use base64::engine::general_purpose::URL_SAFE;
use base64::prelude::*;
use crate::encryption::EncryptionKey;
use crate::hosts::Host;
use blake2::Digest;
use chrono::{DateTime, Utc};
use reqwest::{Method, StatusCode};
use serde_json::to_vec;
use serde_with::base64::Base64;
use serde_with::{DefaultOnNull, serde_as};
use sia_core::blake2::Blake2b256;
use thiserror::Error;
use serde::de::DeserializeOwned;
use serde::{Deserialize, Serialize};
use crate::object_encryption::DecryptError;
use crate::slabs::Sector;
use crate::time::Duration;
use crate::{
Account, AppMetadata, HostQuery, Object, ObjectsCursor, PinnedSlab, SealedObject, Slab,
};
use sia_core::signing::{PrivateKey, PublicKey, Signature};
use sia_core::types::Hash256;
pub(crate) use reqwest::{IntoUrl, Url};
const QUERY_PARAM_VALID_UNTIL: &str = "sv";
const QUERY_PARAM_CREDENTIAL: &str = "sc";
const QUERY_PARAM_SIGNATURE: &str = "ss";
const SHARE_URL_SCHEME: &str = "sia";
#[cfg(not(test))]
const SHARE_URL_FETCH_SCHEME: &str = "https";
#[cfg(test)]
const SHARE_URL_FETCH_SCHEME: &str = "http";
#[derive(Debug, Error)]
pub enum Error {
#[error("indexd responded with an error: {0}")]
Api(String),
#[error("invalid header value: {0}")]
InvalidHeader(#[from] reqwest::header::InvalidHeaderValue),
#[error("http error: {0}")]
Reqwest(#[from] reqwest::Error),
#[error("serde error: {0}")]
Serde(#[from] serde_json::Error),
#[error("url parse error: {0}")]
UrlParse(#[from] url::ParseError),
#[error("user rejected connection request")]
UserRejected,
#[error("format error: {0}")]
Format(String),
#[error("decryption error: {0}")]
Decryption(#[from] DecryptError),
#[error("custom error: {0}")]
Custom(String),
}
#[derive(Debug, Deserialize, Serialize, PartialEq)]
#[serde(rename_all = "camelCase")]
pub(crate) struct AuthConnectStatusResponse {
approved: bool,
user_secret: Option<Hash256>,
}
#[derive(Debug, Deserialize, Serialize, PartialEq)]
#[serde(rename_all = "camelCase")]
pub(crate) struct RegisterAppResponse {
#[serde(rename = "responseURL")]
pub response_url: String,
#[serde(rename = "statusURL")]
pub status_url: String,
#[serde(rename = "registerURL")]
pub register_url: String,
pub expiration: DateTime<Utc>,
}
#[derive(Debug, Clone, Serialize, PartialEq)]
#[serde(rename_all = "camelCase")]
pub(crate) struct SlabPinParams {
pub encryption_key: EncryptionKey,
pub min_shards: u8,
pub sectors: Vec<Sector>,
}
#[serde_as]
#[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]
#[serde(rename_all = "camelCase")]
pub(crate) struct SealedObjectEvent {
#[serde(rename = "key")]
pub id: Hash256,
pub deleted: bool,
pub updated_at: DateTime<Utc>,
pub object: Option<SealedObject>,
}
#[serde_as]
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
struct SharedObjectResponse {
pub slabs: Vec<Slab>,
#[serde_as(as = "Option<Base64>")]
pub encrypted_metadata: Option<Vec<u8>>,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
struct RegisterAppRequest {
pub app_key: PublicKey,
pub signature: Signature,
}
#[derive(Debug, Clone, Serialize)]
#[serde(rename_all = "camelCase")]
struct ObjectSlab {
id: Hash256,
offset: u32,
length: u32,
}
#[serde_as]
#[derive(Debug, Clone, Serialize)]
#[serde(rename_all = "camelCase")]
struct PinObjectRequest {
id: Hash256,
#[serde_as(as = "Base64")]
encrypted_data_key: Vec<u8>,
slabs: Vec<ObjectSlab>,
data_signature: Signature,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
#[serde_as(as = "DefaultOnNull<Base64>")]
encrypted_metadata_key: Vec<u8>,
#[serde(default, skip_serializing_if = "Vec::is_empty")]
#[serde_as(as = "DefaultOnNull<Base64>")]
encrypted_metadata: Vec<u8>,
metadata_signature: Signature,
}
impl From<&SealedObject> for PinObjectRequest {
fn from(obj: &SealedObject) -> Self {
PinObjectRequest {
id: obj.id(),
encrypted_data_key: obj.encrypted_data_key.clone(),
slabs: obj
.slabs
.iter()
.map(|s| ObjectSlab {
id: s.digest(),
offset: s.offset,
length: s.length,
})
.collect(),
data_signature: obj.data_signature.clone(),
encrypted_metadata_key: obj.encrypted_metadata_key.clone(),
encrypted_metadata: obj.encrypted_metadata.clone(),
metadata_signature: obj.metadata_signature.clone(),
}
}
}
#[derive(Clone)]
pub(crate) struct Client {
client: reqwest::Client,
url: Url,
}
struct EmptyResponse;
impl<'de> serde::Deserialize<'de> for EmptyResponse {
fn deserialize<D>(_: D) -> Result<Self, D::Error>
where
D: serde::Deserializer<'de>,
{
Ok(EmptyResponse)
}
}
impl Client {
pub(crate) fn new<U: IntoUrl>(base_url: U) -> Result<Self, Error> {
Ok(Self {
client: reqwest::Client::new(),
url: base_url.into_url()?,
})
}
pub(crate) async fn check_app_authenticated(
&self,
app_key: &PrivateKey,
) -> Result<bool, Error> {
let url = self.url.join("auth/check")?;
let query_params = sign(
app_key,
&url,
Method::GET,
None,
Utc::now() + Duration::from_secs(60),
);
let resp = self
.client
.get(url)
.timeout(Duration::from_secs(15))
.query(&query_params)
.send()
.await?;
match resp.status() {
StatusCode::UNAUTHORIZED => Ok(false),
StatusCode::NO_CONTENT => Ok(true),
_ => Err(Error::Api(resp.text().await?)),
}
}
pub(crate) async fn request_app_connection(
&self,
ephemeral_key: &PrivateKey,
opts: &AppMetadata,
) -> Result<RegisterAppResponse, Error> {
self.post_json("auth/connect", ephemeral_key, Some(opts))
.await
}
pub(crate) async fn check_request_status(
&self,
ephemeral_key: &PrivateKey,
status_url: Url,
) -> Result<Option<Hash256>, Error> {
let query_params = sign(
ephemeral_key,
&status_url,
Method::GET,
None,
Utc::now() + Duration::from_secs(60),
);
let resp = self
.client
.get(status_url)
.timeout(Duration::from_secs(15))
.query(&query_params)
.send()
.await?;
match resp.status() {
StatusCode::OK => {
if let Ok(status) = resp.json::<AuthConnectStatusResponse>().await {
if status.approved {
Ok(status.user_secret)
} else {
Ok(None)
}
} else {
Err(Error::Api("invalid response format".to_string()))
}
}
StatusCode::NOT_FOUND => Err(Error::UserRejected),
_ => Err(Error::Api(resp.text().await?)),
}
}
pub(crate) async fn register_app(
&self,
signing_key: &PrivateKey,
app_key: &PrivateKey,
register_url: Url,
) -> Result<(), Error> {
let segments = register_url
.path_segments()
.ok_or(Error::Format("invalid register url format".into()))?;
let request_id = segments
.rev()
.nth(1)
.ok_or(Error::Format("invalid register url format".into()))?;
let sig_hash = register_app_sig_hash(request_id, &signing_key.public_key());
let body = RegisterAppRequest {
app_key: app_key.public_key(),
signature: app_key.sign(sig_hash.as_ref()),
};
post_json::<_, EmptyResponse>(&self.client, register_url, signing_key, Some(&body))
.await
.map(|_| ())
}
pub(crate) async fn hosts(
&self,
app_key: &PrivateKey,
query: HostQuery,
) -> Result<Vec<Host>, Error> {
self.get_json("hosts", app_key, Some(&query)).await
}
pub(crate) async fn object(
&self,
app_key: &PrivateKey,
key: &Hash256,
) -> Result<SealedObject, Error> {
self.get_json::<_, ()>(&format!("objects/{key}"), app_key, None)
.await
}
pub(crate) async fn objects(
&self,
app_key: &PrivateKey,
cursor: Option<ObjectsCursor>,
limit: Option<usize>,
) -> Result<Vec<SealedObjectEvent>, Error> {
let mut query_params = Vec::new();
if let Some(limit) = limit {
query_params.push(("limit", limit.to_string()));
}
if let Some(ObjectsCursor { after, id }) = cursor {
query_params.push(("after", after.to_rfc3339())); query_params.push(("key", id.to_string()));
}
self.get_json::<_, _>("objects", app_key, Some(&query_params))
.await
}
pub(crate) async fn pin_object(
&self,
app_key: &PrivateKey,
object: &SealedObject,
) -> Result<(), Error> {
let req = PinObjectRequest::from(object);
self.post_json::<_, EmptyResponse>("objects", app_key, Some(&req))
.await
.map(|_| ())
}
pub(crate) async fn delete_object(
&self,
app_key: &PrivateKey,
key: &Hash256,
) -> Result<(), Error> {
self.delete(&format!("objects/{key}"), app_key).await
}
pub(crate) async fn slab(
&self,
app_key: &PrivateKey,
slab_id: &Hash256,
) -> Result<PinnedSlab, Error> {
self.get_json::<_, ()>(&format!("slabs/{slab_id}"), app_key, None)
.await
}
pub(crate) async fn pin_slabs(
&self,
app_key: &PrivateKey,
slabs: Vec<SlabPinParams>,
) -> Result<Vec<Hash256>, Error> {
self.post_json("slabs", app_key, Some(&slabs)).await
}
pub(crate) async fn prune_slabs(&self, app_key: &PrivateKey) -> Result<(), Error> {
self.post_json::<(), EmptyResponse>("slabs/prune", app_key, None)
.await
.map(|_| ())
}
pub(crate) async fn account(&self, app_key: &PrivateKey) -> Result<Account, Error> {
self.get_json::<_, ()>("account", app_key, None).await
}
async fn delete(&self, path: &str, app_key: &PrivateKey) -> Result<(), Error> {
let url = self.url.join(path)?;
delete(&self.client, url, app_key).await
}
async fn get_json<D: DeserializeOwned, Q: Serialize + ?Sized>(
&self,
path: &str,
signing_key: &PrivateKey,
query_params: Option<&Q>,
) -> Result<D, Error> {
let url = self.url.join(path)?;
get_json(&self.client, url, signing_key, query_params).await
}
async fn handle_response<T: DeserializeOwned>(resp: reqwest::Response) -> Result<T, Error> {
if resp.status().is_success() {
Ok(resp.json::<T>().await?)
} else {
Err(Error::Api(resp.text().await?))
}
}
async fn post_json<S: Serialize, D: DeserializeOwned>(
&self,
path: &str,
signing_key: &PrivateKey,
body: Option<&S>,
) -> Result<D, Error> {
let url = self.url.join(path)?;
post_json(&self.client, url, signing_key, body).await
}
pub(crate) fn shared_object_url(
&self,
app_key: &PrivateKey,
object: &Object,
valid_until: DateTime<Utc>,
) -> Result<Url, Error> {
let mut url: Url = format!(
"{SHARE_URL_SCHEME}://{}/objects/{}/shared",
self.url.authority(),
object.id()
)
.parse()?;
let params = sign(app_key, &url, Method::GET, None, valid_until);
url.set_fragment(Some(
format!(
"encryption_key={}",
URL_SAFE.encode(object.data_key().as_ref())
)
.as_str(),
));
let mut pairs = url.query_pairs_mut();
for (key, value) in params {
pairs.append_pair(key, value.as_str());
}
Ok(pairs.finish().to_owned())
}
pub(crate) async fn shared_object(&self, mut share_url: Url) -> Result<Object, Error> {
if share_url.scheme() != SHARE_URL_SCHEME {
return Err(Error::Format(format!(
"invalid url scheme: expected {SHARE_URL_SCHEME}"
)));
}
let encryption_key = match share_url.fragment() {
Some(fragment) => {
let fragment = match fragment.strip_prefix("encryption_key=") {
Some(fragment) => Ok(fragment),
None => Err(Error::Format("missing encryption_key".into())),
}?;
let mut out = [0u8; 32];
URL_SAFE.decode_slice(fragment, &mut out).map_err(|_| {
Error::Format("encryption key must be 32 hex-encoded bytes".into())
})?;
Ok(EncryptionKey::from(out))
}
None => Err(Error::Format("missing encryption_key".into())),
}?;
share_url.set_fragment(None);
let share_url: Url = format!(
"{SHARE_URL_FETCH_SCHEME}://{}",
share_url.as_str().strip_prefix("sia://").unwrap()
)
.parse()?;
let shared_object: SharedObjectResponse = Self::handle_response(
self.client
.get(share_url)
.timeout(Duration::from_secs(15))
.send()
.await?,
)
.await?;
Ok(Object::new(
encryption_key,
shared_object.slabs.clone(),
Vec::new(),
))
}
}
fn request_hash(
url: &Url,
method: Method,
body: Option<&[u8]>,
valid_until: DateTime<Utc>,
) -> Hash256 {
let host_port = url
.port()
.map_or(url.host_str().unwrap_or("localhost").to_string(), |port| {
format!("{}:{}", url.host_str().unwrap_or("localhost"), port)
});
let mut state = Blake2b256::new();
state.update(method.as_str().as_bytes());
state.update(host_port.as_bytes());
state.update(url.path().as_bytes());
state.update(valid_until.timestamp().to_le_bytes());
if let Some(body) = body {
state.update(body);
}
state.finalize().into()
}
fn sign(
app_key: &PrivateKey,
url: &Url,
method: Method,
body: Option<&[u8]>,
valid_until: DateTime<Utc>,
) -> [(&'static str, String); 3] {
let hash = request_hash(url, method, body, valid_until);
let public_key = app_key.public_key();
let signature = app_key.sign(hash.as_ref());
[
(QUERY_PARAM_VALID_UNTIL, valid_until.timestamp().to_string()),
(QUERY_PARAM_CREDENTIAL, URL_SAFE.encode(public_key)),
(QUERY_PARAM_SIGNATURE, URL_SAFE.encode(signature.as_ref())),
]
}
async fn get_json<D: DeserializeOwned, Q: Serialize + ?Sized>(
client: &reqwest::Client,
url: Url,
signing_key: &PrivateKey,
query_params: Option<&Q>,
) -> Result<D, Error> {
let signing_params = sign(
signing_key,
&url,
Method::GET,
None,
Utc::now() + Duration::from_secs(60),
);
let mut builder = client
.get(url)
.timeout(Duration::from_secs(15))
.query(&signing_params);
if let Some(q) = query_params {
builder = builder.query(q);
}
Client::handle_response(builder.send().await?).await
}
async fn post_json<S: Serialize, D: DeserializeOwned>(
client: &reqwest::Client,
url: Url,
signing_key: &PrivateKey,
body: Option<&S>,
) -> Result<D, Error> {
let body = body.and_then(|body| to_vec(body).ok());
let params = &sign(
signing_key,
&url,
Method::POST,
body.as_deref(),
Utc::now() + Duration::from_secs(60),
);
let mut builder = client
.post(url)
.timeout(Duration::from_secs(15))
.query(params);
if let Some(body) = body {
builder = builder.body(body);
}
Client::handle_response(builder.send().await?).await
}
async fn delete(client: &reqwest::Client, url: Url, app_key: &PrivateKey) -> Result<(), Error> {
let query_params = sign(
app_key,
&url,
Method::DELETE,
None,
Utc::now() + Duration::from_secs(60),
);
Client::handle_response::<EmptyResponse>(
client
.delete(url)
.timeout(Duration::from_secs(15))
.query(&query_params)
.send()
.await?,
)
.await
.map(|_| ())
}
fn register_app_sig_hash(request_id: &str, ephemeral_key: &PublicKey) -> Hash256 {
const KEY_DOMAIN: &[u8] = b"registerAppKey";
Blake2b256::default()
.chain_update(KEY_DOMAIN)
.chain_update(ephemeral_key)
.chain_update(request_id.as_bytes())
.finalize()
.into()
}
#[cfg(test)]
mod cross_target_test {
use base64::engine::general_purpose::URL_SAFE;
use base64::prelude::*;
use sia_core::{hash_256, public_key, signature};
use crate::slabs::object_id;
use super::*;
#[cfg(target_arch = "wasm32")]
wasm_bindgen_test::wasm_bindgen_test_configure!(run_in_browser);
#[sia_core_derive::cross_target_test]
fn test_register_app_sig_hash_golden() {
const REQUEST_ID: &str = "ebddc9385dace70f9a97cebce34134ac";
const EPHEMERAL_KEY: PublicKey =
public_key!("ed25519:9f5fb0b962f29497b3993e12c7a7880fbaf0cf52bad3620af0280895fdea8ece");
const EXPECTED_SIG_HASH: Hash256 =
hash_256!("3017354ace367561d4c568263463c17d3c16030c637734e12e9418be1f2f8e65");
assert_eq!(
register_app_sig_hash(REQUEST_ID, &EPHEMERAL_KEY),
EXPECTED_SIG_HASH,
"expected sig hash did not match"
);
}
#[sia_core_derive::cross_target_test]
fn test_base64_url() {
const DATA: &[u8] = b"hello, world!";
const ENCODED_DATA: &str = "aGVsbG8sIHdvcmxkIQ==";
let encoded = URL_SAFE.encode(DATA);
assert_eq!(encoded, ENCODED_DATA);
}
#[sia_core_derive::cross_target_test]
fn test_request_hash() {
let method = Method::POST;
let url = Url::parse("https://foo.bar/foo").unwrap();
let valid_until = DateTime::from_timestamp_secs(123).unwrap();
let body = b"hello world!";
let hash = request_hash(&url, method, Some(body), valid_until);
assert_eq!(
hash,
hash_256!("a9f0bda1b97b7d44ae6369ac830851a115311bb59aa2d848beda6ae95d10ad18")
)
}
#[sia_core_derive::cross_target_test]
fn test_sign() {
let app_key = PrivateKey::from_seed(&[0u8; 32]);
let params = sign(
&app_key,
&"https://foo.bar/baz.jpg".parse().unwrap(),
Method::POST,
Some("{}".as_bytes()),
DateTime::from_timestamp_secs(123).unwrap() + Duration::from_secs(60),
);
assert_eq!(params[0], (QUERY_PARAM_VALID_UNTIL, "183".to_string()));
assert_eq!(
params[1],
(
QUERY_PARAM_CREDENTIAL,
URL_SAFE.encode(public_key!(
"ed25519:3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29"
)),
)
);
assert_eq!(
params[2],
(
QUERY_PARAM_SIGNATURE,
URL_SAFE.encode(signature!("458283fd707c9d170d5e1814944f35893c53c9445fd46c74a6b285bf3029bf404c9af509ea271d811726bd20d8c7d8fe4b9efdc4bebb445f18059eca886ece03").as_ref()),
)
);
let params = sign(
&app_key,
&"https://foo.bar/baz.jpg".parse().unwrap(),
Method::GET,
None,
DateTime::from_timestamp_secs(123).unwrap() + Duration::from_secs(60),
);
assert_eq!(params[0], (QUERY_PARAM_VALID_UNTIL, "183".to_string()));
assert_eq!(
params[1],
(
QUERY_PARAM_CREDENTIAL,
URL_SAFE.encode(
public_key!(
"ed25519:3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29"
)
.as_ref()
)
)
);
assert_eq!(
params[2],
(
QUERY_PARAM_SIGNATURE,
URL_SAFE.encode(signature!("7411fc80f920cb098690498133be075cd43bf6385fc8348fe1946e29d909891680d45651dfb0a6fd9f7196a971816c21441852362680f2fe4cb935de8f90380b").as_ref()),
)
);
}
#[sia_core_derive::cross_target_test]
fn test_shared_object_id() {
let obj = SharedObjectResponse {
slabs: vec![Slab {
encryption_key: [0u8; 32].into(),
min_shards: 1,
sectors: vec![Sector {
root: Hash256::new([1u8; 32]),
host_key: PublicKey::new([2u8; 32]),
}],
offset: 10,
length: 100,
}],
encrypted_metadata: None,
};
assert_eq!(
object_id(&obj.slabs).to_string(),
"1b13d5dd22605af0573cae7fe9242c1ee83727c29798308b2b170864677b46d0"
);
}
}
#[cfg(all(test, not(target_arch = "wasm32")))]
mod tests {
use base64::engine::general_purpose::URL_SAFE;
use base64::prelude::*;
use chrono::FixedOffset;
use sia_core::signing::Signature;
use sia_core::{hash_256, public_key};
use crate::{AppID, GeoLocation, Protocol};
use super::*;
use httptest::http::Response;
use httptest::matchers::*;
use httptest::{Expectation, Server};
fn validate_url_signature_request(
req: &httptest::http::Request<httptest::bytes::Bytes>,
) -> PublicKey {
let host = req
.headers()
.get("host")
.expect("missing host header")
.to_str()
.expect("invalid host header");
let uri = req.uri();
let url: Url = format!("http://{}{}", host, uri)
.parse()
.expect("invalid url");
let method: Method = req.method().clone();
let body = req.body();
let body = if body.is_empty() {
None
} else {
Some(body.as_ref())
};
let query_pairs: std::collections::HashMap<_, _> = url.query_pairs().collect();
let credential_str = query_pairs
.get(QUERY_PARAM_CREDENTIAL)
.unwrap_or_else(|| panic!("missing {QUERY_PARAM_CREDENTIAL} parameter"));
let signature_str = query_pairs
.get(QUERY_PARAM_SIGNATURE)
.unwrap_or_else(|| panic!("missing {QUERY_PARAM_SIGNATURE} parameter"));
let valid_until_str = query_pairs
.get(QUERY_PARAM_VALID_UNTIL)
.unwrap_or_else(|| panic!("missing {QUERY_PARAM_VALID_UNTIL} parameter"));
let mut pk_bytes = [0u8; 32];
let n = URL_SAFE
.decode_slice(credential_str.as_bytes(), &mut pk_bytes)
.expect("invalid credential encoding");
assert_eq!(n, 32, "invalid credential length");
let pk = PublicKey::new(pk_bytes);
let mut sig_bytes = [0u8; 64];
let n = URL_SAFE
.decode_slice(signature_str.as_bytes(), &mut sig_bytes)
.expect("invalid signature encoding");
assert_eq!(n, 64, "invalid signature length");
let sig = Signature::from(sig_bytes);
let ts: i64 = valid_until_str.parse().expect("invalid timestamp");
let valid_until = DateTime::from_timestamp(ts, 0).expect("invalid timestamp");
assert!(valid_until >= Utc::now(), "signature expired");
let mut verify_url = url.clone();
{
let filtered: Vec<(String, String)> = verify_url
.query_pairs()
.filter(|(k, _)| {
k != QUERY_PARAM_CREDENTIAL
&& k != QUERY_PARAM_SIGNATURE
&& k != QUERY_PARAM_VALID_UNTIL
})
.map(|(k, v)| (k.into_owned(), v.into_owned()))
.collect();
if filtered.is_empty() {
verify_url.set_query(None);
} else {
verify_url.query_pairs_mut().clear().extend_pairs(&filtered);
}
}
let hash = request_hash(&verify_url, method, body, valid_until);
assert!(pk.verify(hash.as_ref(), &sig), "invalid signature");
pk
}
#[tokio::test]
async fn test_shared_object_roundtrip() {
let data_key: EncryptionKey = [42u8; 32].into();
let slabs = vec![Slab {
encryption_key: [1u8; 32].into(),
min_shards: 1,
sectors: vec![Sector {
root: Hash256::new([2u8; 32]),
host_key: PublicKey::new([3u8; 32]),
}],
offset: 0,
length: 256,
}];
let object = Object::new(data_key.clone(), slabs.clone(), Vec::new());
let object_id = object.id();
let server = Server::run();
server.expect(
Expectation::matching(request::method_path(
"GET",
format!("/objects/{object_id}/shared"),
))
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body(
serde_json::to_string(&SharedObjectResponse {
slabs: slabs.clone(),
encrypted_metadata: None,
})
.unwrap(),
)
.unwrap(),
),
);
let app_key = PrivateKey::from_seed(&[0u8; 32]);
let client = Client::new(server.url("/").to_string()).unwrap();
let valid_until = DateTime::from_timestamp_secs(123).unwrap() + Duration::from_secs(60);
let share_url = client
.shared_object_url(&app_key, &object, valid_until)
.unwrap();
assert_eq!(share_url.scheme(), SHARE_URL_SCHEME);
assert_eq!(share_url.path(), format!("/objects/{object_id}/shared"));
let invalid_url: Url = share_url
.clone()
.as_str()
.replace("sia://", "http://")
.parse()
.unwrap();
assert!(client.shared_object(invalid_url).await.is_err());
let result = client.shared_object(share_url).await.unwrap();
assert_eq!(result.data_key(), &data_key);
assert_eq!(result.slabs(), &slabs);
}
#[tokio::test]
async fn test_signed_auth() {
let app_key = PrivateKey::from_seed(&rand::random());
let expected_pk = app_key.public_key();
let server = Server::run();
server.expect(
Expectation::matching(
move |req: &httptest::http::Request<httptest::bytes::Bytes>| {
let pk = validate_url_signature_request(req);
pk == expected_pk
},
)
.times(5)
.respond_with(Response::builder().status(StatusCode::OK).body("").unwrap()),
);
let client = Client::new(server.url("/").to_string()).unwrap();
client
.get_json::<EmptyResponse, ()>("", &app_key, None)
.await
.expect("GET request failed");
client
.get_json::<EmptyResponse, _>("", &app_key, Some(&[("foo", "bar"), ("baz", "1")]))
.await
.expect("GET with query params failed");
client
.post_json::<[u8; 3], EmptyResponse>("", &app_key, Some(&[1u8, 2, 3]))
.await
.expect("POST with body failed");
client
.post_json::<(), EmptyResponse>("", &app_key, None)
.await
.expect("POST request failed");
client
.delete("", &app_key)
.await
.expect("DELETE request failed");
}
#[tokio::test]
async fn test_hosts_with_distance_sort_adds_query() {
let server = Server::run();
server.expect(
Expectation::matching(all_of![
request::method_path("GET", "/hosts"),
request::query(url_decoded(contains(("location", "(51.209300,3.224700)"))))
])
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body("[]")
.unwrap(),
),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
let hosts = client
.hosts(
&app_key,
HostQuery {
location: Some(GeoLocation {
latitude: 51.2093,
longitude: 3.2247,
}),
..Default::default()
},
)
.await
.unwrap();
assert!(hosts.is_empty());
}
#[tokio::test]
async fn test_hosts_with_additional_filters() {
let server = Server::run();
server.expect(
Expectation::matching(all_of![
request::method_path("GET", "/hosts"),
request::query(url_decoded(all_of![
contains(("offset", "5")),
contains(("limit", "25")),
contains(("protocol", "quic")),
contains(("country", "us"))
]))
])
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body("[]")
.unwrap(),
),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
let hosts = client
.hosts(
&app_key,
HostQuery {
offset: Some(5),
limit: Some(25),
protocol: Some(Protocol::QUIC),
country: Some("us".into()),
..Default::default()
},
)
.await
.unwrap();
assert!(hosts.is_empty());
}
#[tokio::test]
async fn test_slab() {
let slab = PinnedSlab {
id: "43e424e1fc0e8b4fab0b49721d3ccb73fe1d09eef38227d9915beee623785f28"
.parse()
.unwrap(),
encryption_key: [
186, 153, 179, 170, 159, 95, 101, 177, 15, 130, 58, 19, 138, 144, 9, 91, 181, 119,
38, 225, 209, 47, 149, 22, 157, 210, 16, 232, 10, 151, 186, 160,
]
.into(),
min_shards: 1,
sectors: vec![Sector {
root: hash_256!("826af7ab6471d01f4a912903a9dc23d59cff3b151059fa25615322bbf41634d6"),
host_key: public_key!(
"ed25519:910b22c360a1c67cb6a9a7371fa600c48e87d626b328669d01f34048ac3132fe"
),
}],
};
const TEST_SLAB_JSON: &str = r#"
{
"id": "43e424e1fc0e8b4fab0b49721d3ccb73fe1d09eef38227d9915beee623785f28",
"encryptionKey": "upmzqp9fZbEPgjoTipAJW7V3JuHRL5UWndIQ6AqXuqA=",
"minShards": 1,
"sectors": [
{
"root": "826af7ab6471d01f4a912903a9dc23d59cff3b151059fa25615322bbf41634d6",
"hostKey": "ed25519:910b22c360a1c67cb6a9a7371fa600c48e87d626b328669d01f34048ac3132fe"
}
]
}
"#;
let server = Server::run();
server.expect(
Expectation::matching(request::method_path(
"GET",
"/slabs/43e424e1fc0e8b4fab0b49721d3ccb73fe1d09eef38227d9915beee623785f28",
))
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body(TEST_SLAB_JSON)
.unwrap(),
),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
assert_eq!(client.slab(&app_key, &slab.id).await.unwrap(), slab);
}
#[tokio::test]
async fn test_prune_slabs() {
let server = Server::run();
server.expect(
Expectation::matching(all_of![
request::method_path("POST", "/slabs/prune"),
request::body(""),
])
.respond_with(Response::builder().status(StatusCode::OK).body("").unwrap()),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
client.prune_slabs(&app_key).await.unwrap();
}
#[tokio::test]
async fn test_handle_response() {
let server = Server::run();
server.expect(
Expectation::matching(any()).times(3).respond_with(
Response::builder()
.status(StatusCode::INTERNAL_SERVER_ERROR)
.body("something went wrong")
.unwrap(),
),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
let expected_error = Error::Api("something went wrong".to_string());
let get_error = client
.get_json::<(), ()>("", &app_key, None)
.await
.unwrap_err();
assert_eq!(get_error.to_string(), expected_error.to_string());
let post_error = client
.post_json::<(), ()>("", &app_key, None)
.await
.unwrap_err();
assert_eq!(post_error.to_string(), expected_error.to_string());
let delete_error = client.delete("", &app_key).await.unwrap_err();
assert_eq!(delete_error.to_string(), expected_error.to_string());
}
#[tokio::test]
async fn test_check_request_status() {
let server = Server::run();
server.expect(
Expectation::matching(request::method_path("GET", "/approved")).respond_with(
Response::builder()
.status(StatusCode::OK)
.body("{\"approved\": true, \"userSecret\": \"3ceeb79f58b0c4f67775e0a06aa7241c461e6844b4700a94e0a31e4d22dd02c2\"}")
.unwrap(),
),
);
server.expect(
Expectation::matching(request::method_path("GET", "/rejected")).respond_with(
Response::builder()
.status(StatusCode::NOT_FOUND)
.body("")
.unwrap(),
),
);
server.expect(
Expectation::matching(request::method_path("GET", "/error")).respond_with(
Response::builder()
.status(StatusCode::INTERNAL_SERVER_ERROR)
.body("something went wrong")
.unwrap(),
),
);
let client = Client::new("https://foo.com").unwrap();
let ephemeral_key = PrivateKey::from_seed(&rand::random());
let status_url: Url = server.url("/approved").to_string().parse().unwrap();
assert_eq!(
client
.check_request_status(&ephemeral_key, status_url)
.await
.unwrap()
.unwrap(),
hash_256!("3ceeb79f58b0c4f67775e0a06aa7241c461e6844b4700a94e0a31e4d22dd02c2")
);
let status_url: Url = server.url("/rejected").to_string().parse().unwrap();
assert!(matches!(
client
.check_request_status(&ephemeral_key, status_url)
.await
.unwrap_err(),
Error::UserRejected,
));
let status_url: Url = server.url("/error").to_string().parse().unwrap();
let err = client
.check_request_status(&ephemeral_key, status_url)
.await
.unwrap_err();
assert_eq!(
err.to_string(),
"indexd responded with an error: something went wrong"
);
}
#[tokio::test]
async fn test_check_app_auth() {
let server = Server::run();
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("").to_string()).unwrap();
server.expect(
Expectation::matching(request::method_path("GET", "/auth/check")).respond_with(
Response::builder()
.status(StatusCode::NO_CONTENT)
.body("")
.unwrap(),
),
);
assert!(client.check_app_authenticated(&app_key).await.unwrap());
server.expect(
Expectation::matching(request::method_path("GET", "/auth/check")).respond_with(
Response::builder()
.status(StatusCode::UNAUTHORIZED)
.body("")
.unwrap(),
),
);
assert!(!client.check_app_authenticated(&app_key).await.unwrap());
server.expect(
Expectation::matching(request::method_path("GET", "/auth/check")).respond_with(
Response::builder()
.status(StatusCode::INTERNAL_SERVER_ERROR)
.body("something went wrong")
.unwrap(),
),
);
let err = client.check_app_authenticated(&app_key).await.unwrap_err();
assert_eq!(
err.to_string(),
"indexd responded with an error: something went wrong"
);
}
#[tokio::test]
async fn test_request_app_connection() {
let server = Server::run();
let app_id = AppID::from(rand::random::<[u8; 32]>());
server.expect(
Expectation::matching(all_of![
request::method_path("POST", "/auth/connect"),
request::body(format!(r#"{{"appID":"{app_id}","name":"name","description":"description","serviceURL":"https://service.com","logoURL":"https://logo.com","callbackURL":"https://callback.com"}}"#)),
])
.respond_with(Response::builder().status(StatusCode::OK).body(r#"{"responseURL":"https://response.com", "registerURL":"https://response.com","statusURL":"https://status.com","expiration":"1970-01-01T01:01:40+01:00"}"#).unwrap()),
);
let client = Client::new(server.url("/").to_string()).unwrap();
let ephemeral_key = PrivateKey::from_seed(&rand::random());
let resp = client
.request_app_connection(
&ephemeral_key,
&AppMetadata {
id: app_id,
name: "name",
description: "description",
service_url: "https://service.com",
logo_url: Some("https://logo.com"),
callback_url: Some("https://callback.com"),
},
)
.await
.unwrap();
assert_eq!(
resp,
RegisterAppResponse {
register_url: "https://response.com".to_string(),
response_url: "https://response.com".to_string(),
status_url: "https://status.com".to_string(),
expiration: DateTime::from_timestamp_secs(100).unwrap(),
}
)
}
#[tokio::test]
async fn test_object() {
let object = SealedObject {
encrypted_data_key: vec![1u8; 72],
encrypted_metadata_key: vec![1u8; 72],
encrypted_metadata: b"hello world!".to_vec(),
data_signature: Signature::from([2u8; 64]),
metadata_signature: Signature::from([2u8; 64]),
slabs: vec![
Slab {
encryption_key: [1u8; 32].into(),
min_shards: 1,
sectors: vec![
Sector {
root: hash_256!(
"0202020202020202020202020202020202020202020202020202020202020202"
),
host_key: public_key!(
"ed25519:0303030303030303030303030303030303030303030303030303030303030303"
),
},
Sector {
root: hash_256!(
"0404040404040404040404040404040404040404040404040404040404040404"
),
host_key: public_key!(
"ed25519:0505050505050505050505050505050505050505050505050505050505050505"
),
},
],
offset: 6,
length: 7,
},
Slab {
encryption_key: [1u8; 32].into(),
min_shards: 1,
sectors: vec![
Sector {
root: hash_256!(
"0202020202020202020202020202020202020202020202020202020202020202"
),
host_key: public_key!(
"ed25519:0303030303030303030303030303030303030303030303030303030303030303"
),
},
Sector {
root: hash_256!(
"0404040404040404040404040404040404040404040404040404040404040404"
),
host_key: public_key!(
"ed25519:0505050505050505050505050505050505050505050505050505050505050505"
),
},
],
offset: 6,
length: 7,
},
],
created_at: DateTime::<FixedOffset>::parse_from_rfc3339(
"2025-09-09T16:10:46.898399-07:00",
)
.unwrap()
.to_utc(),
updated_at: DateTime::<FixedOffset>::parse_from_rfc3339(
"2025-09-09T16:10:46.898399-07:00",
)
.unwrap()
.to_utc(),
};
const TEST_OBJECT_JSON: &str = r#"
{
"encryptedDataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"encryptedMetadataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"slabs": [
{
"encryptionKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 6,
"length": 7
},
{
"encryptionKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 6,
"length": 7
}
],
"encryptedMetadata": "aGVsbG8gd29ybGQh",
"dataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"metadataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"createdAt": "2025-09-09T16:10:46.898399-07:00",
"updatedAt": "2025-09-09T16:10:46.898399-07:00"
}
"#;
let server = Server::run();
let object_id = object.id();
server.expect(
Expectation::matching(request::method_path(
"GET",
format!("/objects/{}", object_id),
))
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body(TEST_OBJECT_JSON)
.unwrap(),
),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
assert_eq!(client.object(&app_key, &object_id).await.unwrap(), object);
}
#[tokio::test]
async fn test_objects() {
let object = SealedObject {
encrypted_data_key: vec![1u8; 72],
encrypted_metadata_key: vec![1u8; 72],
slabs: vec![
Slab {
encryption_key: [1u8; 32].into(),
min_shards: 1,
sectors: vec![
Sector {
root: hash_256!(
"0202020202020202020202020202020202020202020202020202020202020202"
),
host_key: public_key!(
"ed25519:0303030303030303030303030303030303030303030303030303030303030303"
),
},
Sector {
root: hash_256!(
"0404040404040404040404040404040404040404040404040404040404040404"
),
host_key: public_key!(
"ed25519:0505050505050505050505050505050505050505050505050505050505050505"
),
},
],
offset: 0,
length: 256,
},
Slab {
encryption_key: [2u8; 32].into(),
min_shards: 1,
sectors: vec![
Sector {
root: hash_256!(
"0202020202020202020202020202020202020202020202020202020202020202"
),
host_key: public_key!(
"ed25519:0303030303030303030303030303030303030303030303030303030303030303"
),
},
Sector {
root: hash_256!(
"0404040404040404040404040404040404040404040404040404040404040404"
),
host_key: public_key!(
"ed25519:0505050505050505050505050505050505050505050505050505050505050505"
),
},
],
offset: 256,
length: 512,
},
],
encrypted_metadata: b"hello world!".to_vec(),
data_signature: Signature::from([2u8; 64]),
metadata_signature: Signature::from([2u8; 64]),
created_at: DateTime::<FixedOffset>::parse_from_rfc3339(
"2025-09-09T16:10:46.898399-07:00",
)
.unwrap()
.to_utc(),
updated_at: DateTime::<FixedOffset>::parse_from_rfc3339(
"2025-09-09T16:10:46.898399-07:00",
)
.unwrap()
.to_utc(),
};
let object_no_meta = SealedObject {
encrypted_metadata: Vec::new(),
..object.clone()
};
const TEST_OBJECTS_JSON: &str = r#"
[
{
"key": "7f26b785c0dff73f51b81728289381064ad4b947f37417cbcb366afc3d80c7f5",
"deleted": false,
"updatedAt": "2025-09-09T16:10:46.898399-07:00",
"object": {
"encryptedDataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"encryptedMetadataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"slabs": [
{
"encryptionKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 0,
"length": 256
},
{
"encryptionKey": "AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 256,
"length": 512
}
],
"encryptedMetadata": "aGVsbG8gd29ybGQh",
"dataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"metadataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"createdAt": "2025-09-09T16:10:46.898399-07:00",
"updatedAt": "2025-09-09T16:10:46.898399-07:00"
}
},
{
"key": "7f26b785c0dff73f51b81728289381064ad4b947f37417cbcb366afc3d80c7f5",
"deleted": false,
"updatedAt": "2025-09-09T16:10:46.898399-07:00",
"object": {
"encryptedDataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"encryptedMetadataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"slabs": [
{
"encryptionKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 0,
"length": 256
},
{
"encryptionKey": "AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 256,
"length": 512
}
],
"encryptedMetadata": null,
"dataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"metadataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"createdAt": "2025-09-09T16:10:46.898399-07:00",
"updatedAt": "2025-09-09T16:10:46.898399-07:00"
}
},
{
"key": "7f26b785c0dff73f51b81728289381064ad4b947f37417cbcb366afc3d80c7f5",
"deleted": false,
"updatedAt": "2025-09-09T16:10:46.898399-07:00",
"object": {
"encryptedDataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"encryptedMetadataKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB",
"slabs": [
{
"encryptionKey": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 0,
"length": 256
},
{
"encryptionKey": "AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI=",
"minShards": 1,
"sectors": [
{
"root": "0202020202020202020202020202020202020202020202020202020202020202",
"hostKey": "ed25519:0303030303030303030303030303030303030303030303030303030303030303"
},
{
"root": "0404040404040404040404040404040404040404040404040404040404040404",
"hostKey": "ed25519:0505050505050505050505050505050505050505050505050505050505050505"
}
],
"offset": 256,
"length": 512
}
],
"dataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"metadataSignature": "02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
"createdAt": "2025-09-09T16:10:46.898399-07:00",
"updatedAt": "2025-09-09T16:10:46.898399-07:00"
}
}
]
"#;
let server = Server::run();
server.expect(
Expectation::matching(all_of![
request::method_path("GET", "/objects"),
request::query(url_decoded(all_of![
contains(("after", "2025-09-09T23:10:46.898399+00:00")),
contains(("key", object.id().to_string())),
contains(("limit", "1")),
]))
])
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body(TEST_OBJECTS_JSON)
.unwrap(),
),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
assert_eq!(
client
.objects(
&app_key,
Some(ObjectsCursor {
after: object.updated_at,
id: object.id(),
}),
Some(1)
)
.await
.unwrap(),
vec![
SealedObjectEvent {
id: object.id(),
deleted: false,
updated_at: object.updated_at,
object: Some(object),
},
SealedObjectEvent {
id: object_no_meta.id(),
deleted: false,
updated_at: object_no_meta.updated_at,
object: Some(object_no_meta.clone()),
},
SealedObjectEvent {
id: object_no_meta.id(),
deleted: false,
updated_at: object_no_meta.updated_at,
object: Some(object_no_meta),
},
]
);
}
#[tokio::test]
async fn delete_object() {
let object_key =
hash_256!("1a1fcd352cdf56f5da73a566b58d764afc8cd8bfb30ef4e786b031227356d2ef");
let server = Server::run();
server.expect(
Expectation::matching(request::method_path(
"DELETE",
"/objects/1a1fcd352cdf56f5da73a566b58d764afc8cd8bfb30ef4e786b031227356d2ef",
))
.respond_with(Response::builder().status(StatusCode::OK).body("").unwrap()),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
client.delete_object(&app_key, &object_key).await.unwrap();
}
#[tokio::test]
async fn test_pin_object() {
let object = SealedObject {
encrypted_data_key: vec![1u8; 72],
encrypted_metadata_key: vec![1u8; 72],
data_signature: Signature::from([2u8; 64]),
metadata_signature: Signature::from([2u8; 64]),
slabs: vec![
Slab {
encryption_key: [1u8; 32].into(),
min_shards: 2,
sectors: vec![],
offset: 0,
length: 256,
},
Slab {
encryption_key: [2u8; 32].into(),
min_shards: 2,
sectors: vec![],
offset: 256,
length: 512,
},
],
encrypted_metadata: b"hello world!".to_vec(),
created_at: DateTime::<FixedOffset>::parse_from_rfc3339(
"2025-09-09T16:10:46.898399-07:00",
)
.unwrap()
.to_utc(),
updated_at: DateTime::<FixedOffset>::parse_from_rfc3339(
"2025-09-09T16:10:46.898399-07:00",
)
.unwrap()
.to_utc(),
};
let server = Server::run();
let pin_request = PinObjectRequest::from(&object);
server.expect(
Expectation::matching(all_of![
request::method_path("POST", "/objects"),
request::body(serde_json::to_string(&pin_request).unwrap())
])
.respond_with(Response::builder().status(StatusCode::OK).body("").unwrap()),
);
let app_key = PrivateKey::from_seed(&rand::random());
let client = Client::new(server.url("/").to_string()).unwrap();
client.pin_object(&app_key, &object).await.unwrap();
}
#[tokio::test]
async fn test_register_flow() {
let ephemeral_key = PrivateKey::from_seed(&rand::random());
let ephemeral_pk = ephemeral_key.public_key();
let app_key = PrivateKey::from_seed(&rand::random());
let app_pk = app_key.public_key();
let app_id = AppID::from(rand::random::<[u8; 32]>());
let metadata = AppMetadata {
id: app_id,
name: "test-app",
description: "A test application",
service_url: "https://test-app.com",
logo_url: Some("https://test-app.com/logo.png"),
callback_url: Some("https://test-app.com/callback"),
};
let server = Server::run();
let request_id = "abc123def456";
let expected_body = serde_json::to_string(&metadata).unwrap();
let step1_ephemeral_pk = ephemeral_pk;
server.expect(
Expectation::matching(move |req: &httptest::http::Request<httptest::bytes::Bytes>| {
let pk = validate_url_signature_request(req);
pk == step1_ephemeral_pk
&& req.method() == "POST"
&& req.uri().path() == "/auth/connect"
&& req.body().as_ref() == expected_body.as_bytes()
})
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body(format!(
r#"{{"responseURL":"http://example.com/auth/connect/{request_id}","statusURL":"{}","registerURL":"{}","expiration":"2030-01-01T00:00:00Z"}}"#,
&server.url(&format!("/auth/connect/{request_id}/status")).to_string(),
&server.url(&format!("/auth/connect/{request_id}/register")).to_string()
))
.unwrap(),
),
);
let step2_ephemeral_pk = ephemeral_pk;
let user_secret = Hash256::new(rand::random());
let status_response = serde_json::to_string(&AuthConnectStatusResponse {
approved: true,
user_secret: Some(user_secret),
})
.unwrap();
server.expect(
Expectation::matching(
move |req: &httptest::http::Request<httptest::bytes::Bytes>| {
let pk = validate_url_signature_request(req);
pk == step2_ephemeral_pk
&& req.method() == "GET"
&& req.uri().path() == format!("/auth/connect/{request_id}/status")
},
)
.respond_with(
Response::builder()
.status(StatusCode::OK)
.body(status_response)
.unwrap(),
),
);
let step3_ephemeral_pk = ephemeral_pk;
let step3_app_pk = app_pk;
server.expect(
Expectation::matching(
move |req: &httptest::http::Request<httptest::bytes::Bytes>| {
let pk = validate_url_signature_request(req);
if pk != step3_ephemeral_pk || req.method() != "POST" {
return false;
}
if req.uri().path() != format!("/auth/connect/{request_id}/register") {
return false;
}
let body: RegisterAppRequest =
serde_json::from_slice(req.body().as_ref()).expect("invalid body");
if body.app_key != step3_app_pk {
return false;
}
let sig_hash = register_app_sig_hash(request_id, &step3_ephemeral_pk);
step3_app_pk.verify(sig_hash.as_ref(), &body.signature)
},
)
.respond_with(Response::builder().status(StatusCode::OK).body("").unwrap()),
);
let client = Client::new(server.url("/").to_string()).unwrap();
let resp = client
.request_app_connection(&ephemeral_key, &metadata)
.await
.unwrap();
let status_url: Url = resp.status_url.parse().unwrap();
let secret = client
.check_request_status(&ephemeral_key, status_url)
.await
.unwrap();
assert_eq!(secret, Some(user_secret));
let register_url: Url = resp.register_url.parse().unwrap();
client
.register_app(&ephemeral_key, &app_key, register_url)
.await
.unwrap();
}
}