@protontech/drive-sdk 0.14.4 → 0.14.6

package/src/internal/batchLoading.test.ts

@@ -1,4 +1,4 @@
-import { ProtonDriveError } from '../errors';
+import { AbortError, ProtonDriveError } from '../errors';
 import { BatchLoading } from './batchLoading';
 
 describe('BatchLoading', () => {
@@ -124,6 +124,36 @@ describe('BatchLoading', () => {
         expect((thrown as ProtonDriveError).cause).toEqual([expect.objectContaining({ message: 'iterator failed' })]);
     });
 
+    it('should rethrow AbortError immediately without accumulating', async () => {
+        const abortError = new AbortError();
+        const result: string[] = [];
+        const iterateItems = jest.fn(async function* (items: string[]) {
+            if (items.includes('a')) {
+                throw abortError;
+            }
+            for (const item of items) {
+                yield `loaded:${item}`;
+            }
+        });
+
+        batchLoading = new BatchLoading<string, string>({ iterateItems, batchSize: 2 });
+
+        let thrown: unknown;
+        try {
+            for (const item of ['a', 'b', 'c', 'd']) {
+                for await (const loadedItem of batchLoading.load(item)) {
+                    result.push(loadedItem);
+                }
+            }
+        } catch (e) {
+            thrown = e;
+        }
+
+        expect(result).toEqual([]);
+        expect(thrown).toBe(abortError);
+        expect(iterateItems).toHaveBeenCalledTimes(1);
+    });
+
     it('should throw ProtonDriveError with causes when multiple batches fail', async () => {
         const loadItems = jest.fn((items: string[]) => {
             if (items.includes('a') || items.includes('e')) {

package/src/internal/batchLoading.ts

@@ -1,6 +1,6 @@
 import { c } from 'ttag';
 
-import { ProtonDriveError } from '../errors';
+import { AbortError, ProtonDriveError } from '../errors';
 
 const DEFAULT_BATCH_LOADING = 10;
 
@@ -84,6 +84,9 @@ export class BatchLoading<ID, ITEM> {
         try {
             yield* this.iterateItems(items);
         } catch (error) {
+            if (error instanceof AbortError) {
+                throw error;
+            }
             this.errors.push(error);
         }
     }

package/src/internal/nodes/cryptoService.test.ts

@@ -86,6 +86,10 @@ describe('nodesCryptoService', () => {
         };
         // @ts-expect-error No need to implement all methods for mocking
         sharesService = {
+            getRootIDs: jest.fn(async () => ({
+                volumeId: 'volumeId',
+                rootNodeId: 'rootNodeId',
+            })),
             getMyFilesShareMemberEmailKey: jest.fn(async () => ({
                 email: 'email',
                 addressKey: 'key' as unknown as PrivateKey,
@@ -94,7 +98,7 @@ describe('nodesCryptoService', () => {
         };
 
         const nodesCryptoReporter = new NodesCryptoReporter(telemetry, sharesService);
-        cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, nodesCryptoReporter);
+        cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, sharesService, nodesCryptoReporter);
     });
 
     const parentKey = 'parentKey' as unknown as PrivateKey;
@@ -579,6 +583,7 @@ describe('nodesCryptoService', () => {
         const encryptedNode = {
             uid: 'volumeId~nodeId',
             parentUid: 'volumeId~parentId',
+            creationTime: new Date('2026-01-01'),
             encryptedCrypto: {
                 signatureEmail: 'signatureEmail',
                 nameSignatureEmail: 'nameSignatureEmail',
@@ -786,7 +791,13 @@ describe('nodesCryptoService', () => {
                         }) as any,
                 );
 
-                const result = await cryptoService.decryptNode(encryptedNode, parentKey);
+                const result = await cryptoService.decryptNode(
+                    {
+                        ...encryptedNode,
+                        creationTime: new Date('2026-01-01'),
+                    },
+                    parentKey,
+                );
                 verifyResult(result, {
                     keyAuthor: {
                         ok: false,
@@ -796,12 +807,50 @@ describe('nodesCryptoService', () => {
                         },
                     },
                 });
+                expect(account.getOwnAddresses).not.toHaveBeenCalled();
                 verifyLogEventVerificationError({
                     field: 'nodeContentKey',
                     error: 'verification error',
                 });
             });
 
+            it('on content key packet with skipped fallback verification for non-own volume', async () => {
+                driveCrypto.decryptAndVerifySessionKey = jest.fn(
+                    async () =>
+                        Promise.resolve({
+                            sessionKey: 'contentKeyPacketSessionKey',
+                            verified: VERIFICATION_STATUS.SIGNED_AND_INVALID,
+                            verificationErrors: [new Error('verification error')],
+                        }) as any,
+                );
+
+                const result = await cryptoService.decryptNode(
+                    {
+                        ...encryptedNode,
+                        uid: 'otherVolumeId~nodeId',
+                        creationTime: new Date('2022-01-01'),
+                    },
+                    parentKey,
+                );
+
+                verifyResult(result, {
+                    keyAuthor: {
+                        ok: false,
+                        error: {
+                            claimedAuthor: 'signatureEmail',
+                            error: 'Signature verification for content key failed: verification error',
+                        },
+                    },
+                });
+                expect(account.getOwnAddresses).not.toHaveBeenCalled();
+                verifyLogEventVerificationError({
+                    field: 'nodeContentKey',
+                    error: 'verification error',
+                    uid: 'otherVolumeId~nodeId',
+                    fromBefore2024: true,
+                });
+            });
+
             it('on content key packet with successful fallback verification', async () => {
                 driveCrypto.decryptAndVerifySessionKey = jest
                     .fn()
@@ -829,6 +878,7 @@ describe('nodesCryptoService', () => {
                     parentKey,
                 );
                 verifyResult(result);
+                expect(account.getOwnAddresses).toHaveBeenCalled();
                 expect(driveCrypto.decryptAndVerifySessionKey).toHaveBeenCalledTimes(2);
                 expect(driveCrypto.decryptAndVerifySessionKey).toHaveBeenCalledWith(
                     'base64ContentKeyPacket',

package/src/internal/nodes/cryptoService.ts

@@ -33,7 +33,9 @@ import {
     DecryptedUnparsedRevision,
     NodeSigningKeys,
     EncryptedNodeFileCrypto,
+    SharesService,
 } from './interface';
+import { splitNodeUid } from '../uids';
 
 export interface NodesCryptoReporter {
     handleClaimedAuthor(
@@ -76,6 +78,7 @@ export class NodesCryptoService {
         telemetry: ProtonDriveTelemetry,
         protected driveCrypto: DriveCrypto,
         private account: ProtonDriveAccount,
+        private sharesService: Pick<SharesService, 'getRootIDs'>,
         private reporter: NodesCryptoReporter,
     ) {
         this.logger = telemetry.getLogger('nodes-crypto');
@@ -538,6 +541,15 @@ export class NodesCryptoService {
             return result;
         }
 
+        const { volumeId: ownVolumeId } = await this.sharesService.getRootIDs();
+        const { volumeId: nodesVolumeId } = splitNodeUid(node.uid);
+
+        // If the node is not in the own volume, skip the fallback verification,
+        // because it is not possible to load all owners' address keys.
+        if (ownVolumeId !== nodesVolumeId) {
+            return result;
+        }
+
         const allAddresses = await this.account.getOwnAddresses();
         const allKeys = allAddresses.flatMap((address) => address.keys.map(({ key }) => key));
 
@@ -745,7 +757,10 @@ export class NodesCryptoService {
         };
     }
 
-    async generateNameHashes(parentHashKey: Uint8Array<ArrayBuffer>, names: string[]): Promise<{ name: string; hash: string }[]> {
+    async generateNameHashes(
+        parentHashKey: Uint8Array<ArrayBuffer>,
+        names: string[],
+    ): Promise<{ name: string; hash: string }[]> {
         return Promise.all(
             names.map(async (name) => ({
                 name,

package/src/internal/nodes/index.ts

@@ -43,7 +43,7 @@ export function initNodesModule(
     const cache = new NodesCache(telemetry.getLogger('nodes-cache'), driveEntitiesCache);
     const cryptoCache = new NodesCryptoCache(telemetry.getLogger('nodes-cache'), driveCryptoCache);
     const cryptoReporter = new NodesCryptoReporter(telemetry, sharesService);
-    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, cryptoReporter);
+    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, sharesService, cryptoReporter);
     const nodesAccess = new NodesAccess(telemetry, api, cache, cryptoCache, cryptoService, sharesService);
     const nodesEventHandler = new NodesEventsHandler(telemetry.getLogger('nodes-events'), cache);
     const nodesManagement = new NodesManagement(api, cryptoCache, cryptoService, nodesAccess);

package/src/internal/nodes/nodesManagement.test.ts

@@ -4,9 +4,9 @@ import { NodesCryptoService } from './cryptoService';
 import { NodesAccess } from './nodesAccess';
 import { DecryptedNode } from './interface';
 import { NodesManagement } from './nodesManagement';
-import { NodeResult } from '../../interface';
+import { NodeResult, NodeResultWithError } from '../../interface';
 import { NodeOutOfSyncError } from './errors';
-import { ValidationError } from '../../errors';
+import { NodeWithSameNameExistsValidationError, ValidationError } from '../../errors';
 
 describe('NodesManagement', () => {
     let apiService: NodeAPIService;
@@ -263,6 +263,42 @@ describe('NodesManagement', () => {
         );
     });
 
+    it('moveNodes yields NodeWithSameNameExistsValidationError in case of duplicate node name', async () => {
+        const encryptedCrypto = {
+            encryptedName: 'movedArmoredNodeName',
+            hash: 'movedHash',
+            armoredNodePassphrase: 'movedArmoredNodePassphrase',
+            armoredNodePassphraseSignature: 'movedArmoredNodePassphraseSignature',
+            signatureEmail: 'movedSignatureEmail',
+            nameSignatureEmail: 'movedNameSignatureEmail',
+        };
+        cryptoService.encryptNodeWithNewParent = jest.fn().mockResolvedValue(encryptedCrypto);
+        const error = new NodeWithSameNameExistsValidationError('Node with same name exists', 2500, 'existingNodeUid');
+        apiService.moveNode = jest.fn().mockRejectedValue(error);
+
+        const results: NodeResultWithError[] = [];
+        for await (const result of management.moveNodes(['nodeUid'], 'newParentNodeUid')) {
+            results.push(result);
+        }
+
+        expect(results).toHaveLength(1);
+        expect(results[0]).toEqual({ uid: 'nodeUid', ok: false, error });
+        expect(results[0].ok === false && results[0].error).toBeInstanceOf(NodeWithSameNameExistsValidationError);
+    });
+
+    it('moveNodes yields NodeResultWithError with Error on failure', async () => {
+        const error = new Error('move failed');
+        cryptoService.encryptNodeWithNewParent = jest.fn().mockRejectedValue(error);
+
+        const results: NodeResultWithError[] = [];
+        for await (const result of management.moveNodes(['nodeUid'], 'newParentNodeUid')) {
+            results.push(result);
+        }
+
+        expect(results).toHaveLength(1);
+        expect(results[0]).toEqual({ uid: 'nodeUid', ok: false, error });
+    });
+
     it('copyNode manages copy and updates cache', async () => {
         const encryptedCrypto = {
             encryptedName: 'copiedArmoredNodeName',

package/src/internal/nodes/nodesManagement.ts

@@ -1,6 +1,14 @@
 import { c } from 'ttag';
 
-import { MemberRole, NodeType, NodeResult, NodeResultWithNewUid, resultOk, InvalidNameError } from '../../interface';
+import {
+    MemberRole,
+    NodeType,
+    NodeResult,
+    NodeResultWithNewUid,
+    resultOk,
+    InvalidNameError,
+    NodeResultWithError,
+} from '../../interface';
 import { AbortError, ValidationError } from '../../errors';
 import { createErrorFromUnknown, getErrorMessage } from '../errors';
 import { splitNodeUid } from '../uids';
@@ -107,7 +115,11 @@ export abstract class NodesManagementBase<
     }
 
     // Improvement requested: move nodes in parallel
-    async *moveNodes(nodeUids: string[], newParentNodeUid: string, signal?: AbortSignal): AsyncGenerator<NodeResult> {
+    async *moveNodes(
+        nodeUids: string[],
+        newParentNodeUid: string,
+        signal?: AbortSignal,
+    ): AsyncGenerator<NodeResultWithError> {
         for (const nodeUid of nodeUids) {
             if (signal?.aborted) {
                 throw new AbortError(c('Error').t`Move operation aborted`);
@@ -122,7 +134,7 @@ export abstract class NodesManagementBase<
                 yield {
                     uid: nodeUid,
                     ok: false,
-                    error: getErrorMessage(error),
+                    error: error instanceof Error ? error : new Error(getErrorMessage(error), { cause: error }),
                 };
             }
         }

package/src/internal/photos/index.ts

@@ -123,7 +123,7 @@ export function initPhotosNodesModule(
     const cache = new PhotosNodesCache(telemetry.getLogger('nodes-cache'), driveEntitiesCache);
     const cryptoCache = new NodesCryptoCache(telemetry.getLogger('nodes-cache'), driveCryptoCache);
     const cryptoReporter = new NodesCryptoReporter(telemetry, sharesService);
-    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, cryptoReporter);
+    const cryptoService = new NodesCryptoService(telemetry, driveCrypto, account, sharesService, cryptoReporter);
     const nodesAccess = new PhotosNodesAccess(telemetry, api, cache, cryptoCache, cryptoService, sharesService);
     const nodesEventHandler = new NodesEventsHandler(telemetry.getLogger('nodes-events'), cache);
     const nodesManagement = new PhotosNodesManagement(api, cryptoCache, cryptoService, nodesAccess);

package/src/internal/photos/nodes.test.ts

@@ -206,6 +206,61 @@ describe('PhotosNodesCache', () => {
 });
 
 describe('PhotosNodesAccess', () => {
+    describe('getParentKeys', () => {
+        let access: PhotosNodesAccess;
+        let getNodeKeysMock: jest.Mock;
+        let getSharePrivateKeyMock: jest.Mock;
+
+        beforeEach(() => {
+            getNodeKeysMock = jest.fn().mockResolvedValue({ key: 'key', hashKey: 'hashKey' });
+            getSharePrivateKeyMock = jest.fn().mockResolvedValue('shareKey');
+            access = new PhotosNodesAccess(
+                getMockTelemetry(),
+                // @ts-expect-error No need to implement for this test
+                {},
+                {},
+                { getNodeKeys: jest.fn().mockRejectedValue(new Error()) },
+                {},
+                { getSharePrivateKey: getSharePrivateKeyMock },
+            );
+            jest.spyOn(access, 'getNodeKeys').mockImplementation(getNodeKeysMock);
+        });
+
+        it('should use parentUid path when set, ignoring shareId', async () => {
+            await access.getParentKeys({
+                uid: 'v~node',
+                parentUid: 'v~parent',
+                shareId: 'publicLinkShareId',
+                photo: undefined,
+            });
+            expect(getNodeKeysMock).toHaveBeenCalledWith('v~parent');
+            expect(getSharePrivateKeyMock).not.toHaveBeenCalled();
+        });
+
+        it('should use album key when no parentUid but has albums, even when shareId is set', async () => {
+            await access.getParentKeys({
+                uid: 'v~node',
+                parentUid: undefined,
+                shareId: 'publicLinkShareId',
+                // @ts-expect-error No need to implement for this test
+                photo: { albums: [{ nodeUid: 'v~album' }] },
+            });
+            expect(getNodeKeysMock).toHaveBeenCalledWith('v~album');
+            expect(getSharePrivateKeyMock).not.toHaveBeenCalled();
+        });
+
+        it('should fall back to shareId when no parentUid and no albums', async () => {
+            await access.getParentKeys({
+                uid: 'v~node',
+                parentUid: undefined,
+                shareId: 'rootShareId',
+                // @ts-expect-error No need to implement for this test
+                photo: { albums: [] },
+            });
+            expect(getSharePrivateKeyMock).toHaveBeenCalledWith('rootShareId');
+        });
+    });
+
     describe('parseNode', () => {
         it('should keep photo type and add photo object', async () => {
             const telemetry = getMockTelemetry();
@@ -222,7 +277,14 @@ describe('PhotosNodesAccess', () => {
             const sharesService: SharesService = {};
 
             // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const nodesAccess = new PhotosNodesAccess(telemetry, apiService, cacheService, cryptoCache, cryptoService, sharesService);
+            const nodesAccess = new PhotosNodesAccess(
+                telemetry,
+                apiService,
+                cacheService,
+                cryptoCache,
+                cryptoService,
+                sharesService,
+            );
 
             const unparsedNode = {
                 uid: 'volumeId~linkId',

package/src/internal/photos/nodes.ts

@@ -151,7 +151,18 @@ export class PhotosNodesAccess extends NodesAccessBase<EncryptedPhotoNode, Decry
     async getParentKeys(
         node: Pick<EncryptedPhotoNode, 'uid' | 'parentUid' | 'shareId' | 'photo'>,
     ): Promise<Pick<DecryptedNodeKeys, 'key' | 'hashKey'>> {
-        if (node.parentUid || node.shareId) {
+        // In regular case, the parent should be used first as it is guaranteed that
+        // the root node without parent will have a share with direct membership for
+        // the user that can be used to decrypt the node.
+        // For photos, the parent might be missing but then an album (or more) plays
+        // the role of the parent. It must be used first before fallbacking to share
+        // because the node might be shared but user is not directly invited and thus
+        // cannot decrypt via the share (user's address cannot decrypt).
+        // Using parent path first should stay as if present, it will be fastest way
+        // to decrypt for the owner - all photos in the timeline can use already
+        // cached key without the need to load albums as well.
+
+        if (node.parentUid) {
             return super.getParentKeys(node);
         }
 
@@ -176,6 +187,10 @@ export class PhotosNodesAccess extends NodesAccessBase<EncryptedPhotoNode, Decry
             return this.getNodeKeys(albumNodeUid);
         }
 
+        if (node.shareId) {
+            return super.getParentKeys(node);
+        }
+
         // This is bug that should not happen.
         // API cannot provide node without parent or share or album.
         throw new Error(`Node has neither parent node nor share nor album: ${node.uid}`);

package/src/internal/sharing/apiService.ts

@@ -433,6 +433,7 @@ export class SharingAPIService {
         shareId: string,
         invitation: EncryptedInvitationRequest,
         emailDetails: { message?: string; nodeName?: string } = {},
+        externalInvitationId: string | null = null,
     ): Promise<EncryptedInvitation> {
         const response = await this.apiService.post<PostInviteProtonUserRequest, PostInviteProtonUserResponse>(
             `drive/v2/shares/${shareId}/invitations`,
@@ -443,7 +444,7 @@ export class SharingAPIService {
                     Permissions: memberRoleToPermission(invitation.role),
                     KeyPacket: invitation.base64KeyPacket,
                     KeyPacketSignature: invitation.base64KeyPacketSignature,
-                    ExternalInvitationID: null,
+                    ExternalInvitationID: externalInvitationId,
                 },
                 EmailDetails: {
                     Message: emailDetails.message,

package/src/internal/sharing/cryptoService.ts

@@ -182,11 +182,12 @@ export class SharingCryptoService {
         shareSessionKey: SessionKey,
         inviterKey: PrivateKey,
         inviteeEmail: string,
+        forceRefreshKeys?: boolean,
     ): Promise<{
         base64KeyPacket: string;
         base64KeyPacketSignature: string;
     }> {
-        const inviteePublicKeys = await this.account.getPublicKeys(inviteeEmail);
+        const inviteePublicKeys = await this.account.getPublicKeys(inviteeEmail, forceRefreshKeys);
         const result = await this.driveCrypto.encryptInvitation(shareSessionKey, inviteePublicKeys[0], inviterKey);
         return result;
     }

package/src/internal/sharing/sharingManagement.test.ts

@@ -1138,4 +1138,77 @@ describe('SharingManagement', () => {
             expect(apiService.resendExternalInvitationEmail).not.toHaveBeenCalled();
         });
     });
+
+    describe('convertNonProtonInvitation', () => {
+        const nodeUid = 'volumeId~nodeId';
+        const externalInvitationId = 'inv123';
+        const externalInvitationUid = `${DEFAULT_SHARE_ID}~${externalInvitationId}`;
+        const externalInvitation: NonProtonInvitation = {
+            uid: externalInvitationUid,
+            inviteeEmail: 'external@example.com',
+            addedByEmail: resultOk('inviter@example.com'),
+            role: MemberRole.Viewer,
+            invitationTime: new Date(),
+            state: NonProtonInvitationState.Pending,
+        };
+
+        beforeEach(() => {
+            nodesService.getNode = jest.fn().mockResolvedValue({
+                nodeUid,
+                shareId: DEFAULT_SHARE_ID,
+                directRole: MemberRole.Admin,
+                name: { ok: true, value: 'name' },
+            });
+            apiService.getShareExternalInvitations = jest.fn().mockResolvedValue([externalInvitation]);
+        });
+
+        it('should throw if caller is not admin', async () => {
+            nodesService.getNode = jest.fn().mockResolvedValue({
+                nodeUid,
+                shareId: DEFAULT_SHARE_ID,
+                directRole: MemberRole.Viewer,
+                name: { ok: true, value: 'name' },
+            });
+
+            await expect(
+                sharingManagement.convertNonProtonInvitation(nodeUid, externalInvitationUid),
+            ).rejects.toThrow(ValidationError);
+        });
+
+        it('should throw if no sharing info found', async () => {
+            nodesService.getNode = jest.fn().mockResolvedValue({
+                nodeUid,
+                shareId: undefined,
+                directRole: MemberRole.Admin,
+                name: { ok: true, value: 'name' },
+            });
+
+            await expect(
+                sharingManagement.convertNonProtonInvitation(nodeUid, externalInvitationUid),
+            ).rejects.toThrow(ValidationError);
+        });
+
+        it('should throw if external invitation ID is not found', async () => {
+            await expect(
+                sharingManagement.convertNonProtonInvitation(nodeUid, 'unknownShareId~unknownInvId'),
+            ).rejects.toThrow(ValidationError);
+        });
+
+        it('should invite proton user with force-refreshed keys and the external invitation ID', async () => {
+            await sharingManagement.convertNonProtonInvitation(nodeUid, externalInvitationUid);
+
+            expect(cryptoService.encryptInvitation).toHaveBeenCalledWith(
+                expect.anything(),
+                expect.anything(),
+                externalInvitation.inviteeEmail,
+                true,
+            );
+            expect(apiService.inviteProtonUser).toHaveBeenCalledWith(
+                DEFAULT_SHARE_ID,
+                expect.objectContaining({ inviteeEmail: externalInvitation.inviteeEmail, role: externalInvitation.role }),
+                {},
+                externalInvitationId,
+            );
+        });
+    });
 });

package/src/internal/sharing/sharingManagement.ts

@@ -16,7 +16,7 @@ import {
     SharePublicLinkSettingsObject,
 } from '../../interface';
 import { ErrorCode } from '../apiService';
-import { splitNodeUid } from '../uids';
+import { splitNodeUid, splitInvitationUid } from '../uids';
 import { getErrorMessage } from '../errors';
 import { SharingAPIService } from './apiService';
 import { PUBLIC_LINK_GENERATED_PASSWORD_LENGTH, SharingCryptoService } from './cryptoService';
@@ -596,8 +596,52 @@ export class SharingManagement {
         await this.apiService.deleteExternalInvitation(invitationUid);
     }
 
-    private async convertExternalInvitationsToInternal(): Promise<void> {
-        // FIXME
+    async convertNonProtonInvitation(nodeUid: string, nonProtonInvitationUid: string): Promise<ProtonInvitation> {
+        const { invitationId: externalInvitationId } = splitInvitationUid(nonProtonInvitationUid);
+
+        const node = await this.nodesService.getNode(nodeUid);
+        if (node.directRole !== MemberRole.Admin) {
+            throw new ValidationError(c('Error').t`Only admins can convert non-Proton invitations`);
+        }
+
+        const [currentSharing, inviter] = await Promise.all([
+            this.getInternalSharingInfo(nodeUid),
+            this.nodesService.getRootNodeEmailKey(nodeUid),
+        ]);
+        if (!currentSharing) {
+            throw new ValidationError(c('Error').t`The node is not shared anymore`);
+        }
+
+        const externalInvitation = currentSharing.nonProtonInvitations.find(
+            (invitation) => invitation.uid === nonProtonInvitationUid,
+        );
+        if (!externalInvitation) {
+            throw new ValidationError(c('Error').t`Invitation not found`);
+        }
+        this.logger.info(
+            `Converting non-Proton invitation for ${externalInvitation.inviteeEmail} to internal for node ${nodeUid}`,
+        );
+        const invitationCrypto = await this.cryptoService.encryptInvitation(
+            currentSharing.share.passphraseSessionKey,
+            inviter.addressKey,
+            externalInvitation.inviteeEmail,
+            true, // Force refresh keys: the invitee just created a Proton account, so we have "absent" keys in cache
+        );
+        const encryptedInvitation = await this.apiService.inviteProtonUser(
+            currentSharing.share.shareId,
+            {
+                addedByEmail: inviter.email,
+                inviteeEmail: externalInvitation.inviteeEmail,
+                role: externalInvitation.role,
+                ...invitationCrypto,
+            },
+            {},
+            externalInvitationId,
+        );
+        return {
+            ...encryptedInvitation,
+            addedByEmail: resultOk(encryptedInvitation.addedByEmail),
+        };
     }
 
     private async removeMember(memberUid: string): Promise<void> {

package/src/internal/sharingPublic/index.ts

@@ -100,7 +100,13 @@ export function initSharingPublicNodesModule(
     const cache = new NodesCache(telemetry.getLogger('nodes-cache'), driveEntitiesCache);
     const cryptoCache = new NodesCryptoCache(telemetry.getLogger('nodes-cache'), driveCryptoCache);
     const cryptoReporter = new SharingPublicCryptoReporter(telemetry);
-    const cryptoService = new SharingPublicNodesCryptoService(telemetry, driveCrypto, account, cryptoReporter);
+    const cryptoService = new SharingPublicNodesCryptoService(
+        telemetry,
+        driveCrypto,
+        account,
+        sharesService,
+        cryptoReporter,
+    );
     const nodesAccess = new SharingPublicNodesAccess(
         telemetry,
         api,

package/src/protonDriveClient.ts

@@ -8,11 +8,13 @@ import {
     MaybeNode,
     MaybeMissingNode,
     NodeResult,
+    NodeResultWithError,
     NodeResultWithNewUid,
     Revision,
     RevisionOrUid,
     ShareNodeSettings,
     UnshareNodeSettings,
+    ProtonInvitation,
     ProtonInvitationOrUid,
     NonProtonInvitationOrUid,
     ProtonInvitationWithNode,
@@ -420,7 +422,7 @@ export class ProtonDriveClient {
         nodeUids: NodeOrUid[],
         newParentNodeUid: NodeOrUid,
         signal?: AbortSignal,
-    ): AsyncGenerator<NodeResult> {
+    ): AsyncGenerator<NodeResultWithError> {
         this.logger.info(`Moving ${nodeUids.length} nodes to ${getUid(newParentNodeUid)}`);
         yield* this.nodes.management.moveNodes(getUids(nodeUids), getUid(newParentNodeUid), signal);
     }
@@ -749,6 +751,22 @@ export class ProtonDriveClient {
         return this.sharing.management.unshareNode(getUid(nodeUid), settings);
     }
 
+    /**
+     * Convert a non-Proton invitation to an internal invitation.
+     * This is called automatically in the background when the SDK receives
+     * a metadata update event, but can also be triggered manually.
+     *
+     * @param nodeUid - Node entity or its UID string.
+     * @param invitationOrUid - Non-Proton invitation entity or its UID string.
+     */
+    async convertNonProtonInvitation(
+        nodeUid: NodeOrUid,
+        invitationOrUid: NonProtonInvitationOrUid,
+    ): Promise<ProtonInvitation> {
+        this.logger.info(`Converting non-Proton invitation ${getUid(invitationOrUid)} for node ${getUid(nodeUid)}`);
+        return this.sharing.management.convertNonProtonInvitation(getUid(nodeUid), getUid(invitationOrUid));
+    }
+
     /**
      * Resend the invitation email to shared node.
      *