JSX Template Auth Portal (FlexNet JSX · KV Pairs · Sui)

Lightweight, self-contained FlexNet application that lets users create/restore accounts with a 12-word passphrase, derive a Sui Ed25519 address, and store encrypted credentials in Cloudflare KV (or locally when offline/dev). Uses bundled ES modules only—no Node runtime required.

Features

• Passphrase-first onboarding (BIP39, bundled @scure/bip39)
• Sui Ed25519 key derivation (bundled public/vendor/sui)
• AES-GCM + PBKDF2-SHA256 encryption of the mnemonic; SHA-256 hashes for password/PIN salted with addressHash (hex) + legacy base64 fallback for older records
• Username → address uniqueness enforced (KV mapping; username and address hashed before KV keys; username and address encrypted client-side; addressMask only shown in UI)
• Connected header button with dropdown (copy address, sign out)
• Token container terminology (account number shown; short form in UI)
• Offline/local fallback (stores accounts in localStorage) when /api/auth isn’t available
• Console filter loaded on every page (src/core/runtime/integrations/console-filter.js) to scrub infrastructure details from logs in production
• Optional Stripe Payment Intent endpoint at /api/stripe (requires secret STRIPE_SECRET_KEY)
• Balance fetch (SUI + USDC) via Sui RPC (configurable; defaults to https://fullnode.mainnet.sui.io:443 and the Circle USDC coin type)

Layout & Styling

• FlexNet BEM styles: src/styles/bem-starter-base.css, src/styles/theme-default.css, src/styles/bem-starter.css
• Templates copied locally under public/templates/
• Vendor bundles copied locally under public/vendor/ (@scure/bip39, sui)

Using This as a Template

• Clone/copy the jsxSUI folder as your project root.
• Set a KV binding named CONTAINER_KV in your Pages/Workers dashboard (IDs stay in dashboard; not hardcoded).
• Optionally set STRIPE_SECRET_KEY for funding flows; remove functions/api/stripe.js if you don’t need payments.
• Adjust branding/text in index.html as desired; IDs/classes are already wired to src/app.js.

Run Locally (static/offline)

cd jsxSUI
python3 -m http.server 8000
# open http://localhost:8000/index.html

In this mode, /api/auth doesn’t exist; account records are cached in localStorage (jsx_local_accounts). Header button still updates, and the auth modals work with local storage.

Run with Workers KV bound (no Wrangler)

• Create/bind a KV namespace in your Cloudflare dashboard with binding name CONTAINER_KV (ID managed in dashboard/secrets; not hardcoded here).
• Add secret STRIPE_SECRET_KEY in dashboard if using payments.
• Deploy via your normal Workers/Pages workflow (dashboard or pipeline) pointing the project root to jsxSUI/.
• Functions: functions/api/auth.js (hashed + encrypted account storage), functions/api/stripe.js (payment intent helper).
• Optional runtime config (set via <script> globals):
  • window.JSXSUI_SUI_RPC to override the Sui RPC URL.
  • window.JSXSUI_USDC_COIN_TYPE to override the USDC coin type.
  • window.JSXSUI_SUI_RPC_MAINNET / window.JSXSUI_SUI_RPC_TESTNET to override per-network RPCs.
  • window.JSXSUI_USDC_COIN_TYPE_MAINNET / window.JSXSUI_USDC_COIN_TYPE_TESTNET to override per-network USDC coin types.

Auth Flow (app.js)

1. Generate passphrase (BIP39) → copy/regenerate supported.
2. Confirm passphrase.
3. Set username/password/PIN (with confirm fields + availability check).
4. Derive Sui address (bundled SDK); build record:
   • passwordHash: SHA-256 of ${addressHashHex}:${password} (hex digest of address); login also accepts legacy ${address}:${password} base64 hash for backward compatibility
   • pinHash: SHA-256 of ${addressHashHex}:${pin} (hex); legacy base64 fallback for ${address}:${pin}
   • encMnemonic: AES-GCM with PBKDF2-SHA256 (100k iterations; stores salt/iv)
   • addressEnc: encrypted full address; addressMask: short display only; usernameEnc: encrypted username
   • crypto metadata for auditing
5. Store via /api/auth (KV) or local cache if offline.
6. Header button shows Connected • short address; dropdown shows username/address, copy, and sign out.
7. Delete action in dropdown issues a DELETE to /api/auth and clears local state.

Restore:

• Paste passphrase, set username/password/PIN; derivation + encryption repeat, and record is saved (KV or local). Forgot password/username/PIN: use the restore flow with passphrase.

FlexNet JSX folder map (pre-staged for expansion)

• public/ – static assets, templates, and vendor bundles
• src/ – auth UI logic, runtime helpers, styles
• functions/api/ – Workers endpoints (auth, stripe)
• manifests/ – (staged) drop additional FlexNet manifests here when extending
• pages/js/ – (staged) JS-driven pages/adapters for FlexNet Pages
• pages/html/ – (staged) static HTML/HTM surfaces for FlexNet Pages
• runtime/ – (staged) runtime adapters/hooks for future FlexNet JSX infrastructure
• docs/ – any architecture notes