From ef0d84c934dae5e6874529ac26d9345757f54793 Mon Sep 17 00:00:00 2001
From: Garvit Khatri
Date: Fri, 22 Nov 2024 17:43:16 +0530
Subject: [PATCH 1/2] Add security page
---
 .../platform/security/protect-api-keys.mdx | 120 ++++++++++++++++++
 vocs.config.tsx | 10 ++
 2 files changed, 130 insertions(+)
 create mode 100644 docs/pages/infra/platform/security/protect-api-keys.mdx
diff --git a/docs/pages/infra/platform/security/protect-api-keys.mdx b/docs/pages/infra/platform/security/protect-api-keys.mdx
new file mode 100644
index 0000000..c15d263
--- /dev/null
+++ b/docs/pages/infra/platform/security/protect-api-keys.mdx
@@ -0,0 +1,120 @@
+# How to Protect Your API Keys
+
+Keeping your API keys secure is essential. Here are two main ways to protect them:
+
+- Restrict access to your API keys.
+- Use a proxy server to handle requests to Pimlico.
+
+## Restrict Access to Your API Keys
+
+You can limit how your API keys are used by modifying their permissions on the [API Keys page](https://dashboard.pimlico.io/apikeys). Restrictions can include:
+
+- **IP addresses:** Specify which IPs are allowed to make requests.
+- **User agents:** Limit access to specific browsers, SDK versions, or other user agents.
+- **Origins:** Define which domains are permitted to make requests.
+
+Additionally, you can enable or disable specific API features for each key, such as:
+
+- Bundler methods.
+- Paymaster methods.
+- Account APIs.
+
+## Use a Proxy Server
+
+You can create a proxy server to handle requests to Pimlico. This way, you can have custom authentication, rate limiting, and other features before forwarding requests to Pimlico.
+
+Here's an example of how you can create a proxy server for `fastify` and `express`:
+
+::::code-group
+
+```typescript [fastify.ts]
+import Fastify from 'fastify'
+import proxy from '@fastify/http-proxy'
+
+const fastify = Fastify({ logger: true })
+const PIMLICO_API_KEY = process.env.PIMLICO_API_KEY
+
+// Middleware to check authentication
+fastify.addHook('preHandler', async (request, reply) => {
+ const authHeader = request.headers.authorization
+
+ if (!authHeader || !isValidAuth(authHeader)) {
+ reply.code(401).send({ error: 'Unauthorized' })
+ }
+})
+
+// Setup proxy to Pimlico API
+fastify.register(proxy, {
+ upstream: `https://api.pimlico.io/v2/137/rpc?apikey=${PIMLICO_API_KEY}`,
+ prefix: '/api/proxy', // Optional: prefix all routes with /api/proxy
+ rewriteRequestHeaders: (req, headers) => ({
+ ...headers,
+ })
+})
+
+// Start server
+fastify.listen({ port: 3000 }, (err) => {
+ if (err) {
+ fastify.log.error(err)
+ process.exit(1)
+ }
+})
+
+// Helper function to validate auth
+function isValidAuth(authHeader: string): boolean {
+ // Implement your authentication logic here
+ return true
+}
+
+```
+
+```typescript [express.ts]
+import express from 'express';
+import { createProxyMiddleware } from 'http-proxy-middleware';
+
+const app = express();
+const PIMLICO_API_KEY = process.env.PIMLICO_API_KEY;
+const targetUrl = `https://api.pimlico.io/v2/137/rpc?apikey=${PIMLICO_API_KEY}`;
+
+
+// Middleware to check authentication
+app.use((req, res, next) => {
+ const authHeader = req.headers.authorization;
+
+ if (!authHeader || !isValidAuth(authHeader)) {
+ return res.status(401).json({ error: 'Unauthorized' });
+ }
+ next();
+});
+
+// Setup proxy to Pimlico API
+app.use('/api/proxy', createProxyMiddleware({
+ target: targetUrl,
+ changeOrigin: true,
+ pathRewrite: {
+ '^/proxy': '', // Remove '/proxy' from the path
+ },
+ onProxyReq: (proxyReq, req) => {
+ // Ensure JSON content type if necessary
+ proxyReq.setHeader('Content-Type', 'application/json');
+ },
+ }));
+
+// Start server
+app.listen(3000, (err) => {
+ if (err) {
+ console.error(err);
+ process.exit(1);
+ }
+ console.log('Server is running on port 3000');
+});
+
+// Helper function to validate auth
+function isValidAuth(authHeader: string): boolean {
+ // Implement your authentication logic here
+ return true;
+}
+
+```
+
+::::
diff --git a/vocs.config.tsx b/vocs.config.tsx
index 4c6649a..4f4dfee 100644
--- a/vocs.config.tsx
+++ b/vocs.config.tsx
@@ -1,6 +1,7 @@
 import { defineConfig } from "vocs"
 import viteConfig from "./utils"
 import { link } from "fs"
+import { text } from "stream/consumers"
 
 export const platformSidebar = [
 {
@@ -45,6 +46,15 @@ export const platformSidebar = [
 },
 ],
 },
+ {
+ text: "Security",
+ items: [
+ {
+ text: "How to protect your API keys",
+ link: "/infra/platform/security/protect-api-keys",
+ },
+ ],
+ },
 {
 text: "Debugging",
 items: [
From 34c0056f9976cbe52970245f44ad30e8d5219b77 Mon Sep 17 00:00:00 2001
From: Garvit Khatri
Date: Fri, 22 Nov 2024 18:01:22 +0530
Subject: [PATCH 2/2] fix docs
---
 docs/pages/infra/platform/security/protect-api-keys.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/pages/infra/platform/security/protect-api-keys.mdx b/docs/pages/infra/platform/security/protect-api-keys.mdx
index c15d263..e2249aa 100644
--- a/docs/pages/infra/platform/security/protect-api-keys.mdx
+++ b/docs/pages/infra/platform/security/protect-api-keys.mdx
@@ -46,7 +46,7 @@ fastify.addHook('preHandler', async (request, reply) => {
 // Setup proxy to Pimlico API
 fastify.register(proxy, {
 upstream: `https://api.pimlico.io/v2/137/rpc?apikey=${PIMLICO_API_KEY}`,
- prefix: '/api/proxy', // Optional: prefix all routes with /api/proxy
+ prefix: '/api/proxy',
 rewriteRequestHeaders: (req, headers) => ({
 ...headers,
 })
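Review bot: The Fastify auth hook in the new page sends the 401 but never returns the reply, and as far as I recall Fastify's async-hook rules, the request lifecycle then continues past the hook, so an unauthenticated request can still be forwarded to the upstream that carries the real `PIMLICO_API_KEY`; the fix is `return reply.code(401).send({ error: 'Unauthorized' })`, and it is worth a quick test that an unauthenticated request to `/api/proxy` really stops at the hook. Both `isValidAuth` stubs also `return true`, so anyone who copies either sample as-is ships an open proxy in front of their key; a fail-closed placeholder such as `throw new Error('isValidAuth is not implemented')` with the comment `// TODO: replace with real auth — this must fail closed` is the safer thing to put in a security guide. Neither sample checks that `PIMLICO_API_KEY` is set, so an unset variable silently produces `?apikey=undefined` in the upstream URL; a one-line startup guard (`if (!PIMLICO_API_KEY) throw new Error('PIMLICO_API_KEY is not set')`) would surface that immediately.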
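Review bot: `import { text } from "stream/consumers"` in vocs.config.tsx is never used anywhere in the hunk and looks like an editor auto-import triggered by typing the `text:` keys of the new sidebar entry; it pulls a Node stream helper into a docs-site config for no reason and should be dropped. The neighbouring `import { link } from "fs"` has the same shape, but it is pre-existing and not part of this change.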
@@ -92,10 +92,10 @@ app.use('/api/proxy', createProxyMiddleware({
 target: targetUrl,
 changeOrigin: true,
 pathRewrite: {
- '^/proxy': '', // Remove '/proxy' from the path
+ '^/api/proxy': '', // Remove '/proxy' from the path
 },
 onProxyReq: (proxyReq, req) => {
- // Ensure JSON content type if necessary
+ // Ensure JSON content type
 proxyReq.setHeader('Content-Type', 'application/json');
 },
 }));
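Review bot: The rewrite pattern was changed to `'^/api/proxy'` but its trailing comment still says `// Remove '/proxy' from the path`, so the line now documents something it no longer does; `'^/api/proxy': '', // Strip the mount prefix so upstream receives the bare RPC path` keeps comment and code in agreement. Whether the pattern should include the mount path at all depends on the http-proxy-middleware version in use — Express strips the `app.use` mount path from `req.url`, and some versions rewrite against that stripped path, in which case `'^/api/proxy'` never matches and the prefix is forwarded upstream; worth verifying against the pinned version before publishing. The enclosing `app.use('/api/proxy', …)` call starts before this hunk.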