feat(auth): add subject to grant

localenv/mock-account-servicing-entity/package.json

@@ -17,7 +17,7 @@
     "@remix-run/serve": "^2.16.4",
     "@types/node": "^18.7.12",
     "@types/uuid": "^9.0.8",
-    "axios": "^1.8.2",
+    "axios": "^1.12.0",
     "class-variance-authority": "^0.7.1",
     "graphql": "^16.11.0",
     "json-canonicalize": "^1.0.6",

package.json

@@ -74,7 +74,8 @@
       "path-to-regexp@>=0.1.7": "^0.1.12",
       "path-to-regexp@>=6.3.0": "^6.3.0",
       "next": "^15.2.3",
-      "form-data": "^4.0.4"
+      "form-data": "^4.0.4",
+      "sha.js": ">=2.4.12"
     }
   }
 }

packages/auth/migrations/20250509114109_create_subject_table.js

@@ -0,0 +1,26 @@
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.up = function (knex) {
+  return knex.schema.createTable('subjects', function (table) {
+    table.uuid('id').primary()
+
+    table.uuid('grantId').notNullable()
+    table.foreign('grantId').references('grants.id').onDelete('CASCADE')
+
+    table.string('subId').notNullable()
+    table.string('subIdFormat').notNullable()
+
+    table.timestamp('createdAt').defaultTo(knex.fn.now())
+    table.timestamp('updatedAt').defaultTo(knex.fn.now())
+  })
+}
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function (knex) {
+  return knex.schema.dropTableIfExists('subjects')
+}

packages/auth/package.json

@@ -35,7 +35,7 @@
     "@koa/cors": "^5.0.0",
     "@koa/router": "^12.0.2",
     "ajv": "^8.12.0",
-    "axios": "^1.8.2",
+    "axios": "^1.12.0",
     "dotenv": "^16.4.7",
     "graphql": "^16.11.0",
     "ioredis": "^5.3.2",

packages/auth/src/access/service.test.ts

@@ -1,5 +1,4 @@
 import nock from 'nock'
-import { Knex } from 'knex'
 import { createTestApp, TestContainer } from '../tests/app'
 import { truncateTables } from '../tests/tableManager'
 import { Config } from '../config/app'
@@ -13,14 +12,15 @@ import { AccessError } from './errors'
 import { generateBaseGrant } from '../tests/grant'
 import { AccessType, AccessAction } from '@interledger/open-payments'
 import { Access } from './model'
+import { TransactionOrKnex } from 'objection'
 import { Tenant } from '../tenant/model'
 import { generateTenant } from '../tests/tenant'
 
 describe('Access Service', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
   let accessService: AccessService
-  let trx: Knex.Transaction
+  let trx: TransactionOrKnex
   let grant: Grant
 
   beforeEach(async (): Promise<void> => {
@@ -34,6 +34,7 @@ describe('Access Service', (): void => {
     deps = initIocContainer(Config)
     appContainer = await createTestApp(deps)
     accessService = await deps.use('accessService')
+    trx = appContainer.knex
   })
 
   afterEach(async (): Promise<void> => {

packages/auth/src/access/utils.test.ts

@@ -1,6 +1,5 @@
 import { v4 } from 'uuid'
 import { IocContract } from '@adonisjs/fold'
-import { Knex } from 'knex'
 import { faker } from '@faker-js/faker'
 import {
   AccessItem,
@@ -17,13 +16,14 @@ import { createTestApp, TestContainer } from '../tests/app'
 import { truncateTables } from '../tests/tableManager'
 import { generateToken, generateNonce } from '../shared/utils'
 import { compareRequestAndGrantAccessItems } from './utils'
+import { TransactionOrKnex } from 'objection'
 import { Tenant } from '../tenant/model'
 import { generateTenant } from '../tests/tenant'
 
 describe('Access utilities', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
-  let trx: Knex.Transaction
+  let trx: TransactionOrKnex
   let identifier: string
   let grant: Grant
   let grantAccessItem: Access
@@ -35,6 +35,7 @@ describe('Access utilities', (): void => {
   beforeAll(async (): Promise<void> => {
     deps = initIocContainer(Config)
     appContainer = await createTestApp(deps)
+    trx = appContainer.knex
   })
 
   beforeEach(async (): Promise<void> => {

packages/auth/src/accessToken/routes.test.ts

@@ -1,6 +1,5 @@
 import { faker } from '@faker-js/faker'
 import nock from 'nock'
-import { Knex } from 'knex'
 import { v4 } from 'uuid'
 import jestOpenAPI from 'jest-openapi'
 
@@ -24,13 +23,14 @@ import {
 import { GrantService } from '../grant/service'
 import { AccessTokenService } from './service'
 import { GNAPErrorCode } from '../shared/gnapErrors'
+import { TransactionOrKnex } from 'objection'
 import { generateTenant } from '../tests/tenant'
 import { Tenant } from '../tenant/model'
 
 describe('Access Token Routes', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
-  let trx: Knex.Transaction
+  let trx: TransactionOrKnex
   let accessTokenRoutes: AccessTokenRoutes
   let accessTokenService: AccessTokenService
   let grantService: GrantService
@@ -42,6 +42,7 @@ describe('Access Token Routes', (): void => {
     grantService = await deps.use('grantService')
     accessTokenService = await deps.use('accessTokenService')
     const openApi = await deps.use('openApi')
+    trx = appContainer.knex
     jestOpenAPI(openApi.authServerSpec)
   })
 

packages/auth/src/accessToken/service.test.ts

@@ -1,5 +1,4 @@
 import nock from 'nock'
-import { Knex } from 'knex'
 import { v4 } from 'uuid'
 import assert from 'assert'
 
@@ -20,19 +19,21 @@ import {
   AccessItem
 } from '@interledger/open-payments'
 import { generateBaseGrant } from '../tests/grant'
+import { TransactionOrKnex } from 'objection'
 import { Tenant } from '../tenant/model'
 import { generateTenant } from '../tests/tenant'
 
 describe('Access Token Service', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
-  let trx: Knex.Transaction
+  let trx: TransactionOrKnex
   let accessTokenService: AccessTokenService
 
   beforeAll(async (): Promise<void> => {
     deps = initIocContainer(Config)
     appContainer = await createTestApp(deps)
     accessTokenService = await deps.use('accessTokenService')
+    trx = appContainer.knex
   })
 
   afterEach(async (): Promise<void> => {
@@ -175,7 +176,7 @@ describe('Access Token Service', (): void => {
         accessTokenService.introspect(accessToken.value, [
           outgoingPaymentAccess
         ])
-      ).resolves.toEqual({ grant, access: [grant.access[0]] })
+      ).resolves.toEqual({ grant, access: [grant.access?.[0]] })
     })
 
     test('Can introspect active token with partial access actions', async (): Promise<void> => {
@@ -185,7 +186,7 @@ describe('Access Token Service', (): void => {
       }
       await expect(
         accessTokenService.introspect(accessToken.value, [access])
-      ).resolves.toEqual({ grant, access: [grant.access[0]] })
+      ).resolves.toEqual({ grant, access: [grant.access?.[0]] })
     })
 
     test('Introspection only returns requested access', async (): Promise<void> => {

packages/auth/src/accessToken/service.ts

@@ -93,7 +93,7 @@ async function introspect(
   if (access) {
     for (const accessItem of access) {
       const { access: grantAccess } = token.grant
-      const foundAccessItem = grantAccess.find((grantAccessItem) =>
+      const foundAccessItem = grantAccess?.find((grantAccessItem) =>
         compareRequestAndGrantAccessItems(
           accessItem,
           toOpenPaymentsAccess(grantAccessItem)

packages/auth/src/grant/errors.ts

@@ -0,0 +1,49 @@
+import { HttpStatusCode } from 'axios'
+import { GNAPErrorCode } from '../shared/gnapErrors'
+import { AccessError } from '../access/errors'
+
+export enum GrantErrorCode {
+  InvalidRequest,
+  OnlyOneAccessAmountAllowed
+}
+
+export class GrantError extends Error {
+  code: GrantErrorCode
+  constructor(code: GrantErrorCode, message: string) {
+    super(message)
+    this.name = 'GrantError'
+    this.code = code
+  }
+}
+
+export function isGrantError(error: unknown): error is GrantError {
+  return error instanceof GrantError
+}
+
+export const errorToHTTPCode: {
+  [key in GrantErrorCode]: number
+} = {
+  [GrantErrorCode.InvalidRequest]: HttpStatusCode.BadRequest,
+  [GrantErrorCode.OnlyOneAccessAmountAllowed]: HttpStatusCode.BadRequest
+}
+
+export const errorToGNAPCode: {
+  [key in GrantErrorCode]: GNAPErrorCode
+} = {
+  [GrantErrorCode.InvalidRequest]: GNAPErrorCode.InvalidRequest,
+  [GrantErrorCode.OnlyOneAccessAmountAllowed]: GNAPErrorCode.InvalidRequest
+}
+
+export const errorToMessage: {
+  [key in GrantErrorCode]: string
+} = {
+  [GrantErrorCode.InvalidRequest]: 'Invalid request',
+  [GrantErrorCode.OnlyOneAccessAmountAllowed]: 'only one access amount allowed'
+}
+
+export const accessErrorToGrantError: {
+  [key in AccessError]: GrantErrorCode
+} = {
+  [AccessError.OnlyOneAccessAmountAllowed]:
+    GrantErrorCode.OnlyOneAccessAmountAllowed
+}

packages/auth/src/grant/model.ts

@@ -9,6 +9,7 @@ import {
 } from '@interledger/open-payments'
 import { AccessToken, toOpenPaymentsAccessToken } from '../accessToken/model'
 import { Interaction } from '../interaction/model'
+import { Subject, toOpenPaymentsSubject } from '../subject/model'
 import { Tenant } from '../tenant/model'
 
 export enum StartMethod {
@@ -55,6 +56,14 @@ export class Grant extends BaseModel {
         to: 'accesses.grantId'
       }
     },
+    subjects: {
+      relation: Model.HasManyRelation,
+      modelClass: join(__dirname, '../subject/model'),
+      join: {
+        from: 'grants.id',
+        to: 'subjects.grantId'
+      }
+    },
     interaction: {
       relation: Model.HasManyRelation,
       modelClass: join(__dirname, '../interaction/model'),
@@ -72,7 +81,8 @@ export class Grant extends BaseModel {
       }
     }
   })
-  public access!: Access[]
+  public access?: Access[]
+  public subjects?: Subject[]
   public state!: GrantState
   public finalizationReason?: GrantFinalization
   public startMethod!: StartMethod[]
@@ -167,20 +177,29 @@ export function toOpenPaymentsGrantContinuation(
 export function toOpenPaymentsGrant(
   grant: Grant,
   args: ToOpenPaymentsGrantArgs,
-  accessToken: AccessToken,
-  accessItems: Access[]
+  accessToken?: AccessToken,
+  accessItems?: Access[],
+  subjectItems?: Subject[]
 ): OpenPaymentsGrant {
   return {
-    access_token: toOpenPaymentsAccessToken(accessToken, accessItems, {
-      authServerUrl: args.authServerUrl
-    }),
+    access_token:
+      accessToken && accessItems
+        ? toOpenPaymentsAccessToken(accessToken, accessItems, {
+            authServerUrl: args.authServerUrl
+          })
+        : undefined,
     continue: {
       access_token: {
         value: grant.continueToken
       },
       uri: `${args.authServerUrl}/continue/${grant.continueId}`
-    }
-  }
+    },
+    subject: subjectItems?.length
+      ? {
+          sub_ids: subjectItems.map(toOpenPaymentsSubject)
+        }
+      : undefined
+  } as OpenPaymentsGrant
 }
 
 export interface FinishableGrant extends Grant {

packages/auth/src/grant/routes.test.ts

@@ -405,6 +405,7 @@ describe('Grant Routes', (): void => {
           message: 'internal server error'
         })
       })
+
       test('Fails to initiate a grant w/o interact field', async (): Promise<void> => {
         const ctx = createContext<CreateContext>(
           {