Application Wallet Api call request timeout

Author: physcom

src/main/kotlin/io/openfuture/api/component/state/DefaultStateApi.kt

@@ -16,7 +16,7 @@ class DefaultStateApi(private val stateRestTemplate: RestTemplate) : StateApi {
     }
 
     override fun deleteWallet(address: String, blockchain: Blockchain) {
-        val url = "/wallets/blockchain/${blockchain}/address/${address}"
+        val url = "/wallets/blockchain/${blockchain.getValue()}/address/${address}"
         stateRestTemplate.delete(url)
     }
 

src/main/kotlin/io/openfuture/api/config/SecurityConfig.kt

@@ -47,7 +47,7 @@ class SecurityConfig(
 
                 .addFilterAfter(AuthorizationFilter(properties, keyService), OAuth2LoginAuthenticationFilter::class.java)
                 .addFilterAfter(ApiAuthorizationFilter(mapper), AuthorizationFilter::class.java)
-                .addFilterAfter(PublicApiAuthorizationFilter(applicationService), AuthorizationFilter::class.java)
+                .addFilterAfter(PublicApiAuthorizationFilter(applicationService, mapper, properties), AuthorizationFilter::class.java)
                 .sessionManagement().sessionCreationPolicy(STATELESS)
 
                 .and()

src/main/kotlin/io/openfuture/api/config/filter/PublicApiAuthorizationFilter.kt

@@ -2,21 +2,26 @@ package io.openfuture.api.config.filter
 
 import com.fasterxml.jackson.databind.ObjectMapper
 import io.openfuture.api.config.propety.AuthorizationProperties
+import org.springframework.http.HttpStatus.UNAUTHORIZED
+import io.openfuture.api.domain.exception.ExceptionResponse
 import io.openfuture.api.domain.key.WalletApiCreateRequest
 import io.openfuture.api.service.ApplicationService
 import io.openfuture.api.util.CustomHttpRequestWrapper
 import io.openfuture.api.util.KeyGeneratorUtils
+import io.openfuture.api.util.currentEpochs
 import io.openfuture.api.util.differenceEpochs
-import org.springframework.http.HttpHeaders
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
 import org.springframework.security.core.authority.SimpleGrantedAuthority
 import org.springframework.security.core.context.SecurityContextHolder
 import javax.servlet.*
 import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
 
 
 class PublicApiAuthorizationFilter(
-    private val applicationService: ApplicationService
+    private val applicationService: ApplicationService,
+    private val mapper: ObjectMapper,
+    private val properties: AuthorizationProperties
 ): Filter {
 
     override fun init(filterConfig: FilterConfig?) {
@@ -25,29 +30,35 @@ class PublicApiAuthorizationFilter(
 
     override fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
         request as HttpServletRequest
+        response as HttpServletResponse
 
-        if (request.requestURI.startsWith("/public") && null == SecurityContextHolder.getContext().authentication && request.getHeader("X-API-KEY") != null) {
+        if (request.requestURI.startsWith("/public") && request.getHeader("X-API-KEY") != null) {
 
             val accessKey = request.getHeader("X-API-KEY")
             val signature = request.getHeader("X-API-SIGNATURE")
+            val expirePeriod = 10L;
 
             val requestWrapper = CustomHttpRequestWrapper(request)
-            val walletApiCreateRequest = ObjectMapper().readValue(requestWrapper.bodyInStringFormat, WalletApiCreateRequest::class.java)
+            val walletApiCreateRequest = mapper.readValue(requestWrapper.bodyInStringFormat, WalletApiCreateRequest::class.java)
 
-            val diffMinutes = differenceEpochs(System.currentTimeMillis() / 1000L, walletApiCreateRequest.timestamp.toLong())
+            val diffMinutes = differenceEpochs(currentEpochs(), walletApiCreateRequest.timestamp.toLong())
 
             val application = applicationService.getByAccessKey(accessKey)
 
             val hmacSha256 = application.let {
                 KeyGeneratorUtils.calcHmacSha256(it.apiSecretKey, walletApiCreateRequest.toString())
             }
 
-            if (hmacSha256 == signature && diffMinutes < 10){
-                val token = UsernamePasswordAuthenticationToken(application.user, null,
-                    application.user.roles.map { SimpleGrantedAuthority("ROLE_APPLICATION") })
-                SecurityContextHolder.getContext().authentication = token
+            if (hmacSha256 != signature || diffMinutes > expirePeriod) {
+                val exceptionResponse = ExceptionResponse(UNAUTHORIZED.value(), "Signature mismatch or request timeout")
+                response.status = exceptionResponse.status
+                response.writer.write(mapper.writeValueAsString(exceptionResponse))
+                return
             }
 
+            val token = UsernamePasswordAuthenticationToken(application.user, null, listOf(SimpleGrantedAuthority("ROLE_APPLICATION")))
+            SecurityContextHolder.getContext().authentication = token
+
             chain.doFilter(requestWrapper, response);
             return
         }

src/main/kotlin/io/openfuture/api/config/propety/AuthorizationProperties.kt

@@ -9,5 +9,6 @@ import javax.validation.constraints.NotEmpty
 @Validated
 @Component
 class AuthorizationProperties(
-        @field:NotEmpty var cookieName: String? = null
+        @field:NotEmpty var cookieName: String? = null,
+        var expireApi: Long? = 10
 )

src/main/kotlin/io/openfuture/api/controller/api/WalletApiController.kt

@@ -19,12 +19,7 @@ class WalletApiController(
 ) {
 
     @PreAuthorize(value = "hasAnyRole('ROLE_APPLICATION')")
-    @PostMapping(path = ["/generate"], consumes = [MediaType.APPLICATION_FORM_URLENCODED_VALUE])
-    fun generateWallet(@RequestParam paramMap: MutableMap<String, Any>, httpServletRequest: HttpServletRequest): KeyWalletDto? {
-        return service.generateWallet(paramMap, httpServletRequest)
-    }
-
-    @PostMapping("/gen")
+    @PostMapping("/generate")
     fun generateWallet(@RequestBody walletApiCreateRequest: WalletApiCreateRequest, @RequestHeader("X-API-KEY") accessKey: String, @CurrentUser user: User): KeyWalletDto? {
 
         val application = applicationService.getByAccessKey(accessKey)

src/main/kotlin/io/openfuture/api/service/DefaultApplicationWalletService.kt

@@ -32,7 +32,9 @@ class DefaultApplicationWalletService(
     }
 
     override fun deleteWallet(applicationId: String, address: String) {
+        // Delete from Open Key
         keyApi.deleteAllKeysByApplicationAddress(applicationId, address)
+        // Delete from Open State
         stateApi.deleteWallet(address, Blockchain.Ethereum)
     }
 }

src/main/kotlin/io/openfuture/api/service/DefaultWalletApiService.kt

@@ -13,37 +13,17 @@ import javax.servlet.http.HttpServletRequest
 
 @Service
 class DefaultWalletApiService(
-    private val applicationWalletService: ApplicationWalletService,
-    private val applicationService: ApplicationService
+    private val applicationWalletService: ApplicationWalletService
 ) : WalletApiService{
 
     override fun generateWallet(
         walletApiCreateRequest: WalletApiCreateRequest,
         application: Application,
         user: User
     ): KeyWalletDto {
-        return applicationWalletService.generateWallet(GenerateWalletRequest(application.id.toString(), application.webHook!!, walletApiCreateRequest.blockchain), user)
-    }
-
-    override fun generateWallet(
-        paramMap: MutableMap<String, Any>,
-        httpServletRequest: HttpServletRequest
-    ): KeyWalletDto {
-        val accessKey = httpServletRequest.getHeader("X-API-KEY")
-        val signature = httpServletRequest.getHeader("X-API-SIGNATURE")
-
-        val joinedParams = paramMap.entries.joinToString(separator = "&") { (key, value) ->
-            "${key}=${value}"
-        }
-        val application = applicationService.getByAccessKey(accessKey)
-
-        val hmacSha256 = KeyGeneratorUtils.calcHmacSha256(application.apiSecretKey, joinedParams)
-
-
-        if (hmacSha256 == signature){
-            return applicationWalletService.generateWallet(GenerateWalletRequest(application.id.toString(), application.webHook!!, BlockchainType.valueOf(
-                paramMap["blockchain"].toString())), application.user)
-        }
-        throw NotFoundException("Signature does not match")
+        return applicationWalletService.generateWallet(
+            GenerateWalletRequest(application.id.toString(), application.webHook!!, walletApiCreateRequest.blockchain),
+            user
+        )
     }
 }

src/main/kotlin/io/openfuture/api/service/Service.kt

@@ -138,6 +138,4 @@ interface WalletApiService {
 
     fun generateWallet(walletApiCreateRequest: WalletApiCreateRequest, application: Application, user: User): KeyWalletDto
 
-    fun generateWallet(paramMap: MutableMap<String, Any>, httpServletRequest: HttpServletRequest): KeyWalletDto
-
 }

src/main/kotlin/io/openfuture/api/util/DateUtils.kt

@@ -31,7 +31,7 @@ fun LocalDateTime.toEpochMillis(): Long {
 }
 
 fun differenceEpochs(startTime: Long, endTime: Long): Long{
-    return TimeUnit.MILLISECONDS.toMinutes(kotlin.math.abs(
-        endTime - startTime
-    ))
+    return kotlin.math.abs(endTime - startTime)/60
 }
+
+fun currentEpochs(): Long = System.currentTimeMillis() / 1000L

src/main/resources/application.properties

@@ -19,9 +19,13 @@ ethereum.event-subscription=${EVENT_SUBSCRIPTION}
 
 # AUTH
 auth.cookie-name=open_key
+auth.expire-api=10
 
 # WIDGET
 widget.host=${WIDGET_HOST}
 
 # STATE
 state.base-url=${OPEN_STATE_URL}
+
+# KEY
+key.base-url=${OPEN_KEY_URL}