chore(backend): replace GrantReference with OutgoingPaymentGrant

[wilsonianb]

Changes proposed in this pull request

• Remove grant references table
• Store clientId directly on payment pointer subresources
• Add outgoing payment grants for locking while validating grant limits on outgoing payment creation

Context

• feat(backend): request grant to query incoming payment receiver  #779 (comment)
• should help reduce the footprint of Return client payment pointer in introspection response #737

Checklist

• Related issues linked using fixes #number
• Tests added/updated
• Documentation added
• Make sure that all checks pass

[sabineschaller]

Makes sense to me. Thank you!

[wilsonianb]

🤔 Would we still want to be able to link resources with the corresponding grants used to create them, for auditing or some other purpose?
I was just looking at section 2.1.3 of https://static.googleusercontent.com/media/nextbillionusers.google/en//tools/3PPI-2021-whitepaper.pdf which seems to actually recommend that the RS would store the grant permissions (or perhaps just keep things as is with GrantReference since our AS is currently bound to the RS)

[mkurapov]

@wilsonianb It feels like the "RTP" is more of a general concept in this case right? i.e. RTP != RS?

In general, having more information about the grant would be a good thing IMO, could do further checks other than the clientId, for example...

[mkurapov]

Left a few comments, but wouldn't mind going the other way and expanding the info stored in the og grantreference table

[mkurapov]

How will this have to change with #688?

[wilsonianb]

I think we'd be able to keep our current logic of defining ctx.clientId for everything except read-all/list-all requests

rafiki/packages/backend/src/open_payments/auth/middleware.ts

Lines 80 to 84 in 3a3f9e8

	// Unless the relevant grant action is ReadAll/ListAll add the
	// clientId to ctx for Read/List filtering
	if (access.actions.includes(action)) {
	ctx.clientId = grant.clientId
	}

[mkurapov]

Should this be in its own file? I was trying to find the model when I pulled down the branch originally, but wasn't able to right away

[wilsonianb]

I wanted to go all in on confining this to outgoing payments.
Are you thinking a separate model file in this directory, or its directory with its own service?

[mkurapov]

Makes sense - I was thinking of having one model per file in general, but if its confined as such and won't grow beyond its current scope, then it's good here

[mkurapov]

Should there be a separate issue for this? Or too far out/uncertain just yet?

[wilsonianb]

We have a PR that I could include in the comment

• add forNoKeyUpdate and forKeyShare Vincit/objection.js#2319

[mkurapov]

I think it's ok for now. Also, I'm guessing reviews haven't been fast on this because of: Vincit/objection.js#2335. Would be good to keep an eye on this thread

[wilsonianb]

@wilsonianb It feels like the "RTP" is more of a general concept in this case right? i.e. RTP != RS?

In general, having more information about the grant would be a good thing IMO, could do further checks other than the clientId, for example...

I'm not sure if our RS is more like the RTP or FSP.

Either way, I think we should associate created resources with corresponding grants for auditing purposes. I think just storing the grant id on the resource is currently sufficient with the RS bound to the AS. (The single account provider can look up grant details in the AS db tables. Although maybe we'd need to expand admin api to do so.)
However, do we need that for incoming payments and quotes? If not, then this PR still provides association of outgoing payments with corresponding grants.

[mkurapov]

Yeah, because of how the RS & AS are tied together, all the info can be found in the AS anyway if an audit is needed. I like that this simplifies things a bit in general + we don't need extra DB calls for incoming payments & quotes. I could see this changes down the line but LGTM for now