wao 0.32.0 → 0.32.2

package/esm/http-message-signatures/httpbis.js

@@ -0,0 +1,438 @@
+import {
+  parseDictionary,
+  parseItem,
+  serializeItem,
+  serializeList,
+  ByteSequence,
+  serializeDictionary,
+  parseList,
+  isInnerList,
+  isByteSequence,
+  Token,
+} from "structured-headers"
+import { Dictionary, parseHeader, quoteString } from "./structured-header.js"
+
+// Default params if not provided
+const defaultParams = ["created", "keyid", "alg", "expires"]
+
+// Helper to check if message is a request
+const isRequest = message => {
+  return message.method !== undefined
+}
+
+/**
+ * Components can be derived from requests or responses (which can also be bound to their request).
+ * The signature is essentially (component, params, signingSubject, supplementaryData)
+ *
+ * MODIFIED: This implementation matches Erlang behavior where @ components are treated as field lookups
+ */
+export function deriveComponent(component, params, message, req) {
+  // MODIFIED: Match Erlang behavior - all @ components become field lookups
+  // The Erlang strips @ and calls extract_field for ALL derived components
+
+  // Remove @ prefix to match Erlang behavior
+  const fieldName = component.startsWith("@") ? component.slice(1) : component
+
+  // For all @ components, do a field lookup instead of deriving
+  // This matches the Erlang identifier_to_component behavior
+  if (component.startsWith("@")) {
+    try {
+      if (params.has("req") && req) {
+        return extractHeader(fieldName, params, req, undefined)
+      }
+      return extractHeader(fieldName, params, message, req)
+    } catch (e) {
+      // If field not found, return empty or throw based on component type
+      throw new Error(
+        `No field "${fieldName}" found for component "${component}"`
+      )
+    }
+  }
+
+  // This code path should not be reached for @ components anymore
+  // but keeping it for non-@ components
+  throw new Error(`Unsupported component "${component}"`)
+}
+
+export function extractHeader(header, params, messageOrHeaders, req) {
+  const headers = messageOrHeaders.headers || messageOrHeaders
+  const context = params.has("req") ? req?.headers : headers
+  if (!context) {
+    throw new Error("Missing request in request-response bound component")
+  }
+  const headerTuple = Object.entries(context).find(
+    ([name]) => name.toLowerCase() === header
+  )
+  if (!headerTuple) {
+    throw new Error(`No header "${header}" found in headers`)
+  }
+  const values = Array.isArray(headerTuple[1])
+    ? headerTuple[1]
+    : [headerTuple[1]]
+  if (params.has("bs") && (params.has("sf") || params.has("key"))) {
+    throw new Error("Cannot have both `bs` and (implicit) `sf` parameters")
+  }
+  if (params.has("sf") || params.has("key")) {
+    // strict encoding of field
+    const value = values.join(", ")
+    const parsed = parseHeader(value)
+    if (params.has("key") && !(parsed instanceof Dictionary)) {
+      throw new Error("Unable to parse header as dictionary")
+    }
+    if (params.has("key")) {
+      const key = params.get("key").toString()
+      if (!parsed.has(key)) {
+        throw new Error(`Unable to find key "${key}" in structured field`)
+      }
+      return [parsed.get(key)]
+    }
+    return [parsed.toString()]
+  }
+  if (params.has("bs")) {
+    return [
+      values
+        .map(val => {
+          const encoded = Buffer.from(val.trim().replace(/\n\s*/gm, " "))
+          return `:${encoded.toString("base64")}:`
+        })
+        .join(", "),
+    ]
+  }
+  // raw encoding
+  return [values.map(val => val.trim().replace(/\n\s*/gm, " ")).join(", ")]
+}
+
+function normaliseParams(params) {
+  const map = new Map()
+  params.forEach((value, key) => {
+    if (value instanceof ByteSequence) {
+      map.set(key, value.toBase64())
+    } else if (value instanceof Token) {
+      map.set(key, value.toString())
+    } else {
+      map.set(key, value)
+    }
+  })
+  return map
+}
+
+export function createSignatureBase(config, res, req) {
+  return config.fields.reduce((base, fieldName) => {
+    const [field, params] = parseItem(quoteString(fieldName))
+    const fieldParams = normaliseParams(params)
+    const lcFieldName = field.toLowerCase()
+    if (lcFieldName !== "@signature-params") {
+      let value = null
+      if (config.componentParser) {
+        value =
+          config.componentParser(lcFieldName, fieldParams, res, req) ?? null
+      }
+      if (value === null) {
+        value = field.startsWith("@")
+          ? deriveComponent(lcFieldName, fieldParams, res, req)
+          : extractHeader(lcFieldName, fieldParams, res, req)
+      }
+      base.push([serializeItem([field, params]), value])
+    }
+    return base
+  }, [])
+}
+
+export function formatSignatureBase(base) {
+  return base
+    .map(([key, value]) => {
+      const quotedKey = serializeItem(parseItem(quoteString(key)))
+
+      // MODIFIED: Special handling to match Erlang behavior
+      // If the key is "@path", format it as "path" (without @) in the signature base
+      let formattedKey = quotedKey
+      if (quotedKey === '"@path"') {
+        formattedKey = '"path"'
+      }
+
+      return value.map(val => `${formattedKey}: ${val}`).join("\n")
+    })
+    .join("\n")
+}
+
+export function createSigningParameters(config) {
+  const now = new Date()
+  return (config.params ?? defaultParams).reduce((params, paramName) => {
+    let value = ""
+    switch (paramName.toLowerCase()) {
+      case "created":
+        // created is optional but recommended. If created is supplied but is null, that's an explicit
+        // instruction to *not* include the created parameter
+        if (config.paramValues?.created !== null) {
+          const created = config.paramValues?.created ?? now
+          value = Math.floor(created.getTime() / 1000)
+        }
+        break
+      case "expires":
+        // attempt to obtain an explicit expires time, otherwise create one that is 300 seconds after
+        // creation. Don't add an expires time if there is no created time
+        if (
+          config.paramValues?.expires ||
+          config.paramValues?.created !== null
+        ) {
+          const expires =
+            config.paramValues?.expires ??
+            new Date((config.paramValues?.created ?? now).getTime() + 300000)
+          value = Math.floor(expires.getTime() / 1000)
+        }
+        break
+      case "keyid": {
+        // attempt to obtain the keyid omit if missing
+        const kid = config.paramValues?.keyid ?? config.key.id ?? null
+        if (kid) {
+          value = kid.toString()
+        }
+        break
+      }
+      case "alg": {
+        // if there is no alg, but it's listed as a required parameter, we should probably
+        // throw an error - the problem is that if it's in the default set of params, do we
+        // really want to throw if there's no keyid?
+        const alg = config.paramValues?.alg ?? config.key.alg ?? null
+        if (alg) {
+          value = alg.toString()
+        }
+        break
+      }
+      default:
+        if (config.paramValues?.[paramName] instanceof Date) {
+          value = Math.floor(config.paramValues[paramName].getTime() / 1000)
+        } else if (config.paramValues?.[paramName]) {
+          value = config.paramValues[paramName]
+        }
+    }
+    if (value) {
+      params.set(paramName, value)
+    }
+    return params
+  }, new Map())
+}
+
+export function augmentHeaders(headers, signature, signatureInput, name) {
+  let signatureHeaderName = "Signature"
+  let signatureInputHeaderName = "Signature-Input"
+  let signatureHeader = new Map()
+  let inputHeader = new Map()
+  // check to see if there are already signature/signature-input headers
+  // if there are we want to store the current (case-sensitive) name of the header
+  // and we want to parse out the current values so we can append our new signature
+  for (const header in headers) {
+    switch (header.toLowerCase()) {
+      case "signature": {
+        signatureHeaderName = header
+        signatureHeader = parseDictionary(
+          Array.isArray(headers[header])
+            ? headers[header].join(", ")
+            : headers[header]
+        )
+        break
+      }
+      case "signature-input":
+        signatureInputHeaderName = header
+        inputHeader = parseDictionary(
+          Array.isArray(headers[header])
+            ? headers[header].join(", ")
+            : headers[header]
+        )
+        break
+    }
+  }
+  // find a unique signature name for the header. Check if any existing headers already use
+  // the name we intend to use, if there are, add incrementing numbers to the signature name
+  // until we have a unique name to use
+  let signatureName = name ?? "sig"
+  if (signatureHeader.has(signatureName) || inputHeader.has(signatureName)) {
+    let count = 0
+    while (
+      signatureHeader.has(`${signatureName}${count}`) ||
+      inputHeader.has(`${signatureName}${count}`)
+    ) {
+      count++
+    }
+    signatureName += count.toString()
+  }
+  // append our signature and signature-inputs to the headers and return
+  signatureHeader.set(signatureName, [
+    new ByteSequence(signature.toString("base64")),
+    new Map(),
+  ])
+  inputHeader.set(signatureName, parseList(signatureInput)[0])
+  return {
+    ...headers,
+    [signatureHeaderName]: serializeDictionary(signatureHeader),
+    [signatureInputHeaderName]: serializeDictionary(inputHeader),
+  }
+}
+
+export async function signMessage(config, message, req) {
+  const signingParameters = createSigningParameters(config)
+  const signatureBase = createSignatureBase(
+    {
+      fields: config.fields ?? [],
+      componentParser: config.componentParser,
+    },
+    message,
+    req
+  )
+  const signatureInput = serializeList([
+    [signatureBase.map(([item]) => parseItem(item)), signingParameters],
+  ])
+  signatureBase.push(['"@signature-params"', [signatureInput]])
+  const base = formatSignatureBase(signatureBase)
+  // call sign
+  const signature = await config.key.sign(Buffer.from(base))
+  return {
+    ...message,
+    headers: augmentHeaders(
+      { ...message.headers },
+      signature,
+      signatureInput,
+      config.name
+    ),
+  }
+}
+
+export async function verifyMessage(config, message, req) {
+  const { signatures, signatureInputs } = Object.entries(
+    message.headers
+  ).reduce((accum, [name, value]) => {
+    switch (name.toLowerCase()) {
+      case "signature":
+        return Object.assign(accum, {
+          signatures: parseDictionary(
+            Array.isArray(value) ? value.join(", ") : value
+          ),
+        })
+      case "signature-input":
+        return Object.assign(accum, {
+          signatureInputs: parseDictionary(
+            Array.isArray(value) ? value.join(", ") : value
+          ),
+        })
+      default:
+        return accum
+    }
+  }, {})
+  // no signatures means an indeterminate result
+  if (!signatures?.size && !signatureInputs?.size) {
+    return null
+  }
+  // a missing header means we can't verify the signatures
+  if (!signatures?.size || !signatureInputs?.size) {
+    throw new Error("Incomplete signature headers")
+  }
+  const now = Math.floor(Date.now() / 1000)
+  const tolerance = config.tolerance ?? 0
+  const notAfter =
+    config.notAfter instanceof Date
+      ? Math.floor(config.notAfter.getTime() / 1000)
+      : (config.notAfter ?? now)
+  const maxAge = config.maxAge ?? null
+  const requiredParams = config.requiredParams ?? []
+  const requiredFields = config.requiredFields ?? []
+  return Array.from(signatureInputs.entries()).reduce(
+    async (prev, [name, input]) => {
+      const signatureParams = Array.from(input[1].entries()).reduce(
+        (params, [key, value]) => {
+          if (value instanceof ByteSequence) {
+            Object.assign(params, {
+              [key]: value.toBase64(),
+            })
+          } else if (value instanceof Token) {
+            Object.assign(params, {
+              [key]: value.toString(),
+            })
+          } else if (key === "created" || key === "expired") {
+            Object.assign(params, {
+              [key]: new Date(value * 1000),
+            })
+          } else {
+            Object.assign(params, {
+              [key]: value,
+            })
+          }
+          return params
+        },
+        {}
+      )
+      const [result, key] = await Promise.all([
+        prev.catch(e => e),
+        config.keyLookup(signatureParams),
+      ])
+      // @todo - confirm this is all working as expected
+      if (config.all && !key) {
+        throw new Error("Unknown key")
+      }
+      if (!key) {
+        if (result instanceof Error) {
+          throw result
+        }
+        return result
+      }
+      if (
+        input[1].has("alg") &&
+        key.algs?.includes(input[1].get("alg")) === false
+      ) {
+        throw new Error("Unsupported key algorithm")
+      }
+      if (!isInnerList(input)) {
+        throw new Error("Malformed signature input")
+      }
+      const hasRequiredParams = requiredParams.every(param =>
+        input[1].has(param)
+      )
+      if (!hasRequiredParams) {
+        throw new Error("Missing required signature parameters")
+      }
+      // this could be tricky, what if we say "@method" but there is "@method;req"
+      const hasRequiredFields = requiredFields.every(field =>
+        input[0].some(([fieldName]) => fieldName === field)
+      )
+      if (!hasRequiredFields) {
+        throw new Error("Missing required signed fields")
+      }
+      if (input[1].has("created")) {
+        const created = input[1].get("created") - tolerance
+        // maxAge overrides expires.
+        // signature is older than maxAge
+        if ((maxAge && now - created > maxAge) || created > notAfter) {
+          throw new Error("Signature is too old")
+        }
+      }
+      if (input[1].has("expires")) {
+        const expires = input[1].get("expires") + tolerance
+        // expired signature
+        if (now > expires) {
+          throw new Error("Signature has expired")
+        }
+      }
+      // now look to verify the signature! Build the expected "signing base" and verify it!
+      const fields = input[0].map(item => serializeItem(item))
+      const signingBase = createSignatureBase(
+        { fields, componentParser: config.componentParser },
+        message,
+        req
+      )
+      signingBase.push(['"@signature-params"', [serializeList([input])]])
+      const base = formatSignatureBase(signingBase)
+      const signature = signatures.get(name)
+      if (!signature) {
+        throw new Error("No corresponding signature for input")
+      }
+      if (!isByteSequence(signature[0])) {
+        throw new Error("Malformed signature")
+      }
+      return key.verify(
+        Buffer.from(base),
+        Buffer.from(signature[0].toBase64(), "base64"),
+        signatureParams
+      )
+    },
+    Promise.resolve(null)
+  )
+}

package/esm/http-message-signatures/index.js

@@ -0,0 +1,4 @@
+export * from "./httpbis.js"
+import * as httpbis from "./httpbis.js"
+export { httpbis }
+export { httpbis as default }

package/esm/http-message-signatures/structured-header.js

@@ -0,0 +1,105 @@
+import {
+  isInnerList,
+  parseDictionary,
+  parseItem,
+  parseList,
+  serializeDictionary,
+  serializeInnerList,
+  serializeItem,
+  serializeList,
+} from "structured-headers"
+
+export class Dictionary {
+  constructor(input) {
+    this.raw = input
+    this.parsed = parseDictionary(input)
+  }
+
+  toString() {
+    return this.serialize()
+  }
+
+  serialize() {
+    return serializeDictionary(this.parsed)
+  }
+
+  has(key) {
+    return this.parsed.has(key)
+  }
+
+  get(key) {
+    const value = this.parsed.get(key)
+    if (!value) {
+      return value
+    }
+    if (isInnerList(value)) {
+      return serializeInnerList(value)
+    }
+    return serializeItem(value)
+  }
+}
+
+export class List {
+  constructor(input) {
+    this.raw = input
+    this.parsed = parseList(input)
+  }
+
+  toString() {
+    return this.serialize()
+  }
+
+  serialize() {
+    return serializeList(this.parsed)
+  }
+}
+
+export class Item {
+  constructor(input) {
+    this.raw = input
+    this.parsed = parseItem(input)
+  }
+
+  toString() {
+    return this.serialize()
+  }
+
+  serialize() {
+    return serializeItem(this.parsed)
+  }
+}
+
+export function parseHeader(header) {
+  const classes = [List, Dictionary, Item]
+  for (let i = 0; i < classes.length; i++) {
+    try {
+      return new classes[i](header)
+    } catch (e) {
+      // noop
+    }
+  }
+  throw new Error("Unable to parse header as structured field")
+}
+
+/**
+ * This allows consumers of the library to supply field specifications that aren't
+ * strictly "structured fields". Really a string must start with a `"` but that won't
+ * tend to happen in our configs.
+ *
+ * @param {string} input
+ * @returns {string}
+ */
+export function quoteString(input) {
+  // if it's not quoted, attempt to quote
+  if (!input.startsWith('"')) {
+    // try to split the structured field
+    const [name, ...rest] = input.split(";")
+    // no params, just quote the whole thing
+    if (!rest.length) {
+      return `"${name}"`
+    }
+    // quote the first part and put the rest back as it was
+    return `"${name}";${rest.join(";")}`
+  }
+  return input
+}

package/esm/send.js

@@ -1,5 +1,5 @@
 import base64url from "base64url"
-import { httpbis } from "http-message-signatures"
+import { httpbis } from "./http-message-signatures/index.js"
 import { parseItem, serializeList } from "structured-headers"
 const {
   augmentHeaders,
@@ -36,7 +36,7 @@ export async function send(signedMsg, fetchImpl = fetch) {
   return { ...from(http), ...http }
 }
 
-const httpSigName = address => {
+export const httpSigName = address => {
   const decoded = base64url.toBuffer(address)
   const hexString = [...decoded.subarray(1, 9)]
     .map(byte => byte.toString(16).padStart(2, "0"))
@@ -76,7 +76,13 @@ export const toHttpSigner = signer => {
         },
       })
 
-      const signatureBaseArray = createSignatureBase({ fields }, request)
+      // SORT THE FIELDS HERE to match Erlang's lists:sort(maps:keys(Enc))
+      const sortedFields = [...fields].sort()
+
+      const signatureBaseArray = createSignatureBase(
+        { fields: sortedFields },
+        request
+      )
       signatureInput = serializeList([
         [
           signatureBaseArray.map(([item]) => parseItem(item)),
@@ -89,7 +95,6 @@ export const toHttpSigner = signer => {
       return new TextEncoder().encode(signatureBase)
     }
     const result = await signer(create, "httpsig")
-
     if (!createCalled) {
       throw new Error(
         "create() must be invoked in order to construct the data to sign"
@@ -107,7 +112,6 @@ export const toHttpSigner = signer => {
       signatureInput,
       httpSigName(result.address)
     )
-
     const finalHeaders = {}
     for (const [key, value] of Object.entries(signedHeaders)) {
       if (key === "Signature" || key === "Signature-Input") {

package/esm/signer-utils.js

@@ -1,6 +1,6 @@
 import base64url from "base64url"
 import crypto from "crypto"
-import { httpbis } from "http-message-signatures"
+import { httpbis } from "./http-message-signatures/index.js"
 import { parseItem, serializeList } from "structured-headers"
 const {
   augmentHeaders,

package/esm/signer.js

@@ -11,7 +11,7 @@ const joinUrl = ({ url, path }) => {
     : url + normalizedPath
 }
 
-export async function sign({ url, path, msg: encoded, jwk, signPath = false }) {
+export async function sign({ url, path, msg: encoded, jwk, signPath = true }) {
   const signer = createSigner(jwk, url)
   const { body = null, ...headers } = encoded
   let _enc = { headers }
@@ -25,11 +25,12 @@ async function _sign({
   path,
   url,
   method = "POST",
-  _path = false,
+  _path = true,
 }) {
   const headersObj = encoded ? encoded.headers : {}
   const body = encoded ? encoded.body : undefined
-  const _url = joinUrl({ url, path })
+  let url_path = typeof _path === "string" ? _path : path
+  const _url = joinUrl({ url, path: url_path })
   headersObj["path"] = path
   if (body && !headersObj["content-length"]) {
     const bodySize = body.size || body.byteLength || 0
@@ -45,18 +46,12 @@ async function _sign({
         .split(",")
         .map(k => k.trim())
     : []
-
-  const signingFields = Object.keys(lowercaseHeaders).filter(
-    key => key !== "body-keys" && key !== "path" && !bodyKeys.includes(key)
-  )
-
-  if (_path) signingFields.push("path")
-  /*
-  if (signingFields.length === 0 && !body) {
-    //lowercaseHeaders["content-length"] = "0"
-    //signingFields.push("content-length")
-  }
-  */
+  let isPath = false
+  const signingFields = Object.keys(lowercaseHeaders).filter(key => {
+    if (key === "path") isPath = true
+    return key !== "body-keys" && key !== "path" && !bodyKeys.includes(key)
+  })
+  if (_path !== false && isPath) signingFields.push("@path")
   const signedRequest = await toHttpSigner(signer)({
     request: { url: _url, method, headers: lowercaseHeaders },
     fields: signingFields,
@@ -85,7 +80,7 @@ export function signer(config) {
   if (!signer) throw new Error("Signer is required for mainnet mode")
   return async (
     fields,
-    { encoded: _encoded = false, path: _path = false } = {}
+    { encoded: _encoded = false, path: _path = true } = {}
   ) => {
     const { path = "/relay/process", method = "POST", ...aoFields } = fields
     const encoded = _encoded ? aoFields : await enc(aoFields)

package/esm/workspace/package.json

@@ -9,6 +9,6 @@
     "deploy": "node scripts/deploy.js"
   },
   "dependencies": {
-    "wao": "^0.32.0"
+    "wao": "^0.32.2"
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wao",
-  "version": "0.32.0",
+  "version": "0.32.2",
   "bin": {
     "wao": "./cjs/cli.js",
     "wao-esm": "./esm/cli.js"
@@ -56,6 +56,7 @@
     "md5": "^2.3.0",
     "pm2": "^5.4.3",
     "ramda": "^0.30.1",
+    "structured-headers": "1.0.1",
     "warp-arbundles": "^1.0.4",
     "wasm-brotli": "^2.0.2",
     "yargs": "^17.7.2"