add signer check

entropyxyz · Sep 13, 2024 · abe8958 · abe8958
1 parent 51b3353
commit abe8958
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/crates/threshold-signature-server/src/user/api.rs b/crates/threshold-signature-server/src/user/api.rs
@@ -67,7 +67,8 @@ use crate::{
         launch::LATEST_BLOCK_NUMBER_NEW_USER,
         signing::{do_signing, Hasher},
         substrate::{
-            get_oracle_data, get_program, get_stash_address, query_chain, submit_transaction,
+            get_oracle_data, get_program, get_stash_address, get_validators_info, query_chain,
+            submit_transaction,
         },
         user::{check_in_registration_group, compute_hash, do_dkg},
         validator::{get_signer, get_signer_and_x25519_secret},
@@ -115,7 +116,6 @@ pub async fn relay_tx(
     let request_author = SubxtAccountId32(*signed_message.account_id().as_ref());
     tracing::Span::current().record("request_author", signed_message.account_id().to_string());
     // make sure Im a validator not a signer
-    // pick signers (random OS is fine)
     let signers = get_signers_from_chain(&api, &rpc).await?;
     let mut user_sig_req: UserSignatureRequest = serde_json::from_slice(&signed_message.message.0)?;
 
@@ -173,7 +173,6 @@ pub async fn relay_tx(
             tracing::warn!("Cannot send signing protocol output - connection is closed")
         };
     });
-    // send back response
 
     //TODO: remove validators_info from user sig request
     Ok((StatusCode::OK, Body::from_stream(response_rx)))
@@ -197,6 +196,18 @@ pub async fn sign_tx(
 
     let request_author = SubxtAccountId32(*signed_message.account_id().as_ref());
     tracing::Span::current().record("request_author", signed_message.account_id().to_string());
+    let validators_query = entropy::storage().session().validators();
+
+    let validators = query_chain(&api, &rpc, validators_query, None)
+        .await?
+        .ok_or_else(|| UserErr::ChainFetch("Error getting signers"))?;
+
+    let validators_info = get_validators_info(&api, &rpc, validators).await?;
+
+    validators_info
+        .iter()
+        .find(|validator| validator.tss_account == request_author)
+        .ok_or_else(|| UserErr::NotRelayedFromValidator)?;
 
     let request_limit_query = entropy::storage().parameters().request_limit();
     let request_limit = query_chain(&api, &rpc, request_limit_query, None)

diff --git a/crates/threshold-signature-server/src/user/errors.rs b/crates/threshold-signature-server/src/user/errors.rs
@@ -173,6 +173,8 @@ pub enum UserErr {
     UnknownHashingAlgorithm,
     #[error("Failed to derive BIP-32 account: {0}")]
     Bip32DerivationError(#[from] bip32::Error),
+    #[error("Message sent directly to signer")]
+    NotRelayedFromValidator,
 }
 
 impl From<hkdf::InvalidLength> for UserErr {

diff --git a/crates/threshold-signature-server/src/user/tests.rs b/crates/threshold-signature-server/src/user/tests.rs
@@ -357,6 +357,16 @@ async fn signature_request_with_derived_account_works() {
     verify_signature(signature_request_responses, message_hash, &verifying_key, &validators_info)
         .await;
 
+    let signature_request_responses_fail_not_relayer = mock_client
+        .post("http://127.0.0.1:3001/user/sign_tx")
+        .header("Content-Type", "application/json")
+        .body(serde_json::to_string(&signed_message).unwrap())
+        .send()
+        .await;
+    assert_eq!(
+        signature_request_responses_fail_not_relayer.unwrap().text().await.unwrap(),
+        "Message sent directly to signer"
+    );
     clean_tests();
 }