
Web service render APP to manage requests from our partners. We should support different versions of the API (v1, v2, v3). We would need to have this feature migrated before starting this development.

CurrentBlock providers endpoint for all blockchains

ExchangeWallets package

Shifts package. ShiftFinder and ShiftCreator should interact with the Switchain MongoDB to create and fetch data.

Jobs package. JobCreator creates MongoDB jobs that keep running on the Switchain admin app once the shift is created.

REST API PREHOOKS:

/interface/imports/api/restapi/server/restApiPreHooks.js
/interface/imports/api/restapi/server/restapiHelpers.js

This is all the code that runs before any of the endpoints are executed. The hooks are applied in this order:

    // general middleware
    JsonRoutes.Middleware.use(JsonRoutes.Middleware.parseBearerToken)
    JsonRoutes.Middleware.use(parseExtraHeaders)
    JsonRoutes.Middleware.use(parseRequesterIp)
    JsonRoutes.Middleware.use(handleCors)

    // api middleware
    JsonRoutes.Middleware.use('/rest', checkForCountryMiddleware)
    JsonRoutes.Middleware.use('/rest', checkForApiKeyMiddleware)
    JsonRoutes.Middleware.use('/rest', checkDenyListIP)
    JsonRoutes.Middleware.use('/rest', checkDenyListAddress)
    JsonRoutes.Middleware.use('/rest', checkForWaitingShiftForIp)
    JsonRoutes.Middleware.use('/rest', checkAppSpam)

    // error handling middleware
    JsonRoutes.ErrorMiddleware.use(handleErrorAsJsonMiddlewareV2)

parseBearerToken

Parses the Authorization header in the Bearer format and stores the token in authToken.

parseExtraHeaders

Gets the IP address from the x-user-ip header, the x-forwarded-for header, or the IP package, in this exact priority, and stores it in requesterIp. The IP from the IP package is stored in sourceIp.

parseExtraHeaders

    if (request.headers) {
      request.userCountry = request.headers['cf-ipcountry']
      request.userAgent = request.headers['user-agent']
      request.userDeviceType = request.headers['x-user-device-type']
      request.userTimeZone = request.headers['x-user-time-zone']
      request.signatureAppId = request.headers['x-signature-appid']
      request.signatureTimestamp = request.headers['x-signature-timestamp']
      request.signatureNonce = request.headers['x-signature-nonce']
      request.signatureSignature = request.headers['x-signature-signature']
    }

handleCors

    export function handleCors(request, response, next) {
      // https://github.com/stubailo/meteor-rest/pull/146/commits/dac077c0d7098c11d25c568f1e68e7bbe90aaa38
      // Echo the request's Origin header; fall back to '*' when it is missing or 'null'.
      const origin =
        request.headers && request.headers.origin && request.headers.origin !== 'null'
          ? request.headers.origin
          : '*'

      const newHeaders = {
        CORSTEST: origin,
        'Cache-Control': 'no-store',
        Pragma: 'no-cache',
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Methods': 'PUT, GET, POST, DELETE, OPTIONS',
        'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, Authorization, X-Requested-With',
        'Access-Control-Allow-Credentials': 'true'
      }
      if (!response.headers) response.headers = {}
      // Set each header only if it has not already been set on the response.
      Object.keys(newHeaders).forEach((k) => {
        if (!response.headers[k]) {
          response.headers[k] = newHeaders[k]
          response.setHeader(k, newHeaders[k])
        }
      })
      next()
    }

checkForCountryMiddleware

Checks whether the country is US and, if so, rejects the request unless the IP address belongs to a list of allowlisted IPs (usually Exodus US-based servers). It does not apply to the /graphql endpoint, GET order, or OPTIONS requests. The country is determined by Cloudflare; if it can't be determined, the request is rejected.

checkForApiKeyMiddleware

Checks that the API key used in the request exists, is active, and is of the type REST_API. It does not apply to the /graphql endpoint, GET order, or OPTIONS requests.

checkDenyListIP

Checks whether the requesterIp address is in the blocklist and, if it is, returns a 401 error. If requesterIp is not available, returns a 403 error. It does not apply to the GET order endpoint.

checkDenyListAddress

Only applies to the create order endpoint (/order POST). Checks whether withdrawAddress, refundAddress and toAddress (the old name for withdrawAddress) exist in our internal denylist or in the Binance denylist. If so, returns a 401 error specifying which address has been rejected.

checkForWaitingShiftForIp

For applications whose audience is public, checks whether requesterIp can be identified. If there is already a shift in waiting status, rejects the request with a 429 code. It does not apply to the GET order endpoint.

checkAppSpam

Checks whether requesterIp exists and, if not, rejects the request with a 403 code. Checks whether the number of waiting shifts for the authToken is above MAX_WAITING_SHIFTS_BY_APP (100) and returns a 429 error in that case. Checks whether the number of waiting shifts for the requesterIp is above MAX_WAITING_SHIFTS_BY_IP (20) and returns a 429 error in that case. It does not apply to the GET order endpoint.
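The handleCors hook shown above echoes whatever Origin header arrives into Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials to true, so every origin is treated as allowed. The following is an added example, not Switchain's code: an allowlist variant of that hook. ALLOWED_ORIGINS and its hostnames, handleCorsAllowlist and runCors are hypothetical names constructed for illustration.

```javascript
// Added example, not Switchain code. ALLOWED_ORIGINS and its hostnames are
// constructed placeholders; header names match the handleCors hook above.
const ALLOWED_ORIGINS = new Set([
  'https://app.partner.example',
  'https://widget.partner.example'
])

const CORS_METHODS = 'PUT, GET, POST, DELETE, OPTIONS'
const CORS_HEADERS = 'Origin, X-Requested-With, Content-Type, Accept, Authorization'

function handleCorsAllowlist(request, response, next) {
  const origin = request.headers && request.headers.origin

  // The response differs per Origin, so shared caches must key on it.
  response.setHeader('Vary', 'Origin')
  response.setHeader('Cache-Control', 'no-store')
  response.setHeader('Pragma', 'no-cache')

  // Exact string match only: no substring, suffix or regex tests, and the
  // literal 'null' origin (sandboxed iframes, file://) is never allowed.
  if (typeof origin === 'string' && ALLOWED_ORIGINS.has(origin)) {
    response.setHeader('Access-Control-Allow-Origin', origin)
    response.setHeader('Access-Control-Allow-Credentials', 'true')
    response.setHeader('Access-Control-Allow-Methods', CORS_METHODS)
    response.setHeader('Access-Control-Allow-Headers', CORS_HEADERS)
  }
  // Unknown or absent origin: no Access-Control-* headers are sent, so a
  // browser will not expose the response to the calling page. Server-to-server
  // callers do not rely on CORS and are unaffected.
  next()
}

// Minimal stand-in for the request/response pair, used to inspect the result.
function runCors(middleware, originHeader) {
  const headers = {}
  const request = { headers: originHeader === undefined ? {} : { origin: originHeader } }
  const response = { setHeader: (k, v) => { headers[k] = v } }
  let nextCalled = false
  middleware(request, response, () => { nextCalled = true })
  return { headers, nextCalled }
}

console.log(runCors(handleCorsAllowlist, 'https://app.partner.example').headers)
console.log(runCors(handleCorsAllowlist, 'https://unlisted.example').headers)
```
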