Skip to content

feat: hide auth details from listNetwork and mint self-signed token server-side #1872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mjuchli-da merged 8 commits into from
May 27, 2026
Merged

feat: hide auth details from listNetwork and mint self-signed token server-side #1872

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
84bd68d
feat: hide secret details from listNetwork
mjuchli-da May 22, 2026
1815100
mint self signed access token on server
mjuchli-da May 22, 2026
6efd058
minor adjustments
mjuchli-da May 26, 2026
6884ff0
renaming
mjuchli-da May 26, 2026
a2ed9c8
types
mjuchli-da May 26, 2026
52a36da
fix test
mjuchli-da May 26, 2026
09606a3
Merge branch 'main' into mjuchli/list-networks-restricted
mjuchli-da May 26, 2026
9795887
Merge branch 'main' into mjuchli/list-networks-restricted
mjuchli-da May 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
150 changes: 148 additions & 2 deletions api-specs/openrpc-user-api.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,13 +74,93 @@
"title": "networks",
"type": "array",
"items": {
"$ref": "#/components/schemas/Network"
"$ref": "#/components/schemas/PublicNetwork"
}
}
},
"required": ["networks"]
}
}
},
"description": "Lists configured networks without sensitive authentication details."
},
{
"name": "getNetwork",
"params": [
{
"name": "params",
"schema": {
"title": "GetNetworkParams",
"type": "object",
"additionalProperties": false,
"properties": {
"networkId": {
"title": "networkId",
"type": "string",
"description": "Network ID"
}
},
"required": ["networkId"]
}
}
],
"result": {
"name": "result",
"schema": {
"title": "GetNetworkResult",
"type": "object",
"additionalProperties": false,
"properties": {
"network": {
"$ref": "#/components/schemas/Network"
}
},
"required": ["network"]
}
},
"description": "Returns full network configuration including auth details. Admin only."
},
{
"name": "selfSignedAccessToken",
"params": [
{
"name": "params",
"schema": {
"title": "SelfSignedAccessTokenParams",
"type": "object",
"additionalProperties": false,
"properties": {
"networkId": {
"title": "networkId",
"type": "string",
"description": "Network ID"
},
"clientId": {
"title": "clientId",
"type": "string",
"description": "Client ID used as the JWT subject"
}
},
"required": ["networkId", "clientId"]
}
}
],
"result": {
"name": "result",
"schema": {
"title": "SelfSignedAccessTokenResult",
"type": "object",
"additionalProperties": false,
"properties": {
"accessToken": {
"title": "accessToken",
"type": "string",
"description": "Self-signed JWT access token"
}
},
"required": ["accessToken"]
}
},
"description": "Mints a self-signed access token using server-side network credentials. Used for login on self-signed networks."
},
{
"name": "addIdp",
Expand Down Expand Up @@ -877,6 +957,72 @@
"format": "uuid",
"description": "The internal transaction identifier."
},
"PublicNetwork": {
"title": "PublicNetwork",
"type": "object",
"additionalProperties": false,
"description": "Network metadata exposed by listNetworks without sensitive auth configuration",
"properties": {
"id": {
"title": "networkId",
"type": "string",
"description": "Network ID"
},
"name": {
"title": "name",
"type": "string",
"description": "Name of network"
},
"description": {
"title": "description",
"type": "string",
"description": "Description of network"
},
"synchronizerId": {
"title": "synchronizerId",
"type": "string",
"description": "Synchronizer ID"
},
"identityProviderId": {
"title": "identityProviderId",
"type": "string",
"description": "Identity Provider ID"
},
"ledgerApi": {
"title": "ledgerApi",
"type": "string",
"description": "Ledger api url"
},
"authMethod": {
"title": "authMethod",
"type": "string",
"description": "Authentication method configured for this network"
},
"clientId": {
"title": "clientId",
"type": "string",
"description": "OAuth or self-signed client ID used for user login"
},
"scope": {
"title": "scope",
"type": "string",
"description": "OAuth scope used for user login"
},
"audience": {
"title": "audience",
"type": "string",
"description": "OAuth audience used for user login"
}
},
"required": [
"id",
"name",
"description",
"identityProviderId",
"ledgerApi",
"authMethod"
]
},
"Network": {
"title": "Network",
"type": "object",
Expand Down
1 change: 0 additions & 1 deletion core/wallet-store-inmemory/src/StoreInternal.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -375,7 +375,6 @@ export class StoreInternal implements Store, AuthAware<StoreInternal> {
}

async listIdps(): Promise<Array<Idp>> {
this.assertConnected()
return this.systemStorage.idps
}

Expand Down
19 changes: 9 additions & 10 deletions core/wallet-ui-components/src/components/login-form.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,14 @@ import { css, html, PropertyValues } from 'lit'
import { customElement, property, state } from 'lit/decorators.js'
import './back-link.js'
import { BaseElement } from '../internal/base-element.js'
import { Network, Idp } from '@canton-network/core-wallet-user-rpc-client'
import { PublicNetwork, Idp } from '@canton-network/core-wallet-user-rpc-client'
import { chevronDownIcon } from '../icons'
import cantonLogo from '../../images/logos/canton-logo.png'

/** Emitted when the user clicks the Connect button */
export class LoginConnectEvent extends Event {
constructor(
public selectedNetwork: Network,
public selectedNetwork: PublicNetwork,
public selectedIdp: Idp,
public clientId: string
) {
Expand All @@ -34,15 +34,15 @@ export class LoginBackEvent extends Event {
@customElement('wg-login-form')
export class WgLoginForm extends BaseElement {
/** Available networks to show in the dropdown */
@property({ type: Array }) networks: Network[] = []
@property({ type: Array }) networks: PublicNetwork[] = []

/** Available identity providers */
@property({ type: Array }) idps: Idp[] = []

@property({ type: Boolean }) connecting = false
@property({ type: String }) backHref = '/'

@state() accessor selectedNetwork: Network | null = null
@state() accessor selectedNetwork: PublicNetwork | null = null
@state() accessor selectedIdp: Idp | null = null
@state() accessor message: string | null = null
@state() accessor messageType: 'error' | 'info' | null = null
Expand Down Expand Up @@ -141,7 +141,7 @@ export class WgLoginForm extends BaseElement {

if (changedProperties.has('networks') && !this.selectedNetwork) {
const index = this.networks.findIndex(
(network) => network.auth.method !== 'client_credentials'
(network) => network.authMethod !== 'client_credentials'
)

if (index >= 0) {
Expand Down Expand Up @@ -211,10 +211,10 @@ export class WgLoginForm extends BaseElement {
this.renderRoot.querySelector(
'#client-id'
) as HTMLInputElement | null
)?.value || this.selectedNetwork.auth.clientId
)?.value || this.selectedNetwork.clientId

this.dispatchEvent(
new LoginConnectEvent(this.selectedNetwork, idp, clientId)
new LoginConnectEvent(this.selectedNetwork, idp, clientId || '')
)
}

Expand Down Expand Up @@ -262,7 +262,7 @@ export class WgLoginForm extends BaseElement {
(net, index) =>
html`<option
value=${index}
?disabled=${net.auth.method ===
?disabled=${net.authMethod ===
'client_credentials'}
>
${net.name}
Expand All @@ -283,8 +283,7 @@ export class WgLoginForm extends BaseElement {
id="client-id"
class="client-id-input form-control"
type="text"
.value=${this.selectedNetwork?.auth
.clientId || ''}
.value=${this.selectedNetwork?.clientId || ''}
?disabled=${this.connecting}
/>
`
Expand Down
10 changes: 5 additions & 5 deletions core/wallet-ui-components/src/components/network-card.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,19 @@
import { customElement, property } from 'lit/decorators.js'
import { BaseElement } from '../internal/base-element'
import { css, html } from 'lit'
import { Network } from '@canton-network/core-wallet-store'
import { PublicNetwork } from '@canton-network/core-wallet-user-rpc-client'
import { cardStyles } from '../styles/card'

/** Emitted when the user clicks a network card to review it */
export class NetworkCardReviewEvent extends Event {
constructor(public network: Network) {
constructor(public network: PublicNetwork) {
super('network-review', { bubbles: true, composed: true })
}
}

/** Emitted when the user clicks the "Delete" button on a network card */
export class NetworkCardDeleteEvent extends Event {
constructor(public network: Network) {
constructor(public network: PublicNetwork) {
super('delete', { bubbles: true, composed: true })
}
}
Expand All @@ -30,7 +30,7 @@ export class NetworkCardUpdateEvent extends Event {

@customElement('network-card')
export class NetworkCard extends BaseElement {
@property({ type: Object }) network: Network | null = null
@property({ type: Object }) network: PublicNetwork | null = null
@property({ type: Boolean }) activeSession = false
@property({ type: String }) accessToken = ''
@property({ type: Boolean }) readonly = false
Expand Down Expand Up @@ -184,7 +184,7 @@ export class NetworkCard extends BaseElement {

<div class="meta-row">
<p class="meta-title">Auth</p>
<p class="meta-value">${this.network.auth.method}</p>
<p class="meta-value">${this.network.authMethod}</p>
</div>

${syncId
Expand Down
4 changes: 2 additions & 2 deletions core/wallet-ui-components/src/components/network-table.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

import { Network } from '@canton-network/core-wallet-store'
import { PublicNetwork } from '@canton-network/core-wallet-user-rpc-client'
import { html } from 'lit'
import { customElement, property } from 'lit/decorators.js'

Expand All @@ -10,7 +10,7 @@ import { Session } from '@canton-network/core-wallet-user-rpc-client'

@customElement('network-table')
export class NetworkTable extends BaseElement {
@property({ type: Array }) networks: Network[] = []
@property({ type: Array }) networks: PublicNetwork[] = []
@property({ type: Array }) activeSessions: Session[] = []
@property({ type: Boolean }) readonly = false

Expand Down
11 changes: 7 additions & 4 deletions core/wallet-ui-components/src/components/networks.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,10 @@

import { html, css } from 'lit'
import { customElement, property, state } from 'lit/decorators.js'
import { Network, Session } from '@canton-network/core-wallet-user-rpc-client'
import {
PublicNetwork,
Session,
} from '@canton-network/core-wallet-user-rpc-client'

import { BaseElement } from '../internal/base-element'
import { modalStyles } from '../styles/modal'
Expand All @@ -25,13 +28,13 @@ export class WgNetworks extends BaseElement {
`,
]

@property({ type: Array }) accessor networks: Network[] = []
@property({ type: Array }) accessor networks: PublicNetwork[] = []
@property({ type: Array }) accessor activeSessions: Session[] = []
@property({ type: Boolean }) accessor readonly = false
@state() accessor isModalOpen = false
@state() accessor editingNetwork: Network | null = null
@state() accessor editingNetwork: PublicNetwork | null = null
@state() accessor authType: string =
this.editingNetwork?.auth?.method ?? 'authorization_code'
this.editingNetwork?.authMethod ?? 'authorization_code'

connectedCallback(): void {
super.connectedCallback()
Expand Down
Loading