fix: secret parsing whitelisting private rpc (#4347)

aon · calvogenerico · web-flow · commit 12d375a0c7cf · 2025-07-24T19:43:21.000Z
## What ❔ Fix a mismatch between secret sending between `private-rpc` and `block-explorer`. Currently the `block-explorer` sends the secret in the header: https://github.com/matter-labs/block-explorer/blob/prividium-mode/packages/api/src/auth/auth.controller.ts#L227. The mismatch was ocurring due to `private-rpc` sending it as a query param.    ## Why ❔    ## Is this a breaking change? - [ ] Yes - [ ] No ## Operational changes   ## Checklist   - [ ] PR title corresponds to the body of PR (we generate changelog entries from PRs). - [ ] Tests for the changes have been added / updated. - [ ] Documentation comments have been added / updated. - [ ] Code has been formatted via `zkstack dev fmt` and `zkstack dev lint`. --------- Co-authored-by: calvo.generico <miguelfeliped@gmail.com>
diff --git a/private-rpc/src/routes/users-routes.ts b/private-rpc/src/routes/users-routes.ts
@@ -46,18 +46,16 @@ export function usersRoutes(app: WebServer) {
         schema: {
             params: z.object({
                 address: addressSchema
-            }),
-            querystring: z.object({
-                secret: z.string()
             })
         }
     };
 
     app.get('/:address', getUserSchema, (req, reply) => {
         const { authorizer, createTokenSecret } = app.context;
-        const { secret } = req.query;
+        const secret = req.headers['x-secret'];
 
         if (secret !== createTokenSecret) {
+            console.warn(`Invalid secret sent: ${secret}`);
             throw new HttpError('forbidden', 403);
         }
 
