wip

Author: fforbeck

package.json

@@ -22,8 +22,8 @@
   "main": "src/index.js",
   "types": "dist/src/index.d.ts",
   "scripts": {
-    "build": "esbuild --bundle src/index.js --format=esm --external:node:buffer --external:node:events --external:node:async_hooks --sourcemap --minify --outfile=dist/worker.mjs && npm run build:tsc",
-    "build:debug": "esbuild --bundle src/index.js --format=esm --external:node:buffer --external:node:events --external:node:async_hooks --outfile=dist/worker.mjs",
+    "build": "esbuild --bundle src/index.js --format=esm --external:node:buffer --external:node:events --external:node:async_hooks --external:cloudflare:workers --sourcemap --minify --outfile=dist/worker.mjs && npm run build:tsc",
+    "build:debug": "esbuild --bundle src/index.js --format=esm --external:node:buffer --external:node:events --external:node:async_hooks --external:cloudflare:workers --outfile=dist/worker.mjs",
     "build:tsc": "tsc --build",
     "dev": "npm run build:debug && miniflare dist/worker.mjs --watch --debug -m --r2-persist --global-async-io --global-timers",
     "lint": "standard",
@@ -57,6 +57,7 @@
     "multiformats": "^13.0.1"
   },
   "devDependencies": {
+    "@ipld/dag-ucan": "^3.4.5",
     "@storacha/cli": "^1.6.2",
     "@storacha/client": "^1.8.2",
     "@types/chai": "^5.0.0",
@@ -81,5 +82,6 @@
     "ignore": [
       "*.ts"
     ]
-  }
+  },
+  "packageManager": "pnpm@10.14.0+sha512.ad27a79641b49c3e481a16a805baa71817a04bbe06a38d17e60e2eaee83f6a146c6a688125f5792e48dd5ba30e7da52a5cda4c3992b9ccf333f9ce223af84748"
 }

scripts/mk-validator-proof.js

@@ -0,0 +1,92 @@
+/**
+ * Create a "ucan/attest" delegation allowing the gateway to validate
+ * attestations issued by the upload-service.
+ *
+ * This generates the GATEWAY_VALIDATOR_PROOF environment variable value.
+ *
+ * Usage: node scripts/mk-validator-proof.js <upload-service-did-web> <upload-service-private-key> <gateway-did-web>
+ *
+ * Example (staging):
+ *   node scripts/mk-validator-proof.js \
+ *     did:web:staging.up.storacha.network \
+ *     MgCZT5J+...your-key-here... \
+ *     did:web:staging.w3s.link
+ *
+ * Example (production):
+ *   node scripts/mk-validator-proof.js \
+ *     did:web:up.storacha.network \
+ *     MgCZT5J+...your-key-here... \
+ *     did:web:w3s.link
+ */
+import * as DID from '@ipld/dag-ucan/did'
+import { CAR, delegate } from '@ucanto/core'
+import * as ed25519 from '@ucanto/principal/ed25519'
+import { base64 } from 'multiformats/bases/base64'
+import { identity } from 'multiformats/hashes/identity'
+import * as Link from 'multiformats/link'
+
+// CORRECT DIRECTION (staging):
+// - issuer   should be did:web:staging.up.storacha.network (upload-service)
+// - audience should be did:web:staging.w3s.link (gateway)
+// - can      should be 'ucan/attest'
+// - with     should be issuer.did() (i.e. did:web:staging.up.storacha.network)
+// The private key must be the upload-service private key. This makes the
+// gateway trust attestations issued by the upload-service.
+
+
+const uploadServiceDIDWeb = process.argv[2]
+const uploadServicePrivateKey = process.argv[3]
+const gatewayDIDWeb = process.argv[4]
+
+if (!uploadServiceDIDWeb || !uploadServicePrivateKey || !gatewayDIDWeb) {
+  console.error('Error: Missing required arguments')
+  console.error('Usage: node scripts/mk-validator-proof.js <upload-service-did-web> <upload-service-private-key> <gateway-did-web>')
+  console.error('')
+  console.error('Example (staging):')
+  console.error('  node scripts/mk-validator-proof.js \\')
+  console.error('    did:web:staging.up.storacha.network \\')
+  console.error('    MgCZT5J+...your-key-here... \\')
+  console.error('    did:web:staging.w3s.link')
+  process.exit(1)
+}
+
+console.log(`Upload Service DID: ${uploadServiceDIDWeb}`)
+console.log(`Upload Service Private Key: ${uploadServicePrivateKey.slice(0, 7)}...${uploadServicePrivateKey.slice(-7)}`)
+console.log(`Gateway DID: ${gatewayDIDWeb}`)
+console.log('')
+
+const issuer = ed25519
+  .parse(uploadServicePrivateKey)
+  .withDID(DID.parse(uploadServiceDIDWeb).did())
+const audience = DID.parse(gatewayDIDWeb)
+
+// Note: variable names are confusing - "uploadService" is actually the issuer (gateway in our case)
+// and "gateway" is actually the audience (upload service in our case)
+// The 'with' should be the issuer's DID per colleague's instructions
+const delegation = await delegate({
+  issuer: issuer,
+  audience: audience,
+  capabilities: [{ can: 'ucan/attest', with: issuer.did() }],
+  expiration: Infinity
+})
+
+console.log('✅ Delegation created:')
+console.log(`   Issuer: ${issuer.did()}`)
+console.log(`   Audience: ${audience.did()}`)
+console.log(`   Capability: ucan/attest with ${issuer.did()}`)
+console.log('')
+
+const res = await delegation.archive()
+if (res.error) {
+  console.error('❌ Error archiving delegation:', res.error)
+  throw res.error
+}
+
+const proof = Link.create(CAR.code, identity.digest(res.ok)).toString(base64)
+
+console.log('✅ Validator proof generated successfully!')
+console.log('')
+console.log('Add this to your environment variables:')
+console.log('')
+console.log('GATEWAY_VALIDATOR_PROOF=' + proof)
+console.log('')

src/bindings.d.ts

@@ -26,4 +26,5 @@ export interface Environment
   HONEYCOMB_API_KEY: string
   FF_TELEMETRY_ENABLED: string
   TELEMETRY_RATIO: string
+  GATEWAY_VALIDATOR_PROOF?: string
 }

src/middleware/withAuthorizedSpace.js

@@ -1,16 +1,18 @@
 import { Verifier } from '@ucanto/principal'
 import { ok, access, Unauthorized } from '@ucanto/validator'
+import { resolveDIDKey, getValidatorProofs } from '../server/index.js'
 import { HttpError } from '@web3-storage/gateway-lib/util'
 import * as serve from '../capabilities/serve.js'
 import { SpaceDID } from '@storacha/capabilities/utils'
+ 
 
 /**
  * @import * as Ucanto from '@ucanto/interface'
  * @import { IpfsUrlContext, Middleware } from '@web3-storage/gateway-lib'
  * @import { LocatorContext } from './withLocator.types.js'
- * @import { AuthTokenContext } from './withAuthToken.types.js'
+ * @import { AuthTokenContext, Environment } from './withAuthToken.types.js'
  * @import { SpaceContext } from './withAuthorizedSpace.types.js'
- * @import { DelegationsStorageContext } from './withDelegationsStorage.types.js'
+ * @import { DelegationsStorageContext, DelegationsStorageEnvironment } from './withDelegationsStorage.types.js'
  * @import { GatewayIdentityContext } from './withGatewayIdentity.types.js'
  * @import { DelegationProofsContext } from './withAuthorizedSpace.types.js'
  */
@@ -61,7 +63,8 @@ export function withAuthorizedSpace (handler) {
       // First space to successfully authorize is the one we'll use.
       const { space: selectedSpace, delegationProofs } = await Promise.any(
         spaces.map(async (space) => {
-          const result = await authorize(SpaceDID.from(space), ctx)
+          // @ts-ignore
+          const result = await authorize(SpaceDID.from(space), ctx, env)
           if (result.error) throw result.error
           return result.ok
         })
@@ -102,9 +105,10 @@ export function withAuthorizedSpace (handler) {
  *
  * @param {import('@storacha/capabilities/types').SpaceDID} space
  * @param {AuthTokenContext & DelegationsStorageContext & GatewayIdentityContext} ctx
+ * @param {import('./withRateLimit.types.js').Environment} env
  * @returns {Promise<Ucanto.Result<{space: import('@storacha/capabilities/types').SpaceDID, delegationProofs: Ucanto.Delegation[]}, Ucanto.Failure>>}
  */
-const authorize = async (space, ctx) => {
+const authorize = async (space, ctx, env) => {
   // Look up delegations that might authorize us to serve the content.
   const relevantDelegationsResult = await ctx.delegationsStorage.find(space)
   if (relevantDelegationsResult.error) return relevantDelegationsResult
@@ -121,12 +125,15 @@ const authorize = async (space, ctx) => {
       proofs: delegationProofs
     })
     .delegate()
-
-  // Validate the invocation.
+  
+  // Load validator proofs and validate the invocation
+  const validatorProofs = await getValidatorProofs(env)
   const accessResult = await access(invocation, {
     capability: serve.transportHttp,
     authority: ctx.gatewayIdentity,
     principal: Verifier,
+    proofs: validatorProofs,
+    resolveDIDKey,
     validateAuthorization: () => ok({})
   })
   if (accessResult.error) {

src/middleware/withDelegationsStorage.js

@@ -88,7 +88,7 @@ function createStorage (env) {
       try {
         await env.CONTENT_SERVE_DELEGATIONS_STORE.put(
           `${space}:${delegation.cid.toString()}`,
-          value.ok.buffer,
+          /** @type {ArrayBuffer} */ (value.ok.buffer),
           options
         )
         return ok({})

src/middleware/withDelegationsStorage.types.ts

@@ -7,6 +7,7 @@ import { SpaceDID } from '@storacha/capabilities/types'
 export interface DelegationsStorageEnvironment extends MiddlewareEnvironment {
   CONTENT_SERVE_DELEGATIONS_STORE: KVNamespace
   FF_DELEGATIONS_STORAGE_ENABLED: string
+  GATEWAY_VALIDATOR_PROOF?: string
 }
 
 export interface DelegationsStorageContext
@@ -35,6 +36,6 @@ export interface DelegationsStorage {
    */
   store: (
     space: SpaceDID,
-    delegation: Ucanto.Delegation<Ucanto.Capabilities>
+    delegation: Ucanto.Delegation<Ucanto.Capabilities>,
   ) => Promise<Ucanto.Result<Ucanto.Unit, StoreOperationFailed | Ucanto.Failure>>
 }

src/middleware/withRateLimit.types.ts

@@ -6,6 +6,7 @@ export interface Environment extends MiddlewareEnvironment {
   RATE_LIMITER: RateLimit
   AUTH_TOKEN_METADATA: KVNamespace
   FF_RATE_LIMITER_ENABLED: string
+  GATEWAY_VALIDATOR_PROOF?: string
 }
 
 export interface TokenMetadata {

src/middleware/withUcanInvocationHandler.js

@@ -22,8 +22,8 @@ export function withUcanInvocationHandler (handler) {
       return handler(request, env, ctx)
     }
 
-    const service = ctx.service ?? createService(ctx)
-    const server = ctx.server ?? createServer(ctx, service)
+    const service = ctx.service ?? await createService(ctx, env)
+    const server = ctx.server ?? await createServer(ctx, service, env)
 
     const { headers, body, status } = await server.request({
       body: new Uint8Array(await request.arrayBuffer()),

src/middleware/withUcanInvocationHandler.types.ts

@@ -4,6 +4,7 @@ import { DelegationsStorageContext } from './withDelegationsStorage.types.js'
 import { Service } from '../server/api.types.js'
 import * as Server from '@ucanto/server'
 export interface Environment extends MiddlewareEnvironment {
+  GATEWAY_VALIDATOR_PROOF?: string
 }
 
 export interface Context<T = unknown, U = unknown>

src/server/index.js

@@ -1,20 +1,93 @@
 import * as Server from '@ucanto/server'
 import * as CAR from '@ucanto/transport/car'
+import { DIDResolutionError } from '@ucanto/validator'
+import * as Proof from '@storacha/client/proof'
+
+/**
+ * Known did:web to did:key mappings for signature verification
+ * @type {Record<`did:${string}:${string}`, `did:key:${string}`>}
+ */
+const knownWebDIDs = {
+  // Production
+  'did:web:up.storacha.network': 'did:key:z6MkqdncRZ1wj8zxCTDUQ8CRT8NQWd63T7mZRvZUX8B7XDFi',
+  'did:web:web3.storage': 'did:key:z6MkqdncRZ1wj8zxCTDUQ8CRT8NQWd63T7mZRvZUX8B7XDFi',
+  'did:web:w3s.link': 'did:key:z6Mkha3NLZ38QiZXsUHKRHecoumtha3LnbYEL21kXYBFXvo5',
+  
+  // Staging
+  'did:web:staging.up.storacha.network': 'did:key:z6MkhcbEpJpEvNVDd3n5RurquVdqs5dPU16JDU5VZTDtFgnn',
+  'did:web:staging.web3.storage': 'did:key:z6MkhcbEpJpEvNVDd3n5RurquVdqs5dPU16JDU5VZTDtFgnn',
+  'did:web:staging.w3s.link': 'did:key:z6MkqK1d4thaCEXSGZ6EchJw3tDPhQriwynWDuR55ayATMNf',
+}
+
+/**
+ * Resolves did:web DIDs to their corresponding did:key DIDs
+ * @param {import('@ucanto/interface').DID} did
+ */
+export const resolveDIDKey = async (did) => {
+  if (knownWebDIDs[did]) {
+    const didKey = /** @type {`did:key:${string}`} */ (knownWebDIDs[did])
+    return Server.ok([didKey])  // Return array of did:keys
+  }
+  return Server.error(new DIDResolutionError(did))
+}
+
+/**
+ * @type {import('@ucanto/interface').Delegation[]}
+ */
+let cachedValidatorProofs
+
+/**
+ * Loads validator proofs from environment variable.
+ * These proofs allow the gateway to validate ucan/attest delegations.
+ * 
+ * @param {{ GATEWAY_VALIDATOR_PROOF?: string }} env
+ * @returns {Promise<import('@ucanto/interface').Delegation[]>}
+ */
+export const getValidatorProofs = async (env) => {
+  if (cachedValidatorProofs) {
+    return cachedValidatorProofs
+  }
+  cachedValidatorProofs = []
+  if (env.GATEWAY_VALIDATOR_PROOF) {
+    try {
+      const proof = await Proof.parse(env.GATEWAY_VALIDATOR_PROOF)
+      const delegation = /** @type {import('@ucanto/interface').Delegation} */ (proof)
+      console.log(`Gateway validator proof loaded: [issuer: ${delegation.issuer.did()}, audience: ${delegation.audience.did()}]`)
+      cachedValidatorProofs = [delegation]
+    } catch (error) {
+      console.error('Failed to parse GATEWAY_VALIDATOR_PROOF:', error)
+    }
+  }
+  return cachedValidatorProofs
+}
 
 /**
  * Creates a UCAN server.
  *
  * @template T
  * @param {import('../middleware/withUcanInvocationHandler.types.js').Context} ctx
  * @param {import('./api.types.js').Service<T>} service
+ * @param {{ GATEWAY_VALIDATOR_PROOF?: string }} env
  */
-export function createServer (ctx, service) {
+export async function createServer (ctx, service, env) {
+  const proofs = await getValidatorProofs(env)
+  console.log('Server validator proofs loaded:', proofs.length)
+  if (proofs.length > 0) {
+    console.log('First proof details:', {
+      issuer: proofs[0].issuer.did(),
+      audience: proofs[0].audience.did(),
+      capabilities: proofs[0].capabilities.map(c => ({ can: c.can, with: c.with })),
+      cid: proofs[0].cid.toString()
+    })
+  }
   return Server.create({
     id: ctx.gatewaySigner,
     codec: CAR.inbound,
     service,
     catch: err => console.error(err),
     // TODO: wire into revocations
-    validateAuthorization: () => ({ ok: {} })
+    validateAuthorization: () => ({ ok: {} }),
+    resolveDIDKey,
+    proofs,
   })
 }