add api key

Author: dglowinski

.env.template

@@ -7,7 +7,7 @@ CORS_ORIGIN="*" # Allowed CORS origin, adjust as necessary
 
 # Rate Limiting
 COMMON_RATE_LIMIT_WINDOW_MS="1000" # Window size for rate limiting (ms)
-COMMON_RATE_LIMIT_MAX_REQUESTS="20" # Max number of requests per window per IP
+COMMON_RATE_LIMIT_MAX_REQUESTS="20" # Max number of requests per window per API key
 
 # RPCs
 # mainnet
@@ -32,4 +32,9 @@ OKX_API_KEY=""
 OKX_PASSPHRASE=""
 OKX_SECRET_KEY=""
 ODOS_API_KEY=""
-ODOS_REFERRAL_CODE=""
+ODOS_REFERRAL_CODE=""
+
+# API keys
+API_KEY_1=""
+API_KEY_2=""
+# ...

README.md

@@ -39,6 +39,18 @@ pnpm run lint:fix   # fix
 
 Swagger UI is served at the root, it is also available at [swap.euler.finance](https://swap.euler.finance). Request and response schemas are also available [here](./src/api/routes/swap/swapModel.ts)
 
+To try out the `swap` call in Swagger use string `example_api_key` as the `x-api-key` header value.
+
+## Authorization and rate limits
+
+The `/swap` endpoint is protected with an API key expected in `x-api-key` header. Accepted keys are configured through environment variables starting with `API_KEY_`.
+
+Rate limits can be configured with environment variables:
+- `COMMON_RATE_LIMIT_MAX_REQUESTS` defines the max number of requests allowed per API key, per window.
+- `COMMON_RATE_LIMIT_WINDOW_MS` defines window duration in miliseconds.
+
+The example key is allowed 1 request per window.
+
 ## Fetching quotes and executing trades
 
 The `/swap` endpoint fetches token trade quotes which can be used with the swapping peripheries in the Euler Vault Kit [periphery contracts](https://github.com/euler-xyz/evk-periphery/tree/master/src/Swaps). See [periphery docs](https://github.com/euler-xyz/evk-periphery/blob/master/docs/swaps.md) for detailed description of the swapping architecture in Euler V2. The API response includes both encoded payloads as well as raw data for calls to the `Swapper` (`swap` field of the response) and `SwapVerifier` (`verify` field) contracts. These payloads can be used directly in EVC batches.

src/api/routes/swap/swapModel.ts

@@ -1,3 +1,4 @@
+import { EXAMPLE_API_KEY } from "@/common/constants"
 import { SwapVerificationType, SwapperMode } from "@/swapService/interface"
 import { extendZodWithOpenApi } from "@asteasolutions/zod-to-openapi"
 import { InvalidAddressError, getAddress, isHex } from "viem"
@@ -133,6 +134,16 @@ const swapApiResponseSwapSchema = z.object({
     .openapi({ description: "Raw Swapper multicall items" }),
 })
 
+const getSwapHeadersSchema = z.object({
+  "x-api-key": z.string().openapi({
+    param: {
+      description:
+        "API key. You can use the example key provided to try this call out",
+    },
+    example: EXAMPLE_API_KEY,
+  }),
+})
+
 const getSwapSchema = z.object({
   query: z.object({
     chainId: z
@@ -320,4 +331,4 @@ const swapResponseSchema = z.object({
     .openapi({ description: "Swap route details" }),
 })
 
-export { getSwapSchema, swapResponseSchema }
+export { getSwapSchema, getSwapHeadersSchema, swapResponseSchema }

src/api/routes/swap/swapRouter.ts

@@ -3,6 +3,7 @@ import express, { type Router, type Request, type Response } from "express"
 
 import { createApiResponse } from "@/api-docs/openAPIResponseBuilders"
 
+import { apiKeyAuth } from "@/common/middleware/apiKey"
 import { ServiceResponse } from "@/common/models/serviceResponse"
 import {
   handleServiceResponse,
@@ -21,6 +22,7 @@ import { InvalidAddressError, isHex } from "viem"
 import { z } from "zod"
 import {
   type SwapResponse,
+  getSwapHeadersSchema,
   getSwapSchema,
   swapResponseSchema,
 } from "./swapModel"
@@ -33,17 +35,17 @@ swapRegistry.registerPath({
   method: "get",
   path: "/swap",
   tags: ["Get swap quote"],
-  request: { query: getSwapSchema.shape.query },
+  request: { query: getSwapSchema.shape.query, headers: getSwapHeadersSchema },
   responses: createApiResponse(swapResponseSchema, "Success"),
 })
 
 swapRouter.get(
   "/",
-  validateRequest(getSwapSchema),
+  [validateRequest(getSwapSchema), apiKeyAuth],
   async (req: Request, res: Response) => {
     const serviceResponse = await findSwap(req)
     console.log("===== END =====")
-    return handleServiceResponse(serviceResponse, res)
+    return handleServiceResponse(serviceResponse, req, res)
   },
 )
 
@@ -70,14 +72,6 @@ async function findSwap(
 
     return ServiceResponse.success<SwapResponse>(data)
   } catch (error) {
-    console.log(
-      "error: ",
-      error.statusCode,
-      error.message,
-      error.errorMessage,
-      JSON.stringify(error.data),
-      req.url,
-    )
     if (error instanceof ApiError) {
       return ServiceResponse.failure(
         error.message,

src/common/constants.ts

@@ -0,0 +1 @@
+export const EXAMPLE_API_KEY = "example_api_key"

src/common/middleware/apiKey.ts

@@ -0,0 +1,30 @@
+import type { Handler, NextFunction, Request, Response } from "express"
+import { StatusCodes } from "http-status-codes"
+import { EXAMPLE_API_KEY } from "../constants"
+import { ServiceResponse } from "../models/serviceResponse"
+import { handleServiceResponse } from "../utils/httpHandlers"
+
+const apiKeysFromEnv = (regExp: RegExp): string[] =>
+  Object.keys(process.env)
+    .filter((key) => regExp.test(key))
+    .map((key) => process.env[key] as string)
+
+export const apiKeyAuth: Handler = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  const apiKeys = apiKeysFromEnv(/^API_KEY_/)
+  apiKeys.push(EXAMPLE_API_KEY)
+
+  const apiKey = req.header("x-api-key")
+  if (!apiKey || !apiKeys.includes(apiKey)) {
+    const serviceResponse = ServiceResponse.failure(
+      "Unauthorized",
+      StatusCodes.UNAUTHORIZED,
+      { ip: req.ip },
+    )
+    handleServiceResponse(serviceResponse, req, res)
+  }
+  next()
+}

src/common/middleware/rateLimiter.ts

@@ -1,13 +1,17 @@
 import type { Request } from "express"
 import { rateLimit } from "express-rate-limit"
+import { EXAMPLE_API_KEY } from "../constants"
 
 const rateLimiter = rateLimit({
   legacyHeaders: true,
-  limit: Number(process.env.COMMON_RATE_LIMIT_MAX_REQUESTS || 20),
+  limit: (req: Request) =>
+    req.headers["x-api-key"] === EXAMPLE_API_KEY
+      ? 1
+      : Number(process.env.COMMON_RATE_LIMIT_MAX_REQUESTS || 20),
   message: "Too many requests, please try again later.",
   standardHeaders: true,
   windowMs: Number(process.env.COMMON_RATE_LIMIT_WINDOW_MS || 1000),
-  keyGenerator: (req: Request) => req.ip as string,
+  keyGenerator: (req: Request) => req.headers["x-api-key"] as string,
 })
 
 export default rateLimiter

src/common/utils/httpHandlers.ts

@@ -1,25 +1,42 @@
-import type { NextFunction, Request, Response } from "express"
+import type { NextFunction, Request, RequestHandler, Response } from "express"
 import { StatusCodes } from "http-status-codes"
 import type { ZodError, ZodSchema } from "zod"
 
 import { ServiceResponse } from "@/common/models/serviceResponse"
 
 export const handleServiceResponse = (
   serviceResponse: ServiceResponse<any>,
+  request: Request,
   response: Response,
 ) => {
-  return response.status(serviceResponse.statusCode).send(serviceResponse)
+  if (serviceResponse.statusCode !== StatusCodes.OK) {
+    console.log(
+      "error: ",
+      serviceResponse.statusCode,
+      serviceResponse.message,
+      JSON.stringify(serviceResponse.data),
+      request.url,
+    )
+  }
+  console.log(serviceResponse)
+  response.status(serviceResponse.statusCode).send(serviceResponse)
 }
 
 export const validateRequest =
-  (schema: ZodSchema) => (req: Request, res: Response, next: NextFunction) => {
+  (schema: ZodSchema): RequestHandler =>
+  (req: Request, res: Response, next: NextFunction) => {
     try {
-      schema.parse({ body: req.body, query: req.query, params: req.params })
+      schema.parse({
+        body: req.body,
+        query: req.query,
+        params: req.params,
+        headers: req.headers,
+      })
       next()
     } catch (err) {
       const errorMessage = `Invalid input: ${(err as ZodError).errors.map((e) => e.message).join(", ")}`
       const statusCode = StatusCodes.BAD_REQUEST
       const serviceResponse = ServiceResponse.failure(errorMessage, statusCode)
-      return handleServiceResponse(serviceResponse, res)
+      return handleServiceResponse(serviceResponse, req, res)
     }
   }