core: gateway client authn precheck

This is done by KGW returns extra domain/chainID/version info that it uses for composing message and verify signature. gateway client here will check if those are same before do the signing.
kwilteam · Apr 19, 2024 · 577f5e4 · 577f5e4
1 parent bf17e52
commit 577f5e4
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/core/gatewayclient/client.go b/core/gatewayclient/client.go
@@ -157,7 +157,27 @@ func (c *GatewayClient) authenticate(ctx context.Context) error {
 		return fmt.Errorf("join path: %w", err)
 	}
 
-	msg := composeGatewayAuthMessage(authParam, c.target.String(), authURI, kgwAuthVersion, c.Client.ChainID())
+	// remove trailing slash, avoid the confusing case like "http://example.com/" != "http://example.com"
+	// This is also done in the kgw, https://github.com/kwilteam/kgw/pull/42
+	targetDomain := strings.TrimSuffix(c.target.String(), "/")
+	// backward compatibility if the Domain is not returned by the gateway
+	// Those fields are returned from kgw in https://github.com/kwilteam/kgw/pull/40
+	if authParam.Domain != "" && authParam.Domain != targetDomain {
+		return fmt.Errorf("domain mismatch: configured '%s' != remote %s",
+			targetDomain, authParam.Domain)
+	}
+
+	if authParam.ChainID != "" && authParam.ChainID != c.Client.ChainID() {
+		return fmt.Errorf("chain ID mismatch: configured '%s' !=  remote '%s'",
+			c.Client.ChainID(), authParam.ChainID)
+	}
+
+	if authParam.Version != "" && authParam.Version != kgwAuthVersion {
+		return fmt.Errorf("authn version mismatch: configured '%s' != remote '%s'",
+			kgwAuthVersion, authParam.Version)
+	}
+
+	msg := composeGatewayAuthMessage(authParam, targetDomain, authURI, kgwAuthVersion, c.Client.ChainID())
 
 	if c.Signer == nil {
 		return fmt.Errorf("cannot authenticate to gateway without a signer")

diff --git a/core/types/gateway/gateway.go b/core/types/gateway/gateway.go
@@ -18,4 +18,9 @@ type GatewayAuthParameter struct {
 	Statement      string `json:"statement"` // optional
 	IssueAt        string `json:"issue_at"`
 	ExpirationTime string `json:"expiration_time"`
+	// client can use those to precheck before signing
+	ChainID string `json:"chain_id"` // the chain id of the gateway
+	Domain  string `json:"domain"`   // the domain of the gateway
+	Version string `json:"version"`  // the authn version used by the gateway
+	URI     string `json:"uri"`      // the endpoint used for authn
 }