auth for engine api (#3046)

## Issue Addressed Resolves #3015 ## Proposed Changes Add JWT token based authentication to engine api requests. The jwt secret key is read from the provided file and is used to sign tokens that are used for authenticated communication with the EL node. - [x] Interop with geth (synced `merge-devnet-4` with the `merge-kiln-v2` branch on geth) - [x] Interop with other EL clients (nethermind on `merge-devnet-4`) - [x] ~Implement `zeroize` for jwt secrets~ - [x] Add auth server tests with `mock_execution_layer` - [x] Get auth working with the `execution_engine_integration` tests Co-authored-by: Paul Hauner <paul@paulhauner.com>
2026-03-14 18:32:42 +00:00 · 2022-03-08 06:46:24 +00:00
parent 3b4865c3ae
commit 381d0ece3c
18 changed files with 735 additions and 79 deletions
--- a/beacon_node/src/cli.rs
+++ b/beacon_node/src/cli.rs
@@ -414,6 +414,35 @@ pub fn cli_app<'a, 'b>() -> App<'a, 'b> {
                       will be used. Defaults to http://127.0.0.1:8545.")
                .takes_value(true)
        )
+        .arg(
+            Arg::with_name("jwt-secrets")
+                .long("jwt-secrets")
+                .value_name("JWT-SECRETS")
+                .help("One or more comma-delimited file paths which contain the corresponding hex-encoded \
+                       JWT secrets for each execution endpoint provided in the --execution-endpoints flag. \
+                       The number of paths should be in the same order and strictly equal to the number \
+                       of execution endpoints provided.")
+                .takes_value(true)
+                .requires("execution-endpoints")
+        )
+        .arg(
+            Arg::with_name("jwt-id")
+                .long("jwt-id")
+                .value_name("JWT-ID")
+                .help("Used by the beacon node to communicate a unique identifier to execution nodes \
+                       during JWT authentication. It corresponds to the 'id' field in the JWT claims object.\
+                       Set to empty by deafult")
+                .takes_value(true)
+        )
+        .arg(
+            Arg::with_name("jwt-version")
+                .long("jwt-version")
+                .value_name("JWT-VERSION")
+                .help("Used by the beacon node to communicate a client version to execution nodes \
+                       during JWT authentication. It corresponds to the 'clv' field in the JWT claims object.\
+                       Set to empty by deafult")
+                .takes_value(true)
+        )
        .arg(
            Arg::with_name("suggested-fee-recipient")
                .long("suggested-fee-recipient")