feat: add --rpc.jwtsecret arg (#5271)

bin/reth/src/args/rpc_server_args.rs

@@ -116,10 +116,23 @@ pub struct RpcServerArgs {
     #[arg(long = "authrpc.port", default_value_t = constants::DEFAULT_AUTH_PORT)]
     pub auth_port: u16,
 
-    /// Path to a JWT secret to use for authenticated RPC endpoints
+    /// Path to a JWT secret to use for the authenticated engine-API RPC server.
+    ///
+    /// This will enforce JWT authentication for all requests coming from the consensus layer.
+    ///
+    /// If no path is provided, a secret will be generated and stored in the datadir under
+    /// `<DIR>/<CHAIN_ID>/jwt.hex`. For mainnet this would be `~/.reth/mainnet/jwt.hex` by default.
     #[arg(long = "authrpc.jwtsecret", value_name = "PATH", global = true, required = false)]
     pub auth_jwtsecret: Option<PathBuf>,
 
+    /// Hex encoded JWT secret to authenticate the regular RPC server(s), see `--http.api` and
+    /// `--ws.api`.
+    ///
+    /// This is __not__ used for the authenticated engine-API RPC server, see
+    /// `--authrpc.jwtsecret`.
+    #[arg(long = "rpc.jwtsecret", value_name = "HEX", global = true, required = false)]
+    pub rpc_jwtsecret: Option<JwtSecret>,
+
     /// Set the maximum RPC request payload size for both HTTP and WS in megabytes.
     #[arg(long, default_value_t = RPC_DEFAULT_MAX_REQUEST_SIZE_MB)]
     pub rpc_max_request_size: u32,
@@ -397,7 +410,7 @@ impl RethRpcConfig for RpcServerArgs {
     }
 
     fn rpc_server_config(&self) -> RpcServerConfig {
-        let mut config = RpcServerConfig::default();
+        let mut config = RpcServerConfig::default().with_jwt_secret(self.rpc_secret_key());
 
         if self.http {
             let socket_address = SocketAddr::new(self.http_addr, self.http_port);
@@ -427,7 +440,7 @@ impl RethRpcConfig for RpcServerArgs {
         Ok(AuthServerConfig::builder(jwt_secret).socket_addr(address).build())
     }
 
-    fn jwt_secret(&self, default_jwt_path: PathBuf) -> Result<JwtSecret, JwtError> {
+    fn auth_jwt_secret(&self, default_jwt_path: PathBuf) -> Result<JwtSecret, JwtError> {
         match self.auth_jwtsecret.as_ref() {
             Some(fpath) => {
                 debug!(target: "reth::cli", user_path=?fpath, "Reading JWT auth secret file");
@@ -444,6 +457,10 @@ impl RethRpcConfig for RpcServerArgs {
             }
         }
     }
+
+    fn rpc_secret_key(&self) -> Option<JwtSecret> {
+        self.rpc_jwtsecret.clone()
+    }
 }
 
 /// clap value parser for [RpcModuleSelection].

bin/reth/src/cli/config.rs

@@ -63,7 +63,12 @@ pub trait RethRpcConfig {
     ///
     /// The `default_jwt_path` provided as an argument will be used as the default location for the
     /// jwt secret in case the `auth_jwtsecret` argument is not provided.
-    fn jwt_secret(&self, default_jwt_path: PathBuf) -> Result<JwtSecret, JwtError>;
+    fn auth_jwt_secret(&self, default_jwt_path: PathBuf) -> Result<JwtSecret, JwtError>;
+
+    /// Returns the configured jwt secret key for the regular rpc servers, if any.
+    ///
+    /// Note: this is not used for the auth server (engine API).
+    fn rpc_secret_key(&self) -> Option<JwtSecret>;
 }
 
 /// A trait that provides payload builder settings.

bin/reth/src/dirs.rs

@@ -260,26 +260,36 @@ impl<D> ChainPath<D> {
     }
 
     /// Returns the path to the db directory for this chain.
+    ///
+    /// `<DIR>/<CHAIN_ID>/db`
     pub fn db_path(&self) -> PathBuf {
         self.0.join("db").into()
     }
 
     /// Returns the path to the reth p2p secret key for this chain.
+    ///
+    /// `<DIR>/<CHAIN_ID>/discovery-secret`
     pub fn p2p_secret_path(&self) -> PathBuf {
         self.0.join("discovery-secret").into()
     }
 
     /// Returns the path to the known peers file for this chain.
+    ///
+    /// `<DIR>/<CHAIN_ID>/known-peers.json`
     pub fn known_peers_path(&self) -> PathBuf {
         self.0.join("known-peers.json").into()
     }
 
     /// Returns the path to the config file for this chain.
+    ///
+    /// `<DIR>/<CHAIN_ID>/reth.toml`
     pub fn config_path(&self) -> PathBuf {
         self.0.join("reth.toml").into()
     }
 
     /// Returns the path to the jwtsecret file for this chain.
+    ///
+    /// `<DIR>/<CHAIN_ID>/jwt.hex`
     pub fn jwt_path(&self) -> PathBuf {
         self.0.join("jwt.hex").into()
     }

bin/reth/src/node/mod.rs

@@ -521,7 +521,7 @@ impl<Ext: RethCliExt> NodeCommand<Ext> {
 
         // extract the jwt secret from the args if possible
         let default_jwt_path = data_dir.jwt_path();
-        let jwt_secret = self.rpc.jwt_secret(default_jwt_path)?;
+        let jwt_secret = self.rpc.auth_jwt_secret(default_jwt_path)?;
 
         // adjust rpc port numbers based on instance number
         self.adjust_instance_ports();