Start payjoin-io

[jbesraa]

#211

[DanGould]

Great start. I went through each commit and left comments on the code.

Two high level comments

1. Have payjoin-io (Are we set on that name? payjoin-defaults?) depend on payjoin so that you can make use of its types. It should be an abstraction on top of payjoin after all. This should require fewer lines of changes and be easier to reason about and maintain.
2. I'd like to see the last three commits combined to show a clean change history from two separate implementations, one in payjoin/tests/integration.rs and one in payjoin-cli/src/app/v2.rs into one to demonstrate that the abstraction works and is a drop-in replacement.

This crate is going to be an enormous help to all of our implementations. I can't wait to see it published.

[DanGould]

This doesn't open a new repository, just a library. We may post this to crates.io so this should be catered to an audience there. I also get sad any time I come to a website that says WIP/coming soon. Just tell me what it does! All software is WIP. This isn't a draft PR, it's published software ;)

Try something like

This provides a collection of I/O utilities for working with the payjoin crate.
The payjoin crate only deals with the low-level protocol. payjoin-io provides sane defaults to make implementing payjoin easy.

[DanGould]

The idea of this crate is to encapsulate payjoin, so we can depend on a version of payjoin with relevant features directly.

[jbesraa]

yea I thought about this but was not sure, because I thought we might use payjoin-io in integration tests and then we would have circular deps(although it can be dev-dep to payjoin). what do you think?

[DanGould]

I think it should be a dev-dep in payjoin. That shouldn't be circular, is it?

[DanGould]

Check for the latest version of ohttp-relay before this is merged

[DanGould]

This is very neat and thought through. However, we should be able to get all of these errors from the payjoin crate instead of re-implementing them.

[DanGould]

What I mean by this is to encapsulate a payjoin_io::Error variant payjoin_io::Error::PayjoinV2(payjoin::v2::Error)

[DanGould]

Since the very first iteration does only one thing it makes more sense to me to put all of the functionality in lib.rs. We probably don't have modules to separate yet.

[jbesraa]

I did this after I added the Error and ProxyServer and lib.rs didnt feel like the right place for them. with that said, if following the comment above we make payjoin-io depend on payjoin for the error object and other types, that could trim some of the code I think then it would make sense to move everything to lib.rs

[DanGould]

I'm not sure we want to or need to depend on tokio or async operations in this crate yet. I'd prefer we didn't and focused on simple but correct I/O operations and the consumer upstream can still make their own decision on whether or not to use tokio/async-std etc. Having tokio as a feature that exposes async functions may make sense in later versions.

[DanGould]

• ureq::Agent represents an Http client, not a servers.
• Use conventional BIP 77 naming. s/payjoin server/payjoin directory/ s/Proxy server/Ohttp relay/

[DanGould]

Not sure we need a Struct impl here, simple private fn implementations that return an agent may do. We also want to support a danger-local-https feature right away to make this crate compatible with local integration testing as well as payjoin-cli

[DanGould]

I love seeing the tests this early. However, now that we've got a common implementation, couldn't this go into integration tests with a local directory server instead of the production payjo.in server hack?

[DanGould]

👍 This makes a lot of sense to me vs a versioned dependency before our first release. I think we'll have to version it in order to release payjoin-cli with a payjoin-io dependency

[DanGould]

Since at this commit payjoin-io depends on payjoin with v2 feature, It should also only be optionally compiled

v2 = ["payjoin/v2", "payjoin-io"]
...
payjoin-io = { path = "../payjoin-io", optional = true }

And included in the v2 payjoin-cli feature

[jbesraa]

@DanGould This is ready for review

[DanGould]

The overall shape of the integration looks good to me now. There are some nits you may pick up if you like and an payjoin-cli/danger-local-https issue to fix. The error handling is clever to workaround an issue with OhttpKeys::decode: It returns a private error! That api can be addressed in another PR. You handled it gracefully for now.

However, The payjoin/v1 integration test no longer ever runs because payjoin-io is a dev-dependency of payjoin which always depends on payjoin/v2. You'll see the test payjoin integration v1 task in CI only runs the v2 tests.

Perhaps it makes more sense for the payjoin v2 integration tests to migrate to payjoin-io while the v1 test stays in payjoin for now until the i/o operations for v1 are handled by that crate. Another way to possibly solve this would be to feature gate fetch-ohttp-keys with a payjoin-io/v2 feature. But I'm not sure the second potential solution would work, and as you mentioned before, testing this way is sort of a circular dependency that may have caused more of a problem than I initially imagined.

[DanGould]

nit: It seems like this could just be readme = "README.md"

[DanGould]

I'm glad this is documented however there are a few things to consider. This function actually returns a Result. I tend to like letting the function signature speak for itself and documenting the why rather than the what. The signature could change easily which we could forget to update. Make sure to be consistent with bip77 naming (server vs relay vs proxy vs directory)

To improve readability and follow Rust's conventions more closely, consider separating the parameter name from its description with a colon and a space, and ensure that each description is a grammatically complete sentence. Here's a slightly refined version of your documentation:

/// Fetch the ohttp keys from the specified payjoin directory via proxy.
///
/// * `ohttp_relay`: The http CONNNECT method proxy to requesti the ohttp keys from a payjoin directory.
///   Proxying requests for ohttp keys ensures a client IP address is never revealed to the payjoin directory.
///
/// * `payjoin_directory`: The payjoin directory from which to fetch the ohttp keys.
///   This directory stores and forwards payjoin client payloads.
///
/// * `cert_der` (optional): The DER-encoded certificate to use for local HTTPS connections.
///   This parameter is only available when the "danger-local-https" feature is enabled.
pub fn fetch_ohttp_keys(
    ohttp_relay: Url,
    payjoin_directory: Url,
    #[cfg(feature = "danger-local-https")] cert_der: Vec<u8>,
) -> Result<payjoin::OhttpKeys, Error> {
    // Function implementation goes here
}

the payjoin directory endpoint from which to fetch ohttp keys is actually directory.url/ohttp-keys and the function just takes the directory url.

[DanGould]

nit: Except for certain parts of payjoin-cli, our crates use log to better organize log messages.

[DanGould]

Since at this commit payjoin-io depends on payjoin with v2 feature, It should also only be optionally compiled

v2 = ["payjoin/v2", "payjoin-io"]
...
payjoin-io = { path = "../payjoin-io", optional = true }

And included in the v2 payjoin-cli feature

[DanGould]

Are you sure? This v1 module should only compile withOUT payjoin v2 feature since the signature of that function looks like this:

    pub fn new(
        address: Address,
        pj: Url,
        #[cfg(feature = "v2")] ohttp_keys: Option<OhttpKeys>,
    ) -> Self {

The inclusion of payjoin-io for all feature configurations of payjoin-cli must have forced payjoin/v2 even for payjoin-cli/not(v2) and caused a compile time error here. Making payjoin-io an explicit dependency of payjoin-cli/v2 will render this change unnecessary.

[DanGould]

I think we need some danger-local-https logic here. Otherwise, if that feature is enabled the fetch_ohttp_keys function call has too few arguments and will not compile.

I think you could also get the Result::Ok you want out with a couple fewer conversions

    if let Some(keys) = config.ohttp_keys.clone() {
        Ok(keys)
    } else {
        tokio::task::spawn_blocking(move || {
            payjoin_io::fetch_ohttp_keys(config.ohttp_relay.clone(), config.pj_endpoint.clone())
        })
        .await?
        .map_err(|e| anyhow!("Failed to fetch ohttp keys: {}", e))
    }
}

[jbesraa]

one standing problem I still face is if i run cargo b in the workspace root it will fail due to v2 error in the payjoin-cli.
I think cargo build payjoin-io in the same context and some things are conflicting even tho in payjoin-cli its guarded behind v2. we might need to guard payjoin-io behind v2 as well

[jbesraa]

decided to move v2 integration tests to payjoin-io, I agree that it fits there and doesnt make much sense to import payjoin-io to payjoin..

also I think I agree about the naming, we should probably go with payjoin-defaults

[DanGould]

I just had success with cargo b in the workspace root and in payjoin-cli on stable on 06d3397. Are you sure you don't need to cargo clean the old dependency with the same version out?

[jbesraa]

oops I was on nightly. working for me as well

[DanGould]

Nightly must build too. I just had success with cargo b in building with 1.78.0-nightly the workspace root and in payjoin-cli on stable on 06d3397.

[jbesraa]

can you please dump the output of rustup show here?

cargo build is not consistent on my machine, now the stable-rust is again not building(because of v2 incompatibility)

[DanGould]

Most of the time I don't use rustup, but a nix profile installed with https://github.com/nix-community/fenix.

However to test nightly I did use the rustup installed in ohttp-relay:

$ ohttp-relay % rustup --version
rustup 1.26.0 (1980-01-01)
info: This is the version for the rustup toolchain manager, not the rustc compiler.
info: The currently active `rustc` version is `rustc 1.63.0 (4b91a6ea7 2022-08-08)`
$ ohttp-relay % rustup show
Default host: aarch64-apple-darwin
rustup home:  /Users/dan/.rustup

installed toolchains
--------------------

stable-aarch64-apple-darwin
nightly-aarch64-apple-darwin (default)
1.63-aarch64-apple-darwin

active toolchain
----------------

1.63-aarch64-apple-darwin (directory override for '/Users/dan/f/dev/ohttp-relay')
rustc 1.63.0 (4b91a6ea7 2022-08-08)

Are you sure you don't just need to call cargo clean to get rid of the previous dependency tree?

[DanGould]

Aha! I have a feeling you're calling cargo build at the top level workspace where payjoin-io defaults to depend on payjoin/v2 which is then tried to use for payjoin-cli and fails. I bet if you called cargo build from payjoin-cli it would build. A v2 feature on payjoin-io could fix this.

[jbesraa]

Aha! I have a feeling you're calling cargo build at the top level workspace where payjoin-io defaults to depend on payjoin/v2 which is then tried to use for payjoin-cli and fails. I bet if you called cargo build from payjoin-cli it would build. A v2 feature on payjoin-io could fix this.

yup, thats what I was trying to say here #220 (comment)

should I go on and add the v2 feature to payjoin-io ?

[DanGould]

I somehow failed to replicate that on first attempt, apologies. Yes gate fetch function behind v2.

[DanGould]

Another simple option may be to have an optional io feature in the payjoin crate instead of a new one. The feature would depends on ureq, rustls, etc. payjoin would still be possible with use without io. Do you think that might be a smaller change or easier to maintain?

[jbesraa]

I prefer the current approach of a new crate.
The 'payjoin' crate should be isolated IMO and have very few deps and features.
I think the current feature flagging is not perfect but as we add more functionality to 'payjoin-defaults' we will be smarter about it and maybe get rid of some of those.

[jbesraa]

@DanGould let me know when its ok to fixup the commits

[DanGould]

There's just one problem blocking this from merge in my view. payjoin-cli will not compile with --features v2, danger-local-https because that branch of payjoin_defaults::fetch_ohttp_keys has not been handled. Otherwise looking good 🪽

[DanGould]

nit: try to keep dependencies listed in alphabetical order. And keep spacing consistent.

Suggested change

	payjoin-io = { path = "../payjoin-io", features = ["danger-local-https"]}
	payjoin-io = { path = "../payjoin-io", features = ["danger-local-https"] }

[DanGould]

since the module exists I wouldn't necessarily remove the module feature gate.

[DanGould]

Feature gating here is still a minor problem. Integration tests shouldn't necessarily be feature gated wholesale. that's what the the modules were there for.

[DanGould]

try not to include changes that don't have effects

[DanGould]

nit:

Suggested change

	payjoin-io = { path = "../payjoin-io", optional = true}
	payjoin-io = { path = "../payjoin-io", optional = true }

[DanGould]

sp. "requesti"

[DanGould]

I think I realized you probably have an instinct to put this in a struct because you might be used to the object oriented paradigm. Just a comment.

[DanGould]

I'm seeing both Error variants returned by this impl block return clippy warnings. In a follow up pr they can probably be made opaque and have the error source which is not actionable ignored. I read "Thinking about errors" this week which helped me re-think the whole error design space. Unless a downstream user can make critical decisions from these internal errors, we don't have to pass them up to each caller.

warning: the `Err`-variant returned from this function is very large
   --> payjoin-defaults/src/lib.rs:123:44
    |
123 |     fn normalize_proxy_url(proxy: &Url) -> Result<String, Error> {
    |                                            ^^^^^^^^^^^^^^^^^^^^^ the `Err`-variant is at least 272 bytes
    |
    = help: try reducing the size of `Error`, for example by boxing large elements or replacing it with `Box<Error>`
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#result_large_err

[DanGould]

Two comments:

1. This won't compile with #[cfg(features = "danger-local-https")] because it's missing the local cert parameter.
2. Cloning the Url types that need to be owned will clone fewer bytes than cloning the whole AppConfig struct

async fn unwrap_ohttp_keys_or_else_fetch(config: &AppConfig) -> Result<payjoin::OhttpKeys> {
    if let Some(keys) = config.ohttp_keys.clone() {
        Ok(keys)
    } else {
        let ohttp_relay = config.ohttp_relay.clone();
        let payjoin_directory = config.pj_endpoint.clone();
        Ok(tokio::task::spawn_blocking(move || {
            payjoin_defaults::fetch_ohttp_keys(
                ohttp_relay,
                payjoin_directory,
            )
        })
        .await
        .map_err(|e| anyhow!("Failed to fetch ohttp keys: {}", e))??)
    }
}```

[jbesraa]

the danger-local-https feature from payjoin-default is not used by the cli and its not included in the cli cargo.toml. should we still accommodate for that?

[DanGould]

Yes, it should be used if is danger-local-https && v2 features are set. It can probably be switched on by the payjoin-cli/danger-local-https feature since it's a test feature and an extra dependency shouldn't hurt there.

This PR deletes danger-local-https fetch code which the new crate replaces and it should maintain feature parity.

[DanGould]

Gah, the one blocking issue was resolved but another opened.

We can't default payjoin-cli to a dangerous feature set. If we do, the default mode for payjoin-cli will be one where users can lose money. That should be for those who want to compile the dangerous feature set explicitly only.

[DanGould]

It's a bit over complicated a fallible expression in Ok() without first handling the error. Better to handle one error at a time and then return Ok if the result is actually Ok. We can fix this in a follow up.

[DanGould]

Since proxy is your own abstraction, it probably makes sense more to have it take your abstraction (Url). Otherwise, what's the point of the abstraction? I don't really think we need this abstraction / impl layer though so I'm OK ignoring it for now.

[DanGould]

danger-local-https is a test-only feature. If it is used by default then the CLI tool won't check https certs. That's dangerous! We can't ship a production build with this feature set. Where did the idea to set this default come from?

[jbesraa]

aye sorry that's a leftover from some manual local testing

[DanGould]

Feature gating here is still a minor problem. Integration tests shouldn't necessarily be feature gated wholesale. that's what the the modules were there for.