
Commit 81aaf0e

Feat/emover admin mode (#766)
* feat: working admin dash * fix: admin mode ui * fix: admin mode ui * fix: ghost vault cleanup * fix: empty evault migrations * fix: build
1 parent 63f8fee commit 81aaf0e

22 files changed, +1170 -47 lines changed


docs/docs/Infrastructure/eID-Wallet.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -170,14 +170,16 @@ When a new user first opens the wallet:
170170
```
171171
Wallet → Registry: GET /entropy
172172
Registry → Wallet: JWT entropy token
173-
Wallet → Provisioner: POST /provision (entropy, namespace, publicKey)
174-
Provisioner → Registry: Request key binding certificate
175-
Registry → Provisioner: JWT certificate
173+
Wallet → Provisioner: POST /provision (entropy, namespace, publicKey?)
174+
Provisioner → Registry: Request key binding certificate (if publicKey provided)
175+
Registry → Provisioner: JWT certificate (if publicKey provided)
176176
Provisioner → Wallet: w3id, evaultUri
177177
```
178178

179179
**Note**: The `/provision` endpoint is part of the Provisioner service, not eVault Core. This is the **provisioning protocol** - any vault provider should expose such an endpoint to enable eVault creation.
180180

181+
**Note**: The `publicKey` parameter is optional. User eVaults require it for signature verification and key binding, while keyless eVaults (platforms, groups) can be provisioned without it.
182+
181183
### Platform Authentication
182184

183185
User authenticating their eName to a platform:
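Review bot: The flow at 175+/177+ drops the key binding certificate when `publicKey` is omitted, but nothing in this section says how a keyless eVault is subsequently authenticated or who is allowed to request one. Add a sentence after the new Note at 181+ stating what the Provisioner checks for a keyless request (for instance an eVault type carried in the verification payload) so a reader does not conclude that any caller can create a vault in any namespace simply by leaving the key out.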
@@ -343,14 +345,14 @@ const provisionResponse = await fetch(`${provisionerUrl}/provision`, {
343345
registryEntropy: entropyToken,
344346
namespace: namespace,
345347
verificationId: verificationCode,
346-
publicKey: publicKey
348+
publicKey: publicKey // Optional: omit for keyless eVaults (platforms, groups)
347349
})
348350
});
349351

350352
const { w3id, uri } = await provisionResponse.json();
351353
```
352354

353-
**Note**: The `/provision` endpoint is hosted by the Provisioner service, not eVault Core.
355+
**Note**: The `/provision` endpoint is hosted by the Provisioner service, not eVault Core. The `publicKey` parameter is optional - it's required for user eVaults that need signature verification, but can be omitted for keyless eVaults like platforms or groups.
354356

355357
### Platform Authentication
356358

docs/docs/Infrastructure/eVault-Key-Delegation.md

Lines changed: 27 additions & 6 deletions
@@ -25,7 +25,7 @@ The default key ID is `"default"` and is used for all signing operations.
2525

2626
### Setting Keys During eVault Creation
2727

28-
During the eVault provisioning process (onboarding), the public key can be set directly when creating the eVault. The `/provision` endpoint accepts a `publicKey` parameter:
28+
During the eVault provisioning process (onboarding), the public key can be set directly when creating the eVault. The `/provision` endpoint accepts an optional `publicKey` parameter:
2929

3030
**Provision Request:**
3131
```http
@@ -36,17 +36,21 @@ Content-Type: application/json
3636
"registryEntropy": "<entropy-token>",
3737
"namespace": "<w3id>",
3838
"verificationId": "<verification-code>",
39-
"publicKey": "z3059301306072a8648ce3d020106082a8648ce3d03010703420004..."
39+
"publicKey": "z3059301306072a8648ce3d020106082a8648ce3d03010703420004..." // Optional
4040
}
4141
```
4242

43-
When provisioning an eVault during onboarding, the eID wallet:
43+
**Note**: The `publicKey` parameter is optional. It is required for user eVaults that need key binding for signature verification, but can be omitted for keyless eVaults (such as platform or group eVaults) that don't require cryptographic identity.
44+
45+
When provisioning a user eVault during onboarding, the eID wallet:
4446
1. Generates or retrieves the public key using `getApplicationPublicKey()`
4547
2. Includes the `publicKey` in the provision request
4648
3. The eVault stores the public key and generates a key binding certificate automatically
4749

4850
This eliminates the need for a separate sync step when the eVault is first created.
4951

52+
For platform or group eVaults that don't need key binding, the `publicKey` can be omitted entirely.
53+
5054
### Syncing Public Keys to eVault
5155

5256
The public key syncing is an autonomous process done by the eID Wallet when linking new devices to the same eName.
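Review bot: The `// Optional` comment at 39+ sits inside a JSON body in an `http` fenced block; JSON has no comment syntax, so anyone who copies the request gets a parse error. Drop the inline comment and rely on the Note at 43+, which already says the same thing. The sentence at 52+ restates that Note and can be removed to avoid the duplication.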
@@ -155,7 +159,7 @@ X-ENAME: @user.w3id
155159
### Setting Public Key During eVault Creation
156160

157161
```typescript
158-
// During onboarding - provision eVault with public key
162+
// During onboarding - provision user eVault with public key
159163
const publicKey = await getApplicationPublicKey(); // Get public key from KeyService
160164

161165
const provisionResponse = await axios.post(
@@ -164,11 +168,28 @@ const provisionResponse = await axios.post(
164168
registryEntropy,
165169
namespace: uuidv4(),
166170
verificationId,
167-
publicKey: publicKey, // Public key included in provision request
171+
publicKey: publicKey, // Optional: include for user eVaults, omit for keyless eVaults
172+
}
173+
);
174+
175+
// eVault is created with the public key already stored (if provided)
176+
const { w3id, uri } = provisionResponse.data;
177+
```
178+
179+
For keyless eVaults (platforms, groups), omit the `publicKey` parameter:
180+
181+
```typescript
182+
// Provision a keyless eVault (e.g., for a platform or group)
183+
const provisionResponse = await axios.post(
184+
new URL("/provision", provisionerUrl).toString(),
185+
{
186+
registryEntropy,
187+
namespace: uuidv4(),
188+
verificationId,
189+
// No publicKey - this is a keyless eVault
168190
}
169191
);
170192

171-
// eVault is created with the public key already stored
172193
const { w3id, uri } = provisionResponse.data;
173194
```
174195

docs/docs/W3DS Protocol/Signature-Formats.md

Lines changed: 3 additions & 2 deletions
@@ -328,8 +328,9 @@ The provisioning process creates an eVault tied to your generated public key:
328328
- `registryEntropy`: JWT token from step 1
329329
- `namespace`: Identifier from step 2
330330
- `verificationId`: Verification code (demo code or your verification ID)
331-
- `publicKey`: Multibase-encoded public key from key generation
332-
- Provisioner validates entropy, generates W3ID, creates eVault, stores public key, and requests key binding certificate from Registry
331+
- `publicKey` (optional): Multibase-encoded public key from key generation
332+
- Provisioner validates entropy, generates W3ID, creates eVault, and if publicKey is provided, stores it and requests key binding certificate from Registry
333+
- **Note**: `publicKey` is required for user eVaults that need signature verification, but optional for keyless eVaults (platforms, groups)
333334

334335
4. **Receive Credentials**
335336
- Receive `w3id` (eName) and `uri` (eVault URI) in response
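Review bot: The Note at 333+ says `publicKey` is required for user eVaults, but the bullet at 332+ describes the Provisioner as simply skipping key binding when the field is absent, which is not enforcement. Either the Provisioner rejects a user-eVault request without a key (then say how it knows the request is for a user eVault) or the client is trusted to send it (then say so). Minor: wrap `publicKey` in backticks at 332+ for consistency with the surrounding bullets.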

infrastructure/evault-core/src/core/http/server.ts

Lines changed: 4 additions & 3 deletions
@@ -682,7 +682,6 @@ export async function registerHttpRoutes(
682682
"registryEntropy",
683683
"namespace",
684684
"verificationId",
685-
"publicKey",
686685
],
687686
properties: {
688687
registryEntropy: { type: "string" },
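Review bot: Removing `"publicKey"` from `required` at 685- is the right change, but check that the `properties` entry for `publicKey` still pins `type: "string"` and, ideally, gains `minLength: 1`, so that a present-but-empty or non-string value is rejected at the schema instead of reaching the service and being treated as a keyless request.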
@@ -808,8 +807,10 @@ export async function registerHttpRoutes(
808807
console.log(
809808
`[MIGRATION] No metaEnvelopes found for eName: ${eName}`,
810809
);
811-
return reply.status(400).send({
812-
error: `No metaEnvelopes found for eName: ${eName}`,
810+
return reply.status(200).send({
811+
success: true,
812+
count: 0,
813+
message: "No metaEnvelopes to copy",
813814
});
814815
}
815816

infrastructure/evault-core/src/services/ProvisioningService.ts

Lines changed: 8 additions & 4 deletions
@@ -8,7 +8,7 @@ export interface ProvisionRequest {
88
registryEntropy: string;
99
namespace: string;
1010
verificationId: string;
11-
publicKey: string;
11+
publicKey?: string;
1212
}
1313

1414
export interface ProvisionResponse {
@@ -41,17 +41,21 @@ export class ProvisioningService {
4141
if (
4242
!registryEntropy ||
4343
!namespace ||
44-
!verificationId ||
45-
!publicKey
44+
!verificationId
4645
) {
4746
return {
4847
success: false,
4948
error: "Missing required fields",
5049
message:
51-
"Missing required fields: registryEntropy, namespace, verificationId, publicKey",
50+
"Missing required fields: registryEntropy, namespace, verificationId",
5251
};
5352
}
5453

54+
// Log if keyless provisioning
55+
if (!publicKey) {
56+
console.log(`[PROVISIONING] Keyless eVault provisioning (no publicKey provided)`);
57+
}
58+
5559
// Verify the registry entropy token
5660
let payload: any;
5761
try {
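Review bot: The new branch at 55+ to 57+ only logs that no `publicKey` was supplied; nothing in the validation block decides whether this request is allowed to be keyless, so omitting the field is all a client needs to do to obtain a vault without key binding. Tie keyless provisioning to something the server controls, such as the eVault type carried in the entropy/verification payload that is verified immediately afterwards (59+ onward) or an explicit allow-list, and include `namespace` in the log line so keyless creations are auditable. Note also that `!publicKey` treats `""` as keyless; reject empty strings explicitly if that is not intended.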
