safe-global / safe-client-gateway / 23007061327
89%
main: 90%

LAST BUILD BRANCH: feat/auth-code-clow
DEFAULT BRANCH: main
Ran
Jobs 0
Files 0
Run time
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
23007061327

push

github

web-flow 
feat(auth): extend JWT payload (#2971)

* feat(auth): extend JWT payload with RFC 7519 registered claims

Standardize CGW JWT to use registered claims (sub, aud, auth_method)
instead of inferring auth type from field presence. This is a breaking
change that invalidates existing SIWE sessions.

- Add discriminated union schema on auth_method (siwe/oidc)
- Add sub claim (numeric user ID) and aud claim to JWT
- Auto-create user on first SIWE login via findOrCreateByWalletAddress
- Add audience validation at JWT library level
- Reject legacy tokens missing auth_method/sub fields

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: formatting

* refactor: rename from authPayloadDtoBuilder to siweAuthPayloadDtoBuilder

* test: enhance AuthPayload entity tests for SIWE and OIDC payloads

* fix: formatting

* docs: remove unnecessary comment

* test: refactor SpacesService tests to use siweAuthPayloadDtoBuilder for auth payloads

* refactor: extract TestUsersModule

* fix: remove unused import

* test: integrate UsersModule and enhance auth payload assertions in NotificationsController tests

* refactor: update AuthRepository to use new AuthPayloadWithClaimsDtoSchema for token decoding

- Removed unused imports and simplified the decodeToken method to utilize the new AuthPayloadWithClaimsDtoSchema.
- Introduced AuthPayloadWithClaimsDtoSchema to extend JWT claims with SIWE and OIDC payloads in the auth-payload.entity.ts file.

* chore: add license headers

* test: add integration tests for findOrCreateByWalletAddress

* fix: handle race condition in findOrCreateByWalletAddress

Catch the unique constraint violation (UQ_wallet_address) that can occur
when two concurrent SIWE logins for the same address both pass the
initial find check and attempt to insert. On conflict, retry the lookup.

* refactor: omit sub from JwtClaimsSchema in AuthPayloadWithClaimsDtoSchema

The auth payload schemas define sub as a required NumericString, while
JwtClaimsSchema... (continued)
Source Files on build 23007061327
Detailed source file information is not available for this build.