feat: add jwt secret for authentication (#243)

* feat: Add jwt secret for authentication

The code changes add a new field `jwt_secret` to the `Cli` struct in `lib.rs`. This field allows setting the JWT secret for authentication. Additionally, the `create_router` function in `api/mod.rs` now takes the `jwt_secret` as a parameter.

Recent user commits and repository commits are not relevant for generating the commit message.

* feat: jwt as option without default value

* feat: add dummy token

* fix: lock file permission

host/src/lib.rs

@@ -106,6 +106,10 @@ pub struct Cli {
     #[serde(flatten)]
     /// Proof request options
     pub proof_request_opt: ProofRequestOpt,
+
+    #[arg(long, require_equals = true)]
+    /// Set jwt secret for auth
+    jwt_secret: Option<String>,
 }
 
 impl Cli {

host/src/server/api/mod.rs

@@ -11,13 +11,14 @@ use tower_http::{
     compression::CompressionLayer,
     cors::{self, CorsLayer},
     trace::TraceLayer,
+    validate_request::ValidateRequestHeaderLayer,
 };
 
 use crate::ProverState;
 
 mod v1;
 
-pub fn create_router(concurrency_limit: usize) -> Router<ProverState> {
+pub fn create_router(concurrency_limit: usize, jwt_secret: Option<&str>) -> Router<ProverState> {
     let cors = CorsLayer::new()
         .allow_methods([Method::GET, Method::POST, Method::OPTIONS])
         .allow_headers([
@@ -35,15 +36,22 @@ pub fn create_router(concurrency_limit: usize) -> Router<ProverState> {
 
     let v1_api = v1::create_router(concurrency_limit);
 
-    Router::new()
+    let router = Router::new()
         .nest("/v1", v1_api.clone())
         .merge(v1_api)
         .layer(middleware)
         .layer(middleware::from_fn(check_max_body_size))
         .layer(trace)
         .fallback(|uri: Uri| async move {
             (StatusCode::NOT_FOUND, format!("No handler found for {uri}"))
-        })
+        });
+
+    if let Some(jwt_secret) = jwt_secret {
+        let auth = ValidateRequestHeaderLayer::bearer(jwt_secret);
+        router.layer(auth)
+    } else {
+        router
+    }
 }
 
 pub fn create_docs() -> utoipa::openapi::OpenApi {

host/src/server/mod.rs

@@ -16,7 +16,11 @@ pub async fn serve(state: ProverState) -> anyhow::Result<()> {
 
     debug!("Listening on: {}", listener.local_addr()?);
 
-    let router = create_router(state.opts.concurrency_limit).with_state(state);
+    let router = create_router(
+        state.opts.concurrency_limit,
+        state.opts.jwt_secret.as_deref(),
+    )
+    .with_state(state);
     axum::serve(listener, router)
         .await
         .context("Server couldn't serve")?;

provers/sgx/setup/src/setup_bootstrap.rs

@@ -28,7 +28,7 @@ pub(crate) async fn setup_bootstrap(
     let _filelock = FileLock::lock(
         config_dir.join("bootstrap.lock"),
         true,
-        FileOptions::new().create(true),
+        FileOptions::new().create(true).write(true),
     )?;
     let chain_specs = SupportedChainSpecs::merge_from_file(bootstrap_args.chain_spec_path.clone())?;
     let l1_chain_spec = chain_specs

script/prove-block.sh

@@ -32,7 +32,7 @@ elif [ "$chain" == "taiko_a7" ]; then
 	l1_network="holesky"
 else
 	echo "Using customized chain name $1. Please double check the RPCs."
-    l1_network="holesky"
+	l1_network="holesky"
 fi
 
 if [ "$proof" == "native" ]; then
@@ -114,6 +114,7 @@ for block in $(eval echo {$rangeStart..$rangeEnd}); do
 	echo "- proving block $block"
 	curl --location --request POST 'http://localhost:8080/proof' \
 		--header 'Content-Type: application/json' \
+		--header 'Authorization: Bearer 4cbd753fbcbc2639de804f8ce425016a50e0ecd53db00cb5397912e83f5e570e' \
 		--data-raw "{
          \"network\": \"$chain\",
          \"l1_network\": \"$l1_network\",