@bandeira-tech/b3nd-web 0.2.7 → 0.3.1

package/dist/{chunk-F3W5GZU6.js → chunk-B4VAPGAO.js}

@@ -5,11 +5,12 @@ import {
   decrypt,
   encodeHex,
   encrypt,
+  verify,
   verifyPayload
 } from "./chunk-JN75UL5C.js";
 import {
   HttpClient
-} from "./chunk-LFUC4ETD.js";
+} from "./chunk-OY4CDOHY.js";
 
 // wallet-server/interfaces.ts
 var defaultLogger = {
@@ -446,27 +447,42 @@ async function proxyWrite(proxyClient, credentialClient, serverPublicKey, userna
     };
   }
 }
-async function proxyRead(proxyClient, uri, serverEncryptionPrivateKeyPem) {
+async function proxyRead(proxyClient, credentialClient, serverPublicKey, username, serverEncryptionPrivateKeyPem, uri) {
   try {
-    const result = await proxyClient.read(uri);
+    const accountKey = await loadUserAccountKey(
+      credentialClient,
+      serverPublicKey,
+      username,
+      serverEncryptionPrivateKeyPem
+    );
+    const resolvedUri = uri.replace(/:key/g, accountKey.publicKeyHex);
+    const result = await proxyClient.read(resolvedUri);
     if (!result.success) {
       return {
         success: false,
+        uri: resolvedUri,
         error: result.error || "Read failed"
       };
     }
     const response = {
       success: true,
+      uri: resolvedUri,
       record: result.record
     };
-    if (serverEncryptionPrivateKeyPem && result.record?.data) {
+    if (result.record?.data) {
       try {
         const data = result.record.data;
         if (typeof data === "object" && data.payload && typeof data.payload === "object") {
           const payload = data.payload;
           if (payload.data && payload.nonce && payload.ephemeralPublicKey) {
+            const userEncryptionKey = await loadUserEncryptionKey(
+              credentialClient,
+              serverPublicKey,
+              username,
+              serverEncryptionPrivateKeyPem
+            );
             const privateKey = await pemToCryptoKey(
-              serverEncryptionPrivateKeyPem,
+              userEncryptionKey.privateKeyPem,
               "X25519"
             );
             const encryptedPayload = {
@@ -491,10 +507,94 @@ async function proxyRead(proxyClient, uri, serverEncryptionPrivateKeyPem) {
   } catch (error) {
     return {
       success: false,
+      uri,
       error: `Proxy read failed: ${error instanceof Error ? error.message : String(error)}`
     };
   }
 }
+async function proxyReadMulti(proxyClient, credentialClient, serverPublicKey, username, serverEncryptionPrivateKeyPem, uris) {
+  if (uris.length > 50) {
+    return {
+      success: false,
+      results: [],
+      summary: { total: uris.length, succeeded: 0, failed: uris.length },
+      error: "Maximum 50 URIs per request"
+    };
+  }
+  try {
+    const [accountKey, userEncryptionKey] = await Promise.all([
+      loadUserAccountKey(
+        credentialClient,
+        serverPublicKey,
+        username,
+        serverEncryptionPrivateKeyPem
+      ),
+      loadUserEncryptionKey(
+        credentialClient,
+        serverPublicKey,
+        username,
+        serverEncryptionPrivateKeyPem
+      )
+    ]);
+    const resolvedUris = uris.map(
+      (uri) => uri.replace(/:key/g, accountKey.publicKeyHex)
+    );
+    const multiResult = await proxyClient.readMulti(resolvedUris);
+    const privateKey = await pemToCryptoKey(
+      userEncryptionKey.privateKeyPem,
+      "X25519"
+    );
+    const results = await Promise.all(
+      multiResult.results.map(async (item, i) => {
+        const originalUri = uris[i];
+        if (!item.success) {
+          return {
+            uri: originalUri,
+            success: false,
+            error: "error" in item ? item.error : "Read failed"
+          };
+        }
+        const result = {
+          uri: originalUri,
+          success: true,
+          record: "record" in item ? item.record : void 0
+        };
+        if (result.record?.data) {
+          try {
+            const data = result.record.data;
+            if (typeof data === "object" && data.payload && typeof data.payload === "object") {
+              const payload = data.payload;
+              if (payload.data && payload.nonce && payload.ephemeralPublicKey) {
+                const encryptedPayload = {
+                  data: payload.data,
+                  nonce: payload.nonce,
+                  ephemeralPublicKey: payload.ephemeralPublicKey
+                };
+                const decrypted = await decrypt(encryptedPayload, privateKey);
+                return { ...result, decrypted };
+              }
+            }
+          } catch {
+          }
+        }
+        return result;
+      })
+    );
+    const succeeded = results.filter((r) => r.success).length;
+    return {
+      success: succeeded > 0,
+      results,
+      summary: { total: uris.length, succeeded, failed: uris.length - succeeded }
+    };
+  } catch (error) {
+    return {
+      success: false,
+      results: [],
+      summary: { total: uris.length, succeeded: 0, failed: uris.length },
+      error: `Proxy read-multi failed: ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
 
 // wallet-server/auth.ts
 function generateSalt() {
@@ -581,7 +681,7 @@ async function createUser(client, serverPublicKey, username, password, serverIde
   );
   return { salt, hash };
 }
-async function authenticateUser(client, serverPublicKey, username, password, serverIdentityPublicKeyHex, serverEncryptionPrivateKeyPem, appScope, logger) {
+async function authenticateUser(client, serverPublicKey, username, password, serverEncryptionPrivateKeyPem, appScope, logger) {
   const passwordPath = await deriveObfuscatedPath(
     serverPublicKey,
     username,
@@ -613,7 +713,6 @@ async function changePassword(client, serverPublicKey, username, oldPassword, ne
     serverPublicKey,
     username,
     oldPassword,
-    serverIdentityPublicKeyHex,
     serverEncryptionPrivateKeyPem,
     appScope
   );
@@ -987,7 +1086,6 @@ var PasswordCredentialHandler = class {
       context.serverPublicKey,
       username,
       password,
-      context.serverIdentityPublicKeyHex,
       context.serverEncryptionPrivateKeyPem,
       context.appKey,
       context.logger
@@ -1294,13 +1392,42 @@ var WalletServerCore = class {
   async writeBootstrapState(path, state) {
     await this.storage.writeTextFile(path, JSON.stringify(state, null, 2));
   }
-  async sessionExists(appKey, sessionKey) {
-    const input = new TextEncoder().encode(sessionKey);
-    const digest = await crypto.subtle.digest("SHA-256", input);
-    const sigHex = Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("").substring(0, 32);
-    const uri = `mutable://accounts/${appKey}/sessions/${sigHex}`;
+  /**
+   * Validate that a session is approved by the app.
+   * Sessions are keypairs - the sessionPubkey is used directly as the identifier.
+   * App approves sessions by writing 1 to mutable://accounts/{appKey}/sessions/{sessionPubkey}
+   *
+   * @param appKey - The app's public key
+   * @param sessionPubkey - The session's public key (hex encoded)
+   * @returns { valid: true } if approved, { valid: false, reason } if not
+   */
+  async sessionExists(appKey, sessionPubkey) {
+    const uri = `mutable://accounts/${appKey}/sessions/${sessionPubkey}`;
     const res = await this.proxyClient.read(uri);
-    return res.success;
+    if (!res.success) {
+      return { valid: false, reason: "session_not_approved" };
+    }
+    if (res.record?.data === 1) {
+      return { valid: true };
+    }
+    if (res.record?.data === 0) {
+      return { valid: false, reason: "session_revoked" };
+    }
+    return { valid: false, reason: "invalid_session_status" };
+  }
+  /**
+   * Verify that a login request signature is valid for the given session pubkey.
+   * The signature should be over the stringified login payload (without the signature field).
+   * Uses SDK crypto for consistent verification across the codebase.
+   */
+  async verifySessionSignature(sessionPubkey, signature, payload) {
+    try {
+      const { sessionSignature: _, ...signedPayload } = payload;
+      return await verify(sessionPubkey, signature, signedPayload);
+    } catch (error) {
+      this.logger.error("Session signature verification failed:", error);
+      return false;
+    }
   }
   createApp() {
     const app = new Hono();
@@ -1402,12 +1529,33 @@ var WalletServerCore = class {
         if (!appKey) {
           return c.json({ success: false, error: "appKey is required" }, 400);
         }
+        if (!payload.sessionPubkey) {
+          return c.json({ success: false, error: "sessionPubkey is required" }, 400);
+        }
+        if (!payload.sessionSignature) {
+          return c.json({ success: false, error: "sessionSignature is required" }, 400);
+        }
         if (!payload.type) {
           return c.json({
             success: false,
             error: `type is required. Supported: ${getSupportedCredentialTypes().join(", ")}`
           }, 400);
         }
+        const signatureValid = await this.verifySessionSignature(
+          payload.sessionPubkey,
+          payload.sessionSignature,
+          payload
+        );
+        if (!signatureValid) {
+          return c.json({ success: false, error: "Invalid session signature" }, 401);
+        }
+        const sessionResult = await this.sessionExists(appKey, payload.sessionPubkey);
+        if (!sessionResult.valid) {
+          return c.json({
+            success: false,
+            error: sessionResult.reason === "session_revoked" ? "Session has been revoked" : sessionResult.reason === "session_not_approved" ? "Session not approved by app" : "Invalid session"
+          }, 401);
+        }
         const handler = getCredentialHandler(payload.type);
         let googleClientId;
         if (payload.type === "google") {
@@ -1469,8 +1617,11 @@ var WalletServerCore = class {
         if (!appKey) {
           return c.json({ success: false, error: "appKey is required" }, 400);
         }
-        if (!payload.session) {
-          return c.json({ success: false, error: "session is required" }, 400);
+        if (!payload.sessionPubkey) {
+          return c.json({ success: false, error: "sessionPubkey is required" }, 400);
+        }
+        if (!payload.sessionSignature) {
+          return c.json({ success: false, error: "sessionSignature is required" }, 400);
         }
         if (!payload.type) {
           return c.json({
@@ -1478,8 +1629,20 @@ var WalletServerCore = class {
             error: `type is required. Supported: ${getSupportedCredentialTypes().join(", ")}`
           }, 400);
         }
-        if (!await this.sessionExists(appKey, payload.session)) {
-          return c.json({ success: false, error: "Invalid session" }, 401);
+        const signatureValid = await this.verifySessionSignature(
+          payload.sessionPubkey,
+          payload.sessionSignature,
+          payload
+        );
+        if (!signatureValid) {
+          return c.json({ success: false, error: "Invalid session signature" }, 401);
+        }
+        const sessionResult = await this.sessionExists(appKey, payload.sessionPubkey);
+        if (!sessionResult.valid) {
+          return c.json({
+            success: false,
+            error: sessionResult.reason === "session_revoked" ? "Session has been revoked" : sessionResult.reason === "session_not_approved" ? "Session not approved by app" : "Invalid session"
+          }, 401);
         }
         const handler = getCredentialHandler(payload.type);
         let googleClientId;
@@ -1704,22 +1867,25 @@ var WalletServerCore = class {
           return c.json({ success: false, error: "Authorization required" }, 401);
         }
         const token = authHeader.substring(7);
-        await verifyJwt(token, this.config.jwtSecret);
+        const payload = await verifyJwt(token, this.config.jwtSecret);
         const uri = c.req.query("uri");
         if (!uri) {
           return c.json({ success: false, error: "uri query parameter is required" }, 400);
         }
         const result = await proxyRead(
           this.proxyClient,
-          uri,
-          serverEncryptionPrivateKeyPem
+          this.credentialClient,
+          serverPublicKey,
+          payload.username,
+          serverEncryptionPrivateKeyPem,
+          uri
         );
         if (!result.success) {
           return c.json({ success: false, error: result.error }, 400);
         }
         return c.json({
           success: true,
-          uri,
+          uri: result.uri,
           record: result.record,
           decrypted: result.decrypted
         });
@@ -1732,6 +1898,36 @@ var WalletServerCore = class {
         return c.json({ success: false, error: message }, 500);
       }
     });
+    app.post("/api/v1/proxy/read-multi", async (c) => {
+      try {
+        const authHeader = c.req.header("Authorization");
+        if (!authHeader?.startsWith("Bearer ")) {
+          return c.json({ success: false, error: "Authorization required" }, 401);
+        }
+        const token = authHeader.substring(7);
+        const payload = await verifyJwt(token, this.config.jwtSecret);
+        const body = await c.req.json();
+        if (!Array.isArray(body.uris)) {
+          return c.json({ success: false, error: "uris must be an array" }, 400);
+        }
+        const result = await proxyReadMulti(
+          this.proxyClient,
+          this.credentialClient,
+          serverPublicKey,
+          payload.username,
+          serverEncryptionPrivateKeyPem,
+          body.uris
+        );
+        return c.json(result);
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes("expired")) {
+          return c.json({ success: false, error: message }, 401);
+        }
+        this.logger.error("Proxy read-multi error:", error);
+        return c.json({ success: false, error: message }, 500);
+      }
+    });
     return app;
   }
 };