feat(backend): add clientId to OP resources

packages/backend/migrations/20220819162330_create_grant_references_table.js

@@ -0,0 +1,10 @@
+exports.up = function (knex) {
+  return knex.schema.createTable('grantReferences', function (table) {
+    table.string('id').notNullable().primary()
+    table.string('clientId').notNullable()
+  })
+}
+
+exports.down = function (knex) {
+  return knex.schema.dropTableIfExists('grantReferences')
+}

packages/backend/migrations/20220228162503_create_incoming_payments_table.js → packages/backend/migrations/20220908085845_create_incoming_payments_table.js

@@ -12,6 +12,9 @@ exports.up = function (knex) {
     table.string('externalRef').nullable()
     table.uuid('connectionId').nullable()
 
+    table.string('grantId').nullable()
+    table.foreign('grantId').references('grantReferences.id')
+
     table.uuid('assetId').notNullable()
     table.foreign('assetId').references('assets.id')
     table.timestamp('processAt').nullable()

packages/backend/migrations/20220414142553_create_outgoing_payments_table.js → packages/backend/migrations/20220908085854_create_outgoing_payments_table.js

@@ -9,7 +9,8 @@ exports.up = function (knex) {
     table.string('description').nullable()
     table.string('externalRef').nullable()
 
-    table.string('grantId').nullable().index()
+    table.string('grantId').nullable()
+    table.foreign('grantId').references('grantReferences.id')
 
     // Open payments payment pointer corresponding to wallet account
     // from which to request funds for payment

packages/backend/src/app.ts

@@ -49,6 +49,7 @@ import { Session } from './session/util'
 import { createValidatorMiddleware, HttpMethod, isHttpMethod } from 'openapi'
 import { ClientKeysService } from './clientKeys/service'
 import { ClientService } from './clients/service'
+import { GrantReferenceService } from './open_payments/grantReference/service'
 
 export interface AppContextData {
   logger: Logger
@@ -141,6 +142,7 @@ export interface AppServices {
   sessionService: Promise<SessionService>
   clientService: Promise<ClientService>
   clientKeysService: Promise<ClientKeysService>
+  grantReferenceService: Promise<GrantReferenceService>
 }
 
 export type AppContainer = IocContract<AppServices>
@@ -277,8 +279,10 @@ export class App {
     } = {
       [AccessAction.Create]: 'create',
       [AccessAction.Read]: 'get',
+      [AccessAction.ReadAll]: 'get',
       [AccessAction.Complete]: 'complete',
-      [AccessAction.List]: 'list'
+      [AccessAction.List]: 'list',
+      [AccessAction.ListAll]: 'list'
     }
 
     for (const path in openApi.paths) {

packages/backend/src/graphql/resolvers/incoming_payment.test.ts

@@ -10,19 +10,25 @@ import { randomAsset } from '../../tests/asset'
 import { createIncomingPayment } from '../../tests/incomingPayment'
 import { createPaymentPointer } from '../../tests/paymentPointer'
 import { truncateTables } from '../../tests/tableManager'
+import { v4 as uuid } from 'uuid'
+import { GrantReference } from '../../open_payments/grantReference/model'
+import { GrantReferenceService } from '../../open_payments/grantReference/service'
 
 describe('Incoming Payment Resolver', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
   let knex: Knex
   let paymentPointerId: string
+  let grantReferenceService: GrantReferenceService
+  let grantRef: GrantReference
 
   const asset = randomAsset()
 
   beforeAll(async (): Promise<void> => {
     deps = await initIocContainer(Config)
     appContainer = await createTestApp(deps)
     knex = await deps.use('knex')
+    grantReferenceService = await deps.use('grantReferenceService')
   })
 
   afterAll(async (): Promise<void> => {
@@ -34,13 +40,18 @@ describe('Incoming Payment Resolver', (): void => {
   describe('Payment pointer incoming payments', (): void => {
     beforeEach(async (): Promise<void> => {
       paymentPointerId = (await createPaymentPointer(deps, { asset })).id
+      grantRef = await grantReferenceService.create({
+        id: uuid(),
+        clientId: uuid()
+      })
     })
 
     getPageTests({
       getClient: () => appContainer.apolloClient,
       createModel: () =>
         createIncomingPayment(deps, {
           paymentPointerId,
+          grantId: grantRef.id,
           incomingAmount: {
             value: BigInt(123),
             assetCode: asset.code,

packages/backend/src/index.ts

@@ -41,6 +41,7 @@ import { createConnectionService } from './open_payments/connection/service'
 import { createConnectionRoutes } from './open_payments/connection/routes'
 import { createClientKeysService } from './clientKeys/service'
 import { createClientService } from './clients/service'
+import { createGrantReferenceService } from './open_payments/grantReference/service'
 
 BigInt.prototype.toJSON = function () {
   return this.toString()
@@ -295,12 +296,16 @@ export function initIocContainer(
       quoteService: await deps.use('quoteService')
     })
   })
+  container.singleton('grantReferenceService', async () => {
+    return createGrantReferenceService()
+  })
   container.singleton('outgoingPaymentService', async (deps) => {
     return await createOutgoingPaymentService({
       logger: await deps.use('logger'),
       knex: await deps.use('knex'),
       accountingService: await deps.use('accountingService'),
       clientService: await deps.use('openPaymentsClientService'),
+      grantReferenceService: await deps.use('grantReferenceService'),
       makeIlpPlugin: await deps.use('makeIlpPlugin'),
       peerService: await deps.use('peerService')
     })

packages/backend/src/open_payments/auth/grant.test.ts

@@ -1,11 +1,13 @@
 import { Grant, AccessType, AccessAction, getInterval } from './grant'
 import { Interval } from 'luxon'
+import { v4 as uuid } from 'uuid'
 
 describe('Grant', (): void => {
   describe('includesAccess', (): void => {
     let grant: Grant
     const type = AccessType.IncomingPayment
     const action = AccessAction.Create
+    const clientId = uuid()
 
     describe.each`
       identifier                        | description
@@ -16,6 +18,7 @@ describe('Grant', (): void => {
         grant = new Grant({
           active: true,
           grant: 'PRY5NM33OM4TB8N6BW7',
+          clientId,
           access: [
             {
               type: AccessType.OutgoingPayment,
@@ -40,6 +43,34 @@ describe('Grant', (): void => {
           })
         ).toBe(true)
       })
+      test.each`
+        superAction             | subAction            | description
+        ${AccessAction.ReadAll} | ${AccessAction.Read} | ${'read'}
+        ${AccessAction.ListAll} | ${AccessAction.List} | ${'list'}
+      `(
+        'Returns true for $description super access',
+        async ({ superAction, subAction }): Promise<void> => {
+          const grant = new Grant({
+            active: true,
+            grant: 'PRY5NM33OM4TB8N6BW7',
+            clientId,
+            access: [
+              {
+                type,
+                actions: [superAction],
+                identifier
+              }
+            ]
+          })
+          expect(
+            grant.includesAccess({
+              type,
+              action: subAction,
+              identifier
+            })
+          ).toBe(true)
+        }
+      )
 
       test.each`
         type                          | action                   | identifier    | description

packages/backend/src/open_payments/auth/grant.ts

@@ -21,8 +21,10 @@ export enum AccessType {
 export enum AccessAction {
   Create = 'create',
   Read = 'read',
+  ReadAll = 'read-all',
   Complete = 'complete',
-  List = 'list'
+  List = 'list',
+  ListAll = 'list-all'
 }
 
 export interface AccessLimits {
@@ -53,6 +55,7 @@ export type GrantAccessJSON = Omit<GrantAccess, 'limits'> & {
 export interface GrantOptions {
   active: boolean
   grant: string
+  clientId: string
   access?: GrantAccess[]
 }
 
@@ -66,11 +69,13 @@ export class Grant {
     this.active = options.active
     this.grant = options.grant
     this.access = options.access || []
+    this.clientId = options.clientId
   }
 
   public readonly active: boolean
   public readonly grant: string
   public readonly access: GrantAccess[]
+  public readonly clientId: string
 
   public includesAccess({
     type,
@@ -85,14 +90,19 @@ export class Grant {
       (access) =>
         access.type === type &&
         (!access.identifier || access.identifier === identifier) &&
-        access.actions.includes(action)
+        (access.actions.includes(action) ||
+          (action === AccessAction.Read &&
+            access.actions.includes(AccessAction.ReadAll)) ||
+          (action === AccessAction.List &&
+            access.actions.includes(AccessAction.ListAll)))
     )
   }
 
   public toJSON(): GrantJSON {
     return {
       active: this.active,
       grant: this.grant,
+      clientId: this.clientId,
       access: this.access?.map((access) => {
         return {
           ...access,

packages/backend/src/open_payments/auth/middleware.test.ts

@@ -1,6 +1,7 @@
 import assert from 'assert'
 import nock, { Definition } from 'nock'
 import { URL } from 'url'
+import { v4 as uuid } from 'uuid'
 
 import { createAuthMiddleware } from './middleware'
 import { Grant, GrantJSON, AccessType, AccessAction } from './grant'
@@ -13,6 +14,8 @@ import { createTestApp, TestContainer } from '../../tests/app'
 import { createContext } from '../../tests/context'
 import { createPaymentPointer } from '../../tests/paymentPointer'
 import { truncateTables } from '../../tests/tableManager'
+import { GrantReference } from '../grantReference/model'
+import { GrantReferenceService } from '../grantReference/service'
 
 type AppMiddleware = (
   ctx: AppContext,
@@ -32,6 +35,7 @@ describe('Auth Middleware', (): void => {
   let ctx: AppContext
   let next: jest.MockedFunction<() => Promise<void>>
   let validateRequest: ValidateFunction<IntrospectionBody>
+  let grantReferenceService: GrantReferenceService
   const token = 'OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0'
 
   beforeAll(async (): Promise<void> => {
@@ -47,6 +51,7 @@ describe('Auth Middleware', (): void => {
       path: '/introspect',
       method: HttpMethod.POST
     })
+    grantReferenceService = await deps.use('grantReferenceService')
   })
 
   beforeEach(async (): Promise<void> => {
@@ -108,7 +113,7 @@ describe('Auth Middleware', (): void => {
 
   const inactiveGrant = {
     active: false,
-    grant: 'PRY5NM33OM4TB8N6BW7'
+    grant: uuid()
   }
 
   test.each`
@@ -131,7 +136,8 @@ describe('Auth Middleware', (): void => {
   test('returns 403 for unauthorized request', async (): Promise<void> => {
     const scope = mockAuthServer({
       active: true,
-      grant: 'PRY5NM33OM4TB8N6BW7',
+      clientId: uuid(),
+      grant: uuid(),
       access: [
         {
           type: AccessType.OutgoingPayment,
@@ -146,6 +152,30 @@ describe('Auth Middleware', (): void => {
     expect(next).not.toHaveBeenCalled()
     scope.isDone()
   })
+  test('returns 500 for not matching clientId', async (): Promise<void> => {
+    const grant = new Grant({
+      active: true,
+      clientId: uuid(),
+      grant: uuid(),
+      access: [
+        {
+          type: AccessType.IncomingPayment,
+          actions: [AccessAction.Read],
+          identifier: ctx.params.paymentPointerId
+        }
+      ]
+    })
+    await grantReferenceService.create({
+      id: grant.grant,
+      clientId: uuid()
+    })
+    const scope = mockAuthServer(grant.toJSON())
+    await expect(middleware(ctx, next)).rejects.toMatchObject({
+      status: 500
+    })
+    expect(next).not.toHaveBeenCalled()
+    scope.isDone()
+  })
 
   test.each`
     limitAccount
@@ -156,7 +186,8 @@ describe('Auth Middleware', (): void => {
     async ({ limitAccount }): Promise<void> => {
       const grant = new Grant({
         active: true,
-        grant: 'PRY5NM33OM4TB8N6BW7',
+        clientId: uuid(),
+        grant: uuid(),
         access: [
           {
             type: AccessType.IncomingPayment,
@@ -197,6 +228,12 @@ describe('Auth Middleware', (): void => {
       await expect(middleware(ctx, next)).resolves.toBeUndefined()
       expect(next).toHaveBeenCalled()
       expect(ctx.grant).toEqual(grant)
+      await expect(
+        GrantReference.query().findById(grant.grant)
+      ).resolves.toEqual({
+        id: grant.grant,
+        clientId: grant.clientId
+      })
       scope.isDone()
     }
   )
@@ -208,4 +245,28 @@ describe('Auth Middleware', (): void => {
     expect(introspectSpy).not.toHaveBeenCalled()
     expect(next).toHaveBeenCalled()
   })
+
+  test('sets the context and calls next if grant has been seen before', async (): Promise<void> => {
+    const grant = new Grant({
+      active: true,
+      clientId: uuid(),
+      grant: uuid(),
+      access: [
+        {
+          type: AccessType.IncomingPayment,
+          actions: [AccessAction.Read],
+          identifier: ctx.params.paymentPointerId
+        }
+      ]
+    })
+    await grantReferenceService.create({
+      id: grant.grant,
+      clientId: grant.clientId
+    })
+    const scope = mockAuthServer(grant.toJSON())
+    await expect(middleware(ctx, next)).resolves.toBeUndefined()
+    expect(next).toHaveBeenCalled()
+    expect(ctx.grant).toEqual(grant)
+    scope.isDone()
+  })
 })