feat: persistent storage — SQLite backends for crash resilience

Shade sessions and keys now survive server crashes, container restarts, and power outages via SQLite with WAL mode. New packages: - @shade/storage-sqlite: SQLiteStorage (StorageProvider) + SqlitePrekeyStore (PrekeyStore), both using bun:sqlite with auto-created tables and WAL mode - Serialization layer in shade-core for SessionState/keys ↔ JSON/base64 Docker usage: mount volume at /data, set SHADE_DB_PATH=/data/shade-client.db Prekey server auto-detects SHADE_PREKEY_DB_PATH for SQLite persistence Includes crash recovery integration test: encrypt → close DB → reopen → conversation continues seamlessly. 129 tests, 0 failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 00:19:54 +02:00
parent d071551b2f
commit 7d214dc614
13 changed files with 1719 additions and 7 deletions
--- a/packages/shade-storage-sqlite/tests/sqlite-storage.test.ts
+++ b/packages/shade-storage-sqlite/tests/sqlite-storage.test.ts
@@ -0,0 +1,243 @@
+import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { unlinkSync } from 'fs';
+import { SQLiteStorage } from '../src/sqlite-storage.js';
+import { SubtleCryptoProvider, MemoryStorage } from '@shade/crypto-web';
+import { ShadeSessionManager } from '@shade/core';
+import type { IdentityKeyPair, SignedPreKey, OneTimePreKey } from '@shade/core';
+
+const crypto = new SubtleCryptoProvider();
+
+function randBytes(n: number): Uint8Array {
+  const buf = new Uint8Array(n);
+  globalThis.crypto.getRandomValues(buf);
+  return buf;
+}
+
+function tempDbPath(): string {
+  return join(tmpdir(), `shade-test-${Date.now()}-${Math.random().toString(36).slice(2)}.db`);
+}
+
+describe('SQLiteStorage', () => {
+  let dbPath: string;
+  let storage: SQLiteStorage;
+
+  beforeEach(() => {
+    dbPath = tempDbPath();
+    storage = new SQLiteStorage(dbPath);
+  });
+
+  afterEach(() => {
+    storage.close();
+    try { unlinkSync(dbPath); } catch {}
+    try { unlinkSync(dbPath + '-wal'); } catch {}
+    try { unlinkSync(dbPath + '-shm'); } catch {}
+  });
+
+  // ─── Identity ──────────────────────────────────────────────
+
+  describe('identity', () => {
+    test('returns null when no identity stored', async () => {
+      expect(await storage.getIdentityKeyPair()).toBeNull();
+    });
+
+    test('save and retrieve identity keypair', async () => {
+      const ikp: IdentityKeyPair = {
+        signingPublicKey: randBytes(32),
+        signingPrivateKey: randBytes(32),
+        dhPublicKey: randBytes(32),
+        dhPrivateKey: randBytes(32),
+      };
+      await storage.saveIdentityKeyPair(ikp);
+      const restored = await storage.getIdentityKeyPair();
+      expect(restored).not.toBeNull();
+      expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
+      expect(restored!.dhPrivateKey).toEqual(ikp.dhPrivateKey);
+    });
+
+    test('registration ID roundtrip', async () => {
+      expect(await storage.getLocalRegistrationId()).toBe(0);
+      await storage.saveLocalRegistrationId(42);
+      expect(await storage.getLocalRegistrationId()).toBe(42);
+    });
+  });
+
+  // ─── Signed PreKeys ───────────────────────────────────────
+
+  describe('signed prekeys', () => {
+    test('save, get, remove', async () => {
+      const spk: SignedPreKey = {
+        keyId: 1,
+        keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
+        signature: randBytes(64),
+        timestamp: Date.now(),
+      };
+      await storage.saveSignedPreKey(spk);
+      const restored = await storage.getSignedPreKey(1);
+      expect(restored).not.toBeNull();
+      expect(restored!.keyId).toBe(1);
+      expect(restored!.keyPair.publicKey).toEqual(spk.keyPair.publicKey);
+
+      await storage.removeSignedPreKey(1);
+      expect(await storage.getSignedPreKey(1)).toBeNull();
+    });
+  });
+
+  // ─── One-Time PreKeys ─────────────────────────────────────
+
+  describe('one-time prekeys', () => {
+    test('save, get, remove, count', async () => {
+      const otpk: OneTimePreKey = {
+        keyId: 100,
+        keyPair: { publicKey: randBytes(32), privateKey: randBytes(32) },
+      };
+      await storage.saveOneTimePreKey(otpk);
+      expect(await storage.getOneTimePreKeyCount()).toBe(1);
+
+      const restored = await storage.getOneTimePreKey(100);
+      expect(restored!.keyId).toBe(100);
+
+      await storage.removeOneTimePreKey(100);
+      expect(await storage.getOneTimePreKeyCount()).toBe(0);
+      expect(await storage.getOneTimePreKey(100)).toBeNull();
+    });
+  });
+
+  // ─── Sessions ─────────────────────────────────────────────
+
+  describe('sessions', () => {
+    test('save and restore session with skipped keys', async () => {
+      const state = {
+        remoteIdentityKey: randBytes(32),
+        rootKey: randBytes(32),
+        sendChain: { chainKey: randBytes(32), counter: 5 },
+        receiveChain: { chainKey: randBytes(32), counter: 3 },
+        dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
+        dhReceive: randBytes(32),
+        previousSendCounter: 4,
+        skippedKeys: new Map([['key:1', randBytes(32)]]),
+      };
+
+      await storage.saveSession('bob', state);
+      const restored = await storage.getSession('bob');
+      expect(restored).not.toBeNull();
+      expect(restored!.sendChain.counter).toBe(5);
+      expect(restored!.skippedKeys.size).toBe(1);
+      expect(restored!.skippedKeys.get('key:1')).toEqual(state.skippedKeys.get('key:1'));
+    });
+
+    test('remove session', async () => {
+      await storage.saveSession('bob', {
+        remoteIdentityKey: randBytes(32),
+        rootKey: randBytes(32),
+        sendChain: { chainKey: randBytes(32), counter: 0 },
+        receiveChain: null,
+        dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
+        dhReceive: null,
+        previousSendCounter: 0,
+        skippedKeys: new Map(),
+      });
+      await storage.removeSession('bob');
+      expect(await storage.getSession('bob')).toBeNull();
+    });
+  });
+
+  // ─── Trust ────────────────────────────────────────────────
+
+  describe('trust', () => {
+    test('TOFU: first use is trusted', async () => {
+      expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(true);
+    });
+
+    test('saved identity matches', async () => {
+      const key = randBytes(32);
+      await storage.saveTrustedIdentity('bob', key);
+      expect(await storage.isTrustedIdentity('bob', key)).toBe(true);
+      expect(await storage.isTrustedIdentity('bob', randBytes(32))).toBe(false);
+    });
+  });
+
+  // ─── Crash Recovery ───────────────────────────────────────
+
+  describe('persistence across close/reopen', () => {
+    test('data survives close and reopen', async () => {
+      const ikp: IdentityKeyPair = {
+        signingPublicKey: randBytes(32),
+        signingPrivateKey: randBytes(32),
+        dhPublicKey: randBytes(32),
+        dhPrivateKey: randBytes(32),
+      };
+      await storage.saveIdentityKeyPair(ikp);
+      await storage.saveLocalRegistrationId(99);
+      await storage.saveSession('alice', {
+        remoteIdentityKey: randBytes(32),
+        rootKey: randBytes(32),
+        sendChain: { chainKey: randBytes(32), counter: 7 },
+        receiveChain: null,
+        dhSend: { publicKey: randBytes(32), privateKey: randBytes(32) },
+        dhReceive: null,
+        previousSendCounter: 0,
+        skippedKeys: new Map(),
+      });
+
+      // Close and reopen
+      storage.close();
+      storage = new SQLiteStorage(dbPath);
+
+      const restored = await storage.getIdentityKeyPair();
+      expect(restored!.signingPublicKey).toEqual(ikp.signingPublicKey);
+      expect(await storage.getLocalRegistrationId()).toBe(99);
+      const session = await storage.getSession('alice');
+      expect(session!.sendChain.counter).toBe(7);
+    });
+  });
+
+  // ─── Full E2EE with SQLiteStorage ─────────────────────────
+
+  describe('full E2EE conversation with persistent storage', () => {
+    test('encrypt, close, reopen, continue conversation', async () => {
+      const bobDbPath = tempDbPath();
+      let bobStorage = new SQLiteStorage(bobDbPath);
+
+      try {
+        const alice = new ShadeSessionManager(crypto, storage);
+        let bob = new ShadeSessionManager(crypto, bobStorage);
+        await alice.initialize();
+        await bob.initialize();
+
+        const otpks = await bob.generateOneTimePreKeys(5);
+        const bundle = await bob.createPreKeyBundle();
+        bundle.oneTimePreKey = { keyId: otpks[0].keyId, publicKey: otpks[0].keyPair.publicKey };
+
+        await alice.initSessionFromBundle('bob', bundle);
+
+        // Alice → Bob
+        const env1 = await alice.encrypt('bob', 'Hello persistent!');
+        expect(await bob.decrypt('alice', env1)).toBe('Hello persistent!');
+
+        // Bob → Alice
+        const env2 = await bob.encrypt('alice', 'Got it!');
+        expect(await alice.decrypt('bob', env2)).toBe('Got it!');
+
+        // "Crash" Bob — close DB and reopen
+        bobStorage.close();
+        bobStorage = new SQLiteStorage(bobDbPath);
+        bob = new ShadeSessionManager(crypto, bobStorage);
+        await bob.initialize();
+
+        // Continue conversation after "crash"
+        const env3 = await alice.encrypt('bob', 'After your restart');
+        expect(await bob.decrypt('alice', env3)).toBe('After your restart');
+
+        const env4 = await bob.encrypt('alice', 'I survived!');
+        expect(await alice.decrypt('bob', env4)).toBe('I survived!');
+      } finally {
+        bobStorage.close();
+        try { unlinkSync(bobDbPath); } catch {}
+        try { unlinkSync(bobDbPath + '-wal'); } catch {}
+        try { unlinkSync(bobDbPath + '-shm'); } catch {}
+      }
+    });
+  });
+});