@prosopo/provider 3.3.0 → 3.12.3

package/dist/cjs/tasks/detection/getBotScore.cjs

@@ -1,13 +1,24 @@
 "use strict";
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 const decodePayload = require("./decodePayload.cjs");
+const DEFAULT_ENTROPY = 13837;
 const getBotScore = async (payload, privateKeyString) => {
-  const result = await decodePayload(payload, privateKeyString);
+  const result = await decodePayload(
+    payload,
+    privateKeyString
+  );
   const baseBotScore = result.score;
   const timestamp = result.timestamp;
+  const providerSelectEntropy = result.providerSelectEntropy;
+  const userId = result.userId;
+  const userAgent = result.userAgent;
   if (baseBotScore === void 0) {
-    return { baseBotScore: 1, timestamp: 0 };
+    return {
+      baseBotScore: 1,
+      timestamp: 0,
+      providerSelectEntropy: DEFAULT_ENTROPY
+    };
   }
-  return { baseBotScore, timestamp };
+  return { baseBotScore, timestamp, providerSelectEntropy, userId, userAgent };
 };
 exports.getBotScore = getBotScore;

package/dist/cjs/tasks/frictionless/frictionlessTasks.cjs

@@ -1,11 +1,22 @@
 "use strict";
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const loadBalancer = require("@prosopo/load-balancer");
 const types = require("@prosopo/types");
 const uuid = require("uuid");
 const lang = require("../../rules/lang.cjs");
 const captchaManager = require("../captchaManager.cjs");
 const getBotScore = require("../detection/getBotScore.cjs");
+const getDefaultEntropy = () => {
+  if (process.env.PROSOPO_ENTROPY) {
+    const parsed = Number.parseInt(process.env.PROSOPO_ENTROPY);
+    if (!Number.isNaN(parsed)) {
+      return parsed;
+    }
+  }
+  return 13337;
+};
 const DEFAULT_MAX_TIMESTAMP_AGE = 60 * 10 * 1e3;
+const DEFAULT_ENTROPY = getDefaultEntropy();
 class FrictionlessManager extends captchaManager.CaptchaManager {
   constructor(db, pair, config, logger) {
     super(db, pair, logger);
@@ -14,26 +25,54 @@ class FrictionlessManager extends captchaManager.CaptchaManager {
   checkLangRules(acceptLanguage) {
     return lang.checkLangRules(this.config, acceptLanguage);
   }
-  async createSession(tokenId, captchaType) {
+  async createSession(tokenId, captchaType, solvedImagesCount, powDifficulty) {
     const sessionRecord = {
       sessionId: uuid.v4(),
       createdAt: /* @__PURE__ */ new Date(),
       tokenId,
-      captchaType
+      captchaType,
+      solvedImagesCount,
+      powDifficulty
     };
     await this.db.storeSessionRecord(sessionRecord);
     return sessionRecord;
   }
-  async sendImageCaptcha(tokenId) {
-    const sessionRecord = await this.createSession(tokenId, types.CaptchaType.image);
+  async hostVerified(entropy) {
+    const chosen = await loadBalancer.getRandomActiveProvider(
+      this.config.defaultEnvironment,
+      entropy
+    );
+    const domain = new URL(chosen.provider.url).hostname;
+    this.logger.info(() => ({
+      data: { entropy, host: this.config.host, domain }
+    }));
+    if (domain !== this.config.host) {
+      this.logger.info(() => ({
+        msg: "Host mismatch",
+        data: { expected: this.config.host, got: domain, entropy }
+      }));
+      return { verified: false, domain };
+    }
+    return { verified: true, domain };
+  }
+  async sendImageCaptcha(tokenId, solvedImagesCount) {
+    const sessionRecord = await this.createSession(
+      tokenId,
+      types.CaptchaType.image,
+      solvedImagesCount
+    );
     return {
       [types.ApiParams.captchaType]: types.CaptchaType.image,
       [types.ApiParams.sessionId]: sessionRecord.sessionId,
       [types.ApiParams.status]: "ok"
     };
   }
-  async sendPowCaptcha(tokenId) {
-    const sessionRecord = await this.createSession(tokenId, types.CaptchaType.pow);
+  async sendPowCaptcha(tokenId, powDifficulty) {
+    const sessionRecord = await this.createSession(
+      tokenId,
+      types.CaptchaType.pow,
+      powDifficulty
+    );
     return {
       [types.ApiParams.captchaType]: types.CaptchaType.pow,
       [types.ApiParams.sessionId]: sessionRecord.sessionId,
@@ -52,6 +91,21 @@ class FrictionlessManager extends captchaManager.CaptchaManager {
     });
     return botScore;
   }
+  async scoreIncreaseUnverifiedHost(host, baseBotScore, botScore, tokenId) {
+    this.logger.info(() => ({
+      msg: "Host not verified",
+      data: { requested: this.config.host, selected: host }
+    }));
+    botScore += this.config.penalties.PENALTY_UNVERIFIED_HOST;
+    await this.db.updateFrictionlessTokenRecord(tokenId, {
+      score: botScore,
+      scoreComponents: {
+        baseScore: baseBotScore,
+        unverifiedHost: this.config.penalties.PENALTY_UNVERIFIED_HOST
+      }
+    });
+    return botScore;
+  }
   async scoreIncreaseTimestamp(timestamp, baseBotScore, botScore, tokenId) {
     this.logger.info(() => ({
       msg: "Timestamp is older than 10 minutes",
@@ -72,22 +126,31 @@ class FrictionlessManager extends captchaManager.CaptchaManager {
     const diff = now - timestamp;
     return diff > DEFAULT_MAX_TIMESTAMP_AGE;
   }
+  /**
+   * Redacts a key for logging purposes by showing only the first 5, middle 10, and last 5 characters
+   * @param key - The key to redact
+   * @returns Redacted key string or empty string if key is falsy
+   */
+  redactKeyForLogging(key) {
+    if (!key) return "";
+    const start = key.slice(0, 5);
+    const middle = key.slice(
+      Math.floor(key.length / 2) - 5,
+      Math.floor(key.length / 2) + 5
+    );
+    const end = key.slice(-5);
+    return `${start}...${middle}...${end}`;
+  }
   async decryptPayload(token) {
     const decryptKeys = [
-      process.env.BOT_DECRYPTION_KEY,
-      ...await this.getDetectorKeys()
+      // Process DB keys first, then env var key last as env key will likely be invalid
+      ...await this.getDetectorKeys(),
+      process.env.BOT_DECRYPTION_KEY
     ].filter((k) => k);
     this.logger.debug(() => {
-      const loggedKeys = decryptKeys.map((key) => {
-        if (!key) return "";
-        const start = key.slice(0, 5);
-        const middle = key.slice(
-          Math.floor(key.length / 2) - 5,
-          Math.floor(key.length / 2) + 5
-        );
-        const end = key.slice(-5);
-        return `${start}...${middle}...${end}`;
-      });
+      const loggedKeys = decryptKeys.map(
+        (key) => this.redactKeyForLogging(key)
+      );
       return {
         msg: "Decrypting score",
         data: {
@@ -98,19 +161,39 @@ class FrictionlessManager extends captchaManager.CaptchaManager {
     });
     let baseBotScore;
     let timestamp;
+    let providerSelectEntropy;
+    let userId;
+    let userAgent;
     for (const [keyIndex, key] of decryptKeys.entries()) {
       try {
-        const { baseBotScore: s, timestamp: t } = await getBotScore.getBotScore(token, key);
         this.logger.info(() => ({
+          msg: "Attempting to decrypt score",
+          data: {
+            key: this.redactKeyForLogging(key)
+          }
+        }));
+        const decrypted = await getBotScore.getBotScore(token, key);
+        const s = decrypted.baseBotScore;
+        const t = decrypted.timestamp;
+        const p = decrypted.providerSelectEntropy;
+        const a = decrypted.userId;
+        const u = decrypted.userAgent;
+        this.logger.debug(() => ({
           msg: "Successfully decrypted score",
           data: {
-            key: key ? `${key.slice(0, 5)}...${key.slice(-5)}` : "",
+            key: this.redactKeyForLogging(key),
             baseBotScore: s,
-            timestamp: t
+            timestamp: t,
+            entropy: p,
+            userId: a,
+            userAgent: u
           }
         }));
         baseBotScore = s;
         timestamp = t;
+        providerSelectEntropy = p;
+        userId = a;
+        userAgent = u;
         break;
       } catch (err) {
         if (keyIndex === decryptKeys.length - 1) {
@@ -119,17 +202,38 @@ class FrictionlessManager extends captchaManager.CaptchaManager {
           }));
           baseBotScore = 1;
           timestamp = 0;
+          providerSelectEntropy = DEFAULT_ENTROPY + 1;
         }
       }
     }
-    if (baseBotScore === void 0 || timestamp === void 0) {
+    const baseBotScoreUndefined = baseBotScore === void 0;
+    const timestampUndefined = timestamp === void 0;
+    const providerSelectEntropyUndefined = providerSelectEntropy === void 0;
+    const undefinedCount = Number(baseBotScoreUndefined) + Number(timestampUndefined) + Number(providerSelectEntropyUndefined);
+    if (undefinedCount > 0) {
       this.logger.error(() => ({
-        msg: "Error decrypting score: baseBotScore or timestamp is undefined"
+        msg: "Error decrypting score: baseBotScore or timestamp or providerSelectEntropy is undefined"
       }));
       baseBotScore = 1;
       timestamp = 0;
+      providerSelectEntropy = DEFAULT_ENTROPY - undefinedCount;
     }
-    return { baseBotScore, timestamp };
+    this.logger.info(() => ({
+      msg: "decryptPayload result",
+      data: {
+        baseBotScore,
+        timestamp,
+        entropy: providerSelectEntropy
+      }
+    }));
+    return {
+      baseBotScore: Number(baseBotScore),
+      timestamp: Number(timestamp),
+      providerSelectEntropy: Number(providerSelectEntropy),
+      userId,
+      userAgent
+    };
   }
 }
+exports.DEFAULT_ENTROPY = DEFAULT_ENTROPY;
 exports.FrictionlessManager = FrictionlessManager;

package/dist/cjs/tasks/frictionless/frictionlessTasksUtils.cjs

@@ -8,4 +8,21 @@ const computeFrictionlessScore = (scoreComponents) => {
     ).toFixed(2)
   );
 };
+const timestampDecayFunction = (timestamp) => {
+  const max = (/* @__PURE__ */ new Date()).getTime();
+  if (max - timestamp > 36e5) {
+    return 12;
+  }
+  const min = 1e3;
+  const age = max - timestamp;
+  const decay = Math.log10(2e3) / max;
+  const bigScore = max * (1 - (1 - Math.exp(decay * age) ** 24));
+  return Math.max(
+    2,
+    Math.round(
+      (Math.log(bigScore) - Math.log(min)) / (Math.log(max) - Math.log(min)) * 2.5
+    )
+  );
+};
 exports.computeFrictionlessScore = computeFrictionlessScore;
+exports.timestampDecayFunction = timestampDecayFunction;

package/dist/cjs/tasks/imgCaptcha/imgCaptchaTasks.cjs

@@ -6,6 +6,8 @@ const datasets = require("@prosopo/datasets");
 const types = require("@prosopo/types");
 const util$2 = require("@prosopo/util");
 const utilCrypto = require("@prosopo/util-crypto");
+const compositeIpAddress = require("../../compositeIpAddress.cjs");
+const pairs = require("../../pairs.cjs");
 const lang = require("../../rules/lang.cjs");
 const util = require("../../util.cjs");
 const captchaManager = require("../captchaManager.cjs");
@@ -78,7 +80,7 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
       salt,
       deadlineTs,
       currentTime,
-      ipAddress.bigInt(),
+      compositeIpAddress.getCompositeIpAddress(ipAddress),
       threshold,
       frictionlessTokenId
     );
@@ -100,7 +102,7 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
    * @param providerRequestHashSignature
    * @param ipAddress
    * @param headers
-   * @param threshold the percentage of captchas that must be correct to return true
+   * @param ja4
    * @return {Promise<DappUserSolutionResult>} result containing the contract event
    */
   async dappUserSolution(userAccount, dappAccount, requestHash, captchas, userTimestampSignature, timestamp, providerRequestHashSignature, ipAddress, headers, ja4) {
@@ -152,6 +154,8 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
     );
     if (pendingRequest) {
       const { storedCaptchas, receivedCaptchas, captchaIds } = await this.validateReceivedCaptchasAgainstStoredCaptchas(captchas);
+      const flat = receivedCaptchas.map((c) => util$2.extractData(c.salt));
+      const pairs$1 = flat.map((list) => pairs.constructPairList(list));
       const { tree, commitmentId } = imgCaptchaTasksUtils.buildTreeAndGetCommitmentId(receivedCaptchas);
       const datasetId = util$2.at(storedCaptchas, 0).datasetId;
       if (!datasetId) {
@@ -171,7 +175,7 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
         userSubmitted: true,
         serverChecked: false,
         requestedAtTimestamp: timestamp,
-        ipAddress,
+        ipAddress: compositeIpAddress.getCompositeIpAddress(ipAddress),
         headers,
         frictionlessTokenId: pendingRecord.frictionlessTokenId,
         ja4
@@ -191,6 +195,21 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
         })
       );
       const totalImages = storedCaptchas[0]?.items.length || 0;
+      if (pairs.containsIdenticalPairs(pairs$1)) {
+        await this.db.disapproveDappUserCommitment(
+          commitmentId,
+          "CAPTCHA.INVALID_SOLUTION",
+          pairs$1
+        );
+        response = {
+          captchas: captchaIds.map((id) => ({
+            captchaId: id,
+            proof: [[]]
+          })),
+          verified: false
+        };
+        return response;
+      }
       if (datasets.compareCaptchaSolutions(
         receivedCaptchas,
         solutionRecords,
@@ -204,11 +223,12 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
           })),
           verified: true
         };
-        await this.db.approveDappUserCommitment(commitmentId);
+        await this.db.approveDappUserCommitment(commitmentId, pairs$1);
       } else {
         await this.db.disapproveDappUserCommitment(
           commitmentId,
-          "CAPTCHA.INVALID_SOLUTION"
+          "CAPTCHA.INVALID_SOLUTION",
+          pairs$1
         );
         response = {
           captchas: captchaIds.map((id) => ({
@@ -314,7 +334,7 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
     }
     return void 0;
   }
-  async verifyImageCaptchaSolution(user, dapp, commitmentId, maxVerifiedTime, ip) {
+  async verifyImageCaptchaSolution(user, dapp, commitmentId, env, maxVerifiedTime, ip) {
     const solution = await (commitmentId ? this.getDappUserCommitmentById(commitmentId) : this.getDappUserCommitmentByAccount(user, dapp));
     if (!solution) {
       this.logger.debug(() => ({
@@ -322,10 +342,6 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
       }));
       return { status: "API.USER_NOT_VERIFIED_NO_SOLUTION", verified: false };
     }
-    const ipValidation = util.validateIpAddress(ip, solution.ipAddress, this.logger);
-    if (!ipValidation.isValid) {
-      return { status: "API.USER_NOT_VERIFIED", verified: false };
-    }
     if (solution.serverChecked) {
       return { status: "API.USER_ALREADY_VERIFIED", verified: false };
     }
@@ -334,17 +350,43 @@ class ImgCaptchaManager extends captchaManager.CaptchaManager {
       return { status: "API.USER_NOT_VERIFIED", verified: false };
     }
     maxVerifiedTime = maxVerifiedTime || 60 * 1e3;
-    if (maxVerifiedTime) {
-      const currentTime = Date.now();
-      const timeSinceCompletion = currentTime - solution.requestedAtTimestamp;
-      if (timeSinceCompletion > maxVerifiedTime) {
-        this.logger.debug(() => ({
-          msg: "Not verified - timed out"
+    const currentTime = Date.now();
+    const timeSinceCompletion = currentTime - solution.requestedAtTimestamp;
+    if (timeSinceCompletion > maxVerifiedTime) {
+      this.logger.debug(() => ({
+        msg: "Not verified - timed out"
+      }));
+      return {
+        status: "API.USER_NOT_VERIFIED_TIME_EXPIRED",
+        verified: false
+      };
+    }
+    if (ip) {
+      const solutionIpAddress = compositeIpAddress.getIpAddressFromComposite(solution.ipAddress);
+      const clientRecord = await this.db.getClientRecord(dapp);
+      const ipValidationRules = clientRecord?.settings?.ipValidationRules;
+      await this.db.updateDappUserCommitment(solution.id, {
+        providedIp: compositeIpAddress.getCompositeIpAddress(ip)
+      });
+      const ipValidation = await util.deepValidateIpAddress(
+        ip,
+        solutionIpAddress,
+        this.logger,
+        env.config.ipApi.apiKey,
+        env.config.ipApi.baseUrl,
+        ipValidationRules
+      );
+      if (!ipValidation.isValid) {
+        this.logger.error(() => ({
+          msg: "IP validation failed for image captcha",
+          data: {
+            ip,
+            solutionIp: solutionIpAddress.address,
+            error: ipValidation.errorMessage,
+            distanceKm: ipValidation.distanceKm
+          }
         }));
-        return {
-          status: "API.USER_NOT_VERIFIED_TIME_EXPIRED",
-          verified: false
-        };
+        return { status: "API.USER_NOT_VERIFIED", verified: false };
       }
     }
     const isApproved = solution.result.status === types.CaptchaStatus.approved;

package/dist/cjs/tasks/powCaptcha/powTasks.cjs

@@ -4,6 +4,7 @@ const util = require("@polkadot/util");
 const common = require("@prosopo/common");
 const types = require("@prosopo/types");
 const util$1 = require("@prosopo/util");
+const compositeIpAddress = require("../../compositeIpAddress.cjs");
 const util$2 = require("../../util.cjs");
 const captchaManager = require("../captchaManager.cjs");
 const frictionlessTasksUtils = require("../frictionless/frictionlessTasksUtils.cjs");
@@ -47,7 +48,7 @@ class PowCaptchaManager extends captchaManager.CaptchaManager {
    * @param ipAddress
    * @param headers
    */
-  async verifyPowCaptchaSolution(challenge, difficulty, providerChallengeSignature, nonce, timeout, userTimestampSignature, ipAddress, headers) {
+  async verifyPowCaptchaSolution(challenge, providerChallengeSignature, nonce, timeout, userTimestampSignature, ipAddress, headers) {
     powTasksUtils.checkPowSignature(
       challenge,
       providerChallengeSignature,
@@ -70,8 +71,9 @@ class PowCaptchaManager extends captchaManager.CaptchaManager {
       }));
       return false;
     }
+    const difficulty = challengeRecord.difficulty;
     if (!util$1.verifyRecency(challenge, timeout)) {
-      await this.db.updatePowCaptchaRecord(
+      await this.db.updatePowCaptchaRecordResult(
         challenge,
         {
           status: types.CaptchaStatus.disapproved,
@@ -93,7 +95,7 @@ class PowCaptchaManager extends captchaManager.CaptchaManager {
         reason: "CAPTCHA.INVALID_SOLUTION"
       };
     }
-    await this.db.updatePowCaptchaRecord(
+    await this.db.updatePowCaptchaRecordResult(
       challenge,
       result,
       false,
@@ -111,21 +113,14 @@ class PowCaptchaManager extends captchaManager.CaptchaManager {
    * @param {number} timeout - the time in milliseconds since the Provider was selected to provide the PoW captcha
    * @param ip
    */
-  async serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, ip) {
+  async serverVerifyPowCaptchaSolution(dappAccount, challenge, timeout, env, ip) {
+    const notVerifiedResponse = { verified: false };
     const challengeRecord = await this.db.getPowCaptchaRecordByChallenge(challenge);
     if (!challengeRecord) {
       this.logger.debug(() => ({
         msg: `No record of this challenge: ${challenge}`
       }));
-      return { verified: false };
-    }
-    const ipValidation = util$2.validateIpAddress(
-      ip,
-      challengeRecord.ipAddress,
-      this.logger
-    );
-    if (!ipValidation.isValid) {
-      return { verified: false };
+      return notVerifiedResponse;
     }
     if (challengeRecord.result.status !== types.CaptchaStatus.approved) {
       throw new common.ProsopoApiError("CAPTCHA.INVALID_SOLUTION", {
@@ -135,7 +130,7 @@ class PowCaptchaManager extends captchaManager.CaptchaManager {
         }
       });
     }
-    if (challengeRecord.serverChecked) return { verified: false };
+    if (challengeRecord.serverChecked) return notVerifiedResponse;
     const challengeDappAccount = challengeRecord.dappAccount;
     if (dappAccount !== challengeDappAccount) {
       throw new common.ProsopoEnvError("CAPTCHA.DAPP_USER_SOLUTION_NOT_FOUND", {
@@ -146,10 +141,43 @@ class PowCaptchaManager extends captchaManager.CaptchaManager {
         }
       });
     }
-    util$1.verifyRecency(challenge, timeout);
     await this.db.markDappUserPoWCommitmentsChecked([
       challengeRecord.challenge
     ]);
+    const recent = util$1.verifyRecency(challenge, timeout);
+    if (!recent) {
+      return notVerifiedResponse;
+    }
+    if (ip) {
+      const challengeIpAddress = compositeIpAddress.getIpAddressFromComposite(
+        challengeRecord.ipAddress
+      );
+      const clientRecord = await this.db.getClientRecord(dappAccount);
+      const ipValidationRules = clientRecord?.settings?.ipValidationRules;
+      await this.db.updatePowCaptchaRecord(challengeRecord.challenge, {
+        providedIp: compositeIpAddress.getCompositeIpAddress(ip)
+      });
+      const ipValidation = await util$2.deepValidateIpAddress(
+        ip,
+        challengeIpAddress,
+        this.logger,
+        env.config.ipApi.apiKey,
+        env.config.ipApi.baseUrl,
+        ipValidationRules
+      );
+      if (!ipValidation.isValid) {
+        this.logger.error(() => ({
+          msg: "IP validation failed for PoW captcha",
+          data: {
+            ip,
+            challengeIp: challengeIpAddress.address,
+            error: ipValidation.errorMessage,
+            distanceKm: ipValidation.distanceKm
+          }
+        }));
+        return notVerifiedResponse;
+      }
+    }
     let score;
     if (challengeRecord.frictionlessTokenId) {
       const tokenRecord = await this.db.getFrictionlessTokenRecordByTokenId(