fix: use bearer token format

primev · Jul 12, 2024 · 3154474 · 3154474
1 parent d98aee6
commit 3154474
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 13 deletions.
diff --git a/infrastructure/nomad/playbooks/templates/jobs/mev-commit-oracle.nomad.j2 b/infrastructure/nomad/playbooks/templates/jobs/mev-commit-oracle.nomad.j2
@@ -173,7 +173,7 @@ job "{{ job.name }}" {
           MEV_ORACLE_KEYSTORE_PATH="/local/data-{{ env "NOMAD_ALLOC_INDEX" }}/keystore"
           MEV_ORACLE_KEYSTORE_FILENAME="{{ with secret "secret/data/mev-commit" }}{{ .Data.data.{% endraw %}{{ job.artifacts | selectattr('keystore', 'defined') | map(attribute='keystore.name') | first }}{% raw %}_filename }}{{ end }}"
           MEV_ORACLE_KEYSTORE_PASSWORD="{{ with secret "secret/data/mev-commit" }}{{ .Data.data.{% endraw %}{{ job.artifacts | selectattr('keystore', 'defined') | map(attribute='keystore.name') | first }}{% raw %}_password }}{{ end }}"
-          MEV_ORACLE_REGISTRATION_PASSWORD="{{ with secret "secret/data/mev-commit" }}{{ .Data.data.registration_password }}{{ end }}"
+          MEV_ORACLE_REGISTER_PROVIDER_API_AUTH_TOKEN="{{ with secret "secret/data/mev-commit" }}{{ .Data.data.register_provider_auth_token }}{{ end }}"
           {{- range nomadService "mev-commit-oracle" }}
             {{- if contains "http" .Tags }}
           MEV_ORACLE_HTTP_PORT="{{ .Port }}"

diff --git a/oracle/cmd/main.go b/oracle/cmd/main.go
@@ -211,10 +211,10 @@ var (
 		Value:   filepath.Join(defaultConfigDir, defaultKeystore),
 	})
 
-	optionRegistrationPassword = altsrc.NewStringFlag(&cli.StringFlag{
-		Name:     "registration-password",
-		Usage:    "password for registration",
-		EnvVars:  []string{"MEV_ORACLE_REGISTRATION_PASSWORD"},
+	optionRegistrationAuthToken = altsrc.NewStringFlag(&cli.StringFlag{
+		Name:     "register-provider-auth-token",
+		Usage:    "Authorization token for provider registration",
+		EnvVars:  []string{"MEV_ORACLE_REGISTER_PROVIDER_API_AUTH_TOKEN"},
 		Required: true,
 	})
 )
@@ -244,7 +244,7 @@ func main() {
 		optionOverrideWinners,
 		optionKeystorePath,
 		optionKeystorePassword,
-		optionRegistrationPassword,
+		optionRegistrationAuthToken,
 	}
 	app := &cli.App{
 		Name:  "mev-oracle",
@@ -330,7 +330,7 @@ func launchOracleWithConfig(c *cli.Context) error {
 		PgDbname:                     c.String(optionPgDbname.Name),
 		LaggerdMode:                  c.Int(optionLaggerdMode.Name),
 		OverrideWinners:              c.StringSlice(optionOverrideWinners.Name),
-		RegistrationPassword:         c.String(optionRegistrationPassword.Name),
+		RegistrationAuthToken:        c.String(optionRegistrationAuthToken.Name),
 	})
 	if err != nil {
 		return fmt.Errorf("failed starting node: %w", err)

diff --git a/oracle/pkg/apiserver/apiserver.go b/oracle/pkg/apiserver/apiserver.go
@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
+	"strings"
 	"sync"
 	"time"
 
@@ -57,7 +58,7 @@ func New(
 	logger *slog.Logger,
 	evm events.EventManager,
 	store Store,
-	password string,
+	token string,
 	blockTracker *blocktracker.BlocktrackerTransactorSession,
 	providerRegistry *providerregistry.ProviderregistryCallerSession,
 	monitor *txmonitor.Monitor,
@@ -86,20 +87,33 @@ func New(
 		logger.Error("failed to configure dashboard", "error", err)
 	}
 
-	srv.router.Handle("/register_provider", srv.registerProvider(password))
+	srv.router.Handle("/register_provider", srv.registerProvider(token))
 
 	srv.registerDebugEndpoints()
 	return srv
 }
 
-func (s *Service) registerProvider(password string) http.Handler {
+func (s *Service) registerProvider(token string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPost {
 			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 			return
 		}
 
-		if r.Header.Get("X-Registration-Password") != password {
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			http.Error(w, "Authorization header missing", http.StatusUnauthorized)
+			return
+		}
+
+		// Expected format "Bearer <token>"
+		splitToken := strings.Split(authHeader, " ")
+		if len(splitToken) != 2 || splitToken[0] != "Bearer" {
+			http.Error(w, "Invalid Authorization header format", http.StatusUnauthorized)
+			return
+		}
+
+		if splitToken[1] != token {
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}

diff --git a/oracle/pkg/node/node.go b/oracle/pkg/node/node.go
@@ -57,7 +57,7 @@ type Options struct {
 	PgDbname                     string
 	LaggerdMode                  int
 	OverrideWinners              []string
-	RegistrationPassword         string
+	RegistrationAuthToken        string
 }
 
 type Node struct {
@@ -271,7 +271,7 @@ func NewNode(opts *Options) (*Node, error) {
 		nd.logger.With("component", "apiserver"),
 		evtMgr,
 		st,
-		opts.RegistrationPassword,
+		opts.RegistrationAuthToken,
 		blockTrackerTransactor,
 		providerRegistryCaller,
 		monitor,