Backport metadata endpoint

Cargo.toml

@@ -102,6 +102,10 @@ members = [
     "common/wasm/storage",
     "common/wasm/utils",
     "common/wireguard",
+    "common/wireguard-private-metadata/client",
+    "common/wireguard-private-metadata/server",
+    "common/wireguard-private-metadata/shared",
+    "common/wireguard-private-metadata/tests",
     "common/wireguard-types",
     "common/zulip-client",
     "documentation/autodoc",

common/credential-verification/src/lib.rs

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use crate::ecash::traits::EcashManager;
+use async_trait::async_trait;
 use bandwidth_storage_manager::BandwidthStorageManager;
 use nym_credentials::ecash::utils::{cred_exp_date, ecash_today, EcashTime};
 use nym_credentials_interface::{Bandwidth, ClientTicket, TicketType};
@@ -139,3 +140,18 @@ impl CredentialVerifier {
             .await)
     }
 }
+
+#[async_trait]
+pub trait TicketVerifier {
+    /// Verify that the ticket is valid and cryptographically correct.
+    /// If the verification succeeds, also increase the bandwidth with the ticket's
+    /// amount and return the latest available bandwidth
+    async fn verify(&mut self) -> Result<i64>;
+}
+
+#[async_trait]
+impl TicketVerifier for CredentialVerifier {
+    async fn verify(&mut self) -> Result<i64> {
+        self.verify().await
+    }
+}

common/http-api-client/src/lib.rs

@@ -136,6 +136,7 @@
 //! ```
 #![warn(missing_docs)]
 
+pub use reqwest::ClientBuilder as ReqwestClientBuilder;
 pub use reqwest::StatusCode;
 
 use crate::path::RequestPath;

common/network-defaults/src/constants.rs

@@ -47,7 +47,8 @@ pub mod nyx {
 pub mod wireguard {
     use std::net::{Ipv4Addr, Ipv6Addr};
 
-    pub const WG_PORT: u16 = 51822;
+    pub const WG_TUNNEL_PORT: u16 = 51822;
+    pub const WG_METADATA_PORT: u16 = 51830;
 
     // The interface used to route traffic
     pub const WG_TUN_BASE_NAME: &str = "nymwg";

common/wireguard-private-metadata/client/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "nym-wireguard-private-metadata-client"
+version = "1.0.0"
+authors.workspace = true
+repository.workspace = true
+homepage.workspace = true
+documentation.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[dependencies]
+async-trait = { workspace = true }
+tracing = { workspace = true }
+nym-http-api-client = { path = "../../http-api-client" }
+nym-wireguard-private-metadata-shared = { path = "../shared" }
+
+[lints]
+workspace = true

common/wireguard-private-metadata/client/src/lib.rs

@@ -0,0 +1,58 @@
+// Copyright 2025 - Nym Technologies SA <[email protected]>
+// SPDX-License-Identifier: Apache-2.0
+
+use async_trait::async_trait;
+use tracing::instrument;
+
+use nym_http_api_client::{ApiClient, Client, HttpClientError, NO_PARAMS};
+
+use nym_wireguard_private_metadata_shared::{
+    routes, Version, {ErrorResponse, Request, Response},
+};
+
+pub type WireguardMetadataApiClientError = HttpClientError<ErrorResponse>;
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+pub trait WireguardMetadataApiClient: ApiClient {
+    #[instrument(level = "debug", skip(self))]
+    async fn version(&self) -> Result<Version, WireguardMetadataApiClientError> {
+        let version: u64 = self
+            .get_json(
+                &[routes::V1_API_VERSION, routes::BANDWIDTH, routes::VERSION],
+                NO_PARAMS,
+            )
+            .await?;
+        Ok(version.into())
+    }
+
+    #[instrument(level = "debug", skip(self))]
+    async fn available_bandwidth(
+        &self,
+        request_body: &Request,
+    ) -> Result<Response, WireguardMetadataApiClientError> {
+        self.post_json(
+            &[routes::V1_API_VERSION, routes::BANDWIDTH, routes::AVAILABLE],
+            NO_PARAMS,
+            request_body,
+        )
+        .await
+    }
+
+    #[instrument(level = "debug", skip(self, request_body))]
+    async fn topup_bandwidth(
+        &self,
+        request_body: &Request,
+    ) -> Result<Response, WireguardMetadataApiClientError> {
+        self.post_json(
+            &[routes::V1_API_VERSION, routes::BANDWIDTH, routes::TOPUP],
+            NO_PARAMS,
+            request_body,
+        )
+        .await
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl WireguardMetadataApiClient for Client {}

common/wireguard-private-metadata/server/Cargo.toml

@@ -0,0 +1,43 @@
+[package]
+name = "nym-wireguard-private-metadata-server"
+version = "1.0.0"
+authors.workspace = true
+repository.workspace = true
+homepage.workspace = true
+documentation.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[dependencies]
+anyhow = { workspace = true }
+axum = { workspace = true, features = ["tokio", "macros"] }
+futures = { workspace = true }
+tokio = { workspace = true, features = ["rt-multi-thread", "net", "io-util"] }
+tokio-util = { workspace = true }
+tower-http = { workspace = true, features = [
+    "cors",
+    "trace",
+    "compression-br",
+    "compression-deflate",
+    "compression-gzip",
+    "compression-zstd",
+] }
+utoipa = { workspace = true, features = ["axum_extras", "time"] }
+utoipa-swagger-ui = { workspace = true, features = ["axum"] }
+
+nym-credentials-interface = { path = "../../credentials-interface" }
+nym-credential-verification = { path = "../../credential-verification" }
+nym-http-api-common = { path = "../../http-api-common", features = [
+    "middleware",
+    "utoipa",
+    "output",
+] }
+nym-wireguard = { path = "../../wireguard" }
+nym-wireguard-private-metadata-shared = { path = "../shared" }
+
+[dev-dependencies]
+async-trait = { workspace = true }
+
+
+[lints]
+workspace = true

common/wireguard-private-metadata/server/src/http/mod.rs

@@ -0,0 +1,46 @@
+// Copyright 2025 - Nym Technologies SA <[email protected]>
+// SPDX-License-Identifier: Apache-2.0
+
+use std::sync::Arc;
+
+use tokio::task::JoinHandle;
+use tokio_util::sync::CancellationToken;
+
+use nym_wireguard::WgApiWrapper;
+
+pub(crate) mod openapi;
+pub(crate) mod router;
+pub(crate) mod state;
+
+/// Shutdown goes 2 directions:
+/// 1. signal background tasks to gracefully finish
+/// 2. signal server itself
+///
+/// These are done through separate shutdown handles. Of course, shut down server
+/// AFTER you have shut down BG tasks (or past their grace period).
+#[allow(unused)]
+pub struct ShutdownHandles {
+    axum_shutdown_button: CancellationToken,
+    /// Tokio JoinHandle for axum server's task
+    axum_join_handle: AxumJoinHandle,
+    /// Wireguard API for kernel interactions
+    wg_api: Arc<WgApiWrapper>,
+}
+
+impl ShutdownHandles {
+    /// Cancellation token is given to Axum server constructor. When the token
+    /// receives a shutdown signal, Axum server will shut down gracefully.
+    pub fn new(
+        axum_join_handle: AxumJoinHandle,
+        wg_api: Arc<WgApiWrapper>,
+        axum_shutdown_button: CancellationToken,
+    ) -> Self {
+        Self {
+            axum_shutdown_button,
+            axum_join_handle,
+            wg_api,
+        }
+    }
+}
+
+type AxumJoinHandle = JoinHandle<std::io::Result<()>>;

common/wireguard-private-metadata/server/src/http/openapi.rs

@@ -0,0 +1,14 @@
+// Copyright 2025 - Nym Technologies SA <[email protected]>
+// SPDX-License-Identifier: Apache-2.0
+
+use utoipa::OpenApi;
+
+use nym_wireguard_private_metadata_shared::{Request, Response};
+
+#[derive(OpenApi)]
+#[openapi(
+    info(title = "Nym Wireguard Private Metadata"),
+    tags(),
+    components(schemas(Request, Response))
+)]
+pub(crate) struct ApiDoc;