@dxos/client-services 0.4.10-main.3e35a2f → 0.4.10-main.403e461

package/dist/types/src/packlets/invitations/invitations-handler.d.ts

@@ -1,5 +1,5 @@
 import { AuthenticatingInvitation, CancellableInvitation } from '@dxos/client-protocol';
-import { Invitation } from '@dxos/protocols/proto/dxos/client/services';
+import { type AdmissionKeypair, Invitation } from '@dxos/protocols/proto/dxos/client/services';
 import { type DeviceProfileDocument } from '@dxos/protocols/proto/dxos/halo/credentials';
 import { type InvitationProtocol } from './invitation-protocol';
 /**
@@ -33,5 +33,8 @@ export declare class InvitationsHandler {
     private readonly _networkManager;
     createInvitation(protocol: InvitationProtocol, options?: Partial<Invitation>): CancellableInvitation;
     acceptInvitation(protocol: InvitationProtocol, invitation: Invitation, deviceProfile?: DeviceProfileDocument): AuthenticatingInvitation;
+    private _handleGuestOtpAuth;
+    private _handleGuestKpkAuth;
 }
+export declare const createAdmissionKeypair: () => AdmissionKeypair;
 //# sourceMappingURL=invitations-handler.d.ts.map

package/dist/types/src/packlets/invitations/invitations-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"invitations-handler.d.ts","sourceRoot":"","sources":["../../../../../src/packlets/invitations/invitations-handler.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,wBAAwB,EAExB,qBAAqB,EAEtB,MAAM,uBAAuB,CAAC;AAa/B,OAAO,EAAE,UAAU,EAAE,MAAM,4CAA4C,CAAC;AACxE,OAAO,EAAE,KAAK,qBAAqB,EAAE,MAAM,6CAA6C,CAAC;AASzF,OAAO,EAAE,KAAK,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,kBAAkB;IAIjB,OAAO,CAAC,QAAQ,CAAC,eAAe;IAE5C,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,qBAAqB;IA6KpG,gBAAgB,CACd,QAAQ,EAAE,kBAAkB,EAC5B,UAAU,EAAE,UAAU,EACtB,aAAa,CAAC,EAAE,qBAAqB,GACpC,wBAAwB;CAsL5B"}
+{"version":3,"file":"invitations-handler.d.ts","sourceRoot":"","sources":["../../../../../src/packlets/invitations/invitations-handler.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,wBAAwB,EAExB,qBAAqB,EAEtB,MAAM,uBAAuB,CAAC;AAc/B,OAAO,EAAE,KAAK,gBAAgB,EAAE,UAAU,EAAE,MAAM,4CAA4C,CAAC;AAC/F,OAAO,EAAE,KAAK,qBAAqB,EAAE,MAAM,6CAA6C,CAAC;AASzF,OAAO,EAAE,KAAK,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,kBAAkB;IAIjB,OAAO,CAAC,QAAQ,CAAC,eAAe;IAE5C,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,qBAAqB;IAgLpG,gBAAgB,CACd,QAAQ,EAAE,kBAAkB,EAC5B,UAAU,EAAE,UAAU,EACtB,aAAa,CAAC,EAAE,qBAAqB,GACpC,wBAAwB;YA0Kb,mBAAmB;YA6BnB,mBAAmB;CAsBlC;AAED,eAAO,MAAM,sBAAsB,QAAO,gBAGzC,CAAC"}

package/dist/types/src/version.d.ts

@@ -1,2 +1,2 @@
-export declare const DXOS_VERSION = "0.4.10-main.3e35a2f";
+export declare const DXOS_VERSION = "0.4.10-main.403e461";
 //# sourceMappingURL=version.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dxos/client-services",
-  "version": "0.4.10-main.3e35a2f",
+  "version": "0.4.10-main.403e461",
   "description": "DXOS client services implementation",
   "homepage": "https://dxos.org",
   "bugs": "https://github.com/dxos/dxos/issues",
@@ -24,43 +24,43 @@
   "dependencies": {
     "level": "^8.0.1",
     "platform": "^1.3.6",
-    "@dxos/async": "0.4.10-main.3e35a2f",
-    "@dxos/client-protocol": "0.4.10-main.3e35a2f",
-    "@dxos/automerge": "0.4.10-main.3e35a2f",
-    "@dxos/codec-protobuf": "0.4.10-main.3e35a2f",
-    "@dxos/config": "0.4.10-main.3e35a2f",
-    "@dxos/credentials": "0.4.10-main.3e35a2f",
-    "@dxos/context": "0.4.10-main.3e35a2f",
-    "@dxos/crypto": "0.4.10-main.3e35a2f",
-    "@dxos/debug": "0.4.10-main.3e35a2f",
-    "@dxos/echo-db": "0.4.10-main.3e35a2f",
-    "@dxos/echo-pipeline": "0.4.10-main.3e35a2f",
-    "@dxos/echo-schema": "0.4.10-main.3e35a2f",
-    "@dxos/feed-store": "0.4.10-main.3e35a2f",
-    "@dxos/indexing": "0.4.10-main.3e35a2f",
-    "@dxos/keys": "0.4.10-main.3e35a2f",
-    "@dxos/invariant": "0.4.10-main.3e35a2f",
-    "@dxos/lock-file": "0.4.10-main.3e35a2f",
-    "@dxos/keyring": "0.4.10-main.3e35a2f",
-    "@dxos/log": "0.4.10-main.3e35a2f",
-    "@dxos/network-manager": "0.4.10-main.3e35a2f",
-    "@dxos/messaging": "0.4.10-main.3e35a2f",
-    "@dxos/protocols": "0.4.10-main.3e35a2f",
-    "@dxos/node-std": "0.4.10-main.3e35a2f",
-    "@dxos/random-access-storage": "0.4.10-main.3e35a2f",
-    "@dxos/rpc": "0.4.10-main.3e35a2f",
-    "@dxos/teleport": "0.4.10-main.3e35a2f",
-    "@dxos/teleport-extension-gossip": "0.4.10-main.3e35a2f",
-    "@dxos/teleport-extension-object-sync": "0.4.10-main.3e35a2f",
-    "@dxos/timeframe": "0.4.10-main.3e35a2f",
-    "@dxos/tracing": "0.4.10-main.3e35a2f",
-    "@dxos/util": "0.4.10-main.3e35a2f",
-    "@dxos/websocket-rpc": "0.4.10-main.3e35a2f"
+    "@dxos/async": "0.4.10-main.403e461",
+    "@dxos/client-protocol": "0.4.10-main.403e461",
+    "@dxos/automerge": "0.4.10-main.403e461",
+    "@dxos/codec-protobuf": "0.4.10-main.403e461",
+    "@dxos/context": "0.4.10-main.403e461",
+    "@dxos/config": "0.4.10-main.403e461",
+    "@dxos/crypto": "0.4.10-main.403e461",
+    "@dxos/credentials": "0.4.10-main.403e461",
+    "@dxos/debug": "0.4.10-main.403e461",
+    "@dxos/echo-db": "0.4.10-main.403e461",
+    "@dxos/echo-schema": "0.4.10-main.403e461",
+    "@dxos/feed-store": "0.4.10-main.403e461",
+    "@dxos/echo-pipeline": "0.4.10-main.403e461",
+    "@dxos/indexing": "0.4.10-main.403e461",
+    "@dxos/invariant": "0.4.10-main.403e461",
+    "@dxos/keyring": "0.4.10-main.403e461",
+    "@dxos/keys": "0.4.10-main.403e461",
+    "@dxos/lock-file": "0.4.10-main.403e461",
+    "@dxos/log": "0.4.10-main.403e461",
+    "@dxos/messaging": "0.4.10-main.403e461",
+    "@dxos/network-manager": "0.4.10-main.403e461",
+    "@dxos/node-std": "0.4.10-main.403e461",
+    "@dxos/protocols": "0.4.10-main.403e461",
+    "@dxos/random-access-storage": "0.4.10-main.403e461",
+    "@dxos/rpc": "0.4.10-main.403e461",
+    "@dxos/teleport": "0.4.10-main.403e461",
+    "@dxos/teleport-extension-gossip": "0.4.10-main.403e461",
+    "@dxos/teleport-extension-object-sync": "0.4.10-main.403e461",
+    "@dxos/timeframe": "0.4.10-main.403e461",
+    "@dxos/tracing": "0.4.10-main.403e461",
+    "@dxos/websocket-rpc": "0.4.10-main.403e461",
+    "@dxos/util": "0.4.10-main.403e461"
   },
   "devDependencies": {
     "@types/platform": "^1.3.4",
     "@types/readable-stream": "^2.3.9",
-    "@dxos/signal": "0.4.10-main.3e35a2f"
+    "@dxos/signal": "0.4.10-main.403e461"
   },
   "publishConfig": {
     "access": "public"

package/src/packlets/invitations/invitation-extension.ts

@@ -4,6 +4,7 @@
 
 import { Trigger } from '@dxos/async';
 import { cancelWithContext, Context } from '@dxos/context';
+import { randomBytes, verify } from '@dxos/crypto';
 import { invariant } from '@dxos/invariant';
 import { PublicKey } from '@dxos/keys';
 import { log } from '@dxos/log';
@@ -51,6 +52,8 @@ export class InvitationHostExtension extends RpcExtension<
   private _remoteOptions?: Options;
   private _remoteOptionsTrigger = new Trigger();
 
+  private _challenge?: Buffer = undefined;
+
   public invitation?: Invitation = undefined;
 
   public guestProfile?: ProfileDocument = undefined;
@@ -113,13 +116,17 @@ export class InvitationHostExtension extends RpcExtension<
 
           this._callbacks.onStateUpdate({ ...this.invitation, state: Invitation.State.READY_FOR_AUTHENTICATION });
 
+          this._challenge =
+            this.invitation.authMethod === Invitation.AuthMethod.KNOWN_PUBLIC_KEY ? randomBytes(32) : undefined;
+
           log.trace('dxos.sdk.invitation-handler.host.introduce', trace.end({ id: traceId }));
           return {
             authMethod: this.invitation.authMethod,
+            challenge: this._challenge,
           };
         },
 
-        authenticate: async ({ authCode: code }) => {
+        authenticate: async ({ authCode: code, signedChallenge }) => {
           const traceId = PublicKey.random().toHex();
           log.trace('dxos.sdk.invitation-handler.host.authenticate', trace.begin({ id: traceId }));
           log('received authentication request', { authCode: code });
@@ -145,6 +152,26 @@ export class InvitationHostExtension extends RpcExtension<
               break;
             }
 
+            case Invitation.AuthMethod.KNOWN_PUBLIC_KEY: {
+              if (!this.invitation.guestKeypair) {
+                status = AuthenticationResponse.Status.INTERNAL_ERROR;
+                break;
+              }
+              const isSignatureValid =
+                this._challenge &&
+                verify(
+                  this._challenge,
+                  Buffer.from(signedChallenge ?? []),
+                  this.invitation.guestKeypair.publicKey.asBuffer(),
+                );
+              if (isSignatureValid) {
+                this.authenticationPassed = true;
+              } else {
+                status = AuthenticationResponse.Status.INVALID_SIGNATURE;
+              }
+              break;
+            }
+
             default: {
               log.error('invalid authentication method', { authMethod: this.invitation.authMethod });
               status = AuthenticationResponse.Status.INTERNAL_ERROR;

package/src/packlets/invitations/invitations-handler.ts

@@ -11,6 +11,7 @@ import {
 } from '@dxos/client-protocol';
 import { Context } from '@dxos/context';
 import { generatePasscode } from '@dxos/credentials';
+import { createKeyPair, sign } from '@dxos/crypto';
 import { invariant } from '@dxos/invariant';
 import { PublicKey } from '@dxos/keys';
 import { log } from '@dxos/log';
@@ -21,9 +22,9 @@ import {
   type SwarmConnection,
 } from '@dxos/network-manager';
 import { InvalidInvitationExtensionRoleError, trace } from '@dxos/protocols';
-import { Invitation } from '@dxos/protocols/proto/dxos/client/services';
+import { type AdmissionKeypair, Invitation } from '@dxos/protocols/proto/dxos/client/services';
 import { type DeviceProfileDocument } from '@dxos/protocols/proto/dxos/halo/credentials';
-import { AuthenticationResponse } from '@dxos/protocols/proto/dxos/halo/invitations';
+import { AuthenticationResponse, type IntroductionResponse } from '@dxos/protocols/proto/dxos/halo/invitations';
 
 import {
   InvitationGuestExtension,
@@ -74,8 +75,9 @@ export class InvitationsHandler {
       state = Invitation.State.INIT,
       timeout = INVITATION_TIMEOUT,
       swarmKey = PublicKey.random(),
-      persistent = true,
+      persistent = options?.authMethod !== Invitation.AuthMethod.KNOWN_PUBLIC_KEY, // default no not storing keypairs
       created = new Date(),
+      guestKeypair = undefined,
       lifetime = 86400, // 1 day,
       multiUse = false,
     } = options ?? {};
@@ -92,7 +94,9 @@ export class InvitationsHandler {
       swarmKey,
       authCode,
       timeout,
-      persistent: persistent && type !== Invitation.Type.OFFLINE, // offline invitations are persisted in control feed
+      persistent: persistent && type !== Invitation.Type.DELEGATED, // delegated invitations are persisted in control feed
+      guestKeypair:
+        guestKeypair ?? (authMethod === Invitation.AuthMethod.KNOWN_PUBLIC_KEY ? createAdmissionKeypair() : undefined),
       created,
       lifetime,
       multiUse,
@@ -319,26 +323,13 @@ export class InvitationsHandler {
 
               // 2. Get authentication code.
               if (isAuthenticationRequired(invitation)) {
-                for (let attempt = 1; attempt <= MAX_OTP_ATTEMPTS; attempt++) {
-                  log('guest waiting for authentication code...');
-                  setState({ state: Invitation.State.READY_FOR_AUTHENTICATION });
-                  const authCode = await authenticated.wait({ timeout });
-
-                  log('sending authentication request');
-                  setState({ state: Invitation.State.AUTHENTICATING });
-                  const response = await extension.rpc.InvitationHostService.authenticate({ authCode });
-                  if (response.status === undefined || response.status === AuthenticationResponse.Status.OK) {
+                switch (invitation.authMethod) {
+                  case Invitation.AuthMethod.SHARED_SECRET:
+                    await this._handleGuestOtpAuth(extension, setState, authenticated, { timeout });
+                    break;
+                  case Invitation.AuthMethod.KNOWN_PUBLIC_KEY:
+                    await this._handleGuestKpkAuth(extension, setState, invitation, introductionResponse);
                     break;
-                  }
-
-                  if (response.status === AuthenticationResponse.Status.INVALID_OTP) {
-                    if (attempt === MAX_OTP_ATTEMPTS) {
-                      throw new Error(`Maximum retry attempts: ${MAX_OTP_ATTEMPTS}`);
-                    } else {
-                      log('retrying invalid code', { attempt });
-                      authenticated.reset();
-                    }
-                  }
                 }
               }
 
@@ -425,4 +416,61 @@ export class InvitationsHandler {
 
     return observable;
   }
+
+  private async _handleGuestOtpAuth(
+    extension: InvitationGuestExtension,
+    setState: (newState: Partial<Invitation>) => void,
+    authenticated: Trigger<string>,
+    options: { timeout: number },
+  ) {
+    for (let attempt = 1; attempt <= MAX_OTP_ATTEMPTS; attempt++) {
+      log('guest waiting for authentication code...');
+      setState({ state: Invitation.State.READY_FOR_AUTHENTICATION });
+      const authCode = await authenticated.wait(options);
+
+      log('sending authentication request');
+      setState({ state: Invitation.State.AUTHENTICATING });
+      const response = await extension.rpc.InvitationHostService.authenticate({ authCode });
+      if (response.status === undefined || response.status === AuthenticationResponse.Status.OK) {
+        break;
+      }
+
+      if (response.status === AuthenticationResponse.Status.INVALID_OTP) {
+        if (attempt === MAX_OTP_ATTEMPTS) {
+          throw new Error(`Maximum retry attempts: ${MAX_OTP_ATTEMPTS}`);
+        } else {
+          log('retrying invalid code', { attempt });
+          authenticated.reset();
+        }
+      }
+    }
+  }
+
+  private async _handleGuestKpkAuth(
+    extension: InvitationGuestExtension,
+    setState: (newState: Partial<Invitation>) => void,
+    invitation: Invitation,
+    introductionResponse: IntroductionResponse,
+  ) {
+    if (invitation.guestKeypair?.privateKey == null) {
+      throw new Error('keypair missing in the invitation');
+    }
+    if (introductionResponse.challenge == null) {
+      throw new Error('challenge missing in the introduction');
+    }
+    log('sending authentication request');
+    setState({ state: Invitation.State.AUTHENTICATING });
+    const signature = sign(Buffer.from(introductionResponse.challenge), invitation.guestKeypair.privateKey);
+    const response = await extension.rpc.InvitationHostService.authenticate({
+      signedChallenge: signature,
+    });
+    if (response.status !== AuthenticationResponse.Status.OK) {
+      throw new Error(`Authentication failed with code: ${response.status}`);
+    }
+  }
 }
+
+export const createAdmissionKeypair = (): AdmissionKeypair => {
+  const keypair = createKeyPair();
+  return { publicKey: PublicKey.from(keypair.publicKey), privateKey: keypair.secretKey };
+};

package/src/packlets/services/service-host.ts

@@ -15,7 +15,7 @@ import {
   type SpaceDoc,
   type MyLevel,
 } from '@dxos/echo-pipeline';
-import * as E from '@dxos/echo-schema';
+import { getTypeReference } from '@dxos/echo-schema';
 import { IndexServiceImpl } from '@dxos/indexing';
 import { invariant } from '@dxos/invariant';
 import { PublicKey } from '@dxos/keys';
@@ -383,7 +383,7 @@ export class ClientServicesHost {
     // TODO(dmaretskyi): Better API for low-level data access.
     const properties: ObjectStructure = {
       system: {
-        type: encodeReference(E.getTypeReference(Properties)!),
+        type: encodeReference(getTypeReference(Properties)!),
       },
       data: {
         [defaultKey]: identity.identityKey.toHex(),

package/src/version.ts

@@ -1 +1 @@
-export const DXOS_VERSION = "0.4.10-main.3e35a2f";
+export const DXOS_VERSION = "0.4.10-main.403e461";