feat(backend): request grant to query incoming payment receiver (#779)

* feat(backend): request grant to query incoming payment receiver

Add services for managing grants.

* fix(localenv): connect Docker network

Update environment variables.

* fix(auth): add grant access actions

Remove unused locations and interval fields and account access.

* fix(backend): properly export public key jwk

* fix(open-payments): properly construct grant request body

* chore(backend): import open-payments generateJwk

* chore(backend): store and check grant expiresAt

* chore(auth): add interval to OutgoingPaymentLimit

* chore(localenv): re-format networks

* chore(backend): don't cast GrantRequest

infrastructure/local/docker-compose.yml

@@ -7,7 +7,7 @@ services:
       dockerfile: ./packages/auth/Dockerfile
     restart: always
     networks:
-      rafiki:
+      - rafiki
     ports:
       - '3006:3006'
     environment:
@@ -24,7 +24,7 @@ services:
       dockerfile: ./packages/mock-account-provider/Dockerfile
     restart: always
     networks:
-      rafiki:
+      - rafiki
     ports:
       - '3030:80'
     environment:
@@ -47,7 +47,7 @@ services:
       - '3000:80'
       - '3001:3001'
     networks:
-      rafiki:
+      - rafiki
     environment:
       NODE_ENV: development
       LOG_LEVEL: debug
@@ -71,6 +71,7 @@ services:
       REDIS_URL: redis://redis:6379/0
       QUOTE_URL: http://fynbos/quotes
       BYPASS_SIGNATURE_VALIDATION: "true"
+      PAYMENT_POINTER_URL: https://backend/.well-known/pay
     depends_on:
       - tigerbeetle
       - database
@@ -79,7 +80,7 @@ services:
     image: 'postgres:15' # use latest official postgres version
     restart: unless-stopped
     networks:
-      rafiki:
+      - rafiki
     volumes:
       - database-data:/var/lib/postgresql/data/ # persist data even if container shuts down
       - ./dbinit.sql:/docker-entrypoint-initdb.d/init.sql
@@ -119,7 +120,7 @@ services:
     image: 'redis:7'
     restart: unless-stopped
     networks:
-      rafiki:
+      - rafiki
 volumes:
   database-data: # named volumes can be managed easier using docker-compose
   tigerbeetle-data: # named volumes can be managed easier using docker-compose

infrastructure/local/peer-docker-compose.yml

@@ -7,7 +7,7 @@ services:
       dockerfile: ./packages/auth/Dockerfile
     restart: always
     networks:
-      rafiki:
+      - local_rafiki
     ports:
       - "4006:3006"
     environment:
@@ -27,7 +27,7 @@ services:
       - "4000:80"
       - "4001:3001"
     networks:
-      rafiki:
+      - local_rafiki
     environment:
       NODE_ENV: development
       LOG_LEVEL: debug
@@ -51,13 +51,14 @@ services:
       REDIS_URL: redis://redis:6379/1
       QUOTE_URL: http://local-bank/quote
       BYPASS_SIGNATURE_VALIDATION: "true"
+      PAYMENT_POINTER_URL: https://peer-backend/.well-known/pay
   local-bank:
     build:
       context: ../..
       dockerfile: ./packages/mock-account-provider/Dockerfile
     restart: always
     networks:
-      rafiki:
+      - local_rafiki
     ports:
       - '3031:80'
     environment:
@@ -69,3 +70,6 @@ services:
       - ./seed.peer.yml:/workspace/seed.peer.yml
     depends_on:
       - peer-backend
+networks:
+  local_rafiki:
+    external: true

packages/auth/migrations/20220504163024_create_accesses_table.js

@@ -4,8 +4,6 @@ exports.up = function (knex) {
     table.string('type').notNullable()
     table.specificType('actions', 'text[]').notNullable()
     table.string('identifier')
-    table.specificType('locations', 'text[]')
-    table.integer('interval')
     table.jsonb('limits')
     table.uuid('grantId').notNullable()
     table.foreign('grantId').references('grants.id').onDelete('CASCADE')

packages/auth/src/access/model.ts

@@ -25,7 +25,5 @@ export class Access extends BaseModel {
   public type!: AccessType
   public actions!: Action[]
   public identifier?: string
-  public locations?: string[]
-  public interval?: string
   public limits?: LimitData
 }

packages/auth/src/access/types.ts

@@ -1,5 +1,4 @@
 export enum AccessType {
-  Account = 'account',
   IncomingPayment = 'incoming-payment',
   OutgoingPayment = 'outgoing-payment',
   Quote = 'quote'
@@ -16,9 +15,7 @@ export enum Action {
 
 interface BaseAccessRequest {
   actions: Action[]
-  locations?: string[]
   identifier?: string
-  interval?: string
 }
 
 export interface IncomingPaymentRequest extends BaseAccessRequest {
@@ -31,11 +28,6 @@ interface OutgoingPaymentRequest extends BaseAccessRequest {
   limits?: OutgoingPaymentLimit
 }
 
-interface AccountRequest extends BaseAccessRequest {
-  type: AccessType.Account
-  limits?: never
-}
-
 interface QuoteRequest extends BaseAccessRequest {
   type: AccessType.Quote
   limits?: never
@@ -44,7 +36,6 @@ interface QuoteRequest extends BaseAccessRequest {
 export type AccessRequest =
   | IncomingPaymentRequest
   | OutgoingPaymentRequest
-  | AccountRequest
   | QuoteRequest
 
 export function isAccessType(accessType: AccessType): accessType is AccessType {
@@ -80,16 +71,6 @@ function isOutgoingPaymentAccessRequest(
   )
 }
 
-function isAccountAccessRequest(
-  accessRequest: AccountRequest
-): accessRequest is AccountRequest {
-  return (
-    accessRequest.type === AccessType.Account &&
-    isAction(accessRequest.actions) &&
-    !accessRequest.limits
-  )
-}
-
 function isQuoteAccessRequest(
   accessRequest: QuoteRequest
 ): accessRequest is QuoteRequest {
@@ -106,7 +87,6 @@ export function isAccessRequest(
   return (
     isIncomingPaymentAccessRequest(accessRequest as IncomingPaymentRequest) ||
     isOutgoingPaymentAccessRequest(accessRequest as OutgoingPaymentRequest) ||
-    isAccountAccessRequest(accessRequest as AccountRequest) ||
     isQuoteAccessRequest(accessRequest as QuoteRequest)
   )
 }
@@ -123,6 +103,7 @@ export type OutgoingPaymentLimit = {
   receiver: string
   sendAmount?: PaymentAmount
   receiveAmount?: PaymentAmount
+  interval?: string
 }
 
 export type LimitData = OutgoingPaymentLimit

packages/auth/src/grant/service.test.ts

@@ -71,7 +71,6 @@ describe('Grant Service', (): void => {
 
   const BASE_GRANT_ACCESS = {
     actions: [Action.Create, Action.Read, Action.List],
-    locations: ['https://example.com'],
     identifier: `https://example.com/${v4()}`
   }
 

packages/backend/migrations/20221005181411_create_auth_servers_table.js

@@ -0,0 +1,12 @@
+exports.up = function (knex) {
+  return knex.schema.createTable('authServers', function (table) {
+    table.uuid('id').notNullable().primary()
+    table.string('url').notNullable().unique()
+    table.timestamp('createdAt').defaultTo(knex.fn.now())
+    table.timestamp('updatedAt').defaultTo(knex.fn.now())
+  })
+}
+
+exports.down = function (knex) {
+  return knex.schema.dropTableIfExists('authServers')
+}

packages/backend/migrations/20221012013413_create_grants_table.js

@@ -0,0 +1,23 @@
+exports.up = function (knex) {
+  return knex.schema.createTable('grants', function (table) {
+    table.uuid('id').notNullable().primary()
+    table.uuid('authServerId').notNullable()
+    table.foreign('authServerId').references('authServers.id')
+    table.string('continueId').nullable()
+    table.string('continueToken').nullable()
+    table.string('accessToken').nullable().unique()
+    table.string('accessType').notNullable()
+    table.specificType('accessActions', 'text[]')
+
+    table.timestamp('expiresAt').nullable()
+
+    table.timestamp('createdAt').defaultTo(knex.fn.now())
+    table.timestamp('updatedAt').defaultTo(knex.fn.now())
+
+    table.unique(['authServerId', 'accessType', 'accessActions'])
+  })
+}
+
+exports.down = function (knex) {
+  return knex.schema.dropTableIfExists('grants')
+}

packages/backend/src/index.ts

@@ -24,7 +24,8 @@ import { createAssetService } from './asset/service'
 import { createAccountingService } from './accounting/service'
 import { createPeerService } from './peer/service'
 import { createAuthService } from './open_payments/auth/service'
-
+import { createAuthServerService } from './open_payments/authServer/service'
+import { createGrantService } from './open_payments/grant/service'
 import { createPaymentPointerService } from './open_payments/payment_pointer/service'
 import { createSPSPRoutes } from './spsp/routes'
 import { createPaymentPointerKeyRoutes } from './paymentPointerKey/routes'
@@ -175,6 +176,19 @@ export function initIocContainer(
       authOpenApi: await deps.use('authOpenApi')
     })
   })
+  container.singleton('authServerService', async (deps) => {
+    return await createAuthServerService({
+      logger: await deps.use('logger'),
+      knex: await deps.use('knex')
+    })
+  })
+  container.singleton('grantService', async (deps) => {
+    return await createGrantService({
+      authServerService: await deps.use('authServerService'),
+      logger: await deps.use('logger'),
+      knex: await deps.use('knex')
+    })
+  })
   container.singleton('paymentPointerService', async (deps) => {
     const logger = await deps.use('logger')
     const assetService = await deps.use('assetService')
@@ -217,8 +231,9 @@ export function initIocContainer(
     })
   })
   container.singleton('paymentPointerRoutes', async (deps) => {
+    const config = await deps.use('config')
     return createPaymentPointerRoutes({
-      config: await deps.use('config')
+      authServer: config.authServerGrantUrl
     })
   })
   container.singleton('paymentPointerKeyRoutes', async (deps) => {
@@ -247,9 +262,8 @@ export function initIocContainer(
     const config = await deps.use('config')
     return await createReceiverService({
       logger: await deps.use('logger'),
-      // TODO: https://github.com/interledger/rafiki/issues/583
-      accessToken: config.devAccessToken,
       connectionService: await deps.use('connectionService'),
+      grantService: await deps.use('grantService'),
       incomingPaymentService: await deps.use('incomingPaymentService'),
       openPaymentsUrl: config.openPaymentsUrl,
       paymentPointerService: await deps.use('paymentPointerService'),

packages/backend/src/open_payments/auth/grant.ts

@@ -10,6 +10,7 @@ interface AmountJSON {
   assetScale: number
 }
 
+// TODO: replace with open-payments generated types
 export enum AccessType {
   IncomingPayment = 'incoming-payment',
   OutgoingPayment = 'outgoing-payment',

packages/backend/src/open_payments/authServer/model.ts

@@ -0,0 +1,9 @@
+import { BaseModel } from '../../shared/baseModel'
+
+export class AuthServer extends BaseModel {
+  public static get tableName(): string {
+    return 'authServers'
+  }
+
+  public url!: string
+}

packages/backend/src/open_payments/authServer/service.test.ts

@@ -0,0 +1,50 @@
+import { IocContract } from '@adonisjs/fold'
+import { faker } from '@faker-js/faker'
+import { Knex } from 'knex'
+
+import { AuthServer } from './model'
+import { AuthServerService } from './service'
+import { initIocContainer } from '../../'
+import { AppServices } from '../../app'
+import { Config } from '../../config/app'
+import { createTestApp, TestContainer } from '../../tests/app'
+import { truncateTables } from '../../tests/tableManager'
+
+describe('Auth Server Service', (): void => {
+  let deps: IocContract<AppServices>
+  let appContainer: TestContainer
+  let authServerService: AuthServerService
+  let knex: Knex
+
+  beforeAll(async (): Promise<void> => {
+    deps = await initIocContainer(Config)
+    appContainer = await createTestApp(deps)
+    knex = await deps.use('knex')
+    authServerService = await deps.use('authServerService')
+  })
+
+  afterEach(async (): Promise<void> => {
+    await truncateTables(knex)
+  })
+
+  afterAll(async (): Promise<void> => {
+    await appContainer.shutdown()
+  })
+
+  describe('getOrCreate', (): void => {
+    test('Auth server can be created or fetched', async (): Promise<void> => {
+      const url = faker.internet.url()
+      await expect(
+        AuthServer.query(knex).findOne({ url })
+      ).resolves.toBeUndefined()
+      const authServer = await authServerService.getOrCreate(url)
+      await expect(authServer).toMatchObject({ url })
+      await expect(AuthServer.query(knex).findOne({ url })).resolves.toEqual(
+        authServer
+      )
+      await expect(authServerService.getOrCreate(url)).resolves.toEqual(
+        authServer
+      )
+    })
+  })
+})

packages/backend/src/open_payments/authServer/service.ts

@@ -0,0 +1,40 @@
+import { UniqueViolationError } from 'objection'
+
+import { AuthServer } from './model'
+import { BaseService } from '../../shared/baseService'
+
+export interface AuthServerService {
+  getOrCreate(url: string): Promise<AuthServer>
+}
+
+type ServiceDependencies = BaseService
+
+export async function createAuthServerService(
+  deps_: ServiceDependencies
+): Promise<AuthServerService> {
+  const deps: ServiceDependencies = {
+    ...deps_,
+    logger: deps_.logger.child({
+      service: 'AuthServerService'
+    })
+  }
+  return {
+    getOrCreate: (url) => getOrCreateAuthServer(deps, url)
+  }
+}
+
+async function getOrCreateAuthServer(
+  deps: ServiceDependencies,
+  url: string
+): Promise<AuthServer> {
+  try {
+    return await AuthServer.query(deps.knex).insertAndFetch({
+      url
+    })
+  } catch (err) {
+    if (err instanceof UniqueViolationError) {
+      return await AuthServer.query(deps.knex).findOne({ url })
+    }
+    throw err
+  }
+}