@graphprotocol/hypergraph 0.0.1

package/src/identity/auth-storage.ts

@@ -0,0 +1,57 @@
+import type { PrivateAppIdentity } from '../connect/types.js';
+import type { Storage } from './types.js';
+
+export const storeIdentity = (storage: Storage, identity: PrivateAppIdentity) => {
+  storage.setItem('hypergraph:app-identity-address', identity.address);
+  storage.setItem('hypergraph:app-identity-address-private-key', identity.addressPrivateKey);
+  storage.setItem('hypergraph:signature-public-key', identity.signaturePublicKey);
+  storage.setItem('hypergraph:signature-private-key', identity.signaturePrivateKey);
+  storage.setItem('hypergraph:encryption-public-key', identity.encryptionPublicKey);
+  storage.setItem('hypergraph:encryption-private-key', identity.encryptionPrivateKey);
+  storage.setItem('hypergraph:session-token', identity.sessionToken);
+  storage.setItem('hypergraph:session-token-expires', identity.sessionTokenExpires.toISOString());
+};
+
+export const loadIdentity = (storage: Storage): PrivateAppIdentity | null => {
+  const address = storage.getItem('hypergraph:app-identity-address');
+  const addressPrivateKey = storage.getItem('hypergraph:app-identity-address-private-key');
+  const signaturePublicKey = storage.getItem('hypergraph:signature-public-key');
+  const signaturePrivateKey = storage.getItem('hypergraph:signature-private-key');
+  const encryptionPublicKey = storage.getItem('hypergraph:encryption-public-key');
+  const encryptionPrivateKey = storage.getItem('hypergraph:encryption-private-key');
+  const sessionToken = storage.getItem('hypergraph:session-token');
+  const sessionTokenExpires = storage.getItem('hypergraph:session-token-expires');
+  if (
+    !address ||
+    !addressPrivateKey ||
+    !signaturePublicKey ||
+    !signaturePrivateKey ||
+    !encryptionPublicKey ||
+    !encryptionPrivateKey ||
+    !sessionToken ||
+    !sessionTokenExpires
+  ) {
+    return null;
+  }
+  return {
+    address,
+    addressPrivateKey,
+    signaturePublicKey,
+    signaturePrivateKey,
+    encryptionPublicKey,
+    encryptionPrivateKey,
+    sessionToken,
+    sessionTokenExpires: new Date(sessionTokenExpires),
+  };
+};
+
+export const wipeIdentity = (storage: Storage) => {
+  storage.removeItem('hypergraph:app-identity-address');
+  storage.removeItem('hypergraph:app-identity-address-private-key');
+  storage.removeItem('hypergraph:signature-public-key');
+  storage.removeItem('hypergraph:signature-private-key');
+  storage.removeItem('hypergraph:encryption-public-key');
+  storage.removeItem('hypergraph:encryption-private-key');
+  storage.removeItem('hypergraph:session-token');
+  storage.removeItem('hypergraph:session-token-expires');
+};

package/src/identity/get-verified-identity.ts

@@ -0,0 +1,53 @@
+import * as Schema from 'effect/Schema';
+import * as Messages from '../messages/index.js';
+import { store } from '../store.js';
+import { verifyIdentityOwnership } from './prove-ownership.js';
+
+export const getVerifiedIdentity = async (
+  accountAddress: string,
+  syncServerUri: string,
+): Promise<{
+  accountAddress: string;
+  encryptionPublicKey: string;
+  signaturePublicKey: string;
+}> => {
+  const storeState = store.getSnapshot();
+  const identity = storeState.context.identities[accountAddress];
+  if (identity) {
+    return {
+      accountAddress,
+      encryptionPublicKey: identity.encryptionPublicKey,
+      signaturePublicKey: identity.signaturePublicKey,
+    };
+  }
+  const res = await fetch(`${syncServerUri}/identity?accountAddress=${accountAddress}`);
+  if (res.status !== 200) {
+    throw new Error('Failed to fetch identity');
+  }
+  const resDecoded = Schema.decodeUnknownSync(Messages.ResponseIdentity)(await res.json());
+
+  if (
+    !(await verifyIdentityOwnership(
+      resDecoded.accountAddress,
+      resDecoded.signaturePublicKey,
+      resDecoded.accountProof,
+      resDecoded.keyProof,
+    ))
+  ) {
+    throw new Error('Invalid identity');
+  }
+
+  store.send({
+    type: 'addVerifiedIdentity',
+    accountAddress: resDecoded.accountAddress,
+    encryptionPublicKey: resDecoded.encryptionPublicKey,
+    signaturePublicKey: resDecoded.signaturePublicKey,
+    accountProof: resDecoded.accountProof,
+    keyProof: resDecoded.keyProof,
+  });
+  return {
+    accountAddress: resDecoded.accountAddress,
+    encryptionPublicKey: resDecoded.encryptionPublicKey,
+    signaturePublicKey: resDecoded.signaturePublicKey,
+  };
+};

package/src/identity/identity-encryption.ts

@@ -0,0 +1,140 @@
+import { gcm } from '@noble/ciphers/aes';
+import { randomBytes } from '@noble/ciphers/webcrypto';
+import { hkdf } from '@noble/hashes/hkdf';
+import { sha256 } from '@noble/hashes/sha256';
+import type { Hex } from 'viem';
+import { verifyMessage } from 'viem';
+
+import { bytesToHex, canonicalize, hexToBytes } from '../utils/index.js';
+import type { IdentityKeys, Signer } from './types.js';
+
+// Adapted from the XMTP approach to encrypt keys
+// See: https://github.com/xmtp/xmtp-js/blob/8d6e5a65813902926baac8150a648587acbaad92/sdks/js-sdk/src/keystore/providers/NetworkKeyManager.ts#L79-L116
+// (We reimplement their encrypt/decrypt functions using noble).
+
+const hkdfDeriveKey = (secret: Uint8Array, salt: Uint8Array): Uint8Array => {
+  return hkdf(sha256, secret, salt, '', 32);
+};
+
+// This implements the same encryption as  https://github.com/xmtp/xmtp-js/blob/336471de4ea95416ad0f4f9850d3f12bb0a13f1e/sdks/js-sdk/src/encryption/encryption.ts#L18
+// But using @noble/ciphers instead of the WebCrypto API.
+// The XMTP code was audited by Certik: https://skynet.certik.com/projects/xmtp
+//
+// Worth noting that GCM nonce collision would break the encryption,
+// and 12 bytes is not a lot. So this function should not be used to encrypt
+// a large number of messages with the same secret. In our case it should be okay
+// as each secret is only used to encrypt a single identity. If we need
+// something more secure for a larger number of messages we should use a
+// different encryption scheme, e.g. XAES-256-GCM, see https://words.filippo.io/dispatches/xaes-256-gcm/
+const encrypt = (msg: Uint8Array, secret: Uint8Array): string => {
+  const hkdfSalt = randomBytes(32);
+  const gcmNonce = randomBytes(12);
+  const derivedKey = hkdfDeriveKey(secret, hkdfSalt);
+
+  const aes = gcm(derivedKey, gcmNonce);
+
+  const ciphertext = aes.encrypt(msg);
+
+  // TODO: Use Effect Schema and better serialization?
+  const ciphertextJson = canonicalize({
+    aes256GcmHkdfSha256: {
+      payload: bytesToHex(ciphertext),
+      hkdfSalt: bytesToHex(hkdfSalt),
+      gcmNonce: bytesToHex(gcmNonce),
+    },
+  });
+  return bytesToHex(new TextEncoder().encode(ciphertextJson));
+};
+
+// This implements the same decryption as  https://github.com/xmtp/xmtp-js/blob/336471de4ea95416ad0f4f9850d3f12bb0a13f1e/sdks/js-sdk/src/encryption/encryption.ts#L41
+// But using @noble/ciphers instead of the WebCrypto API
+// The XMTP code was audited by Certik: https://skynet.certik.com/projects/xmtp
+const decrypt = (ciphertext: string, secret: Uint8Array): Uint8Array => {
+  const ciphertextJson = new TextDecoder().decode(hexToBytes(ciphertext));
+  const { aes256GcmHkdfSha256 } = JSON.parse(ciphertextJson);
+  const hkdfSalt = hexToBytes(aes256GcmHkdfSha256.hkdfSalt);
+  const gcmNonce = hexToBytes(aes256GcmHkdfSha256.gcmNonce);
+  const derivedKey = hkdfDeriveKey(secret, hkdfSalt);
+
+  const aes = gcm(derivedKey, gcmNonce);
+
+  return aes.decrypt(hexToBytes(aes256GcmHkdfSha256.payload));
+};
+
+const signatureMessage = (nonce: Uint8Array): string => {
+  return `The Graph: sign to encrypt/decrypt identity keys.\nNonce: ${bytesToHex(nonce)}\n`;
+};
+
+export const encryptIdentity = async (
+  signer: Signer,
+  accountAddress: string,
+  keys: IdentityKeys,
+): Promise<{ ciphertext: string; nonce: string }> => {
+  const nonce = randomBytes(32);
+  const message = signatureMessage(nonce);
+  const signature = (await signer.signMessage(message)) as Hex;
+
+  // Check that the signature is valid
+  const valid = await verifyMessage({
+    address: accountAddress as Hex,
+    message,
+    signature,
+  });
+  if (!valid) {
+    throw new Error('Invalid signature');
+  }
+  const secretKey = hexToBytes(signature);
+  // We use a simple plaintext encoding:
+  // Hex keys separated by newlines
+  const keysTxt = [
+    keys.encryptionPublicKey,
+    keys.encryptionPrivateKey,
+    keys.signaturePublicKey,
+    keys.signaturePrivateKey,
+  ].join('\n');
+  const keysMsg = new TextEncoder().encode(keysTxt);
+  const ciphertext = encrypt(keysMsg, secretKey);
+  return { ciphertext, nonce: bytesToHex(nonce) };
+};
+
+export const decryptIdentity = async (
+  signer: Signer,
+  accountAddress: string,
+  ciphertext: string,
+  nonce: string,
+): Promise<IdentityKeys> => {
+  const message = signatureMessage(hexToBytes(nonce));
+  const signature = (await signer.signMessage(message)) as Hex;
+
+  // Check that the signature is valid
+  const valid = await verifyMessage({
+    address: accountAddress as Hex,
+    message,
+    signature,
+  });
+  if (!valid) {
+    throw new Error('Invalid signature');
+  }
+  const secretKey = hexToBytes(signature);
+  let keysMsg: Uint8Array;
+  try {
+    keysMsg = await decrypt(ciphertext, secretKey);
+  } catch (e) {
+    // See https://github.com/xmtp/xmtp-js/blob/8d6e5a65813902926baac8150a648587acbaad92/sdks/js-sdk/src/keystore/providers/NetworkKeyManager.ts#L142-L146
+    if (secretKey.length !== 65) {
+      throw new Error('Expected 65 bytes before trying a different recovery byte');
+    }
+    // Try the other version of recovery byte, either +27 or -27
+    const lastByte = secretKey[secretKey.length - 1];
+    let newSecret = secretKey.slice(0, secretKey.length - 1);
+    if (lastByte < 27) {
+      newSecret = new Uint8Array([...newSecret, lastByte + 27]);
+    } else {
+      newSecret = new Uint8Array([...newSecret, lastByte - 27]);
+    }
+    keysMsg = await decrypt(ciphertext, newSecret);
+  }
+  const keysTxt = new TextDecoder().decode(keysMsg);
+  const [encryptionPublicKey, encryptionPrivateKey, signaturePublicKey, signaturePrivateKey] = keysTxt.split('\n');
+  return { encryptionPublicKey, encryptionPrivateKey, signaturePublicKey, signaturePrivateKey };
+};

package/src/identity/index.ts

@@ -0,0 +1,6 @@
+export * from './auth-storage.js';
+export * from './get-verified-identity.js';
+export * from './identity-encryption.js';
+export * from './logout.js';
+export * from './prove-ownership.js';
+export * from './types.js';

package/src/identity/logout.ts

@@ -0,0 +1,8 @@
+import { store } from './../store.js';
+import { wipeIdentity } from './auth-storage.js';
+import type { Storage } from './types.js';
+
+export function logout(storage: Storage) {
+  wipeIdentity(storage);
+  store.send({ type: 'resetAuth' });
+}

package/src/identity/prove-ownership.ts

@@ -0,0 +1,58 @@
+import { type Hex, verifyMessage } from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
+
+import { publicKeyToAddress } from '../utils/index.js';
+import type { IdentityKeys, Signer } from './types.js';
+
+export const getAccountProofMessage = (accountAddress: string, publicKey: string): string => {
+  return `This message proves I am the owner of the account ${accountAddress} and the public key ${publicKey}`;
+};
+
+export const getKeyProofMessage = (accountAddress: string, publicKey: string): string => {
+  return `The public key ${publicKey} is owned by the account ${accountAddress}`;
+};
+
+export const proveIdentityOwnership = async (
+  signer: Signer,
+  accountAddress: string,
+  keys: IdentityKeys,
+): Promise<{ accountProof: string; keyProof: string }> => {
+  const publicKey = keys.signaturePublicKey;
+  const accountProofMessage = getAccountProofMessage(accountAddress, publicKey);
+  const keyProofMessage = getKeyProofMessage(accountAddress, publicKey);
+  const accountProof = await signer.signMessage(accountProofMessage);
+  const account = privateKeyToAccount(keys.signaturePrivateKey as Hex);
+  const keyProof = await account.signMessage({ message: keyProofMessage });
+  return { accountProof, keyProof };
+};
+
+export const verifyIdentityOwnership = async (
+  accountAddress: string,
+  publicKey: string,
+  accountProof: string,
+  keyProof: string,
+): Promise<boolean> => {
+  const accountProofMessage = getAccountProofMessage(accountAddress, publicKey);
+  const keyProofMessage = getKeyProofMessage(accountAddress, publicKey);
+  const validAccountProof = await verifyMessage({
+    address: accountAddress as Hex,
+    message: accountProofMessage,
+    signature: accountProof as Hex,
+  });
+  if (!validAccountProof) {
+    console.log('Invalid account proof');
+    return false;
+  }
+
+  const keyAddress = publicKeyToAddress(publicKey) as Hex;
+  const validKeyProof = await verifyMessage({
+    address: keyAddress,
+    message: keyProofMessage,
+    signature: keyProof as Hex,
+  });
+  if (!validKeyProof) {
+    console.log('Invalid key proof');
+    return false;
+  }
+  return true;
+};

package/src/identity/types.ts

@@ -0,0 +1,44 @@
+import { Schema } from 'effect';
+
+export type Storage = {
+  getItem: (key: string) => string | null;
+  setItem: (key: string, value: string) => void;
+  removeItem: (key: string) => void;
+};
+
+export type SignMessage = (message: string) => Promise<string> | string;
+export type GetAddress = () => Promise<string> | string;
+export type Signer = {
+  getAddress: GetAddress;
+  signMessage: SignMessage;
+};
+
+export type IdentityKeys = {
+  encryptionPublicKey: string;
+  encryptionPrivateKey: string;
+  signaturePublicKey: string;
+  signaturePrivateKey: string;
+};
+
+export const KeysSchema = Schema.Struct({
+  encryptionPublicKey: Schema.String,
+  encryptionPrivateKey: Schema.String,
+  signaturePublicKey: Schema.String,
+  signaturePrivateKey: Schema.String,
+});
+
+export type KeysSchema = Schema.Schema.Type<typeof KeysSchema>;
+
+export type Identity = IdentityKeys & {
+  accountAddress: string;
+};
+
+export type PublicIdentity = {
+  accountAddress: string;
+  encryptionPublicKey: string;
+  signaturePublicKey: string;
+};
+
+export class InvalidIdentityError {
+  readonly _tag = 'InvalidIdentityError';
+}

package/src/inboxes/create-inbox.ts

@@ -0,0 +1,102 @@
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { randomBytes } from '@noble/hashes/utils';
+import { cryptoBoxKeyPair } from '@serenity-kit/noble-sodium';
+import { Effect } from 'effect';
+import * as Messages from '../messages/index.js';
+import * as SpaceEvents from '../space-events/index.js';
+import { bytesToHex, canonicalize, hexToBytes, stringToUint8Array } from '../utils/index.js';
+import type * as Inboxes from './types.js';
+
+type CreateAccountInboxParams = {
+  accountAddress: string;
+  isPublic: boolean;
+  authPolicy: Inboxes.InboxSenderAuthPolicy;
+  encryptionPublicKey: string;
+  signaturePrivateKey: string;
+
+  // TODO: add optional schema
+};
+
+type CreateSpaceInboxParams = {
+  author: SpaceEvents.Author;
+  spaceId: string;
+  isPublic: boolean;
+  authPolicy: Inboxes.InboxSenderAuthPolicy;
+  spaceSecretKey: string;
+  previousEventHash: string;
+};
+
+// The caller should have already verified that the accountAddress, signaturePrivateKey and encryptionPublicKey belong to the same account
+export function createAccountInboxCreationMessage({
+  accountAddress,
+  isPublic,
+  authPolicy,
+  encryptionPublicKey,
+  signaturePrivateKey,
+}: CreateAccountInboxParams): Messages.RequestCreateAccountInbox {
+  // Generate a 32 byte random inbox id
+  const inboxId = bytesToHex(randomBytes(32));
+
+  // This message can prove to anyone wanting to send a message to the inbox that it is indeed from the account
+  // and that the public key belongs to the account
+  const messageToSign = stringToUint8Array(
+    canonicalize({
+      accountAddress,
+      inboxId,
+      encryptionPublicKey,
+    }),
+  );
+
+  const signature = secp256k1.sign(messageToSign, hexToBytes(signaturePrivateKey), { prehash: true });
+
+  return {
+    type: 'create-account-inbox',
+    inboxId: inboxId,
+    accountAddress,
+    isPublic,
+    authPolicy,
+    encryptionPublicKey,
+    signature: {
+      hex: signature.toCompactHex(),
+      recovery: signature.recovery,
+    },
+  } satisfies Messages.RequestCreateAccountInbox;
+}
+
+export async function createSpaceInboxCreationMessage({
+  author,
+  spaceId,
+  isPublic,
+  authPolicy,
+  spaceSecretKey,
+  previousEventHash,
+}: CreateSpaceInboxParams): Promise<Messages.RequestCreateSpaceInboxEvent> {
+  // Same as createAccountInboxMessage but with spaceId instead of accountAddress, and generating a keypair for the inbox
+  const inboxId = bytesToHex(randomBytes(32));
+  const { publicKey, privateKey } = cryptoBoxKeyPair();
+
+  // encrypt the inbox secret key with the space secret key
+  const encryptedInboxSecretKey = Messages.encryptMessage({
+    message: privateKey,
+    secretKey: hexToBytes(spaceSecretKey),
+  });
+
+  const spaceEvent = await Effect.runPromise(
+    SpaceEvents.createInbox({
+      spaceId,
+      inboxId,
+      encryptionPublicKey: bytesToHex(publicKey),
+      secretKey: bytesToHex(encryptedInboxSecretKey),
+      isPublic,
+      authPolicy,
+      author,
+      previousEventHash,
+    }),
+  );
+
+  return {
+    type: 'create-space-inbox-event',
+    spaceId,
+    event: spaceEvent,
+  } satisfies Messages.RequestCreateSpaceInboxEvent;
+}

package/src/inboxes/get-list-inboxes.ts

@@ -0,0 +1,52 @@
+import { Schema } from 'effect';
+import * as Messages from '../messages/index.js';
+
+export const listPublicSpaceInboxes = async ({
+  spaceId,
+  syncServerUri,
+}: Readonly<{ spaceId: string; syncServerUri: string }>): Promise<readonly Messages.SpaceInboxPublic[]> => {
+  const res = await fetch(new URL(`/spaces/${spaceId}/inboxes`, syncServerUri), {
+    method: 'GET',
+  });
+  const decoded = Schema.decodeUnknownSync(Messages.ResponseListSpaceInboxesPublic)(await res.json());
+  return decoded.inboxes;
+};
+
+export const listPublicAccountInboxes = async ({
+  accountAddress,
+  syncServerUri,
+}: Readonly<{ accountAddress: string; syncServerUri: string }>): Promise<readonly Messages.AccountInboxPublic[]> => {
+  const res = await fetch(new URL(`/accounts/${accountAddress}/inboxes`, syncServerUri), {
+    method: 'GET',
+  });
+  const decoded = Schema.decodeUnknownSync(Messages.ResponseListAccountInboxesPublic)(await res.json());
+  return decoded.inboxes;
+};
+
+export const getSpaceInbox = async ({
+  spaceId,
+  inboxId,
+  syncServerUri,
+}: Readonly<{ spaceId: string; inboxId: string; syncServerUri: string }>): Promise<Messages.SpaceInboxPublic> => {
+  const res = await fetch(new URL(`/spaces/${spaceId}/inboxes/${inboxId}`, syncServerUri), {
+    method: 'GET',
+  });
+  const decoded = Schema.decodeUnknownSync(Messages.ResponseSpaceInboxPublic)(await res.json());
+  return decoded.inbox;
+};
+
+export const getAccountInbox = async ({
+  accountAddress,
+  inboxId,
+  syncServerUri,
+}: Readonly<{
+  accountAddress: string;
+  inboxId: string;
+  syncServerUri: string;
+}>): Promise<Messages.AccountInboxPublic> => {
+  const res = await fetch(new URL(`/accounts/${accountAddress}/inboxes/${inboxId}`, syncServerUri), {
+    method: 'GET',
+  });
+  const decoded = Schema.decodeUnknownSync(Messages.ResponseAccountInboxPublic)(await res.json());
+  return decoded.inbox;
+};

package/src/inboxes/index.ts

@@ -0,0 +1,10 @@
+export * from './create-inbox.js';
+export * from './get-list-inboxes.js';
+export * from './message-encryption.js';
+export * from './message-validation.js';
+export * from './prepare-message.js';
+export * from './recover-inbox-creator.js';
+export * from './recover-inbox-message-signer.js';
+export * from './send-message.js';
+export * from './merge-messages.js';
+export * from './types.js';

package/src/inboxes/merge-messages.ts

@@ -0,0 +1,28 @@
+import type { InboxMessageStorageEntry } from '../store.js';
+
+export function mergeMessages(
+  existingMessages: InboxMessageStorageEntry[],
+  existingSeenIds: Set<string>,
+  newMessages: InboxMessageStorageEntry[],
+) {
+  const messages = [...existingMessages];
+  const seenMessageIds = new Set(existingSeenIds);
+
+  // Filter and add new messages
+  const newFilteredMessages = newMessages.filter((msg) => !seenMessageIds.has(msg.id));
+  for (const msg of newFilteredMessages) {
+    seenMessageIds.add(msg.id);
+  }
+
+  if (newFilteredMessages.length > 0) {
+    // Only sort if the last new message is earlier than the last existing message
+    if (messages.length > 0 && newFilteredMessages[0].createdAt < messages[messages.length - 1].createdAt) {
+      messages.push(...newFilteredMessages);
+      messages.sort((a, b) => (a.createdAt < b.createdAt ? -1 : 1));
+    } else {
+      messages.push(...newFilteredMessages);
+    }
+  }
+
+  return { messages, seenMessageIds };
+}

package/src/inboxes/message-encryption.ts

@@ -0,0 +1,35 @@
+import { cryptoBoxSeal, cryptoBoxSealOpen } from '@serenity-kit/noble-sodium';
+import { bytesToHex, hexToBytes, stringToUint8Array, uint8ArrayToString } from '../utils/index.js';
+
+type EncryptParams = {
+  message: string;
+  encryptionPublicKey: string;
+};
+
+type DecryptParams = {
+  ciphertext: string;
+  encryptionPrivateKey: string;
+  encryptionPublicKey: string;
+};
+
+export function encryptInboxMessage({ message, encryptionPublicKey }: EncryptParams): {
+  ciphertext: string;
+} {
+  const ciphertext = cryptoBoxSeal({
+    message: stringToUint8Array(message),
+    publicKey: hexToBytes(encryptionPublicKey),
+  });
+
+  return { ciphertext: bytesToHex(ciphertext) };
+}
+
+export function decryptInboxMessage({ ciphertext, encryptionPrivateKey, encryptionPublicKey }: DecryptParams): string {
+  const publicKey = hexToBytes(encryptionPublicKey);
+  const privateKey = hexToBytes(encryptionPrivateKey);
+  const message = cryptoBoxSealOpen({
+    ciphertext: hexToBytes(ciphertext),
+    privateKey,
+    publicKey,
+  });
+  return uint8ArrayToString(message);
+}

package/src/inboxes/message-validation.ts

@@ -0,0 +1,66 @@
+import * as Identity from '../identity/index.js';
+import type * as Messages from '../messages/index.js';
+import type { AccountInboxStorageEntry, SpaceInboxStorageEntry } from '../store.js';
+import { recoverAccountInboxMessageSigner, recoverSpaceInboxMessageSigner } from './recover-inbox-message-signer.js';
+
+export const validateSpaceInboxMessage = async (
+  message: Messages.InboxMessage,
+  inbox: SpaceInboxStorageEntry,
+  spaceId: string,
+  syncServerUri: string,
+) => {
+  if (message.signature) {
+    if (inbox.authPolicy === 'anonymous') {
+      console.error('Signed message in anonymous inbox');
+      return false;
+    }
+    if (!message.authorAccountAddress) {
+      console.error('Signed message without authorAccountAddress');
+      return false;
+    }
+    const signer = recoverSpaceInboxMessageSigner(message, spaceId, inbox.inboxId);
+    const verifiedIdentity = await Identity.getVerifiedIdentity(message.authorAccountAddress, syncServerUri);
+    const isValid = signer === verifiedIdentity.signaturePublicKey;
+    if (!isValid) {
+      console.error('Invalid signature', signer, verifiedIdentity.signaturePublicKey);
+    }
+    return isValid;
+  }
+  // Unsigned message is valid if the inbox is anonymous or optional auth
+  const isValid = inbox.authPolicy !== 'requires_auth';
+  if (!isValid) {
+    console.error('Unsigned message in required auth inbox');
+  }
+  return isValid;
+};
+
+export const validateAccountInboxMessage = async (
+  message: Messages.InboxMessage,
+  inbox: AccountInboxStorageEntry,
+  accountAddress: string,
+  syncServerUri: string,
+) => {
+  if (message.signature) {
+    if (inbox.authPolicy === 'anonymous') {
+      console.error('Signed message in anonymous inbox');
+      return false;
+    }
+    if (!message.authorAccountAddress) {
+      console.error('Signed message without authorAccountAddress');
+      return false;
+    }
+    const signer = recoverAccountInboxMessageSigner(message, accountAddress, inbox.inboxId);
+    const verifiedIdentity = await Identity.getVerifiedIdentity(message.authorAccountAddress, syncServerUri);
+    const isValid = signer === verifiedIdentity.signaturePublicKey;
+    if (!isValid) {
+      console.error('Invalid signature', signer, verifiedIdentity.signaturePublicKey);
+    }
+    return isValid;
+  }
+  // Unsigned message is valid if the inbox is anonymous or optional auth
+  const isValid = inbox.authPolicy !== 'requires_auth';
+  if (!isValid) {
+    console.error('Unsigned message in required auth inbox');
+  }
+  return isValid;
+};