npm - @oxyhq/services - Versions diffs - 5.16.34 → 5.16.35 - Mend

@oxyhq/services 5.16.34 → 5.16.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (150) hide show

package/src/core/services/SessionService.ts CHANGED Viewed

@@ -14,7 +14,7 @@
 import type { OxyServices } from '../OxyServices';
 import { tokenService } from './TokenService';
 import type { ClientSession, SessionLoginResponse } from '../../models/session';
-import type { User } from '@oxyhq/shared';
+import type { User } from '../../shared';
 export interface Session {
   sessionId: string;

package/src/core/services/SessionTransportService.ts CHANGED Viewed

@@ -11,7 +11,7 @@ import {
   type TransportConfig,
   type TransportCallbacks,
   type TransportUpdate,
-} from '@oxyhq/shared';
+} from '../../shared';
 export class SessionTransportService {
   private transport: any = null;

package/src/core/services/UserService.ts CHANGED Viewed

@@ -8,7 +8,7 @@
  */
 import type { OxyConfig } from '../../models/interfaces';
-import type { User, SearchProfilesResponse, PaginationInfo } from '@oxyhq/shared';
+import type { User, SearchProfilesResponse, PaginationInfo } from '../../shared';
 import { HttpService } from '../HttpService';
 export interface PaginationParams {

package/src/crypto/keyManager.ts CHANGED Viewed

@@ -8,6 +8,7 @@
 import { ec as EC } from 'elliptic';
 import type { ECKeyPair } from 'elliptic';
 import { Platform } from 'react-native';
+import { shortenPublicKey as sharedShortenPublicKey } from '../shared';
 // Lazy imports for React Native specific modules
 let SecureStore: typeof import('expo-secure-store') | null = null;
@@ -540,8 +541,7 @@ export class KeyManager {
    */
   static shortenPublicKey(publicKey: string): string {
     // Use shared utility
-    const { shortenPublicKey } = require('@oxyhq/shared');
-    return shortenPublicKey(publicKey);
+    return sharedShortenPublicKey(publicKey);
   }
 }

package/src/crypto/signatureService.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  * Used for authenticating requests and proving identity ownership.
  *
  * Note: This service handles SIGNING (requires private key access via KeyManager).
- * For VERIFICATION, use @oxyhq/shared SignatureService instead.
+ * For VERIFICATION, use the shared SignatureService from '../shared' instead.
  */
 import { ec as EC } from 'elliptic';
@@ -15,13 +15,15 @@ import {
   buildRegistrationMessage,
   buildRequestMessage,
   getCryptoAdapter,
+  SignatureService as SharedSignatureService,
+  isTimestampFresh,
   type SignedMessage,
-} from '@oxyhq/shared';
+} from '../shared';
 const ec = new EC('secp256k1');
 // Re-export shared types
-export type { SignedMessage } from '@oxyhq/shared';
+export type { SignedMessage } from '../shared';
 export interface AuthChallenge {
   challenge: string;
@@ -84,7 +86,6 @@ export class SignatureService {
    * Uses shared SignatureService for verification
    */
   static async verify(message: string, signature: string, publicKey: string): Promise<boolean> {
-    const { SignatureService: SharedSignatureService } = await import('@oxyhq/shared');
     return SharedSignatureService.verify(message, signature, publicKey);
   }
@@ -118,7 +119,6 @@ export class SignatureService {
     signedMessage: SignedMessage,
     maxAgeMs: number = 5 * 60 * 1000 // 5 minutes default
   ): Promise<boolean> {
-    const { SignatureService: SharedSignatureService, isTimestampFresh } = await import('@oxyhq/shared');
     const { message, signature, publicKey, timestamp } = signedMessage;
     // Check timestamp freshness
@@ -161,7 +161,6 @@ export class SignatureService {
     response: AuthChallenge,
     maxAgeMs: number = 5 * 60 * 1000
   ): Promise<boolean> {
-    const { SignatureService: SharedSignatureService } = await import('@oxyhq/shared');
     const { challenge: signature, publicKey, timestamp } = response;
     return SharedSignatureService.verifyChallengeResponse(
       publicKey,

package/src/index.ts CHANGED Viewed

@@ -48,8 +48,10 @@ export {
 } from './utils/languageUtils';
 export type { LanguageMetadata } from './utils/languageUtils';
+// Shared models and utilities (bundled for external consumers)
+export * from './shared';
 // Type exports
-// Note: User and LoginResponse should be imported from @oxyhq/shared
 export type {
   OxyConfig,
   Notification,

package/src/models/interfaces.ts CHANGED Viewed

@@ -2,9 +2,9 @@
  * Services Package Interfaces
  *
  * Package-specific interfaces. For shared models (User, Session, etc.),
- * import directly from @oxyhq/shared:
+ * import directly from the shared module:
  *
- * import { User, LoginResponse, Session } from '@oxyhq/shared';
+ * import { User, LoginResponse, Session } from '../shared';
  */
 export interface OxyConfig {
@@ -30,8 +30,8 @@ export interface OxyConfig {
   onRequestError?: (url: string, method: string, error: Error) => void;
 }
-// Note: User and LoginResponse are in @oxyhq/shared
-// Import them directly: import { User, LoginResponse } from '@oxyhq/shared';
+// Note: User and LoginResponse are in the shared module
+// Import them directly: import { User, LoginResponse } from '../shared';
 export interface Notification {
   id: string;
@@ -104,8 +104,8 @@ export interface TransactionResponse {
   transaction: Transaction;
 }
-// Note: PaginationInfo and SearchProfilesResponse are in @oxyhq/shared
-// Import them directly: import { PaginationInfo, SearchProfilesResponse } from '@oxyhq/shared';
+// Note: PaginationInfo and SearchProfilesResponse are in the shared module
+// Import them directly: import { PaginationInfo, SearchProfilesResponse } from '../shared';
 export interface KarmaRule {
   id: string;
@@ -435,7 +435,7 @@ export interface AssetUploadProgress {
 }
 // Device Session interfaces
-// Note: User type should be imported from @oxyhq/shared
+// Note: User type should be imported from the shared module
 export interface DeviceSession {
   sessionId: string;
   deviceId: string;
@@ -450,7 +450,7 @@ export interface DeviceSession {
     username: string;
     avatar?: string;
     [key: string]: unknown;
-  }; // Partial User - import full User type from @oxyhq/shared if needed
+  }; // Partial User - import full User type from '../shared' if needed
   createdAt?: string;
 }

package/src/shared/crypto/messageBuilders.ts ADDED Viewed

@@ -0,0 +1,89 @@
+/**
+ * Canonical Message Builders
+ *
+ * Creates standardized, canonical message formats for signing.
+ * These formats are used consistently across Accounts, Services SDK, and API.
+ */
+import type { SignedMessage, AuthChallengeResponse } from '../models/index';
+/**
+ * Build authentication message for challenge-response
+ * Format: auth:{publicKey}:{challenge}:{timestamp}
+ */
+export function buildAuthMessage(
+  publicKey: string,
+  challenge: string,
+  timestamp: number
+): string {
+  return `auth:${publicKey}:${challenge}:${timestamp}`;
+}
+/**
+ * Build registration message
+ * Format: oxy:register:{publicKey}:{timestamp}
+ */
+export function buildRegistrationMessage(
+  publicKey: string,
+  timestamp: number
+): string {
+  return `oxy:register:${publicKey}:${timestamp}`;
+}
+/**
+ * Build request signing message
+ * Format: request:{publicKey}:{timestamp}:{canonicalData}
+ */
+export function buildRequestMessage(
+  publicKey: string,
+  timestamp: number,
+  data: Record<string, unknown>
+): string {
+  // Create canonical string representation
+  const sortedKeys = Object.keys(data).sort();
+  const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
+  const canonicalString = canonicalParts.join('|');
+  return `request:${publicKey}:${timestamp}:${canonicalString}`;
+}
+/**
+ * Create canonical data representation for signing
+ * Sorts keys and creates a consistent string representation
+ */
+export function canonicalizeData(data: Record<string, unknown>): string {
+  const sortedKeys = Object.keys(data).sort();
+  const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
+  return canonicalParts.join('|');
+}
+/**
+ * Build auth challenge response payload
+ * Helper to construct the signed challenge response
+ */
+export function buildAuthChallengeResponse(
+  publicKey: string,
+  challenge: string,
+  signature: string,
+  timestamp: number
+): AuthChallengeResponse {
+  return {
+    challenge,
+    publicKey,
+    signature,
+    timestamp,
+  };
+}
+/**
+ * Validate timestamp freshness
+ * Ensures signed messages are not too old
+ */
+export function isTimestampFresh(
+  timestamp: number,
+  maxAgeMs: number = 5 * 60 * 1000 // 5 minutes default
+): boolean {
+  const now = Date.now();
+  return (now - timestamp) <= maxAgeMs && timestamp <= now;
+}

package/src/shared/crypto/platform.ts ADDED Viewed

@@ -0,0 +1,140 @@
+/**
+ * Platform Detection and Adapters
+ *
+ * Provides environment detection and platform-specific crypto adapters
+ * to support Node.js, React Native, and Web environments.
+ */
+/**
+ * Platform types
+ */
+export type Platform = 'node' | 'react-native' | 'web';
+/**
+ * Platform detection utilities
+ */
+export const PlatformDetector = {
+  /**
+   * Detect current platform
+   */
+  detect(): Platform {
+    if (typeof window === 'undefined' && typeof process !== 'undefined' && process.versions?.node) {
+      return 'node';
+    }
+    if (typeof navigator !== 'undefined' && navigator.product === 'ReactNative') {
+      return 'react-native';
+    }
+    return 'web';
+  },
+  /**
+   * Check if running in Node.js
+   */
+  isNode(): boolean {
+    return this.detect() === 'node';
+  },
+  /**
+   * Check if running in React Native
+   */
+  isReactNative(): boolean {
+    return this.detect() === 'react-native';
+  },
+  /**
+   * Check if running in Web browser
+   */
+  isWeb(): boolean {
+    return this.detect() === 'web';
+  },
+};
+/**
+ * Crypto adapter interface
+ * Platform-specific implementations must implement this interface
+ */
+export interface CryptoAdapter {
+  /**
+   * Generate random bytes
+   */
+  randomBytes(size: number): Promise<Uint8Array>;
+  /**
+   * Compute SHA-256 hash
+   */
+  sha256(message: string): Promise<string>;
+  /**
+   * Synchronous SHA-256 hash (Node.js only)
+   */
+  sha256Sync?(message: string): string;
+}
+/**
+ * Get the appropriate crypto adapter for the current platform
+ */
+export async function getCryptoAdapter(): Promise<CryptoAdapter> {
+  const platform = PlatformDetector.detect();
+  if (platform === 'node') {
+    // eslint-disable-next-line @typescript-eslint/no-implied-eval
+    const getCrypto = new Function('return require("crypto")');
+    const crypto = getCrypto();
+    return {
+      async randomBytes(size: number): Promise<Uint8Array> {
+        return new Uint8Array(crypto.randomBytes(size));
+      },
+      async sha256(message: string): Promise<string> {
+        return crypto.createHash('sha256').update(message).digest('hex');
+      },
+      sha256Sync(message: string): string {
+        return crypto.createHash('sha256').update(message).digest('hex');
+      },
+    };
+  }
+  if (platform === 'react-native') {
+    // Lazy load expo-crypto (peer dependency)
+    try {
+      // @ts-ignore - expo-crypto is an optional peer dependency
+      const ExpoCrypto = await import('expo-crypto');
+      return {
+        async randomBytes(size: number): Promise<Uint8Array> {
+          const bytes = await ExpoCrypto.getRandomBytesAsync(size);
+          return new Uint8Array(bytes);
+        },
+        async sha256(message: string): Promise<string> {
+          return ExpoCrypto.digestStringAsync(
+            ExpoCrypto.CryptoDigestAlgorithm.SHA256,
+            message
+          );
+        },
+      };
+    } catch (error) {
+      throw new Error(
+        `expo-crypto is required in React Native environment: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+  // Web platform - use Web Crypto API
+  if (typeof window !== 'undefined' && window.crypto) {
+    return {
+      async randomBytes(size: number): Promise<Uint8Array> {
+        return window.crypto.getRandomValues(new Uint8Array(size));
+      },
+      async sha256(message: string): Promise<string> {
+        const encoder = new TextEncoder();
+        const data = encoder.encode(message);
+        const hashBuffer = await window.crypto.subtle.digest('SHA-256', data);
+        const hashArray = Array.from(new Uint8Array(hashBuffer));
+        return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+      },
+    };
+  }
+  throw new Error('No suitable crypto implementation found for current platform');
+}

package/src/shared/crypto/signature.ts ADDED Viewed

@@ -0,0 +1,235 @@
+/**
+ * Signature Verification Service
+ *
+ * Unified signature verification used by both backend (API) and SDK.
+ * Uses platform adapters for crypto operations while keeping message construction shared.
+ */
+import { ec as EC } from 'elliptic';
+import { getCryptoAdapter, PlatformDetector } from './platform';
+import {
+  buildAuthMessage,
+  buildRegistrationMessage,
+  buildRequestMessage,
+  isTimestampFresh,
+} from './messageBuilders';
+const ec = new EC('secp256k1');
+/**
+ * Maximum age for signed messages (5 minutes)
+ */
+export const MAX_SIGNATURE_AGE_MS = 5 * 60 * 1000;
+/**
+ * Challenge TTL (5 minutes)
+ */
+export const CHALLENGE_TTL_MS = 5 * 60 * 1000;
+/**
+ * Signature Service
+ * Provides signature verification that works across all platforms
+ */
+export class SignatureService {
+  /**
+   * Verify an ECDSA signature
+   *
+   * @param message - The original message that was signed
+   * @param signature - The signature in DER format (hex encoded)
+   * @param publicKey - The public key (hex encoded, uncompressed)
+   * @returns true if the signature is valid
+   */
+  static async verify(
+    message: string,
+    signature: string,
+    publicKey: string
+  ): Promise<boolean> {
+    try {
+      const key = ec.keyFromPublic(publicKey, 'hex');
+      const adapter = await getCryptoAdapter();
+      const messageHash = await adapter.sha256(message);
+      return key.verify(messageHash, signature);
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Synchronous signature verification (Node.js only)
+   * Uses Node.js crypto module directly for hashing
+   */
+  static verifySync(
+    message: string,
+    signature: string,
+    publicKey: string
+  ): boolean {
+    if (!PlatformDetector.isNode()) {
+      throw new Error(
+        'verifySync should only be used in Node.js. Use verify() in other environments.'
+      );
+    }
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const crypto = getCrypto();
+      const key = ec.keyFromPublic(publicKey, 'hex');
+      const messageHash = crypto.createHash('sha256').update(message).digest('hex');
+      return key.verify(messageHash, signature);
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Verify an authentication challenge response
+   *
+   * @param publicKey - The user's public key
+   * @param challenge - The original challenge string
+   * @param signature - The signature of the auth message
+   * @param timestamp - The timestamp when the signature was created
+   * @param maxAgeMs - Maximum age of the signature in milliseconds
+   * @returns true if the challenge response is valid
+   */
+  static async verifyChallengeResponse(
+    publicKey: string,
+    challenge: string,
+    signature: string,
+    timestamp: number,
+    maxAgeMs: number = CHALLENGE_TTL_MS
+  ): Promise<boolean> {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+    // Build the canonical message
+    const message = buildAuthMessage(publicKey, challenge, timestamp);
+    // Verify the signature
+    return this.verify(message, signature, publicKey);
+  }
+  /**
+   * Synchronous challenge response verification (Node.js only)
+   */
+  static verifyChallengeResponseSync(
+    publicKey: string,
+    challenge: string,
+    signature: string,
+    timestamp: number,
+    maxAgeMs: number = CHALLENGE_TTL_MS
+  ): boolean {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+    // Build the canonical message
+    const message = buildAuthMessage(publicKey, challenge, timestamp);
+    // Verify the signature
+    return this.verifySync(message, signature, publicKey);
+  }
+  /**
+   * Verify a registration signature
+   * Signature format: oxy:register:{publicKey}:{timestamp}
+   */
+  static async verifyRegistrationSignature(
+    publicKey: string,
+    signature: string,
+    timestamp: number,
+    maxAgeMs: number = MAX_SIGNATURE_AGE_MS
+  ): Promise<boolean> {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+    // Build the canonical message
+    const message = buildRegistrationMessage(publicKey, timestamp);
+    // Verify the signature
+    return this.verify(message, signature, publicKey);
+  }
+  /**
+   * Synchronous registration signature verification (Node.js only)
+   */
+  static verifyRegistrationSignatureSync(
+    publicKey: string,
+    signature: string,
+    timestamp: number,
+    maxAgeMs: number = MAX_SIGNATURE_AGE_MS
+  ): boolean {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+    // Build the canonical message
+    const message = buildRegistrationMessage(publicKey, timestamp);
+    // Verify the signature
+    return this.verifySync(message, signature, publicKey);
+  }
+  /**
+   * Verify a signed request
+   * Used for authenticated API operations
+   */
+  static async verifyRequestSignature(
+    publicKey: string,
+    data: Record<string, unknown>,
+    signature: string,
+    timestamp: number,
+    maxAgeMs: number = MAX_SIGNATURE_AGE_MS
+  ): Promise<boolean> {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+    // Build the canonical message
+    const message = buildRequestMessage(publicKey, timestamp, data);
+    // Verify the signature
+    return this.verify(message, signature, publicKey);
+  }
+  /**
+   * Synchronous request signature verification (Node.js only)
+   */
+  static verifyRequestSignatureSync(
+    publicKey: string,
+    data: Record<string, unknown>,
+    signature: string,
+    timestamp: number,
+    maxAgeMs: number = MAX_SIGNATURE_AGE_MS
+  ): boolean {
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+    // Build the canonical message
+    const message = buildRequestMessage(publicKey, timestamp, data);
+    // Verify the signature
+    return this.verifySync(message, signature, publicKey);
+  }
+  /**
+   * Validate that a string is a valid public key
+   */
+  static isValidPublicKey(publicKey: string): boolean {
+    try {
+      ec.keyFromPublic(publicKey, 'hex');
+      return true;
+    } catch {
+      return false;
+    }
+  }
+}

package/src/shared/index.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * @oxyhq/shared
+ *
+ * Shared utilities, models, and crypto primitives for OxyHQ packages.
+ *
+ * This package provides:
+ * - Canonical data models (User, Session, ChallengePayload, etc.)
+ * - Unified signature verification across platforms
+ * - Platform-agnostic crypto adapters
+ * - Shared utility functions
+ * - Canonical message builders for signing
+ */
+// Models
+export * from './models/index';
+// Crypto
+export * from './crypto/signature';
+export * from './crypto/messageBuilders';
+export * from './crypto/platform';
+export { getCryptoAdapter, PlatformDetector } from './crypto/platform';
+// Utils
+export * from './utils/index';
+// Transport
+export * from './transport/index';