Allow access to access_authority tracks when properly signed (#689)

When reqs are signed by access_authority, allow those tracks to be
returned (otherwise, streaming is a needle in a haystack kind of
problem).

Doesn't have much performance impact b/c most rows are null
access_authorities and those that are have a quick comparison.

Author: raymondjacobson

api/auth_middleware.go

@@ -97,10 +97,22 @@ func (app *ApiServer) isAuthorizedRequest(ctx context.Context, userId int32, aut
 	return isAuthorized
 }
 
+// get the wallet that signed the request
 func (app *ApiServer) getAuthedWallet(c *fiber.Ctx) string {
 	return c.Locals("authedWallet").(string)
 }
 
+// get the wallet that signed the request, or "" if not set
+func (app *ApiServer) tryGetAuthedWallet(c *fiber.Ctx) string {
+	if c == nil {
+		return ""
+	}
+	if w, ok := c.Locals("authedWallet").(string); ok {
+		return w
+	}
+	return ""
+}
+
 // validateOAuthJWTTokenToUserId validates the OAuth JWT and returns the userId from the payload.
 func (app *ApiServer) validateOAuthJWTTokenToUserId(ctx context.Context, token string) (trashid.HashId, error) {
 	tokenParts := strings.Split(token, ".")

api/dbv1/get_tracks.sql.go

@@ -7,10 +7,11 @@ import (
 )
 
 type ParallelParams struct {
-	UserIds     []int32
-	TrackIds    []int32
-	PlaylistIds []int32
-	MyID        int32
+	UserIds       []int32
+	TrackIds      []int32
+	PlaylistIds   []int32
+	MyID          int32
+	AuthedWallet  string
 }
 
 type ParallelResult struct {
@@ -42,8 +43,9 @@ func (q *Queries) Parallel(ctx context.Context, arg ParallelParams) (*ParallelRe
 			var err error
 			trackMap, err = q.TracksKeyed(ctx, TracksParams{
 				GetTracksParams: GetTracksParams{
-					Ids:  arg.TrackIds,
-					MyID: arg.MyID,
+					Ids:           arg.TrackIds,
+					MyID:          arg.MyID,
+					AuthedWallet:  arg.AuthedWallet,
 				},
 			})
 			return err
@@ -58,6 +60,7 @@ func (q *Queries) Parallel(ctx context.Context, arg ParallelParams) (*ParallelRe
 					Ids:  arg.PlaylistIds,
 					MyID: arg.MyID,
 				},
+				AuthedWallet: arg.AuthedWallet,
 			})
 			return err
 		})

api/dbv1/parallel.go

@@ -9,8 +9,9 @@ import (
 
 type PlaylistsParams struct {
 	GetPlaylistsParams
-	OmitTracks bool
-	TrackLimit int // 0 means use default (200), positive values set the limit
+	OmitTracks     bool
+	TrackLimit     int    // 0 means use default (200), positive values set the limit
+	AuthedWallet   string // wallet that signed the request; tracks with matching access_authorities are shown
 }
 
 type Playlist struct {
@@ -68,9 +69,10 @@ func (q *Queries) PlaylistsKeyed(ctx context.Context, arg PlaylistsParams) (map[
 
 	// fetch users + tracks in parallel
 	loaded, err := q.Parallel(ctx, ParallelParams{
-		UserIds:  userIds,
-		TrackIds: trackIds,
-		MyID:     arg.MyID.(int32),
+		UserIds:      userIds,
+		TrackIds:     trackIds,
+		MyID:         arg.MyID.(int32),
+		AuthedWallet: arg.AuthedWallet,
 	})
 	if err != nil {
 		return nil, err

api/dbv1/playlists.go

@@ -209,6 +209,8 @@ LEFT JOIN aggregate_plays on play_item_id = t.track_id
 LEFT JOIN track_routes on t.track_id = track_routes.track_id and track_routes.is_current = true
 WHERE (is_unlisted = false OR t.owner_id = @my_id OR @include_unlisted::bool = TRUE)
   AND t.track_id = ANY(@ids::int[])
-  AND t.access_authorities IS NULL
+  AND (t.access_authorities IS NULL
+    OR (COALESCE(@authed_wallet, '') <> ''
+        AND EXISTS (SELECT 1 FROM unnest(t.access_authorities) aa WHERE lower(aa) = lower(@authed_wallet))))
 ORDER BY t.track_id
 ;

api/dbv1/queries/get_tracks.sql

@@ -10,7 +10,6 @@ import (
 
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/gofiber/fiber/v2"
-	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
@@ -139,22 +138,30 @@ func (app *ApiServer) getSignerFromApiAccessKey(ctx context.Context, apiAccessKe
 		JOIN api_keys ak ON LOWER(ak.api_key) = LOWER(aak.api_key)
 		WHERE aak.api_access_key = $1 AND aak.is_active = true
 	`, apiAccessKey).Scan(&parentApiKey, &apiSecret)
-	if err == pgx.ErrNoRows || err != nil || apiSecret == "" {
-		return nil
+	if err == nil && apiSecret != "" {
+		privateKey, keyErr := crypto.HexToECDSA(strings.TrimPrefix(apiSecret, "0x"))
+		if keyErr != nil {
+			return nil
+		}
+		parentApiKeyLower := strings.ToLower(parentApiKey)
+		app.apiAccessKeySignerCache.Set(apiAccessKey, apiAccessKeySignerEntry{
+			ApiKey:    parentApiKeyLower,
+			ApiSecret: apiSecret,
+		})
+		return &Signer{
+			Address:    parentApiKeyLower,
+			PrivateKey: privateKey,
+		}
 	}
 
-	parentApiKeyLower := strings.ToLower(parentApiKey)
-	app.apiAccessKeySignerCache.Set(apiAccessKey, apiAccessKeySignerEntry{
-		ApiKey:    parentApiKeyLower,
-		ApiSecret: apiSecret,
-	})
-
-	privateKey, err := crypto.HexToECDSA(strings.TrimPrefix(apiSecret, "0x"))
+	// Fallback: use apiAccessKey as raw private key when no api_secret is found
+	privateKey, err := crypto.HexToECDSA(strings.TrimPrefix(apiAccessKey, "0x"))
 	if err != nil {
 		return nil
 	}
+	address := crypto.PubkeyToAddress(privateKey.PublicKey)
 	return &Signer{
-		Address:    parentApiKeyLower,
+		Address:    address.Hex(),
 		PrivateKey: privateKey,
 	}
 }

api/request_helpers.go

@@ -109,9 +109,10 @@ func (app *ApiServer) queryFullComments(
 		}
 	}
 	related, err := app.queries.Parallel(c.Context(), dbv1.ParallelParams{
-		UserIds:  userIds,
-		TrackIds: trackIds,
-		MyID:     app.getMyId(c),
+		UserIds:      userIds,
+		TrackIds:     trackIds,
+		MyID:         app.getMyId(c),
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_comments.go

@@ -111,9 +111,10 @@ func (app *ApiServer) v1ExploreBestSelling(c *fiber.Ctx) error {
 			}
 		}
 		related, err := app.queries.Parallel(c.Context(), dbv1.ParallelParams{
-			PlaylistIds: playlistIds,
-			TrackIds:    trackIds,
-			MyID:        app.getMyId(c),
+			PlaylistIds:  playlistIds,
+			TrackIds:     trackIds,
+			MyID:         app.getMyId(c),
+			AuthedWallet: app.tryGetAuthedWallet(c),
 		})
 		if err != nil {
 			return err

api/v1_explore_best_selling.go

@@ -81,6 +81,7 @@ func (app *ApiServer) v1Playlist(c *fiber.Ctx) error {
 			MyID: myId,
 			Ids:  []int32{int32(playlistId)},
 		},
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err

api/v1_playlist.go

@@ -33,6 +33,7 @@ func (app *ApiServer) v1PlaylistByPermalink(c *fiber.Ctx) error {
 			MyID: myId,
 			Ids:  ids,
 		},
+		AuthedWallet: app.tryGetAuthedWallet(c),
 	})
 	if err != nil {
 		return err