@rodit/rodit-auth-be 9.11.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/CHANGELOG.md +54 -0
  2. package/README.md +3543 -0
  3. package/index.js +1884 -0
  4. package/lib/auth/authentication.js +1971 -0
  5. package/lib/auth/roditmanager.js +627 -0
  6. package/lib/auth/sessionmanager.js +1302 -0
  7. package/lib/auth/tokenservice.js +2418 -0
  8. package/lib/blockchain/blockchainservice.js +1715 -0
  9. package/lib/blockchain/statemanager.js +1614 -0
  10. package/lib/middleware/authenticationmw.js +2301 -0
  11. package/lib/middleware/environcredentialstoremw.js +176 -0
  12. package/lib/middleware/filecredentialstoremw.js +158 -0
  13. package/lib/middleware/loggingmw.js +82 -0
  14. package/lib/middleware/performanceexamplemw.js +58 -0
  15. package/lib/middleware/performancemw.js +172 -0
  16. package/lib/middleware/ratelimitmw.js +171 -0
  17. package/lib/middleware/validatepermissionsmw.js +439 -0
  18. package/lib/middleware/vaultcredentialstoremw.js +617 -0
  19. package/lib/middleware/versioningmw.js +142 -0
  20. package/lib/middleware/webhookhandlermw.js +1388 -0
  21. package/package.json +57 -0
  22. package/services/configsdk.js +588 -0
  23. package/services/env.js +34 -0
  24. package/services/error-response.js +29 -0
  25. package/services/logger.js +160 -0
  26. package/services/performanceservice.js +568 -0
  27. package/services/utils.js +1024 -0
  28. package/services/versionmanager.js +81 -0
package/CHANGELOG.md ADDED
@@ -0,0 +1,54 @@
1
+ # Changelog
2
+
3
+ All notable changes to `@rodit/rodit-auth-be` are documented here.
4
+
5
+ ## [8.0.0] — 2026-05-02
6
+
7
+ ### Breaking
8
+
9
+ - **`login_client` / `POST /api/login` body**
10
+ - Signature field: prefer **`base64url_signature`**, or the same bytes under **`roditid_base64url_signature`** (for callers such as **`login_server`**). Sending **both** keys non-empty is **400** `LOGIN_PAYLOAD_DEPRECATED`.
11
+ - Hard-deprecated keys (always **400** `LOGIN_PAYLOAD_DEPRECATED`): **`signature`**, **`account_id`**.
12
+ - Identifiers: exactly **one** of **`roditid`** or **`accountid`** non-empty (both non-empty → **400** `LOGIN_IDENTIFIER_AMBIGUOUS`).
13
+ - Error codes: **`MISSING_LOGIN_IDENTIFIER`**, **`MISSING_BASE64URL_SIGNATURE`** (400, flat `{ error, message, requestId }`).
14
+
15
+ - **Outbound login (`login_server`, `login_portal`)**
16
+ Request bodies keep **`roditid_base64url_signature`** on the wire (stable field name for peers). **`login_portal`**: `roditid`, `timestamp`, `roditid_base64url_signature`. **`login_server`**: `timestamp`, `roditid_base64url_signature`, plus **`roditid`** and/or **`accountid`** per signing mode.
17
+
18
+ - **Peer resolution vs verification**
19
+ - **`resolve_peer_rodit_for_login(roditid, accountid)`** — fetch by rodit id first, then by account id (see implementation).
20
+ - **`verify_peer_rodit(peer_rodit, peerroditid, timestamp, signature)`** — timestamp, ownership, match, live, active, trust (no chain fetch).
21
+ - Removed **`verify_peerrodit_getrodit`** and **`verify_peeraccount_getrodit`** (call **`resolve_peer_rodit_for_login`** then **`verify_peer_rodit`**).
22
+
23
+ ### Fixed
24
+
25
+ - Removed an invalid synchronous **`require('jose')`** in `tokenservice.js` (jose is ESM-only); signing paths already use dynamic `import('jose')`.
26
+
27
+ ### Migration from 7.x
28
+
29
+ ```javascript
30
+ // Before (7.x)
31
+ await fetch('/api/login', {
32
+ method: 'POST',
33
+ headers: { 'Content-Type': 'application/json' },
34
+ body: JSON.stringify({
35
+ roditid,
36
+ timestamp,
37
+ roditid_base64url_signature: sig,
38
+ // or account_id — removed
39
+ }),
40
+ });
41
+
42
+ // After (8.x)
43
+ await fetch('/api/login', {
44
+ method: 'POST',
45
+ headers: { 'Content-Type': 'application/json' },
46
+ body: JSON.stringify({
47
+ roditid, // and/or accountid (hex)
48
+ timestamp,
49
+ base64url_signature: sig,
50
+ }),
51
+ });
52
+ ```
53
+
54
+ Rename fields only; signing payload remains **`identifier + timestamp_iso`** where identifier is the same string you send as `roditid` or `accountid` per the resolution rule above.