rusty_common/auth/exchanges/

coinbase.rs

use crate::auth::pem::validate_pem_format;
use crate::collections::FxHashMap;
use crate::{CommonError, Result, SmartString};
use hmac::{Hmac, Mac};
use jsonwebtoken::{Algorithm, EncodingKey, Header, encode};
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};

type HmacSha256 = Hmac<Sha256>;

/// Coinbase API key type - Advanced Trade uses ECDSA
#[derive(Debug, Clone)]
pub enum CoinbaseKeyType {
    /// Legacy HMAC-SHA256 (deprecated in Advanced Trade)
    Hmac(SmartString),
    /// ECDSA P-256 for Advanced Trade API
    Ecdsa(SmartString),
}

/// Coinbase header key constants for type safety and performance
pub mod header_keys {
    use crate::SmartString;

    /// The header key for the API key.
    pub const CB_ACCESS_KEY: &str = "CB-ACCESS-KEY";
    /// The header key for the signature.
    pub const CB_ACCESS_SIGN: &str = "CB-ACCESS-SIGN";
    /// The header key for the timestamp.
    pub const CB_ACCESS_TIMESTAMP: &str = "CB-ACCESS-TIMESTAMP";
    /// The header key for authorization.
    pub const AUTHORIZATION: &str = "Authorization";

    /// Pre-allocated SmartString constants for zero-allocation header creation
    /// Returns the `CB-ACCESS-KEY` header key as a `SmartString`.
    #[must_use]
    pub fn cb_access_key() -> SmartString {
        CB_ACCESS_KEY.into()
    }
    /// Returns the `CB-ACCESS-SIGN` header key as a `SmartString`.
    #[must_use]
    pub fn cb_access_sign() -> SmartString {
        CB_ACCESS_SIGN.into()
    }
    /// Returns the `CB-ACCESS-TIMESTAMP` header key as a `SmartString`.
    #[must_use]
    pub fn cb_access_timestamp() -> SmartString {
        CB_ACCESS_TIMESTAMP.into()
    }
    /// Returns the `Authorization` header key as a `SmartString`.
    #[must_use]
    pub fn authorization() -> SmartString {
        AUTHORIZATION.into()
    }
}

/// WebSocket subscription message for Coinbase
#[derive(Debug, Clone, Serialize)]
pub struct CoinbaseWsSubscription {
    /// The type of the message, e.g., `subscribe`.
    #[serde(rename = "type")]
    pub message_type: SmartString,
    /// The channels to subscribe to.
    pub channels: Vec<SmartString>,
    /// The JWT for authentication.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub jwt: Option<SmartString>,
    /// The API key for authentication.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api_key: Option<SmartString>,
    /// The timestamp for the request.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timestamp: Option<SmartString>,
    /// The signature for the request.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub signature: Option<SmartString>,
}

/// Coinbase authentication implementation for Advanced Trade API
#[derive(Debug, Clone)]
pub struct CoinbaseAuth {
    api_key: SmartString,
    key_type: CoinbaseKeyType,
}

/// JWT payload for Coinbase Cloud authentication
#[derive(Debug, Serialize, Deserialize)]
struct CoinbaseJwtPayload {
    sub: SmartString,      // API Key ID
    iss: SmartString,      // Issuer, typically "coinbase-cloud"
    nbf: u64,              // Not before timestamp
    exp: u64,              // Expiration timestamp
    aud: Vec<SmartString>, // Audience
}

impl CoinbaseAuth {
    /// Create new Coinbase auth with HMAC key (legacy)
    #[must_use]
    pub const fn new_hmac(api_key: SmartString, secret_key: SmartString) -> Self {
        Self {
            api_key,
            key_type: CoinbaseKeyType::Hmac(secret_key),
        }
    }

    /// Create new Coinbase auth with ECDSA key (Advanced Trade)
    /// private_key should be a PEM-encoded ECDSA P-256 private key
    pub fn new_ecdsa(api_key: SmartString, private_key: SmartString) -> Result<Self> {
        // Validate PEM format using proper parser
        validate_pem_format(&private_key)?;

        Ok(Self {
            api_key,
            key_type: CoinbaseKeyType::Ecdsa(private_key),
        })
    }

    /// Get current timestamp in seconds
    fn get_timestamp_seconds() -> u64 {
        // Use milliseconds and convert to seconds for better precision
        crate::time::get_timestamp_ms() / 1000
    }

    /// Generate timestamp in nanoseconds for high-precision timing
    #[must_use]
    pub fn generate_timestamp_nanos() -> u128 {
        // Use the improved time utility that handles clock adjustments properly
        crate::time::get_timestamp_ns_result().unwrap_or_else(|_| {
            std::time::SystemTime::now()
                .duration_since(std::time::UNIX_EPOCH)
                .unwrap_or_default()
                .as_nanos() as u64
        }) as u128
    }

    /// Generate HMAC-SHA256 signature (legacy method)
    fn generate_hmac_signature(&self, secret: &str, payload: &str) -> Result<SmartString> {
        let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
            .map_err(|e| CommonError::Auth(format!("HMAC error: {e}").into()))?;
        mac.update(payload.as_bytes());
        let result = mac.finalize();
        Ok(hex::encode(result.into_bytes()).into())
    }

    /// Generate ECDSA signature (Advanced Trade method)
    fn generate_ecdsa_signature(
        &self,
        private_key_pem: &str,
        _payload: &str,
    ) -> Result<SmartString> {
        // Create JWT for Coinbase Cloud API
        let now = Self::get_timestamp_seconds();
        let jwt_payload = CoinbaseJwtPayload {
            sub: self.api_key.clone(),
            iss: "coinbase-cloud".into(),
            nbf: now,
            exp: now + 120, // JWT expires in 2 minutes
            aud: vec!["retail_rest_api_proxy".into()],
        };

        let header = Header {
            alg: Algorithm::ES256, // ECDSA using P-256 curve and SHA-256 hash
            ..Default::default()
        };

        let encoding_key = EncodingKey::from_ec_pem(private_key_pem.as_bytes())
            .map_err(|e| CommonError::Auth(format!("Invalid ECDSA private key: {e}").into()))?;

        let jwt = encode(&header, &jwt_payload, &encoding_key)
            .map_err(|e| CommonError::Auth(format!("JWT encoding error: {e}").into()))?;

        Ok(jwt.into())
    }

    /// Generate signature for REST API request
    fn generate_signature(&self, method: &str, path: &str, body: &str) -> Result<SmartString> {
        let timestamp = Self::get_timestamp_seconds();
        let payload = format!("{}{}{}{}", timestamp, method.to_uppercase(), path, body);

        match &self.key_type {
            CoinbaseKeyType::Hmac(secret) => self.generate_hmac_signature(secret, &payload),
            CoinbaseKeyType::Ecdsa(private_key) => {
                self.generate_ecdsa_signature(private_key, &payload)
            }
        }
    }

    /// Generate REST API authentication headers (optimized for performance)
    /// Returns headers directly as HashMap to avoid conversion overhead in hot paths
    pub fn generate_headers(
        &self,
        method: &str,
        path: &str,
        body: Option<&str>,
    ) -> Result<FxHashMap<SmartString, SmartString>> {
        // Pre-allocate HashMap with exact capacity for optimal performance
        let _capacity = match &self.key_type {
            CoinbaseKeyType::Hmac(_) => 3, // CB-ACCESS-KEY, CB-ACCESS-SIGN, CB-ACCESS-TIMESTAMP
            CoinbaseKeyType::Ecdsa(_) => 2, // Authorization, CB-ACCESS-KEY
        };
        let mut headers = FxHashMap::default();
        let timestamp = Self::get_timestamp_seconds();
        let body_str = body.unwrap_or("");

        match &self.key_type {
            CoinbaseKeyType::Hmac(secret) => {
                // Legacy authentication
                let payload = format!("{}{}{}{}", timestamp, method.to_uppercase(), path, body_str);
                let signature = self.generate_hmac_signature(secret, &payload)?;

                headers.insert(header_keys::cb_access_key(), self.api_key.clone());
                headers.insert(header_keys::cb_access_sign(), signature);
                headers.insert(
                    header_keys::cb_access_timestamp(),
                    timestamp.to_string().into(),
                );
            }
            CoinbaseKeyType::Ecdsa(private_key) => {
                // Advanced Trade authentication
                let jwt = self.generate_ecdsa_signature(private_key, "")?;

                headers.insert(header_keys::authorization(), format!("Bearer {jwt}").into());
                headers.insert(header_keys::cb_access_key(), self.api_key.clone());
            }
        }

        Ok(headers)
    }

    /// Generate WebSocket subscription message
    pub fn generate_ws_subscription(&self, channels: &[&str]) -> Result<CoinbaseWsSubscription> {
        let channels: Vec<SmartString> = channels.iter().map(|&c| c.into()).collect();

        match &self.key_type {
            CoinbaseKeyType::Ecdsa(private_key) => {
                // For WebSocket authentication, generate a JWT
                let jwt = self.generate_ecdsa_signature(private_key, "")?;

                Ok(CoinbaseWsSubscription {
                    message_type: "subscribe".into(),
                    channels,
                    jwt: Some(jwt),
                    api_key: None,
                    timestamp: None,
                    signature: None,
                })
            }
            CoinbaseKeyType::Hmac(_secret) => {
                // Legacy WebSocket auth uses API key + signature method
                let timestamp = Self::get_timestamp_seconds();
                let _payload = format!("{timestamp}user");
                let signature = self.generate_signature("GET", "/users/self/verify", "")?;

                Ok(CoinbaseWsSubscription {
                    message_type: "subscribe".into(),
                    channels,
                    jwt: None,
                    api_key: Some(self.api_key.clone()),
                    timestamp: Some(timestamp.to_string().into()),
                    signature: Some(signature),
                })
            }
        }
    }

    /// Get JWT token for ECDSA authentication (Advanced Trade)
    pub fn generate_jwt(&self) -> Result<SmartString> {
        match &self.key_type {
            CoinbaseKeyType::Ecdsa(private_key) => self.generate_ecdsa_signature(private_key, ""),
            CoinbaseKeyType::Hmac(_) => Err(CommonError::Auth(SmartString::from(
                "JWT generation is only available for ECDSA authentication",
            ))),
        }
    }

    /// Generate HMAC signature for legacy authentication
    pub fn generate_signature_for_request(
        &self,
        method: &str,
        path: &str,
        body: &str,
    ) -> Result<SmartString> {
        match &self.key_type {
            CoinbaseKeyType::Hmac(secret) => {
                let timestamp = Self::get_timestamp_seconds();
                let payload = format!("{}{}{}{}", timestamp, method.to_uppercase(), path, body);
                self.generate_hmac_signature(secret, &payload)
            }
            CoinbaseKeyType::Ecdsa(_) => Err(CommonError::Auth(SmartString::from(
                "HMAC signature generation is only available for HMAC authentication",
            ))),
        }
    }

    /// Optimized parameter string building using the pure URL encoding function
    /// Uses the auth module's URL encoding for consistency and performance
    pub fn build_param_string_optimized(params: &[(&str, &str)]) -> Result<SmartString> {
        if params.is_empty() {
            return Ok(SmartString::new());
        }

        let mut result = SmartString::new();

        for (i, (key, value)) in params.iter().enumerate() {
            if i > 0 {
                result.push('&');
            }
            result.push_str(key);
            result.push('=');

            // URL encode only the value, not the key or structure characters
            let mut encoded_value = SmartString::new();
            crate::auth::exchanges::url_encode_params(value, &mut encoded_value)?;
            result.push_str(&encoded_value);
        }

        Ok(result)
    }

    /// Fast parameter count for pre-allocation decisions
    #[inline]
    #[must_use]
    pub fn param_count(params: Option<&[(&str, &str)]>) -> usize {
        params.map_or(0, |p| p.len())
    }

    /// Create a SHA256 hash of query parameters (for GET requests with query parameters)
    #[allow(dead_code)]
    fn create_query_hash(query_string: &str) -> SmartString {
        let mut hasher = Sha256::new();
        hasher.update(query_string.as_bytes());
        hex::encode(hasher.finalize()).into()
    }

    /// Generate FIX protocol authentication (username and password)
    /// For Coinbase FIX, username is the API key and password is a signed message
    pub fn generate_fix_auth(&self) -> Result<(SmartString, SmartString)> {
        let username = self.api_key.clone();

        match &self.key_type {
            CoinbaseKeyType::Ecdsa(private_key) => {
                // For FIX with ECDSA, we use JWT as the password
                let jwt = self.generate_ecdsa_signature(private_key, "")?;
                Ok((username, jwt))
            }
            CoinbaseKeyType::Hmac(secret) => {
                // For FIX with HMAC, create a signed timestamp
                let timestamp = Self::get_timestamp_seconds();
                let payload = format!("{timestamp}");
                let signature = self.generate_hmac_signature(secret, &payload)?;
                let password = format!("{timestamp}:{signature}").into();
                Ok((username, password))
            }
        }
    }

    /// Generate HMAC signature for FIX logon message
    /// Used by FIX client for creating signed authentication messages
    pub fn sign_hmac(&self, data: &[u8]) -> Result<SmartString> {
        match &self.key_type {
            CoinbaseKeyType::Hmac(secret) => {
                let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
                    .map_err(|e| CommonError::Auth(format!("HMAC error: {e}").into()))?;
                mac.update(data);
                let result = mac.finalize();
                use base64::{Engine as _, engine::general_purpose};
                Ok(general_purpose::STANDARD.encode(result.into_bytes()).into())
            }
            CoinbaseKeyType::Ecdsa(_) => Err(CommonError::Auth(SmartString::from(
                "HMAC signing is only available for HMAC authentication",
            ))),
        }
    }

    /// Get passphrase for authentication (used by FIX protocol)
    /// Returns the passphrase field needed for Coinbase FIX authentication
    pub fn passphrase(&self) -> SmartString {
        // For Coinbase, passphrase is typically the same as the API key
        // This can be overridden if a different passphrase is used
        self.api_key.clone()
    }
}

impl CoinbaseAuth {
    /// Get API key
    #[must_use]
    pub fn api_key(&self) -> &str {
        &self.api_key
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_build_param_string_optimized_empty() {
        let params: &[(&str, &str)] = &[];
        let result = CoinbaseAuth::build_param_string_optimized(params);
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), SmartString::from(""));
    }

    #[test]
    fn test_build_param_string_optimized_single_param() {
        let params = &[("key1", "value1")];
        let result = CoinbaseAuth::build_param_string_optimized(params);
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), SmartString::from("key1=value1"));
    }

    #[test]
    fn test_build_param_string_optimized_multiple_params() {
        let params = &[("symbol", "BTC-USD"), ("side", "buy"), ("type", "limit")];
        let result = CoinbaseAuth::build_param_string_optimized(params);
        assert!(result.is_ok());
        assert_eq!(
            result.unwrap(),
            SmartString::from("symbol=BTC-USD&side=buy&type=limit")
        );
    }

    #[test]
    fn test_build_param_string_optimized_url_encoding() {
        let params = &[("key", "value with spaces"), ("special", "chars!@#$%")];
        let result = CoinbaseAuth::build_param_string_optimized(params);
        assert!(result.is_ok());
        let encoded = result.unwrap();
        assert!(encoded.contains("value%20with%20spaces"));
        assert!(encoded.contains("chars%21%40%23%24%25"));
    }

    #[test]
    fn test_param_count() {
        assert_eq!(CoinbaseAuth::param_count(None), 0);
        assert_eq!(CoinbaseAuth::param_count(Some(&[])), 0);
        assert_eq!(CoinbaseAuth::param_count(Some(&[("key", "value")])), 1);
        assert_eq!(
            CoinbaseAuth::param_count(Some(&[("key1", "value1"), ("key2", "value2")])),
            2
        );
    }

    #[test]
    fn test_generate_timestamp_nanos() {
        let timestamp1 = CoinbaseAuth::generate_timestamp_nanos();
        std::thread::sleep(std::time::Duration::from_nanos(1));
        let timestamp2 = CoinbaseAuth::generate_timestamp_nanos();
        assert!(timestamp2 > timestamp1);
    }

    #[test]
    fn test_hmac_auth_creation() {
        let auth = CoinbaseAuth::new_hmac("test_api_key".into(), "test_secret".into());
        assert_eq!(auth.api_key(), "test_api_key");
    }

    #[test]
    fn test_ecdsa_auth_creation() {
        // Test with a mock PEM format (not a real key)
        let mock_pem = "-----BEGIN PRIVATE KEY-----\nMOCK_KEY_DATA\n-----END PRIVATE KEY-----";
        let auth = CoinbaseAuth::new_ecdsa("test_api_key".into(), mock_pem.into());
        assert!(auth.is_ok());
        let auth = auth.unwrap();
        assert_eq!(auth.api_key(), "test_api_key");
    }

    #[test]
    fn test_ecdsa_invalid_key_format() {
        // Test with invalid key format
        let auth = CoinbaseAuth::new_ecdsa("test_api_key".into(), "invalid_key_format".into());
        assert!(auth.is_err());
    }

    #[test]
    fn test_query_hash_generation() {
        let query = "symbol=BTC-USD&side=buy";
        let hash = CoinbaseAuth::create_query_hash(query);
        assert!(!hash.is_empty());
        assert_eq!(hash.len(), 64); // SHA256 hex string is 64 characters
    }

    #[test]
    fn test_hmac_headers_generation() {
        let auth = CoinbaseAuth::new_hmac("test_api_key".into(), "test_secret".into());

        let headers = auth.generate_headers("GET", "/accounts", None);
        assert!(headers.is_ok());

        let headers = headers.unwrap();
        assert_eq!(
            headers.get(&header_keys::cb_access_key()).unwrap(),
            "test_api_key"
        );
        assert!(headers.contains_key(&header_keys::cb_access_sign()));
        assert!(headers.contains_key(&header_keys::cb_access_timestamp()));
        assert!(
            !headers
                .get(&header_keys::cb_access_sign())
                .unwrap()
                .is_empty()
        );
        assert!(
            !headers
                .get(&header_keys::cb_access_timestamp())
                .unwrap()
                .is_empty()
        );
    }

    #[test]
    fn test_usage_example() {
        // Example 1: HMAC Authentication (Legacy)
        let hmac_auth = CoinbaseAuth::new_hmac("your_api_key".into(), "your_secret_key".into());

        let headers = hmac_auth.generate_headers("GET", "/accounts", None);
        assert!(headers.is_ok());

        // Example 2: ECDSA Authentication (Advanced Trade - Recommended)
        // Note: This test only validates creation, not actual JWT generation
        // as we don't have a real ECDSA key for testing
        let mock_pem = "-----BEGIN PRIVATE KEY-----\nMOCK_KEY_DATA\n-----END PRIVATE KEY-----";
        let ecdsa_auth = CoinbaseAuth::new_ecdsa("your_api_key".into(), mock_pem.into()).unwrap();

        // Verify the auth was created successfully
        assert_eq!(ecdsa_auth.api_key(), "your_api_key");

        // Test HMAC WebSocket subscription generation (this will work with mock credentials)
        let hmac_ws_subscription = hmac_auth.generate_ws_subscription(&["user", "heartbeat"]);
        assert!(hmac_ws_subscription.is_ok());
        let hmac_subscription = hmac_ws_subscription.unwrap();
        assert_eq!(hmac_subscription.message_type, "subscribe");
        assert_eq!(hmac_subscription.channels.len(), 2);
        assert!(hmac_subscription.jwt.is_none());
        assert!(hmac_subscription.api_key.is_some());

        // Note: WebSocket subscription generation would fail with mock ECDSA keys
        // as JWT generation requires a valid ECDSA private key
        // In real usage, this would work with actual ECDSA private keys
    }
}