vestauth 0.2.5 → 0.3.2

package/README.md

@@ -1,4 +1,4 @@
-[![vestauth](https://vestauth.com/banner.png)](https://vestauth.com)
+[![vestauth](https://vestauth.com/better-banner.png)](https://vestauth.com)
 
 *auth for agents*–from the creator of [`dotenvx`](https://github.com/dotenvx/dotenvx).
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.2.5",
+  "version": "0.3.2",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth"
@@ -42,7 +42,10 @@
     "@noble/secp256k1": "^1.7.2",
     "commander": "^11.1.0",
     "eciesjs": "^0.4.16",
-    "undici": "7.11.0"
+    "execa": "^5.1.1",
+    "http-message-sig": "^0.2.0",
+    "undici": "7.11.0",
+    "web-bot-auth": "^0.1.2"
   },
   "devDependencies": {
     "@yao-pkg/pkg": "^5.14.2",

package/src/cli/actions/agent/curl.js

@@ -0,0 +1,34 @@
+const { logger } = require('./../../../shared/logger')
+const agent = require('./../../../lib/agent')
+const execute = require('./../../../lib/helpers/execute')
+const findUrl = require('./../../../lib/helpers/findUrl')
+
+async function curl () {
+  const commandArgs = this.args
+  logger.debug(`process command [${commandArgs.join(' ')}]`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const httpMethod = 'GET'
+  const url = findUrl(commandArgs)
+  const headers = await agent.headers(httpMethod, url)
+  const injected = [
+    'curl',
+    '-H', `Signature: ${headers.Signature}`,
+    '-H', `Signature-Input: ${headers['Signature-Input']}`,
+    ...commandArgs
+  ]
+
+  const child = execute.execa(injected[0], injected.slice(1), { stdio: 'inherit' })
+
+  // Wait for the command process to finish
+  const { exitCode } = await child
+
+  if (exitCode !== 0) {
+    logger.debug(`received exitCode ${exitCode}`)
+    throw new Error(`Command exited with exit code ${exitCode}`)
+  }
+}
+
+module.exports = curl

package/src/cli/actions/agent/headers.js

@@ -0,0 +1,22 @@
+const { logger } = require('./../../../shared/logger')
+
+const agent = require('./../../../lib/agent')
+
+async function headers (httpMethod, uri) {
+  logger.debug(`httpMethod: ${httpMethod}`)
+  logger.debug(`uri: ${uri}`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const output = await agent.headers(httpMethod, uri, options.tag, options.nonce)
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = headers

package/src/cli/actions/primitives/headers.js

@@ -0,0 +1,23 @@
+const { logger } = require('./../../../shared/logger')
+
+const primitives = require('./../../../lib/primitives')
+
+async function headers (httpMethod, uri, privateKey) {
+  logger.debug(`httpMethod: ${httpMethod}`)
+  logger.debug(`uri: ${uri}`)
+  logger.debug(`privateKey: ${privateKey}`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const output = await primitives.headers(httpMethod, uri, privateKey, options.tag, options.nonce)
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = headers

package/src/cli/actions/primitives/keypair.js

@@ -3,6 +3,8 @@ const { logger } = require('./../../../shared/logger')
 const primitives = require('./../../../lib/primitives')
 
 function keypair (existingPrivateKey) {
+  logger.debug(`existingPrivateKey: ${existingPrivateKey}`)
+
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 

package/src/cli/actions/primitives/keypairOld.js

@@ -0,0 +1,24 @@
+const { logger } = require('./../../../shared/logger')
+
+const primitives = require('./../../../lib/primitives')
+
+function keypairOld (existingPrivateKey) {
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const kp = primitives.keypairOld(existingPrivateKey, options.prefix)
+
+  const output = {
+    public_key: kp.publicKey,
+    private_key: kp.privateKey
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = keypairOld

package/src/cli/actions/{agent/hello.js → provider/challenge.js}

@@ -1,14 +1,12 @@
 const { logger } = require('./../../../shared/logger')
 
-const agent = require('./../../../lib/agent')
+const prov = require('./../../../lib/provider')
 
-function hello () {
+async function provider (website) {
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 
-  const output = {
-    hello: agent.hello()
-  }
+  const output = await prov.challenge()
 
   let space = 0
   if (options.prettyPrint) {
@@ -18,4 +16,4 @@ function hello () {
   console.log(JSON.stringify(output, null, space))
 }
 
-module.exports = hello
+module.exports = provider

package/src/cli/actions/provider/verify.js

@@ -0,0 +1,38 @@
+const { logger } = require('./../../../shared/logger')
+
+const { verify } = require('web-bot-auth')
+const { verifierFromJWK } = require('web-bot-auth/crypto')
+
+async function _verify (httpMethod, uri, signatureHeader, signatureInputHeader, publicKey) {
+  logger.debug(`httpMethod: ${httpMethod}`)
+  logger.debug(`uri: ${uri}`)
+  logger.debug(`signatureHeader: ${signatureHeader}`)
+  logger.debug(`signatureInputHeader: ${signatureInputHeader}`)
+  logger.debug(`publicKey: ${publicKey}`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const verifier = await verifierFromJWK(JSON.parse(publicKey))
+  const headers = {
+    Signature: signatureHeader,
+    'Signature-Input': signatureInputHeader
+  }
+
+  const signedRequest = new Request(uri, { headers: headers })
+  const r = await verify(signedRequest, verifier)
+  console.log(r)
+
+  const output = {
+    implement: 'todo'
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+module.exports = _verify

package/src/cli/commands/agent.js

@@ -3,17 +3,10 @@ const { Command } = require('commander')
 const agent = new Command('agent')
 
 agent
-  .description('🪪 agent')
+  .usage('run -- yourcommand')
+  .description('🤖 agent')
   .allowUnknownOption()
 
-// vestauth agent auth
-const authAction = require('./../actions/agent/auth')
-agent.command('auth')
-  .description('auth agent')
-  .argument('<website>', 'root url of website')
-  .option('-pp, --pretty-print', 'pretty print output')
-  .action(authAction)
-
 // vestauth agent init
 const initAction = require('./../actions/agent/init')
 agent.command('init')
@@ -21,10 +14,25 @@ agent.command('init')
   .option('-pp, --pretty-print', 'pretty print output')
   .action(initAction)
 
-// vestauth agent hello
-const helloAction = require('./../actions/agent/hello')
-agent.command('hello')
-  .description('say hello')
-  .action(helloAction)
+// vestauth agent curl
+const curlAction = require('./../actions/agent/curl')
+agent.command('curl')
+  .description('run curl as agent')
+  .allowUnknownOption()
+  .option('--tag <tag>', 'vestauth (default) | web-bot-auth', 'vestauth')
+  .option('--nonce <nonce>', 'null (default)')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(curlAction)
+
+// vestauth agent headers
+const headersAction = require('./../actions/agent/headers')
+agent.command('headers')
+  .description('generate headers as agent')
+  .argument('<httpMethod>', 'GET (default)')
+  .argument('<uri>', '')
+  .option('--tag <tag>', 'vestauth (default) | web-bot-auth', 'vestauth')
+  .option('--nonce <nonce>', 'null (default)')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(headersAction)
 
 module.exports = agent

package/src/cli/commands/primitives.js

@@ -25,11 +25,23 @@ primitives.command('hash')
 const keypairAction = require('./../actions/primitives/keypair')
 primitives.command('keypair')
   .description('generate public/private keypair')
-  .argument('[private_key]', 'pre-existing private key')
+  .argument('[privateKey]', 'pre-existing private key')
   .option('--prefix <type>', 'agent (default) | provider | none', 'agent')
   .option('-pp, --pretty-print', 'pretty print output')
   .action(keypairAction)
 
+// vestauth primitives headers
+const headersAction = require('./../actions/primitives/headers')
+primitives.command('headers')
+  .description('generate signed headers')
+  .argument('<httpMethod>', 'GET (default)')
+  .argument('<uri>', '')
+  .argument('<privateKey>', 'private key (json string)')
+  .option('--tag <tag>', 'vestauth (default) | web-bot-auth', 'vestauth')
+  .option('--nonce <nonce>', 'null (default)')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(headersAction)
+
 // vestauth primitives sign
 const signAction = require('./../actions/primitives/sign')
 primitives.command('sign')

package/src/cli/commands/provider.js

@@ -0,0 +1,28 @@
+const { Command } = require('commander')
+
+const provider = new Command('provider')
+
+provider
+  .description('🔌 provider')
+  .allowUnknownOption()
+
+// vestauth provider verify
+const verifyAction = require('./../actions/provider/verify')
+provider.command('verify')
+  .description('verify agent')
+  .argument('<httpMethod>', 'GET (default)')
+  .argument('<uri>', '')
+  .argument('<signatureHeader>', '')
+  .argument('<signatureInputHeader>', '')
+  .argument('<publicKey>', 'public key (json string)')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(verifyAction)
+
+// vestauth provider challenge
+const challengeAction = require('./../actions/provider/challenge')
+provider.command('challenge')
+  .description('generate challenge')
+  .option('-pp, --pretty-print', 'pretty print output')
+  .action(challengeAction)
+
+module.exports = provider

package/src/cli/vestauth.js

@@ -38,8 +38,9 @@ program
   .version(packageJson.version)
   .allowUnknownOption()
 
-// dotenvx agent
 program.addCommand(require('./commands/agent'))
+program.addCommand(require('./commands/provider'))
+program.addCommand(require('./commands/primitives'))
 
 // vestauth verifyAgent
 const verifyAgentAction = require('./actions/verifyAgent')
@@ -51,9 +52,6 @@ program.command('verifyagent')
   .option('-pp, --pretty-print', 'pretty print output')
   .action(verifyAgentAction)
 
-// dotenvx primitive
-program.addCommand(require('./commands/primitives'))
-
 // vestauth help
 program.command('help [command]')
   .description('display help for command')

package/src/lib/agent.js

@@ -1,9 +1,9 @@
-const agentAuth = require('./helpers/agentAuth')
 const agentInit = require('./helpers/agentInit')
+const agentHeaders = require('./helpers/agentHeaders')
 const hello = require('./helpers/hello')
 
 module.exports = {
-  auth: agentAuth,
   init: agentInit,
+  headers: agentHeaders,
   hello
 }

package/src/lib/helpers/agentAuth.js

@@ -43,6 +43,7 @@ async function agentAuth (website) {
   }
 
   const json = await resp.body.json()
+  // ok and if a success what should i do here? should i store the challenge to the .env file?
   return json
 }
 

package/src/lib/helpers/agentHeaders.js

@@ -0,0 +1,25 @@
+const headers = require('./headers')
+const dotenvx = require('@dotenvx/dotenvx')
+const { verify } = require('web-bot-auth')
+const { verifierFromJWK } = require('web-bot-auth/crypto')
+
+async function agentHeaders (httpMethod, uri, tag = 'vestauth', nonce = null) {
+  let publicKey = null
+  let privateKey = null
+  try { publicKey = dotenvx.get('AGENT_PUBLIC_KEY', { strict: true }) } catch (_e) {}
+  try { privateKey = dotenvx.get('AGENT_PRIVATE_KEY', { strict: true }) } catch (_e) {}
+
+  if (!publicKey && !privateKey) throw new Error('missing AGENT_PUBLIC_KEY and AGENT_PRIVATE_KEY. Run [vestauth agent init]')
+
+  const _headers = await headers(httpMethod, uri, privateKey, tag, nonce)
+
+  // verification (temp testing)
+  const verifier = await verifierFromJWK(JSON.parse(publicKey))
+  const signedRequest = new Request(uri, { headers: _headers })
+  const r = await verify(signedRequest, verifier)
+  console.log(r)
+
+  return _headers
+}
+
+module.exports = agentHeaders

package/src/lib/helpers/agentInit.js

@@ -14,8 +14,8 @@ function agentInit () {
   touch(envPath)
 
   // place in .env file
-  dotenvx.set('AGENT_PUBLIC_KEY', kp.publicKey, { path: envPath, plain: true, quiet: true })
-  dotenvx.set('AGENT_PRIVATE_KEY', kp.privateKey, { path: envPath, plain: true, quiet: true })
+  dotenvx.set('AGENT_PUBLIC_KEY', JSON.stringify(kp.publicKey), { path: envPath, plain: true, quiet: true })
+  dotenvx.set('AGENT_PRIVATE_KEY', JSON.stringify(kp.privateKey), { path: envPath, plain: true, quiet: true })
 
   return {
     AGENT_PUBLIC_KEY: kp.publicKey,

package/src/lib/helpers/edPrivateKeyObject.js

@@ -0,0 +1,7 @@
+const crypto = require('crypto')
+
+function edPrivateKeyObject (keyJson) {
+  return crypto.createPrivateKey({ key: keyJson, format: 'jwk' })
+}
+
+module.exports = edPrivateKeyObject

package/src/lib/helpers/epoch.js

@@ -0,0 +1,12 @@
+function epoch (ttlSeconds = 300) {
+  const now = Date.now()
+  const created = Math.floor(now / 1000)
+  const expires = created + ttlSeconds // 300 -> 5 minutes
+
+  return {
+    created,
+    expires
+  }
+}
+
+module.exports = epoch

package/src/lib/helpers/execute.js

@@ -0,0 +1,12 @@
+const execa = require('execa')
+/* c8 ignore start */
+const pkgArgs = process.pkg ? { PKG_EXECPATH: '' } : {}
+/* c8 ignore stop */
+
+const execute = {
+  execa (command, args, options) {
+    return execa(command, args, { ...options, env: { ...options.env, ...pkgArgs } })
+  }
+}
+
+module.exports = execute

package/src/lib/helpers/executeCommand.js

@@ -0,0 +1,115 @@
+const path = require('path')
+const which = require('which')
+const execute = require('./../../lib/helpers/execute')
+const { logger } = require('./../../shared/logger')
+
+async function executeCommand (commandArgs) {
+  const signals = [
+    'SIGHUP', 'SIGQUIT', 'SIGILL', 'SIGTRAP', 'SIGABRT',
+    'SIGBUS', 'SIGFPE', 'SIGUSR1', 'SIGSEGV', 'SIGUSR2'
+  ]
+
+  logger.debug(`executing process command [${commandArgs.join(' ')}]`)
+
+  let child
+  let signalSent
+
+  /* c8 ignore start */
+  const sigintHandler = () => {
+    logger.debug('received SIGINT')
+    logger.debug('checking command process')
+    logger.debug(child)
+
+    if (child) {
+      logger.debug('sending SIGINT to command process')
+      signalSent = 'SIGINT'
+      child.kill('SIGINT') // Send SIGINT to the command process
+    } else {
+      logger.debug('no command process to send SIGINT to')
+    }
+  }
+
+  const sigtermHandler = () => {
+    logger.debug('received SIGTERM')
+    logger.debug('checking command process')
+    logger.debug(child)
+
+    if (child) {
+      logger.debug('sending SIGTERM to command process')
+      signalSent = 'SIGTERM'
+      child.kill('SIGTERM') // Send SIGTERM to the command process
+    } else {
+      logger.debug('no command process to send SIGTERM to')
+    }
+  }
+
+  const handleOtherSignal = (signal) => {
+    logger.debug(`received ${signal}`)
+    child.kill(signal)
+  }
+  /* c8 ignore stop */
+
+  try {
+    // ensure the first command is expanded
+    try {
+      commandArgs[0] = path.resolve(which.sync(`${commandArgs[0]}`))
+      logger.debug(`expanding process command to [${commandArgs.join(' ')}]`)
+    } catch (e) {
+      logger.debug(`could not expand process command. using [${commandArgs.join(' ')}]`)
+    }
+
+    // expand any other commands that follow a --
+    let expandNext = false
+    for (let i = 0; i < commandArgs.length; i++) {
+      if (commandArgs[i] === '--') {
+        expandNext = true
+      } else if (expandNext) {
+        try {
+          commandArgs[i] = path.resolve(which.sync(`${commandArgs[i]}`))
+          logger.debug(`expanding process command to [${commandArgs.join(' ')}]`)
+        } catch (e) {
+          logger.debug(`could not expand process command. using [${commandArgs.join(' ')}]`)
+        }
+        expandNext = false
+      }
+    }
+
+    child = execute.execa(commandArgs[0], commandArgs.slice(1), {
+      stdio: 'inherit'
+    })
+
+    process.on('SIGINT', sigintHandler)
+    process.on('SIGTERM', sigtermHandler)
+
+    signals.forEach(signal => {
+      process.on(signal, () => handleOtherSignal(signal))
+    })
+
+    // Wait for the command process to finish
+    const { exitCode } = await child
+
+    if (exitCode !== 0) {
+      logger.debug(`received exitCode ${exitCode}`)
+      throw new Error(`Command exited with exit code ${exitCode}`)
+    }
+  } catch (error) {
+    // no color on these errors as they can be standard errors for things like jest exiting with exitCode 1 for a single failed test.
+    if (!['SIGINT', 'SIGTERM'].includes(signalSent || error.signal)) {
+      if (error.code === 'ENOENT') {
+        logger.error(`Unknown command: ${error.command}`)
+      } else {
+        logger.error(error.message)
+      }
+    }
+
+    // Exit with the error code from the command process, or 1 if unavailable
+    process.exit(error.exitCode || 1)
+  } finally {
+    // Clean up: Remove the SIGINT handler
+    process.removeListener('SIGINT', sigintHandler)
+    // Clean up: Remove the SIGTERM handler
+    process.removeListener('SIGTERM', sigtermHandler)
+  }
+}
+
+module.exports = executeCommand

package/src/lib/helpers/findUrl.js

@@ -0,0 +1,10 @@
+function findUrl (args) {
+  for (const arg of args) {
+    if (arg.startsWith('http://') || arg.startsWith('https://')) {
+      return arg
+    }
+  }
+  return null
+}
+
+module.exports = findUrl

package/src/lib/helpers/headers.js

@@ -0,0 +1,38 @@
+const thumbprint = require('./thumbprint')
+const signatureParams = require('./signatureParams')
+const webBotAuthSignature = require('./webBotAuthSignature')
+
+// const { signatureHeaders } = require('web-bot-auth')
+// const { signerFromJWK } = require('web-bot-auth/crypto')
+
+async function headers (httpMethod, uri, privateKeyString, tag = 'vestauth', nonce = null) {
+  // shared
+  const privateKey = JSON.parse(privateKeyString)
+  const kid = thumbprint(privateKey)
+  privateKey.kid = kid
+
+  // // theirs
+  // const request = new Request(uri)
+  // const now = new Date()
+  // const headersTheirs = await signatureHeaders(
+  //   request,
+  //   await signerFromJWK(JSON.parse(privateKeyString)),
+  //   {
+  //     created: now,
+  //     expires: new Date(now.getTime() + 300_000), // now + 5 min
+  //   }
+  // )
+
+  // ours
+  const signature = signatureParams(privateKey.kid, tag, nonce)
+  const sig1 = webBotAuthSignature(httpMethod, uri, signature, privateKey)
+
+  const headersOurs = {
+    Signature: `sig1=:${sig1}:`,
+    'Signature-Input': `sig1=${signature}`
+  }
+
+  return headersOurs
+}
+
+module.exports = headers

package/src/lib/helpers/keypair.js

@@ -1,33 +1,49 @@
-const { PrivateKey } = require('eciesjs')
+const crypto = require('crypto')
 
-const stripFormatting = require('./stripFormatting')
+const thumbprint = require('./thumbprint')
 
 function keypair (existingPrivateKey, prefix = 'agent') {
-  let kp
+  let publicJwk
+  let privateJwk
 
   if (existingPrivateKey) {
-    const existingPrivateKeyStripped = stripFormatting(existingPrivateKey)
-    kp = new PrivateKey(Buffer.from(existingPrivateKeyStripped, 'hex'))
+    // example
+    // {
+    //   "crv": "Ed25519",
+    //   "d": "eScKeQcawvvRiBuA_-gWaAP7PZ3UUGPqJv7jks5tFVI",
+    //   "x": "MYf21IkWEi6dXOtzUdbll3SMCaFiSFi4KgqktFZinCE",
+    //   "kty": "OKP",
+    //   "kid": "rBE7_zLOVYk4oYEdI-01qpXHWNMyZYD-4LEf6HiyZ9Q"
+    // }
+    // (publicKey just remove 'd')
+
+    privateJwk = JSON.parse(existingPrivateKey)
+    publicJwk = {
+      crv: privateJwk.crv,
+      x: privateJwk.x,
+      kty: privateJwk.kty,
+      kid: privateJwk.kid
+    }
+    const kid = thumbprint(publicJwk)
+    publicJwk.kid = kid
+    privateJwk.kid = kid
   } else {
-    kp = new PrivateKey()
-  }
-
-  let publicKey = kp.publicKey.toHex()
-  let privateKey = kp.secret.toString('hex')
+    const {
+      publicKey,
+      privateKey
+    } = crypto.generateKeyPairSync('ed25519')
 
-  if (prefix === 'agent') {
-    publicKey = `agent_pub_${publicKey}`
-    privateKey = `agent_prv_${privateKey}`
-  }
+    publicJwk = publicKey.export({ format: 'jwk' })
+    privateJwk = privateKey.export({ format: 'jwk' })
 
-  if (prefix === 'provider') {
-    publicKey = `provider_pub_${publicKey}`
-    privateKey = `provider_prv_${privateKey}`
+    const kid = thumbprint(publicJwk)
+    publicJwk.kid = kid
+    privateJwk.kid = kid
   }
 
   return {
-    publicKey,
-    privateKey
+    publicKey: publicJwk,
+    privateKey: privateJwk
   }
 }
 

package/src/lib/helpers/keypairOld.js

@@ -0,0 +1,34 @@
+const { PrivateKey } = require('eciesjs')
+
+const stripFormatting = require('./stripFormatting')
+
+function keypairOld (existingPrivateKey, prefix = 'agent') {
+  let kp
+
+  if (existingPrivateKey) {
+    const existingPrivateKeyStripped = stripFormatting(existingPrivateKey)
+    kp = new PrivateKey(Buffer.from(existingPrivateKeyStripped, 'hex'))
+  } else {
+    kp = new PrivateKey()
+  }
+
+  let publicKey = kp.publicKey.toHex()
+  let privateKey = kp.secret.toString('hex')
+
+  if (prefix === 'agent') {
+    publicKey = `agent_pub_${publicKey}`
+    privateKey = `agent_prv_${privateKey}`
+  }
+
+  if (prefix === 'provider') {
+    publicKey = `provider_pub_${publicKey}`
+    privateKey = `provider_prv_${privateKey}`
+  }
+
+  return {
+    publicKey,
+    privateKey
+  }
+}
+
+module.exports = keypairOld

package/src/lib/helpers/providerChallenge.js

@@ -0,0 +1,7 @@
+// const challenge = require('./challenge')
+
+async function providerChallenge (website) {
+  console.log('implement provider challenge')
+}
+
+module.exports = providerChallenge

package/src/lib/helpers/signatureParams.js

@@ -0,0 +1,19 @@
+const crypto = require('crypto')
+
+const epoch = require('./epoch')
+
+function signatureParams (kid, tag = 'vestauth', nonce = null) {
+  const { created, expires } = epoch()
+
+  if (!nonce) nonce = crypto.randomBytes(64).toString('base64url')
+
+  return '("@authority");' +
+    `created=${created};` +
+    `keyid="${kid}";` +
+    'alg="ed25519";' +
+    `expires=${expires};` +
+    `nonce="${nonce}";` +
+    `tag="${tag}"`
+}
+
+module.exports = signatureParams

package/src/lib/helpers/thumbprint.js

@@ -0,0 +1,10 @@
+const crypto = require('crypto')
+
+function thumbprint (publicJwk) {
+  // RFC 7638 canonical JSON for OKP (Ed25519)
+  const canon = `{"crv":"${publicJwk.crv}","kty":"${publicJwk.kty}","x":"${publicJwk.x}"}`
+  const sha256 = crypto.createHash('sha256').update(canon).digest()
+  return Buffer.from(sha256).toString('base64url')
+}
+
+module.exports = thumbprint

package/src/lib/helpers/verifyAgent.js

@@ -1,9 +1,9 @@
 const PostVerify = require('../api/postVerify')
-const keypair = require('./keypair')
+const keypairOld = require('./keypairOld')
 const sign = require('./sign')
 
 async function verifyAgent (providerPrivateKey, providerChallenge, authorizationHeader) {
-  const kp = keypair(providerPrivateKey, 'provider')
+  const kp = keypairOld(providerPrivateKey, 'provider')
   const providerSignature = await sign(providerChallenge, kp.privateKey)
 
   const raw = authorizationHeader.replace(/^Agent\s+/i, '').trim() // remove 'Agent ' prefix

package/src/lib/helpers/webBotAuthSignature.js

@@ -0,0 +1,28 @@
+const crypto = require('crypto')
+const edPrivateKeyObject = require('./edPrivateKeyObject')
+
+function webBotAuthSignature (method = 'GET', uri = '', signatureParams, privateKey) {
+  const u = new URL(uri)
+  const authority = u.host // includes port if present
+
+  const message = [
+    `"@authority": ${authority}`,
+    `"@signature-params": ${signatureParams}`
+  ].join('\n')
+
+  // const message = [
+  //   `"@method": ${method.toUpperCase()}`,
+  //   `"@target-uri": ${uri}`,
+  //   `"@signature-params": ${signatureParams}`
+  // ].join('\n')
+
+  const privateKeyObject = edPrivateKeyObject(privateKey)
+
+  return crypto.sign(
+    null,
+    Buffer.from(message, 'utf8'),
+    privateKeyObject
+  ).toString('base64')
+}
+
+module.exports = webBotAuthSignature

package/src/lib/main.js

@@ -1,8 +1,12 @@
 const verifyAuthorizationHeader = require('./helpers/verifyAuthorizationHeader')
 const verifyAgent = require('./helpers/verifyAgent')
+const agent = require('./agent')
+const provider = require('./provider')
 const primitives = require('./primitives')
 
 module.exports = {
+  agent,
+  provider,
   primitives,
   verifyAuthorizationHeader,
   verifyAgent

package/src/lib/primitives.js

@@ -1,6 +1,8 @@
 const challenge = require('./helpers/challenge')
 const hash = require('./helpers/hash')
 const keypair = require('./helpers/keypair')
+const keypairOld = require('./helpers/keypairOld')
+const headers = require('./helpers/headers')
 const sign = require('./helpers/sign')
 const verify = require('./helpers/verify')
 
@@ -8,6 +10,8 @@ module.exports = {
   challenge,
   hash,
   keypair,
+  keypairOld,
+  headers,
   sign,
   verify
 }

package/src/lib/provider.js

@@ -0,0 +1,5 @@
+const providerChallenge = require('./helpers/providerChallenge')
+
+module.exports = {
+  challenge: providerChallenge
+}