Skip to content

Feat/signature verification library #464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Nov 24, 2025
Merged

Feat/signature verification library #464

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
198b7b5
chore: key sync on login
coodos Nov 24, 2025
d103751
chore: loosen CORS for evault-core
coodos Nov 24, 2025
157a685
fix: default key ID
coodos Nov 24, 2025
dc95e1c
chore: EID_WALLET_TOKEN .env variable
coodos Nov 24, 2025
b1ebf31
chore: apply changes for .env
coodos Nov 24, 2025
56aceac
feat: signature validator library
coodos Nov 24, 2025
e692130
chore: fix lockfile
coodos Nov 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions infrastructure/eid-wallet/src/env.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,5 @@ declare namespace App {}
declare module "$env/static/public" {
export const PUBLIC_REGISTRY_URL: string;
export const PUBLIC_PROVISIONER_URL: string;
export const PUBLIC_EID_WALLET_TOKEN: string;
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

PUBLIC_EID_WALLET_TOKEN in $env/static/public will be exposed to the browser

Declaring PUBLIC_EID_WALLET_TOKEN in the $env/static/public module means its value is statically inlined into client bundles and is not secret. If this token is used for authenticating sensitive operations (e.g., calling eVault /public-key), exposing it to all client code (and, transitively, attackers running JS in the browser) significantly weakens your security model.

Please:

  • Confirm that this token is truly safe to be public, or
  • Move it to a private env module ($env/static/private/dynamic private) and adjust the flow so that only trusted server-side code uses it.

Based on prior learnings about avoiding PUBLIC_* envs for critical configuration (e.g., PUBLIC_PLATFORM_URL), this is worth a careful threat-model review rather than treating it as just another public constant.

🏁 Script executed:

#!/bin/bash
# Examine env.d.ts file content to see token declaration context
cat infrastructure/eid-wallet/src/env.d.ts

Length of output: 251

🏁 Script executed:

#!/bin/bash
# Search for how PUBLIC_EID_WALLET_TOKEN is used in the codebase
rg -n "PUBLIC_EID_WALLET_TOKEN" infrastructure/eid-wallet/

Length of output: 469

🏁 Script executed:

#!/bin/bash
# Check for .env.example or .env template files
fd -t f "\\.env" infrastructure/eid-wallet/ | head -20

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Search for eVault API calls and /public-key references to understand token usage
rg -n "public-key|eVault|PUBLIC_EID_WALLET" infrastructure/eid-wallet/ -A 3 -B 3

Length of output: 47537

}
71 changes: 49 additions & 22 deletions infrastructure/eid-wallet/src/lib/global/controllers/evault.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
import { PUBLIC_REGISTRY_URL, PUBLIC_PROVISIONER_URL } from "$env/static/public";
import {
PUBLIC_REGISTRY_URL,
PUBLIC_PROVISIONER_URL,
PUBLIC_EID_WALLET_TOKEN,
} from "$env/static/public";
Comment on lines +1 to +5
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify that PUBLIC_EID_WALLET_TOKEN is configured in the environment.

The import of PUBLIC_EID_WALLET_TOKEN represents a shift from registry entropy to environment-based token derivation. Ensure this token is properly configured in your deployment environment.

🌐 Web query:

What is the recommended way to configure PUBLIC_EID_WALLET_TOKEN in SvelteKit for production deployments?

💡 Result:

Short answer

  • Don’t expose a sensitive wallet token to the browser. If the EID wallet token is secret, keep it server‑side (no PUBLIC_ prefix) and implement a server endpoint that uses it. [1][2]

If the token truly must be client‑visible

  • Add PUBLIC_EID_WALLET_TOKEN to your production environment variables in your host (Vercel/Netlify/Cloudflare/AWS/SST) rather than committing it to source or .env. Use the host’s dashboard/secret store so it’s injected at build/run time. [3][4]
  • Import it in client code via SvelteKit’s APIs:
    • Build‑time/static value: import { PUBLIC_EID_WALLET_TOKEN } from '$env/static/public'.
    • Runtime/dynamic value: import { env } from '$env/dynamic/public' and read env.PUBLIC_EID_WALLET_TOKEN. Prefer dynamic if the value may change between builds. [1][2]

Why this is recommended

  • PUBLIC_ prefix marks variables safe for client exposure; SvelteKit only exposes variables with that prefix to browser code. Use host environment settings to manage production values and avoid committing secrets. [1][2][3]

References

  1. SvelteKit environment variables docs (public vs private, static vs dynamic). [SvelteKit docs]. [1]
  2. $env/static/public and $env/dynamic/public usage (build-time vs runtime). [SvelteKit docs]. [2]
  3. Deployers’ guidance: set environment variables in your hosting provider (example: SST SvelteKitSite / hosting dashboards). [SST / hosting docs]. [3]
  4. Platform notes on framework env var naming and how hosts expose vars (Vercel discussion). [4]

I need to verify the codebase to understand the context better before rewriting the review comment.

Based on the web search results and the learnings from the repository, I can now provide my final analysis.

Remove the PUBLIC_EID_WALLET_TOKEN import and convert to a server-side private variable.

The import of PUBLIC_EID_WALLET_TOKEN conflicts with SvelteKit security best practices and eID wallet token handling standards. Authentication tokens should be kept secret and the signing key should be treated like any other credential and revealed only to services that need it. Private environment variables should only be accessed inside .server files, and secrets should be handled using server-only modules by adding .server to a filename or placing files inside $lib/server.

Since evault.ts is a client-side library controller in src/lib/global/controllers/, the token should not be imported there. Instead:

  • Convert PUBLIC_EID_WALLET_TOKEN to a private variable (remove PUBLIC_ prefix)
  • Move token usage to a server-side endpoint (e.g., +server.ts or .server.ts file)
  • Have the client-side code call the server endpoint rather than using the token directly

This aligns with the project's pattern noted in the learnings: public environment variables should not be added as configuration fallbacks.

import type { Store } from "@tauri-apps/plugin-store";
import axios from "axios";
import { GraphQLClient } from "graphql-request";
Expand Down Expand Up @@ -52,7 +56,11 @@ export class VaultController {
#profileCreationStatus: "idle" | "loading" | "success" | "failed" = "idle";
#notificationService: NotificationService;

constructor(store: Store, userController: UserController, keyService?: KeyService) {
constructor(
store: Store,
userController: UserController,
keyService?: KeyService,
) {
this.#store = store;
this.#userController = userController;
this.#keyService = keyService || null;
Expand Down Expand Up @@ -81,17 +89,21 @@ export class VaultController {
* Sync public key to eVault core
* Checks if public key was already saved, calls /whois, and PATCH if needed
*/
private async syncPublicKey(eName: string): Promise<void> {
async syncPublicKey(eName: string): Promise<void> {
try {
// Check if we've already saved the public key
const savedKey = localStorage.getItem(`publicKeySaved_${eName}`);
if (savedKey === "true") {
console.log(`Public key already saved for ${eName}, skipping sync`);
console.log(
`Public key already saved for ${eName}, skipping sync`,
);
return;
}
Comment on lines 95 to 101
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Consider more robust sync state tracking than localStorage.

Using localStorage to track whether the public key was synced can be unreliable since users can clear browser storage. This could lead to:

  • Unnecessary PATCH requests if localStorage is cleared
  • False assumptions about sync state across sessions

Consider alternatives:

  1. Store sync state in the Tauri Store alongside other vault data for persistence
  2. Always check /whois (which you already do) and skip the localStorage check entirely, relying on the server as source of truth

Apply this diff to use Tauri Store instead:

-            // Check if we've already saved the public key
-            const savedKey = localStorage.getItem(`publicKeySaved_${eName}`);
-            if (savedKey === "true") {
+            // Check if we've already saved the public key from store
+            const savedKey = await this.#store.get<boolean>(`publicKeySaved_${eName}`);
+            if (savedKey === true) {
                 console.log(
                     `Public key already saved for ${eName}, skipping sync`,
                 );

And update the save call at line 185:

-            // Mark as saved
-            localStorage.setItem(`publicKeySaved_${eName}`, "true");
+            // Mark as saved in store
+            await this.#store.set(`publicKeySaved_${eName}`, true);

Committable suggestion skipped: line range outside the PR's diff.


if (!this.#keyService) {
console.warn("KeyService not available, cannot sync public key");
console.warn(
"KeyService not available, cannot sync public key",
);
return;
}

Expand All @@ -118,23 +130,42 @@ export class VaultController {
return;
}

// Get public key from KeyService
const publicKey = await this.#keyService.getPublicKey(eName, "signing");
// Get public key using the exact same logic as onboarding/verification flow
// KEY_ID is always "default", context depends on whether user is pre-verification
const KEY_ID = "default";

// Determine context: check if user is pre-verification (fake/demo user)
const isFake = await this.#userController.isFake;
const context = isFake ? "pre-verification" : "onboarding";

// Get public key using the same method as getApplicationPublicKey() in onboarding/verify
let publicKey: string | undefined;
try {
publicKey = await this.#keyService.getPublicKey(
KEY_ID,
context,
);
} catch (error) {
console.error(
`Failed to get public key for ${KEY_ID} with context ${context}:`,
error,
);
return;
}

if (!publicKey) {
console.warn(`No public key found for ${eName}, cannot sync`);
console.warn(
`No public key found for ${KEY_ID} with context ${context}, cannot sync`,
);
return;
}

// Get authentication token from registry
let authToken: string | null = null;
try {
const entropyResponse = await axios.get(
new URL("/entropy", PUBLIC_REGISTRY_URL).toString()
// Get authentication token from environment variable
const authToken = PUBLIC_EID_WALLET_TOKEN || null;
if (!authToken) {
console.warn(
"PUBLIC_EID_WALLET_TOKEN not set, request may fail authentication",
);
authToken = entropyResponse.data?.token || null;
} catch (error) {
console.error("Failed to get auth token from registry:", error);
// Continue without token - server will reject if auth is required
}
Comment on lines +163 to 169
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Review the security implications of continuing without authentication token.

The code warns but continues if PUBLIC_EID_WALLET_TOKEN is not set, which could lead to:

  • Silent authentication failures on the server side
  • Unexpected 401/403 responses that aren't clearly traced to missing token
  • Potential security bypass if the server doesn't properly enforce authentication

Consider one of these approaches:

  1. Fail fast (recommended): Throw an error if the token is not set, making misconfigurations immediately visible:
             const authToken = PUBLIC_EID_WALLET_TOKEN || null;
             if (!authToken) {
-                console.warn(
-                    "PUBLIC_EID_WALLET_TOKEN not set, request may fail authentication",
-                );
+                throw new Error(
+                    "PUBLIC_EID_WALLET_TOKEN not set, cannot authenticate public key sync",
+                );
             }
  1. Make it truly optional: If the token is genuinely optional (e.g., for development), add a clearer comment explaining when/why it's optional.

Which approach aligns with your authentication requirements?

I'll investigate the authentication token handling to verify the security implications. Let me examine the codebase context.

🏁 Script executed:

#!/bin/bash
# Find and examine the evault.ts file with context around the flagged lines
fd -t f "evault.ts" --exec head -n 200 {} \; | tail -n 150

Length of output: 5194

🏁 Script executed:

#!/bin/bash
# Search for authToken usage in the file to understand how it's handled
rg -n "authToken" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -A 5 -B 5

Length of output: 832

🏁 Script executed:

#!/bin/bash
# Check for authentication-related setup and configuration in the wallet
rg -n "PUBLIC_EID_WALLET_TOKEN" infrastructure/eid-wallet/ -B 3 -A 3

Length of output: 2048

🏁 Script executed:

#!/bin/bash
# Search for similar authentication patterns in the codebase
rg -n "throw new Error" infrastructure/eid-wallet/src/lib/global/controllers/ | head -20

Length of output: 1329

🏁 Script executed:

#!/bin/bash
# Look for environment variable validation patterns
rg -n "|| null||| undefined" infrastructure/eid-wallet/src/lib/global/controllers/ -B 2 -A 2 | head -30

Length of output: 2936

🏁 Script executed:

#!/bin/bash
# Check for tests related to evault or authentication
fd -t f "\.(test|spec)\.(ts|js)$" infrastructure/eid-wallet/ --exec grep -l "evault\|authToken\|PUBLIC_EID_WALLET_TOKEN" {} \;

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Search for documentation or comments about authentication requirements
rg -n "authentication|token" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 2 -A 2

Length of output: 360

🏁 Script executed:

#!/bin/bash
# Check if this is development-only code by looking at build/export context
rg -n "export|async function" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts | head -10

Length of output: 33

🏁 Script executed:

#!/bin/bash
# Look for where this function is called to understand the context
rg -n "evault" infrastructure/eid-wallet/src/ --type ts -B 2 -A 2 | grep -E "(import|from|\.ts)" | head -20

Length of output: 541

🏁 Script executed:

#!/bin/bash
# Check .env files or configuration for how PUBLIC_EID_WALLET_TOKEN is documented
find infrastructure/eid-wallet -name ".env*" -o -name "*.env" -o -name "*.config.*" | xargs cat 2>/dev/null | grep -i token || echo "No env files found"

Length of output: 18

🏁 Script executed:

#!/bin/bash
# Search for error handling patterns around authentication failures
rg -n "401|403|Unauthorized|authentication" infrastructure/eid-wallet/src/lib/global/controllers/ -B 2 -A 2 | head -30

Length of output: 2958

🏁 Script executed:

#!/bin/bash
# Check if authToken is conditionally used (making it optional) or always required
rg -n "if.*authToken|authToken.*if" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 3 -A 3

Length of output: 533

🏁 Script executed:

#!/bin/bash
# Look for README or documentation files
fd -t f "(README|AUTHENTICATION|SECURITY)" infrastructure/eid-wallet/ -i

Length of output: 100

🏁 Script executed:

#!/bin/bash
# Check the request call to see if authentication is actually needed
rg -n "fetch|axios|request" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -A 10 | head -40

Length of output: 1538

🏁 Script executed:

#!/bin/bash
# Examine if there's a specific section about public key sync mentioned in error
rg -n "public key sync|sync" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 5 -A 5

Length of output: 5399

🏁 Script executed:

#!/bin/bash
# Check the function signature and purpose around line 163
sed -n '130,180p' infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

Length of output: 1946

🏁 Script executed:

#!/bin/bash
# Get broader context of the entire function
sed -n '100,220p' infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

Length of output: 4465

🏁 Script executed:

#!/bin/bash
# Check if this is part of a route handler and what its endpoint is
rg -n "POST|GET|PUT|DELETE|router\." infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 5 -A 10 | head -50

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Look for any try-catch or error handling around this code
rg -n "try|catch|error" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 3 -A 3

Length of output: 10043

🏁 Script executed:

#!/bin/bash
# Check what the function returns and if auth token is required for the return
rg -n "return|response" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 2 -A 2 | head -40

Length of output: 1072

🏁 Script executed:

#!/bin/bash
# See the full function that contains lines 163-169
awk '/^(export\s+|async\s+|function\s+).*\{/,/^}/' infrastructure/eid-wallet/src/lib/global/controllers/evault.ts | grep -n "PUBLIC_EID_WALLET_TOKEN" -B 50 -A 20 | head -100

Length of output: 3113

🏁 Script executed:

#!/bin/bash
# Check if authToken validation exists elsewhere in the codebase
rg -n "authToken.*throw|throw.*authToken" infrastructure/eid-wallet/ -B 2 -A 2

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Look for environment variable validation patterns to understand best practices in this codebase
rg -n "process\.env\.[A-Z_]+" infrastructure/eid-wallet/src/lib/global/controllers/ -B 2 -A 5 | head -50

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Check if PUBLIC_EID_WALLET_TOKEN is marked as optional in env schema/validation
rg -n "PUBLIC_EID_WALLET_TOKEN" infrastructure/eid-wallet/ -B 5 -A 5 --type ts --type js

Length of output: 2852

🏁 Script executed:

#!/bin/bash
# Get the exact content of the file to ensure we have accurate line numbers
cat -n infrastructure/eid-wallet/src/lib/global/controllers/evault.ts | sed -n '150,180p'

Length of output: 1312

🏁 Script executed:

#!/bin/bash
# Check if there's any server-side validation mentioned in comments or logs
rg -n "server|validate|enforce" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -C 2 | head -30

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Look at the complete function to understand the full flow
wc -l infrastructure/eid-wallet/src/lib/global/controllers/evault.ts && grep -n "^function\|^export\|^async" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

Length of output: 100

🏁 Script executed:

#!/bin/bash
# Simple approach: output the entire file to see the context
cat infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

Length of output: 18309

🏁 Script executed:

#!/bin/bash
# Look for where the token is passed in headers or request
rg -n "header|Authorization|Bearer" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 3 -A 3

Length of output: 1219

🏁 Script executed:

#!/bin/bash
# Check if the response includes the authToken or if it's used in request
rg -n "headers|Authorization" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 10 -A 10

Length of output: 2795

🏁 Script executed:

#!/bin/bash
# Look for the complete request being made to understand auth necessity
grep -n "fetch\|axios\|request" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -A 20 | head -60

Length of output: 2244

🏁 Script executed:

#!/bin/bash
# Check git history or comments about this token requirement
git log -p infrastructure/eid-wallet/src/lib/global/controllers/evault.ts | grep -A 10 -B 10 "PUBLIC_EID_WALLET_TOKEN" | head -50

Length of output: 59

🏁 Script executed:

#!/bin/bash
# Check how other controllers handle required environment variables
ls -la infrastructure/eid-wallet/src/lib/global/controllers/ && find infrastructure/eid-wallet/src/lib/global/controllers/ -name "*.ts" -exec basename {} \;

Length of output: 455

🏁 Script executed:

#!/bin/bash
# Look at other controller implementations for pattern comparison
find infrastructure/eid-wallet/src/lib/global/controllers/ -name "*.ts" ! -name "evault.ts" -exec rg -l "process\.env\|throw.*Error" {} \; | head -5

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Check one other controller to see how they handle env vars
for file in $(find infrastructure/eid-wallet/src/lib/global/controllers/ -name "*.ts" ! -name "evault.ts" | head -1); do
  echo "=== $file ===" && grep -n "process\.env\|throw" "$file" -B 2 -A 2 | head -30
done

Length of output: 69

🏁 Script executed:

#!/bin/bash
# Search for authentication enforcement or validation on API routes
rg -n "middleware|validate|auth" infrastructure/eid-wallet/src/ --type ts -B 2 -A 2 | head -40

Length of output: 3529

🏁 Script executed:

#!/bin/bash
# Check if there's any documentation about required environment variables
find infrastructure/eid-wallet -type f \( -name "*.md" -o -name ".env.example" -o -name ".env.sample" \) -exec cat {} \;

Length of output: 1713

🏁 Script executed:

#!/bin/bash
# List all *.md files to find documentation
find infrastructure/eid-wallet -type f -name "*.md" -o -name "*.MD"

Length of output: 35

🏁 Script executed:

#!/bin/bash
# Check root documentation
cat README.md 2>/dev/null || echo "No README at root"

Length of output: 2106

🏁 Script executed:

#!/bin/bash
# Look for configuration schema or type definitions that might specify required fields
fd -t f "(schema|config|types|interface)" infrastructure/eid-wallet/src --exec grep -l "PUBLIC_EID_WALLET_TOKEN" {} \;

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Check if there are type definitions or env validation files
fd -t f "(env|config)" infrastructure/eid-wallet/src -type f | grep -E "\.(ts|js)$"

Length of output: 170

🏁 Script executed:

#!/bin/bash
# Check if this endpoint is public/unauthenticated based on naming or comments
grep -n "public\|unauthenticated\|route\|endpoint" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts -B 3 -A 3

Length of output: 5959

🏁 Script executed:

#!/bin/bash
# Simple check: Just show the function containing line 163
sed -n '1,200p' infrastructure/eid-wallet/src/lib/global/controllers/evault.ts | tail -100

Length of output: 3665

🏁 Script executed:

#!/bin/bash
# Simpler: Just cat the entire file
head -300 infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

Length of output: 9861

🏁 Script executed:

#!/bin/bash
# Get line counts and structure
wc -l infrastructure/eid-wallet/src/lib/global/controllers/evault.ts
grep -n "function\|const.*=.*(\|export" infrastructure/eid-wallet/src/lib/global/controllers/evault.ts | head -20

Length of output: 920

🏁 Script executed:

#!/bin/bash
# Show lines 150-190 with exact numbers
awk 'NR>=150 && NR<=190 {print NR": "$0}' infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

Length of output: 1703

🏁 Script executed:

#!/bin/bash
# Check if file exists and is readable
test -f infrastructure/eid-wallet/src/lib/global/controllers/evault.ts && echo "File exists" || echo "File not found"

Length of output: 11

🏁 Script executed:

#!/bin/bash
# List the directory to confirm structure
ls -la infrastructure/eid-wallet/src/lib/global/controllers/ 2>/dev/null || ls -la infrastructure/eid-wallet/src/lib/global/ 2>/dev/null || find infrastructure -type d -name controllers

Length of output: 409

🏁 Script executed:

#!/bin/bash
# Locate the file
find . -name "evault.ts" -type f 2>/dev/null

Length of output: 115

🏁 Script executed:

#!/bin/bash
# Check directory structure
find infrastructure/eid-wallet -type d | head -20

Length of output: 1161

🏁 Script executed:

#!/bin/bash
# List what's in infrastructure
ls -la infrastructure/ 2>/dev/null || echo "Infrastructure dir listing failed"

Length of output: 538

🏁 Script executed:

#!/bin/bash
# Find all TypeScript files in the repository
fd -t f "\.ts$" infrastructure/ 2>/dev/null | head -30

Length of output: 1688

🏁 Script executed:

#!/bin/bash
# Broader search for evault file
fd evault -t f

Length of output: 868

🏁 Script executed:

#!/bin/bash
# Check if we're in the right repo by listing top-level contents
ls -la ./

Length of output: 2662

🏁 Script executed:

#!/bin/bash
# Find the file anywhere
find . -name "*evault*" -type f 2>/dev/null

Length of output: 507

🏁 Script executed:

#!/bin/bash
# List all files in src if it exists
find src -name "*.ts" 2>/dev/null | grep -E "(evault|controller)" | head -20

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Comprehensive file search
find . -type f -name "*.ts" 2>/dev/null | grep -i evault

Length of output: 4429

🏁 Script executed:

#!/bin/bash
# Look for any wallet-related files
find . -type f -path "*/wallet/*" -name "*.ts" 2>/dev/null | head -30

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Check the directory structure for any hints
find . -type d -name "*wallet*" -o -type d -name "*controller*" 2>/dev/null | head -20

Length of output: 838

🏁 Script executed:

#!/bin/bash
# Locate files that might contain this code
rg "PUBLIC_EID_WALLET_TOKEN" -l

Length of output: 101

🏁 Script executed:

#!/bin/bash
# Search for the specific warning message
rg "PUBLIC_EID_WALLET_TOKEN not set" -B 10 -A 10

Length of output: 2107

🏁 Script executed:

#!/bin/bash
# Search more broadly
rg "PUBLIC_EID_WALLET_TOKEN" -B 5 -A 15

Length of output: 4639

🏁 Script executed:

#!/bin/bash
# Try searching for the console.warn message
rg "request may fail authentication" -B 10 -A 10

Length of output: 2107

🏁 Script executed:

#!/bin/bash
# Search for evault related code
rg "evault" -B 3 -A 3 -i

Length of output: 274654

🏁 Script executed:

#!/bin/bash
# Find any references to this specific pattern
rg "authToken.*PUBLIC_EID" -B 5 -A 10

Length of output: 1600

🏁 Script executed:

#!/bin/bash
# Search for the exact snippet
rg "Get authentication token from environment variable" -B 5 -A 15

Length of output: 2106

🏁 Script executed:

#!/bin/bash
# Comprehensive search for authentication patterns
rg "const authToken" -B 3 -A 10

Length of output: 1431

🏁 Script executed:

#!/bin/bash
# Check all TypeScript/JavaScript files at once
fd -e ts -e js --exec rg -l "PUBLIC_EID_WALLET_TOKEN" {} \;

Length of output: 105

🏁 Script executed:

#!/bin/bash
# List all files to see repository structure
find . -type f -name "*.ts" -o -name "*.js" | head -50

Length of output: 2981

🏁 Script executed:

#!/bin/bash
# Try to see what files exist
ls -R . 2>/dev/null | head -100

Length of output: 1527

🏁 Script executed:

#!/bin/bash
# Get top-level structure
find . -maxdepth 2 -type f -name "*.ts" | head -30

Length of output: 24

🏁 Script executed:

#!/bin/bash
# List files and directories at top level
pwd && ls -la

Length of output: 2681

🏁 Script executed:

#!/bin/bash
# Check if files are in the PR branch by looking at git
git log --oneline -10 2>/dev/null || echo "Not a git repo"

Length of output: 451

🏁 Script executed:

#!/bin/bash
# Check git status and current branch
git status 2>/dev/null || echo "Git not available"

Length of output: 252

🏁 Script executed:

#!/bin/bash
# Try to find where the files should be
find . -type f -path "*infrastructure*" 2>/dev/null | head -20

Length of output: 894

🏁 Script executed:

#!/bin/bash
# Last resort: search entire filesystem for the file
locate evault.ts 2>/dev/null || echo "Locate not available"

Length of output: 20

🏁 Script executed:

#!/bin/bash
# Use rg to search everything
rg -t ts --files | head -50

Length of output: 2117

🏁 Script executed:

#!/bin/bash
# Try to understand the structure by listing dirs
find . -type d -maxdepth 3 | sort | head -50

Length of output: 1189

🏁 Script executed:

#!/bin/bash
# Check if infrastructure directory exists
test -d infrastructure && echo "infrastructure dir exists" || echo "infrastructure dir does not exist"
ls -la infrastructure 2>/dev/null || true

Length of output: 564

🏁 Script executed:

#!/bin/bash
# Use git to show changed files
git diff --name-only HEAD~1 2>/dev/null | head -20 || git diff --name-only 2>/dev/null | head -20 || echo "Could not get git diff"

Length of output: 560

🏁 Script executed:

#!/bin/bash
# Show all staged/changed files
git status -s 2>/dev/null || echo "Git unavailable"

Length of output: 71

🏁 Script executed:

#!/bin/bash
# Try to find the actual file location using rg on the entire repo
rg "authToken.*=.*PUBLIC_EID_WALLET_TOKEN" --files-with-matches

Length of output: 62

🏁 Script executed:

#!/bin/bash
# More flexible search
rg "PUBLIC_EID_WALLET_TOKEN.*null" --files-with-matches

Length of output: 62

🏁 Script executed:

#!/bin/bash
# Search by the exact comment
rg "Get authentication token from environment" --files-with-matches

Length of output: 62

🏁 Script executed:

#!/bin/bash
# Try rg without type filter
rg "PUBLIC_EID_WALLET_TOKEN" --files

Length of output: 63

🏁 Script executed:

#!/bin/bash
# Show current working directory context
echo "PWD: $(pwd)" && echo "FILES:" && ls -la

Length of output: 2693

🏁 Script executed:

#!/bin/bash
# Final attempt: comprehensive file listing
find . -name "*.ts" -o -name "*.js" | wc -l && echo "---" && find . -name "*.ts" -o -name "*.js" | sort | head -50

Length of output: 2959

🏁 Script executed:

#!/bin/bash
# List ALL files recursively to understand structure
ls -laR . 2>/dev/null | head -200

Length of output: 14803

🏁 Script executed:

#!/bin/bash
# Try git show to see the PR files
git show --name-only 2>/dev/null | head -30 || echo "Git show unavailable"

Length of output: 723

🏁 Script executed:

#!/bin/bash
# Check if the file exists with exact path from review
test -f "infrastructure/eid-wallet/src/lib/global/controllers/evault.ts" && echo "EXISTS" || echo "NOT FOUND"

Length of output: 6

🏁 Script executed:

#!/bin/bash
# Use ls to explicitly check
ls infrastructure/eid-wallet/src/lib/global/controllers/evault.ts 2>&1

Length of output: 62

🏁 Script executed:

#!/bin/bash
# Try alternate path
ls -la infrastructure/ 2>&1 | head -20

Length of output: 538

🏁 Script executed:

#!/bin/bash
# Debug: show git branch and files
git branch && echo "---" && git ls-files | head -30

Length of output: 752

🏁 Script executed:

#!/bin/bash
# Show PR context if available
git log --all --oneline | head -20

Length of output: 881

🏁 Script executed:

#!/bin/bash
# Final diagnostic
echo "Current directory: $(pwd)" && echo "Home: $HOME" && echo "Repo status:" && git remote -v 2>/dev/null || true

Length of output: 234

Require PUBLIC_EID_WALLET_TOKEN (fail fast) or make its absence explicit and deliberate

syncPublicKey currently only warns and continues if PUBLIC_EID_WALLET_TOKEN is missing, which yields silent authentication failures or unauthenticated PATCH calls. Either fail loudly or make the “optional” behavior explicit:

  • Location: infrastructure/eid-wallet/src/lib/global/controllers/evault.ts — syncPublicKey (lines ~163–169).
  • Option A (recommended): Throw an error when the token is not set so misconfiguration fails fast.
  • Option B: If it must be optional, add a clear dev-only guard (only allow missing token in non-production), document it in README/.env.example, and add tests that cover both modes.
    Also add startup/env validation for required public env vars to prevent silent misconfiguration.


// Call PATCH /public-key to save the public key
Expand All @@ -148,11 +179,7 @@ export class VaultController {
headers["Authorization"] = `Bearer ${authToken}`;
}

await axios.patch(
patchUrl,
{ publicKey },
{ headers }
);
await axios.patch(patchUrl, { publicKey }, { headers });

// Mark as saved
localStorage.setItem(`publicKeySaved_${eName}`, "true");
Expand Down
6 changes: 5 additions & 1 deletion infrastructure/eid-wallet/src/lib/global/state.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,11 @@ export class GlobalState {
this.securityController = new SecurityController(store);
this.userController = new UserController(store);
this.keyService = keyService;
this.vaultController = new VaultController(store, this.userController, keyService);
this.vaultController = new VaultController(
store,
this.userController,
keyService,
);
this.notificationService = NotificationService.getInstance();
}

Expand Down
20 changes: 20 additions & 0 deletions infrastructure/eid-wallet/src/routes/(auth)/login/+page.svelte
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,16 @@ onMount(async () => {
}
// For other errors, continue to app - non-blocking
}

// Sync public key to eVault core
try {
await globalState.vaultController.syncPublicKey(
vault.ename,
);
} catch (error) {
console.error("Error syncing public key:", error);
// Continue to app even if sync fails - non-blocking
}
}
} catch (error) {
console.error("Error during eVault health check:", error);
Expand Down Expand Up @@ -170,6 +180,16 @@ onMount(async () => {
}
// For other errors, continue to app - non-blocking
}

// Sync public key to eVault core
try {
await globalState.vaultController.syncPublicKey(
vault.ename,
);
} catch (error) {
console.error("Error syncing public key:", error);
// Continue to app even if sync fails - non-blocking
}
}
} catch (error) {
console.error("Error during eVault health check:", error);
Expand Down
68 changes: 68 additions & 0 deletions infrastructure/evault-core/generate-test-token.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
#!/usr/bin/env node

/**
* Script to generate a test JWT token for evault-core authentication
*
* Usage:
* REGISTRY_ENTROPY_KEY_JWK='{"kty":"EC",...}' node generate-test-token.js
*
* Or set the environment variable in a .env file
*
* You can also use tsx to run it:
* REGISTRY_ENTROPY_KEY_JWK='...' npx tsx generate-test-token.js
*/

const { importJWK, SignJWT } = require("jose");
const dotenv = require("dotenv");
const path = require("path");

// Load .env file if it exists (try both root and current directory)
dotenv.config({ path: path.resolve(__dirname, "../../../.env") });
dotenv.config({ path: path.resolve(__dirname, ".env") });

async function generateTestToken() {
const jwkString = '{"kty":"EC","use":"sig","alg":"ES256","kid":"entropy-key-1","crv":"P-256","x":"POWUVJwOulAW0gheTVUHF4nXUenMCg0jxhGKI8M1LLU","y":"Cb4GC8Tt0gW7zMr-DhsDJisGVNgWttwjnyQl1HyU7hg","d":"FWqvWBzoiZcD0hh4JAMdJ7foxFRGqyV2Ei_eWvr1Si4"}';

if (!jwkString) {
console.error("Error: REGISTRY_ENTROPY_KEY_JWK environment variable is required");
console.error("\nUsage:");
console.error(" REGISTRY_ENTROPY_KEY_JWK='<your-jwk-json>' node generate-test-token.js");
console.error("\nOr set it in your .env file");
process.exit(1);
}
Comment on lines +19 to +32
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Hard-coded private JWK and unused REGISTRY_ENTROPY_KEY_JWK env are problematic

The script currently ignores the documented REGISTRY_ENTROPY_KEY_JWK env var and instead uses a hard-coded JWK (including the private key). That:

  • Commits a signing key into the repo.
  • Forces all tokens to be signed with that specific key.
  • Makes rotation harder and increases risk if this key is ever trusted by other components.

Recommend:

  1. Remove the hard-coded JWK and read from the environment instead:
-async function generateTestToken() {
-  const jwkString = '{"kty":"EC",...}';
+async function generateTestToken() {
+  const jwkString = process.env.REGISTRY_ENTROPY_KEY_JWK;
@@
-  if (!jwkString) {
+  if (!jwkString) {
     console.error("Error: REGISTRY_ENTROPY_KEY_JWK environment variable is required");
@@
-    const jwk = JSON.parse(jwkString);
+    const jwk = JSON.parse(jwkString);

  1. Rotate / invalidate the currently checked-in key anywhere it may be trusted (e.g., JWKS on the registry), and ensure test-only keys are clearly segregated from any production trust roots.

  2. Optionally, keep a sample JWK in comments or docs rather than as executable code to avoid accidental use.

Also applies to: 34-65

🤖 Prompt for AI Agents 
in infrastructure/evault-core/generate-test-token.js around lines 19 to 32 (and
likewise remove occurrences in lines 34–65), remove the hard-coded private JWK
string and instead read the key from the REGISTRY_ENTROPY_KEY_JWK environment
variable; validate that the env var is present and well-formed (exit with a
clear error and usage message if missing), parse the JWK from the env value for
signing, and ensure no private key literals remain in the file or repository;
additionally update docs/comments to show a sample JWK (not executable) and add
a note to rotate/invalidate the committed key wherever it may be trusted.


try {
const jwk = JSON.parse(jwkString);
const privateKey = await importJWK(jwk, "ES256");

// Generate token valid for 1 year
const token = await new SignJWT({
// Add any custom claims you want
platform: "eid-wallet",
purpose: "public-key-sync",
})
.setProtectedHeader({
alg: "ES256",
kid: jwk.kid || "entropy-key-1",
})
.setIssuedAt()
.setExpirationTime("1y") // Valid for 1 year
.sign(privateKey);

console.log("\n✅ Generated JWT Token (valid for 1 year):\n");
console.log(token);
console.log("\n📋 Use this token in the Authorization header:");
console.log(` Authorization: Bearer ${token}\n`);

return token;
} catch (error) {
console.error("Error generating token:", error.message);
if (error.message.includes("JSON")) {
console.error("\nMake sure REGISTRY_ENTROPY_KEY_JWK is valid JSON");
}
process.exit(1);
}
}

generateTestToken();

1 change: 1 addition & 0 deletions infrastructure/evault-core/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
"migration:revert": "npm run typeorm migration:revert -- -d dist/config/database.js"
},
"dependencies": {
"@fastify/cors": "^8.5.0",
"@fastify/formbody": "^8.0.2",
"@fastify/swagger": "^8.14.0",
"@fastify/swagger-ui": "^3.0.0",
Expand Down
42 changes: 31 additions & 11 deletions infrastructure/evault-core/src/core/http/server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -286,30 +286,50 @@ export async function registerHttpRoutes(
// Helper function to validate JWT token
async function validateToken(authHeader: string | null): Promise<any | null> {
if (!authHeader || !authHeader.startsWith("Bearer ")) {
console.error("Token validation: Missing or invalid Authorization header format");
return null;
}

const token = authHeader.substring(7); // Remove 'Bearer ' prefix

try {
if (!process.env.REGISTRY_URL) {
console.error("REGISTRY_URL is not set");
// Try REGISTRY_URL first, fallback to PUBLIC_REGISTRY_URL
const registryUrl = process.env.REGISTRY_URL || process.env.PUBLIC_REGISTRY_URL;
if (!registryUrl) {
console.error("Token validation: REGISTRY_URL or PUBLIC_REGISTRY_URL is not set");
return null;
}

const jwksResponse = await axios.get(
new URL(
`/.well-known/jwks.json`,
process.env.REGISTRY_URL
).toString()
);
const jwksUrl = new URL(`/.well-known/jwks.json`, registryUrl).toString();
console.log(`Token validation: Fetching JWKS from ${jwksUrl}`);

const jwksResponse = await axios.get(jwksUrl, {
timeout: 5000,
});

console.log(`Token validation: JWKS response keys count: ${jwksResponse.data?.keys?.length || 0}`);

const JWKS = jose.createLocalJWKSet(jwksResponse.data);

// Decode token header to see what kid it's using
const decodedHeader = jose.decodeProtectedHeader(token);
console.log(`Token validation: Token header - alg: ${decodedHeader.alg}, kid: ${decodedHeader.kid}`);

const { payload } = await jose.jwtVerify(token, JWKS);


console.log(`Token validation: Token verified successfully, payload:`, payload);
return payload;
} catch (error) {
console.error("Token validation failed:", error);
} catch (error: any) {
console.error("Token validation failed:", error.message || error);
if (error.code) {
console.error(`Token validation error code: ${error.code}`);
}
if (error.response) {
console.error(`Token validation HTTP error: ${error.response.status} - ${error.response.statusText}`);
}
if (error.cause) {
console.error(`Token validation error cause:`, error.cause);
}
return null;
}
}
Expand Down
9 changes: 9 additions & 0 deletions infrastructure/evault-core/src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import fastify, {
FastifyRequest,
FastifyReply,
} from "fastify";
import fastifyCors from "@fastify/cors";
import { renderVoyagerPage } from "graphql-voyager/middleware";
import { connectWithRetry } from "./core/db/retry-neo4j";
import neo4j, { Driver } from "neo4j-driver";
Expand Down Expand Up @@ -116,6 +117,14 @@ const initializeEVault = async (provisioningServiceInstance?: ProvisioningServic
logger: true,
});

// Register CORS plugin with relaxed settings
await fastifyServer.register(fastifyCors, {
origin: true, // Allow all origins
methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
allowedHeaders: ["Content-Type", "Authorization", "X-ENAME"],
credentials: true,
});

// Register HTTP routes with provisioning service if available
await registerHttpRoutes(fastifyServer, evaultInstance, provisioningServiceInstance, dbService);

Expand Down
5 changes: 5 additions & 0 deletions infrastructure/signature-validator/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
node_modules/
dist/
*.log
.DS_Store

Loading
Loading