@aztec/p2p 1.2.1 → 2.0.0-nightly.20250813

package/dest/services/peer-manager/peer_manager.js

@@ -4,13 +4,18 @@ function _ts_decorate(decorators, target, key, desc) {
     else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
+import { makeEthSignDigest, recoverAddress } from '@aztec/foundation/crypto';
+import { Fr } from '@aztec/foundation/fields';
 import { createLogger } from '@aztec/foundation/log';
 import { bufferToHex } from '@aztec/foundation/string';
+import { DateProvider } from '@aztec/foundation/timer';
 import { trackSpan } from '@aztec/telemetry-client';
 import { ENR } from '@chainsafe/enr';
+import { peerIdFromString } from '@libp2p/peer-id';
 import { inspect } from 'util';
 import { PeerEvent } from '../../types/index.js';
 import { ReqRespSubProtocol } from '../reqresp/interface.js';
+import { AuthRequest, AuthResponse } from '../reqresp/protocols/auth.js';
 import { GoodByeReason, prettyGoodbyeReason } from '../reqresp/protocols/goodbye.js';
 import { StatusMessage } from '../reqresp/protocols/status.js';
 import { ReqRespStatus } from '../reqresp/status.js';
@@ -21,6 +26,7 @@ const MAX_CACHED_PEERS = 100;
 const MAX_CACHED_PEER_AGE_MS = 5 * 60 * 1000; // 5 minutes
 const FAILED_PEER_BAN_TIME_MS = 5 * 60 * 1000; // 5 minutes timeout after failing MAX_DIAL_ATTEMPTS
 const GOODBYE_DIAL_TIMEOUT_MS = 1000;
+const FAILED_AUTH_HANDSHAKE_EXPIRY_MS = 60 * 60 * 1000; // 1 hour
 export class PeerManager {
     libP2PNode;
     peerDiscoveryService;
@@ -30,6 +36,8 @@ export class PeerManager {
     reqresp;
     worldStateSynchronizer;
     protocolVersion;
+    epochCache;
+    dateProvider;
     cachedPeers;
     heartbeatCounter;
     displayPeerCountsPeerHeartbeat;
@@ -38,9 +46,16 @@ export class PeerManager {
     trustedPeersInitialized;
     privatePeers;
     privatePeersInitialized;
+    preferredPeers;
+    authenticatedPeerIdToValidatorAddress;
+    authenticatedValidatorAddressToPeerId;
+    peersToBeDisconnected;
+    failedAuthHandshakes;
+    validatorAddresses;
+    initializedPreferredPeers;
     metrics;
     handlers;
-    constructor(libP2PNode, peerDiscoveryService, config, telemetryClient, logger = createLogger('p2p:peer-manager'), peerScoring, reqresp, worldStateSynchronizer, protocolVersion){
+    constructor(libP2PNode, peerDiscoveryService, config, telemetryClient, logger = createLogger('p2p:peer-manager'), peerScoring, reqresp, worldStateSynchronizer, protocolVersion, epochCache, dateProvider = new DateProvider()){
         this.libP2PNode = libP2PNode;
         this.peerDiscoveryService = peerDiscoveryService;
         this.config = config;
@@ -49,6 +64,8 @@ export class PeerManager {
         this.reqresp = reqresp;
         this.worldStateSynchronizer = worldStateSynchronizer;
         this.protocolVersion = protocolVersion;
+        this.epochCache = epochCache;
+        this.dateProvider = dateProvider;
         this.cachedPeers = new Map();
         this.heartbeatCounter = 0;
         this.displayPeerCountsPeerHeartbeat = 0;
@@ -57,6 +74,16 @@ export class PeerManager {
         this.trustedPeersInitialized = false;
         this.privatePeers = new Set();
         this.privatePeersInitialized = false;
+        this.preferredPeers = new Set();
+        this.authenticatedPeerIdToValidatorAddress = new Map();
+        this.authenticatedValidatorAddressToPeerId = new Map();
+        this.peersToBeDisconnected = new Set();
+        this.failedAuthHandshakes = new Map();
+        this.validatorAddresses = [];
+        this.initializedPreferredPeers = false;
+        if (this.config.p2pDisableStatusHandshake && this.config.p2pAllowOnlyValidators) {
+            throw new Error('Status handshake disabled but is required to allow only validators to connect.');
+        }
         this.metrics = new PeerManagerMetrics(telemetryClient, 'PeerManager');
         // Handle Discovered peers
         this.handlers = {
@@ -69,7 +96,7 @@ export class PeerManager {
         // Handle lost connections
         this.libP2PNode.addEventListener(PeerEvent.DISCONNECTED, this.handlers.handleDisconnectedPeerEvent);
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        this.peerDiscoveryService.on(PeerEvent.DISCOVERED, this.handlers.handleDiscoveredPeer);
+        this.peerDiscoveryService?.on(PeerEvent.DISCOVERED, this.handlers.handleDiscoveredPeer);
         // Display peer counts every 60 seconds
         this.displayPeerCountsPeerHeartbeat = Math.floor(60_000 / this.config.peerCheckIntervalMS);
     }
@@ -96,16 +123,61 @@ export class PeerManager {
                 this.privatePeersInitialized = true;
             }).catch((e)=>this.logger.error('Error initializing private peers', e));
         }
+        if (this.config.preferredPeers) {
+            const preferredPeersEnrs = this.config.preferredPeers.map((enr)=>ENR.decodeTxt(enr));
+            await Promise.all(preferredPeersEnrs.map((enr)=>enr.peerId())).then((peerIds)=>peerIds.forEach((peerId)=>this.preferredPeers.add(peerId.toString()))).catch((e)=>this.logger.error('Error initializing preferred peers', e));
+        }
     }
     get tracer() {
         return this.metrics.tracer;
     }
-    heartbeat() {
+    async heartbeat() {
         this.heartbeatCounter++;
         this.peerScoring.decayAllScores();
         this.cleanupExpiredTimeouts();
+        await this.setupDirectPeersIfValidator();
+        await this.updateAuthenticatedPeers();
+        await this.processScheduledDisconnects();
         this.discover();
     }
+    /*
+   * If this node is connecting to preferred peers, make sure it is registered validator */ async setupDirectPeersIfValidator() {
+        if (!this.config.preferredPeers) {
+            return;
+        }
+        // Already initialized preferred peers, don't wastefully repeat the same work
+        if (this.initializedPreferredPeers) {
+            return;
+        }
+        const registeredValidators = await this.epochCache.getRegisteredValidators();
+        const validatorSet = new Set(registeredValidators.map((v)=>v.toString()));
+        const isThisNodePartOfValidatorSet = this.validatorAddresses.some((v)=>validatorSet.has(v.toString()));
+        if (!isThisNodePartOfValidatorSet) {
+            return;
+        }
+        const preferredPeersEnrs = this.config.preferredPeers.map((enr)=>ENR.decodeTxt(enr));
+        await Promise.all(preferredPeersEnrs.map((enr)=>enr.peerId())).then((peerIds)=>peerIds.forEach((peerId)=>this.preferredPeers.add(peerId.toString()))).catch((e)=>this.logger.error('Error initializing preferred peers', e));
+        const directPeers = (await Promise.all(preferredPeersEnrs.map(async (enr)=>{
+            const peerId = await enr.peerId();
+            const address = enr.getLocationMultiaddr('tcp');
+            if (address === undefined) {
+                throw new Error(`Direct peer ${peerId.toString()} has no TCP address, ENR: ${enr.encodeTxt()}`);
+            }
+            return {
+                id: peerId,
+                addrs: [
+                    address
+                ]
+            };
+        }))).filter((peer)=>peer !== undefined);
+        await Promise.all(directPeers.map((peer)=>{
+            this.libP2PNode.services.pubsub.direct.add(peer.id.toString());
+            return this.libP2PNode.peerStore.merge(peer.id, {
+                multiaddrs: peer.addrs
+            });
+        }));
+        this.initializedPreferredPeers = true;
+    }
     /**
    * Cleans up expired timeouts.
    *
@@ -114,7 +186,7 @@ export class PeerManager {
    * To give them a chance to reconnect.
    */ cleanupExpiredTimeouts() {
         // Clean up expired timeouts
-        const now = Date.now();
+        const now = this.dateProvider.now();
         for (const [peerId, timedOutPeer] of this.timedOutPeers.entries()){
             if (now >= timedOutPeer.timeoutUntilMs) {
                 this.timedOutPeers.delete(peerId);
@@ -122,30 +194,69 @@ export class PeerManager {
         }
     }
     /**
+   * Processes scheduled disconnects during heartbeat.
+   *
+   * This batch processes all peers that have been marked for disconnect.
+   * preventing immediate disconnects that could cause libp2p state corruption.
+   */ async processScheduledDisconnects() {
+        if (this.peersToBeDisconnected.size === 0) {
+            return;
+        }
+        const peersToDisconnect = Array.from(this.peersToBeDisconnected);
+        this.logger.debug(`Processing ${peersToDisconnect.length} scheduled disconnects`);
+        try {
+            await Promise.all(peersToDisconnect.map(async (peerIdStr)=>{
+                if (await this.disconnectPeer(peerIdFromString(peerIdStr))) {
+                    this.peersToBeDisconnected.delete(peerIdStr);
+                }
+            }));
+            this.logger.verbose(`Disconnected ${peersToDisconnect.length} peers`, {
+                peersToDisconnect
+            });
+        } catch (error) {
+            this.logger.error('Error when disconnecting from peers', error);
+        }
+    }
+    /**
    * Performs Status Handshake with a connected peer.
    * @param e - The connected peer event.
    */ handleConnectedPeerEvent(e) {
         const peerId = e.detail;
-        if (this.peerDiscoveryService.isBootstrapPeer(peerId)) {
-            this.logger.verbose(`Connected to bootstrap peer ${peerId.toString()}`);
-        } else {
-            this.logger.verbose(`Connected to transaction peer ${peerId.toString()}`);
+        this.logger.verbose(`Connected to peer ${peerId.toString()}`);
+        if (this.config.p2pDisableStatusHandshake) {
+            return;
         }
-        if (!this.config.p2pDisableStatusHandshake) {
+        // If we are not configured to only allow validators then perform a status handshake
+        if (!this.config.p2pAllowOnlyValidators) {
             void this.exchangeStatusHandshake(peerId);
+            return;
         }
+        // We are configured to only allow validators, but this doesn't apply to trusted, private peers or preferred peers
+        if (this.isProtectedPeer(peerId)) {
+            void this.exchangeStatusHandshake(peerId);
+            return;
+        }
+        // Initiate auth handshake
+        void this.exchangeAuthHandshake(peerId);
     }
     /**
    * Simply logs the type of disconnected peer.
    * @param e - The disconnected peer event.
    */ handleDisconnectedPeerEvent(e) {
         const peerId = e.detail;
-        if (this.peerDiscoveryService.isBootstrapPeer(peerId)) {
-            this.logger.verbose(`Disconnected from bootstrap peer ${peerId.toString()}`);
-        } else {
-            this.logger.verbose(`Disconnected from transaction peer ${peerId.toString()}`);
+        this.logger.verbose(`Disconnected from peer ${peerId.toString()}`);
+        const validatorAddress = this.authenticatedPeerIdToValidatorAddress.get(peerId.toString());
+        if (validatorAddress !== undefined) {
+            this.logger.info(`Removing authentication for validator ${validatorAddress} at peer id ${peerId.toString()} due to disconnection`);
+            this.authenticatedValidatorAddressToPeerId.delete(validatorAddress.toString());
+            this.authenticatedPeerIdToValidatorAddress.delete(peerId.toString());
         }
     }
+    registerThisValidatorAddresses(address) {
+        this.validatorAddresses = [
+            ...address
+        ];
+    }
     /**
    * Checks if a peer is trusted.
    * @param peerId - The peer ID.
@@ -190,11 +301,26 @@ export class PeerManager {
         return this.privatePeers.has(peerId.toString());
     }
     /**
+   * Adds a peer to the preferred peers set.
+   * @param peerId - The peer ID to add to preferred peers.
+   */ addPreferredPeer(peerId) {
+        const peerIdStr = peerId.toString();
+        this.preferredPeers.add(peerIdStr);
+        this.logger.verbose(`Added preferred peer ${peerIdStr}`);
+    }
+    /**
+   * Checks if a peer is preferred.
+   * @param peerId - The peer ID.
+   * @returns True if the peer is preferred, false otherwise.
+   */ isPreferredPeer(peerId) {
+        return this.preferredPeers.has(peerId.toString());
+    }
+    /**
    * Checks if a peer is protected (either trusted or private).
    * @param peerId - The peer ID.
    * @returns True if the peer is protected, false otherwise.
    */ isProtectedPeer(peerId) {
-        return this.isTrustedPeer(peerId) || this.isPrivatePeer(peerId);
+        return this.isTrustedPeer(peerId) || this.isPrivatePeer(peerId) || this.isPreferredPeer(peerId);
     }
     /**
    * Handles a goodbye received from a peer.
@@ -205,7 +331,7 @@ export class PeerManager {
    */ goodbyeReceived(peerId, reason) {
         this.logger.debug(`Goodbye received from peer ${peerId.toString()} with reason ${prettyGoodbyeReason(reason)}`);
         this.metrics.recordGoodbyeReceived(reason);
-        void this.disconnectPeer(peerId);
+        this.markPeerForDisconnect(peerId);
     }
     penalizePeer(peerId, penalty) {
         this.peerScoring.penalizePeer(peerId, penalty);
@@ -213,6 +339,10 @@ export class PeerManager {
     getPeerScore(peerId) {
         return this.peerScoring.getScore(peerId);
     }
+    shouldDisableP2PGossip(peerId) {
+        const isAuthenticated = this.isAuthenticatedPeer(peerIdFromString(peerId));
+        return (this.config.p2pAllowOnlyValidators ?? false) && !isAuthenticated;
+    }
     getPeers(includePending = false) {
         const connected = this.libP2PNode.getPeers().map((peer)=>({
                 id: peer.toString(),
@@ -243,17 +373,40 @@ export class PeerManager {
             ...cachedPeers
         ];
     }
+    isAuthenticatedPeer(peerId) {
+        const peerIdAsString = peerId.toString();
+        return this.privatePeers.has(peerIdAsString) || this.trustedPeers.has(peerIdAsString) || this.preferredPeers.has(peerIdAsString) || this.authenticatedPeerIdToValidatorAddress.has(peerIdAsString);
+    }
+    /*
+   * Checks whether peer is allowed to connect
+   *
+   * @param id: Address of the node or it's peerId
+   *
+   * @returns: True if node is allowed to connect, otherwise false
+   * */ isNodeAllowedToConnect(id) {
+        const entry = this.failedAuthHandshakes.get(id.toString());
+        if (!entry) {
+            return true;
+        }
+        // In case entry is too old, remove it and allow connection
+        if (this.dateProvider.now() - entry.lastFailureTimestamp > FAILED_AUTH_HANDSHAKE_EXPIRY_MS) {
+            this.failedAuthHandshakes.delete(id.toString());
+            return true;
+        }
+        return entry.count <= this.config.p2pMaxFailedAuthAttemptsAllowed;
+    }
     /**
    * Discovers peers.
    */ discover() {
         const connections = this.libP2PNode.getConnections();
         const healthyConnections = this.prioritizePeers(this.pruneUnhealthyPeers(this.getNonProtectedPeers(this.pruneDuplicatePeers(connections))));
         // Calculate how many connections we're looking to make
-        const peersToConnect = this.config.maxPeerCount - healthyConnections.length - this.trustedPeers.size;
+        const protectedPeerCount = this.getProtectedPeerCount();
+        const peersToConnect = this.config.maxPeerCount - healthyConnections.length - protectedPeerCount;
         const logLevel = this.heartbeatCounter % this.displayPeerCountsPeerHeartbeat === 0 ? 'info' : 'debug';
         this.logger[logLevel](`Connected to ${healthyConnections.length + this.trustedPeers.size} peers`, {
             discoveredConnections: healthyConnections.length,
-            protectedConnections: this.trustedPeers.size,
+            protectedConnections: protectedPeerCount,
             maxPeerCount: this.config.maxPeerCount,
             cachedPeers: this.cachedPeers.size,
             ...this.peerScoring.getStats()
@@ -265,10 +418,11 @@ export class PeerManager {
         }
         const cachedPeersToDial = [];
         const pendingDials = new Set(this.libP2PNode.getDialQueue().map((pendingDial)=>pendingDial.peerId?.toString()).filter(Boolean));
+        const now = this.dateProvider.now();
         for (const [id, peerData] of this.cachedPeers.entries()){
             // if already dialling or connected to, remove from cache
             if (pendingDials.has(id) || healthyConnections.some((conn)=>conn.remotePeer.equals(peerData.peerId)) || // if peer has been in cache for the max cache age, remove from cache
-            Date.now() - peerData.addedUnixMs > MAX_CACHED_PEER_AGE_MS) {
+            now - peerData.addedUnixMs > MAX_CACHED_PEER_AGE_MS) {
                 this.cachedPeers.delete(id);
             } else {
                 // cachedPeersToDial.set(id, enr);
@@ -291,6 +445,9 @@ export class PeerManager {
     getNonProtectedPeers(connections) {
         return connections.filter((conn)=>!this.isProtectedPeer(conn.remotePeer));
     }
+    getProtectedPeerCount() {
+        return this.trustedPeers.size + this.privatePeers.size + this.preferredPeers.size;
+    }
     pruneUnhealthyPeers(connections) {
         const connectedHealthyPeers = [];
         for (const peer of connections){
@@ -314,7 +471,8 @@ export class PeerManager {
    * @param connections - The list of connections to prune low scoring peers above the max peer count from.
    * @returns The pruned list of connections.
    */ prioritizePeers(connections) {
-        if (connections.length > this.config.maxPeerCount - this.trustedPeers.size) {
+        const protectedPeerCount = this.getProtectedPeerCount();
+        if (connections.length > this.config.maxPeerCount - protectedPeerCount) {
             // Sort the regular peer scores from highest to lowest
             const prioritizedConnections = connections.sort((connectionA, connectionB)=>{
                 const connectionScoreA = this.peerScoring.getScore(connectionA.remotePeer.toString());
@@ -322,7 +480,7 @@ export class PeerManager {
                 return connectionScoreB - connectionScoreA;
             });
             // Calculate how many regular peers we can keep
-            const peersToKeep = Math.max(0, this.config.maxPeerCount - this.trustedPeers.size);
+            const peersToKeep = Math.max(0, this.config.maxPeerCount - protectedPeerCount);
             // Disconnect from the lowest scoring regular connections that exceed our limit
             for (const conn of prioritizedConnections.slice(peersToKeep)){
                 void this.goodbyeAndDisconnectPeer(conn.remotePeer, GoodByeReason.MAX_PEERS);
@@ -380,16 +538,32 @@ export class PeerManager {
         } catch (error) {
             this.logger.debug(`Failed to send goodbye to peer ${peer.toString()}: ${error}`);
         } finally{
-            await this.disconnectPeer(peer);
+            this.markPeerForDisconnect(peer);
         }
     }
-    async disconnectPeer(peer) {
+    /*
+   * Marks peer to be disconnected on the next heartbeat
+   * */ markPeerForDisconnect(peer) {
+        const peerIdStr = peer.toString();
+        this.logger.debug(`Scheduling peer ${peerIdStr} for disconnection`);
+        this.peersToBeDisconnected.add(peerIdStr);
+    }
+    /**
+   * Performs the actual disconnection of a peer.
+   * This is called during heartbeat processing to avoid immediate disconnections.
+   *
+   * @returns True if peer was disconnect, otherwise false
+   */ async disconnectPeer(peer) {
+        const peerIdStr = peer.toString();
         try {
             await this.libP2PNode.hangUp(peer);
+            this.logger.debug(`Successfully disconnected peer ${peerIdStr}`);
+            return true;
         } catch (error) {
-            this.logger.debug(`Failed to disconnect peer ${peer.toString()}`, {
-                error: inspect(error)
+            this.logger.warn(`Failed to disconnect peer ${peerIdStr}`, {
+                error
             });
+            return false;
         }
     }
     /**
@@ -399,10 +573,15 @@ export class PeerManager {
         // Check that the peer has not already been banned
         const peerId = await enr.peerId();
         const peerIdString = peerId.toString();
+        // Don't attempt to connect to peers scheduled for disconnection
+        if (this.peersToBeDisconnected.has(peerIdString)) {
+            this.logger.trace(`Skipping peer scheduled for disconnection ${peerId}`);
+            return;
+        }
         // Check if peer is temporarily timed out
         const timedOutPeer = this.timedOutPeers.get(peerIdString);
         if (timedOutPeer) {
-            if (Date.now() < timedOutPeer.timeoutUntilMs) {
+            if (this.dateProvider.now() < timedOutPeer.timeoutUntilMs) {
                 this.logger.trace(`Skipping timed out peer ${peerId}`);
                 return;
             }
@@ -438,7 +617,7 @@ export class PeerManager {
             enr,
             multiaddrTcp,
             dialAttempts: 0,
-            addedUnixMs: Date.now()
+            addedUnixMs: this.dateProvider.now()
         };
         // Determine if we should dial immediately or not
         if (this.shouldDialPeer()) {
@@ -477,7 +656,7 @@ export class PeerManager {
                 // Add to timed out peers
                 this.timedOutPeers.set(id, {
                     peerId: id,
-                    timeoutUntilMs: Date.now() + FAILED_PEER_BAN_TIME_MS
+                    timeoutUntilMs: this.dateProvider.now() + FAILED_PEER_BAN_TIME_MS
                 });
             }
         }
@@ -509,6 +688,10 @@ export class PeerManager {
             }
         }
     }
+    async createStatusMessage() {
+        const syncSummary = (await this.worldStateSynchronizer.status()).syncSummary;
+        return StatusMessage.fromWorldStateSyncStatus(this.protocolVersion, syncSummary);
+    }
     /**
    * Performs status Handshake with the Peer
    * The way the protocol is designed is that each peer will call this method on newly established p2p connection.
@@ -520,29 +703,33 @@ export class PeerManager {
    * @param: peerId The Id of the peer to request the Status from.
    * */ async exchangeStatusHandshake(peerId) {
         try {
-            const syncSummary = (await this.worldStateSynchronizer.status()).syncSummary;
-            const ourStatus = StatusMessage.fromWorldStateSyncStatus(this.protocolVersion, syncSummary);
+            const ourStatus = await this.createStatusMessage();
             //Note: Technically we don't have to send out status to peer as well, but we do.
             //It will be easier to update protocol in the future this way if need be.
             this.logger.trace(`Initiating status handshake with peer ${peerId}`);
-            const { status, data } = await this.reqresp.sendRequestToPeer(peerId, ReqRespSubProtocol.STATUS, ourStatus.toBuffer());
-            const logData = {
-                peerId,
-                status: ReqRespStatus[status],
-                data: data ? bufferToHex(data) : undefined
-            };
+            const response = await this.reqresp.sendRequestToPeer(peerId, ReqRespSubProtocol.STATUS, ourStatus.toBuffer());
+            const { status } = response;
             if (status !== ReqRespStatus.SUCCESS) {
                 //TODO: maybe hard ban these peers in the future.
                 //We could allow this to happen up to N times, and then hard ban?
                 //Hard ban: Disallow connection via e.g. libp2p's Gater
-                this.logger.debug(`Disconnecting peer ${peerId} who failed to respond status handshake`, logData);
-                await this.disconnectPeer(peerId);
+                this.logger.debug(`Disconnecting peer ${peerId} who failed to respond status handshake`, {
+                    peerId,
+                    status: ReqRespStatus[status]
+                });
+                this.markPeerForDisconnect(peerId);
                 return;
             }
+            const { data } = response;
+            const logData = {
+                peerId,
+                status: ReqRespStatus[status],
+                data: data ? bufferToHex(data) : undefined
+            };
             const peerStatusMessage = StatusMessage.fromBuffer(data);
             if (!ourStatus.validate(peerStatusMessage)) {
                 this.logger.debug(`Disconnecting peer ${peerId} due to failed status handshake.`, logData);
-                await this.disconnectPeer(peerId);
+                this.markPeerForDisconnect(peerId);
                 return;
             }
             this.logger.debug(`Successfully completed status handshake with peer ${peerId}`, logData);
@@ -551,10 +738,113 @@ export class PeerManager {
             this.logger.debug(`Disconnecting peer ${peerId} due to error during status handshake: ${err.message ?? err}`, {
                 peerId
             });
-            await this.disconnectPeer(peerId);
+            this.markPeerForDisconnect(peerId);
         }
     }
     /**
+   * Performs auth Handshake with the Peer
+   * A superset of the status handshake. Also includes a challenge that needs to be signed by the peer's validator key.
+   * @param: peerId The Id of the peer to request the Status from.
+   * */ async exchangeAuthHandshake(peerId) {
+        const peerIdString = peerId.toString();
+        try {
+            const ourStatus = await this.createStatusMessage();
+            const authRequest = new AuthRequest(ourStatus, Fr.random());
+            // Note: Technically we don't have to send our status to peer as well, but we do.
+            // It will be easier to update protocol in the future this way if need be.
+            // We also need to send the challenge at least, so that the peer can sign it.
+            this.logger.debug(`Initiating auth handshake with peer ${peerId}`);
+            const response = await this.reqresp.sendRequestToPeer(peerId, ReqRespSubProtocol.AUTH, authRequest.toBuffer());
+            const { status } = response;
+            if (status !== ReqRespStatus.SUCCESS) {
+                this.logger.debug(`Disconnecting peer ${peerId} who failed to respond auth handshake`, {
+                    peerId,
+                    status: ReqRespStatus[status]
+                });
+                this.markAuthHandshakeFailed(peerId);
+                this.markPeerForDisconnect(peerId);
+                return;
+            }
+            const { data } = response;
+            const logData = {
+                peerId,
+                status: ReqRespStatus[status],
+                data: data ? bufferToHex(data) : undefined
+            };
+            const peerAuthResponse = AuthResponse.fromBuffer(data);
+            const peerStatusMessage = peerAuthResponse.status;
+            if (!ourStatus.validate(peerStatusMessage)) {
+                this.logger.debug(`Disconnecting peer ${peerId} due to failed status handshake as part of auth.`, logData);
+                this.markAuthHandshakeFailed(peerId);
+                this.markPeerForDisconnect(peerId);
+                return;
+            }
+            const hashToRecover = authRequest.getPayloadToSign();
+            const ethSignedHash = makeEthSignDigest(hashToRecover);
+            const sender = recoverAddress(ethSignedHash, peerAuthResponse.signature);
+            const registeredValidators = await this.epochCache.getRegisteredValidators();
+            const found = registeredValidators.find((v)=>v.toString() === sender.toString()) !== undefined;
+            if (!found) {
+                this.logger.debug(`Disconnecting peer ${peerId} due to failed auth handshake, peer is not a registered validator.`, {
+                    peerId,
+                    address: sender.toString()
+                });
+                this.markAuthHandshakeFailed(peerId);
+                this.markPeerForDisconnect(peerId);
+                return;
+            }
+            // Check to see that this validator address isn't already allocated to a different peer
+            const peerForAddress = this.authenticatedValidatorAddressToPeerId.get(sender.toString());
+            if (peerForAddress !== undefined && peerForAddress.toString() !== peerIdString) {
+                this.logger.debug(`Received auth for validator ${sender.toString()} from peer ${peerIdString}, but this validator is already authenticated to peer ${peerForAddress.toString()}`);
+                return;
+            }
+            this.markAuthHandshakeSuccess(peerId);
+            this.authenticatedPeerIdToValidatorAddress.set(peerIdString, sender);
+            this.authenticatedValidatorAddressToPeerId.set(sender.toString(), peerId);
+            this.logger.info(`Successfully completed auth handshake with peer ${peerId}, validator address ${sender.toString()}`, logData);
+        } catch (err) {
+            //TODO: maybe hard ban these peers in the future
+            this.logger.debug(`Disconnecting peer ${peerId} due to error during auth handshake: ${err.message ?? err}`, {
+                peerId
+            });
+            this.markAuthHandshakeFailed(peerId);
+            this.markPeerForDisconnect(peerId);
+        }
+    }
+    /*
+   * Marks when peer fails auth handshake
+   * */ markAuthHandshakeFailed(peerId) {
+        const now = this.dateProvider.now();
+        const peerIdStr = peerId.toString();
+        const existingEntry = this.failedAuthHandshakes.get(peerIdStr);
+        this.failedAuthHandshakes.set(peerIdStr, {
+            count: (existingEntry?.count || 0) + 1,
+            lastFailureTimestamp: now
+        });
+        const connections = this.libP2PNode.getConnections(peerId);
+        connections.forEach((conn)=>{
+            // We mark the IP address
+            const address = conn.remoteAddr.nodeAddress().address;
+            const existingAddressEntry = this.failedAuthHandshakes.get(address);
+            this.failedAuthHandshakes.set(address, {
+                count: (existingAddressEntry?.count || 0) + 1,
+                lastFailureTimestamp: now
+            });
+        });
+    }
+    /*
+   * Marks when peer exchanges auth handshake
+   * Removes any failed previous attempts
+   * */ markAuthHandshakeSuccess(peerId) {
+        this.failedAuthHandshakes.delete(peerId.toString());
+        const connections = this.libP2PNode.getConnections(peerId);
+        connections.forEach((conn)=>{
+            const address = conn.remoteAddr.nodeAddress().address;
+            this.failedAuthHandshakes.delete(address);
+        });
+    }
+    /**
    * Stops the peer manager.
    * Removing all event listeners.
    */ async stop() {
@@ -565,6 +855,46 @@ export class PeerManager {
         this.libP2PNode.removeEventListener(PeerEvent.CONNECTED, this.handlers.handleConnectedPeerEvent);
         this.libP2PNode.removeEventListener(PeerEvent.DISCONNECTED, this.handlers.handleDisconnectedPeerEvent);
     }
+    shouldTrustWithIdentity(peerId) {
+        return this.isProtectedPeer(peerId);
+    }
+    /**
+   * Performs auth request verification from peer. An auth request is valid if requested by an authorized peer (a peer we trust).
+   *
+   * @param: _authRequest - Auth request (unused)
+   * @param: peerId - The ID of the peer that requested the auth handshake
+   *
+   * @returns: StatusMessage if peer is trusted
+   *
+   * @throws: If peer is unauthorized
+   * */ async handleAuthRequestFromPeer(_authRequest, peerId) {
+        if (!this.shouldTrustWithIdentity(peerId)) {
+            this.logger.warn(`Received auth request from untrusted peer ${peerId.toString()}`);
+            throw new Error('Unauthorised');
+        }
+        this.logger.debug(`Received auth request from trusted peer ${peerId.toString()}`);
+        return await this.createStatusMessage();
+    }
+    async updateAuthenticatedPeers() {
+        const registeredValidators = await this.epochCache.getRegisteredValidators();
+        const validatorSet = new Set(registeredValidators.map((v)=>v.toString()));
+        const peersToDelete = new Set();
+        const addressesToDelete = new Set();
+        for (const [peer, address] of this.authenticatedPeerIdToValidatorAddress.entries()){
+            const addressString = address.toString();
+            if (!validatorSet.has(addressString)) {
+                peersToDelete.add(peer);
+                addressesToDelete.add(addressString);
+                this.logger.info(`Removing authentication for peer ${peer.toString()} at address ${addressString} due to no longer being a registered validator`);
+            }
+        }
+        for (const peer of peersToDelete){
+            this.authenticatedPeerIdToValidatorAddress.delete(peer);
+        }
+        for (const address of addressesToDelete){
+            this.authenticatedValidatorAddressToPeerId.delete(address);
+        }
+    }
 }
 _ts_decorate([
     trackSpan('PeerManager.heartbeat')

package/dest/services/reqresp/config.d.ts

@@ -1,7 +1,7 @@
 import { type ConfigMapping } from '@aztec/foundation/config';
-export declare const DEFAULT_INDIVIDUAL_REQUEST_TIMEOUT_MS = 2000;
-export declare const DEFAULT_OVERALL_REQUEST_TIMEOUT_MS = 4000;
-export declare const DEFAULT_REQRESP_DIAL_TIMEOUT_MS = 1000;
+export declare const DEFAULT_INDIVIDUAL_REQUEST_TIMEOUT_MS = 10000;
+export declare const DEFAULT_OVERALL_REQUEST_TIMEOUT_MS = 10000;
+export declare const DEFAULT_REQRESP_DIAL_TIMEOUT_MS = 5000;
 export declare const DEFAULT_OPTIMISTIC_NEGOTIATION = false;
 export declare const DEFAULT_P2P_REQRESP_CONFIG: P2PReqRespConfig;
 export interface P2PReqRespConfig {

package/dest/services/reqresp/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/services/reqresp/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,aAAa,EAA2C,MAAM,0BAA0B,CAAC;AAEvG,eAAO,MAAM,qCAAqC,OAAO,CAAC;AAC1D,eAAO,MAAM,kCAAkC,OAAO,CAAC;AACvD,eAAO,MAAM,+BAA+B,OAAO,CAAC;AACpD,eAAO,MAAM,8BAA8B,QAAQ,CAAC;AAGpD,eAAO,MAAM,0BAA0B,EAAE,gBAKxC,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAC/B,4DAA4D;IAC5D,uBAAuB,EAAE,MAAM,CAAC;IAEhC,uEAAuE;IACvE,0BAA0B,EAAE,MAAM,CAAC;IAEnC,kHAAkH;IAClH,wBAAwB,EAAE,OAAO,CAAC;IAElC,uEAAuE;IACvE,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,MAAM,gBAAgB,EAAE,aAAa,CAsBlF,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/services/reqresp/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,aAAa,EAA2C,MAAM,0BAA0B,CAAC;AAEvG,eAAO,MAAM,qCAAqC,QAAS,CAAC;AAC5D,eAAO,MAAM,kCAAkC,QAAS,CAAC;AACzD,eAAO,MAAM,+BAA+B,OAAQ,CAAC;AACrD,eAAO,MAAM,8BAA8B,QAAQ,CAAC;AAGpD,eAAO,MAAM,0BAA0B,EAAE,gBAKxC,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAC/B,4DAA4D;IAC5D,uBAAuB,EAAE,MAAM,CAAC;IAEhC,uEAAuE;IACvE,0BAA0B,EAAE,MAAM,CAAC;IAEnC,kHAAkH;IAClH,wBAAwB,EAAE,OAAO,CAAC;IAElC,uEAAuE;IACvE,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,MAAM,gBAAgB,EAAE,aAAa,CAsBlF,CAAC"}