Skip to content

feat(worker): add proxy routes for Beacon API, Bitcoin RPC and EVM RPC#335

Open
AugustoL wants to merge 7 commits intoopenscan-explorer:devfrom
AugustoL:feat/worker-proxy-routes
Open

feat(worker): add proxy routes for Beacon API, Bitcoin RPC and EVM RPC#335
AugustoL wants to merge 7 commits intoopenscan-explorer:devfrom
AugustoL:feat/worker-proxy-routes

Conversation

@AugustoL
Copy link
Collaborator

@AugustoL AugustoL commented Mar 20, 2026
edited
Loading

Description

Add per-provider proxy routes to the OpenScan worker to hide API keys for multiple RPC providers. This enables built-in fallback RPC endpoints for all supported networks without exposing API keys to users.

Providers: Alchemy, Infura, dRPC, Ankr, OnFinality

Related Issue

Closes #334

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Refactoring
  • Performance improvement
  • Other (please describe):

Changes Made

Worker (15 new files + 4 modified)

  • Types (worker/src/types.ts): Added env bindings for ALCHEMY_API_KEY, INFURA_API_KEY, DRPC_API_KEY, ONFINALITY_BTC_API_KEY, ANKR_API_KEY. Added ALLOWED_BEACON_NETWORKS, ALLOWED_BTC_METHODS, ALLOWED_EVM_NETWORKS maps with per-provider chain slugs, and request body types
  • Rate limiting: 3 new middleware files — Beacon (60 req/min), BTC (30 req/min), EVM (60 req/min)
  • Validation: 3 new middleware files — Beacon (networkId + slot), BTC (JSON-RPC + method allowlist), EVM (networkId + JSON-RPC body)
  • Route handlers: 6 new files — beaconBlobSidecars.ts, btcRpc.ts, evmRpc.ts, drpcRpc.ts, ankrRpc.ts, onfinalityRpc.ts
  • Router (worker/src/index.ts): Registered all new routes
  • CORS (worker/src/middleware/cors.ts): Added GET to allowed methods
  • Config (worker/wrangler.toml): Renamed worker to openscan-worker-proxy, documented all new secrets

Routes

Method Path Provider Networks
GET /beacon/alchemy/:networkId/blob_sidecars/:slot Alchemy ETH, Sepolia
POST /btc/alchemy Alchemy BTC mainnet
POST /btc/drpc dRPC BTC mainnet
POST /btc/ankr Ankr BTC mainnet
POST /btc/onfinality/:networkId OnFinality BTC mainnet + testnet
POST /evm/alchemy/:networkId Alchemy All 8 EVM networks
POST /evm/infura/:networkId Infura 7 EVM networks (no BSC)
POST /evm/drpc/:networkId dRPC All 8 EVM networks
POST /evm/ankr/:networkId Ankr All 8 EVM networks

Frontend (3 new files + 4 modified)

  • src/config/workerConfig.ts (new): Shared OPENSCAN_WORKER_URL constant, updated to new worker URL
  • src/services/BeaconService.ts (new): getBlobSidecarsViaWorker() for fetching blob sidecars via worker
  • src/hooks/useBeaconBlobs.ts (new): React hook for beacon blob data
  • src/utils/rpcStorage.ts: Added worker URLs to BUILTIN_RPC_DEFAULTS for all supported networks (BTC + EVM, all providers)
  • src/components/pages/settings/index.tsx: Worker-proxied URLs labeled as "OpenScan Alchemy/Infura/dRPC/Ankr/OnFinality" with rpc-opensource tag
  • src/hooks/useEtherscan.ts + src/utils/contractLookup.ts: Refactored to import from workerConfig.ts

Screenshots (if applicable)

N/A — backend/infra changes

Checklist

  • I have run npm run format:fix and npm run lint:fix
  • I have run npm run typecheck with no errors
  • I have run tests with npm run test:run
  • I have tested my changes locally
  • I have updated documentation if needed
  • My code follows the project's architecture patterns

Additional Notes

@AugustoL
feat(worker): add proxy routes for Beacon API, Bitcoin RPC and EVM RPC
325c212 
Add per-provider proxy routes to the OpenScan worker to hide API keys
for Alchemy (Beacon, BTC, EVM) and Infura (EVM). Includes rate limiting,
request validation with method allowlists, and CORS support for GET.

Routes:
- GET  /beacon/alchemy/:networkId/blob_sidecars/:slot
- POST /btc/alchemy
- POST /evm/alchemy/:networkId
- POST /evm/infura/:networkId

Frontend changes:
- Extract shared OPENSCAN_WORKER_URL into src/config/workerConfig.ts
- Add BeaconService and useBeaconBlobs hook for blob sidecar fetching
- Add worker BTC and EVM URLs to BUILTIN_RPC_DEFAULTS as fallbacks
- Recognize worker-proxied URLs in settings RPC tag labels

Closes openscan-explorer#334
@github-actions
Copy link

github-actions bot commented Mar 20, 2026
edited
Loading

🚀 Preview: https://pr-335--openscan.netlify.app
📝 Commit: 6445aadd3a88215c9cd0ffdbe5de021900d020a8

AugustoL added 4 commits March 20, 2026 08:20
@AugustoL
feat(worker): add dRPC as third provider for EVM and Bitcoin RPC proxy
afd14d8 
Add dRPC routes reusing existing rate limiting and validation middleware.
dRPC supports all EVM networks plus Bitcoin via authenticated query params.

Routes:
- POST /evm/drpc/:networkId
- POST /btc/drpc
@AugustoL
chore(worker): rename worker to openscan-worker-proxy
1a1b7a1 
Rename from openscan-groq-ai-proxy to reflect broader scope. Old worker
remains live until all frontend builds use the new URL.
@AugustoL
feat(worker): add OnFinality as Bitcoin RPC provider (mainnet + testnet)
c6f5f59 
Route: POST /btc/onfinality/:networkId
Supports bip122:000000000019d6689c085ae165831e93 (mainnet)
and bip122:000000000933ea01ad0ee984209779ba (testnet).
@AugustoL
feat(worker): add Ankr as EVM and Bitcoin RPC provider
b28d34d 
Routes:
- POST /evm/ankr/:networkId (all 8 EVM networks)
- POST /btc/ankr
josealoha666
josealoha666 reviewed Mar 20, 2026
View reviewed changes
Copy link
Collaborator

@josealoha666 josealoha666 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice direction overall, but I don't think this is ready to merge yet.

The main issue is that the new /evm/* proxy exposes a shared-key JSON-RPC gateway with no EVM method allowlist at all. validateEvmMiddleware only checks that method is a non-empty string, so any public caller can send arbitrary methods through our Alchemy/Infura/dRPC/Ankr keys. That makes the worker much easier to abuse for expensive or unintended calls than the BTC routes, which at least have an explicit allowlist.

Before merging, I'd lock the EVM proxy down to the subset of read-only methods the app actually needs (and ideally add payload/range guards for expensive methods like log scans).

Also worth keeping an eye on the red E2E jobs before landing this.

AugustoL added 2 commits March 20, 2026 12:18
@AugustoL
fix(e2e): update tests to match current UI components
358b8a2 
- Input Data is now a tab in TX Analyser, not an inline section
- Nonce/Position fields are in the details grid, no "Other Attributes:" header
- Gas Price label uses FieldLabel with tooltip, breaking exact text match
- Invalid address may show timeout or redirect to home
- ERC1155 token image may show loading timeout for slow metadata
- Blocks header test waits for table data before checking info text
@AugustoL
Merge remote-tracking branch 'openscan-explorer/dev' into feat/worker…
6445aad 
…-proxy-routes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MatiasOS MatiasOS MatiasOS approved these changes

+1 more reviewer

@josealoha666 josealoha666 josealoha666 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AugustoL @MatiasOS @josealoha666