@raytio/core 8.1.3 → 9.0.0

package/dist/util/index.js

@@ -10,4 +10,5 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./canonicalJsonify"), exports);
 __exportStar(require("./handleResponse"), exports);

package/dist/verifications/getPOVerification.d.ts

@@ -1,4 +1,4 @@
-import { FieldVerification, ProfileObject, POVerification, RealVer, Schema, VerificationProvider, ProfileObjectForUpload } from "@raytio/types";
+import { FieldVerification, ProfileObject, POVerification, RealVer, Schema, VerificationProvider, ProfileObjectForUpload, NId } from "@raytio/types";
 /**
  * Determines the verification status of a profile object, and its individual fields.
  */
@@ -8,6 +8,9 @@ export declare function getPOVerification({ PO, schema, realVers, }: {
     realVers: RealVer[];
 }): {
     status: POVerification;
-    details: VerificationProvider[];
+    details: {
+        sourceNId?: NId;
+        verifiers: VerificationProvider[];
+    };
     fieldVerifications: Record<string, FieldVerification>;
 };

package/dist/verifications/getPOVerification.js

@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getPOVerification = void 0;
-/* eslint-disable fp/no-throw */
 const ramda_1 = require("ramda");
 const types_1 = require("@raytio/types");
 const crypto_1 = require("../crypto");
@@ -23,7 +22,7 @@ function getPOVerification({ PO, schema, realVers, }) {
     if (someAreEncrypted) {
         return {
             status: types_1.POVerification.Encrypted,
-            details: [],
+            details: { sourceNId: PO.n_id, verifiers: [] },
             fieldVerifications: {},
         };
     }
@@ -81,14 +80,14 @@ function getPOVerification({ PO, schema, realVers, }) {
         /* istanbul ignore next */
         return types_1.POVerification.NotVerified;
     })();
-    const details = (0, getVerifiedBy_1.getVerifiedBy)({
+    const verifiers = (0, getVerifiedBy_1.getVerifiedBy)({
         nId: PO.n_id,
         realVers,
         shouldBeVerifiedProps,
     });
     return {
         status,
-        details,
+        details: { sourceNId: PO.n_id, verifiers },
         fieldVerifications,
     };
 }

package/dist/verifications/index.d.ts

@@ -1,5 +1,5 @@
 export * from "./cleanInstance";
 export * from "./getPOVerification";
-export * from "./getRealVerifications";
+export * from "./verifyCheck";
 export * from "./getVerifiedBy";
 export * from "./safeHarbour";

package/dist/verifications/index.js

@@ -13,6 +13,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 // not exporting checkVerifications; it's not a public API
 __exportStar(require("./cleanInstance"), exports);
 __exportStar(require("./getPOVerification"), exports);
-__exportStar(require("./getRealVerifications"), exports);
+__exportStar(require("./verifyCheck"), exports);
 __exportStar(require("./getVerifiedBy"), exports);
 __exportStar(require("./safeHarbour"), exports);

package/dist/verifications/safeHarbour.d.ts

@@ -9,7 +9,7 @@ export declare type SafeHarbourResult = {
 /**
  * The Safe Harbour Score indidicates whether a person's identity has been verified
  * to the extent requried for Safe Harbour Compliance. This requires multiple verifications
- * from different sources. For infomation, refer to the
+ * from different sources. For information, refer to the
  * {@link https://dev-docs.rayt.io/docs/features/pep-checks Raytio Documentation}.
  */
 export declare const calcSafeHarbourScore: (data: {

package/dist/verifications/safeHarbour.js

@@ -38,7 +38,7 @@ async function getFlags({ person, profileObjects, realVers, getSchema, }) {
         }));
     })))
         .filter(v => v.status === types_1.POVerification.FullyVerified)
-        .flatMap(v => v.details.map(verProvider => realVers.find(ver => ver.belongsToNId === v.nId &&
+        .flatMap(v => v.details.verifiers.map(verProvider => realVers.find(ver => ver.belongsToNId === v.nId &&
         ver.provider.dataSourceNId === verProvider.dataSourceNId)))
         .filter((x) => !!x);
     // in case there are somehow duplicates (see #922)
@@ -67,7 +67,7 @@ exports.safeHarbourRequirementsMet = safeHarbourRequirementsMet;
 /**
  * The Safe Harbour Score indidicates whether a person's identity has been verified
  * to the extent requried for Safe Harbour Compliance. This requires multiple verifications
- * from different sources. For infomation, refer to the
+ * from different sources. For information, refer to the
  * {@link https://dev-docs.rayt.io/docs/features/pep-checks Raytio Documentation}.
  */
 const calcSafeHarbourScore = (data) => getFlags(data).then(safeHarbourRequirementsMet);

package/dist/verifications/verifyCheck/getOwnRealVerifications.d.ts

@@ -0,0 +1,13 @@
+import { ProfileObject, Verification, RealVer, UId } from "@raytio/types";
+/**
+ * Given a list of verifications and decrypted profile objects, this function
+ * locally verifies the credibility of the signatures in the verifications.
+ *
+ * This function does NOT call the API, except to fetch the public key.
+ * @returns a list of authentic RealVer
+ */
+export declare const getOwnRealVerifications: ({ verifications, profileObjects, userId, }: {
+    verifications: Verification[];
+    profileObjects: ProfileObject[];
+    userId: UId;
+}) => Promise<RealVer[]>;

package/dist/verifications/verifyCheck/getOwnRealVerifications.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOwnRealVerifications = void 0;
+const maybeRereference_1 = require("../maybeRereference");
+const operations_1 = require("./operations");
+/**
+ * Given a list of verifications and decrypted profile objects, this function
+ * locally verifies the credibility of the signatures in the verifications.
+ *
+ * This function does NOT call the API, except to fetch the public key.
+ * @returns a list of authentic RealVer
+ */
+const getOwnRealVerifications = async ({ verifications, profileObjects, userId, }) => {
+    const realVers = [];
+    // this code is deliberaly written using for-loops instead of Promise.all,
+    // because attempting hundreds of webcrypto operations simultaneously will
+    // probably upset some heritage web browser.
+    for (const ver of verifications) {
+        for (const { data, signature } of ver.properties.verifications) {
+            const sourcePO = profileObjects.find(PO => PO.n_id === data.source_n_id);
+            if (!sourcePO)
+                continue;
+            const value = sourcePO.properties[data.field];
+            if (!value)
+                continue;
+            /**
+             * this does NOT mean that the data is correct. It means the
+             * verification is genuinely signed by raytio, but the data
+             * might be bogus (i.e. `passed: false`)
+             */
+            const isGenuine = await (0, operations_1.checkOwnVerification)({
+                verObject: data,
+                userId,
+                value: (0, maybeRereference_1.maybeRereference)(value),
+                signature,
+            });
+            if (!isGenuine)
+                continue;
+            // a "RealVer" is what the client likes to deal with,
+            // rather than the "VerificationPayload" which is stored on the API.
+            // eslint-disable-next-line fp/no-mutating-methods
+            realVers.push({
+                fieldName: data.field,
+                value,
+                provider: {
+                    dataSourceNId: data.verifier_source_id,
+                    serviceProviderNId: data.verifier_service_id,
+                    verifierNId: data.verifier_id,
+                    date: new Date(`${data.verification_date}Z`), // the api returns invalid dates (missing the `Z`)
+                },
+                expired: data.valid_until ? new Date(data.valid_until) : false,
+                metadata: data.metadata,
+                xId: data.request_div,
+                signature,
+                verified: data.passed,
+                nID: ver.n_id,
+                belongsToNId: data.source_n_id,
+            });
+        }
+    }
+    return realVers;
+};
+exports.getOwnRealVerifications = getOwnRealVerifications;

package/dist/verifications/{getRealVerifications.d.ts → verifyCheck/getSomeoneElsesRealVerifications.d.ts}

@@ -1,5 +1,6 @@
-import { ProfileObject, Verification, RealVer } from "@raytio/types";
+import { ProfileObject, Verification, RealVer, AId } from "@raytio/types";
 declare type Props = {
+    aId: AId;
     apiUrl: string;
     verifications: Verification[];
     profileObjects: ProfileObject[];
@@ -16,7 +17,10 @@ declare type Props = {
  * Given a list of verifications and decrypted profile objects, this function calls
  * the Raytio API to verify the credibility of these verifications, returning only valid
  * verifications.
+ *
+ * ❗ prefer `getOwnRealVerifications` if the data to be verified belongs to the current user.
+ *
  * @returns a list of fileNames/values that are verified.
  */
-export declare const getRealVerifications: ({ apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }: Props) => Promise<RealVer[]>;
+export declare const getSomeoneElsesRealVerifications: ({ aId, apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }: Props) => Promise<RealVer[]>;
 export {};

package/dist/verifications/{getRealVerifications.js → verifyCheck/getSomeoneElsesRealVerifications.js}

@@ -1,25 +1,28 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getRealVerifications = void 0;
+exports.getSomeoneElsesRealVerifications = void 0;
 const ramda_1 = require("ramda");
-const crypto_1 = require("../crypto");
-const checkVerifications_1 = require("./checkVerifications");
-const maybeRereference_1 = require("./maybeRereference");
-const getValuesForAField = (fieldName) => (0, ramda_1.pipe)((0, ramda_1.map)(x => { var _a; return (_a = x.properties) === null || _a === void 0 ? void 0 : _a[fieldName]; }), (0, ramda_1.filter)(x => !!x), // truthy only
-(0, ramda_1.reject)(crypto_1.isEncrypted), // ignore encrypted properties. this function will be called again once they're decrypted
-ramda_1.uniq);
+const operations_1 = require("./operations");
+const maybeRereference_1 = require("../maybeRereference");
+const crypto_1 = require("../../crypto");
+const getValuesForAField = (fieldName, POs) => (0, ramda_1.uniq)(
+// truthy only, and ignore encrypted properties. this function will be called again once they're decrypted
+POs.map(x => { var _a; return (_a = x.properties) === null || _a === void 0 ? void 0 : _a[fieldName]; }).filter(x => !!x && !(0, crypto_1.isEncrypted)(x)));
 /**
  * Given a list of verifications and decrypted profile objects, this function calls
  * the Raytio API to verify the credibility of these verifications, returning only valid
  * verifications.
+ *
+ * ❗ prefer `getOwnRealVerifications` if the data to be verified belongs to the current user.
+ *
  * @returns a list of fileNames/values that are verified.
  */
-const getRealVerifications = async ({ apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }) => {
+const getSomeoneElsesRealVerifications = async ({ aId, apiUrl, verifications, profileObjects, controller, UNSAFE_treatNoValueAsVerified, }) => {
     // for each verification (including passed: false), create a list of every possible that
     // value that that verification might have been for. Flatten the list
     // and send the whole thing to the API.
     const toVerify = verifications.flatMap(ver => {
-        const values = getValuesForAField(ver.properties.field)(profileObjects);
+        const values = getValuesForAField(ver.properties.field, profileObjects);
         return values.flatMap(value => ver.properties.verifications.map(({ signature }) => ({
             verifications: [
                 Object.assign({ signature }, (ver.n_id.startsWith("HASHED::")
@@ -35,19 +38,21 @@ const getRealVerifications = async ({ apiUrl, verifications, profileObjects, con
     // the API can't cope with an empty array
     if (!toVerify.length)
         return [];
-    const apiResponse = await (0, checkVerifications_1.checkVerifications)({
+    const apiResponse = await (0, operations_1.checkSomeoneElsesVerifications)({
         apiUrl,
         toVerify,
         controller,
     });
     // do NOT expose the `verified` prop from the /verify_check API to avoid semantic confusion,
     // since verified: true does not mean that the verification is verified!
-    const realVers = (0, ramda_1.pipe)((0, ramda_1.filter)(x => x.verified ||
+    const realVers = apiResponse
+        .filter(x => x.verified ||
         // if UNSAFE_treatNoValueAsVerified is enabled, and we don't know the value of this field,
         // treat is as verified if the `passed` property is true (this is NOT a safe check).
         (!!UNSAFE_treatNoValueAsVerified &&
             x.data.value === UNSAFE_treatNoValueAsVerified &&
-            x.data.passed)), (0, ramda_1.map)(({ signature, data, n_id: nID, valid_until }) => ({
+            x.data.passed))
+        .map(({ signature, data, n_id: nID, valid_until }) => ({
         fieldName: data.field,
         value: data.value,
         provider: {
@@ -62,8 +67,10 @@ const getRealVerifications = async ({ apiUrl, verifications, profileObjects, con
         signature,
         verified: data.passed,
         nID,
-        belongsToNId: data.source_n_id,
-    })))(apiResponse);
+        belongsToNId: data.source_hashed_n_id
+            ? `HASHED::${data.source_hashed_n_id}::${aId}`
+            : data.source_n_id,
+    }));
     return realVers;
 };
-exports.getRealVerifications = getRealVerifications;
+exports.getSomeoneElsesRealVerifications = getSomeoneElsesRealVerifications;

package/dist/verifications/verifyCheck/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./getOwnRealVerifications";
+export * from "./getSomeoneElsesRealVerifications";

package/dist/verifications/verifyCheck/index.js

@@ -0,0 +1,14 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./getOwnRealVerifications"), exports);
+__exportStar(require("./getSomeoneElsesRealVerifications"), exports);

package/dist/verifications/verifyCheck/operations/checkOwnVerification.d.ts

@@ -0,0 +1,9 @@
+import { UId, VerificationPayload } from "@raytio/types";
+declare type SingleVerToCheck = {
+    verObject: VerificationPayload<false>;
+    signature: string;
+    userId: UId;
+    value: unknown;
+};
+export declare const checkOwnVerification: ({ verObject, signature, userId, value, }: SingleVerToCheck) => Promise<boolean>;
+export {};

package/dist/verifications/verifyCheck/operations/checkOwnVerification.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkOwnVerification = exports.checkSignature = void 0;
+const util_1 = require("../../../util");
+let cache; // eslint-disable-line fp/no-let
+const base64ToArrayBuffer = (str) => Uint8Array.from(atob(str), c => c.charCodeAt(0));
+async function getJwk() {
+    // eslint-disable-next-line fp/no-mutation
+    cache || (cache = fetch("https://api-docs.rayt.io/lookups/raytio.pem")
+        .then(r => r.text())
+        .then(pem => crypto.subtle.importKey("spki", base64ToArrayBuffer(pem.split("-----")[2].trim()), { name: "RSA-PSS", hash: "SHA-512" }, false, ["verify"])));
+    return cache;
+}
+/** @internal exported only for tests */
+async function checkSignature(publicCryptoKey, signature, data) {
+    // the logic must match https://gitlab.com/raytio/mono/-/blob/devo/common/signing/signing/sign.py
+    const signatureBuf = base64ToArrayBuffer(signature);
+    const isVerified = await crypto.subtle.verify({ name: "RSA-PSS", hash: "SHA-512", saltLength: 512 / 8 }, publicCryptoKey, signatureBuf, new TextEncoder().encode(data));
+    return isVerified;
+}
+exports.checkSignature = checkSignature;
+const checkOwnVerification = async ({ verObject, signature, userId, value, }) => {
+    const jwk = await getJwk();
+    if (!userId)
+        throw new Error("No userId supplied");
+    const exapandedObject = Object.assign(Object.assign({}, verObject), { sub: userId, value });
+    const stringified = (0, util_1.canonicalJsonify)(exapandedObject);
+    const result = await checkSignature(jwk, signature, stringified);
+    return result;
+};
+exports.checkOwnVerification = checkOwnVerification;

package/dist/verifications/verifyCheck/operations/checkSomeoneElsesVerifications.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/verifications/{checkVerifications.js → verifyCheck/operations/checkSomeoneElsesVerifications.js}

@@ -1,9 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkVerifications = void 0;
-const util_1 = require("../util");
+exports.checkSomeoneElsesVerifications = void 0;
+const util_1 = require("../../../util");
 /** @internal */
-const checkVerifications = async ({ apiUrl, toVerify, controller, }) => {
+const checkSomeoneElsesVerifications = async ({ apiUrl, toVerify, controller, }) => {
     const response = await fetch(`${apiUrl}/extract_verify/v2/verify_check`, {
         method: "POST",
         body: JSON.stringify(toVerify),
@@ -13,4 +13,4 @@ const checkVerifications = async ({ apiUrl, toVerify, controller, }) => {
     // extra `m` items are garbage and don't have the verified field.
     return response.filter(ver => "verified" in ver);
 };
-exports.checkVerifications = checkVerifications;
+exports.checkSomeoneElsesVerifications = checkSomeoneElsesVerifications;

package/dist/verifications/verifyCheck/operations/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./checkOwnVerification";
+export * from "./checkSomeoneElsesVerifications";

package/dist/verifications/verifyCheck/operations/index.js

@@ -0,0 +1,14 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./checkOwnVerification"), exports);
+__exportStar(require("./checkSomeoneElsesVerifications"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@raytio/core",
-  "version": "8.1.3",
+  "version": "9.0.0",
   "license": "MIT",
   "main": "index",
   "types": "index",
@@ -15,22 +15,22 @@
     "test": "jest"
   },
   "dependencies": {
-    "@raytio/maxcryptor": "3.0.1",
+    "@raytio/maxcryptor": "3.1.0",
     "@raytio/types": "5.2.1",
-    "ramda": "0.27.1"
+    "ramda": "0.28.0"
   },
   "devDependencies": {
-    "@types/ramda": "0.27.44",
-    "jest": "27.3.0",
+    "@types/ramda": "0.27.64",
+    "jest": "27.4.7",
     "localstorage-polyfill": "1.0.1",
-    "ts-jest": "27.0.5"
+    "ts-jest": "27.1.3"
   },
   "jest": {
     "transform": {
       "^.+\\.(t|j)sx?$": "ts-jest"
     },
     "testEnvironment": "node",
-    "collectCoverage": true,
+    "collectCoverage": false,
     "coverageThreshold": {
       "global": {
         "statements": 100