UNPKG

@bsv/auth-express-middleware

Version:

BSV Blockchain mutual-authentication express middleware

293 lines (209 loc) 11.1 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
# @bsv/auth-express-middleware An **Express.js** middleware that implements **BRC-103** [Peer-to-Peer Mutual Authentication](https://github.com/bitcoin-sv/BRCs/blob/master/peer-to-peer/0103.md) via **BRC-104** [HTTP Transport](https://github.com/bitcoin-sv/BRCs/blob/master/peer-to-peer/0103.md). This library makes it easy to **mutually authenticate** and exchange **verifiable certificates** between clients and servers in a standardized way. By layering **BRC-103** on top of Express, you can: - Perform a **cryptographic handshake** between two peers (your server and an external wallet/user). - Request or respond with **certificates** that verify user identity or attributes. - Enforce mutual authentication for your APIs, ensuring that each side proves its identity, without passwords or reliance on centralized authentication providers. - Optionally enable **selective disclosure** of certificate fields. --- ## Table of Contents 1. [Background](#background) 2. [Features](#features) 3. [Installation](#installation) 4. [Quick Start](#quick-start) 5. [Detailed Usage](#detailed-usage) - [Creating the Middleware](#creating-the-middleware) - [Injecting the Middleware into Express](#injecting-the-middleware-into-express) - [Handling Certificates](#handling-certificates) - [Interpreting Authenticated Requests](#interpreting-authenticated-requests) 6. [API Reference](#api-reference) 7. [Examples](#examples) 8. [Security Considerations](#security-considerations) 9. [Resources & References](#resources--references) 10. [License](#license) --- ## Background **BRC-103** is a specification for **mutual authentication** and **certificate exchange** over a **peer-to-peer** channel. It uses nonce-based challenges, digital signatures, and an optional selective disclosure mechanism for certificates. **BRC-104** defines how to transport these messages specifically over **HTTP**, describing custom headers and the `.well-known/auth` endpoint. **`@bsv/auth-express-middleware`** abstracts the complexities of these specs behind a typical **Express** middleware. It verifies BRC-103/104–compliant requests and properly signs responses, all while letting you continue to write normal Express code for your routes. --- ## Features - **Seamless Integration** Plug straight into your existing Express application—no need for rewriting your entire HTTP handling logic. - **Mutual Authentication** Authenticates **both** the server and the client cryptographically, preventing impersonation or MITM attacks. - **Certificate Handling** Request, receive, and verify BRC-103 identity certificates. Includes utility methods to request additional certificates from the client. - **Selective Disclosure** Supports BRC-103’s concept of revealing only certain fields in a certificate, helping to preserve privacy for you and your users while verifying necessary information. - **Extendable** Provide a custom `SessionManager` or plug in advanced logic for verifying user attributes. --- ## Installation ```bash npm i @bsv/auth-express-middleware ``` This package depends on [Express.js](https://www.npmjs.com/package/express) (4.x or 5.x) and a BRC-100–capable wallet (e.g., the `@bsv/sdk` implementation or your own code). --- ## Quick Start Below is the minimal setup to enable BRC-103 mutual authentication in your Express server: ```ts import express from 'express' import bodyParser from 'body-parser' import { createAuthMiddleware } from '@bsv/auth-express-middleware' import { ProtoWallet as Wallet } from '@bsv/sdk' // You need a wallet that supports BRC-100 keys & signing // 1. Initialize your BSV wallet (manages keys and signs messages) const wallet = new Wallet(new PrivateKey('...', 16)) // 2. Create the auth middleware // - Set `allowUnauthenticated` to false to require mutual auth on every route const authMiddleware = createAuthMiddleware({ wallet, allowUnauthenticated: false }) // 3. Create and configure the Express app const app = express() app.use(bodyParser.json()) // 4. Apply the auth middleware globally (or to specific routes) app.use(authMiddleware) // 5. Define your routes as usual app.get('/', (req, res) => { if (req.auth && req.auth.identityKey !== 'unknown') { // The request is authenticated res.send(`Hello, authenticated peer with public key: ${req.auth.identityKey}`) } else { // Not authenticated res.status(401).send('Unauthorized') } }) app.listen(3000, () => { console.log('Server is running on port 3000') }) ``` When the server receives a **BRC-103** handshake or "general" message, `@bsv/auth-express-middleware` automatically handles the cryptographic checks. Once verified, `req.auth.identityKey` will hold the **public key** of the authenticated peer. --- ## Detailed Usage ### Creating the Middleware Use the factory function: ```ts createAuthMiddleware({ wallet: myWallet, allowUnauthenticated?: boolean, sessionManager?: SessionManager, certificatesToRequest?: RequestedCertificateSet, onCertificatesReceived?: (senderPublicKey, certs, req, res, next) => void }) ``` #### Options - **`wallet`** *(required)*: A wallet instance that implements signing and key management, typically from `@bsv/sdk` or your own custom build. - **`allowUnauthenticated`** *(default: `false`)*: If `true`, requests without valid BRC-103 authentication will **not** be rejected. Instead, `req.auth.identityKey` is set to `"unknown"`. - **`sessionManager`** *(optional)*: Customize session management (nonce tracking, etc.). By default, an internal `SessionManager` is used. - **`certificatesToRequest`** *(optional)*: A specification of which certificates (by type, fields, issuer) to request automatically from the peer. - **`onCertificatesReceived`** *(optional)*: Callback invoked when the peer responds with **Verifiable Certificates**. ### Injecting the Middleware into Express Simply call: ```ts app.use(express.json()) // required before the middleware is used app.use(createAuthMiddleware({ wallet: myWallet })) ``` You can also place the middleware at the route level: ```ts app.post('/secure-upload', createAuthMiddleware({ wallet: myWallet }), (req, res) => { // ... }) ``` ### Handling Certificates If you set `certificatesToRequest`, the middleware will attempt to request certificates from the client during the handshake. When certificates arrive, the `onCertificatesReceived` callback (if provided) will fire: ```ts function onCertificatesReceived(senderPublicKey, certs, req, res, next) { // You can inspect the provided certificates here console.log(`Received ${certs.length} certificate(s) from ${senderPublicKey}.`) // Continue to next middleware or route handler next() } const authMiddleware = createAuthMiddleware({ wallet, certificatesToRequest: { certifiers: ['<33-byte-pubkey-of-certifier>'], types: { 'age-verification': ['dateOfBirth', 'country'] } }, onCertificatesReceived }) ``` In your server logic, you can then verify or store these certificates as needed. Replace fields like `age-verification` with an actual base64 certificate type. ### Interpreting Authenticated Requests Once a peer is authenticated, you'll have: - `req.auth.identityKey` ⇒ the authenticated user's **33-byte compressed public key** (hex-encoded). - `req.body` ⇒ your normal request body (parsed by `express.json()` or similar). - Standard `req.headers` ⇒ includes `x-bsv-auth-*` headers with BRC-103 handshake data (for debugging). If `allowUnauthenticated` is **false**, any request without a valid handshake or signature is **rejected** with `401` automatically. --- ## API Reference ### `createAuthMiddleware(options: AuthMiddlewareOptions)` Returns an Express middleware function. **Options**: - **`wallet`**: (required) A BRC-100 object implementing your signing and verification logic. - **`sessionManager`**: (optional) Manage nonces & state across requests. - **`allowUnauthenticated`**: (optional) If true, non-authenticated requests are allowed but marked as `identityKey: 'unknown'`. - **`certificatesToRequest`**: (optional) Automatic certificate request data structure. - **`onCertificatesReceived`**: (optional) A callback triggered when certs arrive from the client. --- ## Examples ### 1. Minimal Setup ```ts import express from 'express' import { createAuthMiddleware } from '@bsv/auth-express-middleware' import { Wallet } from '@your/bsv-wallet' const app = express() const wallet = new Wallet({ /* config for your keys */ }) app.use(express.json()) app.use(createAuthMiddleware({ wallet })) app.get('/protected', (req, res) => { if (req.auth && req.auth.identityKey !== 'unknown') { return res.send('You are authenticated via BRC-103!') } res.status(401).send('Unauthorized') }) app.listen(3000, () => console.log('BRC-103 server listening on port 3000!')) ``` ### 2. Requesting Certificates at Handshake ```ts import express from 'express' import { createAuthMiddleware } from '@bsv/auth-express-middleware' import { Wallet } from '@your/bsv-wallet' const wallet = new Wallet() function onCertificatesReceived(senderPublicKey, certs, req, res, next) { console.log(`Received certs from ${senderPublicKey}`, certs) next() } const authMiddleware = createAuthMiddleware({ wallet, certificatesToRequest: { certifiers: ['<certifier-pubkey-hex>'], types: { 'someCertificateType': ['fieldA', 'fieldB'] } }, onCertificatesReceived }) const app = express() app.use(express.json()) app.use(authMiddleware) app.listen(3000, () => console.log('Server up!')) ``` --- ## Security Considerations 1. **TLS Encryption**: Although BRC-103 messages are authenticated, the protocol does **not** encrypt the entire payload. It's recommended to serve your Express app over **HTTPS** to maintain confidentiality. 2. **Nonce Replay Prevention**: This library implements a `SessionManager` that automatically rejects nonces not bound by the server's private key. 3. **Transport-Only**: BRC-104's HTTP specification focuses on message authenticity, not on anonymizing request metadata. 4. **Certificate Revocation**: BRC-103 allows for revocation references (`revocationOutpoint`). Ensure your app checks the blockchain or an appropriate certificate revocation overlay service if you require strict revocation handling. --- ## Resources & References - [BRC-103 Spec](https://github.com/bitcoin-sv/BRCs/blob/master/peer-to-peer/0103.md) – Mutual authentication & certificate exchange. - [BRC-104 Spec](https://github.com/bitcoin-sv/BRCs/blob/master/peer-to-peer/0103.md) – HTTP Transport for BRC-103. - [@bsv/sdk](https://www.npmjs.com/package/@bsv/sdk) – BSV TypeScript SDK (often used for cryptographic utilities, wallet logic, etc.). - [Express.js](https://expressjs.com/) – Web framework for Node.js. --- ## License [Open BSV License](./LICENSE.txt) --- **Happy hacking!** If you have questions, suggestions, or want to contribute improvements, feel free to open an issue or PR in our repository.