Fix bug where a buffer construction is attempted in env without it (#209)

* Fix bug where a buffer construction is attempted in env without it

like a web browser that didn't have a system to polyfill buffer in when encountered during bundling.

* Make running the integration test much easier

also add integration tests to CI (this is likely to need some iteration)

* Make sure stable chrome/chromedriver match in CI

* Fix streaming bug, write could get blocked with no reader yet

* Add some more integration test coverage of newer features

* Make the integration test actually wait for elements instead of pauses

so they work in CI where CPU is way more variable. Required adding some
things to wait for in cases that didn't already create an element at the
right time in the process.

Author: skeet70

.github/workflows/ci.yml

@@ -18,3 +18,40 @@ jobs:
         run: |
           yarn
           yarn test
+
+  integration_test:
+    runs-on: ubuntu-24.04
+    needs: build_and_test
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24.x
+      - uses: browser-actions/setup-chrome@latest
+        id: setup-chrome
+        with:
+          chrome-version: stable
+          install-chromedriver: true
+      - name: install dependencies
+        run: yarn
+      - name: write project credentials
+        run: |
+          echo '${{ secrets.INTEGRATION_PROJECT_JSON }}' > integration/projects/project.json
+          echo '${{ secrets.INTEGRATION_PRIVATE_KEY }}' > integration/projects/private.key
+      - name: start integration servers
+        run: |
+          yarn start &
+          for port in 4500 4501; do
+            for i in $(seq 1 30); do
+              if curl -sk https://localhost:$port > /dev/null 2>&1; then
+                echo "Server on port $port is ready"
+                break
+              fi
+              sleep 1
+            done
+          done
+      - name: run nightwatch tests
+        env:
+          CHROME_PATH: ${{ steps.setup-chrome.outputs.chrome-path }}
+          CHROMEDRIVER_PATH: ${{ steps.setup-chrome.outputs.chromedriver-path }}
+        run: yarn nightwatch

.gitignore

@@ -8,7 +8,8 @@ bin/
 dist/
 docs/
 coverage/
-integration/private.key
 integration/projects/*
+!integration/projects/*.iron
 integration/certs/*
 .direnv
+logs/

CHANGELOG.md

@@ -4,6 +4,11 @@ The IronWeb SDK NPM releases follow standard [Semantic Versioning](https://semve
 
 **Note:** The patch versions of the IronWeb SDK will not be sequential and might jump by multiple numbers between sequential releases.
 
+## v4.3.1
+
+- fix a streaming bug, encrypt could get blocked with no reader yet on writing the header+IV.
+- fix a bug in unmanaged encryption if ironweb was used without a bundler that could provide a `Buffer` polyfill.
+
 ## v4.3.0
 - add streaming encrypt and decrypt functionality for managed and unmanaged documents.
 

flake.nix

@@ -5,14 +5,20 @@
   outputs = { self, nixpkgs, flake-utils }:
     flake-utils.lib.eachDefaultSystem (system:
       let
-        pkgs = nixpkgs.legacyPackages.${system};
+        pkgs = import nixpkgs {
+          inherit system;
+          config.allowUnfreePredicate = pkg:
+            builtins.elem (nixpkgs.lib.getName pkg) [ "google-chrome" ];
+        };
       in
       {
         devShell = pkgs.mkShell {
           buildInputs = [
             pkgs.prettier
             pkgs.nodejs_24
             (pkgs.yarn.override { nodejs = pkgs.nodejs_24; })
+            pkgs.google-chrome
+            pkgs.chromedriver
           ];
         };
       });

integration/README.md

@@ -0,0 +1,97 @@
+# Integration Tests
+
+## Architecture
+
+The integration test setup has three components:
+
+1. **Client app** (`clientHost.webpack.js`) — serves the demo app at `https://localhost:4500`. This is the UI that nightwatch interacts with.
+2. **Frame/Worker host** (`iclHost.webpack.js`) — serves the iframe + web worker code at `https://localhost:4501`. This is where the SDK's frame and crypto worker run, built from your local source.
+3. **API backend** — by default, API requests are proxied to stage ironcore-id (`https://api-staging.ironcorelabs.com`). Set `API_PROXY_TARGET=http://localhost:9090` to use a local ironcore-id instead.
+
+All three SDK layers (shim, frame, worker) run locally from source, so your uncommitted changes are under test.
+
+## Prerequisites
+
+### Nix dev shell (recommended)
+
+The project flake provides everything you need: Node.js, yarn, Chrome, and ChromeDriver (version-matched from the same nixpkgs):
+
+```bash
+nix develop
+```
+
+### Project credentials
+
+The project credentials are encrypted with ironhide. Decrypt them before first use:
+
+```bash
+ironhide file decrypt integration/projects/*
+```
+
+This produces `integration/projects/project.json` and `integration/projects/private.key`, which contain the project ID, segment ID, identity assertion key ID, and signing key for the stage environment.
+
+## Running the Integration App
+
+```bash
+yarn start
+```
+
+This generates self-signed localhost TLS certs (if not already present) and starts both webpack dev servers in parallel (client on port 4500, frame on port 4501).
+
+Navigate to **`https://localhost:4500`** in your browser (the `https://` is required). If your browser shows a certificate warning for the self-signed cert, click through to proceed.
+
+### Testing against a hosted frame environment
+
+To test against a specific deployed frame version (e.g. to reproduce a reported bug or confirm a regression against a release), set `HOSTED_ENV` and `HOSTED_VERSION`. This loads the frame and worker from the remote environment instead of local source:
+
+```bash
+HOSTED_VERSION=4.3.1 HOSTED_ENV=stage yarn start
+```
+
+In this mode the client app still runs locally, but the iframe loads from the remote environment (e.g. `https://api-staging.ironcorelabs.com`). Local changes to frame or worker code will **not** be reflected — only shim changes are tested.
+
+Available environments: `stage`, `dev`, `prod`.
+
+### Environment variables
+
+| Variable           | Default                                    | Description                                |
+|--------------------|--------------------------------------------|--------------------------------------------|
+| `CLIENT_HOST`      | `localhost`                                | Hostname for the client app server         |
+| `CLIENT_PORT`      | `4500`                                     | Port for the client app server             |
+| `FRAME_HOST`       | `localhost`                                | Hostname for the frame/worker server       |
+| `FRAME_PORT`       | `4501`                                     | Port for the frame/worker server           |
+| `CLIENT_CERT_DIR`  | `certs/localhost`                           | TLS cert directory for the client server   |
+| `FRAME_CERT_DIR`   | `certs/localhost`                           | TLS cert directory for the frame server    |
+| `API_PROXY_TARGET` | `https://api-staging.ironcorelabs.com`     | Backend API to proxy `/api/1/` requests to |
+| `HOSTED_ENV`       | _(unset)_                                  | Load frame from a remote env instead of local (`stage`, `dev`, `prod`) |
+| `HOSTED_VERSION`   | _(unset)_                                  | SDK version string (required with `HOSTED_ENV`) |
+
+## Running Nightwatch Tests
+
+### 1. Start the integration app
+
+```bash
+yarn start
+```
+
+### 2. Run tests
+
+Run all tests:
+
+```bash
+yarn nightwatch
+```
+
+Run tests by tag:
+
+```bash
+yarn nightwatch --tag unmanagedEncrypt
+```
+
+## Test Tags
+
+| Tag                         | Test file                                        | Description                                      |
+|-----------------------------|--------------------------------------------------|--------------------------------------------------|
+| `unmanagedEncrypt`          | `document-unmanaged-encrypt.test.js`             | Unmanaged encrypt/decrypt round-trip             |
+| `streamingEncrypt`          | `document-streaming-encrypt.test.js`             | Streaming encrypt/decrypt round-trip             |
+| `unmanagedStreamingEncrypt` | `document-unmanaged-streaming-encrypt.test.js`   | Unmanaged streaming encrypt/decrypt round-trip   |

integration/clientHost.webpack.js

@@ -8,8 +8,11 @@ const projectIDs = require("./projects/project.json");
 const keyFile = path.join(__dirname, "./projects/private.key");
 const privateKey = fs.readFileSync(keyFile, "utf8");
 
-const SB_HOST = "dev1.scrambledbits.org";
-const SB_PORT = 4500;
+const SB_HOST = process.env.CLIENT_HOST || "localhost";
+const SB_PORT = parseInt(process.env.CLIENT_PORT, 10) || 4500;
+const FRAME_HOST = process.env.FRAME_HOST || "localhost";
+const FRAME_PORT = parseInt(process.env.FRAME_PORT, 10) || 4501;
+const CERT_DIR = path.join(__dirname, process.env.CLIENT_CERT_DIR || "certs/localhost");
 
 if ((process.env.HOSTED_VERSION && !process.env.HOSTED_ENV) || (!process.env.HOSTED_VERSION && process.env.HOSTED_ENV)) {
     throw new Error("In order to run against a non-local environment you need to set both the `HOSTED_VERSION` and `HOSTED_ENV` environment variables.");
@@ -26,12 +29,10 @@ function getFrameDomain() {
         case "dev":
             return "https://api-dev1.ironcorelabs.com";
         default:
-            return "https://dev1.ironcorelabs.com:4501";
+            return `https://${FRAME_HOST}:${FRAME_PORT}`;
     }
 }
 
-const runtimeEnvironment = process.env.HOSTED_VERSION ? "production" : "";
-
 /**
  * Serve the app index.html page. This figures out who the current user is, and if one doesn't exist, generates a new random user
  */
@@ -72,7 +73,7 @@ function serveIndex(req, res) {
  */
 function serveJWT(req, res) {
     res.json(
-        jwt.sign({pid: projectIDs.projectId, sid: projectIDs.segmentId, kid: projectIDs.serviceKeyId || undefined}, privateKey, {
+        jwt.sign({pid: projectIDs.projectId, sid: projectIDs.segmentId, kid: projectIDs.identityAssertionKeyId}, privateKey, {
             algorithm: "ES256",
             expiresIn: "2m",
             subject: req.params.userID,
@@ -92,9 +93,8 @@ module.exports = {
         server: {
             type: "https",
             options: {
-                key: fs.readFileSync(path.join(__dirname, "certs/sb/privkey.pem")),
-                cert: fs.readFileSync(path.join(__dirname, "certs/sb/cert.pem")),
-                ca: fs.readFileSync(path.join(__dirname, "certs/sb/chain.pem")),
+                key: fs.readFileSync(path.join(CERT_DIR, "privkey.pem")),
+                cert: fs.readFileSync(path.join(CERT_DIR, "cert.pem")),
             },
         },
         setupMiddlewares: (middlewares, devServer) => {
@@ -131,7 +131,6 @@ module.exports = {
     },
     plugins: [
         new webpack.DefinePlugin({
-            //"process.env.NODE_ENV": JSON.stringify(runtimeEnvironment), not sure why this conflicting problem comes up
             SDK_NPM_VERSION_PLACEHOLDER: JSON.stringify(process.env.HOSTED_VERSION || "SDK_NPM_VERSION_PLACEHOLDER"),
             _ICL_FRAME_DOMAIN_REPLACEMENT_: JSON.stringify(getFrameDomain()),
         }),

integration/components/UserInfo.tsx

@@ -50,7 +50,7 @@ export default class UserInfo extends React.Component<Record<string, never>, Use
             passcodeError: false,
             changingPasscode: false,
             listingDevices: false,
-            loading: true,
+            loading: false,
             deviceList: [],
         };
     }