Merge branch 'main' of github.com:graphprotocol/hypergraph into chris.whited/feat-354/move-app-template

Author: cmwhited

CONTRIBUTING.md

@@ -23,6 +23,25 @@ cd apps/typesync
 pnpm publish --tag latest
 ```
 
+## Deploying your own SyncServer to Railway
+
+Setup a service and attach a volume under `/data` to it.
+
+Since cache-mounts on Railway need to prefixed with the service ID and BuildKit doesn’t expand variables there. You must give it a literal value for the mount ID.
+
+To do so you can fill in the service ID below and run the command before your `railway up` command.
+More info here: https://docs.railway.com/guides/dockerfiles#cache-mounts
+Get the service ID by using CMD/CTRL+K and search for `Copy Service ID`.
+
+```sh
+sed -i '' \
+  's|\(--mount=type=cache,id=\)workspace|\1s/<service-id>-pnpm-store|' \
+  Dockerfile
+railway up
+```
+
+Note: By default horizontal scaling is disabled because of the attached volume.
+
 ## Deploying your own SyncServer to Fly.io (single instance)
 
 ```sh

Dockerfile

@@ -49,7 +49,6 @@ WORKDIR /app
 COPY --from=build /workspace/deployment/out .
 # TODO: Remove this when we switch to an actual database.
 ENV DATABASE_URL="file:/data/production.sqlite"
-RUN npm run prisma migrate deploy --skip-generate
 EXPOSE 3030
 # can't use fly.io release_command because it doesn't mount the volume containing the sqlite db file
 CMD ["sh", "-c", "npm run prisma migrate deploy && node dist/index.js"]

apps/connect/src/routes/authenticate.tsx

@@ -16,6 +16,10 @@ import { createWalletClient, custom } from 'viem';
 import { privateKeyToAccount } from 'viem/accounts';
 
 const CHAIN = import.meta.env.VITE_HYPERGRAPH_CHAIN === 'geogenesis' ? Connect.GEOGENESIS : Connect.GEO_TESTNET;
+const API_URL =
+  import.meta.env.VITE_HYPERGRAPH_CHAIN === 'geogenesis'
+    ? `${Graph.MAINNET_API_ORIGIN}/graphql`
+    : `${Graph.TESTNET_API_ORIGIN}/graphql`;
 
 type AuthenticateSearch = {
   data: unknown;
@@ -135,19 +139,14 @@ function AuthenticateComponent() {
   const accountAddress = useSelector(StoreConnect.store, (state) => state.context.accountAddress);
   const keys = useSelector(StoreConnect.store, (state) => state.context.keys);
 
-  const { signMessage } = usePrivy();
   const { wallets } = useWallets();
   const embeddedWallet = wallets.find((wallet) => wallet.walletClientType === 'privy') || wallets[0];
 
   const state = useSelector(componentStore, (state) => state.context);
   const [selectedPrivateSpaces, setSelectedPrivateSpaces] = useState<Set<string>>(new Set());
 
   const { isPending: privateSpacesPending, error: privateSpacesError, data: privateSpacesData } = usePrivateSpaces();
-  const {
-    isPending: publicSpacesPending,
-    error: publicSpacesError,
-    data: publicSpacesData,
-  } = usePublicSpaces(`${Graph.TESTNET_API_ORIGIN}/graphql`);
+  const { data: publicSpacesData } = usePublicSpaces(API_URL);
 
   useEffect(() => {
     const run = async () => {
@@ -261,7 +260,7 @@ function AuthenticateComponent() {
                 id: keyData.id,
                 ciphertext: Utils.bytesToHex(keyBox.keyBoxCiphertext),
                 nonce: Utils.bytesToHex(keyBox.keyBoxNonce),
-                authorPublicKey: appIdentity.encryptionPublicKey,
+                authorPublicKey: keys.encryptionPublicKey,
                 accountAddress: accountAddress,
               };
             });
@@ -334,21 +333,6 @@ function AuthenticateComponent() {
         transport: custom(privyProvider),
       });
 
-      const signer: Identity.Signer = {
-        getAddress: async () => {
-          const [address] = await walletClient.getAddresses();
-          return address;
-        },
-        signMessage: async (message: string) => {
-          if (embeddedWallet.walletClientType === 'privy') {
-            const { signature } = await signMessage({ message });
-            return signature;
-          }
-          const [address] = await walletClient.getAddresses();
-          return await walletClient.signMessage({ account: address, message });
-        },
-      };
-
       const newAppIdentity = Connect.createAppIdentity();
 
       console.log('creating smart session');
@@ -389,28 +373,21 @@ function AuthenticateComponent() {
       });
 
       console.log('encrypting app identity');
-      const { ciphertext, nonce } = await Connect.encryptAppIdentity(
-        signer,
-        newAppIdentity.address,
-        newAppIdentity.addressPrivateKey,
-        permissionId,
-        keys,
-      );
+      const { ciphertext } = await Connect.encryptAppIdentity({ ...newAppIdentity, permissionId }, keys);
       console.log('proving ownership');
       const { accountProof, keyProof } = await Identity.proveIdentityOwnership(
         smartAccountClient,
         accountAddress,
-        keys,
+        newAppIdentity,
       );
 
       const message: Messages.RequestConnectCreateAppIdentity = {
         appId: state.appInfo.appId,
         address: newAppIdentity.address,
         accountAddress,
-        signaturePublicKey: newAppIdentity.signaturePublicKey,
-        encryptionPublicKey: newAppIdentity.encryptionPublicKey,
+        signaturePublicKey: keys.signaturePublicKey,
+        encryptionPublicKey: keys.encryptionPublicKey,
         ciphertext,
-        nonce,
         accountProof,
         keyProof,
       };
@@ -424,14 +401,16 @@ function AuthenticateComponent() {
         body: JSON.stringify(message),
       });
       const appIdentityResponse = await response.json();
+      // TODO: All apps are essentially using the same keys, we should change to using
+      // the newly created app identity keys, but that requires changing a lot of the verification logic in the server and HypergraphAppContext
       await encryptSpacesAndRedirect({
         accountAddress,
         appIdentity: {
           address: newAppIdentity.address,
           addressPrivateKey: newAppIdentity.addressPrivateKey,
           accountAddress,
-          encryptionPrivateKey: keys.encryptionPrivateKey,
-          signaturePrivateKey: keys.signaturePrivateKey,
+          encryptionPrivateKey: newAppIdentity.encryptionPrivateKey,
+          signaturePrivateKey: newAppIdentity.signaturePrivateKey,
           encryptionPublicKey: newAppIdentity.encryptionPublicKey,
           signaturePublicKey: newAppIdentity.signaturePublicKey,
           sessionToken: appIdentityResponse.appIdentity.sessionToken,
@@ -451,48 +430,16 @@ function AuthenticateComponent() {
   };
 
   const decryptAppIdentityAndRedirect = async () => {
-    if (!state.appIdentityResponse) {
+    if (!state.appIdentityResponse || !keys) {
       return;
     }
 
-    const privyProvider = await embeddedWallet.getEthereumProvider();
-    const walletClient = createWalletClient({
-      account: embeddedWallet.address as `0x${string}`,
-      chain: CHAIN,
-      transport: custom(privyProvider),
-    });
-
-    const signer: Identity.Signer = {
-      getAddress: async () => {
-        const [address] = await walletClient.getAddresses();
-        return address;
-      },
-      signMessage: async (message: string) => {
-        if (embeddedWallet.walletClientType === 'privy') {
-          const { signature } = await signMessage({ message });
-          return signature;
-        }
-        const [address] = await walletClient.getAddresses();
-        return await walletClient.signMessage({ account: address, message });
-      },
-    };
-
-    const decryptedIdentity = await Connect.decryptAppIdentity(
-      signer,
-      state.appIdentityResponse.ciphertext,
-      state.appIdentityResponse.nonce,
-    );
+    const decryptedIdentity = await Connect.decryptAppIdentity(state.appIdentityResponse.ciphertext, keys);
     await encryptSpacesAndRedirect({
       accountAddress: state.appIdentityResponse.accountAddress,
       appIdentity: {
-        address: decryptedIdentity.address,
-        addressPrivateKey: decryptedIdentity.addressPrivateKey,
+        ...decryptedIdentity,
         accountAddress: state.appIdentityResponse.accountAddress,
-        permissionId: decryptedIdentity.permissionId,
-        encryptionPrivateKey: decryptedIdentity.encryptionPrivateKey,
-        signaturePrivateKey: decryptedIdentity.signaturePrivateKey,
-        encryptionPublicKey: decryptedIdentity.encryptionPublicKey,
-        signaturePublicKey: decryptedIdentity.signaturePublicKey,
         sessionToken: state.appIdentityResponse.sessionToken,
         sessionTokenExpires: new Date(state.appIdentityResponse.sessionTokenExpires),
       },

apps/events/src/Boot.tsx

@@ -15,7 +15,11 @@ declare module '@tanstack/react-router' {
 
 export function Boot() {
   return (
-    <HypergraphAppProvider syncServerUri="http://localhost:3030" mapping={mapping}>
+    <HypergraphAppProvider
+      syncServerUri="http://localhost:3030"
+      mapping={mapping}
+      appId="93bb8907-085a-4a0e-83dd-62b0dc98e793"
+    >
       <RouterProvider router={router} />
     </HypergraphAppProvider>
   );

apps/events/src/routes/login.lazy.tsx

@@ -16,7 +16,6 @@ function Login() {
             storage: localStorage,
             connectUrl: 'http://localhost:5180',
             successUrl: `${window.location.origin}/authenticate-success`,
-            appId: '93bb8907-085a-4a0e-83dd-62b0dc98e793',
             redirectFn: (url: URL) => {
               window.location.href = url.toString();
             },

apps/next-example/src/components/providers.tsx

@@ -7,7 +7,11 @@ export default function Providers({ children }: { children: React.ReactNode }) {
   const storage = typeof window !== 'undefined' ? window.localStorage : (undefined as unknown as Storage);
 
   return (
-    <HypergraphAppProvider syncServerUri="http://localhost:3030" mapping={{}}>
+    <HypergraphAppProvider
+      syncServerUri="http://localhost:3030"
+      mapping={{}}
+      appId="83aa8907-085b-430f-1296-ab87dc98e793"
+    >
       {children}
     </HypergraphAppProvider>
   );

apps/server/prisma/migrations/20250627185421_remove_app_identity_nonce/migration.sql

@@ -0,0 +1,29 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `nonce` on the `AppIdentity` table. All the data in the column will be lost.
+
+*/
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_AppIdentity" (
+    "address" TEXT NOT NULL PRIMARY KEY,
+    "ciphertext" TEXT NOT NULL,
+    "signaturePublicKey" TEXT NOT NULL,
+    "encryptionPublicKey" TEXT NOT NULL,
+    "accountProof" TEXT NOT NULL,
+    "keyProof" TEXT NOT NULL,
+    "accountAddress" TEXT NOT NULL,
+    "appId" TEXT NOT NULL,
+    "sessionToken" TEXT NOT NULL,
+    "sessionTokenExpires" DATETIME NOT NULL,
+    CONSTRAINT "AppIdentity_accountAddress_fkey" FOREIGN KEY ("accountAddress") REFERENCES "Account" ("address") ON DELETE RESTRICT ON UPDATE CASCADE
+);
+INSERT INTO "new_AppIdentity" ("accountAddress", "accountProof", "address", "appId", "ciphertext", "encryptionPublicKey", "keyProof", "sessionToken", "sessionTokenExpires", "signaturePublicKey") SELECT "accountAddress", "accountProof", "address", "appId", "ciphertext", "encryptionPublicKey", "keyProof", "sessionToken", "sessionTokenExpires", "signaturePublicKey" FROM "AppIdentity";
+DROP TABLE "AppIdentity";
+ALTER TABLE "new_AppIdentity" RENAME TO "AppIdentity";
+CREATE INDEX "AppIdentity_sessionToken_idx" ON "AppIdentity"("sessionToken");
+CREATE UNIQUE INDEX "AppIdentity_accountAddress_appId_key" ON "AppIdentity"("accountAddress", "appId");
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;

apps/server/prisma/schema.prisma

@@ -115,7 +115,6 @@ model Account {
 model AppIdentity {
   address             String        @id
   ciphertext          String
-  nonce               String
   signaturePublicKey  String
   encryptionPublicKey String
   accountProof        String
@@ -129,7 +128,6 @@ model AppIdentity {
   sessionTokenExpires DateTime
 
   @@unique([accountAddress, appId])
-  @@unique([accountAddress, nonce])
   @@index([sessionToken])
 }
 

apps/server/src/handlers/applySpaceEvent.ts

@@ -4,7 +4,7 @@ import type { Messages } from '@graphprotocol/hypergraph';
 import { Identity, SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
-import { getConnectIdentity } from './getConnectIdentity.js';
+import { getAppOrConnectIdentity } from './getAppOrConnectIdentity.js';
 
 type Params = {
   accountAddress: string;
@@ -40,7 +40,7 @@ export async function applySpaceEvent({ accountAddress, spaceId, event, keyBoxes
       orderBy: { counter: 'desc' },
     });
 
-    const getVerifiedIdentity = (accountAddressToFetch: string) => {
+    const getVerifiedIdentity = (accountAddressToFetch: string, publicKey: string) => {
       console.log('getVerifiedIdentity', accountAddressToFetch, accountAddress);
       // applySpaceEvent is only allowed to be called by the account that is applying the event
       if (accountAddressToFetch !== accountAddress) {
@@ -49,7 +49,8 @@ export async function applySpaceEvent({ accountAddress, spaceId, event, keyBoxes
 
       return Effect.gen(function* () {
         const identity = yield* Effect.tryPromise({
-          try: () => getConnectIdentity({ accountAddress: accountAddressToFetch }),
+          try: () =>
+            getAppOrConnectIdentity({ accountAddress: accountAddressToFetch, signaturePublicKey: publicKey, spaceId }),
           catch: () => new Identity.InvalidIdentityError(),
         });
         return identity;

apps/server/src/handlers/create-app-identity.ts

@@ -19,7 +19,6 @@ export const createAppIdentity = async ({
   address,
   appId,
   ciphertext,
-  nonce,
   signaturePublicKey,
   encryptionPublicKey,
   accountProof,
@@ -43,7 +42,6 @@ export const createAppIdentity = async ({
         accountAddress,
         appId,
         ciphertext,
-        nonce,
         signaturePublicKey,
         encryptionPublicKey,
         accountProof,