feat: persistent storage — SQLite backends for crash resilience
Shade sessions and keys now survive server crashes, container restarts, and power outages via SQLite with WAL mode. New packages: - @shade/storage-sqlite: SQLiteStorage (StorageProvider) + SqlitePrekeyStore (PrekeyStore), both using bun:sqlite with auto-created tables and WAL mode - Serialization layer in shade-core for SessionState/keys ↔ JSON/base64 Docker usage: mount volume at /data, set SHADE_DB_PATH=/data/shade-client.db Prekey server auto-detects SHADE_PREKEY_DB_PATH for SQLite persistence Includes crash recovery integration test: encrypt → close DB → reopen → conversation continues seamlessly. 129 tests, 0 failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
140
packages/shade-storage-sqlite/tests/sqlite-prekey-store.test.ts
Normal file
140
packages/shade-storage-sqlite/tests/sqlite-prekey-store.test.ts
Normal file
@@ -0,0 +1,140 @@
|
||||
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
|
||||
import { tmpdir } from 'os';
|
||||
import { join } from 'path';
|
||||
import { unlinkSync } from 'fs';
|
||||
import { SqlitePrekeyStore } from '../src/sqlite-prekey-store.js';
|
||||
|
||||
function randBytes(n: number): Uint8Array {
|
||||
const buf = new Uint8Array(n);
|
||||
globalThis.crypto.getRandomValues(buf);
|
||||
return buf;
|
||||
}
|
||||
|
||||
function tempDbPath(): string {
|
||||
return join(tmpdir(), `shade-prekey-test-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
|
||||
}
|
||||
|
||||
describe('SqlitePrekeyStore', () => {
|
||||
let dbPath: string;
|
||||
let store: SqlitePrekeyStore;
|
||||
|
||||
beforeEach(() => {
|
||||
dbPath = tempDbPath();
|
||||
store = new SqlitePrekeyStore(dbPath);
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
store.close();
|
||||
try { unlinkSync(dbPath); } catch {}
|
||||
try { unlinkSync(dbPath + '-wal'); } catch {}
|
||||
try { unlinkSync(dbPath + '-shm'); } catch {}
|
||||
});
|
||||
|
||||
describe('identity', () => {
|
||||
test('save and get identity', async () => {
|
||||
const sigKey = randBytes(32);
|
||||
const dhKey = randBytes(32);
|
||||
await store.saveIdentity('bob', sigKey, dhKey);
|
||||
const id = await store.getIdentity('bob');
|
||||
expect(id).not.toBeNull();
|
||||
expect(id!.identitySigningKey).toEqual(sigKey);
|
||||
expect(id!.identityDHKey).toEqual(dhKey);
|
||||
});
|
||||
|
||||
test('returns null for unknown address', async () => {
|
||||
expect(await store.getIdentity('nobody')).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
describe('signed prekeys', () => {
|
||||
test('save and get signed prekey', async () => {
|
||||
const pubKey = randBytes(32);
|
||||
const sig = randBytes(64);
|
||||
await store.saveSignedPreKey('bob', 1, pubKey, sig);
|
||||
const spk = await store.getSignedPreKey('bob');
|
||||
expect(spk!.keyId).toBe(1);
|
||||
expect(spk!.publicKey).toEqual(pubKey);
|
||||
expect(spk!.signature).toEqual(sig);
|
||||
});
|
||||
});
|
||||
|
||||
describe('one-time prekeys', () => {
|
||||
test('FIFO consumption', async () => {
|
||||
await store.saveOneTimePreKeys('bob', [
|
||||
{ keyId: 100, publicKey: randBytes(32) },
|
||||
{ keyId: 101, publicKey: randBytes(32) },
|
||||
{ keyId: 102, publicKey: randBytes(32) },
|
||||
]);
|
||||
|
||||
expect(await store.getOneTimePreKeyCount('bob')).toBe(3);
|
||||
|
||||
const k1 = await store.consumeOneTimePreKey('bob');
|
||||
expect(k1!.keyId).toBe(100);
|
||||
expect(await store.getOneTimePreKeyCount('bob')).toBe(2);
|
||||
|
||||
const k2 = await store.consumeOneTimePreKey('bob');
|
||||
expect(k2!.keyId).toBe(101);
|
||||
|
||||
const k3 = await store.consumeOneTimePreKey('bob');
|
||||
expect(k3!.keyId).toBe(102);
|
||||
|
||||
const k4 = await store.consumeOneTimePreKey('bob');
|
||||
expect(k4).toBeNull();
|
||||
expect(await store.getOneTimePreKeyCount('bob')).toBe(0);
|
||||
});
|
||||
|
||||
test('replenish adds more keys', async () => {
|
||||
await store.saveOneTimePreKeys('bob', [{ keyId: 100, publicKey: randBytes(32) }]);
|
||||
await store.saveOneTimePreKeys('bob', [{ keyId: 200, publicKey: randBytes(32) }, { keyId: 201, publicKey: randBytes(32) }]);
|
||||
expect(await store.getOneTimePreKeyCount('bob')).toBe(3);
|
||||
});
|
||||
|
||||
test('different addresses are isolated', async () => {
|
||||
await store.saveOneTimePreKeys('alice', [{ keyId: 1, publicKey: randBytes(32) }]);
|
||||
await store.saveOneTimePreKeys('bob', [{ keyId: 1, publicKey: randBytes(32) }, { keyId: 2, publicKey: randBytes(32) }]);
|
||||
|
||||
expect(await store.getOneTimePreKeyCount('alice')).toBe(1);
|
||||
expect(await store.getOneTimePreKeyCount('bob')).toBe(2);
|
||||
});
|
||||
});
|
||||
|
||||
describe('deleteAll', () => {
|
||||
test('removes everything for an address', async () => {
|
||||
await store.saveIdentity('bob', randBytes(32), randBytes(32));
|
||||
await store.saveSignedPreKey('bob', 1, randBytes(32), randBytes(64));
|
||||
await store.saveOneTimePreKeys('bob', [{ keyId: 100, publicKey: randBytes(32) }]);
|
||||
|
||||
await store.deleteAll('bob');
|
||||
|
||||
expect(await store.getIdentity('bob')).toBeNull();
|
||||
expect(await store.getSignedPreKey('bob')).toBeNull();
|
||||
expect(await store.getOneTimePreKeyCount('bob')).toBe(0);
|
||||
});
|
||||
|
||||
test('does not affect other addresses', async () => {
|
||||
await store.saveIdentity('alice', randBytes(32), randBytes(32));
|
||||
await store.saveIdentity('bob', randBytes(32), randBytes(32));
|
||||
|
||||
await store.deleteAll('bob');
|
||||
|
||||
expect(await store.getIdentity('alice')).not.toBeNull();
|
||||
expect(await store.getIdentity('bob')).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
describe('persistence', () => {
|
||||
test('data survives close and reopen', async () => {
|
||||
await store.saveIdentity('bob', randBytes(32), randBytes(32));
|
||||
await store.saveOneTimePreKeys('bob', [
|
||||
{ keyId: 1, publicKey: randBytes(32) },
|
||||
{ keyId: 2, publicKey: randBytes(32) },
|
||||
]);
|
||||
|
||||
store.close();
|
||||
store = new SqlitePrekeyStore(dbPath);
|
||||
|
||||
expect(await store.getIdentity('bob')).not.toBeNull();
|
||||
expect(await store.getOneTimePreKeyCount('bob')).toBe(2);
|
||||
});
|
||||
});
|
||||
});
|
||||
243
packages/shade-storage-sqlite/tests/sqlite-storage.test.ts
Normal file
243
packages/shade-storage-sqlite/tests/sqlite-storage.test.ts
Normal file
@@ -0,0 +1,243 @@
|
||||
import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
|
||||
import { tmpdir } from 'os';
|
||||
import { join } from 'path';
|
||||
import { unlinkSync } from 'fs';
|
||||
import { SQLiteStorage } from '../src/sqlite-storage.js';
|
||||
import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
|
||||
import { ShadeSessionManager } from '@shade/core';
|
||||
import type { IdentityKeyPair, SignedPreKey, OneTimePreKey } from '@shade/core';
|
||||
|
||||
const crypto = new SubtleCryptoProvider();
|
||||
|
||||
function randBytes(n: number): Uint8Array {
|
||||
const buf = new Uint8Array(n);
|
||||
globalThis.crypto.getRandomValues(buf);
|
||||
return buf;
|
||||
}
|
||||
|
||||
function tempDbPath(): string {
|
||||
return join(tmpdir(), `shade-test-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
|
||||
}
|
||||
|
||||
describe('SQLiteStorage', () => {
|
||||
let dbPath: string;
|
||||
let storage: SQLiteStorage;
|
||||
|
||||
beforeEach(() => {
|
||||
dbPath = tempDbPath();
|
||||
storage = new SQLiteStorage(dbPath);
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
storage.close();
|
||||
try { unlinkSync(dbPath); } catch {}
|
||||
try { unlinkSync(dbPath + '-wal'); } catch {}
|
||||
try { unlinkSync(dbPath + '-shm'); } catch {}
|
||||
});
|
||||
|
||||
// ─── Identity ──────────────────────────────────────────────
|
||||
|
||||
describe('identity', () => {
|
||||
test('returns null when no identity stored', async () => {
|
||||
expect(await storage.getIdentityKeyPair()).toBeNull();
|
||||
});
|
||||
|
||||
test('save and retrieve identity keypair', async () => {
|
||||
const ikp: IdentityKeyPair = {
|
||||
signingPublicKey: randBytes(32),
|
||||
signingPrivateKey: randBytes(32),
|
||||
dhPublicKey: randBytes(32),
|
||||
dhPrivateKey: randBytes(32),
|
||||
};
|
||||
await storage.saveIdentityKeyPair(ikp);
|
||||
const restored = await storage.getIdentityKeyPair();
|
||||
expect(restored).not.toBeNull();
|
||||
expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
|
||||
expect(restored!.dhPrivateKey).toEqual(ikp.dhPrivateKey);
|
||||
});
|
||||
|
||||
test('registration ID roundtrip', async () => {
|
||||
expect(await storage.getLocalRegistrationId()).toBe(0);
|
||||
await storage.saveLocalRegistrationId(42);
|
||||
expect(await storage.getLocalRegistrationId()).toBe(42);
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Signed PreKeys ───────────────────────────────────────
|
||||
|
||||
describe('signed prekeys', () => {
|
||||
test('save, get, remove', async () => {
|
||||
const spk: SignedPreKey = {
|
||||
keyId: 1,
|
||||
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
|
||||
signature: randBytes(64),
|
||||
timestamp: Date.now(),
|
||||
};
|
||||
await storage.saveSignedPreKey(spk);
|
||||
const restored = await storage.getSignedPreKey(1);
|
||||
expect(restored).not.toBeNull();
|
||||
expect(restored!.keyId).toBe(1);
|
||||
expect(restored!.keyPair.publicKey).toEqual(spk.keyPair.publicKey);
|
||||
|
||||
await storage.removeSignedPreKey(1);
|
||||
expect(await storage.getSignedPreKey(1)).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
// ─── One-Time PreKeys ─────────────────────────────────────
|
||||
|
||||
describe('one-time prekeys', () => {
|
||||
test('save, get, remove, count', async () => {
|
||||
const otpk: OneTimePreKey = {
|
||||
keyId: 100,
|
||||
keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
|
||||
};
|
||||
await storage.saveOneTimePreKey(otpk);
|
||||
expect(await storage.getOneTimePreKeyCount()).toBe(1);
|
||||
|
||||
const restored = await storage.getOneTimePreKey(100);
|
||||
expect(restored!.keyId).toBe(100);
|
||||
|
||||
await storage.removeOneTimePreKey(100);
|
||||
expect(await storage.getOneTimePreKeyCount()).toBe(0);
|
||||
expect(await storage.getOneTimePreKey(100)).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Sessions ─────────────────────────────────────────────
|
||||
|
||||
describe('sessions', () => {
|
||||
test('save and restore session with skipped keys', async () => {
|
||||
const state = {
|
||||
remoteIdentityKey: randBytes(32),
|
||||
rootKey: randBytes(32),
|
||||
sendChain: { chainKey: randBytes(32), counter: 5 },
|
||||
receiveChain: { chainKey: randBytes(32), counter: 3 },
|
||||
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
|
||||
dhReceive: randBytes(32),
|
||||
previousSendCounter: 4,
|
||||
skippedKeys: new Map([['key:1', randBytes(32)]]),
|
||||
};
|
||||
|
||||
await storage.saveSession('bob', state);
|
||||
const restored = await storage.getSession('bob');
|
||||
expect(restored).not.toBeNull();
|
||||
expect(restored!.sendChain.counter).toBe(5);
|
||||
expect(restored!.skippedKeys.size).toBe(1);
|
||||
expect(restored!.skippedKeys.get('key:1')).toEqual(state.skippedKeys.get('key:1'));
|
||||
});
|
||||
|
||||
test('remove session', async () => {
|
||||
await storage.saveSession('bob', {
|
||||
remoteIdentityKey: randBytes(32),
|
||||
rootKey: randBytes(32),
|
||||
sendChain: { chainKey: randBytes(32), counter: 0 },
|
||||
receiveChain: null,
|
||||
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
|
||||
dhReceive: null,
|
||||
previousSendCounter: 0,
|
||||
skippedKeys: new Map(),
|
||||
});
|
||||
await storage.removeSession('bob');
|
||||
expect(await storage.getSession('bob')).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Trust ────────────────────────────────────────────────
|
||||
|
||||
describe('trust', () => {
|
||||
test('TOFU: first use is trusted', async () => {
|
||||
expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(true);
|
||||
});
|
||||
|
||||
test('saved identity matches', async () => {
|
||||
const key = randBytes(32);
|
||||
await storage.saveTrustedIdentity('bob', key);
|
||||
expect(await storage.isTrustedIdentity('bob', key)).toBe(true);
|
||||
expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Crash Recovery ───────────────────────────────────────
|
||||
|
||||
describe('persistence across close/reopen', () => {
|
||||
test('data survives close and reopen', async () => {
|
||||
const ikp: IdentityKeyPair = {
|
||||
signingPublicKey: randBytes(32),
|
||||
signingPrivateKey: randBytes(32),
|
||||
dhPublicKey: randBytes(32),
|
||||
dhPrivateKey: randBytes(32),
|
||||
};
|
||||
await storage.saveIdentityKeyPair(ikp);
|
||||
await storage.saveLocalRegistrationId(99);
|
||||
await storage.saveSession('alice', {
|
||||
remoteIdentityKey: randBytes(32),
|
||||
rootKey: randBytes(32),
|
||||
sendChain: { chainKey: randBytes(32), counter: 7 },
|
||||
receiveChain: null,
|
||||
dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
|
||||
dhReceive: null,
|
||||
previousSendCounter: 0,
|
||||
skippedKeys: new Map(),
|
||||
});
|
||||
|
||||
// Close and reopen
|
||||
storage.close();
|
||||
storage = new SQLiteStorage(dbPath);
|
||||
|
||||
const restored = await storage.getIdentityKeyPair();
|
||||
expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
|
||||
expect(await storage.getLocalRegistrationId()).toBe(99);
|
||||
const session = await storage.getSession('alice');
|
||||
expect(session!.sendChain.counter).toBe(7);
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Full E2EE with SQLiteStorage ─────────────────────────
|
||||
|
||||
describe('full E2EE conversation with persistent storage', () => {
|
||||
test('encrypt, close, reopen, continue conversation', async () => {
|
||||
const bobDbPath = tempDbPath();
|
||||
let bobStorage = new SQLiteStorage(bobDbPath);
|
||||
|
||||
try {
|
||||
const alice = new ShadeSessionManager(crypto, storage);
|
||||
let bob = new ShadeSessionManager(crypto, bobStorage);
|
||||
await alice.initialize();
|
||||
await bob.initialize();
|
||||
|
||||
const otpks = await bob.generateOneTimePreKeys(5);
|
||||
const bundle = await bob.createPreKeyBundle();
|
||||
bundle.oneTimePreKey = { keyId: otpks[0].keyId, publicKey: otpks[0].keyPair.publicKey };
|
||||
|
||||
await alice.initSessionFromBundle('bob', bundle);
|
||||
|
||||
// Alice → Bob
|
||||
const env1 = await alice.encrypt('bob', 'Hello persistent!');
|
||||
expect(await bob.decrypt('alice', env1)).toBe('Hello persistent!');
|
||||
|
||||
// Bob → Alice
|
||||
const env2 = await bob.encrypt('alice', 'Got it!');
|
||||
expect(await alice.decrypt('bob', env2)).toBe('Got it!');
|
||||
|
||||
// "Crash" Bob — close DB and reopen
|
||||
bobStorage.close();
|
||||
bobStorage = new SQLiteStorage(bobDbPath);
|
||||
bob = new ShadeSessionManager(crypto, bobStorage);
|
||||
await bob.initialize();
|
||||
|
||||
// Continue conversation after "crash"
|
||||
const env3 = await alice.encrypt('bob', 'After your restart');
|
||||
expect(await bob.decrypt('alice', env3)).toBe('After your restart');
|
||||
|
||||
const env4 = await bob.encrypt('alice', 'I survived!');
|
||||
expect(await alice.decrypt('bob', env4)).toBe('I survived!');
|
||||
} finally {
|
||||
bobStorage.close();
|
||||
try { unlinkSync(bobDbPath); } catch {}
|
||||
try { unlinkSync(bobDbPath + '-wal'); } catch {}
|
||||
try { unlinkSync(bobDbPath + '-shm'); } catch {}
|
||||
}
|
||||
});
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user