@oxyhq/services 5.16.33 → 5.16.35

package/src/crypto/signatureService.ts

@@ -3,77 +3,27 @@
  * 
  * Handles signing and verification of messages using ECDSA secp256k1.
  * Used for authenticating requests and proving identity ownership.
+ * 
+ * Note: This service handles SIGNING (requires private key access via KeyManager).
+ * For VERIFICATION, use the shared SignatureService from '../shared' instead.
  */
 
 import { ec as EC } from 'elliptic';
 import { KeyManager } from './keyManager';
-
-// Lazy import for expo-crypto
-let ExpoCrypto: typeof import('expo-crypto') | null = null;
+import {
+  buildAuthMessage,
+  buildRegistrationMessage,
+  buildRequestMessage,
+  getCryptoAdapter,
+  SignatureService as SharedSignatureService,
+  isTimestampFresh,
+  type SignedMessage,
+} from '../shared';
 
 const ec = new EC('secp256k1');
 
-/**
- * Check if we're in a React Native environment
- */
-function isReactNative(): boolean {
-  return typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
-}
-
-/**
- * Check if we're in a Node.js environment
- */
-function isNodeJS(): boolean {
-  return typeof process !== 'undefined' && process.versions != null && process.versions.node != null;
-}
-
-/**
- * Initialize expo-crypto module
- */
-async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
-  if (!ExpoCrypto) {
-    ExpoCrypto = await import('expo-crypto');
-  }
-  return ExpoCrypto;
-}
-
-/**
- * Compute SHA-256 hash of a string
- */
-async function sha256(message: string): Promise<string> {
-  // In React Native, always use expo-crypto
-  if (isReactNative() || !isNodeJS()) {
-    const Crypto = await initExpoCrypto();
-    return Crypto.digestStringAsync(
-      Crypto.CryptoDigestAlgorithm.SHA256,
-      message
-    );
-  }
-  
-  // In Node.js, use Node's crypto module
-  // Use Function constructor to prevent Metro bundler from statically analyzing this require
-  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-implied-eval
-    const getCrypto = new Function('return require("crypto")');
-    const crypto = getCrypto();
-    return crypto.createHash('sha256').update(message).digest('hex');
-  } catch (error) {
-    // Fallback to expo-crypto if Node crypto fails
-    const Crypto = await initExpoCrypto();
-    return Crypto.digestStringAsync(
-      Crypto.CryptoDigestAlgorithm.SHA256,
-      message
-    );
-  }
-}
-
-export interface SignedMessage {
-  message: string;
-  signature: string;
-  publicKey: string;
-  timestamp: number;
-}
+// Re-export shared types
+export type { SignedMessage } from '../shared';
 
 export interface AuthChallenge {
   challenge: string;
@@ -84,39 +34,23 @@ export interface AuthChallenge {
 export class SignatureService {
   /**
    * Generate a random challenge string (for offline use)
-   * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
+   * Uses shared crypto adapter
    */
   static async generateChallenge(): Promise<string> {
-    if (isReactNative() || !isNodeJS()) {
-      // Use expo-crypto for React Native (expo-random is deprecated)
-      const Crypto = await initExpoCrypto();
-      const randomBytes = await Crypto.getRandomBytesAsync(32);
-      return Array.from(randomBytes)
-        .map((b: number) => b.toString(16).padStart(2, '0'))
-        .join('');
-    }
-    
-    // Node.js fallback
-    try {
-      // eslint-disable-next-line @typescript-eslint/no-implied-eval
-      const getCrypto = new Function('return require("crypto")');
-      const crypto = getCrypto();
-      return crypto.randomBytes(32).toString('hex');
-    } catch (error) {
-      // Fallback to expo-crypto if Node crypto fails
-      const Crypto = await initExpoCrypto();
-      const randomBytes = await Crypto.getRandomBytesAsync(32);
-      return Array.from(randomBytes)
-        .map((b: number) => b.toString(16).padStart(2, '0'))
-        .join('');
-    }
+    const adapter = await getCryptoAdapter();
+    const randomBytes = await adapter.randomBytes(32);
+    return Array.from(randomBytes)
+      .map((b: number) => b.toString(16).padStart(2, '0'))
+      .join('');
   }
 
   /**
    * Hash a message using SHA-256
+   * Uses shared crypto adapter
    */
   static async hashMessage(message: string): Promise<string> {
-    return sha256(message);
+    const adapter = await getCryptoAdapter();
+    return adapter.sha256(message);
   }
 
   /**
@@ -129,7 +63,8 @@ export class SignatureService {
       throw new Error('No identity found. Please create or import an identity first.');
     }
 
-    const messageHash = await sha256(message);
+    const adapter = await getCryptoAdapter();
+    const messageHash = await adapter.sha256(message);
     const signature = keyPair.sign(messageHash);
     return signature.toDER('hex');
   }
@@ -140,45 +75,18 @@ export class SignatureService {
    */
   static async signWithKey(message: string, privateKey: string): Promise<string> {
     const keyPair = ec.keyFromPrivate(privateKey);
-    const messageHash = await sha256(message);
+    const adapter = await getCryptoAdapter();
+    const messageHash = await adapter.sha256(message);
     const signature = keyPair.sign(messageHash);
     return signature.toDER('hex');
   }
 
   /**
    * Verify a signature against a message and public key
+   * Uses shared SignatureService for verification
    */
   static async verify(message: string, signature: string, publicKey: string): Promise<boolean> {
-    try {
-      const key = ec.keyFromPublic(publicKey, 'hex');
-      const messageHash = await sha256(message);
-      return key.verify(messageHash, signature);
-    } catch {
-      return false;
-    }
-  }
-
-  /**
-   * Synchronous verification (for Node.js backend)
-   * Uses crypto module directly for hashing
-   * Note: This method should only be used in Node.js environments
-   */
-  static verifySync(message: string, signature: string, publicKey: string): boolean {
-    try {
-      if (!isNodeJS()) {
-        // In React Native, use async verify instead
-        throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
-      }
-      // Use Function constructor to prevent Metro bundler from statically analyzing this require
-      // eslint-disable-next-line @typescript-eslint/no-implied-eval
-      const getCrypto = new Function('return require("crypto")');
-      const crypto = getCrypto();
-      const key = ec.keyFromPublic(publicKey, 'hex');
-      const messageHash = crypto.createHash('sha256').update(message).digest('hex');
-      return key.verify(messageHash, signature);
-    } catch {
-      return false;
-    }
+    return SharedSignatureService.verify(message, signature, publicKey);
   }
 
   /**
@@ -205,6 +113,7 @@ export class SignatureService {
   /**
    * Verify a signed message object
    * Checks both signature validity and timestamp freshness
+   * Uses shared SignatureService for verification
    */
   static async verifySignedMessage(
     signedMessage: SignedMessage,
@@ -213,14 +122,13 @@ export class SignatureService {
     const { message, signature, publicKey, timestamp } = signedMessage;
 
     // Check timestamp freshness
-    const now = Date.now();
-    if (now - timestamp > maxAgeMs) {
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
       return false;
     }
 
     // Verify signature
     const messageWithTimestamp = `${message}:${timestamp}`;
-    return SignatureService.verify(messageWithTimestamp, signature, publicKey);
+    return SharedSignatureService.verify(messageWithTimestamp, signature, publicKey);
   }
 
   /**
@@ -234,7 +142,7 @@ export class SignatureService {
     }
 
     const timestamp = Date.now();
-    const message = `auth:${publicKey}:${challenge}:${timestamp}`;
+    const message = buildAuthMessage(publicKey, challenge, timestamp);
     const signature = await SignatureService.sign(message);
 
     return {
@@ -246,6 +154,7 @@ export class SignatureService {
 
   /**
    * Verify a challenge response
+   * Uses shared SignatureService for verification
    */
   static async verifyChallengeResponse(
     originalChallenge: string,
@@ -253,15 +162,13 @@ export class SignatureService {
     maxAgeMs: number = 5 * 60 * 1000
   ): Promise<boolean> {
     const { challenge: signature, publicKey, timestamp } = response;
-
-    // Check timestamp freshness
-    const now = Date.now();
-    if (now - timestamp > maxAgeMs) {
-      return false;
-    }
-
-    const message = `auth:${publicKey}:${originalChallenge}:${timestamp}`;
-    return SignatureService.verify(message, signature, publicKey);
+    return SharedSignatureService.verifyChallengeResponse(
+      publicKey,
+      originalChallenge,
+      signature,
+      timestamp,
+      maxAgeMs
+    );
   }
 
   /**
@@ -276,7 +183,7 @@ export class SignatureService {
     }
 
     const timestamp = Date.now();
-    const message = `oxy:register:${publicKey}:${timestamp}`;
+    const message = buildRegistrationMessage(publicKey, timestamp);
     const signature = await SignatureService.sign(message);
 
     return {
@@ -301,13 +208,7 @@ export class SignatureService {
     }
 
     const timestamp = Date.now();
-    
-    // Create canonical string representation
-    const sortedKeys = Object.keys(data).sort();
-    const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
-    const canonicalString = canonicalParts.join('|');
-    
-    const message = `request:${publicKey}:${timestamp}:${canonicalString}`;
+    const message = buildRequestMessage(publicKey, timestamp, data);
     const signature = await SignatureService.sign(message);
 
     return {

package/src/index.ts

@@ -48,11 +48,12 @@ export {
 } from './utils/languageUtils';
 export type { LanguageMetadata } from './utils/languageUtils';
 
+// Shared models and utilities (bundled for external consumers)
+export * from './shared';
+
 // Type exports
 export type {
   OxyConfig,
-  User,
-  LoginResponse,
   Notification,
   Wallet,
   Transaction,

package/src/models/interfaces.ts

@@ -1,3 +1,12 @@
+/**
+ * Services Package Interfaces
+ * 
+ * Package-specific interfaces. For shared models (User, Session, etc.),
+ * import directly from the shared module:
+ * 
+ * import { User, LoginResponse, Session } from '../shared';
+ */
+
 export interface OxyConfig {
   baseURL: string;
   cloudURL?: string;
@@ -21,66 +30,8 @@ export interface OxyConfig {
   onRequestError?: (url: string, method: string, error: Error) => void;
 }
 
-/**
- * User Model
- * 
- * IMPORTANT: 
- * - id: Public key (ECDSA secp256k1 public key, 130 hex characters) - CANONICAL USER IDENTITY
- * - publicKey: Same as id (kept for backward compatibility and explicit clarity)
- * 
- * publicKey is the canonical user identity across the ecosystem because it's:
- * - Globally unique
- * - Local-first (stored in Accounts app)
- * - Avoids device-bound artifacts
- * 
- * MongoDB _id remains internal to backend only and is not exposed in the User interface.
- * Backend may use MongoDB ObjectId internally for database operations, but client always uses publicKey.
- */
-export interface User {
-  id: string;           // Public key - CANONICAL USER IDENTITY (130 hex chars for secp256k1)
-  publicKey: string;    // Same as id (kept for backward compatibility)
-  username: string;
-  email?: string;
-  // Avatar file id (asset id)
-  avatar?: string;
-  // Privacy and security settings
-  privacySettings?: {
-    [key: string]: unknown;
-  };
-  name?: {
-    first?: string;
-    last?: string;
-    full?: string; // virtual, not stored in DB, returned by API
-    [key: string]: unknown;
-  };
-  bio?: string;
-  karma?: number;
-  location?: string;
-  website?: string;
-  createdAt?: string;
-  updatedAt?: string;
-  links?: Array<{
-    title?: string;
-    description?: string;
-    image?: string;
-    link: string;
-  }>;
-  // Social counts
-  _count?: {
-    followers?: number;
-    following?: number;
-  };
-  accountExpiresAfterInactivityDays?: number | null; // Days of inactivity before account expires (null = never expire)
-  [key: string]: unknown;
-}
-
-export interface LoginResponse {
-  accessToken?: string;
-  refreshToken?: string;
-  token?: string; // For backwards compatibility
-  user: User;
-  message?: string;
-}
+// Note: User and LoginResponse are in the shared module
+// Import them directly: import { User, LoginResponse } from '../shared';
 
 export interface Notification {
   id: string;
@@ -153,17 +104,8 @@ export interface TransactionResponse {
   transaction: Transaction;
 }
 
-export interface PaginationInfo {
-  total: number;
-  limit: number;
-  offset: number;
-  hasMore: boolean;
-}
-
-export interface SearchProfilesResponse {
-  data: User[];
-  pagination: PaginationInfo;
-}
+// Note: PaginationInfo and SearchProfilesResponse are in the shared module
+// Import them directly: import { PaginationInfo, SearchProfilesResponse } from '../shared';
 
 export interface KarmaRule {
   id: string;
@@ -376,8 +318,6 @@ export interface AssetUrlResponse {
 
 export interface AssetDeleteSummary {
   fileId: string;
-  wouldDelete: boolean;
-  affectedApps: string[];
   remainingLinks: number;
   variants: string[];
 }
@@ -495,6 +435,7 @@ export interface AssetUploadProgress {
 }
 
 // Device Session interfaces
+// Note: User type should be imported from the shared module
 export interface DeviceSession {
   sessionId: string;
   deviceId: string;
@@ -503,7 +444,13 @@ export interface DeviceSession {
   lastActive: string;
   expiresAt: string;
   isCurrent: boolean;
-  user?: User;
+  user?: {
+    id: string;
+    publicKey: string;
+    username: string;
+    avatar?: string;
+    [key: string]: unknown;
+  }; // Partial User - import full User type from '../shared' if needed
   createdAt?: string;
 }
 

package/src/models/session.ts

@@ -2,17 +2,15 @@
  * Client Session Model
  * 
  * IMPORTANT:
- * - publicKey: Canonical user identity (ECDSA secp256k1 public key) - PRIMARY IDENTIFIER
- * - userId: MongoDB ObjectId (kept for backward compatibility, but publicKey is canonical)
- * - Sessions are bound to the local identity (publicKey) stored in Accounts app
+ * - userId: MongoDB ObjectId (24 hex characters), never publicKey
+ * - Used for session management and user identification
  */
 export interface ClientSession {
   sessionId: string;
   deviceId: string;
   expiresAt: string;
   lastActive: string;
-  publicKey: string;  // Canonical user identity - PRIMARY IDENTIFIER
-  userId?: string;     // MongoDB ObjectId (internal backend reference, optional for compatibility)
+  userId?: string;  // MongoDB ObjectId - PRIMARY IDENTIFIER (never publicKey)
   isCurrent?: boolean;
 }
 

package/src/shared/crypto/messageBuilders.ts

@@ -0,0 +1,89 @@
+/**
+ * Canonical Message Builders
+ * 
+ * Creates standardized, canonical message formats for signing.
+ * These formats are used consistently across Accounts, Services SDK, and API.
+ */
+
+import type { SignedMessage, AuthChallengeResponse } from '../models/index';
+
+/**
+ * Build authentication message for challenge-response
+ * Format: auth:{publicKey}:{challenge}:{timestamp}
+ */
+export function buildAuthMessage(
+  publicKey: string,
+  challenge: string,
+  timestamp: number
+): string {
+  return `auth:${publicKey}:${challenge}:${timestamp}`;
+}
+
+/**
+ * Build registration message
+ * Format: oxy:register:{publicKey}:{timestamp}
+ */
+export function buildRegistrationMessage(
+  publicKey: string,
+  timestamp: number
+): string {
+  return `oxy:register:${publicKey}:${timestamp}`;
+}
+
+/**
+ * Build request signing message
+ * Format: request:{publicKey}:{timestamp}:{canonicalData}
+ */
+export function buildRequestMessage(
+  publicKey: string,
+  timestamp: number,
+  data: Record<string, unknown>
+): string {
+  // Create canonical string representation
+  const sortedKeys = Object.keys(data).sort();
+  const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
+  const canonicalString = canonicalParts.join('|');
+  
+  return `request:${publicKey}:${timestamp}:${canonicalString}`;
+}
+
+/**
+ * Create canonical data representation for signing
+ * Sorts keys and creates a consistent string representation
+ */
+export function canonicalizeData(data: Record<string, unknown>): string {
+  const sortedKeys = Object.keys(data).sort();
+  const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
+  return canonicalParts.join('|');
+}
+
+/**
+ * Build auth challenge response payload
+ * Helper to construct the signed challenge response
+ */
+export function buildAuthChallengeResponse(
+  publicKey: string,
+  challenge: string,
+  signature: string,
+  timestamp: number
+): AuthChallengeResponse {
+  return {
+    challenge,
+    publicKey,
+    signature,
+    timestamp,
+  };
+}
+
+/**
+ * Validate timestamp freshness
+ * Ensures signed messages are not too old
+ */
+export function isTimestampFresh(
+  timestamp: number,
+  maxAgeMs: number = 5 * 60 * 1000 // 5 minutes default
+): boolean {
+  const now = Date.now();
+  return (now - timestamp) <= maxAgeMs && timestamp <= now;
+}
+

package/src/shared/crypto/platform.ts

@@ -0,0 +1,140 @@
+/**
+ * Platform Detection and Adapters
+ * 
+ * Provides environment detection and platform-specific crypto adapters
+ * to support Node.js, React Native, and Web environments.
+ */
+
+/**
+ * Platform types
+ */
+export type Platform = 'node' | 'react-native' | 'web';
+
+/**
+ * Platform detection utilities
+ */
+export const PlatformDetector = {
+  /**
+   * Detect current platform
+   */
+  detect(): Platform {
+    if (typeof window === 'undefined' && typeof process !== 'undefined' && process.versions?.node) {
+      return 'node';
+    }
+    if (typeof navigator !== 'undefined' && navigator.product === 'ReactNative') {
+      return 'react-native';
+    }
+    return 'web';
+  },
+
+  /**
+   * Check if running in Node.js
+   */
+  isNode(): boolean {
+    return this.detect() === 'node';
+  },
+
+  /**
+   * Check if running in React Native
+   */
+  isReactNative(): boolean {
+    return this.detect() === 'react-native';
+  },
+
+  /**
+   * Check if running in Web browser
+   */
+  isWeb(): boolean {
+    return this.detect() === 'web';
+  },
+};
+
+/**
+ * Crypto adapter interface
+ * Platform-specific implementations must implement this interface
+ */
+export interface CryptoAdapter {
+  /**
+   * Generate random bytes
+   */
+  randomBytes(size: number): Promise<Uint8Array>;
+
+  /**
+   * Compute SHA-256 hash
+   */
+  sha256(message: string): Promise<string>;
+
+  /**
+   * Synchronous SHA-256 hash (Node.js only)
+   */
+  sha256Sync?(message: string): string;
+}
+
+/**
+ * Get the appropriate crypto adapter for the current platform
+ */
+export async function getCryptoAdapter(): Promise<CryptoAdapter> {
+  const platform = PlatformDetector.detect();
+
+  if (platform === 'node') {
+    // eslint-disable-next-line @typescript-eslint/no-implied-eval
+    const getCrypto = new Function('return require("crypto")');
+    const crypto = getCrypto();
+    
+    return {
+      async randomBytes(size: number): Promise<Uint8Array> {
+        return new Uint8Array(crypto.randomBytes(size));
+      },
+      async sha256(message: string): Promise<string> {
+        return crypto.createHash('sha256').update(message).digest('hex');
+      },
+      sha256Sync(message: string): string {
+        return crypto.createHash('sha256').update(message).digest('hex');
+      },
+    };
+  }
+
+  if (platform === 'react-native') {
+    // Lazy load expo-crypto (peer dependency)
+    try {
+      // @ts-ignore - expo-crypto is an optional peer dependency
+      const ExpoCrypto = await import('expo-crypto');
+      
+      return {
+        async randomBytes(size: number): Promise<Uint8Array> {
+          const bytes = await ExpoCrypto.getRandomBytesAsync(size);
+          return new Uint8Array(bytes);
+        },
+        async sha256(message: string): Promise<string> {
+          return ExpoCrypto.digestStringAsync(
+            ExpoCrypto.CryptoDigestAlgorithm.SHA256,
+            message
+          );
+        },
+      };
+    } catch (error) {
+      throw new Error(
+        `expo-crypto is required in React Native environment: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  // Web platform - use Web Crypto API
+  if (typeof window !== 'undefined' && window.crypto) {
+    return {
+      async randomBytes(size: number): Promise<Uint8Array> {
+        return window.crypto.getRandomValues(new Uint8Array(size));
+      },
+      async sha256(message: string): Promise<string> {
+        const encoder = new TextEncoder();
+        const data = encoder.encode(message);
+        const hashBuffer = await window.crypto.subtle.digest('SHA-256', data);
+        const hashArray = Array.from(new Uint8Array(hashBuffer));
+        return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+      },
+    };
+  }
+
+  throw new Error('No suitable crypto implementation found for current platform');
+}
+