rpc: use goware/validation for origin validation & matching

proto/authenticator.ridl

@@ -51,6 +51,8 @@ struct Tenant
   - oidcProviders: []OpenIdProvider
     + go.field.name = OIDCProviders
   - allowedOrigins: []string
+    + go.field.type = validation.Origins
+    + go.type.import = github.com/goware/validation
   - updatedAt: timestamp
 
 struct TenantData
@@ -81,6 +83,8 @@ struct TenantData
     + json = kmsKeys
   - allowedOrigins: []string
     + json = allowedOrigins
+    + go.field.type = validation.Origins
+    + go.type.import = github.com/goware/validation
 
 struct MiniSequenceContext
   - factory: string

proto/clients/authenticator.gen.ts

@@ -1,5 +1,5 @@
 /* eslint-disable */
-// sequence-waas-authenticator v0.1.0 3f8465a3a233581e35b46bda830d8b31e2e71bde
+// sequence-waas-authenticator v0.1.0 72a0165f606ce0df3a64b01fece4b59c6b05fd10
 // --
 // Code generated by [email protected] with typescript generator. DO NOT EDIT.
 //
@@ -12,7 +12,7 @@ export const WebRPCVersion = "v1"
 export const WebRPCSchemaVersion = "v0.1.0"
 
 // Schema hash generated from your RIDL schema
-export const WebRPCSchemaHash = "3f8465a3a233581e35b46bda830d8b31e2e71bde"
+export const WebRPCSchemaHash = "72a0165f606ce0df3a64b01fece4b59c6b05fd10"
 
 //
 // Types

rpc/admin.go

@@ -13,6 +13,7 @@ import (
 	"github.com/0xsequence/waas-authenticator/proto"
 	"github.com/0xsequence/waas-authenticator/rpc/attestation"
 	"github.com/0xsequence/waas-authenticator/rpc/crypto"
+	"github.com/goware/validation"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -57,8 +58,9 @@ func (s *RPC) CreateTenant(
 		return nil, "", fmt.Errorf("invalid oidcProviders: %w", err)
 	}
 
-	if len(allowedOrigins) == 0 {
-		return nil, "", fmt.Errorf("at least one allowed origin is required")
+	origins, err := validation.NewOrigins(allowedOrigins...)
+	if err != nil {
+		return nil, "", fmt.Errorf("invalid allowedOrigins: %w", err)
 	}
 
 	wallet, err := ethwallet.NewWalletFromRandomEntropy()
@@ -111,7 +113,7 @@ func (s *RPC) CreateTenant(
 		WaasAccessToken: waasAccessToken,
 		OIDCProviders:   oidcProviders,
 		KMSKeys:         s.Config.KMS.DefaultSessionKeys,
-		AllowedOrigins:  allowedOrigins,
+		AllowedOrigins:  origins,
 	}
 
 	encryptedKey, algorithm, ciphertext, err := crypto.EncryptData(ctx, att, s.Config.KMS.TenantKeys[0], tenantData)
@@ -168,12 +170,13 @@ func (s *RPC) UpdateTenant(
 		return nil, fmt.Errorf("invalid oidcProviders: %w", err)
 	}
 
-	if len(allowedOrigins) == 0 {
-		return nil, fmt.Errorf("at least one allowed origin is required")
+	origins, err := validation.NewOrigins(allowedOrigins...)
+	if err != nil {
+		return nil, fmt.Errorf("invalid allowedOrigins: %w", err)
 	}
 
 	tntData.OIDCProviders = oidcProviders
-	tntData.AllowedOrigins = allowedOrigins
+	tntData.AllowedOrigins = origins
 
 	encryptedKey, algorithm, ciphertext, err := crypto.EncryptData(ctx, att, s.Config.KMS.TenantKeys[0], tntData)
 	if err != nil {
@@ -190,10 +193,11 @@ func (s *RPC) UpdateTenant(
 	}
 
 	retTenant := &proto.Tenant{
-		ProjectID:     tnt.ProjectID,
-		Version:       tnt.Version,
-		OIDCProviders: tntData.OIDCProviders,
-		UpdatedAt:     tnt.CreatedAt,
+		ProjectID:      tnt.ProjectID,
+		Version:        tnt.Version,
+		OIDCProviders:  tntData.OIDCProviders,
+		AllowedOrigins: tntData.AllowedOrigins,
+		UpdatedAt:      tnt.CreatedAt,
 	}
 	return retTenant, nil
 }

rpc/admin_test.go

@@ -12,6 +12,7 @@ import (
 	"github.com/0xsequence/nitrocontrol/enclave"
 	"github.com/0xsequence/waas-authenticator/data"
 	"github.com/0xsequence/waas-authenticator/proto"
+	"github.com/goware/validation"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -53,7 +54,7 @@ func TestRPC_GetTenant(t *testing.T) {
 		require.NoError(t, err)
 		assert.NotEmpty(t, tnt)
 		assert.Equal(t, uint64(1), tnt.ProjectID)
-		assert.Equal(t, []string{"http://localhost"}, tnt.AllowedOrigins)
+		assert.Equal(t, validation.Origins{"http://localhost"}, tnt.AllowedOrigins)
 	})
 
 	t.Run("MissingTenant", func(t *testing.T) {
@@ -115,11 +116,12 @@ func TestRPC_CreateTenant(t *testing.T) {
 		assert.ErrorContains(t, err, "invalid oidcProviders")
 	})
 
-	t.Run("NoAllowedOrigins", func(t *testing.T) {
-		tnt, code, err := c.CreateTenant(ctx, 2, "WAAS_ACCESS_TOKEN", validOidcProviders, nil)
+	t.Run("InvalidOrigin", func(t *testing.T) {
+		invalidOrigins := []string{"localhost"}
+		tnt, code, err := c.CreateTenant(ctx, 2, "WAAS_ACCESS_TOKEN", validOidcProviders, invalidOrigins)
 		assert.Nil(t, tnt)
 		assert.Empty(t, code)
-		assert.ErrorContains(t, err, "at least one allowed origin is required")
+		assert.ErrorContains(t, err, "invalid allowedOrigins")
 	})
 
 	t.Run("Success", func(t *testing.T) {

rpc/helpers_test.go

@@ -32,6 +32,7 @@ import (
 	dynamodbtypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	kmstypes "github.com/aws/aws-sdk-go-v2/service/kms/types"
+	"github.com/goware/validation"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/lestrrat-go/jwx/v2/jwt"
@@ -461,7 +462,7 @@ func newTenant(t *testing.T, enc *enclave.Enclave, issuer string) (*data.Tenant,
 			{Issuer: issuer, Audience: []string{"audience"}},
 			{Issuer: "https://" + strings.TrimPrefix(issuer, "http://"), Audience: []string{"audience"}},
 		},
-		AllowedOrigins: []string{"http://localhost"},
+		AllowedOrigins: validation.Origins{"http://localhost"},
 		KMSKeys:        []string{"SessionKey"},
 	}
 

rpc/tenant/middleware.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"slices"
 	"strconv"
 	"strings"
 
@@ -56,8 +55,8 @@ func Middleware(tenants *data.TenantTable, tenantKeys []string) func(http.Handle
 			}
 
 			origin := r.Header.Get("origin")
-			if origin != "" && len(tntData.AllowedOrigins) > 0 {
-				if !slices.Contains(tntData.AllowedOrigins, origin) {
+			if origin != "" {
+				if !tntData.AllowedOrigins.MatchAny(origin) {
 					proto.RespondWithError(w, fmt.Errorf("origin not allowed"))
 					return
 				}