@ipld/dag-ucan
An implementation of UCANs in IPLD via Advanced Data Layout (ADL), designed for use with multiformats.
Overview
This library implements ADL for representing UCANs natively in IPLD. It uses DAG-CBOR as a primary encoding, which is hash consistent and more compact than a secondary RAW JWT encoding. Every UCAN in either encoding can be formatted into a valid JWT string and consumed by other spec compliant UCAN implementations. However UCANs issued by other libraries may end up in represented in secondory RAW JWT encoding, that is because whitespaces and key order in JWT affects signatures and there for can't be represented accurately in CBOR. When parsing UCANs library will use CBOR representation and fallback to RAW JWT, which allows interop with all existing tokens in the wild.
Primary Representation
UCANs in primary representation are encoded in DAG-CBOR and have following
IPLD schema:
type UCAN struct {
version String
issuer SigningKey
audience SigningKey
signature Signature
capabilities [Capability]
proofs [&UCAN]
expiration Int
facts [Fact]
nonce optional String
notBefore optional Int
} representation map {
field facts default []
field proofs default []
}
type Capability struct {
with Resource
can Ability
-- can have arbitrary other fields
}
type Fact { String: Any }
-- The resource pointer in URI format
type Resource = String
-- Must be all lower-case `/` delimeted with at least one path segment
type Ability = String
-- Signature is computed by seralizing header & body
-- into corresponding JSON with DAG-JSON (to achieve
-- for hash consitency) then encoded into base64 and
-- then signed by issuers private key
type Signature = Bytes
-- multicodec tagged public key
-- 0xed Ed25519
-- 0x1205 RSA
type SigningKey = Bytes
API
import * as UCAN from "@ipld/dag-ucan"
UCAN.parse(jwt: string): UCAN.View
Parses UCAN formatted as JWT string into a representatino that can be encoded, formatted and queried.
const ucan = UCAN.parse(jwt)
ucan.issuer.did()
UCAN.format(ucan: UCAN.UCAN): string
Formats UCAN into a JWT string.
UCAN.format(UCAN.parse(jwt)) === jwt
UCAN.encode(ucan: UCAN.UCAN): Uint8Array
Encodes UCAN into a binary representation.
UCAN.encode(UCAN.parse(jwt))
UCAN.decode(bytes: Uint8Array): UCAN.UCAN
Decodes UCAN from binary representation into object representation.
UCAN.decode(UCAN.encode(ucan))
UCAN.issue(options: UCAN.UCANOptions): Promise<UCAN.UCAN>
Issues a signed UCAN.
Please note that no capability or time bound validation takes place.
const ucan = await UCAN.issue({
issuer: alice,
audience: bob,
capabilities: [
{
can: "fs/read",
with: `storage://${alice.did()}/public/photos/`,
},
{
can: "pin/add",
with: alice.did(),
},
],
})