
Add new authenticated /getSignatures endpoint #52

Closed
Marketen opened this issue May 17, 2024 · 1 comment


Marketen commented May 17, 2024

To safely share stored signatures with third parties, we can implement a private endpoint to retrieve signatures. This new endpoint should be a POST request with the following JSON body:

```json
{
    "network": <string>,
    "tag": <string>,
    "hours": <int>
}
```

The /getSignatures endpoint filters and returns all signatures that are newer than the specified number of hours old and belong to validators with the given network and tag.

Authentication
The /getSignatures endpoint should not be accessible by anyone. It is protected by an authentication middleware that uses JWT tokens.

How authentication works

  • A JWT token, such as eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IkpvaG5Eb2UiLCJleHAiOjE3MTY5OTk5OTksImlzcyI6InRlc3QtYXBwIn0.VB7fHy0c0YXwG0V9hHBK0Hrft0hCVxZ70hBRGMbXodg, is signed with a private key.

  • The API service reads from a /jwt directory where 256-bit secret keys for the allowed JWT tokens are stored. Each key is in a file named according to the tag it is allowed to access. For example, the secret key for stader's JWT is stored in /jwt/stader.

  • The caller must include an "Authorization" header with the value Bearer <jwtToken> when asking for /getSignatures.

  • When /getSignatures is called by stader, the API checks if stader's private key is inside the /jwt directory, and if stader is asking for signatures with tag = stader. If any of these are not true, return unauthorized. We should not share signatures from one 3rd party to another. For example, signatures with tag "rocketpool" to stader.
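The check described above, as an added illustration that is not the project's own code: the secret is looked up by the tag in the request body (the issue's /jwt/<tag> layout), so a token signed with another party's key fails verification rather than being allowed to read a different tag's signatures. The function and claim names, the tag character whitelist and the sample keys are assumptions made for this example.

```python
import base64, hashlib, hmac, json, os, re
TAG_RE = re.compile(r"[A-Za-z0-9_-]+")  # tag doubles as a file name under /jwt (assumed whitelist)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (used here only to build sample tokens)."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: float):
    """Return the claims if the signature and 'exp' check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None  # never accept 'none' or a non-HMAC alg against an HMAC key
        mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def file_secret_loader(key_dir: str):  # reads the 256-bit secret from <key_dir>/<tag>
    def load(tag: str):
        path = os.path.join(key_dir, tag)
        return open(path, "rb").read() if os.path.isfile(path) else None
    return load

def authorize_get_signatures(auth_header, body: dict, load_secret, now: float):
    """Gate for POST /getSignatures -> (allowed, reason); key is chosen by the requested tag."""
    tag = body.get("tag")
    if not isinstance(tag, str) or not TAG_RE.fullmatch(tag):
        return False, "invalid tag"  # also blocks '../' escaping the /jwt directory
    if not isinstance(auth_header, str) or not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    secret = load_secret(tag)  # a rocketpool-signed token cannot verify under stader's key
    if secret is None or verify_hs256(auth_header[len("Bearer "):], secret, now) is None:
        return False, "unauthorized"
    return True, "ok"

SAMPLE_KEYS = {"stader": os.urandom(32), "rocketpool": os.urandom(32)}  # constructed stand-ins for /jwt files
```

In the service, `file_secret_loader("/jwt")` replaces `SAMPLE_KEYS.get` as the loader.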

@pablomendezroyo pablomendezroyo linked a pull request May 24, 2024 that will close this issue

pablomendezroyo commented Jun 11, 2024

Implemented in #57
