@storacha/encrypt-upload-client 1.1.65 → 1.1.66

package/dist/examples/decrypt-test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=decrypt-test.d.ts.map

package/dist/examples/decrypt-test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt-test.d.ts","sourceRoot":"","sources":["../../examples/decrypt-test.js"],"names":[],"mappings":""}

package/dist/examples/decrypt-test.js

@@ -0,0 +1,73 @@
+import * as fs from 'fs';
+import dotenv from 'dotenv';
+import { CID } from 'multiformats';
+import * as Client from '@storacha/client';
+import * as Signer from '@ucanto/principal/ed25519';
+import { StoreMemory } from '@storacha/client/stores/memory';
+import { create } from '../src/index.js';
+import { Wallet } from 'ethers';
+import { serviceConf, receiptsEndpoint } from '../src/config/service.js';
+import { createNodeLitAdapter } from '../src/crypto/factories.node.js';
+import { LitNodeClient } from '@lit-protocol/lit-node-client';
+import { extract } from '@ucanto/core/delegation';
+dotenv.config();
+async function main() {
+    // set up storacha client with a new agent
+    const cid = CID.parse('bafyreifhwqmspdjsy6rgcmcizgodv7bwskgiehjhdx7wukax3z5r7tz5ji');
+    const delegationCarBuffer = fs.readFileSync('delegation.car');
+    const wallet = new Wallet(process.env.WALLET_PK || '');
+    const principal = Signer.parse(process.env.DELEGATEE_AGENT_PK || '');
+    const store = new StoreMemory();
+    const client = await Client.create({
+        principal,
+        store,
+        serviceConf,
+        receiptsEndpoint,
+    });
+    // Set up Lit client
+    const litClient = new LitNodeClient({
+        litNetwork: 'datil-dev',
+    });
+    await litClient.connect();
+    const encryptedClient = await create({
+        storachaClient: client,
+        cryptoAdapter: createNodeLitAdapter(litClient),
+    });
+    const res = await extract(delegationCarBuffer);
+    if (res.error) {
+        throw new Error(`Failed to extract delegation: ${res.error.message}`);
+    }
+    const decryptDelegation = res.ok;
+    const decryptionCapability = decryptDelegation.capabilities.find((c) => c.can === 'space/content/decrypt');
+    if (!decryptionCapability) {
+        throw new Error('Failed to find decryption capability');
+    }
+    const spaceDID = /** @type {`did:key:${string}`} */ (decryptionCapability.with);
+    const decryptionConfig = {
+        wallet,
+        decryptDelegation,
+        spaceDID,
+    };
+    const decryptedContent = await encryptedClient.retrieveAndDecryptFile(cid, decryptionConfig);
+    const reader = decryptedContent.stream.getReader();
+    const decoder = new TextDecoder();
+    let result = '';
+    let done = false;
+    while (!done) {
+        const { value, done: isDone } = await reader.read();
+        done = isDone;
+        if (value) {
+            result += decoder.decode(value, { stream: true });
+        }
+    }
+    console.log('================ RESULT ===================');
+    console.log(result);
+    console.log('===========================================');
+}
+main()
+    .then(() => process.exit(0))
+    .catch((err) => {
+    console.error(err);
+    process.exit(1);
+});
+//# sourceMappingURL=decrypt-test.js.map

package/dist/examples/encrypt-test.d.ts

@@ -0,0 +1,4 @@
+/** @param {string} data Base64 encoded CAR file */
+export function parseProof(data: string): Promise<Signer.Delegation<Signer.Signer.Capabilities>>;
+import * as Signer from '@ucanto/principal/ed25519';
+//# sourceMappingURL=encrypt-test.d.ts.map

package/dist/examples/encrypt-test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt-test.d.ts","sourceRoot":"","sources":["../../examples/encrypt-test.js"],"names":[],"mappings":"AAeA,mDAAmD;AACnD,iCADY,MAAM,0DAQjB;wBAlBuB,2BAA2B"}

package/dist/examples/encrypt-test.js

@@ -0,0 +1,61 @@
+import * as fs from 'fs';
+import dotenv from 'dotenv';
+import { CarReader } from '@ipld/car';
+import * as Client from '@storacha/client';
+import { importDAG } from '@ucanto/core/delegation';
+import * as Signer from '@ucanto/principal/ed25519';
+import { StoreMemory } from '@storacha/client/stores/memory';
+import * as EncryptClient from '../src/index.js';
+import { serviceConf, receiptsEndpoint } from '../src/config/service.js';
+import { createNodeLitAdapter } from '../src/crypto/factories.node.js';
+import { LitNodeClient } from '@lit-protocol/lit-node-client';
+dotenv.config();
+/** @param {string} data Base64 encoded CAR file */
+export async function parseProof(data) {
+    const blocks = [];
+    const reader = await CarReader.fromBytes(Buffer.from(data, 'base64'));
+    for await (const block of reader.blocks()) {
+        blocks.push(block);
+    }
+    return importDAG(blocks);
+}
+async function main() {
+    // set up storacha client with a new agent
+    const principal = Signer.parse(process.env.AGENT_PK || '');
+    const store = new StoreMemory();
+    const client = await Client.create({
+        principal,
+        store,
+        serviceConf,
+        receiptsEndpoint,
+    });
+    // now give Agent the delegation from the Space
+    const proof = await parseProof(process.env.PROOF || '');
+    const space = await client.addSpace(proof);
+    await client.setCurrentSpace(space.did());
+    // Set up Lit client
+    const litClient = new LitNodeClient({
+        litNetwork: 'datil-dev',
+    });
+    await litClient.connect();
+    const encryptedClient = await EncryptClient.create({
+        storachaClient: client,
+        cryptoAdapter: createNodeLitAdapter(litClient),
+    });
+    const fileContent = await fs.promises.readFile('./README.md');
+    const blob = new Blob([fileContent]);
+    // Create encryption config
+    const encryptionConfig = {
+        issuer: principal,
+        spaceDID: space.did(),
+    };
+    const link = await encryptedClient.encryptAndUploadFile(blob, encryptionConfig);
+    console.log(link);
+}
+main()
+    .then(() => process.exit(0))
+    .catch((err) => {
+    console.error(err);
+    process.exit(1);
+});
+//# sourceMappingURL=encrypt-test.js.map

package/dist/test/fixtures/test-fixtures.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Generate mock RSA key pair for testing that works with Web Crypto API
+ */
+export function generateMockRSAKeyPair(): Promise<{
+    keyPair: CryptoKeyPair;
+    publicKeyPem: string;
+}>;
+/**
+ * Helper to create test fixtures
+ */
+export function createTestFixtures(): Promise<{
+    keyManagerServiceDID: ed25519.EdSigner;
+    spaceDID: `did:key:${string}`;
+    spaceSigner: ed25519.EdSigner;
+    issuer: ed25519.EdSigner;
+    keyPair: CryptoKeyPair;
+    publicKeyPem: string;
+    delegationProof: Server.API.Delegation<[{
+        with: `did:key:${string}`;
+        can: "space/encryption/setup";
+    }, {
+        with: `did:key:${string}`;
+        can: "space/encryption/key/decrypt";
+    }]>;
+}>;
+import { ed25519 } from '@ucanto/principal';
+import * as Server from '@ucanto/server';
+//# sourceMappingURL=test-fixtures.d.ts.map

package/dist/test/fixtures/test-fixtures.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-fixtures.d.ts","sourceRoot":"","sources":["../../../test/fixtures/test-fixtures.js"],"names":[],"mappings":"AAGA;;GAEG;AACH;;;GA+BC;AAED;;GAEG;AACH;;;;;;;;;;;;;;GAqCC;wBA9EuB,mBAAmB;wBADnB,gBAAgB"}

package/dist/test/fixtures/test-fixtures.js

@@ -0,0 +1,63 @@
+import * as Server from '@ucanto/server';
+import { ed25519 } from '@ucanto/principal';
+/**
+ * Generate mock RSA key pair for testing that works with Web Crypto API
+ */
+export async function generateMockRSAKeyPair() {
+    // Generate key pair using Web Crypto API first
+    const keyPair = await globalThis.crypto.subtle.generateKey({
+        name: 'RSA-OAEP',
+        modulusLength: 2048,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        hash: 'SHA-256',
+    }, true, ['encrypt', 'decrypt']);
+    // Export public key to SPKI format (this will work with our adapter)
+    const publicKeyBuffer = await globalThis.crypto.subtle.exportKey('spki', keyPair.publicKey);
+    // Convert to proper PEM format using standard base64 (not multibase)
+    const base64String = Buffer.from(publicKeyBuffer).toString('base64');
+    // Format as proper PEM with line breaks every 64 characters like real KMS
+    const formattedBase64 = base64String.match(/.{1,64}/g)?.join('\n') || base64String;
+    const publicKeyPem = `-----BEGIN PUBLIC KEY-----\n${formattedBase64}\n-----END PUBLIC KEY-----`;
+    return {
+        keyPair,
+        publicKeyPem,
+    };
+}
+/**
+ * Helper to create test fixtures
+ */
+export async function createTestFixtures() {
+    // Create mock key manager service DID
+    const keyManagerServiceDID = await ed25519.generate();
+    // Create mock space DID - this will be the issuer
+    const spaceSigner = await ed25519.generate();
+    const spaceDID = spaceSigner.did();
+    // Generate mock RSA key pair
+    const { keyPair, publicKeyPem } = await generateMockRSAKeyPair();
+    // Create mock delegation proof - space delegates to itself (self-issued)
+    const delegationProof = await Server.delegate({
+        issuer: spaceSigner,
+        audience: spaceSigner, // Self-delegation for testing
+        capabilities: [
+            {
+                with: spaceDID,
+                can: 'space/encryption/setup',
+            },
+            {
+                with: spaceDID,
+                can: 'space/encryption/key/decrypt',
+            },
+        ],
+        expiration: Infinity,
+    });
+    return {
+        keyManagerServiceDID,
+        spaceDID,
+        spaceSigner,
+        issuer: spaceSigner, // Use space signer as issuer
+        keyPair,
+        publicKeyPem,
+        delegationProof,
+    };
+}
+//# sourceMappingURL=test-fixtures.js.map

package/dist/test/https-enforcement.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=https-enforcement.spec.d.ts.map

package/dist/test/https-enforcement.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"https-enforcement.spec.d.ts","sourceRoot":"","sources":["../../test/https-enforcement.spec.js"],"names":[],"mappings":""}

package/dist/test/https-enforcement.spec.js

@@ -0,0 +1,125 @@
+import assert from 'node:assert';
+import { describe, test } from 'node:test';
+import { KMSCryptoAdapter } from '../src/crypto/adapters/kms-crypto-adapter.js';
+import { GenericAesCtrStreamingCrypto } from '../src/crypto/symmetric/generic-aes-ctr-streaming-crypto.js';
+await describe('HTTPS Enforcement', async () => {
+    await describe('KMSCryptoAdapter Constructor', async () => {
+        await test('should accept valid HTTPS URL as string', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            // Should not throw
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://private.storacha.link', 'did:web:private.storacha.link');
+            assert(adapter instanceof KMSCryptoAdapter, 'Should create adapter successfully');
+            assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'https:', 'Should store HTTPS protocol');
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), 'https://private.storacha.link/', 'Should store correct URL');
+        });
+        await test('should accept valid HTTPS URL object', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const httpsURL = new URL('https://example.com:8443/path');
+            // Should not throw
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, httpsURL, 'did:web:example.com');
+            assert(adapter instanceof KMSCryptoAdapter, 'Should create adapter successfully');
+            assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'https:', 'Should store HTTPS protocol');
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), 'https://example.com:8443/path', 'Should preserve URL structure');
+        });
+        await test('should reject HTTP URL string', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, 'http://insecure.example.com', 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP protocol');
+        });
+        await test('should reject HTTP URL object', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const httpURL = new URL('http://insecure.example.com');
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, httpURL, 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP URL object');
+        });
+        await test('should reject other protocols', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const protocolTestCases = [
+                'ftp://example.com',
+                'ws://example.com',
+                'file://example.com',
+                'data:text/plain;base64,SGVsbG8=',
+            ];
+            for (const testURL of protocolTestCases) {
+                assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, testURL, 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, `Should reject protocol: ${testURL}`);
+            }
+        });
+        await test('should provide helpful error message', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            try {
+                new KMSCryptoAdapter(symmetricCrypto, 'http://example.com', 'did:web:example.com');
+                assert.fail('Should have thrown an error');
+            }
+            catch (error) {
+                assert(error instanceof Error, 'Should throw Error instance');
+                assert(error.message.includes('Key manager service must use HTTPS protocol'), 'Should include main error message');
+                assert(error.message.includes('Received: http:'), 'Should include received protocol');
+                assert(error.message.includes('https://your-key-manager-service.com'), 'Should include example of correct format');
+            }
+        });
+        await test('should handle localhost development URLs correctly', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            // Even localhost should require HTTPS for consistency
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, 'http://localhost:3000', 'did:web:localhost'), /Key manager service must use HTTPS protocol for security/, 'Should reject HTTP even for localhost');
+            // But HTTPS localhost should work
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://localhost:3000', 'did:web:localhost');
+            assert(adapter instanceof KMSCryptoAdapter, 'Should accept HTTPS localhost');
+        });
+        await test('should handle invalid URL strings gracefully', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, 'not-a-valid-url', 'did:web:example.com'), /Invalid URL/, 'Should throw URL parsing error for invalid URLs');
+        });
+        await test('should preserve all adapter functionality after HTTPS validation', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'https://private.storacha.link', 'did:web:private.storacha.link');
+            // Verify all expected methods exist
+            assert.strictEqual(typeof adapter.encryptStream, 'function', 'Should have encryptStream method');
+            assert.strictEqual(typeof adapter.decryptStream, 'function', 'Should have decryptStream method');
+            assert.strictEqual(typeof adapter.encryptSymmetricKey, 'function', 'Should have encryptSymmetricKey method');
+            assert.strictEqual(typeof adapter.decryptSymmetricKey, 'function', 'Should have decryptSymmetricKey method');
+            assert.strictEqual(typeof adapter.extractEncryptedMetadata, 'function', 'Should have extractEncryptedMetadata method');
+            assert.strictEqual(typeof adapter.getEncryptedKey, 'function', 'Should have getEncryptedKey method');
+            assert.strictEqual(typeof adapter.encodeMetadata, 'function', 'Should have encodeMetadata method');
+            // Verify adapter properties are set correctly
+            assert(adapter.symmetricCrypto === symmetricCrypto, 'Should store symmetric crypto reference');
+            assert.strictEqual(adapter.keyManagerServiceDID.did(), 'did:web:private.storacha.link', 'Should store gateway DID');
+        });
+    });
+    await describe('Secure by Default Principle', async () => {
+        await test('should demonstrate secure by default - HTTPS is automatically used', async () => {
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            // All of these should work without any special configuration
+            const validHttpsUrls = [
+                'https://gateway.example.com',
+                'https://localhost:8080',
+                'https://192.168.1.100:3000',
+                'https://api.storacha.network:443/v1',
+            ];
+            for (const url of validHttpsUrls) {
+                const adapter = new KMSCryptoAdapter(symmetricCrypto, url, 'did:web:example.com');
+                assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'https:', `Should store HTTPS protocol for URL: ${url}`);
+            }
+        });
+        await test('should require explicit insecure configuration to bypass HTTPS', async () => {
+            // This demonstrates that HTTP is never accidentally allowed
+            // If someone really needs HTTP (like for testing), they would need to
+            // modify our security validation code intentionally
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const httpUrls = [
+                'http://example.com',
+                'http://localhost:3000',
+                'http://192.168.1.100:8080',
+            ];
+            for (const url of httpUrls) {
+                assert.throws(() => new KMSCryptoAdapter(symmetricCrypto, url, 'did:web:example.com'), /Key manager service must use HTTPS protocol for security/, `Should reject HTTP URL: ${url}`);
+            }
+        });
+        await test('should allow HTTP for testing when explicitly enabled', async () => {
+            // This demonstrates the testing escape hatch
+            const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+            const adapter = new KMSCryptoAdapter(symmetricCrypto, 'http://localhost:8080', 'did:web:localhost', { allowInsecureHttp: true } // Explicit testing option
+            );
+            assert.strictEqual(adapter.keyManagerServiceURL.protocol, 'http:', 'Should allow HTTP when explicitly enabled for testing');
+            assert.strictEqual(adapter.keyManagerServiceURL.toString(), 'http://localhost:8080/', 'Should preserve HTTP URL when testing option is enabled');
+        });
+    });
+});
+//# sourceMappingURL=https-enforcement.spec.js.map

package/dist/test/kms-crypto-adapter.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=kms-crypto-adapter.spec.d.ts.map

package/dist/test/kms-crypto-adapter.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-crypto-adapter.spec.d.ts","sourceRoot":"","sources":["../../test/kms-crypto-adapter.spec.js"],"names":[],"mappings":""}