
Update Configuration and Authentication Protocol #9

Merged
PearlAegis merged 24 commits into main from feature/AddSecretApiKeyAuthentication
Sep 16, 2025

Owner

@PearlAegis PearlAegis commented Sep 1, 2025

Summary

This PR implements a complete migration from legacy HMAC-SHA256 authentication to modern JWT Bearer token authentication using ECDSA ES256 signatures, aligning with Coinbase's Cloud API authentication standards.

Key Changes

  • New Authentication Method: Implements SecretApiKeyAuthenticator using JWT Bearer tokens with ES256 signatures
  • Unified Configuration: Consolidates ApiClientConfig and WebsocketClientConfig into single CoinbaseClientConfig
  • Dependency Injection: Adds native IOptions<T> support with AddCoinbaseAdvancedTradeClient() extension method
  • Enhanced Security: JWT tokens with 2-minute expiration and nonce-based replay protection
  • Updated Dependencies: Added BouncyCastle.Cryptography for EC P-256 cryptographic operations

Breaking Changes

⚠️ This is a breaking change requiring migration:

  • Configuration properties renamed: ApiKey/ApiSecret → KeyName/KeySecret
  • Requires new Coinbase Cloud API keys (EC P-256 private keys in PEM format)
  • Constructor parameters now use IOptions<CoinbaseClientConfig>
  • Removed legacy ApiKeyAuthenticator and CB-ACCESS-* header authentication

Test Plan

  • All existing unit tests updated and passing
  • New authentication tests with generated EC key pairs
  • Comprehensive error handling for invalid key formats
  • JWT token generation and signature validation
  • Configuration validation and DI registration

🤖 Generated with Claude Code
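
A structural check for the token properties the summary above lists (ES256, 2-minute expiration, a nonce), given as an added example that is not code from this pull request or the library. It assumes the standard `nbf`/`iat`/`exp` claims and a `nonce` field in either the header or the payload; it does not verify the signature cryptographically, and the sample tokens are constructed with filler signature bytes.

```python
import base64
import json

MAX_LIFETIME_S = 120  # the PR states a 2-minute token expiration


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(header, payload, sig_len):
    """Build a constructed, unsigned sample token (signature is filler bytes)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(payload).encode()),
                     enc(b"\x00" * sig_len)])


def check_token_shape(token):
    """Return a list of policy violations; an empty list means the shape is OK."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a 3-part JWT"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return ["undecodable segment"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if header.get("alg") != "ES256":
        problems.append("alg is %r, expected 'ES256'" % header.get("alg"))
    # JWS ES256 signatures are the raw 64-byte R||S form (RFC 7518), not DER.
    if len(signature) != 64:
        problems.append("signature is %d bytes, expected 64" % len(signature))
    # Assumption: the nonce may sit in the header or the payload.
    if not (header.get("nonce") or payload.get("nonce")):
        problems.append("no nonce")
    start, exp = payload.get("nbf", payload.get("iat")), payload.get("exp")
    if not isinstance(start, int) or not isinstance(exp, int):
        problems.append("missing nbf/iat or exp")
    elif not 0 < exp - start <= MAX_LIFETIME_S:
        problems.append("lifetime is %d s, limit is %d" % (exp - start, MAX_LIFETIME_S))
    return problems


# Constructed sample tokens: one matching the stated policy, one violating it.
GOOD = make_token({"alg": "ES256", "typ": "JWT", "nonce": "c0ffee"},
                  {"nbf": 1000, "exp": 1120}, 64)
BAD = make_token({"alg": "EdDSA", "typ": "JWT"}, {"nbf": 1000, "exp": 1600}, 71)
```

Run against a token captured from a test, a check like this flags a wrong `alg`, a DER-encoded signature, or an over-long lifetime before the request reaches the server.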

PearlAegis and others added 21 commits August 31, 2025 18:58
- Add BouncyCastle.Cryptography v2.6.2 package reference
- Required for SecretApiKey authentication using Ed25519 signatures

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add RequestMethodRequired, RequestHostRequired, RequestPathRequired messages
- Add InvalidBase64KeyFormat and InvalidEd25519KeyLength error messages
- Update ErrorMessages.Designer.cs with new resource properties

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add SecretApiKeyConfig for REST API authentication configuration
- Add SecretApiKeyWebSocketConfig for WebSocket authentication configuration
- Both models include KeyName, KeySecret, and default endpoint URLs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add SecretApiKeyAuthenticator class with GenerateBearerJWT method
- Implements Coinbase's new authentication using Ed25519 digital signatures
- Validates Ed25519 key format (64 bytes: 32-byte seed + 32-byte public key)
- Generates JWT with proper header, payload, and Ed25519 signature
- Includes comprehensive input validation with descriptive error messages
- Uses BouncyCastle for cryptographic operations

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add TestConfigHelper with Ed25519 test key generation
- Include factory methods for creating test API and WebSocket configs
- Generate valid 64-byte Ed25519 keys with deterministic test patterns

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add SecretApiKeyAuthenticatorTests with JWT generation validation
- Test valid parameter scenarios and JWT format verification
- Test error handling for invalid key formats
- Verify proper 3-part JWT structure (header.payload.signature)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add Authorization header constant to RequestHeaders class
- Required for new SecretApiKey JWT-based authentication

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add BearerTokenFormat resource with value "Bearer {0}"
- Update ErrorMessages.Designer.cs with new resource property
- Enables localization and centralized management of Bearer token format

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Update CoinbaseAdvancedTradeApiClient to use JWT Bearer authentication
- Update CoinbaseAdvancedTradeWebSocketClient to use JWT signatures
- Replace HMAC-SHA256 signatures with Ed25519 JWT tokens
- Use Authorization header with Bearer token format from string resources
- Remove deprecated ApiKeyAuthenticator.cs
- Switch from ApiClientConfig/WebSocketClientConfig to SecretApiKey variants

BREAKING CHANGE: Authentication method changed from HMAC to Ed25519 JWT

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add [Obsolete] attributes to ApiClientConfig and WebSocketClientConfig
- Provide clear migration guidance to SecretApiKey variants
- Maintain backward compatibility while encouraging migration

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Update all test files to use SecretApiKeyConfig instead of ApiClientConfig
- Update WebSocket tests to use SecretApiKeyWebSocketConfig
- Switch from ApiKey/ApiSecret to KeyName/KeySecret property names
- Use TestConfigHelper.GenerateTestKeySecret() for proper Ed25519 key generation
- All 144 tests continue to pass with new authentication system

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@PearlAegis PearlAegis changed the title from "Add SecretApiKey Ed25519 JWT Authentication" to "Update Authentication and Configuration" Sep 9, 2025
@PearlAegis PearlAegis changed the title from "Update Authentication and Configuration" to "feat: Add Secret API Key JWT Authentication with ES256 signatures" Sep 9, 2025
@PearlAegis PearlAegis changed the title from "feat: Add Secret API Key JWT Authentication with ES256 signatures" to "Update Configuration and Authentication Protocol" Sep 9, 2025
@PearlAegis PearlAegis marked this pull request as ready for review September 9, 2025 06:23
@PearlAegis
Owner Author

A human being has reviewed and approved this pull request.
-Pearl

@PearlAegis PearlAegis merged commit 2b2f21f into main Sep 16, 2025
1 check passed