cojson 0.8.44 → 0.8.48

package/src/tests/crypto.test.ts

@@ -3,178 +3,187 @@ import { x25519 } from "@noble/curves/ed25519";
 import { blake3 } from "@noble/hashes/blake3";
 import { base58, base64url } from "@scure/base";
 import { expect, test } from "vitest";
+import { PureJSCrypto } from "../crypto/PureJSCrypto.js";
 import { WasmCrypto } from "../crypto/WasmCrypto.js";
 import { SessionID } from "../ids.js";
 import { stableStringify } from "../jsonStringify.js";
 
-const Crypto = await WasmCrypto.create();
-
-test("Signatures round-trip and use stable stringify", () => {
-  const data = { b: "world", a: "hello" };
-  const signer = Crypto.newRandomSigner();
-  const signature = Crypto.sign(signer, data);
-
-  expect(signature).toMatch(/^signature_z/);
-  expect(
-    Crypto.verify(
-      signature,
-      { a: "hello", b: "world" },
-      Crypto.getSignerID(signer),
-    ),
-  ).toBe(true);
-});
-
-test("Invalid signatures don't verify", () => {
-  const data = { b: "world", a: "hello" };
-  const signer = Crypto.newRandomSigner();
-  const signer2 = Crypto.newRandomSigner();
-  const wrongSignature = Crypto.sign(signer2, data);
+const wasmCrypto = await WasmCrypto.create();
+const pureJSCrypto = await PureJSCrypto.create();
+
+[wasmCrypto, pureJSCrypto].forEach((crypto) => {
+  const name = crypto.constructor.name;
+
+  test(`Signatures round-trip and use stable stringify [${name}]`, () => {
+    const data = { b: "world", a: "hello" };
+    const signer = crypto.newRandomSigner();
+    const signature = crypto.sign(signer, data);
+
+    expect(signature).toMatch(/^signature_z/);
+    expect(
+      crypto.verify(
+        signature,
+        { a: "hello", b: "world" },
+        crypto.getSignerID(signer),
+      ),
+    ).toBe(true);
+  });
 
-  expect(Crypto.verify(wrongSignature, data, Crypto.getSignerID(signer))).toBe(
-    false,
-  );
-});
+  test(`Invalid signatures don't verify [${name}]`, () => {
+    const data = { b: "world", a: "hello" };
+    const signer = crypto.newRandomSigner();
+    const signer2 = crypto.newRandomSigner();
+    const wrongSignature = crypto.sign(signer2, data);
 
-test("encrypting round-trips, but invalid receiver can't unseal", () => {
-  const data = { b: "world", a: "hello" };
-  const sender = Crypto.newRandomSealer();
-  const sealer = Crypto.newRandomSealer();
-  const wrongSealer = Crypto.newRandomSealer();
-
-  const nOnceMaterial = {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
-  } as const;
-
-  const sealed = Crypto.seal({
-    message: data,
-    from: sender,
-    to: Crypto.getSealerID(sealer),
-    nOnceMaterial,
+    expect(
+      crypto.verify(wrongSignature, data, crypto.getSignerID(signer)),
+    ).toBe(false);
   });
 
-  expect(
-    Crypto.unseal(sealed, sealer, Crypto.getSealerID(sender), nOnceMaterial),
-  ).toEqual(data);
-  expect(() =>
-    Crypto.unseal(
-      sealed,
-      wrongSealer,
-      Crypto.getSealerID(sender),
+  test(`encrypting round-trips, but invalid receiver can't unseal [${name}]`, () => {
+    const data = { b: "world", a: "hello" };
+    const sender = crypto.newRandomSealer();
+    const sealer = crypto.newRandomSealer();
+    const wrongSealer = crypto.newRandomSealer();
+
+    const nOnceMaterial = {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
+    } as const;
+
+    const sealed = crypto.seal({
+      message: data,
+      from: sender,
+      to: crypto.getSealerID(sealer),
       nOnceMaterial,
-    ),
-  ).toThrow(/Wrong tag/);
-
-  // trying with wrong sealer secret, by hand
-  const nOnce = blake3(
-    new TextEncoder().encode(stableStringify(nOnceMaterial)),
-  ).slice(0, 24);
-  const sealer3priv = base58.decode(
-    wrongSealer.substring("sealerSecret_z".length),
-  );
-  const senderPub = base58.decode(
-    Crypto.getSealerID(sender).substring("sealer_z".length),
-  );
-  const sealedBytes = base64url.decode(sealed.substring("sealed_U".length));
-  const sharedSecret = x25519.getSharedSecret(sealer3priv, senderPub);
-
-  expect(() => {
-    const _ = xsalsa20_poly1305(sharedSecret, nOnce).decrypt(sealedBytes);
-  }).toThrow("Wrong tag");
-});
+    });
+
+    expect(
+      crypto.unseal(sealed, sealer, crypto.getSealerID(sender), nOnceMaterial),
+    ).toEqual(data);
+    expect(() =>
+      crypto.unseal(
+        sealed,
+        wrongSealer,
+        crypto.getSealerID(sender),
+        nOnceMaterial,
+      ),
+    ).toThrow(/Wrong tag/);
+
+    // trying with wrong sealer secret, by hand
+    const nOnce = blake3(
+      new TextEncoder().encode(stableStringify(nOnceMaterial)),
+    ).slice(0, 24);
+    const sealer3priv = base58.decode(
+      wrongSealer.substring("sealerSecret_z".length),
+    );
+    const senderPub = base58.decode(
+      crypto.getSealerID(sender).substring("sealer_z".length),
+    );
+    const sealedBytes = base64url.decode(sealed.substring("sealed_U".length));
+    const sharedSecret = x25519.getSharedSecret(sealer3priv, senderPub);
+
+    expect(() => {
+      const _ = xsalsa20_poly1305(sharedSecret, nOnce).decrypt(sealedBytes);
+    }).toThrow("Wrong tag");
+  });
 
-test("Hashing is deterministic", () => {
-  expect(Crypto.secureHash({ b: "world", a: "hello" })).toEqual(
-    Crypto.secureHash({ a: "hello", b: "world" }),
-  );
+  test(`Hashing is deterministic [${name}]`, () => {
+    expect(crypto.secureHash({ b: "world", a: "hello" })).toEqual(
+      crypto.secureHash({ a: "hello", b: "world" }),
+    );
 
-  expect(Crypto.shortHash({ b: "world", a: "hello" })).toEqual(
-    Crypto.shortHash({ a: "hello", b: "world" }),
-  );
-});
+    expect(crypto.shortHash({ b: "world", a: "hello" })).toEqual(
+      crypto.shortHash({ a: "hello", b: "world" }),
+    );
+  });
 
-test("Encryption for transactions round-trips", () => {
-  const { secret } = Crypto.newRandomKeySecret();
+  test(`Encryption for transactions round-trips [${name}]`, () => {
+    const { secret } = crypto.newRandomKeySecret();
 
-  const encrypted1 = Crypto.encryptForTransaction({ a: "hello" }, secret, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
-  });
+    const encrypted1 = crypto.encryptForTransaction({ a: "hello" }, secret, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
+    });
 
-  const encrypted2 = Crypto.encryptForTransaction({ b: "world" }, secret, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
-  });
+    const encrypted2 = crypto.encryptForTransaction({ b: "world" }, secret, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
+    });
 
-  const decrypted1 = Crypto.decryptForTransaction(encrypted1, secret, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
-  });
+    const decrypted1 = crypto.decryptForTransaction(encrypted1, secret, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
+    });
 
-  const decrypted2 = Crypto.decryptForTransaction(encrypted2, secret, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
+    const decrypted2 = crypto.decryptForTransaction(encrypted2, secret, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
+    });
+
+    expect([decrypted1, decrypted2]).toEqual([{ a: "hello" }, { b: "world" }]);
   });
 
-  expect([decrypted1, decrypted2]).toEqual([{ a: "hello" }, { b: "world" }]);
-});
+  test(`Encryption for transactions doesn't decrypt with a wrong key [${name}]`, () => {
+    const { secret } = crypto.newRandomKeySecret();
+    const { secret: secret2 } = crypto.newRandomKeySecret();
 
-test("Encryption for transactions doesn't decrypt with a wrong key", () => {
-  const { secret } = Crypto.newRandomKeySecret();
-  const { secret: secret2 } = Crypto.newRandomKeySecret();
+    const encrypted1 = crypto.encryptForTransaction({ a: "hello" }, secret, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
+    });
 
-  const encrypted1 = Crypto.encryptForTransaction({ a: "hello" }, secret, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
-  });
+    const encrypted2 = crypto.encryptForTransaction({ b: "world" }, secret, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
+    });
 
-  const encrypted2 = Crypto.encryptForTransaction({ b: "world" }, secret, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
-  });
+    const decrypted1 = crypto.decryptForTransaction(encrypted1, secret2, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
+    });
 
-  const decrypted1 = Crypto.decryptForTransaction(encrypted1, secret2, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 0 },
-  });
+    const decrypted2 = crypto.decryptForTransaction(encrypted2, secret2, {
+      in: "co_zTEST",
+      tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
+    });
 
-  const decrypted2 = Crypto.decryptForTransaction(encrypted2, secret2, {
-    in: "co_zTEST",
-    tx: { sessionID: "co_zTEST_session_zTEST" as SessionID, txIndex: 1 },
+    expect([decrypted1, decrypted2]).toEqual([undefined, undefined]);
   });
 
-  expect([decrypted1, decrypted2]).toEqual([undefined, undefined]);
-});
-
-test("Encryption of keySecrets round-trips", () => {
-  const toEncrypt = Crypto.newRandomKeySecret();
-  const encrypting = Crypto.newRandomKeySecret();
+  test(`Encryption of keySecrets round-trips [${name}]`, () => {
+    const toEncrypt = crypto.newRandomKeySecret();
+    const encrypting = crypto.newRandomKeySecret();
 
-  const keys = {
-    toEncrypt,
-    encrypting,
-  };
+    const keys = {
+      toEncrypt,
+      encrypting,
+    };
 
-  const encrypted = Crypto.encryptKeySecret(keys);
+    const encrypted = crypto.encryptKeySecret(keys);
 
-  const decrypted = Crypto.decryptKeySecret(encrypted, encrypting.secret);
+    const decrypted = crypto.decryptKeySecret(encrypted, encrypting.secret);
 
-  expect(decrypted).toEqual(toEncrypt.secret);
-});
+    expect(decrypted).toEqual(toEncrypt.secret);
+  });
 
-test("Encryption of keySecrets doesn't decrypt with a wrong key", () => {
-  const toEncrypt = Crypto.newRandomKeySecret();
-  const encrypting = Crypto.newRandomKeySecret();
-  const encryptingWrong = Crypto.newRandomKeySecret();
+  test(`Encryption of keySecrets doesn't decrypt with a wrong key [${name}]`, () => {
+    const toEncrypt = crypto.newRandomKeySecret();
+    const encrypting = crypto.newRandomKeySecret();
+    const encryptingWrong = crypto.newRandomKeySecret();
 
-  const keys = {
-    toEncrypt,
-    encrypting,
-  };
+    const keys = {
+      toEncrypt,
+      encrypting,
+    };
 
-  const encrypted = Crypto.encryptKeySecret(keys);
+    const encrypted = crypto.encryptKeySecret(keys);
 
-  const decrypted = Crypto.decryptKeySecret(encrypted, encryptingWrong.secret);
+    const decrypted = crypto.decryptKeySecret(
+      encrypted,
+      encryptingWrong.secret,
+    );
 
-  expect(decrypted).toBeUndefined();
+    expect(decrypted).toBeUndefined();
+  });
 });

package/src/tests/group.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from "vitest";
+import { CoValueState } from "../coValueState.js";
 import { RawCoList } from "../coValues/coList.js";
 import { RawCoMap } from "../coValues/coMap.js";
 import { RawCoStream } from "../coValues/coStream.js";
@@ -492,4 +493,120 @@ describe("writeOnly", () => {
     // The writer role should be able to see the edits from the admin
     expect(mapOnNode2.get("test")).toEqual("Written from the admin");
   });
+
+  test("upgrade to writer roles should work correctly", async () => {
+    const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+    const group = node1.node.createGroup();
+    group.addMember(
+      await loadCoValueOrFail(node1.node, node2.accountID),
+      "writeOnly",
+    );
+
+    await group.core.waitForSync();
+
+    const groupOnNode2 = await loadCoValueOrFail(node2.node, group.id);
+    const map = groupOnNode2.createMap();
+    map.set("test", "Written from the writeOnly member");
+
+    await map.core.waitForSync();
+
+    group.addMember(
+      await loadCoValueOrFail(node1.node, node2.accountID),
+      "writer",
+    );
+
+    group.core.waitForSync();
+
+    node2.node.coValuesStore.coValues.delete(map.id);
+    expect(node2.node.coValuesStore.get(map.id)).toEqual(
+      CoValueState.Unknown(map.id),
+    );
+
+    const mapOnNode2 = await loadCoValueOrFail(node2.node, map.id);
+
+    // The writer role should be able to see the edits from the admin
+    expect(mapOnNode2.get("test")).toEqual("Written from the writeOnly member");
+  });
+
+  test("a user should be able to extend a group when his role on the parent group is writer", async () => {
+    const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+    const group = node1.node.createGroup();
+    group.addMember(
+      await loadCoValueOrFail(node1.node, node2.accountID),
+      "writer",
+    );
+
+    await group.core.waitForSync();
+
+    const groupOnNode2 = await loadCoValueOrFail(node2.node, group.id);
+
+    const childGroup = node2.node.createGroup();
+    childGroup.extend(groupOnNode2);
+
+    const map = childGroup.createMap();
+    map.set("test", "Written from node2");
+
+    await map.core.waitForSync();
+    await childGroup.core.waitForSync();
+
+    const mapOnNode2 = await loadCoValueOrFail(node2.node, map.id);
+
+    expect(mapOnNode2.get("test")).toEqual("Written from node2");
+  });
+
+  test("a user should be able to extend a group when his role on the parent group is reader", async () => {
+    const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+    const group = node1.node.createGroup();
+    group.addMember(
+      await loadCoValueOrFail(node1.node, node2.accountID),
+      "reader",
+    );
+
+    await group.core.waitForSync();
+
+    const groupOnNode2 = await loadCoValueOrFail(node2.node, group.id);
+
+    const childGroup = node2.node.createGroup();
+    childGroup.extend(groupOnNode2);
+
+    const map = childGroup.createMap();
+    map.set("test", "Written from node2");
+
+    await map.core.waitForSync();
+    await childGroup.core.waitForSync();
+
+    const mapOnNode2 = await loadCoValueOrFail(node2.node, map.id);
+
+    expect(mapOnNode2.get("test")).toEqual("Written from node2");
+  });
+
+  test("a user should be able to extend a group when his role on the parent group is writeOnly", async () => {
+    const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+    const group = node1.node.createGroup();
+    group.addMember(
+      await loadCoValueOrFail(node1.node, node2.accountID),
+      "writeOnly",
+    );
+
+    await group.core.waitForSync();
+
+    const groupOnNode2 = await loadCoValueOrFail(node2.node, group.id);
+
+    const childGroup = node2.node.createGroup();
+    childGroup.extend(groupOnNode2);
+
+    const map = childGroup.createMap();
+    map.set("test", "Written from node2");
+
+    await map.core.waitForSync();
+    await childGroup.core.waitForSync();
+
+    const mapOnNode2 = await loadCoValueOrFail(node2.node, map.id);
+
+    expect(mapOnNode2.get("test")).toEqual("Written from node2");
+  });
 });

package/src/tests/permissions.test.ts

@@ -2157,21 +2157,17 @@ test("Admins can set child extensions when the admin role is inherited", async (
   );
 });
 
-test("Writers, readers and invitees can not set child extensions", () => {
+test("Writers, readers and writeOnly can set child extensions", () => {
   const { group, node } = newGroupHighLevel();
   const childGroup = node.createGroup();
 
   const writer = node.createAccount();
   const reader = node.createAccount();
-  const adminInvite = node.createAccount();
-  const writerInvite = node.createAccount();
-  const readerInvite = node.createAccount();
+  const writeOnly = node.createAccount();
 
   group.addMember(writer, "writer");
   group.addMember(reader, "reader");
-  group.addMember(adminInvite, "adminInvite");
-  group.addMember(writerInvite, "writerInvite");
-  group.addMember(readerInvite, "readerInvite");
+  group.addMember(writeOnly, "writeOnly");
 
   const groupAsWriter = expectGroup(
     group.core
@@ -2180,7 +2176,7 @@ test("Writers, readers and invitees can not set child extensions", () => {
   );
 
   groupAsWriter.set(`child_${childGroup.id}`, "extend", "trusting");
-  expect(groupAsWriter.get(`child_${childGroup.id}`)).toBeUndefined();
+  expect(groupAsWriter.get(`child_${childGroup.id}`)).toEqual("extend");
 
   const groupAsReader = expectGroup(
     group.core
@@ -2189,7 +2185,20 @@ test("Writers, readers and invitees can not set child extensions", () => {
   );
 
   groupAsReader.set(`child_${childGroup.id}`, "extend", "trusting");
-  expect(groupAsReader.get(`child_${childGroup.id}`)).toBeUndefined();
+  expect(groupAsReader.get(`child_${childGroup.id}`)).toEqual("extend");
+});
+
+test("Invitees can not set child extensions", () => {
+  const { group, node } = newGroupHighLevel();
+  const childGroup = node.createGroup();
+
+  const adminInvite = node.createAccount();
+  const writerInvite = node.createAccount();
+  const readerInvite = node.createAccount();
+
+  group.addMember(adminInvite, "adminInvite");
+  group.addMember(writerInvite, "writerInvite");
+  group.addMember(readerInvite, "readerInvite");
 
   const groupAsAdminInvite = expectGroup(
     group.core