Auth token routes

.env.example

@@ -38,6 +38,7 @@ export MAX_CHECKSUM_LENGTH=
 export LOG_LEVEL=
 export HTTP_API_PORT=
 export VALIDATE_UNSIGNED_DDO=
+export JWT_SECRET=
 
 ## p2p
 

docs/env.md

@@ -33,6 +33,7 @@ Environmental variables are also tracked in `ENVIRONMENT_VARIABLES` within `src/
 - `AUTHORIZED_PUBLISHERS`: Authorized list of publishers. If present, Node will only index assets published by the accounts in the list. Example: `"[\"0x967da4048cD07aB37855c090aAF366e4ce1b9F48\",\"0x388C818CA8B9251b393131C08a736A67ccB19297\"]"`
 - `AUTHORIZED_PUBLISHERS_LIST`: AccessList contract addresses (per chain). If present, Node will only index assets published by the accounts present on the given access lists. Example: `"{ \"8996\": [\"0x967da4048cD07aB37855c090aAF366e4ce1b9F48\",\"0x388C818CA8B9251b393131C08a736A67ccB19297\"] }"`
 - `VALIDATE_UNSIGNED_DDO`: If set to `false`, the node will not validate unsigned DDOs and will request a signed message with the publisher address, nonce and signature. Default is `true`. Example: `false`
+- `JWT_SECRET`: Secret used to sign JWT tokens. Default is `ocean-node-secret`. Example: `"my-secret-jwt-token"`
 
 ## Payments
 

package.json

@@ -89,6 +89,7 @@
     "hyperdiff": "^2.0.16",
     "ip": "^2.0.1",
     "it-pipe": "^3.0.1",
+    "jsonwebtoken": "^9.0.2",
     "libp2p": "^1.8.0",
     "lodash.clonedeep": "^4.5.0",
     "lzma-purejs-requirejs": "^1.0.0",
@@ -112,6 +113,7 @@
     "@types/dockerode": "^3.3.31",
     "@types/express": "^4.17.17",
     "@types/ip": "^1.1.3",
+    "@types/jsonwebtoken": "^9.0.9",
     "@types/lzma-native": "^4.0.4",
     "@types/mocha": "^10.0.10",
     "@types/node": "^20.14.2",

src/@types/OceanNode.ts

@@ -113,6 +113,7 @@ export interface OceanNodeConfig {
   unsafeURLs?: string[]
   isBootstrap?: boolean
   validateUnsignedDDO?: boolean
+  jwtSecret?: string
 }
 
 export interface P2PStatusResponse {

src/@types/commands.ts

@@ -19,6 +19,7 @@ import {
 export interface Command {
   command: string // command name
   node?: string // if not present it means current node
+  authorization?: string
 }
 
 export interface GetP2PPeerCommand extends Command {
@@ -82,6 +83,7 @@ export interface ValidateDDOCommand extends Command {
   publisherAddress?: string
   nonce?: string
   signature?: string
+  message?: string
 }
 
 export interface StatusCommand extends Command {
@@ -261,3 +263,15 @@ export interface StartStopIndexingCommand extends AdminCommand {
 export interface PolicyServerPassthroughCommand extends Command {
   policyServerPassthrough?: any
 }
+
+export interface CreateAuthTokenCommand extends Command {
+  address: string
+  signature: string
+  validUntil?: number | null
+}
+
+export interface InvalidateAuthTokenCommand extends Command {
+  address: string
+  signature: string
+  token: string
+}

src/OceanNode.ts

@@ -12,6 +12,7 @@ import { pipe } from 'it-pipe'
 import { GENERIC_EMOJIS, LOG_LEVELS_STR } from './utils/logging/Logger.js'
 import { BaseHandler } from './components/core/handler/handler.js'
 import { C2DEngines } from './components/c2d/compute_engines.js'
+import { Auth } from './components/Auth/index.js'
 
 export interface RequestLimiter {
   requester: string | string[] // IP address or peer ID
@@ -35,6 +36,7 @@ export class OceanNode {
   // requester
   private remoteCaller: string | string[]
   private requestMap: Map<string, RequestLimiter>
+  private auth: Auth
 
   // eslint-disable-next-line no-useless-constructor
   private constructor(
@@ -47,6 +49,9 @@ export class OceanNode {
     this.coreHandlers = CoreHandlersRegistry.getInstance(this)
     this.requestMap = new Map<string, RequestLimiter>()
     this.config = config
+    if (this.db && this.db?.authToken) {
+      this.auth = new Auth(this.db.authToken)
+    }
     if (node) {
       node.setCoreHandlers(this.coreHandlers)
     }
@@ -64,9 +69,10 @@ export class OceanNode {
     db?: Database,
     node?: OceanP2P,
     provider?: OceanProvider,
-    indexer?: OceanIndexer
+    indexer?: OceanIndexer,
+    newInstance: boolean = false
   ): OceanNode {
-    if (!OceanNode.instance) {
+    if (!OceanNode.instance || newInstance) {
       // prepare compute engines
       this.instance = new OceanNode(config, db, node, provider, indexer)
     }
@@ -136,6 +142,10 @@ export class OceanNode {
     return this.requestMap
   }
 
+  public getAuth(): Auth {
+    return this.auth
+  }
+
   /**
    * Use this method to direct calls to the node as node cannot dial into itself
    * @param message command message

src/components/Auth/index.ts

@@ -0,0 +1,120 @@
+import { AuthToken, AuthTokenDatabase } from '../database/AuthTokenDatabase.js'
+import jwt from 'jsonwebtoken'
+import { checkNonce, NonceResponse } from '../core/utils/nonceHandler.js'
+import { OceanNode } from '../../OceanNode.js'
+import { getConfiguration } from '../../utils/index.js'
+
+export interface CommonValidation {
+  valid: boolean
+  error: string
+}
+
+export class Auth {
+  private authTokenDatabase: AuthTokenDatabase
+
+  public constructor(authTokenDatabase: AuthTokenDatabase) {
+    this.authTokenDatabase = authTokenDatabase
+  }
+
+  public async getJwtSecret(): Promise<string> {
+    const config = await getConfiguration()
+    return config.jwtSecret
+  }
+
+  public getMessage(address: string, nonce: string): string {
+    return address + nonce
+  }
+
+  async getJWTToken(address: string, nonce: string, createdAt: number): Promise<string> {
+    const jwtToken = jwt.sign(
+      {
+        address,
+        nonce,
+        createdAt
+      },
+      await this.getJwtSecret()
+    )
+
+    return jwtToken
+  }
+
+  async insertToken(
+    address: string,
+    jwtToken: string,
+    validUntil: number,
+    createdAt: number
+  ): Promise<void> {
+    await this.authTokenDatabase.createToken(jwtToken, address, validUntil, createdAt)
+  }
+
+  async invalidateToken(jwtToken: string): Promise<void> {
+    await this.authTokenDatabase.invalidateToken(jwtToken)
+  }
+
+  async validateToken(token: string): Promise<AuthToken | null> {
+    const tokenEntry = await this.authTokenDatabase.validateToken(token)
+    if (!tokenEntry) {
+      return null
+    }
+    return tokenEntry
+  }
+
+  /**
+   * Validates the authentication or token
+   * You need to provider either a token or an address, signature and message
+   * @param {string} token - The token to validate
+   * @param {string} address - The address to validate
+   * @param {string} signature - The signature to validate
+   * @param {string} message - The message to validate
+   * @returns The validation result
+   */
+  async validateAuthenticationOrToken({
+    token,
+    address,
+    nonce,
+    signature
+  }: {
+    token?: string
+    address?: string
+    nonce?: string
+    signature?: string
+  }): Promise<CommonValidation> {
+    try {
+      if (signature && address && nonce) {
+        const oceanNode = OceanNode.getInstance()
+        const nonceCheckResult: NonceResponse = await checkNonce(
+          oceanNode.getDatabase().nonce,
+          address,
+          parseInt(nonce),
+          signature,
+          this.getMessage(address, nonce)
+        )
+
+        if (!nonceCheckResult.valid) {
+          return { valid: false, error: nonceCheckResult.error }
+        }
+
+        if (nonceCheckResult.valid) {
+          return { valid: true, error: '' }
+        }
+      }
+
+      if (token) {
+        const authToken = await this.validateToken(token)
+        if (authToken) {
+          return { valid: true, error: '' }
+        }
+
+        return { valid: false, error: 'Invalid token' }
+      }
+
+      return {
+        valid: false,
+        error:
+          'Invalid authentication, you need to provide either a token or an address, signature, message and nonce'
+      }
+    } catch (e) {
+      return { valid: false, error: `Error during authentication validation: ${e}` }
+    }
+  }
+}