Move /v1/svrb/auth to /v1/archives/auth/svrb

service/src/main/java/org/whispersystems/textsecuregcm/controllers/ArchiveController.java

@@ -64,6 +64,7 @@ import org.signal.libsignal.zkgroup.backups.BackupAuthCredentialRequest;
 import org.signal.libsignal.zkgroup.backups.BackupCredentialType;
 import org.signal.libsignal.zkgroup.receipts.ReceiptCredentialPresentation;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedDevice;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
 import org.whispersystems.textsecuregcm.backup.BackupAuthManager;
 import org.whispersystems.textsecuregcm.backup.BackupManager;
 import org.whispersystems.textsecuregcm.backup.CopyParameters;
@@ -389,6 +390,35 @@ public class ArchiveController {
         .thenApply(ReadAuthResponse::new);
   }
 
+  @GET
+  @Path("/auth/svrb")
+  @Produces(MediaType.APPLICATION_JSON)
+  @Operation(
+      summary = "Generate credentials for SVRB",
+      description = """
+          Generate SVRB service credentials. Generated credentials have an expiration time of 1 day (subject to change)
+          """)
+  @ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
+  @ApiResponseZkAuth
+  public CompletionStage<ExternalServiceCredentials> svrbAuth(
+      @Auth final Optional<AuthenticatedDevice> account,
+      @HeaderParam(HttpHeaders.USER_AGENT) final String userAgent,
+
+      @Parameter(description = BackupAuthCredentialPresentationHeader.DESCRIPTION, schema = @Schema(implementation = String.class))
+      @NotNull
+      @HeaderParam(X_SIGNAL_ZK_AUTH) final ArchiveController.BackupAuthCredentialPresentationHeader presentation,
+
+      @Parameter(description = BackupAuthCredentialPresentationSignature.DESCRIPTION, schema = @Schema(implementation = String.class))
+      @NotNull
+      @HeaderParam(X_SIGNAL_ZK_AUTH_SIGNATURE) final BackupAuthCredentialPresentationSignature signature) {
+    if (account.isPresent()) {
+      throw new BadRequestException("must not use authenticated connection for anonymous operations");
+    }
+    return backupManager
+        .authenticateBackupUser(presentation.presentation, signature.signature, userAgent)
+        .thenApply(backupManager::generateSvrbAuth);
+  }
+
   public record BackupInfoResponse(
       @Schema(description = "The CDN type where the message backup is stored. Media may be stored elsewhere.")
       int cdn,

service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureValueRecoveryBController.java

@@ -1,63 +0,0 @@
-/*
- * Copyright 2025 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.controllers;
-
-import com.google.common.annotations.VisibleForTesting;
-import io.dropwizard.auth.Auth;
-import io.swagger.v3.oas.annotations.Operation;
-import io.swagger.v3.oas.annotations.responses.ApiResponse;
-import io.swagger.v3.oas.annotations.tags.Tag;
-import jakarta.ws.rs.GET;
-import jakarta.ws.rs.Path;
-import jakarta.ws.rs.Produces;
-import jakarta.ws.rs.core.MediaType;
-import java.time.Clock;
-import org.whispersystems.textsecuregcm.auth.AuthenticatedDevice;
-import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
-import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
-import org.whispersystems.textsecuregcm.configuration.SecureValueRecoveryConfiguration;
-
-@Path("/v1/svrb")
-@Tag(name = "Secure Value Recovery B")
-public class SecureValueRecoveryBController {
-
-  public static ExternalServiceCredentialsGenerator credentialsGenerator(final SecureValueRecoveryConfiguration cfg) {
-    return credentialsGenerator(cfg, Clock.systemUTC());
-  }
-
-  @VisibleForTesting
-  public static ExternalServiceCredentialsGenerator credentialsGenerator(final SecureValueRecoveryConfiguration cfg,
-      final Clock clock) {
-    return ExternalServiceCredentialsGenerator
-        .builder(cfg.userAuthenticationTokenSharedSecret())
-        .withUserDerivationKey(cfg.userIdTokenSharedSecret().value())
-        .prependUsername(false)
-        .withDerivedUsernameTruncateLength(16)
-        .withClock(clock)
-        .build();
-  }
-
-  private final ExternalServiceCredentialsGenerator svrbCredentialGenerator;
-
-  public SecureValueRecoveryBController(final ExternalServiceCredentialsGenerator svrbCredentialGenerator) {
-    this.svrbCredentialGenerator = svrbCredentialGenerator;
-  }
-
-  @GET
-  @Path("/auth")
-  @Produces(MediaType.APPLICATION_JSON)
-  @Operation(
-      summary = "Generate credentials for SVRB",
-      description = """
-          Generate SVRB service credentials. Generated credentials have an expiration time of 1 day (subject to change)
-          """
-  )
-  @ApiResponse(responseCode = "200", description = "`JSON` with generated credentials.", useReturnTypeSchema = true)
-  @ApiResponse(responseCode = "401", description = "Account authentication check failed.")
-  public ExternalServiceCredentials getAuth(@Auth final AuthenticatedDevice auth) {
-    return svrbCredentialGenerator.generateFor(auth.accountIdentifier().toString());
-  }
-}