feat: Add security headers in response (#779)

* feat: Add security headers in response

* change order

* update cross-spawn package

* fix import

* wip

* fix cors, remove basic auth

* use const

* small updates

Author: arcoraven

package.json

@@ -32,7 +32,6 @@
     "@cloud-cryptographic-wallet/cloud-kms-signer": "^0.1.2",
     "@cloud-cryptographic-wallet/signer": "^0.0.5",
     "@ethersproject/json-wallets": "^5.7.0",
-    "@fastify/basic-auth": "^5.1.1",
     "@fastify/swagger": "^8.9.0",
     "@fastify/type-provider-typebox": "^3.2.0",
     "@fastify/websocket": "^8.2.0",
@@ -67,7 +66,6 @@
     "pg": "^8.11.3",
     "prisma": "^5.14.0",
     "prom-client": "^15.1.3",
-    "prool": "^0.0.16",
     "superjson": "^2.2.1",
     "thirdweb": "5.61.3",
     "uuid": "^9.0.1",
@@ -91,6 +89,7 @@
     "eslint-config-prettier": "^8.7.0",
     "openapi-typescript-codegen": "^0.25.0",
     "prettier": "^2.8.7",
+    "prool": "^0.0.16",
     "typescript": "^5.1.3",
     "vitest": "^2.0.3"
   },
@@ -112,6 +111,7 @@
     "elliptic": ">=6.6.0",
     "micromatch": ">=4.0.8",
     "secp256k1": ">=4.0.4",
-    "ws": ">=8.17.1"
+    "ws": ">=8.17.1",
+    "cross-spawn": ">=7.0.6"
   }
 }

src/server/index.ts

@@ -3,6 +3,7 @@ import fastify, { type FastifyInstance } from "fastify";
 import * as fs from "node:fs";
 import path from "node:path";
 import { URL } from "node:url";
+import { getConfig } from "../utils/cache/getConfig";
 import { clearCacheCron } from "../utils/cron/clearCacheCron";
 import { env } from "../utils/env";
 import { logger } from "../utils/logger";
@@ -15,9 +16,10 @@ import { withCors } from "./middleware/cors";
 import { withEnforceEngineMode } from "./middleware/engineMode";
 import { withErrorHandler } from "./middleware/error";
 import { withRequestLogs } from "./middleware/logs";
-import { withOpenApi } from "./middleware/open-api";
+import { withOpenApi } from "./middleware/openApi";
 import { withPrometheus } from "./middleware/prometheus";
 import { withRateLimit } from "./middleware/rateLimit";
+import { withSecurityHeaders } from "./middleware/securityHeaders";
 import { withWebSocket } from "./middleware/websocket";
 import { withRoutes } from "./routes";
 import { writeOpenApiToFile } from "./utils/openapi";
@@ -69,19 +71,23 @@ export const initServer = async () => {
     ...(env.ENABLE_HTTPS ? httpsObject : {}),
   }).withTypeProvider<TypeBoxTypeProvider>();
 
-  server.decorateRequest("corsPreflightEnabled", false);
+  const config = await getConfig();
 
-  await withCors(server);
-  await withRequestLogs(server);
-  await withPrometheus(server);
-  await withErrorHandler(server);
-  await withEnforceEngineMode(server);
-  await withRateLimit(server);
+  // Configure middleware
+  withErrorHandler(server);
+  withRequestLogs(server);
+  withSecurityHeaders(server);
+  withCors(server, config);
+  withRateLimit(server);
+  withEnforceEngineMode(server);
+  withServerUsageReporting(server);
+  withPrometheus(server);
+
+  // Register routes
   await withWebSocket(server);
   await withAuth(server);
   await withOpenApi(server);
   await withRoutes(server);
-  await withServerUsageReporting(server);
   await withAdminRoutes(server);
 
   await server.ready();

src/server/middleware/adminRoutes.ts

@@ -1,11 +1,10 @@
 import { createBullBoard } from "@bull-board/api";
 import { BullMQAdapter } from "@bull-board/api/bullMQAdapter";
 import { FastifyAdapter } from "@bull-board/fastify";
-import fastifyBasicAuth from "@fastify/basic-auth";
 import type { Queue } from "bullmq";
-import { timingSafeEqual } from "crypto";
 import type { FastifyInstance } from "fastify";
 import { StatusCodes } from "http-status-codes";
+import { timingSafeEqual } from "node:crypto";
 import { env } from "../../utils/env";
 import { CancelRecycledNoncesQueue } from "../../worker/queues/cancelRecycledNoncesQueue";
 import { MigratePostgresTransactionsQueue } from "../../worker/queues/migratePostgresTransactionsQueue";
@@ -19,7 +18,9 @@ import { SendTransactionQueue } from "../../worker/queues/sendTransactionQueue";
 import { SendWebhookQueue } from "../../worker/queues/sendWebhookQueue";
 
 export const ADMIN_QUEUES_BASEPATH = "/admin/queues";
+const ADMIN_ROUTES_USERNAME = "admin";
 const ADMIN_ROUTES_PASSWORD = env.THIRDWEB_API_SECRET_KEY;
+
 // Add queues to monitor here.
 const QUEUES: Queue[] = [
   SendWebhookQueue.q,
@@ -35,57 +36,59 @@ const QUEUES: Queue[] = [
 ];
 
 export const withAdminRoutes = async (fastify: FastifyInstance) => {
-  // Configure basic auth.
-  await fastify.register(fastifyBasicAuth, {
-    validate: (username, password, req, reply, done) => {
-      if (assertAdminBasicAuth(username, password)) {
-        done();
-        return;
-      }
-      done(new Error("Unauthorized"));
-    },
-    authenticate: true,
-  });
-
-  // Set up routes after Fastify is set up.
   fastify.after(async () => {
-    // Register bullboard UI.
+    // Create a new route for Bullboard routes.
     const serverAdapter = new FastifyAdapter();
     serverAdapter.setBasePath(ADMIN_QUEUES_BASEPATH);
 
     createBullBoard({
       queues: QUEUES.map((q) => new BullMQAdapter(q)),
       serverAdapter,
     });
+
     await fastify.register(serverAdapter.registerPlugin(), {
       basePath: ADMIN_QUEUES_BASEPATH,
       prefix: ADMIN_QUEUES_BASEPATH,
     });
 
-    // Apply basic auth only to admin routes.
-    fastify.addHook("onRequest", (req, reply, done) => {
+    fastify.addHook("onRequest", async (req, reply) => {
       if (req.url.startsWith(ADMIN_QUEUES_BASEPATH)) {
-        fastify.basicAuth(req, reply, (error) => {
-          if (error) {
-            reply
-              .status(StatusCodes.UNAUTHORIZED)
-              .send({ error: "Unauthorized" });
-            return done(error);
-          }
-        });
+        const authHeader = req.headers.authorization;
+
+        if (!authHeader || !authHeader.startsWith("Basic ")) {
+          reply
+            .status(StatusCodes.UNAUTHORIZED)
+            .header("WWW-Authenticate", 'Basic realm="Admin Routes"')
+            .send({ error: "Unauthorized" });
+          return;
+        }
+
+        // Parse the basic auth credentials (`Basic <base64 of username:password>`).
+        const base64Credentials = authHeader.split(" ")[1];
+        const credentials = Buffer.from(base64Credentials, "base64").toString(
+          "utf8",
+        );
+        const [username, password] = credentials.split(":");
+
+        if (!assertAdminBasicAuth(username, password)) {
+          reply
+            .status(StatusCodes.UNAUTHORIZED)
+            .header("WWW-Authenticate", 'Basic realm="Admin Routes"')
+            .send({ error: "Unauthorized" });
+          return;
+        }
       }
-      done();
     });
   });
 };
 
 const assertAdminBasicAuth = (username: string, password: string) => {
-  if (username === "admin") {
+  if (username === ADMIN_ROUTES_USERNAME) {
     try {
       const buf1 = Buffer.from(password.padEnd(100));
       const buf2 = Buffer.from(ADMIN_ROUTES_PASSWORD.padEnd(100));
       return timingSafeEqual(buf1, buf2);
-    } catch (e) {}
+    } catch {}
   }
   return false;
 };

src/server/middleware/auth.ts

@@ -25,7 +25,7 @@ import { logger } from "../../utils/logger";
 import { sendWebhookRequest } from "../../utils/webhook";
 import { Permission } from "../schemas/auth";
 import { ADMIN_QUEUES_BASEPATH } from "./adminRoutes";
-import { OPENAPI_ROUTES } from "./open-api";
+import { OPENAPI_ROUTES } from "./openApi";
 
 export type TAuthData = never;
 export type TAuthSession = { permissions: string };
@@ -43,7 +43,7 @@ declare module "fastify" {
   }
 }
 
-export const withAuth = async (server: FastifyInstance) => {
+export async function withAuth(server: FastifyInstance) {
   const config = await getConfig();
 
   // Configure the ThirdwebAuth fastify plugin
@@ -140,7 +140,7 @@ export const withAuth = async (server: FastifyInstance) => {
       message,
     });
   });
-};
+}
 
 export const onRequest = async ({
   req,

src/server/middleware/cors.ts

@@ -0,0 +1,95 @@
+import type { FastifyInstance } from "fastify";
+import type { ParsedConfig } from "../../schema/config";
+import { ADMIN_QUEUES_BASEPATH } from "./adminRoutes";
+
+const STANDARD_METHODS = "GET,POST,DELETE,PUT,PATCH,HEAD,PUT,PATCH,POST,DELETE";
+const DEFAULT_ALLOWED_HEADERS = [
+  "Authorization",
+  "Content-Type",
+  "ngrok-skip-browser-warning",
+];
+
+export function withCors(server: FastifyInstance, config: ParsedConfig) {
+  server.addHook("onRequest", async (request, reply) => {
+    const origin = request.headers.origin;
+
+    // Allow backend calls (no origin header).
+    if (!origin) {
+      return;
+    }
+
+    // Allow admin routes to be accessed from the same host.
+    if (request.url.startsWith(ADMIN_QUEUES_BASEPATH)) {
+      const host = request.headers.host;
+      const originHost = new URL(origin).host;
+      if (originHost !== host) {
+        reply.code(403).send({ error: "Invalid origin" });
+        return;
+      }
+      return;
+    }
+
+    const allowedOrigins = config.accessControlAllowOrigin
+      .split(",")
+      .map(sanitizeOrigin);
+
+    // Always set `Vary: Origin` to prevent caching issues even on invalid origins.
+    reply.header("Vary", "Origin");
+
+    if (isAllowedOrigin(origin, allowedOrigins)) {
+      // Set CORS headers if valid origin.
+      reply.header("Access-Control-Allow-Origin", origin);
+      reply.header("Access-Control-Allow-Methods", STANDARD_METHODS);
+
+      // Handle preflight requests
+      if (request.method === "OPTIONS") {
+        const requestedHeaders =
+          request.headers["access-control-request-headers"];
+        reply.header(
+          "Access-Control-Allow-Headers",
+          requestedHeaders ?? DEFAULT_ALLOWED_HEADERS.join(","),
+        );
+
+        reply.header("Cache-Control", "public, max-age=3600");
+        reply.header("Access-Control-Max-Age", "3600");
+        reply.code(204).send();
+        return;
+      }
+    } else {
+      reply.code(403).send({ error: "Invalid origin" });
+      return;
+    }
+  });
+}
+
+function isAllowedOrigin(origin: string, allowedOrigins: string[]) {
+  return (
+    allowedOrigins
+      // Check if the origin matches any allowed origins.
+      .some((allowed) => {
+        if (allowed === "https://thirdweb-preview.com") {
+          return /^https?:\/\/.*\.thirdweb-preview\.com$/.test(origin);
+        }
+        if (allowed === "https://thirdweb-dev.com") {
+          return /^https?:\/\/.*\.thirdweb-dev\.com$/.test(origin);
+        }
+
+        // Allow wildcards in the origin. For example "foo.example.com" matches "*.example.com"
+        if (allowed.includes("*")) {
+          const wildcardPattern = allowed.replace(/\*/g, ".*");
+          const regex = new RegExp(`^${wildcardPattern}$`);
+          return regex.test(origin);
+        }
+
+        // Otherwise check for an exact match.
+        return origin === allowed;
+      })
+  );
+}
+
+function sanitizeOrigin(origin: string) {
+  if (origin.endsWith("/")) {
+    return origin.slice(0, -1);
+  }
+  return origin;
+}