snarkos-node-rest 4.6.0

A REST API server for a decentralized virtual machine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

// Copyright (c) 2019-2026 Provable Inc.
// This file is part of the snarkOS library.

// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at:

// http://www.apache.org/licenses/LICENSE-2.0

// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

use snarkvm::prelude::*;

use ::time::OffsetDateTime;
use anyhow::{Result, anyhow};
use axum::{
    RequestPartsExt,
    body::Body,
    http::{Request, StatusCode},
    middleware::Next,
    response::{IntoResponse, Response},
};
use axum_extra::{
    TypedHeader,
    headers::authorization::{Authorization, Bearer},
};
use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation, decode, encode};
use once_cell::sync::OnceCell;
use serde::{Deserialize, Serialize};

/// The time a jwt token is valid for.
pub const EXPIRATION: i64 = 10 * 365 * 24 * 60 * 60; // 10 years.

/// The JWT secret for the REST server.
static JWT_SECRET: OnceCell<Vec<u8>> = OnceCell::new();

/// The Json web token claims.
#[derive(Debug, Deserialize, Serialize)]
pub struct Claims {
    /// The subject (user).
    sub: String,
    /// The UTC timestamp the token was issued at.
    iat: i64,
    /// Expiration time (as UTC timestamp).
    exp: i64,
}

impl Claims {
    pub fn new<N: Network>(address: Address<N>, jwt_secret: Option<Vec<u8>>, jwt_timestamp: Option<i64>) -> Self {
        if let Some(secret) = jwt_secret {
            JWT_SECRET.set(secret)
        } else {
            JWT_SECRET.set({
                let seed: [u8; 16] = ::rand::thread_rng().r#gen();
                seed.to_vec()
            })
        }
        .expect("Failed to set JWT secret: already initialized");

        let issued_at = jwt_timestamp.unwrap_or_else(|| OffsetDateTime::now_utc().unix_timestamp());
        let expiration = issued_at.saturating_add(EXPIRATION);

        Self { sub: address.to_string(), iat: issued_at, exp: expiration }
    }

    /// Returns the json web token string.
    pub fn to_jwt_string(&self) -> Result<String> {
        encode(&Header::default(), &self, &EncodingKey::from_secret(JWT_SECRET.get().unwrap())).map_err(|e| anyhow!(e))
    }
}

pub async fn auth_middleware(request: Request<Body>, next: Next) -> Result<Response, Response> {
    // If the JWT secret is not set, skip authentication.
    if JWT_SECRET.get().is_none() {
        return Ok(next.run(request).await);
    }

    // Deconstruct the request to extract the auth token.
    let (mut parts, body) = request.into_parts();
    let auth: TypedHeader<Authorization<Bearer>> =
        parts.extract().await.map_err(|_| StatusCode::UNAUTHORIZED.into_response())?;

    if let Err(err) = decode::<Claims>(
        auth.token(),
        &DecodingKey::from_secret(JWT_SECRET.get().unwrap()),
        &Validation::new(Algorithm::HS256),
    ) {
        warn!("Request authorization error: {err}");
        return Err(StatusCode::UNAUTHORIZED.into_response());
    }

    // Reconstruct the request.
    let request = Request::from_parts(parts, body);

    Ok(next.run(request).await)
}

#[cfg(test)]
mod tests {
    use super::*;
    use base64::prelude::*;
    use snarkvm::prelude::{Address, MainnetV0};

    #[test]
    fn check_const_jwt_value() {
        // Arbitrary input values to check against the expected value.
        let secret = "FVPjEPVAKh2f0EkRCpQkqA==";
        let timestamp = 174437065;

        let secret_bytes = BASE64_STANDARD.decode(secret).unwrap();

        // A fixed seed, as the address also forms part of the JWT.
        let mut rng = TestRng::fixed(12345);
        let pk = PrivateKey::<MainnetV0>::new(&mut rng).unwrap();
        let addr = Address::try_from(pk).unwrap();

        let claims = Claims::new(addr, Some(secret_bytes), Some(timestamp));
        let jwt_str = claims.to_jwt_string().unwrap();

        assert_eq!(
            jwt_str,
            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.\
            eyJzdWIiOiJhbGVvMTBrbmtlbHZuZDU1ZnNhYX\
            JtMjV3Y2g3cDlzdWYydHFsZ3d5NWs0bnh3bXM2\
            ZDI2Mnh5ZnFtMnRjY3IiLCJpYXQiOjE3NDQzNz\
            A2NSwiZXhwIjo0ODk3OTcwNjV9.HcTvPC7jQyq\
            NaPqsC2XHZl3Yji_OHxo5TyKLSKVxirI"
        );
    }
}