• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

decentraland / world-storage-service / 28960364948
99%

Build:
DEFAULT BRANCH: main
Ran 08 Jul 2026 04:54PM UTC
Jobs 1
Files 58
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

08 Jul 2026 04:53PM UTC coverage: 98.68% (-0.1%) from 98.824%
28960364948

push

github

web-flow
feat: authorize world-scoped authoritative storage delegations (#112)

* feat: authorize world-scoped authoritative storage delegations

Adds an additive authorization path for /values/* so an authoritative scene server can read/write a world's storage without holding the authoritative key.

A request signed by a throwaway ephemeral is authorized when it carries an x-authoritative-scope claim, signed by a trusted AUTHORITATIVE_SERVER_ADDRESS, that binds that ephemeral to the target world and has not expired. The claim's ephemeral must equal the request signer (blocks replaying a captured claim with another key). The existing owner/ACL and broad authorized-address paths are unchanged.

Pin @dcl/crypto (was transitive) since verifyStorageDelegation uses it directly.

* refactor: storage delegations no longer expire (worker-lifetime)

Drop the Expiration line from the claim and the expiry check: the ephemeral lives for the life of the scene worker. The ephemeral==signer binding and world scoping remain; revoke by rotating the authoritative key.

* feat: enforce storage delegation expiry again (1h TTL)

Re-add the Expiration claim line and the expiry check; delegations are short-lived and renewed by the worker over IPC, so an expired claim must be rejected.

* fix: restrict storage scope-claim signers to the authoritative address; cover the scoped path

Least authority: a scope claim is trusted only when signed by AUTHORITATIVE_SERVER_ADDRESS, not by every AUTHORIZED_ADDRESSES entry. Add middleware-level tests for the world-scoped delegation branch (valid, untrusted signer, wrong ephemeral, wrong world, expired, missing header).

* chore: fix eslint (prettier, import order, interface types, typed auth chain)

* feat: enforce scene scope on storage delegations; guard header size

Security review F2/F5: verifyStorageDelegation now takes a target { signer, world, sceneId, parcel, trustedSigners } and requires the claim's sceneId == the request's scene and pa... (continued)

424 of 438 branches covered (96.8%)

Branch coverage included in aggregate %.

69 of 70 new or added lines in 2 files covered. (98.57%)

1146 of 1153 relevant lines covered (99.39%)

69.42 hits per line

Uncovered Changes

Lines Coverage ∆ File
1
98.2
src/utils/storage-delegation.ts
Jobs
ID Job ID Ran Files Coverage
1 28960364948.1 08 Jul 2026 04:54PM UTC 116
98.88
GitHub Action Run
Source Files on build 28960364948
  • Tree
  • List 58
  • Changed 33
  • Source Changed 1
  • Coverage Changed 33
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Repo
  • Github Actions Build #28960364948
  • ef2939b8 on github
  • Prev Build on main (#28628817499)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc