@protontech/drive-sdk 0.6.2 → 0.7.1

package/src/internal/photos/nodes.ts

@@ -0,0 +1,233 @@
+import { PrivateKey } from '../../crypto';
+import { DecryptionError } from '../../errors';
+import { NodeType } from '../../interface';
+import { drivePaths } from '../apiService';
+import { NodeAPIServiceBase, linkToEncryptedNode, linkToEncryptedNodeBaseMetadata } from '../nodes/apiService';
+import { NodesCacheBase, serialiseNode, deserialiseNode } from '../nodes/cache';
+import { NodesCryptoService } from '../nodes/cryptoService';
+import { DecryptedNodeKeys } from '../nodes/interface';
+import { NodesAccessBase, parseNode as parseNodeBase } from '../nodes/nodesAccess';
+import { NodesManagementBase } from '../nodes/nodesManagement';
+import { makeNodeUid } from '../uids';
+import { EncryptedPhotoNode, DecryptedPhotoNode, DecryptedUnparsedPhotoNode } from './interface';
+
+type PostLoadLinksMetadataRequest = Extract<
+    drivePaths['/drive/photos/volumes/{volumeID}/links']['post']['requestBody'],
+    { content: object }
+>['content']['application/json'];
+type PostLoadLinksMetadataResponse =
+    drivePaths['/drive/photos/volumes/{volumeID}/links']['post']['responses']['200']['content']['application/json'];
+
+export class PhotosNodesAPIService extends NodeAPIServiceBase<
+    EncryptedPhotoNode,
+    PostLoadLinksMetadataResponse['Links'][0]
+> {
+    protected async fetchNodeMetadata(volumeId: string, linkIds: string[], signal?: AbortSignal) {
+        const response = await this.apiService.post<PostLoadLinksMetadataRequest, PostLoadLinksMetadataResponse>(
+            `drive/photos/volumes/${volumeId}/links`,
+            {
+                LinkIDs: linkIds,
+            },
+            signal,
+        );
+        return response.Links;
+    }
+
+    protected linkToEncryptedNode(
+        volumeId: string,
+        link: PostLoadLinksMetadataResponse['Links'][0],
+        isOwnVolumeId: boolean,
+    ): EncryptedPhotoNode {
+        const { baseNodeMetadata, baseCryptoNodeMetadata } = linkToEncryptedNodeBaseMetadata(
+            this.logger,
+            volumeId,
+            link,
+            isOwnVolumeId,
+        );
+
+        if (link.Link.Type === 2 && link.Photo && link.Photo.ActiveRevision) {
+            const node = linkToEncryptedNode(
+                this.logger,
+                volumeId,
+                { ...link, File: link.Photo, Folder: null },
+                isOwnVolumeId,
+            );
+            return {
+                ...node,
+                type: NodeType.Photo,
+                photo: {
+                    captureTime: new Date(link.Photo.CaptureTime * 1000),
+                    mainPhotoNodeUid: link.Photo.MainPhotoLinkID
+                        ? makeNodeUid(volumeId, link.Photo.MainPhotoLinkID)
+                        : undefined,
+                    relatedPhotoNodeUids: link.Photo.RelatedPhotosLinkIDs.map((relatedLinkId) =>
+                        makeNodeUid(volumeId, relatedLinkId),
+                    ),
+                    contentHash: link.Photo.ContentHash || undefined,
+                    tags: link.Photo.Tags,
+                    albums: link.Photo.Albums.map((album) => ({
+                        nodeUid: makeNodeUid(volumeId, album.AlbumLinkID),
+                        additionTime: new Date(album.AddedTime * 1000),
+                        nameHash: album.Hash,
+                        contentHash: album.ContentHash,
+                    })),
+                },
+            };
+        }
+
+        if (link.Link.Type === 3) {
+            return {
+                ...baseNodeMetadata,
+                encryptedCrypto: {
+                    ...baseCryptoNodeMetadata,
+                },
+            };
+        }
+
+        const baseLink = {
+            Link: link.Link,
+            Membership: link.Membership,
+            Sharing: link.Sharing,
+            // @ts-expect-error The photo link can have a folder type, but not always. If not set, it will use other paths.
+            Folder: link.Folder,
+            File: null, // The photo link metadata never returns a file type.
+        };
+        return linkToEncryptedNode(this.logger, volumeId, baseLink, isOwnVolumeId);
+    }
+}
+
+export class PhotosNodesCache extends NodesCacheBase<DecryptedPhotoNode> {
+    serialiseNode(node: DecryptedPhotoNode): string {
+        return serialiseNode(node);
+    }
+
+    // TODO: use better deserialisation with validation
+    deserialiseNode(nodeData: string): DecryptedPhotoNode {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const node = deserialiseNode(nodeData) as any;
+
+        if (
+            !node ||
+            typeof node !== 'object' ||
+            (typeof node.photo !== 'object' && node.photo !== undefined) ||
+            (typeof node.photo?.captureTime !== 'string' && node.folder?.captureTime !== undefined) ||
+            (typeof node.photo?.albums !== 'object' && node.photo?.albums !== undefined)
+        ) {
+            throw new Error(`Invalid node data: ${nodeData}`);
+        }
+
+        return {
+            ...node,
+            photo: !node.photo
+                ? undefined
+                : {
+                      captureTime: new Date(node.photo.captureTime),
+                      mainPhotoNodeUid: node.photo.mainPhotoNodeUid,
+                      relatedPhotoNodeUids: node.photo.relatedPhotoNodeUids,
+                      contentHash: node.photo.contentHash,
+                      tags: node.photo.tags,
+                      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                      albums: node.photo.albums?.map((album: any) => ({
+                          nodeUid: album.nodeUid,
+                          additionTime: new Date(album.additionTime),
+                      })),
+                  },
+        } as DecryptedPhotoNode;
+    }
+}
+
+export class PhotosNodesAccess extends NodesAccessBase<EncryptedPhotoNode, DecryptedPhotoNode, PhotosNodesCryptoService> {
+    async getParentKeys(
+        node: Pick<EncryptedPhotoNode, 'uid' | 'parentUid' | 'shareId' | 'photo'>,
+    ): Promise<Pick<DecryptedNodeKeys, 'key' | 'hashKey'>> {
+        if (node.parentUid || node.shareId) {
+            return super.getParentKeys(node);
+        }
+
+        if (node.photo?.albums.length) {
+            // If photo is in multiple albums, we just need to get keys for one of them.
+            // Prefer to find a cached key first.
+            for (const album of node.photo.albums) {
+                try {
+                    const keys = await this.cryptoCache.getNodeKeys(album.nodeUid);
+                    return {
+                        key: keys.key,
+                        hashKey: keys.hashKey,
+                    };
+                } catch {
+                    // We ignore missing or invalid keys here, its just optimization.
+                    // If it cannot be fixed, it will bubble up later when requesting
+                    // the node keys for one of the albums.
+                }
+            }
+
+            const albumNodeUid = node.photo.albums[0].nodeUid;
+            return this.getNodeKeys(albumNodeUid);
+        }
+
+        // This is bug that should not happen.
+        // API cannot provide node without parent or share or album.
+        throw new Error('Node has neither parent node nor share nor album');
+    }
+
+    protected getDegradedUndecryptableNode(
+        encryptedNode: EncryptedPhotoNode,
+        error: DecryptionError,
+    ): DecryptedPhotoNode {
+        return this.getDegradedUndecryptableNodeBase(encryptedNode, error);
+    }
+
+    protected parseNode(unparsedNode: DecryptedUnparsedPhotoNode): DecryptedPhotoNode {
+        if (unparsedNode.type === NodeType.Photo) {
+            const node = parseNodeBase(this.logger, {
+                ...unparsedNode,
+                type: NodeType.File,
+            });
+            return {
+                ...node,
+                photo: unparsedNode.photo,
+            };
+        }
+
+        return parseNodeBase(this.logger, unparsedNode);
+    }
+}
+
+export class PhotosNodesCryptoService extends NodesCryptoService {
+    async decryptNode(
+        encryptedNode: EncryptedPhotoNode,
+        parentKey: PrivateKey,
+    ): Promise<{ node: DecryptedUnparsedPhotoNode; keys?: DecryptedNodeKeys }> {
+        const decryptedNode = await super.decryptNode(encryptedNode, parentKey);
+
+        if (decryptedNode.node.type === NodeType.Photo) {
+            return {
+                node: {
+                    ...decryptedNode.node,
+                    photo: encryptedNode.photo,
+                },
+            };
+        }
+
+        return decryptedNode;
+    }
+}
+
+export class PhotosNodesManagement extends NodesManagementBase<
+    EncryptedPhotoNode,
+    DecryptedPhotoNode,
+    PhotosNodesCryptoService
+> {
+    protected generateNodeFolder(
+        nodeUid: string,
+        parentNodeUid: string,
+        name: string,
+        encryptedCrypto: {
+            hash: string;
+            encryptedName: string;
+            signatureEmail: string | null;
+        },
+    ): DecryptedPhotoNode {
+        return this.generateNodeFolderBase(nodeUid, parentNodeUid, name, encryptedCrypto);
+    }
+}

package/src/internal/photos/timeline.test.ts

@@ -2,7 +2,7 @@ import { getMockLogger } from '../../tests/logger';
 import { DriveCrypto } from '../../crypto';
 import { makeNodeUid } from '../uids';
 import { PhotosAPIService } from './apiService';
-import { NodesService } from './interface';
+import { PhotosNodesAccess } from './nodes';
 import { PhotoSharesManager } from './shares';
 import { PhotosTimeline } from './timeline';
 
@@ -11,7 +11,7 @@ describe('PhotosTimeline', () => {
     let apiService: PhotosAPIService;
     let driveCrypto: DriveCrypto;
     let photoShares: PhotoSharesManager;
-    let nodesService: NodesService;
+    let nodesService: PhotosNodesAccess;
     let timeline: PhotosTimeline;
 
     const volumeId = 'volumeId';

package/src/internal/photos/timeline.ts

@@ -2,7 +2,7 @@ import { DriveCrypto } from '../../crypto';
 import { Logger } from '../../interface';
 import { makeNodeUid } from '../uids';
 import { PhotosAPIService } from './apiService';
-import { NodesService } from './interface';
+import { PhotosNodesAccess } from './nodes';
 import { PhotoSharesManager } from './shares';
 
 /**
@@ -14,7 +14,7 @@ export class PhotosTimeline {
         private apiService: PhotosAPIService,
         private driveCrypto: DriveCrypto,
         private photoShares: PhotoSharesManager,
-        private nodesService: NodesService,
+        private nodesService: PhotosNodesAccess,
     ) {
         this.logger = logger;
         this.apiService = apiService;

package/src/internal/photos/upload.ts

@@ -1,5 +1,5 @@
 import { DriveCrypto } from '../../crypto';
-import { ProtonDriveTelemetry, UploadMetadata, Thumbnail } from '../../interface';
+import { ProtonDriveTelemetry, UploadMetadata, Thumbnail, AnonymousUser } from '../../interface';
 import { DriveAPIService, drivePaths } from '../apiService';
 import { generateFileExtendedAttributes } from '../nodes';
 import { splitNodeRevisionUid } from '../uids';
@@ -198,7 +198,7 @@ export class PhotoUploadAPIService extends UploadAPIService {
         draftNodeRevisionUid: string,
         options: {
             armoredManifestSignature: string;
-            signatureEmail: string;
+            signatureEmail: string | AnonymousUser;
             armoredExtendedAttributes?: string;
         },
         photo: {
@@ -220,7 +220,7 @@ export class PhotoUploadAPIService extends UploadAPIService {
             XAttr: options.armoredExtendedAttributes || null,
             Photo: {
                 ContentHash: photo.contentHash,
-                CaptureTime: photo.captureTime ? Math.floor(photo.captureTime?.getTime() /1000) : 0,
+                CaptureTime: photo.captureTime ? Math.floor(photo.captureTime?.getTime() / 1000) : 0,
                 MainPhotoLinkID: photo.mainPhotoLinkID || null,
                 Tags: photo.tags || [],
                 Exif: null, // Deprecated field, not used.

package/src/internal/sharingPublic/index.ts

@@ -10,13 +10,13 @@ import { NodeAPIService } from '../nodes/apiService';
 import { NodesCache } from '../nodes/cache';
 import { NodesCryptoCache } from '../nodes/cryptoCache';
 import { NodesCryptoService } from '../nodes/cryptoService';
-import { NodesManagement } from '../nodes/nodesManagement';
 import { NodesRevisons } from '../nodes/nodesRevisions';
 import { SharingPublicCryptoReporter } from './cryptoReporter';
-import { SharingPublicNodesAccess } from './nodes';
+import { SharingPublicNodesAccess, SharingPublicNodesManagement } from './nodes';
 import { SharingPublicSharesManager } from './shares';
 
 export { SharingPublicSessionManager } from './session/manager';
+export { UnauthDriveAPIService } from './unauthApiService';
 
 /**
  * Provides facade for the whole sharing public module.
@@ -38,6 +38,7 @@ export function initSharingPublicModule(
     token: string,
     publicShareKey: PrivateKey,
     publicRootNodeUid: string,
+    isAnonymousContext: boolean,
 ) {
     const shares = new SharingPublicSharesManager(account, publicShareKey, publicRootNodeUid);
     const nodes = initSharingPublicNodesModule(
@@ -52,6 +53,7 @@ export function initSharingPublicModule(
         token,
         publicShareKey,
         publicRootNodeUid,
+        isAnonymousContext,
     );
 
     return {
@@ -78,6 +80,7 @@ export function initSharingPublicNodesModule(
     token: string,
     publicShareKey: PrivateKey,
     publicRootNodeUid: string,
+    isAnonymousContext: boolean,
 ) {
     const clientUid = undefined; // No client UID for public context yet.
     const api = new NodeAPIService(telemetry.getLogger('nodes-api'), apiService, clientUid);
@@ -96,8 +99,9 @@ export function initSharingPublicNodesModule(
         token,
         publicShareKey,
         publicRootNodeUid,
+        isAnonymousContext,
     );
-    const nodesManagement = new NodesManagement(api, cryptoCache, cryptoService, nodesAccess);
+    const nodesManagement = new SharingPublicNodesManagement(api, cryptoCache, cryptoService, nodesAccess);
     const nodesRevisions = new NodesRevisons(telemetry.getLogger('nodes'), api, cryptoService, nodesAccess);
 
     return {

package/src/internal/sharingPublic/nodes.ts

@@ -1,13 +1,14 @@
-import { ProtonDriveTelemetry } from '../../interface';
+import { NodeResult, ProtonDriveTelemetry } from '../../interface';
 import { NodeAPIService } from '../nodes/apiService';
 import { NodesCache } from '../nodes/cache';
 import { NodesCryptoCache } from '../nodes/cryptoCache';
 import { NodesCryptoService } from '../nodes/cryptoService';
 import { NodesAccess } from '../nodes/nodesAccess';
+import { NodesManagement } from '../nodes/nodesManagement';
 import { isProtonDocument, isProtonSheet } from '../nodes/mediaTypes';
 import { splitNodeUid } from '../uids';
 import { SharingPublicSharesManager } from './shares';
-import { DecryptedNode, DecryptedNodeKeys } from '../nodes/interface';
+import { DecryptedNode, DecryptedNodeKeys, NodeSigningKeys } from '../nodes/interface';
 import { PrivateKey } from '../../crypto';
 
 export class SharingPublicNodesAccess extends NodesAccess {
@@ -22,11 +23,13 @@ export class SharingPublicNodesAccess extends NodesAccess {
         private token: string,
         private publicShareKey: PrivateKey,
         private publicRootNodeUid: string,
+        private isAnonymousContext: boolean,
     ) {
         super(telemetry, apiService, cache, cryptoCache, cryptoService, sharesService);
         this.token = token;
         this.publicShareKey = publicShareKey;
         this.publicRootNodeUid = publicRootNodeUid;
+        this.isAnonymousContext = isAnonymousContext;
     }
 
     async getParentKeys(
@@ -56,4 +59,42 @@ export class SharingPublicNodesAccess extends NodesAccess {
         // Public link doesn't support specific node URLs.
         return this.url;
     }
+
+    async getNodeSigningKeys(
+        uids: { nodeUid: string; parentNodeUid?: string } | { nodeUid?: string; parentNodeUid: string },
+    ): Promise<NodeSigningKeys> {
+        if (this.isAnonymousContext) {
+            const nodeKeys = uids.nodeUid ? await this.getNodeKeys(uids.nodeUid) : { key: undefined };
+            const parentNodeKeys = uids.parentNodeUid ? await this.getNodeKeys(uids.parentNodeUid) : { key: undefined };
+            return {
+                type: 'nodeKey',
+                nodeKey: nodeKeys.key,
+                parentNodeKey: parentNodeKeys.key,
+            };
+        }
+
+        return super.getNodeSigningKeys(uids);
+    }
+}
+
+export class SharingPublicNodesManagement extends NodesManagement {
+    constructor(
+        apiService: NodeAPIService,
+        cryptoCache: NodesCryptoCache,
+        cryptoService: NodesCryptoService,
+        nodesAccess: SharingPublicNodesAccess,
+    ) {
+        super(apiService, cryptoCache, cryptoService, nodesAccess);
+    }
+
+    async *deleteNodes(nodeUids: string[], signal?: AbortSignal): AsyncGenerator<NodeResult> {
+        // Public link does not support trashing and deleting trashed nodes.
+        // Instead, if user is owner, API allows directly deleting existing nodes.
+        for await (const result of this.apiService.deleteExistingNodes(nodeUids, signal)) {
+            if (result.ok) {
+                await this.nodesAccess.notifyNodeDeleted(result.uid);
+            }
+            yield result;
+        }
+    }
 }

package/src/internal/sharingPublic/unauthApiService.test.ts

@@ -0,0 +1,29 @@
+import { getUnauthEndpoint } from './unauthApiService';
+
+describe('getUnauthEndpoint', () => {
+    it('should not change urls endpoints', () => {
+        expect(getUnauthEndpoint('drive/urls/anything')).toBe('drive/urls/anything');
+        expect(getUnauthEndpoint('drive/urls/drive/anything')).toBe('drive/urls/drive/anything');
+        expect(getUnauthEndpoint('drive/urls/drive/v2/anything')).toBe('drive/urls/drive/v2/anything');
+    });
+
+    it('should not change v2/urls endpoints', () => {
+        expect(getUnauthEndpoint('drive/v2/urls/anything')).toBe('drive/v2/urls/anything');
+        expect(getUnauthEndpoint('drive/v2/urls/drive/anything')).toBe('drive/v2/urls/drive/anything');
+        expect(getUnauthEndpoint('drive/v2/urls/drive/v2/anything')).toBe('drive/v2/urls/drive/v2/anything');
+    });
+
+    it('should put unauth prefix for v2 endpoints', () => {
+        expect(getUnauthEndpoint('drive/v2/anything')).toBe('drive/unauth/v2/anything');
+        expect(getUnauthEndpoint('drive/v2/drive/anything')).toBe('drive/unauth/v2/drive/anything');
+        expect(getUnauthEndpoint('drive/v2/drive/v2/anything')).toBe('drive/unauth/v2/drive/v2/anything');
+    });
+
+    it('should put unauth prefix for non-v2 endpoints', () => {
+        expect(getUnauthEndpoint('drive/anything')).toBe('drive/unauth/anything');
+        expect(getUnauthEndpoint('drive/anything/v2/anything')).toBe('drive/unauth/anything/v2/anything');
+        expect(getUnauthEndpoint('drive/anything/drive/anything')).toBe('drive/unauth/anything/drive/anything');
+        expect(getUnauthEndpoint('drive/anything/drive/v2/anything')).toBe('drive/unauth/anything/drive/v2/anything');
+    });
+});
+

package/src/internal/sharingPublic/unauthApiService.ts

@@ -0,0 +1,32 @@
+import { DriveAPIService } from '../apiService';
+
+/**
+ * Drive API Service for public links.
+ *
+ * This service is used to make requests to the Drive API without
+ * authentication. The unauth context uses the same endpoint, but
+ * with an `unauth` prefix. The goal is to avoid the need to use
+ * different path and use the exact endpoint for both contexts.
+ * However, API has global logic for handling expired sessions that
+ * is not compatible with the unauth context. For this reason, this
+ * service is used to make requests to the Drive API for public
+ * link context in the mean time.
+ */
+export class UnauthDriveAPIService extends DriveAPIService {
+    protected async makeRequest<RequestPayload, ResponsePayload>(
+        url: string,
+        method = 'GET',
+        data?: RequestPayload,
+        signal?: AbortSignal,
+    ): Promise<ResponsePayload> {
+        const unauthUrl = getUnauthEndpoint(url);
+        return super.makeRequest(unauthUrl, method, data, signal);
+    }
+}
+
+export function getUnauthEndpoint(url: string): string {
+    if (url.startsWith('drive/urls/') || url.startsWith('drive/v2/urls/')) {
+        return url;
+    }
+    return url.replace(/^drive\//, 'drive/unauth/');
+}

package/src/internal/upload/apiService.ts

@@ -1,6 +1,7 @@
 import { c } from 'ttag';
 
 import { base64StringToUint8Array, uint8ArrayToBase64String } from '../../crypto';
+import { AnonymousUser } from '../../interface';
 import { APICodeError, DriveAPIService, drivePaths, isCodeOk } from '../apiService';
 import { splitNodeUid, makeNodeUid, splitNodeRevisionUid, makeNodeRevisionUid } from '../uids';
 import { UploadTokens } from './interface';
@@ -65,7 +66,7 @@ export class UploadAPIService {
             armoredNodePassphraseSignature: string;
             base64ContentKeyPacket: string;
             armoredContentKeyPacketSignature: string;
-            signatureEmail: string;
+            signatureEmail: string | AnonymousUser;
         },
     ): Promise<{
         nodeUid: string;
@@ -150,7 +151,7 @@ export class UploadAPIService {
 
     async requestBlockUpload(
         draftNodeRevisionUid: string,
-        addressId: string,
+        addressId: string | AnonymousUser,
         blocks: {
             contentBlocks: {
                 index: number;
@@ -211,7 +212,7 @@ export class UploadAPIService {
         draftNodeRevisionUid: string,
         options: {
             armoredManifestSignature: string;
-            signatureEmail: string;
+            signatureEmail: string | AnonymousUser;
             armoredExtendedAttributes?: string;
         },
     ): Promise<void> {

package/src/internal/upload/cryptoService.ts

@@ -2,8 +2,15 @@ import { c } from 'ttag';
 
 import { DriveCrypto, PrivateKey, SessionKey } from '../../crypto';
 import { IntegrityError } from '../../errors';
-import { Thumbnail } from '../../interface';
-import { EncryptedBlock, EncryptedThumbnail, NodeCrypto, NodeRevisionDraftKeys, NodesService } from './interface';
+import { Thumbnail, AnonymousUser } from '../../interface';
+import {
+    EncryptedBlock,
+    EncryptedThumbnail,
+    NodeCrypto,
+    NodeCryptoSigningKeys,
+    NodeRevisionDraftKeys,
+    NodesService,
+} from './interface';
 
 export class UploadCryptoService {
     constructor(
@@ -19,11 +26,15 @@ export class UploadCryptoService {
         parentKeys: { key: PrivateKey; hashKey: Uint8Array },
         name: string,
     ): Promise<NodeCrypto> {
-        const signatureAddress = await this.nodesService.getRootNodeEmailKey(parentUid);
+        const signingKeys = await this.getSigningKeys({ parentNodeUid: parentUid });
+
+        if (!signingKeys.nameAndPassphraseSigningKey) {
+            throw new Error('Cannot create new node without a name and passphrase signing key');
+        }
 
         const [nodeKeys, { armoredNodeName }, hash] = await Promise.all([
-            this.driveCrypto.generateKey([parentKeys.key], signatureAddress.addressKey),
-            this.driveCrypto.encryptNodeName(name, undefined, parentKeys.key, signatureAddress.addressKey),
+            this.driveCrypto.generateKey([parentKeys.key], signingKeys.nameAndPassphraseSigningKey),
+            this.driveCrypto.encryptNodeName(name, undefined, parentKeys.key, signingKeys.nameAndPassphraseSigningKey),
             this.driveCrypto.generateLookupHash(name, parentKeys.hashKey),
         ]);
 
@@ -36,7 +47,57 @@ export class UploadCryptoService {
                 encryptedName: armoredNodeName,
                 hash,
             },
-            signatureAddress,
+            signingKeys: {
+                email: signingKeys.email,
+                addressId: signingKeys.addressId,
+                nameAndPassphraseSigningKey: signingKeys.nameAndPassphraseSigningKey,
+                contentSigningKey: signingKeys.contentSigningKey || nodeKeys.decrypted.key,
+            },
+        };
+    }
+
+    async getSigningKeysForExistingNode(uids: {
+        nodeUid: string;
+        parentNodeUid?: string;
+    }): Promise<NodeCryptoSigningKeys> {
+        const signingKeys = await this.getSigningKeys(uids);
+
+        if (!signingKeys.nameAndPassphraseSigningKey) {
+            throw new Error('Cannot get name and passphrase signing key for existing node');
+        }
+        if (!signingKeys.contentSigningKey) {
+            throw new Error('Cannot get content signing key for existing node');
+        }
+
+        return {
+            email: signingKeys.email,
+            addressId: signingKeys.addressId,
+            nameAndPassphraseSigningKey: signingKeys.nameAndPassphraseSigningKey,
+            contentSigningKey: signingKeys.contentSigningKey,
+        };
+    }
+
+    private async getSigningKeys(
+        uids: { nodeUid: string; parentNodeUid?: string } | { nodeUid?: string; parentNodeUid: string },
+    ): Promise<
+        Omit<NodeCryptoSigningKeys, 'nameAndPassphraseSigningKey' | 'contentSigningKey'> & {
+            nameAndPassphraseSigningKey?: PrivateKey;
+            contentSigningKey?: PrivateKey;
+        }
+    > {
+        const signingKeys = await this.nodesService.getNodeSigningKeys(uids);
+
+        const email = signingKeys.type === 'userAddress' ? signingKeys.email : null;
+        const addressId = signingKeys.type === 'userAddress' ? signingKeys.addressId : null;
+        const nameAndPassphraseSigningKey =
+            signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.parentNodeKey;
+        const contentSigningKey = signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.nodeKey;
+
+        return {
+            email,
+            addressId,
+            nameAndPassphraseSigningKey,
+            contentSigningKey,
         };
     }
 
@@ -47,7 +108,7 @@ export class UploadCryptoService {
         const { encryptedData } = await this.driveCrypto.encryptThumbnailBlock(
             thumbnail.thumbnail,
             nodeRevisionDraftKeys.contentKeyPacketSessionKey,
-            nodeRevisionDraftKeys.signatureAddress.addressKey,
+            nodeRevisionDraftKeys.signingKeys.contentSigningKey,
         );
 
         const digest = await crypto.subtle.digest('SHA-256', encryptedData);
@@ -71,7 +132,7 @@ export class UploadCryptoService {
             block,
             nodeRevisionDraftKeys.key,
             nodeRevisionDraftKeys.contentKeyPacketSessionKey,
-            nodeRevisionDraftKeys.signatureAddress.addressKey,
+            nodeRevisionDraftKeys.signingKeys.contentSigningKey,
         );
 
         const digest = await crypto.subtle.digest('SHA-256', encryptedData);
@@ -94,25 +155,25 @@ export class UploadCryptoService {
         extendedAttributes?: string,
     ): Promise<{
         armoredManifestSignature: string;
-        signatureEmail: string;
+        signatureEmail: string | AnonymousUser;
         armoredExtendedAttributes?: string;
     }> {
         const { armoredManifestSignature } = await this.driveCrypto.signManifest(
             manifest,
-            nodeRevisionDraftKeys.signatureAddress.addressKey,
+            nodeRevisionDraftKeys.signingKeys.contentSigningKey,
         );
 
         const { armoredExtendedAttributes } = extendedAttributes
             ? await this.driveCrypto.encryptExtendedAttributes(
                   extendedAttributes,
                   nodeRevisionDraftKeys.key,
-                  nodeRevisionDraftKeys.signatureAddress.addressKey,
+                  nodeRevisionDraftKeys.signingKeys.contentSigningKey,
               )
             : { armoredExtendedAttributes: undefined };
 
         return {
             armoredManifestSignature,
-            signatureEmail: nodeRevisionDraftKeys.signatureAddress.email,
+            signatureEmail: nodeRevisionDraftKeys.signingKeys.email,
             armoredExtendedAttributes,
         };
     }

package/src/internal/upload/fileUploader.test.ts

@@ -110,7 +110,7 @@ describe('FileUploader', () => {
             nodeRevisionUid: 'revisionUid',
             nodeUid: 'nodeUid',
             nodeKeys: {
-                signatureAddress: { addressId: 'addressId' },
+                signingKeys: { addressId: 'addressId' },
             },
         } as NodeRevisionDraft;