@storacha/encrypt-upload-client 1.1.70 → 1.1.71

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@storacha/encrypt-upload-client",
   "type": "module",
-  "version": "1.1.70",
+  "version": "1.1.71",
   "license": "Apache-2.0 OR MIT",
   "description": "Client for upload and download encrypted files",
   "author": "Storacha",
@@ -82,9 +82,9 @@
     "p-queue": "^9.0.1",
     "p-retry": "^5.1.2",
     "viem": "^2.39.0",
-    "@storacha/capabilities": "^2.0.0",
-    "@storacha/client": "^2.0.0",
-    "@storacha/upload-client": "^1.3.7"
+    "@storacha/capabilities": "^2.1.0",
+    "@storacha/client": "^2.0.1",
+    "@storacha/upload-client": "^1.3.8"
   },
   "devDependencies": {
     "@lit-protocol/schemas": "^8.0.2",

package/dist/examples/decrypt-test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=decrypt-test.d.ts.map

package/dist/examples/decrypt-test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"decrypt-test.d.ts","sourceRoot":"","sources":["../../examples/decrypt-test.js"],"names":[],"mappings":""}

package/dist/examples/decrypt-test.js

@@ -1,102 +0,0 @@
-process.env.LOG_LEVEL = 'info';
-import * as fs from 'fs';
-import dotenv from 'dotenv';
-import { CID } from 'multiformats';
-import * as Client from '@storacha/client';
-import * as Signer from '@ucanto/principal/ed25519';
-import { StoreMemory } from '@storacha/client/stores/memory';
-import { nagaTest } from '@lit-protocol/networks';
-import { createLitClient } from '@lit-protocol/lit-client';
-import { privateKeyToAccount } from 'viem/accounts';
-import { create } from '../src/index.js';
-import { serviceConf, receiptsEndpoint } from '../src/config/service.js';
-import { createGenericLitAdapter } from '../src/crypto/factories.node.js';
-import { extract } from '@ucanto/core/delegation';
-import { createAuthManager, storagePlugins } from '@lit-protocol/auth';
-dotenv.config();
-const WALLET_PK = /** @type {`0x${string}`}  */ (process.env.WALLET_PK) || '0x';
-const DELEGATEE_AGENT_PK = process.env.DELEGATEE_AGENT_PK || '';
-async function main() {
-    console.log('Starting encrypt-decrypt test example...');
-    // encrypted content CID
-    const cid = CID.parse('bafyreigmpvb4rhs6uod7qzxw65fxgruagg5x37swmf5p434cto36nlz7a4');
-    const delegationCarBuffer = fs.readFileSync('delegation.car');
-    const wallet = privateKeyToAccount(WALLET_PK);
-    const principal = Signer.parse(DELEGATEE_AGENT_PK);
-    const store = new StoreMemory();
-    const client = await Client.create({
-        principal,
-        store,
-        serviceConf,
-        receiptsEndpoint,
-    });
-    // Set up Lit client
-    const litClient = await createLitClient({
-        network: nagaTest,
-    });
-    const authManager = createAuthManager({
-        storage: storagePlugins.localStorageNode({
-            appName: 'my-app',
-            networkName: 'naga-local',
-            storagePath: './lit-auth-local',
-        }),
-    });
-    const encryptedClient = await create({
-        storachaClient: client,
-        cryptoAdapter: createGenericLitAdapter(litClient, authManager),
-    });
-    console.log('Extracting delegation from CAR file...');
-    const res = await extract(delegationCarBuffer);
-    if (res.error) {
-        throw new Error(`Failed to extract delegation: ${res.error.message}`);
-    }
-    const decryptDelegation = res.ok;
-    const decryptionCapability = decryptDelegation.capabilities.find((c) => c.can === 'space/content/decrypt');
-    if (!decryptionCapability) {
-        throw new Error('Failed to find decryption capability');
-    }
-    const spaceDID = /** @type {`did:key:${string}`} */ (decryptionCapability.with);
-    const paymentManager = await litClient.getPaymentManager({
-        account: wallet,
-    });
-    const balance = await paymentManager.getBalance({
-        userAddress: wallet.address,
-    });
-    console.log('Current Balance: ', balance.totalBalance);
-    /**
-     *  Uncomment to deposit funds from your wallet to the Lit Payment Manager contract so you can pay for Lit Actions
-     *  If you need testLPX tokens, please visit the faucet: https://chronicle-yellowstone-faucet.getlit.dev/
-     */
-    // const depositReceipt = await paymentManager.deposit({
-    //   amountInEth: '1',
-    // })
-    // console.log(`Deposit successful: ${depositReceipt.hash}`)
-    console.log('Retrieving and decrypting file...');
-    const decryptionConfig = {
-        wallet,
-        decryptDelegation,
-        spaceDID,
-    };
-    const decryptedContent = await encryptedClient.retrieveAndDecryptFile(cid, decryptionConfig);
-    const reader = decryptedContent.stream.getReader();
-    const decoder = new TextDecoder();
-    let result = '';
-    let done = false;
-    while (!done) {
-        const { value, done: isDone } = await reader.read();
-        done = isDone;
-        if (value) {
-            result += decoder.decode(value, { stream: true });
-        }
-    }
-    console.log('================ RESULT ===================');
-    console.log(result);
-    console.log('===========================================');
-}
-main()
-    .then(() => process.exit(0))
-    .catch((err) => {
-    console.error(err);
-    process.exit(1);
-});
-//# sourceMappingURL=decrypt-test.js.map

package/dist/examples/encrypt-test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=encrypt-test.d.ts.map

package/dist/examples/encrypt-test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"encrypt-test.d.ts","sourceRoot":"","sources":["../../examples/encrypt-test.js"],"names":[],"mappings":""}

package/dist/examples/encrypt-test.js

@@ -1,93 +0,0 @@
-import * as fs from 'fs';
-import dotenv from 'dotenv';
-import { DID } from '@ucanto/server';
-import * as Client from '@storacha/client';
-import * as Proof from '@storacha/client/proof';
-import * as Signer from '@ucanto/principal/ed25519';
-import { StoreMemory } from '@storacha/client/stores/memory';
-import { decrypt } from '@storacha/capabilities/space';
-import { nagaTest } from '@lit-protocol/networks';
-import { createLitClient } from '@lit-protocol/lit-client';
-import * as EncryptClient from '../src/index.js';
-import { serviceConf, receiptsEndpoint } from '../src/config/service.js';
-import { createGenericLitAdapter } from '../src/crypto/factories.node.js';
-// import { CID } from 'multiformats'
-import { createAuthManager, storagePlugins } from '@lit-protocol/auth';
-dotenv.config();
-const PROOF = process.env.PROOF || '';
-const AGENT_PK = process.env.AGENT_PK || '';
-const AUDIENCE_DID = process.env.AUDIENCE_DID || '';
-async function main() {
-    console.log('Starting encrypt-upload-client example...');
-    // set up storacha client with a new agent
-    const principal = Signer.parse(AGENT_PK);
-    console.log(`Using agent: ${principal.did()}`);
-    const store = new StoreMemory();
-    const client = await Client.create({
-        principal,
-        store,
-        serviceConf,
-        receiptsEndpoint,
-    });
-    // now give Agent the delegation from the Space
-    const proof = await Proof.parse(PROOF);
-    const space = await client.addSpace(proof);
-    await client.setCurrentSpace(space.did());
-    console.log(`Using space: ${space.did()}, creating lit client...`);
-    // Set up Lit client
-    const litClient = await createLitClient({
-        network: nagaTest,
-    });
-    const authManager = createAuthManager({
-        storage: storagePlugins.localStorageNode({
-            appName: 'my-app',
-            networkName: 'naga-local',
-            storagePath: './lit-auth-local',
-        }),
-    });
-    const encryptedClient = await EncryptClient.create({
-        storachaClient: client,
-        cryptoAdapter: createGenericLitAdapter(litClient, authManager),
-    });
-    const fileContent = await fs.promises.readFile('./README.md');
-    const blob = new Blob([Uint8Array.from(fileContent)]);
-    // Create encryption config
-    const encryptionConfig = {
-        issuer: principal,
-        spaceDID: space.did(),
-    };
-    console.log('Encrypting and uploading file...');
-    const link = await encryptedClient.encryptAndUploadFile(blob, encryptionConfig);
-    console.log('Finished uploading file:', link);
-    // If we already have a CID
-    // const link = CID.parse(
-    //   'bafyreid6euzw23b5puazg6epubzaxibim7fioavoe6xydffibbzju4feae'
-    // )
-    console.log('🔄 Creating decrypt delegation with:');
-    const delegationOptions = {
-        issuer: principal,
-        audience: DID.parse(AUDIENCE_DID),
-        with: space.did(),
-        nb: {
-            resource: link,
-        },
-        expiration: new Date(Date.now() + 1000 * 60 * 10).getTime(), // 10 min,
-        proofs: [proof],
-    };
-    console.log({
-        ...delegationOptions,
-        issuer: principal.did(),
-        audience: AUDIENCE_DID,
-    });
-    const delegation = await decrypt.delegate(delegationOptions);
-    const { ok: bytes } = await delegation.archive();
-    fs.writeFileSync('delegation.car', Buffer.from(/** @type Uint8Array<ArrayBufferLike>**/ (bytes)));
-    console.log(`✅ Delegation written to delegation.car`);
-}
-main()
-    .then(() => process.exit(0))
-    .catch((err) => {
-    console.error(err);
-    process.exit(1);
-});
-//# sourceMappingURL=encrypt-test.js.map

package/dist/test/cid-verification.spec.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=cid-verification.spec.d.ts.map

package/dist/test/cid-verification.spec.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cid-verification.spec.d.ts","sourceRoot":"","sources":["../../test/cid-verification.spec.js"],"names":[],"mappings":""}

package/dist/test/cid-verification.spec.js

@@ -1,314 +0,0 @@
-import assert from 'node:assert';
-import { describe, test } from 'node:test';
-import { getCarFileFromPublicGateway } from '../src/handlers/decrypt-handler.js';
-import { createTestCar } from './helpers/test-file-utils.js';
-await describe('CID Verification', async () => {
-    await describe('getCarFileFromPublicGateway', async () => {
-        await test('should construct correct gateway URL format', async () => {
-            // This is a basic test to verify the function exists and can be called
-            // Integration tests with real network calls would test full functionality
-            const gatewayURL = new URL('https://example.com');
-            const testCID = 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq';
-            // Mock fetch to avoid network calls in unit tests
-            const originalFetch = globalThis.fetch;
-            let capturedURL = '';
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => {
-                capturedURL = url.toString();
-                // Return a mock response that looks like a failed fetch
-                return {
-                    ok: false,
-                    status: 404,
-                    statusText: 'Not Found',
-                    arrayBuffer: async () => {
-                        throw new Error('Mock 404');
-                    },
-                };
-            };
-            try {
-                await getCarFileFromPublicGateway(gatewayURL, testCID);
-            }
-            catch (error) {
-                // We expect this to fail with our mock, that's fine
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-            // Verify the URL was constructed correctly
-            const expectedURL = `https://example.com/ipfs/${testCID}?format=car`;
-            assert.strictEqual(capturedURL, expectedURL, 'Should construct correct gateway URL');
-        });
-        await test('should be exported and callable', async () => {
-            // Basic smoke test
-            assert.strictEqual(typeof getCarFileFromPublicGateway, 'function', 'Should be a function');
-            // Verify it requires proper parameters
-            try {
-                // @ts-ignore - intentionally testing invalid input
-                await getCarFileFromPublicGateway(null, 'test');
-                assert.fail('Should throw error for null gateway URL');
-            }
-            catch (error) {
-                // Expected to fail - good
-                assert(error instanceof Error, 'Should throw an Error');
-            }
-        });
-        await test('should validate CID format', async () => {
-            const gatewayURL = new URL('https://example.com');
-            // Mock fetch to return valid CAR response
-            const originalFetch = globalThis.fetch;
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => ({
-                ok: true,
-                status: 200,
-                statusText: 'OK',
-                arrayBuffer: async () => new ArrayBuffer(100), // Mock CAR data
-            });
-            try {
-                await getCarFileFromPublicGateway(gatewayURL, 'invalid-cid');
-                assert.fail('Should throw error for invalid CID');
-            }
-            catch (error) {
-                // Expected to fail due to invalid CID format
-                assert(error instanceof Error, 'Should throw an Error for invalid CID');
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-        });
-        await test('should accept valid CAR file with matching root CID', async () => {
-            const gatewayURL = new URL('https://example.com');
-            // Create a valid KMS metadata CAR file
-            const testContent = {
-                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
-                encryptedSymmetricKey: 'test-encrypted-key',
-                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1',
-                kms: {
-                    provider: 'google-kms',
-                    keyId: 'test-key-id',
-                    algorithm: 'RSA-OAEP-2048-SHA256',
-                },
-            };
-            const { car, actualRootCID } = await createTestCar(testContent);
-            // Mock fetch to return the valid CAR
-            const originalFetch = globalThis.fetch;
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => ({
-                ok: true,
-                status: 200,
-                statusText: 'OK',
-                arrayBuffer: async () => car.buffer,
-            });
-            try {
-                const result = await getCarFileFromPublicGateway(gatewayURL, actualRootCID.toString());
-                assert(result instanceof Uint8Array, 'Should return Uint8Array');
-                assert.deepStrictEqual(result, car, 'Should return the exact CAR file');
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-        });
-        await test('should reject CAR file with wrong root CID (tampering detection)', async () => {
-            const gatewayURL = new URL('https://example.com');
-            // Create a CAR file with content A
-            const originalContent = {
-                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
-                encryptedSymmetricKey: 'original-encrypted-key',
-                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1',
-                kms: {
-                    provider: 'google-kms',
-                    keyId: 'original-key-id',
-                    algorithm: 'RSA-OAEP-2048-SHA256',
-                },
-            };
-            const { actualRootCID: originalCID } = await createTestCar(originalContent);
-            // Create a different CAR file with content B
-            const tamperedContent = {
-                encryptedDataCID: 'bafkreidb6v6sjfnpnf6lqkh7p4w7zfzqfuzn2lqhp5x6zkojfuzwzlhpny',
-                encryptedSymmetricKey: 'tampered-encrypted-key',
-                space: 'did:key:z6MkMaliciousSpaceDIDThatShouldNotBeAccepted',
-                kms: {
-                    provider: 'google-kms',
-                    keyId: 'tampered-key-id',
-                    algorithm: 'RSA-OAEP-2048-SHA256',
-                },
-            };
-            const { car: tamperedCar } = await createTestCar(tamperedContent);
-            // Mock fetch to return the tampered CAR when requesting the original CID
-            const originalFetch = globalThis.fetch;
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => ({
-                ok: true,
-                status: 200,
-                statusText: 'OK',
-                arrayBuffer: async () => tamperedCar.buffer, // Return wrong CAR!
-            });
-            try {
-                await getCarFileFromPublicGateway(gatewayURL, originalCID.toString());
-                assert.fail('Should throw error for CID verification failure');
-            }
-            catch (error) {
-                assert(error instanceof Error, 'Should throw an Error');
-                assert(error.message.includes('CID verification failed'), `Should mention CID verification failure. Got: ${error.message}`);
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-        });
-        await test('should detect when malicious gateway serves completely different CAR', async () => {
-            const gatewayURL = new URL('https://example.com');
-            // CID we're requesting
-            const requestedCID = 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq';
-            // Create a completely different CAR file
-            const maliciousContent = {
-                encryptedDataCID: 'bafkreig6h5fimhfvj3wmlsf4fzj2d2ndqxd7qnugcgcmkn6dcqzxcq5zdu',
-                encryptedSymmetricKey: 'malicious-encrypted-key',
-                space: 'did:key:z6MkMaliciousSpaceDIDControlledByAttacker',
-                kms: {
-                    provider: 'google-kms',
-                    keyId: 'attacker-controlled-key',
-                    algorithm: 'RSA-OAEP-2048-SHA256',
-                },
-            };
-            const { car: maliciousCar } = await createTestCar(maliciousContent);
-            // Mock fetch to return the malicious CAR
-            const originalFetch = globalThis.fetch;
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => ({
-                ok: true,
-                status: 200,
-                statusText: 'OK',
-                arrayBuffer: async () => maliciousCar.buffer,
-            });
-            try {
-                await getCarFileFromPublicGateway(gatewayURL, requestedCID);
-                assert.fail('Should throw error when gateway serves wrong CAR');
-            }
-            catch (error) {
-                assert(error instanceof Error, 'Should throw an Error');
-                assert(error.message.includes('CID verification failed'), `Should mention CID verification failure. Got: ${error.message}`);
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-        });
-        await test('should handle network errors gracefully', async () => {
-            const gatewayURL = new URL('https://example.com');
-            const testCID = 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq';
-            // Mock fetch to return network error
-            const originalFetch = globalThis.fetch;
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => ({
-                ok: false,
-                status: 500,
-                statusText: 'Internal Server Error',
-                arrayBuffer: async () => {
-                    throw new Error('Network error');
-                },
-            });
-            try {
-                await getCarFileFromPublicGateway(gatewayURL, testCID);
-                assert.fail('Should throw error for network errors');
-            }
-            catch (error) {
-                assert(error instanceof Error, 'Should throw an Error');
-                assert(error.message.includes('Failed to fetch'), `Should mention fetch failure. Got: ${error.message}`);
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-        });
-    });
-    await describe('Metadata Tampering Detection', async () => {
-        await test('should prevent modification of space DID in metadata', async () => {
-            const gatewayURL = new URL('https://example.com');
-            // Original metadata with legitimate space DID
-            const originalMetadata = {
-                encryptedDataCID: 'bafkreie2hvzhqzj3ixnmjh7h3nkhdyp6qxhqltkq6qxf3wxq7hqxd6nzde',
-                encryptedSymmetricKey: 'encrypted-key-data',
-                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1', // Original space
-                kms: {
-                    provider: 'google-kms',
-                    keyId: 'test-key-id',
-                    algorithm: 'RSA-OAEP-2048-SHA256',
-                },
-            };
-            // Tampered metadata with different space DID
-            const tamperedMetadata = {
-                ...originalMetadata,
-                space: 'did:key:z6MkMaliciousSpaceDIDThatShouldNotBeAccepted', // Malicious space!
-            };
-            // Create CAR files for both
-            const { actualRootCID: originalCID } = await createTestCar(originalMetadata);
-            const { car: tamperedCar } = await createTestCar(tamperedMetadata);
-            // Mock fetch to return tampered CAR when requesting original CID
-            const originalFetch = globalThis.fetch;
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => ({
-                ok: true,
-                status: 200,
-                statusText: 'OK',
-                arrayBuffer: async () => tamperedCar.buffer, // Returns tampered metadata!
-            });
-            try {
-                await getCarFileFromPublicGateway(gatewayURL, originalCID.toString());
-                assert.fail('Should detect space DID tampering via CID verification');
-            }
-            catch (error) {
-                assert(error instanceof Error, 'Should throw an Error');
-                assert(error.message.includes('CID verification failed'), `Should catch tampering via CID verification. Got: ${error.message}`);
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-        });
-        await test('should prevent complete metadata substitution attacks', async () => {
-            const gatewayURL = new URL('https://example.com');
-            // Original legitimate metadata
-            const originalMetadata = {
-                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
-                encryptedSymmetricKey: 'original-encrypted-key',
-                space: 'did:key:z6MkwDK3M4PxU1FqcSt6quBH1xRBSGnPRdQYP9B13h3Wq5X1',
-                kms: {
-                    provider: 'google-kms',
-                    keyId: 'legitimate-key-id',
-                    algorithm: 'RSA-OAEP-2048-SHA256',
-                },
-            };
-            // Completely different malicious metadata (using same CID but different content)
-            const maliciousMetadata = {
-                encryptedDataCID: 'bafkreih5aznjvttude6c3wbvqeebb6rlx5wkbzyppv7z3aldwdht2oqadq',
-                encryptedSymmetricKey: 'malicious-encrypted-key',
-                space: 'did:key:z6MkMaliciousSpaceDIDControlledByAttacker',
-                kms: {
-                    provider: 'google-kms',
-                    keyId: 'attacker-controlled-key',
-                    algorithm: 'RSA-OAEP-2048-SHA256',
-                },
-            };
-            // Create CAR files for both
-            const { actualRootCID: originalCID } = await createTestCar(originalMetadata);
-            const { car: maliciousCar } = await createTestCar(maliciousMetadata);
-            // Mock fetch to return completely different metadata
-            const originalFetch = globalThis.fetch;
-            // @ts-ignore - Mock fetch for testing
-            globalThis.fetch = async (url) => ({
-                ok: true,
-                status: 200,
-                statusText: 'OK',
-                arrayBuffer: async () => maliciousCar.buffer, // Complete substitution attack!
-            });
-            try {
-                await getCarFileFromPublicGateway(gatewayURL, originalCID.toString());
-                assert.fail('Should detect complete metadata substitution via CID verification');
-            }
-            catch (error) {
-                assert(error instanceof Error, 'Should throw an Error');
-                assert(error.message.includes('CID verification failed'), `Should catch complete substitution via CID verification. Got: ${error.message}`);
-            }
-            finally {
-                globalThis.fetch = originalFetch;
-            }
-        });
-    });
-});
-//# sourceMappingURL=cid-verification.spec.js.map

package/dist/test/crypto-compatibility.spec.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=crypto-compatibility.spec.d.ts.map

package/dist/test/crypto-compatibility.spec.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"crypto-compatibility.spec.d.ts","sourceRoot":"","sources":["../../test/crypto-compatibility.spec.js"],"names":[],"mappings":""}