- New URL scheme for event organizers: `/open?name=$name&host=$host&reason=$reason&timestamp=$epoch&startTime=$epochStartTime&duration=$minutes&sig=$signature`
- Cryptographic signature verification using Ethereum message signing (EIP-191)
- Public key whitelist system (`authorized_keys.json`)
- Time-based access control with start time and duration
- Request freshness validation (5-minute window to prevent replay attacks)
- Tamper protection via signature verification
- New `door_access.log` file recording all door access
- JSON line-delimited format for easy parsing
- Records all access methods: discord, citizenwallet, token, signature, shortcut
- Includes timestamp, name, method, and method-specific metadata
- Tamper-evident audit trail
- Comprehensive test suite (`server/test/signature-auth.test.js`)
- Tests valid access, future events, expired events, tampered signatures
- Prints Discord message preview for each test
- Interactive URL generator (`scripts/generate-access-url.js`)
- Reusable utility library (`scripts/signature-utils.js`)
  - `generateSignedURL()` - Core signing function
  - `generateImmediateAccess()` - Quick access starting now
  - `generateScheduledAccess()` - Future event access
  - `generateTimeRangeAccess()` - Specify start and end times
- Example scripts (`examples/event-access-example.js`) with 6 real-world scenarios
- Script to automatically send door access emails to Luma event attendees
- Integration with Luma API to fetch events and approved guests
- Integration with Resend API for email delivery
- Personalized door access URLs for each attendee
- Dry run mode for testing without sending emails
- Customizable markdown email template
- Cron job support for daily automation
- Comprehensive error handling and logging
- `SIGNATURE_AUTH.md` - Complete feature documentation
- `IMPLEMENTATION_SUMMARY.md` - Technical implementation details
- `QUICK_START.md` - Quick reference guide
- `LOG_FILE_FORMAT.md` - Log file format and usage
- `SECRET_BYPASS.md` - SECRET bypass feature guide
- `EVENT_EMAIL_SENDER.md` - Event email sender documentation
- `QUICK_START_EMAIL.md` - Quick start for email sender
- `CHANGELOG.md` - This file
- Signature-based access: `🚪 {name} opened the door for "{reason}" hosted by {host}`
- More consistent format across all access methods
- Added `verifyEventOrganizerSignature()` function in `server/index.js:533-585`
- Added `logDoorAccess()` function in `server/index.js:61-77`
- Updated GET `/open` endpoint to handle signature-based access first
- Added logging to all access methods (discord, citizenwallet, token, signature, shortcut)
- Cryptographic signatures prevent unauthorized access
- Time-based validation prevents early/late access
- Request freshness check prevents replay attacks
- Tamper protection via signature verification
- Public key whitelist for authorization control
- All access logged to append-only file
- Includes who accessed, when, and how
- Supports compliance requirements (GDPR, SOC 2, ISO 27001)
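
The checks listed above (signature, whitelist, freshness, event window) in one possible order, as an added example that is not the project's own `verifyEventOrganizerSignature()`. The canonical message layout, epoch values in seconds, and the `checkAccess()` / `recoverSigner` names are assumptions; in the server, `recoverSigner` would be `verifyMessage` from ethers.

```javascript
// Added example: policy checks for an EIP-191 signed door-access URL.
// Assumptions, not taken from the project: the canonical message layout,
// epoch values in seconds, and the injected recoverSigner callback. In a
// Node server it would be ethers' verifyMessage(message, signature).
const FRESHNESS_SECONDS = 5 * 60; // 5-minute request freshness window
const SIGNED_FIELDS = ['name', 'host', 'reason', 'timestamp', 'startTime', 'duration'];

// Hypothetical canonical form: a JSON array in fixed field order, so a value
// containing "&" or "=" cannot be confused with a field boundary.
function canonicalMessage(p) {
  return JSON.stringify(SIGNED_FIELDS.map((k) => p[k]));
}

const deny = (error) => ({ ok: false, error });

function checkAccess(url, authorizedKeys, recoverSigner, nowSeconds) {
  const query = new URL(url, 'http://door.invalid').searchParams;
  const p = {};
  for (const k of [...SIGNED_FIELDS, 'sig']) {
    if (query.getAll(k).length !== 1) return deny(`missing or repeated ${k}`);
    p[k] = query.get(k);
  }
  // Strict decimal integers only: rejects "1e9", "0x10", signs and blanks.
  const n = {};
  for (const k of ['timestamp', 'startTime', 'duration']) {
    if (!/^\d{1,12}$/.test(p[k])) return deny(`bad ${k}`);
    n[k] = Number(p[k]);
  }
  // 1. Authenticate: a tampered field makes recovery yield a different
  //    address, which the whitelist lookup then rejects.
  let signer;
  try {
    signer = recoverSigner(canonicalMessage(p), p.sig);
  } catch {
    return deny('bad signature');
  }
  const allowed = new Set(authorizedKeys.map((a) => a.toLowerCase()));
  if (typeof signer !== 'string' || !allowed.has(signer.toLowerCase())) {
    return deny('signer not authorized');
  }
  // 2. Freshness: the signed timestamp must be within 5 minutes of now.
  if (Math.abs(nowSeconds - n.timestamp) > FRESHNESS_SECONDS) return deny('stale request');
  // 3. Event window: [startTime, startTime + duration minutes).
  if (nowSeconds < n.startTime) return deny('event not started');
  if (nowSeconds >= n.startTime + n.duration * 60) return deny('event ended');
  return { ok: true, signer, name: p.name };
}
```

The time checks run only after the signer is authenticated, so `timestamp`, `startTime` and `duration` are never acted on as unsigned input.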
✅ Fully backward compatible with existing authentication methods:
- Discord bot `open` command
- Citizen Wallet integration
- Token-based access (`/open?token=...`)
- User shortcuts (POST `/open`)
No breaking changes to existing functionality.
- `authorized_keys.json` - Public key whitelist
- `server/test/signature-auth.test.js` - Test suite
- `server/test/README.md` - Testing guide
- `scripts/generate-access-url.js` - Interactive URL generator
- `scripts/signature-utils.js` - Utility library
- `examples/event-access-example.js` - Usage examples
- `SIGNATURE_AUTH.md` - Feature documentation
- `IMPLEMENTATION_SUMMARY.md` - Technical details
- `QUICK_START.md` - Quick reference
- `LOG_FILE_FORMAT.md` - Log format guide
- `CHANGELOG.md` - This changelog
- `door_access.log` - Access log (created on first access, gitignored)
- Added import for `verifyMessage` from ethers
- Added import for `fs` module
- Added `authorizedKeys` configuration loading
- Added `LOG_FILE` constant and `logDoorAccess()` function
- Added `verifyEventOrganizerSignature()` function
- Updated GET `/open` endpoint to handle signature-based access
- Added logging to all access methods
- Added `test` script: `node test/signature-auth.test.js`
No new dependencies added. Uses existing:
- `ethers` - For signature verification
- `fs` - Built-in Node.js module for file operations
- Review and update `authorized_keys.json`
  - Replace example keys with real authorized organizers
  - Generate secure private keys for organizers
  - Store private keys securely (environment variables, key vault)
- Test the new functionality

  ```bash
  cd server
  npm test
  ```
- Monitor the log file

  ```bash
  tail -f door_access.log | jq
  ```
- Set up log rotation (optional)
  - Configure logrotate for `door_access.log`
  - Set retention policy based on compliance requirements
- Get your public key added
  - Generate a wallet:

    ```bash
    node -e "import('ethers').then(({Wallet}) => { const w = Wallet.createRandom(); console.log('Private Key:', w.privateKey); console.log('Public Address:', w.address); })"
    ```
  - Share public address with administrator
  - Store private key securely
- Generate access URLs

  ```bash
  node scripts/generate-access-url.js
  ```
- Share URLs with attendees
  - Via email, SMS, QR code, or event platform
See QUICK_START.md for integration examples.
None at this time.
Potential improvements for future releases:
- Single-use signatures - Add nonce to prevent URL reuse
- IP whitelisting - Restrict to specific IP ranges
- Revocation list - Ability to invalidate specific signatures
- Analytics dashboard - Web UI for access analytics
- QR code generation - Built-in QR code service
- URL shortening - Integrate with URL shortener
- Multi-signature - Require multiple organizers for approval
- Role-based access - Different durations based on role
- Web UI for URL generation - Browser-based generator
- Slack/Teams integration - Post notifications to other platforms
For questions or issues:
- Review documentation: `SIGNATURE_AUTH.md`, `QUICK_START.md`
- Check test suite: `npm test`
- View examples: `node examples/event-access-example.js`
- Contact system administrator
Same as parent project.