feat: Add functionality to validate authenticators added my clients (#335)

adamfraser · web-flow · commit 38d913445faf · 2025-02-26T15:28:52.000-05:00
Authenticators can be easily misused. This code adds an
`validateAuthenticator` function that does some rudimentary checks to
ensure that users are adding a signatureVerification authenticator as
part of any combination of authenticators that are added.
diff --git a/v4-client-js/__tests__/clients/composite-client.test.ts b/v4-client-js/__tests__/clients/composite-client.test.ts
@@ -0,0 +1,140 @@
+import { Authenticator, AuthenticatorType, Network } from '../../src';
+import { CompositeClient } from '../../src/clients/composite-client'
+
+describe('CompositeClient', () => {
+  describe('validateAuthenticators', () => {
+    const network = Network.staging();
+
+    it('Validates top level AnyOf authenticators', async () => {
+      const client = await CompositeClient.connect(network);
+      const auth: Authenticator = {
+        type: AuthenticatorType.ANY_OF,
+        config: [
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+        ],
+      }
+      expect(client.validateAuthenticator(auth)).toEqual(true);
+    });
+
+    it('Fails top level AnyOf authenticators with non-signature nested authenticator', async () => {
+      const client = await CompositeClient.connect(network);
+      const auth: Authenticator = {
+        type: AuthenticatorType.ANY_OF,
+        config: [
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+        ],
+      }
+      expect(client.validateAuthenticator(auth)).toEqual(false);
+    });
+
+    it('Validates top level AllOf authenticators', async () => {
+      const client = await CompositeClient.connect(network);
+      const auth: Authenticator = {
+        type: AuthenticatorType.ALL_OF,
+        config: [
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+        ],
+      }
+      expect(client.validateAuthenticator(auth)).toEqual(true);
+    });
+
+    it('Fails top level AllOf authenticators, without signature verification', async () => {
+      const client = await CompositeClient.connect(network);
+      const auth: Authenticator = {
+        type: AuthenticatorType.ALL_OF,
+        config: [
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+        ],
+      }
+      expect(client.validateAuthenticator(auth)).toEqual(false);
+    });
+
+    it('Validates nested anyOf authenticators', async () => {
+      const client = await CompositeClient.connect(network);
+      const nestedAnyOf =  {
+        type: AuthenticatorType.ANY_OF,
+        config: [
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+        ]
+      }
+      const signatureVerification = {
+        type: AuthenticatorType.SIGNATURE_VERIFICATION,
+        config: ""
+      }
+
+      const auth: Authenticator = {
+        type: AuthenticatorType.ALL_OF,
+        config: [signatureVerification, nestedAnyOf],
+      };
+      expect(client.validateAuthenticator(auth)).toEqual(true);
+    });
+
+    it('Validates nested allOf authenticators', async () => {
+      const client = await CompositeClient.connect(network);
+      const nestedAllOf =  {
+        type: AuthenticatorType.ALL_OF,
+        config: [
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+        ]
+      }
+      const messageVerification = {
+        type: AuthenticatorType.MESSAGE_FILTER,
+        config: ""
+      }
+
+      const auth: Authenticator = {
+        type: AuthenticatorType.ALL_OF,
+        config: [messageVerification, nestedAllOf],
+      };
+      expect(client.validateAuthenticator(auth)).toEqual(true);
+    });
+
+    it('Fails nested anyOf signatureVerification authenticators', async () => {
+      const client = await CompositeClient.connect(network);
+      const nestedAnyOf =  {
+        type: AuthenticatorType.ANY_OF,
+        config: [
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+        ]
+      }
+      const messageVerification = {
+        type: AuthenticatorType.MESSAGE_FILTER,
+        config: ""
+      }
+
+      const auth: Authenticator = {
+        type: AuthenticatorType.ALL_OF,
+        config: [messageVerification, nestedAnyOf],
+      };
+      expect(client.validateAuthenticator(auth)).toEqual(false);
+    });
+
+    it('Fails nested anyOf authenticators', async () => {
+      const client = await CompositeClient.connect(network);
+      const nestedAnyOf =  {
+        type: AuthenticatorType.ANY_OF,
+        config: [
+          { type: AuthenticatorType.MESSAGE_FILTER, config: "" },
+          { type: AuthenticatorType.SIGNATURE_VERIFICATION, config: "" },
+        ]
+      }
+      const messageVerification = {
+        type: AuthenticatorType.MESSAGE_FILTER,
+        config: ""
+      }
+
+      const auth: Authenticator = {
+        type: AuthenticatorType.ANY_OF,
+        config: [messageVerification, nestedAnyOf],
+      };
+      expect(client.validateAuthenticator(auth)).toEqual(false);
+    });
+  });
+});
diff --git a/v4-client-js/examples/permissioned_keys_example.ts b/v4-client-js/examples/permissioned_keys_example.ts
@@ -47,31 +47,57 @@ async function test(): Promise<void> {
   await placeOrder(client, subaccount2, subaccount1, authenticatorID);
 }
 
-async function removeAuthenticator(client: CompositeClient,subaccount: SubaccountInfo, id: Long): Promise<void> {
+async function removeAuthenticator(
+  client: CompositeClient,
+  subaccount: SubaccountInfo,
+  id: Long,
+): Promise<void> {
   await client.removeAuthenticator(subaccount, id);
 }
 
-async function addAuthenticator(client: CompositeClient, subaccount: SubaccountInfo, authedPubKey:string): Promise<void> {
-  const subAuthenticators = [{
+async function addAuthenticator(
+  client: CompositeClient,
+  subaccount: SubaccountInfo,
+  authedPubKey: string,
+): Promise<void> {
+  const subAuth = [ {
     type: AuthenticatorType.SIGNATURE_VERIFICATION,
     config: authedPubKey,
   },
   {
-    type: AuthenticatorType.MESSAGE_FILTER,
-    config: toBase64(new TextEncoder().encode("/dydxprotocol.clob.MsgPlaceOrder")),
-  },
+    type: AuthenticatorType.ANY_OF,
+    config: [
+    {
+      type: AuthenticatorType.MESSAGE_FILTER,
+      config: toBase64(new TextEncoder().encode('/dydxprotocol.clob.MsgPlaceOrder')),
+    },
+    {
+      type: AuthenticatorType.MESSAGE_FILTER,
+      config: toBase64(new TextEncoder().encode('/dydxprotocol.clob.MsgPlaceOrder')),
+    },
+    ]
+  }
 ];
 
-  const jsonString = JSON.stringify(subAuthenticators);
+  const jsonString = JSON.stringify(subAuth);
   const encodedData = new TextEncoder().encode(jsonString);
 
-  await client.addAuthenticator(subaccount, AuthenticatorType.ALL_OF, encodedData);
+  try {
+    await client.addAuthenticator(subaccount, AuthenticatorType.ALL_OF, encodedData);
+  } catch (error) {
+    console.log(error.message);
+  }
 }
 
-async function placeOrder(client: CompositeClient, fromAccount: SubaccountInfo, forAccount: SubaccountInfo, authenticatorId: Long): Promise<void> {
+async function placeOrder(
+  client: CompositeClient,
+  fromAccount: SubaccountInfo,
+  forAccount: SubaccountInfo,
+  authenticatorId: Long,
+): Promise<void> {
   try {
-    const side = OrderSide.BUY
-    const price = Number("1000");
+    const side = OrderSide.BUY;
+    const price = Number('1000');
     const currentBlock = await client.validatorClient.get.latestBlockHeight();
     const nextValidBlockHeight = currentBlock + 5;
     const goodTilBlock = nextValidBlockHeight + 10;
@@ -94,7 +120,7 @@ async function placeOrder(client: CompositeClient, fromAccount: SubaccountInfo,
       {
         authenticators: [authenticatorId],
         accountForOrder: forAccount,
-      }
+      },
     );
     console.log('**Order Tx**');
     console.log(Buffer.from(tx.hash).toString('hex'));
diff --git a/v4-client-js/package-lock.json b/v4-client-js/package-lock.json
diff --git a/v4-client-js/src/clients/composite-client.ts b/v4-client-js/src/clients/composite-client.ts
@@ -1,3 +1,5 @@
+import { TextDecoder } from 'util';
+
 import { EncodeObject } from '@cosmjs/proto-signing';
 import { Account, GasPrice, IndexedTx, StdFee } from '@cosmjs/stargate';
 import { Method } from '@cosmjs/tendermint-rpc';
@@ -18,6 +20,7 @@ import { bigIntToBytes } from '../lib/helpers';
 import { isStatefulOrder, verifyOrderFlags } from '../lib/validation';
 import { GovAddNewMarketParams, OrderFlags } from '../types';
 import {
+  Authenticator,
   AuthenticatorType,
   Network,
   OrderExecution,
@@ -169,7 +172,7 @@ export class CompositeClient {
       broadcastMode,
       account,
       undefined,
-     authenticators,
+      authenticators,
     );
   }
 
@@ -311,9 +314,10 @@ export class CompositeClient {
   ): Promise<BroadcastTxAsyncResponse | BroadcastTxSyncResponse | IndexedTx> {
     // For permissioned orders, use the permissioning account details instead of the subaccount
     // This allows placing orders on behalf of another account when using permissioned keys
-    const accountForOrder = permissionedKeysAccountAuth ? permissionedKeysAccountAuth.accountForOrder : subaccount;
+    const accountForOrder = permissionedKeysAccountAuth
+      ? permissionedKeysAccountAuth.accountForOrder
+      : subaccount;
     const msgs: Promise<EncodeObject[]> = new Promise((resolve, reject) => {
-
       const msg = this.placeShortTermOrderMessage(
         accountForOrder,
         marketId,
@@ -1233,25 +1237,74 @@ export class CompositeClient {
     gasAdjustment?: number,
     memo?: string,
   ): Promise<BroadcastTxAsyncResponse | BroadcastTxSyncResponse | IndexedTx> {
-    return this.validatorClient.post.createMarketPermissionless(ticker, subaccount, broadcastMode, gasAdjustment, memo);
+    return this.validatorClient.post.createMarketPermissionless(
+      ticker,
+      subaccount,
+      broadcastMode,
+      gasAdjustment,
+      memo,
+    );
   }
 
   async addAuthenticator(
     subaccount: SubaccountInfo,
     authenticatorType: AuthenticatorType,
     data: Uint8Array,
   ): Promise<BroadcastTxAsyncResponse | BroadcastTxSyncResponse | IndexedTx> {
-    return this.validatorClient.post.addAuthenticator(subaccount, authenticatorType, data)
+    // Validate the provided authenticators before sending to the validator
+    const authenticator: Authenticator = {
+      type: authenticatorType,
+      config: JSON.parse(new TextDecoder().decode(data)),
+    };
+    if (!this.validateAuthenticator(authenticator)) {
+      throw new Error(
+        'Invalid authenticator, please ensure the authenticator permissions are correct',
+      );
+    }
+
+    return this.validatorClient.post.addAuthenticator(subaccount, authenticatorType, data);
   }
 
   async removeAuthenticator(
     subaccount: SubaccountInfo,
     id: Long,
   ): Promise<BroadcastTxAsyncResponse | BroadcastTxSyncResponse | IndexedTx> {
-    return this.validatorClient.post.removeAuthenticator(subaccount, id)
+    return this.validatorClient.post.removeAuthenticator(subaccount, id);
   }
 
-  async getAuthenticators(address: string): Promise<GetAuthenticatorsResponse>{
+  async getAuthenticators(address: string): Promise<GetAuthenticatorsResponse> {
     return this.validatorClient.get.getAuthenticators(address);
   }
+
+  validateAuthenticator(authenticator: Authenticator): boolean {
+    function checkAuthenticator(auth: Authenticator): boolean {
+      if (auth.type === AuthenticatorType.SIGNATURE_VERIFICATION) {
+        return true; // A SignatureVerification authenticator is safe.
+      }
+
+      if (!Array.isArray(auth.config)) {
+        return false; // Unsafe case: a non-array config for a composite authenticator
+      }
+
+      if (auth.type === AuthenticatorType.ANY_OF) {
+        // ANY_OF is safe only if ALL sub-authenticators return true
+        return auth.config.every((nestedAuth) => checkAuthenticator(nestedAuth));
+      }
+
+      if (auth.type === AuthenticatorType.ALL_OF) {
+        // ALL_OF is safe if at least one sub-authenticator returns true
+        return auth.config.some((nestedAuth) => checkAuthenticator(nestedAuth));
+      }
+
+      // If it's a base-case authenticator but not SignatureVerification, it's unsafe
+      return false;
+    }
+
+    // The top-level authenticator must pass validation
+    if (!checkAuthenticator(authenticator)) {
+      return false
+    }
+
+    return true;
+  }
 }
diff --git a/v4-client-js/src/clients/constants.ts b/v4-client-js/src/clients/constants.ts
@@ -211,6 +211,11 @@ export enum AuthenticatorType {
   SUBACCOUNT_FILTER = 'SubaccountFilter',
 }
 
+export interface Authenticator {
+  type: AuthenticatorType;
+  config: string | Authenticator[];
+}
+
 export enum TradingRewardAggregationPeriod {
   DAILY = 'DAILY',
   WEEKLY = 'WEEKLY',
