feat: auth on restore and check

Author: thesimplekid

crates/cdk-axum/src/router_handlers.rs

@@ -322,13 +322,18 @@ pub async fn post_melt_bolt11(
 ///
 /// Check whether a secret has been spent already or not.
 pub async fn post_check(
+    auth: AuthHeader,
     State(state): State<MintState>,
     Json(payload): Json<CheckStateRequest>,
 ) -> Result<Json<CheckStateResponse>, Response> {
-    let state = state.mint.check_state(&payload).await.map_err(|err| {
-        tracing::error!("Could not check state of proofs");
-        into_response(err)
-    })?;
+    let state = state
+        .mint
+        .check_state(auth.into(), &payload)
+        .await
+        .map_err(|err| {
+            tracing::error!("Could not check state of proofs");
+            into_response(err)
+        })?;
 
     Ok(Json(state))
 }
@@ -390,13 +395,18 @@ pub async fn post_swap(
 ))]
 /// Restores blind signature for a set of outputs.
 pub async fn post_restore(
+    auth: AuthHeader,
     State(state): State<MintState>,
     Json(payload): Json<RestoreRequest>,
 ) -> Result<Json<RestoreResponse>, Response> {
-    let restore_response = state.mint.restore(payload).await.map_err(|err| {
-        tracing::error!("Could not process restore: {}", err);
-        into_response(err)
-    })?;
+    let restore_response = state
+        .mint
+        .restore(auth.into(), payload)
+        .await
+        .map_err(|err| {
+            tracing::error!("Could not process restore: {}", err);
+            into_response(err)
+        })?;
 
     Ok(Json(restore_response))
 }

crates/cdk-integration-tests/src/direct_mint_connection.rs

@@ -16,6 +16,7 @@ use cdk::{Error, Mint};
 use uuid::Uuid;
 
 pub struct DirectMintConnection {
+    pub cat: Option<AuthToken>,
     pub mint: Arc<Mint>,
 }
 
@@ -60,76 +61,80 @@ impl MintConnector for DirectMintConnection {
     async fn post_mint_quote(
         &self,
         request: MintQuoteBolt11Request,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<MintQuoteBolt11Response<String>, Error> {
         self.mint
-            .get_mint_bolt11_quote(None, request)
+            .get_mint_bolt11_quote(auth_token, request)
             .await
             .map(Into::into)
     }
 
     async fn get_mint_quote_status(
         &self,
         quote_id: &str,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<MintQuoteBolt11Response<String>, Error> {
         let quote_id_uuid = Uuid::from_str(quote_id).unwrap();
         self.mint
-            .check_mint_quote(None, &quote_id_uuid)
+            .check_mint_quote(auth_token, &quote_id_uuid)
             .await
             .map(Into::into)
     }
 
     async fn post_mint(
         &self,
         request: MintBolt11Request<String>,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<MintBolt11Response, Error> {
         let request_uuid = request.try_into().unwrap();
-        self.mint.process_mint_request(None, request_uuid).await
+        self.mint
+            .process_mint_request(auth_token, request_uuid)
+            .await
     }
 
     async fn post_melt_quote(
         &self,
         request: MeltQuoteBolt11Request,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<MeltQuoteBolt11Response<String>, Error> {
         self.mint
-            .get_melt_bolt11_quote(None, &request)
+            .get_melt_bolt11_quote(auth_token, &request)
             .await
             .map(Into::into)
     }
 
     async fn get_melt_quote_status(
         &self,
         quote_id: &str,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<MeltQuoteBolt11Response<String>, Error> {
         let quote_id_uuid = Uuid::from_str(quote_id).unwrap();
         self.mint
-            .check_melt_quote(None, &quote_id_uuid)
+            .check_melt_quote(auth_token, &quote_id_uuid)
             .await
             .map(Into::into)
     }
 
     async fn post_melt(
         &self,
         request: MeltBolt11Request<String>,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<MeltQuoteBolt11Response<String>, Error> {
         let request_uuid = request.try_into().unwrap();
         self.mint
-            .melt_bolt11(None, &request_uuid)
+            .melt_bolt11(auth_token, &request_uuid)
             .await
             .map(Into::into)
     }
 
     async fn post_swap(
         &self,
         swap_request: SwapRequest,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<SwapResponse, Error> {
-        self.mint.process_swap_request(None, swap_request).await
+        self.mint
+            .process_swap_request(auth_token, swap_request)
+            .await
     }
 
     async fn get_mint_info(&self) -> Result<MintInfo, Error> {
@@ -139,36 +144,44 @@ impl MintConnector for DirectMintConnection {
     async fn post_check_state(
         &self,
         request: CheckStateRequest,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<CheckStateResponse, Error> {
-        self.mint.check_state(&request).await
+        self.mint.check_state(auth_token, &request).await
     }
 
     async fn post_restore(
         &self,
         request: RestoreRequest,
-        _auth_token: Option<AuthToken>,
+        auth_token: Option<AuthToken>,
     ) -> Result<RestoreResponse, Error> {
-        self.mint.restore(request).await
+        self.mint.restore(auth_token, request).await
     }
 
     /// Get Blind Auth keys
     async fn get_mint_blind_auth_keys(&self) -> Result<Vec<KeySet>, Error> {
-        todo!();
+        Ok(self.mint.auth_pubkeys().await?.keysets)
     }
+
     /// Get Blind Auth Keyset
-    async fn get_mint_blind_auth_keyset(&self, _keyset_id: Id) -> Result<KeySet, Error> {
-        todo!();
+    async fn get_mint_blind_auth_keyset(&self, keyset_id: Id) -> Result<KeySet, Error> {
+        Ok(self
+            .mint
+            .keyset(&keyset_id)
+            .await?
+            .ok_or(Error::UnknownKeySet)?)
     }
+
     /// Get Blind Auth keysets
     async fn get_mint_blind_auth_keysets(&self) -> Result<KeysetResponse, Error> {
-        todo!();
+        self.mint.auth_keysets().await
     }
+
     /// Post mint blind auth
     async fn post_mint_blind_auth(
         &self,
-        _request: MintAuthRequest,
+        request: MintAuthRequest,
     ) -> Result<MintBolt11Response, Error> {
-        todo!();
+        let cat = self.cat.clone().ok_or(Error::AuthRequired)?;
+        self.mint.mint_blind_auth(cat, request).await
     }
 }

crates/cdk-integration-tests/src/init_direct_mint.rs

@@ -4,7 +4,7 @@ use std::sync::Arc;
 use cdk::amount::SplitTarget;
 use cdk::cdk_database::mint_memory::MintMemoryDatabase;
 use cdk::cdk_database::WalletMemoryDatabase;
-use cdk::nuts::{CurrencyUnit, MintInfo, MintQuoteState, Nuts};
+use cdk::nuts::{AuthToken, CurrencyUnit, MintInfo, MintQuoteState, Nuts};
 use cdk::types::QuoteTTL;
 use cdk::{Amount, Mint, Wallet};
 use rand::random;
@@ -60,12 +60,18 @@ pub async fn create_and_start_test_mint() -> anyhow::Result<Arc<Mint>> {
     Ok(mint_arc)
 }
 
-pub fn get_mint_connector(mint: Arc<Mint>) -> DirectMintConnection {
-    DirectMintConnection { mint }
+pub fn get_mint_connector(cat: Option<String>, mint: Arc<Mint>) -> DirectMintConnection {
+    DirectMintConnection {
+        mint,
+        cat: cat.map(|cat| AuthToken::ClearAuth(cat)),
+    }
 }
 
-pub fn create_test_wallet_for_mint(mint: Arc<Mint>) -> anyhow::Result<Arc<Wallet>> {
-    let connector = get_mint_connector(mint);
+pub fn create_test_wallet_for_mint(
+    cat: Option<String>,
+    mint: Arc<Mint>,
+) -> anyhow::Result<Arc<Wallet>> {
+    let connector = get_mint_connector(cat, mint);
 
     let seed = random::<[u8; 32]>();
     let mint_url = connector.mint.config.mint_url().to_string();

crates/cdk-integration-tests/tests/pure_tests.rs

@@ -11,7 +11,7 @@ use cdk_integration_tests::init_direct_mint::{
 #[tokio::test]
 pub async fn test_swap_to_send() -> anyhow::Result<()> {
     let mint_bob = create_and_start_test_mint().await?;
-    let wallet_alice = create_test_wallet_for_mint(mint_bob.clone())?;
+    let wallet_alice = create_test_wallet_for_mint(None, mint_bob.clone())?;
 
     // Alice gets 64 sats
     receive(wallet_alice.clone(), 64).await?;
@@ -33,7 +33,7 @@ pub async fn test_swap_to_send() -> anyhow::Result<()> {
     assert_eq!(Amount::from(24), wallet_alice.total_balance().await?);
 
     // Alice sends cashu, Carol receives
-    let wallet_carol = create_test_wallet_for_mint(mint_bob.clone())?;
+    let wallet_carol = create_test_wallet_for_mint(None, mint_bob.clone())?;
     let received_amount = wallet_carol
         .receive_proofs(token.proofs(), SplitTarget::None, &[], &[])
         .await?;

crates/cdk/src/mint/check_spendable.rs

@@ -2,16 +2,27 @@ use std::collections::HashSet;
 
 use tracing::instrument;
 
-use super::{CheckStateRequest, CheckStateResponse, Mint, ProofState, PublicKey, State};
+use super::{
+    AuthToken, CheckStateRequest, CheckStateResponse, Method, Mint, ProofState, PublicKey,
+    RoutePath, State,
+};
+use crate::nuts::ProtectedEndpoint;
 use crate::Error;
 
 impl Mint {
     /// Check state
     #[instrument(skip_all)]
     pub async fn check_state(
         &self,
+        auth_token: Option<AuthToken>,
         check_state: &CheckStateRequest,
     ) -> Result<CheckStateResponse, Error> {
+        self.verify_auth(
+            auth_token,
+            &ProtectedEndpoint::new(Method::Get, RoutePath::MintBolt11),
+        )
+        .await?;
+
         let states = self.localstore.get_proofs_states(&check_state.ys).await?;
 
         let states = states

crates/cdk/src/mint/mod.rs

@@ -438,7 +438,17 @@ impl Mint {
 
     /// Restore
     #[instrument(skip_all)]
-    pub async fn restore(&self, request: RestoreRequest) -> Result<RestoreResponse, Error> {
+    pub async fn restore(
+        &self,
+        auth_token: Option<AuthToken>,
+        request: RestoreRequest,
+    ) -> Result<RestoreResponse, Error> {
+        self.verify_auth(
+            auth_token,
+            &ProtectedEndpoint::new(Method::Get, RoutePath::MintBolt11),
+        )
+        .await?;
+
         let output_len = request.outputs.len();
 
         let mut outputs = Vec::with_capacity(output_len);