feat: Support reading mnemonic or private key from file

Rather than read the mnemonic or private key directly from .env, specify the location of a separate file via the SECRET env var. Then, open that file and read the mnemonic or key from there. Global fs scope is applied to the location, so it can be located in a totally different path, and can even have more restrictive permissions. This significantly reduces the chance of leaking critical secrets - i.e. when sharing screen. A simple regex is applied to determine whether the format matches a private key, and if not, it's assumed to be a mnemonic. This should make it easier to manage for operators.
across-protocol · Oct 6, 2023 · 09c6656 · 09c6656
1 parent 36b75aa
commit 09c6656
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,9 @@ typechain*
 .DS_Store
 dump.rdb*
 .idea
+.mnemonic
+.keyfile
+.secret
 
 # Hardhat files
 cache

diff --git a/src/utils/CLIUtils.ts b/src/utils/CLIUtils.ts
@@ -12,7 +12,7 @@ export function retrieveSignerFromCLIArgs(): Promise<Wallet> {
   // Resolve the wallet type & verify that it is valid.
   const keyType = (args.wallet as string) ?? "mnemonic";
   if (!isValidKeyType(keyType)) {
-    throw new Error(`Unsupported key type (${keyType}); expected "mnemonic", "privateKey" or "gckms"`);
+    throw new Error(`Unsupported key type (${keyType}); expected "secret", "mnemonic", "privateKey" or "gckms"`);
   }
 
   // Build out the signer options to pass to the signer utils.
@@ -30,6 +30,6 @@ export function retrieveSignerFromCLIArgs(): Promise<Wallet> {
  * @param keyType The key type to check.
  * @returns True if the key type is valid, false otherwise.
  */
-function isValidKeyType(keyType: unknown): keyType is "mnemonic" | "privateKey" | "gckms" {
-  return ["mnemonic", "privateKey", "gckms"].includes(keyType as string);
+function isValidKeyType(keyType: unknown): keyType is "secret" | "mnemonic" | "privateKey" | "gckms" {
+  return ["secret", "mnemonic", "privateKey", "gckms"].includes(keyType as string);
 }
diff --git a/src/utils/SignerUtils.ts b/src/utils/SignerUtils.ts
@@ -1,3 +1,5 @@
+import { readFile } from "fs/promises";
+import { typeguards } from "@across-protocol/sdk-v2";
 import { Wallet, retrieveGckmsKeys, getGckmsConfig, isDefined } from "./";
 
 /**
@@ -41,11 +43,14 @@ export async function getSigner({ keyType, gckmsKeys, cleanEnv }: SignerOptions)
     case "gckms":
       wallet = await getGckmsSigner(gckmsKeys);
       break;
+    case "secret":
+      wallet = await getSecretSigner();
+      break;
     default:
       throw new Error(`getSigner: Unsupported key type (${keyType})`);
   }
   if (!wallet) {
-    throw new Error("Must define mnemonic, privatekey or gckms for wallet");
+    throw new Error("Must define secret, mnemonic, privateKey or gckms for wallet");
   }
   if (cleanEnv) {
     cleanKeysFromEnvironment();
@@ -90,6 +95,26 @@ function getMnemonicSigner(): Wallet {
   return Wallet.fromMnemonic(process.env.MNEMONIC);
 }
 
+/**
+ * Retrieves a signer based on the secret stored in ./.secret.
+ * @returns An ethers Signer object.
+ * @throws If a valid secret could not be read.
+ */
+async function getSecretSigner(): Promise<Wallet> {
+  const { SECRET = "./.secret" } = process.env;
+  let secret: string;
+  try {
+    secret = await readFile(SECRET, { encoding: "utf8" });
+    secret = secret.trim().replace("\n", "");
+    return /^0x[0-9a-f]{64}$/.test(secret)
+      ? new Wallet(secret)
+      : Wallet.fromMnemonic(secret);
+  } catch (err) {
+    const msg = typeguards.isError(err) ? err.message : "unknown error";
+    throw new Error(`Unable to load secret (${SECRET}: ${msg})`);
+  }
+}
+
 /**
  * Clears the mnemonic and private key from the env.
  */