interledger · sabineschaller · Aug 1, 2024 · Aug 15, 2024 · Jul 31, 2024 · Jul 31, 2024
diff --git a/packages/backend/migrations/20241119125038_add_unique_constraint_to_kid.js b/packages/backend/migrations/20241119125038_add_unique_constraint_to_kid.js
@@ -0,0 +1,36 @@
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.up = async function (knex) {
+  return knex
+    .raw(
+      // Keep only one active walletAddressKey (the most recent row)
+      `DELETE FROM "walletAddressKeys" w
+       WHERE revoked = false
+       AND ctid NOT IN (
+          SELECT MAX(ctid)
+          FROM "walletAddressKeys"
+          WHERE revoked = false
+            AND kid = w.kid
+          GROUP BY kid, "walletAddressId"
+       )`
-      `DELETE FROM "walletAddressKeys" w
-       WHERE revoked = false
-       AND ctid NOT IN (
-          SELECT MAX(ctid)
-          FROM "walletAddressKeys"
-          WHERE revoked = false
-            AND kid = w.kid
-          GROUP BY kid, "walletAddressId"
-       )`
+      `DELETE FROM "walletAddressKeys" w
+       AND ctid NOT IN (
+          SELECT MAX(ctid)
+          FROM "walletAddressKeys"
+          WHERE revoked = false
+          GROUP BY kid, "walletAddressId"
+       )`
-      `DELETE FROM "walletAddressKeys" w
-       WHERE revoked = false
-       AND ctid NOT IN (
-          SELECT MAX(ctid)
-          FROM "walletAddressKeys"
-          WHERE revoked = false
-            AND kid = w.kid
-          GROUP BY kid, "walletAddressId"
-       )`
+      `DELETE FROM "walletAddressKeys" w
+       AND ctid NOT IN (
+          SELECT MAX(ctid)
+          FROM "walletAddressKeys"
+          WHERE revoked = false
+          GROUP BY kid, "walletAddressId"
+       )`
+    )
+    .then(() => {
+      return knex.raw(`
+        CREATE UNIQUE INDEX "wallet_address_keys_revoked_false_idx"
+        ON "walletAddressKeys" ("walletAddressId", kid)
+        WHERE revoked = false;
+      `)
+    })
+}
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function (knex) {
+  return knex.raw(
+    `DROP INDEX IF EXISTS "wallet_address_keys_revoked_false_idx"`
+  )
+}
diff --git a/packages/backend/src/graphql/resolvers/walletAddressKey.test.ts b/packages/backend/src/graphql/resolvers/walletAddressKey.test.ts
@@ -20,6 +20,12 @@ import { createWalletAddress } from '../../tests/walletAddress'
 import { getPageTests } from './page.test'
 import { createWalletAddressKey } from '../../tests/walletAddressKey'
 import { GraphQLErrorCode } from '../errors'
+import {
+  errorToCode,
+  errorToMessage,
+  isWalletAddressKeyError,
+  WalletAddressKeyError
+} from '../../open_payments/wallet_address/key/errors'
 
 const TEST_KEY = generateJwk({ keyId: uuid() })
 
@@ -99,6 +105,66 @@ describe('Wallet Address Key Resolvers', (): void => {
       })
     })
 
+    test('Cannot add duplicate key', async (): Promise<void> => {
+      const walletAddress = await createWalletAddress(deps)
+
+      const input: CreateWalletAddressKeyInput = {
+        walletAddressId: walletAddress.id,
+        jwk: TEST_KEY as JwkInput
+      }
+
+      await walletAddressKeyService.create(input)
+
+      expect.assertions(2)
+
+      try {
+        await appContainer.apolloClient
+          .mutate({
+            mutation: gql`
+              mutation CreateWalletAddressKey(
+                $input: CreateWalletAddressKeyInput!
+              ) {
+                createWalletAddressKey(input: $input) {
+                  walletAddressKey {
+                    id
+                    walletAddressId
+                    jwk {
+                      kid
+                      x
+                      alg
+                      kty
+                      crv
+                    }
+                    revoked
+                    createdAt
+                  }
+                }
+              }
+            `,
+            variables: {
+              input
+            }
+          })
+          .then((query): CreateWalletAddressKeyMutationResponse => {
+            if (query.data) {
+              return query.data.createWalletAddressKey
+            } else {
+              throw new Error('Data was empty')
+            }
+          })
+      } catch (error) {
+        expect(error).toBeInstanceOf(ApolloError)
+        expect((error as ApolloError).graphQLErrors).toContainEqual(
+          expect.objectContaining({
+            message: errorToMessage[WalletAddressKeyError.DuplicateKey],
+            extensions: expect.objectContaining({
+              code: errorToCode[WalletAddressKeyError.DuplicateKey]
+            })
+          })
+        )
+      }
+    })
+
     test('internal server error', async (): Promise<void> => {
       jest
         .spyOn(walletAddressKeyService, 'create')
@@ -170,6 +236,7 @@ describe('Wallet Address Key Resolvers', (): void => {
         walletAddressId: walletAddress.id,
         jwk: TEST_KEY
       })
+      assert.ok(!isWalletAddressKeyError(key))
 
       const response = await appContainer.apolloClient
         .mutate({

diff --git a/packages/backend/src/graphql/resolvers/walletAddressKey.ts b/packages/backend/src/graphql/resolvers/walletAddressKey.ts
@@ -14,6 +14,11 @@ import { GraphQLError } from 'graphql'
 import { GraphQLErrorCode } from '../errors'
 import { Pagination } from '../../shared/baseModel'
 import { getPageInfo } from '../../shared/pagination'
+import {
+  errorToCode,
+  errorToMessage,
+  isWalletAddressKeyError
+} from '../../open_payments/wallet_address/key/errors'
 
 export const getWalletAddressKeys: WalletAddressResolvers<ApolloContext>['walletAddressKeys'] =
   async (
@@ -85,10 +90,17 @@ export const createWalletAddressKey: MutationResolvers<ApolloContext>['createWal
       'walletAddressKeyService'
     )
 
-    const key = await walletAddressKeyService.create(args.input)
+    const keyOrError = await walletAddressKeyService.create(args.input)
+    if (isWalletAddressKeyError(keyOrError)) {
+      throw new GraphQLError(errorToMessage[keyOrError], {
+        extensions: {
+          code: errorToCode[keyOrError]
+        }
+      })
+    }
 
     return {
-      walletAddressKey: walletAddressKeyToGraphql(key)
+      walletAddressKey: walletAddressKeyToGraphql(keyOrError)
     }
   }
 

diff --git a/packages/backend/src/open_payments/wallet_address/key/errors.ts b/packages/backend/src/open_payments/wallet_address/key/errors.ts
@@ -0,0 +1,21 @@
+import { GraphQLErrorCode } from '../../../graphql/errors'
+
+export enum WalletAddressKeyError {
+  DuplicateKey = 'DuplicateKey'
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/explicit-module-boundary-types
+export const isWalletAddressKeyError = (o: any): o is WalletAddressKeyError =>
+  Object.values(WalletAddressKeyError).includes(o)
+
+export const errorToCode: {
+  [key in WalletAddressKeyError]: GraphQLErrorCode
+} = {
+  [WalletAddressKeyError.DuplicateKey]: GraphQLErrorCode.Duplicate
+}
+
+export const errorToMessage: {
+  [key in WalletAddressKeyError]: string
+} = {
+  [WalletAddressKeyError.DuplicateKey]: 'Key already exists'
+}
diff --git a/packages/backend/src/open_payments/wallet_address/key/routes.test.ts b/packages/backend/src/open_payments/wallet_address/key/routes.test.ts
@@ -15,6 +15,7 @@ import { createWalletAddress } from '../../../tests/walletAddress'
 import { WalletAddressService } from '../service'
 import { OpenPaymentsServerRouteError } from '../../route-errors'
 import assert from 'assert'
+import { isWalletAddressKeyError } from './errors'
 
 const TEST_KEY = generateJwk({ keyId: uuid() })
 
@@ -52,6 +53,7 @@ describe('Wallet Address Keys Routes', (): void => {
         jwk: TEST_KEY
       }
       const key = await walletAddressKeyService.create(keyOption)
+      assert.ok(!isWalletAddressKeyError(key))
 
       const ctx = createContext<WalletAddressUrlContext>({
         headers: { Accept: 'application/json' },

diff --git a/packages/backend/src/open_payments/wallet_address/key/service.test.ts b/packages/backend/src/open_payments/wallet_address/key/service.test.ts
@@ -1,3 +1,4 @@
+import assert from 'assert'
 import { generateJwk } from '@interledger/http-signature-utils'
 import { v4 as uuid } from 'uuid'
 
@@ -13,6 +14,7 @@ import { getPageTests } from '../../../shared/baseModel.test'
 import { createWalletAddressKey } from '../../../tests/walletAddressKey'
 import { WalletAddress } from '../model'
 import { Pagination, SortOrder } from '../../../shared/baseModel'
+import { isWalletAddressKeyError, WalletAddressKeyError } from './errors'
 
 const TEST_KEY = generateJwk({ keyId: uuid() })
 
@@ -51,6 +53,39 @@ describe('Wallet Address Key Service', (): void => {
         walletAddressKeyService.create(options)
       ).resolves.toMatchObject(options)
     })
+
+    test('cannot add duplicate key to a wallet address', async (): Promise<void> => {
+      const options = {
+        walletAddressId: walletAddress.id,
+        jwk: TEST_KEY
+      }
+
+      await walletAddressKeyService.create(options)
+      await expect(walletAddressKeyService.create(options)).resolves.toEqual(
+        WalletAddressKeyError.DuplicateKey
+      )
+    })
+
+    test('Creates a new key unrevoked', async (): Promise<void> => {
+      const keyOption = {
+        walletAddressId: walletAddress.id,
+        jwk: TEST_KEY
+      }
+
+      const key = await walletAddressKeyService.create(keyOption)
+      assert.ok(!isWalletAddressKeyError(key))
+      await walletAddressKeyService.revoke(key.id)
+
+      const unrevokedKey = await walletAddressKeyService.create(keyOption)
+
+      assert.ok(!isWalletAddressKeyError(key))
+
+      expect(unrevokedKey).toMatchObject({
+        jwk: key.jwk,
+        walletAddressId: key.walletAddressId,
+        revoked: false
+      })
+    })
   })
 
   describe('Fetch Wallet Address Keys', (): void => {
@@ -79,6 +114,8 @@ describe('Wallet Address Key Service', (): void => {
 
       const key1 = await walletAddressKeyService.create(keyOption1)
       const key2 = await walletAddressKeyService.create(keyOption2)
+      assert.ok(!isWalletAddressKeyError(key1))
+      assert.ok(!isWalletAddressKeyError(key2))
       await walletAddressKeyService.revoke(key1.id)
 
       await expect(
@@ -107,6 +144,7 @@ describe('Wallet Address Key Service', (): void => {
       }
 
       const key = await walletAddressKeyService.create(keyOption)
+      assert.ok(!isWalletAddressKeyError(key))
       const revokedKey = await walletAddressKeyService.revoke(key.id)
       expect(revokedKey).toEqual({
         ...key,
@@ -129,6 +167,7 @@ describe('Wallet Address Key Service', (): void => {
       }
 
       const key = await walletAddressKeyService.create(keyOption)
+      assert.ok(!isWalletAddressKeyError(key))
 
       const revokedKey = await walletAddressKeyService.revoke(key.id)
       await expect(walletAddressKeyService.revoke(key.id)).resolves.toEqual(

diff --git a/packages/backend/src/open_payments/wallet_address/key/service.ts b/packages/backend/src/open_payments/wallet_address/key/service.ts
@@ -1,12 +1,15 @@
-import { TransactionOrKnex } from 'objection'
+import { TransactionOrKnex, UniqueViolationError } from 'objection'
 
 import { WalletAddressKey } from './model'
 import { BaseService } from '../../../shared/baseService'
 import { JWK } from '@interledger/http-signature-utils'
 import { Pagination, SortOrder } from '../../../shared/baseModel'
+import { WalletAddressKeyError } from './errors'
 
 export interface WalletAddressKeyService {
-  create(options: CreateOptions): Promise<WalletAddressKey>
+  create(
+    options: CreateOptions
+  ): Promise<WalletAddressKey | WalletAddressKeyError>
   revoke(id: string): Promise<WalletAddressKey | undefined>
   getPage(
     walletAddressId: string,
@@ -52,12 +55,25 @@ export interface CreateOptions {
 async function create(
   deps: ServiceDependencies,
   options: CreateOptions
-): Promise<WalletAddressKey> {
-  const key = await WalletAddressKey.query(deps.knex).insertAndFetch({
-    walletAddressId: options.walletAddressId,
-    jwk: options.jwk
-  })
-  return key
+): Promise<WalletAddressKey | WalletAddressKeyError> {
+  try {
+    const key = await WalletAddressKey.query(deps.knex).insertAndFetch({
+      walletAddressId: options.walletAddressId,
+      jwk: options.jwk
+    })
+    return key
+  } catch (err) {
+    if (err instanceof UniqueViolationError) {
+      return WalletAddressKeyError.DuplicateKey
+    }
+    deps.logger.error(
+      {
+        err
+      },
+      'error adding key'
+    )
+    throw err
+  }
 }
 
 async function revoke(

diff --git a/packages/backend/src/tests/walletAddressKey.ts b/packages/backend/src/tests/walletAddressKey.ts
@@ -4,6 +4,7 @@ import { WalletAddressKey } from '../open_payments/wallet_address/key/model'
 import { CreateOptions } from '../open_payments/wallet_address/key/service'
 import { v4 as uuidv4 } from 'uuid'
 import { generateJwk, generateKey } from '@interledger/http-signature-utils'
+import { isWalletAddressKeyError } from '../open_payments/wallet_address/key/errors'
 export async function createWalletAddressKey(
   deps: IocContract<AppServices>,
   walletAddressId: string
@@ -18,5 +19,9 @@ export async function createWalletAddressKey(
     })
   }
 
-  return walletAddressKeyService.create(options)
+  const keyOrError = await walletAddressKeyService.create(options)
+  if (isWalletAddressKeyError(keyOrError)) {
+    throw keyOrError
+  }
+  return keyOrError
 }