npm - @metalabel/dfos-protocol - Versions diffs - 0.7.1 → 0.8.1 - Mend

@metalabel/dfos-protocol 0.7.1 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +8 -21
package/dist/chain/index.d.ts +54 -148
package/dist/chain/index.js +15 -8
package/dist/{chunk-QKHP7UVL.js → chunk-LQ56P4SU.js} +137 -110
package/dist/chunk-MEV6QVLC.js +402 -0
package/dist/credentials/index.d.ts +133 -117
package/dist/credentials/index.js +17 -21
package/dist/index.d.ts +3 -2
package/dist/index.js +30 -28
package/dist/schemas-BEl38wrI.d.ts +148 -0
package/examples/beacon.json +5 -5
package/examples/content-delegated.json +3 -3
package/examples/credential-read.json +4 -5
package/examples/credential-write.json +5 -6
package/package.json +2 -2
package/dist/chunk-CZSEEZLL.js +0 -258

package/dist/chunk-MEV6QVLC.js ADDED Viewed

@@ -0,0 +1,402 @@
+import {
+  createJws,
+  createJwt,
+  dagCborCanonicalEncode,
+  decodeJwsUnsafe,
+  verifyJws,
+  verifyJwt
+} from "./chunk-ZXXP5W5N.js";
+// src/credentials/schemas.ts
+import { z } from "zod";
+var MAX_DID = 256;
+var MAX_AUD = 512;
+var MAX_RESOURCE = 512;
+var MAX_ACTION = 64;
+var MAX_ATT = 32;
+var MAX_PRF = 8;
+var Attenuation = z.strictObject({
+  resource: z.string().min(1).max(MAX_RESOURCE),
+  action: z.string().min(1).max(MAX_ACTION)
+});
+var DFOSCredentialPayload = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("DFOSCredential"),
+  /** Issuer DID */
+  iss: z.string().min(1).max(MAX_DID),
+  /** Audience DID or "*" for public credentials */
+  aud: z.string().min(1).max(MAX_AUD),
+  /** Attenuations — resource + action pairs */
+  att: z.array(Attenuation).min(1).max(MAX_ATT),
+  /** Parent credential JWS tokens (for delegation chains) */
+  prf: z.array(z.string()).max(MAX_PRF).default([]),
+  /** Expiration — unix seconds */
+  exp: z.number().int().positive(),
+  /** Issued at — unix seconds */
+  iat: z.number().int().positive()
+});
+var AuthTokenClaims = z.strictObject({
+  /** Issuer — the DID proving identity */
+  iss: z.string().max(MAX_DID),
+  /** Subject — same as iss for auth tokens */
+  sub: z.string().max(MAX_DID),
+  /** Audience — target relay hostname (prevents cross-relay replay) */
+  aud: z.string().max(MAX_AUD),
+  /** Expiration — unix seconds, short-lived (minutes) */
+  exp: z.number().int().positive(),
+  /** Issued at — unix seconds */
+  iat: z.number().int().positive()
+});
+// src/credentials/auth-token.ts
+var createAuthToken = async (options) => {
+  if (!options.kid.includes("#")) {
+    throw new Error("kid must be a DID URL (did:dfos:xxx#key_yyy)");
+  }
+  const kidDid = options.kid.substring(0, options.kid.indexOf("#"));
+  if (kidDid !== options.iss) {
+    throw new Error("kid DID does not match iss");
+  }
+  const now = options.iat ?? Math.floor(Date.now() / 1e3);
+  const header = { alg: "EdDSA", typ: "JWT", kid: options.kid };
+  const payload = {
+    iss: options.iss,
+    sub: options.iss,
+    aud: options.aud,
+    exp: options.exp,
+    iat: now
+  };
+  return createJwt({ header, payload, sign: options.sign });
+};
+var verifyAuthToken = (options) => {
+  const { header, payload } = verifyJwt({
+    token: options.token,
+    publicKey: options.publicKey,
+    audience: options.audience,
+    ...options.currentTime !== void 0 ? { currentTime: options.currentTime } : {}
+  });
+  const result = AuthTokenClaims.safeParse(payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new AuthTokenVerificationError(`invalid auth token claims: ${messages}`);
+  }
+  const currentTime = options.currentTime ?? Math.floor(Date.now() / 1e3);
+  if (result.data.iat > currentTime) {
+    throw new AuthTokenVerificationError("auth token not yet valid (iat is in the future)");
+  }
+  const kid = header.kid;
+  if (!kid || !kid.includes("#")) {
+    throw new AuthTokenVerificationError("auth token kid must be a DID URL");
+  }
+  const kidDid = kid.substring(0, kid.indexOf("#"));
+  if (kidDid !== result.data.iss) {
+    throw new AuthTokenVerificationError("auth token kid DID does not match iss");
+  }
+  return {
+    iss: result.data.iss,
+    aud: result.data.aud,
+    exp: result.data.exp,
+    kid
+  };
+};
+var AuthTokenVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "AuthTokenVerificationError";
+  }
+};
+// src/chain/multikey.ts
+import { base58btc } from "multiformats/bases/base58";
+var ED25519_PUB_PREFIX = new Uint8Array([237, 1]);
+var ED25519_PRIV_PREFIX = new Uint8Array([128, 38]);
+var ED25519_PUB_MULTICODEC = 237;
+var ED25519_PRIV_MULTICODEC = 4864;
+var encodeEd25519Multikey = (publicKeyBytes) => {
+  if (publicKeyBytes.length !== 32) {
+    throw new Error(`expected 32-byte Ed25519 public key, got ${publicKeyBytes.length}`);
+  }
+  const prefixed = new Uint8Array(ED25519_PUB_PREFIX.length + publicKeyBytes.length);
+  prefixed.set(ED25519_PUB_PREFIX);
+  prefixed.set(publicKeyBytes, ED25519_PUB_PREFIX.length);
+  return base58btc.encode(prefixed);
+};
+var decodeMultikey = (multibase) => {
+  const bytes = base58btc.decode(multibase);
+  if (bytes.length < 2) {
+    throw new Error("multikey too short");
+  }
+  if (bytes[0] === ED25519_PUB_PREFIX[0] && bytes[1] === ED25519_PUB_PREFIX[1]) {
+    const keyBytes = bytes.slice(2);
+    if (keyBytes.length !== 32) {
+      throw new Error(`expected 32-byte Ed25519 public key, got ${keyBytes.length}`);
+    }
+    return { keyBytes, codec: ED25519_PUB_MULTICODEC };
+  }
+  if (bytes[0] === ED25519_PRIV_PREFIX[0] && bytes[1] === ED25519_PRIV_PREFIX[1]) {
+    const keyBytes = bytes.slice(2);
+    if (keyBytes.length !== 32) {
+      throw new Error(`expected 32-byte Ed25519 private key, got ${keyBytes.length}`);
+    }
+    return { keyBytes, codec: ED25519_PRIV_MULTICODEC };
+  }
+  throw new Error(
+    `unsupported multikey codec: [0x${bytes[0]?.toString(16)}, 0x${bytes[1]?.toString(16)}]`
+  );
+};
+// src/credentials/dfos-credential.ts
+var resolveKeyFromIdentity = (identity, kid) => {
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new CredentialVerificationError("kid must be a DID URL");
+  const keyId = kid.substring(hashIdx + 1);
+  const allKeys = [...identity.authKeys, ...identity.assertKeys, ...identity.controllerKeys];
+  const key = allKeys.find((k) => k.id === keyId);
+  if (!key) {
+    throw new CredentialVerificationError(`key ${keyId} not found on identity ${identity.did}`);
+  }
+  const { keyBytes } = decodeMultikey(key.publicKeyMultibase);
+  return keyBytes;
+};
+var createDFOSCredential = async (options) => {
+  const kid = `${options.issuerDID}#${options.keyId}`;
+  const now = options.iat ?? Math.floor(Date.now() / 1e3);
+  const payload = {
+    version: 1,
+    type: "DFOSCredential",
+    iss: options.issuerDID,
+    aud: options.audienceDID,
+    att: options.att,
+    prf: options.prf ?? [],
+    exp: options.exp,
+    iat: now
+  };
+  const parseResult = DFOSCredentialPayload.safeParse(payload);
+  if (!parseResult.success) {
+    const messages = parseResult.error.issues.map((e) => e.message).join(", ");
+    throw new Error(`invalid credential payload: ${messages}`);
+  }
+  const encoded = await dagCborCanonicalEncode(payload);
+  const credentialCID = encoded.cid.toString();
+  const jwsToken = await createJws({
+    header: { alg: "EdDSA", typ: "did:dfos:credential", kid, cid: credentialCID },
+    payload,
+    sign: options.signer
+  });
+  return jwsToken;
+};
+var verifyDFOSCredential = async (jwsToken, options) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) throw new CredentialVerificationError("failed to decode credential JWS");
+  if (decoded.header.typ !== "did:dfos:credential") {
+    throw new CredentialVerificationError(`invalid typ: ${decoded.header.typ}`);
+  }
+  const result = DFOSCredentialPayload.safeParse(decoded.payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new CredentialVerificationError(`invalid credential payload: ${messages}`);
+  }
+  const payload = result.data;
+  const kid = decoded.header.kid;
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new CredentialVerificationError("credential kid must be a DID URL");
+  const kidDid = kid.substring(0, hashIdx);
+  if (kidDid !== payload.iss) {
+    throw new CredentialVerificationError("credential kid DID does not match iss");
+  }
+  const identity = await options.resolveIdentity(payload.iss);
+  if (!identity) {
+    throw new CredentialVerificationError(`issuer identity not found: ${payload.iss}`);
+  }
+  if (identity.isDeleted) {
+    throw new CredentialVerificationError(`issuer identity is deleted: ${payload.iss}`);
+  }
+  const publicKey = resolveKeyFromIdentity(identity, kid);
+  try {
+    verifyJws({ token: jwsToken, publicKey });
+  } catch {
+    throw new CredentialVerificationError("invalid credential signature");
+  }
+  const encoded = await dagCborCanonicalEncode(payload);
+  const credentialCID = encoded.cid.toString();
+  if (!decoded.header.cid) {
+    throw new CredentialVerificationError("missing cid in credential header");
+  }
+  if (decoded.header.cid !== credentialCID) {
+    throw new CredentialVerificationError("credential cid mismatch");
+  }
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  if (payload.iat > now) {
+    throw new CredentialVerificationError("credential not yet valid (iat is in the future)");
+  }
+  if (payload.exp <= now) {
+    throw new CredentialVerificationError("credential expired");
+  }
+  return {
+    iss: payload.iss,
+    aud: payload.aud,
+    att: payload.att,
+    prf: payload.prf,
+    exp: payload.exp,
+    iat: payload.iat,
+    credentialCID,
+    signerKeyId: kid
+  };
+};
+var verifyDelegationChain = async (credential, options) => {
+  const chain = [credential];
+  let current = credential;
+  const maxDepth = 16;
+  for (let depth = 0; depth < maxDepth; depth++) {
+    if (current.prf.length === 0) {
+      if (current.iss !== options.rootDID) {
+        throw new CredentialVerificationError(
+          `delegation chain root issuer ${current.iss} does not match expected root ${options.rootDID}`
+        );
+      }
+      return { credential, chain, rootDID: options.rootDID };
+    }
+    const parents = [];
+    for (const parentJws of current.prf) {
+      const parent = await verifyDFOSCredential(parentJws, {
+        resolveIdentity: options.resolveIdentity,
+        ...options.now !== void 0 ? { now: options.now } : {}
+      });
+      if (options.isRevoked) {
+        const revoked = await options.isRevoked(parent.iss, parent.credentialCID);
+        if (revoked) {
+          throw new CredentialVerificationError("parent credential in delegation chain is revoked");
+        }
+      }
+      parents.push(parent);
+    }
+    const matchingParent = parents.find((p) => p.aud === "*" || p.aud === current.iss);
+    if (!matchingParent) {
+      throw new CredentialVerificationError(
+        `delegation gap: no parent credential has audience matching child issuer ${current.iss}`
+      );
+    }
+    for (const parent of parents) {
+      if (current.exp > parent.exp) {
+        throw new CredentialVerificationError(
+          "delegation chain: child credential expiry exceeds parent expiry"
+        );
+      }
+    }
+    const parentAttUnion = parents.flatMap((p) => p.att);
+    if (!isAttenuated(parentAttUnion, current.att)) {
+      throw new CredentialVerificationError(
+        "delegation chain: child credential scope exceeds parent scope"
+      );
+    }
+    chain.push(...parents);
+    current = parents[0];
+  }
+  throw new CredentialVerificationError("delegation chain too deep (max 16 hops)");
+};
+var parseResource = (resource) => {
+  const colonIdx = resource.indexOf(":");
+  if (colonIdx < 0) return null;
+  return { type: resource.substring(0, colonIdx), id: resource.substring(colonIdx + 1) };
+};
+var parseActions = (action) => {
+  return new Set(action.split(",").map((a) => a.trim()));
+};
+var isAttenuated = (parentAtt, childAtt) => {
+  return childAtt.every((childEntry) => {
+    const childRes = parseResource(childEntry.resource);
+    if (!childRes) return false;
+    const childActions = parseActions(childEntry.action);
+    return parentAtt.some((parentEntry) => {
+      const parentRes = parseResource(parentEntry.resource);
+      if (!parentRes) return false;
+      const parentActions = parseActions(parentEntry.action);
+      for (const a of childActions) {
+        if (!parentActions.has(a)) return false;
+      }
+      if (parentRes.type === "chain" && parentRes.id === "*") {
+        return true;
+      }
+      if (childRes.type === "chain" && childRes.id === "*") {
+        return false;
+      }
+      if (childRes.type === "chain" && parentRes.type === "chain") {
+        return childRes.id === parentRes.id;
+      }
+      if (childRes.type === "chain" && parentRes.type === "manifest") {
+        return true;
+      }
+      if (childRes.type === "manifest" && parentRes.type === "manifest") {
+        return childRes.id === parentRes.id;
+      }
+      return false;
+    });
+  });
+};
+var matchesResource = async (att, resource, action, options) => {
+  const requestedRes = parseResource(resource);
+  if (!requestedRes) return false;
+  const requestedActions = parseActions(action);
+  for (const entry of att) {
+    const entryRes = parseResource(entry.resource);
+    if (!entryRes) continue;
+    const entryActions = parseActions(entry.action);
+    let actionsCovered = true;
+    for (const a of requestedActions) {
+      if (!entryActions.has(a)) {
+        actionsCovered = false;
+        break;
+      }
+    }
+    if (!actionsCovered) continue;
+    if (entryRes.type === "chain" && entryRes.id === "*" && requestedRes.type === "chain") {
+      return true;
+    }
+    if (entryRes.type === requestedRes.type && entryRes.id === requestedRes.id) {
+      return true;
+    }
+    if (entryRes.type === "manifest" && requestedRes.type === "chain") {
+      if (options?.manifestLookup) {
+        const indexed = await options.manifestLookup(entryRes.id);
+        if (indexed.includes(requestedRes.id)) return true;
+      }
+    }
+  }
+  return false;
+};
+var decodeDFOSCredentialUnsafe = (jwsToken) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return null;
+  const result = DFOSCredentialPayload.safeParse(decoded.payload);
+  if (!result.success) return null;
+  return {
+    header: decoded.header,
+    payload: result.data
+  };
+};
+var CredentialVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CredentialVerificationError";
+  }
+};
+export {
+  ED25519_PUB_MULTICODEC,
+  ED25519_PRIV_MULTICODEC,
+  encodeEd25519Multikey,
+  decodeMultikey,
+  Attenuation,
+  DFOSCredentialPayload,
+  AuthTokenClaims,
+  createAuthToken,
+  verifyAuthToken,
+  AuthTokenVerificationError,
+  createDFOSCredential,
+  verifyDFOSCredential,
+  verifyDelegationChain,
+  isAttenuated,
+  matchesResource,
+  decodeDFOSCredentialUnsafe,
+  CredentialVerificationError
+};