@thirdweb-dev/service-utils 0.0.0-dev-f2d9bcd-20230713055621 → 0.0.0-dev-2666fdc-20230713214856

package/dist/thirdweb-dev-service-utils.esm.js

@@ -1,75 +1,115 @@
 import fetch from 'isomorphic-unfetch';
+import { createHash } from 'crypto';
 
-async function authorizeWorkerService(options) {
+const SERVICE_NAMES = ["bundler", "rpc", "storage"];
+const SERVICES = [{
+  name: "storage",
+  title: "Storage",
+  description: "IPFS Upload and Download",
+  actions: [{
+    name: "read",
+    title: "Download",
+    description: "Download a file from Storage"
+  }, {
+    name: "write",
+    title: "Upload",
+    description: "Upload a file to Storage"
+  }]
+}, {
+  name: "rpc",
+  title: "RPC",
+  description: "Accelerated RPC Edge",
+  // all actions allowed
+  actions: []
+}, {
+  name: "bundler",
+  title: "Smart Wallets",
+  description: "Bundler & Paymaster services",
+  // all actions allowed
+  actions: []
+}];
+
+async function authorizeCFWorkerService(options) {
+  const {
+    kvStore,
+    ctx,
+    authOptions,
+    serviceConfig,
+    validations
+  } = options;
+  const {
+    clientId
+  } = authOptions;
   let cachedKey;
-  if (!options.clientId) {
-    return {
-      authorized: false,
-      errorMessage: "The ClientId is missing. Make sure it is included with your Authorization Bearer request header.",
-      errorCode: "MISSING_CLIENT_ID",
-      statusCode: 422
-    };
-  }
 
   // first, check if the key is in KV
   try {
-    const kvKey = await options.kvStore.get(options.clientId);
+    const kvKey = await kvStore.get(clientId);
     if (kvKey) {
       cachedKey = JSON.parse(kvKey);
     }
   } catch (err) {
     // ignore JSON parse, assuming not valid
   }
-  const origin = options.headers.get("Origin") || "";
-  let originHost;
-  if (origin) {
-    try {
-      const originUrl = new URL(origin);
-      originHost = originUrl.host;
-    } catch (error) {
-      // ignore, will be verified by domains
-    }
-  }
   const updateKv = async keyData => {
-    options.kvStore.put(options.clientId, JSON.stringify(keyData), {
-      expirationTtl: options.authOpts.cacheTtl || 60
+    kvStore.put(clientId, JSON.stringify(keyData), {
+      expirationTtl: serviceConfig.cacheTtl || 60
     });
   };
-  return authorize(options.clientId, {
-    ...options.authOpts,
-    origin: originHost,
-    cachedKey,
-    onRefetchComplete: keyData => {
-      options?.ctx?.waitUntil(updateKv(keyData));
-    }
-  }, options.validations);
+  return authorize({
+    authOptions,
+    serviceConfig: {
+      ...serviceConfig,
+      cachedKey,
+      onRefetchComplete: keyData => {
+        ctx.waitUntil(updateKv(keyData));
+      }
+    },
+    validations
+  });
+}
+async function authorizeNodeService(options) {
+  const {
+    authOptions,
+    serviceConfig,
+    validations
+  } = options;
+  return authorize({
+    authOptions,
+    serviceConfig,
+    validations
+  });
+}
+function hashSecret(secret) {
+  return createHash("sha256").update(secret).digest("hex");
+}
+function hashClientId(secret) {
+  const hashed = createHash("sha256").update(secret).digest("hex");
+  return hashed.slice(0, 32);
 }
 
 /**
- * Authorizes a request for a given clientId
- *
- * @param clientId The String client id
- * @params authOpts The Object auth options
- *           origin - The String origin
- *           apiUrl - The String API URL
- *           scope - The ServiceName scope identifier
- *           cachedKey - The ApiKey (optional) cached key
- *           onRefetchComplete - The Func to trigger after key refetch from API
- * @params validations The Object of validations to run on a key
- *           serviceTargetAddresses - The Array (optional) of service target addresses to validate
- *           serviceActions - The Array (optional) of service actions to validate
+ * Authorizes a request for a given client ID
  *
  * @returns The Promise AuthorizationResponse
  */
-async function authorize(clientId, authOpts, validations) {
+async function authorize(options) {
   try {
+    const {
+      authOptions,
+      serviceConfig,
+      validations
+    } = options;
+    const {
+      clientId
+    } = authOptions;
     const {
       apiUrl,
-      origin,
       scope,
+      serviceKey,
       cachedKey,
       onRefetchComplete
-    } = authOpts;
+    } = serviceConfig;
     let keyData = cachedKey;
 
     // no cached key, re-fetch from API
@@ -77,8 +117,8 @@ async function authorize(clientId, authOpts, validations) {
       const response = await fetch(`${apiUrl}/v1/keys/use/?scope=${scope}&clientId=${clientId}`, {
         method: "GET",
         headers: {
-          "content-type": "application/json",
-          "x-service-api-key": authOpts.serviceAPIKey
+          "x-service-api-key": serviceKey,
+          "content-type": "application/json"
         }
       });
       const apiResponse = await response.json();
@@ -102,107 +142,22 @@ async function authorize(clientId, authOpts, validations) {
     //
     // Run validations
     //
-    const {
-      serviceActions,
-      serviceTargetAddresses
-    } = validations || {};
-
-    // validate domains
-    if (keyData.domains && keyData.domains?.length > 0) {
-      let originHost = "";
-      if (origin) {
-        try {
-          const originUrl = new URL(origin);
-          originHost = originUrl.host;
-        } catch (error) {
-          // ignore, will be verified by domains
-        }
-      }
-      if (
-      // find matching domain, or if all domains allowed
-      !keyData.domains.find(d => {
-        if (d === "*") {
-          return true;
-        }
-
-        // If the allowedDomain has a wildcard,
-        // we'll check that the ending of our domain matches the wildcard
-        if (d.startsWith("*.")) {
-          const wildcard = d.slice(2);
-          return originHost.endsWith(wildcard);
-        }
-
-        // If there's no wildcard, we'll check for an exact match
-        return d === originHost;
-      })) {
-        return {
-          authorized: false,
-          errorMessage: "The domain is not authorized for this key.",
-          errorCode: "DOMAIN_UNAUTHORIZED",
-          statusCode: 403
-        };
-      }
+    const authResponse = authAccess(authOptions, keyData);
+    if (!authResponse?.authorized) {
+      return authResponse;
     }
-
-    // validate services
-    if (keyData.services && keyData.services?.length > 0) {
-      const service = (keyData.services || []).find(srv => srv.name === scope);
-      if (!service) {
-        return {
-          authorized: false,
-          errorMessage: `The service "${scope}" is not authorized for this key.`,
-          errorCode: "SERVICE_UNAUTHORIZED",
-          statusCode: 403
-        };
-      }
-
-      // validate service actions
-      if (serviceActions) {
-        let unknownAction;
-        serviceActions.forEach(action => {
-          if (!service.actions.includes(action)) {
-            unknownAction = action;
-          }
-        });
-        if (unknownAction) {
-          return {
-            authorized: false,
-            errorMessage: `The service "${scope}" action "${unknownAction}" is not authorized for this key.`,
-            errorCode: "SERVICE_ACTION_UNAUTHORIZED",
-            statusCode: 403
-          };
-        }
-      }
-
-      // validate service target addresses
-      if (serviceTargetAddresses && !service.targetAddresses.find(addr => addr === "*" || serviceTargetAddresses.includes(addr))) {
-        return {
-          authorized: false,
-          errorMessage: `The service "${scope}" target address is not authorized for this key.`,
-          errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
-          statusCode: 403
-        };
-      }
+    const authzResponse = authzServices(validations, keyData, scope);
+    if (!authzResponse?.authorized) {
+      return authzResponse;
     }
+    // FIXME: validate bundleId
 
-    // validate bundleIds
-    // if (
-    //   bundleIds &&
-    //   !keyData.bundleIds.find((addr) => addr === "*" || bundleIds.includes(addr))
-    // ) {
-    //   return {
-    //     authorized: false,
-    //     errorMessage: `The service "${scope}" for BundlerIds ${bundleIds} is not authorized for this key.`,
-    //     errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
-    //     statusCode: 403,
-    //   };
-    // }
     return {
       authorized: true,
       data: keyData
     };
   } catch (err) {
-    console.error("Failed to authorize this key", err);
+    console.error("Failed to authorize this key.", err);
     return {
       authorized: false,
       errorMessage: "Internal error",
@@ -211,60 +166,116 @@ async function authorize(clientId, authOpts, validations) {
     };
   }
 }
-async function authorizeNodeService(options) {
-  if (!options.clientId) {
+function authAccess(authOptions, apiKey) {
+  const {
+    origin,
+    secretHash: providedSecretHash
+  } = authOptions;
+  const {
+    domains,
+    secretHash
+  } = apiKey;
+  if (providedSecretHash) {
+    if (secretHash !== providedSecretHash) {
+      return {
+        authorized: false,
+        errorMessage: "The secret is invalid.",
+        errorCode: "SECRET_INVALID",
+        statusCode: 401
+      };
+    }
     return {
-      authorized: false,
-      errorMessage: "The API key is missing. Make sure it is included with your Authorization Bearer request header.",
-      errorCode: "MISSING_API_KEY",
-      statusCode: 422
+      authorized: true
     };
   }
-  const origin = typeof options.headers["Origin"] === "string" ? options.headers["Origin"] : options.headers["Origin"]?.join("");
-  let originHost;
+
+  // validate domains
   if (origin) {
-    try {
-      const originUrl = new URL(origin);
-      originHost = originUrl.hostname;
-    } catch (error) {
-      // ignore, will be verified by domains
+    if (
+    // find matching domain, or if all domains allowed
+    domains.find(d => {
+      if (d === "*") {
+        return true;
+      }
+
+      // If the allowedDomain has a wildcard,
+      // we'll check that the ending of our domain matches the wildcard
+      if (d.startsWith("*.")) {
+        const domainRoot = d.slice(2);
+        return origin.endsWith(domainRoot);
+      }
+
+      // If there's no wildcard, we'll check for an exact match
+      return d === origin;
+    })) {
+      return {
+        authorized: true
+      };
     }
+    return {
+      authorized: false,
+      errorMessage: "The origin is not authorized for this key.",
+      errorCode: "ORIGIN_UNAUTHORIZED",
+      statusCode: 401
+    };
   }
-  return authorize(options.clientId, {
-    ...options.authOpts,
-    origin: originHost,
-    cachedKey: undefined
-  }, options.validations);
+
+  // FIXME: validate bundle id
+  return {
+    authorized: false,
+    errorMessage: "The keys are invalid.",
+    errorCode: "UNAUTHORIZED",
+    statusCode: 401
+  };
+}
+function authzServices(validations, apiKey, scope) {
+  const {
+    services
+  } = apiKey;
+  const {
+    serviceTargetAddresses,
+    serviceAction
+  } = validations;
+
+  // validate services
+  const service = services.find(srv => srv.name === scope);
+  if (!service) {
+    return {
+      authorized: false,
+      errorMessage: `The service "${scope}" is not authorized for this key.`,
+      errorCode: "SERVICE_UNAUTHORIZED",
+      statusCode: 403
+    };
+  }
+
+  // validate service actions
+  if (serviceAction) {
+    if (!service.actions.includes(serviceAction)) {
+      return {
+        authorized: false,
+        errorMessage: `The service "${scope}" action "${serviceAction}" is not authorized for this key.`,
+        errorCode: "SERVICE_ACTION_UNAUTHORIZED",
+        statusCode: 403
+      };
+    }
+  }
+
+  // validate service target addresses
+  if (serviceTargetAddresses && !service.targetAddresses.find(addr => addr === "*" || serviceTargetAddresses.includes(addr))) {
+    return {
+      authorized: false,
+      errorMessage: `The service "${scope}" target address is not authorized for this key.`,
+      errorCode: "SERVICE_TARGET_ADDRESS_UNAUTHORIZED",
+      statusCode: 403
+    };
+  }
+  return {
+    authorized: true
+  };
 }
 
-const SERVICES = [{
-  name: "storage",
-  title: "Storage",
-  description: "IPFS Upload and Download",
-  actions: [{
-    name: "read",
-    title: "Download",
-    description: "Download a file from Storage"
-  }, {
-    name: "write",
-    title: "Upload",
-    description: "Upload a file to Storage"
-  }]
-}, {
-  name: "rpc",
-  title: "RPC",
-  description: "Accelerated RPC Edge",
-  // all actions allowed
-  actions: []
-}, {
-  name: "bundler",
-  title: "Smart Wallets",
-  description: "Bundler & Paymaster services",
-  // all actions allowed
-  actions: []
-}];
 function getServiceByName(name) {
   return SERVICES.find(srv => srv.name === name);
 }
 
-export { SERVICES, authorizeNodeService, authorizeWorkerService, getServiceByName };
+export { SERVICES, SERVICE_NAMES, authorizeCFWorkerService, authorizeNodeService, getServiceByName, hashClientId, hashSecret };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thirdweb-dev/service-utils",
-  "version": "0.0.0-dev-f2d9bcd-20230713055621",
+  "version": "0.0.0-dev-2666fdc-20230713214856",
   "main": "dist/thirdweb-dev-service-utils.cjs.js",
   "module": "dist/thirdweb-dev-service-utils.esm.js",
   "exports": {