npm - @prosopo/provider - Versions diffs - 3.15.0 → 4.7.1 - Mend

@prosopo/provider 3.15.0 → 4.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (623) hide show

package/dist/cjs/api/captcha/getPuzzleCaptchaChallenge.cjs ADDED Viewed

@@ -0,0 +1,200 @@
+"use strict";
+const common = require("@prosopo/common");
+const types = require("@prosopo/types");
+const util = require("@prosopo/util");
+const compositeIpAddress = require("../../compositeIpAddress.cjs");
+require("../../tasks/index.cjs");
+const normalizeRequestIp = require("../../utils/normalizeRequestIp.cjs");
+const apiToggleMaintenanceModeEndpoint = require("../admin/apiToggleMaintenanceModeEndpoint.cjs");
+const blacklistRequestInspector = require("../blacklistRequestInspector.cjs");
+const validateAddress = require("../validateAddress.cjs");
+const maintenanceModeResponses = require("./maintenanceModeResponses.cjs");
+const tasks = require("../../tasks/tasks.cjs");
+const getPuzzleCaptchaChallenge = (env, userAccessRulesStorage) => async (req, res, next) => {
+  let parsed;
+  const tasks$1 = new tasks.Tasks(env, req.logger);
+  tasks$1.setLogger(req.logger);
+  try {
+    parsed = types.GetPuzzleCaptchaChallengeRequestBody.parse(req.body);
+  } catch (err) {
+    return next(
+      new common.ProsopoApiError("CAPTCHA.PARSE_ERROR", {
+        context: { code: 400, error: err },
+        i18n: req.i18n,
+        logger: req.logger
+      })
+    );
+  }
+  const { user, dapp, sessionId, simdReadings } = parsed;
+  validateAddress.validateSiteKey(dapp);
+  validateAddress.validateAddr(user);
+  if (apiToggleMaintenanceModeEndpoint.getMaintenanceMode()) {
+    req.logger.info(() => ({
+      msg: "Maintenance mode active - returning dummy puzzle challenge",
+      data: { dapp, user, sessionId }
+    }));
+    return res.json(maintenanceModeResponses.buildPuzzleMaintenanceResponse(user, dapp));
+  }
+  try {
+    const clientSettings = await tasks$1.db.getClientRecord(dapp);
+    if (!clientSettings) {
+      return next(
+        new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+          context: { code: 400, siteKey: dapp },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    const normalizedIp = normalizeRequestIp.normalizeRequestIp(req.ip, req.logger);
+    if (!normalizedIp) {
+      req.logger.warn(() => ({
+        msg: "Request missing IP; geoblocking will be skipped"
+      }));
+    }
+    const countryCode = req.ipInfo && "isValid" in req.ipInfo && req.ipInfo.isValid ? req.ipInfo.countryCode : void 0;
+    const userScope = blacklistRequestInspector.getRequestUserScope(
+      util.flatten(req.headers),
+      req.ja4,
+      normalizedIp,
+      user,
+      void 0,
+      // headHash
+      void 0,
+      // coords
+      countryCode
+    );
+    const userAccessPolicy = (await tasks$1.puzzleCaptchaManager.getPrioritisedAccessPolicies(
+      userAccessRulesStorage,
+      dapp,
+      userScope
+    ))[0];
+    const {
+      valid,
+      reason,
+      sessionId: validSessionId
+    } = await tasks$1.puzzleCaptchaManager.isValidRequest(
+      clientSettings,
+      types.CaptchaType.puzzle,
+      env,
+      sessionId,
+      userAccessPolicy,
+      normalizedIp
+    );
+    if (!valid) {
+      return next(
+        new common.ProsopoApiError(reason || "API.BAD_REQUEST", {
+          context: {
+            code: 400,
+            siteKey: dapp,
+            user
+          },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    const origin = req.headers.origin;
+    if (!origin) {
+      return next(
+        new common.ProsopoApiError("API.BAD_REQUEST", {
+          context: {
+            error: "Origin header not found",
+            code: 400,
+            siteKey: dapp,
+            user
+          },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    const tolerance = clientSettings?.settings?.puzzleTolerance;
+    const challenge = await tasks$1.puzzleCaptchaManager.getPuzzleCaptchaChallenge(
+      user,
+      dapp,
+      origin,
+      tolerance
+    );
+    if (validSessionId && simdReadings) {
+      await tasks$1.frictionlessManager.decryptAndAttachSimdReadingsIfAbsent(
+        validSessionId,
+        simdReadings,
+        types.SimdReadingsStage.challenge
+      ).catch((updateErr) => {
+        req.logger.warn(() => ({
+          err: updateErr,
+          msg: "Failed to patch session with SIMD readings on puzzle challenge"
+        }));
+      });
+    }
+    await tasks$1.db.storePuzzleCaptchaRecord(
+      challenge.challenge,
+      {
+        requestedAtTimestamp: challenge.requestedAtTimestamp,
+        userAccount: user,
+        dappAccount: dapp
+      },
+      challenge.targetX,
+      challenge.targetY,
+      challenge.originX,
+      challenge.originY,
+      challenge.tolerance,
+      challenge.providerSignature,
+      compositeIpAddress.getCompositeIpAddress(normalizedIp),
+      util.flatten(req.headers),
+      req.ja4,
+      validSessionId,
+      // Persist the full ipinfo payload — consumers read
+      // individual flags off this object instead of separate
+      // flat fields.
+      req.ipInfo
+    );
+    const getPuzzleCaptchaResponse = {
+      [types.ApiParams.status]: "ok",
+      [types.ApiParams.challenge]: challenge.challenge,
+      [types.ApiParams.targetX]: challenge.targetX,
+      [types.ApiParams.targetY]: challenge.targetY,
+      [types.ApiParams.originX]: challenge.originX,
+      [types.ApiParams.originY]: challenge.originY,
+      [types.ApiParams.tolerance]: challenge.tolerance,
+      [types.ApiParams.timestamp]: challenge.requestedAtTimestamp.toString(),
+      [types.ApiParams.signature]: {
+        [types.ApiParams.provider]: {
+          [types.ApiParams.challenge]: challenge.providerSignature
+        }
+      }
+    };
+    req.logger.info(() => ({
+      msg: "Puzzle captcha challenge issued",
+      data: {
+        captchaType: types.CaptchaType.puzzle,
+        challenge: challenge.challenge,
+        tolerance: challenge.tolerance,
+        user,
+        dapp,
+        session: sessionId
+      }
+    }));
+    return res.json(getPuzzleCaptchaResponse);
+  } catch (err) {
+    req.logger.error(() => ({
+      err,
+      body: req.body,
+      msg: "Error in puzzle captcha challenge request"
+    }));
+    return next(
+      new common.ProsopoApiError("API.BAD_REQUEST", {
+        context: {
+          code: 500,
+          siteKey: req.body.dapp,
+          user: req.body.user,
+          error: err
+        },
+        i18n: req.i18n,
+        logger: req.logger
+      })
+    );
+  }
+};
+module.exports = getPuzzleCaptchaChallenge;

package/dist/cjs/api/captcha/maintenanceModeResponses.cjs ADDED Viewed

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const node_crypto = require("node:crypto");
+const types = require("@prosopo/types");
+const sessionPrefix = (host) => host ? host.replace(".prosopo.io", "") : "local";
+const buildChallenge = (user, dapp) => `${Date.now()}${types.POW_SEPARATOR}${user}${types.POW_SEPARATOR}${dapp}${types.POW_SEPARATOR}0`;
+const buildFrictionlessMaintenanceResponse = (captchaType, host) => ({
+  [types.ApiParams.captchaType]: captchaType,
+  [types.ApiParams.sessionId]: `${sessionPrefix(host)}-${node_crypto.randomUUID()}`,
+  [types.ApiParams.status]: "ok"
+});
+const buildPowMaintenanceResponse = (user, dapp) => {
+  const timestamp = Date.now();
+  return {
+    [types.ApiParams.status]: "ok",
+    [types.ApiParams.challenge]: buildChallenge(user, dapp),
+    [types.ApiParams.difficulty]: 1,
+    [types.ApiParams.timestamp]: timestamp.toString(),
+    [types.ApiParams.signature]: {
+      [types.ApiParams.provider]: { [types.ApiParams.challenge]: "" }
+    }
+  };
+};
+const buildPuzzleMaintenanceResponse = (user, dapp) => {
+  const timestamp = Date.now();
+  return {
+    [types.ApiParams.status]: "ok",
+    [types.ApiParams.challenge]: buildChallenge(user, dapp),
+    [types.ApiParams.targetX]: 100,
+    [types.ApiParams.targetY]: 100,
+    [types.ApiParams.originX]: 0,
+    [types.ApiParams.originY]: 0,
+    [types.ApiParams.tolerance]: 1e3,
+    [types.ApiParams.timestamp]: timestamp.toString(),
+    [types.ApiParams.signature]: {
+      [types.ApiParams.provider]: { [types.ApiParams.challenge]: "" }
+    }
+  };
+};
+exports.buildFrictionlessMaintenanceResponse = buildFrictionlessMaintenanceResponse;
+exports.buildPowMaintenanceResponse = buildPowMaintenanceResponse;
+exports.buildPuzzleMaintenanceResponse = buildPuzzleMaintenanceResponse;

package/dist/cjs/api/captcha/submitImageCaptchaSolution.cjs CHANGED Viewed

@@ -4,9 +4,10 @@ const types = require("@prosopo/types");
 const util = require("@prosopo/util");
 require("../../tasks/index.cjs");
 const apiToggleMaintenanceModeEndpoint = require("../admin/apiToggleMaintenanceModeEndpoint.cjs");
+const testSiteKey = require("../testSiteKey.cjs");
 const validateAddress = require("../validateAddress.cjs");
 const tasks = require("../../tasks/tasks.cjs");
-const submitImageCaptchaSolution = (env, userAccessRulesStorage) => async (req, res, next) => {
+const submitImageCaptchaSolution = (env) => async (req, res, next) => {
   const tasks$1 = new tasks.Tasks(env, req.logger);
   if (apiToggleMaintenanceModeEndpoint.getMaintenanceMode()) {
     req.logger.info(() => ({
@@ -34,6 +35,15 @@ const submitImageCaptchaSolution = (env, userAccessRulesStorage) => async (req,
   const { user, dapp } = parsed;
   validateAddress.validateSiteKey(dapp);
   validateAddress.validateAddr(user);
+  const testVerdict = testSiteKey.resolveTestSiteKeyVerdict(dapp, req.logger);
+  if (testVerdict !== null) {
+    const result = {
+      status: "ok",
+      captchas: [],
+      verified: testVerdict
+    };
+    return res.json(result);
+  }
   try {
     const clientRecord = await tasks$1.db.getClientRecord(parsed.dapp);
     if (!clientRecord) {
@@ -55,7 +65,14 @@ const submitImageCaptchaSolution = (env, userAccessRulesStorage) => async (req,
       parsed[types.ApiParams.signature].provider.requestHash,
       util.getIPAddress(req.ip || ""),
       util.flatten(req.headers),
-      req.ja4
+      req.ja4,
+      parsed[types.ApiParams.behavioralData],
+      // Persist the full ipinfo payload — consumers read
+      // individual flags off this object instead of separate
+      // flat fields.
+      req.ipInfo,
+      parsed[types.ApiParams.simdReadings],
+      parsed[types.ApiParams.clientMetaData]
     );
     const returnValue = {
       status: req.i18n.t(

package/dist/cjs/api/captcha/submitPoWCaptchaSolution.cjs CHANGED Viewed

@@ -3,7 +3,9 @@ const common = require("@prosopo/common");
 const types = require("@prosopo/types");
 const util = require("@prosopo/util");
 const tasks = require("../../tasks/tasks.cjs");
+const devicePlatform = require("../../utils/devicePlatform.cjs");
 const apiToggleMaintenanceModeEndpoint = require("../admin/apiToggleMaintenanceModeEndpoint.cjs");
+const testSiteKey = require("../testSiteKey.cjs");
 const validateAddress = require("../validateAddress.cjs");
 const submitPoWCaptchaSolution = (env) => async (req, res, next) => {
   let parsed;
@@ -37,10 +39,20 @@ const submitPoWCaptchaSolution = (env) => async (req, res, next) => {
     dapp,
     user,
     behavioralData,
-    salt
+    salt,
+    simdReadings,
+    clientMetaData
   } = parsed;
   validateAddress.validateSiteKey(dapp);
   validateAddress.validateAddr(user);
+  const testVerdict = testSiteKey.resolveTestSiteKeyVerdict(dapp, req.logger);
+  if (testVerdict !== null) {
+    const response = {
+      status: "ok",
+      verified: testVerdict
+    };
+    return res.json(response);
+  }
   try {
     const clientRecord = await tasks$1.db.getClientRecord(dapp);
     if (!clientRecord) {
@@ -52,18 +64,42 @@ const submitPoWCaptchaSolution = (env) => async (req, res, next) => {
         })
       );
     }
-    const verified = await tasks$1.powCaptchaManager.verifyPowCaptchaSolution(
+    const flatHeaders = util.flatten(req.headers);
+    const userAgent = req.headers["user-agent"] ?? "";
+    const countryCode = req.ipInfo && "isValid" in req.ipInfo && req.ipInfo.isValid ? req.ipInfo.countryCode : void 0;
+    tasks$1.powCaptchaManager.setPostPowContext({
+      ip: req.ip || "",
+      countryCode,
+      // `false` here is a placeholder — `runPostPowRouting` overrides
+      // isWebView with the value recorded on the originating session.
+      platform: devicePlatform.derivePlatform(userAgent, false),
+      raw: {
+        headers: flatHeaders,
+        userAgent,
+        ...req.ja4 && { ja4: req.ja4 }
+      }
+    });
+    const result = await tasks$1.powCaptchaManager.verifyPowCaptchaSolution(
       challenge,
       signature.provider.challenge,
       nonce,
       verifiedTimeout,
       signature.user.timestamp,
       util.getIPAddress(req.ip || ""),
-      util.flatten(req.headers),
+      flatHeaders,
       behavioralData,
-      salt
+      salt,
+      simdReadings,
+      clientMetaData
     );
-    const response = { status: "ok", verified };
+    const escalation = await buildEscalation(tasks$1, result, challenge);
+    const response = {
+      status: "ok",
+      // On escalation the user is not done — they still need to clear
+      // the follow-up image/puzzle challenge before we hand them a token.
+      verified: escalation ? false : result.verified,
+      ...escalation && { escalation }
+    };
     return res.json(response);
   } catch (err) {
     req.logger.error(() => ({
@@ -84,4 +120,45 @@ const submitPoWCaptchaSolution = (env) => async (req, res, next) => {
     );
   }
 };
+const buildEscalation = async (tasks2, result, challenge) => {
+  if (!result.verified || !result.routingOutput) return void 0;
+  const routedType = result.routingOutput.captchaType;
+  if (routedType !== types.CaptchaType.image && routedType !== types.CaptchaType.puzzle) {
+    return void 0;
+  }
+  const powRecord = await tasks2.db.getPowCaptchaRecordByChallenge(challenge);
+  if (!powRecord?.sessionId) return void 0;
+  const originSession = await tasks2.db.getSessionRecordBySessionId(
+    powRecord.sessionId
+  );
+  if (!originSession) return void 0;
+  const routed = result.routingOutput;
+  const newSession = await tasks2.frictionlessManager.createSession(
+    originSession.token,
+    originSession.score,
+    originSession.threshold,
+    originSession.scoreComponents,
+    originSession.providerSelectEntropy,
+    originSession.ipAddress,
+    routed.captchaType,
+    originSession.siteKey ?? powRecord.dappAccount,
+    routed.captchaType === types.CaptchaType.image ? routed.solvedImagesCount ?? originSession.solvedImagesCount : void 0,
+    void 0,
+    originSession.userSitekeyIpHash,
+    originSession.webView,
+    originSession.iFrame,
+    originSession.decryptedHeadHash,
+    originSession.reason,
+    void 0,
+    void 0,
+    originSession.ipInfo,
+    originSession.headers,
+    originSession.mode,
+    originSession.simdReadings
+  );
+  return {
+    captchaType: routed.captchaType,
+    sessionId: newSession.sessionId
+  };
+};
 module.exports = submitPoWCaptchaSolution;

package/dist/cjs/api/captcha/submitPuzzleCaptchaSolution.cjs ADDED Viewed

@@ -0,0 +1,107 @@
+"use strict";
+const common = require("@prosopo/common");
+const types = require("@prosopo/types");
+const util = require("@prosopo/util");
+const tasks = require("../../tasks/tasks.cjs");
+const apiToggleMaintenanceModeEndpoint = require("../admin/apiToggleMaintenanceModeEndpoint.cjs");
+const testSiteKey = require("../testSiteKey.cjs");
+const validateAddress = require("../validateAddress.cjs");
+const submitPuzzleCaptchaSolution = (env) => async (req, res, next) => {
+  let parsed;
+  const tasks$1 = new tasks.Tasks(env, req.logger);
+  if (apiToggleMaintenanceModeEndpoint.getMaintenanceMode()) {
+    req.logger.info(() => ({
+      msg: "Maintenance mode active - returning verified"
+    }));
+    const response = {
+      status: "ok",
+      verified: true
+    };
+    return res.json(response);
+  }
+  try {
+    parsed = types.SubmitPuzzleCaptchaSolutionBody.parse(req.body);
+  } catch (err) {
+    return next(
+      new common.ProsopoApiError("CAPTCHA.PARSE_ERROR", {
+        context: { code: 400, error: err, body: req.body },
+        i18n: req.i18n,
+        logger: req.logger
+      })
+    );
+  }
+  const {
+    challenge,
+    signature,
+    finalX,
+    finalY,
+    puzzleEvents,
+    verifiedTimeout,
+    dapp,
+    user,
+    behavioralData,
+    salt,
+    simdReadings,
+    clientMetaData
+  } = parsed;
+  validateAddress.validateSiteKey(dapp);
+  validateAddress.validateAddr(user);
+  const testVerdict = testSiteKey.resolveTestSiteKeyVerdict(dapp, req.logger);
+  if (testVerdict !== null) {
+    const response = {
+      status: "ok",
+      verified: testVerdict
+    };
+    return res.json(response);
+  }
+  try {
+    const clientRecord = await tasks$1.db.getClientRecord(dapp);
+    if (!clientRecord) {
+      return next(
+        new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+          context: { code: 400, siteKey: dapp },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    const verified = await tasks$1.puzzleCaptchaManager.verifyPuzzleCaptchaSolution(
+      challenge,
+      signature.provider.challenge,
+      finalX,
+      finalY,
+      puzzleEvents,
+      verifiedTimeout,
+      signature.user.timestamp,
+      util.getIPAddress(req.ip || ""),
+      util.flatten(req.headers),
+      behavioralData,
+      salt,
+      simdReadings,
+      clientMetaData
+    );
+    const response = {
+      status: "ok",
+      verified
+    };
+    return res.json(response);
+  } catch (err) {
+    req.logger.error(() => ({
+      err,
+      body: req.body,
+      msg: "Error in puzzle captcha solution submission"
+    }));
+    return next(
+      new common.ProsopoApiError("API.BAD_REQUEST", {
+        context: {
+          code: 500,
+          siteKey: req.body.dapp,
+          error: err
+        },
+        i18n: req.i18n,
+        logger: req.logger
+      })
+    );
+  }
+};
+module.exports = submitPuzzleCaptchaSolution;

package/dist/cjs/api/captcha.cjs CHANGED Viewed

@@ -3,21 +3,34 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const apiExpressRouter = require("@prosopo/api-express-router");
 const types = require("@prosopo/types");
 const express = require("express");
-const getFrictionlessCaptchaChallenge = require("./captcha/getFrictionlessCaptchaChallenge.cjs");
+const checkSpamEmail = require("./captcha/checkSpamEmail.cjs");
+require("./captcha/getFrictionlessCaptchaChallenge.cjs");
 const getImageCaptchaChallenge = require("./captcha/getImageCaptchaChallenge.cjs");
 const getPoWCaptchaChallenge = require("./captcha/getPoWCaptchaChallenge.cjs");
+const getPuzzleCaptchaChallenge = require("./captcha/getPuzzleCaptchaChallenge.cjs");
 const submitImageCaptchaSolution = require("./captcha/submitImageCaptchaSolution.cjs");
 const submitPoWCaptchaSolution = require("./captcha/submitPoWCaptchaSolution.cjs");
+const submitPuzzleCaptchaSolution = require("./captcha/submitPuzzleCaptchaSolution.cjs");
+const handler = require("./captcha/getFrictionlessCaptchaChallenge/handler.cjs");
 function prosopoRouter(env) {
   const router = express.Router();
-  const userAccessRulesStorage = env.getDb().getUserAccessRulesStorage();
+  let userAccessRulesStorage;
+  try {
+    userAccessRulesStorage = env.getDb().getUserAccessRulesStorage();
+  } catch (err) {
+    env.logger.warn(() => ({
+      msg: "User access rules storage unavailable; captcha endpoints will skip access-policy checks",
+      err
+    }));
+    userAccessRulesStorage = void 0;
+  }
   router.post(
     types.ClientApiPaths.GetImageCaptchaChallenge,
     (req, res, next) => getImageCaptchaChallenge(env, userAccessRulesStorage)(req, res, next)
   );
   router.post(
     types.ClientApiPaths.SubmitImageCaptchaSolution,
-    (req, res, next) => submitImageCaptchaSolution(env, userAccessRulesStorage)(req, res, next)
+    (req, res, next) => submitImageCaptchaSolution(env)(req, res, next)
   );
   router.post(
     types.ClientApiPaths.GetPowCaptchaChallenge,
@@ -29,12 +42,24 @@ function prosopoRouter(env) {
   );
   router.post(
     types.ClientApiPaths.GetFrictionlessCaptchaChallenge,
-    (req, res, next) => getFrictionlessCaptchaChallenge(env, userAccessRulesStorage)(
+    (req, res, next) => handler(env, userAccessRulesStorage)(
       req,
       res,
       next
     )
   );
+  router.post(
+    types.ClientApiPaths.GetPuzzleCaptchaChallenge,
+    (req, res, next) => getPuzzleCaptchaChallenge(env, userAccessRulesStorage)(req, res, next)
+  );
+  router.post(
+    types.ClientApiPaths.SubmitPuzzleCaptchaSolution,
+    (req, res, next) => submitPuzzleCaptchaSolution(env)(req, res, next)
+  );
+  router.post(
+    types.ClientApiPaths.CheckSpamEmail,
+    (req, res, next) => checkSpamEmail(env)(req, res, next)
+  );
   router.use(apiExpressRouter.handleErrors);
   return router;
 }

package/dist/cjs/api/dnsEventUrl.cjs ADDED Viewed

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const node_crypto = require("node:crypto");
+const EXTENSIONS = ["gif", "png", "webp"];
+const buildDnsEventUrl = (sessionId) => {
+  const subzone = process.env.DNS_EVENT_SUBZONE;
+  const secret = process.env.DNS_EVENT_HMAC_SECRET;
+  if (!subzone || !secret) {
+    return void 0;
+  }
+  const path = derivePath(sessionId, secret);
+  const port = process.env.DNS_EVENT_PORT;
+  const host = port ? `${sessionId}.${subzone}:${port}` : `${sessionId}.${subzone}`;
+  return `https://${host}${path}?sid=${sessionId}`;
+};
+const derivePath = (sessionId, secret) => {
+  const mac = node_crypto.createHmac("sha256", secret);
+  mac.update(sessionId);
+  const digest = mac.digest();
+  const name = digest.subarray(0, 8).toString("hex");
+  const ext = EXTENSIONS[(digest.at(8) ?? 0) % EXTENSIONS.length];
+  return `/${name}.${ext}`;
+};
+exports.buildDnsEventUrl = buildDnsEventUrl;
+exports.derivePath = derivePath;

package/dist/cjs/api/domainMiddleware.cjs CHANGED Viewed

@@ -2,14 +2,28 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const apiExpressRouter = require("@prosopo/api-express-router");
 const common = require("@prosopo/common");
+const util = require("@prosopo/util");
 const utilCrypto = require("@prosopo/util-crypto");
 const zod = require("zod");
 require("../tasks/index.cjs");
+const apiToggleMaintenanceModeEndpoint = require("./admin/apiToggleMaintenanceModeEndpoint.cjs");
+const testSiteKey = require("./testSiteKey.cjs");
 const tasks = require("../tasks/tasks.cjs");
 const domainMiddleware = (env) => {
-  const tasks$1 = new tasks.Tasks(env);
+  let cachedTasks;
   return async (req, res, next) => {
     try {
+      if (apiToggleMaintenanceModeEndpoint.getMaintenanceMode()) {
+        req.logger.info(() => ({
+          msg: "Maintenance mode active - skipping domain validation"
+        }));
+        next();
+        return;
+      }
+      if (!cachedTasks) {
+        cachedTasks = new tasks.Tasks(env);
+      }
+      const tasks$1 = cachedTasks;
       const siteKey = req.headers["prosopo-site-key"];
       if (!siteKey)
         throw siteKeyNotRegisteredError(
@@ -22,6 +36,10 @@ const domainMiddleware = (env) => {
       } catch (err) {
         throw invalidSiteKeyError(req.i18n, siteKey, req.logger);
       }
+      if (testSiteKey.isReservedTestSiteKey(siteKey)) {
+        next();
+        return;
+      }
       const clientSettings = await tasks$1.db.getClientRecord(siteKey);
       if (!clientSettings)
         throw siteKeyNotRegisteredError(req.i18n, siteKey, req.logger);
@@ -36,10 +54,13 @@ const domainMiddleware = (env) => {
       const origin = req.headers.origin;
       if (!origin)
         throw unauthorizedOriginError(req.i18n, void 0, req.logger);
-      for (const domain of allowedDomains) {
-        if (tasks$1.clientTaskManager.domainPatternMatcher(origin, domain)) {
-          next();
-          return;
+      const candidateOrigins = [origin, ...googleTranslateOrigins(origin)];
+      for (const candidate of candidateOrigins) {
+        for (const domain of allowedDomains) {
+          if (tasks$1.clientTaskManager.domainPatternMatcher(candidate, domain)) {
+            next();
+            return;
+          }
         }
       }
       throw unauthorizedOriginError(req.i18n, origin, req.logger);
@@ -53,6 +74,16 @@ const domainMiddleware = (env) => {
     }
   };
 };
+const googleTranslateOrigins = (origin) => {
+  try {
+    const url = util.parseUrl(origin);
+    const decodedHost = util.decodeGoogleTranslateHost(url.hostname);
+    if (!decodedHost) return [];
+    return [`${url.protocol}//${decodedHost}`];
+  } catch {
+    return [];
+  }
+};
 const siteKeyNotRegisteredError = (i18n, dapp, logger) => {
   return new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
     context: { code: 400, siteKey: dapp },