fix: use the app identity keys everywhere

Author: pcarranzav

apps/connect/src/routes/authenticate.tsx

@@ -278,7 +278,7 @@ function AuthenticateComponent() {
                 id: keyData.id,
                 ciphertext: Utils.bytesToHex(keyBox.keyBoxCiphertext),
                 nonce: Utils.bytesToHex(keyBox.keyBoxNonce),
-                authorPublicKey: appIdentity.encryptionPublicKey,
+                authorPublicKey: keys.encryptionPublicKey,
                 accountAddress: accountAddress,
               };
             });
@@ -405,27 +405,33 @@ function AuthenticateComponent() {
         rpcUrl: import.meta.env.VITE_HYPERGRAPH_RPC_URL,
       });
 
+      const appIdentityKeys = {
+        encryptionPrivateKey: newAppIdentity.encryptionPrivateKey,
+        encryptionPublicKey: newAppIdentity.encryptionPublicKey,
+        signaturePrivateKey: newAppIdentity.signaturePrivateKey,
+        signaturePublicKey: newAppIdentity.signaturePublicKey,
+      };
       console.log('encrypting app identity');
       const { ciphertext, nonce } = await Connect.encryptAppIdentity(
         signer,
         newAppIdentity.address,
         newAppIdentity.addressPrivateKey,
         permissionId,
-        keys,
+        appIdentityKeys,
       );
       console.log('proving ownership');
       const { accountProof, keyProof } = await Identity.proveIdentityOwnership(
         smartAccountClient,
         accountAddress,
-        keys,
+        appIdentityKeys,
       );
 
       const message: Messages.RequestConnectCreateAppIdentity = {
         appId: state.appInfo.appId,
         address: newAppIdentity.address,
         accountAddress,
-        signaturePublicKey: keys.signaturePublicKey,
-        encryptionPublicKey: keys.encryptionPublicKey,
+        signaturePublicKey: newAppIdentity.signaturePublicKey,
+        encryptionPublicKey: newAppIdentity.encryptionPublicKey,
         ciphertext,
         nonce,
         accountProof,
@@ -449,10 +455,10 @@ function AuthenticateComponent() {
           address: newAppIdentity.address,
           addressPrivateKey: newAppIdentity.addressPrivateKey,
           accountAddress,
-          encryptionPrivateKey: keys.encryptionPrivateKey,
-          signaturePrivateKey: keys.signaturePrivateKey,
-          encryptionPublicKey: keys.encryptionPublicKey,
-          signaturePublicKey: keys.signaturePublicKey,
+          encryptionPrivateKey: newAppIdentity.encryptionPrivateKey,
+          signaturePrivateKey: newAppIdentity.signaturePrivateKey,
+          encryptionPublicKey: newAppIdentity.encryptionPublicKey,
+          signaturePublicKey: newAppIdentity.signaturePublicKey,
           sessionToken: appIdentityResponse.appIdentity.sessionToken,
           sessionTokenExpires: new Date(appIdentityResponse.appIdentity.sessionTokenExpires),
           permissionId,

apps/events/src/Boot.tsx

@@ -15,7 +15,11 @@ declare module '@tanstack/react-router' {
 
 export function Boot() {
   return (
-    <HypergraphAppProvider syncServerUri="http://localhost:3030" mapping={mapping}>
+    <HypergraphAppProvider
+      syncServerUri="http://localhost:3030"
+      mapping={mapping}
+      appId="93bb8907-085a-4a0e-83dd-62b0dc98e793"
+    >
       <RouterProvider router={router} />
     </HypergraphAppProvider>
   );

apps/events/src/routes/login.lazy.tsx

@@ -16,7 +16,6 @@ function Login() {
             storage: localStorage,
             connectUrl: 'http://localhost:5180',
             successUrl: 'http://localhost:5173/authenticate-success',
-            appId: '93bb8907-085a-4a0e-83dd-62b0dc98e793',
             redirectFn: (url: URL) => {
               window.location.href = url.toString();
             },

apps/next-example/src/components/providers.tsx

@@ -7,7 +7,11 @@ export default function Providers({ children }: { children: React.ReactNode }) {
   const storage = typeof window !== 'undefined' ? window.localStorage : (undefined as unknown as Storage);
 
   return (
-    <HypergraphAppProvider syncServerUri="http://localhost:3030" mapping={{}}>
+    <HypergraphAppProvider
+      syncServerUri="http://localhost:3030"
+      mapping={{}}
+      appId="83aa8907-085b-430f-1296-ab87dc98e793"
+    >
       {children}
     </HypergraphAppProvider>
   );

apps/server/src/handlers/applySpaceEvent.ts

@@ -4,6 +4,7 @@ import type { Messages } from '@graphprotocol/hypergraph';
 import { Identity, SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
+import { getAppOrConnectIdentity } from './getAppOrConnectIdentity.js';
 import { getConnectIdentity } from './getConnectIdentity.js';
 
 type Params = {
@@ -40,7 +41,7 @@ export async function applySpaceEvent({ accountAddress, spaceId, event, keyBoxes
       orderBy: { counter: 'desc' },
     });
 
-    const getVerifiedIdentity = (accountAddressToFetch: string) => {
+    const getVerifiedIdentity = (accountAddressToFetch: string, publicKey: string) => {
       console.log('getVerifiedIdentity', accountAddressToFetch, accountAddress);
       // applySpaceEvent is only allowed to be called by the account that is applying the event
       if (accountAddressToFetch !== accountAddress) {
@@ -49,7 +50,8 @@ export async function applySpaceEvent({ accountAddress, spaceId, event, keyBoxes
 
       return Effect.gen(function* () {
         const identity = yield* Effect.tryPromise({
-          try: () => getConnectIdentity({ accountAddress: accountAddressToFetch }),
+          try: () =>
+            getAppOrConnectIdentity({ accountAddress: accountAddressToFetch, signaturePublicKey: publicKey, spaceId }),
           catch: () => new Identity.InvalidIdentityError(),
         });
         return identity;

apps/server/src/handlers/create-space.ts

@@ -5,6 +5,7 @@ import type { Messages } from '@graphprotocol/hypergraph';
 import { Identity, SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
+import { getAppOrConnectIdentity } from './getAppOrConnectIdentity.js';
 import { getConnectIdentity } from './getConnectIdentity.js';
 
 type Params = {
@@ -26,15 +27,15 @@ export const createSpace = async ({
   infoSignatureRecovery,
   name,
 }: Params) => {
-  const getVerifiedIdentity = (accountAddressToFetch: string) => {
+  const getVerifiedIdentity = (accountAddressToFetch: string, publicKey: string) => {
     // applySpaceEvent is only allowed to be called by the account that is applying the event
     if (accountAddressToFetch !== accountAddress) {
       return Effect.fail(new Identity.InvalidIdentityError());
     }
 
     return Effect.gen(function* () {
       const identity = yield* Effect.tryPromise({
-        try: () => getConnectIdentity({ accountAddress: accountAddressToFetch }),
+        try: () => getAppOrConnectIdentity({ accountAddress: accountAddressToFetch, signaturePublicKey: publicKey }),
         catch: () => new Identity.InvalidIdentityError(),
       });
       return identity;

apps/server/src/handlers/getAccountInbox.ts

@@ -8,7 +8,7 @@ export async function getAccountInbox({ accountAddress, inboxId }: { accountAddr
       id: true,
       account: {
         select: {
-          id: true,
+          address: true,
         },
       },
       isPublic: true,
@@ -24,7 +24,7 @@ export async function getAccountInbox({ accountAddress, inboxId }: { accountAddr
 
   return {
     inboxId: inbox.id,
-    accountAddress: inbox.account.id,
+    accountAddress: inbox.account.address,
     isPublic: inbox.isPublic,
     authPolicy: inbox.authPolicy as Inboxes.InboxSenderAuthPolicy,
     encryptionPublicKey: inbox.encryptionPublicKey,

apps/server/src/handlers/getAppOrConnectIdentity.ts

@@ -0,0 +1,82 @@
+import { prisma } from '../prisma.js';
+
+type Params =
+  | {
+      accountAddress: string;
+      signaturePublicKey: string;
+      spaceId?: string;
+    }
+  | {
+      accountAddress: string;
+      appId: string;
+      spaceId?: string;
+    };
+
+export type GetIdentityResult = {
+  accountAddress: string;
+  ciphertext: string;
+  nonce: string;
+  signaturePublicKey: string;
+  encryptionPublicKey: string;
+  accountProof: string;
+  keyProof: string;
+  appId: string | null;
+};
+
+export const getAppOrConnectIdentity = async (params: Params): Promise<GetIdentityResult> => {
+  if (!('appId' in params)) {
+    const where: { address: string; connectSignaturePublicKey?: string } = { address: params.accountAddress };
+    if ('signaturePublicKey' in params) {
+      where.connectSignaturePublicKey = params.signaturePublicKey;
+    }
+    const account = await prisma.account.findFirst({
+      where,
+    });
+    if (account) {
+      return {
+        accountAddress: account.address,
+        ciphertext: account.connectCiphertext,
+        nonce: account.connectNonce,
+        signaturePublicKey: account.connectSignaturePublicKey,
+        encryptionPublicKey: account.connectEncryptionPublicKey,
+        accountProof: account.connectAccountProof,
+        keyProof: account.connectKeyProof,
+        appId: null,
+      };
+    }
+  }
+  const appWhere: {
+    accountAddress: string;
+    appId?: string;
+    signaturePublicKey?: string;
+    spaces?: { some: { id: string } };
+  } = {
+    accountAddress: params.accountAddress,
+  };
+  if ('signaturePublicKey' in params) {
+    appWhere.signaturePublicKey = params.signaturePublicKey;
+  }
+  if ('appId' in params) {
+    appWhere.appId = params.appId;
+  }
+  if (params.spaceId) {
+    appWhere.spaces = { some: { id: params.spaceId } };
+  }
+  console.log('appWhere', appWhere);
+  const appIdentity = await prisma.appIdentity.findFirst({
+    where: appWhere,
+  });
+  if (appIdentity) {
+    return {
+      accountAddress: appIdentity.accountAddress,
+      ciphertext: appIdentity.ciphertext,
+      nonce: appIdentity.nonce,
+      signaturePublicKey: appIdentity.signaturePublicKey,
+      encryptionPublicKey: appIdentity.encryptionPublicKey,
+      accountProof: appIdentity.accountProof,
+      keyProof: appIdentity.keyProof,
+      appId: appIdentity.appId,
+    };
+  }
+  throw new Error('Identity not found');
+};

apps/server/src/index.ts

@@ -17,6 +17,7 @@ import { createUpdate } from './handlers/createUpdate.js';
 import { findAppIdentity } from './handlers/find-app-identity.js';
 import { getAppIdentityBySessionToken } from './handlers/get-app-identity-by-session-token.js';
 import { getAccountInbox } from './handlers/getAccountInbox.js';
+import { getAppOrConnectIdentity } from './handlers/getAppOrConnectIdentity.js';
 import { type GetIdentityResult, getConnectIdentity } from './handlers/getConnectIdentity.js';
 import { getLatestAccountInboxMessages } from './handlers/getLatestAccountInboxMessages.js';
 import { getLatestSpaceInboxMessages } from './handlers/getLatestSpaceInboxMessages.js';
@@ -318,6 +319,20 @@ app.post('/connect/app-identity', async (req, res) => {
       res.status(401).send('Unauthorized');
       return;
     }
+    if (
+      !Identity.verifyIdentityOwnership(
+        accountAddress,
+        message.signaturePublicKey,
+        message.accountProof,
+        message.keyProof,
+        CHAIN,
+        RPC_URL,
+      )
+    ) {
+      console.log('Ownership proof is invalid');
+      res.status(401).send('Unauthorized');
+      return;
+    }
     const sessionToken = bytesToHex(randomBytes(32));
     const sessionTokenExpires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 30); // 30 days
     const appIdentity = await createAppIdentity({
@@ -361,21 +376,47 @@ app.get('/whoami', async (req, res) => {
   }
 });
 
+app.get('/connect/identity', async (req, res) => {
+  console.log('GET connect/identity');
+  const accountAddress = req.query.accountAddress as string;
+  const identity = await getConnectIdentity({ accountAddress });
+  if (!identity) {
+    res.status(404).send('Identity not found');
+    return;
+  }
+  const outgoingMessage: Messages.ResponseIdentity = {
+    accountAddress,
+    signaturePublicKey: identity.signaturePublicKey,
+    encryptionPublicKey: identity.encryptionPublicKey,
+    accountProof: identity.accountProof,
+    keyProof: identity.keyProof,
+  };
+  res.status(200).send(outgoingMessage);
+});
+
 app.get('/identity', async (req, res) => {
   console.log('GET identity');
   const accountAddress = req.query.accountAddress as string;
+  const signaturePublicKey = req.query.signaturePublicKey as string;
+  const appId = req.query.appId as string;
   if (!accountAddress) {
     res.status(400).send('No accountAddress');
     return;
   }
+  if (!signaturePublicKey && !appId) {
+    res.status(400).send('No signaturePublicKey or appId');
+    return;
+  }
   try {
-    const identity = await getConnectIdentity({ accountAddress });
+    const params = signaturePublicKey ? { accountAddress, signaturePublicKey } : { accountAddress, appId };
+    const identity = await getAppOrConnectIdentity(params);
     const outgoingMessage: Messages.ResponseIdentity = {
       accountAddress,
       signaturePublicKey: identity.signaturePublicKey,
       encryptionPublicKey: identity.encryptionPublicKey,
       accountProof: identity.accountProof,
       keyProof: identity.keyProof,
+      appId: identity.appId ?? undefined,
     };
     res.status(200).send(outgoingMessage);
   } catch (error) {
@@ -455,7 +496,10 @@ app.post('/spaces/:spaceId/inboxes/:inboxId/messages', async (req, res) => {
     // Check if this public key corresponds to a user's identity
     let authorIdentity: GetIdentityResult;
     try {
-      authorIdentity = await getConnectIdentity({ connectSignaturePublicKey: authorPublicKey });
+      authorIdentity = await getAppOrConnectIdentity({
+        accountAddress: message.authorAccountAddress,
+        signaturePublicKey: authorPublicKey,
+      });
     } catch (error) {
       res.status(403).send({ error: 'Not authorized to post to this inbox' });
       return;
@@ -538,7 +582,10 @@ app.post('/accounts/:accountAddress/inboxes/:inboxId/messages', async (req, res)
     // Check if this public key corresponds to a user's identity
     let authorIdentity: GetIdentityResult;
     try {
-      authorIdentity = await getConnectIdentity({ connectSignaturePublicKey: authorPublicKey });
+      authorIdentity = await getAppOrConnectIdentity({
+        accountAddress: message.authorAccountAddress,
+        signaturePublicKey: authorPublicKey,
+      });
     } catch (error) {
       res.status(403).send({ error: 'Not authorized to post to this inbox' });
       return;
@@ -700,19 +747,15 @@ webSocketServer.on('connection', async (webSocket: CustomWebSocket, request: Req
           break;
         }
         case 'create-space-event': {
-          const getVerifiedIdentity = (accountAddressToFetch: string) => {
-            console.log(
-              'TODO getVerifiedIdentity should work for app identities',
-              accountAddressToFetch,
-              accountAddress,
-            );
+          const getVerifiedIdentity = (accountAddressToFetch: string, publicKey: string) => {
             if (accountAddressToFetch !== accountAddress) {
               return Effect.fail(new Identity.InvalidIdentityError());
             }
 
             return Effect.gen(function* () {
               const identity = yield* Effect.tryPromise({
-                try: () => getConnectIdentity({ accountAddress: accountAddressToFetch }),
+                try: () =>
+                  getAppOrConnectIdentity({ accountAddress: accountAddressToFetch, signaturePublicKey: publicKey }),
                 catch: () => new Identity.InvalidIdentityError(),
               });
               return identity;
@@ -811,7 +854,10 @@ webSocketServer.on('connection', async (webSocket: CustomWebSocket, request: Req
               throw new Error('Invalid accountAddress');
             }
             const signer = Inboxes.recoverAccountInboxCreatorKey(data);
-            const signerAccount = await getConnectIdentity({ connectSignaturePublicKey: signer });
+            const signerAccount = await getAppOrConnectIdentity({
+              accountAddress: data.accountAddress,
+              signaturePublicKey: signer,
+            });
             if (signerAccount.accountAddress !== accountAddress) {
               throw new Error('Invalid signature');
             }
@@ -881,7 +927,10 @@ webSocketServer.on('connection', async (webSocket: CustomWebSocket, request: Req
             // Check that the update was signed by a valid identity
             // belonging to this accountAddress
             const signer = Messages.recoverUpdateMessageSigner(data);
-            const identity = await getConnectIdentity({ connectSignaturePublicKey: signer });
+            const identity = await getAppOrConnectIdentity({
+              accountAddress: data.accountAddress,
+              signaturePublicKey: signer,
+            });
             if (identity.accountAddress !== accountAddress) {
               throw new Error('Invalid signature');
             }