Add transactional account linking with arkavo-node #23
arkavo-com wants to merge 8 commits into main from feature/transactional-account-linking
Enables atomic DID-to-blockchain-address linking during registration via backchannel RPC call to arkavo-node.
Changes:
- Add optional `blockchain_address` parameter to RegisterParams
- Include `did` and `blockchain_address` in AccountToken JWT claims
- Add `link_account_on_chain()` to call arkavo-node RPC after registration
- Add reqwest dependency for HTTP client
- Improve error response status codes (BAD_REQUEST for validation errors)
Flow:
1. Client provides blockchain_address during registration
2. authnz-rs validates address format (0x + 40 hex chars)
3. After successful passkey registration, authnz-rs calls arkavo_linkAccountWithProof RPC on arkavo-node
4. arkavo-node verifies JWT and links DID to address on-chain
Environment:
- ARKAVO_NODE_URL: arkavo-node RPC endpoint (default: http://127.0.0.1:9933)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix broken test_webauthn_error_responses test to verify correct status codes after HTTP status code improvements
- Add test_blockchain_address_validation test for EVM address format
- Add HTTP client to AppState with 5-second timeout for RPC calls
- Reuse HTTP client instead of creating new one per request
- Update link_account_on_chain to use shared client
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add ntdf_token module for NanoTDF-based authentication tokens
- Implement ECDH key exchange with KAS public key
- Add AES-256-GCM encryption for payload
- Add Z85 encoding for wire format
- Update Cargo.toml with required dependencies (z85, aes-gcm, hkdf, rand_core)
- Enable ecdh feature for p256 crate
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add AccountLinkingFailed error variant with SERVICE_UNAVAILABLE status
- Propagate account linking errors to block registration on failure
- Add retry with exponential backoff (3 attempts, 100ms * 2^n delay)
- Normalize blockchain address to lowercase for consistency
- Add test for AccountLinkingFailed error response
- Fix rustls version for aws-lc-rs dependency compatibility
- Add opentdf-rs v0.8.0 dependencies for NanoTDF Collection support
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
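The address check from the first commit (0x + 40 hex chars), the lowercase normalization and the 3-attempt, 100ms * 2^n retry from this commit, shown together as an added example in plain std Rust. This is not code from authnz-rs: `LinkError`, `normalize_evm_address` and `link_with_retry` are assumed names, the RPC call is simulated by a closure, and the status-code mapping (400 for validation, 503 for a failed link) follows what the commit messages state.

```rust
// Added example, not code from authnz-rs: the address check the flow
// describes (0x + 40 hex chars), the lowercase normalization, and a retry
// wrapper with 100ms * 2^n backoff that turns a persistent RPC failure into
// an AccountLinkingFailed error. Function and type names are assumptions.
use std::fmt;
use std::time::Duration;

/// Error variants mapped to the HTTP status codes the commits describe.
#[derive(Debug, PartialEq)]
pub enum LinkError {
    /// Validation failure: answered with 400 BAD_REQUEST.
    InvalidAddress(String),
    /// arkavo-node unreachable or refused: answered with 503 SERVICE_UNAVAILABLE.
    AccountLinkingFailed(String),
}

impl LinkError {
    pub fn status_code(&self) -> u16 {
        match self {
            LinkError::InvalidAddress(_) => 400,
            LinkError::AccountLinkingFailed(_) => 503,
        }
    }
}

impl fmt::Display for LinkError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            LinkError::InvalidAddress(a) => write!(f, "invalid blockchain address: {a}"),
            LinkError::AccountLinkingFailed(e) => write!(f, "account linking failed: {e}"),
        }
    }
}

/// Accept exactly "0x" followed by 40 hex digits and return the lowercase
/// form, so the same address is stored identically whatever case the client sent.
pub fn normalize_evm_address(raw: &str) -> Result<String, LinkError> {
    let hex = raw
        .strip_prefix("0x")
        .ok_or_else(|| LinkError::InvalidAddress(raw.to_string()))?;
    if hex.len() != 40 || !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(LinkError::InvalidAddress(raw.to_string()));
    }
    Ok(format!("0x{}", hex.to_ascii_lowercase()))
}

/// Run `rpc_call` up to `attempts` times, sleeping base_delay * 2^n after the
/// n-th failure (100ms then 200ms for three attempts at a 100ms base). When
/// every attempt fails the caller gets AccountLinkingFailed and must reject
/// the registration rather than leave an unlinked account behind.
pub fn link_with_retry<T, E: fmt::Display>(
    attempts: u32,
    base_delay: Duration,
    mut rpc_call: impl FnMut() -> Result<T, E>,
) -> Result<T, LinkError> {
    let mut last_error = String::from("no attempts made");
    for n in 0..attempts {
        match rpc_call() {
            Ok(value) => return Ok(value),
            Err(e) => {
                last_error = e.to_string();
                if n + 1 < attempts {
                    std::thread::sleep(base_delay * 2u32.pow(n));
                }
            }
        }
    }
    Err(LinkError::AccountLinkingFailed(last_error))
}

fn main() {
    // Constructed inputs: a mixed-case address and a simulated RPC that
    // fails twice ("connection refused") before succeeding.
    let address = normalize_evm_address("0xABCDEF0123456789abcdef0123456789ABCDEF01").unwrap();
    let mut calls = 0;
    let outcome = link_with_retry(3, Duration::from_millis(100), || {
        calls += 1;
        if calls < 3 {
            Err("connection refused")
        } else {
            Ok(format!("linked {address}"))
        }
    });
    println!("{outcome:?} after {calls} calls");
}
```

The base delay is a parameter so a unit test can shrink it; the production value from the commit is 100ms. Note that the retry loop sleeps only between attempts, not after the last failure, so a 503 is returned as soon as the third call fails.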
Replace custom NanoTDF implementation with opentdf-rs library:
- Use NanoTdfBuilder from opentdf-crypto for encryption
- Correct HKDF salt: SHA256("L1L") per NanoTDF spec
- Remove custom ECDH, HKDF, and AES-GCM code
- Remove aes-gcm and hkdf direct dependencies
- Add roundtrip test verifying Z85 decode and magic number
- Simplify error types (remove EcdhError, Z85EncodeError)
The opentdf-rs library handles all cryptographic operations:
- Ephemeral P-256 key generation
- ECDH key agreement
- HKDF-SHA256 key derivation with spec-compliant salt
- AES-256-GCM encryption with 3-byte IV
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
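The Z85 wire format from the ntdf_token commit and the "Z85 decode and magic number" roundtrip check from this one, as an added example in std Rust. This is not opentdf-rs or authnz-rs code: the encoder and decoder follow the ZeroMQ RFC 32 Z85 definition, the magic check compares the first three decoded bytes with "L1L", and the sample token is the magic followed by constructed filler bytes rather than a real NanoTDF header. `decode_nanotdf_token` and `sample_token` are assumed names.

```rust
// Added example, not opentdf-rs or authnz-rs code: the Z85 wire encoding the
// NTDF token uses, and the decode-then-check-magic step a roundtrip test
// performs. The token body after the 3-byte magic is constructed filler, not
// a real NanoTDF header.

/// Z85 alphabet (ZeroMQ RFC 32): digits, lowercase, uppercase, then 23 symbols.
const Z85_ALPHABET: &[u8; 85] =
    b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#";

/// Every NanoTDF starts with the magic number "L1" and version byte "L".
pub const NANOTDF_MAGIC: &[u8; 3] = b"L1L";

/// Encode 4-byte groups as 5 base-85 characters, most significant digit first.
pub fn z85_encode(data: &[u8]) -> Result<String, String> {
    if data.len() % 4 != 0 {
        return Err(format!("Z85 input must be a multiple of 4 bytes, got {}", data.len()));
    }
    let mut out = String::with_capacity(data.len() / 4 * 5);
    for chunk in data.chunks(4) {
        let mut value = u32::from_be_bytes([chunk[0], chunk[1], chunk[2], chunk[3]]);
        let mut digits = [0u8; 5];
        for d in digits.iter_mut().rev() {
            *d = Z85_ALPHABET[(value % 85) as usize];
            value /= 85;
        }
        out.push_str(std::str::from_utf8(&digits).expect("alphabet is ASCII"));
    }
    Ok(out)
}

/// Decode 5-character groups back to 4 bytes, rejecting characters outside the
/// alphabet and groups that do not fit in 32 bits (85^5 - 1 exceeds u32::MAX).
pub fn z85_decode(text: &str) -> Result<Vec<u8>, String> {
    let bytes = text.as_bytes();
    if bytes.len() % 5 != 0 {
        return Err(format!("Z85 text length must be a multiple of 5, got {}", bytes.len()));
    }
    let mut out = Vec::with_capacity(bytes.len() / 5 * 4);
    for chunk in bytes.chunks(5) {
        let mut value: u32 = 0;
        for &c in chunk {
            let digit = Z85_ALPHABET
                .iter()
                .position(|&a| a == c)
                .ok_or_else(|| format!("invalid Z85 character {:?}", c as char))? as u32;
            value = value
                .checked_mul(85)
                .and_then(|v| v.checked_add(digit))
                .ok_or_else(|| "Z85 group does not fit in 32 bits".to_string())?;
        }
        out.extend_from_slice(&value.to_be_bytes());
    }
    Ok(out)
}

/// Decode a wire token and confirm it carries the NanoTDF magic number before
/// the bytes are handed to a real header parser.
pub fn decode_nanotdf_token(token: &str) -> Result<Vec<u8>, String> {
    let bytes = z85_decode(token)?;
    if bytes.len() < NANOTDF_MAGIC.len() || bytes[..3] != NANOTDF_MAGIC[..] {
        return Err("decoded token does not start with NanoTDF magic L1L".to_string());
    }
    Ok(bytes)
}

/// Constructed sample: magic "L1L" plus nine filler bytes (12 bytes in total,
/// so it Z85-encodes without padding).
pub fn sample_token() -> String {
    let mut raw = NANOTDF_MAGIC.to_vec();
    raw.extend_from_slice(&[0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08]);
    z85_encode(&raw).expect("12 bytes is a multiple of 4")
}

fn main() {
    let token = sample_token();
    println!("wire token: {token}");
    println!("decoded: {:?}", decode_nanotdf_token(&token));
}
```

Z85 has no padding, which is why the decoder insists on a length that is a multiple of 5 and the encoder on a multiple of 4; a token of any other length is malformed before any cryptographic check runs. The overflow check matters because "#####" and similar groups are made of valid characters yet encode a value above 2^32 - 1.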
- Remove unused `head` import from main.rs
- Add User Present (UP) flag validation for attestation and assertion
- Add Attested Credential (AT) flag warning for incomplete attestation
- Document auth_flags module with WebAuthn/FIDO spec reference
- Add #[allow(dead_code)] with documentation for:
  - receipt field (Apple fraud detection, future use)
  - rp_id_hash raw bytes (stored as hex string instead)
- Add debug logging for authenticator flags
Security improvement: Now validates that User Present flag is set, which is required per WebAuthn spec for genuine user interaction.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
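The flag checks this commit describes, shown on raw WebAuthn authenticator data as an added example in std Rust. This is not the authnz-rs auth_flags module: it parses the fixed 37-byte prefix (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signature counter) per the WebAuthn authenticator data layout, rejects any ceremony whose UP bit is clear, and reports a clear AT bit on attestation as a warning. `AuthFlags`, `parse_auth_data`, `check_flags` and `sample_auth_data` are assumed names, and the sample's rpIdHash is zero filler rather than a real digest.

```rust
// Added example, not authnz-rs code: parse the fixed 37-byte prefix of
// WebAuthn authenticator data (rpIdHash, flags, signCount) and apply the
// checks the commit describes: UP must be set for attestation and assertion,
// and a missing AT flag on attestation is reported as a warning. The sample
// authenticator data is constructed; its rpIdHash is not a real digest.

/// Flag bits of the authenticator data flags byte (WebAuthn Level 3, section 6.1).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct AuthFlags(pub u8);

impl AuthFlags {
    pub const UP: u8 = 0x01; // User Present
    pub const UV: u8 = 0x04; // User Verified
    pub const BE: u8 = 0x08; // Backup Eligible
    pub const BS: u8 = 0x10; // Backup State
    pub const AT: u8 = 0x40; // Attested credential data included
    pub const ED: u8 = 0x80; // Extension data included

    pub fn user_present(self) -> bool { self.0 & Self::UP != 0 }
    pub fn user_verified(self) -> bool { self.0 & Self::UV != 0 }
    pub fn attested_credential_data(self) -> bool { self.0 & Self::AT != 0 }
    pub fn extension_data(self) -> bool { self.0 & Self::ED != 0 }
}

#[derive(Debug, PartialEq, Eq)]
pub struct AuthData<'a> {
    pub rp_id_hash: &'a [u8],
    pub flags: AuthFlags,
    pub sign_count: u32,
    /// Attested credential data and/or extensions, present only when AT/ED say so.
    pub trailing: &'a [u8],
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Ceremony { Attestation, Assertion }

/// Split the fixed prefix; anything shorter than 37 bytes cannot be valid.
pub fn parse_auth_data(raw: &[u8]) -> Result<AuthData<'_>, String> {
    if raw.len() < 37 {
        return Err(format!("authenticator data too short: {} bytes", raw.len()));
    }
    Ok(AuthData {
        rp_id_hash: &raw[..32],
        flags: AuthFlags(raw[32]),
        sign_count: u32::from_be_bytes([raw[33], raw[34], raw[35], raw[36]]),
        trailing: &raw[37..],
    })
}

/// Reject when UP is clear (no genuine user interaction); otherwise return
/// non-fatal warnings, such as an attestation without credential data.
pub fn check_flags(flags: AuthFlags, ceremony: Ceremony) -> Result<Vec<String>, String> {
    if !flags.user_present() {
        return Err(format!(
            "User Present flag not set (flags=0x{:02x}); rejecting {ceremony:?}",
            flags.0
        ));
    }
    let mut warnings = Vec::new();
    if ceremony == Ceremony::Attestation && !flags.attested_credential_data() {
        warnings.push("AT flag clear on attestation: no attested credential data".to_string());
    }
    Ok(warnings)
}

/// Constructed sample: 32 zero bytes standing in for rpIdHash, the given flags
/// byte, and a big-endian signature counter of 7.
pub fn sample_auth_data(flags: u8) -> Vec<u8> {
    let mut data = vec![0u8; 32];
    data.push(flags);
    data.extend_from_slice(&7u32.to_be_bytes());
    data
}

fn main() {
    for flags in [AuthFlags::UP | AuthFlags::UV | AuthFlags::AT, AuthFlags::UV] {
        let raw = sample_auth_data(flags);
        let parsed = parse_auth_data(&raw).unwrap();
        println!(
            "flags=0x{:02x} counter={} -> {:?}",
            parsed.flags.0,
            parsed.sign_count,
            check_flags(parsed.flags, Ceremony::Attestation)
        );
    }
}
```

UV alone is not enough: an authenticator can report verification without presence only in malformed or tampered data, so the UP check runs before anything else is trusted. The AT case is a warning rather than a rejection here, matching the commit, because an attestation without credential data is incomplete rather than forged.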
Add explicit ring crypto provider installation at startup to resolve ambiguity when both ring and aws-lc-rs are enabled via transitive dependencies (tokio-rustls, aws-smithy-http-client, hyper-rustls).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements W3C WebAuthn Level 3 Related Origin Requests (ROR) specification to allow passkeys registered on identity.arkavo.net to be used on related origins. Configuration loaded from WEBAUTHN_CONFIG_PATH env var (defaults to webauthn.json). Uses newtype wrappers to distinguish Extension types and avoid conflicts with existing apple-app-site-association endpoint.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Adds transactional blockchain account linking with arkavo-node and NTDF token support:
Key Design Decisions
Backchannel Architecture (No JWT Token Passing)
The link between authnz-rs and arkavo-node is a secured backchannel - a trusted server-to-server connection. This means:
- `user_id`, `did`, and `blockchain_address` directly
Transactional Semantics
If account linking fails after 3 retries, registration is blocked (returns 503 SERVICE_UNAVAILABLE). This ensures the user doesn't end up with a registered account that isn't linked to their blockchain address.
Flow
Changes by Commit
- `blockchain_address` param, backchannel RPC
Configuration
- ARKAVO_NODE_URL: arkavo-node RPC endpoint (default: http://127.0.0.1:9933)
- KAS_PUBLIC_KEY_PATH: (optional) KAS public key for NTDF token generation
- KAS_URL: (optional) KAS URL embedded in NTDF tokens
Test Plan
Related Issues
Partial implementation for #21 and #22 (chain anchoring infrastructure)
🤖 Generated with Claude Code