refactor(gateway)!: remove legacy v1 device-auth handshake

2026-05-09 07:27:40 +00:00 · 2026-02-22 09:26:49 +01:00
parent ed38b50fa5
commit 8887f41d7d
17 changed files with 404 additions and 210 deletions
--- a/src/gateway/server.talk-config.e2e.test.ts
+++ b/src/gateway/server.talk-config.e2e.test.ts
@@ -1,10 +1,15 @@
 import { describe, expect, it } from "vitest";
-import { connectOk, installGatewayTestHooks, rpcReq } from "./test-helpers.js";
+import {
+  connectOk,
+  installGatewayTestHooks,
+  readConnectChallengeNonce,
+  rpcReq,
+} from "./test-helpers.js";
 import { withServer } from "./test-with-server.js";

 installGatewayTestHooks({ scope: "suite" });

-async function createFreshOperatorDevice(scopes: string[]) {
+async function createFreshOperatorDevice(scopes: string[], nonce: string) {
  const { randomUUID } = await import("node:crypto");
  const { tmpdir } = await import("node:os");
  const { join } = await import("node:path");
@@ -24,6 +29,7 @@ async function createFreshOperatorDevice(scopes: string[]) {
    scopes,
    signedAtMs,
    token: "secret",
+    nonce,
  });

  return {
@@ -31,6 +37,7 @@ async function createFreshOperatorDevice(scopes: string[]) {
    publicKey: publicKeyRawBase64UrlFromPem(identity.publicKeyPem),
    signature: signDevicePayload(identity.privateKeyPem, payload),
    signedAt: signedAtMs,
+    nonce,
  };
 }

@@ -51,10 +58,12 @@ describe("gateway talk.config", () => {
    });

    await withServer(async (ws) => {
+      const nonce = await readConnectChallengeNonce(ws);
+      expect(nonce).toBeTruthy();
      await connectOk(ws, {
        token: "secret",
        scopes: ["operator.read"],
-        device: await createFreshOperatorDevice(["operator.read"]),
+        device: await createFreshOperatorDevice(["operator.read"], String(nonce)),
      });
      const res = await rpcReq<{ config?: { talk?: { apiKey?: string; voiceId?: string } } }>(
        ws,
@@ -76,10 +85,12 @@ describe("gateway talk.config", () => {
    });

    await withServer(async (ws) => {
+      const nonce = await readConnectChallengeNonce(ws);
+      expect(nonce).toBeTruthy();
      await connectOk(ws, {
        token: "secret",
        scopes: ["operator.read"],
-        device: await createFreshOperatorDevice(["operator.read"]),
+        device: await createFreshOperatorDevice(["operator.read"], String(nonce)),
      });
      const res = await rpcReq(ws, "talk.config", { includeSecrets: true });
      expect(res.ok).toBe(false);
@@ -96,14 +107,15 @@ describe("gateway talk.config", () => {
    });

    await withServer(async (ws) => {
+      const nonce = await readConnectChallengeNonce(ws);
+      expect(nonce).toBeTruthy();
      await connectOk(ws, {
        token: "secret",
        scopes: ["operator.read", "operator.write", "operator.talk.secrets"],
-        device: await createFreshOperatorDevice([
-          "operator.read",
-          "operator.write",
-          "operator.talk.secrets",
-        ]),
+        device: await createFreshOperatorDevice(
+          ["operator.read", "operator.write", "operator.talk.secrets"],
+          String(nonce),
+        ),
      });
      const res = await rpcReq<{ config?: { talk?: { apiKey?: string } } }>(ws, "talk.config", {
        includeSecrets: true,