Skip to content

[service-utils]: Expose domain and bundle id validation logic #3238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 8, 2024
Merged

[service-utils]: Expose domain and bundle id validation logic #3238

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5fd32f9
chore: expose domain and bundle ID validation
ElasticBottle Jun 6, 2024
ea89f08
chore: update export path
ElasticBottle Jun 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .changeset/twelve-scissors-share.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
"@thirdweb-dev/service-utils": patch
---

expose domain and bundle Id validation logic

```typescript
import { authorizeDomain, authorizeBundleId } from "@thirdweb-dev/service-utils
const isValidDomain = authorizeDomain({ domains, origin });
const isValidBundleId = authorizeBundleId({ bundleId, bundleIds });
```
95 changes: 58 additions & 37 deletions packages/service-utils/src/core/authorize/client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,36 +51,9 @@ export function authorizeClient(
// validate domains
if (origin) {
if (
// find matching domain, or if all domains allowed
// embedded-wallet.thirdweb(-dev).com is automatically allowed
// because the rpc is passed from user's domain to embedded-wallet.thirdweb.com iframe for use.
// Note this doesn't allow embedded-wallets from being used if it's disabled. The service check that runs after enforces that.
[
...domains,
"embedded-wallet.thirdweb.com",
"embedded-wallet.thirdweb-dev.com",
].find((d) => {
// if any domain is allowed, we'll return true
if (d === "*") {
return true;
}

// special rule for `localhost`
// if the domain is localhost, we'll allow any origin that starts with localhost
if (d === "localhost" && origin.startsWith("localhost")) {
return true;
}

// If the allowedDomain has a wildcard,
// we'll check that the ending of our domain matches the wildcard
if (d.startsWith("*.")) {
// get rid of the * and check if it ends with the `.<domain>.<tld>`
const domainRoot = d.slice(1);
return origin.endsWith(domainRoot);
}

// If there's no wildcard, we'll check for an exact match
return d === origin;
authorizeDomain({
domains,
origin,
})
) {
return authResult;
Expand All @@ -97,13 +70,9 @@ export function authorizeClient(
// validate bundleId
if (bundleId) {
if (
// find matching bundle id, or if all bundles allowed
bundleIds.find((b) => {
if (b === "*") {
return true;
}

return b === bundleId;
authorizeBundleId({
bundleIds,
bundleId,
})
) {
return authResult;
Expand All @@ -125,3 +94,55 @@ export function authorizeClient(
status: 401,
};
}

// Exposed for use in validating ecosystem partners settings
export function authorizeDomain({
domains,
origin,
}: { domains: string[]; origin: string }): boolean {
// find matching domain, or if all domains allowed
// embedded-wallet.thirdweb(-dev).com is automatically allowed
// because the rpc is passed from user's domain to embedded-wallet.thirdweb.com iframe for use.
// Note this doesn't allow embedded-wallets from being used if it's disabled. The service check that runs after enforces that.
return !![
...domains,
"embedded-wallet.thirdweb.com",
"embedded-wallet.thirdweb-dev.com",
].find((d) => {
// if any domain is allowed, we'll return true
if (d === "*") {
return true;
}

// special rule for `localhost`
// if the domain is localhost, we'll allow any origin that starts with localhost
if (d === "localhost" && origin.startsWith("localhost")) {
return true;
}

// If the allowedDomain has a wildcard,
// we'll check that the ending of our domain matches the wildcard
if (d.startsWith("*.")) {
// get rid of the * and check if it ends with the `.<domain>.<tld>`
const domainRoot = d.slice(1);
return origin.endsWith(domainRoot);
}

// If there's no wildcard, we'll check for an exact match
return d === origin;
});
}

export function authorizeBundleId({
bundleIds,
bundleId,
}: { bundleIds: string[]; bundleId: string }): boolean {
// find matching bundle id, or if all bundles allowed
return !!bundleIds.find((b) => {
if (b === "*") {
return true;
}

return b === bundleId;
});
}
5 changes: 5 additions & 0 deletions packages/service-utils/src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,7 @@
// Exports the public service definitions.
export * from "./core/services";

export {
authorizeBundleId,
authorizeDomain,
} from "./core/authorize/client";
10 changes: 6 additions & 4 deletions packages/service-utils/src/node/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,19 @@
import { createHash } from "node:crypto";
import { authorize } from "../core/authorize";

import type { ServerResponse } from "node:http";
import type { IncomingHttpHeaders, IncomingMessage } from "node:http";
import type {
IncomingHttpHeaders,
IncomingMessage,
ServerResponse,
} from "node:http";
import type { CoreServiceConfig } from "../core/api";
import type { AuthorizationInput } from "../core/authorize";
import type { AuthorizationResult } from "../core/authorize/types";
import type { CoreAuthInput } from "../core/types";

export * from "../core/services";
export * from "../core/rateLimit";
export * from "../core/services";
export * from "../core/usageLimit";

type NodeServiceConfig = CoreServiceConfig;

export type AuthInput = CoreAuthInput & {
Expand Down