@prosopo/provider 3.12.3 → 3.13.0

package/dist/api/captcha.js

@@ -1,625 +1,37 @@
 import { handleErrors } from "@prosopo/api-express-router";
-import { ProsopoApiError } from "@prosopo/common";
-import { parseCaptchaAssets } from "@prosopo/datasets";
-import { ClientApiPaths, CaptchaRequestBody, CaptchaType, ApiParams, CaptchaSolutionBody, GetPowCaptchaChallengeRequestBody, SubmitPowCaptchaSolutionBody, GetFrictionlessCaptchaChallengeRequestBody } from "@prosopo/types";
-import { getIPAddress, flatten } from "@prosopo/util";
+import { ClientApiPaths } from "@prosopo/types";
 import express from "express";
-import { getCompositeIpAddress } from "../compositeIpAddress.js";
-import { FrictionlessManager } from "../tasks/frictionless/frictionlessTasks.js";
-import { timestampDecayFunction } from "../tasks/frictionless/frictionlessTasksUtils.js";
-import { Tasks } from "../tasks/tasks.js";
-import { hashUserAgent } from "../utils/hashUserAgent.js";
-import { getRequestUserScope } from "./blacklistRequestInspector.js";
-import { validateSiteKey, validateAddr } from "./validateAddress.js";
-const DEFAULT_FRICTIONLESS_THRESHOLD = 0.5;
+import getFrictionlessCaptchaChallenge from "./captcha/getFrictionlessCaptchaChallenge.js";
+import getImageCaptchaChallenge from "./captcha/getImageCaptchaChallenge.js";
+import getPoWCaptchaChallenge from "./captcha/getPoWCaptchaChallenge.js";
+import submitImageCaptchaSolution from "./captcha/submitImageCaptchaSolution.js";
+import submitPoWCaptchaSolution from "./captcha/submitPoWCaptchaSolution.js";
 function prosopoRouter(env) {
   const router = express.Router();
   const userAccessRulesStorage = env.getDb().getUserAccessRulesStorage();
   router.post(
     ClientApiPaths.GetImageCaptchaChallenge,
-    async (req, res, next) => {
-      const tasks = new Tasks(env, req.logger);
-      let parsed;
-      if (!req.ip) {
-        return next(
-          new ProsopoApiError("API.BAD_REQUEST", {
-            context: { code: 400, error: "IP address not found" },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-      const ipAddress = getIPAddress(req.ip || "");
-      try {
-        parsed = CaptchaRequestBody.parse(req.body);
-      } catch (err) {
-        return next(
-          new ProsopoApiError("CAPTCHA.PARSE_ERROR", {
-            context: { code: 400, error: err },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-      const { datasetId, user, dapp, sessionId } = parsed;
-      validateSiteKey(dapp);
-      validateAddr(user);
-      try {
-        const clientRecord = await tasks.db.getClientRecord(dapp);
-        if (!clientRecord) {
-          return next(
-            new ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
-              context: { code: 400, siteKey: dapp },
-              i18n: req.i18n,
-              logger: req.logger
-            })
-          );
-        }
-        const userScope = getRequestUserScope(
-          flatten(req.headers),
-          req.ja4,
-          req.ip,
-          user
-        );
-        const userAccessPolicy = (await tasks.imgCaptchaManager.getPrioritisedAccessPolicies(
-          userAccessRulesStorage,
-          dapp,
-          userScope
-        ))[0];
-        const { valid, reason, frictionlessTokenId, solvedImagesCount } = await tasks.imgCaptchaManager.isValidRequest(
-          clientRecord,
-          CaptchaType.image,
-          env,
-          sessionId,
-          userAccessPolicy,
-          req.ip
-        );
-        if (!valid) {
-          return next(
-            new ProsopoApiError(reason || "API.BAD_REQUEST", {
-              context: {
-                code: 400,
-                siteKey: dapp,
-                user
-              },
-              i18n: req.i18n,
-              logger: req.logger
-            })
-          );
-        }
-        const captchaConfig = {
-          solved: {
-            count: solvedImagesCount || userAccessPolicy?.solvedImagesCount || env.config.captchas.solved.count
-          },
-          unsolved: {
-            count: userAccessPolicy?.unsolvedImagesCount || env.config.captchas.unsolved.count
-          }
-        };
-        const taskData = await tasks.imgCaptchaManager.getRandomCaptchasAndRequestHash(
-          datasetId,
-          user,
-          ipAddress,
-          captchaConfig,
-          clientRecord.settings.imageThreshold ?? 0.8,
-          frictionlessTokenId
-        );
-        const captchaResponse = {
-          [ApiParams.status]: "ok",
-          [ApiParams.captchas]: taskData.captchas.map((captcha) => ({
-            ...captcha,
-            target: req.t(`TARGET.${captcha.target}`),
-            items: captcha.items.map(
-              (item) => parseCaptchaAssets(item, env.assetsResolver)
-            )
-          })),
-          [ApiParams.requestHash]: taskData.requestHash,
-          [ApiParams.timestamp]: taskData.timestamp.toString(),
-          [ApiParams.signature]: {
-            [ApiParams.provider]: {
-              [ApiParams.requestHash]: taskData.signedRequestHash
-            }
-          }
-        };
-        req.logger.info(() => ({
-          msg: "Image captcha challenge issued",
-          data: {
-            captchaType: CaptchaType.image,
-            requestHash: taskData.requestHash,
-            solvedImagesCount: captchaConfig.solved.count,
-            user,
-            dapp,
-            sessionId
-          }
-        }));
-        return res.json(captchaResponse);
-      } catch (err) {
-        req.logger.error(() => ({
-          err,
-          data: req.params,
-          msg: "Error in image captcha challenge request"
-        }));
-        return next(
-          new ProsopoApiError("API.BAD_REQUEST", {
-            context: {
-              error: err,
-              code: 500,
-              params: req.params,
-              context: err
-            },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-    }
+    (req, res, next) => getImageCaptchaChallenge(env, userAccessRulesStorage)(req, res, next)
   );
   router.post(
     ClientApiPaths.SubmitImageCaptchaSolution,
-    async (req, res, next) => {
-      const tasks = new Tasks(env, req.logger);
-      let parsed;
-      try {
-        parsed = CaptchaSolutionBody.parse(req.body);
-      } catch (err) {
-        return next(
-          new ProsopoApiError("CAPTCHA.PARSE_ERROR", {
-            context: { code: 400, error: err, body: req.body },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-      const { user, dapp } = parsed;
-      validateSiteKey(dapp);
-      validateAddr(user);
-      try {
-        const clientRecord = await tasks.db.getClientRecord(parsed.dapp);
-        if (!clientRecord) {
-          return next(
-            new ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
-              context: { code: 400, siteKey: dapp },
-              i18n: req.i18n,
-              logger: req.logger
-            })
-          );
-        }
-        const result = await tasks.imgCaptchaManager.dappUserSolution(
-          user,
-          dapp,
-          parsed[ApiParams.requestHash],
-          parsed[ApiParams.captchas],
-          parsed[ApiParams.signature].user.timestamp,
-          Number.parseInt(parsed[ApiParams.timestamp]),
-          parsed[ApiParams.signature].provider.requestHash,
-          getIPAddress(req.ip || ""),
-          flatten(req.headers),
-          req.ja4
-        );
-        const returnValue = {
-          status: req.i18n.t(
-            result.verified ? "API.CAPTCHA_PASSED" : "API.CAPTCHA_FAILED"
-          ),
-          ...result
-        };
-        return res.json(returnValue);
-      } catch (err) {
-        req.logger.error(() => ({
-          err,
-          body: req.body,
-          msg: "Error in image captcha solution submission"
-        }));
-        return next(
-          new ProsopoApiError("API.BAD_REQUEST", {
-            context: {
-              code: 500,
-              siteKey: req.body.dapp,
-              error: err
-            },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-    }
+    (req, res, next) => submitImageCaptchaSolution(env, userAccessRulesStorage)(req, res, next)
+  );
+  router.post(
+    ClientApiPaths.GetPowCaptchaChallenge,
+    (req, res, next) => getPoWCaptchaChallenge(env, userAccessRulesStorage)(req, res, next)
   );
-  router.post(ClientApiPaths.GetPowCaptchaChallenge, async (req, res, next) => {
-    let parsed;
-    const tasks = new Tasks(env);
-    tasks.setLogger(req.logger);
-    try {
-      parsed = GetPowCaptchaChallengeRequestBody.parse(req.body);
-    } catch (err) {
-      return next(
-        new ProsopoApiError("CAPTCHA.PARSE_ERROR", {
-          context: { code: 400, error: err },
-          i18n: req.i18n,
-          logger: req.logger
-        })
-      );
-    }
-    const { user, dapp, sessionId } = parsed;
-    validateSiteKey(dapp);
-    validateAddr(user);
-    try {
-      const clientSettings = await tasks.db.getClientRecord(dapp);
-      if (!clientSettings) {
-        return next(
-          new ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
-            context: { code: 400, siteKey: dapp },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-      const userScope = getRequestUserScope(
-        flatten(req.headers),
-        req.ja4,
-        req.ip,
-        user
-      );
-      const userAccessPolicy = (await tasks.powCaptchaManager.getPrioritisedAccessPolicies(
-        userAccessRulesStorage,
-        dapp,
-        userScope
-      ))[0];
-      const { valid, reason, frictionlessTokenId, powDifficulty } = await tasks.powCaptchaManager.isValidRequest(
-        clientSettings,
-        CaptchaType.pow,
-        env,
-        sessionId,
-        userAccessPolicy,
-        req.ip
-      );
-      if (!valid) {
-        return next(
-          new ProsopoApiError(reason || "API.BAD_REQUEST", {
-            context: {
-              code: 400,
-              siteKey: dapp,
-              user
-            },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-      const origin = req.headers.origin;
-      if (!origin) {
-        return next(
-          new ProsopoApiError("API.BAD_REQUEST", {
-            context: {
-              error: "Origin header not found",
-              code: 400,
-              siteKey: dapp,
-              user
-            },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-      const difficulty = powDifficulty || userAccessPolicy?.powDifficulty || clientSettings?.settings?.powDifficulty;
-      const challenge = await tasks.powCaptchaManager.getPowCaptchaChallenge(
-        user,
-        dapp,
-        origin,
-        difficulty
-      );
-      await tasks.db.storePowCaptchaRecord(
-        challenge.challenge,
-        {
-          requestedAtTimestamp: challenge.requestedAtTimestamp,
-          userAccount: user,
-          dappAccount: dapp
-        },
-        challenge.difficulty,
-        challenge.providerSignature,
-        getCompositeIpAddress(req.ip || ""),
-        flatten(req.headers),
-        req.ja4,
-        frictionlessTokenId
-      );
-      const getPowCaptchaResponse = {
-        [ApiParams.status]: "ok",
-        [ApiParams.challenge]: challenge.challenge,
-        [ApiParams.difficulty]: challenge.difficulty,
-        [ApiParams.timestamp]: challenge.requestedAtTimestamp.toString(),
-        [ApiParams.signature]: {
-          [ApiParams.provider]: {
-            [ApiParams.challenge]: challenge.providerSignature
-          }
-        }
-      };
-      req.logger.info(() => ({
-        msg: "PoW captcha challenge issued",
-        data: {
-          captchaType: CaptchaType.pow,
-          challenge: challenge.challenge,
-          difficulty: challenge.difficulty,
-          user,
-          dapp,
-          session: sessionId
-        }
-      }));
-      return res.json(getPowCaptchaResponse);
-    } catch (err) {
-      req.logger.error(() => ({
-        err,
-        body: req.body,
-        msg: "Error in PoW captcha challenge request"
-      }));
-      return next(
-        new ProsopoApiError("API.BAD_REQUEST", {
-          context: {
-            code: 500,
-            siteKey: req.body.dapp,
-            user: req.body.user,
-            error: err
-          },
-          i18n: req.i18n,
-          logger: req.logger
-        })
-      );
-    }
-  });
   router.post(
     ClientApiPaths.SubmitPowCaptchaSolution,
-    async (req, res, next) => {
-      let parsed;
-      const tasks = new Tasks(env, req.logger);
-      try {
-        parsed = SubmitPowCaptchaSolutionBody.parse(req.body);
-      } catch (err) {
-        return next(
-          new ProsopoApiError("CAPTCHA.PARSE_ERROR", {
-            context: { code: 400, error: err, body: req.body },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-      const { challenge, signature, nonce, verifiedTimeout, dapp, user } = parsed;
-      validateSiteKey(dapp);
-      validateAddr(user);
-      try {
-        const clientRecord = await tasks.db.getClientRecord(dapp);
-        if (!clientRecord) {
-          return next(
-            new ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
-              context: { code: 400, siteKey: dapp },
-              i18n: req.i18n,
-              logger: req.logger
-            })
-          );
-        }
-        const verified = await tasks.powCaptchaManager.verifyPowCaptchaSolution(
-          challenge,
-          signature.provider.challenge,
-          nonce,
-          verifiedTimeout,
-          signature.user.timestamp,
-          getIPAddress(req.ip || ""),
-          flatten(req.headers)
-        );
-        const response = { status: "ok", verified };
-        return res.json(response);
-      } catch (err) {
-        req.logger.error(() => ({
-          err,
-          body: req.body,
-          msg: "Error in PoW captcha solution submission"
-        }));
-        return next(
-          new ProsopoApiError("API.BAD_REQUEST", {
-            context: {
-              code: 500,
-              siteKey: req.body.dapp,
-              error: err
-            },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-    }
+    (req, res, next) => submitPoWCaptchaSolution(env)(req, res, next)
   );
   router.post(
     ClientApiPaths.GetFrictionlessCaptchaChallenge,
-    async (req, res, next) => {
-      try {
-        const tasks = new Tasks(env, req.logger);
-        const { token, dapp, user } = GetFrictionlessCaptchaChallengeRequestBody.parse(req.body);
-        const existingToken = await tasks.db.getFrictionlessTokenRecordByToken(token);
-        if (existingToken) {
-          req.logger.info(() => ({
-            token: existingToken,
-            msg: "Token has already been used"
-          }));
-          return next(
-            new ProsopoApiError("API.BAD_REQUEST", {
-              context: {
-                code: 400,
-                siteKey: dapp,
-                user
-              },
-              i18n: req.i18n,
-              logger: req.logger
-            })
-          );
-        }
-        const lScore = tasks.frictionlessManager.checkLangRules(
-          req.headers["accept-language"] || ""
-        );
-        const {
-          baseBotScore,
-          timestamp,
-          providerSelectEntropy,
-          userId,
-          userAgent
-        } = await tasks.frictionlessManager.decryptPayload(token);
-        req.logger.debug(() => ({
-          msg: "Decrypted payload",
-          data: {
-            baseBotScore,
-            timestamp,
-            providerSelectEntropy,
-            userId,
-            userAgent
-          }
-        }));
-        let botScore = baseBotScore + lScore;
-        const clientRecord = await tasks.db.getClientRecord(dapp);
-        if (!clientRecord) {
-          return next(
-            new ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
-              context: { code: 400, siteKey: dapp },
-              i18n: req.i18n,
-              logger: req.logger
-            })
-          );
-        }
-        const { valid, reason } = await tasks.frictionlessManager.isValidRequest(
-          clientRecord,
-          CaptchaType.frictionless,
-          env
-        );
-        if (!valid) {
-          return next(
-            new ProsopoApiError(reason || "API.BAD_REQUEST", {
-              context: {
-                code: 400,
-                siteKey: dapp,
-                user
-              },
-              i18n: req.i18n,
-              logger: req.logger
-            })
-          );
-        }
-        const botThreshold = clientRecord.settings?.frictionlessThreshold || DEFAULT_FRICTIONLESS_THRESHOLD;
-        const tokenId = await tasks.db.storeFrictionlessTokenRecord({
-          token,
-          score: botScore,
-          threshold: botThreshold,
-          scoreComponents: {
-            baseScore: baseBotScore,
-            ...lScore && { lScore }
-          },
-          providerSelectEntropy,
-          ipAddress: getCompositeIpAddress(req.ip || "")
-        });
-        const userScope = getRequestUserScope(
-          flatten(req.headers),
-          req.ja4,
-          req.ip,
-          user
-        );
-        const userAccessPolicy = (await tasks.frictionlessManager.getPrioritisedAccessPolicies(
-          userAccessRulesStorage,
-          dapp,
-          userScope
-        ))[0];
-        const headersUserAgent = req.headers["user-agent"];
-        const hashedHeadersUserAgent = headersUserAgent ? hashUserAgent(headersUserAgent) : "";
-        const headersProsopoUser = req.headers["prosopo-user"];
-        if (hashedHeadersUserAgent !== userAgent || headersProsopoUser !== userId) {
-          req.logger.info(() => ({
-            msg: "User agent or user id does not match",
-            data: {
-              headersUserAgent,
-              hashedHeadersUserAgent,
-              userAgent,
-              // This is the hashed user agent from the token
-              headersProsopoUser,
-              userId
-            }
-          }));
-          return res.json(
-            await tasks.frictionlessManager.sendImageCaptcha(
-              tokenId,
-              timestampDecayFunction(timestamp)
-            )
-          );
-        }
-        if (userAccessPolicy) {
-          await tasks.frictionlessManager.scoreIncreaseAccessPolicy(
-            userAccessPolicy,
-            baseBotScore,
-            botScore,
-            tokenId
-          );
-          if (userAccessPolicy.captchaType === CaptchaType.image) {
-            return res.json(
-              await tasks.frictionlessManager.sendImageCaptcha(
-                tokenId,
-                userAccessPolicy.solvedImagesCount
-              )
-            );
-          }
-          if (userAccessPolicy.captchaType === CaptchaType.pow) {
-            return res.json(
-              await tasks.frictionlessManager.sendPowCaptcha(tokenId)
-            );
-          }
-        }
-        if (FrictionlessManager.timestampTooOld(timestamp)) {
-          await tasks.frictionlessManager.scoreIncreaseTimestamp(
-            timestamp,
-            baseBotScore,
-            botScore,
-            tokenId
-          );
-          return res.json(
-            await tasks.frictionlessManager.sendImageCaptcha(
-              tokenId,
-              timestampDecayFunction(timestamp)
-            )
-          );
-        }
-        const hostVerified = await tasks.frictionlessManager.hostVerified(
-          providerSelectEntropy
-        );
-        if (!hostVerified.verified) {
-          botScore = await tasks.frictionlessManager.scoreIncreaseUnverifiedHost(
-            hostVerified.domain,
-            baseBotScore,
-            botScore,
-            tokenId
-          );
-        }
-        if (Number(botScore) > botThreshold) {
-          req.logger.info(() => ({
-            msg: "Bot score is greater than threshold",
-            data: {
-              botScore,
-              botThreshold,
-              tokenId
-            }
-          }));
-          return res.json(
-            await tasks.frictionlessManager.sendImageCaptcha(
-              tokenId,
-              env.config.captchas.solved.count
-            )
-          );
-        }
-        return res.json(
-          await tasks.frictionlessManager.sendPowCaptcha(tokenId)
-        );
-      } catch (err) {
-        req.logger.error(() => ({
-          err,
-          msg: "Error in frictionless captcha challenge"
-        }));
-        return next(
-          new ProsopoApiError("API.BAD_REQUEST", {
-            context: { code: 400, error: err },
-            i18n: req.i18n,
-            logger: req.logger
-          })
-        );
-      }
-    }
+    (req, res, next) => getFrictionlessCaptchaChallenge(env, userAccessRulesStorage)(
+      req,
+      res,
+      next
+    )
   );
   router.use(handleErrors);
   return router;

package/dist/api/verify.js

@@ -4,12 +4,23 @@ import { ClientApiPaths, VerifySolutionBody, decodeProcaptchaOutput, ApiParams,
 import { validateAddress } from "@prosopo/util-crypto";
 import express from "express";
 import { Tasks } from "../tasks/tasks.js";
+import { getMaintenanceMode } from "./admin/apiToggleMaintenanceModeEndpoint.js";
 function prosopoVerifyRouter(env) {
   const router = express.Router();
   router.post(
     ClientApiPaths.VerifyImageCaptchaSolutionDapp,
     async (req, res, next) => {
       const tasks = new Tasks(env, req.logger);
+      if (getMaintenanceMode()) {
+        req.logger.info(() => ({
+          msg: "Maintenance mode active - returning verified for image captcha verification"
+        }));
+        const verificationResponse = {
+          status: "ok",
+          verified: true
+        };
+        return res.json(verificationResponse);
+      }
       let parsed;
       try {
         parsed = VerifySolutionBody.parse(req.body);
@@ -45,7 +56,9 @@ function prosopoVerifyRouter(env) {
           commitmentId,
           env,
           maxVerifiedTime,
-          ip
+          ip,
+          clientRecord.settings.disallowWebView,
+          clientRecord.settings.contextAware?.enabled
         );
         req.logger.debug(() => ({ data: { response } }));
         const verificationResponse = tasks.imgCaptchaManager.getVerificationResponse(
@@ -72,6 +85,16 @@ function prosopoVerifyRouter(env) {
     ClientApiPaths.VerifyPowCaptchaSolution,
     async (req, res, next) => {
       const tasks = new Tasks(env, req.logger);
+      if (getMaintenanceMode()) {
+        req.logger.info(() => ({
+          msg: "Maintenance mode active - returning verified for PoW captcha verification"
+        }));
+        const verificationResponse = {
+          status: "ok",
+          verified: true
+        };
+        return res.json(verificationResponse);
+      }
       let parsed;
       try {
         parsed = ServerPowCaptchaVerifyRequestBody.parse(req.body);