npm - @blocklet/meta - Versions diffs - 1.16.40-beta-20250314-125842-4252b590 → 1.16.40-beta-20250315-134510-bc80c5f5 - Mend

@blocklet/meta 1.16.40-beta-20250314-125842-4252b590 → 1.16.40-beta-20250315-134510-bc80c5f5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/security.d.ts CHANGED Viewed

@@ -10,6 +10,9 @@ type VaultRecord = {
     did: string;
     at: number;
     sig: string;
+    approverSig?: string;
+    approverDid?: string;
+    approverPk?: string;
 };
-export declare function verifyVault(vaults: VaultRecord[], appId: string, throwOnError?: boolean): Promise<string>;
+export declare function verifyVault(vaults: VaultRecord[], appPid: string, throwOnError?: boolean): Promise<string>;
 export {};

package/lib/security.js CHANGED Viewed

@@ -22,11 +22,11 @@ function verifyResponse(signed, wallet) {
     }
     return Promise.resolve(wallet.verify((0, json_stable_stringify_1.default)((0, omit_1.default)(signed, '$signature')), signed.$signature));
 }
-async function verifyVault(vaults, appId, throwOnError = false) {
+async function verifyVault(vaults, appPid, throwOnError = false) {
     // return empty string if the vaults list is empty
     if (!Array.isArray(vaults) || vaults.length === 0) {
         if (throwOnError) {
-            throw new Error('Blocklet vaults list is empty');
+            throw new Error('vaults list is empty');
         }
         return '';
     }
@@ -34,7 +34,7 @@ async function verifyVault(vaults, appId, throwOnError = false) {
     for (let i = 1; i < vaults.length; i++) {
         if (vaults[i].at <= vaults[i - 1].at) {
             if (throwOnError) {
-                throw new Error('Blocklet vaults are not in ascending order');
+                throw new Error('vaults are not in ascending order');
             }
             return '';
         }
@@ -43,31 +43,90 @@ async function verifyVault(vaults, appId, throwOnError = false) {
     const uniqueVaults = new Set(vaults.map((vault) => vault.did));
     if (uniqueVaults.size !== vaults.length) {
         if (throwOnError) {
-            throw new Error('Blocklet vaults list has duplicate vaults');
+            throw new Error('vaults list has duplicate vaults');
         }
         return '';
     }
-    // verify signature for each vault
-    let data = Buffer.from(`vault:${appId}`);
+    // verify signature for each vault: approve and commit
     for (let i = 0; i < vaults.length; i++) {
         const vault = vaults[i];
-        const wallet = (0, wallet_1.fromPublicKey)(vault.pk, (0, did_1.toTypeInfo)(vault.did));
-        data = Buffer.concat([data, Buffer.from(`\n${vault.did}`)]);
+        if (!(0, did_1.isFromPublicKey)(vault.did, vault.pk)) {
+            if (throwOnError) {
+                throw new Error(`vault did and pk mismatch: ${vault.did}(${vault.pk})`);
+            }
+            return '';
+        }
+        let data = Buffer.from(`vault:${appPid}`);
+        for (let j = 0; j <= i; j++) {
+            data = Buffer.concat([data, Buffer.from(`:${vaults[j].did}`)]);
+        }
+        // verify approve signature for non-first vault
+        if (!vault.approverSig) {
+            if (throwOnError) {
+                throw new Error(`vault approve signature missing for ${vault.did}`);
+            }
+            return '';
+        }
+        try {
+            let wallet;
+            if (i > 0) {
+                const prevVault = vaults[i - 1];
+                wallet = (0, wallet_1.fromPublicKey)(prevVault.pk, (0, did_1.toTypeInfo)(prevVault.did));
+            }
+            else {
+                if (!vault.approverPk || !vault.approverDid || !(0, did_1.isFromPublicKey)(vault.approverDid, vault.approverPk)) {
+                    if (throwOnError) {
+                        throw new Error(`approver config missing for ${vault.did}`);
+                    }
+                    return '';
+                }
+                wallet = (0, wallet_1.fromPublicKey)(vault.approverPk, (0, did_1.toTypeInfo)(vault.approverDid));
+            }
+            // eslint-disable-next-line no-await-in-loop
+            if ((await wallet.verify(data, vault.approverSig)) === false) {
+                if (throwOnError) {
+                    throw new Error(`signature verify failed for ${vault.did}`);
+                }
+                return '';
+            }
+        }
+        catch (err) {
+            /* istanbul ignore if */
+            if (process.env.NODE_ENV !== 'test') {
+                console.error(err);
+            }
+            if (throwOnError) {
+                throw new Error(`vault approve verify failed: ${err.message}`);
+            }
+            return '';
+        }
+        // verify commit signature for all vaults
+        if (!vault.sig) {
+            if (throwOnError) {
+                throw new Error(`vault commit signature missing for ${vault.did}`);
+            }
+            return '';
+        }
         try {
+            const wallet = (0, wallet_1.fromPublicKey)(vault.pk, (0, did_1.toTypeInfo)(vault.did));
+            if (vault.approverSig) {
+                data = Buffer.concat([data, Buffer.from(`:${vault.approverSig}`)]);
+            }
             // eslint-disable-next-line no-await-in-loop
             if ((await wallet.verify(data, vault.sig)) === false) {
                 if (throwOnError) {
-                    throw new Error(`Blocklet vault signature verification failed for ${vault.did}`);
+                    throw new Error(`commit signature verify failed for ${vault.did}`);
                 }
                 return '';
             }
         }
         catch (err) {
+            /* istanbul ignore if */
             if (process.env.NODE_ENV !== 'test') {
                 console.error(err);
             }
             if (throwOnError) {
-                throw new Error(`Blocklet vault signature verification failed for ${vault.did}`);
+                throw new Error(`vault commit verify failed: ${err.message}`);
             }
             return '';
         }

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.40-beta-20250314-125842-4252b590",
+  "version": "1.16.40-beta-20250315-134510-bc80c5f5",
   "description": "Library to parse/validate/fix blocklet meta",
   "main": "./lib/index.js",
   "typings": "./lib/index.d.ts",
@@ -25,13 +25,13 @@
   "author": "wangshijun <wangshijun2020@gmail.com> (http://github.com/wangshijun)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.40-beta-20250314-125842-4252b590",
-    "@abtnode/docker-utils": "1.16.40-beta-20250314-125842-4252b590",
+    "@abtnode/constant": "1.16.40-beta-20250315-134510-bc80c5f5",
+    "@abtnode/docker-utils": "1.16.40-beta-20250315-134510-bc80c5f5",
     "@arcblock/did": "1.19.15",
     "@arcblock/did-ext": "1.19.15",
     "@arcblock/did-util": "1.19.15",
     "@arcblock/jwt": "1.19.15",
-    "@blocklet/constant": "1.16.40-beta-20250314-125842-4252b590",
+    "@blocklet/constant": "1.16.40-beta-20250315-134510-bc80c5f5",
     "@ocap/asset": "1.19.15",
     "@ocap/mcrypto": "1.19.15",
     "@ocap/types": "1.19.15",
@@ -80,5 +80,5 @@
     "ts-node": "^10.9.1",
     "typescript": "^5.6.3"
   },
-  "gitHead": "1092d34fe556403e34fd3fbb0608b5d00970d13b"
+  "gitHead": "c0f7d7e29a3e0e8c97361a04caacd136713ac184"
 }