@drakkar.software/starfish-client 3.0.0-alpha.2 → 3.0.0-alpha.5

package/dist/index.js

@@ -5,6 +5,7 @@ import { buildRevocationList, revocationListCanonicalSigningInput } from "@drakk
 
 // src/client.ts
 import {
+  DEFAULT_ALG,
   signRequest,
   stableStringify
 } from "@drakkar.software/starfish-protocol";
@@ -38,6 +39,7 @@ function encodeCapAuth(cap) {
 }
 var StarfishClient = class {
   baseUrl;
+  namespace;
   capProvider;
   fetch;
   /**
@@ -47,6 +49,7 @@ var StarfishClient = class {
   plugins;
   constructor(options) {
     this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.namespace = options.namespace || void 0;
     this.capProvider = options.capProvider;
     this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);
     this.plugins = options.plugins ? [...options.plugins] : [];
@@ -70,6 +73,20 @@ var StarfishClient = class {
       return "";
     }
   }
+  /**
+   * Rewrite a request path for the configured namespace. A no-op when no
+   * namespace is set; otherwise `/{action}/…` becomes `/v1/{namespace}/{action}/…`
+   * (the `/v1` protocol-version segment is part of the namespaced route, matching
+   * the Python client and the server's namespace mount).
+   *
+   * Applied to the path used for BOTH the signature and the URL so the canonical
+   * path the client signs equals the path the server reconstructs from the URL.
+   * Covers SDK-helper-built paths too — that's the point: a namespace-unaware
+   * helper passing `/push/spaces/x/_keyring` reaches `/v1/{ns}/push/spaces/x/_keyring`.
+   */
+  applyNamespace(path) {
+    return this.namespace ? `/v1/${this.namespace}${path}` : path;
+  }
   /**
    * Build auth headers for a request. When a `capProvider` is set, signs the
    * request with the device's Ed25519 private key and returns the v3 header
@@ -82,19 +99,23 @@ var StarfishClient = class {
    */
   async buildAuthHeaders(method, pathAndQuery, body) {
     if (this.capProvider) {
-      const { cap, devEdPrivHex, pubHex } = await this.capProvider.getCap();
+      const { cap, devEdPrivHex, pubHex, presenterAlg } = await this.capProvider.getCap();
       const req = {
         method,
         pathAndQuery,
         body,
         host: this.signingHost()
       };
-      const { sig, ts, nonce } = await signRequest(req, devEdPrivHex);
+      const signAlg = cap.kind === "audience" ? presenterAlg ?? DEFAULT_ALG : cap.subAlg ?? cap.issAlg;
+      const { alg, sig, ts, nonce } = await signRequest(req, devEdPrivHex, {
+        alg: signAlg
+      });
       const headers = {
         Authorization: `Cap ${encodeCapAuth(cap)}`,
         "X-Starfish-Sig": sig,
         "X-Starfish-Ts": String(ts),
-        "X-Starfish-Nonce": nonce
+        "X-Starfish-Nonce": nonce,
+        "X-Starfish-Alg": alg
       };
       if (pubHex !== void 0) headers["X-Starfish-Pub"] = pubHex;
       return headers;
@@ -102,7 +123,7 @@ var StarfishClient = class {
     return {};
   }
   async pull(path, checkpointOrOptions) {
-    let pathAndQuery = path;
+    let pathAndQuery = this.applyNamespace(path);
     let appendField;
     if (typeof checkpointOrOptions === "number") {
       if (checkpointOrOptions) pathAndQuery += `?checkpoint=${checkpointOrOptions}`;
@@ -161,8 +182,9 @@ var StarfishClient = class {
       data,
       baseHash
     });
-    const authHeaders = await this.buildAuthHeaders("POST", path, body);
-    const res = await this.fetch(`${this.baseUrl}${path}`, {
+    const sendPath = this.applyNamespace(path);
+    const authHeaders = await this.buildAuthHeaders("POST", sendPath, body);
+    const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -200,8 +222,9 @@ var StarfishClient = class {
     const bodyObj = { data };
     if (opts.ts !== void 0) bodyObj["ts"] = opts.ts;
     const body = JSON.stringify(bodyObj);
-    const authHeaders = await this.buildAuthHeaders("POST", path, body);
-    const res = await this.fetch(`${this.baseUrl}${path}`, {
+    const sendPath = this.applyNamespace(path);
+    const authHeaders = await this.buildAuthHeaders("POST", sendPath, body);
+    const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -220,8 +243,9 @@ var StarfishClient = class {
    * Returns raw bytes with the content hash from the ETag header.
    */
   async pullBlob(path) {
-    const authHeaders = await this.buildAuthHeaders("GET", path, void 0);
-    const res = await this.fetch(`${this.baseUrl}${path}`, {
+    const sendPath = this.applyNamespace(path);
+    const authHeaders = await this.buildAuthHeaders("GET", sendPath, void 0);
+    const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "GET",
       headers: { Accept: "*/*", ...authHeaders }
     });
@@ -238,8 +262,9 @@ var StarfishClient = class {
    * Binary collections use last-write-wins (no conflict detection).
    */
   async pushBlob(path, data, contentType) {
-    const authHeaders = await this.buildAuthHeaders("POST", path, void 0);
-    const res = await this.fetch(`${this.baseUrl}${path}`, {
+    const sendPath = this.applyNamespace(path);
+    const authHeaders = await this.buildAuthHeaders("POST", sendPath, void 0);
+    const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "POST",
       headers: {
         "Content-Type": contentType,