vestauth 0.18.1 → 0.19.0

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/vestauth/vestauth/compare/v0.18.1...main)
+[Unreleased](https://github.com/vestauth/vestauth/compare/v0.19.0...main)
+
+## [0.19.0](https://github.com/vestauth/vestauth/compare/v0.18.2...v0.19.0) (2026-02-24)
+
+### Added
+
+* Add `POST /rotate` ([#36](https://github.com/vestauth/vestauth/pull/36))
+
+## [0.18.2](https://github.com/vestauth/vestauth/compare/v0.18.1...v0.18.2) (2026-02-24)
+
+### Changed
+
+* Pass `--hostname` ([#35](https://github.com/vestauth/vestauth/pull/35))
 
 ## [0.18.1](https://github.com/vestauth/vestauth/compare/v0.18.0...v0.18.1) (2026-02-24)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.18.1",
+  "version": "0.19.0",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth",

package/src/cli/actions/server/start.js

@@ -10,6 +10,7 @@ async function start () {
 
     await server.start({
       port: options.port,
+      hostname: options.hostname,
       databaseUrl: options.databaseUrl
     })
   } catch (error) {

package/src/cli/commands/server.js

@@ -1,8 +1,6 @@
 const { Command } = require('commander')
 const env = require('./../../lib/helpers/env')
 const databaseUrl = require('./../../lib/helpers/databaseUrl')
-const protocol = require('./../../lib/helpers/protocol')
-const hostname = require('./../../lib/helpers/hostname')
 
 const server = new Command('server')
 
@@ -15,8 +13,7 @@ const startAction = require('./../actions/server/start')
 server.command('start')
   .description('start vestauth server')
   .option('--port <port>', 'port', env('PORT'))
-  .option('--protocol <protocol>', 'https or http', protocol())
-  .option('--hostname <hostname>', 'localhost:3000', hostname())
+  .option('--hostname <hostname>', 'HOSTNAME', env('HOSTNAME'))
   .option('--database-url <databaseUrl>', 'DATABASE_URL', databaseUrl())
   .action(startAction)
 

package/src/lib/helpers/dbMigrate.js

@@ -31,7 +31,7 @@ async function dbMigrate ({ databaseUrl } = {}) {
     connection,
     ssl: { rejectUnauthorized: false },
     migrations: {
-      directory: path.resolve(__dirname, '../../db/migrations')
+      directory: path.resolve(__dirname, '../../server/db/migration')
     }
   })
 

package/src/lib/helpers/resolvePortAndHostname.js

@@ -0,0 +1,34 @@
+function resolvePortAndHostname ({ port, hostname } = {}) {
+  const hasPort = port !== undefined && port !== null && String(port).trim() !== ''
+  const inputPort = hasPort ? String(port).trim() : null
+  const inputHostname = typeof hostname === 'string' ? hostname.trim() : ''
+
+  if (!inputHostname) {
+    const PORT = inputPort || '3000'
+    return {
+      PORT,
+      HOSTNAME: `http://localhost:${PORT}`
+    }
+  }
+
+  const hasScheme = /^https?:\/\//i.test(inputHostname)
+  const bareHostname = hasScheme ? new URL(inputHostname).host : inputHostname
+  const bareHostNoPort = bareHostname.split(':')[0].toLowerCase()
+  const localHostnames = new Set(['localhost', '127.0.0.1'])
+  const defaultScheme = localHostnames.has(bareHostNoPort) ? 'http' : 'https'
+
+  const url = new URL(hasScheme ? inputHostname : `${defaultScheme}://${inputHostname}`)
+
+  const PORT = inputPort || url.port || '3000'
+
+  if (!url.port && localHostnames.has(url.hostname.toLowerCase())) {
+    url.port = PORT
+  }
+
+  return {
+    PORT,
+    HOSTNAME: url.toString().replace(/\/$/, '')
+  }
+}
+
+module.exports = resolvePortAndHostname

package/src/lib/helpers/serverStart.js

@@ -1,7 +1,7 @@
 const serverIndex = require('./../../server/index')
 
-function serverStart ({ port, databaseUrl }) {
-  return serverIndex.start({ port, databaseUrl })
+function serverStart ({ port, hostname, databaseUrl }) {
+  return serverIndex.start({ port, hostname, databaseUrl })
 }
 
 module.exports = serverStart

package/src/lib/helpers/subdomainBaseHost.js

@@ -0,0 +1,18 @@
+function subdomainBaseHost (hostname) {
+  if (!hostname) return null
+
+  const value = String(hostname).trim().toLowerCase()
+  if (!value) return null
+
+  if (value.startsWith('http://') || value.startsWith('https://')) {
+    try {
+      return new URL(value).hostname.toLowerCase()
+    } catch {
+      return null
+    }
+  }
+
+  return value.split('/')[0].split(':')[0]
+}
+
+module.exports = subdomainBaseHost

package/src/server/index.js

@@ -1,25 +1,35 @@
 const { logger } = require('./../shared/logger')
-const tool = require('./../lib/tool')
+const { version } = require('./../lib/helpers/packageJson')
+const resolvePortAndHostname = require('./../lib/helpers/resolvePortAndHostname')
+const subdomainBaseHost = require('./../lib/helpers/subdomainBaseHost')
 const { connectOrm } = require('./models/index')
 const RegisterService = require('./services/registerService')
 const RegisterSerializer = require('./serializers/registerSerializer')
+const RotateService = require('./services/rotateService')
+const RotateSerializer = require('./serializers/rotateSerializer')
+const WhoamiService = require('./services/whoamiService')
+const WhoamiSerializer = require('./serializers/whoamiSerializer')
 
 const express = require('express')
 
-const app = express()
 let DB = null
 let HTTP_SERVER = null
 let CLOSE_PROMISE = null
 let SIGNAL_HANDLERS_INSTALLED = false
 let SIGNAL_HANDLERS = null
+let PORT = null
+let HOSTNAME = null
+
+const app = express()
 app.use(express.json())
 
 app.use((req, res, next) => {
   const hostNoPort = (req.headers.host || '').split(':')[0].toLowerCase()
+  const baseHost = subdomainBaseHost(HOSTNAME)
 
-  // agent-c235... .localhost
-  if (hostNoPort.endsWith('.localhost')) {
-    let sub = hostNoPort.slice(0, -'.localhost'.length) // "agent-c235..."
+  // agent-c235... .localhost or agent-c235... .example.com
+  if (baseHost && hostNoPort.endsWith(`.${baseHost}`)) {
+    let sub = hostNoPort.slice(0, -`.${baseHost}`.length) // "agent-c235..."
 
     // remove "agent-" prefix if present
     if (sub.startsWith('agent-')) {
@@ -38,7 +48,11 @@ app.get('/', (req, res) => {
   if (req.agentUid) {
     res.json({ uid: req.agentUid })
   } else {
-    res.json({ hello: 'vestauth' })
+    res.json({
+      service: 'vestauth',
+      status: 'ok',
+      version
+    })
   }
 })
 
@@ -46,17 +60,14 @@ app.post('/register', async (req, res) => {
   try {
     const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`
 
-    const {
-      agent,
-      publicJwk,
-      isNew
-    } = await new RegisterService({
+    const attrs = {
       models: app.models,
       httpMethod: req.method,
       uri: url,
       headers: req.headers,
       publicJwk: req.body.public_jwk
-    }).run()
+    }
+    const { agent, publicJwk, isNew } = await new RegisterService(attrs).run()
 
     const json = new RegisterSerializer({ agent, publicJwk, isNew }).run()
     res.json(json)
@@ -81,17 +92,44 @@ app.get('/.well-known/http-message-signatures-directory', async (req, res) => {
 app.get('/whoami', async (req, res) => {
   try {
     const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`
-    const verified = await tool.verify(req.method, url, req.headers)
+    const attrs = {
+      httpMethod: req.method,
+      uri: url,
+      headers: req.headers
+    }
+    const agent = await new WhoamiService(attrs).run()
+
+    const json = new WhoamiSerializer({ agent }).run()
+    res.json(json)
+  } catch (err) {
+    logger.error(err)
+    res.status(401).json({ error: { status: 401, code: 401, message: err.message } })
+  }
+})
+
+app.post('/rotate', async (req, res) => {
+  try {
+    const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`
 
-    res.json(verified)
+    const attrs = {
+      models: app.models,
+      httpMethod: req.method,
+      uri: url,
+      headers: req.headers,
+      publicJwk: req.body.public_jwk
+    }
+    const { agent, publicJwk } = await new RotateService(attrs).run()
+
+    const json = new RotateSerializer({ agent, publicJwk }).run()
+    res.json(json)
   } catch (err) {
     logger.error(err)
     res.status(401).json({ error: { status: 401, code: 401, message: err.message } })
   }
 })
 
-async function start ({ port, databaseUrl } = {}) {
-  const PORT = port || '3000'
+async function start ({ port, hostname, databaseUrl } = {}) {
+  ({ PORT, HOSTNAME } = resolvePortAndHostname({ port, hostname }))
 
   if (HTTP_SERVER) return HTTP_SERVER
 
@@ -102,7 +140,7 @@ async function start ({ port, databaseUrl } = {}) {
 
     HTTP_SERVER = await new Promise((resolve, reject) => {
       const server = app.listen(PORT, () => {
-        logger.success(`vestauth server listening on http://localhost:${PORT}`)
+        logger.success(`vestauth server listening on ${HOSTNAME}`)
         resolve(server)
       })
 
@@ -183,5 +221,6 @@ function removeSignalHandlers () {
 module.exports = {
   app,
   start,
-  close
+  close,
+  resolvePortAndHostname
 }

package/src/server/serializers/rotateSerializer.js

@@ -0,0 +1,18 @@
+class RotateSerializer {
+  constructor ({ agent, publicJwk }) {
+    this.agent = agent
+    this.publicJwk = publicJwk
+  }
+
+  run () {
+    const agentFormatted = this.agent.toJSON()
+
+    return {
+      uid: agentFormatted.uidFormatted,
+      kid: this.publicJwk.kid,
+      public_jwk: this.publicJwk.value
+    }
+  }
+}
+
+module.exports = RotateSerializer

package/src/server/serializers/whoamiSerializer.js

@@ -0,0 +1,11 @@
+class WhoamiSerializer {
+  constructor ({ agent }) {
+    this.agent = agent
+  }
+
+  run () {
+    return this.agent
+  }
+}
+
+module.exports = WhoamiSerializer

package/src/server/services/rotateService.js

@@ -0,0 +1,71 @@
+const primitives = require('./../../lib/primitives')
+const parseSignatureInputHeader = require('./../../lib/helpers/parseSignatureInputHeader')
+
+class RotateService {
+  constructor ({ models, httpMethod, uri, headers, publicJwk }) {
+    this.models = models
+    this.httpMethod = httpMethod
+    this.uri = uri
+    this.headers = headers
+    this.publicJwk = publicJwk
+  }
+
+  async run () {
+    const signatureInput = this.headers['Signature-Input'] || this.headers['signature-input']
+    const signatureInputValues = parseSignatureInputHeader(signatureInput)
+
+    const kid = signatureInputValues && signatureInputValues.keyid
+    if (!kid) throw new Error('kid missing')
+
+    const newKid = this.publicJwk && this.publicJwk.kid
+    if (!newKid) throw new Error('new kid missing')
+
+    const currentPublicJwk = await this.models.public_jwk.findOne({ kid })
+    if (!currentPublicJwk) throw new Error('public_jwk not found')
+
+    await primitives.verify(this.httpMethod, this.uri, this.headers, currentPublicJwk.value)
+
+    const agent = await this.models.agent.findOne({ id: currentPublicJwk.agent })
+    if (!agent) throw new Error('agent not found')
+
+    await this.models.public_jwk.db.transaction(async (trx) => {
+      const existingNewPublicJwk = await trx('public_jwks')
+        .select(['id', 'agent_id', 'kid'])
+        .where({ kid: newKid })
+        .first()
+
+      if (existingNewPublicJwk && Number(existingNewPublicJwk.agent_id) !== agent.id) {
+        throw new Error('new kid already belongs to another agent')
+      }
+
+      if (!existingNewPublicJwk) {
+        const now = new Date()
+        await trx('public_jwks').insert({
+          agent_id: agent.id,
+          kid: newKid,
+          value: this.publicJwk,
+          state: 'active',
+          created_at: now,
+          updated_at: now
+        })
+      }
+
+      await trx('public_jwks')
+        .where({ id: currentPublicJwk.id })
+        .update({
+          state: 'revoked',
+          updated_at: new Date()
+        })
+    })
+
+    const rotatedPublicJwk = await this.models.public_jwk.findOne({ kid: newKid })
+    if (!rotatedPublicJwk) throw new Error('rotated public_jwk not found')
+
+    return {
+      agent,
+      publicJwk: rotatedPublicJwk
+    }
+  }
+}
+
+module.exports = RotateService

package/src/server/services/whoamiService.js

@@ -0,0 +1,15 @@
+const tool = require('./../../lib/tool')
+
+class WhoamiService {
+  constructor ({ httpMethod, uri, headers }) {
+    this.httpMethod = httpMethod
+    this.uri = uri
+    this.headers = headers
+  }
+
+  async run () {
+    return tool.verify(this.httpMethod, this.uri, this.headers)
+  }
+}
+
+module.exports = WhoamiService