@soyeht/soyeht 0.2.2 → 0.2.3

package/openclaw.plugin.json

@@ -5,7 +5,7 @@
   ],
   "name": "Soyeht",
   "description": "Channel plugin for the Soyeht Flutter mobile app",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soyeht/soyeht",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "OpenClaw channel plugin for the Soyeht Flutter mobile app",
   "type": "module",
   "main": "src/index.ts",

package/src/http.ts

@@ -1,10 +1,27 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
-import { normalizeAccountId } from "./config.js";
+import { normalizeAccountId, resolveSoyehtAccount } from "./config.js";
 import { decryptEnvelopeV2, validateEnvelopeV2, type EnvelopeV2 } from "./envelope-v2.js";
-import { cloneRatchetSession } from "./ratchet.js";
+import { cloneRatchetSession, zeroBuffer, type RatchetState } from "./ratchet.js";
 import type { SecurityV2Deps } from "./service.js";
 import { PLUGIN_VERSION } from "./version.js";
+import {
+  base64UrlDecode,
+  computeFingerprint,
+  generateX25519KeyPair,
+  importEd25519PublicKey,
+  importX25519PublicKey,
+  ed25519Verify,
+  isTimestampValid,
+} from "./crypto.js";
+import { buildPairingProofTranscript } from "./pairing.js";
+import {
+  buildHandshakeTranscript,
+  signHandshakeTranscript,
+  verifyHandshakeTranscript,
+  performX3DH,
+} from "./x3dh.js";
+import { savePeer, saveSession, deleteSession, type PeerIdentity } from "./identity.js";
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -341,6 +358,442 @@ export function sseHandler(
   };
 }
 
+// ---------------------------------------------------------------------------
+// Helpers for HTTP pairing
+// ---------------------------------------------------------------------------
+
+function isWellFormedNonce(nonce: string): boolean {
+  try {
+    const decoded = base64UrlDecode(nonce);
+    return decoded.length >= 16 && decoded.length <= 64;
+  } catch {
+    return false;
+  }
+}
+
+function clearAccountSessionState(v2deps: SecurityV2Deps, accountId: string): void {
+  const existing = v2deps.sessions.get(accountId);
+  if (existing) {
+    zeroBuffer(existing.rootKey);
+    zeroBuffer(existing.sending.chainKey);
+    zeroBuffer(existing.receiving.chainKey);
+    v2deps.sessions.delete(accountId);
+  }
+  for (const [key, pending] of v2deps.pendingHandshakes) {
+    if (pending.accountId === accountId) {
+      v2deps.pendingHandshakes.delete(key);
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// GET /soyeht/pairing/info?t=<pairingToken>
+// ---------------------------------------------------------------------------
+
+export function pairingInfoHandler(
+  _api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+) {
+  return async (req: IncomingMessage, res: ServerResponse) => {
+    if (req.method !== "GET") {
+      sendJson(res, 405, { ok: false, error: "method_not_allowed" });
+      return;
+    }
+
+    if (!v2deps.ready || !v2deps.identity) {
+      sendJson(res, 503, { ok: false, error: "service_unavailable" });
+      return;
+    }
+
+    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
+    const pairingToken = url.searchParams.get("t") ?? "";
+    if (!pairingToken) {
+      sendJson(res, 400, { ok: false, error: "missing_pairing_token" });
+      return;
+    }
+
+    const { allowed } = v2deps.rateLimiter.check(`pairing:info:${pairingToken}`);
+    if (!allowed) {
+      sendJson(res, 429, { ok: false, error: "rate_limited" });
+      return;
+    }
+
+    const session = v2deps.pairingSessions.get(pairingToken);
+    if (!session) {
+      sendJson(res, 404, { ok: false, error: "pairing_not_found" });
+      return;
+    }
+
+    if (session.expiresAt <= Date.now()) {
+      sendJson(res, 410, { ok: false, error: "pairing_expired" });
+      return;
+    }
+
+    sendJson(res, 200, {
+      ok: true,
+      accountId: session.accountId,
+      pluginIdentityKey: v2deps.identity.signKey.publicKeyB64,
+      pluginDhKey: v2deps.identity.dhKey.publicKeyB64,
+      fingerprint: computeFingerprint(v2deps.identity),
+      expiresAt: session.expiresAt,
+      allowOverwrite: session.allowOverwrite,
+    });
+  };
+}
+
+// ---------------------------------------------------------------------------
+// POST /soyeht/pairing/pair — register peer + start handshake in one step
+// ---------------------------------------------------------------------------
+
+const PAIRING_HANDSHAKE_TOLERANCE_MS = 120_000; // 2 minutes for HTTP round-trip
+
+export function pairingPairHandler(
+  api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+) {
+  return async (req: IncomingMessage, res: ServerResponse) => {
+    if (req.method !== "POST") {
+      sendJson(res, 405, { ok: false, error: "method_not_allowed" });
+      return;
+    }
+
+    if (!v2deps.ready || !v2deps.identity) {
+      sendJson(res, 503, { ok: false, error: "service_unavailable" });
+      return;
+    }
+
+    let body: Record<string, unknown>;
+    try {
+      const raw = await readRawBodyBuffer(req);
+      body = JSON.parse(raw.toString("utf8"));
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_json" });
+      return;
+    }
+
+    const pairingToken = body["pairingToken"] as string | undefined;
+    const accountId = normalizeAccountId(body["accountId"] as string | undefined);
+    const appIdentityKey = body["appIdentityKey"] as string | undefined;
+    const appDhKey = body["appDhKey"] as string | undefined;
+    const appSignature = body["appSignature"] as string | undefined;
+    const appEphemeralKey = body["appEphemeralKey"] as string | undefined;
+    const nonce = body["nonce"] as string | undefined;
+    const timestamp = body["timestamp"] as number | undefined;
+
+    if (!pairingToken || !appIdentityKey || !appDhKey || !appSignature ||
+        !appEphemeralKey || !nonce || typeof timestamp !== "number") {
+      sendJson(res, 400, { ok: false, error: "missing_params" });
+      return;
+    }
+
+    const { allowed } = v2deps.rateLimiter.check(`pairing:pair:${accountId}`);
+    if (!allowed) {
+      sendJson(res, 429, { ok: false, error: "rate_limited" });
+      return;
+    }
+
+    // --- Validate pairing session ---
+
+    const pairingSession = v2deps.pairingSessions.get(pairingToken);
+    if (!pairingSession) {
+      sendJson(res, 404, { ok: false, error: "pairing_not_found" });
+      return;
+    }
+
+    if (pairingSession.expiresAt <= Date.now()) {
+      v2deps.pairingSessions.delete(pairingToken);
+      sendJson(res, 410, { ok: false, error: "pairing_expired" });
+      return;
+    }
+
+    if (pairingSession.accountId !== accountId) {
+      sendJson(res, 403, { ok: false, error: "account_mismatch" });
+      return;
+    }
+
+    // --- Validate keys ---
+
+    let appIdentityPub;
+    try {
+      appIdentityPub = importEd25519PublicKey(appIdentityKey);
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_identity_key" });
+      return;
+    }
+
+    try {
+      importX25519PublicKey(appDhKey);
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_dh_key" });
+      return;
+    }
+
+    try {
+      importX25519PublicKey(appEphemeralKey);
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_ephemeral_key" });
+      return;
+    }
+
+    // --- Verify pairing signature ---
+
+    const proofTranscript = buildPairingProofTranscript({
+      accountId,
+      pairingToken,
+      expiresAt: pairingSession.expiresAt,
+      appIdentityKey,
+      appDhKey,
+    });
+    if (!ed25519Verify(appIdentityPub, proofTranscript, base64UrlDecode(appSignature))) {
+      sendJson(res, 403, { ok: false, error: "invalid_signature" });
+      return;
+    }
+
+    // --- Validate nonce + timestamp ---
+
+    if (!isWellFormedNonce(nonce)) {
+      sendJson(res, 400, { ok: false, error: "invalid_nonce" });
+      return;
+    }
+
+    if (!isTimestampValid(timestamp, PAIRING_HANDSHAKE_TOLERANCE_MS)) {
+      sendJson(res, 400, { ok: false, error: "timestamp_out_of_range" });
+      return;
+    }
+
+    if (!v2deps.nonceCache.add(`pairing:http:${accountId}:${nonce}`)) {
+      sendJson(res, 409, { ok: false, error: "nonce_reused" });
+      return;
+    }
+
+    // --- Check existing peer ---
+
+    if (v2deps.peers.has(accountId) && !pairingSession.allowOverwrite) {
+      sendJson(res, 409, { ok: false, error: "peer_already_paired" });
+      return;
+    }
+
+    // --- Register peer (clear old state first) ---
+
+    clearAccountSessionState(v2deps, accountId);
+    if (v2deps.stateDir) {
+      await deleteSession(v2deps.stateDir, accountId).catch(() => {});
+    }
+
+    const peer: PeerIdentity = {
+      accountId,
+      identityKeyB64: appIdentityKey,
+      dhKeyB64: appDhKey,
+    };
+    v2deps.peers.set(accountId, peer);
+    v2deps.pairingSessions.delete(pairingToken);
+
+    if (v2deps.stateDir) {
+      await savePeer(v2deps.stateDir, peer).catch(() => {});
+    }
+
+    // --- Start handshake ---
+
+    const cfg = await api.runtime.config.loadConfig();
+    const account = resolveSoyehtAccount(cfg, accountId);
+    const now = Date.now();
+    const challengeExpiresAt = now + PAIRING_HANDSHAKE_TOLERANCE_MS;
+    const sessionExpiresAt = now + account.security.sessionMaxAgeMs;
+    const pluginEphemeralKey = generateX25519KeyPair();
+
+    const transcript = buildHandshakeTranscript({
+      accountId,
+      appEphKeyB64: appEphemeralKey,
+      pluginEphKeyB64: pluginEphemeralKey.publicKeyB64,
+      nonce,
+      timestamp,
+      expiresAt: sessionExpiresAt,
+    });
+    const pluginSignature = signHandshakeTranscript(
+      v2deps.identity.signKey.privateKey,
+      transcript,
+    );
+
+    const pendingKey = `${accountId}:${nonce}`;
+    v2deps.pendingHandshakes.set(pendingKey, {
+      key: pendingKey,
+      accountId,
+      nonce,
+      appEphemeralKey,
+      pluginEphemeralKey,
+      transcript,
+      challengeExpiresAt,
+      sessionExpiresAt,
+    });
+
+    api.logger.info("[soyeht] HTTP pairing + handshake init completed", { accountId });
+
+    sendJson(res, 200, {
+      ok: true,
+      accountId,
+      pluginIdentityKey: v2deps.identity.signKey.publicKeyB64,
+      pluginDhKey: v2deps.identity.dhKey.publicKeyB64,
+      fingerprint: computeFingerprint(v2deps.identity),
+      pluginEphemeralKey: pluginEphemeralKey.publicKeyB64,
+      pluginSignature,
+      nonce,
+      timestamp,
+      serverTimestamp: now,
+      challengeExpiresAt,
+      sessionExpiresAt,
+    });
+  };
+}
+
+// ---------------------------------------------------------------------------
+// POST /soyeht/pairing/finish — complete handshake, derive session, return streamToken
+// ---------------------------------------------------------------------------
+
+export function pairingFinishHandler(
+  api: OpenClawPluginApi,
+  v2deps: SecurityV2Deps,
+) {
+  return async (req: IncomingMessage, res: ServerResponse) => {
+    if (req.method !== "POST") {
+      sendJson(res, 405, { ok: false, error: "method_not_allowed" });
+      return;
+    }
+
+    if (!v2deps.ready || !v2deps.identity) {
+      sendJson(res, 503, { ok: false, error: "service_unavailable" });
+      return;
+    }
+
+    let body: Record<string, unknown>;
+    try {
+      const raw = await readRawBodyBuffer(req);
+      body = JSON.parse(raw.toString("utf8"));
+    } catch {
+      sendJson(res, 400, { ok: false, error: "invalid_json" });
+      return;
+    }
+
+    const accountId = normalizeAccountId(body["accountId"] as string | undefined);
+    const nonce = body["nonce"] as string | undefined;
+    const appSignature = body["appSignature"] as string | undefined;
+
+    if (!nonce || !appSignature) {
+      sendJson(res, 400, { ok: false, error: "missing_params" });
+      return;
+    }
+
+    const { allowed } = v2deps.rateLimiter.check(`pairing:finish:${accountId}`);
+    if (!allowed) {
+      sendJson(res, 429, { ok: false, error: "rate_limited" });
+      return;
+    }
+
+    const pendingKey = `${accountId}:${nonce}`;
+    const pending = v2deps.pendingHandshakes.get(pendingKey);
+    if (!pending) {
+      sendJson(res, 404, { ok: false, error: "handshake_not_found" });
+      return;
+    }
+
+    if (pending.challengeExpiresAt <= Date.now()) {
+      v2deps.pendingHandshakes.delete(pendingKey);
+      sendJson(res, 410, { ok: false, error: "handshake_expired" });
+      return;
+    }
+
+    const peer = v2deps.peers.get(accountId);
+    if (!peer) {
+      sendJson(res, 404, { ok: false, error: "peer_not_found" });
+      return;
+    }
+
+    let appIdentityPub;
+    try {
+      appIdentityPub = importEd25519PublicKey(peer.identityKeyB64);
+    } catch {
+      sendJson(res, 500, { ok: false, error: "invalid_peer_key" });
+      return;
+    }
+
+    if (!verifyHandshakeTranscript(appIdentityPub, pending.transcript, appSignature)) {
+      sendJson(res, 403, { ok: false, error: "invalid_signature" });
+      return;
+    }
+
+    let appEphemeralPub;
+    try {
+      appEphemeralPub = importX25519PublicKey(pending.appEphemeralKey);
+    } catch {
+      v2deps.pendingHandshakes.delete(pendingKey);
+      sendJson(res, 500, { ok: false, error: "invalid_ephemeral_key" });
+      return;
+    }
+
+    let peerStaticDhPub;
+    try {
+      peerStaticDhPub = importX25519PublicKey(peer.dhKeyB64);
+    } catch {
+      sendJson(res, 500, { ok: false, error: "invalid_peer_dh_key" });
+      return;
+    }
+
+    const x3dhResult = await performX3DH({
+      myStaticDhKey: v2deps.identity.dhKey,
+      myEphemeralKey: pending.pluginEphemeralKey,
+      peerStaticDhPub,
+      peerEphemeralPub: appEphemeralPub,
+      nonce,
+    });
+
+    // Clear any existing session for this account
+    const existingSession = v2deps.sessions.get(accountId);
+    if (existingSession) {
+      zeroBuffer(existingSession.rootKey);
+      zeroBuffer(existingSession.sending.chainKey);
+      zeroBuffer(existingSession.receiving.chainKey);
+      v2deps.sessions.delete(accountId);
+    }
+
+    const session: RatchetState = {
+      accountId,
+      rootKey: x3dhResult.rootKey,
+      sending: { chainKey: x3dhResult.sendChainKey, counter: 0 },
+      receiving: { chainKey: x3dhResult.recvChainKey, counter: 0 },
+      myCurrentEphDhKey: pending.pluginEphemeralKey,
+      peerLastEphDhKeyB64: pending.appEphemeralKey,
+      dhRatchetSendCount: 0,
+      dhRatchetRecvCount: 0,
+      createdAt: Date.now(),
+      expiresAt: pending.sessionExpiresAt,
+    };
+
+    v2deps.sessions.set(accountId, session);
+    v2deps.pendingHandshakes.delete(pendingKey);
+
+    if (v2deps.stateDir) {
+      await saveSession(v2deps.stateDir, session).catch((err) => {
+        api.logger.error("[soyeht] Failed to persist session", { accountId, err });
+      });
+    }
+
+    // Issue stream token for SSE auth
+    v2deps.outboundQueue.revokeStreamTokensForAccount(accountId);
+    const streamToken = v2deps.outboundQueue.createStreamToken(
+      accountId,
+      pending.sessionExpiresAt,
+    );
+
+    api.logger.info("[soyeht] HTTP pairing handshake completed", { accountId });
+
+    sendJson(res, 200, {
+      ok: true,
+      complete: true,
+      sessionExpiresAt: pending.sessionExpiresAt,
+      streamToken,
+    });
+  };
+}
+
 // ---------------------------------------------------------------------------
 // POST /soyeht/livekit/token — stub
 // ---------------------------------------------------------------------------

package/src/index.ts

@@ -15,6 +15,9 @@ import {
   livekitTokenHandler,
   inboundHandler,
   sseHandler,
+  pairingInfoHandler,
+  pairingPairHandler,
+  pairingFinishHandler,
 } from "./http.js";
 import {
   createSoyehtService,
@@ -127,6 +130,23 @@ const soyehtPlugin: OpenClawPluginDefinition = {
       handler: sseHandler(api, v2deps),
     });
 
+    // HTTP pairing routes (app pairs via HTTP, no WebSocket needed)
+    api.registerHttpRoute({
+      path: "/soyeht/pairing/info",
+      auth: "plugin",
+      handler: pairingInfoHandler(api, v2deps),
+    });
+    api.registerHttpRoute({
+      path: "/soyeht/pairing/pair",
+      auth: "plugin",
+      handler: pairingPairHandler(api, v2deps),
+    });
+    api.registerHttpRoute({
+      path: "/soyeht/pairing/finish",
+      auth: "plugin",
+      handler: pairingFinishHandler(api, v2deps),
+    });
+
     // Background service (manages state lifecycle)
     api.registerService(createSoyehtService(api, v2deps));
 

package/src/service.ts

@@ -15,6 +15,7 @@ import type { IdentityBundle, PeerIdentity } from "./identity.js";
 import type { RatchetState } from "./ratchet.js";
 import { createOutboundQueue, type OutboundQueue } from "./outbound-queue.js";
 import { renderQrTerminal } from "./qr.js";
+import { resolveSoyehtAccount } from "./config.js";
 
 const HEARTBEAT_INTERVAL_MS = 60_000; // 60s
 
@@ -90,14 +91,10 @@ async function showPairingQr(api: OpenClawPluginApi, v2deps: SecurityV2Deps): Pr
   const expiresAt = Date.now() + AUTO_PAIRING_TTL_MS;
   const fingerprint = computeFingerprint(identity);
 
-  // Resolve gatewayUrl from config or runtime
-  let gatewayUrl = "";
-  const runtime = api.runtime as Record<string, unknown>;
-  if (typeof runtime["gatewayUrl"] === "string" && runtime["gatewayUrl"]) {
-    gatewayUrl = runtime["gatewayUrl"];
-  } else if (typeof runtime["baseUrl"] === "string" && runtime["baseUrl"]) {
-    gatewayUrl = runtime["baseUrl"];
-  }
+  // Resolve gatewayUrl from config
+  const cfg = await api.runtime.config.loadConfig();
+  const account = resolveSoyehtAccount(cfg, accountId);
+  const gatewayUrl = account.gatewayUrl;
 
   v2deps.pairingSessions.set(pairingToken, {
     token: pairingToken,

package/src/version.ts

@@ -1 +1 @@
-export const PLUGIN_VERSION = "0.2.2";
+export const PLUGIN_VERSION = "0.2.3";