serialize calls

Author: benma

src/index.ts

@@ -480,6 +480,7 @@ function makePairingBitBox(state: PairingState, close: () => void): PairingBitBo
  */
 export class PairedBitBox {
   #state: PairedStateUnion = { kind: 'uninitialized' };
+  #queue: Promise<void> = Promise.resolve();
 
   /** @internal */
   constructor(init?: Omit<PairedOpen, 'kind'>) {
@@ -504,6 +505,43 @@ export class PairedBitBox {
     return state;
   }
 
+  /**
+   * Serializes all device-touching public methods on this paired connection.
+   *
+   * The BitBox protocol and Noise channel are ordered streams, not multiplexed
+   * request/response transports. Some public methods also perform multi-step
+   * conversations (for example ETH streaming or anti-klepto signing), so the
+   * lock must cover the whole public method, not only one encrypted query.
+   *
+   * Calls made after close fail before joining the queue, so they do not wait
+   * behind a stuck transport read. The open state is checked again when the
+   * queued operation starts, so calls queued before close still fail if they
+   * did not already enter the device conversation.
+   *
+   * Each call chains onto the previous queue tail and then replaces the tail
+   * with a settled `void` promise, so a rejected call does not poison later
+   * queued operations.
+   */
+  #runExclusive<T>(
+    method: string,
+    fn: (open: PairedOpen) => Promise<T>,
+  ): Promise<T> {
+    this.#requireOpen(method);
+    const run = this.#queue.catch(() => undefined).then(async () => {
+      const open = this.#requireOpen(method);
+      try {
+        return await fn(open);
+      } catch (err) {
+        throw toPublicError(err);
+      }
+    });
+    this.#queue = run.then(
+      () => undefined,
+      () => undefined,
+    );
+    return run;
+  }
+
   /** No-op; retained for ABI compatibility with the wasm-bindgen output. */
   free(): void {}
 
@@ -524,12 +562,7 @@ export class PairedBitBox {
 
   /** Query device metadata. */
   async deviceInfo(): Promise<DeviceInfo> {
-    const open = this.#requireOpen('deviceInfo');
-    try {
-      return await deviceInfoImpl(open.channel);
-    } catch (err) {
-      throw toPublicError(err);
-    }
+    return this.#runExclusive('deviceInfo', open => deviceInfoImpl(open.channel));
   }
 
   /** Returns which product we are connected to. */
@@ -544,12 +577,7 @@ export class PairedBitBox {
 
   /** Returns the hex-encoded 4-byte root fingerprint. */
   async rootFingerprint(): Promise<string> {
-    const open = this.#requireOpen('rootFingerprint');
-    try {
-      return await rootFingerprintImpl(open.channel);
-    } catch (err) {
-      throw toPublicError(err);
-    }
+    return this.#runExclusive('rootFingerprint', open => rootFingerprintImpl(open.channel));
   }
 
   /** Not implemented in this TypeScript iteration. */
@@ -647,12 +675,7 @@ export class PairedBitBox {
 
   /** Query the device for an Ethereum account xpub. */
   async ethXpub(keypath: Keypath): Promise<string> {
-    const open = this.#requireOpen('ethXpub');
-    try {
-      return await ethXpubImpl(open.channel, keypath);
-    } catch (err) {
-      throw toPublicError(err);
-    }
+    return this.#runExclusive('ethXpub', open => ethXpubImpl(open.channel, keypath));
   }
 
   /**
@@ -661,12 +684,9 @@ export class PairedBitBox {
    * Set `display` to `true` to require on-device confirmation.
    */
   async ethAddress(chain_id: bigint, keypath: Keypath, display: boolean): Promise<string> {
-    const open = this.#requireOpen('ethAddress');
-    try {
-      return await ethAddressImpl(open.channel, chain_id, keypath, display);
-    } catch (err) {
-      throw toPublicError(err);
-    }
+    return this.#runExclusive('ethAddress', open =>
+      ethAddressImpl(open.channel, chain_id, keypath, display),
+    );
   }
 
   /**
@@ -681,19 +701,16 @@ export class PairedBitBox {
     tx: EthTransaction,
     address_case?: EthAddressCase,
   ): Promise<EthSignature> {
-    const open = this.#requireOpen('ethSignTransaction');
-    try {
-      return await ethSignTransactionImpl(
+    return this.#runExclusive('ethSignTransaction', open =>
+      ethSignTransactionImpl(
         open.channel,
         open.info,
         chain_id,
         keypath,
         tx,
         address_case,
-      );
-    } catch (err) {
-      throw toPublicError(err);
-    }
+      ),
+    );
   }
 
   /**
@@ -706,18 +723,15 @@ export class PairedBitBox {
     tx: Eth1559Transaction,
     address_case?: EthAddressCase,
   ): Promise<EthSignature> {
-    const open = this.#requireOpen('ethSign1559Transaction');
-    try {
-      return await ethSign1559TransactionImpl(
+    return this.#runExclusive('ethSign1559Transaction', open =>
+      ethSign1559TransactionImpl(
         open.channel,
         open.info,
         keypath,
         tx,
         address_case,
-      );
-    } catch (err) {
-      throw toPublicError(err);
-    }
+      ),
+    );
   }
 
   /**
@@ -731,12 +745,9 @@ export class PairedBitBox {
     keypath: Keypath,
     msg: Uint8Array,
   ): Promise<EthSignature> {
-    const open = this.#requireOpen('ethSignMessage');
-    try {
-      return await ethSignMessageImpl(open.channel, open.info, chain_id, keypath, msg);
-    } catch (err) {
-      throw toPublicError(err);
-    }
+    return this.#runExclusive('ethSignMessage', open =>
+      ethSignMessageImpl(open.channel, open.info, chain_id, keypath, msg),
+    );
   }
 
   /**
@@ -750,19 +761,16 @@ export class PairedBitBox {
     msg: any,
     use_antiklepto?: boolean,
   ): Promise<EthSignature> {
-    const open = this.#requireOpen('ethSignTypedMessage');
-    try {
-      return await ethSignTypedMessageImpl(
+    return this.#runExclusive('ethSignTypedMessage', open =>
+      ethSignTypedMessageImpl(
         open.channel,
         open.info,
         chain_id,
         keypath,
         msg,
         use_antiklepto,
-      );
-    } catch (err) {
-      throw toPublicError(err);
-    }
+      ),
+    );
   }
 
   /** Cardano support is not implemented in this TypeScript iteration. */

test/device-methods.test.ts

@@ -21,44 +21,56 @@ const INFO: Info = {
   initialized: true,
 };
 
+function responseFor(request: Request): Uint8Array {
+  let response: Response;
+  switch (request.request.case) {
+    case 'deviceInfo':
+      response = create(ResponseSchema, {
+        response: {
+          case: 'deviceInfo',
+          value: create(DeviceInfoResponseSchema, {
+            name: 'My BitBox',
+            initialized: true,
+            version: '9.26.1',
+            mnemonicPassphraseEnabled: false,
+            securechipModel: 'ATECC608B',
+            monotonicIncrementsRemaining: 42,
+            passwordStretchingAlgo: 'pwhash',
+          }),
+        },
+      });
+      break;
+    case 'fingerprint':
+      response = create(ResponseSchema, {
+        response: {
+          case: 'fingerprint',
+          value: create(RootFingerprintResponseSchema, {
+            fingerprint: new Uint8Array([0x4c, 0x00, 0x73, 0x9d]),
+          }),
+        },
+      });
+      break;
+    default:
+      throw new Error(`unexpected request: ${request.request.case}`);
+  }
+  return toBinary(ResponseSchema, response);
+}
+
+function deferred(): { promise: Promise<void>; resolve: () => void } {
+  let resolve!: () => void;
+  const promise = new Promise<void>((r) => {
+    resolve = r;
+  });
+  return { promise, resolve };
+}
+
 class FakeDeviceChannel implements EncryptedChannel {
   readonly requests: Request['request']['case'][] = [];
 
   async query(plaintext: Uint8Array): Promise<Uint8Array> {
     const request = fromBinary(RequestSchema, plaintext);
     this.requests.push(request.request.case);
-    let response: Response;
-    switch (request.request.case) {
-      case 'deviceInfo':
-        response = create(ResponseSchema, {
-          response: {
-            case: 'deviceInfo',
-            value: create(DeviceInfoResponseSchema, {
-              name: 'My BitBox',
-              initialized: true,
-              version: '9.26.1',
-              mnemonicPassphraseEnabled: false,
-              securechipModel: 'ATECC608B',
-              monotonicIncrementsRemaining: 42,
-              passwordStretchingAlgo: 'pwhash',
-            }),
-          },
-        });
-        break;
-      case 'fingerprint':
-        response = create(ResponseSchema, {
-          response: {
-            case: 'fingerprint',
-            value: create(RootFingerprintResponseSchema, {
-              fingerprint: new Uint8Array([0x4c, 0x00, 0x73, 0x9d]),
-            }),
-          },
-        });
-        break;
-      default:
-        throw new Error(`unexpected request: ${request.request.case}`);
-    }
-    return toBinary(ResponseSchema, response);
+    return responseFor(request);
   }
 }
 
@@ -68,6 +80,41 @@ class EmptyResponseChannel implements EncryptedChannel {
   }
 }
 
+class BlockingFirstQueryChannel implements EncryptedChannel {
+  readonly requests: Request['request']['case'][] = [];
+  activeQueries = 0;
+  maxActiveQueries = 0;
+  readonly firstQueryStarted = deferred();
+  readonly releaseFirstQuery = deferred();
+
+  async query(plaintext: Uint8Array): Promise<Uint8Array> {
+    const request = fromBinary(RequestSchema, plaintext);
+    this.requests.push(request.request.case);
+    this.activeQueries += 1;
+    this.maxActiveQueries = Math.max(this.maxActiveQueries, this.activeQueries);
+    try {
+      if (this.requests.length === 1) {
+        this.firstQueryStarted.resolve();
+        await this.releaseFirstQuery.promise;
+      }
+      return responseFor(request);
+    } finally {
+      this.activeQueries -= 1;
+    }
+  }
+}
+
+class FailsFirstChannel extends FakeDeviceChannel {
+  override async query(plaintext: Uint8Array): Promise<Uint8Array> {
+    const request = fromBinary(RequestSchema, plaintext);
+    this.requests.push(request.request.case);
+    if (this.requests.length === 1) {
+      return toBinary(ResponseSchema, create(ResponseSchema, {}));
+    }
+    return responseFor(request);
+  }
+}
+
 describe('device methods', () => {
   it('deviceInfo returns the wasm package DeviceInfo shape', async () => {
     const channel = new FakeDeviceChannel();
@@ -104,4 +151,43 @@ describe('device methods', () => {
       message: 'protobuf message could not be decoded',
     });
   });
+
+  it('serializes concurrent device queries', async () => {
+    const channel = new BlockingFirstQueryChannel();
+    const paired = new PairedBitBox({ channel, info: INFO, close(): void {} });
+
+    const deviceInfo = paired.deviceInfo();
+    await channel.firstQueryStarted.promise;
+
+    const rootFingerprint = paired.rootFingerprint();
+    await Promise.resolve();
+    await Promise.resolve();
+
+    expect(channel.requests).toEqual(['deviceInfo']);
+    expect(channel.maxActiveQueries).toBe(1);
+
+    channel.releaseFirstQuery.resolve();
+    await expect(Promise.all([deviceInfo, rootFingerprint])).resolves.toEqual([
+      {
+        name: 'My BitBox',
+        initialized: true,
+        version: '9.26.1',
+        mnemonicPassphraseEnabled: false,
+        securechipModel: 'ATECC608B',
+        monotonicIncrementsRemaining: 42,
+      },
+      '4c00739d',
+    ]);
+    expect(channel.requests).toEqual(['deviceInfo', 'fingerprint']);
+    expect(channel.maxActiveQueries).toBe(1);
+  });
+
+  it('continues serializing after a rejected query', async () => {
+    const channel = new FailsFirstChannel();
+    const paired = new PairedBitBox({ channel, info: INFO, close(): void {} });
+
+    await expect(paired.deviceInfo()).rejects.toMatchObject({ code: 'protobuf-decode' });
+    await expect(paired.rootFingerprint()).resolves.toBe('4c00739d');
+    expect(channel.requests).toEqual(['deviceInfo', 'fingerprint']);
+  });
 });