feat: authenticate with a scoped API key (FIP-07), connect once#3
Open
islandbitcoin wants to merge 1 commit into
Open
feat: authenticate with a scoped API key (FIP-07), connect once#3islandbitcoin wants to merge 1 commit into
islandbitcoin wants to merge 1 commit into
Conversation
After OTP login the mod mints a scoped Flash API key (read_user/read_wallet/ read_transactions + write_wallet/write_transactions, 30-day expiry), persists it in localStorage, and authenticates every request with X-API-KEY. Returning users skip captcha/OTP; Logout revokes the key. The GraphQL client prefers X-API-KEY and falls back to the session Bearer token (used to bootstrap login and mint the key). A 401 clears both credentials. Minting is best-effort: if the endpoint lacks the feature, login still works on the session token. The feature is live on Flash TEST first, so the dev/preview proxy now targets api.test.flashapp.me (override via VITE_FLASH_PROXY_TARGET). Verified end-to-end against TEST: login -> apiKeyCreate -> me via X-API-KEY -> apiKeyRevoke -> revoked key rejected (401). 78 unit tests pass (+10), typecheck and production build clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
After OTP login, the mod now mints a scoped Flash API key (FIP-07), stores it, and authenticates every request with
X-API-KEY— so returning users skip captcha/OTP (connect once). Logout revokes the key.Chosen model: OTP bootstraps login → auto-mint a least-privilege key → persist in
localStorage→ reuse across reopens.Why
Today the session token lives in
sessionStorage(tab-scoped), so users re-run captcha + OTP every time they reopen the mod inside the Fedi webview. A scoped, revocable, expiring API key gives a durable connection without holding a full session.Changes
flash/client.ts— preferX-API-KEY, fall back toBearer(used to bootstrap login + mint);localStorage-backed key store; a 401 clears both credentials.flash/operations.ts—createApiKey()+revokeApiKey(id).state/FlashContext.tsx— mint-on-login (best-effort: if minting fails, login still works on the session token); Logout revokes + clears.config.ts/types.ts— key config (scopes, 30-day expiry, name) + types.vite.config.ts— dev/preview proxy now targetsapi.test.flashapp.me(the feature is on TEST first; override viaVITE_FLASH_PROXY_TARGET)..env.example+READMEupdated (incl. correcting the old "neverlocalStorage" note).Scopes requested:
read_user,read_wallet,read_transactions,write_wallet,write_transactions— noadmin, nowrite_user.Verification
End-to-end against Flash TEST (app-review account):
userLogin→apiKeyCreate(returnsid, correct scopes) →meviaX-API-KEY→apiKeyRevoke(id)→ revoked key rejected with401. No keys left active.X-API-KEYpreference, 401-clears-both, mint-on-login, mint-failure fallback, revoke-on-logout, mutation shape/scopes/expiresIn)tsc --noEmit+vite buildNotes
"Flash FediMod"is valid).🤖 Generated with Claude Code