Update: Key-Pair auth data check

Author: farhanW3

src/server/middleware/auth.ts

@@ -5,6 +5,7 @@ import {
   getToken as getJWT,
 } from "@thirdweb-dev/auth/fastify";
 import { AsyncWallet } from "@thirdweb-dev/wallets/evm/wallets/async";
+import { createHash } from "crypto";
 import { FastifyInstance } from "fastify";
 import { FastifyRequest } from "fastify/types/request";
 import jsonwebtoken from "jsonwebtoken";
@@ -153,6 +154,7 @@ export const onRequest = async ({
   const jwt = getJWT(req);
   if (jwt) {
     const payload = jsonwebtoken.decode(jwt, { json: true });
+    const data = payload?.data;
 
     // The `iss` field determines the auth type.
     if (payload?.iss) {
@@ -162,7 +164,7 @@ export const onRequest = async ({
       } else if (payload.iss === THIRDWEB_DASHBOARD_ISSUER) {
         return await handleDashboardAuth(jwt);
       } else {
-        return await handleKeypairAuth(jwt, payload.iss);
+        return await handleKeypairAuth(jwt, payload.iss, req, payload.data);
       }
     }
   }
@@ -264,6 +266,8 @@ const handleWebsocketAuth = async (
 const handleKeypairAuth = async (
   jwt: string,
   iss: string,
+  req: FastifyRequest,
+  data: string | null,
 ): Promise<AuthResponse> => {
   // The keypair auth feature must be explicitly enabled.
   if (!env.ENABLE_KEYPAIR_AUTH) {
@@ -278,6 +282,11 @@ const handleKeypairAuth = async (
       throw error;
     }
 
+    if (data && req.method === "POST" && data !== hashRequestBody(req)) {
+      error = "The request body has been tampered with.";
+      throw error;
+    }
+
     // The JWT is valid if `verify` did not throw.
     jsonwebtoken.verify(jwt, keypair.publicKey, {
       algorithms: [keypair.algorithm as jsonwebtoken.Algorithm],
@@ -421,3 +430,9 @@ const handleAuthWebhooks = async (
 
   return { isAuthed: false };
 };
+
+const hashRequestBody = (req: FastifyRequest): string => {
+  return createHash("sha256")
+    .update(JSON.stringify(req.body), "utf8")
+    .digest("hex");
+};