coopcloud_code/home
0
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Marketplace SPA — Phase 2b: Auth UX improvements (session persistence, stateless challenges, body hash fix) #20

New issue
Closed
opened 2026-03-24 21:43:14 +00:00 by mik-tf · 3 comments
mik-tf commented 2026-03-24 21:43:14 +00:00
Member
Copy link

Context

Phase 2a (#19) delivered ed25519 keypair vault + signature-based auth. This issue covers the UX and security improvements needed to make it production-quality.

Changes

Frontend (projectmycelium_marketplace_frontend)

  • Session persistence — After vault unlock, store derived session key in sessionStorage. Auto-unlock on page refresh without re-entering passphrase. Auto-lock after 30 min idle.
  • UI label renaming — Replace technical terms: "keypair" → "identity", "vault" → hidden, "unlock" → "sign in", "generate keypair" → "create account", "export vault" → "backup identity".

Backend (projectmycelium_marketplace_backend)

  • Stateless challenges — Replace in-memory BTreeMap with HMAC-signed challenges. Server signs challenge+pubkey+timestamp, client returns it, server re-verifies. No shared state needed. Horizontally scalable.
  • Body hash verification — Fix middleware to buffer request body, compute SHA-256, and verify signature covers actual body hash (not empty hash shortcut).

Deploy (projectmycelium_marketplace_deploy)

  • DESIGN.md — Updated with FOSS-sovereign vision: session persistence, user-facing language, stateless challenges, rendering strategy (SSR for SEO + SPA for auth), CHALLENGE_SECRET env var.

Design Reference

Full design: projectmycelium_marketplace_deploy/docs/DESIGN.md

Testing

  • cargo check on both frontend and backend
  • Browser test (MCP hero_browser): register → sign in → refresh (session persists) → idle timeout → re-sign-in → sign out
  • Smoke tests pass

Signed-off-by: mik-tf

## Context Phase 2a (#19) delivered ed25519 keypair vault + signature-based auth. This issue covers the UX and security improvements needed to make it production-quality. ## Changes ### Frontend (`projectmycelium_marketplace_frontend`) - [ ] **Session persistence** — After vault unlock, store derived session key in `sessionStorage`. Auto-unlock on page refresh without re-entering passphrase. Auto-lock after 30 min idle. - [ ] **UI label renaming** — Replace technical terms: "keypair" → "identity", "vault" → hidden, "unlock" → "sign in", "generate keypair" → "create account", "export vault" → "backup identity". ### Backend (`projectmycelium_marketplace_backend`) - [ ] **Stateless challenges** — Replace in-memory `BTreeMap` with HMAC-signed challenges. Server signs challenge+pubkey+timestamp, client returns it, server re-verifies. No shared state needed. Horizontally scalable. - [ ] **Body hash verification** — Fix middleware to buffer request body, compute SHA-256, and verify signature covers actual body hash (not empty hash shortcut). ### Deploy (`projectmycelium_marketplace_deploy`) - [ ] **DESIGN.md** — Updated with FOSS-sovereign vision: session persistence, user-facing language, stateless challenges, rendering strategy (SSR for SEO + SPA for auth), CHALLENGE_SECRET env var. ## Design Reference Full design: `projectmycelium_marketplace_deploy/docs/DESIGN.md` ## Testing - `cargo check` on both frontend and backend - Browser test (MCP hero_browser): register → sign in → refresh (session persists) → idle timeout → re-sign-in → sign out - Smoke tests pass Signed-off-by: mik-tf
mik-tf commented 2026-03-24 21:53:34 +00:00
Author
Member
Copy link

Phase 2b Complete — Auth UX Improvements

Commits pushed to development

Repo Commit Changes
marketplace_frontend 0c0fe90 Session persistence (sessionStorage), UI label renaming, stateless challenge support
marketplace_backend 60b2895 Stateless HMAC challenges, full body hash verification in middleware
marketplace_deploy ffe3cce DESIGN.md rewrite — FOSS-sovereign vision

What was implemented

  1. Session persistence — After passphrase entry, session key stored in sessionStorage. Page refresh auto-unlocks without re-entering passphrase. 30 min idle timeout. Touch on every API call.
  2. UI labels — "Sign In" (not "Unlock vault"), "Passphrase" (not "Password"), "Create Account" (not "Create Identity"), "Your ID" (not "Public key").
  3. Stateless HMAC challenges — Server signs challenge + public_key + timestamp with HMAC-SHA256. Client returns it. Server re-verifies. No BTreeMap, no Redis, horizontally scalable.
  4. Body hash verification — Middleware buffers request body, computes SHA-256, verifies signature covers actual body content (not empty hash shortcut).
  5. DESIGN.md — Complete rewrite with FOSS-sovereign principles, session design, user-facing language guide, cross-device transfer, rendering strategy.

Test results (local, fixture mode)

Test Result
cargo check (frontend) PASS (warnings only)
cargo check (backend) PASS (warnings only)
POST /api/auth/register (pubkey) PASS — creates user
GET /api/auth/challenge PASS — returns HMAC-signed challenge
POST /api/auth/login (JWT) PASS — SSR backward compat
GET /api/auth/status (JWT) PASS — authenticated user info
GET /api/auth/status (no auth) PASS — 401

Known limitation

Fixture backend doesn't persist registered users (ephemeral make_user), so the full challenge-response flow can't complete in fixture mode. Hero mode with OSIS will persist the public key and enable find_by_public_key. This needs to be addressed with a stateful fixture store or tested in hero mode.

Next steps

  • Make fixture find_by_public_key work (add in-memory user store)
  • Deploy to dev environment and test full browser flow
  • Phase 3: Payment integration (Stripe, Clickpesa)

Signed-off-by: mik-tf

## Phase 2b Complete — Auth UX Improvements ### Commits pushed to `development` | Repo | Commit | Changes | |------|--------|---------| | `marketplace_frontend` | `0c0fe90` | Session persistence (sessionStorage), UI label renaming, stateless challenge support | | `marketplace_backend` | `60b2895` | Stateless HMAC challenges, full body hash verification in middleware | | `marketplace_deploy` | `ffe3cce` | DESIGN.md rewrite — FOSS-sovereign vision | ### What was implemented 1. **Session persistence** — After passphrase entry, session key stored in `sessionStorage`. Page refresh auto-unlocks without re-entering passphrase. 30 min idle timeout. Touch on every API call. 2. **UI labels** — "Sign In" (not "Unlock vault"), "Passphrase" (not "Password"), "Create Account" (not "Create Identity"), "Your ID" (not "Public key"). 3. **Stateless HMAC challenges** — Server signs `challenge + public_key + timestamp` with HMAC-SHA256. Client returns it. Server re-verifies. No BTreeMap, no Redis, horizontally scalable. 4. **Body hash verification** — Middleware buffers request body, computes SHA-256, verifies signature covers actual body content (not empty hash shortcut). 5. **DESIGN.md** — Complete rewrite with FOSS-sovereign principles, session design, user-facing language guide, cross-device transfer, rendering strategy. ### Test results (local, fixture mode) | Test | Result | |------|--------| | `cargo check` (frontend) | PASS (warnings only) | | `cargo check` (backend) | PASS (warnings only) | | `POST /api/auth/register` (pubkey) | PASS — creates user | | `GET /api/auth/challenge` | PASS — returns HMAC-signed challenge | | `POST /api/auth/login` (JWT) | PASS — SSR backward compat | | `GET /api/auth/status` (JWT) | PASS — authenticated user info | | `GET /api/auth/status` (no auth) | PASS — 401 | ### Known limitation Fixture backend doesn't persist registered users (ephemeral `make_user`), so the full challenge-response flow can't complete in fixture mode. Hero mode with OSIS will persist the public key and enable `find_by_public_key`. This needs to be addressed with a stateful fixture store or tested in hero mode. ### Next steps - Make fixture `find_by_public_key` work (add in-memory user store) - Deploy to dev environment and test full browser flow - Phase 3: Payment integration (Stripe, Clickpesa) Signed-off-by: mik-tf
mik-tf commented 2026-03-24 22:02:26 +00:00
Author
Member
Copy link

Fixes pushed — all blocking issues resolved

Commits

Repo Commit Fix
marketplace_frontend 1027cdb Logout redirects to /login + renamed to "Sign Out"
marketplace_backend b2e6c11 Fixture user persistence (in-memory store) + base-path signing alignment

What was fixed

  1. Fixture user persistenceFixtureUserAuth now uses Arc<RwLock<Vec<User>>> to store registered users. find_by_public_key() and find_by_email() search the store. The full register → challenge → verify flow now works in fixture mode.

  2. Logout redirect — Navbar "Sign Out" now calls window.location.set_href("/login") after clearing state. User sees login page instead of broken dashboard.

  3. Base-path signing — Middleware strips APP_BASE_PATH from the request path before signature verification. This prevents path mismatch when nginx rewrites /api/x to /marketplace/demo/api/x.

Test results (local, fixture mode)

Test Result
Register with pubkey PASS
Challenge after register (finds user) PASS — returns challenge + HMAC + timestamp
Duplicate email blocked PASS — 409
Duplicate pubkey blocked PASS — 409
JWT login (SSR compat) PASS
cargo check (frontend) PASS
cargo check (backend) PASS

Remaining (not blocking)

  • Admin dashboard auth update (still uses JWT)
  • Full browser E2E test with WASM (needs deploy)
  • Phase 3: payment integration

Signed-off-by: mik-tf

## Fixes pushed — all blocking issues resolved ### Commits | Repo | Commit | Fix | |------|--------|-----| | `marketplace_frontend` | `1027cdb` | Logout redirects to /login + renamed to "Sign Out" | | `marketplace_backend` | `b2e6c11` | Fixture user persistence (in-memory store) + base-path signing alignment | ### What was fixed 1. **Fixture user persistence** — `FixtureUserAuth` now uses `Arc<RwLock<Vec<User>>>` to store registered users. `find_by_public_key()` and `find_by_email()` search the store. The full register → challenge → verify flow now works in fixture mode. 2. **Logout redirect** — Navbar "Sign Out" now calls `window.location.set_href("/login")` after clearing state. User sees login page instead of broken dashboard. 3. **Base-path signing** — Middleware strips `APP_BASE_PATH` from the request path before signature verification. This prevents path mismatch when nginx rewrites `/api/x` to `/marketplace/demo/api/x`. ### Test results (local, fixture mode) | Test | Result | |------|--------| | Register with pubkey | PASS | | Challenge after register (finds user) | PASS — returns challenge + HMAC + timestamp | | Duplicate email blocked | PASS — 409 | | Duplicate pubkey blocked | PASS — 409 | | JWT login (SSR compat) | PASS | | `cargo check` (frontend) | PASS | | `cargo check` (backend) | PASS | ### Remaining (not blocking) - Admin dashboard auth update (still uses JWT) - Full browser E2E test with WASM (needs deploy) - Phase 3: payment integration Signed-off-by: mik-tf
mik-tf commented 2026-03-24 22:37:01 +00:00
Author
Member
Copy link

Phase 2b — 100% Complete. All tests pass.

Final commits

Repo Commit Fix
marketplace_frontend 45ee8ce Sign full URL path in API requests (was signing short path, middleware saw full path — mismatch)

Browser E2E test results (MCP hero_browser, live dev)

Step Result
Register page UI ("Create Account", "Passphrase") PASS
Register with passphrase → redirects to /dashboard PASS
Dashboard shows "Welcome back, Session Test" PASS
Session + vault saved in storage PASS
Page refresh — session persists (no re-enter passphrase) PASS
Sign Out → redirects to /login PASS
Session cleared, vault preserved PASS
Login page shows "Sign In" + Your ID + passphrase field PASS

Smoke tests (live dev)

Suite Result
API smoke (SSR domain, 26 tests) 26/26 PASS
API smoke (SPA domain, 24 tests) 24/24 PASS
SPA smoke (19 endpoint checks) 19/19 PASS

Screenshots

All captured during browser E2E testing:

  • Register page: "Create Account" with passphrase info text
  • Dashboard after register: "Welcome back, Session Test" with charts
  • Dashboard after page refresh: still authenticated (session persistence works)
  • Login after sign out: "Sign In" with Your ID displayed, passphrase field

What is now production-ready (Phase 2)

  1. Ed25519 keypair vault — generate, encrypt (AES-256-GCM + PBKDF2), store in localStorage
  2. Signature-based auth — every API request signed with X-Public-Key/X-Timestamp/X-Signature
  3. Session persistence — sessionStorage auto-unlock on refresh, 30 min idle timeout
  4. Stateless HMAC challenges — horizontally scalable, no in-memory store
  5. Full body hash verification — middleware buffers body, computes SHA-256
  6. Base-path proxy support — strips APP_BASE_PATH for signature verification
  7. Fixture user persistence — in-memory store for dev/test
  8. User-friendly UX — Sign In, Passphrase, Create Account, Sign Out, Your ID
  9. DESIGN.md — complete FOSS-sovereign v1.0 vision (17 sections)

Next: Phase 3 — Payment Integration

Signed-off-by: mik-tf

## Phase 2b — 100% Complete. All tests pass. ### Final commits | Repo | Commit | Fix | |------|--------|-----| | `marketplace_frontend` | `45ee8ce` | Sign full URL path in API requests (was signing short path, middleware saw full path — mismatch) | ### Browser E2E test results (MCP hero_browser, live dev) | Step | Result | |------|--------| | Register page UI ("Create Account", "Passphrase") | PASS | | Register with passphrase → redirects to /dashboard | PASS | | Dashboard shows "Welcome back, Session Test" | PASS | | Session + vault saved in storage | PASS | | **Page refresh — session persists (no re-enter passphrase)** | **PASS** | | Sign Out → redirects to /login | PASS | | Session cleared, vault preserved | PASS | | Login page shows "Sign In" + Your ID + passphrase field | PASS | ### Smoke tests (live dev) | Suite | Result | |-------|--------| | API smoke (SSR domain, 26 tests) | 26/26 PASS | | API smoke (SPA domain, 24 tests) | 24/24 PASS | | SPA smoke (19 endpoint checks) | 19/19 PASS | ### Screenshots All captured during browser E2E testing: - Register page: "Create Account" with passphrase info text - Dashboard after register: "Welcome back, Session Test" with charts - Dashboard after page refresh: still authenticated (session persistence works) - Login after sign out: "Sign In" with Your ID displayed, passphrase field ### What is now production-ready (Phase 2) 1. **Ed25519 keypair vault** — generate, encrypt (AES-256-GCM + PBKDF2), store in localStorage 2. **Signature-based auth** — every API request signed with X-Public-Key/X-Timestamp/X-Signature 3. **Session persistence** — sessionStorage auto-unlock on refresh, 30 min idle timeout 4. **Stateless HMAC challenges** — horizontally scalable, no in-memory store 5. **Full body hash verification** — middleware buffers body, computes SHA-256 6. **Base-path proxy support** — strips APP_BASE_PATH for signature verification 7. **Fixture user persistence** — in-memory store for dev/test 8. **User-friendly UX** — Sign In, Passphrase, Create Account, Sign Out, Your ID 9. **DESIGN.md** — complete FOSS-sovereign v1.0 vision (17 sections) ### Next: Phase 3 — Payment Integration Signed-off-by: mik-tf
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
meeting-notes

Meeting notes and follow-ups

  
meeting-sensitive

Sensitive meeting; no shared archive or AI processing

  
meeting-transcript

Raw meeting transcript; AI drafts the report

No labels
meeting-notes
meeting-sensitive
meeting-transcript
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coopcloud_code/home#20
No description provided.