@protontech/drive-sdk 0.6.2 → 0.7.0

package/src/internal/nodes/cryptoService.ts

@@ -24,6 +24,7 @@ import {
     DecryptedNodeKeys,
     EncryptedRevision,
     DecryptedUnparsedRevision,
+    NodeSigningKeys,
 } from './interface';
 
 export interface NodesCryptoReporter {
@@ -33,7 +34,7 @@ export interface NodesCryptoReporter {
         signatureType: string,
         verified: VERIFICATION_STATUS,
         verificationErrors?: Error[],
-        claimedAuthor?: string,
+        claimedAuthor?: string | AnonymousUser,
         notAvailableVerificationKeys?: boolean,
     ): Promise<Author>;
     reportDecryptionError(node: NodesCryptoReporterNode, field: MetricsDecryptionErrorField, error: unknown): void;
@@ -336,11 +337,19 @@ export class NodesCryptoService {
         const nameSignatureEmail = node.encryptedCrypto.nameSignatureEmail;
 
         try {
-            const { name, verified, verificationErrors } = await this.driveCrypto.decryptNodeName(
-                node.encryptedName,
-                parentKey,
-                verificationKeys,
-            );
+            const {
+                name,
+                verified: verificationStatus,
+                verificationErrors,
+            } = await this.driveCrypto.decryptNodeName(node.encryptedName, parentKey, verificationKeys);
+
+            let verified = verificationStatus;
+            // The name was not signed until Drive web Beta 3.
+            // It is decided to ignore this and consider it signed.
+            // The problem will be gone with migration to new crypto model.
+            if (verificationStatus === VERIFICATION_STATUS.NOT_SIGNED && node.creationTime < new Date(2021, 0, 1)) {
+                verified = VERIFICATION_STATUS.SIGNED_AND_VALID;
+            }
 
             return {
                 name: resultOk(name),
@@ -438,11 +447,19 @@ export class NodesCryptoService {
             throw new Error('Node is not a folder');
         }
 
-        const { hashKey, verified, verificationErrors } = await this.driveCrypto.decryptNodeHashKey(
-            node.encryptedCrypto.folder.armoredHashKey,
-            nodeKey,
-            addressKeys,
-        );
+        const {
+            hashKey,
+            verified: verificationStatus,
+            verificationErrors,
+        } = await this.driveCrypto.decryptNodeHashKey(node.encryptedCrypto.folder.armoredHashKey, nodeKey, addressKeys);
+
+        let verified = verificationStatus;
+        // The hash was not signed until Drive web Beta 17.
+        // It is decided to ignore this and consider it signed.
+        // The problem will be gone with migration to new crypto model.
+        if (verificationStatus === VERIFICATION_STATUS.NOT_SIGNED && node.creationTime < new Date(2021, 7, 1)) {
+            verified = VERIFICATION_STATUS.SIGNED_AND_VALID;
+        }
 
         return {
             hashKey,
@@ -490,7 +507,7 @@ export class NodesCryptoService {
         encryptedExtendedAttributes: string | undefined,
         nodeKey: PrivateKey,
         addressKeys: PublicKey[],
-        signatureEmail?: string,
+        signatureEmail?: string | AnonymousUser,
     ): Promise<{
         extendedAttributes?: string;
         author: Author;
@@ -522,31 +539,44 @@ export class NodesCryptoService {
 
     async createFolder(
         parentKeys: { key: PrivateKey; hashKey: Uint8Array },
-        address: { email: string; addressKey: PrivateKey },
+        signingKeys: NodeSigningKeys,
         name: string,
         extendedAttributes?: string,
     ): Promise<{
-        encryptedCrypto: EncryptedNodeFolderCrypto & {
+        encryptedCrypto: Omit<EncryptedNodeFolderCrypto, 'signatureEmail' | 'nameSignatureEmail'> & {
+            signatureEmail: string | AnonymousUser;
+            nameSignatureEmail: string | AnonymousUser;
             armoredNodePassphraseSignature: string;
-            // signatureEmail and nameSignatureEmail are not optional.
-            signatureEmail: string;
-            nameSignatureEmail: string;
             encryptedName: string;
             hash: string;
         };
         keys: DecryptedNodeKeys;
     }> {
-        const { email, addressKey } = address;
+        const email = signingKeys.type === 'userAddress' ? signingKeys.email : null;
+        const nameAndPassprhaseSigningKey =
+            signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.parentNodeKey;
+        if (!nameAndPassprhaseSigningKey) {
+            // This is a bug within the SDK.
+            throw new Error('Cannot create new node without a name and passphrase signing key');
+        }
+
         const [nodeKeys, { armoredNodeName }, hash] = await Promise.all([
-            this.driveCrypto.generateKey([parentKeys.key], addressKey),
-            this.driveCrypto.encryptNodeName(name, undefined, parentKeys.key, addressKey),
+            this.driveCrypto.generateKey([parentKeys.key], nameAndPassprhaseSigningKey),
+            this.driveCrypto.encryptNodeName(name, undefined, parentKeys.key, nameAndPassprhaseSigningKey),
             this.driveCrypto.generateLookupHash(name, parentKeys.hashKey),
         ]);
 
         const { armoredHashKey, hashKey } = await this.driveCrypto.generateHashKey(nodeKeys.decrypted.key);
 
+        const extendedAttributesSigningKey =
+            signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.nodeKey || nodeKeys.decrypted.key;
+
         const { armoredExtendedAttributes } = extendedAttributes
-            ? await this.driveCrypto.encryptExtendedAttributes(extendedAttributes, nodeKeys.decrypted.key, addressKey)
+            ? await this.driveCrypto.encryptExtendedAttributes(
+                  extendedAttributes,
+                  nodeKeys.decrypted.key,
+                  extendedAttributesSigningKey,
+              )
             : { armoredExtendedAttributes: undefined };
 
         return {
@@ -575,20 +605,25 @@ export class NodesCryptoService {
     async encryptNewName(
         parentKeys: { key: PrivateKey; hashKey?: Uint8Array },
         nodeNameSessionKey: SessionKey,
-        address: { email: string; addressKey: PrivateKey },
+        signingKeys: NodeSigningKeys,
         newName: string,
     ): Promise<{
-        signatureEmail: string;
+        signatureEmail: string | AnonymousUser;
         armoredNodeName: string;
         hash?: string;
     }> {
-        const { email, addressKey } = address;
+        const email = signingKeys.type === 'userAddress' ? signingKeys.email : null;
+        const nameSigningKey = signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.parentNodeKey;
+        if (!nameSigningKey) {
+            // This is a bug within the SDK.
+            throw new Error('Cannot encrypt new node name without a name signing key');
+        }
 
         const { armoredNodeName } = await this.driveCrypto.encryptNodeName(
             newName,
             nodeNameSessionKey,
             parentKeys.key,
-            addressKey,
+            nameSigningKey,
         );
 
         const hash = parentKeys.hashKey
@@ -605,14 +640,14 @@ export class NodesCryptoService {
         node: Pick<DecryptedNode, 'name'>,
         keys: { passphrase: string; passphraseSessionKey: SessionKey; nameSessionKey: SessionKey },
         parentKeys: { key: PrivateKey; hashKey: Uint8Array },
-        address: { email: string; addressKey: PrivateKey },
+        signingKeys: NodeSigningKeys,
     ): Promise<{
         encryptedName: string;
         hash: string;
         armoredNodePassphrase: string;
         armoredNodePassphraseSignature: string;
-        signatureEmail: string;
-        nameSignatureEmail: string;
+        signatureEmail: string | AnonymousUser;
+        nameSignatureEmail: string | AnonymousUser;
     }> {
         if (!parentKeys.hashKey) {
             throw new ValidationError('Moving item to a non-folder is not allowed');
@@ -621,19 +656,25 @@ export class NodesCryptoService {
             throw new ValidationError('Cannot move item without a valid name, please rename the item first');
         }
 
-        const { email, addressKey } = address;
+        const email = signingKeys.type === 'userAddress' ? signingKeys.email : null;
+        const nameAndPassprhaseSigningKey = signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.nodeKey;
+        if (!nameAndPassprhaseSigningKey) {
+            // This is a bug within the SDK.
+            throw new Error('Cannot re-encrypt node without a name and passphrase signing key');
+        }
+
         const { armoredNodeName } = await this.driveCrypto.encryptNodeName(
             node.name.value,
             keys.nameSessionKey,
             parentKeys.key,
-            addressKey,
+            nameAndPassprhaseSigningKey,
         );
         const hash = await this.driveCrypto.generateLookupHash(node.name.value, parentKeys.hashKey);
         const { armoredPassphrase, armoredPassphraseSignature } = await this.driveCrypto.encryptPassphrase(
             keys.passphrase,
             keys.passphraseSessionKey,
             [parentKeys.key],
-            addressKey,
+            nameAndPassprhaseSigningKey,
         );
 
         return {
@@ -657,7 +698,7 @@ export class NodesCryptoService {
 }
 
 function getClaimedAuthor(
-    claimedAuthor?: string,
+    claimedAuthor?: string | AnonymousUser,
     notAvailableVerificationKeys = false,
 ): string | AnonymousUser | undefined {
     if (!claimedAuthor && notAvailableVerificationKeys) {

package/src/internal/nodes/interface.ts

@@ -10,6 +10,7 @@ import {
     MetricVolumeType,
     Revision,
     RevisionState,
+    AnonymousUser,
 } from '../../interface';
 
 export type FilterOptions = {
@@ -57,8 +58,8 @@ export interface EncryptedNode extends BaseNode {
 }
 
 export interface EncryptedNodeCrypto {
-    signatureEmail?: string;
-    nameSignatureEmail?: string;
+    signatureEmail?: string | AnonymousUser;
+    nameSignatureEmail?: string | AnonymousUser;
     armoredKey: string;
     armoredNodePassphrase: string;
     armoredNodePassphraseSignature?: string;
@@ -88,6 +89,19 @@ export interface EncryptedNodeFolderCrypto extends EncryptedNodeCrypto {
 // eslint-disable-next-line @typescript-eslint/no-empty-object-type
 export interface EncryptedNodeAlbumCrypto extends EncryptedNodeCrypto {}
 
+export type NodeSigningKeys =
+    | {
+          type: 'userAddress';
+          email: string;
+          addressId: string;
+          key: PrivateKey;
+      }
+    | {
+          type: 'nodeKey';
+          nodeKey?: PrivateKey;
+          parentNodeKey?: PrivateKey;
+      };
+
 /**
  * Interface used only internally in the nodes module.
  *

package/src/internal/nodes/nodesAccess.ts

@@ -29,6 +29,7 @@ import {
     DecryptedNode,
     DecryptedNodeKeys,
     FilterOptions,
+    NodeSigningKeys,
 } from './interface';
 import { validateNodeName } from './validations';
 import { isProtonDocument, isProtonSheet } from './mediaTypes';
@@ -425,6 +426,22 @@ export class NodesAccess {
         };
     }
 
+    async getNodeSigningKeys(
+        uids: { nodeUid: string; parentNodeUid?: string } | { nodeUid?: string; parentNodeUid: string },
+    ): Promise<NodeSigningKeys> {
+        const contextNodeUid = uids.nodeUid || uids.parentNodeUid;
+        if (!contextNodeUid) {
+            throw new Error('Context node UID is required for signing keys');
+        }
+        const address = await this.getRootNodeEmailKey(contextNodeUid);
+        return {
+            type: 'userAddress',
+            email: address.email,
+            addressId: address.addressId,
+            key: address.addressKey,
+        };
+    }
+
     async getRootNodeEmailKey(nodeUid: string): Promise<{
         email: string;
         addressId: string;

package/src/internal/nodes/nodesManagement.test.ts

@@ -57,7 +57,7 @@ describe('NodesManagement', () => {
             restoreNodes: jest.fn(async function* (uids) {
                 yield* uids.map((uid) => ({ ok: true, uid }) as NodeResult);
             }),
-            deleteNodes: jest.fn(async function* (uids) {
+            deleteTrashedNodes: jest.fn(async function* (uids) {
                 yield* uids.map((uid) => ({ ok: true, uid }) as NodeResult);
             }),
             createFolder: jest.fn(),
@@ -117,7 +117,12 @@ describe('NodesManagement', () => {
                     nameSessionKey: `${uid}-nameSessionKey`,
                 }),
             ),
-            getRootNodeEmailKey: jest.fn().mockResolvedValue({ email: 'root-email', addressKey: 'root-key' }),
+            getNodeSigningKeys: jest.fn().mockResolvedValue({
+                type: 'userAddress',
+                email: 'root-email',
+                addressId: 'root-addressId',
+                key: 'root-key',
+            }),
             notifyNodeChanged: jest.fn(),
             notifyNodeDeleted: jest.fn(),
             notifyChildCreated: jest.fn(),
@@ -136,11 +141,11 @@ describe('NodesManagement', () => {
             nameAuthor: { ok: true, value: 'newSignatureEmail' },
             hash: 'newHash',
         });
-        expect(nodesAccess.getRootNodeEmailKey).toHaveBeenCalledWith('nodeUid');
+        expect(nodesAccess.getNodeSigningKeys).toHaveBeenCalledWith({ nodeUid: 'nodeUid', parentNodeUid: 'parentUid' });
         expect(cryptoService.encryptNewName).toHaveBeenCalledWith(
             { key: 'parentUid-key', hashKey: 'parentUid-hashKey' },
             'nodeUid-nameSessionKey',
-            { email: 'root-email', addressKey: 'root-key' },
+            { type: 'userAddress', email: 'root-email', addressId: 'root-addressId', key: 'root-key' },
             'new name',
         );
         expect(apiService.renameNode).toHaveBeenCalledWith(
@@ -181,7 +186,10 @@ describe('NodesManagement', () => {
             keyAuthor: { ok: true, value: 'movedSignatureEmail' },
             nameAuthor: { ok: true, value: 'movedNameSignatureEmail' },
         });
-        expect(nodesAccess.getRootNodeEmailKey).toHaveBeenCalledWith('newParentNodeUid');
+        expect(nodesAccess.getNodeSigningKeys).toHaveBeenCalledWith({
+            nodeUid: 'nodeUid',
+            parentNodeUid: 'newParentNodeUid',
+        });
         expect(cryptoService.encryptNodeWithNewParent).toHaveBeenCalledWith(
             nodes.nodeUid,
             expect.objectContaining({
@@ -192,7 +200,7 @@ describe('NodesManagement', () => {
                 nameSessionKey: 'nodeUid-nameSessionKey',
             }),
             expect.objectContaining({ key: 'newParentNodeUid-key', hashKey: 'newParentNodeUid-hashKey' }),
-            { email: 'root-email', addressKey: 'root-key' },
+            { type: 'userAddress', email: 'root-email', addressId: 'root-addressId', key: 'root-key' },
         );
         expect(apiService.moveNode).toHaveBeenCalledWith(
             'nodeUid',
@@ -232,7 +240,7 @@ describe('NodesManagement', () => {
                 nameSessionKey: 'anonymousNodeUid-nameSessionKey',
             }),
             expect.objectContaining({ key: 'newParentNodeUid-key', hashKey: 'newParentNodeUid-hashKey' }),
-            { email: 'root-email', addressKey: 'root-key' },
+            { type: 'userAddress', email: 'root-email', addressId: 'root-addressId', key: 'root-key' },
         );
         expect(newNode).toEqual({
             ...nodes.anonymousNodeUid,
@@ -276,7 +284,10 @@ describe('NodesManagement', () => {
             keyAuthor: { ok: true, value: 'copiedSignatureEmail' },
             nameAuthor: { ok: true, value: 'copiedNameSignatureEmail' },
         });
-        expect(nodesAccess.getRootNodeEmailKey).toHaveBeenCalledWith('newParentNodeUid');
+        expect(nodesAccess.getNodeSigningKeys).toHaveBeenCalledWith({
+            nodeUid: 'nodeUid',
+            parentNodeUid: 'newParentNodeUid',
+        });
         expect(cryptoService.encryptNodeWithNewParent).toHaveBeenCalledWith(
             nodes.nodeUid,
             expect.objectContaining({
@@ -287,7 +298,7 @@ describe('NodesManagement', () => {
                 nameSessionKey: 'nodeUid-nameSessionKey',
             }),
             expect.objectContaining({ key: 'newParentNodeUid-key', hashKey: 'newParentNodeUid-hashKey' }),
-            { email: 'root-email', addressKey: 'root-key' },
+            { type: 'userAddress', email: 'root-email', addressId: 'root-addressId', key: 'root-key' },
         );
         expect(apiService.copyNode).toHaveBeenCalledWith('nodeUid', {
             parentUid: 'newParentNodeUid',
@@ -322,7 +333,7 @@ describe('NodesManagement', () => {
                 nameSessionKey: 'anonymousNodeUid-nameSessionKey',
             }),
             expect.objectContaining({ key: 'newParentNodeUid-key', hashKey: 'newParentNodeUid-hashKey' }),
-            { email: 'root-email', addressKey: 'root-key' },
+            { type: 'userAddress', email: 'root-email', addressId: 'root-addressId', key: 'root-key' },
         );
         expect(newNode).toEqual({
             ...nodes.anonymousNodeUid,

package/src/internal/nodes/nodesManagement.ts

@@ -28,10 +28,10 @@ const AVAILABLE_NAME_LIMIT = 1000;
  */
 export class NodesManagement {
     constructor(
-        private apiService: NodeAPIService,
-        private cryptoCache: NodesCryptoCache,
-        private cryptoService: NodesCryptoService,
-        private nodesAccess: NodesAccess,
+        protected apiService: NodeAPIService,
+        protected cryptoCache: NodesCryptoCache,
+        protected cryptoService: NodesCryptoService,
+        protected nodesAccess: NodesAccess,
     ) {
         this.apiService = apiService;
         this.cryptoCache = cryptoCache;
@@ -49,7 +49,7 @@ export class NodesManagement {
         const node = await this.nodesAccess.getNode(nodeUid);
         const { nameSessionKey: nodeNameSessionKey } = await this.nodesAccess.getNodePrivateAndSessionKeys(nodeUid);
         const parentKeys = await this.nodesAccess.getParentKeys(node);
-        const address = await this.nodesAccess.getRootNodeEmailKey(nodeUid);
+        const signingKeys = await this.nodesAccess.getNodeSigningKeys({ nodeUid, parentNodeUid: node.parentUid });
 
         if (!options.allowRenameRootNode && (!node.hash || !parentKeys.hashKey)) {
             throw new ValidationError(c('Error').t`Renaming root item is not allowed`);
@@ -58,7 +58,7 @@ export class NodesManagement {
         const { signatureEmail, armoredNodeName, hash } = await this.cryptoService.encryptNewName(
             parentKeys,
             nodeNameSessionKey,
-            address,
+            signingKeys,
             newName,
         );
 
@@ -95,7 +95,7 @@ export class NodesManagement {
             ...node,
             name: resultOk(newName),
             encryptedName: armoredNodeName,
-            nameAuthor: resultOk(signatureEmail),
+            nameAuthor: resultOk(signatureEmail || null),
             hash,
         };
         return newNode;
@@ -124,14 +124,12 @@ export class NodesManagement {
     }
 
     async moveNode(nodeUid: string, newParentUid: string): Promise<DecryptedNode> {
-        const [node, address] = await Promise.all([
-            this.nodesAccess.getNode(nodeUid),
-            this.nodesAccess.getRootNodeEmailKey(newParentUid),
-        ]);
+        const node = await this.nodesAccess.getNode(nodeUid);
 
-        const [keys, newParentKeys] = await Promise.all([
+        const [keys, newParentKeys, signingKeys] = await Promise.all([
             this.nodesAccess.getNodePrivateAndSessionKeys(nodeUid),
             this.nodesAccess.getNodeKeys(newParentUid),
+            this.nodesAccess.getNodeSigningKeys({ nodeUid, parentNodeUid: newParentUid }),
         ]);
 
         if (!node.hash) {
@@ -145,7 +143,7 @@ export class NodesManagement {
             node,
             keys,
             { key: newParentKeys.key, hashKey: newParentKeys.hashKey },
-            address,
+            signingKeys,
         );
 
         // Node could be uploaded or renamed by anonymous user and thus have
@@ -214,14 +212,12 @@ export class NodesManagement {
     }
 
     async copyNode(nodeUid: string, newParentUid: string): Promise<DecryptedNode> {
-        const [node, address] = await Promise.all([
-            this.nodesAccess.getNode(nodeUid),
-            this.nodesAccess.getRootNodeEmailKey(newParentUid),
-        ]);
+        const node = await this.nodesAccess.getNode(nodeUid);
 
-        const [keys, newParentKeys] = await Promise.all([
+        const [keys, newParentKeys, signingKeys] = await Promise.all([
             this.nodesAccess.getNodePrivateAndSessionKeys(nodeUid),
             this.nodesAccess.getNodeKeys(newParentUid),
+            this.nodesAccess.getNodeSigningKeys({ nodeUid, parentNodeUid: newParentUid }),
         ]);
 
         if (!newParentKeys.hashKey) {
@@ -232,7 +228,7 @@ export class NodesManagement {
             node,
             keys,
             { key: newParentKeys.key, hashKey: newParentKeys.hashKey },
-            address,
+            signingKeys,
         );
 
         // Node could be uploaded or renamed by anonymous user and thus have
@@ -286,7 +282,7 @@ export class NodesManagement {
     }
 
     async *deleteNodes(nodeUids: string[], signal?: AbortSignal): AsyncGenerator<NodeResult> {
-        for await (const result of this.apiService.deleteNodes(nodeUids, signal)) {
+        for await (const result of this.apiService.deleteTrashedNodes(nodeUids, signal)) {
             if (result.ok) {
                 await this.nodesAccess.notifyNodeDeleted(result.uid);
             }
@@ -303,12 +299,12 @@ export class NodesManagement {
             throw new ValidationError(c('Error').t`Creating folders in non-folders is not allowed`);
         }
 
-        const address = await this.nodesAccess.getRootNodeEmailKey(parentNodeUid);
+        const signingKeys = await this.nodesAccess.getNodeSigningKeys({ parentNodeUid });
         const extendedAttributes = generateFolderExtendedAttributes(modificationTime);
 
         const { encryptedCrypto, keys } = await this.cryptoService.createFolder(
             { key: parentKeys.key, hashKey: parentKeys.hashKey },
-            address,
+            signingKeys,
             folderName,
             extendedAttributes,
         );
@@ -344,8 +340,8 @@ export class NodesManagement {
 
             // Decrypted metadata
             isStale: false,
-            keyAuthor: resultOk(encryptedCrypto.signatureEmail),
-            nameAuthor: resultOk(encryptedCrypto.signatureEmail),
+            keyAuthor: resultOk(encryptedCrypto.signatureEmail || null),
+            nameAuthor: resultOk(encryptedCrypto.signatureEmail || null),
             name: resultOk(folderName),
             treeEventScopeId: splitNodeUid(nodeUid).volumeId,
         };

package/src/internal/photos/upload.ts

@@ -1,5 +1,5 @@
 import { DriveCrypto } from '../../crypto';
-import { ProtonDriveTelemetry, UploadMetadata, Thumbnail } from '../../interface';
+import { ProtonDriveTelemetry, UploadMetadata, Thumbnail, AnonymousUser } from '../../interface';
 import { DriveAPIService, drivePaths } from '../apiService';
 import { generateFileExtendedAttributes } from '../nodes';
 import { splitNodeRevisionUid } from '../uids';
@@ -198,7 +198,7 @@ export class PhotoUploadAPIService extends UploadAPIService {
         draftNodeRevisionUid: string,
         options: {
             armoredManifestSignature: string;
-            signatureEmail: string;
+            signatureEmail: string | AnonymousUser;
             armoredExtendedAttributes?: string;
         },
         photo: {
@@ -220,7 +220,7 @@ export class PhotoUploadAPIService extends UploadAPIService {
             XAttr: options.armoredExtendedAttributes || null,
             Photo: {
                 ContentHash: photo.contentHash,
-                CaptureTime: photo.captureTime ? Math.floor(photo.captureTime?.getTime() /1000) : 0,
+                CaptureTime: photo.captureTime ? Math.floor(photo.captureTime?.getTime() / 1000) : 0,
                 MainPhotoLinkID: photo.mainPhotoLinkID || null,
                 Tags: photo.tags || [],
                 Exif: null, // Deprecated field, not used.

package/src/internal/sharingPublic/index.ts

@@ -10,13 +10,13 @@ import { NodeAPIService } from '../nodes/apiService';
 import { NodesCache } from '../nodes/cache';
 import { NodesCryptoCache } from '../nodes/cryptoCache';
 import { NodesCryptoService } from '../nodes/cryptoService';
-import { NodesManagement } from '../nodes/nodesManagement';
 import { NodesRevisons } from '../nodes/nodesRevisions';
 import { SharingPublicCryptoReporter } from './cryptoReporter';
-import { SharingPublicNodesAccess } from './nodes';
+import { SharingPublicNodesAccess, SharingPublicNodesManagement } from './nodes';
 import { SharingPublicSharesManager } from './shares';
 
 export { SharingPublicSessionManager } from './session/manager';
+export { UnauthDriveAPIService } from './unauthApiService';
 
 /**
  * Provides facade for the whole sharing public module.
@@ -38,6 +38,7 @@ export function initSharingPublicModule(
     token: string,
     publicShareKey: PrivateKey,
     publicRootNodeUid: string,
+    isAnonymousContext: boolean,
 ) {
     const shares = new SharingPublicSharesManager(account, publicShareKey, publicRootNodeUid);
     const nodes = initSharingPublicNodesModule(
@@ -52,6 +53,7 @@ export function initSharingPublicModule(
         token,
         publicShareKey,
         publicRootNodeUid,
+        isAnonymousContext,
     );
 
     return {
@@ -78,6 +80,7 @@ export function initSharingPublicNodesModule(
     token: string,
     publicShareKey: PrivateKey,
     publicRootNodeUid: string,
+    isAnonymousContext: boolean,
 ) {
     const clientUid = undefined; // No client UID for public context yet.
     const api = new NodeAPIService(telemetry.getLogger('nodes-api'), apiService, clientUid);
@@ -96,8 +99,9 @@ export function initSharingPublicNodesModule(
         token,
         publicShareKey,
         publicRootNodeUid,
+        isAnonymousContext,
     );
-    const nodesManagement = new NodesManagement(api, cryptoCache, cryptoService, nodesAccess);
+    const nodesManagement = new SharingPublicNodesManagement(api, cryptoCache, cryptoService, nodesAccess);
     const nodesRevisions = new NodesRevisons(telemetry.getLogger('nodes'), api, cryptoService, nodesAccess);
 
     return {

package/src/internal/sharingPublic/nodes.ts

@@ -1,13 +1,14 @@
-import { ProtonDriveTelemetry } from '../../interface';
+import { NodeResult, ProtonDriveTelemetry } from '../../interface';
 import { NodeAPIService } from '../nodes/apiService';
 import { NodesCache } from '../nodes/cache';
 import { NodesCryptoCache } from '../nodes/cryptoCache';
 import { NodesCryptoService } from '../nodes/cryptoService';
 import { NodesAccess } from '../nodes/nodesAccess';
+import { NodesManagement } from '../nodes/nodesManagement';
 import { isProtonDocument, isProtonSheet } from '../nodes/mediaTypes';
 import { splitNodeUid } from '../uids';
 import { SharingPublicSharesManager } from './shares';
-import { DecryptedNode, DecryptedNodeKeys } from '../nodes/interface';
+import { DecryptedNode, DecryptedNodeKeys, NodeSigningKeys } from '../nodes/interface';
 import { PrivateKey } from '../../crypto';
 
 export class SharingPublicNodesAccess extends NodesAccess {
@@ -22,11 +23,13 @@ export class SharingPublicNodesAccess extends NodesAccess {
         private token: string,
         private publicShareKey: PrivateKey,
         private publicRootNodeUid: string,
+        private isAnonymousContext: boolean,
     ) {
         super(telemetry, apiService, cache, cryptoCache, cryptoService, sharesService);
         this.token = token;
         this.publicShareKey = publicShareKey;
         this.publicRootNodeUid = publicRootNodeUid;
+        this.isAnonymousContext = isAnonymousContext;
     }
 
     async getParentKeys(
@@ -56,4 +59,42 @@ export class SharingPublicNodesAccess extends NodesAccess {
         // Public link doesn't support specific node URLs.
         return this.url;
     }
+
+    async getNodeSigningKeys(
+        uids: { nodeUid: string; parentNodeUid?: string } | { nodeUid?: string; parentNodeUid: string },
+    ): Promise<NodeSigningKeys> {
+        if (this.isAnonymousContext) {
+            const nodeKeys = uids.nodeUid ? await this.getNodeKeys(uids.nodeUid) : { key: undefined };
+            const parentNodeKeys = uids.parentNodeUid ? await this.getNodeKeys(uids.parentNodeUid) : { key: undefined };
+            return {
+                type: 'nodeKey',
+                nodeKey: nodeKeys.key,
+                parentNodeKey: parentNodeKeys.key,
+            };
+        }
+
+        return super.getNodeSigningKeys(uids);
+    }
+}
+
+export class SharingPublicNodesManagement extends NodesManagement {
+    constructor(
+        apiService: NodeAPIService,
+        cryptoCache: NodesCryptoCache,
+        cryptoService: NodesCryptoService,
+        nodesAccess: SharingPublicNodesAccess,
+    ) {
+        super(apiService, cryptoCache, cryptoService, nodesAccess);
+    }
+
+    async *deleteNodes(nodeUids: string[], signal?: AbortSignal): AsyncGenerator<NodeResult> {
+        // Public link does not support trashing and deleting trashed nodes.
+        // Instead, if user is owner, API allows directly deleting existing nodes.
+        for await (const result of this.apiService.deleteExistingNodes(nodeUids, signal)) {
+            if (result.ok) {
+                await this.nodesAccess.notifyNodeDeleted(result.uid);
+            }
+            yield result;
+        }
+    }
 }