feat: implement role-based auth system with middleware and signature verification [skip ci]

Author: AryanGodara

apps/leaderboard-backend/src/auth/index.ts

@@ -0,0 +1,6 @@
+export * from "./roles"
+export * from "./verifySignature"
+export * from "./middlewares/userAuth"
+export * from "./middlewares/gameAuth"
+export * from "./middlewares/guildAuth"
+export * from "./middlewares/requireAuth"

apps/leaderboard-backend/src/auth/middlewares/gameAuth.ts

@@ -0,0 +1,20 @@
+import { createMiddleware } from "hono/factory"
+import type { GameTableId, UserTableId } from "../../db/types"
+
+export const requireGameOwnership = createMiddleware(async (c, next) => {
+    const userId = c.get("userId") as UserTableId
+    const gameId = c.req.param("id")
+    const { gameRepo } = c.get("repos")
+
+    const game = await gameRepo.findById(Number(gameId) as GameTableId)
+
+    if (!game) {
+        return c.json({ error: "Game not found", ok: false }, 404)
+    }
+
+    if (game.admin_id !== userId) {
+        return c.json({ error: "Only the game creator can perform this action", ok: false }, 403)
+    }
+
+    await next()
+})

apps/leaderboard-backend/src/auth/middlewares/guildAuth.ts

@@ -0,0 +1,34 @@
+import { createMiddleware } from "hono/factory"
+import type { GuildTableId, UserTableId } from "../../db/types"
+import type { GuildRole } from "../roles"
+
+export const requireGuildRole = (role: keyof typeof GuildRole) => {
+    return createMiddleware(async (c, next) => {
+        const userId = c.get("userId") as UserTableId
+        const guildId = c.req.param("id")
+        const { guildRepo } = c.get("repos")
+
+        const guild = await guildRepo.findById(Number(guildId) as GuildTableId)
+        if (!guild) {
+            return c.json({ error: "Guild not found", ok: false }, 404)
+        }
+
+        if (role === "CREATOR" && guild.creator_id !== userId) {
+            return c.json({ error: "Only the guild creator can perform this action", ok: false }, 403)
+        }
+
+        if (role === "MEMBER" || role === "ADMIN") {
+            const member = await guildRepo.findGuildMember(Number(guildId) as GuildTableId, userId)
+
+            if (!member) {
+                return c.json({ error: "You are not a member of this guild", ok: false }, 403)
+            }
+
+            if (role === "ADMIN" && !member.is_admin) {
+                return c.json({ error: "Admin privileges required", ok: false }, 403)
+            }
+        }
+
+        await next()
+    })
+}

apps/leaderboard-backend/src/auth/middlewares/requireAuth.ts

@@ -0,0 +1,41 @@
+import type { Address } from "@happy.tech/common"
+import type { MiddlewareHandler } from "hono"
+import { createMiddleware } from "hono/factory"
+import type { AuthSessionTableId, UserTableId } from "../../db/types"
+
+// Define the context variables we'll set in the middleware
+declare module "hono" {
+    interface ContextVariableMap {
+        userId: UserTableId
+        primaryWallet: Address
+        sessionId: AuthSessionTableId
+    }
+}
+
+/**
+ * Middleware that verifies if a user is authenticated via session
+ * Requires Authorization header with Bearer token containing the session ID
+ */
+export const requireAuth: MiddlewareHandler = createMiddleware(async (c, next) => {
+    const authHeader = c.req.header("Authorization")
+
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        return c.json({ error: "Authentication required", ok: false }, 401)
+    }
+
+    const sessionId = authHeader.substring(7) as AuthSessionTableId
+
+    const { authRepo } = c.get("repos")
+    const session = await authRepo.verifySession(sessionId)
+
+    if (!session) {
+        return c.json({ error: "Invalid or expired session", ok: false }, 401)
+    }
+
+    // Set user context for downstream middleware and handlers
+    c.set("userId", session.user_id)
+    c.set("primaryWallet", session.primary_wallet)
+    c.set("sessionId", session.id)
+
+    await next()
+})

apps/leaderboard-backend/src/auth/middlewares/userAuth.ts

@@ -0,0 +1,19 @@
+import { createMiddleware } from "hono/factory"
+import type { UserTableId } from "../../db/types"
+
+export const requireOwnership = (paramName: string, idType: "id" | "primary_wallet") => {
+    return createMiddleware(async (c, next) => {
+        const userId = c.get("userId") as UserTableId
+        const resourceId = c.req.param(paramName)
+
+        if (idType === "id" && userId !== (Number(resourceId) as UserTableId)) {
+            return c.json({ error: "You can only access your own resources", ok: false }, 403)
+        }
+
+        if (idType === "primary_wallet" && c.get("primaryWallet") !== resourceId) {
+            return c.json({ error: "You can only access your own resources", ok: false }, 403)
+        }
+
+        await next()
+    })
+}

apps/leaderboard-backend/src/auth/roles.ts

@@ -0,0 +1,48 @@
+export enum UserRole {
+    AUTHENTICATED = "authenticated", // Any authenticated user
+    SELF = "self", // The user themselves (for self-management)
+}
+
+export enum GuildRole {
+    MEMBER = "member", // Regular guild member
+    ADMIN = "admin", // Guild admin (can manage members)
+    CREATOR = "creator", // Guild creator (can delete guild)
+}
+
+export enum GameRole {
+    PLAYER = "player", // Regular player (can submit scores)
+    CREATOR = "creator", // Game creator (can manage game)
+}
+
+export const Permissions = {
+    User: {
+        READ: [UserRole.AUTHENTICATED, UserRole.SELF], // Anyone can read user profiles
+        CREATE: [UserRole.AUTHENTICATED], // Any authenticated user can create a profile
+        UPDATE: [UserRole.SELF], // Only the user can update their profile
+        DELETE: [UserRole.SELF], // Only the user can delete their profile
+        MANAGE_WALLETS: [UserRole.SELF], // Only the user can manage their wallets
+    },
+
+    Guild: {
+        READ: [UserRole.AUTHENTICATED], // Anyone can read guild info
+        CREATE: [UserRole.AUTHENTICATED], // Any authenticated user can create a guild
+        UPDATE: [GuildRole.ADMIN, GuildRole.CREATOR], // Admins and creators can update guild
+        DELETE: [GuildRole.CREATOR], // Only creator can delete guild
+        ADD_MEMBER: [GuildRole.ADMIN, GuildRole.CREATOR], // Admins and creators can add members
+        REMOVE_MEMBER: [GuildRole.ADMIN, GuildRole.CREATOR], // Admins and creators can remove members
+        PROMOTE_MEMBER: [GuildRole.CREATOR], // Only creator can promote members to admin
+    },
+
+    Game: {
+        READ: [UserRole.AUTHENTICATED], // Anyone can read game info
+        CREATE: [UserRole.AUTHENTICATED], // Any authenticated user can create a game
+        UPDATE: [GameRole.CREATOR], // Only creator can update game
+        DELETE: [GameRole.CREATOR], // Only creator can delete game
+        SUBMIT_SCORE: [UserRole.AUTHENTICATED], // Any authenticated user can submit scores
+        MANAGE_SCORES: [GameRole.CREATOR], // Only creator can manage/delete scores
+    },
+}
+
+export type RoleType = UserRole | GuildRole | GameRole
+export type ResourceType = "user" | "guild" | "game" | "score"
+export type ActionType = "read" | "create" | "update" | "delete" | "manage"

apps/leaderboard-backend/src/auth/verifySignature.ts

@@ -0,0 +1,39 @@
+import type { Address, Hex } from "@happy.tech/common"
+import { abis } from "@happy.tech/contracts/boop/anvil"
+import { http, createPublicClient, hashMessage } from "viem"
+import { localhost } from "viem/chains"
+import { env } from "../env"
+
+// ERC-1271 magic value constant
+const EIP1271_MAGIC_VALUE = "0x1626ba7e"
+
+/**
+ * Verifies a signature against a wallet address using ERC-1271 standard
+ * Makes an RPC call to the smart contract account for signature verification
+ *
+ * @param walletAddress - The wallet address to verify against
+ * @param message - The message that was signed
+ * @param signature - The signature to verify
+ * @returns Promise<boolean> - Whether the signature is valid
+ */
+export async function verifySignature(walletAddress: Address, message: Hex, signature: Hex): Promise<boolean> {
+    try {
+        const publicClient = createPublicClient({
+            chain: localhost,
+            transport: http(env.RPC_URL),
+        })
+
+        const messageHash = hashMessage({ raw: message })
+        const result = await publicClient.readContract({
+            address: walletAddress,
+            abi: abis.HappyAccountImpl,
+            functionName: "isValidSignature",
+            args: [messageHash, signature],
+        })
+
+        return result === EIP1271_MAGIC_VALUE
+    } catch (error) {
+        console.error("Error verifying signature:", error)
+        return false
+    }
+}

apps/leaderboard-backend/src/env.ts

@@ -4,7 +4,7 @@ const envSchema = z.object({
     LEADERBOARD_DB_URL: z.string().trim(),
     PORT: z.string().trim().default("4545"),
     DATABASE_MIGRATE_DIR: z.string().trim().default("migrations"),
-    SESSION_EXPIRY: z.string().trim().default("1h"),
+    SESSION_EXPIRY: z.string().trim().default("1d"),
     SIGN_MESSAGE_PREFIX: z.string().trim().default("HappyChain Authentication"),
     RPC_URL: z.string().trim().default("http://localhost:8545"),
 })

apps/leaderboard-backend/src/middlewares/isValidSignature.ts

@@ -1,16 +1,14 @@
 import { createUUID } from "@happy.tech/common"
-import type { Address, Hex } from "@happy.tech/common"
+import type { Address } from "@happy.tech/common"
 import { abis, deployment } from "@happy.tech/contracts/boop/anvil"
 
 import type { Kysely } from "kysely"
-import { http, createPublicClient, hashMessage } from "viem"
+import { http, createPublicClient } from "viem"
 import { localhost } from "viem/chains"
 
 import type { AuthSession, AuthSessionTableId, Database, NewAuthSession, UserTableId } from "../db/types"
 import { env } from "../env"
 
-const EIP1271_MAGIC_VALUE = "0x1626ba7e"
-
 export class AuthRepository {
     private publicClient: ReturnType<typeof createPublicClient>
 
@@ -34,23 +32,6 @@ export class AuthRepository {
         return `${nonce}${timestamp}`
     }
 
-    async verifySignature(primary_wallet: Address, message: Hex, signature: Hex): Promise<boolean> {
-        try {
-            const messageHash = await hashMessage({ raw: message })
-            const result = await this.publicClient.readContract({
-                address: primary_wallet,
-                abi: abis.HappyAccountImpl,
-                functionName: "isValidSignature",
-                args: [messageHash, signature],
-            })
-
-            return result === EIP1271_MAGIC_VALUE
-        } catch (error) {
-            console.error("Error verifying signature:", error)
-            return false
-        }
-    }
-
     async createSession(userId: UserTableId, walletAddress: Address): Promise<AuthSession | undefined> {
         try {
             const now = new Date()