feat: strengthen device authentication, linking, session security, an…#208

Open
devchant wants to merge 1 commit into codebestia:main from devchant:new_branch

Conversation

@devchant

Contributor

feat: strengthen device authentication, linking, session security, and key-bundle abuse protection

Closes #165
Closes #167
Closes #169
Closes #164

Summary

This PR enhances device management and authentication security by introducing device-bound authentication, secure device linking, session revocation across devices, and abuse protection for key-bundle retrieval.

Implemented Features

#165 - Register First Device During Authentication Verification

  • Extended POST /auth/verify to require a device payload containing:

    {
      deviceId,
      deviceName,
      platform,
      identityPublicKey,
      registrationId?
    }
  • Device registration now occurs immediately after successful signature verification.

  • Implemented idempotent device upsert using (userId, deviceId) to prevent duplicate records.

  • JWTs issued by the endpoint now include both:

    • userId
    • deviceId
  • Added validation for the submitted identity public key.

  • Requests without a device payload now return 400 Bad Request with a clear client upgrade message.

Acceptance Criteria

  • Verification creates or retrieves the device and returns a device-bound JWT.
  • Re-verification from an existing device does not create duplicates.
  • Missing device payload returns 400 with upgrade instructions.
  • Identity public key validation is enforced.

#167 - Secure Device Linking Challenge Flow

  • Added:

    • POST /auth/link-device/challenge
    • POST /auth/link-device/verify
  • Reused the existing SIWS nonce flow with a dedicated "link" authentication mode.

  • Device linking now requires a fresh wallet-signed challenge, preventing unauthorized device provisioning.

  • Successful verification routes through the existing device-registration workflow.

  • Newly linked devices are created without prekeys and bootstrap normally through subsequent key exchange.

Acceptance Criteria

  • Device linking requires a fresh signed challenge.
  • Successful linking registers the device with zero prekeys.
  • Existing conversations become available after standard key-bundle exchange.

#169 - Device Session Revocation ("Log Out Everywhere")

  • Added POST /devices/revoke-all-except-current.

  • Endpoint revokes every one of the authenticated user's devices except the currently active one.

  • Revocation workflow includes:

    • Device session invalidation.
    • Cascading one-time prekey deletion.
    • Active socket disconnection for revoked devices.
  • Endpoint returns the total number of revoked devices.

Acceptance Criteria

  • All other devices are revoked while preserving the current device.
  • Revoked device sockets are disconnected and prekeys removed.
  • Response includes the number of revoked devices.

#164 - Key-Bundle Rate Limiting and Abuse Protection

  • Added layered rate limiting to GET /key-bundle using express-rate-limit.

  • Implemented:

    • Per-caller request limits.
    • Per-target device consumption limits.
  • Added monitoring for abnormal one-time prekey consumption velocity to detect exhaustion attacks.

  • Excessive bundle requests now return 429 Too Many Requests.

  • Consumption metrics and anomaly events are emitted for observability and alerting.

Acceptance Criteria

  • Excessive requests from a single caller return 429.
  • Per-target consumption metrics are emitted and logged.
  • Legitimate first-contact scenarios continue to function within normal thresholds.

Security Improvements

  • Enforced device-bound authentication tokens.
  • Prevented silent device provisioning using stolen JWTs.
  • Added protections against one-time prekey exhaustion attacks.
  • Improved account-wide session revocation capabilities.

Testing

Added comprehensive test coverage for:

  • Device registration during authentication.
  • Device re-verification idempotency.
  • Missing device payload validation.
  • Device-link challenge and verification flow.
  • Cross-device revocation behavior.
  • Socket disconnection and prekey cleanup.
  • Rate limiting behavior and abuse detection.
  • Key-bundle consumption monitoring.

Breaking Changes

  • POST /auth/verify now requires a device payload.
  • Older clients must upgrade to support device registration during authentication.

All tests pass successfully.
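Modelling the layered key-bundle guard from the #164 section above, as an added example in plain JavaScript rather than code from this PR or the codebestia project; the `KeyBundleGuard` class, its `request` method, and all thresholds are assumptions, and express-rate-limit is replaced by an in-memory sliding window so the snippet runs stand-alone:

```javascript
// Added example (not code from PR #208): an in-memory model of the layered
// key-bundle guard the PR describes. Class name, method names and every
// threshold below are assumptions chosen for illustration.
const PER_CALLER_LIMIT = 5;        // bundle requests per caller per window
const PER_TARGET_LIMIT = 10;       // bundle requests per target device per window
const WINDOW_MS = 60_000;
const VELOCITY_ALERT = 8;          // one-time prekeys consumed from one target ...
const VELOCITY_WINDOW_MS = 10_000; // ... within this many ms raises an anomaly

class KeyBundleGuard {
  constructor() {
    this.events = [];    // successful bundle fetches: { t, caller, target }
    this.anomalies = []; // emitted anomaly events, for logging / alerting
  }

  // Count recorded fetches within windowMs of `now` that satisfy pred.
  countWhere(pred, now, windowMs) {
    return this.events.filter((e) => now - e.t < windowMs && pred(e)).length;
  }

  // Decide whether callerId may fetch targetDeviceId's key bundle at time now.
  // Returns { status: 429, reason } when a limit is hit, { status: 200, velocity }
  // otherwise; each successful fetch consumes one one-time prekey of the target.
  request(callerId, targetDeviceId, now = Date.now()) {
    this.events = this.events.filter((e) => now - e.t < WINDOW_MS); // prune old
    if (this.countWhere((e) => e.caller === callerId, now, WINDOW_MS) >= PER_CALLER_LIMIT) {
      return { status: 429, reason: 'per-caller limit' };
    }
    if (this.countWhere((e) => e.target === targetDeviceId, now, WINDOW_MS) >= PER_TARGET_LIMIT) {
      return { status: 429, reason: 'per-target limit' };
    }
    this.events.push({ t: now, caller: callerId, target: targetDeviceId });
    // Velocity monitoring: many distinct callers draining one device's prekeys
    // each stay under the per-caller limit, so watch the target's consumption rate.
    const velocity = this.countWhere((e) => e.target === targetDeviceId, now, VELOCITY_WINDOW_MS);
    if (velocity >= VELOCITY_ALERT) {
      this.anomalies.push({ t: now, target: targetDeviceId, velocity });
    }
    return { status: 200, velocity };
  }
}
```

A normal first contact (a handful of fetches per caller) passes every check, while a burst spread over several callers still trips the per-target limit and the velocity anomaly.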

@drips-wave

drips-wave Bot commented Jun 25, 2026


@devchant Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits
