add basic auth to queues management

Author: arcoraven

package.json

@@ -27,13 +27,14 @@
   "dependencies": {
     "@aws-sdk/client-kms": "^3.398.0",
     "@bull-board/fastify": "^5.21.1",
+    "@fastify/basic-auth": "^5.1.1",
     "@fastify/cookie": "^8.3.0",
     "@fastify/express": "^2.3.0",
     "@fastify/swagger": "^8.9.0",
     "@fastify/type-provider-typebox": "^3.2.0",
     "@fastify/websocket": "^8.2.0",
     "@google-cloud/kms": "^4.4.0",
-    "@prisma/client": "^5.16.1",
+    "@prisma/client": "5.17.0",
     "@sinclair/typebox": "^0.31.28",
     "@t3-oss/env-core": "^0.6.0",
     "@thirdweb-dev/auth": "^4.1.87",
@@ -43,7 +44,7 @@
     "@types/base-64": "^1.0.2",
     "base-64": "^1.0.0",
     "body-parser": "^1.20.2",
-    "bullmq": "^5.10.3",
+    "bullmq": "^5.11.0",
     "cookie": "^0.5.0",
     "cookie-parser": "^1.4.6",
     "cron-parser": "^4.9.0",

src/server/middleware/adminRoutes.ts

@@ -1,8 +1,12 @@
 import { createBullBoard } from "@bull-board/api";
 import { BullMQAdapter } from "@bull-board/api/bullMQAdapter";
 import { FastifyAdapter } from "@bull-board/fastify";
+import fastifyBasicAuth from "@fastify/basic-auth";
 import { Queue } from "bullmq";
+import { timingSafeEqual } from "crypto";
 import { FastifyInstance } from "fastify";
+import { StatusCodes } from "http-status-codes";
+import { env } from "../../utils/env";
 import { CancelRecycledNoncesQueue } from "../../worker/queues/cancelRecycledNoncesQueue";
 import { MineTransactionQueue } from "../../worker/queues/mineTransactionQueue";
 import { ProcessEventsLogQueue } from "../../worker/queues/processEventLogsQueue";
@@ -11,29 +15,71 @@ import { PruneTransactionsQueue } from "../../worker/queues/pruneTransactionsQue
 import { SendTransactionQueue } from "../../worker/queues/sendTransactionQueue";
 import { SendWebhookQueue } from "../../worker/queues/sendWebhookQueue";
 
-export const withAdminRoutes = async (server: FastifyInstance) => {
-  const serverAdapter = new FastifyAdapter();
+export const ADMIN_QUEUES_BASEPATH = "/admin/queues";
+const ADMIN_ROUTES_PASSWORD = env.THIRDWEB_API_SECRET_KEY;
+// Add queues to monitor here.
+const QUEUES: Queue[] = [
+  SendWebhookQueue.q,
+  ProcessEventsLogQueue.q,
+  ProcessTransactionReceiptsQueue.q,
+  SendTransactionQueue.q,
+  MineTransactionQueue.q,
+  CancelRecycledNoncesQueue.q,
+  PruneTransactionsQueue.q,
+];
 
-  const queues: Queue[] = [
-    SendWebhookQueue.q,
-    ProcessEventsLogQueue.q,
-    ProcessTransactionReceiptsQueue.q,
-    SendTransactionQueue.q,
-    MineTransactionQueue.q,
-    CancelRecycledNoncesQueue.q,
-    PruneTransactionsQueue.q,
-  ];
-
-  createBullBoard({
-    queues: queues.map((q) => new BullMQAdapter(q)),
-    serverAdapter,
+export const withAdminRoutes = async (fastify: FastifyInstance) => {
+  // Configure basic auth.
+  await fastify.register(fastifyBasicAuth, {
+    validate: (username, password, req, reply, done) => {
+      if (assertAdminBasicAuth(username, password)) {
+        done();
+        return;
+      }
+      done(new Error("Unauthorized"));
+    },
+    authenticate: true,
   });
 
-  const bullboardPath = "/admin/queues";
+  // Set up routes after Fastify is set up.
+  fastify.after(async () => {
+    // Register bullboard UI.
+    const serverAdapter = new FastifyAdapter();
+    serverAdapter.setBasePath(ADMIN_QUEUES_BASEPATH);
+
+    createBullBoard({
+      queues: QUEUES.map((q) => new BullMQAdapter(q)),
+      serverAdapter,
+    });
+    await fastify.register(serverAdapter.registerPlugin(), {
+      basePath: ADMIN_QUEUES_BASEPATH,
+      prefix: ADMIN_QUEUES_BASEPATH,
+    });
 
-  serverAdapter.setBasePath(bullboardPath);
-  await server.register(serverAdapter.registerPlugin(), {
-    basePath: bullboardPath,
-    prefix: bullboardPath,
+    // Apply basic auth only to admin routes.
+    fastify.addHook("onRequest", (req, reply, done) => {
+      if (req.url.startsWith(ADMIN_QUEUES_BASEPATH)) {
+        fastify.basicAuth(req, reply, (error) => {
+          if (error) {
+            reply
+              .status(StatusCodes.UNAUTHORIZED)
+              .send({ error: "Unauthorized" });
+            return done(error);
+          }
+        });
+      }
+      done();
+    });
   });
 };
+
+const assertAdminBasicAuth = (username: string, password: string) => {
+  if (username === "admin") {
+    try {
+      const buf1 = Buffer.from(password.padEnd(100));
+      const buf2 = Buffer.from(ADMIN_ROUTES_PASSWORD.padEnd(100));
+      return timingSafeEqual(buf1, buf2);
+    } catch (e) {}
+  }
+  return false;
+};

src/server/middleware/auth.ts

@@ -24,6 +24,7 @@ import { env } from "../../utils/env";
 import { logger } from "../../utils/logger";
 import { sendWebhookRequest } from "../../utils/webhook";
 import { Permission } from "../schemas/auth";
+import { ADMIN_QUEUES_BASEPATH } from "./adminRoutes";
 
 export type TAuthData = never;
 export type TAuthSession = { permissions: string };
@@ -229,6 +230,11 @@ const handlePublicEndpoints = (req: FastifyRequest): AuthResponse => {
     }
   }
 
+  // Admin routes enforce their own auth.
+  if (req.url.startsWith(ADMIN_QUEUES_BASEPATH)) {
+    return { isAuthed: true };
+  }
+
   return { isAuthed: false };
 };
 

src/utils/tracer.ts

@@ -1,10 +1,8 @@
 import tracer from "dd-trace";
-import {env} from "./env";
+import { env } from "./env";
 
 if (env.DD_TRACER_ACTIVATED) {
   tracer.init(); // initialized in a different file to avoid hoisting.
-} else {
-  console.info("DD_TRACER_ACTIVATED is not activated");
 }
 
 export default tracer;

yarn.lock

@@ -1782,6 +1782,14 @@
     ajv-formats "^2.1.1"
     fast-uri "^2.0.0"
 
+"@fastify/basic-auth@^5.1.1":
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/@fastify/basic-auth/-/basic-auth-5.1.1.tgz#ff93d787bbbbd93b126550b797e1c416628c0a49"
+  integrity sha512-L4b7EK5LKZnV6fdH1+rQbjhkKGXjCfiKJ0JkdGHZQPBMHMiXDZF8xbZsCakWGf9c7jDXJicP3FPcIXUPBkuSeQ==
+  dependencies:
+    "@fastify/error" "^3.0.0"
+    fastify-plugin "^4.0.0"
+
 "@fastify/cookie@^8.3.0":
   version "8.3.0"
   resolved "https://registry.yarnpkg.com/@fastify/cookie/-/cookie-8.3.0.tgz#7d3304fcf0d11ea64ae8e02d65ae217b01fe1cf4"
@@ -1798,7 +1806,7 @@
     cookie-signature "^1.1.0"
     fastify-plugin "^4.0.0"
 
-"@fastify/error@^3.3.0", "@fastify/error@^3.4.0":
+"@fastify/error@^3.0.0", "@fastify/error@^3.3.0", "@fastify/error@^3.4.0":
   version "3.4.1"
   resolved "https://registry.yarnpkg.com/@fastify/error/-/error-3.4.1.tgz#b14bb4cac3dd4ec614becbc643d1511331a6425c"
   integrity sha512-wWSvph+29GR783IhmvdwWnN4bUxTD01Vm5Xad4i7i1VuAOItLvbPAb69sb0IQ2N57yprvhNIwAP5B6xfKTmjmQ==
@@ -2530,10 +2538,10 @@
   resolved "https://registry.yarnpkg.com/@pkgjs/parseargs/-/parseargs-0.11.0.tgz#a77ea742fab25775145434eb1d2328cf5013ac33"
   integrity sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==
 
-"@prisma/client@^5.16.1":
-  version "5.16.1"
-  resolved "https://registry.yarnpkg.com/@prisma/client/-/client-5.16.1.tgz#65c5649b4701c097e7fa943c91a3140ce8bf053d"
-  integrity sha512-wM9SKQjF0qLxdnOZIVAIMKiz6Hu7vDt4FFAih85K1dk/Rr2mdahy6d3QP41K62N9O0DJJA//gUDA3Mp49xsKIg==
+"@prisma/client@5.17.0":
+  version "5.17.0"
+  resolved "https://registry.yarnpkg.com/@prisma/client/-/client-5.17.0.tgz#9079947bd749689c2dabfb9ecc70a24ebefb1f43"
+  integrity sha512-N2tnyKayT0Zf7mHjwEyE8iG7FwTmXDHFZ1GnNhQp0pJUObsuel4ZZ1XwfuAYkq5mRIiC/Kot0kt0tGCfLJ70Jw==
 
 "@prisma/debug@5.17.0":
   version "5.17.0"
@@ -5349,10 +5357,10 @@ builtin-status-codes@^3.0.0:
   resolved "https://registry.yarnpkg.com/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz#85982878e21b98e1c66425e03d0174788f569ee8"
   integrity sha512-HpGFw18DgFWlncDfjTa2rcQ4W88O1mC8e8yZ2AvQY5KDaktSTwo+KRf6nHK6FRI5FyRyb/5T6+TSxfP7QyGsmQ==
 
-bullmq@^5.10.3:
-  version "5.10.3"
-  resolved "https://registry.yarnpkg.com/bullmq/-/bullmq-5.10.3.tgz#655d5bc8621ad5fc78f94559206024e3b7639088"
-  integrity sha512-kJZTTPs5WNcNdkqyECXEckgXy7RZgf75emzbiJ+2Q4fKHDvLbeEnbveGwYxncNaJQMcsu6gjr6eHIgMMzD3gSw==
+bullmq@^5.11.0:
+  version "5.11.0"
+  resolved "https://registry.yarnpkg.com/bullmq/-/bullmq-5.11.0.tgz#15c526d4a45453843b36cc34bdcaa5249772d22e"
+  integrity sha512-qVzyWGZqie3VHaYEgRXhId/j8ebfmj6MExEJyUByMsUJA5pVciVle3hKLer5fyMwtQ8lTMP7GwhXV/NZ+HzlRA==
   dependencies:
     cron-parser "^4.6.0"
     ioredis "^5.4.1"