@ironcorelabs/ironweb 4.2.49 → 4.4.1

package/commonjs/Constants.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Versions = exports.UserAndGroupTypes = exports.GroupPermissions = exports.Frame = exports.ErrorCodes = exports.CryptoConstants = exports.ALLOWED_ID_CHAR_REGEX = exports.HEADER_META_LENGTH_LENGTH = exports.VERSION_HEADER_LENGTH = exports.DOCUMENT_ENCRYPTION_DETAILS_VERSION_NUMBER = void 0;
+exports.Versions = exports.UserStatus = exports.UserAndGroupTypes = exports.GroupPermissions = exports.Frame = exports.ErrorCodes = exports.CryptoConstants = exports.ALLOWED_ID_CHAR_REGEX = exports.HEADER_META_LENGTH_LENGTH = exports.VERSION_HEADER_LENGTH = exports.DOCUMENT_ENCRYPTION_DETAILS_VERSION_NUMBER = void 0;
 /**
  * Number which is prepended onto encrypted documents to denote which classification of encrypted data
  * the document represents. Used to have a place to denote header info, symmetric encryption details, etc
@@ -47,6 +47,7 @@ var ErrorCodes;
     ErrorCodes[ErrorCodes["USER_UPDATE_KEY_REQUEST_FAILURE"] = 211] = "USER_UPDATE_KEY_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["USER_PRIVATE_KEY_ROTATION_FAILURE"] = 212] = "USER_PRIVATE_KEY_ROTATION_FAILURE";
     ErrorCodes[ErrorCodes["USER_DEVICE_LIST_REQUEST_FAILURE"] = 213] = "USER_DEVICE_LIST_REQUEST_FAILURE";
+    ErrorCodes[ErrorCodes["USER_UPDATE_STATUS_REQUEST_FAILURE"] = 214] = "USER_UPDATE_STATUS_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_LIST_REQUEST_FAILURE"] = 300] = "DOCUMENT_LIST_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_GET_REQUEST_FAILURE"] = 301] = "DOCUMENT_GET_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_CREATE_REQUEST_FAILURE"] = 302] = "DOCUMENT_CREATE_REQUEST_FAILURE";
@@ -61,6 +62,8 @@ var ErrorCodes;
     ErrorCodes[ErrorCodes["DOCUMENT_CREATE_WITH_ACCESS_FAILURE"] = 311] = "DOCUMENT_CREATE_WITH_ACCESS_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_HEADER_PARSE_FAILURE"] = 312] = "DOCUMENT_HEADER_PARSE_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_TRANSFORM_REQUEST_FAILURE"] = 313] = "DOCUMENT_TRANSFORM_REQUEST_FAILURE";
+    ErrorCodes[ErrorCodes["DOCUMENT_STREAM_DECRYPT_FAILURE"] = 314] = "DOCUMENT_STREAM_DECRYPT_FAILURE";
+    ErrorCodes[ErrorCodes["DOCUMENT_STREAM_ENCRYPT_FAILURE"] = 315] = "DOCUMENT_STREAM_ENCRYPT_FAILURE";
     ErrorCodes[ErrorCodes["GROUP_LIST_REQUEST_FAILURE"] = 400] = "GROUP_LIST_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["GROUP_GET_REQUEST_FAILURE"] = 401] = "GROUP_GET_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["GROUP_CREATE_REQUEST_FAILURE"] = 402] = "GROUP_CREATE_REQUEST_FAILURE";
@@ -110,7 +113,15 @@ exports.UserAndGroupTypes = {
     USER: "user",
     GROUP: "group",
 };
+/**
+ * Status values for a user. A disabled user cannot call SDK functions but
+ * remains a member of any groups they were added to.
+ */
+exports.UserStatus = {
+    DISABLED: 0,
+    ENABLED: 1,
+};
 exports.Versions = {
     //This define is replaced at runtime during development, and at build time in the build script with the proper version
-    SDK_VERSION: "4.2.49",
+    SDK_VERSION: "4.4.1",
 };

package/commonjs/lib/Utils.js

@@ -1,8 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.sliceArrayBuffer = exports.concatArrayBuffers = exports.transformKeyToBase64 = exports.publicKeyToBytes = exports.publicKeyToBase64 = exports.arrayBufferToUtf8String = exports.utf8StringToArrayBuffer = void 0;
+exports.parseDocumentHeader = exports.sliceArrayBuffer = exports.toTransferables = exports.concatArrayBuffers = exports.transformKeyToBase64 = exports.publicKeyToBytes = exports.publicKeyToBase64 = exports.arrayBufferToUtf8String = exports.utf8StringToArrayBuffer = void 0;
 var UTF8 = require("@stablelib/utf8");
 var base64_js_1 = require("base64-js");
+var futurejs_1 = require("futurejs");
+var Constants_1 = require("../Constants");
+var SDKError_1 = require("./SDKError");
 /**
  * Convert a string into a ArrayBuffer, specifically a Uint8Array
  */
@@ -68,6 +71,14 @@ function concatArrayBuffers() {
     }, new Uint8Array(length));
 }
 exports.concatArrayBuffers = concatArrayBuffers;
+/**
+ * Convert a transfer list of Uint8Arrays and Transferables into a Transferable[].
+ * Uint8Arrays are unwrapped to their underlying ArrayBuffer; other items pass through.
+ */
+function toTransferables(items) {
+    return items.map(function (item) { return (item instanceof Uint8Array ? item.buffer : item); });
+}
+exports.toTransferables = toTransferables;
 /**
  * Polyfill since some environments (notably Phantom) don't support ArrayBuffer.slice
  */
@@ -78,3 +89,31 @@ function sliceArrayBuffer(buffer, start, end) {
     return new Uint8Array(Array.prototype.slice.call(buffer, start, end));
 }
 exports.sliceArrayBuffer = sliceArrayBuffer;
+/**
+ * Parse the IronCore document header from encrypted document bytes.
+ * Extracts the document ID (if v2), IV, and the byte offset where ciphertext begins.
+ */
+function parseDocumentHeader(data) {
+    return futurejs_1.default.tryF(function () {
+        var version = data[0];
+        var documentID = null;
+        var headerTotalLength;
+        if (version === 1) {
+            headerTotalLength = Constants_1.VERSION_HEADER_LENGTH;
+        }
+        else if (version === 2) {
+            var headerJsonLength = new DataView(data.buffer, data.byteOffset).getUint16(Constants_1.VERSION_HEADER_LENGTH, false);
+            headerTotalLength = Constants_1.VERSION_HEADER_LENGTH + Constants_1.HEADER_META_LENGTH_LENGTH + headerJsonLength;
+            var headerContent = data.slice(Constants_1.VERSION_HEADER_LENGTH + Constants_1.HEADER_META_LENGTH_LENGTH, headerTotalLength);
+            var headerObject = JSON.parse(UTF8.decode(headerContent));
+            documentID = headerObject._did_;
+        }
+        else {
+            throw new Error("Provided encrypted document doesn't appear to be valid. Invalid version.");
+        }
+        var contentOffset = headerTotalLength + Constants_1.CryptoConstants.IV_LENGTH;
+        var iv = data.slice(headerTotalLength, contentOffset);
+        return { documentID: documentID, iv: iv, contentOffset: contentOffset };
+    }).errorMap(function (error) { return new SDKError_1.default(error, Constants_1.ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE); });
+}
+exports.parseDocumentHeader = parseDocumentHeader;

package/commonjs/shim/FrameMediator.js

@@ -4,6 +4,7 @@ exports.sendMessage = exports.messenger = exports.ShimMessenger = void 0;
 var futurejs_1 = require("futurejs");
 var Constants_1 = require("../Constants");
 var SDKError_1 = require("../lib/SDKError");
+var Utils_1 = require("../lib/Utils");
 /**
  * Class which handles messaging from the shim into the frame. Holds callback messages so that users can interact with this
  * class via Futures. Also handles the creation of all the ChannelMessage ports to pass down to the frame.
@@ -36,7 +37,7 @@ var ShimMessenger = /** @class */ (function () {
     /**
      * Post request message to child iFrame
      * @param {RequestMessage} data         RequestMessage to post to child iFrame
-     * @param {Uint8Array[]}  transferList  List of byte arrays to transfer to frame
+     * @param {Uint8Array[]}  transferList  List of byte arrays or transferables to transfer to frame
      */
     ShimMessenger.prototype.postMessageToFrame = function (data, transferList) {
         var _this = this;
@@ -46,16 +47,19 @@ var ShimMessenger = /** @class */ (function () {
             data: data,
         };
         try {
-            this.messagePort.postMessage(message, transferList.map(function (_a) {
-                var buffer = _a.buffer;
-                return buffer;
-            }));
+            this.messagePort.postMessage(message, (0, Utils_1.toTransferables)(transferList));
             return new futurejs_1.default(function (_, resolve) {
                 _this.callbacks[message.replyID] = resolve;
             });
         }
-        catch (_) {
-            return futurejs_1.default.reject(new SDKError_1.default(new Error("Failure occurred when passing message due to the lack of browser support."), Constants_1.ErrorCodes.BROWSER_FRAME_MESSAGE_FAILURE));
+        catch (_e) {
+            var hasStreams = transferList.some(function (item) { return item instanceof ReadableStream || item instanceof WritableStream; });
+            // Safari is the notable holdout here (https://github.com/WebKit/standards-positions/issues/643). For now,
+            // give an informative message about support.
+            var message_1 = hasStreams
+                ? "Streaming encrypt/decrypt requires transferable streams, which is not supported by this browser. It is known to be supported by Chrome, Firefox, and Edge."
+                : "Failure occurred when passing message due to the lack of browser support.";
+            return futurejs_1.default.reject(new SDKError_1.default(new Error(message_1), Constants_1.ErrorCodes.BROWSER_FRAME_MESSAGE_FAILURE));
         }
     };
     return ShimMessenger;

package/commonjs/shim/Initialize.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.deleteDeviceByPublicSigningKey = exports.initialize = exports.createUserDeviceKeys = exports.createNewUser = void 0;
+exports.updateUserStatus = exports.deleteDeviceByPublicSigningKey = exports.initialize = exports.createUserDeviceKeys = exports.createNewUser = void 0;
 var futurejs_1 = require("futurejs");
 var Constants_1 = require("../Constants");
 var SDKError_1 = require("../lib/SDKError");
@@ -77,7 +77,6 @@ var createNewUser = function (jwtCallback, passcode, needsRotation) {
         return FrameMediator.sendMessage(payload);
     })
         //Rename a few fields and strip out the users private key and currentKeyId since they'll probably be confusing that they're getting back an encrypted private key
-        //eslint-disable-next-line @typescript-eslint/no-unused-vars
         .map(function (_a) {
         var _b = _a.message, id = _b.id, segmentId = _b.segmentId, needsRotation = _b.needsRotation, status = _b.status, userMasterPublicKey = _b.userMasterPublicKey;
         return ({
@@ -164,3 +163,30 @@ var deleteDeviceByPublicSigningKey = function (jwtCallback, publicSigningKey) {
         .toPromise();
 };
 exports.deleteDeviceByPublicSigningKey = deleteDeviceByPublicSigningKey;
+/**
+ * Update the status (enabled or disabled) of the user identified by the provided JWT.
+ * Authenticates with a JWT and does not require an initialized SDK. The user id is taken
+ * from the `sub` claim of the JWT.
+ */
+var updateUserStatus = function (jwtCallback, status) {
+    return getJWT(jwtCallback)
+        .flatMap(function (jwtToken) {
+        var payload = {
+            type: "UPDATE_USER_STATUS_JWT",
+            message: { jwtToken: jwtToken, status: status },
+        };
+        return FrameMediator.sendMessage(payload);
+    })
+        .map(function (_a) {
+        var _b = _a.message, id = _b.id, segmentId = _b.segmentId, needsRotation = _b.needsRotation, status = _b.status, userMasterPublicKey = _b.userMasterPublicKey;
+        return ({
+            accountID: id,
+            segmentID: segmentId,
+            needsRotation: needsRotation,
+            status: status,
+            userMasterPublicKey: userMasterPublicKey,
+        });
+    })
+        .toPromise();
+};
+exports.updateUserStatus = updateUserStatus;

package/commonjs/shim/index.js

@@ -14,13 +14,16 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SDKError = exports.ErrorCodes = exports.isInitialized = exports.initialize = exports.createNewDeviceKeys = exports.createNewUser = exports.deleteDeviceByPublicSigningKey = void 0;
+exports.SDKError = exports.ErrorCodes = exports.isInitialized = exports.initialize = exports.createNewDeviceKeys = exports.createNewUser = exports.UserStatus = exports.updateUserStatus = exports.deleteDeviceByPublicSigningKey = void 0;
 var Constants_1 = require("../Constants");
 var SDKError_1 = require("../lib/SDKError");
 var Init = require("./Initialize");
 var ShimUtils_1 = require("./ShimUtils");
 var Initialize_1 = require("./Initialize");
 Object.defineProperty(exports, "deleteDeviceByPublicSigningKey", { enumerable: true, get: function () { return Initialize_1.deleteDeviceByPublicSigningKey; } });
+Object.defineProperty(exports, "updateUserStatus", { enumerable: true, get: function () { return Initialize_1.updateUserStatus; } });
+var Constants_2 = require("../Constants");
+Object.defineProperty(exports, "UserStatus", { enumerable: true, get: function () { return Constants_2.UserStatus; } });
 /**
  * Checks bowser functionality to ensure random number generation is supported.
  */
@@ -120,8 +123,8 @@ exports.isInitialized = isInitialized;
 /**
  * List of SDK Error Codes
  */
-var Constants_2 = require("../Constants");
-Object.defineProperty(exports, "ErrorCodes", { enumerable: true, get: function () { return Constants_2.ErrorCodes; } });
+var Constants_3 = require("../Constants");
+Object.defineProperty(exports, "ErrorCodes", { enumerable: true, get: function () { return Constants_3.ErrorCodes; } });
 /**
  * SDK Error which extends normal Error object but adds `code` property which will be one of the ErrorCodes from above
  */

package/commonjs/shim/sdk/DocumentSDK.js

@@ -1,4 +1,40 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
 var __read = (this && this.__read) || function (o, n) {
     var m = typeof Symbol === "function" && o[Symbol.iterator];
     if (!m) return o;
@@ -15,14 +51,23 @@ var __read = (this && this.__read) || function (o, n) {
     }
     return ar;
 };
+var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
+    if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
+        if (ar || !(i in from)) {
+            if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+            ar[i] = from[i];
+        }
+    }
+    return to.concat(ar || Array.prototype.slice.call(from));
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.advanced = exports.revokeAccess = exports.grantAccess = exports.updateName = exports.updateEncryptedData = exports.updateEncryptedDataInStore = exports.encrypt = exports.encryptToStore = exports.decrypt = exports.decryptFromStore = exports.getDocumentIDFromBytes = exports.getMetadata = exports.list = void 0;
+exports.advanced = exports.decryptStream = exports.encryptStream = exports.revokeAccess = exports.grantAccess = exports.updateName = exports.updateEncryptedData = exports.updateEncryptedDataInStore = exports.encrypt = exports.encryptToStore = exports.decrypt = exports.decryptFromStore = exports.getDocumentIDFromBytes = exports.getMetadata = exports.list = void 0;
 var futurejs_1 = require("futurejs");
 var Constants_1 = require("../../Constants");
 var SDKError_1 = require("../../lib/SDKError");
+var Utils_1 = require("../../lib/Utils");
 var FrameMediator = require("../FrameMediator");
 var ShimUtils = require("../ShimUtils");
-var CodecSDK_1 = require("./CodecSDK");
 var MAX_DOCUMENT_SIZE = 1024 * 2 * 1000; //2MB
 /**
  * Takes the document encrypt options object and normalizes it to a complete object with proper default values.
@@ -88,23 +133,12 @@ exports.getMetadata = getMetadata;
 function getDocumentIDFromBytes(documentData) {
     ShimUtils.checkSDKInitialized();
     ShimUtils.validateEncryptedDocument(documentData);
-    //Version 1 document, we don't have the document ID as it's not encoded in the header
-    if (documentData[0] === 1) {
-        return Promise.resolve(null);
-    }
-    //Check to see if the document is a version we don't support and reject if so
-    if (documentData[0] !== 2) {
-        return Promise.reject(new SDKError_1.default(new Error("Provided encrypted document doesn't appear to be valid. Invalid version."), Constants_1.ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE));
-    }
-    var headerLength = new DataView(documentData.buffer).getUint16(documentData.byteOffset + Constants_1.VERSION_HEADER_LENGTH, false);
-    var headerContent = documentData.slice(Constants_1.VERSION_HEADER_LENGTH + Constants_1.HEADER_META_LENGTH_LENGTH, Constants_1.VERSION_HEADER_LENGTH + Constants_1.HEADER_META_LENGTH_LENGTH + headerLength);
-    try {
-        var headerObject = JSON.parse(CodecSDK_1.utf8.fromBytes(headerContent));
-        return Promise.resolve(headerObject._did_);
-    }
-    catch (_a) {
-        return Promise.reject(new SDKError_1.default(new Error("Unable to parse document header. Header value is corrupted."), Constants_1.ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE));
-    }
+    return (0, Utils_1.parseDocumentHeader)(documentData)
+        .map(function (_a) {
+        var documentID = _a.documentID;
+        return documentID;
+    })
+        .toPromise();
 }
 exports.getDocumentIDFromBytes = getDocumentIDFromBytes;
 /**
@@ -369,6 +403,176 @@ function revokeAccess(documentID, revokeList) {
         .toPromise();
 }
 exports.revokeAccess = revokeAccess;
+/**
+ * Parse the version header, header JSON, and IV from the beginning of an encrypted ReadableStream.
+ * Returns the document ID, IV, and a new ReadableStream starting after the header+IV (ciphertext only).
+ */
+function parseStreamHeader(encryptedStream) {
+    var _this = this;
+    return futurejs_1.default.tryP(function () { return __awaiter(_this, void 0, void 0, function () {
+        var reader, chunks_1, totalLen_1, readAtLeastIntoChunks, initialHeaderBytes, headerJsonLength, e_1;
+        var _this = this;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0:
+                    reader = encryptedStream.getReader();
+                    _a.label = 1;
+                case 1:
+                    _a.trys.push([1, 7, , 8]);
+                    chunks_1 = [];
+                    totalLen_1 = 0;
+                    readAtLeastIntoChunks = function (n) { return __awaiter(_this, void 0, void 0, function () {
+                        var _a, done, value;
+                        return __generator(this, function (_b) {
+                            switch (_b.label) {
+                                case 0:
+                                    if (!(totalLen_1 < n)) return [3 /*break*/, 2];
+                                    return [4 /*yield*/, reader.read()];
+                                case 1:
+                                    _a = _b.sent(), done = _a.done, value = _a.value;
+                                    if (done)
+                                        throw new SDKError_1.default(new Error("Encrypted stream ended before header could be parsed"), Constants_1.ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE);
+                                    chunks_1.push(value);
+                                    totalLen_1 += value.length;
+                                    return [3 /*break*/, 0];
+                                case 2: return [2 /*return*/];
+                            }
+                        });
+                    }); };
+                    // Need to read the header length prefix to know total size.
+                    return [4 /*yield*/, readAtLeastIntoChunks(Constants_1.VERSION_HEADER_LENGTH + Constants_1.HEADER_META_LENGTH_LENGTH)];
+                case 2:
+                    // Need to read the header length prefix to know total size.
+                    _a.sent();
+                    initialHeaderBytes = Utils_1.concatArrayBuffers.apply(void 0, __spreadArray([], __read(chunks_1), false));
+                    if (!(initialHeaderBytes[0] === 2)) return [3 /*break*/, 4];
+                    headerJsonLength = new DataView(initialHeaderBytes.buffer, initialHeaderBytes.byteOffset).getUint16(Constants_1.VERSION_HEADER_LENGTH, false);
+                    return [4 /*yield*/, readAtLeastIntoChunks(Constants_1.VERSION_HEADER_LENGTH + Constants_1.HEADER_META_LENGTH_LENGTH + headerJsonLength + 12)];
+                case 3:
+                    _a.sent();
+                    return [3 /*break*/, 6];
+                case 4: return [4 /*yield*/, readAtLeastIntoChunks(Constants_1.VERSION_HEADER_LENGTH + 12)];
+                case 5:
+                    _a.sent();
+                    _a.label = 6;
+                case 6: return [2 /*return*/, { reader: reader, buffer: Utils_1.concatArrayBuffers.apply(void 0, __spreadArray([], __read(chunks_1), false)) }];
+                case 7:
+                    e_1 = _a.sent();
+                    // On any error in reading header chunks we need to release the reader
+                    reader.releaseLock();
+                    throw e_1;
+                case 8: return [2 /*return*/];
+            }
+        });
+    }); }).flatMap(function (_a) {
+        var reader = _a.reader, buffer = _a.buffer;
+        return (0, Utils_1.parseDocumentHeader)(buffer)
+            .map(function (parsed) {
+            var remainder = buffer.slice(parsed.contentOffset);
+            // Once we've parsed the header we might have remaining bytes. If
+            // we do we start out the ciphertextStream by writing them and then pull
+            // can just pull from the reader we had previously read from.
+            var ciphertextStream = new ReadableStream({
+                start: function (controller) {
+                    if (remainder.length > 0) {
+                        controller.enqueue(remainder);
+                    }
+                },
+                pull: function (controller) {
+                    return reader.read().then(function (_a) {
+                        var done = _a.done, value = _a.value;
+                        done ? controller.close() : controller.enqueue(value);
+                    });
+                },
+                cancel: function () {
+                    return reader.cancel();
+                },
+            });
+            return { documentID: parsed.documentID, iv: parsed.iv, ciphertextStream: ciphertextStream };
+        })
+            .errorMap(function (e) {
+            // On any error in preparing the new stream we need to release the reader lock
+            // This is purely defensive.
+            reader.releaseLock();
+            return e;
+        });
+    });
+}
+/**
+ * Encrypt a plaintext stream. Returns a Promise which resolves with the encrypted stream and document metadata.
+ * The output stream produces bytes in the same format as encrypt(): [header][IV][ciphertext][auth_tag].
+ *
+ * @param {ReadableStream<Uint8Array>} plaintextStream  Plaintext data as a ReadableStream
+ * @param {DocumentCreateOptions}      options           Document create options
+ */
+function encryptStream(plaintextStream, options) {
+    ShimUtils.checkSDKInitialized();
+    var encryptOptions = calculateDocumentCreateOptionsDefault(options);
+    if (encryptOptions.documentID) {
+        ShimUtils.validateID(encryptOptions.documentID);
+    }
+    var _a = __read(ShimUtils.dedupeAccessLists(encryptOptions.accessList), 2), userGrants = _a[0], groupGrants = _a[1];
+    var payload = {
+        type: "DOCUMENT_STREAM_ENCRYPT",
+        message: {
+            documentID: encryptOptions.documentID,
+            documentName: encryptOptions.documentName,
+            plaintextStream: plaintextStream,
+            userGrants: userGrants,
+            groupGrants: groupGrants,
+            grantToAuthor: encryptOptions.accessList.grantToAuthor,
+            policy: encryptOptions.policy,
+        },
+    };
+    // Cast needed because TS's Transferable type doesn't yet include ReadableStream/WritableStream
+    return FrameMediator.sendMessage(payload, [plaintextStream])
+        .map(function (_a) {
+        var message = _a.message;
+        return ({
+            documentID: message.documentID,
+            documentName: message.documentName,
+            encryptedStream: message.encryptedStream,
+            created: message.created,
+            updated: message.updated,
+        });
+    })
+        .toPromise();
+}
+exports.encryptStream = encryptStream;
+/**
+ * Decrypt an encrypted document stream. Parses the header and IV from the stream, then streams decrypted
+ * plaintext back via the returned ReadableStream. If the auth tag fails at the end of the stream, the
+ * readable side errors — which propagates through pipeTo() to abort any destination WritableStream.
+ *
+ * @param {string}                     documentID      ID of the document to decrypt
+ * @param {ReadableStream<Uint8Array>} encryptedStream Encrypted document as a ReadableStream (from fetch().body, file.stream(), etc.)
+ */
+function decryptStream(documentID, encryptedStream) {
+    ShimUtils.checkSDKInitialized();
+    ShimUtils.validateID(documentID);
+    return parseStreamHeader(encryptedStream)
+        .flatMap(function (_a) {
+        var iv = _a.iv, ciphertextStream = _a.ciphertextStream;
+        var payload = {
+            type: "DOCUMENT_STREAM_DECRYPT",
+            message: { documentID: documentID, iv: iv, encryptedStream: ciphertextStream },
+        };
+        return FrameMediator.sendMessage(payload, [ciphertextStream]).map(function (_a) {
+            var message = _a.message;
+            return ({
+                documentID: documentID,
+                documentName: message.documentName,
+                visibleTo: message.visibleTo,
+                association: message.association,
+                created: message.created,
+                updated: message.updated,
+                plaintextStream: message.plaintextStream,
+            });
+        });
+    })
+        .toPromise();
+}
+exports.decryptStream = decryptStream;
 /**
  * A collection of methods for advanced encryption/decryption use cases. Currently focused on methods which require the caller to manage the encrypted
  * DEKs.
@@ -404,6 +608,66 @@ exports.advanced = {
         })
             .toPromise();
     },
+    /**
+     * Streaming decrypt with caller-provided EDEKs. Parses the header/IV from the stream, then decrypts.
+     * If the auth tag fails, the returned plaintextStream errors.
+     */
+    decryptStreamUnmanaged: function (encryptedStream, edeks) {
+        ShimUtils.checkSDKInitialized();
+        ShimUtils.validateEncryptedDeks(edeks);
+        return parseStreamHeader(encryptedStream)
+            .flatMap(function (_a) {
+            var documentID = _a.documentID, iv = _a.iv, ciphertextStream = _a.ciphertextStream;
+            var payload = {
+                type: "DOCUMENT_UNMANAGED_STREAM_DECRYPT",
+                message: { edeks: edeks, iv: iv, encryptedStream: ciphertextStream },
+            };
+            return FrameMediator.sendMessage(payload, [
+                ciphertextStream,
+            ]).map(function (_a) {
+                var message = _a.message;
+                return ({
+                    documentID: documentID,
+                    plaintextStream: message.plaintextStream,
+                    accessVia: message.accessVia,
+                });
+            });
+        })
+            .toPromise();
+    },
+    /**
+     * Streaming encrypt with caller-managed EDEKs. Returns the encrypted stream and EDEKs to the caller.
+     * The output stream produces bytes in the same format as encrypt(): [header][IV][ciphertext][auth_tag].
+     */
+    encryptStreamUnmanaged: function (plaintextStream, options) {
+        ShimUtils.checkSDKInitialized();
+        var encryptOptions = calculateDocumentCreateOptionsDefault(options);
+        if (encryptOptions.documentID) {
+            ShimUtils.validateID(encryptOptions.documentID);
+        }
+        var _a = __read(ShimUtils.dedupeAccessLists(encryptOptions.accessList), 2), userGrants = _a[0], groupGrants = _a[1];
+        var payload = {
+            type: "DOCUMENT_UNMANAGED_STREAM_ENCRYPT",
+            message: {
+                documentID: encryptOptions.documentID,
+                plaintextStream: plaintextStream,
+                userGrants: userGrants,
+                groupGrants: groupGrants,
+                grantToAuthor: encryptOptions.accessList.grantToAuthor,
+                policy: encryptOptions.policy,
+            },
+        };
+        return FrameMediator.sendMessage(payload, [plaintextStream])
+            .map(function (_a) {
+            var message = _a.message;
+            return ({
+                documentID: message.documentID,
+                encryptedStream: message.encryptedStream,
+                edeks: message.edeks,
+            });
+        })
+            .toPromise();
+    },
     /**
      * Encrypt the provided document with various document create options. Does not store any part of the document within IronCore and instead returns
      * the encrypted DEKs to the caller. These encrypted DEKs must be then be provided as input in order to decrypt the document.

package/commonjs/shim/sdk/UserSDK.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.listDevices = exports.deleteDeviceByPublicSigningKey = exports.deleteDevice = exports.deauthorizeDevice = exports.rotateMasterKey = exports.changePasscode = void 0;
+exports.disableSelf = exports.listDevices = exports.deleteDeviceByPublicSigningKey = exports.deleteDevice = exports.deauthorizeDevice = exports.rotateMasterKey = exports.changePasscode = void 0;
 var ShimUtils_1 = require("../ShimUtils");
 var FrameMediator = require("../FrameMediator");
 /**
@@ -105,3 +105,35 @@ var listDevices = function () {
         .toPromise();
 };
 exports.listDevices = listDevices;
+/**
+ * Disables the currently authenticated user. Disabled users are unable to call any
+ * other authorized SDK functions but remain in any groups they belonged to. Users
+ * cannot re-enable themselves; an admin must call `updateUserStatus` with a JWT for
+ * the user to re-enable them.
+ */
+var disableSelf = function () {
+    (0, ShimUtils_1.checkSDKInitialized)();
+    var payload = {
+        type: "DISABLE_USER_SELF",
+        message: null,
+    };
+    // The frame wipes its ApiState and device keys on a successful disable, so mirror the
+    // current-device path of `deleteDevice` here: drop the parent-window symmetric key now
+    // and clear the init flag on success. Otherwise `isInitialized()` keeps returning true
+    // while the frame is empty, and the next SDK call fails confusingly in the frame.
+    (0, ShimUtils_1.clearParentWindowSymmetricKey)();
+    return FrameMediator.sendMessage(payload)
+        .map(function (_a) {
+        var _b = _a.message, id = _b.id, segmentId = _b.segmentId, needsRotation = _b.needsRotation, status = _b.status, userMasterPublicKey = _b.userMasterPublicKey;
+        (0, ShimUtils_1.clearSDKInitialized)();
+        return {
+            accountID: id,
+            segmentID: segmentId,
+            needsRotation: needsRotation,
+            status: status,
+            userMasterPublicKey: userMasterPublicKey,
+        };
+    })
+        .toPromise();
+};
+exports.disableSelf = disableSelf;

package/es/Constants.js

@@ -44,6 +44,7 @@ export var ErrorCodes;
     ErrorCodes[ErrorCodes["USER_UPDATE_KEY_REQUEST_FAILURE"] = 211] = "USER_UPDATE_KEY_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["USER_PRIVATE_KEY_ROTATION_FAILURE"] = 212] = "USER_PRIVATE_KEY_ROTATION_FAILURE";
     ErrorCodes[ErrorCodes["USER_DEVICE_LIST_REQUEST_FAILURE"] = 213] = "USER_DEVICE_LIST_REQUEST_FAILURE";
+    ErrorCodes[ErrorCodes["USER_UPDATE_STATUS_REQUEST_FAILURE"] = 214] = "USER_UPDATE_STATUS_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_LIST_REQUEST_FAILURE"] = 300] = "DOCUMENT_LIST_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_GET_REQUEST_FAILURE"] = 301] = "DOCUMENT_GET_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_CREATE_REQUEST_FAILURE"] = 302] = "DOCUMENT_CREATE_REQUEST_FAILURE";
@@ -58,6 +59,8 @@ export var ErrorCodes;
     ErrorCodes[ErrorCodes["DOCUMENT_CREATE_WITH_ACCESS_FAILURE"] = 311] = "DOCUMENT_CREATE_WITH_ACCESS_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_HEADER_PARSE_FAILURE"] = 312] = "DOCUMENT_HEADER_PARSE_FAILURE";
     ErrorCodes[ErrorCodes["DOCUMENT_TRANSFORM_REQUEST_FAILURE"] = 313] = "DOCUMENT_TRANSFORM_REQUEST_FAILURE";
+    ErrorCodes[ErrorCodes["DOCUMENT_STREAM_DECRYPT_FAILURE"] = 314] = "DOCUMENT_STREAM_DECRYPT_FAILURE";
+    ErrorCodes[ErrorCodes["DOCUMENT_STREAM_ENCRYPT_FAILURE"] = 315] = "DOCUMENT_STREAM_ENCRYPT_FAILURE";
     ErrorCodes[ErrorCodes["GROUP_LIST_REQUEST_FAILURE"] = 400] = "GROUP_LIST_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["GROUP_GET_REQUEST_FAILURE"] = 401] = "GROUP_GET_REQUEST_FAILURE";
     ErrorCodes[ErrorCodes["GROUP_CREATE_REQUEST_FAILURE"] = 402] = "GROUP_CREATE_REQUEST_FAILURE";
@@ -107,7 +110,15 @@ export var UserAndGroupTypes = {
     USER: "user",
     GROUP: "group",
 };
+/**
+ * Status values for a user. A disabled user cannot call SDK functions but
+ * remains a member of any groups they were added to.
+ */
+export var UserStatus = {
+    DISABLED: 0,
+    ENABLED: 1,
+};
 export var Versions = {
     //This define is replaced at runtime during development, and at build time in the build script with the proper version
-    SDK_VERSION: "4.2.49",
+    SDK_VERSION: "4.4.1",
 };