
feat: Web3 Authentication and Authorization (#77)#444

Open
Susuhome wants to merge 1 commit into Spectral-Finance:main from Susuhome:feat/web3-auth

Conversation

@Susuhome Susuhome commented Mar 8, 2026

Overview

Comprehensive Web3 authentication and authorization framework for issue #77.

Modules

SiweMessage (EIP-4361)

  • Generate SIWE messages with all EIP-4361 fields (domain, address, URI, nonce, chain_id, statement, resources)
  • Parse EIP-4361 message strings back to structs
  • Validate message fields (expiry, not_before, address format, nonce length)
  • Cryptographic nonce generation

SignatureVerifier

  • EIP-191 personal sign verification
  • Address recovery from signature using ExSecp256k1
  • Personal message hash computation

RBAC (Role-Based Access Control)

  • Define roles with permission sets
  • Assign/revoke roles to Ethereum addresses
  • Permission checking with wildcard (:all) support
  • Token gate management (contract + min balance)
  • Case-insensitive address handling

SessionManager

  • Create authenticated sessions with configurable TTL
  • Validate sessions (auto-expire stale ones)
  • Refresh sessions before expiry
  • Revoke individual or all sessions per address
  • Full audit logging (created, expired, revoked events)

Guide

  • guides/web3_auth.md with full auth flow example

Acceptance Criteria

  • EIP-4361 compliant authentication (SiweMessage)
  • Multi-signature wallet support (SignatureVerifier)
  • Role and permission management (RBAC with wildcard)
  • Session handling and expiry (SessionManager with TTL)
  • Signature verification system (EIP-191 + ExSecp256k1)
  • Token-gated access control (RBAC.add_token_gate)
  • Documentation and examples (guide + moduledocs)
  • Integration tests demonstrating auth flows (31 tests)

Tests

31 tests:

  • SiweMessage: 8 tests (create, to_string, parse, validate valid/expired/invalid_address/short_nonce, resources)
  • SignatureVerifier: 4 tests (hash consistency, different messages, invalid format, recovery)
  • RBAC: 10 tests (define, assign, undefined role, permissions, authorize, revoke, wildcard, normalization, token gates)
  • SessionManager: 9 tests (create/get, validate, expired, refresh, revoke, revoke_all, audit, active count, not_found)

Budget: $1,000

- SiweMessage: EIP-4361 message generation, parsing, validation
- SignatureVerifier: EIP-191 personal sign verification, address recovery
- RBAC: role-based access control with token gates, wildcard permissions
- SessionManager: session create/validate/refresh/revoke with audit logging
- Guide: guides/web3_auth.md
- 31 tests, all passing
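The EIP-4361 message layout, parsing and validation rules the SiweMessage bullets describe, as an added Python illustration that is not the PR's Elixir module: the dataclass, `to_string`, `parse`, `validate` and `generate_nonce` names, the sample domain, address and timestamps are all mine. The address check covers format only; verifying the EIP-55 mixed-case checksum needs keccak-256, which the standard library does not provide, so that is left to the signature-recovery layer.

```python
"""Minimal EIP-4361 (Sign-In with Ethereum) message builder, parser and
validator.  Constructed example; not the PR's SiweMessage code."""
import re
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

PREAMBLE = " wants you to sign in with your Ethereum account:"
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")  # format only, no EIP-55 checksum
NONCE_RE = re.compile(r"^[A-Za-z0-9]{8,}$")      # EIP-4361: nonce = 8*( ALPHA / DIGIT )
ALPHANUM = string.ascii_letters + string.digits


def generate_nonce(length: int = 16) -> str:
    """Nonce from the OS CSPRNG so a captured message cannot be replayed."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def parse_ts(value: str) -> datetime:
    """RFC 3339 timestamp -> aware UTC datetime (accepts a trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class SiweMessage:
    domain: str
    address: str
    uri: str
    chain_id: int
    nonce: str
    issued_at: str
    version: str = "1"
    statement: Optional[str] = None
    expiration_time: Optional[str] = None
    not_before: Optional[str] = None
    request_id: Optional[str] = None
    resources: list = field(default_factory=list)

    def to_string(self) -> str:
        """Serialize in the exact line layout of the EIP-4361 ABNF."""
        lines = [self.domain + PREAMBLE, self.address, ""]
        if self.statement is not None:
            lines.append(self.statement)
        lines.append("")
        lines += [f"URI: {self.uri}", f"Version: {self.version}",
                  f"Chain ID: {self.chain_id}", f"Nonce: {self.nonce}",
                  f"Issued At: {self.issued_at}"]
        for label, val in (("Expiration Time", self.expiration_time),
                           ("Not Before", self.not_before),
                           ("Request ID", self.request_id)):
            if val is not None:
                lines.append(f"{label}: {val}")
        if self.resources:
            lines.append("Resources:")
            lines += [f"- {r}" for r in self.resources]
        return "\n".join(lines)

    @classmethod
    def parse(cls, text: str) -> "SiweMessage":
        """Inverse of to_string; raises ValueError on a malformed layout."""
        lines = text.split("\n")
        if not lines[0].endswith(PREAMBLE) or lines[2] != "":
            raise ValueError("malformed SIWE header")
        domain, address = lines[0][: -len(PREAMBLE)], lines[1]
        statement, i = None, 3
        if lines[3] != "":            # optional single-line statement
            statement, i = lines[3], 4
        if lines[i] != "":
            raise ValueError("expected blank line before fields")
        fields, resources = {}, []
        for line in lines[i + 1:]:
            if line.startswith("- "):
                resources.append(line[2:])
            elif line != "Resources:":
                key, sep, val = line.partition(": ")
                if not sep:
                    raise ValueError(f"bad field line: {line!r}")
                fields[key] = val
        return cls(domain=domain, address=address, uri=fields["URI"],
                   version=fields["Version"], chain_id=int(fields["Chain ID"]),
                   nonce=fields["Nonce"], issued_at=fields["Issued At"],
                   statement=statement,
                   expiration_time=fields.get("Expiration Time"),
                   not_before=fields.get("Not Before"),
                   request_id=fields.get("Request ID"), resources=resources)

    def validate(self, now: datetime) -> list:
        """Return the list of problems; an empty list means acceptable."""
        errors = []
        if not ADDRESS_RE.match(self.address):
            errors.append("invalid_address")
        if not NONCE_RE.match(self.nonce):
            errors.append("short_nonce")
        if self.expiration_time and parse_ts(self.expiration_time) <= now:
            errors.append("expired")
        if self.not_before and parse_ts(self.not_before) > now:
            errors.append("not_yet_valid")
        return errors
```

`validate` takes the clock as a parameter so expiry and not-before checks are deterministic in tests; a server should also compare `domain` with the origin it actually serves and check that the nonce is one it issued and has not seen before, which are stateful checks outside this message-level validator.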
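The RBAC and SessionManager behaviour listed above (wildcard `:all` permissions, case-insensitive addresses, token gates, TTL sessions with refresh, revoke and an audit log), as an added Python illustration that is not the PR's Elixir code: the class and method names, the role and permission strings and the sample addresses are mine. One choice worth noting: the audit log records a hash prefix of each session token rather than the token itself, so a leaked log does not hand out live bearer tokens.

```python
"""RBAC with ':all' wildcards and token gates, plus a TTL session store with
an append-only audit log.  Constructed example; not the PR's modules."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def normalize(address: str) -> str:
    """Hex addresses are case-insensitive; store and compare them lowercased."""
    return address.lower()


def fingerprint(token: str) -> str:
    """Audit entries carry a hash prefix, never the bearer token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


class RBAC:
    def __init__(self):
        self.roles = {}         # role -> set of "resource:action" permissions
        self.assignments = {}   # normalized address -> set of roles
        self.token_gates = {}   # gate name -> (normalized contract, min balance)

    def define_role(self, role, permissions):
        self.roles[role] = set(permissions)

    def assign_role(self, address, role):
        if role not in self.roles:
            raise KeyError(f"undefined role: {role}")
        self.assignments.setdefault(normalize(address), set()).add(role)

    def revoke_role(self, address, role):
        self.assignments.get(normalize(address), set()).discard(role)

    def permissions_for(self, address):
        roles = self.assignments.get(normalize(address), set())
        return set().union(*(self.roles[r] for r in roles))

    def authorize(self, address, permission):
        """Exact match, or the 'resource:all' wildcard for that resource."""
        resource = permission.partition(":")[0]
        perms = self.permissions_for(address)
        return permission in perms or f"{resource}:all" in perms

    def add_token_gate(self, name, contract, min_balance):
        self.token_gates[name] = (normalize(contract), min_balance)

    def passes_gate(self, name, balances):
        """balances: {contract -> balance}, read from chain state by the caller."""
        contract, minimum = self.token_gates[name]
        held = {normalize(c): b for c, b in balances.items()}
        return held.get(contract, 0) >= minimum


@dataclass
class Session:
    token: str
    address: str
    expires_at: datetime


class SessionManager:
    def __init__(self, ttl=timedelta(minutes=30)):
        self.ttl = ttl
        self.sessions = {}      # token -> Session
        self.audit_log = []     # (event, address, token fingerprint)

    def _log(self, event, s):
        self.audit_log.append((event, s.address, fingerprint(s.token)))

    def create(self, address, now):
        s = Session(secrets.token_urlsafe(32), normalize(address), now + self.ttl)
        self.sessions[s.token] = s
        self._log("created", s)
        return s

    def validate(self, token, now):
        """Live session or None; a stale session is purged when first seen."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if s.expires_at <= now:
            del self.sessions[token]
            self._log("expired", s)
            return None
        return s

    def refresh(self, token, now):
        s = self.validate(token, now)
        if s is not None:
            s.expires_at = now + self.ttl
            self._log("refreshed", s)
        return s

    def revoke(self, token):
        s = self.sessions.pop(token, None)
        if s is not None:
            self._log("revoked", s)
        return s is not None

    def revoke_all(self, address):
        addr = normalize(address)
        tokens = [t for t, s in self.sessions.items() if s.address == addr]
        for t in tokens:
            self.revoke(t)
        return len(tokens)

    def active_count(self, now):
        return sum(1 for s in self.sessions.values() if s.expires_at > now)
```

Token gates here take the balances as an argument: the RBAC layer decides, and the caller is responsible for fetching balances from the chain, which keeps the policy code free of RPC calls and easy to test.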