add contract/write and create access token routes

Author: d4mr

src/db/derived-schemas.ts

@@ -1,4 +1,5 @@
 import { createSelectSchema } from "drizzle-zod";
-import { transactions } from "./schema";
+import { tokens, transactions } from "./schema";
 
 export const transactionDbEntrySchema = createSelectSchema(transactions);
+export const accessTokenDbEntrySchema = createSelectSchema(tokens);

src/executors/eoa/index.ts

@@ -37,12 +37,7 @@ import {
 } from "../../lib/errors";
 import { keccak256 } from "ox/Hash";
 import type { TransactionReceipt } from "thirdweb/transaction";
-import {
-  checkEoaIssues,
-  type EoaIssues,
-  type EoaIssueCode,
-  setOutOfGasIssue,
-} from "./issues";
+import { checkEoaIssues, type EoaIssues, setOutOfGasIssue } from "./issues";
 import { recordTransactionAttempt } from "./attempts";
 
 const sendLogger = initializeLogger("executor:eoa:send");

src/executors/external-bundler/index.ts

@@ -137,6 +137,7 @@ export function execute(request: ExecutionRequest) {
     createAndSignUserOp({
       adminAccount: executionOptions.signer,
       client,
+      waitForDeployment: false,
       smartWalletOptions: {
         // if we don't provide a factory address, SDK uses thirdweb's default account factory
         // user might be using a custom factory, and they might not provide one, so executor entrypoint should try to infer it

src/lib/errors.ts

@@ -212,7 +212,11 @@ export type EngineErr =
   | AccountErr;
 
 export function isEngineErr(err: unknown): err is EngineErr {
-  return "kind" in (err as EngineErr) && "code" in (err as EngineErr);
+  return (
+    typeof err === "object" &&
+    "kind" in (err as EngineErr) &&
+    "code" in (err as EngineErr)
+  );
 }
 
 export class EngineHttpException extends HTTPException {

src/lib/permissions.ts

@@ -11,13 +11,14 @@ import {
 import { getAddressResult } from "./validation/address";
 import { db } from "../db/connection";
 import { LRUCache } from "lru-cache";
+import { adminAccount } from "./admin-account";
 
 const permissionCache = new LRUCache<string, PermissionDbEntry>({
   max: 1024,
 });
 
 export function getPermissions(
-  address: Address,
+  address: Address
 ): ResultAsync<PermissionDbEntry, DbErr | PermissionsErr> {
   const cached = permissionCache.get(address);
   if (cached) {
@@ -28,7 +29,7 @@ export function getPermissions(
     db.query.permissions.findFirst({
       where: (permissions, { eq }) => eq(permissions.accountAddress, address),
     }),
-    mapDbError,
+    mapDbError
   )
     .andTee((permission) => {
       permission && permissionCache.set(address, permission);
@@ -40,7 +41,7 @@ export function getPermissions(
             kind: "permissions",
             code: "no_permissions",
             status: 400,
-          } as PermissionsErr),
+          } as PermissionsErr)
     );
 }
 
@@ -55,7 +56,16 @@ export function checkPermissions({
   AuthErr | ValidationErr | DbErr
 > {
   return getAddressResult("Invalid User Address")(rawAddress)
-    .asyncAndThen((address) => getPermissions(address))
+    .asyncAndThen((address) => {
+      if (address === adminAccount.address) {
+        return okAsync({
+          accountAddress: address,
+          permissions: "ADMIN" as const,
+          label: "Admin",
+        });
+      }
+      return getPermissions(address);
+    })
     .mapErr((error) => {
       if (error.kind === "permissions") {
         return {

src/server/engine.ts

@@ -28,6 +28,8 @@ import { accountRouter } from "./account";
 import { setupQueuesUiRoutes } from "./routes/queues";
 import { transactionsRoutes } from "./routes/transactions";
 import { correlationId } from "./middleware/correlation-id";
+import contractRoutes from "./routes/contract";
+import authRoutes from "./routes/auth";
 
 const engineServer = new Hono();
 const publicRoutes = new Hono();
@@ -125,10 +127,14 @@ engineServer.use(
 engineServer.route("/accounts", accountsRoutes);
 engineServer.route("/transactions", transactionsRoutes);
 engineServer.route("/account", accountRouter);
+engineServer.route("/contract", contractRoutes);
+engineServer.route("/auth", authRoutes);
 
 engineServer.onError((err, c) => {
   if (err instanceof HTTPException) {
     if (err instanceof EngineHttpException) {
+      defaultLogger.error("[Debug] EngineHttpException", err);
+
       const engineErr = err.engineErr;
       return c.json(
         {

src/server/middleware/auth/keypair.ts

@@ -11,7 +11,7 @@ import { env } from "../../../lib/env";
 import { HTTPException } from "hono/http-exception";
 import { extractJwt } from "./shared";
 import type { KeypairDbEntry } from "../../../db/types";
-import { createHash } from "crypto";
+import { createHash } from "node:crypto";
 
 function checkKeypairAuth({
   jwt,
@@ -23,7 +23,6 @@ function checkKeypairAuth({
   // First decode without verification to get the keypair info
   const decoded = decode(jwt);
 
-  
   // Get keypair from our DB
   return getKeypair({
     publicKey: decoded.payload.iss as string,
@@ -34,7 +33,7 @@ function checkKeypairAuth({
         const actualBodyHashBytes = Buffer.from(actualBodyHash, "hex");
         const expectedBodyHashBytes = Buffer.from(
           decoded.payload.bodyHash as string,
-          "hex",
+          "hex"
         );
 
         if (!actualBodyHashBytes.equals(expectedBodyHashBytes)) {
@@ -59,8 +58,8 @@ function checkKeypairAuth({
             kind: "auth",
             code: "invalid_signature",
             status: 401,
-          } as const),
-      ),
+          } as const)
+      )
     )
     .mapErr((err) => {
       if (err.kind === "keypair") {
@@ -84,11 +83,11 @@ export const keypairAuth = createMiddleware(async (c, next) => {
   const actualBodyHash = await c.req
     .arrayBuffer()
     .then((buffer) =>
-      createHash("sha256").update(new Uint8Array(buffer)).digest("hex"),
+      createHash("sha256").update(new Uint8Array(buffer)).digest("hex")
     );
 
   const result = await extractJwt(c.req.header("authorization")).asyncAndThen(
-    (jwt) => checkKeypairAuth({ jwt, actualBodyHash }),
+    (jwt) => checkKeypairAuth({ jwt, actualBodyHash })
   );
 
   if (result.isErr()) {

src/server/middleware/auth/types.ts

@@ -0,0 +1,19 @@
+import type { Permission } from "../../../db/types";
+
+export type AuthContext = {
+  Variables: {
+    user?: {
+      address: string;
+      permissions: Permission[];
+    };
+    keypair?: {
+      createdAt: Date;
+      hash: string;
+      label: string | null;
+      updatedAt: Date;
+      deletedAt: Date | null;
+      publicKey: string;
+      algorithm: "RS256" | "ES256" | "PS256";
+    };
+  };
+};

src/server/routes/auth/access-tokens.ts

@@ -0,0 +1,107 @@
+import { describeRoute } from "hono-openapi";
+import { authRoutesFactory } from "./factory";
+import { resolver, validator } from "hono-openapi/zod";
+import {
+  engineErrToHttpException,
+  mapDbError,
+  zErrorMapper,
+} from "../../../lib/errors";
+import * as z from "zod";
+import { adminAccount } from "../../../lib/admin-account";
+import { config } from "../../../lib/config";
+import { encodeJWT } from "thirdweb/utils";
+import { db } from "../../../db/connection";
+import { tokens } from "../../../db/schema";
+import { ResultAsync } from "neverthrow";
+import { accessTokenDbEntrySchema } from "../../../db/derived-schemas";
+import { wrapResponseSchema } from "../../schemas/shared-api-schemas";
+
+export const createAccessTokenRoute = authRoutesFactory.createHandlers(
+  describeRoute({
+    tags: ["Auth"],
+    summary: "Create Access Token",
+    description: "Create an access token for a client",
+    responses: {
+      200: {
+        description: "Access token created successfully",
+        content: {
+          "application/json": {
+            schema: resolver(
+              wrapResponseSchema(
+                accessTokenDbEntrySchema.extend({
+                  accessToken: z.string().openapi({
+                    description: "The access token created",
+                  }),
+                })
+              )
+            ),
+          },
+        },
+      },
+    },
+  }),
+  validator(
+    "json",
+    z.object({
+      label: z.string(),
+    }),
+    zErrorMapper
+  ),
+  async (c) => {
+    const { label } = c.req.valid("json");
+
+    const user = c.get("user");
+
+    const expiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24 * 365 * 100);
+
+    const id = crypto.randomUUID();
+    const jwt = await encodeJWT({
+      account: adminAccount,
+      payload: {
+        iss: adminAccount.address,
+        sub: user?.address ?? adminAccount.address,
+        aud: config.authDomain,
+        nbf: new Date(),
+        // Set to expire in 100 years
+        exp: expiresAt,
+        iat: new Date(),
+        ctx: {
+          permissions: user?.permissions ?? ["ADMIN"],
+        },
+        jti: id,
+      },
+    });
+
+    const dbResult = await ResultAsync.fromPromise(
+      db
+        .insert(tokens)
+        .values({
+          id,
+          accountAddress: user?.address ?? adminAccount.address,
+          isAccessToken: true,
+          label: label,
+          expiresAt,
+          tokenMask: `${jwt.slice(0, 10)}...${jwt.slice(-10)}`,
+        })
+        .returning(),
+      mapDbError
+    );
+
+    if (dbResult.isErr()) {
+      throw engineErrToHttpException(dbResult.error);
+    }
+
+    const createdToken = dbResult.value[0];
+
+    if (!createdToken) {
+      throw engineErrToHttpException({
+        kind: "database",
+        code: "query_failed",
+        status: 500,
+        message: "Failed to create access token",
+      });
+    }
+
+    return c.json({ result: { accessToken: jwt, ...createdToken } });
+  }
+);

src/server/routes/auth/factory.ts

@@ -0,0 +1,4 @@
+import { createFactory } from "hono/factory";
+import type { AuthContext } from "../../middleware/auth/types";
+
+export const authRoutesFactory = createFactory<AuthContext>();