@oxyhq/services 5.16.35 → 5.16.37

package/src/crypto/core.ts

@@ -0,0 +1,142 @@
+/**
+ * Core Cryptographic Functions - Platform Agnostic
+ * 
+ * This module contains the core signature verification logic
+ * that is shared between all platforms (React Native, Node.js, Web).
+ * Platform-specific implementations (hashing, random generation) are injected.
+ */
+
+import { ec as EC } from 'elliptic';
+import type { EC as ECType } from 'elliptic';
+
+const ec = new EC('secp256k1');
+
+// Constants for signature validation
+export const CHALLENGE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+export const MAX_SIGNATURE_AGE_MS = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Core signature verification using elliptic curve
+ * This is platform-agnostic and works everywhere
+ */
+export function verifySignatureCore(
+  messageHash: string,
+  signature: string,
+  publicKey: string
+): boolean {
+  try {
+    const key = ec.keyFromPublic(publicKey, 'hex');
+    return key.verify(messageHash, signature);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Validate that a string is a valid public key
+ */
+export function isValidPublicKey(publicKey: string): boolean {
+  // Reject empty strings
+  if (!publicKey || publicKey.trim().length === 0) {
+    return false;
+  }
+  
+  try {
+    ec.keyFromPublic(publicKey, 'hex');
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Validate that a string is a valid private key
+ */
+export function isValidPrivateKey(privateKey: string): boolean {
+  // Reject empty strings
+  if (!privateKey || privateKey.trim().length === 0) {
+    return false;
+  }
+  
+  // Private keys must be 64 hex characters (32 bytes)
+  if (!/^[0-9a-fA-F]{64}$/.test(privateKey)) {
+    return false;
+  }
+  
+  try {
+    const keyPair = ec.keyFromPrivate(privateKey);
+    // Verify it can derive a public key and the key is valid
+    keyPair.getPublic('hex');
+    // Check that the private key is not zero (which would be invalid)
+    const priv = keyPair.getPrivate();
+    if (!priv || priv.isZero()) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get a shortened display version of a public key
+ * Format: first 8 chars...last 8 chars
+ */
+export function shortenPublicKey(publicKey: string): string {
+  if (publicKey.length <= 20) return publicKey;
+  return `${publicKey.slice(0, 8)}...${publicKey.slice(-8)}`;
+}
+
+/**
+ * Derive public key from a private key (without storing)
+ */
+export function derivePublicKey(privateKey: string): string {
+  const keyPair = ec.keyFromPrivate(privateKey);
+  return keyPair.getPublic('hex');
+}
+
+/**
+ * Check timestamp freshness
+ */
+export function isTimestampFresh(timestamp: number, maxAgeMs: number = MAX_SIGNATURE_AGE_MS): boolean {
+  const now = Date.now();
+  return (now - timestamp) <= maxAgeMs;
+}
+
+/**
+ * Build authentication challenge message
+ * Format: auth:{publicKey}:{challenge}:{timestamp}
+ */
+export function buildAuthMessage(publicKey: string, challenge: string, timestamp: number): string {
+  return `auth:${publicKey}:${challenge}:${timestamp}`;
+}
+
+/**
+ * Build registration message
+ * Format: oxy:register:{publicKey}:{timestamp}
+ */
+export function buildRegistrationMessage(publicKey: string, timestamp: number): string {
+  return `oxy:register:${publicKey}:${timestamp}`;
+}
+
+/**
+ * Build request signature message
+ * Format: request:{publicKey}:{timestamp}:{canonicalString}
+ */
+export function buildRequestMessage(
+  publicKey: string,
+  timestamp: number,
+  data: Record<string, unknown>
+): string {
+  const sortedKeys = Object.keys(data).sort();
+  const canonicalParts = sortedKeys.map(key => `${key}:${JSON.stringify(data[key])}`);
+  const canonicalString = canonicalParts.join('|');
+  return `request:${publicKey}:${timestamp}:${canonicalString}`;
+}
+
+/**
+ * Get the elliptic curve instance (for key generation)
+ */
+export function getEllipticCurve(): ECType {
+  return ec;
+}

package/src/crypto/index.ts

@@ -3,15 +3,6 @@
  * 
  * Provides cryptographic identity management for the Oxy ecosystem.
  * Handles key generation, secure storage, and digital signatures.
- * 
- * ⚠️ IMPORTANT: KeyManager is primarily intended for use in the Oxy Accounts app.
- * While it's exported here for convenience, third-party applications should NOT
- * generate or store user identities. The Accounts app is the identity wallet.
- * 
- * For third-party apps:
- * - Use SignatureService for signing operations (but keys come from Accounts app)
- * - Do NOT call KeyManager.createIdentity() or KeyManager.importKeyPair()
- * - The Oxy Accounts app handles all identity generation and key storage
  */
 
 // Import polyfills first - this ensures Buffer is available for crypto libraries
@@ -25,7 +16,9 @@ export {
 } from './signatureService';
 export { type BackupData } from './types';
 
+// Export core crypto utilities (shared across platforms)
+export * from './core';
+
 // Re-export for convenience
 export { KeyManager as default } from './keyManager';
 
-

package/src/crypto/keyManager.ts

@@ -1,20 +1,38 @@
 /**
  * Key Manager - ECDSA secp256k1 Key Generation and Storage
  * 
- * Handles secure generation, storage, and retrieval of cryptographic keys.
+ * ⚠️ **FOR OXY ACCOUNTS APP ONLY**
+ * 
+ * This module handles secure generation, storage, and retrieval of cryptographic keys.
  * Private keys are stored securely using expo-secure-store and never leave the device.
+ * 
+ * **IMPORTANT**: Third-party apps should NOT use KeyManager directly.
+ * Instead, use the OxyServices authentication flows which communicate with the
+ * Oxy Accounts app via deep links/QR codes to obtain user authorization.
+ * 
+ * The Oxy Accounts app is the sole owner of the user's private key and identity.
+ * Other apps request authentication from the Accounts app, which signs challenges
+ * and returns authorization to the requesting app via the API.
+ * 
+ * @see {@link https://github.com/OxyHQ/OxyHQServices/blob/main/packages/services/src/crypto/README.md|Crypto Module Documentation}
  */
 
 import { ec as EC } from 'elliptic';
 import type { ECKeyPair } from 'elliptic';
 import { Platform } from 'react-native';
-import { shortenPublicKey as sharedShortenPublicKey } from '../shared';
+import {
+  isValidPublicKey as validatePublicKey,
+  isValidPrivateKey as validatePrivateKey,
+  derivePublicKey as derivePublicKeyFromPrivate,
+  shortenPublicKey as shortenKey,
+  getEllipticCurve,
+} from './core';
 
 // Lazy imports for React Native specific modules
 let SecureStore: typeof import('expo-secure-store') | null = null;
 let ExpoCrypto: typeof import('expo-crypto') | null = null;
 
-const ec = new EC('secp256k1');
+const ec = getEllipticCurve();
 
 const STORAGE_KEYS = {
   PRIVATE_KEY: 'oxy_identity_private_key',
@@ -505,34 +523,21 @@ export class KeyManager {
    * Derive public key from a private key (without storing)
    */
   static derivePublicKey(privateKey: string): string {
-    const keyPair = ec.keyFromPrivate(privateKey);
-    return keyPair.getPublic('hex');
+    return derivePublicKeyFromPrivate(privateKey);
   }
 
   /**
    * Validate that a string is a valid public key
    */
   static isValidPublicKey(publicKey: string): boolean {
-    try {
-      ec.keyFromPublic(publicKey, 'hex');
-      return true;
-    } catch {
-      return false;
-    }
+    return validatePublicKey(publicKey);
   }
 
   /**
    * Validate that a string is a valid private key
    */
   static isValidPrivateKey(privateKey: string): boolean {
-    try {
-      const keyPair = ec.keyFromPrivate(privateKey);
-      // Verify it can derive a public key
-      keyPair.getPublic('hex');
-      return true;
-    } catch {
-      return false;
-    }
+    return validatePrivateKey(privateKey);
   }
 
   /**
@@ -540,8 +545,7 @@ export class KeyManager {
    * Format: first 8 chars...last 8 chars
    */
   static shortenPublicKey(publicKey: string): string {
-    // Use shared utility
-    return sharedShortenPublicKey(publicKey);
+    return shortenKey(publicKey);
   }
 }
 

package/src/crypto/signatureService.ts

@@ -4,26 +4,88 @@
  * Handles signing and verification of messages using ECDSA secp256k1.
  * Used for authenticating requests and proving identity ownership.
  * 
- * Note: This service handles SIGNING (requires private key access via KeyManager).
- * For VERIFICATION, use the shared SignatureService from '../shared' instead.
+ * This service provides async methods for cross-platform compatibility (React Native + Node).
+ * For Node.js-only synchronous operations, use the node/signatureService module.
  */
 
-import { ec as EC } from 'elliptic';
 import { KeyManager } from './keyManager';
 import {
+  verifySignatureCore,
+  isValidPublicKey as validatePublicKey,
+  isTimestampFresh,
   buildAuthMessage,
   buildRegistrationMessage,
   buildRequestMessage,
-  getCryptoAdapter,
-  SignatureService as SharedSignatureService,
-  isTimestampFresh,
-  type SignedMessage,
-} from '../shared';
+  shortenPublicKey as shortenKey,
+  getEllipticCurve,
+} from './core';
+
+// Lazy import for expo-crypto
+let ExpoCrypto: typeof import('expo-crypto') | null = null;
+
+const ec = getEllipticCurve();
+
+/**
+ * Check if we're in a React Native environment
+ */
+function isReactNative(): boolean {
+  return typeof navigator !== 'undefined' && navigator.product === 'ReactNative';
+}
+
+/**
+ * Check if we're in a Node.js environment
+ */
+function isNodeJS(): boolean {
+  return typeof process !== 'undefined' && process.versions != null && process.versions.node != null;
+}
 
-const ec = new EC('secp256k1');
+/**
+ * Initialize expo-crypto module
+ */
+async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
+  if (!ExpoCrypto) {
+    ExpoCrypto = await import('expo-crypto');
+  }
+  return ExpoCrypto;
+}
 
-// Re-export shared types
-export type { SignedMessage } from '../shared';
+/**
+ * Compute SHA-256 hash of a string
+ */
+async function sha256(message: string): Promise<string> {
+  // In React Native, always use expo-crypto
+  if (isReactNative() || !isNodeJS()) {
+    const Crypto = await initExpoCrypto();
+    return Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      message
+    );
+  }
+  
+  // In Node.js, use Node's crypto module
+  // Use Function constructor to prevent Metro bundler from statically analyzing this require
+  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-implied-eval
+    const getCrypto = new Function('return require("crypto")');
+    const crypto = getCrypto();
+    return crypto.createHash('sha256').update(message).digest('hex');
+  } catch (error) {
+    // Fallback to expo-crypto if Node crypto fails
+    const Crypto = await initExpoCrypto();
+    return Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      message
+    );
+  }
+}
+
+export interface SignedMessage {
+  message: string;
+  signature: string;
+  publicKey: string;
+  timestamp: number;
+}
 
 export interface AuthChallenge {
   challenge: string;
@@ -34,23 +96,39 @@ export interface AuthChallenge {
 export class SignatureService {
   /**
    * Generate a random challenge string (for offline use)
-   * Uses shared crypto adapter
+   * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
    */
   static async generateChallenge(): Promise<string> {
-    const adapter = await getCryptoAdapter();
-    const randomBytes = await adapter.randomBytes(32);
-    return Array.from(randomBytes)
-      .map((b: number) => b.toString(16).padStart(2, '0'))
-      .join('');
+    if (isReactNative() || !isNodeJS()) {
+      // Use expo-crypto for React Native (expo-random is deprecated)
+      const Crypto = await initExpoCrypto();
+      const randomBytes = await Crypto.getRandomBytesAsync(32);
+      return Array.from(randomBytes)
+        .map((b: number) => b.toString(16).padStart(2, '0'))
+        .join('');
+    }
+    
+    // Node.js fallback
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const crypto = getCrypto();
+      return crypto.randomBytes(32).toString('hex');
+    } catch (error) {
+      // Fallback to expo-crypto if Node crypto fails
+      const Crypto = await initExpoCrypto();
+      const randomBytes = await Crypto.getRandomBytesAsync(32);
+      return Array.from(randomBytes)
+        .map((b: number) => b.toString(16).padStart(2, '0'))
+        .join('');
+    }
   }
 
   /**
    * Hash a message using SHA-256
-   * Uses shared crypto adapter
    */
   static async hashMessage(message: string): Promise<string> {
-    const adapter = await getCryptoAdapter();
-    return adapter.sha256(message);
+    return sha256(message);
   }
 
   /**
@@ -63,8 +141,7 @@ export class SignatureService {
       throw new Error('No identity found. Please create or import an identity first.');
     }
 
-    const adapter = await getCryptoAdapter();
-    const messageHash = await adapter.sha256(message);
+    const messageHash = await sha256(message);
     const signature = keyPair.sign(messageHash);
     return signature.toDER('hex');
   }
@@ -75,18 +152,43 @@ export class SignatureService {
    */
   static async signWithKey(message: string, privateKey: string): Promise<string> {
     const keyPair = ec.keyFromPrivate(privateKey);
-    const adapter = await getCryptoAdapter();
-    const messageHash = await adapter.sha256(message);
+    const messageHash = await sha256(message);
     const signature = keyPair.sign(messageHash);
     return signature.toDER('hex');
   }
 
   /**
    * Verify a signature against a message and public key
-   * Uses shared SignatureService for verification
    */
   static async verify(message: string, signature: string, publicKey: string): Promise<boolean> {
-    return SharedSignatureService.verify(message, signature, publicKey);
+    try {
+      const messageHash = await sha256(message);
+      return verifySignatureCore(messageHash, signature, publicKey);
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Synchronous verification (for Node.js backend)
+   * Uses crypto module directly for hashing
+   * Note: This method should only be used in Node.js environments
+   */
+  static verifySync(message: string, signature: string, publicKey: string): boolean {
+    try {
+      if (!isNodeJS()) {
+        // In React Native, use async verify instead
+        throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
+      }
+      // Use Function constructor to prevent Metro bundler from statically analyzing this require
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const crypto = getCrypto();
+      const messageHash = crypto.createHash('sha256').update(message).digest('hex');
+      return verifySignatureCore(messageHash, signature, publicKey);
+    } catch {
+      return false;
+    }
   }
 
   /**
@@ -113,7 +215,6 @@ export class SignatureService {
   /**
    * Verify a signed message object
    * Checks both signature validity and timestamp freshness
-   * Uses shared SignatureService for verification
    */
   static async verifySignedMessage(
     signedMessage: SignedMessage,
@@ -128,7 +229,7 @@ export class SignatureService {
 
     // Verify signature
     const messageWithTimestamp = `${message}:${timestamp}`;
-    return SharedSignatureService.verify(messageWithTimestamp, signature, publicKey);
+    return SignatureService.verify(messageWithTimestamp, signature, publicKey);
   }
 
   /**
@@ -154,7 +255,6 @@ export class SignatureService {
 
   /**
    * Verify a challenge response
-   * Uses shared SignatureService for verification
    */
   static async verifyChallengeResponse(
     originalChallenge: string,
@@ -162,13 +262,14 @@ export class SignatureService {
     maxAgeMs: number = 5 * 60 * 1000
   ): Promise<boolean> {
     const { challenge: signature, publicKey, timestamp } = response;
-    return SharedSignatureService.verifyChallengeResponse(
-      publicKey,
-      originalChallenge,
-      signature,
-      timestamp,
-      maxAgeMs
-    );
+
+    // Check timestamp freshness
+    if (!isTimestampFresh(timestamp, maxAgeMs)) {
+      return false;
+    }
+
+    const message = buildAuthMessage(publicKey, originalChallenge, timestamp);
+    return SignatureService.verify(message, signature, publicKey);
   }
 
   /**

package/src/index.ts

@@ -48,12 +48,11 @@ export {
 } from './utils/languageUtils';
 export type { LanguageMetadata } from './utils/languageUtils';
 
-// Shared models and utilities (bundled for external consumers)
-export * from './shared';
-
 // Type exports
 export type {
   OxyConfig,
+  User,
+  LoginResponse,
   Notification,
   Wallet,
   Transaction,

package/src/models/interfaces.ts

@@ -1,12 +1,3 @@
-/**
- * Services Package Interfaces
- * 
- * Package-specific interfaces. For shared models (User, Session, etc.),
- * import directly from the shared module:
- * 
- * import { User, LoginResponse, Session } from '../shared';
- */
-
 export interface OxyConfig {
   baseURL: string;
   cloudURL?: string;
@@ -30,8 +21,65 @@ export interface OxyConfig {
   onRequestError?: (url: string, method: string, error: Error) => void;
 }
 
-// Note: User and LoginResponse are in the shared module
-// Import them directly: import { User, LoginResponse } from '../shared';
+/**
+ * User Model
+ * 
+ * IMPORTANT: 
+ * - id: MongoDB ObjectId (24 hex characters) - PRIMARY IDENTIFIER for all internal operations
+ * - publicKey: Cryptographic public key (130 hex characters) - LOOKUP KEY for authentication and identity operations
+ * 
+ * Never use publicKey as an ID. Always use id (ObjectId) for:
+ * - Database queries
+ * - Session userId
+ * - Token userId
+ * - Socket room names
+ * - API route parameters (unless explicitly doing publicKey lookup)
+ */
+export interface User {
+  id: string;           // MongoDB ObjectId - PRIMARY IDENTIFIER (always 24 hex chars)
+  publicKey: string;    // Cryptographic public key - LOOKUP KEY (130 hex chars for secp256k1)
+  username: string;
+  email?: string;
+  // Avatar file id (asset id)
+  avatar?: string;
+  // Privacy and security settings
+  privacySettings?: {
+    [key: string]: unknown;
+  };
+  name?: {
+    first?: string;
+    last?: string;
+    full?: string; // virtual, not stored in DB, returned by API
+    [key: string]: unknown;
+  };
+  bio?: string;
+  karma?: number;
+  location?: string;
+  website?: string;
+  createdAt?: string;
+  updatedAt?: string;
+  links?: Array<{
+    title?: string;
+    description?: string;
+    image?: string;
+    link: string;
+  }>;
+  // Social counts
+  _count?: {
+    followers?: number;
+    following?: number;
+  };
+  accountExpiresAfterInactivityDays?: number | null; // Days of inactivity before account expires (null = never expire)
+  [key: string]: unknown;
+}
+
+export interface LoginResponse {
+  accessToken?: string;
+  refreshToken?: string;
+  token?: string; // For backwards compatibility
+  user: User;
+  message?: string;
+}
 
 export interface Notification {
   id: string;
@@ -104,8 +152,17 @@ export interface TransactionResponse {
   transaction: Transaction;
 }
 
-// Note: PaginationInfo and SearchProfilesResponse are in the shared module
-// Import them directly: import { PaginationInfo, SearchProfilesResponse } from '../shared';
+export interface PaginationInfo {
+  total: number;
+  limit: number;
+  offset: number;
+  hasMore: boolean;
+}
+
+export interface SearchProfilesResponse {
+  data: User[];
+  pagination: PaginationInfo;
+}
 
 export interface KarmaRule {
   id: string;
@@ -318,6 +375,8 @@ export interface AssetUrlResponse {
 
 export interface AssetDeleteSummary {
   fileId: string;
+  wouldDelete: boolean;
+  affectedApps: string[];
   remainingLinks: number;
   variants: string[];
 }
@@ -435,7 +494,6 @@ export interface AssetUploadProgress {
 }
 
 // Device Session interfaces
-// Note: User type should be imported from the shared module
 export interface DeviceSession {
   sessionId: string;
   deviceId: string;
@@ -444,13 +502,7 @@ export interface DeviceSession {
   lastActive: string;
   expiresAt: string;
   isCurrent: boolean;
-  user?: {
-    id: string;
-    publicKey: string;
-    username: string;
-    avatar?: string;
-    [key: string]: unknown;
-  }; // Partial User - import full User type from '../shared' if needed
+  user?: User;
   createdAt?: string;
 }
 

package/src/node/index.ts

@@ -13,5 +13,8 @@ export { OxyServices, OXY_CLOUD_URL, oxyClient };
 export { Models };  // Export all models as a namespace
 export * from '../models/interfaces'; // Export all models directly
 
+// ------------- Node-Specific Crypto Exports -------------
+export { SignatureService } from './signatureService';
+
 // Default export for consistency or specific use cases if needed
 export default OxyServices;