feat(backend): enforce uniqueness on tenant wallet address prefixes (#3695)

njlie · web-flow · commit 2cc4ca13fefd · 2025-10-14T07:23:02.000-07:00
* feat(backend): ensure wallet address setting is unique on creation

* feat: test for update setting

* fix: tests
diff --git a/packages/backend/src/graphql/resolvers/tenant_settings.test.ts b/packages/backend/src/graphql/resolvers/tenant_settings.test.ts
@@ -27,6 +27,7 @@ import {
   errorToMessage,
   TenantSettingError
 } from '../../tenants/settings/errors'
+import { createTenantSettings } from '../../tests/tenantSettings'
 
 function createTenantedApolloClient(
   appContainer: TestContainer,
@@ -183,6 +184,71 @@ describe('Tenant Settings Resolvers', (): void => {
         )
       }
     })
+
+    test('errors if existing wallet address url is provided', async (): Promise<void> => {
+      const walletAddressUrl = faker.internet.url()
+      const existingTenant = await createTenant(deps)
+      await createTenantSettings(deps, {
+        tenantId: existingTenant.id,
+        setting: [
+          {
+            key: TenantSettingKeys.WALLET_ADDRESS_URL.name,
+            value: walletAddressUrl
+          }
+        ]
+      })
+
+      const newTenant = await createTenant(deps)
+      const client = await createTenantedApolloClient(
+        appContainer,
+        newTenant.id
+      )
+      expect.assertions(2)
+      try {
+        await client
+          .mutate({
+            mutation: gql`
+              mutation CreateTenantSettings(
+                $input: CreateTenantSettingsInput!
+              ) {
+                createTenantSettings(input: $input) {
+                  settings {
+                    key
+                    value
+                  }
+                }
+              }
+            `,
+            variables: {
+              input: {
+                settings: [
+                  {
+                    key: SchemaTenantSettingKey.WalletAddressUrl,
+                    value: walletAddressUrl
+                  }
+                ]
+              }
+            }
+          })
+          .then((query): CreateTenantSettingsMutationResponse => {
+            if (query.data) {
+              return query.data.createTenantSettings
+            }
+            throw new Error('Data was empty')
+          })
+      } catch (error) {
+        expect(error).toBeInstanceOf(ApolloError)
+        expect((error as ApolloError).graphQLErrors).toContainEqual(
+          expect.objectContaining({
+            message:
+              errorToMessage[TenantSettingError.DuplicateWalletAddressUrl],
+            extensions: expect.objectContaining({
+              code: errorToCode[TenantSettingError.DuplicateWalletAddressUrl]
+            })
+          })
+        )
+      }
+    })
   })
 
   describe('Get Tenant Settings', (): void => {
diff --git a/packages/backend/src/open_payments/wallet_address/service.test.ts b/packages/backend/src/open_payments/wallet_address/service.test.ts
@@ -107,7 +107,7 @@ describe('Open Payments Wallet Address Service', (): void => {
       isOperator | tenantSettingUrl
       ${false}   | ${undefined}
       ${true}    | ${undefined}
-      ${true}    | ${'https://alice.me'}
+      ${true}    | ${`https://alice.me/${uuid()}`}
     `(
       'operator - $isOperator with tenantSettingUrl - $tenantSettingUrl',
       async ({ isOperator, tenantSettingUrl }): Promise<void> => {
diff --git a/packages/backend/src/tenants/settings/errors.ts b/packages/backend/src/tenants/settings/errors.ts
@@ -3,7 +3,8 @@ import { GraphQLErrorCode } from '../../graphql/errors'
 export enum TenantSettingError {
   TenantNotFound = 'TenantNotFound',
   UnknownError = 'UnknownError',
-  InvalidSetting = 'InvalidSettingError'
+  InvalidSetting = 'InvalidSettingError',
+  DuplicateWalletAddressUrl = 'DuplicateWalletAddressUrl'
 }
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -15,7 +16,8 @@ export const errorToCode: {
 } = {
   [TenantSettingError.InvalidSetting]: GraphQLErrorCode.BadUserInput,
   [TenantSettingError.TenantNotFound]: GraphQLErrorCode.NotFound,
-  [TenantSettingError.UnknownError]: GraphQLErrorCode.InternalServerError
+  [TenantSettingError.UnknownError]: GraphQLErrorCode.InternalServerError,
+  [TenantSettingError.DuplicateWalletAddressUrl]: GraphQLErrorCode.BadUserInput
 }
 
 export const errorToMessage: {
@@ -24,5 +26,7 @@ export const errorToMessage: {
   [TenantSettingError.TenantNotFound]: 'Tenant not found',
   [TenantSettingError.UnknownError]: 'Unknown error',
   [TenantSettingError.InvalidSetting]:
-    'Invalid value for one or more tenant settings'
+    'Invalid value for one or more tenant settings',
+  [TenantSettingError.DuplicateWalletAddressUrl]:
+    'Wallet Address Url already exists'
 }
diff --git a/packages/backend/src/tenants/settings/service.test.ts b/packages/backend/src/tenants/settings/service.test.ts
@@ -286,6 +286,28 @@ describe('TenantSetting Service', (): void => {
         tenantSettingService.create(invalidIlpAddressSetting)
       ).resolves.toEqual(TenantSettingError.InvalidSetting)
     })
+
+    test('cannot create setting with a non-unique wallet address url', async (): Promise<void> => {
+      const existingTenant = await createTenant(deps)
+      const existingSetting = [
+        {
+          key: TenantSettingKeys.WALLET_ADDRESS_URL.name,
+          value: faker.internet.url()
+        }
+      ]
+      await createTenantSettings(deps, {
+        tenantId: existingTenant.id,
+        setting: existingSetting
+      })
+
+      const newTenant = await createTenant(deps)
+      await expect(
+        tenantSettingService.create({
+          tenantId: newTenant.id,
+          setting: existingSetting
+        })
+      ).resolves.toEqual(TenantSettingError.DuplicateWalletAddressUrl)
+    })
   })
 
   describe('get', () => {
@@ -513,6 +535,29 @@ describe('TenantSetting Service', (): void => {
         tenantSettingService.update(negativeOption)
       ).resolves.toEqual(TenantSettingError.InvalidSetting)
     })
+
+    test('cannot update wallet address url to already existing value', async (): Promise<void> => {
+      const walletAddressUrl = faker.internet.url()
+      const existingTenant = await createTenant(deps)
+      await createTenantSettings(deps, {
+        tenantId: existingTenant.id,
+        setting: [
+          {
+            key: TenantSettingKeys.WALLET_ADDRESS_URL.name,
+            value: walletAddressUrl
+          }
+        ]
+      })
+      const newTenant = await createTenant(deps)
+
+      await expect(
+        tenantSettingService.update({
+          tenantId: newTenant.id,
+          key: TenantSettingKeys.WALLET_ADDRESS_URL.name,
+          value: walletAddressUrl
+        })
+      ).resolves.toEqual(TenantSettingError.DuplicateWalletAddressUrl)
+    })
   })
 
   describe('delete', (): void => {
diff --git a/packages/backend/src/tenants/settings/service.ts b/packages/backend/src/tenants/settings/service.ts
@@ -120,6 +120,18 @@ async function updateTenantSetting(
   ) {
     return TenantSettingError.InvalidSetting
   }
+
+  if (options.key === TenantSettingKeys.WALLET_ADDRESS_URL.name) {
+    const existingSetting = await TenantSetting.query(deps.knex).findOne({
+      key: TenantSettingKeys.WALLET_ADDRESS_URL.name,
+      value: options.value
+    })
+
+    if (existingSetting) {
+      return TenantSettingError.DuplicateWalletAddressUrl
+    }
+  }
+
   return TenantSetting.query(deps.knex)
     .patch({ value: options.value })
     .whereNull('deletedAt')
@@ -141,6 +153,19 @@ async function createTenantSetting(
     ) {
       return TenantSettingError.InvalidSetting
     }
+
+    if (setting.key === TenantSettingKeys.WALLET_ADDRESS_URL.name) {
+      const existingSetting = await TenantSetting.query(
+        extra?.trx ?? deps.knex
+      ).findOne({
+        key: TenantSettingKeys.WALLET_ADDRESS_URL.name,
+        value: setting.value
+      })
+
+      if (existingSetting) {
+        return TenantSettingError.DuplicateWalletAddressUrl
+      }
+    }
   }
 
   const dataToUpsert = options.setting
