Check wallet signature (#947)

* check wallet signature

* lint fix

* configurable ddo validate env

* add tests

Author: giurgiur99

.env.example

@@ -37,6 +37,7 @@ export MAX_REQ_PER_MINUTE=
 export MAX_CHECKSUM_LENGTH=
 export LOG_LEVEL=
 export HTTP_API_PORT=
+export VALIDATE_UNSIGNED_DDO=
 
 ## p2p
 

docs/env.md

@@ -32,6 +32,7 @@ Environmental variables are also tracked in `ENVIRONMENT_VARIABLES` within `src/
 - `IS_BOOTSTRAP`: Is this node to be used as bootstrap node or not. Default is `false`.
 - `AUTHORIZED_PUBLISHERS`: Authorized list of publishers. If present, Node will only index assets published by the accounts in the list. Example: `"[\"0x967da4048cD07aB37855c090aAF366e4ce1b9F48\",\"0x388C818CA8B9251b393131C08a736A67ccB19297\"]"`
 - `AUTHORIZED_PUBLISHERS_LIST`: AccessList contract addresses (per chain). If present, Node will only index assets published by the accounts present on the given access lists. Example: `"{ \"8996\": [\"0x967da4048cD07aB37855c090aAF366e4ce1b9F48\",\"0x388C818CA8B9251b393131C08a736A67ccB19297\"] }"`
+- `VALIDATE_UNSIGNED_DDO`: If set to `false`, the node will not validate unsigned DDOs and will request a signed message with the publisher address, nonce and signature. Default is `true`. Example: `false`
 
 ## Payments
 

src/@types/OceanNode.ts

@@ -112,6 +112,7 @@ export interface OceanNodeConfig {
   denyList?: DenyList
   unsafeURLs?: string[]
   isBootstrap?: boolean
+  validateUnsignedDDO?: boolean
 }
 
 export interface P2PStatusResponse {

src/@types/commands.ts

@@ -79,6 +79,9 @@ export interface FindDDOCommand extends DDOCommand {
 // https://github.com/oceanprotocol/ocean-node/issues/47
 export interface ValidateDDOCommand extends Command {
   ddo: DDO
+  publisherAddress?: string
+  nonce?: string
+  signature?: string
 }
 
 export interface StatusCommand extends Command {

src/components/core/handler/ddoHandler.ts

@@ -396,17 +396,9 @@ export class DecryptDdoHandler extends CommandHandler {
           ['bytes'],
           [ethers.hexlify(ethers.toUtf8Bytes(message))]
         )
-        const addressFromHashSignature = ethers.verifyMessage(messageHash, task.signature)
-        const messageHashBytes = ethers.toBeArray(messageHash)
-        const addressFromBytesSignature = ethers.verifyMessage(
-          messageHashBytes,
-          task.signature
-        )
+        const addressFromSignature = ethers.verifyMessage(messageHash, task.signature)
 
-        if (
-          addressFromHashSignature?.toLowerCase() !== decrypterAddress?.toLowerCase() &&
-          addressFromBytesSignature?.toLowerCase() !== decrypterAddress?.toLowerCase()
-        ) {
+        if (addressFromSignature?.toLowerCase() !== decrypterAddress?.toLowerCase()) {
           throw new Error('address does not match')
         }
       } catch (error) {
@@ -809,6 +801,7 @@ export class ValidateDDOHandler extends CommandHandler {
   }
 
   async handle(task: ValidateDDOCommand): Promise<P2PCommandResponse> {
+    const configuration = await getConfiguration()
     const validationResponse = await this.verifyParamsAndRateLimits(task)
     if (this.shouldDenyTaskHandling(validationResponse)) {
       return validationResponse
@@ -817,6 +810,35 @@ export class ValidateDDOHandler extends CommandHandler {
       const ddoInstance = DDOManager.getDDOClass(task.ddo)
       const validation = await ddoInstance.validate()
 
+      const { ddo, publisherAddress, nonce, signature: signatureFromRequest } = task
+      if (configuration.validateUnsignedDDO === false) {
+        if (!publisherAddress || !nonce || !signatureFromRequest) {
+          return {
+            stream: null,
+            status: {
+              httpStatus: 400,
+              error:
+                'A signature is required to validate a DDO, please provide a signed message with the publisher address, nonce and signature'
+            }
+          }
+        }
+      }
+
+      if (publisherAddress && nonce && signatureFromRequest) {
+        const isValid = validateDdoSignedByPublisher(
+          ddo,
+          nonce,
+          signatureFromRequest,
+          publisherAddress
+        )
+        if (!isValid) {
+          return {
+            stream: null,
+            status: { httpStatus: 400, error: 'Invalid signature' }
+          }
+        }
+      }
+
       if (validation[0] === false) {
         CORE_LOGGER.logMessageWithEmoji(
           `Validation failed with error: ${validation[1]}`,
@@ -849,6 +871,27 @@ export class ValidateDDOHandler extends CommandHandler {
   }
 }
 
+export function validateDdoSignedByPublisher(
+  ddo: DDO,
+  nonce: string,
+  signature: string,
+  publisherAddress: string
+): boolean {
+  try {
+    const message = ddo.id + nonce
+    const messageHash = ethers.solidityPackedKeccak256(
+      ['bytes'],
+      [ethers.hexlify(ethers.toUtf8Bytes(message))]
+    )
+    const messageHashBytes = ethers.toBeArray(messageHash)
+    const recoveredAddress = ethers.verifyMessage(messageHashBytes, signature)
+    return recoveredAddress === publisherAddress
+  } catch (error) {
+    CORE_LOGGER.logMessage(`Error: ${error}`, true)
+    return false
+  }
+}
+
 export function validateDDOIdentifier(identifier: string): ValidateParams {
   const valid = identifier && identifier.length > 0 && identifier.startsWith('did:op')
   if (!valid) {

src/components/httpRoutes/aquarius.ts

@@ -10,7 +10,6 @@ import { QueryCommand } from '../../@types/commands.js'
 import { DatabaseFactory } from '../database/DatabaseFactory.js'
 import { SearchQuery } from '../../@types/DDO/SearchQuery.js'
 import { getConfiguration } from '../../utils/index.js'
-import { DDO } from '@oceanprotocol/ddo-js'
 
 export const aquariusRoutes = express.Router()
 
@@ -134,23 +133,32 @@ aquariusRoutes.get(`${AQUARIUS_API_BASE_PATH}/state/ddo`, async (req, res) => {
 })
 
 aquariusRoutes.post(`${AQUARIUS_API_BASE_PATH}/assets/ddo/validate`, async (req, res) => {
+  const node = req.oceanNode
   try {
-    if (!req.body || req.body === undefined) {
+    if (!req.body) {
       res.status(400).send('Missing DDO object')
       return
     }
-    const ddo = JSON.parse(req.body) as DDO
+
+    const requestBody = JSON.parse(req.body)
+    const { publisherAddress, nonce, signature } = requestBody
+
+    // This is for backward compatibility with the old way of sending the DDO
+    const ddo = requestBody.ddo || JSON.parse(req.body)
 
     if (!ddo.version) {
       res.status(400).send('Missing DDO version')
       return
     }
 
-    const node = req.oceanNode
     const result = await new ValidateDDOHandler(node).handle({
       ddo,
+      publisherAddress,
+      nonce,
+      signature,
       command: PROTOCOL_COMMANDS.VALIDATE_DDO
     })
+
     if (result.stream) {
       const validationResult = JSON.parse(await streamToString(result.stream as Readable))
       res.json(validationResult)

src/test/unit/indexer/validation.test.ts

@@ -1,33 +1,44 @@
 import { DDOExample, ddov5, ddov7, ddoValidationSignature } from '../../data/ddo.js'
 import { getValidationSignature } from '../../../components/core/utils/validateDdoHandler.js'
 import { ENVIRONMENT_VARIABLES } from '../../../utils/index.js'
-
 import { expect } from 'chai'
 import {
   setupEnvironment,
   tearDownEnvironment,
   buildEnvOverrideConfig,
-  OverrideEnvConfig
+  OverrideEnvConfig,
+  getMockSupportedNetworks
 } from '../../utils/utils.js'
-import { DDOManager } from '@oceanprotocol/ddo-js'
+import { DDOManager, DDO } from '@oceanprotocol/ddo-js'
+import { ValidateDDOHandler } from '../../../components/core/handler/ddoHandler.js'
+import { OceanNode } from '../../../OceanNode.js'
+import { PROTOCOL_COMMANDS } from '../../../utils/constants.js'
+import { ethers } from 'ethers'
+import { RPCS } from '../../../@types/blockchain.js'
 
-describe('Schema validation tests', async () => {
+describe('Schema validation tests', () => {
   let envOverrides: OverrideEnvConfig[]
-  envOverrides = buildEnvOverrideConfig(
-    [
-      ENVIRONMENT_VARIABLES.PRIVATE_KEY,
-      ENVIRONMENT_VARIABLES.IPFS_GATEWAY,
-      ENVIRONMENT_VARIABLES.ARWEAVE_GATEWAY,
-      ENVIRONMENT_VARIABLES.RPCS
-    ],
-    [
-      '0xc594c6e5def4bab63ac29eed19a134c130388f74f019bc74b8f4389df2837a58',
-      'https://ipfs.io/',
-      'https://arweave.net/',
-      '{ "1": "https://rpc.eth.gateway.fm", "137": "https://polygon.meowrpc.com" }'
-    ]
-  )
-  envOverrides = await setupEnvironment(null, envOverrides)
+  const mockSupportedNetworks: RPCS = getMockSupportedNetworks()
+
+  before(async () => {
+    envOverrides = buildEnvOverrideConfig(
+      [
+        ENVIRONMENT_VARIABLES.VALIDATE_UNSIGNED_DDO,
+        ENVIRONMENT_VARIABLES.PRIVATE_KEY,
+        ENVIRONMENT_VARIABLES.IPFS_GATEWAY,
+        ENVIRONMENT_VARIABLES.ARWEAVE_GATEWAY,
+        ENVIRONMENT_VARIABLES.RPCS
+      ],
+      [
+        'false',
+        '0xc594c6e5def4bab63ac29eed19a134c130388f74f019bc74b8f4389df2837a58',
+        'https://ipfs.io/',
+        'https://arweave.net/',
+        JSON.stringify(mockSupportedNetworks)
+      ]
+    )
+    envOverrides = await setupEnvironment(null, envOverrides)
+  })
 
   after(() => {
     // Restore original local setup / env variables after test
@@ -40,6 +51,7 @@ describe('Schema validation tests', async () => {
     expect(validationResult[0]).to.eql(true)
     expect(validationResult[1]).to.eql({})
   })
+
   it('should not pass due to invalid metadata.created on version 4.1.0', async () => {
     const copy = JSON.parse(JSON.stringify(DDOExample))
     copy['@context'] = ['https://w3id.org/did/v1']
@@ -49,12 +61,14 @@ describe('Schema validation tests', async () => {
     expect(validationResult[0]).to.eql(false)
   })
   // TO DO after fixing regex for created & updated: it('should not pass due to invalid ISO timestamp on version 4.1.0', async () => {
+
   it('4.5.0 should pass the validation without service', async () => {
     const ddoInstance = DDOManager.getDDOClass(ddov5)
     const validationResult = await ddoInstance.validate()
     expect(validationResult[0]).to.eql(true)
     expect(validationResult[1]).to.eql({})
   })
+
   it('should pass the validation and return signature', async () => {
     const ddoInstance = DDOManager.getDDOClass(ddoValidationSignature)
     const validationResult = await ddoInstance.validate()
@@ -88,4 +102,69 @@ describe('Schema validation tests', async () => {
     expect(validationResult[0]).to.eql(true)
     expect(validationResult[1]).to.eql({})
   })
+
+  it('should fail validation when signature is missing', async () => {
+    const node = OceanNode.getInstance()
+    const handler = new ValidateDDOHandler(node)
+    const ddoInstance = DDOManager.getDDOClass(DDOExample)
+    const task = {
+      ddo: ddoInstance.getDDOData() as DDO,
+      publisherAddress: '0x8F292046bb73595A978F4e7A131b4EBd03A15e8a',
+      nonce: '123456',
+      command: PROTOCOL_COMMANDS.VALIDATE_DDO
+    }
+
+    const result = await handler.handle(task)
+    expect(result.status.httpStatus).to.equal(400)
+  })
+
+  it('should fail validation when signature is invalid', async () => {
+    const node = OceanNode.getInstance()
+    const handler = new ValidateDDOHandler(node)
+    const ddoInstance = DDOManager.getDDOClass(DDOExample)
+    const ddo: DDO = {
+      ...(ddoInstance.getDDOData() as DDO)
+    }
+    const task = {
+      ddo,
+      publisherAddress: '0x8F292046bb73595A978F4e7A131b4EBd03A15e8a',
+      nonce: '123456',
+      signature: '0xInvalidSignature',
+      command: PROTOCOL_COMMANDS.VALIDATE_DDO
+    }
+
+    const result = await handler.handle(task)
+
+    expect(result.status.httpStatus).to.equal(400)
+  })
+
+  it('should pass validation with valid signature', async () => {
+    const node = OceanNode.getInstance()
+    const handler = new ValidateDDOHandler(node)
+    const ddoInstance = DDOManager.getDDOClass(ddoValidationSignature)
+    const ddo = ddoInstance.getDDOData() as DDO
+
+    const privateKey = process.env.PRIVATE_KEY
+    const wallet = new ethers.Wallet(privateKey)
+    const nonce = Date.now().toString()
+    const message = ddo.id + nonce
+    const messageHash = ethers.solidityPackedKeccak256(
+      ['bytes'],
+      [ethers.hexlify(ethers.toUtf8Bytes(message))]
+    )
+    const messageHashBytes = ethers.getBytes(messageHash)
+    const signature = await wallet.signMessage(messageHashBytes)
+
+    const task = {
+      ddo,
+      publisherAddress: await wallet.getAddress(),
+      nonce,
+      signature,
+      command: PROTOCOL_COMMANDS.VALIDATE_DDO
+    }
+
+    const result = await handler.handle(task)
+
+    expect(result.status.httpStatus).to.equal(200)
+  })
 })

src/utils/config.ts

@@ -831,7 +831,8 @@ async function getEnvConfig(isStartup?: boolean): Promise<OceanNodeConfig> {
       knownUnsafeURLs
     ),
     isBootstrap: getBoolEnvValue('IS_BOOTSTRAP', false),
-    claimDurationTimeout: getIntEnvValue(process.env.ESCROW_CLAIM_TIMEOUT, 600)
+    claimDurationTimeout: getIntEnvValue(process.env.ESCROW_CLAIM_TIMEOUT, 600),
+    validateUnsignedDDO: getBoolEnvValue('VALIDATE_UNSIGNED_DDO', true)
   }
 
   if (!previousConfiguration) {

src/utils/constants.ts

@@ -439,6 +439,11 @@ export const ENVIRONMENT_VARIABLES: Record<any, EnvVariable> = {
     name: 'POLICY_SERVER_URL',
     value: process.env.POLICY_SERVER_URL,
     required: false
+  },
+  VALIDATE_UNSIGNED_DDO: {
+    name: 'VALIDATE_UNSIGNED_DDO',
+    value: process.env.VALIDATE_UNSIGNED_DDO,
+    required: false
   }
 }
 export const CONNECTION_HISTORY_DELETE_THRESHOLD = 300