feat: authenticated WebSocket + validator whitelist endpoint

- WebSocket now requires signature verification for hotkey auth
- Message format: 'ws_connect:{hotkey}:{timestamp}'
- Timestamp must be within 5 minutes
- Validators registered in DB on connect (updates last_seen)
- New endpoint GET /api/v1/validators/whitelist
- Returns validators with stake >= 10k TAO connected in last 24h

Author: echobt

crates/challenge-sdk/src/server.rs

@@ -31,10 +31,11 @@ use serde::{Deserialize, Serialize};
 use tokio::sync::RwLock;
 use tracing::{debug, error, info, warn};
 
-use crate::challenge::Challenge;
-use crate::context::ChallengeContext;
 use crate::error::ChallengeError;
 
+#[cfg(feature = "http-server")]
+use axum::extract::State;
+
 /// Server configuration
 #[derive(Debug, Clone)]
 pub struct ServerConfig {

crates/platform-server/src/api/validators.rs

@@ -71,3 +71,17 @@ pub async fn heartbeat(
         .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
     Ok(Json(serde_json::json!({ "success": true })))
 }
+
+/// Minimum stake required for whitelist (10,000 TAO in RAO)
+const MIN_STAKE_FOR_WHITELIST: i64 = 10_000_000_000_000;
+
+/// GET /api/v1/validators/whitelist - Get whitelisted validators
+/// Returns validators with stake >= 10,000 TAO who connected in the last 24h
+pub async fn get_whitelisted_validators(
+    State(state): State<Arc<AppState>>,
+) -> Result<Json<Vec<String>>, StatusCode> {
+    let validators = queries::get_whitelisted_validators(&state.db, MIN_STAKE_FOR_WHITELIST)
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+    Ok(Json(validators))
+}

crates/platform-server/src/db/queries.rs

@@ -89,6 +89,23 @@ pub async fn get_total_stake(pool: &Pool) -> Result<u64> {
     Ok(stake as u64)
 }
 
+/// Get whitelisted validators (stake >= min_stake and last_seen within 24h)
+pub async fn get_whitelisted_validators(pool: &Pool, min_stake: i64) -> Result<Vec<String>> {
+    let client = pool.get().await?;
+    let rows = client
+        .query(
+            "SELECT hotkey FROM validators 
+             WHERE is_active = TRUE 
+             AND stake >= $1 
+             AND last_seen >= NOW() - INTERVAL '24 hours'
+             ORDER BY stake DESC",
+            &[&min_stake],
+        )
+        .await?;
+
+    Ok(rows.iter().map(|row| row.get(0)).collect())
+}
+
 // ============================================================================
 // SUBMISSIONS
 // ============================================================================

crates/platform-server/src/main.rs

@@ -152,6 +152,10 @@ async fn main() -> anyhow::Result<()> {
             "/api/v1/validators/heartbeat",
             post(api::validators::heartbeat),
         )
+        .route(
+            "/api/v1/validators/whitelist",
+            get(api::validators::get_whitelisted_validators),
+        )
         .route(
             "/api/v1/network/state",
             get(api::challenges::get_network_state),

crates/platform-server/src/websocket/handler.rs

@@ -1,5 +1,7 @@
 //! WebSocket connection handler
 
+use crate::api::auth::verify_signature;
+use crate::db::queries;
 use crate::models::WsEvent;
 use crate::state::AppState;
 use crate::websocket::events::WsConnection;
@@ -8,7 +10,8 @@ use axum::{
         ws::{Message, WebSocket, WebSocketUpgrade},
         Query, State,
     },
-    response::Response,
+    http::StatusCode,
+    response::{IntoResponse, Response},
 };
 use futures::{SinkExt, StreamExt};
 use serde::Deserialize;
@@ -19,8 +22,13 @@ use uuid::Uuid;
 
 #[derive(Debug, Deserialize)]
 pub struct WsQuery {
-    pub token: Option<String>,
+    /// Validator hotkey (SS58 format)
     pub hotkey: Option<String>,
+    /// Timestamp for signature verification
+    pub timestamp: Option<i64>,
+    /// Signature of "ws_connect:{hotkey}:{timestamp}"
+    pub signature: Option<String>,
+    /// Role (validator, miner, etc.)
     pub role: Option<String>,
 }
 
@@ -29,6 +37,60 @@ pub async fn ws_handler(
     State(state): State<Arc<AppState>>,
     Query(query): Query<WsQuery>,
 ) -> Response {
+    // Verify authentication if hotkey is provided
+    if let Some(ref hotkey) = query.hotkey {
+        let timestamp = match query.timestamp {
+            Some(ts) => ts,
+            None => {
+                warn!(
+                    "WebSocket connection rejected: missing timestamp for hotkey {}",
+                    hotkey
+                );
+                return (StatusCode::UNAUTHORIZED, "Missing timestamp").into_response();
+            }
+        };
+
+        let signature = match &query.signature {
+            Some(sig) => sig,
+            None => {
+                warn!(
+                    "WebSocket connection rejected: missing signature for hotkey {}",
+                    hotkey
+                );
+                return (StatusCode::UNAUTHORIZED, "Missing signature").into_response();
+            }
+        };
+
+        // Verify timestamp is recent (within 5 minutes)
+        let now = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_secs() as i64;
+
+        if (now - timestamp).abs() > 300 {
+            warn!(
+                "WebSocket connection rejected: timestamp too old for hotkey {}",
+                hotkey
+            );
+            return (StatusCode::UNAUTHORIZED, "Timestamp too old").into_response();
+        }
+
+        // Verify signature
+        let message = format!("ws_connect:{}:{}", hotkey, timestamp);
+        if !verify_signature(hotkey, &message, signature) {
+            warn!(
+                "WebSocket connection rejected: invalid signature for hotkey {}",
+                hotkey
+            );
+            return (StatusCode::UNAUTHORIZED, "Invalid signature").into_response();
+        }
+
+        info!(
+            "WebSocket authenticated for hotkey: {}",
+            &hotkey[..16.min(hotkey.len())]
+        );
+    }
+
     let conn_id = Uuid::new_v4();
     ws.on_upgrade(move |socket| handle_socket(socket, state, conn_id, query))
 }
@@ -48,6 +110,15 @@ async fn handle_socket(socket: WebSocket, state: Arc<AppState>, conn_id: Uuid, q
         conn_id, query.hotkey, query.role
     );
 
+    // Register validator in DB when they connect with a hotkey (updates last_seen)
+    if let Some(ref hotkey) = query.hotkey {
+        if let Err(e) = queries::upsert_validator(&state.db, hotkey, 0).await {
+            warn!("Failed to register validator {}: {}", hotkey, e);
+        } else {
+            info!("Validator {} registered/updated last_seen", hotkey);
+        }
+    }
+
     let mut event_rx = state.broadcaster.subscribe();
 
     let send_task = tokio::spawn(async move {