Tighten device wallet auth and wallet signature binding

Author: gemcoder21

apps/api/src/auth/guard.rs

@@ -1,7 +1,7 @@
 use crate::responders::cache_error;
 use gem_auth::{AuthClient, verify_auth_signature};
 use gem_hash::sha2::sha256;
-use primitives::{AuthMessage, AuthenticatedRequest};
+use primitives::{AuthMessage, AuthenticatedRequest, WalletId};
 use rocket::data::{FromData, Outcome, ToByteUnit};
 use rocket::http::Status;
 use rocket::outcome::Outcome::{Error, Success};
@@ -67,11 +67,21 @@ async fn verify_wallet_signature<'r, T: DeserializeOwned + Send, O>(req: &'r Req
     })
 }
 
+// Auth layering principles:
+// Device guards verify the request/device signature and database scope.
+// WalletSigned verifies wallet ownership of the signed JSON body using an auth nonce.
+// Routes that mutate wallet-owned reward state should require both and bind the signed wallet to the resolved wallet.
 pub struct WalletSigned<T> {
     pub address: String,
     pub data: T,
 }
 
+impl<T> WalletSigned<T> {
+    pub fn matches_multicoin_wallet(&self, wallet_id: &WalletId) -> bool {
+        WalletId::Multicoin(self.address.clone()) == *wallet_id
+    }
+}
+
 #[rocket::async_trait]
 impl<'r, T: DeserializeOwned + Send> FromData<'r> for WalletSigned<T> {
     type Error = String;
@@ -88,3 +98,28 @@ impl<'r, T: DeserializeOwned + Send> FromData<'r> for WalletSigned<T> {
         })
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::WalletSigned;
+    use primitives::{Chain, WalletId};
+
+    const ADDRESS: &str = "0x1111111111111111111111111111111111111111";
+    const OTHER_ADDRESS: &str = "0x2222222222222222222222222222222222222222";
+
+    fn signed_wallet(address: &str) -> WalletSigned<()> {
+        WalletSigned {
+            address: address.to_string(),
+            data: (),
+        }
+    }
+
+    #[test]
+    fn test_matches_multicoin_wallet() {
+        let request = signed_wallet(ADDRESS);
+
+        assert!(request.matches_multicoin_wallet(&WalletId::Multicoin(ADDRESS.to_string())));
+        assert!(!request.matches_multicoin_wallet(&WalletId::Multicoin(OTHER_ADDRESS.to_string())));
+        assert!(!request.matches_multicoin_wallet(&WalletId::Single(Chain::Ethereum, ADDRESS.to_string())));
+    }
+}

apps/api/src/devices/guard.rs apps/api/src/devices/guard/auth.rsapps/api/src/devices/guard.rs renamed to apps/api/src/devices/guard/auth.rs

@@ -1,20 +1,23 @@
-use primitives::WalletId;
 use rocket::Request;
 use rocket::http::Status;
 use rocket::outcome::Outcome::{Error, Success};
-use rocket::request::{FromRequest, Outcome};
-use storage::Database;
+use rocket::request::Outcome;
 use storage::database::devices::DevicesStore;
-use storage::database::wallets::WalletsStore;
-use storage::models::DeviceRow;
+use storage::models::{DeviceRow, WalletRow};
+use storage::{Database, DatabaseClient, WalletsRepository};
 
 use crate::devices::auth_config::AuthConfig;
 use crate::devices::constants::{DEVICE_ID_LENGTH, HEADER_DEVICE_ID, HEADER_WALLET_ID};
 use crate::devices::error::DeviceError;
 use crate::devices::signature::{parse_auth_components, verify_request_signature};
 use crate::responders::cache_error;
 
-fn auth_error_outcome<T>(req: &Request<'_>, error: DeviceError, device_id: Option<&str>, wallet_id: Option<&str>) -> Outcome<T, String> {
+pub(super) struct AuthResult {
+    pub(super) device_id: String,
+    pub(super) wallet_id: Option<String>,
+}
+
+pub(super) fn auth_error_outcome<T>(req: &Request<'_>, error: DeviceError, device_id: Option<&str>, wallet_id: Option<&str>) -> Outcome<T, String> {
     let status = match error {
         DeviceError::MissingHeader(_)
         | DeviceError::InvalidDeviceId
@@ -41,12 +44,7 @@ fn format_auth_error_message(error: &DeviceError, device_id: Option<&str>, walle
     message
 }
 
-struct AuthResult {
-    device_id: String,
-    wallet_id: Option<String>,
-}
-
-async fn authenticate<T>(req: &Request<'_>) -> Result<AuthResult, Outcome<T, String>> {
+pub(super) async fn authenticate<T>(req: &Request<'_>) -> Result<AuthResult, Outcome<T, String>> {
     let Success(config) = req.guard::<&rocket::State<AuthConfig>>().await else {
         panic!("AuthConfig not configured");
     };
@@ -86,84 +84,7 @@ async fn authenticate<T>(req: &Request<'_>) -> Result<AuthResult, Outcome<T, Str
     })
 }
 
-// Signature verified, no database check (for device registration)
-pub struct VerifiedDeviceId(pub String);
-
-#[rocket::async_trait]
-impl<'r> FromRequest<'r> for VerifiedDeviceId {
-    type Error = String;
-
-    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, String> {
-        match authenticate(req).await {
-            Ok(auth) => Success(VerifiedDeviceId(auth.device_id)),
-            Err(error) => error,
-        }
-    }
-}
-
-// Signature verified + device exists in database
-pub struct AuthenticatedDevice {
-    pub device_row: DeviceRow,
-}
-
-#[rocket::async_trait]
-impl<'r> FromRequest<'r> for AuthenticatedDevice {
-    type Error = String;
-
-    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, String> {
-        let auth = match authenticate(req).await {
-            Ok(auth) => auth,
-            Err(error) => return error,
-        };
-
-        let (device_row, _) = match lookup_device(req, &auth.device_id).await {
-            Ok(result) => result,
-            Err(error) => return error,
-        };
-
-        Success(AuthenticatedDevice { device_row })
-    }
-}
-
-// Signature verified + device and wallet exist in database
-pub struct AuthenticatedDeviceWallet {
-    pub device_row: DeviceRow,
-    pub wallet_id: i32,
-    pub wallet_identifier: WalletId,
-}
-
-#[rocket::async_trait]
-impl<'r> FromRequest<'r> for AuthenticatedDeviceWallet {
-    type Error = String;
-
-    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, String> {
-        let auth = match authenticate(req).await {
-            Ok(auth) => auth,
-            Err(error) => return error,
-        };
-
-        let Some(wallet_id_str) = auth.wallet_id else {
-            return auth_error_outcome(req, DeviceError::MissingHeader(HEADER_WALLET_ID), Some(&auth.device_id), None);
-        };
-
-        let (device_row, mut db_client) = match lookup_device(req, &auth.device_id).await {
-            Ok(result) => result,
-            Err(error) => return error,
-        };
-
-        let Ok(wallet_row) = WalletsStore::get_wallet(&mut db_client, &wallet_id_str) else {
-            return auth_error_outcome(req, DeviceError::WalletNotFound, Some(&auth.device_id), Some(&wallet_id_str));
-        };
-
-        Success(AuthenticatedDeviceWallet {
-            device_row,
-            wallet_id: wallet_row.id,
-            wallet_identifier: wallet_row.wallet_id.0,
-        })
-    }
-}
-
-async fn lookup_device<T>(req: &Request<'_>, device_id: &str) -> Result<(DeviceRow, storage::DatabaseClient), Outcome<T, String>> {
+pub(super) async fn lookup_device<T>(req: &Request<'_>, device_id: &str) -> Result<(DeviceRow, DatabaseClient), Outcome<T, String>> {
     let Success(database) = req.guard::<&rocket::State<Database>>().await else {
         return Err(auth_error_outcome(req, DeviceError::DatabaseUnavailable, Some(device_id), None));
     };
@@ -179,6 +100,18 @@ async fn lookup_device<T>(req: &Request<'_>, device_id: &str) -> Result<(DeviceR
     Ok((device_row, db_client))
 }
 
+pub(super) async fn lookup_device_wallet<T>(req: &Request<'_>, device_id: &str, wallet_id: &str) -> Result<(DeviceRow, WalletRow), Outcome<T, String>> {
+    let (device_row, mut db_client) = lookup_device(req, device_id).await?;
+
+    let wallet_row = match db_client.get_wallet_by_device_and_identifier(device_row.id, wallet_id) {
+        Ok(wallet_row) => wallet_row,
+        Err(error) if error.is_not_found() => return Err(auth_error_outcome(req, DeviceError::WalletNotFound, Some(device_id), Some(wallet_id))),
+        Err(_) => return Err(auth_error_outcome(req, DeviceError::DatabaseError, Some(device_id), Some(wallet_id))),
+    };
+
+    Ok((device_row, wallet_row))
+}
+
 #[cfg(test)]
 mod tests {
     use super::format_auth_error_message;

apps/api/src/devices/guard/authenticated_device.rs

@@ -0,0 +1,30 @@
+use rocket::Request;
+use rocket::outcome::Outcome::Success;
+use rocket::request::{FromRequest, Outcome};
+use storage::models::DeviceRow;
+
+use super::auth::{authenticate, lookup_device};
+
+// Verifies the device request signature, then checks that the device exists.
+pub struct AuthenticatedDevice {
+    pub device_row: DeviceRow,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for AuthenticatedDevice {
+    type Error = String;
+
+    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, String> {
+        let auth = match authenticate(req).await {
+            Ok(auth) => auth,
+            Err(error) => return error,
+        };
+
+        let (device_row, _) = match lookup_device(req, &auth.device_id).await {
+            Ok(result) => result,
+            Err(error) => return error,
+        };
+
+        Success(AuthenticatedDevice { device_row })
+    }
+}

apps/api/src/devices/guard/authenticated_device_wallet.rs

@@ -0,0 +1,44 @@
+use primitives::WalletId;
+use rocket::Request;
+use rocket::outcome::Outcome::Success;
+use rocket::request::{FromRequest, Outcome};
+use storage::models::DeviceRow;
+
+use super::auth::{auth_error_outcome, authenticate, lookup_device_wallet};
+use crate::devices::constants::HEADER_WALLET_ID;
+use crate::devices::error::DeviceError;
+
+// Verifies control of the device key, then resolves a wallet attached to that device.
+// This proves device-wallet scope, not wallet-owner intent; routes that need owner approval must also use WalletSigned<T>.
+pub struct AuthenticatedDeviceWallet {
+    pub device_row: DeviceRow,
+    pub wallet_id: i32,
+    pub wallet_identifier: WalletId,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for AuthenticatedDeviceWallet {
+    type Error = String;
+
+    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, String> {
+        let auth = match authenticate(req).await {
+            Ok(auth) => auth,
+            Err(error) => return error,
+        };
+
+        let Some(wallet_id_str) = auth.wallet_id else {
+            return auth_error_outcome(req, DeviceError::MissingHeader(HEADER_WALLET_ID), Some(&auth.device_id), None);
+        };
+
+        let (device_row, wallet_row) = match lookup_device_wallet(req, &auth.device_id, &wallet_id_str).await {
+            Ok(result) => result,
+            Err(error) => return error,
+        };
+
+        Success(AuthenticatedDeviceWallet {
+            device_row,
+            wallet_id: wallet_row.id,
+            wallet_identifier: wallet_row.wallet_id.0,
+        })
+    }
+}

apps/api/src/devices/guard/mod.rs

@@ -0,0 +1,8 @@
+mod auth;
+mod authenticated_device;
+mod authenticated_device_wallet;
+mod verified_device_id;
+
+pub use authenticated_device::AuthenticatedDevice;
+pub use authenticated_device_wallet::AuthenticatedDeviceWallet;
+pub use verified_device_id::VerifiedDeviceId;

apps/api/src/devices/guard/verified_device_id.rs

@@ -0,0 +1,20 @@
+use rocket::Request;
+use rocket::outcome::Outcome::Success;
+use rocket::request::{FromRequest, Outcome};
+
+use super::auth::authenticate;
+
+// Verifies the device request signature without checking the database.
+pub struct VerifiedDeviceId(pub String);
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for VerifiedDeviceId {
+    type Error = String;
+
+    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, String> {
+        match authenticate(req).await {
+            Ok(auth) => Success(VerifiedDeviceId(auth.device_id)),
+            Err(error) => error,
+        }
+    }
+}

apps/api/src/devices/mod.rs

@@ -193,6 +193,10 @@ pub async fn redeem_device_rewards_v2(
     request: WalletSigned<RedemptionRequest>,
     client: &State<Mutex<RewardsRedemptionClient>>,
 ) -> Result<ApiResponse<RedemptionResult>, ApiError> {
+    if !request.matches_multicoin_wallet(&device.wallet_identifier) {
+        return Err(ApiError::BadRequest("Wallet signature mismatch".to_string()));
+    }
+
     Ok(client
         .lock()
         .await

crates/storage/src/database/wallets.rs

@@ -8,6 +8,7 @@ use primitives::Chain;
 
 pub trait WalletsStore {
     fn get_wallet(&mut self, identifier: &str) -> Result<WalletRow, diesel::result::Error>;
+    fn get_wallet_by_device_and_identifier(&mut self, device_id: i32, identifier: &str) -> Result<WalletRow, diesel::result::Error>;
     fn get_wallet_by_id(&mut self, id: i32) -> Result<WalletRow, diesel::result::Error>;
     fn get_wallets(&mut self, identifiers: Vec<String>) -> Result<Vec<WalletRow>, diesel::result::Error>;
     fn create_wallet(&mut self, wallet: NewWalletRow) -> Result<WalletRow, diesel::result::Error>;
@@ -46,6 +47,15 @@ impl WalletsStore for DatabaseClient {
             .first(&mut self.connection)
     }
 
+    fn get_wallet_by_device_and_identifier(&mut self, device_id: i32, identifier: &str) -> Result<WalletRow, diesel::result::Error> {
+        wallets::table
+            .inner_join(wallets_subscriptions::table.on(wallets_subscriptions::wallet_id.eq(wallets::id)))
+            .filter(wallets::identifier.eq(identifier))
+            .filter(wallets_subscriptions::device_id.eq(device_id))
+            .select(WalletRow::as_select())
+            .first(&mut self.connection)
+    }
+
     fn get_wallet_by_id(&mut self, id: i32) -> Result<WalletRow, diesel::result::Error> {
         wallets::table.filter(wallets::id.eq(id)).select(WalletRow::as_select()).first(&mut self.connection)
     }

crates/storage/src/repositories/wallets_repository.rs

@@ -7,6 +7,7 @@ use std::collections::{HashMap, HashSet};
 
 pub trait WalletsRepository {
     fn get_wallet(&mut self, identifier: &str) -> Result<WalletRow, DatabaseError>;
+    fn get_wallet_by_device_and_identifier(&mut self, device_id: i32, identifier: &str) -> Result<WalletRow, DatabaseError>;
     fn get_wallet_by_id(&mut self, id: i32) -> Result<WalletRow, DatabaseError>;
     fn get_wallets(&mut self, identifiers: Vec<String>) -> Result<Vec<WalletRow>, DatabaseError>;
     fn create_wallets(&mut self, wallets: Vec<NewWalletRow>) -> Result<usize, DatabaseError>;
@@ -32,6 +33,10 @@ impl WalletsRepository for DatabaseClient {
         WalletsStore::get_wallet(self, identifier).or_not_found(identifier.to_string())
     }
 
+    fn get_wallet_by_device_and_identifier(&mut self, device_id: i32, identifier: &str) -> Result<WalletRow, DatabaseError> {
+        WalletsStore::get_wallet_by_device_and_identifier(self, device_id, identifier).or_not_found(identifier.to_string())
+    }
+
     fn get_wallet_by_id(&mut self, id: i32) -> Result<WalletRow, DatabaseError> {
         WalletsStore::get_wallet_by_id(self, id).or_not_found_internal(id.to_string())
     }