add lambda authorizer based on ip

backend/.eslintrc

@@ -7,6 +7,7 @@
   "plugins": ["@typescript-eslint"],
   "extends": ["eslint:recommended", "plugin:@typescript-eslint/recommended"],
   "rules": {
-    "no-undef": "off"
+    "no-undef": "off",
+    "@typescript-eslint/no-explicit-any": "off"
   }
 }

backend/package.json

@@ -22,6 +22,7 @@
     "@solana/spl-token": "^0.4.3",
     "@solana/web3.js": "^1.91.1",
     "bs58": "^5.0.0",
+    "fast-geoip": "^1.1.88",
     "hi-base32": "^0.5.1",
     "tweetnacl": "^1.0.3"
   },

backend/src/handlers/authorizer.ts

@@ -0,0 +1,37 @@
+import {
+  APIGatewayRequestAuthorizerEventV2,
+  APIGatewaySimpleAuthorizerWithContextResult
+} from 'aws-lambda'
+import geoIP from 'fast-geoip'
+
+const DEFAULT_DENY_LIST = ['CU', 'IR', 'IQ', 'KP', 'RU', 'SY', 'GB', 'US', 'UA']
+
+export const authorizer = async (
+  authorizerEvent: APIGatewayRequestAuthorizerEventV2
+): Promise<
+  APIGatewaySimpleAuthorizerWithContextResult<Record<string, string>>
+> => {
+  let authorized = true
+  let country
+  const denyList = process.env.DENY_LIST?.split(',') ?? DEFAULT_DENY_LIST
+  const ip = authorizerEvent.requestContext.http.sourceIp
+
+  try {
+    const geo = await geoIP.lookup(ip)
+    country = geo?.country ?? 'unknown'
+    if (denyList.includes(country)) {
+      authorized = false
+    }
+  } catch (err) {
+    console.error('Error looking up country', err)
+  }
+
+  console.log(`IP:${ip} - Country:${country} - Authorized:${authorized}`)
+
+  return {
+    isAuthorized: authorized,
+    context: {
+      country: country ?? ''
+    }
+  }
+}

backend/src/index.ts

@@ -1,7 +1,7 @@
 import { signDiscordMessage } from './handlers/discord-signed-digest'
 import { fundTransactions } from './handlers/fund-transactions'
-import { handler as helloworld } from './handlers/helloworld'
+import { authorizer } from './handlers/authorizer'
 
 export const signDiscordMessageHandler = signDiscordMessage
-export const helloworldHandler = helloworld
+export const authorizerHandler = authorizer
 export const fundTransactionHandler = fundTransactions

backend/src/serve.ts

@@ -1,7 +1,11 @@
 import bodyParser from 'body-parser'
 import express from 'express'
-import { signDiscordMessageHandler, fundTransactionHandler } from './index'
-import { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda'
+import {
+  signDiscordMessageHandler,
+  fundTransactionHandler,
+  authorizerHandler
+} from './index'
+import { APIGatewayProxyEvent } from 'aws-lambda'
 
 const app = express()
 app.use(bodyParser.json())
@@ -14,12 +18,11 @@ app.post(
   '/api/grant/v1/fund_transaction',
   lambdaProxyWrapper(fundTransactionHandler)
 )
+app.get('/checker', lambdaProxyWrapper(authorizerHandler))
 
 app.listen(8200, () => console.info('Server running on port 8200...'))
 
-function lambdaProxyWrapper(
-  handler: (event: APIGatewayProxyEvent) => Promise<APIGatewayProxyResult>
-) {
+function lambdaProxyWrapper(handler: (event: any) => Promise<any>) {
   return async (req: express.Request, res: express.Response) => {
     const event = {
       httpMethod: req.method,
@@ -28,14 +31,23 @@ function lambdaProxyWrapper(
         proxy: req.params[0]
       },
       headers: req.headers,
-      body: JSON.stringify(req.body)
+      body: JSON.stringify(req.body),
+      requestContext: {
+        http: {
+          sourceIp: req.query.ip ?? ''
+        }
+      }
     }
 
     const response = await handler(event as unknown as APIGatewayProxyEvent)
 
-    res.status(response.statusCode)
-    res.set(response.headers)
+    res.status(response.statusCode ?? 200)
+    res.set(response.headers ?? {})
 
-    return res.json(JSON.parse(response.body))
+    if (response.body) {
+      return res.json(JSON.parse(response.body))
+    }
+
+    return res.json(response)
   }
 }