feat: implement challenge-response wallet session token generation sub-module (#16) #107

Open
Husten150 wants to merge 2 commits into VeriNode-Labs:main from Husten150:feat/challenge-response-auth-16

@Husten150

Closes #16

Summary

Implements the Challenge-Response Wallet Session Token Generation Sub-Module for passwordless authentication using Stellar wallet keypairs.

Endpoints

  • POST /api/v1/auth/challenge - Generates a random 32-byte nonce bound to client IP/User-Agent, stored with 5-minute TTL
  • POST /api/v1/auth/verify - Verifies Ed25519 signature of SHA256(nonce || serverId) using Stellar public key; issues JWT access token (1h) + refresh token (7d)
  • POST /api/v1/auth/refresh - Single-use refresh token rotation with hash-based invalidation

Components

  • src/api/auth/config.ts - Auth configuration with env var overrides
  • src/api/auth/nonce_store.ts - In-memory NonceStore with TTL (Redis-ready interface)
  • src/api/auth/jwt_manager.ts - RS256 JWT signing/verification with auto-generated key pair
  • src/api/auth/session.ts - Express middleware extracting JWT from Authorization header
  • src/api/auth/challenge.ts - Challenge generation handler
  • src/api/auth/verify.ts - Signature verification + token issuance handler
  • src/api/auth/refresh.ts - Refresh token rotation handler
  • src/api/auth/index.ts - Express router with rate limiting (10/ip/min challenge, 5/ip/min verify)

Security Features

  • Cryptographic random 32-byte nonces (crypto.randomBytes)
  • Single-use nonce replay protection
  • IP binding on challenge/verify
  • Stellar StrKey format validation (StrKey.isValidEd25519PublicKey)
  • Ed25519 signature verification via @stellar/stellar-sdk
  • RS256 JWT signing with auto-generated key pair
  • Refresh token rotation with hash-based single-use invalidation

Testing

  • 22 integration tests covering full flow, replay protection, invalid signatures, session middleware, and refresh rotation
  • All tests pass

Husten150 and others added 2 commits June 24, 2026 14:33
…b-module

Implements issue VeriNode-Labs#16 - Challenge-Response Wallet Session Token Generation.

Adds:
- POST /api/v1/auth/challenge - generates 32-byte random nonce, stores in
  memory store with 5-min TTL, returns nonce (base64) and serverId
- POST /api/v1/auth/verify - validates nonce existence/expiry, IP binding,
  Stellar StrKey format, Ed25519 signature of SHA256(nonce || serverId);
  on success issues JWT access token (1h) and refresh token (7d)
- POST /api/v1/auth/refresh - refresh token rotation with single-use
  invalidation of old refresh token
- SessionMiddleware - extracts JWT from Authorization: Bearer header,
  verifies signature using RS256 public key, attaches nodeId to req
- Rate limiting - 10/ip/min on challenge, 5/ip/min on verify
- In-memory NonceStore abstraction for challenge records & refresh hashes
- 22 integration tests covering full auth flow, replay protection,
  invalid signatures, session middleware, refresh rotation
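
The challenge/verify exchange described above, as an added example that is not code from this pull request. It uses Node's built-in `crypto` in place of `@stellar/stellar-sdk`; `SERVER_ID`, the function names, the byte layout of `nonce || serverId`, and the choice to consume the nonce before the other checks are assumptions of the example.

```javascript
// Added example, not the PR's code. Node's built-in crypto stands in for
// @stellar/stellar-sdk; keys are KeyObjects rather than StrKey strings.
const { randomBytes, createHash, generateKeyPairSync, sign, verify } = require("node:crypto");

const SERVER_ID = "example-server"; // assumed value
const TTL_MS = 5 * 60 * 1000;       // 5-minute TTL, as in the PR description
const challenges = new Map();       // nonce (base64) -> { ip, expiresAt }

function issueChallenge(ip, now = Date.now()) {
  const nonce = randomBytes(32).toString("base64");
  challenges.set(nonce, { ip, expiresAt: now + TTL_MS });
  return { nonce, serverId: SERVER_ID };
}

// SHA256(nonce || serverId); assumes raw nonce bytes followed by UTF-8 serverId.
function challengeDigest(nonceB64, serverId) {
  return createHash("sha256")
    .update(Buffer.from(nonceB64, "base64"))
    .update(serverId, "utf8")
    .digest();
}

// Client side: the wallet signs the digest with its Ed25519 private key.
function signChallenge({ nonce, serverId }, privateKey) {
  return sign(null, challengeDigest(nonce, serverId), privateKey);
}

function verifyChallenge({ nonce, signature, publicKey, ip }, now = Date.now()) {
  const record = challenges.get(nonce);
  if (!record) return { ok: false, reason: "unknown_or_used_nonce" };
  // Example's choice: consume the nonce first, so a failed attempt also burns it.
  challenges.delete(nonce);
  if (now > record.expiresAt) return { ok: false, reason: "expired" };
  if (record.ip !== ip) return { ok: false, reason: "ip_mismatch" };
  // The digest is rebuilt from the server's own serverId, never a client-supplied one.
  const valid = verify(null, challengeDigest(nonce, SERVER_ID), publicKey, signature);
  return valid ? { ok: true } : { ok: false, reason: "bad_signature" };
}

// Constructed run: a throwaway key pair and a documentation IP address.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const ip = "203.0.113.7";
  const challenge = issueChallenge(ip);
  const signature = signChallenge(challenge, privateKey);
  const request = { nonce: challenge.nonce, signature, publicKey, ip };
  return { first: verifyChallenge(request), replay: verifyChallenge(request) };
}
console.log(demo());
```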

Development

Successfully merging this pull request may close these issues.

Challenge-Response Wallet Session Token Generation Sub-Module