From 3925b192296c3d1a8793114ec38552f683fb4fb6 Mon Sep 17 00:00:00 2001
From: hailin
Date: Sun, 7 Dec 2025 02:02:17 -0800
Subject: [PATCH] fix(mpc-service): use JWT auth instead of X-API-Key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mpc-account-service expects JWT Bearer tokens, not X-API-Key header. Added JWT token generation and use MPC_JWT_SECRET env var. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 backend/services/docker-compose.yml | 3 +-
 .../services/mpc-coordinator.service.ts | 75 +++++++++++--------
 2 files changed, 44 insertions(+), 34 deletions(-)
diff --git a/backend/services/docker-compose.yml b/backend/services/docker-compose.yml
index 361d8ae3..03999632 100644
--- a/backend/services/docker-compose.yml
+++ b/backend/services/docker-compose.yml
@@ -341,7 +341,8 @@ services:
 - MPC_SESSION_COORDINATOR_URL=http://mpc-session-coordinator:8080
 - MPC_MESSAGE_ROUTER_WS_URL=ws://mpc-message-router:8080
 - MPC_SERVER_PARTY_API_URL=http://mpc-server-party-api:8080
- - MPC_API_KEY=rwa-mpc-api-key-2024-secure-access-token
+ # JWT Secret 必须与 mpc-system 的 JWT_SECRET_KEY 一致
+ - MPC_JWT_SECRET=change_this_jwt_secret_key_to_random_value_min_32_chars
 - SHARE_MASTER_KEY=${SHARE_MASTER_KEY}
 depends_on:
 postgres:
diff --git a/backend/services/mpc-service/src/application/services/mpc-coordinator.service.ts b/backend/services/mpc-service/src/application/services/mpc-coordinator.service.ts
index c4734811..6e915dca 100644
--- a/backend/services/mpc-service/src/application/services/mpc-coordinator.service.ts
+++ b/backend/services/mpc-service/src/application/services/mpc-coordinator.service.ts
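Review bot: The new `MPC_JWT_SECRET` entry in docker-compose.yml is a literal placeholder committed to the repository, unlike `SHARE_MASTER_KEY=${SHARE_MASTER_KEY}` on the line after it, so any deployment that uses this file unchanged signs its MPC tokens with a value known to everyone who can read the repo. Take the value from the environment and let compose refuse to start when it is unset: `- MPC_JWT_SECRET=${MPC_JWT_SECRET:?MPC_JWT_SECRET must be set}`. The removed `MPC_API_KEY` value remains in git history; if a deployed mpc-system ever accepted it, it should be treated as exposed and revoked there.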
@@ -112,11 +112,13 @@ export interface DelegateShareOutput {
 // Service
 // ============================================================================
+import * as jwt from 'jsonwebtoken';
+
 @Injectable()
 export class MPCCoordinatorService {
 private readonly logger = new Logger(MPCCoordinatorService.name);
 private readonly mpcSystemUrl: string;
- private readonly mpcApiKey: string;
+ private readonly mpcJwtSecret: string;
 constructor(
 private readonly configService: ConfigService,
@@ -124,7 +126,36 @@ export class MPCCoordinatorService {
 private readonly prisma: PrismaService,
 ) {
 this.mpcSystemUrl = this.configService.get('MPC_ACCOUNT_SERVICE_URL', 'http://localhost:4000');
- this.mpcApiKey = this.configService.get('MPC_API_KEY', 'test-api-key');
+ this.mpcJwtSecret = this.configService.get('MPC_JWT_SECRET', 'change_this_jwt_secret_key_to_random_value_min_32_chars');
+ }
+
+ /**
+ * 生成 MPC 系统访问的 JWT token
+ */
+ private generateMpcAccessToken(userId: string, username: string): string {
+ const now = Math.floor(Date.now() / 1000);
+ const payload = {
+ jti: crypto.randomUUID(),
+ iss: 'mpc-service',
+ sub: userId,
+ party_id: username,
+ token_type: 'access',
+ iat: now,
+ nbf: now,
+ exp: now + 24 * 60 * 60, // 24 hours
+ };
+ return jwt.sign(payload, this.mpcJwtSecret, { algorithm: 'HS256' });
+ }
+
+ /**
+ * 获取 MPC 系统的 Authorization header
+ */
+ private getMpcAuthHeaders(userId: string = 'service', username: string = 'mpc-service'): Record {
+ const token = this.generateMpcAccessToken(userId, username);
+ return {
+ 'Content-Type': 'application/json',
+ 'Authorization': `Bearer ${token}`,
+ };
 }
 // ==========================================================================
@@ -156,10 +187,7 @@ export class MPCCoordinatorService {
 require_delegate: input.requireDelegate,
 },
 {
- headers: {
- 'Content-Type': 'application/json',
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 30000,
 },
 ),
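Review bot: The `import * as jwt from 'jsonwebtoken';` line in the first hunk sits below the `// Service` banner, after the interface declarations, instead of with the file's other imports; it works because imports are hoisted, but a security-relevant dependency is then easy to miss when scanning the top of the file, so it should move there. The next hunk also calls `crypto.randomUUID()`, and the top of the file is outside this diff: if `crypto` is not imported there, the call relies on the runtime's global, and an explicit `import { randomUUID } from 'crypto';` would make it independent of the Node version.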
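Review bot: The constructor in the `@@ -124,7 +126,36 @@` hunk falls back to the literal `'change_this_jwt_secret_key_to_random_value_min_32_chars'` when `MPC_JWT_SECRET` is unset, so a misconfigured deployment silently signs HS256 tokens with a key that is published in this repository; the service should refuse to start instead. `generateMpcAccessToken` also gives every token a 24-hour `exp` although `getMpcAuthHeaders` mints a fresh token for each request, so a token that leaks through a log or a proxy stays valid for a day, while a lifetime of about a minute already covers the 10–30 s request timeouts used in this file. The payload carries no `aud` claim; if mpc-account-service can validate one (not visible here), adding it would keep these tokens from being accepted by any other service that shares the secret.

```typescript
// … unchanged: mpcSystemUrl assignment …
const secret = this.configService.get<string>('MPC_JWT_SECRET');
if (
  !secret ||
  secret.length < 32 ||
  secret === 'change_this_jwt_secret_key_to_random_value_min_32_chars'
) {
  throw new Error('MPC_JWT_SECRET must be set to a random value of at least 32 characters');
}
this.mpcJwtSecret = secret;

// … unchanged: generateMpcAccessToken, claims jti through nbf …
exp: now + 60, // minted per request, so a short lifetime is enough
```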
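Review bot: `getMpcAuthHeaders()` is called with no arguments in the `@@ -156,10 +187,7 @@` hunk and in every hunk after it (`@@ -201` through `@@ -503`), so every token carries `sub: 'service'` and `party_id: 'mpc-service'`, and the receiving service cannot tell from the token on whose behalf a session, share or signing-config request is made. If mpc-account-service authorizes or audits by those claims (not visible in this diff), pass the real identity where the call already has it, for example `headers: this.getMpcAuthHeaders(<caller id>, username)` in the by-username lookups; if it does not, drop the two parameters so the helper does not suggest per-user tokens. The enclosing methods start and end outside these hunks.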
@@ -201,9 +229,7 @@ export class MPCCoordinatorService {
 }>(
 `${this.mpcSystemUrl}/api/v1/mpc/sessions/${sessionId}`,
 {
- headers: {
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 10000,
 },
 ),
@@ -266,10 +292,7 @@ export class MPCCoordinatorService {
 user_share: input.userShare,
 },
 {
- headers: {
- 'Content-Type': 'application/json',
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 30000,
 },
 ),
@@ -305,9 +328,7 @@ export class MPCCoordinatorService {
 }>(
 `${this.mpcSystemUrl}/api/v1/mpc/sessions/${sessionId}`,
 {
- headers: {
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 10000,
 },
 ),
@@ -356,9 +377,7 @@ export class MPCCoordinatorService {
 `${this.mpcSystemUrl}/api/v1/accounts`,
 {
 params: { username },
- headers: {
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 10000,
 },
 ),
@@ -401,10 +420,7 @@ export class MPCCoordinatorService {
 party_ids: input.partyIds,
 },
 {
- headers: {
- 'Content-Type': 'application/json',
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 10000,
 },
 ),
@@ -437,10 +453,7 @@ export class MPCCoordinatorService {
 party_ids: input.partyIds,
 },
 {
- headers: {
- 'Content-Type': 'application/json',
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 10000,
 },
 ),
@@ -472,9 +485,7 @@ export class MPCCoordinatorService {
 }>(
 `${this.mpcSystemUrl}/api/v1/accounts/by-username/${username}/signing-config`,
 {
- headers: {
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 10000,
 },
 ),
@@ -503,9 +514,7 @@ export class MPCCoordinatorService {
 }>(
 `${this.mpcSystemUrl}/api/v1/accounts/by-username/${username}/signing-config`,
 {
- headers: {
- 'X-API-Key': this.mpcApiKey,
- },
+ headers: this.getMpcAuthHeaders(),
 timeout: 10000,
 },
 ),