vestauth 0.18.2 → 0.20.0

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/vestauth/vestauth/compare/v0.18.2...main)
+[Unreleased](https://github.com/vestauth/vestauth/compare/v0.20.0...main)
+
+## [0.20.0](https://github.com/vestauth/vestauth/compare/v0.19.0...v0.20.0) (2026-02-24)
+
+### Added
+
+* Add server logs ([#37](https://github.com/vestauth/vestauth/pull/37))
+
+## [0.19.0](https://github.com/vestauth/vestauth/compare/v0.18.2...v0.19.0) (2026-02-24)
+
+### Added
+
+* Add `POST /rotate` ([#36](https://github.com/vestauth/vestauth/pull/36))
 
 ## [0.18.2](https://github.com/vestauth/vestauth/compare/v0.18.1...v0.18.2) (2026-02-24)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.18.2",
+  "version": "0.20.0",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth",

package/src/server/index.js

@@ -1,10 +1,14 @@
 const { logger } = require('./../shared/logger')
-const tool = require('./../lib/tool')
+const { version } = require('./../lib/helpers/packageJson')
 const resolvePortAndHostname = require('./../lib/helpers/resolvePortAndHostname')
 const subdomainBaseHost = require('./../lib/helpers/subdomainBaseHost')
 const { connectOrm } = require('./models/index')
 const RegisterService = require('./services/registerService')
 const RegisterSerializer = require('./serializers/registerSerializer')
+const RotateService = require('./services/rotateService')
+const RotateSerializer = require('./serializers/rotateSerializer')
+const WhoamiService = require('./services/whoamiService')
+const WhoamiSerializer = require('./serializers/whoamiSerializer')
 
 const express = require('express')
 
@@ -18,6 +22,22 @@ let HOSTNAME = null
 
 const app = express()
 app.use(express.json())
+app.use((req, res, next) => {
+  const startedAt = Date.now()
+
+  res.on('finish', () => {
+    const durationMs = Date.now() - startedAt
+    const host = req.get('host') || '-'
+    const contentLength = res.getHeader('content-length') || '-'
+
+    logger.info(
+      `at=info method=${req.method} path="${req.originalUrl}" status=${res.statusCode} ` +
+      `host="${host}" duration_ms=${durationMs} bytes=${contentLength}`
+    )
+  })
+
+  next()
+})
 
 app.use((req, res, next) => {
   const hostNoPort = (req.headers.host || '').split(':')[0].toLowerCase()
@@ -44,7 +64,11 @@ app.get('/', (req, res) => {
   if (req.agentUid) {
     res.json({ uid: req.agentUid })
   } else {
-    res.json({ hello: 'vestauth' })
+    res.json({
+      service: 'vestauth',
+      status: 'ok',
+      version
+    })
   }
 })
 
@@ -52,17 +76,14 @@ app.post('/register', async (req, res) => {
   try {
     const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`
 
-    const {
-      agent,
-      publicJwk,
-      isNew
-    } = await new RegisterService({
+    const attrs = {
       models: app.models,
       httpMethod: req.method,
       uri: url,
       headers: req.headers,
       publicJwk: req.body.public_jwk
-    }).run()
+    }
+    const { agent, publicJwk, isNew } = await new RegisterService(attrs).run()
 
     const json = new RegisterSerializer({ agent, publicJwk, isNew }).run()
     res.json(json)
@@ -87,9 +108,36 @@ app.get('/.well-known/http-message-signatures-directory', async (req, res) => {
 app.get('/whoami', async (req, res) => {
   try {
     const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`
-    const verified = await tool.verify(req.method, url, req.headers)
+    const attrs = {
+      httpMethod: req.method,
+      uri: url,
+      headers: req.headers
+    }
+    const agent = await new WhoamiService(attrs).run()
 
-    res.json(verified)
+    const json = new WhoamiSerializer({ agent }).run()
+    res.json(json)
+  } catch (err) {
+    logger.error(err)
+    res.status(401).json({ error: { status: 401, code: 401, message: err.message } })
+  }
+})
+
+app.post('/rotate', async (req, res) => {
+  try {
+    const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`
+
+    const attrs = {
+      models: app.models,
+      httpMethod: req.method,
+      uri: url,
+      headers: req.headers,
+      publicJwk: req.body.public_jwk
+    }
+    const { agent, publicJwk } = await new RotateService(attrs).run()
+
+    const json = new RotateSerializer({ agent, publicJwk }).run()
+    res.json(json)
   } catch (err) {
     logger.error(err)
     res.status(401).json({ error: { status: 401, code: 401, message: err.message } })

package/src/server/serializers/rotateSerializer.js

@@ -0,0 +1,18 @@
+class RotateSerializer {
+  constructor ({ agent, publicJwk }) {
+    this.agent = agent
+    this.publicJwk = publicJwk
+  }
+
+  run () {
+    const agentFormatted = this.agent.toJSON()
+
+    return {
+      uid: agentFormatted.uidFormatted,
+      kid: this.publicJwk.kid,
+      public_jwk: this.publicJwk.value
+    }
+  }
+}
+
+module.exports = RotateSerializer

package/src/server/serializers/whoamiSerializer.js

@@ -0,0 +1,11 @@
+class WhoamiSerializer {
+  constructor ({ agent }) {
+    this.agent = agent
+  }
+
+  run () {
+    return this.agent
+  }
+}
+
+module.exports = WhoamiSerializer

package/src/server/services/rotateService.js

@@ -0,0 +1,71 @@
+const primitives = require('./../../lib/primitives')
+const parseSignatureInputHeader = require('./../../lib/helpers/parseSignatureInputHeader')
+
+class RotateService {
+  constructor ({ models, httpMethod, uri, headers, publicJwk }) {
+    this.models = models
+    this.httpMethod = httpMethod
+    this.uri = uri
+    this.headers = headers
+    this.publicJwk = publicJwk
+  }
+
+  async run () {
+    const signatureInput = this.headers['Signature-Input'] || this.headers['signature-input']
+    const signatureInputValues = parseSignatureInputHeader(signatureInput)
+
+    const kid = signatureInputValues && signatureInputValues.keyid
+    if (!kid) throw new Error('kid missing')
+
+    const newKid = this.publicJwk && this.publicJwk.kid
+    if (!newKid) throw new Error('new kid missing')
+
+    const currentPublicJwk = await this.models.public_jwk.findOne({ kid })
+    if (!currentPublicJwk) throw new Error('public_jwk not found')
+
+    await primitives.verify(this.httpMethod, this.uri, this.headers, currentPublicJwk.value)
+
+    const agent = await this.models.agent.findOne({ id: currentPublicJwk.agent })
+    if (!agent) throw new Error('agent not found')
+
+    await this.models.public_jwk.db.transaction(async (trx) => {
+      const existingNewPublicJwk = await trx('public_jwks')
+        .select(['id', 'agent_id', 'kid'])
+        .where({ kid: newKid })
+        .first()
+
+      if (existingNewPublicJwk && Number(existingNewPublicJwk.agent_id) !== agent.id) {
+        throw new Error('new kid already belongs to another agent')
+      }
+
+      if (!existingNewPublicJwk) {
+        const now = new Date()
+        await trx('public_jwks').insert({
+          agent_id: agent.id,
+          kid: newKid,
+          value: this.publicJwk,
+          state: 'active',
+          created_at: now,
+          updated_at: now
+        })
+      }
+
+      await trx('public_jwks')
+        .where({ id: currentPublicJwk.id })
+        .update({
+          state: 'revoked',
+          updated_at: new Date()
+        })
+    })
+
+    const rotatedPublicJwk = await this.models.public_jwk.findOne({ kid: newKid })
+    if (!rotatedPublicJwk) throw new Error('rotated public_jwk not found')
+
+    return {
+      agent,
+      publicJwk: rotatedPublicJwk
+    }
+  }
+}
+
+module.exports = RotateService

package/src/server/services/whoamiService.js

@@ -0,0 +1,15 @@
+const tool = require('./../../lib/tool')
+
+class WhoamiService {
+  constructor ({ httpMethod, uri, headers }) {
+    this.httpMethod = httpMethod
+    this.uri = uri
+    this.headers = headers
+  }
+
+  async run () {
+    return tool.verify(this.httpMethod, this.uri, this.headers)
+  }
+}
+
+module.exports = WhoamiService