Merge pull request #30 from windingtree/feat/node-trpc-auth

Node API authorization

Author: kostysh

package.json

@@ -73,22 +73,18 @@
   },
   "devDependencies": {
     "@types/node": "^18.15.11",
-    "@types/mocha": "^10.0.1",
-    "@types/chai": "^4.3.5",
     "@types/debug": "^4.1.8",
-    "@types/chai-as-promised": "^7.1.5",
     "@types/luxon": "^3.3.0",
-    "mocha": "^10.2.0",
-    "chai": "^4.3.7",
-    "chai-as-promised": "^7.1.1",
+    "@types/jsonwebtoken": "^9.0.2",
+    "@types/bcryptjs": "^2.4.2",
     "ts-node": "^10.9.1",
     "typescript": "^5.1.3",
-    "semantic-release": "^21.0.2",
+    "semantic-release": "^21.0.5",
     "semantic-release-cli": "^5.4.4",
     "@semantic-release/changelog": "^6.0.3",
-    "eslint": "^8.41.0",
-    "@typescript-eslint/eslint-plugin": "^5.59.11",
-    "@typescript-eslint/parser": "^5.59.11",
+    "eslint": "^8.43.0",
+    "@typescript-eslint/eslint-plugin": "^5.60.0",
+    "@typescript-eslint/parser": "^5.60.0",
     "prettier": "^2.8.8",
     "husky": "^8.0.3",
     "git-cz": "^4.9.0",
@@ -97,7 +93,7 @@
     "lint-staged": "^13.2.2",
     "c8": "^8.0.0",
     "typedoc": "^0.24.8",
-    "dotenv": "^16.1.4",
+    "dotenv": "^16.3.1",
     "vitest": "^0.32.2"
   },
   "dependencies": {
@@ -107,23 +103,28 @@
     "@chainsafe/libp2p-yamux": "^4.0.2",
     "@libp2p/mplex": "^8.0.3",
     "@libp2p/websockets": "^6.0.3",
-    "ethers": "^6.4.0",
-    "viem": "^1.0.7",
+    "viem": "^1.1.7",
     "luxon": "^3.3.0",
     "h3-js": "^4.1.0",
     "debug": "^4.3.4",
-    "@windingtree/contracts": "^1.0.0-beta.12"
+    "@windingtree/contracts": "^1.0.0-beta.12",
+    "@trpc/server": "^10.32.0",
+    "@trpc/client": "^10.32.0",
+    "jsonwebtoken": "^9.0.0",
+    "zod": "^3.21.4",
+    "bcryptjs": "^2.4.3"
   },
   "scripts": {
     "clean": "rm -rf ./lib",
     "build": "npm run clean && tsc -p ./tsconfig.build.json",
     "test": "vitest --run test",
+    "test:rel": "vitest related --run",
     "semantic-release": "semantic-release",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix && prettier --write .",
     "prepare": "husky install",
     "commit": "git-cz -S",
-    "coverage": "c8 --all --exclude coverage --exclude lib --exclude test yarn test && c8 report --all --exclude coverage --exclude lib --exclude test -r html",
+    "coverage": "c8 --all --exclude coverage --exclude lib --exclude test --exclude examples --exclude temp yarn test && c8 report -r html",
     "example:server": "node --experimental-specifier-resolution=node --loader ts-node/esm ./examples/server/index.ts",
     "example:client": "yarn --cwd ./examples/client dev",
     "example:node": "node --experimental-specifier-resolution=node --loader ts-node/esm ./examples/node/index.ts",

src/node/api/db.ts

@@ -0,0 +1,162 @@
+import { z } from 'zod';
+import { hash } from 'bcryptjs';
+import { Storage } from '../../storage/index.js';
+
+export { compare as comparePassword } from 'bcryptjs';
+
+/**
+ * Interface defining the properties of a User object stored in storage.
+ */
+export interface User {
+  /** The username of the user */
+  login: string;
+  /** The hashed password of the user */
+  hashedPassword: string;
+  /** Flag which indicate that the use is admin */
+  isAdmin?: boolean;
+  /** The optional JSON Web Token of the user */
+  jwt?: string;
+}
+
+/**
+ * Validation schema for user creation API input.
+ * It validates that the input contains a nonempty `login` and `password`.
+ */
+export const UserInputSchema = z.object({
+  login: z.string().nonempty(),
+  password: z.union([z.string().nonempty(), z.string().startsWith('0x')]),
+});
+
+/**
+ * Type definition for User registration input,
+ * inferred from UserInputSchema.
+ */
+export type UserInputType = z.infer<typeof UserInputSchema>;
+
+/**
+ * Interface defining the properties of UsersDb initialization options.
+ */
+export interface UsersDbOptions {
+  /** Instance of storage used for persisting the state of the API server */
+  storage: Storage;
+  /** Prefix used for the storage key to avoid potential key collisions */
+  prefix: string;
+}
+
+export class UsersDb {
+  /** Storage instance for persisting the state of the API server */
+  storage: Storage;
+  /** Specific key prefix for the storage key to avoid potential key collisions */
+  prefix: string;
+
+  /**
+   * Creates an instance of UsersDb.
+   * Initializes an instance of UsersDb with given options.
+   *
+   * @param {UsersDbOptions} options
+   * @memberof NodeApiServer
+   */
+  constructor(options: UsersDbOptions) {
+    const { storage, prefix } = options;
+
+    // TODO Validate NodeApiServerOptions
+
+    this.prefix = `${prefix}_api_users_`;
+    this.storage = storage;
+  }
+
+  /**
+   * Hashes the given password with the given salt.
+   *
+   * @static
+   * @param {string} password The password to be hashed
+   * @returns {string} The hashed password
+   * @memberof UsersDb
+   */
+  static async hashPassword(password: string): Promise<string> {
+    return await hash(password, 10);
+  }
+
+  /**
+   * Generates a prefixed login key
+   *
+   * @private
+   * @param {string} login The login for which the key is generated
+   * @returns {string} The prefixed login key
+   * @memberof UsersDb
+   */
+  private loginKey(login: string): string {
+    return `${this.prefix}${login}`;
+  }
+
+  /**
+   * Retrieves the user with the given login from storage.
+   *
+   * @param {string} login The login of the user to be retrieved
+   * @returns {Promise<User>} The User object associated with the given login
+   * @throws Will throw an error if the user is not found
+   * @memberof UsersDb
+   */
+  async get(login: string): Promise<User> {
+    const user = await this.storage.get<User>(this.loginKey(login));
+
+    if (!user) {
+      throw new Error(`User ${login} not found`);
+    }
+
+    return user;
+  }
+
+  /**
+   * Adds a new user to the storage.
+   *
+   * @param {string} login The login of the user to be added
+   * @param {string} password The password of the user to be added
+   * @param {boolean} [isAdmin] Option which indicate that the use is admin
+   * @returns {Promise<void>}
+   * @throws Will throw an error if a user with the same login already exists
+   * @memberof UsersDb
+   */
+  async add(login: string, password: string, isAdmin = false): Promise<void> {
+    const knownUser = await this.storage.get<User>(this.loginKey(login));
+
+    // Check if the user already exists
+    if (knownUser) {
+      throw new Error(`User ${login} already exists`);
+    }
+
+    // Save the user into the storage
+    await this.storage.set<User>(this.loginKey(login), {
+      login,
+      hashedPassword: await UsersDb.hashPassword(password),
+      isAdmin,
+    });
+  }
+
+  /**
+   * Updates the record of the user in the storage
+   *
+   * @param {User} user The user object
+   * @returns {Promise<void>}
+   * @memberof UsersDb
+   */
+  async set(user: User): Promise<void> {
+    await this.storage.set<User>(this.loginKey(user.login), user);
+  }
+
+  /**
+   * Deletes the user from storage
+   *
+   * @param {string} login The user login name
+   * @returns {Promise<void>}
+   * @throws Will throw an error if not possible to delete the user
+   * @memberof UsersDb
+   */
+  async delete(login: string): Promise<void> {
+    const deleted = await this.storage.delete(this.loginKey(login));
+
+    if (!deleted) {
+      throw new Error(`Unable to delete user ${login}`);
+    }
+  }
+}

src/node/api/index.ts

@@ -0,0 +1,4 @@
+export * from './db.js';
+export * from './server.js';
+export * from './router/admin.js';
+export * from './router/user.js';

src/node/api/router/admin.ts

@@ -0,0 +1,132 @@
+import { TRPCError } from '@trpc/server';
+import { Address, Hash, verifyTypedData } from 'viem';
+import { TypedDataDomain } from 'abitype';
+import { Account } from '../../../index.js';
+import { User, UserInputSchema } from '../db.js';
+import { router, procedure } from '../index.js';
+import { createLogger } from '../../../utils/logger.js';
+
+const logger = createLogger('AdminRouter');
+
+/**
+ * Typed domain for the admin signature
+ */
+export const adminDomain: TypedDataDomain = {
+  name: 'Admin',
+  version: '1',
+};
+
+/** EIP-712 JSON schema types for node API server auth operation */
+export const adminAuthEip712Types = {
+  Admin: [
+    {
+      name: 'signer',
+      type: 'address',
+    },
+  ],
+} as const;
+
+/**
+ * Create EIP-712 signature for checkIn/Out voucher
+ *
+ * @param {Account} account Ethereum local account
+ * @returns {Promise<Hash>}
+ */
+export const createAdminSignature = async (account: Account): Promise<Hash> =>
+  await account.signTypedData({
+    domain: adminDomain,
+    types: adminAuthEip712Types,
+    primaryType: 'Admin',
+    message: {
+      signer: account.address,
+    },
+  });
+
+/**
+ * Verification of the admins signature
+ *
+ * @param {Address} signer The address of admin account
+ * @param {Hash} signature Admins EIP-712 signature
+ * @returns {Promise<boolean>}
+ */
+export const verifyAdminSignature = async (
+  signer: Address,
+  signature: Hash,
+): Promise<boolean> =>
+  await verifyTypedData({
+    address: signer,
+    domain: adminDomain,
+    types: adminAuthEip712Types,
+    primaryType: 'Admin',
+    message: {
+      signer,
+    },
+    signature,
+  });
+
+/**
+ * A router defining procedures for admin management.
+ */
+export const adminRouter = router({
+  /**
+   * Register a new admin.
+   * Throws an error if the user already exists or signature provided is invalid.
+   */
+  register: procedure
+    .input(UserInputSchema)
+    .mutation(async ({ input, ctx }) => {
+      const { login, password } = input;
+      const { server } = ctx;
+
+      try {
+        if (
+          !server.ownerAccount ||
+          !(await verifyAdminSignature(server.ownerAccount, password as Hash))
+        ) {
+          throw new Error('Invalid signature');
+        }
+
+        await server.users.add(login, password, true);
+        logger.trace(`Admin registered`);
+      } catch (error) {
+        logger.error('admin.register', error);
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: (error as Error).message,
+        });
+      }
+    }),
+
+  /**
+   * Log in an existing admin.
+   * If successful, generates a new access token and sends it in the response.
+   */
+  login: procedure.input(UserInputSchema).mutation(async ({ input, ctx }) => {
+    const { login, password } = input;
+    const { server, updateAccessToken } = ctx;
+    let user: User;
+
+    try {
+      logger.trace(`Trying to log in admin ${login}`);
+      user = await server.users.get(login);
+    } catch (error) {
+      logger.error('admin.login', error);
+      throw new TRPCError({
+        code: 'BAD_REQUEST',
+        message: (error as Error).message,
+      });
+    }
+
+    if (
+      !server.ownerAccount ||
+      !(await verifyAdminSignature(server.ownerAccount, password as Hash))
+    ) {
+      throw new TRPCError({
+        code: 'UNAUTHORIZED',
+        message: 'Invalid signature',
+      });
+    }
+
+    await updateAccessToken(user);
+  }),
+});