Remove the need to include sender for jwt authentication (#3476)

* feat: remove sender requirement from JWT authentication

- Simplified OmniAuth::AuthToken enum variant to only accept JWT token
- Removed OmniAccount parameter from AuthToken constructor calls
- Updated all RPC method implementations to use simplified AuthToken
- Removed unused OmniAccount type definition
- Cleaned up imports removing ToHexPrefixed where no longer needed

This change streamlines JWT authentication by extracting sender
information directly from the JWT token rather than requiring it
as a separate parameter, reducing potential inconsistencies and
simplifying the API surface.

* feat: remove subject validation from JWT auth tokens

This change streamlines JWT validation by removing the redundant
subject check, as the subject information is already embedded
within the token claims and doesn't need separate validation.

* feat: extract account ID from JWT claims instead of parameters

Remove the need to pass omni_account as a separate parameter to JWT
authentication. The account ID is now extracted directly from the JWT
token's subject claim, improving security and reducing parameter
coupling.

* refactor: centralize JWT auth and extract account from token

Replace duplicated JWT validation code with centralized
verify_auth_token_authentication function. Account ID is now extracted
directly from JWT token claims instead of being passed as separate
parameter, improving security and reducing code duplication.

* updating ts definitions

---------

Co-authored-by: Kai <7630809+Kailai-Wang@users.noreply.github.com>

Author: silva-fj

tee-worker/client-api/src/omni/interfaces/omniExecutor/definitions.ts

@@ -44,7 +44,7 @@ export default {
       _enum: {
         Web3: "(Identity, HeimaMultiSignature)",
         Email: "(Text, Text)",
-        AuthToken: "(Text, Text)",
+        AuthToken: "(Text)",
         OAuth2: "(Identity, OAuth2Data)",
       },
     },

tee-worker/omni-executor/executor-primitives/src/auth.rs

@@ -6,7 +6,6 @@ use serde::{Deserialize, Serialize};
 
 pub type VerificationCode = String;
 type Email = String;
-type OmniAccount = String;
 type JwtToken = String;
 
 /// A serializable representation of Identity for JSON interchange.
@@ -89,15 +88,15 @@ impl TryFrom<IdentitySerde> for Identity {
 pub enum OmniAuth {
 	Web3(Identity, HeimaMultiSignature), // (Signer, Signature)
 	Email(Email, VerificationCode),
-	AuthToken(OmniAccount, JwtToken),
+	AuthToken(JwtToken),
 	OAuth2(Identity, OAuth2Data), // (Sender, OAuth2Data)
 }
 
 #[derive(Deserialize)]
 pub enum OmniAuthSerde {
 	Web3(IdentitySerde, HeimaMultiSignature),
 	Email(Email, VerificationCode),
-	AuthToken(OmniAccount, JwtToken),
+	AuthToken(JwtToken),
 	OAuth2(IdentitySerde, OAuth2Data),
 }
 

tee-worker/omni-executor/heima/authentication/src/auth_token.rs

@@ -37,20 +37,16 @@ impl AuthTokenClaims {
 }
 
 pub struct Validation {
-	pub sub: String,
 	pub typ: String,
 	pub skip_exp_check: bool,
 }
 
 impl Validation {
-	pub fn new(sub: String, typ: String, skip_exp_check: bool) -> Self {
-		Self { sub, typ, skip_exp_check }
+	pub fn new(typ: String, skip_exp_check: bool) -> Self {
+		Self { typ, skip_exp_check }
 	}
 
 	pub fn validate(&self, claims: &AuthTokenClaims) -> Result<(), Error> {
-		if self.sub != claims.sub {
-			return Err(Error::JwtError(jwt::ErrorKind::InvalidSubject));
-		}
 		if self.typ != claims.typ {
 			return Err(Error::JwtError(jwt::ErrorKind::InvalidToken));
 		}
@@ -144,8 +140,7 @@ mod tests {
 		);
 		let token = jwt::create(&claims, private_key.as_bytes()).unwrap();
 
-		let validation =
-			Validation::new(omni_account.to_hex(), AUTH_TOKEN_ID_TYPE.to_string(), false);
+		let validation = Validation::new(AUTH_TOKEN_ID_TYPE.to_string(), false);
 		let result = token.validate(private_key.as_bytes(), validation);
 
 		assert_eq!(result, Ok(claims));
@@ -168,8 +163,7 @@ mod tests {
 		);
 		let token = jwt::create(&claims, private_key.as_bytes()).unwrap();
 
-		let validation =
-			Validation::new(omni_account.to_hex(), AUTH_TOKEN_ID_TYPE.to_string(), false);
+		let validation = Validation::new(AUTH_TOKEN_ID_TYPE.to_string(), false);
 		let result = token.validate(private_key.as_bytes(), validation);
 
 		assert_eq!(result, Err(Error::JwtError(jwt::ErrorKind::ExpiredSignature)));
@@ -191,41 +185,14 @@ mod tests {
 			TestAuthTokenNoSubClaims { typ: AUTH_TOKEN_ID_TYPE.to_string(), exp: expires_at };
 		let token = jwt::create(&claims, private_key.as_bytes()).unwrap();
 
-		let validation =
-			Validation::new("test-subject".to_string(), AUTH_TOKEN_ID_TYPE.to_string(), false);
+		let validation = Validation::new(AUTH_TOKEN_ID_TYPE.to_string(), false);
 		let result = token.validate(private_key.as_bytes(), validation);
 		let Err(Error::JwtError(jwt::ErrorKind::Json(e))) = result else {
 			panic!("Expected JsonError, got {:?}", result);
 		};
 		assert!(e.to_string().contains("missing field `sub`"));
 	}
 
-	#[test]
-	fn test_auth_token_invalid_subject() {
-		let mut rng = rand::thread_rng();
-		let rsa_private_key =
-			RsaPrivateKey::new(&mut rng, 2048).expect("Failed to generate private key");
-		let private_key = rsa_private_key.to_pkcs1_der().unwrap();
-
-		let expires_at = Utc::now()
-			.checked_add_days(Days::new(1))
-			.expect("Failed to calculate expiration")
-			.timestamp();
-
-		let claims = AuthTokenClaims {
-			sub: "test-sub".to_string(),
-			typ: AUTH_TOKEN_ID_TYPE.to_string(),
-			exp: expires_at,
-		};
-		let token = jwt::create(&claims, private_key.as_bytes()).unwrap();
-
-		let validation =
-			Validation::new("invalid-sub".to_string(), AUTH_TOKEN_ID_TYPE.to_string(), false);
-		let result = token.validate(private_key.as_bytes(), validation);
-
-		assert_eq!(result, Err(Error::JwtError(jwt::ErrorKind::InvalidSubject)));
-	}
-
 	#[test]
 	fn test_auth_token_missing_typ() {
 		let mut rng = rand::thread_rng();
@@ -241,8 +208,7 @@ mod tests {
 		let claims = TestAuthTokenNoTypClaims { sub: "test-sub".to_string(), exp: expires_at };
 		let token = jwt::create(&claims, private_key.as_bytes()).unwrap();
 
-		let validation =
-			Validation::new("test-sub".to_string(), AUTH_TOKEN_ID_TYPE.to_string(), false);
+		let validation = Validation::new(AUTH_TOKEN_ID_TYPE.to_string(), false);
 		let result = token.validate(private_key.as_bytes(), validation);
 		let Err(Error::JwtError(jwt::ErrorKind::Json(e))) = result else {
 			panic!("Expected JsonError, got {:?}", result);
@@ -272,8 +238,7 @@ mod tests {
 		);
 		let token = jwt::create(&claims, private_key.as_bytes()).unwrap();
 
-		let validation =
-			Validation::new(omni_account.to_hex(), AUTH_TOKEN_ID_TYPE.to_string(), false);
+		let validation = Validation::new(AUTH_TOKEN_ID_TYPE.to_string(), false);
 		let result = token.validate(private_key.as_bytes(), validation);
 
 		assert_eq!(result, Err(Error::JwtError(jwt::ErrorKind::InvalidToken)));

tee-worker/omni-executor/rpc-server/src/methods/omni/add_wallet.rs

@@ -3,7 +3,7 @@ use crate::{
 	Deserialize, ErrorCode,
 };
 use executor_core::native_task::*;
-use executor_primitives::{utils::hex::ToHexPrefixed, OmniAuth};
+use executor_primitives::OmniAuth;
 use heima_primitives::{Identity, Web2IdentityType};
 use jsonrpsee::RpcModule;
 use native_task_handler::NativeTaskOk;
@@ -30,7 +30,7 @@ impl From<AddWalletParams> for NativeTaskWrapper<NativeTask> {
 		NativeTaskWrapper::new(
 			NativeTask::PumpxAddWallet(sender.clone()),
 			None,
-			Some(OmniAuth::AuthToken(sender.to_omni_account().to_hex(), p.auth_token)),
+			Some(OmniAuth::AuthToken(p.auth_token)),
 		)
 	}
 }

tee-worker/omni-executor/rpc-server/src/methods/omni/notify_limit_order_result.rs

@@ -1,15 +1,12 @@
 use crate::methods::omni::PumpxRpcError;
+use crate::verify_auth::verify_auth_token_authentication;
 use crate::{error_code::*, server::RpcContext, Deserialize, ErrorCode};
 use executor_core::native_task::*;
-use executor_crypto::jwt;
 use executor_primitives::{utils::hex::FromHexPrefixed, OmniAuth};
-use heima_authentication::auth_token::AuthTokenClaims;
+use heima_authentication::auth_token::AUTH_TOKEN_ACCESS_TYPE;
 use heima_primitives::{Address32, Identity};
 use jsonrpsee::RpcModule;
 use native_task_handler::NativeTaskOk;
-use rsa::pkcs1::DecodeRsaPrivateKey;
-use rsa::pkcs1::EncodeRsaPublicKey;
-use rsa::RsaPrivateKey;
 use tracing::{debug, error};
 
 use super::common::handle_omni_native_task;
@@ -35,32 +32,21 @@ pub fn register_notify_limit_order_result(module: &mut RpcModule<RpcContext>) {
 				params.intent_id, params.result, params.message
 			);
 
-			let private_key =
-				RsaPrivateKey::from_pkcs1_der(&ctx.jwt_rsa_private_key).map_err(|e| {
-					error!("Failed to parse private key: {:?}", e);
-					PumpxRpcError::from_error_code(ErrorCode::InternalError)
-				})?;
-
-			let public_key = private_key.to_public_key().to_pkcs1_der().map_err(|e| {
-				error!("Failed to generate public key: {:?}", e);
-				PumpxRpcError::from_error_code(ErrorCode::InternalError)
-			})?;
-
-			// this validates jwt - we skip exp check for this call
-			let Ok(token) =
-				jwt::decode::<AuthTokenClaims>(&params.auth_token, public_key.as_bytes(), true)
-			else {
-				return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
-					AUTH_VERIFICATION_FAILED_CODE,
-				)));
+			let omni_account = match verify_auth_token_authentication(
+				ctx.clone(),
+				&params.auth_token,
+				AUTH_TOKEN_ACCESS_TYPE,
+				true,
+			) {
+				Ok(claims) => claims.sub,
+				Err(_) => {
+					error!("Failed to verify auth token");
+					return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
+						AUTH_VERIFICATION_FAILED_CODE,
+					)));
+				},
 			};
-			if token.typ != "access" {
-				return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
-					AUTH_VERIFICATION_FAILED_CODE,
-				)));
-			}
 
-			let omni_account = token.sub;
 			let Ok(address) = Address32::from_hex(&omni_account) else {
 				error!("Failed to parse from omni account token");
 				return Err(PumpxRpcError::from_error_code(ErrorCode::InternalError));
@@ -74,7 +60,7 @@ pub fn register_notify_limit_order_result(module: &mut RpcModule<RpcContext>) {
 					params.message,
 				),
 				None,
-				Some(OmniAuth::AuthToken(omni_account, params.auth_token)),
+				Some(OmniAuth::AuthToken(params.auth_token)),
 			);
 
 			handle_omni_native_task(&ctx, wrapper, |task_ok| match task_ok {

tee-worker/omni-executor/rpc-server/src/methods/omni/sign_limit_order.rs

@@ -14,28 +14,24 @@
 // You should have received a copy of the GNU General Public License
 // along with Litentry.  If not, see <https://www.gnu.org/licenses/>.
 
-use executor_primitives::utils::hex::FromHexPrefixed;
-use heima_primitives::Address32;
-use heima_primitives::IntentId;
-use rsa::pkcs1::DecodeRsaPrivateKey;
-use rsa::pkcs1::EncodeRsaPublicKey;
-
 use crate::error_code::AUTH_VERIFICATION_FAILED_CODE;
 use crate::methods::omni::PumpxRpcError;
 use crate::server::RpcContext;
+use crate::verify_auth::verify_auth_token_authentication;
 use crate::ErrorCode;
 use ethers::types::Bytes;
 use executor_core::native_task::NativeTask;
 use executor_core::native_task::NativeTaskWrapper;
 use executor_core::native_task::PumpxChainId;
 use executor_core::native_task::PumxWalletIndex;
-use executor_crypto::jwt;
+use executor_primitives::utils::hex::FromHexPrefixed;
 use executor_primitives::OmniAuth;
-use heima_authentication::auth_token::AuthTokenClaims;
+use heima_authentication::auth_token::AUTH_TOKEN_ACCESS_TYPE;
+use heima_primitives::Address32;
 use heima_primitives::Identity;
+use heima_primitives::IntentId;
 use jsonrpsee::RpcModule;
 use native_task_handler::NativeTaskOk;
-use rsa::RsaPrivateKey;
 use serde::Deserialize;
 use serde::Serialize;
 use tracing::{debug, error};
@@ -70,32 +66,21 @@ pub fn register_sign_limit_order_params(module: &mut RpcModule<RpcContext>) {
 
 			debug!("Received omni_signLimitOrder, intent_id: {}, order_id: {}, chain_id: {}, wallet_index: {}", params.intent_id, params.order_id, params.chain_id, params.wallet_index);
 
-			let private_key =
-				RsaPrivateKey::from_pkcs1_der(&ctx.jwt_rsa_private_key).map_err(|e| {
-					error!("Failed to parse private key: {:?}", e);
-					PumpxRpcError::from_error_code(ErrorCode::InternalError)
-				})?;
-
-			let public_key = private_key.to_public_key().to_pkcs1_der().map_err(|e| {
-				error!("Failed to generate public key: {:?}", e);
-				PumpxRpcError::from_error_code(ErrorCode::InternalError)
-			})?;
-
-			// this validates jwt - we skip exp check for this call
-			let Ok(token) =
-				jwt::decode::<AuthTokenClaims>(&params.auth_token, public_key.as_bytes(), true)
-			else {
-				return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
-					AUTH_VERIFICATION_FAILED_CODE,
-				)));
+           	let omni_account = match verify_auth_token_authentication(
+				ctx.clone(),
+				&params.auth_token,
+				AUTH_TOKEN_ACCESS_TYPE,
+				true,
+			) {
+				Ok(claims) => claims.sub,
+				Err(_) => {
+					error!("Failed to verify auth token");
+					return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
+						AUTH_VERIFICATION_FAILED_CODE,
+					)));
+				},
 			};
-			if token.typ != "access" {
-				return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
-					AUTH_VERIFICATION_FAILED_CODE,
-				)));
-			}
 
-			let omni_account = token.sub;
 			let Ok(address) = Address32::from_hex(&omni_account) else {
 				error!("Failed to parse from omni account token");
 				return Err(PumpxRpcError::from_error_code(ErrorCode::InternalError));
@@ -109,7 +94,7 @@ pub fn register_sign_limit_order_params(module: &mut RpcModule<RpcContext>) {
 					params.unsigned_tx.iter().map(|tx| tx.to_vec()).collect(),
 				),
 		     	None,
-				Some(OmniAuth::AuthToken(omni_account, params.auth_token)),
+				Some(OmniAuth::AuthToken(params.auth_token)),
 			);
 
 			handle_omni_native_task(&ctx, wrapper, |task_ok| match task_ok {

tee-worker/omni-executor/rpc-server/src/methods/omni/submit_swap_order.rs

@@ -4,12 +4,12 @@ use crate::{
 	Deserialize, ErrorCode,
 };
 use executor_core::native_task::*;
-use executor_primitives::{utils::hex::ToHexPrefixed, OmniAuth};
+use executor_primitives::OmniAuth;
 use executor_storage::{PumpxJwtStorage, Storage};
 use heima_authentication::auth_token::{AUTH_TOKEN_ACCESS_TYPE, AUTH_TOKEN_ID_TYPE};
 use heima_hex_utils::decode_hex;
 use heima_primitives::{
-	Address20, Address32, BinanceConfig, BoundedVec, ChainAsset, CrossChainSwapProvider,
+	AccountId, Address20, Address32, BinanceConfig, BoundedVec, ChainAsset, CrossChainSwapProvider,
 	EthereumToken, Identity, Intent, PumpxConfig, PumpxOrderType, SingleChainSwapProvider,
 	SolanaToken, SwapOrder, Web2IdentityType,
 };
@@ -19,6 +19,7 @@ use pumpx::constants::*;
 use pumpx::methods::common::{OrderInfoResponse, SwapType};
 use pumpx::methods::send_order_tx::SendOrderTxResponse;
 use serde::Serialize;
+use std::str::FromStr;
 use tracing::{debug, error};
 
 use super::common::{check_omni_api_response, handle_omni_native_task};
@@ -116,16 +117,20 @@ pub fn register_submit_swap_order(module: &mut RpcModule<RpcContext>) {
 			debug!("Received omni_submitSwapOrder, user_email: {}, intent_id: {}, order_type: {:?}, swap_type: {:?}, from_chain_id: {}, from_token_ca: {:?}, from_amount: {}, to_chain_id: {}, to_token_ca: {:?}, wallet_index: {}",
 			params.user_email, params.intent_id, params.order_type, params.swap_type, params.from_chain_id, params.from_token_ca, params.from_amount, params.to_chain_id, params.to_token_ca, params.wallet_index);
 
-			let user_identity =
-				Identity::from_web2_account(&params.user_email, Web2IdentityType::Email);
-			if verify_auth_token_authentication(ctx.clone(), user_identity.to_omni_account().to_hex(), &params.auth_token, AUTH_TOKEN_ID_TYPE, false)
-				.is_err()
-			{
-				error!("Failed to verify auth token");
-				return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
-					AUTH_VERIFICATION_FAILED_CODE,
-				)));
-			}
+            let omni_account = match verify_auth_token_authentication(ctx.clone(), &params.auth_token, AUTH_TOKEN_ID_TYPE, false) {
+                Ok(claims) => {
+                    AccountId::from_str(&claims.sub).map_err(|_| {
+                        error!("Failed to parse account id from auth token");
+                        PumpxRpcError::from_error_code(ErrorCode::InternalError)
+                    })?
+                },
+                Err(_) => {
+                    error!("Failed to verify auth token");
+                    return Err(PumpxRpcError::from_error_code(ErrorCode::ServerError(
+                        AUTH_VERIFICATION_FAILED_CODE,
+                    )));
+                }
+            };
 
 			let from_chain_asset = params.try_get_from_chain_asset().map_err(|_| {
 				error!("Failed to get from chain asset");
@@ -151,7 +156,7 @@ pub fn register_submit_swap_order(module: &mut RpcModule<RpcContext>) {
 
 			let storage = PumpxJwtStorage::new(ctx.storage_db.clone());
 			let Ok(Some(access_token)) =
-				storage.get(&(user_identity.to_omni_account(), AUTH_TOKEN_ACCESS_TYPE))
+				storage.get(&(omni_account, AUTH_TOKEN_ACCESS_TYPE))
 			else {
 				error!("Failed to get access token from storage");
 				return Err(PumpxRpcError::from_error_code(ErrorCode::InternalError));
@@ -225,10 +230,12 @@ pub fn register_submit_swap_order(module: &mut RpcModule<RpcContext>) {
                 error!("Failed to convert single chain swap provider");
                 PumpxRpcError::from_error_code(ErrorCode::InternalError)
             })?);
+           	let user_identity =
+				Identity::from_web2_account(&params.user_email, Web2IdentityType::Pumpx);
 			let wrapper = NativeTaskWrapper::new(
-				NativeTask::RequestIntent(user_identity.clone(), params.intent_id, intent),
+				NativeTask::RequestIntent(user_identity, params.intent_id, intent),
 				 None,
-				 Some(OmniAuth::AuthToken(user_identity.to_omni_account().to_hex(), params.auth_token)),
+				 Some(OmniAuth::AuthToken(params.auth_token)),
 			);
 
 			handle_omni_native_task(&ctx, wrapper, |task_ok| match task_ok {