ehbp 0.1.6 → 0.2.0
- package/README.md +5 -7
- package/dist/cjs/client.d.ts +3 -0
- package/dist/cjs/client.d.ts.map +1 -1
- package/dist/cjs/client.js +17 -3
- package/dist/cjs/client.js.map +1 -1
- package/dist/cjs/derive.d.ts.map +1 -1
- package/dist/cjs/derive.js +3 -3
- package/dist/cjs/derive.js.map +1 -1
- package/dist/cjs/identity.d.ts +26 -4
- package/dist/cjs/identity.d.ts.map +1 -1
- package/dist/cjs/identity.js +103 -73
- package/dist/cjs/identity.js.map +1 -1
- package/dist/cjs/index.d.ts +2 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +6 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/esm/client.d.ts +3 -0
- package/dist/esm/client.d.ts.map +1 -1
- package/dist/esm/client.js +17 -3
- package/dist/esm/client.js.map +1 -1
- package/dist/esm/derive.d.ts.map +1 -1
- package/dist/esm/derive.js +1 -1
- package/dist/esm/derive.js.map +1 -1
- package/dist/esm/identity.d.ts +26 -4
- package/dist/esm/identity.d.ts.map +1 -1
- package/dist/esm/identity.js +98 -72
- package/dist/esm/identity.js.map +1 -1
- package/dist/esm/index.d.ts +2 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +1 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/test/client.test.js +2 -1
- package/dist/esm/test/client.test.js.map +1 -1
- package/dist/esm/test/derive.test.js +31 -17
- package/dist/esm/test/derive.test.js.map +1 -1
- package/dist/esm/test/identity.test.js +4 -4
- package/dist/esm/test/identity.test.js.map +1 -1
- package/dist/esm/test/security.test.js +2 -1
- package/dist/esm/test/security.test.js.map +1 -1
- package/dist/esm/test/session-recovery.test.d.ts +9 -0
- package/dist/esm/test/session-recovery.test.d.ts.map +1 -0
- package/dist/esm/test/session-recovery.test.js +419 -0
- package/dist/esm/test/session-recovery.test.js.map +1 -0
- package/package.json +2 -1
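--- a/package/README.md
+++ b/package/README.md
@@ -10,11 +10,13 @@ EHBP encrypts HTTP request and response bodies end-to-end using HPKE ([RFC 9180]
 npm install ehbp
 ```
 
-##
+## Compatible Runtimes
 
-- Node.js 20+
--
+- **Node.js** 20+
+- **Bun** 1.x+
+- **Browsers** with ES2020 support
 
+All HPKE key operations use [`@noble/curves`](https://github.com/paulmillr/noble-curves) (via `@panva/hpke-noble`) instead of WebCrypto, so X25519 support in the runtime's `crypto.subtle` is **not** required.
 
 ## Quick Start
 
@@ -75,10 +77,6 @@ await transport.delete('/users/123');
 </script>
 ```
 
-## Requirements
-
-- Node.js 20+ or modern browsers with Web Crypto API
-
 ## Development
 
 ```sh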
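--- a/package/dist/cjs/client.d.ts
+++ b/package/dist/cjs/client.d.ts
@@ -1,4 +1,5 @@
 import { Identity } from './identity.js';
+import type { SessionRecoveryToken } from './identity.js';
 import type { Key } from 'hpke';
 /**
  * HTTP transport for EHBP
@@ -6,7 +7,9 @@ import type { Key } from 'hpke';
 export declare class Transport {
     private serverIdentity;
     private serverHost;
+    private _lastSessionRecoveryToken?;
     constructor(serverIdentity: Identity, serverHost: string);
+    getSessionRecoveryToken(): SessionRecoveryToken;
     /**
      * Create a new transport by fetching server public key.
      */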
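Review bot: `getSessionRecoveryToken(): SessionRecoveryToken;` (new line 12) is the only public member of `Transport` in this declaration without a doc comment, and it is the one that can throw — the implementation in client.js in this diff throws when no encrypted request has completed yet. Suggested comment above it: `/** Token captured by the most recent completed encrypted request on this transport (usable with decryptResponseWithToken); throws if no such request has been made yet. */`. The `_lastSessionRecoveryToken` field has no doc either; a one-liner noting that it holds the HPKE exporter secret for that response (see `extractSessionRecoveryToken` in identity.js) would tell a reader why it must not be logged or exposed.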
package/dist/cjs/client.d.ts.map
@@ -1 +1 @@
1
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;
1
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAG1D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAOhC;;GAEG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,cAAc,CAAW;IACjC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,yBAAyB,CAAC,CAAuB;gBAE7C,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM;IAKxD,uBAAuB,IAAI,oBAAoB;IAO/C;;OAEG;WACU,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAuB1D,OAAO,CAAC,MAAM,CAAC,wBAAwB;mBAQlB,sBAAsB;IAiB3C;;OAEG;IACH,iBAAiB,IAAI,QAAQ;IAI7B;;OAEG;IACH,kBAAkB,IAAI,GAAG;IAIzB;;OAEG;IACG,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI9C;;OAEG;IACG,OAAO,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IA8E9E;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAInE;;OAEG;IACG,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIrF;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIpF;;OAEG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;CAGvE;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAE3E"}
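--- a/package/dist/cjs/client.js
+++ b/package/dist/cjs/client.js
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.Transport = void 0;
 exports.createTransport = createTransport;
 const identity_js_1 = require("./identity.js");
+const identity_js_2 = require("./identity.js");
 const protocol_js_1 = require("./protocol.js");
 const errors_js_1 = require("./errors.js");
 /**
@@ -11,10 +12,17 @@ const errors_js_1 = require("./errors.js");
 class Transport {
     serverIdentity;
     serverHost;
+    _lastSessionRecoveryToken;
     constructor(serverIdentity, serverHost) {
         this.serverIdentity = serverIdentity;
         this.serverHost = serverHost;
     }
+    getSessionRecoveryToken() {
+        if (!this._lastSessionRecoveryToken) {
+            throw new Error('No session recovery token available — no request has been made yet');
+        }
+        return this._lastSessionRecoveryToken;
+    }
     /**
      * Create a new transport by fetching server public key.
      */
@@ -121,10 +129,14 @@ class Transport {
         // Encrypt request (returns context for response decryption)
         // For bodyless requests, context will be null and request passes through unmodified
         const { request: encryptedRequest, context } = await this.serverIdentity.encryptRequestWithContext(request);
+        const token = context
+            ? await (0, identity_js_2.extractSessionRecoveryToken)(context)
+            : undefined;
         // Make the request
         const response = await fetch(encryptedRequest);
         // Bodyless requests: context is null, response is plaintext
-        if (
+        if (!token) {
+            this._lastSessionRecoveryToken = undefined;
             return response;
         }
         // Throws KeyConfigMismatchError if server returned 422 key-config mismatch
@@ -134,8 +146,10 @@ class Transport {
         if (!responseNonceHeader) {
             throw new errors_js_1.ProtocolError(`Missing ${protocol_js_1.PROTOCOL.RESPONSE_NONCE_HEADER} header`);
         }
-        //
-
+        // Publish token only after confirming the response is valid
+        this._lastSessionRecoveryToken = token;
+        // Decrypt response using the already-extracted token
+        return await (0, identity_js_2.decryptResponseWithToken)(response, token);
     }
     /**
      * Convenience method for GET requests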
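Review bot: `this._lastSessionRecoveryToken = token;` (new 150) is per-instance state written after `await fetch`, so two `request()` calls in flight on the same `Transport` race, and `getSessionRecoveryToken()` (new 20-25) can hand back the token of a different request than the caller issued — completion order, not call order, decides which one survives. A caller that persists the token for a later `decryptResponseWithToken` needs a per-request handle; exposing the token alongside the response, or at least documenting last-completed-wins on the getter, removes the ambiguity. The token also carries the exporter secret for that response and stays on the instance after the response has been consumed; a comment on the field such as `// Exporter secret + enc of the last completed encrypted request; overwritten by every request, never cleared` makes that explicit. The getter throws a plain `Error` where the surrounding code throws `errors_js_1.ProtocolError`; consider using the project error type for consistency. `request()` begins before this hunk.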
package/dist/cjs/client.js.map
@@ -1 +1 @@
1
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":";;;
1
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":";;;AAyNA,0CAEC;AA3ND,+CAAyC;AACzC,+CAAsF;AAEtF,+CAAyC;AACzC,2CAAoE;AAQpE;;GAEG;AACH,MAAa,SAAS;IACZ,cAAc,CAAW;IACzB,UAAU,CAAS;IACnB,yBAAyB,CAAwB;IAEzD,YAAY,cAAwB,EAAE,UAAkB;QACtD,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,uBAAuB;QACrB,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,IAAI,CAAC,yBAAyB,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,SAAiB;QACnC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/B,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC;QAE5B,0BAA0B;QAC1B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,sBAAQ,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEjD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACzD,IAAI,WAAW,KAAK,sBAAQ,CAAC,eAAe,EAAE,CAAC;YAC7C,MAAM,IAAI,KAAK,CAAC,yBAAyB,WAAW,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,MAAM,sBAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAEtE,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;IACnD,CAAC;IAEO,MAAM,CAAC,wBAAwB,CAAC,WAA0B;QAChE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;QAC3E,OAAO,SAAS,KAAK,sBAAQ,CAAC,uBAAuB,CAAC;IACxD,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,QAAkB;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO;QACpC,IAAI,CAAC,SAAS,CAAC,wBAAwB,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAAE,OAAO;QAEtF,IAAI,OAAmC,CAAC;QACxC,IAAI,CAAC;YACH,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAmB,CAAC;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,6CAA6C;QACvD,CAAC;QACD,IAAI,OAAO,EAAE,IAAI,KAAK,sBAAQ,CAAC,uBAAuB,EAAE,CAAC;YACvD,MAAM,IAAI,kCAAsB,CAC9B
,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC9D,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,qBAAqB;QACzB,OAAO,IAAI,CAAC,cAAc,CAAC,eAAe,EAAE,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,KAAwB,EAAE,IAAkB;QACxD,gDAAgD;QAChD,MAAM,QAAQ,GAAG,KAAK,YAAY,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtE,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACjE,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC5B,CAAC;QAED,4EAA4E;QAC5E,IAAI,WAAW,GAAoB,IAAI,CAAC;QAExC,IAAI,KAAK,YAAY,OAAO,EAAE,CAAC;YAC7B,0CAA0C;YAC1C,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBACf,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE,CAAC;YAC1C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,WAAW,GAAG,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC;QACnC,CAAC;QAED,mCAAmC;QACnC,IAAI,GAAQ,CAAC;QACb,IAAI,MAAc,CAAC;QACnB,IAAI,OAAoB,CAAC;QAEzB,IAAI,KAAK,YAAY,OAAO,EAAE,CAAC;YAC7B,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzB,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;YACtB,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;YACrB,MAAM,GAAG,IAAI,EAAE,MAAM,IAAI,KAAK,CAAC;YAC/B,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;QAChC,CAAC;QAED,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;QAE3B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YAC1C,MAAM;YACN,OAAO;YACP,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,MAAM;SACA,CAAC,CAAC;QAElB,4DAA4D;QAC5D,oFAAoF;QACpF,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAC1C,MAAM,IAAI,CAAC,cAAc,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QAE/D,MAAM,KAAK,GAAG,OAAO;YACnB,CAAC,CAAC,MAAM,IAAA,yCAA2B,EAAC,OAAO,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEd,mBAAmB;QACnB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAE/C,4DAA4D;QAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,CAAC,yBAAyB,GAAG,SAAS,CAAC;YAC3C,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,2EAA2E;QAC3E,MAAM,SAAS,CAAC,sBAAsB,CAAC,QAAQ,CAAC,CAAC;QAE
jD,qEAAqE;QACrE,MAAM,mBAAmB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAQ,CAAC,qBAAqB,CAAC,CAAC;QACjF,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,MAAM,IAAI,yBAAa,CAAC,WAAW,sBAAQ,CAAC,qBAAqB,SAAS,CAAC,CAAC;QAC9E,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,yBAAyB,GAAG,KAAK,CAAC;QAEvC,qDAAqD;QACrD,OAAO,MAAM,IAAA,sCAAwB,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,GAAiB,EAAE,IAAkB;QAC7C,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,GAAiB,EAAE,IAAe,EAAE,IAAkB;QAC/D,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,GAAiB,EAAE,IAAe,EAAE,IAAkB;QAC9D,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,GAAiB,EAAE,IAAkB;QAChD,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;CACF;AArMD,8BAqMC;AAED;;GAEG;AACI,KAAK,UAAU,eAAe,CAAC,SAAiB;IACrD,OAAO,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC"}
package/dist/cjs/derive.d.ts.map
@@ -1 +1 @@
1
-
{"version":3,"file":"derive.d.ts","sourceRoot":"","sources":["../../src/derive.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;
1
+
{"version":3,"file":"derive.d.ts","sourceRoot":"","sources":["../../src/derive.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAQH,eAAO,MAAM,iBAAiB,iBAAiB,CAAC;AAChD,eAAO,MAAM,YAAY,kBAAkB,CAAC;AAC5C,eAAO,MAAM,aAAa,KAAK,CAAC;AAChC,eAAO,MAAM,qBAAqB,KAAK,CAAC;AACxC,eAAO,MAAM,iBAAiB,KAAK,CAAC;AACpC,eAAO,MAAM,oBAAoB,KAAK,CAAC;AACvC,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAMrC;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,wCAAwC;IACxC,QAAQ,EAAE,UAAU,CAAC;IACrB,0DAA0D;IAC1D,SAAS,EAAE,UAAU,CAAC;CACvB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,kBAAkB,CACtC,cAAc,EAAE,UAAU,EAC1B,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,UAAU,GACxB,OAAO,CAAC,mBAAmB,CAAC,CA2B9B;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,GAAG,UAAU,CAyB3E;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,EAAE,EAAE,mBAAmB,EACvB,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,UAAU,CAAC,CAMrB;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,EAAE,EAAE,mBAAmB,EACvB,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,UAAU,CAAC,CAMrB;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAYlD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIpD"}
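--- a/package/dist/cjs/derive.js
+++ b/package/dist/cjs/derive.js
@@ -18,9 +18,9 @@ exports.encryptChunk = encryptChunk;
 exports.decryptChunk = decryptChunk;
 exports.hexToBytes = hexToBytes;
 exports.bytesToHex = bytesToHex;
-const
-const kdf = (0,
-const aead = (0,
+const hpke_noble_1 = require("@panva/hpke-noble");
+const kdf = (0, hpke_noble_1.KDF_HKDF_SHA256)();
+const aead = (0, hpke_noble_1.AEAD_AES_256_GCM)();
 exports.HPKE_REQUEST_INFO = 'ehbp request';
 exports.EXPORT_LABEL = 'ehbp response';
 exports.EXPORT_LENGTH = 32;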
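Review bot: The KDF and AEAD (new 21-23) are now instantiated from `@panva/hpke-noble` at module load, and identity.js in this diff takes the KEM from the same package, so the whole cipher suite now rests on that single runtime dependency; the `package.json` change in this release is listed but not shown, so whether it is declared as a pinned runtime dependency rather than a devDependency cannot be checked from here. A comment on new 21 such as `// HPKE primitives come from @panva/hpke-noble instead of WebCrypto; see README "Compatible Runtimes"` would tie the swap to the runtime claim the README now makes.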
package/dist/cjs/derive.js.map
@@ -1 +1 @@
1
-
{"version":3,"file":"derive.js","sourceRoot":"","sources":["../../src/derive.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;
1
+
{"version":3,"file":"derive.js","sourceRoot":"","sources":["../../src/derive.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AA2CH,gDA+BC;AAMD,oCAyBC;AAKD,oCAUC;AAKD,oCAUC;AAKD,gCAYC;AAKD,gCAIC;AA9JD,kDAAsE;AAEtE,MAAM,GAAG,GAAQ,IAAA,4BAAe,GAAE,CAAC;AACnC,MAAM,IAAI,GAAS,IAAA,6BAAgB,GAAE,CAAC;AAEzB,QAAA,iBAAiB,GAAG,cAAc,CAAC;AACnC,QAAA,YAAY,GAAG,eAAe,CAAC;AAC/B,QAAA,aAAa,GAAG,EAAE,CAAC;AACnB,QAAA,qBAAqB,GAAG,EAAE,CAAC,CAAC,iCAAiC;AAC7D,QAAA,iBAAiB,GAAG,EAAE,CAAC;AACvB,QAAA,oBAAoB,GAAG,EAAE,CAAC;AAC1B,QAAA,kBAAkB,GAAG,EAAE,CAAC,CAAC,kBAAkB;AAExD,yBAAyB;AACzB,MAAM,kBAAkB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3D,MAAM,oBAAoB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAY/D;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,kBAAkB,CACtC,cAA0B,EAC1B,UAAsB,EACtB,aAAyB;IAEzB,kBAAkB;IAClB,IAAI,cAAc,CAAC,MAAM,KAAK,qBAAa,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,2BAA2B,qBAAa,eAAe,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,0BAAkB,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,uBAAuB,0BAAkB,eAAe,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,aAAa,CAAC,MAAM,KAAK,6BAAqB,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,0BAA0B,6BAAqB,eAAe,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;IACxG,CAAC;IAED,qCAAqC;IACrC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACtE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IAE3C,8BAA8B;IAC9B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAEpD,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,kBAAkB,EAAE,yBAAiB,CAAC,CAAC;IAE9E,uCAAuC;IACvC,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,oBAAoB,EAAE,4BAAoB,CAAC,CAAC;IAEpF,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,SAAgB,YAAY,CAAC,SAAqB,EAAE,GAAW;IAC7D,IAAI,SAAS,CAAC,MAAM,KAAK,4BAAoB,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,sBAAsB,4BAAoB,QAAQ,CAAC,CAAC;IACtE,CAAC;IAED,6DAA6D;IAC7D,+EAA+E;IAC/E,4EAA4E;IAC5E,mGAAmG;IACnG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAA
C,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,8DAA8D,GAAG,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,4BAAoB,CAAC,CAAC;IACnD,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAErB,4DAA4D;IAC5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;QACpB,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;YACf,KAAK,CAAC,4BAAoB,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,KAAK,KAAK,CAAC,GAAG,IAAI,CAAC;QAChE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,YAAY,CAChC,EAAuB,EACvB,GAAW,EACX,SAAqB;IAErB,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAE9C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAErF,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,YAAY,CAChC,EAAuB,EACvB,GAAW,EACX,UAAsB;IAEtB,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAE9C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAErF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,GAAW;IACpC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,KAAiB;IAC1C,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACzC,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}
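--- a/package/dist/cjs/identity.d.ts
+++ b/package/dist/cjs/identity.d.ts
@@ -7,6 +7,13 @@ export interface RequestContext {
     senderContext: SenderContext;
     requestEnc: Uint8Array;
 }
+/**
+ * Serializable token containing the pre-computed bytes needed to decrypt a response.
+ */
+export interface SessionRecoveryToken {
+    exportedSecret: Uint8Array;
+    requestEnc: Uint8Array;
+}
 /**
  * Identity class for managing HPKE key pairs and encryption/decryption
  */
@@ -88,9 +95,24 @@ export declare class Identity {
      * 4. Decrypts the response body
      */
     decryptResponseWithContext(response: Response, context: RequestContext): Promise<Response>;
-    /**
-     * Creates a ReadableStream that decrypts response chunks.
-     */
-    private createDecryptStream;
 }
+/**
+ * Extract a serializable token from a RequestContext by exporting the HPKE secret.
+ * The returned token contains only plain bytes and can be stored/serialized.
+ */
+export declare function extractSessionRecoveryToken(context: RequestContext): Promise<SessionRecoveryToken>;
+/**
+ * Serialize a SessionRecoveryToken to a JSON string with hex-encoded fields.
+ * See SPEC.md Section 6.1.1.
+ */
+export declare function serializeSessionRecoveryToken(token: SessionRecoveryToken): string;
+/**
+ * Deserialize a SessionRecoveryToken from a JSON string with hex-encoded fields.
+ * See SPEC.md Section 6.1.1.
+ */
+export declare function deserializeSessionRecoveryToken(json: string): SessionRecoveryToken;
+/**
+ * Decrypt a response using a SessionRecoveryToken.
+ */
+export declare function decryptResponseWithToken(response: Response, token: SessionRecoveryToken): Promise<Response>;
 //# sourceMappingURL=identity.d.ts.map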
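Review bot: The `SessionRecoveryToken` doc (new 10-12) calls the token "pre-computed bytes" without saying that `exportedSecret` is the HPKE exporter secret the response keys are derived from, so a consumer reading only this declaration gets no hint that a serialized token must be stored with the same confidentiality as the response plaintext. Suggested addition to that comment: ` * exportedSecret is key material: anyone holding a serialized token can decrypt the corresponding response.` `deserializeSessionRecoveryToken` (new 113) accepts an arbitrary string; its comment should also state what it throws on malformed JSON or non-hex fields, which the implementation in this diff leaves to `JSON.parse` and `hexToBytes`.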
@@ -1 +1 @@
1
-
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":"AAAA,OAAO,
1
+
{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,KAAK,aAAa,EAAE,KAAK,GAAG,EAAE,MAAM,MAAM,CAAC;AAgBjE;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,aAAa,CAAC;IAC7B,UAAU,EAAE,UAAU,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,cAAc,EAAE,UAAU,CAAC;IAC3B,UAAU,EAAE,UAAU,CAAC;CACxB;AAaD;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,KAAK,CAAc;IAC3B,OAAO,CAAC,SAAS,CAAM;IACvB,OAAO,CAAC,UAAU,CAAM;gBAEZ,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG;IAM/D;;OAEG;WACU,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IAO1C;;OAEG;WACU,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAWtD;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAU/B;;OAEG;IACH,YAAY,IAAI,GAAG;IAInB;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAKxC;;OAEG;IACH,aAAa,IAAI,GAAG;IAIpB;;;OAGG;IACG,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC;IA0C1C;;OAEG;WACU,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IA2CvE;;;;;;OAMG;WACU,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAStE;;;;;;;OAOG;mBACkB,kBAAkB;IAQvC;;;;;;;;OAQG;IACG,yBAAyB,CAC7B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,cAAc,GAAG,IAAI,CAAA;KAAE,CAAC;IAwDhE;;;;;;;;OAQG;IACG,0BAA0B,CAC9B,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,QAAQ,CAAC;CAIrB;AAED;;;GAGG;AACH,wBAAsB,2BAA2B,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAOxG;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,oBAAoB,GAAG,MAAM,CAKjF;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,CAMlF;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,oBAAoB,GAC1B,OAAO,CAAC,QAAQ,CAAC,CAqBnB"}
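--- a/package/dist/cjs/identity.js
+++ b/package/dist/cjs/identity.js
@@ -1,7 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Identity = void 0;
+exports.extractSessionRecoveryToken = extractSessionRecoveryToken;
+exports.serializeSessionRecoveryToken = serializeSessionRecoveryToken;
+exports.deserializeSessionRecoveryToken = deserializeSessionRecoveryToken;
+exports.decryptResponseWithToken = decryptResponseWithToken;
 const hpke_1 = require("hpke");
+const hpke_noble_1 = require("@panva/hpke-noble");
 const protocol_js_1 = require("./protocol.js");
 const derive_js_1 = require("./derive.js");
 const errors_js_1 = require("./errors.js");
@@ -9,7 +14,7 @@ const errors_js_1 = require("./errors.js");
  * Creates a new CipherSuite for X25519/HKDF-SHA256/AES-256-GCM
  */
 function createSuite() {
-    return new hpke_1.CipherSuite(
+    return new hpke_1.CipherSuite(hpke_noble_1.KEM_DHKEM_X25519_HKDF_SHA256, hpke_noble_1.KDF_HKDF_SHA256, hpke_noble_1.AEAD_AES_256_GCM);
 }
 /**
  * Identity class for managing HPKE key pairs and encryption/decryption
@@ -235,82 +240,107 @@ class Identity {
      * 4. Decrypts the response body
      */
     async decryptResponseWithContext(response, context) {
-
-
-        }
-        // Get response nonce from header
-        const responseNonceHex = response.headers.get(protocol_js_1.PROTOCOL.RESPONSE_NONCE_HEADER);
-        if (!responseNonceHex) {
-            throw new errors_js_1.ProtocolError(`Missing ${protocol_js_1.PROTOCOL.RESPONSE_NONCE_HEADER} header`);
-        }
-        const responseNonce = (0, derive_js_1.hexToBytes)(responseNonceHex);
-        if (responseNonce.length !== derive_js_1.RESPONSE_NONCE_LENGTH) {
-            throw new errors_js_1.ProtocolError(`Invalid response nonce length: expected ${derive_js_1.RESPONSE_NONCE_LENGTH}, got ${responseNonce.length}`);
-        }
-        // Export secret from request context
-        const exportLabelBytes = new TextEncoder().encode(derive_js_1.EXPORT_LABEL);
-        const exportedSecret = await context.senderContext.Export(exportLabelBytes, derive_js_1.EXPORT_LENGTH);
-        // Derive response keys
-        const km = await (0, derive_js_1.deriveResponseKeys)(exportedSecret, context.requestEnc, responseNonce);
-        // Create decrypting stream
-        const decryptedStream = this.createDecryptStream(response.body, km);
-        return new Response(decryptedStream, {
-            status: response.status,
-            statusText: response.statusText,
-            headers: response.headers,
-        });
+        const token = await extractSessionRecoveryToken(context);
+        return decryptResponseWithToken(response, token);
     }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+}
+exports.Identity = Identity;
+/**
+ * Extract a serializable token from a RequestContext by exporting the HPKE secret.
+ * The returned token contains only plain bytes and can be stored/serialized.
+ */
+async function extractSessionRecoveryToken(context) {
+    const exportLabelBytes = new TextEncoder().encode(derive_js_1.EXPORT_LABEL);
+    const exportedSecret = new Uint8Array(await context.senderContext.Export(exportLabelBytes, derive_js_1.EXPORT_LENGTH));
+    return {
+        exportedSecret,
+        requestEnc: new Uint8Array(context.requestEnc),
+    };
+}
+/**
+ * Serialize a SessionRecoveryToken to a JSON string with hex-encoded fields.
+ * See SPEC.md Section 6.1.1.
+ */
+function serializeSessionRecoveryToken(token) {
+    return JSON.stringify({
+        exportedSecret: (0, derive_js_1.bytesToHex)(token.exportedSecret),
+        requestEnc: (0, derive_js_1.bytesToHex)(token.requestEnc),
+    });
+}
+/**
+ * Deserialize a SessionRecoveryToken from a JSON string with hex-encoded fields.
+ * See SPEC.md Section 6.1.1.
+ */
+function deserializeSessionRecoveryToken(json) {
+    const parsed = JSON.parse(json);
+    return {
+        exportedSecret: (0, derive_js_1.hexToBytes)(parsed.exportedSecret),
+        requestEnc: (0, derive_js_1.hexToBytes)(parsed.requestEnc),
+    };
+}
+/**
+ * Decrypt a response using a SessionRecoveryToken.
+ */
+async function decryptResponseWithToken(response, token) {
+    if (!response.body)
+        return response;
+    const responseNonceHex = response.headers.get(protocol_js_1.PROTOCOL.RESPONSE_NONCE_HEADER);
+    if (!responseNonceHex) {
+        throw new errors_js_1.ProtocolError(`Missing ${protocol_js_1.PROTOCOL.RESPONSE_NONCE_HEADER} header`);
+    }
+    const responseNonce = (0, derive_js_1.hexToBytes)(responseNonceHex);
+    if (responseNonce.length !== derive_js_1.RESPONSE_NONCE_LENGTH) {
+        throw new errors_js_1.ProtocolError(`Invalid response nonce length`);
+    }
+    const km = await (0, derive_js_1.deriveResponseKeys)(token.exportedSecret, token.requestEnc, responseNonce);
+    const decryptedStream = createDecryptStream(response.body, km);
+    return new Response(decryptedStream, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: response.headers,
+    });
+}
+function createDecryptStream(body, km) {
+    let buffer = new Uint8Array(0);
+    let seq = 0;
+    const reader = body.getReader();
+    return new ReadableStream({
+        async pull(controller) {
+            while (true) {
+                if (buffer.length >= 4) {
+                    const chunkLength = (buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3];
+                    if (chunkLength === 0) {
+                        buffer = buffer.slice(4);
+                        continue;
+                    }
+                    if (buffer.length >= 4 + chunkLength) {
+                        const ciphertext = buffer.slice(4, 4 + chunkLength);
+                        buffer = buffer.slice(4 + chunkLength);
+                        try {
+                            const plaintext = await (0, derive_js_1.decryptChunk)(km, seq++, ciphertext);
+                            controller.enqueue(plaintext);
+                            return;
                         }
-
-
-
-                            try {
-                                const plaintext = await (0, derive_js_1.decryptChunk)(km, seq++, ciphertext);
-                                controller.enqueue(plaintext);
-                                return;
-                            }
-                            catch (error) {
-                                controller.error(new errors_js_1.DecryptionError(`Decryption failed at chunk ${seq - 1}`, { cause: error }));
-                                return;
-                            }
+                        catch (error) {
+                            controller.error(new errors_js_1.DecryptionError(`Decryption failed at chunk ${seq - 1}`, { cause: error }));
+                            return;
                         }
                     }
-                    // Need more data
-                    const { done, value } = await reader.read();
-                    if (done) {
-                        controller.close();
-                        return;
-                    }
-                    // Append to buffer
-                    const newBuffer = new Uint8Array(buffer.length + value.length);
-                    newBuffer.set(buffer);
-                    newBuffer.set(value, buffer.length);
-                    buffer = newBuffer;
                 }
-
-
-
-
-
-
-
+                const { done, value } = await reader.read();
+                if (done) {
+                    controller.close();
+                    return;
+                }
+                const newBuffer = new Uint8Array(buffer.length + value.length);
+                newBuffer.set(buffer);
+                newBuffer.set(value, buffer.length);
+                buffer = newBuffer;
+            }
+        },
+        cancel(reason) {
+            return reader.cancel(reason);
+        },
+    });
 }
-exports.Identity = Identity;
 //# sourceMappingURL=identity.js.map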
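Review bot: `deserializeSessionRecoveryToken` (new 274-280) passes `parsed.exportedSecret` and `parsed.requestEnc` straight to `hexToBytes` without checking that `parsed` is an object with string fields, so a truncated or tampered stored token surfaces as a `TypeError` from inside `hexToBytes` rather than a typed error, and nothing here checks that `exportedSecret` decodes to `derive_js_1.EXPORT_LENGTH` bytes before it reaches `deriveResponseKeys` (whether that function validates lengths is not visible in this diff). A guard after `JSON.parse` would do: `if (typeof parsed !== 'object' || parsed === null || typeof parsed.exportedSecret !== 'string' || typeof parsed.requestEnc !== 'string') {` / `    throw new errors_js_1.ProtocolError('Malformed session recovery token');` / `}`. Separately, in `createDecryptStream` (new 311) `(buffer[0] << 24) | …` is a signed 32-bit shift, so a length prefix with the top bit set becomes negative and passes the `buffer.length >= 4 + chunkLength` test at new 316 with negative slice bounds; appending `>>> 0` fixes the sign, and an upper bound on `chunkLength` (`MAX_CHUNK_LENGTH`, placeholder to be set from the protocol's chunk size) would keep a peer-supplied prefix from making the client buffer the entire body before decrypting anything. That line appears to be carried over from the removed class method, so the sign issue predates this commit. The message at new 293 also drops the expected/actual lengths that old line 248 reported, which made a bad nonce header diagnosable.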
package/dist/cjs/identity.js.map
@@ -1 +1 @@
1
-
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":";;;
1
+
{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":";;;AA0UA,kEAOC;AAMD,sEAKC;AAMD,0EAMC;AAKD,4DAwBC;AArYD,+BAAiE;AACjE,kDAAoG;AACpG,+CAAsD;AACtD,2CAUqB;AACrB,2CAA6D;AAmB7D;;GAEG;AACH,SAAS,WAAW;IAClB,OAAO,IAAI,kBAAW,CACpB,yCAA4B,EAC5B,4BAAe,EACf,6BAAgB,CACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAa,QAAQ;IACX,KAAK,CAAc;IACnB,SAAS,CAAM;IACf,UAAU,CAAM;IAExB,YAAY,KAAkB,EAAE,SAAc,EAAE,UAAe;QAC7D,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,QAAQ;QACnB,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;QAC5B,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc;QAEnF,OAAO,IAAI,QAAQ,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAY;QAChC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9B,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;QAE5B,mCAAmC;QACnC,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,oBAAoB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;QACnF,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,qBAAqB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;QAE5F,OAAO,IAAI,QAAQ,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM;QACV,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3E,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE9E,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC;YACrC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC;SACxC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe;QACnB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACrE,OAAO,IAAA,sBAAU,EAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa;QACjB,MAAM,KAAK,GAAG,yBAAW,CAAC,GAAG,CAAC;QAC9B,MAAM,KAAK,GAAG,yBAAW,CAAC,GAAG,CAAC;QAC9B,MAAM,MAAM,GAAG,yBAA
W,CAAC,IAAI,CAAC;QAEhC,iCAAiC;QACjC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE3E,kEAAkE;QAClE,MAAM,KAAK,GAAG,CAAC,CAAC;QAChB,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC;QAC5C,MAAM,gBAAgB,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,mBAAmB;QAEnD,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,CAAC,GAAG,aAAa,GAAG,CAAC,GAAG,gBAAgB,CAAC,CAAC;QAC5E,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,SAAS;QACT,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,KAAK,CAAC;QAEzB,SAAS;QACT,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QACvC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC;QAEhC,aAAa;QACb,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;QACnC,MAAM,IAAI,aAAa,CAAC;QAExB,iCAAiC;QACjC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QAClD,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,gBAAgB,GAAG,IAAI,CAAC;QAE3C,SAAS;QACT,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QACvC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC;QAEhC,UAAU;QACV,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QACxC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC;QAEjC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAgB;QACjD,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,cAAc;QACd,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAE7B,cAAc;QACd,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAErD,wCAAwC;QACxC,MAAM,aAAa,GAAG,EAAE,CAAC;QACzB,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,CAAC,CAAC;QAClE,MAAM,IAAI,aAAa,CAAC;QAExB,4BAA4B;QAC5B,MAAM,kBAAkB,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAElE,yEAAyE;QACzE,MAAM,MAAM,GAAG,EAAE,CAAC;QAClB,MAAM,eAAe,GAAG,MAAM,GAAG,kBAAkB,CAAC;QACpD,OAAO,MAAM,GAAG,eAAe,EAAE,CAAC;YAChC,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACtD,MAAM,CAAC,IAAI,CAAC,EAAE,
KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,yBAAa,CAAC,kCAAkC,CAAC,CAAC;QAC9D,CAAC;QAED,6BAA6B;QAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAE7B,6CAA6C;QAC7C,IAAI,UAAU,CAAC,KAAK,KAAK,yBAAW,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,KAAK,yBAAW,CAAC,IAAI,EAAE,CAAC;YACnF,MAAM,IAAI,yBAAa,CACrB,mCAAmC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,YAAY,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAC7G,CAAC;QACJ,CAAC;QAED,OAAO,QAAQ,CAAC,kBAAkB,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,YAAoB;QAChD,MAAM,cAAc,GAAG,IAAA,sBAAU,EAAC,YAAY,CAAC,CAAC;QAChD,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACjC,MAAM,IAAI,yBAAa,CAAC,+CAA+C,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC;QAClG,CAAC;QAED,OAAO,QAAQ,CAAC,kBAAkB,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;OAOG;IACK,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,cAA0B;QAChE,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACnE,MAAM,qBAAqB,GAAG,MAAM,KAAK,CAAC,qBAAqB,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;QAE3F,OAAO,IAAI,QAAQ,CAAC,KAAK,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC;IAC/D,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,yBAAyB,CAC7B,OAAgB;QAEhB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE,CAAC;QAEzC,sEAAsE;QACtE,+EAA+E;QAC/E,8EAA8E;QAC9E,sDAAsD;QACtD,IAAI,IAAI,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;oBAChC,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,IAAI;iBACX,CAAC;gBACF,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QAED,iFAAiF;QACjF,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,6BAAiB,CAAC,CAAC;QAC9D,MAAM,EAAE,kBAAkB,EAAE,GAAG,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE;YAC/E,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QAEH,wCAAwC;QACxC,MAAM,OAAO,GAAmB;YAC9B,aAAa,EAAE,GAAG;YAClB,UAAU,EAAE,kBAAkB;SAC/B,CAAC;QAEF,6DAA6D;QAC7D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,sBAAQ,CAAC,uBAAuB,EAAE,IAAA,sBAAU,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAA
C;QAE9E,mBAAmB;QACnB,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;QAEvD,+DAA+D;QAC/D,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;QACtC,IAAI,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAE3E,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC7D,WAAW,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QAChC,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAE9B,OAAO;YACL,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,OAAO;gBACP,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,MAAM;aACA,CAAC;YACjB,OAAO;SACR,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,0BAA0B,CAC9B,QAAkB,EAClB,OAAuB;QAEvB,MAAM,KAAK,GAAG,MAAM,2BAA2B,CAAC,OAAO,CAAC,CAAC;QACzD,OAAO,wBAAwB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACnD,CAAC;CACF;AArRD,4BAqRC;AAED;;;GAGG;AACI,KAAK,UAAU,2BAA2B,CAAC,OAAuB;IACvE,MAAM,gBAAgB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,wBAAY,CAAC,CAAC;IAChE,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,MAAM,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,gBAAgB,EAAE,yBAAa,CAAC,CAAC,CAAC;IAC3G,OAAO;QACL,cAAc;QACd,UAAU,EAAE,IAAI,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC;KAC/C,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,6BAA6B,CAAC,KAA2B;IACvE,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,cAAc,EAAE,IAAA,sBAAU,EAAC,KAAK,CAAC,cAAc,CAAC;QAChD,UAAU,EAAE,IAAA,sBAAU,EAAC,KAAK,CAAC,UAAU,CAAC;KACzC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAgB,+BAA+B,CAAC,IAAY;IAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChC,OAAO;QACL,cAAc,EAAE,IAAA,sBAAU,EAAC,MAAM,CAAC,cAAc,CAAC;QACjD,UAAU,EAAE,IAAA,sBAAU,EAAC,MAAM,CAAC,UAAU,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,wBAAwB,CAC5C,QAAkB,EAClB,KAA2B;IAE3B,IAAI,CAAC,QAAQ,CAAC,IAAI;QAAE,OAAO,QAAQ,CAAC;IAEpC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAQ,CAAC,qBAAqB,CAAC,CAAC;IAC9E,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,yBAAa,CAAC,WAAW,sBAAQ,CAAC,qBAAqB,SAAS,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,aAAa,GAAG,IAAA,sBAAU,EAAC,gBAAgB,CAAC,CAAC;IACnD,IAAI,aAAa,CAAC,MAAM,KAAK,iCAAqB,EAAE,CAAC;QACnD,MAAM,IAAI,yBAAa,CAAC,+BAA+B,CAAC,CAA
C;IAC3D,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,IAAA,8BAAkB,EAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAC3F,MAAM,eAAe,GAAG,mBAAmB,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAE/D,OAAO,IAAI,QAAQ,CAAC,eAAe,EAAE;QACnC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,OAAO,EAAE,QAAQ,CAAC,OAAO;KAC1B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAAgC,EAChC,EAAuB;IAEvB,IAAI,MAAM,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAEhC,OAAO,IAAI,cAAc,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,UAAU;YACnB,OAAO,IAAI,EAAE,CAAC;gBACZ,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;oBACvB,MAAM,WAAW,GACf,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;oBAEvE,IAAI,WAAW,KAAK,CAAC,EAAE,CAAC;wBACtB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBACzB,SAAS;oBACX,CAAC;oBAED,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,WAAW,EAAE,CAAC;wBACrC,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,CAAC;wBACpD,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC;wBAEvC,IAAI,CAAC;4BACH,MAAM,SAAS,GAAG,MAAM,IAAA,wBAAY,EAAC,EAAE,EAAE,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;4BAC5D,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;4BAC9B,OAAO;wBACT,CAAC;wBAAC,OAAO,KAAK,EAAE,CAAC;4BACf,UAAU,CAAC,KAAK,CAAC,IAAI,2BAAe,CAClC,8BAA8B,GAAG,GAAG,CAAC,EAAE,EACvC,EAAE,KAAK,EAAE,KAAK,EAAE,CACjB,CAAC,CAAC;4BACH,OAAO;wBACT,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC5C,IAAI,IAAI,EAAE,CAAC;oBACT,UAAU,CAAC,KAAK,EAAE,CAAC;oBACnB,OAAO;gBACT,CAAC;gBAED,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;gBAC/D,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACtB,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;gBACpC,MAAM,GAAG,SAAS,CAAC;YACrB,CAAC;QACH,CAAC;QACD,MAAM,CAAC,MAAM;YACX,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC;KACF,CAAC,CAAC;AACL,CAAC"}
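--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -6,7 +6,8 @@
 * bodies while preserving HTTP headers for routing.
 */
 export { Identity } from './identity.js';
-export type { RequestContext } from './identity.js';
+export type { RequestContext, SessionRecoveryToken } from './identity.js';
+export { extractSessionRecoveryToken, decryptResponseWithToken, serializeSessionRecoveryToken, deserializeSessionRecoveryToken } from './identity.js';
 export { Transport, createTransport } from './client.js';
 export { PROTOCOL, HPKE_CONFIG } from './protocol.js';
 export { EhbpError, KeyConfigMismatchError, ProtocolError, DecryptionError, } from './errors.js';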
package/dist/cjs/index.d.ts.map
@@ -1 +1 @@
1
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;
1
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EAAE,2BAA2B,EAAE,wBAAwB,EAAE,6BAA6B,EAAE,+BAA+B,EAAE,MAAM,eAAe,CAAC;AACtJ,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EACL,SAAS,EACT,sBAAsB,EACtB,aAAa,EACb,eAAe,GAChB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,YAAY,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAEvD,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC"}
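--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -7,9 +7,14 @@
 * bodies while preserving HTTP headers for routing.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AES_GCM_NONCE_LENGTH = exports.AES256_KEY_LENGTH = exports.RESPONSE_NONCE_LENGTH = exports.EXPORT_LENGTH = exports.EXPORT_LABEL = exports.HPKE_REQUEST_INFO = exports.bytesToHex = exports.hexToBytes = exports.decryptChunk = exports.encryptChunk = exports.computeNonce = exports.deriveResponseKeys = exports.DecryptionError = exports.ProtocolError = exports.KeyConfigMismatchError = exports.EhbpError = exports.HPKE_CONFIG = exports.PROTOCOL = exports.createTransport = exports.Transport = exports.Identity = void 0;
+exports.AES_GCM_NONCE_LENGTH = exports.AES256_KEY_LENGTH = exports.RESPONSE_NONCE_LENGTH = exports.EXPORT_LENGTH = exports.EXPORT_LABEL = exports.HPKE_REQUEST_INFO = exports.bytesToHex = exports.hexToBytes = exports.decryptChunk = exports.encryptChunk = exports.computeNonce = exports.deriveResponseKeys = exports.DecryptionError = exports.ProtocolError = exports.KeyConfigMismatchError = exports.EhbpError = exports.HPKE_CONFIG = exports.PROTOCOL = exports.createTransport = exports.Transport = exports.deserializeSessionRecoveryToken = exports.serializeSessionRecoveryToken = exports.decryptResponseWithToken = exports.extractSessionRecoveryToken = exports.Identity = void 0;
 var identity_js_1 = require("./identity.js");
 Object.defineProperty(exports, "Identity", { enumerable: true, get: function () { return identity_js_1.Identity; } });
+var identity_js_2 = require("./identity.js");
+Object.defineProperty(exports, "extractSessionRecoveryToken", { enumerable: true, get: function () { return identity_js_2.extractSessionRecoveryToken; } });
+Object.defineProperty(exports, "decryptResponseWithToken", { enumerable: true, get: function () { return identity_js_2.decryptResponseWithToken; } });
+Object.defineProperty(exports, "serializeSessionRecoveryToken", { enumerable: true, get: function () { return identity_js_2.serializeSessionRecoveryToken; } });
+Object.defineProperty(exports, "deserializeSessionRecoveryToken", { enumerable: true, get: function () { return identity_js_2.deserializeSessionRecoveryToken; } });
 var client_js_1 = require("./client.js");
 Object.defineProperty(exports, "Transport", { enumerable: true, get: function () { return client_js_1.Transport; } });
 Object.defineProperty(exports, "createTransport", { enumerable: true, get: function () { return client_js_1.createTransport; } });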
package/dist/cjs/index.js.map
@@ -1 +1 @@
1
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEH,6CAAyC;AAAhC,uGAAA,QAAQ,OAAA;AAEjB,yCAAyD;AAAhD,sGAAA,SAAS,OAAA;AAAE,4GAAA,eAAe,OAAA;AACnC,6CAAsD;AAA7C,uGAAA,QAAQ,OAAA;AAAE,0GAAA,WAAW,OAAA;AAC9B,yCAKqB;AAJnB,sGAAA,SAAS,OAAA;AACT,mHAAA,sBAAsB,OAAA;AACtB,0GAAA,aAAa,OAAA;AACb,4GAAA,eAAe,OAAA;AAGjB,qDAAqD;AACrD,yCAaqB;AAZnB,+GAAA,kBAAkB,OAAA;AAClB,yGAAA,YAAY,OAAA;AACZ,yGAAA,YAAY,OAAA;AACZ,yGAAA,YAAY,OAAA;AACZ,uGAAA,UAAU,OAAA;AACV,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,yGAAA,YAAY,OAAA;AACZ,0GAAA,aAAa,OAAA;AACb,kHAAA,qBAAqB,OAAA;AACrB,8GAAA,iBAAiB,OAAA;AACjB,iHAAA,oBAAoB,OAAA"}
1
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEH,6CAAyC;AAAhC,uGAAA,QAAQ,OAAA;AAEjB,6CAAsJ;AAA7I,0HAAA,2BAA2B,OAAA;AAAE,uHAAA,wBAAwB,OAAA;AAAE,4HAAA,6BAA6B,OAAA;AAAE,8HAAA,+BAA+B,OAAA;AAC9H,yCAAyD;AAAhD,sGAAA,SAAS,OAAA;AAAE,4GAAA,eAAe,OAAA;AACnC,6CAAsD;AAA7C,uGAAA,QAAQ,OAAA;AAAE,0GAAA,WAAW,OAAA;AAC9B,yCAKqB;AAJnB,sGAAA,SAAS,OAAA;AACT,mHAAA,sBAAsB,OAAA;AACtB,0GAAA,aAAa,OAAA;AACb,4GAAA,eAAe,OAAA;AAGjB,qDAAqD;AACrD,yCAaqB;AAZnB,+GAAA,kBAAkB,OAAA;AAClB,yGAAA,YAAY,OAAA;AACZ,yGAAA,YAAY,OAAA;AACZ,yGAAA,YAAY,OAAA;AACZ,uGAAA,UAAU,OAAA;AACV,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,yGAAA,YAAY,OAAA;AACZ,0GAAA,aAAa,OAAA;AACb,kHAAA,qBAAqB,OAAA;AACrB,8GAAA,iBAAiB,OAAA;AACjB,iHAAA,oBAAoB,OAAA"}
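--- a/package/dist/esm/client.d.ts
+++ b/package/dist/esm/client.d.ts
@@ -1,4 +1,5 @@
 import { Identity } from './identity.js';
+import type { SessionRecoveryToken } from './identity.js';
 import type { Key } from 'hpke';
 /**
 * HTTP transport for EHBP
@@ -6,7 +7,9 @@ import type { Key } from 'hpke';
 export declare class Transport {
 private serverIdentity;
 private serverHost;
+private _lastSessionRecoveryToken?;
 constructor(serverIdentity: Identity, serverHost: string);
+getSessionRecoveryToken(): SessionRecoveryToken;
 /**
 * Create a new transport by fetching server public key.
 */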
package/dist/esm/client.d.ts.map
@@ -1 +1 @@
1
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;
1
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAG1D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAOhC;;GAEG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,cAAc,CAAW;IACjC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,yBAAyB,CAAC,CAAuB;gBAE7C,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM;IAKxD,uBAAuB,IAAI,oBAAoB;IAO/C;;OAEG;WACU,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAuB1D,OAAO,CAAC,MAAM,CAAC,wBAAwB;mBAQlB,sBAAsB;IAiB3C;;OAEG;IACH,iBAAiB,IAAI,QAAQ;IAI7B;;OAEG;IACH,kBAAkB,IAAI,GAAG;IAIzB;;OAEG;IACG,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI9C;;OAEG;IACG,OAAO,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IA8E9E;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAInE;;OAEG;IACG,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIrF;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIpF;;OAEG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;CAGvE;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAE3E"}
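--- a/package/dist/esm/client.js
+++ b/package/dist/esm/client.js
@@ -1,4 +1,5 @@
 import { Identity } from './identity.js';
+import { extractSessionRecoveryToken, decryptResponseWithToken } from './identity.js';
 import { PROTOCOL } from './protocol.js';
 import { KeyConfigMismatchError, ProtocolError } from './errors.js';
 /**
@@ -7,10 +8,17 @@ import { KeyConfigMismatchError, ProtocolError } from './errors.js';
 export class Transport {
 serverIdentity;
 serverHost;
+_lastSessionRecoveryToken;
 constructor(serverIdentity, serverHost) {
 this.serverIdentity = serverIdentity;
 this.serverHost = serverHost;
 }
+getSessionRecoveryToken() {
+if (!this._lastSessionRecoveryToken) {
+throw new Error('No session recovery token available — no request has been made yet');
+}
+return this._lastSessionRecoveryToken;
+}
 /**
 * Create a new transport by fetching server public key.
 */
@@ -117,10 +125,14 @@ export class Transport {
 // Encrypt request (returns context for response decryption)
 // For bodyless requests, context will be null and request passes through unmodified
 const { request: encryptedRequest, context } = await this.serverIdentity.encryptRequestWithContext(request);
+const token = context
+? await extractSessionRecoveryToken(context)
+: undefined;
 // Make the request
 const response = await fetch(encryptedRequest);
 // Bodyless requests: context is null, response is plaintext
-if (
+if (!token) {
+this._lastSessionRecoveryToken = undefined;
 return response;
 }
 // Throws KeyConfigMismatchError if server returned 422 key-config mismatch
@@ -130,8 +142,10 @@ export class Transport {
 if (!responseNonceHeader) {
 throw new ProtocolError(`Missing ${PROTOCOL.RESPONSE_NONCE_HEADER} header`);
 }
-//
-
+// Publish token only after confirming the response is valid
+this._lastSessionRecoveryToken = token;
+// Decrypt response using the already-extracted token
+return await decryptResponseWithToken(response, token);
 }
 /**
 * Convenience method for GET requests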