feat: NUC authentication

.env.ci

@@ -8,6 +8,7 @@ HF_TOKEN="Hugging Face API Token"
 
 ENVIRONMENT = "mainnet"
 NILAI_GUNICORN_WORKERS = 10
+AUTH_STRATEGY = "nuc"
 
 # The domain name of the server
 # - It must be written as "localhost" or "test.nilai.nillion"
@@ -18,7 +19,8 @@ NILAI_SERVER_DOMAIN = "localhost"
 ATTESTATION_HOST = "attestation"
 ATTESTATION_PORT = 8080
 
-
+# nilAuth Trusted URLs
+NILAUTH_TRUSTED_ROOT_ISSUERS = "http://nilauth:30921"
 
 # Postgres Docker Compose Config
 POSTGRES_HOST = "postgres"

.env.sample

@@ -8,6 +8,8 @@ HF_TOKEN="Hugging Face API Token"
 
 ENVIRONMENT = "mainnet"
 NILAI_GUNICORN_WORKERS = 10
+AUTH_STRATEGY = "api_key"
+
 # The domain name of the server
 # - It must be written as "localhost" or "test.nilai.nillion"
 # - Do not put "https://" or "http://" in the domain name or / at the end
@@ -17,6 +19,9 @@ NILAI_SERVER_DOMAIN = "localhost"
 ATTESTATION_HOST = "attestation"
 ATTESTATION_PORT = 8080
 
+# nilAuth Trusted URLs
+NILAUTH_TRUSTED_ROOT_ISSUERS = "http://localhost:30921"
+
 # Postgres Docker Compose Config
 POSTGRES_HOST = "postgres"
 POSTGRES_USER = "user"

.github/workflows/ci.yml

@@ -92,9 +92,10 @@ jobs:
         with:
           enable-cache: true
           cache-dependency-glob: "**/pyproject.toml"
-
       - name: Install dependencies
-        run: uv sync
+        run: |
+          apt-get update && apt-get install curl git pkg-config automake file -y
+          uv sync
 
       - name: Build vllm
         run: docker build -t nillion/nilai-vllm:latest -f docker/vllm.Dockerfile .
@@ -103,7 +104,7 @@ jobs:
         run: docker build -t nillion/nilai-attestation:latest -f docker/attestation.Dockerfile .
 
       - name: Build nilal API
-        run: docker build -t nillion/nilai-api:latest -f docker/api.Dockerfile --target nilai .
+        run: docker build -t nillion/nilai-api:latest -f docker/api.Dockerfile --target nilai --platform linux/amd64 .
 
       - name: Create .env
         run: |
@@ -126,7 +127,6 @@ jobs:
       - name: Run E2E tests
         run: |
           set -e
-          export AUTH_TOKEN=$(docker exec nilai-api uv run src/nilai_api/commands/add_user.py --name test1 --email test1@test.com --ratelimit-minute 1000 --ratelimit-hour 1000 --ratelimit-day 1000 | jq ".apikey" -r)
           export ENVIRONMENT=ci
           uv run pytest -v tests/e2e
 

.gitignore

@@ -170,3 +170,6 @@ grafana/runtime-data/*
 
 prometheus/data/*
 !prometheus/data/.gitkeep
+
+private_key.key
+private_key.key.lock

README.md

@@ -77,7 +77,7 @@ docker build -t nillion/nilai-attestation:latest -f docker/attestation.Dockerfil
 # Build vLLM docker container
 docker build -t nillion/nilai-vllm:latest -f docker/vllm.Dockerfile .
 # Build nilai_api container
-docker build -t nillion/nilai-api:latest -f docker/api.Dockerfile --target nilai .
+docker build -t nillion/nilai-api:latest -f docker/api.Dockerfile --target nilai --platform linux/amd64 .
 ```
 To deploy:
 ```shell
@@ -195,6 +195,8 @@ git checkout v0.7.3 # We use v0.7.3
 # Build vLLM OpenAI (vllm folder)
 cd vllm
 docker build -f Dockerfile.arm -t vllm/vllm-openai . --shm-size=4g
+# Build nilai attestation container
+docker build -t nillion/nilai-attestation:latest -f docker/attestation.Dockerfile .
 # Build vLLM docker container (root folder)
 docker build -t nillion/nilai-vllm:latest -f docker/vllm.Dockerfile .
 # Build nilai_api container

docker-compose.dev.yml

@@ -1,10 +1,13 @@
 services:
   api:
+    platform: linux/amd64 # for macOS to force running on Rosetta 2
     ports:
       - "8080:8080"
     volumes:
       - ./nilai-api/:/app/nilai-api/
       - ./packages/:/app/packages/
+    networks:
+      - nilauth
   attestation:
     ports:
       - "8081:8080"
@@ -20,3 +23,49 @@ services:
   grafana:
     ports:
       - "3000:3000"
+
+  nilauth-postgres:
+    image: postgres:17
+    environment:
+      POSTGRES_PASSWORD: postgres
+    ports:
+      - "30432:5432"
+    networks:
+      - nilauth
+
+  nilchain:
+    image: ghcr.io/nillionnetwork/nilchain-devnet:v0.1.0
+    restart: unless-stopped
+    shm_size: 128mb
+    ports:
+      - "26648:26648" # JSON RPC
+      - "26649:26649" # gRPC
+      - "26650:26650" # REST
+    networks:
+      - nilauth
+
+  nilauth:
+    image: public.ecr.aws/k5d9x2g2/nilauth:latest
+    depends_on:
+      - nilauth-postgres
+      - nilchain
+    volumes:
+      - ./docker/nilauth/config.yaml:/opt/config.yaml
+    command: ["--config-file", "/opt/config.yaml"]
+    ports:
+      - "30921:30921" # main server
+      - "30922:30022" # metrics server
+    networks:
+      - nilauth
+
+  token-price-api:
+    image: caddy:2
+    ports:
+      - "30923:80"
+    command: |
+      caddy respond --listen :80 --body '{"nillion":{"usd":1}}' --header "Content-Type: application/json"
+    networks:
+      - nilauth
+
+networks:
+  nilauth:

docker/api.Dockerfile

@@ -5,7 +5,7 @@ COPY --link . /app/
 WORKDIR /app/nilai-api/
 
 RUN apt-get update && \
-apt-get install build-essential curl -y && \
+apt-get install build-essential curl git pkg-config automake file -y && \
 apt-get clean && \
 apt-get autoremove && \
 rm -rf /var/lib/apt/lists/* && \

docker/nilauth/config.yaml

@@ -0,0 +1,23 @@
+server:
+  bind_endpoint: 0.0.0.0:30921
+
+private_key:
+  hex: 7c5c8d3114ac2410249ca2baae7dec86ac2950a389ac44a5fdca8941b92b6c86
+
+metrics:
+  bind_endpoint: 0.0.0.0:30022
+
+payments:
+  nilchain_url: http://nilchain:26648
+
+  subscriptions:
+    renewal_threshold_seconds: 1000
+    length_seconds: 120
+    dollar_cost: 1
+
+  token_price:
+    base_url: http://token-price-api/api/v3/simple/price
+    api_key: abc
+
+postgres:
+  url: postgres://postgres:postgres@nilauth-postgres:5432/postgres

nilai-api/alembic/versions/ca76e3ebe6ee_fix_remove_mail_and_adjust_field_lengths.py

@@ -0,0 +1,82 @@
+"""fix: remove mail and adjust field lengths
+
+Revision ID: ca76e3ebe6ee
+Revises: da89d3230653
+Create Date: 2025-04-25 09:08:37.775973
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = "ca76e3ebe6ee"
+down_revision: Union[str, None] = "da89d3230653"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column(
+        "query_logs",
+        "userid",
+        existing_type=sa.VARCHAR(length=50),
+        type_=sa.String(length=75),
+        existing_nullable=False,
+    )
+    op.alter_column(
+        "users",
+        "userid",
+        existing_type=sa.VARCHAR(length=50),
+        type_=sa.String(length=75),
+        existing_nullable=False,
+    )
+    op.alter_column(
+        "users",
+        "apikey",
+        existing_type=sa.VARCHAR(length=50),
+        type_=sa.String(length=75),
+        existing_nullable=False,
+    )
+    op.drop_index("ix_users_email", table_name="users")
+    op.drop_index("ix_users_apikey", table_name="users")
+    op.create_index(op.f("ix_users_apikey"), "users", ["apikey"], unique=False)
+    op.drop_column("users", "email")
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column(
+        "users",
+        sa.Column("email", sa.VARCHAR(length=255), autoincrement=False, nullable=False),
+    )
+    op.drop_index(op.f("ix_users_apikey"), table_name="users")
+    op.create_index("ix_users_apikey", "users", ["apikey"], unique=True)
+    op.create_index("ix_users_email", "users", ["email"], unique=True)
+    op.alter_column(
+        "users",
+        "apikey",
+        existing_type=sa.String(length=75),
+        type_=sa.VARCHAR(length=50),
+        existing_nullable=False,
+    )
+    op.alter_column(
+        "users",
+        "userid",
+        existing_type=sa.String(length=75),
+        type_=sa.VARCHAR(length=50),
+        existing_nullable=False,
+    )
+    op.alter_column(
+        "query_logs",
+        "userid",
+        existing_type=sa.String(length=75),
+        type_=sa.VARCHAR(length=50),
+        existing_nullable=False,
+    )
+    # ### end Alembic commands ###

nilai-api/pyproject.toml

@@ -31,6 +31,7 @@ dependencies = [
     "verifier",
     "web3>=7.8.0",
     "click>=8.1.8",
+    "nuc",
 ]
 
 
@@ -40,3 +41,4 @@ build-backend = "hatchling.build"
 
 [tool.uv.sources]
 nilai-common = { workspace = true }
+nuc = { git = "https://github.com/NillionNetwork/nuc-py.git" }

nilai-api/src/nilai_api/attestation/__init__.py

@@ -1,6 +1,6 @@
 from fastapi import HTTPException
 import httpx
-from nilai_common import SETTINGS, Nonce, AttestationReport
+from nilai_common import Nonce, AttestationReport, SETTINGS
 from nilai_common.logger import setup_logger
 
 logger = setup_logger(__name__)

nilai-api/src/nilai_api/auth/__init__.py

@@ -8,6 +8,8 @@
 from nilai_api.db.users import UserManager, UserModel
 from nilai_api.auth.strategies import STRATEGIES
 
+from nuc.validate import ValidationException
+
 logger = getLogger(__name__)
 bearer_scheme = HTTPBearer()
 
@@ -38,6 +40,8 @@ async def get_user(
         raise e
     except ValueError as e:
         raise AuthenticationError(detail="Authentication failed: " + str(e))
+    except ValidationException as e:
+        raise AuthenticationError(detail="NUC validation failed: " + str(e))
     except Exception as e:
         raise AuthenticationError(detail="Unexpected authentication error: " + str(e))