Implement request owner in GetTokenAccountInfos

jeffyanta · jeffyanta · commit 2d0616d651e8 · 2025-06-05T13:34:30.000-04:00
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	filippo.io/edwards25519 v1.1.0
 	github.com/aws/aws-sdk-go-v2 v0.17.0
 	github.com/bits-and-blooms/bloom/v3 v3.1.0
-	github.com/code-payments/code-protobuf-api v1.19.1-0.20250603030803-cbe2bfca5052
+	github.com/code-payments/code-protobuf-api v1.19.1-0.20250605155512-63da5d11d58a
 	github.com/code-payments/code-vm-indexer v0.1.11-0.20241028132209-23031e814fba
 	github.com/emirpasic/gods v1.12.0
 	github.com/envoyproxy/protoc-gen-validate v1.2.1
diff --git a/go.sum b/go.sum
@@ -80,8 +80,8 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/code-payments/code-protobuf-api v1.19.1-0.20250603030803-cbe2bfca5052 h1:lfxaakPHAWFPukrqsUn8nYdpw1WaXQfP4KLCzmL8UxU=
-github.com/code-payments/code-protobuf-api v1.19.1-0.20250603030803-cbe2bfca5052/go.mod h1:ee6TzKbgMS42ZJgaFEMG3c4R3dGOiffHSu6MrY7WQvs=
+github.com/code-payments/code-protobuf-api v1.19.1-0.20250605155512-63da5d11d58a h1:h5AFZjmn+Zzkkd0u2Y+h9msj7HYBOSI3l4i5CD0ls34=
+github.com/code-payments/code-protobuf-api v1.19.1-0.20250605155512-63da5d11d58a/go.mod h1:ee6TzKbgMS42ZJgaFEMG3c4R3dGOiffHSu6MrY7WQvs=
 github.com/code-payments/code-vm-indexer v0.1.11-0.20241028132209-23031e814fba h1:Bkp+gmeb6Y2PWXfkSCTMBGWkb2P1BujRDSjWeI+0j5I=
 github.com/code-payments/code-vm-indexer v0.1.11-0.20241028132209-23031e814fba/go.mod h1:jSiifpiBpyBQ8q2R0MGEbkSgWC6sbdRTyDBntmW+j1E=
 github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 h1:NmTXa/uVnDyp0TY5MKi197+3HWcnYWfnHGyaFthlnGw=
diff --git a/pkg/code/auth/signature.go b/pkg/code/auth/signature.go
@@ -68,6 +68,10 @@ var defaultMarshalStrategies = []marshalStrategy{
 }
 
 func (v *RPCSignatureVerifier) isSignatureVerifiedProtoMessage(owner *common.Account, message proto.Message, signature *commonpb.Signature) (bool, error) {
+	if signature == nil {
+		return false, nil
+	}
+
 	for _, marshalStrategy := range defaultMarshalStrategies {
 		messageBytes, err := marshalStrategy(message)
 		if err != nil {
diff --git a/pkg/code/auth/signature_test.go b/pkg/code/auth/signature_test.go
@@ -54,6 +54,9 @@ func TestAuthenticate(t *testing.T) {
 		err = env.verifier.Authenticate(env.ctx, ownerAccount, msg, signatureProto)
 		require.NoError(t, err)
 
+		err = env.verifier.Authenticate(env.ctx, ownerAccount, msg, nil)
+		testutil.AssertStatusErrorWithCode(t, err, codes.Unauthenticated)
+
 		signature, err = maliciousAccount.Sign(msgBytes)
 		require.NoError(t, err)
 		signatureProto = &commonpb.Signature{
diff --git a/pkg/code/server/account/server.go b/pkg/code/server/account/server.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"time"
 
+	"github.com/golang/protobuf/proto"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -102,15 +103,44 @@ func (s *server) GetTokenAccountInfos(ctx context.Context, req *accountpb.GetTok
 	}
 	log = log.WithField("owner_account", owner.PublicKey().ToBase58())
 
-	signature := req.Signature
+	ownerSignature := req.Signature
 	req.Signature = nil
-	if err := s.auth.Authenticate(ctx, owner, req, signature); err != nil {
+
+	var requestingOwner *common.Account
+	var requestingOwnerSignature *commonpb.Signature
+	if req.RequestingOwner != nil {
+		requestingOwner, err = common.NewAccountFromProto(req.RequestingOwner)
+		if err != nil {
+			log.WithError(err).Warn("invalid requesting owner account")
+			return nil, status.Error(codes.Internal, "")
+		}
+		log = log.WithField("requesting_owner_account", requestingOwner.PublicKey().ToBase58())
+
+		requestingOwnerSignature = req.RequestingOwnerSignature
+		req.RequestingOwnerSignature = nil
+	}
+
+	if err := s.auth.Authenticate(ctx, owner, req, ownerSignature); err != nil {
 		return nil, err
 	}
+	if requestingOwner != nil {
+		if err := s.auth.Authenticate(ctx, requestingOwner, req, requestingOwnerSignature); err != nil {
+			return nil, err
+		}
+	}
 
 	cachedResp, ok := giftCardCacheByOwner.Retrieve(owner.PublicKey().ToBase58())
 	if ok {
-		return cachedResp.(*accountpb.GetTokenAccountInfosResponse), nil
+		cachedResp := cachedResp.(*accountpb.GetTokenAccountInfosResponse)
+
+		s.updateCachedResponse(cachedResp)
+
+		resp, err := s.addRequestingOwnerMetadata(ctx, cachedResp, requestingOwner)
+		if err != nil {
+			log.WithError(err).Warn("failure adding requesting owner metadata")
+			return nil, status.Error(codes.Internal, "")
+		}
+		return resp, nil
 	}
 
 	// Fetch all account records
@@ -175,6 +205,11 @@ func (s *server) GetTokenAccountInfos(ctx context.Context, req *accountpb.GetTok
 		}
 	}
 
+	resp, err = s.addRequestingOwnerMetadata(ctx, resp, requestingOwner)
+	if err != nil {
+		log.WithError(err).Warn("failure adding requesting owner metadata")
+		return nil, status.Error(codes.Internal, "")
+	}
 	return resp, nil
 }
 
@@ -397,3 +432,46 @@ func (s *server) getOriginalGiftCardExchangeData(ctx context.Context, records *c
 		Quarks:       intentRecord.SendPublicPaymentMetadata.Quantity,
 	}, nil
 }
+
+func (s *server) addRequestingOwnerMetadata(ctx context.Context, resp *accountpb.GetTokenAccountInfosResponse, requestingOwner *common.Account) (*accountpb.GetTokenAccountInfosResponse, error) {
+	if requestingOwner == nil {
+		return resp, nil
+	}
+
+	cloned := proto.Clone(resp).(*accountpb.GetTokenAccountInfosResponse)
+
+	for _, ai := range cloned.TokenAccountInfos {
+		switch ai.AccountType {
+		case commonpb.AccountType_REMOTE_SEND_GIFT_CARD:
+			giftCardVaultAccount, err := common.NewAccountFromProto(ai.Address)
+			if err != nil {
+				return nil, err
+			}
+
+			intentRecord, err := s.data.GetOriginalGiftCardIssuedIntent(ctx, giftCardVaultAccount.PublicKey().ToBase58())
+			if err != nil {
+				return nil, err
+			}
+
+			if intentRecord.InitiatorOwnerAccount == requestingOwner.PublicKey().ToBase58() {
+				ai.IsGiftCardIssuer = true
+			}
+		}
+	}
+
+	return cloned, nil
+}
+
+func (s *server) updateCachedResponse(resp *accountpb.GetTokenAccountInfosResponse) {
+	for _, ai := range resp.TokenAccountInfos {
+		switch ai.AccountType {
+		case commonpb.AccountType_REMOTE_SEND_GIFT_CARD:
+			// Transition any gift card records to expired if we elapsed the expiry window
+			if time.Since(ai.CreatedAt.AsTime()) >= async_account.GiftCardExpiry {
+				ai.ClaimState = accountpb.TokenAccountInfo_CLAIM_STATE_EXPIRED
+				ai.BalanceSource = accountpb.TokenAccountInfo_BALANCE_SOURCE_CACHE
+				ai.Balance = 0
+			}
+		}
+	}
+}
diff --git a/pkg/code/server/account/server_test.go b/pkg/code/server/account/server_test.go
@@ -363,26 +363,16 @@ func TestGetTokenAccountInfos_RemoteSendGiftCard_HappyPath(t *testing.T) {
 			expectedClaimState:       accountpb.TokenAccountInfo_CLAIM_STATE_CLAIMED,
 		},
 	} {
-		ownerAccount := testutil.NewRandomAccount(t)
-		timelockAccounts, err := ownerAccount.GetTimelockAccounts(common.CodeVmAccount, common.CoreMintAccount)
-		require.NoError(t, err)
+		giftCardIssuerOwnerAccount := testutil.NewRandomAccount(t)
+		giftCardOwnerAccount := testutil.NewRandomAccount(t)
 
-		req := &accountpb.GetTokenAccountInfosRequest{
-			Owner: ownerAccount.ToProto(),
-		}
-		reqBytes, err := proto.Marshal(req)
-		require.NoError(t, err)
-		req.Signature = &commonpb.Signature{
-			Value: ed25519.Sign(ownerAccount.PrivateKey().ToBytes(), reqBytes),
-		}
-
-		accountRecords := setupAccountRecords(t, env, ownerAccount, ownerAccount, 0, commonpb.AccountType_REMOTE_SEND_GIFT_CARD)
+		accountRecords := setupAccountRecords(t, env, giftCardOwnerAccount, giftCardOwnerAccount, 0, commonpb.AccountType_REMOTE_SEND_GIFT_CARD)
 
 		giftCardIssuedIntentRecord := &intent.Record{
 			IntentId:   testutil.NewRandomAccount(t).PublicKey().ToBase58(),
 			IntentType: intent.SendPublicPayment,
 
-			InitiatorOwnerAccount: testutil.NewRandomAccount(t).PrivateKey().ToBase58(),
+			InitiatorOwnerAccount: giftCardIssuerOwnerAccount.PublicKey().ToBase58(),
 
 			SendPublicPaymentMetadata: &intent.SendPublicPaymentMetadata{
 				DestinationTokenAccount: accountRecords.General.TokenAccount,
@@ -444,43 +434,73 @@ func TestGetTokenAccountInfos_RemoteSendGiftCard_HappyPath(t *testing.T) {
 		accountRecords.Timelock.Block += 1
 		require.NoError(t, env.data.SaveTimelock(env.ctx, accountRecords.Timelock))
 
-		resp, err := env.client.GetTokenAccountInfos(env.ctx, req)
-		require.NoError(t, err)
-		assert.Equal(t, accountpb.GetTokenAccountInfosResponse_OK, resp.Result)
-		assert.Len(t, resp.TokenAccountInfos, 1)
+		for _, requestingOwnerAccount := range []*common.Account{
+			nil,
+			testutil.NewRandomAccount(t),
+			giftCardIssuerOwnerAccount,
+		} {
+			timelockAccounts, err := giftCardOwnerAccount.GetTimelockAccounts(common.CodeVmAccount, common.CoreMintAccount)
+			require.NoError(t, err)
 
-		accountInfo, ok := resp.TokenAccountInfos[timelockAccounts.Vault.PublicKey().ToBase58()]
-		require.True(t, ok)
+			req := &accountpb.GetTokenAccountInfosRequest{
+				Owner: giftCardOwnerAccount.ToProto(),
+			}
+			if requestingOwnerAccount != nil {
+				req.RequestingOwner = requestingOwnerAccount.ToProto()
+			}
+			reqBytes, err := proto.Marshal(req)
+			require.NoError(t, err)
+			sig1 := &commonpb.Signature{
+				Value: ed25519.Sign(giftCardOwnerAccount.PrivateKey().ToBytes(), reqBytes),
+			}
+			if requestingOwnerAccount != nil {
+				sig2 := &commonpb.Signature{
+					Value: ed25519.Sign(requestingOwnerAccount.PrivateKey().ToBytes(), reqBytes),
+				}
+				req.RequestingOwnerSignature = sig2
+			}
+			req.Signature = sig1
 
-		assert.Equal(t, commonpb.AccountType_REMOTE_SEND_GIFT_CARD, accountInfo.AccountType)
-		assert.Equal(t, ownerAccount.PublicKey().ToBytes(), accountInfo.Owner.Value)
-		assert.Equal(t, ownerAccount.PublicKey().ToBytes(), accountInfo.Authority.Value)
-		assert.Equal(t, timelockAccounts.Vault.PublicKey().ToBytes(), accountInfo.Address.Value)
-		assert.Equal(t, common.CoreMintAccount.PublicKey().ToBytes(), accountInfo.Mint.Value)
-		assert.EqualValues(t, 0, accountInfo.Index)
+			resp, err := env.client.GetTokenAccountInfos(env.ctx, req)
+			require.NoError(t, err)
+			assert.Equal(t, accountpb.GetTokenAccountInfosResponse_OK, resp.Result)
+			assert.Len(t, resp.TokenAccountInfos, 1)
 
-		assert.Equal(t, tc.expectedBalanceSource, accountInfo.BalanceSource)
-		if tc.simulateClaimInCode || tc.simulateAutoReturnInCode || tc.expectedClaimState == accountpb.TokenAccountInfo_CLAIM_STATE_CLAIMED || tc.expectedClaimState == accountpb.TokenAccountInfo_CLAIM_STATE_EXPIRED {
-			assert.EqualValues(t, 0, accountInfo.Balance)
-		} else if tc.expectedBalanceSource == accountpb.TokenAccountInfo_BALANCE_SOURCE_CACHE {
-			assert.EqualValues(t, tc.balance, accountInfo.Balance)
-		} else {
-			assert.EqualValues(t, 0, accountInfo.Balance)
-		}
+			accountInfo, ok := resp.TokenAccountInfos[timelockAccounts.Vault.PublicKey().ToBase58()]
+			require.True(t, ok)
 
-		assert.Equal(t, tc.expectedManagementState, accountInfo.ManagementState)
-		assert.Equal(t, tc.expectedBlockchainState, accountInfo.BlockchainState)
-		assert.Equal(t, tc.expectedClaimState, accountInfo.ClaimState)
+			assert.Equal(t, commonpb.AccountType_REMOTE_SEND_GIFT_CARD, accountInfo.AccountType)
+			assert.Equal(t, giftCardOwnerAccount.PublicKey().ToBytes(), accountInfo.Owner.Value)
+			assert.Equal(t, giftCardOwnerAccount.PublicKey().ToBytes(), accountInfo.Authority.Value)
+			assert.Equal(t, timelockAccounts.Vault.PublicKey().ToBytes(), accountInfo.Address.Value)
+			assert.Equal(t, common.CoreMintAccount.PublicKey().ToBytes(), accountInfo.Mint.Value)
+			assert.EqualValues(t, 0, accountInfo.Index)
 
-		require.NotNil(t, accountInfo.OriginalExchangeData)
-		assert.EqualValues(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.ExchangeCurrency, accountInfo.OriginalExchangeData.Currency)
-		assert.Equal(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.ExchangeRate, accountInfo.OriginalExchangeData.ExchangeRate)
-		assert.Equal(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.NativeAmount, accountInfo.OriginalExchangeData.NativeAmount)
-		assert.Equal(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.Quantity, accountInfo.OriginalExchangeData.Quarks)
+			assert.Equal(t, tc.expectedBalanceSource, accountInfo.BalanceSource)
+			if tc.simulateClaimInCode || tc.simulateAutoReturnInCode || tc.expectedClaimState == accountpb.TokenAccountInfo_CLAIM_STATE_CLAIMED || tc.expectedClaimState == accountpb.TokenAccountInfo_CLAIM_STATE_EXPIRED {
+				assert.EqualValues(t, 0, accountInfo.Balance)
+			} else if tc.expectedBalanceSource == accountpb.TokenAccountInfo_BALANCE_SOURCE_CACHE {
+				assert.EqualValues(t, tc.balance, accountInfo.Balance)
+			} else {
+				assert.EqualValues(t, 0, accountInfo.Balance)
+			}
 
-		accountInfoRecord, err := env.data.GetLatestAccountInfoByOwnerAddressAndType(env.ctx, ownerAccount.PublicKey().ToBase58(), commonpb.AccountType_REMOTE_SEND_GIFT_CARD)
-		require.NoError(t, err)
-		assert.False(t, accountInfoRecord.RequiresDepositSync)
+			assert.Equal(t, tc.expectedManagementState, accountInfo.ManagementState)
+			assert.Equal(t, tc.expectedBlockchainState, accountInfo.BlockchainState)
+			assert.Equal(t, tc.expectedClaimState, accountInfo.ClaimState)
+
+			require.NotNil(t, accountInfo.OriginalExchangeData)
+			assert.EqualValues(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.ExchangeCurrency, accountInfo.OriginalExchangeData.Currency)
+			assert.Equal(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.ExchangeRate, accountInfo.OriginalExchangeData.ExchangeRate)
+			assert.Equal(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.NativeAmount, accountInfo.OriginalExchangeData.NativeAmount)
+			assert.Equal(t, giftCardIssuedIntentRecord.SendPublicPaymentMetadata.Quantity, accountInfo.OriginalExchangeData.Quarks)
+
+			assert.Equal(t, requestingOwnerAccount != nil && requestingOwnerAccount == giftCardIssuerOwnerAccount, accountInfo.IsGiftCardIssuer)
+
+			accountInfoRecord, err := env.data.GetLatestAccountInfoByOwnerAddressAndType(env.ctx, giftCardOwnerAccount.PublicKey().ToBase58(), commonpb.AccountType_REMOTE_SEND_GIFT_CARD)
+			require.NoError(t, err)
+			assert.False(t, accountInfoRecord.RequiresDepositSync)
+		}
 	}
 }
 
@@ -618,7 +638,7 @@ func TestUnauthenticatedRPC(t *testing.T) {
 	defer cleanup()
 
 	ownerAccount := testutil.NewRandomAccount(t)
-	// swapAuthorityAccount := testutil.NewRandomAccount(t)
+	requestingOwnerAccount := testutil.NewRandomAccount(t)
 	maliciousAccount := testutil.NewRandomAccount(t)
 
 	isCodeAccountReq := &accountpb.IsCodeAccountRequest{
@@ -644,6 +664,37 @@ func TestUnauthenticatedRPC(t *testing.T) {
 
 	_, err = env.client.GetTokenAccountInfos(env.ctx, getTokenAccountInfosReq)
 	testutil.AssertStatusErrorWithCode(t, err, codes.Unauthenticated)
+
+	getTokenAccountInfosReq = &accountpb.GetTokenAccountInfosRequest{
+		Owner:           ownerAccount.ToProto(),
+		RequestingOwner: requestingOwnerAccount.ToProto(),
+	}
+	reqBytes, err = proto.Marshal(getTokenAccountInfosReq)
+	require.NoError(t, err)
+	getTokenAccountInfosReq.Signature = &commonpb.Signature{
+		Value: ed25519.Sign(ownerAccount.PrivateKey().ToBytes(), reqBytes),
+	}
+
+	_, err = env.client.GetTokenAccountInfos(env.ctx, getTokenAccountInfosReq)
+	testutil.AssertStatusErrorWithCode(t, err, codes.Unauthenticated)
+
+	getTokenAccountInfosReq = &accountpb.GetTokenAccountInfosRequest{
+		Owner:           ownerAccount.ToProto(),
+		RequestingOwner: requestingOwnerAccount.ToProto(),
+	}
+	reqBytes, err = proto.Marshal(getTokenAccountInfosReq)
+	require.NoError(t, err)
+	sig1 := &commonpb.Signature{
+		Value: ed25519.Sign(ownerAccount.PrivateKey().ToBytes(), reqBytes),
+	}
+	sig2 := &commonpb.Signature{
+		Value: ed25519.Sign(maliciousAccount.PrivateKey().ToBytes(), reqBytes),
+	}
+	getTokenAccountInfosReq.Signature = sig1
+	getTokenAccountInfosReq.RequestingOwnerSignature = sig2
+
+	_, err = env.client.GetTokenAccountInfos(env.ctx, getTokenAccountInfosReq)
+	testutil.AssertStatusErrorWithCode(t, err, codes.Unauthenticated)
 }
 
 func setupAccountRecords(t *testing.T, env testEnv, ownerAccount, authorityAccount *common.Account, index uint64, accountType commonpb.AccountType) *common.AccountRecords {
@@ -722,18 +773,3 @@ func setupCachedBalance(t *testing.T, env testEnv, accountRecords *common.Accoun
 	}
 	require.NoError(t, env.data.SaveExternalDeposit(env.ctx, depositRecord))
 }
-
-func setupOpenAccountsIntent(t *testing.T, env testEnv, ownerAccount *common.Account) {
-	intentRecord := &intent.Record{
-		IntentId:   testutil.NewRandomAccount(t).PublicKey().ToBase58(),
-		IntentType: intent.OpenAccounts,
-
-		InitiatorOwnerAccount: ownerAccount.PublicKey().ToBase58(),
-
-		OpenAccountsMetadata: &intent.OpenAccountsMetadata{},
-
-		State: intent.StatePending,
-	}
-
-	require.NoError(t, env.data.SaveIntent(env.ctx, intentRecord))
-}
