Auth and Permissions

epress node combines SIWE (Sign-In with Ethereum) authentication, JWT audience scoping, and operation-level permission checks via request.cani(permission).

When to Use Which Auth

Different operations require different authentication mechanisms:

Node Owner Operations

SIWE + JWT (aud: client)

  • Publishing content
  • Managing settings
  • Following/unfollowing
  • Deleting content

Cross-Node Operations

EIP-712 in Body

  • Follow handshakes
  • Replication requests
  • Profile updates
  • Content verification

Public Content

No Auth Required

  • Reading public posts
  • Fetching profiles
  • Avatar retrieval
  • RSS feeds

SIWE Sign-In Flow

  1. Client requests a SIWE message through the GraphQL query getSiweMessage.
  2. Node issues a nonce JWT, encoded in the SIWE nonce field.
  3. Client signs the SIWE message and submits it to signInWithEthereum.
  4. Server verifies the SIWE signature, the nonce JWT, and the owner address before issuing a JWT token.

JWT Audience Model

aud           Intent                        Verification
client        Owner session token           DB token verification + owner address check
integration   Scoped integration token      DB token verification + scope check
nonce         SIWE challenge nonce          Signature and expiration verification
comment       Email comment confirm token   Signature and expiration verification

Permission Checks

Route and GraphQL resolvers call request.cani(permission). For client audience it returns full access; for integration audience it validates requested permission against JWT scope.

  • Publication creation requires create permission and valid owner identity.
  • Search and fetch permissions gate visibility of non-public or non-owned data.
  • Sensitive settings fields are conditionally exposed by auth context.

EIP-712 Signature Verification

Cross-node operations use EIP-712 typed data signatures embedded in the request body:

  1. Extract typedData and signature from request body
  2. Verify domain matches Epress domain spec
  3. Recover signer address from signature
  4. Verify signer matches claimed address in message
  5. Check timestamp is recent (typically within 5 minutes)
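As an added example, not epress code, the five steps above in the order listed. Signer recovery (step 3) is passed in as a function, because secp256k1 public-key recovery is not in Node's crypto module; a real node would supply something like ethers' verifyTypedData there. The domain constant, the message field names address and timestamp, and the demoRecoverSigner stand-in are constructed assumptions; the real type definitions are in the EIP-712 Signing Spec this page refers to.

```javascript
// Added example (not epress code): the cross-node request check in the order the
// page lists. recoverSigner is injected; demoRecoverSigner below is a constructed
// stand-in for a real EIP-712 recovery routine and ignores the typed data.
const EPRESS_DOMAIN = { name: 'epress', version: '1', chainId: 1 }; // constructed placeholder
const MAX_AGE_SECONDS = 300;                                        // "typically within 5 minutes"
const ALICE = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';          // constructed address

function demoRecoverSigner(typedData, signature) {
  if (signature === 'demo-sig-alice') return ALICE;
  throw new Error('bad signature');
}

// Step 2: every field of the domain separator must match, otherwise a signature
// produced for another app or chain could be replayed against this node.
function domainMatches(domain) {
  return Boolean(domain)
    && domain.name === EPRESS_DOMAIN.name
    && domain.version === EPRESS_DOMAIN.version
    && domain.chainId === EPRESS_DOMAIN.chainId;
}

function verifyCrossNodeRequest(body, recoverSigner, now = Math.floor(Date.now() / 1000)) {
  // Step 1: extract typedData and signature from the request body
  const { typedData, signature } = body || {};
  if (!typedData || typeof signature !== 'string') {
    return { ok: false, reason: 'missing typedData or signature' };
  }
  // Step 2: domain check
  if (!domainMatches(typedData.domain)) return { ok: false, reason: 'domain mismatch' };
  // Step 3: recover the signer; a malformed signature is a rejection, not a crash
  let signer;
  try { signer = recoverSigner(typedData, signature); } catch { return { ok: false, reason: 'invalid signature' }; }
  // Step 4: recovered signer must equal the address claimed in the message
  const claimed = typedData.message && typedData.message.address;
  if (typeof claimed !== 'string' || typeof signer !== 'string'
      || signer.toLowerCase() !== claimed.toLowerCase()) {
    return { ok: false, reason: 'signer mismatch' };
  }
  // Step 5: freshness; timestamps too far in the future are rejected as well (assumed policy)
  const ts = typedData.message.timestamp;
  if (!Number.isInteger(ts) || Math.abs(now - ts) > MAX_AGE_SECONDS) {
    return { ok: false, reason: 'stale timestamp' };
  }
  return { ok: true, signer: signer.toLowerCase() };
}
```

The checks are ordered cheapest first and each returns a distinct reason, which is what you want to log: a burst of 'domain mismatch' or 'stale timestamp' rejections from one peer is a replay or clock-skew signal that a bare boolean would hide. Note that the timestamp only bounds replay to a window; a node that needs exactly-once semantics would also have to record seen messages within that window, which this page does not describe.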

See EIP-712 Signing Spec for complete type definitions.