Replace react-native-quick-crypto with @noble/hashes

[transphorm]

Removing react-native-quick-crypto because it seems to be at the center of a frequent build conflicts. Hopefully this improves the stability of our builds 🤞

Summary

• add unit tests covering random bytes, hmac, pbkdf2, sha256 and sha512 polyfills for ethers
• mock react-native-quick-crypto with Node's crypto during tests

Testing

• yarn lint
• yarn build
• yarn workspace @selfxyz/contracts build (fails: Invalid account for network)
• yarn types
• yarn workspace @selfxyz/common test
• yarn workspace @selfxyz/circuits test (fails: Unsupported signature algorithm: undefined)
• yarn workspace @selfxyz/mobile-app test

---

https://chatgpt.com/codex/tasks/task_b_689122b8b05c832d971bf0b1aba26277

Summary by CodeRabbit

• Tests
  • Added tests to verify the correctness of cryptographic functions, including random byte generation, HMAC computation, key derivation, and hashing algorithms.

[coderabbitai]

Warning

Rate limit exceeded

@transphorm has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 21 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 6cdb52a and b172109.

⛔ Files ignored due to path filters (3)

• app/Gemfile.lock is excluded by !**/*.lock
• app/ios/Podfile.lock is excluded by !**/*.lock
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (3)

• app/package.json (1 hunks)
• app/src/utils/ethers.ts (1 hunks)
• app/tests/utils/ethers.test.ts (1 hunks)

Walkthrough

A new test suite has been added to validate the correctness of ethers crypto polyfills. The tests use mocked crypto modules and cover functions such as random byte generation, HMAC computation, PBKDF2 key derivation, and SHA-2 hashing, asserting their outputs against known values.

Changes

Cohort / File(s)	Change Summary
Ethers Crypto Polyfill Tests app/tests/utils/ethers.test.ts	Introduced a comprehensive test suite for ethers crypto polyfills, mocking crypto dependencies and verifying outputs of randomBytes, computeHmac, pbkdf2, sha256, and sha512 functions against hardcoded expected values.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

In the realm where crypto bytes do play,
New tests ensure they won’t go astray.
HMACs and hashes, all put to the test,
With PBKDF2 proving its best.
Secure and sound, the ethers now gleam—
A cryptic delight for the review team!
🔒✨

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/add-tests-for-ethers.ts-logic

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

app/tests/utils/ethers.test.ts (5)

21-30: Well-implemented HMAC test with known vector.

Using known test vectors is the gold standard for cryptographic function testing. The implementation correctly validates HMAC-SHA256 functionality.

Consider adding tests for other HMAC algorithms and edge cases:

it('computeHmac supports different algorithms', () => {
  const result = ethers.computeHmac(
    'sha512',
    ethers.toUtf8Bytes('key'),
    ethers.toUtf8Bytes('data'),
  );
  // Add expected SHA512 HMAC result
});

it('computeHmac handles edge cases', () => {
  // Empty key
  const emptyKey = ethers.computeHmac('sha256', new Uint8Array(0), ethers.toUtf8Bytes('data'));
  // Empty data
  const emptyData = ethers.computeHmac('sha256', ethers.toUtf8Bytes('key'), new Uint8Array(0));
  // Both non-empty results should be produced
  expect(emptyKey.length).toBe(32);
  expect(emptyData.length).toBe(32);
});

---

32-43: Solid PBKDF2 test implementation with room for enhancement.

The test correctly validates PBKDF2 functionality with known parameters. Note that 1000 iterations is suitable for testing but low for production security standards (recommend 100,000+ for production).

Consider adding tests for different parameters and edge cases:

it('pbkdf2 works with different iteration counts and output lengths', () => {
  const result1 = ethers.pbkdf2(
    ethers.toUtf8Bytes('password'),
    ethers.toUtf8Bytes('salt'),
    10000, // Higher iteration count
    64,    // Longer output
    'sha256',
  );
  expect(result1).toHaveLength(64);
  
  const result2 = ethers.pbkdf2(
    ethers.toUtf8Bytes('password'),
    ethers.toUtf8Bytes('salt'),
    1000,
    16,    // Shorter output
    'sha512', // Different hash
  );
  expect(result2).toHaveLength(16);
});

---

45-50: Correct SHA256 test with standard test vector.

The implementation properly tests SHA256 hashing with a known input/output pair and correctly handles UTF-8 encoding.

Add tests for additional inputs and edge cases:

it('sha256 handles various inputs correctly', () => {
  // Empty string
  const empty = ethers.sha256(new Uint8Array(0));
  expect(ethers.hexlify(empty)).toBe(
    '0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
  );
  
  // Binary data
  const binary = ethers.sha256(new Uint8Array([0x00, 0xFF, 0x42]));
  expect(binary).toHaveLength(32);
});

---

52-57: Comprehensive SHA512 test with correct expected output.

The test properly validates SHA512 functionality with the expected 64-byte output length and correct hash value for the input "hello".

Similar to SHA256, consider adding tests for edge cases:

it('sha512 produces consistent 64-byte outputs', () => {
  const empty = ethers.sha512(new Uint8Array(0));
  expect(empty).toHaveLength(64);
  
  const large = ethers.sha512(new Uint8Array(1000).fill(0xAA));
  expect(large).toHaveLength(64);
});

---

11-58: Excellent foundation for crypto polyfill testing with opportunities for enhancement.

This test suite provides solid coverage of the core cryptographic functions with proper use of known test vectors and appropriate mocking. The structure is clean and maintainable.

For a production-grade crypto test suite, consider these architectural improvements:

1. Parameterized tests: Use describe.each() or it.each() for testing multiple input/output pairs
2. Property-based testing: For randomness functions, consider using libraries like fast-check to test statistical properties
3. Performance benchmarks: Add basic performance tests to catch regressions in crypto operations
4. Cross-platform validation: Consider running a subset of tests against actual react-native-quick-crypto in integration tests
5. Security test cases: Add tests that verify crypto functions fail appropriately with invalid inputs

Example enhancement:

const hashTestVectors = [
  ['hello', '0x2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'],
  ['', '0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'],
  // More vectors...
];

describe.each(hashTestVectors)('sha256 test vectors', (input, expected) => {
  it(`hashes "${input}" correctly`, () => {
    const result = ethers.sha256(ethers.toUtf8Bytes(input));
    expect(ethers.hexlify(result)).toBe(expected);
  });
});

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2674a23 and 6cdb52a.

📒 Files selected for processing (1)

• app/tests/utils/ethers.test.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{test,spec}.{ts,js,tsx,jsx}

⚙️ CodeRabbit Configuration File

**/*.{test,spec}.{ts,js,tsx,jsx}: Review test files for:

• Test coverage completeness
• Test case quality and edge cases
• Mock usage appropriateness
• Test readability and maintainability

Files:

• app/tests/utils/ethers.test.ts

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: analyze-ios
• GitHub Check: analyze-android
• GitHub Check: build

🔇 Additional comments (1)

app/tests/utils/ethers.test.ts (1)

5-9: Mocks and Polyfills Verified – Ready to Merge

I’ve confirmed that app/src/utils/ethers.ts registers all necessary crypto polyfills—randomBytes, computeHmac, pbkdf2, sha256, and sha512—using the same method signatures as Node’s native crypto API. Mocking react-native-quick-crypto to delegate to Node’s crypto will faithfully exercise those hooks in tests.

Everything looks solid; no further changes needed.