fix: handle CORS in contract verify API (#324)

Author: o-az

apps/contract-verification/README.md

@@ -52,3 +52,30 @@ and [/apps/contract-verification/scripts/medium-verify.sh](./scripts/medium-veri
 #### Direct API Usage
 
 - Standard JSON: see [/apps/contract-verification/scripts/verify-with-curl.sh](./scripts/verify-with-curl.sh) for a full example.
+
+### Development
+
+#### Prerequisites
+
+- A container runtime (e.g., [OrbStack](https://docs.orbstack.dev), [Colima](https://github.com/abiosoft/colima), Docker Desktop)
+
+```sh
+cp .env.example .env  # Copy example environment variables
+pnpm install          # Install dependencies
+pnpm dev              # Start development server
+```
+
+Once dev server is running, you can run scripts in the [/apps/contract-verification/scripts](./scripts) directory to populate your local database with verified contracts.
+
+#### Database
+
+We use [D1](https://developers.cloudflare.com/d1), a serverless SQLite-compatible database by Cloudflare.
+Sometimes you need to debug the local database in development,
+especially when it's SQLite. Sadly, wrangler doesn't have a nice way to do this.
+
+Improvised solution: we [locate the local SQLite file wrangler uses](/apps/contract-verification/scripts/local-d1.sh) and run drizzle-kit studio to view it.
+
+| environment | database | dialect | GUI |
+|-------------|----------|----------|-----|
+| production  | Cloudflare D1 | SQLite | [DrizzleKit Studio](https://github.com/drizzle-team/drizzle-studio) |
+| development | Local SQLite | SQLite | [Cloudflare Dashboard](https://dash.cloudflare.com/) |

apps/contract-verification/env.d.ts

@@ -1,6 +1,7 @@
 interface EnvironmentVariables {
 	readonly PORT: string
 
+	readonly WHITELISTED_ORIGINS: string
 	readonly VITE_LOG_LEVEL: 'info' | 'warn' | 'silent'
 
 	readonly CLOUDFLARE_ACCOUNT_ID: string

apps/contract-verification/package.json

@@ -27,6 +27,7 @@
 		"cbor-x": "^1.6.0",
 		"drizzle-orm": "^0.45.1",
 		"hono": "catalog:",
+		"hono-rate-limiter": "catalog:",
 		"ox": "catalog:",
 		"semver": "^7.7.3",
 		"tempo.ts": "catalog:",
@@ -39,13 +40,14 @@
 		"@libsql/client": "^0.15.15",
 		"@scalar/api-reference": "catalog:",
 		"@total-typescript/ts-reset": "catalog:",
-		"@types/bun": "^1.3.4",
+		"@types/bun": "^1.3.5",
 		"@types/node": "catalog:",
 		"@types/semver": "^7.7.1",
 		"dbmate": "^2.28.0",
 		"drizzle-kit": "^0.31.8",
 		"typescript": "catalog:",
 		"vite": "catalog:",
+		"vite-plugin-devtools-json": "catalog:",
 		"wrangler": "catalog:"
 	},
 	"license": "MIT"

apps/contract-verification/src/chains.ts

@@ -1,4 +1,4 @@
-import { tempoDevnet, tempoTestnet } from 'tempo.ts/chains'
+import { tempoDevnet, tempoTestnet } from 'viem/chains'
 
 export const DEVNET_CHAIN_ID = tempoDevnet.id
 export const TESTNET_CHAIN_ID = tempoTestnet.id
@@ -11,22 +11,18 @@ export const chains = {
 // matches https://sourcify.dev/server/chains format
 export const sourcifyChains = [tempoDevnet, tempoTestnet].map((chain) => {
 	const returnValue = {
-		name: chain().name,
-		title: chain().name,
-		chainId: chain().id,
-		rpc: [
-			chain().rpcUrls.default.http,
-			chain().rpcUrls.default.webSocket,
-		].flat(),
+		name: chain.name,
+		title: chain.name,
+		chainId: chain.id,
+		rpc: [chain.rpcUrls.default.http, chain.rpcUrls.default.webSocket].flat(),
 		supported: true,
 		etherscanAPI: false,
 		_extra: {},
 	}
-	// @ts-expect-error
-	if (chain()?.blockExplorers)
+
+	if (chain?.blockExplorers)
 		returnValue._extra = {
-			// @ts-expect-error
-			blockExplorer: chain()?.blockExplorers.default,
+			blockExplorer: chain?.blockExplorers.default,
 		}
 
 	return returnValue

apps/contract-verification/src/index.tsx

@@ -1,10 +1,13 @@
+import { env } from 'cloudflare:workers'
 import { getContainer } from '@cloudflare/containers'
-import { Hono } from 'hono'
+import { bodyLimit } from 'hono/body-limit'
+import { cors } from 'hono/cors'
 import { showRoutes } from 'hono/dev'
+import { createFactory } from 'hono/factory'
 import { prettyJSON } from 'hono/pretty-json'
 import { requestId } from 'hono/request-id'
 import { timeout } from 'hono/timeout'
-
+import { rateLimiter } from 'hono-rate-limiter'
 import { sourcifyChains } from '#chains.ts'
 import { VerificationContainer } from '#container.ts'
 import OpenApiSpec from '#openapi.json' with { type: 'json' }
@@ -13,24 +16,67 @@ import { docsRoute } from '#route.docs.tsx'
 import { lookupAllChainContractsRoute, lookupRoute } from '#route.lookup.ts'
 import { verifyRoute } from '#route.verify.ts'
 import { legacyVerifyRoute } from '#route.verify-legacy.ts'
+import { originMatches } from '#utilities.ts'
 
 export { VerificationContainer }
 
-/**
- * TODO:
- * - CORS,
- * - Cache,
- * - Security
- * - Rate limiting,
- */
+const WHITELISTED_ORIGINS = [
+	'http://localhost',
+	'https://*.ts.net', // `tailscale funnel`
+	...(env.WHITELISTED_ORIGINS.split(',') ?? []),
+]
 
-const app = new Hono<{ Bindings: Cloudflare.Env }>()
+type AppEnv = { Bindings: Cloudflare.Env }
+const factory = createFactory<AppEnv>()
+const app = factory.createApp()
 
 // @note: order matters
-app.use('*', requestId({ headerName: 'X-Tempo-Request-Id' }))
-// TODO: update before merging to main
-app.use('*', timeout(20_000)) // 20 seconds
-app.use(prettyJSON())
+app
+	.use('*', requestId({ headerName: 'X-Tempo-Request-Id' }))
+	.use(
+		cors({
+			allowMethods: ['GET', 'POST', 'OPTIONS', 'HEAD'],
+			origin: (origin, _) => {
+				return WHITELISTED_ORIGINS.some((p) =>
+					originMatches({ origin, pattern: p }),
+				)
+					? origin
+					: null
+			},
+		}),
+	)
+	.use(
+		rateLimiter<AppEnv>({
+			binding: (context) => context.env.RATE_LIMITER,
+			keyGenerator: (context) =>
+				(context.req.header('X-Real-IP') ??
+					context.req.header('CF-Connecting-IP') ??
+					context.req.header('X-Forwarded-For')) ||
+				'',
+			skip: (context) =>
+				WHITELISTED_ORIGINS.some((p) =>
+					originMatches({
+						origin: new URL(context.req.url).hostname,
+						pattern: p,
+					}),
+				),
+			message: { error: 'Rate limit exceeded', retryAfter: '60s' },
+		}),
+	)
+	.use(bodyLimit({ maxSize: 2 * 10_24 })) // 1mb
+	.use('*', timeout(12_000)) // 12 seconds
+	.use(prettyJSON())
+	.use(async (context, next) => {
+		if (context.env.NODE_ENV !== 'development') return await next()
+		const baseLogMessage = `${context.get('requestId')}-[${context.req.method}] ${context.req.path}`
+		if (context.req.method === 'GET') {
+			console.info(`${baseLogMessage}\n`)
+			return await next()
+		}
+		const body = await context.req.text()
+		console.info(`${baseLogMessage} \n${body}\n`)
+		return await next()
+	})
 
 app.route('/docs', docsRoute)
 app.route('/verify', legacyVerifyRoute)
@@ -60,12 +106,6 @@ app
 			),
 	)
 
-app.use('*', async (context, next) => {
-	if (context.env.NODE_ENV !== 'development') return await next()
-	console.info(`[${context.req.method}] ${context.req.path}`)
-	await next()
-})
-
 showRoutes(app)
 
 export default app satisfies ExportedHandler<Cloudflare.Env>

apps/contract-verification/src/utilities.ts

@@ -1,3 +1,4 @@
+import { env } from 'cloudflare:workers'
 import type { Context } from 'hono'
 import type { ContentfulStatusCode } from 'hono/utils/http-status'
 
@@ -37,3 +38,30 @@ export function sourcifyError(
 		status,
 	)
 }
+
+/**
+ * Checks if an origin matches an allowed hostname pattern.
+ * pathname and search parameters are ignored
+ */
+export function originMatches(params: { origin: string; pattern: string }) {
+	if (env.NODE_ENV === 'development') return true
+
+	const { pattern } = params
+
+	if (!params.origin) return false
+	let origin: string
+
+	try {
+		const stripExtra = new URL(params.origin)
+		origin = `${stripExtra.protocol}//${stripExtra.hostname}`
+	} catch {
+		return false
+	}
+
+	if (origin === pattern) return true
+	if (!pattern.includes('*')) return false
+
+	return new RegExp(
+		`^${pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*')}$`,
+	).test(origin)
+}

apps/contract-verification/vite.config.ts

@@ -2,6 +2,7 @@ import NodeChildProcess from 'node:child_process'
 import NodeProcess from 'node:process'
 import { cloudflare } from '@cloudflare/vite-plugin'
 import { defineConfig, loadEnv } from 'vite'
+import vitePluginChromiumDevTools from 'vite-plugin-devtools-json'
 
 const commitSha =
 	NodeChildProcess.execSync('git rev-parse --short HEAD').toString().trim() ||
@@ -19,10 +20,11 @@ export default defineConfig((config) => {
 	const port = Number(lastPort ?? env.PORT ?? 3_000)
 
 	return {
-		plugins: [cloudflare()],
+		plugins: [cloudflare(), vitePluginChromiumDevTools()],
 		server: {
 			port,
-			cors: config.mode === 'development' ? true : undefined,
+			// https://hono.dev/docs/middleware/builtin/cors#using-with-vite
+			cors: false,
 			allowedHosts: config.mode === 'development' ? true : undefined,
 		},
 		define: {

apps/contract-verification/wrangler.jsonc

@@ -7,6 +7,20 @@
 	"keep_vars": true,
 	"workers_dev": true,
 	"preview_urls": true,
+	"vars": {
+		// in addition to localhost
+		"WHITELISTED_ORIGINS": "https://tempo.xyz,https://*.tempo.xyz,https://*.porto.workers.dev"
+	},
+	"ratelimits": [
+		{
+			"name": "RATE_LIMITER",
+			"namespace_id": "1001",
+			"simple": {
+				"limit": 10,
+				"period": 60
+			}
+		}
+	],
 	"d1_databases": [
 		{
 			"binding": "CONTRACTS_DB",
@@ -39,9 +53,9 @@
 	],
 	"observability": {
 		"enabled": true,
+		"head_sampling_rate": 1,
 		"logs": {
 			"enabled": true,
-			"persist": true,
 			"head_sampling_rate": 1,
 			"invocation_logs": true
 		}