@devtion/devcli 0.0.0-09f6b45 → 0.0.0-0fb27d7

package/dist/index.js

@@ -2,17 +2,17 @@
 
 /**
  * @module @p0tion/phase2cli
- * @version 1.1.0
+ * @version 1.1.1
  * @file All-in-one interactive command-line for interfacing with zkSNARK Phase 2 Trusted Setup ceremonies
  * @copyright Ethereum Foundation 2022
  * @license MIT
  * @see [Github]{@link https://github.com/privacy-scaling-explorations/p0tion}
 */
 import { createCommand } from 'commander';
-import fs, { readFileSync, createWriteStream, renameSync } from 'fs';
-import { dirname } from 'path';
+import fs, { readFileSync, createWriteStream, existsSync, renameSync } from 'fs';
+import path, { dirname } from 'path';
 import { fileURLToPath } from 'url';
-import { zKey } from 'snarkjs';
+import { zKey, groth16 } from 'snarkjs';
 import boxen from 'boxen';
 import { pipeline } from 'node:stream';
 import { promisify } from 'node:util';
@@ -22,7 +22,7 @@ import fetch from '@adobe/node-fetch-retry';
 import { request } from '@octokit/request';
 import { SingleBar, Presets } from 'cli-progress';
 import dotenv from 'dotenv';
-import { GithubAuthProvider, getAuth, signOut } from 'firebase/auth';
+import { GithubAuthProvider, signInWithCustomToken, getAuth, signOut } from 'firebase/auth';
 import { getDiskInfoSync } from 'node-disk-info';
 import ora from 'ora';
 import { Timer } from 'timer-node';
@@ -36,6 +36,9 @@ import figlet from 'figlet';
 import { createOAuthDeviceAuth } from '@octokit/auth-oauth-device';
 import clipboard from 'clipboardy';
 import open from 'open';
+import { Identity } from '@semaphore-protocol/identity';
+import { httpsCallable } from 'firebase/functions';
+import { ApiSdk } from '@bandada/api-sdk';
 import { Timestamp, onSnapshot } from 'firebase/firestore';
 import readline from 'readline';
 
@@ -97,7 +100,7 @@ const CORE_SERVICES_ERRORS = {
     FIREBASE_TOKEN_EXPIRED_REMOVED_PERMISSIONS: `The Github authorization has failed due to lack of association between your account and the CLI`,
     FIREBASE_USER_DISABLED: `The Github account has been suspended by the ceremony coordinator(s), blocking the possibility of contribution. Please, contact them to understand the motivation behind it.`,
     FIREBASE_FAILED_CREDENTIALS_VERIFICATION: `Firebase cannot verify your Github credentials due to network errors. Please, try once again later.`,
-    FIREBASE_NETWORK_ERROR: `Unable to reach Firebase due to network erros. Please, try once again later and make sure your Internet connection is stable.`,
+    FIREBASE_NETWORK_ERROR: `Unable to reach Firebase due to network errors. Please, try once again later and make sure your Internet connection is stable.`,
     FIREBASE_CEREMONY_NOT_OPENED: `There are no ceremonies opened to contributions`,
     FIREBASE_CEREMONY_NOT_CLOSED: `There are no ceremonies ready to finalization`,
     AWS_CEREMONY_BUCKET_CREATION: `Unable to create a new bucket for the ceremony. Something went wrong during the creation. Please, repeat the process by providing a new ceremony name of the ceremony.`,
@@ -250,6 +253,10 @@ const config = new Conf({
         accessToken: {
             type: "string",
             default: ""
+        },
+        bandadaIdentity: {
+            type: "string",
+            default: ""
         }
     }
 });
@@ -310,6 +317,25 @@ const setLocalAccessToken = (token) => config.set("accessToken", token);
  * Delete the stored access token.
  */
 const deleteLocalAccessToken = () => config.delete("accessToken");
+/**
+ * Return the Bandada identity, if present.
+ * @returns <string | undefined> - the Bandada identity if present, otherwise undefined.
+ */
+const getLocalBandadaIdentity = () => config.get("bandadaIdentity");
+/**
+ * Check if the Bandada identity exists in the local storage.
+ * @returns <boolean>
+ */
+const checkLocalBandadaIdentity = () => config.has("bandadaIdentity") && !!config.get("bandadaIdentity");
+/**
+ * Set the Bandada identity.
+ * @param identity <string> - the Bandada identity to be stored.
+ */
+const setLocalBandadaIdentity = (identity) => config.set("bandadaIdentity", identity);
+/**
+ * Delete the stored Bandada identity.
+ */
+const deleteLocalBandadaIdentity = () => config.delete("bandadaIdentity");
 /**
  * Get the complete local file path.
  * @param cwd <string> - the current working directory path.
@@ -420,7 +446,7 @@ const getGithubAuthenticatedUserGists = async (githubToken, params) => {
         headers: {
             authorization: `token ${githubToken}`
         },
-        per_page: params.perPage,
+        per_page: params.perPage, // max items per page = 100.
         page: params.page
     });
     if (response && response.status === 200)
@@ -468,8 +494,9 @@ const getPublicAttestationGist = async (githubToken, publicAttestationFilename)
  * @returns <string> - the third-party provider handle of the user.
  */
 const getUserHandleFromProviderUserId = (providerUserId) => {
-    if (providerUserId.indexOf("-") === -1)
-        showError(THIRD_PARTY_SERVICES_ERRORS.GITHUB_GET_GITHUB_ACCOUNT_INFO, true);
+    if (providerUserId.indexOf("-") === -1) {
+        return providerUserId;
+    }
     return providerUserId.split("-")[0];
 };
 /**
@@ -1560,16 +1587,27 @@ const checkAuth = async (firebaseApp) => {
         showError(THIRD_PARTY_SERVICES_ERRORS.GITHUB_NOT_AUTHENTICATED, true);
     // Retrieve local access token.
     const token = String(getLocalAccessToken());
-    // Get credentials.
-    const credentials = exchangeGithubTokenForCredentials(token);
-    // Sign in to Firebase using credentials.
-    await signInToFirebase(firebaseApp, credentials);
+    let providerUserId;
+    let username;
+    const isLocalBandadaIdentityStored = checkLocalBandadaIdentity();
+    if (isLocalBandadaIdentityStored) {
+        const userCredentials = await signInWithCustomToken(getAuth(), token);
+        providerUserId = userCredentials.user.uid;
+        username = providerUserId;
+    }
+    else {
+        // Get credentials.
+        const credentials = exchangeGithubTokenForCredentials(token);
+        // Sign in to Firebase using credentials.
+        await signInToFirebase(firebaseApp, credentials);
+        // Get Github unique identifier (handle-id).
+        providerUserId = await getGithubProviderUserId(String(token));
+        username = getUserHandleFromProviderUserId(providerUserId);
+    }
     // Get current authenticated user.
     const user = getCurrentFirebaseAuthUser(firebaseApp);
-    // Get Github unique identifier (handle-id).
-    const providerUserId = await getGithubProviderUserId(String(token));
     // Greet the user.
-    console.log(`Greetings, @${theme.text.bold(getUserHandleFromProviderUserId(providerUserId))} ${theme.emojis.wave}\n`);
+    console.log(`Greetings, @${theme.text.bold(username)} ${theme.emojis.wave}\n`);
     return {
         user,
         token,
@@ -1891,12 +1929,20 @@ const setup = async (cmd) => {
             // 3. generate the zKey
             const spinner = customSpinner(`Generating genesis zKey for circuit ${theme.text.bold(circuit.name)}...`, `clock`);
             spinner.start();
-            await zKey.newZKey(r1csLocalPathAndFileName, getPotLocalFilePath(circuit.files.potFilename), zkeyLocalPathAndFileName, undefined);
-            spinner.succeed(`Generation of the genesis zKey for citcui ${theme.text.bold(circuit.name)} completed successfully`);
+            if (existsSync(zkeyLocalPathAndFileName)) {
+                spinner.succeed(`The genesis zKey for circuit ${theme.text.bold(circuit.name)} is already present on disk`);
+            }
+            else {
+                await zKey.newZKey(r1csLocalPathAndFileName, getPotLocalFilePath(circuit.files.potFilename), zkeyLocalPathAndFileName, undefined);
+                spinner.succeed(`Generation of the genesis zKey for circuit ${theme.text.bold(circuit.name)} completed successfully`);
+            }
+            const hashSpinner = customSpinner(`Calculating hashes for circuit ${theme.text.bold(circuit.name)}...`, `clock`);
+            hashSpinner.start();
             // 4. calculate the hashes
             const wasmBlake2bHash = await blake512FromPath(wasmLocalPathAndFileName);
             const potBlake2bHash = await blake512FromPath(getPotLocalFilePath(circuit.files.potFilename));
             const initialZkeyBlake2bHash = await blake512FromPath(zkeyLocalPathAndFileName);
+            hashSpinner.succeed(`Hashes for circuit ${theme.text.bold(circuit.name)} calculated successfully`);
             // 5. upload the artifacts
             // Upload zKey to Storage.
             await handleCircuitArtifactUploadToStorage(firebaseFunctions, bucketName, circuit.files.initialZkeyStoragePath, zkeyLocalPathAndFileName, circuit.files.initialZkeyFilename);
@@ -2217,6 +2263,91 @@ const auth = async () => {
     terminate(providerUserId);
 };
 
+const { BANDADA_API_URL } = process.env;
+const bandadaApi = new ApiSdk(BANDADA_API_URL);
+const addMemberToGroup = async (groupId, dashboardUrl, identity) => {
+    const commitment = identity.commitment.toString();
+    const group = await bandadaApi.getGroup(groupId);
+    const providerName = group.credentials.id.split("_")[0].toLowerCase();
+    // 6. open a new window with the url:
+    const url = `${dashboardUrl}credentials?group=${groupId}&member=${commitment}&provider=${providerName}`;
+    console.log(`${theme.text.bold(`Verification URL:`)} ${theme.text.underlined(url)}`);
+    open(url);
+    const { confirmation } = await askForConfirmation("Did you join the Bandada group in the browser?");
+    if (!confirmation)
+        showError("You must join the Bandada group to continue the login process", true);
+};
+const isGroupMember = async (groupId, identity) => {
+    const commitment = identity.commitment.toString();
+    const isMember = await bandadaApi.isGroupMember(groupId, commitment);
+    return isMember;
+};
+
+const { BANDADA_DASHBOARD_URL, BANDADA_GROUP_ID } = process.env;
+const authBandada = async () => {
+    const { firebaseFunctions } = await bootstrapCommandExecutionAndServices();
+    const spinner = customSpinner(`Checking identity string for Semaphore...`, `clock`);
+    spinner.start();
+    // 1. check if _identity string exists in local storage
+    let identityString;
+    const isIdentityStringStored = checkLocalBandadaIdentity();
+    if (isIdentityStringStored) {
+        identityString = getLocalBandadaIdentity();
+        spinner.succeed(`Identity seed found\n`);
+    }
+    else {
+        spinner.warn(`Identity seed not found\n`);
+        // 2. generate a random _identity string and save it in local storage
+        const { seed } = await prompts({
+            type: "text",
+            name: "seed",
+            message: theme.text.bold(`Enter a secret string to use as your identity seed in Semaphore:`),
+            initial: false
+        });
+        identityString = seed;
+        setLocalBandadaIdentity(identityString);
+    }
+    // 3. create a semaphore identity with _identity string as a seed
+    const identity = new Identity(identityString);
+    // 4. check if the user is a member of the group
+    console.log(`Checking Bandada membership...`);
+    const isMember = await isGroupMember(BANDADA_GROUP_ID, identity);
+    if (!isMember) {
+        await addMemberToGroup(BANDADA_GROUP_ID, BANDADA_DASHBOARD_URL, identity);
+    }
+    // 5. generate a proof that the user owns the commitment.
+    spinner.text = `Generating proof of identity...`;
+    spinner.start();
+    // publicSignals = [hash(externalNullifier, identityNullifier), commitment]
+    const { proof, publicSignals } = await groth16.fullProve({
+        identityTrapdoor: identity.trapdoor,
+        identityNullifier: identity.nullifier,
+        externalNullifier: BANDADA_GROUP_ID
+    }, path.join(path.resolve(), "/public/mini-semaphore.wasm"), path.join(path.resolve(), "/public/mini-semaphore.zkey"));
+    spinner.succeed(`Proof generated.\n`);
+    spinner.text = `Sending proof to verification...`;
+    spinner.start();
+    // 6. send proof to a cloud function that verifies it and checks membership
+    const cf = httpsCallable(firebaseFunctions, commonTerms.cloudFunctionsNames.bandadaValidateProof);
+    const result = await cf({
+        proof,
+        publicSignals
+    });
+    const { valid, token, message } = result.data;
+    if (!valid) {
+        showError(message, true);
+    }
+    spinner.succeed(`Proof verified.\n`);
+    spinner.text = `Authenticating...`;
+    spinner.start();
+    // 7. Auth to p0tion firebase
+    const userCredentials = await signInWithCustomToken(getAuth(), token);
+    setLocalAccessToken(token);
+    spinner.succeed(`Authenticated as ${theme.text.bold(userCredentials.user.uid)}.`);
+    console.log(`\n${theme.symbols.warning} You can always log out by running the ${theme.text.bold(`phase2cli logout`)} command`);
+    process.exit(0);
+};
+
 /**
  * Return the verification result for latest contribution.
  * @param firestoreDatabase <Firestore> - the Firestore service instance associated to the current Firebase application.
@@ -2408,8 +2539,12 @@ const handlePublicAttestation = async (firestoreDatabase, circuits, ceremonyId,
     // Write public attestation locally.
     writeFile(getAttestationLocalFilePath(`${ceremonyPrefix}_${commonTerms.foldersAndPathsTerms.attestation}.log`), Buffer.from(publicAttestation));
     await sleep(1000); // workaround for file descriptor unexpected close.
-    const gistUrl = await publishGist(participantAccessToken, publicAttestation, ceremonyName, ceremonyPrefix);
-    console.log(`\n${theme.symbols.info} Your public attestation has been successfully posted as Github Gist (${theme.text.bold(theme.text.underlined(gistUrl))})`);
+    let gistUrl = "";
+    const isBandada = checkLocalBandadaIdentity();
+    if (!isBandada) {
+        gistUrl = await publishGist(participantAccessToken, publicAttestation, ceremonyName, ceremonyPrefix);
+        console.log(`\n${theme.symbols.info} Your public attestation has been successfully posted as Github Gist (${theme.text.bold(theme.text.underlined(gistUrl))})`);
+    }
     // Prepare a ready-to-share tweet.
     await handleTweetGeneration(ceremonyName, gistUrl);
 };
@@ -2723,7 +2858,7 @@ const contribute = async (opt) => {
     const userDoc = await getDocumentById(firestoreDatabase, commonTerms.collections.users.name, user.uid);
     const userData = userDoc.data();
     if (!userData) {
-        spinner.fail(`Unfortunately we could not find a user document with your information. This likely means that you did not pass the GitHub reputation checks and therefore are not elegible to contribute to any ceremony. If you believe you pass the requirements, it might be possible that your profile is private and we were not able to fetch your real statistics, in this case please consider making your profile public for the duration of the contribution. Please contact the coordinator if you believe this to be an error.`);
+        spinner.fail(`Unfortunately we could not find a user document with your information. This likely means that you did not pass the GitHub reputation checks and therefore are not eligible to contribute to any ceremony. If you believe you pass the requirements, it might be possible that your profile is private and we were not able to fetch your real statistics, in this case please consider making your profile public for the duration of the contribution. Please contact the coordinator if you believe this to be an error.`);
         process.exit(0);
     }
     // Check the user's current participant readiness for contribution status (eligible, already contributed, timed out).
@@ -2923,7 +3058,7 @@ const handleVerificationKey = async (cloudFunctions, bucketName, finalZkeyLocalF
     spinner.text = "Writing verification key...";
     // Write the verification key locally.
     writeLocalJsonFile(verificationKeyLocalFilePath, vKey);
-    await sleep(3000); // workaound for file descriptor.
+    await sleep(3000); // workaround for file descriptor.
     // Upload verification key to storage.
     await multiPartUpload(cloudFunctions, bucketName, verificationKeyStorageFilePath, verificationKeyLocalFilePath, Number(process.env.CONFIG_STREAM_CHUNK_SIZE_IN_MB));
     spinner.succeed(`Verification key correctly saved on storage`);
@@ -2949,7 +3084,7 @@ const handleVerifierSmartContract = async (cloudFunctions, bucketName, finalZkey
     spinner.text = `Writing verifier smart contract...`;
     // Write the verification key locally.
     writeFile(verifierContractLocalFilePath, verifierCode);
-    await sleep(3000); // workaound for file descriptor.
+    await sleep(3000); // workaround for file descriptor.
     // Upload verifier smart contract to storage.
     await multiPartUpload(cloudFunctions, bucketName, verifierContractStorageFilePath, verifierContractLocalFilePath, Number(process.env.CONFIG_STREAM_CHUNK_SIZE_IN_MB));
     spinner.succeed(`Verifier smart contract correctly saved on storage`);
@@ -2975,7 +3110,7 @@ const handleVerifierSmartContract = async (cloudFunctions, bucketName, finalZkey
 const handleCircuitFinalization = async (cloudFunctions, firestoreDatabase, ceremony, circuit, participant, beacon, coordinatorIdentifier, circuitsLength) => {
     // Step (1).
     await handleStartOrResumeContribution(cloudFunctions, firestoreDatabase, ceremony, circuit, participant, computeSHA256ToHex(beacon), coordinatorIdentifier, true, circuitsLength);
-    await sleep(2000); // workaound for descriptors.
+    await sleep(2000); // workaround for descriptors.
     // Extract data.
     const { prefix: circuitPrefix } = circuit.data;
     const { prefix: ceremonyPrefix } = ceremony.data;
@@ -3125,6 +3260,7 @@ const logout = async () => {
             await signOut(auth);
             // Delete local token.
             deleteLocalAccessToken();
+            deleteLocalBandadaIdentity();
             await sleep(3000); // ~3s.
             spinner.stop();
             console.log(`${theme.symbols.success} Logout successfully completed`);
@@ -3194,6 +3330,10 @@ const program = createCommand();
 program.name(name).description(description).version(version);
 // User commands.
 program.command("auth").description("authenticate yourself using your Github account (OAuth 2.0)").action(auth);
+program
+    .command("auth-bandada")
+    .description("authenticate yourself in a privacy-perserving manner using Bandada")
+    .action(authBandada);
 program
     .command("contribute")
     .description("compute contributions for a Phase2 Trusted Setup ceremony circuits")

package/dist/types/commands/authBandada.d.ts

@@ -0,0 +1,2 @@
+declare const authBandada: () => Promise<never>;
+export default authBandada;

package/dist/types/commands/index.d.ts

@@ -1,5 +1,6 @@
 export { default as setup } from "./setup.js";
 export { default as auth } from "./auth.js";
+export { default as authBandada } from "./authBandada.js";
 export { default as contribute } from "./contribute.js";
 export { default as observe } from "./observe.js";
 export { default as finalize } from "./finalize.js";

package/dist/types/lib/bandada.d.ts

@@ -0,0 +1,6 @@
+import { GroupResponse } from "@bandada/api-sdk";
+import { Identity } from "@semaphore-protocol/identity";
+export declare const getGroup: (groupId: string) => Promise<GroupResponse | null>;
+export declare const getMembersOfGroup: (groupId: string) => Promise<string[] | null>;
+export declare const addMemberToGroup: (groupId: string, dashboardUrl: string, identity: Identity) => Promise<void>;
+export declare const isGroupMember: (groupId: string, identity: Identity) => Promise<boolean>;

package/dist/types/lib/files.d.ts

@@ -1,4 +1,5 @@
 /// <reference types="node" />
+/// <reference types="node" />
 import { Dirent, Stats } from "fs";
 /**
  * Check a directory path.

package/dist/types/lib/localConfigs.d.ts

@@ -35,6 +35,25 @@ export declare const setLocalAccessToken: (token: string) => void;
  * Delete the stored access token.
  */
 export declare const deleteLocalAccessToken: () => void;
+/**
+ * Return the Bandada identity, if present.
+ * @returns <string | undefined> - the Bandada identity if present, otherwise undefined.
+ */
+export declare const getLocalBandadaIdentity: () => string | unknown;
+/**
+ * Check if the Bandada identity exists in the local storage.
+ * @returns <boolean>
+ */
+export declare const checkLocalBandadaIdentity: () => boolean;
+/**
+ * Set the Bandada identity.
+ * @param identity <string> - the Bandada identity to be stored.
+ */
+export declare const setLocalBandadaIdentity: (identity: string) => void;
+/**
+ * Delete the stored Bandada identity.
+ */
+export declare const deleteLocalBandadaIdentity: () => void;
 /**
  * Get the complete local file path.
  * @param cwd <string> - the current working directory path.

package/dist/types/types/index.d.ts

@@ -63,3 +63,15 @@ export type GithubGistFile = {
     raw_url: string;
     size: number;
 };
+/**
+ * Define the return object of the function that verifies the Bandada membership and proof.
+ * @typedef {Object} VerifiedBandadaResponse
+ * @property {boolean} valid - true if the proof is valid and the user is a member of the group; otherwise false.
+ * @property {string} message - a message describing the result of the verification.
+ * @property {string} token - the custom access token.
+ */
+export type VerifiedBandadaResponse = {
+    valid: boolean;
+    message: string;
+    token: string;
+};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@devtion/devcli",
   "type": "module",
-  "version": "0.0.0-09f6b45",
+  "version": "0.0.0-0fb27d7",
   "description": "All-in-one interactive command-line for interfacing with zkSNARK Phase 2 Trusted Setup ceremonies",
   "repository": "git@github.com:privacy-scaling-explorations/p0tion.git",
   "homepage": "https://github.com/privacy-scaling-explorations/p0tion",
@@ -34,6 +34,7 @@
     "build:watch": "rollup -c rollup.config.ts -w --configPlugin typescript",
     "start": "ts-node --esm ./src/index.ts",
     "auth": "yarn start auth",
+    "auth:bandada": "yarn start auth-bandada",
     "contribute": "yarn start contribute",
     "clean": "yarn start clean",
     "list": "yarn start list",
@@ -65,10 +66,12 @@
   "dependencies": {
     "@adobe/node-fetch-retry": "^2.2.0",
     "@aws-sdk/client-s3": "^3.329.0",
+    "@bandada/api-sdk": "^1.0.0-beta.1",
     "@devtion/actions": "latest",
     "@octokit/auth-oauth-app": "^5.0.5",
     "@octokit/auth-oauth-device": "^4.0.4",
     "@octokit/request": "^6.2.3",
+    "@semaphore-protocol/identity": "^3.15.1",
     "blakejs": "^1.2.1",
     "boxen": "^7.1.0",
     "chalk": "^5.2.0",
@@ -78,6 +81,7 @@
     "commander": "^10.0.1",
     "conf": "^11.0.1",
     "dotenv": "^16.0.3",
+    "ethers": "^6.9.0",
     "figlet": "^1.6.0",
     "firebase": "^9.21.0",
     "log-symbols": "^5.1.0",
@@ -90,12 +94,12 @@
     "prompts": "^2.4.2",
     "rimraf": "^5.0.0",
     "rollup": "^3.21.6",
-    "snarkjs": "^0.6.11",
+    "snarkjs": "0.7.3",
     "timer-node": "^5.0.7",
     "winston": "^3.8.2"
   },
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "c6b2cf678456f66e3540d6baf29f1eec13bb8631"
+  "gitHead": "a6302783a12ff8bbeaa18c90a9ad2eac7b2e4c6a"
 }

package/src/commands/authBandada.ts

@@ -0,0 +1,99 @@
+import { Identity } from "@semaphore-protocol/identity"
+
+import { commonTerms } from "@devtion/actions"
+import { httpsCallable } from "firebase/functions"
+import { groth16 } from "snarkjs"
+import path from "path"
+import { getAuth, signInWithCustomToken } from "firebase/auth"
+import theme from "../lib/theme.js"
+import { customSpinner } from "../lib/utils.js"
+import { VerifiedBandadaResponse } from "../types/index.js"
+import { showError } from "../lib/errors.js"
+import { bootstrapCommandExecutionAndServices } from "../lib/services.js"
+import { addMemberToGroup, isGroupMember } from "../lib/bandada.js"
+import {
+    checkLocalBandadaIdentity,
+    getLocalBandadaIdentity,
+    setLocalAccessToken,
+    setLocalBandadaIdentity
+} from "../lib/localConfigs.js"
+import prompts from "prompts"
+
+const { BANDADA_DASHBOARD_URL, BANDADA_GROUP_ID } = process.env
+
+const authBandada = async () => {
+    const { firebaseFunctions } = await bootstrapCommandExecutionAndServices()
+    const spinner = customSpinner(`Checking identity string for Semaphore...`, `clock`)
+    spinner.start()
+    // 1. check if _identity string exists in local storage
+    let identityString: string | unknown
+    const isIdentityStringStored = checkLocalBandadaIdentity()
+    if (isIdentityStringStored) {
+        identityString = getLocalBandadaIdentity()
+        spinner.succeed(`Identity seed found\n`)
+    } else {
+        spinner.warn(`Identity seed not found\n`)
+        // 2. generate a random _identity string and save it in local storage
+        const { seed } = await prompts({
+            type: "text",
+            name: "seed",
+            message: theme.text.bold(`Enter a secret string to use as your identity seed in Semaphore:`),
+            initial: false
+        })
+        identityString = seed as string
+        setLocalBandadaIdentity(identityString as string)
+    }
+    // 3. create a semaphore identity with _identity string as a seed
+    const identity = new Identity(identityString as string)
+
+    // 4. check if the user is a member of the group
+    console.log(`Checking Bandada membership...`)
+    const isMember = await isGroupMember(BANDADA_GROUP_ID, identity)
+    if (!isMember) {
+        await addMemberToGroup(BANDADA_GROUP_ID, BANDADA_DASHBOARD_URL, identity)
+    }
+
+    // 5. generate a proof that the user owns the commitment.
+    spinner.text = `Generating proof of identity...`
+    spinner.start()
+    // publicSignals = [hash(externalNullifier, identityNullifier), commitment]
+    const { proof, publicSignals } = await groth16.fullProve(
+        {
+            identityTrapdoor: identity.trapdoor,
+            identityNullifier: identity.nullifier,
+            externalNullifier: BANDADA_GROUP_ID
+        },
+        path.join(path.resolve(), "/public/mini-semaphore.wasm"),
+        path.join(path.resolve(), "/public/mini-semaphore.zkey")
+    )
+    spinner.succeed(`Proof generated.\n`)
+    spinner.text = `Sending proof to verification...`
+    spinner.start()
+    // 6. send proof to a cloud function that verifies it and checks membership
+    const cf = httpsCallable(firebaseFunctions, commonTerms.cloudFunctionsNames.bandadaValidateProof)
+    const result = await cf({
+        proof,
+        publicSignals
+    })
+    const { valid, token, message } = result.data as VerifiedBandadaResponse
+    if (!valid) {
+        showError(message, true)
+    }
+    spinner.succeed(`Proof verified.\n`)
+    spinner.text = `Authenticating...`
+    spinner.start()
+    // 7. Auth to p0tion firebase
+    const userCredentials = await signInWithCustomToken(getAuth(), token)
+    setLocalAccessToken(token)
+    spinner.succeed(`Authenticated as ${theme.text.bold(userCredentials.user.uid)}.`)
+
+    console.log(
+        `\n${theme.symbols.warning} You can always log out by running the ${theme.text.bold(
+            `phase2cli logout`
+        )} command`
+    )
+
+    process.exit(0)
+}
+
+export default authBandada

package/src/commands/contribute.ts

@@ -41,7 +41,7 @@ import {
 } from "../lib/utils.js"
 import { COMMAND_ERRORS, showError } from "../lib/errors.js"
 import { authWithToken, bootstrapCommandExecutionAndServices, checkAuth } from "../lib/services.js"
-import { getAttestationLocalFilePath, localPaths } from "../lib/localConfigs.js"
+import { checkLocalBandadaIdentity, getAttestationLocalFilePath, localPaths } from "../lib/localConfigs.js"
 import theme from "../lib/theme.js"
 import { checkAndMakeNewDirectoryIfNonexistent, writeFile } from "../lib/files.js"
 
@@ -419,14 +419,19 @@ export const handlePublicAttestation = async (
 
     await sleep(1000) // workaround for file descriptor unexpected close.
 
-    const gistUrl = await publishGist(participantAccessToken, publicAttestation, ceremonyName, ceremonyPrefix)
-
-    console.log(
-        `\n${theme.symbols.info} Your public attestation has been successfully posted as Github Gist (${theme.text.bold(
-            theme.text.underlined(gistUrl)
-        )})`
-    )
+    let gistUrl = ""
+    const isBandada = checkLocalBandadaIdentity()
+    if (!isBandada) {
+        gistUrl = await publishGist(participantAccessToken, publicAttestation, ceremonyName, ceremonyPrefix)
 
+        console.log(
+            `\n${
+                theme.symbols.info
+            } Your public attestation has been successfully posted as Github Gist (${theme.text.bold(
+                theme.text.underlined(gistUrl)
+            )})`
+        )
+    }
     // Prepare a ready-to-share tweet.
     await handleTweetGeneration(ceremonyName, gistUrl)
 }
@@ -952,7 +957,7 @@ const contribute = async (opt: any) => {
     const userData = userDoc.data()
     if (!userData) {
         spinner.fail(
-            `Unfortunately we could not find a user document with your information. This likely means that you did not pass the GitHub reputation checks and therefore are not elegible to contribute to any ceremony. If you believe you pass the requirements, it might be possible that your profile is private and we were not able to fetch your real statistics, in this case please consider making your profile public for the duration of the contribution. Please contact the coordinator if you believe this to be an error.`
+            `Unfortunately we could not find a user document with your information. This likely means that you did not pass the GitHub reputation checks and therefore are not eligible to contribute to any ceremony. If you believe you pass the requirements, it might be possible that your profile is private and we were not able to fetch your real statistics, in this case please consider making your profile public for the duration of the contribution. Please contact the coordinator if you believe this to be an error.`
         )
         process.exit(0)
     }

package/src/commands/finalize.ts

@@ -74,7 +74,7 @@ export const handleVerificationKey = async (
     // Write the verification key locally.
     writeLocalJsonFile(verificationKeyLocalFilePath, vKey)
 
-    await sleep(3000) // workaound for file descriptor.
+    await sleep(3000) // workaround for file descriptor.
 
     // Upload verification key to storage.
     await multiPartUpload(
@@ -122,7 +122,7 @@ export const handleVerifierSmartContract = async (
     // Write the verification key locally.
     writeFile(verifierContractLocalFilePath, verifierCode)
 
-    await sleep(3000) // workaound for file descriptor.
+    await sleep(3000) // workaround for file descriptor.
 
     // Upload verifier smart contract to storage.
     await multiPartUpload(
@@ -177,7 +177,7 @@ export const handleCircuitFinalization = async (
         circuitsLength
     )
 
-    await sleep(2000) // workaound for descriptors.
+    await sleep(2000) // workaround for descriptors.
 
     // Extract data.
     const { prefix: circuitPrefix } = circuit.data

package/src/commands/index.ts

@@ -1,5 +1,6 @@
 export { default as setup } from "./setup.js"
 export { default as auth } from "./auth.js"
+export { default as authBandada } from "./authBandada.js"
 export { default as contribute } from "./contribute.js"
 export { default as observe } from "./observe.js"
 export { default as finalize } from "./finalize.js"

package/src/commands/logout.ts

@@ -6,7 +6,7 @@ import { showError } from "../lib/errors.js"
 import { askForConfirmation } from "../lib/prompts.js"
 import { customSpinner, sleep, terminate } from "../lib/utils.js"
 import theme from "../lib/theme.js"
-import { deleteLocalAccessToken } from "../lib/localConfigs.js"
+import { deleteLocalAccessToken, deleteLocalBandadaIdentity } from "../lib/localConfigs.js"
 
 /**
  * Logout command.
@@ -53,6 +53,7 @@ const logout = async () => {
 
             // Delete local token.
             deleteLocalAccessToken()
+            deleteLocalBandadaIdentity()
 
             await sleep(3000) // ~3s.
 

package/src/commands/setup.ts

@@ -2,7 +2,7 @@
 
 import { zKey } from "snarkjs"
 import boxen from "boxen"
-import { createWriteStream, Dirent, renameSync } from "fs"
+import { createWriteStream, Dirent, renameSync, existsSync } from "fs"
 import { pipeline } from "node:stream"
 import { promisify } from "node:util"
 import fetch from "node-fetch"
@@ -537,20 +537,33 @@ const setup = async (cmd: { template?: string; auth?: string }) => {
                 `clock`
             )
             spinner.start()
-            await zKey.newZKey(
-                r1csLocalPathAndFileName,
-                getPotLocalFilePath(circuit.files.potFilename),
-                zkeyLocalPathAndFileName,
-                undefined
-            )
-            spinner.succeed(
-                `Generation of the genesis zKey for citcui ${theme.text.bold(circuit.name)} completed successfully`
-            )
 
+            if (existsSync(zkeyLocalPathAndFileName)) {
+                spinner.succeed(
+                    `The genesis zKey for circuit ${theme.text.bold(circuit.name)} is already present on disk`
+                )
+            } else {
+                await zKey.newZKey(
+                    r1csLocalPathAndFileName,
+                    getPotLocalFilePath(circuit.files.potFilename),
+                    zkeyLocalPathAndFileName,
+                    undefined
+                )
+                spinner.succeed(
+                    `Generation of the genesis zKey for circuit ${theme.text.bold(circuit.name)} completed successfully`
+                )
+            }
+
+            const hashSpinner = customSpinner(
+                `Calculating hashes for circuit ${theme.text.bold(circuit.name)}...`,
+                `clock`
+            )
+            hashSpinner.start()
             // 4. calculate the hashes
             const wasmBlake2bHash = await blake512FromPath(wasmLocalPathAndFileName)
             const potBlake2bHash = await blake512FromPath(getPotLocalFilePath(circuit.files.potFilename))
             const initialZkeyBlake2bHash = await blake512FromPath(zkeyLocalPathAndFileName)
+            hashSpinner.succeed(`Hashes for circuit ${theme.text.bold(circuit.name)} calculated successfully`)
 
             // 5. upload the artifacts
 

package/src/index.ts

@@ -7,6 +7,7 @@ import { fileURLToPath } from "url"
 import {
     setup,
     auth,
+    authBandada,
     contribute,
     observe,
     finalize,
@@ -26,6 +27,10 @@ program.name(name).description(description).version(version)
 
 // User commands.
 program.command("auth").description("authenticate yourself using your Github account (OAuth 2.0)").action(auth)
+program
+    .command("auth-bandada")
+    .description("authenticate yourself in a privacy-perserving manner using Bandada")
+    .action(authBandada)
 program
     .command("contribute")
     .description("compute contributions for a Phase2 Trusted Setup ceremony circuits")

package/src/lib/bandada.ts

@@ -0,0 +1,51 @@
+import { ApiSdk, GroupResponse } from "@bandada/api-sdk"
+import { Identity } from "@semaphore-protocol/identity"
+import open from "open"
+
+import { askForConfirmation } from "../lib/prompts.js"
+import { showError } from "./errors.js"
+import theme from "../lib/theme.js"
+
+const { BANDADA_API_URL } = process.env
+
+const bandadaApi = new ApiSdk(BANDADA_API_URL)
+
+export const getGroup = async (groupId: string): Promise<GroupResponse | null> => {
+    try {
+        const group = await bandadaApi.getGroup(groupId)
+        return group
+    } catch (error: any) {
+        showError(`Bandada getGroup error: ${error}`, true)
+        return null
+    }
+}
+
+export const getMembersOfGroup = async (groupId: string): Promise<string[] | null> => {
+    try {
+        const group = await bandadaApi.getGroup(groupId)
+        return group.members
+    } catch (error: any) {
+        showError(`Bandada getMembersOfGroup error: ${error}`, true)
+        return null
+    }
+}
+
+export const addMemberToGroup = async (groupId: string, dashboardUrl: string, identity: Identity) => {
+    const commitment = identity.commitment.toString()
+    const group = await bandadaApi.getGroup(groupId)
+    const providerName = group.credentials.id.split("_")[0].toLowerCase()
+
+    // 6. open a new window with the url:
+    const url = `${dashboardUrl}credentials?group=${groupId}&member=${commitment}&provider=${providerName}`
+    console.log(`${theme.text.bold(`Verification URL:`)} ${theme.text.underlined(url)}`)
+    open(url)
+
+    const { confirmation } = await askForConfirmation("Did you join the Bandada group in the browser?")
+    if (!confirmation) showError("You must join the Bandada group to continue the login process", true)
+}
+
+export const isGroupMember = async (groupId: string, identity: Identity): Promise<boolean> => {
+    const commitment = identity.commitment.toString()
+    const isMember: boolean = await bandadaApi.isGroupMember(groupId, commitment)
+    return isMember
+}

package/src/lib/errors.ts

@@ -6,7 +6,7 @@ export const CORE_SERVICES_ERRORS = {
     FIREBASE_TOKEN_EXPIRED_REMOVED_PERMISSIONS: `The Github authorization has failed due to lack of association between your account and the CLI`,
     FIREBASE_USER_DISABLED: `The Github account has been suspended by the ceremony coordinator(s), blocking the possibility of contribution. Please, contact them to understand the motivation behind it.`,
     FIREBASE_FAILED_CREDENTIALS_VERIFICATION: `Firebase cannot verify your Github credentials due to network errors. Please, try once again later.`,
-    FIREBASE_NETWORK_ERROR: `Unable to reach Firebase due to network erros. Please, try once again later and make sure your Internet connection is stable.`,
+    FIREBASE_NETWORK_ERROR: `Unable to reach Firebase due to network errors. Please, try once again later and make sure your Internet connection is stable.`,
     FIREBASE_CEREMONY_NOT_OPENED: `There are no ceremonies opened to contributions`,
     FIREBASE_CEREMONY_NOT_CLOSED: `There are no ceremonies ready to finalization`,
     AWS_CEREMONY_BUCKET_CREATION: `Unable to create a new bucket for the ceremony. Something went wrong during the creation. Please, repeat the process by providing a new ceremony name of the ceremony.`,

package/src/lib/localConfigs.ts

@@ -24,6 +24,10 @@ const config = new Conf({
         accessToken: {
             type: "string",
             default: ""
+        },
+        bandadaIdentity: {
+            type: "string",
+            default: ""
         }
     }
 })
@@ -91,6 +95,29 @@ export const setLocalAccessToken = (token: string) => config.set("accessToken",
  */
 export const deleteLocalAccessToken = () => config.delete("accessToken")
 
+/**
+ * Return the Bandada identity, if present.
+ * @returns <string | undefined> - the Bandada identity if present, otherwise undefined.
+ */
+export const getLocalBandadaIdentity = (): string | unknown => config.get("bandadaIdentity")
+
+/**
+ * Check if the Bandada identity exists in the local storage.
+ * @returns <boolean>
+ */
+export const checkLocalBandadaIdentity = (): boolean => config.has("bandadaIdentity") && !!config.get("bandadaIdentity")
+
+/**
+ * Set the Bandada identity.
+ * @param identity <string> - the Bandada identity to be stored.
+ */
+export const setLocalBandadaIdentity = (identity: string) => config.set("bandadaIdentity", identity)
+
+/**
+ * Delete the stored Bandada identity.
+ */
+export const deleteLocalBandadaIdentity = () => config.delete("bandadaIdentity")
+
 /**
  * Get the complete local file path.
  * @param cwd <string> - the current working directory path.

package/src/lib/services.ts

@@ -6,13 +6,18 @@ import {
 import clear from "clear"
 import figlet from "figlet"
 import { FirebaseApp } from "firebase/app"
-import { OAuthCredential } from "firebase/auth"
+import { OAuthCredential, getAuth, signInWithCustomToken } from "firebase/auth"
 import dotenv from "dotenv"
 import { fileURLToPath } from "url"
 import { dirname } from "path"
 import { AuthUser } from "../types/index.js"
 import { CONFIG_ERRORS, CORE_SERVICES_ERRORS, showError, THIRD_PARTY_SERVICES_ERRORS } from "./errors.js"
-import { checkLocalAccessToken, deleteLocalAccessToken, getLocalAccessToken } from "./localConfigs.js"
+import {
+    checkLocalAccessToken,
+    checkLocalBandadaIdentity,
+    deleteLocalAccessToken,
+    getLocalAccessToken
+} from "./localConfigs.js"
 import theme from "./theme.js"
 import { exchangeGithubTokenForCredentials, getGithubProviderUserId, getUserHandleFromProviderUserId } from "./utils.js"
 
@@ -164,22 +169,30 @@ export const checkAuth = async (firebaseApp: FirebaseApp): Promise<AuthUser> =>
     // Retrieve local access token.
     const token = String(getLocalAccessToken())
 
-    // Get credentials.
-    const credentials = exchangeGithubTokenForCredentials(token)
-
-    // Sign in to Firebase using credentials.
-    await signInToFirebase(firebaseApp, credentials)
+    let providerUserId: string
+    let username: string
+    const isLocalBandadaIdentityStored = checkLocalBandadaIdentity()
+    if (isLocalBandadaIdentityStored) {
+        const userCredentials = await signInWithCustomToken(getAuth(), token)
+        providerUserId = userCredentials.user.uid
+        username = providerUserId
+    } else {
+        // Get credentials.
+        const credentials = exchangeGithubTokenForCredentials(token)
+
+        // Sign in to Firebase using credentials.
+        await signInToFirebase(firebaseApp, credentials)
+
+        // Get Github unique identifier (handle-id).
+        providerUserId = await getGithubProviderUserId(String(token))
+        username = getUserHandleFromProviderUserId(providerUserId)
+    }
 
     // Get current authenticated user.
     const user = getCurrentFirebaseAuthUser(firebaseApp)
 
-    // Get Github unique identifier (handle-id).
-    const providerUserId = await getGithubProviderUserId(String(token))
-
     // Greet the user.
-    console.log(
-        `Greetings, @${theme.text.bold(getUserHandleFromProviderUserId(providerUserId))} ${theme.emojis.wave}\n`
-    )
+    console.log(`Greetings, @${theme.text.bold(username)} ${theme.emojis.wave}\n`)
 
     return {
         user,

package/src/lib/utils.ts

@@ -155,7 +155,9 @@ export const getPublicAttestationGist = async (
  * @returns <string> - the third-party provider handle of the user.
  */
 export const getUserHandleFromProviderUserId = (providerUserId: string): string => {
-    if (providerUserId.indexOf("-") === -1) showError(THIRD_PARTY_SERVICES_ERRORS.GITHUB_GET_GITHUB_ACCOUNT_INFO, true)
+    if (providerUserId.indexOf("-") === -1) {
+        return providerUserId
+    }
 
     return providerUserId.split("-")[0]
 }

package/src/types/index.ts

@@ -68,3 +68,16 @@ export type GithubGistFile = {
     raw_url: string
     size: number
 }
+
+/**
+ * Define the return object of the function that verifies the Bandada membership and proof.
+ * @typedef {Object} VerifiedBandadaResponse
+ * @property {boolean} valid - true if the proof is valid and the user is a member of the group; otherwise false.
+ * @property {string} message - a message describing the result of the verification.
+ * @property {string} token - the custom access token.
+ */
+export type VerifiedBandadaResponse = {
+    valid: boolean
+    message: string
+    token: string
+}