@prosopo/provider 3.2.5 → 3.12.3

package/dist/tasks/detection/getBotScore.js

@@ -1,12 +1,23 @@
-import uTahDN from "./decodePayload.js";
+import GGaYiU from "./decodePayload.js";
+const DEFAULT_ENTROPY = 13837;
 const getBotScore = async (payload, privateKeyString) => {
-  const result = await uTahDN(payload, privateKeyString);
+  const result = await GGaYiU(
+    payload,
+    privateKeyString
+  );
   const baseBotScore = result.score;
   const timestamp = result.timestamp;
+  const providerSelectEntropy = result.providerSelectEntropy;
+  const userId = result.userId;
+  const userAgent = result.userAgent;
   if (baseBotScore === void 0) {
-    return { baseBotScore: 1, timestamp: 0 };
+    return {
+      baseBotScore: 1,
+      timestamp: 0,
+      providerSelectEntropy: DEFAULT_ENTROPY
+    };
   }
-  return { baseBotScore, timestamp };
+  return { baseBotScore, timestamp, providerSelectEntropy, userId, userAgent };
 };
 export {
   getBotScore

package/dist/tasks/frictionless/frictionlessTasks.js

@@ -1,9 +1,20 @@
+import { getRandomActiveProvider } from "@prosopo/load-balancer";
 import { CaptchaType, ApiParams } from "@prosopo/types";
 import { v4 } from "uuid";
 import { checkLangRules } from "../../rules/lang.js";
 import { CaptchaManager } from "../captchaManager.js";
 import { getBotScore } from "../detection/getBotScore.js";
+const getDefaultEntropy = () => {
+  if (process.env.PROSOPO_ENTROPY) {
+    const parsed = Number.parseInt(process.env.PROSOPO_ENTROPY);
+    if (!Number.isNaN(parsed)) {
+      return parsed;
+    }
+  }
+  return 13337;
+};
 const DEFAULT_MAX_TIMESTAMP_AGE = 60 * 10 * 1e3;
+const DEFAULT_ENTROPY = getDefaultEntropy();
 class FrictionlessManager extends CaptchaManager {
   constructor(db, pair, config, logger) {
     super(db, pair, logger);
@@ -12,26 +23,54 @@ class FrictionlessManager extends CaptchaManager {
   checkLangRules(acceptLanguage) {
     return checkLangRules(this.config, acceptLanguage);
   }
-  async createSession(tokenId, captchaType) {
+  async createSession(tokenId, captchaType, solvedImagesCount, powDifficulty) {
     const sessionRecord = {
       sessionId: v4(),
       createdAt: /* @__PURE__ */ new Date(),
       tokenId,
-      captchaType
+      captchaType,
+      solvedImagesCount,
+      powDifficulty
     };
     await this.db.storeSessionRecord(sessionRecord);
     return sessionRecord;
   }
-  async sendImageCaptcha(tokenId) {
-    const sessionRecord = await this.createSession(tokenId, CaptchaType.image);
+  async hostVerified(entropy) {
+    const chosen = await getRandomActiveProvider(
+      this.config.defaultEnvironment,
+      entropy
+    );
+    const domain = new URL(chosen.provider.url).hostname;
+    this.logger.info(() => ({
+      data: { entropy, host: this.config.host, domain }
+    }));
+    if (domain !== this.config.host) {
+      this.logger.info(() => ({
+        msg: "Host mismatch",
+        data: { expected: this.config.host, got: domain, entropy }
+      }));
+      return { verified: false, domain };
+    }
+    return { verified: true, domain };
+  }
+  async sendImageCaptcha(tokenId, solvedImagesCount) {
+    const sessionRecord = await this.createSession(
+      tokenId,
+      CaptchaType.image,
+      solvedImagesCount
+    );
     return {
       [ApiParams.captchaType]: CaptchaType.image,
       [ApiParams.sessionId]: sessionRecord.sessionId,
       [ApiParams.status]: "ok"
     };
   }
-  async sendPowCaptcha(tokenId) {
-    const sessionRecord = await this.createSession(tokenId, CaptchaType.pow);
+  async sendPowCaptcha(tokenId, powDifficulty) {
+    const sessionRecord = await this.createSession(
+      tokenId,
+      CaptchaType.pow,
+      powDifficulty
+    );
     return {
       [ApiParams.captchaType]: CaptchaType.pow,
       [ApiParams.sessionId]: sessionRecord.sessionId,
@@ -50,6 +89,21 @@ class FrictionlessManager extends CaptchaManager {
     });
     return botScore;
   }
+  async scoreIncreaseUnverifiedHost(host, baseBotScore, botScore, tokenId) {
+    this.logger.info(() => ({
+      msg: "Host not verified",
+      data: { requested: this.config.host, selected: host }
+    }));
+    botScore += this.config.penalties.PENALTY_UNVERIFIED_HOST;
+    await this.db.updateFrictionlessTokenRecord(tokenId, {
+      score: botScore,
+      scoreComponents: {
+        baseScore: baseBotScore,
+        unverifiedHost: this.config.penalties.PENALTY_UNVERIFIED_HOST
+      }
+    });
+    return botScore;
+  }
   async scoreIncreaseTimestamp(timestamp, baseBotScore, botScore, tokenId) {
     this.logger.info(() => ({
       msg: "Timestamp is older than 10 minutes",
@@ -70,22 +124,31 @@ class FrictionlessManager extends CaptchaManager {
     const diff = now - timestamp;
     return diff > DEFAULT_MAX_TIMESTAMP_AGE;
   }
+  /**
+   * Redacts a key for logging purposes by showing only the first 5, middle 10, and last 5 characters
+   * @param key - The key to redact
+   * @returns Redacted key string or empty string if key is falsy
+   */
+  redactKeyForLogging(key) {
+    if (!key) return "";
+    const start = key.slice(0, 5);
+    const middle = key.slice(
+      Math.floor(key.length / 2) - 5,
+      Math.floor(key.length / 2) + 5
+    );
+    const end = key.slice(-5);
+    return `${start}...${middle}...${end}`;
+  }
   async decryptPayload(token) {
     const decryptKeys = [
-      process.env.BOT_DECRYPTION_KEY,
-      ...await this.getDetectorKeys()
+      // Process DB keys first, then env var key last as env key will likely be invalid
+      ...await this.getDetectorKeys(),
+      process.env.BOT_DECRYPTION_KEY
     ].filter((k) => k);
     this.logger.debug(() => {
-      const loggedKeys = decryptKeys.map((key) => {
-        if (!key) return "";
-        const start = key.slice(0, 5);
-        const middle = key.slice(
-          Math.floor(key.length / 2) - 5,
-          Math.floor(key.length / 2) + 5
-        );
-        const end = key.slice(-5);
-        return `${start}...${middle}...${end}`;
-      });
+      const loggedKeys = decryptKeys.map(
+        (key) => this.redactKeyForLogging(key)
+      );
       return {
         msg: "Decrypting score",
         data: {
@@ -96,19 +159,39 @@ class FrictionlessManager extends CaptchaManager {
     });
     let baseBotScore;
     let timestamp;
+    let providerSelectEntropy;
+    let userId;
+    let userAgent;
     for (const [keyIndex, key] of decryptKeys.entries()) {
       try {
-        const { baseBotScore: s, timestamp: t } = await getBotScore(token, key);
         this.logger.info(() => ({
+          msg: "Attempting to decrypt score",
+          data: {
+            key: this.redactKeyForLogging(key)
+          }
+        }));
+        const decrypted = await getBotScore(token, key);
+        const s = decrypted.baseBotScore;
+        const t = decrypted.timestamp;
+        const p = decrypted.providerSelectEntropy;
+        const a = decrypted.userId;
+        const u = decrypted.userAgent;
+        this.logger.debug(() => ({
           msg: "Successfully decrypted score",
           data: {
-            key: key ? `${key.slice(0, 5)}...${key.slice(-5)}` : "",
+            key: this.redactKeyForLogging(key),
             baseBotScore: s,
-            timestamp: t
+            timestamp: t,
+            entropy: p,
+            userId: a,
+            userAgent: u
           }
         }));
         baseBotScore = s;
         timestamp = t;
+        providerSelectEntropy = p;
+        userId = a;
+        userAgent = u;
         break;
       } catch (err) {
         if (keyIndex === decryptKeys.length - 1) {
@@ -117,19 +200,40 @@ class FrictionlessManager extends CaptchaManager {
           }));
           baseBotScore = 1;
           timestamp = 0;
+          providerSelectEntropy = DEFAULT_ENTROPY + 1;
         }
       }
     }
-    if (baseBotScore === void 0 || timestamp === void 0) {
+    const baseBotScoreUndefined = baseBotScore === void 0;
+    const timestampUndefined = timestamp === void 0;
+    const providerSelectEntropyUndefined = providerSelectEntropy === void 0;
+    const undefinedCount = Number(baseBotScoreUndefined) + Number(timestampUndefined) + Number(providerSelectEntropyUndefined);
+    if (undefinedCount > 0) {
       this.logger.error(() => ({
-        msg: "Error decrypting score: baseBotScore or timestamp is undefined"
+        msg: "Error decrypting score: baseBotScore or timestamp or providerSelectEntropy is undefined"
       }));
       baseBotScore = 1;
       timestamp = 0;
+      providerSelectEntropy = DEFAULT_ENTROPY - undefinedCount;
     }
-    return { baseBotScore, timestamp };
+    this.logger.info(() => ({
+      msg: "decryptPayload result",
+      data: {
+        baseBotScore,
+        timestamp,
+        entropy: providerSelectEntropy
+      }
+    }));
+    return {
+      baseBotScore: Number(baseBotScore),
+      timestamp: Number(timestamp),
+      providerSelectEntropy: Number(providerSelectEntropy),
+      userId,
+      userAgent
+    };
   }
 }
 export {
+  DEFAULT_ENTROPY,
   FrictionlessManager
 };

package/dist/tasks/frictionless/frictionlessTasksUtils.js

@@ -6,6 +6,23 @@ const computeFrictionlessScore = (scoreComponents) => {
     ).toFixed(2)
   );
 };
+const timestampDecayFunction = (timestamp) => {
+  const max = (/* @__PURE__ */ new Date()).getTime();
+  if (max - timestamp > 36e5) {
+    return 12;
+  }
+  const min = 1e3;
+  const age = max - timestamp;
+  const decay = Math.log10(2e3) / max;
+  const bigScore = max * (1 - (1 - Math.exp(decay * age) ** 24));
+  return Math.max(
+    2,
+    Math.round(
+      (Math.log(bigScore) - Math.log(min)) / (Math.log(max) - Math.log(min)) * 2.5
+    )
+  );
+};
 export {
-  computeFrictionlessScore
+  computeFrictionlessScore,
+  timestampDecayFunction
 };

package/dist/tasks/imgCaptcha/imgCaptchaTasks.js

@@ -2,10 +2,12 @@ import { u8aToHex, stringToHex } from "@polkadot/util";
 import { ProsopoEnvError } from "@prosopo/common";
 import { computePendingRequestHash, compareCaptchaSolutions, parseAndSortCaptchaSolutions } from "@prosopo/datasets";
 import { DEFAULT_IMAGE_CAPTCHA_TIMEOUT, CaptchaStatus, ApiParams } from "@prosopo/types";
-import { at } from "@prosopo/util";
+import { extractData, at } from "@prosopo/util";
 import { randomAsHex, signatureVerify } from "@prosopo/util-crypto";
+import { getCompositeIpAddress, getIpAddressFromComposite } from "../../compositeIpAddress.js";
+import { constructPairList, containsIdenticalPairs } from "../../pairs.js";
 import { checkLangRules } from "../../rules/lang.js";
-import { shuffleArray, validateIpAddress } from "../../util.js";
+import { shuffleArray, deepValidateIpAddress } from "../../util.js";
 import { CaptchaManager } from "../captchaManager.js";
 import { computeFrictionlessScore } from "../frictionless/frictionlessTasksUtils.js";
 import { buildTreeAndGetCommitmentId } from "./imgCaptchaTasksUtils.js";
@@ -76,7 +78,7 @@ class ImgCaptchaManager extends CaptchaManager {
       salt,
       deadlineTs,
       currentTime,
-      ipAddress.bigInt(),
+      getCompositeIpAddress(ipAddress),
       threshold,
       frictionlessTokenId
     );
@@ -98,7 +100,7 @@ class ImgCaptchaManager extends CaptchaManager {
    * @param providerRequestHashSignature
    * @param ipAddress
    * @param headers
-   * @param threshold the percentage of captchas that must be correct to return true
+   * @param ja4
    * @return {Promise<DappUserSolutionResult>} result containing the contract event
    */
   async dappUserSolution(userAccount, dappAccount, requestHash, captchas, userTimestampSignature, timestamp, providerRequestHashSignature, ipAddress, headers, ja4) {
@@ -150,6 +152,8 @@ class ImgCaptchaManager extends CaptchaManager {
     );
     if (pendingRequest) {
       const { storedCaptchas, receivedCaptchas, captchaIds } = await this.validateReceivedCaptchasAgainstStoredCaptchas(captchas);
+      const flat = receivedCaptchas.map((c) => extractData(c.salt));
+      const pairs = flat.map((list) => constructPairList(list));
       const { tree, commitmentId } = buildTreeAndGetCommitmentId(receivedCaptchas);
       const datasetId = at(storedCaptchas, 0).datasetId;
       if (!datasetId) {
@@ -169,7 +173,7 @@ class ImgCaptchaManager extends CaptchaManager {
         userSubmitted: true,
         serverChecked: false,
         requestedAtTimestamp: timestamp,
-        ipAddress,
+        ipAddress: getCompositeIpAddress(ipAddress),
         headers,
         frictionlessTokenId: pendingRecord.frictionlessTokenId,
         ja4
@@ -189,6 +193,21 @@ class ImgCaptchaManager extends CaptchaManager {
         })
       );
       const totalImages = storedCaptchas[0]?.items.length || 0;
+      if (containsIdenticalPairs(pairs)) {
+        await this.db.disapproveDappUserCommitment(
+          commitmentId,
+          "CAPTCHA.INVALID_SOLUTION",
+          pairs
+        );
+        response = {
+          captchas: captchaIds.map((id) => ({
+            captchaId: id,
+            proof: [[]]
+          })),
+          verified: false
+        };
+        return response;
+      }
       if (compareCaptchaSolutions(
         receivedCaptchas,
         solutionRecords,
@@ -202,11 +221,12 @@ class ImgCaptchaManager extends CaptchaManager {
           })),
           verified: true
         };
-        await this.db.approveDappUserCommitment(commitmentId);
+        await this.db.approveDappUserCommitment(commitmentId, pairs);
       } else {
         await this.db.disapproveDappUserCommitment(
           commitmentId,
-          "CAPTCHA.INVALID_SOLUTION"
+          "CAPTCHA.INVALID_SOLUTION",
+          pairs
         );
         response = {
           captchas: captchaIds.map((id) => ({
@@ -312,7 +332,7 @@ class ImgCaptchaManager extends CaptchaManager {
     }
     return void 0;
   }
-  async verifyImageCaptchaSolution(user, dapp, commitmentId, maxVerifiedTime, ip) {
+  async verifyImageCaptchaSolution(user, dapp, commitmentId, env, maxVerifiedTime, ip) {
     const solution = await (commitmentId ? this.getDappUserCommitmentById(commitmentId) : this.getDappUserCommitmentByAccount(user, dapp));
     if (!solution) {
       this.logger.debug(() => ({
@@ -320,10 +340,6 @@ class ImgCaptchaManager extends CaptchaManager {
       }));
       return { status: "API.USER_NOT_VERIFIED_NO_SOLUTION", verified: false };
     }
-    const ipValidation = validateIpAddress(ip, solution.ipAddress, this.logger);
-    if (!ipValidation.isValid) {
-      return { status: "API.USER_NOT_VERIFIED", verified: false };
-    }
     if (solution.serverChecked) {
       return { status: "API.USER_ALREADY_VERIFIED", verified: false };
     }
@@ -332,17 +348,43 @@ class ImgCaptchaManager extends CaptchaManager {
       return { status: "API.USER_NOT_VERIFIED", verified: false };
     }
     maxVerifiedTime = maxVerifiedTime || 60 * 1e3;
-    if (maxVerifiedTime) {
-      const currentTime = Date.now();
-      const timeSinceCompletion = currentTime - solution.requestedAtTimestamp;
-      if (timeSinceCompletion > maxVerifiedTime) {
-        this.logger.debug(() => ({
-          msg: "Not verified - timed out"
+    const currentTime = Date.now();
+    const timeSinceCompletion = currentTime - solution.requestedAtTimestamp;
+    if (timeSinceCompletion > maxVerifiedTime) {
+      this.logger.debug(() => ({
+        msg: "Not verified - timed out"
+      }));
+      return {
+        status: "API.USER_NOT_VERIFIED_TIME_EXPIRED",
+        verified: false
+      };
+    }
+    if (ip) {
+      const solutionIpAddress = getIpAddressFromComposite(solution.ipAddress);
+      const clientRecord = await this.db.getClientRecord(dapp);
+      const ipValidationRules = clientRecord?.settings?.ipValidationRules;
+      await this.db.updateDappUserCommitment(solution.id, {
+        providedIp: getCompositeIpAddress(ip)
+      });
+      const ipValidation = await deepValidateIpAddress(
+        ip,
+        solutionIpAddress,
+        this.logger,
+        env.config.ipApi.apiKey,
+        env.config.ipApi.baseUrl,
+        ipValidationRules
+      );
+      if (!ipValidation.isValid) {
+        this.logger.error(() => ({
+          msg: "IP validation failed for image captcha",
+          data: {
+            ip,
+            solutionIp: solutionIpAddress.address,
+            error: ipValidation.errorMessage,
+            distanceKm: ipValidation.distanceKm
+          }
         }));
-        return {
-          status: "API.USER_NOT_VERIFIED_TIME_EXPIRED",
-          verified: false
-        };
+        return { status: "API.USER_NOT_VERIFIED", verified: false };
       }
     }
     const isApproved = solution.result.status === CaptchaStatus.approved;

package/dist/tasks/powCaptcha/powTasks.js

@@ -2,7 +2,8 @@ import { u8aToHex, stringToHex } from "@polkadot/util";
 import { ProsopoApiError, ProsopoEnvError } from "@prosopo/common";
 import { POW_SEPARATOR, ApiParams, CaptchaStatus } from "@prosopo/types";
 import { at, verifyRecency } from "@prosopo/util";
-import { validateIpAddress } from "../../util.js";
+import { getIpAddressFromComposite, getCompositeIpAddress } from "../../compositeIpAddress.js";
+import { deepValidateIpAddress } from "../../util.js";
 import { CaptchaManager } from "../captchaManager.js";
 import { computeFrictionlessScore } from "../frictionless/frictionlessTasksUtils.js";
 import { checkPowSignature, validateSolution } from "./powTasksUtils.js";
@@ -45,7 +46,7 @@ class PowCaptchaManager extends CaptchaManager {
    * @param ipAddress
    * @param headers
    */
-  async verifyPowCaptchaSolution(challenge, difficulty, providerChallengeSignature, nonce, timeout, userTimestampSignature, ipAddress, headers) {
+  async verifyPowCaptchaSolution(challenge, providerChallengeSignature, nonce, timeout, userTimestampSignature, ipAddress, headers) {
     checkPowSignature(
       challenge,
       providerChallengeSignature,
@@ -68,8 +69,9 @@ class PowCaptchaManager extends CaptchaManager {
       }));
       return false;
     }
+    const difficulty = challengeRecord.difficulty;
     if (!verifyRecency(challenge, timeout)) {
-      await this.db.updatePowCaptchaRecord(
+      await this.db.updatePowCaptchaRecordResult(
         challenge,
         {
           status: CaptchaStatus.disapproved,
@@ -91,7 +93,7 @@ class PowCaptchaManager extends CaptchaManager {
         reason: "CAPTCHA.INVALID_SOLUTION"
       };
     }
-    await this.db.updatePowCaptchaRecord(
+    await this.db.updatePowCaptchaRecordResult(
       challenge,
       result,
       false,
@@ -109,21 +111,14 @@ class PowCaptchaManager extends CaptchaManager {
    * @param {number} timeout - the time in milliseconds since the Provider was selected to provide the PoW captcha
    * @param ip
    */
-  async serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, ip) {
+  async serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, env, ip) {
+    const notVerifiedResponse = { verified: false };
     const challengeRecord = await this.db.getPowCaptchaRecordByChallenge(challenge);
     if (!challengeRecord) {
       this.logger.debug(() => ({
         msg: `No record of this challenge: ${challenge}`
       }));
-      return { verified: false };
-    }
-    const ipValidation = validateIpAddress(
-      ip,
-      challengeRecord.ipAddress,
-      this.logger
-    );
-    if (!ipValidation.isValid) {
-      return { verified: false };
+      return notVerifiedResponse;
     }
     if (challengeRecord.result.status !== CaptchaStatus.approved) {
       throw new ProsopoApiError("CAPTCHA.INVALID_SOLUTION", {
@@ -133,7 +128,7 @@ class PowCaptchaManager extends CaptchaManager {
         }
       });
     }
-    if (challengeRecord.serverChecked) return { verified: false };
+    if (challengeRecord.serverChecked) return notVerifiedResponse;
     const challengeDappAccount = challengeRecord.dappAccount;
     if (dappAccount !== challengeDappAccount) {
       throw new ProsopoEnvError("CAPTCHA.DAPP_USER_SOLUTION_NOT_FOUND", {
@@ -144,10 +139,43 @@ class PowCaptchaManager extends CaptchaManager {
         }
       });
     }
-    verifyRecency(challenge, timeout);
     await this.db.markDappUserPoWCommitmentsChecked([
       challengeRecord.challenge
     ]);
+    const recent = verifyRecency(challenge, timeout);
+    if (!recent) {
+      return notVerifiedResponse;
+    }
+    if (ip) {
+      const challengeIpAddress = getIpAddressFromComposite(
+        challengeRecord.ipAddress
+      );
+      const clientRecord = await this.db.getClientRecord(dappAccount);
+      const ipValidationRules = clientRecord?.settings?.ipValidationRules;
+      await this.db.updatePowCaptchaRecord(challengeRecord.challenge, {
+        providedIp: getCompositeIpAddress(ip)
+      });
+      const ipValidation = await deepValidateIpAddress(
+        ip,
+        challengeIpAddress,
+        this.logger,
+        env.config.ipApi.apiKey,
+        env.config.ipApi.baseUrl,
+        ipValidationRules
+      );
+      if (!ipValidation.isValid) {
+        this.logger.error(() => ({
+          msg: "IP validation failed for PoW captcha",
+          data: {
+            ip,
+            challengeIp: challengeIpAddress.address,
+            error: ipValidation.errorMessage,
+            distanceKm: ipValidation.distanceKm
+          }
+        }));
+        return notVerifiedResponse;
+      }
+    }
     let score;
     if (challengeRecord.frictionlessTokenId) {
       const tokenRecord = await this.db.getFrictionlessTokenRecordByTokenId(