rusty_common/auth/exchanges/

bybit.rs

//! Bybit V5 authentication implementation - Performance optimized for HFT
//!
//! This module provides high-performance HMAC-SHA256 authentication for Bybit V5 API.
//! Supports both REST API and WebSocket authentication with zero-copy operations.

use crate::collections::FxHashMap;
use crate::{Result, SmartString};
use hmac::{Hmac, Mac};
use serde::Serialize;
use sha2::Sha256;

type HmacSha256 = Hmac<Sha256>;

/// Bybit V5 API header key constants for type safety and performance
pub mod header_keys {
    use crate::SmartString;

    /// The header key for the API key.
    pub const X_BAPI_API_KEY: &str = "X-BAPI-API-KEY";
    /// The header key for the timestamp.
    pub const X_BAPI_TIMESTAMP: &str = "X-BAPI-TIMESTAMP";
    /// The header key for the signature.
    pub const X_BAPI_SIGN: &str = "X-BAPI-SIGN";
    /// The header key for the receive window.
    pub const X_BAPI_RECV_WINDOW: &str = "X-BAPI-RECV-WINDOW";
    /// The header key for the content type.
    pub const CONTENT_TYPE: &str = "Content-Type";
    /// The value for the application/json content type.
    pub const APPLICATION_JSON: &str = "application/json";
    /// The value for the application/x-www-form-urlencoded content type.
    pub const APPLICATION_FORM: &str = "application/x-www-form-urlencoded";

    /// Pre-allocated SmartString constants for zero-allocation header creation
    #[must_use]
    pub fn x_bapi_api_key() -> SmartString {
        X_BAPI_API_KEY.into()
    }

    /// Returns the `X-BAPI-TIMESTAMP` header key as a `SmartString`.
    #[must_use]
    pub fn x_bapi_timestamp() -> SmartString {
        X_BAPI_TIMESTAMP.into()
    }

    /// Returns the `X-BAPI-SIGN` header key as a `SmartString`.
    #[must_use]
    pub fn x_bapi_sign() -> SmartString {
        X_BAPI_SIGN.into()
    }

    /// Returns the `X-BAPI-RECV-WINDOW` header key as a `SmartString`.
    #[must_use]
    pub fn x_bapi_recv_window() -> SmartString {
        X_BAPI_RECV_WINDOW.into()
    }

    /// Returns the `Content-Type` header value as a `SmartString`.
    #[must_use]
    pub fn content_type() -> SmartString {
        CONTENT_TYPE.into()
    }

    /// Returns the `application/json` content type as a `SmartString`.
    #[must_use]
    pub fn application_json() -> SmartString {
        APPLICATION_JSON.into()
    }

    /// Returns the `application/x-www-form-urlencoded` content type as a `SmartString`.
    #[must_use]
    pub fn application_form() -> SmartString {
        APPLICATION_FORM.into()
    }
}

/// WebSocket authentication message for Bybit V5
#[derive(Debug, Clone, Serialize)]
pub struct BybitWsAuthMessage {
    /// Optional request ID to correlate requests and responses.
    pub req_id: Option<SmartString>,
    /// The operation to be performed.
    pub op: SmartString,
    /// The arguments for the authentication request: API key, expires timestamp, and signature.
    pub args: [SmartString; 3],
}

/// WebSocket trading message for Bybit V5
#[derive(Debug, Clone, Serialize)]
pub struct BybitWsTradingMessage {
    /// The request ID to correlate requests and responses.
    #[serde(rename = "reqId")]
    pub req_id: SmartString,
    /// The header for the WebSocket message.
    pub header: BybitWsMessageHeader,
    /// The operation to be performed.
    pub op: SmartString,
    /// The arguments for the trading operation.
    pub args: Vec<simd_json::OwnedValue>,
}

/// WebSocket message header for trading operations
#[derive(Debug, Clone, Serialize)]
pub struct BybitWsMessageHeader {
    /// The timestamp for the message.
    #[serde(rename = "X-BAPI-TIMESTAMP")]
    pub timestamp: SmartString,
    /// The receive window for the message.
    #[serde(rename = "X-BAPI-RECV-WINDOW")]
    pub recv_window: SmartString,
}

/// Bybit V5 authentication implementation
#[derive(Debug, Clone)]
pub struct BybitAuth {
    api_key: SmartString,
    secret_key: SmartString,
    recv_window: u64,
}

impl BybitAuth {
    /// Create new Bybit V5 auth instance
    #[must_use]
    pub const fn new(api_key: SmartString, secret_key: SmartString) -> Self {
        Self {
            api_key,
            secret_key,
            recv_window: 8000, // Default 8-second receive window
        }
    }

    /// Create new Bybit V5 auth instance with custom receive window
    #[must_use]
    pub const fn with_recv_window(
        api_key: SmartString,
        secret_key: SmartString,
        recv_window: u64,
    ) -> Self {
        Self {
            api_key,
            secret_key,
            recv_window,
        }
    }

    /// Get current timestamp in milliseconds
    #[must_use]
    pub fn get_timestamp() -> u64 {
        // Use the improved time utility that handles clock adjustments properly
        crate::time::get_timestamp_ms()
    }

    /// Generate signature for REST API requests
    /// Format: timestamp + api_key + recv_window + params
    pub fn generate_rest_signature(&self, timestamp: u64, params: &str) -> Result<SmartString> {
        let string_to_sign = crate::safe_format!(
            "{}{}{}{}",
            timestamp,
            self.api_key,
            self.recv_window,
            params
        );
        let mut mac = HmacSha256::new_from_slice(self.secret_key.as_bytes()).map_err(|e| {
            crate::error::CommonError::Auth(crate::safe_format!("HMAC initialization failed: {e}"))
        })?;
        mac.update(string_to_sign.as_bytes());
        let result = mac.finalize();
        Ok(hex::encode(result.into_bytes()).into())
    }

    /// Generate signature for WebSocket authentication
    /// Format: GET/realtime{expires}
    pub fn generate_ws_signature(&self, expires: u64) -> Result<SmartString> {
        let string_to_sign = crate::safe_format!("GET/realtime{expires}");
        let mut mac = HmacSha256::new_from_slice(self.secret_key.as_bytes()).map_err(|e| {
            crate::error::CommonError::Auth(crate::safe_format!("HMAC initialization failed: {e}"))
        })?;
        mac.update(string_to_sign.as_bytes());
        let result = mac.finalize();
        Ok(hex::encode(result.into_bytes()).into())
    }

    /// Create REST API headers for authenticated requests
    pub fn create_rest_headers(
        &self,
        timestamp: u64,
        params: &str,
    ) -> Result<FxHashMap<SmartString, SmartString>> {
        let signature = self.generate_rest_signature(timestamp, params)?;
        let mut headers = FxHashMap::default();
        headers.insert(header_keys::x_bapi_api_key(), self.api_key.clone());
        headers.insert(
            header_keys::x_bapi_timestamp(),
            timestamp.to_string().into(),
        );
        headers.insert(
            header_keys::x_bapi_recv_window(),
            self.recv_window.to_string().into(),
        );
        headers.insert(header_keys::x_bapi_sign(), signature);
        headers.insert(header_keys::content_type(), header_keys::application_json());
        Ok(headers)
    }

    /// Create WebSocket authentication message
    pub fn create_ws_auth_message(
        &self,
        req_id: Option<SmartString>,
    ) -> Result<BybitWsAuthMessage> {
        let expires = Self::get_timestamp() + 10_000; // 10 seconds from now
        let signature = self.generate_ws_signature(expires)?;

        Ok(BybitWsAuthMessage {
            req_id,
            op: "auth".into(),
            args: [self.api_key.clone(), expires.to_string().into(), signature],
        })
    }

    /// Create WebSocket trading message header
    #[must_use]
    pub fn create_ws_trading_header(&self, timestamp: u64) -> BybitWsMessageHeader {
        BybitWsMessageHeader {
            timestamp: timestamp.to_string().into(),
            recv_window: self.recv_window.to_string().into(),
        }
    }

    /// Create WebSocket trading message
    pub fn create_ws_trading_message(
        &self,
        req_id: SmartString,
        operation: SmartString,
        args: Vec<simd_json::OwnedValue>,
    ) -> BybitWsTradingMessage {
        let timestamp = Self::get_timestamp();
        let header = self.create_ws_trading_header(timestamp);

        BybitWsTradingMessage {
            req_id,
            header,
            op: operation,
            args,
        }
    }

    /// Validate timestamp to prevent replay attacks
    #[must_use]
    pub fn is_timestamp_valid(&self, timestamp: u64) -> bool {
        let now = Self::get_timestamp();
        let diff = now.abs_diff(timestamp);
        diff <= self.recv_window
    }

    /// Get API key for external use
    #[must_use]
    pub const fn api_key(&self) -> &SmartString {
        &self.api_key
    }

    /// Get receive window for external use
    #[must_use]
    pub const fn recv_window(&self) -> u64 {
        self.recv_window
    }

    /// Generate headers for REST API requests (compatibility method)
    ///
    /// This method provides compatibility with the expected signature for exchange implementations.
    /// It generates a timestamp internally and creates the parameter string for signing.
    ///
    /// For GET requests, query parameters from the path are used for signing.
    /// For POST/PUT/DELETE requests, the body is used for signing.
    pub fn generate_headers(
        &self,
        method: &str,
        path: &str,
        body: Option<&str>,
    ) -> Result<crate::collections::FxHashMap<SmartString, SmartString>> {
        let timestamp = Self::get_timestamp();
        let params = if method == "GET" {
            // For GET requests, extract query parameters from path
            if let Some(query_start) = path.find('?') {
                &path[query_start + 1..]
            } else {
                ""
            }
        } else {
            // For POST/PUT/DELETE requests, use body
            body.unwrap_or("")
        };
        self.create_rest_headers(timestamp, params)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_rest_signature_generation() {
        let auth = BybitAuth::new("test_key".into(), "test_secret".into());
        let timestamp = 1_672_916_271_123;
        let params = r#"{"category":"spot","symbol":"BTCUSDT"}"#;

        let signature = auth.generate_rest_signature(timestamp, params).unwrap();
        assert!(!signature.is_empty());
        assert_eq!(signature.len(), 64); // HMAC-SHA256 produces 64 hex chars
    }

    #[test]
    fn test_ws_signature_generation() {
        let auth = BybitAuth::new("test_key".into(), "test_secret".into());
        let expires = 1_672_916_271_123;

        let signature = auth.generate_ws_signature(expires).unwrap();
        assert!(!signature.is_empty());
        assert_eq!(signature.len(), 64); // HMAC-SHA256 produces 64 hex chars
    }

    #[test]
    fn test_rest_headers_creation() {
        let auth = BybitAuth::new("test_key".into(), "test_secret".into());
        let timestamp = 1_672_916_271_123;
        let params = "";

        let headers = auth.create_rest_headers(timestamp, params).unwrap();
        assert!(headers.contains_key(&header_keys::x_bapi_api_key()));
        assert!(headers.contains_key(&header_keys::x_bapi_timestamp()));
        assert!(headers.contains_key(&header_keys::x_bapi_sign()));
        assert!(headers.contains_key(&header_keys::x_bapi_recv_window()));
        assert!(headers.contains_key(&header_keys::content_type()));
    }

    #[test]
    fn test_ws_auth_message_creation() {
        let auth = BybitAuth::new("test_key".into(), "test_secret".into());
        let req_id = Some("test_123".into());

        let message = auth.create_ws_auth_message(req_id).unwrap();
        assert_eq!(message.op, "auth");
        assert_eq!(message.args[0], *auth.api_key());
        assert!(!message.args[1].is_empty()); // expires
        assert!(!message.args[2].is_empty()); // signature
    }

    #[test]
    fn test_ws_trading_message_creation() {
        let auth = BybitAuth::new("test_key".into(), "test_secret".into());
        let req_id = "test_order_123".into();
        let operation = "order.create".into();
        let args = vec![simd_json::json!({"symbol": "BTCUSDT", "side": "Buy"})];

        let message = auth.create_ws_trading_message(req_id, operation, args);
        assert_eq!(message.req_id, "test_order_123");
        assert_eq!(message.op, "order.create");
        assert_eq!(message.args.len(), 1);
        assert!(!message.header.timestamp.is_empty());
        assert!(!message.header.recv_window.is_empty());
    }

    #[test]
    fn test_timestamp_validation() {
        let auth = BybitAuth::new("test_key".into(), "test_secret".into());
        let now = BybitAuth::get_timestamp();

        // Valid timestamps
        assert!(auth.is_timestamp_valid(now));
        assert!(auth.is_timestamp_valid(now + 1000)); // 1 second later
        assert!(auth.is_timestamp_valid(now - 1000)); // 1 second earlier

        // Invalid timestamps
        assert!(!auth.is_timestamp_valid(now + 10_000)); // 10 seconds later (beyond recv_window)
        assert!(!auth.is_timestamp_valid(now - 10_000)); // 10 seconds earlier (beyond recv_window)
    }

    #[test]
    fn test_custom_recv_window() {
        let auth = BybitAuth::with_recv_window("test_key".into(), "test_secret".into(), 5000);
        assert_eq!(auth.recv_window(), 5000);

        let now = BybitAuth::get_timestamp();
        assert!(auth.is_timestamp_valid(now + 4000)); // Valid within 5s window
        assert!(!auth.is_timestamp_valid(now + 6000)); // Invalid beyond 5s window
    }
}