prysm-pulse/network/auth.go

package network

import (
	"net/http"
	"time"

	"github.com/golang-jwt/jwt/v4"
	"github.com/pkg/errors"
)

// DefaultRPCHTTPTimeout for HTTP requests via an RPC connection to an execution node.
const DefaultRPCHTTPTimeout = time.Second * 30

// This creates a custom HTTP transport which we can attach to our HTTP client
// in order to inject JWT auth strings into our HTTP request headers. Authentication
// is required when interacting with an Ethereum engine API server via HTTP, and JWT
// is chosen as the scheme of choice.
// For more details on the requirements of authentication when using the engine API, see
// the specification here: https://github.com/ethereum/execution-apis/blob/main/src/engine/authentication.md
//
// To use this transport, initialize a new &http.Client{} from the standard library
// and set the Transport field to &jwtTransport{} with values
// http.DefaultTransport and a JWT secret.
type jwtTransport struct {
	underlyingTransport http.RoundTripper
	jwtSecret           []byte
	jwtId               string
}

// RoundTrip ensures our transport implements http.RoundTripper interface from the
// standard library. When used as the transport for an HTTP client, the code below
// will run every time our client makes an HTTP request. This is used to inject
// an JWT bearer token in the Authorization request header of every outgoing request
// our HTTP client makes.
func (t *jwtTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	claims := jwt.MapClaims{
		// Required claim for engine API auth. "iat" stands for issued at
		// and it must be a unix timestamp that is +/- 5 seconds from the current
		// timestamp at the moment the server verifies this value.
		"iat": time.Now().Unix(),
	}
	if len(t.jwtId) > 0 {
		claims["id"] = t.jwtId
	}
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString(t.jwtSecret)
	if err != nil {
		return nil, errors.Wrap(err, "could not produce signed JWT token")
	}
	req.Header.Set("Authorization", "Bearer "+tokenString)
	return t.underlyingTransport.RoundTrip(req)
}
Set Auth Differently In Our Powchain Constructor (#10501) 2022-04-09 09:03:05 +00:00			`package network`
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00
			`import (`
			`"net/http"`
			`"time"`

			`"github.com/golang-jwt/jwt/v4"`
			`"github.com/pkg/errors"`
			`)`

Set Auth Differently In Our Powchain Constructor (#10501) 2022-04-09 09:03:05 +00:00			`// DefaultRPCHTTPTimeout for HTTP requests via an RPC connection to an execution node.`
Change Default Timeout To 30 Seconds (#11487) 2022-09-22 10:43:53 +00:00			`const DefaultRPCHTTPTimeout = time.Second * 30`
Set Auth Differently In Our Powchain Constructor (#10501) 2022-04-09 09:03:05 +00:00
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00			`// This creates a custom HTTP transport which we can attach to our HTTP client`
			`// in order to inject JWT auth strings into our HTTP request headers. Authentication`
			`// is required when interacting with an Ethereum engine API server via HTTP, and JWT`
			`// is chosen as the scheme of choice.`
			`// For more details on the requirements of authentication when using the engine API, see`
			`// the specification here: https://github.com/ethereum/execution-apis/blob/main/src/engine/authentication.md`
			`//`
			`// To use this transport, initialize a new &http.Client{} from the standard library`
			`// and set the Transport field to &jwtTransport{} with values`
			`// http.DefaultTransport and a JWT secret.`
			`type jwtTransport struct {`
			`underlyingTransport http.RoundTripper`
			`jwtSecret []byte`
Add `--jwt-id` flag (#13218) * add jwt-id flag * optimize unit test for jwt-id * Add jwt-id to help text * gofmt --------- Co-authored-by: Preston Van Loon <pvanloon@offchainlabs.com> 2023-12-05 19:02:25 +00:00			`jwtId string`
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00			`}`

			`// RoundTrip ensures our transport implements http.RoundTripper interface from the`
			`// standard library. When used as the transport for an HTTP client, the code below`
			`// will run every time our client makes an HTTP request. This is used to inject`
			`// an JWT bearer token in the Authorization request header of every outgoing request`
			`// our HTTP client makes.`
			`func (t jwtTransport) RoundTrip(req http.Request) (*http.Response, error) {`
Add `--jwt-id` flag (#13218) * add jwt-id flag * optimize unit test for jwt-id * Add jwt-id to help text * gofmt --------- Co-authored-by: Preston Van Loon <pvanloon@offchainlabs.com> 2023-12-05 19:02:25 +00:00			`claims := jwt.MapClaims{`
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00			`// Required claim for engine API auth. "iat" stands for issued at`
			`// and it must be a unix timestamp that is +/- 5 seconds from the current`
			`// timestamp at the moment the server verifies this value.`
			`"iat": time.Now().Unix(),`
Add `--jwt-id` flag (#13218) * add jwt-id flag * optimize unit test for jwt-id * Add jwt-id to help text * gofmt --------- Co-authored-by: Preston Van Loon <pvanloon@offchainlabs.com> 2023-12-05 19:02:25 +00:00			`}`
			`if len(t.jwtId) > 0 {`
			`claims["id"] = t.jwtId`
			`}`
			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00			`tokenString, err := token.SignedString(t.jwtSecret)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "could not produce signed JWT token")`
			`}`
			`req.Header.Set("Authorization", "Bearer "+tokenString)`
			`return t.underlyingTransport.RoundTrip(req)`
			`}`