TW-1612: Temple Tap AirDrop (#183)

* TW-1612: Temple Tap AirDrop. + SigAuth middleware

* TW-1612: Temple Tap AirDrop. + \/temple-tap\/check-airdrop-confirmation proxy endpoint

* TW-1612: Temple Tap AirDrop. ++ Sig Auth. Forbidding non-recognized messages

Author: alex-tsx

src/index.ts

@@ -10,7 +10,7 @@ import swaggerJSDoc from 'swagger-jsdoc';
 import swaggerUi from 'swagger-ui-express';
 
 import { getAdvertisingInfo } from './advertising/advertising';
-import { EnvVars, MIN_ANDROID_APP_VERSION, MIN_IOS_APP_VERSION } from './config';
+import { MIN_ANDROID_APP_VERSION, MIN_IOS_APP_VERSION } from './config';
 import getDAppsStats from './getDAppsStats';
 import { getMagicSquareQuestParticipants, startMagicSquareQuest } from './magic-square';
 import { basicAuth } from './middlewares/basic-auth.middleware';
@@ -23,6 +23,8 @@ import { redisClient } from './redis';
 import { evmRouter } from './routers/evm';
 import { adRulesRouter } from './routers/slise-ad-rules';
 import { templeWalletAdsRouter } from './routers/temple-wallet-ads';
+import { getSigningNonce, tezosSigAuthMiddleware } from './sig-auth';
+import { handleTempleTapApiProxyRequest } from './temple-tap';
 import { getTkeyStats } from './tkey-stats';
 import { getABData } from './utils/ab-test';
 import { cancelAliceBobOrder } from './utils/alice-bob/cancel-alice-bob-order';
@@ -39,7 +41,6 @@ import { coinGeckoTokens } from './utils/gecko-tokens';
 import { getExternalApiErrorPayload, isDefined, isNonEmptyString } from './utils/helpers';
 import logger from './utils/logger';
 import { getSignedMoonPayUrl } from './utils/moonpay/get-signed-moonpay-url';
-import { getSigningNonce } from './utils/signing-nonce';
 import SingleQueryDataProvider from './utils/SingleQueryDataProvider';
 import { getExchangeRates } from './utils/tokens';
 
@@ -398,32 +399,13 @@ app.get('/api/signing-nonce', (req, res) => {
   }
 });
 
-app.post('/api/temple-tap/confirm-airdrop-username', async (req, res) => {
-  try {
-    const response = await fetch(new URL('v1/confirm-airdrop-address', EnvVars.TEMPLE_TAP_API_URL + '/'), {
-      method: 'POST',
-      body: JSON.stringify(req.body),
-      headers: {
-        'Content-Type': 'application/json'
-      }
-    });
-
-    const statusCode = String(response.status);
-    const responseBody = await response.text();
-
-    if (statusCode.startsWith('2') || statusCode.startsWith('4')) {
-      res.status(response.status).send(responseBody);
-
-      return;
-    }
-
-    throw new Error(responseBody);
-  } catch (error) {
-    console.error('Temple Tap API proxy endpoint exception:', error);
+app.post('/api/temple-tap/confirm-airdrop-username', tezosSigAuthMiddleware, (req, res) =>
+  handleTempleTapApiProxyRequest(req, res, 'v1/confirm-airdrop-address')
+);
 
-    res.status(500).send({ message: 'Unknown error' });
-  }
-});
+app.post('/api/temple-tap/check-airdrop-confirmation', tezosSigAuthMiddleware, (req, res) =>
+  handleTempleTapApiProxyRequest(req, res, 'v1/check-airdrop-address-confirmation')
+);
 
 const swaggerOptions = {
   swaggerDefinition: {

src/magic-square.ts

@@ -6,9 +6,9 @@ import { verifySignature, getPkhfromPk } from '@taquito/utils';
 import { StatusCodes } from 'http-status-codes';
 
 import { objectStorageMethodsFactory } from './redis';
+import { getSigningNonce, removeSigningNonce } from './sig-auth';
 import { CodedError } from './utils/errors';
 import { safeCheck } from './utils/helpers';
-import { getSigningNonce, removeSigningNonce } from './utils/signing-nonce';
 
 interface Participant {
   pkh: string;

src/sig-auth.ts

@@ -0,0 +1,111 @@
+import { randomStringForEntropy } from '@stablelib/random';
+import { getPkhfromPk, validateAddress, ValidationResult, verifySignature } from '@taquito/utils';
+import { NextFunction, Request, Response } from 'express';
+import { StatusCodes } from 'http-status-codes';
+import memoizee from 'memoizee';
+import * as yup from 'yup';
+
+import { CodedError } from './utils/errors';
+
+const SIGNING_NONCE_TTL = 5 * 60_000;
+
+/** Result for packing (via `import('@taquito/michel-codec').packDataBytes({ string })`) in bytes for message:
+ * `Tezos Signed Message: Confirming my identity as ${Account PKH}.\n\nNonce: ${nonce}`
+ */
+const TEZ_SIG_AUTH_MSG_PATTERN =
+  /^0501[a-f0-9]{8}54657a6f73205369676e6564204d6573736167653a20436f6e6669726d696e67206d79206964656e7469747920617320[a-f0-9]{72}2e0a0a4e6f6e63653a20[a-f0-9]{16,40}$/;
+
+export const getSigningNonce = memoizee(
+  (pkh: string) => {
+    if (validateAddress(pkh) !== ValidationResult.VALID) throw new CodedError(400, 'Invalid address');
+
+    return buildNonce();
+  },
+  {
+    max: 1_000_000,
+    maxAge: SIGNING_NONCE_TTL
+  }
+);
+
+export function removeSigningNonce(pkh: string) {
+  getSigningNonce.delete(pkh);
+}
+
+export async function tezosSigAuthMiddleware(req: Request, res: Response, next: NextFunction) {
+  const sigHeaders = await sigAuthHeadersSchema.validate(req.headers).catch(() => null);
+
+  if (!sigHeaders) {
+    logInvalidSigAuthValues('values (empty)', req.headers);
+
+    return void res.status(StatusCodes.UNAUTHORIZED).send();
+  }
+
+  const {
+    'tw-sig-auth-tez-pk': publicKey,
+    'tw-sig-auth-tez-msg': messageBytes,
+    'tw-sig-auth-tez-sig': signature
+  } = sigHeaders;
+
+  let pkh: string;
+  try {
+    pkh = getPkhfromPk(publicKey);
+  } catch (err) {
+    console.error(err);
+
+    return void res.status(StatusCodes.BAD_REQUEST).send({ message: 'Invalid public key' });
+  }
+
+  // Nonce
+  const { value: nonce } = getSigningNonce(pkh);
+  const nonceBytes = Buffer.from(nonce, 'utf-8').toString('hex');
+
+  if (!messageBytes.endsWith(nonceBytes)) {
+    logInvalidSigAuthValues('nonce', req.headers);
+
+    return void res.status(StatusCodes.UNAUTHORIZED).send({ code: 'INVALID_NONCE', message: 'Invalid nonce' });
+  }
+
+  // Message
+  if (!TEZ_SIG_AUTH_MSG_PATTERN.test(messageBytes)) {
+    logInvalidSigAuthValues('pattern', req.headers);
+
+    return void res.status(StatusCodes.UNAUTHORIZED).send({ code: 'INVALID_MSG', message: 'Invalid message' });
+  }
+
+  // Signature
+  try {
+    verifySignature(messageBytes, publicKey, signature);
+  } catch (error) {
+    logInvalidSigAuthValues('signature', req.headers);
+    console.error(error);
+
+    return void res
+      .status(StatusCodes.UNAUTHORIZED)
+      .send({ code: 'INVALID_SIG', message: 'Invalid signature or message' });
+  }
+
+  removeSigningNonce(pkh);
+
+  next();
+}
+
+const sigAuthHeadersSchema = yup.object().shape({
+  'tw-sig-auth-tez-pk': yup.string().required(),
+  'tw-sig-auth-tez-msg': yup.string().required(),
+  'tw-sig-auth-tez-sig': yup.string().required()
+});
+
+function buildNonce() {
+  // Same as in in SIWE.generateNonce()
+  const value = randomStringForEntropy(96);
+
+  const expiresAt = new Date(Date.now() + SIGNING_NONCE_TTL).toISOString();
+
+  return { value, expiresAt };
+}
+
+function logInvalidSigAuthValues(title: string, reqHeaders: Record<string, unknown>) {
+  console.error(`[SIG-AUTH] Received invalid message ${title}. Request headers:`);
+
+  console.info(JSON.stringify(reqHeaders, null, 2));
+}

src/temple-tap.ts

@@ -0,0 +1,30 @@
+import { Request, Response } from 'express';
+
+import { EnvVars } from './config';
+
+export async function handleTempleTapApiProxyRequest(req: Request, res: Response, endpoint: string, method = 'POST') {
+  try {
+    const response = await fetch(new URL(endpoint, EnvVars.TEMPLE_TAP_API_URL + '/'), {
+      method,
+      body: JSON.stringify(req.body),
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    });
+
+    const statusCode = String(response.status);
+    const responseBody = await response.text();
+
+    if (statusCode.startsWith('2') || statusCode.startsWith('4')) {
+      res.status(response.status).send(responseBody);
+
+      return;
+    }
+
+    throw new Error(responseBody);
+  } catch (error) {
+    console.error('Temple Tap API proxy endpoint exception:', error);
+
+    res.status(500).send({ message: 'Unknown error' });
+  }
+}