refactor(server::{useragent::auth, client::auth}): use random based + timestamp nonce instead of monotonic counter in database

2026-04-17 16:14:45 +02:00
parent 51e6571d80
commit 0e09afda5d
24 changed files with 320 additions and 466 deletions
--- a/server/crates/arbiter-server/src/grpc/client/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/client/auth.rs
@@ -44,10 +44,14 @@ impl<'a> AuthTransportAdapter<'a> {

    fn response_to_proto(response: auth::Outbound) -> AuthResponsePayload {
        match response {
-            auth::Outbound::AuthChallenge { pubkey, nonce } => {
+            auth::Outbound::AuthChallenge {  challenge } => {
                AuthResponsePayload::Challenge(ProtoAuthChallenge {
-                    pubkey: pubkey.to_bytes(),
-                    nonce,
+                    timestamp_nanos: challenge
+                        .timestamp
+                        .timestamp_nanos_opt()
+                        .expect("timestamp within range")
+                        as u64,
+                    random: challenge.nonce.to_vec(),
                })
            }
            auth::Outbound::AuthSuccess => {
--- a/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
@@ -19,7 +19,7 @@ use tracing::warn;

 use crate::{
    grpc::request_tracker::RequestTracker,
-    peers::user_agent::{AuthCredentials, UserAgentConnection, auth},
+    peers::user_agent::{Credentials, UserAgentConnection, auth},
 };

 pub struct AuthTransportAdapter<'a> {
@@ -77,8 +77,15 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
    ) -> Result<(), TransportError> {
        use auth::{Error, Outbound};
        let payload = match item {
-            Ok(Outbound::AuthChallenge { nonce }) => {
-                AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
+            Ok(Outbound::AuthChallenge { challenge }) => {
+                AuthResponsePayload::Challenge(ProtoAuthChallenge {
+                    timestamp_nanos: challenge
+                        .timestamp
+                        .timestamp_nanos_opt()
+                        .expect("timestamp within range")
+                        as u64,
+                    random: challenge.nonce.to_vec(),
+                })
            }
            Ok(Outbound::AuthSuccess) => {
                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
@@ -183,7 +190,7 @@ pub async fn start(
    conn: &mut UserAgentConnection,
    bi: &mut GrpcBi<UserAgentRequest, UserAgentResponse>,
    request_tracker: &mut RequestTracker,
-) -> Result<AuthCredentials, auth::Error> {
+) -> Result<Credentials, auth::Error> {
    let mut transport = AuthTransportAdapter::new(bi, request_tracker);
    auth::authenticate(conn, &mut transport).await
 }