fix: use tenantId properly during asset creation

Author: njlie

localenv/mock-account-servicing-entity/generated/graphql.ts

@@ -3,7 +3,11 @@ import assert from 'assert'
 import { v4 as uuid } from 'uuid'
 
 import { getPageTests } from './page.test'
-import { createTestApp, TestContainer } from '../../tests/app'
+import {
+  createApolloClient,
+  createTestApp,
+  TestContainer
+} from '../../tests/app'
 import { IocContract } from '@adonisjs/fold'
 import { AppServices } from '../../app'
 import { initIocContainer } from '../..'
@@ -32,6 +36,7 @@ import { isFeeError } from '../../fee/errors'
 import { createFee } from '../../tests/fee'
 import { createAsset } from '../../tests/asset'
 import { GraphQLErrorCode } from '../errors'
+import { createTenant } from '../../tests/tenant'
 
 describe('Asset Resolvers', (): void => {
   let deps: IocContract<AppServices>
@@ -212,6 +217,55 @@ describe('Asset Resolvers', (): void => {
         )
       }
     })
+
+    test('bad input data when not allowed to perform cross tenant create', async (): Promise<void> => {
+      const otherTenant = await createTenant(deps)
+      const badInputData = {
+        ...randomAsset(),
+        tenantId: uuid()
+      }
+
+      const tenantedApolloClient = await createApolloClient(
+        appContainer.container,
+        appContainer.app,
+        otherTenant.id
+      )
+      try {
+        expect.assertions(2)
+        await tenantedApolloClient
+          .mutate({
+            mutation: gql`
+              mutation CreateAsset($input: CreateAssetInput!) {
+                createAsset(input: $input) {
+                  asset {
+                    id
+                  }
+                }
+              }
+            `,
+            variables: {
+              input: badInputData
+            }
+          })
+          .then((query): AssetMutationResponse => {
+            if (query.data) {
+              return query.data.createAsset
+            } else {
+              throw new Error('Data was empty')
+            }
+          })
+      } catch (error) {
+        expect(error).toBeInstanceOf(ApolloError)
+        expect((error as ApolloError).graphQLErrors).toContainEqual(
+          expect.objectContaining({
+            message: 'Assignment to the specified tenant is not permitted',
+            extensions: expect.objectContaining({
+              code: GraphQLErrorCode.BadUserInput
+            })
+          })
+        )
+      }
+    })
   })
 
   describe('Asset Queries', (): void => {

packages/backend/src/graphql/generated/graphql.schema.json

@@ -7,7 +7,7 @@ import {
 } from '../generated/graphql'
 import { Asset } from '../../asset/model'
 import { errorToCode, errorToMessage, isAssetError } from '../../asset/errors'
-import { TenantedApolloContext } from '../../app'
+import { ForTenantIdContext, TenantedApolloContext } from '../../app'
 import { getPageInfo } from '../../shared/pagination'
 import { Pagination, SortOrder } from '../../shared/baseModel'
 import { feeToGraphql } from './fee'
@@ -50,7 +50,10 @@ export const getAsset: QueryResolvers<TenantedApolloContext>['asset'] = async (
   ctx
 ): Promise<ResolversTypes['Asset']> => {
   const assetService = await ctx.container.use('assetService')
-  const asset = await assetService.get(args.id, ctx.tenant.id)
+  const asset = await assetService.get(
+    args.id,
+    ctx.isOperator ? undefined : ctx.tenant.id
+  )
   if (!asset) {
     throw new GraphQLError('Asset not found', {
       extensions: {
@@ -72,16 +75,27 @@ export const getAssetByCodeAndScale: QueryResolvers<TenantedApolloContext>['asse
     return asset ? assetToGraphql(asset) : null
   }
 
-export const createAsset: MutationResolvers<TenantedApolloContext>['createAsset'] =
+export const createAsset: MutationResolvers<ForTenantIdContext>['createAsset'] =
   async (
     parent,
     args,
     ctx
   ): Promise<ResolversTypes['AssetMutationResponse']> => {
+    const tenantId = ctx.forTenantId
+    if (!tenantId)
+      throw new GraphQLError(
+        `Assignment to the specified tenant is not permitted`,
+        {
+          extensions: {
+            code: GraphQLErrorCode.BadUserInput
+          }
+        }
+      )
+    ctx.logger.info({ tenantId }, 'tenantId for create asset')
     const assetService = await ctx.container.use('assetService')
     const assetOrError = await assetService.create({
       ...args.input,
-      tenantId: ctx.tenant.id
+      tenantId
     })
     if (isAssetError(assetOrError)) {
       throw new GraphQLError(errorToMessage[assetOrError], {

packages/backend/src/graphql/generated/graphql.ts

@@ -390,6 +390,8 @@ input CreateAssetInput {
   liquidityThreshold: UInt64
   "Unique key to ensure duplicate or retried requests are processed only once. For more information, refer to [idempotency](https://rafiki.dev/apis/graphql/admin-api-overview/#idempotency)."
   idempotencyKey: String
+  "Unique identifier of the tenant associated with the asset. This cannot be changed. Optional, if not provided, the tenantId will be obtained from the signature."
+  tenantId: ID
 }
 
 input UpdateAssetInput {

packages/backend/src/graphql/resolvers/asset.test.ts

@@ -28,36 +28,13 @@ export interface TestContainer {
   container: IocContract<AppServices>
 }
 
-export const createTestApp = async (
-  container: IocContract<AppServices>
-): Promise<TestContainer> => {
-  const config = await container.use('config')
-  config.adminPort = 0
-  config.openPaymentsPort = 0
-  config.connectorPort = 0
-  config.autoPeeringServerPort = 0
-  config.openPaymentsUrl = 'https://op.example'
-  config.walletAddressUrl = 'https://wallet.example/.well-known/pay'
+export const createApolloClient = async (
+  container: IocContract<AppServices>,
+  app: App,
+  tenantId?: string
+): Promise<ApolloClient<NormalizedCacheObject>> => {
   const logger = await container.use('logger')
-
-  const app = new App(container)
-  await start(container, app)
-
-  const nock = (global as unknown as { nock: typeof import('nock') }).nock
-
-  // Since wallet addresses MUST use HTTPS, manually mock an HTTPS proxy to the Open Payments / SPSP server
-  nock(config.openPaymentsUrl)
-    .get(/.*/)
-    .matchHeader('Accept', /application\/((ilp-stream|spsp4)\+)?json*./)
-    .reply(200, function (path) {
-      return Axios.get(`http://localhost:${app.getOpenPaymentsPort()}${path}`, {
-        headers: this.req.headers
-      }).then((res) => res.data)
-    })
-    .persist()
-
-  const knex = await container.use('knex')
-
+  const config = await container.use('config')
   const httpLink = createHttpLink({
     uri: `http://localhost:${app.getAdminPort()}/graphql`,
     fetch
@@ -80,14 +57,14 @@ export const createTestApp = async (
     return {
       headers: {
         ...headers,
-        'tenant-id': config.operatorTenantId
+        'tenant-id': tenantId || config.operatorTenantId
       }
     }
   })
 
   const link = ApolloLink.from([errorLink, authLink, httpLink])
 
-  const client = new ApolloClient({
+  return new ApolloClient({
     cache: new InMemoryCache({}),
     link: link,
     defaultOptions: {
@@ -102,6 +79,38 @@ export const createTestApp = async (
       }
     }
   })
+}
+
+export const createTestApp = async (
+  container: IocContract<AppServices>
+): Promise<TestContainer> => {
+  const config = await container.use('config')
+  config.adminPort = 0
+  config.openPaymentsPort = 0
+  config.connectorPort = 0
+  config.autoPeeringServerPort = 0
+  config.openPaymentsUrl = 'https://op.example'
+  config.walletAddressUrl = 'https://wallet.example/.well-known/pay'
+
+  const app = new App(container)
+  await start(container, app)
+
+  const nock = (global as unknown as { nock: typeof import('nock') }).nock
+
+  // Since wallet addresses MUST use HTTPS, manually mock an HTTPS proxy to the Open Payments / SPSP server
+  nock(config.openPaymentsUrl)
+    .get(/.*/)
+    .matchHeader('Accept', /application\/((ilp-stream|spsp4)\+)?json*./)
+    .reply(200, function (path) {
+      return Axios.get(`http://localhost:${app.getOpenPaymentsPort()}${path}`, {
+        headers: this.req.headers
+      }).then((res) => res.data)
+    })
+    .persist()
+
+  const knex = await container.use('knex')
+
+  const client = await createApolloClient(container, app)
 
   return {
     app,

packages/backend/src/graphql/resolvers/asset.ts

@@ -140,12 +140,8 @@ export const listAssets = async (request: Request, args: QueryAssetsArgs) => {
   return response.data.assets
 }
 
-export const createAsset = async (
-  request: Request,
-  args: CreateAssetInput,
-  tenantId?: string
-) => {
-  const apolloClient = await getApolloClient(request, tenantId)
+export const createAsset = async (request: Request, args: CreateAssetInput) => {
+  const apolloClient = await getApolloClient(request)
   const response = await apolloClient.mutate<
     CreateAssetMutation,
     CreateAssetMutationVariables

packages/backend/src/graphql/schema.graphql

@@ -23,7 +23,7 @@ BigInt.prototype.toJSON = function (this: bigint) {
   return this.toString()
 }
 
-async function createAuthLink(request: Request, tenantId?: string) {
+async function createAuthLink(request: Request) {
   return setContext(async (gqlRequest, { headers }) => {
     const timestamp = Date.now()
     const version = process.env.SIGNATURE_VERSION
@@ -53,10 +53,9 @@ async function createAuthLink(request: Request, tenantId?: string) {
       }
     }
 
-    const sessionTenantId = session.get('tenantId')
-    if (sessionTenantId || tenantId) {
-      // Use session tenant id if operator does not specify other tenant
-      link.headers['tenant-id'] = tenantId ?? sessionTenantId
+    const tenantId = session.get('tenantId')
+    if (tenantId) {
+      link.headers['tenant-id'] = tenantId
     }
 
     return link
@@ -67,9 +66,9 @@ const httpLink = createHttpLink({
   uri: process.env.GRAPHQL_URL
 })
 
-export async function getApolloClient(request: Request, tenantId?: string) {
+export async function getApolloClient(request: Request) {
   return new ApolloClient({
     cache: new InMemoryCache({}),
-    link: ApolloLink.from([await createAuthLink(request, tenantId), httpLink])
+    link: ApolloLink.from([await createAuthLink(request), httpLink])
   })
 }

packages/backend/src/tests/app.ts

@@ -6,7 +6,7 @@ import {
   useNavigation
 } from '@remix-run/react'
 import { PageHeader } from '~/components'
-import { Button, Dropdown, ErrorPanel, Input } from '~/components/ui'
+import { Button, Select, ErrorPanel, Input } from '~/components/ui'
 import { createAsset } from '~/lib/api/asset.server'
 import { messageStorage, setMessageAndRedirect } from '~/lib/message.server'
 import { createAssetSchema } from '~/lib/validate.server'
@@ -81,10 +81,10 @@ export default function CreateAssetPage() {
                     error={response?.errors.fieldErrors.withdrawalThreshold}
                   />
                   {tenants && (
-                    <Dropdown
+                    <Select
                       options={tenants.map((tenant) => ({
-                        label: tenant.node.id,
-                        value: `${tenant.node.id} ${tenant.node.publicName ? `(${tenant.node.publicName})` : ''}`
+                        label: `${tenant.node.id}${tenant.node.publicName ? ` (${tenant.node.publicName})` : ''}`,
+                        value: tenant.node.id
                       }))}
                       name='tenantId'
                       placeholder='Select tenant...'
@@ -130,8 +130,6 @@ export async function action({ request }: ActionFunctionArgs) {
     return json({ errors }, { status: 400 })
   }
 
-  // Make input fields match GraphQL schema
-  delete result.data.tenantId
   const response = await createAsset(request, {
     ...result.data,
     ...(result.data.withdrawalThreshold