From 4f599c94120b2334f6e9c258c2599ee294f7ee17 Mon Sep 17 00:00:00 2001
From: farhanW3 <132962163+farhanW3@users.noreply.github.com>
Date: Sat, 2 Dec 2023 03:23:09 +0530
Subject: [PATCH] Hacker1 Recommendations (#316)

* fixes as per hacker1 recommendations

* added relayer updated

* updates

* Fix

* Update relayer auth

---------

Co-authored-by: Adam Majmudar <mr.adam.maj@gmail.com>
---
 src/server/middleware/auth.ts       | 25 ++++++++++++++-----------
 src/server/routes/relayer/create.ts | 27 +++++++++++++++++++++++++--
 src/server/routes/relayer/index.ts  |  2 ++
 3 files changed, 41 insertions(+), 13 deletions(-)

diff --git a/src/server/middleware/auth.ts b/src/server/middleware/auth.ts
index 30bb0425e..5ca03c3a8 100644
--- a/src/server/middleware/auth.ts
+++ b/src/server/middleware/auth.ts
@@ -165,23 +165,26 @@ export const withAuth = async (server: FastifyInstance) => {
       req.url === "/favicon.ico" ||
       req.url === "/" ||
       req.url === "/health" ||
-      req.url.startsWith("/static") ||
-      req.url.startsWith("/json") ||
-      req.url.includes("/auth/payload") ||
-      req.url.includes("/auth/login") ||
-      req.url.includes("/auth/user") ||
-      req.url.includes("/auth/switch-account") ||
-      req.url.includes("/auth/logout") ||
-      req.url.includes("/transaction/status")
+      req.url === "/static" ||
+      req.url === "/json" ||
+      req.url === "/auth/payload" ||
+      req.url === "/auth/login" ||
+      req.url === "/auth/user" ||
+      req.url === "/auth/switch-account" ||
+      req.url === "/auth/logout" ||
+      req.url === "/transaction/status"
     ) {
       // We skip auth check for static endpoints and auth routes
       return;
     }
 
     if (
-      req.url.includes("/relayer") &&
-      !req.url.includes("/create") &&
-      !req.url.includes("/revoke")
+      req.url.startsWith("/relayer/") &&
+      req.method === "POST" &&
+      req.url.split("/").length === 2 &&
+      req.url !== "/relayer/create" &&
+      req.url !== "/relayer/revoke" &&
+      req.url !== "/relayer/update"
     ) {
       // Relayer endpoints can handle their own authentication
       return;
diff --git a/src/server/routes/relayer/create.ts b/src/server/routes/relayer/create.ts
index 0b4303790..1c8a90f4d 100644
--- a/src/server/routes/relayer/create.ts
+++ b/src/server/routes/relayer/create.ts
@@ -11,10 +11,33 @@ const BodySchema = Type.Object({
     description:
       "The address of the backend wallet to use for relaying transactions.",
   }),
-  allowedContracts: Type.Optional(Type.Array(Type.String())),
-  allowedForwarders: Type.Optional(Type.Array(Type.String())),
+  allowedContracts: Type.Array(
+    Type.String({
+      minLength: 42,
+      maxLength: 42,
+    }),
+  ),
+
+  allowedForwarders: Type.Optional(
+    Type.Array(
+      Type.String({
+        minLength: 42,
+        maxLength: 42,
+      }),
+    ),
+  ),
 });
 
+BodySchema.examples = [
+  {
+    name: "My relayer",
+    chain: "mainnet",
+    backendWalletAddress: "0",
+    allowedContracts: ["0x1234...."],
+    allowedForwarders: ["0x1234..."],
+  },
+];
+
 const ReplySchema = Type.Object({
   result: Type.Object({
     relayerId: Type.String(),
diff --git a/src/server/routes/relayer/index.ts b/src/server/routes/relayer/index.ts
index 7d7acbb9c..3553070cd 100644
--- a/src/server/routes/relayer/index.ts
+++ b/src/server/routes/relayer/index.ts
@@ -159,6 +159,7 @@ export async function relayTransaction(fastify: FastifyInstance) {
         const { request, signature } = req.body;
         const { v, r, s } = utils.splitSignature(signature);
 
+        // TODO: Remaining for backwards compatibility, but should enforce in the future
         if (
           relayer.allowedContracts &&
           !relayer.allowedContracts.includes(request.to.toLowerCase())
@@ -213,6 +214,7 @@ export async function relayTransaction(fastify: FastifyInstance) {
         });
       }
 
+      // TODO: Remaining for backwards compatibility, but should enforce in the future
       if (
         relayer.allowedContracts &&
         !relayer.allowedContracts.includes(request.to.toLowerCase())