@raytio/core 11.1.0 → 11.2.0

package/CHANGELOG.md

@@ -5,13 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+<!--
+  If you think there are missing entries, go to:
+  https://gitlab.com/raytio/raytio-client-v2/-/commits/master/packages/core
+  to see all commits that touched this package.
+-->
+
 ## [Unreleased]
 
-## 11.1.0 (2022-04-20)
+## 11.2.0 (2023-07-03)
+
+- Support key rotation
+- Support the new Schema API format
+
+## 11.1.0 (2023-04-20)
 
 - Move `expandSchema` into core
 
-## 11.0.0 (2022-04-20)
+## 11.0.0 (2023-04-20)
 
 - 💥 BREAKING CHANGE: Changed the input arguments of `convertInstanceToRuleInput` to only require a list of `ProfileObject`s, instead of the whole `Instance` object.
 - Any profile object with an expired field is now considered `Expired`, even if other fields are verified.

package/README.md

@@ -138,7 +138,7 @@ ___
 
 ### checkJsonSignature
 
-▸ **checkJsonSignature**(`data`, `signature`): `Promise`<`boolean`\>
+▸ **checkJsonSignature**(`data`, `signature`, `keyId`): `Promise`<`boolean`\>
 
 checks that a json object was signed by the provided signature. Unless you're
 dealing with bundled verifications, you should use `getOwnRealVerifications`
@@ -150,6 +150,7 @@ or `getSomeoneElsesRealVerifications` instead.
 | :------ | :------ |
 | `data` | `unknown` |
 | `signature` | `string` |
+| `keyId` | `undefined` \| `string` |
 
 #### Returns
 
@@ -393,7 +394,7 @@ two overloads - if you provide undefined, you might get undefined back
 
 | Name | Type |
 | :------ | :------ |
-| `urn` | \`urn:user:${string}\` \| \`urn:profile\_object:${string}\` \| \`urn:instance:${string}\` \| \`urn:schema:${string}\` \| \`urn:temp\_object:${string}\` \| \`urn:document:${string}\` |
+| `urn` | `Urn` |
 
 #### Returns
 
@@ -407,7 +408,7 @@ two overloads - if you provide undefined, you might get undefined back
 
 | Name | Type |
 | :------ | :------ |
-| `urn` | `undefined` \| \`urn:user:${string}\` \| \`urn:profile\_object:${string}\` \| \`urn:instance:${string}\` \| \`urn:schema:${string}\` \| \`urn:temp\_object:${string}\` \| \`urn:document:${string}\` |
+| `urn` | `undefined` \| `Urn` |
 
 #### Returns
 

package/dist/crypto/getAADecryptor.js

@@ -2,16 +2,44 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAADecryptor = void 0;
 const util_1 = require("../util");
+/**
+ * Fetches the Public Key Information for an Access Application
+ * @returns the id and Key information of the Applications Public Key
+ */
+async function fetchPublicKey({ apiUrl, apiToken, aId, }) {
+    const [publicKey] = await fetch(`${apiUrl}/db/v1/dsm_access_application_public_keys?aa_id=eq.${aId}`, {
+        headers: { Authorization: `Bearer ${apiToken}` },
+    }).then(util_1.handleResponse);
+    if (!publicKey) {
+        throw new Error("Could not Find Encryption Key");
+    }
+    const { id, public_key } = publicKey;
+    return { n_id: id, properties: public_key };
+}
+/**
+ * Fetches the Private Key Information from a Public Key
+ * @returns An encrypted Private Key
+ */
+async function fetchPrivateKey({ apiUrl, apiToken, publicKeyNId, }) {
+    const [privateKey] = await fetch(`${apiUrl}/db/v1/dsm_access_application_private_keys?aack_id=eq.${publicKeyNId}`, { headers: { Authorization: `Bearer ${apiToken}` } }).then(util_1.handleResponse);
+    return privateKey.encrypted_private_key;
+}
 /**
  * Fetchs the public and private keys for an Access Application, then initializes
  * the {@link https://npm.im/@raytio/maxcryptor|Maxcryptor}'s `ApplicationEncryptor`.
  * @returns an `ApplicationEncryptor` and the public key of the Access Application
  */
 async function getAADecryptor({ aId, apiUrl, maxcryptor, apiToken, }) {
-    const { n_id: publicKeyNId, properties: publicKey } = (await fetch(`${apiUrl}/share/v2/access_application/${aId}/public_key`, {
-        headers: { Authorization: `Bearer ${apiToken}` },
-    }).then(util_1.handleResponse));
-    const privateKey = await fetch(`${apiUrl}/share/v2/access_application/public_key/${publicKeyNId}/private_key`, { headers: { Authorization: `Bearer ${apiToken}` } }).then(util_1.handleResponse);
+    const { n_id: publicKeyNId, properties: publicKey } = (await fetchPublicKey({
+        apiUrl,
+        apiToken,
+        aId,
+    }));
+    const privateKey = await fetchPrivateKey({
+        apiUrl,
+        apiToken,
+        publicKeyNId,
+    });
     return {
         decryptor: await maxcryptor.loadApplicationEncryptorForDecryption(publicKey, privateKey),
         publicKeyNId,

package/dist/schema/expandSchema/__tests__/expandSchema.test.js

@@ -3,13 +3,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const expandSchema_1 = require("../expandSchema");
 const fromAPI = [
     {
-        name: "ps_Vessel",
+        schema_name: "ps_Vessel",
         start_date: "1970-01-01T00:00:00+00:00",
         end_date: "2222-12-31T23:59:59+00:00",
         active: true,
         version_current: true,
-        version: "0.0.7",
-        type: "ps",
+        schema_version: "0.0.7",
+        schema_type: "ps",
         schema: {
             $id: "https://api.rayt.io/graph/v1/schema/ps/ps_Vessel",
             $schema: "http://json-schema.org/draft-07/schema#",
@@ -38,8 +38,8 @@ const fromAPI = [
         },
     },
     {
-        name: "ss_birth_year_integer",
-        version: "0.0.1",
+        schema_name: "ss_birth_year_integer",
+        schema_version: "0.0.1",
         schema: {
             $id: "this field often has typos. in this case its blatantly wrong",
             $schema: "https://whatever",
@@ -61,6 +61,7 @@ describe("expandSchema", () => {
             start_date: "1970-01-01T00:00:00+00:00",
             end_date: "2222-12-31T23:59:59+00:00",
             version: "0.0.7",
+            schema_type: "ps",
             i18n: fromAPI[0].schema.i18n,
             isProfileSchema: true,
             isSpSchema: false,

package/dist/schema/expandSchema/__tests__/processSchema.test.js

@@ -25,7 +25,7 @@ describe("processSchema", () => {
         const allUnexpandedSchema = [
             mock,
             {
-                name: "ss_first_name_01",
+                schema_name: "ss_first_name_01",
                 schema: {
                     properties: {},
                     tags: ["a tag from the child"],
@@ -95,14 +95,14 @@ describe("processSchema", () => {
         const allUnexpandedSchema = [
             mock,
             {
-                name: "ss_first_name_01",
+                schema_name: "ss_first_name_01",
                 schema: {
                     required: ["c", "d"],
                     properties: { first_name: { type: "string" } },
                 },
             },
             {
-                name: "ss_last_name_01",
+                schema_name: "ss_last_name_01",
                 schema: {
                     required: ["e", "f"],
                     properties: { last_name: { type: "string" } },
@@ -297,7 +297,7 @@ describe("processSchema", () => {
             ],
         };
         const moeSubSchema = {
-            name: "ss_MOE_ID",
+            schema_name: "ss_MOE_ID",
             schema: {
                 type: "number",
                 properties: {},

package/dist/schema/expandSchema/processSchema.d.ts

@@ -1,4 +1,3 @@
 import { Schema, WrappedSchema } from "@raytio/types";
-export declare const processSchema: (schema: WrappedSchema["schema"] & {
-    version: string;
-}, allUnexpandedSchemas: WrappedSchema[]) => Schema;
+import type { unwrapSchema } from "./unwrapSchema";
+export declare const processSchema: (schema: ReturnType<typeof unwrapSchema>, allUnexpandedSchemas: WrappedSchema[]) => Schema;

package/dist/schema/expandSchema/processSchema.js

@@ -19,7 +19,7 @@ const processSchema = (schema, allUnexpandedSchemas) => {
         const subSchemaName = (0, sortSchemaProperties_1.getNidFromUrn)((_a = schema.definitions) === null || _a === void 0 ? void 0 : _a[$ref.split("/")[2]].$ref);
         if (!subSchemaName)
             throw new Error("Invalid schema");
-        const subSchema = (_b = allUnexpandedSchemas.find(s => s.name === subSchemaName)) === null || _b === void 0 ? void 0 : _b.schema;
+        const subSchema = (_b = allUnexpandedSchemas.find(s => s.schema_name === subSchemaName)) === null || _b === void 0 ? void 0 : _b.schema;
         if (!subSchema) {
             throw new Error(`Could not resolve subschema '${subSchemaName}'`);
         }
@@ -44,7 +44,7 @@ const processSchema = (schema, allUnexpandedSchemas) => {
         const subSchemaName = (0, sortSchemaProperties_1.getNidFromUrn)((_a = schema.definitions) === null || _a === void 0 ? void 0 : _a[$ref.split("/")[2]].$ref);
         if (!subSchemaName)
             throw new Error("Invalid schema");
-        const subSchema = (_b = allUnexpandedSchemas.find(s => s.name === subSchemaName)) === null || _b === void 0 ? void 0 : _b.schema;
+        const subSchema = (_b = allUnexpandedSchemas.find(s => s.schema_name === subSchemaName)) === null || _b === void 0 ? void 0 : _b.schema;
         if (!subSchema) {
             throw new Error(`Could not resolve subschema '${subSchemaName}'`);
         }

package/dist/schema/expandSchema/removePrivateFields.d.ts

@@ -1,10 +1,10 @@
 import { Schema } from "@raytio/types";
 export declare const removePrivateFields: (schema: Schema) => {
     properties: Record<string, Omit<import("@raytio/types").SchemaField, "$id" | "allOf" | "$schema" | "definitions">>;
-    type?: import("@raytio/types").DataTypes | undefined;
-    name: string;
     title: string;
     description: string;
+    description_decorator?: "md" | undefined;
+    schema_type?: import("@raytio/types").SchemaType | undefined;
     title_plural?: string | undefined;
     schema_group?: string | undefined;
     tags?: import("@raytio/types").SchemaTag[] | undefined;
@@ -104,6 +104,8 @@ export declare const removePrivateFields: (schema: Schema) => {
         }[] | undefined;
         return_to?: string | undefined;
     } | undefined;
+    name: string;
+    type?: import("@raytio/types").DataTypes | undefined;
     group_title?: string | undefined;
     verified_fields?: (string | import("@raytio/types").ConditionallyRequired)[] | undefined;
     required?: (string | import("@raytio/types").ConditionallyRequired)[] | undefined;

package/dist/schema/expandSchema/unwrapSchema.d.ts

@@ -1,6 +1,6 @@
 import { WrappedSchema } from "@raytio/types";
-export declare function unwrapSchema(wrapped: WrappedSchema): WrappedSchema["schema"] & {
+export type ClientFields = {
     version: string;
-    start_date?: string;
-    end_date?: string;
+    name: string;
 };
+export declare function unwrapSchema(wrapped: WrappedSchema): WrappedSchema["schema"] & Pick<WrappedSchema, "start_date" | "end_date" | "schema_type"> & ClientFields;

package/dist/schema/expandSchema/unwrapSchema.js

@@ -2,6 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.unwrapSchema = void 0;
 function unwrapSchema(wrapped) {
-    return Object.assign(Object.assign({}, wrapped.schema), { name: wrapped.name, start_date: wrapped.start_date, end_date: wrapped.end_date, version: wrapped.version });
+    return Object.assign(Object.assign({}, wrapped.schema), { name: wrapped.schema_name, start_date: wrapped.start_date, end_date: wrapped.end_date, version: wrapped.schema_version, schema_type: wrapped.schema_type });
 }
 exports.unwrapSchema = unwrapSchema;

package/dist/testHelpers.d.ts

@@ -0,0 +1,9 @@
+/// <reference types="jest" />
+/** like {@link Partial} but applies to all deep properties */
+export type DeepPartial<T> = T | (T extends object ? {
+    [K in keyof T]?: DeepPartial<T[K]>;
+} : T extends (infer U)[] ? DeepPartial<U>[] : T);
+/** tells typescript that this function is mocked */
+export declare const m: (func: unknown) => jest.Mock<any, any, any>;
+/** helper to let us define type-safe partial mocks */
+export declare const deepPartial: <T>(partial: DeepPartial<T>) => T;

package/dist/testHelpers.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deepPartial = exports.m = void 0;
+/** tells typescript that this function is mocked */
+const m = (func) => func;
+exports.m = m;
+/** helper to let us define type-safe partial mocks */
+const deepPartial = (partial) => partial;
+exports.deepPartial = deepPartial;

package/dist/verifications/getPOVerification.js

@@ -55,10 +55,13 @@ function getPOVerification({ PO, schema, realVers, }) {
         if (pertainingVers.length && pertainingVers.every(x => x.expired)) {
             return types_1.FieldVerification.Expired;
         }
-        if (pertainingVers.some(x => !x.verified)) {
+        // the if statement above checks if every ver is expired. It is possible
+        // that only some are expired, so filter out those ones.
+        const nonExpiredPertainingVers = pertainingVers.filter(x => !x.expired);
+        if (nonExpiredPertainingVers.some(x => !x.verified)) {
             return types_1.FieldVerification.VerifiedFalse;
         }
-        return pertainingVers.length
+        return nonExpiredPertainingVers.length
             ? types_1.FieldVerification.Verified
             : types_1.FieldVerification.NotVerified;
     }, shouldBeVerifiedProps);
@@ -89,6 +92,7 @@ function getPOVerification({ PO, schema, realVers, }) {
         nId: PO.n_id,
         realVers,
         shouldBeVerifiedProps,
+        verificationStatus: status,
     });
     // find the earliest expiry date if there is one
     const maybeExpiryDate = ((_c = (0, ramda_1.sortBy)(ver => +ver.expired, realVers.filter(ver => ver.belongsToNId === PO.n_id && ver.expired))[0]) === null || _c === void 0 ? void 0 : _c.expired) || undefined;

package/dist/verifications/getVerifiedBy.js

@@ -1,13 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getVerifiedBy = void 0;
+const types_1 = require("@raytio/types");
 const ramda_1 = require("ramda");
 const maybeRereference_1 = require("./maybeRereference");
 // we should probably document this
 /** @internal */
-const getVerifiedBy = ({ nId, realVers, shouldBeVerifiedProps, }) => {
+const getVerifiedBy = ({ nId, realVers, shouldBeVerifiedProps, verificationStatus, }) => {
     const mayBeVerifiedFields = Object.keys(shouldBeVerifiedProps);
     const pertainingVers = realVers
+        // for valid verifications, we filter out the information that came from
+        // now expired sources. We only ever consider expired source if the verification
+        // itself is expired.
+        .filter(realVer => realVer.expired ? verificationStatus === types_1.POVerification.Expired : true)
         .filter(x => mayBeVerifiedFields.includes(x.fieldName) &&
         // using ramda's `equals` because this needs to work for objects/arrays
         (0, ramda_1.equals)((0, maybeRereference_1.maybeRereference)(shouldBeVerifiedProps[x.fieldName]), (0, maybeRereference_1.maybeRereference)(x.value)) &&

package/dist/verifications/verifyCheck/__tests__/getOwnRealVerifications.test.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const __1 = require("..");
 const operations_1 = require("../operations");
+const testHelpers_1 = require("../../../testHelpers");
 jest.mock("../operations");
 /**
  * in this test case:
@@ -16,18 +17,21 @@ jest.mock("../operations");
  */
 describe("getOwnRealVerifications", () => {
     beforeAll(() => {
-        operations_1.checkOwnVerification.mockImplementation(async ({ signature }) => {
+        jest.fn(() => 1).mockImplementation(() => 123);
+        (0, testHelpers_1.m)(operations_1.checkOwnVerification).mockImplementation(async ({ signature, keyId }) => {
             if (signature === "signatureForLastNameMustermannFromN2")
                 return false;
+            if (keyId === "thisOneIsInvalid")
+                return false;
             return true;
         });
     });
     it("calls the verifyCheck function for each PO, keeping only the valid ones", async () => {
-        const profileObjects = [
+        const profileObjects = (0, testHelpers_1.deepPartial)([
             { n_id: "n1", properties: { fName: "Max", lName: "Mustermann" } },
             { n_id: "n2", properties: { fName: "Erika", lName: "Mustermann" } },
-        ];
-        const verifications = [
+        ]);
+        const verifications = (0, testHelpers_1.deepPartial)([
             {
                 n_id: "nv1",
                 properties: {
@@ -65,6 +69,7 @@ describe("getOwnRealVerifications", () => {
                                 passed: false,
                                 source_n_id: "n2",
                             },
+                            // legacy: key_id is not specified
                         },
                     ],
                 },
@@ -103,14 +108,56 @@ describe("getOwnRealVerifications", () => {
                     ],
                 },
             },
-        ];
+            {
+                n_id: "nv6",
+                properties: {
+                    verifications: [
+                        {
+                            signature: "signatureForFirstNameErika",
+                            data: {
+                                field: "fName",
+                                verifier_source_id: "Ministry of pike river mine re-entry",
+                                verifier_service_id: "Minister for pike river re-entry",
+                                verifier_id: "v1",
+                                verification_date: "2020-08-28T23:11:20.592912",
+                                request_div: "x2",
+                                passed: false,
+                                source_n_id: "n2",
+                            },
+                            key_id: "thisOneIsInvalid", // signature & data is good, but this key will fail
+                        },
+                    ],
+                },
+            },
+            {
+                n_id: "nv7",
+                properties: {
+                    verifications: [
+                        {
+                            signature: "signatureForFirstNameErika",
+                            data: {
+                                field: "fName",
+                                verifier_source_id: "Ministry of pike river mine re-entry",
+                                verifier_service_id: "Minister for pike river re-entry",
+                                verifier_id: "v1",
+                                verification_date: "2020-08-28T23:11:20.592912",
+                                request_div: "x2",
+                                passed: false,
+                                source_n_id: "n2",
+                            },
+                            key_id: "raytio", // everything is valid, this is the right key_id
+                        },
+                    ],
+                },
+            },
+        ]);
         const realVers = await (0, __1.getOwnRealVerifications)({
             profileObjects,
             verifications,
             userId: "geesepolice2002",
         });
-        expect(operations_1.checkOwnVerification).toHaveBeenCalledTimes(3);
-        // 3 times, not 5. Because this new method doesn't need to build a big matrix of possible combinations
+        expect(operations_1.checkOwnVerification).toHaveBeenCalledTimes(5);
+        // 5 times. Because this new method doesn't need to build a big matrix of possible combinations
         expect(realVers).toStrictEqual([
             {
                 fieldName: "fName",
@@ -147,6 +194,24 @@ describe("getOwnRealVerifications", () => {
                 xId: "x2",
             },
             // note how lastName is not included since it's invalid
+            // nv6 is not included because the key is invalid
+            {
+                fieldName: "fName",
+                value: "Erika",
+                belongsToNId: "n2",
+                nID: "nv7",
+                expired: false,
+                metadata: undefined,
+                provider: {
+                    dataSourceNId: "Ministry of pike river mine re-entry",
+                    date: new Date("2020-08-28T23:11:20.592Z"),
+                    serviceProviderNId: "Minister for pike river re-entry",
+                    verifierNId: "v1",
+                },
+                signature: "signatureForFirstNameErika",
+                verified: false,
+                xId: "x2",
+            },
         ]);
     });
 });

package/dist/verifications/verifyCheck/getOwnRealVerifications.js

@@ -17,7 +17,8 @@ const getOwnRealVerifications = async ({ verifications, profileObjects, userId,
     // because attempting hundreds of webcrypto operations simultaneously will
     // probably upset some heritage web browser.
     for (const ver of verifications) {
-        for (const { data, signature } of ver.properties.verifications) {
+        for (const verPO of ver.properties.verifications) {
+            const { data, signature } = verPO;
             const sourcePO = profileObjects.find(PO => PO.n_id === data.source_n_id);
             if (!sourcePO)
                 continue;
@@ -34,6 +35,7 @@ const getOwnRealVerifications = async ({ verifications, profileObjects, userId,
                 userId,
                 value: (0, maybeRereference_1.maybeRereference)(value),
                 signature,
+                keyId: verPO.key_id,
             });
             if (!isGenuine)
                 continue;

package/dist/verifications/verifyCheck/operations/__tests__/checkOwnVerification.test.js

@@ -7,8 +7,9 @@ const __1 = require("..");
 const util_1 = require("../../../../util");
 const checkOwnVerification_1 = require("../checkOwnVerification");
 const sampleBundle_json_1 = __importDefault(require("./sampleBundle.json"));
-Reflect.set(global, "fetch", jest.fn().mockResolvedValue({
-    text: async () => `-----BEGIN PUBLIC KEY-----
+global.fetch = jest.fn().mockImplementation(async (url) => ({
+    text: async () => url.endsWith("raytio.pem")
+        ? `-----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn9QtCqYa3H3ipFFU0xP3
 n6r7KHS3GMbh0h/xzel57HhCIaXDYjUeUtgUNtzm+uElb/qzGn50xQRzVqO32vKB
 ZAW2kYyZ2+R5ruk9CSxr7K4Vk1FtDMcUCzqxm0eycFD2xbLsN3feRc3BMjfdaQ7P
@@ -21,10 +22,29 @@ Gut0BoM+DIwDu0uZaUprz7fSgNmYHHEiIFbOMVHiOn8oZAZbJXXbUbFIUYXA8u9+
 J1Z+QEpgw+rhGzOf/TSeHfMC9nNbWgYglluAJusWf2XwG/t/VlhtzviHCVGEL7HQ
 jQE5DrM7vaTg6Gu9bjKuoeLIRzbOYK6qAWFoa0CLcN84PLjhDSRw2duatP08hcWg
 jTgOkLWnBFE7NyRU93uPp68CAwEAAQ==
+-----END PUBLIC KEY-----`
+        : `-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgee+uBOgOsbwjMvGN1/H
+qpGXGJLol0Pc2KhI1fh1NBq+UGhk8PqgDd5wHZikbmrtVkvp/maIh+mbIdehY/RC
+ftMylvebCf4Qf+5SWzQsmB1o6nBUbwJzYE2XyvxRiNLhdIeE+GgfdpA5S3l0cDJ5
+B/1TagITmQUjThwTxDYZ6jlGJJ4NSjqlqeQrHhGWRLVQPWU8bYysX3jt3/uiv4tS
+n3TheLGY1TMlbFrVF2Spv1WxuqMZ4bX1mIotK3yEB3TaZSZaOwlUcEZ4xY+J4Vl+
+ZlrOgYbmzFd7UFh9UZbYZUkNSEfddEnFNFlFG3YQVt8UAumPBVJELdjiaRjTj/K4
+62GAFyOcbcw9wcl69fPBnieBo2m2Dqf6U3wcrnvTnkMwjCewWXCH6FdbC4OllBZV
+Nrfn6zf9yX0J8ZEDEcw9ZsNLVkyl2U+Ya/h5CQt43ip/1eNM5LpTbfqBTtAH7iUO
+4L9rxuSJFA2Q9kZfof6kYO9EGgMFB+GM47/Q068+IiTpifvPno4ilnowyS4hbLiy
+Os2yudW79flaz0a7rq5dLdSg9Mm5k7ETBm7WguDcocaiETmuYTJT2PozAGOC3+EP
+w5N7mQff4ecx/880FWYKQmU9Asav1V49DWSnG0ZXQ7U24dG8ANeAgKddDviJGlsh
+SsjKrz8LJqeoNQu30iSGZhUCAwEAAQ==
 -----END PUBLIC KEY-----`,
 }));
 describe("checkOwnVerification", () => {
-    it("works for a real PO", async () => {
+    it.each `
+    keyId                       | result
+    ${undefined}                | ${true}
+    ${"whatever/raytio"}        | ${true}
+    ${"whatever/somethingElse"} | ${false}
+  `("returns $result for a PO with keyId=$keyId", async ({ keyId, result }) => {
         //
         // This is an important integration test from ca. 2021-12-02.
         // If it is failing, it means our code no longer matches the
@@ -54,7 +74,13 @@ describe("checkOwnVerification", () => {
         };
         const value = "NZ Limited Company";
         const userId = "fd9c4903-65c2-4b75-b454-4fda6b682f3e"; // for 27july21 🦈
-        expect(await (0, checkOwnVerification_1.checkOwnVerification)({ value, signature, userId, verObject })).toBe(true);
+        expect(await (0, checkOwnVerification_1.checkOwnVerification)({
+            value,
+            signature,
+            userId,
+            verObject,
+            keyId,
+        })).toBe(result);
     });
     it("errors if you forget to supply the uId", async () => {
         await expect(() => (0, checkOwnVerification_1.checkOwnVerification)({
@@ -62,8 +88,22 @@ describe("checkOwnVerification", () => {
             signature: "",
             userId: "",
             verObject: {},
+            keyId: undefined,
         })).rejects.toThrow(new Error("No userId supplied"));
     });
+    it.each `
+    keyId
+    ${"../../malicious.pem"}
+    ${"https://example.com/malicious.pem"}
+  `("errors if you supply an invalid keyId", async ({ keyId }) => {
+        await expect(() => (0, checkOwnVerification_1.checkOwnVerification)({
+            value: "whatever",
+            signature: "whatever",
+            userId: "whatever",
+            verObject: {},
+            keyId,
+        })).rejects.toThrow(new Error("Invalid key ID"));
+    });
 });
 describe("checkSignature", () => {
     it("works", async () => {
@@ -86,6 +126,6 @@ describe("checkSignature", () => {
 });
 describe("checkJsonSignature", () => {
     it("can verify a bundled verification", async () => {
-        expect(await (0, __1.checkJsonSignature)(sampleBundle_json_1.default.data, sampleBundle_json_1.default.signature)).toBe(true);
+        expect(await (0, __1.checkJsonSignature)(sampleBundle_json_1.default.data, sampleBundle_json_1.default.signature, sampleBundle_json_1.default.key_id)).toBe(true);
     });
 });

package/dist/verifications/verifyCheck/operations/__tests__/sampleBundle.json

@@ -39,5 +39,6 @@
         },
         "valid_until": "2022-03-13T02:26:20.468171"
     },
+    "key_id": "any string/raytio",
     "signature": "AiWWrL+S1paYOqJiOtU3qwLTCkkZjwDq3FuHl7oy14IATYOhCeHLf+ca44X1Wc6pYpTQckjKnJZL\nkfgiwNE97aymWIOc+ZZGEb5YhXRNO+inTV4k5zppaDN3n3YAGzn7zMxleh3+opzJqncNaJtpZ0Wv\na9Pu/m4WjyT5ee3Myz6VOOMuVkcaTL4FD8XT7NdCh0ybRevAZ5R9xl0YuWMhvNpf3P6ieTikHXYN\nkKbPTnAhNdBmqV4njSIR66M82Ek0d9VcsX4zhmlhpdCmGRlXLgHEyMCF4iHlCIxSeKtGaOm2QK2R\nOV/lN3VScDNWyD8lPBipcj++5ZGII6BnFFG8LlT3gY/Y/wt8KeH/xgdu0a7Lt6J/BOiGLFfscUmb\nH5K5t48gnQ5BQS+Cf/yhayMV49LlGiK9m1iPlbmuJH1L2/ZM+iLsIrSTGCU0Rpbkw7qvm0dkUNYf\nhvlj/RnUxcy0Lr/84CzLvBhFMmBX+RHlcPrCWpIiibsdaD81kRyvLY2TASLFTeHajfr+UvtP3LVs\n8NGwRQHd6c2/ptxv3ERRUnDtNASatsLe67ZHg9SeF3BDhMHZwU1neYyrBI1TMECasFli5rP5gviq\nC8ZwFQ9lnDDTidWBF8GjRl6ope4wIuNBBkOsIIeyqIJE5BRUH4LhVUnN1be696uCKnWOyOo7fkc=\n"
 }

package/dist/verifications/verifyCheck/operations/checkOwnVerification.d.ts

@@ -4,12 +4,13 @@ type SingleVerToCheck = {
     signature: string;
     userId: UId;
     value: unknown;
+    keyId: string | undefined;
 };
 /**
  * checks that a json object was signed by the provided signature. Unless you're
  * dealing with bundled verifications, you should use `getOwnRealVerifications`
  * or `getSomeoneElsesRealVerifications` instead.
  */
-export declare const checkJsonSignature: (data: unknown, signature: string) => Promise<boolean>;
-export declare const checkOwnVerification: ({ verObject, signature, userId, value, }: SingleVerToCheck) => Promise<boolean>;
+export declare const checkJsonSignature: (data: unknown, signature: string, keyId: string | undefined) => Promise<boolean>;
+export declare const checkOwnVerification: ({ verObject, signature, userId, value, keyId, }: SingleVerToCheck) => Promise<boolean>;
 export {};

package/dist/verifications/verifyCheck/operations/checkOwnVerification.js

@@ -2,14 +2,14 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkOwnVerification = exports.checkJsonSignature = exports.checkSignature = void 0;
 const util_1 = require("../../../util");
-let cache;
+const cache = {};
 const base64ToArrayBuffer = (str) => Uint8Array.from(atob(str), c => c.charCodeAt(0));
-async function getJwk() {
+async function getJwk(keyUrl) {
     // eslint-disable-next-line fp/no-mutation
-    cache || (cache = fetch("https://api-docs.rayt.io/lookups/raytio.pem")
+    cache[keyUrl] || (cache[keyUrl] = fetch(keyUrl)
         .then(r => r.text())
         .then(pem => crypto.subtle.importKey("spki", base64ToArrayBuffer(pem.split("-----")[2].trim()), { name: "RSA-PSS", hash: "SHA-512" }, false, ["verify"])));
-    return cache;
+    return cache[keyUrl];
 }
 /** @internal exported only for tests */
 async function checkSignature(publicCryptoKey, signature, data) {
@@ -24,16 +24,23 @@ exports.checkSignature = checkSignature;
  * dealing with bundled verifications, you should use `getOwnRealVerifications`
  * or `getSomeoneElsesRealVerifications` instead.
  */
-const checkJsonSignature = async (data, signature) => {
-    const jwk = await getJwk();
+const checkJsonSignature = async (data, signature, keyId) => {
+    const keyFileName = keyId ? keyId.split("/")[1] : "raytio";
+    // don't allow any special characters, e.g. to prevent
+    // someone using a keyID of  "../../someOtherFile"
+    if (!keyFileName || /[^\w-]/.test(keyFileName)) {
+        throw new Error("Invalid key ID");
+    }
+    const keyUrl = `https://api-docs.rayt.io/lookups/${keyFileName}.pem`;
+    const jwk = await getJwk(keyUrl);
     const stringified = (0, util_1.canonicalJsonify)(data);
     const result = await checkSignature(jwk, signature, stringified);
     return result;
 };
 exports.checkJsonSignature = checkJsonSignature;
-const checkOwnVerification = async ({ verObject, signature, userId, value, }) => {
+const checkOwnVerification = async ({ verObject, signature, userId, value, keyId, }) => {
     if (!userId)
         throw new Error("No userId supplied");
-    return (0, exports.checkJsonSignature)(Object.assign(Object.assign({}, verObject), { sub: userId, value }), signature);
+    return (0, exports.checkJsonSignature)(Object.assign(Object.assign({}, verObject), { sub: userId, value }), signature, keyId);
 };
 exports.checkOwnVerification = checkOwnVerification;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@raytio/core",
-  "version": "11.1.0",
+  "version": "11.2.0",
   "license": "MIT",
   "main": "index",
   "types": "index",
@@ -17,13 +17,13 @@
   },
   "dependencies": {
     "@raytio/maxcryptor": "3.1.0",
-    "@raytio/types": "7.1.0",
+    "@raytio/types": "7.2.0",
     "ramda": "0.29.0"
   },
   "devDependencies": {
-    "@types/ramda": "0.29.0",
-    "jest": "29.5.0",
-    "ts-jest": "29.1.0"
+    "@types/ramda": "0.29.2",
+    "jest": "29.6.1",
+    "ts-jest": "29.1.1"
   },
   "jest": {
     "transform": {