interledger · mkurapov · Dec 16, 2024 · Dec 11, 2024 · Dec 11, 2024 · Dec 13, 2024
diff --git a/packages/backend/src/app.ts b/packages/backend/src/app.ts
@@ -385,7 +385,7 @@ export class App {
 
     if (this.config.adminApiSecret) {
       koa.use(async (ctx, next: Koa.Next): Promise<void> => {
-        if (!verifyApiSignature(ctx, this.config)) {
+        if (!(await verifyApiSignature(ctx, this.config))) {
           ctx.throw(401, 'Unauthorized')
         }
         return next()

diff --git a/packages/backend/src/tests/app.ts b/packages/backend/src/tests/app.ts
@@ -12,8 +12,9 @@ import {
 import { setContext } from '@apollo/client/link/context'
 import { start, gracefulShutdown } from '..'
 import { onError } from '@apollo/client/link/error'
-
+import { print } from 'graphql/language/printer'
 import { App, AppServices } from '../app'
+import { generateApiSignature } from './apiSignature'
 
 export const testAccessToken = 'test-app-access'
 
@@ -76,10 +77,20 @@ export const createTestApp = async (
       })
     }
   })
-  const authLink = setContext((_, { headers }) => {
+  const authLink = setContext((request, { headers }) => {
+    const requestBody = {
+      variables: request.variables,
+      operationName: request.operationName,
+      query: print(request.query)
+    }
     return {
       headers: {
-        ...headers
+        ...headers,
+        signature: generateApiSignature(
+          config.adminApiSecret,
+          config.adminApiSignatureVersion,
+          requestBody
+        )
       }
     }
   })

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/test/integration/lib/apollo-client.ts b/test/integration/lib/apollo-client.ts
@@ -1,11 +1,55 @@
 import type { NormalizedCacheObject } from '@apollo/client'
-import { ApolloClient, InMemoryCache } from '@apollo/client'
+import {
+  ApolloClient,
+  ApolloLink,
+  createHttpLink,
+  InMemoryCache
+} from '@apollo/client'
+import { createHmac } from 'crypto'
+import { print } from 'graphql/language/printer'
+import { canonicalize } from 'json-canonicalize'
+import { setContext } from '@apollo/client/link/context'
 
-export function createApolloClient(
+interface CreateApolloClientArgs {
   graphqlUrl: string
+  signatureSecret: string
+  signatureVersion: string
+}
+
+function createAuthLink(args: CreateApolloClientArgs) {
+  return setContext((request, { headers }) => {
+    const timestamp = Math.round(new Date().getTime() / 1000)
+    const version = args.signatureVersion
+
+    const { query, variables, operationName } = request
+    const formattedRequest = {
+      variables,
+      operationName,
+      query: print(query)
+    }
+
+    const payload = `${timestamp}.${canonicalize(formattedRequest)}`
+    const hmac = createHmac('sha256', args.signatureSecret)
+    hmac.update(payload)
+    const digest = hmac.digest('hex')
+    return {
+      headers: {
+        ...headers,
+        signature: `t=${timestamp}, v${version}=${digest}`
+      }
+    }
+  })
+}
+
+export function createApolloClient(
+  args: CreateApolloClientArgs
 ): ApolloClient<NormalizedCacheObject> {
+  const httpLink = createHttpLink({
+    uri: args.graphqlUrl
+  })
+
   return new ApolloClient({
-    uri: graphqlUrl,
+    link: ApolloLink.from([createAuthLink(args), httpLink]),
     cache: new InMemoryCache(),
     defaultOptions: {
       query: {

diff --git a/test/integration/lib/config.ts b/test/integration/lib/config.ts
@@ -11,6 +11,8 @@ export type TestConfig = Config & {
   interactionServer: string
   walletAddressUrl: string
   keyId: string
+  signatureSecret: string
+  signatureVersion: string
 }
 
 type EnvConfig = {
@@ -22,7 +24,10 @@ type EnvConfig = {
   GRAPHQL_URL: string
   KEY_ID: string
   IDP_SECRET: string
+  SIGNATURE_SECRET: string
+  SIGNATURE_VERSION: string
 }
+
 const REQUIRED_KEYS: (keyof EnvConfig)[] = [
   'OPEN_PAYMENTS_URL',
   'AUTH_SERVER_DOMAIN',
@@ -31,7 +36,9 @@ const REQUIRED_KEYS: (keyof EnvConfig)[] = [
   'WALLET_ADDRESS_URL',
   'GRAPHQL_URL',
   'KEY_ID',
-  'IDP_SECRET'
+  'IDP_SECRET',
+  'SIGNATURE_SECRET',
+  'SIGNATURE_VERSION'
 ]
 
 const loadEnv = (filePath: string): EnvConfig => {
@@ -69,7 +76,9 @@ const createConfig = (name: string): TestConfig => {
     walletAddressUrl: env.WALLET_ADDRESS_URL,
     graphqlUrl: env.GRAPHQL_URL,
     keyId: env.KEY_ID,
-    idpSecret: env.IDP_SECRET
+    idpSecret: env.IDP_SECRET,
+    signatureSecret: env.SIGNATURE_SECRET,
+    signatureVersion: env.SIGNATURE_VERSION
   }
 }
 

diff --git a/test/integration/lib/mock-ase.ts b/test/integration/lib/mock-ase.ts
@@ -30,7 +30,11 @@ export class MockASE {
   // Use static MockASE.create instead.
   private constructor(config: TestConfig) {
     this.config = config
-    this.apolloClient = createApolloClient(config.graphqlUrl)
+    this.apolloClient = createApolloClient({
+      graphqlUrl: config.graphqlUrl,
+      signatureSecret: config.signatureSecret,
+      signatureVersion: config.signatureVersion
+    })
     this.adminClient = new AdminClient(this.apolloClient)
     this.accounts = new AccountProvider()
     this.integrationServer = new IntegrationServer(

diff --git a/test/integration/package.json b/test/integration/package.json
@@ -22,7 +22,9 @@
     "@types/koa-bodyparser": "^4.3.12",
     "@types/node": "^20.14.15",
     "dotenv": "^16.4.5",
+    "graphql": "^16.8.1",
     "hostile": "^1.4.0",
+    "json-canonicalize": "^1.0.6",
     "koa": "^2.15.3",
     "mock-account-service-lib": "workspace:*",
     "yaml": "^2.6.0"

diff --git a/test/integration/testenv/cloud-nine-wallet/.env b/test/integration/testenv/cloud-nine-wallet/.env
@@ -5,5 +5,7 @@ INTEGRATION_SERVER_PORT=8888
 WALLET_ADDRESS_URL=https://cloud-nine-wallet-test-backend:3100/.well-known/pay
 GRAPHQL_URL=http://cloud-nine-wallet-test-backend:3101/graphql
 IDP_SECRET=2pEcn2kkCclbOHQiGNEwhJ0rucATZhrA807HTm2rNXE=
+SIGNATURE_VERSION=1
+SIGNATURE_SECRET=iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
 # matches pfry key id
 KEY_ID=keyid-97a3a431-8ee1-48fc-ac85-70e2f5eba8e5
diff --git a/test/integration/testenv/cloud-nine-wallet/docker-compose.yml b/test/integration/testenv/cloud-nine-wallet/docker-compose.yml
@@ -42,6 +42,7 @@ services:
       USE_TIGERBEETLE: false
       OPERATOR_TENANT_ID: 438fa74a-fa7d-4317-9ced-dde32ece1787
       API_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
+      API_SIGNATURE_VERSION: 1
     volumes:
       - ../private-key.pem:/workspace/private-key.pem
     depends_on:

diff --git a/test/integration/testenv/happy-life-bank/.env b/test/integration/testenv/happy-life-bank/.env
@@ -5,5 +5,7 @@ INTEGRATION_SERVER_PORT=8889
 WALLET_ADDRESS_URL=https://happy-life-bank-test-backend:4100/accounts/pfry
 GRAPHQL_URL=http://happy-life-bank-test-backend:4101/graphql
 IDP_SECRET=2pEcn2kkCclbOHQiGNEwhJ0rucATZhrA807HTm2rNXE=
+SIGNATURE_VERSION=1
+SIGNATURE_SECRET=iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
 # matches pfry key id
 KEY_ID=keyid-97a3a431-8ee1-48fc-ac85-70e2f5eba8e5
diff --git a/test/integration/testenv/happy-life-bank/docker-compose.yml b/test/integration/testenv/happy-life-bank/docker-compose.yml
@@ -40,6 +40,7 @@ services:
       USE_TIGERBEETLE: false
       OPERATOR_TENANT_ID: cf5fd7d3-1eb1-4041-8e43-ba45747e9e5d
       API_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
+      API_SIGNATURE_VERSION: 1
     volumes:
       - ../private-key.pem:/workspace/private-key.pem
     depends_on: