@kya-os/mcp-i-core 1.3.13 → 1.3.15

package/src/services/__tests__/proof-verifier.integration.test.ts

@@ -1,485 +0,0 @@
-/**
- * Integration Tests for ProofVerifier with Real DID Resolution
- *
- * These tests verify end-to-end proof verification with actual DID resolution,
- * testing both did:key (offline) and did:web (HTTP) resolution methods.
- */
-
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { ProofVerifier } from "../proof-verifier.js";
-import { CryptoService, type Ed25519JWK } from "../crypto.service.js";
-import type {
-  CryptoProvider,
-  ClockProvider,
-  NonceCacheProvider,
-  FetchProvider,
-} from "../../providers/base.js";
-import type { DetachedProof } from "@kya-os/contracts/proof";
-import {
-  PROOF_VERIFICATION_ERROR_CODES,
-  ProofVerificationError,
-} from "../errors.js";
-
-describe("ProofVerifier Integration - Real DID Resolution", () => {
-  let proofVerifier: ProofVerifier;
-  let mockCryptoProvider: CryptoProvider;
-  let mockClockProvider: ClockProvider;
-  let mockNonceCache: NonceCacheProvider;
-  let realFetchProvider: FetchProvider;
-
-  const validJwk: Ed25519JWK = {
-    kty: "OKP",
-    crv: "Ed25519",
-    x: "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ",
-    kid: "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ#key-1",
-  };
-
-  const createValidProof = (did: string, kid: string): DetachedProof => {
-    const header = { alg: "EdDSA", typ: "JWT" };
-    const payload = {
-      aud: "test-audience",
-      sub: did,
-      iss: did,
-      nonce: `nonce-${Date.now()}`,
-      ts: Math.floor(Date.now() / 1000),
-      sessionId: "session123",
-      requestHash: "sha256:" + "a".repeat(64),
-      responseHash: "sha256:" + "b".repeat(64),
-    };
-    // Use TextEncoder/Decoder for base64 encoding (works in both Node and browser)
-    const encoder = new TextEncoder();
-    const headerB64 = btoa(JSON.stringify(header))
-      .replace(/\+/g, "-")
-      .replace(/\//g, "_")
-      .replace(/=/g, "");
-    const payloadB64 = btoa(JSON.stringify(payload))
-      .replace(/\+/g, "-")
-      .replace(/\//g, "_")
-      .replace(/=/g, "");
-    const signatureB64 = btoa("signature")
-      .replace(/\+/g, "-")
-      .replace(/\//g, "_")
-      .replace(/=/g, "");
-    const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
-
-    return {
-      jws,
-      meta: {
-        did,
-        kid,
-        ts: Math.floor(Date.now() / 1000),
-        nonce: `nonce-${Date.now()}`,
-        audience: "test-audience",
-        sessionId: "session123",
-        requestHash: "sha256:" + "a".repeat(64),
-        responseHash: "sha256:" + "b".repeat(64),
-      },
-    };
-  };
-
-  beforeEach(() => {
-    mockCryptoProvider = {
-      sign: vi.fn(),
-      verify: vi.fn().mockResolvedValue(true),
-      generateKeyPair: vi.fn(),
-      hash: vi.fn(),
-      randomBytes: vi.fn(),
-    };
-
-    mockClockProvider = {
-      now: vi.fn().mockReturnValue(Date.now()),
-      isWithinSkew: vi.fn().mockReturnValue(true),
-      hasExpired: vi.fn(),
-      calculateExpiry: vi.fn(
-        (ttlSeconds: number) => Date.now() + ttlSeconds * 1000
-      ),
-      format: vi.fn(),
-    };
-
-    mockNonceCache = {
-      has: vi.fn().mockResolvedValue(false),
-      add: vi.fn().mockResolvedValue(undefined),
-      cleanup: vi.fn().mockResolvedValue(undefined),
-      destroy: vi.fn().mockResolvedValue(undefined),
-    };
-
-    // Real fetch provider that actually resolves DIDs
-    realFetchProvider = {
-      resolveDID: async (did: string) => {
-        // did:key resolution (offline)
-        if (did.startsWith("did:key:")) {
-          const publicKeyMultibase = did.slice("did:key:".length);
-          return {
-            "@context": ["https://www.w3.org/ns/did/v1"],
-            id: did,
-            verificationMethod: [
-              {
-                id: `${did}#key-1`,
-                type: "Ed25519VerificationKey2020",
-                controller: did,
-                publicKeyMultibase,
-                publicKeyJwk: validJwk,
-              },
-            ],
-            authentication: [`${did}#key-1`],
-            assertionMethod: [`${did}#key-1`],
-          };
-        }
-
-        // did:web resolution (HTTP)
-        if (did.startsWith("did:web:")) {
-          const domain = did.slice("did:web:".length).replace(/:/g, "/");
-          const url = `https://${domain}/.well-known/did.json`;
-
-          try {
-            const response = await fetch(url);
-            if (!response.ok) {
-              throw new Error(
-                `HTTP ${response.status}: ${response.statusText}`
-              );
-            }
-            return await response.json();
-          } catch (error) {
-            throw new Error(
-              `Failed to resolve ${did}: ${error instanceof Error ? error.message : String(error)}`
-            );
-          }
-        }
-
-        throw new Error(`Unsupported DID method: ${did}`);
-      },
-      fetchStatusList: vi.fn(),
-      fetchDelegationChain: vi.fn(),
-      fetch: vi.fn(),
-    };
-
-    proofVerifier = new ProofVerifier({
-      cryptoProvider: mockCryptoProvider,
-      clockProvider: mockClockProvider,
-      nonceCacheProvider: mockNonceCache,
-      fetchProvider: realFetchProvider,
-      timestampSkewSeconds: 120,
-      nonceTtlSeconds: 300,
-    });
-  });
-
-  describe("did:key Resolution (Offline)", () => {
-    it("should resolve did:key and extract public key", async () => {
-      const did =
-        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
-      const kid = "key-1"; // Just the fragment, not the full DID#key-1
-
-      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
-
-      expect(publicKey).toBeDefined();
-      expect(publicKey?.kty).toBe("OKP");
-      expect(publicKey?.crv).toBe("Ed25519");
-      expect(publicKey?.kid).toBe(`${did}#${kid}`);
-    });
-
-    it("should verify proof with did:key resolution", async () => {
-      const did =
-        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
-      const kid = "key-1";
-      const proof = createValidProof(did, `${did}#${kid}`); // Full kid in proof meta
-
-      // Fetch public key from DID
-      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
-      expect(publicKey).toBeDefined();
-
-      // Verify proof
-      const result = await proofVerifier.verifyProof(proof, publicKey!);
-
-      expect(result.valid).toBe(true);
-      expect(mockNonceCache.has).toHaveBeenCalledWith(proof.meta.nonce, proof.meta.did);
-      expect(mockNonceCache.add).toHaveBeenCalledWith(
-        proof.meta.nonce,
-        expect.any(Number),
-        proof.meta.did
-      );
-    });
-
-    it("should handle missing verification method in did:key", async () => {
-      const did =
-        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
-      const kid = "nonexistent"; // Just the fragment
-
-      await expect(
-        proofVerifier.fetchPublicKeyFromDID(did, kid)
-      ).rejects.toThrow(ProofVerificationError);
-
-      try {
-        await proofVerifier.fetchPublicKeyFromDID(did, kid);
-        expect.fail("Should have thrown ProofVerificationError");
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND
-        );
-      }
-    });
-  });
-
-  describe("did:web Resolution (HTTP)", () => {
-    // Skip this test in CI environments - it depends on external network calls
-    // and can be flaky. Run locally for manual verification only.
-    it.skip("should resolve did:web from real endpoint", async () => {
-      // Use a known did:web endpoint (example.com has a well-known DID document)
-      // Note: This test may fail if the endpoint is unavailable
-      const did = "did:web:example.com";
-
-      try {
-        const publicKey = await proofVerifier.fetchPublicKeyFromDID(did);
-
-        // If resolution succeeds, verify structure
-        if (publicKey) {
-          expect(publicKey.kty).toBe("OKP");
-          expect(publicKey.crv).toBe("Ed25519");
-        }
-      } catch (error) {
-        // If resolution fails (network issue, endpoint doesn't exist), that's okay
-        // We're testing that the resolution mechanism works, not that every endpoint exists
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.DID_RESOLUTION_FAILED
-        );
-      }
-    }, 10000); // 10 second timeout for HTTP requests
-
-    it("should handle HTTP errors gracefully", async () => {
-      const did = "did:web:nonexistent-domain-that-does-not-exist-12345.com";
-
-      await expect(proofVerifier.fetchPublicKeyFromDID(did)).rejects.toThrow(
-        ProofVerificationError
-      );
-
-      try {
-        await proofVerifier.fetchPublicKeyFromDID(did);
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.DID_RESOLUTION_FAILED
-        );
-      }
-    }, 10000);
-
-    it("should handle DID document without verification methods", async () => {
-      // Mock a DID document without verification methods
-      const mockFetchProvider: FetchProvider = {
-        resolveDID: vi.fn().mockResolvedValue({
-          "@context": ["https://www.w3.org/ns/did/v1"],
-          id: "did:web:test.com",
-          // No verificationMethod
-        }),
-        fetchStatusList: vi.fn(),
-        fetchDelegationChain: vi.fn(),
-        fetch: vi.fn(),
-      };
-
-      const testVerifier = new ProofVerifier({
-        cryptoProvider: mockCryptoProvider,
-        clockProvider: mockClockProvider,
-        nonceCacheProvider: mockNonceCache,
-        fetchProvider: mockFetchProvider,
-      });
-
-      await expect(
-        testVerifier.fetchPublicKeyFromDID("did:web:test.com")
-      ).rejects.toThrow(ProofVerificationError);
-
-      try {
-        await testVerifier.fetchPublicKeyFromDID("did:web:test.com");
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND
-        );
-      }
-    });
-
-    it("should handle verification method without publicKeyJwk", async () => {
-      const mockFetchProvider: FetchProvider = {
-        resolveDID: vi.fn().mockResolvedValue({
-          "@context": ["https://www.w3.org/ns/did/v1"],
-          id: "did:web:test.com",
-          verificationMethod: [
-            {
-              id: "did:web:test.com#key-1",
-              type: "Ed25519VerificationKey2020",
-              controller: "did:web:test.com",
-              // No publicKeyJwk
-            },
-          ],
-        }),
-        fetchStatusList: vi.fn(),
-        fetchDelegationChain: vi.fn(),
-        fetch: vi.fn(),
-      };
-
-      const testVerifier = new ProofVerifier({
-        cryptoProvider: mockCryptoProvider,
-        clockProvider: mockClockProvider,
-        nonceCacheProvider: mockNonceCache,
-        fetchProvider: mockFetchProvider,
-      });
-
-      await expect(
-        testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1")
-      ).rejects.toThrow(ProofVerificationError);
-
-      try {
-        await testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1");
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.PUBLIC_KEY_NOT_FOUND
-        );
-      }
-    });
-
-    it("should handle non-Ed25519 keys", async () => {
-      const mockFetchProvider: FetchProvider = {
-        resolveDID: vi.fn().mockResolvedValue({
-          "@context": ["https://www.w3.org/ns/did/v1"],
-          id: "did:web:test.com",
-          verificationMethod: [
-            {
-              id: "did:web:test.com#key-1",
-              type: "RsaVerificationKey2018",
-              controller: "did:web:test.com",
-              publicKeyJwk: {
-                kty: "RSA",
-                n: "test",
-                e: "AQAB",
-              },
-            },
-          ],
-        }),
-        fetchStatusList: vi.fn(),
-        fetchDelegationChain: vi.fn(),
-        fetch: vi.fn(),
-      };
-
-      const testVerifier = new ProofVerifier({
-        cryptoProvider: mockCryptoProvider,
-        clockProvider: mockClockProvider,
-        nonceCacheProvider: mockNonceCache,
-        fetchProvider: mockFetchProvider,
-      });
-
-      await expect(
-        testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1")
-      ).rejects.toThrow(ProofVerificationError);
-
-      try {
-        await testVerifier.fetchPublicKeyFromDID("did:web:test.com", "key-1");
-      } catch (error) {
-        expect(error).toBeInstanceOf(ProofVerificationError);
-        expect((error as ProofVerificationError).code).toBe(
-          PROOF_VERIFICATION_ERROR_CODES.INVALID_JWK_FORMAT
-        );
-      }
-    });
-  });
-
-  describe("End-to-End Proof Verification with DID Resolution", () => {
-    it("should verify proof with did:key resolution end-to-end", async () => {
-      const did =
-        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
-      const kid = "key-1";
-      const proof = createValidProof(did, `${did}#${kid}`); // Full kid in proof meta
-
-      // Fetch public key from DID
-      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
-      expect(publicKey).toBeDefined();
-
-      // Verify proof
-      const result = await proofVerifier.verifyProof(proof, publicKey!);
-
-      expect(result.valid).toBe(true);
-      expect(result.errorCode).toBeUndefined();
-      expect(mockCryptoProvider.verify).toHaveBeenCalled();
-    });
-
-    it("should return specific error code for nonce replay", async () => {
-      const did =
-        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
-      const kid = "key-1";
-      const proof = createValidProof(did, `${did}#${kid}`);
-      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
-
-      // First verification should succeed
-      const result1 = await proofVerifier.verifyProof(proof, publicKey!);
-      expect(result1.valid).toBe(true);
-
-      // Second verification should fail with nonce replay error
-      mockNonceCache.has = vi.fn().mockResolvedValue(true);
-      const result2 = await proofVerifier.verifyProof(proof, publicKey!);
-
-      expect(result2.valid).toBe(false);
-      expect(result2.errorCode).toBe(
-        PROOF_VERIFICATION_ERROR_CODES.NONCE_REPLAY_DETECTED
-      );
-      expect(result2.details?.nonce).toBe(proof.meta.nonce);
-    });
-
-    it("should return specific error code for timestamp skew", async () => {
-      const did =
-        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
-      const kid = "key-1";
-      const proof = createValidProof(did, `${did}#${kid}`);
-      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
-
-      // Mock clock to reject timestamp
-      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(false);
-
-      const result = await proofVerifier.verifyProof(proof, publicKey!);
-
-      expect(result.valid).toBe(false);
-      expect(result.errorCode).toBe(
-        PROOF_VERIFICATION_ERROR_CODES.TIMESTAMP_SKEW_EXCEEDED
-      );
-      expect(result.details?.timestamp).toBe(proof.meta.ts);
-      expect(result.details?.skewSeconds).toBe(120);
-    });
-
-    it("should return specific error code for invalid signature", async () => {
-      const did =
-        "did:key:z6MkhaXgBZDvVCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ";
-      const kid = "key-1";
-      const proof = createValidProof(did, `${did}#${kid}`);
-      const publicKey = await proofVerifier.fetchPublicKeyFromDID(did, kid);
-
-      // Mock signature verification to fail
-      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
-
-      const result = await proofVerifier.verifyProof(proof, publicKey!);
-
-      expect(result.valid).toBe(false);
-      expect(result.errorCode).toBe(
-        PROOF_VERIFICATION_ERROR_CODES.INVALID_JWS_SIGNATURE
-      );
-      expect(result.details?.expectedKid).toBe(`${did}#${kid}`);
-    });
-  });
-
-  describe("Error Code Coverage", () => {
-    it("should return INVALID_PROOF_STRUCTURE for malformed proof", async () => {
-      const invalidProof = {
-        jws: "invalid",
-        meta: {
-          // Missing required fields
-          did: "did:test",
-        },
-      } as any;
-
-      const result = await proofVerifier.verifyProof(invalidProof, validJwk);
-
-      expect(result.valid).toBe(false);
-      expect(result.errorCode).toBe(
-        PROOF_VERIFICATION_ERROR_CODES.INVALID_PROOF_STRUCTURE
-      );
-      expect(result.details?.zodErrors).toBeDefined();
-    });
-  });
-});