internal: incomplete vault systems behind feature flag (#2340)

packages/services/src/Domain/SharedVaults/PendingSharedVaultInviteRecord.ts

@@ -0,0 +1,8 @@
+import { AsymmetricMessageSharedVaultInvite } from '@standardnotes/models'
+import { SharedVaultInviteServerHash } from '@standardnotes/responses'
+
+export type PendingSharedVaultInviteRecord = {
+  invite: SharedVaultInviteServerHash
+  message: AsymmetricMessageSharedVaultInvite
+  trusted: boolean
+}

packages/services/src/Domain/SharedVaults/SharedVaultService.ts

@@ -0,0 +1,587 @@
+import { MutatorClientInterface } from './../Mutator/MutatorClientInterface'
+import { StorageServiceInterface } from './../Storage/StorageServiceInterface'
+import { InviteContactToSharedVaultUseCase } from './UseCase/InviteContactToSharedVault'
+import {
+  ClientDisplayableError,
+  SharedVaultInviteServerHash,
+  isErrorResponse,
+  SharedVaultUserServerHash,
+  isClientDisplayableError,
+  SharedVaultPermission,
+  UserEventType,
+} from '@standardnotes/responses'
+import {
+  HttpServiceInterface,
+  SharedVaultServerInterface,
+  SharedVaultUsersServerInterface,
+  SharedVaultInvitesServerInterface,
+  SharedVaultUsersServer,
+  SharedVaultInvitesServer,
+  SharedVaultServer,
+  AsymmetricMessageServerInterface,
+  AsymmetricMessageServer,
+} from '@standardnotes/api'
+import {
+  DecryptedItemInterface,
+  PayloadEmitSource,
+  TrustedContactInterface,
+  SharedVaultListingInterface,
+  VaultListingInterface,
+  AsymmetricMessageSharedVaultInvite,
+  KeySystemRootKeyStorageMode,
+} from '@standardnotes/models'
+import { SharedVaultServiceInterface } from './SharedVaultServiceInterface'
+import { SharedVaultServiceEvent, SharedVaultServiceEventPayload } from './SharedVaultServiceEvent'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { ContentType } from '@standardnotes/common'
+import { GetSharedVaultUsersUseCase } from './UseCase/GetSharedVaultUsers'
+import { RemoveVaultMemberUseCase } from './UseCase/RemoveSharedVaultMember'
+import { AbstractService } from '../Service/AbstractService'
+import { InternalEventHandlerInterface } from '../Internal/InternalEventHandlerInterface'
+import { SyncServiceInterface } from '../Sync/SyncServiceInterface'
+import { ItemManagerInterface } from '../Item/ItemManagerInterface'
+import { SessionsClientInterface } from '../Session/SessionsClientInterface'
+import { ContactServiceInterface } from '../Contacts/ContactServiceInterface'
+import { InternalEventBusInterface } from '../Internal/InternalEventBusInterface'
+import { SyncEvent, SyncEventReceivedSharedVaultInvitesData } from '../Event/SyncEvent'
+import { SessionEvent } from '../Session/SessionEvent'
+import { InternalEventInterface } from '../Internal/InternalEventInterface'
+import { FilesClientInterface } from '@standardnotes/files'
+import { LeaveVaultUseCase } from './UseCase/LeaveSharedVault'
+import { VaultServiceInterface } from '../Vaults/VaultServiceInterface'
+import { UserEventServiceEvent, UserEventServiceEventPayload } from '../UserEvent/UserEventServiceEvent'
+import { DeleteExternalSharedVaultUseCase } from './UseCase/DeleteExternalSharedVault'
+import { DeleteSharedVaultUseCase } from './UseCase/DeleteSharedVault'
+import { VaultServiceEvent, VaultServiceEventPayload } from '../Vaults/VaultServiceEvent'
+import { AcceptTrustedSharedVaultInvite } from './UseCase/AcceptTrustedSharedVaultInvite'
+import { GetAsymmetricMessageTrustedPayload } from '../AsymmetricMessage/UseCase/GetAsymmetricMessageTrustedPayload'
+import { PendingSharedVaultInviteRecord } from './PendingSharedVaultInviteRecord'
+import { GetAsymmetricMessageUntrustedPayload } from '../AsymmetricMessage/UseCase/GetAsymmetricMessageUntrustedPayload'
+import { ShareContactWithAllMembersOfSharedVaultUseCase } from './UseCase/ShareContactWithAllMembersOfSharedVault'
+import { GetSharedVaultTrustedContacts } from './UseCase/GetSharedVaultTrustedContacts'
+import { NotifySharedVaultUsersOfRootKeyRotationUseCase } from './UseCase/NotifySharedVaultUsersOfRootKeyRotation'
+import { CreateSharedVaultUseCase } from './UseCase/CreateSharedVault'
+import { SendSharedVaultMetadataChangedMessageToAll } from './UseCase/SendSharedVaultMetadataChangedMessageToAll'
+import { ConvertToSharedVaultUseCase } from './UseCase/ConvertToSharedVault'
+import { GetVaultUseCase } from '../Vaults/UseCase/GetVault'
+
+export class SharedVaultService
+  extends AbstractService<SharedVaultServiceEvent, SharedVaultServiceEventPayload>
+  implements SharedVaultServiceInterface, InternalEventHandlerInterface
+{
+  private server: SharedVaultServerInterface
+  private usersServer: SharedVaultUsersServerInterface
+  private invitesServer: SharedVaultInvitesServerInterface
+  private messageServer: AsymmetricMessageServerInterface
+
+  private pendingInvites: Record<string, PendingSharedVaultInviteRecord> = {}
+
+  constructor(
+    http: HttpServiceInterface,
+    private sync: SyncServiceInterface,
+    private items: ItemManagerInterface,
+    private mutator: MutatorClientInterface,
+    private encryption: EncryptionProviderInterface,
+    private session: SessionsClientInterface,
+    private contacts: ContactServiceInterface,
+    private files: FilesClientInterface,
+    private vaults: VaultServiceInterface,
+    private storage: StorageServiceInterface,
+    eventBus: InternalEventBusInterface,
+  ) {
+    super(eventBus)
+
+    eventBus.addEventHandler(this, SessionEvent.UserKeyPairChanged)
+    eventBus.addEventHandler(this, UserEventServiceEvent.UserEventReceived)
+    eventBus.addEventHandler(this, VaultServiceEvent.VaultRootKeyRotated)
+
+    this.server = new SharedVaultServer(http)
+    this.usersServer = new SharedVaultUsersServer(http)
+    this.invitesServer = new SharedVaultInvitesServer(http)
+    this.messageServer = new AsymmetricMessageServer(http)
+
+    this.eventDisposers.push(
+      sync.addEventObserver(async (event, data) => {
+        if (event === SyncEvent.ReceivedSharedVaultInvites) {
+          void this.processInboundInvites(data as SyncEventReceivedSharedVaultInvitesData)
+        } else if (event === SyncEvent.ReceivedRemoteSharedVaults) {
+          void this.notifyCollaborationStatusChanged()
+        }
+      }),
+    )
+
+    this.eventDisposers.push(
+      items.addObserver<TrustedContactInterface>(ContentType.TrustedContact, ({ changed, inserted, source }) => {
+        if (source === PayloadEmitSource.LocalChanged && inserted.length > 0) {
+          void this.handleCreationOfNewTrustedContacts(inserted)
+        }
+        if (source === PayloadEmitSource.LocalChanged && changed.length > 0) {
+          void this.handleTrustedContactsChange(changed)
+        }
+      }),
+    )
+
+    this.eventDisposers.push(
+      items.addObserver<VaultListingInterface>(ContentType.VaultListing, ({ changed, source }) => {
+        if (source === PayloadEmitSource.LocalChanged && changed.length > 0) {
+          void this.handleVaultListingsChange(changed)
+        }
+      }),
+    )
+  }
+
+  async handleEvent(event: InternalEventInterface): Promise<void> {
+    if (event.type === SessionEvent.UserKeyPairChanged) {
+      void this.invitesServer.deleteAllInboundInvites()
+    } else if (event.type === UserEventServiceEvent.UserEventReceived) {
+      await this.handleUserEvent(event.payload as UserEventServiceEventPayload)
+    } else if (event.type === VaultServiceEvent.VaultRootKeyRotated) {
+      const payload = event.payload as VaultServiceEventPayload[VaultServiceEvent.VaultRootKeyRotated]
+      await this.handleVaultRootKeyRotatedEvent(payload.vault)
+    }
+  }
+
+  private async handleUserEvent(event: UserEventServiceEventPayload): Promise<void> {
+    if (event.eventPayload.eventType === UserEventType.RemovedFromSharedVault) {
+      const vault = new GetVaultUseCase(this.items).execute({ sharedVaultUuid: event.eventPayload.sharedVaultUuid })
+      if (vault) {
+        const useCase = new DeleteExternalSharedVaultUseCase(
+          this.items,
+          this.mutator,
+          this.encryption,
+          this.storage,
+          this.sync,
+        )
+        await useCase.execute(vault)
+      }
+    } else if (event.eventPayload.eventType === UserEventType.SharedVaultItemRemoved) {
+      const item = this.items.findItem(event.eventPayload.itemUuid)
+      if (item) {
+        this.items.removeItemsLocally([item])
+      }
+    }
+  }
+
+  private async handleVaultRootKeyRotatedEvent(vault: VaultListingInterface): Promise<void> {
+    if (!vault.isSharedVaultListing()) {
+      return
+    }
+
+    if (!this.isCurrentUserSharedVaultOwner(vault)) {
+      return
+    }
+
+    const usecase = new NotifySharedVaultUsersOfRootKeyRotationUseCase(
+      this.usersServer,
+      this.invitesServer,
+      this.messageServer,
+      this.encryption,
+      this.contacts,
+    )
+
+    await usecase.execute({ sharedVault: vault, userUuid: this.session.getSureUser().uuid })
+  }
+
+  async createSharedVault(dto: {
+    name: string
+    description?: string
+    userInputtedPassword: string | undefined
+    storagePreference?: KeySystemRootKeyStorageMode
+  }): Promise<VaultListingInterface | ClientDisplayableError> {
+    const usecase = new CreateSharedVaultUseCase(
+      this.encryption,
+      this.items,
+      this.mutator,
+      this.sync,
+      this.files,
+      this.server,
+    )
+
+    return usecase.execute({
+      vaultName: dto.name,
+      vaultDescription: dto.description,
+      userInputtedPassword: dto.userInputtedPassword,
+      storagePreference: dto.storagePreference ?? KeySystemRootKeyStorageMode.Synced,
+    })
+  }
+
+  async convertVaultToSharedVault(
+    vault: VaultListingInterface,
+  ): Promise<SharedVaultListingInterface | ClientDisplayableError> {
+    const usecase = new ConvertToSharedVaultUseCase(this.items, this.mutator, this.sync, this.files, this.server)
+
+    return usecase.execute({ vault })
+  }
+
+  public getCachedPendingInviteRecords(): PendingSharedVaultInviteRecord[] {
+    return Object.values(this.pendingInvites)
+  }
+
+  private getAllSharedVaults(): SharedVaultListingInterface[] {
+    const vaults = this.vaults.getVaults().filter((vault) => vault.isSharedVaultListing())
+    return vaults as SharedVaultListingInterface[]
+  }
+
+  private findSharedVault(sharedVaultUuid: string): SharedVaultListingInterface | undefined {
+    return this.getAllSharedVaults().find((vault) => vault.sharing.sharedVaultUuid === sharedVaultUuid)
+  }
+
+  public isCurrentUserSharedVaultAdmin(sharedVault: SharedVaultListingInterface): boolean {
+    if (!sharedVault.sharing.ownerUserUuid) {
+      throw new Error(`Shared vault ${sharedVault.sharing.sharedVaultUuid} does not have an owner user uuid`)
+    }
+    return sharedVault.sharing.ownerUserUuid === this.session.userUuid
+  }
+
+  public isCurrentUserSharedVaultOwner(sharedVault: SharedVaultListingInterface): boolean {
+    if (!sharedVault.sharing.ownerUserUuid) {
+      throw new Error(`Shared vault ${sharedVault.sharing.sharedVaultUuid} does not have an owner user uuid`)
+    }
+    return sharedVault.sharing.ownerUserUuid === this.session.userUuid
+  }
+
+  public isSharedVaultUserSharedVaultOwner(user: SharedVaultUserServerHash): boolean {
+    const vault = this.findSharedVault(user.shared_vault_uuid)
+    return vault != undefined && vault.sharing.ownerUserUuid === user.user_uuid
+  }
+
+  private async handleCreationOfNewTrustedContacts(_contacts: TrustedContactInterface[]): Promise<void> {
+    await this.downloadInboundInvites()
+  }
+
+  private async handleTrustedContactsChange(contacts: TrustedContactInterface[]): Promise<void> {
+    await this.reprocessCachedInvitesTrustStatusAfterTrustedContactsChange()
+
+    for (const contact of contacts) {
+      await this.shareContactWithUserAdministeredSharedVaults(contact)
+    }
+  }
+
+  private async handleVaultListingsChange(vaults: VaultListingInterface[]): Promise<void> {
+    for (const vault of vaults) {
+      if (!vault.isSharedVaultListing()) {
+        continue
+      }
+
+      const usecase = new SendSharedVaultMetadataChangedMessageToAll(
+        this.encryption,
+        this.contacts,
+        this.usersServer,
+        this.messageServer,
+      )
+
+      await usecase.execute({
+        vault,
+        senderUuid: this.session.getSureUser().uuid,
+        senderEncryptionKeyPair: this.encryption.getKeyPair(),
+        senderSigningKeyPair: this.encryption.getSigningKeyPair(),
+      })
+    }
+  }
+
+  public async downloadInboundInvites(): Promise<ClientDisplayableError | SharedVaultInviteServerHash[]> {
+    const response = await this.invitesServer.getInboundUserInvites()
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromString(`Failed to get inbound user invites ${response}`)
+    }
+
+    this.pendingInvites = {}
+
+    await this.processInboundInvites(response.data.invites)
+
+    return response.data.invites
+  }
+
+  public async getOutboundInvites(
+    sharedVault?: SharedVaultListingInterface,
+  ): Promise<SharedVaultInviteServerHash[] | ClientDisplayableError> {
+    const response = await this.invitesServer.getOutboundUserInvites()
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromString(`Failed to get outbound user invites ${response}`)
+    }
+
+    if (sharedVault) {
+      return response.data.invites.filter((invite) => invite.shared_vault_uuid === sharedVault.sharing.sharedVaultUuid)
+    }
+
+    return response.data.invites
+  }
+
+  public async deleteInvite(invite: SharedVaultInviteServerHash): Promise<ClientDisplayableError | void> {
+    const response = await this.invitesServer.deleteInvite({
+      sharedVaultUuid: invite.shared_vault_uuid,
+      inviteUuid: invite.uuid,
+    })
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromString(`Failed to delete invite ${response}`)
+    }
+
+    delete this.pendingInvites[invite.uuid]
+  }
+
+  public async deleteSharedVault(sharedVault: SharedVaultListingInterface): Promise<ClientDisplayableError | void> {
+    const useCase = new DeleteSharedVaultUseCase(this.server, this.items, this.mutator, this.sync, this.encryption)
+    return useCase.execute({ sharedVault })
+  }
+
+  private async reprocessCachedInvitesTrustStatusAfterTrustedContactsChange(): Promise<void> {
+    const cachedInvites = this.getCachedPendingInviteRecords()
+
+    for (const record of cachedInvites) {
+      if (record.trusted) {
+        continue
+      }
+
+      const trustedMessageUseCase = new GetAsymmetricMessageTrustedPayload<AsymmetricMessageSharedVaultInvite>(
+        this.encryption,
+        this.contacts,
+      )
+
+      const trustedMessage = trustedMessageUseCase.execute({
+        message: record.invite,
+        privateKey: this.encryption.getKeyPair().privateKey,
+      })
+
+      if (trustedMessage) {
+        record.message = trustedMessage
+        record.trusted = true
+      }
+    }
+  }
+
+  private async processInboundInvites(invites: SharedVaultInviteServerHash[]): Promise<void> {
+    if (invites.length === 0) {
+      return
+    }
+
+    for (const invite of invites) {
+      const trustedMessageUseCase = new GetAsymmetricMessageTrustedPayload<AsymmetricMessageSharedVaultInvite>(
+        this.encryption,
+        this.contacts,
+      )
+
+      const trustedMessage = trustedMessageUseCase.execute({
+        message: invite,
+        privateKey: this.encryption.getKeyPair().privateKey,
+      })
+
+      if (trustedMessage) {
+        this.pendingInvites[invite.uuid] = {
+          invite,
+          message: trustedMessage,
+          trusted: true,
+        }
+
+        continue
+      }
+
+      const untrustedMessageUseCase = new GetAsymmetricMessageUntrustedPayload<AsymmetricMessageSharedVaultInvite>(
+        this.encryption,
+      )
+
+      const untrustedMessage = untrustedMessageUseCase.execute({
+        message: invite,
+        privateKey: this.encryption.getKeyPair().privateKey,
+      })
+
+      if (untrustedMessage) {
+        this.pendingInvites[invite.uuid] = {
+          invite,
+          message: untrustedMessage,
+          trusted: false,
+        }
+      }
+    }
+
+    await this.notifyCollaborationStatusChanged()
+  }
+
+  private async notifyCollaborationStatusChanged(): Promise<void> {
+    await this.notifyEventSync(SharedVaultServiceEvent.SharedVaultStatusChanged)
+  }
+
+  async acceptPendingSharedVaultInvite(pendingInvite: PendingSharedVaultInviteRecord): Promise<void> {
+    if (!pendingInvite.trusted) {
+      throw new Error('Cannot accept untrusted invite')
+    }
+
+    const useCase = new AcceptTrustedSharedVaultInvite(this.invitesServer, this.mutator, this.sync, this.contacts)
+    await useCase.execute({ invite: pendingInvite.invite, message: pendingInvite.message })
+
+    delete this.pendingInvites[pendingInvite.invite.uuid]
+
+    void this.sync.sync()
+
+    await this.decryptErroredItemsAfterInviteAccept()
+
+    await this.sync.syncSharedVaultsFromScratch([pendingInvite.invite.shared_vault_uuid])
+  }
+
+  private async decryptErroredItemsAfterInviteAccept(): Promise<void> {
+    await this.encryption.decryptErroredPayloads()
+  }
+
+  public async getInvitableContactsForSharedVault(
+    sharedVault: SharedVaultListingInterface,
+  ): Promise<TrustedContactInterface[]> {
+    const users = await this.getSharedVaultUsers(sharedVault)
+    if (!users) {
+      return []
+    }
+
+    const contacts = this.contacts.getAllContacts()
+    return contacts.filter((contact) => {
+      const isContactAlreadyInVault = users.some((user) => user.user_uuid === contact.contactUuid)
+      return !isContactAlreadyInVault
+    })
+  }
+
+  private async getSharedVaultContacts(sharedVault: SharedVaultListingInterface): Promise<TrustedContactInterface[]> {
+    const usecase = new GetSharedVaultTrustedContacts(this.contacts, this.usersServer)
+    const contacts = await usecase.execute(sharedVault)
+    if (!contacts) {
+      return []
+    }
+
+    return contacts
+  }
+
+  async inviteContactToSharedVault(
+    sharedVault: SharedVaultListingInterface,
+    contact: TrustedContactInterface,
+    permissions: SharedVaultPermission,
+  ): Promise<SharedVaultInviteServerHash | ClientDisplayableError> {
+    const sharedVaultContacts = await this.getSharedVaultContacts(sharedVault)
+
+    const useCase = new InviteContactToSharedVaultUseCase(this.encryption, this.invitesServer)
+
+    const result = await useCase.execute({
+      senderKeyPair: this.encryption.getKeyPair(),
+      senderSigningKeyPair: this.encryption.getSigningKeyPair(),
+      sharedVault,
+      recipient: contact,
+      sharedVaultContacts,
+      permissions,
+    })
+
+    void this.notifyCollaborationStatusChanged()
+
+    await this.sync.sync()
+
+    return result
+  }
+
+  async removeUserFromSharedVault(
+    sharedVault: SharedVaultListingInterface,
+    userUuid: string,
+  ): Promise<ClientDisplayableError | void> {
+    if (!this.isCurrentUserSharedVaultAdmin(sharedVault)) {
+      throw new Error('Only vault admins can remove users')
+    }
+
+    if (this.vaults.isVaultLocked(sharedVault)) {
+      throw new Error('Cannot remove user from locked vault')
+    }
+
+    const useCase = new RemoveVaultMemberUseCase(this.usersServer)
+    const result = await useCase.execute({ sharedVaultUuid: sharedVault.sharing.sharedVaultUuid, userUuid })
+    if (isClientDisplayableError(result)) {
+      return result
+    }
+
+    void this.notifyCollaborationStatusChanged()
+
+    await this.vaults.rotateVaultRootKey(sharedVault)
+  }
+
+  async leaveSharedVault(sharedVault: SharedVaultListingInterface): Promise<ClientDisplayableError | void> {
+    const useCase = new LeaveVaultUseCase(
+      this.usersServer,
+      this.items,
+      this.mutator,
+      this.encryption,
+      this.storage,
+      this.sync,
+    )
+    const result = await useCase.execute({
+      sharedVault: sharedVault,
+      userUuid: this.session.getSureUser().uuid,
+    })
+
+    if (isClientDisplayableError(result)) {
+      return result
+    }
+
+    void this.notifyCollaborationStatusChanged()
+  }
+
+  async getSharedVaultUsers(
+    sharedVault: SharedVaultListingInterface,
+  ): Promise<SharedVaultUserServerHash[] | undefined> {
+    const useCase = new GetSharedVaultUsersUseCase(this.usersServer)
+    return useCase.execute({ sharedVaultUuid: sharedVault.sharing.sharedVaultUuid })
+  }
+
+  private async shareContactWithUserAdministeredSharedVaults(contact: TrustedContactInterface): Promise<void> {
+    const sharedVaults = this.getAllSharedVaults()
+
+    const useCase = new ShareContactWithAllMembersOfSharedVaultUseCase(
+      this.contacts,
+      this.encryption,
+      this.usersServer,
+      this.messageServer,
+    )
+
+    for (const vault of sharedVaults) {
+      if (!this.isCurrentUserSharedVaultAdmin(vault)) {
+        continue
+      }
+
+      await useCase.execute({
+        senderKeyPair: this.encryption.getKeyPair(),
+        senderSigningKeyPair: this.encryption.getSigningKeyPair(),
+        sharedVault: vault,
+        contactToShare: contact,
+        senderUserUuid: this.session.getSureUser().uuid,
+      })
+    }
+  }
+
+  getItemLastEditedBy(item: DecryptedItemInterface): TrustedContactInterface | undefined {
+    if (!item.last_edited_by_uuid) {
+      return undefined
+    }
+
+    const contact = this.contacts.findTrustedContact(item.last_edited_by_uuid)
+
+    return contact
+  }
+
+  getItemSharedBy(item: DecryptedItemInterface): TrustedContactInterface | undefined {
+    if (!item.user_uuid || item.user_uuid === this.session.getSureUser().uuid) {
+      return undefined
+    }
+
+    const contact = this.contacts.findTrustedContact(item.user_uuid)
+
+    return contact
+  }
+
+  override deinit(): void {
+    super.deinit()
+    ;(this.contacts as unknown) = undefined
+    ;(this.encryption as unknown) = undefined
+    ;(this.files as unknown) = undefined
+    ;(this.invitesServer as unknown) = undefined
+    ;(this.items as unknown) = undefined
+    ;(this.messageServer as unknown) = undefined
+    ;(this.server as unknown) = undefined
+    ;(this.session as unknown) = undefined
+    ;(this.sync as unknown) = undefined
+    ;(this.usersServer as unknown) = undefined
+    ;(this.vaults as unknown) = undefined
+  }
+}

packages/services/src/Domain/SharedVaults/SharedVaultServiceEvent.ts

@@ -0,0 +1,10 @@
+import { KeySystemIdentifier } from '@standardnotes/models'
+
+export enum SharedVaultServiceEvent {
+  SharedVaultStatusChanged = 'SharedVaultStatusChanged',
+}
+
+export type SharedVaultServiceEventPayload = {
+  sharedVaultUuid: string
+  keySystemIdentifier: KeySystemIdentifier
+}

packages/services/src/Domain/SharedVaults/SharedVaultServiceInterface.ts

@@ -0,0 +1,55 @@
+import {
+  ClientDisplayableError,
+  SharedVaultInviteServerHash,
+  SharedVaultUserServerHash,
+  SharedVaultPermission,
+} from '@standardnotes/responses'
+import {
+  DecryptedItemInterface,
+  TrustedContactInterface,
+  SharedVaultListingInterface,
+  VaultListingInterface,
+  KeySystemRootKeyStorageMode,
+} from '@standardnotes/models'
+import { AbstractService } from '../Service/AbstractService'
+import { SharedVaultServiceEvent, SharedVaultServiceEventPayload } from './SharedVaultServiceEvent'
+import { PendingSharedVaultInviteRecord } from './PendingSharedVaultInviteRecord'
+
+export interface SharedVaultServiceInterface
+  extends AbstractService<SharedVaultServiceEvent, SharedVaultServiceEventPayload> {
+  createSharedVault(dto: {
+    name: string
+    description?: string
+    userInputtedPassword: string | undefined
+    storagePreference?: KeySystemRootKeyStorageMode
+  }): Promise<VaultListingInterface | ClientDisplayableError>
+  deleteSharedVault(sharedVault: SharedVaultListingInterface): Promise<ClientDisplayableError | void>
+
+  convertVaultToSharedVault(vault: VaultListingInterface): Promise<SharedVaultListingInterface | ClientDisplayableError>
+
+  inviteContactToSharedVault(
+    sharedVault: SharedVaultListingInterface,
+    contact: TrustedContactInterface,
+    permissions: SharedVaultPermission,
+  ): Promise<SharedVaultInviteServerHash | ClientDisplayableError>
+  removeUserFromSharedVault(
+    sharedVault: SharedVaultListingInterface,
+    userUuid: string,
+  ): Promise<ClientDisplayableError | void>
+  leaveSharedVault(sharedVault: SharedVaultListingInterface): Promise<ClientDisplayableError | void>
+  getSharedVaultUsers(sharedVault: SharedVaultListingInterface): Promise<SharedVaultUserServerHash[] | undefined>
+  isSharedVaultUserSharedVaultOwner(user: SharedVaultUserServerHash): boolean
+  isCurrentUserSharedVaultAdmin(sharedVault: SharedVaultListingInterface): boolean
+
+  getItemLastEditedBy(item: DecryptedItemInterface): TrustedContactInterface | undefined
+  getItemSharedBy(item: DecryptedItemInterface): TrustedContactInterface | undefined
+
+  downloadInboundInvites(): Promise<ClientDisplayableError | SharedVaultInviteServerHash[]>
+  getOutboundInvites(
+    sharedVault?: SharedVaultListingInterface,
+  ): Promise<SharedVaultInviteServerHash[] | ClientDisplayableError>
+  acceptPendingSharedVaultInvite(pendingInvite: PendingSharedVaultInviteRecord): Promise<void>
+  getCachedPendingInviteRecords(): PendingSharedVaultInviteRecord[]
+  getInvitableContactsForSharedVault(sharedVault: SharedVaultListingInterface): Promise<TrustedContactInterface[]>
+  deleteInvite(invite: SharedVaultInviteServerHash): Promise<ClientDisplayableError | void>
+}

packages/services/src/Domain/SharedVaults/UseCase/AcceptTrustedSharedVaultInvite.ts

@@ -0,0 +1,29 @@
+import { MutatorClientInterface } from './../../Mutator/MutatorClientInterface'
+import { SyncServiceInterface } from './../../Sync/SyncServiceInterface'
+import { AsymmetricMessageSharedVaultInvite } from '@standardnotes/models'
+import { SharedVaultInvitesServerInterface } from '@standardnotes/api'
+import { SharedVaultInviteServerHash } from '@standardnotes/responses'
+import { HandleTrustedSharedVaultInviteMessage } from '../../AsymmetricMessage/UseCase/HandleTrustedSharedVaultInviteMessage'
+import { ContactServiceInterface } from '../../Contacts/ContactServiceInterface'
+
+export class AcceptTrustedSharedVaultInvite {
+  constructor(
+    private vaultInvitesServer: SharedVaultInvitesServerInterface,
+    private mutator: MutatorClientInterface,
+    private sync: SyncServiceInterface,
+    private contacts: ContactServiceInterface,
+  ) {}
+
+  async execute(dto: {
+    invite: SharedVaultInviteServerHash
+    message: AsymmetricMessageSharedVaultInvite
+  }): Promise<void> {
+    const useCase = new HandleTrustedSharedVaultInviteMessage(this.mutator, this.sync, this.contacts)
+    await useCase.execute(dto.message, dto.invite.shared_vault_uuid, dto.invite.sender_uuid)
+
+    await this.vaultInvitesServer.acceptInvite({
+      sharedVaultUuid: dto.invite.shared_vault_uuid,
+      inviteUuid: dto.invite.uuid,
+    })
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/ConvertToSharedVault.ts

@@ -0,0 +1,47 @@
+import { SyncServiceInterface } from './../../Sync/SyncServiceInterface'
+import { SharedVaultListingInterface, VaultListingInterface, VaultListingMutator } from '@standardnotes/models'
+import { ClientDisplayableError, isErrorResponse } from '@standardnotes/responses'
+import { SharedVaultServerInterface } from '@standardnotes/api'
+import { ItemManagerInterface } from '../../Item/ItemManagerInterface'
+import { MoveItemsToVaultUseCase } from '../../Vaults/UseCase/MoveItemsToVault'
+import { FilesClientInterface } from '@standardnotes/files'
+import { MutatorClientInterface } from '../../Mutator/MutatorClientInterface'
+
+export class ConvertToSharedVaultUseCase {
+  constructor(
+    private items: ItemManagerInterface,
+    private mutator: MutatorClientInterface,
+    private sync: SyncServiceInterface,
+    private files: FilesClientInterface,
+    private sharedVaultServer: SharedVaultServerInterface,
+  ) {}
+
+  async execute(dto: { vault: VaultListingInterface }): Promise<SharedVaultListingInterface | ClientDisplayableError> {
+    if (dto.vault.isSharedVaultListing()) {
+      throw new Error('Cannot convert a shared vault to a shared vault')
+    }
+
+    const serverResult = await this.sharedVaultServer.createSharedVault()
+    if (isErrorResponse(serverResult)) {
+      return ClientDisplayableError.FromString(`Failed to create shared vault ${serverResult}`)
+    }
+
+    const serverVaultHash = serverResult.data.sharedVault
+
+    const sharedVaultListing = await this.mutator.changeItem<VaultListingMutator, VaultListingInterface>(
+      dto.vault,
+      (mutator) => {
+        mutator.sharing = {
+          sharedVaultUuid: serverVaultHash.uuid,
+          ownerUserUuid: serverVaultHash.user_uuid,
+        }
+      },
+    )
+
+    const vaultItems = this.items.itemsBelongingToKeySystem(sharedVaultListing.systemIdentifier)
+    const moveToVaultUsecase = new MoveItemsToVaultUseCase(this.mutator, this.sync, this.files)
+    await moveToVaultUsecase.execute({ vault: sharedVaultListing, items: vaultItems })
+
+    return sharedVaultListing as SharedVaultListingInterface
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/CreateSharedVault.ts

@@ -0,0 +1,64 @@
+import { SyncServiceInterface } from './../../Sync/SyncServiceInterface'
+import {
+  KeySystemRootKeyStorageMode,
+  SharedVaultListingInterface,
+  VaultListingInterface,
+  VaultListingMutator,
+} from '@standardnotes/models'
+import { ClientDisplayableError, isErrorResponse } from '@standardnotes/responses'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { SharedVaultServerInterface } from '@standardnotes/api'
+import { ItemManagerInterface } from '../../Item/ItemManagerInterface'
+import { CreateVaultUseCase } from '../../Vaults/UseCase/CreateVault'
+import { MoveItemsToVaultUseCase } from '../../Vaults/UseCase/MoveItemsToVault'
+import { FilesClientInterface } from '@standardnotes/files'
+import { MutatorClientInterface } from '../../Mutator/MutatorClientInterface'
+
+export class CreateSharedVaultUseCase {
+  constructor(
+    private encryption: EncryptionProviderInterface,
+    private items: ItemManagerInterface,
+    private mutator: MutatorClientInterface,
+    private sync: SyncServiceInterface,
+    private files: FilesClientInterface,
+    private sharedVaultServer: SharedVaultServerInterface,
+  ) {}
+
+  async execute(dto: {
+    vaultName: string
+    vaultDescription?: string
+    userInputtedPassword: string | undefined
+    storagePreference: KeySystemRootKeyStorageMode
+  }): Promise<SharedVaultListingInterface | ClientDisplayableError> {
+    const usecase = new CreateVaultUseCase(this.mutator, this.encryption, this.sync)
+    const privateVault = await usecase.execute({
+      vaultName: dto.vaultName,
+      vaultDescription: dto.vaultDescription,
+      userInputtedPassword: dto.userInputtedPassword,
+      storagePreference: dto.storagePreference,
+    })
+
+    const serverResult = await this.sharedVaultServer.createSharedVault()
+    if (isErrorResponse(serverResult)) {
+      return ClientDisplayableError.FromString(`Failed to create shared vault ${JSON.stringify(serverResult)}`)
+    }
+
+    const serverVaultHash = serverResult.data.sharedVault
+
+    const sharedVaultListing = await this.mutator.changeItem<VaultListingMutator, VaultListingInterface>(
+      privateVault,
+      (mutator) => {
+        mutator.sharing = {
+          sharedVaultUuid: serverVaultHash.uuid,
+          ownerUserUuid: serverVaultHash.user_uuid,
+        }
+      },
+    )
+
+    const vaultItems = this.items.itemsBelongingToKeySystem(sharedVaultListing.systemIdentifier)
+    const moveToVaultUsecase = new MoveItemsToVaultUseCase(this.mutator, this.sync, this.files)
+    await moveToVaultUsecase.execute({ vault: sharedVaultListing, items: vaultItems })
+
+    return sharedVaultListing as SharedVaultListingInterface
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/DeleteExternalSharedVault.ts

@@ -0,0 +1,48 @@
+import { SyncServiceInterface } from './../../Sync/SyncServiceInterface'
+import { StorageServiceInterface } from '../../Storage/StorageServiceInterface'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { ItemManagerInterface } from '../../Item/ItemManagerInterface'
+import { AnyItemInterface, VaultListingInterface } from '@standardnotes/models'
+import { Uuids } from '@standardnotes/utils'
+import { MutatorClientInterface } from '../../Mutator/MutatorClientInterface'
+
+export class DeleteExternalSharedVaultUseCase {
+  constructor(
+    private items: ItemManagerInterface,
+    private mutator: MutatorClientInterface,
+    private encryption: EncryptionProviderInterface,
+    private storage: StorageServiceInterface,
+    private sync: SyncServiceInterface,
+  ) {}
+
+  async execute(vault: VaultListingInterface): Promise<void> {
+    await this.deleteDataSharedByVaultUsers(vault)
+    await this.deleteDataOwnedByThisUser(vault)
+    await this.encryption.keys.deleteNonPersistentSystemRootKeysForVault(vault.systemIdentifier)
+
+    void this.sync.sync({ sourceDescription: 'Not awaiting due to this event handler running from sync response' })
+  }
+
+  /**
+   * This data is shared with all vault users and does not belong to this particular user
+   * The data will be removed locally without syncing the items
+   */
+  private async deleteDataSharedByVaultUsers(vault: VaultListingInterface): Promise<void> {
+    const vaultItems = this.items
+      .allTrackedItems()
+      .filter((item) => item.key_system_identifier === vault.systemIdentifier)
+    this.items.removeItemsLocally(vaultItems as AnyItemInterface[])
+
+    const itemsKeys = this.encryption.keys.getKeySystemItemsKeys(vault.systemIdentifier)
+    this.items.removeItemsLocally(itemsKeys)
+
+    await this.storage.deletePayloadsWithUuids([...Uuids(vaultItems), ...Uuids(itemsKeys)])
+  }
+
+  private async deleteDataOwnedByThisUser(vault: VaultListingInterface): Promise<void> {
+    const rootKeys = this.encryption.keys.getSyncedKeySystemRootKeysForVault(vault.systemIdentifier)
+    await this.mutator.setItemsToBeDeleted(rootKeys)
+
+    await this.mutator.setItemToBeDeleted(vault)
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/DeleteSharedVault.ts

@@ -0,0 +1,33 @@
+import { MutatorClientInterface } from './../../Mutator/MutatorClientInterface'
+import { ClientDisplayableError, isErrorResponse } from '@standardnotes/responses'
+import { SharedVaultServerInterface } from '@standardnotes/api'
+import { ItemManagerInterface } from '../../Item/ItemManagerInterface'
+import { SharedVaultListingInterface } from '@standardnotes/models'
+import { SyncServiceInterface } from '../../Sync/SyncServiceInterface'
+import { DeleteVaultUseCase } from '../../Vaults/UseCase/DeleteVault'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+
+export class DeleteSharedVaultUseCase {
+  constructor(
+    private sharedVaultServer: SharedVaultServerInterface,
+    private items: ItemManagerInterface,
+    private mutator: MutatorClientInterface,
+    private sync: SyncServiceInterface,
+    private encryption: EncryptionProviderInterface,
+  ) {}
+
+  async execute(params: { sharedVault: SharedVaultListingInterface }): Promise<ClientDisplayableError | void> {
+    const response = await this.sharedVaultServer.deleteSharedVault({
+      sharedVaultUuid: params.sharedVault.sharing.sharedVaultUuid,
+    })
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromString(`Failed to delete vault ${response}`)
+    }
+
+    const deleteUsecase = new DeleteVaultUseCase(this.items, this.mutator, this.encryption)
+    await deleteUsecase.execute(params.sharedVault)
+
+    await this.sync.sync()
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/GetSharedVaultTrustedContacts.ts

@@ -0,0 +1,23 @@
+import { SharedVaultUsersServerInterface } from '@standardnotes/api'
+import { GetSharedVaultUsersUseCase } from './GetSharedVaultUsers'
+import { SharedVaultListingInterface, TrustedContactInterface } from '@standardnotes/models'
+import { ContactServiceInterface } from '../../Contacts/ContactServiceInterface'
+import { isNotUndefined } from '@standardnotes/utils'
+
+export class GetSharedVaultTrustedContacts {
+  constructor(
+    private contacts: ContactServiceInterface,
+    private sharedVaultUsersServer: SharedVaultUsersServerInterface,
+  ) {}
+
+  async execute(vault: SharedVaultListingInterface): Promise<TrustedContactInterface[] | undefined> {
+    const useCase = new GetSharedVaultUsersUseCase(this.sharedVaultUsersServer)
+    const users = await useCase.execute({ sharedVaultUuid: vault.sharing.sharedVaultUuid })
+    if (!users) {
+      return undefined
+    }
+
+    const contacts = users.map((user) => this.contacts.findTrustedContact(user.user_uuid)).filter(isNotUndefined)
+    return contacts
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/GetSharedVaultUsers.ts

@@ -0,0 +1,16 @@
+import { SharedVaultUserServerHash, isErrorResponse } from '@standardnotes/responses'
+import { SharedVaultUsersServerInterface } from '@standardnotes/api'
+
+export class GetSharedVaultUsersUseCase {
+  constructor(private vaultUsersServer: SharedVaultUsersServerInterface) {}
+
+  async execute(params: { sharedVaultUuid: string }): Promise<SharedVaultUserServerHash[] | undefined> {
+    const response = await this.vaultUsersServer.getSharedVaultUsers({ sharedVaultUuid: params.sharedVaultUuid })
+
+    if (isErrorResponse(response)) {
+      return undefined
+    }
+
+    return response.data.users
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/InviteContactToSharedVault.ts

@@ -0,0 +1,63 @@
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { ClientDisplayableError, SharedVaultInviteServerHash, SharedVaultPermission } from '@standardnotes/responses'
+import {
+  TrustedContactInterface,
+  SharedVaultListingInterface,
+  AsymmetricMessagePayloadType,
+} from '@standardnotes/models'
+import { SharedVaultInvitesServerInterface } from '@standardnotes/api'
+import { SendSharedVaultInviteUseCase } from './SendSharedVaultInviteUseCase'
+import { PkcKeyPair } from '@standardnotes/sncrypto-common'
+
+export class InviteContactToSharedVaultUseCase {
+  constructor(
+    private encryption: EncryptionProviderInterface,
+    private sharedVaultInviteServer: SharedVaultInvitesServerInterface,
+  ) {}
+
+  async execute(params: {
+    senderKeyPair: PkcKeyPair
+    senderSigningKeyPair: PkcKeyPair
+    sharedVault: SharedVaultListingInterface
+    sharedVaultContacts: TrustedContactInterface[]
+    recipient: TrustedContactInterface
+    permissions: SharedVaultPermission
+  }): Promise<SharedVaultInviteServerHash | ClientDisplayableError> {
+    const keySystemRootKey = this.encryption.keys.getPrimaryKeySystemRootKey(params.sharedVault.systemIdentifier)
+    if (!keySystemRootKey) {
+      return ClientDisplayableError.FromString('Cannot add contact; key system root key not found')
+    }
+
+    const delegatedContacts = params.sharedVaultContacts.filter(
+      (contact) => !contact.isMe && contact.contactUuid !== params.recipient.contactUuid,
+    )
+
+    const encryptedMessage = this.encryption.asymmetricallyEncryptMessage({
+      message: {
+        type: AsymmetricMessagePayloadType.SharedVaultInvite,
+        data: {
+          recipientUuid: params.recipient.contactUuid,
+          rootKey: keySystemRootKey.content,
+          trustedContacts: delegatedContacts.map((contact) => contact.content),
+          metadata: {
+            name: params.sharedVault.name,
+            description: params.sharedVault.description,
+          },
+        },
+      },
+      senderKeyPair: params.senderKeyPair,
+      senderSigningKeyPair: params.senderSigningKeyPair,
+      recipientPublicKey: params.recipient.publicKeySet.encryption,
+    })
+
+    const createInviteUseCase = new SendSharedVaultInviteUseCase(this.sharedVaultInviteServer)
+    const createInviteResult = await createInviteUseCase.execute({
+      sharedVaultUuid: params.sharedVault.sharing.sharedVaultUuid,
+      recipientUuid: params.recipient.contactUuid,
+      encryptedMessage,
+      permissions: params.permissions,
+    })
+
+    return createInviteResult
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/LeaveSharedVault.ts

@@ -0,0 +1,48 @@
+import { MutatorClientInterface } from './../../Mutator/MutatorClientInterface'
+import { SyncServiceInterface } from './../../Sync/SyncServiceInterface'
+import { StorageServiceInterface } from './../../Storage/StorageServiceInterface'
+import { ClientDisplayableError, isErrorResponse } from '@standardnotes/responses'
+import { SharedVaultUsersServerInterface } from '@standardnotes/api'
+import { DeleteExternalSharedVaultUseCase } from './DeleteExternalSharedVault'
+import { ItemManagerInterface } from '../../Item/ItemManagerInterface'
+import { SharedVaultListingInterface } from '@standardnotes/models'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+
+export class LeaveVaultUseCase {
+  constructor(
+    private vaultUserServer: SharedVaultUsersServerInterface,
+    private items: ItemManagerInterface,
+    private mutator: MutatorClientInterface,
+    private encryption: EncryptionProviderInterface,
+    private storage: StorageServiceInterface,
+    private sync: SyncServiceInterface,
+  ) {}
+
+  async execute(params: {
+    sharedVault: SharedVaultListingInterface
+    userUuid: string
+  }): Promise<ClientDisplayableError | void> {
+    const latestVaultListing = this.items.findItem<SharedVaultListingInterface>(params.sharedVault.uuid)
+    if (!latestVaultListing) {
+      throw new Error(`LeaveVaultUseCase: Could not find vault ${params.sharedVault.uuid}`)
+    }
+
+    const response = await this.vaultUserServer.deleteSharedVaultUser({
+      sharedVaultUuid: latestVaultListing.sharing.sharedVaultUuid,
+      userUuid: params.userUuid,
+    })
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromString(`Failed to leave vault ${JSON.stringify(response)}`)
+    }
+
+    const removeLocalItems = new DeleteExternalSharedVaultUseCase(
+      this.items,
+      this.mutator,
+      this.encryption,
+      this.storage,
+      this.sync,
+    )
+    await removeLocalItems.execute(latestVaultListing)
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/NotifySharedVaultUsersOfRootKeyRotation.ts

@@ -0,0 +1,62 @@
+import {
+  AsymmetricMessageServerInterface,
+  SharedVaultInvitesServerInterface,
+  SharedVaultUsersServerInterface,
+} from '@standardnotes/api'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { ContactServiceInterface } from '../../Contacts/ContactServiceInterface'
+import { SharedVaultListingInterface } from '@standardnotes/models'
+import { ClientDisplayableError } from '@standardnotes/responses'
+import { ReuploadSharedVaultInvitesAfterKeyRotationUseCase } from './ReuploadSharedVaultInvitesAfterKeyRotation'
+import { SendSharedVaultRootKeyChangedMessageToAll } from './SendSharedVaultRootKeyChangedMessageToAll'
+
+export class NotifySharedVaultUsersOfRootKeyRotationUseCase {
+  constructor(
+    private sharedVaultUsersServer: SharedVaultUsersServerInterface,
+    private sharedVaultInvitesServer: SharedVaultInvitesServerInterface,
+    private messageServer: AsymmetricMessageServerInterface,
+    private encryption: EncryptionProviderInterface,
+    private contacts: ContactServiceInterface,
+  ) {}
+
+  async execute(params: {
+    sharedVault: SharedVaultListingInterface
+    userUuid: string
+  }): Promise<ClientDisplayableError[]> {
+    const errors: ClientDisplayableError[] = []
+    const updatePendingInvitesUseCase = new ReuploadSharedVaultInvitesAfterKeyRotationUseCase(
+      this.encryption,
+      this.contacts,
+      this.sharedVaultInvitesServer,
+      this.sharedVaultUsersServer,
+    )
+
+    const updateExistingResults = await updatePendingInvitesUseCase.execute({
+      sharedVault: params.sharedVault,
+      senderUuid: params.userUuid,
+      senderEncryptionKeyPair: this.encryption.getKeyPair(),
+      senderSigningKeyPair: this.encryption.getSigningKeyPair(),
+    })
+
+    errors.push(...updateExistingResults)
+
+    const shareKeyUseCase = new SendSharedVaultRootKeyChangedMessageToAll(
+      this.encryption,
+      this.contacts,
+      this.sharedVaultUsersServer,
+      this.messageServer,
+    )
+
+    const shareKeyResults = await shareKeyUseCase.execute({
+      keySystemIdentifier: params.sharedVault.systemIdentifier,
+      sharedVaultUuid: params.sharedVault.sharing.sharedVaultUuid,
+      senderUuid: params.userUuid,
+      senderEncryptionKeyPair: this.encryption.getKeyPair(),
+      senderSigningKeyPair: this.encryption.getSigningKeyPair(),
+    })
+
+    errors.push(...shareKeyResults)
+
+    return errors
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/RemoveSharedVaultMember.ts

@@ -0,0 +1,17 @@
+import { ClientDisplayableError, isErrorResponse } from '@standardnotes/responses'
+import { SharedVaultUsersServerInterface } from '@standardnotes/api'
+
+export class RemoveVaultMemberUseCase {
+  constructor(private vaultUserServer: SharedVaultUsersServerInterface) {}
+
+  async execute(params: { sharedVaultUuid: string; userUuid: string }): Promise<ClientDisplayableError | void> {
+    const response = await this.vaultUserServer.deleteSharedVaultUser({
+      sharedVaultUuid: params.sharedVaultUuid,
+      userUuid: params.userUuid,
+    })
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromNetworkError(response)
+    }
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/ReuploadSharedVaultInvitesAfterKeyRotation.ts

@@ -0,0 +1,144 @@
+import {
+  KeySystemRootKeyContentSpecialized,
+  SharedVaultListingInterface,
+  TrustedContactInterface,
+} from '@standardnotes/models'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import {
+  ClientDisplayableError,
+  SharedVaultInviteServerHash,
+  isClientDisplayableError,
+  isErrorResponse,
+} from '@standardnotes/responses'
+import { SharedVaultInvitesServerInterface, SharedVaultUsersServerInterface } from '@standardnotes/api'
+import { ContactServiceInterface } from '../../Contacts/ContactServiceInterface'
+import { PkcKeyPair } from '@standardnotes/sncrypto-common'
+import { InviteContactToSharedVaultUseCase } from './InviteContactToSharedVault'
+import { GetSharedVaultTrustedContacts } from './GetSharedVaultTrustedContacts'
+
+type ReuploadAllSharedVaultInvitesDTO = {
+  sharedVault: SharedVaultListingInterface
+  senderUuid: string
+  senderEncryptionKeyPair: PkcKeyPair
+  senderSigningKeyPair: PkcKeyPair
+}
+
+export class ReuploadSharedVaultInvitesAfterKeyRotationUseCase {
+  constructor(
+    private encryption: EncryptionProviderInterface,
+    private contacts: ContactServiceInterface,
+    private vaultInvitesServer: SharedVaultInvitesServerInterface,
+    private vaultUserServer: SharedVaultUsersServerInterface,
+  ) {}
+
+  async execute(params: ReuploadAllSharedVaultInvitesDTO): Promise<ClientDisplayableError[]> {
+    const keySystemRootKey = this.encryption.keys.getPrimaryKeySystemRootKey(params.sharedVault.systemIdentifier)
+    if (!keySystemRootKey) {
+      throw new Error(`Vault key not found for keySystemIdentifier ${params.sharedVault.systemIdentifier}`)
+    }
+
+    const existingInvites = await this.getExistingInvites(params.sharedVault.sharing.sharedVaultUuid)
+    if (isClientDisplayableError(existingInvites)) {
+      return [existingInvites]
+    }
+
+    const deleteResult = await this.deleteExistingInvites(params.sharedVault.sharing.sharedVaultUuid)
+    if (isClientDisplayableError(deleteResult)) {
+      return [deleteResult]
+    }
+
+    const vaultContacts = await this.getVaultContacts(params.sharedVault)
+    if (vaultContacts.length === 0) {
+      return []
+    }
+
+    const errors: ClientDisplayableError[] = []
+
+    for (const invite of existingInvites) {
+      const contact = this.contacts.findTrustedContact(invite.user_uuid)
+      if (!contact) {
+        errors.push(ClientDisplayableError.FromString(`Contact not found for invite ${invite.user_uuid}`))
+        continue
+      }
+
+      const result = await this.sendNewInvite({
+        usecaseDTO: params,
+        contact: contact,
+        previousInvite: invite,
+        keySystemRootKeyData: keySystemRootKey.content,
+        sharedVaultContacts: vaultContacts,
+      })
+
+      if (isClientDisplayableError(result)) {
+        errors.push(result)
+      }
+    }
+
+    return errors
+  }
+
+  private async getVaultContacts(sharedVault: SharedVaultListingInterface): Promise<TrustedContactInterface[]> {
+    const usecase = new GetSharedVaultTrustedContacts(this.contacts, this.vaultUserServer)
+    const contacts = await usecase.execute(sharedVault)
+    if (!contacts) {
+      return []
+    }
+
+    return contacts
+  }
+
+  private async getExistingInvites(
+    sharedVaultUuid: string,
+  ): Promise<SharedVaultInviteServerHash[] | ClientDisplayableError> {
+    const response = await this.vaultInvitesServer.getOutboundUserInvites()
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromString(`Failed to get outbound user invites ${response}`)
+    }
+
+    const invites = response.data.invites
+
+    return invites.filter((invite) => invite.shared_vault_uuid === sharedVaultUuid)
+  }
+
+  private async deleteExistingInvites(sharedVaultUuid: string): Promise<ClientDisplayableError | void> {
+    const response = await this.vaultInvitesServer.deleteAllSharedVaultInvites({
+      sharedVaultUuid: sharedVaultUuid,
+    })
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromString(`Failed to delete existing invites ${response}`)
+    }
+  }
+
+  private async sendNewInvite(params: {
+    usecaseDTO: ReuploadAllSharedVaultInvitesDTO
+    contact: TrustedContactInterface
+    previousInvite: SharedVaultInviteServerHash
+    keySystemRootKeyData: KeySystemRootKeyContentSpecialized
+    sharedVaultContacts: TrustedContactInterface[]
+  }): Promise<ClientDisplayableError | void> {
+    const signatureResult = this.encryption.asymmetricSignatureVerifyDetached(params.previousInvite.encrypted_message)
+    if (!signatureResult.signatureVerified) {
+      return ClientDisplayableError.FromString('Failed to verify signature of previous invite')
+    }
+
+    if (signatureResult.signaturePublicKey !== params.usecaseDTO.senderSigningKeyPair.publicKey) {
+      return ClientDisplayableError.FromString('Sender public key does not match signature')
+    }
+
+    const usecase = new InviteContactToSharedVaultUseCase(this.encryption, this.vaultInvitesServer)
+    const result = await usecase.execute({
+      senderKeyPair: params.usecaseDTO.senderEncryptionKeyPair,
+      senderSigningKeyPair: params.usecaseDTO.senderSigningKeyPair,
+      sharedVault: params.usecaseDTO.sharedVault,
+      sharedVaultContacts: params.sharedVaultContacts,
+      recipient: params.contact,
+      permissions: params.previousInvite.permissions,
+    })
+
+    if (isClientDisplayableError(result)) {
+      return result
+    }
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/SendSharedVaultInviteUseCase.ts

@@ -0,0 +1,31 @@
+import {
+  ClientDisplayableError,
+  SharedVaultInviteServerHash,
+  isErrorResponse,
+  SharedVaultPermission,
+} from '@standardnotes/responses'
+import { SharedVaultInvitesServerInterface } from '@standardnotes/api'
+
+export class SendSharedVaultInviteUseCase {
+  constructor(private vaultInvitesServer: SharedVaultInvitesServerInterface) {}
+
+  async execute(params: {
+    sharedVaultUuid: string
+    recipientUuid: string
+    encryptedMessage: string
+    permissions: SharedVaultPermission
+  }): Promise<SharedVaultInviteServerHash | ClientDisplayableError> {
+    const response = await this.vaultInvitesServer.createInvite({
+      sharedVaultUuid: params.sharedVaultUuid,
+      recipientUuid: params.recipientUuid,
+      encryptedMessage: params.encryptedMessage,
+      permissions: params.permissions,
+    })
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromError(response.data.error)
+    }
+
+    return response.data.invite
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/SendSharedVaultMetadataChangedMessageToAll.ts

@@ -0,0 +1,100 @@
+import {
+  AsymmetricMessagePayloadType,
+  AsymmetricMessageSharedVaultMetadataChanged,
+  SharedVaultListingInterface,
+  TrustedContactInterface,
+} from '@standardnotes/models'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { AsymmetricMessageServerHash, ClientDisplayableError, isClientDisplayableError } from '@standardnotes/responses'
+import { AsymmetricMessageServerInterface, SharedVaultUsersServerInterface } from '@standardnotes/api'
+import { GetSharedVaultUsersUseCase } from './GetSharedVaultUsers'
+import { ContactServiceInterface } from '../../Contacts/ContactServiceInterface'
+import { PkcKeyPair } from '@standardnotes/sncrypto-common'
+import { SendAsymmetricMessageUseCase } from '../../AsymmetricMessage/UseCase/SendAsymmetricMessageUseCase'
+
+export class SendSharedVaultMetadataChangedMessageToAll {
+  constructor(
+    private encryption: EncryptionProviderInterface,
+    private contacts: ContactServiceInterface,
+    private vaultUsersServer: SharedVaultUsersServerInterface,
+    private messageServer: AsymmetricMessageServerInterface,
+  ) {}
+
+  async execute(params: {
+    vault: SharedVaultListingInterface
+    senderUuid: string
+    senderEncryptionKeyPair: PkcKeyPair
+    senderSigningKeyPair: PkcKeyPair
+  }): Promise<ClientDisplayableError[]> {
+    const errors: ClientDisplayableError[] = []
+
+    const getUsersUseCase = new GetSharedVaultUsersUseCase(this.vaultUsersServer)
+    const users = await getUsersUseCase.execute({ sharedVaultUuid: params.vault.sharing.sharedVaultUuid })
+    if (!users) {
+      return [ClientDisplayableError.FromString('Cannot send metadata changed message; users not found')]
+    }
+
+    for (const user of users) {
+      if (user.user_uuid === params.senderUuid) {
+        continue
+      }
+
+      const trustedContact = this.contacts.findTrustedContact(user.user_uuid)
+      if (!trustedContact) {
+        continue
+      }
+
+      const sendMessageResult = await this.sendToContact({
+        vault: params.vault,
+        senderKeyPair: params.senderEncryptionKeyPair,
+        senderSigningKeyPair: params.senderSigningKeyPair,
+        contact: trustedContact,
+      })
+
+      if (isClientDisplayableError(sendMessageResult)) {
+        errors.push(sendMessageResult)
+      }
+    }
+
+    return errors
+  }
+
+  private async sendToContact(params: {
+    vault: SharedVaultListingInterface
+    senderKeyPair: PkcKeyPair
+    senderSigningKeyPair: PkcKeyPair
+    contact: TrustedContactInterface
+  }): Promise<AsymmetricMessageServerHash | ClientDisplayableError> {
+    const message: AsymmetricMessageSharedVaultMetadataChanged = {
+      type: AsymmetricMessagePayloadType.SharedVaultMetadataChanged,
+      data: {
+        recipientUuid: params.contact.contactUuid,
+        sharedVaultUuid: params.vault.sharing.sharedVaultUuid,
+        name: params.vault.name,
+        description: params.vault.description,
+      },
+    }
+
+    const encryptedMessage = this.encryption.asymmetricallyEncryptMessage({
+      message: message,
+      senderKeyPair: params.senderKeyPair,
+      senderSigningKeyPair: params.senderSigningKeyPair,
+      recipientPublicKey: params.contact.publicKeySet.encryption,
+    })
+
+    const replaceabilityIdentifier = [
+      AsymmetricMessagePayloadType.SharedVaultMetadataChanged,
+      params.vault.sharing.sharedVaultUuid,
+      params.vault.systemIdentifier,
+    ].join(':')
+
+    const sendMessageUseCase = new SendAsymmetricMessageUseCase(this.messageServer)
+    const sendMessageResult = await sendMessageUseCase.execute({
+      recipientUuid: params.contact.contactUuid,
+      encryptedMessage,
+      replaceabilityIdentifier,
+    })
+
+    return sendMessageResult
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/SendSharedVaultRootKeyChangedMessageToAll.ts

@@ -0,0 +1,103 @@
+import {
+  AsymmetricMessagePayloadType,
+  AsymmetricMessageSharedVaultRootKeyChanged,
+  KeySystemIdentifier,
+  TrustedContactInterface,
+} from '@standardnotes/models'
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { AsymmetricMessageServerHash, ClientDisplayableError, isClientDisplayableError } from '@standardnotes/responses'
+import { AsymmetricMessageServerInterface, SharedVaultUsersServerInterface } from '@standardnotes/api'
+import { GetSharedVaultUsersUseCase } from './GetSharedVaultUsers'
+import { ContactServiceInterface } from '../../Contacts/ContactServiceInterface'
+import { PkcKeyPair } from '@standardnotes/sncrypto-common'
+import { SendAsymmetricMessageUseCase } from '../../AsymmetricMessage/UseCase/SendAsymmetricMessageUseCase'
+
+export class SendSharedVaultRootKeyChangedMessageToAll {
+  constructor(
+    private encryption: EncryptionProviderInterface,
+    private contacts: ContactServiceInterface,
+    private vaultUsersServer: SharedVaultUsersServerInterface,
+    private messageServer: AsymmetricMessageServerInterface,
+  ) {}
+
+  async execute(params: {
+    keySystemIdentifier: KeySystemIdentifier
+    sharedVaultUuid: string
+    senderUuid: string
+    senderEncryptionKeyPair: PkcKeyPair
+    senderSigningKeyPair: PkcKeyPair
+  }): Promise<ClientDisplayableError[]> {
+    const errors: ClientDisplayableError[] = []
+
+    const getUsersUseCase = new GetSharedVaultUsersUseCase(this.vaultUsersServer)
+    const users = await getUsersUseCase.execute({ sharedVaultUuid: params.sharedVaultUuid })
+    if (!users) {
+      return [ClientDisplayableError.FromString('Cannot send root key changed message; users not found')]
+    }
+
+    for (const user of users) {
+      if (user.user_uuid === params.senderUuid) {
+        continue
+      }
+
+      const trustedContact = this.contacts.findTrustedContact(user.user_uuid)
+      if (!trustedContact) {
+        continue
+      }
+
+      const sendMessageResult = await this.sendToContact({
+        keySystemIdentifier: params.keySystemIdentifier,
+        sharedVaultUuid: params.sharedVaultUuid,
+        senderKeyPair: params.senderEncryptionKeyPair,
+        senderSigningKeyPair: params.senderSigningKeyPair,
+        contact: trustedContact,
+      })
+
+      if (isClientDisplayableError(sendMessageResult)) {
+        errors.push(sendMessageResult)
+      }
+    }
+
+    return errors
+  }
+
+  private async sendToContact(params: {
+    keySystemIdentifier: KeySystemIdentifier
+    sharedVaultUuid: string
+    senderKeyPair: PkcKeyPair
+    senderSigningKeyPair: PkcKeyPair
+    contact: TrustedContactInterface
+  }): Promise<AsymmetricMessageServerHash | ClientDisplayableError> {
+    const keySystemRootKey = this.encryption.keys.getPrimaryKeySystemRootKey(params.keySystemIdentifier)
+    if (!keySystemRootKey) {
+      throw new Error(`Vault key not found for keySystemIdentifier ${params.keySystemIdentifier}`)
+    }
+
+    const message: AsymmetricMessageSharedVaultRootKeyChanged = {
+      type: AsymmetricMessagePayloadType.SharedVaultRootKeyChanged,
+      data: { recipientUuid: params.contact.contactUuid, rootKey: keySystemRootKey.content },
+    }
+
+    const encryptedMessage = this.encryption.asymmetricallyEncryptMessage({
+      message: message,
+      senderKeyPair: params.senderKeyPair,
+      senderSigningKeyPair: params.senderSigningKeyPair,
+      recipientPublicKey: params.contact.publicKeySet.encryption,
+    })
+
+    const replaceabilityIdentifier = [
+      AsymmetricMessagePayloadType.SharedVaultRootKeyChanged,
+      params.sharedVaultUuid,
+      params.keySystemIdentifier,
+    ].join(':')
+
+    const sendMessageUseCase = new SendAsymmetricMessageUseCase(this.messageServer)
+    const sendMessageResult = await sendMessageUseCase.execute({
+      recipientUuid: params.contact.contactUuid,
+      encryptedMessage,
+      replaceabilityIdentifier,
+    })
+
+    return sendMessageResult
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/ShareContactWithAllMembersOfSharedVault.ts

@@ -0,0 +1,78 @@
+import { EncryptionProviderInterface } from '@standardnotes/encryption'
+import { ClientDisplayableError, isErrorResponse } from '@standardnotes/responses'
+import {
+  TrustedContactInterface,
+  SharedVaultListingInterface,
+  AsymmetricMessagePayloadType,
+} from '@standardnotes/models'
+import { AsymmetricMessageServerInterface, SharedVaultUsersServerInterface } from '@standardnotes/api'
+import { PkcKeyPair } from '@standardnotes/sncrypto-common'
+import { ContactServiceInterface } from '../../Contacts/ContactServiceInterface'
+import { SendAsymmetricMessageUseCase } from '../../AsymmetricMessage/UseCase/SendAsymmetricMessageUseCase'
+
+export class ShareContactWithAllMembersOfSharedVaultUseCase {
+  constructor(
+    private contacts: ContactServiceInterface,
+    private encryption: EncryptionProviderInterface,
+    private sharedVaultUsersServer: SharedVaultUsersServerInterface,
+    private messageServer: AsymmetricMessageServerInterface,
+  ) {}
+
+  async execute(params: {
+    senderKeyPair: PkcKeyPair
+    senderSigningKeyPair: PkcKeyPair
+    senderUserUuid: string
+    sharedVault: SharedVaultListingInterface
+    contactToShare: TrustedContactInterface
+  }): Promise<void | ClientDisplayableError> {
+    if (params.sharedVault.sharing.ownerUserUuid !== params.senderUserUuid) {
+      return ClientDisplayableError.FromString('Cannot share contact; user is not the owner of the shared vault')
+    }
+
+    const usersResponse = await this.sharedVaultUsersServer.getSharedVaultUsers({
+      sharedVaultUuid: params.sharedVault.sharing.sharedVaultUuid,
+    })
+
+    if (isErrorResponse(usersResponse)) {
+      return ClientDisplayableError.FromString('Cannot share contact; shared vault users not found')
+    }
+
+    const users = usersResponse.data.users
+    if (users.length === 0) {
+      return
+    }
+
+    const messageSendUseCase = new SendAsymmetricMessageUseCase(this.messageServer)
+
+    for (const vaultUser of users) {
+      if (vaultUser.user_uuid === params.senderUserUuid) {
+        continue
+      }
+
+      if (vaultUser.user_uuid === params.contactToShare.contactUuid) {
+        continue
+      }
+
+      const vaultUserAsContact = this.contacts.findTrustedContact(vaultUser.user_uuid)
+      if (!vaultUserAsContact) {
+        continue
+      }
+
+      const encryptedMessage = this.encryption.asymmetricallyEncryptMessage({
+        message: {
+          type: AsymmetricMessagePayloadType.ContactShare,
+          data: { recipientUuid: vaultUserAsContact.contactUuid, trustedContact: params.contactToShare.content },
+        },
+        senderKeyPair: params.senderKeyPair,
+        senderSigningKeyPair: params.senderSigningKeyPair,
+        recipientPublicKey: vaultUserAsContact.publicKeySet.encryption,
+      })
+
+      await messageSendUseCase.execute({
+        recipientUuid: vaultUserAsContact.contactUuid,
+        encryptedMessage,
+        replaceabilityIdentifier: undefined,
+      })
+    }
+  }
+}

packages/services/src/Domain/SharedVaults/UseCase/UpdateSharedVaultInvite.ts

@@ -0,0 +1,31 @@
+import {
+  ClientDisplayableError,
+  SharedVaultInviteServerHash,
+  isErrorResponse,
+  SharedVaultPermission,
+} from '@standardnotes/responses'
+import { SharedVaultInvitesServerInterface } from '@standardnotes/api'
+
+export class UpdateSharedVaultInviteUseCase {
+  constructor(private vaultInvitesServer: SharedVaultInvitesServerInterface) {}
+
+  async execute(params: {
+    sharedVaultUuid: string
+    inviteUuid: string
+    encryptedMessage: string
+    permissions: SharedVaultPermission
+  }): Promise<SharedVaultInviteServerHash | ClientDisplayableError> {
+    const response = await this.vaultInvitesServer.updateInvite({
+      sharedVaultUuid: params.sharedVaultUuid,
+      inviteUuid: params.inviteUuid,
+      encryptedMessage: params.encryptedMessage,
+      permissions: params.permissions,
+    })
+
+    if (isErrorResponse(response)) {
+      return ClientDisplayableError.FromError(response.data.error)
+    }
+
+    return response.data.invite
+  }
+}