandler,
+  getSupportedCredentialTypes,
+  getUserPublicKeys,
+  googleUserExists,
+  loadUserAccountKey,
+  loadUserEncryptionKey,
+  loadUserKeys,
+  pemToCryptoKey,
+  proxyRead,
+  proxyWrite,
+  registerCredentialHandler,
+  resetPasswordWithToken,
+  userExists,
+  verifyGoogleIdToken,
+  verifyJwt
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bandeira-tech/b3nd-web",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "Browser-focused B3nd SDK bundle",
   "type": "module",
   "main": "./dist/src/mod.web.js",
@@ -34,13 +34,21 @@
     "./apps": {
       "import": "./dist/apps/mod.js",
       "types": "./dist/apps/mod.d.ts"
+    },
+    "./wallet-server": {
+      "import": "./dist/wallet-server/mod.js",
+      "types": "./dist/wallet-server/mod.d.ts"
+    },
+    "./wallet-server/adapters/browser": {
+      "import": "./dist/wallet-server/adapters/browser.js",
+      "types": "./dist/wallet-server/adapters/browser.d.ts"
     }
   },
   "files": [
     "dist"
   ],
   "scripts": {
-    "build": "tsup src/mod.web.ts wallet/mod.ts apps/mod.ts encrypt/mod.ts clients/http/mod.ts clients/local-storage/mod.ts clients/websocket/mod.ts --dts --format esm --out-dir dist --clean --tsconfig tsconfig.web.json",
+    "build": "tsup src/mod.web.ts wallet/mod.ts apps/mod.ts encrypt/mod.ts clients/http/mod.ts clients/local-storage/mod.ts clients/websocket/mod.ts wallet-server/mod.ts wallet-server/adapters/browser.ts --dts --format esm --out-dir dist --clean --tsconfig tsconfig.web.json",
     "clean": "rm -rf dist",
     "lint": "deno lint src/",
     "format": "deno fmt src/"
@@ -69,7 +77,9 @@
     "url": "https://github.com/bandeira-tech/b3nd-sdk/issues"
   },
   "homepage": "https://github.com/bandeira-tech/b3nd-sdk#readme",
-  "dependencies": {},
+  "dependencies": {
+    "hono": "^4.6.0"
+  },
   "devDependencies": {
     "tsup": "^8.3.5",
     "typescript": "^5.6.3",