Merge 07de8bb into a6436d3

decentraland · Jun 17, 2024 · acee8e6 · acee8e6
2 parents a6436d3 + 07de8bb
commit acee8e6
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/src/entities/Auth/middleware.ts b/src/entities/Auth/middleware.ts
@@ -17,11 +17,18 @@ export function withChainHeader(options: AuthOptions = {}) {
   return middleware(
     async (req: Pick<Request, 'method' | 'baseUrl' | 'path' | 'headers'>) => {
       try {
-        const data = await verify(
+        const data = await verify<Record<string, string>>(
           req.method,
           req.baseUrl + req.path,
           req.headers
         )
+        if (
+          data.authMetadata &&
+          'signer' in data.authMetadata &&
+          data.authMetadata.signer === 'decentraland-kernel-scene'
+        ) {
+          throw new RequestError('Invalid signer', RequestError.BadRequest)
+        }
         Object.assign(req, data)
       } catch (err) {
         if (err.statusCode === 401) {

diff --git a/src/entities/Auth/routes/withDecentralandAuth.test.ts b/src/entities/Auth/routes/withDecentralandAuth.test.ts
@@ -43,6 +43,20 @@ describe(`withAuth`, () => {
     )
   })
 
+  test('should fail for requests with an invalid signer', async () => {
+    const logger = new Logger({}, { disabled: true })
+    const errors = jest.spyOn(logger, 'error')
+    errors.mockImplementation(() => null)
+    const request = signRequest(new Request('/'), {
+      identity,
+      metadata: { signer: 'decentraland-kernel-scene' },
+    })
+
+    await expect(() => withAuth({ request, logger })).rejects.toThrow(
+      'Invalid signer'
+    )
+  })
+
   test(`should return auth data for signed request`, async () => {
     const request = signRequest(new Request('/'), {
       identity,
@@ -83,6 +97,16 @@ describe(`withAuthOptional`, () => {
     expect(await withAuthOptional({ request, logger })).toBe(null)
   })
 
+  test('should return null for requests with an invalid signer', async () => {
+    const logger = new Logger({}, { disabled: true })
+    const request = signRequest(new Request('/'), {
+      identity,
+      metadata: { signer: 'decentraland-kernel-scene' },
+    })
+
+    expect(await withAuthOptional({ request, logger })).toBe(null)
+  })
+
   test(`should return auth data for signed request`, async () => {
     const request = signRequest(new Request('/'), {
       identity,

diff --git a/src/entities/Auth/routes/withDecentralandAuth.ts b/src/entities/Auth/routes/withDecentralandAuth.ts
@@ -5,6 +5,7 @@ import {
 import verify from 'decentraland-crypto-middleware/lib/verify'
 
 import globalLogger from '../../Development/logger'
+import RequestError from '../../Route/error'
 import Context from '../../Route/wkc/context/Context'
 import ErrorResponse from '../../Route/wkc/response/ErrorResponse'
 import Router from '../../Route/wkc/routes/Router'
@@ -55,7 +56,20 @@ function withDecentralandAuth(options: WithDecentralandAuthOptions = {}) {
       })
 
       try {
-        const data = await verify(method, path, headers, options)
+        const data = await verify<Record<string, string>>(
+          method,
+          path,
+          headers,
+          options
+        )
+
+        if (
+          data.authMetadata &&
+          'signer' in data.authMetadata &&
+          data.authMetadata.signer === 'decentraland-kernel-scene'
+        ) {
+          throw new RequestError('Invalid signer', RequestError.BadRequest)
+        }
 
         return {
           address: data.auth,