@prosopo/provider 3.2.5 → 3.12.3

package/dist/tasks/captchaManager.js

@@ -13,7 +13,20 @@ class CaptchaManager {
     );
     return tokenRecord ? tokenRecord._id : void 0;
   }
-  async isValidRequest(clientSettings, requestedCaptchaType, sessionId, userAccessPolicy) {
+  async validateFrictionlessTokenIP(sessionRecord, currentIP, env) {
+    const tokenRecord = await this.db.getFrictionlessTokenRecordByTokenId(
+      sessionRecord.tokenId
+    );
+    if (!tokenRecord) {
+      this.logger.info(() => ({
+        msg: "No frictionless token found for session",
+        data: { sessionId: sessionRecord.sessionId }
+      }));
+      return { valid: false, reason: "CAPTCHA.NO_SESSION_FOUND" };
+    }
+    return { valid: true };
+  }
+  async isValidRequest(clientSettings, requestedCaptchaType, env, sessionId, userAccessPolicy, currentIP) {
     this.logger.debug(() => ({
       msg: "Validating request",
       data: {
@@ -52,11 +65,45 @@ class CaptchaManager {
             type: requestedCaptchaType
           };
         }
+        if (currentIP) {
+          const ipValidation = await this.validateFrictionlessTokenIP(
+            sessionRecord,
+            currentIP,
+            env
+          );
+          if (!ipValidation.valid) {
+            return {
+              valid: false,
+              reason: ipValidation.reason,
+              type: requestedCaptchaType
+            };
+          }
+        }
         const frictionlessTokenId = await this.getFrictionlessTokenIdFromSession(sessionRecord);
+        if (sessionRecord.captchaType !== requestedCaptchaType) {
+          this.logger.warn(() => ({
+            msg: "Invalid frictionless request",
+            data: {
+              account: clientSettings.account,
+              sessionId
+            }
+          }));
+          return {
+            valid: false,
+            reason: "CAPTCHA.NO_SESSION_FOUND",
+            type: requestedCaptchaType
+          };
+        }
         return {
           valid: true,
           frictionlessTokenId,
-          type: requestedCaptchaType
+          type: requestedCaptchaType,
+          ...sessionRecord.powDifficulty && {
+            powDifficulty: sessionRecord.powDifficulty
+          },
+          ...sessionRecord.solvedImagesCount && {
+            solvedImagesCount: sessionRecord.solvedImagesCount
+          }
         };
       }
       this.logger.warn(() => ({

package/dist/tasks/client/clientTasks.js

@@ -124,11 +124,10 @@ class ClientTaskManager {
                 threshold: 0
               };
             }
+            const { _id, token, ...tokenRecordWithoutId } = tokenRecord;
             return {
               ...record,
-              score: tokenRecord?.score || 0,
-              scoreComponents: tokenRecord?.scoreComponents,
-              threshold: tokenRecord?.threshold || 0
+              ...tokenRecordWithoutId
             };
           });
           if (filteredBatch.length > 0) {
@@ -136,6 +135,9 @@ class ClientTaskManager {
             await this.providerDB.markSessionRecordsStored(
               filteredBatch.map((record) => record.sessionId)
             );
+            await this.providerDB.markFrictionlessTokenRecordsStored(
+              filteredBatch.map((record) => record.tokenId).filter((id) => !!id)
+            );
           }
           processedSessionRecords += filteredBatch.length;
         }
@@ -246,25 +248,44 @@ class ClientTaskManager {
     const activeDetectorKeys = await this.providerDB.getDetectorKeys();
     return activeDetectorKeys;
   }
-  async removeDetectorKey(detectorKey) {
+  async removeDetectorKey(detectorKey, expirationInSeconds) {
     if (!isValidPrivateKey(detectorKey)) {
       throw new ProsopoApiError("INVALID_DETECTOR_KEY", {
         context: { detectorKey },
         logger: this.logger
       });
     }
-    await this.providerDB.removeDetectorKey(detectorKey);
+    await this.providerDB.removeDetectorKey(detectorKey, expirationInSeconds);
   }
-  isSubdomainOrExactMatch(referrer, clientDomain) {
+  /**
+   * Matches a request referrer against an allowed domain pattern.
+   * Supports global '*', subdomain '*.example.com', glob '*example*',
+   * plain domains (exact or subdomain), and 'localhost'.
+   */
+  domainPatternMatcher(referrer, clientDomain) {
     if (!referrer || !clientDomain) return false;
-    if (clientDomain === "*") return true;
     try {
-      const referrerDomain = parseUrl(referrer).hostname.replace(/\.$/, "");
-      const allowedDomain = parseUrl(clientDomain).hostname.replace(/\.$/, "");
-      return referrerDomain === allowedDomain || referrerDomain.endsWith(`.${allowedDomain}`);
-    } catch {
+      const referrerHost = parseUrl(referrer).hostname.replace(/\.$/, "");
+      const pattern = clientDomain.trim().toLowerCase();
+      if (pattern === "*") return true;
+      if (pattern === "localhost") {
+        return referrerHost === "localhost" || referrerHost.startsWith("localhost:");
+      }
+      if (pattern.startsWith("*.")) {
+        const suffix = pattern.slice(2);
+        const allowed = parseUrl(suffix).hostname.replace(/\.$/, "");
+        return referrerHost.endsWith(`.${allowed}`) || referrerHost === allowed;
+      }
+      if (pattern.includes("*")) {
+        const escaped = pattern.replace(/[.+?^${}()|\[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+        const regex = new RegExp(`^${escaped}$`, "i");
+        return regex.test(referrerHost);
+      }
+      const allowedHost = parseUrl(pattern).hostname.replace(/\.$/, "");
+      return referrerHost === allowedHost || referrerHost.endsWith(`.${allowedHost}`);
+    } catch (e) {
       this.logger.error(() => ({
-        msg: "Error in isSubdomainOrExactMatch",
+        msg: "Error in domainPatternMatcher",
         data: { referrer, clientDomain }
       }));
       return false;