@enbox/dwn-server 0.1.1 → 0.1.3

package/src/connection/socket-connection.ts

@@ -38,22 +38,22 @@ export class SocketConnection {
   /** Timestamp when the connection was established (for admin introspection). */
   public readonly connectedAt: number = Date.now();
 
-  private heartbeatInterval: ReturnType<typeof setInterval>;
-  private subscriptions: Map<JsonRpcId, JsonRpcSubscription> = new Map();
-  private flowControllers: Map<JsonRpcId, FlowController> = new Map();
+  private readonly heartbeatInterval: ReturnType<typeof setInterval>;
+  private readonly subscriptions: Map<JsonRpcId, JsonRpcSubscription> = new Map();
+  private readonly flowControllers: Map<JsonRpcId, FlowController> = new Map();
   private isAlive: boolean;
 
   constructor(
-    private socket: ServerWebSocket<WsData>,
-    private dwn: Dwn,
-    private onCloseCallback?: () => void,
-    private maxInFlight: number = DEFAULT_MAX_IN_FLIGHT,
-    private activityLog?: ActivityLog,
-    private adminStore?: AdminStore,
-    private registrationStore?: RegistrationStore,
-    private serverConfig?: DwnServerConfig,
-    private tenantRateLimiter?: RateLimiter,
-    private messageProcessedHooks?: MessageProcessedHook[],
+    private readonly socket: ServerWebSocket<WsData>,
+    private readonly dwn: Dwn,
+    private readonly onCloseCallback?: () => void,
+    private readonly maxInFlight: number = DEFAULT_MAX_IN_FLIGHT,
+    private readonly activityLog?: ActivityLog,
+    private readonly adminStore?: AdminStore,
+    private readonly registrationStore?: RegistrationStore,
+    private readonly serverConfig?: DwnServerConfig,
+    private readonly tenantRateLimiter?: RateLimiter,
+    private readonly messageProcessedHooks?: MessageProcessedHook[],
   ){
     // Bun handles ping/pong automatically at the protocol level, but we still
     // want an application-level heartbeat to detect dead connections.

package/src/delivery-service.ts

@@ -8,6 +8,15 @@ import log from 'loglevel';
 import { createJsonRpcRequest } from '@enbox/dwn-clients';
 import { DwnInterfaceName, DwnMethodName, getRuleSetAtPath, Message } from '@enbox/dwn-sdk-js';
 
+/** Strips trailing `/` characters without regex (avoids ReDoS scanners). */
+function stripTrailingSlashes(value: string): string {
+  let end = value.length;
+  while (end > 0 && value.codePointAt(end - 1) === 47) { // 47 === '/'
+    end--;
+  }
+  return end === value.length ? value : value.slice(0, end);
+}
+
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
@@ -77,7 +86,7 @@ export class DeliveryService implements MessageProcessedHook {
     this.#dwn = dwn;
     this.#didResolver = didResolver;
     this.#config = config;
-    this.#selfBaseUrl = config.baseUrl.replace(/\/+$/, '');
+    this.#selfBaseUrl = stripTrailingSlashes(config.baseUrl);
   }
 
   /**
@@ -224,7 +233,7 @@ export class DeliveryService implements MessageProcessedHook {
     }
 
     const ruleSet = getRuleSetAtPath(descriptor.protocolPath, protocolDefinition.structure);
-    if (!ruleSet || !ruleSet.$delivery) {
+    if (!ruleSet?.$delivery) {
       return;
     }
 
@@ -536,17 +545,17 @@ export class DeliveryService implements MessageProcessedHook {
       const epValue = service.serviceEndpoint;
 
       if (typeof epValue === 'string') {
-        endpoints.push({ url: epValue.replace(/\/+$/, ''), isFull: true });
+        endpoints.push({ url: stripTrailingSlashes(epValue), isFull: true });
       } else if (Array.isArray(epValue)) {
         for (const entry of epValue) {
           if (typeof entry === 'string') {
-            endpoints.push({ url: entry.replace(/\/+$/, ''), isFull: true });
+            endpoints.push({ url: stripTrailingSlashes(entry), isFull: true });
           } else if (entry && typeof entry === 'object') {
             // Map entry: { url: "...", dataRetention?: "full" | "cache" }
             const mapEntry = entry as { url?: string; dataRetention?: string };
             if (typeof mapEntry.url === 'string') {
               endpoints.push({
-                url    : mapEntry.url.replace(/\/+$/, ''),
+                url    : stripTrailingSlashes(mapEntry.url),
                 isFull : mapEntry.dataRetention !== 'cache',
               });
             }
@@ -559,7 +568,7 @@ export class DeliveryService implements MessageProcessedHook {
           if (Array.isArray(nodes)) {
             for (const node of nodes) {
               if (typeof node === 'string') {
-                endpoints.push({ url: node.replace(/\/+$/, ''), isFull: true });
+                endpoints.push({ url: stripTrailingSlashes(node), isFull: true });
               }
             }
           }
@@ -569,7 +578,7 @@ export class DeliveryService implements MessageProcessedHook {
           const mapEntry = epValue as { url?: string; dataRetention?: string };
           if (typeof mapEntry.url === 'string') {
             endpoints.push({
-              url    : mapEntry.url.replace(/\/+$/, ''),
+              url    : stripTrailingSlashes(mapEntry.url),
               isFull : mapEntry.dataRetention !== 'cache',
             });
           }

package/src/dwn-server.ts

@@ -101,9 +101,9 @@ export class DwnServer {
   #auditLog: AuditLog | undefined;
   #passkeyStore: AdminPasskeyStore | undefined;
   #sessionManager: AdminSessionManager | undefined;
-  #externalHooks: MessageProcessedHook[];
-  #externalRegistrationManager: RegistrationManager | undefined;
-  #externalOpenAuthHandler: OpenAuthHandler | undefined;
+  readonly #externalHooks: MessageProcessedHook[];
+  readonly #externalRegistrationManager: RegistrationManager | undefined;
+  readonly #externalOpenAuthHandler: OpenAuthHandler | undefined;
 
   /**
    * @param options.dwn - Dwn instance to use as an override.

package/src/http-api.ts

@@ -800,11 +800,11 @@ export class HttpApi {
         return Response.json({ success: true }, { status: 200 });
       } catch (error) {
         const dwnServerError = error as DwnServerError;
-        if (dwnServerError.code !== undefined) {
-          return Response.json(dwnServerError, { status: 400 });
-        } else {
+        if (dwnServerError.code === undefined) {
           log.info('Error handling registration request:', error);
           return Response.json({ success: false }, { status: 500 });
+        } else {
+          return Response.json(dwnServerError, { status: 400 });
         }
       }
     }
@@ -850,18 +850,18 @@ export class HttpApi {
         log.info(`Retrieving Connect Request object of ID: ${requestId}...`);
 
         const requestObjectJwt = await this.connectServer.getConnectRequest(requestId);
-        if (!requestObjectJwt) {
-          return Response.json({
-            ok     : false,
-            status : { code: 404, message: 'Not Found' },
-          }, { status: 404 });
-        } else {
+        if (requestObjectJwt) {
           const body = typeof requestObjectJwt === 'string'
             ? requestObjectJwt
             : JSON.stringify(requestObjectJwt);
           return new Response(body, {
             headers: { 'content-type': 'application/jwt' },
           });
+        } else {
+          return Response.json({
+            ok     : false,
+            status : { code: 404, message: 'Not Found' },
+          }, { status: 404 });
         }
       }
     }
@@ -869,9 +869,24 @@ export class HttpApi {
     // POST /connect/callback
     if (method === 'POST' && path === '/connect/callback') {
       log.info('Storing Identity Provider (wallet) pushed response with ID token...');
-      const body = await req.json();
-      const idToken = body.id_token;
-      const state = body.state;
+
+      // The agent's submitConnectResponse sends application/x-www-form-urlencoded
+      // but the server was previously parsing as JSON, causing a 500 error.
+      // Support both content types for robustness.
+      const contentType = req.headers.get('content-type') ?? '';
+      let idToken: string | undefined;
+      let state: string | undefined;
+
+      if (contentType.includes('application/x-www-form-urlencoded')) {
+        const text = await req.text();
+        const params = new URLSearchParams(text);
+        idToken = params.get('id_token') ?? undefined;
+        state = params.get('state') ?? undefined;
+      } else {
+        const body = await req.json();
+        idToken = body.id_token;
+        state = body.state;
+      }
 
       if (idToken !== undefined && state != undefined) {
         await this.connectServer.setConnectResponse(state, idToken);
@@ -895,16 +910,16 @@ export class HttpApi {
         log.info(`Retrieving ID token for state: ${state}...`);
 
         const idToken = await this.connectServer.getConnectResponse(state);
-        if (!idToken) {
-          return Response.json({
-            ok     : false,
-            status : { code: 404, message: 'Not Found' },
-          }, { status: 404 });
-        } else {
+        if (idToken) {
           const body = typeof idToken === 'string' ? idToken : JSON.stringify(idToken);
           return new Response(body, {
             headers: { 'content-type': 'application/jwt' },
           });
+        } else {
+          return Response.json({
+            ok     : false,
+            status : { code: 404, message: 'Not Found' },
+          }, { status: 404 });
         }
       }
     }

package/src/plugins/event-log-nats.ts

@@ -161,13 +161,13 @@ function tenantToSubjectToken(tenant: string): string {
  * Must be a default export with a no-arg constructor.
  */
 export default class NatsEventLog implements EventLog {
-  #config: NatsEventLogConfig;
+  readonly #config: NatsEventLogConfig;
   #nc: NatsConnection | undefined;
   #js: JetStreamClient | undefined;
   #jsm: JetStreamManager | undefined;
 
   /** Active subscription consumers, keyed by consumer name. */
-  #activeConsumers: Map<string, { messages?: ConsumerMessages; stopped: boolean }> = new Map();
+  readonly #activeConsumers: Map<string, { messages?: ConsumerMessages; stopped: boolean }> = new Map();
 
   /**
    * Epoch for this EventLog instance. Stable as long as the JetStream stream exists.
@@ -252,13 +252,13 @@ export default class NatsEventLog implements EventLog {
     let reason: ProgressGapReason;
     if (cursor.streamId !== expectedStreamId) {
       reason = 'stream_mismatch';
-    } else if (cursor.epoch !== this.#epoch) {
-      reason = 'epoch_mismatch';
-    } else {
+    } else if (cursor.epoch === this.#epoch) {
       // Check if position is within replay bounds using BigInt
       // for safe handling of NATS sequences beyond Number.MAX_SAFE_INTEGER.
       const bounds = await this.getReplayBounds(tenant);
-      if (bounds !== undefined) {
+      if (bounds === undefined) {
+        return; // No events — vacuously valid.
+      } else {
         const cursorSeq = BigInt(cursor.position);
         const oldestSeq = BigInt(bounds.oldest.position);
         if (cursorSeq < oldestSeq - 1n) {
@@ -266,9 +266,9 @@ export default class NatsEventLog implements EventLog {
         } else {
           return; // Valid.
         }
-      } else {
-        return; // No events — vacuously valid.
       }
+    } else {
+      reason = 'epoch_mismatch';
     }
 
     const bounds = await this.getReplayBounds(tenant);
@@ -315,11 +315,11 @@ export default class NatsEventLog implements EventLog {
       ack_policy     : AckPolicy.None, // ordered consumers use AckNone
     };
 
-    if (cursor !== undefined) {
+    if (cursor === undefined) {
+      consumerOpts.deliver_policy = DeliverPolicy.All;
+    } else {
       consumerOpts.deliver_policy = DeliverPolicy.StartSequence;
       consumerOpts.opt_start_seq = Number(cursor.position) + 1;
-    } else {
-      consumerOpts.deliver_policy = DeliverPolicy.All;
     }
 
     const consumer = await this.#jsm!.consumers.add(this.#config.streamName, consumerOpts);
@@ -405,11 +405,11 @@ export default class NatsEventLog implements EventLog {
       inactive_threshold : 60_000_000_000, // 60 seconds in nanos
     };
 
-    if (cursor !== undefined) {
+    if (cursor === undefined) {
+      consumerOpts.deliver_policy = DeliverPolicy.New;
+    } else {
       consumerOpts.deliver_policy = DeliverPolicy.StartSequence;
       consumerOpts.opt_start_seq = Number(cursor.position) + 1;
-    } else {
-      consumerOpts.deliver_policy = DeliverPolicy.New;
     }
 
     await this.#jsm!.consumers.add(this.#config.streamName, consumerOpts);

package/src/rate-limiter.ts

@@ -25,7 +25,7 @@ type Bucket = {
 export class RateLimiter {
   #refillRate: number;
   #maxTokens: number;
-  #buckets: Map<string, Bucket> = new Map();
+  readonly #buckets: Map<string, Bucket> = new Map();
   #cleanupInterval: ReturnType<typeof setInterval> | undefined;
 
   /** Stale buckets older than 5 minutes are purged. */

package/src/registration/jwt-provider-auth-plugin.ts

@@ -36,9 +36,9 @@ export type JwtProviderAuthPluginOptions = {
  * {@link ProviderAuthPlugin} instead.
  */
 export class JwtProviderAuthPlugin implements ProviderAuthPlugin {
-  #getKey: Uint8Array | jose.JWTVerifyGetKey;
-  #issuer: string | undefined;
-  #audience: string | undefined;
+  readonly #getKey: Uint8Array | jose.JWTVerifyGetKey;
+  readonly #issuer: string | undefined;
+  readonly #audience: string | undefined;
 
   private constructor(
     getKey: Uint8Array | jose.JWTVerifyGetKey,

package/src/registration/open-auth-handler.ts

@@ -28,14 +28,14 @@ const MAX_PENDING_CODES = 10_000;
 const CLEANUP_INTERVAL_MS = 60_000;
 
 export class OpenAuthHandler {
-  #secret: Uint8Array;
-  #issuer: string;
+  readonly #secret: Uint8Array;
+  readonly #issuer: string;
   /** Pending authorization codes. Maps code → { redirectUri, expiresAt }. */
-  #pendingCodes: Map<string, { redirectUri: string; expiresAt: number }>;
+  readonly #pendingCodes: Map<string, { redirectUri: string; expiresAt: number }>;
   /** Registration token TTL in seconds. Default: 1 year. */
-  #tokenTtlSeconds: number;
+  readonly #tokenTtlSeconds: number;
   /** Periodic cleanup timer for expired codes. */
-  #cleanupTimer: ReturnType<typeof setInterval>;
+  readonly #cleanupTimer: ReturnType<typeof setInterval>;
 
   private constructor(secret: Uint8Array, issuer: string, tokenTtlSeconds: number) {
     this.#secret = secret;

package/src/registration/proof-of-work-manager.ts

@@ -20,14 +20,14 @@ export class ProofOfWorkManager {
 
   // There is opportunity to improve implementation here.
   // TODO: https://github.com/enboxorg/enbox/issues/101
-  private proofOfWorkOfLastMinute: Map<string, number> = new Map(); // proofOfWorkId -> timestamp of proof-of-work
+  private readonly proofOfWorkOfLastMinute: Map<string, number> = new Map(); // proofOfWorkId -> timestamp of proof-of-work
 
   // Seed to generate the challenge nonce from, this allows all DWN instances in a cluster to generate the same challenge.
-  private challengeSeed?: string;
-  private difficultyIncreaseMultiplier: number;
+  private readonly challengeSeed?: string;
+  private readonly difficultyIncreaseMultiplier: number;
   private currentMaximumAllowedHashValueAsBigInt: bigint;
-  private initialMaximumAllowedHashValueAsBigInt: bigint;
-  private desiredSolveCountPerMinute: number;
+  private readonly initialMaximumAllowedHashValueAsBigInt: bigint;
+  private readonly desiredSolveCountPerMinute: number;
 
   /**
    * How often the challenge nonce is refreshed.
@@ -183,17 +183,19 @@ export class ProofOfWorkManager {
     } catch (error) {
       console.error(`Encountered error while refreshing challenge nonce: ${error}`);
     } finally {
-      setTimeout(async () => this.periodicallyRefreshChallengeNonce(), this.challengeRefreshFrequencyInSeconds * 1000);
+      setTimeout(() => this.periodicallyRefreshChallengeNonce(), this.challengeRefreshFrequencyInSeconds * 1000);
     }
   }
 
-  private periodicallyRefreshProofOfWorkDifficulty (): void {
+  private async periodicallyRefreshProofOfWorkDifficulty (): Promise<void> {
     try {
-      this.refreshMaximumAllowedHashValue();
+      await this.refreshMaximumAllowedHashValue();
     } catch (error) {
       console.error(`Encountered error while updating proof of work difficulty: ${error}`);
     } finally {
-      setTimeout(async () => this.periodicallyRefreshProofOfWorkDifficulty(), this.difficultyReevaluationFrequencyInSeconds * 1000);
+      setTimeout(() => {
+        void this.periodicallyRefreshProofOfWorkDifficulty();
+      }, this.difficultyReevaluationFrequencyInSeconds * 1000);
     }
   }
 
@@ -208,7 +210,12 @@ export class ProofOfWorkManager {
 
   private refreshChallengeNonce(): void {
     // If challenge seed is supplied, use it to deterministically generate the challenge nonces.
-    if (this.challengeSeed !== undefined) {
+    if (this.challengeSeed === undefined) {
+      const newChallengeNonce = ProofOfWork.generateNonce();
+
+      this.challengeNonces.previousChallengeNonce = this.challengeNonces.currentChallengeNonce;
+      this.challengeNonces.currentChallengeNonce = newChallengeNonce;
+    } else {
       const currentRefreshIntervalId = Math.floor(Date.now() / (this.challengeRefreshFrequencyInSeconds * 1000));
       const previousRefreshIntervalId = currentRefreshIntervalId - 1;
       const nextRefreshIntervalId = currentRefreshIntervalId + 1;
@@ -218,11 +225,6 @@ export class ProofOfWorkManager {
       const nextChallengeNonce = ProofOfWork.hashAsHexString([this.challengeSeed, nextRefreshIntervalId.toString(), this.challengeSeed]);
 
       this.challengeNonces = { previousChallengeNonce, currentChallengeNonce, nextChallengeNonce };
-    } else {
-      const newChallengeNonce = ProofOfWork.generateNonce();
-
-      this.challengeNonces.previousChallengeNonce = this.challengeNonces.currentChallengeNonce;
-      this.challengeNonces.currentChallengeNonce = newChallengeNonce;
     }
   }
 

package/src/registration/registration-manager.ts

@@ -108,13 +108,13 @@ export class RegistrationManager implements TenantGate {
   public async handleRegistrationRequest(registrationRequest: RegistrationRequest): Promise<void> {
     if (registrationRequest.providerAuth?.registrationToken !== undefined) {
       await this.handleProviderAuthRegistration(registrationRequest);
-    } else if (registrationRequest.proofOfWork !== undefined) {
-      await this.handleProofOfWorkRegistration(registrationRequest);
-    } else {
+    } else if (registrationRequest.proofOfWork === undefined) {
       throw new DwnServerError(
         DwnServerErrorCode.RegistrationRequestMissingCredentials,
         'Registration request must include either providerAuth or proofOfWork credentials.',
       );
+    } else {
+      await this.handleProofOfWorkRegistration(registrationRequest);
     }
   }
 
@@ -154,9 +154,9 @@ export class RegistrationManager implements TenantGate {
       termsOfServiceHash : registrationRequest.registrationData.termsOfServiceHash,
       accountId          : validationResult.accountId,
       registrationType   : 'provider-auth',
-      metadata           : validationResult.metadata !== undefined
-        ? JSON.stringify(validationResult.metadata)
-        : undefined,
+      metadata           : validationResult.metadata === undefined
+        ? undefined
+        : JSON.stringify(validationResult.metadata),
     });
   }
 

package/src/registration/registration-store.ts

@@ -12,7 +12,7 @@ export class RegistrationStore {
   private static readonly registeredTenantTableName = 'registeredTenants';
   private static readonly tenantQuotasTableName = 'tenantQuotas';
 
-  private db: Kysely<RegistrationDatabase>;
+  private readonly db: Kysely<RegistrationDatabase>;
 
   private constructor (sqlDialect: Dialect) {
     this.db = new Kysely<RegistrationDatabase>({ dialect: sqlDialect });

package/src/server-migration-runner.ts

@@ -11,7 +11,7 @@ import { Migrator } from 'kysely';
  * dialect, producing the concrete Kysely {@link Migration} objects.
  */
 class ServerMigrationProvider implements MigrationProvider {
-  #dialect: Dialect;
+  readonly #dialect: Dialect;
   #factories: ReadonlyArray<readonly [name: string, factory: ServerMigrationFactory]>;
 
   constructor(

package/src/ws-api.ts

@@ -14,7 +14,7 @@ import { InMemoryConnectionManager } from './connection/connection-manager.js';
 
 export class WsApi {
   dwn: Dwn;
-  #connectionManager: ConnectionManager;
+  readonly #connectionManager: ConnectionManager;
 
   constructor(
     httpApi: HttpApi, dwn: Dwn, connectionManager?: ConnectionManager,