[IND-526] Block subscribing to subaccounts from restricted regions for read-only mode.

[vincentwschau]

Changelist

Update socks to return a blocked error message when subscribing to subaccounts channel from a restricted region. This is done by storing additional metadata per websocket connection indicating which country the connection was made from.
In the case where no country exists, this blocking logic fails-open (allows subscribing to subaccounts).

Test Plan

Unit tests.

Author/Reviewer Checklist

• If this PR has changes that result in a different app state given the same prior state and transaction list, manually add the state-breaking label.
• If the PR has breaking postgres changes to the indexer add the indexer-postgres-breaking label.
• If this PR isn't state-breaking but has changes that modify behavior in PrepareProposal or ProcessProposal, manually add the label proposal-breaking.
• If this PR is one of many that implement a specific feature, manually label them all feature:[feature-name].
• If you wish to for mergify-bot to automatically create a PR to backport your change to a release branch, manually add the label backport/[branch-name].
• Manually add any of the following labels: refactor, chore, bug.

[linear]

IND-526 [READ-ONLY MODE] Track country headers from connection request in socks to forward to comlink

[coderabbitai]

Warning

Rate Limit Exceeded

@vincentwschau has exceeded the limit for the number of files or commits that can be reviewed per hour. Please wait 12 minutes and 57 seconds before requesting another review.

How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.
Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.
Please see our FAQ for further information.

Commits

Files that changed from the base of the PR and between f781d99 and 137f4b7.

Walkthrough

The changes reflect an update to a compliance-related feature within an indexer's codebase. Constants regarding geoblocking messages have been explicitly typed, and a new constant for country header keys has been introduced. Testing has been extended to include mock compliance checks and country-related variables. The main service logic now incorporates country checks, with a new countryCode parameter added to various methods and interfaces. A CountryRestrictor class has also been introduced, enhancing the system's ability to handle connections based on geographic restrictions.

Changes

File Path	Change Summary
indexer/packages/compliance/src/constants.ts	Added explicit string type to geoblocking payloads; introduced COUNTRY_HEADER_KEY constant.
indexer/services/socks/__tests__/lib/subscriptions.test.ts indexer/services/socks/__tests__/websocket/index.test.ts	Added mock compliance, country variables, and updated method calls.
indexer/services/socks/src/lib/subscription.ts	Imported isRestrictedCountry function and updated methods to accept country parameter.
indexer/services/socks/src/types.ts	Added countryCode property to Connection interface.
indexer/services/socks/src/websocket/index.ts	Included countryCode in connections object and updated subscribe method call.
indexer/services/socks/src/websocket/restrict-countries.ts	Added getCountry method to CountryRestrictor class for extracting country from IncomingMessage.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on X ?

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

• You can reply to a review comment made by CodeRabbit.
• You can tag CodeRabbit on specific lines of code or files in the PR by tagging @coderabbitai in a comment.
• You can tag @coderabbitai in a PR comment and ask one-off questions about the PR and the codebase. Use quoted replies to pass the context for follow-up questions.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

[coderabbitai]

Review Status

Actionable comments generated: 4

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between a795a81 and e5084f7.

Files selected for processing (7)

• indexer/packages/compliance/src/constants.ts (1 hunks)
• indexer/services/socks/tests/lib/subscriptions.test.ts (13 hunks)
• indexer/services/socks/tests/websocket/index.test.ts (4 hunks)
• indexer/services/socks/src/lib/subscription.ts (5 hunks)
• indexer/services/socks/src/types.ts (1 hunks)
• indexer/services/socks/src/websocket/index.ts (2 hunks)
• indexer/services/socks/src/websocket/restrict-countries.ts (1 hunks)

Files skipped from review due to trivial changes (1)

• indexer/packages/compliance/src/constants.ts

Additional comments: 13

indexer/services/socks/__tests__/lib/subscriptions.test.ts (5)

• 13-18: The addition of a mock for @dydxprotocol-indexer/compliance and the introduction of restrictedCountry and nonRestrictedCountry variables are consistent with the PR's objectives to handle regional restrictions in websocket subscriptions. The mock implementation of isRestrictedCountry is set up correctly to simulate a restricted region.

• 61-62: The restrictedCountry and nonRestrictedCountry variables have been added to the test file to facilitate testing the new functionality. Ensure that these variables are used consistently throughout the test cases to simulate the correct behavior based on the country's restriction status.

• 86-88: The mock implementation of isRestrictedCountry correctly returns true for the restrictedCountry, which aligns with the test's intention to simulate a restricted region. This is a critical part of testing the new functionality.

• 108-109: The subscribe method has been updated to accept additional parameters for the country code and a boolean flag. The test cases have been updated accordingly to include these parameters. This change is crucial for testing the new functionality that blocks subscriptions from restricted countries.

Also applies to: 152-153, 181-182, 196-197, 219-220, 255-257, 307-308, 344-345, 364-365, 388-389

• 272-284: The test case specifically designed to test the blocking of subscriptions from restricted countries is a good addition and covers the new functionality introduced in the PR. This test case is essential for verifying that the regional restrictions are enforced as intended.

indexer/services/socks/__tests__/websocket/index.test.ts (1)

• 143-151: > Note: This review was outside the patches, so it was mapped to the patch with the greatest overlap. Original lines [15-263]

The changes in the provided hunks align with the PR objectives and do not introduce any issues. The addition of COUNTRY_HEADER_KEY and the handling of countryCode in tests are consistent with the new functionality to enforce regional restrictions on websocket subscriptions.

indexer/services/socks/src/lib/subscription.ts (4)

• 78-81: The addition of the country parameter to the subscribe method is consistent with the PR's objectives to enforce regional restrictions.

• 582-588: The update to getInitialResponsesForChannels to accept a country parameter and the subsequent call to getInitialResponseForSubaccountSubscription with this parameter is in line with the PR's intent to enforce regional restrictions.

• 486-499: The implementation of country-based restrictions in getInitialResponseForSubaccountSubscription by throwing a BlockedError when the country is restricted aligns with the PR's compliance requirements. However, ensure that the comment on line 494-496 is addressed if it's part of the technical specification.

• 582-591: The conditional logic in getInitialResponsesForChannels to handle Channel.V4_ACCOUNTS differently by invoking getInitialResponseForSubaccountSubscription is a necessary change to support the new country-based restrictions.

indexer/services/socks/src/types.ts (1)

• 119-122: The addition of the countryCode property to the Connection interface is consistent with the PR's objective to handle regional restrictions for websocket connections. Ensure that all parts of the codebase that instantiate or manipulate Connection objects are updated to handle this new property appropriately.

Verification successful

The previous scripts contained a few errors. I will correct the rg command to properly search for TypeScript files and fix the regex pattern. Additionally, I will adjust the ast-grep pattern to search for object literals that match the Connection interface, which should include the new countryCode property.

---

The rg command has provided us with files that reference the Connection interface. To ensure that the countryCode property is being handled correctly, I will search within these files for object literals that may represent Connection objects. Additionally, I will correct the ast-grep command to search for object literals that match the Connection interface.

---

The ast-grep command confirmed the structure of the Connection interface, but we still need to verify how instances of this interface are being handled in the codebase. I will correct the rg pattern to search for object literals that may represent Connection objects.

---

The current output indicates where the Connection interface is referenced, but it does not provide details on how the countryCode property is being handled. To verify the correct handling of the countryCode property, I will search for its usage within Connection objects.

---

The verification process has provided evidence that the countryCode property is being set when new connections are established and is being accessed when handling subscription messages, which aligns with the PR's objectives. Additionally, the property is considered in the unit tests, indicating that the new functionality is being tested as intended.

Scripts Executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Search for instances where Connection objects are created or manipulated.
rg --type typescript --files-with-matches 'Connection' | xargs rg 'new Connection|{.*Connection.*}'
# Verify that the countryCode property is being handled correctly where Connection objects are used.
ast-grep --lang typescript --pattern $'new Connection({$$$})'

Length of output: 319

---

---

Script:

#!/bin/bash
# Correct the file type for rg and fix the regex pattern to search for Connection objects creation or manipulation
rg --type ts --files-with-matches 'Connection' | xargs rg 'new Connection|\{.*Connection.*\}'

# Adjust the ast-grep pattern to search for object literals that match the Connection interface
ast-grep --lang typescript --pattern $'interface Connection {
  $$$
}' --exec 'rg "$_"'

Length of output: 573

---

---

Script:

#!/bin/bash
# Search within the identified files for object literals that may represent Connection objects
rg --type ts --glob 'index.ts' --glob 'invalid-message.ts' '{.*Connection.*}'

# Correct the ast-grep command to search for object literals that match the Connection interface
ast-grep --lang typescript --pattern $'interface Connection {
  $$$
}'

Length of output: 688

---

---

Script:

#!/bin/bash
# Correct the regex pattern to search for object literals that may represent Connection objects
rg --type ts --glob 'index.ts' --glob 'invalid-message.ts' '\{.*Connection.*\}'

Length of output: 274

---

---

Script:

#!/bin/bash
# Search for the usage of the countryCode property within Connection objects
rg --type ts 'countryCode' --context 5

Length of output: 5327

indexer/services/socks/src/websocket/index.ts (2)

• 109-115: The implementation of the country restriction logic in the onConnection method correctly terminates connections from restricted countries before they are added to the connections object. This preemptive check ensures that no further processing is done for connections that should not be allowed, which is a good security practice.

• 288-294: The use of countryCode in the subscribe method call is consistent with the PR's objective to enforce regional restrictions on subscriptions. The surrounding try-catch block is a good practice to handle any potential errors that may occur during the subscription process.

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between e5084f7 and f781d99.

Files selected for processing (1)

• indexer/packages/compliance/src/constants.ts (1 hunks)

Files skipped from review as they are similar to previous changes (1)

• indexer/packages/compliance/src/constants.ts