feat: (PRO-439) (PRO-440) Method validation for allowed methods to er...

[dev-jodee]

...ror out faster and reduce useless processing

bugfix: Constant time hmac verification function

---

Important

Add method validation for JSON-RPC requests and fix HMAC verification to prevent timing attacks.

• Behavior:
  • Adds method validation in verify_jsonrpc_method() in middleware_utils.rs to ensure only allowed methods are processed.
  • Updates ApiKeyAuthLayer and HmacAuthLayer in auth.rs to use method validation, rejecting unauthorized methods.
  • Fixes HMAC verification in HmacAuthService in auth.rs to use constant time comparison, preventing timing attacks.
• Configuration:
  • Adds get_enabled_method_names() to EnabledMethods in config.rs to retrieve allowed methods.
  • Updates run_rpc_server() in server.rs to build middleware with allowed methods from config.
• Tests:
  • Adds tests for method validation and HMAC verification in auth.rs.

^{This description was created by for 818bd88. You can customize this summary. It will automatically update as commits are pushed.}

📊 Unit Test Coverage

Unit Test Coverage: 83.6%

View Detailed Coverage Report

[linear]

PRO-439 Prevent side channel attacks on hmac calculation in middleware

PRO-440 Middleware for unknown methods should have whitelist

[ellipsis-dev]

Caution

Changes requested ❌

Reviewed everything up to 818bd88 in 1 minute and 34 seconds. Click for details.

• Reviewed 545 lines of code in 4 files
• Skipped 0 files when reviewing.
• Skipped posting 4 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. crates/lib/src/config.rs:264

• Draft comment:
  Consider preallocating the Vec in get_enabled_method_names (e.g., using Vec::with_capacity(10)) to reduce reallocations.
• Reason this comment was not posted:
  Confidence changes required: 30% <= threshold 50% None

2. crates/lib/src/rpc_server/auth.rs:86

• Draft comment:
  Avoid using unwrap_or("") when converting header values to strings; handle conversion errors explicitly to prevent silent failures.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

3. crates/lib/src/rpc_server/auth.rs:188

• Draft comment:
  The comment 'Verify timestamp is within 5 minutes' is misleading since max_timestamp_age is configurable; consider updating the comment to reflect the actual configuration.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

4. crates/lib/src/rpc_server/server.rs:146

• Draft comment:
  get_config() is called again in build_rpc_module, potentially leading to inconsistencies. Consider reusing the config retrieved earlier (line 59) to ensure consistent settings.
• Reason this comment was not posted:
  Confidence changes required: 50% <= threshold 50% None

Workflow ID: wflow_T04vRpayOaefLZQK

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}