refactor(server::{useragent::auth, client::auth}): use random based + timestamp nonce instead of monotonic counter in database

2026-04-17 16:14:45 +02:00
parent 51e6571d80
commit 0e09afda5d
24 changed files with 320 additions and 466 deletions
--- a/server/crates/arbiter-server/tests/user_agent/auth.rs
+++ b/server/crates/arbiter-server/tests/user_agent/auth.rs
@@ -8,7 +8,7 @@ use arbiter_server::{
    actors::{GlobalActors, bootstrap::GetToken, vault::Bootstrap},
    crypto::integrity,
    db::{self, schema},
-    peers::user_agent::{AuthCredentials, Credentials, UserAgentConnection, auth},
+    peers::user_agent::{Credentials, Credentials, UserAgentConnection, auth},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
@@ -144,7 +144,7 @@ pub async fn test_challenge_auth() {
        integrity::sign_entity(
            &mut conn,
            &actors.vault,
-            &AuthCredentials {
+            &Credentials {
                creds: Credentials {
                    id,
                    pubkey: new_key.verifying_key().into(),
@@ -285,7 +285,7 @@ pub async fn test_challenge_auth_rejects_invalid_signature() {
        integrity::sign_entity(
            &mut conn,
            &actors.vault,
-            &AuthCredentials {
+            &Credentials {
                creds: Credentials {
                    id,
                    pubkey: new_key.verifying_key().into(),
--- a/server/crates/arbiter-server/tests/user_agent/unseal.rs
+++ b/server/crates/arbiter-server/tests/user_agent/unseal.rs
@@ -9,8 +9,10 @@ use arbiter_server::{
    },
    db,
    peers::user_agent::{
-        AuthCredentials, Credentials,
-        vault_gate::{Error as VaultGateError, HandleHandshake, HandleUnsealEncryptedKey, VaultGate},
+        Credentials,
+        vault_gate::{
+            Error as VaultGateError, HandleHandshake, HandleUnsealEncryptedKey, VaultGate,
+        },
    },
 };

@@ -21,7 +23,11 @@ use x25519_dalek::{EphemeralSecret, PublicKey};

 async fn setup_sealed_gate(
    seal_key: &[u8],
-) -> (db::DatabasePool, kameo::actor::ActorRef<VaultGate>, oneshot::Receiver<Result<Credentials, VaultGateError>>) {
+) -> (
+    db::DatabasePool,
+    kameo::actor::ActorRef<VaultGate>,
+    oneshot::Receiver<Result<Credentials, VaultGateError>>,
+) {
    let db = db::create_test_pool().await;
    let actors = GlobalActors::spawn(db.clone()).await.unwrap();

@@ -36,10 +42,7 @@ async fn setup_sealed_gate(

    let (promotion_tx, promotion_rx) = oneshot::channel();
    let pubkey = authn::SigningKey::generate().public_key();
-    let auth_creds = AuthCredentials {
-        creds: Credentials { id: 1, pubkey },
-        new_nonce: 1,
-    };
+    let auth_creds = Credentials { id: 1, pubkey };
    let gate = VaultGate::spawn(VaultGate::new(auth_creds, actors, db.clone(), promotion_tx));

    (db, gate, promotion_rx)