Merge pull request #34 from kleros/feat/siwe-authentication-for-file-uploads-and-notifications

feat(web): add-siwe-authentication-for-file-uploads-and-notification-…

Author: jaybuidl

web/.gitignore

@@ -30,6 +30,7 @@ parcel-bundle-reports
 src/hooks/contracts
 src/graphql
 generatedGitInfo.json
+generatedNetlifyInfo.json
 
 # logs
 npm-debug.log*

web/netlify.toml

@@ -0,0 +1,14 @@
+## Yarn 3 cache does not work out of the box as of Jan 2022. Context:
+## https://github.com/netlify/build/issues/1535#issuecomment-1021947989
+[build.environment]
+NETLIFY_USE_YARN = "true"
+NETLIFY_YARN_WORKSPACES = "true"
+YARN_ENABLE_GLOBAL_CACHE = "true"
+# YARN_CACHE_FOLDER = "$HOME/.yarn_cache"
+# YARN_VERSION = "3.2.0"
+
+[functions]
+directory = "web/netlify/functions/"
+
+[dev]
+framework = "parcel"

web/netlify/functions/authUser.ts

@@ -0,0 +1,112 @@
+import middy from "@middy/core";
+import jsonBodyParser from "@middy/http-json-body-parser";
+import { createClient } from "@supabase/supabase-js";
+import * as jwt from "jose";
+import { SiweMessage } from "siwe";
+
+import { DEFAULT_CHAIN } from "consts/chains";
+import { ETH_SIGNATURE_REGEX } from "consts/index";
+
+import { netlifyUri, netlifyDeployUri, netlifyDeployPrimeUri } from "src/generatedNetlifyInfo.json";
+import { Database } from "src/types/supabase-notification";
+
+const authUser = async (event) => {
+  try {
+    if (!event.body) {
+      throw new Error("No body provided");
+    }
+
+    const signature = event?.body?.signature;
+    if (!signature) {
+      throw new Error("Missing key : signature");
+    }
+
+    if (!ETH_SIGNATURE_REGEX.test(signature)) {
+      throw new Error("Invalid signature");
+    }
+
+    const message = event?.body?.message;
+    if (!message) {
+      throw new Error("Missing key : message");
+    }
+
+    const address = event?.body?.address;
+    if (!address) {
+      throw new Error("Missing key : address");
+    }
+
+    const siweMessage = new SiweMessage(message);
+
+    if (
+      !(
+        (netlifyUri && netlifyUri === siweMessage.uri) ||
+        (netlifyDeployUri && netlifyDeployUri === siweMessage.uri) ||
+        (netlifyDeployPrimeUri && netlifyDeployPrimeUri === siweMessage.uri)
+      )
+    ) {
+      console.debug(
+        `Invalid URI: expected one of [${netlifyUri} ${netlifyDeployUri} ${netlifyDeployPrimeUri}] but got ${siweMessage.uri}`
+      );
+      throw new Error(`Invalid URI`);
+    }
+
+    if (siweMessage.chainId !== DEFAULT_CHAIN) {
+      console.debug(`Invalid chain ID: expected ${DEFAULT_CHAIN} but got ${siweMessage.chainId}`);
+      throw new Error(`Invalid chain ID`);
+    }
+
+    const lowerCaseAddress = siweMessage.address.toLowerCase();
+    if (lowerCaseAddress !== address.toLowerCase()) {
+      throw new Error("Address mismatch in provided address and message");
+    }
+
+    const supabase = createClient<Database>(process.env.SUPABASE_URL!, process.env.SUPABASE_CLIENT_API_KEY!);
+
+    // get nonce from db, if its null that means it was already used
+    const { error: nonceError, data: nonceData } = await supabase
+      .from("user-nonce")
+      .select("nonce")
+      .eq("address", lowerCaseAddress)
+      .single();
+
+    if (nonceError || !nonceData?.nonce) {
+      throw new Error("Unable to fetch nonce from DB");
+    }
+
+    try {
+      await siweMessage.verify({ signature, nonce: nonceData.nonce, time: new Date().toISOString() });
+    } catch (err) {
+      throw new Error("Invalid signer");
+    }
+
+    const { error } = await supabase.from("user-nonce").delete().match({ address: lowerCaseAddress });
+
+    if (error) {
+      throw new Error("Error updating nonce in DB");
+    }
+
+    const issuer = process.env.JWT_ISSUER ?? "Kleros"; // ex :- Kleros
+    const audience = process.env.JWT_AUDIENCE ?? "Curate"; // ex :- Court, Curate, Escrow
+    const authExp = process.env.JWT_EXP_TIME ?? "2h";
+    const secret = process.env.JWT_SECRET;
+
+    if (!secret) {
+      throw new Error("Secret not set in environment");
+    }
+    // user verified, generate auth token
+    const encodedSecret = new TextEncoder().encode(secret);
+
+    const token = await new jwt.SignJWT({ id: address.toLowerCase() })
+      .setProtectedHeader({ alg: "HS256" })
+      .setIssuer(issuer)
+      .setAudience(audience)
+      .setExpirationTime(authExp)
+      .sign(encodedSecret);
+
+    return { statusCode: 200, body: JSON.stringify({ message: "User authorised", token }) };
+  } catch (err) {
+    return { statusCode: 500, body: JSON.stringify({ message: `${err}` }) };
+  }
+};
+
+export const handler = middy(authUser).use(jsonBodyParser());

web/netlify/functions/fetch-settings.ts

@@ -0,0 +1,39 @@
+import middy from "@middy/core";
+import { createClient } from "@supabase/supabase-js";
+
+import { Database } from "../../src/types/supabase-notification";
+import { authMiddleware } from "../middleware/authMiddleware";
+
+const fetchSettings = async (event) => {
+  try {
+    const address = event.auth.id;
+    const lowerCaseAddress = address.toLowerCase() as `0x${string}`;
+
+    const supabaseUrl = process.env.SUPABASE_URL;
+    const supabaseApiKey = process.env.SUPABASE_CLIENT_API_KEY;
+
+    if (!supabaseUrl || !supabaseApiKey) {
+      throw new Error("Supabase URL or API key is undefined");
+    }
+    const supabase = createClient<Database>(supabaseUrl, supabaseApiKey);
+
+    const { error, data } = await supabase
+      .from("user-settings")
+      .select("address, email, telegram")
+      .eq("address", lowerCaseAddress)
+      .single();
+
+    if (!data) {
+      return { statusCode: 404, message: "Error : User not found" };
+    }
+
+    if (error) {
+      throw error;
+    }
+    return { statusCode: 200, body: JSON.stringify({ data }) };
+  } catch (err) {
+    return { statusCode: 500, message: `Error ${err?.message ?? err}` };
+  }
+};
+
+export const handler = middy(fetchSettings).use(authMiddleware());

web/netlify/functions/getNonce.ts

@@ -0,0 +1,56 @@
+import middy from "@middy/core";
+import { createClient } from "@supabase/supabase-js";
+import { generateNonce } from "siwe";
+
+import { ETH_ADDRESS_REGEX } from "src/consts";
+
+import { Database } from "../../src/types/supabase-notification";
+
+const getNonce = async (event) => {
+  try {
+    const { queryStringParameters } = event;
+
+    if (!queryStringParameters?.address) {
+      return {
+        statusCode: 400,
+        body: JSON.stringify({ message: "Invalid query parameters" }),
+      };
+    }
+
+    const { address } = queryStringParameters;
+
+    if (!ETH_ADDRESS_REGEX.test(address)) {
+      throw new Error("Invalid Ethereum address format");
+    }
+
+    const lowerCaseAddress = address.toLowerCase() as `0x${string}`;
+
+    const supabaseUrl = process.env.SUPABASE_URL;
+    const supabaseApiKey = process.env.SUPABASE_CLIENT_API_KEY;
+
+    if (!supabaseUrl || !supabaseApiKey) {
+      throw new Error("Supabase URL or API key is undefined");
+    }
+    const supabase = createClient<Database>(supabaseUrl, supabaseApiKey);
+
+    // generate nonce and save in db
+    const nonce = generateNonce();
+
+    const { error } = await supabase
+      .from("user-nonce")
+      .upsert({ address: lowerCaseAddress, nonce: nonce })
+      .eq("address", lowerCaseAddress);
+
+    if (error) {
+      throw error;
+    }
+
+    return { statusCode: 200, body: JSON.stringify({ nonce }) };
+  } catch (err) {
+    console.log(err);
+
+    return { statusCode: 500, message: `Error ${err?.message ?? err}` };
+  }
+};
+
+export const handler = middy(getNonce);

web/netlify/functions/update-settings.ts

@@ -0,0 +1,97 @@
+import middy from "@middy/core";
+import jsonBodyParser from "@middy/http-json-body-parser";
+import { createClient } from "@supabase/supabase-js";
+
+import { EMAIL_REGEX, TELEGRAM_REGEX, ETH_ADDRESS_REGEX } from "../../src/consts/index";
+import { Database } from "../../src/types/supabase-notification";
+import { authMiddleware } from "../middleware/authMiddleware";
+
+type NotificationSettings = {
+  email?: string;
+  telegram?: string;
+  address: `0x${string}`;
+};
+
+const validate = (input: any): NotificationSettings => {
+  const requiredKeys: (keyof NotificationSettings)[] = ["address"];
+  const optionalKeys: (keyof NotificationSettings)[] = ["email", "telegram"];
+  const receivedKeys = Object.keys(input);
+
+  for (const key of requiredKeys) {
+    if (!receivedKeys.includes(key)) {
+      throw new Error(`Missing key: ${key}`);
+    }
+  }
+
+  const allExpectedKeys = [...requiredKeys, ...optionalKeys];
+  for (const key of receivedKeys) {
+    if (!allExpectedKeys.includes(key as keyof NotificationSettings)) {
+      throw new Error(`Unexpected key: ${key}`);
+    }
+  }
+
+  const email = input.email ? input.email.trim() : "";
+  if (email && !EMAIL_REGEX.test(email)) {
+    throw new Error("Invalid email format");
+  }
+
+  const telegram = input.telegram ? input.telegram.trim() : "";
+  if (telegram && !TELEGRAM_REGEX.test(telegram)) {
+    throw new Error("Invalid Telegram username format");
+  }
+
+  if (!ETH_ADDRESS_REGEX.test(input.address)) {
+    throw new Error("Invalid Ethereum address format");
+  }
+
+  return {
+    email: input.email?.trim(),
+    telegram: input.telegram?.trim(),
+    address: input.address.trim().toLowerCase(),
+  };
+};
+
+const updateSettings = async (event) => {
+  try {
+    if (!event.body) {
+      throw new Error("No body provided");
+    }
+
+    const { email, telegram, address } = validate(event.body);
+    const lowerCaseAddress = address.toLowerCase() as `0x${string}`;
+
+    // Prevent using someone else's token
+    if (event?.auth?.id.toLowerCase() !== lowerCaseAddress) {
+      throw new Error("Unauthorised user");
+    }
+
+    const supabaseUrl = process.env.SUPABASE_URL;
+    const supabaseApiKey = process.env.SUPABASE_CLIENT_API_KEY;
+
+    if (!supabaseUrl || !supabaseApiKey) {
+      throw new Error("Supabase URL or API key is undefined");
+    }
+    const supabase = createClient<Database>(supabaseUrl, supabaseApiKey);
+
+    // If the message is empty, delete the user record
+    if (email === "" && telegram === "") {
+      const { error } = await supabase.from("user-settings").delete().match({ address: lowerCaseAddress });
+      if (error) throw error;
+      return { statusCode: 200, body: JSON.stringify({ message: "Record deleted successfully." }) };
+    }
+
+    // For a user matching this address, upsert the user record
+    const { error } = await supabase
+      .from("user-settings")
+      .upsert({ address: lowerCaseAddress, email: email, telegram: telegram })
+      .match({ address: lowerCaseAddress });
+    if (error) {
+      throw error;
+    }
+    return { statusCode: 200, body: JSON.stringify({ message: "Record updated successfully." }) };
+  } catch (err) {
+    return { statusCode: 500, body: JSON.stringify({ message: `${err}` }) };
+  }
+};
+
+export const handler = middy(updateSettings).use(jsonBodyParser()).use(authMiddleware());

web/netlify/functions/uploadToIPFS.ts

@@ -1,7 +1,8 @@
-import { Handler } from "@netlify/functions";
 import { File, FilebaseClient } from "@filebase/client";
 import amqp, { Connection } from "amqplib";
 import busboy from "busboy";
+import middy from "@middy/core";
+import { authMiddleware } from "../middleware/authMiddleware";
 
 const { FILEBASE_TOKEN, RABBITMQ_URL, FILEBASE_API_WRAPPER } = process.env;
 const filebase = new FilebaseClient({ token: FILEBASE_TOKEN ?? "" });
@@ -50,7 +51,7 @@ const parseMultipart = ({ headers, body, isBase64Encoded }) =>
     bb.end();
   });
 
-const pinToFilebase = async (data: FormData, dapp: string, operation: string): Promise<Array<string>> => {
+const pinToFilebase = async (data: FormData, operation: string): Promise<Array<string>> => {
   const cids = new Array<string>();
   for (const [_, dataElement] of Object.entries(data)) {
     if (dataElement.isFile) {
@@ -65,33 +66,21 @@ const pinToFilebase = async (data: FormData, dapp: string, operation: string): P
   return cids;
 };
 
-export const handler: Handler = async (event) => {
+export const uploadToIpfs = async (event) => {
   const { queryStringParameters } = event;
 
-  if (
-    !queryStringParameters ||
-    !queryStringParameters.dapp ||
-    !queryStringParameters.key ||
-    !queryStringParameters.operation
-  ) {
+  if (!queryStringParameters?.operation) {
     return {
       statusCode: 400,
-      body: JSON.stringify({ message: "Invalid query parameters" }),
+      body: JSON.stringify({ message: "Invalid query parameters, missing query : operation " }),
     };
   }
 
-  const { dapp, key, operation } = queryStringParameters;
-
-  if (key !== FILEBASE_API_WRAPPER) {
-    return {
-      statusCode: 403,
-      body: JSON.stringify({ message: "Invalid API key" }),
-    };
-  }
+  const { operation } = queryStringParameters;
 
   try {
     const parsed = await parseMultipart(event);
-    const cids = await pinToFilebase(parsed, dapp, operation);
+    const cids = await pinToFilebase(parsed, operation);
 
     return {
       statusCode: 200,
@@ -107,3 +96,5 @@ export const handler: Handler = async (event) => {
     };
   }
 };
+
+export const handler = middy(uploadToIpfs).use(authMiddleware());