Merge pull request #259: release/1.1.6 to main

## [1.1.6](1.1.5...1.1.6) Attention, this version is compatible with the frontend version [1.1.2](https://github.com/stellar/stellar-disbursement-platform-frontend/releases/tag/1.1.2). ### Changed - Update the `PATCH /receivers/{id}` request, so a receiver's verification info is not just inserted but upserted. The update part of the upsert only takes place if the verification info has not been confirmed yet. [#205](#205) - Update the order of the verification field that is shown to the receiver during the [SEP-24] flow. The order was `(updated_at DESC)` and was updated to the composed sorting `(updated_at DESC, rv.verification_field ASC)` to ensure consistency when multiple verification fields share the same `updated_at` value. - Improve information in the error message returned when the disbursement instruction contains a verification info that is different from an already existing verification info that was already confirmed by the receiver. [#178](#178) - When adding an asset, make sure to trim the spaces fom the issuer field. [#185](#185) ### Security - Bump Go version from 1.19 to 1.22, and upgraded the version of some CI tools. [#196](#196) - Add rate-limiter in both in the application and the kubernetes deployment. [#195](#195)
stellar · Apr 15, 2024 · 9ddf61a · 9ddf61a
2 parents cb86e4a + 35e1123
commit 9ddf61a
Show file tree

Hide file tree

Showing 33 changed files with 462 additions and 129 deletions.
diff --git a/.github/workflows/anchor_platform_integration_check.yml b/.github/workflows/anchor_platform_integration_check.yml
@@ -22,7 +22,7 @@ jobs:
       SEP10_SIGNING_PRIVATE_KEY: ${{ vars.SEP10_SIGNING_PRIVATE_KEY }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run Docker Compose for SDP and Anchor Platform
         working-directory: dev

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.22.1
 
@@ -32,17 +32,30 @@ jobs:
       - name: Run ./gomod.sh
         run: ./gomod.sh
 
-      - name: Install github.com/nishanths/exhaustive
-        run: go install github.com/nishanths/exhaustive/cmd/exhaustive@latest
+      - name: Install github.com/nishanths/[email protected] and golang.org/x/tools/cmd/[email protected]
+        run: |
+          go install github.com/nishanths/exhaustive/cmd/[email protected]
+          go install golang.org/x/tools/cmd/[email protected]
 
-      - name: Run exhaustive
+      - name: Run `exhaustive`
         run: exhaustive -default-signifies-exhaustive ./...
 
+      - name: Run `deadcode`
+        run: |
+          output=$(deadcode -test ./...)
+          if [[ -n "$output" ]]; then
+            echo "🚨 Deadcode found:"
+            echo "$output"
+            exit 1
+          else
+            echo "✅ No deadcode found"
+          fi
+
   check-helm-readme:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install NodeJs
         uses: actions/setup-node@v2
@@ -70,10 +83,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.22.1
 
@@ -107,15 +120,15 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: 1.22.1
 
       - name: Run tests
-        run: go test -race -coverpkg=./... -coverprofile=c.out ./...
+        run: go test -race -timeout 3m -coverpkg=./... -coverprofile=c.out ./...
 
       - name: Validate Test Coverage Threshold
         env:

diff --git a/.github/workflows/docker_image_public_release.yml b/.github/workflows/docker_image_public_release.yml
@@ -43,7 +43,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Login to DockerHub
         uses: docker/[email protected]
@@ -69,7 +69,7 @@ jobs:
       - anchor_platform_integration_check
       - e2e_integration_test
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Login to DockerHub
         uses: docker/[email protected]

diff --git a/.github/workflows/e2e_integration_test.yml b/.github/workflows/e2e_integration_test.yml
@@ -26,7 +26,7 @@ jobs:
       SEP10_SIGNING_PRIVATE_KEY: ${{ vars.SEP10_SIGNING_PRIVATE_KEY }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Cleanup data
         working-directory: internal/integrationtests

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,12 +2,28 @@
 
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ## Unreleased
 
 None
 
+## [1.1.6](https://github.com/stellar/stellar-disbursement-platform-backend/compare/1.1.5...1.1.6)
+
+Attention, this version is compatible with the frontend version [1.1.2](https://github.com/stellar/stellar-disbursement-platform-frontend/releases/tag/1.1.2).
+
+### Changed
+
+- Update the `PATCH /receivers/{id}` request, so a receiver's verification info is not just inserted but upserted. The update part of the upsert only takes place if the verification info has not been confirmed yet. [#205](https://github.com/stellar/stellar-disbursement-platform-backend/pull/205)
+- Update the order of the verification field that is shown to the receiver during the [SEP-24] flow. The order was `(updated_at DESC)` and was updated to the composed sorting `(updated_at DESC, rv.verification_field ASC)` to ensure consistency when multiple verification fields share the same `updated_at` value.
+- Improve information in the error message returned when the disbursement instruction contains a verification info that is different from an already existing verification info that was already confirmed by the receiver. [#178](https://github.com/stellar/stellar-disbursement-platform-backend/pull/178)
+- When adding an asset, make sure to trim the spaces fom the issuer field. [#185](https://github.com/stellar/stellar-disbursement-platform-backend/pull/185)
+
+### Security
+
+- Bump Go version from 1.19 to 1.22, and upgraded the version of some CI tools. [#196](https://github.com/stellar/stellar-disbursement-platform-backend/pull/196)
+- Add rate-limiter in both in the application and the kubernetes deployment. [#195](https://github.com/stellar/stellar-disbursement-platform-backend/pull/195)
+
 ## [1.1.5](https://github.com/stellar/stellar-disbursement-platform-backend/compare/1.1.4...1.1.5)
 
 ### Fixed
@@ -32,7 +48,7 @@ None
 
 ### Fixed
 
-- SEP24 registration flow not working properly when the phone number was not found in the DB [#187](https://github.com/stellar/stellar-disbursement-platform-backend/pull/187)
+- [SEP-24] registration flow not working properly when the phone number was not found in the DB [#187](https://github.com/stellar/stellar-disbursement-platform-backend/pull/187)
 - Fix distribution account balance validation that fails when the intended asset is XLM [#186](https://github.com/stellar/stellar-disbursement-platform-backend/pull/186)
 
 ## [1.1.2](https://github.com/stellar/stellar-disbursement-platform-backend/compare/1.1.1...1.1.2)
@@ -52,7 +68,7 @@ None
 ### Changed
 
 - Change `POST /disbursements` to accept different verification types [#103](https://github.com/stellar/stellar-disbursement-platform-backend/pull/103)
-- Change `SEP-24` Flow to display different verifications based on disbursement verification type [#116](https://github.com/stellar/stellar-disbursement-platform-backend/pull/116)
+- Change [SEP-24] Flow to display different verifications based on disbursement verification type [#116](https://github.com/stellar/stellar-disbursement-platform-backend/pull/116)
 - Add sorting to `GET /users` endpoint [#104](https://github.com/stellar/stellar-disbursement-platform-backend/pull/104)
 - Change read permission for receiver details to include business roles [#144](https://github.com/stellar/stellar-disbursement-platform-backend/pull/144)
 - Add support for unique payment ID to disbursement instructions file as an optional field in `GET /payments/{id}` [#131](https://github.com/stellar/stellar-disbursement-platform-backend/pull/131)
@@ -144,7 +160,7 @@ None
 
 - Stellar.Expert URL in env-config.js for dev environment setup. [#34](https://github.com/stellar/stellar-disbursement-platform-backend/pull/34)
 - Patch the correct transaction data fields in AnchorPlatform. [#40](https://github.com/stellar/stellar-disbursement-platform-backend/pull/40)
-- Sep10 domain configuration for Vibrant wallet on Testnet. [#42](https://github.com/stellar/stellar-disbursement-platform-backend/pull/42)
+- [SEP-10] domain configuration for Vibrant wallet on Testnet. [#42](https://github.com/stellar/stellar-disbursement-platform-backend/pull/42)
 - The SMS invitation link for XLM asset. [#46](https://github.com/stellar/stellar-disbursement-platform-backend/pull/46)
 
 ### Security
@@ -199,11 +215,13 @@ number, transfer amount, and essential customer validation data such as the date
 
 The platform subsequently sends an SMS to the recipient, which includes a deep link to the wallet. This link permits
 recipients with compatible wallets to register their wallet on the SDP. During this step, they are required to verify
-their phone number and additional customer data through the SEP-24 interactive deposit flow, where this data is shared
+their phone number and additional customer data through the [SEP-24] interactive deposit flow, where this data is shared
 directly with the backend through a webpage inside the wallet, but the wallet itself does not have access to this data.
 
 Upon successful verification, the SDP will transfer the funds directly to the recipient's wallet. When the recipient's
 wallet has been successfully associated with their phone number in the SDP, all subsequent payments will occur
 automatically.
 
 [stellar/stellar-disbursement-platform-frontend]: https://github.com/stellar/stellar-disbursement-platform-frontend
+[SEP-10]: https://stellar.org/protocol/sep-10
+[SEP-24]: https://stellar.org/protocol/sep-24
diff --git a/go.list b/go.list
@@ -70,6 +70,7 @@ github.com/gin-contrib/sse v0.1.0
 github.com/gin-gonic/gin v1.8.1
 github.com/go-chi/chi v4.1.2+incompatible
 github.com/go-chi/chi/v5 v5.0.10
+github.com/go-chi/httprate v0.8.0
 github.com/go-errors/errors v1.5.1
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4

diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/getsentry/sentry-go v0.23.0
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-chi/httprate v0.8.0
 	github.com/gocarina/gocsv v0.0.0-20230616125104-99d496ca653d
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/uuid v1.3.1

diff --git a/go.sum b/go.sum
@@ -95,6 +95,8 @@ github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyN
 github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/httprate v0.8.0 h1:CyKng28yhGnlGXH9EDGC/Qizj29afJQSNW15W/yj34o=
+github.com/go-chi/httprate v0.8.0/go.mod h1:6GOYBSwnpra4CQfAKXu8sQZg+nZ0M1g9QnyFvxrAB8A=
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=

diff --git a/helmchart/sdp/Chart.yaml b/helmchart/sdp/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: stellar-disbursement-platform
 description: A Helm chart for the Stellar Disbursement Platform Backend (A.K.A. `sdp`)
 version: 0.9.4
-appVersion: "1.1.5"
+appVersion: "1.1.6"
 type: application
 maintainers:
   - name: Stellar Development Foundation

diff --git a/helmchart/sdp/values.yaml b/helmchart/sdp/values.yaml
@@ -202,6 +202,8 @@ sdp:
     className: "nginx"
     annotations:
       nginx.ingress.kubernetes.io/custom-response-headers: "X-XSS-Protection: 1; mode=block || X-Frame-Options: DENY || X-Content-Type-Options: nosniff || Strict-Transport-Security: max-age=31536000; includeSubDomains"
+      nginx.ingress.kubernetes.io/limit-rpm: "120"
+      nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
     tls:
       - hosts:
           - '{{ include "sdp.domain" . }}'
@@ -345,6 +347,8 @@ anchorPlatform:
     className: "nginx"
     annotations:
       nginx.ingress.kubernetes.io/custom-response-headers: "X-XSS-Protection: 1; mode=block || X-Frame-Options: DENY || X-Content-Type-Options: nosniff || Strict-Transport-Security: max-age=31536000; includeSubDomains"
+      nginx.ingress.kubernetes.io/limit-rpm: "120"
+      nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
     tls:
       - hosts:
           - '{{ include "sdp.ap.domain" . }}'

diff --git a/internal/anchorplatform/platform_api_service.go b/internal/anchorplatform/platform_api_service.go
@@ -6,10 +6,10 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 
 	"github.com/gorilla/schema"
-	"golang.org/x/exp/slices"
 
 	"github.com/stellar/stellar-disbursement-platform-backend/internal/serve/httpclient"
 	"github.com/stellar/stellar-disbursement-platform-backend/internal/utils"

diff --git a/internal/data/assets.go b/internal/data/assets.go
@@ -5,11 +5,11 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 	"time"
 
 	"github.com/lib/pq"
-	"golang.org/x/exp/slices"
 
 	"github.com/stellar/go/protocols/horizon/base"
 	"github.com/stellar/stellar-disbursement-platform-backend/internal/db"

diff --git a/internal/data/disbursement_instructions.go b/internal/data/disbursement_instructions.go
@@ -25,6 +25,11 @@ type DisbursementInstructionModel struct {
 	disbursementModel         *DisbursementModel
 }
 
+type InstructionLine struct {
+	line                    int
+	disbursementInstruction *DisbursementInstruction
+}
+
 const MaxInstructionsPerDisbursement = 10000 // TODO: update this number with load testing results [SDP-524]
 
 // NewDisbursementInstructionModel creates a new DisbursementInstructionModel.
@@ -85,9 +90,12 @@ func (di DisbursementInstructionModel) ProcessAll(ctx context.Context, userID st
 			receiverMap[receiver.PhoneNumber] = receiver
 		}
 
-		instructionMap := make(map[string]*DisbursementInstruction)
-		for _, instruction := range instructions {
-			instructionMap[instruction.Phone] = instruction
+		instructionMap := make(map[string]InstructionLine)
+		for line, instruction := range instructions {
+			instructionMap[instruction.Phone] = InstructionLine{
+				line:                    line + 1,
+				disbursementInstruction: instruction,
+			}
 		}
 
 		for _, instruction := range instructions {
@@ -126,7 +134,7 @@ func (di DisbursementInstructionModel) ProcessAll(ctx context.Context, userID st
 			if !verificationExists {
 				verificationInsert := ReceiverVerificationInsert{
 					ReceiverID:        receiver.ID,
-					VerificationValue: instruction.VerificationValue,
+					VerificationValue: instruction.disbursementInstruction.VerificationValue,
 					VerificationField: disbursement.VerificationField,
 				}
 				hashedVerification, insertError := di.receiverVerificationModel.Insert(ctx, dbTx, verificationInsert)
@@ -140,11 +148,11 @@ func (di DisbursementInstructionModel) ProcessAll(ctx context.Context, userID st
 				}
 
 			} else {
-				if verified := CompareVerificationValue(verification.HashedValue, instruction.VerificationValue); !verified {
+				if verified := CompareVerificationValue(verification.HashedValue, instruction.disbursementInstruction.VerificationValue); !verified {
 					if verification.ConfirmedAt != nil {
-						return fmt.Errorf("%w: receiver verification for %s doesn't match", ErrReceiverVerificationMismatch, receiver.PhoneNumber)
+						return fmt.Errorf("%w: receiver verification for %s doesn't match. Check line %d on CSV file - Internal ID %s", ErrReceiverVerificationMismatch, receiver.PhoneNumber, instruction.line, instruction.disbursementInstruction.ID)
 					}
-					err = di.receiverVerificationModel.UpdateVerificationValue(ctx, dbTx, verification.ReceiverID, verification.VerificationField, instruction.VerificationValue)
+					err = di.receiverVerificationModel.UpdateVerificationValue(ctx, dbTx, verification.ReceiverID, verification.VerificationField, instruction.disbursementInstruction.VerificationValue)
 					if err != nil {
 						return fmt.Errorf("error updating receiver verification for disbursement id %s: %w", disbursement.ID, err)
 					}

diff --git a/internal/data/disbursement_instructions_test.go b/internal/data/disbursement_instructions_test.go
@@ -235,25 +235,48 @@ func Test_DisbursementInstructionModel_ProcessAll(t *testing.T) {
 	})
 
 	t.Run("failure - Confirmed Verification Value not matching", func(t *testing.T) {
+		instruction4 := DisbursementInstruction{
+			Phone:             "+380-12-345-674",
+			Amount:            "100.04",
+			ID:                "123456784",
+			VerificationValue: "1990-01-04",
+			ExternalPaymentId: &externalPaymentID,
+		}
+
+		instruction5 := DisbursementInstruction{
+			Phone:             "+380-12-345-675",
+			Amount:            "100.05",
+			ID:                "123456785",
+			VerificationValue: "1990-01-05",
+			ExternalPaymentId: &externalPaymentID,
+		}
+
+		instruction6 := DisbursementInstruction{
+			Phone:             "+380-12-345-676",
+			Amount:            "100.06",
+			ID:                "123456786",
+			VerificationValue: "1990-01-06",
+			ExternalPaymentId: &externalPaymentID,
+		}
 		// process instructions for the first time
 		err := di.ProcessAll(ctx, "user-id", instructions, disbursement, disbursementUpdate, MaxInstructionsPerDisbursement)
 		require.NoError(t, err)
 
-		receivers, err := di.receiverModel.GetByPhoneNumbers(ctx, dbConnectionPool, []string{instruction1.Phone, instruction2.Phone, instruction3.Phone})
+		receivers, err := di.receiverModel.GetByPhoneNumbers(ctx, dbConnectionPool, []string{instruction1.Phone, instruction2.Phone, instruction3.Phone, instruction4.Phone, instruction5.Phone, instruction6.Phone})
 		require.NoError(t, err)
 		receiversMap := make(map[string]*Receiver)
 		for _, receiver := range receivers {
 			receiversMap[receiver.PhoneNumber] = receiver
 		}
 
 		// confirm a verification
-		ConfirmVerificationForRecipient(t, ctx, dbConnectionPool, receiversMap[instruction1.Phone].ID)
+		ConfirmVerificationForRecipient(t, ctx, dbConnectionPool, receiversMap[instruction3.Phone].ID)
 
 		// process instructions with mismatched verification values
-		instruction1.VerificationValue = "1990-01-07"
+		instruction3.VerificationValue = "1990-01-07"
 		err = di.ProcessAll(ctx, "user-id", instructions, disbursement, disbursementUpdate, MaxInstructionsPerDisbursement)
 		require.Error(t, err)
-		assert.EqualError(t, err, "running atomic function in RunInTransactionWithResult: receiver verification mismatch: receiver verification for +380-12-345-671 doesn't match")
+		assert.EqualError(t, err, "running atomic function in RunInTransactionWithResult: receiver verification mismatch: receiver verification for +380-12-345-673 doesn't match. Check line 3 on CSV file - Internal ID 123456783")
 	})
 }