+5

.changeset/bright-keys-sign.md

reviewed

··· 1 1 + --- 2 2 + '@atcute/did-plc': minor 3 3 + --- 4 4 + 5 5 + add `signOperation` and `signTombstone` functions for signing unsigned PLC operations

+7

.changeset/hungry-plc-client.md

reviewed

··· 1 1 + --- 2 2 + '@atcute/did-plc': minor 3 3 + --- 4 4 + 5 5 + add `PlcClient` for interacting with plc.directory API 6 6 + 7 7 + includes new types `PlcState` and `SequencedEntry` for API responses

+5

.changeset/smooth-dids-derive.md

reviewed

··· 1 1 + --- 2 2 + '@atcute/did-plc': minor 3 3 + --- 4 4 + 5 5 + add `deriveDidFromGenesisOp` to derive did:plc identifier from genesis operation

+41 -2

packages/identity/did-plc/README.md

reviewed

··· 1 1 # @atcute/did-plc 2 2 3 3 - validate and process did:plc operation logs. 3 3 + validate, sign, and interact with did:plc operations. 4 4 5 5 ```sh 6 6 npm install @atcute/did-plc 7 7 ``` 8 8 9 9 did:plc is a self-certifying DID method where the audit log serves as the source of truth. this 10 10 - package validates that operations are properly signed and chained. 10 10 + package validates that operations are properly signed and chained, and provides utilities for 11 11 + creating and submitting new operations. 11 12 12 13 ## usage 14 14 + 15 15 + ### using the client 16 16 + 17 17 + ```ts 18 18 + import { PlcClient } from '@atcute/did-plc'; 19 19 + 20 20 + const client = new PlcClient(); 21 21 + 22 22 + // fetch DID document 23 23 + const doc = await client.getDocument('did:plc:ragtjsm2j2vknwkz3zp4oxrd'); 24 24 + 25 25 + // fetch current identity state 26 26 + const state = await client.getState('did:plc:ragtjsm2j2vknwkz3zp4oxrd'); 27 27 + 28 28 + // fetch operation log 29 29 + const log = await client.getOperationLog('did:plc:ragtjsm2j2vknwkz3zp4oxrd'); 30 30 + 31 31 + // fetch last operation 32 32 + const lastOp = await client.getLastOperation('did:plc:ragtjsm2j2vknwkz3zp4oxrd'); 33 33 + 34 34 + // submit a signed operation 35 35 + await client.submitOperation('did:plc:ragtjsm2j2vknwkz3zp4oxrd', signedOperation); 36 36 + ``` 37 37 + 38 38 + ### signing operations 39 39 + 40 40 + ```ts 41 41 + import { signOperation, signTombstone, deriveDidFromGenesisOp } from '@atcute/did-plc'; 42 42 + 43 43 + // sign an unsigned operation 44 44 + const signedOp = await signOperation(unsignedOp, rotationKey); 45 45 + 46 46 + // sign a tombstone 47 47 + const signedTombstone = await signTombstone(unsignedTombstone, rotationKey); 48 48 + 49 49 + // derive did:plc from genesis operation 50 50 + const did = await deriveDidFromGenesisOp(signedGenesisOp); 51 51 + ``` 13 52 14 53 ### validating audit logs 15 54

+195

packages/identity/did-plc/lib/client.ts

reviewed

··· 1 1 + import type { DidDocument } from '@atcute/identity'; 2 2 + import { defs as identityDefs } from '@atcute/identity'; 3 3 + import { FailedResponseError, isResponseOk, parseResponseAsJson, pipe, validateJsonWith } from '@atcute/util-fetch'; 4 4 + 5 5 + import * as defs from './typedefs.js'; 6 6 + import * as t from './types.js'; 7 7 + 8 8 + const MAX_RESPONSE_SIZE = 64 * 1024; 9 9 + 10 10 + const handleDocument = pipe( 11 11 + isResponseOk, 12 12 + parseResponseAsJson(/^application\/(did\+ld\+)?json$/, MAX_RESPONSE_SIZE), 13 13 + validateJsonWith(identityDefs.didDocument, { mode: 'passthrough' }), 14 14 + ); 15 15 + 16 16 + const handlePlcState = pipe( 17 17 + isResponseOk, 18 18 + parseResponseAsJson(/^application\/json$/, MAX_RESPONSE_SIZE), 19 19 + validateJsonWith(defs.plcState, { mode: 'passthrough' }), 20 20 + ); 21 21 + 22 22 + const handleOperationLog = pipe( 23 23 + isResponseOk, 24 24 + parseResponseAsJson(/^application\/json$/, MAX_RESPONSE_SIZE), 25 25 + validateJsonWith(defs.operationLog, { mode: 'passthrough' }), 26 26 + ); 27 27 + 28 28 + const handleIndexedEntryLog = pipe( 29 29 + isResponseOk, 30 30 + parseResponseAsJson(/^application\/json$/, MAX_RESPONSE_SIZE), 31 31 + validateJsonWith(defs.indexedEntryLog, { mode: 'passthrough' }), 32 32 + ); 33 33 + 34 34 + const handleLastOperation = pipe( 35 35 + isResponseOk, 36 36 + parseResponseAsJson(/^application\/json$/, MAX_RESPONSE_SIZE), 37 37 + validateJsonWith(defs.compatibleOperationOrTombstone, { mode: 'passthrough' }), 38 38 + ); 39 39 + 40 40 + export interface PlcClientOptions { 41 41 + /** plc directory URL, defaults to https://plc.directory */ 42 42 + serviceUrl?: string; 43 43 + /** custom fetch function */ 44 44 + fetch?: typeof globalThis.fetch; 45 45 + } 46 46 + 47 47 + export interface PlcRequestOptions { 48 48 + signal?: AbortSignal; 49 49 + } 50 50 + 51 51 + /** 52 52 + * client for interacting with plc.directory 53 53 + */ 54 54 + export class PlcClient { 55 55 + readonly serviceUrl: string; 56 56 + #fetch: typeof globalThis.fetch; 57 57 + 58 58 + constructor({ serviceUrl = 'https://plc.directory', fetch: fetchFn = fetch }: PlcClientOptions = {}) { 59 59 + this.serviceUrl = serviceUrl; 60 60 + this.#fetch = fetchFn; 61 61 + } 62 62 + 63 63 + /** 64 64 + * fetches the DID document for a did:plc 65 65 + * @param did the did:plc identifier 66 66 + * @param options request options 67 67 + * @returns the DID document 68 68 + */ 69 69 + async getDocument(did: t.DidPlcString, options?: PlcRequestOptions): Promise<DidDocument> { 70 70 + const url = new URL(`/${encodeURIComponent(did)}`, this.serviceUrl); 71 71 + 72 72 + const response = await this.#fetch(url, { 73 73 + signal: options?.signal, 74 74 + headers: { accept: 'application/did+ld+json,application/json' }, 75 75 + }); 76 76 + 77 77 + const { json } = await handleDocument(response); 78 78 + return json; 79 79 + } 80 80 + 81 81 + /** 82 82 + * fetches the current identity state for a did:plc 83 83 + * @param did the did:plc identifier 84 84 + * @param options request options 85 85 + * @returns the current plc state 86 86 + */ 87 87 + async getState(did: t.DidPlcString, options?: PlcRequestOptions): Promise<t.PlcState> { 88 88 + const url = new URL(`/${encodeURIComponent(did)}/data`, this.serviceUrl); 89 89 + 90 90 + const response = await this.#fetch(url, { 91 91 + signal: options?.signal, 92 92 + headers: { accept: 'application/json' }, 93 93 + }); 94 94 + 95 95 + const { json } = await handlePlcState(response); 96 96 + return json; 97 97 + } 98 98 + 99 99 + /** 100 100 + * fetches the operation log for a did:plc 101 101 + * @param did the did:plc identifier 102 102 + * @param options request options 103 103 + * @returns the operation log 104 104 + */ 105 105 + async getOperationLog(did: t.DidPlcString, options?: PlcRequestOptions): Promise<t.OperationLog> { 106 106 + const url = new URL(`/${encodeURIComponent(did)}/log`, this.serviceUrl); 107 107 + 108 108 + const response = await this.#fetch(url, { 109 109 + signal: options?.signal, 110 110 + headers: { accept: 'application/json' }, 111 111 + }); 112 112 + 113 113 + const { json } = await handleOperationLog(response); 114 114 + return json; 115 115 + } 116 116 + 117 117 + /** 118 118 + * fetches the auditable log for a did:plc (includes CIDs and timestamps) 119 119 + * @param did the did:plc identifier 120 120 + * @param options request options 121 121 + * @returns the indexed entry log 122 122 + */ 123 123 + async getAuditLog(did: t.DidPlcString, options?: PlcRequestOptions): Promise<t.IndexedEntryLog> { 124 124 + const url = new URL(`/${encodeURIComponent(did)}/log/audit`, this.serviceUrl); 125 125 + 126 126 + const response = await this.#fetch(url, { 127 127 + signal: options?.signal, 128 128 + headers: { accept: 'application/json' }, 129 129 + }); 130 130 + 131 131 + const { json } = await handleIndexedEntryLog(response); 132 132 + return json; 133 133 + } 134 134 + 135 135 + /** 136 136 + * fetches the last operation for a did:plc 137 137 + * @param did the did:plc identifier 138 138 + * @param options request options 139 139 + * @returns the last operation or tombstone 140 140 + */ 141 141 + async getLastOperation( 142 142 + did: t.DidPlcString, 143 143 + options?: PlcRequestOptions, 144 144 + ): Promise<t.CompatibleOperationOrTombstone> { 145 145 + const url = new URL(`/${encodeURIComponent(did)}/log/last`, this.serviceUrl); 146 146 + 147 147 + const response = await this.#fetch(url, { 148 148 + signal: options?.signal, 149 149 + headers: { accept: 'application/json' }, 150 150 + }); 151 151 + 152 152 + const { json } = await handleLastOperation(response); 153 153 + return json; 154 154 + } 155 155 + 156 156 + /** 157 157 + * submits a signed operation to plc.directory 158 158 + * @param did the did:plc identifier 159 159 + * @param operation the signed operation to submit 160 160 + * @param options request options 161 161 + */ 162 162 + async submitOperation( 163 163 + did: t.DidPlcString, 164 164 + operation: t.OperationOrTombstone, 165 165 + options?: PlcRequestOptions, 166 166 + ): Promise<void> { 167 167 + const url = new URL(`/${encodeURIComponent(did)}`, this.serviceUrl); 168 168 + 169 169 + const response = await this.#fetch(url, { 170 170 + method: 'POST', 171 171 + signal: options?.signal, 172 172 + headers: { 'content-type': 'application/json' }, 173 173 + body: JSON.stringify(operation), 174 174 + }); 175 175 + 176 176 + if (!response.ok) { 177 177 + throw new FailedResponseError(response); 178 178 + } 179 179 + } 180 180 + 181 181 + /** 182 182 + * checks if the plc directory is reachable 183 183 + * @param options request options 184 184 + * @returns true if reachable 185 185 + */ 186 186 + async ping(options?: PlcRequestOptions): Promise<boolean> { 187 187 + const url = new URL('/_health', this.serviceUrl); 188 188 + 189 189 + const response = await this.#fetch(url, { 190 190 + signal: options?.signal, 191 191 + }); 192 192 + 193 193 + return response.ok; 194 194 + } 195 195 + }

+3 -6

packages/identity/did-plc/lib/data.ts

reviewed

··· 1 1 import * as CBOR from '@atcute/cbor'; 2 2 import * as CID from '@atcute/cid'; 3 3 import { isKeyDid } from '@atcute/identity'; 4 4 - import { toBase32 } from '@atcute/multibase'; 5 5 - import { toSha256 } from '@atcute/uint8array'; 6 4 7 5 import { DISPUTE_WINDOW } from './constants.js'; 8 6 import * as err from './errors.js'; 9 7 import * as t from './types.js'; 10 10 - import { isSignedOperationValid, normalizeOp } from './utils.js'; 8 8 + import { deriveDidFromGenesisOp, isSignedOperationValid, normalizeOp } from './utils.js'; 11 9 12 10 // soft constraint limits for incoming operations 13 11 const MAX_OP_BYTES = 4000; ··· 148 146 149 147 // Check if CID and DID matches 150 148 { 151 151 - const opBytes = CBOR.encode(proposed.operation); 152 152 - 153 153 - const expectedDid = `did:plc:${toBase32(await toSha256(opBytes)).slice(0, 24)}`; 149 149 + const expectedDid = await deriveDidFromGenesisOp(proposed.operation); 154 150 if (expectedDid !== did) { 155 151 throw new err.GenesisHashError(proposed, did); 156 152 } 157 153 154 154 + const opBytes = CBOR.encode(proposed.operation); 158 155 const expectedCid = CID.toString(await CID.create(CID.CODEC_DCBOR, opBytes)); 159 156 if (expectedCid !== proposed.cid) { 160 157 throw new err.InvalidHashError(proposed, expectedCid);

+1

packages/identity/did-plc/lib/index.ts

reviewed

··· 1 1 export * as defs from './typedefs.js'; 2 2 export * from './types.js'; 3 3 4 4 + export * from './client.js'; 4 5 export * from './constants.js'; 5 6 export * from './data.js'; 6 7 export * from './errors.js';

+15

packages/identity/did-plc/lib/typedefs.ts

reviewed

··· 120 120 .tuple([_indexedEntry.extend({ operation: compatibleOperation })]) 121 121 .concat(v.array(_indexedEntry.extend({ operation: operationOrTombstone }))); 122 122 // #endregion 123 123 + 124 124 + // #region Client response schemas 125 125 + export const plcState: v.Type<t.PlcState> = v.object({ 126 126 + did: didPlcString, 127 127 + rotationKeys: v.array(didKeyString), 128 128 + verificationMethods: v.record(permissiveDidKeyString), 129 129 + alsoKnownAs: v.array(v.string()), 130 130 + services: v.record(service), 131 131 + }); 132 132 + 133 133 + export const sequencedEntry: v.Type<t.SequencedEntry> = _indexedEntry.extend({ 134 134 + type: v.literal('sequenced_op'), 135 135 + seq: v.number(), 136 136 + }); 137 137 + // #endregion

+23

packages/identity/did-plc/lib/types.ts

reviewed

··· 71 71 genesis: IndexedEntry<CompatibleOperation>, 72 72 ...IndexedEntry<OperationOrTombstone>[], 73 73 ]; 74 74 + 75 75 + // #region client response types 76 76 + 77 77 + /** 78 78 + * current identity state derived from the did:plc operation log 79 79 + */ 80 80 + export interface PlcState { 81 81 + did: DidPlcString; 82 82 + rotationKeys: DidKeyString[]; 83 83 + verificationMethods: Record<string, DidKeyString>; 84 84 + alsoKnownAs: string[]; 85 85 + services: Record<string, Service>; 86 86 + } 87 87 + 88 88 + /** 89 89 + * operation entry with sequence number from /export endpoint 90 90 + */ 91 91 + export interface SequencedEntry extends IndexedEntry { 92 92 + type: 'sequenced_op'; 93 93 + seq: number; 94 94 + } 95 95 + 96 96 + // #endregion

+44 -1

packages/identity/did-plc/lib/utils.ts

reviewed

··· 1 1 import * as CBOR from '@atcute/cbor'; 2 2 + import type { PrivateKey } from '@atcute/crypto'; 2 3 import { verifySigWithDidKey } from '@atcute/crypto'; 3 3 - import { fromBase64Url } from '@atcute/multibase'; 4 4 + import { fromBase64Url, toBase32, toBase64Url } from '@atcute/multibase'; 5 5 + import { toSha256 } from '@atcute/uint8array'; 4 6 5 7 import * as t from './types.js'; 6 8 ··· 20 22 const stripped = str.replace('http://', '').replace('https://', ''); 21 23 22 24 return `at://${stripped}`; 25 25 + }; 26 26 + 27 27 + /** 28 28 + * derives the did:plc identifier from a genesis operation 29 29 + * @param op signed genesis operation 30 30 + * @returns the did:plc string 31 31 + */ 32 32 + export const deriveDidFromGenesisOp = async (op: t.CompatibleOperation): Promise<t.DidPlcString> => { 33 33 + const opBytes = CBOR.encode(op); 34 34 + const hash = await toSha256(opBytes); 35 35 + return `did:plc:${toBase32(hash).slice(0, 24)}`; 23 36 }; 24 37 25 38 export const normalizeOp = (op: t.CompatibleOperation): t.Operation => { ··· 64 77 65 78 return null; 66 79 }; 80 80 + 81 81 + // #region signing operations 82 82 + 83 83 + /** 84 84 + * signs an unsigned plc operation 85 85 + * @param op unsigned operation to sign 86 86 + * @param key private key to sign with (must be one of the rotation keys) 87 87 + * @returns signed operation 88 88 + */ 89 89 + export const signOperation = async (op: t.UnsignedOperation, key: PrivateKey): Promise<t.Operation> => { 90 90 + const data = CBOR.encode(op); 91 91 + const sig = await key.sign(data); 92 92 + 93 93 + return { ...op, sig: toBase64Url(sig) }; 94 94 + }; 95 95 + 96 96 + /** 97 97 + * signs an unsigned plc tombstone 98 98 + * @param op unsigned tombstone to sign 99 99 + * @param key private key to sign with (must be one of the rotation keys) 100 100 + * @returns signed tombstone 101 101 + */ 102 102 + export const signTombstone = async (op: t.UnsignedTombstone, key: PrivateKey): Promise<t.Tombstone> => { 103 103 + const data = CBOR.encode(op); 104 104 + const sig = await key.sign(data); 105 105 + 106 106 + return { ...op, sig: toBase64Url(sig) }; 107 107 + }; 108 108 + 109 109 + // #endregion

+1

packages/identity/did-plc/package.json

reviewed

··· 43 43 "@atcute/lexicons": "workspace:^", 44 44 "@atcute/multibase": "workspace:^", 45 45 "@atcute/uint8array": "workspace:^", 46 46 + "@atcute/util-fetch": "workspace:^", 46 47 "@badrap/valita": "^0.4.6" 47 48 } 48 49 }