Authentication

GFN uses JWT-based authentication for both client-server communication and inter-service authentication on the rig.

Client Authentication

JWT Token

From vendor_beautified.js:

javascript
// JWT token injection into WebRTC/streaming requests
case 1: st("GFNJWT ", token)   // Prepends "GFNJWT " to token
authTokenCallback()             // Callback for token refresh

The GFNJWT prefix distinguishes GFN tokens from other auth schemes.

IPC Bridge Commands

SET_AUTH_INFO    ← Full authentication info object
SET_AUTH_TOKEN   ← JWT token string

LOFN Key

The LofnKeyInfoDef protobuf and lofnDataSendTimeoutMs suggest an encryption key exchange mechanism (LOFN = likely "Local On-Rig Negotiation"):

json
{
  "GcisConnector": {
    "lofnDataSendTimeoutMs": 3000
  }
}

Server-Side Authentication

Provision Manager (PM) Auth

PM communication uses mutual TLS:

json
{
  "PMConnector": {
    "authEnabled": true,
    "nonceLengthBytes": 16,
    "crlCacheTimeMin": 720,
    "cipherList": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:..."
  }
}

Server certificate requirements:

  • CN: pm.np-ams-06.svc.cluster.local
  • Issuer: GFN PM - API Server Zone NP-AMS-06 CA 02

GSG (Game Seat Gateway) Auth

API key-based authentication, refreshed every 5 minutes:

json
{
  "GSGConnector": {
    "apiKeyRefreshPeriodSec": 300
  }
}

Auth Info Protobuf

AuthInfoDef covers:

  • Authentication protocol types
  • Error codes for auth failures
  • Token validation states

AuthorizationInfoDef covers:

  • User authorization time limits
  • Storage authorization
  • User identity data

Entitlement Codes

From AuthInfoDef and EntitlementInfoDef:

| Code | Description |
|------|-------------|
| INVALID__AUTHENTICATION_MALFORMED_STATUS | Malformed auth token |
| INVALID__AUTHENTICATION_NOT_FOUND_STATUS | Auth not found |
| INVALID__AUTHENTICATION_EXPIRED_STATUS | Token expired |
| INVALID__AUTHENTICATION_CREDENTIALS_STATUS | Bad credentials |
| INVALID__AUTHENTICATION_UNKNOWN_TOKEN_STATUS | Unknown token type |
| INVALID__AUTHENTICATION_EMAIL_NOT_VERIFIED_STATUS | Email unverified |
| INVALID__AUTHENTICATION_UNSUPPORTED_PROTOCOL_STATUS | Unsupported protocol |
| AUTH__FAILURE_STATUS | Generic auth failure |
| ENTITLEMENT__FAILURE_STATUS | Entitlement check failed |
| EULA__UNACCEPTED_STATUS | EULA not accepted |
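
The following is an added example, not code from GFN or from the original page: it shows how a receiver could parse the "GFNJWT <token>" string built by the client snippet under JWT Token and map each failure to one of the INVALID__AUTHENTICATION_* names listed above. HS256 signing, the exp claim, the "OK" result, the function names and the failure-to-status mapping are all assumptions made for illustration.

```javascript
// Added example (not GFN code): classify a "GFNJWT <token>" credential string.
// Assumptions: HS256 signing, the `exp` claim, the "OK" result, and the mapping of
// each failure to a status name from the table are illustrative, not the service's logic.
const nodeCrypto = require("crypto");

const SCHEME = "GFNJWT";
const S = (name) => `INVALID__AUTHENTICATION_${name}_STATUS`;
const decodeJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

function classifyCredential(credential, key, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof credential !== "string" || credential === "") return S("NOT_FOUND");
  const sep = credential.indexOf(" ");
  if (sep < 0) return S("MALFORMED");
  // Exact, case-sensitive scheme match: "Bearer x" or "gfnjwt x" is a different scheme.
  if (credential.slice(0, sep) !== SCHEME) return S("UNKNOWN_TOKEN");
  const parts = credential.slice(sep + 1).split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) return S("MALFORMED");
  let header;
  try { header = decodeJson(parts[0]); } catch { return S("MALFORMED"); }
  // Pin the algorithm server-side; a token must never select it ("none", alg confusion).
  if (!header || header.alg !== "HS256") return S("UNSUPPORTED_PROTOCOL");
  const expected = nodeCrypto.createHmac("sha256", key).update(`${parts[0]}.${parts[1]}`).digest();
  const got = Buffer.from(parts[2], "base64url");
  if (got.length !== expected.length || !nodeCrypto.timingSafeEqual(got, expected)) return S("CREDENTIALS");
  // Claims are read only after the signature has been verified; a missing exp fails closed.
  let claims;
  try { claims = decodeJson(parts[1]); } catch { return S("MALFORMED"); }
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSec) return S("EXPIRED");
  return "OK";
}

// Builds constructed sample tokens for the demo below (hypothetical helper).
function makeToken(claims, key, alg = "HS256") {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const body = `${enc({ alg, typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${nodeCrypto.createHmac("sha256", key).update(body).digest("base64url")}`;
}

// Constructed sample inputs, evaluated at a fixed clock of t = 1000.
const KEY = "constructed-demo-key";
const good = makeToken({ sub: "user-1", exp: 2000 }, KEY);
for (const c of [`GFNJWT ${good}`, `Bearer ${good}`, `GFNJWT ${makeToken({ exp: 500 }, KEY)}`]) {
  console.log(classifyCredential(c, KEY, 1000));
}
```

The order of checks matters: scheme, structure and pinned algorithm are rejected before any HMAC work, and expiry is evaluated only on claims whose signature has already verified.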

Steam Authentication

Steam sessions use dedicated protobuf types:

  • SteamSessionDef — Steam session with launch parameters
  • SteamTokenFilesSessionDef — Steam auth token files for login

Steam-specific error codes:

| Code | Description |
|------|-------------|
| STEAM__GUARD_REQUIRED_STATUS | Steam Guard 2FA required |
| STEAM__GUARD_INVALID_STATUS | Invalid Steam Guard code |
| STEAM__LOGIN_REQUIRED_STATUS | Steam login required |
| STEAM__PROFILE_PRIVATE_STATUS | Steam profile is private |

UEK (User Encryption Key)

UEK__RETRIEVAL_FAILED

The User Encryption Key is used for encrypting user save data in cloud storage. If retrieval fails, cloud saves may be unavailable.

SSH Key (Linux GameSeat)

For GameSeat2 (Linux backend) SSH access:

LinuxGameseatSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...

A 4096-bit RSA key used for backend SSH communication.

AWS Credentials (UAD ML)

The UadMLPlugin uses dedicated AWS credentials for SageMaker access (from secure_userdata.txt):

AwsAccesKeyId: AKIA45MWRG7CU2W6USPQ
EncryptionSecretKey: [redacted]

These credentials are scoped to SageMaker inference endpoints only.

admindesk.top — Reversed & documented from Asgard rig backups and GCIS plugin binaries.