Make client_id Dynamic (#3508)

Author: silva-fj

tee-worker/client-api/src/omni/interfaces/omniExecutor/definitions.ts

@@ -11,6 +11,7 @@ export default {
       task: "NativeTask",
       nonce: "Option<Nonce>",
       auth: "Option<OmniAuth>",
+      client_id: "String",
     },
     MrEnclave: "H256",
     NativeTask: {

tee-worker/omni-executor/client-sdk/packages/client-sdk/src/lib/type-creators/raw-task.ts

@@ -17,6 +17,7 @@ import { createOmniAuth, OmniAuthData } from './omni-auth';
  * @param data.nonce - Optional nonce value
  * @param data.authData - Optional authentication data
  * @param data.plain - Flag to return unencrypted raw task
+ * @param data.clientId - Client identifier for the task
  * @param {Enclave} enclaveInstance - The enclave instance use to interact with Enclave.
  * @returns Promise resolving to RawTask
  */
@@ -27,6 +28,7 @@ export async function createRawTaskType(
     nonce?: Index;
     authData?: OmniAuthData;
     plain: true;
+    clientId: string;
   },
   enclaveInstance?: Enclave,
 ): Promise<RawTask>;
@@ -50,6 +52,7 @@ export async function createRawTaskType(
     nonce?: Index;
     authData?: OmniAuthData;
     plain?: false;
+    clientId: string;
   },
   enclaveInstance?: Enclave,
 ): Promise<{ rawTask: RawTask, encryptionKey: CryptoKey }>;
@@ -90,16 +93,18 @@ export async function createRawTaskType(
     nonce?: Index;
     authData?: OmniAuthData;
     plain?: boolean;
+    clientId: string;
   },
   enclaveInstance: Enclave = enclave,
 ): Promise<RawTask | { rawTask: RawTask, encryptionKey: CryptoKey }> {
-  const { authData, task, nonce, plain = false } = data;
+  const { authData, task, nonce, plain = false, clientId } = data;
 
   const auth = authData ? createOmniAuth(api.registry, authData) : undefined;
   const wrappedTask = api.createType<NativeTaskWrapper>('NativeTaskWrapper', {
     task,
     nonce: api.createType('Option<Nonce>', nonce),
     auth: api.createType('Option<OmniAuth>', auth),
+    client_id: clientId,
   });
 
   if (plain) {

tee-worker/omni-executor/executor-core/src/native_task.rs

@@ -24,12 +24,13 @@ pub struct NativeTaskWrapper<T: NativeTaskTrait> {
 	pub task: T,
 	pub nonce: Option<Nonce>,
 	pub auth: Option<OmniAuth>,
+	pub client_id: String,
 }
 
 impl<T: NativeTaskTrait + Debug> NativeTaskWrapper<T> {
-	pub fn new(task: T, nonce: Option<Nonce>, auth: Option<OmniAuth>) -> Self {
+	pub fn new(task: T, nonce: Option<Nonce>, auth: Option<OmniAuth>, client_id: String) -> Self {
 		let id: String = Uuid::new_v4().into();
-		Self { id, task, nonce, auth }
+		Self { id, task, nonce, auth, client_id }
 	}
 }
 

tee-worker/omni-executor/native-task-handler/src/lib.rs

@@ -20,10 +20,7 @@ use executor_storage::{
 };
 use heima_authentication::{
 	auth_token::*,
-	constants::{
-		AUTH_TOKEN_ACCESS_TYPE, AUTH_TOKEN_EXPIRATION_DAYS, AUTH_TOKEN_ID_TYPE, CLIENT_ID_HEIMA,
-		CLIENT_ID_PUMPX,
-	},
+	constants::{AUTH_TOKEN_ACCESS_TYPE, AUTH_TOKEN_EXPIRATION_DAYS, AUTH_TOKEN_ID_TYPE},
 };
 use heima_identity_verification::{get_verification_message, web2, web3};
 use parentchain_api_interface::runtime_types::{
@@ -206,6 +203,7 @@ async fn handle_native_task<
 	};
 
 	let auth_type: Option<OmniAccountAuthType> = wrapper.auth.map(|t| t.into());
+	let client_id = &wrapper.client_id;
 
 	let (response_sender, tx) = match wrapper.task {
 		NativeTask::RequestAuthToken(sender) => {
@@ -236,14 +234,14 @@ async fn handle_native_task<
 					AuthTokenClaims::new(
 						email.to_string(),
 						AUTH_TOKEN_ID_TYPE.to_string(),
-						CLIENT_ID_HEIMA.to_string(),
+						client_id.to_string(),
 						auth_options,
 					)
 				},
 				_ => AuthTokenClaims::new(
 					sender.hash().to_string(),
 					AUTH_TOKEN_ID_TYPE.to_string(),
-					CLIENT_ID_HEIMA.to_string(),
+					client_id.to_string(),
 					auth_options,
 				),
 			};
@@ -275,8 +273,7 @@ async fn handle_native_task<
 			return;
 		},
 		NativeTask::RequestIntent(sender, intent_id, intent) => {
-			// TODO: fix this as part of P-1560
-			let omni_account = sender.to_omni_account_with_client_id(CLIENT_ID_HEIMA);
+			let omni_account = sender.to_omni_account_with_client_id(client_id);
 
 			debug!("Intent requested");
 
@@ -622,12 +619,12 @@ async fn handle_native_task<
 
 			debug!("get_account_user_id ok, email: {}, user_id: {}", email, user_id);
 			let omni_account = Identity::from_web2_account(&user_id, Web2IdentityType::Pumpx)
-				.to_omni_account_with_client_id(CLIENT_ID_PUMPX);
+				.to_omni_account_with_client_id(client_id);
 
 			let access_token_claims = AuthTokenClaims::new(
 				omni_account.to_hex(),
 				AUTH_TOKEN_ACCESS_TYPE.to_string(),
-				CLIENT_ID_PUMPX.to_string(),
+				client_id.to_string(),
 				auth_options.clone(),
 			);
 			let Ok(access_token) = jwt::create(&access_token_claims, &ctx.jwt_rsa_private_key)
@@ -675,7 +672,7 @@ async fn handle_native_task<
 			let id_token_claims = AuthTokenClaims::new(
 				omni_account.to_hex(),
 				AUTH_TOKEN_ID_TYPE.to_string(),
-				CLIENT_ID_PUMPX.to_string(),
+				client_id.to_string(),
 				auth_options,
 			);
 			let Ok(id_token) = jwt::create(&id_token_claims, &ctx.jwt_rsa_private_key) else {
@@ -713,10 +710,9 @@ async fn handle_native_task<
 			expected_wallet_address,
 		) => {
 			let storage = HeimaJwtStorage::new(ctx.storage_db.clone());
-			let Ok(Some(access_token)) = storage.get(&(
-				sender.to_omni_account_with_client_id(CLIENT_ID_PUMPX),
-				AUTH_TOKEN_ACCESS_TYPE,
-			)) else {
+			let Ok(Some(access_token)) = storage
+				.get(&(sender.to_omni_account_with_client_id(client_id), AUTH_TOKEN_ACCESS_TYPE))
+			else {
 				send_error(
 					format!("Failed to get pumpx_{}_jwt_token", AUTH_TOKEN_ACCESS_TYPE),
 					response_sender,
@@ -755,7 +751,7 @@ async fn handle_native_task<
 				.export_wallet(
 					chain,
 					pumpx_wallet_index,
-					sender.to_omni_account_with_client_id(CLIENT_ID_PUMPX).into(),
+					sender.to_omni_account_with_client_id(client_id).into(),
 					// TODO: theoretically we could pass the aes_key from initial RPC to signer, so that
 					//       we don't have to do double encryption/decryption
 					ctx.aes256_key.to_vec(),
@@ -780,8 +776,8 @@ async fn handle_native_task<
 			};
 
 			let omni_account_profile_storage = PumpxProfileStorage::new(ctx.storage_db.clone());
-			if let Ok(maybe_profile) = omni_account_profile_storage
-				.get(&sender.to_omni_account_with_client_id(CLIENT_ID_PUMPX))
+			if let Ok(maybe_profile) =
+				omni_account_profile_storage.get(&sender.to_omni_account_with_client_id(client_id))
 			{
 				let profile = maybe_profile
 					.map(|mut p| {
@@ -790,7 +786,7 @@ async fn handle_native_task<
 					})
 					.unwrap_or_else(|| PumpxAccountProfile { wallet_exported: true });
 				if let Err(e) = omni_account_profile_storage
-					.insert(&sender.to_omni_account_with_client_id(CLIENT_ID_PUMPX), profile)
+					.insert(&sender.to_omni_account_with_client_id(client_id), profile)
 				{
 					error!("Failed to update pumpx account profile: {:?}", e);
 					send_error(
@@ -813,10 +809,9 @@ async fn handle_native_task<
 		},
 		NativeTask::PumpxAddWallet(sender) => {
 			let storage = HeimaJwtStorage::new(ctx.storage_db.clone());
-			let Ok(Some(access_token)) = storage.get(&(
-				sender.to_omni_account_with_client_id(CLIENT_ID_PUMPX),
-				AUTH_TOKEN_ACCESS_TYPE,
-			)) else {
+			let Ok(Some(access_token)) = storage
+				.get(&(sender.to_omni_account_with_client_id(client_id), AUTH_TOKEN_ACCESS_TYPE))
+			else {
 				send_error(
 					format!("Failed to get pumpx_{}_jwt_token", AUTH_TOKEN_ACCESS_TYPE),
 					response_sender,
@@ -891,10 +886,9 @@ async fn handle_native_task<
 		) => {
 			// 1. Verify we have a valid Pumpx "access" token for the user
 			let storage = HeimaJwtStorage::new(ctx.storage_db.clone());
-			let Ok(Some(access_token)) = storage.get(&(
-				sender.to_omni_account_with_client_id(CLIENT_ID_PUMPX),
-				AUTH_TOKEN_ACCESS_TYPE,
-			)) else {
+			let Ok(Some(access_token)) = storage
+				.get(&(sender.to_omni_account_with_client_id(client_id), AUTH_TOKEN_ACCESS_TYPE))
+			else {
 				send_error(
 					"Failed to get access_token within NativeTask::PumpxTransferWidthdraw"
 						.to_string(),

tee-worker/omni-executor/rpc-server/src/methods/omni/add_wallet.rs

@@ -23,17 +23,17 @@ pub struct RPCAddWalletResponse {
 	pub backend_response: AddWalletResponse,
 }
 
-impl From<AddWalletParams> for NativeTaskWrapper<NativeTask> {
-	fn from(p: AddWalletParams) -> Self {
-		let sender = Identity::from_web2_account(p.user_email.as_str(), Web2IdentityType::Email);
-		NativeTaskWrapper::new(NativeTask::PumpxAddWallet(sender.clone()), None, None)
+impl AddWalletParams {
+	pub fn into_native_task_wrapper(self, client_id: String) -> NativeTaskWrapper<NativeTask> {
+		let sender = Identity::from_web2_account(self.user_email.as_str(), Web2IdentityType::Email);
+		NativeTaskWrapper::new(NativeTask::PumpxAddWallet(sender.clone()), None, None, client_id)
 	}
 }
 
 pub fn register_add_wallet(module: &mut RpcModule<RpcContext>) {
 	module
 		.register_async_method("omni_addWallet", |params, ctx, ext| async move {
-			check_auth(&ext).map_err(|e| {
+			let user = check_auth(&ext).map_err(|e| {
 				error!("Authentication check failed: {:?}", e);
 				PumpxRpcError::from_error_code(ErrorCode::ServerError(
 					AUTH_VERIFICATION_FAILED_CODE,
@@ -46,7 +46,7 @@ pub fn register_add_wallet(module: &mut RpcModule<RpcContext>) {
 
 			debug!("Received omni_addWallet, user_email: {}", params.user_email);
 
-			let wrapper: NativeTaskWrapper<NativeTask> = params.into();
+			let wrapper = params.into_native_task_wrapper(user.client_id);
 
 			handle_omni_native_task(&ctx, wrapper, |task_ok| match task_ok {
 				NativeTaskOk::PumpxAddWallet(response) => {

tee-worker/omni-executor/rpc-server/src/methods/omni/common.rs

@@ -124,6 +124,7 @@ where
 
 pub struct User {
 	pub omni_account: String,
+	pub client_id: String,
 }
 
 /// This is used to verify that the request is authenticated.
@@ -132,7 +133,10 @@ pub struct User {
 /// Check rpc_middleware.rs
 pub fn check_auth(ext: &Extensions) -> Result<User, ()> {
 	if let Some(rpc_extensions) = ext.get::<RpcExtensions>() {
-		return Ok(User { omni_account: rpc_extensions.sender.clone() });
+		return Ok(User {
+			omni_account: rpc_extensions.sender.clone(),
+			client_id: rpc_extensions.client_id.clone(),
+		});
 	}
 	Err(())
 }

tee-worker/omni-executor/rpc-server/src/methods/omni/export_wallet.rs

@@ -17,8 +17,8 @@ use super::common::handle_omni_native_task;
 
 #[derive(Debug, Deserialize)]
 pub struct ExportWalletParams {
-	pub user_email: String,
 	pub client_id: String,
+	pub user_email: String,
 	pub key: Bytes, // RSA-encrypted AES key to encrypt the wallet private key, in 0x-hex-string
 	pub google_code: String,
 	pub chain_id: PumpxChainId,
@@ -27,25 +27,25 @@ pub struct ExportWalletParams {
 	pub email_code: String,
 }
 
-impl From<ExportWalletParams> for NativeTaskWrapper<NativeTask> {
-	fn from(p: ExportWalletParams) -> Self {
+impl ExportWalletParams {
+	pub fn into_native_task_wrapper(self) -> NativeTaskWrapper<NativeTask> {
 		NativeTaskWrapper::new(
 			NativeTask::PumpxExportWallet(
-				Identity::from_web2_account(p.user_email.as_str(), Web2IdentityType::Pumpx),
-				p.google_code,
-				p.chain_id,
-				p.wallet_index,
-				p.wallet_address,
+				Identity::from_web2_account(self.user_email.as_str(), Web2IdentityType::Pumpx),
+				self.google_code,
+				self.chain_id,
+				self.wallet_index,
+				self.wallet_address,
 			),
 			None,
-			Some(OmniAuth::Email(p.client_id.clone(), p.user_email, p.email_code)),
+			Some(OmniAuth::Email(self.client_id.clone(), self.user_email, self.email_code)),
+			self.client_id,
 		)
 	}
 }
 
 pub fn register_export_wallet(module: &mut RpcModule<RpcContext>) {
-	module
-		.register_async_method("omni_exportWallet", |params, ctx, _| async move {
+	module        .register_async_method("omni_exportWallet", |params, ctx, _ext| async move {
 			let params = params.parse::<ExportWalletParams>().map_err(|e| {
 				error!("Failed to parse params: {:?}", e);
 				PumpxRpcError::from_error_code(ErrorCode::ParseError)
@@ -72,7 +72,7 @@ pub fn register_export_wallet(module: &mut RpcModule<RpcContext>) {
 				)
 			})?;
 
-			let wrapper: NativeTaskWrapper<NativeTask> = params.into();
+			let wrapper = params.into_native_task_wrapper();
 
 			if wrapper.task.require_auth() {
 				let Some(ref auth) = wrapper.auth else {

tee-worker/omni-executor/rpc-server/src/methods/omni/notify_limit_order_result.rs

@@ -49,6 +49,7 @@ pub fn register_notify_limit_order_result(module: &mut RpcModule<RpcContext>) {
 				),
 				None,
 				None,
+				user.client_id,
 			);
 
 			handle_omni_native_task(&ctx, wrapper, |task_ok| match task_ok {

tee-worker/omni-executor/rpc-server/src/methods/omni/request_jwt.rs

@@ -15,8 +15,8 @@ use super::common::{check_omni_api_response, handle_omni_native_task};
 
 #[derive(Debug, Deserialize)]
 pub struct RequestJwtParams {
-	pub user_email: String,
 	pub client_id: String,
+	pub user_email: String,
 	pub invite_code: Option<String>,
 	pub google_code: String,
 	pub language: Option<String>,
@@ -30,33 +30,37 @@ pub struct RequestJwtResponse {
 	pub backend_response: UserConnectResponse,
 }
 
-impl From<RequestJwtParams> for NativeTaskWrapper<NativeTask> {
-	fn from(p: RequestJwtParams) -> Self {
+impl RequestJwtParams {
+	pub fn into_native_task_wrapper(self) -> NativeTaskWrapper<NativeTask> {
 		NativeTaskWrapper::new(
 			NativeTask::PumpxRequestJwt(
-				Identity::from_web2_account(p.user_email.as_str(), Web2IdentityType::Email), // actually unused
-				p.user_email.clone(),
-				p.invite_code,
-				p.google_code,
-				p.language,
+				Identity::from_web2_account(self.user_email.as_str(), Web2IdentityType::Email), // actually unused
+				self.user_email.clone(),
+				self.invite_code,
+				self.google_code,
+				self.language,
 			),
 			None,
-			Some(OmniAuth::Email(p.client_id.clone(), p.user_email, p.email_code)),
+			Some(OmniAuth::Email(self.client_id.clone(), self.user_email, self.email_code)),
+			self.client_id,
 		)
 	}
 }
 
 pub fn register_request_jwt(module: &mut RpcModule<RpcContext>) {
 	module
-		.register_async_method("omni_requestJwt", |params, ctx, _| async move {
+		.register_async_method("omni_requestJwt", |params, ctx, _ext| async move {
 			let params = params.parse::<RequestJwtParams>().map_err(|e| {
 				error!("Failed to parse params: {:?}", e);
 				PumpxRpcError::from_error_code(ErrorCode::ParseError)
 			})?;
 
-			debug!("Received omni_requestJwt, user_email: {}", params.user_email);
+			debug!(
+				"Received omni_requestJwt, user_email: {}, client_id: {}",
+				params.user_email, params.client_id
+			);
 
-			let wrapper: NativeTaskWrapper<NativeTask> = params.into();
+			let wrapper = params.into_native_task_wrapper();
 
 			if wrapper.task.require_auth() {
 				let Some(ref auth) = wrapper.auth else {

tee-worker/omni-executor/rpc-server/src/methods/omni/sign_limit_order.rs

@@ -83,6 +83,7 @@ pub fn register_sign_limit_order_params(module: &mut RpcModule<RpcContext>) {
 				),
 				None,
 				None,
+				user.client_id,
 			);
 
 			handle_omni_native_task(&ctx, wrapper, |task_ok| match task_ok {