npm - @prosopo/provider - Versions diffs - 3.15.0 → 4.7.2 - Mend

@prosopo/provider 3.15.0 → 4.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (623) hide show

package/dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/decisionMachine.cjs ADDED Viewed

@@ -0,0 +1,287 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const common = require("@prosopo/common");
+const types = require("@prosopo/types");
+const util = require("@prosopo/util");
+const frictionlessTasks = require("../../../tasks/frictionless/frictionlessTasks.cjs");
+const frictionlessTasksUtils = require("../../../tasks/frictionless/frictionlessTasksUtils.cjs");
+const hashUserAgent = require("../../../utils/hashUserAgent.cjs");
+const contextAwareValidation = require("../contextAwareValidation.cjs");
+const constants = require("./constants.cjs");
+const honeypotResponse = require("./honeypotResponse.cjs");
+const runDecisionMachine = async (input, handle) => {
+  const {
+    tasks,
+    env,
+    clientRecord,
+    dapp,
+    userSitekeyIpHash,
+    flatHeaders,
+    ipInfo
+  } = input;
+  const { req, res } = handle;
+  let { botScore, scoreComponents } = input;
+  const autoBanThreshold = clientRecord.settings.autoBanScoreThreshold;
+  if (autoBanThreshold !== void 0 && Number(botScore) >= autoBanThreshold) {
+    req.logger.info(() => ({
+      msg: "Frictionless decision",
+      data: {
+        requestId: req.requestId,
+        decision: "auto_ban_score",
+        botScore,
+        autoBanThreshold,
+        token: input.token
+      }
+    }));
+    await tasks.frictionlessManager.registerBlockedSession({
+      solvedImagesCount: clientRecord.settings.imageMaxRounds,
+      userSitekeyIpHash,
+      reason: types.FrictionlessReason.AUTO_BAN_SCORE,
+      siteKey: dapp,
+      ipInfo,
+      headers: flatHeaders
+    });
+    return res.status(401).json({ error: "Unauthorized" });
+  }
+  const userAgentMismatchResponse = await runUserAgentMismatchCheck(
+    input,
+    handle
+  );
+  if (userAgentMismatchResponse) return userAgentMismatchResponse;
+  const contextResponse = await runContextAwareValidation(input, handle);
+  if (contextResponse) return contextResponse;
+  if (clientRecord.settings.disallowWebView && input.webView) {
+    tasks.logger.info(() => ({ msg: "WebView detected" }));
+    const scoreUpdate = tasks.frictionlessManager.scoreIncreaseWebView(
+      input.baseBotScore,
+      botScore,
+      scoreComponents
+    );
+    botScore = scoreUpdate.score;
+    scoreComponents = scoreUpdate.scoreComponents;
+    tasks.frictionlessManager.updateScore(botScore, scoreComponents);
+    req.logger.info(() => ({
+      msg: "Frictionless decision",
+      data: {
+        requestId: req.requestId,
+        decision: "webview_detected",
+        captchaType: types.CaptchaType.image
+      }
+    }));
+    honeypotResponse.attachHoneypot(res, clientRecord);
+    return res.json(
+      await tasks.frictionlessManager.sendImageCaptcha({
+        solvedImagesCount: Math.min(
+          env.config.captchas.solved.count * 2,
+          clientRecord.settings.imageMaxRounds
+        ),
+        userSitekeyIpHash,
+        reason: types.FrictionlessReason.WEBVIEW_DETECTED,
+        siteKey: dapp,
+        ipInfo,
+        headers: flatHeaders
+      })
+    );
+  }
+  if (frictionlessTasks.FrictionlessManager.timestampTooOld(input.timestamp)) {
+    const scoreUpdate = tasks.frictionlessManager.scoreIncreaseTimestamp(
+      input.timestamp,
+      input.baseBotScore,
+      botScore,
+      scoreComponents
+    );
+    botScore = scoreUpdate.score;
+    scoreComponents = scoreUpdate.scoreComponents;
+    tasks.frictionlessManager.updateScore(botScore, scoreComponents);
+    req.logger.info(() => ({
+      msg: "Frictionless decision",
+      data: {
+        requestId: req.requestId,
+        decision: "timestamp_too_old",
+        captchaType: types.CaptchaType.image
+      }
+    }));
+    honeypotResponse.attachHoneypot(res, clientRecord);
+    return res.json(
+      await tasks.frictionlessManager.sendImageCaptcha({
+        solvedImagesCount: frictionlessTasksUtils.timestampDecayFunction(
+          input.timestamp,
+          input.decryptionFailed,
+          clientRecord.settings.imageMaxRounds
+        ),
+        userSitekeyIpHash,
+        reason: types.FrictionlessReason.OLD_TIMESTAMP,
+        siteKey: dapp,
+        ipInfo,
+        headers: flatHeaders
+      })
+    );
+  }
+  const hostVerified = await tasks.frictionlessManager.hostVerified(
+    input.providerSelectEntropy
+  );
+  if (!hostVerified.verified) {
+    const scoreUpdate = tasks.frictionlessManager.scoreIncreaseUnverifiedHost(
+      hostVerified.domain,
+      input.baseBotScore,
+      botScore,
+      scoreComponents
+    );
+    botScore = scoreUpdate.score;
+    scoreComponents = scoreUpdate.scoreComponents;
+    tasks.frictionlessManager.updateScore(botScore, scoreComponents);
+  }
+  if (Number(botScore) > input.botThreshold) {
+    req.logger.info(() => ({
+      msg: "Bot score is greater than threshold",
+      data: {
+        botScore,
+        botThreshold: input.botThreshold,
+        token: input.token
+      }
+    }));
+    req.logger.info(() => ({
+      msg: "Frictionless decision",
+      data: {
+        requestId: req.requestId,
+        decision: "bot_score_above_threshold",
+        captchaType: types.CaptchaType.image
+      }
+    }));
+    honeypotResponse.attachHoneypot(res, clientRecord);
+    return res.json(
+      await tasks.frictionlessManager.sendImageCaptcha({
+        solvedImagesCount: Math.min(
+          env.config.captchas.solved.count,
+          clientRecord.settings.imageMaxRounds
+        ),
+        userSitekeyIpHash,
+        reason: types.FrictionlessReason.BOT_SCORE_ABOVE_THRESHOLD,
+        siteKey: dapp,
+        ipInfo,
+        headers: flatHeaders
+      })
+    );
+  }
+  req.logger.info(() => ({
+    msg: "Frictionless decision",
+    data: {
+      requestId: req.requestId,
+      decision: "default_pow",
+      captchaType: types.CaptchaType.pow
+    }
+  }));
+  honeypotResponse.attachHoneypot(res, clientRecord);
+  return res.json(
+    await tasks.frictionlessManager.sendPowCaptcha({
+      userSitekeyIpHash,
+      siteKey: dapp,
+      ipInfo,
+      headers: flatHeaders
+    })
+  );
+};
+const runUserAgentMismatchCheck = async (input, handle) => {
+  const { req, res } = handle;
+  const headersUserAgent = req.headers["user-agent"];
+  const headersProsopoUser = req.headers["prosopo-user"];
+  const hashedHeadersUserAgent = headersUserAgent ? hashUserAgent.hashUserAgent(headersUserAgent) : "";
+  if (hashedHeadersUserAgent === input.userAgent && headersProsopoUser === input.userId) {
+    return null;
+  }
+  req.logger.info(() => ({
+    msg: "User agent or user id does not match",
+    data: {
+      headersUserAgent,
+      hashedHeadersUserAgent,
+      userAgent: input.userAgent,
+      headersProsopoUser,
+      userId: input.userId
+    }
+  }));
+  req.logger.info(() => ({
+    msg: "Frictionless decision",
+    data: {
+      requestId: req.requestId,
+      decision: "user_agent_mismatch",
+      captchaType: types.CaptchaType.image
+    }
+  }));
+  honeypotResponse.attachHoneypot(res, input.clientRecord);
+  return res.json(
+    await input.tasks.frictionlessManager.sendImageCaptcha({
+      solvedImagesCount: frictionlessTasksUtils.timestampDecayFunction(
+        input.timestamp,
+        input.decryptionFailed,
+        input.clientRecord.settings.imageMaxRounds
+      ),
+      userSitekeyIpHash: input.userSitekeyIpHash,
+      reason: types.FrictionlessReason.USER_AGENT_MISMATCH,
+      siteKey: input.dapp,
+      ipInfo: input.ipInfo,
+      headers: input.flatHeaders
+    })
+  );
+};
+const runContextAwareValidation = async (input, handle) => {
+  const { tasks, clientRecord, dapp, user } = input;
+  const { req, res, next } = handle;
+  if (!clientRecord.settings.contextAware?.enabled) return null;
+  const contexts = clientRecord.settings.contextAware?.contexts || {};
+  const hasDefault = contexts[types.ContextType.Default] !== void 0;
+  const hasWebview = contexts[types.ContextType.Webview] !== void 0;
+  let contextType;
+  if (hasDefault && hasWebview) {
+    contextType = contextAwareValidation.determineContextType(input.webView);
+  } else if (hasDefault) {
+    contextType = types.ContextType.Default;
+  } else if (hasWebview) {
+    contextType = types.ContextType.Webview;
+  }
+  if (!contextType) return null;
+  const clientEntropy = await tasks.frictionlessManager.getClientContextEntropy(
+    clientRecord.account,
+    contextType
+  );
+  if (!clientEntropy) return null;
+  if (!input.decryptedHeadHash) {
+    tasks.logger.info(() => ({
+      msg: "No decryptedHeadHash in session for context aware client"
+    }));
+    return next(
+      new common.ProsopoApiError("API.BAD_REQUEST", {
+        context: { code: 400, siteKey: dapp, user },
+        i18n: req.i18n,
+        logger: req.logger
+      })
+    );
+  }
+  const threshold = contextAwareValidation.getContextThreshold(clientRecord.settings, contextType);
+  const sim = util.compareBinaryStrings(input.decryptedHeadHash, clientEntropy);
+  if (sim >= threshold) return null;
+  req.logger.info(() => ({
+    msg: "Frictionless decision",
+    data: {
+      requestId: req.requestId,
+      decision: "context_aware_failed",
+      captchaType: types.CaptchaType.image,
+      sim,
+      threshold
+    }
+  }));
+  honeypotResponse.attachHoneypot(res, clientRecord);
+  return res.json(
+    await tasks.frictionlessManager.sendImageCaptcha({
+      solvedImagesCount: Math.min(
+        constants.getRoundsFromSimScore(sim),
+        clientRecord.settings.imageMaxRounds
+      ),
+      userSitekeyIpHash: input.userSitekeyIpHash,
+      reason: types.FrictionlessReason.CONTEXT_AWARE_VALIDATION_FAILED,
+      siteKey: dapp,
+      ipInfo: input.ipInfo,
+      headers: input.flatHeaders
+    })
+  );
+};
+exports.runDecisionMachine = runDecisionMachine;

package/dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/decryptSimdReadings.cjs ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const decryptIncomingSimdReadings = async (manager, encrypted) => {
+  if (!encrypted) return void 0;
+  const decryptKeys = [
+    ...await manager.getDetectorKeys(),
+    process.env.BOT_DECRYPTION_KEY
+  ];
+  const decrypted = await manager.decryptSimdReadings(encrypted, decryptKeys);
+  if (!decrypted) return void 0;
+  const { timestamp: _ignored, ...readings } = decrypted;
+  return readings;
+};
+exports.decryptIncomingSimdReadings = decryptIncomingSimdReadings;

package/dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/handler.cjs ADDED Viewed

@@ -0,0 +1,315 @@
+"use strict";
+const common = require("@prosopo/common");
+const types = require("@prosopo/types");
+const util = require("@prosopo/util");
+const compositeIpAddress = require("../../../compositeIpAddress.cjs");
+require("../../../tasks/index.cjs");
+const devicePlatform = require("../../../utils/devicePlatform.cjs");
+const hashUserIp = require("../../../utils/hashUserIp.cjs");
+const normalizeRequestIp = require("../../../utils/normalizeRequestIp.cjs");
+const apiToggleMaintenanceModeEndpoint = require("../../admin/apiToggleMaintenanceModeEndpoint.cjs");
+const blacklistRequestInspector = require("../../blacklistRequestInspector.cjs");
+const dnsEventUrl = require("../../dnsEventUrl.cjs");
+const testSiteKey = require("../../testSiteKey.cjs");
+const maintenanceModeResponses = require("../maintenanceModeResponses.cjs");
+const accessPolicy = require("./accessPolicy.cjs");
+const constants = require("./constants.cjs");
+const decisionMachine = require("./decisionMachine.cjs");
+const decryptSimdReadings = require("./decryptSimdReadings.cjs");
+const honeypotResponse = require("./honeypotResponse.cjs");
+const sessionDedup = require("./sessionDedup.cjs");
+const shortCircuit = require("./shortCircuit.cjs");
+const tasks = require("../../../tasks/tasks.cjs");
+const getFrictionlessCaptchaChallenge = (env, userAccessRulesStorage) => async (req, res, next) => {
+  try {
+    res.on("finish", () => {
+      req.logger.info(() => ({
+        msg: "Frictionless response finished",
+        data: {
+          requestId: req.requestId,
+          status: res.statusCode,
+          path: req.path,
+          method: req.method
+        }
+      }));
+    });
+    const tasks$1 = new tasks.Tasks(env, req.logger);
+    const { token, headHash, dapp, user, mode, simdReadings } = types.GetFrictionlessCaptchaChallengeRequestBody.parse(req.body);
+    const decodedSimdReadings = await decryptSimdReadings.decryptIncomingSimdReadings(
+      tasks$1.frictionlessManager,
+      simdReadings
+    );
+    const normalizedIp = normalizeRequestIp.normalizeRequestIp(req.ip, req.logger);
+    const sessionMode = mode === types.ModeEnum.invisible ? types.ModeEnum.invisible : void 0;
+    req.logger.info(() => ({
+      msg: "Frictionless handler entry",
+      data: {
+        requestId: req.requestId,
+        token,
+        user,
+        dapp,
+        normalizedIp,
+        ja4: req.ja4,
+        path: req.path,
+        method: req.method,
+        ...sessionMode && { mode: sessionMode }
+      }
+    }));
+    if (apiToggleMaintenanceModeEndpoint.getMaintenanceMode()) {
+      req.logger.info(() => ({
+        msg: "Maintenance mode active - returning dummy PoW captcha session",
+        data: { dapp, user }
+      }));
+      return res.json(
+        maintenanceModeResponses.buildFrictionlessMaintenanceResponse(
+          types.CaptchaType.pow,
+          env.config.host
+        )
+      );
+    }
+    if (testSiteKey.isReservedTestSiteKey(dapp)) {
+      req.logger.warn(() => ({
+        msg: "Reserved TEST site key - returning invisible PoW session",
+        data: { dapp, user }
+      }));
+      return res.json(
+        maintenanceModeResponses.buildFrictionlessMaintenanceResponse(
+          types.CaptchaType.pow,
+          env.config.host
+        )
+      );
+    }
+    const userSitekeyIpHash = hashUserIp.hashUserIp(user, normalizedIp, dapp);
+    const { existingToken, dedup } = await sessionDedup.resolveSessionDedup(
+      tasks$1,
+      token,
+      userSitekeyIpHash,
+      req.logger
+    );
+    if (existingToken) {
+      req.logger.info(() => ({
+        token: existingToken,
+        msg: "Token has already been used"
+      }));
+      return next(
+        new common.ProsopoApiError("API.BAD_REQUEST", {
+          context: { code: 400, siteKey: dapp, user },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    const clientRecord = await tasks$1.db.getClientRecord(dapp);
+    if (!clientRecord) {
+      return next(
+        new common.ProsopoApiError("API.SITE_KEY_NOT_REGISTERED", {
+          context: { code: 400, siteKey: dapp },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    if (dedup) {
+      req.logger.info(() => ({
+        msg: "Reusing existing session for user-IP-sitekey combination",
+        data: {
+          userSitekeyIpHash,
+          sessionId: dedup.sessionId,
+          captchaType: dedup.captchaType
+        }
+      }));
+      req.logger.info(() => ({
+        msg: "Frictionless decision",
+        data: {
+          requestId: req.requestId,
+          decision: "reuse_session",
+          captchaType: dedup.captchaType,
+          sessionId: dedup.sessionId
+        }
+      }));
+      honeypotResponse.attachHoneypot(res, clientRecord);
+      return res.json({
+        [types.ApiParams.captchaType]: dedup.captchaType,
+        [types.ApiParams.sessionId]: dedup.sessionId,
+        [types.ApiParams.status]: "ok",
+        dns_url: dnsEventUrl.buildDnsEventUrl(dedup.sessionId)
+      });
+    }
+    const ipAddress = compositeIpAddress.getCompositeIpAddress(normalizedIp);
+    const flatHeaders = util.flatten(req.headers);
+    const countryCode = req.ipInfo && "isValid" in req.ipInfo && req.ipInfo.isValid ? req.ipInfo.countryCode : void 0;
+    const shortCircuitResponse = await shortCircuit.runConfiguredCaptchaTypeShortCircuit(
+      {
+        tasks: tasks$1,
+        env,
+        clientRecord,
+        token,
+        dapp,
+        ipAddress,
+        ipInfo: req.ipInfo,
+        flatHeaders,
+        sessionMode,
+        userSitekeyIpHash,
+        requestId: req.requestId,
+        logger: req.logger
+      },
+      res
+    );
+    if (shortCircuitResponse) return shortCircuitResponse;
+    const lScore = tasks$1.frictionlessManager.checkLangRules(
+      req.headers["accept-language"] || ""
+    );
+    const {
+      baseBotScore,
+      timestamp,
+      providerSelectEntropy,
+      userId,
+      userAgent,
+      webView,
+      iFrame,
+      decryptedHeadHash,
+      decryptionFailed,
+      triggeredDetectors,
+      shadowDomPenalty
+    } = await tasks$1.frictionlessManager.decryptPayload(token, headHash);
+    req.logger.debug(() => ({
+      msg: "Decrypted payload",
+      data: {
+        baseBotScore,
+        timestamp,
+        providerSelectEntropy,
+        userId,
+        userAgent,
+        webView
+      }
+    }));
+    let botScore = baseBotScore + lScore;
+    const { valid, reason } = await tasks$1.frictionlessManager.isValidRequest(
+      clientRecord,
+      types.CaptchaType.frictionless,
+      env
+    );
+    if (!valid) {
+      return next(
+        new common.ProsopoApiError(reason || "API.BAD_REQUEST", {
+          context: { code: 400, siteKey: dapp, user },
+          i18n: req.i18n,
+          logger: req.logger
+        })
+      );
+    }
+    const botThreshold = clientRecord.settings?.frictionlessThreshold || constants.DEFAULT_FRICTIONLESS_THRESHOLD;
+    let scoreComponents = {
+      baseScore: baseBotScore,
+      ...lScore && { lScore },
+      ...triggeredDetectors && triggeredDetectors.length > 0 && { triggeredDetectors },
+      ...shadowDomPenalty !== void 0 && { shadowDomPenalty }
+    };
+    tasks$1.frictionlessManager.setSessionParams({
+      token,
+      score: botScore,
+      threshold: botThreshold,
+      scoreComponents,
+      providerSelectEntropy,
+      ipAddress,
+      webView,
+      iFrame,
+      decryptedHeadHash,
+      siteKey: dapp,
+      ipInfo: req.ipInfo,
+      headers: flatHeaders,
+      mode: sessionMode,
+      ...decodedSimdReadings && { simdReadings: decodedSimdReadings }
+    });
+    const ipInfoMobile = req.ipInfo && "isValid" in req.ipInfo && req.ipInfo.isValid ? req.ipInfo.isMobile : void 0;
+    const safeUserAgent = userAgent ?? "";
+    tasks$1.frictionlessManager.setRoutingContext({
+      dappAccount: dapp,
+      userAccount: user,
+      ip: normalizedIp,
+      countryCode,
+      score: botScore,
+      platform: devicePlatform.derivePlatform(safeUserAgent, webView, {
+        ...typeof ipInfoMobile === "boolean" && { isMobile: ipInfoMobile }
+      }),
+      raw: {
+        headers: flatHeaders,
+        userAgent: safeUserAgent,
+        ...req.ja4 && { ja4: req.ja4 }
+      }
+    });
+    const userScope = blacklistRequestInspector.getRequestUserScope(
+      util.flatten(req.headers),
+      req.ja4,
+      normalizedIp,
+      user,
+      void 0,
+      void 0,
+      countryCode
+    );
+    const userAccessPolicy = (await tasks$1.frictionlessManager.getPrioritisedAccessPolicies(
+      userAccessRulesStorage,
+      dapp,
+      userScope
+    ))[0];
+    const accessPolicyOutcome = await accessPolicy.handleAccessPolicy(
+      {
+        tasks: tasks$1,
+        clientRecord,
+        userAccessPolicy,
+        baseBotScore,
+        botScore,
+        scoreComponents,
+        userSitekeyIpHash,
+        dapp,
+        ipInfo: req.ipInfo,
+        flatHeaders,
+        requestId: req.requestId,
+        logger: req.logger,
+        userScope
+      },
+      res
+    );
+    if (accessPolicyOutcome.handled) return accessPolicyOutcome.response;
+    botScore = accessPolicyOutcome.botScore;
+    scoreComponents = accessPolicyOutcome.scoreComponents;
+    return await decisionMachine.runDecisionMachine(
+      {
+        tasks: tasks$1,
+        env,
+        clientRecord,
+        dapp,
+        user,
+        userSitekeyIpHash,
+        flatHeaders,
+        ipInfo: req.ipInfo,
+        timestamp,
+        decryptionFailed,
+        userAgent,
+        userId,
+        webView,
+        decryptedHeadHash,
+        providerSelectEntropy,
+        baseBotScore,
+        botScore,
+        scoreComponents,
+        token,
+        botThreshold
+      },
+      { req, res, next }
+    );
+  } catch (err) {
+    req.logger.error(() => ({
+      err,
+      msg: "Error in frictionless captcha challenge"
+    }));
+    return next(
+      new common.ProsopoApiError("API.BAD_REQUEST", {
+        context: { code: 400, error: err },
+        i18n: req.i18n,
+        logger: req.logger
+      })
+    );
+  }
+};
+module.exports = getFrictionlessCaptchaChallenge;

package/dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/honeypotResponse.cjs ADDED Viewed

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const encoders = require("../../../utils/honeypot/encoders.cjs");
+const phraseBank = require("../../../utils/honeypot/phraseBank.cjs");
+const HONEYPOT_HEADER = "x-prosopo-meta";
+const attachHoneypot = (res, clientRecord) => {
+  const cfg = clientRecord.settings?.honeypot;
+  if (!cfg?.enabled) return;
+  const question = cfg.question ?? phraseBank.getRandomPhrase();
+  if (!question) return;
+  res.setHeader(
+    HONEYPOT_HEADER,
+    encoders.encodeHoneypotQuestion(question, cfg.encodingType)
+  );
+};
+exports.HONEYPOT_HEADER = HONEYPOT_HEADER;
+exports.attachHoneypot = attachHoneypot;

package/dist/cjs/api/captcha/getFrictionlessCaptchaChallenge/sessionDedup.cjs ADDED Viewed

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const resolveSessionDedup = async (tasks, token, userSitekeyIpHash, logger) => {
+  const [existingToken, existingSession] = await Promise.all([
+    tasks.db.getSessionRecordByToken(token),
+    tasks.db.getSessionByuserSitekeyIpHash(userSitekeyIpHash)
+  ]);
+  const dedup = existingSession ? {
+    sessionId: existingSession.sessionId,
+    captchaType: existingSession.captchaType,
+    session: existingSession
+  } : null;
+  if (!dedup && tasks.writeQueue) {
+    const stalePointer = await tasks.writeQueue.getCachedSessionByHash(userSitekeyIpHash);
+    if (stalePointer) {
+      logger.warn(() => ({
+        msg: "Evicting stale Redis dedup pointer",
+        data: { userSitekeyIpHash, staleSessionId: stalePointer }
+      }));
+      await Promise.all([
+        tasks.writeQueue.invalidateCachedSessionByHash(userSitekeyIpHash),
+        tasks.writeQueue.invalidateCachedSession(stalePointer)
+      ]);
+    }
+  }
+  return { existingToken, dedup };
+};
+exports.resolveSessionDedup = resolveSessionDedup;