Skip to content

chef-ryan/auth-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
src
src
 
 
tests
tests
 
 
.env
.env
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
bun.lock
bun.lock
 
 
package.json
package.json
 
 
pnpm-lock.yaml
pnpm-lock.yaml
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

L3 Auth Demo

This project demonstrates a CAIP-10 compliant L3 authentication workflow using Elysia on Bun. Wallets sign a one-time challenge, the backend verifies the signature, and an HTTP-only l3-session cookie is issued while the full session is stored server-side (Redis or an in-memory fallback).

Prerequisites

  • Bun v1.2+
  • A .env file based on .env.example
PORT=3000
# Optional
REDIS_URL=redis://localhost:6379

Install & Run

bun install
bun run src/index.ts           # start once
# or
bun run --watch src/index.ts   # reload on change

On start, the server listens on http://localhost:${PORT}.

Auth Flow

  1. Client requests a nonce from GET /auth/nonce, which returns a unique nonce and issuedAt.
  2. Client builds the canonical message locally using the template:
    prob.market wants you to sign in with your account: {identity.account}
    domain: prob.market
    Version: 1
    Chain ID: {identity.namespace}:{identity.chainId}
    Nonce: {nonce}
    Issued At: {issuedAt}
  3. Wallet signs the message off-chain.
  4. Client submits { identity, message, signature, nonce, issuedAt } to POST /l3/auth/login.
  5. The backend validates the CAIP-10 identity, checks the nonce and issued timestamp, verifies the signature, then stores an L3Session and sets an l3-session HTTP-only cookie.
  6. Subsequent protected requests attach the cookie automatically; POST /l3/auth/logout clears the cookie and removes the server-side session.

Sessions expire after 24 hours. Nonces expire after five minutes and are single-use.

API Endpoints

Method Path Description
GET / Health check
GET /auth/nonce Issues a one-time nonce with the issued timestamp
POST /l3/auth/login Verifies signature, stores session, sets cookie
POST /l3/auth/logout Clears the cookie and invalidates the session
GET /l3/auth/session Returns the active L3Session (requires cookie)
GET /users/me Returns session-derived identity and timestamps
GET /profiles Mock profile payload
GET /positions Mock positions payload
GET /activity Mock recent activity

All error responses follow { "error": string, "code"?: number }.

Logging

Important auth events (login, logout, revocation, failures) are emitted with ISO timestamps so they can be ingested by an external log pipeline.

Testing

Tests simulate the signature flow with a mock account and run end-to-end against the in-memory server.

TMPDIR=$PWD/.tmp bun test

The TMPDIR override avoids sandbox temp-directory restrictions in the Codex CLI; it is not required on a local machine.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages