feat!: upgrade capabilities to latest ucanto (#463)

package.json

@@ -23,7 +23,7 @@
     "prettier": "2.8.3",
     "simple-git-hooks": "^2.8.1",
     "typedoc-plugin-markdown": "^3.14.0",
-    "typescript": "4.9.4",
+    "typescript": "4.9.5",
     "wrangler": "^2.8.0"
   },
   "simple-git-hooks": {

packages/access-api/package.json

@@ -10,19 +10,20 @@
     "lint": "tsc --build && eslint '**/*.{js,ts}' && prettier --check '**/*.{js,ts,yml,json}' --ignore-path ../../.gitignore",
     "dev": "scripts/cli.js dev",
     "build": "scripts/cli.js build",
+    "check": "tsc --build",
     "test": "pnpm build && mocha --bail --timeout 10s -n no-warnings -n experimental-vm-modules",
     "test-watch": "pnpm build && mocha --bail --timeout 10s --watch --parallel -n no-warnings -n experimental-vm-modules --watch-files src,test"
   },
   "author": "Hugo Dias <[email protected]> (hugodias.me)",
   "license": "(Apache-2.0 OR MIT)",
   "dependencies": {
     "@ipld/dag-ucan": "^3.2.0",
-    "@ucanto/core": "^4.2.3",
-    "@ucanto/interface": "^4.2.3",
-    "@ucanto/principal": "^4.2.3",
-    "@ucanto/server": "^4.2.3",
-    "@ucanto/transport": "^4.2.3",
-    "@ucanto/validator": "^4.2.3",
+    "@ucanto/core": "^5.0.0",
+    "@ucanto/interface": "^5.0.0",
+    "@ucanto/principal": "^5.0.0",
+    "@ucanto/server": "^5.0.0",
+    "@ucanto/transport": "^5.0.0",
+    "@ucanto/validator": "^5.0.0",
     "@web3-storage/access": "workspace:^",
     "@web3-storage/capabilities": "workspace:^",
     "@web3-storage/worker-utils": "0.4.3-dev",
@@ -45,7 +46,7 @@
     "@types/mocha": "^10.0.1",
     "@types/node": "^18.11.18",
     "@types/qrcode": "^1.5.0",
-    "@ucanto/client": "^4.2.3",
+    "@ucanto/client": "^5.0.0",
     "better-sqlite3": "8.0.1",
     "buffer": "^6.0.3",
     "dotenv": "^16.0.3",
@@ -59,7 +60,7 @@
     "process": "^0.11.10",
     "readable-stream": "^4.2.0",
     "sade": "^1.8.1",
-    "typescript": "4.9.4",
+    "typescript": "4.9.5",
     "wrangler": "^2.8.0"
   },
   "eslintConfig": {

packages/access-api/src/routes/validate-email.js

@@ -1,5 +1,8 @@
 /* eslint-disable no-unused-vars */
-import { stringToDelegation } from '@web3-storage/access/encoding'
+import {
+  stringToDelegation,
+  delegationsToString,
+} from '@web3-storage/access/encoding'
 import * as Access from '@web3-storage/capabilities/access'
 import QRCode from 'qrcode'
 import { toEmail } from '../utils/did-mailto.js'
@@ -11,7 +14,7 @@ import {
 } from '../utils/html.js'
 import * as ucanto from '@ucanto/core'
 import * as validator from '@ucanto/validator'
-import { Verifier } from '@ucanto/principal/ed25519'
+import { Verifier, Absentee } from '@ucanto/principal'
 
 /**
  * @param {import('@web3-storage/worker-utils/router').ParsedRequest} req
@@ -132,53 +135,84 @@ async function recover(req, env) {
  * @param {import('../bindings.js').RouteContext} env
  */
 async function session(req, env) {
-  /** @type {import('@ucanto/interface').Delegation<[import('@web3-storage/capabilities/src/types.js').AccessSession]>} */
+  /** @type {import('@ucanto/interface').Delegation<[import('@web3-storage/capabilities/src/types.js').AccessAuthorize]>} */
   const delegation = stringToDelegation(req.query.ucan)
-  await env.models.validations.putSession(
-    req.query.ucan,
-    delegation.capabilities[0].nb.key
-  )
+
+  // ⚠️ This is not an ideal solution but we do need to ensure that attacker
+  // cannot simply send a valid `access/authorize` delegation to the service
+  // and get an attested session.
+  if (delegation.issuer.did() !== env.signer.did()) {
+    throw new Error('Delegation MUST be issued by the service')
+  }
+
+  // TODO: Figure when do we go through a post vs get request. WebSocket message
+  // was send regardless of the method, but delegations were only stored on post
+  // requests.
   if (req.method.toLowerCase() === 'post') {
     const accessSessionResult = await validator.access(delegation, {
-      capability: Access.session,
+      capability: Access.authorize,
       principal: Verifier,
       authority: env.signer,
     })
+
     if (accessSessionResult.error) {
       throw new Error(
         `unable to validate access session: ${accessSessionResult.error}`
       )
     }
-    const account = accessSessionResult.audience
-    const agentPubkey = accessSessionResult.capability.nb.key
-    const wrappedKeyCanAsignForAccount = await ucanto.delegate({
+
+    // Create a absentee signer for the account that authorized the delegation
+    const account = Absentee.from({ id: accessSessionResult.capability.nb.iss })
+    const agent = Verifier.parse(accessSessionResult.capability.with)
+
+    // It the future we should instead render a page and allow a user to select
+    // which delegations they wish to re-delegate. Right now we just re-delegate
+    // everything that was requested for all of the resources.
+    const capabilities =
+      /** @type {ucanto.UCAN.Capabilities} */
+      (
+        accessSessionResult.capability.nb.att.map(({ can }) => ({
+          can,
+          with: /** @type {ucanto.UCAN.Resource} */ ('ucan:*'),
+        }))
+      )
+
+    // create an authorization on behalf of the account with an absent
+    // signature.
+    const authorization = await ucanto.delegate({
+      issuer: account,
+      audience: agent,
+      capabilities,
+      expiration: Infinity,
+      // We should also include proofs with all the delegations we have for
+      // the account.
+    })
+
+    const attestation = await ucanto.delegate({
       issuer: env.signer,
-      audience: { did: () => agentPubkey },
+      audience: agent,
       capabilities: [
         {
           with: env.signer.did(),
-          can: 'access-api/delegation',
+          can: 'ucan/attest',
+          nb: { proof: authorization.cid },
         },
       ],
-      proofs: [
-        await ucanto.delegate({
-          issuer: env.signer,
-          audience: account,
-          capabilities: [
-            {
-              with: env.signer.did(),
-              can: './update',
-              nb: {
-                key: agentPubkey,
-              },
-            },
-          ],
-        }),
-      ],
+      expiration: Infinity,
     })
-    await env.models.delegations.putMany(wrappedKeyCanAsignForAccount)
+
+    // Store the delegations so that they can be pulled with access/claim
+    await env.models.delegations.putMany(authorization, attestation)
+
+    // Send delegations to the client through a websocket
+    await env.models.validations.putSession(
+      delegationsToString([authorization, attestation]),
+      agent.did()
+    )
   }
 
+  // TODO: We clearly should not render that access/delegate in the QR code, but
+  // I'm not sure what this QR code is used for.
   try {
     return new HtmlResponse(
       (

packages/access-api/src/service/access-authorize.js

@@ -14,21 +14,27 @@ export function accessAuthorizeProvider(ctx) {
   return Server.provide(
     Access.authorize,
     async ({ capability, invocation }) => {
-      const session = await Access.session
+      /**
+       * We re-delegate the capability to the account DID and limit it's
+       * lifetime to 15 minutes which should be enough time for the user to
+       * complete the authorization. We don't want to allow authorization for
+       * long time because it could be used by an attacker to gain authorization
+       * by sending second request misleading a user to click a wrong one.
+       */
+      const authorization = await Access.authorize
         .invoke({
           issuer: ctx.signer,
-          audience: DID.parse(capability.nb.as),
-          with: ctx.signer.did(),
-          lifetimeInSeconds: 86_400 * 7, // 7 days
-          nb: {
-            key: capability.with,
-          },
+          audience: DID.parse(capability.nb.iss),
+          with: capability.with,
+          lifetimeInSeconds: 60 * 15, // 15 minutes
+          nb: capability.nb,
+          proofs: [invocation],
         })
         .delegate()
 
-      const encoded = delegationToString(session)
+      const encoded = delegationToString(authorization)
 
-      await ctx.models.accounts.create(capability.nb.as)
+      await ctx.models.accounts.create(capability.nb.iss)
 
       const url = `${ctx.url.protocol}//${ctx.url.host}/validate-email?ucan=${encoded}&mode=session`
       // For testing
@@ -37,7 +43,7 @@ export function accessAuthorizeProvider(ctx) {
       }
 
       await ctx.email.sendValidation({
-        to: Mailto.toEmail(capability.nb.as),
+        to: Mailto.toEmail(capability.nb.iss),
         url,
       })
     }

packages/access-api/src/service/access-claim.js

@@ -25,8 +25,9 @@ export function accessClaimProvider(ctx) {
   return Server.provide(claim, async ({ invocation }) => {
     // disable until hardened in test/staging
     if (ctx.config.ENV === 'production') {
-      throw new Error(`acccess/claim invocation handling is not enabled`)
+      throw new Error(`access/claim invocation handling is not enabled`)
     }
+
     return handleClaimInvocation(invocation)
   })
 }