@moneypot/hub 0.0.1

package/dist/src/server/graphile.config.js

@@ -0,0 +1,166 @@
+import "graphile-config";
+import "postgraphile";
+import { makePgService } from "postgraphile/adaptors/pg";
+import { PostGraphileAmberPreset } from "postgraphile/presets/amber";
+import config from "../config.js";
+import { maskError } from "./handle-errors.js";
+import * as db from "../db/index.js";
+import { SmartTagsPlugin } from "../smart-tags.js";
+import { HubAuthenticatePlugin } from "../plugins/hub-authenticate.js";
+import { IdToNodeIdPlugin } from "../plugins/id-to-node-id.js";
+import { HubClaimFaucetPlugin } from "../plugins/hub-claim-faucet.js";
+import { DebugPlugin } from "../plugins/debug.js";
+import { HubWithdrawPlugin } from "../plugins/hub-withdraw.js";
+import { HubPrefixPlugin } from "../plugins/hub-schema-prefix.js";
+import { isUuid } from "../util.js";
+import { HubUserBalanceByCurrencyPlugin } from "../plugins/hub-user-balance-by-currency.js";
+import { logger } from "../logger.js";
+import { ValidateCasinoFieldsPlugin } from "../plugins/validate-fields.js";
+import { HubAddCasinoPlugin } from "../plugins/hub-add-casino.js";
+import { HubBalanceAlertPlugin } from "../plugins/hub-balance-alert.js";
+import { custom as customPgOmitArchivedPlugin } from "@graphile-contrib/pg-omit-archived";
+import { HubCurrentXPlugin } from "../plugins/hub-current-x.js";
+export const requiredPlugins = [
+    SmartTagsPlugin,
+    IdToNodeIdPlugin,
+    HubPrefixPlugin,
+    HubAuthenticatePlugin,
+    HubCurrentXPlugin,
+    HubWithdrawPlugin,
+    HubBalanceAlertPlugin,
+    HubUserBalanceByCurrencyPlugin,
+    HubAddCasinoPlugin,
+    ValidateCasinoFieldsPlugin,
+];
+export const defaultPlugins = [
+    ...(config.NODE_ENV === "development" ? [DebugPlugin] : []),
+    ...requiredPlugins,
+    HubClaimFaucetPlugin,
+    customPgOmitArchivedPlugin("deleted"),
+];
+export function createPreset({ plugins, exportSchemaSDLPath, extraPgSchemas, }) {
+    if (!exportSchemaSDLPath.startsWith("/")) {
+        throw new Error("exportSchemaSDLPath must be an absolute path");
+    }
+    if (!exportSchemaSDLPath.endsWith(".graphql")) {
+        throw new Error("exportSchemaSDLPath must end with .graphql");
+    }
+    const mutablePlugins = [...plugins];
+    for (const requiredPlugin of requiredPlugins) {
+        if (!plugins.some((plugin) => plugin === requiredPlugin)) {
+            logger.warn(`Adding required plugin "${requiredPlugin.name}"`);
+            mutablePlugins.unshift(requiredPlugin);
+        }
+    }
+    logger.info("Will save generated graphql schema to:", exportSchemaSDLPath);
+    const preset = {
+        extends: [PostGraphileAmberPreset],
+        disablePlugins: ["NodePlugin"],
+        pgServices: [
+            makePgService({
+                connectionString: config.DATABASE_URL,
+                schemas: [...extraPgSchemas, "hub"],
+            }),
+        ],
+        schema: {
+            dontSwallowErrors: true,
+            exportSchemaSDLPath,
+            sortExport: true,
+            defaultBehavior: [
+                "-resource:update",
+                "-resource:delete",
+                "-resource:insert",
+                "-query:resource:list",
+                "-query:resource:connection",
+            ].join(" "),
+            pgDeletedColumnName: "deleted_at",
+        },
+        grafserv: {
+            dangerouslyAllowAllCORSRequests: true,
+            websockets: true,
+            maskError(error) {
+                return maskError(error);
+            },
+        },
+        grafast: {
+            context(ctx, _args) {
+                if (ctx.ws) {
+                    return handleWebsocketContext(ctx) || {};
+                }
+                const expressReq = ctx.expressv4.req;
+                const reqIdentity = expressReq.identity;
+                let pluginIdentity = undefined;
+                if (reqIdentity?.kind === "operator") {
+                    pluginIdentity = {
+                        kind: "operator",
+                    };
+                }
+                else if (reqIdentity?.kind === "user") {
+                    pluginIdentity = {
+                        kind: "user",
+                        session: {
+                            user_id: reqIdentity.user.id,
+                            mp_user_id: reqIdentity.user.mp_user_id,
+                            casino_id: reqIdentity.user.casino_id,
+                            experience_id: reqIdentity.user.experience_id,
+                            session_id: reqIdentity.sessionId,
+                        },
+                    };
+                }
+                const pgSettings = {};
+                if (reqIdentity?.kind === "user") {
+                    pgSettings["session.user_id"] = reqIdentity.user.id;
+                    pgSettings["session.experience_id"] = reqIdentity.user.experience_id;
+                    pgSettings["session.casino_id"] = reqIdentity.user.casino_id;
+                    pgSettings["session.session_id"] = reqIdentity.sessionId;
+                }
+                else if (reqIdentity?.kind === "operator") {
+                    pgSettings["operator.api_key"] = reqIdentity.apiKey;
+                }
+                return {
+                    pgSettings,
+                    identity: pluginIdentity,
+                };
+            },
+        },
+        plugins: mutablePlugins,
+    };
+    return preset;
+}
+function getSessionIdFromWebsocketCtx(ctx) {
+    const value = Object.entries(ctx.ws.connectionParams).find(([key]) => key.toLowerCase() === "authorization")?.[1];
+    if (typeof value !== "string") {
+        return "";
+    }
+    const uuid = value.slice("session:".length);
+    return isUuid(uuid) ? uuid : "";
+}
+async function handleWebsocketContext(ctx) {
+    const sessionId = getSessionIdFromWebsocketCtx(ctx);
+    if (!sessionId) {
+        throw new Error("Unauthorized");
+    }
+    const result = await db.userFromActiveSessionKey(db.superuserPool, sessionId);
+    if (!result) {
+        throw new Error("Unauthorized");
+    }
+    const session = {
+        user_id: result.user.id,
+        mp_user_id: result.user.mp_user_id,
+        casino_id: result.user.casino_id,
+        experience_id: result.user.experience_id,
+        session_id: result.sessionId,
+    };
+    return {
+        pgSettings: {
+            "session.user_id": result.user.id,
+            "session.experience_id": result.user.experience_id,
+            "session.casino_id": result.user.casino_id,
+            "session.session_id": result.sessionId,
+        },
+        identity: {
+            kind: "user",
+            session,
+        },
+    };
+}

package/dist/src/server/handle-errors.d.ts

@@ -0,0 +1,10 @@
+import { GraphQLError } from "postgraphile/graphql";
+declare const pluck: (err: any) => {
+    [key: string]: any;
+};
+export declare const ERROR_MESSAGE_OVERRIDES: {
+    [code: string]: typeof pluck;
+};
+export declare function maskError(error: GraphQLError): GraphQLError;
+export default function handleErrors(errors: readonly GraphQLError[]): GraphQLError[];
+export {};

package/dist/src/server/handle-errors.js

@@ -0,0 +1,88 @@
+import { GraphQLError } from "postgraphile/graphql";
+import config from "../config.js";
+const isDev = config.NODE_ENV === "development";
+const isTest = config.NODE_ENV === "test";
+const camelCase = (s) => s.toLowerCase().replace(/(_\\w)/g, (m) => m[1].toUpperCase());
+const ERROR_PROPERTIES_TO_EXPOSE = isDev || isTest
+    ? [
+        "code",
+        "severity",
+        "detail",
+        "hint",
+        "position",
+        "internalPosition",
+        "internalQuery",
+        "where",
+        "schema",
+        "table",
+        "column",
+        "dataType",
+        "constraint",
+    ]
+    : ["code"];
+const pluck = (err) => {
+    return ERROR_PROPERTIES_TO_EXPOSE.reduce((memo, key) => {
+        const value = key === "code"
+            ?
+                err.code || err.errcode
+            : err[key];
+        if (value != null) {
+            memo[key] = value;
+        }
+        return memo;
+    }, Object.create(null));
+};
+export const ERROR_MESSAGE_OVERRIDES = {
+    "42501": (err) => ({
+        ...pluck(err),
+        message: "Permission denied (by RLS)",
+    }),
+    "23505": (err) => ({
+        ...pluck(err),
+        message: "Conflict occurred",
+        fields: conflictFieldsFromError(err),
+        code: "NUNIQ",
+    }),
+    "23503": (err) => ({
+        ...pluck(err),
+        message: "Invalid reference",
+        fields: conflictFieldsFromError(err),
+        code: "BADFK",
+    }),
+};
+function conflictFieldsFromError(err) {
+    const { table, constraint } = err;
+    if (constraint && table) {
+        const PREFIX = `${table}_`;
+        const SUFFIX_LIST = [`_key`, `_fkey`];
+        if (constraint.startsWith(PREFIX)) {
+            const matchingSuffix = SUFFIX_LIST.find((SUFFIX) => constraint.endsWith(SUFFIX));
+            if (matchingSuffix) {
+                const maybeColumnNames = constraint.substr(PREFIX.length, constraint.length - PREFIX.length - matchingSuffix.length);
+                return [camelCase(maybeColumnNames)];
+            }
+        }
+    }
+    return undefined;
+}
+export function maskError(error) {
+    const { message: rawMessage, originalError } = error;
+    const code = originalError ? originalError["code"] : null;
+    const localPluck = ERROR_MESSAGE_OVERRIDES[code] || pluck;
+    const exception = localPluck(originalError || error);
+    const options = {
+        nodes: error.nodes,
+        source: error.source,
+        positions: error.positions,
+        path: error.path,
+        originalError: error.originalError,
+        extensions: {
+            exception,
+            code: code || exception.code || error.extensions.code,
+        },
+    };
+    return new GraphQLError(exception.message || rawMessage, options);
+}
+export default function handleErrors(errors) {
+    return errors.map(maskError);
+}

package/dist/src/server/index.d.ts

@@ -0,0 +1,2 @@
+import { ServerOptions } from "../index.js";
+export declare function listen({ configureApp, plugins, exportSchemaSDLPath, extraPgSchemas, }: Pick<ServerOptions, "plugins" | "exportSchemaSDLPath" | "extraPgSchemas" | "configureApp">): Promise<void>;

package/dist/src/server/index.js

@@ -0,0 +1,69 @@
+import { createServer } from "node:http";
+import { grafserv } from "grafserv/express/v4";
+import postgraphile from "postgraphile";
+import { createPreset, defaultPlugins } from "./graphile.config.js";
+import express from "express";
+import config from "../config.js";
+import { logger } from "../logger.js";
+import cors from "./middleware/cors.js";
+import authentication from "./middleware/authentication.js";
+import path, { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import fs from "node:fs";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+function findDistDirectory(startPath) {
+    let currentPath = startPath;
+    while (currentPath !== "/") {
+        console.log(currentPath);
+        const distPath = path.join(currentPath, "dist");
+        if (fs.existsSync(distPath)) {
+            return distPath;
+        }
+        currentPath = path.dirname(currentPath);
+    }
+    return null;
+}
+const distDir = findDistDirectory(__dirname);
+if (!distDir) {
+    throw new Error("Could not find dist directory");
+}
+const dashboardDir = path.join(distDir, "dashboard");
+if (!fs.existsSync(dashboardDir)) {
+    throw new Error(`Could not find dashboard directory. Expected it to be at "${dashboardDir}"`);
+}
+function createExpressServer() {
+    const app = express();
+    app.disable("x-powered-by");
+    app.use(cors());
+    app.use(authentication());
+    app.use("/dashboard", express.static(dashboardDir));
+    app.use("/dashboard/*splat", (_, res) => {
+        res.sendFile(path.join(dashboardDir, "index.html"));
+    });
+    return app;
+}
+export async function listen({ configureApp, plugins, exportSchemaSDLPath, extraPgSchemas, }) {
+    const expressServer = createExpressServer();
+    const preset = createPreset({
+        plugins: plugins ?? defaultPlugins,
+        exportSchemaSDLPath,
+        extraPgSchemas: extraPgSchemas ?? [],
+    });
+    const pgl = postgraphile.default(preset);
+    const serv = pgl.createServ(grafserv);
+    if (configureApp) {
+        configureApp(expressServer);
+    }
+    const server = createServer(expressServer);
+    server.on("error", (e) => {
+        logger.error(e);
+    });
+    serv.addTo(expressServer, server).catch((e) => {
+        logger.error(e);
+        process.exit(1);
+    });
+    return new Promise((resolve) => {
+        server.listen(config.PORT, resolve);
+    });
+}

package/dist/src/server/middleware/authentication.d.ts

@@ -0,0 +1,4 @@
+import { Response, NextFunction } from "express";
+import { HubRequest } from "../../express.js";
+declare const authentication: () => (req: HubRequest, _: Response, next: NextFunction) => Promise<void>;
+export default authentication;

package/dist/src/server/middleware/authentication.js

@@ -0,0 +1,55 @@
+import { isUuid } from "../../util.js";
+import * as db from "../../db/index.js";
+async function checkAndUpdateApiKey(key) {
+    const row = await db.superuserPool
+        .query(`
+    UPDATE hub.api_key 
+    SET last_used_at = now()
+    WHERE key = $1::uuid 
+    AND revoked_at IS NULL
+    RETURNING id`, [key])
+        .then(db.maybeOneRow);
+    return !!row;
+}
+const authentication = () => {
+    return async (req, _, next) => {
+        const header = req.get("authorization");
+        if (!header) {
+            return next();
+        }
+        const match = header.match(/^(session|apikey):(.+)$/);
+        if (!match) {
+            return next();
+        }
+        const tokenType = match[1];
+        const token = match[2];
+        if (!isUuid(token)) {
+            return next();
+        }
+        if (tokenType === "session") {
+            const sessionKey = token;
+            const result = await db.userFromActiveSessionKey(db.superuserPool, sessionKey);
+            if (result) {
+                req.identity = {
+                    kind: "user",
+                    user: result.user,
+                    sessionId: result.sessionId,
+                };
+            }
+            return next();
+        }
+        else if (tokenType === "apikey") {
+            const apiKey = token;
+            const isValid = await checkAndUpdateApiKey(apiKey);
+            if (isValid) {
+                req.identity = {
+                    kind: "operator",
+                    apiKey,
+                };
+            }
+            return next();
+        }
+        return next();
+    };
+};
+export default authentication;

package/dist/src/server/middleware/cors.d.ts

@@ -0,0 +1,3 @@
+import { Request, Response, NextFunction } from "express";
+declare const cors: () => (req: Request, res: Response, next: NextFunction) => Promise<void>;
+export default cors;

package/dist/src/server/middleware/cors.js

@@ -0,0 +1,14 @@
+const cors = () => {
+    return async (req, res, next) => {
+        res.header("Access-Control-Allow-Origin", "*");
+        res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
+        if (req.method === "OPTIONS") {
+            res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH");
+            res.header("Access-Control-Max-Age", "86400");
+            res.status(204).end();
+            return;
+        }
+        next();
+    };
+};
+export default cors;

package/dist/src/services/jwt-service.d.ts

@@ -0,0 +1,13 @@
+import { PoolClient } from "pg";
+import { GraphQLClient } from "graphql-request";
+import { QueryExecutor, Result } from "../util.js";
+export declare function verifyJwtFromDbCacheAndEnsureNotAlreadyUsed(pgClient: PoolClient, { casinoId, jwt, }: {
+    casinoId: string;
+    jwt: string;
+}): Promise<Result<{
+    userToken: string;
+}, string>>;
+export declare function refreshCasinoJwksTask(pgClient: QueryExecutor, { casinoId, graphqlClient, }: {
+    casinoId: string;
+    graphqlClient: GraphQLClient;
+}): Promise<void>;

package/dist/src/services/jwt-service.js

@@ -0,0 +1,131 @@
+import { z } from "zod";
+import * as jose from "jose";
+import { gql } from "../__generated__/gql.js";
+import { maybeOneRow } from "../db/util.js";
+import { logger } from "../logger.js";
+const CACHE_TTL = "5 minutes";
+const GET_CASINO_JWKS = gql(`
+  query GetCasinoJWKS {
+    jwks
+  }
+`);
+const JSONWebKeySetSchema = z.object({
+    keys: z
+        .array(z.object({
+        kty: z.literal("OKP"),
+        kid: z.string().uuid(),
+        use: z.literal("sig"),
+        alg: z.literal("EdDSA"),
+        crv: z.literal("Ed25519"),
+        x: z.string(),
+    }))
+        .min(1),
+});
+async function dbInsertCasinoJWKS(pgClient, { casinoId, jwks: unvalidatedJwks, }) {
+    logger.debug(`[dbInsertCasinoJWKS] Inserting JWKS for casino ${casinoId}`, unvalidatedJwks);
+    const result = JSONWebKeySetSchema.safeParse(unvalidatedJwks);
+    if (!result.success) {
+        throw new Error(`Will not insert invalid JWKS into database: ${result.error}`);
+    }
+    await pgClient.query(`
+    WITH old_value AS (
+      SELECT jwks FROM hub.jwk_set WHERE casino_id = $1
+    ),
+    updated AS (
+      INSERT INTO hub.jwk_set(casino_id, jwks)
+      VALUES($1, $2)
+      ON CONFLICT (casino_id) DO UPDATE
+      SET jwks = EXCLUDED.jwks,
+          updated_at = NOW()
+      RETURNING casino_id, jwks,
+               (
+                 NOT EXISTS (SELECT 1 FROM old_value) -- new insert
+                 OR 
+                 (SELECT jwks::jsonb FROM old_value) IS DISTINCT FROM $2::jsonb -- content changed
+               ) as changed
+    )
+    INSERT INTO hub.jwk_set_snapshot(casino_id, jwks)
+    SELECT casino_id, jwks FROM updated
+    WHERE changed = true
+  `, [casinoId, result.data]);
+}
+async function dbGetCasinoJWKS(pgClient, { casinoId }) {
+    const jwks = await pgClient
+        .query(`
+    SELECT *
+    FROM hub.jwk_set
+    WHERE casino_id = $1 
+  `, [casinoId])
+        .then(maybeOneRow);
+    return jwks ?? null;
+}
+async function mpFetchCasinoJWKS(graphqlClient) {
+    console.log("sending request to casino");
+    const response = await graphqlClient.request(GET_CASINO_JWKS);
+    console.log("response", response);
+    const jwks = response.jwks;
+    if (jwks.keys.length === 0) {
+        throw new Error("No JWKS keys found in response");
+    }
+    const parseResult = JSONWebKeySetSchema.safeParse(jwks);
+    if (!parseResult.success) {
+        throw new Error("Invalid JWKS from casino", parseResult.error);
+    }
+    return parseResult.data;
+}
+export async function verifyJwtFromDbCacheAndEnsureNotAlreadyUsed(pgClient, { casinoId, jwt, }) {
+    const jwksRow = await dbGetCasinoJWKS(pgClient, { casinoId });
+    if (!jwksRow) {
+        throw new Error("No JWKS found in database");
+    }
+    const joseJwks = await jose.createLocalJWKSet(jwksRow.jwks);
+    let result;
+    try {
+        result = await jose.jwtVerify(jwt, joseJwks);
+    }
+    catch (e) {
+        if (e instanceof jose.errors.JWTExpired) {
+            return { ok: false, error: "User token expired" };
+        }
+        return { ok: false, error: "Invalid user token" };
+    }
+    const { userToken } = result.payload;
+    if (typeof userToken !== "string") {
+        return { ok: false, error: "No user token found in JWT" };
+    }
+    const alreadyUsed = await dbAlreadyUsedUserToken(pgClient, { userToken });
+    if (alreadyUsed) {
+        return { ok: false, error: "User token already used" };
+    }
+    return { ok: true, value: { userToken } };
+}
+async function dbAlreadyUsedUserToken(pgClient, { userToken }) {
+    const result = await pgClient
+        .query(`
+      SELECT 1
+      FROM hub.session
+      WHERE user_token = $1
+
+      FOR UPDATE SKIP LOCKED  
+    `, [userToken])
+        .then(maybeOneRow);
+    return !!result;
+}
+export async function refreshCasinoJwksTask(pgClient, { casinoId, graphqlClient, }) {
+    const cacheHit = await pgClient
+        .query(`
+        SELECT 1
+        FROM hub.jwk_set 
+        WHERE casino_id = $1 
+        AND updated_at > NOW() - $2::interval
+      `, [casinoId, CACHE_TTL])
+        .then((res) => res.rows.length > 0);
+    if (cacheHit) {
+        return;
+    }
+    const jwks = await mpFetchCasinoJWKS(graphqlClient);
+    await dbInsertCasinoJWKS(pgClient, {
+        casinoId,
+        jwks,
+    });
+}

package/dist/src/smart-tags.d.ts

@@ -0,0 +1 @@
+export declare const SmartTagsPlugin: GraphileConfig.Plugin;

package/dist/src/smart-tags.js

@@ -0,0 +1,55 @@
+import { makeJSONPgSmartTagsPlugin } from "postgraphile/utils";
+export const SmartTagsPlugin = makeJSONPgSmartTagsPlugin({
+    version: 1,
+    config: {
+        attribute: {
+            "hub.casino.id": {
+                tags: {
+                    behavior: ["-attribute:update"],
+                },
+            },
+            "hub.session.user_token": {
+                tags: {
+                    behavior: ["-orderBy"],
+                },
+            },
+            "hub.session.key": {
+                tags: {
+                    behavior: ["-orderBy"],
+                },
+            },
+            "hub.bankroll.amount": {
+                tags: {
+                    behavior: ["+attribute:update"],
+                },
+            },
+        },
+        class: {
+            "hub.balance": {
+                tags: {
+                    behavior: ["-resource:select"],
+                },
+            },
+            "hub.bankroll": {
+                tags: {
+                    behavior: ["+resource:update"],
+                },
+            },
+            "hub.casino": {
+                tags: {
+                    behavior: [
+                        "+query:resource:connection",
+                        "+resource:update",
+                    ],
+                },
+            },
+            "hub.api_key": {
+                tags: {
+                    behavior: [
+                        "+query:resource:connection",
+                    ],
+                },
+            },
+        },
+    },
+});

package/dist/src/util.d.ts

@@ -0,0 +1,12 @@
+import { QueryResult, QueryResultRow } from "pg";
+export declare function isUuid(input: any): boolean;
+export interface QueryExecutor {
+    query<T extends QueryResultRow = any>(queryText: string, values?: any[]): Promise<QueryResult<T>>;
+}
+export type Result<V, E> = {
+    ok: true;
+    value: V;
+} | {
+    ok: false;
+    error: E;
+};

package/dist/src/util.js

@@ -0,0 +1,4 @@
+const UUID_REGEX = /^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$/;
+export function isUuid(input) {
+    return typeof input === "string" && UUID_REGEX.test(input);
+}

package/dist/src/validate.d.ts

@@ -0,0 +1,9 @@
+import * as Yup from "yup";
+export declare const isUuid: {
+    name: string;
+    message: string;
+    test(value: string | undefined): boolean;
+};
+export declare const graphqlUrl: () => Yup.StringSchema<string | undefined, Yup.AnyObject, undefined, "">;
+export declare const baseUrl: () => Yup.StringSchema<string | undefined, Yup.AnyObject, undefined, "">;
+export declare const uuid: () => Yup.StringSchema<string | undefined, Yup.AnyObject, undefined, "">;