feat: access-api forwards store/ and upload/ invocations to upload-api

packages/access-api/package.json

@@ -43,6 +43,7 @@
     "@types/mocha": "^10.0.1",
     "@types/node": "^18.11.14",
     "@types/qrcode": "^1.5.0",
+    "@ucanto/client": "^4.0.3",
     "better-sqlite3": "8.0.1",
     "buffer": "^6.0.3",
     "dotenv": "^16.0.3",

packages/access-api/src/config.js

@@ -1,5 +1,7 @@
 import { Signer } from '@ucanto/principal/ed25519'
-import * as DID from '@ipld/dag-ucan/did'
+// eslint-disable-next-line no-unused-vars
+import * as UCAN from '@ucanto/interface'
+import { DID } from '@ucanto/core'
 
 /**
  * Loads configuration variables from the global environment and returns a JS object
@@ -128,3 +130,19 @@ export function configureSigner(config) {
   }
   return signer
 }
+
+/**
+ * @template {UCAN.DID} ConfigDID
+ * @template {UCAN.DID} [ID=UCAN.DID]
+ * @template {UCAN.SigAlg} [Alg=UCAN.SigAlg]
+ * @param {object} config
+ * @param {ConfigDID} [config.DID] - public DID for the service
+ * @param {import('@ucanto/interface').Verifier<ID,Alg>} verifier
+ * @returns {import('@ucanto/interface').Verifier<ConfigDID|ID,Alg>}
+ */
+export function configureVerifier(config, verifier) {
+  if (config.DID) {
+    return verifier.withDID(DID.parse(config.DID).did())
+  }
+  return verifier
+}

packages/access-api/src/service/index.js

@@ -1,4 +1,4 @@
-import * as DID from '@ipld/dag-ucan/did'
+import * as ucanto from '@ucanto/core'
 import * as Server from '@ucanto/server'
 import { Failure } from '@ucanto/server'
 import * as Space from '@web3-storage/capabilities/space'
@@ -9,13 +9,18 @@ import {
 } from '@web3-storage/access/encoding'
 import { voucherClaimProvider } from './voucher-claim.js'
 import { voucherRedeemProvider } from './voucher-redeem.js'
+import { UploadApiProxyService } from './upload-api-proxy.js'
 
 /**
  * @param {import('../bindings').RouteContext} ctx
  * @returns {import('@web3-storage/access/types').Service}
  */
 export function service(ctx) {
   return {
+    ...UploadApiProxyService.create({
+      fetch: globalThis.fetch,
+    }),
+
     voucher: {
       claim: voucherClaimProvider(ctx),
       redeem: voucherRedeemProvider(ctx),
@@ -97,7 +102,7 @@ export function service(ctx) {
           const inv = await Space.recover
             .invoke({
               issuer: ctx.signer,
-              audience: DID.parse(capability.with),
+              audience: ucanto.DID.parse(capability.with),
               with: ctx.signer.did(),
               lifetimeInSeconds: 60 * 10,
               nb: {

packages/access-api/src/service/upload-api-proxy.js

@@ -0,0 +1,188 @@
+import * as Client from '@ucanto/client'
+import * as CAR from '@ucanto/transport/car'
+import * as CBOR from '@ucanto/transport/cbor'
+// eslint-disable-next-line no-unused-vars
+import * as dagUcan from '@ipld/dag-ucan'
+import { DID } from '@ucanto/core'
+import * as HTTP from '@ucanto/transport/http'
+// eslint-disable-next-line no-unused-vars
+import * as Store from '@web3-storage/capabilities/store'
+// eslint-disable-next-line no-unused-vars
+import * as Upload from '@web3-storage/capabilities/upload'
+// eslint-disable-next-line no-unused-vars
+import * as Ucanto from '@ucanto/interface'
+import { createProxyHandler } from '../ucanto/proxy.js'
+
+/**
+ * @template {Ucanto.Capability} C
+ * @template [Success=unknown]
+ * @template {{ error: true }} [Failure={error:true}]
+ * @callback InvocationResponder
+ * @param {Ucanto.Invocation<C>} invocationIn
+ * @param {Ucanto.InvocationContext} context
+ * @returns {Promise<Ucanto.Result<Success, Failure>>}
+ */
+
+/**
+ * @typedef StoreService
+ * @property {InvocationResponder<Ucanto.InferInvokedCapability<typeof Store.add>>} add
+ * @property {InvocationResponder<Ucanto.InferInvokedCapability<typeof Store.list>>} list
+ * @property {InvocationResponder<Ucanto.InferInvokedCapability<typeof Store.remove>>} remove
+ */
+
+/**
+ * @typedef UploadService
+ * @property {InvocationResponder<Ucanto.InferInvokedCapability<typeof Upload.add>>} add
+ * @property {InvocationResponder<Ucanto.InferInvokedCapability<typeof Upload.list>>} list
+ * @property {InvocationResponder<Ucanto.InferInvokedCapability<typeof Upload.remove>>} remove
+ */
+
+/**
+ * @template {Record<string, any>} T
+ * @param {object} options
+ * @param {Ucanto.Signer} [options.signer]
+ * @param {Pick<Map<dagUcan.DID, Ucanto.ConnectionView<T>>, 'get'>} options.connections
+ */
+function createProxyStoreService(options) {
+  const handleInvocation = createProxyHandler(options)
+  /**
+   * @type {StoreService}
+   */
+  const store = {
+    add: handleInvocation,
+    list: handleInvocation,
+    remove: handleInvocation,
+  }
+  return store
+}
+
+/**
+ * @template {Record<string, any>} T
+ * @param {object} options
+ * @param {Ucanto.Signer} [options.signer]
+ * @param {Pick<Map<dagUcan.DID, Ucanto.ConnectionView<T>>, 'get'>} options.connections
+ */
+function createProxyUploadService(options) {
+  const handleInvocation = createProxyHandler(options)
+  /**
+   * @type {UploadService}
+   */
+  const store = {
+    add: handleInvocation,
+    list: handleInvocation,
+    remove: handleInvocation,
+  }
+  return store
+}
+
+/**
+ * @typedef UcantoHttpConnectionOptions
+ * @property {dagUcan.DID} audience
+ * @property {typeof globalThis.fetch} options.fetch
+ * @property {URL} options.url
+ */
+
+/**
+ * @param {UcantoHttpConnectionOptions} options
+ * @returns {Ucanto.ConnectionView<any>}
+ */
+function createUcantoHttpConnection(options) {
+  return Client.connect({
+    id: DID.parse(options.audience),
+    encoder: CAR,
+    decoder: CBOR,
+    channel: HTTP.open({
+      fetch: options.fetch,
+      url: options.url,
+    }),
+  })
+}
+
+/**
+ * @type {Record<string, {
+ * audience: dagUcan.DID,
+ * url: URL,
+ * }>}
+ */
+const uploadApiEnvironments = {
+  production: {
+    audience: 'did:web:web3.storage',
+    url: new URL('https://up.web3.storage'),
+  },
+  staging: {
+    audience: 'did:web:staging.web3.storage',
+    url: new URL('https://staging.up.web3.storage'),
+  },
+}
+
+/**
+ * @interface {Pick<Map<dagUcan.DID, Ucanto.Connection<any>>, 'get'>}
+ */
+const audienceConnections = {
+  audienceToUrl: (() => {
+    /** @type {{ [k: keyof typeof uploadApiEnvironments]: URL }} */
+    const object = {}
+    for (const [, { audience, url }] of Object.entries(uploadApiEnvironments)) {
+      object[audience] = url
+    }
+    return object
+  })(),
+  fetch: globalThis.fetch,
+  /** @type {undefined|Ucanto.DID} */
+  defaultAudience: uploadApiEnvironments.production.audience,
+  /**
+   * Return a ucanto connection to use for the provided invocation audience.
+   * If no connection is available for the provided audience, return a connection for the default audience.
+   *
+   * @param {dagUcan.DID} audience
+   */
+  get(audience) {
+    const defaultedAudience =
+      audience in this.audienceToUrl ? audience : this.defaultAudience
+    if (!defaultedAudience) {
+      return
+    }
+    const url = this.audienceToUrl[defaultedAudience]
+    return createUcantoHttpConnection({
+      audience: defaultedAudience,
+      fetch: this.fetch,
+      url,
+    })
+  },
+}
+
+export class UploadApiProxyService {
+  /** @type {StoreService} */
+  store
+  /** @type {UploadService} */
+  upload
+
+  /**
+   * @param {object} options
+   * @param {Ucanto.Signer} [options.signer]
+   * @param {typeof globalThis.fetch} options.fetch
+   */
+  static create(options) {
+    const proxyOptions = {
+      signer: options.signer,
+      connections: {
+        ...audienceConnections,
+        ...(options.fetch && { fetch: options.fetch }),
+      },
+    }
+    return new this(
+      createProxyStoreService(proxyOptions),
+      createProxyUploadService(proxyOptions)
+    )
+  }
+
+  /**
+   * @protected
+   * @param {StoreService} store
+   * @param {UploadService} upload
+   */
+  constructor(store, upload) {
+    this.store = store
+    this.upload = upload
+  }
+}

packages/access-api/src/ucanto/proxy.js

@@ -0,0 +1,57 @@
+// eslint-disable-next-line no-unused-vars
+import * as Ucanto from '@ucanto/interface'
+import * as Client from '@ucanto/client'
+
+/**
+ * @template {Ucanto.Capability} C
+ * @template [Success=unknown]
+ * @template {{ error: true }} [Failure={error:true}]
+ * @callback InvocationResponder
+ * @param {Ucanto.Invocation<C>} invocationIn
+ * @param {Ucanto.InvocationContext} context
+ * @returns {Promise<Ucanto.Result<Success, Failure>>}
+ */
+
+/**
+ * @param {object} options
+ * @param {Pick<Map<Ucanto.DID, Ucanto.ConnectionView<any>>, 'get'>} options.connections
+ * @param {Ucanto.Signer} [options.signer]
+ */
+export function createProxyHandler(options) {
+  /**
+   * @template {import('@ucanto/interface').Capability} Capability
+   * @param {Ucanto.Invocation<Capability>} invocationIn
+   * @param {Ucanto.InvocationContext} context
+   * @returns {Promise<Ucanto.Result<any, { error: true }>>}
+   */
+  return async function handleInvocation(invocationIn, context) {
+    const connection = options.connections.get(invocationIn.audience.did())
+    if (!connection) {
+      throw new Error(
+        `unable to get connection for audience ${invocationIn.audience.did()}}`
+      )
+    }
+    // eslint-disable-next-line unicorn/prefer-logical-operator-over-ternary
+    const proxyInvocationIssuer = options.signer
+      ? // this results in a forwarded invocation, but the upstream will reject the signature
+        // created using options.signer unless options.signer signs w/ the same private key as the original issuer
+        // and it'd be nice to not even have to pass around `options.signer`
+        options.signer
+      : // this works, but involves lying about the issuer type (it wants a Signer but context.id is only a Verifier)
+        // @todo obviate this type override via https://github.com/web3-storage/ucanto/issues/195
+        /** @type {Ucanto.Signer} */ (context.id)
+
+    const [result] = await Client.execute(
+      [
+        Client.invoke({
+          issuer: proxyInvocationIssuer,
+          capability: invocationIn.capabilities[0],
+          audience: invocationIn.audience,
+          proofs: [invocationIn],
+        }),
+      ],
+      /** @type {Client.ConnectionView<any>} */ (connection)
+    )
+    return result
+  }
+}

packages/access-api/test/helpers/context.js

@@ -2,10 +2,11 @@
 import { Signer } from '@ucanto/principal/ed25519'
 import { connection } from '@web3-storage/access'
 import dotenv from 'dotenv'
-import { Miniflare } from 'miniflare'
+import { Miniflare, Log, LogLevel } from 'miniflare'
 import path from 'path'
 import { fileURLToPath } from 'url'
 import { migrate } from '../../scripts/migrate.js'
+import { configureSigner } from '../../src/config.js'
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 
@@ -53,6 +54,7 @@ export async function context(options) {
   const bindings = createBindings({
     ...environment,
   })
+  const servicePrincipal = configureSigner(bindings)
   const mf = new Miniflare({
     packagePath: true,
     wranglerConfigPath: true,
@@ -61,6 +63,7 @@ export async function context(options) {
     bindings,
     d1Persist: undefined,
     buildCommand: undefined,
+    log: new Log(LogLevel.ERROR),
   })
 
   const binds = await mf.getBindings()
@@ -70,7 +73,7 @@ export async function context(options) {
   return {
     mf,
     conn: connection({
-      principal,
+      principal: servicePrincipal,
       // @ts-ignore
       fetch: mf.dispatchFetch.bind(mf),
       url: new URL('http://localhost:8787'),

packages/access-api/test/helpers/utils.js

@@ -48,7 +48,7 @@ export async function createSpace(issuer, service, conn, email) {
     })
     .execute(conn)
   if (!claim || claim.error) {
-    throw new Error('failed to create space')
+    throw new Error('failed to create space', { cause: claim })
   }
 
   const delegation = stringToDelegation(claim)
@@ -98,3 +98,15 @@ export async function createSpace(issuer, service, conn, email) {
     delegation: spaceDelegation,
   }
 }
+
+/**
+ * Return whether the provided stack trace string appears to be generated
+ * by a deployed upload-api.
+ * Heuristics:
+ * * stack trace files paths will start with `file:///var/task/upload-api` because of how the lambda environment is working
+ *
+ * @param {string} stack
+ */
+export function isUploadApiStack(stack) {
+  return stack.includes('file:///var/task/upload-api')
+}