@jstuczyn jstuczyn commented Aug 14, 2025

This PR is part of the 'Upgrade Mode' (NET-341) that should allow usage of the network in a situation where ecash credentials are unissuable, because, for example, we have lost signing quorum (i.e. we have fewer than the required number of threshold signers responding to requests).

It partially implements NET-448, however, this version is more naive. Instead of requesting actual 'emergency credentials' that would have been issued by a subset of ecash signers, the credentials proxy creates a JWT, signed with its key, attesting the upgrade mode has been enabled.

In the current iteration it is expected to work as follows:

  • there exists an external endpoint hosting an attestation.json file that dictates whether the upgrade mode has been enabled. this is expected to be under Nym's control and signed with the corresponding key
  • credential proxy periodically queries this endpoint to check whether the upgrade mode has been enabled
  • if so, a JWT is signed and stored in credential proxy's state
  • now, any subsequent requests for obtaining credential shares will return the JWT instead of the actual shares (since they couldn't have been obtained anyway)

This is as far as the flow goes in this PR. Once fully implemented (via subsequent changes), it will continue as follows:

  • once JWT is obtained by the client, it will stop its internal routine for topping up bandwidth
  • it will then send the JWT alongside the actual published attestation to its target gateway
  • gateways will have their own watchers for the attestation, but in case there's been a desync, they will do an expedited check once they receive attestation from one of their clients.
  • if gateway confirms upgrade mode, it will stop bandwidth metering and keep returning constant base amount of bandwidth for legacy clients (that don't understand upgrade mode), so that they would not attempt to spend any credentials
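
The proxy-side part of the flow described above (attestation watcher, cached JWT, conditional response), written out as a small state machine. This is an added example, not code from this PR or the Nym code base. `Poll`, `Response`, `ProxyState`, the token TTL and the `sign` callback are assumptions; verifying the attestation signature and producing the signed JWT are assumed to happen in the caller.

```rust
use std::time::{Duration, SystemTime};

/// Result of one poll of the attestation endpoint (hypothetical type).
pub enum Poll {
    Verified { enabled: bool }, // fetched, signature checked against the pinned key
    BadSignature,               // fetched, but the signature did not verify
    Unavailable,                // endpoint unreachable or body unparsable
}

/// What the obtain endpoint returns to a client.
#[derive(Debug, PartialEq)]
pub enum Response {
    Shares,                 // normal path: real credential shares
    UpgradeModeJwt(String), // upgrade mode: the cached JWT
}

pub struct ProxyState {
    jwt: Option<(String, SystemTime)>, // cached token and its expiry
    ttl: Duration,
}

impl ProxyState {
    pub fn new(ttl: Duration) -> Self { Self { jwt: None, ttl } }

    /// Watcher step; `sign` stands in for the proxy's JWT signer (assumption).
    pub fn on_poll(&mut self, poll: Poll, now: SystemTime, sign: impl Fn(SystemTime) -> String) {
        match poll {
            Poll::Verified { enabled: true } => {
                // Issue a token only if none is cached or the cached one has expired.
                if self.jwt.as_ref().map_or(true, |(_, exp)| *exp <= now) {
                    let exp = now + self.ttl;
                    self.jwt = Some((sign(exp), exp));
                }
            }
            // A verified "disabled" attestation ends upgrade mode at once.
            Poll::Verified { enabled: false } => self.jwt = None,
            // Unverified input never changes state; a cached token still expires.
            Poll::BadSignature | Poll::Unavailable => {}
        }
    }

    /// Request handler: the JWT while upgrade mode is live, shares otherwise.
    pub fn obtain(&self, now: SystemTime) -> Response {
        match &self.jwt {
            Some((tok, exp)) if *exp > now => Response::UpgradeModeJwt(tok.clone()),
            _ => Response::Shares,
        }
    }
}
```

Treating a bad signature the same as an unreachable endpoint means an unverifiable attestation can neither switch upgrade mode on nor off; the TTL bounds how long a cached token outlives the last verified poll.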

@jstuczyn jstuczyn force-pushed the feature/upgrade-mode-lib branch 2 times, most recently from b13fe0d to 71480d0 August 20, 2025 15:20
@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch from 37b18a8 to 953aaa0 August 20, 2025 15:33
@jstuczyn jstuczyn force-pushed the feature/upgrade-mode-lib branch from 71480d0 to 9e258d9 August 20, 2025 15:57
@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch from 953aaa0 to 44ccae5 August 20, 2025 15:57
@jstuczyn jstuczyn marked this pull request as ready for review August 21, 2025 10:34
@jstuczyn jstuczyn force-pushed the feature/upgrade-mode-lib branch from 9e258d9 to 98b9b99 August 21, 2025 10:36
@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch 4 times, most recently from 99585ec to 55b39c4 August 21, 2025 11:13
@jstuczyn jstuczyn force-pushed the feature/upgrade-mode-lib branch from b576d95 to bc97c9c August 27, 2025 11:53
@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch from 55b39c4 to 5f8be2d August 27, 2025 11:54
Base automatically changed from feature/upgrade-mode-lib to develop September 2, 2025 08:28
@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch from 5f8be2d to df54ef8 September 2, 2025 08:41
jstuczyn added a commit that referenced this pull request Oct 30, 2025
post rebasing fixes

clippy

changed obtain-async endpoint to conditionally return jwt instead of pending zk-nym

watching for the attestation file and issuing jwt
@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch from 17259f6 to 106cba0 October 30, 2025 12:30
@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch from 106cba0 to 8c15a5c October 30, 2025 13:13
@mmsinclair mmsinclair left a comment

  • in the attestation add:
    • trusted JWT issuer pubkeys

@jstuczyn jstuczyn force-pushed the feature/credential-proxy-jwt branch from a0eafc0 to 737b465 November 3, 2025 15:21
jstuczyn added a commit that referenced this pull request Nov 3, 2025
@jstuczyn jstuczyn merged commit d9c2f6e into develop Nov 3, 2025
20 of 21 checks passed
@jstuczyn jstuczyn deleted the feature/credential-proxy-jwt branch November 3, 2025 16:42