vestauth 0.14.1 → 0.15.1

package/CHANGELOG.md

@@ -2,7 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/vestauth/vestauth/compare/v0.14.1...main)
+[Unreleased](https://github.com/vestauth/vestauth/compare/v0.15.1...main)
+
+## [0.15.1](https://github.com/vestauth/vestauth/compare/v0.15.0...v0.15.1) (2026-02-23)
+
+### Added
+
+* Add better error handling for `verify` missing headers ([#25](https://github.com/vestauth/vestauth/pull/25))
+
+## [0.15.0](https://github.com/vestauth/vestauth/compare/v0.14.1...v0.15.0) (2026-02-20)
+
+### Added
+
+* Add support for http localhost ([#23](https://github.com/vestauth/vestauth/pull/23))
+* Add support for localhost public key discovery ([#24](https://github.com/vestauth/vestauth/pull/24))
 
 ## [0.14.1](https://github.com/vestauth/vestauth/compare/v0.14.0...v0.14.1) (2026-02-18)
 

package/README.md

@@ -212,6 +212,7 @@ $ vestauth agent init
 <details><summary>`agent init --hostname`</summary><br>
 
 Use `--hostname` to override the agent API hostname (defaults to `AGENT_HOSTNAME`, then `api.vestauth.com`):
+When no scheme is provided, `https://` is assumed. For local non-TLS endpoints, pass `http://...` explicitly.
 
 ```sh
 $ vestauth agent init --hostname https://vestauth.yoursite.com
@@ -372,7 +373,16 @@ Use vestauth directly in code.
 Verify and authenticate an agent's cryptographic identity.
 
 ```js
-const agent = await vestauth.tool.verify(req.method, url, req.headers)
+const agent = await vestauth.tool.verify(httpMethod, url, headers)
+```
+
+</details>
+<details><summary>`primitives.verify()`</summary><br>
+
+Verify and authenticate a signed http request.
+
+```js
+await vestauth.primitives.verify(httpMethod, url, headers, publicJwk)
 ```
 
 </details>
@@ -381,7 +391,7 @@ const agent = await vestauth.tool.verify(req.method, url, req.headers)
 
 ## Available Tools
 
-> Vestauth is pioneering the auth layer for agents. Get in early on this distribution train. [Become a vestauth tool](mailto:mot@dotenvx.com)
+> List of tools. We're actively building tools and looking for others to help grow the vestauth ecosystem with calls for tools like sending email, sms, uploading files and more. Vestauth agents need more tools. A tool is just a sharp API call. Add your tool here.
 
 * AS2 (Agentic Secret Storage) - https://as2.dotenvx.com
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.14.1",
+  "version": "0.15.1",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth",

package/src/cli/actions/agent/init.js

@@ -16,7 +16,7 @@ async function init () {
       logger.info(`• agent exists (${output.path}/AGENT_UID=${output.AGENT_UID})`)
     }
 
-    logger.help('⮕ next run: [vestauth agent curl https://api.vestauth.com/whoami]')
+    logger.help(`⮕ next run: [vestauth agent curl ${output.AGENT_HOSTNAME}/whoami]`)
   } catch (error) {
     catchAndLog(error)
     process.exit(1)

package/src/lib/api/postRegister.js

@@ -10,12 +10,13 @@ class PostRegister {
   }
 
   async run () {
-    const url = `${this.hostname}/register`
+    const hostname = this.hostname
+    const url = `${hostname}/register`
     const publicJwk = this.publicJwk
     const privateJwk = this.privateJwk
 
     const httpMethod = 'POST'
-    const headers = await agentHeaders(httpMethod, url, 'REGISTERING', JSON.stringify(privateJwk))
+    const headers = await agentHeaders(httpMethod, url, 'REGISTERING', JSON.stringify(privateJwk), null, null, hostname)
     headers['Content-Type'] = 'application/json'
 
     const resp = await http(url, {

package/src/lib/helpers/agentHeaders.js

@@ -1,7 +1,7 @@
 const headers = require('./headers')
 const identity = require('./identity')
 
-async function agentHeaders (httpMethod, uri, uid = null, privateJwk = null, tag = 'web-bot-auth', nonce = null) {
+async function agentHeaders (httpMethod, uri, uid = null, privateJwk = null, tag = 'web-bot-auth', nonce = null, hostname = null) {
   if (!privateJwk) {
     privateJwk = identity().privateJwk
   }
@@ -10,7 +10,7 @@ async function agentHeaders (httpMethod, uri, uid = null, privateJwk = null, tag
     uid = identity().uid
   }
 
-  return await headers(httpMethod, uri, uid, privateJwk, tag, nonce)
+  return await headers(httpMethod, uri, uid, privateJwk, tag, nonce, hostname)
 }
 
 module.exports = agentHeaders

package/src/lib/helpers/agentInit.js

@@ -22,12 +22,13 @@ async function agentInit (hostname = null) {
   dotenvx.set('AGENT_PUBLIC_JWK', JSON.stringify(kp.publicJwk), { path: envPath, plain: true, quiet: true })
   dotenvx.set('AGENT_PRIVATE_JWK', JSON.stringify(kp.privateJwk), { path: envPath, plain: true, quiet: true })
   if (shouldPersistHostname) {
-    dotenvx.set('AGENT_HOSTNAME', new URL(normalizedHostname).host, { path: envPath, plain: true, quiet: true })
+    dotenvx.set('AGENT_HOSTNAME', normalizedHostname, { path: envPath, plain: true, quiet: true })
   }
 
   return {
-    AGENT_PUBLIC_JWK: kp.publicJwk,
     AGENT_UID: agent.uid,
+    AGENT_PUBLIC_JWK: kp.publicJwk,
+    AGENT_HOSTNAME: normalizedHostname,
     path: envPath,
     isNew: agent.is_new
   }

package/src/lib/helpers/errors.js

@@ -59,6 +59,15 @@ class Errors {
     return e
   }
 
+  missingSignatureInput () {
+    const code = 'MISSING_SIGNATURE_INPUT'
+    const message = `[${code}] missing --signature-input`
+
+    const e = new Error(message)
+    e.code = code
+    return e
+  }
+
   missingSignatureAgent () {
     const code = 'MISSING_SIGNATURE_AGENT'
     const message = `[${code}] missing --signature-agent`

package/src/lib/helpers/headers.js

@@ -4,12 +4,16 @@ const signatureParams = require('./signatureParams')
 const webBotAuthSignature = require('./webBotAuthSignature')
 const env = require('./env')
 
-function getAgentDiscoveryDomain () {
-  const hostname = (env('AGENT_HOSTNAME') || process.env.AGENT_HOSTNAME || 'api.vestauth.com').trim().toLowerCase()
-  return hostname.replace(/^https?:\/\//, '').split('/')[0]
+function getAgentDiscoveryOrigin (hostname = null) {
+  if (!hostname) {
+    hostname = (env('AGENT_HOSTNAME') || process.env.AGENT_HOSTNAME || 'api.vestauth.com').trim()
+  }
+
+  const candidate = /^https?:\/\//i.test(hostname) ? hostname : `https://${hostname}`
+  return new URL(candidate).origin
 }
 
-async function headers (httpMethod, uri, uid, privateJwk, tag = 'web-bot-auth', nonce = null) {
+async function headers (httpMethod, uri, uid, privateJwk, tag = 'web-bot-auth', nonce = null, hostname = null) {
   if (!uid) throw new Errors().missingUid()
   if (!privateJwk) throw new Errors().missingPrivateJwk()
 
@@ -27,12 +31,14 @@ async function headers (httpMethod, uri, uid, privateJwk, tag = 'web-bot-auth',
 
   const signatureInput = signatureParams(privateJwk.kid, tag, nonce)
   const signature = webBotAuthSignature(httpMethod, uri, signatureInput, privateJwk)
-  const signatureAgent = `${uid}.${getAgentDiscoveryDomain()}` // no scheme; fqdn only
+  const discoveryOrigin = getAgentDiscoveryOrigin(hostname)
+  const discoveryUrl = new URL(discoveryOrigin)
+  const signatureAgent = `${discoveryUrl.protocol}//${uid}.${discoveryUrl.host}`
 
   return {
     Signature: `sig1=:${signature}:`,
     'Signature-Input': `sig1=${signatureInput}`,
-    'Signature-Agent': `sig1=${signatureAgent}`
+    'Signature-Agent': `sig1="${signatureAgent}"`
   }
 }
 

package/src/lib/helpers/isEmptyObject.js

@@ -0,0 +1,9 @@
+function isEmptyObject (value) {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return false
+  }
+
+  return Object.keys(value).length === 0
+}
+
+module.exports = isEmptyObject

package/src/lib/helpers/isLocalhost.js

@@ -0,0 +1,6 @@
+function isLocalhost (wellKnownUrl) {
+  const url = new URL(wellKnownUrl)
+  return url.hostname === 'localhost' || url.hostname.endsWith('.localhost')
+}
+
+module.exports = isLocalhost

package/src/lib/helpers/parseSignatureInputHeader.js

@@ -2,21 +2,21 @@ const { parseDictionary } = require('structured-headers')
 
 // example: sig1=(\"@authority\");created=1769707366;keyid=\"xWuYtVgVV_ZQcfEWexUoln9ynA56PmfF4tAvWQ_Bf_o\";alg=\"ed25519\";expires=1769707666;nonce=\"RtdaKawQVJxEAJwCfI_5-7oVTmfjFkz-rGGifYZ2o2MdAMwJF2nYG3713rL1f9FJmPp8T2j4Sqcmh8H8p8TkRA\";tag=\"web-bot-auth\"
 function parseSignatureInputHeader (signatureInputHeader) {
+  if (signatureInputHeader == null) {
+    return {}
+  }
+
+  if (typeof signatureInputHeader !== 'string' || signatureInputHeader.trim() === '') {
+    return {}
+  }
+
   const dictionary = parseDictionary(signatureInputHeader)
   const entry = dictionary.entries().next()
-  const [key, innerlist] = entry.value
-  const [cwp, params] = innerlist
+  const [, innerlist] = entry.value
+  const [, params] = innerlist
   const values = Object.fromEntries(params)
-  const components = []
-  for (const entry of cwp) {
-    components.push(entry[0])
-  }
 
-  return {
-    key,
-    values,
-    components
-  }
+  return values
 }
 
 module.exports = parseSignatureInputHeader

package/src/lib/helpers/verify.js

@@ -9,20 +9,29 @@ const authorityMessage = require('./authorityMessage')
 const publicJwkObject = require('./publicJwkObject')
 const verifyAgentFqdn = require('./verifyAgentFqdn')
 const Errors = require('./errors')
+const isLocalhost = require('./isLocalhost')
+const isEmptyObject = require('./isEmptyObject')
 
 async function resolvePublicJwk ({ signatureInput, signatureAgent, publicJwk }) {
   let uid
   let wellKnownUrl
 
-  const { values } = parseSignatureInputHeader(signatureInput)
+  const values = parseSignatureInputHeader(signatureInput)
+  if (!values || isEmptyObject(values)) {
+    throw new Errors().missingSignatureInput()
+  }
+
   const kid = values.keyid
 
   if (signatureAgent) {
     const { value } = parseSignatureAgentHeader(signatureAgent)
-    const fqdn = value
-    verifyAgentFqdn(fqdn)
-    const origin = `https://${fqdn}`
-    uid = fqdn.split('.')[0]
+    const isUri = /^https?:\/\//i.test(value)
+    const origin = isUri ? new URL(value).origin : `https://${value}`
+    const hostname = new URL(origin).hostname
+    if (!isLocalhost(origin)) {
+      verifyAgentFqdn(hostname)
+    }
+    uid = hostname.split('.')[0]
     wellKnownUrl = `${origin}/.well-known/http-message-signatures-directory`
   }
 
@@ -33,7 +42,22 @@ async function resolvePublicJwk ({ signatureInput, signatureAgent, publicJwk })
     return { publicJwk: null }
   }
 
-  const resp = await http(wellKnownUrl, { method: 'GET', headers: { 'Content-Type': 'application/json' } })
+  let requestUrl = wellKnownUrl
+  const requestHeaders = {}
+
+  const url = new URL(requestUrl)
+  if (isLocalhost(wellKnownUrl)) {
+    const port = url.port || '80'
+    requestUrl = `http://127.0.0.1:${port}${url.pathname}`
+    requestHeaders.host = url.host
+  }
+
+  const opts = { method: 'GET' }
+  if (Object.keys(requestHeaders).length > 0) {
+    opts.headers = requestHeaders
+  }
+
+  const resp = await http(requestUrl, opts)
   if (resp.statusCode >= 400) {
     const json = await resp.body.json()
     throw buildApiError(resp.statusCode, json)
@@ -61,7 +85,11 @@ async function verify (httpMethod, uri, headers = {}, publicJwk) {
   const signatureInput = headers['Signature-Input'] || headers['signature-input']
   const signatureAgent = headers['Signature-Agent'] || headers['signature-agent']
 
-  const { values } = parseSignatureInputHeader(signatureInput)
+  const values = parseSignatureInputHeader(signatureInput)
+  if (!values || isEmptyObject(values)) {
+    throw new Errors().missingSignatureInput()
+  }
+
   const { expires } = values
   if (expires && expires < (Math.floor(Date.now() / 1000))) {
     throw new Errors().expiredSignature()

package/src/lib/helpers/verifyAgentFqdn.js

@@ -16,7 +16,6 @@ function verifyAgentFqdn (fqdn) {
   if (!fqdn || typeof fqdn !== 'string') {
     throw new Errors().invalidSignatureAgent()
   }
-
   const pattern = getToolFqdnRegex()
   if (!pattern.test(fqdn)) {
     throw new Errors().invalidSignatureAgent()