Protect create2 verification with an auth0 authentication (#1090)

* generalize auth0 authentication functions * support different environments via env * support in ui docker build and update env * auth0: in ui instead of refreshing the token every 25 seconds, refresh the token each new request * remove old token management * Improve UI * add tests for create2 auth0 authentication * auth0: add missing AUTH0_CLIENTID to dev and stable envs * solve linter error * auth0: fix for linter * forbidden error for apiCheckPermission * accept only salt when is convertible to BigNumber * handle bearer tokens in create2 routes * check the user's information to validate the user instead of relying on short living tokens * fix missing getAccessTokenSilently in useEffect's dependencies * add missing openid, profile scopes in auth0 in tests
ethereum · Jul 24, 2023 · c1705ea · c1705ea
1 parent e4fbfd4
commit c1705ea
Show file tree

Hide file tree

Showing 27 changed files with 523 additions and 187 deletions.
diff --git a/environments/.env.dev b/environments/.env.dev
@@ -92,4 +92,10 @@ GRAFANA_EXTERNAL_PORT=3000
 GRAFANA_LOKI_EXTERNAL_PORT=3100
 GRAFANA_PROMETHEUS_EXTERNAL_PORT=9090
 # Use if you'll have a running Loki instance, otherwise leave blank
-# GRAFANA_LOKI_URL=http://localhost:3100
+# GRAFANA_LOKI_URL=http://localhost:3100
+
+# Authentication
+AUTH0_AUDIENCE=https://sourcify.dev
+AUTH0_ISSUERBASEURL=https://dev-htkreq1l71u1hn5l.us.auth0.com/
+AUTH0_TOKENSIGNINGALG=RS256
+AUTH0_CLIENTID=epipuQWJL67dVggPvxNmAy40ggzNum9F
diff --git a/environments/.env.latest b/environments/.env.latest
@@ -91,4 +91,10 @@ GRAFANA_HTTP_PASS=xxx
 GRAFANA_EXTERNAL_PORT=13000
 GRAFANA_LOKI_EXTERNAL_PORT=13100
 GRAFANA_PROMETHEUS_EXTERNAL_PORT=9090
-GRAFANA_LOKI_URL=http://grafana-loki-latest:3100
+GRAFANA_LOKI_URL=http://grafana-loki-latest:3100
+
+# Authentication
+AUTH0_AUDIENCE=https://staging.sourcify.dev/
+AUTH0_ISSUERBASEURL=https://sourcify-staging.eu.auth0.com/
+AUTH0_TOKENSIGNINGALG=RS256
+AUTH0_CLIENTID=BUtkg8OwkVgfbzyUDH0YlD1R8TO0a0nM
diff --git a/environments/.env.stable b/environments/.env.stable
@@ -88,4 +88,10 @@ GRAFANA_HTTP_PASS=xxx
 GRAFANA_EXTERNAL_PORT=13000
 GRAFANA_LOKI_EXTERNAL_PORT=13100
 GRAFANA_PROMETHEUS_EXTERNAL_PORT=9090
-GRAFANA_LOKI_URL=http://grafana-loki-stable:3100
+GRAFANA_LOKI_URL=http://grafana-loki-stable:3100
+
+# Authentication
+AUTH0_AUDIENCE=https://sourcify.dev
+AUTH0_ISSUERBASEURL=https://sourcify.eu.auth0.com
+AUTH0_TOKENSIGNINGALG=RS256
+AUTH0_CLIENTID=nApMV1kEehEBtDwSx1fiVmggdX57pb0Q
diff --git a/openapi.yaml b/openapi.yaml
@@ -8,9 +8,9 @@ info:
     url: https://github.com/ethereum/sourcify/blob/master/LICENSE
 servers:
   - url: https://sourcify.dev/server
-    description: Production server 
+    description: Production server
   - url: https://staging.sourcify.dev/server
-    description: Staging server 
+    description: Staging server
   - url: http://localhost:5555
     description: Local development server address on default port 5555.
 paths:
@@ -56,3 +56,8 @@ paths:
     $ref: "src/server/controllers/repository/get-source-files-all.stateless.paths.yaml#/paths/~1files~1any~1{chain}~1{address}"
   /files/{chain}/{address}:
     $ref: "src/server/controllers/repository/get-source-files-full.stateless.paths.yaml#/paths/~1files~1{chain}~1{address}"
+components:
+  securitySchemes:
+    BearerAuth:
+      type: http
+      scheme: bearer
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -60,7 +60,9 @@
     "ethers": "^6.6.2",
     "express": "^4.17.1",
     "express-fileupload": "^1.4.0",
+    "express-oauth2-jwt-bearer": "^1.5.0",
     "express-openapi-validator": "^5.0.4",
+    "express-rate-limit": "^6.7.0",
     "express-session": "^1.17.1",
     "http-status-codes": "^2.1.4",
     "ipfs-http-client": "^56.0.3",

diff --git a/src/common/errors/ForbiddenError.ts b/src/common/errors/ForbiddenError.ts
@@ -0,0 +1,12 @@
+import { StatusCodes } from "http-status-codes";
+import { IResponseError } from "../interfaces";
+
+export class ForbiddenError implements IResponseError {
+  code: number;
+  message: string;
+
+  constructor(message?: string) {
+    this.code = StatusCodes.FORBIDDEN;
+    this.message = message || "Forbidden";
+  }
+}
diff --git a/src/common/errors/UnauthorizedError.ts b/src/common/errors/UnauthorizedError.ts
@@ -0,0 +1,12 @@
+import { StatusCodes } from "http-status-codes";
+import { IResponseError } from "../interfaces";
+
+export class UnauthorizedError implements IResponseError {
+  code: number;
+  message: string;
+
+  constructor(message?: string) {
+    this.code = StatusCodes.UNAUTHORIZED;
+    this.message = message || "Unauthorized";
+  }
+}
diff --git a/src/config.ts b/src/config.ts
@@ -47,6 +47,13 @@ export default {
     /^https?:\/\/(?:.+\.)?ipfs.dweb.link$/, // dweb links used by Brave browser etc.
     process.env.NODE_ENV === "development" && /^https?:\/\/localhost(?::\d+)?$/, // localhost on any port
   ],
+  authentication: {
+    jwt: {
+      audience: process.env.AUTH0_AUDIENCE,
+      issuerBaseURL: process.env.AUTH0_ISSUERBASEURL,
+      tokenSigningAlg: process.env.AUTH0_TOKENSIGNINGALG || "RS256",
+    },
+  },
 };
 
 type EtherscanAPIs = {

diff --git a/src/server/controllers/verification/create2/create2.common.ts b/src/server/controllers/verification/create2/create2.common.ts
@@ -1,4 +1,5 @@
 import { Request } from "express";
+import { apiLimiter /* apiCheckPermission */ } from "../verification.common";
 
 type Create2RequestBody = {
   deployerAddress: string;
@@ -26,3 +27,12 @@ export interface SessionCreate2VerifyRequest extends Request {
     verificationId: string;
   };
 }
+
+export const apiVerifyCreate2Limiter = apiLimiter(10 * 1000, 10);
+
+/* 
+export const hasVerifyCreate2Permission = apiCheckPermission(
+  "verify:create2",
+  "This user has no permission to create2 verification"
+);
+*/
diff --git a/src/server/controllers/verification/create2/session/create2.session.paths.yaml b/src/server/controllers/verification/create2/session/create2.session.paths.yaml
@@ -3,6 +3,8 @@ openapi: "3.0.0"
 paths:
   /session/verify/create2:
     post:
+      security:
+        - BearerAuth: []
       summary: Verify create2
       tags:
         - Session Verification
@@ -12,9 +14,6 @@ paths:
             schema:
               type: object
               properties:
-                clientToken:
-                  type: string
-                  description: Mandatory client token to call this api
                 deployerAddress:
                   type: string
                   format: address

diff --git a/src/server/controllers/verification/create2/session/create2.session.routes.ts b/src/server/controllers/verification/create2/session/create2.session.routes.ts
@@ -3,14 +3,22 @@ import {
   sessionVerifyCreate2,
   sessionPrecompileContract,
 } from "./create2.session.handlers";
-import { authenticatedRequest } from "../../verification.common";
 import { safeHandler } from "../../../controllers.common";
+import { isAuth0EnabledUser, jwtCheck } from "../../verification.common";
+import {
+  // hasVerifyCreate2Permission,
+  apiVerifyCreate2Limiter,
+} from "../create2.common";
 
 const router: Router = Router();
 
-router
-  .route("/session/verify/create2")
-  .post(authenticatedRequest, safeHandler(sessionVerifyCreate2));
+router.route("/session/verify/create2").post(
+  jwtCheck,
+  // hasVerifyCreate2Permission,
+  isAuth0EnabledUser,
+  apiVerifyCreate2Limiter,
+  safeHandler(sessionVerifyCreate2)
+);
 
 router
   .route(["/session/verify/create2/compile"])

diff --git a/src/server/controllers/verification/create2/stateless/create2.stateless.paths.yaml b/src/server/controllers/verification/create2/stateless/create2.stateless.paths.yaml
@@ -3,19 +3,17 @@ openapi: "3.0.0"
 paths:
   /verify/create2:
     post:
-      summary: Verify create2
+      summary: Verify create2 (requires authentication)
       tags:
         - Stateless Verification
+      security:
+        - BearerAuth: []
       requestBody:
         content:
           application/json:
             schema:
               type: object
               properties:
-                clientToken:
-                  type: string
-                  description: Mandatory client token to call this api
-                  example: ""
                 deployerAddress:
                   type: string
                   format: address
@@ -146,3 +144,19 @@ paths:
                 Deployed and recompiled mismatch:
                   value:
                     error: "The deployed and recompiled bytecode don't match."
+        "401":
+          description: Unauthorized
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  error:
+                    type: string
+              examples:
+                Authorization header required:
+                  value:
+                    message: "Authorization header required"
+                Bad Formatted Json:
+                  value:
+                    error: "Unexpected token ' in JSON at position 107"
diff --git a/src/server/controllers/verification/create2/stateless/create2.stateless.routes.ts b/src/server/controllers/verification/create2/stateless/create2.stateless.routes.ts
@@ -1,12 +1,20 @@
 import { Router } from "express";
 import { verifyCreate2Handler } from "./create2.stateless.handlers";
-import { authenticatedRequest } from "../../verification.common";
 import { safeHandler } from "../../../controllers.common";
+import { isAuth0EnabledUser, jwtCheck } from "../../verification.common";
+import {
+  // hasVerifyCreate2Permission,
+  apiVerifyCreate2Limiter,
+} from "../create2.common";
 
 const router: Router = Router();
 
-router
-  .route("/verify/create2")
-  .post(authenticatedRequest, safeHandler(verifyCreate2Handler));
+router.route("/verify/create2").post(
+  jwtCheck,
+  // hasVerifyCreate2Permission,
+  isAuth0EnabledUser,
+  apiVerifyCreate2Limiter,
+  safeHandler(verifyCreate2Handler)
+);
 
 export default router;