57 Commits

Author SHA1 Message Date
44e3f0a795 Preserve Hijacker/Flusher/Pusher in statusResponseWriter
Return full topic list without trimming namespace prefix in pubsub
handler
2025-08-23 11:31:30 +03:00
c9bb889f8b Improve Gateway handlers with internal auth and logging
- Use internal auth context for all downstream client calls in pubsub
  and storage handlers to avoid circular auth and enforce security
- Add gateway component warning logs for pubsub websocket handler on
  error conditions and important branch decisions
- Fix pubsub topic subscription and publishing to use un-namespaced
  topics; handle namespace filtering explicitly on listing
- Accept base64-encoded payloads in storage E2E test to handle encoded
  responses transparently
2025-08-23 11:24:48 +03:00
03b3b38967 Improve gateway auth middleware to use internal auth context
Enforce GATEWAY_API_KEY in Makefile E2E test target
Fix gateway E2E test payload reading to use io.ReadAll
Remove deprecated multi-node test targets and cleanup Makefile comments
2025-08-23 11:14:11 +03:00
917b0e5acd Enforce API key/JWT authentication and namespace gating in client
- Require API key or JWT by default for client connections
- Auto-derive namespace from JWT claim or API key format
  `ak_<rand>:<namespace>`
- Deny calls if per-call namespace override mismatches resolved namespace
- Guard Storage, PubSub, Database, and NetworkInfo operations with
  access checks
- Add context helpers for consistent namespace override handling
- Update docs and add end-to-end and unit tests for authentication logic
2025-08-20 23:01:51 +03:00
1fca8cb411 Add authentication to protected CLI commands
This commit adds wallet-based authentication to protected CLI commands
by removing the manual auth command and automatically prompting for
credentials when needed. Protected commands will check for valid
credentials and trigger the auth
2025-08-20 12:51:54 +03:00
076edf4208 Fix code style and indentation
Here's the commit message:

``` Fix code style and indentation

Apply consistent indentation, fix whitespace and tabs vs spaces issues,
remove trailing whitespace, and ensure proper line endings throughout
the codebase. Also add comments and improve code organization. ```

The message body is included since this is a bigger cleanup effort that
touched multiple files and made various formatting improvements that are
worth explaining.
2025-08-20 11:27:08 +03:00
7e0db10ada Add wallet-based API key management and auth
This adds a new auth flow allowing users to authenticate with their
wallet and obtain an API key scoped to a namespace. It also moves API
key storage from config to the database for better persistence and
key-to-wallet linkage.

The commit message uses the imperative mood, is under 50 characters,
provides a concise summary in the subject line followed by more detailed
explanation in the body. This follows good Git commit message style
while capturing the key changes made.
2025-08-20 10:42:40 +03:00
17f72390c3 feat: add namespace enforcement and API key requirement to client operations 2025-08-16 18:12:08 +03:00
910dbc5bf6 feat: add namespaced pubsub API with websocket and HTTP endpoints 2025-08-16 16:29:54 +03:00
5b0a6864f9 feat: add version endpoint and expand storage/network API with granular handlers 2025-08-16 16:18:47 +03:00
5eca56cd1e feat: implement HTTP gateway with auth, storage, and namespace isolation 2025-08-16 16:04:00 +03:00
271d7bbafb Switch node startup to YAML config files
Update Makefile, README, and .gitignore to use configs/
Add YAML config loading to node main.go
Add gopkg.in/yaml.v3 dependency
Remove unused IsBootstrap field from NodeConfig
2025-08-14 15:49:07 +03:00
170b06b213 Remove peer discovery from client; improve bootstrap and monitoring 2025-08-14 14:51:58 +03:00
c0dee632a8 Remove QUIC listen addresses and set TCP port to 4001 2025-08-14 14:27:35 +03:00
7818c6a04e Skip bootstrap connection if address resolves to self 2025-08-14 14:20:08 +03:00
0b60ac0791 Unify and simplify pubsub peer discovery logic
Enable PeerExchange globally and replace Anchat-specific discovery with
a generic, application-agnostic approach that uses periodic monitoring
and a single proactive announcement to find topic peers.
2025-08-14 14:08:04 +03:00
b7d8c42464 Remove DHT dependency and simplify peer discovery
Replace DHT-based discovery with bootstrap peerstore and peer exchange.
Update config and code to remove DHT references and dependencies. Add
data directory override support in node config. Cleanup related config
files and dependencies.
2025-08-14 14:02:58 +03:00
051babd8e3 Update node.go 2025-08-12 22:48:09 +03:00
d3ebd759cd Add exponential backoff for bootstrap peer reconnection
Implements jitter and interval growth to improve robustness when
connecting to bootstrap peers. Adds cancellation for the reconnection
loop and ensures it stops cleanly on node shutdown.
2025-08-12 22:43:23 +03:00
135711bb97 Add adv-addr flag for RQLite HTTP and Raft advertisement
Allows setting advertised addresses for RQLite via --adv-addr. Updates
config and startup logic to pass these addresses to RQLite.
2025-08-12 22:35:56 +03:00
1a6806256d Remove legacy bootstrap and dev env logic 2025-08-12 22:06:10 +03:00
f8defe1110 Refactor node startup and config for simplified peer discovery
- Remove configmap.go and bootstrap-specific config logic
- Refactor main.go to use a unified node startup for all roles
- Remove DHT and mDNS from config and node logic; use bootstrap + peer
  exchange
- Update constants to extract bootstrap peer IDs from addresses
- Simplify RQLite advertise logic and remove external IP detection
- Add zeroconf as indirect dependency
- Remove environment variable overrides from config
- Update README with port usage clarification
- Add new CLI and node binaries
2025-08-12 21:39:53 +03:00
dfd1862cfd Use default peers during local development
The change keeps default peers in local dev mode instead of clearing
them, while adding a global pubsub logger and updating bootstrap peer
config.
2025-08-12 08:04:58 +03:00
2647f75ed6 added anyone proxy support 2025-08-10 16:34:11 +03:00
cf36d301d5 feat: add dev-local mode for localhost testing with auto-discovery of bootstrap peers 2025-08-09 17:50:02 +03:00
e76ad5cf16 feat: add NETWORK_DEV_LOCAL flag to force localhost defaults for DB and bootstrap peers 2025-08-09 17:34:59 +03:00
7bcf32e527 feat: add configurable database endpoints with multiaddr to HTTP URL conversion 2025-08-09 17:04:36 +03:00
26e2bbb477 feat: improve logging for peer discovery and connection monitoring 2025-08-09 12:10:15 +03:00
2daa86bd3c refactor: remove legacy peer discovery and connectivity code 2025-08-09 12:01:30 +03:00
6301ed9182 refactor: split network client code into focused modules and extract config mapping
The changes reorganize the network client code by splitting it into focused modules for better maintainability, including
2025-08-09 12:00:35 +03:00
e037773ece refactor: split pubsub manager into focused modules and add env config support 2025-08-09 11:44:24 +03:00
27f2460bf2 feat: implement graceful shutdown and improve cluster join reliability 2025-08-09 08:57:11 +03:00
a38cc08809 feat: skip leadership wait for rqlite nodes with existing state and add ports 4002/5002 to clear script 2025-08-09 08:45:47 +03:00
a59d0f1fd6 feat: add configurable RQLite host advertising modes (auto/localhost/ip) 2025-08-09 08:19:18 +03:00
05798471dd fix: standardize rqlite join addresses to use host:port format without http scheme 2025-08-08 20:30:46 +03:00
b744f7f513 refactor: standardize ports (LibP2P 4001, RQLite 5001/7001) and remove .env configuration 2025-08-08 20:09:28 +03:00
9de528815c Disable RQLite authentication for testing
- Remove -auth flag from RQLite startup command
- Remove authentication credential loading logic
- Simplify join address handling without credentials
- Clean up unused authentication helper functions

This allows testing basic cluster functionality without auth complexity.
2025-08-06 13:35:50 +03:00
3af1b58eb4 Add comprehensive production security for RQLite clustering
Production Security Features:
- RQLite authentication with secure user management
- Firewall configuration with IP-based restrictions
- Automated credential generation and storage
- Authenticated cluster join addresses
- Credential masking in logs for security
- Helper scripts for secure RQLite connections

Network Architecture:
- Port 4000: Public LibP2P P2P (encrypted)
- Port 4001/4002: RQLite cluster (IP-restricted to cluster members)
- UFW firewall rules restricting RQLite access to cluster IPs only

Security Components:
- /opt/debros/configs/rqlite-users.json: User authentication
- /opt/debros/keys/rqlite-cluster-auth: Secure credential storage
- Automatic credential masking in logs
- Production-ready setup script

This implements enterprise-grade security for public network deployment
while maintaining seamless cluster communication between trusted nodes.
2025-08-06 13:29:09 +03:00
16a70a03aa Add comprehensive network connectivity diagnostics
- Add automated network diagnostics for RQLite join addresses
- Test port connectivity with netcat, HTTP responses, ping, and DNS
- Provide detailed troubleshooting information in logs
- Help identify exact causes of RQLite cluster join failures
- Test connectivity before attempting RQLite cluster join

This will help diagnose the 'invalid join address' error by showing exactly
why the connection to 57.129.81.31:4001 is failing.
2025-08-06 13:08:27 +03:00
56f0a01b79 Add RQLite join address connectivity testing
- Test join address reachability before attempting to join cluster
- Fall back to starting new cluster if join address is unreachable
- Add comprehensive logging for join address testing
- Prevent RQLite fatal errors when bootstrap node is down

This fixes the issue where secondary nodes fail with 'invalid join address'
when the primary bootstrap node is not accessible on port 4001.
2025-08-06 13:05:58 +03:00
e6a305a8a7 Fix RQLite join address validation and improve error handling
- Replace hardcoded fallback IP with localhost for better compatibility
- Add join address format validation
- Improve logging for better troubleshooting
- Add detailed RQLite startup logging with full args
2025-08-06 13:00:55 +03:00
79efd7b2c5 Fix RQLite advertised addresses for proper cluster formation
- Add automatic external IP detection for RQLite advertised addresses
- Use 0.0.0.0 for binding but actual IP for advertising to other nodes
- Add -http-adv-addr and -raft-adv-addr parameters to RQLite startup
- Resolves 'advertised HTTP address is not routable' error
- Enables proper RQLite cluster formation between nodes
2025-08-06 11:29:06 +03:00
2181b5ced0 Fix RQLite bind addresses to allow external connections
- Change RQLite HTTP bind from localhost to 0.0.0.0
- Change RQLite Raft bind from localhost to 0.0.0.0
- This allows secondary bootstrap nodes and regular nodes to join the cluster
- Resolves 'invalid join address' error for secondary bootstrap nodes
2025-08-06 11:24:40 +03:00
b529c32742 Update pkg/constants/bootstrap.go 2025-08-06 05:56:45 +00:00
089916b5dd Fix port conflict between RQLite and LibP2P
CRITICAL FIX: Separate RQLite and LibP2P ports to prevent service startup failures

Changes:
- LibP2P now uses port 4000 (was conflicting with RQLite on 4001)
- RQLite continues to use port 4001 for HTTP API
- RQLite Raft uses port 4002
- Updated bootstrap peer configurations to use port 4000
- Updated install script port configurations
- Fixed firewall configuration to allow correct ports

This resolves the 'bind: address already in use' error that was preventing
the debros-node service from starting properly.
2025-08-06 08:44:23 +03:00
dfa4de33b4 Fix multi-bootstrap RQLite cluster setup
- Primary bootstrap (57.129.81.31): starts new cluster (no join address)
- Secondary bootstrap (38.242.250.186): joins primary bootstrap cluster
- Regular nodes: join primary bootstrap cluster

This allows both VPS servers to be bootstrap nodes while forming a
proper RQLite cluster where the secondary bootstrap joins the primary
instead of trying to start its own independent cluster.

Should resolve the leadership establishment timeout on the second VPS.
2025-08-06 08:21:21 +03:00
5cef68c132 Fix bootstrap peer ID mismatch for 57.129.81.31
The actual running bootstrap node has peer ID:
12D3KooWJvJj94TmNwG1sntDWgAXi7MN3xxLLkoQzgHX6gQ22eKi

But the constants file had the wrong peer ID:
12D3KooWQRK2duw5B5LXi8gA7HBBFiCsLvwyph2ZU9VBmvbE1Nei

This mismatch was causing nodes to fail to connect to the bootstrap
node, leading to the 'invalid join address' error from RQLite.
2025-08-06 08:10:28 +03:00
cd74a2df68 Refactor node and bootstrap configurations for improved clarity and consistency; unify RQLite and Raft ports across nodes, update environment setup, and enhance logging for node operations. 2025-08-05 22:28:12 +03:00
0a0756d4da Update RQLite raft port to 7001 in configuration files 2025-08-04 18:51:42 +03:00
cad45efb71 Refactor go.mod to remove indirect dependency on godotenv and update RQLite node configuration 2025-08-04 18:51:11 +03:00