feat(backend): tenant support for wallet address (#3114)

localenv/mock-account-servicing-entity/app/lib/parse_config.server.ts

@@ -26,5 +26,7 @@ export const CONFIG: Config = {
   testnetAutoPeerUrl: process.env.TESTNET_AUTOPEER_URL ?? '',
   authServerDomain: process.env.AUTH_SERVER_DOMAIN || 'http://localhost:3006',
   graphqlUrl: process.env.GRAPHQL_URL,
-  idpSecret: process.env.IDP_SECRET
+  idpSecret: process.env.IDP_SECRET,
+  operatorTenantId:
+    process.env.OPERATOR_TENANT_ID || '438fa74a-fa7d-4317-9ced-dde32ece1787'
 }

packages/backend/migrations/20241203112902_add_tenant_to_wallet_address.js

@@ -0,0 +1,25 @@
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.up = function (knex) {
+  return Promise.all([
+    knex.schema.alterTable('walletAddresses', function (table) {
+      table.uuid('tenantId').index().notNullable()
+      //table.foreign(['tenantId']).references('tenants.id')
+    })
+  ])
+}
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function (knex) {
+  return Promise.all([
+    knex.schema.alterTable('walletAddresses', function (table) {
+      table.dropIndex('tenantId')
+      table.dropColumn('tenantId')
+    })
+  ])
+}

packages/backend/src/app.ts

@@ -85,7 +85,6 @@ import { IlpPaymentService } from './payment-method/ilp/service'
 import { TelemetryService } from './telemetry/service'
 import { ApolloArmor } from '@escape.tech/graphql-armor'
 import { openPaymentsServerErrorMiddleware } from './open_payments/route-errors'
-import { verifyApiSignature } from './shared/utils'
 import { WalletAddress } from './open_payments/wallet_address/model'
 import {
   getWalletAddressUrlFromIncomingPayment,
@@ -101,6 +100,8 @@ import { LoggingPlugin } from './graphql/plugin'
 import { LocalPaymentService } from './payment-method/local/service'
 import { GrantService } from './open_payments/grant/service'
 import { AuthServerService } from './open_payments/authServer/service'
+import { Tenant } from './tenants/model'
+import { verifyTenantOrOperatorApiSignature } from './shared/utils'
 export interface AppContextData {
   logger: Logger
   container: AppContainer
@@ -144,6 +145,19 @@ export type HttpSigContext = AppContext & {
   client: string
 }
 
+type TenantedHttpSigHeaders = HttpSigHeaders & Record<'tenantId', string>
+
+type TenantedHttpSigRequest = Omit<HttpSigContext['request'], 'headers'> & {
+  headers: TenantedHttpSigHeaders
+}
+
+export type TenantedHttpSigContext = HttpSigContext & {
+  headers: TenantedHttpSigHeaders
+  request: TenantedHttpSigRequest
+  tenant?: Tenant
+  isOperator: boolean
+}
+
 export type HttpSigWithAuthenticatedStatusContext = HttpSigContext &
   AuthenticatedStatusContext
 
@@ -383,14 +397,14 @@ export class App {
       }
     )
 
-    if (this.config.adminApiSecret) {
-      koa.use(async (ctx, next: Koa.Next): Promise<void> => {
-        if (!verifyApiSignature(ctx, this.config)) {
+    koa.use(
+      async (ctx: TenantedHttpSigContext, next: Koa.Next): Promise<void> => {
+        if (!verifyTenantOrOperatorApiSignature(ctx, this.config)) {
           ctx.throw(401, 'Unauthorized')
         }
         return next()
-      })
-    }
+      }
+    )
 
     koa.use(
       koaMiddleware(this.apolloServer, {

packages/backend/src/asset/service.test.ts

@@ -275,6 +275,7 @@ describe('Asset Service', (): void => {
       // make sure there is at least 1 wallet address using asset
       const walletAddress = walletAddressService.create({
         url: 'https://alice.me/.well-known/pay',
+        tenantId: Config.operatorTenantId,
         assetId: newAssetId
       })
       assert.ok(!isWalletAddressError(walletAddress))

packages/backend/src/graphql/resolvers/wallet_address.test.ts

@@ -7,6 +7,7 @@ import { createTestApp, TestContainer } from '../../tests/app'
 import { IocContract } from '@adonisjs/fold'
 import { AppServices } from '../../app'
 import { Asset } from '../../asset/model'
+import { Tenant } from '../../tenants/model'
 import { initIocContainer } from '../..'
 import { Config } from '../../config/app'
 import { truncateTables } from '../../tests/tableManager'
@@ -35,6 +36,8 @@ import {
 import { getPageTests } from './page.test'
 import { WalletAddressAdditionalProperty } from '../../open_payments/wallet_address/additional_property/model'
 import { GraphQLErrorCode } from '../errors'
+//TODO import { TenantService } from '../../tenants/service'
+import { createTenant } from '../../tests/tenant'
 
 describe('Wallet Address Resolvers', (): void => {
   let deps: IocContract<AppServices>
@@ -63,11 +66,14 @@ describe('Wallet Address Resolvers', (): void => {
 
   describe('Create Wallet Address', (): void => {
     let asset: Asset
+    let tenant: Tenant
     let input: CreateWalletAddressInput
 
     beforeEach(async (): Promise<void> => {
       asset = await createAsset(deps)
+      tenant = await createTenant(deps)
       input = {
+        tenantId: tenant.id,
         assetId: asset.id,
         url: 'https://alice.me/.well-known/pay'
       }

packages/backend/src/graphql/resolvers/wallet_address.ts

@@ -99,6 +99,7 @@ export const createWalletAddress: MutationResolvers<ApolloContext>['createWallet
 
     const options: CreateOptions = {
       assetId: args.input.assetId,
+      tenantId: args.input.tenantId,
       additionalProperties: addProps,
       publicName: args.input.publicName,
       url: args.input.url

packages/backend/src/graphql/schema.graphql

@@ -1226,6 +1226,8 @@ type CreateReceiverResponse {
 }
 
 input CreateWalletAddressInput {
+  "Unique identifier of the tenant associated with the wallet address. This cannot be changed."
+  tenantId: String!
   "Unique identifier of the asset associated with the wallet address. This cannot be changed."
   assetId: String!
   "Wallet address URL. This cannot be changed."

packages/backend/src/index.ts

@@ -392,6 +392,7 @@ export function initIocContainer(
       logger: logger,
       accountingService: await deps.use('accountingService'),
       webhookService: await deps.use('webhookService'),
+      tenantService: await deps.use('tenantService'),
       assetService: await deps.use('assetService'),
       walletAddressCache: await deps.use('walletAddressCache')
     })

packages/backend/src/open_payments/payment/incoming/service.test.ts

@@ -53,7 +53,10 @@ describe('Incoming Payment Service', (): void => {
 
   beforeEach(async (): Promise<void> => {
     asset = await createAsset(deps)
-    const address = await createWalletAddress(deps, { assetId: asset.id })
+    const address = await createWalletAddress(deps, {
+      tenantId: config.operatorTenantId,
+      assetId: asset.id
+    })
     walletAddressId = address.id
     client = address.url
   })

packages/backend/src/open_payments/payment/outgoing/service.test.ts

@@ -272,12 +272,14 @@ describe('OutgoingPaymentService', (): void => {
     const { id: sendAssetId } = await createAsset(deps, asset)
     assetId = sendAssetId
     const walletAddress = await createWalletAddress(deps, {
+      tenantId: config.operatorTenantId,
       assetId: sendAssetId
     })
     walletAddressId = walletAddress.id
     client = walletAddress.url
     const { id: destinationAssetId } = await createAsset(deps, destinationAsset)
     receiverWalletAddress = await createWalletAddress(deps, {
+      tenantId: config.operatorTenantId,
       assetId: destinationAssetId,
       mockServerPort: appContainer.openPaymentsPort
     })
@@ -408,8 +410,12 @@ describe('OutgoingPaymentService', (): void => {
       let outgoingPayment: OutgoingPayment
       let otherOutgoingPayment: OutgoingPayment
       beforeEach(async (): Promise<void> => {
-        otherSenderWalletAddress = await createWalletAddress(deps, { assetId })
+        otherSenderWalletAddress = await createWalletAddress(deps, {
+          tenantId: config.operatorTenantId,
+          assetId
+        })
         otherReceiverWalletAddress = await createWalletAddress(deps, {
+          tenantId: config.operatorTenantId,
           assetId
         })
         const incomingPayment = await createIncomingPayment(deps, {
@@ -974,7 +980,9 @@ describe('OutgoingPaymentService', (): void => {
           validDestination: false,
           method: 'ilp'
         })
-        const walletAddress = await createWalletAddress(deps)
+        const walletAddress = await createWalletAddress(deps, {
+          tenantId: config.operatorTenantId
+        })
         const walletAddressUpdated = await WalletAddress.query(
           knex
         ).patchAndFetchById(walletAddress.id, { deactivatedAt: new Date() })

packages/backend/src/open_payments/quote/service.test.ts

@@ -96,10 +96,12 @@ describe('QuoteService', (): void => {
       scale: debitAmount.assetScale
     })
     sendingWalletAddress = await createWalletAddress(deps, {
+      tenantId: config.operatorTenantId,
       assetId: sendAssetId
     })
     const { id: destinationAssetId } = await createAsset(deps, destinationAsset)
     receivingWalletAddress = await createWalletAddress(deps, {
+      tenantId: config.operatorTenantId,
       assetId: destinationAssetId,
       mockServerPort: appContainer.openPaymentsPort
     })
@@ -525,9 +527,11 @@ describe('QuoteService', (): void => {
           scale: 2
         })
         sendingWalletAddress = await createWalletAddress(deps, {
+          tenantId: config.operatorTenantId,
           assetId: asset.id
         })
         receivingWalletAddress = await createWalletAddress(deps, {
+          tenantId: config.operatorTenantId,
           assetId: asset.id
         })
       })
@@ -633,9 +637,11 @@ describe('QuoteService', (): void => {
           scale: 2
         })
         sendingWalletAddress = await createWalletAddress(deps, {
+          tenantId: config.operatorTenantId,
           assetId: sendAsset.id
         })
         receivingWalletAddress = await createWalletAddress(deps, {
+          tenantId: config.operatorTenantId,
           assetId: receiveAsset.id
         })
       })

packages/backend/src/open_payments/wallet_address/model.ts

@@ -8,6 +8,7 @@ import { WebhookEvent } from '../../webhook/model'
 import { WalletAddressKey } from '../../open_payments/wallet_address/key/model'
 import { AmountJSON } from '../amount'
 import { WalletAddressAdditionalProperty } from './additional_property/model'
+import { Tenant } from '../../tenants/model'
 
 export class WalletAddress
   extends BaseModel
@@ -18,6 +19,14 @@ export class WalletAddress
   }
 
   static relationMappings = () => ({
+    tenant: {
+      relation: Model.HasOneRelation,
+      modelClass: Tenant,
+      join: {
+        from: 'walletAddresses.tenantId',
+        to: 'tenants.id'
+      }
+    },
     asset: {
       relation: Model.HasOneRelation,
       modelClass: Asset,
@@ -53,6 +62,9 @@ export class WalletAddress
   public readonly assetId!: string
   public asset!: Asset
 
+  public readonly tenantId!: string
+  public tenant!: Tenant
+
   // The cumulative received amount tracked by
   // `wallet_address.web_monetization` webhook events.
   // The value should be equivalent to the following query:

packages/backend/src/open_payments/wallet_address/routes.test.ts

@@ -102,6 +102,7 @@ describe('Wallet Address Routes', (): void => {
       addPropNotVisibleInOpenPayments.fieldValue = 'it-is-not'
       addPropNotVisibleInOpenPayments.visibleInOpenPayments = false
       const walletAddress = await createWalletAddress(deps, {
+        tenantId: config.operatorTenantId,
         publicName: faker.person.firstName(),
         additionalProperties: [addProp, addPropNotVisibleInOpenPayments]
       })
@@ -118,8 +119,9 @@ describe('Wallet Address Routes', (): void => {
         publicName: walletAddress.publicName,
         assetCode: walletAddress.asset.code,
         assetScale: walletAddress.asset.scale,
-        authServer: config.authServerGrantUrl,
-        resourceServer: config.openPaymentsUrl,
+        // Ensure the tenant id is returned for auth and resource server:
+        authServer: `${config.authServerGrantUrl}/${config.operatorTenantId}`,
+        resourceServer: `${config.openPaymentsUrl}/${config.operatorTenantId}`,
         additionalProperties: {
           [addProp.fieldKey]: addProp.fieldValue
         }
@@ -145,6 +147,7 @@ describe('Wallet Address Routes', (): void => {
 
     test('returns wallet address', async (): Promise<void> => {
       const walletAddress = await createWalletAddress(deps, {
+        tenantId: config.operatorTenantId,
         publicName: faker.person.firstName()
       })
 
@@ -160,8 +163,9 @@ describe('Wallet Address Routes', (): void => {
         publicName: walletAddress.publicName,
         assetCode: walletAddress.asset.code,
         assetScale: walletAddress.asset.scale,
-        authServer: config.authServerGrantUrl,
-        resourceServer: config.openPaymentsUrl
+        // Ensure the tenant id is returned for auth and resource server:
+        authServer: `${config.authServerGrantUrl}/${config.operatorTenantId}`,
+        resourceServer: `${config.openPaymentsUrl}/${config.operatorTenantId}`
       })
     })
   })

packages/backend/src/open_payments/wallet_address/routes.ts

@@ -11,6 +11,7 @@ import {
 } from '../../shared/pagination'
 import { OpenPaymentsServerRouteError } from '../route-errors'
 import { IAppConfig } from '../../config/app'
+import { ensureTrailingSlash } from '../../shared/utils'
 
 interface ServiceDependencies {
   config: IAppConfig
@@ -60,8 +61,8 @@ export async function getWalletAddress(
     )
 
   ctx.body = walletAddress.toOpenPaymentsType({
-    authServer: deps.config.authServerGrantUrl,
-    resourceServer: deps.config.openPaymentsUrl
+    authServer: `${ensureTrailingSlash(deps.config.authServerGrantUrl)}${walletAddress.tenantId}`,
+    resourceServer: `${ensureTrailingSlash(deps.config.openPaymentsUrl)}${walletAddress.tenantId}`
   })
 }
 

packages/backend/src/open_payments/wallet_address/service.test.ts

@@ -12,6 +12,7 @@ import { CreateOptions, FORBIDDEN_PATHS, WalletAddressService } from './service'
 import { AccountingService } from '../../accounting/service'
 import { createTestApp, TestContainer } from '../../tests/app'
 import { createAsset } from '../../tests/asset'
+import { createTenant } from '../../tests/tenant'
 import { createWalletAddress } from '../../tests/walletAddress'
 import { truncateTables } from '../../tests/tableManager'
 import { Config, IAppConfig } from '../../config/app'
@@ -61,9 +62,11 @@ describe('Open Payments Wallet Address Service', (): void => {
 
     beforeEach(async (): Promise<void> => {
       const { id: assetId } = await createAsset(deps)
+      const { id: tenantId } = await createTenant(deps)
       options = {
         url: 'https://alice.me/.well-known/pay',
-        assetId
+        assetId,
+        tenantId
       }
     })