feat(auth): soft delete access tokens and grant accesses (#2837)

interledger · Aug 8, 2024 · 4a43281 · 4a43281
1 parent aac63c7
commit 4a43281
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 52 deletions.
diff --git a/packages/auth/migrations/20240802171939_add_revoked_at_to_access_tokens.js b/packages/auth/migrations/20240802171939_add_revoked_at_to_access_tokens.js
@@ -0,0 +1,19 @@
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.up = function (knex) {
+  return knex.schema.alterTable('accessTokens', function (table) {
+    table.timestamp('revokedAt')
+  })
+}
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function (knex) {
+  return knex.schema.alterTable('accessTokens', function (table) {
+    table.dropColumn('revokedAt')
+  })
+}
diff --git a/packages/auth/src/access/service.test.ts b/packages/auth/src/access/service.test.ts
@@ -125,18 +125,4 @@ describe('Access Service', (): void => {
       expect(fetchedAccess[0].actions).toEqual(incomingPaymentAccess.actions)
     })
   })
-
-  describe('revoke access', (): void => {
-    test('revokeByGrantId', async () => {
-      const access = await Access.query(trx).insert({
-        grantId: grant.id,
-        type: 'incoming-payment',
-        actions: [AccessAction.Create, AccessAction.Read, AccessAction.List]
-      })
-
-      await accessService.revokeByGrantId(grant.id)
-
-      expect(Access.query(trx).findById(access.id)).resolves.toBeUndefined()
-    })
-  })
 })
diff --git a/packages/auth/src/access/service.ts b/packages/auth/src/access/service.ts
@@ -11,7 +11,6 @@ export interface AccessService {
     trx?: Transaction
   ): Promise<Access[]>
   getByGrant(grantId: string, trx?: Transaction): Promise<Access[]>
-  revokeByGrantId(grantId: string, trx?: Transaction): Promise<number>
 }
 
 interface ServiceDependencies extends BaseService {
@@ -38,9 +37,7 @@ export async function createAccessService({
       trx?: Transaction
     ) => createAccess(deps, grantId, accessRequests, trx),
     getByGrant: (grantId: string, trx?: Transaction) =>
-      getByGrant(deps, grantId, trx),
-    revokeByGrantId: (grantId: string, trx?: Transaction) =>
-      revokeByGrantId(deps, grantId, trx)
+      getByGrant(deps, grantId, trx)
   }
 }
 
@@ -66,15 +63,3 @@ async function getByGrant(
     grantId
   })
 }
-
-async function revokeByGrantId(
-  deps: ServiceDependencies,
-  grantId: string,
-  trx?: Transaction
-): Promise<number> {
-  return Access.query(trx || deps.knex)
-    .delete()
-    .where({
-      grantId
-    })
-}
diff --git a/packages/auth/src/accessToken/model.ts b/packages/auth/src/accessToken/model.ts
@@ -27,6 +27,7 @@ export class AccessToken extends BaseModel {
   public managementId!: string
   public grantId!: string
   public expiresIn!: number
+  public revokedAt?: Date
 }
 
 interface ToOpenPaymentsAccessTokenArgs {

diff --git a/packages/auth/src/accessToken/service.test.ts b/packages/auth/src/accessToken/service.test.ts
@@ -102,6 +102,7 @@ describe('Access Token Service', (): void => {
         accessTokenService.getByManagementId(accessToken.managementId)
       ).resolves.toMatchObject({
         ...accessToken,
+        revokedAt: null,
         grant: retrievedGrant
       })
     })
@@ -267,21 +268,19 @@ describe('Access Token Service', (): void => {
     describe('Revoke by token id', (): void => {
       test('Can revoke un-expired token', async (): Promise<void> => {
         await token.$query(trx).patch({ expiresIn: 1000000 })
-        await expect(accessTokenService.revoke(token.id)).resolves.toEqual(
-          token
-        )
-        await expect(
-          AccessToken.query(trx).findById(token.id)
-        ).resolves.toBeUndefined()
+        await expect(accessTokenService.revoke(token.id)).resolves.toEqual({
+          ...token,
+          revokedAt: expect.any(Date),
+          updatedAt: expect.any(Date)
+        })
       })
       test('Can revoke even if token has already expired', async (): Promise<void> => {
         await token.$query(trx).patch({ expiresIn: -1 })
-        await expect(accessTokenService.revoke(token.id)).resolves.toEqual(
-          token
-        )
-        await expect(
-          AccessToken.query(trx).findById(token.id)
-        ).resolves.toBeUndefined()
+        await expect(accessTokenService.revoke(token.id)).resolves.toEqual({
+          ...token,
+          revokedAt: expect.any(Date),
+          updatedAt: expect.any(Date)
+        })
       })
       test('Can revoke even if token has already been revoked', async (): Promise<void> => {
         await token.$query(trx).delete()
@@ -309,7 +308,11 @@ describe('Access Token Service', (): void => {
         ).resolves.toEqual(1)
         await expect(
           AccessToken.query(trx).findById(token.id)
-        ).resolves.toBeUndefined()
+        ).resolves.toEqual({
+          ...token,
+          revokedAt: expect.any(Date),
+          updatedAt: expect.any(Date)
+        })
       })
       test('Can revoke even if token has already expired', async (): Promise<void> => {
         await token.$query(trx).patch({ expiresIn: -1 })
@@ -318,7 +321,11 @@ describe('Access Token Service', (): void => {
         ).resolves.toEqual(1)
         await expect(
           AccessToken.query(trx).findById(token.id)
-        ).resolves.toBeUndefined()
+        ).resolves.toEqual({
+          ...token,
+          revokedAt: expect.any(Date),
+          updatedAt: expect.any(Date)
+        })
       })
       test('Can revoke even if token has already been revoked', async (): Promise<void> => {
         await token.$query(trx).delete()

diff --git a/packages/auth/src/accessToken/service.ts b/packages/auth/src/accessToken/service.ts
@@ -70,6 +70,7 @@ async function getByManagementId(
 ): Promise<AccessToken | undefined> {
   return AccessToken.query()
     .findOne('managementId', managementId)
+    .whereNull('revokedAt')
     .withGraphFetched('grant')
 }
 
@@ -80,6 +81,7 @@ async function introspect(
 ): Promise<{ grant: Grant; access: Access[] } | undefined> {
   const token = await AccessToken.query(deps.knex)
     .findOne({ value: tokenValue })
+    .whereNull('revokedAt')
     .withGraphFetched('grant.access')
 
   const foundAccess: Access[] = []
@@ -117,7 +119,10 @@ async function revoke(
   trx?: TransactionOrKnex
 ): Promise<AccessToken | undefined> {
   return AccessToken.query(trx || deps.knex)
-    .deleteById(id)
+    .patchAndFetchById(id, {
+      revokedAt: new Date()
+    })
+    .whereNull('revokedAt')
     .returning('*')
     .first()
 }
@@ -128,7 +133,9 @@ async function revokeByGrantId(
   trx?: TransactionOrKnex
 ): Promise<number> {
   return await AccessToken.query(trx || deps.knex)
-    .delete()
+    .patch({
+      revokedAt: new Date()
+    })
     .where('grantId', grantId)
 }
 

diff --git a/packages/auth/src/grant/service.test.ts b/packages/auth/src/grant/service.test.ts
@@ -56,6 +56,8 @@ describe('Grant Service', (): void => {
 
   describe('grant flow', (): void => {
     let grant: Grant
+    let access: Access
+    let accessToken: AccessToken
 
     const CLIENT = faker.internet.url({ appendSlash: false })
 
@@ -79,13 +81,13 @@ describe('Grant Service', (): void => {
         grantId: grant.id
       })
 
-      await Access.query().insert({
+      access = await Access.query().insert({
         ...BASE_GRANT_ACCESS,
         type: AccessType.IncomingPayment,
         grantId: grant.id
       })
 
-      await AccessToken.query().insert({
+      accessToken = await AccessToken.query().insert({
         value: generateToken(),
         managementId: v4(),
         expiresIn: 10_000_000,
@@ -351,10 +353,18 @@ describe('Grant Service', (): void => {
         expect(revokedGrant?.finalizationReason).toEqual(
           GrantFinalization.Revoked
         )
-        expect(Access.query().where({ grantId: grant.id })).resolves.toEqual([])
+        expect(Access.query().where({ grantId: grant.id })).resolves.toEqual([
+          { ...access, limits: null }
+        ])
         expect(
           AccessToken.query().where({ grantId: grant.id })
-        ).resolves.toEqual([])
+        ).resolves.toEqual([
+          {
+            ...accessToken,
+            revokedAt: expect.any(Date),
+            updatedAt: expect.any(Date)
+          }
+        ])
       })
 
       test('Can "revoke" unknown grant', async (): Promise<void> => {

diff --git a/packages/auth/src/grant/service.ts b/packages/auth/src/grant/service.ts
@@ -178,7 +178,7 @@ async function revokeGrant(
   deps: ServiceDependencies,
   grantId: string
 ): Promise<boolean> {
-  const { accessTokenService, accessService } = deps
+  const { accessTokenService } = deps
 
   const trx = await deps.knex.transaction()
 
@@ -199,7 +199,6 @@ async function revokeGrant(
     }
 
     await accessTokenService.revokeByGrantId(grant.id, trx)
-    await accessService.revokeByGrantId(grant.id, trx)
 
     await trx.commit()
     return true