interledger · BlairCurrey · May 13, 2024 · May 1, 2024 · May 1, 2024 · May 1, 2024
diff --git a/localenv/cloud-nine-wallet/docker-compose.yml b/localenv/cloud-nine-wallet/docker-compose.yml
@@ -85,8 +85,10 @@ services:
       TRUST_PROXY: ${TRUST_PROXY}
       AUTH_DATABASE_URL: postgresql://cloud_nine_wallet_auth:cloud_nine_wallet_auth@shared-database/cloud_nine_wallet_auth
       AUTH_SERVER_DOMAIN: ${CLOUD_NINE_AUTH_SERVER_DOMAIN:-http://localhost:3006}
+      REDIS_URL: redis://shared-redis:6379/1
     depends_on:
       - shared-database
+      - shared-redis
   shared-database:
     image: 'postgres:15' # use latest official postgres version
     restart: unless-stopped

diff --git a/localenv/happy-life-bank/docker-compose.yml b/localenv/happy-life-bank/docker-compose.yml
@@ -54,7 +54,7 @@ services:
       WEBHOOK_URL: http://happy-life-bank/webhooks
       OPEN_PAYMENTS_URL: ${HAPPY_LIFE_BANK_OPEN_PAYMENTS_URL:-http://happy-life-bank-backend}
       EXCHANGE_RATES_URL: http://happy-life-bank/rates
-      REDIS_URL: redis://shared-redis:6379/1
+      REDIS_URL: redis://shared-redis:6379/2
       WALLET_ADDRESS_URL: ${HAPPY_LIFE_BANK_WALLET_ADDRESS_URL:-https://happy-life-bank-backend/.well-known/pay}
       ENABLE_TELEMETRY: false
     depends_on:
@@ -73,6 +73,7 @@ services:
       NODE_ENV: development
       AUTH_DATABASE_URL: postgresql://happy_life_bank_auth:happy_life_bank_auth@shared-database/happy_life_bank_auth
       AUTH_SERVER_DOMAIN: ${HAPPY_LIFE_BANK_AUTH_SERVER_DOMAIN:-http://localhost:4006}
+      REDIS_URL: redis://shared-redis:6379/3
     depends_on:
       - cloud-nine-auth
   happy-life-admin:

diff --git a/packages/auth/package.json b/packages/auth/package.json
@@ -37,6 +37,7 @@
     "axios": "^1.6.8",
     "dotenv": "^16.4.5",
     "graphql": "^16.8.1",
+    "ioredis": "^5.3.2",
     "knex": "^3.1.0",
     "koa": "^2.15.2",
     "koa-bodyparser": "^4.4.1",

diff --git a/packages/auth/src/app.ts b/packages/auth/src/app.ts
@@ -50,6 +50,7 @@ import { AccessService } from './access/service'
 import { AccessTokenService } from './accessToken/service'
 import { InteractionRoutes } from './interaction/routes'
 import { ApolloArmor } from '@escape.tech/graphql-armor'
+import { Redis } from 'ioredis'
 import { LoggingPlugin } from './graphql/plugin'
 
 export interface AppContextData extends DefaultContext {
@@ -98,6 +99,7 @@ export interface AppServices {
   accessTokenService: Promise<AccessTokenService>
   grantRoutes: Promise<GrantRoutes>
   interactionRoutes: Promise<InteractionRoutes>
+  redis: Promise<Redis>
 }
 
 export type AppContainer = IocContract<AppServices>
@@ -346,12 +348,31 @@ export class App {
 
     koa.use(cors())
     koa.keys = [this.config.cookieKey]
+
+    const redis = await this.container.use('redis')
+    const maxAgeMs = 60 * 1000
     koa.use(
       session(
         {
           key: 'sessionId',
-          maxAge: 60 * 1000,
-          signed: true
+          maxAge: maxAgeMs,
+          signed: true,
+          store: {
+            async get(key) {
+              return await redis.hgetall(key)
+            },
+            async set(key, session) {
+              // Add a delay to cookie age to ensure redis record expires after cookie
+              const expireInMs = maxAgeMs + 10 * 1000
+              const op = redis.multi()
+              op.hset(key, session)
+              op.expire(key, expireInMs)
+              await op.exec()
+            },
-            },
+              await redis.set(key, JSON.stringify(session), 'PX', expireInMs)
-            },
+              await redis.set(key, JSON.stringify(session), 'PX', expireInMs)
+            async destroy(key) {
+              await redis.hdel(key)
+            }
+          }
         },
         koa
       )

diff --git a/packages/auth/src/config/app.ts b/packages/auth/src/config/app.ts
@@ -1,5 +1,7 @@
 import * as crypto from 'crypto'
 import dotenv from 'dotenv'
+import * as fs from 'fs'
+import { ConnectionOptions } from 'tls'
 
 function envString(name: string, value: string): string {
   const envValue = process.env[name]
@@ -53,5 +55,35 @@ export const Config = {
   accessTokenDeletionDays: envInt('ACCESS_TOKEN_DELETION_DAYS', 30),
   incomingPaymentInteraction: envBool('INCOMING_PAYMENT_INTERACTION', false),
   quoteInteraction: envBool('QUOTE_INTERACTION', false),
-  listAllInteraction: envBool('LIST_ALL_ACCESS_INTERACTION', true)
+  listAllInteraction: envBool('LIST_ALL_ACCESS_INTERACTION', true),
+  redisUrl: envString('REDIS_URL', 'redis://127.0.0.1:6379'),
+  redisTls: parseRedisTlsConfig(
+    envString('REDIS_TLS_CA_FILE_PATH', ''),
+    envString('REDIS_TLS_KEY_FILE_PATH', ''),
+    envString('REDIS_TLS_CERT_FILE_PATH', '')
+  )
+}
+
+function parseRedisTlsConfig(
+  caFile: string,
+  keyFile: string,
+  certFile: string
+): ConnectionOptions | undefined {
+  const options: ConnectionOptions = {}
+
+  // self-signed certs.
+  if (caFile !== '') {
+    options.ca = fs.readFileSync(caFile)
+    options.rejectUnauthorized = false
+  }
+
+  if (certFile !== '') {
+    options.cert = fs.readFileSync(certFile)
+  }
+
+  if (keyFile !== '') {
+    options.key = fs.readFileSync(keyFile)
+  }
+
+  return Object.keys(options).length > 0 ? options : undefined
 }
diff --git a/packages/auth/src/index.ts b/packages/auth/src/index.ts
@@ -20,6 +20,7 @@ import {
 } from '@interledger/open-payments'
 import { createInteractionService } from './interaction/service'
 import { getTokenIntrospectionOpenAPI } from 'token-introspection'
+import { Redis } from 'ioredis'
 
 const container = initIocContainer(Config)
 const app = new App(container)
@@ -197,6 +198,11 @@ export function initIocContainer(
     }
   )
 
+  container.singleton('redis', async (deps): Promise<Redis> => {
+    const config = await deps.use('config')
+    return new Redis(config.redisUrl, { tls: config.redisTls })
+  })
+
   return container
 }
 

diff --git a/packages/documentation/public/img/localenv-architecture.png b/packages/documentation/public/img/localenv-architecture.png
diff --git a/packages/documentation/public/img/rafiki-architecture.png b/packages/documentation/public/img/rafiki-architecture.png
diff --git a/packages/documentation/src/content/docs/integration/deployment.md b/packages/documentation/src/content/docs/integration/deployment.md
@@ -12,7 +12,7 @@ and the databases
 
 - TigerBeetle or Postgres (accounting)
 - Postgres (Open Payments resources, auth resources)
-- Redis (STREAM details)
+- Redis (STREAM details, auth sessions)
 
 To integrate Rafiki with your own services, view the [integration documentation](/integration/getting-started).
 
@@ -128,6 +128,10 @@ Now, the Admin UI can be found on localhost:3010.
 | `LOG_LEVEL`                    | auth.logLevel                                                                                                            | `info`                                                           | [Pino Log Level](https://getpino.io/#/docs/api?id=levels)                                                                                                                          |
 | `NODE_ENV`                     | auth.nodeEnv                                                                                                             | `development`                                                    | node environment, `development`, `test`, or `production`                                                                                                                           |
 | `QUOTE_INTERACTION`            | auth.interaction.quote                                                                                                   | `false`                                                          | flag - quote grants are interactive or not                                                                                                                                         |
+| `REDIS_TLS_CA_FILE_PATH`       | auth.redis.tlsCaFile                                                                                                     | `''`                                                             | [Redis TLS config](https://redis.io/docs/management/security/encryption/)                                                                                                          |
+| `REDIS_TLS_CERT_FILE_PATH`     | auth.redis.tlsCertFile                                                                                                   | `''`                                                             | [Redis TLS config](https://redis.io/docs/management/security/encryption/)                                                                                                          |
+| `REDIS_TLS_KEY_FILE_PATH`      | auth.redis.tlsKeyFile                                                                                                    | `''`                                                             | [Redis TLS config](https://redis.io/docs/management/security/encryption/)                                                                                                          |
+| `REDIS_URL`                    | `auth.redis.host`, `auth.redis.port`                                                                                     | `redis://127.0.0.1:6379`                                         | The connection URL for Redis. For Helm, these components are provided individually.                                                                                                |
 | `TRUST_PROXY`                  |                                                                                                                          | `false`                                                          | flag to use X-Forwarded-Proto header to determine if connections is secure                                                                                                         |
 | `WAIT_SECONDS`                 | auth.grant.waitSeconds                                                                                                   | `5`                                                              | wait time included in grant request response (`grant.continue`)                                                                                                                    |
 | `ENABLE_MANUAL_MIGRATIONS`     | auth.enableManualMigrations                                                                                              | `false`                                                          | When set to true, user needs to run database manually with command `npm run knex -- migrate:latest --env production`                                                               |

diff --git a/packages/documentation/src/content/docs/introduction/architecture.md b/packages/documentation/src/content/docs/introduction/architecture.md
@@ -15,7 +15,7 @@ These services rely on four databases:
 - A postgres database used by the `backend`
 - A separate postgres database used by `auth`.
 - [TigerBeetle](https://github.com/coilhq/tigerbeetle) used by `backend` for accounting balances at the ILP layer.
-- Redis used by `backend` as a cache to share STREAM connection details across processes.
+- Redis used by `backend` as a cache to share STREAM connection details across processes and `auth` to store session data.
 
 ## Backend
 

diff --git a/packages/documentation/src/content/docs/playground/overview.md b/packages/documentation/src/content/docs/playground/overview.md
@@ -15,7 +15,7 @@ These packages depend on the following databases:
 
 - TigerBeetle or Postgres (accounting)
 - Postgres (Open Payments resources, auth resources)
-- Redis (STREAM details)
+- Redis (STREAM details, auth sessions)
 
 We provide containerized versions of our packages together with two pre-configured docker-compose files ([Cloud Nine Wallet](https://github.com/interledger/rafiki/blob/main/localenv/cloud-nine-wallet/docker-compose.yml) and [Happy Life Bank](https://github.com/interledger/rafiki/blob/main/localenv/happy-life-bank/docker-compose.yml)) to start two Mock Account Servicing Entities with their respective Rafiki backend and auth servers. They automatically peer and 2 to 3 user accounts are created on both of them.