@bod.ee/db 0.9.1 → 0.10.2

package/src/shared/keyAuth.ts

@@ -0,0 +1,177 @@
+import {
+  createHash, randomBytes, createCipheriv, createDecipheriv, pbkdf2Sync,
+  sign as cryptoSign, verify as cryptoVerify, generateKeyPairSync,
+} from 'crypto';
+
+// --- Types ---
+
+export interface KeyAuthAccount {
+  publicKey: string;       // base64
+  fingerprint: string;     // hex SHA-256 of publicKey
+  encryptedPrivateKey: string; // base64 (AES-256-GCM encrypted)
+  salt: string;            // base64 (PBKDF2 salt)
+  iv: string;              // base64 (AES-GCM IV)
+  authTag: string;         // base64 (AES-GCM auth tag)
+  displayName?: string;
+  roles: string[];
+  createdAt: number;
+  lastAuth: number;
+}
+
+export interface KeyAuthDevice {
+  publicKey: string;
+  fingerprint: string;
+  accountFingerprint: string;
+  certificate: string;     // base64 Ed25519 signature of (devicePubKey + accountFp + linkedAt)
+  name?: string;
+  linkedAt: number;
+  lastAuth: number;
+}
+
+export interface KeyAuthRole {
+  id: string;
+  name: string;
+  permissions: Array<{ path: string; read?: boolean; write?: boolean }>;
+}
+
+export interface KeyAuthSession {
+  fingerprint: string;      // device or root fingerprint
+  accountFingerprint: string;
+  roles: string[];
+  isRoot: boolean;
+  createdAt: number;
+  expiresAt: number;
+}
+
+export interface KeyAuthContext {
+  sid: string;
+  fingerprint: string;
+  accountFingerprint: string;
+  roles: string[];
+  isRoot: boolean;
+}
+
+export interface KeyAuthTokenPayload {
+  sid: string;
+  fp: string;
+  accountFp: string;
+  roles: string[];
+  root: boolean;
+  exp: number;
+}
+
+// --- Utils ---
+
+export function fingerprint(publicKeyBase64: string): string {
+  return createHash('sha256').update(Buffer.from(publicKeyBase64, 'base64')).digest('hex');
+}
+
+export function generateNonce(): string {
+  return randomBytes(32).toString('base64url');
+}
+
+export function generateSessionId(): string {
+  return randomBytes(16).toString('base64url');
+}
+
+// --- Token encoding (self-signed, no JWT library) ---
+
+function base64url(buf: Buffer): string {
+  return buf.toString('base64url');
+}
+
+function fromBase64url(str: string): Buffer {
+  return Buffer.from(str, 'base64url');
+}
+
+export function encodeToken(payload: KeyAuthTokenPayload, serverPrivateKey: Uint8Array): string {
+  const payloadBytes = Buffer.from(JSON.stringify(payload));
+  const payloadB64 = base64url(payloadBytes);
+  const sig = cryptoSign(null, Buffer.from(payloadB64), {
+    key: Buffer.from(serverPrivateKey),
+    format: 'der',
+    type: 'pkcs8',
+  });
+  return payloadB64 + '.' + base64url(sig);
+}
+
+export function decodeToken(token: string, serverPublicKey: Uint8Array): KeyAuthTokenPayload | null {
+  const dotIdx = token.indexOf('.');
+  if (dotIdx < 0) return null;
+  const payloadB64 = token.slice(0, dotIdx);
+  const sigB64 = token.slice(dotIdx + 1);
+  try {
+    const valid = cryptoVerify(null, Buffer.from(payloadB64), {
+      key: Buffer.from(serverPublicKey),
+      format: 'der',
+      type: 'spki',
+    }, fromBase64url(sigB64));
+    if (!valid) return null;
+    return JSON.parse(fromBase64url(payloadB64).toString());
+  } catch {
+    return null;
+  }
+}
+
+// --- Crypto: AES-256-GCM + PBKDF2 ---
+
+const PBKDF2_ITERATIONS = 100_000;
+const PBKDF2_KEYLEN = 32; // 256 bits
+const PBKDF2_DIGEST = 'sha256';
+
+export function encryptPrivateKey(privateKeyDer: Uint8Array, password: string): { encrypted: string; salt: string; iv: string; authTag: string } {
+  const salt = randomBytes(16);
+  const iv = randomBytes(12); // 96-bit for GCM
+  const derivedKey = pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEYLEN, PBKDF2_DIGEST);
+  const cipher = createCipheriv('aes-256-gcm', derivedKey, iv);
+  const encrypted = Buffer.concat([cipher.update(privateKeyDer), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return {
+    encrypted: encrypted.toString('base64'),
+    salt: salt.toString('base64'),
+    iv: iv.toString('base64'),
+    authTag: authTag.toString('base64'),
+  };
+}
+
+export function decryptPrivateKey(encrypted: string, salt: string, iv: string, authTag: string, password: string): Uint8Array {
+  const derivedKey = pbkdf2Sync(password, Buffer.from(salt, 'base64'), PBKDF2_ITERATIONS, PBKDF2_KEYLEN, PBKDF2_DIGEST);
+  const decipher = createDecipheriv('aes-256-gcm', derivedKey, Buffer.from(iv, 'base64'));
+  decipher.setAuthTag(Buffer.from(authTag, 'base64'));
+  const decrypted = Buffer.concat([decipher.update(Buffer.from(encrypted, 'base64')), decipher.final()]);
+  return new Uint8Array(decrypted);
+}
+
+// --- Ed25519 key generation ---
+
+export function generateEd25519KeyPair(): { publicKey: Uint8Array; privateKey: Uint8Array; publicKeyBase64: string } {
+  const { publicKey, privateKey } = generateKeyPairSync('ed25519', {
+    publicKeyEncoding: { type: 'spki', format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+  });
+  return {
+    publicKey: new Uint8Array(publicKey),
+    privateKey: new Uint8Array(privateKey),
+    publicKeyBase64: Buffer.from(publicKey).toString('base64'),
+  };
+}
+
+export function signData(data: Buffer, privateKeyDer: Uint8Array): Buffer {
+  return cryptoSign(null, data, {
+    key: Buffer.from(privateKeyDer),
+    format: 'der',
+    type: 'pkcs8',
+  });
+}
+
+export function verifySignature(data: Buffer, signature: Buffer, publicKeyDer: Uint8Array): boolean {
+  try {
+    return cryptoVerify(null, data, {
+      key: Buffer.from(publicKeyDer),
+      format: 'der',
+      type: 'spki',
+    }, signature);
+  } catch {
+    return false;
+  }
+}

package/src/shared/protocol.ts

@@ -38,7 +38,34 @@ export type ClientMessage =
   | { id: string; op: 'vfs-list'; path: string }
   | { id: string; op: 'vfs-delete'; path: string }
   | { id: string; op: 'vfs-mkdir'; path: string }
-  | { id: string; op: 'vfs-move'; path: string; dst: string };
+  | { id: string; op: 'vfs-move'; path: string; dst: string }
+  // KeyAuth ops
+  | { id: string; op: 'auth-challenge' }
+  | { id: string; op: 'auth-verify'; publicKey: string; signature: string; nonce: string }
+  | { id: string; op: 'auth-link-device'; accountFingerprint: string; password: string; devicePublicKey: string; deviceName?: string }
+  | { id: string; op: 'auth-change-password'; fingerprint: string; oldPassword: string; newPassword: string }
+  | { id: string; op: 'auth-create-account'; password: string; roles?: string[]; displayName?: string }
+  | { id: string; op: 'auth-register-device'; publicKey: string; displayName?: string }
+  | { id: string; op: 'auth-revoke-session'; sid: string }
+  | { id: string; op: 'auth-revoke-device'; accountFingerprint: string; deviceFingerprint: string }
+  | { id: string; op: 'auth-create-role'; role: { id: string; name: string; permissions: Array<{ path: string; read?: boolean; write?: boolean }> } }
+  | { id: string; op: 'auth-delete-role'; roleId: string }
+  | { id: string; op: 'auth-update-roles'; accountFingerprint: string; roles: string[] }
+  | { id: string; op: 'auth-list-accounts' }
+  | { id: string; op: 'auth-list-roles' }
+  | { id: string; op: 'auth-list-devices'; accountFingerprint: string }
+  | { id: string; op: 'auth-list-sessions'; accountFingerprint?: string }
+  | { id: string; op: 'auth-request-approval'; publicKey: string }
+  | { id: string; op: 'auth-approve-device'; requestId: string }
+  | { id: string; op: 'auth-poll-approval'; requestId: string }
+  | { id: string; op: 'auth-has-accounts' }
+  | { id: string; op: 'auth-account-info'; accountFingerprint?: string }
+  | { id: string; op: 'auth-list-account-fingerprints' }
+  // Admin ops
+  | { id: string; op: 'transform'; path: string; type: string; value?: unknown }
+  | { id: string; op: 'set-ttl'; path: string; value: unknown; ttl: number }
+  | { id: string; op: 'sweep' }
+  | { id: string; op: 'get-rules' };
 
 // Server → Client messages
 export type ServerMessage =

package/tests/cached-client.test.ts

@@ -1,26 +1,31 @@
 import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
 import { BodDB } from '../src/server/BodDB.ts';
 import { BodClient, ValueSnapshot } from '../src/client/BodClient.ts';
-import { CachedClient } from '../src/client/CachedClient.ts';
+import { BodClientCached } from '../src/client/BodClientCached.ts';
+import { mkdtempSync, rmSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
 
 let db: BodDB;
 let client: BodClient;
-let cached: CachedClient;
+let cached: BodClientCached;
+const vfsRoot = mkdtempSync(join(tmpdir(), 'boddb-vfs-test-'));
 
 beforeAll(async () => {
-  db = new BodDB({ port: 0 });
+  db = new BodDB({ port: 0, vfs: { storageRoot: vfsRoot } });
   const server = db.serve();
   client = new BodClient({ url: `ws://localhost:${server.port}`, reconnect: false });
   await client.connect();
-  cached = new CachedClient(client, { enabled: true });
+  cached = new BodClientCached(client, { enabled: true });
 });
 
 afterAll(() => {
   client.disconnect();
   db.close();
+  try { rmSync(vfsRoot, { recursive: true }); } catch {}
 });
 
-describe('CachedClient', () => {
+describe('BodClientCached', () => {
   test('get() fetches from network on first call', async () => {
     db.set('cache/test1', { name: 'hello' });
     const val = await cached.get('cache/test1');
@@ -89,7 +94,7 @@ describe('CachedClient', () => {
   });
 
   test('disabled mode is pure passthrough', async () => {
-    const passthrough = new CachedClient(client, { enabled: false });
+    const passthrough = new BodClientCached(client, { enabled: false });
     db.set('cache/pt', 'val');
     const v1 = await passthrough.get('cache/pt');
     expect(v1).toBe('val');
@@ -99,7 +104,7 @@ describe('CachedClient', () => {
   });
 
   test('memory eviction respects maxMemoryEntries', async () => {
-    const small = new CachedClient(client, { maxMemoryEntries: 3 });
+    const small = new BodClientCached(client, { maxMemoryEntries: 3 });
     for (let i = 0; i < 5; i++) {
       db.set(`cache/evict/${i}`, i);
       await small.get(`cache/evict/${i}`);
@@ -141,3 +146,114 @@ describe('CachedClient', () => {
     off();
   });
 });
+
+describe('CachedVFSClient', () => {
+  test('list() caches and returns from memory on second call', async () => {
+    const vfs = cached.vfs();
+    // Upload a file to have something to list
+    await vfs.upload('vfs-test/a.txt', new TextEncoder().encode('hello'), 'text/plain');
+
+    const list1 = await vfs.list('vfs-test');
+    expect(list1.length).toBeGreaterThan(0);
+
+    // Second call returns from cache (stale-while-revalidate)
+    const list2 = await vfs.list('vfs-test');
+    expect(list2).toEqual(list1);
+  });
+
+  test('stat() caches and returns from memory on second call', async () => {
+    const vfs = cached.vfs();
+    const stat1 = await vfs.stat('vfs-test/a.txt');
+    expect(stat1).not.toBeNull();
+    expect(stat1!.name).toBe('a.txt');
+
+    const stat2 = await vfs.stat('vfs-test/a.txt');
+    expect(stat2).toEqual(stat1);
+  });
+
+  test('delete() invalidates stat + parent list cache', async () => {
+    const vfs = cached.vfs();
+    await vfs.upload('vfs-test/del.txt', new TextEncoder().encode('bye'), 'text/plain');
+
+    // Prime caches
+    await vfs.stat('vfs-test/del.txt');
+    await vfs.list('vfs-test');
+
+    await vfs.delete('vfs-test/del.txt');
+
+    // stat cache should be invalidated — fresh fetch returns null
+    const stat = await vfs.stat('vfs-test/del.txt');
+    expect(stat).toBeNull();
+  });
+
+  test('move() invalidates both src and dst dirs', async () => {
+    const vfs = cached.vfs();
+    await vfs.upload('vfs-test/mv-src.txt', new TextEncoder().encode('data'), 'text/plain');
+    await vfs.mkdir('vfs-test/subdir');
+
+    // Prime list caches
+    await vfs.list('vfs-test');
+    await vfs.list('vfs-test/subdir');
+
+    await vfs.move('vfs-test/mv-src.txt', 'vfs-test/subdir/mv-dst.txt');
+
+    // Fresh list should reflect the move
+    const rootList = await vfs.list('vfs-test');
+    const names = rootList.map(s => s.name);
+    expect(names).not.toContain('mv-src.txt');
+
+    const subList = await vfs.list('vfs-test/subdir');
+    const subNames = subList.map(s => s.name);
+    expect(subNames).toContain('mv-dst.txt');
+  });
+
+  test('mkdir() invalidates parent list and own list cache', async () => {
+    const vfs = cached.vfs();
+    // Prime parent list cache
+    await vfs.list('vfs-test');
+
+    await vfs.mkdir('vfs-test/newdir');
+
+    // Parent list should be invalidated — fresh fetch includes newdir
+    const parentList = await vfs.list('vfs-test');
+    expect(parentList.map(s => s.name)).toContain('newdir');
+
+    // The dir's own list cache should also be cleared (was stale empty)
+    const dirList = await vfs.list('vfs-test/newdir');
+    expect(dirList).toEqual([]);
+  });
+
+  test('stats tracks hits, misses and invalidations', async () => {
+    const fresh = new BodClientCached(client, { enabled: true });
+    const vfs = fresh.vfs();
+
+    await vfs.upload('vfs-stats/f.txt', new TextEncoder().encode('x'), 'text/plain');
+    await vfs.list('vfs-stats'); // miss
+    await vfs.list('vfs-stats'); // hit
+
+    const s = vfs.stats;
+    expect(s.misses).toBeGreaterThanOrEqual(1);
+    expect(s.hits).toBeGreaterThanOrEqual(1);
+    expect(s.hitRate).not.toBe('n/a');
+    expect(s.invalidations).toBeGreaterThanOrEqual(1); // from upload
+    fresh.close();
+  });
+
+  test('server-side _vfs event invalidates list cache', async () => {
+    const vfs = cached.vfs();
+
+    // Prime list cache
+    await vfs.list('vfs-test');
+
+    // Upload via raw client (simulates another device)
+    await client.vfs().upload('vfs-test/remote.txt', new TextEncoder().encode('remote'), 'text/plain');
+
+    // Wait for _vfs event to propagate
+    await new Promise(r => setTimeout(r, 200));
+
+    // List should now show the new file (cache was invalidated by push event)
+    const list = await vfs.list('vfs-test');
+    const names = list.map(s => s.name);
+    expect(names).toContain('remote.txt');
+  });
+});