trustplane-sdk 0.1.1 → 0.3.0

package/README.md

@@ -1,4 +1,4 @@
-# Trustplane JS SDK (v0.1)
+# Trustplane JS SDK (v0.2)
 
 Minimal SDK to generate Trustplane proof headers.
 
@@ -55,3 +55,52 @@ const out = client.sign({
   privateKey: '<private_key_b64url>'
 });
 ```
+
+## Blindfold verify (one call)
+
+```js
+const { blindfoldVerify, fromFile } = require('trustplane-sdk');
+
+const res = await blindfoldVerify({
+  authBaseUrl: 'https://auth.trustplane.mergematter.io',
+  tenantId: 'new_tenant',
+  apiId: 'api_demo_2',
+  clientId: 'client_demo',
+  privateKey: '<private_key_b64url>',
+  method: 'GET',
+  path: '/orders',
+  body: '',
+});
+
+console.log(res.status, res.data);
+```
+
+Blindfold uses a blind OPRF exchange under the hood and only sends a blinded input to the Auth Plane.
+
+You can also load `auth_base_url` from `trustplane.json`:
+
+```js
+const { fromFile } = require('trustplane-sdk');
+
+const client = fromFile('./trustplane.json');
+const res = await client.blindfoldVerify({
+  method: 'GET',
+  path: '/orders',
+  body: '',
+  privateKey: '<private_key_b64url>'
+});
+```
+
+## Integration test (against auth plane)
+
+```bash
+TP_AUTH_BASE_URL=https://auth.trustplane.mergematter.io \
+TP_TENANT_ID=<tenant_id> \
+TP_API_ID=<api_id> \
+TP_CLIENT_ID=<client_id> \
+TP_PRIVATE_KEY=<private_key_b64url> \
+TP_MODE=core \
+npm run test:integration
+```
+
+For blindfold APIs, use `TP_MODE=blindfold`.

package/index.d.ts

@@ -30,15 +30,53 @@ export type SignOutput = {
 
 export function sign(input: SignInput): SignOutput;
 export function signAsync(input: SignInput): Promise<SignOutput>;
+export function blindfoldVerify(input: SignInput & {
+  authBaseUrl: string;
+  fetchFn?: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+}): Promise<{
+  step: string;
+  status: number;
+  ok: boolean;
+  data: any;
+  verifyPayload?: any;
+  transcript?: string;
+  digest?: string;
+}>;
 
 export function createClient(input: {
   tenantId: string;
   apiId: string;
   clientId: string;
   bucketSeconds?: number;
+  authBaseUrl?: string;
+  gatewayUrl?: string;
+  requestPath?: string;
+  proofType?: string;
 }): {
+  config: {
+    tenantId: string;
+    apiId: string;
+    clientId: string;
+    bucketSeconds?: number;
+    authBaseUrl?: string;
+    gatewayUrl?: string;
+    requestPath?: string;
+    proofType?: string;
+  };
   sign(input: Omit<SignInput, "tenantId" | "apiId" | "clientId" | "bucketSeconds">): SignOutput;
   signAsync(input: Omit<SignInput, "tenantId" | "apiId" | "clientId" | "bucketSeconds">): Promise<SignOutput>;
+  blindfoldVerify(input: Omit<SignInput, "tenantId" | "apiId" | "clientId" | "bucketSeconds"> & {
+    authBaseUrl?: string;
+    fetchFn?: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+  }): Promise<{
+    step: string;
+    status: number;
+    ok: boolean;
+    data: any;
+    verifyPayload?: any;
+    transcript?: string;
+    digest?: string;
+  }>;
 };
 
 export function fromFile(path: string): ReturnType<typeof createClient>;

package/index.js

@@ -1,6 +1,7 @@
 const crypto = require('crypto');
 const nacl = require('tweetnacl');
 const fs = require('fs');
+const OPRF = require('oprf');
 
 function base64urlEncode(buf) {
   return Buffer.from(buf)
@@ -189,21 +190,122 @@ function fromFile(path) {
     apiId: cfg.api_id,
     clientId: cfg.client_id,
     bucketSeconds: cfg.bucket_seconds,
+    authBaseUrl: cfg.auth_base_url,
+    gatewayUrl: cfg.gateway_url,
+    requestPath: cfg.request_path,
+    proofType: cfg.proof_type,
   });
 }
 
-function createClient({ tenantId, apiId, clientId, bucketSeconds }) {
+function createClient({ tenantId, apiId, clientId, bucketSeconds, authBaseUrl, gatewayUrl, requestPath, proofType }) {
   return {
+    config: {
+      tenantId,
+      apiId,
+      clientId,
+      bucketSeconds,
+      authBaseUrl,
+      gatewayUrl,
+      requestPath,
+      proofType,
+    },
     sign: ({ method, path, body, privateKey }) =>
       signProof({ tenantId, apiId, clientId, privateKey, method, path, body, bucketSeconds }),
     signAsync: ({ method, path, body, privateKey }) =>
       signProofAsync({ tenantId, apiId, clientId, privateKey, method, path, body, bucketSeconds }),
+    blindfoldVerify: async ({ authBaseUrl: authOverride, method, path, body, privateKey, fetchFn }) =>
+      blindfoldVerify({
+        authBaseUrl: authOverride || authBaseUrl,
+        tenantId,
+        apiId,
+        clientId,
+        privateKey,
+        method,
+        path,
+        body,
+        bucketSeconds,
+        fetchFn,
+      }),
+  };
+}
+
+async function httpJSON(url, payload, fetchFn) {
+  const impl = fetchFn || (typeof fetch !== 'undefined' ? fetch : null);
+  if (!impl) {
+    throw new Error('fetch is required; provide fetchFn or run in an environment with global fetch');
+  }
+  const res = await impl(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify(payload),
+  });
+  const text = await res.text();
+  let data;
+  try {
+    data = JSON.parse(text);
+  } catch (err) {
+    data = { raw: text };
+  }
+  return { status: res.status, ok: res.ok, data };
+}
+
+async function blindfoldVerify({ authBaseUrl, tenantId, apiId, clientId, privateKey, method, path, body, bucketSeconds, fetchFn }) {
+  if (!authBaseUrl) throw new Error('authBaseUrl is required');
+  const signed = signProof({ tenantId, apiId, clientId, privateKey, method, path, body, bucketSeconds });
+  const base = String(authBaseUrl).replace(/\/+$/, '');
+  const oprf = new OPRF();
+  if (oprf.ready) {
+    await oprf.ready;
+  }
+  const start = await httpJSON(base + '/auth/blindfold/start', {
+    tenant_id: signed.verifyPayload.tenant_id,
+    api_id: signed.verifyPayload.api_id,
+    client_id: signed.verifyPayload.client_id,
+    method: signed.verifyPayload.method,
+    path: signed.verifyPayload.path,
+    body_hash: signed.verifyPayload.body_hash,
+    time_bucket: signed.verifyPayload.time_bucket,
+    nonce: signed.verifyPayload.nonce,
+  }, fetchFn);
+  if (!start.ok) {
+    return { step: 'start', ...start };
+  }
+  const oprfInput = signed.digest;
+  const masked = oprf.maskInput(oprfInput);
+  const evalRes = await httpJSON(base + '/oprf/full-evaluate', {
+    blinded_input_b64url: base64urlEncode(masked.point),
+  }, fetchFn);
+  if (!evalRes.ok) {
+    return { step: 'evaluate', ...evalRes };
+  }
+  const evaluated = base64urlDecode((evalRes.data || {}).evaluated_b64url || '');
+  const unmasked = oprf.unmaskPoint(new Uint8Array(evaluated), masked.mask);
+  const proofPayload = base64urlEncode(Buffer.from(unmasked));
+  const finalize = await httpJSON(base + '/auth/blindfold/finalize', {
+    session_id: (start.data || {}).session_id,
+    proof_payload: proofPayload,
+  }, fetchFn);
+  if (!finalize.ok) {
+    return { step: 'finalize', ...finalize };
+  }
+  const verifyPayload = Object.assign({}, signed.verifyPayload, {
+    proof_type: 'blindfold',
+    proof_payload: ((finalize.data || {}).verify_payload || {}).proof_payload || proofPayload || '',
+  });
+  const verify = await httpJSON(base + '/auth/verify', verifyPayload, fetchFn);
+  return {
+    step: 'verify',
+    ...verify,
+    verifyPayload,
+    transcript: signed.transcript,
+    digest: signed.digest,
   };
 }
 
 module.exports = {
   sign: signProof,
   signAsync: signProofAsync,
+  blindfoldVerify,
   createClient,
   fromFile,
 };

package/integration_test.js

@@ -0,0 +1,59 @@
+const { sign, blindfoldVerify } = require('./index');
+
+async function postJSON(url, payload) {
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify(payload),
+  });
+  const data = await res.json().catch(() => ({}));
+  return { status: res.status, ok: res.ok, data };
+}
+
+async function main() {
+  const base = process.env.TP_AUTH_BASE_URL || '';
+  const tenantId = process.env.TP_TENANT_ID || '';
+  const apiId = process.env.TP_API_ID || '';
+  const clientId = process.env.TP_CLIENT_ID || '';
+  const privateKey = process.env.TP_PRIVATE_KEY || '';
+  const path = process.env.TP_PATH || '/orders';
+  const mode = (process.env.TP_MODE || 'core').toLowerCase();
+
+  if (!base || !tenantId || !apiId || !clientId || !privateKey) {
+    console.log('SKIP: set TP_AUTH_BASE_URL TP_TENANT_ID TP_API_ID TP_CLIENT_ID TP_PRIVATE_KEY');
+    process.exit(0);
+  }
+
+  if (mode === 'blindfold') {
+    const out = await blindfoldVerify({
+      authBaseUrl: base,
+      tenantId,
+      apiId,
+      clientId,
+      privateKey,
+      method: 'GET',
+      path,
+      body: '',
+    });
+    console.log('blindfold', out.status, out.data && out.data.decision);
+    process.exit(out.ok ? 0 : 1);
+  }
+
+  const out = sign({
+    tenantId,
+    apiId,
+    clientId,
+    privateKey,
+    method: 'GET',
+    path,
+    body: '',
+  });
+  const res = await postJSON(String(base).replace(/\/+$/, '') + '/auth/verify', out.verifyPayload);
+  console.log('core', res.status, res.data && res.data.decision);
+  process.exit(res.ok ? 0 : 1);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trustplane-sdk",
-  "version": "0.1.1",
+  "version": "0.3.0",
   "description": "Trustplane SDK (JS) for generating request proof headers",
   "main": "index.js",
   "types": "index.d.ts",
@@ -8,16 +8,19 @@
     "index.js",
     "index.d.ts",
     "README.md",
-    "test_vector.js"
+    "test_vector.js",
+    "integration_test.js"
   ],
   "publishConfig": {
     "access": "public"
   },
   "scripts": {
-    "test": "node test_vector.js"
+    "test": "node test_vector.js",
+    "test:integration": "node integration_test.js"
   },
   "license": "MIT",
   "dependencies": {
+    "oprf": "^2.0.0",
     "tweetnacl": "^1.0.3"
   }
 }