feat(plugin): ERC-8128 authentication
Adds an erc8128() plugin that verifies ERC-8128 signed HTTP requests from Ethereum wallets (EOA and ERC-1271 smart contract accounts), built on RFC 9421 HTTP Message Signatures.

What it does
POST /erc8128/verify — verifies a signed request, creates/links user + wallet records, starts a Better Auth session.
hooks.before middleware — verifies Signature/Signature-Input headers on any BA endpoint, bridges into session resolution.
GET /.well-known/erc8128 — discovery metadata (OIDC/MCP pattern).
POST /erc8128/invalidate — revokes replayable signatures by key ID or individual signature (when allowReplayable: true).

Files

Design decisions
Middleware model (like bearer): Translates verified signatures into session cookie context so getSession resolution works unchanged. Non-throwing on invalid headers — falls through to normal session/cookie auth.

Verification cache: Three-tier strategy based on what the host app provides: secondaryStorage (Redis) → DB (verification table) → in-memory Map. Pure performance optimization — cache miss triggers full cryptographic verification. Mirrors Better Auth's cookieCache philosophy.

Pluggable NonceStore, non-pluggable cache: Nonce storage needs strict guarantees (atomic consume, distributed consistency) so it's pluggable. The verification cache is deliberately non-authoritative — making it pluggable would add distributed-cache expectations Better Auth avoids.

User creation on /verify only: Middleware resolves existing wallet links but never creates users. Identity provisioning stays in the explicit auth endpoint where request body, onboarding policy, and response contracts are clear.

Route policy map: routePolicy option with "METHOD /path" keys and wildcard support, consistent with Better Auth's rateLimit.customRules pattern. false skips verification; a VerifyPolicy object requires it (structured 401 + Accept-Signature on failure).

Auth-only plugin: No bans, scoping, or rate limiting. Those belong in Better Auth's admin, access, and rate-limit layers.

Configuration
Test coverage
27 tests covering: discovery, verify (user creation, linking, deduplication), middleware (auth header, passthrough, fallback), route policy (exact, wildcard, default, skip), invalidation (per-key, per-signature, cache eviction), replayable signatures (caching, expiry, sweep), and structured error responses.
References
@slicekit/erc8128
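
The split between an authoritative nonce store and a non-authoritative verification cache described under Design decisions, as an added TypeScript example that is not code from this pull request or the plugin. `Signed`, `Outcome`, `MemoryNonceStore`, `Verifier` and the `checkSig` callback are hypothetical names; the example assumes replayable signatures are the ones carrying no nonce, and that revocations are recorded separately from the cache.

```typescript
// Illustrative model only; type and method names are not the plugin's API.
type Signed = { keyId: string; signature: string; nonce?: string; expires: number };
type Outcome = "ok" | "expired" | "bad-signature" | "replayed" | "revoked";
class MemoryNonceStore {
  private seen = new Map<string, number>(); // nonce key -> expiry (unix seconds)
  // Check-and-insert as one step. A shared store needs the same atomicity,
  // e.g. a single Redis SET with NX and an expiry rather than GET then SET.
  consume(key: string, expires: number, now: number): boolean {
    const prev = this.seen.get(key);
    if (prev !== undefined && prev > now) return false; // already used
    this.seen.set(key, expires);
    return true;
  }
}

class Verifier {
  fullVerifications = 0; // number of cryptographic checks performed
  private cache = new Map<string, number>(); // signature -> expiry, non-authoritative
  private revokedSigs = new Set<string>(); // authoritative revocation state
  private revokedKeys = new Set<string>();
  private nonces = new MemoryNonceStore();
  private checkSig: (r: Signed) => boolean; // stand-in for the real signature check
  constructor(checkSig: (r: Signed) => boolean) { this.checkSig = checkSig; }
  verify(r: Signed, now: number): Outcome {
    if (r.expires <= now) return "expired";
    if (this.revokedSigs.has(r.signature) || this.revokedKeys.has(r.keyId)) return "revoked";
    const cachedUntil = this.cache.get(r.signature);
    // Only replayable (nonce-less) signatures may be answered from cache.
    if (r.nonce === undefined && cachedUntil !== undefined && cachedUntil > now) return "ok";
    this.fullVerifications++; // cache miss or nonce-bound: verify in full
    if (!this.checkSig(r)) return "bad-signature";
    if (r.nonce !== undefined) {
      // Consume after the signature verifies, so a forged request cannot
      // burn a nonce the legitimate signer is about to use.
      return this.nonces.consume(`${r.keyId}:${r.nonce}`, r.expires, now) ? "ok" : "replayed";
    }
    this.cache.set(r.signature, r.expires);
    return "ok";
  }
  // Evicting the cache entry alone revokes nothing: the next request would
  // miss, re-verify and pass. The revocation itself must be recorded.
  invalidate(target: { signature?: string; keyId?: string }): void {
    if (target.signature !== undefined) { this.revokedSigs.add(target.signature); this.cache.delete(target.signature); }
    if (target.keyId !== undefined) this.revokedKeys.add(target.keyId);
  }
  dropCache(): void { this.cache.clear(); } // simulates cold cache or restart
}
```

Losing the cache (`dropCache`) only costs a full verification, while losing nonce or revocation state would re-admit requests that were already rejected, which is why only the former can be treated as best-effort.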