feat: add VPC authentication routes and signature verification (#218)

* feat: add VPC authentication routes and signature verification

- Introduced new VPC authentication routes, including a login endpoint that verifies client signatures and generates access tokens.
- Implemented HMAC-SHA256 signature verification for VPC requests, enhancing security.
- Added comprehensive end-to-end tests for VPC login functionality, covering success cases and various failure scenarios.
- Updated dependencies to include `hmac` and `sha2` for cryptographic operations.
- Refactored the AttestationService to support VPC signature verification and manage shared secrets.

* refactor: update VPC login tests for improved validation

- Changed API key validation to check for non-empty values instead of format.
- Updated user response assertions to ensure both user ID and email are non-empty.
- Enhanced comments for clarity regarding mock authentication behavior.

* feat: get vpc shared secret from file

* test: drop temp files

---------

Co-authored-by: Robert Yan <46699230+think-in-universe@users.noreply.github.com>

Author: PierreLeGuen

Cargo.lock

@@ -53,3 +53,4 @@ base64 = "0.22.1"
 dotenvy = "0.15.7"
 k256 = { version = "0.13", features = ["ecdsa", "arithmetic"] }
 sha3 = "0.10"
+hmac = "0.12"

crates/api/Cargo.toml

@@ -485,6 +485,8 @@ pub fn build_app_with_config(
     let invitation_routes =
         build_invitation_routes(app_state.clone(), &auth_components.auth_state_middleware);
 
+    let auth_vpc_routes = build_auth_vpc_routes(app_state.clone());
+
     let files_routes =
         build_files_routes(app_state.clone(), &auth_components.auth_state_middleware);
 
@@ -508,12 +510,23 @@ pub fn build_app_with_config(
                 .merge(model_routes)
                 .merge(admin_routes)
                 .merge(invitation_routes)
+                .merge(auth_vpc_routes)
                 .merge(files_routes)
                 .merge(health_routes),
         )
         .merge(openapi_routes)
 }
 
+/// Build VPC authentication routes
+pub fn build_auth_vpc_routes(app_state: AppState) -> Router {
+    use crate::routes::auth_vpc::vpc_login;
+    use axum::routing::post;
+
+    Router::new()
+        .route("/auth/vpc/login", post(vpc_login))
+        .with_state(app_state)
+}
+
 /// Build invitation routes with selective auth
 pub fn build_invitation_routes(app_state: AppState, auth_state_middleware: &AuthState) -> Router {
     use crate::routes::users::{accept_invitation_by_token, get_invitation_by_token};

crates/api/src/lib.rs

@@ -0,0 +1,180 @@
+use crate::routes::api::AppState;
+use axum::{
+    extract::State,
+    http::StatusCode,
+    response::{IntoResponse, Json},
+};
+use serde::{Deserialize, Serialize};
+use services::{
+    auth::{ports::OAuthUserInfo, Session},
+    organization::ports::Organization,
+    workspace::ports::Workspace,
+};
+
+#[derive(Debug, Deserialize)]
+pub struct VpcLoginRequest {
+    pub timestamp: i64,
+    pub signature: String,
+    pub client_id: String,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct VpcLoginResponse {
+    pub access_token: String,
+    pub session: Session,
+    pub refresh_token: String,
+    pub api_key: String,
+    pub organization: Organization,
+    pub workspace: Workspace,
+}
+
+pub async fn vpc_login(
+    State(state): State<AppState>,
+    Json(payload): Json<VpcLoginRequest>,
+) -> Result<impl IntoResponse, (StatusCode, String)> {
+    // Verify VPC signature
+    let valid = state
+        .attestation_service
+        .verify_vpc_signature(payload.timestamp, payload.signature.clone())
+        .await
+        .map_err(|e| {
+            tracing::error!("VPC signature verification failed: {e:?}");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Verification error".to_string(),
+            )
+        })?;
+
+    if !valid {
+        return Err((
+            StatusCode::UNAUTHORIZED,
+            "Invalid VPC signature".to_string(),
+        ));
+    }
+
+    // Get or create Chat API user with deterministic mapping
+    let provider_user_id = format!("vpc:{}", payload.client_id);
+    let email = format!("{}@vpc.internal.near.ai", payload.client_id);
+    let username = payload.client_id.clone();
+
+    let user_info = OAuthUserInfo {
+        provider: "vpc".to_string(),
+        provider_user_id,
+        email,
+        username,
+        display_name: None,
+        avatar_url: None,
+    };
+
+    let user = state
+        .auth_service
+        .get_or_create_oauth_user(user_info)
+        .await
+        .map_err(|e| {
+            tracing::error!("Failed to get/create Chat API user: {e:?}");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "User creation error".to_string(),
+            )
+        })?;
+
+    // Create session
+    let (access_token, session, refresh_token) = state
+        .auth_service
+        .create_session(
+            user.id.clone(),
+            None,
+            "VPC/1.0".to_string(),
+            state.config.auth.encoding_key.clone(),
+            24,
+            24 * 30,
+        )
+        .await
+        .map_err(|e| {
+            tracing::error!("Failed to create session: {e:?}");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Session creation error".to_string(),
+            )
+        })?;
+
+    // Create unbound API key for this session
+    // 1. Get default organization for user
+    let orgs = state
+        .organization_service
+        .list_organizations_for_user(user.id.clone(), 1, 0, None, None)
+        .await
+        .map_err(|e| {
+            tracing::error!("Failed to list organizations for user: {e:?}");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Organization lookup error".to_string(),
+            )
+        })?;
+
+    let org = orgs.first().ok_or_else(|| {
+        tracing::error!("User has no organizations");
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            "No organization found".to_string(),
+        )
+    })?;
+
+    // 2. Get default workspace for organization
+    let workspaces = state
+        .workspace_service
+        .list_workspaces_for_organization(org.id.clone(), user.id.clone())
+        .await
+        .map_err(|e| {
+            tracing::error!("Failed to list workspaces: {e:?}");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "Workspace lookup error".to_string(),
+            )
+        })?;
+
+    let workspace = workspaces.first().ok_or_else(|| {
+        tracing::error!("Organization has no workspaces");
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            "No workspace found".to_string(),
+        )
+    })?;
+
+    // 3. Create API key
+    let api_key_name = format!("VPC Key - {}", payload.client_id);
+    let api_key = state
+        .workspace_service
+        .create_api_key(services::workspace::ports::CreateApiKeyRequest {
+            name: api_key_name,
+            workspace_id: workspace.id.clone(),
+            created_by_user_id: user.id,
+            expires_at: None,  // Unbound expiry
+            spend_limit: None, // Unbound spend limit
+        })
+        .await
+        .map_err(|e| {
+            tracing::error!("Failed to create API key: {e:?}");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                "API key creation error".to_string(),
+            )
+        })?;
+
+    let key = api_key.key.ok_or_else(|| {
+        tracing::error!("API key was created but key value is missing");
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            "API key creation error".to_string(),
+        )
+    })?;
+
+    Ok(Json(VpcLoginResponse {
+        access_token,
+        session,
+        refresh_token,
+        api_key: key,
+        organization: org.clone(),
+        workspace: workspace.clone(),
+    }))
+}

crates/api/src/routes/auth_vpc.rs

@@ -2,6 +2,7 @@ pub mod admin;
 pub mod api;
 pub mod attestation;
 pub mod auth;
+pub mod auth_vpc;
 pub mod common;
 pub mod completions;
 pub mod conversations;