Replace redis with file based mailbox storage

[nothingmuch]

This PR first makes redis optional, and then removes it entirely, due to various issues with testcontainers and with the complexity of deploying a directory. If we ever want to restore redis support then the feature gating commits should make this a bit easier.

This means the directory can no longer be "horizontally scaled", i.e. it's got stateful in memory structures that were previously done using redis's pubsub. This is not an issue because of implicit bounds on throughput (no more than 25 writes/second even with very generous bounds).

Depends on #914

closes #419

[nothingmuch]

I spoke with Dan about this and whether or not we should remove redis entirely or keep it feature gated. We both lean towards removing entirely.

My reasoning is that the main benefit of an external database server is the ability to have multiple stateless directory instances. However, it doesn't really make sense to scale this horizontally since the directory's request (honest) throughput is implicitly bound in relation to bitcoin's throughput, on the order of tens of requests per second, so there is no scenario where even the most modest hardware can't handle this with one directory instance or where the database wouldn't itself be the bottleneck.

Anyway I will be rebasing this PR on top of my changes to utilize the config crate in the directory, consistent with the way payjoin-cli uses it, and implementing the plain files on disk approach to persistence since that seems to be the simplest. I will keep the feature gating commit in the history because it might be useful to revert the removal at a later point if we do find a good reason to support redis.

[coveralls]

Pull Request Test Coverage Report for Build 17861723379

Details

• 532 of 648 (82.1%) changed or added relevant lines in 6 files are covered.
• 3 unchanged lines in 3 files lost coverage.
• Overall coverage increased (+0.1%) to 84.724%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
payjoin-test-utils/src/lib.rs	6	7	85.71%
payjoin-directory/src/config.rs	0	3	0.0%
payjoin-directory/src/main.rs	0	3	0.0%
payjoin-directory/src/db/mod.rs	0	14	0.0%
payjoin-directory/src/lib.rs	12	41	29.27%
payjoin-directory/src/db/files.rs	514	580	88.62%

Files with Coverage Reduction	New Missed Lines	%
payjoin-directory/src/config.rs	1	0.0%
payjoin-directory/src/lib.rs	1	59.74%
payjoin-directory/src/main.rs	1	0.0%

Totals
Change from base Build 17861715558:	0.1%
Covered Lines:	8547
Relevant Lines:	10088

---

💛 - Coveralls

[benalleng]

I created 2 tests to cover the mutants for these.
First a quick helper function for mock errors

#src/core/receive/v2/mod.rs
    pub(crate) fn mock_err() -> (String, JsonReply) {
        let noop_persister = NoopSessionPersister::default();
        let receiver = Receiver { state: unchecked_proposal_v2_from_test_vector() };
        let server_error = || {
            receiver
                .clone()
                .check_broadcast_suitability(None, |_| Err("mock error".into()))
                .save(&noop_persister)
        };

        let error = server_error().expect_err("Server error should be populated with mock error");
        let res = error.api_error().expect("check_broadcast error should propagate to api error");
        let actual_json = JsonReply::from(&res);
        (res.to_string(), actual_json)
    }

#src/core/receive/v2/session.rs
    #[test]
    fn test_skipped_session_extract_err_request() -> Result<(), BoxError> {
        let ohttp_relay = EXAMPLE_URL.clone();
        let mock_err = mock_err();

        let session_history = SessionHistory { events: vec![SessionEvent::MaybeInputsOwned()] };
        let err_req = session_history.extract_err_req(&ohttp_relay)?;
        assert!(err_req.is_none());

        let session_history = SessionHistory {
            events: vec![
                SessionEvent::MaybeInputsOwned(),
                SessionEvent::SessionInvalid(mock_err.0.clone(), Some(mock_err.1.clone())),
            ],
        };

        let err_req = session_history.extract_err_req(&ohttp_relay)?;
        assert!(err_req.is_none());

        let session_history = SessionHistory {
            events: vec![
                SessionEvent::Created(SHARED_CONTEXT.clone()),
                SessionEvent::MaybeInputsOwned(),
                SessionEvent::SessionInvalid(mock_err.0.clone(), Some(mock_err.1.clone())),
            ],
        };

        let err_req = session_history.extract_err_req(&ohttp_relay)?;
        assert!(err_req.is_none());
        Ok(())
    }

    #[test]
    fn test_session_extract_err_req_reply_key() -> Result<(), BoxError> {
        let proposal = proposal_from_test_vector();
        let ohttp_relay = EXAMPLE_URL.clone();
        let mock_err = mock_err();

        let session_history_one = SessionHistory {
            events: vec![
                SessionEvent::Created(SHARED_CONTEXT.clone()),
                SessionEvent::UncheckedOriginalPsbt((
                    proposal.clone(),
                    Some(crate::HpkeKeyPair::gen_keypair().1),
                )),
                SessionEvent::SessionInvalid(mock_err.0.clone(), Some(mock_err.1.clone())),
            ],
        };

        let err_req_one = session_history_one.extract_err_req(&ohttp_relay)?;
        assert!(err_req_one.is_some());

        let session_history_two = SessionHistory {
            events: vec![
                SessionEvent::Created(SHARED_CONTEXT.clone()),
                SessionEvent::UncheckedOriginalPsbt((
                    proposal.clone(),
                    Some(crate::HpkeKeyPair::gen_keypair().1),
                )),
                SessionEvent::SessionInvalid(mock_err.0, Some(mock_err.1)),
            ],
        };

        let err_req_two = session_history_two.extract_err_req(ohttp_relay)?;
        assert!(err_req_two.is_some());
        assert_ne!(
            session_history_one.session_context().unwrap().reply_key,
            session_history_two.session_context().unwrap().reply_key
        );

        Ok(())
    }

This function can be simplified with that above helper function.

rust-payjoin/payjoin/src/core/receive/v2/mod.rs

Lines 1288 to 1316 in 87b0b69

	#[test]
	fn test_extract_err_req() -> Result<(), BoxError> {
	let noop_persister = NoopSessionPersister::default();
	let receiver = Receiver { state: unchecked_proposal_v2_from_test_vector() };
	let server_error = || {
	receiver
	.clone()
	.check_broadcast_suitability(None, |_| Err("mock error".into()))
	.save(&noop_persister)
	};
	let expected_json = serde_json::json!({
	"errorCode": "unavailable",
	"message": "Receiver error"
	});
	let error = server_error().expect_err("Server error should be populated with mock error");
	let res = error.api_error().expect("check_broadcast error should propagate to api error");
	let actual_json = JsonReply::from(&res);
	assert_eq!(actual_json.to_json(), expected_json);
	let (_req, _ctx) = extract_err_req(&actual_json, &*EXAMPLE_URL, &SHARED_CONTEXT)?;
	let internal_error: ReplyableError = InternalPayloadError::MissingPayment.into();
	let (_req, _ctx) =
	extract_err_req(&(&internal_error).into(), &*EXAMPLE_URL, &SHARED_CONTEXT)?;
	Ok(())
	}

#src/core/receive/v2/mod.rs
    #[test]
    fn test_extract_err_req() -> Result<(), BoxError> {
        let receiver = Receiver { state: unchecked_proposal_v2_from_test_vector() };
        let mock_err = mock_err();
        let expected_json = serde_json::json!({
            "errorCode": "unavailable",
            "message": "Receiver error"
        });

        assert_eq!(mock_err.1.to_json(), expected_json);

        let (_req, _ctx) = extract_err_req(&mock_err.1, &*EXAMPLE_URL, &receiver.session_context)?;

        let internal_error: ReplyableError = InternalPayloadError::MissingPayment.into();
        let (_req, _ctx) =
            extract_err_req(&(&internal_error).into(), &*EXAMPLE_URL, &receiver.session_context)?;
        Ok(())
    }

[nothingmuch]

perfect timing i was just about to do this myself good thing i checked my phone first... thanks so much!

[spacebear21]

code ACK, thank you for putting so much thought into this, this PR was a pleasure to read.

I'm not sure what is a good way to test this. How would you suggest validating this change before we deploy it to the production server?

[spacebear21]

It's unclear to me from the docstring what the special meaning of 1 + 12 + 8 is?

[nothingmuch]

it's just a power of two that's a loose bound on the estimate in the comment, $2 \cdot 4000 \cdot 144 < 2 \cdot 4096 \cdot 256 = 2^{1 + 12 + 8}$

[spacebear21]

This seemingly contradicts the commit message, which states that "v1 requests and responses are not [saved to disk]". Is XORing still useful if we are only writing encrypted v2 requests to disk?

[nothingmuch]

good catch, the comment predates that change, before I realized there's no point in storing the sender's original PSBT either since if the sender is gone there's no point in replying, i'll update the comment

honestly produced v2 requests are encrypted, but the directory has no way of verifying that, so a malicious client might get a directory to store something illegal on its drive, or even just something that triggers an antivirus program and causes disruption to the service, so XOR obfuscation makes sense for v2 as well

[spacebear21]

I noticed a few FIXME comments leftover here and in other places, do you plan on addressing these here or defer as follow-ups?

[nothingmuch]

i'm undecided, there's some hassles with these tests because this uses SystemTime, not tokio::time::Instant (so therefore mocking time is trickier) causing these commented out assertions to be a bit flakey...

there's no guarantee that filesystem timestamps are monotonically increasing, so if the system clock is readjusted this can cause some issues as well such as nominal creation times in the future, and time arithmetic can fail. i went back and forth between the two time representations and kinda settled on the current implementation but i don't like the fact that it can't be reliably tested, nor am i 100% convinced that the pruning behavior is entirely correct. the consequences are not very serious if there is a bug so i'm happy handling in a followup.

one thing i considered but ultimately decided against, without much conviction, is defining a new Error type that's basically enum { IO(std::io::Error), Time(SystemTime::Error) } to account for the dependence on the clock being correct, but this seems like it leaked an implementation detail and there isn't much that could be done to handle that error

[benalleng]

This seems appropriate to follow up with in or after #1047?

[nothingmuch]

no that PR only affects the payjoin crate, and this only concerns the directory, but also SystemTime dependence is inherent since that's what the type of timestamp files on disk have

[nothingmuch]

code ACK, thank you for putting so much thought into this, this PR was a pleasure to read.

thanks for the kind words! makes me happy to read that

I'm not sure what is a good way to test this. How would you suggest validating this change before we deploy it to the production server?

the tests all pass with this (after #981, before that there were a few tests that dependended on overwriting behavior). i also tested manually quite a bit.

something that we could consider is to have a Db impl that multiplexes to two backends and checks that they agree, to see that we don't regress from redis behavior but for the basic store & fetch behavior that's kinda trivial, expiry is what makes more of a difference, and that was never really implemented for redis...

i would be interested to explore fuzzing options, that's something i really don't have any experience with but have some understanding of how it works, it seems well suited for this

and another approach would be property testing

[benalleng]

I created a local branch that simply unlocks the integration tests on our ffi layer, it looks promising as we no longer get any of the runtime errors! 🥳

benalleng@483a793

Dart

• ubuntu: https://github.com/benalleng/rust-payjoin/actions/runs/17347508966/job/49249402134#step:7:22
• macos: https://github.com/benalleng/rust-payjoin/actions/runs/17347508966/job/49249402127#step:7:22

Python

• ubuntu: https://github.com/benalleng/rust-payjoin/actions/runs/17347508963/job/49249402106#step:9:20
• macos: https://github.com/benalleng/rust-payjoin/actions/runs/17347508963/job/49249402107#step:9:25

Note:

there are warnings though in the macos python test

/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/linecache.py:52: ResourceWarning: unclosed <socket.socket fd=23, family=30, type=1, proto=6, laddr=('::1', 49235, 0, 0), raddr=('::1', 49230, 0, 0)>
  def checkcache(filename=None):
ResourceWarning: Enable tracemalloc to get the object allocation traceback
/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/asyncio/selector_events.py:879: ResourceWarning: unclosed transport <_SelectorSocketTransport fd=23 read=idle write=<idle, bufsize=0>>
  _warn(f"unclosed transport {self!r}", ResourceWarning, source=self)
ResourceWarning: Enable tracemalloc to get the object allocation traceback

[arminsabouri]

utACK/codeACK

Core logic in files.rs checks out with me. I had a couple questions and nits.
Have you thought about deployment strategy? How do / should we migrate existing redis sessions?

[arminsabouri]

These may get resolve in a future commit but wanted to call them out incase they don't.
Either InternalServerError or 503 could make sense here.

[nothingmuch]

these need to be addressed in this PR, so on point

[benalleng]

went with a 503 ServiceUnavailable Error for OverCapacity and in some discussion with yuval decided that 410 Gone was appropriate for V1SenderUnavailable as the intention is to say that the sender is gone and not coming back so the user should try again with a new request.

i'm not 100% sure 410 Gone is appropriate if the same resource would become valid in the near future

some 4xx code that indicates that the client should not retry that particular request, but GET again, and then retry a different request with payjoin proposal

410 seems appropriate, even though it initial intention is seo, in our case saying that the sender is gone and not coming back so you should try a different request seems to be covered here

Ultimately it hinges on whether we think it appropriate to expect the sender to come back in a v1 payjoin?

[nothingmuch]

it's appropriate to expect that, the sender can just retry and the receiver can as well (but should not just retry posting the same PUT request, but first GET the new request by the sender to ensure it's not stale)

we can just specify (in BIP 77) that in these circumstances the directory should respond with 410, and that it's OK to retry in the specific manner (if it's a fresh request resulting from another get), so essentially this is an aesthetics/bikeshedding thing, choosing the most appropriate status code to convey the specific failure condition is more of a bikeshedding thing in practice (but helps convey the intent to implementors)

alternative codes i've considered: 404, 424 (obscure) 502 or 504 could all be argued to make sense in this context

[benalleng]

but should not just retry posting the same PUT request, but first GET the new request by the sender to ensure it's not stale

I think this is why 410 is appropriate as this implies the request used to get to this point should be discarded and a new GET request is needed.

[arminsabouri]

Is this the correct error to return?

[nothingmuch]

I think so, but the comment should explain why. Basically, it's correct that there's no capacity. There may be capacity in the future. This should only happen in case of a collision, in which case it makes sense to wait and try again later, if two the a v1 sender's message gets to the wrong receiver then it should be rejected because the payment address is unrecognized, however, for this to happen it'd need to happen in a 30 second window or so. Similarly, if an attacker managed to guess the short ID of a v1 session, then it's better not to directly leak that it succeeded in doing that (an over capacity error is still a statistical leak if random v2 writes do work).

[arminsabouri]

Nit: uncomplete comment.

[benalleng]

I just added.
"Prune in flight requests, these can persist in the case of an incomplete session"
Not sure if this actually is appropriate here..?

[nothingmuch]

once the last v2 getter for a mailbox times out and there are no more inflight requests, the shared future is still in the table

[arminsabouri]

Just want to double check my understanding. If the receiver end timesout it will clean up the waitmap entry, correct?

[nothingmuch]

not on its own, that's what the .retain() line in prune does, after the last receiver times out the shared future will have a refcount of 1 since its only copy is in the waitmap, and those entries will be cleared on the next pass

[arminsabouri]

re-utACK 0b6d029

Reviewed the pushes that occured from my last ack to now.

[arminsabouri]

Nit: This is the sqlite database correct? if so its not only mailbox data

[nothingmuch]

no just files on disk

[spacebear21]

re-ACK 0b6d029 🚀