feat: enforce jwt authentication for moderation endpoints

Author: Villaquiranm

packages/api-main/src/index.ts

@@ -4,6 +4,7 @@ import { Elysia } from 'elysia';
 
 import * as GetRequests from './gets/index';
 import * as PostRequests from './posts/index';
+import { verifyJWT } from './shared/jwt';
 import { useConfig } from './config';
 
 const config = useConfig();
@@ -42,19 +43,24 @@ function startWriteOnlyServer() {
     app.post('/dislike', ({ body }) => PostRequests.Dislike(body), { body: PostRequests.DislikeBody });
     app.post('/flag', ({ body }) => PostRequests.Flag(body), { body: PostRequests.FlagBody });
     app.post('/post-remove', ({ body }) => PostRequests.PostRemove(body), { body: PostRequests.PostRemoveBody });
-    app.post('/mod/post-remove', ({ body }) => PostRequests.ModRemovePost(body), {
-        body: PostRequests.ModRemovePostBody,
-    });
-    app.post('/mod/post-restore', ({ body }) => PostRequests.ModRestorePost(body), {
-        body: PostRequests.ModRemovePostBody,
-    });
-    app.post('/mod/ban', ({ body }) => PostRequests.ModBan(body), {
-        body: PostRequests.ModBanBody,
-    });
-    app.post('/mod/unban', ({ body }) => PostRequests.ModUnban(body), {
-        body: PostRequests.ModBanBody,
-    });
 
+    // Protected route group
+    app.group('/mod', group =>
+        group
+            .onBeforeHandle(verifyJWT)
+            .post('/post-remove', ({ body }) => PostRequests.ModRemovePost(body), {
+                body: PostRequests.ModRemovePostBody,
+            })
+            .post('/post-restore', ({ body }) => PostRequests.ModRestorePost(body), {
+                body: PostRequests.ModRemovePostBody,
+            })
+            .post('/ban', ({ body }) => PostRequests.ModBan(body), {
+                body: PostRequests.ModBanBody,
+            })
+            .post('/unban', ({ body }) => PostRequests.ModUnban(body), {
+                body: PostRequests.ModBanBody,
+            }),
+    );
     app.listen(config.WRITE_ONLY_PORT ?? 3001);
     console.log(`[API Write Only] Running on ${config.WRITE_ONLY_PORT ?? 3001}`);
 }

packages/api-main/src/shared/jwt.ts

@@ -0,0 +1,18 @@
+import jwt from 'jsonwebtoken';
+
+import { secretKey } from './useUserAuth';
+
+export const verifyJWT = async ({ request }) => {
+    const authHeader = request.headers.get('authorization');
+
+    if (!authHeader?.startsWith('Bearer ')) {
+        return { status: 401, error: 'Unauthorized: No token' };
+    }
+
+    const token = authHeader.split(' ')[1];
+    const tokenData = await jwt.verify(token, secretKey);
+
+    if (!tokenData) {
+        return { status: 401, error: 'Unauthorized: Invalid token' };
+    }
+};

packages/api-main/src/shared/useUserAuth.ts

@@ -7,7 +7,7 @@ import jwt from 'jsonwebtoken';
 
 const expirationTime = 60_000 * 5;
 const requests: { [publicKey: string]: string } = {};
-const secretKey = 'temp-key-need-to-config-this';
+export const secretKey = 'temp-key-need-to-config-this';
 
 let id = 0;
 

packages/api-main/tests/shared.ts

@@ -20,10 +20,22 @@ export async function get<T>(endpoint: string, port: 'WRITE' | 'READ' = 'READ')
     return jsonData as T;
 }
 
-export async function post<T = { status: number }>(endpoint: string, body: object, port: 'WRITE' | 'READ' = 'WRITE') {
+export async function post<T = { status: number }>(
+    endpoint: string,
+    body: object,
+    port: 'WRITE' | 'READ' = 'WRITE',
+    token?: string,
+): Promise<T | null> {
+    const headers: Record<string, string> = {
+        'Content-Type': 'application/json',
+    };
+
+    if (token) {
+        headers['authorization'] = `Bearer ${token}`;
+    }
     const response = await fetch(`http://localhost:${port === 'WRITE' ? 3001 : 3000}/v1/${endpoint}`, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers,
         body: JSON.stringify({ ...body }),
     }).catch((err) => {
         console.error(err);

packages/api-main/tests/v1.test.ts

@@ -411,13 +411,35 @@ describe('v1 - mod', { sequential: true }, () => {
         = 'hello world, this is a really intereresting post $@!($)@!()@!$21,4214,12,42142,14,12,421,';
     const postHash = getRandomHash();
     const secondPostHash = getRandomHash();
+    let bearerToken: string;
 
     it('EMPTY ALL TABLES', async () => {
         for (const tableName of tables) {
             await getDatabase().execute(sql`TRUNCATE TABLE ${sql.raw(tableName)};`);
         }
     });
 
+    it('POST mod obtain bearer token', async () => {
+        const walletA = await createWallet();
+        const body: typeof Posts.AuthCreateBody.static = {
+            address: walletA.publicKey,
+        };
+
+        const response = (await post(`auth-create`, body, 'READ')) as { status: 200; id: number; message: string };
+        assert.isOk(response?.status === 200, 'response was not okay');
+
+        const signData = await signADR36Document(walletA.mnemonic, response.message);
+        const verifyBody: typeof Posts.AuthBody.static = {
+            id: response.id,
+            ...signData.signature,
+        };
+
+        const responseVerify = (await post(`auth`, verifyBody, 'READ')) as { status: 200; bearer: string };
+        assert.isOk(responseVerify?.status === 200, 'response was not verified and confirmed okay');
+        assert.isOk(responseVerify.bearer.length >= 1, 'bearer was not passed back');
+        bearerToken = responseVerify.bearer;
+    });
+
     it('POST - /post', async () => {
         const body: typeof Posts.PostBody.static = {
             from: addressUserA,
@@ -431,6 +453,19 @@ describe('v1 - mod', { sequential: true }, () => {
         assert.isOk(response?.status === 200, 'response was not okay');
     });
 
+    it('POST - /mod/post-remove without autorization', async () => {
+        const body: typeof Posts.ModRemovePostBody.static = {
+            mod_address: addressModerator,
+            hash: getRandomHash(),
+            timestamp: '2025-04-16T19:46:42Z',
+            post_hash: postHash,
+            reason: 'spam',
+        };
+
+        const replyResponse = await post(`mod/post-remove`, body);
+        assert.isOk(replyResponse?.status === 401, `expected unauthorized, got ${JSON.stringify(replyResponse)}`);
+    });
+
     it('POST - /mod/post-remove moderator does not exists', async () => {
         const response = await get<{ status: number; rows: { hash: string; author: string; message: string }[] }>(
             `posts?address=${addressUserA}`,
@@ -446,7 +481,7 @@ describe('v1 - mod', { sequential: true }, () => {
             reason: 'spam',
         };
 
-        const replyResponse = await post(`mod/post-remove`, body);
+        const replyResponse = await post(`mod/post-remove`, body, 'WRITE', bearerToken);
         assert.isOk(replyResponse?.status === 404, `expected moderator was not found`);
 
         const postsResponse = await get<{
@@ -488,7 +523,7 @@ describe('v1 - mod', { sequential: true }, () => {
             reason: 'spam',
         };
 
-        const replyResponse = await post(`mod/post-remove`, body);
+        const replyResponse = await post(`mod/post-remove`, body, 'WRITE', bearerToken);
         assert.isOk(replyResponse?.status === 200, `response was not okay, got ${JSON.stringify(replyResponse)}`);
 
         const postsResponse = await get<{
@@ -517,7 +552,7 @@ describe('v1 - mod', { sequential: true }, () => {
             reason: 'spam',
         };
 
-        const replyResponse = await post(`mod/post-restore`, body);
+        const replyResponse = await post(`mod/post-restore`, body, 'WRITE', bearerToken);
         assert.isOk(replyResponse?.status === 200, `response was not okay, got ${JSON.stringify(replyResponse)}`);
 
         const postsResponse = await get<{
@@ -546,7 +581,7 @@ describe('v1 - mod', { sequential: true }, () => {
             post_hash: postHash,
         };
 
-        const userRemoveResponse = await post(`post-remove`, body);
+        const userRemoveResponse = await post(`post-remove`, body, 'WRITE', bearerToken);
         assert.isOk(userRemoveResponse?.status === 200, 'response was not okay');
 
         // MOD tries to restore post
@@ -585,7 +620,7 @@ describe('v1 - mod', { sequential: true }, () => {
             reason: 'user too political',
         };
 
-        const userBanResponse = await post(`mod/ban`, body);
+        const userBanResponse = await post(`mod/ban`, body, 'WRITE', bearerToken);
         assert.isOk(userBanResponse?.status === 200, `response was not okay ${JSON.stringify(userBanResponse)}`);
 
         // post from user should be all hidden
@@ -617,7 +652,7 @@ describe('v1 - mod', { sequential: true }, () => {
             timestamp: '2025-04-16T19:46:42Z',
         };
 
-        const response = await post(`post`, body);
+        const response = await post(`post`, body, 'WRITE', bearerToken);
         assert.isOk(response?.status === 200, 'response was not okay');
 
         // Even new post should be hidden
@@ -649,7 +684,7 @@ describe('v1 - mod', { sequential: true }, () => {
             reason: 'user too political',
         };
 
-        const userBanResponse = await post(`mod/unban`, body);
+        const userBanResponse = await post(`mod/unban`, body, 'WRITE', bearerToken);
         assert.isOk(userBanResponse?.status === 200, `response was not okay ${JSON.stringify(userBanResponse)}`);
 
         // Totally user should have 2 post as one was deleted by itself (including the one posted while banned)
@@ -682,7 +717,7 @@ describe('v1 - mod', { sequential: true }, () => {
             timestamp: '2025-04-16T19:46:42Z',
         };
 
-        const response = await post(`post`, body);
+        const response = await post(`post`, body, 'WRITE', bearerToken);
         assert.isOk(response?.status === 200, 'response was not okay');
 
         // Even new post should be hidden