feat(auth,auth-services,network,lit-client):

**Auth Flow Hardening**
1. (feat) DiscordAuthenticator - it now forces you to support the real Discord client id wheever you hit a non-default login server, so the hashed `authMethodId` lines up with what the Lit nodes compute
2. (fix) WebAuthnAuthenticator - Refuse "successful" jobs that returns no payload. Make the service path fail loudly instad of handing back undefined data.

**Auth Service**
1. (fix) add network-scoped queue names, so multi-network deploytments stops overwriting each other's BullMQ jobs.
2. (fix) initSystemContext - dropped the silent `naga-dev` default and demand an explict `NETWORK`, preventing workers from accidentally botting against the wrong network.
3. (chore) remove unsued route

**Networks * Lit Client**
1. (refactor): stop hard-coding `authServiceBaseUrl` - the SDK will rely on runtime config so staging URLs don't leak into other envs.
2. (fix): Remove Strict Auth Data and make it Partial<AuthData>
3. (chore) add tracing the `mintWithAuth`

Author: Ansonhkg

package.json

@@ -4,7 +4,7 @@
   "license": "MIT",
   "scripts": {
     "sync:contracts": "nx run contracts:sync",
-    "reset": "rimraf dist pnpm-lock.yaml node_modules tmp yarn-error.log yarn.lock package-lock.json learn-debug.log .nx lit-auth-storage pkp-tokens lit-auth-local ./e2e/dist ./e2e/node_modules",
+    "reset": "rimraf .nx dist node_modules packages/**/node_modules tmp",
     "build": "nx run-many --parallel=false --target=build --all --exclude=wrapped-keys,wrapped-keys-lit-actions",
     "gen:local-network-context": "dotenvx run --env-file=.env -- node --conditions=import --import tsx packages/networks/src/networks/vNaga/shared/scripts/generate-abi-signatures.ts",
     "prettier": "npx nx format:write --all",

packages/auth-services/src/_setup/initSystemContext.ts

@@ -4,11 +4,14 @@ import {
   ViemAccountAuthenticator,
 } from '@lit-protocol/auth';
 import { createLitClient } from '@lit-protocol/lit-client';
-import { nagaDev, nagaTest, nagaStaging } from '@lit-protocol/networks';
+import { nagaDev, nagaTest } from '@lit-protocol/networks';
 import { Hex } from 'viem';
 import { privateKeyToAccount } from 'viem/accounts';
 import { env } from '../env';
 import { AuthData } from '@lit-protocol/schemas';
+import { getChildLogger } from '@lit-protocol/logger';
+
+const _logger = getChildLogger({ name: 'initSystemContext' });
 
 declare global {
   var systemContext: {
@@ -29,12 +32,13 @@ export async function initSystemContext({
 }) {
   console.log('🔥 [initSystemContext] Initializing system context...');
 
-  let networkModule: any;
+  let networkModule: typeof nagaDev | typeof nagaTest;
   if (env.NETWORK === 'naga-dev') networkModule = nagaDev;
   else if (env.NETWORK === 'naga-test') networkModule = nagaTest;
-  else if (env.NETWORK === 'naga-staging') networkModule = nagaStaging;
   else throw new Error(`Unsupported network: ${env.NETWORK}`);
 
+  _logger.info({ env: env.NETWORK }, 'Using env.NETWORK');
+
   const overrideRpc = rpcUrl || env.LIT_TXSENDER_RPC_URL;
 
   // Apply runtime override if rpcUrl provided
@@ -52,11 +56,10 @@ export async function initSystemContext({
       typeof effectiveModule.getRpcUrl === 'function'
         ? effectiveModule.getRpcUrl()
         : 'n/a';
-    console.log(
-      '[initSystemContext] RPC (base → effective):',
-      baseRpc,
-      '→',
-      effRpc
+
+    _logger.info(
+      { baseRpc, effRpc },
+      '[initSystemContext] RPC (base → effective):'
     );
   } catch {
     throw new Error(
@@ -73,7 +76,7 @@ export async function initSystemContext({
   const authManager = createAuthManager({
     storage: storagePlugins.localStorageNode({
       appName: appName,
-      networkName: 'naga-dev',
+      networkName: env.NETWORK,
       storagePath: `./lit-auth-worker-storage-${appName}`,
     }),
   });
@@ -93,13 +96,12 @@ export async function initSystemContext({
           statement: `${appName} is running..`,
           domain: 'worker.litprotocol.com',
           resources: [['pkp-signing', '*']],
-          capabilityAuthSigs: [],
           expiration: new Date(Date.now() + 1000 * 60 * 10).toISOString(),
         },
         litClient: litClient,
       });
     },
     authData,
   };
-  console.log('🔥 [initSystemContext] System context initialized');
+  _logger.info('🔥 [initSystemContext] System context initialized');
 }

packages/auth-services/src/auth-server/src/routes/auth/webauthn/webauthn.ts

@@ -1,11 +1,16 @@
 import { Express } from 'express';
 import { addJob } from '../../../queue-manager/src/bullmqSetup';
 import { randomUUID } from 'node:crypto';
+import { getChildLogger } from '@lit-protocol/logger';
+
+const logger = getChildLogger({ name: 'registerPkpRoutes' });
 
 export const registerPkpRoutes = (app: Express) => {
   app.post('/pkp/mint', async (req, res) => {
     const reqId = randomUUID();
     try {
+      logger.info({ reqId, body: req.body }, `[API] pkp/mint incoming request`);
+
       const job = await addJob('pkpMint', { requestBody: req.body });
       return res
         .status(202)

packages/auth-services/src/auth-server/src/routes/pkp.express.ts

@@ -1,6 +1,6 @@
 // Compatibility env shim for existing imports
 export const env = {
-  NETWORK: process.env['NETWORK'] || 'naga-dev',
+  NETWORK: process.env['NETWORK'],
   LIT_TXSENDER_RPC_URL: process.env['LIT_TXSENDER_RPC_URL'] || '',
   LIT_TXSENDER_PRIVATE_KEY: process.env['LIT_TXSENDER_PRIVATE_KEY'] || '',
   REDIS_URL: process.env['REDIS_URL'] || 'redis://localhost:6379',

packages/auth-services/src/env.ts

@@ -2,8 +2,12 @@ import { ConnectionOptions, Queue } from 'bullmq';
 import { env } from '../../env';
 import { parseRedisUrl } from './helper/redisUrlParser';
 import { JobName } from './jobRegistry';
+import { getChildLogger } from '@lit-protocol/logger';
 
-export const mainQueueName = 'pkpAuthServiceQueue';
+const logger = getChildLogger({ name: 'BullMQ' });
+
+const queueSuffix = env.NETWORK ? `-${env.NETWORK}` : '';
+export const mainQueueName = `pkpAuthServiceQueue${queueSuffix}`;
 
 let bullmqConnectionOptions: ConnectionOptions = parseRedisUrl(env.REDIS_URL);
 
@@ -23,6 +27,14 @@ let mainAppQueueInstance: Queue | null = null;
 
 export const getMainAppQueue = (): Queue => {
   if (!mainAppQueueInstance) {
+    logger.info(
+      {
+        queue: mainQueueName,
+        network: env.NETWORK,
+        redis: bullmqConnectionOptions,
+      },
+      'Initialising BullMQ Queue...'
+    );
     mainAppQueueInstance = new Queue(mainQueueName, {
       connection: bullmqConnectionOptions,
       defaultJobOptions: {
@@ -52,6 +64,14 @@ export const getMainAppQueue = (): Queue => {
       )}`
     );
   }
+
+  logger.info(
+    {
+      queue: mainQueueName,
+      network: env.NETWORK,
+    },
+    'Reusing existing BullMQ Queue instance'
+  );
   return mainAppQueueInstance;
 };
 
@@ -63,12 +83,26 @@ export const addJob = async (
    */
   jobData: { requestBody: any }
 ) => {
+  logger.info(
+    {
+      queue: mainQueueName,
+      network: env.NETWORK,
+      jobName,
+    },
+    'Adding job to BullMQ queue'
+  );
   const job = await getMainAppQueue().add(jobName, jobData, {
     jobId: crypto.randomUUID(),
   });
 
-  console.log(
-    `[BullMQ] Job ${job.id} added to queue ${getMainAppQueue().name}`
+  logger.info(
+    {
+      queue: mainQueueName,
+      network: env.NETWORK,
+      jobName,
+      jobId: job.id,
+    },
+    'Job added to BullMQ queue'
   );
 
   return job;
@@ -99,6 +133,27 @@ export const getJobStatus = async (
 
   const state = await job.getState();
 
+  let returnValue: unknown = undefined;
+
+  if (state === 'completed') {
+    returnValue = job.returnvalue;
+
+    if (returnValue == null) {
+      try {
+        const { returnvalue: rawReturnValue } = job.asJSON();
+        returnValue =
+          typeof rawReturnValue === 'string' && rawReturnValue.length > 0
+            ? JSON.parse(rawReturnValue)
+            : rawReturnValue;
+      } catch (err) {
+        console.warn(
+          `[BullMQ] Unable to read return value for completed job ${job.id}:`,
+          err
+        );
+      }
+    }
+  }
+
   const responsePayload = {
     jobId: job.id,
     name: job.name,
@@ -107,7 +162,7 @@ export const getJobStatus = async (
     timestamp: job.timestamp, // Creation time
     processedOn: job.processedOn,
     finishedOn: job.finishedOn,
-    returnValue: job.returnvalue, // Contains result if completed (already stringified by handler)
+    returnValue,
     failedReason: job.failedReason, // Contains error message if failed
   };
 

packages/auth-services/src/queue-manager/src/bullmqSetup.ts

@@ -2,6 +2,7 @@ import { getChildLogger } from '@lit-protocol/logger';
 import { Worker } from 'bullmq';
 import { getBullmqConnectionOptions, mainQueueName } from './bullmqSetup';
 import { JobName, jobRegistry } from './jobRegistry';
+import { env } from '../../env';
 
 const logger = getChildLogger({
   name: 'generic-bullmq-worker',
@@ -10,11 +11,23 @@ const logger = getChildLogger({
 export function createGenericWorker() {
   logger.info('Initialising Generic BullMQ Worker...');
 
+  logger.info(
+    {
+      queue: mainQueueName,
+      network: env.NETWORK,
+      pid: process.pid,
+    },
+    'Generic BullMQ Worker started'
+  );
+
   const worker = new Worker(
     mainQueueName,
     async (job) => {
       logger.info(
         {
+          queue: mainQueueName,
+          network: env.NETWORK,
+          pid: process.pid,
           jobId: job.id,
           jobName: job.name,
         },

packages/auth-services/src/queue-manager/src/genericWorker.ts

@@ -1,9 +1,5 @@
-import {
-  AuthData,
-  MintPKPRequest,
-  MintPKPRequestSchema,
-} from '@lit-protocol/schemas';
-import { Optional } from '@lit-protocol/types';
+import { MintPKPRequest } from '@lit-protocol/schemas';
+import { getChildLogger } from '@lit-protocol/logger';
 
 /**
  * Handles PKP minting tasks.
@@ -14,20 +10,26 @@ export async function handlePkpMintTask(jobData: {
   requestBody: MintPKPRequest;
   reqId?: string;
 }): Promise<any> {
-  const result = await globalThis.systemContext.litClient.mintWithAuth({
+  const mintParams = {
     account: globalThis.systemContext.account,
     authData: {
       authMethodId: jobData.requestBody.authMethodId,
       authMethodType: jobData.requestBody.authMethodType,
       publicKey: jobData.requestBody.pubkey,
     },
     scopes: jobData.requestBody.scopes,
-  });
+  };
+
+  const result = await globalThis.systemContext.litClient.mintWithAuth(
+    mintParams
+  );
 
   console.log(
     `[PkpMintHandler] PKP Minting successful. Token ID: ${result.data.tokenId.toString()}`
   );
 
+  logger.info({ result }, '[PkpMintHandler] raw mint result:');
+
   const processedResult = {
     hash: result._raw.hash,
     data: {

packages/auth-services/src/queue-manager/src/handlers/pkpMint/pkpMint.handler.ts

@@ -9,7 +9,7 @@ import {
 } from '@lit-protocol/constants';
 import { getChildLogger } from '@lit-protocol/logger';
 import { AuthData } from '@lit-protocol/schemas';
-import { AuthMethod, AuthSig, EthBlockhashInfo } from '@lit-protocol/types';
+import { AuthMethod, AuthSig } from '@lit-protocol/types';
 import {
   Account,
   getAddress,
@@ -18,36 +18,12 @@ import {
   PrivateKeyAccount,
   stringToBytes,
 } from 'viem';
+import { fetchBlockchainData } from './helper/fetchBlockchainData';
 
 const _logger = getChildLogger({
   module: 'ViemAccountAuthenticator',
 });
 
-const fetchBlockchainData = async () => {
-  try {
-    const resp = await fetch(
-      'https://block-indexer.litgateway.com/get_most_recent_valid_block'
-    );
-    if (!resp.ok) {
-      throw new Error(`Primary fetch failed with status: ${resp.status}`); // Or a custom error
-    }
-
-    const blockHashBody: EthBlockhashInfo = await resp.json();
-    const { blockhash, timestamp } = blockHashBody;
-
-    if (!blockhash || !timestamp) {
-      throw new Error('Invalid data from primary blockhash source');
-    }
-
-    return blockhash;
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(error.message);
-    }
-    throw new Error(String(error));
-  }
-};
-
 export class ViemAccountAuthenticator {
   public readonly type = 'account';
 

packages/auth/src/lib/authenticators/ViemAccountAuthenticator.ts

@@ -9,34 +9,10 @@ import {
 } from '@lit-protocol/constants';
 import { getChildLogger } from '@lit-protocol/logger';
 import { AuthData } from '@lit-protocol/schemas';
-import { AuthMethod, AuthSig, EthBlockhashInfo } from '@lit-protocol/types';
+import { AuthMethod, AuthSig } from '@lit-protocol/types';
 import { GetWalletClientReturnType } from '@wagmi/core';
 import { getAddress, Hex, keccak256, stringToBytes, WalletClient } from 'viem';
-
-const fetchBlockchainData = async () => {
-  try {
-    const resp = await fetch(
-      'https://block-indexer.litgateway.com/get_most_recent_valid_block'
-    );
-    if (!resp.ok) {
-      throw new Error(`Primary fetch failed with status: ${resp.status}`); // Or a custom error
-    }
-
-    const blockHashBody: EthBlockhashInfo = await resp.json();
-    const { blockhash, timestamp } = blockHashBody;
-
-    if (!blockhash || !timestamp) {
-      throw new Error('Invalid data from primary blockhash source');
-    }
-
-    return blockhash;
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(error.message);
-    }
-    throw new Error(String(error));
-  }
-};
+import { fetchBlockchainData } from './helper/fetchBlockchainData';
 
 const _logger = getChildLogger({
   module: 'WalletClientAuthenticator',