chore(auth, backend): removed unused multi-tenancy features, update env variables (#3699)

mkurapov · web-flow · commit f8709dbeae78 · 2025-10-16T20:47:01.000+02:00
* feat(auth): add migration to seed operators api secret

* feat(auth): propagate apiSecret during tenant creation

* test(auth): update api secret tests &amp; tableManager

* chore(localenv): update ADMIN_API_SECRET in docker compose files

* chore(bruno): update authApiSignatureSecret in requests

* feat(auth): add getTenantFromApiSignature middleware

* chore(auth): move tenant signature functions to separate file

* feat(auth): update authed tenant middleware, and add tests

* test(backend): update tenant test

* chore(testenv): add ADMIN_API_SECRET to auth

* feat(backend): call the auth service client if apiSecret has been updated

* test(auth): update tenant signature test name

* feat(auth): update tenant response from auth api to include the apiSecet

* test(auth): pull out apolloClient creation from test app

* feat(auth): add tenantId to GraphQL schema

* feat(auth): add tenant boundaries to resolvers

* feat(auth): disconnect from redis on app shutdown

* test(auth): add additional tests for tenant signature verification

* chore(backend): remove auth service client get method

* chore(backend): remove unused apolloClient

* chore(auth): remove unused GET route for tenant API

* chore(auth): remove unused GetContext

* chore(backend): fix peer migration

* chore(backend): rename API_SECRET and API_SIGNATURE_VERSION

* chore(testenv): rename API_SECRET and API_SIGNATURE_VERSION

* chore(localenv): rename API_SECRET and API_SIGNATURE_VERSION

* chore(localenv): remove unused AUTH_ADMIN_API_URL env vars

* chore(backend): update tenantId backfill migration for incoming payments
diff --git a/localenv/cloud-nine-wallet/docker-compose.yml b/localenv/cloud-nine-wallet/docker-compose.yml
@@ -67,12 +67,10 @@ services:
       TIGERBEETLE_REPLICA_ADDRESSES: ${TIGERBEETLE_REPLICA_ADDRESSES-''}
       AUTH_SERVER_GRANT_URL: ${CLOUD_NINE_AUTH_SERVER_DOMAIN:-http://cloud-nine-wallet-auth:3006}
       AUTH_SERVER_INTROSPECTION_URL: http://cloud-nine-wallet-auth:3007
-      AUTH_ADMIN_API_URL: 'http://cloud-nine-wallet-auth:3003/graphql'
-      AUTH_ADMIN_API_SECRET: 'rPoZpe9tVyBNCigm05QDco7WLcYa0xMao7lO5KG1XG4='
       AUTH_SERVICE_API_URL: 'http://cloud-nine-wallet-auth:3011'
       ILP_ADDRESS: ${ILP_ADDRESS:-test.cloud-nine-wallet}
       STREAM_SECRET: BjPXtnd00G2mRQwP/8ZpwyZASOch5sUXT5o0iR5b5wU=
-      API_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
+      ADMIN_API_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
       OPEN_PAYMENTS_URL: ${CLOUD_NINE_OPEN_PAYMENTS_URL:-https://cloud-nine-wallet-backend}
       WEBHOOK_URL: http://cloud-nine-wallet/webhooks
       EXCHANGE_RATES_URL: http://cloud-nine-wallet/rates
diff --git a/localenv/happy-life-bank/docker-compose.yml b/localenv/happy-life-bank/docker-compose.yml
@@ -63,13 +63,11 @@ services:
       USE_TIGERBEETLE: false
       AUTH_SERVER_GRANT_URL: ${HAPPY_LIFE_BANK_AUTH_SERVER_DOMAIN:-http://happy-life-bank-auth:3006}
       AUTH_SERVER_INTROSPECTION_URL: http://happy-life-bank-auth:3007
-      AUTH_ADMIN_API_URL: 'http://happy-life-bank-auth:4003/graphql'
-      AUTH_ADMIN_API_SECRET: 'rPoZpe9tVyBNCigm05QDco7WLcYa0xMao7lO5KG1XG4='
       AUTH_SERVICE_API_URL: 'http://happy-life-bank-auth:4011'
       ILP_ADDRESS: test.happy-life-bank
       ILP_CONNECTOR_URL: http://happy-life-bank-backend:4002
       STREAM_SECRET: BjPXtnd00G2mRQwP/8ZpwyZASOch5sUXT5o0iR5b5wU=
-      API_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
+      ADMIN_API_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
       WEBHOOK_URL: http://happy-life-bank/webhooks
       EXCHANGE_RATES_URL: http://happy-life-bank/rates
       OPEN_PAYMENTS_URL: ${HAPPY_LIFE_BANK_OPEN_PAYMENTS_URL:-https://happy-life-bank-backend}
diff --git a/packages/auth/src/app.ts b/packages/auth/src/app.ts
@@ -511,7 +511,6 @@ export class App {
 
     const tenantRoutes = await this.container.use('tenantRoutes')
 
-    router.get('/tenant/:id', tenantRoutes.get)
     router.post('/tenant', tenantRoutes.create)
     router.patch('/tenant/:id', tenantRoutes.update)
     router.delete('/tenant/:id', tenantRoutes.delete)
diff --git a/packages/auth/src/tenant/routes.test.ts b/packages/auth/src/tenant/routes.test.ts
@@ -12,8 +12,7 @@ import {
   UpdateContext,
   DeleteContext,
   TenantRoutes,
-  createTenantRoutes,
-  GetContext
+  createTenantRoutes
 } from './routes'
 import { TenantService } from './service'
 import { Tenant } from './model'
@@ -44,56 +43,6 @@ describe('Tenant Routes', (): void => {
     await appContainer.shutdown()
   })
 
-  describe('get', (): void => {
-    test('Gets a tenant', async (): Promise<void> => {
-      const tenant = await Tenant.query().insert({
-        id: v4(),
-        apiSecret: v4(),
-        idpConsentUrl: 'https://example.com/consent',
-        idpSecret: 'secret123'
-      })
-
-      const ctx = createContext<GetContext>(
-        {
-          headers: {
-            Accept: 'application/json',
-            'Content-Type': 'application/json'
-          }
-        },
-        {
-          id: tenant.id
-        }
-      )
-
-      await expect(tenantRoutes.get(ctx)).resolves.toBeUndefined()
-      expect(ctx.status).toBe(200)
-      expect(ctx.body).toEqual({
-        id: tenant.id,
-        apiSecret: tenant.apiSecret,
-        idpConsentUrl: tenant.idpConsentUrl,
-        idpSecret: tenant.idpSecret
-      })
-    })
-
-    test('Returns 404 when getting non-existent tenant', async (): Promise<void> => {
-      const ctx = createContext<GetContext>(
-        {
-          headers: {
-            Accept: 'application/json',
-            'Content-Type': 'application/json'
-          }
-        },
-        {
-          id: v4()
-        }
-      )
-
-      await expect(tenantRoutes.get(ctx)).resolves.toBeUndefined()
-      expect(ctx.status).toBe(404)
-      expect(ctx.body).toBeUndefined()
-    })
-  })
-
   describe('create', (): void => {
     test('Creates a tenant', async (): Promise<void> => {
       const tenantData = {
diff --git a/packages/auth/src/tenant/routes.ts b/packages/auth/src/tenant/routes.ts
@@ -2,7 +2,6 @@ import { ParsedUrlQuery } from 'querystring'
 import { AppContext } from '../app'
 import { TenantService } from './service'
 import { BaseService } from '../shared/baseService'
-import { Tenant } from './model'
 import { isValidDateString } from '../shared/utils'
 
 type TenantRequest<BodyT = never, QueryT = ParsedUrlQuery> = Exclude<
@@ -33,20 +32,11 @@ interface TenantParams {
   id: string
 }
 
-interface TenantResponse {
-  id: string
-  apiSecret: string
-  idpConsentUrl?: string
-  idpSecret?: string
-}
-
-export type GetContext = TenantContext<never, TenantParams>
 export type CreateContext = TenantContext<CreateTenantBody>
 export type UpdateContext = TenantContext<UpdateTenantBody, TenantParams>
 export type DeleteContext = TenantContext<{ deletedAt: string }, TenantParams>
 
 export interface TenantRoutes {
-  get(ctx: GetContext): Promise<void>
   create(ctx: CreateContext): Promise<void>
   update(ctx: UpdateContext): Promise<void>
   delete(ctx: DeleteContext): Promise<void>
@@ -67,7 +57,6 @@ export function createTenantRoutes({
   const deps = { tenantService, logger: log }
 
   return {
-    get: (ctx: GetContext) => getTenant(deps, ctx),
     create: (ctx: CreateContext) => createTenant(deps, ctx),
     update: (ctx: UpdateContext) => updateTenant(deps, ctx),
     delete: (ctx: DeleteContext) => deleteTenant(deps, ctx)
@@ -123,28 +112,3 @@ async function deleteTenant(
 
   ctx.status = 204
 }
-
-async function getTenant(
-  deps: ServiceDependencies,
-  ctx: GetContext
-): Promise<void> {
-  const { id } = ctx.params
-  const tenant = await deps.tenantService.get(id)
-
-  if (!tenant) {
-    ctx.status = 404
-    return
-  }
-
-  ctx.status = 200
-  ctx.body = toTenantResponse(tenant)
-}
-
-function toTenantResponse(tenant: Tenant): TenantResponse {
-  return {
-    id: tenant.id,
-    apiSecret: tenant.apiSecret,
-    idpConsentUrl: tenant.idpConsentUrl,
-    idpSecret: tenant.idpSecret
-  }
-}
diff --git a/packages/backend/jest.env.js b/packages/backend/jest.env.js
@@ -11,8 +11,6 @@ process.env.WEBHOOK_URL = 'http://127.0.0.1:4001/webhook'
 process.env.STREAM_SECRET = '2/PxuRFV9PAp0yJlnAifJ+1OxujjjI16lN+DBnLNRLA='
 process.env.USE_TIGERBEETLE = false
 process.env.ENABLE_TELEMETRY = false
-process.env.AUTH_ADMIN_API_URL = 'http://127.0.0.1:3003/graphql'
-process.env.AUTH_ADMIN_API_SECRET = 'test-secret'
 process.env.OPERATOR_TENANT_ID = 'cf5fd7d3-1eb1-4041-8e43-ba45747e9e5d'
-process.env.API_SECRET = 'KQEXlZO65jUJXakXnLxGO7dk387mt71G9tZ42rULSNU='
+process.env.ADMIN_API_SECRET = 'KQEXlZO65jUJXakXnLxGO7dk387mt71G9tZ42rULSNU='
 process.env.EXCHANGE_RATES_URL = 'http://example.com/rates'
diff --git a/packages/backend/migrations/20241205153035_seed_operator_tenant.js b/packages/backend/migrations/20241205153035_seed_operator_tenant.js
@@ -4,12 +4,12 @@
  */
 
 const OPERATOR_TENANT_ID = process.env['OPERATOR_TENANT_ID']
-const OPERATOR_API_SECRET = process.env['API_SECRET']
+const OPERATOR_API_SECRET = process.env['ADMIN_API_SECRET']
 
 exports.up = function (knex) {
   if (!OPERATOR_TENANT_ID || !OPERATOR_API_SECRET) {
     throw new Error(
-      'Could not seed operator tenant. Please configure OPERATOR_TENANT_ID and API_SECRET environment variables'
+      'Could not seed operator tenant. Please configure OPERATOR_TENANT_ID and ADMIN_API_SECRET environment variables'
     )
   }
 
diff --git a/packages/backend/migrations/20250120101610_add_tenant_to_incoming_payments.js b/packages/backend/migrations/20250120101610_add_tenant_to_incoming_payments.js
@@ -9,13 +9,13 @@ exports.up = function (knex) {
       table.foreign('tenantId').references('id').inTable('tenants')
     })
     .then(() => {
-      knex.raw(
+      return knex.raw(
         `UPDATE "incomingPayments" SET "tenantId" = (SELECT id from "tenants" LIMIT 1)`
       )
     })
     .then(() => {
-      knex.schema.alterTable('incomingPayments', function (table) {
-        table.uuid('tenantId').notNullable()
+      return knex.schema.alterTable('incomingPayments', function (table) {
+        table.uuid('tenantId').notNullable().alter()
       })
     })
 }
diff --git a/packages/backend/migrations/20250214141958_add_tenant_to_peer.js b/packages/backend/migrations/20250214141958_add_tenant_to_peer.js
@@ -9,13 +9,13 @@ exports.up = function (knex) {
       table.foreign('tenantId').references('id').inTable('tenants')
     })
     .then(() => {
-      knex.raw(
+      return knex.raw(
         `UPDATE "peers" SET "tenantId" = (SELECT id from "tenants" LIMIT 1)`
       )
     })
     .then(() => {
-      knex.schema.alterTable('peers', function (table) {
-        table.uuid('tenantId').notNullable()
+      return knex.schema.alterTable('peers', function (table) {
+        table.uuid('tenantId').notNullable().alter()
       })
     })
 }
diff --git a/packages/backend/src/auth-service-client/client.test.ts b/packages/backend/src/auth-service-client/client.test.ts
@@ -23,27 +23,6 @@ describe('AuthServiceClient', () => {
   })
 
   describe('tenant', () => {
-    describe('get', () => {
-      test('retrieves a tenant', async () => {
-        const tenantData = createTenantData()
-
-        nock(baseUrl).get(`/tenant/${tenantData.id}`).reply(200, tenantData)
-
-        const tenant = await client.tenant.get(tenantData.id)
-        expect(tenant).toEqual(tenantData)
-      })
-
-      test('throws on bad request', async () => {
-        const id = faker.string.uuid()
-
-        nock(baseUrl).get(`/tenant/${id}`).reply(404)
-
-        await expect(client.tenant.get(id)).rejects.toThrow(
-          AuthServiceClientError
-        )
-      })
-    })
-
     describe('create', () => {
       test('creates a new tenant', async () => {
         const tenantData = createTenantData()
diff --git a/packages/backend/src/auth-service-client/client.ts b/packages/backend/src/auth-service-client/client.ts
@@ -69,8 +69,6 @@ export class AuthServiceClient {
   }
 
   public tenant = {
-    get: (id: string) =>
-      this.request<Tenant>(`/tenant/${id}`, { method: 'GET' }),
     create: (data: Tenant) =>
       this.request('/tenant', {
         method: 'POST',
diff --git a/packages/backend/src/config/app.ts b/packages/backend/src/config/app.ts
@@ -125,9 +125,6 @@ export const Config = {
 
   authServerGrantUrl: envString('AUTH_SERVER_GRANT_URL'),
   authServerIntrospectionUrl: envString('AUTH_SERVER_INTROSPECTION_URL'),
-  authAdminApiUrl: envString('AUTH_ADMIN_API_URL'),
-  authAdminApiSecret: envString('AUTH_ADMIN_API_SECRET'),
-  authAdminApiSignatureVersion: envInt('AUTH_ADMIN_API_SIGNATURE_VERSION', 1),
   authServiceApiUrl: envString('AUTH_SERVICE_API_URL'),
 
   outgoingPaymentWorkers: envInt('OUTGOING_PAYMENT_WORKERS', 1),
@@ -162,8 +159,8 @@ export const Config = {
   signatureSecret: process.env.SIGNATURE_SECRET, // optional
   signatureVersion: envInt('SIGNATURE_VERSION', 1),
 
-  adminApiSecret: envString('API_SECRET'),
-  adminApiSignatureVersion: envInt('API_SIGNATURE_VERSION', 1),
+  adminApiSecret: envString('ADMIN_API_SECRET'),
+  adminApiSignatureVersion: envInt('ADMIN_API_SIGNATURE_VERSION', 1),
   adminApiSignatureTtlSeconds: envInt('ADMIN_API_SIGNATURE_TTL_SECONDS', 30),
 
   keyId: envString('KEY_ID'),
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
@@ -7,23 +7,12 @@ import { createClient } from 'tigerbeetle-node'
 import { createClient as createIntrospectionClient } from 'token-introspection'
 import net from 'net'
 import dns from 'dns'
-import { createHmac } from 'crypto'
 
 import { createAuthenticatedClient as createOpenPaymentsClient } from '@interledger/open-payments'
 import { createOpenAPI } from '@interledger/openapi'
 import path from 'path'
 import { StreamServer } from '@interledger/stream-receiver'
 import axios from 'axios'
-import {
-  ApolloClient,
-  ApolloLink,
-  createHttpLink,
-  InMemoryCache
-} from '@apollo/client'
-import { onError } from '@apollo/client/link/error'
-import { setContext } from '@apollo/client/link/context'
-import { canonicalize } from 'json-canonicalize'
-import { print } from 'graphql/language/printer'
 
 import { createAccountingService as createPsqlAccountingService } from './accounting/psql/service'
 import { createAccountingService as createTigerbeetleAccountingService } from './accounting/tigerbeetle/service'
@@ -149,78 +138,6 @@ export function initIocContainer(
     })
   })
 
-  container.singleton('apolloClient', async (deps) => {
-    const [logger, config] = await Promise.all([
-      deps.use('logger'),
-      deps.use('config')
-    ])
-
-    const httpLink = createHttpLink({
-      uri: config.authAdminApiUrl
-    })
-
-    const errorLink = onError(({ graphQLErrors }) => {
-      if (graphQLErrors) {
-        logger.error(graphQLErrors)
-        graphQLErrors.map(({ extensions }) => {
-          if (extensions && extensions.code === 'UNAUTHENTICATED') {
-            logger.error('UNAUTHENTICATED')
-          }
-
-          if (extensions && extensions.code === 'FORBIDDEN') {
-            logger.error('FORBIDDEN')
-          }
-        })
-      }
-    })
-
-    const authLink = setContext((request, { headers }) => {
-      if (!config.authAdminApiSecret || !config.authAdminApiSignatureVersion)
-        return { headers }
-      const timestamp = Date.now()
-      const version = config.authAdminApiSignatureVersion
-
-      const { query, variables, operationName } = request
-      const formattedRequest = {
-        variables,
-        operationName,
-        query: print(query)
-      }
-
-      const payload = `${timestamp}.${canonicalize(formattedRequest)}`
-      const hmac = createHmac('sha256', config.authAdminApiSecret)
-      hmac.update(payload)
-      const digest = hmac.digest('hex')
-
-      return {
-        headers: {
-          ...headers,
-          signature: `t=${timestamp}, v${version}=${digest}`
-        }
-      }
-    })
-
-    const link = ApolloLink.from([errorLink, authLink, httpLink])
-
-    const client = new ApolloClient({
-      cache: new InMemoryCache({}),
-      link: link,
-      defaultOptions: {
-        query: {
-          fetchPolicy: 'no-cache'
-        },
-        mutate: {
-          fetchPolicy: 'no-cache'
-        },
-        watchQuery: {
-          fetchPolicy: 'no-cache'
-        }
-      }
-    })
-
-    return client
-  })
-
   container.singleton('tenantCache', async () => {
     return createInMemoryDataStore(config.localCacheDuration)
   })
diff --git a/test/testenv/cloud-nine-wallet/docker-compose.yml b/test/testenv/cloud-nine-wallet/docker-compose.yml
diff --git a/test/testenv/happy-life-bank/docker-compose.yml b/test/testenv/happy-life-bank/docker-compose.yml

Original file line number	Diff line number	Diff line change
`@@ -4,12 +4,12 @@`
`4`	`4`	`*/`
`5`	`5`
`6`	`6`	`const OPERATOR_TENANT_ID = process.env['OPERATOR_TENANT_ID']`
`7`		`-const OPERATOR_API_SECRET = process.env['API_SECRET']`
	`7`	`+const OPERATOR_API_SECRET = process.env['ADMIN_API_SECRET']`
`8`	`8`
`9`	`9`	`exports.up = function (knex) {`
`10`	`10`	`if (!OPERATOR_TENANT_ID \|\| !OPERATOR_API_SECRET) {`
`11`	`11`	`throw new Error(`
`12`		`- 'Could not seed operator tenant. Please configure OPERATOR_TENANT_ID and API_SECRET environment variables'`
	`12`	`+ 'Could not seed operator tenant. Please configure OPERATOR_TENANT_ID and ADMIN_API_SECRET environment variables'`
`13`	`13`	`)`
`14`	`14`	`}`
`15`	`15`