Implement bearer token auth (#174)

* Implement bearer token auth

* Readme configuration changes

packages/airnode-feed/README.md

@@ -283,11 +283,12 @@ Configuration for the signed APIs. Each signed API is defined by a `signedApiNam
 example:
 
 ```jsonc
-// Defines a single signed API.
+// Defines a single signed API that uses AUTH_TOKEN secret as Bearer token when pushing signed data to signed API.
 "signedApis": [
   {
     "name": "localhost",
-    "url": "http://localhost:8090"
+    "url": "http://localhost:8090",
+    "authToken": "${AUTH_TOKEN}"
   }
 ]
 ```
@@ -304,6 +305,13 @@ The name of the signed API.
 
 The URL of the signed API.
 
+#### `authToken`
+
+The authentication token used to authenticate with the signed API. It is recommended to interpolate this value from
+secrets.
+
+If the signed API does not require authentication, set this value to `null`.
+
 #### `ois`
 
 Configuration for the OISes.

packages/airnode-feed/config/airnode-feed.example.json

@@ -29,14 +29,15 @@
           "0x1d65c1f1e127a41cebd2339f823d0290322c63f3044380cbac105db8e522ebb9"
         ],
         "fetchInterval": 5,
-        "updateDelay": 30
+        "updateDelay": 0
       }
     ]
   },
   "signedApis": [
     {
       "name": "localhost",
-      "url": "http://localhost:8090"
+      "url": "http://localhost:8090",
+      "authToken": "some-secret-token-for-airnode-feed"
     }
   ],
   "ois": [

packages/airnode-feed/src/api-requests/signed-api.ts

@@ -42,12 +42,13 @@ export const pushSignedData = async (group: SignedApiUpdate) => {
     }
 
     logger.debug('Posting signed API data.', { group });
-    const provider = signedApis.find((a) => a.name === signedApiName)!;
+    const signedApi = signedApis.find((a) => a.name === signedApiName)!;
     const goAxiosRequest = await go<Promise<unknown>, AxiosError>(async () => {
       logger.debug('Posting batch payload.', { batchPayload });
-      const axiosResponse = await axios.post(provider.url, batchPayload, {
+      const axiosResponse = await axios.post(signedApi.url, batchPayload, {
         headers: {
           'Content-Type': 'application/json',
+          ...(signedApi.authToken ? { Authorization: `Bearer ${signedApi.authToken}` } : {}),
         },
       });
 

packages/airnode-feed/src/heartbeat/heartbeat.test.ts

@@ -28,9 +28,9 @@ describe(logHeartbeat.name, () => {
       nodeVersion: '0.1.0',
       currentTimestamp: '1674172803',
       deploymentTimestamp: '1674172800',
-      configHash: '0x1a2a00f22eeab37eb95f8cf1ec10ec89521516db42f41b7ffc6da541d948a54a',
+      configHash: '0x0a36630da26fa987561ff8b692f2015a6fe632bdabcf3dcdd010ccc8262f4a3a',
       signature:
-        '0xd0f84a62705585e03c14ebfda2688a4e4c733aa42a3d13f98d4fe390d482fd1c3e698e91939df28b9565a9de82f3495b053824ffe61239fdd4fa0e4a970523a81b',
+        '0x15fb32178d3c6e30385e448b21a4b9086c715a11e8044513bf3b6a578643f7a327498b59cc3d9442fbd2f3b3b4991f94398727e54558ac24871e2df44d1664e11c',
     };
     const rawConfig = JSON.parse(readFileSync(join(__dirname, '../../config/airnode-feed.example.json'), 'utf8'));
     jest.spyOn(configModule, 'loadRawConfig').mockReturnValue(rawConfig);
@@ -50,12 +50,12 @@ describe(verifyHeartbeatLog.name, () => {
     const jsonLog = {
       context: {
         airnode: '0xbF3137b0a7574563a23a8fC8badC6537F98197CC',
-        configHash: '0x1a2a00f22eeab37eb95f8cf1ec10ec89521516db42f41b7ffc6da541d948a54a',
+        configHash: '0x0a36630da26fa987561ff8b692f2015a6fe632bdabcf3dcdd010ccc8262f4a3a',
         currentTimestamp: '1674172803',
         deploymentTimestamp: '1674172800',
         nodeVersion: '0.1.0',
         signature:
-          '0xd0f84a62705585e03c14ebfda2688a4e4c733aa42a3d13f98d4fe390d482fd1c3e698e91939df28b9565a9de82f3495b053824ffe61239fdd4fa0e4a970523a81b',
+          '0x15fb32178d3c6e30385e448b21a4b9086c715a11e8044513bf3b6a578643f7a327498b59cc3d9442fbd2f3b3b4991f94398727e54558ac24871e2df44d1664e11c',
         stage: 'test',
       },
       level: 'info',
@@ -81,10 +81,10 @@ describe(stringifyUnsignedHeartbeatPayload.name, () => {
         nodeVersion: '0.1.0',
         currentTimestamp: '1674172803',
         deploymentTimestamp: '1674172800',
-        configHash: '0x1a2a00f22eeab37eb95f8cf1ec10ec89521516db42f41b7ffc6da541d948a54a',
+        configHash: '0x0a36630da26fa987561ff8b692f2015a6fe632bdabcf3dcdd010ccc8262f4a3a',
       })
     ).toBe(
-      '{"airnode":"0xbF3137b0a7574563a23a8fC8badC6537F98197CC","configHash":"0x1a2a00f22eeab37eb95f8cf1ec10ec89521516db42f41b7ffc6da541d948a54a","currentTimestamp":"1674172803","deploymentTimestamp":"1674172800","nodeVersion":"0.1.0","stage":"test"}'
+      '{"airnode":"0xbF3137b0a7574563a23a8fC8badC6537F98197CC","configHash":"0x0a36630da26fa987561ff8b692f2015a6fe632bdabcf3dcdd010ccc8262f4a3a","currentTimestamp":"1674172803","deploymentTimestamp":"1674172800","nodeVersion":"0.1.0","stage":"test"}'
     );
   });
 });

packages/airnode-feed/src/validation/schema.test.ts

@@ -52,8 +52,8 @@ test('ensures nodeVersion matches Airnode feed version', async () => {
 test('ensures signed API names are unique', () => {
   expect(() =>
     signedApisSchema.parse([
-      { name: 'foo', url: 'https://example.com' },
-      { name: 'foo', url: 'https://example.com' },
+      { name: 'foo', url: 'https://example.com', authToken: null },
+      { name: 'foo', url: 'https://example.com', authToken: null },
     ])
   ).toThrow(
     new ZodError([
@@ -65,10 +65,11 @@ test('ensures signed API names are unique', () => {
     ])
   );
 
-  expect(signedApisSchema.parse([{ name: 'foo', url: 'https://example.com' }])).toStrictEqual([
+  expect(signedApisSchema.parse([{ name: 'foo', url: 'https://example.com', authToken: null }])).toStrictEqual([
     {
       name: 'foo',
       url: 'https://example.com',
+      authToken: null,
     },
   ]);
 });

packages/airnode-feed/src/validation/schema.ts

@@ -223,6 +223,7 @@ const validateTriggerReferences: SuperRefinement<{
 export const signedApiSchema = z.strictObject({
   name: z.string(),
   url: z.string().url(),
+  authToken: z.string().nullable(),
 });
 
 export type SignedApi = z.infer<typeof signedApiSchema>;

packages/airnode-feed/test/fixtures.ts

@@ -46,6 +46,7 @@ export const config: Config = {
     {
       name: 'localhost',
       url: 'http://localhost:8090',
+      authToken: null,
     },
   ],
   ois: [

packages/api/README.md

@@ -145,15 +145,17 @@ The API needs to be configured with endpoints to be served. This is done via the
 ```jsonc
 // Defines two endpoints.
 "endpoints": [
-  // Serves the non-delayed data on URL path "/real-time".
+  // Serves the non-delayed data on URL path "/real-time". Requesters need to provide the "some-secret-token" as Bearer token.
   {
     "urlPath": "/real-time",
-    "delaySeconds": 0
+    "delaySeconds": 0,
+    "authTokens": ["some-secret-token"],
   },
-  // Serves the data delayed by 15 seconds on URL path "/delayed".
+  // Serves the data delayed by 15 seconds on URL path "/delayed". No authentication is required.
   {
     "urlPath": "/delayed",
-    "delaySeconds": 15
+    "delaySeconds": 15,
+    "authTokens": null,
   }
 ]
 ```
@@ -171,6 +173,14 @@ dashes.
 
 The delay in seconds for the endpoint. The endpoint will only serve data that is older than the delay.
 
+###### `authTokens`
+
+The nonempty list of
+[Bearer authentication tokens](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#bearer) allowed to query
+the data.
+
+In case the endpoint should be publicly available, set the value to `null`.
+
 #### `cache` _(optional)_
 
 Configures the cache for the API endpoints.
@@ -190,8 +200,8 @@ The maximum age of the cache in seconds. The cache is cleared after this time.
 
 #### `allowedAirnodes`
 
-The list of allowed Airnode addresses. If the list is empty, no Airnode is allowed. To whitelist all Airnodes, set the
-value to `"*"` instead of an array.
+The list of allowed Airnodes with authorization details. If the list is empty, no Airnode is allowed. To whitelist all
+Airnodes, set the value to `"*"` instead of an array.
 
 Example:
 
@@ -203,10 +213,33 @@ Example:
 or
 
 ```jsonc
-// Allows pushing signed data only from the specific Airnode.
-"allowedAirnodes": ["0xB47E3D8734780430ee6EfeF3c5407090601Dcd15"]
+// Allows pushing signed data only for the specific Airnode. No authorization is required to push the data.
+"allowedAirnodes": [ { "address": "0xB47E3D8734780430ee6EfeF3c5407090601Dcd15", "authTokens": null } ]
+```
+
+or
+
+```jsonc
+// Allows pushing signed data only for the specific Airnode. The pusher needs to authorize with one of the specific tokens.
+"allowedAirnodes": { "address": "0xbF3137b0a7574563a23a8fC8badC6537F98197CC", "authTokens": ["some-secret-token-for-airnode-feed"] }
 ```
 
+##### `allowedAirnodes[n]`
+
+One of the allowed Airnodes.
+
+###### `address`
+
+The address of the Airnode. The address must be a valid Ethereum address.
+
+###### `authTokens`
+
+The nonempty list of
+[Bearer authentication tokens](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#bearer).
+
+To allow pushing data without any authorization, set the value to `null`. The API validates the data, but this is not
+recommended.
+
 ##### `stage`
 
 An identifier of the deployment stage. This is used to distinguish between different deployments of Signed API, for

packages/api/config/signed-api.example.json

@@ -2,14 +2,18 @@
   "endpoints": [
     {
       "urlPath": "/real-time",
+      "authTokens": ["some-secret-token"],
       "delaySeconds": 0
     },
     {
       "urlPath": "/delayed",
+      "authTokens": null,
       "delaySeconds": 15
     }
   ],
-  "allowedAirnodes": ["0xbF3137b0a7574563a23a8fC8badC6537F98197CC"],
+  "allowedAirnodes": [
+    { "address": "0xbF3137b0a7574563a23a8fC8badC6537F98197CC", "authTokens": ["some-secret-token-for-airnode-feed"] }
+  ],
   "stage": "local",
   "version": "0.1.0"
 }