fix: Replace public key auth with token-based system

[nadeesha]

PR Type

Enhancement, Bug fix

---

Description

• Implemented a new token-based authentication system replacing the complex public key authentication:
  • Removed crypto-based signature verification
  • Added Bearer token validation through Authorization header
  • Simplified authentication checks across all endpoints
• Enhanced logging and monitoring:
  • Added detailed debug logs for request handling
  • Improved error messages and request tracking
  • Added function execution logging
• Improved error handling and response formatting for better debugging
• Updated package version to 0.0.10

---

Changes walkthrough 📝

	Relevant files
Enhancement	mod.ts Replace public key auth with Bearer token authentication  adapters/valtown-adapter/mod.ts Replaced public key authentication with simpler token-based auth system Added extensive logging for better debugging and monitoring Simplified authentication logic by removing crypto verification Improved error handling and response formatting +49/-88
Configuration changes	jsr.json Version bump to 0.0.10                                                                      adapters/valtown-adapter/jsr.json Bumped version from 0.0.5 to 0.0.10 +1/-1

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[qodo-merge-pro]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🧪 No relevant tests

🔒 Security concerns Authentication Implementation Issues: The token comparison uses direct string comparison (token === this.options.token) which is vulnerable to timing attacks. Should use a constant-time comparison function. Debug logs expose sensitive authentication details including token presence/absence which could aid attackers. Raw error messages are being returned to clients which could leak implementation details. No rate limiting implemented on authentication attempts which could enable brute force attacks.

⚡ Recommended focus areas for review Security Risk The token comparison is using direct string comparison which could be vulnerable to timing attacks. Consider using a constant-time comparison function. return token === this.options.token; Token Exposure Debug logging includes sensitive token information that could expose authentication details in logs. Consider removing or masking token logging. console.log(`[Inferable Adapter] Authentication status: hasToken=${hasToken}, token=${token ? 'provided' : 'not provided'}`); Error Handling Generic error messages are being logged and returned to the client, which could expose sensitive implementation details. Consider sanitizing error messages. console.error(`[Inferable Adapter] Error executing function:`, error); return new Response(JSON.stringify({ error: `Error occurred during execution: ${error}` }), { status: 400, headers: { "content-type": "application/json" },

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Security	Validate authentication token to prevent security bypass through empty or whitespace-only tokens Add input validation for the token to ensure it's not an empty string or contains only whitespace. This prevents accidentally disabling authentication when a token is intended to be used. adapters/valtown-adapter/mod.ts [28-33] private isAuthenticated(token: string | null): boolean { - if (!this.options.token) { + if (!this.options.token?.trim()) { return true; // If no token is configured, authentication is disabled } return token === this.options.token; } Apply this suggestion Suggestion importance[1-10]: 9 Why: This is a critical security enhancement that prevents authentication bypass through empty or whitespace tokens, addressing a potential vulnerability in the token validation logic.	9
	Prevent potential exposure of sensitive authentication data in logs Avoid logging sensitive authentication tokens in production logs, as this could expose security credentials. Remove or mask the token value in the log message. adapters/valtown-adapter/mod.ts [46] -console.log(`[Inferable Adapter] Authentication status: hasToken=${hasToken}, token=${token ? 'provided' : 'not provided'}`); +console.log(`[Inferable Adapter] Authentication status: hasToken=${hasToken}, tokenPresent=${!!token}`); Apply this suggestion Suggestion importance[1-10]: 8 Why: Important security improvement that prevents potential exposure of sensitive authentication tokens in logs, which could be a significant security risk in production environments.	8
General	Include proper Content-Type headers in API responses for correct client interpretation Add proper Content-Type header to the response when returning function execution results to ensure correct interpretation by clients. adapters/valtown-adapter/mod.ts [117] -return new Response(JSON.stringify({ result })); +return new Response(JSON.stringify({ result }), { + headers: { "content-type": "application/json" } +}); Apply this suggestion Suggestion importance[1-10]: 7 Why: This is a good API design practice that ensures proper response handling by clients, maintaining consistency with other endpoints that already include the content-type header.	7