@vailix/mask 0.2.3 → 0.2.5

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @vailix/mask
 
+## 0.2.5
+
+### Patch Changes
+
+- a48760e: Fix master key generation to use cryptographically secure random bytes
+
+  Changed master key generation from `randomUUID()` to `randomBytes(32).toString('hex')`.
+  This fixes the "Invalid master key format" error caused by UUID hyphens failing hex validation,
+  and provides proper 256-bit cryptographic randomness following security best practices.
+
+## 0.2.4
+
+### Patch Changes
+
+- dfda662: fix: make singleton initialization truly atomic
+  - Fix race condition where check-and-set wasn't atomic by using IIFE pattern
+  - Add comprehensive tests for singleton pattern (12 tests including stress test with 100 concurrent calls)
+
 ## 0.2.3
 
 ### Patch Changes

package/__tests__/singleton.test.ts

@@ -0,0 +1,235 @@
+/**
+ * Tests for VailixSDK singleton pattern.
+ * 
+ * These tests verify that the race condition fix works correctly:
+ * - Multiple concurrent calls return the same instance
+ * - The promise is set atomically (no gap between check and set)
+ * - destroy() properly resets the singleton
+ */
+
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
+// We need to test the singleton pattern in isolation.
+// Since VailixSDK.doCreate has many dependencies, we'll mock them.
+
+// Mock all the heavy dependencies using proper class constructors
+vi.mock('../src/identity', () => {
+    return {
+        IdentityManager: class MockIdentityManager {
+            initialize = vi.fn().mockResolvedValue(undefined);
+            getMasterKey = vi.fn().mockReturnValue('0123456789abcdef0123456789abcdef');
+            getCurrentRPI = vi.fn().mockReturnValue('testrpi');
+            getMetadataKey = vi.fn().mockReturnValue('testkey');
+            getHistory = vi.fn().mockReturnValue([]);
+            getDisplayName = vi.fn().mockReturnValue('Test-123');
+        },
+    };
+});
+
+vi.mock('../src/db', () => ({
+    initializeDatabase: vi.fn().mockResolvedValue({
+        run: vi.fn().mockResolvedValue(undefined),
+    }),
+}));
+
+vi.mock('../src/storage', () => {
+    return {
+        StorageService: class MockStorageService {
+            initialize = vi.fn().mockResolvedValue(undefined);
+            cleanupOldScans = vi.fn().mockResolvedValue(undefined);
+            canScan = vi.fn().mockReturnValue(true);
+            logScan = vi.fn().mockResolvedValue(undefined);
+            getRecentPairs = vi.fn().mockResolvedValue([]);
+        },
+    };
+});
+
+vi.mock('../src/matcher', () => {
+    return {
+        MatcherService: class MockMatcherService {
+            on = vi.fn();
+            off = vi.fn();
+            emit = vi.fn();
+            getMatchById = vi.fn().mockResolvedValue(null);
+        },
+    };
+});
+
+vi.mock('../src/ble', () => {
+    return {
+        BleService: class MockBleService {
+            setStorage = vi.fn();
+            destroy = vi.fn();
+            startDiscovery = vi.fn().mockResolvedValue(undefined);
+            stopDiscovery = vi.fn().mockResolvedValue(undefined);
+            getNearbyUsers = vi.fn().mockReturnValue([]);
+            onNearbyUsersChanged = vi.fn().mockReturnValue(() => { });
+            pairWithUser = vi.fn().mockResolvedValue({ success: true });
+            unpairUser = vi.fn().mockResolvedValue(undefined);
+        },
+    };
+});
+
+vi.mock('react-native-quick-crypto', () => ({
+    createCipheriv: vi.fn(),
+    randomBytes: vi.fn().mockReturnValue(Buffer.alloc(12)),
+}));
+
+// Import after mocks are set up
+import { VailixSDK } from '../src/index';
+
+const TEST_CONFIG = {
+    appSecret: 'test-secret',
+    reportUrl: 'https://test.example.com',
+    downloadUrl: 'https://test.example.com',
+};
+
+describe('VailixSDK Singleton Pattern', () => {
+    beforeEach(async () => {
+        // Reset singleton state before each test
+        await VailixSDK.destroy();
+        vi.clearAllMocks();
+    });
+
+    describe('create()', () => {
+        it('should return the same instance on multiple sequential calls', async () => {
+            const sdk1 = await VailixSDK.create(TEST_CONFIG);
+            const sdk2 = await VailixSDK.create(TEST_CONFIG);
+            const sdk3 = await VailixSDK.create(TEST_CONFIG);
+
+            expect(sdk1).toBe(sdk2);
+            expect(sdk2).toBe(sdk3);
+        });
+
+        it('should return the same instance on concurrent calls (race condition test)', async () => {
+            // Launch multiple concurrent create() calls
+            const promises = [
+                VailixSDK.create(TEST_CONFIG),
+                VailixSDK.create(TEST_CONFIG),
+                VailixSDK.create(TEST_CONFIG),
+                VailixSDK.create(TEST_CONFIG),
+                VailixSDK.create(TEST_CONFIG),
+            ];
+
+            const results = await Promise.all(promises);
+
+            // All should be the exact same instance
+            const firstInstance = results[0];
+            results.forEach((sdk) => {
+                expect(sdk).toBe(firstInstance);
+            });
+        });
+
+        it('should only initialize once even with concurrent calls', async () => {
+            const { initializeDatabase } = await import('../src/db');
+
+            // Launch concurrent calls
+            await Promise.all([
+                VailixSDK.create(TEST_CONFIG),
+                VailixSDK.create(TEST_CONFIG),
+                VailixSDK.create(TEST_CONFIG),
+            ]);
+
+            // initializeDatabase should only be called once
+            expect(initializeDatabase).toHaveBeenCalledTimes(1);
+        });
+
+        it('should use config from first call only', async () => {
+            const config1 = { ...TEST_CONFIG, reportUrl: 'https://first.com' };
+            const config2 = { ...TEST_CONFIG, reportUrl: 'https://second.com' };
+
+            const sdk1 = await VailixSDK.create(config1);
+            const sdk2 = await VailixSDK.create(config2);
+
+            // Both should be the same instance
+            expect(sdk1).toBe(sdk2);
+            // The instance should use the first config (verified indirectly by same instance)
+        });
+    });
+
+    describe('isInitialized()', () => {
+        it('should return false before create() is called', () => {
+            expect(VailixSDK.isInitialized()).toBe(false);
+        });
+
+        it('should return true after create() completes', async () => {
+            await VailixSDK.create(TEST_CONFIG);
+            expect(VailixSDK.isInitialized()).toBe(true);
+        });
+
+        it('should return false after destroy() is called', async () => {
+            await VailixSDK.create(TEST_CONFIG);
+            expect(VailixSDK.isInitialized()).toBe(true);
+
+            await VailixSDK.destroy();
+            expect(VailixSDK.isInitialized()).toBe(false);
+        });
+    });
+
+    describe('destroy()', () => {
+        it('should allow creating a new instance after destroy', async () => {
+            const sdk1 = await VailixSDK.create(TEST_CONFIG);
+            await VailixSDK.destroy();
+
+            const sdk2 = await VailixSDK.create(TEST_CONFIG);
+
+            // Should be different instances
+            expect(sdk1).not.toBe(sdk2);
+        });
+
+        it('should be safe to call destroy() multiple times', async () => {
+            await VailixSDK.create(TEST_CONFIG);
+
+            // Multiple destroy calls should not throw
+            await VailixSDK.destroy();
+            await VailixSDK.destroy();
+            await VailixSDK.destroy();
+
+            expect(VailixSDK.isInitialized()).toBe(false);
+        });
+
+        it('should be safe to call destroy() without prior create()', async () => {
+            // Should not throw
+            await VailixSDK.destroy();
+            expect(VailixSDK.isInitialized()).toBe(false);
+        });
+    });
+
+    describe('Race condition stress test', () => {
+        it('should handle many concurrent calls correctly', async () => {
+            const CONCURRENT_CALLS = 100;
+
+            const promises = Array.from({ length: CONCURRENT_CALLS }, () =>
+                VailixSDK.create(TEST_CONFIG)
+            );
+
+            const results = await Promise.all(promises);
+
+            // All should be the exact same instance
+            const firstInstance = results[0];
+            expect(results.every(sdk => sdk === firstInstance)).toBe(true);
+
+            // Verify initialization only happened once
+            const { initializeDatabase } = await import('../src/db');
+            expect(initializeDatabase).toHaveBeenCalledTimes(1);
+        });
+
+        it('should handle interleaved create and destroy calls', async () => {
+            // First creation
+            const sdk1 = await VailixSDK.create(TEST_CONFIG);
+
+            // Destroy and recreate
+            await VailixSDK.destroy();
+            const sdk2 = await VailixSDK.create(TEST_CONFIG);
+
+            // Destroy and recreate again
+            await VailixSDK.destroy();
+            const sdk3 = await VailixSDK.create(TEST_CONFIG);
+
+            // All should be different instances
+            expect(sdk1).not.toBe(sdk2);
+            expect(sdk2).not.toBe(sdk3);
+            expect(sdk1).not.toBe(sdk3);
+        });
+    });
+});

package/dist/index.js

@@ -73,7 +73,7 @@ var IdentityManager = class {
     try {
       let key = await this.keyStorage.getKey();
       if (!key) {
-        key = (0, import_react_native_quick_crypto.randomUUID)();
+        key = (0, import_react_native_quick_crypto.randomBytes)(32).toString("hex");
         await this.keyStorage.setKey(key);
       }
       this.masterKey = key;
@@ -862,14 +862,17 @@ var VailixSDK = class _VailixSDK {
     if (_VailixSDK.initPromise) {
       return _VailixSDK.initPromise;
     }
-    _VailixSDK.initPromise = _VailixSDK.doCreate(config);
-    try {
-      _VailixSDK.instance = await _VailixSDK.initPromise;
-      return _VailixSDK.instance;
-    } catch (error) {
-      _VailixSDK.initPromise = null;
-      throw error;
-    }
+    _VailixSDK.initPromise = (async () => {
+      try {
+        const sdk = await _VailixSDK.doCreate(config);
+        _VailixSDK.instance = sdk;
+        return sdk;
+      } catch (error) {
+        _VailixSDK.initPromise = null;
+        throw error;
+      }
+    })();
+    return _VailixSDK.initPromise;
   }
   /**
    * Internal initialization logic (extracted for singleton pattern).

package/dist/index.mjs

@@ -1,8 +1,8 @@
 // src/index.ts
-import { createCipheriv, randomBytes } from "react-native-quick-crypto";
+import { createCipheriv, randomBytes as randomBytes2 } from "react-native-quick-crypto";
 
 // src/identity.ts
-import { createHmac, randomUUID } from "react-native-quick-crypto";
+import { createHmac, randomBytes } from "react-native-quick-crypto";
 import * as SecureStore from "expo-secure-store";
 
 // src/utils.ts
@@ -37,7 +37,7 @@ var IdentityManager = class {
     try {
       let key = await this.keyStorage.getKey();
       if (!key) {
-        key = randomUUID();
+        key = randomBytes(32).toString("hex");
         await this.keyStorage.setKey(key);
       }
       this.masterKey = key;
@@ -89,7 +89,7 @@ var IdentityManager = class {
 // src/storage.ts
 import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
 import { lt, gt, inArray } from "drizzle-orm";
-import { randomUUID as randomUUID2 } from "react-native-quick-crypto";
+import { randomUUID } from "react-native-quick-crypto";
 import AsyncStorage from "@react-native-async-storage/async-storage";
 var SCAN_HISTORY_KEY = "vailix_scan_history";
 var scannedEvents = sqliteTable("scanned_events", {
@@ -123,7 +123,7 @@ var StorageService = class _StorageService {
     return Date.now() - lastScan >= this.rescanIntervalMs;
   }
   async logScan(rpi, metadataKey, timestamp) {
-    await this.db.insert(scannedEvents).values({ id: randomUUID2(), rpi, metadataKey, timestamp });
+    await this.db.insert(scannedEvents).values({ id: randomUUID(), rpi, metadataKey, timestamp });
     this.lastScanByRpi.set(rpi, Date.now());
     if (this.lastScanByRpi.size > _StorageService.MAX_SCAN_HISTORY_SIZE) {
       const entries2 = Array.from(this.lastScanByRpi.entries());
@@ -826,14 +826,17 @@ var VailixSDK = class _VailixSDK {
     if (_VailixSDK.initPromise) {
       return _VailixSDK.initPromise;
     }
-    _VailixSDK.initPromise = _VailixSDK.doCreate(config);
-    try {
-      _VailixSDK.instance = await _VailixSDK.initPromise;
-      return _VailixSDK.instance;
-    } catch (error) {
-      _VailixSDK.initPromise = null;
-      throw error;
-    }
+    _VailixSDK.initPromise = (async () => {
+      try {
+        const sdk = await _VailixSDK.doCreate(config);
+        _VailixSDK.instance = sdk;
+        return sdk;
+      } catch (error) {
+        _VailixSDK.initPromise = null;
+        throw error;
+      }
+    })();
+    return _VailixSDK.initPromise;
   }
   /**
    * Internal initialization logic (extracted for singleton pattern).
@@ -1052,7 +1055,7 @@ var VailixSDK = class _VailixSDK {
       throw new Error(`Metadata exceeds maximum size of ${_VailixSDK.MAX_METADATA_SIZE} bytes`);
     }
     const key = Buffer.from(keyHex, "hex");
-    const iv = randomBytes(12);
+    const iv = randomBytes2(12);
     const cipher = createCipheriv("aes-256-gcm", key, iv);
     let encrypted = cipher.update(jsonStr, "utf8", "base64");
     encrypted += cipher.final("base64");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vailix/mask",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "description": "Privacy-preserving proximity tracing SDK for React Native & Expo",
   "author": "Gil Eyni",
   "keywords": [
@@ -52,7 +52,8 @@
   "devDependencies": {
     "drizzle-kit": "^0.30.0",
     "typescript": "^5.7.0",
-    "tsup": "^8.0.0"
+    "tsup": "^8.0.0",
+    "vitest": "^4.0.0"
   },
   "scripts": {
     "build": "tsup src/index.ts --format esm,cjs --dts --clean",

package/src/identity.ts

@@ -1,4 +1,4 @@
-import { createHmac, randomUUID } from 'react-native-quick-crypto';
+import { createHmac, randomBytes } from 'react-native-quick-crypto';
 import * as SecureStore from 'expo-secure-store';
 import type { KeyStorage } from './types';
 import { generateDisplayName } from './utils';
@@ -30,7 +30,7 @@ export class IdentityManager {
         try {
             let key = await this.keyStorage.getKey();
             if (!key) {
-                key = randomUUID();
+                key = randomBytes(32).toString('hex');
                 await this.keyStorage.setKey(key);
             }
             this.masterKey = key;

package/src/index.ts

@@ -63,22 +63,26 @@ export class VailixSDK {
             return VailixSDK.instance;
         }
 
-        // Initialization in progress - wait for it (prevents race condition)
+        // Initialization in progress - wait for it
         if (VailixSDK.initPromise) {
             return VailixSDK.initPromise;
         }
 
-        // First call - start initialization
-        VailixSDK.initPromise = VailixSDK.doCreate(config);
+        // CRITICAL: Set promise SYNCHRONOUSLY before any await
+        // This makes the check-and-set atomic within the same microtask
+        VailixSDK.initPromise = (async () => {
+            try {
+                const sdk = await VailixSDK.doCreate(config);
+                VailixSDK.instance = sdk;
+                return sdk;
+            } catch (error) {
+                // Clear promise on failure so retry is possible
+                VailixSDK.initPromise = null;
+                throw error;
+            }
+        })();
 
-        try {
-            VailixSDK.instance = await VailixSDK.initPromise;
-            return VailixSDK.instance;
-        } catch (error) {
-            // Clear promise on failure so retry is possible
-            VailixSDK.initPromise = null;
-            throw error;
-        }
+        return VailixSDK.initPromise;
     }
 
     /**

package/vitest.config.ts

@@ -0,0 +1,9 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+    test: {
+        environment: 'node',
+        include: ['__tests__/**/*.test.ts'],
+        globals: true,
+    },
+});