feat(op-service): add route-specific JWT authentication support #19
Closed
opsuperchain wants to merge 16 commits into develop
…timism#18660)
* feat: initial add-game-type-v2 command (ethereum-optimism#770)
* WIP: opcmv2 upgrade op chain (ethereum-optimism#752)
* feat: upgrade op chain wip
* feat: add deployv2 wip
* fix: deployerv2 wip
* refactor: remove additional V2 version of scripts
* refactor: adds OPCM v2 support for UpgradeOPChain.s.sol
* refactor: adds OPCM v2 support for UpgradeSuperchainConfig.s.sol
* fix: uses correct json key for upgradeInput
* fix: uses correct feature flag for OPCM v2 in devfeatures.go
* chore: add json tag to ExtraInstruction
---------
Co-authored-by: Flux <175354924+0xiamflux@users.noreply.github.com>
* feat: adds intermediary struct for op-deployer upgrade (ethereum-optimism#759)
* feat: adds intermediary struct for op-deployer upgrade
* chore: moved upgrade scripts to v6_0_0
* chore: remove v2 go scripts
* refactor: make v2_0_0 upgrade path to support both OPCM v1 and v2
* feat: add support for both OPCM v1 and v2 on embedded upgrade
* refactor: make v6_0_0 fall back to v2_0_0
* refactor: add extra instructions for upgrade superchain input
* test: fix op-deployer tests
* chore: remove deploy OP chain test step
* test: use systemconfig proxy address
* fix: remove the unneeded proxyadmin in OPChainConfig in op-deployer
* refactor: revert v2_0_0 changes in favor of a new v6_0_0 that supports OPCMv2
* feat: add v6_0_0 upgrade
* fix: check for 0 len OPChainConfigs
* chore: pre-pr ready
* Merge pull request ethereum-optimism#764 from defi-wonderland/fix/opcm2-upgradeopchain-comments fix: opcm2 upgradeopchain comments
* refactor: remove enshrined v7_0_0 upgrade in op-deployer (ethereum-optimism#766)
* test: use correct game type and pass correct extra instruction to UpgradeOPChain (ethereum-optimism#768)
* test: add missing extra instructions for OPCM v2 input
* fix: add correct game type for cannon kona
* feat: initial add-game-type-v2 command
* test: add tests for ShouldAllowV1 flag
* refactor: remove shouldAllowV1 flag
* chore: remove unused private key flag from the add game type v2 command
* chore: remove skipping upgrade test
* chore: name changes and comments
* chore: update usage description add-game-type-v2
* test: update add-game-type-opcm-v2 tests
---------
Co-authored-by: niha <205694301+0xniha@users.noreply.github.com>
* chore: opcm2 addgametypev2 comments (ethereum-optimism#780)
* chore: move ABI types to lib file
* chore: move hardcoded values to constants file
* refactor: make abi_types use MustType
* test: deploys OPCM v2 for use during CLI testing (ethereum-optimism#784)
* test: deploys OPCM v2 for use during CLI testing
* chore: reference a github issue for TODO
* test: add assertions on the output of add game type command
* test: update cli tests (ethereum-optimism#792)
* chore: Address review comments (ethereum-optimism#793)
* refactor: remove re-declared flags from add-game-type v2
* chore: remove irrelevant TODO
* refactor: rename "add-game-type-opcm-v2" command to "add-game-type-v2"
* test: add cache dir check for add-game-type-v2
* test: removes cache dir files check on e2e test (ethereum-optimism#794)
---------
Co-authored-by: niha <205694301+0xniha@users.noreply.github.com>

…timism#18638)
* op-node: validate EIP-1559 params in derivation pipeline
  Add redundant validation for zero elasticity multiplier in EIP-1559 parameters during derivation, providing defense-in-depth against contract-level checks being accidentally removed.
  The SystemConfig contract already enforces denominator >= 1 and elasticity >= 1, but this adds the same check in the derivation pipeline for redundancy.
  Closes ethereum-optimism#18625
  Co-Authored-By: Kelvin Fichter <kelvinfichter@gmail.com>
* op-node: use ValidateHolocene1559Params for EIP-1559 validation
  - Move validation from ProcessSystemConfigUpdateLogEvent into parseSystemConfigUpdateEIP1559Params
  - Use eip1559.ValidateHolocene1559Params instead of manual checks
  - Update op-geth dependency to include elasticity validation (PR ethereum-optimism#743)
  Co-Authored-By: Kelvin Fichter <kelvinfichter@gmail.com>
* op-node: fix test to use valid EIP-1559 params
  The createMismatchedEIP1559Params test was creating invalid params (denominator=1, elasticity=0) which now triggers validation error from op-geth PR ethereum-optimism#743. Fix by using valid but mismatched params (999, 999).
  Co-Authored-By: Kelvin Fichter <kelvinfichter@gmail.com>
* update go.mod
* fix test
* update go.mod (after merging op-geth PR)
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Kelvin Fichter <kelvinfichter@gmail.com>
Co-authored-by: Sebastian Stammler <seb@oplabs.co>

…st (ethereum-optimism#18739)
* sysgo: allow OS to assign ports for opreth and rbuilder
* sysgo: allow OS to assign ports for rollup-boost
* make lint-go

* op-challenger: Use wrapped RPC client with multicaller. Ensures that timeouts are applied to requests.
* op-challenger: Convert preimage fetcher to use L1Source. Adds timeouts on requests and more efficient receipt fetching.
* op-challenger: Switch generic player to use L1Client to fetch L1Head number
* op-challenger: Add flag to set RPC Kind
* op-challenger: Add timeout when fetching L2 block headers

…timism#18724)
* Add EL eth_simulate acceptance test and init
* Strengthen eth_simulate test assertions
  Add ReturnFullTransactions to simulation params and require the RPC call to succeed. Assert exactly one block and one transaction are returned and verify the transaction is a dynamic fee tx (type 0x2).
* Assert blobGasUsed nonzero in eth_simulate test
  Decode blobGasUsed with hexutil and assert it's nonzero to ensure eth_simulateV1 can estimate DA size. Also fix a comment typo (bock -> block).
* Assert eth_simulateV1 errors on genesis block
  Call eth_simulateV1 with block "0x0" (genesis) and require an error to ensure the method cannot be used on the genesis block
  move test under "base" directory
* tidy
* just update-op-geth e4826126d22171e97a31a05c7405b46143384ab7
* Fix spacing in commented replace in go.mod

…hereum-optimism#18624)
* Remove go 1.24 feature flag, leaving SysGetRandom syscall enabled
* contracts: Remove go 1.24 feature flag, leaving SysGetRandom syscall enabled
* Update semver-lock.json
* Remove commented-out Features struct and function

* Add timeout to vm-runner
* Remove special handling and metric for vm timeout
* Handle VM timeout errors differently from other errors in the runner
* Don't treat errors in traceProviderCreator as VM timeouts
* Combine VM failure metrics and add a reason label
* Re-add "_current" to metric name

…coverage (ethereum-optimism#18744)
* test(contracts): convert MintManager tests to fuzz tests for broader coverage
* docs(contracts): add natspec explaining first mint is uncapped
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

…8634)
* feat: have upgrade test blocks update every week
* fix: performance enhancements
* fix: corrected pinned block number statement
* fix: correct trigger name
* feat: simplify and use cast find block
* fix: pass rpc to fork block write step
* fix: errant comments

Add ability to configure different authentication handlers per route, enabling public APIs on the root path while protecting admin APIs with JWT authentication on a separate route (e.g., /admin).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

opsuperchain pushed a commit that referenced this pull request Mar 8, 2026
…imism#19281)
* fix(contracts): address audit findings #14, #6, #8, #13, #19
  - #14: Reuse existing DelayedWETH from SystemConfig instead of deploying a new one in the Migrator, preventing divergence with future upgrades
  - #6: Document that hardcoded game type lists in OPCMv2 and Migrator are intentional and must be kept in sync when new types are added
  - #8: Document that migrate() does not enforce SuperchainConfig version floor
  - #13: Document why migration game config validation is deliberately minimal
  - #19: Document theoretical risk in AnchorStateRegistry.isGameRegistered when ASR proxy is replaced non-atomically
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(contracts): add cross-reference comment to GameTypes library
  Add a notice to the GameTypes library reminding developers to update the hardcoded game type lists in OPContractsManagerMigrator and OPContractsManagerV2's _assertValidFullConfig when adding new types.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(contracts): bump OPContractsManagerV2 version for rebase
  Bump OPContractsManagerV2 from 7.0.9 to 7.0.10 to account for the comment-only source change (cross-reference note added in prior commit) that affects the bytecode metadata hash.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(contracts): bump OPContractsManagerV2 version to 7.0.11 for semver-diff CI fix
* fix(contracts): apply forge fmt and bump versions for formatting changes
  forge fmt changed OPContractsManager, FaultDisputeGame, SuperFaultDisputeGame, and several other files. Bump patch versions for the contracts with hash changes, and regenerate semver-lock and snapshots.
  - OPContractsManager: 6.0.3 -> 6.0.4
  - FaultDisputeGame: 2.4.0 -> 2.4.1
  - SuperFaultDisputeGame: 0.7.0 -> 0.7.1
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: smartcontracts <smartcontracts@users.noreply.github.com>

Summary
Add ability to configure different authentication handlers per route in the RPC handler, enabling public APIs on the root path while protecting admin APIs with JWT authentication on a separate route (e.g., /admin).

Changes
* rootRPCAuthenticated field to handler to control root route authentication separately
* WithRootRPCAuthentication() option function for configuring root auth behavior
* TestHandlerAuthenticationWithPublicRoot demonstrating public root + authenticated sub-routes

Use Case
This enables services like op-interop-filter to expose public supervisor APIs on / while protecting admin APIs (failsafe control) on /admin with JWT authentication.

Files Changed
* op-service/rpc/handler.go - Added root auth control
* op-service/rpc/handler_options.go - New option function
* op-service/rpc/handler_test.go - Test coverage

Test plan
🤖 Generated with Claude Code
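
The route split described in the summary above (public root, JWT-protected /admin), as an added example that is not code from this pull request or from op-service: `newMux` and `validJWT` are hypothetical names, and HS256 with a one-minute `iat` window is an assumed token policy. It uses only the Go standard library and shows that any path other than the exact guarded route falls through to the public handler, so admin methods must be registered on the guarded route only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
	"time"
)

// validJWT pins alg to HS256, checks the MAC in constant time, and wants iat within a minute (assumed policy).
func validJWT(tok string, secret []byte, now time.Time) bool {
	var hdr struct{ Alg string `json:"alg"` }
	var cl struct{ Iat int64 `json:"iat"` }
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return false
	}
	h, e1 := base64.RawURLEncoding.DecodeString(p[0])
	c, e2 := base64.RawURLEncoding.DecodeString(p[1])
	if e1 != nil || e2 != nil || json.Unmarshal(h, &hdr) != nil || json.Unmarshal(c, &cl) != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(p[0] + "." + p[1]))
	return hdr.Alg == "HS256" && now.Sub(time.Unix(cl.Iat, 0)).Abs() < time.Minute &&
		hmac.Equal([]byte(p[2]), []byte(base64.RawURLEncoding.EncodeToString(mac.Sum(nil))))
}

// newMux (hypothetical) guards only the exact "/admin" route; every other path reaches the public handler.
func newMux(secret []byte, public, admin http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/", public)
	mux.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) {
		tok, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		if !ok || !validJWT(tok, secret, time.Now()) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		admin.ServeHTTP(w, r)
	})
	return mux
}

func main() { // loopback demo; the secret and stub handler are constructed placeholders
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })
	http.ListenAndServe("127.0.0.1:8080", newMux([]byte("constructed-demo-secret"), stub, stub))
}
```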