DukeInc/Kez
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Kez/nodejs/packages/kez-channels/test/activitypub.test.ts
Tudisco d0db6f00f1 Initial implementation of KEZ — protocol, two impls, and storage server 
KEZ is a portable, decentralized identity graph: a person signs claims
linking their many accounts, publishes those claims in places only the
claimed account can publish to, and anyone can verify the connections
without trusting a central server.

Layout
------
- SPEC.md            Language-agnostic protocol spec (v0.2)
- rust/              Rust implementation: kez-core, kez-channels, kez-cli
- nodejs/            TypeScript port at full parity
- rust-sig-server/   Optional axum + SQLite storage server for sigchains
- crosstest.sh       Cross-implementation interop harness

Capabilities (both implementations, byte-compatible)
----------------------------------------------------
- Two primary-key algorithms: nostr/secp256k1 Schnorr (BIP-340) and
  Ed25519 (RFC 8032). Identifiers: nostr:npub1... and ed25519:<hex>.
- JCS (RFC 8785) canonicalization for everything signed.
- Four proof encodings: JSON envelope, compact (kez:z1:<base64url(zstd(json))>),
  Markdown fence, DNS TXT.
- Five channel plugins (no API keys, no auth needed for any of them):
    dns:        system resolver, _kez.<domain> TXT records
    github:     public gist scan + <user>/<user> profile README fallback
    nostr:      kind-30078 events from default relays
    bluesky:    public AppView author feed
    ap:         WebFinger + actor JSON (alias mastodon:)
- Identical CLI surface:
    kez identity new [--key-type nostr|ed25519]
    kez claim create <subject> (--nsec | --ed25519-seed) [--format ...] [--out ...]
    kez claim dns <domain>     (--nsec | --ed25519-seed)
    kez verify file <path>
    kez verify id <identifier>
    kez sigchain add|revoke|show|export|publish
- Sigchains: append-only signed log per primary, hash-chained per spec §6,
  stored locally at ~/.kez/sigchains/, exportable as JSONL or kez:zc1: bundle.
- Sigchain publish destinations: chain server, web (file dump), DNS (zone
  record print), nostr (kind-30078 wrapping event).

kez-sig-server
--------------
Optional storage tier. Axum + SQLite, single binary, no external deps.

- No auth — the cryptography is the access control. The server validates
  every signature, every seq, every prev hash before storing.
- REST API: POST /v1/sigchains/{scheme}/{id}/events (append signed event,
  201 with new head hash or 4xx); GET /{scheme}/{id} (full chain as JSONL);
  GET /head; GET /healthz.
- Designed for one central instance for now; the design doesn't preclude
  running more later (clients gain a configurable list, verifiers
  reconcile per spec §6.2).
- Channel-based publishing remains the always-available fallback if the
  server is unavailable.

Tests
-----
- rust/                 99 tests
- rust-sig-server/      10 integration tests (real HTTP, real SQLite)
- nodejs/               91 tests (vitest)
- crosstest.sh          19 cross-impl scenarios — proves JCS bytes,
                        Schnorr + Ed25519 sigs, all four claim encodings,
                        and the sigchain JSONL bundle are byte-compatible
                        between Rust and Node in both directions.

What's not done yet
-------------------
- verify id consulting the sigchain for revocations (data path exists,
  just not wired into the verifier output).
- rotate and add_device sigchain ops (types reserved).
- expires_at enforcement during claim verification.
- Typed VerificationStatus.status reflecting the five failure modes.
- Auth-required publishers (GitHub gist, Bluesky, ActivityPub).
2026-05-24 14:41:00 -06:00

194 lines
6.3 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import {
Identity,
NostrSecret,
newClaimPayload,
signClaim,
toCompact,
} from "@kez/core";
import {
ActivityPubChannel,
extractActorCandidates,
extractActorUrl,
parseHandle,
stripHtml,
webfingerUrl,
} from "../src/activitypub.js";
function sign(subject: string) {
const secret = NostrSecret.generate();
return signClaim(
newClaimPayload(Identity.parse(subject), secret.identity(), new Date()),
secret,
);
}
const BASE = "https://ap.test";
function makeFetch(routes: Record<string, unknown>): typeof fetch {
return (async (input: string | URL) => {
const key = input.toString();
const body = routes[key];
if (body === undefined) return new Response("", { status: 404 });
return new Response(typeof body === "string" ? body : JSON.stringify(body), { status: 200 });
}) as unknown as typeof fetch;
}
describe("ActivityPubChannel", () => {
it("verifies proof in profile attachment", async () => {
const signed = sign("ap:@jason@mastodon.social");
const actorUrl = `${BASE}/users/jason`;
const wfUrl = `${BASE}/.well-known/webfinger?resource=acct:jason@mastodon.social`;
const fetch = makeFetch({
[wfUrl]: {
subject: "acct:jason@mastodon.social",
links: [{ rel: "self", type: "application/activity+json", href: actorUrl }],
},
[actorUrl]: {
id: actorUrl,
type: "Person",
attachment: [
{ type: "PropertyValue", name: "site", value: '<a href="https://x">x</a>' },
{ type: "PropertyValue", name: "kez", value: toCompact(signed) },
],
summary: "<p>hi</p>",
},
});
const channel = new ActivityPubChannel({ baseOverride: BASE, fetch });
const hit = await channel.fetchAndVerify(Identity.parse("ap:@jason@mastodon.social"));
expect(hit.proof).toEqual(signed);
});
it("verifies proof embedded in bio", async () => {
const signed = sign("ap:@jason@mastodon.social");
const actorUrl = `${BASE}/users/jason`;
const wfUrl = `${BASE}/.well-known/webfinger?resource=acct:jason@mastodon.social`;
const fetch = makeFetch({
[wfUrl]: {
links: [{ rel: "self", type: "application/activity+json", href: actorUrl }],
},
[actorUrl]: {
summary: `<p>portable identity: ${toCompact(signed)}</p>`,
attachment: [],
},
});
const channel = new ActivityPubChannel({ baseOverride: BASE, fetch });
const hit = await channel.fetchAndVerify(Identity.parse("ap:@jason@mastodon.social"));
expect(hit.proof).toEqual(signed);
});
it("rejects proof for wrong subject", async () => {
const signed = sign("ap:@mallory@mastodon.social");
const actorUrl = `${BASE}/users/jason`;
const wfUrl = `${BASE}/.well-known/webfinger?resource=acct:jason@mastodon.social`;
const fetch = makeFetch({
[wfUrl]: {
links: [{ rel: "self", type: "application/activity+json", href: actorUrl }],
},
[actorUrl]: {
attachment: [{ type: "PropertyValue", name: "kez", value: toCompact(signed) }],
},
});
const channel = new ActivityPubChannel({ baseOverride: BASE, fetch });
await expect(
channel.fetchAndVerify(Identity.parse("ap:@jason@mastodon.social")),
).rejects.toMatchObject({ kind: "SubjectMismatch" });
});
it("WebFinger 404 is Unreachable", async () => {
const fetch = makeFetch({});
const channel = new ActivityPubChannel({ baseOverride: BASE, fetch });
await expect(
channel.fetchAndVerify(Identity.parse("ap:@ghost@mastodon.social")),
).rejects.toMatchObject({ kind: "Unreachable" });
});
it("WebFinger with no self link is NotFound", async () => {
const wfUrl = `${BASE}/.well-known/webfinger?resource=acct:jason@mastodon.social`;
const fetch = makeFetch({
[wfUrl]: {
links: [{ rel: "profile", type: "text/html", href: "https://example/@jason" }],
},
});
const channel = new ActivityPubChannel({ baseOverride: BASE, fetch });
await expect(
channel.fetchAndVerify(Identity.parse("ap:@jason@mastodon.social")),
).rejects.toMatchObject({ kind: "NotFound" });
});
});
describe("ActivityPub pure helpers", () => {
it("parseHandle accepts both forms", () => {
expect(parseHandle("@jason@mastodon.social")).toEqual({
user: "jason",
server: "mastodon.social",
});
expect(parseHandle("jason@mastodon.social")).toEqual({
user: "jason",
server: "mastodon.social",
});
});
it("parseHandle rejects malformed", () => {
expect(() => parseHandle("jason")).toThrow();
expect(() => parseHandle("@@server")).toThrow();
expect(() => parseHandle("@jason@")).toThrow();
});
it("webfingerUrl matches spec shape", () => {
expect(webfingerUrl("https://mastodon.social", "jason", "mastodon.social")).toBe(
"https://mastodon.social/.well-known/webfinger?resource=acct:jason@mastodon.social",
);
});
it("extractActorUrl picks self activity+json", () => {
expect(
extractActorUrl({
links: [
{ rel: "profile", type: "text/html", href: "https://x/@jason" },
{
rel: "self",
type: "application/activity+json",
href: "https://x/users/jason",
},
],
}),
).toBe("https://x/users/jason");
});
it("extractActorUrl accepts ld+json", () => {
expect(
extractActorUrl({
links: [
{ rel: "self", type: "application/ld+json; profile=...", href: "https://x/u" },
],
}),
).toBe("https://x/u");
});
it("extractActorCandidates returns attachment then summary", () => {
expect(
extractActorCandidates({
attachment: [
{ value: '<a href="...">x</a>' },
{ value: "kez:z1:abc" },
],
summary: "<p>kez:z1:def</p>",
}),
).toEqual(["x", "kez:z1:abc", "kez:z1:def"]);
});
it("stripHtml drops tags and decodes entities", () => {
expect(stripHtml("<p>hello <b>world</b></p>")).toBe("hello world");
expect(stripHtml("a &amp; b &lt;c&gt;")).toBe("a & b <c>");
expect(stripHtml("&quot;quoted&quot;")).toBe('"quoted"');
expect(stripHtml("&#39;apos&#39;")).toBe("'apos'");
});
it("stripHtml preserves compact kez prefix", () => {
expect(stripHtml("<p>my proof: kez:z1:KLUv_QBYabc</p>")).toBe(
"my proof: kez:z1:KLUv_QBYabc",
);
});
});
Reference in New Issue View Git Blame Copy Permalink