npm - hbsig - Versions diffs - 0.2.8 → 0.3.1 - Mend

hbsig 0.2.8 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/esm/parser.js CHANGED Viewed

@@ -26,7 +26,7 @@ export function decodeSigInput(signatureInput, signatureName = null) {
       // Extract from signature name to the next signature (if any) or end
       const nextSigMatch = signatureInput
         .substring(startIndex + signatureName.length)
-        .match(/,\s*[a-zA-Z0-9-]+=/)
+        .match(/,\s*[a-zA-Z0-9_-]+=/)
       const endIndex = nextSigMatch
         ? startIndex + signatureName.length + nextSigMatch.index
         : signatureInput.length
@@ -38,13 +38,13 @@ export function decodeSigInput(signatureInput, signatureName = null) {
     const signatures = {}
     // Split by signature entries (handle multiple signatures)
-    const entries = inputToDecode.split(/,(?=\s*[a-zA-Z0-9-]+=)/)
+    const entries = inputToDecode.split(/,(?=\s*[a-zA-Z0-9_-]+=)/)
     for (const entry of entries) {
       const trimmedEntry = entry.trim()
       // Match signature-name=(components);params format
-      const match = trimmedEntry.match(/^([a-zA-Z0-9-]+)=\(([^)]*)\)(.*)$/)
+      const match = trimmedEntry.match(/^([a-zA-Z0-9_-]+)=\(([^)]*)\)(.*)$/)
       if (!match) {
         continue
       }
@@ -126,15 +126,33 @@ export function extractPubKey(headers, signatureName) {
   if (!decoded) return null
   // If we decoded a specific signature, use its keyid
-  const keyid =
-    signatureName && decoded.params
-      ? decoded.params.keyid
-      : Object.values(decoded)[0]?.params?.keyid
+  // When no specific signatureName, prefer RSA signature over HMAC
+  // (HMAC keyid is "constant:ao" which is not a real public key)
+  let keyid = null
+  if (signatureName && decoded.params) {
+    keyid = decoded.params.keyid
+  } else {
+    const entries = Object.values(decoded)
+    const rsaEntry = entries.find(e => e.params?.alg?.startsWith("rsa-"))
+    keyid = rsaEntry?.params?.keyid || entries[0]?.params?.keyid
+  }
   if (!keyid) return null
   try {
-    return base64url.toBuffer(keyid)
+    // Strip scheme prefix if present (e.g., "publickey:base64data" -> "base64data")
+    let keyidToDecode = keyid
+    if (keyid.includes(":")) {
+      const colonIndex = keyid.indexOf(":")
+      keyidToDecode = keyid.substring(colonIndex + 1)
+    }
+    // Handle both base64url and standard base64 encoding
+    // Standard base64 uses +/ while base64url uses -_
+    if (keyidToDecode.includes("+") || keyidToDecode.includes("/")) {
+      // Standard base64 - convert to buffer directly
+      return Buffer.from(keyidToDecode, "base64")
+    }
+    return base64url.toBuffer(keyidToDecode)
   } catch (error) {
     return null
   }

package/esm/send.js CHANGED Viewed

@@ -41,7 +41,6 @@ export async function send(signedMsg, fetchImpl = fetch) {
   ) {
     fetchOptions.body = signedMsg.body
   }
   const response = await fetchImpl(signedMsg.url, fetchOptions)
   if (response.status >= 400) {
     throw new Error(`${response.status}: ${await response.text()}`)
@@ -54,7 +53,9 @@ export const httpSigName = address => {
   const hexString = [...decoded.subarray(1, 9)]
     .map(byte => byte.toString(16).padStart(2, "0"))
     .join("")
-  return `http-sig-${hexString}`
+  // Use 'comm-' prefix to match HyperBEAM's siginfo_to_commitments pattern
+  // (it strips <<"comm-", Rest/binary>> before parsing structured fields)
+  return `comm-${hexString}`
 }
 const toView = value => {
@@ -80,11 +81,15 @@ export const toHttpSigner = signer => {
       const { publicKey, alg = "rsa-pss-sha512" } = injected
       const publicKeyBuffer = toView(publicKey)
+      // Use standard base64 encoding for keyid to be compatible with HyperBEAM's
+      // base64:decode in dev_codec_httpsig_keyid:apply_scheme
+      // Include "publickey:" prefix so HyperBEAM knows the key scheme
+      const keyidBase64 = `publickey:${publicKeyBuffer.toString("base64")}`
       const signingParameters = createSigningParameters({
         params,
         paramValues: {
-          keyid: base64url.encode(publicKeyBuffer),
+          keyid: keyidBase64,
           alg,
         },
       })

package/esm/signer-utils.js CHANGED Viewed

@@ -282,11 +282,15 @@ export const toHttpSigner = signer => {
       const { publicKey, alg = "rsa-pss-sha512" } = injected
       const publicKeyBuffer = toView(publicKey)
+      // Use standard base64 encoding for keyid to be compatible with HyperBEAM's
+      // base64:decode in dev_codec_httpsig_keyid:apply_scheme
+      // Include "publickey:" prefix so HyperBEAM knows the key scheme
+      const keyidBase64 = `publickey:${publicKeyBuffer.toString("base64")}`
       const signingParameters = createSigningParameters({
         params,
         paramValues: {
-          keyid: base64url.encode(publicKeyBuffer),
+          keyid: keyidBase64,
           alg,
         },
       })

package/esm/signer.js CHANGED Viewed

@@ -96,173 +96,22 @@ const hasBinaryData = obj => {
   return false
 }
-// Helper to check if value is a simple array that should use structured fields
-const isSimpleArray = value => {
-  if (!Array.isArray(value)) return false
-  return value.every(item => {
-    // Simple types that can be in structured field lists
-    if (typeof item === "string") return true
-    if (typeof item === "number") return true
-    if (typeof item === "boolean") return true
-    if (isBytes(item)) return true
-    // Complex types cannot be in structured field lists
-    if (item && typeof item === "object") return false
-    return true
-  })
-}
-// Helper to encode array as structured field list
-const encodeAsStructuredFieldList = arr => {
-  return arr
-    .map(item => {
-      if (typeof item === "string") {
-        // String values are quoted
-        return `"${item.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`
-      } else if (typeof item === "number") {
-        // Numbers are bare
-        return String(item)
-      } else if (typeof item === "boolean") {
-        // Booleans use ?0 or ?1
-        return item ? "?1" : "?0"
-      } else if (isBytes(item)) {
-        // Binary data as byte sequences
-        const buffer = Buffer.isBuffer(item) ? item : Buffer.from(item)
-        return `:${buffer.toString("base64")}:`
-      } else {
-        // Fallback
-        return `"${String(item)}"`
-      }
-    })
-    .join(", ")
-}
-const smartSign = async (obj, path) => {
-  try {
-    // Filter out undefined values
-    const filtered = filterUndefined(obj)
-    // Check if we can encode everything as headers (no multipart needed)
-    let canUseSimpleEncoding = true
-    let hasBodyField = false
-    for (const [key, value] of Object.entries(filtered)) {
-      if (key === "path") continue
-      // Check if this is the "body" field
-      if (key === "body" || key === "data") {
-        hasBodyField = true
-        // Only use multipart if body/data is actually binary
-        if (isBytes(value)) {
-          canUseSimpleEncoding = false
-          break
-        }
-      }
-      // Complex nested objects need multipart
-      if (
-        value &&
-        typeof value === "object" &&
-        !Array.isArray(value) &&
-        !isBytes(value)
-      ) {
-        if (Object.keys(value).length > 0) {
-          canUseSimpleEncoding = false
-          break
-        }
-      }
-      // Arrays with complex items need multipart
-      if (Array.isArray(value) && !isSimpleArray(value)) {
-        canUseSimpleEncoding = false
-        break
-      }
-    }
-    if (canUseSimpleEncoding) {
-      // Build a simple message that won't trigger multipart
-      const message = {}
-      if (path) message.path = path
-      const types = []
-      for (const [key, value] of Object.entries(filtered)) {
-        if (key === "path") continue
-        if (value === "") {
-          types.push(`${key}="empty-binary"`)
-        } else if (Array.isArray(value) && value.length === 0) {
-          types.push(`${key}="empty-list"`)
-        } else if (
-          value &&
-          typeof value === "object" &&
-          Object.keys(value).length === 0
-        ) {
-          types.push(`${key}="empty-message"`)
-        } else if (isSimpleArray(value)) {
-          types.push(`${key}="list"`)
-          message[key] = encodeAsStructuredFieldList(value)
-        } else if (typeof value === "number") {
-          types.push(
-            `${key}="${Number.isInteger(value) ? "integer" : "float"}"`
-          )
-          message[key] = String(value)
-        } else if (typeof value === "boolean") {
-          types.push(`${key}="atom"`)
-          message[key] = String(value)
-        } else if (value === null || value === undefined) {
-          types.push(`${key}="atom"`)
-          message[key] = String(value)
-        } else if (typeof value === "string") {
-          message[key] = value
-        }
-      }
-      if (types.length > 0) {
-        message["ao-types"] = types.join(", ")
-      }
-      return httpsig_to(message)
-    }
-    // For complex structures that need multipart, use enc()
-    const normalized = normalize({
-      ...filtered,
-      ...(path && { path }),
-    })
-    const result = await enc(normalized)
-    // enc() returns { headers: {...}, body: ... }
-    // We need to flatten this for httpsig_to
-    const flattened = {
-      ...result.headers,
-      body: result.body,
-      ...(path && { path }),
-    }
-    // httpsig_to expects the structured format
-    const encoded = httpsig_to(flattened)
-    return encoded
-  } catch (error) {
-    console.error("Encoding failed:", error)
-    // Fallback: create a simple structure
-    const result = {}
-    if (path) result.path = path
-    for (const [key, value] of Object.entries(obj)) {
-      if (key === "path") continue
-      if (!isBytes(value) && value !== undefined) {
-        result[key] = value
-      }
+// Helper to build ao-types string from an object
+const buildAoTypes = (obj) => {
+  const types = []
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === "number") {
+      types.push(`${key}="${Number.isInteger(value) ? "integer" : "float"}"`)
+    } else if (typeof value === "boolean") {
+      types.push(`${key}="atom"`)
+    } else if (value === null) {
+      types.push(`${key}="atom"`)
+    } else if (typeof value === "symbol") {
+      // Symbols are Erlang atoms
+      types.push(`${key}="atom"`)
     }
-    return result
   }
+  return types.length > 0 ? types.join(", ") : null
 }
 // Internal encode function that uses the original impl as much as possible
@@ -272,22 +121,30 @@ const encode = async (obj, path) => {
   // If object contains binary data, use enc() directly
   if (hasBinaryData(filtered)) {
-    // For binary data, use enc() which handles multipart
     return await enc(filtered)
   }
-  // Otherwise use the standard pipeline
-  let fields = { ...filtered }
   // Only add path if explicitly provided
+  let fields = { ...filtered }
   if (path) fields.path = path
+  // Build ao-types annotation for typed values (integers, booleans, etc.)
+  // This tells HyperBEAM how to convert values during verification
+  // Merge with any existing ao-types (e.g., list annotations from hb.js)
+  const aoTypes = buildAoTypes(filtered)
+  if (aoTypes) {
+    const existing = fields["ao-types"]
+    fields["ao-types"] = existing ? existing + ", " + aoTypes : aoTypes
+  }
   // Try the standard encoding pipeline
   const encoded = httpsig_to(normalize(structured_from(normalize(fields))))
   // Check if the encoded result is valid for HTTP headers
   if (!isValid(encoded)) {
     // If invalid, fall back to enc()
-    return await enc(filtered)
+    const encResult = await enc(filtered)
+    return encResult
   }
   // For non-binary data, return in the same format as enc()
@@ -346,8 +203,14 @@ async function _sign({
   let url_path = typeof signPath === "string" ? signPath : path
   const _url = joinUrl({ url, path: url_path })
-  // Only add path header if path is provided
-  if (path) headersObj["path"] = path
+  // Only add path header if it's a data field (doesn't start with "/").
+  // URL paths (like "/relay/process") should NOT be added to headers.
+  // Data fields named "path" (e.g., "credit-notice") should be signed.
+  const isDataFieldPath = path && typeof path === "string" && !path.startsWith("/")
+  if (isDataFieldPath && !headersObj["path"]) headersObj["path"] = path
+  // Add accept-bundle header to request inline data instead of links
+  headersObj["accept-bundle"] = "true"
   if (body && !headersObj["content-length"]) {
     const bodySize = body.size || body.byteLength || 0
@@ -366,15 +229,27 @@ async function _sign({
         .map(k => k.trim())
     : []
+  // Exclude metadata fields that get consumed/stripped during JSON codec parsing:
+  // - ao-types: used for type conversion, then removed by structured codec
+  // - accept-bundle: request metadata for inlining nested data
+  // - content-digest: only exclude when no body; when body exists, sign it so
+  //   HyperBEAM can map content-digest → body → ao-body-key field in committed list
+  // Note: "path" as a data field (e.g., path: "credit-notice") should be signed.
+  // The @path derived component (HTTP request URL) is handled separately.
+  const metadataFields = ["body-keys", "ao-types", "accept-bundle", "content-length"]
+  if (!body) {
+    metadataFields.push("content-digest")
+  }
   let isPath = false
   const signingFields = Object.keys(lowercaseHeaders).filter(key => {
     if (key === "path") isPath = true
-    return key !== "body-keys" && key !== "path" && !bodyKeys.includes(key)
+    return !metadataFields.includes(key) && !bodyKeys.includes(key)
   })
   // Only add @path if signPath is enabled AND path header exists
   if (signPath !== false && isPath) signingFields.push("@path")
   const signedRequest = await toHttpSigner(signer)({
     request: { url: _url, method, headers: lowercaseHeaders },
     fields: signingFields,
@@ -405,11 +280,28 @@ export function signer(config) {
     fields,
     { encoded: _encoded = false, path: signPath = true } = {}
   ) => {
-    const { path = "/relay/process", method = "POST", ...aoFields } = fields
+    const { method = "POST", ...restFields } = fields
+    // Distinguish URL paths from data fields:
+    // - URL paths start with "/" (e.g., "/relay/process")
+    // - Data fields don't (e.g., "credit-notice" for P4 ledger actions)
+    const fieldsPath = restFields.path
+    const isUrlPath = typeof fieldsPath === "string" && fieldsPath.startsWith("/")
+    const path = isUrlPath ? fieldsPath : "/relay/process"
+    // Keep path in data fields if it's not a URL path
+    let aoFields
+    if (isUrlPath) {
+      const { path: _, ...rest } = restFields
+      aoFields = rest
+    } else {
+      aoFields = restFields  // path stays as data field
+    }
     const filteredFields = filterUndefined(aoFields)
     const encoded = _encoded
       ? filteredFields
-      : await encode(filteredFields, path)
+      : await encode(filteredFields, null)
     return await _sign({ path, signPath, method, encoded, signer, url })
   }
 }