feat(open-payments): add HTTP message signatures

packages/backend/src/app.ts

@@ -49,7 +49,7 @@ import { Session } from './session/util'
 import { createValidatorMiddleware, HttpMethod, isHttpMethod } from 'openapi'
 import { PaymentPointerKeyService } from './paymentPointerKey/service'
 import { GrantReferenceService } from './open_payments/grantReference/service'
-import { OpenPaymentsClient } from 'open-payments'
+import { AuthenticatedClient } from 'open-payments'
 
 export interface AppContextData {
   logger: Logger
@@ -147,7 +147,7 @@ export interface AppServices {
   sessionService: Promise<SessionService>
   paymentPointerKeyService: Promise<PaymentPointerKeyService>
   grantReferenceService: Promise<GrantReferenceService>
-  openPaymentsClient: Promise<OpenPaymentsClient>
+  openPaymentsClient: Promise<AuthenticatedClient>
 }
 
 export type AppContainer = IocContract<AppServices>

packages/backend/src/config/app.ts

@@ -112,6 +112,7 @@ export const Config = {
     'AUTH_SERVER_SPEC',
     'https://raw.githubusercontent.com/interledger/open-payments/77462cd0872be8d0fa487a4b233defe2897a7ee4/auth-server-open-api-spec.yaml'
   ),
+  keyId: envString('KEY_ID', 'rafiki'),
   privateKey: parseOrProvisionKey(envString('PRIVATE_KEY_FILE', undefined)),
 
   /** Frontend **/

packages/backend/src/index.ts

@@ -37,7 +37,7 @@ import { createConnectorService } from './connector'
 import { createSessionService } from './session/service'
 import { createApiKeyService } from './apiKey/service'
 import { createOpenAPI } from 'openapi'
-import { createClient as createOpenPaymentsClient } from 'open-payments'
+import { createAuthenticatedClient as createOpenPaymentsClient } from 'open-payments'
 import { createConnectionService } from './open_payments/connection/service'
 import { createConnectionRoutes } from './open_payments/connection/routes'
 import { createPaymentPointerKeyService } from './paymentPointerKey/service'
@@ -115,8 +115,13 @@ export function initIocContainer(
     return await createOpenAPI(config.authServerSpec)
   })
   container.singleton('openPaymentsClient', async (deps) => {
+    const config = await deps.use('config')
     const logger = await deps.use('logger')
-    return createOpenPaymentsClient({ logger })
+    return createOpenPaymentsClient({
+      logger,
+      keyId: config.keyId,
+      privateKey: config.privateKey
+    })
   })
 
   /**

packages/backend/src/open_payments/receiver/service.test.ts

@@ -12,14 +12,14 @@ import { createIncomingPayment } from '../../tests/incomingPayment'
 import { createPaymentPointer } from '../../tests/paymentPointer'
 import { truncateTables } from '../../tests/tableManager'
 import { ConnectionService } from '../connection/service'
-import { OpenPaymentsClient } from 'open-payments'
+import { AuthenticatedClient } from 'open-payments'
 import { PaymentPointerService } from '../payment_pointer/service'
 
 describe('Receiver Service', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
   let receiverService: ReceiverService
-  let openPaymentsClient: OpenPaymentsClient
+  let openPaymentsClient: AuthenticatedClient
   let knex: Knex
   let connectionService: ConnectionService
   let paymentPointerService: PaymentPointerService

packages/backend/src/open_payments/receiver/service.ts

@@ -1,5 +1,5 @@
 import {
-  OpenPaymentsClient,
+  AuthenticatedClient,
   IncomingPayment as OpenPaymentsIncomingPayment,
   ILPStreamConnection as OpenPaymentsConnection
 } from 'open-payments'
@@ -22,7 +22,7 @@ interface ServiceDependencies extends BaseService {
   incomingPaymentService: IncomingPaymentService
   openPaymentsUrl: string
   paymentPointerService: PaymentPointerService
-  openPaymentsClient: OpenPaymentsClient
+  openPaymentsClient: AuthenticatedClient
 }
 
 const CONNECTION_URL_REGEX = /\/connections\/(.){36}$/

packages/open-payments/package.json

@@ -25,6 +25,7 @@
   },
   "dependencies": {
     "axios": "^1.1.2",
+    "http-message-signatures": "^0.1.2",
     "openapi": "workspace:../openapi",
     "pino": "^8.4.2"
   }

packages/open-payments/src/client/index.ts

@@ -1,3 +1,4 @@
+import { KeyLike } from 'crypto'
 import { createOpenAPI, OpenAPI } from 'openapi'
 import createLogger, { Logger } from 'pino'
 import config from '../config'
@@ -16,33 +17,61 @@ import {
 import { createAxiosInstance } from './requests'
 import { AxiosInstance } from 'axios'
 
-export interface CreateOpenPaymentClientArgs {
-  requestTimeoutMs?: number
-  logger?: Logger
-}
-
 export interface ClientDeps {
   axiosInstance: AxiosInstance
   openApi: OpenAPI
   logger: Logger
 }
 
-export interface OpenPaymentsClient {
-  incomingPayment: IncomingPaymentRoutes
-  ilpStreamConnection: ILPStreamConnectionRoutes
-  paymentPointer: PaymentPointerRoutes
-}
-
-export const createClient = async (
-  args?: CreateOpenPaymentClientArgs
-): Promise<OpenPaymentsClient> => {
+const createDeps = async (
+  args: Partial<CreateAuthenticatedClientArgs>
+): Promise<ClientDeps> => {
   const axiosInstance = createAxiosInstance({
+    privateKey: args.privateKey,
+    keyId: args.keyId,
     requestTimeoutMs:
       args?.requestTimeoutMs ?? config.DEFAULT_REQUEST_TIMEOUT_MS
   })
   const openApi = await createOpenAPI(config.OPEN_PAYMENTS_OPEN_API_URL)
   const logger = args?.logger ?? createLogger()
-  const deps = { axiosInstance, openApi, logger }
+  return { axiosInstance, openApi, logger }
+}
+
+export interface CreateUnauthenticatedClientArgs {
+  requestTimeoutMs?: number
+  logger?: Logger
+}
+
+export interface UnauthenticatedClient {
+  ilpStreamConnection: ILPStreamConnectionRoutes
+  paymentPointer: PaymentPointerRoutes
+}
+
+export const createUnauthenticatedClient = async (
+  args: CreateUnauthenticatedClientArgs
+): Promise<UnauthenticatedClient> => {
+  const deps = await createDeps(args)
+
+  return {
+    ilpStreamConnection: createILPStreamConnectionRoutes(deps),
+    paymentPointer: createPaymentPointerRoutes(deps)
+  }
+}
+
+export interface CreateAuthenticatedClientArgs
+  extends CreateUnauthenticatedClientArgs {
+  privateKey: KeyLike
+  keyId: string
+}
+
+export interface AuthenticatedClient extends UnauthenticatedClient {
+  incomingPayment: IncomingPaymentRoutes
+}
+
+export const createAuthenticatedClient = async (
+  args: CreateAuthenticatedClientArgs
+): Promise<AuthenticatedClient> => {
+  const deps = await createDeps(args)
 
   return {
     incomingPayment: createIncomingPaymentRoutes(deps),

packages/open-payments/src/client/requests.test.ts

@@ -1,37 +1,73 @@
 /* eslint-disable @typescript-eslint/no-empty-function */
 import { createAxiosInstance, get } from './requests'
+import { generateKeyPairSync } from 'crypto'
 import nock from 'nock'
 import { mockOpenApiResponseValidators, silentLogger } from '../test/helpers'
 
 describe('requests', (): void => {
   const logger = silentLogger
+  const privateKey = generateKeyPairSync('ed25519').privateKey
+  const keyId = 'myId'
 
   describe('createAxiosInstance', (): void => {
     test('sets timeout properly', async (): Promise<void> => {
       expect(
-        createAxiosInstance({ requestTimeoutMs: 1000 }).defaults.timeout
+        createAxiosInstance({ requestTimeoutMs: 1000, privateKey, keyId })
+          .defaults.timeout
       ).toBe(1000)
     })
     test('sets Content-Type header properly', async (): Promise<void> => {
       expect(
-        createAxiosInstance({ requestTimeoutMs: 0 }).defaults.headers.common[
-          'Content-Type'
-        ]
+        createAxiosInstance({ requestTimeoutMs: 0, privateKey, keyId }).defaults
+          .headers.common['Content-Type']
       ).toBe('application/json')
     })
   })
 
   describe('get', (): void => {
-    const axiosInstance = createAxiosInstance({ requestTimeoutMs: 0 })
+    const axiosInstance = createAxiosInstance({
+      requestTimeoutMs: 0,
+      privateKey,
+      keyId
+    })
     const baseUrl = 'http://localhost:1000'
     const responseValidators = mockOpenApiResponseValidators()
 
     beforeAll(() => {
       jest.spyOn(axiosInstance, 'get')
     })
 
+    afterEach(() => {
+      jest.useRealTimers()
+    })
+
     test('sets headers properly if accessToken provided', async (): Promise<void> => {
-      nock(baseUrl).get('/incoming-payment').reply(200)
+      // https://github.com/nock/nock/issues/2200#issuecomment-1280957462
+      jest
+        .useFakeTimers({
+          doNotFake: [
+            'nextTick',
+            'setImmediate',
+            'clearImmediate',
+            'setInterval',
+            'clearInterval',
+            'setTimeout',
+            'clearTimeout'
+          ]
+        })
+        .setSystemTime(new Date())
+
+      const scope = nock(baseUrl)
+        .matchHeader('Signature', /sig1=:([a-zA-Z0-9+/]){86}==:/)
+        .matchHeader(
+          'Signature-Input',
+          `sig1=("@method" "@target-uri" "authorization");created=${Math.floor(
+            Date.now() / 1000
+          )};keyid="${keyId}";alg="ed25519"`
+        )
+        .get('/incoming-payment')
+        // TODO: verify signature
+        .reply(200)
 
       await get(
         { axiosInstance, logger },
@@ -42,20 +78,24 @@ describe('requests', (): void => {
         responseValidators.successfulValidator
       )
 
+      scope.done()
+
       expect(axiosInstance.get).toHaveBeenCalledWith(
         `${baseUrl}/incoming-payment`,
         {
           headers: {
-            Authorization: 'GNAP accessToken',
-            Signature: 'TODO',
-            'Signature-Input': 'TODO'
+            Authorization: 'GNAP accessToken'
           }
         }
       )
     })
 
     test('sets headers properly if accessToken is not provided', async (): Promise<void> => {
-      nock(baseUrl).get('/incoming-payment').reply(200)
+      const scope = nock(baseUrl)
+        .matchHeader('Signature', (sig) => sig === undefined)
+        .matchHeader('Signature-Input', (sigInput) => sigInput === undefined)
+        .get('/incoming-payment')
+        .reply(200)
 
       await get(
         { axiosInstance, logger },
@@ -64,6 +104,7 @@ describe('requests', (): void => {
         },
         responseValidators.successfulValidator
       )
+      scope.done()
 
       expect(axiosInstance.get).toHaveBeenCalledWith(
         `${baseUrl}/incoming-payment`,

packages/open-payments/src/client/requests.ts

@@ -1,6 +1,8 @@
 import axios, { AxiosInstance } from 'axios'
+import { KeyLike } from 'crypto'
 import { ResponseValidator } from 'openapi'
 import { ClientDeps } from '.'
+import { createSignatureHeaders } from './signatures'
 
 interface GetArgs {
   url: string
@@ -26,9 +28,7 @@ export const get = async <T>(
     const { data, status } = await axiosInstance.get(url, {
       headers: accessToken
         ? {
-            Authorization: `GNAP ${accessToken}`,
-            Signature: 'TODO',
-            'Signature-Input': 'TODO'
+            Authorization: `GNAP ${accessToken}`
           }
         : {}
     })
@@ -65,12 +65,35 @@ export const get = async <T>(
 
 export const createAxiosInstance = (args: {
   requestTimeoutMs: number
+  privateKey: KeyLike
+  keyId: string
 }): AxiosInstance => {
   const axiosInstance = axios.create({
     timeout: args.requestTimeoutMs
   })
-
   axiosInstance.defaults.headers.common['Content-Type'] = 'application/json'
 
+  axiosInstance.interceptors.request.use(
+    async (config) => {
+      const sigHeaders = await createSignatureHeaders({
+        request: {
+          method: config.method.toUpperCase(),
+          url: config.url,
+          headers: config.headers,
+          body: config.data
+        },
+        privateKey: args.privateKey,
+        keyId: args.keyId
+      })
+      config.headers['Signature'] = sigHeaders['Signature']
+      config.headers['Signature-Input'] = sigHeaders['Signature-Input']
+      return config
+    },
+    null,
+    {
+      runWhen: (config) => !!config.headers['Authorization']
+    }
+  )
+
   return axiosInstance
 }

packages/open-payments/src/client/signatures.ts

@@ -0,0 +1,52 @@
+import { sign, KeyLike } from 'crypto'
+import {
+  httpis as httpsig,
+  Algorithm,
+  RequestLike,
+  Signer
+} from 'http-message-signatures'
+
+interface SignOptions {
+  request: RequestLike
+  privateKey: KeyLike
+  keyId: string
+}
+
+interface SignatureHeaders {
+  Signature: string
+  'Signature-Input': string
+}
+
+const createSigner = (privateKey: KeyLike): Signer => {
+  const signer = async (data: Buffer) => sign(null, data, privateKey)
+  signer.alg = 'ed25519' as Algorithm
+  return signer
+}
+
+export const createSignatureHeaders = async ({
+  request,
+  privateKey,
+  keyId
+}: SignOptions): Promise<SignatureHeaders> => {
+  const components = ['@method', '@target-uri']
+  if (request.headers['Authorization']) {
+    components.push('authorization')
+  }
+  if (request.body) {
+    // TODO: 'content-digest'
+    components.push('content-length', 'content-type')
+  }
+  const { headers } = await httpsig.sign(request, {
+    components,
+    parameters: {
+      created: Math.floor(Date.now() / 1000)
+    },
+    keyId,
+    signer: createSigner(privateKey),
+    format: 'httpbis'
+  })
+  return {
+    Signature: headers['Signature'] as string,
+    'Signature-Input': headers['Signature-Input'] as string
+  }
+}