jazz-tools 0.19.19 → 0.19.20

package/src/react-native-core/tests/PasskeyAuth.test.ts

@@ -0,0 +1,463 @@
+// @vitest-environment happy-dom
+
+import { AgentSecret } from "cojson";
+import { Account, InMemoryKVStore, KvStoreContext } from "jazz-tools";
+import { AuthSecretStorage } from "jazz-tools";
+import { createJazzTestAccount } from "jazz-tools/testing";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+  ReactNativePasskeyAuth,
+  setPasskeyModule,
+} from "../auth/PasskeyAuth.js";
+import {
+  base64UrlToUint8Array,
+  uint8ArrayToBase64Url,
+} from "../auth/passkey-utils.js";
+
+// Create mock functions
+const mockCreate = vi.fn();
+const mockGet = vi.fn();
+const mockIsSupported = vi.fn();
+
+// Create mock passkey module
+const mockPasskeyModule = {
+  create: mockCreate,
+  get: mockGet,
+  isSupported: mockIsSupported,
+};
+
+KvStoreContext.getInstance().initialize(new InMemoryKVStore());
+const authSecretStorage = new AuthSecretStorage();
+
+beforeEach(async () => {
+  await authSecretStorage.clear();
+  vi.clearAllMocks();
+
+  // Inject the mock module using dependency injection
+  setPasskeyModule(mockPasskeyModule);
+
+  await createJazzTestAccount({
+    isCurrentActiveAccount: true,
+  });
+});
+
+describe("ReactNativePasskeyAuth", () => {
+  const mockCrypto = {
+    randomBytes: (l: number) => crypto.getRandomValues(new Uint8Array(l)),
+    newRandomSecretSeed: () => new Uint8Array(32).fill(1),
+    agentSecretFromSecretSeed: () => "mock-secret" as AgentSecret,
+  } as any;
+  const mockAuthenticate = vi.fn();
+
+  describe("initialization", () => {
+    it("should initialize with app name and rpId", () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+      expect(auth.appName).toBe("Test App");
+      expect(auth.rpId).toBe("example.com");
+    });
+
+    it("should have static id property", () => {
+      expect(ReactNativePasskeyAuth.id).toBe("passkey");
+    });
+  });
+
+  describe("logIn", () => {
+    it("should call Passkey.get with correct parameters", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      // Create a mock credential payload (secretSeed + accountID)
+      const mockPayload = new Uint8Array(56);
+      mockPayload.fill(1, 0, 32); // secretSeed
+      mockPayload.fill(2, 32, 56); // accountID hash
+
+      mockGet.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          authenticatorData: "mock-auth-data",
+          signature: "mock-signature",
+          userHandle: uint8ArrayToBase64Url(mockPayload),
+        },
+      });
+
+      await auth.logIn();
+
+      expect(mockGet).toHaveBeenCalledWith({
+        challenge: expect.any(String),
+        rpId: "example.com",
+        timeout: 60000,
+        userVerification: "preferred",
+      });
+
+      expect(mockAuthenticate).toHaveBeenCalledWith({
+        accountID: expect.any(String),
+        accountSecret: "mock-secret",
+      });
+    });
+
+    it("should store credentials after successful login", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      const mockPayload = new Uint8Array(56);
+      mockPayload.fill(1, 0, 32);
+      mockPayload.fill(2, 32, 56);
+
+      mockGet.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          authenticatorData: "mock-auth-data",
+          signature: "mock-signature",
+          userHandle: uint8ArrayToBase64Url(mockPayload),
+        },
+      });
+
+      await auth.logIn();
+
+      const stored = await authSecretStorage.get();
+      expect(stored).toEqual({
+        accountID: expect.any(String),
+        secretSeed: expect.any(Uint8Array),
+        accountSecret: "mock-secret",
+        provider: "passkey",
+      });
+    });
+
+    it("should throw error when passkey authentication fails", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      mockGet.mockRejectedValue(new Error("User cancelled"));
+
+      await expect(auth.logIn()).rejects.toThrow(
+        "Passkey authentication aborted",
+      );
+    });
+
+    it("should return early when passkey.get returns null", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      mockGet.mockResolvedValue(null);
+
+      await auth.logIn();
+
+      expect(mockAuthenticate).not.toHaveBeenCalled();
+    });
+
+    it("should throw error when userHandle is null", async () => {
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      mockGet.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          authenticatorData: "mock-auth-data",
+          signature: "mock-signature",
+          userHandle: null,
+        },
+      });
+
+      await expect(auth.logIn()).rejects.toThrow(
+        "Passkey credential is missing userHandle",
+      );
+    });
+  });
+
+  describe("signUp", () => {
+    it("should call Passkey.create with correct parameters", async () => {
+      // Use the real account from createJazzTestAccount
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      // Set up credentials with the real account ID
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      expect(mockCreate).toHaveBeenCalledWith({
+        challenge: expect.any(String),
+        rp: {
+          id: "example.com",
+          name: "Test App",
+        },
+        user: {
+          id: expect.any(String),
+          name: expect.stringContaining("testuser"),
+          displayName: "testuser",
+        },
+        pubKeyCredParams: [
+          { alg: -7, type: "public-key" },
+          { alg: -257, type: "public-key" },
+        ],
+        authenticatorSelection: {
+          residentKey: "required",
+          userVerification: "preferred",
+        },
+        timeout: 60000,
+        attestation: "none",
+      });
+    });
+
+    it("should update provider to passkey after signup", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      const stored = await authSecretStorage.get();
+      expect(stored?.provider).toBe("passkey");
+    });
+
+    it("should throw error when no credentials exist", async () => {
+      await authSecretStorage.clear();
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await expect(auth.signUp("testuser")).rejects.toThrow(
+        "Not enough credentials to register the account with passkey",
+      );
+    });
+
+    it("should throw error when passkey creation fails", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockRejectedValue(new Error("User cancelled"));
+
+      await expect(auth.signUp("testuser")).rejects.toThrow(
+        "Passkey creation aborted",
+      );
+    });
+
+    it("should leave profile name unchanged if username is empty", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("");
+
+      const currentAccount = await Account.getMe().$jazz.ensureLoaded({
+        resolve: {
+          profile: true,
+        },
+      });
+
+      // 'Test Account' is the name provided during account creation
+      expect(currentAccount.profile.name).toEqual("Test Account");
+    });
+
+    it("should update profile name if username is provided", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      const currentAccount = await Account.getMe().$jazz.ensureLoaded({
+        resolve: {
+          profile: true,
+        },
+      });
+
+      expect(currentAccount.profile.name).toEqual("testuser");
+    });
+  });
+
+  describe("credential encoding", () => {
+    it("should encode user.id as base64url in create request", async () => {
+      const me = await Account.getMe().$jazz.ensureLoaded({ resolve: true });
+
+      const auth = new ReactNativePasskeyAuth(
+        mockCrypto,
+        mockAuthenticate,
+        authSecretStorage,
+        "Test App",
+        "example.com",
+      );
+
+      await authSecretStorage.set({
+        accountID: me.$jazz.id,
+        secretSeed: new Uint8Array(32).fill(1),
+        accountSecret: "mock-secret" as AgentSecret,
+        provider: "anonymous",
+      });
+
+      mockCreate.mockResolvedValue({
+        id: "credential-id",
+        rawId: "raw-credential-id",
+        type: "public-key",
+        response: {
+          clientDataJSON: "mock-client-data",
+          attestationObject: "mock-attestation",
+        },
+      });
+
+      await auth.signUp("testuser");
+
+      const createCall = mockCreate.mock.calls[0]![0];
+      const userId = createCall.user.id;
+
+      // Should be a valid base64url string (no +, /, or =)
+      expect(userId).not.toContain("+");
+      expect(userId).not.toContain("/");
+      expect(userId).not.toContain("=");
+
+      // Should decode to expected length (secretSeedLength 32 + shortHashLength 19 = 51 bytes)
+      const decoded = base64UrlToUint8Array(userId);
+      expect(decoded.length).toBe(51);
+    });
+  });
+});

package/src/react-native-core/tests/passkey-utils.test.ts

@@ -0,0 +1,144 @@
+import { describe, expect, it } from "vitest";
+import {
+  base64UrlToUint8Array,
+  uint8ArrayToBase64Url,
+} from "../auth/passkey-utils";
+
+describe("passkey-utils", () => {
+  describe("uint8ArrayToBase64Url", () => {
+    it("should encode an empty array", () => {
+      const bytes = new Uint8Array([]);
+      expect(uint8ArrayToBase64Url(bytes)).toBe("");
+    });
+
+    it("should encode a simple byte array", () => {
+      // "Hello" in bytes
+      const bytes = new Uint8Array([72, 101, 108, 108, 111]);
+      expect(uint8ArrayToBase64Url(bytes)).toBe("SGVsbG8");
+    });
+
+    it("should use base64url alphabet (- instead of +)", () => {
+      // Bytes that produce + in standard base64
+      const bytes = new Uint8Array([251, 239]); // produces "++" in base64
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result).not.toContain("+");
+      expect(result).toContain("-");
+    });
+
+    it("should use base64url alphabet (_ instead of /)", () => {
+      // Bytes that produce / in standard base64
+      const bytes = new Uint8Array([255, 255]); // produces "//" in base64
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result).not.toContain("/");
+      expect(result).toContain("_");
+    });
+
+    it("should omit padding", () => {
+      // Single byte produces base64 with padding
+      const bytes = new Uint8Array([1]);
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result).not.toContain("=");
+    });
+
+    it("should handle typical credential payload size (56 bytes)", () => {
+      // secretSeedLength (32) + shortHashLength (19) = 51 bytes
+      const bytes = new Uint8Array(56);
+      for (let i = 0; i < 56; i++) {
+        bytes[i] = i;
+      }
+      const result = uint8ArrayToBase64Url(bytes);
+      expect(result.length).toBeGreaterThan(0);
+      expect(result).not.toContain("+");
+      expect(result).not.toContain("/");
+      expect(result).not.toContain("=");
+    });
+  });
+
+  describe("base64UrlToUint8Array", () => {
+    it("should decode an empty string", () => {
+      const result = base64UrlToUint8Array("");
+      expect(result).toEqual(new Uint8Array([]));
+    });
+
+    it("should decode a simple base64url string", () => {
+      // "SGVsbG8" is "Hello" in base64url
+      const result = base64UrlToUint8Array("SGVsbG8");
+      expect(result).toEqual(new Uint8Array([72, 101, 108, 108, 111]));
+    });
+
+    it("should handle - character (base64url for +)", () => {
+      const result = base64UrlToUint8Array("--8");
+      expect(result).toBeInstanceOf(Uint8Array);
+    });
+
+    it("should handle _ character (base64url for /)", () => {
+      const result = base64UrlToUint8Array("__8");
+      expect(result).toBeInstanceOf(Uint8Array);
+    });
+
+    it("should add padding automatically", () => {
+      // "AQ" needs padding to become "AQ==" for valid base64
+      const result = base64UrlToUint8Array("AQ");
+      expect(result).toEqual(new Uint8Array([1]));
+    });
+
+    it("should handle strings that need 1 padding char", () => {
+      // 3 chars needs 1 padding
+      const result = base64UrlToUint8Array("ABC");
+      expect(result).toBeInstanceOf(Uint8Array);
+      expect(result.length).toBe(2);
+    });
+
+    it("should handle strings that need 2 padding chars", () => {
+      // 2 chars needs 2 padding
+      const result = base64UrlToUint8Array("AB");
+      expect(result).toBeInstanceOf(Uint8Array);
+      expect(result.length).toBe(1);
+    });
+  });
+
+  describe("roundtrip encoding/decoding", () => {
+    it("should roundtrip empty array", () => {
+      const original = new Uint8Array([]);
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip simple bytes", () => {
+      const original = new Uint8Array([1, 2, 3, 4, 5]);
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip all byte values", () => {
+      const original = new Uint8Array(256);
+      for (let i = 0; i < 256; i++) {
+        original[i] = i;
+      }
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip credential-sized payload", () => {
+      // Typical passkey credential payload: secretSeed + accountID hash
+      const original = new Uint8Array(56);
+      crypto.getRandomValues(original);
+      const encoded = uint8ArrayToBase64Url(original);
+      const decoded = base64UrlToUint8Array(encoded);
+      expect(decoded).toEqual(original);
+    });
+
+    it("should roundtrip random data of various sizes", () => {
+      for (const size of [1, 2, 3, 10, 32, 64, 100, 256]) {
+        const original = new Uint8Array(size);
+        crypto.getRandomValues(original);
+        const encoded = uint8ArrayToBase64Url(original);
+        const decoded = base64UrlToUint8Array(encoded);
+        expect(decoded).toEqual(original);
+      }
+    });
+  });
+});

package/src/tools/coValues/account.ts

@@ -271,7 +271,12 @@ export class Account extends CoValueBase implements CoValue {
     worker: Account,
     options: {
       creationProps: { name: string };
-      onCreate?: (account: A, worker: Account) => Promise<void>;
+      onCreate?: (
+        account: A,
+        worker: Account,
+        credentials: { accountID: string; accountSecret: AgentSecret },
+      ) => Promise<void>;
+      waitForSyncTimeout?: number;
     },
   ): Promise<{
     credentials: {
@@ -311,9 +316,12 @@ export class Account extends CoValueBase implements CoValue {
       throw new Error("Unable to load the worker account");
 
     // The onCreate hook can be helpful to define inline logic, such as querying the DB
-    if (options.onCreate) await options.onCreate(account, loadedWorker);
+    if (options.onCreate)
+      await options.onCreate(account, loadedWorker, credentials);
 
-    await account.$jazz.waitForAllCoValuesSync();
+    await account.$jazz.waitForAllCoValuesSync({
+      timeout: options.waitForSyncTimeout,
+    });
 
     const createdAccount = await this.load(account.$jazz.id, {
       loadAs: worker,

package/src/tools/implementation/zodSchema/schemaTypes/AccountSchema.ts

@@ -94,7 +94,31 @@ export class AccountSchema<
     );
   }
 
-  // Create an account via worker, useful to generate controlled accounts from the server
+  /**
+   * Creates a new account as a worker account, useful for generating controlled accounts from a server environment.
+   * This method initializes a new account, applies migrations, invokes the `onCreate` callback, and then shuts down the temporary node to avoid memory leaks.
+   * Returns the created account (loaded on the worker) and its credentials.
+   *
+   * The method internally calls `waitForAllCoValuesSync` on the new account. If many CoValues are created during `onCreate`,
+   * consider adjusting the timeout using the `waitForSyncTimeout` option.
+   *
+   * @param worker - The worker account to create the new account from
+   * @param options.creationProps - The creation properties for the new account
+   * @param options.onCreate - The callback to use to initialize the account after it is created
+   * @param options.waitForSyncTimeout - The timeout for the sync to complete
+   * @returns The credentials and the created account loaded by the worker account
+   *
+   *
+   * @example
+   * ```ts
+   * const { credentials, account } = await AccountSchema.createAs(worker, {
+   *   creationProps: { name: "My Account" },
+   *   onCreate: async (account, worker, credentials) => {
+   *     account.root.$jazz.owner.addMember(worker, "writer");
+   *   },
+   * });
+   * ```
+   */
   createAs(
     worker: Account,
     options: {
@@ -102,7 +126,9 @@ export class AccountSchema<
       onCreate?: (
         account: AccountInstance<Shape>,
         worker: Account,
+        credentials: { accountID: string; accountSecret: AgentSecret },
       ) => Promise<void>;
+      waitForSyncTimeout?: number;
     },
   ): Promise<{
     credentials: {

package/src/tools/tests/account.test.ts

@@ -469,8 +469,9 @@ describe("createAs", () => {
 
     const created = await CustomAccount.createAs(worker, {
       creationProps: { name: "Test Account" },
-      onCreate: async (account, loadedWorker) => {
+      onCreate: async (account, loadedWorker, credentials) => {
         executionOrder.push("onCreate");
+        expect(credentials.accountID).toBe(account.$jazz.id);
 
         // Verify migration ran before onCreate
         expect(executionOrder).toEqual(["migration", "onCreate"]);

package/testSetup.ts

@@ -0,0 +1,4 @@
+import { cojsonInternals } from "cojson";
+
+// Use a very high budget to avoid that slow tests fail due to the budget being exceeded.
+cojsonInternals.setIncomingMessagesTimeBudget(10000); // 10 seconds

package/vitest.config.ts

@@ -30,6 +30,7 @@ export default defineProject({
   test: {
     name: "jazz-tools",
     include: ["src/**/*.test.{js,ts,tsx,svelte}"],
+    setupFiles: ["./testSetup.ts"],
     typecheck: {
       enabled: true,
       checker: "tsc",