@prosopo/provider 3.3.0 → 3.12.3

package/dist/cjs/api/captcha.cjs

@@ -6,8 +6,11 @@ const datasets = require("@prosopo/datasets");
 const types = require("@prosopo/types");
 const util = require("@prosopo/util");
 const express = require("express");
+const compositeIpAddress = require("../compositeIpAddress.cjs");
 const frictionlessTasks = require("../tasks/frictionless/frictionlessTasks.cjs");
+const frictionlessTasksUtils = require("../tasks/frictionless/frictionlessTasksUtils.cjs");
 const tasks = require("../tasks/tasks.cjs");
+const hashUserAgent = require("../utils/hashUserAgent.cjs");
 const blacklistRequestInspector = require("./blacklistRequestInspector.cjs");
 const validateAddress = require("./validateAddress.cjs");
 const DEFAULT_FRICTIONLESS_THRESHOLD = 0.5;
@@ -65,11 +68,13 @@ function prosopoRouter(env) {
           dapp,
           userScope
         ))[0];
-        const { valid, reason, frictionlessTokenId } = await tasks$1.imgCaptchaManager.isValidRequest(
+        const { valid, reason, frictionlessTokenId, solvedImagesCount } = await tasks$1.imgCaptchaManager.isValidRequest(
           clientRecord,
           types.CaptchaType.image,
+          env,
           sessionId,
-          userAccessPolicy
+          userAccessPolicy,
+          req.ip
         );
         if (!valid) {
           return next(
@@ -86,7 +91,7 @@ function prosopoRouter(env) {
         }
         const captchaConfig = {
           solved: {
-            count: userAccessPolicy?.solvedImagesCount || env.config.captchas.solved.count
+            count: solvedImagesCount || userAccessPolicy?.solvedImagesCount || env.config.captchas.solved.count
           },
           unsolved: {
             count: userAccessPolicy?.unsolvedImagesCount || env.config.captchas.unsolved.count
@@ -117,12 +122,23 @@ function prosopoRouter(env) {
             }
           }
         };
+        req.logger.info(() => ({
+          msg: "Image captcha challenge issued",
+          data: {
+            captchaType: types.CaptchaType.image,
+            requestHash: taskData.requestHash,
+            solvedImagesCount: captchaConfig.solved.count,
+            user,
+            dapp,
+            sessionId
+          }
+        }));
         return res.json(captchaResponse);
       } catch (err) {
         req.logger.error(() => ({
           err,
           data: req.params,
-          msg: "Error in PoW captcha solution submission"
+          msg: "Error in image captcha challenge request"
         }));
         return next(
           new common.ProsopoApiError("API.BAD_REQUEST", {
@@ -177,7 +193,7 @@ function prosopoRouter(env) {
           parsed[types.ApiParams.signature].user.timestamp,
           Number.parseInt(parsed[types.ApiParams.timestamp]),
           parsed[types.ApiParams.signature].provider.requestHash,
-          util.getIPAddress(req.ip || "").bigInt(),
+          util.getIPAddress(req.ip || ""),
           util.flatten(req.headers),
           req.ja4
         );
@@ -192,7 +208,7 @@ function prosopoRouter(env) {
         req.logger.error(() => ({
           err,
           body: req.body,
-          msg: "Error in PoW captcha solution submission"
+          msg: "Error in image captcha solution submission"
         }));
         return next(
           new common.ProsopoApiError("API.BAD_REQUEST", {
@@ -248,11 +264,13 @@ function prosopoRouter(env) {
         dapp,
         userScope
       ))[0];
-      const { valid, reason, frictionlessTokenId } = await tasks$1.powCaptchaManager.isValidRequest(
+      const { valid, reason, frictionlessTokenId, powDifficulty } = await tasks$1.powCaptchaManager.isValidRequest(
         clientSettings,
         types.CaptchaType.pow,
+        env,
         sessionId,
-        userAccessPolicy
+        userAccessPolicy,
+        req.ip
       );
       if (!valid) {
         return next(
@@ -282,11 +300,12 @@ function prosopoRouter(env) {
           })
         );
       }
+      const difficulty = powDifficulty || userAccessPolicy?.powDifficulty || clientSettings?.settings?.powDifficulty;
       const challenge = await tasks$1.powCaptchaManager.getPowCaptchaChallenge(
         user,
         dapp,
         origin,
-        userAccessPolicy?.powDifficulty || clientSettings?.settings?.powDifficulty
+        difficulty
       );
       await tasks$1.db.storePowCaptchaRecord(
         challenge.challenge,
@@ -297,7 +316,7 @@ function prosopoRouter(env) {
         },
         challenge.difficulty,
         challenge.providerSignature,
-        util.getIPAddress(req.ip || "").bigInt(),
+        compositeIpAddress.getCompositeIpAddress(req.ip || ""),
         util.flatten(req.headers),
         req.ja4,
         frictionlessTokenId
@@ -313,12 +332,23 @@ function prosopoRouter(env) {
           }
         }
       };
+      req.logger.info(() => ({
+        msg: "PoW captcha challenge issued",
+        data: {
+          captchaType: types.CaptchaType.pow,
+          challenge: challenge.challenge,
+          difficulty: challenge.difficulty,
+          user,
+          dapp,
+          session: sessionId
+        }
+      }));
       return res.json(getPowCaptchaResponse);
     } catch (err) {
       req.logger.error(() => ({
         err,
         body: req.body,
-        msg: "Error in PoW captcha solution submission"
+        msg: "Error in PoW captcha challenge request"
       }));
       return next(
         new common.ProsopoApiError("API.BAD_REQUEST", {
@@ -350,15 +380,7 @@ function prosopoRouter(env) {
           })
         );
       }
-      const {
-        challenge,
-        difficulty,
-        signature,
-        nonce,
-        verifiedTimeout,
-        dapp,
-        user
-      } = parsed;
+      const { challenge, signature, nonce, verifiedTimeout, dapp, user } = parsed;
       validateAddress.validateSiteKey(dapp);
       validateAddress.validateAddr(user);
       try {
@@ -374,7 +396,6 @@ function prosopoRouter(env) {
         }
         const verified = await tasks$1.powCaptchaManager.verifyPowCaptchaSolution(
           challenge,
-          difficulty,
           signature.provider.challenge,
           nonce,
           verifiedTimeout,
@@ -416,17 +437,39 @@ function prosopoRouter(env) {
             token: existingToken,
             msg: "Token has already been used"
           }));
-          return res.json(
-            await tasks$1.frictionlessManager.sendImageCaptcha(
-              existingToken._id
-            )
+          return next(
+            new common.ProsopoApiError("API.BAD_REQUEST", {
+              context: {
+                code: 400,
+                siteKey: dapp,
+                user
+              },
+              i18n: req.i18n,
+              logger: req.logger
+            })
           );
         }
         const lScore = tasks$1.frictionlessManager.checkLangRules(
           req.headers["accept-language"] || ""
         );
-        const { baseBotScore, timestamp } = await tasks$1.frictionlessManager.decryptPayload(token);
-        const botScore = baseBotScore + lScore;
+        const {
+          baseBotScore,
+          timestamp,
+          providerSelectEntropy,
+          userId,
+          userAgent
+        } = await tasks$1.frictionlessManager.decryptPayload(token);
+        req.logger.debug(() => ({
+          msg: "Decrypted payload",
+          data: {
+            baseBotScore,
+            timestamp,
+            providerSelectEntropy,
+            userId,
+            userAgent
+          }
+        }));
+        let botScore = baseBotScore + lScore;
         const clientRecord = await tasks$1.db.getClientRecord(dapp);
         if (!clientRecord) {
           return next(
@@ -439,7 +482,8 @@ function prosopoRouter(env) {
         }
         const { valid, reason } = await tasks$1.frictionlessManager.isValidRequest(
           clientRecord,
-          types.CaptchaType.frictionless
+          types.CaptchaType.frictionless,
+          env
         );
         if (!valid) {
           return next(
@@ -462,7 +506,9 @@ function prosopoRouter(env) {
           scoreComponents: {
             baseScore: baseBotScore,
             ...lScore && { lScore }
-          }
+          },
+          providerSelectEntropy,
+          ipAddress: compositeIpAddress.getCompositeIpAddress(req.ip || "")
         });
         const userScope = blacklistRequestInspector.getRequestUserScope(
           util.flatten(req.headers),
@@ -475,6 +521,28 @@ function prosopoRouter(env) {
           dapp,
           userScope
         ))[0];
+        const headersUserAgent = req.headers["user-agent"];
+        const hashedHeadersUserAgent = headersUserAgent ? hashUserAgent.hashUserAgent(headersUserAgent) : "";
+        const headersProsopoUser = req.headers["prosopo-user"];
+        if (hashedHeadersUserAgent !== userAgent || headersProsopoUser !== userId) {
+          req.logger.info(() => ({
+            msg: "User agent or user id does not match",
+            data: {
+              headersUserAgent,
+              hashedHeadersUserAgent,
+              userAgent,
+              // This is the hashed user agent from the token
+              headersProsopoUser,
+              userId
+            }
+          }));
+          return res.json(
+            await tasks$1.frictionlessManager.sendImageCaptcha(
+              tokenId,
+              frictionlessTasksUtils.timestampDecayFunction(timestamp)
+            )
+          );
+        }
         if (userAccessPolicy) {
           await tasks$1.frictionlessManager.scoreIncreaseAccessPolicy(
             userAccessPolicy,
@@ -484,7 +552,10 @@ function prosopoRouter(env) {
           );
           if (userAccessPolicy.captchaType === types.CaptchaType.image) {
             return res.json(
-              await tasks$1.frictionlessManager.sendImageCaptcha(tokenId)
+              await tasks$1.frictionlessManager.sendImageCaptcha(
+                tokenId,
+                userAccessPolicy.solvedImagesCount
+              )
             );
           }
           if (userAccessPolicy.captchaType === types.CaptchaType.pow) {
@@ -501,12 +572,26 @@ function prosopoRouter(env) {
             tokenId
           );
           return res.json(
-            await tasks$1.frictionlessManager.sendImageCaptcha(tokenId)
+            await tasks$1.frictionlessManager.sendImageCaptcha(
+              tokenId,
+              frictionlessTasksUtils.timestampDecayFunction(timestamp)
+            )
+          );
+        }
+        const hostVerified = await tasks$1.frictionlessManager.hostVerified(
+          providerSelectEntropy
+        );
+        if (!hostVerified.verified) {
+          botScore = await tasks$1.frictionlessManager.scoreIncreaseUnverifiedHost(
+            hostVerified.domain,
+            baseBotScore,
+            botScore,
+            tokenId
           );
         }
         if (Number(botScore) > botThreshold) {
           req.logger.info(() => ({
-            message: "Bot score is greater than threshold",
+            msg: "Bot score is greater than threshold",
             data: {
               botScore,
               botThreshold,
@@ -514,7 +599,10 @@ function prosopoRouter(env) {
             }
           }));
           return res.json(
-            await tasks$1.frictionlessManager.sendImageCaptcha(tokenId)
+            await tasks$1.frictionlessManager.sendImageCaptcha(
+              tokenId,
+              env.config.captchas.solved.count
+            )
           );
         }
         return res.json(

package/dist/cjs/api/domainMiddleware.cjs

@@ -10,26 +10,26 @@ const domainMiddleware = (env) => {
   const tasks$1 = new tasks.Tasks(env);
   return async (req, res, next) => {
     try {
-      const dapp = req.headers["prosopo-site-key"];
-      if (!dapp)
+      const siteKey = req.headers["prosopo-site-key"];
+      if (!siteKey)
         throw siteKeyNotRegisteredError(
           req.i18n,
           "No sitekey provided",
           req.logger
         );
       try {
-        utilCrypto.validateAddress(dapp, false, 42);
+        utilCrypto.validateAddress(siteKey, false, 42);
       } catch (err) {
-        throw invalidSiteKeyError(req.i18n, dapp, req.logger);
+        throw invalidSiteKeyError(req.i18n, siteKey, req.logger);
       }
-      const clientSettings = await tasks$1.db.getClientRecord(dapp);
+      const clientSettings = await tasks$1.db.getClientRecord(siteKey);
       if (!clientSettings)
-        throw siteKeyNotRegisteredError(req.i18n, dapp, req.logger);
+        throw siteKeyNotRegisteredError(req.i18n, siteKey, req.logger);
       const allowedDomains = clientSettings.settings?.domains;
       if (!allowedDomains)
         throw siteKeyInvalidDomainError(
           req.i18n,
-          dapp,
+          siteKey,
           req.hostname,
           req.logger
         );
@@ -37,7 +37,7 @@ const domainMiddleware = (env) => {
       if (!origin)
         throw unauthorizedOriginError(req.i18n, void 0, req.logger);
       for (const domain of allowedDomains) {
-        if (tasks$1.clientTaskManager.isSubdomainOrExactMatch(origin, domain)) {
+        if (tasks$1.clientTaskManager.domainPatternMatcher(origin, domain)) {
           next();
           return;
         }

package/dist/cjs/api/headerCheckMiddleware.cjs

@@ -19,6 +19,10 @@ const headerCheckMiddleware = (env) => {
       validateAddress.validateAddr(user, void 0, req.logger);
       req.user = user;
       req.siteKey = siteKey;
+      req.logger = req.logger.with({
+        user,
+        siteKey
+      });
       next();
     } catch (err) {
       return apiExpressRouter.handleErrors(err, req, res, next);

package/dist/cjs/api/ignoreMiddleware.cjs

@@ -3,6 +3,9 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const types = require("@prosopo/types");
 function ignoreMiddleware() {
   return (req, res, next) => {
+    if (req.originalUrl.indexOf(types.PublicApiPaths.Healthz) !== -1) {
+      return next();
+    }
     if (req.originalUrl.indexOf(types.ApiPrefix) === -1) {
       res.statusCode = 404;
       res.send("Not Found");

package/dist/cjs/api/ja4Middleware.cjs

@@ -1,6 +1,5 @@
 "use strict";
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const node_crypto = require("node:crypto");
 const node_stream = require("node:stream");
 const apiExpressRouter = require("@prosopo/api-express-router");
 const common = require("@prosopo/common");
@@ -17,7 +16,6 @@ const getJA4 = async (headers, logger) => {
   try {
     const xTlsClientHello = (headers["x-tls-clienthello"] || "").toString();
     const xTlsVersion = (headers["x-tls-version"] || "").toString().toLowerCase();
-    const xTlsServerName = (headers["x-tls-server-name"] || "").toString();
     const clientHelloBuffer = Buffer.from(xTlsClientHello, "base64");
     logger.debug(() => ({
       msg: "ClientHello First Bytes:",
@@ -33,32 +31,13 @@ const getJA4 = async (headers, logger) => {
       msg: "Headers TLS Version:",
       data: { xTlsVersion }
     }));
-    const tlsVersion = xTlsVersion.replace(/(tls)|\./g, "");
     const readableStream = new node_stream.Readable({
       read() {
         this.push(clientHelloBuffer);
       }
     });
     const clientHello = await readTlsClientHello.readTlsClientHello(readableStream);
-    const { alpnProtocols } = clientHello;
-    const [_tlsVersion, cipherSuites, extensions] = clientHello.fingerprintData;
-    const transport = "t";
-    const sniIndicator = xTlsServerName ? "d" : "i";
-    const validCipherSuites = cipherSuites.filter(
-      (cs) => (cs & 3855) !== 2570
-    );
-    const cipherCount = validCipherSuites.length;
-    const validExtensions = extensions.filter(
-      (ext) => (ext & 3855) !== 2570
-    );
-    const extensionCount = validExtensions.length;
-    const alpn = alpnProtocols?.length ? alpnProtocols[0] : "";
-    const alpnLabel = alpn ? `${alpn[0]}${alpn[alpn.length - 1]}` : "00";
-    const sortedCiphers = validCipherSuites.map((cs) => cs.toString(16).padStart(4, "0")).sort().join(",");
-    const cipherHash = node_crypto.createHash("sha256").update(sortedCiphers).digest("hex").slice(0, 12);
-    const decimalString = extensions.sort((a, b) => a - b).map((ext) => ext.toString(10)).join("-");
-    const extensionHash = node_crypto.createHash("sha256").update(decimalString).digest("hex").slice(0, 12);
-    const ja4PlusFingerprint = `${transport}${tlsVersion}${sniIndicator}${cipherCount}${extensionCount}${alpnLabel}_${cipherHash}_${extensionHash}`;
+    const ja4PlusFingerprint = readTlsClientHello.calculateJa4FromHelloData(clientHello);
     return { ja4PlusFingerprint };
   } catch (e) {
     logger.error(() => ({
@@ -74,6 +53,9 @@ const ja4Middleware = (env) => {
       req.logger.debug(() => ({ data: { url: req.url } }));
       const ja4 = await getJA4(req.headers, req.logger);
       req.ja4 = ja4.ja4PlusFingerprint || "";
+      req.logger = req.logger.with({
+        ja4: req.ja4
+      });
       next();
     } catch (err) {
       return apiExpressRouter.handleErrors(err, req, res, next);

package/dist/cjs/api/public.cjs

@@ -5,16 +5,39 @@ const common = require("@prosopo/common");
 const types = require("@prosopo/types");
 const util = require("@prosopo/util");
 const express = require("express");
-function publicRouter() {
+function publicRouter(env) {
   const router = express.Router();
   router.get(types.PublicApiPaths.Healthz, (req, res) => {
     res.status(200).send("OK");
   });
   router.get(types.PublicApiPaths.GetProviderDetails, async (req, res, next) => {
     try {
-      return res.json({ version: util.version, ...{ message: "Provider online" } });
+      const db = env.getDb();
+      const redisConnection = db.getRedisConnection();
+      const redisAccessRulesConnection = db.getRedisAccessRulesConnection();
+      const response = {
+        version: util.version,
+        message: "Provider online",
+        redis: [
+          {
+            actor: "General",
+            isReady: redisConnection.isReady(),
+            awaitingTimeSeconds: Math.ceil(
+              redisConnection.getAwaitingTimeMs() / 1e3
+            )
+          },
+          {
+            actor: "UAP",
+            isReady: redisAccessRulesConnection.isReady(),
+            awaitingTimeSeconds: Math.ceil(
+              redisAccessRulesConnection.getAwaitingTimeMs() / 1e3
+            )
+          }
+        ]
+      };
+      return res.json(response);
     } catch (err) {
-      req.logger.error(() => ({
+      env.logger.error(() => ({
         err,
         data: { reqParams: req.params },
         msg: "Error getting provider details"

package/dist/cjs/api/verify.cjs

@@ -24,7 +24,7 @@ function prosopoVerifyRouter(env) {
           })
         );
       }
-      const { dappSignature, token, ip } = parsed;
+      const { dappSignature, token, ip, maxVerifiedTime } = parsed;
       try {
         const { user, dapp, timestamp, commitmentId } = types.decodeProcaptchaOutput(token);
         utilCrypto.validateAddress(dapp, false, 42);
@@ -45,7 +45,8 @@ function prosopoVerifyRouter(env) {
           user,
           dapp,
           commitmentId,
-          parsed.maxVerifiedTime,
+          env,
+          maxVerifiedTime,
           ip
         );
         req.logger.debug(() => ({ data: { response } }));
@@ -113,6 +114,7 @@ function prosopoVerifyRouter(env) {
           dapp,
           challenge,
           verifiedTimeout,
+          env,
           ip
         );
         const verificationResponse = tasks$1.powCaptchaManager.getVerificationResponse(

package/dist/cjs/compositeIpAddress.cjs

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const typesDatabase = require("@prosopo/types-database");
+const util = require("@prosopo/util");
+const ipAddress = require("ip-address");
+const V6_SHIFT = 64n;
+const v6_LOWER_MASK = (1n << V6_SHIFT) - 1n;
+const getCompositeIpAddress = (ip) => {
+  let ipAddress2;
+  try {
+    ipAddress2 = "string" === typeof ip ? util.getIPAddress(ip) : ip;
+  } catch (e) {
+    return {
+      lower: 0n,
+      type: typesDatabase.IpAddressType.v4
+    };
+  }
+  return getCompositeFromIpAddress(ipAddress2);
+};
+const getCompositeFromIpAddress = (ipAddress$1) => {
+  const numericIp = ipAddress$1.bigInt();
+  if (ipAddress$1 instanceof ipAddress.Address4) {
+    return {
+      lower: numericIp,
+      type: typesDatabase.IpAddressType.v4
+    };
+  }
+  ipAddress$1;
+  return {
+    lower: numericIp & v6_LOWER_MASK,
+    upper: numericIp >> V6_SHIFT,
+    type: typesDatabase.IpAddressType.v6
+  };
+};
+const getIpAddressFromComposite = (compositeIpAddress) => {
+  switch (compositeIpAddress.type) {
+    case typesDatabase.IpAddressType.v4:
+      return ipAddress.Address4.fromBigInt(getBigInt(compositeIpAddress.lower));
+    case typesDatabase.IpAddressType.v6:
+      return ipAddress.Address6.fromBigInt(
+        getBigInt(compositeIpAddress.upper) << V6_SHIFT | getBigInt(compositeIpAddress.lower) & v6_LOWER_MASK
+      );
+    default:
+      never();
+      return ipAddress.Address4.fromBigInt(0n);
+  }
+};
+const getBigInt = (number) => BigInt(number || 0n);
+const never = () => {
+  throw new Error("Unhandled type");
+};
+exports.getCompositeIpAddress = getCompositeIpAddress;
+exports.getIpAddressFromComposite = getIpAddressFromComposite;

package/dist/cjs/index.cjs

@@ -14,9 +14,13 @@ const headerCheckMiddleware = require("./api/headerCheckMiddleware.cjs");
 const createApiAdminRoutesProvider = require("./api/admin/createApiAdminRoutesProvider.cjs");
 const ignoreMiddleware = require("./api/ignoreMiddleware.cjs");
 const robotsMiddleware = require("./api/robotsMiddleware.cjs");
+const compositeIpAddress = require("./compositeIpAddress.cjs");
+const ipComparison = require("./services/ipComparison.cjs");
 const tasks = require("./tasks/tasks.cjs");
 exports.checkIfTaskIsRunning = util.checkIfTaskIsRunning;
+exports.deepValidateIpAddress = util.deepValidateIpAddress;
 exports.encodeStringAddress = util.encodeStringAddress;
+exports.evaluateIpValidationRules = util.evaluateIpValidationRules;
 exports.getIPAddress = util.getIPAddress;
 exports.getIPAddressFromBigInt = util.getIPAddressFromBigInt;
 exports.shuffleArray = util.shuffleArray;
@@ -35,4 +39,7 @@ exports.headerCheckMiddleware = headerCheckMiddleware.headerCheckMiddleware;
 exports.createApiAdminRoutesProvider = createApiAdminRoutesProvider.createApiAdminRoutesProvider;
 exports.ignoreMiddleware = ignoreMiddleware.ignoreMiddleware;
 exports.robotsMiddleware = robotsMiddleware.robotsMiddleware;
+exports.getCompositeIpAddress = compositeIpAddress.getCompositeIpAddress;
+exports.getIpAddressFromComposite = compositeIpAddress.getIpAddressFromComposite;
+exports.compareIPs = ipComparison.compareIPs;
 exports.Tasks = tasks.Tasks;

package/dist/cjs/pairs.cjs

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const util = require("@prosopo/util");
+const constructPairList = (list) => {
+  if (list.length % 2 !== 0) {
+    throw new Error("Invalid pairs length");
+  }
+  const pairList = [];
+  for (let i = 0; i < list.length; i += 2) {
+    pairList.push([util.at(list, i), util.at(list, i + 1)]);
+  }
+  return pairList;
+};
+const containsIdenticalPairs = (pairsLists) => {
+  const set = /* @__PURE__ */ new Set();
+  for (const pairList of pairsLists) {
+    for (const pair of pairList) {
+      const x = util.at(pair, 0);
+      const y = util.at(pair, 1);
+      const coordString = `${x},${y}`;
+      set.add(coordString);
+    }
+  }
+  return set.size !== pairsLists.flat().flat().length / 2;
+};
+exports.constructPairList = constructPairList;
+exports.containsIdenticalPairs = containsIdenticalPairs;