@prosopo/provider 2.5.5 → 2.7.1

package/dist/cjs/api/captcha.cjs

@@ -0,0 +1,482 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const apiExpressRouter = require("@prosopo/api-express-router");
+const common = require("@prosopo/common");
+const datasets = require("@prosopo/datasets");
+const types = require("@prosopo/types");
+const userAccessPolicy = require("@prosopo/user-access-policy");
+const util$1 = require("@prosopo/util");
+const express = require("express");
+const frictionlessTasks = require("../tasks/frictionless/frictionlessTasks.cjs");
+const tasks = require("../tasks/tasks.cjs");
+const util = require("../util.cjs");
+const validateAddress = require("./validateAddress.cjs");
+const DEFAULT_FRICTIONLESS_THRESHOLD = 0.5;
+function prosopoRouter(env) {
+  const router = express.Router();
+  const tasks$1 = new tasks.Tasks(env);
+  const userAccessRulesStorage = env.getDb().getUserAccessRulesStorage();
+  router.post(
+    types.ClientApiPaths.GetImageCaptchaChallenge,
+    async (req, res, next) => {
+      let parsed;
+      if (!req.ip) {
+        return next(
+          new common.ProsopoApiError("API.BAD_REQUEST", {
+            context: { code: 400, error: "IP address not found" },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+      const ipAddress = util.getIPAddress(req.ip || "");
+      try {
+        parsed = types.CaptchaRequestBody.parse(req.body);
+      } catch (err) {
+        return next(
+          new common.ProsopoApiError("CAPTCHA.PARSE_ERROR", {
+            context: { code: 400, error: err },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+      const { datasetId, user, dapp, sessionId } = parsed;
+      validateAddress.validiateSiteKey(dapp);
+      validateAddress.validateAddr(user);
+      try {
+        const clientRecord = await tasks$1.db.getClientRecord(dapp);
+        if (!clientRecord) {
+          return next(
+            new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+              context: { code: 400, siteKey: dapp },
+              i18n: req.i18n,
+              logger: req.logger
+            })
+          );
+        }
+        const imageCaptchaConfigResolver = userAccessPolicy.createImageCaptchaConfigResolver(
+          userAccessRulesStorage,
+          req.logger
+        );
+        const captchaConfig = await imageCaptchaConfigResolver.resolveConfig(
+          env.config.captchas,
+          ipAddress,
+          req.ja4,
+          user,
+          dapp
+        );
+        const { valid, reason, frictionlessTokenId } = await tasks$1.imgCaptchaManager.isValidRequest(
+          clientRecord,
+          types.CaptchaType.image,
+          sessionId
+        );
+        if (!valid) {
+          return next(
+            new common.ProsopoApiError(reason || "API.BAD_REQUEST", {
+              context: {
+                code: 400,
+                siteKey: dapp,
+                user
+              },
+              i18n: req.i18n,
+              logger: req.logger
+            })
+          );
+        }
+        const taskData = await tasks$1.imgCaptchaManager.getRandomCaptchasAndRequestHash(
+          datasetId,
+          user,
+          ipAddress,
+          captchaConfig,
+          clientRecord.settings.imageThreshold,
+          frictionlessTokenId
+        );
+        const captchaResponse = {
+          [types.ApiParams.status]: "ok",
+          [types.ApiParams.captchas]: taskData.captchas.map((captcha) => ({
+            ...captcha,
+            target: req.t(`TARGET.${captcha.target}`),
+            items: captcha.items.map(
+              (item) => datasets.parseCaptchaAssets(item, env.assetsResolver)
+            )
+          })),
+          [types.ApiParams.requestHash]: taskData.requestHash,
+          [types.ApiParams.timestamp]: taskData.timestamp.toString(),
+          [types.ApiParams.signature]: {
+            [types.ApiParams.provider]: {
+              [types.ApiParams.requestHash]: taskData.signedRequestHash
+            }
+          }
+        };
+        return res.json(captchaResponse);
+      } catch (err) {
+        req.logger.error({ err, params: req.params });
+        return next(
+          new common.ProsopoApiError("API.BAD_REQUEST", {
+            context: {
+              error: err,
+              code: 500,
+              params: req.params,
+              context: err
+            },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+    }
+  );
+  router.post(
+    types.ClientApiPaths.SubmitImageCaptchaSolution,
+    async (req, res, next) => {
+      let parsed;
+      try {
+        parsed = types.CaptchaSolutionBody.parse(req.body);
+      } catch (err) {
+        return next(
+          new common.ProsopoApiError("CAPTCHA.PARSE_ERROR", {
+            context: { code: 400, error: err, body: req.body },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+      const { user, dapp } = parsed;
+      validateAddress.validiateSiteKey(dapp);
+      validateAddress.validateAddr(user);
+      try {
+        const clientRecord = await tasks$1.db.getClientRecord(parsed.dapp);
+        if (!clientRecord) {
+          return next(
+            new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+              context: { code: 400, siteKey: dapp },
+              i18n: req.i18n,
+              logger: req.logger
+            })
+          );
+        }
+        const result = await tasks$1.imgCaptchaManager.dappUserSolution(
+          user,
+          dapp,
+          parsed[types.ApiParams.requestHash],
+          parsed[types.ApiParams.captchas],
+          parsed[types.ApiParams.signature].user.timestamp,
+          Number.parseInt(parsed[types.ApiParams.timestamp]),
+          parsed[types.ApiParams.signature].provider.requestHash,
+          util.getIPAddress(req.ip || "").bigInt(),
+          util$1.flatten(req.headers),
+          req.ja4
+        );
+        const returnValue = {
+          status: req.i18n.t(
+            result.verified ? "API.CAPTCHA_PASSED" : "API.CAPTCHA_FAILED"
+          ),
+          ...result
+        };
+        return res.json(returnValue);
+      } catch (err) {
+        req.logger.error({ err, body: req.body });
+        return next(
+          new common.ProsopoApiError("API.BAD_REQUEST", {
+            context: {
+              code: 500,
+              siteKey: req.body.dapp,
+              error: err
+            },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+    }
+  );
+  router.post(types.ClientApiPaths.GetPowCaptchaChallenge, async (req, res, next) => {
+    let parsed;
+    try {
+      parsed = types.GetPowCaptchaChallengeRequestBody.parse(req.body);
+    } catch (err) {
+      return next(
+        new common.ProsopoApiError("CAPTCHA.PARSE_ERROR", {
+          context: { code: 400, error: err },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    const { user, dapp, sessionId } = parsed;
+    validateAddress.validiateSiteKey(dapp);
+    validateAddress.validateAddr(user);
+    try {
+      const clientSettings = await tasks$1.db.getClientRecord(dapp);
+      if (!clientSettings) {
+        return next(
+          new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+            context: { code: 400, siteKey: dapp },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+      const { valid, reason, frictionlessTokenId } = await tasks$1.powCaptchaManager.isValidRequest(
+        clientSettings,
+        types.CaptchaType.pow,
+        sessionId
+      );
+      if (!valid) {
+        return next(
+          new common.ProsopoApiError(reason || "API.BAD_REQUEST", {
+            context: {
+              code: 400,
+              siteKey: dapp,
+              user
+            },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+      const origin = req.headers.origin;
+      if (!origin) {
+        return next(
+          new common.ProsopoApiError("API.BAD_REQUEST", {
+            context: {
+              error: "Origin header not found",
+              code: 400,
+              siteKey: dapp,
+              user
+            },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+      const challenge = await tasks$1.powCaptchaManager.getPowCaptchaChallenge(
+        user,
+        dapp,
+        origin,
+        clientSettings?.settings?.powDifficulty
+      );
+      await tasks$1.db.storePowCaptchaRecord(
+        challenge.challenge,
+        {
+          requestedAtTimestamp: challenge.requestedAtTimestamp,
+          userAccount: user,
+          dappAccount: dapp
+        },
+        challenge.difficulty,
+        challenge.providerSignature,
+        util.getIPAddress(req.ip || "").bigInt(),
+        util$1.flatten(req.headers),
+        req.ja4,
+        frictionlessTokenId
+      );
+      const getPowCaptchaResponse = {
+        [types.ApiParams.status]: "ok",
+        [types.ApiParams.challenge]: challenge.challenge,
+        [types.ApiParams.difficulty]: challenge.difficulty,
+        [types.ApiParams.timestamp]: challenge.requestedAtTimestamp.toString(),
+        [types.ApiParams.signature]: {
+          [types.ApiParams.provider]: {
+            [types.ApiParams.challenge]: challenge.providerSignature
+          }
+        }
+      };
+      return res.json(getPowCaptchaResponse);
+    } catch (err) {
+      req.logger.error({ err, body: req.body });
+      return next(
+        new common.ProsopoApiError("API.BAD_REQUEST", {
+          context: {
+            code: 500,
+            siteKey: req.body.dapp,
+            user: req.body.user,
+            error: err
+          },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+  });
+  router.post(
+    types.ClientApiPaths.SubmitPowCaptchaSolution,
+    async (req, res, next) => {
+      let parsed;
+      try {
+        parsed = types.SubmitPowCaptchaSolutionBody.parse(req.body);
+      } catch (err) {
+        return next(
+          new common.ProsopoApiError("CAPTCHA.PARSE_ERROR", {
+            context: { code: 400, error: err, body: req.body },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+      const {
+        challenge,
+        difficulty,
+        signature,
+        nonce,
+        verifiedTimeout,
+        dapp,
+        user
+      } = parsed;
+      validateAddress.validiateSiteKey(dapp);
+      validateAddress.validateAddr(user);
+      try {
+        const clientRecord = await tasks$1.db.getClientRecord(dapp);
+        if (!clientRecord) {
+          return next(
+            new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+              context: { code: 400, siteKey: dapp },
+              i18n: req.i18n,
+              logger: req.logger
+            })
+          );
+        }
+        const verified = await tasks$1.powCaptchaManager.verifyPowCaptchaSolution(
+          challenge,
+          difficulty,
+          signature.provider.challenge,
+          nonce,
+          verifiedTimeout,
+          signature.user.timestamp,
+          util.getIPAddress(req.ip || ""),
+          util$1.flatten(req.headers)
+        );
+        const response = { status: "ok", verified };
+        return res.json(response);
+      } catch (err) {
+        req.logger.error({ err, body: req.body });
+        return next(
+          new common.ProsopoApiError("API.BAD_REQUEST", {
+            context: {
+              code: 500,
+              siteKey: req.body.dapp,
+              error: err
+            },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+    }
+  );
+  router.post(
+    types.ClientApiPaths.GetFrictionlessCaptchaChallenge,
+    async (req, res, next) => {
+      try {
+        const { token, dapp, user } = types.GetFrictionlessCaptchaChallengeRequestBody.parse(req.body);
+        const existingToken = await tasks$1.db.getFrictionlessTokenRecordByToken(token);
+        if (existingToken) {
+          req.logger.info(`Token ${existingToken} has already been used`);
+          return res.json(
+            await tasks$1.frictionlessManager.sendImageCaptcha(
+              existingToken._id
+            )
+          );
+        }
+        const lScore = tasks$1.frictionlessManager.checkLangRules(
+          req.headers["accept-language"] || ""
+        );
+        const { baseBotScore, timestamp } = await tasks$1.frictionlessManager.decryptPayload(token);
+        const botScore = baseBotScore + lScore;
+        const clientRecord = await tasks$1.db.getClientRecord(dapp);
+        if (!clientRecord) {
+          return next(
+            new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+              context: { code: 400, siteKey: dapp },
+              i18n: req.i18n,
+              logger: req.logger
+            })
+          );
+        }
+        const { valid, reason } = await tasks$1.frictionlessManager.isValidRequest(
+          clientRecord,
+          types.CaptchaType.frictionless
+        );
+        if (!valid) {
+          return next(
+            new common.ProsopoApiError(reason || "API.BAD_REQUEST", {
+              context: {
+                code: 400,
+                siteKey: dapp,
+                user
+              },
+              i18n: req.i18n,
+              logger: req.logger
+            })
+          );
+        }
+        const botThreshold = clientRecord.settings?.frictionlessThreshold || DEFAULT_FRICTIONLESS_THRESHOLD;
+        const tokenId = await tasks$1.db.storeFrictionlessTokenRecord({
+          token,
+          score: botScore,
+          threshold: botThreshold,
+          scoreComponents: {
+            baseScore: baseBotScore,
+            ...lScore && { lScore }
+          }
+        });
+        if (frictionlessTasks.FrictionlessManager.timestampTooOld(timestamp)) {
+          await tasks$1.frictionlessManager.scoreIncreaseTimestamp(
+            timestamp,
+            baseBotScore,
+            botScore,
+            tokenId
+          );
+          return res.json(
+            await tasks$1.frictionlessManager.sendImageCaptcha(tokenId)
+          );
+        }
+        const ipAddress = util.getIPAddress(req.ip || "");
+        const imageCaptchaConfigResolver = userAccessPolicy.createImageCaptchaConfigResolver(
+          userAccessRulesStorage,
+          req.logger
+        );
+        const imageCaptchaConfigDefined = await imageCaptchaConfigResolver.isConfigDefined(
+          dapp,
+          ipAddress,
+          req.ja4,
+          user
+        );
+        if (imageCaptchaConfigDefined) {
+          await tasks$1.frictionlessManager.scoreIncreaseAccessPolicy(
+            imageCaptchaConfigResolver.accessRule,
+            baseBotScore,
+            botScore,
+            tokenId
+          );
+          return res.json(
+            await tasks$1.frictionlessManager.sendImageCaptcha(tokenId)
+          );
+        }
+        if (Number(botScore) > botThreshold) {
+          req.logger.info({
+            message: `Bot score ${botScore} is greater than threshold ${botThreshold}`
+          });
+          return res.json(
+            await tasks$1.frictionlessManager.sendImageCaptcha(tokenId)
+          );
+        }
+        return res.json(
+          await tasks$1.frictionlessManager.sendPowCaptcha(tokenId)
+        );
+      } catch (err) {
+        req.logger.error("Error in frictionless captcha challenge:", err);
+        return next(
+          new common.ProsopoApiError("API.BAD_REQUEST", {
+            context: { code: 400, error: err },
+            i18n: req.i18n,
+            logger: req.logger
+          })
+        );
+      }
+    }
+  );
+  router.use(apiExpressRouter.handleErrors);
+  return router;
+}
+exports.prosopoRouter = prosopoRouter;

package/dist/cjs/api/domainMiddleware.cjs

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const utilCrypto = require("@polkadot/util-crypto");
+const apiExpressRouter = require("@prosopo/api-express-router");
+const common = require("@prosopo/common");
+const zod = require("zod");
+require("../tasks/index.cjs");
+const tasks = require("../tasks/tasks.cjs");
+const domainMiddleware = (env) => {
+  const tasks$1 = new tasks.Tasks(env);
+  return async (req, res, next) => {
+    try {
+      const dapp = req.headers["prosopo-site-key"];
+      if (!dapp)
+        throw siteKeyNotRegisteredError(
+          req.i18n,
+          "No sitekey provided",
+          req.logger
+        );
+      try {
+        utilCrypto.validateAddress(dapp, false, 42);
+      } catch (err) {
+        throw invalidSiteKeyError(req.i18n, dapp, req.logger);
+      }
+      const clientSettings = await tasks$1.db.getClientRecord(dapp);
+      if (!clientSettings)
+        throw siteKeyNotRegisteredError(req.i18n, dapp, req.logger);
+      const allowedDomains = clientSettings.settings?.domains;
+      if (!allowedDomains)
+        throw siteKeyInvalidDomainError(
+          req.i18n,
+          dapp,
+          req.hostname,
+          req.logger
+        );
+      const origin = req.headers.origin;
+      if (!origin)
+        throw unauthorizedOriginError(req.i18n, void 0, req.logger);
+      for (const domain of allowedDomains) {
+        if (tasks$1.clientTaskManager.isSubdomainOrExactMatch(origin, domain)) {
+          next();
+          return;
+        }
+      }
+      throw unauthorizedOriginError(req.i18n, origin, req.logger);
+    } catch (err) {
+      if (err instanceof common.ProsopoApiError || err instanceof zod.ZodError || err instanceof SyntaxError) {
+        apiExpressRouter.handleErrors(err, req, res, next);
+      } else {
+        res.status(401).json({ error: "Unauthorized", message: err });
+        return;
+      }
+    }
+  };
+};
+const siteKeyNotRegisteredError = (i18n, dapp, logger) => {
+  return new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+    context: { code: 400, siteKey: dapp },
+    i18n,
+    logger
+  });
+};
+const invalidSiteKeyError = (i18n, dapp, logger) => {
+  return new common.ProsopoApiError("API.INVALID_SITE_KEY", {
+    context: { code: 400, siteKey: dapp },
+    i18n,
+    logger
+  });
+};
+const unauthorizedOriginError = (i18n, origin, logger) => {
+  return new common.ProsopoApiError("API.UNAUTHORIZED_ORIGIN_URL", {
+    context: { code: 400, origin },
+    i18n,
+    logger
+  });
+};
+const siteKeyInvalidDomainError = (i18n, dapp, domain, logger) => {
+  return new common.ProsopoApiError("API.UNAUTHORIZED_ORIGIN_URL", {
+    context: {
+      code: 400,
+      message: "No domains are allowed for this site key. Please fix in the Procaptcha Portal",
+      siteKey: dapp,
+      domain
+    },
+    i18n,
+    logger
+  });
+};
+exports.domainMiddleware = domainMiddleware;

package/dist/cjs/api/headerCheckMiddleware.cjs

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const apiExpressRouter = require("@prosopo/api-express-router");
+const validateAddress = require("./validateAddress.cjs");
+const headerCheckMiddleware = (env) => {
+  return async (req, res, next) => {
+    try {
+      const user = req.headers["prosopo-user"];
+      const siteKey = req.headers["prosopo-site-key"];
+      if (!user) {
+        unauthorised(res);
+        return;
+      }
+      if (!siteKey) {
+        unauthorised(res);
+        return;
+      }
+      validateAddress.validiateSiteKey(siteKey, req.logger);
+      validateAddress.validateAddr(user, void 0, req.logger);
+      req.user = user;
+      req.siteKey = siteKey;
+      next();
+    } catch (err) {
+      return apiExpressRouter.handleErrors(err, req, res, next);
+    }
+  };
+};
+const unauthorised = (res) => res.status(401).json({ error: "Unauthorized", message: "Unauthorized" });
+exports.headerCheckMiddleware = headerCheckMiddleware;

package/dist/cjs/api/ignoreMiddleware.cjs

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const types = require("@prosopo/types");
+function ignoreMiddleware() {
+  return (req, res, next) => {
+    if (req.originalUrl.indexOf(types.ApiPrefix) === -1) {
+      res.statusCode = 404;
+      res.send("Not Found");
+      return;
+    }
+    next();
+  };
+}
+exports.ignoreMiddleware = ignoreMiddleware;

package/dist/cjs/api/ja4Middleware.cjs

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const node_crypto = require("node:crypto");
+const node_stream = require("node:stream");
+const apiExpressRouter = require("@prosopo/api-express-router");
+const common = require("@prosopo/common");
+const readTlsClientHello = require("read-tls-client-hello");
+const DEFAULT_JA4 = "ja4";
+const getJA4 = async (headers, logger) => {
+  logger = logger || common.getLoggerDefault();
+  if (process.env.NODE_ENV === "development") {
+    return { ja4PlusFingerprint: DEFAULT_JA4 };
+  }
+  try {
+    const xTlsClientHello = (headers["x-tls-clienthello"] || "").toString();
+    const xTlsVersion = (headers["x-tls-version"] || "").toString().toLowerCase();
+    const xTlsServerName = (headers["x-tls-server-name"] || "").toString();
+    const clientHelloBuffer = Buffer.from(xTlsClientHello, "base64");
+    logger.debug(
+      "ClientHello First Bytes:",
+      clientHelloBuffer.subarray(0, 5).toString("hex")
+    );
+    if (clientHelloBuffer[5] !== 1) {
+      logger.warn("Invalid ClientHello message: First byte is not 0x01");
+      return { ja4PlusFingerprint: DEFAULT_JA4 };
+    }
+    logger.debug("Headers TLS Version:", xTlsVersion);
+    const tlsVersion = xTlsVersion.replace(/(tls)|\./g, "");
+    const readableStream = new node_stream.Readable({
+      read() {
+        this.push(clientHelloBuffer);
+      }
+    });
+    const clientHello = await readTlsClientHello.readTlsClientHello(readableStream);
+    const { alpnProtocols } = clientHello;
+    const [_tlsVersion, cipherSuites, extensions] = clientHello.fingerprintData;
+    const transport = "t";
+    const sniIndicator = xTlsServerName ? "d" : "i";
+    const validCipherSuites = cipherSuites.filter(
+      (cs) => (cs & 3855) !== 2570
+    );
+    const cipherCount = validCipherSuites.length;
+    const validExtensions = extensions.filter(
+      (ext) => (ext & 3855) !== 2570
+    );
+    const extensionCount = validExtensions.length;
+    const alpn = alpnProtocols?.length ? alpnProtocols[0] : "";
+    const alpnLabel = alpn ? `${alpn[0]}${alpn[alpn.length - 1]}` : "00";
+    const sortedCiphers = validCipherSuites.map((cs) => cs.toString(16).padStart(4, "0")).sort().join(",");
+    const cipherHash = node_crypto.createHash("sha256").update(sortedCiphers).digest("hex").slice(0, 12);
+    const decimalString = extensions.sort((a, b) => a - b).map((ext) => ext.toString(10)).join("-");
+    const extensionHash = node_crypto.createHash("sha256").update(decimalString).digest("hex").slice(0, 12);
+    const ja4PlusFingerprint = `${transport}${tlsVersion}${sniIndicator}${cipherCount}${extensionCount}${alpnLabel}_${cipherHash}_${extensionHash}`;
+    return { ja4PlusFingerprint };
+  } catch (e) {
+    logger.error("Error generating JA4+ fingerprint:", e);
+    return { ja4PlusFingerprint: DEFAULT_JA4 };
+  }
+};
+const ja4Middleware = (env) => {
+  return async (req, res, next) => {
+    try {
+      const ja4 = await getJA4(req.headers, req.logger);
+      req.ja4 = ja4.ja4PlusFingerprint || "";
+      next();
+    } catch (err) {
+      return apiExpressRouter.handleErrors(err, req, res, next);
+    }
+  };
+};
+exports.DEFAULT_JA4 = DEFAULT_JA4;
+exports.getJA4 = getJA4;
+exports.ja4Middleware = ja4Middleware;