coinbase · erdimaden · May 13, 2024 · May 13, 2024 · May 13, 2024 · May 13, 2024
diff --git a/package.json b/package.json
@@ -12,7 +12,7 @@
     "format": "prettier -c .prettierrc --write \"**/*.{ts,js,cjs,json,md}\"",
     "format-check": "prettier -c .prettierrc --check \"**/*.{ts,js,cjs,json,md}\"",
     "check": "tsc --noEmit",
-    "test": "NODE_OPTIONS=--experimental-vm-modules npx jest --no-cache",
+    "test": "npx jest --no-cache",
     "clean": "rm -rf dist/*",
     "build": "tsc",
     "prepack": "tsc"
@@ -39,6 +39,7 @@
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-prettier": "^5.1.3",
     "jest": "^29.7.0",
+    "mock-fs": "^5.2.0",
     "prettier": "^3.2.5",
     "ts-jest": "^29.1.2",
     "ts-node": "^10.9.2",

diff --git a/src/coinbase/authenticator.ts b/src/coinbase/authenticator.ts
@@ -0,0 +1,126 @@
+import { JWK, JWS } from "node-jose";
+import { InternalError, InvalidAPIKeyFormat } from "./errors";
+import { InternalAxiosRequestConfig } from "axios";
+
+const legacyPemHeader = "-----BEGIN ECDSA Private Key-----";
+const legacyPemFooter = "-----END ECDSA Private Key-----";
+const pemHeader = "-----BEGIN EC PRIVATE KEY-----";
+const pemFooter = "-----END EC PRIVATE KEY-----";
+
+// A class that builds JWTs for authenticating with the Coinbase Platform APIs.
+export class CoinbaseAuthenticator {
+  private apiKey: string;
+  private privateKey: string;
+
+  /* 
+    Initializes the Authenticator.
+    @constructor
+    @param {string} apiKey - The API key name.
+    @param {string} privateKey - The private key associated with the API key.
+  */
+  constructor(apiKey: string, privateKey: string) {
+    this.apiKey = apiKey;
+    this.privateKey = privateKey;
+  }
+
+  /*
+    Middleware to intercept requests and add JWT to the Authorization header for AxiosInterceptor
+    @param {MiddlewareRequestType} config - The request configuration.
+    @returns {MiddlewareRequestType} The request configuration with the Authorization header added.
+  */
+  async authenticateRequest(config: InternalAxiosRequestConfig) {
+    const method = config.method?.toString().toUpperCase();
+    const token = await this.buildJWT(config.url || "", method);
+
+    config.headers["Authorization"] = `Bearer ${token}`;
+    config.headers["Content-Type"] = "application/json";
+    return config;
+  }
+
+  /* 
+    Builds the JWT for the given API endpoint URI. The JWT is signed with the API key's private key.
+    @param {string} url - The URI of the API endpoint.
+    @param {string} method - The HTTP method of the request.
+    @returns {string} The signed JWT.
+  */
+  async buildJWT(url: string, method = "GET"): Promise<string> {
+    const pemPrivateKey = this.extractPemKey(this.privateKey);
+    let privateKey: JWK.Key;
+
+    try {
+      privateKey = await JWK.asKey(pemPrivateKey, "pem");
+      if (privateKey.kty !== "EC") {
+        throw InternalError;
+      }
+    } catch (error) {
+      throw InternalError;
+    }
+
+    const header = {
+      alg: "ES256",
+      kid: this.apiKey,
+      typ: "JWT",
+      nonce: this.nonce(),
+    };
+
+    const uri = `${method} ${url.substring(8)}`;
+    const claims = {
+      sub: this.apiKey,
+      iss: "coinbase-cloud",
+      aud: ["cdp_service"],
+      nbf: Math.floor(Date.now() / 1000),
+      exp: Math.floor(Date.now() / 1000) + 60, // +1 minute
+      uri,
+    };
+
+    const payload = Buffer.from(JSON.stringify(claims)).toString("utf8");
+    try {
+      const result = await JWS.createSign({ format: "compact", fields: header }, privateKey)
+        .update(payload)
+        .final();
+
+      return result as unknown as string;
+    } catch (err) {
+      throw InternalError;
+    }
+  }
+
+  /* 
+    Extracts the PEM key from the given private key string.
+    @param {string} privateKeyString - The private key string.
+    @returns {string} The PEM key.
+  */
+  extractPemKey(privateKeyString: string): string {
+    // Remove all newline characters
+    privateKeyString = privateKeyString.replace(/\n/g, "");
+
+    // If the string starts with the standard PEM header and footer, return as is.
+    if (privateKeyString.startsWith(pemHeader) && privateKeyString.endsWith(pemFooter)) {
+      return privateKeyString;
+    }
+
+    // If the string starts with the legacy header and footer, replace them.
+    const regex = new RegExp(`^${legacyPemHeader}([\\s\\S]+?)${legacyPemFooter}$`);
+
+    const match = privateKeyString.match(regex);
+
+    if (match && match[1]) {
+      return pemHeader + match[1].trim() + pemFooter;
+    }
+
+    // The string does not match any of the expected formats.
+    throw InvalidAPIKeyFormat;
+  }
+
+  // Generates a random nonce for the JWT.
+  nonce(): string {
+    const range = "0123456789";
+    let result = "";
+
+    for (let i = 0; i < 16; i++) {
+      result += range.charAt(Math.floor(Math.random() * range.length));
+    }
+
+    return result;
+  }
+}
diff --git a/src/coinbase/errors.ts b/src/coinbase/errors.ts
@@ -0,0 +1,3 @@
+export const InvalidConfiguration = new Error("Invalid configuration");
+export const InvalidAPIKeyFormat = new Error("Invalid format of API private key");
+export const InternalError = new Error(`Internal Error`);
diff --git a/src/coinbase/tests/authenticator_test.ts b/src/coinbase/tests/authenticator_test.ts
@@ -0,0 +1,42 @@
+import { AxiosHeaders } from "axios";
+import { CoinbaseAuthenticator } from "../authenticator";
+
+const VALID_KEY =
+  "organizations/0c3bbe72-ac81-46ec-946a-7cd019d6d86b/apiKeys/db813705-bf33-4e33-816c-4c3f1f54672b";
+const VALID_PRIVATE_KEY =
+  "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIBPl8LBKrDw2Is+bxQEXa2eHhDmvIgArOhSAdmYpYQrCoAoGCCqGSM49\nAwEHoUQDQgAEQSoVSr8ImpS18thpGe3KuL9efy+L+AFdFFfCVwGgCsKvTYVDKaGo\nVmN5Bl6EJkeIQjyarEtWbmY6komwEOdnHA==\n-----END EC PRIVATE KEY-----\n";
+
+const VALID_CONFIG = {
+  method: "GET",
+  url: "https://api.cdp.coinbase.com/platform/v1/users/me",
+  headers: {} as AxiosHeaders,
+};
+
+describe("Authenticator tests", () => {
+  const authenticator = new CoinbaseAuthenticator(VALID_KEY, VALID_PRIVATE_KEY);
+  it("should raise InvalidConfiguration error", async () => {
+    const invalidConfig = {
+      method: "GET",
+      url: "https://api.cdp.coinbase.com/platform/v1/users/me",
+      headers: {} as AxiosHeaders,
+    };
+    const authenticator = new CoinbaseAuthenticator("api_key", "private_key");
+    await expect(authenticator.authenticateRequest(invalidConfig)).rejects.toThrow();
+  });
+
+  it("should return a valid signature", async () => {
+    const config = await authenticator.authenticateRequest(VALID_CONFIG);
+    const token = config.headers?.Authorization as string;
+    expect(token).toContain("Bearer ");
+    // length of the token should be greater than 100
+    expect(token?.length).toBeGreaterThan(100);
+  });
+
+  it("invalid pem key should raise an error", () => {
+    const invalidAuthenticator = new CoinbaseAuthenticator(
+      "test-key",
+      "-----BEGIN EC PRIVATE KEY-----+L+==\n-----END EC PRIVATE KEY-----\n",
+    );
+    expect(invalidAuthenticator.authenticateRequest(VALID_CONFIG)).rejects.toThrow();
+  });
+});