feat(mojaloop/#3670): add standard components lib update for k6 valid…

…ation (#465)

* bypass ilp validation

* feat: add mods for harness k6 test

* use native deepclone interface

* downgrade nx

* fix typo

* update standard-components version

* update dependencies

* update dep check

* update dep check

* capital letters

* Restore nx version

* update standard-library version

* fix unit tests

* revert native deepcopy

* fix pm4ml tests

* fix typo

* more deepcopies

* delete more deepcopies

* delete checkILP

* remove upgrades

* just do dependency update

* add utils deepcopy

* add inbound deepcopies

* remove controlagent deepcopies

* fix yarn.lock

* fix deepcopys

* dep update

* fix yarn lock

* remove ilp if not declared

* linting

* dep update

* refactor headers

* move headears validation from library

* chore(snapshot): 23.2.0-snapshot.0

* chore(snapshot): 23.3.0-snapshot.0

* inbound parties and quotes

* inbound transfers

* chore(snapshot): 23.3.0-snapshot.1

* fix assignations

* fix headers movement

* bump library version

.ncurc.yaml

@@ -6,5 +6,7 @@ reject: [
   ## TODO: The kafka connectivity is not working properly and the following update is causing service crash.
   '@mojaloop/logging-bc-client-lib',
   ## TODO: The new version of npm-check-updates uses new Glob v9.x and it is introducing a dependency Package "path-scurry@1.6.1" which is licensed under "BlueOak-1.0.0" which is not permitted by the Mojaloop License Policy
-  npm-check-updates
+  npm-check-updates,
+  ## TODO: The new version of nx causes submodules to be broken.
+  "nx"
 ]

audit-ci.jsonc

@@ -24,6 +24,10 @@
         // Some audit issues with api-snippets
         "GHSA-c2qf-rxjj-qqgw",
         // Issue with protobuffs (https://github.com/advisories/GHSA-h755-8qp9-cq85). No fix available.
-        "GHSA-h755-8qp9-cq85"
+        "GHSA-h755-8qp9-cq85",
+        // Issue with PostCSS library (https://github.com/advisories/GHSA-7fh5-64p2-3v2j)
+        "GHSA-7fh5-64p2-3v2j",
+        // SSRF attacks against npm IP (https://github.com/advisories/GHSA-78xj-cgh5-2h22)
+        "GHSA-78xj-cgh5-2h22"
     ]
 }

modules/api-svc/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/sdk-scheme-adapter-api-svc",
-  "version": "20.7.0-snapshot.1",
+  "version": "20.7.0-snapshot.4",
   "description": "An adapter for connecting to Mojaloop API enabled switches.",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -62,58 +62,58 @@
     "url": "git@github.com:mojaloop/sdk-scheme-adapter.git"
   },
   "dependencies": {
-    "@koa/cors": "^4.0.0",
-    "@mojaloop/api-snippets": "17.2.0",
-    "@mojaloop/central-services-error-handling": "^12.0.5",
-    "@mojaloop/central-services-logger": "^11.2.0",
-    "@mojaloop/central-services-metrics": "^12.0.5",
-    "@mojaloop/central-services-shared": "17.5.1",
-    "@mojaloop/event-sdk": "^11.0.2",
+    "@koa/cors": "^5.0.0",
+    "@mojaloop/api-snippets": "17.4.0",
+    "@mojaloop/central-services-error-handling": "^12.0.7",
+    "@mojaloop/central-services-logger": "^11.2.2",
+    "@mojaloop/central-services-metrics": "^12.0.8",
+    "@mojaloop/central-services-shared": "18.2.0",
+    "@mojaloop/event-sdk": "^14.0.0",
     "@mojaloop/sdk-scheme-adapter-private-shared-lib": "workspace:^",
-    "@mojaloop/sdk-standard-components": "^17.1.1",
+    "@mojaloop/sdk-standard-components": "v17.2.0",
     "ajv": "8.12.0",
-    "axios": "^1.4.0",
+    "axios": "^1.6.7",
     "co-body": "^6.1.0",
-    "dotenv": "^16.3.1",
-    "env-var": "^7.3.1",
+    "dotenv": "^16.4.3",
+    "env-var": "^7.4.1",
     "express": "^4.18.2",
     "fast-json-patch": "^3.1.1",
     "javascript-state-machine": "^3.1.0",
     "js-yaml": "^4.1.0",
     "json-schema-ref-parser": "^9.0.9",
-    "koa": "^2.14.2",
+    "koa": "^2.15.0",
     "koa-body": "^6.0.1",
     "lodash": "^4.17.21",
     "module-alias": "^2.2.3",
     "oauth2-server": "^4.0.0-dev.2",
     "openapi-jsonschema-parameters": "^12.1.3",
-    "prom-client": "^14.2.0",
+    "prom-client": "^15.1.0",
     "promise-timeout": "^1.3.0",
     "random-word-slugs": "^0.1.7",
-    "redis": "^4.6.7",
+    "redis": "^4.6.13",
     "uuidv4": "^6.2.13",
-    "ws": "^8.13.0"
+    "ws": "^8.16.0"
   },
   "devDependencies": {
-    "@babel/core": "^7.22.8",
-    "@babel/preset-env": "^7.22.7",
+    "@babel/core": "^7.23.9",
+    "@babel/preset-env": "^7.23.9",
     "@redocly/openapi-cli": "^1.0.0-beta.94",
-    "@types/jest": "^29.5.2",
-    "babel-jest": "^29.6.1",
-    "eslint": "^8.44.0",
+    "@types/jest": "^29.5.12",
+    "babel-jest": "^29.7.0",
+    "eslint": "^8.56.0",
     "eslint-config-airbnb-base": "^15.0.0",
-    "eslint-plugin-import": "^2.27.5",
-    "eslint-plugin-jest": "^27.2.2",
-    "jest": "^29.6.1",
+    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-jest": "^27.6.3",
+    "jest": "^29.7.0",
     "jest-junit": "^16.0.0",
-    "nock": "^13.3.1",
+    "nock": "^13.5.1",
     "npm-check-updates": "^16.7.10",
     "openapi-response-validator": "^12.1.3",
-    "openapi-typescript": "^6.3.2",
+    "openapi-typescript": "^6.7.4",
     "redis-mock": "^0.56.3",
     "replace": "^1.2.2",
     "standard-version": "^9.5.0",
-    "supertest": "^6.3.3",
+    "supertest": "^6.3.4",
     "swagger-cli": "^4.0.4"
   },
   "standard-version": {

modules/api-svc/src/ControlServer/index.js

@@ -255,7 +255,7 @@ class Server extends ws.Server {
                             client.send(build.CONFIGURATION.NOTIFY(this._appConfig, msg.id));
                             break;
                         case VERB.NOTIFY: {
-                            const dup = JSON.parse(JSON.stringify(this._appConfig)); // fast-json-patch explicitly mutates
+                            const dup = structuredClone(this._appConfig); // fast-json-patch explicitly mutates
                             _.merge(dup, msg.data);
                             this._logger.push({ oldConf: this._appConfig, newConf: dup }).log('Emitting new configuration');
                             this.emit(EVENT.RECONFIGURE, dup);
@@ -264,7 +264,7 @@ class Server extends ws.Server {
                         case VERB.PATCH: {
                             // TODO: validate the incoming patch? Or assume clients have used the
                             // client library?
-                            const dup = JSON.parse(JSON.stringify(this._appConfig)); // fast-json-patch explicitly mutates
+                            const dup = structuredClone(this._appConfig); // fast-json-patch explicitly mutates
                             jsonPatch.applyPatch(dup, msg.data);
                             logger.push({ oldConf: this._appConfig, newConf: dup }).log('Emitting new configuration');
                             this.emit(EVENT.RECONFIGURE, dup);

modules/api-svc/src/InboundServer/handlers.js

@@ -118,8 +118,16 @@ const getPartiesByTypeAndId = async (ctx) => {
                 resourceVersions: ctx.resourceVersions,
             });
 
+            let response;
+
             // use the model to handle the request
-            const response = await model.getParties(idType, idValue, subIdValue, sourceFspId);
+            if (ctx.request.header?.tracestate && ctx.request.header?.traceparent) {
+                const { tracestate, traceparent } = ctx.request.header;
+                response = await model.getParties(idType, idValue, subIdValue, sourceFspId, { tracestate, traceparent });
+            } else {
+                response = await model.getParties(idType, idValue, subIdValue, sourceFspId);
+            }
+
 
             // log the result
             ctx.state.logger.push({ response }).log('Inbound transfers model handled GET /parties/{idType}/{idValue} request');
@@ -168,8 +176,15 @@ const postQuotes = async (ctx) => {
                 resourceVersions: ctx.resourceVersions,
             });
 
+            let response;
+
             // use the model to handle the request
-            const response = await model.quoteRequest(quoteRequest, sourceFspId);
+            if (ctx.request.header?.tracestate && ctx.request.header?.traceparent) {
+                const { tracestate, traceparent } = ctx.request.header;
+                response = await model.quoteRequest(quoteRequest, sourceFspId, { tracestate, traceparent });
+            } else {
+                response = await model.quoteRequest(quoteRequest, sourceFspId);
+            }
 
             // log the result
             ctx.state.logger.push({ response }).log('Inbound transfers model handled POST /quotes request');

modules/api-svc/src/lib/model/Async2SyncModel.js

@@ -117,7 +117,7 @@ function generate({
                 await this.error(err);
 
                 // avoid circular ref between requestActionState.lastError and err
-                err.requestActionState = JSON.parse(JSON.stringify(this.getResponse()));
+                err.requestActionState = structuredClone(this.getResponse());
             }
             throw err;
         }

modules/api-svc/src/lib/model/InboundTransfersModel.js

@@ -142,7 +142,7 @@ class InboundTransfersModel {
     /**
      * Queries the backend API for the specified party and makes a callback to the originator with the result
      */
-    async getParties(idType, idValue, idSubValue, sourceFspId) {
+    async getParties(idType, idValue, idSubValue, sourceFspId, headers = {}) {
         try {
             // make a call to the backend to resolve the party lookup
             const response = await this._backendRequests.getParties(idType, idValue, idSubValue);
@@ -156,6 +156,14 @@ class InboundTransfersModel {
                 party: shared.internalPartyToMojaloopParty(response, this._dfspId)
             };
 
+            let { tracestate = undefined, traceparent = undefined } = headers;
+
+            if (tracestate && traceparent) {
+                const TRACESTATE_KEY_CALLBACK_START_TS = 'tx_callback_start_ts';
+                tracestate += `,${TRACESTATE_KEY_CALLBACK_START_TS}=${Date.now()}`;
+                return this._mojaloopRequests.putParties(idType, idValue, idSubValue, mlParty, sourceFspId, { tracestate, traceparent });
+            }
+
             // make a callback to the source fsp with the party info
             return this._mojaloopRequests.putParties(idType, idValue, idSubValue, mlParty, sourceFspId);
         }
@@ -172,7 +180,7 @@ class InboundTransfersModel {
      * Asks the backend for a response to an incoming quote request and makes a callback to the originator with
      * the result
      */
-    async quoteRequest(request, sourceFspId) {
+    async quoteRequest(request, sourceFspId, headers = {}) {
         const quoteRequest = request.body;
 
         // keep track of our state.
@@ -213,6 +221,7 @@ class InboundTransfersModel {
 
             // make a call to the backend to ask for a quote response
             const response = await this._backendRequests.postQuoteRequests(internalForm);
+
             if(!response) {
                 // make an error callback to the source fsp
                 return 'No response from backend';
@@ -242,8 +251,19 @@ class InboundTransfersModel {
             };
             await this._save();
 
+            let res;
+
+            let { tracestate = undefined, traceparent = undefined } = headers;
+
+
             // make a callback to the source fsp with the quote response
-            const res = await this._mojaloopRequests.putQuotes(quoteRequest.quoteId, mojaloopResponse, sourceFspId);
+            if (tracestate && traceparent) {
+                const TRACESTATE_KEY_CALLBACK_START_TS = 'tx_callback_start_ts';
+                tracestate += `,${TRACESTATE_KEY_CALLBACK_START_TS}=${Date.now()}`;
+                res = await this._mojaloopRequests.putQuotes(quoteRequest.quoteId, mojaloopResponse, sourceFspId, { tracestate, traceparent });
+            } else {
+                res = await this._mojaloopRequests.putQuotes(quoteRequest.quoteId, mojaloopResponse, sourceFspId);
+            }
             this.data.quoteResponse = {
                 headers: res.originalRequest.headers,
                 body: res.originalRequest.body,
@@ -374,7 +394,7 @@ class InboundTransfersModel {
                 this.data = await this._load(prepareRequest.transferId);
             }
 
-            const quote = this.data.quote;
+            const quote = this.data?.quote;
 
             if(!this.data || !quote) {
                 // If using the sdk-scheme-adapter in place of the deprecated `mojaloop-connector`
@@ -386,6 +406,10 @@ class InboundTransfersModel {
                 if(!this._allowTransferWithoutQuote) {
                     throw new Error(`Corresponding quote not found for transfer ${prepareRequest.transferId}`);
                 }
+
+                if (!this.data) {
+                    this.data = {};
+                }
             }
 
             // persist our state so we have a record if we crash during processing the prepare
@@ -422,7 +446,7 @@ class InboundTransfersModel {
             }
 
             // project the incoming transfer prepare into an internal transfer request
-            const internalForm = shared.mojaloopPrepareToInternalTransfer(prepareRequest, quote, this._ilp);
+            const internalForm = shared.mojaloopPrepareToInternalTransfer(prepareRequest, quote, this._ilp, this._checkIlp);
 
             // make a call to the backend to inform it of the incoming transfer
             const response = await this._backendRequests.postTransfers(internalForm);
@@ -919,4 +943,4 @@ class InboundTransfersModel {
 }
 
 
-module.exports = InboundTransfersModel;
+module.exports = InboundTransfersModel;

modules/api-svc/src/lib/model/OutboundBulkQuotesModel.js

@@ -478,7 +478,7 @@ class OutboundBulkQuotesModel {
                 await this.stateMachine.error(err);
 
                 // avoid circular ref between bulkQuoteState.lastError and err
-                err.bulkQuoteState = JSON.parse(JSON.stringify(this.getResponse()));
+                err.bulkQuoteState = structuredClone(this.getResponse());
             }
             throw err;
         }

modules/api-svc/src/lib/model/OutboundBulkTransfersModel.js

@@ -470,7 +470,7 @@ class OutboundBulkTransfersModel {
                 await this.stateMachine.error(err);
 
                 // avoid circular ref between bulkTransferState.lastError and err
-                err.bulkTransferState = JSON.parse(JSON.stringify(this.getResponse()));
+                err.bulkTransferState = structuredClone(this.getResponse());
             }
             throw err;
         }

modules/api-svc/src/lib/model/OutboundRequestToPayModel.js

@@ -456,7 +456,7 @@ class OutboundRequestToPayModel {
                 await this.stateMachine.error(err);
 
                 // avoid circular ref between transferState.lastError and err
-                err.lastError = JSON.parse(JSON.stringify(this.getResponse()));
+                err.lastError = structuredClone(this.getResponse());
             }
             throw err;
         }

modules/api-svc/src/lib/model/OutboundRequestToPayTransferModel.js

@@ -195,7 +195,7 @@ class OutboundRequestToPayTransferModel {
                 await this.stateMachine.error(err);
 
                 // avoid circular ref between transferState.lastError and err
-                err.transferState = JSON.parse(JSON.stringify(this.getResponse()));
+                err.transferState = structuredClone(this.getResponse());
             }
             throw err;
         }

modules/api-svc/src/lib/model/lib/shared.js

@@ -255,7 +255,7 @@ const internalTransactionRequestResponseToMojaloop = (internal) => {
  *
  * @returns {object}
  */
-const mojaloopPrepareToInternalTransfer = (external, quote, ilp) => {
+const mojaloopPrepareToInternalTransfer = (external, quote, ilp, checkILP) => {
     let internal = null;
     if(quote) {
         internal = {
@@ -270,14 +270,14 @@ const mojaloopPrepareToInternalTransfer = (external, quote, ilp) => {
             amount: quote.request.amount.amount,
             transactionType: quote.request.transactionType.scenario,
             subScenario: quote.request.transactionType.subScenario,
-            ilpPacket: {
-                data: ilp.getTransactionObject(external.ilpPacket),
-            },
             note: quote.request.note
         };
         if (quote.internalRequest && quote.internalRequest.extensionList && quote.internalRequest.extensionList.extension) {
             internal.quoteRequestExtensions = { ...quote.internalRequest.extensionList.extension };
         }
+        if (checkILP) {
+            internal.ilpPacket = { data: ilp.getTransactionObject(external.ilpPacket) };
+        } 
     } else {
         internal = {
             transferId: external.transferId,

modules/api-svc/test/integration-pm4ml/mockServers/managementService/server.js

@@ -211,7 +211,7 @@ class Server extends ws.Server {
    * Update outbound tls configuration and broadcast the change
    */
   updateOutboundTLSConfig(outboundTLSConfig) {
-    const newConfig = JSON.parse(JSON.stringify(this._currentConfig));
+    const newConfig = structuredClone(this._currentConfig);
     newConfig.outbound.tls = outboundTLSConfig;
     this.updateNewConfig(newConfig)
   }

modules/api-svc/test/unit/api/utils.js

@@ -51,7 +51,7 @@ const createValidators = async () => {
 
 const createTestServers = async (config) => {
     const logger = new Logger.Logger({ stringify: () => '' });
-    const defConfig = JSON.parse(JSON.stringify(config));
+    const defConfig = structuredClone(config);
     const cache = new Cache({
         cacheUrl: defConfig.cacheUrl,
         logger: logger.push({ component: 'cache' })