feat: exchange projectid validation (#1075)

* chore: add validation method

* chore: add projectId allowlist

* chore: use &String to avoid deref

* fix: tests

Author: lukaisailovic

.env.example

@@ -22,14 +22,6 @@ export RPC_PROXY_PROVIDER_MELD_API_URL=""
 export RPC_PROXY_POSTGRES_URI="postgres://postgres@localhost/postgres"
 
 
-# Payments Exchanges
-#export RPC_PROXY_EXCHANGES_COINBASE_PROJECT_ID=""
-#export RPC_PROXY_EXCHANGES_COINBASE_KEY_NAME=""
-#export RPC_PROXY_EXCHANGES_COINBASE_KEY_SECRET=""
-#export RPC_PROXY_EXCHANGES_BINANCE_CLIENT_ID=""
-#export RPC_PROXY_EXCHANGES_BINANCE_TOKEN=""
-#export RPC_PROXY_EXCHANGES_BINANCE_KEY=""
-#export RPC_PROXY_EXCHANGES_BINANCE_HOST=""
 
 # Uncomment for Project ID that is allowed to make a test-specific requests
 # export RPC_PROXY_TESTING_PROJECT_ID=""
@@ -59,3 +51,14 @@ export RPC_PROXY_POSTGRES_URI="postgres://postgres@localhost/postgres"
 
 # Uncomment for using the ENS names offchain gateway
 # export RPC_PROXY_NAMES_ALLOWED_ZONES="eth.id,xyz.id"
+
+
+# Payments
+#export RPC_PROXY_EXCHANGES_COINBASE_PROJECT_ID=""
+#export RPC_PROXY_EXCHANGES_COINBASE_KEY_NAME=""
+#export RPC_PROXY_EXCHANGES_COINBASE_KEY_SECRET=""
+#export RPC_PROXY_EXCHANGES_BINANCE_CLIENT_ID=""
+#export RPC_PROXY_EXCHANGES_BINANCE_TOKEN=""
+#export RPC_PROXY_EXCHANGES_BINANCE_KEY=""
+#export RPC_PROXY_EXCHANGES_BINANCE_HOST=""
+#export RPC_PROXY_EXCHANGES_ALLOWED_PROJECT_IDS=""

docker-compose.mock-bundler.yaml

@@ -3,7 +3,7 @@ services:
     image: ghcr.io/foundry-rs/foundry:stable
     restart: unless-stopped
     ports: ["8545:8545"]
-    entrypoint: [ "anvil", "--fork-url", "https://gateway.tenderly.co/public/sepolia", "--host", "0.0.0.0", "--gas-price", "1" ]
+    entrypoint: [ "anvil", "--fork-url", "https://sepolia.gateway.tenderly.co", "--host", "0.0.0.0", "--gas-price", "1" ]
     platform: linux/amd64
 
   mock-paymaster:

src/env/mod.rs

@@ -250,6 +250,10 @@ mod test {
             ("RPC_PROXY_EXCHANGES_BINANCE_TOKEN", "BINANCE_TOKEN"),
             ("RPC_PROXY_EXCHANGES_BINANCE_KEY", "BINANCE_KEY"),
             ("RPC_PROXY_EXCHANGES_BINANCE_HOST", "BINANCE_HOST"),
+            (
+                "RPC_PROXY_EXCHANGES_ALLOWED_PROJECT_IDS",
+                "test_project_id,test_project_id_2",
+            ),
         ];
 
         values.iter().for_each(set_env_var);
@@ -356,6 +360,10 @@ mod test {
                     binance_host: Some("BINANCE_HOST".to_owned()),
                     coinbase_key_name: Some("COINBASE_KEY_NAME".to_owned()),
                     coinbase_key_secret: Some("COINBASE_KEY_SECRET".to_owned()),
+                    allowed_project_ids: Some(vec![
+                        "test_project_id".to_owned(),
+                        "test_project_id_2".to_owned(),
+                    ]),
                 },
             }
         );

src/handlers/wallet/exchanges/mod.rs

@@ -6,6 +6,7 @@ use {
     strum::IntoEnumIterator,
     strum_macros::{AsRefStr, EnumIter},
     thiserror::Error,
+    tracing::debug,
 };
 
 pub mod binance;
@@ -23,6 +24,7 @@ pub struct Config {
     pub binance_token: Option<String>,
     pub binance_key: Option<String>,
     pub binance_host: Option<String>,
+    pub allowed_project_ids: Option<Vec<String>>,
 }
 
 #[derive(Debug, Serialize, Clone)]
@@ -93,6 +95,9 @@ pub enum ExchangeError {
     #[error("Get pay url error: {0}")]
     GetPayUrlError(String),
 
+    #[error("Feature not enabled: {0}")]
+    FeatureNotEnabled(String),
+
     #[error("Internal error")]
     InternalError(String),
 }
@@ -157,3 +162,25 @@ pub fn get_supported_exchanges(asset: Option<String>) -> Result<Vec<Exchange>, E
 pub fn get_exchange_by_id(id: &str) -> Option<Exchange> {
     ExchangeType::from_id(id).map(|e| e.to_exchange())
 }
+
+pub fn is_feature_enabled_for_project_id(
+    state: State<Arc<AppState>>,
+    project_id: &String,
+) -> Result<(), ExchangeError> {
+    let allowed_project_ids = state
+        .config
+        .exchanges
+        .allowed_project_ids
+        .as_ref()
+        .ok_or_else(|| ExchangeError::FeatureNotEnabled("Feature is not enabled".to_string()))?;
+
+    debug!("allowed_project_ids: {:?}", allowed_project_ids);
+
+    if !allowed_project_ids.contains(project_id) {
+        return Err(ExchangeError::FeatureNotEnabled(
+            "Project is not allowed to use this feature".to_string(),
+        ));
+    }
+
+    Ok(())
+}

src/handlers/wallet/get_exchange_buy_status.rs

@@ -1,6 +1,7 @@
 use {
     crate::handlers::wallet::exchanges::{
-        BuyTransactionStatus, ExchangeError, ExchangeType, GetBuyStatusParams,
+        is_feature_enabled_for_project_id, BuyTransactionStatus, ExchangeError, ExchangeType,
+        GetBuyStatusParams,
     },
     crate::{
         handlers::{SdkInfoParams, HANDLER_TASK_METRICS},
@@ -64,11 +65,14 @@ impl GetExchangeBuyStatusError {
 
 pub async fn handler(
     state: State<Arc<AppState>>,
+    project_id: String,
     connect_info: ConnectInfo<SocketAddr>,
     headers: HeaderMap,
     query: Query<QueryParams>,
     Json(request): Json<GetExchangeBuyStatusRequest>,
 ) -> Result<GetExchangeBuyStatusResponse, GetExchangeBuyStatusError> {
+    is_feature_enabled_for_project_id(state.clone(), &project_id)
+        .map_err(|e| GetExchangeBuyStatusError::ValidationError(e.to_string()))?;
     handler_internal(state, connect_info, headers, query, request)
         .with_metrics(HANDLER_TASK_METRICS.with_name("pay_get_exchange_buy_status"))
         .await

src/handlers/wallet/get_exchange_url.rs

@@ -1,5 +1,7 @@
 use {
-    crate::handlers::wallet::exchanges::{ExchangeError, ExchangeType, GetBuyUrlParams},
+    crate::handlers::wallet::exchanges::{
+        is_feature_enabled_for_project_id, ExchangeError, ExchangeType, GetBuyUrlParams,
+    },
     crate::{
         handlers::{SdkInfoParams, HANDLER_TASK_METRICS},
         state::AppState,
@@ -67,6 +69,8 @@ pub async fn handler(
     query: Query<QueryParams>,
     Json(request): Json<GeneratePayUrlRequest>,
 ) -> Result<GeneratePayUrlResponse, GetExchangeUrlError> {
+    is_feature_enabled_for_project_id(state.clone(), &project_id)
+        .map_err(|e| GetExchangeUrlError::ValidationError(e.to_string()))?;
     handler_internal(state, project_id, connect_info, headers, query, request)
         .with_metrics(HANDLER_TASK_METRICS.with_name("pay_get_exchange_url"))
         .await

src/handlers/wallet/get_exchanges.rs

@@ -1,5 +1,7 @@
 use {
-    crate::handlers::wallet::exchanges::{get_supported_exchanges, Exchange},
+    crate::handlers::wallet::exchanges::{
+        get_supported_exchanges, is_feature_enabled_for_project_id, Exchange,
+    },
     crate::{
         handlers::{SdkInfoParams, HANDLER_TASK_METRICS},
         state::AppState,
@@ -67,11 +69,14 @@ impl GetExchangesError {
 
 pub async fn handler(
     state: State<Arc<AppState>>,
+    project_id: String,
     connect_info: ConnectInfo<SocketAddr>,
     headers: HeaderMap,
     query: Query<QueryParams>,
     Json(request): Json<GetExchangesRequest>,
 ) -> Result<GetExchangesResponse, GetExchangesError> {
+    is_feature_enabled_for_project_id(state.clone(), &project_id)
+        .map_err(|e| GetExchangesError::ValidationError(e.to_string()))?;
     handler_internal(state, connect_info, headers, query, request)
         .with_metrics(HANDLER_TASK_METRICS.with_name("pay_get_exchanges"))
         .await

src/handlers/wallet/handler.rs

@@ -244,6 +244,7 @@ async fn handle_rpc(
         PAY_GET_EXCHANGES => serde_json::to_value(
             &get_exchanges::handler(
                 state,
+                project_id,
                 connect_info,
                 headers,
                 Query(get_exchanges::QueryParams {
@@ -273,6 +274,7 @@ async fn handle_rpc(
         PAY_GET_EXCHANGE_BUY_STATUS => serde_json::to_value(
             &get_exchange_buy_status::handler(
                 state,
+                project_id,
                 connect_info,
                 headers,
                 Query(get_exchange_buy_status::QueryParams {

terraform/ecs/cluster.tf

@@ -145,6 +145,7 @@ resource "aws_ecs_task_definition" "app_task" {
         { name = "RPC_PROXY_EXCHANGES_BINANCE_TOKEN", value = var.binance_token },
         { name = "RPC_PROXY_EXCHANGES_BINANCE_KEY", value = var.binance_key },
         { name = "RPC_PROXY_EXCHANGES_BINANCE_HOST", value = var.binance_host },
+        { name = "RPC_PROXY_EXCHANGES_ALLOWED_PROJECT_IDS", value = var.pay_allowed_project_ids },
 
 
       ],

terraform/ecs/variables.tf

@@ -485,3 +485,10 @@ variable "binance_host" {
   sensitive   = true
   default     = ""
 }
+
+variable "pay_allowed_project_ids" {
+  description = "Allowed project ids for pay with exchange"
+  type        = string
+  sensitive   = false
+  default     = ""
+}

terraform/res_ecs.tf

@@ -121,13 +121,14 @@ module "ecs" {
   testing_project_id = var.testing_project_id
 
   # Exchanges
-  coinbase_project_id = var.coinbase_project_id
-  coinbase_key_name   = var.coinbase_key_name
-  coinbase_key_secret = var.coinbase_key_secret
-  binance_client_id   = var.binance_client_id
-  binance_token       = var.binance_token
-  binance_key         = var.binance_key
-  binance_host        = var.binance_host
+  coinbase_project_id     = var.coinbase_project_id
+  coinbase_key_name       = var.coinbase_key_name
+  coinbase_key_secret     = var.coinbase_key_secret
+  binance_client_id       = var.binance_client_id
+  binance_token           = var.binance_token
+  binance_key             = var.binance_key
+  binance_host            = var.binance_host
+  pay_allowed_project_ids = var.pay_allowed_project_ids
 
   depends_on = [aws_iam_role.application_role]
 }

terraform/variables.tf

@@ -337,3 +337,9 @@ variable "binance_host" {
   default     = ""
 }
 
+variable "pay_allowed_project_ids" {
+  description = "Allowed project ids for pay with exchange"
+  type        = string
+  sensitive   = false
+  default     = ""
+}