Use project ID from header (#32)

go.mod

@@ -19,7 +19,6 @@ require (
 	github.com/go-chi/traceid v0.2.0
 	github.com/go-chi/transport v0.1.0
 	github.com/goware/rerun v0.0.9
-	github.com/jxskiss/base62 v1.1.0
 	github.com/lestrrat-go/jwx/v2 v2.0.20
 	github.com/mdlayher/vsock v1.2.1
 	github.com/rs/zerolog v1.32.0

go.sum

@@ -240,8 +240,6 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/jxskiss/base62 v1.1.0 h1:A5zbF8v8WXx2xixnAKD2w+abC+sIzYJX+nxmhA6HWFw=
-github.com/jxskiss/base62 v1.1.0/go.mod h1:HhWAlUXvxKThfOlZbcuFzsqwtF5TcqS9ru3y5GfjWAc=
 github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

rpc/helpers_test.go

@@ -5,7 +5,6 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
-	"encoding/binary"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -33,7 +32,6 @@ import (
 	dynamodbtypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	kmstypes "github.com/aws/aws-sdk-go-v2/service/kms/types"
-	"github.com/jxskiss/base62"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/lestrrat-go/jwx/v2/jwt"
@@ -562,13 +560,6 @@ func newSession(t *testing.T, enc *enclave.Enclave, issuer string, signingSessio
 	return newSessionFromData(t, enc, payload)
 }
 
-func newRandAccessKey(projectID uint64) string {
-	buf := make([]byte, 24)
-	binary.BigEndian.PutUint64(buf, projectID)
-	rand.Read(buf[8:])
-	return base62.EncodeToString(buf)
-}
-
 type walletServiceMock struct {
 	registeredUsers    map[string]struct{}
 	registeredSessions map[string]struct{}

rpc/send_transaction_test.go

@@ -8,6 +8,7 @@ import (
 	mathrand "math/rand"
 	"net/http"
 	"net/http/httptest"
+	"strconv"
 	"testing"
 
 	"github.com/0xsequence/ethkit/ethwallet"
@@ -68,7 +69,7 @@ func TestRPC_SendIntent_SendTransaction(t *testing.T) {
 
 	c := proto.NewWaasAuthenticatorClient(srv.URL, http.DefaultClient)
 	header := make(http.Header)
-	header.Set("X-Access-Key", newRandAccessKey(tenant.ProjectID))
+	header.Set("X-Sequence-Project", strconv.Itoa(int(tenant.ProjectID)))
 	ctx, err := proto.WithHTTPRequestHeaders(context.Background(), header)
 
 	res, err := c.SendIntent(ctx, intent)

rpc/sessions_test.go

@@ -8,6 +8,7 @@ import (
 	mathrand "math/rand"
 	"net/http"
 	"net/http/httptest"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -200,7 +201,7 @@ func TestRPC_RegisterSession(t *testing.T) {
 
 			c := proto.NewWaasAuthenticatorClient(srv.URL, http.DefaultClient)
 			header := make(http.Header)
-			header.Set("X-Access-Key", newRandAccessKey(tenant.ProjectID))
+			header.Set("X-Sequence-Project", strconv.Itoa(int(tenant.ProjectID)))
 			ctx, err := proto.WithHTTPRequestHeaders(context.Background(), header)
 			require.NoError(t, err)
 
@@ -337,7 +338,7 @@ func TestRPC_SendIntent_DropSession(t *testing.T) {
 
 			c := proto.NewWaasAuthenticatorClient(srv.URL, http.DefaultClient)
 			header := make(http.Header)
-			header.Set("X-Access-Key", newRandAccessKey(tenant.ProjectID))
+			header.Set("X-Sequence-Project", strconv.Itoa(int(tenant.ProjectID)))
 			ctx, err := proto.WithHTTPRequestHeaders(context.Background(), header)
 
 			res, err := c.SendIntent(ctx, intent)
@@ -411,7 +412,7 @@ func TestRPC_SendIntent_ListSessions(t *testing.T) {
 
 	c := proto.NewWaasAuthenticatorClient(srv.URL, http.DefaultClient)
 	header := make(http.Header)
-	header.Set("X-Access-Key", newRandAccessKey(tenant.ProjectID))
+	header.Set("X-Sequence-Project", strconv.Itoa(int(tenant.ProjectID)))
 	ctx, err := proto.WithHTTPRequestHeaders(context.Background(), header)
 	require.NoError(t, err)
 

rpc/sign_message_test.go

@@ -7,6 +7,7 @@ import (
 	mathrand "math/rand"
 	"net/http"
 	"net/http/httptest"
+	"strconv"
 	"testing"
 
 	"github.com/0xsequence/ethkit/ethwallet"
@@ -66,7 +67,7 @@ func TestRPC_SendIntent_SignMessage(t *testing.T) {
 
 	c := proto.NewWaasAuthenticatorClient(srv.URL, http.DefaultClient)
 	header := make(http.Header)
-	header.Set("X-Access-Key", newRandAccessKey(tenant.ProjectID))
+	header.Set("X-Sequence-Project", strconv.Itoa(int(tenant.ProjectID)))
 	ctx, err := proto.WithHTTPRequestHeaders(context.Background(), header)
 
 	res, err := c.SendIntent(ctx, intent)

rpc/tenant/middleware.go

@@ -2,15 +2,15 @@ package tenant
 
 import (
 	"context"
-	"encoding/binary"
 	"fmt"
 	"net/http"
 	"slices"
+	"strconv"
+	"strings"
 
 	"github.com/0xsequence/waas-authenticator/data"
 	"github.com/0xsequence/waas-authenticator/proto"
 	"github.com/0xsequence/waas-authenticator/rpc/crypto"
-	"github.com/jxskiss/base62"
 )
 
 // Middleware validates that the tenant sent in X-Access-Key header is valid and stores it in context.
@@ -19,21 +19,27 @@ func Middleware(tenants *data.TenantTable, tenantKeys []string) func(http.Handle
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
 
-			// Get projectID based on access key header which is encoded in the value
-			// and place the access key on the context.
+			// Place the access key in context as it's used by services downstream
 			accessKey := r.Header.Get("x-access-key")
 			if accessKey != "" {
 				ctx = WithAccessKey(ctx, accessKey)
 			}
 
-			projectID, err := decodeProjectIDFromAccessKey(accessKey)
+			// Get projectID from the header populated by the ingress service
+			projectHeader := r.Header.Get("x-sequence-project")
+			if projectHeader == "" {
+				proto.RespondWithError(w, fmt.Errorf("missing X-Sequence-Project header"))
+				return
+			}
+
+			projectID, err := strconv.Atoi(strings.TrimSpace(projectHeader))
 			if err != nil {
-				proto.RespondWithError(w, fmt.Errorf("invalid tenant: %v", projectID))
+				proto.RespondWithError(w, fmt.Errorf("parse project ID: %w", err))
 				return
 			}
 
 			// Find tenant based on project id
-			tenant, found, err := tenants.GetLatest(ctx, projectID)
+			tenant, found, err := tenants.GetLatest(ctx, uint64(projectID))
 			if err != nil {
 				proto.RespondWithError(w, fmt.Errorf("could not retrieve tenant: %w", err))
 				return
@@ -62,11 +68,3 @@ func Middleware(tenants *data.TenantTable, tenantKeys []string) func(http.Handle
 		})
 	}
 }
-
-func decodeProjectIDFromAccessKey(accessKey string) (uint64, error) {
-	buf, err := base62.DecodeString(accessKey)
-	if err != nil || len(buf) < 8 {
-		return 0, fmt.Errorf("invalid access key")
-	}
-	return binary.BigEndian.Uint64(buf[:8]), nil
-}