# service-login-verify

Verify login proof and anti-replay policy for services that embed UserWallet in an iframe.

## Purpose

The **service** is the parent application that embeds UserWallet. It receives `login-proof` via `postMessage` and must verify the proof before accepting a session, **without a central server**. This package provides:

- `verifyLoginProof(proof, context)` – full verification (crypto, allowed pubkeys, timestamp window, nonce anti-replay)
- `NonceCache` – in-memory anti-replay cache (TTL configurable)
- `buildAllowedPubkeysFromValidateurs(validateurs)` – build allowed pubkeys from action login validators (`cle_publique` only)

## Usage

See `features/service-login-verify.md` for explanation and usage example.

## Install

From the repo root:

```bash
cd service-login-verify && npm install && npm run build
```

Consuming apps can add a workspace dependency or link to `../service-login-verify`.

## References

- `features/service-login-verify.md`
- `features/userwallet-contrat-login-reste-a-faire.md` (§ 3.7)