@prosopo/provider 3.15.0 → 4.7.2

package/dist/tests/unit/tasks/powCaptcha/powTasks.unit.test.js

@@ -2,7 +2,7 @@ import { stringToHex, u8aToHex } from "@polkadot/util";
 import { ApiParams, CaptchaStatus, CaptchaType, POW_SEPARATOR, } from "@prosopo/types";
 import { AccessPolicyType, } from "@prosopo/user-access-policy";
 import { getIPAddress, verifyRecency } from "@prosopo/util";
-import { beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { getCompositeIpAddress } from "../../../../compositeIpAddress.js";
 import { PowCaptchaManager } from "../../../../tasks/powCaptcha/powTasks.js";
 import { checkPowSignature, validateSolution, } from "../../../../tasks/powCaptcha/powTasksUtils.js";
@@ -29,6 +29,17 @@ describe("PowCaptchaManager", () => {
     let pair;
     let powCaptchaManager;
     let mockEnv;
+    let originalDecide;
+    const mockDecisionMachine = (mockFn) => {
+        originalDecide = powCaptchaManager.decisionMachineRunner.decide;
+        powCaptchaManager.decisionMachineRunner.decide = mockFn;
+    };
+    const restoreDecisionMachine = () => {
+        if (originalDecide) {
+            powCaptchaManager.decisionMachineRunner.decide = originalDecide;
+            originalDecide = undefined;
+        }
+    };
     beforeEach(() => {
         db = {
             storePowCaptchaRecord: vi.fn(),
@@ -36,6 +47,10 @@ describe("PowCaptchaManager", () => {
             updatePowCaptchaRecordResult: vi.fn(),
             updatePowCaptchaRecord: vi.fn(),
             markDappUserPoWCommitmentsChecked: vi.fn(),
+            getClientRecord: vi.fn(),
+            getSessionRecordBySessionId: vi.fn(),
+            updateSessionRecord: vi.fn(),
+            getSpamEmailDomain: vi.fn(),
         };
         pair = {
             sign: vi.fn(),
@@ -48,10 +63,22 @@ describe("PowCaptchaManager", () => {
                     baseUrl: "https://api.ipapi.is",
                 },
             },
+            ipInfoService: {
+                initialize: vi.fn().mockResolvedValue(undefined),
+                isAvailable: vi.fn().mockReturnValue(true),
+                lookup: vi.fn(async (ip) => ({
+                    isValid: false,
+                    error: "stubbed in test",
+                    ip,
+                })),
+            },
         };
         powCaptchaManager = new PowCaptchaManager(db, pair, mockEnv.config);
         vi.clearAllMocks();
     });
+    afterEach(() => {
+        restoreDecisionMachine();
+    });
     describe("getPowCaptchaChallenge", () => {
         it("should generate a PoW captcha challenge", async () => {
             const userAccount = "userAccount";
@@ -111,7 +138,7 @@ describe("PowCaptchaManager", () => {
                 undefined,
             ];
             const result = await powCaptchaManager.verifyPowCaptchaSolution(...verifyPowCaptchaSolutionArgs);
-            expect(result).toBe(true);
+            expect(result.verified).toBe(true);
             const verifyRecencyArgs = [
                 challenge,
                 timeout,
@@ -176,7 +203,7 @@ describe("PowCaptchaManager", () => {
             });
             db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
             validateSolution.mockImplementation(() => false);
-            expect(await powCaptchaManager.verifyPowCaptchaSolution(challenge, signature, nonce, timeout, timestampSignature, ipAddress, headers, undefined)).toBe(false);
+            expect((await powCaptchaManager.verifyPowCaptchaSolution(challenge, signature, nonce, timeout, timestampSignature, ipAddress, headers, undefined)).verified).toBe(false);
             expect(verifyRecency).toHaveBeenCalledWith(challenge, timeout);
         });
     });
@@ -194,6 +221,7 @@ describe("PowCaptchaManager", () => {
                 requestedAtTimestamp: new Date(timestamp),
                 serverChecked: false,
                 result: { status: CaptchaStatus.approved },
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
             };
             db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
             verifyRecency.mockImplementation(() => true);
@@ -381,117 +409,1305 @@ describe("PowCaptchaManager", () => {
             expect(result.verified).toBe(true);
         });
     });
-    describe("verifyPowCaptchaSolution with behavioral data", () => {
-        beforeEach(() => {
-            db.getDetectorKeys = vi.fn(() => Promise.resolve(["test-detector-key"]));
-            db.updatePowCaptchaRecord = vi.fn(() => Promise.resolve());
-        });
-        it("should process behavioral data when provided", async () => {
-            const requestedAtTimestamp = 123456789;
+    describe("serverVerifyPowCaptchaSolution with decision machine", () => {
+        it("should allow when decision machine returns allow", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
             const userAccount = "testUserAccount";
-            const challenge = `${requestedAtTimestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
-            const difficulty = 4;
-            const providerSignature = "testSignature";
-            const userSignature = "testTimestampSignature";
-            const nonce = 12345;
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
             const timeout = 1000;
             const ipAddress = getIPAddress("1.1.1.1");
             const headers = { a: "1", b: "2", c: "3" };
-            const behavioralData = "encrypted-behavioral-data";
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "test-device",
+            };
             const challengeRecord = {
                 challenge,
-                difficulty,
-                dappAccount: pair.address,
+                difficulty: 4,
+                dappAccount,
                 userAccount,
-                requestedAtTimestamp: new Date(requestedAtTimestamp),
-                result: { status: CaptchaStatus.pending },
-                userSubmitted: false,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
                 serverChecked: false,
                 ipAddress: getCompositeIpAddress(ipAddress),
                 headers,
                 ja4: "ja4",
-                providerSignature,
+                providerSignature: "testSignature",
                 lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "test-device",
             };
-            verifyRecency.mockImplementation(() => true);
-            checkPowSignature.mockImplementation(() => true);
-            validateSolution.mockImplementation(() => true);
             db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
-            db.updatePowCaptchaRecordResult.mockResolvedValue(true);
-            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(true);
-            const result = await powCaptchaManager.verifyPowCaptchaSolution(challenge, providerSignature, nonce, timeout, userSignature, ipAddress, headers, behavioralData, undefined);
-            expect(result).toBe(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(true);
         });
-        it("should handle behavioral data decryption failure gracefully", async () => {
-            const requestedAtTimestamp = 123456789;
+        it("should deny when decision machine returns deny", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
             const userAccount = "testUserAccount";
-            const challenge = `${requestedAtTimestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
-            const difficulty = 4;
-            const providerSignature = "testSignature";
-            const userSignature = "testTimestampSignature";
-            const nonce = 12345;
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
             const timeout = 1000;
             const ipAddress = getIPAddress("1.1.1.1");
             const headers = { a: "1", b: "2", c: "3" };
-            const behavioralData = "invalid-encrypted-data";
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "suspicious-device",
+            };
             const challengeRecord = {
                 challenge,
-                difficulty,
-                dappAccount: pair.address,
+                difficulty: 4,
+                dappAccount,
                 userAccount,
-                requestedAtTimestamp: new Date(requestedAtTimestamp),
-                result: { status: CaptchaStatus.pending },
-                userSubmitted: false,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
                 serverChecked: false,
                 ipAddress: getCompositeIpAddress(ipAddress),
                 headers,
                 ja4: "ja4",
-                providerSignature,
+                providerSignature: "testSignature",
                 lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "suspicious-device",
             };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
             verifyRecency.mockImplementation(() => true);
-            checkPowSignature.mockImplementation(() => true);
-            validateSolution.mockImplementation(() => true);
+            mockDecisionMachine(vi.fn().mockResolvedValue({
+                decision: "deny",
+                reason: "Suspicious device detected",
+                score: 0,
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(false);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should allow when no behavioral data is present (no decision machine run)", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("1.1.1.1");
+            const headers = { a: "1", b: "2", c: "3" };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
             db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
-            db.updatePowCaptchaRecordResult.mockResolvedValue(true);
-            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(true);
-            const result = await powCaptchaManager.verifyPowCaptchaSolution(challenge, providerSignature, nonce, timeout, userSignature, ipAddress, headers, behavioralData, undefined);
-            expect(result).toBe(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(true);
         });
-        it("should work without behavioral data", async () => {
-            const requestedAtTimestamp = 123456789;
+        it("should default to allow if decision machine fails", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
             const userAccount = "testUserAccount";
-            const challenge = `${requestedAtTimestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
-            const difficulty = 4;
-            const providerSignature = "testSignature";
-            const userSignature = "testTimestampSignature";
-            const nonce = 12345;
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
             const timeout = 1000;
             const ipAddress = getIPAddress("1.1.1.1");
             const headers = { a: "1", b: "2", c: "3" };
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "test-device",
+            };
             const challengeRecord = {
                 challenge,
-                difficulty,
-                dappAccount: pair.address,
+                difficulty: 4,
+                dappAccount,
                 userAccount,
-                requestedAtTimestamp: new Date(requestedAtTimestamp),
-                result: { status: CaptchaStatus.pending },
-                userSubmitted: false,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
                 serverChecked: false,
                 ipAddress: getCompositeIpAddress(ipAddress),
                 headers,
                 ja4: "ja4",
-                providerSignature,
+                providerSignature: "testSignature",
                 lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "test-device",
             };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
             verifyRecency.mockImplementation(() => true);
-            checkPowSignature.mockImplementation(() => true);
-            validateSolution.mockImplementation(() => true);
+            mockDecisionMachine(vi.fn().mockRejectedValue(new Error("Decision machine error")));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(true);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+    });
+    describe("IP Validation Guard Conditions", () => {
+        it("should skip IP validation when ipValidationRules is undefined", async () => {
+            const dappAccount = "testDappAccount";
+            const userAccount = "testUserAccount";
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                dappAccount,
+                userAccount,
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
             db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
-            db.updatePowCaptchaRecordResult.mockResolvedValue(true);
-            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(true);
-            const result = await powCaptchaManager.verifyPowCaptchaSolution(challenge, providerSignature, nonce, timeout, userSignature, ipAddress, headers, undefined, undefined);
-            expect(result).toBe(true);
+            db.getClientRecord.mockResolvedValue({
+                settings: {},
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when ipValidationRules.enabled is false", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                userAccount: "userAccount",
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                dappAccount,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue({
+                settings: {
+                    ipValidationRules: {
+                        enabled: false,
+                        actions: {
+                            countryChangeAction: "reject",
+                            cityChangeAction: "reject",
+                        },
+                    },
+                },
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when ipValidationRules.enabled is undefined", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                dappAccount,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                userAccount: "userAccount",
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue({
+                settings: {
+                    ipValidationRules: {
+                        actions: {
+                            countryChangeAction: "reject",
+                            cityChangeAction: "reject",
+                        },
+                    },
+                },
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when clientRecord is null", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const ip = "1.1.1.1";
+            const challengeRecord = {
+                dappAccount,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress(ip),
+                userAccount: "userAccount",
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue(null);
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, ip);
+            expect(result.verified).toBe(true);
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                providedIp: getCompositeIpAddress(ip),
+            });
+        });
+        it("should skip IP validation when no IP is provided", async () => {
+            const dappAccount = pair.address;
+            const challenge = `123456789${POW_SEPARATOR}userAccount${POW_SEPARATOR}${pair.address}`;
+            const timeout = 1000;
+            const challengeRecord = {
+                dappAccount,
+                challenge,
+                serverChecked: false,
+                difficulty: 4,
+                result: {
+                    status: CaptchaStatus.approved,
+                },
+                requestedAtTimestamp: new Date(),
+                ipAddress: getCompositeIpAddress("1.1.1.1"),
+                userAccount: "userAccount",
+                headers: { a: "1", b: "2", c: "3" },
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                userSubmitted: true,
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.getClientRecord.mockResolvedValue({
+                settings: {
+                    ipValidationRules: {
+                        enabled: true,
+                        actions: {
+                            countryChangeAction: "reject",
+                        },
+                    },
+                },
+            });
+            checkPowSignature.mockReturnValue(true);
+            validateSolution.mockReturnValue(true);
+            verifyRecency.mockImplementation(() => true);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+            expect(result.verified).toBe(true);
+        });
+    });
+    describe("Decision machine with no-cache header and no behavioral data", () => {
+        it("should deny when no-cache header is present and no behavioral data exists", async () => {
+            const dappAccount = "5EZVvsHMrKCFKp5NYNoTyDjTjetoVo1Z4UNNbTwJf1GfN6Xm";
+            const timestamp = 1770650564052;
+            const userAccount = "5CBFuSD5rgzhwVLLtDsA1WbLVkfrrAMEHdbiBBuZ78QvcEpv";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}${POW_SEPARATOR}351147`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("81.159.254.145");
+            const headers = {
+                host: "pronode2.prosopo.io",
+                "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+                "content-length": "182",
+                accept: "*/*",
+                "accept-encoding": "gzip, deflate, br, zstd",
+                "accept-language": "de,de-DE;q=0.9,en;q=0.8",
+                "cache-control": "no-cache",
+                "content-type": "application/json",
+                dnt: "1",
+                origin: "https://www.twickets.live",
+                pragma: "no-cache",
+                priority: "u=1, i",
+                "prosopo-site-key": dappAccount,
+                "prosopo-user": userAccount,
+                referer: "https://www.twickets.live/",
+                "sec-ch-ua": '"Google Chrome";v="126", "Chromium";v="126", "Not_A Brand";v="24"',
+                "sec-ch-ua-mobile": "?0",
+                "sec-ch-ua-platform": '"Windows"',
+                "sec-fetch-dest": "empty",
+                "sec-fetch-mode": "cors",
+                "sec-fetch-site": "cross-site",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "t13d1516h2_8daaf6152771_02713d6af862",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                sessionId: "pronode2-6d5deeee-78f1-4af0-97b3-f070037438dd",
+            };
+            const decisionMachineSource = `
+/**
+ * Decision machine for blocking German requests with no-cache header
+ */
+
+function checkNoCacheNoBehavioural(headers, behavioralDataPacked) {
+	const cacheControl =
+		"cache-control" in headers ? headers["cache-control"] : "";
+
+	const hasNoCache = cacheControl.toLowerCase().includes("no-cache");
+
+	const hasNoBehavioralData =
+		!behavioralDataPacked || behavioralDataPacked === "0";
+
+	if (hasNoCache && hasNoBehavioralData) {
+		return {
+			decision: "deny",
+			reason: "no-cache request with no behavioral data",
+			score: 0,
+			tags: ["blocked"],
+		};
+	}
+
+	return null;
+}
+
+module.exports = (input) => {
+	const {
+		userAccount,
+		dappAccount,
+		captchaResult,
+		headers,
+		captchaType,
+		countryCode,
+		behavioralDataPacked,
+	} = input;
+
+	const noCacheNoBehavioural = checkNoCacheNoBehavioural(
+		headers,
+		behavioralDataPacked,
+	);
+	if (noCacheNoBehavioural) {
+		return noCacheNoBehavioural;
+	}
+
+	if (captchaResult === "passed") {
+		return {
+			decision: "allow",
+			reason: "Captcha verification successful",
+			score: 100,
+			tags: [\`captcha-type:\${captchaType || "unknown"}\`],
+		};
+	}
+
+	return {
+		decision: "deny",
+		reason: "Captcha verification failed",
+		score: 0,
+		tags: ["blocked"],
+	};
+};
+`;
+            db.getSessionRecordBySessionId.mockResolvedValue(undefined);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(async (input) => {
+                const decideFn = eval(`(function() { const module = { exports: {} }; ${decisionMachineSource}; return module.exports; })()`);
+                return decideFn(input);
+            });
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(false);
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                    result: {
+                        status: CaptchaStatus.disapproved,
+                        reason: "no-cache request with no behavioral data",
+                    },
+                });
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should allow when no-cache header is present but behavioral data exists", async () => {
+            const dappAccount = "5EZVvsHMrKCFKp5NYNoTyDjTjetoVo1Z4UNNbTwJf1GfN6Xm";
+            const timestamp = 1770650564052;
+            const userAccount = "5CBFuSD5rgzhwVLLtDsA1WbLVkfrrAMEHdbiBBuZ78QvcEpv";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}${POW_SEPARATOR}351147`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("81.159.254.145");
+            const headers = {
+                "cache-control": "no-cache",
+                "user-agent": "Mozilla/5.0",
+            };
+            const behavioralDataPacked = {
+                c1: [1, 2, 3],
+                c2: [4, 5, 6],
+                c3: [7, 8, 9],
+                d: "test-device",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "t13d1516h2_8daaf6152771_02713d6af862",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+                behavioralDataPacked,
+                deviceCapability: "test-device",
+            };
+            const decisionMachineSource = `
+function checkNoCacheNoBehavioural(headers, behavioralDataPacked) {
+	const cacheControl =
+		"cache-control" in headers ? headers["cache-control"] : "";
+	const hasNoCache = cacheControl.toLowerCase().includes("no-cache");
+	const hasNoBehavioralData =
+		!behavioralDataPacked || behavioralDataPacked === "0";
+
+	if (hasNoCache && hasNoBehavioralData) {
+		return {
+			decision: "deny",
+			reason: "no-cache request with no behavioral data",
+			score: 0,
+			tags: ["blocked"],
+		};
+	}
+	return null;
+}
+
+module.exports = (input) => {
+	const noCacheNoBehavioural = checkNoCacheNoBehavioural(
+		input.headers,
+		input.behavioralDataPacked,
+	);
+	if (noCacheNoBehavioural) {
+		return noCacheNoBehavioural;
+	}
+
+	if (input.captchaResult === "passed") {
+		return {
+			decision: "allow",
+			reason: "Captcha verification successful",
+			score: 100,
+			tags: [\`captcha-type:\${input.captchaType || "unknown"}\`],
+		};
+	}
+
+	return {
+		decision: "deny",
+		reason: "Captcha verification failed",
+		score: 0,
+		tags: ["blocked"],
+	};
+};
+`;
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(async (input) => {
+                const decideFn = eval(`(function() { const module = { exports: {} }; ${decisionMachineSource}; return module.exports; })()`);
+                return decideFn(input);
+            });
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(true);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should allow when behavioral data is missing but no no-cache header", async () => {
+            const dappAccount = "5EZVvsHMrKCFKp5NYNoTyDjTjetoVo1Z4UNNbTwJf1GfN6Xm";
+            const timestamp = 1770650564052;
+            const userAccount = "5CBFuSD5rgzhwVLLtDsA1WbLVkfrrAMEHdbiBBuZ78QvcEpv";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}${POW_SEPARATOR}351147`;
+            const timeout = 1000;
+            const ipAddress = getIPAddress("81.159.254.145");
+            const headers = {
+                "user-agent": "Mozilla/5.0",
+            };
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "t13d1516h2_8daaf6152771_02713d6af862",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            const decisionMachineSource = `
+function checkNoCacheNoBehavioural(headers, behavioralDataPacked) {
+	const cacheControl =
+		"cache-control" in headers ? headers["cache-control"] : "";
+	const hasNoCache = cacheControl.toLowerCase().includes("no-cache");
+	const hasNoBehavioralData =
+		!behavioralDataPacked || behavioralDataPacked === "0";
+
+	if (hasNoCache && hasNoBehavioralData) {
+		return {
+			decision: "deny",
+			reason: "no-cache request with no behavioral data",
+			score: 0,
+			tags: ["blocked"],
+		};
+	}
+	return null;
+}
+
+module.exports = (input) => {
+	const noCacheNoBehavioural = checkNoCacheNoBehavioural(
+		input.headers,
+		input.behavioralDataPacked,
+	);
+	if (noCacheNoBehavioural) {
+		return noCacheNoBehavioural;
+	}
+
+	if (input.captchaResult === "passed") {
+		return {
+			decision: "allow",
+			reason: "Captcha verification successful",
+			score: 100,
+			tags: [\`captcha-type:\${input.captchaType || "unknown"}\`],
+		};
+	}
+
+	return {
+		decision: "deny",
+		reason: "Captcha verification failed",
+		score: 0,
+		tags: ["blocked"],
+	};
+};
+`;
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            mockDecisionMachine(async (input) => {
+                const decideFn = eval(`(function() { const module = { exports: {} }; ${decisionMachineSource}; return module.exports; })()`);
+                return decideFn(input);
+            });
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv);
+                expect(result.verified).toBe(true);
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+    });
+    describe("serverVerifyPowCaptchaSolution with spam email domain checking", () => {
+        it("should disapprove when email domain is found in spam list", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const spamEmail = "user@spammydomain.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue({
+                domain: "spammydomain.com",
+            });
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, spamEmail, true);
+            expect(result.verified).toBe(false);
+            expect(db.getSpamEmailDomain).toHaveBeenCalledWith("spammydomain.com");
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challengeRecord.challenge, {
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "API.SPAM_EMAIL_DOMAIN",
+                },
+            });
+        });
+        it("should allow when email domain is not in spam list", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const legitimateEmail = "user@legitimate.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue(null);
+            mockDecisionMachine(async () => ({
+                decision: "allow",
+                reason: "Passed all checks",
+                score: 1,
+                tags: [],
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, legitimateEmail, true);
+                expect(result.verified).toBe(true);
+                expect(db.getSpamEmailDomain).toHaveBeenCalledWith("legitimate.com");
+                expect(db.updatePowCaptchaRecord).not.toHaveBeenCalledWith(challengeRecord.challenge, expect.objectContaining({
+                    result: expect.objectContaining({
+                        reason: "API.SPAM_EMAIL_DOMAIN",
+                    }),
+                }));
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should skip spam check when no email is provided", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            mockDecisionMachine(async () => ({
+                decision: "allow",
+                reason: "Passed all checks",
+                score: 1,
+                tags: [],
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, undefined);
+                expect(result.verified).toBe(true);
+                expect(db.getSpamEmailDomain).not.toHaveBeenCalled();
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+        it("should handle @domain.com email format correctly", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const atDomainEmail = "@spammydomain.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue({
+                domain: "spammydomain.com",
+            });
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, atDomainEmail, true);
+            expect(result.verified).toBe(false);
+            expect(db.getSpamEmailDomain).toHaveBeenCalledWith("spammydomain.com");
+            expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challengeRecord.challenge, {
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "API.SPAM_EMAIL_DOMAIN",
+                },
+            });
+        });
+        it("should handle domain-only format correctly", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const domainOnly = "spammydomain.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockResolvedValue({
+                domain: "spammydomain.com",
+            });
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, domainOnly, true);
+            expect(result.verified).toBe(false);
+            expect(db.getSpamEmailDomain).toHaveBeenCalledWith("spammydomain.com");
+        });
+        it("should continue verification if spam check fails (fail-safe)", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const timeout = 1000;
+            const email = "user@example.com";
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.approved },
+                userSubmitted: true,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                headers: {},
+                ja4: "ja4",
+                providerSignature: "testSignature",
+                lastUpdatedTimestamp: new Date(),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+            db.getSpamEmailDomain.mockRejectedValue(new Error("Database connection error"));
+            mockDecisionMachine(async () => ({
+                decision: "allow",
+                reason: "Passed all checks",
+                score: 1,
+                tags: [],
+            }));
+            try {
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, mockEnv, undefined, undefined, email, true);
+                expect(result.verified).toBe(true);
+                expect(db.getSpamEmailDomain).toHaveBeenCalled();
+            }
+            finally {
+                restoreDecisionMachine();
+            }
+        });
+    });
+    describe("session result tracking", () => {
+        const ipAddress = getIPAddress("1.1.1.1");
+        const headers = { a: "1", b: "2", c: "3" };
+        const sessionId = "test-session-for-result";
+        it("should update session with approved result after successful user submission", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            verifyRecency.mockImplementation(() => true);
+            checkPowSignature.mockImplementation(() => true);
+            validateSolution.mockImplementation(() => true);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                userSubmitted: true,
+                result: { status: CaptchaStatus.approved },
+            });
+        });
+        it("should update session with disapproved result on invalid solution", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            verifyRecency.mockImplementation(() => true);
+            checkPowSignature.mockImplementation(() => true);
+            validateSolution.mockImplementation(() => false);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                userSubmitted: true,
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "CAPTCHA.INVALID_SOLUTION",
+                },
+            });
+        });
+        it("should update session with disapproved result on timeout during user submission", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+                sessionId,
+            };
+            verifyRecency.mockImplementation(() => false);
+            checkPowSignature.mockImplementation(() => true);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                userSubmitted: true,
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "CAPTCHA.INVALID_TIMESTAMP",
+                },
+            });
+        });
+        it("should not update session when challengeRecord has no sessionId", async () => {
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+            const challengeRecord = {
+                challenge,
+                difficulty: 4,
+                dappAccount: pair.address,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                result: { status: CaptchaStatus.pending },
+                userSubmitted: false,
+                serverChecked: false,
+                ipAddress: getCompositeIpAddress(ipAddress),
+                headers,
+                ja4: "ja4",
+                providerSignature: "sig",
+                lastUpdatedTimestamp: new Date(),
+            };
+            verifyRecency.mockImplementation(() => true);
+            checkPowSignature.mockImplementation(() => true);
+            validateSolution.mockImplementation(() => true);
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+            expect(db.updateSessionRecord).not.toHaveBeenCalled();
+        });
+        it("should update session as serverChecked and approved on successful server verification", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const challengeRecord = {
+                challenge,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                serverChecked: false,
+                result: { status: CaptchaStatus.approved },
+                sessionId,
+                ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => true);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+            expect(result.verified).toBe(true);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                serverChecked: true,
+                result: { status: CaptchaStatus.approved },
+            }, true);
+        });
+        it("should update session as serverChecked and disapproved on recency failure", async () => {
+            const dappAccount = "dappAccount";
+            const timestamp = 123456789;
+            const userAccount = "testUserAccount";
+            const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+            const challengeRecord = {
+                challenge,
+                dappAccount,
+                userAccount,
+                requestedAtTimestamp: new Date(timestamp),
+                serverChecked: false,
+                result: { status: CaptchaStatus.approved },
+                sessionId,
+            };
+            db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+            verifyRecency.mockImplementation(() => false);
+            db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+            db.updateSessionRecord = vi.fn().mockResolvedValue(undefined);
+            const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+            expect(result.verified).toBe(false);
+            expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                serverChecked: true,
+                result: {
+                    status: CaptchaStatus.disapproved,
+                    reason: "API.TIMESTAMP_TOO_OLD",
+                },
+            }, true);
+        });
+    });
+    describe("Write batching optimizations", () => {
+        describe("verifyPowCaptchaSolution parallel writes", () => {
+            it("should write result and session update for valid solution with session", async () => {
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const headers = { a: "1" };
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount: pair.address,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.pending },
+                    userSubmitted: false,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers,
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                verifyRecency.mockReturnValue(true);
+                checkPowSignature.mockImplementation(() => { });
+                validateSolution.mockReturnValue(true);
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+                expect(db.updatePowCaptchaRecordResult).toHaveBeenCalledOnce();
+                expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                    userSubmitted: true,
+                    result: { status: CaptchaStatus.approved },
+                });
+            });
+            it("should write timeout result and session for timed-out solution with session", async () => {
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${pair.address}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const headers = {};
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount: pair.address,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.pending },
+                    userSubmitted: false,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers,
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                verifyRecency.mockReturnValue(false);
+                checkPowSignature.mockImplementation(() => { });
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                db.updatePowCaptchaRecordResult.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                const result = await powCaptchaManager.verifyPowCaptchaSolution(challenge, "sig", 12345, 1000, "userSig", ipAddress, headers);
+                expect(result.verified).toBe(false);
+                expect(db.updatePowCaptchaRecordResult).toHaveBeenCalledOnce();
+                expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                    userSubmitted: true,
+                    result: {
+                        status: CaptchaStatus.disapproved,
+                        reason: "CAPTCHA.INVALID_TIMESTAMP",
+                    },
+                });
+            });
+        });
+        describe("serverVerifyPowCaptchaSolution batched writes", () => {
+            it("should accumulate pow record updates and write once on success", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(true);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                db.getSessionRecordBySessionId.mockResolvedValue(undefined);
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+                expect(result.verified).toBe(true);
+                expect(db.markDappUserPoWCommitmentsChecked).toHaveBeenCalledWith([
+                    challenge,
+                ]);
+                expect(db.updateSessionRecord).toHaveBeenCalledWith(sessionId, {
+                    serverChecked: true,
+                    result: { status: CaptchaStatus.approved },
+                }, true);
+            });
+            it("should accumulate providedIp and write in single batch on success with IP", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const sessionId = "test-session-id";
+                const ipAddress = getIPAddress("1.1.1.1");
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(ipAddress),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                    sessionId,
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(true);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.getClientRecord.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                db.updateSessionRecord.mockResolvedValue(undefined);
+                db.getSessionRecordBySessionId.mockResolvedValue(undefined);
+                await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv, "2.2.2.2");
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledOnce();
+                const updateCall = vi.mocked(db.updatePowCaptchaRecord).mock
+                    .calls[0];
+                expect(updateCall[0]).toBe(challenge);
+                expect(updateCall[1]).toHaveProperty("providedIp");
+            });
+            it("should not run subsequent checks after first failure (recency)", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(false);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                const result = await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv, undefined, undefined, "user@spam.com", true);
+                expect(result.verified).toBe(false);
+                expect(result.reason).toBe("API.TIMESTAMP_TOO_OLD");
+                expect(db.getSpamEmailDomain).not.toHaveBeenCalled();
+            });
+            it("should write accumulated failure result in single batch", async () => {
+                const dappAccount = "dappAccount";
+                const timestamp = Date.now();
+                const userAccount = "testUserAccount";
+                const challenge = `${timestamp}${POW_SEPARATOR}${userAccount}${POW_SEPARATOR}${dappAccount}`;
+                const challengeRecord = {
+                    challenge,
+                    difficulty: 4,
+                    dappAccount,
+                    userAccount,
+                    requestedAtTimestamp: new Date(timestamp),
+                    result: { status: CaptchaStatus.approved },
+                    userSubmitted: true,
+                    serverChecked: false,
+                    ipAddress: getCompositeIpAddress(getIPAddress("1.1.1.1")),
+                    headers: {},
+                    ja4: "ja4",
+                    providerSignature: "sig",
+                    lastUpdatedTimestamp: new Date(),
+                };
+                db.getPowCaptchaRecordByChallenge.mockResolvedValue(challengeRecord);
+                verifyRecency.mockReturnValue(false);
+                db.markDappUserPoWCommitmentsChecked.mockResolvedValue(undefined);
+                db.updatePowCaptchaRecord.mockResolvedValue(undefined);
+                await powCaptchaManager.serverVerifyPowCaptchaSolution(dappAccount, challenge, 1000, mockEnv);
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledOnce();
+                expect(db.updatePowCaptchaRecord).toHaveBeenCalledWith(challenge, {
+                    result: {
+                        status: CaptchaStatus.disapproved,
+                        reason: "API.TIMESTAMP_TOO_OLD",
+                    },
+                });
+            });
         });
     });
 });