We love your input! We want to make contributing to YetAnotherAA as easy and transparent as possible.
- Fork the repo on GitHub
- Clone your fork locally
- Create a branch for your feature: git checkout -b feature/amazing-feature
- Make your changes following our guidelines
- Test thoroughly including WebAuthn/Passkey flows
- Submit a pull request
# Fork and clone
git clone https://github.com/your-username/YetAnotherAA.git
cd YetAnotherAA
# Install dependencies
npm install
# Set up development environment
cp aastar/.env.example aastar/.env
cp aastar-frontend/.env.example aastar-frontend/.env.local
# Start development servers
npm run start:dev -w aastar # Backend API
npm run dev -w aastar-frontend # Frontend
# Note: BLS signing service uses remote endpoint
# Configure via BLS_SEED_NODES environment variable

Since WebAuthn requires HTTPS or localhost, ensure you test:
- Browser Compatibility: Chrome, Safari, Firefox, Edge
- Device Support: Test on actual devices with biometric sensors
- Error Handling: Test cancelled authentications, timeouts
- Multi-device: Test registering on multiple devices
# Test backend authentication
curl -X POST http://localhost:3000/auth/passkey/login/begin
# Test transaction verification
curl -X POST http://localhost:3000/auth/transaction/verify/begin
# Manual testing checklist
# - [ ] Face ID/Touch ID registration works
# - [ ] Passwordless login works
# - [ ] Transaction verification required
# - [ ] Multi-device registration works

We follow Conventional Commits:
type(scope): description
feat(auth): add Face ID support for iOS
fix(bls): resolve signature verification bug
docs(readme): update WebAuthn setup guide
test(passkey): add integration tests
refactor(frontend): improve error handling
Types:
- feat: New features
- fix: Bug fixes
- docs: Documentation
- test: Tests
- refactor: Code refactoring
- perf: Performance improvements
- security: Security improvements
- Unit Tests: All new functions must have unit tests
- Integration Tests: WebAuthn flows must be integration tested
- Security Tests: Authentication flows must be security tested
- Browser Tests: Frontend changes need cross-browser testing
# Run all tests
npm run test
# Run specific workspace tests
npm test -w aastar
npm test -w aastar-frontend
# Smart contracts and BLS signer are in separate repository
# See: https://github.com/fanhousanbu/YetAnotherAA-Validator

- ✅ Always require user verification (userVerification: "required")
- ✅ Use discoverable credentials (residentKey: "required")
- ✅ Validate origin and RP ID strictly
- ✅ Never log or expose credentials
- ✅ Handle timeouts and cancellations gracefully
- ✅ Validate all public keys before aggregation
- ✅ Verify message point integrity
- ✅ Use constant-time operations where possible
- ✅ Implement replay protection
- ✅ Follow checks-effects-interactions pattern
- ✅ Implement proper access controls
- ✅ Add reentrancy guards where needed
- ✅ Validate all external calls
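
The WebAuthn items in the checklist above (required user verification, strict origin and RP ID validation, single-use challenges) can be enforced on the server before the signature is verified. The sketch below is an added example, not code from the YetAnotherAA repository; `RP_ID`, `ORIGIN`, `checkAssertion` and `sampleAssertion` are hypothetical names and values chosen for a localhost setup, and signature verification against the stored public key is assumed to follow separately.

```typescript
import { createHash } from "node:crypto";

// Assumed deployment values for local development (hypothetical, adjust per environment).
const RP_ID = "localhost";
const ORIGIN = "http://localhost:3000";

interface Assertion {
  clientDataJSON: Buffer;    // raw bytes as returned by the browser
  authenticatorData: Buffer; // rpIdHash (32) | flags (1) | signCount (4) | ...
}

// Checks that precede signature verification. Returns the names of the failed checks;
// an empty array means the assertion may proceed. `issued` holds unconsumed challenges.
function checkAssertion(a: Assertion, issued: Set<string>): string[] {
  let parsed: unknown;
  try { parsed = JSON.parse(a.clientDataJSON.toString("utf8")); }
  catch { return ["clientDataJSON"]; }
  if (typeof parsed !== "object" || parsed === null) return ["clientDataJSON"];
  const client = parsed as { type?: unknown; challenge?: unknown; origin?: unknown; crossOrigin?: unknown };

  const errors: string[] = [];
  if (client.type !== "webauthn.get") errors.push("type");
  // Single use: delete() succeeds only once, so a replayed response fails here.
  const c = client.challenge;
  if (typeof c !== "string" || !issued.delete(c)) errors.push("challenge");
  if (client.origin !== ORIGIN) errors.push("origin"); // exact match, never prefix or substring
  if (client.crossOrigin === true) errors.push("crossOrigin");

  if (a.authenticatorData.length < 37) return [...errors, "authenticatorData"];
  const expectedHash = createHash("sha256").update(RP_ID).digest();
  if (!a.authenticatorData.subarray(0, 32).equals(expectedHash)) errors.push("rpIdHash");
  const flags = a.authenticatorData.readUInt8(32);
  if ((flags & 0x01) === 0) errors.push("userPresent");
  if ((flags & 0x04) === 0) errors.push("userVerified"); // enforces userVerification: "required"
  return errors;
}

// Constructed sample input, not a real authenticator response.
function sampleAssertion(origin: string, rpId: string, flags: number, challenge: string): Assertion {
  const rpIdHash = createHash("sha256").update(rpId).digest();
  return {
    clientDataJSON: Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin })),
    authenticatorData: Buffer.concat([rpIdHash, Buffer.from([flags, 0, 0, 0, 1])]),
  };
}
```

In a real response the `challenge` field is the base64url encoding of the server-issued bytes, so the set of issued challenges should store that encoding.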
- Branch Naming: feature/description or fix/description
- PR Title: Use conventional commit format
- Description: Use our PR template (auto-populated)
- Tests: Ensure all tests pass
- Documentation: Update docs if needed
- Security: Consider security implications
- Code follows style guidelines
- Self-review completed
- Tests added/updated
- Documentation updated
- WebAuthn flows tested
- BLS signatures verified
- Smart contracts tested
- Breaking changes documented
- Additional WebAuthn authenticator support
- Enhanced error handling and recovery
- Security audit improvements
- Multi-factor authentication options
- BLS signature optimization
- Gas cost reduction techniques
- Frontend performance improvements
- Database query optimization
- Mobile app development
- Desktop application
- Browser extension
- Hardware wallet integration
- More code examples
- Video tutorials
- Integration guides
- API documentation
- Automated testing improvements
- Cross-browser testing
- Load testing
- Security testing
We use Prettier and ESLint. Run before committing:
npm run format # Format all code
npm run lint # Check for issues
npm run lint:fix # Auto-fix issues

/aastar # Backend API (NestJS)
/src/auth/ # WebAuthn authentication
/src/transfer/ # Transaction handling
/src/kms/ # KMS integration
/aastar-frontend # Frontend (Next.js)
/app/auth/ # Authentication pages
/app/transfer/ # Transaction interface
/lib/ # Utilities and API client
External Services:
- BLS Signer & Smart Contracts: Maintained in YetAnotherAA-Validator
- BLS signature aggregation service (NestJS)
- Solidity contracts (Foundry)
- Gossip network for node coordination
- Use TypeScript everywhere
- Follow OpenAPI/Swagger standards
- Implement proper error handling
- Add comprehensive logging
- Include input validation
- Document all endpoints
Use GitHub Issues with our bug report template:
- Bug description: Clear and concise
- Steps to reproduce: Detailed steps
- Expected behavior: What should happen
- Screenshots: If applicable
- Environment: OS, browser, versions
- Security impact: If security-related
Use GitHub Issues with our feature request template:
- Feature description: What you want
- Motivation: Why it's needed
- Proposed solution: How it could work
- Alternatives considered: Other options
- Additional context: Examples, mockups
- GitHub Discussions: General questions and ideas
- GitHub Issues: Bug reports and feature requests
- Code Review: Submit PRs for feedback
- Discord: Join our community (link coming soon)
Contributors will be:
- ✨ Listed in our contributors section
- 🎖️ Credited in release notes
- 📱 Featured in project updates
- 🌟 Highlighted in documentation
By contributing, you agree that your contributions will be licensed under the MIT License.
Thank you for making YetAnotherAA better for everyone! 🙏