Refactor API handlers to include client IP and enhance session management

QSchlegel · QSchlegel · commit 58adc9759271 · 2025-12-15T13:26:06.000+01:00
- Updated multiple API routes to incorporate client IP retrieval for improved security and tracking.
- Refactored the createCaller function to include additional session parameters, enhancing user session management.
- Removed unnecessary client-side loading of MeshProvider, replacing it with a dynamic import to avoid SSR issues.
diff --git a/prisma/migrations/20251215090000_enable_rls_disable_postgrest/migration.sql b/prisma/migrations/20251215090000_enable_rls_disable_postgrest/migration.sql
@@ -0,0 +1,222 @@
+-- Enable Row Level Security (RLS) and deny-all policies for PostgREST roles
+-- This migration is designed for Supabase:
+-- - Blocks access for `anon` and `authenticated` roles (used by PostgREST)
+-- - Allows Prisma (using the service role) to continue bypassing RLS
+
+-- Helper comment:
+-- Pattern applied for each table:
+--   ALTER TABLE "TableName" ENABLE ROW LEVEL SECURITY;
+--   CREATE POLICY "deny_all_anon_TableName" ON "TableName"
+--     FOR ALL TO anon USING (false) WITH CHECK (false);
+--   CREATE POLICY "deny_all_authenticated_TableName" ON "TableName"
+--     FOR ALL TO authenticated USING (false) WITH CHECK (false);
+
+-- =========================
+-- User
+-- =========================
+ALTER TABLE "User" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_User" ON "User"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_User" ON "User"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Wallet
+-- =========================
+ALTER TABLE "Wallet" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Wallet" ON "Wallet"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Wallet" ON "Wallet"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Transaction
+-- =========================
+ALTER TABLE "Transaction" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Transaction" ON "Transaction"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Transaction" ON "Transaction"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Signable
+-- =========================
+ALTER TABLE "Signable" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Signable" ON "Signable"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Signable" ON "Signable"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- NewWallet
+-- =========================
+ALTER TABLE "NewWallet" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_NewWallet" ON "NewWallet"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_NewWallet" ON "NewWallet"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Nonce
+-- =========================
+ALTER TABLE "Nonce" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Nonce" ON "Nonce"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Nonce" ON "Nonce"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Ballot
+-- =========================
+ALTER TABLE "Ballot" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Ballot" ON "Ballot"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Ballot" ON "Ballot"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Proxy
+-- =========================
+ALTER TABLE "Proxy" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Proxy" ON "Proxy"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Proxy" ON "Proxy"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- BalanceSnapshot
+-- =========================
+ALTER TABLE "BalanceSnapshot" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_BalanceSnapshot" ON "BalanceSnapshot"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_BalanceSnapshot" ON "BalanceSnapshot"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Migration
+-- =========================
+ALTER TABLE "Migration" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Migration" ON "Migration"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Migration" ON "Migration"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- Crowdfund
+-- =========================
+-- Note: Crowdfund table exists in the database but is not defined in the current Prisma schema.
+-- We still enable RLS and deny-all policies to secure its PostgREST exposure.
+ALTER TABLE "Crowdfund" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon_Crowdfund" ON "Crowdfund"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated_Crowdfund" ON "Crowdfund"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+-- =========================
+-- _prisma_migrations (optional system table)
+-- =========================
+-- While Prisma typically manages this table without RLS, enabling RLS here
+-- and denying anon/authenticated helps ensure it is not exposed via PostgREST.
+ALTER TABLE "_prisma_migrations" ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "deny_all_anon__prisma_migrations" ON "_prisma_migrations"
+  FOR ALL
+  TO anon
+  USING (false)
+  WITH CHECK (false);
+
+CREATE POLICY "deny_all_authenticated__prisma_migrations" ON "_prisma_migrations"
+  FOR ALL
+  TO authenticated
+  USING (false)
+  WITH CHECK (false);
+
+
diff --git a/src/components/common/MeshProviderClient.tsx b/src/components/common/MeshProviderClient.tsx
@@ -0,0 +1,8 @@
+ "use client";
+
+import "@meshsdk/react/styles.css";
+import { MeshProvider } from "@meshsdk/react";
+
+export default MeshProvider;
+
+
diff --git a/src/pages/_app.tsx b/src/pages/_app.tsx
@@ -10,7 +10,6 @@ import dynamic from "next/dynamic";
 import { api } from "@/utils/api";
 
 import "@/styles/globals.css";
-import "@meshsdk/react/styles.css";
 import { Toaster } from "@/components/ui/toaster";
 import Metatags from "@/components/ui/metatags";
 import RootLayout from "@/components/common/overall-layout/layout";
@@ -20,9 +19,9 @@ import "swagger-ui-react/swagger-ui.css";
 import "../styles/swagger-overrides.css";
 
 // MeshProvider pulls in dependencies that assume a browser/webpack env.
-// Load it client-side only to avoid SSR/runtime issues in Next.js dev/SSR.
+// Load it client-side only (including its styles) to avoid SSR/runtime issues.
 const MeshProviderNoSSR = dynamic(
-  () => import("@meshsdk/react").then((m) => m.MeshProvider),
+  () => import("@/components/common/MeshProviderClient"),
   { ssr: false },
 );
 
diff --git a/src/pages/api/v1/freeUtxos.ts b/src/pages/api/v1/freeUtxos.ts
@@ -13,6 +13,7 @@ import { db } from "@/server/db";
 import { verifyJwt } from "@/lib/verifyJwt";
 import { DbWalletWithLegacy } from "@/types/wallet";
 import { applyRateLimit } from "@/lib/security/requestGuards";
+import { getClientIP } from "@/lib/security/rateLimit";
 
 export default async function handler(
   req: NextApiRequest,
@@ -50,7 +51,15 @@ export default async function handler(
     user: { id: payload.address },
     expires: new Date(Date.now() + 60 * 60 * 1000).toISOString(), // 1 hour from now
   };
-  const caller = createCaller({ db, session });
+
+  const caller = createCaller({
+    db,
+    session,
+    sessionAddress: payload.address,
+    sessionWallets: [payload.address],
+    primaryWallet: payload.address,
+    ip: getClientIP(req),
+  });
 
   const { walletId, address } = req.query;
 
diff --git a/src/pages/api/v1/nativeScript.ts b/src/pages/api/v1/nativeScript.ts
@@ -7,6 +7,7 @@ import { createCaller } from "@/server/api/root";
 import { db } from "@/server/db";
 import { DbWalletWithLegacy } from "@/types/wallet";
 import { applyRateLimit } from "@/lib/security/requestGuards";
+import { getClientIP } from "@/lib/security/rateLimit";
 
 export default async function handler(
   req: NextApiRequest,
@@ -58,7 +59,14 @@ export default async function handler(
       return res.status(403).json({ error: "Address mismatch" });
     }
 
-    const caller = createCaller({ db, session });
+    const caller = createCaller({
+      db,
+      session,
+      sessionAddress: payload.address,
+      sessionWallets: [payload.address],
+      primaryWallet: payload.address,
+      ip: getClientIP(req),
+    });
     const walletFetch: DbWallet | null = await caller.wallet.getWallet({ walletId, address });
     if (!walletFetch) {
       return res.status(404).json({ error: "Wallet not found" });
diff --git a/src/pages/api/v1/pendingTransactions.ts b/src/pages/api/v1/pendingTransactions.ts
@@ -4,6 +4,7 @@ import { createCaller } from "@/server/api/root";
 import { db } from "@/server/db";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { applyRateLimit } from "@/lib/security/requestGuards";
+import { getClientIP } from "@/lib/security/rateLimit";
 
 export default async function handler(
   req: NextApiRequest,
@@ -55,7 +56,14 @@ export default async function handler(
   }
 
   try {
-    const caller = createCaller({ db, session });
+    const caller = createCaller({
+      db,
+      session,
+      sessionAddress: payload.address,
+      sessionWallets: [payload.address],
+      primaryWallet: payload.address,
+      ip: getClientIP(req),
+    });
 
     const wallet = await caller.wallet.getWallet({ walletId, address });
     if (!wallet) {
diff --git a/src/pages/api/v1/signTransaction.ts b/src/pages/api/v1/signTransaction.ts
@@ -9,6 +9,7 @@ import { addressToNetwork } from "@/utils/multisigSDK";
 import { resolvePaymentKeyHash } from "@meshsdk/core";
 import { csl, calculateTxHash } from "@meshsdk/core-csl";
 import { applyRateLimit, enforceBodySize } from "@/lib/security/requestGuards";
+import { getClientIP } from "@/lib/security/rateLimit";
 
 function coerceBoolean(value: unknown, fallback = false): boolean {
   if (typeof value === "boolean") return value;
@@ -123,7 +124,14 @@ export default async function handler(
   }
 
   try {
-    const caller = createCaller({ db, session });
+    const caller = createCaller({
+      db,
+      session,
+      sessionAddress: payload.address,
+      sessionWallets: [payload.address],
+      primaryWallet: payload.address,
+      ip: getClientIP(req),
+    });
 
     const wallet = await caller.wallet.getWallet({ walletId, address });
     if (!wallet) {
diff --git a/src/pages/api/v1/walletIds.ts b/src/pages/api/v1/walletIds.ts
@@ -4,6 +4,7 @@ import { db } from "@/server/db";
 import { verifyJwt } from "@/lib/verifyJwt";
 import { cors, addCorsCacheBustingHeaders } from "@/lib/cors";
 import { applyRateLimit } from "@/lib/security/requestGuards";
+import { getClientIP } from "@/lib/security/rateLimit";
 
 export default async function handler(
   req: NextApiRequest,
@@ -41,7 +42,14 @@ export default async function handler(
     user: { id: payload.address },
     expires: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
   };
-  const caller = createCaller({ db, session });
+  const caller = createCaller({
+    db,
+    session,
+    sessionAddress: payload.address,
+    sessionWallets: [payload.address],
+    primaryWallet: payload.address,
+    ip: getClientIP(req),
+  });
 
   const { address } = req.query;
 
