@dxos/client-services 0.6.13 → 0.6.14-main.69511f5

package/src/packlets/devices/devices-service.test.ts

@@ -2,13 +2,12 @@
 // Copyright 2023 DXOS.org
 //
 
-import { expect } from 'chai';
+import { afterEach, onTestFinished, beforeEach, describe, expect, test } from 'vitest';
 
 import { Trigger } from '@dxos/async';
 import { Context } from '@dxos/context';
 import { log } from '@dxos/log';
 import { type DevicesService, type Device } from '@dxos/protocols/proto/dxos/client/services';
-import { afterEach, afterTest, beforeEach, describe, test } from '@dxos/test';
 
 import { DevicesServiceImpl } from './devices-service';
 import { type ServiceContext } from '../services';
@@ -36,7 +35,7 @@ describe('DevicesService', () => {
       query.subscribe(({ devices }) => {
         result.wake(devices);
       });
-      afterTest(() => query.close());
+      onTestFinished(() => query.close());
       expect(device.profile?.label).to.equal('test-device');
     });
   });
@@ -51,7 +50,7 @@ describe('DevicesService', () => {
         },
         (err) => log.catch(err),
       );
-      afterTest(() => query.close().catch((err) => log.catch(err)));
+      onTestFinished(() => query.close().catch((err) => log.catch(err)));
       expect(await result.wait()).to.be.length(0);
     });
 
@@ -61,7 +60,7 @@ describe('DevicesService', () => {
       query.subscribe(({ devices }) => {
         result.wake(devices);
       });
-      afterTest(() => query.close());
+      onTestFinished(() => query.close());
       expect(await result.wait()).to.be.length(0);
 
       result = new Trigger<Device[] | undefined>();

package/src/packlets/diagnostics/diagnostics-broadcast.ts

@@ -1,6 +1,7 @@
 //
 // Copyright 2024 DXOS.org
 //
+
 import { type SystemService } from '@dxos/protocols/proto/dxos/client/services';
 
 import {

package/src/packlets/identity/{authenticator.test.ts → authenticator.node.test.ts}

@@ -2,14 +2,13 @@
 // Copyright 2022 DXOS.org
 //
 
-import expect from 'expect';
+import { describe, expect, test } from 'vitest';
 
 import { Event } from '@dxos/async';
 import { createCredentialSignerWithKey } from '@dxos/credentials';
 import { invariant } from '@dxos/invariant';
 import { Keyring } from '@dxos/keyring';
 import { PublicKey } from '@dxos/keys';
-import { describe, test } from '@dxos/test';
 import { ComplexSet } from '@dxos/util';
 
 import { createAuthProvider, TrustedKeySetAuthVerifier } from './authenticator';
@@ -30,5 +29,5 @@ describe('identity/authenticator', () => {
     const credential = await authProvider(nonce);
     invariant(credential);
     expect(await authVerifier.verifier(nonce, credential)).toBeTruthy();
-  }).onlyEnvironments('nodejs');
+  });
 });

package/src/packlets/identity/authenticator.ts

@@ -67,7 +67,7 @@ export class TrustedKeySetAuthVerifier {
       }
 
       if (this._isTrustedKey(credential.issuer)) {
-        log('key is not currently in trusted set, waiting...', { key: credential.issuer });
+        log('key is trusted -- auth success', { key: credential.issuer });
         return true;
       }
 
@@ -81,7 +81,10 @@ export class TrustedKeySetAuthVerifier {
           log('auth success', { key: credential.issuer });
           trigger.wake(true);
         } else {
-          log('key is not currently in trusted set, waiting...', { key: credential.issuer });
+          log('key is not currently in trusted set, waiting...', {
+            key: credential.issuer,
+            trusted: [...this._params.trustedKeysProvider()],
+          });
         }
       });
 

package/src/packlets/identity/contacts-service.ts

@@ -5,7 +5,7 @@
 import { EventSubscriptions, scheduleTask, UpdateScheduler } from '@dxos/async';
 import { Stream } from '@dxos/codec-protobuf';
 import { type MemberInfo } from '@dxos/credentials';
-import type { SpaceManager } from '@dxos/echo-pipeline';
+import { type SpaceManager } from '@dxos/echo-pipeline';
 import { PublicKey } from '@dxos/keys';
 import { type Contact, type ContactBook, type ContactsService } from '@dxos/protocols/proto/dxos/client/services';
 import { ComplexMap, ComplexSet } from '@dxos/util';

package/src/packlets/identity/identity-manager.test.ts

@@ -2,7 +2,7 @@
 // Copyright 2022 DXOS.org
 //
 
-import { expect } from 'chai';
+import { describe, expect, test, onTestFinished } from 'vitest';
 
 import { Context } from '@dxos/context';
 import { valueEncoding, MetadataStore, SpaceManager, AuthStatus } from '@dxos/echo-pipeline';
@@ -13,7 +13,6 @@ import { MemoryTransportFactory, SwarmNetworkManager } from '@dxos/network-manag
 import type { FeedMessage } from '@dxos/protocols/proto/dxos/echo/feed';
 import { createStorage, type Storage, StorageType } from '@dxos/random-access-storage';
 import { BlobStore } from '@dxos/teleport-extension-object-sync';
-import { describe, test, afterTest } from '@dxos/test';
 
 import { IdentityManager } from './identity-manager';
 
@@ -39,7 +38,7 @@ describe('identity/identity-manager', () => {
       }),
     });
 
-    afterTest(() => feedStore.close());
+    onTestFinished(() => feedStore.close());
 
     const networkManager = new SwarmNetworkManager({
       signalManager: new MemorySignalManager(signalContext),
@@ -51,9 +50,10 @@ describe('identity/identity-manager', () => {
       blobStore,
       metadataStore,
     });
-    const identityManager = new IdentityManager(metadataStore, keyring, feedStore, spaceManager);
+    const identityManager = new IdentityManager({ metadataStore, keyring, feedStore, spaceManager });
 
     return {
+      networkManager,
       metadataStore,
       identityManager,
       feedStore,
@@ -64,7 +64,7 @@ describe('identity/identity-manager', () => {
   test('creates identity', async () => {
     const { identityManager } = await setupPeer();
     await identityManager.open(new Context());
-    afterTest(() => identityManager.close());
+    onTestFinished(() => identityManager.close());
 
     const identity = await identityManager.createIdentity();
     expect(identity).to.exist;
@@ -95,7 +95,7 @@ describe('identity/identity-manager', () => {
   test('update profile', async () => {
     const { identityManager } = await setupPeer();
     await identityManager.open(new Context());
-    afterTest(() => identityManager.close());
+    onTestFinished(() => identityManager.close());
 
     const identity = await identityManager.createIdentity();
     expect(identity.profileDocument?.displayName).to.be.undefined;
@@ -108,6 +108,11 @@ describe('identity/identity-manager', () => {
 
     const peer1 = await setupPeer({ signalContext });
     const identity1 = await peer1.identityManager.createIdentity();
+    peer1.networkManager.setPeerInfo({
+      peerKey: identity1.deviceKey.toHex(),
+      identityKey: identity1.identityKey.toHex(),
+    });
+    await identity1.joinNetwork();
 
     const peer2 = await setupPeer({ signalContext });
 
@@ -115,28 +120,38 @@ describe('identity/identity-manager', () => {
     const controlFeedKey = await peer2.keyring.createKey();
     const dataFeedKey = await peer2.keyring.createKey();
 
+    const credential = await identity1.getIdentityCredentialSigner().createCredential({
+      subject: deviceKey,
+      assertion: {
+        '@type': 'dxos.halo.credentials.AuthorizedDevice',
+        identityKey: identity1.identityKey,
+        deviceKey,
+      },
+    });
+
     await identity1.controlPipeline.writer.write({
       credential: {
-        credential: await identity1.getIdentityCredentialSigner().createCredential({
-          subject: deviceKey,
-          assertion: {
-            '@type': 'dxos.halo.credentials.AuthorizedDevice',
-            identityKey: identity1.identityKey,
-            deviceKey,
-          },
-        }),
+        credential,
       },
     });
 
-    // Identity2 is not yet ready at this point. Peer1 needs to admit peer2 device key and feed keys.
-    const identity2 = await peer2.identityManager.acceptIdentity({
+    const { identity: identity2, identityRecord } = await peer2.identityManager.prepareIdentity({
       identityKey: identity1.identityKey,
       deviceKey,
       haloSpaceKey: identity1.haloSpaceKey,
       haloGenesisFeedKey: identity1.haloGenesisFeedKey,
       controlFeedKey,
       dataFeedKey,
+      authorizedDeviceCredential: credential,
+    });
+    peer2.networkManager.setPeerInfo({
+      peerKey: identity2.deviceKey.toHex(),
+      identityKey: identity2.identityKey.toHex(),
     });
+    await identity2.joinNetwork();
+
+    // Identity2 is not yet ready at this point. Peer1 needs to admit peer2 device key and feed keys.
+    await peer2.identityManager.acceptIdentity(identity2, identityRecord);
 
     // TODO(dmaretskyi): We'd also need to admit device2's feeds otherwise messages from them won't be processed by the pipeline.
     // This would mean that peer2 has replicated it's device credential chain from peer1 and is ready to issue credentials.

package/src/packlets/identity/identity-manager.ts

@@ -5,8 +5,14 @@ import platform from 'platform';
 
 import { Event } from '@dxos/async';
 import { Context } from '@dxos/context';
-import { createCredentialSignerWithKey, CredentialGenerator } from '@dxos/credentials';
+import {
+  createCredentialSignerWithKey,
+  CredentialGenerator,
+  generateSeedPhrase,
+  keyPairFromSeedPhrase,
+} from '@dxos/credentials';
 import { type MetadataStore, type SpaceManager, type SwarmIdentity } from '@dxos/echo-pipeline';
+import { type EdgeConnection } from '@dxos/edge-client';
 import { type FeedStore } from '@dxos/feed-store';
 import { invariant } from '@dxos/invariant';
 import { type Keyring } from '@dxos/keyring';
@@ -14,6 +20,7 @@ import { PublicKey } from '@dxos/keys';
 import { log } from '@dxos/log';
 import { trace } from '@dxos/protocols';
 import { Device, DeviceKind } from '@dxos/protocols/proto/dxos/client/services';
+import { type Runtime } from '@dxos/protocols/proto/dxos/config';
 import { type FeedMessage } from '@dxos/protocols/proto/dxos/echo/feed';
 import { type IdentityRecord, type SpaceMetadata } from '@dxos/protocols/proto/dxos/echo/metadata';
 import {
@@ -21,6 +28,7 @@ import {
   type DeviceProfileDocument,
   DeviceType,
   type ProfileDocument,
+  type Credential,
 } from '@dxos/protocols/proto/dxos/halo/credentials';
 import { Gossip, Presence } from '@dxos/teleport-extension-gossip';
 import { Timeframe } from '@dxos/timeframe';
@@ -47,6 +55,7 @@ export type JoinIdentityParams = {
   haloGenesisFeedKey: PublicKey;
   controlFeedKey: PublicKey;
   dataFeedKey: PublicKey;
+  authorizedDeviceCredential: Credential;
 
   /**
    * Latest known timeframe for the control pipeline.
@@ -63,7 +72,13 @@ export type CreateIdentityOptions = {
   deviceProfile?: DeviceProfileDocument;
 };
 
-export type IdentityManagerRuntimeParams = {
+export type IdentityManagerParams = {
+  metadataStore: MetadataStore;
+  keyring: Keyring;
+  feedStore: FeedStore<FeedMessage>;
+  spaceManager: SpaceManager;
+  edgeConnection?: EdgeConnection;
+  edgeFeatures?: Runtime.Client.EdgeFeatures;
   devicePresenceAnnounceInterval?: number;
   devicePresenceOfflineTimeout?: number;
 };
@@ -73,28 +88,27 @@ export type IdentityManagerRuntimeParams = {
 export class IdentityManager {
   readonly stateUpdate = new Event();
 
-  private _identity?: Identity;
+  private readonly _metadataStore: MetadataStore;
+  private readonly _keyring: Keyring;
+  private readonly _feedStore: FeedStore<FeedMessage>;
+  private readonly _spaceManager: SpaceManager;
   private readonly _devicePresenceAnnounceInterval: number;
   private readonly _devicePresenceOfflineTimeout: number;
+  private readonly _edgeConnection: EdgeConnection | undefined;
+  private readonly _edgeFeatures: Runtime.Client.EdgeFeatures | undefined;
+
+  private _identity?: Identity;
 
-  // TODO(burdon): IdentityManagerParams.
   // TODO(dmaretskyi): Perhaps this should take/generate the peerKey outside of an initialized identity.
-  constructor(
-    private readonly _metadataStore: MetadataStore,
-    private readonly _keyring: Keyring,
-    private readonly _feedStore: FeedStore<FeedMessage>,
-    private readonly _spaceManager: SpaceManager,
-    params?: IdentityManagerRuntimeParams,
-    private readonly _callbacks?: {
-      onIdentityConstruction?: (identity: Identity) => void;
-    },
-  ) {
-    const {
-      devicePresenceAnnounceInterval = DEVICE_PRESENCE_ANNOUNCE_INTERVAL,
-      devicePresenceOfflineTimeout = DEVICE_PRESENCE_OFFLINE_TIMEOUT,
-    } = params ?? {};
-    this._devicePresenceAnnounceInterval = devicePresenceAnnounceInterval;
-    this._devicePresenceOfflineTimeout = devicePresenceOfflineTimeout;
+  constructor(params: IdentityManagerParams) {
+    this._metadataStore = params.metadataStore;
+    this._keyring = params.keyring;
+    this._feedStore = params.feedStore;
+    this._spaceManager = params.spaceManager;
+    this._edgeConnection = params.edgeConnection;
+    this._edgeFeatures = params.edgeFeatures;
+    this._devicePresenceAnnounceInterval = params.devicePresenceAnnounceInterval ?? DEVICE_PRESENCE_ANNOUNCE_INTERVAL;
+    this._devicePresenceOfflineTimeout = params.devicePresenceOfflineTimeout ?? DEVICE_PRESENCE_OFFLINE_TIMEOUT;
   }
 
   get identity() {
@@ -184,10 +198,6 @@ export class IdentityManager {
       }
     }
 
-    // TODO(burdon): ???
-    // await this._keyring.deleteKey(identityRecord.identity_key);
-    // await this._keyring.deleteKey(identityRecord.halo_space.space_key);
-
     await this._metadataStore.setIdentityRecord(identityRecord);
     this._identity = identity;
     await this._identity.ready();
@@ -202,6 +212,7 @@ export class IdentityManager {
       deviceKey: identity.deviceKey,
       profile: identity.profileDocument,
     });
+
     return identity;
   }
 
@@ -232,9 +243,9 @@ export class IdentityManager {
   }
 
   /**
-   * Accept an existing identity. Expects its device key to be authorized (now or later).
+   * Prepare an identity object as the first step of acceptIdentity flow.
    */
-  async acceptIdentity(params: JoinIdentityParams) {
+  async prepareIdentity(params: JoinIdentityParams) {
     log('accepting identity', { params });
     invariant(!this._identity, 'Identity already exists.');
 
@@ -249,24 +260,33 @@ export class IdentityManager {
         controlTimeframe: params.controlTimeframe,
       },
     };
-
     const identity = await this._constructIdentity(identityRecord);
     await identity.open(new Context());
+    return { identity, identityRecord };
+  }
+
+  /**
+   * Accept an existing identity. Expects its device key to be authorized (now or later).
+   */
+  public async acceptIdentity(identity: Identity, identityRecord: IdentityRecord, profile?: DeviceProfileDocument) {
     this._identity = identity;
-    await this._metadataStore.setIdentityRecord(identityRecord);
+
+    // Identity becomes ready after device chain is replicated. Wait for it before storing the record.
     await this._identity.ready();
+    await this._metadataStore.setIdentityRecord(identityRecord);
+
     log.trace('dxos.halo.identity', {
-      identityKey: identityRecord.identityKey,
+      identityKey: this._identity!.identityKey,
       displayName: this._identity.profileDocument?.displayName,
     });
 
     await this.updateDeviceProfile({
       ...this.createDefaultDeviceProfile(),
-      ...params.deviceProfile,
+      ...profile,
     });
     this.stateUpdate.emit();
+
     log('accepted identity', { identityKey: identity.identityKey, deviceKey: identity.deviceKey });
-    return identity;
   }
 
   /**
@@ -315,6 +335,29 @@ export class IdentityManager {
     };
   }
 
+  async createRecoveryPhrase() {
+    const identity = this._identity;
+    invariant(identity);
+
+    const seedphrase = generateSeedPhrase();
+    const keypair = keyPairFromSeedPhrase(seedphrase);
+    const recoveryKey = PublicKey.from(keypair.publicKey);
+    const identityKey = identity.identityKey;
+    const credential = await identity.getIdentityCredentialSigner().createCredential({
+      subject: identityKey,
+      assertion: {
+        '@type': 'dxos.halo.credentials.IdentityRecovery',
+        recoveryKey,
+        identityKey,
+      },
+    });
+
+    const receipt = await identity.controlPipeline.writer.write({ credential: { credential } });
+    await identity.controlPipeline.state.waitUntilTimeframe(new Timeframe([[receipt.feedKey, receipt.seq]]));
+
+    return { seedphrase };
+  }
+
   private async _constructIdentity(identityRecord: IdentityRecord) {
     invariant(!this._identity);
     log('constructing identity', { identityRecord });
@@ -360,9 +403,10 @@ export class IdentityManager {
       signer: this._keyring,
       identityKey: identityRecord.identityKey,
       deviceKey: identityRecord.deviceKey,
+      edgeConnection: this._edgeConnection,
+      edgeFeatures: this._edgeFeatures,
     });
     log('done', { identityKey: identityRecord.identityKey });
-    this._callbacks?.onIdentityConstruction?.(identity);
 
     // TODO(mykola): Set new timeframe on a write to a feed.
     if (identityRecord.haloSpace.controlTimeframe) {

package/src/packlets/identity/identity-recovery-manager.ts

@@ -0,0 +1,95 @@
+//
+// Copyright 2024 DXOS.org
+//
+
+import { generateSeedPhrase, keyPairFromSeedPhrase } from '@dxos/credentials';
+import { sign } from '@dxos/crypto';
+import { type EdgeHttpClient } from '@dxos/edge-client';
+import { invariant } from '@dxos/invariant';
+import { type Keyring } from '@dxos/keyring';
+import { PublicKey } from '@dxos/keys';
+import { log } from '@dxos/log';
+import { EdgeAuthChallengeError, type RecoverIdentityRequest, type RecoverIdentityResponseBody } from '@dxos/protocols';
+import { schema } from '@dxos/protocols/proto';
+import { Timeframe } from '@dxos/timeframe';
+
+import { type Identity } from './identity';
+import { type JoinIdentityParams } from './identity-manager';
+
+export class EdgeIdentityRecoveryManager {
+  constructor(
+    private readonly _keyring: Keyring,
+    private readonly _edgeClient: EdgeHttpClient | undefined,
+    private readonly _identityProvider: () => Identity | undefined,
+    private readonly _acceptRecoveredIdentity: (params: JoinIdentityParams) => Promise<Identity>,
+  ) {}
+
+  public async createRecoveryPhrase() {
+    const identity = this._identityProvider();
+    invariant(identity);
+
+    const seedphrase = generateSeedPhrase();
+    const keypair = keyPairFromSeedPhrase(seedphrase);
+    const recoveryKey = PublicKey.from(keypair.publicKey);
+    const identityKey = identity.identityKey;
+    const credential = await identity.getIdentityCredentialSigner().createCredential({
+      subject: identityKey,
+      assertion: {
+        '@type': 'dxos.halo.credentials.IdentityRecovery',
+        recoveryKey,
+        identityKey,
+      },
+    });
+
+    const receipt = await identity.controlPipeline.writer.write({ credential: { credential } });
+    await identity.controlPipeline.state.waitUntilTimeframe(new Timeframe([[receipt.feedKey, receipt.seq]]));
+
+    return { seedphrase };
+  }
+
+  public async recoverIdentity(args: { seedphrase: string }) {
+    invariant(this._edgeClient, 'Not connected to EDGE.');
+
+    const recoveryKeypair = keyPairFromSeedPhrase(args.seedphrase);
+    const recoveryKey = PublicKey.from(recoveryKeypair.publicKey);
+    const deviceKey = await this._keyring.createKey();
+    const controlFeedKey = await this._keyring.createKey();
+    const request: RecoverIdentityRequest = {
+      recoveryKey: recoveryKey.toHex(),
+      deviceKey: deviceKey.toHex(),
+      controlFeedKey: controlFeedKey.toHex(),
+    };
+
+    let response: RecoverIdentityResponseBody;
+    try {
+      response = await this._edgeClient.recoverIdentity(request);
+    } catch (error: any) {
+      if (!(error instanceof EdgeAuthChallengeError)) {
+        throw error;
+      }
+      const signature = sign(Buffer.from(error.challenge, 'base64'), recoveryKeypair.secretKey);
+      response = await this._edgeClient.recoverIdentity({
+        ...request,
+        signature: Buffer.from(signature).toString('base64'),
+      });
+    }
+
+    log.info('recovering identity', response);
+
+    await this._acceptRecoveredIdentity({
+      authorizedDeviceCredential: decodeCredential(response.deviceAuthCredential),
+      haloGenesisFeedKey: PublicKey.fromHex(response.genesisFeedKey),
+      haloSpaceKey: PublicKey.fromHex(response.haloSpaceKey),
+      identityKey: PublicKey.fromHex(response.identityKey),
+      deviceKey,
+      controlFeedKey,
+      dataFeedKey: await this._keyring.createKey(),
+    });
+  }
+}
+
+const decodeCredential = (credentialBase64: string) => {
+  const credentialBytes = Buffer.from(credentialBase64, 'base64');
+  const codec = schema.getCodecForType('dxos.halo.credentials.Credential');
+  return codec.decode(credentialBytes);
+};

package/src/packlets/identity/identity-service.test.ts

@@ -2,21 +2,17 @@
 // Copyright 2023 DXOS.org
 //
 
-import chai, { expect } from 'chai';
-import chaiAsPromised from 'chai-as-promised';
+import { afterEach, onTestFinished, beforeEach, describe, expect, test } from 'vitest';
 
 import { Trigger } from '@dxos/async';
 import { Context } from '@dxos/context';
 import { PublicKey } from '@dxos/keys';
 import { type Identity, type IdentityService } from '@dxos/protocols/proto/dxos/client/services';
-import { afterEach, afterTest, beforeEach, describe, test } from '@dxos/test';
 
 import { IdentityServiceImpl } from './identity-service';
 import { type ServiceContext } from '../services';
 import { createServiceContext } from '../testing';
 
-chai.use(chaiAsPromised);
-
 describe('IdentityService', () => {
   let serviceContext: ServiceContext;
   let identityService: IdentityService;
@@ -49,7 +45,7 @@ describe('IdentityService', () => {
 
     test('fails to create identity if one already exists', async () => {
       await identityService.createIdentity({});
-      await expect(identityService.createIdentity({})).to.be.rejectedWith('Identity already exists');
+      await expect(identityService.createIdentity({})).rejects.toThrowError('Identity already exists');
     });
   });
 
@@ -72,7 +68,7 @@ describe('IdentityService', () => {
       query.subscribe(({ identity }) => {
         result.wake(identity);
       });
-      afterTest(() => query.close());
+      onTestFinished(() => query.close());
       expect(await result.wait()).to.be.undefined;
     });
 
@@ -82,7 +78,7 @@ describe('IdentityService', () => {
       query.subscribe(({ identity }) => {
         result.wake(identity);
       });
-      afterTest(() => query.close());
+      onTestFinished(() => query.close());
       expect(await result.wait()).to.be.undefined;
 
       result = new Trigger<Identity | undefined>();
@@ -120,6 +116,7 @@ describe('open', () => {
 const createIdentityService = (serviceContext: ServiceContext) => {
   return new IdentityServiceImpl(
     serviceContext.identityManager,
+    serviceContext.recoveryManager,
     serviceContext.keyring,
     () => serviceContext.dataSpaceManager!,
     (options) => serviceContext.createIdentity(options),

package/src/packlets/identity/identity-service.ts

@@ -6,7 +6,6 @@ import { Trigger, sleep } from '@dxos/async';
 import { Stream } from '@dxos/codec-protobuf';
 import { Resource } from '@dxos/context';
 import { signPresentation } from '@dxos/credentials';
-import { todo } from '@dxos/debug';
 import { invariant } from '@dxos/invariant';
 import { type Keyring } from '@dxos/keyring';
 import { log } from '@dxos/log';
@@ -24,6 +23,7 @@ import { safeAwaitAll } from '@dxos/util';
 
 import { type Identity } from './identity';
 import { type CreateIdentityOptions, type IdentityManager } from './identity-manager';
+import { type EdgeIdentityRecoveryManager } from './identity-recovery-manager';
 import { type DataSpaceManager } from '../spaces';
 
 const DEFAULT_SPACE_SEARCH_TIMEOUT = 10_000;
@@ -31,6 +31,7 @@ const DEFAULT_SPACE_SEARCH_TIMEOUT = 10_000;
 export class IdentityServiceImpl extends Resource implements IdentityService {
   constructor(
     private readonly _identityManager: IdentityManager,
+    private readonly _recoveryManager: EdgeIdentityRecoveryManager,
     private readonly _keyring: Keyring,
     private readonly _dataSpaceManagerProvider: () => DataSpaceManager,
     private readonly _createIdentity: (params: CreateIdentityOptions) => Promise<Identity>,
@@ -60,10 +61,6 @@ export class IdentityServiceImpl extends Resource implements IdentityService {
     await identity.updateDefaultSpace(space.id);
   }
 
-  async recoverIdentity(request: RecoverIdentityRequest): Promise<IdentityProto> {
-    return todo();
-  }
-
   queryIdentity(): Stream<QueryIdentityResponse> {
     return new Stream(({ next }) => {
       const emitNext = () => next({ identity: this._getIdentity() });
@@ -92,6 +89,15 @@ export class IdentityServiceImpl extends Resource implements IdentityService {
     return this._getIdentity()!;
   }
 
+  async createRecoveryPhrase() {
+    return this._recoveryManager.createRecoveryPhrase();
+  }
+
+  async recoverIdentity(request: RecoverIdentityRequest): Promise<IdentityProto> {
+    await this._recoveryManager.recoverIdentity(request);
+    return this._getIdentity()!;
+  }
+
   // TODO(burdon): Rename createPresentation?
   async signPresentation({ presentation, nonce }: SignPresentationRequest): Promise<Presentation> {
     invariant(this._identityManager.identity, 'Identity not initialized.');