feat: support mTLS certificate upload (#835)

* feat: Add mTLS and custom HMAC support to webhoks

* remove resetNonce

* use env vars for client id/secret

* update tests

* debug steps

* remove async

* remove unneeded changes

Author: arcoraven

.env.test

@@ -7,11 +7,11 @@ ENABLE_HTTPS="true"
 REDIS_URL="redis://127.0.0.1:6379/0"
 THIRDWEB_API_SECRET_KEY="my-thirdweb-secret-key"
 
-TEST_AWS_KMS_KEY_ID=""
-TEST_AWS_KMS_ACCESS_KEY_ID=""
-TEST_AWS_KMS_SECRET_ACCESS_KEY=""
-TEST_AWS_KMS_REGION=""
+TEST_AWS_KMS_KEY_ID="UNIMPLEMENTED"
+TEST_AWS_KMS_ACCESS_KEY_ID="UNIMPLEMENTED"
+TEST_AWS_KMS_SECRET_ACCESS_KEY="UNIMPLEMENTED"
+TEST_AWS_KMS_REGION="UNIMPLEMENTED"
 
-TEST_GCP_KMS_RESOURCE_PATH=""
-TEST_GCP_KMS_EMAIL=""
-TEST_GCP_KMS_PK=""
+TEST_GCP_KMS_RESOURCE_PATH="UNIMPLEMENTED"
+TEST_GCP_KMS_EMAIL="UNIMPLEMENTED"
+TEST_GCP_KMS_PK="UNIMPLEMENTED"

package.json

@@ -68,6 +68,7 @@
     "prom-client": "^15.1.3",
     "superjson": "^2.2.1",
     "thirdweb": "^5.83.0",
+    "undici": "^6.20.1",
     "uuid": "^9.0.1",
     "viem": "^2.21.54",
     "winston": "^3.14.1",

src/prisma/migrations/20241031010103_add_mtls_configuration/migration.sql

@@ -0,0 +1,3 @@
+-- AlterTable
+ALTER TABLE "configuration" ADD COLUMN     "mtlsCertificateEncrypted" TEXT,
+ADD COLUMN     "mtlsPrivateKeyEncrypted" TEXT;

src/prisma/schema.prisma

@@ -50,6 +50,9 @@ model Configuration {
   accessControlAllowOrigin           String   @default("https://thirdweb.com,https://embed.ipfscdn.io") @map("accessControlAllowOrigin")
   ipAllowlist                        String[] @default([]) @map("ipAllowlist")
   clearCacheCronSchedule             String   @default("*/30 * * * * *") @map("clearCacheCronSchedule")
+  // mTLS support
+  mtlsCertificateEncrypted           String?
+  mtlsPrivateKeyEncrypted            String?
 
   @@map("configuration")
 }

src/server/middleware/auth.ts

@@ -5,10 +5,10 @@ import {
   type ThirdwebAuthUser,
 } from "@thirdweb-dev/auth/fastify";
 import { AsyncWallet } from "@thirdweb-dev/wallets/evm/wallets/async";
-import { createHash } from "node:crypto";
 import type { FastifyInstance } from "fastify";
 import type { FastifyRequest } from "fastify/types/request";
 import jsonwebtoken, { type JwtPayload } from "jsonwebtoken";
+import { createHash } from "node:crypto";
 import { validate as uuidValidate } from "uuid";
 import { getPermissions } from "../../shared/db/permissions/get-permissions";
 import { createToken } from "../../shared/db/tokens/create-token";
@@ -123,7 +123,8 @@ export async function withAuth(server: FastifyInstance) {
         }
         // Allow this request to proceed.
         return;
-      }if (error) {
+      }
+      if (error) {
         message = error;
       }
     } catch (err: unknown) {
@@ -172,10 +173,11 @@ export const onRequest = async ({
         const authWallet = await getAuthWallet();
         if (publicKey === (await authWallet.getAddress())) {
           return await handleAccessToken(jwt, req, getUser);
-        }if (publicKey === THIRDWEB_DASHBOARD_ISSUER) {
+        }
+        if (publicKey === THIRDWEB_DASHBOARD_ISSUER) {
           return await handleDashboardAuth(jwt);
         }
-          return await handleKeypairAuth({ jwt, req, publicKey });
+        return await handleKeypairAuth({ jwt, req, publicKey });
       }
 
       // Get the public key hash from the `kid` header.

src/server/routes/configuration/auth/get.ts

@@ -6,7 +6,9 @@ import { standardResponseSchema } from "../../../schemas/shared-api-schemas";
 
 export const responseBodySchema = Type.Object({
   result: Type.Object({
-    domain: Type.String(),
+    authDomain: Type.String(),
+    mtlsCertificate: Type.Union([Type.String(), Type.Null()]),
+    // Do not return mtlsPrivateKey.
   }),
 });
 
@@ -27,10 +29,12 @@ export async function getAuthConfiguration(fastify: FastifyInstance) {
       },
     },
     handler: async (_req, res) => {
-      const config = await getConfig();
+      const { authDomain, mtlsCertificate } = await getConfig();
+
       res.status(StatusCodes.OK).send({
         result: {
-          domain: config.authDomain,
+          authDomain,
+          mtlsCertificate,
         },
       });
     },

src/server/routes/configuration/auth/update.ts

@@ -5,10 +5,21 @@ import { updateConfiguration } from "../../../../shared/db/configuration/update-
 import { getConfig } from "../../../../shared/utils/cache/get-config";
 import { standardResponseSchema } from "../../../schemas/shared-api-schemas";
 import { responseBodySchema } from "./get";
+import { createCustomError } from "../../../middleware/error";
+import { encrypt } from "../../../../shared/utils/crypto";
 
-export const requestBodySchema = Type.Object({
-  domain: Type.String(),
-});
+export const requestBodySchema = Type.Partial(
+  Type.Object({
+    authDomain: Type.String(),
+    mtlsCertificate: Type.String({
+      description:
+        "Engine certificate used for outbound mTLS requests. Must provide the full certificate chain.",
+    }),
+    mtlsPrivateKey: Type.String({
+      description: "Engine private key used for outbound mTLS requests.",
+    }),
+  }),
+);
 
 export async function updateAuthConfiguration(fastify: FastifyInstance) {
   fastify.route<{
@@ -29,15 +40,49 @@ export async function updateAuthConfiguration(fastify: FastifyInstance) {
       },
     },
     handler: async (req, res) => {
+      const { authDomain, mtlsCertificate, mtlsPrivateKey } = req.body;
+
+      if (mtlsCertificate) {
+        if (
+          !mtlsCertificate.includes("-----BEGIN CERTIFICATE-----\n") ||
+          !mtlsCertificate.includes("\n-----END CERTIFICATE-----")
+        ) {
+          throw createCustomError(
+            "Invalid mtlsCertificate.",
+            StatusCodes.BAD_REQUEST,
+            "INVALID_MTLS_CERTIFICATE",
+          );
+        }
+      }
+      if (mtlsPrivateKey) {
+        if (
+          !mtlsPrivateKey.startsWith("-----BEGIN PRIVATE KEY-----\n") ||
+          !mtlsPrivateKey.endsWith("\n-----END PRIVATE KEY-----")
+        ) {
+          throw createCustomError(
+            "Invalid mtlsPrivateKey.",
+            StatusCodes.BAD_REQUEST,
+            "INVALID_MTLS_PRIVATE_KEY",
+          );
+        }
+      }
+
       await updateConfiguration({
-        authDomain: req.body.domain,
+        authDomain,
+        mtlsCertificateEncrypted: mtlsCertificate
+          ? encrypt(mtlsCertificate)
+          : undefined,
+        mtlsPrivateKeyEncrypted: mtlsPrivateKey
+          ? encrypt(mtlsPrivateKey)
+          : undefined,
       });
 
       const config = await getConfig(false);
 
       res.status(StatusCodes.OK).send({
         result: {
-          domain: config.authDomain,
+          authDomain: config.authDomain,
+          mtlsCertificate: config.mtlsCertificate,
         },
       });
     },

src/server/routes/webhooks/create.ts

@@ -45,7 +45,7 @@ export async function createWebhookRoute(fastify: FastifyInstance) {
     method: "POST",
     url: "/webhooks/create",
     schema: {
-      summary: "Create a webhook",
+      summary: "Create webhook",
       description:
         "Create a webhook to call when a specific Engine event occurs.",
       tags: ["Webhooks"],

src/shared/db/configuration/get-configuration.ts

@@ -172,6 +172,12 @@ const toParsedConfig = async (config: Configuration): Promise<ParsedConfig> => {
       gcp: gcpWalletConfiguration,
       legacyWalletType_removeInNextBreakingChange,
     },
+    mtlsCertificate: config.mtlsCertificateEncrypted
+      ? decrypt(config.mtlsCertificateEncrypted, env.ENCRYPTION_PASSWORD)
+      : null,
+    mtlsPrivateKey: config.mtlsPrivateKeyEncrypted
+      ? decrypt(config.mtlsPrivateKeyEncrypted, env.ENCRYPTION_PASSWORD)
+      : null,
   };
 };
 

src/shared/db/configuration/update-configuration.ts

@@ -3,7 +3,7 @@ import { encrypt } from "../../utils/crypto";
 import { prisma } from "../client";
 
 export const updateConfiguration = async (
-  data: Prisma.ConfigurationUpdateArgs["data"],
+  data: Prisma.ConfigurationUpdateInput,
 ) => {
   return prisma.configuration.update({
     where: {