Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

@ipld/dag-ucan

Package Overview
Dependencies
Maintainers
9
Versions
29
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@ipld/dag-ucan

UCAN codec for IPLD

  • 4.0.0-beta
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
7.4K
increased by60.44%
Maintainers
9
Weekly downloads
 
Created
Source

@ipld/dag-ucan

An implementation of UCANs in IPLD via Advanced Data Layout (ADL), designed for use with multiformats.

Overview

This library implements ADL for representing UCANs natively in IPLD. It uses DAG-CBOR as a primary encoding, which is hash consistent and more compact than a secondary RAW JWT encoding. Every UCAN in either encoding can be formatted into a valid JWT string and consumed by other spec compliant UCAN implementations. However UCANs issued by other libraries may end up in represented in secondory RAW JWT encoding, that is because whitespaces and key order in JWT affects signatures and there for can't be represented accurately in CBOR. When parsing UCANs library will use CBOR representation and fallback to RAW JWT, which allows interop with all existing tokens in the wild.

Primary Representation

UCANs in primary representation are encoded in DAG-CBOR and have following IPLD schema:

type UCAN struct {
  v String
  s Signature

  -- Issuer DID (sender)
  iss SigningKey
  -- Audience DID (receiver)
  aud SigningKey
  -- Not Before UTC Unix Timestamp (valid from)
  nbf optional Int
  -- Expiration UTC Unix Timestamp (valid until)
  exp nullable Int
  -- Nonce
  nnc optional String
  -- Facts (asserted, signed data)
  fct [Fact]
  -- Attenuations
  att [Capability]
  -- Proof of delegation (hash-linked UCANs)
  prf [&UCAN]
} representation map {
  field fct default []
  field prf default []
}

exp

type Capability struct {
  with Resource
  can Ability
  nb Any
}

type Fact { String: Any }


-- The resource pointer in URI format
type Resource = String

-- Must be all lower-case `/` delimeted with at least one path segment
type Ability = String

-- Signature is computed by seralizing header & body
-- into corresponding JSON with DAG-JSON (to achieve
-- for hash consitency) then encoded into base64 and
-- then signed by issuers private key
type Signature = Bytes

-- multicodec tagged public key
-- 0xed       Ed25519
-- 0x1205     RSA
type SigningKey = Bytes

API

import * as UCAN from "@ipld/dag-ucan"
UCAN.parse(jwt: string): UCAN.View

Parses UCAN formatted as JWT string into a representatino that can be encoded, formatted and queried.

const ucan = UCAN.parse(jwt)
ucan.issuer.did() // did:key:z6Mkk89bC3JrVqKie71YEcc5M1SMVxuCgNx6zLZ8SYJsxALi
UCAN.format(ucan: UCAN.UCAN): string

Formats UCAN into a JWT string.

UCAN.format(UCAN.parse(jwt)) === jwt // true
UCAN.encode(ucan: UCAN.UCAN): Uint8Array

Encodes UCAN into a binary representation.

UCAN.encode(UCAN.parse(jwt)) // Uint8Array(679)
UCAN.decode(bytes: Uint8Array): UCAN.UCAN

Decodes UCAN from binary representation into object representation.

UCAN.decode(UCAN.encode(ucan))
UCAN.issue(options: UCAN.UCANOptions): Promise<UCAN.UCAN>

Issues a signed UCAN.

Please note that no capability or time bound validation takes place.

const ucan = await UCAN.issue({
  issuer: alice,
  audience: bob,
  capabilities: [
    {
      can: "fs/read",
      with: `storage://${alice.did()}/public/photos/`,
    },
    {
      can: "pin/add",
      with: alice.did(),
    },
  ],
})

Embedding Proofs

While not recommended, it is possible to inline proofs inside a single UCAN using CIDs with identity multihash:

import { identity } from "multiformats/hashes/identity"
const proof = await UCAN.issue({
  issuer: alice,
  audience: bob,
  capabilities: [{ can: "store/add", with: alice.did() }],
})

const delegation = await UCAN.issue({
  issuer: bob,
  audience: mallory,
  capabilities: proof.capabilities,
  proofs: [await UCAN.link(proof, { hasher: identity })],
})

Keywords

FAQs

Package last updated on 26 Sep 2022

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc