@raytio/core 8.1.1 → 9.0.1

package/dist/verifications/verifyCheck/getOwnRealVerifications.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOwnRealVerifications = void 0;
+const maybeRereference_1 = require("../maybeRereference");
+const operations_1 = require("./operations");
+/**
+ * Given a list of verifications and decrypted profile objects, this function
+ * locally verifies the credibility of the signatures in the verifications.
+ *
+ * This function does NOT call the API, except to fetch the public key.
+ * @returns a list of authentic RealVer
+ */
+const getOwnRealVerifications = async ({ verifications, profileObjects, userId, }) => {
+    const realVers = [];
+    // this code is deliberaly written using for-loops instead of Promise.all,
+    // because attempting hundreds of webcrypto operations simultaneously will
+    // probably upset some heritage web browser.
+    for (const ver of verifications) {
+        for (const { data, signature } of ver.properties.verifications) {
+            const sourcePO = profileObjects.find(PO => PO.n_id === data.source_n_id);
+            if (!sourcePO)
+                continue;
+            const value = sourcePO.properties[data.field];
+            if (!value)
+                continue;
+            /**
+             * this does NOT mean that the data is correct. It means the
+             * verification is genuinely signed by raytio, but the data
+             * might be bogus (i.e. `passed: false`)
+             */
+            const isGenuine = await (0, operations_1.checkOwnVerification)({
+                verObject: data,
+                userId,
+                value: (0, maybeRereference_1.maybeRereference)(value),
+                signature,
+            });
+            if (!isGenuine)
+                continue;
+            // a "RealVer" is what the client likes to deal with,
+            // rather than the "VerificationPayload" which is stored on the API.
+            // eslint-disable-next-line fp/no-mutating-methods
+            realVers.push({
+                fieldName: data.field,
+                value,
+                provider: {
+                    dataSourceNId: data.verifier_source_id,
+                    serviceProviderNId: data.verifier_service_id,
+                    verifierNId: data.verifier_id,
+                    date: new Date(`${data.verification_date}Z`), // the api returns invalid dates (missing the `Z`)
+                },
+                expired: data.valid_until ? new Date(data.valid_until) : false,
+                metadata: data.metadata,
+                xId: data.request_div,
+                signature,
+                verified: data.passed,
+                nID: ver.n_id,
+                belongsToNId: data.source_n_id,
+            });
+        }
+    }
+    return realVers;
+};
+exports.getOwnRealVerifications = getOwnRealVerifications;

package/dist/verifications/{getRealVerifications.d.ts → verifyCheck/getSomeoneElsesRealVerifications.d.ts}

@@ -1,22 +1,26 @@
-import { ProfileObject, Verification, RealVer } from "@raytio/types";
-declare type Props = {
-    apiUrl: string;
-    verifications: Verification[];
-    profileObjects: ProfileObject[];
-    controller?: AbortController;
-    /**
-     * do NOT use this option. If the value of a field
-     * equals the value of this prop, that field will be treated
-     * as verified, even if the API says it's not verified. See
-     * #614 for context. @deprecated
-     */
-    UNSAFE_treatNoValueAsVerified?: string;
-};
-/**
- * Given a list of verifications and decrypted profile objects, this function calls
- * the Raytio API to verify the credibility of these verifications, returning only valid
- * verifications.
- * @returns a list of fileNames/values that are verified.
- */
-export declare const getRealVerifications: ({ apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }: Props) => Promise<RealVer[]>;
-export {};
+import { ProfileObject, Verification, RealVer, AId } from "@raytio/types";
+declare type Props = {
+    aId: AId;
+    apiUrl: string;
+    verifications: Verification[];
+    profileObjects: ProfileObject[];
+    controller?: AbortController;
+    /**
+     * do NOT use this option. If the value of a field
+     * equals the value of this prop, that field will be treated
+     * as verified, even if the API says it's not verified. See
+     * #614 for context. @deprecated
+     */
+    UNSAFE_treatNoValueAsVerified?: string;
+};
+/**
+ * Given a list of verifications and decrypted profile objects, this function calls
+ * the Raytio API to verify the credibility of these verifications, returning only valid
+ * verifications.
+ *
+ * ❗ prefer `getOwnRealVerifications` if the data to be verified belongs to the current user.
+ *
+ * @returns a list of fileNames/values that are verified.
+ */
+export declare const getSomeoneElsesRealVerifications: ({ aId, apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }: Props) => Promise<RealVer[]>;
+export {};

package/dist/verifications/{getRealVerifications.js → verifyCheck/getSomeoneElsesRealVerifications.js}

@@ -1,66 +1,76 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getRealVerifications = void 0;
-const ramda_1 = require("ramda");
-const crypto_1 = require("../crypto");
-const checkVerifications_1 = require("./checkVerifications");
-const maybeRereference_1 = require("./maybeRereference");
-const getValuesForAField = (fieldName) => (0, ramda_1.pipe)((0, ramda_1.map)(x => { var _a; return (_a = x.properties) === null || _a === void 0 ? void 0 : _a[fieldName]; }), (0, ramda_1.filter)(x => !!x), // truthy only
-(0, ramda_1.reject)(crypto_1.isEncrypted), // ignore encrypted properties. this function will be called again once they're decrypted
-ramda_1.uniq);
-/**
- * Given a list of verifications and decrypted profile objects, this function calls
- * the Raytio API to verify the credibility of these verifications, returning only valid
- * verifications.
- * @returns a list of fileNames/values that are verified.
- */
-const getRealVerifications = async ({ apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }) => {
-    // for each verification (including passed: false), create a list of every possible that
-    // value that that verification might have been for. Flatten the list
-    // and send the whole thing to the API.
-    const toVerify = verifications.flatMap(ver => {
-        const values = getValuesForAField(ver.properties.field)(profileObjects);
-        return values.flatMap(value => ver.properties.verifications.map(({ signature }) => ({
-            verifications: [
-                Object.assign({ signature }, (ver.n_id.startsWith("HASHED::")
-                    ? { hashed_n_id: ver.n_id.slice(8) }
-                    : { n_id: ver.n_id })),
-            ],
-            data_to_verify: [{ value: (0, maybeRereference_1.maybeRereference)(value) }],
-        })));
-    });
-    // the API can't cope with an empty array
-    if (!toVerify.length)
-        return [];
-    const apiResponse = await (0, checkVerifications_1.checkVerifications)({
-        apiUrl,
-        toVerify,
-        controller,
-    });
-    // do NOT expose the `verified` prop from the /verify_check API to avoid semantic confusion,
-    // since verified: true does not mean that the verification is verified!
-    const realVers = (0, ramda_1.pipe)((0, ramda_1.filter)(x => x.verified ||
-        // if UNSAFE_treatNoValueAsVerified is enabled, and we don't know the value of this field,
-        // treat is as verified if the `passed` property is true (this is NOT a safe check).
-        (!!UNSAFE_treatNoValueAsVerified &&
-            x.data.value === UNSAFE_treatNoValueAsVerified &&
-            x.data.passed)), (0, ramda_1.map)(({ signature, data, n_id: nID, valid_until }) => ({
-        fieldName: data.field,
-        value: data.value,
-        provider: {
-            dataSourceNId: data.verifier_source_id,
-            serviceProviderNId: data.verifier_service_id,
-            verifierNId: data.verifier_id,
-            date: new Date(`${data.verification_date}Z`), // the api returns invalid dates (missing the `Z`)
-        },
-        expired: valid_until ? new Date(valid_until) : false,
-        metadata: data.metadata,
-        xId: data.request_div,
-        signature,
-        verified: data.passed,
-        nID,
-        belongsToNId: data.source_n_id,
-    })))(apiResponse);
-    return realVers;
-};
-exports.getRealVerifications = getRealVerifications;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSomeoneElsesRealVerifications = void 0;
+const ramda_1 = require("ramda");
+const operations_1 = require("./operations");
+const maybeRereference_1 = require("../maybeRereference");
+const crypto_1 = require("../../crypto");
+const getValuesForAField = (fieldName, POs) => (0, ramda_1.uniq)(
+// truthy only, and ignore encrypted properties. this function will be called again once they're decrypted
+POs.map(x => { var _a; return (_a = x.properties) === null || _a === void 0 ? void 0 : _a[fieldName]; }).filter(x => !!x && !(0, crypto_1.isEncrypted)(x)));
+/**
+ * Given a list of verifications and decrypted profile objects, this function calls
+ * the Raytio API to verify the credibility of these verifications, returning only valid
+ * verifications.
+ *
+ * ❗ prefer `getOwnRealVerifications` if the data to be verified belongs to the current user.
+ *
+ * @returns a list of fileNames/values that are verified.
+ */
+const getSomeoneElsesRealVerifications = async ({ aId, apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }) => {
+    // for each verification (including passed: false), create a list of every possible that
+    // value that that verification might have been for. Flatten the list
+    // and send the whole thing to the API.
+    const toVerify = verifications.flatMap(ver => {
+        const values = getValuesForAField(ver.properties.field, profileObjects);
+        return values.flatMap(value => ver.properties.verifications.map(({ signature }) => ({
+            verifications: [
+                Object.assign({ signature }, (ver.n_id.startsWith("HASHED::")
+                    ? {
+                        hashed_n_id: ver.n_id.split("::")[1],
+                        a_id: ver.n_id.split("::")[2],
+                    }
+                    : { n_id: ver.n_id })),
+            ],
+            data_to_verify: [{ value: (0, maybeRereference_1.maybeRereference)(value) }],
+        })));
+    });
+    // the API can't cope with an empty array
+    if (!toVerify.length)
+        return [];
+    const apiResponse = await (0, operations_1.checkSomeoneElsesVerifications)({
+        apiUrl,
+        toVerify,
+        controller,
+    });
+    // do NOT expose the `verified` prop from the /verify_check API to avoid semantic confusion,
+    // since verified: true does not mean that the verification is verified!
+    const realVers = apiResponse
+        .filter(x => x.verified ||
+        // if UNSAFE_treatNoValueAsVerified is enabled, and we don't know the value of this field,
+        // treat is as verified if the `passed` property is true (this is NOT a safe check).
+        (!!UNSAFE_treatNoValueAsVerified &&
+            x.data.value === UNSAFE_treatNoValueAsVerified &&
+            x.data.passed))
+        .map(({ signature, data, n_id: nID, valid_until }) => ({
+        fieldName: data.field,
+        value: data.value,
+        provider: {
+            dataSourceNId: data.verifier_source_id,
+            serviceProviderNId: data.verifier_service_id,
+            verifierNId: data.verifier_id,
+            date: new Date(`${data.verification_date}Z`), // the api returns invalid dates (missing the `Z`)
+        },
+        expired: valid_until ? new Date(valid_until) : false,
+        metadata: data.metadata,
+        xId: data.request_div,
+        signature,
+        verified: data.passed,
+        nID,
+        belongsToNId: data.source_hashed_n_id
+            ? `HASHED::${data.source_hashed_n_id}::${aId}`
+            : data.source_n_id,
+    }));
+    return realVers;
+};
+exports.getSomeoneElsesRealVerifications = getSomeoneElsesRealVerifications;

package/dist/verifications/verifyCheck/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./getOwnRealVerifications";
+export * from "./getSomeoneElsesRealVerifications";

package/dist/verifications/verifyCheck/index.js

@@ -0,0 +1,14 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./getOwnRealVerifications"), exports);
+__exportStar(require("./getSomeoneElsesRealVerifications"), exports);

package/dist/verifications/verifyCheck/operations/checkOwnVerification.d.ts

@@ -0,0 +1,9 @@
+import { UId, VerificationPayload } from "@raytio/types";
+declare type SingleVerToCheck = {
+    verObject: VerificationPayload<false>;
+    signature: string;
+    userId: UId;
+    value: unknown;
+};
+export declare const checkOwnVerification: ({ verObject, signature, userId, value, }: SingleVerToCheck) => Promise<boolean>;
+export {};

package/dist/verifications/verifyCheck/operations/checkOwnVerification.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkOwnVerification = exports.checkSignature = void 0;
+const util_1 = require("../../../util");
+let cache; // eslint-disable-line fp/no-let
+const base64ToArrayBuffer = (str) => Uint8Array.from(atob(str), c => c.charCodeAt(0));
+async function getJwk() {
+    // eslint-disable-next-line fp/no-mutation
+    cache || (cache = fetch("https://api-docs.rayt.io/lookups/raytio.pem")
+        .then(r => r.text())
+        .then(pem => crypto.subtle.importKey("spki", base64ToArrayBuffer(pem.split("-----")[2].trim()), { name: "RSA-PSS", hash: "SHA-512" }, false, ["verify"])));
+    return cache;
+}
+/** @internal exported only for tests */
+async function checkSignature(publicCryptoKey, signature, data) {
+    // the logic must match https://gitlab.com/raytio/mono/-/blob/devo/common/signing/signing/sign.py
+    const signatureBuf = base64ToArrayBuffer(signature);
+    const isVerified = await crypto.subtle.verify({ name: "RSA-PSS", hash: "SHA-512", saltLength: 512 / 8 }, publicCryptoKey, signatureBuf, new TextEncoder().encode(data));
+    return isVerified;
+}
+exports.checkSignature = checkSignature;
+const checkOwnVerification = async ({ verObject, signature, userId, value, }) => {
+    const jwk = await getJwk();
+    if (!userId)
+        throw new Error("No userId supplied");
+    const exapandedObject = Object.assign(Object.assign({}, verObject), { sub: userId, value });
+    const stringified = (0, util_1.canonicalJsonify)(exapandedObject);
+    const result = await checkSignature(jwk, signature, stringified);
+    return result;
+};
+exports.checkOwnVerification = checkOwnVerification;

package/dist/verifications/verifyCheck/operations/checkSomeoneElsesVerifications.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/verifications/{checkVerifications.js → verifyCheck/operations/checkSomeoneElsesVerifications.js}

@@ -1,16 +1,16 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkVerifications = void 0;
-const util_1 = require("../util");
-/** @internal */
-const checkVerifications = async ({ apiUrl, toVerify, controller, }) => {
-    const response = await fetch(`${apiUrl}/extract_verify/v2/verify_check`, {
-        method: "POST",
-        body: JSON.stringify(toVerify),
-        signal: controller === null || controller === void 0 ? void 0 : controller.signal,
-    }).then(util_1.handleResponse);
-    // if we send `n` items to the API, it returns `n + m` items. The
-    // extra `m` items are garbage and don't have the verified field.
-    return response.filter(ver => "verified" in ver);
-};
-exports.checkVerifications = checkVerifications;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSomeoneElsesVerifications = void 0;
+const util_1 = require("../../../util");
+/** @internal */
+const checkSomeoneElsesVerifications = async ({ apiUrl, toVerify, controller, }) => {
+    const response = await fetch(`${apiUrl}/extract_verify/v2/verify_check`, {
+        method: "POST",
+        body: JSON.stringify(toVerify),
+        signal: controller === null || controller === void 0 ? void 0 : controller.signal,
+    }).then(util_1.handleResponse);
+    // if we send `n` items to the API, it returns `n + m` items. The
+    // extra `m` items are garbage and don't have the verified field.
+    return response.filter(ver => "verified" in ver);
+};
+exports.checkSomeoneElsesVerifications = checkSomeoneElsesVerifications;

package/dist/verifications/verifyCheck/operations/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./checkOwnVerification";
+export * from "./checkSomeoneElsesVerifications";

package/dist/verifications/verifyCheck/operations/index.js

@@ -0,0 +1,14 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./checkOwnVerification"), exports);
+__exportStar(require("./checkSomeoneElsesVerifications"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@raytio/core",
-  "version": "8.1.1",
+  "version": "9.0.1",
   "license": "MIT",
   "main": "index",
   "types": "index",
@@ -15,22 +15,22 @@
     "test": "jest"
   },
   "dependencies": {
-    "@raytio/maxcryptor": "3.0.1",
-    "@raytio/types": "5.2.0",
-    "ramda": "0.27.1"
+    "@raytio/maxcryptor": "3.1.0",
+    "@raytio/types": "6.0.0",
+    "ramda": "0.28.0"
   },
   "devDependencies": {
-    "@types/ramda": "0.27.44",
-    "jest": "27.1.0",
+    "@types/ramda": "0.27.64",
+    "jest": "27.4.7",
     "localstorage-polyfill": "1.0.1",
-    "ts-jest": "27.0.5"
+    "ts-jest": "27.1.3"
   },
   "jest": {
     "transform": {
       "^.+\\.(t|j)sx?$": "ts-jest"
     },
     "testEnvironment": "node",
-    "collectCoverage": true,
+    "collectCoverage": false,
     "coverageThreshold": {
       "global": {
         "statements": 100

package/dist/util/conditional.d.ts

@@ -1,7 +0,0 @@
-declare type ConditionValue = string | number | boolean;
-/**
- * Checks all other form values in case any have a
- * trigger value that makes this field requirted.
- */
-export declare const isConditionMet: (condition: Record<string, ConditionValue[]>, formValues: Record<string, unknown>) => boolean;
-export {};

package/dist/util/conditional.js

@@ -1,15 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isConditionMet = void 0;
-/**
- * Checks all other form values in case any have a
- * trigger value that makes this field requirted.
- */
-const isConditionMet = (condition, formValues) => Object.entries(condition).every(([fieldName, triggerValues]) => {
-    if (Array.isArray(formValues[fieldName])) {
-        // if it's a multiselect, check if any of the selected values match the criteria
-        return formValues[fieldName].some(val => triggerValues.includes(val));
-    }
-    return triggerValues.includes(formValues[fieldName]);
-});
-exports.isConditionMet = isConditionMet;