@sockethub/data-layer 1.0.0-alpha.10

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "@sockethub/data-layer",
+  "description": "Storing and RPC of data for Sockethub",
+  "version": "1.0.0-alpha.10",
+  "type": "module",
+  "private": false,
+  "author": "Nick Jennings <nick@silverbucket.net>",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "main": "dist/index.js",
+  "exports": {
+    ".": {
+      "bun": "./src/index.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "src/",
+    "dist/"
+  ],
+  "engines": {
+    "bun": ">=1.2"
+  },
+  "keywords": [
+    "sockethub",
+    "messaging",
+    "redis",
+    "data layer",
+    "rpc",
+    "data store"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sockethub/sockethub.git",
+    "directory": "packages/data-layer"
+  },
+  "homepage": "https://github.com/sockethub/sockethub/tree/master/packages/data-layer",
+  "scripts": {
+    "build": "bun build src/index.ts --outdir dist --target node --format esm --sourcemap=external",
+    "clean": "rm -rf dist",
+    "doc": "typedoc --options typedoc.json",
+    "test": "bun test src/",
+    "test:integration": "DEBUG=ioredis*,bullmq*,sockethub* bun test ./integration/redis.integration.ts"
+  },
+  "dependencies": {
+    "@sockethub/crypto": "^1.0.0-alpha.10",
+    "@sockethub/schemas": "^3.0.0-alpha.10",
+    "bullmq": "^5.66.5",
+    "debug": "^4.4.3",
+    "ioredis": "^5.9.2",
+    "secure-store-redis": "^3.0.7"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@types/debug": "^4.1.12",
+    "@types/sinon": "^17.0.4",
+    "sinon": "^17.0.2",
+    "typedoc": "^0.28.16",
+    "typedoc-plugin-markdown": "^4.9.0"
+  },
+  "gitHead": "8e1abf116b2a6b57d33c6e1a4af9143870517bae"
+}

package/src/credentials-store.test.ts

@@ -0,0 +1,155 @@
+import { beforeEach, describe, expect, it } from "bun:test";
+import * as sinon from "sinon";
+
+import { CredentialsStore } from "./credentials-store";
+
+describe("CredentialsStore", () => {
+    let credentialsStore,
+        MockSecureStore,
+        MockStoreGet,
+        MockStoreSave,
+        MockObjectHash;
+    beforeEach(() => {
+        MockStoreGet = sinon.stub().returns("credential foo");
+        MockStoreSave = sinon.stub();
+        MockObjectHash = sinon.stub();
+        MockSecureStore = sinon.stub().returns({
+            get: MockStoreGet,
+            save: MockStoreSave,
+        });
+        class TestCredentialsStore extends CredentialsStore {
+            initCrypto() {
+                this.objectHash = MockObjectHash;
+            }
+            initSecureStore(secret, redisConfig) {
+                this.store = MockSecureStore({
+                    namespace: "foo",
+                    secret: secret,
+                    redis: redisConfig,
+                });
+            }
+        }
+        credentialsStore = new TestCredentialsStore(
+            "a parent id",
+            "a session id",
+            "a secret must be 32 chars and th",
+            { url: "redis config" },
+        );
+    });
+
+    it("returns a valid CredentialsStore object", () => {
+        sinon.assert.calledOnce(MockSecureStore);
+        sinon.assert.calledWith(MockSecureStore, {
+            namespace: "foo",
+            secret: "a secret must be 32 chars and th",
+            redis: { url: "redis config" },
+        });
+        expect(typeof credentialsStore).toEqual("object");
+        expect(credentialsStore.uid).toEqual(
+            `sockethub:data-layer:credentials-store:a parent id:a session id`,
+        );
+        expect(typeof credentialsStore.get).toEqual("function");
+        expect(typeof credentialsStore.save).toEqual("function");
+    });
+
+    describe("get", () => {
+        it("handles correct params", async () => {
+            const res = await credentialsStore.get("an actor");
+            sinon.assert.calledOnce(MockStoreGet);
+            sinon.assert.calledWith(MockStoreGet, "an actor");
+            sinon.assert.notCalled(MockObjectHash);
+            sinon.assert.notCalled(MockStoreSave);
+            expect(res).toEqual("credential foo");
+        });
+
+        it("handles no credentials found", async () => {
+            MockStoreGet.returns(undefined);
+            expect(async () => {
+                await credentialsStore.get("a non-existent actor");
+            }).toThrow("credentials not found for a non-existent actor");
+            sinon.assert.calledOnce(MockStoreGet);
+            sinon.assert.calledWith(MockStoreGet, "a non-existent actor");
+            sinon.assert.notCalled(MockObjectHash);
+            sinon.assert.notCalled(MockStoreSave);
+        });
+
+        it("handles an unexpected error", async () => {
+            MockStoreGet.returns(undefined);
+            try {
+                await credentialsStore.get("a problem actor");
+                expect(false).toEqual(true);
+            } catch (err) {
+                expect(err.toString()).toEqual(
+                    "Error: credentials not found for a problem actor",
+                );
+            }
+            sinon.assert.calledOnce(MockStoreGet);
+            sinon.assert.calledWith(MockStoreGet, "a problem actor");
+            sinon.assert.notCalled(MockObjectHash);
+            sinon.assert.notCalled(MockStoreSave);
+        });
+
+        it("validates credentialsHash when provided", async () => {
+            MockObjectHash.returns("a credentialsHash string");
+            MockStoreGet.returns({
+                object: "a credential",
+            });
+            const res = await credentialsStore.get(
+                "an actor",
+                "a credentialsHash string",
+            );
+            sinon.assert.calledOnce(MockStoreGet);
+            sinon.assert.calledWith(MockStoreGet, "an actor");
+            sinon.assert.calledOnce(MockObjectHash);
+            sinon.assert.calledWith(MockObjectHash, "a credential");
+            sinon.assert.notCalled(MockStoreSave);
+            expect(res).toEqual({ object: "a credential" });
+        });
+
+        it("invalidates credentialsHash when provided", async () => {
+            MockObjectHash.returns("the original credentialsHash string");
+            MockStoreGet.returns({
+                object: "a credential",
+            });
+            try {
+                expect(
+                    await credentialsStore.get(
+                        "an actor",
+                        "a different credentialsHash string",
+                    ),
+                ).toBeUndefined();
+                expect(false).toEqual(true);
+            } catch (err) {
+                expect(err.toString()).toEqual(
+                    "Error: invalid credentials for an actor",
+                );
+            }
+            sinon.assert.calledOnce(MockStoreGet);
+            sinon.assert.calledWith(MockStoreGet, "an actor");
+            sinon.assert.calledOnce(MockObjectHash);
+            sinon.assert.calledWith(MockObjectHash, "a credential");
+            sinon.assert.notCalled(MockStoreSave);
+        });
+    });
+
+    describe("save", () => {
+        it("handles success", async () => {
+            const creds = { foo: "bar" };
+            await credentialsStore.save("an actor", creds);
+            sinon.assert.calledOnce(MockStoreSave);
+            sinon.assert.calledWith(MockStoreSave, "an actor", creds);
+            sinon.assert.notCalled(MockObjectHash);
+            sinon.assert.notCalled(MockStoreGet);
+        });
+
+        it("handles failure", async () => {
+            const creds = { foo: "bar" };
+            MockStoreSave.returns(undefined);
+            await credentialsStore.save("an actor", creds);
+            sinon.assert.calledOnce(MockStoreSave);
+            sinon.assert.calledWith(MockStoreSave, "an actor", creds);
+            sinon.assert.notCalled(MockObjectHash);
+            sinon.assert.notCalled(MockStoreGet);
+        });
+    });
+});

package/src/credentials-store.ts

@@ -0,0 +1,124 @@
+import { crypto } from "@sockethub/crypto";
+import type { CredentialsObject } from "@sockethub/schemas";
+import debug, { type Debugger } from "debug";
+import SecureStore from "secure-store-redis";
+
+import type { RedisConfig } from "./types.js";
+
+export interface CredentialsStoreInterface {
+    get(
+        actor: string,
+        credentialsHash: string | undefined,
+    ): Promise<CredentialsObject | undefined>;
+    save(actor: string, creds: CredentialsObject): Promise<number>;
+}
+
+export async function verifySecureStore(config: RedisConfig): Promise<void> {
+    const log = debug("sockethub:data-layer:credentials-store");
+    const ss = new SecureStore({
+        redis: config,
+    });
+    await ss.init();
+    await ss.disconnect();
+    log("redis connection verified");
+}
+
+/**
+ * Secure, encrypted storage for user credentials with session-based isolation.
+ *
+ * Provides automatic encryption/decryption of credential objects stored in Redis,
+ * ensuring that sensitive authentication data is never stored in plaintext.
+ * Each session gets its own isolated credential store.
+ *
+ * @example
+ * ```typescript
+ * const store = new CredentialsStore('session123', secret, redisConfig);
+ *
+ * // Store credentials
+ * await store.save('user@example.com', {
+ *   username: 'user',
+ *   password: 'secret',
+ *   server: 'irc.freenode.net'
+ * });
+ *
+ * // Retrieve credentials
+ * const creds = await store.get('user@example.com', credentialsHash);
+ * ```
+ */
+export class CredentialsStore implements CredentialsStoreInterface {
+    readonly uid: string;
+    store: SecureStore;
+    objectHash: (o: unknown) => string;
+    private readonly log: Debugger;
+
+    /**
+     * Creates a new CredentialsStore instance.
+     *
+     * @param parentId - Unique identifier for the parent instance (e.g. server ID)
+     * @param sessionId - Client session identifier for credential isolation
+     * @param secret - 32-character encryption secret for credential security
+     * @param redisConfig - Redis connection configuration
+     * @throws Error if secret is not exactly 32 characters
+     */
+    constructor(
+        parentId: string,
+        sessionId: string,
+        secret: string,
+        redisConfig: RedisConfig,
+    ) {
+        if (secret.length !== 32) {
+            throw new Error(
+                "CredentialsStore secret must be 32 chars in length",
+            );
+        }
+        this.uid = `sockethub:data-layer:credentials-store:${parentId}:${sessionId}`;
+        this.log = debug(this.uid);
+        this.initCrypto();
+        this.initSecureStore(secret, redisConfig);
+        this.log("initialized");
+    }
+
+    initCrypto() {
+        this.objectHash = crypto.objectHash;
+    }
+
+    initSecureStore(secret: string, redisConfig: RedisConfig) {
+        this.store = new SecureStore({
+            uid: this.uid,
+            secret: secret,
+            redis: redisConfig,
+        });
+    }
+
+    /**
+     * Gets the credentials for a given actor ID
+     * @param actor
+     * @param credentialsHash - Optional hash to validate credentials. If undefined, validation is skipped.
+     */
+    async get(
+        actor: string,
+        credentialsHash: string | undefined,
+    ): Promise<CredentialsObject> {
+        this.log(`get credentials for ${actor}`);
+        const credentials: CredentialsObject = await this.store.get(actor);
+        if (!credentials) {
+            throw new Error(`credentials not found for ${actor}`);
+        }
+
+        if (credentialsHash) {
+            if (credentialsHash !== this.objectHash(credentials.object)) {
+                throw new Error(`invalid credentials for ${actor}`);
+            }
+        }
+        return credentials;
+    }
+
+    /**
+     * Saves the credentials for a given actor ID
+     * @param actor
+     * @param creds
+     */
+    async save(actor: string, creds: CredentialsObject): Promise<number> {
+        return this.store.save(actor, creds);
+    }
+}

package/src/index.ts

@@ -0,0 +1,27 @@
+import debug from "debug";
+
+import {
+    CredentialsStore,
+    type CredentialsStoreInterface,
+    verifySecureStore,
+} from "./credentials-store.js";
+import { JobQueue, verifyJobQueue } from "./job-queue.js";
+import { JobWorker } from "./job-worker.js";
+export * from "./types.js";
+import type { RedisConfig } from "./types.js";
+
+const log = debug("sockethub:data-layer");
+
+async function redisCheck(config: RedisConfig): Promise<void> {
+    log(`checking redis connection ${config.url}`);
+    await verifySecureStore(config);
+    await verifyJobQueue(config);
+}
+
+export {
+    redisCheck,
+    JobQueue,
+    JobWorker,
+    CredentialsStore,
+    type CredentialsStoreInterface,
+};

package/src/job-base.ts

@@ -0,0 +1,58 @@
+import EventEmitter from "node:events";
+import IORedis, { type Redis } from "ioredis";
+
+import { crypto, type Crypto } from "@sockethub/crypto";
+import type { ActivityStream } from "@sockethub/schemas";
+
+import type { JobDataDecrypted, JobEncrypted, RedisConfig } from "./types.js";
+
+export function createIORedisConnection(config: RedisConfig): Redis {
+    return new IORedis(config.url, {
+        enableOfflineQueue: false,
+        maxRetriesPerRequest: null,
+    });
+}
+
+export class JobBase extends EventEmitter {
+    protected crypto: Crypto;
+    private readonly secret: string;
+
+    constructor(secret: string) {
+        super();
+        if (secret.length !== 32) {
+            throw new Error(
+                `secret must be a 32 char string, length: ${secret.length}`,
+            );
+        }
+        this.secret = secret;
+        this.initCrypto();
+    }
+
+    initCrypto() {
+        this.crypto = crypto;
+    }
+
+    disconnectBase() {
+        this.removeAllListeners();
+    }
+
+    /**
+     * @param job
+     * @private
+     */
+    protected decryptJobData(job: JobEncrypted): JobDataDecrypted {
+        return {
+            title: job.data.title,
+            msg: this.decryptActivityStream(job.data.msg) as ActivityStream,
+            sessionId: job.data.sessionId,
+        };
+    }
+
+    protected decryptActivityStream(msg: string): ActivityStream {
+        return this.crypto.decrypt(msg, this.secret);
+    }
+
+    protected encryptActivityStream(msg: ActivityStream): string {
+        return this.crypto.encrypt(msg, this.secret);
+    }
+}