You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(pxe): add execution hooks for authorizing cross-contract utility calls (#23007)
Cherry-pick of PR #23007 with .rej files for the two hunks that failed
to apply against backport-to-v4-next-staging:
- yarn-project/end-to-end/src/fixtures/setup.ts.rej
Hunk anchored on `skipInitialSequencer?: boolean;` field that does
not exist on this branch.
- yarn-project/pxe/src/contract_function_simulator/oracle/private_execution_oracle.ts.rej
Hunk context shifted by an extra `log: this.logger,` line present on
this branch. (Note: the target file is unmodified by this commit
because its only hunk was rejected.)
This commit will not compile on its own; the next commit resolves the
.rej files.
|`No public key registered for address`| Call `wallet.registerSender(...)`|
100
100
|`Direct invocation of ... functions is not supported`| Use `self.call()`, `self.view()`, or `self.enqueue()` to [call contract functions](framework-description/calling_contracts.md)|
101
101
|`Failed to solve brillig function`| Check function parameters and note validity |
102
+
|`Cross-contract utility call denied`| Configure an `authorizeUtilityCall`[execution hook](#cross-contract-utility-call-denied) on your PXE |
103
+
104
+
#### Cross-contract utility call denied
105
+
106
+
When a contract executes a utility function that calls into a different contract, PXE asks an **execution hook** whether the call should be allowed. If no hook is configured, or the hook denies the request, you will see:
To fix this, pass an `authorizeUtilityCall` hook when creating your PXE:
113
+
114
+
```typescript
115
+
import { PXE } from"@aztec/pxe/server";
116
+
117
+
const pxe =awaitPXE.create({
118
+
// ...other options
119
+
hooks: {
120
+
authorizeUtilityCall: async (request) => {
121
+
// Inspect request.caller, request.target, request.functionSelector, etc.
122
+
return { authorized: true };
123
+
},
124
+
},
125
+
});
126
+
```
127
+
128
+
The hook receives a `UtilityCallAuthorizationRequest` with the caller address, target address, function selector, function name, arguments, and caller context (`'private'` or `'utility'`). Return `{ authorized: true }` to allow or `{ authorized: false, reason: '...' }` to deny with a message.
0 commit comments