feat: add support for auth-protected subgraph query URLs (#226)

* feat: add support for auth-protected subgraph query URLs

This allows to configure a bearer auth token for the network and
escrow subgraphs, in case that is required for the endpoint used.

* fix(all): create function for_query_url_with_token

Signed-off-by: Gustavo Inacio <[email protected]>

* docs(config): adding new `query_auth_token` field

It is commented-out because TOML does not support `null` optionals

Signed-off-by: Alexis Asseman <[email protected]>

---------

Signed-off-by: Gustavo Inacio <[email protected]>
Signed-off-by: Alexis Asseman <[email protected]>
Co-authored-by: Gustavo Inacio <[email protected]>
Co-authored-by: Alexis Asseman <[email protected]>

common/src/indexer_service/http/config.rs

@@ -20,6 +20,7 @@ pub struct SubgraphConfig {
 
     pub deployment: Option<DeploymentId>,
     pub query_url: String,
+    pub query_auth_token: Option<String>,
     pub syncing_interval: u64,
     pub recently_closed_allocation_buffer_seconds: u64,
 }

common/src/indexer_service/http/indexer_service.rs

@@ -211,7 +211,10 @@ impl IndexerService {
                     )
                 })
                 .transpose()?,
-            DeploymentDetails::for_query_url(&options.config.network_subgraph.query_url)?,
+            DeploymentDetails::for_query_url_with_token(
+                &options.config.network_subgraph.query_url,
+                options.config.network_subgraph.query_auth_token.clone(),
+            )?,
         )));
 
         // Identify the dispute manager for the configured network
@@ -254,7 +257,10 @@ impl IndexerService {
                     )
                 })
                 .transpose()?,
-            DeploymentDetails::for_query_url(&options.config.escrow_subgraph.query_url)?,
+            DeploymentDetails::for_query_url_with_token(
+                &options.config.escrow_subgraph.query_url,
+                options.config.escrow_subgraph.query_auth_token.clone(),
+            )?,
         )));
 
         let escrow_accounts = escrow_accounts(

common/src/subgraph_client/client.rs

@@ -80,6 +80,7 @@ pub struct DeploymentDetails {
     pub deployment: Option<DeploymentId>,
     pub status_url: Option<Url>,
     pub query_url: Url,
+    pub query_auth_token: Option<String>,
 }
 
 impl DeploymentDetails {
@@ -93,6 +94,7 @@ impl DeploymentDetails {
             status_url: Some(Url::parse(graph_node_status_url)?),
             query_url: Url::parse(graph_node_base_url)?
                 .join(&format!("subgraphs/id/{deployment}"))?,
+            query_auth_token: None,
         })
     }
 
@@ -101,6 +103,19 @@ impl DeploymentDetails {
             deployment: None,
             status_url: None,
             query_url: Url::parse(query_url)?,
+            query_auth_token: None,
+        })
+    }
+
+    pub fn for_query_url_with_token(
+        query_url: &str,
+        query_auth_token: Option<String>,
+    ) -> Result<Self, anyhow::Error> {
+        Ok(Self {
+            deployment: None,
+            status_url: None,
+            query_url: Url::parse(query_url)?,
+            query_auth_token,
         })
     }
 }
@@ -114,10 +129,11 @@ struct DeploymentClient {
 
 impl DeploymentClient {
     pub fn new(http_client: reqwest::Client, details: DeploymentDetails) -> Self {
-        let subgraph_client = Mutex::new(GraphCoreSubgraphClient::new(
-            http_client.clone(),
-            details.query_url.clone(),
-        ));
+        let subgraph_client = Mutex::new(
+            GraphCoreSubgraphClient::builder(http_client.clone(), details.query_url.clone())
+                .with_auth_token(details.query_auth_token)
+                .build(),
+        );
         Self {
             http_client,
             subgraph_client,

config/maximal-config-example.toml

@@ -40,6 +40,9 @@ status_url = "http://graph-node:8000/graphql"
 [subgraphs.network]
 # Query URL for the Graph Network subgraph.
 query_url = "http://example.com/network-subgraph"
+# Optional, Auth token will used a "bearer auth"
+# query_auth_token = "super-secret"
+
 # Optional, deployment to look for in the local `graph-node`, if locally indexed.
 # Locally indexing the subgraph is recommended.
 # NOTE: Use `query_url` or `deployment_id` only
@@ -55,6 +58,9 @@ recently_closed_allocation_buffer_secs = 3600
 [subgraphs.escrow]
 # Query URL for the Escrow subgraph.
 query_url = "http://example.com/network-subgraph"
+# Optional, Auth token will used a "bearer auth"
+# query_auth_token = "super-secret"
+
 # Optional, deployment to look for in the local `graph-node`, if locally indexed.
 # Locally indexing the subgraph is recommended.
 # NOTE: Use `query_url` or `deployment_id` only

config/src/config.rs

@@ -183,6 +183,7 @@ pub struct EscrowSubgraphConfig {
 #[serde(deny_unknown_fields)]
 pub struct SubgraphConfig {
     pub query_url: Url,
+    pub query_auth_token: Option<String>,
     pub deployment_id: Option<DeploymentId>,
     #[serde_as(as = "DurationSecondsWithFrac<f64>")]
     pub syncing_interval_secs: Duration,

service/src/config.rs

@@ -41,6 +41,7 @@ impl From<MainConfig> for Config {
                 serve_auth_token: value.service.serve_auth_token.clone(),
                 deployment: value.subgraphs.network.config.deployment_id,
                 query_url: value.subgraphs.network.config.query_url.into(),
+                query_auth_token: value.subgraphs.network.config.query_auth_token.clone(),
                 syncing_interval: value
                     .subgraphs
                     .network
@@ -58,6 +59,7 @@ impl From<MainConfig> for Config {
                 serve_auth_token: value.service.serve_auth_token,
                 deployment: value.subgraphs.escrow.config.deployment_id,
                 query_url: value.subgraphs.escrow.config.query_url.into(),
+                query_auth_token: value.subgraphs.network.config.query_auth_token,
                 syncing_interval: value
                     .subgraphs
                     .escrow

tap-agent/src/agent.rs

@@ -38,13 +38,15 @@ pub async fn start_agent() -> (ActorRef<SenderAccountsManagerMessage>, JoinHandl
             NetworkSubgraph {
                 network_subgraph_deployment,
                 network_subgraph_endpoint,
+                network_subgraph_auth_token,
                 allocation_syncing_interval_ms,
                 recently_closed_allocation_buffer_seconds,
             },
         escrow_subgraph:
             EscrowSubgraph {
                 escrow_subgraph_deployment,
                 escrow_subgraph_endpoint,
+                escrow_subgraph_auth_token,
                 escrow_syncing_interval_ms,
             },
         tap:
@@ -71,8 +73,11 @@ pub async fn start_agent() -> (ActorRef<SenderAccountsManagerMessage>, JoinHandl
             })
             .transpose()
             .expect("Failed to parse graph node query endpoint and network subgraph deployment"),
-        DeploymentDetails::for_query_url(network_subgraph_endpoint)
-            .expect("Failed to parse network subgraph endpoint"),
+        DeploymentDetails::for_query_url_with_token(
+            network_subgraph_endpoint,
+            network_subgraph_auth_token.clone(),
+        )
+        .expect("Failed to parse network subgraph endpoint"),
     )));
 
     let indexer_allocations = indexer_allocations(
@@ -94,8 +99,11 @@ pub async fn start_agent() -> (ActorRef<SenderAccountsManagerMessage>, JoinHandl
             })
             .transpose()
             .expect("Failed to parse graph node query endpoint and escrow subgraph deployment"),
-        DeploymentDetails::for_query_url(escrow_subgraph_endpoint)
-            .expect("Failed to parse escrow subgraph endpoint"),
+        DeploymentDetails::for_query_url_with_token(
+            escrow_subgraph_endpoint,
+            escrow_subgraph_auth_token.clone(),
+        )
+        .expect("Failed to parse escrow subgraph endpoint"),
     )));
 
     let escrow_accounts = escrow_accounts(

tap-agent/src/config.rs

@@ -42,6 +42,7 @@ impl From<IndexerConfig> for Config {
             network_subgraph: NetworkSubgraph {
                 network_subgraph_deployment: value.subgraphs.network.config.deployment_id,
                 network_subgraph_endpoint: value.subgraphs.network.config.query_url.into(),
+                network_subgraph_auth_token: value.subgraphs.network.config.query_auth_token,
                 allocation_syncing_interval_ms: value
                     .subgraphs
                     .network
@@ -57,6 +58,7 @@ impl From<IndexerConfig> for Config {
             escrow_subgraph: EscrowSubgraph {
                 escrow_subgraph_deployment: value.subgraphs.escrow.config.deployment_id,
                 escrow_subgraph_endpoint: value.subgraphs.escrow.config.query_url.into(),
+                escrow_subgraph_auth_token: value.subgraphs.escrow.config.query_auth_token,
                 escrow_syncing_interval_ms: value
                     .subgraphs
                     .escrow
@@ -137,6 +139,7 @@ impl Default for Postgres {
 pub struct NetworkSubgraph {
     pub network_subgraph_deployment: Option<DeploymentId>,
     pub network_subgraph_endpoint: String,
+    pub network_subgraph_auth_token: Option<String>,
     pub allocation_syncing_interval_ms: u64,
     pub recently_closed_allocation_buffer_seconds: u64,
 }
@@ -145,6 +148,7 @@ pub struct NetworkSubgraph {
 pub struct EscrowSubgraph {
     pub escrow_subgraph_deployment: Option<DeploymentId>,
     pub escrow_subgraph_endpoint: String,
+    pub escrow_subgraph_auth_token: Option<String>,
     pub escrow_syncing_interval_ms: u64,
 }