fix: STOREFRONT_PROOF is a secret

[volmedo]

These changes require storacha/upload-service#570 to land first.

Handle STOREFRONT_PROOF as a secret rather than an environment variable.

Also, I noticed that some of the functions that were referencing the proof were not actually having it passed when defined in the stack, so I bound the secret to their configs.

Finally, the STOREFRONT_PROOF was renamed to AGGREGATOR_SERVICE_PROOF, as that aligns with what it actually is. I also removed the storefront proof from everywhere, based on the assumption that the storefront service will always be the upload service. Thus, invocations to the storefront service (the filecoin/* family of capabilities) are self-signed by the upload service and require no proofs.

[seed-deploy]

View stack outputs

• pr545-upload-api-BillingDbStack

  Name	Value
  customerTableName	pr545-upload-api-customer
  egressTrafficTableName	pr545-upload-api-egress-traffic-events
  spaceDiffTableName	pr545-upload-api-space-diff
  spaceSnapshotTableName	pr545-upload-api-space-snapshot
  usageTable	pr545-upload-api-usage

• pr545-upload-api-BillingStack

  Name	Value
  ApiEndpoint	https://8wkpclqq47.execute-api.us-east-2.amazonaws.com
  billingCronHandlerURL	https://6ons7v5jjqwegeoscjwmlwc6d40mvfrf.lambda-url.us-east-2.on.aws/
  CustomDomain	https://pr545.billing.forge.storacha.network
  EgressTrafficQueueURL	https://sqs.us-east-2.amazonaws.com/505595374361/pr545-upload-api-egress-traffic-queue

• pr545-upload-api-CarparkStack

  Name	Value
  BucketName	pr545-upload-api-carpark-0
  Region	us-east-2

• pr545-upload-api-RoundaboutStack

  Name	Value
  ApiEndpoint	https://staging.roundabout.web3.storage/
  CustomDomain	Using ROUNDABOUT_API_URL - no custom domain

• pr545-upload-api-UcanInvocationStack

  Name	Value
  agentIndexBucketName	pr545-upload-api-invocation-store-0
  agentMessageBucketName	pr545-upload-api-workflow-store-0

• pr545-upload-api-UploadApiStack

  Name	Value
  ApiEndpoints	["https://jrbuidzv37.execute-api.us-east-2.amazonaws.com"]
  CustomDomains	["https://pr545.up.forge.storacha.network"]

• pr545-upload-api-BusStack

• pr545-upload-api-FilecoinStack

• pr545-upload-api-UcanFirehoseStack

• pr545-upload-api-UploadDbStack

[volmedo]

the proof is parsed but then it's not used anywhere. I guess it should go in the context object below?

[alanshaw]

😩 yeah it's going to require changes in storefrontEvents.handleCronTick to accept the proof. It needs the proof so that effect it creates has the correct CID.

[alanshaw]

We should also do id = id.withDID(DID.parse(did).did()) regardless.

[volmedo]

😩 yeah it's going to require changes in storefrontEvents.handleCronTick to accept the proof. It needs the proof so that effect it creates has the correct CID.

I just understood this comment 😞

[volmedo]

is this correct? Shouldn't this have the upload service's DID if we are using a proof?

[volmedo]

oh, ok, so I guess we need both the aggregator service's DID and the upload service's DID to fix this invocation config

[alanshaw]

Yeah, the proof should be a proof for the uplaod service to use the aggregator and the aggregator DID needs to be the audience.

[hannahhoward]

LGTM by me

[alanshaw]

From a consistency POV I like this, but really the only reason the other proofs are secrets is because of the environment variable size limit which we are close to with the ucan-invocation-router.js lambda. We are not anywhere near that limit for these other lambdas so it is not really necessary.

If we do this, I would rather that we combine it with renaming the variable more appropriately. It should be named after the service it is used with, not the service that is using it (otherwise all proofs would be "storefront"/"upload service"!). This is already confused in the code here.

Unfortunately there is a bunch more work here than just moving an environment variable to secrets.

[alanshaw]

😩 yeah it's going to require changes in storefrontEvents.handleCronTick to accept the proof. It needs the proof so that effect it creates has the correct CID.

[alanshaw]

We should also do id = id.withDID(DID.parse(did).did()) regardless.

[alanshaw]

Yeah, the proof should be a proof for the uplaod service to use the aggregator and the aggregator DID needs to be the audience.

[volmedo]

If we do this, I would rather that we combine it with renaming the variable more appropriately. It should be named after the service it is used with, not the service that is using it (otherwise all proofs would be "storefront"/"upload service"!). This is already confused in the code here.

Unfortunately there is a bunch more work here than just moving an environment variable to secrets.

It wasn't clear to me that storefront was actually referring to the upload-service 🤷🏻

I'm working on this.

[volmedo]

@alanshaw I renamed STOREFRONT_PROOF to AGGREGATOR_SERVICE_PROOF and wired it where needed. The rest of the work required to pass the aggregator proof down is in storacha/upload-service#570.

There were also some functions getting a storefront proof, which allows using a storefront service that is not the upload service. I removed this possibility for now to simplify the code because we are not using it today. If you think we need that flexibility, let me know and I'll implement it properly.