Skip to content

feat: add data: and ipfs:// URI support in fetchRegistrationFile#8

Merged
vraspar merged 3 commits into
mainfrom
vraspar/data-ipfs-uri
Apr 11, 2026
Merged

feat: add data: and ipfs:// URI support in fetchRegistrationFile#8
vraspar merged 3 commits into
mainfrom
vraspar/data-ipfs-uri

Conversation

@vraspar
Copy link
Copy Markdown
Contributor

@vraspar vraspar commented Apr 11, 2026

Summary

  • Support all three ERC-8004 agentURI schemes in fetchRegistrationFile:
    • https:// (existing)
    • data:application/json;base64,... and data:application/json,... (on-chain storage)
    • ipfs://<cid> via configurable gateway (default: ipfs.io)
  • Add FetchRegistrationFileOptions with optional ipfsGateway parameter
  • Thread ipfsGateway through resolveServiceEndpoint
  • Bump to 0.1.0-alpha.2

Depends on #7 (revert of direct push) being merged first.

Test plan

  • 103 tests pass (14 new: 9 data URI + 4 IPFS + 1 error message)
  • pnpm typecheck passes
  • pnpm build clean

🤖 Generated with Claude Code

@vraspar @claude
feat: add data: and ipfs:// URI support in fetchRegistrationFile
59bae49 
Support all three ERC-8004 agentURI schemes:
- https:// (existing)
- data:application/json;base64,... and data:application/json,...
- ipfs://<cid> via configurable gateway (default: ipfs.io)

Add FetchRegistrationFileOptions with optional ipfsGateway parameter,
threaded through resolveServiceEndpoint. Bump to 0.1.0-alpha.2.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@vraspar vraspar force-pushed the vraspar/data-ipfs-uri branch from 1b1fe0e to 59bae49 Compare April 11, 2026 01:32
@vraspar @claude
fix: address review issues in data/ipfs URI support
0e5eb8d 
- Fix atob → Buffer.from for correct UTF-8 handling in base64 data URIs
- Move FetchRegistrationFileOptions to types.ts with other param types
- Compose ResolveServiceEndpointParameters extends FetchRegistrationFileOptions
- Extract MAX_REGISTRATION_FILE_SIZE constant (was duplicated 1_048_576)
- Add resolveServiceEndpoint + ipfsGateway integration tests

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@A1igator
Copy link
Copy Markdown

A1igator commented Apr 11, 2026

SDK Review

Found 2 issues (reviewed: tests, conventions, dead code, SDK design):

  1. [Conventions / Portability] Buffer.from(payload, 'base64') is a Node.js-only API. The SDK uses globalThis.fetch everywhere else to stay runtime-agnostic, but Buffer breaks that contract and will throw ReferenceError in browsers, Cloudflare Workers, and Deno. Additionally, Buffer.from silently discards invalid base64 characters instead of throwing (the test file itself acknowledges this at line 367), which means malformed base64 data URIs produce a misleading "not valid JSON" error instead of "Failed to decode data URI (base64)". The commit message says "Fix atob -> Buffer.from for correct UTF-8 handling" but JSON is ASCII-safe, and atob() + TextDecoder handles UTF-8 correctly while being available in all runtimes.

    Fix: replace Buffer.from(payload, 'base64').toString('utf8') with atob(payload) (sufficient for JSON) or new TextDecoder().decode(Uint8Array.from(atob(payload), c => c.charCodeAt(0))) for full UTF-8.

    erc8004/src/registration/fetch.ts

    Lines 94 to 95 in 0e5eb8d

    decoded = isBase64
    ? Buffer.from(payload, 'base64').toString('utf8')

  2. [Conventions / Security] IPFS CID is extracted with uri.slice(7) and concatenated directly into the gateway URL with no validation. Two concerns: (a) ipfs://QmFoo/../../../other path-traverses to https://ipfs.io/other after URL normalization, causing an SSRF against the gateway; (b) ipfs:// with no CID produces https://ipfs.io/ipfs/ which hits the gateway's listing endpoint. Since agentURI values come from an on-chain registry (attacker-controllable), this is a realistic attack surface. Impact is limited to the IPFS gateway host, not arbitrary hosts.

    Fix: validate the extracted path before constructing the URL -- reject empty CIDs and .. path segments.

    erc8004/src/registration/fetch.ts

    Lines 30 to 34 in 0e5eb8d

    if (uri.startsWith('ipfs://')) {
    const gateway = options?.ipfsGateway ?? DEFAULT_IPFS_GATEWAY
    const base = gateway.endsWith('/') ? gateway.slice(0, -1) : gateway
    const path = uri.slice(7) // strip "ipfs://"
    fetchUrl = `${base}/ipfs/${path}`

Generated with Claude Code using review-sdk skill

@vraspar @claude
fix: use portable atob+TextDecoder, validate IPFS CID paths
628cee9 
Address review feedback:
- Replace Node-only Buffer.from with atob + TextDecoder for portable
  UTF-8 base64 decoding (works in browsers, Workers, Deno)
- Validate IPFS CID path: reject empty CIDs and .. path traversal
  segments to prevent SSRF against the gateway

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@vraspar vraspar merged commit b2af5ff into main Apr 11, 2026
2 checks passed
@vraspar vraspar deleted the vraspar/data-ipfs-uri branch April 11, 2026 03:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vraspar @A1igator