feat: add AWS lambda for https signatures (#1964)

* feat: update local http signatures

* feat: add http signature AWS lambda

* chore: use env variables

* feat: use lambda in pre-request scripts

* fix: format

* chore: use environment variables in postman

* Revert "chore: use environment variables in postman"

This reverts commit db00b06.

* chore(postman): replace collection variables with environment variables

* fix: payment pointer queries

* fix: remove deprecated context.succeed

* feat: move to just using one pre-request signature script

* feat: move to just one pre-request signature script

* docs: add POST example

* feat: update signature pre request script and add one for host headers

* feat: make OP example work with local and remote environment

* fix: formatting

* chore: remove signature service from docker compose

* chore: move postman scripts and remove local signature server

* feat: add postman environments

* chore: remove references to local-http-signatures

Author: sabineschaller

Diff for: .github/workflows/lint_test_build.yml

@@ -85,15 +85,6 @@ jobs:
       - uses: ./.github/workflows/rafiki/env-setup
       - run: pnpm --filter mock-account-servicing-entity build
 
-  local-http-signatures:
-    runs-on: ubuntu-22.04
-    needs: checkout
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/workflows/rafiki/env-setup
-      - run: pnpm --filter local-http-signatures build
-
   token-introspection:
     runs-on: ubuntu-22.04
     needs: checkout
@@ -117,7 +108,6 @@ jobs:
       - frontend
       - auth
       - mock-account-servicing-entity
-      - local-http-signatures
       - token-introspection
     steps:
       - uses: actions/checkout@v4

Diff for: .gitignore

@@ -50,3 +50,6 @@ build
 # Docusaurus
 .docusaurus
 .cache-loader
+
+# AWS Lambda
+*.zip

Diff for: .postman/api_84fc90ca-3153-4865-8b49-b91218e5d574

@@ -17,3 +17,4 @@ files[] = {"id":"23674746-92761441-6d0c-4fc6-aa04-73eccf6afd4c","path":"Interled
 rootDirectory = postman/schemas
 
 [config.relations.apiDefinition.metaData]
+type = openapi:3

Diff for: aws/README.md

@@ -0,0 +1,7 @@
+# Workers
+
+This directory contains AWS Lambdas which power some server-side functionality for Rafiki or the Open Payments APIs.
+
+## Sub-projects
+
+- `http-signatures` - powers the generation of request signature headers for Open Payments API requests

Diff for: aws/lambdas/http-signatures/README.md

@@ -0,0 +1,39 @@
+# HTTP Signatures AWS Lambda
+
+## Installation
+
+1.  Navigate to this directory
+
+```sh
+$ cd /PATH/TO/RAFIKI/aws/lambdas/http-signatures
+```
+
+2.  Install the packages using npm
+
+```sh
+$ npm install
+```
+
+3.  Zip the lambda
+
+```sh
+$ zip -r ../http-signatures.zip *
+```
+
+4.  Upload zipped lambda function to AWS Lambdas via the AWS console
+
+## Usage
+
+```sh
+$ curl -v 'https://<ID>.lambda-url.<REGION>.on.aws/' \
+-H 'content-type: application/json' \
+-d '{ "keyId": "<KEY_ID>", "base64Key": "<BASE64_ENCODED_Ed25519_PRIVATE_KEY>", "request":{"headers":{"host": "happy-life-bank-backend"}, "method": "GET", "url":"https://example.com"} }'
+```
+
+or
+
+```sh
+curl -v 'https://<ID>.lambda-url.<REGION>.on.aws/' \
+-H 'content-type: application/json' \
+-d '{ "keyId": "<KEY_ID>", "base64Key": "<BASE64_ENCODED_Ed25519_PRIVATE_KEY>", "request":{"headers":{"host": "happy-life-bank-backend"}, "method": "POST", "url":"https://example.com", "body": "{\"hello\": \"world\"}"}}'
+```

Diff for: aws/lambdas/http-signatures/index.js

@@ -0,0 +1,55 @@
+import { loadBase64Key, createHeaders } from '@interledger/http-signature-utils'
+
+const validateBody = (requestBody) =>
+  !!requestBody.keyId &&
+  !!requestBody.base64Key &&
+  !!requestBody.request.headers &&
+  !!requestBody.request.method &&
+  !!requestBody.request.url
+
+export const handler = async function (event) {
+  const requestBody = JSON.parse(event.body)
+
+  if (!validateBody(requestBody)) {
+    return {
+      statusCode: '400',
+      body: 'Unsufficient data in request body'
+    }
+  }
+
+  const { base64Key, keyId, request } = requestBody
+
+  let privateKey
+
+  try {
+    privateKey = loadBase64Key(base64Key)
+  } catch {
+    return {
+      statusCode: '400',
+      body: 'Not a valid private key'
+    }
+  }
+
+  if (privateKey === undefined) {
+    return {
+      statusCode: '400',
+      body: 'Not an Ed25519 private key'
+    }
+  }
+
+  const headers = await createHeaders({
+    request,
+    privateKey,
+    keyId
+  })
+  delete headers['Content-Length']
+  delete headers['Content-Type']
+
+  return {
+    statusCode: '200',
+    body: JSON.stringify(headers),
+    headers: {
+      'Content-Type': 'application/json'
+    }
+  }
+}

Diff for: aws/lambdas/http-signatures/package-lock.json

@@ -0,0 +1,8 @@
+{
+  "name": "http-signatures-lambda",
+  "main": "index.js",
+  "type": "module",
+  "dependencies": {
+    "@interledger/http-signature-utils": "1.1.0"
+  }
+}

Diff for: aws/lambdas/http-signatures/package.json

@@ -8,7 +8,6 @@ These packages include:
 - `auth` (GNAP auth server)
 - `mock-account-servicing-entity` (mocks an [Account Servicing Entity](https://rafiki.dev/concepts/account-servicing-entity/)
 - `frontend` (Remix app to expose a UI for Rafiki Admin management via interaction with the `backend` Admin APIs)
-- `local-http-signatures` (request signature generation for Postman)
 
 These packages depend on the following databases:
 

Diff for: localenv/README.md

@@ -75,21 +75,6 @@ services:
       AUTH_DATABASE_URL: postgresql://cloud_nine_wallet_auth:cloud_nine_wallet_auth@shared-database/cloud_nine_wallet_auth
     depends_on:
       - shared-database
-  cloud-nine-signatures:
-    hostname: cloud-nine-wallet-signatures
-    image: rafiki-postman-signatures
-    build:
-      context: ../..
-      dockerfile: ./localenv/local-http-signatures/Dockerfile
-    restart: always
-    ports:
-      - '3040:3000'
-    environment:
-      KEY_FILE: /workspace/private-key.pem
-    volumes:
-      - ../cloud-nine-wallet/private-key.pem:/workspace/private-key.pem
-    networks:
-      - rafiki
   shared-database:
     image: 'postgres:15' # use latest official postgres version
     restart: unless-stopped

Diff for: localenv/cloud-nine-wallet/docker-compose.yml

@@ -70,19 +70,6 @@ services:
       AUTH_SERVER_DOMAIN: "http://localhost:4006"
     depends_on:
       - cloud-nine-auth
-  happy-life-signatures:
-    hostname: happy-life-bank-signatures
-    image: rafiki-postman-signatures
-    pull_policy: never
-    restart: always
-    ports:
-      - '3041:3000'
-    environment:
-      KEY_FILE: /workspace/private-key.pem
-    volumes:
-      - ../happy-life-bank/private-key.pem:/workspace/private-key.pem
-    depends_on:
-      - cloud-nine-signatures
   happy-life-admin:
     hostname: happy-life-bank-admin
     image: rafiki-frontend