TheSoftwareDevGuild · joelamouche · Dec 8, 2025 · Dec 6, 2025 · Dec 7, 2025
@@ -4,4 +4,6 @@ DATABASE_URL=postgres://guild_user:guild_password@localhost:5432/guild_genesis
 # Optional: allow SQLx offline mode when building
 # SQLX_OFFLINE=true
 
-# Other env vars your app uses...
+# JWT Configuration
+JWT_SECRET=your-super-secret-jwt-key-change-in-production
+JWT_EXPIRATION=86400
@@ -26,6 +26,7 @@ serde_json = "1.0"
 siwe = "0.6"
 ethers = { version = "2.0", features = ["rustls"] }
 sha3 = "0.10"
+jsonwebtoken = "9.3"
 
 # Pin problematic dependencies to avoid edition 2024
 base64ct = "1.7.3"

@@ -0,0 +1,6 @@
+use crate::infrastructure::jwt::JwtManager;
+
+pub async fn login(address: String) -> Result<String, String> {
+    let jwt_manager = JwtManager::new();
+    jwt_manager.generate_token(&address)
+}
@@ -1,2 +1,3 @@
 pub mod create_profile;
+pub mod login;
 pub mod update_profile;
@@ -18,3 +18,9 @@ pub struct NonceResponse {
     pub nonce: i64,
     pub address: String,
 }
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct AuthTokenResponse {
+    pub token: String,
+    pub address: String,
+}
@@ -0,0 +1,57 @@
+use jsonwebtoken::{decode, encode, DecodingKey, EncodingKey, Header, Validation};
+use serde::{Deserialize, Serialize};
+use std::env;
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct JwtClaims {
+    pub address: String,
+    pub exp: usize,
+}
+
+pub struct JwtManager {
+    secret: String,
+    expiration: usize,
+}
+
+impl JwtManager {
+    pub fn new() -> Self {
+        let secret = env::var("JWT_SECRET").expect("JWT_SECRET must be set");
+        let expiration: usize = env::var("JWT_EXPIRATION")
+            .unwrap_or_else(|_| "86400".to_string())
+            .parse()
+            .expect("JWT_EXPIRATION must be a valid number (seconds)");
+
+        JwtManager { secret, expiration }
+    }
+
+    pub fn generate_token(&self, address: &str) -> Result<String, String> {
+        let now = chrono::Utc::now().timestamp() as usize;
+        let claims = JwtClaims {
+            address: address.to_string(),
+            exp: now + self.expiration,
+        };
+
+        encode(
+            &Header::default(),
+            &claims,
+            &EncodingKey::from_secret(self.secret.as_bytes()),
+        )
+        .map_err(|e| format!("Failed to generate token: {}", e))
+    }
+
+    pub fn validate_token(&self, token: &str) -> Result<JwtClaims, String> {
+        decode::<JwtClaims>(
+            token,
+            &DecodingKey::from_secret(self.secret.as_bytes()),
+            &Validation::default(),
+        )
+        .map(|data| data.claims)
+        .map_err(|e| format!("Invalid token: {}", e))
+    }
+}
+
+impl Default for JwtManager {
+    fn default() -> Self {
+        Self::new()
+    }
+}
@@ -1,2 +1,3 @@
+pub mod jwt;
 pub mod repositories;
 pub mod services;
@@ -21,7 +21,7 @@ use tower_http::{
 
 use super::handlers::{
     create_profile_handler, delete_profile_handler, get_all_profiles_handler, get_nonce_handler,
-    get_profile_handler, update_profile_handler,
+    get_profile_handler, login_handler, update_profile_handler,
 };
 
 use super::middlewares::{eth_auth_layer, test_auth_layer};
@@ -40,6 +40,7 @@ pub async fn create_app(pool: sqlx::PgPool) -> Router {
         .route("/profiles/", post(create_profile_handler))
         .route("/profiles/:address", put(update_profile_handler))
         .route("/profiles/:address", delete(delete_profile_handler))
+        .route("/auth/login", post(login_handler))
         .with_state(state.clone());
 
     let protected_with_auth = if std::env::var("TEST_MODE").is_ok() {
@@ -82,6 +83,7 @@ pub fn test_api(state: AppState) -> Router {
         .route("/profiles", post(create_profile_handler))
         .route("/profiles/:address", put(update_profile_handler))
         .route("/profiles/:address", delete(delete_profile_handler))
+        .route("/auth/login", post(login_handler))
         .with_state(state.clone())
         .layer(from_fn(test_auth_layer));
 

@@ -7,8 +7,11 @@ use axum::{
 
 use crate::{
     application::{
-        commands::{create_profile::create_profile, update_profile::update_profile},
-        dtos::{CreateProfileRequest, NonceResponse, ProfileResponse, UpdateProfileRequest},
+        commands::{create_profile::create_profile, login::login, update_profile::update_profile},
+        dtos::{
+            AuthTokenResponse, CreateProfileRequest, NonceResponse, ProfileResponse,
+            UpdateProfileRequest,
+        },
         queries::{
             get_all_profiles::get_all_profiles, get_login_nonce::get_login_nonce,
             get_profile::get_profile,
@@ -87,3 +90,16 @@ pub async fn get_nonce_handler(
         Err(e) => (StatusCode::NOT_FOUND, Json(serde_json::json!({"error": e}))).into_response(),
     }
 }
+
+pub async fn login_handler(
+    Extension(VerifiedWallet(address)): Extension<VerifiedWallet>,
+) -> impl IntoResponse {
+    match login(address.clone()).await {
+        Ok(token) => (StatusCode::OK, Json(AuthTokenResponse { token, address })).into_response(),
+        Err(e) => (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(serde_json::json!({"error": e})),
+        )
+            .into_response(),
+    }
+}
@@ -7,6 +7,7 @@ use axum::{
 };
 
 use crate::domain::services::auth_service::AuthChallenge;
+use crate::infrastructure::jwt::JwtManager;
 
 use super::api::AppState;
 
@@ -31,6 +32,20 @@ pub async fn eth_auth_layer(
         return Ok(next.run(req).await);
     }
 
+    // Try JWT token first
+    if let Some(auth_header) = headers.get("authorization") {
+        if let Ok(auth_str) = auth_header.to_str() {
+            if let Some(token) = auth_str.strip_prefix("Bearer ") {
+                let jwt_manager = JwtManager::new();
+                if let Ok(claims) = jwt_manager.validate_token(token) {
+                    req.extensions_mut().insert(VerifiedWallet(claims.address));
+                    return Ok(next.run(req).await);
+                }
+            }
+        }
+    }
+
+    // Fall back to signature verification
     let address = headers
         .get("x-eth-address")
         .and_then(|v| v.to_str().ok())