@dxos/client-services 0.7.4 → 0.7.5-labs.071a3e2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dxos/client-services",
-  "version": "0.7.4",
+  "version": "0.7.5-labs.071a3e2",
   "description": "DXOS client services implementation",
   "homepage": "https://dxos.org",
   "bugs": "https://github.com/dxos/dxos/issues",
@@ -42,48 +42,48 @@
   "dependencies": {
     "cbor-x": "^1.5.4",
     "platform": "^1.3.6",
-    "@dxos/async": "0.7.4",
-    "@dxos/client-protocol": "0.7.4",
-    "@dxos/automerge": "0.7.4",
-    "@dxos/codec-protobuf": "0.7.4",
-    "@dxos/context": "0.7.4",
-    "@dxos/config": "0.7.4",
-    "@dxos/credentials": "0.7.4",
-    "@dxos/debug": "0.7.4",
-    "@dxos/crypto": "0.7.4",
-    "@dxos/echo-db": "0.7.4",
-    "@dxos/echo-pipeline": "0.7.4",
-    "@dxos/echo-schema": "0.7.4",
-    "@dxos/edge-client": "0.7.4",
-    "@dxos/echo-protocol": "0.7.4",
-    "@dxos/indexing": "0.7.4",
-    "@dxos/invariant": "0.7.4",
-    "@dxos/keyring": "0.7.4",
-    "@dxos/feed-store": "0.7.4",
-    "@dxos/kv-store": "0.7.4",
-    "@dxos/keys": "0.7.4",
-    "@dxos/lock-file": "0.7.4",
-    "@dxos/log": "0.7.4",
-    "@dxos/network-manager": "0.7.4",
-    "@dxos/node-std": "0.7.4",
-    "@dxos/protocols": "0.7.4",
-    "@dxos/messaging": "0.7.4",
-    "@dxos/rpc": "0.7.4",
-    "@dxos/random-access-storage": "0.7.4",
-    "@dxos/teleport": "0.7.4",
-    "@dxos/teleport-extension-gossip": "0.7.4",
-    "@dxos/teleport-extension-object-sync": "0.7.4",
-    "@dxos/tracing": "0.7.4",
-    "@dxos/timeframe": "0.7.4",
-    "@dxos/websocket-rpc": "0.7.4",
-    "@dxos/util": "0.7.4"
+    "@dxos/async": "0.7.5-labs.071a3e2",
+    "@dxos/automerge": "0.7.5-labs.071a3e2",
+    "@dxos/client-protocol": "0.7.5-labs.071a3e2",
+    "@dxos/codec-protobuf": "0.7.5-labs.071a3e2",
+    "@dxos/config": "0.7.5-labs.071a3e2",
+    "@dxos/context": "0.7.5-labs.071a3e2",
+    "@dxos/credentials": "0.7.5-labs.071a3e2",
+    "@dxos/debug": "0.7.5-labs.071a3e2",
+    "@dxos/crypto": "0.7.5-labs.071a3e2",
+    "@dxos/echo-db": "0.7.5-labs.071a3e2",
+    "@dxos/echo-pipeline": "0.7.5-labs.071a3e2",
+    "@dxos/echo-protocol": "0.7.5-labs.071a3e2",
+    "@dxos/echo-schema": "0.7.5-labs.071a3e2",
+    "@dxos/edge-client": "0.7.5-labs.071a3e2",
+    "@dxos/feed-store": "0.7.5-labs.071a3e2",
+    "@dxos/invariant": "0.7.5-labs.071a3e2",
+    "@dxos/keyring": "0.7.5-labs.071a3e2",
+    "@dxos/indexing": "0.7.5-labs.071a3e2",
+    "@dxos/keys": "0.7.5-labs.071a3e2",
+    "@dxos/kv-store": "0.7.5-labs.071a3e2",
+    "@dxos/lock-file": "0.7.5-labs.071a3e2",
+    "@dxos/log": "0.7.5-labs.071a3e2",
+    "@dxos/messaging": "0.7.5-labs.071a3e2",
+    "@dxos/node-std": "0.7.5-labs.071a3e2",
+    "@dxos/protocols": "0.7.5-labs.071a3e2",
+    "@dxos/network-manager": "0.7.5-labs.071a3e2",
+    "@dxos/random-access-storage": "0.7.5-labs.071a3e2",
+    "@dxos/rpc": "0.7.5-labs.071a3e2",
+    "@dxos/teleport": "0.7.5-labs.071a3e2",
+    "@dxos/teleport-extension-gossip": "0.7.5-labs.071a3e2",
+    "@dxos/teleport-extension-object-sync": "0.7.5-labs.071a3e2",
+    "@dxos/timeframe": "0.7.5-labs.071a3e2",
+    "@dxos/util": "0.7.5-labs.071a3e2",
+    "@dxos/tracing": "0.7.5-labs.071a3e2",
+    "@dxos/websocket-rpc": "0.7.5-labs.071a3e2"
   },
   "devDependencies": {
     "@types/platform": "^1.3.4",
     "@types/readable-stream": "^2.3.9",
     "get-port-please": "^3.1.1",
-    "@dxos/signal": "0.7.4",
-    "@dxos/test-utils": "0.7.4"
+    "@dxos/signal": "0.7.5-labs.071a3e2",
+    "@dxos/test-utils": "0.7.5-labs.071a3e2"
   },
   "publishConfig": {
     "access": "public"

package/src/packlets/agents/edge-agent-service.ts

@@ -2,7 +2,7 @@
 // Copyright 2024 DXOS.org
 //
 
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type EdgeConnection } from '@dxos/edge-client';
 import { EdgeAgentStatus } from '@dxos/protocols';
 import {

package/src/packlets/devices/devices-service.ts

@@ -3,7 +3,7 @@
 //
 
 import { EventSubscriptions } from '@dxos/async';
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type EdgeConnection } from '@dxos/edge-client';
 import { invariant } from '@dxos/invariant';
 import {

package/src/packlets/devtools/devtools.ts

@@ -3,7 +3,7 @@
 //
 
 import { Event as AsyncEvent } from '@dxos/async';
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type Config } from '@dxos/config';
 import {
   type ClearSnapshotsRequest,

package/src/packlets/devtools/feeds.ts

@@ -3,7 +3,7 @@
 //
 
 import { EventSubscriptions } from '@dxos/async';
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type SpaceManager } from '@dxos/echo-pipeline';
 import { FeedIterator, type FeedStore, type FeedWrapper } from '@dxos/feed-store';
 import { PublicKey } from '@dxos/keys';

package/src/packlets/devtools/keys.ts

@@ -3,7 +3,7 @@
 //
 
 import { scheduleTask } from '@dxos/async';
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type Keyring } from '@dxos/keyring';
 import { type SubscribeToKeyringKeysResponse } from '@dxos/protocols/proto/dxos/devtools/host';
 

package/src/packlets/devtools/metadata.ts

@@ -2,7 +2,7 @@
 // Copyright 2023 DXOS.org
 //
 
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type SubscribeToMetadataResponse } from '@dxos/protocols/proto/dxos/devtools/host';
 
 import { type ServiceContext } from '../services';

package/src/packlets/devtools/network.ts

@@ -2,7 +2,7 @@
 // Copyright 2020 DXOS.org
 //
 
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { Context } from '@dxos/context';
 import { PublicKey } from '@dxos/keys';
 import { type SignalManager } from '@dxos/messaging';

package/src/packlets/devtools/spaces.ts

@@ -2,7 +2,7 @@
 // Copyright 2020 DXOS.org
 //
 
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type Space } from '@dxos/echo-pipeline';
 import {
   type SubscribeToSpacesRequest,

package/src/packlets/diagnostics/diagnostics.ts

@@ -6,7 +6,7 @@ import { asyncTimeout } from '@dxos/async';
 import { type ClientServices } from '@dxos/client-protocol';
 import { getFirstStreamValue } from '@dxos/codec-protobuf';
 import { type Config, type ConfigProto } from '@dxos/config';
-import { credentialTypeFilter } from '@dxos/credentials';
+import { createDidFromIdentityKey, credentialTypeFilter } from '@dxos/credentials';
 import { invariant } from '@dxos/invariant';
 import { type PublicKey } from '@dxos/keys';
 import { STORAGE_VERSION } from '@dxos/protocols';
@@ -120,6 +120,7 @@ export const createDiagnostics = async (
       if (identity) {
         // Identity.
         diagnostics.identity = {
+          did: identity.did,
           identityKey: identity.identityKey,
           spaceKey: identity.space.key,
           profile: identity.profileDocument,
@@ -179,19 +180,22 @@ const getSpaceStats = async (space: DataSpace): Promise<SpaceStats> => {
         id: credential.id,
       })),
 
-    members: Array.from(space.inner.spaceState.members.values()).map((member) => ({
-      role: member.role,
-      identity: {
-        identityKey: member.key,
-        profile: {
-          displayName: member.assertion.profile?.displayName,
+    members: await Promise.all(
+      Array.from(space.inner.spaceState.members.values()).map(async (member) => ({
+        role: member.role,
+        identity: {
+          did: await createDidFromIdentityKey(member.key),
+          identityKey: member.key,
+          profile: {
+            displayName: member.assertion.profile?.displayName,
+          },
         },
-      },
-      presence:
-        space.presence.getPeersOnline().filter(({ identityKey }) => identityKey.equals(member.key)).length > 0
-          ? SpaceMember.PresenceState.ONLINE
-          : SpaceMember.PresenceState.OFFLINE,
-    })),
+        presence:
+          space.presence.getPeersOnline().filter(({ identityKey }) => identityKey.equals(member.key)).length > 0
+            ? SpaceMember.PresenceState.ONLINE
+            : SpaceMember.PresenceState.OFFLINE,
+      })),
+    ),
 
     pipeline: {
       // TODO(burdon): Pick properties from credentials if needed.

package/src/packlets/identity/contacts-service.ts

@@ -3,7 +3,7 @@
 //
 
 import { EventSubscriptions, scheduleTask, UpdateScheduler } from '@dxos/async';
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { type MemberInfo } from '@dxos/credentials';
 import { type SpaceManager } from '@dxos/echo-pipeline';
 import { PublicKey } from '@dxos/keys';

package/src/packlets/identity/identity-manager.ts

@@ -5,12 +5,7 @@ import platform from 'platform';
 
 import { Event } from '@dxos/async';
 import { Context } from '@dxos/context';
-import {
-  createCredentialSignerWithKey,
-  CredentialGenerator,
-  generateSeedPhrase,
-  keyPairFromSeedPhrase,
-} from '@dxos/credentials';
+import { createCredentialSignerWithKey, createDidFromIdentityKey, CredentialGenerator } from '@dxos/credentials';
 import { type MetadataStore, type SpaceManager, type SwarmIdentity } from '@dxos/echo-pipeline';
 import { type EdgeConnection } from '@dxos/edge-client';
 import { type FeedStore } from '@dxos/feed-store';
@@ -335,29 +330,6 @@ export class IdentityManager {
     };
   }
 
-  async createRecoveryPhrase() {
-    const identity = this._identity;
-    invariant(identity);
-
-    const seedphrase = generateSeedPhrase();
-    const keypair = keyPairFromSeedPhrase(seedphrase);
-    const recoveryKey = PublicKey.from(keypair.publicKey);
-    const identityKey = identity.identityKey;
-    const credential = await identity.getIdentityCredentialSigner().createCredential({
-      subject: identityKey,
-      assertion: {
-        '@type': 'dxos.halo.credentials.IdentityRecovery',
-        recoveryKey,
-        identityKey,
-      },
-    });
-
-    const receipt = await identity.controlPipeline.writer.write({ credential: { credential } });
-    await identity.controlPipeline.state.waitUntilTimeframe(new Timeframe([[receipt.feedKey, receipt.seq]]));
-
-    return { seedphrase };
-  }
-
   private async _constructIdentity(identityRecord: IdentityRecord) {
     invariant(!this._identity);
     log('constructing identity', { identityRecord });
@@ -397,10 +369,12 @@ export class IdentityManager {
     await space.setControlFeed(controlFeed);
     await space.setDataFeed(dataFeed);
 
+    const did = await createDidFromIdentityKey(identityRecord.identityKey);
     const identity: Identity = new Identity({
       space,
       presence,
       signer: this._keyring,
+      did,
       identityKey: identityRecord.identityKey,
       deviceKey: identityRecord.deviceKey,
       edgeConnection: this._edgeConnection,

package/src/packlets/identity/identity-recovery-manager.ts

@@ -9,8 +9,16 @@ import { invariant } from '@dxos/invariant';
 import { type Keyring } from '@dxos/keyring';
 import { PublicKey } from '@dxos/keys';
 import { log } from '@dxos/log';
-import { EdgeAuthChallengeError, type RecoverIdentityRequest, type RecoverIdentityResponseBody } from '@dxos/protocols';
+import {
+  EdgeAuthChallengeError,
+  type RecoverIdentityRequest as EdgeRecoverIdentityRequest,
+  type RecoverIdentityResponseBody,
+} from '@dxos/protocols';
 import { schema } from '@dxos/protocols/proto';
+import {
+  type CreateRecoveryCredentialRequest,
+  type RecoverIdentityRequest,
+} from '@dxos/protocols/proto/dxos/client/services';
 import { Timeframe } from '@dxos/timeframe';
 
 import { type Identity } from './identity';
@@ -24,13 +32,19 @@ export class EdgeIdentityRecoveryManager {
     private readonly _acceptRecoveredIdentity: (params: JoinIdentityParams) => Promise<Identity>,
   ) {}
 
-  public async createRecoveryPhrase() {
+  public async createRecoveryCredential({ recoveryKey, algorithm }: CreateRecoveryCredentialRequest) {
     const identity = this._identityProvider();
     invariant(identity);
 
-    const seedphrase = generateSeedPhrase();
-    const keypair = keyPairFromSeedPhrase(seedphrase);
-    const recoveryKey = PublicKey.from(keypair.publicKey);
+    let recoveryCode: string | undefined;
+    if (!recoveryKey) {
+      recoveryCode = generateSeedPhrase();
+      const keypair = keyPairFromSeedPhrase(recoveryCode);
+      recoveryKey = PublicKey.from(keypair.publicKey);
+      algorithm = -8; // Ed25519
+    }
+
+    invariant(algorithm, 'Algorithm is required.');
     const identityKey = identity.identityKey;
     const credential = await identity.getIdentityCredentialSigner().createCredential({
       subject: identityKey,
@@ -38,23 +52,86 @@ export class EdgeIdentityRecoveryManager {
         '@type': 'dxos.halo.credentials.IdentityRecovery',
         recoveryKey,
         identityKey,
+        algorithm,
       },
     });
 
     const receipt = await identity.controlPipeline.writer.write({ credential: { credential } });
     await identity.controlPipeline.state.waitUntilTimeframe(new Timeframe([[receipt.feedKey, receipt.seq]]));
 
-    return { seedphrase };
+    return { recoveryCode };
+  }
+
+  public async requestRecoveryChallenge() {
+    invariant(this._edgeClient, 'Not connected to EDGE.');
+
+    const deviceKey = await this._keyring.createKey();
+    const controlFeedKey = await this._keyring.createKey();
+    const request: EdgeRecoverIdentityRequest = {
+      deviceKey: deviceKey.toHex(),
+      controlFeedKey: controlFeedKey.toHex(),
+    };
+
+    try {
+      await this._edgeClient.recoverIdentity(request);
+      throw new Error('No challenge received.');
+    } catch (error: any) {
+      if (!(error instanceof EdgeAuthChallengeError)) {
+        throw error;
+      }
+      return {
+        deviceKey,
+        controlFeedKey,
+        challenge: error.challenge,
+      };
+    }
+  }
+
+  public async recoverIdentityWithExternalSignature({
+    identityDid,
+    deviceKey,
+    controlFeedKey,
+    signature,
+    clientDataJson,
+    authenticatorData,
+  }: RecoverIdentityRequest.ExternalSignature) {
+    invariant(this._edgeClient, 'Not connected to EDGE.');
+
+    const request: EdgeRecoverIdentityRequest = {
+      identityDid,
+      deviceKey: deviceKey.toHex(),
+      controlFeedKey: controlFeedKey.toHex(),
+      signature:
+        clientDataJson && authenticatorData
+          ? {
+              signature: Buffer.from(signature).toString('base64'),
+              clientDataJson: Buffer.from(clientDataJson).toString('base64'),
+              authenticatorData: Buffer.from(authenticatorData).toString('base64'),
+            }
+          : Buffer.from(signature).toString('base64'),
+    };
+
+    const response = await this._edgeClient.recoverIdentity(request);
+
+    await this._acceptRecoveredIdentity({
+      authorizedDeviceCredential: decodeCredential(response.deviceAuthCredential),
+      haloGenesisFeedKey: PublicKey.fromHex(response.genesisFeedKey),
+      haloSpaceKey: PublicKey.fromHex(response.haloSpaceKey),
+      identityKey: PublicKey.fromHex(response.identityKey),
+      deviceKey,
+      controlFeedKey,
+      dataFeedKey: await this._keyring.createKey(),
+    });
   }
 
-  public async recoverIdentity(args: { seedphrase: string }) {
+  public async recoverIdentity({ recoveryCode }: { recoveryCode: string }) {
     invariant(this._edgeClient, 'Not connected to EDGE.');
 
-    const recoveryKeypair = keyPairFromSeedPhrase(args.seedphrase);
+    const recoveryKeypair = keyPairFromSeedPhrase(recoveryCode);
     const recoveryKey = PublicKey.from(recoveryKeypair.publicKey);
     const deviceKey = await this._keyring.createKey();
     const controlFeedKey = await this._keyring.createKey();
-    const request: RecoverIdentityRequest = {
+    const request: EdgeRecoverIdentityRequest = {
       recoveryKey: recoveryKey.toHex(),
       deviceKey: deviceKey.toHex(),
       controlFeedKey: controlFeedKey.toHex(),

package/src/packlets/identity/identity-service.ts

@@ -3,7 +3,7 @@
 //
 
 import { Trigger, sleep } from '@dxos/async';
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { Resource } from '@dxos/context';
 import { createCredential, signPresentation } from '@dxos/credentials';
 import { invariant } from '@dxos/invariant';
@@ -11,6 +11,7 @@ import { type Keyring } from '@dxos/keyring';
 import { log } from '@dxos/log';
 import {
   type CreateIdentityRequest,
+  type CreateRecoveryCredentialRequest,
   type Identity as IdentityProto,
   type IdentityService,
   type QueryIdentityResponse,
@@ -76,6 +77,7 @@ export class IdentityServiceImpl extends Resource implements IdentityService {
     }
 
     return {
+      did: this._identityManager.identity.did,
       identityKey: this._identityManager.identity.identityKey,
       spaceKey: this._identityManager.identity.space.key,
       profile: this._identityManager.identity.profileDocument,
@@ -89,12 +91,23 @@ export class IdentityServiceImpl extends Resource implements IdentityService {
     return this._getIdentity()!;
   }
 
-  async createRecoveryPhrase() {
-    return this._recoveryManager.createRecoveryPhrase();
+  async createRecoveryCredential(request: CreateRecoveryCredentialRequest) {
+    return this._recoveryManager.createRecoveryCredential(request);
+  }
+
+  async requestRecoveryChallenge() {
+    return this._recoveryManager.requestRecoveryChallenge();
   }
 
   async recoverIdentity(request: RecoverIdentityRequest): Promise<IdentityProto> {
-    await this._recoveryManager.recoverIdentity(request);
+    if (request.recoveryCode) {
+      await this._recoveryManager.recoverIdentity({ recoveryCode: request.recoveryCode });
+    } else if (request.external) {
+      await this._recoveryManager.recoverIdentityWithExternalSignature(request.external);
+    } else {
+      throw new Error('Invalid request.');
+    }
+
     return this._getIdentity()!;
   }
 

package/src/packlets/identity/identity.test.ts

@@ -5,7 +5,7 @@
 import { onTestFinished, describe, expect, test } from 'vitest';
 
 import { Context } from '@dxos/context';
-import { CredentialGenerator, verifyCredential } from '@dxos/credentials';
+import { createDidFromIdentityKey, CredentialGenerator, verifyCredential } from '@dxos/credentials';
 import {
   createIdFromSpaceKey,
   MetadataStore,
@@ -206,6 +206,7 @@ describe('identity/identity', () => {
 
     const identity = new Identity({
       signer: keyring,
+      did: await createDidFromIdentityKey(identityKey),
       identityKey,
       deviceKey,
       space,

package/src/packlets/identity/identity.ts

@@ -17,7 +17,7 @@ import { type Space } from '@dxos/echo-pipeline';
 import { type EdgeConnection } from '@dxos/edge-client';
 import { writeMessages, type FeedWrapper } from '@dxos/feed-store';
 import { invariant } from '@dxos/invariant';
-import { PublicKey, type SpaceId } from '@dxos/keys';
+import { type IdentityDid, PublicKey, type SpaceId } from '@dxos/keys';
 import { log } from '@dxos/log';
 import { type Runtime } from '@dxos/protocols/proto/dxos/config';
 import { type FeedMessage } from '@dxos/protocols/proto/dxos/echo/feed';
@@ -38,6 +38,7 @@ import { DefaultSpaceStateMachine } from './default-space-state-machine';
 import { EdgeFeedReplicator } from '../spaces';
 
 export type IdentityParams = {
+  did: IdentityDid;
   identityKey: PublicKey;
   deviceKey: PublicKey;
   signer: Signer;
@@ -63,6 +64,7 @@ export class Identity {
 
   public readonly authVerifier: TrustedKeySetAuthVerifier;
 
+  public readonly did: IdentityDid;
   public readonly identityKey: PublicKey;
   public readonly deviceKey: PublicKey;
 
@@ -73,6 +75,7 @@ export class Identity {
     this._signer = params.signer;
     this._presence = params.presence;
 
+    this.did = params.did;
     this.identityKey = params.identityKey;
     this.deviceKey = params.deviceKey;
 

package/src/packlets/invitations/invitations-handler.ts

@@ -3,7 +3,7 @@
 //
 
 import { type PushStream, scheduleTask, TimeoutError, type Trigger } from '@dxos/async';
-import { INVITATION_TIMEOUT } from '@dxos/client-protocol';
+import { INVITATION_TIMEOUT, getExpirationTime } from '@dxos/client-protocol';
 import { type Context, ContextDisposedError } from '@dxos/context';
 import { createKeyPair, sign } from '@dxos/crypto';
 import { type EdgeHttpClient } from '@dxos/edge-client';
@@ -11,7 +11,7 @@ import { invariant } from '@dxos/invariant';
 import { PublicKey } from '@dxos/keys';
 import { log } from '@dxos/log';
 import { createTeleportProtocolFactory, type SwarmNetworkManager, type SwarmConnection } from '@dxos/network-manager';
-import { InvalidInvitationExtensionRoleError, trace } from '@dxos/protocols';
+import { InvalidInvitationError, InvalidInvitationExtensionRoleError, trace } from '@dxos/protocols';
 import { type AdmissionKeypair, Invitation } from '@dxos/protocols/proto/dxos/client/services';
 import { type DeviceProfileDocument } from '@dxos/protocols/proto/dxos/halo/credentials';
 import { AuthenticationResponse, type IntroductionResponse } from '@dxos/protocols/proto/dxos/halo/invitations';
@@ -188,8 +188,9 @@ export class InvitationsHandler {
       return extension;
     };
 
-    if (invitation.lifetime && invitation.created) {
-      if (invitation.created.getTime() + invitation.lifetime * 1000 < Date.now()) {
+    const expiresOn = getExpirationTime(invitation);
+    if (expiresOn) {
+      if (expiresOn.getTime() < Date.now()) {
         log.warn('invitation has already expired');
         guardedState.set(null, Invitation.State.EXPIRED);
         void ctx.dispose().catch((err) => log.catch(err));
@@ -204,7 +205,7 @@ export class InvitationsHandler {
           metrics.increment('dxos.invitation.expired');
           await ctx.dispose();
         },
-        invitation.created.getTime() + invitation.lifetime * 1000 - Date.now(),
+        expiresOn.getTime() - Date.now(),
       );
     }
 
@@ -397,7 +398,7 @@ export class InvitationsHandler {
     edgeInvitationHandler.handle(ctx, guardedState, protocol, deviceProfile);
 
     scheduleTask(ctx, async () => {
-      const error = protocol.checkInvitation(invitation);
+      const error = checkInvitation(protocol, invitation);
       if (error) {
         stream.error(error);
         await ctx.dispose();
@@ -499,6 +500,14 @@ export class InvitationsHandler {
   }
 }
 
+const checkInvitation = (protocol: InvitationProtocol, invitation: Partial<Invitation>) => {
+  const expiresOn = getExpirationTime(invitation);
+  if (expiresOn && expiresOn.getTime() < Date.now()) {
+    return new InvalidInvitationError('Invitation already expired.');
+  }
+  return protocol.checkInvitation(invitation);
+};
+
 export const createAdmissionKeypair = (): AdmissionKeypair => {
   const keypair = createKeyPair();
   return { publicKey: PublicKey.from(keypair.publicKey), privateKey: keypair.secretKey };

package/src/packlets/invitations/invitations-manager.ts

@@ -202,7 +202,7 @@ export class InvitationsManager {
       created = new Date(),
       guestKeypair = undefined,
       role = SpaceMember.Role.ADMIN,
-      lifetime = 86400, // 1 day,
+      lifetime = 86400 * 7, // 7 days,
       multiUse = false,
       ...options
     } = _options ?? {};

package/src/packlets/invitations/invitations-service.ts

@@ -2,7 +2,7 @@
 // Copyright 2022 DXOS.org
 //
 
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import {
   type AuthenticationRequest,
   type AcceptInvitationRequest,

package/src/packlets/invitations/space-invitation-protocol.ts

@@ -28,6 +28,7 @@ import {
 } from '@dxos/protocols/proto/dxos/halo/invitations';
 
 import { type InvitationProtocol } from './invitation-protocol';
+import { computeExpirationTime } from './utils';
 import { type DataSpaceManager, type SigningContext } from '../spaces';
 
 export class SpaceInvitationProtocol implements InvitationProtocol {
@@ -113,9 +114,7 @@ export class SpaceInvitationProtocol implements InvitationProtocol {
         authMethod: invitation.authMethod,
         swarmKey: invitation.swarmKey,
         role: invitation.role ?? SpaceMember.Role.ADMIN,
-        expiresOn: invitation.lifetime
-          ? new Date((invitation.created?.getTime() ?? Date.now()) + invitation.lifetime)
-          : undefined,
+        expiresOn: computeExpirationTime(invitation),
         multiUse: invitation.multiUse ?? false,
         guestKey:
           invitation.authMethod === Invitation.AuthMethod.KNOWN_PUBLIC_KEY

package/src/packlets/invitations/utils.ts

@@ -10,6 +10,13 @@ export const stateToString = (state: Invitation.State): string => {
   return Object.entries(Invitation.State).find(([key, val]) => val === state)?.[0] ?? 'unknown';
 };
 
+export const computeExpirationTime = (invitation: Partial<Invitation>): Date | undefined => {
+  if (!invitation.lifetime) {
+    return;
+  }
+  return new Date((invitation.created?.getTime() ?? Date.now()) + invitation.lifetime * 1000);
+};
+
 export const tryAcquireBeforeContextDisposed = async (ctx: Context, mutex: Mutex): Promise<MutexGuard> => {
   let guard: MutexGuard | undefined;
   return cancelWithContext(

package/src/packlets/logging/logging-service.ts

@@ -3,7 +3,7 @@
 //
 
 import { Event } from '@dxos/async';
-import { Stream } from '@dxos/codec-protobuf';
+import { Stream } from '@dxos/codec-protobuf/stream';
 import { PublicKey } from '@dxos/keys';
 import {
   type LogLevel,