feat(auth): add event for grant revoked

packages/auth/jest.env.js

@@ -4,3 +4,5 @@ process.env.IDENTITY_SERVER_SECRET =
   '2pEcn2kkCclbOHQiGNEwhJ0rucATZhrA807HTm2rNXE='
 process.env.AUTH_SERVER_URL = 'http://localhost:3006'
 process.env.IDENTITY_SERVER_URL = 'http://localhost:3030/mock-idp/'
+process.env.WEBHOOK_ENABLED = 'true'
+process.env.WEBHOOK_URL = 'http://127.0.0.1:4001/webhook'

packages/auth/migrations/20250321110501_create_webhook_events_table.js

@@ -0,0 +1,28 @@
+exports.up = function (knex) {
+  return knex.schema.createTable('webhookEvents', function (table) {
+    table.uuid('id').notNullable().primary()
+
+    table.string('type').notNullable()
+    table.json('data').notNullable()
+    table.integer('attempts').notNullable().defaultTo(0)
+    table.integer('statusCode').nullable()
+
+    table
+      .uuid('grantId')
+      .nullable()
+      .references('grants.id')
+      .index()
+      .onDelete('CASCADE')
+
+    table.timestamp('processAt').nullable().defaultTo(knex.fn.now())
+
+    table.timestamp('createdAt').defaultTo(knex.fn.now())
+    table.timestamp('updatedAt').defaultTo(knex.fn.now())
+
+    table.index('processAt')
+  })
+}
+
+exports.down = function (knex) {
+  return knex.schema.dropTableIfExists('webhookEvents')
+}

packages/auth/package.json

@@ -46,6 +46,7 @@
     "koa-session": "^6.4.0",
     "objection": "^3.1.5",
     "objection-db-errors": "^1.1.2",
+    "@opentelemetry/api": "^1.8.0",
     "pg": "^8.11.3",
     "pino": "^8.19.0",
     "token-introspection": "workspace:*",

packages/auth/src/access/service.test.ts

@@ -19,7 +19,7 @@ describe('Access Service', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
   let accessService: AccessService
-  let trx: Knex.Transaction
+  let knex: Knex
   let grant: Grant
 
   const generateBaseGrant = () => ({
@@ -34,17 +34,18 @@ describe('Access Service', (): void => {
   })
 
   beforeEach(async (): Promise<void> => {
-    grant = await Grant.query(trx).insertAndFetch(generateBaseGrant())
+    grant = await Grant.query(knex).insertAndFetch(generateBaseGrant())
   })
 
   beforeAll(async (): Promise<void> => {
     deps = initIocContainer(Config)
     appContainer = await createTestApp(deps)
     accessService = await deps.use('accessService')
+    knex = appContainer.knex
   })
 
   afterEach(async (): Promise<void> => {
-    await truncateTables(appContainer.knex)
+    await truncateTables(knex)
   })
 
   afterAll(async (): Promise<void> => {
@@ -108,7 +109,7 @@ describe('Access Service', (): void => {
         actions: [AccessAction.Create, AccessAction.Read, AccessAction.List]
       }
 
-      const access = await Access.query(trx).insert([
+      const access = await Access.query(knex).insert([
         {
           grantId: grant.id,
           type: incomingPaymentAccess.type,

packages/auth/src/access/utils.test.ts

@@ -21,7 +21,7 @@ import { compareRequestAndGrantAccessItems } from './utils'
 describe('Access utilities', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
-  let trx: Knex.Transaction
+  let knex: Knex
   let identifier: string
   let grant: Grant
   let grantAccessItem: Access
@@ -32,11 +32,12 @@ describe('Access utilities', (): void => {
   beforeAll(async (): Promise<void> => {
     deps = initIocContainer(Config)
     appContainer = await createTestApp(deps)
+    knex = appContainer.knex
   })
 
   beforeEach(async (): Promise<void> => {
     identifier = `https://example.com/${v4()}`
-    grant = await Grant.query(trx).insertAndFetch({
+    grant = await Grant.query(knex).insertAndFetch({
       state: GrantState.Processing,
       startMethod: [StartMethod.Redirect],
       continueToken: generateToken(),
@@ -47,7 +48,7 @@ describe('Access utilities', (): void => {
       client: faker.internet.url({ appendSlash: false })
     })
 
-    grantAccessItem = await Access.query(trx).insertAndFetch({
+    grantAccessItem = await Access.query(knex).insertAndFetch({
       grantId: grant.id,
       type: AccessType.OutgoingPayment,
       actions: [AccessAction.Read, AccessAction.Create, AccessAction.List],
@@ -118,7 +119,7 @@ describe('Access utilities', (): void => {
   })
 
   test('Can compare an access item on a grant and an access item from a request with a subaction of the grant', async (): Promise<void> => {
-    const grantAccessItemSuperAction = await Access.query(trx).insertAndFetch({
+    const grantAccessItemSuperAction = await Access.query(knex).insertAndFetch({
       grantId: grant.id,
       type: AccessType.OutgoingPayment,
       actions: [AccessAction.ReadAll],
@@ -156,7 +157,7 @@ describe('Access utilities', (): void => {
   })
 
   test('Can compare an access item on a grant and an access item from a request with different action ordering', async (): Promise<void> => {
-    const grantAccessItemSuperAction = await Access.query(trx).insertAndFetch({
+    const grantAccessItemSuperAction = await Access.query(knex).insertAndFetch({
       grantId: grant.id,
       type: AccessType.OutgoingPayment,
       actions: [AccessAction.Create, AccessAction.ReadAll, AccessAction.List],
@@ -194,7 +195,7 @@ describe('Access utilities', (): void => {
   })
 
   test('Can compare an access item on a grant without an identifier with a request with an identifier', async (): Promise<void> => {
-    const grantAccessItemSuperAction = await Access.query(trx).insertAndFetch({
+    const grantAccessItemSuperAction = await Access.query(knex).insertAndFetch({
       grantId: grant.id,
       type: AccessType.IncomingPayment,
       actions: [AccessAction.ReadAll],
@@ -233,7 +234,7 @@ describe('Access utilities', (): void => {
       }
     }
 
-    const grant = await Grant.query(trx).insertAndFetch({
+    const grant = await Grant.query(knex).insertAndFetch({
       state: GrantState.Processing,
       startMethod: [StartMethod.Redirect],
       continueToken: generateToken(),
@@ -244,7 +245,7 @@ describe('Access utilities', (): void => {
       client: faker.internet.url({ appendSlash: false })
     })
 
-    const grantAccessItem = await Access.query(trx).insertAndFetch({
+    const grantAccessItem = await Access.query(knex).insertAndFetch({
       grantId: grant.id,
       type: AccessType.OutgoingPayment,
       actions: [AccessAction.Read, AccessAction.Create],
@@ -268,7 +269,7 @@ describe('Access utilities', (): void => {
   })
 
   test('access comparison fails if identifier mismatch', async (): Promise<void> => {
-    const grantAccessItemSuperAction = await Access.query(trx).insertAndFetch({
+    const grantAccessItemSuperAction = await Access.query(knex).insertAndFetch({
       grantId: grant.id,
       type: AccessType.IncomingPayment,
       actions: [AccessAction.ReadAll],
@@ -290,7 +291,7 @@ describe('Access utilities', (): void => {
   })
 
   test('access comparison fails if type mismatch', async (): Promise<void> => {
-    const grantAccessItemSuperAction = await Access.query(trx).insertAndFetch({
+    const grantAccessItemSuperAction = await Access.query(knex).insertAndFetch({
       grantId: grant.id,
       type: AccessType.Quote,
       actions: [AccessAction.Read]

packages/auth/src/accessToken/routes.test.ts

@@ -28,14 +28,15 @@ import { GNAPErrorCode } from '../shared/gnapErrors'
 describe('Access Token Routes', (): void => {
   let deps: IocContract<AppServices>
   let appContainer: TestContainer
-  let trx: Knex.Transaction
+  let knex: Knex
   let accessTokenRoutes: AccessTokenRoutes
   let accessTokenService: AccessTokenService
   let grantService: GrantService
 
   beforeAll(async (): Promise<void> => {
     deps = initIocContainer(Config)
     appContainer = await createTestApp(deps)
+    knex = appContainer.knex
     accessTokenRoutes = await deps.use('accessTokenRoutes')
     grantService = await deps.use('grantService')
     accessTokenService = await deps.use('accessTokenService')
@@ -96,12 +97,12 @@ describe('Access Token Routes', (): void => {
     const method = 'POST'
 
     beforeEach(async (): Promise<void> => {
-      grant = await Grant.query(trx).insertAndFetch(BASE_GRANT)
-      access = await Access.query(trx).insertAndFetch({
+      grant = await Grant.query(knex).insertAndFetch(BASE_GRANT)
+      access = await Access.query(knex).insertAndFetch({
         grantId: grant.id,
         ...BASE_ACCESS
       })
-      token = await AccessToken.query(trx).insertAndFetch({
+      token = await AccessToken.query(knex).insertAndFetch({
         grantId: grant.id,
         ...BASE_TOKEN
       })
@@ -285,7 +286,7 @@ describe('Access Token Routes', (): void => {
         type: 'quote',
         actions: ['create', 'read']
       }
-      await Access.query(trx).insertAndFetch({
+      await Access.query(knex).insertAndFetch({
         grantId: grant.id,
         ...secondAccess
       })
@@ -370,8 +371,8 @@ describe('Access Token Routes', (): void => {
     let token: AccessToken
 
     beforeEach(async (): Promise<void> => {
-      grant = await Grant.query(trx).insertAndFetch(BASE_GRANT)
-      token = await AccessToken.query(trx).insertAndFetch({
+      grant = await Grant.query(knex).insertAndFetch(BASE_GRANT)
+      token = await AccessToken.query(knex).insertAndFetch({
         grantId: grant.id,
         ...BASE_TOKEN
       })
@@ -380,7 +381,7 @@ describe('Access Token Routes', (): void => {
     test('Returns status 204 even if token does not exist', async (): Promise<void> => {
       const ctx = createTokenHttpSigContext(token, grant)
 
-      await token.$query(trx).delete()
+      await token.$query(knex).delete()
 
       await accessTokenRoutes.revoke(ctx)
       expect(ctx.response.status).toBe(204)
@@ -389,15 +390,15 @@ describe('Access Token Routes', (): void => {
     test('Returns status 204 if token has not expired', async (): Promise<void> => {
       const ctx = createTokenHttpSigContext(token, grant)
 
-      await token.$query(trx).patch({ expiresIn: 10000 })
+      await token.$query(knex).patch({ expiresIn: 10000 })
       await accessTokenRoutes.revoke(ctx)
       expect(ctx.response.status).toBe(204)
     })
 
     test('Returns status 204 if token has expired', async (): Promise<void> => {
       const ctx = createTokenHttpSigContext(token, grant)
 
-      await token.$query(trx).patch({ expiresIn: -1 })
+      await token.$query(knex).patch({ expiresIn: -1 })
       await accessTokenRoutes.revoke(ctx)
       expect(ctx.response.status).toBe(204)
     })
@@ -409,12 +410,12 @@ describe('Access Token Routes', (): void => {
     let token: AccessToken
 
     beforeEach(async (): Promise<void> => {
-      grant = await Grant.query(trx).insertAndFetch(BASE_GRANT)
-      access = await Access.query(trx).insertAndFetch({
+      grant = await Grant.query(knex).insertAndFetch(BASE_GRANT)
+      access = await Access.query(knex).insertAndFetch({
         grantId: grant.id,
         ...BASE_ACCESS
       })
-      token = await AccessToken.query(trx).insertAndFetch({
+      token = await AccessToken.query(knex).insertAndFetch({
         grantId: grant.id,
         ...BASE_TOKEN
       })
@@ -450,7 +451,7 @@ describe('Access Token Routes', (): void => {
     test('Can rotate an expired token', async (): Promise<void> => {
       const ctx = createTokenHttpSigContext(token, grant)
 
-      await token.$query(trx).patch({ expiresIn: -1 })
+      await token.$query(knex).patch({ expiresIn: -1 })
       await accessTokenRoutes.rotate(ctx)
       expect(ctx.response.status).toBe(200)
       expect(ctx.response.get('Content-Type')).toBe(