@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.1

package/src/services/__tests__/proof-verifier.integration.test.ts

@@ -0,0 +1,485 @@
+/**
+ * Integration Tests for ProofVerifier with Real DID Resolution
+ *
+ * These tests verify end-to-end proof verification with actual DID resolution,
+ * testing both did:key (offline) and did:web (HTTP) resolution methods.
+ */
+
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { ProofVerifier } from "../proof-verifier.js";
+import { CryptoService, type Ed25519JWK } from "../crypto.service.js";
+import type {
+  CryptoProvider,
+  ClockProvider,
+  NonceCacheProvider,
+  FetchProvider,
+} from "../../providers/base.js";
+import type { DetachedProof } from "@kya-os/contracts/proof";
+import {
+  PROOF_VERIFICATION_ERROR_CODES,
+  ProofVerificationError,
+} from "../errors.js";
+
+describe("ProofVerifier Integration - Real DID Resolution", () => {
+  let proofVerifier: ProofVerifier;
+  let mockCryptoProvider: CryptoProvider;
+  let mockClockProvider: ClockProvider;
+  let mockNonceCache: NonceCacheProvider;
+  let realFetchProvider: FetchProvider;
+
+  const validJwk: Ed25519JWK = {
+    kty: "OKP",
+    crv: "Ed25519",
+    x: "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ",
+    kid: "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ#key-1",
+  };
+
+  const createValidProof = (did: string, kid: string): DetachedProof => {
+    const header = { alg: "EdDSA", typ: "JWT" };
+    const payload = {
+      aud: "test-audience",
+      sub: did,
+      iss: did,
+      nonce: `nonce-${Date.now()}`,
+      ts: Math.floor(Date.now() / 1000),
+      sessionId: "session123",
+      requestHash: "sha256:" + "a".repeat(64),
+      responseHash: "sha256:" + "b".repeat(64),
+    };
+    // Use TextEncoder/Decoder for base64 encoding (works in both Node and browser)
+    const encoder = new TextEncoder();
+    const headerB64 = btoa(JSON.stringify(header))
+      .replace(/\+/g, "-")
+      .replace(/\//g, "_")
+      .replace(/=/g, "");
+    const payloadB64 = btoa(JSON.stringify(payload))
+      .replace(/\+/g, "-")
+      .replace(/\//g, "_")
+      .replace(/=/g, "");
+    const signatureB64 = btoa("signature")
+      .replace(/\+/g, "-")
+      .replace(/\//g, "_")
+      .replace(/=/g, "");
+    const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+    return {
+      jws,
+      meta: {
+        did,
+        kid,
+        ts: Math.floor(Date.now() / 1000),
+        nonce: `nonce-${Date.now()}`,
+        audience: "test-audience",
+        sessionId: "session123",
+        requestHash: "sha256:" + "a".repeat(64),
+        responseHash: "sha256:" + "b".repeat(64),
+      },
+    };
+  };
+
+  beforeEach(() => {
+    mockCryptoProvider = {
+      sign: vi.fn(),
+      verify: vi.fn().mockResolvedValue(true),
+      generateKeyPair: vi.fn(),
+      hash: vi.fn(),
+      randomBytes: vi.fn(),
+    };
+
+    mockClockProvider = {
+      now: vi.fn().mockReturnValue(Date.now()),
+      isWithinSkew: vi.fn().mockReturnValue(true),
+      hasExpired: vi.fn(),
+      calculateExpiry: vi.fn(
+        (ttlSeconds: number) => Date.now() + ttlSeconds * 1000
+      ),
+      format: vi.fn(),
+    };
+
+    mockNonceCache = {
+      has: vi.fn().mockResolvedValue(false),
+      add: vi.fn().mockResolvedValue(undefined),
+      cleanup: vi.fn().mockResolvedValue(undefined),
+      destroy: vi.fn().mockResolvedValue(undefined),
+    };
+
+    // Real fetch provider that actually resolves DIDs
+    realFetchProvider = {
+      resolveDID: async (did: string) => {
+        // did:key resolution (offline)
+        if (did.startsWith("did:key:")) {
+          const publicKeyMultibase = did.slice("did:key:".length);
+          return {
+            "@context": ["https://www.w3.org/ns/did/v1"],
+            id: did,
+            verificationMethod: [
+              {
+                id: `${did}#key-1`,
+                type: "Ed25519VerificationKey2020",
+                controller: did,
+                publicKeyMultibase,
+                publicKeyJwk: validJwk,
+              },
+            ],
+            authentication: [`${did}#key-1`],
+            assertionMethod: [`${did}#key-1`],
+          };
+        }
+
+        // did:web resolution (HTTP)
+        if (did.startsWith("did:web:")) {
+          const domain = did.slice("did:web:".length).replace(/:/g, "/");
+          const url = `https://${domain}/.well-known/did.json`;
+
+          try {
+            const response = await fetch(url);
+            if (!response.ok) {
+              throw new Error(
+                `HTTP ${response.status}: ${response.statusText}`
+              );
+            }
+            return await response.json();
+          } catch (error) {
+            throw new Error(
+              `Failed to resolve ${did}: ${error instanceof Error ? error.message : String(error)}`
+            );
+          }
+        }
+
+        throw new Error(`Unsupported DID method: ${did}`);
+      },
+      fetchStatusList: vi.fn(),
+      fetchDelegationChain: vi.fn(),
+      fetch: vi.fn(),
+    };
+
+    proofVerifier = new ProofVerifier({
+      cryptoProvider: mockCryptoProvider,
+      clockProvider: mockClockProvider,
+      nonceCacheProvider: mockNonceCache,
+      fetchProvider: realFetchProvider,
+      timestampSkewSeconds: 120,
+      nonceTtlSeconds: 300,
+    });
+  });
+
+  describe("did:key Resolution (Offline)", () => {
+    it("should resolve did:key and extract public key", async () => {
+      const did =
+        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
+      const kid = "key-1"; // Just the fragment, not the full DID#key-1
+
+      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
+
+      expect(publicKey).toBeDefined();
+      expect(publicKey?.kty).toBe("OKP");
+      expect(publicKey?.crv).toBe("Ed25519");
+      expect(publicKey?.kid).toBe(`${did}#${kid}`);
+    });
+
+    it("should verify proof with did:key resolution", async () => {
+      const did =
+        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
+      const kid = "key-1";
+      const proof = createValidProof(did, `${did}#${kid}`); // Full kid in proof meta
+
+      // Fetch public key from DID
+      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
+      expect(publicKey).toBeDefined();
+
+      // Verify proof
+      const result = await proofVerifier.verifyProof(proof, publicKey!);
+
+      expect(result.valid).toBe(true);
+      expect(mockNonceCache.has).toHaveBeenCalledWith(proof.meta.nonce, proof.meta.did);
+      expect(mockNonceCache.add).toHaveBeenCalledWith(
+        proof.meta.nonce,
+        expect.any(Number),
+        proof.meta.did
+      );
+    });
+
+    it("should handle missing verification method in did:key", async () => {
+      const did =
+        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
+      const kid = "nonexistent"; // Just the fragment
+
+      await expect(
+        proofVerifier.fetchPublicKeyFromDID(did, kid)
+      ).rejects.toThrow(ProofVerificationError);
+
+      try {
+        await proofVerifier.fetchPublicKeyFromDID(did, kid);
+        expect.fail("Should have thrown ProofVerificationError");
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND
+        );
+      }
+    });
+  });
+
+  describe("did:web Resolution (HTTP)", () => {
+    // Skip this test in CI environments - it depends on external network calls
+    // and can be flaky. Run locally for manual verification only.
+    it.skip("should resolve did:web from real endpoint", async () => {
+      // Use a known did:web endpoint (example.com has a well-known DID document)
+      // Note: This test may fail if the endpoint is unavailable
+      const did = "did:web:example.com";
+
+      try {
+        const publicKey = await proofVerifier.fetchPublicKeyFromDID(did);
+
+        // If resolution succeeds, verify structure
+        if (publicKey) {
+          expect(publicKey.kty).toBe("OKP");
+          expect(publicKey.crv).toBe("Ed25519");
+        }
+      } catch (error) {
+        // If resolution fails (network issue, endpoint doesn't exist), that's okay
+        // We're testing that the resolution mechanism works, not that every endpoint exists
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.DID_RESOLUTION_FAILED
+        );
+      }
+    }, 10000); // 10 second timeout for HTTP requests
+
+    it("should handle HTTP errors gracefully", async () => {
+      const did = "did:web:nonexistent-domain-that-does-not-exist-12345.com";
+
+      await expect(proofVerifier.fetchPublicKeyFromDID(did)).rejects.toThrow(
+        ProofVerificationError
+      );
+
+      try {
+        await proofVerifier.fetchPublicKeyFromDID(did);
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.DID_RESOLUTION_FAILED
+        );
+      }
+    }, 10000);
+
+    it("should handle DID document without verification methods", async () => {
+      // Mock a DID document without verification methods
+      const mockFetchProvider: FetchProvider = {
+        resolveDID: vi.fn().mockResolvedValue({
+          "@context": ["https://www.w3.org/ns/did/v1"],
+          id: "did:web:test.com",
+          // No verificationMethod
+        }),
+        fetchStatusList: vi.fn(),
+        fetchDelegationChain: vi.fn(),
+        fetch: vi.fn(),
+      };
+
+      const testVerifier = new ProofVerifier({
+        cryptoProvider: mockCryptoProvider,
+        clockProvider: mockClockProvider,
+        nonceCacheProvider: mockNonceCache,
+        fetchProvider: mockFetchProvider,
+      });
+
+      await expect(
+        testVerifier.fetchPublicKeyFromDID("did:web:test.com")
+      ).rejects.toThrow(ProofVerificationError);
+
+      try {
+        await testVerifier.fetchPublicKeyFromDID("did:web:test.com");
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND
+        );
+      }
+    });
+
+    it("should handle verification method without publicKeyJwk", async () => {
+      const mockFetchProvider: FetchProvider = {
+        resolveDID: vi.fn().mockResolvedValue({
+          "@context": ["https://www.w3.org/ns/did/v1"],
+          id: "did:web:test.com",
+          verificationMethod: [
+            {
+              id: "did:web:test.com#key-1",
+              type: "Ed25519VerificationKey2020",
+              controller: "did:web:test.com",
+              // No publicKeyJwk
+            },
+          ],
+        }),
+        fetchStatusList: vi.fn(),
+        fetchDelegationChain: vi.fn(),
+        fetch: vi.fn(),
+      };
+
+      const testVerifier = new ProofVerifier({
+        cryptoProvider: mockCryptoProvider,
+        clockProvider: mockClockProvider,
+        nonceCacheProvider: mockNonceCache,
+        fetchProvider: mockFetchProvider,
+      });
+
+      await expect(
+        testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1")
+      ).rejects.toThrow(ProofVerificationError);
+
+      try {
+        await testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1");
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.PUBLIC_KEY_NOT_FOUND
+        );
+      }
+    });
+
+    it("should handle non-Ed25519 keys", async () => {
+      const mockFetchProvider: FetchProvider = {
+        resolveDID: vi.fn().mockResolvedValue({
+          "@context": ["https://www.w3.org/ns/did/v1"],
+          id: "did:web:test.com",
+          verificationMethod: [
+            {
+              id: "did:web:test.com#key-1",
+              type: "RsaVerificationKey2018",
+              controller: "did:web:test.com",
+              publicKeyJwk: {
+                kty: "RSA",
+                n: "test",
+                e: "AQAB",
+              },
+            },
+          ],
+        }),
+        fetchStatusList: vi.fn(),
+        fetchDelegationChain: vi.fn(),
+        fetch: vi.fn(),
+      };
+
+      const testVerifier = new ProofVerifier({
+        cryptoProvider: mockCryptoProvider,
+        clockProvider: mockClockProvider,
+        nonceCacheProvider: mockNonceCache,
+        fetchProvider: mockFetchProvider,
+      });
+
+      await expect(
+        testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1")
+      ).rejects.toThrow(ProofVerificationError);
+
+      try {
+        await testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1");
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.INVALID_JWK_FORMAT
+        );
+      }
+    });
+  });
+
+  describe("End-to-End Proof Verification with DID Resolution", () => {
+    it("should verify proof with did:key resolution end-to-end", async () => {
+      const did =
+        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
+      const kid = "key-1";
+      const proof = createValidProof(did, `${did}#${kid}`); // Full kid in proof meta
+
+      // Fetch public key from DID
+      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
+      expect(publicKey).toBeDefined();
+
+      // Verify proof
+      const result = await proofVerifier.verifyProof(proof, publicKey!);
+
+      expect(result.valid).toBe(true);
+      expect(result.errorCode).toBeUndefined();
+      expect(mockCryptoProvider.verify).toHaveBeenCalled();
+    });
+
+    it("should return specific error code for nonce replay", async () => {
+      const did =
+        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
+      const kid = "key-1";
+      const proof = createValidProof(did, `${did}#${kid}`);
+      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
+
+      // First verification should succeed
+      const result1 = await proofVerifier.verifyProof(proof, publicKey!);
+      expect(result1.valid).toBe(true);
+
+      // Second verification should fail with nonce replay error
+      mockNonceCache.has = vi.fn().mockResolvedValue(true);
+      const result2 = await proofVerifier.verifyProof(proof, publicKey!);
+
+      expect(result2.valid).toBe(false);
+      expect(result2.errorCode).toBe(
+        PROOF_VERIFICATION_ERROR_CODES.NONCE_REPLAY_DETECTED
+      );
+      expect(result2.details?.nonce).toBe(proof.meta.nonce);
+    });
+
+    it("should return specific error code for timestamp skew", async () => {
+      const did =
+        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
+      const kid = "key-1";
+      const proof = createValidProof(did, `${did}#${kid}`);
+      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
+
+      // Mock clock to reject timestamp
+      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(false);
+
+      const result = await proofVerifier.verifyProof(proof, publicKey!);
+
+      expect(result.valid).toBe(false);
+      expect(result.errorCode).toBe(
+        PROOF_VERIFICATION_ERROR_CODES.TIMESTAMP_SKEW_EXCEEDED
+      );
+      expect(result.details?.timestamp).toBe(proof.meta.ts);
+      expect(result.details?.skewSeconds).toBe(120);
+    });
+
+    it("should return specific error code for invalid signature", async () => {
+      const did =
+        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
+      const kid = "key-1";
+      const proof = createValidProof(did, `${did}#${kid}`);
+      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
+
+      // Mock signature verification to fail
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
+
+      const result = await proofVerifier.verifyProof(proof, publicKey!);
+
+      expect(result.valid).toBe(false);
+      expect(result.errorCode).toBe(
+        PROOF_VERIFICATION_ERROR_CODES.INVALID_JWS_SIGNATURE
+      );
+      expect(result.details?.expectedKid).toBe(`${did}#${kid}`);
+    });
+  });
+
+  describe("Error Code Coverage", () => {
+    it("should return INVALID_PROOF_STRUCTURE for malformed proof", async () => {
+      const invalidProof = {
+        jws: "invalid",
+        meta: {
+          // Missing required fields
+          did: "did:test",
+        },
+      } as any;
+
+      const result = await proofVerifier.verifyProof(invalidProof, validJwk);
+
+      expect(result.valid).toBe(false);
+      expect(result.errorCode).toBe(
+        PROOF_VERIFICATION_ERROR_CODES.INVALID_PROOF_STRUCTURE
+      );
+      expect(result.details?.zodErrors).toBeDefined();
+    });
+  });
+});