@mh-gg/push 0.1.1-alpha.20260626T104441232Z

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Matterhorn contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,3 @@
1
+ # @mh-gg/push
2
+
3
+
package/package.json ADDED
@@ -0,0 +1,29 @@
1
+ {
2
+ "name": "@mh-gg/push",
3
+ "version": "0.1.1-alpha.20260626T104441232Z",
4
+ "type": "commonjs",
5
+ "main": "src/index.cjs",
6
+ "exports": {
7
+ ".": "./src/index.cjs",
8
+ "./browser": "./src/browser.cjs"
9
+ },
10
+ "dependencies": {
11
+ "@noble/curves": "^2.2.0",
12
+ "@noble/hashes": "^2.2.0",
13
+ "web-push": "^3.6.7",
14
+ "@mh-gg/room-security": "^0.1.1-alpha.20260626T104441232Z"
15
+ },
16
+ "engines": {
17
+ "node": ">=22.12"
18
+ },
19
+ "license": "MIT",
20
+ "files": [
21
+ "src",
22
+ "README.md",
23
+ "package.json"
24
+ ],
25
+ "scripts": {
26
+ "test": "node --test test/*.test.cjs",
27
+ "coverage": "node --test --experimental-test-coverage --test-coverage-lines=80 --test-coverage-functions=80 --test-coverage-branches=80 --test-coverage-include=src/**/*.cjs test/*.test.cjs"
28
+ }
29
+ }
@@ -0,0 +1,140 @@
1
+ const { p256 } = require("@noble/curves/nist.js");
2
+ const { sha256 } = require("@noble/hashes/sha2.js");
3
+ const {
4
+ USER_VAPID_DERIVATION_LABEL,
5
+ VAPID_GRANT_KIND,
6
+ VAPID_GRANT_VERSION,
7
+ VAPID_GRANT_WRAP_ALG
8
+ } = require("./constants.cjs");
9
+
10
+ const P256_ORDER = BigInt("0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551");
11
+
12
+ function base64url(bytes) {
13
+ if (typeof Buffer !== "undefined") return Buffer.from(bytes).toString("base64url");
14
+ /* node:coverage ignore next 4 */
15
+ let binary = "";
16
+ for (const byte of bytes) binary += String.fromCharCode(byte);
17
+ return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
18
+ }
19
+
20
+ function fromBase64url(value) {
21
+ const text = String(value || "");
22
+ if (typeof Buffer !== "undefined") return Buffer.from(text, "base64url");
23
+ /* node:coverage ignore next 6 */
24
+ const base64 = `${text}${"=".repeat((4 - (text.length % 4)) % 4)}`.replace(/-/g, "+").replace(/_/g, "/");
25
+ const binary = atob(base64);
26
+ const bytes = new Uint8Array(binary.length);
27
+ for (let index = 0; index < binary.length; index += 1) bytes[index] = binary.charCodeAt(index);
28
+ return bytes;
29
+ }
30
+
31
+ function utf8Bytes(value) {
32
+ if (typeof TextEncoder !== "undefined") return new TextEncoder().encode(value);
33
+ /* node:coverage ignore next */
34
+ return Buffer.from(value, "utf8");
35
+ }
36
+
37
+ function concatBytes(parts) {
38
+ const length = parts.reduce((total, part) => total + part.byteLength, 0);
39
+ const bytes = new Uint8Array(length);
40
+ let offset = 0;
41
+ for (const part of parts) {
42
+ bytes.set(part, offset);
43
+ offset += part.byteLength;
44
+ }
45
+ return bytes;
46
+ }
47
+
48
+ function deriveUserVapidScalar(rootKey, label = USER_VAPID_DERIVATION_LABEL) {
49
+ if (!(rootKey instanceof Uint8Array) || rootKey.byteLength === 0) throw new Error("rootKey must be a non-empty Uint8Array.");
50
+ const digest = sha256(concatBytes([
51
+ utf8Bytes("matterhorn.user-vapid.v1"),
52
+ new Uint8Array([0]),
53
+ utf8Bytes(label),
54
+ new Uint8Array([0]),
55
+ rootKey
56
+ ]));
57
+ const hex = Array.from(digest, (byte) => byte.toString(16).padStart(2, "0")).join("");
58
+ const scalar = (BigInt(`0x${hex}`) % (P256_ORDER - 1n)) + 1n;
59
+ const privateHex = scalar.toString(16).padStart(64, "0");
60
+ return new Uint8Array(privateHex.match(/../g).map((byte) => Number.parseInt(byte, 16)));
61
+ }
62
+
63
+ function deriveUserVapidKeys(rootKey, label = USER_VAPID_DERIVATION_LABEL) {
64
+ const privateKey = deriveUserVapidScalar(rootKey, label);
65
+ const publicKey = p256.getPublicKey(privateKey, false);
66
+ return {
67
+ publicKey: base64url(publicKey),
68
+ privateKey: base64url(privateKey)
69
+ };
70
+ }
71
+
72
+ function vapidPublicKeyFromPrivateKey(privateKeyBase64url) {
73
+ const privateKeyBytes = fromBase64url(privateKeyBase64url);
74
+ const publicKeyBytes = p256.getPublicKey(privateKeyBytes, false);
75
+ return base64url(publicKeyBytes);
76
+ }
77
+
78
+ function cryptoProvider() {
79
+ const provider = globalThis.crypto || globalThis.msCrypto;
80
+ if (!provider?.subtle) throw new Error("WebCrypto is required.");
81
+ return provider;
82
+ }
83
+
84
+ function grantAad(grant) {
85
+ return utf8Bytes(JSON.stringify([
86
+ "matterhorn.vapid-grant.v1",
87
+ grant.relayPublicKey,
88
+ grant.createdAt
89
+ ]));
90
+ }
91
+
92
+ async function grantKey(sharedSecret, grant) {
93
+ const subtle = cryptoProvider().subtle;
94
+ const key = await subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
95
+ return subtle.deriveKey(
96
+ { name: "HKDF", hash: "SHA-256", salt: grantAad(grant), info: utf8Bytes("matterhorn:vapid-grant:v1") },
97
+ key,
98
+ { name: "AES-GCM", length: 256 },
99
+ false,
100
+ ["encrypt"]
101
+ );
102
+ }
103
+
104
+ async function publicKeyFromSpkiBase64url(value) {
105
+ return cryptoProvider().subtle.importKey("spki", fromBase64url(value), { name: "X25519" }, false, []);
106
+ }
107
+
108
+ async function wrapVapidGrant({ vapidPrivateKey, relayPublicKey }) {
109
+ if (typeof vapidPrivateKey !== "string" || vapidPrivateKey.length === 0) throw new Error("vapidPrivateKey is required.");
110
+ if (typeof relayPublicKey !== "string" || relayPublicKey.length === 0) throw new Error("relayPublicKey is required.");
111
+ const provider = cryptoProvider();
112
+ const recipientPublicKey = await publicKeyFromSpkiBase64url(relayPublicKey);
113
+ const ephemeral = await provider.subtle.generateKey({ name: "X25519" }, true, ["deriveBits"]);
114
+ const sharedSecret = await provider.subtle.deriveBits({ name: "X25519", public: recipientPublicKey }, ephemeral.privateKey, 256);
115
+ const grant = {
116
+ kind: VAPID_GRANT_KIND,
117
+ version: VAPID_GRANT_VERSION,
118
+ relayPublicKey,
119
+ createdAt: Date.now(),
120
+ wrap: {
121
+ alg: VAPID_GRANT_WRAP_ALG,
122
+ ephemeralPublicKey: base64url(new Uint8Array(await provider.subtle.exportKey("spki", ephemeral.publicKey)))
123
+ }
124
+ };
125
+ const iv = provider.getRandomValues(new Uint8Array(12));
126
+ const encrypted = new Uint8Array(await provider.subtle.encrypt(
127
+ { name: "AES-GCM", iv, additionalData: grantAad(grant) },
128
+ await grantKey(sharedSecret, grant),
129
+ utf8Bytes(vapidPrivateKey)
130
+ ));
131
+ grant.wrap.iv = base64url(iv);
132
+ grant.wrappedVapidPrivateKey = base64url(encrypted);
133
+ return grant;
134
+ }
135
+
136
+ module.exports = {
137
+ deriveUserVapidKeys,
138
+ wrapVapidGrant,
139
+ vapidPublicKeyFromPrivateKey
140
+ };
@@ -0,0 +1,21 @@
1
+ export interface VapidKeys {
2
+ publicKey: string;
3
+ privateKey: string;
4
+ }
5
+
6
+ export interface VapidGrant {
7
+ kind: string;
8
+ version: number;
9
+ relayPublicKey: string;
10
+ createdAt: number;
11
+ wrap: {
12
+ alg: string;
13
+ ephemeralPublicKey: string;
14
+ iv?: string;
15
+ };
16
+ wrappedVapidPrivateKey?: string;
17
+ }
18
+
19
+ export function deriveUserVapidKeys(rootKey: Uint8Array, label?: string): VapidKeys;
20
+ export function wrapVapidGrant(input: { vapidPrivateKey: string; relayPublicKey: string }): Promise<VapidGrant>;
21
+ export function vapidPublicKeyFromPrivateKey(privateKeyBase64url: string): string;
@@ -0,0 +1,28 @@
1
+ const USER_VAPID_DERIVATION_LABEL = "matterhorn/vapid/v1";
2
+ const VAPID_GRANT_KIND = "matterhorn.vapid-grant";
3
+ const VAPID_GRANT_VERSION = 1;
4
+ const VAPID_GRANT_WRAP_ALG = "x25519+hkdf-sha256+aes-256-gcm";
5
+ const MAX_PUSH_PAYLOAD_BYTES = 3 * 1024;
6
+ const DEFAULT_PUSH_TTL_SECONDS = 60 * 60;
7
+ const DEFAULT_PUSH_URGENCY = "high";
8
+ const PUSH_URGENCY_VALUES = ["very-low", "low", "normal", "high"];
9
+
10
+ const CLIENT_PUSH_REGISTER = "client/push-register";
11
+ const CLIENT_PUSH_GRANT = "client/push-grant";
12
+ const RELAY_PUSH = "relay.push";
13
+ const PUSH_HOME_RELAYS_EVENT_KIND = "push.home-relays";
14
+
15
+ module.exports = {
16
+ CLIENT_PUSH_GRANT,
17
+ CLIENT_PUSH_REGISTER,
18
+ DEFAULT_PUSH_TTL_SECONDS,
19
+ DEFAULT_PUSH_URGENCY,
20
+ MAX_PUSH_PAYLOAD_BYTES,
21
+ PUSH_URGENCY_VALUES,
22
+ PUSH_HOME_RELAYS_EVENT_KIND,
23
+ RELAY_PUSH,
24
+ USER_VAPID_DERIVATION_LABEL,
25
+ VAPID_GRANT_KIND,
26
+ VAPID_GRANT_VERSION,
27
+ VAPID_GRANT_WRAP_ALG
28
+ };
package/src/index.cjs ADDED
@@ -0,0 +1,160 @@
1
+ const crypto = require("node:crypto");
2
+ const { deriveUserVapidKeys, wrapVapidGrant: wrapVapidGrantBrowser, vapidPublicKeyFromPrivateKey } = require("./browser.cjs");
3
+ const {
4
+ DEFAULT_PUSH_URGENCY,
5
+ DEFAULT_PUSH_TTL_SECONDS,
6
+ PUSH_URGENCY_VALUES,
7
+ VAPID_GRANT_KIND,
8
+ VAPID_GRANT_VERSION,
9
+ VAPID_GRANT_WRAP_ALG
10
+ } = require("./constants.cjs");
11
+
12
+ function fromBase64url(value) {
13
+ return Buffer.from(String(value || ""), "base64url");
14
+ }
15
+
16
+ function publicKeyFromSpkiBase64url(value) {
17
+ return crypto.createPublicKey({ key: fromBase64url(value), type: "spki", format: "der" });
18
+ }
19
+
20
+ function privateKeyFromPkcs8Base64url(value) {
21
+ return crypto.createPrivateKey({ key: fromBase64url(value), type: "pkcs8", format: "der" });
22
+ }
23
+
24
+ function grantAad(grant) {
25
+ return Buffer.from(JSON.stringify([
26
+ "matterhorn.vapid-grant.v1",
27
+ grant.relayPublicKey,
28
+ grant.createdAt
29
+ ]), "utf8");
30
+ }
31
+
32
+ function grantKey(sharedSecret, grant) {
33
+ return Buffer.from(crypto.hkdfSync(
34
+ "sha256",
35
+ sharedSecret,
36
+ grantAad(grant),
37
+ Buffer.from("matterhorn:vapid-grant:v1", "utf8"),
38
+ 32
39
+ ));
40
+ }
41
+
42
+ function relayPrivateKeyObject(relayPrivateKey) {
43
+ if (typeof relayPrivateKey === "string") return privateKeyFromPkcs8Base64url(relayPrivateKey);
44
+ return relayPrivateKey;
45
+ }
46
+
47
+ function unwrapVapidGrant({ grant, relayPrivateKey }) {
48
+ if (!grant || grant.kind !== VAPID_GRANT_KIND || grant.version !== VAPID_GRANT_VERSION) throw new Error("VAPID grant is invalid.");
49
+ if (grant.wrap?.alg !== VAPID_GRANT_WRAP_ALG) throw new Error("VAPID grant wrap algorithm is invalid.");
50
+ const privateKey = relayPrivateKeyObject(relayPrivateKey);
51
+ const ephemeralPublicKey = publicKeyFromSpkiBase64url(grant.wrap.ephemeralPublicKey);
52
+ const sharedSecret = crypto.diffieHellman({ privateKey, publicKey: ephemeralPublicKey });
53
+ const bytes = fromBase64url(grant.wrappedVapidPrivateKey);
54
+ if (bytes.length < 17) throw new Error("VAPID grant ciphertext is invalid.");
55
+ const ciphertext = bytes.subarray(0, bytes.length - 16);
56
+ const authTag = bytes.subarray(bytes.length - 16);
57
+ const decipher = crypto.createDecipheriv("aes-256-gcm", grantKey(sharedSecret, grant), fromBase64url(grant.wrap.iv));
58
+ decipher.setAAD(grantAad(grant));
59
+ decipher.setAuthTag(authTag);
60
+ return {
61
+ vapidPrivateKey: Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8")
62
+ };
63
+ }
64
+
65
+ function wrapVapidGrant(args) {
66
+ const relayPublicKey = args?.relayPublicKey;
67
+ if (typeof relayPublicKey !== "string" || relayPublicKey.length === 0) throw new Error("relayPublicKey is required.");
68
+ const recipientPublicKey = publicKeyFromSpkiBase64url(relayPublicKey);
69
+ const ephemeral = crypto.generateKeyPairSync("x25519");
70
+ const sharedSecret = crypto.diffieHellman({ privateKey: ephemeral.privateKey, publicKey: recipientPublicKey });
71
+ const grant = {
72
+ kind: VAPID_GRANT_KIND,
73
+ version: VAPID_GRANT_VERSION,
74
+ relayPublicKey,
75
+ createdAt: Date.now(),
76
+ wrap: {
77
+ alg: VAPID_GRANT_WRAP_ALG,
78
+ ephemeralPublicKey: Buffer.from(ephemeral.publicKey.export({ type: "spki", format: "der" })).toString("base64url")
79
+ }
80
+ };
81
+ const iv = crypto.randomBytes(12);
82
+ const cipher = crypto.createCipheriv("aes-256-gcm", grantKey(sharedSecret, grant), iv);
83
+ cipher.setAAD(grantAad(grant));
84
+ const encrypted = Buffer.concat([cipher.update(Buffer.from(args.vapidPrivateKey, "utf8")), cipher.final(), cipher.getAuthTag()]);
85
+ grant.wrap.iv = iv.toString("base64url");
86
+ grant.wrappedVapidPrivateKey = encrypted.toString("base64url");
87
+ return grant;
88
+ }
89
+
90
+ function loadWebPush() {
91
+ try {
92
+ return require("web-push");
93
+ } catch (error) {
94
+ throw new Error("web-push dependency is required for push egress.");
95
+ }
96
+ }
97
+
98
+ function normalizePayload(payload) {
99
+ if (payload instanceof Uint8Array) return Buffer.from(payload);
100
+ throw new Error("payload must be a Uint8Array.");
101
+ }
102
+
103
+ function normalizeTtlSeconds(ttlSeconds) {
104
+ const ttl = Number(ttlSeconds);
105
+ if (!Number.isFinite(ttl) || ttl <= 0) return DEFAULT_PUSH_TTL_SECONDS;
106
+ return Math.floor(ttl);
107
+ }
108
+
109
+ function normalizeUrgency(urgency) {
110
+ if (PUSH_URGENCY_VALUES.includes(urgency)) return urgency;
111
+ return DEFAULT_PUSH_URGENCY;
112
+ }
113
+
114
+ async function sendWebPush({
115
+ subscription,
116
+ vapidPublicKey,
117
+ vapidPrivateKey,
118
+ subject,
119
+ payload,
120
+ ttlSeconds = DEFAULT_PUSH_TTL_SECONDS,
121
+ urgency = DEFAULT_PUSH_URGENCY,
122
+ webPush: injectedWebPush
123
+ }) {
124
+ const body = normalizePayload(payload);
125
+ const webPush = injectedWebPush || loadWebPush();
126
+ webPush.setVapidDetails(subject, vapidPublicKey, vapidPrivateKey);
127
+ const normalizedUrgency = normalizeUrgency(urgency);
128
+ try {
129
+ const result = await webPush.sendNotification(subscription, body, {
130
+ TTL: normalizeTtlSeconds(ttlSeconds),
131
+ urgency: normalizedUrgency,
132
+ headers: { Urgency: normalizedUrgency }
133
+ });
134
+ return { statusCode: result.statusCode || 201, gone: false };
135
+ } catch (error) {
136
+ const statusCode = Number(error?.statusCode || error?.status || 0);
137
+ if (statusCode === 404 || statusCode === 410) return { statusCode, gone: true };
138
+ throw error;
139
+ }
140
+ }
141
+
142
+ async function sendToUser({ vapidPublicKey, vapidPrivateKey, subject, subscriptions, payload, ttlSeconds, urgency, webPush }) {
143
+ const results = [];
144
+ for (const subscription of subscriptions || []) {
145
+ const result = await sendWebPush({ subscription, vapidPublicKey, vapidPrivateKey, subject, payload, ttlSeconds, urgency, webPush });
146
+ results.push({ endpoint: subscription.endpoint, ...result });
147
+ }
148
+ return results;
149
+ }
150
+
151
+ module.exports = {
152
+ ...require("./constants.cjs"),
153
+ deriveUserVapidKeys,
154
+ sendToUser,
155
+ sendWebPush,
156
+ unwrapVapidGrant,
157
+ wrapVapidGrant,
158
+ wrapVapidGrantBrowser,
159
+ vapidPublicKeyFromPrivateKey
160
+ };