Add airnode address to POST endpoint as a path parameter (#189)

* Add airnode address to POST endpoint as a path parameter

* Check authentication first

* Update package name in READMEs

* Fix typo

Author: bdrhn9

README.md

@@ -2,7 +2,7 @@
 
 A monorepo for managing signed data. Consists of:
 
-- [api](./packages/signed-api/README.md) - A service for storing and accessing signed data. It provides endpoints to
+- [signed-api](./packages/signed-api/README.md) - A service for storing and accessing signed data. It provides endpoints to
   handle signed data for a specific airnode.
 - [airnode-feed](./packages/airnode-feed/README.md) - A service for pushing data provider signed data.
 - [e2e](./packages/e2e/README.md) - End to end test utilizing Mock API, Airnode feed and signed API.

packages/airnode-feed/src/api-requests/signed-api.test.ts

@@ -38,7 +38,7 @@ describe(pushSignedData.name, () => {
     );
     jest.spyOn(stateModule, 'getState').mockReturnValue(state);
     jest.spyOn(logger, 'warn');
-    jest.spyOn(axios, 'post').mockResolvedValue({ youHaveNotThoughAboutThisDidYou: 'yes-I-did' });
+    jest.spyOn(axios, 'post').mockResolvedValue({ youHaveNotThoughtAboutThisDidYou: 'yes-I-did' });
 
     const response = await pushSignedData(config.triggers.signedApiUpdates[0]!);
 

packages/airnode-feed/src/api-requests/signed-api.ts

@@ -45,7 +45,7 @@ export const pushSignedData = async (group: SignedApiUpdate) => {
     const signedApi = signedApis.find((a) => a.name === signedApiName)!;
     const goAxiosRequest = await go<Promise<unknown>, AxiosError>(async () => {
       logger.debug('Posting batch payload.', { batchPayload });
-      const axiosResponse = await axios.post(signedApi.url, batchPayload, {
+      const axiosResponse = await axios.post(new URL(airnode, signedApi.url).href, batchPayload, {
         headers: {
           'Content-Type': 'application/json',
           ...(signedApi.authToken ? { Authorization: `Bearer ${signedApi.authToken}` } : {}),

packages/signed-api/README.md

@@ -1,4 +1,4 @@
-# api
+# signed-api
 
 > A service for storing and accessing signed data. It provides endpoints to handle signed data for a specific airnode.
 

packages/signed-api/src/handlers.test.ts

@@ -23,7 +23,7 @@ describe(batchInsertData.name, () => {
   it('validates signature', async () => {
     const invalidData = await createSignedData({ signature: '0xInvalid' });
 
-    const result = await batchInsertData(undefined, [invalidData]);
+    const result = await batchInsertData(undefined, [invalidData], invalidData.airnode);
 
     expect(result).toStrictEqual({
       body: JSON.stringify({
@@ -47,7 +47,7 @@ describe(batchInsertData.name, () => {
     const data = await createSignedData();
     const invalidData = { ...data, beaconId: deriveBeaconId(data.airnode, generateRandomBytes(32)) };
 
-    const result = await batchInsertData(undefined, [invalidData]);
+    const result = await batchInsertData(undefined, [invalidData], invalidData.airnode);
 
     expect(result).toStrictEqual({
       body: JSON.stringify({
@@ -74,7 +74,7 @@ describe(batchInsertData.name, () => {
     );
     const batchData = [await createSignedData({ airnodeWallet })];
 
-    const result = await batchInsertData(undefined, batchData);
+    const result = await batchInsertData(undefined, batchData, airnodeWallet.address);
 
     expect(result).toStrictEqual({
       body: JSON.stringify({
@@ -109,7 +109,7 @@ describe(batchInsertData.name, () => {
     ];
     jest.spyOn(logger, 'debug');
 
-    const result = await batchInsertData(undefined, batchData);
+    const result = await batchInsertData(undefined, batchData, airnodeWallet.address);
 
     expect(result).toStrictEqual({
       body: JSON.stringify({ count: 1, skipped: 1 }),
@@ -124,14 +124,14 @@ describe(batchInsertData.name, () => {
   });
 
   it('rejects a batch if there is a beacon with timestamp too far in the future', async () => {
-    const batchData = [await createSignedData({ timestamp: (Math.floor(Date.now() / 1000) + 60 * 60 * 2).toString() })];
+    const invalidData = await createSignedData({ timestamp: (Math.floor(Date.now() / 1000) + 60 * 60 * 2).toString() });
 
-    const result = await batchInsertData(undefined, batchData);
+    const result = await batchInsertData(undefined, [invalidData], invalidData.airnode);
 
     expect(result).toStrictEqual({
       body: JSON.stringify({
         message: 'Request timestamp is too far in the future',
-        context: { signedData: batchData[0] },
+        context: { signedData: invalidData },
       }),
       headers: {
         'access-control-allow-methods': '*',
@@ -154,7 +154,7 @@ describe(batchInsertData.name, () => {
       await createSignedData({ airnodeWallet: airnodeWallet2 }),
     ];
 
-    const result = await batchInsertData(undefined, batchData);
+    const result = await batchInsertData(undefined, batchData, airnodeWallet1.address);
 
     expect(result).toStrictEqual({
       body: JSON.stringify({
@@ -175,11 +175,42 @@ describe(batchInsertData.name, () => {
     });
   });
 
+  it('rejects a batch when the path parameter conflicts with the Airnode address populated in the signed data', async () => {
+    const airnodeWallet1 = ethers.Wallet.fromMnemonic(
+      'echo dose empower ensure purchase enjoy once hotel slender loop repair desk'
+    );
+    const airnodeWallet2 = ethers.Wallet.fromMnemonic(
+      'clay drift protect wise love frost tourist eyebrow glide cost comfort punch'
+    );
+    const batchData = [
+      await createSignedData({ airnodeWallet: airnodeWallet2 }),
+      await createSignedData({ airnodeWallet: airnodeWallet2 }),
+    ];
+
+    const result = await batchInsertData(undefined, batchData, airnodeWallet1.address);
+
+    expect(result).toStrictEqual({
+      body: JSON.stringify({
+        message: 'Airnode address in the path parameter does not match one in the signed data',
+        context: {
+          airnodeAddress: airnodeWallet1.address,
+          signedData: batchData[0],
+        },
+      }),
+      headers: {
+        'access-control-allow-methods': '*',
+        'access-control-allow-origin': '*',
+        'content-type': 'application/json',
+      },
+      statusCode: 400,
+    });
+  });
+
   it('inserts the batch if data is valid', async () => {
     const airnodeWallet = generateRandomWallet();
     const batchData = [await createSignedData({ airnodeWallet }), await createSignedData({ airnodeWallet })];
 
-    const result = await batchInsertData(undefined, batchData);
+    const result = await batchInsertData(undefined, batchData, airnodeWallet.address);
 
     expect(result).toStrictEqual({
       body: JSON.stringify({ count: 2, skipped: 0 }),
@@ -201,8 +232,9 @@ describe(batchInsertData.name, () => {
 
 describe(getData.name, () => {
   it('drops the request if the airnode address is invalid', async () => {
-    const batchData = [await createSignedData(), await createSignedData()];
-    await batchInsertData(undefined, batchData);
+    const airnodeWallet = generateRandomWallet();
+    const batchData = [await createSignedData({ airnodeWallet }), await createSignedData({ airnodeWallet })];
+    await batchInsertData(undefined, batchData, airnodeWallet.address);
 
     const result = await getData({ authTokens: null, delaySeconds: 0, urlPath: 'path' }, undefined, '0xInvalid');
 
@@ -220,7 +252,7 @@ describe(getData.name, () => {
   it('returns the live data', async () => {
     const airnodeWallet = generateRandomWallet();
     const batchData = [await createSignedData({ airnodeWallet }), await createSignedData({ airnodeWallet })];
-    await batchInsertData(undefined, batchData);
+    await batchInsertData(undefined, batchData, airnodeWallet.address);
 
     const result = await getData(
       { authTokens: null, delaySeconds: 0, urlPath: 'path' },
@@ -252,7 +284,7 @@ describe(getData.name, () => {
       await createSignedData({ airnodeWallet, timestamp: delayTimestamp }),
       await createSignedData({ airnodeWallet }),
     ];
-    await batchInsertData(undefined, batchData);
+    await batchInsertData(undefined, batchData, airnodeWallet.address);
 
     const result = await getData(
       { authTokens: null, delaySeconds: 30, urlPath: 'path' },
@@ -281,7 +313,7 @@ describe(listAirnodeAddresses.name, () => {
   it('returns the list of airnode addresses', async () => {
     const airnodeWallet = generateRandomWallet();
     const batchData = [await createSignedData({ airnodeWallet }), await createSignedData({ airnodeWallet })];
-    await batchInsertData(undefined, batchData);
+    await batchInsertData(undefined, batchData, airnodeWallet.address);
 
     const result = await listAirnodeAddresses();
 

packages/signed-api/src/handlers.ts

@@ -22,8 +22,27 @@ import {
 // important for the delayed endpoint which may not be allowed to return the fresh data yet.
 export const batchInsertData = async (
   authorizationHeader: string | undefined,
-  requestBody: unknown
+  requestBody: unknown,
+  airnodeAddress: string
 ): Promise<ApiResponse> => {
+  // Ensure that the batch of signed that comes from a whitelisted Airnode.
+  const { endpoints, allowedAirnodes } = getConfig();
+  if (allowedAirnodes !== '*') {
+    // Find the allowed airnode and extract the request token.
+    const allowedAirnode = allowedAirnodes.find((allowedAirnode) => allowedAirnode.address === airnodeAddress);
+    const authToken = extractBearerToken(authorizationHeader);
+
+    // Check if the airnode is allowed and if the auth token is valid.
+    const isAirnodeAllowed = Boolean(allowedAirnode);
+    const isAuthTokenValid = allowedAirnode?.authTokens === null || allowedAirnode?.authTokens.includes(authToken!);
+    if (!isAirnodeAllowed || !isAuthTokenValid) {
+      if (isAirnodeAllowed) {
+        logger.debug(`Invalid auth token`, { allowedAirnode, authToken });
+      }
+      return generateErrorResponse(403, 'Unauthorized Airnode address', { airnodeAddress });
+    }
+  }
+
   const goValidateSchema = await go(async () => batchSignedDataSchema.parseAsync(requestBody));
   if (!goValidateSchema.success) {
     return generateErrorResponse(400, 'Invalid request, body must fit schema for batch of signed data', {
@@ -35,31 +54,20 @@ export const batchInsertData = async (
   const batchSignedData = goValidateSchema.data;
   if (isEmpty(batchSignedData)) return generateErrorResponse(400, 'No signed data to push');
 
-  // Check if all signed data is from the same airnode
+  // Check if all signed data is from the same airnode.
   const signedDataAirnodes = new Set(batchSignedData.map((signedData) => signedData.airnode));
   if (signedDataAirnodes.size > 1) {
     return generateErrorResponse(400, 'All signed data must be from the same Airnode address', {
       airnodeAddresses: [...signedDataAirnodes],
     });
   }
-  const airnodeAddress = batchSignedData[0]!.airnode;
 
-  // Ensure that the batch of signed that comes from a whitelisted Airnode.
-  const { endpoints, allowedAirnodes } = getConfig();
-  if (allowedAirnodes !== '*') {
-    // Find the allowed airnode and extract the request token.
-    const allowedAirnode = allowedAirnodes.find((allowedAirnode) => allowedAirnode.address === airnodeAddress);
-    const authToken = extractBearerToken(authorizationHeader);
-
-    // Check if the airnode is allowed and if the auth token is valid.
-    const isAirnodeAllowed = Boolean(allowedAirnode);
-    const isAuthTokenValid = allowedAirnode?.authTokens === null || allowedAirnode?.authTokens.includes(authToken!);
-    if (!isAirnodeAllowed || !isAuthTokenValid) {
-      if (isAirnodeAllowed) {
-        logger.debug(`Invalid auth token`, { allowedAirnode, authToken });
-      }
-      return generateErrorResponse(403, 'Unauthorized Airnode address', { airnodeAddress });
-    }
+  // Check if the path parameter matches the airnode address in the signed data.
+  if (airnodeAddress !== batchSignedData[0]!.airnode) {
+    return generateErrorResponse(400, 'Airnode address in the path parameter does not match one in the signed data', {
+      airnodeAddress,
+      signedData: batchSignedData[0],
+    });
   }
 
   // Check whether any duplications exist
@@ -111,15 +119,15 @@ export const batchInsertData = async (
     newSignedData.push(signedData);
   }
 
-  // Write batch of validated data to the database
+  // Write batch of validated data to the database.
   const goBatchWriteDb = await go(async () => putAll(newSignedData));
   if (!goBatchWriteDb.success) {
     return generateErrorResponse(500, 'Unable to send batch of signed data to database', {
       detail: goBatchWriteDb.error.message,
     });
   }
 
-  // Prune the cache with the data that is too old (no endpoint will ever return it)
+  // Prune the cache with the data that is too old (no endpoint will ever return it).
   const maxDelay = endpoints.reduce((acc, endpoint) => Math.max(acc, endpoint.delaySeconds), 0);
   const maxIgnoreAfterTimestamp = Math.floor(Date.now() / 1000 - maxDelay);
   const goPruneCache = await go(async () => prune(newSignedData, maxIgnoreAfterTimestamp));

packages/signed-api/src/server.ts

@@ -16,12 +16,12 @@ export const startServer = (config: Config, port: number) => {
   // The default limit is 100kb, which is not enough for the signed API because some payloads can be quite large.
   app.use(express.json({ limit: '10mb' }));
 
-  app.post('/', async (req, res, next) => {
+  app.post('/:airnodeAddress', async (req, res, next) => {
     const goRequest = await go(async () => {
-      logger.info('Received request "POST /".');
-      logger.debug('Request details.', { body: req.body });
+      logger.info('Received request "POST /:airnodeAddress".');
+      logger.debug('Request details.', { body: req.body, params: req.params });
 
-      const result = await batchInsertData(req.headers.authorization, req.body);
+      const result = await batchInsertData(req.headers.authorization, req.body, req.params.airnodeAddress);
       res.status(result.statusCode).header(result.headers).send(result.body);
 
       logger.debug('Responded to request "POST /".', result);