shogun-core 5.2.0 → 5.2.2

package/dist/plugins/webauthn/webauthnSigner.js

@@ -0,0 +1,310 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebAuthnSigner = void 0;
+const webauthn_1 = require("./webauthn");
+const p256_1 = require("@noble/curves/p256");
+const sha256_1 = require("@noble/hashes/sha256");
+const derive_1 = __importDefault(require("../../gundb/derive"));
+const ethers_1 = require("ethers");
+/**
+ * Base64URL encoding utilities
+ */
+const base64url = {
+    encode: function (buffer) {
+        const bytes = new Uint8Array(buffer);
+        return btoa(String.fromCharCode(...bytes))
+            .replace(/\+/g, "-")
+            .replace(/\//g, "_")
+            .replace(/=/g, "");
+    },
+    decode: function (str) {
+        str = str.replace(/-/g, "+").replace(/_/g, "/");
+        while (str.length % 4)
+            str += "=";
+        const binary = atob(str);
+        return new Uint8Array(binary.split("").map((c) => c.charCodeAt(0)));
+    },
+};
+/**
+ * WebAuthn Signer - Provides oneshot signing functionality
+ * Similar to webauthn.js but integrated with our architecture
+ * CONSISTENT with normal WebAuthn approach
+ */
+class WebAuthnSigner {
+    constructor(webauthn) {
+        this.credentials = new Map();
+        this.webauthn = webauthn || new webauthn_1.Webauthn();
+    }
+    /**
+     * Creates a new WebAuthn credential for signing
+     * Similar to webauthn.js create functionality but CONSISTENT with normal approach
+     */
+    async createSigningCredential(username) {
+        try {
+            const credential = (await navigator.credentials.create({
+                publicKey: {
+                    challenge: crypto.getRandomValues(new Uint8Array(32)),
+                    rp: {
+                        id: window.location.hostname === "localhost"
+                            ? "localhost"
+                            : window.location.hostname,
+                        name: "Shogun Wallet",
+                    },
+                    user: {
+                        id: new TextEncoder().encode(username),
+                        name: username,
+                        displayName: username,
+                    },
+                    // Use the same algorithms as webauthn.js for SEA compatibility
+                    pubKeyCredParams: [
+                        { type: "public-key", alg: -7 }, // ECDSA, P-256 curve, for signing
+                        { type: "public-key", alg: -25 }, // ECDH, P-256 curve, for creating shared secrets
+                        { type: "public-key", alg: -257 },
+                    ],
+                    authenticatorSelection: {
+                        userVerification: "preferred",
+                    },
+                    timeout: 60000,
+                    attestation: "none",
+                },
+            }));
+            if (!credential) {
+                throw new Error("Failed to create WebAuthn credential");
+            }
+            // Extract public key in the same way as webauthn.js
+            const response = credential.response;
+            const publicKey = response.getPublicKey();
+            if (!publicKey) {
+                throw new Error("Failed to get public key from credential");
+            }
+            const rawKey = new Uint8Array(publicKey);
+            // Extract coordinates like webauthn.js (slice positions may need adjustment)
+            const xCoord = rawKey.slice(27, 59);
+            const yCoord = rawKey.slice(59, 91);
+            const x = base64url.encode(xCoord);
+            const y = base64url.encode(yCoord);
+            const pub = `${x}.${y}`;
+            // CONSISTENCY: Use the same hashing approach as normal WebAuthn
+            const hashedCredentialId = ethers_1.ethers.keccak256(ethers_1.ethers.toUtf8Bytes(credential.id));
+            const signingCredential = {
+                id: credential.id,
+                rawId: credential.rawId,
+                publicKey: { x, y },
+                pub,
+                hashedCredentialId, // This ensures consistency
+            };
+            // Store credential for later use
+            this.credentials.set(credential.id, signingCredential);
+            return signingCredential;
+        }
+        catch (error) {
+            console.error("Error creating signing credential:", error);
+            throw new Error(`Failed to create signing credential: ${error.message}`);
+        }
+    }
+    /**
+     * Creates an authenticator function compatible with SEA.sign
+     * This is the key function that makes it work like webauthn.js
+     */
+    createAuthenticator(credentialId) {
+        const credential = this.credentials.get(credentialId);
+        if (!credential) {
+            throw new Error(`Credential ${credentialId} not found`);
+        }
+        return async (data) => {
+            try {
+                const challenge = new TextEncoder().encode(JSON.stringify(data));
+                const options = {
+                    challenge,
+                    rpId: window.location.hostname === "localhost"
+                        ? "localhost"
+                        : window.location.hostname,
+                    userVerification: "preferred",
+                    allowCredentials: [
+                        {
+                            type: "public-key",
+                            id: credential.rawId,
+                        },
+                    ],
+                    timeout: 60000,
+                };
+                const assertion = (await navigator.credentials.get({
+                    publicKey: options,
+                }));
+                if (!assertion) {
+                    throw new Error("WebAuthn assertion failed");
+                }
+                return assertion.response;
+            }
+            catch (error) {
+                console.error("WebAuthn assertion error:", error);
+                throw error;
+            }
+        };
+    }
+    /**
+     * Creates a derived key pair from WebAuthn credential
+     * CONSISTENT with normal approach: uses hashedCredentialId as password
+     */
+    async createDerivedKeyPair(credentialId, username, extra) {
+        const credential = this.credentials.get(credentialId);
+        if (!credential) {
+            throw new Error(`Credential ${credentialId} not found`);
+        }
+        try {
+            // CONSISTENCY: Use the same approach as normal WebAuthn
+            // Use hashedCredentialId as password (same as normal approach)
+            const derivedKeys = await (0, derive_1.default)(credential.hashedCredentialId, // This is the key change!
+            extra, { includeP256: true });
+            return {
+                pub: derivedKeys.pub,
+                priv: derivedKeys.priv,
+                epub: derivedKeys.epub,
+                epriv: derivedKeys.epriv,
+            };
+        }
+        catch (error) {
+            console.error("Error deriving keys from WebAuthn credential:", error);
+            throw error;
+        }
+    }
+    /**
+     * Creates a Gun user from WebAuthn credential
+     * This ensures the SAME user is created as with normal approach
+     * FIX: Use derived pair instead of username/password for GunDB auth
+     */
+    async createGunUser(credentialId, username, gunInstance) {
+        const credential = this.credentials.get(credentialId);
+        if (!credential) {
+            throw new Error(`Credential ${credentialId} not found`);
+        }
+        try {
+            // FIX: Use derived pair for GunDB authentication instead of username/password
+            const derivedPair = await this.createDerivedKeyPair(credentialId, username);
+            return new Promise((resolve) => {
+                // Use the derived pair directly for GunDB auth
+                gunInstance.user().create(derivedPair, (ack) => {
+                    if (ack.err) {
+                        // Try to login if user already exists
+                        gunInstance.user().auth(derivedPair, (authAck) => {
+                            if (authAck.err) {
+                                resolve({ success: false, error: authAck.err });
+                            }
+                            else {
+                                const userPub = authAck.pub;
+                                // Update credential with Gun user pub
+                                credential.gunUserPub = userPub;
+                                this.credentials.set(credentialId, credential);
+                                resolve({ success: true, userPub });
+                            }
+                        });
+                    }
+                    else {
+                        // User created, now login
+                        gunInstance.user().auth(derivedPair, (authAck) => {
+                            if (authAck.err) {
+                                resolve({ success: false, error: authAck.err });
+                            }
+                            else {
+                                const userPub = authAck.pub;
+                                // Update credential with Gun user pub
+                                credential.gunUserPub = userPub;
+                                this.credentials.set(credentialId, credential);
+                                resolve({ success: true, userPub });
+                            }
+                        });
+                    }
+                });
+            });
+        }
+        catch (error) {
+            console.error("Error creating Gun user:", error);
+            return { success: false, error: error.message };
+        }
+    }
+    /**
+     * Signs data using WebAuthn + derived keys
+     * This provides a hybrid approach: WebAuthn for user verification + derived keys for actual signing
+     * CONSISTENT with normal approach
+     */
+    async signWithDerivedKeys(data, credentialId, username, extra) {
+        try {
+            // First, verify user with WebAuthn
+            const authenticator = this.createAuthenticator(credentialId);
+            await authenticator(data); // This verifies the user
+            // Then use derived keys for actual signing (CONSISTENT approach)
+            const keyPair = await this.createDerivedKeyPair(credentialId, username, extra);
+            // Create signature using P-256 (same as SEA)
+            const message = JSON.stringify(data);
+            const messageHash = (0, sha256_1.sha256)(new TextEncoder().encode(message));
+            // Convert base64url private key to bytes
+            const privKeyBytes = base64url.decode(keyPair.priv);
+            // Sign with P-256
+            const signature = p256_1.p256.sign(messageHash, privKeyBytes);
+            // Format like SEA signature
+            const seaSignature = {
+                m: message,
+                s: base64url.encode(signature.toCompactRawBytes()),
+            };
+            return "SEA" + JSON.stringify(seaSignature);
+        }
+        catch (error) {
+            console.error("Error signing with derived keys:", error);
+            throw error;
+        }
+    }
+    /**
+     * Get the Gun user public key for a credential
+     * This allows checking if the same user would be created
+     */
+    getGunUserPub(credentialId) {
+        const credential = this.credentials.get(credentialId);
+        return credential?.gunUserPub;
+    }
+    /**
+     * Get the hashed credential ID (for consistency checking)
+     */
+    getHashedCredentialId(credentialId) {
+        const credential = this.credentials.get(credentialId);
+        return credential?.hashedCredentialId;
+    }
+    /**
+     * Check if this credential would create the same Gun user as normal approach
+     */
+    async verifyConsistency(credentialId, username, expectedUserPub) {
+        const credential = this.credentials.get(credentialId);
+        if (!credential) {
+            return { consistent: false };
+        }
+        // The derived keys should be the same as normal approach
+        const derivedKeys = await this.createDerivedKeyPair(credentialId, username);
+        return {
+            consistent: expectedUserPub ? derivedKeys.pub === expectedUserPub : true,
+            actualUserPub: derivedKeys.pub,
+            expectedUserPub,
+        };
+    }
+    /**
+     * Get credential by ID
+     */
+    getCredential(credentialId) {
+        return this.credentials.get(credentialId);
+    }
+    /**
+     * List all stored credentials
+     */
+    listCredentials() {
+        return Array.from(this.credentials.values());
+    }
+    /**
+     * Remove a credential
+     */
+    removeCredential(credentialId) {
+        return this.credentials.delete(credentialId);
+    }
+}
+exports.WebAuthnSigner = WebAuthnSigner;
+exports.default = WebAuthnSigner;

package/dist/plugins/zkproof/index.js

@@ -0,0 +1,53 @@
+"use strict";
+/**
+ * ZK-Proof Plugin for Shogun Core
+ *
+ * Provides Zero-Knowledge Proof authentication using Semaphore protocol
+ *
+ * Features:
+ * - Anonymous authentication without revealing identity
+ * - Multi-device support via trapdoor backup
+ * - Privacy-preserving group membership proofs
+ * - Compatible with Gun decentralized storage
+ *
+ * @example
+ * ```typescript
+ * // Initialize Shogun with ZK-Proof plugin
+ * const shogun = new ShogunCore({
+ *   peers: ['https://gun-manhattan.herokuapp.com/gun'],
+ *   zkproof: {
+ *     enabled: true,
+ *     defaultGroupId: 'my-app-users'
+ *   }
+ * });
+ *
+ * await shogun.initialize();
+ *
+ * // Get the plugin
+ * const zkPlugin = shogun.getPlugin<ZkProofPlugin>('zkproof');
+ *
+ * // Sign up with ZK-Proof
+ * const signupResult = await zkPlugin.signUp();
+ * if (signupResult.success) {
+ *   console.log('Trapdoor (save this!):', signupResult.seedPhrase);
+ *   console.log('Public commitment:', signupResult.username);
+ * }
+ *
+ * // Login with trapdoor
+ * const loginResult = await zkPlugin.login(trapdoor);
+ * if (loginResult.success) {
+ *   console.log('Logged in anonymously!');
+ * }
+ * ```
+ *
+ * @module zkproof
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialType = exports.ZkCredentials = exports.ZkProofConnector = exports.ZkProofPlugin = void 0;
+var zkProofPlugin_1 = require("./zkProofPlugin");
+Object.defineProperty(exports, "ZkProofPlugin", { enumerable: true, get: function () { return zkProofPlugin_1.ZkProofPlugin; } });
+var zkProofConnector_1 = require("./zkProofConnector");
+Object.defineProperty(exports, "ZkProofConnector", { enumerable: true, get: function () { return zkProofConnector_1.ZkProofConnector; } });
+var zkCredentials_1 = require("./zkCredentials");
+Object.defineProperty(exports, "ZkCredentials", { enumerable: true, get: function () { return zkCredentials_1.ZkCredentials; } });
+Object.defineProperty(exports, "CredentialType", { enumerable: true, get: function () { return zkCredentials_1.CredentialType; } });

package/dist/plugins/zkproof/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/plugins/zkproof/zkCredentials.js

@@ -0,0 +1,213 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ZkCredentials = exports.CredentialType = void 0;
+const group_1 = require("@semaphore-protocol/group");
+const proof_1 = require("@semaphore-protocol/proof");
+const ethers_1 = require("ethers");
+const errorHandler_1 = require("../../utils/errorHandler");
+/**
+ * Types of verifiable credentials
+ */
+var CredentialType;
+(function (CredentialType) {
+    CredentialType["AGE"] = "age";
+    CredentialType["CITIZENSHIP"] = "citizenship";
+    CredentialType["EDUCATION"] = "education";
+    CredentialType["INCOME"] = "income";
+    CredentialType["EMPLOYMENT"] = "employment";
+    CredentialType["HEALTH"] = "health";
+    CredentialType["CUSTOM"] = "custom";
+})(CredentialType || (exports.CredentialType = CredentialType = {}));
+/**
+ * ZK Credentials Manager
+ * Extends ZK-Proof functionality to support verifiable credentials
+ */
+class ZkCredentials {
+    constructor() {
+        this.groups = new Map();
+    }
+    /**
+     * Create a verifiable credential from private data
+     */
+    createCredential(identity, credentialData) {
+        try {
+            // Hash the private data to create a credential commitment
+            const privateDataString = JSON.stringify(credentialData.privateData);
+            const credentialHash = ethers_1.ethers.keccak256(ethers_1.ethers.toUtf8Bytes(privateDataString));
+            // For now, return a basic credential structure
+            // Full proof generation requires circuit files
+            const credential = {
+                type: credentialData.type,
+                claim: credentialData.claim,
+                proof: {
+                    merkleTreeRoot: "",
+                    nullifierHash: "",
+                    signal: credentialHash,
+                    externalNullifier: "",
+                    proof: [],
+                },
+                credentialHash,
+                timestamp: Date.now(),
+            };
+            return {
+                credential,
+                credentialHash,
+            };
+        }
+        catch (error) {
+            errorHandler_1.ErrorHandler.handle(errorHandler_1.ErrorType.ENCRYPTION, "CREDENTIAL_CREATION_FAILED", `Failed to create verifiable credential: ${error.message}`, error);
+            throw error;
+        }
+    }
+    /**
+     * Prove an attribute about yourself without revealing the underlying data
+     */
+    async proveAttribute(identity, credentialData, groupId = "verified-credentials") {
+        try {
+            const { credential, credentialHash } = this.createCredential(identity, credentialData);
+            // Convert claim to signal
+            const signal = ethers_1.ethers.keccak256(ethers_1.ethers.toUtf8Bytes(credentialData.claim));
+            const signalBigInt = BigInt(signal);
+            // Create or get group
+            const group = this.getOrCreateGroup(groupId);
+            // Add identity if not already in group
+            if (group.indexOf(identity.commitment) === -1) {
+                group.addMember(identity.commitment);
+            }
+            // External nullifier from credential type
+            const externalNullifier = BigInt(ethers_1.ethers.keccak256(ethers_1.ethers.toUtf8Bytes(credentialData.type)));
+            // Generate ZK proof
+            // Note: This requires circuit files to be available
+            const fullProof = await (0, proof_1.generateProof)(identity, group, signalBigInt, externalNullifier);
+            return {
+                type: credentialData.type,
+                claim: credentialData.claim,
+                proof: {
+                    merkleTreeRoot: fullProof.merkleTreeRoot.toString(),
+                    nullifierHash: fullProof.nullifierHash.toString(),
+                    signal: fullProof.signal.toString(),
+                    externalNullifier: fullProof.externalNullifier.toString(),
+                    proof: fullProof.proof.map((p) => p.toString()),
+                },
+                credentialHash,
+                timestamp: Date.now(),
+            };
+        }
+        catch (error) {
+            errorHandler_1.ErrorHandler.handle(errorHandler_1.ErrorType.ENCRYPTION, "ATTRIBUTE_PROOF_FAILED", `Failed to prove attribute: ${error.message}`, error);
+            throw error;
+        }
+    }
+    /**
+     * Verify a credential proof
+     */
+    async verifyCredential(proof, treeDepth = 20) {
+        try {
+            const verified = await (0, proof_1.verifyProof)(proof.proof, treeDepth);
+            return {
+                verified,
+                type: proof.type,
+                claim: proof.claim,
+                timestamp: proof.timestamp,
+            };
+        }
+        catch (error) {
+            errorHandler_1.ErrorHandler.handle(errorHandler_1.ErrorType.ENCRYPTION, "CREDENTIAL_VERIFICATION_FAILED", `Failed to verify credential: ${error.message}`, error);
+            return {
+                verified: false,
+                error: error.message,
+            };
+        }
+    }
+    /**
+     * Create a group for credential holders
+     */
+    getOrCreateGroup(groupId) {
+        if (!this.groups.has(groupId)) {
+            const groupIdHash = ethers_1.ethers.keccak256(ethers_1.ethers.toUtf8Bytes(groupId));
+            const groupIdNumber = BigInt(groupIdHash);
+            this.groups.set(groupId, new group_1.Group(groupIdNumber));
+        }
+        return this.groups.get(groupId);
+    }
+    /**
+     * Add an identity to a credentials group
+     */
+    addToCredentialGroup(identity, groupId = "verified-credentials") {
+        const group = this.getOrCreateGroup(groupId);
+        if (group.indexOf(identity.commitment) === -1) {
+            group.addMember(identity.commitment);
+        }
+    }
+    /**
+     * Common credential proofs
+     */
+    /**
+     * Prove age without revealing exact birthdate
+     */
+    async proveAge(identity, birthDate, minimumAge) {
+        const age = Math.floor((Date.now() - birthDate.getTime()) / (365.25 * 24 * 60 * 60 * 1000));
+        if (age < minimumAge) {
+            throw new Error(`Age ${age} is less than required ${minimumAge}`);
+        }
+        return this.proveAttribute(identity, {
+            type: CredentialType.AGE,
+            claim: `Age is ${minimumAge} or older`,
+            privateData: {
+                birthDate: birthDate.toISOString(),
+                actualAge: age,
+            },
+        });
+    }
+    /**
+     * Prove citizenship without revealing country
+     */
+    async proveCitizenship(identity, country, region = "EU") {
+        return this.proveAttribute(identity, {
+            type: CredentialType.CITIZENSHIP,
+            claim: `Citizen of ${region}`,
+            privateData: {
+                country,
+                passportNumber: "hidden",
+            },
+        });
+    }
+    /**
+     * Prove education without revealing institution
+     */
+    async proveEducation(identity, degree, university, year) {
+        return this.proveAttribute(identity, {
+            type: CredentialType.EDUCATION,
+            claim: `Has ${degree} degree`,
+            privateData: {
+                university,
+                degree,
+                year,
+            },
+        });
+    }
+    /**
+     * Prove income range without revealing exact amount
+     */
+    async proveIncome(identity, amount, minimumRequired, currency = "USD") {
+        if (amount < minimumRequired) {
+            throw new Error(`Income ${amount} is less than required ${minimumRequired}`);
+        }
+        return this.proveAttribute(identity, {
+            type: CredentialType.INCOME,
+            claim: `Income ≥ ${minimumRequired} ${currency}`,
+            privateData: {
+                actualIncome: amount,
+                currency,
+                verified: true,
+            },
+        });
+    }
+    /**
+     * Cleanup resources
+     */
+    cleanup() {
+        this.groups.clear();
+    }
+}
+exports.ZkCredentials = ZkCredentials;