consistent auth token for validator apis (#13747)

* wip

* fixing tests

* adding more tests especially to handle legacy

* fixing linting

* fixing deepsource issues and flags

* fixing some deepsource issues,pathing issues, and logs

* some review items

* adding additional review feedback

* updating to follow updates from https://github.com/ethereum/keymanager-APIs/pull/74

* adjusting functions to match changes in keymanagers PR

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* review feedback

---------

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

cmd/validator/flags/BUILD.bazel

@@ -15,6 +15,7 @@ go_library(
         "//validator:__subpackages__",
     ],
     deps = [
+        "//api:go_default_library",
         "//config/params:go_default_library",
         "//io/file:go_default_library",
         "@com_github_urfave_cli_v2//:go_default_library",

cmd/validator/flags/flags.go

@@ -8,6 +8,7 @@ import (
 	"runtime"
 	"time"
 
+	"github.com/prysmaticlabs/prysm/v5/api"
 	"github.com/prysmaticlabs/prysm/v5/config/params"
 	"github.com/prysmaticlabs/prysm/v5/io/file"
 	"github.com/urfave/cli/v2"
@@ -133,6 +134,15 @@ var (
 		Usage: "Port used to listening and respond metrics for Prometheus.",
 		Value: 8081,
 	}
+
+	// AuthTokenPathFlag defines the path to the auth token used to secure the validator api.
+	AuthTokenPathFlag = &cli.StringFlag{
+		Name:    "keymanager-token-file",
+		Usage:   "Path to auth token file used for validator apis.",
+		Value:   filepath.Join(filepath.Join(DefaultValidatorDir(), WalletDefaultDirName), api.AuthTokenFileName),
+		Aliases: []string{"validator-api-bearer-file"},
+	}
+
 	// WalletDirFlag defines the path to a wallet directory for Prysm accounts.
 	WalletDirFlag = &cli.StringFlag{
 		Name:  "wallet-dir",

cmd/validator/main.go

@@ -75,6 +75,7 @@ var appFlags = []cli.Flag{
 	flags.EnableWebFlag,
 	flags.GraffitiFileFlag,
 	flags.EnableDistributed,
+	flags.AuthTokenPathFlag,
 	// Consensys' Web3Signer flags
 	flags.Web3SignerURLFlag,
 	flags.Web3SignerPublicValidatorKeysFlag,

cmd/validator/usage.go

@@ -123,6 +123,7 @@ var appHelpFlagGroups = []flagGroup{
 			flags.BuilderGasLimitFlag,
 			flags.ValidatorsRegistrationBatchSizeFlag,
 			flags.EnableDistributed,
+			flags.AuthTokenPathFlag,
 		},
 	},
 	{

cmd/validator/web/BUILD.bazel

@@ -9,6 +9,7 @@ go_library(
     importpath = "github.com/prysmaticlabs/prysm/v5/cmd/validator/web",
     visibility = ["//visibility:public"],
     deps = [
+        "//api:go_default_library",
         "//cmd:go_default_library",
         "//cmd/validator/flags:go_default_library",
         "//config/features:go_default_library",

cmd/validator/web/web.go

@@ -2,7 +2,9 @@ package web
 
 import (
 	"fmt"
+	"path/filepath"
 
+	"github.com/prysmaticlabs/prysm/v5/api"
 	"github.com/prysmaticlabs/prysm/v5/cmd"
 	"github.com/prysmaticlabs/prysm/v5/cmd/validator/flags"
 	"github.com/prysmaticlabs/prysm/v5/config/features"
@@ -24,6 +26,7 @@ var Commands = &cli.Command{
 				flags.WalletDirFlag,
 				flags.GRPCGatewayHost,
 				flags.GRPCGatewayPort,
+				flags.AuthTokenPathFlag,
 				cmd.AcceptTosFlag,
 			}),
 			Before: func(cliCtx *cli.Context) error {
@@ -43,7 +46,12 @@ var Commands = &cli.Command{
 				gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name)
 				gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name)
 				validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort)
-				if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil {
+				authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName)
+				tempAuthTokenPath := cliCtx.String(flags.AuthTokenPathFlag.Name)
+				if tempAuthTokenPath != "" {
+					authTokenPath = tempAuthTokenPath
+				}
+				if err := rpc.CreateAuthToken(authTokenPath, validatorWebAddr); err != nil {
 					log.WithError(err).Fatal("Could not create web auth token")
 				}
 				return nil