npm - holosphere - Versions diffs - 2.0.0-alpha13 → 2.0.0-alpha15 - Mend

holosphere 2.0.0-alpha13 → 2.0.0-alpha15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/dist/2019-ATLjawsU.cjs +8 -0
package/dist/{2019-Cp3uYhyY.cjs.map → 2019-ATLjawsU.cjs.map} +1 -1
package/dist/{2019-CLMqIAfQ.js → 2019-BfjzDRje.js} +1667 -1721
package/dist/{2019-CLMqIAfQ.js.map → 2019-BfjzDRje.js.map} +1 -1
package/dist/{browser-nUQt1cnB.js → browser-CKTczilW.js} +2 -2
package/dist/{browser-nUQt1cnB.js.map → browser-CKTczilW.js.map} +1 -1
package/dist/{browser-D6cNVl0v.cjs → browser-GOg6KKOV.cjs} +2 -2
package/dist/{browser-D6cNVl0v.cjs.map → browser-GOg6KKOV.cjs.map} +1 -1
package/dist/cjs/holosphere.cjs +1 -1
package/dist/esm/holosphere.js +25 -21
package/dist/{index-CoAjtqsD.js → index-BdnrGafX.js} +2 -2
package/dist/{index-CoAjtqsD.js.map → index-BdnrGafX.js.map} +1 -1
package/dist/{index-BN_uoxQK.js → index-C3Cag0SV.js} +2558 -495
package/dist/index-C3Cag0SV.js.map +1 -0
package/dist/index-ChpSfdYS.cjs +29 -0
package/dist/index-ChpSfdYS.cjs.map +1 -0
package/dist/{index-DJjGSwXG.cjs → index-D_QecZNu.cjs} +2 -2
package/dist/{index-DJjGSwXG.cjs.map → index-D_QecZNu.cjs.map} +1 -1
package/dist/{index-Z5TstN1e.js → index-nMC3dWZ5.js} +2 -2
package/dist/{index-Z5TstN1e.js.map → index-nMC3dWZ5.js.map} +1 -1
package/dist/{index-Cp3tI53z.cjs → index-z5HWfWMu.cjs} +2 -2
package/dist/{index-Cp3tI53z.cjs.map → index-z5HWfWMu.cjs.map} +1 -1
package/dist/{indexeddb-storage-CZK5A7XH.cjs → indexeddb-storage-DWSeL-YF.cjs} +2 -2
package/dist/{indexeddb-storage-CZK5A7XH.cjs.map → indexeddb-storage-DWSeL-YF.cjs.map} +1 -1
package/dist/{indexeddb-storage-bpA01pAU.js → indexeddb-storage-dx01N0ET.js} +2 -2
package/dist/{indexeddb-storage-bpA01pAU.js.map → indexeddb-storage-dx01N0ET.js.map} +1 -1
package/dist/{memory-storage-BqhmytP_.js → memory-storage-BPIfkpcf.js} +2 -2
package/dist/{memory-storage-BqhmytP_.js.map → memory-storage-BPIfkpcf.js.map} +1 -1
package/dist/{memory-storage-B1k8Jszd.cjs → memory-storage-CKUGDq2d.cjs} +2 -2
package/dist/{memory-storage-B1k8Jszd.cjs.map → memory-storage-CKUGDq2d.cjs.map} +1 -1
package/package.json +3 -1
package/scripts/test-ndk-direct.js +104 -0
package/src/crypto/key-store.js +356 -0
package/src/crypto/lens-keys.js +205 -0
package/src/crypto/secp256k1.js +181 -18
package/src/federation/handshake.js +317 -23
package/src/federation/hologram.js +25 -17
package/src/federation/registry.js +779 -59
package/src/index.js +416 -27
package/src/lib/federation-methods.js +308 -4
package/src/storage/nostr-async.js +144 -86
package/src/storage/nostr-client.js +77 -18
package/src/storage/nostr-wrapper.js +4 -1
package/src/storage/unified-storage.js +5 -4
package/src/subscriptions/manager.js +1 -1
package/vitest.config.js +6 -1
package/dist/2019-Cp3uYhyY.cjs +0 -8
package/dist/index-BN_uoxQK.js.map +0 -1
package/dist/index-V8EHMYEY.cjs +0 -29
package/dist/index-V8EHMYEY.cjs.map +0 -1

package/src/crypto/secp256k1.js CHANGED Viewed

@@ -10,20 +10,23 @@
 import { sha256 } from '@noble/hashes/sha256';
 import { bytesToHex, hexToBytes } from '@noble/hashes/utils';
-import { secp256k1 } from '@noble/curves/secp256k1';
+import { secp256k1, schnorr } from '@noble/curves/secp256k1';
 /**
- * Get public key from private key
+ * Get public key from private key (x-only / schnorr format for Nostr compatibility)
  * @param {string} privateKey - Private key (hex string)
- * @returns {string} Public key (hex string)
+ * @returns {string} Public key (64-char hex string, x-only format)
  */
 export function getPublicKey(privateKey) {
-  const pubKey = secp256k1.getPublicKey(privateKey);
+  // Use schnorr.getPublicKey for x-only format (32 bytes, 64 hex chars)
+  // This is compatible with Nostr and matches nostr-tools format
+  const pubKey = schnorr.getPublicKey(privateKey);
   return bytesToHex(pubKey);
 }
 /**
- * Sign content with private key
+ * Sign content with private key using schnorr signature
+ * Uses schnorr for compatibility with x-only public keys (Nostr standard)
  * @param {string} content - Content to sign (will be hashed)
  * @param {string} privateKey - Private key (hex string)
  * @returns {Promise<string>} Signature (hex string)
@@ -33,30 +36,32 @@ export async function sign(content, privateKey) {
     // Hash content
     const msgHash = hashContent(content);
-    // Sign - secp256k1.sign returns Signature object
-    const signature = secp256k1.sign(msgHash, privateKey);
-    return signature.toCompactHex();
+    // Use schnorr.sign for x-only key compatibility
+    const signature = schnorr.sign(msgHash, privateKey);
+    return bytesToHex(signature);
   } catch (error) {
     throw new Error(`Signature generation failed: ${error.message}`);
   }
 }
 /**
- * Verify signature
+ * Verify schnorr signature
+ * Uses schnorr for compatibility with x-only public keys (Nostr standard)
  * @param {string} content - Original content
  * @param {string} signature - Signature (hex string)
- * @param {string} publicKey - Public key (hex string)
+ * @param {string} publicKey - Public key (hex string, x-only format)
  * @returns {Promise<boolean>} True if valid
  */
 export async function verify(content, signature, publicKey) {
   try {
-    // Validate public key format
+    // Validate public key format (x-only is 64 hex chars)
     if (!publicKey || typeof publicKey !== 'string' || publicKey.length < 64) {
       throw new Error('Invalid public key format');
     }
     const msgHash = hashContent(content);
-    const isValid = secp256k1.verify(signature, msgHash, publicKey);
+    // Use schnorr.verify for x-only key compatibility
+    const isValid = schnorr.verify(signature, msgHash, publicKey);
     return isValid;
   } catch (error) {
     // Invalid signatures or keys throw errors
@@ -169,10 +174,12 @@ export async function issueCapability(permissions, scope, recipient, options = {
   };
   // Encode token as base64
+  // Use browser-native btoa when available to avoid Buffer serialization issues
+  // (Buffer can serialize to {"type":"Buffer","data":[...]} in JSON)
   const payload = JSON.stringify(token);
-  const encoded = Buffer.from ?
-    Buffer.from(payload).toString('base64') :
-    btoa(payload);
+  const encoded = typeof btoa === 'function'
+    ? btoa(payload)
+    : Buffer.from(payload).toString('base64');
   // If issuerKey provided, sign the token
   if (issuerKey) {
@@ -225,6 +232,30 @@ export async function verifyCapability(token, requiredPermission, scope) {
       token = token.token;  // Extract the actual token string
     }
+    // Handle Buffer serialization format {"type":"Buffer","data":[...]}
+    // This can happen when Buffer is polyfilled and JSON serialized
+    if (token && typeof token === 'object' && token.type === 'Buffer' && Array.isArray(token.data)) {
+      try {
+        // Convert Buffer data array back to string
+        token = String.fromCharCode.apply(null, token.data);
+      } catch (e) {
+        console.log('[verifyCapability] ❌ Failed to decode Buffer object:', e.message);
+        return false;
+      }
+    }
+    // Handle comma-separated byte string (e.g., "123,34,116,...")
+    // This can happen when Uint8Array.toString() is called
+    if (typeof token === 'string' && /^\d+(,\d+)+$/.test(token.substring(0, 50))) {
+      try {
+        const bytes = token.split(',').map(Number);
+        token = String.fromCharCode.apply(null, bytes);
+      } catch (e) {
+        console.log('[verifyCapability] ❌ Failed to decode byte string:', e.message);
+        return false;
+      }
+    }
     // Decode if string
     if (typeof token === 'string') {
       // Check if it's a base64-encoded token (starts with "ey" for JSON base64)
@@ -232,9 +263,10 @@ export async function verifyCapability(token, requiredPermission, scope) {
         // Base64 encoded (with or without signature)
         try {
           const payload = token.includes('.') ? token.split('.')[0] : token;
-          const decoded = Buffer.from ?
-            Buffer.from(payload, 'base64').toString('utf8') :
-            atob(payload);
+          // Prefer browser-native atob to avoid Buffer issues
+          const decoded = typeof atob === 'function'
+            ? atob(payload)
+            : Buffer.from(payload, 'base64').toString('utf8');
           tokenObj = JSON.parse(decoded);
         } catch (e) {
           console.log('[verifyCapability] ❌ Token is not valid base64 JSON:', {
@@ -307,6 +339,137 @@ export async function verifyCapability(token, requiredPermission, scope) {
   }
 }
+/**
+ * Verify that a capability token was issued by the expected author.
+ * This is the core security check for the object-capability model.
+ * A hologram should only be resolvable if the capability issuer matches
+ * the claimed data author AND the signature was made by that author's key.
+ *
+ * @param {string} token - Capability token
+ * @param {string} expectedIssuer - Expected issuer public key (data author)
+ * @returns {Promise<boolean>} True if issuer matches expected AND signature is valid
+ */
+export async function verifyCapabilityIssuer(token, expectedIssuer) {
+  try {
+    // Handle capability object wrapper
+    if (token && typeof token === 'object' && token.token) {
+      token = token.token;
+    }
+    // Handle Buffer serialization format
+    if (token && typeof token === 'object' && token.type === 'Buffer' && Array.isArray(token.data)) {
+      token = String.fromCharCode.apply(null, token.data);
+    }
+    // Must be a string at this point
+    if (typeof token !== 'string') {
+      console.log('[verifyCapabilityIssuer] ❌ Token is not a string');
+      return false;
+    }
+    // Extract payload and signature from token
+    let payload;
+    let signature;
+    let tokenObj;
+    if (token.includes('.')) {
+      // Token has signature: payload.signature
+      const parts = token.split('.');
+      const encodedPayload = parts[0];
+      signature = parts[1];
+      // Decode payload
+      const decoded = typeof atob === 'function'
+        ? atob(encodedPayload)
+        : Buffer.from(encodedPayload, 'base64').toString('utf8');
+      payload = decoded;
+      tokenObj = JSON.parse(decoded);
+    } else if (token.startsWith('ey')) {
+      // Base64 encoded without signature
+      const decoded = typeof atob === 'function'
+        ? atob(token)
+        : Buffer.from(token, 'base64').toString('utf8');
+      payload = decoded;
+      tokenObj = JSON.parse(decoded);
+    } else if (token.startsWith('{')) {
+      // Already JSON string
+      payload = token;
+      tokenObj = JSON.parse(token);
+    } else {
+      console.log('[verifyCapabilityIssuer] ❌ Unknown token format');
+      return false;
+    }
+    // Verify issuer field matches expected
+    if (tokenObj.issuer !== expectedIssuer) {
+      console.log('[verifyCapabilityIssuer] ❌ Issuer mismatch:', {
+        tokenIssuer: tokenObj.issuer?.slice(0, 12) + '...',
+        expectedIssuer: expectedIssuer?.slice(0, 12) + '...',
+      });
+      return false;
+    }
+    // CRITICAL: Verify signature was made by the claimed issuer's private key
+    // This prevents forged capabilities where someone claims a different issuer
+    if (signature) {
+      const signatureValid = await verify(payload, signature, expectedIssuer);
+      if (!signatureValid) {
+        console.log('[verifyCapabilityIssuer] ❌ Signature verification failed - capability not signed by claimed issuer');
+        return false;
+      }
+    } else {
+      // No signature - for backwards compatibility, allow unsigned tokens
+      // but log a warning
+      console.log('[verifyCapabilityIssuer] ⚠️ Token has no signature - cannot verify cryptographically');
+    }
+    console.log('[verifyCapabilityIssuer] ✅ Issuer verified');
+    return true;
+  } catch (error) {
+    console.log('[verifyCapabilityIssuer] ❌ Error:', error.message);
+    return false;
+  }
+}
+/**
+ * Decode a capability token to extract its payload.
+ * Useful for inspecting capability contents without full verification.
+ *
+ * @param {string} token - Capability token
+ * @returns {Object|null} Decoded token payload or null if invalid
+ */
+export function decodeCapability(token) {
+  try {
+    // Handle capability object wrapper
+    if (token && typeof token === 'object' && token.token) {
+      token = token.token;
+    }
+    // Handle Buffer serialization format
+    if (token && typeof token === 'object' && token.type === 'Buffer' && Array.isArray(token.data)) {
+      token = String.fromCharCode.apply(null, token.data);
+    }
+    if (typeof token !== 'string') {
+      return null;
+    }
+    if (token.startsWith('ey') || (!token.includes('.') && !token.startsWith('{'))) {
+      const payload = token.includes('.') ? token.split('.')[0] : token;
+      const decoded = typeof atob === 'function'
+        ? atob(payload)
+        : Buffer.from(payload, 'base64').toString('utf8');
+      return JSON.parse(decoded);
+    } else if (token.startsWith('{')) {
+      return JSON.parse(token);
+    }
+    return null;
+  } catch (error) {
+    return null;
+  }
+}
 /**
  * Generate unique nonce
  * @private