Merge pull request #218 from hack-a-chain-software/fixes

Whitelist domains; transaction cursor; query complexity

Author: 0xneves

indexer/src/kadena-server/repository/infra/repository/transaction-db-repository.ts

@@ -148,15 +148,18 @@ export default class TransactionDbRepository implements TransactionRepository {
       ]);
 
       const { params: txParams, conditions: txConditions } = this.createTransactionConditions(
-        params,
+        { ...params, after, before },
         blockParams,
       );
 
       queryParams.push(...txParams);
       transactionsConditions = txConditions;
       blocksConditions = bConditions;
     } else {
-      const { conditions, params: txParams } = this.createTransactionConditions(params, [limit]);
+      const { conditions, params: txParams } = this.createTransactionConditions(
+        { ...params, after, before },
+        [limit],
+      );
       const { blocksConditions: bConditions, blockParams } = this.createBlockConditions(
         params,
         txParams,

indexer/src/kadena-server/server.ts

@@ -35,17 +35,13 @@ import {
 import { depthLimit } from '@graphile/depth-limit';
 
 // Maximum allowed complexity
-const MAX_COMPLEXITY = 1000;
+const MAX_COMPLEXITY = 2500;
 
 const typeDefs = readFileSync(join(__dirname, './config/schema.graphql'), 'utf-8');
 
 const KADENA_GRAPHQL_API_PORT = getRequiredEnvString('KADENA_GRAPHQL_API_PORT');
 
-const ALLOWED_ORIGINS = [
-  getRequiredEnvString('API_GATEWAY_URL'),
-  getRequiredEnvString('API_KADENA_URL'),
-  `http://localhost:${KADENA_GRAPHQL_API_PORT}`,
-];
+const ALLOWED_ORIGINS = [process.env.API_GATEWAY_URL ?? '', process.env.API_KADENA_URL ?? ''];
 
 const validatePaginationParamsPlugin: ApolloServerPlugin = {
   requestDidStart: async () => ({
@@ -127,13 +123,16 @@ const ipFilterMiddleware = (req: Request, res: Response, next: NextFunction) =>
 const isAllowedOrigin = (origin: string): boolean => {
   try {
     const originUrl = new URL(origin);
+    if (originUrl.hostname === 'localhost') return true;
+
     return ALLOWED_ORIGINS.some(allowed => {
       const allowedUrl = new URL(allowed);
       // Check if it's an exact match
       if (originUrl.origin === allowedUrl.origin) return true;
       // Check if it's a subdomain (only for kadena.io)
-      if (allowedUrl.hostname === 'kadena.io' && originUrl.hostname.endsWith('.kadena.io'))
+      if (allowedUrl.hostname === 'kadena.io' && originUrl.hostname.endsWith('.kadena.io')) {
         return true;
+      }
       return false;
     });
   } catch {
@@ -233,15 +232,6 @@ export async function useKadenaGraphqlServer() {
   const wsServer = new WebSocketServer({
     server: httpServer,
     path: '/graphql',
-    verifyClient: ({ origin }, callback) => {
-      if (!origin || origin === 'null') {
-        return callback(false, 400, 'No origin');
-      }
-      if (isAllowedOrigin(origin)) {
-        return callback(true);
-      }
-      return callback(false, 403, 'Forbidden');
-    },
   });
 
   const serverCleanup = useServer(
@@ -282,14 +272,42 @@ export async function useKadenaGraphqlServer() {
         }
       },
       methods: ['POST', 'OPTIONS'],
-      allowedHeaders: ['Content-Type', 'Authorization'],
+      allowedHeaders: [
+        'Content-Type',
+        'Authorization',
+        'Accept',
+        'Origin',
+        'X-Requested-With',
+        'Cache-Control',
+        'Pragma',
+      ],
+      exposedHeaders: ['Access-Control-Allow-Origin'],
       credentials: true,
+      maxAge: 86400, // 24 hours
     }),
     expressMiddleware(server, {
       context: createGraphqlContext,
     }),
   );
 
+  // Handle OPTIONS requests explicitly
+  app.options('*', (req: Request, res: Response) => {
+    const origin = req.headers.origin;
+    if (origin && isAllowedOrigin(origin)) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+      res.setHeader('Access-Control-Allow-Credentials', 'true');
+      res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS');
+      res.setHeader(
+        'Access-Control-Allow-Headers',
+        'Content-Type, Authorization, Accept, Origin, X-Requested-With, Cache-Control, Pragma',
+      );
+      res.setHeader('Access-Control-Max-Age', '86400');
+      res.status(204).end();
+    } else {
+      res.status(403).end();
+    }
+  });
+
   app.post('/new-block', ipFilterMiddleware, async (req, res) => {
     const payload = await dispatchInfoSchema.safeParseAsync(req.body);
     if (!payload.success) {

indexer/tests/integration/transactions.query.test.ts

@@ -46,6 +46,102 @@ const resOne = {
   },
 };
 
+const resTwo = {
+  data: {
+    transactions: {
+      pageInfo: {
+        endCursor: 'MTcyNDc2MTg5',
+        hasNextPage: false,
+        hasPreviousPage: true,
+        startCursor: 'MTcyNDc2MTky',
+      },
+      totalCount: 21,
+      edges: [
+        {
+          cursor: 'MTcyNDc2MTky',
+          node: {
+            id: 'VHJhbnNhY3Rpb246WyJGSEQyaEVwQlltUzdDUjhsMUI2YmhyVk0zZHZLX0wxeXo5dUtLWFBBRFVRIiwicVVFdEhUZnpfOXo5cWl2dDRmZXROdHF0MDVwei15RktMdTJ3TWlHNFdyRSJd',
+            hash: 'qUEtHTfz_9z9qivt4fetNtqt05pz-yFKLu2wMiG4WrE',
+            cmd: {
+              meta: {
+                sender: 'k:b95ea3559d0bdab751891523dab34f5f57f473fdd00cb9d79a23b9414e4f4e33',
+              },
+              payload: {
+                code: '"(free.radio02.add-received-with-chain \\"cc4f5cfffe205d7b\\" \\"U2FsdGVkX19SVUSGOXLII21FEVYX3X+5eqsnPJcA1PA=;;;;;oQTiyaTIRTnokdQjDZ8e6MXQyqQ5WZmgcwRJa5QmM2GngbpJCs4oG4M2Iaf0CXPxkuMplG4llknLmOwkG1CPOCVXnjoSEE+95ut7zpNwaVYTw7HJ711DJPgc1LiZEclWcKaOFRQ/Fax5t0EPnqLE5WwpGjWZEwlrdDlvx/XuJBI=\\" \\"0\\" )"',
+              },
+            },
+            result: {
+              badResult: null,
+              goodResult: '"Write succeeded"',
+              continuation: null,
+            },
+          },
+        },
+        {
+          cursor: 'MTcyNDc2MTkx',
+          node: {
+            id: 'VHJhbnNhY3Rpb246WyJGSEQyaEVwQlltUzdDUjhsMUI2YmhyVk0zZHZLX0wxeXo5dUtLWFBBRFVRIiwiU2MweDVnWHdYVHFGd1B2LTRyUUx4VWlfYWNOa1owN3psYURsbFBfNWFzMCJd',
+            hash: 'Sc0x5gXwXTqFwPv-4rQLxUi_acNkZ07zlaDllP_5as0',
+            cmd: {
+              meta: {
+                sender: 'k:e1e4a7064bffaf7dbbf5ef5f7f3c025e5d7fe48614aa2e4d6c44ccc9dcd3d56b',
+              },
+              payload: {
+                code: '"(free.radio02.close-send-receive \\"k:48e0917d48785f68572bc6506e049a713979772fa341aeb14e9ecae47d951f8c\\" [] [] )"',
+              },
+            },
+            result: {
+              badResult: null,
+              goodResult: '""',
+              continuation: null,
+            },
+          },
+        },
+        {
+          cursor: 'MTcyNDc2MTkw',
+          node: {
+            id: 'VHJhbnNhY3Rpb246WyJGSEQyaEVwQlltUzdDUjhsMUI2YmhyVk0zZHZLX0wxeXo5dUtLWFBBRFVRIiwiV1pHdkFHQjFpVU12WENjMWRHbnc4QlZYUzJsa0NJdDhLTEN3QlRDNllVUSJd',
+            hash: 'WZGvAGB1iUMvXCc1dGnw8BVXS2lkCIt8KLCwBTC6YUQ',
+            cmd: {
+              meta: {
+                sender: 'k:6712f99b183edd481c76c1fd572b60f56620a799dd00d0a40e74a06ce1b09c77',
+              },
+              payload: {
+                code: '"(free.radio02.add-received-with-chain \\"cc4f5cfffe205d7b\\" \\"U2FsdGVkX18vv0+U2aVuU/ZtRgGTo4a1ScURpWZG3Rc=;;;;;U2YBtMfdmgH65fGUlkFJdXwncaDF27GDpPBsGGVO16imgpDoJ4IHG5ZpOKxpJbV/DgsFgU/DSlfFIGIW6kIDXYcjja+icMQLZnkopKXrbOMYeNf9nEu3iOE1Gft4leAYHUqHhG9DBt9+1xOLzdxAOteuyeyhbtPb3xBK/RZilFQ=\\" \\"0\\" )"',
+              },
+            },
+            result: {
+              badResult: null,
+              goodResult: '"Write succeeded"',
+              continuation: null,
+            },
+          },
+        },
+        {
+          cursor: 'MTcyNDc2MTg5',
+          node: {
+            id: 'VHJhbnNhY3Rpb246WyJGSEQyaEVwQlltUzdDUjhsMUI2YmhyVk0zZHZLX0wxeXo5dUtLWFBBRFVRIiwiRXQ0NWdTWGN4ZnF1bDU0Zi04TTVfaExTTjVObVYyVjhkXzVUNDlEYXlNYyJd',
+            hash: 'Et45gSXcxfqul54f-8M5_hLSN5NmV2V8d_5T49DayMc',
+            cmd: {
+              meta: {
+                sender: 'k:0e98a32914e0af5c3dc2b41f216a37091d1664b00b6a8e3a87d5e5022eeab4e3',
+              },
+              payload: {
+                code: '"(free.radio02.direct-to-send \\"k:b3c65463af1f398a5465c15c4c9f221d3a5bb3efad52829715f088a7ee4bc7d3\\" )"',
+              },
+            },
+            result: {
+              badResult: null,
+              goodResult: '"Write succeeded"',
+              continuation: null,
+            },
+          },
+        },
+      ],
+    },
+  },
+};
+
 describe('Transactions Query', () => {
   it('blockHash: "Qzi58vcpW97du01srIwxpwSQUPDRNBnl2EKyubP-IWw"', async () => {
     const query = gql`
@@ -84,4 +180,51 @@ describe('Transactions Query', () => {
     const data = await client.request(query);
     expect(resOne.data).toMatchObject(data);
   });
+
+  it('first: "20", after: "MTcyNDc2MTkz", blockHash: "FHD2hEpBYmS7CR8l1B6bhrVM3dvK_L1yz9uKKXPADUQ"', async () => {
+    const query = gql`
+      query {
+        transactions(
+          first: 20
+          after: "MTcyNDc2MTkz"
+          blockHash: "FHD2hEpBYmS7CR8l1B6bhrVM3dvK_L1yz9uKKXPADUQ"
+        ) {
+          pageInfo {
+            endCursor
+            hasNextPage
+            hasPreviousPage
+            startCursor
+          }
+          totalCount
+          edges {
+            cursor
+            node {
+              id
+              hash
+              cmd {
+                meta {
+                  sender
+                }
+                payload {
+                  ... on ExecutionPayload {
+                    code
+                  }
+                }
+              }
+              result {
+                ... on TransactionResult {
+                  badResult
+                  goodResult
+                  continuation
+                }
+              }
+            }
+          }
+        }
+      }
+    `;
+
+    const data = await client.request(query);
+    expect(resTwo.data).toMatchObject(data);
+  });
 });