Merge branch 'main' into bw-openapi

.eslintignore

@@ -2,4 +2,5 @@
 public
 generated
 dist
-build
+build
+postman-scripts

.github/workflows/lint_test_build.yml

@@ -78,9 +78,18 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - uses: ./.github/workflows/rafiki/env-setup
-      - run: pnpm --filter openapi build
+      - run: pnpm --filter open-payments build:deps
       - run: pnpm --filter open-payments test
 
+  http-signature-utils:
+    runs-on: ubuntu-latest
+    needs: checkout
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/workflows/rafiki/env-setup
+      - run: pnpm --filter http-signature-utils test
+
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 5
@@ -91,6 +100,7 @@ jobs:
       - openapi
       - mock-account-provider
       - open-payments
+      - http-signature-utils
     steps:
       - uses: actions/checkout@v3
       - uses: ./.github/workflows/rafiki/env-setup

infrastructure/helm/tigerbeetle/values.yaml

@@ -32,7 +32,7 @@ statefulset:
     repository: nginx
     pullPolicy: IfNotPresent
     # Overrides the image tag whose default is the chart appVersion.
-    tag: "1.23.1" 
+    tag: "1.23.3" 
 
   replicas: 6
   updateStrategy:

infrastructure/local/docker-compose.yml

@@ -14,7 +14,7 @@ services:
       NODE_ENV: development
       AUTH_DATABASE_URL: postgresql://auth:auth@database/auth
       INTROSPECTION_HTTPSIG: "false"
-      BYPASS_SIGNATURE_VALIDATION: "true"
+      BYPASS_SIGNATURE_VALIDATION: "false"
     depends_on:
       - tigerbeetle
       - database
@@ -32,8 +32,10 @@ services:
       LOG_LEVEL: debug
       PORT: 80
       SEED_FILE_LOCATION: /workspace/seed.primary.yml
+      KEY_FILE: /workspace/private-key.pem
     volumes:
       - ./seed.primary.yml:/workspace/seed.primary.yml
+      - ./private-key.pem:/workspace/private-key.pem
     depends_on:
       - backend
   backend:
@@ -70,7 +72,7 @@ services:
       PRICES_URL: http://fynbos/prices
       REDIS_URL: redis://redis:6379/0
       QUOTE_URL: http://fynbos/quotes
-      BYPASS_SIGNATURE_VALIDATION: "true"
+      BYPASS_SIGNATURE_VALIDATION: "false"
       PAYMENT_POINTER_URL: https://backend/.well-known/pay
     depends_on:
       - tigerbeetle
@@ -121,6 +123,19 @@ services:
     restart: unless-stopped
     networks:
       - rafiki
+  signatures:
+    build:
+      context: ../..
+      dockerfile: ./packages/http-signature-utils/Dockerfile
+    restart: always
+    ports:
+      - '3040:3000'
+    environment:
+      KEY_FILE: /workspace/private-key.pem
+    volumes:
+      - ./private-key.pem:/workspace/private-key.pem
+    networks:
+      - rafiki
 volumes:
   database-data: # named volumes can be managed easier using docker-compose
   tigerbeetle-data: # named volumes can be managed easier using docker-compose

infrastructure/local/peer-docker-compose.yml

@@ -14,7 +14,7 @@ services:
       NODE_ENV: development
       AUTH_DATABASE_URL: postgresql://peerauth:peerauth@database/peerauth
       INTROSPECTION_HTTPSIG: "false"
-      BYPASS_SIGNATURE_VALIDATION: "true"
+      BYPASS_SIGNATURE_VALIDATION: "false"
       AUTH_SERVER_DOMAIN: "http://localhost:4006"
   peer-backend:
     image: ghcr.io/interledger/rafiki-backend:latest
@@ -50,7 +50,7 @@ services:
       PRICES_URL: http://local-bank/prices
       REDIS_URL: redis://redis:6379/1
       QUOTE_URL: http://local-bank/quote
-      BYPASS_SIGNATURE_VALIDATION: "true"
+      BYPASS_SIGNATURE_VALIDATION: "false"
       PAYMENT_POINTER_URL: https://peer-backend/.well-known/pay
   local-bank:
     build:
@@ -66,10 +66,23 @@ services:
       LOG_LEVEL: debug
       PORT: 80
       SEED_FILE_LOCATION: /workspace/seed.peer.yml
+      KEY_FILE: /workspace/private-key.pem
     volumes:
       - ./seed.peer.yml:/workspace/seed.peer.yml
+      - ./peer-private-key.pem:/workspace/private-key.pem
     depends_on:
       - peer-backend
+  peer-signatures:
+    build:
+      context: ../..
+      dockerfile: ./packages/http-signature-utils/Dockerfile
+    restart: always
+    ports:
+      - '3041:3000'
+    environment:
+      KEY_FILE: /workspace/private-key.pem
+    volumes:
+      - ./peer-private-key.pem:/workspace/private-key.pem
 networks:
   local_rafiki:
     external: true

infrastructure/local/peer-private-key.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIEqezmcPhOE8bkwN+jQrppfRYzGIdFTVWQGTHJIKpz88
+-----END PRIVATE KEY-----

infrastructure/local/private-key.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEICxfM9mUurUGnwlMMQEDclDEQnX7c49BoGKOB48URBxO
+-----END PRIVATE KEY-----

package.json

@@ -28,7 +28,7 @@
     "@commitlint/config-conventional": "^17.0.3",
     "@jest/types": "^28.1.3",
     "@swc/core": "^1.2.242",
-    "@swc/jest": "^0.2.23",
+    "@swc/jest": "^0.2.24",
     "@types/jest": "^28.1.8",
     "@typescript-eslint/eslint-plugin": "^5.34.0",
     "@typescript-eslint/parser": "^5.34.0",

packages/auth/package.json

@@ -20,10 +20,10 @@
     "@koa/router": "^12.0.0",
     "ajv": "^8.11.2",
     "axios": "^0.27.2",
+    "http-signature-utils": "workspace:../http-signature-utils",
     "httpbis-digest-headers": "github:interledger/httpbis-digest-headers",
-    "jose": "^4.9.0",
     "knex": "^0.95",
-    "koa": "^2.13.4",
+    "koa": "^2.14.1",
     "koa-bodyparser": "^4.3.0",
     "koa-session": "^6.2.0",
     "node-mocks-http": "^1.11.0",
@@ -38,6 +38,7 @@
     "uuid": "^8.3.2"
   },
   "devDependencies": {
+    "@faker-js/faker": "^7.4.0",
     "@types/jest": "^28.1.8",
     "@types/koa": "2.13.5",
     "@types/koa-bodyparser": "^4.3.7",

packages/auth/src/accessToken/routes.test.ts

@@ -17,16 +17,21 @@ import { AccessToken } from './model'
 import { Access } from '../access/model'
 import { AccessTokenRoutes } from './routes'
 import { createContext } from '../tests/context'
-import { generateTestKeys } from '../tests/signature'
-import { JWKWithRequired } from '../client/service'
+import {
+  generateJwk,
+  generateTestKeys,
+  JWK,
+  TestKeys
+} from 'http-signature-utils'
 
 describe('Access Token Routes', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
   let knex: Knex
   let trx: Knex.Transaction
   let accessTokenRoutes: AccessTokenRoutes
-  let testJwk: JWKWithRequired
+  let testKeys: TestKeys
+  let testClientKey: JWK
 
   beforeAll(async (): Promise<void> => {
     deps = await initIocContainer(Config)
@@ -36,8 +41,11 @@ describe('Access Token Routes', (): void => {
     const openApi = await deps.use('openApi')
     jestOpenAPI(openApi.authServerSpec)
 
-    const keys = await generateTestKeys()
-    testJwk = keys.publicKey
+    testKeys = await generateTestKeys()
+    testClientKey = generateJwk({
+      privateKey: testKeys.privateKey,
+      keyId: testKeys.keyId
+    })
   })
 
   afterEach(async (): Promise<void> => {
@@ -98,7 +106,7 @@ describe('Access Token Routes', (): void => {
     beforeEach(async (): Promise<void> => {
       grant = await Grant.query(trx).insertAndFetch({
         ...BASE_GRANT,
-        clientKeyId: testJwk.kid
+        clientKeyId: testKeys.keyId
       })
       access = await Access.query(trx).insertAndFetch({
         grantId: grant.id,
@@ -141,7 +149,7 @@ describe('Access Token Routes', (): void => {
       const scope = nock(CLIENT)
         .get('/jwks.json')
         .reply(200, {
-          keys: [testJwk]
+          keys: [testClientKey]
         })
 
       const ctx = createContext(
@@ -179,7 +187,7 @@ describe('Access Token Routes', (): void => {
         ],
         key: {
           proof: 'httpsig',
-          jwk: testJwk
+          jwk: testClientKey
         },
         client_id: clientId
       })
@@ -190,7 +198,7 @@ describe('Access Token Routes', (): void => {
       const scope = nock(CLIENT)
         .get('/jwks.json')
         .reply(200, {
-          keys: [testJwk]
+          keys: [testClientKey]
         })
       const tokenCreatedDate = new Date(token.createdAt)
       const now = new Date(
@@ -238,7 +246,7 @@ describe('Access Token Routes', (): void => {
     beforeEach(async (): Promise<void> => {
       grant = await Grant.query(trx).insertAndFetch({
         ...BASE_GRANT,
-        clientKeyId: testJwk.kid
+        clientKeyId: testKeys.keyId
       })
       token = await AccessToken.query(trx).insertAndFetch({
         grantId: grant.id,
@@ -269,7 +277,7 @@ describe('Access Token Routes', (): void => {
       const scope = nock(CLIENT)
         .get('/jwks.json')
         .reply(200, {
-          keys: [testJwk]
+          keys: [testClientKey]
         })
 
       const ctx = createContext(
@@ -298,7 +306,7 @@ describe('Access Token Routes', (): void => {
       const scope = nock(CLIENT)
         .get('/jwks.json')
         .reply(200, {
-          keys: [testJwk]
+          keys: [testClientKey]
         })
 
       const ctx = createContext(
@@ -333,7 +341,7 @@ describe('Access Token Routes', (): void => {
     beforeEach(async (): Promise<void> => {
       grant = await Grant.query(trx).insertAndFetch({
         ...BASE_GRANT,
-        clientKeyId: testJwk.kid
+        clientKeyId: testKeys.keyId
       })
       access = await Access.query(trx).insertAndFetch({
         grantId: grant.id,

packages/auth/src/accessToken/routes.ts

@@ -6,6 +6,29 @@ import { AccessTokenService, Introspection } from './service'
 import { accessToBody } from '../shared/utils'
 import { ClientService } from '../client/service'
 
+type TokenRequest<BodyT = never> = Omit<AppContext['request'], 'body'> & {
+  body?: BodyT
+}
+
+type TokenContext<BodyT = never> = Omit<AppContext, 'request'> & {
+  request: TokenRequest<BodyT>
+}
+
+type ManagementRequest = Omit<AppContext['request'], 'params'> & {
+  params?: Record<'id', string>
+}
+
+type ManagementContext = Omit<AppContext, 'request'> & {
+  request: ManagementRequest
+}
+
+interface IntrospectBody {
+  access_token: string
+}
+export type IntrospectContext = TokenContext<IntrospectBody>
+export type RevokeContext = ManagementContext
+export type RotateContext = ManagementContext
+
 interface ServiceDependencies {
   config: IAppConfig
   logger: Logger
@@ -14,9 +37,9 @@ interface ServiceDependencies {
 }
 
 export interface AccessTokenRoutes {
-  introspect(ctx: AppContext): Promise<void>
-  revoke(ctx: AppContext): Promise<void>
-  rotate(ctx: AppContext): Promise<void>
+  introspect(ctx: IntrospectContext): Promise<void>
+  revoke(ctx: RevokeContext): Promise<void>
+  rotate(ctx: RotateContext): Promise<void>
 }
 
 export function createAccessTokenRoutes(
@@ -27,15 +50,15 @@ export function createAccessTokenRoutes(
   })
   const deps = { ...deps_, logger }
   return {
-    introspect: (ctx: AppContext) => introspectToken(deps, ctx),
-    revoke: (ctx: AppContext) => revokeToken(deps, ctx),
-    rotate: (ctx: AppContext) => rotateToken(deps, ctx)
+    introspect: (ctx: IntrospectContext) => introspectToken(deps, ctx),
+    revoke: (ctx: RevokeContext) => revokeToken(deps, ctx),
+    rotate: (ctx: RotateContext) => rotateToken(deps, ctx)
   }
 }
 
 async function introspectToken(
   deps: ServiceDependencies,
-  ctx: AppContext
+  ctx: IntrospectContext
 ): Promise<void> {
   const { body } = ctx.request
   const introspectionResult = await deps.accessTokenService.introspect(
@@ -68,7 +91,7 @@ function introspectionToBody(result: Introspection) {
 
 async function revokeToken(
   deps: ServiceDependencies,
-  ctx: AppContext
+  ctx: RevokeContext
 ): Promise<void> {
   const { id: managementId } = ctx.params
   await deps.accessTokenService.revoke(managementId)
@@ -77,7 +100,7 @@ async function revokeToken(
 
 async function rotateToken(
   deps: ServiceDependencies,
-  ctx: AppContext
+  ctx: RotateContext
 ): Promise<void> {
   // TODO: verify Authorization: GNAP ${accessToken} contains correct token value
   const { id: managementId } = ctx.params