Commit-Boost · jclapis · Sep 30, 2025 · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -33,6 +33,7 @@ cb-pbs = { path = "crates/pbs" }
 cb-signer = { path = "crates/signer" }
 cipher = "0.4"
 clap = { version = "4.5.4", features = ["derive", "env"] }
+client-ip = { version = "0.1.1", features = [ "forwarded-header" ] }
 color-eyre = "0.6.3"
 const_format = "0.2.34"
 ctr = "0.9.2"
@@ -74,6 +75,7 @@ tower-http = { version = "0.6", features = ["trace"] }
 tracing = "0.1.40"
 tracing-appender = "0.2.3"
 tracing-subscriber = { version = "0.3.18", features = ["env-filter", "json"] }
+tracing-test = { version = "0.2.5", features = ["no-env-filter"] }
 tree_hash = "0.9"
 tree_hash_derive = "0.9"
 typenum = "1.17.0"

diff --git a/api/signer-api.yml b/api/signer-api.yml
@@ -15,6 +15,7 @@ paths:
 
         The token **must include** the following claims:
         - `exp` (integer): Expiration timestamp
+        - `route` (string): The route being requested (must be `/signer/v1/get_pubkeys` for this endpoint).
         - `module` (string): The ID of the module making the request, which must match a module ID in the Commit-Boost configuration file.
       tags:
         - Signer
@@ -73,6 +74,7 @@ paths:
         The token **must include** the following claims:
         - `exp` (integer): Expiration timestamp
         - `module` (string): The ID of the module making the request, which must match a module ID in the Commit-Boost configuration file.
+        - `route` (string): The route being requested (must be `/signer/v1/request_signature/bls` for this endpoint).
         - `payload_hash` (string): The Keccak-256 hash of the JSON-encoded request body, with optional `0x` prefix. This is required to prevent JWT replay attacks.
       tags:
         - Signer
@@ -220,6 +222,7 @@ paths:
         The token **must include** the following claims:
         - `exp` (integer): Expiration timestamp
         - `module` (string): The ID of the module making the request, which must match a module ID in the Commit-Boost configuration file.
+        - `route` (string): The route being requested (must be `/signer/v1/request_signature/proxy-bls` for this endpoint).
         - `payload_hash` (string): The Keccak-256 hash of the JSON-encoded request body, with optional `0x` prefix. This is required to prevent JWT replay attacks.
       tags:
         - Signer
@@ -367,6 +370,7 @@ paths:
         The token **must include** the following claims:
         - `exp` (integer): Expiration timestamp
         - `module` (string): The ID of the module making the request, which must match a module ID in the Commit-Boost configuration file.
+        - `route` (string): The route being requested (must be `/signer/v1/request_signature/proxy-ecdsa` for this endpoint).
         - `payload_hash` (string): The Keccak-256 hash of the JSON-encoded request body, with optional `0x` prefix. This is required to prevent JWT replay attacks.
       tags:
         - Signer
@@ -514,6 +518,7 @@ paths:
         The token **must include** the following claims:
         - `exp` (integer): Expiration timestamp
         - `module` (string): The ID of the module making the request, which must match a module ID in the Commit-Boost configuration file.
+        - `route` (string): The route being requested (must be `/signer/v1/generate_proxy_key` for this endpoint).
         - `payload_hash` (string): The Keccak-256 hash of the JSON-encoded request body, with optional `0x` prefix. This is required to prevent JWT replay attacks.
       tags:
         - Signer

diff --git a/config.example.toml b/config.example.toml
@@ -165,7 +165,8 @@ port = 20000
 # Number of JWT authentication attempts a client can fail before blocking that client temporarily from Signer access
 # OPTIONAL, DEFAULT: 3
 jwt_auth_fail_limit = 3
-# How long to block a client from Signer access, in seconds, if it failed JWT authentication too many times
+# How long to block a client from Signer access, in seconds, if it failed JWT authentication too many times.
+# This also defines the interval at which failed attempts are regularly checked and expired ones are cleaned up.
 # OPTIONAL, DEFAULT: 300
 jwt_auth_fail_timeout_seconds = 300
 

diff --git a/crates/common/src/commit/client.rs b/crates/common/src/commit/client.rs
@@ -2,10 +2,7 @@ use std::path::PathBuf;
 
 use alloy::primitives::Address;
 use eyre::WrapErr;
-use reqwest::{
-    Certificate,
-    header::{AUTHORIZATION, HeaderMap, HeaderValue},
-};
+use reqwest::Certificate;
 use serde::{Deserialize, Serialize};
 use url::Url;
 
@@ -60,30 +57,13 @@ impl SignerClient {
         Ok(Self { url: signer_server_url, client: builder.build()?, module_id, jwt_secret })
     }
 
-    fn refresh_jwt(&mut self) -> Result<(), SignerClientError> {
-        let jwt = create_jwt(&self.module_id, &self.jwt_secret, None)?;
-
-        let mut auth_value =
-            HeaderValue::from_str(&format!("Bearer {jwt}")).wrap_err("invalid jwt")?;
-        auth_value.set_sensitive(true);
-
-        let mut headers = HeaderMap::new();
-        headers.insert(AUTHORIZATION, auth_value);
-
-        self.client = reqwest::Client::builder()
-            .timeout(DEFAULT_REQUEST_TIMEOUT)
-            .default_headers(headers)
-            .build()?;
-
-        Ok(())
-    }
-
     fn create_jwt_for_payload<T: Serialize>(
         &mut self,
+        route: &str,
         payload: &T,
     ) -> Result<Jwt, SignerClientError> {
         let payload_vec = serde_json::to_vec(payload)?;
-        create_jwt(&self.module_id, &self.jwt_secret, Some(&payload_vec))
+        create_jwt(&self.module_id, &self.jwt_secret, route, Some(&payload_vec))
             .wrap_err("failed to create JWT for payload")
             .map_err(SignerClientError::JWTError)
     }
@@ -92,10 +72,12 @@ impl SignerClient {
     /// requested.
     // TODO: add more docs on how proxy keys work
     pub async fn get_pubkeys(&mut self) -> Result<GetPubkeysResponse, SignerClientError> {
-        self.refresh_jwt()?;
+        let jwt = create_jwt(&self.module_id, &self.jwt_secret, GET_PUBKEYS_PATH, None)
+            .wrap_err("failed to create JWT for payload")
+            .map_err(SignerClientError::JWTError)?;
 
         let url = self.url.join(GET_PUBKEYS_PATH)?;
-        let res = self.client.get(url).send().await?;
+        let res = self.client.get(url).bearer_auth(jwt).send().await?;
 
         if !res.status().is_success() {
             return Err(SignerClientError::FailedRequest {
@@ -117,7 +99,7 @@ impl SignerClient {
         Q: Serialize,
         T: for<'de> Deserialize<'de>,
     {
-        let jwt = self.create_jwt_for_payload(request)?;
+        let jwt = self.create_jwt_for_payload(route, request)?;
 
         let url = self.url.join(route)?;
         let res = self.client.post(url).json(&request).bearer_auth(jwt).send().await?;
@@ -165,7 +147,7 @@ impl SignerClient {
     where
         T: ProxyId + for<'de> Deserialize<'de>,
     {
-        let jwt = self.create_jwt_for_payload(request)?;
+        let jwt = self.create_jwt_for_payload(GENERATE_PROXY_KEY_PATH, request)?;
 
         let url = self.url.join(GENERATE_PROXY_KEY_PATH)?;
         let res = self.client.post(url).json(&request).bearer_auth(jwt).send().await?;

diff --git a/crates/common/src/config/signer.rs b/crates/common/src/config/signer.rs
@@ -88,7 +88,8 @@ pub struct SignerConfig {
     pub jwt_auth_fail_limit: u32,
 
     /// Duration in seconds to rate limit an endpoint after the JWT auth failure
-    /// limit has been reached
+    /// limit has been reached. This also defines the interval at which failed
+    /// attempts are regularly checked and expired ones are cleaned up.
     #[serde(default = "default_u32::<SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_DEFAULT>")]
     pub jwt_auth_fail_timeout_seconds: u32,
 

diff --git a/crates/common/src/signer/store.rs b/crates/common/src/signer/store.rs
@@ -244,14 +244,14 @@ impl ProxyStore {
                                         serde_json::from_str(&file_content)?;
                                     let signer =
                                         EcdsaSigner::new_from_bytes(&key_and_delegation.secret)?;
-                                    let pubkey = signer.address();
+                                    let address = signer.address();
                                     let proxy_signer = EcdsaProxySigner {
                                         signer,
                                         delegation: key_and_delegation.delegation,
                                     };
 
-                                    proxy_signers.ecdsa_signers.insert(pubkey, proxy_signer);
-                                    ecdsa_map.entry(module_id.clone()).or_default().push(pubkey);
+                                    proxy_signers.ecdsa_signers.insert(address, proxy_signer);
+                                    ecdsa_map.entry(module_id.clone()).or_default().push(address);
                                 }
                             }
                         }

diff --git a/crates/common/src/types.rs b/crates/common/src/types.rs
@@ -26,13 +26,15 @@ pub struct Jwt(pub String);
 pub struct JwtClaims {
     pub exp: u64,
     pub module: ModuleId,
+    pub route: String,
     pub payload_hash: Option<B256>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct JwtAdminClaims {
     pub exp: u64,
     pub admin: bool,
+    pub route: String,
     pub payload_hash: Option<B256>,
 }