Add encryption for Kaigen server auth

docs/KaigenConfiguration.md

@@ -6,30 +6,30 @@ The Kaigen service is used for managing user credits during backtest operations.
 
 ### Required Environment Variable
 
-- **`KAIGEN_PRIVATE_KEY`**: The private key used for signing API requests to the Kaigen service.
+- **`KAIGEN_SECRET_KEY`**: The secret key used for AES-256-CBC encryption of Basic Auth tokens sent to the Kaigen service.
 
 ### Setting the Environment Variable
 
 #### Development
 ```bash
-export KAIGEN_PRIVATE_KEY="your-private-key-here"
+export KAIGEN_SECRET_KEY="your-secret-key-here"
 ```
 
 #### Production
 Set the environment variable in your deployment configuration:
 ```bash
-KAIGEN_PRIVATE_KEY=your-private-key-here
+KAIGEN_SECRET_KEY=your-secret-key-here
 ```
 
 #### Docker
 ```bash
-docker run -e KAIGEN_PRIVATE_KEY=your-private-key-here your-app
+docker run -e KAIGEN_SECRET_KEY=your-secret-key-here your-app
 ```
 
 #### Docker Compose
 ```yaml
 environment:
-  - KAIGEN_PRIVATE_KEY=your-private-key-here
+  - KAIGEN_SECRET_KEY=your-secret-key-here
 ```
 
 ## Configuration Structure
@@ -42,11 +42,28 @@ The Kaigen service configuration is defined in `appsettings.json`:
     "BaseUrl": "https://api.kaigen.managing.live",
     "DebitEndpoint": "/api/credits/debit",
     "RefundEndpoint": "/api/credits/refund",
-    "PrivateKey": "${KAIGEN_PRIVATE_KEY}"
+    "SecretKey": "${KAIGEN_SECRET_KEY}"
   }
 }
 ```
 
+## Authentication Method
+
+The service now uses **Basic Authentication** with AES-256-GCM encrypted tokens:
+
+1. **Token Format**: `{walletAddress}-{username}`
+2. **Encryption**: The token is encrypted using AES-256-GCM with the configured secret key
+3. **Basic Auth**: The encrypted token is sent in the Authorization header as `Basic {base64EncodedToken}:`
+
+### Example Token Generation
+```csharp
+// For user "john" with wallet "0x123..."
+var authToken = "0x123...-john";
+var encryptedToken = CryptoHelpers.EncryptAesGcm(authToken, secretKey);
+var basicAuth = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{encryptedToken}:"));
+// Result: Authorization: Basic {base64EncodedToken}:
+```
+
 ## API Endpoints
 
 - **PUT** `/api/credits/debit` - Debit credits from user account
@@ -54,11 +71,21 @@ The Kaigen service configuration is defined in `appsettings.json`:
 
 ## Security Notes
 
-- The private key should never be committed to source control
+- The secret key should never be committed to source control
 - Use environment variables or secure configuration management systems
-- The private key is used for signing API requests to ensure authenticity
-- Rotate the private key regularly for enhanced security
+- The secret key is used for AES-256-GCM encryption of authentication tokens
+- Rotate the secret key regularly for enhanced security
+- Each request uses a unique nonce for encryption, ensuring replay attack protection
+- The GCM mode provides both confidentiality and authenticity
 
 ## Error Handling
 
-If the `KAIGEN_PRIVATE_KEY` environment variable is not set, the application will throw an `InvalidOperationException` with a clear error message during startup. 
+If the `KAIGEN_SECRET_KEY` environment variable is not set, the application will throw an `InvalidOperationException` with a clear error message during startup.
+
+## Migration from Private Key Authentication
+
+If migrating from the previous private key signature method:
+
+1. Replace `KAIGEN_PRIVATE_KEY` with `KAIGEN_SECRET_KEY` in your environment variables
+2. Update any configuration files to use the new `SecretKey` property instead of `PrivateKey`
+3. The Kaigen server must be updated to handle Basic Auth with AES-256-GCM decryption