feat: add receipts endpoint

filecoin/store/receipt.js

@@ -110,7 +110,6 @@ export const useReceiptStore = (s3client, invocationBucketName, workflowBucketNa
         headers: {},
       })
 
-
       // @ts-expect-error unknown link does not mach expectations
       const receipt = agentMessage.receipts.get(invocationCid.toString())
       if (!receipt) {

stacks/ucan-invocation-stack.js

@@ -5,6 +5,7 @@ import {
   Queue,
   use
 } from '@serverless-stack/resources'
+import { PolicyStatement, StarPrincipal, Effect } from 'aws-cdk-lib/aws-iam'
 
 import { CarparkStack } from './carpark-stack.js'
 import { UploadDbStack } from './upload-db-stack.js'
@@ -33,9 +34,28 @@ export function UcanInvocationStack({ stack, app }) {
   const workflowBucket = new Bucket(stack, 'workflow-store', {
     cors: true,
     cdk: {
-      bucket: getBucketConfig('workflow-store', app.stage)
+      bucket: {
+        ...getBucketConfig('workflow-store', app.stage),
+        // change the defaults accordingly to allow access via new Policy
+        blockPublicAccess: {
+          blockPublicAcls: true,
+          ignorePublicAcls: true,
+          restrictPublicBuckets: false,
+          blockPublicPolicy: false,
+        }
+      },
     }
   })
+  // Make bucket public for `s3:GetObject` command
+  workflowBucket.cdk.bucket.addToResourcePolicy(
+    new PolicyStatement({
+      actions: ['s3:GetObject'],
+      effect: Effect.ALLOW,
+      principals: [new StarPrincipal()],
+      resources: [workflowBucket.cdk.bucket.arnForObjects('*')],
+    })
+  )
+
   const invocationBucket = new Bucket(stack, 'invocation-store', {
     cors: true,
     cdk: {

stacks/upload-api-stack.js

@@ -121,6 +121,7 @@ export function UploadApiStack({ stack, app }) {
       'GET /error':   'functions/get.error',
       'GET /version': 'functions/get.version',
       'GET /metrics': 'functions/metrics.handler',
+      'GET /receipt/{taskCid}': 'functions/receipt.handler',
       'GET /storefront-cron': 'functions/storefront-cron.handler',
       // AWS API Gateway does not know trailing slash... and Grafana Agent puts trailing slash
       'GET /metrics/{proxy+}': 'functions/metrics.handler',

test/filecoin.test.js

@@ -1,6 +1,7 @@
 import { testFilecoin as test } from './helpers/context.js'
 import { fetch } from '@web-std/fetch'
 import pWaitFor from 'p-wait-for'
+import * as CAR from '@ucanto/transport/car'
 import { Storefront } from '@web3-storage/filecoin-client'
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb'
 
@@ -119,6 +120,35 @@ test('w3filecoin integration flow', async t => {
     throw new Error('filecoin/offer receipt has no effect for filecoin/accept')
   }
 
+  // Get receipt from endpoint
+  const filecoinOfferInvCid = filecoinOfferRes.ran.link()
+  const workflowWithReceiptResponse = await fetch(
+    `${t.context.apiEndpoint}/receipt/${filecoinOfferInvCid.toString()}`,
+    {
+      redirect: 'manual'
+    }
+  )
+  t.is(workflowWithReceiptResponse.status, 302)
+  const workflowLocation = workflowWithReceiptResponse.headers.get('location')
+  if (!workflowLocation) {
+    throw new Error(`no workflow with receipt for task cid ${filecoinOfferInvCid.toString()}`)
+  }
+
+  const workflowWithReceiptResponseAfterRedirect = await fetch(workflowLocation)
+  // Get receipt from Message Archive
+  const agentMessageBytes = new Uint8Array((await workflowWithReceiptResponseAfterRedirect.arrayBuffer()))
+  const agentMessage = await CAR.request.decode({
+    body: agentMessageBytes,
+    headers: {},
+  })
+  // @ts-expect-error unknown link does not mach expectations
+  const receipt = agentMessage.receipts.get(filecoinOfferInvCid.toString())
+  t.assert(receipt)
+  // Receipt matches what we received when invoked
+  t.truthy(receipt?.ran.link().equals(filecoinOfferInvCid))
+  t.truthy(receipt?.fx.join?.equals(filecoinAcceptReceiptCid))
+  t.truthy(receipt?.fx.fork[0].equals(filecoinSubmitReceiptCid))
+
   // Verify receipt chain
   console.log(`wait for receipt chain...`)
   const receiptStore = useReceiptStore(s3Client, `invocation-store-${stage}-0`, `workflow-store-${stage}-0`)

upload-api/buckets/invocation-store.js

@@ -116,12 +116,12 @@ export const useInvocationStore = (s3client, bucketName) => {
       })
       const listObject = await s3client.send(listObjectCmd)
       const carEntry = listObject.Contents?.find(
-        content => content.Key?.endsWith('.workflow')
+        content => content.Key?.endsWith('.out')
       )
       if (!carEntry) {
         return
       }
-      return carEntry.Key?.replace(prefix, '').replace('.workflow', '')
+      return carEntry.Key?.replace(prefix, '').replace('.out', '')
     }
   }
 }

upload-api/functions/receipt.js

@@ -0,0 +1,57 @@
+import * as Sentry from '@sentry/serverless'
+import { parseLink } from '@ucanto/server'
+
+import { createInvocationStore } from '../buckets/invocation-store.js'
+import { mustGetEnv } from './utils.js'
+
+Sentry.AWSLambda.init({
+  environment: process.env.SST_STAGE,
+  dsn: process.env.SENTRY_DSN,
+  tracesSampleRate: 1.0,
+})
+
+const AWS_REGION = process.env.AWS_REGION || 'us-west-2'
+
+/**
+ * AWS HTTP Gateway handler for GET /receipt.
+ *
+ * @param {import('aws-lambda').APIGatewayProxyEventV2} event
+ */
+export async function receiptGet (event) {
+  const {
+    invocationBucketName,
+    workflowBucketName,
+  } = getLambdaEnv()
+  const invocationBucket = createInvocationStore(
+    AWS_REGION,
+    invocationBucketName
+  )
+
+  if (!event.pathParameters?.taskCid) {
+    return {
+      statusCode: 400,
+      body: Buffer.from(`no task cid received`).toString('base64'),
+    }
+  }
+  const taskCid = parseLink(event.pathParameters.taskCid)
+
+  const workflowLinkWithReceipt = await invocationBucket.getWorkflowLink(taskCid.toString())
+  const url = `https://${workflowBucketName}.s3.${AWS_REGION}.amazonaws.com/${workflowLinkWithReceipt}/${workflowLinkWithReceipt}`
+
+  // redirect to bucket
+  return {
+    statusCode: 302,
+    headers: {
+      Location: url
+    }
+  }
+}
+
+function getLambdaEnv () {
+  return {
+    invocationBucketName: mustGetEnv('INVOCATION_BUCKET_NAME'),
+    workflowBucketName: mustGetEnv('WORKFLOW_BUCKET_NAME'),
+  }
+}
+
+export const handler = Sentry.AWSLambda.wrapHandler(receiptGet)

upload-api/types.ts

@@ -5,6 +5,9 @@ import { CID } from 'multiformats/cid'
 import { Kinesis } from '@aws-sdk/client-kinesis'
 import { AccountDID, ProviderDID, Service, SpaceDID } from '@web3-storage/upload-api'
 
+export interface StoreOperationError extends Error {
+  name: 'StoreOperationFailed'
+}
 
 export interface UcanLogCtx extends WorkflowCtx, ReceiptBlockCtx {
   basicAuth: string