Code Structure - Naflows/naflows-auth GitHub Wiki
This page of the wiki is set up for you to understand the code behind the NASS contracts.
The core structure of the contracts is designed to be as much efficient, useful, and secure as possible. It contains general indexing values for the database as well as nested detailed informations for processing:
| Value | Type | Object path | Description |
|---|---|---|---|
| my_type | "ISSUER" | "RECEIVER" | / | Gives the type of the contract, since there are two for each entity |
| id | string | / | The general ID of the contract (unique) |
| contracted | "API" | "USER" | /signature | Gives details about the type of entity that is being contracted |
| contractor | "API" | "NASS" | /signature | Identifies who is initiating the contract |
| contractor_id | string | /signature | The unique identifier of the contractor entity |
| associated_contract | string | /signature | Links to the paired contract (ISSUER ↔ RECEIVER) |
| api_key | string | null | /signature | API authentication key, if applicable |
| route | string | /details | The specific API endpoint/route this contract authorizes |
| user | User | null | /details | User object associated with the contract, if any |
| session | UserSession | null | /details | Session object associated with the contract, if any |
| contract_type | CONTRACT_TYPE | /details | The specific type of action this contract authorizes |
| active | boolean | /status | Whether the contract is currently active and enforceable |
| force_action | boolean | /status | Forces execution without contracted entity choice (admin actions) |
| ending_reason | CONTRACT_ENDING_REASON | null | /status | Why the contract was terminated, if applicable |
| issued_at | number | /time | Unix timestamp when the contract was created |
| completed_at | number | null | /time | Unix timestamp when the contract was fulfilled |
| modified_at | number | null | /time | Unix timestamp of last contract modification |
Note: Not all data under the CentralContracts type needs to be kept by the APIs, but all fields are useful for the NASS central system.
Defines what type of entity is being contracted:
export enum CONTRACTED {
API = "API", // The contract involves an API service
USER = "USER" // The contract involves a user
}
Defines who is initiating the contract:
export enum CONTRACTOR {
API = "API", // An API service is requesting the contract
NASS = "NASS" // The NASS system is issuing the contract
}
Defines the specific type of action the contract authorizes:
export enum CONTRACT_TYPE {
TOKEN_RENEWAL = "TOKEN_RENEWAL", // API token refresh operations
USER_AUTHENTIFICATION = "USER_AUTHENTIFICATION", // User login/auth verification
DATA_MANIPULATION = "DATA_MANIPULATION", // User data read/write operations
USER_MANAGEMENT = "USER_MANAGEMENT", // User account administration
SERVICE_MANAGEMENT = "SERVICE_MANAGEMENT", // API service configuration
BLACKLIST_MANAGEMENT = "BLACKLIST_MANAGEMENT", // Security blacklist operations
REQUESTS_MANAGEMENT = "REQUESTS_MANAGEMENT", // Request logging and monitoring
SERVICE_CONNECTION = "SERVICE_CONNECTION" // Initial API service registration
}
Defines why a contract was terminated:
export enum CONTRACT_ENDING_REASON {
COMPLETED = "COMPLETED", // Contract fulfilled successfully
CANCELED = "CANCELED", // Contract canceled by contractor
EXPIRED = "EXPIRED", // Contract exceeded time limits
FORCED = "FORCED" // Contract terminated by system admin
}
- Every action requiring authorization generates a contract pair (ISSUER + RECEIVER)
- Each contract gets a unique
idand links to its pair viaassociated_contract - Contracts are immediately stored in the NASS database with
active: true
- APIs must validate contracts before executing any authorized actions
- Validation checks include:
- Contract is
active: true - Current timestamp is within acceptable bounds of
issued_at -
contractor_idmatches the requesting entity -
api_keyis valid (if applicable)
- Contract is
- When the authorized action is completed, the contract status is updated
-
completed_attimestamp is recorded -
ending_reasonis set toCOMPLETED -
activeis set tofalse
Contracts can be terminated early for several reasons:
- CANCELED: Contractor decides not to proceed
- EXPIRED: Contract took too long to fulfill
- FORCED: System administrator intervention
- Each contract contains cryptographic signatures to prevent tampering
- The
associated_contractfield ensures both parties have matching contract terms - All contract modifications are logged with timestamps
When force_action: true, the contracted entity must execute the action:
- Used for critical security operations (token revocation, account suspension)
- Cannot be refused or canceled by the contracted entity
- Typically initiated by system administrators or security protocols
- The
api_keyfield supports the constantly renewed API key system - Contracts may reference old keys during transition periods
- Key validation occurs at both contract creation and execution time
For optimal performance, the following database indexes are recommended:
Primary indexes:
-
id(unique, primary key) -
signature.contractor_id+status.active(contractor queries) -
signature.associated_contract(contract pair lookups)