refactor(server::{useragent::auth, client::auth}): use random based + timestamp nonce instead of monotonic counter in database

server/crates/arbiter-server/tests/client/auth.rs

@@ -1,5 +1,5 @@
 use arbiter_crypto::{
-    authn::{self, CLIENT_CONTEXT, format_challenge},
+    authn::{self, AuthChallenge, CLIENT_CONTEXT},
     safecell::{SafeCell, SafeCellHandle as _},
 };
 use arbiter_proto::ClientMetadata;
@@ -66,12 +66,8 @@ async fn insert_registered_client(
     .unwrap();
 }
 
-fn sign_client_challenge(
-    key: &SigningKey<MlDsa87>,
-    nonce: i32,
-    pubkey: &authn::PublicKey,
-) -> authn::Signature {
-    let challenge = format_challenge(nonce, &pubkey.to_bytes());
+fn sign_client_challenge(key: &SigningKey<MlDsa87>, challenge: &AuthChallenge) -> authn::Signature {
+    let challenge = challenge.format();
     key.signing_key()
         .sign_deterministic(&challenge, CLIENT_CONTEXT)
         .unwrap()

server/crates/arbiter-server/tests/user_agent/auth.rs

@@ -8,7 +8,7 @@ use arbiter_server::{
     actors::{GlobalActors, bootstrap::GetToken, vault::Bootstrap},
     crypto::integrity,
     db::{self, schema},
-    peers::user_agent::{AuthCredentials, Credentials, UserAgentConnection, auth},
+    peers::user_agent::{Credentials, Credentials, UserAgentConnection, auth},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
@@ -144,7 +144,7 @@ pub async fn test_challenge_auth() {
         integrity::sign_entity(
             &mut conn,
             &actors.vault,
-            &AuthCredentials {
+            &Credentials {
                 creds: Credentials {
                     id,
                     pubkey: new_key.verifying_key().into(),
@@ -285,7 +285,7 @@ pub async fn test_challenge_auth_rejects_invalid_signature() {
         integrity::sign_entity(
             &mut conn,
             &actors.vault,
-            &AuthCredentials {
+            &Credentials {
                 creds: Credentials {
                     id,
                     pubkey: new_key.verifying_key().into(),

server/crates/arbiter-server/tests/user_agent/unseal.rs

@@ -9,8 +9,10 @@ use arbiter_server::{
     },
     db,
     peers::user_agent::{
-        AuthCredentials, Credentials,
-        vault_gate::{Error as VaultGateError, HandleHandshake, HandleUnsealEncryptedKey, VaultGate},
+        Credentials,
+        vault_gate::{
+            Error as VaultGateError, HandleHandshake, HandleUnsealEncryptedKey, VaultGate,
+        },
     },
 };
 
@@ -21,7 +23,11 @@ use x25519_dalek::{EphemeralSecret, PublicKey};
 
 async fn setup_sealed_gate(
     seal_key: &[u8],
-) -> (db::DatabasePool, kameo::actor::ActorRef<VaultGate>, oneshot::Receiver<Result<Credentials, VaultGateError>>) {
+) -> (
+    db::DatabasePool,
+    kameo::actor::ActorRef<VaultGate>,
+    oneshot::Receiver<Result<Credentials, VaultGateError>>,
+) {
     let db = db::create_test_pool().await;
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
 
@@ -36,10 +42,7 @@ async fn setup_sealed_gate(
 
     let (promotion_tx, promotion_rx) = oneshot::channel();
     let pubkey = authn::SigningKey::generate().public_key();
-    let auth_creds = AuthCredentials {
-        creds: Credentials { id: 1, pubkey },
-        new_nonce: 1,
-    };
+    let auth_creds = Credentials { id: 1, pubkey };
     let gate = VaultGate::spawn(VaultGate::new(auth_creds, actors, db.clone(), promotion_tx));
 
     (db, gate, promotion_rx)