Rpc layer #89

Merged
Ibinola merged 2 commits into Ibinola:main from zakkiyyat:rpc-layer
Feb 24, 2026
Conversation

zakkiyyat commented Feb 24, 2026

Closes #77
Closes #78


PR: Workspace Sharing + Secure RPC Proxy

Summary

This PR implements:

  1. Workspace state sharing via URL
  2. Secure RPC proxy to protect private API keys and prevent frontend rate-limit issues

These changes improve user collaboration capabilities and strengthen backend security architecture.


1️⃣ Feature: Share Workspace via URL

Description

Users can now persist and share their workspace state using a generated share_id.

A workspace (including nested contracts and interactions) is saved via API and can be retrieved later using a shareable URL.


API Endpoints

POST /api/workspaces

  • Validates payload using Zod / class-validator
  • Persists nested workspace structure
  • Generates unique share_id (via nanoid)
  • Returns stored workspace metadata

GET /api/workspaces/:share_id

  • Fetches workspace including:

    • contracts
    • interactions
  • Returns:

    • 200 with full payload for valid ID
    • 404 if share_id is invalid

Key Files

apps/api/src/routes/workspaces.ts
apps/api/src/controllers/workspace.controller.ts

Acceptance Criteria

  • ✅ POST saves nested workspace data
  • ✅ GET returns 404 for invalid IDs
  • ✅ Valid IDs return complete workspace payload
  • ✅ Payload validation enforced


2️⃣ Feature: Secure RPC Proxy with Rate Limiting

Description

To prevent exposing private RPC API keys in the frontend and avoid public RPC rate limits, this PR introduces a backend RPC proxy.

Frontend requests now go through:

POST /api/rpc/:network

The server:

  • Forwards JSON-RPC payloads
  • Uses private RPC URLs stored in .env
  • Applies IP-based rate limiting

API Endpoint

POST /api/rpc/:network

  • Forwards JSON-RPC body to private RPC node
  • Supports Soroban RPC
  • Returns raw RPC response

Security Measures

  • 🔒 RPC URLs stored in .env
  • 🚫 No private keys exposed to frontend
  • 🛑 IP rate limiting (100 req/min default)
  • ⚠️ Returns HTTP 429 when limit exceeded

Key Files

apps/api/src/routes/rpc.ts
apps/api/src/middleware/rate-limiter.ts

Acceptance Criteria

  • ✅ Requests proxy correctly to Soroban RPC
  • ✅ Exceeding rate limits returns 429
  • ✅ Private RPC URLs are not exposed client-side

Testing

Workspace

  • Create workspace via POST
  • Retrieve via GET using returned share_id
  • Confirm nested data integrity
  • Confirm 404 behavior

RPC Proxy

  • Send JSON-RPC payload
  • Confirm forwarding to correct network
  • Stress test >100 requests/min
  • Confirm 429 response

Impact

🔹 UX Improvements

  • Enables easy workspace sharing via link
  • Supports collaboration and debugging workflows

🔹 Security Improvements

  • Protects private RPC credentials
  • Reduces risk of abuse
  • Prevents public node throttling

Ibinola merged commit 57741ca into Ibinola:main on Feb 24, 2026
1 check failed
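
The request gating described in the PR summary above (the :network segment selecting a private RPC URL, a per-IP limit of 100 req/min, HTTP 429 on excess), as an added example that is not the PR's code. The function, type and environment variable names are assumptions, and the JSON-RPC shape check is an assumption beyond what the PR lists.

```typescript
// Added example: names and env variable keys are assumptions, not the PR's code.
type Env = Record<string, string | undefined>;
type Decision =
  | { status: 200; upstreamUrl: string } // upstreamUrl stays server-side
  | { status: 400 | 404 | 429 | 500; error: string };

// Allow-list: :network only selects an env key; it is never spliced into a URL.
const NETWORK_ENV = new Map<string, string>([
  ["testnet", "SOROBAN_RPC_TESTNET_URL"], // hypothetical keys
  ["mainnet", "SOROBAN_RPC_MAINNET_URL"],
]);

const WINDOW_MS = 60000;
const LIMIT = 100; // the PR's stated default: 100 req/min per IP

class FixedWindowLimiter {
  private windows = new Map<string, { start: number; count: number }>();

  // True while the caller is within LIMIT for the current window.
  allow(ip: string, now: number): boolean {
    const w = this.windows.get(ip);
    if (!w || now - w.start >= WINDOW_MS) {
      this.windows.set(ip, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= LIMIT;
  }
}

// Decide what the proxy route should do before any upstream call is made.
function decideRpc(
  limiter: FixedWindowLimiter, network: string, ip: string,
  body: unknown, env: Env, now: number,
): Decision {
  if (!limiter.allow(ip, now)) return { status: 429, error: "rate limit exceeded" };
  const envKey = NETWORK_ENV.get(network);
  if (!envKey) return { status: 404, error: "unknown network" };
  // Assumed minimal shape check for a single JSON-RPC 2.0 request.
  const b = body as { jsonrpc?: unknown; method?: unknown } | null;
  if (typeof b !== "object" || b === null || b.jsonrpc !== "2.0" || typeof b.method !== "string") {
    return { status: 400, error: "invalid JSON-RPC request" };
  }
  const upstreamUrl = env[envKey];
  // Error text names neither the env key nor the URL.
  if (!upstreamUrl) return { status: 500, error: "upstream not configured" };
  return { status: 200, upstreamUrl };
}
```

The `ip` argument has to come from a source the server trusts; behind a reverse proxy, a client-supplied forwarding header used as the key lets one caller spread requests across many counters.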

Development

Successfully merging this pull request may close these issues.

  • Build RPC Proxy Layer with Rate Limiting
  • Create Workspace Sharing REST Endpoints