feat: auth primitives - JWT/SIWE (pkg/auth/jwt)#352
Conversation
Self-contained, reusable auth building blocks with no app wiring: - Issuer: mint short-lived RS256 JWTs; publish the public key as JWKS - Validator: verify bearer JWTs (in-process key or remote JWKS) - SIWEVerifier: validate EIP-4361 login messages and recover the signer - RequireAuth: bearer-token HTTP middleware - ParseRSAPrivateKey: load the base64-PEM signing key Folds in the previously-dead auth.JWTValidator (relocated from pkg/auth/jwt.go).
There was a problem hiding this comment.
Code Review
This pull request introduces a comprehensive JWT authentication package (pkg/auth/jwt) that supports Sign-In with Ethereum (SIWE) login flows, JWT session issuance, and verification via JWKS, replacing the previous auth implementation. The feedback identifies several important improvements: adding a mutex to serialize JWKS key refreshes to prevent a thundering herd problem, implementing a double-checked locking pattern in getKey to avoid redundant fetches, completely replacing the cached keys map during refreshes to ensure revoked keys are evicted, and adding a defensive nil check on msg.GetURI() in the SIWE verifier to prevent potential panics.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #352 +/- ##
=======================================
Coverage ? 33.08%
=======================================
Files ? 159
Lines ? 12376
Branches ? 0
=======================================
Hits ? 4094
Misses ? 7949
Partials ? 333
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Address review: guard against a thundering-herd of JWKS fetches on concurrent cache misses (refreshMu + double-check), and replace the key map on refresh so rotated-out keys stop being trusted.
|
Addressed Gemini's review in
|
1 of 3 — read-API authentication, split for review. Merge order: this → auth-service → auth-integration.
Self-contained, reusable auth building blocks with no app wiring (nothing calls them yet), so this can be reviewed as a library in isolation.
Issuer— mint short-lived RS256 JWTs; publish the public key as JWKSValidator— verify bearer JWTs (in-process key or remote JWKS URL)SIWEVerifier— validate EIP-4361 login messages, recover the signer, return the nonceRequireAuth— bearer-token HTTP middlewareParseRSAPrivateKey— load the base64-PEM signing keyAlso folds in the previously-dead
auth.JWTValidator(relocated frompkg/auth/jwt.go, zero callers). Full unit tests per file.