[DO NOT MERGE] feat: email reception with Postbox UI for identity owners

.github/workflows/canister-tests.yml

@@ -605,7 +605,9 @@ jobs:
 
       - name: Stop dev server
         if: ${{ always() }}
-        run: kill ${{ steps.dev-server-start.outputs.dev_server_pid }}
+        # `|| true` so that a dev server which has already exited (e.g. after
+        # `icp network stop` triggered shutdown above) doesn't fail the job.
+        run: kill ${{ steps.dev-server-start.outputs.dev_server_pid }} || true
 
       - name: Archive dev server logs
         if: ${{ always() }}

Cargo.toml

@@ -45,6 +45,7 @@ serde_bytes = "0.11"
 serde_cbor = "0.11"
 sha2 = "0.10"
 rsa = "0.9.7"
+p256 = { version = "0.13", features = ["ecdsa", "pkcs8"] }
 minicbor = "1.0.0"
 
 # Certification

src/frontend/src/app.html

@@ -3,6 +3,7 @@
   <head>
     <meta charset="utf-8" />
     <link rel="shortcut icon" href="%sveltekit.assets%/favicon.svg" />
+    <link rel="manifest" href="%sveltekit.assets%/manifest.json" />
     <title>Internet Identity</title>
     <meta
       name="viewport"

src/frontend/src/lib/generated/internet_identity_idl.js

@@ -398,6 +398,52 @@ export const idlFactory = ({ IDL }) => {
     'Unauthorized' : IDL.Principal,
     'NoSuchCredentials' : IDL.Text,
   });
+  const DkimCheckName = IDL.Variant({
+    'DkimSignaturePresent' : IDL.Null,
+    'PublicKeyFetched' : IDL.Null,
+    'AlgorithmSupported' : IDL.Null,
+    'BodyHashValid' : IDL.Null,
+    'SignatureValid' : IDL.Null,
+    'SignatureParsed' : IDL.Null,
+    'RequiredHeadersSigned' : IDL.Null,
+  });
+  const DkimCheckStatus = IDL.Variant({
+    'Skipped' : IDL.Null,
+    'Fail' : IDL.Null,
+    'Pass' : IDL.Null,
+  });
+  const DkimCheck = IDL.Record({
+    'status' : DkimCheckStatus,
+    'name' : DkimCheckName,
+    'detail' : IDL.Opt(IDL.Text),
+  });
+  const DkimVerificationStatus = IDL.Variant({
+    'Unverified' : IDL.Record({ 'checks' : IDL.Vec(DkimCheck) }),
+    'Verified' : IDL.Record({ 'checks' : IDL.Vec(DkimCheck) }),
+    'Pending' : IDL.Null,
+  });
+  const PostboxEmail = IDL.Record({
+    'dkim_status' : IDL.Opt(DkimVerificationStatus),
+    'subject' : IDL.Text,
+    'body' : IDL.Text,
+    'recipient' : IDL.Text,
+    'sender' : IDL.Text,
+  });
+  const PushSubscription = IDL.Record({
+    'endpoint' : IDL.Text,
+    'p256dh' : IDL.Vec(IDL.Nat8),
+    'auth' : IDL.Vec(IDL.Nat8),
+  });
+  const PushSubscribeError = IDL.Variant({
+    'InvalidSubscription' : IDL.Text,
+    'TooManySubscriptions' : IDL.Null,
+    'Unauthorized' : IDL.Principal,
+    'InternalCanisterError' : IDL.Text,
+  });
+  const PushUnsubscribeError = IDL.Variant({
+    'Unauthorized' : IDL.Principal,
+    'InternalCanisterError' : IDL.Text,
+  });
   const HeaderField = IDL.Tuple(IDL.Text, IDL.Text);
   const HttpRequest = IDL.Record({
     'url' : IDL.Text,
@@ -587,6 +633,26 @@ export const idlFactory = ({ IDL }) => {
       'anchor_number' : UserNumber,
     }),
   });
+  const SmtpAddress = IDL.Record({ 'domain' : IDL.Text, 'user' : IDL.Text });
+  const SmtpEnvelope = IDL.Record({ 'to' : SmtpAddress, 'from' : SmtpAddress });
+  const SmtpHeader = IDL.Record({ 'value' : IDL.Text, 'name' : IDL.Text });
+  const SmtpMessage = IDL.Record({
+    'body' : IDL.Vec(IDL.Nat8),
+    'headers' : IDL.Vec(SmtpHeader),
+  });
+  const SmtpRequest = IDL.Record({
+    'envelope' : IDL.Opt(SmtpEnvelope),
+    'message' : IDL.Opt(SmtpMessage),
+    'gateway_flags' : IDL.Opt(IDL.Vec(IDL.Text)),
+  });
+  const SmtpRequestError = IDL.Record({
+    'code' : IDL.Nat64,
+    'message' : IDL.Text,
+  });
+  const SmtpResponse = IDL.Variant({
+    'Ok' : IDL.Record({}),
+    'Err' : SmtpRequestError,
+  });
   const ArchiveInfo = IDL.Record({
     'archive_config' : IDL.Opt(ArchiveConfig),
     'archive_canister' : IDL.Opt(IDL.Principal),
@@ -802,6 +868,27 @@ export const idlFactory = ({ IDL }) => {
         [IDL.Variant({ 'Ok' : IdAliasCredentials, 'Err' : GetIdAliasError })],
         ['query'],
       ),
+    'get_postbox' : IDL.Func([UserNumber], [IDL.Vec(PostboxEmail)], ['query']),
+    'push_subscribe' : IDL.Func(
+        [UserNumber, PushSubscription],
+        [IDL.Variant({ 'Ok' : IDL.Null, 'Err' : PushSubscribeError })],
+        [],
+      ),
+    'push_unsubscribe' : IDL.Func(
+        [UserNumber, IDL.Text],
+        [IDL.Variant({ 'Ok' : IDL.Null, 'Err' : PushUnsubscribeError })],
+        [],
+      ),
+    'push_vapid_public_key' : IDL.Func(
+        [],
+        [IDL.Opt(IDL.Vec(IDL.Nat8))],
+        ['query'],
+      ),
+    'push_init_vapid_key' : IDL.Func(
+        [],
+        [IDL.Variant({ 'Ok' : IDL.Vec(IDL.Nat8), 'Err' : PushSubscribeError })],
+        [],
+      ),
     'get_principal' : IDL.Func(
         [UserNumber, FrontendHostname],
         [IDL.Principal],
@@ -968,6 +1055,12 @@ export const idlFactory = ({ IDL }) => {
         [IDL.Variant({ 'Ok' : AccountInfo, 'Err' : SetDefaultAccountError })],
         [],
       ),
+    'smtp_request' : IDL.Func([SmtpRequest], [SmtpResponse], []),
+    'smtp_request_validate' : IDL.Func(
+        [SmtpRequest],
+        [SmtpResponse],
+        ['query'],
+      ),
     'stats' : IDL.Func([], [InternetIdentityStats], ['query']),
     'update' : IDL.Func([UserNumber, DeviceKey, DeviceData], [], []),
     'update_account' : IDL.Func(

src/frontend/src/lib/generated/internet_identity_types.d.ts

@@ -472,6 +472,26 @@ export interface DeviceWithUsage {
  * discovery at openid_configuration for { issuer, jwks_uri }.
  */
 export interface DiscoverableOidcConfig { 'discovery_domain' : string }
+export interface DkimCheck {
+  'status' : DkimCheckStatus,
+  'name' : DkimCheckName,
+  'detail' : [] | [string],
+}
+export type DkimCheckName = { 'DkimSignaturePresent' : null } |
+  { 'PublicKeyFetched' : null } |
+  { 'AlgorithmSupported' : null } |
+  { 'BodyHashValid' : null } |
+  { 'SignatureValid' : null } |
+  { 'SignatureParsed' : null } |
+  { 'RequiredHeadersSigned' : null };
+export type DkimCheckStatus = { 'Skipped' : null } |
+  { 'Fail' : null } |
+  { 'Pass' : null };
+export type DkimVerificationStatus = {
+    'Unverified' : { 'checks' : Array<DkimCheck> }
+  } |
+  { 'Verified' : { 'checks' : Array<DkimCheck> } } |
+  { 'Pending' : null };
 export interface DummyAuthConfig {
   /**
    * Prompts user for a index value (0 - 255) when set to true,
@@ -992,6 +1012,24 @@ export interface OpenIdPrepareDelegationResponse {
   'expiration' : Timestamp,
   'anchor_number' : UserNumber,
 }
+export interface PostboxEmail {
+  'dkim_status' : [] | [DkimVerificationStatus],
+  'subject' : string,
+  'body' : string,
+  'recipient' : string,
+  'sender' : string,
+}
+export interface PushSubscription {
+  'endpoint' : string,
+  'p256dh' : Uint8Array | number[],
+  'auth' : Uint8Array | number[],
+}
+export type PushSubscribeError = { 'InvalidSubscription' : string } |
+  { 'TooManySubscriptions' : null } |
+  { 'Unauthorized' : Principal } |
+  { 'InternalCanisterError' : string };
+export type PushUnsubscribeError = { 'Unauthorized' : Principal } |
+  { 'InternalCanisterError' : string };
 export interface PrepareAccountDelegation {
   'user_key' : UserKey,
   'expiration' : Timestamp,
@@ -1184,6 +1222,25 @@ export interface SignedIdAlias {
   'id_alias' : Principal,
   'id_dapp' : Principal,
 }
+export interface SmtpAddress { 'domain' : string, 'user' : string }
+export interface SmtpEnvelope { 'to' : SmtpAddress, 'from' : SmtpAddress }
+/**
+ * SMTP Gateway Protocol types
+ * ============================
+ */
+export interface SmtpHeader { 'value' : string, 'name' : string }
+export interface SmtpMessage {
+  'body' : Uint8Array | number[],
+  'headers' : Array<SmtpHeader>,
+}
+export interface SmtpRequest {
+  'envelope' : [] | [SmtpEnvelope],
+  'message' : [] | [SmtpMessage],
+  'gateway_flags' : [] | [Array<string>],
+}
+export interface SmtpRequestError { 'code' : bigint, 'message' : string }
+export type SmtpResponse = { 'Ok' : {} } |
+  { 'Err' : SmtpRequestError };
 export interface StreamingCallbackHttpResponse {
   'token' : [] | [Token],
   'body' : Uint8Array | number[],
@@ -1431,7 +1488,40 @@ export interface _SERVICE {
     { 'Ok' : IdAliasCredentials } |
       { 'Err' : GetIdAliasError }
   >,
+  'get_postbox' : ActorMethod<[UserNumber], Array<PostboxEmail>>,
   'get_principal' : ActorMethod<[UserNumber, FrontendHostname], Principal>,
+  /**
+   * Subscribes the caller's browser for Web Push notifications on new emails
+   * arriving at the given identity's postbox. Generates the canister's VAPID
+   * key pair on first call.
+   */
+  'push_subscribe' : ActorMethod<
+    [UserNumber, PushSubscription],
+    { 'Ok' : null } |
+      { 'Err' : PushSubscribeError }
+  >,
+  /** Removes a previously registered push subscription by endpoint URL. */
+  'push_unsubscribe' : ActorMethod<
+    [UserNumber, string],
+    { 'Ok' : null } |
+      { 'Err' : PushUnsubscribeError }
+  >,
+  /**
+   * Returns the canister's VAPID public key (65-byte uncompressed SEC-1).
+   * Returns empty if the key hasn't been generated yet — use
+   * `push_init_vapid_key` to generate it.
+   */
+  'push_vapid_public_key' : ActorMethod<[], [] | [Uint8Array | number[]]>,
+  /**
+   * Ensures the canister has a VAPID key pair and returns the public key.
+   * The frontend calls this at the start of the opt-in flow to obtain the
+   * `applicationServerKey` required by `PushManager.subscribe()`.
+   */
+  'push_init_vapid_key' : ActorMethod<
+    [],
+    { 'Ok' : Uint8Array | number[] } |
+      { 'Err' : PushSubscribeError }
+  >,
   /**
    * HTTP Gateway protocol
    * =====================
@@ -1618,6 +1708,12 @@ export interface _SERVICE {
     { 'Ok' : AccountInfo } |
       { 'Err' : SetDefaultAccountError }
   >,
+  /**
+   * SMTP Gateway Protocol
+   * =====================
+   */
+  'smtp_request' : ActorMethod<[SmtpRequest], SmtpResponse>,
+  'smtp_request_validate' : ActorMethod<[SmtpRequest], SmtpResponse>,
   'stats' : ActorMethod<[], InternetIdentityStats>,
   'update' : ActorMethod<[UserNumber, DeviceKey, DeviceData], undefined>,
   'update_account' : ActorMethod<