@devtion/backend 0.0.0-bfc9ee4 → 0.0.0-c1f4cbe

package/dist/src/functions/index.mjs

@@ -1,6 +1,6 @@
 /**
  * @module @p0tion/backend
- * @version 1.0.5
+ * @version 1.1.1
  * @file MPC Phase 2 backend for Firebase services management
  * @copyright Ethereum Foundation 2022
  * @license MIT
@@ -9,7 +9,7 @@
 import admin from 'firebase-admin';
 import * as functions from 'firebase-functions';
 import dotenv from 'dotenv';
-import { getCircuitsCollectionPath, getTimeoutsCollectionPath, commonTerms, finalContributionIndex, getContributionsCollectionPath, githubReputation, getBucketName, vmBootstrapCommand, vmDependenciesAndCacheArtifactsCommand, vmBootstrapScriptFilename, computeDiskSizeForVM, createEC2Instance, getParticipantsCollectionPath, terminateEC2Instance, formatZkeyIndex, getTranscriptStorageFilePath, getZkeyStorageFilePath, startEC2Instance, vmContributionVerificationCommand, runCommandUsingSSM, getPotStorageFilePath, genesisZkeyIndex, createCustomLoggerForFile, blake512FromPath, getVerificationKeyStorageFilePath, getVerifierContractStorageFilePath, computeSHA256ToHex, retrieveCommandStatus, checkIfRunning, retrieveCommandOutput, stopEC2Instance, verificationKeyAcronym, verifierSmartContractAcronym } from '@p0tion/actions';
+import { getCircuitsCollectionPath, getTimeoutsCollectionPath, commonTerms, finalContributionIndex, getContributionsCollectionPath, githubReputation, getBucketName, vmBootstrapCommand, vmDependenciesAndCacheArtifactsCommand, vmBootstrapScriptFilename, computeDiskSizeForVM, createEC2Instance, getParticipantsCollectionPath, terminateEC2Instance, formatZkeyIndex, getTranscriptStorageFilePath, getZkeyStorageFilePath, startEC2Instance, vmContributionVerificationCommand, runCommandUsingSSM, getPotStorageFilePath, genesisZkeyIndex, createCustomLoggerForFile, blake512FromPath, getVerificationKeyStorageFilePath, getVerifierContractStorageFilePath, computeSHA256ToHex, checkIfRunning, retrieveCommandOutput, stopEC2Instance, verificationKeyAcronym, verifierSmartContractAcronym, retrieveCommandStatus } from '@p0tion/actions';
 import { encode } from 'html-entities';
 import { Timestamp, FieldValue } from 'firebase-admin/firestore';
 import { S3Client, GetObjectCommand, PutObjectCommand, DeleteObjectCommand, HeadBucketCommand, CreateBucketCommand, PutPublicAccessBlockCommand, PutBucketCorsCommand, HeadObjectCommand, CreateMultipartUploadCommand, UploadPartCommand, CompleteMultipartUploadCommand } from '@aws-sdk/client-s3';
@@ -19,16 +19,19 @@ import { pipeline } from 'node:stream';
 import { promisify } from 'node:util';
 import fs, { readFileSync } from 'fs';
 import mime from 'mime-types';
-import { setTimeout } from 'timers/promises';
+import { setTimeout as setTimeout$1 } from 'timers/promises';
 import fetch from '@adobe/node-fetch-retry';
 import path from 'path';
 import os from 'os';
 import { SSMClient, CommandInvocationStatus } from '@aws-sdk/client-ssm';
 import { EC2Client } from '@aws-sdk/client-ec2';
+import ethers from 'ethers';
 import * as functionsV1 from 'firebase-functions/v1';
 import * as functionsV2 from 'firebase-functions/v2';
 import { Timer } from 'timer-node';
-import { zKey } from 'snarkjs';
+import { zKey, groth16 } from 'snarkjs';
+import { ApiSdk } from '@bandada/api-sdk';
+import { getAuth } from 'firebase-admin/auth';
 
 /**
  * Log levels.
@@ -49,7 +52,7 @@ var LogLevel;
  * @notice the set of Firebase Functions status codes. The codes are the same at the
  * ones exposed by {@link https://github.com/grpc/grpc/blob/master/doc/statuscodes.md | gRPC}.
  * @param errorCode <FunctionsErrorCode> - the set of possible error codes.
- * @param message <string> - the error messge.
+ * @param message <string> - the error message.
  * @param [details] <string> - the details of the error (optional).
  * @returns <HttpsError>
  */
@@ -121,7 +124,8 @@ const SPECIFIC_ERRORS = {
     SE_VM_FAILED_COMMAND_EXECUTION: makeError("failed-precondition", "VM command execution failed", "Please, contact the coordinator if this error persists."),
     SE_VM_TIMEDOUT_COMMAND_EXECUTION: makeError("deadline-exceeded", "VM command execution took too long and has been timed-out", "Please, contact the coordinator if this error persists."),
     SE_VM_CANCELLED_COMMAND_EXECUTION: makeError("cancelled", "VM command execution has been cancelled", "Please, contact the coordinator if this error persists."),
-    SE_VM_DELAYED_COMMAND_EXECUTION: makeError("unavailable", "VM command execution has been delayed since there were no available instance at the moment", "Please, contact the coordinator if this error persists.")
+    SE_VM_DELAYED_COMMAND_EXECUTION: makeError("unavailable", "VM command execution has been delayed since there were no available instance at the moment", "Please, contact the coordinator if this error persists."),
+    SE_VM_UNKNOWN_COMMAND_STATUS: makeError("unavailable", "VM command execution has failed due to an unknown status code", "Please, contact the coordinator if this error persists.")
 };
 /**
  * A set of common errors.
@@ -140,6 +144,8 @@ const COMMON_ERRORS = {
     CM_INVALID_COMMAND_EXECUTION: makeError("unknown", "There was an error while executing the command on the VM", "Please, contact the coordinator if the error persists.")
 };
 
+dotenv.config();
+let provider;
 /**
  * Return a configured and connected instance of the AWS S3 client.
  * @dev this method check and utilize the environment variables to configure the connection
@@ -162,6 +168,36 @@ const getS3Client = async () => {
         region: process.env.AWS_REGION
     });
 };
+/**
+ * Returns a Prvider, connected via a configured JSON URL or else
+ * the ethers.js default provider, using configured API keys.
+ * @returns <ethers.providers.Provider> An Eth node provider
+ */
+const setEthProvider = () => {
+    if (provider)
+        return provider;
+    console.log(`setting new provider`);
+    // Use JSON URL if defined
+    // if ((hardhat as any).ethers) {
+    //     console.log(`using hardhat.ethers provider`)
+    //     provider = (hardhat as any).ethers.provider
+    // } else
+    if (process.env.ETH_PROVIDER_JSON_URL) {
+        console.log(`JSON URL provider at ${process.env.ETH_PROVIDER_JSON_URL}`);
+        provider = new ethers.providers.JsonRpcProvider({
+            url: process.env.ETH_PROVIDER_JSON_URL,
+            skipFetchSetup: true
+        });
+    }
+    else {
+        // Otherwise, connect the default provider with ALchemy, Infura, or both
+        provider = ethers.providers.getDefaultProvider("homestead", {
+            alchemy: process.env.ETH_PROVIDER_ALCHEMY_API_KEY,
+            infura: process.env.ETH_PROVIDER_INFURA_API_KEY
+        });
+    }
+    return provider;
+};
 
 dotenv.config();
 /**
@@ -191,7 +227,7 @@ const getCurrentServerTimestampInMillis = () => Timestamp.now().toMillis();
  * Interrupt the current execution for a specified amount of time.
  * @param ms <number> - the amount of time expressed in milliseconds.
  */
-const sleep = async (ms) => setTimeout(ms);
+const sleep = async (ms) => setTimeout$1(ms);
 /**
  * Query for ceremony circuits.
  * @notice the order by sequence position is fundamental to maintain parallelism among contributions for different circuits.
@@ -264,7 +300,7 @@ const queryOpenedCeremonies = async () => {
 const getCircuitDocumentByPosition = async (ceremonyId, sequencePosition) => {
     // Query for all ceremony circuits.
     const circuits = await getCeremonyCircuits(ceremonyId);
-    // Apply a filter using the sequence postion.
+    // Apply a filter using the sequence position.
     const matchedCircuits = circuits.filter((circuit) => circuit.data().sequencePosition === sequencePosition);
     if (matchedCircuits.length !== 1)
         logAndThrowError(COMMON_ERRORS.CM_NO_CIRCUIT_FOR_GIVEN_SEQUENCE_POSITION);
@@ -305,7 +341,7 @@ const downloadArtifactFromS3Bucket = async (bucketName, objectKey, localFilePath
     const writeStream = createWriteStream(localFilePath);
     const streamPipeline = promisify(pipeline);
     await streamPipeline(response.body, writeStream);
-    writeStream.on('finish', () => {
+    writeStream.on("finish", () => {
         writeStream.end();
     });
 };
@@ -429,12 +465,14 @@ const htmlEncodeCircuitData = (circuitDocument) => ({
 const getGitHubVariables = () => {
     if (!process.env.GITHUB_MINIMUM_FOLLOWERS ||
         !process.env.GITHUB_MINIMUM_FOLLOWING ||
-        !process.env.GITHUB_MINIMUM_PUBLIC_REPOS)
+        !process.env.GITHUB_MINIMUM_PUBLIC_REPOS ||
+        !process.env.GITHUB_MINIMUM_AGE)
         logAndThrowError(COMMON_ERRORS.CM_WRONG_CONFIGURATION);
     return {
         minimumFollowers: Number(process.env.GITHUB_MINIMUM_FOLLOWERS),
         minimumFollowing: Number(process.env.GITHUB_MINIMUM_FOLLOWING),
-        minimumPublicRepos: Number(process.env.GITHUB_MINIMUM_PUBLIC_REPOS)
+        minimumPublicRepos: Number(process.env.GITHUB_MINIMUM_PUBLIC_REPOS),
+        minimumAge: Number(process.env.GITHUB_MINIMUM_AGE)
     };
 };
 /**
@@ -444,7 +482,7 @@ const getGitHubVariables = () => {
 const getAWSVariables = () => {
     if (!process.env.AWS_ACCESS_KEY_ID ||
         !process.env.AWS_SECRET_ACCESS_KEY ||
-        !process.env.AWS_ROLE_ARN ||
+        !process.env.AWS_INSTANCE_PROFILE_ARN ||
         !process.env.AWS_AMI_ID ||
         !process.env.AWS_SNS_TOPIC_ARN)
         logAndThrowError(COMMON_ERRORS.CM_WRONG_CONFIGURATION);
@@ -452,7 +490,7 @@ const getAWSVariables = () => {
         accessKeyId: process.env.AWS_ACCESS_KEY_ID,
         secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
         region: process.env.AWS_REGION || "eu-central-1",
-        roleArn: process.env.AWS_ROLE_ARN,
+        instanceProfileArn: process.env.AWS_INSTANCE_PROFILE_ARN,
         amiId: process.env.AWS_AMI_ID,
         snsTopic: process.env.AWS_SNS_TOPIC_ARN
     };
@@ -521,25 +559,31 @@ const registerAuthUser = functions
     const { uid } = user;
     // Reference to a document using uid.
     const userRef = firestore.collection(commonTerms.collections.users.name).doc(uid);
-    // html encode the display name
-    const encodedDisplayName = encode(displayName);
+    // html encode the display name (or put the ID if the name is not displayed)
+    const encodedDisplayName = user.displayName === "Null" || user.displayName === null ? user.uid : encode(displayName);
+    // store the avatar URL of a contributor
+    let avatarUrl = "";
     // we only do reputation check if the user is not a coordinator
     if (!(email?.endsWith(`@${process.env.CUSTOM_CLAIMS_COORDINATOR_EMAIL_ADDRESS_OR_DOMAIN}`) ||
         email === process.env.CUSTOM_CLAIMS_COORDINATOR_EMAIL_ADDRESS_OR_DOMAIN)) {
         const auth = admin.auth();
         // if provider == github.com let's use our functions to check the user's reputation
-        if (user.providerData[0].providerId === "github.com") {
+        if (user.providerData.length > 0 && user.providerData[0].providerId === "github.com") {
             const vars = getGitHubVariables();
             // this return true or false
             try {
-                const res = await githubReputation(user.providerData[0].uid, vars.minimumFollowing, vars.minimumFollowers, vars.minimumPublicRepos);
-                if (!res) {
+                const { reputable, avatarUrl: avatarURL } = await githubReputation(user.providerData[0].uid, vars.minimumFollowing, vars.minimumFollowers, vars.minimumPublicRepos, vars.minimumAge);
+                if (!reputable) {
                     // Delete user
                     await auth.deleteUser(user.uid);
                     // Throw error
-                    logAndThrowError(makeError("permission-denied", "The user is not allowed to sign up because their Github reputation is not high enough.", `The user ${user.displayName} is not allowed to sign up because their Github reputation is not high enough. Please contact the administrator if you think this is a mistake.`));
+                    logAndThrowError(makeError("permission-denied", "The user is not allowed to sign up because their Github reputation is not high enough.", `The user ${user.displayName === "Null" || user.displayName === null
+                        ? user.uid
+                        : user.displayName} is not allowed to sign up because their Github reputation is not high enough. Please contact the administrator if you think this is a mistake.`));
                 }
-                printLog(`Github reputation check passed for user ${user.displayName}`, LogLevel.DEBUG);
+                // store locally
+                avatarUrl = avatarURL;
+                printLog(`Github reputation check passed for user ${user.displayName === "Null" || user.displayName === null ? user.uid : user.displayName}`, LogLevel.DEBUG);
             }
             catch (error) {
                 // Delete user
@@ -549,19 +593,27 @@ const registerAuthUser = functions
         }
     }
     // Set document (nb. we refer to providerData[0] because we use Github OAuth provider only).
+    // In future releases we might want to loop through the providerData array as we support
+    // more providers.
     await userRef.set({
         name: encodedDisplayName,
         encodedDisplayName,
         // Metadata.
         creationTime,
-        lastSignInTime,
+        lastSignInTime: lastSignInTime || creationTime,
         // Optional.
         email: email || "",
         emailVerified: emailVerified || false,
         photoURL: photoURL || "",
         lastUpdated: getCurrentServerTimestampInMillis()
     });
+    // we want to create a new collection for the users to store the avatars
+    const avatarRef = firestore.collection(commonTerms.collections.avatars.name).doc(uid);
+    await avatarRef.set({
+        avatarUrl: avatarUrl || ""
+    });
     printLog(`Authenticated user document with identifier ${uid} has been correctly stored`, LogLevel.DEBUG);
+    printLog(`Authenticated user avatar with identifier ${uid} has been correctly stored`, LogLevel.DEBUG);
 });
 /**
  * Set custom claims for role-based access control on the newly created user.
@@ -698,7 +750,7 @@ const setupCeremony = functions
         // Check if using the VM approach for contribution verification.
         if (circuit.verification.cfOrVm === "VM" /* CircuitContributionVerificationMechanism.VM */) {
             // VM command to be run at the startup.
-            const startupCommand = vmBootstrapCommand(bucketName);
+            const startupCommand = vmBootstrapCommand(`${bucketName}/circuits/${circuit.name}`);
             // Get EC2 client.
             const ec2Client = await createEC2Client();
             // Get AWS variables.
@@ -707,7 +759,8 @@ const setupCeremony = functions
             const vmCommands = vmDependenciesAndCacheArtifactsCommand(`${bucketName}/${circuit.files?.initialZkeyStoragePath}`, `${bucketName}/${circuit.files?.potStoragePath}`, snsTopic, region);
             printLog(`Check VM dependencies and cache artifacts commands ${vmCommands.join("\n")}`, LogLevel.DEBUG);
             // Upload the post-startup commands script file.
-            await uploadFileToBucketNoFile(bucketName, vmBootstrapScriptFilename, vmCommands.join("\n"));
+            printLog(`Uploading VM post-startup commands script file ${vmBootstrapScriptFilename}`, LogLevel.DEBUG);
+            await uploadFileToBucketNoFile(bucketName, `circuits/${circuit.name}/${vmBootstrapScriptFilename}`, vmCommands.join("\n"));
             // Compute the VM disk space requirement (in GB).
             const vmDiskSize = computeDiskSizeForVM(circuit.zKeySizeInBytes, circuit.metadata?.pot);
             printLog(`Check VM startup commands ${startupCommand.join("\n")}`, LogLevel.DEBUG);
@@ -801,7 +854,7 @@ const finalizeCeremony = functions
     // Get ceremony circuits.
     const circuits = await getCeremonyCircuits(ceremonyId);
     // Get final contribution for each circuit.
-    // nb. the `getFinalContributionDocument` checks the existance of the final contribution document (if not present, throws).
+    // nb. the `getFinalContributionDocument` checks the existence of the final contribution document (if not present, throws).
     // Therefore, we just need to call the method without taking any data to verify the pre-condition of having already computed
     // the final contributions for each ceremony circuit.
     for await (const circuit of circuits)
@@ -854,7 +907,7 @@ dotenv.config();
  * @dev true when the participant can participate (1.A, 3.B, 1.D); otherwise false.
  */
 const checkParticipantForCeremony = functions
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -925,7 +978,7 @@ const checkParticipantForCeremony = functions
             participantDoc.ref.update({
                 status: "EXHUMED" /* ParticipantStatus.EXHUMED */,
                 contributions,
-                tempContributionData: tempContributionData ? tempContributionData : FieldValue.delete(),
+                tempContributionData: tempContributionData || FieldValue.delete(),
                 contributionStep: "DOWNLOADING" /* ParticipantContributionStep.DOWNLOADING */,
                 contributionStartedAt: 0,
                 verificationStartedAt: FieldValue.delete(),
@@ -958,7 +1011,7 @@ const checkParticipantForCeremony = functions
  * 2) the participant has just finished the contribution for a circuit (contributionProgress != 0 && status = CONTRIBUTED && contributionStep = COMPLETED).
  */
 const progressToNextCircuitForContribution = functions
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1005,7 +1058,7 @@ const progressToNextCircuitForContribution = functions
  * 5) Completed contribution computation and verification.
  */
 const progressToNextContributionStep = functions
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1056,7 +1109,7 @@ const progressToNextContributionStep = functions
  * @dev enable the current contributor to resume a contribution from where it had left off.
  */
 const permanentlyStoreCurrentContributionTimeAndHash = functions
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1098,7 +1151,7 @@ const permanentlyStoreCurrentContributionTimeAndHash = functions
  * @dev enable the current contributor to resume a multi-part upload from where it had left off.
  */
 const temporaryStoreCurrentContributionMultiPartUploadId = functions
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1136,7 +1189,7 @@ const temporaryStoreCurrentContributionMultiPartUploadId = functions
  * @dev enable the current contributor to resume a multi-part upload from where it had left off.
  */
 const temporaryStoreCurrentContributionUploadedChunkData = functions
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1178,7 +1231,7 @@ const temporaryStoreCurrentContributionUploadedChunkData = functions
  * contributed to every selected ceremony circuits (= DONE).
  */
 const checkAndPrepareCoordinatorForFinalization = functions
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1330,54 +1383,74 @@ const coordinate = async (participant, circuit, isSingleParticipantCoordination,
  * Wait until the command has completed its execution inside the VM.
  * @dev this method implements a custom interval to check 5 times after 1 minute if the command execution
  * has been completed or not by calling the `retrieveCommandStatus` method.
- * @param {any} resolve the promise.
- * @param {any} reject the promise.
  * @param {SSMClient} ssm the SSM client.
  * @param {string} vmInstanceId the unique identifier of the VM instance.
  * @param {string} commandId the unique identifier of the VM command.
  * @returns <Promise<void>> true when the command execution succeed; otherwise false.
  */
-const waitForVMCommandExecution = (resolve, reject, ssm, vmInstanceId, commandId) => {
-    const interval = setInterval(async () => {
+const waitForVMCommandExecution = (ssm, vmInstanceId, commandId) => new Promise((resolve, reject) => {
+    const poll = async () => {
         try {
             // Get command status.
             const cmdStatus = await retrieveCommandStatus(ssm, vmInstanceId, commandId);
             printLog(`Checking command ${commandId} status => ${cmdStatus}`, LogLevel.DEBUG);
-            if (cmdStatus === CommandInvocationStatus.SUCCESS) {
-                printLog(`Command ${commandId} successfully completed`, LogLevel.DEBUG);
-                // Resolve the promise.
-                resolve();
-            }
-            else if (cmdStatus === CommandInvocationStatus.FAILED) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_FAILED_COMMAND_EXECUTION);
-                reject();
-            }
-            else if (cmdStatus === CommandInvocationStatus.TIMED_OUT) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_TIMEDOUT_COMMAND_EXECUTION);
-                reject();
-            }
-            else if (cmdStatus === CommandInvocationStatus.CANCELLED) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_CANCELLED_COMMAND_EXECUTION);
-                reject();
+            let error;
+            switch (cmdStatus) {
+                case CommandInvocationStatus.CANCELLING:
+                case CommandInvocationStatus.CANCELLED: {
+                    error = SPECIFIC_ERRORS.SE_VM_CANCELLED_COMMAND_EXECUTION;
+                    break;
+                }
+                case CommandInvocationStatus.DELAYED: {
+                    error = SPECIFIC_ERRORS.SE_VM_DELAYED_COMMAND_EXECUTION;
+                    break;
+                }
+                case CommandInvocationStatus.FAILED: {
+                    error = SPECIFIC_ERRORS.SE_VM_FAILED_COMMAND_EXECUTION;
+                    break;
+                }
+                case CommandInvocationStatus.TIMED_OUT: {
+                    error = SPECIFIC_ERRORS.SE_VM_TIMEDOUT_COMMAND_EXECUTION;
+                    break;
+                }
+                case CommandInvocationStatus.IN_PROGRESS:
+                case CommandInvocationStatus.PENDING: {
+                    // wait a minute and poll again
+                    setTimeout(poll, 60000);
+                    return;
+                }
+                case CommandInvocationStatus.SUCCESS: {
+                    printLog(`Command ${commandId} successfully completed`, LogLevel.DEBUG);
+                    // Resolve the promise.
+                    resolve();
+                    return;
+                }
+                default: {
+                    logAndThrowError(SPECIFIC_ERRORS.SE_VM_UNKNOWN_COMMAND_STATUS);
+                }
             }
-            else if (cmdStatus === CommandInvocationStatus.DELAYED) {
-                logAndThrowError(SPECIFIC_ERRORS.SE_VM_DELAYED_COMMAND_EXECUTION);
-                reject();
+            if (error) {
+                logAndThrowError(error);
             }
         }
         catch (error) {
             printLog(`Invalid command ${commandId} execution`, LogLevel.DEBUG);
+            const ec2 = await createEC2Client();
+            // if it errors out, let's just log it as a warning so the coordinator is aware
+            try {
+                await stopEC2Instance(ec2, vmInstanceId);
+            }
+            catch (error) {
+                printLog(`Error while stopping VM instance ${vmInstanceId} - Error ${error}`, LogLevel.WARN);
+            }
             if (!error.toString().includes(commandId))
                 logAndThrowError(COMMON_ERRORS.CM_INVALID_COMMAND_EXECUTION);
             // Reject the promise.
             reject();
         }
-        finally {
-            // Clear the interval.
-            clearInterval(interval);
-        }
-    }, 60000); // 1 minute.
-};
+    };
+    setTimeout(poll, 60000);
+});
 /**
  * This method is used to coordinate the waiting queues of ceremony circuits.
  * @dev this cloud function is triggered whenever an update of a document related to a participant of a ceremony occurs.
@@ -1398,7 +1471,7 @@ const waitForVMCommandExecution = (resolve, reject, ssm, vmInstanceId, commandId
  * - Just completed a contribution or all contributions for each circuit. If yes, coordinate (multi-participant scenario).
  */
 const coordinateCeremonyParticipant = functionsV1
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1469,11 +1542,9 @@ const checkIfVMRunning = async (ec2, vmInstanceId, attempts = 5) => {
     const isVMRunning = await checkIfRunning(ec2, vmInstanceId);
     if (!isVMRunning) {
         printLog(`VM not running, ${attempts - 1} attempts remaining. Retrying in 1 minute...`, LogLevel.DEBUG);
-        return await checkIfVMRunning(ec2, vmInstanceId, attempts - 1);
-    }
-    else {
-        return true;
+        return checkIfVMRunning(ec2, vmInstanceId, attempts - 1);
     }
+    return true;
 };
 /**
  * Verify the contribution of a participant computed while contributing to a specific circuit of a ceremony.
@@ -1501,7 +1572,7 @@ const checkIfVMRunning = async (ec2, vmInstanceId, attempts = 5) => {
  *       1.A.4.C.1) If true, update circuit waiting for queue and average timings accordingly to contribution verification results;
  * 2) Send all updates atomically to the Firestore database.
  */
-const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSeconds: 3600, region: 'europe-west1' }, async (request) => {
+const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSeconds: 3600, region: "europe-west1" }, async (request) => {
     if (!request.auth || (!request.auth.token.participant && !request.auth.token.coordinator))
         logAndThrowError(SPECIFIC_ERRORS.SE_AUTH_NO_CURRENT_AUTH_USER);
     if (!request.data.ceremonyId ||
@@ -1612,8 +1683,6 @@ const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSe
                 lastZkeyBlake2bHash = match.at(0);
                 // re upload the formatted verification transcript
                 await uploadFileToBucket(bucketName, verificationTranscriptStoragePathAndFilename, verificationTranscriptTemporaryLocalPath, true);
-                // Stop VM instance.
-                await stopEC2Instance(ec2, vmInstanceId);
             }
             else {
                 // Upload verification transcript.
@@ -1674,6 +1743,18 @@ const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSe
                 lastUpdated: getCurrentServerTimestampInMillis()
             });
         }
+        // Stop VM instance
+        if (isUsingVM) {
+            // using try and catch as the VM stopping function can throw
+            // however we want to continue without stopping as the
+            // verification was valid, and inform the coordinator
+            try {
+                await stopEC2Instance(ec2, vmInstanceId);
+            }
+            catch (error) {
+                printLog(`Error while stopping VM instance ${vmInstanceId} - Error ${error}`, LogLevel.WARN);
+            }
+        }
         // Step (1.A.4.C)
         if (!isFinalizing) {
             // Step (1.A.4.C.1)
@@ -1688,7 +1769,7 @@ const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSe
             const newAvgVerifyCloudFunctionTime = avgVerifyCloudFunctionTime > 0
                 ? (avgVerifyCloudFunctionTime + verifyCloudFunctionTime) / 2
                 : verifyCloudFunctionTime;
-            // Prepare tx to update circuit average contribution/verification time.    
+            // Prepare tx to update circuit average contribution/verification time.
             const updatedCircuitDoc = await getDocumentById(getCircuitsCollectionPath(ceremonyId), circuitId);
             const { waitingQueue: updatedWaitingQueue } = updatedCircuitDoc.data();
             /// @dev this must happen only for valid contributions.
@@ -1738,7 +1819,7 @@ const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSe
             commandId = await runCommandUsingSSM(ssm, vmInstanceId, verificationCommand);
             printLog(`Starting the execution of command ${commandId}`, LogLevel.DEBUG);
             // Step (1.A.3.3).
-            return new Promise((resolve, reject) => waitForVMCommandExecution(resolve, reject, ssm, vmInstanceId, commandId))
+            return waitForVMCommandExecution(ssm, vmInstanceId, commandId)
                 .then(async () => {
                 // Command execution successfully completed.
                 printLog(`Command ${commandId} execution has been successfully completed`, LogLevel.DEBUG);
@@ -1750,40 +1831,38 @@ const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSe
                 logAndThrowError(COMMON_ERRORS.CM_INVALID_COMMAND_EXECUTION);
             });
         }
-        else {
-            // CF approach.
-            printLog(`CF mechanism`, LogLevel.DEBUG);
-            const potStoragePath = getPotStorageFilePath(files.potFilename);
-            const firstZkeyStoragePath = getZkeyStorageFilePath(prefix, `${prefix}_${genesisZkeyIndex}.zkey`);
-            // Prepare temporary file paths.
-            // (nb. these are needed to download the necessary artifacts for verification from AWS S3).
-            verificationTranscriptTemporaryLocalPath = createTemporaryLocalPath(verificationTranscriptCompleteFilename);
-            const potTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}.pot`);
-            const firstZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_genesis.zkey`);
-            const lastZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_last.zkey`);
-            // Create and populate transcript.
-            const transcriptLogger = createCustomLoggerForFile(verificationTranscriptTemporaryLocalPath);
-            transcriptLogger.info(`${isFinalizing ? `Final verification` : `Verification`} transcript for ${prefix} circuit Phase 2 contribution.\n${isFinalizing ? `Coordinator ` : `Contributor # ${Number(lastZkeyIndex)}`} (${contributorOrCoordinatorIdentifier})\n`);
-            // Step (1.A.2).
-            await downloadArtifactFromS3Bucket(bucketName, potStoragePath, potTempFilePath);
-            await downloadArtifactFromS3Bucket(bucketName, firstZkeyStoragePath, firstZkeyTempFilePath);
-            await downloadArtifactFromS3Bucket(bucketName, lastZkeyStoragePath, lastZkeyTempFilePath);
-            // Step (1.A.4).
-            isContributionValid = await zKey.verifyFromInit(firstZkeyTempFilePath, potTempFilePath, lastZkeyTempFilePath, transcriptLogger);
-            // Compute contribution hash.
-            lastZkeyBlake2bHash = await blake512FromPath(lastZkeyTempFilePath);
-            // Free resources by unlinking temporary folders.
-            // Do not free-up verification transcript path here.
-            try {
-                fs.unlinkSync(potTempFilePath);
-                fs.unlinkSync(firstZkeyTempFilePath);
-                fs.unlinkSync(lastZkeyTempFilePath);
-            }
-            catch (error) {
-                printLog(`Error while unlinking temporary files - Error ${error}`, LogLevel.WARN);
-            }
-            await completeVerification();
+        // CF approach.
+        printLog(`CF mechanism`, LogLevel.DEBUG);
+        const potStoragePath = getPotStorageFilePath(files.potFilename);
+        const firstZkeyStoragePath = getZkeyStorageFilePath(prefix, `${prefix}_${genesisZkeyIndex}.zkey`);
+        // Prepare temporary file paths.
+        // (nb. these are needed to download the necessary artifacts for verification from AWS S3).
+        verificationTranscriptTemporaryLocalPath = createTemporaryLocalPath(verificationTranscriptCompleteFilename);
+        const potTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}.pot`);
+        const firstZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_genesis.zkey`);
+        const lastZkeyTempFilePath = createTemporaryLocalPath(`${circuitId}_${participantDoc.id}_last.zkey`);
+        // Create and populate transcript.
+        const transcriptLogger = createCustomLoggerForFile(verificationTranscriptTemporaryLocalPath);
+        transcriptLogger.info(`${isFinalizing ? `Final verification` : `Verification`} transcript for ${prefix} circuit Phase 2 contribution.\n${isFinalizing ? `Coordinator ` : `Contributor # ${Number(lastZkeyIndex)}`} (${contributorOrCoordinatorIdentifier})\n`);
+        // Step (1.A.2).
+        await downloadArtifactFromS3Bucket(bucketName, potStoragePath, potTempFilePath);
+        await downloadArtifactFromS3Bucket(bucketName, firstZkeyStoragePath, firstZkeyTempFilePath);
+        await downloadArtifactFromS3Bucket(bucketName, lastZkeyStoragePath, lastZkeyTempFilePath);
+        // Step (1.A.4).
+        isContributionValid = await zKey.verifyFromInit(firstZkeyTempFilePath, potTempFilePath, lastZkeyTempFilePath, transcriptLogger);
+        // Compute contribution hash.
+        lastZkeyBlake2bHash = await blake512FromPath(lastZkeyTempFilePath);
+        // Free resources by unlinking temporary folders.
+        // Do not free-up verification transcript path here.
+        try {
+            fs.unlinkSync(potTempFilePath);
+            fs.unlinkSync(firstZkeyTempFilePath);
+            fs.unlinkSync(lastZkeyTempFilePath);
         }
+        catch (error) {
+            printLog(`Error while unlinking temporary files - Error ${error}`, LogLevel.WARN);
+        }
+        await completeVerification();
     }
 });
 /**
@@ -1792,7 +1871,7 @@ const verifycontribution = functionsV2.https.onCall({ memory: "16GiB", timeoutSe
  * this does not happen if the participant is actually the coordinator who is finalizing the ceremony.
  */
 const refreshParticipantAfterContributionVerification = functionsV1
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -1853,7 +1932,7 @@ const refreshParticipantAfterContributionVerification = functionsV1
  * and verification key extracted from the circuit final contribution (as part of the ceremony finalization process).
  */
 const finalizeCircuit = functionsV1
-    .region('europe-west1')
+    .region("europe-west1")
     .runWith({
     memory: "512MB"
 })
@@ -2050,8 +2129,10 @@ const createBucket = functions
                     CORSConfiguration: {
                         CORSRules: [
                             {
-                                AllowedMethods: ["GET"],
-                                AllowedOrigins: ["*"]
+                                AllowedMethods: ["GET", "PUT"],
+                                AllowedOrigins: ["*"],
+                                ExposeHeaders: ["ETag", "Content-Length"],
+                                AllowedHeaders: ["*"]
                             }
                         ]
                     }
@@ -2228,7 +2309,8 @@ const startMultiPartUpload = functions
 const generatePreSignedUrlsParts = functions
     .region("europe-west1")
     .runWith({
-    memory: "512MB"
+    memory: "512MB",
+    timeoutSeconds: 300
 })
     .https.onCall(async (data, context) => {
     if (!context.auth || (!context.auth.token.participant && !context.auth.token.coordinator))
@@ -2337,6 +2419,216 @@ const completeMultiPartUpload = functions
     }
 });
 
+const VKEY_DATA = {
+    protocol: "groth16",
+    curve: "bn128",
+    nPublic: 3,
+    vk_alpha_1: [
+        "20491192805390485299153009773594534940189261866228447918068658471970481763042",
+        "9383485363053290200918347156157836566562967994039712273449902621266178545958",
+        "1"
+    ],
+    vk_beta_2: [
+        [
+            "6375614351688725206403948262868962793625744043794305715222011528459656738731",
+            "4252822878758300859123897981450591353533073413197771768651442665752259397132"
+        ],
+        [
+            "10505242626370262277552901082094356697409835680220590971873171140371331206856",
+            "21847035105528745403288232691147584728191162732299865338377159692350059136679"
+        ],
+        ["1", "0"]
+    ],
+    vk_gamma_2: [
+        [
+            "10857046999023057135944570762232829481370756359578518086990519993285655852781",
+            "11559732032986387107991004021392285783925812861821192530917403151452391805634"
+        ],
+        [
+            "8495653923123431417604973247489272438418190587263600148770280649306958101930",
+            "4082367875863433681332203403145435568316851327593401208105741076214120093531"
+        ],
+        ["1", "0"]
+    ],
+    vk_delta_2: [
+        [
+            "3697618915467790705869942236922063775466274665053173890632463796679068973252",
+            "14948341351907992175709156460547989243732741534604949238422596319735704165658"
+        ],
+        [
+            "3028459181652799888716942141752307629938889957960373621898607910203491239368",
+            "11380736494786911280692284374675752681598754560757720296073023058533044108340"
+        ],
+        ["1", "0"]
+    ],
+    vk_alphabeta_12: [
+        [
+            [
+                "2029413683389138792403550203267699914886160938906632433982220835551125967885",
+                "21072700047562757817161031222997517981543347628379360635925549008442030252106"
+            ],
+            [
+                "5940354580057074848093997050200682056184807770593307860589430076672439820312",
+                "12156638873931618554171829126792193045421052652279363021382169897324752428276"
+            ],
+            [
+                "7898200236362823042373859371574133993780991612861777490112507062703164551277",
+                "7074218545237549455313236346927434013100842096812539264420499035217050630853"
+            ]
+        ],
+        [
+            [
+                "7077479683546002997211712695946002074877511277312570035766170199895071832130",
+                "10093483419865920389913245021038182291233451549023025229112148274109565435465"
+            ],
+            [
+                "4595479056700221319381530156280926371456704509942304414423590385166031118820",
+                "19831328484489333784475432780421641293929726139240675179672856274388269393268"
+            ],
+            [
+                "11934129596455521040620786944827826205713621633706285934057045369193958244500",
+                "8037395052364110730298837004334506829870972346962140206007064471173334027475"
+            ]
+        ]
+    ],
+    IC: [
+        [
+            "12951059800758687233303204819298121944551181861362200875212570257618182506154",
+            "5751958719396509176593242305268064754837298673622815112953832050159760501392",
+            "1"
+        ],
+        [
+            "9561588427935871983444704959674198910445823619407211599507208879011862515257",
+            "14576201570478094842467636169770180675293504492823217349086195663150934064643",
+            "1"
+        ],
+        [
+            "4811967233483727873912563574622036989372099129165459921963463310078093941559",
+            "1874883809855039536107616044787862082553628089593740724610117059083415551067",
+            "1"
+        ],
+        [
+            "12252730267779308452229639835051322390696643456253768618882001876621526827161",
+            "7899194018737016222260328309937800777948677569409898603827268776967707173231",
+            "1"
+        ]
+    ]
+};
+dotenv.config();
+const { BANDADA_API_URL, BANDADA_GROUP_ID } = process.env;
+const bandadaApi = new ApiSdk(BANDADA_API_URL);
+const bandadaValidateProof = functions
+    .region("europe-west1")
+    .runWith({
+    memory: "512MB"
+})
+    .https.onCall(async (data) => {
+    if (!BANDADA_GROUP_ID)
+        throw new Error("BANDADA_GROUP_ID is not defined in .env");
+    const { proof, publicSignals } = data;
+    const isCorrect = groth16.verify(VKEY_DATA, publicSignals, proof);
+    if (!isCorrect)
+        return {
+            valid: false,
+            message: "Invalid proof",
+            token: ""
+        };
+    const commitment = data.publicSignals[1];
+    const isMember = await bandadaApi.isGroupMember(BANDADA_GROUP_ID, commitment);
+    if (!isMember)
+        return {
+            valid: false,
+            message: "Not a member of the group",
+            token: ""
+        };
+    const auth = getAuth();
+    try {
+        await admin.auth().createUser({
+            uid: commitment
+        });
+    }
+    catch (error) {
+        // if user already exist then just pass
+        if (error.code !== "auth/uid-already-exists") {
+            throw new Error(error);
+        }
+    }
+    const token = await auth.createCustomToken(commitment);
+    return {
+        valid: true,
+        message: "Valid proof and group member",
+        token
+    };
+});
+
+dotenv.config();
+const checkNonceOfSIWEAddress = functions
+    .region("europe-west1")
+    .runWith({ memory: "1GB" })
+    .https.onCall(async (data) => {
+    try {
+        const { auth0Token } = data;
+        const result = (await fetch(`${process.env.AUTH0_APPLICATION_URL}/userinfo`, {
+            method: "GET",
+            headers: {
+                "content-type": "application/json",
+                authorization: `Bearer ${auth0Token}`
+            }
+        }).then((_res) => _res.json()));
+        if (!result.sub) {
+            return {
+                valid: false,
+                message: "No user detected. Please check device flow token"
+            };
+        }
+        const auth = getAuth();
+        // check nonce
+        const parts = result.sub.split("|");
+        const address = decodeURIComponent(parts[2]).split("eip155:534352:")[1];
+        const minimumNonce = Number(process.env.ETH_MINIMUM_NONCE);
+        const nonceBlockHeight = "latest"; // process.env.ETH_NONCE_BLOCK_HEIGHT
+        // look up nonce for address @block
+        let nonceOk = true;
+        if (minimumNonce > 0) {
+            const provider = setEthProvider();
+            console.log(`got provider - block # ${await provider.getBlockNumber()}`);
+            const nonce = await provider.getTransactionCount(address, nonceBlockHeight);
+            console.log(`nonce ${nonce}`);
+            nonceOk = nonce >= minimumNonce;
+        }
+        console.log(`checking nonce ${nonceOk}`);
+        if (!nonceOk) {
+            return {
+                valid: false,
+                message: "Eth address does not meet the nonce requirements"
+            };
+        }
+        try {
+            await admin.auth().createUser({
+                displayName: address,
+                uid: address
+            });
+        }
+        catch (error) {
+            // if user already exist then just pass
+            if (error.code !== "auth/uid-already-exists") {
+                throw new Error(error);
+            }
+        }
+        const token = await auth.createCustomToken(address);
+        return {
+            valid: true,
+            token
+        };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            message: `Something went wrong ${error}`
+        };
+    }
+});
+
 dotenv.config();
 /**
  * Check and remove the current contributor if it doesn't complete the contribution on the specified amount of time.
@@ -2378,7 +2670,7 @@ const checkAndRemoveBlockingContributor = functions
             // Get ceremony circuits.
             const circuits = await getCeremonyCircuits(ceremony.id);
             // Extract ceremony data.
-            const { timeoutMechanismType, penalty } = ceremony.data();
+            const { timeoutType: timeoutMechanismType, penalty } = ceremony.data();
             for (const circuit of circuits) {
                 if (!circuit.data())
                     // Do not use `logAndThrowError` method to avoid the function to exit before checking every ceremony.
@@ -2528,7 +2820,8 @@ const resumeContributionAfterTimeoutExpiration = functions
     if (status === "EXHUMED" /* ParticipantStatus.EXHUMED */)
         await participantDoc.ref.update({
             status: "READY" /* ParticipantStatus.READY */,
-            lastUpdated: getCurrentServerTimestampInMillis()
+            lastUpdated: getCurrentServerTimestampInMillis(),
+            tempContributionData: {}
         });
     else
         logAndThrowError(SPECIFIC_ERRORS.SE_CONTRIBUTE_CANNOT_PROGRESS_TO_NEXT_CIRCUIT);
@@ -2537,4 +2830,4 @@ const resumeContributionAfterTimeoutExpiration = functions
 
 admin.initializeApp();
 
-export { checkAndPrepareCoordinatorForFinalization, checkAndRemoveBlockingContributor, checkIfObjectExist, checkParticipantForCeremony, completeMultiPartUpload, coordinateCeremonyParticipant, createBucket, finalizeCeremony, finalizeCircuit, generateGetObjectPreSignedUrl, generatePreSignedUrlsParts, initEmptyWaitingQueueForCircuit, permanentlyStoreCurrentContributionTimeAndHash, processSignUpWithCustomClaims, progressToNextCircuitForContribution, progressToNextContributionStep, refreshParticipantAfterContributionVerification, registerAuthUser, resumeContributionAfterTimeoutExpiration, setupCeremony, startCeremony, startMultiPartUpload, stopCeremony, temporaryStoreCurrentContributionMultiPartUploadId, temporaryStoreCurrentContributionUploadedChunkData, verifycontribution };
+export { bandadaValidateProof, checkAndPrepareCoordinatorForFinalization, checkAndRemoveBlockingContributor, checkIfObjectExist, checkNonceOfSIWEAddress, checkParticipantForCeremony, completeMultiPartUpload, coordinateCeremonyParticipant, createBucket, finalizeCeremony, finalizeCircuit, generateGetObjectPreSignedUrl, generatePreSignedUrlsParts, initEmptyWaitingQueueForCircuit, permanentlyStoreCurrentContributionTimeAndHash, processSignUpWithCustomClaims, progressToNextCircuitForContribution, progressToNextContributionStep, refreshParticipantAfterContributionVerification, registerAuthUser, resumeContributionAfterTimeoutExpiration, setupCeremony, startCeremony, startMultiPartUpload, stopCeremony, temporaryStoreCurrentContributionMultiPartUploadId, temporaryStoreCurrentContributionUploadedChunkData, verifycontribution };