-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(backend): serve jwks.json from client payment pointer #758
Conversation
@@ -125,7 +126,8 @@ export const createAuthenticatedClient = async ( | |||
grant: createGrantRoutes({ | |||
axiosInstance, | |||
openApi: authServerOpenApi, | |||
logger | |||
logger, | |||
client: args.client |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was going to have createAuthenticatedClient
query ${client}/jwks.json
to validate that the key with the specified keyid
is served there, but backend
calls createAuthenticatedClient
long before its routes are set up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I was thinking you'd possibly get some kind of race condition type behaviour - could add some kind of retry mechanism but gets too complicated for what it's worth.
Is there a more straightforward name than client
? Even just paymentPointerUrl
? or clientPaymentPointer
?
@@ -125,7 +126,8 @@ export const createAuthenticatedClient = async ( | |||
grant: createGrantRoutes({ | |||
axiosInstance, | |||
openApi: authServerOpenApi, | |||
logger | |||
logger, | |||
client: args.client |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I was thinking you'd possibly get some kind of race condition type behaviour - could add some kind of retry mechanism but gets too complicated for what it's worth.
Is there a more straightforward name than client
? Even just paymentPointerUrl
? or clientPaymentPointer
?
ctx.throw(404) | ||
const url = `https://${ctx.request.host}/${ctx.params.paymentPointerPath}` | ||
const config = await ctx.container.use('config') | ||
if (url !== config.paymentPointerUrl) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In which situations will this equality happen?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When this is an Open Payments resource request for the RS's own payment pointer, which will now/soon be happening when a separate AS is querying RS's client payment pointer /jwks.json
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few comments, otherwise LGTM 👍
deps.config.paymentPointerUrl === | ||
`https://${ctx.request.host}/${ctx.params.paymentPointerPath}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be made into a function we can use across this package? Any function name will also help with the self-commenting of the code IMO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to be able to do this via a paymentPointerUrl
getter on AppContext
(?), but I'm struggling to pull it off.
@@ -93,6 +93,7 @@ export interface CreateAuthenticatedClientArgs | |||
extends CreateUnauthenticatedClientArgs { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kind of outside the scope of this PR, but I'm a bit confused why TS doesn't complain about
const axiosInstance = createAxiosInstance({
privateKey: args.privateKey,
keyId: args.keyId,
requestTimeoutMs:
args?.requestTimeoutMs ?? config.DEFAULT_REQUEST_TIMEOUT_MS
}
when privateKey and keyId are optional in createUnauthenticatedClient
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this due to
Line 28 in 2f17be3
"strict": false /* Enable all strict type-checking options. */, |
which was toggled in
@matdehaast @traviscrist Do either of you remember why we disabled strict type checking?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wilsonianb I think its was due to it not being run properly so when run it was showing tons of issues and we didn't want to fix them all when getting pnpm setup. If you enable it how many issues does it find?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you enable it how many issues does it find?
tbd
Changes proposed in this pull request
Context
Checklist
fixes #number