@powerhousedao/reactor-api 1.13.0 → 1.14.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@powerhousedao/reactor-api",
-  "version": "1.13.0",
+  "version": "1.14.1",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -17,12 +17,15 @@
     "@types/body-parser": "^1.19.5",
     "@types/cors": "^2.8.17",
     "@types/express": "^5.0.0",
+    "@types/jsonwebtoken": "^9.0.7",
+    "@types/ms": "^0.7.34",
+    "@types/node": "^20",
     "@types/pg": "^8.11.10",
     "esbuild": "^0.24.0",
     "graphql-tag": "^2.12.6",
-    "@powerhousedao/scalars": "1.15.0",
-    "document-drive": "1.12.1",
-    "document-model": "2.14.0"
+    "document-model": "2.15.0",
+    "document-drive": "1.13.1",
+    "@powerhousedao/scalars": "1.16.0"
   },
   "dependencies": {
     "@apollo/server": "^4.11.0",
@@ -32,17 +35,23 @@
     "@powerhousedao/analytics-engine-knex": "^0.4.0",
     "body-parser": "^1.20.3",
     "cors": "^2.8.5",
+    "dotenv": "^16.4.5",
     "drizzle-kit": "^0.25.0",
     "drizzle-orm": "^0.34.1",
     "express": "^4.21.1",
     "graphql": "^16.9.0",
     "graphql-request": "^6.1.0",
+    "jsonwebtoken": "^9.0.2",
     "knex": "^3.1.0",
     "knex-pglite": "^0.10.0",
+    "ms": "^2.1.3",
     "nanoevents": "^9.0.0",
     "pg": "^8.13.0",
+    "siwe": "^2.3.2",
     "uuid": "^9.0.1",
-    "document-model-libs": "1.124.0"
+    "wildcard-match": "^5.1.3",
+    "zod": "^3.24.1",
+    "document-model-libs": "1.125.1"
   },
   "scripts": {
     "build": "tsup",

package/src/subgraphs/auth/env/getters.ts

@@ -0,0 +1,30 @@
+import ms from "ms";
+
+export const getJwtSecret = (): string => {
+  if (!process.env.JWT_SECRET) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("JWT_SECRET is not defined");
+    }
+  }
+  return process.env.JWT_SECRET || "dev";
+};
+
+export const getJwtExpirationPeriod = (): string => {
+  if (!process.env.JWT_EXPIRATION_PERIOD) {
+    return "7d";
+  }
+  // check if number of seconds is provided
+  const expirationSeconds = Number(process.env.JWT_EXPIRATION_PERIOD);
+  if (!Number.isNaN(expirationSeconds)) {
+    // https://www.npmjs.com/package/jsonwebtoken for `expiresIn` format
+    return ms(expirationSeconds * 1000);
+  }
+  // check if a valid time string is provided
+  const expirationMs = ms(process.env.JWT_EXPIRATION_PERIOD);
+  if (!expirationMs) {
+    throw new Error(
+      "JWT_EXPIRATION_PERIOD must be a number of seconds or ms string",
+    );
+  }
+  return process.env.JWT_EXPIRATION_PERIOD;
+};

package/src/subgraphs/auth/env/index.ts

@@ -0,0 +1,15 @@
+import dotenv from "dotenv";
+import { getJwtExpirationPeriod, getJwtSecret } from "./getters";
+
+dotenv.config();
+
+export const JWT_SECRET = getJwtSecret();
+export const PORT = process.env.PORT ?? "3000";
+export const isDevelopment = process.env.NODE_ENV === "development";
+export const AUTH_SIGNUP_ENABLED = Boolean(process.env.AUTH_SIGNUP_ENABLED);
+export const JWT_EXPIRATION_PERIOD: string = getJwtExpirationPeriod();
+export const API_ORIGIN = process.env.API_ORIGIN || `http://localhost:${PORT}`;
+export const CORS_ORIGINS = process.env.ORIGINS?.split(",") ?? [
+  "https://studio.apollographql.com",
+  "https://ph-switchboard-nginx-prod-c84ebf8c6e3b.herokuapp.com",
+];

package/src/subgraphs/auth/index.ts

@@ -0,0 +1,323 @@
+import { GraphQLResolverMap } from "@apollo/subgraph/dist/schema-helper";
+import { generateUUID } from "document-drive";
+import { GraphQLError } from "graphql";
+import { gql } from "graphql-tag";
+import { SiweMessage } from "siwe";
+import { Db } from "src/types";
+import { Subgraph } from "../base";
+import { Context } from "../types";
+import { AuthContext, Challenge, Session, SessionInput } from "./types";
+import { generateTokenAndSession } from "./utils/helpers";
+import {
+  authenticate,
+  createAuthenticationSession,
+  verifySignature,
+} from "./utils/session";
+import { getUser, upsertUser } from "./utils/user";
+
+export class AuthSubgraph extends Subgraph {
+  name = "auth";
+  typeDefs = gql`
+    type Query {
+      me: User
+      sessions: [Session!]!
+    }
+
+    type Mutation {
+      createChallenge(address: String!): Challenge
+      solveChallenge(nonce: String!, signature: String!): SessionOutput
+      createSession(session: SessionInput!): SessionOutput
+      revokeSession(sessionId: String!): SessionOutput
+    }
+
+    type User {
+      address: String!
+      createdAt: DateTime!
+    }
+
+    type Challenge {
+      nonce: String!
+      message: String!
+      hex: String!
+    }
+
+    type SessionOutput {
+      id: ID!
+      token: String
+    }
+
+    type Session {
+      id: ID!
+      userId: String!
+      address: String!
+      expiresAt: DateTime!
+      createdAt: DateTime!
+      updatedAt: DateTime!
+      referenceTokenId: String!
+      createdBy: String!
+      referenceExpiryDate: DateTime
+      isUserCreated: Boolean!
+      name: String
+      allowedOrigins: String
+      revokedAt: DateTime
+    }
+
+    input SessionInput {
+      expiryDurationSeconds: Int
+      name: String!
+      allowedOrigins: String!
+    }
+  `;
+
+  resolvers: GraphQLResolverMap<AuthContext> = {
+    Query: {
+      me: async (_, __, ctx) => {
+        const db = ctx.db as Db;
+        const session = await authenticate(ctx);
+        const user = await getUser(db, session.createdBy);
+        return user;
+      },
+      sessions: async (_: unknown, __: unknown, ctx: Context) => {
+        const session = await authenticate(ctx);
+        const db = ctx.db as Db;
+        const sessions = await db<Session>("Session")
+          .select()
+          .where("createdBy", session.createdBy)
+          .orderBy("createdAt", "desc");
+        return sessions;
+      },
+    },
+    Mutation: {
+      createChallenge: async (
+        _: unknown,
+        { address }: { address: string },
+        ctx: Context,
+      ) => {
+        const db = ctx.db as Db;
+        const { API_ORIGIN } = process.env;
+
+        const origin = API_ORIGIN ?? "http://localhost:3000";
+        const domain = new URL(origin).hostname;
+
+        if (!domain) {
+          throw new GraphQLError("Invalid origin");
+        }
+
+        const nonce = generateUUID().replace(/-/g, "");
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call
+        const message = new SiweMessage({
+          address,
+          nonce,
+          uri: origin,
+          domain,
+          version: "1",
+          chainId: 1,
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+        }).prepareMessage();
+        const textToHex = (textMessage: string) =>
+          `0x${Buffer.from(textMessage, "utf8").toString("hex")}`;
+        if (!message || typeof message !== "string") {
+          throw new GraphQLError("Failed to create challenge");
+        }
+        const hexMessage = textToHex(message);
+
+        await db("Challenge").insert({
+          nonce,
+          message,
+          updatedAt: new Date().toISOString(),
+        });
+
+        return {
+          nonce,
+          message,
+          hex: hexMessage,
+        };
+      },
+      solveChallenge: async (
+        _: unknown,
+        { nonce, signature }: { nonce: string; signature: string },
+        ctx: Context,
+      ) => {
+        const db = ctx.db as Db;
+        const data = await db.transaction(async (tx) => {
+          const [challenge] = await tx<Challenge>("Challenge")
+            .select()
+            .where("nonce", nonce);
+
+          // check that challenge with this nonce exists
+          if (!challenge) {
+            throw new GraphQLError("The nonce is not known");
+          }
+
+          // check that challenge was not used
+          if (challenge.signature) {
+            throw new GraphQLError("The signature was already used");
+          }
+
+          // verify signature
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call
+          const parsedMessage = new SiweMessage(challenge.message);
+          try {
+            await verifySignature(parsedMessage, signature);
+          } catch (error) {
+            throw new GraphQLError("Signature validation has failed");
+          }
+
+          // mark challenge as used
+          await tx<Challenge>("Challenge")
+            .update({
+              signature,
+            })
+            .where("nonce", nonce);
+
+          // create user and session
+          const user = await upsertUser(db, {
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+            address: parsedMessage.address as `0x${string}`,
+            networkId: "1",
+            chainId: 1,
+          });
+
+          if (!user) {
+            throw new GraphQLError("User not found");
+          }
+
+          const tokenAndSession = await createAuthenticationSession(
+            db,
+            user.address,
+          );
+
+          return tokenAndSession;
+        });
+
+        return data;
+      },
+      createSession: async (
+        _: unknown,
+        { session }: { session: SessionInput },
+        ctx: Context,
+      ) => {
+        const db = ctx.db as Db;
+        const sessionAuth = await authenticate(ctx);
+        const tokenAndSession = await generateTokenAndSession(
+          db,
+          session,
+          sessionAuth.createdBy,
+          sessionAuth.isUserCreated,
+        );
+        if (!tokenAndSession) {
+          throw new GraphQLError("Failed to create session");
+        }
+        return tokenAndSession;
+      },
+      revokeSession: async (
+        _: unknown,
+        { sessionId }: { sessionId: string },
+        ctx: Context,
+      ): Promise<{ id: string }> => {
+        const user = await authenticate(ctx);
+        const db = ctx.db as Db;
+        const [session] = await db<Session>("Session").select().where({
+          id: sessionId,
+          createdBy: user.createdBy,
+        });
+
+        if (!session) {
+          throw new GraphQLError("Session not found", {
+            extensions: { code: "SESSION_NOT_FOUND" },
+          });
+        }
+        if (session.revokedAt !== null) {
+          throw new GraphQLError("Session already revoked", {
+            extensions: { code: "SESSION_ALREADY_REVOKED" },
+          });
+        }
+
+        await db<Session>("Session")
+          .update({
+            revokedAt: new Date().toISOString(),
+          })
+          .where({
+            id: sessionId,
+            createdBy: user.createdBy,
+          });
+
+        return { id: session.id };
+      },
+    },
+  };
+
+  async onSetup() {
+    await super.onSetup();
+    await this.#createTables();
+    this.subgraphManager.setAdditionalContextFields({
+      session: async (ctx: Context) => {
+        const bearerToken = ctx.headers.authorization?.split(" ")[1];
+        if (!bearerToken) {
+          return null;
+        }
+
+        // @todo: optimize and cache this
+        const db = ctx.db as Db;
+        const [session] = await db<Session>("Session")
+          .select()
+          .where({
+            referenceTokenId: bearerToken,
+          })
+          .limit(1);
+
+        return session;
+      },
+    });
+  }
+
+  async #createTables() {
+    if (!(await this.operationalStore.schema.hasTable("User"))) {
+      await this.operationalStore.schema.createTable("User", (table) => {
+        table.string("address").primary().notNullable();
+        table.timestamp("createdAt").notNullable().defaultTo(`now()`);
+        table.timestamp("updatedAt").notNullable().defaultTo(`now()`);
+      });
+    }
+
+    if (!(await this.operationalStore.schema.hasTable("Session"))) {
+      await this.operationalStore.schema.createTable("Session", (table) => {
+        table.string("id").primary().notNullable();
+        table.timestamp("createdAt").notNullable().defaultTo(`now()`);
+        table.string("createdBy").notNullable();
+        table.string("referenceExpiryDate");
+        table.string("name");
+        table.string("revokedAt");
+        table.string("referenceTokenId").notNullable();
+        table.boolean("isUserCreated").notNullable().defaultTo(false);
+        table.string("allowedOrigins").notNullable();
+
+        table.index(["createdBy", "id"], "Session_createdBy_id_key", {
+          indexType: "UNIQUE",
+          storageEngineIndexType: "btree",
+        });
+
+        table
+          .foreign("createdBy")
+          .references("User.address")
+          .onDelete("cascade")
+          .onUpdate("cascade");
+      });
+    }
+
+    if (!(await this.operationalStore.schema.hasTable("Challenge"))) {
+      await this.operationalStore.schema.createTable("Challenge", (table) => {
+        table.string("nonce").primary().notNullable();
+        table.string("message").notNullable();
+        table.string("signature");
+        table.timestamp("createdAt").notNullable().defaultTo(`now()`);
+        table.timestamp("updatedAt").notNullable();
+
+        table.index("nonce", "Challenge_message_key", {
+          indexType: "UNIQUE",
+          storageEngineIndexType: "btree",
+        });
+      });
+    }
+  }
+}

package/src/subgraphs/auth/types.ts

@@ -0,0 +1,39 @@
+import { Context } from "../types";
+
+export interface SessionInput {
+  name: string;
+  allowedOrigins: string[];
+  expiresAt?: string;
+}
+
+export interface SessionOutput {
+  session: Session;
+  token: string;
+}
+
+export interface Session {
+  id: string;
+  userId: string;
+  address: string;
+  name?: string;
+  expiresAt: string;
+  createdAt: string;
+  updatedAt: string;
+  revokedAt: string | null;
+  allowedOrigins: string;
+  referenceExpiryDate: string;
+  referenceTokenId: string;
+  isUserCreated: boolean;
+  createdBy: string;
+}
+
+export interface Challenge {
+  id: string;
+  nonce: string;
+  signature: string;
+  message: string;
+}
+
+export type AuthContext = Context & {
+  session: Session;
+};

package/src/subgraphs/auth/utils/helpers.ts

@@ -0,0 +1,136 @@
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-unsafe-member-access */
+/* eslint-disable @typescript-eslint/no-unsafe-call */
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+import { randomUUID } from "crypto";
+import { GraphQLError } from "graphql";
+import jwt from "jsonwebtoken";
+import ms from "ms";
+import wildcard from "wildcard-match";
+import z from "zod";
+import { Session, SessionInput } from "../types";
+import { JWT_EXPIRATION_PERIOD, JWT_SECRET } from "../env";
+import { Db } from "../../../utils/db";
+const jwtSchema = z.object({
+  sessionId: z.string(),
+  exp: z.optional(z.number()),
+});
+
+export const formatToken = (token: string) =>
+  `${token.slice(0, 4)}...${token.slice(-4)}`;
+
+/** Generate a JWT token
+ * - If expiryDurationSeconds is null, the token will never expire
+ * - If expiryDurationSeconds is undefined, the token will expire after the default expiry period
+ */
+const generateToken = (
+  sessionId: string,
+  expiryDurationSeconds?: number | null,
+): string => {
+  if (expiryDurationSeconds === null) {
+    return jwt.sign({ sessionId }, JWT_SECRET);
+  }
+
+  const expiresIn = expiryDurationSeconds
+    ? ms(expiryDurationSeconds * 1000)
+    : (JWT_EXPIRATION_PERIOD ?? 3600);
+  return jwt.sign({ sessionId }, JWT_SECRET, { expiresIn });
+};
+
+const getExpiryDateFromToken = (token: string): Date | null => {
+  const { exp } = jwtSchema.parse(jwt.verify(token, JWT_SECRET));
+  if (!exp) {
+    return null;
+  }
+  return new Date(exp * 1000);
+};
+
+export const verifyToken = (
+  token: string,
+): { sessionId: string } | undefined => {
+  const verified = jwt.verify(token, JWT_SECRET, (err, decoded) => {
+    if (err) {
+      throw new GraphQLError(
+        err.name === "TokenExpiredError"
+          ? "Token expired"
+          : "Invalid authentication token",
+        { extensions: { code: "AUTHENTICATION_TOKEN_ERROR" } },
+      );
+    }
+    return decoded;
+  }) as { sessionId: string } | undefined;
+  if (!verified) {
+    return undefined;
+  }
+  const validated = jwtSchema.parse(verified);
+  return validated;
+};
+
+function parseOriginMarkup(originParam: string): string {
+  if (originParam === "*") {
+    return "*";
+  }
+  const trimmedOriginParam = originParam.trim();
+  const origins = trimmedOriginParam.split(",").map((origin) => origin.trim());
+  origins.forEach((origin) => {
+    if (!origin.startsWith("http://") && !origin.startsWith("https://")) {
+      throw new GraphQLError("Origin must start with 'http://' or 'https://'", {
+        extensions: { code: "INVALID_ORIGIN_PROTOCOL" },
+      });
+    }
+  });
+  return origins.join(",");
+}
+
+export function validateOriginAgainstAllowed(
+  allowedOrigins: string,
+  originReceived?: string,
+) {
+  if (allowedOrigins === "*") {
+    return;
+  }
+  if (!originReceived) {
+    throw new GraphQLError("Origin not provided", {
+      extensions: { code: "ORIGIN_HEADER_MISSING" },
+    });
+  }
+  const allowedOriginsSplit = allowedOrigins.split(",");
+  if (!wildcard(allowedOriginsSplit)(originReceived)) {
+    throw new GraphQLError(
+      `Access denied due to origin restriction: ${allowedOrigins}, ${originReceived}`,
+      {
+        extensions: { code: "ORIGIN_FORBIDDEN" },
+      },
+    );
+  }
+}
+
+export const generateTokenAndSession = async (
+  db: Db,
+  session: SessionInput,
+  userId: string,
+  isUserCreated: boolean,
+) => {
+  const sessionId = randomUUID();
+  const generatedToken = generateToken(sessionId, Number(session.expiresAt));
+  const referenceExpiryDate = getExpiryDateFromToken(generatedToken);
+  const referenceTokenId = formatToken(generatedToken);
+  const allowedOrigins = parseOriginMarkup(
+    Array.isArray(session.allowedOrigins)
+      ? session.allowedOrigins.join(",")
+      : session.allowedOrigins,
+  );
+  const createdSession = await db<Session>("Session").insert({
+    id: sessionId,
+    name: session.name,
+    allowedOrigins,
+    referenceExpiryDate: referenceExpiryDate?.toISOString(),
+    referenceTokenId,
+    isUserCreated: isUserCreated,
+    createdBy: userId,
+  });
+  return {
+    token: generatedToken,
+    session: createdSession,
+  };
+};