fix(auth): add tenantId in grant request route in hash generation (#3728)

* fix(auth): add tenantId in grant request route in hash generation

* chore(backend): remove unused urlWithoutTenantId function

* test(integration): add hash verification as part of interaction test

Author: mkurapov

packages/auth/src/interaction/routes.test.ts

@@ -22,7 +22,7 @@ import {
 import { Interaction, InteractionState } from './model'
 import { Grant, GrantState, GrantFinalization } from '../grant/model'
 import { Access } from '../access/model'
-import { generateNonce } from '../shared/utils'
+import { ensureTrailingSlash, generateNonce } from '../shared/utils'
 import { GNAPErrorCode } from '../shared/gnapErrors'
 import { generateBaseGrant } from '../tests/grant'
 import { generateBaseInteraction } from '../tests/interaction'
@@ -418,13 +418,14 @@ describe('Interaction Routes', (): void => {
           const { clientNonce } = grant
           const { nonce: interactNonce, ref: interactRef } = interaction
 
-          const grantRequestUrl = config.authServerUrl + `/`
-
+          const grantRequestUrl =
+            ensureTrailingSlash(config.authServerUrl) + grant.tenantId
           const data = `${clientNonce}\n${interactNonce}\n${interactRef}\n${grantRequestUrl}`
           const hash = crypto
             .createHash('sha-256')
             .update(data)
             .digest('base64')
+
           clientRedirectUri.searchParams.set('hash', hash)
           assert.ok(interactRef)
           clientRedirectUri.searchParams.set('interact_ref', interactRef)
@@ -434,6 +435,7 @@ describe('Interaction Routes', (): void => {
           await expect(interactionRoutes.finish(ctx)).resolves.toBeUndefined()
           expect(ctx.response).toSatisfyApiSpec()
           expect(ctx.status).toBe(302)
+
           expect(redirectSpy).toHaveBeenCalledWith(clientRedirectUri.toString())
 
           const issuedGrant = await Grant.query().findById(grant.id)

packages/auth/src/interaction/routes.ts

@@ -18,7 +18,7 @@ import {
 } from '../grant/model'
 import { toOpenPaymentsAccess } from '../access/model'
 import { GNAPErrorCode, GNAPServerRouteError } from '../shared/gnapErrors'
-import { generateRouteLogs } from '../shared/utils'
+import { ensureTrailingSlash, generateRouteLogs } from '../shared/utils'
 import { SubjectService } from '../subject/service'
 import { toOpenPaymentsSubject } from '../subject/model'
 import { TenantService } from '../tenant/service'
@@ -377,7 +377,8 @@ async function handleFinishableGrant(
 
     const { clientNonce } = grant
     const { nonce: interactNonce, ref: interactRef } = interaction
-    const grantRequestUrl = config.authServerUrl + `/`
+    const grantRequestUrl =
+      ensureTrailingSlash(config.authServerUrl) + grant.tenantId
 
     // https://datatracker.ietf.org/doc/html/draft-ietf-gnap-core-protocol#section-4.2.3
     const data = `${clientNonce}\n${interactNonce}\n${interactRef}\n${grantRequestUrl}`

packages/auth/src/shared/utils.test.ts

@@ -1,4 +1,4 @@
-import { isValidDateString } from './utils'
+import { ensureTrailingSlash, isValidDateString } from './utils'
 
 describe('utils', (): void => {
   describe('isValidDateString', () => {
@@ -15,4 +15,13 @@ describe('utils', (): void => {
       expect(isValidDateString(input!)).toBe(expected)
     })
   })
+
+  describe('ensureTrailingSlash', (): void => {
+    test('test ensuring trailing slash', async (): Promise<void> => {
+      const path = '/utils'
+
+      expect(ensureTrailingSlash(path)).toBe(`${path}/`)
+      expect(ensureTrailingSlash(`${path}/`)).toBe(`${path}/`)
+    })
+  })
 })

packages/auth/src/shared/utils.ts

@@ -29,3 +29,8 @@ export function generateRouteLogs(ctx: AppContext): {
 export function isValidDateString(date: string): boolean {
   return !isNaN(Date.parse(date))
 }
+
+export function ensureTrailingSlash(str: string): string {
+  if (!str.endsWith('/')) return `${str}/`
+  return str
+}

packages/backend/src/shared/utils.test.ts

@@ -10,8 +10,7 @@ import {
   requestWithTimeout,
   sleep,
   getTenantFromApiSignature,
-  ensureTrailingSlash,
-  urlWithoutTenantId
+  ensureTrailingSlash
 } from './utils'
 import { AppServices, AppContext } from '../app'
 import { TestContainer, createTestApp } from '../tests/app'
@@ -457,13 +456,4 @@ describe('utils', (): void => {
     expect(ensureTrailingSlash(path)).toBe(`${path}/`)
     expect(ensureTrailingSlash(`${path}/`)).toBe(`${path}/`)
   })
-
-  test('test tenant id stripped from url', async (): Promise<void> => {
-    expect(
-      urlWithoutTenantId(
-        'http://happy-life-bank-test-auth:4106/cf5fd7d3-1eb1-4041-8e43-ba45747e9e5d'
-      )
-    ).toBe('http://happy-life-bank-test-auth:4106')
-    expect(urlWithoutTenantId('http://happy-life')).toBe('http://happy-life')
-  })
 })

packages/backend/src/shared/utils.ts

@@ -241,11 +241,3 @@ export function ensureTrailingSlash(str: string): string {
   if (!str.endsWith('/')) return `${str}/`
   return str
 }
-
-/**
- * @param url remove the tenant id from the {url}
- */
-export function urlWithoutTenantId(url: string): string {
-  if (url.length > 36 && validateId(url.slice(-36))) return url.slice(0, -37)
-  return url
-}

test/integration/integration.test.ts

@@ -199,18 +199,27 @@ describe('Integration tests', (): void => {
           quoteGrant.access_token.value,
           incomingPayment
         )
+
+        const clientNonce = crypto.randomUUID()
+        const finishUri = 'https://example.com'
+
         const outgoingPaymentGrant = await grantRequestOutgoingPayment(
           senderWalletAddress,
           { receiveAmount: quote.receiveAmount },
           {
             method: 'redirect',
-            uri: 'https://example.com',
-            nonce: '456'
+            uri: finishUri,
+            nonce: clientNonce
           }
         )
         const interactRef = await consentInteractionWithInteractRef(
           outgoingPaymentGrant,
-          senderWalletAddress
+          senderWalletAddress,
+          {
+            clientNonce,
+            finishUri,
+            initialGrantUrl: senderWalletAddress.authServer
+          }
         )
         const finalizedGrant = await grantContinue(
           outgoingPaymentGrant,

test/integration/lib/test-actions/index.ts

@@ -1,4 +1,5 @@
 import assert from 'assert'
+import { createHash } from 'crypto'
 import type { MockASE } from 'test-lib'
 import { parseCookies, urlWithoutTenantId } from '../utils'
 import { WalletAddress, PendingGrant } from '@interledger/open-payments'
@@ -10,14 +11,21 @@ export interface TestActionsDeps {
   receivingASE: MockASE
 }
 
+interface InteractionArgs {
+  clientNonce: string
+  initialGrantUrl: string
+  finishUri: string
+}
+
 export interface TestActions {
   consentInteraction(
     outgoingPaymentGrant: PendingGrant,
     senderWalletAddress: WalletAddress
   ): Promise<void>
   consentInteractionWithInteractRef(
     outgoingPaymentGrant: PendingGrant,
-    senderWalletAddress: WalletAddress
+    senderWalletAddress: WalletAddress,
+    args: InteractionArgs
   ): Promise<string>
   admin: AdminActions
   openPayments: OpenPaymentsActions
@@ -29,12 +37,14 @@ export function createTestActions(deps: TestActionsDeps): TestActions {
       consentInteraction(deps, outgoingPaymentGrant, senderWalletAddress),
     consentInteractionWithInteractRef: (
       outgoingPaymentGrant,
-      senderWalletAddress
+      senderWalletAddress,
+      args
     ) =>
       consentInteractionWithInteractRef(
         deps,
         outgoingPaymentGrant,
-        senderWalletAddress
+        senderWalletAddress,
+        args
       ),
     admin: createAdminActions(deps),
     openPayments: createOpenPaymentsActions(deps)
@@ -70,7 +80,8 @@ async function consentInteraction(
 async function consentInteractionWithInteractRef(
   deps: TestActionsDeps,
   outgoingPaymentGrant: PendingGrant,
-  senderWalletAddress: WalletAddress
+  senderWalletAddress: WalletAddress,
+  interactionArgs: InteractionArgs
 ): Promise<string> {
   const { idpSecret } = deps.sendingASE.config
   const { interactId, nonce, cookie } = await _startAndAcceptInteraction(
@@ -95,14 +106,49 @@ async function consentInteractionWithInteractRef(
 
   const redirectURI = finishResponse.headers.get('location')
   assert(redirectURI)
+  expect(redirectURI.startsWith(interactionArgs.finishUri))
 
   const url = new URL(redirectURI)
   const interact_ref = url.searchParams.get('interact_ref')
+  const hash = url.searchParams.get('hash')
+
+  assert(hash)
+  assert(interact_ref)
+
+  verifyHash({
+    initialGrantUrl: interactionArgs.initialGrantUrl,
+    clientNonce: interactionArgs.clientNonce,
+    interactNonce: nonce,
+    receivedHash: hash,
+    interactRef: interact_ref
+  })
   assert(interact_ref)
 
   return interact_ref
 }
 
+interface VerifyHashArgs {
+  clientNonce: string
+  initialGrantUrl: string
+  receivedHash: string
+  interactNonce: string
+  interactRef: string
+}
+
+async function verifyHash(args: VerifyHashArgs) {
+  const {
+    clientNonce,
+    interactNonce,
+    interactRef,
+    initialGrantUrl,
+    receivedHash
+  } = args
+  const data = `${clientNonce}\n${interactNonce}\n${interactRef}\n${initialGrantUrl}`
+  const hash = createHash('sha-256').update(data).digest('base64')
+
+  expect(hash).toBe(receivedHash)
+}
+
 async function _startAndAcceptInteraction(
   deps: TestActionsDeps,
   outgoingPaymentGrant: PendingGrant,