Stian/Shade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: persistent storage — SQLite backends for crash resilience

Browse Source 
Shade sessions and keys now survive server crashes, container restarts,
and power outages via SQLite with WAL mode.

New packages:
- @shade/storage-sqlite: SQLiteStorage (StorageProvider) + SqlitePrekeyStore
  (PrekeyStore), both using bun:sqlite with auto-created tables and WAL mode
- Serialization layer in shade-core for SessionState/keys ↔ JSON/base64

Docker usage: mount volume at /data, set SHADE_DB_PATH=/data/shade-client.db
Prekey server auto-detects SHADE_PREKEY_DB_PATH for SQLite persistence

Includes crash recovery integration test: encrypt → close DB → reopen →
conversation continues seamlessly.

129 tests, 0 failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sterister
2026-04-10 00:19:54 +02:00
parent d071551b2f
commit 7d214dc614
13 changed files with 1719 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
packages/shade-storage-sqlite/package.json Normal file
View File

@@ -0,0 +1,12 @@
{
"name": "@shade/storage-sqlite",
"version": "0.1.0",
"type": "module",
"main": "src/index.ts",
"types": "src/index.ts",
"dependencies": {
"@shade/core": "workspace:*",
"@shade/crypto-web": "workspace:*",
"@shade/server": "workspace:*"
}
}

2
packages/shade-storage-sqlite/src/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { SQLiteStorage } from './sqlite-storage.js';
export { SqlitePrekeyStore } from './sqlite-prekey-store.js';

138
packages/shade-storage-sqlite/src/sqlite-prekey-store.ts Normal file
View File

@@ -0,0 +1,138 @@
import { Database } from 'bun:sqlite';
import type { PrekeyStore } from '@shade/server/src/store.js';
import { toBase64, fromBase64 } from '@shade/core';
/**
* SQLite-backed PrekeyStore for the Shade Prekey Server.
*
* Stores PUBLIC keys only (never private keys). Used by the prekey server
* Docker container to persist registered identities and prekey bundles.
*
* Docker usage:
* Volume mount /data, set SHADE_PREKEY_DB_PATH=/data/shade-prekeys.db
*/
export class SqlitePrekeyStore implements PrekeyStore {
private db: Database;
private stmts!: {
saveIdentity: ReturnType<Database['prepare']>;
getIdentity: ReturnType<Database['prepare']>;
saveSignedPreKey: ReturnType<Database['prepare']>;
getSignedPreKey: ReturnType<Database['prepare']>;
insertOTPK: ReturnType<Database['prepare']>;
consumeOTPK: ReturnType<Database['prepare']>;
countOTPK: ReturnType<Database['prepare']>;
deleteIdentity: ReturnType<Database['prepare']>;
deleteSignedPreKey: ReturnType<Database['prepare']>;
deleteOTPKs: ReturnType<Database['prepare']>;
};
constructor(dbPath?: string) {
const path = dbPath ?? process.env.SHADE_PREKEY_DB_PATH ?? '/data/shade-prekeys.db';
this.db = new Database(path, { create: true });
this.db.exec('PRAGMA journal_mode=WAL');
this.ensureTables();
this.prepareStatements();
}
private ensureTables() {
this.db.exec(`
CREATE TABLE IF NOT EXISTS identities (
address TEXT PRIMARY KEY,
identity_signing_key TEXT NOT NULL,
identity_dh_key TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS signed_prekeys (
address TEXT PRIMARY KEY,
key_id INTEGER NOT NULL,
public_key TEXT NOT NULL,
signature TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS one_time_prekeys (
id INTEGER PRIMARY KEY AUTOINCREMENT,
address TEXT NOT NULL,
key_id INTEGER NOT NULL,
public_key TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_otp_address ON one_time_prekeys(address);
`);
}
private prepareStatements() {
this.stmts = {
saveIdentity: this.db.prepare('INSERT OR REPLACE INTO identities (address, identity_signing_key, identity_dh_key) VALUES (?, ?, ?)'),
getIdentity: this.db.prepare('SELECT identity_signing_key, identity_dh_key FROM identities WHERE address = ?'),
saveSignedPreKey: this.db.prepare('INSERT OR REPLACE INTO signed_prekeys (address, key_id, public_key, signature) VALUES (?, ?, ?, ?)'),
getSignedPreKey: this.db.prepare('SELECT key_id, public_key, signature FROM signed_prekeys WHERE address = ?'),
insertOTPK: this.db.prepare('INSERT INTO one_time_prekeys (address, key_id, public_key) VALUES (?, ?, ?)'),
consumeOTPK: this.db.prepare('DELETE FROM one_time_prekeys WHERE id = (SELECT id FROM one_time_prekeys WHERE address = ? ORDER BY id LIMIT 1) RETURNING key_id, public_key'),
countOTPK: this.db.prepare('SELECT COUNT(*) as count FROM one_time_prekeys WHERE address = ?'),
deleteIdentity: this.db.prepare('DELETE FROM identities WHERE address = ?'),
deleteSignedPreKey: this.db.prepare('DELETE FROM signed_prekeys WHERE address = ?'),
deleteOTPKs: this.db.prepare('DELETE FROM one_time_prekeys WHERE address = ?'),
};
}
close() {
this.db.close();
}
async saveIdentity(address: string, identitySigningKey: Uint8Array, identityDHKey: Uint8Array): Promise<void> {
this.stmts.saveIdentity.run(address, toBase64(identitySigningKey), toBase64(identityDHKey));
}
async getIdentity(address: string): Promise<{ identitySigningKey: Uint8Array; identityDHKey: Uint8Array } | null> {
const row = this.stmts.getIdentity.get(address) as any;
if (!row) return null;
return {
identitySigningKey: fromBase64(row.identity_signing_key),
identityDHKey: fromBase64(row.identity_dh_key),
};
}
async saveSignedPreKey(address: string, keyId: number, publicKey: Uint8Array, signature: Uint8Array): Promise<void> {
this.stmts.saveSignedPreKey.run(address, keyId, toBase64(publicKey), toBase64(signature));
}
async getSignedPreKey(address: string): Promise<{ keyId: number; publicKey: Uint8Array; signature: Uint8Array } | null> {
const row = this.stmts.getSignedPreKey.get(address) as any;
if (!row) return null;
return {
keyId: row.key_id,
publicKey: fromBase64(row.public_key),
signature: fromBase64(row.signature),
};
}
async saveOneTimePreKeys(address: string, keys: Array<{ keyId: number; publicKey: Uint8Array }>): Promise<void> {
const insertMany = this.db.transaction(() => {
for (const k of keys) {
this.stmts.insertOTPK.run(address, k.keyId, toBase64(k.publicKey));
}
});
insertMany();
}
async consumeOneTimePreKey(address: string): Promise<{ keyId: number; publicKey: Uint8Array } | null> {
const row = this.stmts.consumeOTPK.get(address) as any;
if (!row) return null;
return {
keyId: row.key_id,
publicKey: fromBase64(row.public_key),
};
}
async getOneTimePreKeyCount(address: string): Promise<number> {
const row = this.stmts.countOTPK.get(address) as any;
return row.count;
}
async deleteAll(address: string): Promise<void> {
const deleteAllTx = this.db.transaction(() => {
this.stmts.deleteIdentity.run(address);
this.stmts.deleteSignedPreKey.run(address);
this.stmts.deleteOTPKs.run(address);
});
deleteAllTx();
}
}

202
packages/shade-storage-sqlite/src/sqlite-storage.ts Normal file
View File

@@ -0,0 +1,202 @@
import { Database } from 'bun:sqlite';
import type { StorageProvider, IdentityKeyPair, SignedPreKey, OneTimePreKey, SessionState } from '@shade/core';
import {
toBase64, fromBase64,
serializeSessionState, deserializeSessionState,
serializeSignedPreKey, deserializeSignedPreKey,
serializeOneTimePreKey, deserializeOneTimePreKey,
} from '@shade/core';
/**
* SQLite-backed StorageProvider for Shade client-side key/session storage.
*
* Uses bun:sqlite (built-in, zero deps). Stores private keys — for trusted environments only.
* WAL mode enabled for crash safety. Auto-creates tables on first use.
*
* Docker usage:
* Volume mount /data, set SHADE_DB_PATH=/data/shade-client.db
*/
export class SQLiteStorage implements StorageProvider {
private db: Database;
// Prepared statements
private stmts!: {
getIdentity: ReturnType<Database['prepare']>;
saveIdentity: ReturnType<Database['prepare']>;
getConfig: ReturnType<Database['prepare']>;
saveConfig: ReturnType<Database['prepare']>;
getSignedPreKey: ReturnType<Database['prepare']>;
saveSignedPreKey: ReturnType<Database['prepare']>;
removeSignedPreKey: ReturnType<Database['prepare']>;
getOneTimePreKey: ReturnType<Database['prepare']>;
saveOneTimePreKey: ReturnType<Database['prepare']>;
removeOneTimePreKey: ReturnType<Database['prepare']>;
countOneTimePreKeys: ReturnType<Database['prepare']>;
getSession: ReturnType<Database['prepare']>;
saveSession: ReturnType<Database['prepare']>;
removeSession: ReturnType<Database['prepare']>;
getTrust: ReturnType<Database['prepare']>;
saveTrust: ReturnType<Database['prepare']>;
};
constructor(dbPath?: string) {
const path = dbPath ?? process.env.SHADE_DB_PATH ?? '/data/shade-client.db';
this.db = new Database(path, { create: true });
this.db.exec('PRAGMA journal_mode=WAL');
this.ensureTables();
this.prepareStatements();
}
private ensureTables() {
this.db.exec(`
CREATE TABLE IF NOT EXISTS identity (
id INTEGER PRIMARY KEY CHECK (id = 1),
signing_public_key TEXT NOT NULL,
signing_private_key TEXT NOT NULL,
dh_public_key TEXT NOT NULL,
dh_private_key TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS config (
key TEXT PRIMARY KEY,
value TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS signed_prekeys (
key_id INTEGER PRIMARY KEY,
data_json TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS one_time_prekeys (
key_id INTEGER PRIMARY KEY,
data_json TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS sessions (
address TEXT PRIMARY KEY,
state_json TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS trusted_identities (
address TEXT PRIMARY KEY,
identity_key TEXT NOT NULL
);
`);
}
private prepareStatements() {
this.stmts = {
getIdentity: this.db.prepare('SELECT * FROM identity WHERE id = 1'),
saveIdentity: this.db.prepare('INSERT OR REPLACE INTO identity (id, signing_public_key, signing_private_key, dh_public_key, dh_private_key) VALUES (1, ?, ?, ?, ?)'),
getConfig: this.db.prepare('SELECT value FROM config WHERE key = ?'),
saveConfig: this.db.prepare('INSERT OR REPLACE INTO config (key, value) VALUES (?, ?)'),
getSignedPreKey: this.db.prepare('SELECT data_json FROM signed_prekeys WHERE key_id = ?'),
saveSignedPreKey: this.db.prepare('INSERT OR REPLACE INTO signed_prekeys (key_id, data_json) VALUES (?, ?)'),
removeSignedPreKey: this.db.prepare('DELETE FROM signed_prekeys WHERE key_id = ?'),
getOneTimePreKey: this.db.prepare('SELECT data_json FROM one_time_prekeys WHERE key_id = ?'),
saveOneTimePreKey: this.db.prepare('INSERT OR REPLACE INTO one_time_prekeys (key_id, data_json) VALUES (?, ?)'),
removeOneTimePreKey: this.db.prepare('DELETE FROM one_time_prekeys WHERE key_id = ?'),
countOneTimePreKeys: this.db.prepare('SELECT COUNT(*) as count FROM one_time_prekeys'),
getSession: this.db.prepare('SELECT state_json FROM sessions WHERE address = ?'),
saveSession: this.db.prepare('INSERT OR REPLACE INTO sessions (address, state_json) VALUES (?, ?)'),
removeSession: this.db.prepare('DELETE FROM sessions WHERE address = ?'),
getTrust: this.db.prepare('SELECT identity_key FROM trusted_identities WHERE address = ?'),
saveTrust: this.db.prepare('INSERT OR REPLACE INTO trusted_identities (address, identity_key) VALUES (?, ?)'),
};
}
close() {
this.db.close();
}
// ─── Identity ──────────────────────────────────────────────
async getIdentityKeyPair(): Promise<IdentityKeyPair | null> {
const row = this.stmts.getIdentity.get() as any;
if (!row) return null;
return {
signingPublicKey: fromBase64(row.signing_public_key),
signingPrivateKey: fromBase64(row.signing_private_key),
dhPublicKey: fromBase64(row.dh_public_key),
dhPrivateKey: fromBase64(row.dh_private_key),
};
}
async saveIdentityKeyPair(kp: IdentityKeyPair): Promise<void> {
this.stmts.saveIdentity.run(
toBase64(kp.signingPublicKey),
toBase64(kp.signingPrivateKey),
toBase64(kp.dhPublicKey),
toBase64(kp.dhPrivateKey),
);
}
async getLocalRegistrationId(): Promise<number> {
const row = this.stmts.getConfig.get('registrationId') as any;
return row ? parseInt(row.value, 10) : 0;
}
async saveLocalRegistrationId(id: number): Promise<void> {
this.stmts.saveConfig.run('registrationId', String(id));
}
// ─── Signed PreKeys ───────────────────────────────────────
async getSignedPreKey(keyId: number): Promise<SignedPreKey | null> {
const row = this.stmts.getSignedPreKey.get(keyId) as any;
if (!row) return null;
return deserializeSignedPreKey(row.data_json);
}
async saveSignedPreKey(key: SignedPreKey): Promise<void> {
this.stmts.saveSignedPreKey.run(key.keyId, serializeSignedPreKey(key));
}
async removeSignedPreKey(keyId: number): Promise<void> {
this.stmts.removeSignedPreKey.run(keyId);
}
// ─── One-Time PreKeys ─────────────────────────────────────
async getOneTimePreKey(keyId: number): Promise<OneTimePreKey | null> {
const row = this.stmts.getOneTimePreKey.get(keyId) as any;
if (!row) return null;
return deserializeOneTimePreKey(row.data_json);
}
async saveOneTimePreKey(key: OneTimePreKey): Promise<void> {
this.stmts.saveOneTimePreKey.run(key.keyId, serializeOneTimePreKey(key));
}
async removeOneTimePreKey(keyId: number): Promise<void> {
this.stmts.removeOneTimePreKey.run(keyId);
}
async getOneTimePreKeyCount(): Promise<number> {
const row = this.stmts.countOneTimePreKeys.get() as any;
return row.count;
}
// ─── Sessions ─────────────────────────────────────────────
async getSession(address: string): Promise<SessionState | null> {
const row = this.stmts.getSession.get(address) as any;
if (!row) return null;
return deserializeSessionState(row.state_json);
}
async saveSession(address: string, state: SessionState): Promise<void> {
this.stmts.saveSession.run(address, serializeSessionState(state));
}
async removeSession(address: string): Promise<void> {
this.stmts.removeSession.run(address);
}
// ─── Trust ────────────────────────────────────────────────
async isTrustedIdentity(address: string, identityKey: Uint8Array): Promise<boolean> {
const row = this.stmts.getTrust.get(address) as any;
if (!row) return true; // TOFU
return row.identity_key === toBase64(identityKey);
}
async saveTrustedIdentity(address: string, identityKey: Uint8Array): Promise<void> {
this.stmts.saveTrust.run(address, toBase64(identityKey));
}
}

140
packages/shade-storage-sqlite/tests/sqlite-prekey-store.test.ts Normal file
View File

@@ -0,0 +1,140 @@
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
import { tmpdir } from 'os';
import { join } from 'path';
import { unlinkSync } from 'fs';
import { SqlitePrekeyStore } from '../src/sqlite-prekey-store.js';
function randBytes(n: number): Uint8Array {
const buf = new Uint8Array(n);
globalThis.crypto.getRandomValues(buf);
return buf;
}
function tempDbPath(): string {
return join(tmpdir(), `shade-prekey-test-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
}
describe('SqlitePrekeyStore', () => {
let dbPath: string;
let store: SqlitePrekeyStore;
beforeEach(() => {
dbPath = tempDbPath();
store = new SqlitePrekeyStore(dbPath);
});
afterEach(() => {
store.close();
try { unlinkSync(dbPath); } catch {}
try { unlinkSync(dbPath + '-wal'); } catch {}
try { unlinkSync(dbPath + '-shm'); } catch {}
});
describe('identity', () => {
test('save and get identity', async () => {
const sigKey = randBytes(32);
const dhKey = randBytes(32);
await store.saveIdentity('bob', sigKey, dhKey);
const id = await store.getIdentity('bob');
expect(id).not.toBeNull();
expect(id!.identitySigningKey).toEqual(sigKey);
expect(id!.identityDHKey).toEqual(dhKey);
});
test('returns null for unknown address', async () => {
expect(await store.getIdentity('nobody')).toBeNull();
});
});
describe('signed prekeys', () => {
test('save and get signed prekey', async () => {
const pubKey = randBytes(32);
const sig = randBytes(64);
await store.saveSignedPreKey('bob', 1, pubKey, sig);
const spk = await store.getSignedPreKey('bob');
expect(spk!.keyId).toBe(1);
expect(spk!.publicKey).toEqual(pubKey);
expect(spk!.signature).toEqual(sig);
});
});
describe('one-time prekeys', () => {
test('FIFO consumption', async () => {
await store.saveOneTimePreKeys('bob', [
{ keyId: 100, publicKey: randBytes(32) },
{ keyId: 101, publicKey: randBytes(32) },
{ keyId: 102, publicKey: randBytes(32) },
]);
expect(await store.getOneTimePreKeyCount('bob')).toBe(3);
const k1 = await store.consumeOneTimePreKey('bob');
expect(k1!.keyId).toBe(100);
expect(await store.getOneTimePreKeyCount('bob')).toBe(2);
const k2 = await store.consumeOneTimePreKey('bob');
expect(k2!.keyId).toBe(101);
const k3 = await store.consumeOneTimePreKey('bob');
expect(k3!.keyId).toBe(102);
const k4 = await store.consumeOneTimePreKey('bob');
expect(k4).toBeNull();
expect(await store.getOneTimePreKeyCount('bob')).toBe(0);
});
test('replenish adds more keys', async () => {
await store.saveOneTimePreKeys('bob', [{ keyId: 100, publicKey: randBytes(32) }]);
await store.saveOneTimePreKeys('bob', [{ keyId: 200, publicKey: randBytes(32) }, { keyId: 201, publicKey: randBytes(32) }]);
expect(await store.getOneTimePreKeyCount('bob')).toBe(3);
});
test('different addresses are isolated', async () => {
await store.saveOneTimePreKeys('alice', [{ keyId: 1, publicKey: randBytes(32) }]);
await store.saveOneTimePreKeys('bob', [{ keyId: 1, publicKey: randBytes(32) }, { keyId: 2, publicKey: randBytes(32) }]);
expect(await store.getOneTimePreKeyCount('alice')).toBe(1);
expect(await store.getOneTimePreKeyCount('bob')).toBe(2);
});
});
describe('deleteAll', () => {
test('removes everything for an address', async () => {
await store.saveIdentity('bob', randBytes(32), randBytes(32));
await store.saveSignedPreKey('bob', 1, randBytes(32), randBytes(64));
await store.saveOneTimePreKeys('bob', [{ keyId: 100, publicKey: randBytes(32) }]);
await store.deleteAll('bob');
expect(await store.getIdentity('bob')).toBeNull();
expect(await store.getSignedPreKey('bob')).toBeNull();
expect(await store.getOneTimePreKeyCount('bob')).toBe(0);
});
test('does not affect other addresses', async () => {
await store.saveIdentity('alice', randBytes(32), randBytes(32));
await store.saveIdentity('bob', randBytes(32), randBytes(32));
await store.deleteAll('bob');
expect(await store.getIdentity('alice')).not.toBeNull();
expect(await store.getIdentity('bob')).toBeNull();
});
});
describe('persistence', () => {
test('data survives close and reopen', async () => {
await store.saveIdentity('bob', randBytes(32), randBytes(32));
await store.saveOneTimePreKeys('bob', [
{ keyId: 1, publicKey: randBytes(32) },
{ keyId: 2, publicKey: randBytes(32) },
]);
store.close();
store = new SqlitePrekeyStore(dbPath);
expect(await store.getIdentity('bob')).not.toBeNull();
expect(await store.getOneTimePreKeyCount('bob')).toBe(2);
});
});
});

243
packages/shade-storage-sqlite/tests/sqlite-storage.test.ts Normal file
View File

@@ -0,0 +1,243 @@
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
import { tmpdir } from 'os';
import { join } from 'path';
import { unlinkSync } from 'fs';
import { SQLiteStorage } from '../src/sqlite-storage.js';
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
import { ShadeSessionManager } from '@shade/core';
import type { IdentityKeyPair, SignedPreKey, OneTimePreKey } from '@shade/core';
const crypto = new SubtleCryptoProvider();
function randBytes(n: number): Uint8Array {
const buf = new Uint8Array(n);
globalThis.crypto.getRandomValues(buf);
return buf;
}
function tempDbPath(): string {
return join(tmpdir(), `shade-test-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
}
describe('SQLiteStorage', () => {
let dbPath: string;
let storage: SQLiteStorage;
beforeEach(() => {
dbPath = tempDbPath();
storage = new SQLiteStorage(dbPath);
});
afterEach(() => {
storage.close();
try { unlinkSync(dbPath); } catch {}
try { unlinkSync(dbPath + '-wal'); } catch {}
try { unlinkSync(dbPath + '-shm'); } catch {}
});
// ─── Identity ──────────────────────────────────────────────
describe('identity', () => {
test('returns null when no identity stored', async () => {
expect(await storage.getIdentityKeyPair()).toBeNull();
});
test('save and retrieve identity keypair', async () => {
const ikp: IdentityKeyPair = {
signingPublicKey: randBytes(32),
signingPrivateKey: randBytes(32),
dhPublicKey: randBytes(32),
dhPrivateKey: randBytes(32),
};
await storage.saveIdentityKeyPair(ikp);
const restored = await storage.getIdentityKeyPair();
expect(restored).not.toBeNull();
expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
expect(restored!.dhPrivateKey).toEqual(ikp.dhPrivateKey);
});
test('registration ID roundtrip', async () => {
expect(await storage.getLocalRegistrationId()).toBe(0);
await storage.saveLocalRegistrationId(42);
expect(await storage.getLocalRegistrationId()).toBe(42);
});
});
// ─── Signed PreKeys ───────────────────────────────────────
describe('signed prekeys', () => {
test('save, get, remove', async () => {
const spk: SignedPreKey = {
keyId: 1,
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
signature: randBytes(64),
timestamp: Date.now(),
};
await storage.saveSignedPreKey(spk);
const restored = await storage.getSignedPreKey(1);
expect(restored).not.toBeNull();
expect(restored!.keyId).toBe(1);
expect(restored!.keyPair.publicKey).toEqual(spk.keyPair.publicKey);
await storage.removeSignedPreKey(1);
expect(await storage.getSignedPreKey(1)).toBeNull();
});
});
// ─── One-Time PreKeys ─────────────────────────────────────
describe('one-time prekeys', () => {
test('save, get, remove, count', async () => {
const otpk: OneTimePreKey = {
keyId: 100,
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
};
await storage.saveOneTimePreKey(otpk);
expect(await storage.getOneTimePreKeyCount()).toBe(1);
const restored = await storage.getOneTimePreKey(100);
expect(restored!.keyId).toBe(100);
await storage.removeOneTimePreKey(100);
expect(await storage.getOneTimePreKeyCount()).toBe(0);
expect(await storage.getOneTimePreKey(100)).toBeNull();
});
});
// ─── Sessions ─────────────────────────────────────────────
describe('sessions', () => {
test('save and restore session with skipped keys', async () => {
const state = {
remoteIdentityKey: randBytes(32),
rootKey: randBytes(32),
sendChain: { chainKey: randBytes(32), counter: 5 },
receiveChain: { chainKey: randBytes(32), counter: 3 },
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
dhReceive: randBytes(32),
previousSendCounter: 4,
skippedKeys: new Map([['key:1', randBytes(32)]]),
};
await storage.saveSession('bob', state);
const restored = await storage.getSession('bob');
expect(restored).not.toBeNull();
expect(restored!.sendChain.counter).toBe(5);
expect(restored!.skippedKeys.size).toBe(1);
expect(restored!.skippedKeys.get('key:1')).toEqual(state.skippedKeys.get('key:1'));
});
test('remove session', async () => {
await storage.saveSession('bob', {
remoteIdentityKey: randBytes(32),
rootKey: randBytes(32),
sendChain: { chainKey: randBytes(32), counter: 0 },
receiveChain: null,
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
dhReceive: null,
previousSendCounter: 0,
skippedKeys: new Map(),
});
await storage.removeSession('bob');
expect(await storage.getSession('bob')).toBeNull();
});
});
// ─── Trust ────────────────────────────────────────────────
describe('trust', () => {
test('TOFU: first use is trusted', async () => {
expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(true);
});
test('saved identity matches', async () => {
const key = randBytes(32);
await storage.saveTrustedIdentity('bob', key);
expect(await storage.isTrustedIdentity('bob', key)).toBe(true);
expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(false);
});
});
// ─── Crash Recovery ───────────────────────────────────────
describe('persistence across close/reopen', () => {
test('data survives close and reopen', async () => {
const ikp: IdentityKeyPair = {
signingPublicKey: randBytes(32),
signingPrivateKey: randBytes(32),
dhPublicKey: randBytes(32),
dhPrivateKey: randBytes(32),
};
await storage.saveIdentityKeyPair(ikp);
await storage.saveLocalRegistrationId(99);
await storage.saveSession('alice', {
remoteIdentityKey: randBytes(32),
rootKey: randBytes(32),
sendChain: { chainKey: randBytes(32), counter: 7 },
receiveChain: null,
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
dhReceive: null,
previousSendCounter: 0,
skippedKeys: new Map(),
});
// Close and reopen
storage.close();
storage = new SQLiteStorage(dbPath);
const restored = await storage.getIdentityKeyPair();
expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
expect(await storage.getLocalRegistrationId()).toBe(99);
const session = await storage.getSession('alice');
expect(session!.sendChain.counter).toBe(7);
});
});
// ─── Full E2EE with SQLiteStorage ─────────────────────────
describe('full E2EE conversation with persistent storage', () => {
test('encrypt, close, reopen, continue conversation', async () => {
const bobDbPath = tempDbPath();
let bobStorage = new SQLiteStorage(bobDbPath);
try {
const alice = new ShadeSessionManager(crypto, storage);
let bob = new ShadeSessionManager(crypto, bobStorage);
await alice.initialize();
await bob.initialize();
const otpks = await bob.generateOneTimePreKeys(5);
const bundle = await bob.createPreKeyBundle();
bundle.oneTimePreKey = { keyId: otpks[0].keyId, publicKey: otpks[0].keyPair.publicKey };
await alice.initSessionFromBundle('bob', bundle);
// Alice → Bob
const env1 = await alice.encrypt('bob', 'Hello persistent!');
expect(await bob.decrypt('alice', env1)).toBe('Hello persistent!');
// Bob → Alice
const env2 = await bob.encrypt('alice', 'Got it!');
expect(await alice.decrypt('bob', env2)).toBe('Got it!');
// "Crash" Bob — close DB and reopen
bobStorage.close();
bobStorage = new SQLiteStorage(bobDbPath);
bob = new ShadeSessionManager(crypto, bobStorage);
await bob.initialize();
// Continue conversation after "crash"
const env3 = await alice.encrypt('bob', 'After your restart');
expect(await bob.decrypt('alice', env3)).toBe('After your restart');
const env4 = await bob.encrypt('alice', 'I survived!');
expect(await alice.decrypt('bob', env4)).toBe('I survived!');
} finally {
bobStorage.close();
try { unlinkSync(bobDbPath); } catch {}
try { unlinkSync(bobDbPath + '-wal'); } catch {}
try { unlinkSync(bobDbPath + '-shm'); } catch {}
}
});
});
});

5
packages/shade-storage-sqlite/tsconfig.json Normal file
View File

@@ -0,0 +1,5 @@
{
"extends": "../../tsconfig.json",
"compilerOptions": { "outDir": "dist", "rootDir": "src" },
"include": ["src"]
}