@ironcorelabs/ironweb 4.2.49 → 4.4.1

package/es/lib/Utils.js

@@ -1,5 +1,8 @@
 import * as UTF8 from "@stablelib/utf8";
 import { fromByteArray, toByteArray } from "base64-js";
+import Future from "futurejs";
+import { CryptoConstants, ErrorCodes, VERSION_HEADER_LENGTH, HEADER_META_LENGTH_LENGTH } from "../Constants";
+import SDKError from "./SDKError";
 /**
  * Convert a string into a ArrayBuffer, specifically a Uint8Array
  */
@@ -59,6 +62,13 @@ export function concatArrayBuffers() {
         return newBuffer;
     }, new Uint8Array(length));
 }
+/**
+ * Convert a transfer list of Uint8Arrays and Transferables into a Transferable[].
+ * Uint8Arrays are unwrapped to their underlying ArrayBuffer; other items pass through.
+ */
+export function toTransferables(items) {
+    return items.map(function (item) { return (item instanceof Uint8Array ? item.buffer : item); });
+}
 /**
  * Polyfill since some environments (notably Phantom) don't support ArrayBuffer.slice
  */
@@ -68,3 +78,30 @@ export function sliceArrayBuffer(buffer, start, end) {
     }
     return new Uint8Array(Array.prototype.slice.call(buffer, start, end));
 }
+/**
+ * Parse the IronCore document header from encrypted document bytes.
+ * Extracts the document ID (if v2), IV, and the byte offset where ciphertext begins.
+ */
+export function parseDocumentHeader(data) {
+    return Future.tryF(function () {
+        var version = data[0];
+        var documentID = null;
+        var headerTotalLength;
+        if (version === 1) {
+            headerTotalLength = VERSION_HEADER_LENGTH;
+        }
+        else if (version === 2) {
+            var headerJsonLength = new DataView(data.buffer, data.byteOffset).getUint16(VERSION_HEADER_LENGTH, false);
+            headerTotalLength = VERSION_HEADER_LENGTH + HEADER_META_LENGTH_LENGTH + headerJsonLength;
+            var headerContent = data.slice(VERSION_HEADER_LENGTH + HEADER_META_LENGTH_LENGTH, headerTotalLength);
+            var headerObject = JSON.parse(UTF8.decode(headerContent));
+            documentID = headerObject._did_;
+        }
+        else {
+            throw new Error("Provided encrypted document doesn't appear to be valid. Invalid version.");
+        }
+        var contentOffset = headerTotalLength + CryptoConstants.IV_LENGTH;
+        var iv = data.slice(headerTotalLength, contentOffset);
+        return { documentID: documentID, iv: iv, contentOffset: contentOffset };
+    }).errorMap(function (error) { return new SDKError(error, ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE); });
+}

package/es/shim/FrameMediator.js

@@ -1,6 +1,7 @@
 import Future from "futurejs";
 import { ErrorCodes, Frame, Versions } from "../Constants";
 import SDKError from "../lib/SDKError";
+import { toTransferables } from "../lib/Utils";
 /**
  * Class which handles messaging from the shim into the frame. Holds callback messages so that users can interact with this
  * class via Futures. Also handles the creation of all the ChannelMessage ports to pass down to the frame.
@@ -33,7 +34,7 @@ var ShimMessenger = /** @class */ (function () {
     /**
      * Post request message to child iFrame
      * @param {RequestMessage} data         RequestMessage to post to child iFrame
-     * @param {Uint8Array[]}  transferList  List of byte arrays to transfer to frame
+     * @param {Uint8Array[]}  transferList  List of byte arrays or transferables to transfer to frame
      */
     ShimMessenger.prototype.postMessageToFrame = function (data, transferList) {
         var _this = this;
@@ -43,16 +44,19 @@ var ShimMessenger = /** @class */ (function () {
             data: data,
         };
         try {
-            this.messagePort.postMessage(message, transferList.map(function (_a) {
-                var buffer = _a.buffer;
-                return buffer;
-            }));
+            this.messagePort.postMessage(message, toTransferables(transferList));
             return new Future(function (_, resolve) {
                 _this.callbacks[message.replyID] = resolve;
             });
         }
-        catch (_) {
-            return Future.reject(new SDKError(new Error("Failure occurred when passing message due to the lack of browser support."), ErrorCodes.BROWSER_FRAME_MESSAGE_FAILURE));
+        catch (_e) {
+            var hasStreams = transferList.some(function (item) { return item instanceof ReadableStream || item instanceof WritableStream; });
+            // Safari is the notable holdout here (https://github.com/WebKit/standards-positions/issues/643). For now,
+            // give an informative message about support.
+            var message_1 = hasStreams
+                ? "Streaming encrypt/decrypt requires transferable streams, which is not supported by this browser. It is known to be supported by Chrome, Firefox, and Edge."
+                : "Failure occurred when passing message due to the lack of browser support.";
+            return Future.reject(new SDKError(new Error(message_1), ErrorCodes.BROWSER_FRAME_MESSAGE_FAILURE));
         }
     };
     return ShimMessenger;

package/es/shim/Initialize.js

@@ -74,7 +74,6 @@ export var createNewUser = function (jwtCallback, passcode, needsRotation) {
         return FrameMediator.sendMessage(payload);
     })
         //Rename a few fields and strip out the users private key and currentKeyId since they'll probably be confusing that they're getting back an encrypted private key
-        //eslint-disable-next-line @typescript-eslint/no-unused-vars
         .map(function (_a) {
         var _b = _a.message, id = _b.id, segmentId = _b.segmentId, needsRotation = _b.needsRotation, status = _b.status, userMasterPublicKey = _b.userMasterPublicKey;
         return ({
@@ -157,3 +156,29 @@ export var deleteDeviceByPublicSigningKey = function (jwtCallback, publicSigning
     })
         .toPromise();
 };
+/**
+ * Update the status (enabled or disabled) of the user identified by the provided JWT.
+ * Authenticates with a JWT and does not require an initialized SDK. The user id is taken
+ * from the `sub` claim of the JWT.
+ */
+export var updateUserStatus = function (jwtCallback, status) {
+    return getJWT(jwtCallback)
+        .flatMap(function (jwtToken) {
+        var payload = {
+            type: "UPDATE_USER_STATUS_JWT",
+            message: { jwtToken: jwtToken, status: status },
+        };
+        return FrameMediator.sendMessage(payload);
+    })
+        .map(function (_a) {
+        var _b = _a.message, id = _b.id, segmentId = _b.segmentId, needsRotation = _b.needsRotation, status = _b.status, userMasterPublicKey = _b.userMasterPublicKey;
+        return ({
+            accountID: id,
+            segmentID: segmentId,
+            needsRotation: needsRotation,
+            status: status,
+            userMasterPublicKey: userMasterPublicKey,
+        });
+    })
+        .toPromise();
+};

package/es/shim/index.js

@@ -2,7 +2,8 @@ import { ErrorCodes } from "../Constants";
 import SDKError from "../lib/SDKError";
 import * as Init from "./Initialize";
 import { checkSDKInitialized } from "./ShimUtils";
-export { deleteDeviceByPublicSigningKey } from "./Initialize";
+export { deleteDeviceByPublicSigningKey, updateUserStatus } from "./Initialize";
+export { UserStatus } from "../Constants";
 /**
  * Checks bowser functionality to ensure random number generation is supported.
  */

package/es/shim/sdk/DocumentSDK.js

@@ -1,3 +1,39 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
 var __read = (this && this.__read) || function (o, n) {
     var m = typeof Symbol === "function" && o[Symbol.iterator];
     if (!m) return o;
@@ -14,12 +50,21 @@ var __read = (this && this.__read) || function (o, n) {
     }
     return ar;
 };
+var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
+    if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
+        if (ar || !(i in from)) {
+            if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+            ar[i] = from[i];
+        }
+    }
+    return to.concat(ar || Array.prototype.slice.call(from));
+};
 import Future from "futurejs";
 import { ErrorCodes, HEADER_META_LENGTH_LENGTH, VERSION_HEADER_LENGTH } from "../../Constants";
 import SDKError from "../../lib/SDKError";
+import { concatArrayBuffers, parseDocumentHeader } from "../../lib/Utils";
 import * as FrameMediator from "../FrameMediator";
 import * as ShimUtils from "../ShimUtils";
-import { utf8 } from "./CodecSDK";
 var MAX_DOCUMENT_SIZE = 1024 * 2 * 1000; //2MB
 /**
  * Takes the document encrypt options object and normalizes it to a complete object with proper default values.
@@ -83,23 +128,12 @@ export function getMetadata(documentID) {
 export function getDocumentIDFromBytes(documentData) {
     ShimUtils.checkSDKInitialized();
     ShimUtils.validateEncryptedDocument(documentData);
-    //Version 1 document, we don't have the document ID as it's not encoded in the header
-    if (documentData[0] === 1) {
-        return Promise.resolve(null);
-    }
-    //Check to see if the document is a version we don't support and reject if so
-    if (documentData[0] !== 2) {
-        return Promise.reject(new SDKError(new Error("Provided encrypted document doesn't appear to be valid. Invalid version."), ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE));
-    }
-    var headerLength = new DataView(documentData.buffer).getUint16(documentData.byteOffset + VERSION_HEADER_LENGTH, false);
-    var headerContent = documentData.slice(VERSION_HEADER_LENGTH + HEADER_META_LENGTH_LENGTH, VERSION_HEADER_LENGTH + HEADER_META_LENGTH_LENGTH + headerLength);
-    try {
-        var headerObject = JSON.parse(utf8.fromBytes(headerContent));
-        return Promise.resolve(headerObject._did_);
-    }
-    catch (_a) {
-        return Promise.reject(new SDKError(new Error("Unable to parse document header. Header value is corrupted."), ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE));
-    }
+    return parseDocumentHeader(documentData)
+        .map(function (_a) {
+        var documentID = _a.documentID;
+        return documentID;
+    })
+        .toPromise();
 }
 /**
  * @deprecated Use `decrypt` instead.
@@ -354,6 +388,174 @@ export function revokeAccess(documentID, revokeList) {
     })
         .toPromise();
 }
+/**
+ * Parse the version header, header JSON, and IV from the beginning of an encrypted ReadableStream.
+ * Returns the document ID, IV, and a new ReadableStream starting after the header+IV (ciphertext only).
+ */
+function parseStreamHeader(encryptedStream) {
+    var _this = this;
+    return Future.tryP(function () { return __awaiter(_this, void 0, void 0, function () {
+        var reader, chunks_1, totalLen_1, readAtLeastIntoChunks, initialHeaderBytes, headerJsonLength, e_1;
+        var _this = this;
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0:
+                    reader = encryptedStream.getReader();
+                    _a.label = 1;
+                case 1:
+                    _a.trys.push([1, 7, , 8]);
+                    chunks_1 = [];
+                    totalLen_1 = 0;
+                    readAtLeastIntoChunks = function (n) { return __awaiter(_this, void 0, void 0, function () {
+                        var _a, done, value;
+                        return __generator(this, function (_b) {
+                            switch (_b.label) {
+                                case 0:
+                                    if (!(totalLen_1 < n)) return [3 /*break*/, 2];
+                                    return [4 /*yield*/, reader.read()];
+                                case 1:
+                                    _a = _b.sent(), done = _a.done, value = _a.value;
+                                    if (done)
+                                        throw new SDKError(new Error("Encrypted stream ended before header could be parsed"), ErrorCodes.DOCUMENT_HEADER_PARSE_FAILURE);
+                                    chunks_1.push(value);
+                                    totalLen_1 += value.length;
+                                    return [3 /*break*/, 0];
+                                case 2: return [2 /*return*/];
+                            }
+                        });
+                    }); };
+                    // Need to read the header length prefix to know total size.
+                    return [4 /*yield*/, readAtLeastIntoChunks(VERSION_HEADER_LENGTH + HEADER_META_LENGTH_LENGTH)];
+                case 2:
+                    // Need to read the header length prefix to know total size.
+                    _a.sent();
+                    initialHeaderBytes = concatArrayBuffers.apply(void 0, __spreadArray([], __read(chunks_1), false));
+                    if (!(initialHeaderBytes[0] === 2)) return [3 /*break*/, 4];
+                    headerJsonLength = new DataView(initialHeaderBytes.buffer, initialHeaderBytes.byteOffset).getUint16(VERSION_HEADER_LENGTH, false);
+                    return [4 /*yield*/, readAtLeastIntoChunks(VERSION_HEADER_LENGTH + HEADER_META_LENGTH_LENGTH + headerJsonLength + 12)];
+                case 3:
+                    _a.sent();
+                    return [3 /*break*/, 6];
+                case 4: return [4 /*yield*/, readAtLeastIntoChunks(VERSION_HEADER_LENGTH + 12)];
+                case 5:
+                    _a.sent();
+                    _a.label = 6;
+                case 6: return [2 /*return*/, { reader: reader, buffer: concatArrayBuffers.apply(void 0, __spreadArray([], __read(chunks_1), false)) }];
+                case 7:
+                    e_1 = _a.sent();
+                    // On any error in reading header chunks we need to release the reader
+                    reader.releaseLock();
+                    throw e_1;
+                case 8: return [2 /*return*/];
+            }
+        });
+    }); }).flatMap(function (_a) {
+        var reader = _a.reader, buffer = _a.buffer;
+        return parseDocumentHeader(buffer)
+            .map(function (parsed) {
+            var remainder = buffer.slice(parsed.contentOffset);
+            // Once we've parsed the header we might have remaining bytes. If
+            // we do we start out the ciphertextStream by writing them and then pull
+            // can just pull from the reader we had previously read from.
+            var ciphertextStream = new ReadableStream({
+                start: function (controller) {
+                    if (remainder.length > 0) {
+                        controller.enqueue(remainder);
+                    }
+                },
+                pull: function (controller) {
+                    return reader.read().then(function (_a) {
+                        var done = _a.done, value = _a.value;
+                        done ? controller.close() : controller.enqueue(value);
+                    });
+                },
+                cancel: function () {
+                    return reader.cancel();
+                },
+            });
+            return { documentID: parsed.documentID, iv: parsed.iv, ciphertextStream: ciphertextStream };
+        })
+            .errorMap(function (e) {
+            // On any error in preparing the new stream we need to release the reader lock
+            // This is purely defensive.
+            reader.releaseLock();
+            return e;
+        });
+    });
+}
+/**
+ * Encrypt a plaintext stream. Returns a Promise which resolves with the encrypted stream and document metadata.
+ * The output stream produces bytes in the same format as encrypt(): [header][IV][ciphertext][auth_tag].
+ *
+ * @param {ReadableStream<Uint8Array>} plaintextStream  Plaintext data as a ReadableStream
+ * @param {DocumentCreateOptions}      options           Document create options
+ */
+export function encryptStream(plaintextStream, options) {
+    ShimUtils.checkSDKInitialized();
+    var encryptOptions = calculateDocumentCreateOptionsDefault(options);
+    if (encryptOptions.documentID) {
+        ShimUtils.validateID(encryptOptions.documentID);
+    }
+    var _a = __read(ShimUtils.dedupeAccessLists(encryptOptions.accessList), 2), userGrants = _a[0], groupGrants = _a[1];
+    var payload = {
+        type: "DOCUMENT_STREAM_ENCRYPT",
+        message: {
+            documentID: encryptOptions.documentID,
+            documentName: encryptOptions.documentName,
+            plaintextStream: plaintextStream,
+            userGrants: userGrants,
+            groupGrants: groupGrants,
+            grantToAuthor: encryptOptions.accessList.grantToAuthor,
+            policy: encryptOptions.policy,
+        },
+    };
+    // Cast needed because TS's Transferable type doesn't yet include ReadableStream/WritableStream
+    return FrameMediator.sendMessage(payload, [plaintextStream])
+        .map(function (_a) {
+        var message = _a.message;
+        return ({
+            documentID: message.documentID,
+            documentName: message.documentName,
+            encryptedStream: message.encryptedStream,
+            created: message.created,
+            updated: message.updated,
+        });
+    })
+        .toPromise();
+}
+/**
+ * Decrypt an encrypted document stream. Parses the header and IV from the stream, then streams decrypted
+ * plaintext back via the returned ReadableStream. If the auth tag fails at the end of the stream, the
+ * readable side errors — which propagates through pipeTo() to abort any destination WritableStream.
+ *
+ * @param {string}                     documentID      ID of the document to decrypt
+ * @param {ReadableStream<Uint8Array>} encryptedStream Encrypted document as a ReadableStream (from fetch().body, file.stream(), etc.)
+ */
+export function decryptStream(documentID, encryptedStream) {
+    ShimUtils.checkSDKInitialized();
+    ShimUtils.validateID(documentID);
+    return parseStreamHeader(encryptedStream)
+        .flatMap(function (_a) {
+        var iv = _a.iv, ciphertextStream = _a.ciphertextStream;
+        var payload = {
+            type: "DOCUMENT_STREAM_DECRYPT",
+            message: { documentID: documentID, iv: iv, encryptedStream: ciphertextStream },
+        };
+        return FrameMediator.sendMessage(payload, [ciphertextStream]).map(function (_a) {
+            var message = _a.message;
+            return ({
+                documentID: documentID,
+                documentName: message.documentName,
+                visibleTo: message.visibleTo,
+                association: message.association,
+                created: message.created,
+                updated: message.updated,
+                plaintextStream: message.plaintextStream,
+            });
+        });
+    })
+        .toPromise();
+}
 /**
  * A collection of methods for advanced encryption/decryption use cases. Currently focused on methods which require the caller to manage the encrypted
  * DEKs.
@@ -389,6 +591,66 @@ export var advanced = {
         })
             .toPromise();
     },
+    /**
+     * Streaming decrypt with caller-provided EDEKs. Parses the header/IV from the stream, then decrypts.
+     * If the auth tag fails, the returned plaintextStream errors.
+     */
+    decryptStreamUnmanaged: function (encryptedStream, edeks) {
+        ShimUtils.checkSDKInitialized();
+        ShimUtils.validateEncryptedDeks(edeks);
+        return parseStreamHeader(encryptedStream)
+            .flatMap(function (_a) {
+            var documentID = _a.documentID, iv = _a.iv, ciphertextStream = _a.ciphertextStream;
+            var payload = {
+                type: "DOCUMENT_UNMANAGED_STREAM_DECRYPT",
+                message: { edeks: edeks, iv: iv, encryptedStream: ciphertextStream },
+            };
+            return FrameMediator.sendMessage(payload, [
+                ciphertextStream,
+            ]).map(function (_a) {
+                var message = _a.message;
+                return ({
+                    documentID: documentID,
+                    plaintextStream: message.plaintextStream,
+                    accessVia: message.accessVia,
+                });
+            });
+        })
+            .toPromise();
+    },
+    /**
+     * Streaming encrypt with caller-managed EDEKs. Returns the encrypted stream and EDEKs to the caller.
+     * The output stream produces bytes in the same format as encrypt(): [header][IV][ciphertext][auth_tag].
+     */
+    encryptStreamUnmanaged: function (plaintextStream, options) {
+        ShimUtils.checkSDKInitialized();
+        var encryptOptions = calculateDocumentCreateOptionsDefault(options);
+        if (encryptOptions.documentID) {
+            ShimUtils.validateID(encryptOptions.documentID);
+        }
+        var _a = __read(ShimUtils.dedupeAccessLists(encryptOptions.accessList), 2), userGrants = _a[0], groupGrants = _a[1];
+        var payload = {
+            type: "DOCUMENT_UNMANAGED_STREAM_ENCRYPT",
+            message: {
+                documentID: encryptOptions.documentID,
+                plaintextStream: plaintextStream,
+                userGrants: userGrants,
+                groupGrants: groupGrants,
+                grantToAuthor: encryptOptions.accessList.grantToAuthor,
+                policy: encryptOptions.policy,
+            },
+        };
+        return FrameMediator.sendMessage(payload, [plaintextStream])
+            .map(function (_a) {
+            var message = _a.message;
+            return ({
+                documentID: message.documentID,
+                encryptedStream: message.encryptedStream,
+                edeks: message.edeks,
+            });
+        })
+            .toPromise();
+    },
     /**
      * Encrypt the provided document with various document create options. Does not store any part of the document within IronCore and instead returns
      * the encrypted DEKs to the caller. These encrypted DEKs must be then be provided as input in order to decrypt the document.

package/es/shim/sdk/UserSDK.js

@@ -96,3 +96,34 @@ export var listDevices = function () {
     })
         .toPromise();
 };
+/**
+ * Disables the currently authenticated user. Disabled users are unable to call any
+ * other authorized SDK functions but remain in any groups they belonged to. Users
+ * cannot re-enable themselves; an admin must call `updateUserStatus` with a JWT for
+ * the user to re-enable them.
+ */
+export var disableSelf = function () {
+    checkSDKInitialized();
+    var payload = {
+        type: "DISABLE_USER_SELF",
+        message: null,
+    };
+    // The frame wipes its ApiState and device keys on a successful disable, so mirror the
+    // current-device path of `deleteDevice` here: drop the parent-window symmetric key now
+    // and clear the init flag on success. Otherwise `isInitialized()` keeps returning true
+    // while the frame is empty, and the next SDK call fails confusingly in the frame.
+    clearParentWindowSymmetricKey();
+    return FrameMediator.sendMessage(payload)
+        .map(function (_a) {
+        var _b = _a.message, id = _b.id, segmentId = _b.segmentId, needsRotation = _b.needsRotation, status = _b.status, userMasterPublicKey = _b.userMasterPublicKey;
+        clearSDKInitialized();
+        return {
+            accountID: id,
+            segmentID: segmentId,
+            needsRotation: needsRotation,
+            status: status,
+            userMasterPublicKey: userMasterPublicKey,
+        };
+    })
+        .toPromise();
+};

package/ironweb.d.ts

@@ -96,6 +96,22 @@ export interface DocumentAccessResponse {
     succeeded: UserOrGroup[];
     failed: (UserOrGroup & {error: string})[];
 }
+export interface StreamEncryptResponse extends DocumentIDNameResponse {
+    encryptedStream: ReadableStream<Uint8Array>;
+}
+export interface StreamEncryptUnmanagedResponse {
+    documentID: string;
+    encryptedStream: ReadableStream<Uint8Array>;
+    edeks: Uint8Array;
+}
+export interface StreamDecryptResponse extends DocumentMetaResponse {
+    plaintextStream: ReadableStream<Uint8Array>;
+}
+export interface StreamDecryptUnmanagedResponse {
+    documentID: string;
+    plaintextStream: ReadableStream<Uint8Array>;
+    accessVia: UserOrGroup;
+}
 
 /**
  * Group SDK response types
@@ -139,6 +155,18 @@ export interface UserCreateResponse {
     userMasterPublicKey: PublicKey<Base64String>;
     needsRotation: boolean;
 }
+export interface UserUpdateResponse {
+    accountID: string;
+    segmentID: number;
+    status: UserStatus;
+    userMasterPublicKey: PublicKey<Base64String>;
+    needsRotation: boolean;
+}
+export const UserStatus: {
+    DISABLED: 0;
+    ENABLED: 1;
+};
+export type UserStatus = 0 | 1;
 export interface DeviceKeys {
     accountId: string;
     segmentId: number;
@@ -184,6 +212,7 @@ export interface User {
     listDevices(): Promise<UserDeviceListResponse>;
     changePasscode(currentPasscode: string, newPasscode: string): Promise<void>;
     rotateMasterKey(passcode: string): Promise<void>;
+    disableSelf(): Promise<UserUpdateResponse>;
 }
 
 export interface Document {
@@ -191,8 +220,10 @@ export interface Document {
     getMetadata(documentID: string): Promise<DocumentMetaResponse>;
     getDocumentIDFromBytes(encryptedDocument: Uint8Array): Promise<string | null>;
     decrypt(documentID: string, encryptedDocument: Uint8Array): Promise<DecryptedDocumentResponse>;
+    decryptStream(documentID: string, encryptedStream: ReadableStream<Uint8Array>): Promise<StreamDecryptResponse>;
     decryptFromStore(documentID: string): Promise<DecryptedDocumentResponse>;
     encrypt(documentData: Uint8Array, options?: DocumentCreateOptions): Promise<EncryptedDocumentResponse>;
+    encryptStream(plaintextStream: ReadableStream<Uint8Array>, options?: DocumentCreateOptions): Promise<StreamEncryptResponse>;
     encryptToStore(documentData: Uint8Array, options?: DocumentCreateOptions): Promise<DocumentIDNameResponse>;
     updateEncryptedData(documentID: string, newDocumentData: Uint8Array): Promise<EncryptedDocumentResponse>;
     updateEncryptedDataInStore(documentID: string, newDocumentData: Uint8Array): Promise<DocumentIDNameResponse>;
@@ -201,7 +232,12 @@ export interface Document {
     revokeAccess(documentID: string, revokeList: DocumentAccessList): Promise<DocumentAccessResponse>;
     advanced: {
         decryptUnmanaged(data: Uint8Array, edeks: Uint8Array): Promise<DecryptedUnmanagedDocumentResponse>;
+        decryptStreamUnmanaged(encryptedStream: ReadableStream<Uint8Array>, edeks: Uint8Array): Promise<StreamDecryptUnmanagedResponse>;
         encryptUnmanaged(documentData: Uint8Array, options?: Omit<DocumentCreateOptions, "documentName">): Promise<EncryptedUnmanagedDocumentResponse>;
+        encryptStreamUnmanaged(
+            plaintextStream: ReadableStream<Uint8Array>,
+            options?: Omit<DocumentCreateOptions, "documentName">
+        ): Promise<StreamEncryptUnmanagedResponse>;
     };
 }
 
@@ -283,6 +319,7 @@ export interface ErrorCodes {
     USER_DEVICE_DELETE_REQUEST_FAILURE: 210;
     USER_UPDATE_KEY_REQUEST_FAILURE: 211;
     USER_PRIVATE_KEY_ROTATION_FAILURE: 212;
+    USER_UPDATE_STATUS_REQUEST_FAILURE: 214;
     DOCUMENT_LIST_REQUEST_FAILURE: 300;
     DOCUMENT_GET_REQUEST_FAILURE: 301;
     DOCUMENT_CREATE_REQUEST_FAILURE: 302;
@@ -297,6 +334,8 @@ export interface ErrorCodes {
     DOCUMENT_CREATE_WITH_ACCESS_FAILURE: 311;
     DOCUMENT_HEADER_PARSE_FAILURE: 312;
     DOCUMENT_TRANSFORM_REQUEST_FAILURE: 313;
+    DOCUMENT_STREAM_DECRYPT_FAILURE: 314;
+    DOCUMENT_STREAM_ENCRYPT_FAILURE: 315;
     GROUP_LIST_REQUEST_FAILURE: 400;
     GROUP_GET_REQUEST_FAILURE: 401;
     GROUP_CREATE_REQUEST_FAILURE: 402;
@@ -335,3 +374,4 @@ export function createNewUser(jwtCallback: JWTCallback, passcode: string, option
 export function createNewDeviceKeys(jwtCallback: JWTCallback, passcode: string): Promise<DeviceKeys>;
 export function isInitialized(): boolean;
 export function deleteDeviceByPublicSigningKey(jwtCallback: JWTCallback, publicSigningKey: Base64String): Promise<number>;
+export function updateUserStatus(jwtCallback: JWTCallback, status: UserStatus): Promise<UserUpdateResponse>;