From a993ff60a1d337fb14f8de1c201d77ac89df2a72 Mon Sep 17 00:00:00 2001 From: Bryan Stitt Date: Sat, 18 Nov 2023 22:45:55 -0500 Subject: [PATCH] add internal_bearer_token to config --- web3_proxy/src/config.rs | 3 +++ web3_proxy/src/frontend/admin.rs | 5 ++++- web3_proxy/src/frontend/authorization.rs | 13 +++++++++++-- web3_proxy/src/frontend/users/mod.rs | 5 ++++- web3_proxy/src/frontend/users/payment.rs | 20 ++++++++++++++++---- web3_proxy/src/frontend/users/referral.rs | 17 +++++++++++++---- web3_proxy/src/frontend/users/rpc_keys.rs | 10 ++++++++-- web3_proxy/src/frontend/users/stats.rs | 12 +++++++++--- web3_proxy/src/frontend/users/subuser.rs | 13 ++++++++++--- web3_proxy/src/stats/influxdb_queries.rs | 5 ++++- 10 files changed, 82 insertions(+), 21 deletions(-) diff --git a/web3_proxy/src/config.rs b/web3_proxy/src/config.rs index aa2d54a2..7035256b 100644 --- a/web3_proxy/src/config.rs +++ b/web3_proxy/src/config.rs @@ -150,6 +150,9 @@ pub struct AppConfig { /// percentage to increase eth_estimateGas results. 100 == 100% pub gas_increase_percent: Option, + /// bearer token for internal requests. keep this secret + pub internal_bearer_token: Option, + /// Restrict user registration. /// None = no code needed pub invite_code: Option, diff --git a/web3_proxy/src/frontend/admin.rs b/web3_proxy/src/frontend/admin.rs index 6841dabf..134376f3 100644 --- a/web3_proxy/src/frontend/admin.rs +++ b/web3_proxy/src/frontend/admin.rs @@ -56,7 +56,10 @@ pub async fn admin_increase_balance( TypedHeader(Authorization(bearer)): TypedHeader>, Json(payload): Json, ) -> Web3ProxyResponse { - let caller = app.bearer_is_authorized(bearer).await?; + let caller = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; // Establish connections let db_conn = global_db_conn()?; diff --git a/web3_proxy/src/frontend/authorization.rs b/web3_proxy/src/frontend/authorization.rs index abffe00b..97fb19d3 100644 --- a/web3_proxy/src/frontend/authorization.rs 
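Review bot: The new `internal_bearer_token` field on `AppConfig` stores a credential as a plain optional value, and nothing in this hunk keeps it out of debug output or rejects a weak or empty value. The struct's derive list is outside the hunk; if it includes `Debug`, or if the config is logged at startup, the token would end up in logs, so a wrapper type whose `Debug` prints a redacted marker is worth considering. The doc comment could also state the handling expected of operators, for example `/// bearer token for internal requests. keep this secret: use a long random value and leave it unset rather than empty`.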
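Review bot: Every handler now has to turn the `None` (internal token) result into an error itself, as `admin_increase_balance` does here with `.ok_or(Web3ProxyError::InvalidUserKey)?`. A handler added later that forgets this, or that reads `None` as "no user restrictions", would accept the internal token with no user attached. The same lines are repeated in the hunks for users/mod.rs, payment.rs, referral.rs, rpc_keys.rs, stats.rs, subuser.rs and influxdb_queries.rs. A single method on `App` that returns the user or `InvalidUserKey` would keep that decision in one place, leaving `bearer_is_authorized` to the few callers meant to accept the internal token. The body of `admin_increase_balance` continues outside the hunk.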
+++ b/web3_proxy/src/frontend/authorization.rs @@ -614,7 +614,16 @@ impl App { /// Verify that the given bearer token and address are allowed to take the specified action. /// This includes concurrent request limiting. /// keep the semaphore alive until the user's request is entirely complete - pub async fn bearer_is_authorized(&self, bearer: Bearer) -> Web3ProxyResult { + pub async fn bearer_is_authorized( + &self, + bearer: Bearer, + ) -> Web3ProxyResult> { + if let Some(internal_token) = &self.config.internal_bearer_token { + if internal_token == bearer.token() { + return Ok(None); + } + } + // get the user id for this bearer token let user_bearer_token = UserBearerToken::try_from(bearer)?; @@ -631,7 +640,7 @@ impl App { .web3_context("fetching user from db by bearer token")? .web3_context("unknown bearer token")?; - Ok(user) + Ok(Some(user)) } pub async fn rate_limit_login( diff --git a/web3_proxy/src/frontend/users/mod.rs b/web3_proxy/src/frontend/users/mod.rs index ff652b93..7762365c 100644 --- a/web3_proxy/src/frontend/users/mod.rs +++ b/web3_proxy/src/frontend/users/mod.rs @@ -56,7 +56,10 @@ pub async fn user_post( TypedHeader(Authorization(bearer_token)): TypedHeader>, Json(payload): Json, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer_token).await?; + let user = app + .bearer_is_authorized(bearer_token) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let user_id = user.id; diff --git a/web3_proxy/src/frontend/users/payment.rs b/web3_proxy/src/frontend/users/payment.rs index 1f3cb162..d90dd298 100644 --- a/web3_proxy/src/frontend/users/payment.rs +++ b/web3_proxy/src/frontend/users/payment.rs 
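Review bot: The internal token is checked with `internal_token == bearer.token()`, an ordinary string equality that is not constant-time, so response timing can reveal how much of a guessed token matches; a constant-time byte comparison is the usual choice for a shared secret. An empty `internal_bearer_token` should also be treated as unset, e.g. `if !internal_token.is_empty() && internal_token == bearer.token() {`, so that a blank config value can never match. The doc comment above the signature still describes the old contract and should say what `Ok(None)` means, for example `/// Returns Ok(None) when the bearer is the configured internal token (no user row); callers must decide explicitly whether that is allowed.` The `impl App` block starts and ends outside the hunk.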
@@ -44,7 +44,10 @@ pub async fn user_balance_get( State(app): State>, TypedHeader(Authorization(bearer)): TypedHeader>, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; @@ -64,7 +67,10 @@ pub async fn user_chain_deposits_get( State(app): State>, TypedHeader(Authorization(bearer)): TypedHeader>, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; @@ -103,7 +109,10 @@ pub async fn user_stripe_deposits_get( State(app): State>, TypedHeader(Authorization(bearer)): TypedHeader>, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; @@ -146,7 +155,10 @@ pub async fn user_admin_deposits_get( State(app): State>, TypedHeader(Authorization(bearer)): TypedHeader>, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; diff --git a/web3_proxy/src/frontend/users/referral.rs b/web3_proxy/src/frontend/users/referral.rs index 2a6f7f1f..9055c44a 100644 --- a/web3_proxy/src/frontend/users/referral.rs +++ b/web3_proxy/src/frontend/users/referral.rs @@ -1,5 +1,5 @@ //! Handle registration, logins, and managing account data. -use crate::errors::Web3ProxyResponse; +use crate::errors::{Web3ProxyError, Web3ProxyResponse}; use crate::globals::global_db_conn; use crate::referral_code::ReferralCode; use crate::{app::App, globals::global_db_replica_conn}; 
@@ -34,7 +34,10 @@ pub async fn user_referral_link_get( Query(_params): Query>, ) -> Web3ProxyResponse { // First get the bearer token and check if the user is logged in - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; @@ -79,7 +82,10 @@ pub async fn user_used_referral_stats( Query(_params): Query>, ) -> Web3ProxyResponse { // First get the bearer token and check if the user is logged in - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; @@ -137,7 +143,10 @@ pub async fn user_shared_referral_stats( Query(_params): Query>, ) -> Web3ProxyResponse { // First get the bearer token and check if the user is logged in - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; diff --git a/web3_proxy/src/frontend/users/rpc_keys.rs b/web3_proxy/src/frontend/users/rpc_keys.rs index 5fada3c4..e5402586 100644 --- a/web3_proxy/src/frontend/users/rpc_keys.rs +++ b/web3_proxy/src/frontend/users/rpc_keys.rs @@ -31,7 +31,10 @@ pub async fn rpc_keys_get( State(app): State>, TypedHeader(Authorization(bearer)): TypedHeader>, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; 
@@ -160,7 +163,10 @@ pub async fn rpc_keys_management( ) -> Web3ProxyResponse { // TODO: is there a way we can know if this is a PUT or POST? right now we can modify or create keys with either. though that probably doesn't matter - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; diff --git a/web3_proxy/src/frontend/users/stats.rs b/web3_proxy/src/frontend/users/stats.rs index 71c16544..24ae8f57 100644 --- a/web3_proxy/src/frontend/users/stats.rs +++ b/web3_proxy/src/frontend/users/stats.rs @@ -1,6 +1,6 @@ //! Handle registration, logins, and managing account data. use crate::app::App; -use crate::errors::{Web3ProxyErrorContext, Web3ProxyResponse}; +use crate::errors::{Web3ProxyError, Web3ProxyErrorContext, Web3ProxyResponse}; use crate::globals::global_db_replica_conn; use crate::http_params::{ get_chain_id_from_params, get_page_from_params, get_query_start_from_params, @@ -32,7 +32,10 @@ pub async fn user_revert_logs_get( TypedHeader(Authorization(bearer)): TypedHeader>, Query(params): Query>, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let chain_id = get_chain_id_from_params(app.as_ref(), ¶ms)?; let query_start = get_query_start_from_params(¶ms)?; @@ -140,7 +143,10 @@ pub async fn user_mysql_stats_get( State(app): State>, TypedHeader(Authorization(bearer)): TypedHeader>, ) -> Web3ProxyResponse { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; // Fetch everything from mysql, joined diff --git a/web3_proxy/src/frontend/users/subuser.rs b/web3_proxy/src/frontend/users/subuser.rs index 81907bf5..6c22ffcf 100644 
--- a/web3_proxy/src/frontend/users/subuser.rs +++ b/web3_proxy/src/frontend/users/subuser.rs @@ -34,7 +34,10 @@ pub async fn get_keys_as_subuser( Query(_params): Query>, ) -> Web3ProxyResponse { // First, authenticate - let subuser = app.bearer_is_authorized(bearer).await?; + let subuser = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; @@ -99,7 +102,8 @@ pub async fn get_subusers( Query(mut params): Query>, ) -> Web3ProxyResponse { // First, authenticate - let user = app.bearer_is_authorized(bearer).await?; + let user = app.bearer_is_authorized(bearer).await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; @@ -171,7 +175,10 @@ pub async fn modify_subuser( Query(mut params): Query>, ) -> Web3ProxyResponse { // First, authenticate - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; let db_replica = global_db_replica_conn()?; diff --git a/web3_proxy/src/stats/influxdb_queries.rs b/web3_proxy/src/stats/influxdb_queries.rs index fd93c284..efa9933a 100644 --- a/web3_proxy/src/stats/influxdb_queries.rs +++ b/web3_proxy/src/stats/influxdb_queries.rs @@ -34,7 +34,10 @@ pub async fn query_user_influx_stats<'a>( ) -> Web3ProxyResponse { let caller_user = match bearer { Some(TypedHeader(Authorization(bearer))) => { - let user = app.bearer_is_authorized(bearer).await?; + let user = app + .bearer_is_authorized(bearer) + .await? + .ok_or(Web3ProxyError::InvalidUserKey)?; Some(user) }
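Review bot: In `query_user_influx_stats` a `None` `caller_user` presumably already means that no bearer header was sent, so the `Option` now returned by `bearer_is_authorized` must never be flattened into it, or an internal-token request would become indistinguishable from an anonymous one. The `.ok_or(Web3ProxyError::InvalidUserKey)?` added here avoids that today, but nothing in the code says why. A comment such as `// None here is the internal token, not an anonymous caller; reject it instead of merging it into caller_user` would protect the next edit. The `match` and the rest of the function continue outside the hunk.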