spaced rpc user/password protection

Author: Ximik

Cargo.lock

@@ -40,6 +40,7 @@ tabled = "0.17.0"
 colored = "3.0.0"
 domain = {version = "0.10.3", default-features = false, features = ["zonefile"]}
 tower = "0.4.13"
+hyper = "0.14.28"
 
 [dev-dependencies]
 assert_cmd = "2.0.16"

client/Cargo.toml

@@ -69,11 +69,12 @@ impl App {
         let rpc_server = RpcServerImpl::new(async_chain_state.clone(), wallet_manager);
 
         let bind = spaced.bind.clone();
+        let auth_token = spaced.auth_token.clone();
         let shutdown = self.shutdown.clone();
 
         self.services.spawn(async move {
             rpc_server
-                .listen(bind, shutdown)
+                .listen(bind, auth_token, shutdown)
                 .await
                 .map_err(|e| anyhow!("RPC Server error: {}", e))
         });

client/src/app.rs

@@ -0,0 +1,108 @@
+use std::{
+    error::Error,
+    future::Future,
+    pin::Pin,
+    sync::Arc,
+    task::{Context, Poll},
+};
+use base64::Engine;
+use hyper::{Body, Request, Response, StatusCode, HeaderMap};
+use tower::{Layer, Service};
+
+#[derive(Debug, Clone)]
+pub(crate) struct BasicAuthLayer {
+    token: Option<String>,
+}
+
+impl BasicAuthLayer {
+    pub fn new(token: Option<String>) -> Self {
+        Self { token }
+    }
+}
+
+impl<S> Layer<S> for BasicAuthLayer {
+    type Service = BasicAuth<S>;
+
+    fn layer(&self, inner: S) -> Self::Service {
+        BasicAuth::new(inner, self.token.clone())
+    }
+}
+
+#[derive(Debug, Clone)]
+pub(crate) struct BasicAuth<S> {
+    inner: S,
+    token: Option<Arc<str>>,
+}
+
+impl<S> BasicAuth<S> {
+    pub fn new(inner: S, token: Option<String>) -> Self {
+        Self {
+            inner,
+            token: token.map(|t| Arc::from(t.as_str())),
+        }
+    }
+
+    fn check_auth(&self, headers: &HeaderMap) -> bool {
+        let Some(expected_token) = &self.token else {
+            return true;
+        };
+
+        let auth_header = match headers.get("authorization") {
+            Some(header) => header,
+            None => return false,
+        };
+
+        let auth_str = match auth_header.to_str() {
+            Ok(s) => s,
+            Err(_) => return false,
+        };
+
+        if let Some(token_part) = auth_str.strip_prefix("Basic ") {
+            token_part == expected_token.as_ref()
+        } else {
+            false
+        }
+    }
+
+    fn unauthorized_response() -> Response<Body> {
+        Response::builder()
+            .status(StatusCode::UNAUTHORIZED)
+            .header("WWW-Authenticate", "Basic realm=\"Protected\"")
+            .body(Body::from("Unauthorized"))
+            .expect("Failed to build unauthorized response")
+    }
+}
+
+impl<S> Service<Request<Body>> for BasicAuth<S>
+where
+    S: Service<Request<Body>, Response = Response<Body>>,
+    S::Response: 'static,
+    S::Error: Into<Box<dyn Error + Send + Sync>> + 'static,
+    S::Future: Send + 'static,
+{
+    type Response = S::Response;
+    type Error = Box<dyn Error + Send + Sync + 'static>;
+    type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static>>;
+
+    #[inline]
+    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        self.inner.poll_ready(cx).map_err(Into::into)
+    }
+
+    fn call(&mut self, req: Request<Body>) -> Self::Future {
+        if !self.check_auth(req.headers()) {
+            let response = Self::unauthorized_response();
+            return Box::pin(async move { Ok(response) });
+        }
+
+        let fut = self.inner.call(req);
+        let res_fut = async move {
+            fut.await.map_err(|err| err.into())
+        };
+        Box::pin(res_fut)
+    }
+}
+
+pub fn basic_auth_token(user: &str, password: &str) -> String {
+    base64::prelude::BASE64_STANDARD.encode(format!("{user}:{password}"))
+}

client/src/auth.rs

@@ -20,6 +20,7 @@ use jsonrpsee::{
 };
 use serde::{Deserialize, Serialize};
 use spaces_client::{
+    auth::basic_auth_token,
     config::{default_spaces_rpc_port, ExtendedNetwork},
     deserialize_base64,
     format::{
@@ -54,6 +55,12 @@ pub struct Args {
     /// Spaced RPC URL [default: based on specified chain]
     #[arg(long)]
     spaced_rpc_url: Option<String>,
+    /// Spaced RPC user
+    #[arg(long, requires = "rpc_password", env = "SPACED_RPC_USER")]
+    rpc_user: Option<String>,
+    /// Spaced RPC password
+    #[arg(long, env = "SPACED_RPC_PASSWORD")]
+    rpc_password: Option<String>,
     /// Specify wallet to use
     #[arg(long, short, global = true, default_value = "default")]
     wallet: String,
@@ -387,7 +394,17 @@ impl SpaceCli {
             args.spaced_rpc_url = Some(default_spaced_rpc_url(&args.chain));
         }
 
-        let client = HttpClientBuilder::default().build(args.spaced_rpc_url.clone().unwrap())?;
+        let client = HttpClientBuilder::default();
+        let client = if args.rpc_user.is_some() {
+            let token = basic_auth_token(args.rpc_user.as_ref().unwrap(), args.rpc_password.as_ref().unwrap());
+            let mut headers = hyper::http::HeaderMap::new();
+            headers.insert("Authorization", hyper::http::HeaderValue::from_str(&format!("Basic {token}")).unwrap());
+            client.set_headers(headers)
+        } else {
+            client
+        };
+        let client = client.build(args.spaced_rpc_url.clone().unwrap())?;
+
         Ok((
             Self {
                 wallet: args.wallet.clone(),

client/src/bin/space-cli.rs

@@ -15,6 +15,7 @@ use serde::Deserialize;
 use spaces_protocol::bitcoin::Network;
 
 use crate::{
+    auth::basic_auth_token,
     source::{BitcoinRpc, BitcoinRpcAuth},
     store::{LiveStore, Store},
     spaces::Spaced,
@@ -58,6 +59,12 @@ pub struct Args {
     /// Bitcoin RPC password
     #[arg(long, env = "SPACED_BITCOIN_RPC_PASSWORD")]
     bitcoin_rpc_password: Option<String>,
+    /// Spaced RPC user
+    #[arg(long, requires = "rpc_password", env = "SPACED_RPC_USER")]
+    rpc_user: Option<String>,
+    /// Spaced RPC password
+    #[arg(long, env = "SPACED_RPC_PASSWORD")]
+    rpc_password: Option<String>,
     /// Bind to given address to listen for JSON-RPC connections.
     /// This option can be specified multiple times (default: 127.0.0.1 and ::1 i.e., localhost)
     #[arg(long, help_heading = Some(RPC_OPTIONS), default_values = ["127.0.0.1", "::1"], env = "SPACED_RPC_BIND")]
@@ -102,7 +109,7 @@ impl Args {
     /// Configures spaced node by processing command line arguments
     /// and configuration files
     pub async fn configure(args: Vec<String>) -> anyhow::Result<Spaced> {
-        let mut args =  Args::try_parse_from(args)?;
+        let mut args = Args::try_parse_from(args)?;
         let default_dirs = get_default_node_dirs();
 
         if args.bitcoin_rpc_url.is_none() {
@@ -132,6 +139,12 @@ impl Args {
             })
             .collect();
 
+        let auth_token = if args.rpc_user.is_some() {
+            Some(basic_auth_token(args.rpc_user.as_ref().unwrap(), args.rpc_password.as_ref().unwrap()))
+        } else {
+            None
+        };
+
         let bitcoin_rpc_auth = if let Some(cookie) = args.bitcoin_rpc_cookie {
             let cookie = std::fs::read_to_string(cookie)?;
             BitcoinRpcAuth::Cookie(cookie)
@@ -144,7 +157,7 @@ impl Args {
         let rpc = BitcoinRpc::new(
             &args.bitcoin_rpc_url.expect("bitcoin rpc url"),
             bitcoin_rpc_auth,
-            !args.bitcoin_rpc_light
+            !args.bitcoin_rpc_light,
         );
 
         let genesis = Spaced::genesis(args.chain);
@@ -196,13 +209,14 @@ impl Args {
             rpc,
             data_dir,
             bind: rpc_bind_addresses,
+            auth_token,
             chain,
             block_index,
             block_index_full: args.block_index_full,
             num_workers: args.jobs as usize,
             anchors_path,
             synced: false,
-            cbf: args.bitcoin_rpc_light
+            cbf: args.bitcoin_rpc_light,
         })
     }
 }

client/src/config.rs

@@ -9,6 +9,7 @@ use std::time::{Duration, Instant};
 use base64::Engine;
 use serde::{Deserialize, Deserializer, Serializer};
 
+pub mod auth;
 mod checker;
 pub mod client;
 pub mod config;

client/src/lib.rs

@@ -53,6 +53,7 @@ use crate::{calc_progress, checker::TxChecker, client::{BlockMeta, TxEntry}, con
     WalletResponse,
 }};
 use crate::wallets::WalletInfoWithProgress;
+use crate::auth::BasicAuthLayer;
 
 pub(crate) type Responder<T> = oneshot::Sender<T>;
 
@@ -689,12 +690,14 @@ impl RpcServerImpl {
     pub async fn listen(
         self,
         addrs: Vec<SocketAddr>,
+        auth_token: Option<String>,
         signal: broadcast::Sender<()>,
     ) -> anyhow::Result<()> {
         let mut listeners: Vec<_> = Vec::with_capacity(addrs.len());
 
         for addr in addrs.iter() {
             let service_builder = tower::ServiceBuilder::new()
+                .layer(BasicAuthLayer::new(auth_token.clone()))
                 .layer(ProxyGetRequestLayer::new(
                     "/root-anchors.json",
                     "getrootanchors",

client/src/rpc.rs

@@ -42,6 +42,7 @@ pub struct Spaced {
     pub rpc: BitcoinRpc,
     pub data_dir: PathBuf,
     pub bind: Vec<SocketAddr>,
+    pub auth_token: Option<String>,
     pub num_workers: usize,
     pub anchors_path: Option<PathBuf>,
     pub synced: bool,