server handling of account address and signer

Author: pcarranzav

apps/connect/src/components/create-space.tsx

@@ -54,6 +54,7 @@ export function CreateSpace() {
 
       const message: Messages.RequestConnectCreateSpaceEvent = {
         type: 'connect-create-space-event',
+        accountAddress,
         event: spaceEvent,
         spaceId: spaceEvent.transaction.id,
         keyBox: {

apps/connect/src/hooks/use-spaces.ts

@@ -1,4 +1,5 @@
 import { getAppInfoByIds } from '@/lib/get-app-info-by-ids';
+import { Connect } from '@graphprotocol/hypergraph';
 import { useIdentityToken } from '@privy-io/react-auth';
 import { useQuery } from '@tanstack/react-query';
 
@@ -22,8 +23,10 @@ export const useSpaces = () => {
     queryKey: ['spaces'],
     queryFn: async () => {
       if (!identityToken) return [];
+      const accountAddress = Connect.loadAccountAddress(localStorage);
+      if (!accountAddress) return [];
       const response = await fetch(`${import.meta.env.VITE_HYPERGRAPH_SYNC_SERVER_ORIGIN}/connect/spaces`, {
-        headers: { 'privy-id-token': identityToken },
+        headers: { 'privy-id-token': identityToken, 'account-address': accountAddress },
       });
       const data = await response.json();
       const appIds = new Set<string>();

apps/connect/src/routes/authenticate.tsx

@@ -268,6 +268,7 @@ function AuthenticateComponent() {
     const message: Messages.RequestConnectAddAppIdentityToSpaces = {
       type: 'connect-add-app-identity-to-spaces',
       appIdentityAddress: appIdentity.address,
+      accountAddress,
       spacesInput,
     };
 
@@ -277,7 +278,6 @@ function AuthenticateComponent() {
       {
         headers: {
           'privy-id-token': identityToken,
-          'account-address': accountAddress,
           'Content-Type': 'application/json',
         },
         method: 'POST',
@@ -366,6 +366,7 @@ function AuthenticateComponent() {
       const message: Messages.RequestConnectCreateAppIdentity = {
         appId: state.appInfo.appId,
         address: newAppIdentity.address,
+        accountAddress,
         signaturePublicKey: newAppIdentity.signaturePublicKey,
         encryptionPublicKey: newAppIdentity.encryptionPublicKey,
         ciphertext,
@@ -377,7 +378,6 @@ function AuthenticateComponent() {
       const response = await fetch(`${import.meta.env.VITE_HYPERGRAPH_SYNC_SERVER_ORIGIN}/connect/app-identity`, {
         headers: {
           'privy-id-token': identityToken,
-          'account-address': accountAddress,
           'Content-Type': 'application/json',
         },
         method: 'POST',

apps/events/src/routes/authenticate-success.tsx

@@ -44,6 +44,7 @@ function RouteComponent() {
       setIdentity({
         address: parsedAuthParams.appIdentityAddress,
         addressPrivateKey: parsedAuthParams.appIdentityAddressPrivateKey,
+        permissionId: parsedAuthParams.permissionId,
         signaturePublicKey: parsedAuthParams.signaturePublicKey,
         signaturePrivateKey: parsedAuthParams.signaturePrivateKey,
         encryptionPublicKey: parsedAuthParams.encryptionPublicKey,

apps/server/prisma/migrations/20250620005807_add_connect_signer_address/migration.sql

@@ -0,0 +1,26 @@
+/*
+  Warnings:
+
+  - Added the required column `connectSignerAddress` to the `Account` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Account" (
+    "address" TEXT NOT NULL PRIMARY KEY,
+    "connectAddress" TEXT NOT NULL,
+    "connectCiphertext" TEXT NOT NULL,
+    "connectNonce" TEXT NOT NULL,
+    "connectSignaturePublicKey" TEXT NOT NULL,
+    "connectEncryptionPublicKey" TEXT NOT NULL,
+    "connectAccountProof" TEXT NOT NULL,
+    "connectKeyProof" TEXT NOT NULL,
+    "connectSignerAddress" TEXT NOT NULL
+);
+INSERT INTO "new_Account" ("address", "connectAccountProof", "connectAddress", "connectCiphertext", "connectEncryptionPublicKey", "connectKeyProof", "connectNonce", "connectSignaturePublicKey") SELECT "address", "connectAccountProof", "connectAddress", "connectCiphertext", "connectEncryptionPublicKey", "connectKeyProof", "connectNonce", "connectSignaturePublicKey" FROM "Account";
+DROP TABLE "Account";
+ALTER TABLE "new_Account" RENAME TO "Account";
+CREATE UNIQUE INDEX "Account_connectAddress_key" ON "Account"("connectAddress");
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;

apps/server/prisma/schema.prisma

@@ -109,6 +109,7 @@ model Account {
   connectKeyProof            String
   infoAuthor                 Space[]
   spaceKeyBoxes              SpaceKeyBox[]
+  connectSignerAddress       String
 }
 
 model AppIdentity {

apps/server/src/handlers/createIdentity.ts

@@ -1,6 +1,7 @@
 import { prisma } from '../prisma.js';
 
 type Params = {
+  signerAddress: string;
   accountAddress: string;
   ciphertext: string;
   nonce: string;
@@ -11,6 +12,7 @@ type Params = {
 };
 
 export const createIdentity = async ({
+  signerAddress,
   accountAddress,
   ciphertext,
   nonce,
@@ -32,6 +34,7 @@ export const createIdentity = async ({
   }
   return await prisma.account.create({
     data: {
+      connectSignerAddress: signerAddress,
       address: accountAddress,
       connectAccountProof: accountProof,
       connectKeyProof: keyProof,

apps/server/src/handlers/is-signer-for-account.ts

@@ -0,0 +1,13 @@
+import { prisma } from '../prisma';
+
+export const isSignerForAccount = async (signerAddress: string, accountAddress: string) => {
+  const account = await prisma.account.findUnique({
+    where: {
+      address: accountAddress,
+    },
+  });
+  if (!account) {
+    return false;
+  }
+  return account.connectSignerAddress === signerAddress;
+};

apps/server/src/index.ts

@@ -23,6 +23,7 @@ import { getLatestAccountInboxMessages } from './handlers/getLatestAccountInboxM
 import { getLatestSpaceInboxMessages } from './handlers/getLatestSpaceInboxMessages.js';
 import { getSpace } from './handlers/getSpace.js';
 import { getSpaceInbox } from './handlers/getSpaceInbox.js';
+import { isSignerForAccount } from './handlers/is-signer-for-account.js';
 import { listAccountInboxes } from './handlers/list-account-inboxes.js';
 import { listPublicAccountInboxes } from './handlers/list-public-account-inboxes.js';
 import { listSpacesByAccount } from './handlers/list-spaces-by-account.js';
@@ -76,7 +77,12 @@ app.get('/connect/spaces', async (req, res) => {
   console.log('GET connect/spaces');
   try {
     const idToken = req.headers['privy-id-token'];
-    const accountAddress = await getAddressByPrivyToken(Array.isArray(idToken) ? idToken[0] : idToken);
+    const accountAddress = req.headers['account-address'] as string;
+    const signerAddress = await getAddressByPrivyToken(idToken);
+    if (!(await isSignerForAccount(signerAddress, accountAddress))) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     const spaces = await listSpacesByAccount({ accountAddress });
     const spaceResults = spaces.map((space) => ({
       id: space.id,
@@ -117,8 +123,13 @@ app.post('/connect/spaces', async (req, res) => {
   console.log('POST connect/spaces');
   try {
     const idToken = req.headers['privy-id-token'];
-    const accountAddress = await getAddressByPrivyToken(Array.isArray(idToken) ? idToken[0] : idToken);
     const message = Schema.decodeUnknownSync(Messages.RequestConnectCreateSpaceEvent)(req.body);
+    const accountAddress = message.accountAddress;
+    const signerAddress = await getAddressByPrivyToken(idToken);
+    if (!(await isSignerForAccount(signerAddress, accountAddress))) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     const space = await createSpace({
       accountAddress,
       event: message.event,
@@ -145,10 +156,15 @@ app.post('/connect/add-app-identity-to-spaces', async (req, res) => {
   console.log('POST connect/add-app-identity-to-spaces');
   try {
     const idToken = req.headers['privy-id-token'];
-    const accountAddress = await getAddressByPrivyToken(Array.isArray(idToken) ? idToken[0] : idToken);
+
+    const signerAddress = await getAddressByPrivyToken(idToken);
     const message = Schema.decodeUnknownSync(Messages.RequestConnectAddAppIdentityToSpaces)(req.body);
+    if (!(await isSignerForAccount(signerAddress, message.accountAddress))) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     const space = await addAppIdentityToSpaces({
-      accountAddress,
+      accountAddress: message.accountAddress,
       appIdentityAddress: message.appIdentityAddress,
       spacesInput: message.spacesInput,
     });
@@ -169,10 +185,14 @@ app.post('/connect/identity', async (req, res) => {
   console.log('POST connect/identity');
   try {
     const idToken = req.headers['privy-id-token'];
-    const signerAddress = await getAddressByPrivyToken(Array.isArray(idToken) ? idToken[0] : idToken);
+    const signerAddress = await getAddressByPrivyToken(idToken);
     const message = Schema.decodeUnknownSync(Messages.RequestConnectCreateIdentity)(req.body);
     const accountAddress = message.keyBox.accountAddress;
 
+    if (signerAddress !== message.keyBox.signer) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     if (
       !Identity.verifyIdentityOwnership(
         accountAddress,
@@ -223,17 +243,23 @@ app.post('/connect/identity', async (req, res) => {
   }
 });
 
-app.post('/connect/identity/encrypted', async (req, res) => {
-  console.log('POST connect/identity/encrypted');
+app.get('/connect/identity/encrypted', async (req, res) => {
+  console.log('GET connect/identity/encrypted');
   try {
     const idToken = req.headers['privy-id-token'];
-    const accountAddress = await getAddressByPrivyToken(Array.isArray(idToken) ? idToken[0] : idToken);
+    const signerAddress = await getAddressByPrivyToken(idToken);
+    const accountAddress = req.headers['account-address'] as string;
+    if (!(await isSignerForAccount(signerAddress, accountAddress))) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     const identity = await getConnectIdentity({ accountAddress });
     const outgoingMessage: Messages.ResponseIdentityEncrypted = {
       keyBox: {
         accountAddress,
         ciphertext: identity.ciphertext,
         nonce: identity.nonce,
+        signer: signerAddress,
       },
     };
     res.status(200).send(outgoingMessage);
@@ -253,7 +279,12 @@ app.get('/connect/app-identity/:appId', async (req, res) => {
   console.log('GET connect/app-identity/:appId');
   try {
     const idToken = req.headers['privy-id-token'];
-    const accountAddress = await getAddressByPrivyToken(Array.isArray(idToken) ? idToken[0] : idToken);
+    const signerAddress = await getAddressByPrivyToken(idToken);
+    const accountAddress = req.headers['account-address'] as string;
+    if (!(await isSignerForAccount(signerAddress, accountAddress))) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     const appId = req.params.appId;
     const appIdentity = await findAppIdentity({ accountAddress, appId });
     if (!appIdentity) {
@@ -277,8 +308,13 @@ app.post('/connect/app-identity', async (req, res) => {
   console.log('POST connect/app-identity');
   try {
     const idToken = req.headers['privy-id-token'];
-    const accountAddress = await getAddressByPrivyToken(Array.isArray(idToken) ? idToken[0] : idToken);
+    const signerAddress = await getAddressByPrivyToken(idToken);
     const message = Schema.decodeUnknownSync(Messages.RequestConnectCreateAppIdentity)(req.body);
+    const accountAddress = message.accountAddress;
+    if (!(await isSignerForAccount(signerAddress, accountAddress))) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
     const sessionToken = bytesToHex(randomBytes(32));
     const sessionTokenExpires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 30); // 30 days
     const appIdentity = await createAppIdentity({

apps/server/src/utils/get-address-by-privy-token.ts

@@ -1,16 +1,18 @@
 import { PrivyClient, type Wallet } from '@privy-io/server-auth';
 
-export async function getAddressByPrivyToken(idToken: string | undefined): Promise<string> {
+export async function getAddressByPrivyToken(idToken: string[] | string | undefined): Promise<string> {
   if (!idToken) {
     throw new Error('No Privy ID token provided');
   }
 
+  const idTokenString = Array.isArray(idToken) ? idToken[0] : idToken;
+
   if (!process.env.PRIVY_APP_SECRET || !process.env.PRIVY_APP_ID) {
     throw new Error('Missing Privy configuration');
   }
 
   const privy = new PrivyClient(process.env.PRIVY_APP_ID, process.env.PRIVY_APP_SECRET);
-  const user = await privy.getUser({ idToken });
+  const user = await privy.getUser({ idToken: idTokenString });
 
   if (!user) {
     throw new Error('Invalid Privy user');