@reclaimprotocol/attestor-core 3.0.1

package/lib/server/tunnels/make-tcp-tunnel.js

@@ -0,0 +1,182 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeTcpTunnel = void 0;
+const dns_1 = require("dns");
+const https_proxy_agent_1 = require("https-proxy-agent");
+const net_1 = require("net");
+const config_1 = require("src/config");
+const iso_1 = require("src/server/utils/iso");
+const utils_1 = require("src/utils");
+const env_1 = require("src/utils/env");
+const HTTPS_PROXY_URL = (0, env_1.getEnvVariable)('HTTPS_PROXY_URL');
+/**
+ * Builds a TCP tunnel to the given host and port.
+ * If a geolocation is provided -- an HTTPS proxy is used
+ * to connect to the host.
+ *
+ * HTTPS proxy essentially creates an opaque tunnel to the
+ * host using the CONNECT method. Any data can be sent through
+ * this tunnel to the end host.
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT
+ *
+ * The tunnel also retains a transcript of all messages sent and received.
+ */
+const makeTcpTunnel = async ({ onClose, onMessage, logger, ...opts }) => {
+    const transcript = [];
+    const socket = await connectTcp({ ...opts, logger });
+    socket.once('error', close);
+    socket.once('end', () => close(undefined));
+    socket.on('data', message => {
+        onMessage === null || onMessage === void 0 ? void 0 : onMessage(message);
+        transcript.push({ sender: 'server', message });
+    });
+    return {
+        transcript,
+        createRequest: opts,
+        async write(data) {
+            transcript.push({ sender: 'client', message: data });
+            await new Promise((resolve, reject) => {
+                socket.write(data, err => {
+                    if (err) {
+                        reject(err);
+                    }
+                    else {
+                        resolve();
+                    }
+                });
+            });
+        },
+        close,
+    };
+    function close(error) {
+        if (socket.readableEnded) {
+            return;
+        }
+        logger.debug({ err: error }, 'closing socket');
+        socket.end(() => {
+            // Do nothing
+        });
+        onClose === null || onClose === void 0 ? void 0 : onClose(error);
+        onClose = undefined;
+    }
+};
+exports.makeTcpTunnel = makeTcpTunnel;
+setDnsServers();
+async function connectTcp({ host, port, geoLocation, logger }) {
+    let connectTimeout;
+    let socket;
+    try {
+        await new Promise(async (resolve, reject) => {
+            try {
+                // add a timeout to ensure the connection doesn't hang
+                // and cause our gateway to send out a 504
+                connectTimeout = setTimeout(() => reject(new utils_1.AttestorError('ERROR_NETWORK_ERROR', 'Server connection timed out')), config_1.CONNECTION_TIMEOUT_MS);
+                socket = await getSocket({
+                    host,
+                    port,
+                    geoLocation,
+                    logger
+                });
+                socket.once('connect', resolve);
+                socket.once('error', reject);
+                socket.once('end', () => (reject(new utils_1.AttestorError('ERROR_NETWORK_ERROR', 'connection closed'))));
+            }
+            catch (err) {
+                reject(err);
+            }
+        });
+        logger.debug({ addr: `${host}:${port}` }, 'connected');
+        return socket;
+    }
+    catch (err) {
+        socket === null || socket === void 0 ? void 0 : socket.end();
+        throw err;
+    }
+    finally {
+        clearTimeout(connectTimeout);
+    }
+}
+async function getSocket(opts) {
+    var _a;
+    const { logger } = opts;
+    try {
+        return await _getSocket(opts);
+    }
+    catch (err) {
+        // see if the proxy is blocking the connection
+        // due to their own arbitrary rules,
+        // if so -- we resolve hostname first &
+        // connect directly via address to
+        // avoid proxy knowing which host we're connecting to
+        if (!(err instanceof utils_1.AttestorError)
+            || ((_a = err.data) === null || _a === void 0 ? void 0 : _a.code) !== 403) {
+            throw err;
+        }
+        const addrs = await resolveHostnames(opts.host);
+        logger.info({ addrs, host: opts.host }, 'failed to connect due to restricted IP, trying via raw addr');
+        for (const addr of addrs) {
+            try {
+                return await _getSocket({ ...opts, host: addr });
+            }
+            catch (err) {
+                logger.error({ addr, err }, 'failed to connect to host');
+            }
+        }
+        throw err;
+    }
+}
+async function _getSocket({ host, port, geoLocation, logger }) {
+    const socket = new net_1.Socket();
+    if (geoLocation && !HTTPS_PROXY_URL) {
+        logger.warn({ geoLocation }, 'geoLocation provided but no proxy URL found');
+        geoLocation = '';
+    }
+    if (!geoLocation) {
+        socket.connect({ host, port, });
+        return socket;
+    }
+    if (!(0, iso_1.isValidCountryCode)(geoLocation)) {
+        throw utils_1.AttestorError.badRequest(`Geolocation "${geoLocation}" is invalid. Must be 2 letter ISO country code`, { geoLocation });
+    }
+    const agentUrl = HTTPS_PROXY_URL.replace('{{geoLocation}}', (geoLocation === null || geoLocation === void 0 ? void 0 : geoLocation.toLowerCase()) || '');
+    const agent = new https_proxy_agent_1.HttpsProxyAgent(agentUrl);
+    const waitForProxyRes = new Promise(resolve => {
+        // @ts-ignore
+        socket.once('proxyConnect', resolve);
+    });
+    const proxySocket = await agent.connect(
+    // ignore, because https-proxy-agent
+    // expects an http request object
+    // @ts-ignore
+    socket, { host, port, timeout: config_1.CONNECTION_TIMEOUT_MS });
+    const res = await waitForProxyRes;
+    if (res.statusCode !== 200) {
+        logger.error({ geoLocation, res }, 'Proxy geo location failed');
+        throw new utils_1.AttestorError('ERROR_PROXY_ERROR', `Proxy via geo location "${geoLocation}" failed with status code: ${res.statusCode}, message: ${res.statusText}`, {
+            code: res.statusCode,
+            message: res.statusText,
+        });
+    }
+    process.nextTick(() => {
+        // ensure connect event is emitted
+        // so it can be captured by the caller
+        proxySocket.emit('connect');
+    });
+    return proxySocket;
+}
+async function resolveHostnames(hostname) {
+    return new Promise((_resolve, reject) => {
+        (0, dns_1.resolve)(hostname, (err, addresses) => {
+            if (err) {
+                reject(new Error(`Could not resolve hostname: ${hostname}, ${err.message}`));
+            }
+            else {
+                _resolve(addresses);
+            }
+        });
+    });
+}
+function setDnsServers() {
+    (0, dns_1.setServers)(config_1.DNS_SERVERS);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWFrZS10Y3AtdHVubmVsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3NlcnZlci90dW5uZWxzL21ha2UtdGNwLXR1bm5lbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSw2QkFBeUM7QUFDekMseURBQW1EO0FBRW5ELDZCQUE0QjtBQUM1Qix1Q0FBK0Q7QUFFL0QsOENBQXlEO0FBR3pELHFDQUF5QztBQUN6Qyx1Q0FBOEM7QUFFOUMsTUFBTSxlQUFlLEdBQUcsSUFBQSxvQkFBYyxFQUFDLGlCQUFpQixDQUFDLENBQUE7QUFLekQ7Ozs7Ozs7Ozs7O0dBV0c7QUFDSSxNQUFNLGFBQWEsR0FBaUQsS0FBSyxFQUFDLEVBQ2hGLE9BQU8sRUFDUCxTQUFTLEVBQ1QsTUFBTSxFQUNOLEdBQUcsSUFBSSxFQUNQLEVBQUUsRUFBRTtJQUNKLE1BQU0sVUFBVSxHQUFzQyxFQUFFLENBQUE7SUFDeEQsTUFBTSxNQUFNLEdBQUcsTUFBTSxVQUFVLENBQUMsRUFBRSxHQUFHLElBQUksRUFBRSxNQUFNLEVBQUUsQ0FBQyxDQUFBO0lBRXBELE1BQU0sQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLEtBQUssQ0FBQyxDQUFBO0lBQzNCLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxFQUFFLEdBQUcsRUFBRSxDQUFDLEtBQUssQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFBO0lBQzFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQyxFQUFFO1FBQzNCLFNBQVMsYUFBVCxTQUFTLHVCQUFULFNBQVMsQ0FBRyxPQUFPLENBQUMsQ0FBQTtRQUNwQixVQUFVLENBQUMsSUFBSSxDQUFDLEVBQUUsTUFBTSxFQUFFLFFBQVEsRUFBRSxPQUFPLEVBQUUsQ0FBQyxDQUFBO0lBQy9DLENBQUMsQ0FBQyxDQUFBO0lBRUYsT0FBTztRQUNOLFVBQVU7UUFDVixhQUFhLEVBQUUsSUFBSTtRQUNuQixLQUFLLENBQUMsS0FBSyxDQUFDLElBQUk7WUFDZixVQUFVLENBQUMsSUFBSSxDQUFDLEVBQUUsTUFBTSxFQUFFLFFBQVEsRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQTtZQUNwRCxNQUFNLElBQUksT0FBTyxDQUFPLENBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxFQUFFO2dCQUMzQyxNQUFNLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsRUFBRTtvQkFDeEIsSUFBRyxHQUFHLEVBQUUsQ0FBQzt3QkFDUixNQUFNLENBQUMsR0FBRyxDQUFDLENBQUE7b0JBQ1osQ0FBQzt5QkFBTSxDQUFDO3dCQUNQLE9BQU8sRUFBRSxDQUFBO29CQUNWLENBQUM7Z0JBQ0YsQ0FBQyxDQUFDLENBQUE7WUFDSCxDQUFDLENBQUMsQ0FBQTtRQUNILENBQUM7UUFDRCxLQUFLO0tBQ0wsQ0FBQTtJQUVELFNBQVMsS0FBSyxDQUFDLEtBQWE7UUFDM0IsSUFBRyxNQUFNLENBQUMsYUFBYSxFQUFFLENBQUM7WUFDekIsT0FBTTtRQUNQLENBQUM7UUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLEVBQUUsR0FBRyxFQUFFLEtBQUssRUFBRSxFQUFFLGdCQUFnQixDQUFDLENBQUE7UUFFOUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxHQUFHLEVBQUU7WUFDZixhQUFhO1FBQ2QsQ0FBQyxDQUFDLENBQUE7UUFDRixPQUFPLGFBQVAsT0FBTyx1QkFBUCxPQUFPLENBQUcsS0FBSyxDQUFDLENBQUE7UUFDaEIsT0FBTyxHQUFHLFNBQVMsQ0FBQTtJQUNwQixDQUFDO0FBQ0YsQ0FBQyxDQUFBO0FBL0NZLFFBQUEsYUFBYSxpQkErQ3pCO0FBRUQsYUFBYSxFQUFFLENBQUE7QUFFZixLQUFLLFVBQVUsVUFBVSxDQUFDLEVBQUUsSUFBSSxFQUFFLElBQUksRUFBRSxXQUFXLEVBQUUsTUFBTSxFQUFhO0lBQ3ZFLElBQUksY0FBMEMsQ0FBQTtJQUM5QyxJQUFJLE1BQTBCLENBQUE7SUFDOUIsSUFBSSxDQUFDO1FBQ0osTUFBTSxJQUFJLE9BQU8sQ0FBQyxLQUFLLEVBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxFQUFFO1lBQzFDLElBQUksQ0FBQztnQkFDSixzREFBc0Q7Z0JBQ3RELDBDQUEwQztnQkFDMUMsY0FBYyxHQUFHLFVBQVUsQ0FDMUIsR0FBRyxFQUFFLENBQUMsTUFBTSxDQUNYLElBQUkscUJBQWEsQ0FDaEIscUJBQXFCLEVBQ3JCLDZCQUE2QixDQUM3QixDQUNELEVBQ0QsOEJBQXFCLENBQ3JCLENBQUE7Z0JBQ0QsTUFBTSxHQUFHLE1BQU0sU0FBUyxDQUFDO29CQUN4QixJQUFJO29CQUNKLElBQUk7b0JBQ0osV0FBVztvQkFDWCxNQUFNO2lCQUNOLENBQUMsQ0FBQTtnQkFDRixNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsRUFBRSxPQUFPLENBQUMsQ0FBQTtnQkFDL0IsTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLEVBQUUsTUFBTSxDQUFDLENBQUE7Z0JBQzVCLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxFQUFFLEdBQUcsRUFBRSxDQUFDLENBQ3hCLE1BQU0sQ0FDTCxJQUFJLHFCQUFhLENBQ2hCLHFCQUFxQixFQUNyQixtQkFBbUIsQ0FDbkIsQ0FDRCxDQUNELENBQUMsQ0FBQTtZQUNILENBQUM7WUFBQyxPQUFNLEdBQUcsRUFBRSxDQUFDO2dCQUNiLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQTtZQUNaLENBQUM7UUFDRixDQUFDLENBQUMsQ0FBQTtRQUVGLE1BQU0sQ0FBQyxLQUFLLENBQUMsRUFBRSxJQUFJLEVBQUUsR0FBRyxJQUFJLElBQUksSUFBSSxFQUFFLEVBQUUsRUFBRSxXQUFXLENBQUMsQ0FBQTtRQUV0RCxPQUFPLE1BQU8sQ0FBQTtJQUNmLENBQUM7SUFBQyxPQUFNLEdBQUcsRUFBRSxDQUFDO1FBQ2IsTUFBTSxhQUFOLE1BQU0sdUJBQU4sTUFBTSxDQUFFLEdBQUcsRUFBRSxDQUFBO1FBQ2IsTUFBTSxHQUFHLENBQUE7SUFDVixDQUFDO1lBQVMsQ0FBQztRQUNWLFlBQVksQ0FBQyxjQUFjLENBQUMsQ0FBQTtJQUM3QixDQUFDO0FBQ0YsQ0FBQztBQUVELEtBQUssVUFBVSxTQUFTLENBQUMsSUFBZTs7SUFDdkMsTUFBTSxFQUFFLE1BQU0sRUFBRSxHQUFHLElBQUksQ0FBQTtJQUN2QixJQUFJLENBQUM7UUFDSixPQUFPLE1BQU0sVUFBVSxDQUFDLElBQUksQ0FBQyxDQUFBO0lBQzlCLENBQUM7SUFBQyxPQUFNLEdBQUcsRUFBRSxDQUFDO1FBQ2IsOENBQThDO1FBQzlDLG9DQUFvQztRQUNwQyx1Q0FBdUM7UUFDdkMsa0NBQWtDO1FBQ2xDLHFEQUFxRDtRQUNyRCxJQUNDLENBQUMsQ0FBQyxHQUFHLFlBQVkscUJBQWEsQ0FBQztlQUM1QixDQUFBLE1BQUEsR0FBRyxDQUFDLElBQUksMENBQUUsSUFBSSxNQUFLLEdBQUcsRUFDeEIsQ0FBQztZQUNGLE1BQU0sR0FBRyxDQUFBO1FBQ1YsQ0FBQztRQUVELE1BQU0sS0FBSyxHQUFHLE1BQU0sZ0JBQWdCLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFBO1FBQy9DLE1BQU0sQ0FBQyxJQUFJLENBQ1YsRUFBRSxLQUFLLEVBQUUsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLEVBQUUsRUFDMUIsNkRBQTZELENBQzdELENBQUE7UUFFRCxLQUFJLE1BQU0sSUFBSSxJQUFJLEtBQUssRUFBRSxDQUFDO1lBQ3pCLElBQUksQ0FBQztnQkFDSixPQUFPLE1BQU0sVUFBVSxDQUFDLEVBQUUsR0FBRyxJQUFJLEVBQUUsSUFBSSxFQUFFLElBQUksRUFBRSxDQUFDLENBQUE7WUFDakQsQ0FBQztZQUFDLE9BQU0sR0FBRyxFQUFFLENBQUM7Z0JBQ2IsTUFBTSxDQUFDLEtBQUssQ0FDWCxFQUFFLElBQUksRUFBRSxHQUFHLEVBQUUsRUFDYiwyQkFBMkIsQ0FDM0IsQ0FBQTtZQUNGLENBQUM7UUFDRixDQUFDO1FBRUQsTUFBTSxHQUFHLENBQUE7SUFDVixDQUFDO0FBQ0YsQ0FBQztBQUVELEtBQUssVUFBVSxVQUFVLENBQ3hCLEVBQ0MsSUFBSSxFQUNKLElBQUksRUFDSixXQUFXLEVBQ1gsTUFBTSxFQUNLO0lBRVosTUFBTSxNQUFNLEdBQUcsSUFBSSxZQUFNLEVBQUUsQ0FBQTtJQUMzQixJQUFHLFdBQVcsSUFBSSxDQUFDLGVBQWUsRUFBRSxDQUFDO1FBQ3BDLE1BQU0sQ0FBQyxJQUFJLENBQ1YsRUFBRSxXQUFXLEVBQUUsRUFDZiw2Q0FBNkMsQ0FDN0MsQ0FBQTtRQUNELFdBQVcsR0FBRyxFQUFFLENBQUE7SUFDakIsQ0FBQztJQUVELElBQUcsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUNqQixNQUFNLENBQUMsT0FBTyxDQUFDLEVBQUUsSUFBSSxFQUFFLElBQUksR0FBRyxDQUFDLENBQUE7UUFDL0IsT0FBTyxNQUFNLENBQUE7SUFDZCxDQUFDO0lBRUQsSUFBRyxDQUFDLElBQUEsd0JBQWtCLEVBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztRQUNyQyxNQUFNLHFCQUFhLENBQUMsVUFBVSxDQUM3QixnQkFBZ0IsV0FBVyxpREFBaUQsRUFDNUUsRUFBRSxXQUFXLEVBQUUsQ0FDZixDQUFBO0lBQ0YsQ0FBQztJQUVELE1BQU0sUUFBUSxHQUFHLGVBQWdCLENBQUMsT0FBTyxDQUN4QyxpQkFBaUIsRUFDakIsQ0FBQSxXQUFXLGFBQVgsV0FBVyx1QkFBWCxXQUFXLENBQUUsV0FBVyxFQUFFLEtBQUksRUFBRSxDQUNoQyxDQUFBO0lBRUQsTUFBTSxLQUFLLEdBQUcsSUFBSSxtQ0FBZSxDQUFDLFFBQVEsQ0FBQyxDQUFBO0lBQzNDLE1BQU0sZUFBZSxHQUFHLElBQUksT0FBTyxDQUFrQixPQUFPLENBQUMsRUFBRTtRQUM5RCxhQUFhO1FBQ2IsTUFBTSxDQUFDLElBQUksQ0FBQyxjQUFjLEVBQUUsT0FBTyxDQUFDLENBQUE7SUFDckMsQ0FBQyxDQUFDLENBQUE7SUFFRixNQUFNLFdBQVcsR0FBRyxNQUFNLEtBQUssQ0FBQyxPQUFPO0lBQ3RDLG9DQUFvQztJQUNwQyxpQ0FBaUM7SUFDakMsYUFBYTtJQUNiLE1BQU0sRUFDTixFQUFFLElBQUksRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLDhCQUFxQixFQUFFLENBQzlDLENBQUE7SUFFRCxNQUFNLEdBQUcsR0FBRyxNQUFNLGVBQWUsQ0FBQTtJQUNqQyxJQUFHLEdBQUcsQ0FBQyxVQUFVLEtBQUssR0FBRyxFQUFFLENBQUM7UUFDM0IsTUFBTSxDQUFDLEtBQUssQ0FDWCxFQUFFLFdBQVcsRUFBRSxHQUFHLEVBQUUsRUFDcEIsMkJBQTJCLENBQzNCLENBQUE7UUFDRCxNQUFNLElBQUkscUJBQWEsQ0FDdEIsbUJBQW1CLEVBQ25CLDJCQUEyQixXQUFXLDhCQUE4QixHQUFHLENBQUMsVUFBVSxjQUFjLEdBQUcsQ0FBQyxVQUFVLEVBQUUsRUFDaEg7WUFDQyxJQUFJLEVBQUUsR0FBRyxDQUFDLFVBQVU7WUFDcEIsT0FBTyxFQUFFLEdBQUcsQ0FBQyxVQUFVO1NBQ3ZCLENBQ0QsQ0FBQTtJQUNGLENBQUM7SUFFRCxPQUFPLENBQUMsUUFBUSxDQUFDLEdBQUcsRUFBRTtRQUNyQixrQ0FBa0M7UUFDbEMsc0NBQXNDO1FBQ3RDLFdBQVcsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLENBQUE7SUFDNUIsQ0FBQyxDQUFDLENBQUE7SUFFRixPQUFPLFdBQVcsQ0FBQTtBQUNuQixDQUFDO0FBRUQsS0FBSyxVQUFVLGdCQUFnQixDQUFDLFFBQWdCO0lBQy9DLE9BQU8sSUFBSSxPQUFPLENBQVcsQ0FBQyxRQUFRLEVBQUUsTUFBTSxFQUFFLEVBQUU7UUFDakQsSUFBQSxhQUFPLEVBQUMsUUFBUSxFQUFFLENBQUMsR0FBRyxFQUFFLFNBQVMsRUFBRSxFQUFFO1lBQ3BDLElBQUcsR0FBRyxFQUFFLENBQUM7Z0JBQ1IsTUFBTSxDQUNMLElBQUksS0FBSyxDQUNSLCtCQUErQixRQUFRLEtBQUssR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUN6RCxDQUNELENBQUE7WUFDRixDQUFDO2lCQUFNLENBQUM7Z0JBQ1AsUUFBUSxDQUFDLFNBQVMsQ0FBQyxDQUFBO1lBQ3BCLENBQUM7UUFDRixDQUFDLENBQUMsQ0FBQTtJQUNILENBQUMsQ0FBQyxDQUFBO0FBQ0gsQ0FBQztBQUVELFNBQVMsYUFBYTtJQUNyQixJQUFBLGdCQUFVLEVBQUMsb0JBQVcsQ0FBQyxDQUFBO0FBQ3hCLENBQUMifQ==

package/lib/server/utils/apm.d.ts

@@ -0,0 +1,11 @@
+import { Agent } from 'elastic-apm-node';
+/**
+ * Initialises the APM agent if required,
+ * and returns it.
+ * If ELASTIC_APM_SERVER_URL & ELASTIC_APM_SECRET_TOKEN
+ * are not set will return undefined
+ *
+ * Utilises the standard env variables mentioned
+ * here: https://www.elastic.co/guide/en/apm/agent/nodejs/current/custom-stack.html#custom-stack-advanced-configuration
+ */
+export declare function getApm(): Agent | undefined;

package/lib/server/utils/apm.js

@@ -0,0 +1,39 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getApm = getApm;
+const elastic_apm_node_1 = __importDefault(require("elastic-apm-node"));
+const env_1 = require("src/utils/env");
+const logger_1 = require("src/utils/logger");
+let apm;
+/**
+ * Initialises the APM agent if required,
+ * and returns it.
+ * If ELASTIC_APM_SERVER_URL & ELASTIC_APM_SECRET_TOKEN
+ * are not set will return undefined
+ *
+ * Utilises the standard env variables mentioned
+ * here: https://www.elastic.co/guide/en/apm/agent/nodejs/current/custom-stack.html#custom-stack-advanced-configuration
+ */
+function getApm() {
+    if (!(0, env_1.getEnvVariable)('ELASTIC_APM_SERVER_URL') || !(0, env_1.getEnvVariable)('ELASTIC_APM_SECRET_TOKEN')) {
+        logger_1.logger.info('ELASTIC_APM_SERVER_URL or ELASTIC_APM_SECRET_TOKEN no found in env APM agent not initialised');
+        return undefined;
+    }
+    if (!apm) {
+        const sampleRate = +((0, env_1.getEnvVariable)('ELASTIC_APM_SAMPLE_RATE')
+            || '0.1');
+        apm = elastic_apm_node_1.default.start({
+            serviceName: 'reclaim_attestor',
+            serviceVersion: '2.0.0',
+            transactionSampleRate: sampleRate,
+            instrumentIncomingHTTPRequests: false,
+            instrument: true,
+        });
+        logger_1.logger.info('initialised APM agent');
+    }
+    return apm;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBtLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3NlcnZlci91dGlscy9hcG0udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFlQSx3QkFzQkM7QUFyQ0Qsd0VBQW9EO0FBQ3BELHVDQUE4QztBQUM5Qyw2Q0FBeUM7QUFFekMsSUFBSSxHQUFzQixDQUFBO0FBRTFCOzs7Ozs7OztHQVFHO0FBQ0gsU0FBZ0IsTUFBTTtJQUNyQixJQUFHLENBQUMsSUFBQSxvQkFBYyxFQUFDLHdCQUF3QixDQUFDLElBQUksQ0FBQyxJQUFBLG9CQUFjLEVBQUMsMEJBQTBCLENBQUMsRUFBRSxDQUFDO1FBQzdGLGVBQU0sQ0FBQyxJQUFJLENBQUMsOEZBQThGLENBQUMsQ0FBQTtRQUMzRyxPQUFPLFNBQVMsQ0FBQTtJQUNqQixDQUFDO0lBRUQsSUFBRyxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQ1QsTUFBTSxVQUFVLEdBQUcsQ0FBQyxDQUNuQixJQUFBLG9CQUFjLEVBQUMseUJBQXlCLENBQUM7ZUFDdEMsS0FBSyxDQUNSLENBQUE7UUFDRCxHQUFHLEdBQUcsMEJBQVUsQ0FBQyxLQUFLLENBQUM7WUFDdEIsV0FBVyxFQUFFLGtCQUFrQjtZQUMvQixjQUFjLEVBQUUsT0FBTztZQUN2QixxQkFBcUIsRUFBRSxVQUFVO1lBQ2pDLDhCQUE4QixFQUFFLEtBQUs7WUFDckMsVUFBVSxFQUFFLElBQUk7U0FDaEIsQ0FBQyxDQUFBO1FBQ0YsZUFBTSxDQUFDLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxDQUFBO0lBQ3JDLENBQUM7SUFFRCxPQUFPLEdBQUcsQ0FBQTtBQUNYLENBQUMifQ==

package/lib/server/utils/assert-valid-claim-request.d.ts

@@ -0,0 +1,29 @@
+import { ClaimTunnelRequest, InitRequest, ProviderClaimInfo } from 'src/proto/api';
+import { IDecryptedTranscript, Logger, TCPSocketProperties, Transcript, ZKEngine } from 'src/types';
+/**
+ * Asserts that the claim request is valid.
+ *
+ * 1. We begin by verifying the signature of the claim request.
+ * 2. Next, we produce the transcript of the TLS exchange
+ * from the proofs provided by the client.
+ * 3. We then pull the provider the client is trying to claim
+ * from
+ * 4. We then use the provider's verification function to verify
+ *  whether the claim is valid.
+ *
+ * If any of these steps fail, we throw an error.
+ */
+export declare function assertValidClaimRequest(request: ClaimTunnelRequest, metadata: InitRequest, logger: Logger): Promise<import("src/proto/api").ClaimRequestData>;
+/**
+ * Verify that the transcript contains a valid claim
+ * for the provider.
+ */
+export declare function assertValidProviderTranscript<T extends ProviderClaimInfo>(applData: Transcript<Uint8Array>, info: T): Promise<T>;
+/**
+ * Verify that the transcript provided by the client
+ * matches the transcript of the tunnel, the server
+ * has created.
+ */
+export declare function assertTranscriptsMatch(clientTranscript: ClaimTunnelRequest['transcript'], tunnelTranscript: TCPSocketProperties['transcript']): void;
+export declare function decryptTranscript(transcript: ClaimTunnelRequest['transcript'], logger: Logger, zkEngine: ZKEngine, serverIV: Uint8Array, clientIV: Uint8Array): Promise<IDecryptedTranscript>;
+export declare function getWithoutHeader(message: Uint8Array): Uint8Array;

package/lib/server/utils/assert-valid-claim-request.js

@@ -0,0 +1,189 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertValidClaimRequest = assertValidClaimRequest;
+exports.assertValidProviderTranscript = assertValidProviderTranscript;
+exports.assertTranscriptsMatch = assertTranscriptsMatch;
+exports.decryptTranscript = decryptTranscript;
+exports.getWithoutHeader = getWithoutHeader;
+const tls_1 = require("@reclaimprotocol/tls");
+const api_1 = require("src/proto/api");
+const providers_1 = require("src/providers");
+const generics_1 = require("src/server/utils/generics");
+const process_handshake_1 = require("src/server/utils/process-handshake");
+const utils_1 = require("src/utils");
+const signatures_1 = require("src/utils/signatures");
+/**
+ * Asserts that the claim request is valid.
+ *
+ * 1. We begin by verifying the signature of the claim request.
+ * 2. Next, we produce the transcript of the TLS exchange
+ * from the proofs provided by the client.
+ * 3. We then pull the provider the client is trying to claim
+ * from
+ * 4. We then use the provider's verification function to verify
+ *  whether the claim is valid.
+ *
+ * If any of these steps fail, we throw an error.
+ */
+async function assertValidClaimRequest(request, metadata, logger) {
+    var _a;
+    const { data, signatures: { requestSignature } = {}, zkEngine, fixedServerIV, fixedClientIV } = request;
+    if (!data) {
+        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', 'No info provided on claim request');
+    }
+    if (!(requestSignature === null || requestSignature === void 0 ? void 0 : requestSignature.length)) {
+        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', 'No signature provided on claim request');
+    }
+    // verify request signature
+    const serialisedReq = api_1.ClaimTunnelRequest
+        .encode({ ...request, signatures: undefined })
+        .finish();
+    const { verify: verifySig } = signatures_1.SIGNATURES[metadata.signatureType];
+    const verified = await verifySig(serialisedReq, requestSignature, data.owner);
+    if (!verified) {
+        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', 'Invalid signature on claim request');
+    }
+    const receipt = await decryptTranscript(request.transcript, logger, zkEngine === api_1.ZKProofEngine.ZK_ENGINE_GNARK ? 'gnark' : 'snarkJS', fixedServerIV, fixedClientIV);
+    const reqHost = (_a = request.request) === null || _a === void 0 ? void 0 : _a.host;
+    if (receipt.hostname !== reqHost) {
+        throw new Error(`Expected server name ${reqHost}, got ${receipt.hostname}`);
+    }
+    // get all application data messages
+    const applData = (0, utils_1.extractApplicationDataFromTranscript)(receipt);
+    const newData = await assertValidProviderTranscript(applData, data);
+    if (newData !== data) {
+        logger.info({ newData }, 'updated claim info');
+    }
+    return newData;
+}
+/**
+ * Verify that the transcript contains a valid claim
+ * for the provider.
+ */
+async function assertValidProviderTranscript(applData, info) {
+    var _a;
+    const providerName = info.provider;
+    const provider = providers_1.providers[providerName];
+    if (!provider) {
+        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', `Unsupported provider: ${providerName}`);
+    }
+    const params = (0, generics_1.niceParseJsonObject)(info.parameters, 'params');
+    const ctx = (0, generics_1.niceParseJsonObject)(info.context, 'context');
+    (0, utils_1.assertValidateProviderParams)(providerName, params);
+    const rslt = await provider.assertValidProviderReceipt(applData, params);
+    const extractedParameters = (rslt === null || rslt === void 0 ? void 0 : rslt.extractedParameters) || {};
+    if (!Object.keys(extractedParameters).length) {
+        return info;
+    }
+    const newInfo = { ...info };
+    ctx.extractedParameters = extractedParameters;
+    ctx.providerHash = (0, utils_1.hashProviderParams)(params);
+    newInfo.context = (_a = (0, utils_1.canonicalStringify)(ctx)) !== null && _a !== void 0 ? _a : '';
+    return newInfo;
+}
+/**
+ * Verify that the transcript provided by the client
+ * matches the transcript of the tunnel, the server
+ * has created.
+ */
+function assertTranscriptsMatch(clientTranscript, tunnelTranscript) {
+    const clientSends = (0, tls_1.concatenateUint8Arrays)(clientTranscript
+        .filter(m => m.sender === api_1.TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT)
+        .map(m => m.message));
+    const tunnelSends = (0, tls_1.concatenateUint8Arrays)(tunnelTranscript
+        .filter(m => m.sender === 'client')
+        .map(m => m.message));
+    if (!(0, tls_1.areUint8ArraysEqual)(clientSends, tunnelSends)) {
+        throw utils_1.AttestorError.badRequest('Outgoing messages from client do not match the tunnel transcript');
+    }
+    const clientRecvs = (0, tls_1.concatenateUint8Arrays)(clientTranscript
+        .filter(m => m.sender === api_1.TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER)
+        .map(m => m.message));
+    const tunnelRecvs = (0, tls_1.concatenateUint8Arrays)(tunnelTranscript
+        .filter(m => m.sender === 'server')
+        .map(m => m.message))
+        // We only need to compare the first N messages
+        // that the client claims to have received
+        // the rest are not relevant -- so even if they're
+        // not present in the tunnel transcript, it's fine
+        .slice(0, clientRecvs.length);
+    if (!(0, tls_1.areUint8ArraysEqual)(clientRecvs, tunnelRecvs)) {
+        throw utils_1.AttestorError.badRequest('Incoming messages from server do not match the tunnel transcript');
+    }
+}
+async function decryptTranscript(transcript, logger, zkEngine, serverIV, clientIV) {
+    const { tlsVersion, cipherSuite, hostname, nextMsgIndex } = await (0, process_handshake_1.processHandshake)(transcript, logger);
+    let clientRecordNumber = tlsVersion === 'TLS1_3' ? -1 : 0; // TLS 1.3 has already one record encrypted at this point
+    let serverRecordNumber = clientRecordNumber;
+    transcript = transcript.slice(nextMsgIndex);
+    const decryptedTranscript = [];
+    for (const [i, { sender, message, reveal: { zkReveal, directReveal } = {} }] of transcript.entries()) { //start with first message after last handshake message
+        await getDecryptedMessage(sender, message, directReveal, zkReveal, i);
+    }
+    return {
+        transcript: decryptedTranscript,
+        hostname: hostname,
+        tlsVersion: tlsVersion,
+    };
+    async function getDecryptedMessage(sender, message, directReveal, zkReveal, i) {
+        var _a, _b;
+        try {
+            const isServer = sender === api_1.TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER;
+            const recordHeader = message.slice(0, 5);
+            const content = getWithoutHeader(message);
+            if (isServer) {
+                serverRecordNumber++;
+            }
+            else {
+                clientRecordNumber++;
+            }
+            let redacted = true;
+            let plaintext = undefined;
+            let plaintextLength;
+            if ((_a = directReveal === null || directReveal === void 0 ? void 0 : directReveal.key) === null || _a === void 0 ? void 0 : _a.length) {
+                const result = await (0, utils_1.decryptDirect)(directReveal, cipherSuite, recordHeader, tlsVersion, content);
+                plaintext = result.plaintext;
+                redacted = false;
+                plaintextLength = plaintext.length;
+            }
+            else if ((_b = zkReveal === null || zkReveal === void 0 ? void 0 : zkReveal.proofs) === null || _b === void 0 ? void 0 : _b.length) {
+                const result = await (0, utils_1.verifyZkPacket)({
+                    ciphertext: content,
+                    zkReveal,
+                    logger,
+                    cipherSuite,
+                    zkEngine: zkEngine,
+                    iv: sender === api_1.TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER ? serverIV : clientIV,
+                    recordNumber: isServer ? serverRecordNumber : clientRecordNumber
+                });
+                plaintext = result.redactedPlaintext;
+                redacted = false;
+                plaintextLength = plaintext.length;
+            }
+            else {
+                plaintext = content;
+                plaintextLength = plaintext.length;
+            }
+            decryptedTranscript.push({
+                sender: sender === api_1.TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT
+                    ? 'client'
+                    : 'server',
+                redacted,
+                message: plaintext,
+                recordHeader,
+                plaintextLength,
+            });
+        }
+        catch (error) {
+            throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', `error in handling packet at idx ${i}: ${error}`, {
+                packetIdx: i,
+                error: error,
+            });
+        }
+    }
+}
+function getWithoutHeader(message) {
+    // strip the record header (xx 03 03 xx xx)
+    return message.slice(5);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXNzZXJ0LXZhbGlkLWNsYWltLXJlcXVlc3QuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvc2VydmVyL3V0aWxzL2Fzc2VydC12YWxpZC1jbGFpbS1yZXF1ZXN0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBNENBLDBEQWtFQztBQU1ELHNFQWtDQztBQU9ELHdEQTJDQztBQUVELDhDQThGQztBQUVELDRDQUdDO0FBN1NELDhDQUc2QjtBQUM3Qix1Q0FNc0I7QUFDdEIsNkNBQXlDO0FBQ3pDLHdEQUErRDtBQUMvRCwwRUFBcUU7QUFTckUscUNBTWtCO0FBQ2xCLHFEQUFpRDtBQUVqRDs7Ozs7Ozs7Ozs7O0dBWUc7QUFDSSxLQUFLLFVBQVUsdUJBQXVCLENBQzVDLE9BQTJCLEVBQzNCLFFBQXFCLEVBQ3JCLE1BQWM7O0lBRWQsTUFBTSxFQUNMLElBQUksRUFDSixVQUFVLEVBQUUsRUFBRSxnQkFBZ0IsRUFBRSxHQUFHLEVBQUUsRUFDckMsUUFBUSxFQUNSLGFBQWEsRUFDYixhQUFhLEVBQ2IsR0FBRyxPQUFPLENBQUE7SUFDWCxJQUFHLENBQUMsSUFBSSxFQUFFLENBQUM7UUFDVixNQUFNLElBQUkscUJBQWEsQ0FDdEIscUJBQXFCLEVBQ3JCLG1DQUFtQyxDQUNuQyxDQUFBO0lBQ0YsQ0FBQztJQUVELElBQUcsQ0FBQyxDQUFBLGdCQUFnQixhQUFoQixnQkFBZ0IsdUJBQWhCLGdCQUFnQixDQUFFLE1BQU0sQ0FBQSxFQUFFLENBQUM7UUFDOUIsTUFBTSxJQUFJLHFCQUFhLENBQ3RCLHFCQUFxQixFQUNyQix3Q0FBd0MsQ0FDeEMsQ0FBQTtJQUNGLENBQUM7SUFFRCwyQkFBMkI7SUFDM0IsTUFBTSxhQUFhLEdBQUcsd0JBQWtCO1NBQ3RDLE1BQU0sQ0FBQyxFQUFFLEdBQUcsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsQ0FBQztTQUM3QyxNQUFNLEVBQUUsQ0FBQTtJQUNWLE1BQU0sRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLEdBQUcsdUJBQVUsQ0FBQyxRQUFRLENBQUMsYUFBYSxDQUFDLENBQUE7SUFDaEUsTUFBTSxRQUFRLEdBQUcsTUFBTSxTQUFTLENBQy9CLGFBQWEsRUFDYixnQkFBZ0IsRUFDaEIsSUFBSSxDQUFDLEtBQUssQ0FDVixDQUFBO0lBQ0QsSUFBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO1FBQ2QsTUFBTSxJQUFJLHFCQUFhLENBQ3RCLHFCQUFxQixFQUNyQixvQ0FBb0MsQ0FDcEMsQ0FBQTtJQUNGLENBQUM7SUFFRCxNQUFNLE9BQU8sR0FBRyxNQUFNLGlCQUFpQixDQUN0QyxPQUFPLENBQUMsVUFBVSxFQUNsQixNQUFNLEVBQ04sUUFBUSxLQUFLLG1CQUFhLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLFNBQVMsRUFDaEUsYUFBYSxFQUNiLGFBQWEsQ0FDYixDQUFBO0lBQ0QsTUFBTSxPQUFPLEdBQUcsTUFBQSxPQUFPLENBQUMsT0FBTywwQ0FBRSxJQUFJLENBQUE7SUFDckMsSUFBRyxPQUFPLENBQUMsUUFBUSxLQUFLLE9BQU8sRUFBRSxDQUFDO1FBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQ2Qsd0JBQXdCLE9BQU8sU0FBUyxPQUFPLENBQUMsUUFBUSxFQUFFLENBQzFELENBQUE7SUFDRixDQUFDO0lBR0Qsb0NBQW9DO0lBQ3BDLE1BQU0sUUFBUSxHQUFHLElBQUEsNENBQW9DLEVBQUMsT0FBTyxDQUFDLENBQUE7SUFDOUQsTUFBTSxPQUFPLEdBQUcsTUFBTSw2QkFBNkIsQ0FBQyxRQUFRLEVBQUUsSUFBSSxDQUFDLENBQUE7SUFDbkUsSUFBRyxPQUFPLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDckIsTUFBTSxDQUFDLElBQUksQ0FBQyxFQUFFLE9BQU8sRUFBRSxFQUFFLG9CQUFvQixDQUFDLENBQUE7SUFDL0MsQ0FBQztJQUVELE9BQU8sT0FBTyxDQUFBO0FBQ2YsQ0FBQztBQUVEOzs7R0FHRztBQUNJLEtBQUssVUFBVSw2QkFBNkIsQ0FDbEQsUUFBZ0MsRUFDaEMsSUFBTzs7SUFFUCxNQUFNLFlBQVksR0FBRyxJQUFJLENBQUMsUUFBd0IsQ0FBQTtJQUNsRCxNQUFNLFFBQVEsR0FBRyxxQkFBUyxDQUFDLFlBQVksQ0FBQyxDQUFBO0lBQ3hDLElBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztRQUNkLE1BQU0sSUFBSSxxQkFBYSxDQUN0QixxQkFBcUIsRUFDckIseUJBQXlCLFlBQVksRUFBRSxDQUN2QyxDQUFBO0lBQ0YsQ0FBQztJQUVELE1BQU0sTUFBTSxHQUFHLElBQUEsOEJBQW1CLEVBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxRQUFRLENBQUMsQ0FBQTtJQUM3RCxNQUFNLEdBQUcsR0FBRyxJQUFBLDhCQUFtQixFQUFDLElBQUksQ0FBQyxPQUFPLEVBQUUsU0FBUyxDQUFDLENBQUE7SUFFeEQsSUFBQSxvQ0FBNEIsRUFBQyxZQUFZLEVBQUUsTUFBTSxDQUFDLENBQUE7SUFFbEQsTUFBTSxJQUFJLEdBQUcsTUFBTSxRQUFRLENBQUMsMEJBQTBCLENBQ3JELFFBQVEsRUFDUixNQUFNLENBQ04sQ0FBQTtJQUVELE1BQU0sbUJBQW1CLEdBQUcsQ0FBQSxJQUFJLGFBQUosSUFBSSx1QkFBSixJQUFJLENBQUUsbUJBQW1CLEtBQUksRUFBRSxDQUFBO0lBQzNELElBQUcsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLG1CQUFtQixDQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDN0MsT0FBTyxJQUFJLENBQUE7SUFDWixDQUFDO0lBRUQsTUFBTSxPQUFPLEdBQUcsRUFBRSxHQUFHLElBQUksRUFBRSxDQUFBO0lBQzNCLEdBQUcsQ0FBQyxtQkFBbUIsR0FBRyxtQkFBbUIsQ0FBQTtJQUM3QyxHQUFHLENBQUMsWUFBWSxHQUFHLElBQUEsMEJBQWtCLEVBQUMsTUFBTSxDQUFDLENBQUE7SUFDN0MsT0FBTyxDQUFDLE9BQU8sR0FBRyxNQUFBLElBQUEsMEJBQWtCLEVBQUMsR0FBRyxDQUFDLG1DQUFJLEVBQUUsQ0FBQTtJQUUvQyxPQUFPLE9BQU8sQ0FBQTtBQUNmLENBQUM7QUFFRDs7OztHQUlHO0FBQ0gsU0FBZ0Isc0JBQXNCLENBQ3JDLGdCQUFrRCxFQUNsRCxnQkFBbUQ7SUFFbkQsTUFBTSxXQUFXLEdBQUcsSUFBQSw0QkFBc0IsRUFDekMsZ0JBQWdCO1NBQ2QsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLE1BQU0sS0FBSyxpQ0FBMkIsQ0FBQyxxQ0FBcUMsQ0FBQztTQUMzRixHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLENBQ3JCLENBQUE7SUFFRCxNQUFNLFdBQVcsR0FBRyxJQUFBLDRCQUFzQixFQUN6QyxnQkFBZ0I7U0FDZCxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsTUFBTSxLQUFLLFFBQVEsQ0FBQztTQUNsQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLENBQ3JCLENBQUE7SUFFRCxJQUFHLENBQUMsSUFBQSx5QkFBbUIsRUFBQyxXQUFXLEVBQUUsV0FBVyxDQUFDLEVBQUUsQ0FBQztRQUNuRCxNQUFNLHFCQUFhLENBQUMsVUFBVSxDQUM3QixrRUFBa0UsQ0FDbEUsQ0FBQTtJQUNGLENBQUM7SUFFRCxNQUFNLFdBQVcsR0FBRyxJQUFBLDRCQUFzQixFQUN6QyxnQkFBZ0I7U0FDZCxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsTUFBTSxLQUFLLGlDQUEyQixDQUFDLHFDQUFxQyxDQUFDO1NBQzNGLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FDckIsQ0FBQTtJQUVELE1BQU0sV0FBVyxHQUFHLElBQUEsNEJBQXNCLEVBQ3pDLGdCQUFnQjtTQUNkLE1BQU0sQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxNQUFNLEtBQUssUUFBUSxDQUFDO1NBQ2xDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FDckI7UUFDQSwrQ0FBK0M7UUFDL0MsMENBQTBDO1FBQzFDLGtEQUFrRDtRQUNsRCxrREFBa0Q7U0FDakQsS0FBSyxDQUFDLENBQUMsRUFBRSxXQUFXLENBQUMsTUFBTSxDQUFDLENBQUE7SUFDOUIsSUFBRyxDQUFDLElBQUEseUJBQW1CLEVBQUMsV0FBVyxFQUFFLFdBQVcsQ0FBQyxFQUFFLENBQUM7UUFDbkQsTUFBTSxxQkFBYSxDQUFDLFVBQVUsQ0FDN0Isa0VBQWtFLENBQ2xFLENBQUE7SUFDRixDQUFDO0FBQ0YsQ0FBQztBQUVNLEtBQUssVUFBVSxpQkFBaUIsQ0FDdEMsVUFBNEMsRUFDNUMsTUFBYyxFQUNkLFFBQWtCLEVBQ2xCLFFBQW9CLEVBQ3BCLFFBQW9CO0lBR3BCLE1BQU0sRUFBRSxVQUFVLEVBQUUsV0FBVyxFQUFFLFFBQVEsRUFBRSxZQUFZLEVBQUUsR0FBRyxNQUFNLElBQUEsb0NBQWdCLEVBQUMsVUFBVSxFQUFFLE1BQU0sQ0FBQyxDQUFBO0lBRXRHLElBQUksa0JBQWtCLEdBQUcsVUFBVSxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQSxDQUFDLHlEQUF5RDtJQUNuSCxJQUFJLGtCQUFrQixHQUFHLGtCQUFrQixDQUFBO0lBRTNDLFVBQVUsR0FBRyxVQUFVLENBQUMsS0FBSyxDQUFDLFlBQVksQ0FBQyxDQUFBO0lBRTNDLE1BQU0sbUJBQW1CLEdBQWtDLEVBQUUsQ0FBQTtJQUU3RCxLQUFJLE1BQU0sQ0FBQyxDQUFDLEVBQUUsRUFDYixNQUFNLEVBQ04sT0FBTyxFQUNQLE1BQU0sRUFBRSxFQUFFLFFBQVEsRUFBRSxZQUFZLEVBQUUsR0FBRyxFQUFFLEVBQ3ZDLENBQUMsSUFBSSxVQUFVLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQyxDQUFDLHVEQUF1RDtRQUNwRixNQUFNLG1CQUFtQixDQUFDLE1BQU0sRUFBRSxPQUFPLEVBQUUsWUFBWSxFQUFFLFFBQVEsRUFBRSxDQUFDLENBQUMsQ0FBQTtJQUN0RSxDQUFDO0lBR0QsT0FBTztRQUNOLFVBQVUsRUFBRSxtQkFBbUI7UUFDL0IsUUFBUSxFQUFFLFFBQVE7UUFDbEIsVUFBVSxFQUFFLFVBQVU7S0FDdEIsQ0FBQTtJQUdELEtBQUssVUFBVSxtQkFBbUIsQ0FBQyxNQUFtQyxFQUFFLE9BQW1CLEVBQUUsWUFBWSxFQUFFLFFBQVEsRUFBRSxDQUFTOztRQUM3SCxJQUFJLENBQUM7WUFDSixNQUFNLFFBQVEsR0FBRyxNQUFNLEtBQUssaUNBQTJCLENBQUMscUNBQXFDLENBQUE7WUFDN0YsTUFBTSxZQUFZLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUE7WUFDeEMsTUFBTSxPQUFPLEdBQUcsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUE7WUFDekMsSUFBRyxRQUFRLEVBQUUsQ0FBQztnQkFDYixrQkFBa0IsRUFBRSxDQUFBO1lBQ3JCLENBQUM7aUJBQU0sQ0FBQztnQkFDUCxrQkFBa0IsRUFBRSxDQUFBO1lBQ3JCLENBQUM7WUFFRCxJQUFJLFFBQVEsR0FBRyxJQUFJLENBQUE7WUFDbkIsSUFBSSxTQUFTLEdBQTJCLFNBQVMsQ0FBQTtZQUNqRCxJQUFJLGVBQXVCLENBQUE7WUFFM0IsSUFBRyxNQUFBLFlBQVksYUFBWixZQUFZLHVCQUFaLFlBQVksQ0FBRSxHQUFHLDBDQUFFLE1BQU0sRUFBRSxDQUFDO2dCQUM5QixNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUEscUJBQWEsRUFBQyxZQUFZLEVBQUUsV0FBVyxFQUFFLFlBQVksRUFBRSxVQUFVLEVBQUUsT0FBTyxDQUFDLENBQUE7Z0JBQ2hHLFNBQVMsR0FBRyxNQUFNLENBQUMsU0FBUyxDQUFBO2dCQUM1QixRQUFRLEdBQUcsS0FBSyxDQUFBO2dCQUNoQixlQUFlLEdBQUcsU0FBUyxDQUFDLE1BQU0sQ0FBQTtZQUNuQyxDQUFDO2lCQUFNLElBQUcsTUFBQSxRQUFRLGFBQVIsUUFBUSx1QkFBUixRQUFRLENBQUUsTUFBTSwwQ0FBRSxNQUFNLEVBQUUsQ0FBQztnQkFDcEMsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFBLHNCQUFjLEVBQ2xDO29CQUNDLFVBQVUsRUFBRSxPQUFPO29CQUNuQixRQUFRO29CQUNSLE1BQU07b0JBQ04sV0FBVztvQkFDWCxRQUFRLEVBQUUsUUFBUTtvQkFDbEIsRUFBRSxFQUFFLE1BQU0sS0FBSyxpQ0FBMkIsQ0FBQyxxQ0FBcUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxRQUFRO29CQUN0RyxZQUFZLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsa0JBQWtCO2lCQUNoRSxDQUNELENBQUE7Z0JBQ0QsU0FBUyxHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQTtnQkFDcEMsUUFBUSxHQUFHLEtBQUssQ0FBQTtnQkFDaEIsZUFBZSxHQUFHLFNBQVMsQ0FBQyxNQUFNLENBQUE7WUFDbkMsQ0FBQztpQkFBTSxDQUFDO2dCQUNQLFNBQVMsR0FBRyxPQUFPLENBQUE7Z0JBQ25CLGVBQWUsR0FBRyxTQUFTLENBQUMsTUFBTSxDQUFBO1lBQ25DLENBQUM7WUFFRCxtQkFBbUIsQ0FBQyxJQUFJLENBQUM7Z0JBQ3hCLE1BQU0sRUFBRSxNQUFNLEtBQUssaUNBQTJCLENBQUMscUNBQXFDO29CQUNuRixDQUFDLENBQUMsUUFBUTtvQkFDVixDQUFDLENBQUMsUUFBUTtnQkFDWCxRQUFRO2dCQUNSLE9BQU8sRUFBRSxTQUFTO2dCQUNsQixZQUFZO2dCQUNaLGVBQWU7YUFDZixDQUFDLENBQUE7UUFFSCxDQUFDO1FBQUMsT0FBTSxLQUFLLEVBQUUsQ0FBQztZQUNmLE1BQU0sSUFBSSxxQkFBYSxDQUN0QixxQkFBcUIsRUFDckIsbUNBQW1DLENBQUMsS0FBSyxLQUFLLEVBQUUsRUFDaEQ7Z0JBQ0MsU0FBUyxFQUFFLENBQUM7Z0JBQ1osS0FBSyxFQUFFLEtBQUs7YUFDWixDQUNELENBQUE7UUFDRixDQUFDO0lBQ0YsQ0FBQztBQUNGLENBQUM7QUFFRCxTQUFnQixnQkFBZ0IsQ0FBQyxPQUFtQjtJQUNuRCwyQ0FBMkM7SUFDM0MsT0FBTyxPQUFPLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFBO0FBQ3hCLENBQUMifQ==

package/lib/server/utils/config-env.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/server/utils/config-env.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const dotenv_1 = require("dotenv");
+const env_1 = require("src/utils/env");
+const nodeEnv = (0, env_1.getEnvVariable)('NODE_ENV') || 'development';
+(0, dotenv_1.config)({ path: `.env.${nodeEnv}` });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLWVudi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9zZXJ2ZXIvdXRpbHMvY29uZmlnLWVudi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLG1DQUErQjtBQUMvQix1Q0FBOEM7QUFFOUMsTUFBTSxPQUFPLEdBQUcsSUFBQSxvQkFBYyxFQUFDLFVBQVUsQ0FBQyxJQUFJLGFBQWEsQ0FBQTtBQUMzRCxJQUFBLGVBQU0sRUFBQyxFQUFFLElBQUksRUFBRSxRQUFRLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQSJ9

package/lib/server/utils/generics.d.ts

@@ -0,0 +1,22 @@
+import { IncomingMessage } from 'http';
+import { ServiceSignatureType } from 'src/proto/api';
+/**
+ * Sign message using the PRIVATE_KEY env var.
+ */
+export declare function signAsAttestor(data: Uint8Array | string, scheme: ServiceSignatureType): Uint8Array | Promise<Uint8Array>;
+/**
+ * Obtain the address on chain, from the PRIVATE_KEY env var.
+ */
+export declare function getAttestorAddress(scheme: ServiceSignatureType): string;
+/**
+ * Nice parse JSON with a key.
+ * If the data is empty, returns an empty object.
+ * And if the JSON is invalid, throws a bad request error,
+ * with the key in the error message.
+ */
+export declare function niceParseJsonObject(data: string, key: string): any;
+/**
+ * Extract any initial messages sent via the query string,
+ * in the `messages` parameter.
+ */
+export declare function getInitialMessagesFromQuery(req: IncomingMessage): import("src/proto/api").RPCMessage[];

package/lib/server/utils/generics.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signAsAttestor = signAsAttestor;
+exports.getAttestorAddress = getAttestorAddress;
+exports.niceParseJsonObject = niceParseJsonObject;
+exports.getInitialMessagesFromQuery = getInitialMessagesFromQuery;
+const tls_1 = require("@reclaimprotocol/tls");
+const api_1 = require("src/proto/api");
+const utils_1 = require("src/utils");
+const env_1 = require("src/utils/env");
+const signatures_1 = require("src/utils/signatures");
+const PRIVATE_KEY = (0, env_1.getEnvVariable)('PRIVATE_KEY');
+/**
+ * Sign message using the PRIVATE_KEY env var.
+ */
+function signAsAttestor(data, scheme) {
+    const { sign } = signatures_1.SIGNATURES[scheme];
+    return sign(typeof data === 'string' ? (0, tls_1.strToUint8Array)(data) : data, PRIVATE_KEY);
+}
+/**
+ * Obtain the address on chain, from the PRIVATE_KEY env var.
+ */
+function getAttestorAddress(scheme) {
+    const { getAddress, getPublicKey } = signatures_1.SIGNATURES[scheme];
+    const publicKey = getPublicKey(PRIVATE_KEY);
+    return getAddress(publicKey);
+}
+/**
+ * Nice parse JSON with a key.
+ * If the data is empty, returns an empty object.
+ * And if the JSON is invalid, throws a bad request error,
+ * with the key in the error message.
+ */
+function niceParseJsonObject(data, key) {
+    if (!data) {
+        return {};
+    }
+    try {
+        return JSON.parse(data);
+    }
+    catch (e) {
+        throw utils_1.AttestorError.badRequest(`Invalid JSON in ${key}: ${e.message}`);
+    }
+}
+/**
+ * Extract any initial messages sent via the query string,
+ * in the `messages` parameter.
+ */
+function getInitialMessagesFromQuery(req) {
+    const url = new URL(req.url, 'http://localhost');
+    const messagesB64 = url.searchParams.get('messages');
+    if (!(messagesB64 === null || messagesB64 === void 0 ? void 0 : messagesB64.length)) {
+        return [];
+    }
+    const msgsBytes = Buffer.from(messagesB64, 'base64');
+    const msgs = api_1.RPCMessages.decode(msgsBytes);
+    return msgs.messages;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJpY3MuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvc2VydmVyL3V0aWxzL2dlbmVyaWNzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBWUEsd0NBU0M7QUFLRCxnREFJQztBQVFELGtEQVlDO0FBTUQsa0VBVUM7QUFsRUQsOENBQXNEO0FBRXRELHVDQUFpRTtBQUNqRSxxQ0FBeUM7QUFDekMsdUNBQThDO0FBQzlDLHFEQUFpRDtBQUVqRCxNQUFNLFdBQVcsR0FBRyxJQUFBLG9CQUFjLEVBQUMsYUFBYSxDQUFFLENBQUE7QUFFbEQ7O0dBRUc7QUFDSCxTQUFnQixjQUFjLENBQzdCLElBQXlCLEVBQ3pCLE1BQTRCO0lBRTVCLE1BQU0sRUFBRSxJQUFJLEVBQUUsR0FBRyx1QkFBVSxDQUFDLE1BQU0sQ0FBQyxDQUFBO0lBQ25DLE9BQU8sSUFBSSxDQUNWLE9BQU8sSUFBSSxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUMsSUFBQSxxQkFBZSxFQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQ3ZELFdBQVcsQ0FDWCxDQUFBO0FBQ0YsQ0FBQztBQUVEOztHQUVHO0FBQ0gsU0FBZ0Isa0JBQWtCLENBQUMsTUFBNEI7SUFDOUQsTUFBTSxFQUFFLFVBQVUsRUFBRSxZQUFZLEVBQUUsR0FBRyx1QkFBVSxDQUFDLE1BQU0sQ0FBQyxDQUFBO0lBQ3ZELE1BQU0sU0FBUyxHQUFHLFlBQVksQ0FBQyxXQUFXLENBQUMsQ0FBQTtJQUMzQyxPQUFPLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQTtBQUM3QixDQUFDO0FBRUQ7Ozs7O0dBS0c7QUFDSCxTQUFnQixtQkFBbUIsQ0FBQyxJQUFZLEVBQUUsR0FBVztJQUM1RCxJQUFHLENBQUMsSUFBSSxFQUFFLENBQUM7UUFDVixPQUFPLEVBQUUsQ0FBQTtJQUNWLENBQUM7SUFFRCxJQUFJLENBQUM7UUFDSixPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLENBQUE7SUFDeEIsQ0FBQztJQUFDLE9BQU0sQ0FBQyxFQUFFLENBQUM7UUFDWCxNQUFNLHFCQUFhLENBQUMsVUFBVSxDQUM3QixtQkFBbUIsR0FBRyxLQUFLLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FDdEMsQ0FBQTtJQUNGLENBQUM7QUFDRixDQUFDO0FBRUQ7OztHQUdHO0FBQ0gsU0FBZ0IsMkJBQTJCLENBQUMsR0FBb0I7SUFDL0QsTUFBTSxHQUFHLEdBQUcsSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLEdBQUksRUFBRSxrQkFBa0IsQ0FBQyxDQUFBO0lBQ2pELE1BQU0sV0FBVyxHQUFHLEdBQUcsQ0FBQyxZQUFZLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxDQUFBO0lBQ3BELElBQUcsQ0FBQyxDQUFBLFdBQVcsYUFBWCxXQUFXLHVCQUFYLFdBQVcsQ0FBRSxNQUFNLENBQUEsRUFBRSxDQUFDO1FBQ3pCLE9BQU8sRUFBRSxDQUFBO0lBQ1YsQ0FBQztJQUVELE1BQU0sU0FBUyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxDQUFBO0lBQ3BELE1BQU0sSUFBSSxHQUFHLGlCQUFXLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFBO0lBQzFDLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQTtBQUNyQixDQUFDIn0=

package/lib/server/utils/iso.d.ts

@@ -0,0 +1 @@
+export declare function isValidCountryCode(countryCode: string): boolean;