verify space events identities

apps/server/src/handlers/applySpaceEvent.ts

@@ -1,9 +1,10 @@
 import { Effect, Exit } from 'effect';
 
 import type { Messages } from '@graphprotocol/hypergraph';
-import { SpaceEvents } from '@graphprotocol/hypergraph';
+import { Identity, SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
+import { getIdentity } from './getIdentity.js';
 
 type Params = {
   accountId: string;
@@ -36,7 +37,28 @@ export async function applySpaceEvent({ accountId, spaceId, event, keyBoxes }: P
       orderBy: { counter: 'desc' },
     });
 
-    const result = await Effect.runPromiseExit(SpaceEvents.applyEvent({ event, state: JSON.parse(lastEvent.state) }));
+    const getVerifiedIdentity = (accountIdToFetch: string) => {
+      // applySpaceEvent is only allowed to be called by the account that is applying the event
+      if (accountIdToFetch !== accountId) {
+        return Effect.fail(new Identity.InvalidIdentityError());
+      }
+
+      return Effect.gen(function* () {
+        const identity = yield* Effect.tryPromise({
+          try: () => getIdentity({ accountId: accountIdToFetch }),
+          catch: () => new Identity.InvalidIdentityError(),
+        });
+        return identity;
+      });
+    };
+
+    const result = await Effect.runPromiseExit(
+      SpaceEvents.applyEvent({
+        event,
+        state: JSON.parse(lastEvent.state),
+        getVerifiedIdentity,
+      }),
+    );
     if (Exit.isFailure(result)) {
       console.log('Failed to apply event', result);
       throw new Error('Invalid event');

apps/server/src/handlers/createSpace.ts

@@ -2,9 +2,10 @@ import { Effect, Exit } from 'effect';
 
 import type { Messages } from '@graphprotocol/hypergraph';
 
-import { SpaceEvents } from '@graphprotocol/hypergraph';
+import { Identity, SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
+import { getIdentity } from './getIdentity.js';
 
 type Params = {
   accountId: string;
@@ -14,7 +15,22 @@ type Params = {
 };
 
 export const createSpace = async ({ accountId, event, keyBox, keyId }: Params) => {
-  const result = await Effect.runPromiseExit(SpaceEvents.applyEvent({ event, state: undefined }));
+  const getVerifiedIdentity = (accountIdToFetch: string) => {
+    // applySpaceEvent is only allowed to be called by the account that is applying the event
+    if (accountIdToFetch !== accountId) {
+      return Effect.fail(new Identity.InvalidIdentityError());
+    }
+
+    return Effect.gen(function* () {
+      const identity = yield* Effect.tryPromise({
+        try: () => getIdentity({ accountId: accountIdToFetch }),
+        catch: () => new Identity.InvalidIdentityError(),
+      });
+      return identity;
+    });
+  };
+
+  const result = await Effect.runPromiseExit(SpaceEvents.applyEvent({ event, state: undefined, getVerifiedIdentity }));
   if (Exit.isFailure(result)) {
     throw new Error('Invalid event');
   }

apps/server/src/index.ts

@@ -366,8 +366,26 @@ webSocketServer.on('connection', async (webSocket: CustomWebSocket, request: Req
           break;
         }
         case 'create-space-event': {
+          const getVerifiedIdentity = (accountIdToFetch: string) => {
+            if (accountIdToFetch !== accountId) {
+              return Effect.fail(new Identity.InvalidIdentityError());
+            }
+
+            return Effect.gen(function* () {
+              const identity = yield* Effect.tryPromise({
+                try: () => getIdentity({ accountId: accountIdToFetch }),
+                catch: () => new Identity.InvalidIdentityError(),
+              });
+              return identity;
+            });
+          };
+
           const applyEventResult = await Effect.runPromiseExit(
-            SpaceEvents.applyEvent({ event: data.event, state: undefined }),
+            SpaceEvents.applyEvent({
+              event: data.event,
+              state: undefined,
+              getVerifiedIdentity,
+            }),
           );
           if (Exit.isSuccess(applyEventResult)) {
             const space = await createSpace({ accountId, event: data.event, keyBox: data.keyBox, keyId: data.keyId });

packages/hypergraph-react/src/HypergraphAppContext.tsx

@@ -35,7 +35,7 @@ export type HypergraphAppCtx = {
   acceptInvitation(params: Readonly<{ invitation: Messages.Invitation }>): Promise<unknown>;
   subscribeToSpace(params: Readonly<{ spaceId: string }>): void;
   inviteToSpace(params: Readonly<{ space: SpaceStorageEntry; invitee: { accountId: Address } }>): Promise<unknown>;
-  getUserIdentity(accountId: string): Promise<{
+  getVerifiedIdentity(accountId: string): Promise<{
     accountId: string;
     encryptionPublicKey: string;
     signaturePublicKey: string;
@@ -44,28 +44,36 @@ export type HypergraphAppCtx = {
 };
 
 export const HypergraphAppContext = createContext<HypergraphAppCtx>({
-  async login() {},
-  logout() {},
-  setIdentityAndSessionToken() {},
+  async login() {
+    throw new Error('login is missing');
+  },
+  logout() {
+    throw new Error('logout is missing');
+  },
+  setIdentityAndSessionToken() {
+    throw new Error('setIdentityAndSessionToken is missing');
+  },
   invitations: [],
   async createSpace() {
-    return {};
+    throw new Error('createSpace is missing');
+  },
+  listSpaces() {
+    throw new Error('listSpaces is missing');
+  },
+  listInvitations() {
+    throw new Error('listInvitations is missing');
   },
-  listSpaces() {},
-  listInvitations() {},
   async acceptInvitation() {
-    return {};
+    throw new Error('acceptInvitation is missing');
+  },
+  subscribeToSpace() {
+    throw new Error('subscribeToSpace is missing');
   },
-  subscribeToSpace() {},
   async inviteToSpace() {
-    return {};
+    throw new Error('inviteToSpace is missing');
   },
-  async getUserIdentity() {
-    return {
-      accountId: '',
-      encryptionPublicKey: '',
-      signaturePublicKey: '',
-    };
+  async getVerifiedIdentity() {
+    throw new Error('getVerifiedIdentity is missing');
   },
   loading: true,
 });
@@ -294,7 +302,7 @@ export function HypergraphAppProvider({
             signature: update.signature,
             accountId: update.accountId,
           });
-          const authorIdentity = await getUserIdentity(update.accountId);
+          const authorIdentity = await Identity.getVerifiedIdentity(update.accountId, syncServerUri);
           if (authorIdentity.signaturePublicKey !== signer) {
             console.error(
               `Received invalid signature, recovered signer is ${signer},
@@ -325,6 +333,16 @@ export function HypergraphAppProvider({
       });
     };
 
+    const getVerifiedIdentity = (accountId: string) => {
+      return Effect.gen(function* () {
+        const identity = yield* Effect.tryPromise({
+          try: () => Identity.getVerifiedIdentity(accountId, syncServerUri),
+          catch: () => new Identity.InvalidIdentityError(),
+        });
+        return identity;
+      });
+    };
+
     const onMessage = async (event: MessageEvent) => {
       const data = Messages.deserialize(event.data);
       const message = decodeResponseMessage(data);
@@ -346,7 +364,7 @@ export function HypergraphAppProvider({
             for (const event of response.events) {
               // Not sure why but type inference doesn't work here
               const applyEventResult: Exit.Exit<SpaceEvents.SpaceState, SpaceEvents.ApplyError> =
-                await Effect.runPromiseExit(SpaceEvents.applyEvent({ state, event }));
+                await Effect.runPromiseExit(SpaceEvents.applyEvent({ state, event, getVerifiedIdentity }));
               if (Exit.isSuccess(applyEventResult)) {
                 state = applyEventResult.value;
               } else {
@@ -428,7 +446,7 @@ export function HypergraphAppProvider({
             }
 
             const applyEventResult = await Effect.runPromiseExit(
-              SpaceEvents.applyEvent({ event: response.event, state: space.state }),
+              SpaceEvents.applyEvent({ event: response.event, state: space.state, getVerifiedIdentity }),
             );
             if (Exit.isSuccess(applyEventResult)) {
               store.send({
@@ -488,7 +506,7 @@ export function HypergraphAppProvider({
     return () => {
       websocketConnection.removeEventListener('message', onMessage);
     };
-  }, [websocketConnection, spaces, accountId, keys?.encryptionPrivateKey, keys?.signaturePrivateKey]);
+  }, [websocketConnection, spaces, accountId, keys?.encryptionPrivateKey, keys?.signaturePrivateKey, syncServerUri]);
 
   const createSpaceForContext = async () => {
     if (!accountId) {
@@ -593,54 +611,6 @@ export function HypergraphAppProvider({
     [websocketConnection],
   );
 
-  const getUserIdentity = async (
-    accountId: string,
-  ): Promise<{
-    accountId: string;
-    encryptionPublicKey: string;
-    signaturePublicKey: string;
-  }> => {
-    const storeState = store.getSnapshot();
-    const identity = storeState.context.userIdentities[accountId];
-    if (identity) {
-      return {
-        accountId,
-        encryptionPublicKey: identity.encryptionPublicKey,
-        signaturePublicKey: identity.signaturePublicKey,
-      };
-    }
-    const res = await fetch(`${syncServerUri}/identity?accountId=${accountId}`);
-    if (res.status !== 200) {
-      throw new Error('Failed to fetch identity');
-    }
-    const resDecoded = Schema.decodeUnknownSync(Messages.ResponseIdentity)(await res.json());
-
-    if (
-      !(await Identity.verifyIdentityOwnership(
-        resDecoded.accountId,
-        resDecoded.signaturePublicKey,
-        resDecoded.accountProof,
-        resDecoded.keyProof,
-      ))
-    ) {
-      throw new Error('Invalid identity');
-    }
-
-    store.send({
-      type: 'addUserIdentity',
-      accountId: resDecoded.accountId,
-      encryptionPublicKey: resDecoded.encryptionPublicKey,
-      signaturePublicKey: resDecoded.signaturePublicKey,
-      accountProof: resDecoded.accountProof,
-      keyProof: resDecoded.keyProof,
-    });
-    return {
-      accountId: resDecoded.accountId,
-      encryptionPublicKey: resDecoded.encryptionPublicKey,
-      signaturePublicKey: resDecoded.signaturePublicKey,
-    };
-  };
-
   const inviteToSpace = async ({
     space,
     invitee,
@@ -667,7 +637,7 @@ export function HypergraphAppProvider({
       console.error('No state found for space');
       return;
     }
-    const inviteeWithKeys = await getUserIdentity(invitee.accountId);
+    const inviteeWithKeys = await Identity.getVerifiedIdentity(invitee.accountId, syncServerUri);
     const spaceEvent = await Effect.runPromiseExit(
       SpaceEvents.createInvitation({
         author: {
@@ -709,6 +679,13 @@ export function HypergraphAppProvider({
     websocketConnection?.send(Messages.serialize(message));
   };
 
+  const getVerifiedIdentity = useCallback(
+    (accountId: string) => {
+      return Identity.getVerifiedIdentity(accountId, syncServerUri);
+    },
+    [syncServerUri],
+  );
+
   return (
     <HypergraphAppContext.Provider
       value={{
@@ -721,7 +698,7 @@ export function HypergraphAppProvider({
         listInvitations,
         acceptInvitation: acceptInvitationForContext,
         subscribeToSpace,
-        getUserIdentity,
+        getVerifiedIdentity,
         inviteToSpace,
         loading,
       }}

packages/hypergraph/src/identity/get-verified-identity.ts

@@ -0,0 +1,53 @@
+import * as Schema from 'effect/Schema';
+import * as Messages from '../messages/index.js';
+import { store } from '../store.js';
+import { verifyIdentityOwnership } from './prove-ownership.js';
+
+export const getVerifiedIdentity = async (
+  accountId: string,
+  syncServerUri: string,
+): Promise<{
+  accountId: string;
+  encryptionPublicKey: string;
+  signaturePublicKey: string;
+}> => {
+  const storeState = store.getSnapshot();
+  const identity = storeState.context.identities[accountId];
+  if (identity) {
+    return {
+      accountId,
+      encryptionPublicKey: identity.encryptionPublicKey,
+      signaturePublicKey: identity.signaturePublicKey,
+    };
+  }
+  const res = await fetch(`${syncServerUri}/identity?accountId=${accountId}`);
+  if (res.status !== 200) {
+    throw new Error('Failed to fetch identity');
+  }
+  const resDecoded = Schema.decodeUnknownSync(Messages.ResponseIdentity)(await res.json());
+
+  if (
+    !(await verifyIdentityOwnership(
+      resDecoded.accountId,
+      resDecoded.signaturePublicKey,
+      resDecoded.accountProof,
+      resDecoded.keyProof,
+    ))
+  ) {
+    throw new Error('Invalid identity');
+  }
+
+  store.send({
+    type: 'addVerifiedIdentity',
+    accountId: resDecoded.accountId,
+    encryptionPublicKey: resDecoded.encryptionPublicKey,
+    signaturePublicKey: resDecoded.signaturePublicKey,
+    accountProof: resDecoded.accountProof,
+    keyProof: resDecoded.keyProof,
+  });
+  return {
+    accountId: resDecoded.accountId,
+    encryptionPublicKey: resDecoded.encryptionPublicKey,
+    signaturePublicKey: resDecoded.signaturePublicKey,
+  };
+};

packages/hypergraph/src/identity/index.ts

@@ -1,5 +1,6 @@
 export * from './auth-storage.js';
 export * from './create-identity-keys.js';
+export * from './get-verified-identity.js';
 export * from './identity-encryption.js';
 export * from './login.js';
 export * from './prove-ownership.js';

packages/hypergraph/src/identity/types.ts

@@ -32,3 +32,13 @@ export type KeysSchema = Schema.Schema.Type<typeof KeysSchema>;
 export type Identity = IdentityKeys & {
   accountId: string;
 };
+
+export type PublicIdentity = {
+  accountId: string;
+  encryptionPublicKey: string;
+  signaturePublicKey: string;
+};
+
+export class InvalidIdentityError {
+  readonly _tag = 'InvalidIdentityError';
+}