Draft: validation in worker thread

juslesan · juslesan · commit 707891969889 · 2025-12-22T14:46:55.000+02:00
diff --git a/packages/sdk/package.json b/packages/sdk/package.json
@@ -13,7 +13,9 @@
   "script": "./dist/streamr-sdk.web.min.js",
   "browser": {
     "./src/utils/persistence/ServerPersistence.ts": "./src/utils/persistence/BrowserPersistence.mts",
-    "./dist/src/utils/persistence/ServerPersistence.js": "./dist/src/utils/persistence/BrowserPersistence.mjs"
+    "./dist/src/utils/persistence/ServerPersistence.js": "./dist/src/utils/persistence/BrowserPersistence.mjs",
+    "./src/signature/ServerSignatureValidation.ts": "./src/signature/BrowserSignatureValidation.mts",
+    "./dist/src/signature/ServerSignatureValidation.js": "./dist/src/signature/BrowserSignatureValidation.mjs"
   },
   "exports": {
     "default": {
@@ -93,6 +95,7 @@
   "#IMPORTANT": "babel-runtime must be in dependencies, not devDependencies",
   "dependencies": {
     "@babel/runtime": "^7.28.4",
+    "comlink": "^4.4.2",
     "@babel/runtime-corejs3": "^7.28.4",
     "@noble/post-quantum": "^0.4.1",
     "@protobuf-ts/runtime": "^2.8.2",
diff --git a/packages/sdk/src/signature/BrowserSignatureValidation.mts b/packages/sdk/src/signature/BrowserSignatureValidation.mts
@@ -0,0 +1,38 @@
+/**
+ * Browser implementation of signature validation using Web Worker.
+ * This offloads CPU-intensive cryptographic operations to a separate thread.
+ */
+import * as Comlink from 'comlink'
+import { SignatureValidationContext } from './SignatureValidationContext.js'
+import { SignatureValidationResult } from './signatureValidation.js'
+import type { SignatureValidationWorkerApi } from './SignatureValidationWorker.js'
+import { StreamMessage } from '../protocol/StreamMessage.js'
+
+export default class BrowserSignatureValidation implements SignatureValidationContext {
+    private worker: Worker | null = null
+    private workerApi: Comlink.Remote<SignatureValidationWorkerApi> | null = null
+
+    private ensureWorker(): Comlink.Remote<SignatureValidationWorkerApi> {
+        if (!this.workerApi) {
+            // Webpack 5 handles this pattern automatically, creating a separate chunk for the worker
+            this.worker = new Worker(
+                /* webpackChunkName: "signature-worker" */
+                new URL('./SignatureValidationWorker.js', import.meta.url)
+            )
+            this.workerApi = Comlink.wrap<SignatureValidationWorkerApi>(this.worker)
+        }
+        return this.workerApi
+    }
+
+    async validateSignature(message: StreamMessage): Promise<SignatureValidationResult> {
+        return this.ensureWorker().validateSignature(message)
+    }
+
+    destroy(): void {
+        if (this.worker) {
+            this.worker.terminate()
+            this.worker = null
+        }
+        this.workerApi = null
+    }
+}
diff --git a/packages/sdk/src/signature/ServerSignatureValidation.ts b/packages/sdk/src/signature/ServerSignatureValidation.ts
@@ -0,0 +1,20 @@
+/**
+ * Node.js implementation of signature validation.
+ * Runs on the main thread (worker threads can be added later if needed).
+ */
+import { StreamMessage } from '../protocol/StreamMessage'
+import { SignatureValidationContext } from './SignatureValidationContext'
+import { SignatureValidationResult, validateSignatureData } from './signatureValidation'
+
+export default class ServerSignatureValidation implements SignatureValidationContext {
+
+    async validateSignature(message: StreamMessage): Promise<SignatureValidationResult> {
+        return validateSignatureData(message)
+    }
+
+    // eslint-disable-next-line class-methods-use-this
+    destroy(): void {
+        // No-op for server implementation
+    }
+}
+
diff --git a/packages/sdk/src/signature/SignatureValidationContext.ts b/packages/sdk/src/signature/SignatureValidationContext.ts
@@ -0,0 +1,12 @@
+/**
+ * Interface for signature validation backend.
+ * Browser implementation uses a Web Worker, Node.js runs on main thread.
+ */
+import { StreamMessage } from '../protocol/StreamMessage'
+import { SignatureValidationResult } from './signatureValidation'
+
+export interface SignatureValidationContext {
+    validateSignature(message: StreamMessage): Promise<SignatureValidationResult>
+    destroy(): void
+}
+
diff --git a/packages/sdk/src/signature/SignatureValidationWorker.ts b/packages/sdk/src/signature/SignatureValidationWorker.ts
@@ -0,0 +1,18 @@
+/**
+ * Web Worker for signature validation.
+ * This worker handles CPU-intensive cryptographic operations off the main thread.
+ */
+import * as Comlink from 'comlink'
+import { validateSignatureData, SignatureValidationResult } from './signatureValidation'
+import { StreamMessage } from '../protocol/StreamMessage'
+
+const workerApi = {
+    validateSignature: async (data: StreamMessage): Promise<SignatureValidationResult> => {
+        return validateSignatureData(data)
+    }
+}
+
+export type SignatureValidationWorkerApi = typeof workerApi
+
+Comlink.expose(workerApi)
+
diff --git a/packages/sdk/src/signature/SignatureValidator.ts b/packages/sdk/src/signature/SignatureValidator.ts
@@ -1,26 +1,33 @@
-import { toEthereumAddress, toUserIdRaw, SigningUtil } from '@streamr/utils'
+import { toEthereumAddress } from '@streamr/utils'
 import { Lifecycle, scoped } from 'tsyringe'
 import { ERC1271ContractFacade } from '../contracts/ERC1271ContractFacade'
+import { DestroySignal } from '../DestroySignal'
 import { StreamMessage } from '../protocol/StreamMessage'
 import { StreamrClientError } from '../StreamrClientError'
-import { createLegacySignaturePayload } from './createLegacySignaturePayload'
 import { createSignaturePayload } from './createSignaturePayload'
+import { SignatureValidationContext } from './SignatureValidationContext'
+// This import will be swapped to BrowserSignatureValidation.mts in browser builds
+import SignatureValidation from './ServerSignatureValidation'
 import { SignatureType } from '@streamr/trackerless-network'
-import { IDENTITY_MAPPING } from '../identity/IdentityMapping'
-
-// Lookup structure SignatureType -> SigningUtil
-const signingUtilBySignatureType: Record<number, SigningUtil> = Object.fromEntries(
-    IDENTITY_MAPPING.map((idMapping) => [idMapping.signatureType, SigningUtil.getInstance(idMapping.keyType)])
-)
-
-const evmSigner = SigningUtil.getInstance('ECDSA_SECP256K1_EVM')
 
 @scoped(Lifecycle.ContainerScoped)
 export class SignatureValidator {
     private readonly erc1271ContractFacade: ERC1271ContractFacade
+    private validationContext: SignatureValidationContext | undefined
 
-    constructor(erc1271ContractFacade: ERC1271ContractFacade) {
+    constructor(
+        erc1271ContractFacade: ERC1271ContractFacade,
+        destroySignal: DestroySignal
+    ) {
         this.erc1271ContractFacade = erc1271ContractFacade
+        destroySignal.onDestroy.listen(() => this.destroy())
+    }
+
+    private getValidationContext(): SignatureValidationContext {
+        if (!this.validationContext) {
+            this.validationContext = new SignatureValidation()
+        }
+        return this.validationContext
     }
 
     /**
@@ -41,36 +48,33 @@ export class SignatureValidator {
     }
 
     private async validate(streamMessage: StreamMessage): Promise<boolean> {
-        const signingUtil = signingUtilBySignatureType[streamMessage.signatureType]
-
-        // Common case
-        if (signingUtil) {
-            return signingUtil.verifySignature(
-                toUserIdRaw(streamMessage.getPublisherId()),
-                createSignaturePayload(streamMessage),
-                streamMessage.signature
-            )
-        }
-
-        // Special handling: different payload computation, same SigningUtil
-        if (streamMessage.signatureType === SignatureType.ECDSA_SECP256K1_LEGACY) {
-            return evmSigner.verifySignature(
-                // publisherId is hex encoded Ethereum address string
-                toUserIdRaw(streamMessage.getPublisherId()),
-                createLegacySignaturePayload(streamMessage),
-                streamMessage.signature
-            )
-        }
-
-        // Special handling: check signature with ERC-1271 contract facade
         if (streamMessage.signatureType === SignatureType.ERC_1271) {
             return this.erc1271ContractFacade.isValidSignature(
-                toEthereumAddress(streamMessage.getPublisherId()),
+                toEthereumAddress(streamMessage.messageId.publisherId),
                 createSignaturePayload(streamMessage),
                 streamMessage.signature
             )
         }
+        const result = await this.getValidationContext().validateSignature(streamMessage)
+        switch (result.type) {
+            case 'valid':
+                return true
+            case 'invalid':
+                return false
+            case 'error':
+                throw new Error(result.message)
+            default:
+                throw new Error(`Unknown signature validation result type: ${result.type}`)
+        }
+    }
 
-        throw new Error(`Cannot validate message signature, unsupported signatureType: "${streamMessage.signatureType}"`)
+    /**
+     * Cleanup worker resources when the validator is no longer needed.
+     */
+    destroy(): void {
+        if (this.validationContext) {
+            this.validationContext.destroy()
+            this.validationContext = undefined
+        }
     }
 }
diff --git a/packages/sdk/src/signature/signatureValidation.ts b/packages/sdk/src/signature/signatureValidation.ts
@@ -0,0 +1,72 @@
+/**
+ * Core signature validation logic - shared between worker and main thread implementations.
+ * This file contains pure cryptographic validation functions without any network dependencies.
+ */
+import { SigningUtil, toUserIdRaw } from '@streamr/utils'
+import { SignatureType } from '@streamr/trackerless-network'
+import { IDENTITY_MAPPING } from '../identity/IdentityMapping'
+import { createSignaturePayload } from './createSignaturePayload'
+import { createLegacySignaturePayload } from './createLegacySignaturePayload'
+import { StreamMessage } from '../protocol/StreamMessage'
+
+// Lookup structure SignatureType -> SigningUtil
+const signingUtilBySignatureType: Record<number, SigningUtil> = Object.fromEntries(
+    IDENTITY_MAPPING.map((idMapping) => [idMapping.signatureType, SigningUtil.getInstance(idMapping.keyType)])
+)
+
+const evmSigner = SigningUtil.getInstance('ECDSA_SECP256K1_EVM')
+
+/**
+ * Result of signature validation
+ */
+export type SignatureValidationResult = 
+    | { type: 'valid' }
+    | { type: 'invalid' }
+    | { type: 'requires_erc1271' }
+    | { type: 'error'; message: string }
+
+/**
+ * Validate signature using extracted data.
+ * This is the core validation logic that can be run in a worker.
+ */
+export async function validateSignatureData(message: StreamMessage): Promise<SignatureValidationResult> {
+    try {
+        const signingUtil = signingUtilBySignatureType[message.signatureType]
+        // Common case: standard signature types
+        if (signingUtil) {
+            const payload = createSignaturePayload({
+                messageId: message.messageId,
+                content: message.content,
+                messageType: message.messageType,
+                prevMsgRef: message.prevMsgRef,
+                newGroupKey: message.newGroupKey,
+            })
+            const isValid = await signingUtil.verifySignature(
+                toUserIdRaw(message.messageId.publisherId),
+                payload,
+                message.signature
+            )
+            return isValid ? { type: 'valid' } : { type: 'invalid' }
+        }
+        // Special handling: legacy signature type
+        if (message.signatureType === SignatureType.ECDSA_SECP256K1_LEGACY) {
+            const payload = createLegacySignaturePayload({
+                messageId: message.messageId,
+                content: message.content,
+                encryptionType: message.encryptionType,
+                prevMsgRef: message.prevMsgRef,
+                newGroupKey: message.newGroupKey,
+            })
+            const isValid = await evmSigner.verifySignature(
+                toUserIdRaw(message.messageId.publisherId),
+                payload,
+                message.signature
+            )
+            return isValid ? { type: 'valid' } : { type: 'invalid' }
+        }
+        return { type: 'error', message: `Unsupported signatureType: "${message.signatureType}"` }
+    } catch (err) {
+        return { type: 'error', message: String(err) }
+    }
+}
+
diff --git a/packages/sdk/webpack.config.js b/packages/sdk/webpack.config.js
@@ -67,7 +67,8 @@ module.exports = (env, argv) => {
                 GIT_BRANCH: gitRevisionPlugin.branch(),
             }),
             new webpack.optimize.LimitChunkCountPlugin({
-                maxChunks: 1
+                // Allow 2 chunks: main bundle + signature validation worker
+                maxChunks: 2
             })
         ],
         performance: {
