Use signature or auth token for routes (#968)

* check auth and signature for routes

* fix check commands

* validation fix

* add nonce in get download

* change message paid

* send correct msg in test

* add correct signature

* fix signature messages test

* do not check log

* sign download asset test

* remove validation fields

* lint fix

Author: giurgiur99

package-lock.json

@@ -73,7 +73,7 @@
     "@libp2p/websockets": "^8.1.1",
     "@multiformats/multiaddr": "^10.2.0",
     "@oceanprotocol/contracts": "^2.3.0",
-    "@oceanprotocol/ddo-js": "^0.1.0",
+    "@oceanprotocol/ddo-js": "^0.1.1",
     "@types/lodash.clonedeep": "^4.5.7",
     "axios": "^1.8.4",
     "base58-js": "^2.0.0",

package.json

@@ -9,6 +9,14 @@ export interface CommonValidation {
   error: string
 }
 
+export interface AuthValidation {
+  token?: string
+  address?: string
+  nonce?: string
+  signature?: string
+  message?: string
+}
+
 export class Auth {
   private authTokenDatabase: AuthTokenDatabase
 
@@ -21,10 +29,6 @@ export class Auth {
     return config.jwtSecret
   }
 
-  public getMessage(address: string, nonce: string): string {
-    return address + nonce
-  }
-
   async getJWTToken(address: string, nonce: string, createdAt: number): Promise<string> {
     const jwtToken = jwt.sign(
       {
@@ -68,17 +72,10 @@ export class Auth {
    * @param {string} message - The message to validate
    * @returns The validation result
    */
-  async validateAuthenticationOrToken({
-    token,
-    address,
-    nonce,
-    signature
-  }: {
-    token?: string
-    address?: string
-    nonce?: string
-    signature?: string
-  }): Promise<CommonValidation> {
+  async validateAuthenticationOrToken(
+    authValidation: AuthValidation
+  ): Promise<CommonValidation> {
+    const { token, address, nonce, signature, message } = authValidation
     try {
       if (signature && address && nonce) {
         const oceanNode = OceanNode.getInstance()
@@ -87,7 +84,7 @@ export class Auth {
           address,
           parseInt(nonce),
           signature,
-          this.getMessage(address, nonce)
+          message
         )
 
         if (!nonceCheckResult.valid) {

src/components/Auth/index.ts

@@ -2,7 +2,6 @@ import { P2PCommandResponse } from '../../../@types/index.js'
 import { CORE_LOGGER } from '../../../utils/logging/common.js'
 import { CommandHandler } from '../handler/handler.js'
 import { ComputeGetResultCommand } from '../../../@types/commands.js'
-import { checkNonce, NonceResponse } from '../utils/nonceHandler.js'
 import {
   buildInvalidRequestMessage,
   validateCommandParameters,
@@ -12,13 +11,7 @@ import { isAddress } from 'ethers'
 
 export class ComputeGetResultHandler extends CommandHandler {
   validate(command: ComputeGetResultCommand): ValidateParams {
-    const validation = validateCommandParameters(command, [
-      'consumerAddress',
-      'signature',
-      'nonce',
-      'jobId',
-      'index'
-    ])
+    const validation = validateCommandParameters(command, ['jobId', 'index'])
     if (validation.valid) {
       if (command.consumerAddress && !isAddress(command.consumerAddress)) {
         return buildInvalidRequestMessage(
@@ -38,33 +31,17 @@ export class ComputeGetResultHandler extends CommandHandler {
       return validationResponse
     }
 
-    let error = null
-
-    // signature message to check against
-    const message = task.consumerAddress + task.jobId + task.index.toString() + task.nonce
-    const nonceCheckResult: NonceResponse = await checkNonce(
-      this.getOceanNode().getDatabase().nonce,
+    const authValidationResponse = await this.validateTokenOrSignature(
+      task.authorization,
       task.consumerAddress,
-      parseInt(task.nonce),
+      task.nonce,
       task.signature,
-      message // task.jobId + task.index.toString()
+      String(task.consumerAddress + task.jobId + task.index.toString() + task.nonce)
     )
-
-    if (!nonceCheckResult.valid) {
-      // eslint-disable-next-line prefer-destructuring
-      error = nonceCheckResult.error
+    if (authValidationResponse.status.httpStatus !== 200) {
+      return authValidationResponse
     }
 
-    if (error) {
-      CORE_LOGGER.logMessage(error, true)
-      return {
-        stream: null,
-        status: {
-          httpStatus: 400,
-          error
-        }
-      }
-    }
     // split jobId (which is already in hash-jobId format) and get the hash
     // then get jobId which might contain dashes as well
     const index = task.jobId.indexOf('-')

src/components/core/compute/getResults.ts

@@ -2,7 +2,6 @@ import { P2PCommandResponse } from '../../../@types/index.js'
 import { CORE_LOGGER } from '../../../utils/logging/common.js'
 import { CommandHandler } from '../handler/handler.js'
 import { ComputeGetStreamableLogsCommand } from '../../../@types/commands.js'
-import { checkNonce, NonceResponse } from '../utils/nonceHandler.js'
 import { Stream } from 'stream'
 import {
   buildInvalidRequestMessage,
@@ -13,12 +12,7 @@ import { isAddress } from 'ethers'
 
 export class ComputeGetStreamableLogsHandler extends CommandHandler {
   validate(command: ComputeGetStreamableLogsCommand): ValidateParams {
-    const validation = validateCommandParameters(command, [
-      'consumerAddress',
-      'signature',
-      'nonce',
-      'jobId'
-    ])
+    const validation = validateCommandParameters(command, ['jobId'])
     if (validation.valid) {
       if (command.consumerAddress && !isAddress(command.consumerAddress)) {
         return buildInvalidRequestMessage(
@@ -30,37 +24,22 @@ export class ComputeGetStreamableLogsHandler extends CommandHandler {
   }
 
   async handle(task: ComputeGetStreamableLogsCommand): Promise<P2PCommandResponse> {
+    const oceanNode = this.getOceanNode()
+
     const validationResponse = await this.verifyParamsAndRateLimits(task)
     if (this.shouldDenyTaskHandling(validationResponse)) {
       return validationResponse
     }
-    const oceanNode = this.getOceanNode()
-    let error = null
 
-    // signature message to check against
-    const message = task.consumerAddress + task.jobId + task.nonce
-    const nonceCheckResult: NonceResponse = await checkNonce(
-      oceanNode.getDatabase().nonce,
+    const authValidationResponse = await this.validateTokenOrSignature(
+      task.authorization,
       task.consumerAddress,
-      parseInt(task.nonce),
+      task.nonce,
       task.signature,
-      message
+      String(task.consumerAddress + task.jobId + task.nonce)
     )
-
-    if (!nonceCheckResult.valid) {
-      // eslint-disable-next-line prefer-destructuring
-      error = nonceCheckResult.error
-    }
-
-    if (error) {
-      CORE_LOGGER.logMessage(error, true)
-      return {
-        stream: null,
-        status: {
-          httpStatus: 400,
-          error
-        }
-      }
+    if (authValidationResponse.status.httpStatus !== 200) {
+      return authValidationResponse
     }
 
     // split jobId (which is already in hash-jobId format) and get the hash

src/components/core/compute/getStreamableLogs.ts

@@ -32,15 +32,12 @@ import { FindDdoHandler } from '../handler/ddoHandler.js'
 // import { ProviderFeeValidation } from '../../../@types/Fees.js'
 import { isOrderingAllowedForAsset } from '../handler/downloadHandler.js'
 import { DDOManager } from '@oceanprotocol/ddo-js'
-import { getNonceAsNumber, checkNonce, NonceResponse } from '../utils/nonceHandler.js'
+import { getNonceAsNumber } from '../utils/nonceHandler.js'
 import { generateUniqueID } from '../../database/sqliteCompute.js'
 
 export class PaidComputeStartHandler extends CommandHandler {
   validate(command: PaidComputeStartCommand): ValidateParams {
     const commandValidation = validateCommandParameters(command, [
-      'consumerAddress',
-      'signature',
-      'nonce',
       'environment',
       'algorithm',
       'datasets',
@@ -64,6 +61,19 @@ export class PaidComputeStartHandler extends CommandHandler {
     if (this.shouldDenyTaskHandling(validationResponse)) {
       return validationResponse
     }
+
+    const authValidationResponse = await this.validateTokenOrSignature(
+      task.authorization,
+      task.consumerAddress,
+      task.nonce,
+      task.signature,
+      String(task.consumerAddress + task.datasets[0]?.documentId + task.nonce)
+    )
+
+    if (authValidationResponse.status.httpStatus !== 200) {
+      return authValidationResponse
+    }
+
     try {
       const node = this.getOceanNode()
       // split compute env (which is already in hash-envId format) and get the hash
@@ -452,9 +462,6 @@ export class FreeComputeStartHandler extends CommandHandler {
     const commandValidation = validateCommandParameters(command, [
       'algorithm',
       'datasets',
-      'consumerAddress',
-      'signature',
-      'nonce',
       'environment'
     ])
     if (commandValidation.valid) {
@@ -468,34 +475,23 @@ export class FreeComputeStartHandler extends CommandHandler {
   }
 
   async handle(task: FreeComputeStartCommand): Promise<P2PCommandResponse> {
+    const thisNode = this.getOceanNode()
     const validationResponse = await this.verifyParamsAndRateLimits(task)
     if (this.shouldDenyTaskHandling(validationResponse)) {
       return validationResponse
     }
-    const thisNode = this.getOceanNode()
-    // Validate nonce and signature
-    const nonceCheckResult: NonceResponse = await checkNonce(
-      thisNode.getDatabase().nonce,
+
+    const authValidationResponse = await this.validateTokenOrSignature(
+      task.authorization,
       task.consumerAddress,
-      parseInt(task.nonce),
+      task.nonce,
       task.signature,
       String(task.nonce)
     )
-
-    if (!nonceCheckResult.valid) {
-      CORE_LOGGER.logMessage(
-        'Invalid nonce or signature, unable to proceed: ' + nonceCheckResult.error,
-        true
-      )
-      return {
-        stream: null,
-        status: {
-          httpStatus: 500,
-          error:
-            'Invalid nonce or signature, unable to proceed: ' + nonceCheckResult.error
-        }
-      }
+    if (authValidationResponse.status.httpStatus !== 200) {
+      return authValidationResponse
     }
+
     let engine = null
     try {
       // split compute env (which is already in hash-envId format) and get the hash

src/components/core/compute/startCompute.ts

@@ -12,12 +12,7 @@ import { isAddress } from 'ethers'
 
 export class ComputeStopHandler extends CommandHandler {
   validate(command: ComputeStopCommand): ValidateParams {
-    const validation = validateCommandParameters(command, [
-      'consumerAddress',
-      'signature',
-      'nonce',
-      'jobId'
-    ])
+    const validation = validateCommandParameters(command, ['jobId'])
     if (validation.valid) {
       if (!isAddress(command.consumerAddress)) {
         return buildInvalidRequestMessage(
@@ -33,6 +28,18 @@ export class ComputeStopHandler extends CommandHandler {
     if (this.shouldDenyTaskHandling(validationResponse)) {
       return validationResponse
     }
+
+    const authValidationResponse = await this.validateTokenOrSignature(
+      task.authorization,
+      task.consumerAddress,
+      task.nonce,
+      task.signature,
+      String(task.consumerAddress + (task.jobId || ''))
+    )
+    if (authValidationResponse.status.httpStatus !== 200) {
+      return authValidationResponse
+    }
+
     try {
       // split jobId (which is already in hash-jobId format) and get the hash
       // then get jobId which might contain dashes as well

src/components/core/compute/stopCompute.ts

@@ -31,7 +31,6 @@ export class CreateAuthTokenHandler extends CommandHandler {
   async handle(task: CreateAuthTokenCommand): Promise<P2PCommandResponse> {
     const { address, nonce, signature } = task
     const nonceDb = this.getOceanNode().getDatabase().nonce
-    const auth = this.getOceanNode().getAuth()
     const validationResponse = await this.verifyParamsAndRateLimits(task)
     if (this.shouldDenyTaskHandling(validationResponse)) {
       return validationResponse
@@ -43,7 +42,7 @@ export class CreateAuthTokenHandler extends CommandHandler {
         address,
         parseInt(nonce),
         signature,
-        auth.getMessage(address, nonce)
+        String(address + nonce)
       )
 
       if (!nonceCheckResult.valid) {
@@ -83,7 +82,6 @@ export class InvalidateAuthTokenHandler extends CommandHandler {
   async handle(task: InvalidateAuthTokenCommand): Promise<P2PCommandResponse> {
     const { address, nonce, signature, token } = task
     const nonceDb = this.getOceanNode().getDatabase().nonce
-    const auth = this.getOceanNode().getAuth()
     const validationResponse = await this.verifyParamsAndRateLimits(task)
     if (this.shouldDenyTaskHandling(validationResponse)) {
       return validationResponse
@@ -95,7 +93,7 @@ export class InvalidateAuthTokenHandler extends CommandHandler {
         address,
         parseInt(nonce),
         signature,
-        auth.getMessage(address, nonce)
+        String(address + nonce)
       )
       if (!isValid) {
         return {