feat(user_worker): SIWE auth handlers (unit 2)#5
Merged
Conversation
Unit 2 of the SIWE user system. Replaces the auth.rs stub:
- nonce: uuid v4 stored in NONCES KV under "nonce:{nonce}" with
NONCE_TTL_SECS, returned as Json(NonceResp).
- verify: parses the EIP-4361 message (400 on parse error); checks
domain, version "1", chain id (401); issued-at freshness within
SIWE_MAX_AGE_SECS and optional expiration-time (401); single-use
nonce via KV get+delete (401 on unknown/expired); recovered EIP-191
signer must match the claimed address (401); upserts the user row in
D1 and rejects banned accounts (403); do_init's the UserAccount DO;
signs the ue_session cookie and returns the checksummed address.
- logout: clears the session cookie.
- me: verified session -> DO /status as Json(StatusResp), else 401.
All failures return Json(ApiError); internal errors are logged with
console_error and mapped to 500, matching gateway_worker idioms.
Note: siwe.rs is a stub implemented by a parallel unit, so runtime auth
cannot be exercised locally yet — cargo check + existing unit tests are
the local verification gate.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements
user_worker/src/auth.rs: nonce issuance (KV, TTL, single-use), full SIWE verify chain (domain/version/chain-id, issued-at freshness, expiration, nonce, ecrecover match), D1 user upsert + ban check, DO free-grant init, HS256ue_sessioncookie; logout and /me.Runtime auth depends on unit 1's siwe.rs (PR #2) landing — compile gate + tests were the local verification.
Part of the SIWE user-system batch (scaffold 69457f8).
🤖 Generated with Claude Code