@xtr-dev/rondevu-client 0.20.1 → 0.21.3

package/dist/crypto/adapter.d.ts

@@ -1,9 +1,9 @@
 /**
  * Crypto adapter interface for platform-independent cryptographic operations
  */
-export interface Keypair {
-    publicKey: string;
-    privateKey: string;
+export interface Credential {
+    name: string;
+    secret: string;
 }
 /**
  * Platform-independent crypto adapter interface
@@ -11,17 +11,33 @@ export interface Keypair {
  */
 export interface CryptoAdapter {
     /**
-     * Generate an Ed25519 keypair
+     * Generate HMAC-SHA256 signature for message authentication
+     * @param secret - The credential secret (hex string)
+     * @param message - The message to sign
+     * @returns Base64-encoded signature
      */
-    generateKeypair(): Promise<Keypair>;
+    generateSignature(secret: string, message: string): Promise<string>;
     /**
-     * Sign a message with an Ed25519 private key
+     * Verify HMAC-SHA256 signature
+     * @param secret - The credential secret (hex string)
+     * @param message - The message that was signed
+     * @param signature - The signature to verify (base64)
+     * @returns True if signature is valid
      */
-    signMessage(message: string, privateKeyBase64: string): Promise<string>;
+    verifySignature(secret: string, message: string, signature: string): Promise<boolean>;
     /**
-     * Verify an Ed25519 signature
+     * Generate a random secret (256-bit hex string)
+     * @returns 64-character hex string
      */
-    verifySignature(message: string, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+    generateSecret(): string;
+    /**
+     * Convert hex string to bytes
+     */
+    hexToBytes(hex: string): Uint8Array;
+    /**
+     * Convert bytes to hex string
+     */
+    bytesToHex(bytes: Uint8Array): string;
     /**
      * Convert Uint8Array to base64 string
      */

package/dist/crypto/node.d.ts

@@ -2,7 +2,7 @@
  * Node.js Crypto adapter for Node.js environments
  * Requires Node.js 19+ or Node.js 18 with --experimental-global-webcrypto flag
  */
-import { CryptoAdapter, Keypair } from './adapter.js';
+import { CryptoAdapter } from './adapter.js';
 /**
  * Node.js Crypto implementation using Node.js built-in APIs
  * Uses Buffer for base64 encoding and crypto.randomBytes for random generation
@@ -19,16 +19,38 @@ import { CryptoAdapter, Keypair } from './adapter.js';
  * const api = new RondevuAPI(
  *   'https://signal.example.com',
  *   'alice',
- *   keypair,
+ *   { name: 'alice', secret: '...' },
  *   new NodeCryptoAdapter()
  * )
  * ```
  */
 export declare class NodeCryptoAdapter implements CryptoAdapter {
     constructor();
-    generateKeypair(): Promise<Keypair>;
-    signMessage(message: string, privateKeyBase64: string): Promise<string>;
-    verifySignature(message: string, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+    /**
+     * Generate HMAC-SHA256 signature
+     */
+    generateSignature(secret: string, message: string): Promise<string>;
+    /**
+     * Verify HMAC-SHA256 signature
+     * Uses constant-time comparison via Web Crypto API to prevent timing attacks
+     *
+     * @returns false for invalid signatures, throws for malformed input
+     * @throws Error if secret/signature format is invalid (not a verification failure)
+     */
+    verifySignature(secret: string, message: string, signature: string): Promise<boolean>;
+    /**
+     * Generate a random secret (256-bit hex string)
+     */
+    generateSecret(): string;
+    /**
+     * Convert hex string to bytes
+     * @throws Error if hex string is invalid
+     */
+    hexToBytes(hex: string): Uint8Array;
+    /**
+     * Convert bytes to hex string
+     */
+    bytesToHex(bytes: Uint8Array): string;
     bytesToBase64(bytes: Uint8Array): string;
     base64ToBytes(base64: string): Uint8Array;
     randomBytes(length: number): Uint8Array;

package/dist/crypto/node.js

@@ -2,7 +2,6 @@
  * Node.js Crypto adapter for Node.js environments
  * Requires Node.js 19+ or Node.js 18 with --experimental-global-webcrypto flag
  */
-import * as ed25519 from '@noble/ed25519';
 /**
  * Node.js Crypto implementation using Node.js built-in APIs
  * Uses Buffer for base64 encoding and crypto.randomBytes for random generation
@@ -19,55 +18,127 @@ import * as ed25519 from '@noble/ed25519';
  * const api = new RondevuAPI(
  *   'https://signal.example.com',
  *   'alice',
- *   keypair,
+ *   { name: 'alice', secret: '...' },
  *   new NodeCryptoAdapter()
  * )
  * ```
  */
 export class NodeCryptoAdapter {
     constructor() {
-        // Set SHA-512 hash function for ed25519 using Node's crypto.subtle
         if (typeof crypto === 'undefined' || !crypto.subtle) {
             throw new Error('crypto.subtle is not available. ' +
                 'Node.js 19+ is required, or Node.js 18 with --experimental-global-webcrypto flag');
         }
-        ed25519.hashes.sha512Async = async (message) => {
-            const hash = await crypto.subtle.digest('SHA-512', message);
-            return new Uint8Array(hash);
-        };
     }
-    async generateKeypair() {
-        const privateKey = ed25519.utils.randomSecretKey();
-        const publicKey = await ed25519.getPublicKeyAsync(privateKey);
-        return {
-            publicKey: this.bytesToBase64(publicKey),
-            privateKey: this.bytesToBase64(privateKey),
-        };
-    }
-    async signMessage(message, privateKeyBase64) {
-        const privateKey = this.base64ToBytes(privateKeyBase64);
+    /**
+     * Generate HMAC-SHA256 signature
+     */
+    async generateSignature(secret, message) {
+        if (!secret || typeof secret !== 'string') {
+            throw new Error('Invalid secret: must be a non-empty string');
+        }
+        if (typeof message !== 'string') {
+            throw new Error('Invalid message: must be a string');
+        }
+        const secretBytes = this.hexToBytes(secret);
+        // Import secret as HMAC key
+        const key = await crypto.subtle.importKey('raw', secretBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        // Convert message to bytes
         const encoder = new TextEncoder();
         const messageBytes = encoder.encode(message);
-        const signature = await ed25519.signAsync(messageBytes, privateKey);
-        return this.bytesToBase64(signature);
+        // Generate HMAC signature
+        const signatureBytes = await crypto.subtle.sign('HMAC', key, messageBytes);
+        // Convert to base64
+        return this.bytesToBase64(new Uint8Array(signatureBytes));
     }
-    async verifySignature(message, signatureBase64, publicKeyBase64) {
+    /**
+     * Verify HMAC-SHA256 signature
+     * Uses constant-time comparison via Web Crypto API to prevent timing attacks
+     *
+     * @returns false for invalid signatures, throws for malformed input
+     * @throws Error if secret/signature format is invalid (not a verification failure)
+     */
+    async verifySignature(secret, message, signature) {
+        // Validate inputs first
+        // Use generic error messages to prevent timing attacks and information leakage
+        let secretBytes;
+        let signatureBytes;
+        try {
+            secretBytes = this.hexToBytes(secret);
+        }
+        catch (error) {
+            // Generic error message - don't leak format details
+            throw new Error('Invalid credential format');
+        }
+        try {
+            signatureBytes = this.base64ToBytes(signature);
+        }
+        catch (error) {
+            // Generic error message - don't leak format details
+            throw new Error('Invalid signature format');
+        }
+        // Perform HMAC verification
         try {
-            const signature = this.base64ToBytes(signatureBase64);
-            const publicKey = this.base64ToBytes(publicKeyBase64);
+            // Import secret as HMAC key for verification
+            const key = await crypto.subtle.importKey('raw', secretBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+            // Convert message to bytes
             const encoder = new TextEncoder();
             const messageBytes = encoder.encode(message);
-            return await ed25519.verifyAsync(signature, messageBytes, publicKey);
+            // Use Web Crypto API's verify() for constant-time comparison
+            // Returns false for signature mismatch (auth failure)
+            return await crypto.subtle.verify('HMAC', key, signatureBytes, messageBytes);
         }
-        catch {
-            return false;
+        catch (error) {
+            // System/crypto errors - unexpected failures
+            throw new Error(`Signature verification error: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
+    /**
+     * Generate a random secret (256-bit hex string)
+     */
+    generateSecret() {
+        const bytes = this.randomBytes(32); // 32 bytes = 256 bits
+        return this.bytesToHex(bytes);
+    }
+    /**
+     * Convert hex string to bytes
+     * @throws Error if hex string is invalid
+     */
+    hexToBytes(hex) {
+        if (hex.length % 2 !== 0) {
+            throw new Error('Hex string must have even length');
+        }
+        // Validate all characters are valid hex (0-9, a-f, A-F)
+        if (!/^[0-9a-fA-F]*$/.test(hex)) {
+            throw new Error('Invalid hex string: contains non-hex characters');
+        }
+        const bytes = new Uint8Array(hex.length / 2);
+        for (let i = 0; i < hex.length; i += 2) {
+            bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+        }
+        return bytes;
+    }
+    /**
+     * Convert bytes to hex string
+     */
+    bytesToHex(bytes) {
+        return Array.from(bytes)
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('');
+    }
     bytesToBase64(bytes) {
         // Node.js Buffer provides native base64 encoding
         return Buffer.from(bytes).toString('base64');
     }
     base64ToBytes(base64) {
+        // Validate base64 string format
+        if (typeof base64 !== 'string' || base64.length === 0) {
+            throw new Error('Invalid base64 string');
+        }
+        // Base64 length must be divisible by 4 (with padding), + requires at least one char
+        if (base64.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(base64)) {
+            throw new Error('Invalid base64 string');
+        }
         // Node.js Buffer provides native base64 decoding
         return new Uint8Array(Buffer.from(base64, 'base64'));
     }

package/dist/crypto/web.d.ts

@@ -1,15 +1,37 @@
 /**
  * Web Crypto adapter for browser environments
  */
-import { CryptoAdapter, Keypair } from './adapter.js';
+import { CryptoAdapter } from './adapter.js';
 /**
  * Web Crypto implementation using browser APIs
  * Uses btoa/atob for base64 encoding and crypto.getRandomValues for random bytes
  */
 export declare class WebCryptoAdapter implements CryptoAdapter {
-    generateKeypair(): Promise<Keypair>;
-    signMessage(message: string, privateKeyBase64: string): Promise<string>;
-    verifySignature(message: string, signatureBase64: string, publicKeyBase64: string): Promise<boolean>;
+    /**
+     * Generate HMAC-SHA256 signature
+     */
+    generateSignature(secret: string, message: string): Promise<string>;
+    /**
+     * Verify HMAC-SHA256 signature
+     * Uses constant-time comparison via Web Crypto API to prevent timing attacks
+     *
+     * @returns false for invalid signatures, throws for malformed input
+     * @throws Error if secret/signature format is invalid (not a verification failure)
+     */
+    verifySignature(secret: string, message: string, signature: string): Promise<boolean>;
+    /**
+     * Generate a random secret (256-bit hex string)
+     */
+    generateSecret(): string;
+    /**
+     * Convert hex string to bytes
+     * @throws Error if hex string is invalid
+     */
+    hexToBytes(hex: string): Uint8Array;
+    /**
+     * Convert bytes to hex string
+     */
+    bytesToHex(bytes: Uint8Array): string;
     bytesToBase64(bytes: Uint8Array): string;
     base64ToBytes(base64: string): Uint8Array;
     randomBytes(length: number): Uint8Array;

package/dist/crypto/web.js

@@ -1,50 +1,127 @@
 /**
  * Web Crypto adapter for browser environments
  */
-import * as ed25519 from '@noble/ed25519';
-// Set SHA-512 hash function for ed25519 (required in @noble/ed25519 v3+)
-ed25519.hashes.sha512Async = async (message) => {
-    return new Uint8Array(await crypto.subtle.digest('SHA-512', message));
-};
 /**
  * Web Crypto implementation using browser APIs
  * Uses btoa/atob for base64 encoding and crypto.getRandomValues for random bytes
  */
 export class WebCryptoAdapter {
-    async generateKeypair() {
-        const privateKey = ed25519.utils.randomSecretKey();
-        const publicKey = await ed25519.getPublicKeyAsync(privateKey);
-        return {
-            publicKey: this.bytesToBase64(publicKey),
-            privateKey: this.bytesToBase64(privateKey),
-        };
-    }
-    async signMessage(message, privateKeyBase64) {
-        const privateKey = this.base64ToBytes(privateKeyBase64);
+    /**
+     * Generate HMAC-SHA256 signature
+     */
+    async generateSignature(secret, message) {
+        if (!secret || typeof secret !== 'string') {
+            throw new Error('Invalid secret: must be a non-empty string');
+        }
+        if (typeof message !== 'string') {
+            throw new Error('Invalid message: must be a string');
+        }
+        const secretBytes = this.hexToBytes(secret);
+        // Import secret as HMAC key
+        const key = await crypto.subtle.importKey('raw', secretBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        // Convert message to bytes
         const encoder = new TextEncoder();
         const messageBytes = encoder.encode(message);
-        const signature = await ed25519.signAsync(messageBytes, privateKey);
-        return this.bytesToBase64(signature);
+        // Generate HMAC signature
+        const signatureBytes = await crypto.subtle.sign('HMAC', key, messageBytes);
+        // Convert to base64
+        return this.bytesToBase64(new Uint8Array(signatureBytes));
     }
-    async verifySignature(message, signatureBase64, publicKeyBase64) {
+    /**
+     * Verify HMAC-SHA256 signature
+     * Uses constant-time comparison via Web Crypto API to prevent timing attacks
+     *
+     * @returns false for invalid signatures, throws for malformed input
+     * @throws Error if secret/signature format is invalid (not a verification failure)
+     */
+    async verifySignature(secret, message, signature) {
+        // Validate inputs first
+        // Use generic error messages to prevent timing attacks and information leakage
+        let secretBytes;
+        let signatureBytes;
+        try {
+            secretBytes = this.hexToBytes(secret);
+        }
+        catch (error) {
+            // Generic error message - don't leak format details
+            throw new Error('Invalid credential format');
+        }
         try {
-            const signature = this.base64ToBytes(signatureBase64);
-            const publicKey = this.base64ToBytes(publicKeyBase64);
+            signatureBytes = this.base64ToBytes(signature);
+        }
+        catch (error) {
+            // Generic error message - don't leak format details
+            throw new Error('Invalid signature format');
+        }
+        // Perform HMAC verification
+        try {
+            // Import secret as HMAC key for verification
+            const key = await crypto.subtle.importKey('raw', secretBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+            // Convert message to bytes
             const encoder = new TextEncoder();
             const messageBytes = encoder.encode(message);
-            return await ed25519.verifyAsync(signature, messageBytes, publicKey);
+            // Use Web Crypto API's verify() for constant-time comparison
+            // Returns false for signature mismatch (auth failure)
+            return await crypto.subtle.verify('HMAC', key, signatureBytes, messageBytes);
         }
-        catch {
-            return false;
+        catch (error) {
+            // System/crypto errors - unexpected failures
+            throw new Error(`Signature verification error: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
+    /**
+     * Generate a random secret (256-bit hex string)
+     */
+    generateSecret() {
+        const bytes = this.randomBytes(32); // 32 bytes = 256 bits
+        return this.bytesToHex(bytes);
+    }
+    /**
+     * Convert hex string to bytes
+     * @throws Error if hex string is invalid
+     */
+    hexToBytes(hex) {
+        if (hex.length % 2 !== 0) {
+            throw new Error('Hex string must have even length');
+        }
+        // Validate all characters are valid hex (0-9, a-f, A-F)
+        if (!/^[0-9a-fA-F]*$/.test(hex)) {
+            throw new Error('Invalid hex string: contains non-hex characters');
+        }
+        const bytes = new Uint8Array(hex.length / 2);
+        for (let i = 0; i < hex.length; i += 2) {
+            bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+        }
+        return bytes;
+    }
+    /**
+     * Convert bytes to hex string
+     */
+    bytesToHex(bytes) {
+        return Array.from(bytes)
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('');
+    }
     bytesToBase64(bytes) {
         const binString = Array.from(bytes, byte => String.fromCodePoint(byte)).join('');
         return btoa(binString);
     }
     base64ToBytes(base64) {
-        const binString = atob(base64);
-        return Uint8Array.from(binString, char => char.codePointAt(0));
+        // Validate base64 string format
+        if (typeof base64 !== 'string' || base64.length === 0) {
+            throw new Error('Invalid base64 string');
+        }
+        // Base64 length must be divisible by 4 (with padding), + requires at least one char
+        if (base64.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(base64)) {
+            throw new Error('Invalid base64 string');
+        }
+        try {
+            const binString = atob(base64);
+            return Uint8Array.from(binString, char => char.codePointAt(0));
+        }
+        catch {
+            throw new Error('Invalid base64 string');
+        }
     }
     randomBytes(length) {
         return crypto.getRandomValues(new Uint8Array(length));

package/dist/utils/message-buffer.js

@@ -40,7 +40,7 @@ export class MessageBuffer {
      */
     getValid() {
         const now = Date.now();
-        return this.buffer.filter((msg) => now - msg.timestamp < this.config.maxAge);
+        return this.buffer.filter(msg => now - msg.timestamp < this.config.maxAge);
     }
     /**
      * Get and remove expired messages
@@ -48,7 +48,7 @@ export class MessageBuffer {
     getExpired() {
         const now = Date.now();
         const expired = [];
-        this.buffer = this.buffer.filter((msg) => {
+        this.buffer = this.buffer.filter(msg => {
             if (now - msg.timestamp >= this.config.maxAge) {
                 expired.push(msg);
                 return false;
@@ -61,7 +61,7 @@ export class MessageBuffer {
      * Remove a specific message by ID
      */
     remove(messageId) {
-        const index = this.buffer.findIndex((msg) => msg.id === messageId);
+        const index = this.buffer.findIndex(msg => msg.id === messageId);
         if (index === -1)
             return null;
         const [removed] = this.buffer.splice(index, 1);
@@ -79,7 +79,7 @@ export class MessageBuffer {
      * Increment attempt count for a message
      */
     incrementAttempt(messageId) {
-        const message = this.buffer.find((msg) => msg.id === messageId);
+        const message = this.buffer.find(msg => msg.id === messageId);
         if (!message)
             return false;
         message.attempts++;

package/dist/webrtc/adapter.d.ts

@@ -0,0 +1,22 @@
+/**
+ * WebRTC adapter interface for platform-independent WebRTC operations
+ * Allows using native browser APIs or polyfills like `wrtc` for Node.js
+ */
+/**
+ * Platform-independent WebRTC adapter interface
+ * Implementations provide platform-specific WebRTC constructors
+ */
+export interface WebRTCAdapter {
+    /**
+     * Create a new RTCPeerConnection
+     * @param config - RTCConfiguration for the peer connection
+     * @returns A new RTCPeerConnection instance
+     */
+    createPeerConnection(config?: RTCConfiguration): RTCPeerConnection;
+    /**
+     * Create a new RTCIceCandidate
+     * @param candidateInit - RTCIceCandidateInit to create the candidate from
+     * @returns A new RTCIceCandidate instance
+     */
+    createIceCandidate(candidateInit: RTCIceCandidateInit): RTCIceCandidate;
+}

package/dist/webrtc/adapter.js

@@ -0,0 +1,5 @@
+/**
+ * WebRTC adapter interface for platform-independent WebRTC operations
+ * Allows using native browser APIs or polyfills like `wrtc` for Node.js
+ */
+export {};

package/dist/webrtc/browser.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Browser WebRTC adapter using native browser APIs
+ */
+import { WebRTCAdapter } from './adapter.js';
+/**
+ * Browser WebRTC implementation using native browser APIs
+ * This is the default adapter for browser environments
+ */
+export declare class BrowserWebRTCAdapter implements WebRTCAdapter {
+    createPeerConnection(config?: RTCConfiguration): RTCPeerConnection;
+    createIceCandidate(candidateInit: RTCIceCandidateInit): RTCIceCandidate;
+}

package/dist/webrtc/browser.js

@@ -0,0 +1,15 @@
+/**
+ * Browser WebRTC adapter using native browser APIs
+ */
+/**
+ * Browser WebRTC implementation using native browser APIs
+ * This is the default adapter for browser environments
+ */
+export class BrowserWebRTCAdapter {
+    createPeerConnection(config) {
+        return new RTCPeerConnection(config);
+    }
+    createIceCandidate(candidateInit) {
+        return new RTCIceCandidate(candidateInit);
+    }
+}

package/dist/webrtc/node.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Node.js WebRTC adapter using polyfills like `wrtc`
+ */
+import { WebRTCAdapter } from './adapter.js';
+export interface NodeWebRTCPolyfills {
+    RTCPeerConnection: typeof RTCPeerConnection;
+    RTCIceCandidate: typeof RTCIceCandidate;
+}
+/**
+ * Node.js WebRTC implementation using polyfills
+ *
+ * @example
+ * ```typescript
+ * import wrtc from 'wrtc'
+ *
+ * const adapter = new NodeWebRTCAdapter({
+ *   RTCPeerConnection: wrtc.RTCPeerConnection,
+ *   RTCIceCandidate: wrtc.RTCIceCandidate,
+ * })
+ *
+ * const rondevu = await Rondevu.connect({
+ *   apiUrl: 'https://api.ronde.vu',
+ *   webrtcAdapter: adapter,
+ * })
+ * ```
+ */
+export declare class NodeWebRTCAdapter implements WebRTCAdapter {
+    private readonly polyfills;
+    constructor(polyfills: NodeWebRTCPolyfills);
+    createPeerConnection(config?: RTCConfiguration): RTCPeerConnection;
+    createIceCandidate(candidateInit: RTCIceCandidateInit): RTCIceCandidate;
+}

package/dist/webrtc/node.js

@@ -0,0 +1,32 @@
+/**
+ * Node.js WebRTC adapter using polyfills like `wrtc`
+ */
+/**
+ * Node.js WebRTC implementation using polyfills
+ *
+ * @example
+ * ```typescript
+ * import wrtc from 'wrtc'
+ *
+ * const adapter = new NodeWebRTCAdapter({
+ *   RTCPeerConnection: wrtc.RTCPeerConnection,
+ *   RTCIceCandidate: wrtc.RTCIceCandidate,
+ * })
+ *
+ * const rondevu = await Rondevu.connect({
+ *   apiUrl: 'https://api.ronde.vu',
+ *   webrtcAdapter: adapter,
+ * })
+ * ```
+ */
+export class NodeWebRTCAdapter {
+    constructor(polyfills) {
+        this.polyfills = polyfills;
+    }
+    createPeerConnection(config) {
+        return new this.polyfills.RTCPeerConnection(config);
+    }
+    createIceCandidate(candidateInit) {
+        return new this.polyfills.RTCIceCandidate(candidateInit);
+    }
+}