You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/architecture/identity.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -51,9 +51,9 @@ Server response:
51
51
52
52
Both parties emerge from the handshake having verified each other's identity keys. Subsequent requests in the same session use a session token derived from the initial handshake.
53
53
54
-
`@bsv/auth-express-middleware` installs BRC-31 as Express middleware. Any route wrapped by it requires a valid BRC-31 handshake from the client.
54
+
`@bsv/auth-express-middleware` installs BRC-103/BRC-104 as Express middleware. Any route wrapped by it requires a valid BRC-103 handshake from the client over the BRC-104 HTTP binding.
55
55
56
-
The machine-readable spec is at `specs/auth/brc31-handshake.yaml` (AsyncAPI 3.0).
56
+
The machine-readable spec is at `specs/auth/brc103-mutual-auth.yaml` (AsyncAPI 3.0).
Copy file name to clipboardExpand all lines: docs/packages/middleware/auth-express-middleware.md
+15-2Lines changed: 15 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -57,7 +57,7 @@ app.listen(3000)
57
57
-**AuthRequest** — Extended Request with `.auth` object containing `identityKey`
58
58
-**BRC-103 mutual authentication** — Nonce-based challenge-response with signatures
59
59
-**BRC-104 HTTP transport** — Custom headers (`x-bsv-auth-*`) for non-general messages
60
-
-**Session management** — Tracks nonces per identity; SessionManager interface extensible
60
+
-**Session management** — Tracks nonces per identity; AsyncSessionManager interface extensible to synchronous or asynchronous stores
61
61
-**Certificate exchange** — Optional verifiable certificates during handshake
62
62
-**Response wrapping** — Middleware intercepts response methods to sign responses before sending
63
63
-**Optional authentication** — `allowUnauthenticated` flag for mixed public/private endpoints
@@ -104,6 +104,19 @@ app.use(express.json())
104
104
app.use(authMiddleware)
105
105
```
106
106
107
+
### Shared sessions for scaled servers
108
+
109
+
The default `SessionManager` stores BRC-103 nonce/session state in one process. For load-balanced Express servers, pass a `AsyncSessionManager` backed by shared storage so every instance can resolve the same handshake state instead of relying on sticky routing.
### BRC-103 / BRC-104: Mutual Authentication Handshake + HTTP Transport
82
82
83
-
Specifies the `x-bsv-auth-*` HTTP headers that implement mutual-auth challenge-response over standard HTTP. Built on the BRC-103 Peer framework.
83
+
BRC-103 specifies the peer-to-peer mutual authentication protocol (AuthMessage envelope, nonces, certificates, sessions). BRC-104 binds it to HTTP via the `/.well-known/auth` endpoint and `x-bsv-auth-*` headers. Replaces the legacy BRC-31 identifier.
Copy file name to clipboardExpand all lines: packages/middleware/auth-express-middleware/README.md
+44-5Lines changed: 44 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -53,7 +53,7 @@ By layering **BRC-103** on top of Express, you can:
53
53
Supports BRC-103’s concept of revealing only certain fields in a certificate, helping to preserve privacy for you and your users while verifying necessary information.
54
54
55
55
-**Extendable**
56
-
Provide a custom `SessionManager` or plug in advanced logic for verifying user attributes.
56
+
Provide a custom `AsyncSessionManager`, including asynchronous shared stores, or plug in advanced logic for verifying user attributes.
-**`wallet`***(required)*: A wallet instance that implements signing and key management, typically from `@bsv/sdk` or your own custom build.
135
135
-**`allowUnauthenticated`***(default: `false`)*: If `true`, requests without valid BRC-103 authentication will **not** be rejected. Instead, `req.auth.identityKey` is set to `"unknown"`.
136
-
-**`sessionManager`***(optional)*: Customize session management (nonce tracking, etc.). By default, an internal `SessionManager` is used.
136
+
-**`sessionManager`***(optional)*: Customize session management (nonce tracking, etc.). By default, an internal `SessionManager` is used. For horizontally scaled servers, pass a `AsyncSessionManager` backed by shared storage so every instance can resolve the same nonce/session state.
137
137
-**`certificatesToRequest`***(optional)*: A specification of which certificates (by type, fields, issuer) to request automatically from the peer.
138
138
-**`onCertificatesReceived`***(optional)*: Callback invoked when the peer responds with **Verifiable Certificates**.
139
139
140
+
### Horizontal Scaling
141
+
142
+
The default `SessionManager` stores handshake state in memory. That is appropriate for one process, but a load-balanced deployment can route the initial nonce exchange, certificate request, and general message to different server instances. In that topology, provide a `AsyncSessionManager` backed by shared storage so nonce lookups are available to every instance:
0 commit comments