feat!: implement new account-based multi-device flow

package.json

@@ -17,14 +17,14 @@
     "docs:markdown": "pnpm run build && docusaurus generate-typedoc"
   },
   "devDependencies": {
-    "@docusaurus/core": "^2.2.0",
+    "@docusaurus/core": "^2.3.1",
     "docusaurus-plugin-typedoc": "^0.18.0",
-    "lint-staged": "^13.1.0",
+    "lint-staged": "^13.2.0",
     "prettier": "2.8.3",
     "simple-git-hooks": "^2.8.1",
     "typedoc-plugin-markdown": "^3.14.0",
     "typescript": "4.9.5",
-    "wrangler": "^2.8.0"
+    "wrangler": "^2.12.3"
   },
   "simple-git-hooks": {
     "pre-commit": "npx lint-staged"
@@ -44,7 +44,7 @@
   },
   "dependencies": {
     "depcheck": "^1.4.3",
-    "typedoc": "^0.23.22",
+    "typedoc": "^0.23.26",
     "typedoc-plugin-missing-exports": "^1.0.0"
   },
   "packageManager": "pnpm@7.24.3",

packages/access-api/package.json

@@ -18,18 +18,18 @@
   "license": "(Apache-2.0 OR MIT)",
   "dependencies": {
     "@ipld/dag-ucan": "^3.2.0",
-    "@ucanto/core": "^5.1.0",
-    "@ucanto/interface": "^6.0.0",
+    "@ucanto/core": "^5.2.0",
+    "@ucanto/interface": "^6.2.0",
     "@ucanto/principal": "^5.1.0",
-    "@ucanto/server": "^6.0.0",
-    "@ucanto/transport": "^5.1.0",
-    "@ucanto/validator": "^6.0.0",
+    "@ucanto/server": "^6.1.0",
+    "@ucanto/transport": "^5.1.1",
+    "@ucanto/validator": "^6.1.0",
     "@web3-storage/access": "workspace:^",
     "@web3-storage/capabilities": "workspace:^",
     "@web3-storage/worker-utils": "0.4.3-dev",
     "kysely": "^0.23.4",
     "kysely-d1": "^0.1.0",
-    "multiformats": "^11.0.1",
+    "multiformats": "^11.0.2",
     "p-retry": "^5.1.2",
     "preact": "^10.11.3",
     "preact-render-to-string": "^5.2.6",
@@ -94,6 +94,7 @@
         "error",
         {
           "definedTypes": [
+            "AsyncIterable",
             "AsyncIterableIterator",
             "Awaited",
             "D1Database",

packages/access-api/src/routes/validate-email.js

@@ -152,7 +152,7 @@ async function authorize(req, env) {
 
     if (confirmation.error) {
       throw new Error(`unable to validate access session: ${confirmation}`, {
-        cause: confirmation.error,
+        cause: confirmation,
       })
     }
 
@@ -168,12 +168,12 @@ async function authorize(req, env) {
       }
     )
     const confirmResult = await confirm(request, {
-      id: env.signer.verifier,
+      id: env.signer,
       principal: Verifier,
     })
     if (confirmResult.error) {
       throw new Error('error confirming', {
-        cause: confirmResult.error,
+        cause: confirmResult,
       })
     }
     const { account, agent } = accessConfirm.parse(request)
@@ -193,6 +193,8 @@ async function authorize(req, env) {
       )
     )
   } catch (error) {
+    // eslint-disable-next-line no-console
+    console.warn('error in validate-email', error)
     const err = /** @type {Error} */ (error)
     env.log.error(err)
     return new HtmlResponse(

packages/access-api/src/service/access-authorize.js

@@ -1,7 +1,6 @@
 import * as Server from '@ucanto/server'
 import * as Access from '@web3-storage/capabilities/access'
 import * as Mailto from '../utils/did-mailto.js'
-import * as DID from '@ipld/dag-ucan/did'
 import { delegationToString } from '@web3-storage/access/encoding'
 
 /**
@@ -25,7 +24,7 @@ export function accessAuthorizeProvider(ctx) {
     const confirmation = await Access.confirm
       .invoke({
         issuer: ctx.signer,
-        audience: DID.parse(capability.nb.iss),
+        audience: ctx.signer,
         // Because with is set to our DID no other actor will be able to issue
         // this delegation without our private key.
         with: ctx.signer.did(),
@@ -35,8 +34,9 @@ export function accessAuthorizeProvider(ctx) {
         nb: {
           // we copy request details and set the `aud` field to the agent DID
           // that requested the authorization.
-          ...capability.nb,
+          iss: capability.nb.iss,
           aud: capability.with,
+          att: capability.nb.att,
         },
       })
       .delegate()

packages/access-api/src/service/access-confirm.js

@@ -1,10 +1,11 @@
 import * as Ucanto from '@ucanto/interface'
 import * as ucanto from '@ucanto/core'
-import { Verifier, Absentee } from '@ucanto/principal'
+import { Absentee } from '@ucanto/principal'
 import { collect } from 'streaming-iterables'
 import * as Access from '@web3-storage/capabilities/access'
 import { delegationsToString } from '@web3-storage/access/encoding'
 import * as delegationsResponse from '../utils/delegations-response.js'
+import * as validator from '@ucanto/validator'
 
 /**
  * @typedef {import('@web3-storage/capabilities/types').AccessConfirmSuccess} AccessConfirmSuccess
@@ -18,7 +19,9 @@ export function parse(invocation) {
   const capability = invocation.capabilities[0]
   // Create a absentee signer for the account that authorized the delegation
   const account = Absentee.from({ id: capability.nb.iss })
-  const agent = Verifier.parse(capability.nb.aud)
+  const agent = {
+    did: () => validator.DID.match({ method: 'key' }).from(capability.nb.aud),
+  }
   return {
     account,
     agent,
@@ -50,31 +53,21 @@ export async function handleAccessConfirm(invocation, ctx) {
       }))
     )
 
-  // create an delegation on behalf of the account with an absent signature.
-  const delegation = await ucanto.delegate({
-    issuer: account,
-    audience: agent,
+  const [delegation, attestation] = await createSessionProofs(
+    ctx.signer,
+    account,
+    agent,
     capabilities,
-    expiration: Infinity,
     // We include all the delegations to the account so that the agent will
     // have delegation chains to all the delegated resources.
     // We should actually filter out only delegations that support delegated
     // capabilities, but for now we just include all of them since we only
     // implement sudo access anyway.
-    proofs: await collect(
-      ctx.models.delegations.find({
-        audience: account.did(),
-      })
-    ),
-  })
-
-  const attestation = await Access.session.delegate({
-    issuer: ctx.signer,
-    audience: agent,
-    with: ctx.signer.did(),
-    nb: { proof: delegation.cid },
-    expiration: Infinity,
-  })
+    ctx.models.delegations.find({
+      audience: account.did(),
+    }),
+    Infinity
+  )
 
   // Store the delegations so that they can be pulled with access/claim
   // The fact that we're storing proofs chains that we pulled from the
@@ -89,3 +82,40 @@ export async function handleAccessConfirm(invocation, ctx) {
     delegations: delegationsResponse.encode([delegation, attestation]),
   }
 }
+
+/**
+ * @param {Ucanto.Signer} service
+ * @param {Ucanto.Principal<Ucanto.DID<'mailto'>>} account
+ * @param {Ucanto.Principal<Ucanto.DID<'key'>>} agent
+ * @param {Ucanto.Capabilities} capabilities
+ * @param {AsyncIterable<Ucanto.Delegation>} delegationProofs
+ * @param {number} expiration
+ * @returns {Promise<[delegation: Ucanto.Delegation, attestation: Ucanto.Delegation]>}
+ */
+export async function createSessionProofs(
+  service,
+  account,
+  agent,
+  capabilities,
+  delegationProofs,
+  expiration
+) {
+  // create an delegation on behalf of the account with an absent signature.
+  const delegation = await ucanto.delegate({
+    issuer: Absentee.from({ id: account.did() }),
+    audience: agent,
+    capabilities,
+    expiration,
+    proofs: [...(await collect(delegationProofs))],
+  })
+
+  const attestation = await Access.session.delegate({
+    issuer: service,
+    audience: agent,
+    with: service.did(),
+    nb: { proof: delegation.cid },
+    expiration,
+  })
+
+  return [delegation, attestation]
+}

packages/access-api/src/types/ucanto.ts

@@ -0,0 +1,8 @@
+import * as Ucanto from '@ucanto/interface'
+
+export type ServiceInvoke<
+  Service extends Record<string, any>,
+  InvocationCapabilities extends Ucanto.Capability = Ucanto.Capability
+> = <Capability extends InvocationCapabilities>(
+  invocation: Ucanto.ServiceInvocation<Capability>
+) => Promise<Ucanto.InferServiceInvocationReturn<Capability, Service>>

packages/access-api/test/access-authorize.test.js

@@ -73,7 +73,7 @@ describe('access/authorize', function () {
       )
     const delegation = stringToDelegation(encoded)
     t.deepEqual(delegation.issuer.did(), service.did())
-    t.deepEqual(delegation.audience.did(), accountDID)
+    t.deepEqual(delegation.audience.did(), service.did())
     t.deepEqual(delegation.capabilities, [
       {
         with: conn.id.did(),
@@ -122,8 +122,9 @@ describe('access/authorize', function () {
 
     const url = new URL(email.url)
     const rsp = await mf.dispatchFetch(url, { method: 'POST' })
-    const html = await rsp.text()
+    assert.deepEqual(rsp.status, 200)
 
+    const html = await rsp.text()
     assert(html.includes('Email Validated'))
     assert(html.includes(toEmail(accountDID)))
     assert(html.includes(issuer.did()))