@devtion/backend 0.0.0-5d170d3 → 0.0.0-7cfaa5d

package/README.md

@@ -100,6 +100,32 @@ yarn firebase:init
 
 ### Deployment
 
+#### AWS Infrastructure
+
+0. Login or create a [new AWS Account](https://portal.aws.amazon.com/billing/signup?nc2=h_ct&src=header_signup&redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start/email).
+    - The AWS free tier account will cover a good number of requests for ceremonies but there could be some costs based on your ceremony circuits size.
+1. Create an access key for a user with Admin privileges (**NOT ROOT USER**)
+2. Setup the `awscli` ([docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)) and add the keys for this user.
+3. Install `terraform` ([docs](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli))
+4. Decide on an AWS region (by default this is **us-east-1**) - if you want to change you will need to do the following:
+    1. update **aws/lambda/index.mjs** ([exact line](https://github.com/privacy-scaling-explorations/p0tion/blob/dev/packages/backend/aws/lambda/index.mjs#L3)) to the new region
+    2. update **main.tf** ([exact line](https://github.com/privacy-scaling-explorations/p0tion/blob/dev/packages/backend/aws/main.tf#L2)) to the new region
+5. zip the Lambda folder:
+    1. `cd lambda`
+    2. `zip -r ../lambda.zip .`
+6. Run terraform:
+    1. `terraform init`
+    2. `terraform plan`
+    3. `terraform apply`
+    4. `terraform output secret_key`
+        - To print the secret access key for the IAM user
+    5. Store the other values (sns_topic_arn etc.)
+        - These will be needed for the .env file configuration
+
+The IAM user created with the steps above can be used for all p0tion's features.
+
+#### Firebase
+
 Deploy the current configuration to the `prod` project running
 
 ```bash

package/dist/src/functions/index.js

@@ -1,6 +1,6 @@
 /**
- * @module @p0tion/backend
- * @version 1.0.5
+ * @module @devtion/backend
+ * @version 1.0.8
  * @file MPC Phase 2 backend for Firebase services management
  * @copyright Ethereum Foundation 2022
  * @license MIT
@@ -11,7 +11,7 @@
 var admin = require('firebase-admin');
 var functions = require('firebase-functions');
 var dotenv = require('dotenv');
-var actions = require('@p0tion/actions');
+var actions = require('@devtion/actions');
 var htmlEntities = require('html-entities');
 var firestore = require('firebase-admin/firestore');
 var clientS3 = require('@aws-sdk/client-s3');
@@ -144,7 +144,8 @@ const SPECIFIC_ERRORS = {
     SE_VM_FAILED_COMMAND_EXECUTION: makeError("failed-precondition", "VM command execution failed", "Please, contact the coordinator if this error persists."),
     SE_VM_TIMEDOUT_COMMAND_EXECUTION: makeError("deadline-exceeded", "VM command execution took too long and has been timed-out", "Please, contact the coordinator if this error persists."),
     SE_VM_CANCELLED_COMMAND_EXECUTION: makeError("cancelled", "VM command execution has been cancelled", "Please, contact the coordinator if this error persists."),
-    SE_VM_DELAYED_COMMAND_EXECUTION: makeError("unavailable", "VM command execution has been delayed since there were no available instance at the moment", "Please, contact the coordinator if this error persists.")
+    SE_VM_DELAYED_COMMAND_EXECUTION: makeError("unavailable", "VM command execution has been delayed since there were no available instance at the moment", "Please, contact the coordinator if this error persists."),
+    SE_VM_UNKNOWN_COMMAND_STATUS: makeError("unavailable", "VM command execution has failed due to an unknown status code", "Please, contact the coordinator if this error persists.")
 };
 /**
  * A set of common errors.
@@ -328,7 +329,7 @@ const downloadArtifactFromS3Bucket = async (bucketName, objectKey, localFilePath
     const writeStream = node_fs.createWriteStream(localFilePath);
     const streamPipeline = node_util.promisify(node_stream.pipeline);
     await streamPipeline(response.body, writeStream);
-    writeStream.on('finish', () => {
+    writeStream.on("finish", () => {
         writeStream.end();
     });
 };
@@ -544,8 +545,10 @@ const registerAuthUser = functions__namespace
     const { uid } = user;
     // Reference to a document using uid.
     const userRef = firestore.collection(actions.commonTerms.collections.users.name).doc(uid);
-    // html encode the display name
-    const encodedDisplayName = htmlEntities.encode(displayName);
+    // html encode the display name (or put the ID if the name is not displayed)
+    const encodedDisplayName = user.displayName === "Null" || user.displayName === null ? user.uid : htmlEntities.encode(displayName);
+    // store the avatar URL of a contributor
+    let avatarUrl = "";
     // we only do reputation check if the user is not a coordinator
     if (!(email?.endsWith(`@${process.env.CUSTOM_CLAIMS_COORDINATOR_EMAIL_ADDRESS_OR_DOMAIN}`) ||
         email === process.env.CUSTOM_CLAIMS_COORDINATOR_EMAIL_ADDRESS_OR_DOMAIN)) {
@@ -555,14 +558,18 @@ const registerAuthUser = functions__namespace
             const vars = getGitHubVariables();
             // this return true or false
             try {
-                const res = await actions.githubReputation(user.providerData[0].uid, vars.minimumFollowing, vars.minimumFollowers, vars.minimumPublicRepos);
-                if (!res) {
+                const { reputable, avatarUrl: avatarURL } = await actions.githubReputation(user.providerData[0].uid, vars.minimumFollowing, vars.minimumFollowers, vars.minimumPublicRepos);
+                if (!reputable) {
                     // Delete user
                     await auth.deleteUser(user.uid);
                     // Throw error
-                    logAndThrowError(makeError("permission-denied", "The user is not allowed to sign up because their Github reputation is not high enough.", `The user ${user.displayName} is not allowed to sign up because their Github reputation is not high enough. Please contact the administrator if you think this is a mistake.`));
+                    logAndThrowError(makeError("permission-denied", "The user is not allowed to sign up because their Github reputation is not high enough.", `The user ${user.displayName === "Null" || user.displayName === null
+                        ? user.uid
+                        : user.displayName} is not allowed to sign up because their Github reputation is not high enough. Please contact the administrator if you think this is a mistake.`));
                 }
-                printLog(`Github reputation check passed for user ${user.displayName}`, LogLevel.DEBUG);
+                // store locally
+                avatarUrl = avatarURL;
+                printLog(`Github reputation check passed for user ${user.displayName === "Null" || user.displayName === null ? user.uid : user.displayName}`, LogLevel.DEBUG);
             }
             catch (error) {
                 // Delete user
@@ -572,6 +579,8 @@ const registerAuthUser = functions__namespace
         }
     }
     // Set document (nb. we refer to providerData[0] because we use Github OAuth provider only).
+    // In future releases we might want to loop through the providerData array as we support
+    // more providers.
     await userRef.set({
         name: encodedDisplayName,
         encodedDisplayName,
@@ -584,7 +593,13 @@ const registerAuthUser = functions__namespace
         photoURL: photoURL || "",
         lastUpdated: getCurrentServerTimestampInMillis()
     });
+    // we want to create a new collection for the users to store the avatars
+    const avatarRef = firestore.collection(actions.commonTerms.collections.avatars.name).doc(uid);
+    await avatarRef.set({
+        avatarUrl: avatarUrl || ""
+    });
     printLog(`Authenticated user document with identifier ${uid} has been correctly stored`, LogLevel.DEBUG);
+    printLog(`Authenticated user avatar with identifier ${uid} has been correctly stored`, LogLevel.DEBUG);
 });
 /**
  * Set custom claims for role-based access control on the newly created user.
@@ -721,7 +736,7 @@ const setupCeremony = functions__namespace
         // Check if using the VM approach for contribution verification.
         if (circuit.verification.cfOrVm === "VM" /* CircuitContributionVerificationMechanism.VM */) {
             // VM command to be run at the startup.
-            const startupCommand = actions.vmBootstrapCommand(bucketName);
+            const startupCommand = actions.vmBootstrapCommand(`${bucketName}/circuits/${circuit.name}`);
             // Get EC2 client.
             const ec2Client = await createEC2Client();
             // Get AWS variables.
@@ -730,7 +745,8 @@ const setupCeremony = functions__namespace
             const vmCommands = actions.vmDependenciesAndCacheArtifactsCommand(`${bucketName}/${circuit.files?.initialZkeyStoragePath}`, `${bucketName}/${circuit.files?.potStoragePath}`, snsTopic, region);
             printLog(`Check VM dependencies and cache artifacts commands ${vmCommands.join("\n")}`, LogLevel.DEBUG);
             // Upload the post-startup commands script file.
-            await uploadFileToBucketNoFile(bucketName, actions.vmBootstrapScriptFilename, vmCommands.join("\n"));
+            printLog(`Uploading VM post-startup commands script file ${actions.vmBootstrapScriptFilename}`, LogLevel.DEBUG);
+            await uploadFileToBucketNoFile(bucketName, `circuits/${circuit.name}/${actions.vmBootstrapScriptFilename}`, vmCommands.join("\n"));
             // Compute the VM disk space requirement (in GB).
             const vmDiskSize = actions.computeDiskSizeForVM(circuit.zKeySizeInBytes, circuit.metadata?.pot);
             printLog(`Check VM startup commands ${startupCommand.join("\n")}`, LogLevel.DEBUG);
@@ -877,7 +893,7 @@ dotenv.config();
  * @dev true when the participant can participate (1.A, 3.B, 1.D); otherwise false.
  */
 const checkParticipantForCeremony = functions__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -981,7 +997,7 @@ const checkParticipantForCeremony = functions__namespace
  * 2) the participant has just finished the contribution for a circuit (contributionProgress != 0 && status = CONTRIBUTED && contributionStep = COMPLETED).
  */
 const progressToNextCircuitForContribution = functions__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1028,7 +1044,7 @@ const progressToNextCircuitForContribution = functions__namespace
  * 5) Completed contribution computation and verification.
  */
 const progressToNextContributionStep = functions__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1079,7 +1095,7 @@ const progressToNextContributionStep = functions__namespace
  * @dev enable the current contributor to resume a contribution from where it had left off.
  */
 const permanentlyStoreCurrentContributionTimeAndHash = functions__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1121,7 +1137,7 @@ const permanentlyStoreCurrentContributionTimeAndHash = functions__namespace
  * @dev enable the current contributor to resume a multi-part upload from where it had left off.
  */
 const temporaryStoreCurrentContributionMultiPartUploadId = functions__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1159,7 +1175,7 @@ const temporaryStoreCurrentContributionMultiPartUploadId = functions__namespace
  * @dev enable the current contributor to resume a multi-part upload from where it had left off.
  */
 const temporaryStoreCurrentContributionUploadedChunkData = functions__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1201,7 +1217,7 @@ const temporaryStoreCurrentContributionUploadedChunkData = functions__namespace
  * contributed to every selected ceremony circuits (= DONE).
  */
 const checkAndPrepareCoordinatorForFinalization = functions__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1292,6 +1308,7 @@ const coordinate = async (participant, circuit, isSingleParticipantCoordination,
             printLog(`Coordinate - executing scenario A - single - participantResumingAfterTimeoutExpiration`, LogLevel.DEBUG);
             newParticipantStatus = "CONTRIBUTING" /* ParticipantStatus.CONTRIBUTING */;
             newContributionStep = "DOWNLOADING" /* ParticipantContributionStep.DOWNLOADING */;
+            newCurrentContributorId = participant.id;
         }
         // Scenario (B).
         else if (participantIsNotCurrentContributor) {
@@ -1352,39 +1369,54 @@ const coordinate = async (participant, circuit, isSingleParticipantCoordination,
  * Wait until the command has completed its execution inside the VM.
  * @dev this method implements a custom interval to check 5 times after 1 minute if the command execution
  * has been completed or not by calling the `retrieveCommandStatus` method.
- * @param {any} resolve the promise.
- * @param {any} reject the promise.
  * @param {SSMClient} ssm the SSM client.
  * @param {string} vmInstanceId the unique identifier of the VM instance.
  * @param {string} commandId the unique identifier of the VM command.
  * @returns <Promise<void>> true when the command execution succeed; otherwise false.
  */
-const waitForVMCommandExecution = (resolve, reject, ssm, vmInstanceId, commandId) => {
-    const interval = setInterval(async () => {
+const waitForVMCommandExecution = (ssm, vmInstanceId, commandId) => new Promise((resolve, reject) => {
+    const poll = async () => {
         try {
             // Get command status.
             const cmdStatus = await actions.retrieveCommandStatus(ssm, vmInstanceId, commandId);
             printLog(`Checking command ${commandId} status => ${cmdStatus}`, LogLevel.DEBUG);
-            if (cmdStatus === clientSsm.CommandInvocationStatus.SUCCESS) {
-                printLog(`Command ${commandId} successfully completed`, LogLevel.DEBUG);
-                // Resolve the promise.
-                resolve();
-            }
-            else if (cmdStatus === clientSsm.CommandInvocationStatus.FAILED) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_FAILED_COMMAND_EXECUTION);
-                reject();
-            }
-            else if (cmdStatus === clientSsm.CommandInvocationStatus.TIMED_OUT) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_TIMEDOUT_COMMAND_EXECUTION);
-                reject();
-            }
-            else if (cmdStatus === clientSsm.CommandInvocationStatus.CANCELLED) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_CANCELLED_COMMAND_EXECUTION);
-                reject();
+            let error;
+            switch (cmdStatus) {
+                case clientSsm.CommandInvocationStatus.CANCELLING:
+                case clientSsm.CommandInvocationStatus.CANCELLED: {
+                    error = SPECIFIC_ERRORS.SE_VM_CANCELLED_COMMAND_EXECUTION;
+                    break;
+                }
+                case clientSsm.CommandInvocationStatus.DELAYED: {
+                    error = SPECIFIC_ERRORS.SE_VM_DELAYED_COMMAND_EXECUTION;
+                    break;
+                }
+                case clientSsm.CommandInvocationStatus.FAILED: {
+                    error = SPECIFIC_ERRORS.SE_VM_FAILED_COMMAND_EXECUTION;
+                    break;
+                }
+                case clientSsm.CommandInvocationStatus.TIMED_OUT: {
+                    error = SPECIFIC_ERRORS.SE_VM_TIMEDOUT_COMMAND_EXECUTION;
+                    break;
+                }
+                case clientSsm.CommandInvocationStatus.IN_PROGRESS:
+                case clientSsm.CommandInvocationStatus.PENDING: {
+                    // wait a minute and poll again
+                    setTimeout(poll, 60000);
+                    return;
+                }
+                case clientSsm.CommandInvocationStatus.SUCCESS: {
+                    printLog(`Command ${commandId} successfully completed`, LogLevel.DEBUG);
+                    // Resolve the promise.
+                    resolve();
+                    return;
+                }
+                default: {
+                    logAndThrowError(SPECIFIC_ERRORS.SE_VM_UNKNOWN_COMMAND_STATUS);
+                }
             }
-            else if (cmdStatus === clientSsm.CommandInvocationStatus.DELAYED) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_DELAYED_COMMAND_EXECUTION);
-                reject();
+            if (error) {
+                logAndThrowError(error);
             }
         }
         catch (error) {
@@ -1394,59 +1426,9 @@ const waitForVMCommandExecution = (resolve, reject, ssm, vmInstanceId, commandId
             // Reject the promise.
             reject();
         }
-        finally {
-            // Clear the interval.
-            clearInterval(interval);
-        }
-    }, 60000); // 1 minute.
-};
-/**
- * Wait until the artifacts have been downloaded.
- * @param {any} resolve the promise.
- * @param {any} reject the promise.
- * @param {string} potTempFilePath the tmp path to the locally downloaded pot file.
- * @param {string} firstZkeyTempFilePath the tmp path to the locally downloaded first zkey file.
- * @param {string} lastZkeyTempFilePath the tmp path to the locally downloaded last zkey file.
- */
-const waitForFileDownload = (resolve, reject, potTempFilePath, firstZkeyTempFilePath, lastZkeyTempFilePath, circuitId, participantId) => {
-    const maxWaitTime = 5 * 60 * 1000; // 5 minutes
-    // every second check if the file download was completed
-    const interval = setInterval(async () => {
-        printLog(`Verifying that the artifacts were downloaded for circuit ${circuitId} and participant ${participantId}`, LogLevel.DEBUG);
-        try {
-            // check if files have been downloaded
-            if (!fs.existsSync(potTempFilePath)) {
-                printLog(`Pot file not found at ${potTempFilePath}`, LogLevel.DEBUG);
-            }
-            if (!fs.existsSync(firstZkeyTempFilePath)) {
-                printLog(`First zkey file not found at ${firstZkeyTempFilePath}`, LogLevel.DEBUG);
-            }
-            if (!fs.existsSync(lastZkeyTempFilePath)) {
-                printLog(`Last zkey file not found at ${lastZkeyTempFilePath}`, LogLevel.DEBUG);
-            }
-            // if all files were downloaded
-            if (fs.existsSync(potTempFilePath) && fs.existsSync(firstZkeyTempFilePath) && fs.existsSync(lastZkeyTempFilePath)) {
-                printLog(`All required files are present on disk.`, LogLevel.INFO);
-                // resolve the promise
-                resolve();
-            }
-        }
-        catch (error) {
-            // if we have an error then we print it as a warning and reject
-            printLog(`Error while downloading files: ${error}`, LogLevel.WARN);
-            reject();
-        }
-        finally {
-            printLog(`Clearing the interval for file download. Circuit ${circuitId} and participant ${participantId}`, LogLevel.DEBUG);
-            clearInterval(interval);
-        }
-    }, 5000);
-    // we want to clean in 5 minutes in case
-    setTimeout(() => {
-        clearInterval(interval);
-        reject(new Error('Timeout exceeded while waiting for files to be downloaded.'));
-    }, maxWaitTime);
-};
+    };
+    setTimeout(poll, 60000);
+});
 /**
  * This method is used to coordinate the waiting queues of ceremony circuits.
  * @dev this cloud function is triggered whenever an update of a document related to a participant of a ceremony occurs.
@@ -1467,7 +1449,7 @@ const waitForFileDownload = (resolve, reject, potTempFilePath, firstZkeyTempFile
  * - Just completed a contribution or all contributions for each circuit. If yes, coordinate (multi-participant scenario).
  */
 const coordinateCeremonyParticipant = functionsV1__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1570,7 +1552,7 @@ const checkIfVMRunning = async (ec2, vmInstanceId, attempts = 5) => {
  *       1.A.4.C.1) If true, update circuit waiting for queue and average timings accordingly to contribution verification results;
  * 2) Send all updates atomically to the Firestore database.
  */
-const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB", timeoutSeconds: 3600, region: 'europe-west1' }, async (request) => {
+const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB", timeoutSeconds: 3600, region: "europe-west1" }, async (request) => {
     if (!request.auth || (!request.auth.token.participant && !request.auth.token.coordinator))
         logAndThrowError(SPECIFIC_ERRORS.SE_AUTH_NO_CURRENT_AUTH_USER);
     if (!request.data.ceremonyId ||
@@ -1681,8 +1663,6 @@ const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB"
                 lastZkeyBlake2bHash = match.at(0);
                 // re upload the formatted verification transcript
                 await uploadFileToBucket(bucketName, verificationTranscriptStoragePathAndFilename, verificationTranscriptTemporaryLocalPath, true);
-                // Stop VM instance.
-                await actions.stopEC2Instance(ec2, vmInstanceId);
             }
             else {
                 // Upload verification transcript.
@@ -1743,6 +1723,9 @@ const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB"
                 lastUpdated: getCurrentServerTimestampInMillis()
             });
         }
+        // Stop VM instance
+        if (isUsingVM)
+            await actions.stopEC2Instance(ec2, vmInstanceId);
         // Step (1.A.4.C)
         if (!isFinalizing) {
             // Step (1.A.4.C.1)
@@ -1758,6 +1741,8 @@ const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB"
                 ? (avgVerifyCloudFunctionTime + verifyCloudFunctionTime) / 2
                 : verifyCloudFunctionTime;
             // Prepare tx to update circuit average contribution/verification time.
+            const updatedCircuitDoc = await getDocumentById(actions.getCircuitsCollectionPath(ceremonyId), circuitId);
+            const { waitingQueue: updatedWaitingQueue } = updatedCircuitDoc.data();
             /// @dev this must happen only for valid contributions.
             batch.update(circuitDoc.ref, {
                 avgTimings: {
@@ -1770,7 +1755,7 @@ const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB"
                         : avgVerifyCloudFunctionTime
                 },
                 waitingQueue: {
-                    ...waitingQueue,
+                    ...updatedWaitingQueue,
                     completedContributions: isContributionValid
                         ? completedContributions + 1
                         : completedContributions,
@@ -1805,7 +1790,7 @@ const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB"
             commandId = await actions.runCommandUsingSSM(ssm, vmInstanceId, verificationCommand);
             printLog(`Starting the execution of command ${commandId}`, LogLevel.DEBUG);
             // Step (1.A.3.3).
-            return new Promise((resolve, reject) => waitForVMCommandExecution(resolve, reject, ssm, vmInstanceId, commandId))
+            return waitForVMCommandExecution(ssm, vmInstanceId, commandId)
                 .then(async () => {
                 // Command execution successfully completed.
                 printLog(`Command ${commandId} execution has been successfully completed`, LogLevel.DEBUG);
@@ -1817,52 +1802,38 @@ const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB"
                 logAndThrowError(COMMON_ERRORS.CM_INVALID_COMMAND_EXECUTION);
             });
         }
-        else {
-            // CF approach.
-            printLog(`CF mechanism`, LogLevel.DEBUG);
-            const potStoragePath = actions.getPotStorageFilePath(files.potFilename);
-            const firstZkeyStoragePath = actions.getZkeyStorageFilePath(prefix, `${prefix}_${actions.genesisZkeyIndex}.zkey`);
-            // Prepare temporary file paths.
-            // (nb. these are needed to download the necessary artifacts for verification from AWS S3).
-            verificationTranscriptTemporaryLocalPath = createTemporaryLocalPath(verificationTranscriptCompleteFilename);
-            const potTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}.pot`);
-            const firstZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_genesis.zkey`);
-            const lastZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_last.zkey`);
-            // Create and populate transcript.
-            const transcriptLogger = actions.createCustomLoggerForFile(verificationTranscriptTemporaryLocalPath);
-            transcriptLogger.info(`${isFinalizing ? `Final verification` : `Verification`} transcript for ${prefix} circuit Phase 2 contribution.\n${isFinalizing ? `Coordinator ` : `Contributor # ${Number(lastZkeyIndex)}`} (${contributorOrCoordinatorIdentifier})\n`);
-            // Step (1.A.2).
-            await downloadArtifactFromS3Bucket(bucketName, potStoragePath, potTempFilePath);
-            await downloadArtifactFromS3Bucket(bucketName, firstZkeyStoragePath, firstZkeyTempFilePath);
-            await downloadArtifactFromS3Bucket(bucketName, lastZkeyStoragePath, lastZkeyTempFilePath);
-            await sleep(6000);
-            // wait until the files are actually downloaded
-            return new Promise((resolve, reject) => waitForFileDownload(resolve, reject, potTempFilePath, firstZkeyTempFilePath, lastZkeyTempFilePath, circuitId, participantDoc.id))
-                .then(async () => {
-                printLog(`Downloads from AWS S3 bucket completed - ceremony ${ceremonyId} circuit ${circuitId}`, LogLevel.DEBUG);
-                // Step (1.A.4).
-                isContributionValid = await snarkjs.zKey.verifyFromInit(firstZkeyTempFilePath, potTempFilePath, lastZkeyTempFilePath, transcriptLogger);
-                // Compute contribution hash.
-                lastZkeyBlake2bHash = await actions.blake512FromPath(lastZkeyTempFilePath);
-                // Free resources by unlinking temporary folders.
-                // Do not free-up verification transcript path here.
-                try {
-                    fs.unlinkSync(potTempFilePath);
-                    fs.unlinkSync(firstZkeyTempFilePath);
-                    fs.unlinkSync(lastZkeyTempFilePath);
-                }
-                catch (error) {
-                    printLog(`Error while unlinking temporary files - Error ${error}`, LogLevel.WARN);
-                }
-                await completeVerification();
-            })
-                .catch((error) => {
-                // Throw the new error
-                const commonError = COMMON_ERRORS.CM_INVALID_REQUEST;
-                const additionalDetails = error.toString();
-                logAndThrowError(makeError(commonError.code, commonError.message, additionalDetails));
-            });
+        // CF approach.
+        printLog(`CF mechanism`, LogLevel.DEBUG);
+        const potStoragePath = actions.getPotStorageFilePath(files.potFilename);
+        const firstZkeyStoragePath = actions.getZkeyStorageFilePath(prefix, `${prefix}_${actions.genesisZkeyIndex}.zkey`);
+        // Prepare temporary file paths.
+        // (nb. these are needed to download the necessary artifacts for verification from AWS S3).
+        verificationTranscriptTemporaryLocalPath = createTemporaryLocalPath(verificationTranscriptCompleteFilename);
+        const potTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}.pot`);
+        const firstZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_genesis.zkey`);
+        const lastZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_last.zkey`);
+        // Create and populate transcript.
+        const transcriptLogger = actions.createCustomLoggerForFile(verificationTranscriptTemporaryLocalPath);
+        transcriptLogger.info(`${isFinalizing ? `Final verification` : `Verification`} transcript for ${prefix} circuit Phase 2 contribution.\n${isFinalizing ? `Coordinator ` : `Contributor # ${Number(lastZkeyIndex)}`} (${contributorOrCoordinatorIdentifier})\n`);
+        // Step (1.A.2).
+        await downloadArtifactFromS3Bucket(bucketName, potStoragePath, potTempFilePath);
+        await downloadArtifactFromS3Bucket(bucketName, firstZkeyStoragePath, firstZkeyTempFilePath);
+        await downloadArtifactFromS3Bucket(bucketName, lastZkeyStoragePath, lastZkeyTempFilePath);
+        // Step (1.A.4).
+        isContributionValid = await snarkjs.zKey.verifyFromInit(firstZkeyTempFilePath, potTempFilePath, lastZkeyTempFilePath, transcriptLogger);
+        // Compute contribution hash.
+        lastZkeyBlake2bHash = await actions.blake512FromPath(lastZkeyTempFilePath);
+        // Free resources by unlinking temporary folders.
+        // Do not free-up verification transcript path here.
+        try {
+            fs.unlinkSync(potTempFilePath);
+            fs.unlinkSync(firstZkeyTempFilePath);
+            fs.unlinkSync(lastZkeyTempFilePath);
+        }
+        catch (error) {
+            printLog(`Error while unlinking temporary files - Error ${error}`, LogLevel.WARN);
         }
+        await completeVerification();
     }
 });
 /**
@@ -1871,7 +1842,7 @@ const verifycontribution = functionsV2__namespace.https.onCall({ memory: "16GiB"
  * this does not happen if the participant is actually the coordinator who is finalizing the ceremony.
  */
 const refreshParticipantAfterContributionVerification = functionsV1__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1932,7 +1903,7 @@ const refreshParticipantAfterContributionVerification = functionsV1__namespace
  * and verification key extracted from the circuit final contribution (as part of the ceremony finalization process).
  */
 const finalizeCircuit = functionsV1__namespace
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -2129,8 +2100,10 @@ const createBucket = functions__namespace
                     CORSConfiguration: {
                         CORSRules: [
                             {
-                                AllowedMethods: ["GET"],
-                                AllowedOrigins: ["*"]
+                                AllowedMethods: ["GET", "PUT"],
+                                AllowedOrigins: ["*"],
+                                ExposeHeaders: ["ETag", "Content-Length"],
+                                AllowedHeaders: ["*"]
                             }
                         ]
                     }
@@ -2523,7 +2496,7 @@ const checkAndRemoveBlockingContributor = functions__namespace
                                 // Prepare Firestore batch of txs.
                                 const batch = firestore.batch();
                                 // Remove current contributor from waiting queue.
-                                contributors.shift(1);
+                                contributors.shift();
                                 // Check if someone else is ready to start the contribution.
                                 if (contributors.length > 0) {
                                     // Step (E.1).
@@ -2607,7 +2580,8 @@ const resumeContributionAfterTimeoutExpiration = functions__namespace
     if (status === "EXHUMED" /* ParticipantStatus.EXHUMED */)
         await participantDoc.ref.update({
             status: "READY" /* ParticipantStatus.READY */,
-            lastUpdated: getCurrentServerTimestampInMillis()
+            lastUpdated: getCurrentServerTimestampInMillis(),
+            tempContributionData: {}
         });
     else
         logAndThrowError(SPECIFIC_ERRORS.SE_CONTRIBUTE_CANNOT_PROGRESS_TO_NEXT_CIRCUIT);