Skip to content

Replace JWT method with RS256#24

Merged
markmnl merged 1 commit into
mainfrom
RS256
Jun 11, 2026
Merged

Replace JWT method with RS256#24
markmnl merged 1 commit into
mainfrom
RS256

Conversation

@markmnl

@markmnl markmnl commented Jun 11, 2026

Copy link
Copy Markdown
Owner

No description provided.

@markmnl markmnl merged commit 73b7a76 into main Jun 11, 2026
1 check passed
@markmnl markmnl deleted the RS256 branch June 11, 2026 08:39
markmnl added a commit that referenced this pull request Jul 8, 2026
…30)

* Fix JWT verification to EdDSA and add sub-account message visibility

The RS256 rework in #24 assumed a switch to an RSA-based IdP that never
happened; idp.fmsg.io signs EdDSA (Ed25519) tokens with the address in
`sub` and no `aud` claim, so HEAD would reject every real login. Restore
EdDSA verification and make audience optional to match reality.

Also implement the visibility model the sub-account feature was built
for: an owner sees their own messages plus their derived sub-accounts',
while a sub-account (via its own API-key token or the owner's
X-FMSG-Act-As) still sees only itself. Write paths are unchanged.

Co-Authored-By: Claude Sonnet 5 <[email protected]>

* only one account at a time

---------

Co-authored-by: Claude Sonnet 5 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant