feat: add bearer token auth for /decentralized and /rss routers (#436)

RSS3-Network · Aug 2, 2024 · ee2e96b · ee2e96b
1 parent 182001c
commit ee2e96b
Show file tree

Hide file tree

Showing 8 changed files with 104 additions and 16 deletions.
diff --git a/config/config.go b/config/config.go
@@ -81,6 +81,7 @@ type Operator struct {
 type Server struct {
 	Endpoint              string `mapstructure:"endpoint"`
 	GlobalIndexerEndpoint string `mapstructure:"global_indexer_endpoint"`
+	AccessToken           string `mapstructure:"access_token"`
 }
 
 type Component struct {

diff --git a/config/config_test.go b/config/config_test.go
@@ -28,6 +28,7 @@ discovery:
     server:
       endpoint: https://node.mydomain.com/
       global_indexer_endpoint: https://gi.rss3.dev/
+      access_token: test
 endpoints:
     ethereum:
       url: https://rpc.ankr.com/eth
@@ -98,7 +99,8 @@ component:
     },
     "server": {
       "endpoint": "https://node.mydomain.com/",
-      "global_indexer_endpoint": "https://gi.rss3.dev/"
+      "global_indexer_endpoint": "https://gi.rss3.dev/",
+      "access_token": "test"
     }
   },
   "database": {
@@ -184,6 +186,7 @@ url = "https://rpc.ankr.com/eth"
 [discovery.server]
 endpoint = "https://node.mydomain.com/"
 global_indexer_endpoint = "https://gi.rss3.dev/"
+access_token = "test"
 
 [database]
 driver = "cockroachdb"
@@ -262,6 +265,7 @@ var configFileExpected = &File{
 		Server: &Server{
 			Endpoint:              "https://node.mydomain.com/",
 			GlobalIndexerEndpoint: "https://gi.rss3.dev/",
+			AccessToken:           "test",
 		},
 	},
 	Component: &Component{

diff --git a/docs/openapi.json b/docs/openapi.json
@@ -24,6 +24,11 @@
                 "tags": [
                     "Decentralized"
                 ],
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ],
                 "parameters": [
                     {
                         "$ref": "#/components/parameters/activity_id_path"
@@ -58,6 +63,11 @@
                 "tags": [
                     "Decentralized"
                 ],
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ],
                 "parameters": [
                     {
                         "$ref": "#/components/parameters/account_path"
@@ -119,6 +129,11 @@
                 "tags": [
                     "Decentralized"
                 ],
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ],
                 "requestBody": {
                     "$ref": "#/components/requestBodies/BatchGetAccountsActivities"
                 },
@@ -142,6 +157,11 @@
                 "tags": [
                     "Decentralized"
                 ],
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ],
                 "parameters": [
                     {
                         "$ref": "#/components/parameters/network_path"
@@ -200,6 +220,11 @@
                 "tags": [
                     "Decentralized"
                 ],
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ],
                 "parameters": [
                     {
                         "$ref": "#/components/parameters/platform_path"
@@ -258,6 +283,11 @@
                 "tags": [
                     "RSS"
                 ],
+                "security": [
+                    {
+                        "bearerAuth": []
+                    }
+                ],
                 "parameters": [
                     {
                         "$ref": "#/components/parameters/rss_path"
@@ -321,6 +351,12 @@
         }
     },
     "components": {
+        "securitySchemes": {
+            "bearerAuth": {
+                "type": "http",
+                "scheme": "bearer"
+            }
+        },
         "parameters": {
             "activity_id_path": {
                 "description": "Retrieve details for the specified activity ID",

diff --git a/internal/node/broadcaster/broadcaster.go b/internal/node/broadcaster/broadcaster.go
@@ -16,12 +16,13 @@ import (
 
 func (b *Broadcaster) Register(ctx context.Context) error {
 	request := RegisterNodeRequest{
-		Address:   b.config.Discovery.Operator.EvmAddress,
-		Signature: b.config.Discovery.Operator.Signature,
-		Endpoint:  b.config.Discovery.Server.Endpoint,
-		Stream:    b.config.Stream,
-		Config:    b.config.Component,
-		Type:      b.config.Type,
+		Address:     b.config.Discovery.Operator.EvmAddress,
+		Signature:   b.config.Discovery.Operator.Signature,
+		Endpoint:    b.config.Discovery.Server.Endpoint,
+		AccessToken: b.config.Discovery.Server.AccessToken,
+		Stream:      b.config.Stream,
+		Config:      b.config.Component,
+		Type:        b.config.Type,
 	}
 
 	var response any
@@ -104,12 +105,13 @@ func (b *Broadcaster) sendRequest(ctx context.Context, path string, values url.V
 }
 
 type RegisterNodeRequest struct {
-	Address   common.Address    `json:"address" validate:"required"`
-	Signature string            `json:"signature" validate:"required"`
-	Endpoint  string            `json:"endpoint" validate:"required"`
-	Stream    *config.Stream    `json:"stream,omitempty"`
-	Config    *config.Component `json:"config,omitempty"`
-	Type      string            `json:"type" validate:"required"`
+	Address     common.Address    `json:"address" validate:"required"`
+	Signature   string            `json:"signature" validate:"required"`
+	Endpoint    string            `json:"endpoint" validate:"required"`
+	AccessToken string            `json:"access_token,omitempty"`
+	Stream      *config.Stream    `json:"stream,omitempty"`
+	Config      *config.Component `json:"config,omitempty"`
+	Type        string            `json:"type" validate:"required"`
 }
 
 type NodeHeartbeatRequest struct {

diff --git a/internal/node/component/decentralized/component.go b/internal/node/component/decentralized/component.go
@@ -12,6 +12,7 @@ import (
 	"github.com/rss3-network/node/internal/constant"
 	"github.com/rss3-network/node/internal/database"
 	"github.com/rss3-network/node/internal/node/component"
+	"github.com/rss3-network/node/internal/node/component/middleware"
 	"github.com/rss3-network/node/provider/ethereum/etherface"
 	"github.com/samber/lo"
 	"go.opentelemetry.io/otel"
@@ -55,6 +56,9 @@ func NewComponent(_ context.Context, apiServer *echo.Echo, config *config.File,
 
 	group := apiServer.Group(fmt.Sprintf("/%s", Name))
 
+	// Add middleware for bearer token authentication
+	group.Use(middleware.BearerAuth(config.Discovery.Server.AccessToken))
+
 	group.GET("/tx/:id", c.GetActivity)
 	group.GET("/:account", c.GetAccountActivities)
 	group.GET("/network/:network", c.GetNetworkActivities)

diff --git a/internal/node/component/middleware/auth.go b/internal/node/component/middleware/auth.go
@@ -0,0 +1,35 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/labstack/echo/v4"
+)
+
+// BearerAuth middleware for bearer token authentication
+func BearerAuth(accessToken string) echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			authHeader := c.Request().Header.Get("Authorization")
+			if authHeader == "" {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Missing Authorization header")
+			}
+
+			// Check if the header starts with "Bearer "
+			if !strings.HasPrefix(authHeader, "Bearer ") {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Invalid Authorization header format")
+			}
+
+			// Extract the token
+			token := strings.TrimPrefix(authHeader, "Bearer ")
+
+			// Verify the token
+			if token != accessToken {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Invalid access token")
+			}
+
+			return next(c)
+		}
+	}
+}
diff --git a/internal/node/component/rss/component.go b/internal/node/component/rss/component.go
@@ -9,6 +9,7 @@ import (
 	"github.com/rss3-network/node/config"
 	"github.com/rss3-network/node/internal/constant"
 	"github.com/rss3-network/node/internal/node/component"
+	"github.com/rss3-network/node/internal/node/component/middleware"
 	"github.com/rss3-network/node/schema/worker"
 	"github.com/rss3-network/protocol-go/schema/network"
 	"go.opentelemetry.io/otel"
@@ -18,6 +19,7 @@ import (
 )
 
 type Component struct {
+	config     *config.File
 	httpClient *http.Client
 	rsshub     *configx
 	counter    metric.Int64Counter
@@ -39,20 +41,24 @@ func (h *Component) Name() string {
 
 var _ component.Component = (*Component)(nil)
 
-func NewComponent(_ context.Context, apiServer *echo.Echo, config []*config.Module) component.Component {
+func NewComponent(_ context.Context, apiServer *echo.Echo, config *config.File) component.Component {
 	c := &Component{
+		config:     config,
 		httpClient: http.DefaultClient,
 	}
 
 	group := apiServer.Group(fmt.Sprintf("/%s", Name))
 
+	// Add middleware for bearer token authentication
+	group.Use(middleware.BearerAuth(config.Discovery.Server.AccessToken))
+
 	group.GET("/*", c.Handler)
 
 	if err := c.InitMeter(); err != nil {
 		panic(err)
 	}
 
-	for _, conf := range config {
+	for _, conf := range config.Component.RSS {
 		if conf.Network == network.RSS {
 			c.rsshub = &configx{
 				id:       conf.ID,

diff --git a/internal/node/node.go b/internal/node/node.go
@@ -74,7 +74,7 @@ func NewCoreService(ctx context.Context, config *config.File, databaseClient dat
 	node.components = append(node.components, &infoComponent)
 
 	if len(config.Component.RSS) > 0 {
-		rssComponent := rss.NewComponent(ctx, apiServer, config.Component.RSS)
+		rssComponent := rss.NewComponent(ctx, apiServer, config)
 		node.components = append(node.components, &rssComponent)
 	}