feat(cast): add JWT secret configuration (foundry-rs#5501)

* feat(cast): add JWT secret configuration

* set patches to branch

* fix cli test

* remove patches

* change `jwt` to `jwt-secret`

* change usages oops

* fix rpc_jwt_secret docs, add usage docs

* chore: use const-hex

---------

Co-authored-by: Enrique Ortiz <hi@enriqueortiz.dev>

Author: Rjected

Cargo.lock

@@ -23,6 +23,18 @@ pub struct RpcOpts {
     /// Use the Flashbots RPC URL (https://rpc.flashbots.net).
     #[clap(long)]
     pub flashbots: bool,
+
+    /// JWT Secret for the RPC endpoint.
+    ///
+    /// The JWT secret will be used to create a JWT for a RPC. For example, the following can be
+    /// used to simulate a CL `engine_forkchoiceUpdated` call:
+    ///
+    /// cast rpc --jwt-secret <JWT_SECRET> engine_forkchoiceUpdatedV2
+    /// '["0x6bb38c26db65749ab6e472080a3d20a2f35776494e72016d1e339593f21c59bc",
+    /// "0x6bb38c26db65749ab6e472080a3d20a2f35776494e72016d1e339593f21c59bc",
+    /// "0x6bb38c26db65749ab6e472080a3d20a2f35776494e72016d1e339593f21c59bc"]'
+    #[clap(long, env = "ETH_RPC_JWT_SECRET")]
+    pub jwt_secret: Option<String>,
 }
 
 impl_figment_convert_cast!(RpcOpts);
@@ -49,11 +61,24 @@ impl RpcOpts {
         Ok(url)
     }
 
+    /// Returns the JWT secret.
+    pub fn jwt<'a>(&'a self, config: Option<&'a Config>) -> Result<Option<Cow<'a, str>>> {
+        let jwt = match (self.jwt_secret.as_deref(), config) {
+            (Some(jwt), _) => Some(Cow::Borrowed(jwt)),
+            (None, Some(config)) => config.get_rpc_jwt_secret()?,
+            (None, None) => None,
+        };
+        Ok(jwt)
+    }
+
     pub fn dict(&self) -> Dict {
         let mut dict = Dict::new();
         if let Ok(Some(url)) = self.url(None) {
             dict.insert("eth_rpc_url".into(), url.into_owned().into());
         }
+        if let Ok(Some(jwt)) = self.jwt(None) {
+            dict.insert("eth_rpc_jwt".into(), jwt.into_owned().into());
+        }
         dict
     }
 }

crates/cli/src/opts/ethereum.rs

@@ -90,14 +90,22 @@ pub fn parse_u256(s: &str) -> Result<U256> {
 pub fn get_provider(config: &Config) -> Result<foundry_common::RetryProvider> {
     get_provider_builder(config)?.build()
 }
+
 /// Returns a [ProviderBuilder](foundry_common::ProviderBuilder) instantiated using [Config]'s RPC
 /// URL and chain.
 ///
 /// Defaults to `http://localhost:8545` and `Mainnet`.
 pub fn get_provider_builder(config: &Config) -> Result<foundry_common::ProviderBuilder> {
     let url = config.get_rpc_url_or_localhost_http()?;
     let chain = config.chain_id.unwrap_or_default();
-    Ok(foundry_common::ProviderBuilder::new(url.as_ref()).chain(chain))
+    let mut builder = foundry_common::ProviderBuilder::new(url.as_ref()).chain(chain);
+
+    let jwt = config.get_rpc_jwt_secret()?;
+    if let Some(jwt) = jwt {
+        builder = builder.jwt(jwt.as_ref());
+    }
+
+    Ok(builder)
 }
 
 pub async fn get_chain<M>(chain: Option<Chain>, provider: M) -> Result<Chain>

crates/cli/src/utils/mod.rs

@@ -43,6 +43,8 @@ once_cell = "1"
 dunce = "1"
 regex = "1"
 globset = "0.4"
+# Using const-hex instead of hex for speed
+hex.workspace = true
 
 [dev-dependencies]
 tokio = { version = "1", features = ["rt-multi-thread", "macros"] }

crates/common/Cargo.toml

@@ -4,11 +4,11 @@ use crate::{ALCHEMY_FREE_TIER_CUPS, REQUEST_TIMEOUT};
 use ethers_core::types::{Chain, U256};
 use ethers_middleware::gas_oracle::{GasCategory, GasOracle, Polygon};
 use ethers_providers::{
-    is_local_endpoint, Http, HttpRateLimitRetryPolicy, Middleware, Provider, RetryClient,
-    RetryClientBuilder, DEFAULT_LOCAL_POLL_INTERVAL,
+    is_local_endpoint, Authorization, Http, HttpRateLimitRetryPolicy, JwtAuth, JwtKey, Middleware,
+    Provider, RetryClient, RetryClientBuilder, DEFAULT_LOCAL_POLL_INTERVAL,
 };
 use eyre::WrapErr;
-use reqwest::{IntoUrl, Url};
+use reqwest::{header::HeaderValue, IntoUrl, Url};
 use std::{borrow::Cow, time::Duration};
 
 /// Helper type alias for a retry provider
@@ -53,6 +53,8 @@ pub struct ProviderBuilder {
     timeout: Duration,
     /// available CUPS
     compute_units_per_second: u64,
+    /// JWT Secret
+    jwt: Option<String>,
 }
 
 // === impl ProviderBuilder ===
@@ -76,6 +78,7 @@ impl ProviderBuilder {
             timeout: REQUEST_TIMEOUT,
             // alchemy max cpus <https://github.com/alchemyplatform/alchemy-docs/blob/master/documentation/compute-units.md#rate-limits-cups>
             compute_units_per_second: ALCHEMY_FREE_TIER_CUPS,
+            jwt: None,
         }
     }
 
@@ -141,6 +144,12 @@ impl ProviderBuilder {
         self.max_retry(100).initial_backoff(100)
     }
 
+    /// Sets the JWT secret
+    pub fn jwt(mut self, jwt: impl Into<String>) -> Self {
+        self.jwt = Some(jwt.into());
+        self
+    }
+
     /// Same as [`Self:build()`] but also retrieves the `chainId` in order to derive an appropriate
     /// interval
     pub async fn connect(self) -> eyre::Result<RetryProvider> {
@@ -163,10 +172,33 @@ impl ProviderBuilder {
             initial_backoff,
             timeout,
             compute_units_per_second,
+            jwt,
         } = self;
         let url = url?;
 
-        let client = reqwest::Client::builder().timeout(timeout).build()?;
+        let mut client_builder = reqwest::Client::builder().timeout(timeout);
+
+        // Set the JWT auth as a header if present
+        if let Some(jwt) = jwt {
+            // Decode jwt from hex, then generate claims (iat with current timestamp)
+            let jwt = hex::decode(jwt)?;
+            let secret =
+                JwtKey::from_slice(&jwt).map_err(|err| eyre::eyre!("Invalid JWT: {}", err))?;
+            let auth = JwtAuth::new(secret, None, None);
+            let token = auth.generate_token()?;
+
+            // Essentially unrolled ethers-rs new_with_auth to accomodate the custom timeout
+            let auth = Authorization::Bearer(token);
+            let mut auth_value = HeaderValue::from_str(&auth.to_string())?;
+            auth_value.set_sensitive(true);
+
+            let mut headers = reqwest::header::HeaderMap::new();
+            headers.insert(reqwest::header::AUTHORIZATION, auth_value);
+
+            client_builder = client_builder.default_headers(headers);
+        }
+
+        let client = client_builder.build()?;
         let is_local = is_local_endpoint(url.as_str());
 
         let provider = Http::new_with_client(url, client);

crates/common/src/provider.rs

@@ -205,6 +205,8 @@ pub struct Config {
     pub verbosity: u8,
     /// url of the rpc server that should be used for any rpc calls
     pub eth_rpc_url: Option<String>,
+    /// JWT secret that should be used for any rpc calls
+    pub eth_rpc_jwt: Option<String>,
     /// etherscan API key, or alias for an `EtherscanConfig` in `etherscan` table
     pub etherscan_api_key: Option<String>,
     /// Multiple etherscan api configs and their aliases
@@ -752,6 +754,25 @@ impl Config {
         self.remappings.iter().map(|m| m.clone().into()).collect()
     }
 
+    /// Returns the configured rpc jwt secret
+    ///
+    /// Returns:
+    ///    - The jwt secret, if configured
+    ///
+    /// # Example
+    ///
+    /// ```
+    /// 
+    /// use foundry_config::Config;
+    /// # fn t() {
+    ///     let config = Config::with_root("./");
+    ///     let rpc_jwt = config.get_rpc_jwt_secret().unwrap().unwrap();
+    /// # }
+    /// ```
+    pub fn get_rpc_jwt_secret(&self) -> Result<Option<Cow<str>>, UnresolvedEnvVarError> {
+        Ok(self.eth_rpc_jwt.as_ref().map(|jwt| Cow::Borrowed(jwt.as_str())))
+    }
+
     /// Returns the configured rpc url
     ///
     /// Returns:
@@ -1774,6 +1795,7 @@ impl Default for Config {
             block_gas_limit: None,
             memory_limit: 2u64.pow(25),
             eth_rpc_url: None,
+            eth_rpc_jwt: None,
             etherscan_api_key: None,
             verbosity: 0,
             remappings: vec![],

crates/config/src/lib.rs

@@ -84,6 +84,7 @@ forgetest!(can_extract_config_values, |prj: TestProject, mut cmd: TestCommand| {
         block_gas_limit: Some(100u64.into()),
         memory_limit: 2u64.pow(25),
         eth_rpc_url: Some("localhost".to_string()),
+        eth_rpc_jwt: None,
         etherscan_api_key: None,
         etherscan: Default::default(),
         verbosity: 4,