authstore

example.js

@@ -10,7 +10,6 @@ const corestore = new Corestore(ram)
 const writer = corestore.get({ name: 'writer' })
 await writer.ready()
 
-// TODO: actual schema from mapeo-schema
 const observation = new DataType({
   name: 'observation',
   blockPrefix: '6f62', // could make this automatically set based on the name, but that might be too magic

index.js

@@ -2,6 +2,7 @@ import MultiCoreIndexer from 'multi-core-indexer'
 import b4a from 'b4a'
 import ram from 'random-access-memory'
 
+import { AuthStore } from './lib/authstore/index.js'
 import { DataStore } from './lib/datastore/index.js'
 import { Indexer } from './lib/indexer/index.js'
 export { DataType } from './lib/datatype/index.js'
@@ -88,4 +89,10 @@ export class Mapeo {
       return dataType.blockPrefix === typeHex
     })
   }
+
+  async sync(options) {}
+
+  async syncAuthStore(options) {}
+
+  async syncDataStores(options) {}
 }

lib/authstore/README.md

@@ -0,0 +1,17 @@
+# AuthStore
+
+> Identities and authorization.
+
+## Purpose
+
+The `AuthStore` class is responsible for defining user identities and authorizing their access to Mapeo projects.
+
+## Usage
+
+## API docs
+
+TODO!
+
+## Tests
+
+Tests for this module are in [tests/authstore.js](../../tests/authstore.js)

lib/authstore/index.js

@@ -0,0 +1,73 @@
+import { DataStore } from './datastore.js'
+import { DataType } from '../datatype.js'
+
+const capabilities = new DataType({
+  name: 'capabilities',
+  blockPrefix: 'capa',
+  schema: {
+    additionalProperties: true, // TODO: actual schema
+  },
+})
+
+// TODO: we may need to override this
+function getWinner(docA, docB) {
+  if (
+    // Checking neither null nor undefined
+    docA.timestamp != null &&
+    docB.timestamp != null
+  ) {
+    if (docA.timestamp > docB.timestamp) return docA
+    if (docB.timestamp > docA.timestamp) return docB
+  }
+  // They are equal or no timestamp property, so sort by version to ensure winner is deterministic
+  return docA.version > docB.version ? docA : docB
+}
+
+// TODO: this may need its own sqlite-indexer and multi-core-indexer instances, particularly if we have multiple data types stored in this core
+export class Authstore {
+  constructor(options) {
+    this.corestore = options.corestore
+    this.capabilities = new DataStore({
+      dataType: capabilities,
+      corestore: options.corestore,
+      indexer: options.indexer,
+    })
+  }
+
+  async ready() {
+    await this.capabilities.ready()
+  }
+
+  async create({ identityPublicKey, creator, capability }) {
+    // TODO: validate that user can write new capabilities based on current capabilities
+    return this.capabilities.create({
+      id: identityPublicKey,
+      creator,
+      capability,
+    })
+  }
+
+  async update({ identityPublicKey, creator, capability }) {
+    // TODO: validate that user can write new capabilities based on current capabilities
+    return this.capabilities.update({
+      id: identityPublicKey,
+      creator,
+      capability,
+    })
+  }
+
+  validateCapability({ identityPublicKey, capability }) {}
+
+  getCapabilities(identityPublicKey) {
+    return this.capabilities.query(`identifyPublicKey == ${identityPublicKey}`)
+  }
+
+  query(where) {
+    return this.capabilities.query(where)
+  }
+
+  async close() {
+    await this.corestore.close()
+    await this.capabilities.close()
+  }
+}

lib/datastore/index.js

@@ -80,7 +80,7 @@ export class DataStore {
     const doc = Object.assign(data, {
       id: data.id || randomBytes(8).toString('hex'),
       version: `${this.#writer.key.toString('hex')}@${this.#writer.length}`,
-      created_at: new Date().toISOString(),
+      created_at: new Date().getTime(),
     })
 
     if (!doc.links) {
@@ -109,6 +109,7 @@ export class DataStore {
   async update(data) {
     const doc = Object.assign({}, data, {
       version: `${this.#writer.key.toString('hex')}@${this.#writer.length}`,
+      updated_at: new Date().getTime(),
     })
 
     const indexing = new Promise((resolve) => {

lib/indexer/index.js

@@ -14,7 +14,7 @@ export class Indexer {
    * @param {string} options.extraColumns any additional column definitions needed for this table, passed to `CREATE TABLE` statement
    */
   constructor(options) {
-    const { dataType, sqlite, extraColumns } = options
+    const { dataType, sqlite, extraColumns, getWinner } = options
 
     this.name = dataType.name
     this.#sqlite = sqlite
@@ -48,6 +48,7 @@ export class Indexer {
       docTableName: this.name,
       backlinkTableName: `${this.name}_backlinks`,
       extraColumns: this.extraColumns,
+      getWinner,
     })
   }
 

package.json

@@ -55,7 +55,9 @@
     "hyperswarm": "^4.3.3",
     "multi-core-indexer": "github:digidem/multi-core-indexer",
     "multicast-service-discovery": "^4.0.3",
+    "mutexify": "^1.4.0",
     "sodium-native": "^3.4.1",
+    "sodium-universal": "^3.1.0",
     "tiny-typed-emitter": "^2.1.0"
   }
 }

tests/authstore.js

@@ -0,0 +1,148 @@
+import test from 'brittle'
+import { addCores, createAuthStore, replicate } from './helpers/index.js'
+
+test('get capabilities and check access levels', async (t) => {
+  t.plan(6)
+
+  const auth1 = await createAuthStore()
+  const auth2 = await createAuthStore({
+    projectKeyPair: auth1.projectKeyPair,
+  })
+
+  replicate(auth1, auth2)
+  addCores(auth1, auth2)
+
+  await auth1.authstore.append({
+    type: 'capabilities',
+    capability: 'admin',
+    identityPublicKey: auth1.identityKeyPair.publicKey.toString('hex'),
+  })
+
+  await auth1.authstore.append({
+    type: 'capabilities',
+    capability: 'member',
+    identityPublicKey: auth2.identityKeyPair.publicKey.toString('hex'),
+  })
+
+  t.is(
+    (await auth1.authstore.getCapabilities()).length,
+    4,
+    'auth1 should have 2 capabilities statements'
+  )
+
+  t.is(
+    (await auth2.authstore.getCapabilities()).length,
+    4,
+    'auth2 should have 2 capabilities statements'
+  )
+
+  t.is(
+    await auth1.authstore.hasCapability({
+      capability: 'admin',
+      identityPublicKey: auth1.identityKeyPair.publicKey.toString('hex'),
+    }),
+    true,
+    'auth1 should have admin capability'
+  )
+
+  t.is(
+    await auth1.authstore.hasCapability({
+      capability: 'admin',
+      identityPublicKey: auth2.identityKeyPair.publicKey.toString('hex'),
+    }),
+    false,
+    'auth2 should not have admin capability'
+  )
+
+  t.is(
+    await auth2.authstore.hasCapability({
+      capability: 'admin',
+      identityPublicKey: auth1.identityKeyPair.publicKey.toString('hex'),
+    }),
+    true,
+    'auth1 should have admin capability'
+  )
+
+  t.is(
+    await auth2.authstore.hasCapability({
+      capability: 'admin',
+      identityPublicKey: auth2.identityKeyPair.publicKey.toString('hex'),
+    }),
+    false,
+    'auth2 should not have admin capability'
+  )
+})
+
+test('resolve fork at lowest capability', async (t) => {
+  t.plan(3)
+
+  const auth1 = await createAuthStore()
+  const auth2 = await createAuthStore({ projectKeyPair: auth1.projectKeyPair })
+  const auth3 = await createAuthStore({ projectKeyPair: auth1.projectKeyPair })
+
+  replicate(auth1, auth2)
+  replicate(auth1, auth3)
+  replicate(auth2, auth3)
+
+  auth1.authstore.addCore(auth2.authstore.key)
+  auth1.authstore.addCore(auth3.authstore.key)
+
+  auth2.authstore.addCore(auth1.authstore.key)
+  auth2.authstore.addCore(auth3.authstore.key)
+
+  auth3.authstore.addCore(auth2.authstore.key)
+  auth3.authstore.addCore(auth1.authstore.key)
+
+  await auth1.authstore.append({
+    type: 'capabilities',
+    capability: 'admin',
+    identityPublicKey: auth1.identityKeyPair.publicKey.toString('hex'),
+  })
+
+  await auth1.authstore.append({
+    type: 'capabilities',
+    capability: 'admin',
+    identityPublicKey: auth2.identityKeyPair.publicKey.toString('hex'),
+  })
+
+  await auth2.authstore.append({
+    type: 'capabilities',
+    capability: 'none',
+    identityPublicKey: auth3.authstore.identityPublicKeyString,
+  })
+
+  await auth1.authstore.append({
+    type: 'capabilities',
+    capability: 'member',
+    identityPublicKey: auth3.authstore.identityPublicKeyString,
+  })
+
+  const capabilities = await auth1.authstore.getCapabilities(
+    auth3.authstore.identityPublicKeyString
+  )
+
+  const auth2capabilities = await auth2.authstore.getCapabilities(
+    auth3.authstore.identityPublicKeyString
+  )
+
+  const isAdmin = await auth1.authstore.hasCapability({
+    capability: 'admin',
+    identityPublicKey: auth3.authstore.identityPublicKeyString,
+  })
+
+  t.is(isAdmin, false, 'auth3 should not be admin')
+
+  const isMember = await auth1.authstore.hasCapability({
+    capability: 'member',
+    identityPublicKey: auth3.authstore.identityPublicKeyString,
+  })
+
+  t.is(isMember, false, 'auth3 should not be member')
+
+  const isBanned = await auth1.authstore.hasCapability({
+    capability: 'none',
+    identityPublicKey: auth3.authstore.identityPublicKeyString,
+  })
+
+  t.is(isBanned, true, 'auth3 should have no access to the project')
+})