feat: account recover with email

.github/release-please-config.json

@@ -1,7 +1,7 @@
 {
  "separate-pull-requests": true,
  "packages": {
- "packages/access": {},
+ "packages/access-client": {},
  "packages/access-api": {},
  "packages/upload-client": {},
  "packages/wallet": {}

.github/release-please-manifest.json

@@ -1,6 +1,6 @@
 {
  "packages/wallet": "1.0.0",
- "packages/access": "5.0.2",
+ "packages/access-client": "5.0.2",
  "packages/access-api": "3.0.0",
  "packages/upload-client": "1.0.0"
 }

.github/workflows/access.yml → .github/workflows/access-client.yml

@@ -1,4 +1,4 @@
-name: Access SDK
+name: Access Client
 env:
  CI: true
  FORCE_COLOR: 1
@@ -7,12 +7,12 @@ on:
  branches:
  - main
  paths:
- - 'packages/access/**'
+ - 'packages/access-client/**'
  - '.github/workflows/access.yml'
  - 'pnpm-lock.yaml'
  pull_request:
  paths:
- - 'packages/access/**'
+ - 'packages/access-client/**'
  - '.github/workflows/access.yml'
  - 'pnpm-lock.yaml'
 jobs:

.github/workflows/manual.yml

@@ -9,8 +9,8 @@ on:
  default: 'access-api'
  options:
  - access-api
- - access
  - upload-client
+ - access-client
  - wallet
  environment:
  description: 'Environment to deploy'
@@ -52,9 +52,9 @@ jobs:
  with:
  environment: ${{ github.event.inputs.environment }}
  secrets: inherit
- deploy-access:
+ deploy-access-client:
  runs-on: ubuntu-latest
- if: github.event.inputs.package == 'access'
+ if: github.event.inputs.package == 'access-client'
  steps:
  - uses: actions/checkout@v3
  - uses: pnpm/action-setup@v2.2.3

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
  release-type: node
  publish-access:
  needs: release
- if: contains(fromJson(needs.release.outputs.paths_released), 'packages/access')
+ if: contains(fromJson(needs.release.outputs.paths_released), 'packages/access-client')
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@v3

package.json

@@ -1,5 +1,5 @@
 {
- "name": "ucan-protocol",
+ "name": "w3protocol",
  "version": "0.0.0",
  "private": true,
  "workspaces": [

packages/access-api/package.json

@@ -11,7 +11,7 @@
  "dev": "scripts/cli.js dev",
  "build": "scripts/cli.js build",
  "check": "tsc --build",
- "test": "tsc --build && ava --timeout 10s"
+ "test": "pnpm build && tsc --build && ava --timeout 10s"
  },
  "author": "Hugo Dias <hugomrdias@gmail.com> (hugodias.me)",
  "license": "(Apache-2.0 OR MIT)",
@@ -56,6 +56,7 @@
  "git-rev-sync": "^3.0.1",
  "hd-scripts": "^3.0.2",
  "miniflare": "^2.10.0",
+ "p-wait-for": "^5.0.0",
  "process": "^0.11.10",
  "readable-stream": "^4.1.0",
  "sade": "^1.7.4",
@@ -92,8 +93,6 @@
  ],
  "ava": {
  "failFast": true,
- "concurrency": 1,
- "workerThreads": false,
  "files": [
  "test/**/*.test.js"
  ],

packages/access-api/sql/migrate.js

@@ -28,7 +28,7 @@ export async function migrate(db) {
  } catch (error) {
  const err = /** @type {Error} */ (error)
  // eslint-disable-next-line no-console
- console.log({
+ console.error('D1 Error', {
  message: err.message,
  // @ts-ignore
  cause: err.cause?.message,

packages/access-api/src/kvs/accounts.js

@@ -48,7 +48,7 @@ export class Accounts {
  tableName: 'accounts',
  fields: '*',
  where: {
- conditions: 'did =?1',
+ conditions: 'did=?1',
  params: [did],
  },
  })
@@ -68,10 +68,12 @@ export class Accounts {
  }
 
  /**
- * @param {string} email
+ * Save account delegation per email
+ *
+ * @param {`mailto:${string}`} email
  * @param {Ucanto.Delegation<Ucanto.Capabilities>} delegation
  */
- async saveAccount(email, delegation) {
+ async saveDelegation(email, delegation) {
  const accs = /** @type {string[] | undefined} */ (
  await this.kv.get(email, {
  type: 'json',
@@ -90,10 +92,27 @@ export class Accounts {
  }
 
  /**
- * @param {string} email
+ * Check if we have delegations for an email
+ *
+ * @param {`mailto:${string}`} email
  */
- async hasAccounts(email) {
+ async hasDelegations(email) {
  const r = await this.kv.get(email)
  return Boolean(r)
  }
+
+ /**
+ * @param {`mailto:${string}`} email
+ */
+ async getDelegations(email) {
+ const r = await this.kv.get(email, { type: 'json' })
+
+ if (!r) {
+ return
+ }
+
+ return /** @type {import('@web3-storage/access/types').EncodedDelegation<[import('@web3-storage/access/types').Any]>[]} */ (
+ r
+ )
+ }
 }

packages/access-api/src/kvs/validations.js

@@ -13,11 +13,12 @@ export class Validations {
  }
 
  /**
- * @param {string} ucan
+ * @template {import('@ucanto/interface').Capabilities} [T=import('@ucanto/interface').Capabilities]
+ * @param {import('@web3-storage/access/src/types').EncodedDelegation<T>} ucan
  */
  async put(ucan) {
  const delegation =
- /** @type {import('@ucanto/interface').Delegation<[import('@web3-storage/access/capabilities/types').VoucherClaim]>} */ (
+ /** @type {import('@ucanto/interface').Delegation<T>} */ (
  await stringToDelegation(ucan)
  )
 

packages/access-api/src/routes/validate-email.js

@@ -11,9 +11,16 @@ import {
  * @param {import('../bindings.js').RouteContext} env
  */
 export async function validateEmail(req, env) {
+ if (req.query && req.query.ucan && req.query.mode === 'recover') {
+ return recover(req, env)
+ }
  if (req.query && req.query.ucan) {
  try {
- const delegation = await env.kvs.validations.put(req.query.ucan)
+ const delegation = await env.kvs.validations.put(
+ /** @type {import('@web3-storage/access/src/types.js').EncodedDelegation<[import('@web3-storage/access/src/types.js').VoucherClaim]>} */ (
+ req.query.ucan
+ )
+ )
 
  return new HtmlResponse(
  (
@@ -48,3 +55,44 @@ export async function validateEmail(req, env) {
  <ValidateEmailError msg={'Missing delegation in the URL.'} />
  )
 }
+
+/**
+ * @param {import('@web3-storage/worker-utils/router').ParsedRequest} req
+ * @param {import('../bindings.js').RouteContext} env
+ */
+async function recover(req, env) {
+ try {
+ const delegation = await env.kvs.validations.put(
+ /** @type {import('@web3-storage/access/src/types.js').EncodedDelegation<[import('@web3-storage/access/src/types.js').AccountRecover]>} */ (
+ req.query.ucan
+ )
+ )
+
+ return new HtmlResponse(
+ (
+ <ValidateEmail
+ delegation={delegation}
+ ucan={req.query.ucan}
+ qrcode={await QRCode.toString(req.query.ucan, {
+ type: 'svg',
+ errorCorrectionLevel: 'M',
+ margin: 10,
+ })}
+ />
+ )
+ )
+ } catch (error) {
+ const err = /** @type {Error} */ (error)
+
+ if (err.message.includes('Invalid expiration')) {
+ return new HtmlResponse(
+ <ValidateEmailError msg={'Email confirmation expired.'} />
+ )
+ }
+
+ env.log.error(err)
+ return new HtmlResponse(
+ <ValidateEmailError msg={'Oops something went wrong.'} />
+ )
+ }
+}

packages/access-api/src/routes/validate-ws.js

@@ -3,7 +3,7 @@ import pRetry from 'p-retry'
 const run = async (
  /** @type {import('../kvs/validations').Validations} */ kv,
  /** @type {WebSocket} */ server,
- /** @type {any} */ did
+ /** @type {string} */ did
 ) => {
  const d = await kv.get(did)
 

packages/access-api/src/service/index.js

@@ -4,7 +4,11 @@ import * as Account from '@web3-storage/access/capabilities/account'
 import { voucherClaimProvider } from './voucher-claim.js'
 import { voucherRedeemProvider } from './voucher-redeem.js'
 import * as DID from '@ipld/dag-ucan/did'
-import { delegationToString } from '@web3-storage/access/encoding'
+import {
+ delegationToString,
+ stringToDelegation,
+} from '@web3-storage/access/encoding'
+import { any } from '@web3-storage/access/capabilities/any'
 
 /**
  * @param {import('../bindings').RouteContext} ctx
@@ -18,13 +22,50 @@ export function service(ctx) {
  },
 
  account: {
- info: Server.provide(Account.info, async ({ capability }) => {
+ info: Server.provide(Account.info, async ({ capability, invocation }) => {
  const results = await ctx.kvs.accounts.get(capability.with)
  if (!results) {
- throw new Failure('Account not found...')
+ return new Failure('Account not found.')
  }
  return results
  }),
+ recover: Server.provide(
+ Account.recover,
+ async ({ capability, invocation }) => {
+ if (capability.with !== ctx.signer.did()) {
+ return new Failure(
+ `Resource ${
+ capability.with
+ } does not service did ${ctx.signer.did()}`
+ )
+ }
+
+ const encoded = await ctx.kvs.accounts.getDelegations(
+ capability.nb.identity
+ )
+ if (!encoded) {
+ return new Failure(
+ `No delegations found for ${capability.nb.identity}`
+ )
+ }
+
+ const results = []
+ for (const e of encoded) {
+ const proof = await stringToDelegation(e)
+ const del = await any.delegate({
+ audience: invocation.issuer,
+ issuer: ctx.signer,
+ with: proof.capabilities[0].with,
+ expiration: Infinity,
+ proofs: [proof],
+ })
+
+ results.push(await delegationToString(del))
+ }
+
+ return results
+ }
+ ),
 
  'recover-validation': Server.provide(
  Account.recoverValidation,
@@ -33,9 +74,9 @@ export function service(ctx) {
  // if yes send email with account/login
  // if not error "no accounts for email X"
 
- const email = capability.nb.email
- if (!(await ctx.kvs.accounts.hasAccounts(email))) {
- throw new Failure(
+ const email = capability.nb.identity
+ if (!(await ctx.kvs.accounts.hasDelegations(email))) {
+ return new Failure(
  `No accounts found for email: ${email.replace('mailto:', '')}.`
  )
  }
@@ -46,21 +87,29 @@ export function service(ctx) {
  audience: DID.parse(capability.with),
  with: ctx.signer.did(),
  lifetimeInSeconds: 60 * 10,
+ nb: {
+ identity: email,
+ },
  proofs: [
  await Account.recover.delegate({
  audience: ctx.signer,
  issuer: ctx.signer,
- lifetimeInSeconds: 60 * 1000,
+ expiration: Infinity,
  with: ctx.signer.did(),
+ nb: {
+ identity: 'mailto:*',
+ },
  }),
  ],
  })
  .delegate()
 
  const encoded = await delegationToString(inv)
+ const url = `${ctx.url.protocol}//${ctx.url.host}/validate-email?ucan=${encoded}&mode=recover`
+
  // For testing
  if (ctx.config.ENV === 'test') {
- return encoded
+ return url
  }
  }
  ),

packages/access-api/src/service/voucher-claim.js

@@ -40,9 +40,7 @@ export function voucherClaimProvider(ctx) {
  return encoded
  }
 
- const url = `${ctx.url.protocol}//${
- ctx.url.host
- }/validate-email?ucan=${encoded}&did=${invocation.issuer.did()}`
+ const url = `${ctx.url.protocol}//${ctx.url.host}/validate-email?ucan=${encoded}`
 
  await ctx.email.sendValidation({
  to: capability.nb.identity.replace('mailto:', ''),