Merge pull request #60 from NillionNetwork/fix/api-break

fix: allow legacy mode to be used

Author: mfontanini

Cargo.toml

@@ -21,7 +21,7 @@ reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"
 rust_decimal = { version = "1.39", features = ["serde-float", "serde-arbitrary-precision"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-serde_with = "3.14"
+serde_with = { version = "3.14", features = ["hex"] }
 strum = { version = "0.27", features = ["derive"] }
 sqlx = { version = "0.8", features = ["postgres", "runtime-tokio", "chrono"] }
 thiserror = "2"

src/config.rs

@@ -1,5 +1,4 @@
 use anyhow::Context;
-use nillion_nucs::{DidMethod, NucSigner, Signer};
 use rust_decimal::Decimal;
 use serde::Deserialize;
 use serde_with::serde_as;
@@ -61,7 +60,7 @@ pub enum PrivateKeyConfig {
 
 impl PrivateKeyConfig {
     /// Load a signer using this configuration.
-    pub fn load_signer(&self) -> anyhow::Result<Box<dyn NucSigner>> {
+    pub fn load_private_key(&self) -> anyhow::Result<[u8; 32]> {
         let bytes: [u8; 32] = match self {
             PrivateKeyConfig::Hex(hex_bytes) => hex_bytes
                 .to_vec()
@@ -74,7 +73,7 @@ impl PrivateKeyConfig {
                 })?
             }
         };
-        Ok(Signer::from_private_key(&bytes, DidMethod::Key))
+        Ok(bytes)
     }
 }
 

src/routes/nucs/create.rs

@@ -10,6 +10,7 @@ use axum::{
 };
 use chrono::{DateTime, Utc};
 use metrics::counter;
+use nillion_nucs::NucSigner;
 use nillion_nucs::token::Command;
 use nillion_nucs::{builder::DelegationBuilder, did::Did};
 use serde::{Deserialize, Serialize};
@@ -117,19 +118,19 @@ pub(crate) async fn handler(
     OptionalIdentityNuc(opt_auth): OptionalIdentityNuc,
     Json(request): Json<serde_json::Value>,
 ) -> Result<Json<CreateNucResponse>, HandlerError> {
-    let (requestor_did, blind_module) = if let Some(auth) = opt_auth {
-        handle_modern_auth(auth, request).await?
+    let ((requestor_did, blind_module), signer) = if let Some(auth) = opt_auth {
+        (handle_modern_auth(auth, request).await?, &state.parameters.signer)
     } else {
-        handle_legacy_auth(&state, request).await?
+        (handle_legacy_auth(&state, request).await?, &state.parameters.legacy_signer)
     };
-
-    handle_nuc_creation(state, requestor_did, blind_module).await
+    handle_nuc_creation(&state, requestor_did, blind_module, signer.as_ref()).await
 }
 
 async fn handle_nuc_creation(
-    state: SharedState,
+    state: &SharedState,
     requestor_did: Did,
     blind_module: BlindModule,
+    signer: &dyn NucSigner,
 ) -> Result<Json<CreateNucResponse>, HandlerError> {
     let expires_at = match state.databases.subscriptions.find_subscription_end(&requestor_did, &blind_module).await {
         Ok(Some(timestamp)) if timestamp > state.services.time.current_time() => timestamp,
@@ -147,13 +148,12 @@ async fn handle_nuc_creation(
     };
 
     info!("Minting token for {requestor_did}, expires at '{expires_at}'");
-    let signer = &state.parameters.signer;
     let token = DelegationBuilder::new()
         .command(["nil", segment])
         .subject(requestor_did)
         .audience(requestor_did)
         .expires_at(expires_at)
-        .sign_and_serialize(signer.as_ref())
+        .sign_and_serialize(signer)
         .await
         .map_err(|e| {
             error!("Failed to sign token: {e}");

src/routes/subscriptions/status.rs

@@ -9,16 +9,24 @@ use axum::{
 use chrono::{DateTime, Utc};
 use nillion_nucs::did::Did;
 use serde::{Deserialize, Serialize};
+use serde_with::hex::Hex;
+use serde_with::serde_as;
 use strum::EnumDiscriminants;
 use tracing::error;
 use utoipa::{IntoParams, ToSchema};
 
 /// A request to get a subscription's status.
+#[serde_as]
 #[derive(Deserialize, IntoParams)]
 pub(crate) struct SubscriptionStatusArgs {
     /// The Did to check the subscription for.
     #[param(value_type = String, example = "did:key:zQ3sh...")]
-    did: Did,
+    did: Option<Did>,
+
+    /// The Did to check the subscription for.
+    #[param(value_type = String)]
+    #[serde_as(as = "Option<Hex>")]
+    public_key: Option<[u8; 33]>,
 
     /// The blind module to check the subscription for.
     #[param(value_type = String, example = crate::docs::blind_module)]
@@ -65,13 +73,17 @@ pub(crate) async fn handler(
     state: SharedState,
     request: Query<SubscriptionStatusArgs>,
 ) -> Result<Json<SubscriptionStatusResponse>, HandlerError> {
+    let did = match (request.did, request.public_key) {
+        (Some(did), _) => did,
+        #[allow(deprecated)]
+        (_, Some(public_key)) => Did::nil(public_key),
+        _ => return Err(HandlerError::MissingIdentity),
+    };
     let expires_at =
-        state.databases.subscriptions.find_subscription_end(&request.did, &request.blind_module).await.map_err(
-            |e| {
-                error!("Subscription lookup failed: {e}");
-                HandlerError::Internal
-            },
-        )?;
+        state.databases.subscriptions.find_subscription_end(&did, &request.blind_module).await.map_err(|e| {
+            error!("Subscription lookup failed: {e}");
+            HandlerError::Internal
+        })?;
     let details = expires_at.map(|expires_at| Subscription {
         expires_at,
         renewable_at: expires_at - state.parameters.subscription_renewal_threshold,
@@ -83,13 +95,15 @@ pub(crate) async fn handler(
 #[derive(Debug, EnumDiscriminants)]
 pub(crate) enum HandlerError {
     Internal,
+    MissingIdentity,
 }
 
 impl IntoResponse for HandlerError {
     fn into_response(self) -> Response {
         let discriminant = HandlerErrorDiscriminants::from(&self);
         let (code, message) = match self {
             Self::Internal => (StatusCode::INTERNAL_SERVER_ERROR, "internal error"),
+            Self::MissingIdentity => (StatusCode::BAD_REQUEST, "need either `did` or `public_key`"),
         };
         let response = RequestHandlerError::new(message, format!("{discriminant:?}"));
         (code, Json(response)).into_response()
@@ -145,7 +159,38 @@ mod tests {
         let renewal_threshold = Duration::from_secs(30);
         handler.builder.subscription_renewal_threshold = renewal_threshold;
 
-        let request = SubscriptionStatusArgs { did: subscriber_did, blind_module };
+        let request = SubscriptionStatusArgs { did: Some(subscriber_did), public_key: None, blind_module };
+        let response = handler.invoke(request).await.expect("handler failed");
+        assert!(response.subscribed);
+        assert_eq!(
+            response.details,
+            Some(Subscription { expires_at: timestamp, renewable_at: timestamp - renewal_threshold })
+        );
+    }
+
+    #[tokio::test]
+    async fn valid_request_public_key() {
+        let mut handler = Handler::default();
+        let key = SecretKey::random(&mut rand::thread_rng());
+        let public_key_bytes: [u8; 33] = key.public_key().to_sec1_bytes().as_ref().try_into().unwrap();
+        #[allow(deprecated)]
+        let subscriber_did = Did::nil(public_key_bytes);
+        let now = Utc::now();
+        let timestamp = now + Duration::from_secs(120);
+        let blind_module = BlindModule::NilDb;
+        handler.builder.time_service.expect_current_time().returning(move || now);
+
+        handler
+            .builder
+            .subscriptions_db
+            .expect_find_subscription_end()
+            .with(eq(subscriber_did), eq(blind_module))
+            .return_once(move |_, _| Ok(Some(timestamp)));
+
+        let renewal_threshold = Duration::from_secs(30);
+        handler.builder.subscription_renewal_threshold = renewal_threshold;
+
+        let request = SubscriptionStatusArgs { did: None, public_key: Some(public_key_bytes), blind_module };
         let response = handler.invoke(request).await.expect("handler failed");
         assert!(response.subscribed);
         assert_eq!(
@@ -172,7 +217,7 @@ mod tests {
             .with(eq(subscriber_did), eq(blind_module))
             .return_once(move |_, _| Ok(Some(timestamp)));
 
-        let request = SubscriptionStatusArgs { did: subscriber_did, blind_module };
+        let request = SubscriptionStatusArgs { did: Some(subscriber_did), public_key: None, blind_module };
         let response = handler.invoke(request).await.expect("handler failed");
         assert!(!response.subscribed);
         response.details.expect("subscription should still be returned");

src/run.rs

@@ -14,6 +14,7 @@ use axum_prometheus::{EndpointLabel, PrometheusMetricLayerBuilder, metrics_expor
 use chrono::Utc;
 use nilauth_client::nilchain_client::tx::DefaultPaymentTransactionRetriever;
 use nillion_nucs::did::Did;
+use nillion_nucs::{DidMethod, Signer};
 use std::net::SocketAddr;
 use std::sync::Arc;
 use tokio::signal;
@@ -27,7 +28,10 @@ use tracing::info;
 /// and starts the main application and metrics servers. It also handles
 /// graceful shutdown on receiving a termination signal.
 pub async fn run(config: Config) -> anyhow::Result<()> {
-    let signer = config.private_key.load_signer()?;
+    let private_key = config.private_key.load_private_key()?;
+    let signer = Signer::from_private_key(&private_key, DidMethod::Key);
+    #[allow(deprecated)]
+    let legacy_signer = Signer::from_private_key(&private_key, DidMethod::Nil);
     let did = *signer.did();
     let public_key = match did {
         Did::Key { public_key } => public_key,
@@ -50,6 +54,7 @@ pub async fn run(config: Config) -> anyhow::Result<()> {
     let state = AppState {
         parameters: Parameters {
             signer,
+            legacy_signer,
             did,
             public_key,
             started_at: Utc::now(),

src/state.rs

@@ -50,6 +50,9 @@ pub struct Parameters {
     /// The server's secret signer.
     pub signer: Box<dyn NucSigner>,
 
+    /// The server's legacy secret signer.
+    pub legacy_signer: Box<dyn NucSigner>,
+
     /// The Did of the server's signer.
     pub did: Did,
 

src/tests.rs

@@ -23,6 +23,7 @@ mock! {
 
 pub(crate) struct AppStateBuilder {
     pub(crate) signer: Box<dyn NucSigner>,
+    pub(crate) legacy_signer: Box<dyn NucSigner>,
     pub(crate) tx_retriever: MockPaymentRetriever,
     pub(crate) time_service: MockTimeService,
     pub(crate) subscription_costs_service: MockSubscriptionCostService,
@@ -35,6 +36,8 @@ impl Default for AppStateBuilder {
     fn default() -> Self {
         Self {
             signer: Signer::generate(DidMethod::Key),
+            #[allow(deprecated)]
+            legacy_signer: Signer::generate(DidMethod::Nil),
             tx_retriever: Default::default(),
             time_service: Default::default(),
             subscription_costs_service: Default::default(),
@@ -49,6 +52,7 @@ impl AppStateBuilder {
     pub(crate) fn build(self) -> Arc<AppState> {
         let Self {
             signer,
+            legacy_signer,
             tx_retriever,
             time_service,
             subscription_costs_service,
@@ -66,6 +70,7 @@ impl AppStateBuilder {
         Arc::new(AppState {
             parameters: Parameters {
                 signer,
+                legacy_signer,
                 did,
                 public_key,
                 started_at: Utc::now(),