WIP: OMNL compliance console, relay rpc pool, zedxion relay service

This commit is contained in:
defiQUG
2026-06-02 06:08:28 -07:00
parent 7c5b4f22aa
commit db517eca80
33 changed files with 2173 additions and 98 deletions

View File

@@ -4,7 +4,25 @@ function extractBearerOrQuery(req: Request, key: string): boolean {
const auth = String(req.headers.authorization || '');
const bearer = auth.startsWith('Bearer ') ? auth.slice(7).trim() : '';
const q = String(req.query.access_token ?? '').trim();
return bearer === key || q === key;
const dashHeader = String(req.headers['x-omnl-dashboard-token'] ?? '').trim();
return bearer === key || q === key || dashHeader === key;
}
function hasOmnlOperatorAuth(req: Request): boolean {
const apiKey = process.env.OMNL_API_KEY?.trim();
if (apiKey && extractBearerOrQuery(req, apiKey)) return true;
const dashKey = process.env.OMNL_DASHBOARD_TOKEN?.trim();
if (dashKey && extractBearerOrQuery(req, dashKey)) return true;
return false;
}
/** Read-only compliance console API (GET). */
function isComplianceConsolePath(path: string): boolean {
return (
path.endsWith('/omnl/compliance/console') ||
path.endsWith('/omnl/compliance/safe-notary-gate-tx') ||
path.endsWith('/omnl/compliance/web3')
);
}
/**
@@ -17,7 +35,7 @@ export function omnlSensitiveRouteGuard(req: Request, res: Response, next: NextF
next();
return;
}
if (extractBearerOrQuery(req, key)) {
if (hasOmnlOperatorAuth(req)) {
next();
return;
}
@@ -28,7 +46,10 @@ export function omnlSensitiveRouteGuard(req: Request, res: Response, next: NextF
const OMNL_PUBLIC_PATH_SUFFIXES = ['/omnl/openapi.json', '/omnl/catalog', '/omnl/integration-status'];
function isPublicOmnlPath(path: string): boolean {
return OMNL_PUBLIC_PATH_SUFFIXES.some((s) => path.endsWith(s));
if (OMNL_PUBLIC_PATH_SUFFIXES.some((s) => path.endsWith(s))) return true;
// Compliance console is read-only; allow without API key when explicitly enabled (LAN operator UI).
if (process.env.OMNL_COMPLIANCE_CONSOLE_PUBLIC === '1' && isComplianceConsolePath(path)) return true;
return false;
}
/**
@@ -59,5 +80,9 @@ export function omnlRequireApiKeyInProduction(req: Request, res: Response, next:
next();
return;
}
if (isComplianceConsolePath(req.path) && hasOmnlOperatorAuth(req)) {
next();
return;
}
res.status(401).json({ error: 'Unauthorized' });
}