feat(auth): add subject to grant

[cozminu]

Changes proposed in this pull request

Context

fixes #3343

Checklist

• Related issues linked using fixes #number
• Tests added/updated
• Make sure that all checks pass
• Bruno collection updated (if necessary)
• Documentation issue created with user-docs label (if necessary)
• OpenAPI specs updated (if necessary)

[netlify]

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	8e0b9c0
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/68efae64e149b30008fa0c41

[github-actions]

🚀 Performance Test Results

Test Configuration:

• VUs: 4
• Duration: 1m0s

Test Metrics:

• Requests/s: 42.50
• Iterations/s: 14.18
• Failed Requests: 0.00% (0 of 2556)

📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 923 kB 15 kB/s
     data_sent......................: 2.0 MB 33 kB/s
     http_req_blocked...............: avg=7.44µs   min=2.36µs   med=5.55µs   max=942.82µs p(90)=6.77µs   p(95)=7.42µs  
     http_req_connecting............: avg=802ns    min=0s       med=0s       max=902.55µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=93.45ms  min=7.37ms   med=77.04ms  max=571.08ms p(90)=160.15ms p(95)=185.01ms
       { expected_response:true }...: avg=93.45ms  min=7.37ms   med=77.04ms  max=571.08ms p(90)=160.15ms p(95)=185.01ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2556
     http_req_receiving.............: avg=96.17µs  min=23.16µs  med=82.81µs  max=4ms      p(90)=121.63µs p(95)=156.46µs
     http_req_sending...............: avg=37.26µs  min=10.43µs  med=28.62µs  max=2.44ms   p(90)=41.63µs  p(95)=57.49µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=93.32ms  min=7.22ms   med=76.89ms  max=571.01ms p(90)=160.05ms p(95)=184.86ms
     http_reqs......................: 2556   42.504649/s
     iteration_duration.............: avg=281.73ms min=173.38ms med=267.29ms max=1.09s    p(90)=350.12ms p(95)=381.1ms 
     iterations.....................: 853    14.184846/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

[mkurapov]

Why do we need this mock?

[cozminu]

canSkipInteraction function uses them and the purpose of the unit test is to test only the unit and not the deps, but I see there are also benefits from using the unmocked functions. removed the mock

[njlie]

Overall LGTM, just a couple things

[njlie]

nit: this is getting subject, not access

[cozminu]

yes, fixed

[mkurapov]

Few comments!

[mkurapov]

We should match GrantErrors to their respective HTTP codes and GNAPErrorCodes.
This is similar to how @oana-lolea maps AccessErrors to the respective code & error codes in her PR.

[cozminu]

done

[mkurapov]

Should this throw a GrantError instead?

[cozminu]

yes, adapted to throw GrantError

[mkurapov]

If we don't use subjects anywhere (given that we don't pass it in during the introspection request), then its OK to leave out

[cozminu]

removed

[njlie]

Just one suggestion to be applied accross all the places where trx was cast in order to silence a Typescript error.

[njlie]

It might be healthier to actually initialize trx in the beforeAll block so that the tables get properly truncated when the test is finished, but the editor also doesn't flag a Typescript error. I assume this type casting was done to address the TS error.

beforeAll(async (): Promise<void> => {
	...
	trx = await appContainer.knex.transaction()
})

[cozminu]

Yes, It was a fix to a TS error

Variable 'trx' is used before being assigned.ts(2454)

Using a transaction is tricky because it can deadlock tests because some queries are done within a transaction and others are not. Managed to fix it, but in another manner.

let trx: KnexOrTransaction

beforeAll(async (): Promise<void> => {
	...
	trx = await appContainer.knex
})

Is this ok with you?

[njlie]

Ditto to prior comment on initializing trx.

[njlie]

Ditto to prior comment on initializing trx.

[njlie]

Ditto to prior comment on initializing trx.

[njlie]

Ditto to prior comment on initializing trx.

[njlie]

Thanks for adding these tests! Especially since they cover logic that existed before this PR

[njlie]

Ditto to prior comment on initializing trx.

[njlie]

Ditto to prior comment on initializing trx.

[mkurapov]

grant.subjects only exists if we add it to the withGraphFetched request in the service methods OR we have subjects as a separate "child" resolver under grants, and call the subjectService.getByGrantId directly.

An example of this is the Asset > sendingFee resolver in backend.

[cozminu]

fixed with withGraphFetched('subjects') in the service methods

[mkurapov]

I think we can keep it as [Access!]!, if there is no access it can simply be an empty array.

[mkurapov]

to avoid empty string, let's provide some generic message instead at least. It's less important for the client, its more so for us to find where to debug it.

[cozminu]

changed to 'unknown error while checking interaction requirement'

[mkurapov]

Suggested change

	if (subject.format != 'uri') {
	if (subject.format !== 'uri') {

[mkurapov]

not sure if @njlie agrees, but I think just checking that it is a valid URL is sufficient, without checking the https://. IMO it can be up to the ASE to determine how strict they want to be with the specifics, like protocol.

[njlie]

For the record, I also agree.

[cozminu]

fixed

[mkurapov]

access_token could be undefined now, just like subject

[cozminu]

fixed

[mkurapov]

We should remove the import { Knex } from 'knex' import

[mkurapov]

there can only be one subject for a grant, but the sub_ids can be many. So this can either be a subject object with sub_ids array, (like the Open Payments spec), or we can directly return sub_ids here.

[mkurapov]

The same applies for the subject updates in the GraphQL schema

[cozminu]

changed to subject object with sub_ids array.
I'm not aware of a subject updates.

[mkurapov]

We should make this spec standalone, and move over the correct components (access/subject) into this file, similar to how it was done for token-introspection

[mkurapov]

I think we should only create an accessToken if the access_token was provided in the initial grant request. We can use length of access to verify that, I believe. Otherwise, if the client is just requesting subject information, and not access_token, we would return an access_token still, eg:

{
  "access_token": {
    "access": [],
    "value": "EC6884A68394DAC1E186",
    "manage": "http://localhost:3006/token/965841c8-1671-4174-944d-56778083dfdb",
    "expires_in": 600
  },
  "continue": {
    "access_token": {
      "value": "B785F0F5ED51E08A923E"
    },
    "uri": "http://localhost:3006/continue/b094d601-cd62-43fd-9389-5ed6628c1c1d"
  },
  "subject": {
    "sub_ids": [
      {
        "id": "https://cloud-nine-wallet-backend/accounts/gfranklin",
        "format": "uri"
      }
    ]
  }
}

CC @njlie to confirm as well

[njlie]

Yeah agreed, there's nothing to access, hence no access token.

[cozminu]

fixed, access_token is no more when the grant doesn't contain access items

[mkurapov]

The auth server changes look good 👍
I found a few things in the mock ase, but I will put up a change separately