Merge pull request #115 from JerryIdoko/feature/jwt-authentication-160

AlAfiz · web-flow · commit 98fa97e22e18 · 2026-03-26T05:04:02.000+01:00
Pull Request: JWT Authentication for Admin/Indexer Routes (#160, #84)
diff --git a/.env.example b/.env.example
@@ -12,4 +12,8 @@ DB_DATABASE=tradeflow
 SOROBAN_RPC_URL="https://soroban-testnet.stellar.org"
 POOL_ADDRESS="CC..." # Replace with your Pool Contract ID
 INDEXER_POLL_INTERVAL=5000 # Polling interval in ms
-WS_PORT=3001 # WebSocket server port
+WS_PORT=3001 # WebSocket server port
+
+# Security Configuration
+JWT_SECRET="YOUR_SUPER_SECRET_KEY_CHANGE_ME"
+ADMIN_PASSWORD="admin_secure_password_123"
diff --git a/src/app.module.ts b/src/app.module.ts
@@ -1,4 +1,4 @@
-import { Module } from '@nestjs/common';
+import { Module, NestModule, MiddlewareConsumer, RequestMethod } from '@nestjs/common';
 import { APP_GUARD, APP_FILTER } from '@nestjs/core';
 import { ThrottlerModule, ThrottlerGuard } from '@nestjs/throttler';
 import { AppController } from './app.controller';
@@ -13,6 +13,7 @@ import { TokensModule } from './tokens/tokens.module';
 import { ThrottlerExceptionFilter } from './common/filters/throttler-exception.filter';
 import { AllExceptionsFilter } from './common/filters/all-exceptions.filter';
 import { OgModule } from './og/og.module';
+import { RequireJwtMiddleware } from './common/middleware/require-jwt.middleware';
 
 @Module({
   imports: [PrismaModule, HealthModule, RiskModule, AuthModule, AnalyticsModule, SwapModule, TokensModule, OgModule],
@@ -33,4 +34,13 @@ import { OgModule } from './og/og.module';
     },
   ],
 })
-export class AppModule {}
+export class AppModule implements NestModule {
+  configure(consumer: MiddlewareConsumer) {
+    consumer
+      .apply(RequireJwtMiddleware)
+      .forRoutes(
+        { path: 'api/v1/webhook/soroban', method: RequestMethod.POST },
+        { path: 'invoices', method: RequestMethod.POST }, // Database-mutating in AppController
+      );
+  }
+}
diff --git a/src/auth/admin.controller.ts b/src/auth/admin.controller.ts
@@ -0,0 +1,32 @@
+import { Controller, Post, Body, HttpException, HttpStatus } from '@nestjs/common';
+import { ApiTags, ApiOperation, ApiResponse } from '@nestjs/swagger';
+import { AuthService } from './auth.service';
+
+@ApiTags('admin')
+@Controller('api/v1/admin')
+export class AdminController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Post('login')
+  @ApiOperation({ summary: 'Admin login for backend dashboard' })
+  @ApiResponse({ 
+    status: 200, 
+    description: 'Admin login successful', 
+    schema: { type: 'object', properties: { token: { type: 'string' } } } 
+  })
+  @ApiResponse({ status: 401, description: 'Unauthorized' })
+  async login(@Body() body: { password: string }) {
+    if (!body.password) {
+      throw new HttpException('Password is required', HttpStatus.BAD_REQUEST);
+    }
+
+    const isValid = await this.authService.verifyAdminPassword(body.password);
+
+    if (!isValid) {
+      throw new HttpException('Invalid admin password', HttpStatus.UNAUTHORIZED);
+    }
+
+    const token = this.authService.generateAdminJWT();
+    return { token };
+  }
+}
diff --git a/src/auth/auth.module.ts b/src/auth/auth.module.ts
@@ -1,9 +1,12 @@
 import { Module } from '@nestjs/common';
 import { AuthController } from './auth.controller';
+import { AdminController } from './admin.controller';
+import { WebhookController } from './webhook.controller';
 import { AuthService } from './auth.service';
 
 @Module({
-  controllers: [AuthController],
+  controllers: [AuthController, AdminController, WebhookController],
   providers: [AuthService],
+  exports: [AuthService], // Export for middleware use
 })
 export class AuthModule {}
diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -7,11 +7,17 @@ import { Keypair } from '@stellar/stellar-sdk';
 export class AuthService {
   private readonly jwtSecret = process.env.JWT_SECRET || 'fallback-secret-key';
   private readonly jwtExpiration = '1h';
+  private readonly adminExpiration = '24h';
+  private readonly adminPassword = process.env.ADMIN_PASSWORD || 'admin123';
 
   generateNonce(): string {
     return crypto.randomBytes(16).toString('hex');
   }
 
+  async verifyAdminPassword(password: string): Promise<boolean> {
+    return password === this.adminPassword;
+  }
+
   async verifySignature(publicKey: string, signature: string, nonce: string): Promise<boolean> {
     try {
       const message = `Sign in to TradeFlow with nonce: ${nonce}`;
@@ -40,6 +46,17 @@ export class AuthService {
     });
   }
 
+  generateAdminJWT(): string {
+    const payload = {
+      role: 'admin',
+      iat: Math.floor(Date.now() / 1000),
+    };
+
+    return jwt.sign(payload, this.jwtSecret, {
+      expiresIn: this.adminExpiration,
+    });
+  }
+
   verifyJWT(token: string): any {
     try {
       return jwt.verify(token, this.jwtSecret);
diff --git a/src/auth/webhook.controller.ts b/src/auth/webhook.controller.ts
@@ -0,0 +1,33 @@
+import { Controller, Post, Body, HttpCode, HttpStatus } from '@nestjs/common';
+import { ApiTags, ApiOperation, ApiResponse, ApiHeader } from '@nestjs/swagger';
+
+@ApiTags('webhooks')
+@Controller('api/v1/webhook')
+export class WebhookController {
+  
+  @Post('soroban')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ 
+    summary: 'Stellar Soroban event webhook receiver',
+    description: 'Receives and processes incoming smart contract events. Requires JWT authentication.'
+  })
+  @ApiHeader({
+    name: 'Authorization',
+    description: 'Bearer <JWT_TOKEN>',
+    required: true
+  })
+  @ApiResponse({ status: 200, description: 'Event processed successfully' })
+  @ApiResponse({ status: 401, description: 'Unauthorized' })
+  async handleSorobanEvent(@Body() eventData: any) {
+    console.log('--- Incoming Soroban Event Webhook ---');
+    console.log('Payload:', JSON.stringify(eventData, null, 2));
+    
+    // In a production scenario, logic to respond to specific events
+    // would go here (e.g. updating internal state).
+    
+    return {
+      status: 'success',
+      receivedAt: new Date().toISOString()
+    };
+  }
+}
diff --git a/src/common/middleware/require-jwt.middleware.ts b/src/common/middleware/require-jwt.middleware.ts
@@ -0,0 +1,26 @@
+import { Injectable, NestMiddleware, UnauthorizedException } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import { AuthService } from '../../auth/auth.service';
+
+@Injectable()
+export class RequireJwtMiddleware implements NestMiddleware {
+  constructor(private readonly authService: AuthService) {}
+
+  use(req: Request, res: Response, next: NextFunction) {
+    const authHeader = req.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      throw new UnauthorizedException('Missing or invalid Authorization header');
+    }
+
+    const token = authHeader.split(' ')[1];
+
+    try {
+      const decoded = this.authService.verifyJWT(token);
+      req['user'] = decoded;
+      next();
+    } catch (error) {
+      throw new UnauthorizedException('Invalid or expired token');
+    }
+  }
+}
