chore: some things from coderabbit

Author: mabels

core/device-id/certor.ts

@@ -4,6 +4,7 @@ import { decodeJwt } from "jose";
 import { base58btc } from "multiformats/bases/base58";
 import { sha1 } from "multiformats/hashes/sha1";
 import { sha256 } from "multiformats/hashes/sha2";
+import { deepFreeze } from "@fireproof/core-runtime";
 import { CertificatePayload, CertificatePayloadSchema } from "@fireproof/core-types-base/fp-ca-cert-payload.zod.js";
 
 export class Certor {
@@ -25,7 +26,8 @@ export class Certor {
   }
 
   constructor(base64: Base64EndeCoder, cert: CertificatePayload) {
-    this.#cert = cert;
+    // this.#cert = cert;
+    this.#cert = deepFreeze(toSortedObject(cert)) as CertificatePayload;
     this.base64 = base64;
   }
 

core/device-id/device-id-key.ts

@@ -21,14 +21,15 @@ export class DeviceIdKey {
     },
   ): Promise<Result<DeviceIdKey>> {
     const parsed = JWKPrivateSchema.safeParse(jwk);
-    if (parsed.success && (parsed.data.kty !== "EC" || parsed.data.crv !== "P-256" || !("d" in parsed.data))) {
-      return Result.Err("Invalid JWK for ES256");
+    if (!parsed.success) {
+      return Result.Err(new Error(`Invalid JWK: ${parsed.error.message}`));
     }
-    const pair = await importJWK(jwk, "ES256", opts);
-    if (pair instanceof Uint8Array) {
-      return Result.Err("Invalid JWK");
+    const j = parsed.data;
+    if (j.kty !== "EC" || j.crv !== "P-256" || !("d" in j)) {
+      return Result.Err(new Error("Invalid JWK for ES256"));
     }
-    return Result.Ok(new DeviceIdKey(pair));
+    const key = await importJWK(j, "ES256", opts);
+    return Result.Ok(new DeviceIdKey(key as CryptoKey));
   }
 
   private constructor(pair: CryptoKey) {
@@ -51,9 +52,9 @@ export class DeviceIdKey {
 
   async publicKey(): Promise<JWKPublic> {
     const privateJWK = await exportJWK(this.#privateKey);
-    const { success, data } = JWKPublicSchema.safeParse(privateJWK);
+    const { success, data, error } = JWKPublicSchema.safeParse(privateJWK);
     if (!success || !data) {
-      throw new Error("Invalid JWK");
+      throw new Error(`Invalid public JWK: ${error.message}`);
     }
     return data;
   }

core/runtime/utils.ts

@@ -594,3 +594,12 @@ export function timerStart(loggerOrHasLogger: Logger | HasLogger, tag: string) {
 export function timerEnd(loggerOrHasLogger: Logger | HasLogger, tag: string) {
   coerceLogger(loggerOrHasLogger).Debug().TimerEnd(tag).Msg("Timing ended");
 }
+
+export function deepFreeze<T extends object>(o?: T): T | undefined {
+  if (!o) return undefined;
+  Object.freeze(o);
+  for (const v of Object.values(o)) {
+    if (v && typeof v === "object" && !Object.isFrozen(v)) deepFreeze(v as object);
+  }
+  return o;
+}

core/types/base/fp-device-id-payload.zod.ts

@@ -98,8 +98,11 @@ export const FPDeviceIDPayloadSchema = JWTPayloadSchema.extend({
       publicKey: JWKPublicSchema,
       extensions: ExtensionsSchema.optional(),
     })
+    .strict()
     .readonly(),
-}).readonly();
+})
+  .strict()
+  .readonly();
 
 // Type inference
 export type FPDeviceIDPayload = z.infer<typeof FPDeviceIDPayloadSchema>;