feat(auth): simplify auth model and implement bootstrap flow

Remove key_identity indirection table, storing public keys and nonces directly on client tables. Replace AuthResponse with AuthOk, add a BootstrapActor to manage token lifecycle, and move user agent stream handling into the actor module.
2026-02-13 17:55:56 +01:00
parent 8fb7a04102
commit ffa60c90b1
8 changed files with 256 additions and 134 deletions
--- a/server/crates/arbiter-server/migrations/2026-02-09-143015-0000_init/up.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-09-143015-0000_init/up.sql
@@ -14,24 +14,18 @@ create table if not exists arbiter_settings (
    cert blob not null
 ) STRICT;

-create table if not exists key_identity (
-    id integer not null primary key,
-    name text not null,
-    public_key text not null,
-    created_at integer not null default(unixepoch ('now')),
-    updated_at integer not null default(unixepoch ('now'))
-) STRICT;
-
 create table if not exists useragent_client (
    id integer not null primary key,
-    key_identity_id integer not null references key_identity (id) on delete cascade,
+    nonce integer not null default (1), -- used for auth challenge
+    public_key blob not null,
    created_at integer not null default(unixepoch ('now')),
    updated_at integer not null default(unixepoch ('now'))
 ) STRICT;

 create table if not exists program_client (
    id integer not null primary key,
-    key_identity_id integer not null references key_identity (id) on delete cascade,
+    nonce integer not null default (1), -- used for auth challenge
+    public_key blob not null,
    created_at integer not null default(unixepoch ('now')),
    updated_at integer not null default(unixepoch ('now'))
 ) STRICT;