Merge branch '2852/mk/get-or-create-ip-grants' into 2852/mk/improve-i…

…p-grant-lookups

packages/backend/src/open_payments/grant/service.test.ts

@@ -195,6 +195,61 @@ describe('Grant Service', (): void => {
       expect(authServerServiceGetOrCreateSoy).toHaveBeenCalled()
     })
 
+    test('creates new grant with additional subset actions', async () => {
+      const newOpenPaymentsGrant = mockGrant()
+      const openPaymentsGrantRequestSpy = jest
+        .spyOn(openPaymentsClient.grant, 'request')
+        .mockResolvedValueOnce({
+          ...newOpenPaymentsGrant
+        })
+
+      const options = {
+        authServer: authServer.url,
+        accessType: AccessType.IncomingPayment,
+        accessActions: [
+          AccessAction.Create,
+          AccessAction.ReadAll,
+          AccessAction.ListAll
+        ]
+      }
+
+      const authServerServiceGetOrCreateSoy = jest.spyOn(
+        authServerService,
+        'getOrCreate'
+      )
+
+      const grant = await grantService.getOrCreate(options)
+
+      assert(!isGrantError(grant))
+      expect(grant.accessActions.sort()).toEqual(
+        [
+          AccessAction.Create,
+          AccessAction.ReadAll,
+          AccessAction.ListAll,
+          AccessAction.List,
+          AccessAction.Read
+        ].sort()
+      )
+      expect(openPaymentsGrantRequestSpy).toHaveBeenCalledWith(
+        { url: options.authServer },
+        {
+          access_token: {
+            access: [
+              {
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                type: options.accessType as any,
+                actions: options.accessActions
+              }
+            ]
+          },
+          interact: {
+            start: ['redirect']
+          }
+        }
+      )
+      expect(authServerServiceGetOrCreateSoy).toHaveBeenCalled()
+    })
+
     test('creates new grant and deletes old one after being unable to rotate existing token', async () => {
       const existingGrant = await Grant.query(knex).insertAndFetch({
         authServerId: authServer.id,

packages/backend/src/open_payments/grant/service.ts

@@ -95,7 +95,9 @@ export async function getExistingGrant(
     })
     .whereNull('deletedAt')
     .andWhere('authServer.url', options.authServer)
-    .andWhere('accessActions', '@>', options.accessActions) // all options.accessActions are a subset of saved accessActions
+    // all options.accessActions are a subset of saved accessActions
+    // e.g. if [ReadAll, Create] is saved, requesting just [Create] would still match
+    .andWhere('accessActions', '@>', options.accessActions)
     .withGraphJoined('authServer')
 }
 
@@ -142,7 +144,7 @@ async function requestNewGrant(
   return Grant.query(deps.knex)
     .insertAndFetch({
       accessType: options.accessType,
-      accessActions: options.accessActions,
+      accessActions: addSubsetActions(options.accessActions),
       accessToken: openPaymentsGrant.access_token.value,
       managementId: retrieveManagementId(openPaymentsGrant.access_token.manage),
       authServerId,
@@ -199,6 +201,28 @@ async function deleteGrant(
   })
 }
 
+function addSubsetActions(accessActions: AccessAction[]): AccessAction[] {
+  const newAccessActions = [...accessActions]
+
+  // Read is a subset action of ReadAll
+  if (
+    accessActions.includes(AccessAction.ReadAll) &&
+    !accessActions.includes(AccessAction.Read)
+  ) {
+    newAccessActions.push(AccessAction.Read)
+  }
+
+  // List is a subset action of ListAll
+  if (
+    accessActions.includes(AccessAction.ListAll) &&
+    !accessActions.includes(AccessAction.List)
+  ) {
+    newAccessActions.push(AccessAction.List)
+  }
+
+  return newAccessActions
+}
+
 function retrieveManagementId(managementUrl: string): string {
   const managementUrlParts = managementUrl.split('/')
   const managementId = managementUrlParts.pop() || managementUrlParts.pop() // handle trailing slash