verify space event identities

Author: nikgraf

apps/server/src/handlers/applySpaceEvent.ts

@@ -4,6 +4,7 @@ import type { Messages } from '@graphprotocol/hypergraph';
 import { SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
+import { getIdentity } from './getIdentity.js';
 
 type Params = {
   accountId: string;
@@ -36,7 +37,15 @@ export async function applySpaceEvent({ accountId, spaceId, event, keyBoxes }: P
       orderBy: { counter: 'desc' },
     });
 
-    const result = await Effect.runPromiseExit(SpaceEvents.applyEvent({ event, state: JSON.parse(lastEvent.state) }));
+    const identity = await getIdentity({ accountId });
+
+    const result = await Effect.runPromiseExit(
+      SpaceEvents.applyEvent({
+        event,
+        state: JSON.parse(lastEvent.state),
+        getVerifiedIdentity: () => Effect.succeed(identity),
+      }),
+    );
     if (Exit.isFailure(result)) {
       console.log('Failed to apply event', result);
       throw new Error('Invalid event');

apps/server/src/handlers/createSpace.ts

@@ -5,6 +5,7 @@ import type { Messages } from '@graphprotocol/hypergraph';
 import { SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
+import { getIdentity } from './getIdentity.js';
 
 type Params = {
   accountId: string;
@@ -14,7 +15,10 @@ type Params = {
 };
 
 export const createSpace = async ({ accountId, event, keyBox, keyId }: Params) => {
-  const result = await Effect.runPromiseExit(SpaceEvents.applyEvent({ event, state: undefined }));
+  const identity = await getIdentity({ accountId });
+  const result = await Effect.runPromiseExit(
+    SpaceEvents.applyEvent({ event, state: undefined, getVerifiedIdentity: () => Effect.succeed(identity) }),
+  );
   if (Exit.isFailure(result)) {
     throw new Error('Invalid event');
   }

apps/server/src/index.ts

@@ -331,8 +331,13 @@ webSocketServer.on('connection', async (webSocket: CustomWebSocket, request: Req
           break;
         }
         case 'create-space-event': {
+          const identity = await getIdentity({ accountId });
           const applyEventResult = await Effect.runPromiseExit(
-            SpaceEvents.applyEvent({ event: data.event, state: undefined }),
+            SpaceEvents.applyEvent({
+              event: data.event,
+              state: undefined,
+              getVerifiedIdentity: () => Effect.succeed(identity),
+            }),
           );
           if (Exit.isSuccess(applyEventResult)) {
             const space = await createSpace({ accountId, event: data.event, keyBox: data.keyBox, keyId: data.keyId });

packages/hypergraph-react/src/HypergraphAppContext.tsx

@@ -11,6 +11,7 @@ import {
   restoreKeys,
   signup,
 } from '@graphprotocol/hypergraph/identity/login';
+import { InvalidIdentityError } from '@graphprotocol/hypergraph/identity/types';
 import { useSelector as useSelectorStore } from '@xstate/store/react';
 import { Effect, Exit } from 'effect';
 import * as Schema from 'effect/Schema';
@@ -400,6 +401,16 @@ export function HypergraphAppProvider({
       return;
     }
 
+    const getVerifiedIdentity = (accountId: string) => {
+      return Effect.gen(function* () {
+        const identity = yield* Effect.tryPromise({
+          try: () => Identity.getVerifiedIdentity(accountId, syncServerUri),
+          catch: () => new InvalidIdentityError(),
+        });
+        return identity;
+      });
+    };
+
     const onMessage = async (event: MessageEvent) => {
       const data = Messages.deserialize(event.data);
       const message = decodeResponseMessage(data);
@@ -419,7 +430,9 @@ export function HypergraphAppProvider({
             let state: SpaceEvents.SpaceState | undefined = undefined;
 
             for (const event of response.events) {
-              const applyEventResult = await Effect.runPromiseExit(SpaceEvents.applyEvent({ state: undefined, event }));
+              const applyEventResult = await Effect.runPromiseExit(
+                SpaceEvents.applyEvent({ state: undefined, event, getVerifiedIdentity }),
+              );
               if (Exit.isSuccess(applyEventResult)) {
                 state = applyEventResult.value;
               }
@@ -521,7 +534,7 @@ export function HypergraphAppProvider({
             }
 
             const applyEventResult = await Effect.runPromiseExit(
-              SpaceEvents.applyEvent({ event: response.event, state: space.state }),
+              SpaceEvents.applyEvent({ event: response.event, state: space.state, getVerifiedIdentity }),
             );
             if (Exit.isSuccess(applyEventResult)) {
               store.send({
@@ -594,7 +607,7 @@ export function HypergraphAppProvider({
     return () => {
       websocketConnection.removeEventListener('message', onMessage);
     };
-  }, [websocketConnection, spaces, keys?.encryptionPrivateKey]);
+  }, [websocketConnection, spaces, keys?.encryptionPrivateKey, syncServerUri]);
 
   const createSpaceForContext = async () => {
     if (!accountId) {

packages/hypergraph/src/identity/types.ts

@@ -32,3 +32,13 @@ export type KeysSchema = Schema.Schema.Type<typeof KeysSchema>;
 export type Identity = IdentityKeys & {
   accountId: string;
 };
+
+export type PublicIdentity = {
+  accountId: string;
+  encryptionPublicKey: string;
+  signaturePublicKey: string;
+};
+
+export class InvalidIdentityError {
+  readonly _tag = 'InvalidIdentityError';
+}

packages/hypergraph/src/space-events/apply-event.ts

@@ -2,6 +2,7 @@ import { secp256k1 } from '@noble/curves/secp256k1';
 import { sha256 } from '@noble/hashes/sha256';
 import { Effect, Schema } from 'effect';
 import type { ParseError } from 'effect/ParseResult';
+import type { InvalidIdentityError, PublicIdentity } from '../identity/types.js';
 import { canonicalize, stringToUint8Array } from '../utils/index.js';
 import { hashEvent } from './hash-event.js';
 import {
@@ -16,14 +17,16 @@ import {
 type Params = {
   state: SpaceState | undefined;
   event: SpaceEvent;
+  getVerifiedIdentity: (accountId: string) => Effect.Effect<PublicIdentity, InvalidIdentityError>;
 };
 
 const decodeSpaceEvent = Schema.decodeUnknownEither(SpaceEvent);
 
 export const applyEvent = ({
   state,
   event: rawEvent,
-}: Params): Effect.Effect<SpaceState, ParseError | VerifySignatureError | InvalidEventError> => {
+  getVerifiedIdentity,
+}: Params): Effect.Effect<SpaceState, ParseError | VerifySignatureError | InvalidEventError | InvalidIdentityError> => {
   const decodedEvent = decodeSpaceEvent(rawEvent);
   if (decodedEvent._tag === 'Left') {
     return decodedEvent.left;
@@ -43,90 +46,92 @@ export const applyEvent = ({
 
   let signatureInstance = secp256k1.Signature.fromCompact(event.author.signature.hex);
   signatureInstance = signatureInstance.addRecoveryBit(event.author.signature.recovery);
-  // @ts-expect-error
-  const authorPublicKey = signatureInstance.recoverPublicKey(sha256(encodedTransaction));
-  // TODO compare it to the public key from the author accountId (this already verifies the signature)
-  // in case of a failure we return Effect.fail(new VerifySignatureError());
-
-  // biome-ignore lint/correctness/noConstantCondition: wip
-  if (false) {
-    return Effect.fail(new VerifySignatureError());
-  }
-
-  let id = '';
-  let members: { [accountId: string]: SpaceMember } = {};
-  let removedMembers: { [accountId: string]: SpaceMember } = {};
-  let invitations: { [id: string]: SpaceInvitation } = {};
+  const authorPublicKey = `0x${signatureInstance.recoverPublicKey(sha256(encodedTransaction)).toHex()}`;
 
-  if (event.transaction.type === 'create-space') {
-    id = event.transaction.id;
-    members[event.transaction.creatorAccountId] = {
-      accountId: event.transaction.creatorAccountId,
-      role: 'admin',
-    };
-  } else if (state !== undefined) {
-    id = state.id;
-    members = { ...state.members };
-    removedMembers = { ...state.removedMembers };
-    invitations = { ...state.invitations };
-
-    if (event.transaction.type === 'accept-invitation') {
-      // is already a member
-      if (members[event.author.accountId] !== undefined) {
-        return Effect.fail(new InvalidEventError());
-      }
+  return Effect.gen(function* () {
+    const identity = yield* getVerifiedIdentity(event.author.accountId);
+    if (authorPublicKey !== identity.signaturePublicKey) {
+      yield* Effect.fail(new VerifySignatureError());
+    }
 
-      // find the invitation
-      const result = Object.entries(invitations).find(
-        ([, invitation]) => invitation.inviteeAccountId === event.author.accountId,
-      );
-      if (!result) {
-        return Effect.fail(new InvalidEventError());
-      }
-      const [id, invitation] = result;
+    let id = '';
+    let members: { [accountId: string]: SpaceMember } = {};
+    let removedMembers: { [accountId: string]: SpaceMember } = {};
+    let invitations: { [id: string]: SpaceInvitation } = {};
 
-      members[invitation.inviteeAccountId] = {
-        accountId: invitation.inviteeAccountId,
-        role: 'member',
+    if (event.transaction.type === 'create-space') {
+      id = event.transaction.id;
+      members[event.transaction.creatorAccountId] = {
+        accountId: event.transaction.creatorAccountId,
+        role: 'admin',
       };
-      delete invitations[id];
-      if (removedMembers[event.author.accountId] !== undefined) {
-        delete removedMembers[event.author.accountId];
-      }
-    } else {
-      // check if the author is an admin
-      if (members[event.author.accountId]?.role !== 'admin') {
-        return Effect.fail(new InvalidEventError());
-      }
+    } else if (state !== undefined) {
+      id = state.id;
+      members = { ...state.members };
+      removedMembers = { ...state.removedMembers };
+      invitations = { ...state.invitations };
 
-      if (event.transaction.type === 'delete-space') {
-        removedMembers = { ...members };
-        members = {};
-        invitations = {};
-      } else if (event.transaction.type === 'create-invitation') {
-        if (members[event.transaction.inviteeAccountId] !== undefined) {
-          return Effect.fail(new InvalidEventError());
+      if (event.transaction.type === 'accept-invitation') {
+        // is already a member
+        if (members[event.author.accountId] !== undefined) {
+          yield* Effect.fail(new InvalidEventError());
         }
-        for (const invitation of Object.values(invitations)) {
-          if (invitation.inviteeAccountId === event.transaction.inviteeAccountId) {
-            return Effect.fail(new InvalidEventError());
-          }
+
+        // find the invitation
+        const result = Object.entries(invitations).find(
+          ([, invitation]) => invitation.inviteeAccountId === event.author.accountId,
+        );
+        if (!result) {
+          yield* Effect.fail(new InvalidEventError());
         }
 
-        invitations[event.transaction.id] = {
-          inviteeAccountId: event.transaction.inviteeAccountId,
+        // @ts-expect-error type issue? we checked that result is not undefined before
+        const [id, invitation] = result;
+
+        members[invitation.inviteeAccountId] = {
+          accountId: invitation.inviteeAccountId,
+          role: 'member',
         };
+        delete invitations[id];
+        if (removedMembers[event.author.accountId] !== undefined) {
+          delete removedMembers[event.author.accountId];
+        }
       } else {
-        throw new Error('State is required for all events except create-space');
+        // check if the author is an admin
+        if (members[event.author.accountId]?.role !== 'admin') {
+          yield* Effect.fail(new InvalidEventError());
+        }
+
+        if (event.transaction.type === 'delete-space') {
+          removedMembers = { ...members };
+          members = {};
+          invitations = {};
+        } else if (event.transaction.type === 'create-invitation') {
+          if (members[event.transaction.inviteeAccountId] !== undefined) {
+            yield* Effect.fail(new InvalidEventError());
+          }
+          for (const invitation of Object.values(invitations)) {
+            if (invitation.inviteeAccountId === event.transaction.inviteeAccountId) {
+              yield* Effect.fail(new InvalidEventError());
+            }
+          }
+
+          invitations[event.transaction.id] = {
+            inviteeAccountId: event.transaction.inviteeAccountId,
+          };
+        } else {
+          // state is required for all events except create-space
+          yield* Effect.fail(new InvalidEventError());
+        }
       }
     }
-  }
 
-  return Effect.succeed({
-    id,
-    members,
-    removedMembers,
-    invitations,
-    lastEventHash: hashEvent(event),
+    return {
+      id,
+      members,
+      removedMembers,
+      invitations,
+      lastEventHash: hashEvent(event),
+    };
   });
 };

packages/hypergraph/test/space-events/accept-invitation.test.ts

@@ -20,22 +20,29 @@ const invitee = {
   encryptionPublicKey: 'encryption',
 };
 
+const getVerifiedIdentity = (accountId: string) => {
+  if (accountId === author.accountId) {
+    return Effect.succeed(author);
+  }
+  return Effect.succeed(invitee);
+};
+
 it('should accept an invitation', async () => {
   const { state3 } = await Effect.runPromise(
     Effect.gen(function* () {
       const spaceEvent = yield* createSpace({ author });
-      const state = yield* applyEvent({ event: spaceEvent, state: undefined });
+      const state = yield* applyEvent({ event: spaceEvent, state: undefined, getVerifiedIdentity });
       const spaceEvent2 = yield* createInvitation({
         author,
         previousEventHash: state.lastEventHash,
         invitee,
       });
-      const state2 = yield* applyEvent({ event: spaceEvent2, state });
+      const state2 = yield* applyEvent({ event: spaceEvent2, state, getVerifiedIdentity });
       const spaceEvent3 = yield* acceptInvitation({
         previousEventHash: state2.lastEventHash,
         author: invitee,
       });
-      const state3 = yield* applyEvent({ event: spaceEvent3, state: state2 });
+      const state3 = yield* applyEvent({ event: spaceEvent3, state: state2, getVerifiedIdentity });
       return {
         state3,
         spaceEvent3,