@prosopo/provider 3.3.0 → 3.12.14

package/dist/cjs/api/verify.cjs

@@ -6,12 +6,23 @@ const types = require("@prosopo/types");
 const utilCrypto = require("@prosopo/util-crypto");
 const express = require("express");
 const tasks = require("../tasks/tasks.cjs");
+const apiToggleMaintenanceModeEndpoint = require("./admin/apiToggleMaintenanceModeEndpoint.cjs");
 function prosopoVerifyRouter(env) {
   const router = express.Router();
   router.post(
     types.ClientApiPaths.VerifyImageCaptchaSolutionDapp,
     async (req, res, next) => {
       const tasks$1 = new tasks.Tasks(env, req.logger);
+      if (apiToggleMaintenanceModeEndpoint.getMaintenanceMode()) {
+        req.logger.info(() => ({
+          msg: "Maintenance mode active - returning verified for image captcha verification"
+        }));
+        const verificationResponse = {
+          status: "ok",
+          verified: true
+        };
+        return res.json(verificationResponse);
+      }
       let parsed;
       try {
         parsed = types.VerifySolutionBody.parse(req.body);
@@ -24,7 +35,7 @@ function prosopoVerifyRouter(env) {
           })
         );
       }
-      const { dappSignature, token, ip } = parsed;
+      const { dappSignature, token, ip, maxVerifiedTime } = parsed;
       try {
         const { user, dapp, timestamp, commitmentId } = types.decodeProcaptchaOutput(token);
         utilCrypto.validateAddress(dapp, false, 42);
@@ -45,8 +56,10 @@ function prosopoVerifyRouter(env) {
           user,
           dapp,
           commitmentId,
-          parsed.maxVerifiedTime,
-          ip
+          env,
+          maxVerifiedTime,
+          ip,
+          clientRecord.settings.disallowWebView
         );
         req.logger.debug(() => ({ data: { response } }));
         const verificationResponse = tasks$1.imgCaptchaManager.getVerificationResponse(
@@ -73,6 +86,16 @@ function prosopoVerifyRouter(env) {
     types.ClientApiPaths.VerifyPowCaptchaSolution,
     async (req, res, next) => {
       const tasks$1 = new tasks.Tasks(env, req.logger);
+      if (apiToggleMaintenanceModeEndpoint.getMaintenanceMode()) {
+        req.logger.info(() => ({
+          msg: "Maintenance mode active - returning verified for PoW captcha verification"
+        }));
+        const verificationResponse = {
+          status: "ok",
+          verified: true
+        };
+        return res.json(verificationResponse);
+      }
       let parsed;
       try {
         parsed = types.ServerPowCaptchaVerifyRequestBody.parse(req.body);
@@ -113,6 +136,7 @@ function prosopoVerifyRouter(env) {
           dapp,
           challenge,
           verifiedTimeout,
+          env,
           ip
         );
         const verificationResponse = tasks$1.powCaptchaManager.getVerificationResponse(

package/dist/cjs/compositeIpAddress.cjs

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const typesDatabase = require("@prosopo/types-database");
+const util = require("@prosopo/util");
+const ipAddress = require("ip-address");
+const V6_SHIFT = 64n;
+const v6_LOWER_MASK = (1n << V6_SHIFT) - 1n;
+const getCompositeIpAddress = (ip) => {
+  let ipAddress2;
+  try {
+    ipAddress2 = "string" === typeof ip ? util.getIPAddress(ip) : ip;
+  } catch (e) {
+    return {
+      lower: 0n,
+      type: typesDatabase.IpAddressType.v4
+    };
+  }
+  return getCompositeFromIpAddress(ipAddress2);
+};
+const getCompositeFromIpAddress = (ipAddress$1) => {
+  const numericIp = ipAddress$1.bigInt();
+  if (ipAddress$1 instanceof ipAddress.Address4) {
+    return {
+      lower: numericIp,
+      type: typesDatabase.IpAddressType.v4
+    };
+  }
+  ipAddress$1;
+  return {
+    lower: numericIp & v6_LOWER_MASK,
+    upper: numericIp >> V6_SHIFT,
+    type: typesDatabase.IpAddressType.v6
+  };
+};
+const getIpAddressFromComposite = (compositeIpAddress) => {
+  switch (compositeIpAddress.type) {
+    case typesDatabase.IpAddressType.v4:
+      return ipAddress.Address4.fromBigInt(getBigInt(compositeIpAddress.lower));
+    case typesDatabase.IpAddressType.v6:
+      return ipAddress.Address6.fromBigInt(
+        getBigInt(compositeIpAddress.upper) << V6_SHIFT | getBigInt(compositeIpAddress.lower) & v6_LOWER_MASK
+      );
+    default:
+      never();
+      return ipAddress.Address4.fromBigInt(0n);
+  }
+};
+const getBigInt = (number) => BigInt(number || 0n);
+const never = () => {
+  throw new Error("Unhandled type");
+};
+exports.getCompositeIpAddress = getCompositeIpAddress;
+exports.getIpAddressFromComposite = getIpAddressFromComposite;

package/dist/cjs/index.cjs

@@ -14,9 +14,13 @@ const headerCheckMiddleware = require("./api/headerCheckMiddleware.cjs");
 const createApiAdminRoutesProvider = require("./api/admin/createApiAdminRoutesProvider.cjs");
 const ignoreMiddleware = require("./api/ignoreMiddleware.cjs");
 const robotsMiddleware = require("./api/robotsMiddleware.cjs");
+const compositeIpAddress = require("./compositeIpAddress.cjs");
+const ipComparison = require("./services/ipComparison.cjs");
 const tasks = require("./tasks/tasks.cjs");
 exports.checkIfTaskIsRunning = util.checkIfTaskIsRunning;
+exports.deepValidateIpAddress = util.deepValidateIpAddress;
 exports.encodeStringAddress = util.encodeStringAddress;
+exports.evaluateIpValidationRules = util.evaluateIpValidationRules;
 exports.getIPAddress = util.getIPAddress;
 exports.getIPAddressFromBigInt = util.getIPAddressFromBigInt;
 exports.shuffleArray = util.shuffleArray;
@@ -35,4 +39,7 @@ exports.headerCheckMiddleware = headerCheckMiddleware.headerCheckMiddleware;
 exports.createApiAdminRoutesProvider = createApiAdminRoutesProvider.createApiAdminRoutesProvider;
 exports.ignoreMiddleware = ignoreMiddleware.ignoreMiddleware;
 exports.robotsMiddleware = robotsMiddleware.robotsMiddleware;
+exports.getCompositeIpAddress = compositeIpAddress.getCompositeIpAddress;
+exports.getIpAddressFromComposite = compositeIpAddress.getIpAddressFromComposite;
+exports.compareIPs = ipComparison.compareIPs;
 exports.Tasks = tasks.Tasks;

package/dist/cjs/pairs.cjs

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const util = require("@prosopo/util");
+const constructPairList = (list) => {
+  if (list.length % 2 !== 0) {
+    throw new Error("Invalid pairs length");
+  }
+  const pairList = [];
+  for (let i = 0; i < list.length; i += 2) {
+    pairList.push([util.at(list, i), util.at(list, i + 1)]);
+  }
+  return pairList;
+};
+const containsIdenticalPairs = (pairsLists) => {
+  const set = /* @__PURE__ */ new Set();
+  for (const pairList of pairsLists) {
+    for (const pair of pairList) {
+      const x = util.at(pair, 0);
+      const y = util.at(pair, 1);
+      const coordString = `${x},${y}`;
+      set.add(coordString);
+    }
+  }
+  return set.size !== pairsLists.flat().flat().length / 2;
+};
+exports.constructPairList = constructPairList;
+exports.containsIdenticalPairs = containsIdenticalPairs;

package/dist/cjs/services/ipComparison.cjs

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const geolib = require("geolib");
+const ipInfo = require("./ipInfo.cjs");
+async function compareIPs(ip1, ip2, apiKey, apiUrl) {
+  try {
+    if (!ip1 || !ip2 || typeof ip1 !== "string" || typeof ip2 !== "string") {
+      return {
+        error: "Invalid IP addresses provided",
+        ip1: ip1 || "undefined",
+        ip2: ip2 || "undefined"
+      };
+    }
+    if (ip1 === ip2) {
+      return {
+        ipsMatch: true,
+        ip1,
+        ip2
+      };
+    }
+    const [ip1Info, ip2Info] = await Promise.all([
+      ipInfo.getIPInfo(ip1, apiUrl, apiKey),
+      ipInfo.getIPInfo(ip2, apiUrl, apiKey)
+    ]);
+    if (!ip1Info.isValid && !ip2Info.isValid) {
+      return {
+        error: "Failed to lookup both IP addresses",
+        ip1,
+        ip2,
+        ip1Error: ip1Info.error,
+        ip2Error: ip2Info.error
+      };
+    }
+    if (!ip1Info.isValid) {
+      return {
+        error: "Failed to lookup first IP address",
+        ip1,
+        ip2,
+        ip1Error: ip1Info.error
+      };
+    }
+    if (!ip2Info.isValid) {
+      return {
+        error: "Failed to lookup second IP address",
+        ip1,
+        ip2,
+        ip2Error: ip2Info.error
+      };
+    }
+    const determineConnectionType = (ipInfo2) => {
+      if (ipInfo2.isMobile) return "mobile";
+      if (ipInfo2.isDatacenter) return "datacenter";
+      if (ipInfo2.isSatellite) return "satellite";
+      if (ipInfo2.providerType === "isp") return "residential";
+      switch (ipInfo2.providerType) {
+        case "hosting":
+          return "datacenter";
+        case "business":
+        case "education":
+        case "government":
+        case "banking":
+          return "residential";
+        default:
+          return "unknown";
+      }
+    };
+    const ip1ConnectionType = determineConnectionType(ip1Info);
+    const ip2ConnectionType = determineConnectionType(ip2Info);
+    const differentConnectionTypes = ip1ConnectionType !== ip2ConnectionType;
+    const ip1Provider = ip1Info.providerName || ip1Info.asnOrganization || "Unknown";
+    const ip2Provider = ip2Info.providerName || ip2Info.asnOrganization || "Unknown";
+    const differentProviders = ip1Provider !== ip2Provider;
+    let distanceKm;
+    if (ip1Info.latitude !== void 0 && ip1Info.longitude !== void 0 && ip2Info.latitude !== void 0 && ip2Info.longitude !== void 0) {
+      const distanceMeters = geolib.getDistance(
+        { latitude: ip1Info.latitude, longitude: ip1Info.longitude },
+        { latitude: ip2Info.latitude, longitude: ip2Info.longitude }
+      );
+      distanceKm = distanceMeters / 1e3;
+    }
+    const ip1IsVpnOrProxy = ip1Info.isVPN || ip1Info.isProxy || ip1Info.isTor;
+    const ip2IsVpnOrProxy = ip2Info.isVPN || ip2Info.isProxy || ip2Info.isTor;
+    const anyVpnOrProxy = ip1IsVpnOrProxy || ip2IsVpnOrProxy;
+    const ip1Coordinates = ip1Info.latitude !== void 0 && ip1Info.longitude !== void 0 ? { latitude: ip1Info.latitude, longitude: ip1Info.longitude } : void 0;
+    const ip2Coordinates = ip2Info.latitude !== void 0 && ip2Info.longitude !== void 0 ? { latitude: ip2Info.latitude, longitude: ip2Info.longitude } : void 0;
+    return {
+      ipsMatch: false,
+      ip1,
+      ip2,
+      comparison: {
+        differentProviders,
+        differentConnectionTypes,
+        distanceKm,
+        anyVpnOrProxy,
+        ip1Details: {
+          provider: ip1Provider,
+          connectionType: ip1ConnectionType,
+          isVpnOrProxy: ip1IsVpnOrProxy,
+          country: ip1Info.country,
+          countryCode: ip1Info.countryCode,
+          city: ip1Info.city,
+          coordinates: ip1Coordinates
+        },
+        ip2Details: {
+          provider: ip2Provider,
+          connectionType: ip2ConnectionType,
+          isVpnOrProxy: ip2IsVpnOrProxy,
+          country: ip2Info.country,
+          countryCode: ip2Info.countryCode,
+          city: ip2Info.city,
+          coordinates: ip2Coordinates
+        }
+      }
+    };
+  } catch (error) {
+    return {
+      error: `Comparison failed: ${error instanceof Error ? error.message : String(error)}`,
+      ip1,
+      ip2
+    };
+  }
+}
+exports.compareIPs = compareIPs;

package/dist/cjs/services/ipInfo.cjs

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+async function getIPInfo(ip, apiUrl, apiKey, includeRawResponse = false) {
+  try {
+    if (!ip || typeof ip !== "string") {
+      return {
+        isValid: false,
+        error: "Invalid IP address provided",
+        ip: ip || "undefined"
+      };
+    }
+    const url = apiUrl;
+    const body = { q: ip };
+    if (apiKey) {
+      body.key = apiKey;
+    }
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+    if (!response.ok) {
+      return {
+        isValid: false,
+        error: `API request failed with status ${response.status}: ${response.statusText}`,
+        ip
+      };
+    }
+    const data = await response.json();
+    if (data.is_bogon) {
+      return {
+        isValid: false,
+        error: "IP address is bogon (non-routable)",
+        ip
+      };
+    }
+    const result = {
+      ip: data.ip,
+      isValid: true,
+      // Threat indicators
+      isVPN: data.is_vpn,
+      isTor: data.is_tor,
+      isProxy: data.is_proxy,
+      isDatacenter: data.is_datacenter,
+      isAbuser: data.is_abuser,
+      isMobile: data.is_mobile,
+      isSatellite: data.is_satellite,
+      // Provider information
+      providerName: data.company?.name || data.datacenter?.datacenter,
+      providerType: data.company?.type || data.asn?.type,
+      asnNumber: data.asn?.asn,
+      asnOrganization: data.asn?.org,
+      // Geolocation
+      country: data.location?.country,
+      countryCode: data.location?.country_code,
+      region: data.location?.state,
+      city: data.location?.city,
+      latitude: data.location?.latitude,
+      longitude: data.location?.longitude,
+      timezone: data.location?.timezone,
+      // VPN specific details
+      vpnService: data.vpn?.service,
+      vpnType: data.vpn?.type,
+      // Risk scoring
+      abuserScore: Number.parseFloat(
+        data.asn?.abuser_score.split(" ")[0] || "0"
+      ),
+      companyAbuserScore: Number.parseFloat(
+        data.company?.abuser_score.split(" ")[0] || "0"
+      )
+    };
+    if (includeRawResponse) {
+      result.rawResponse = data;
+    }
+    return result;
+  } catch (error) {
+    return {
+      isValid: false,
+      error: `Network or parsing error: ${error instanceof Error ? error.message : String(error)}`,
+      ip
+    };
+  }
+}
+exports.getIPInfo = getIPInfo;

package/dist/cjs/tasks/captchaManager.cjs

@@ -3,19 +3,17 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const common = require("@prosopo/common");
 const types = require("@prosopo/types");
 const blacklistRequestInspector = require("../api/blacklistRequestInspector.cjs");
+var _documentCurrentScript = typeof document !== "undefined" ? document.currentScript : null;
 class CaptchaManager {
   constructor(db, pair, logger) {
     this.pair = pair;
     this.db = db;
-    this.logger = logger || common.getLogger("info", module);
+    this.logger = logger || common.getLogger("info", typeof document === "undefined" ? require("url").pathToFileURL(__filename).href : _documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === "SCRIPT" && _documentCurrentScript.src || new URL("tasks/captchaManager.cjs", document.baseURI).href);
   }
-  async getFrictionlessTokenIdFromSession(sessionRecord) {
-    const tokenRecord = await this.db.getFrictionlessTokenRecordByTokenId(
-      sessionRecord.tokenId
-    );
-    return tokenRecord ? tokenRecord._id : void 0;
+  async validateSessionIP(sessionRecord, currentIP, env) {
+    return { valid: true };
   }
-  async isValidRequest(clientSettings, requestedCaptchaType, sessionId, userAccessPolicy) {
+  async isValidRequest(clientSettings, requestedCaptchaType, env, sessionId, userAccessPolicy, currentIP) {
     this.logger.debug(() => ({
       msg: "Validating request",
       data: {
@@ -54,11 +52,44 @@ class CaptchaManager {
             type: requestedCaptchaType
           };
         }
-        const frictionlessTokenId = await this.getFrictionlessTokenIdFromSession(sessionRecord);
+        if (currentIP) {
+          const ipValidation = await this.validateSessionIP(
+            sessionRecord,
+            currentIP,
+            env
+          );
+          if (!ipValidation.valid) {
+            return {
+              valid: false,
+              reason: ipValidation.reason,
+              type: requestedCaptchaType
+            };
+          }
+        }
+        if (sessionRecord.captchaType !== requestedCaptchaType) {
+          this.logger.warn(() => ({
+            msg: "Invalid frictionless request",
+            data: {
+              account: clientSettings.account,
+              sessionId
+            }
+          }));
+          return {
+            valid: false,
+            reason: "CAPTCHA.NO_SESSION_FOUND",
+            type: requestedCaptchaType
+          };
+        }
         return {
           valid: true,
-          frictionlessTokenId,
-          type: requestedCaptchaType
+          sessionId: sessionRecord.sessionId,
+          type: requestedCaptchaType,
+          ...sessionRecord.powDifficulty && {
+            powDifficulty: sessionRecord.powDifficulty
+          },
+          ...sessionRecord.solvedImagesCount && {
+            solvedImagesCount: sessionRecord.solvedImagesCount
+          }
         };
       }
       this.logger.warn(() => ({

package/dist/cjs/tasks/client/clientTasks.cjs

@@ -102,39 +102,8 @@ class ClientTaskManager {
         async (skip) => await this.providerDB.getUnstoredSessionRecords(BATCH_SIZE, skip),
         async (batch) => {
           const filteredBatch = lastTask?.updated ? batch.filter((record) => this.isRecordUpdated(record)) : batch;
-          const frictionlessTokenRecords = await this.providerDB.getFrictionlessTokenRecordsByTokenIds(
-            filteredBatch.map((record) => record.tokenId)
-          );
-          this.logger.info(() => ({
-            msg: `Frictionless token records: ${frictionlessTokenRecords.length}`
-          }));
-          const filteredBatchWithScores = filteredBatch.map((record) => {
-            const tokenRecord = frictionlessTokenRecords.find(
-              (tokenRecord2) => tokenRecord2._id?.toString() === record.tokenId.toString()
-            );
-            if (!tokenRecord) {
-              this.logger.error(() => ({
-                msg: "No token record found",
-                data: { tokenId: record.tokenId }
-              }));
-              return {
-                ...record,
-                score: 0,
-                scoreComponents: {
-                  baseScore: 0
-                },
-                threshold: 0
-              };
-            }
-            return {
-              ...record,
-              score: tokenRecord?.score || 0,
-              scoreComponents: tokenRecord?.scoreComponents,
-              threshold: tokenRecord?.threshold || 0
-            };
-          });
           if (filteredBatch.length > 0) {
-            await captchaDB.saveCaptchas(filteredBatchWithScores, [], []);
+            await captchaDB.saveCaptchas(filteredBatch, [], []);
             await this.providerDB.markSessionRecordsStored(
               filteredBatch.map((record) => record.sessionId)
             );
@@ -194,7 +163,7 @@ class ClientTaskManager {
         this.logger
       );
       const tenMinuteWindow = 10 * 60 * 1e3;
-      const updatedAtTimestamp = lastTask?.updated ? lastTask.updated - tenMinuteWindow || 0 : 0;
+      const updatedAtTimestamp = lastTask?.updated ? lastTask.updated.getTime() - tenMinuteWindow || 0 : 0;
       this.logger.info(() => ({
         msg: `Getting updated client records since ${new Date(updatedAtTimestamp).toDateString()}`
       }));
@@ -248,25 +217,44 @@ class ClientTaskManager {
     const activeDetectorKeys = await this.providerDB.getDetectorKeys();
     return activeDetectorKeys;
   }
-  async removeDetectorKey(detectorKey) {
+  async removeDetectorKey(detectorKey, expirationInSeconds) {
     if (!isValidPrivateKey(detectorKey)) {
       throw new common.ProsopoApiError("INVALID_DETECTOR_KEY", {
         context: { detectorKey },
         logger: this.logger
       });
     }
-    await this.providerDB.removeDetectorKey(detectorKey);
+    await this.providerDB.removeDetectorKey(detectorKey, expirationInSeconds);
   }
-  isSubdomainOrExactMatch(referrer, clientDomain) {
+  /**
+   * Matches a request referrer against an allowed domain pattern.
+   * Supports global '*', subdomain '*.example.com', glob '*example*',
+   * plain domains (exact or subdomain), and 'localhost'.
+   */
+  domainPatternMatcher(referrer, clientDomain) {
     if (!referrer || !clientDomain) return false;
-    if (clientDomain === "*") return true;
     try {
-      const referrerDomain = util.parseUrl(referrer).hostname.replace(/\.$/, "");
-      const allowedDomain = util.parseUrl(clientDomain).hostname.replace(/\.$/, "");
-      return referrerDomain === allowedDomain || referrerDomain.endsWith(`.${allowedDomain}`);
-    } catch {
+      const referrerHost = util.parseUrl(referrer).hostname.replace(/\.$/, "");
+      const pattern = clientDomain.trim().toLowerCase();
+      if (pattern === "*") return true;
+      if (pattern === "localhost") {
+        return referrerHost === "localhost" || referrerHost.startsWith("localhost:");
+      }
+      if (pattern.startsWith("*.")) {
+        const suffix = pattern.slice(2);
+        const allowed = util.parseUrl(suffix).hostname.replace(/\.$/, "");
+        return referrerHost.endsWith(`.${allowed}`) || referrerHost === allowed;
+      }
+      if (pattern.includes("*")) {
+        const escaped = pattern.replace(/[.+?^${}()|\[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+        const regex = new RegExp(`^${escaped}$`, "i");
+        return regex.test(referrerHost);
+      }
+      const allowedHost = util.parseUrl(pattern).hostname.replace(/\.$/, "");
+      return referrerHost === allowedHost || referrerHost.endsWith(`.${allowedHost}`);
+    } catch (e) {
       this.logger.error(() => ({
-        msg: "Error in isSubdomainOrExactMatch",
+        msg: "Error in domainPatternMatcher",
         data: { referrer, clientDomain }
       }));
       return false;
@@ -274,7 +262,7 @@ class ClientTaskManager {
   }
   isRecordUpdated(record) {
     const { lastUpdatedTimestamp, storedAtTimestamp } = record;
-    return !lastUpdatedTimestamp || !storedAtTimestamp || lastUpdatedTimestamp > storedAtTimestamp;
+    return !lastUpdatedTimestamp || !storedAtTimestamp || lastUpdatedTimestamp.getTime() > storedAtTimestamp.getTime();
   }
   async processBatchesWithCursor(fetchBatch, processBatch) {
     let skip = 0;