chore(backend): remove payment balance accounts

[wilsonianb]

Changes proposed in this pull request

• Send outgoing payments from and receive invoice payments to settlement accounts.
• Outgoing payments and invoices have accounts for tracking the amounts
  sent and received, but they do not represent (withdraw-able) balances.
• Remove outgoing payments and invoices accounts used for tracking the amounts
  sent and received.
• Add sendOutgoingPayment fundOutgoingPayment mutation resolver. Wallet operators will be
  notified when quote is complete (TODO) and call fundOutgoingPayment
  after payment is approved (if necessary) and funds are reserved in
  the sender's wallet account.
• Make incoming and outgoing accounts distinct types
• Rename Funding payment state as Ready
• Replace web monetization service with Open Payments account spsp fallback tigerbeetle account. (All invoices are now Open Payments invoices.)
• Do not update account balances when sending unfulfillable rate probe packets.

Context

• Remove outgoing payment accounts #196
• part of Add outgoing payment liquidity mutation resolvers #160

Checklist

• Related issues linked using fixes #number
• Tests added/updated
• Documentation added
• Make sure that all checks pass

[sentientwaffle]

The naming of receivedAccountId confuses me. It isn't the amount that has been received, it is the maximum amount that can be received, right?

[wilsonianb]

It's confusing because it depends:
https://github.com/interledger/rafiki/pull/197/files#diff-e5a9751319994ef97d1413f0c3bc6587f756163958ad21f877a5fe7d84a08661R81-R89

I considered having separate receivedAccountId and receiveLimitAccountId, but transferFundssendAndReceive would treat them the same.

[sentientwaffle]

Why does this parameter need to be exposed on the API?

If it does need to be exposed, it should have a more descriptive name to ensure that the caller doesn't assume that it should be subtracted from (e.g.) the maxSourceAmount.

[wilsonianb]

It doesn't need to be exposed since it's in the OutgoingPaymentOutcome

[wilsonianb]

@matdehaast Here's the possible webhooks for reference #199

[matdehaast]

This is good work @wilsonianb.

I do still worry that we are losing some accounting principals and accurate tracking of money movement by going in this direction. But I can see that it does simplify things greatly.

My assumption is that this is all to account for the need to enforce limits on certain payment accounts?

I wonder if there is a better abstraction where we can have another primitive within the account service that is called a limit account or something along those lines and we could bind that to an account. I'm trying to draw up some T accounts for this PR to see if we actually lose anything meaningful.

[matdehaast]

Does having a zero value here make sense? Should we not just define an account type enum for the case when its neither to remove ambiguity?

[wilsonianb]

👍
A reason I didn't add and expose one is that currently the only non-Debit/Credit account is being created within the accounting service (in createAssetAccounts).

[matdehaast]

Can an account have both a received and sent account id?

[matdehaast]

The reason I ask is, I'm wondering if its better to just have a singular account and then use a flag/enum/account type to determine if you are a received or sent account

[wilsonianb]

It looks like this comment is on an outdated commit. Here's the final form:
https://github.com/interledger/rafiki/pull/197/files#diff-72a5530c2c89f105f75e071479a382e8f8408459d37968fb93b546cca4783b31R75-R91
There's currently not a situation in which an account would have both a received and sent account id.
With this previous iteration, it could have been consolidated to one account whose type could be checked, but I like how it fit into separating the connector's incoming and outgoing account types.
https://github.com/interledger/rafiki/pull/197/files#diff-08011ba8622ef9b1a38af778014f9471eb8ce942adc8609074f019765f7338f6R26-R43

[matdehaast]

@wilsonianb are you worried this might be a footgun and catch someone else out?

[wilsonianb]

Yes.
I'd like to separate web monetization from invoices and make the invoice model follow the open payments spec which would make amountToReceive a required field.

[matdehaast]

@wilsonianb ah I see that is a required field. I can't for the life of me remember why. I wonder how fixed send amounts are handled if amount is required...

[wilsonianb]

• Define how to do fixed source amount payments with invoices. open-payments#39

[matdehaast]

I'm wondering if we should have a function in the invoice service rather to account for this, if somewhere else wants to quote the invoice balance, they will need to know this has to happen

[wilsonianb]

I started to add a function yesterday and then I added getTotalReceived to the accountingService. 2ce7778
I'll put that in this pr.

[wilsonianb]

My assumption is that this is all to account for the need to enforce limits on certain payment accounts?

We were already effectively enforcing limits on payments.
This change simplifies limit enforcement (one tigerbeetle account per invoice and outgoing payment), while giving Rafiki fewer limits to enforce.

For outgoing payments, there's no longer a liquidity balance to enforce. The amount sent is restricted by @interledger/pay with its quote.

Invoices do still enforce the receive limit, but there's similarly no enforcement of an invoice's withdrawable liquidity. It has an amount received that can only go up, which the wallet can reflect in the receiver's wallet account however it wants.

[wilsonianb]

This won't work as is for an intra-rafiki same asset outgoing payment to invoice. It'll get TransferError.SameAccounts for the settlement account sending to itself.
I'm working on a change to fix.

[wilsonianb]

☝️ that fixes the same account issue.
The pull request should be good to review.
@matdehaast @sentientwaffle

[sentientwaffle]

What is this constant for?

[wilsonianb]

It's used in generating deterministic asset account ids:
https://github.com/interledger/rafiki/blob/main/packages/backend/src/accounting/utils.ts#L28-L30
We're now down to two types of asset accounts (liquidity & settlement).

I was actually just considering replacing it with:

const MAX_ASSETS = 2**16

based on Tigerbeetle's two byte unit field. And then getAssetAccountId could do:

BigInt(type * MAX_ASSETS + unit)

[sentientwaffle]

Couldn't miscellaneous account uuids get generated into that range?

[wilsonianb]

Yeah, which is why I was still favoring ASSET_ACCOUNTS_RESERVED over MAX_ASSETS since the range is limited by the number of assets.

However, I think we would safely fail to create an asset if any of its tigerbeetle account ids are already used.
https://github.com/interledger/rafiki/blob/main/packages/backend/src/asset/service.ts#L57-L68
We'd end up with a unit sequence gap, and retrying would attempt to create the asset with the next unit value.

[wilsonianb]

I also had the thought that validateId in accountingService.createAccount could disallow ids in the possible asset id range.

[sentientwaffle]

If the payment state is not Ready should that be a client (400) error?

[wilsonianb]

Yeah, and maybe the same for requoteOutgoingPayment and cancelOutgoingPayment.

Should we define a WrongPaymentState error that the resolvers can catch and return 400?

[sentientwaffle]

Yeah. The alternative would be to check the state in the resolver itself, but I think that validation logic is better off in the service (where it already is).

[wilsonianb]

After talking with Matt, I'm in agreement that sending from and receiving to the settlement account prevents the wallet operator from getting an accurate snapshot of liabilities.
We also determined that we can still get by with a single tigerbeetle account for each payment:

• Invoices can be deactivated when they've received their full amount (a la 9b68ea5). The limit doesn't need to be enforced by Tigerbeetle.
• Outgoing payment total sent amount can be tracked with Tigerbeetle transfer codes. (since total debits won't work due to withdrawals)

I'll convert the payment accounts back to normal in this pr and do liquidity deposits/withdrawals and webhooks in separate pr(s).

[sentientwaffle]

Would it cause problems if this query + patch are in separate transactions?

[wilsonianb]

I don't think so since the amount currently isn't modified anywhere, but this could be put in a single

    await Invoice.query(deps.knex).patch({
      active: false
    }).where('id', invoiceId).andWhere('amount', '<=', amountReceived)

[wilsonianb]

I ran into objection/knex type errors trying to compare with a bigint in andWhere so I've put the query and patch in a transaction 88ba6d1

[sentientwaffle]

Did you try passing the toString of the bigint?

[wilsonianb]

Nope 🙃
6478831

[sentientwaffle]

Can you double-check that the forUpdate doesn't also get carried over the the account.asset being fetched? (i.e. that the payment row is locked but not the account/asset). I know we do this elsewhere too but it didn't occur to me until now...

[wilsonianb]

Vincit/objection.js#1608
I'm guessing it would for withGraphJoined