fix: use the app identity keys everywhere

apps/connect/src/routes/authenticate.tsx

@@ -261,7 +261,7 @@ function AuthenticateComponent() {
                 id: keyData.id,
                 ciphertext: Utils.bytesToHex(keyBox.keyBoxCiphertext),
                 nonce: Utils.bytesToHex(keyBox.keyBoxNonce),
-                authorPublicKey: appIdentity.encryptionPublicKey,
+                authorPublicKey: keys.encryptionPublicKey,
                 accountAddress: accountAddress,
               };
             });
@@ -388,19 +388,25 @@ function AuthenticateComponent() {
         rpcUrl: import.meta.env.VITE_HYPERGRAPH_RPC_URL,
       });
 
+      const appIdentityKeys = {
+        encryptionPrivateKey: newAppIdentity.encryptionPrivateKey,
+        encryptionPublicKey: newAppIdentity.encryptionPublicKey,
+        signaturePrivateKey: newAppIdentity.signaturePrivateKey,
+        signaturePublicKey: newAppIdentity.signaturePublicKey,
+      };
       console.log('encrypting app identity');
       const { ciphertext, nonce } = await Connect.encryptAppIdentity(
         signer,
         newAppIdentity.address,
         newAppIdentity.addressPrivateKey,
         permissionId,
-        keys,
+        appIdentityKeys,
       );
       console.log('proving ownership');
       const { accountProof, keyProof } = await Identity.proveIdentityOwnership(
         smartAccountClient,
         accountAddress,
-        keys,
+        appIdentityKeys,
       );
 
       const message: Messages.RequestConnectCreateAppIdentity = {
@@ -432,10 +438,10 @@ function AuthenticateComponent() {
           address: newAppIdentity.address,
           addressPrivateKey: newAppIdentity.addressPrivateKey,
           accountAddress,
-          encryptionPrivateKey: keys.encryptionPrivateKey,
-          signaturePrivateKey: keys.signaturePrivateKey,
-          encryptionPublicKey: keys.encryptionPublicKey,
-          signaturePublicKey: keys.signaturePublicKey,
+          encryptionPrivateKey: newAppIdentity.encryptionPrivateKey,
+          signaturePrivateKey: newAppIdentity.signaturePrivateKey,
+          encryptionPublicKey: newAppIdentity.encryptionPublicKey,
+          signaturePublicKey: newAppIdentity.signaturePublicKey,
           sessionToken: appIdentityResponse.appIdentity.sessionToken,
           sessionTokenExpires: new Date(appIdentityResponse.appIdentity.sessionTokenExpires),
           permissionId,

apps/events/src/Boot.tsx

@@ -15,7 +15,11 @@ declare module '@tanstack/react-router' {
 
 export function Boot() {
   return (
-    <HypergraphAppProvider syncServerUri="http://localhost:3030" mapping={mapping}>
+    <HypergraphAppProvider
+      syncServerUri="http://localhost:3030"
+      mapping={mapping}
+      appId="93bb8907-085a-4a0e-83dd-62b0dc98e793"
+    >
       <RouterProvider router={router} />
     </HypergraphAppProvider>
   );

apps/events/src/routes/login.lazy.tsx

@@ -16,7 +16,6 @@ function Login() {
             storage: localStorage,
             connectUrl: 'http://localhost:5180',
             successUrl: `${window.location.origin}/authenticate-success`,
-            appId: '93bb8907-085a-4a0e-83dd-62b0dc98e793',
             redirectFn: (url: URL) => {
               window.location.href = url.toString();
             },

apps/next-example/src/components/providers.tsx

@@ -7,7 +7,11 @@ export default function Providers({ children }: { children: React.ReactNode }) {
   const storage = typeof window !== 'undefined' ? window.localStorage : (undefined as unknown as Storage);
 
   return (
-    <HypergraphAppProvider syncServerUri="http://localhost:3030" mapping={{}}>
+    <HypergraphAppProvider
+      syncServerUri="http://localhost:3030"
+      mapping={{}}
+      appId="83aa8907-085b-430f-1296-ab87dc98e793"
+    >
       {children}
     </HypergraphAppProvider>
   );

apps/server/src/handlers/applySpaceEvent.ts

@@ -4,7 +4,7 @@ import type { Messages } from '@graphprotocol/hypergraph';
 import { Identity, SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
-import { getConnectIdentity } from './getConnectIdentity.js';
+import { getAppOrConnectIdentity } from './getAppOrConnectIdentity.js';
 
 type Params = {
   accountAddress: string;
@@ -40,7 +40,7 @@ export async function applySpaceEvent({ accountAddress, spaceId, event, keyBoxes
       orderBy: { counter: 'desc' },
     });
 
-    const getVerifiedIdentity = (accountAddressToFetch: string) => {
+    const getVerifiedIdentity = (accountAddressToFetch: string, publicKey: string) => {
       console.log('getVerifiedIdentity', accountAddressToFetch, accountAddress);
       // applySpaceEvent is only allowed to be called by the account that is applying the event
       if (accountAddressToFetch !== accountAddress) {
@@ -49,7 +49,8 @@ export async function applySpaceEvent({ accountAddress, spaceId, event, keyBoxes
 
       return Effect.gen(function* () {
         const identity = yield* Effect.tryPromise({
-          try: () => getConnectIdentity({ accountAddress: accountAddressToFetch }),
+          try: () =>
+            getAppOrConnectIdentity({ accountAddress: accountAddressToFetch, signaturePublicKey: publicKey, spaceId }),
           catch: () => new Identity.InvalidIdentityError(),
         });
         return identity;

apps/server/src/handlers/create-space.ts

@@ -5,7 +5,7 @@ import type { Messages } from '@graphprotocol/hypergraph';
 import { Identity, SpaceEvents } from '@graphprotocol/hypergraph';
 
 import { prisma } from '../prisma.js';
-import { getConnectIdentity } from './getConnectIdentity.js';
+import { getAppOrConnectIdentity } from './getAppOrConnectIdentity.js';
 
 type Params = {
   accountAddress: string;
@@ -26,15 +26,15 @@ export const createSpace = async ({
   infoSignatureRecovery,
   name,
 }: Params) => {
-  const getVerifiedIdentity = (accountAddressToFetch: string) => {
+  const getVerifiedIdentity = (accountAddressToFetch: string, publicKey: string) => {
     // applySpaceEvent is only allowed to be called by the account that is applying the event
     if (accountAddressToFetch !== accountAddress) {
       return Effect.fail(new Identity.InvalidIdentityError());
     }
 
     return Effect.gen(function* () {
       const identity = yield* Effect.tryPromise({
-        try: () => getConnectIdentity({ accountAddress: accountAddressToFetch }),
+        try: () => getAppOrConnectIdentity({ accountAddress: accountAddressToFetch, signaturePublicKey: publicKey }),
         catch: () => new Identity.InvalidIdentityError(),
       });
       return identity;

apps/server/src/handlers/getAccountInbox.ts

@@ -8,7 +8,7 @@ export async function getAccountInbox({ accountAddress, inboxId }: { accountAddr
       id: true,
       account: {
         select: {
-          id: true,
+          address: true,
         },
       },
       isPublic: true,
@@ -24,7 +24,7 @@ export async function getAccountInbox({ accountAddress, inboxId }: { accountAddr
 
   return {
     inboxId: inbox.id,
-    accountAddress: inbox.account.id,
+    accountAddress: inbox.account.address,
     isPublic: inbox.isPublic,
     authPolicy: inbox.authPolicy as Inboxes.InboxSenderAuthPolicy,
     encryptionPublicKey: inbox.encryptionPublicKey,

apps/server/src/handlers/getAppOrConnectIdentity.ts

@@ -0,0 +1,82 @@
+import { prisma } from '../prisma.js';
+
+type Params =
+  | {
+      accountAddress: string;
+      signaturePublicKey: string;
+      spaceId?: string;
+    }
+  | {
+      accountAddress: string;
+      appId: string;
+      spaceId?: string;
+    };
+
+export type GetIdentityResult = {
+  accountAddress: string;
+  ciphertext: string;
+  nonce: string;
+  signaturePublicKey: string;
+  encryptionPublicKey: string;
+  accountProof: string;
+  keyProof: string;
+  appId: string | null;
+};
+
+export const getAppOrConnectIdentity = async (params: Params): Promise<GetIdentityResult> => {
+  if (!('appId' in params)) {
+    const where: { address: string; connectSignaturePublicKey?: string } = { address: params.accountAddress };
+    if ('signaturePublicKey' in params) {
+      where.connectSignaturePublicKey = params.signaturePublicKey;
+    }
+    const account = await prisma.account.findFirst({
+      where,
+    });
+    if (account) {
+      return {
+        accountAddress: account.address,
+        ciphertext: account.connectCiphertext,
+        nonce: account.connectNonce,
+        signaturePublicKey: account.connectSignaturePublicKey,
+        encryptionPublicKey: account.connectEncryptionPublicKey,
+        accountProof: account.connectAccountProof,
+        keyProof: account.connectKeyProof,
+        appId: null,
+      };
+    }
+  }
+  const appWhere: {
+    accountAddress: string;
+    appId?: string;
+    signaturePublicKey?: string;
+    spaces?: { some: { id: string } };
+  } = {
+    accountAddress: params.accountAddress,
+  };
+  if ('signaturePublicKey' in params) {
+    appWhere.signaturePublicKey = params.signaturePublicKey;
+  }
+  if ('appId' in params) {
+    appWhere.appId = params.appId;
+  }
+  if (params.spaceId) {
+    appWhere.spaces = { some: { id: params.spaceId } };
+  }
+
+  const appIdentity = await prisma.appIdentity.findFirst({
+    where: appWhere,
+  });
+  if (appIdentity) {
+    return {
+      accountAddress: appIdentity.accountAddress,
+      ciphertext: appIdentity.ciphertext,
+      nonce: appIdentity.nonce,
+      signaturePublicKey: appIdentity.signaturePublicKey,
+      encryptionPublicKey: appIdentity.encryptionPublicKey,
+      accountProof: appIdentity.accountProof,
+      keyProof: appIdentity.keyProof,
+      appId: appIdentity.appId,
+    };
+  }
+  throw new Error('Identity not found');
+};

apps/server/src/handlers/getSpace.ts

@@ -4,9 +4,10 @@ import { prisma } from '../prisma.js';
 type Params = {
   spaceId: string;
   accountAddress: string;
+  appIdentityAddress: string;
 };
 
-export const getSpace = async ({ spaceId, accountAddress }: Params) => {
+export const getSpace = async ({ spaceId, accountAddress, appIdentityAddress }: Params) => {
   const space = await prisma.space.findUniqueOrThrow({
     where: {
       id: spaceId,
@@ -27,6 +28,7 @@ export const getSpace = async ({ spaceId, accountAddress }: Params) => {
           keyBoxes: {
             where: {
               accountAddress,
+              appIdentityAddress,
             },
             select: {
               nonce: true,