fix(mpc-service): use JWT auth instead of X-API-Key

mpc-account-service expects JWT Bearer tokens, not X-API-Key header. Added JWT token generation and use MPC_JWT_SECRET env var. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-07 02:02:17 -08:00 · 2025-12-07 02:02:17 -08:00 · 3925b19229
parent 7588c9efb7
commit 3925b19229
2 changed files with 44 additions and 34 deletions
--- a/backend/services/docker-compose.yml
+++ b/backend/services/docker-compose.yml
@ -341,7 +341,8 @@ services:
      - MPC_SESSION_COORDINATOR_URL=http://mpc-session-coordinator:8080
      - MPC_MESSAGE_ROUTER_WS_URL=ws://mpc-message-router:8080
      - MPC_SERVER_PARTY_API_URL=http://mpc-server-party-api:8080
-      - MPC_API_KEY=rwa-mpc-api-key-2024-secure-access-token
+      # JWT Secret 必须与 mpc-system 的 JWT_SECRET_KEY 一致
+      - MPC_JWT_SECRET=change_this_jwt_secret_key_to_random_value_min_32_chars
      - SHARE_MASTER_KEY=${SHARE_MASTER_KEY}
    depends_on:
      postgres:
--- a/backend/services/mpc-service/src/application/services/mpc-coordinator.service.ts
+++ b/backend/services/mpc-service/src/application/services/mpc-coordinator.service.ts
@ -112,11 +112,13 @@ export interface DelegateShareOutput {
 // Service
 // ============================================================================

+import * as jwt from 'jsonwebtoken';
+
@Injectable()
 export class MPCCoordinatorService {
  private readonly logger = new Logger(MPCCoordinatorService.name);
  private readonly mpcSystemUrl: string;
-  private readonly mpcApiKey: string;
+  private readonly mpcJwtSecret: string;

  constructor(
    private readonly configService: ConfigService,
@ -124,7 +126,36 @@ export class MPCCoordinatorService {
    private readonly prisma: PrismaService,
  ) {
    this.mpcSystemUrl = this.configService.get<string>('MPC_ACCOUNT_SERVICE_URL', 'http://localhost:4000');
-    this.mpcApiKey = this.configService.get<string>('MPC_API_KEY', 'test-api-key');
+    this.mpcJwtSecret = this.configService.get<string>('MPC_JWT_SECRET', 'change_this_jwt_secret_key_to_random_value_min_32_chars');
+  }
+
+  /**
+   * 生成 MPC 系统访问的 JWT token
+   */
+  private generateMpcAccessToken(userId: string, username: string): string {
+    const now = Math.floor(Date.now() / 1000);
+    const payload = {
+      jti: crypto.randomUUID(),
+      iss: 'mpc-service',
+      sub: userId,
+      party_id: username,
+      token_type: 'access',
+      iat: now,
+      nbf: now,
+      exp: now + 24 * 60 * 60, // 24 hours
+    };
+    return jwt.sign(payload, this.mpcJwtSecret, { algorithm: 'HS256' });
+  }
+
+  /**
+   * 获取 MPC 系统的 Authorization header
+   */
+  private getMpcAuthHeaders(userId: string = 'service', username: string = 'mpc-service'): Record<string, string> {
+    const token = this.generateMpcAccessToken(userId, username);
+    return {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${token}`,
+    };
  }

  // ==========================================================================
@ -156,10 +187,7 @@ export class MPCCoordinatorService {
          require_delegate: input.requireDelegate,
        },
        {
-          headers: {
-            'Content-Type': 'application/json',
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 30000,
        },
      ),
@ -201,9 +229,7 @@ export class MPCCoordinatorService {
      }>(
        `${this.mpcSystemUrl}/api/v1/mpc/sessions/${sessionId}`,
        {
-          headers: {
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 10000,
        },
      ),
@ -266,10 +292,7 @@ export class MPCCoordinatorService {
          user_share: input.userShare,
        },
        {
-          headers: {
-            'Content-Type': 'application/json',
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 30000,
        },
      ),
@ -305,9 +328,7 @@ export class MPCCoordinatorService {
      }>(
        `${this.mpcSystemUrl}/api/v1/mpc/sessions/${sessionId}`,
        {
-          headers: {
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 10000,
        },
      ),
@ -356,9 +377,7 @@ export class MPCCoordinatorService {
        `${this.mpcSystemUrl}/api/v1/accounts`,
        {
          params: { username },
-          headers: {
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 10000,
        },
      ),
@ -401,10 +420,7 @@ export class MPCCoordinatorService {
          party_ids: input.partyIds,
        },
        {
-          headers: {
-            'Content-Type': 'application/json',
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 10000,
        },
      ),
@ -437,10 +453,7 @@ export class MPCCoordinatorService {
          party_ids: input.partyIds,
        },
        {
-          headers: {
-            'Content-Type': 'application/json',
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 10000,
        },
      ),
@ -472,9 +485,7 @@ export class MPCCoordinatorService {
      }>(
        `${this.mpcSystemUrl}/api/v1/accounts/by-username/${username}/signing-config`,
        {
-          headers: {
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 10000,
        },
      ),
@ -503,9 +514,7 @@ export class MPCCoordinatorService {
      }>(
        `${this.mpcSystemUrl}/api/v1/accounts/by-username/${username}/signing-config`,
        {
-          headers: {
-            'X-API-Key': this.mpcApiKey,
-          },
+          headers: this.getMpcAuthHeaders(),
          timeout: 10000,
        },
      ),