@reclaimprotocol/attestor-core 4.0.3 → 5.0.1-beta.10

package/lib/server/utils/assert-valid-claim-request.js

@@ -1,200 +1,354 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.assertValidClaimRequest = assertValidClaimRequest;
-exports.assertValidProviderTranscript = assertValidProviderTranscript;
-exports.assertTranscriptsMatch = assertTranscriptsMatch;
-exports.decryptTranscript = decryptTranscript;
-exports.getWithoutHeader = getWithoutHeader;
-const tls_1 = require("@reclaimprotocol/tls");
-const api_1 = require("../../proto/api");
-const providers_1 = require("../../providers");
-const generics_1 = require("../../server/utils/generics");
-const process_handshake_1 = require("../../server/utils/process-handshake");
-const utils_1 = require("../../utils");
-const signatures_1 = require("../../utils/signatures");
-/**
- * Asserts that the claim request is valid.
- *
- * 1. We begin by verifying the signature of the claim request.
- * 2. Next, we produce the transcript of the TLS exchange
- * from the proofs provided by the client.
- * 3. We then pull the provider the client is trying to claim
- * from
- * 4. We then use the provider's verification function to verify
- *  whether the claim is valid.
- *
- * If any of these steps fail, we throw an error.
- */
+import { areUint8ArraysEqual, concatenateUint8Arrays } from "@reclaimprotocol/tls";
+import { ClaimTunnelRequest, TranscriptMessageSenderType } from "../../proto/api.js";
+import { providers } from "../../providers/index.js";
+import { niceParseJsonObject } from "../../server/utils/generics.js";
+import { computeOPRFRaw } from "../../server/utils/oprf-raw.js";
+import { processHandshake } from "../../server/utils/process-handshake.js";
+import { assertValidateProviderParams } from "../../server/utils/validation.js";
+import {
+  AttestorError,
+  binaryHashToStr,
+  canonicalStringify,
+  decryptDirect,
+  extractApplicationDataFromTranscript,
+  hashProviderParams,
+  SIGNATURES,
+  verifyZkPacket
+} from "../../utils/index.js";
+import { getEngineString } from "../../utils/zk.js";
 async function assertValidClaimRequest(request, metadata, logger) {
-    var _a;
-    const { data, signatures: { requestSignature } = {}, zkEngine, fixedServerIV, fixedClientIV } = request;
-    if (!data) {
-        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', 'No info provided on claim request');
-    }
-    if (!(requestSignature === null || requestSignature === void 0 ? void 0 : requestSignature.length)) {
-        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', 'No signature provided on claim request');
-    }
-    // verify request signature
-    const serialisedReq = api_1.ClaimTunnelRequest
-        .encode({ ...request, signatures: undefined })
-        .finish();
-    const { verify: verifySig } = signatures_1.SIGNATURES[metadata.signatureType];
-    const verified = await verifySig(serialisedReq, requestSignature, data.owner);
-    if (!verified) {
-        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', 'Invalid signature on claim request');
-    }
-    const receipt = await decryptTranscript(request.transcript, logger, zkEngine === api_1.ZKProofEngine.ZK_ENGINE_GNARK ? 'gnark' : 'snarkjs', fixedServerIV, fixedClientIV);
-    const reqHost = (_a = request.request) === null || _a === void 0 ? void 0 : _a.host;
-    if (receipt.hostname !== reqHost) {
-        throw new Error(`Expected server name ${reqHost}, got ${receipt.hostname}`);
-    }
-    // get all application data messages
-    const applData = (0, utils_1.extractApplicationDataFromTranscript)(receipt);
-    const newData = await assertValidProviderTranscript(applData, data, logger, { version: metadata.clientVersion });
-    if (newData !== data) {
-        logger.info({ newData }, 'updated claim info');
-    }
-    return newData;
+  const {
+    data,
+    signatures: { requestSignature } = {},
+    zkEngine,
+    fixedServerIV,
+    fixedClientIV
+  } = request;
+  if (!data) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      "No info provided on claim request"
+    );
+  }
+  if (!requestSignature?.length) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      "No signature provided on claim request"
+    );
+  }
+  const serialisedReq = ClaimTunnelRequest.encode({ ...request, signatures: void 0 }).finish();
+  const { verify: verifySig } = SIGNATURES[metadata.signatureType];
+  const verified = await verifySig(serialisedReq, requestSignature, data.owner);
+  if (!verified) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      "Invalid signature on claim request"
+    );
+  }
+  const receipt = await decryptTranscript(
+    request.transcript,
+    logger,
+    getEngineString(zkEngine),
+    fixedServerIV,
+    fixedClientIV
+  );
+  const reqHost = request.request?.host;
+  if (receipt.hostname !== reqHost) {
+    throw new Error(
+      `Expected server name ${reqHost}, got ${receipt.hostname}`
+    );
+  }
+  const applData = extractApplicationDataFromTranscript(receipt);
+  const newData = await assertValidProviderTranscript(
+    applData,
+    data,
+    logger,
+    { version: metadata.clientVersion },
+    receipt.oprfRawReplacements
+  );
+  if (newData !== data) {
+    logger.info({ newData }, "updated claim info");
+  }
+  return newData;
 }
-/**
- * Verify that the transcript contains a valid claim
- * for the provider.
- */
-async function assertValidProviderTranscript(applData, info, logger, providerCtx) {
-    var _a;
-    const providerName = info.provider;
-    const provider = providers_1.providers[providerName];
-    if (!provider) {
-        throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', `Unsupported provider: ${providerName}`);
-    }
-    const params = (0, generics_1.niceParseJsonObject)(info.parameters, 'params');
-    const ctx = (0, generics_1.niceParseJsonObject)(info.context, 'context');
-    (0, utils_1.assertValidateProviderParams)(providerName, params);
-    const rslt = await provider.assertValidProviderReceipt({
-        receipt: applData,
-        params,
-        logger,
-        ctx: providerCtx
-    });
-    ctx.providerHash = (0, utils_1.hashProviderParams)(params);
-    const extractedParameters = (rslt === null || rslt === void 0 ? void 0 : rslt.extractedParameters) || {};
-    if (Object.keys(extractedParameters).length) {
-        ctx.extractedParameters = extractedParameters;
+async function assertValidProviderTranscript(applData, info, logger, providerCtx, oprfRawReplacements) {
+  const providerName = info.provider;
+  const provider = providers[providerName];
+  if (!provider) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `Unsupported provider: ${providerName}`
+    );
+  }
+  let params = niceParseJsonObject(info.parameters, "params");
+  const ctx = niceParseJsonObject(info.context, "context");
+  if (oprfRawReplacements?.length) {
+    let strParams = canonicalStringify(params) ?? "{}";
+    for (const { originalText, nullifierText } of oprfRawReplacements) {
+      strParams = strParams.replaceAll(originalText, nullifierText);
     }
-    info.context = (_a = (0, utils_1.canonicalStringify)(ctx)) !== null && _a !== void 0 ? _a : '';
-    return info;
+    params = JSON.parse(strParams);
+    info.parameters = strParams;
+    logger.debug(
+      { replacements: oprfRawReplacements.length },
+      "applied oprf-raw parameter replacements"
+    );
+  }
+  assertValidateProviderParams(providerName, params);
+  const rslt = await provider.assertValidProviderReceipt({
+    receipt: applData,
+    params,
+    logger,
+    ctx: providerCtx
+  });
+  ctx.providerHash = hashProviderParams(params);
+  const extractedParameters = rslt?.extractedParameters || {};
+  if (Object.keys(extractedParameters).length) {
+    ctx.extractedParameters = extractedParameters;
+  }
+  info.context = canonicalStringify(ctx) ?? "";
+  return info;
 }
-/**
- * Verify that the transcript provided by the client
- * matches the transcript of the tunnel, the server
- * has created.
- */
 function assertTranscriptsMatch(clientTranscript, tunnelTranscript) {
-    const clientSends = (0, tls_1.concatenateUint8Arrays)(clientTranscript
-        .filter(m => m.sender === api_1.TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT)
-        .map(m => m.message));
-    const tunnelSends = (0, tls_1.concatenateUint8Arrays)(tunnelTranscript
-        .filter(m => m.sender === 'client')
-        .map(m => m.message));
-    if (!(0, tls_1.areUint8ArraysEqual)(clientSends, tunnelSends)) {
-        throw utils_1.AttestorError.badRequest('Outgoing messages from client do not match the tunnel transcript');
-    }
-    const clientRecvs = (0, tls_1.concatenateUint8Arrays)(clientTranscript
-        .filter(m => m.sender === api_1.TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER)
-        .map(m => m.message));
-    const tunnelRecvs = (0, tls_1.concatenateUint8Arrays)(tunnelTranscript
-        .filter(m => m.sender === 'server')
-        .map(m => m.message))
-        // We only need to compare the first N messages
-        // that the client claims to have received
-        // the rest are not relevant -- so even if they're
-        // not present in the tunnel transcript, it's fine
-        .slice(0, clientRecvs.length);
-    if (!(0, tls_1.areUint8ArraysEqual)(clientRecvs, tunnelRecvs)) {
-        throw utils_1.AttestorError.badRequest('Incoming messages from server do not match the tunnel transcript');
-    }
+  const clientSends = concatenateUint8Arrays(
+    clientTranscript.filter((m) => m.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT).map((m) => m.message)
+  );
+  const tunnelSends = concatenateUint8Arrays(
+    tunnelTranscript.filter((m) => m.sender === "client").map((m) => m.message)
+  );
+  if (!areUint8ArraysEqual(clientSends, tunnelSends)) {
+    throw AttestorError.badRequest(
+      "Outgoing messages from client do not match the tunnel transcript"
+    );
+  }
+  const clientRecvs = concatenateUint8Arrays(
+    clientTranscript.filter((m) => m.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER).map((m) => m.message)
+  );
+  const tunnelRecvs = concatenateUint8Arrays(
+    tunnelTranscript.filter((m) => m.sender === "server").map((m) => m.message)
+  ).slice(0, clientRecvs.length);
+  if (!areUint8ArraysEqual(clientRecvs, tunnelRecvs)) {
+    throw AttestorError.badRequest(
+      "Incoming messages from server do not match the tunnel transcript"
+    );
+  }
 }
 async function decryptTranscript(transcript, logger, zkEngine, serverIV, clientIV) {
-    const { tlsVersion, cipherSuite, hostname, nextMsgIndex } = await (0, process_handshake_1.processHandshake)(transcript, logger);
-    let clientRecordNumber = tlsVersion === 'TLS1_3' ? -1 : 0; // TLS 1.3 has already one record encrypted at this point
-    let serverRecordNumber = clientRecordNumber;
-    transcript = transcript.slice(nextMsgIndex);
-    const decryptedTranscript = [];
-    for (const [i, { sender, message, reveal: { zkReveal, directReveal } = {} }] of transcript.entries()) {
-        //start with first message after last handshake message
-        await getDecryptedMessage(sender, message, directReveal, zkReveal, i);
+  const {
+    tlsVersion,
+    cipherSuite,
+    hostname,
+    nextMsgIndex
+  } = await processHandshake(transcript, logger);
+  let clientRecordNumber = tlsVersion === "TLS1_3" ? -1 : 0;
+  let serverRecordNumber = clientRecordNumber;
+  transcript = transcript.slice(nextMsgIndex);
+  const overshotMap = {};
+  const decryptedTranscript = [];
+  const oprfRawReplacements = [];
+  const pendingOprfRaw = {};
+  for (const [i, {
+    sender,
+    message,
+    reveal: { zkReveal, directReveal } = {}
+  }] of transcript.entries()) {
+    try {
+      await decryptMessage(sender, message, directReveal, zkReveal, i);
+    } catch (error) {
+      const err = new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        `error in handling packet at idx ${i}: ${error}`,
+        { packetIdx: i, error }
+      );
+      if (error.stack) {
+        err.stack = error.stack;
+      }
+      throw err;
     }
-    return {
-        transcript: decryptedTranscript,
-        hostname: hostname,
-        tlsVersion: tlsVersion,
-    };
-    async function getDecryptedMessage(sender, message, directReveal, zkReveal, i) {
-        var _a, _b;
-        try {
-            const isServer = sender === api_1.TranscriptMessageSenderType
-                .TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER;
-            const recordHeader = message.slice(0, 5);
-            const content = getWithoutHeader(message);
-            if (isServer) {
-                serverRecordNumber++;
-            }
-            else {
-                clientRecordNumber++;
-            }
-            let redacted = true;
-            let plaintext = undefined;
-            let plaintextLength;
-            if ((_a = directReveal === null || directReveal === void 0 ? void 0 : directReveal.key) === null || _a === void 0 ? void 0 : _a.length) {
-                const result = await (0, utils_1.decryptDirect)(directReveal, cipherSuite, recordHeader, tlsVersion, content);
-                plaintext = result.plaintext;
-                redacted = false;
-                plaintextLength = plaintext.length;
-            }
-            else if ((_b = zkReveal === null || zkReveal === void 0 ? void 0 : zkReveal.proofs) === null || _b === void 0 ? void 0 : _b.length) {
-                const result = await (0, utils_1.verifyZkPacket)({
-                    ciphertext: content,
-                    zkReveal,
-                    logger,
-                    cipherSuite,
-                    zkEngine: zkEngine,
-                    iv: sender === api_1.TranscriptMessageSenderType
-                        .TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER
-                        ? serverIV
-                        : clientIV,
-                    recordNumber: isServer
-                        ? serverRecordNumber
-                        : clientRecordNumber
-                });
-                plaintext = result.redactedPlaintext;
-                redacted = false;
-                plaintextLength = plaintext.length;
-            }
-            else {
-                plaintext = content;
-                plaintextLength = plaintext.length;
+  }
+  const remainingPending = Object.keys(pendingOprfRaw);
+  if (remainingPending.length) {
+    throw new AttestorError(
+      "ERROR_INVALID_CLAIM",
+      `oprf-raw cross-block markers incomplete: pending for packets ${remainingPending.join(", ")}`
+    );
+  }
+  return {
+    transcript: decryptedTranscript,
+    hostname,
+    tlsVersion,
+    oprfRawReplacements: oprfRawReplacements.length ? oprfRawReplacements : void 0
+  };
+  async function decryptMessage(sender, message, directReveal, zkReveal, i) {
+    const isServer = sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER;
+    const recordHeader = message.slice(0, 5);
+    const content = getWithoutHeader(message);
+    if (isServer) {
+      serverRecordNumber++;
+    } else {
+      clientRecordNumber++;
+    }
+    let redacted = true;
+    let plaintext = void 0;
+    let plaintextLength;
+    if (directReveal?.key?.length) {
+      const result = await decryptDirect(
+        directReveal,
+        cipherSuite,
+        recordHeader,
+        tlsVersion,
+        content
+      );
+      plaintext = result.plaintext;
+      redacted = false;
+      plaintextLength = plaintext.length;
+    } else if (zkReveal?.proofs?.length) {
+      const iv = sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER ? serverIV : clientIV;
+      const recordNumber = isServer ? serverRecordNumber : clientRecordNumber;
+      const result = await verifyZkPacket(
+        {
+          ciphertext: content,
+          zkReveal,
+          iv,
+          recordNumber,
+          toprfOvershotNullifier: overshotMap[i]?.data,
+          getNextPacket(overshot) {
+            const nextIdx = transcript.findIndex((t, j) => t.sender === sender && j > i);
+            if (nextIdx < 0) {
+              return;
             }
-            decryptedTranscript.push({
-                sender: sender === api_1.TranscriptMessageSenderType
-                    .TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT
-                    ? 'client'
-                    : 'server',
-                redacted,
-                message: plaintext,
-                recordHeader,
-                plaintextLength,
-            });
+            overshotMap[nextIdx] = { data: overshot };
+            return getWithoutHeader(transcript[nextIdx].message);
+          },
+          logger,
+          cipherSuite,
+          zkEngine
+        }
+      );
+      plaintext = result.redactedPlaintext;
+      const pendingForThis = pendingOprfRaw[i];
+      if (pendingForThis && zkReveal?.overshotOprfRawLength) {
+        const overshootLen = zkReveal.overshotOprfRawLength;
+        const overshootData = plaintext.slice(0, overshootLen);
+        const fullData = concatenateUint8Arrays([
+          pendingForThis.partialData,
+          overshootData
+        ]);
+        const expectedLen = pendingForThis.dataLocation.length;
+        if (fullData.length !== expectedLen) {
+          throw new AttestorError(
+            "ERROR_INVALID_CLAIM",
+            `oprf-raw cross-block length mismatch: got ${fullData.length}, expected ${expectedLen}`
+          );
+        }
+        const oprfResults = await computeOPRFRaw(
+          fullData,
+          [{ dataLocation: { fromIndex: 0, length: fullData.length } }],
+          logger
+        );
+        if (oprfResults.length) {
+          const { nullifier } = oprfResults[0];
+          const originalText = new TextDecoder().decode(fullData);
+          const nullifierStr = binaryHashToStr(nullifier, fullData.length);
+          oprfRawReplacements.push({ originalText, nullifierText: nullifierStr });
+          const nullifierBytes = new TextEncoder().encode(nullifierStr);
+          const overshootNullifier = nullifierBytes.slice(pendingForThis.partialData.length);
+          plaintext.set(overshootNullifier, 0);
+          const prevPkt = decryptedTranscript[pendingForThis.originPktIdx];
+          if (prevPkt) {
+            const firstPartNullifier = nullifierBytes.slice(0, pendingForThis.partialData.length);
+            prevPkt.message.set(firstPartNullifier, pendingForThis.dataLocation.fromIndex);
+          }
+        }
+        delete pendingOprfRaw[i];
+      }
+      if (result.oprfRawMarkers?.length) {
+        const { markersThisPacket, pendingMarker } = separateOprfRawMarkers(
+          result.oprfRawMarkers,
+          plaintext.length,
+          () => transcript.findIndex((t, j) => t.sender === sender && j > i),
+          decryptedTranscript.length,
+          logger
+        );
+        if (pendingMarker) {
+          pendingMarker.pending.partialData.set(
+            plaintext.slice(pendingMarker.pending.dataLocation.fromIndex)
+          );
+          pendingOprfRaw[pendingMarker.nextIdx] = pendingMarker.pending;
         }
-        catch (error) {
-            throw new utils_1.AttestorError('ERROR_INVALID_CLAIM', `error in handling packet at idx ${i}: ${error}`, {
-                packetIdx: i,
-                error: error,
-            });
+        if (markersThisPacket.length) {
+          const pt = plaintext;
+          const oprfResults = await computeOPRFRaw(pt, markersThisPacket, logger);
+          const originalTexts = oprfResults.map(({ dataLocation }) => new TextDecoder().decode(
+            pt.slice(dataLocation.fromIndex, dataLocation.fromIndex + dataLocation.length)
+          ));
+          for (const [idx, { dataLocation, nullifier }] of oprfResults.entries()) {
+            const originalText = originalTexts[idx];
+            const nullifierStr = binaryHashToStr(nullifier, dataLocation.length);
+            oprfRawReplacements.push({ originalText, nullifierText: nullifierStr });
+            const nullifierBytes = new TextEncoder().encode(nullifierStr);
+            pt.set(nullifierBytes, dataLocation.fromIndex);
+          }
         }
+      }
+      redacted = false;
+      plaintextLength = plaintext.length;
+    } else {
+      plaintext = content;
+      plaintextLength = plaintext.length;
     }
+    decryptedTranscript.push({
+      sender: sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT ? "client" : "server",
+      redacted,
+      message: plaintext,
+      recordHeader,
+      plaintextLength
+    });
+  }
 }
 function getWithoutHeader(message) {
-    // strip the record header (xx 03 03 xx xx)
-    return message.slice(5);
+  return message.slice(5);
+}
+function separateOprfRawMarkers(markers, plaintextLength, findNextPacketIdx, currentTranscriptLength, logger) {
+  const markersThisPacket = [];
+  let pendingMarker;
+  for (const marker of markers) {
+    const dataLocation = marker.dataLocation;
+    if (!dataLocation) {
+      continue;
+    }
+    const { fromIndex, length } = dataLocation;
+    const endInPacket = fromIndex + length;
+    if (endInPacket <= plaintextLength) {
+      markersThisPacket.push({ dataLocation });
+      continue;
+    }
+    const nextIdx = findNextPacketIdx();
+    if (nextIdx < 0) {
+      throw new AttestorError(
+        "ERROR_INVALID_CLAIM",
+        "oprf-raw marker spans packets but no next packet found"
+      );
+    }
+    pendingMarker = {
+      nextIdx,
+      pending: {
+        partialData: new Uint8Array(plaintextLength - fromIndex),
+        dataLocation: { fromIndex, length },
+        originPktIdx: currentTranscriptLength
+      }
+    };
+    logger.debug(
+      { fromIndex, length, partialLen: plaintextLength - fromIndex, nextIdx },
+      "oprf-raw marker spans packets, storing partial data"
+    );
+  }
+  return { markersThisPacket, pendingMarker };
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXNzZXJ0LXZhbGlkLWNsYWltLXJlcXVlc3QuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvc2VydmVyL3V0aWxzL2Fzc2VydC12YWxpZC1jbGFpbS1yZXF1ZXN0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBK0NBLDBEQW9FQztBQU1ELHNFQXFDQztBQU9ELHdEQTJDQztBQUVELDhDQTZHQztBQUVELDRDQUdDO0FBcFVELDhDQUc2QjtBQUU3Qix1Q0FRc0I7QUFDdEIsNkNBQXlDO0FBQ3pDLHdEQUErRDtBQUMvRCwwRUFBcUU7QUFTckUscUNBTWtCO0FBQ2xCLHFEQUFpRDtBQUVqRDs7Ozs7Ozs7Ozs7O0dBWUc7QUFDSSxLQUFLLFVBQVUsdUJBQXVCLENBQzVDLE9BQTJCLEVBQzNCLFFBQXFCLEVBQ3JCLE1BQWM7O0lBRWQsTUFBTSxFQUNMLElBQUksRUFDSixVQUFVLEVBQUUsRUFBRSxnQkFBZ0IsRUFBRSxHQUFHLEVBQUUsRUFDckMsUUFBUSxFQUNSLGFBQWEsRUFDYixhQUFhLEVBQ2IsR0FBRyxPQUFPLENBQUE7SUFDWCxJQUFHLENBQUMsSUFBSSxFQUFFLENBQUM7UUFDVixNQUFNLElBQUkscUJBQWEsQ0FDdEIscUJBQXFCLEVBQ3JCLG1DQUFtQyxDQUNuQyxDQUFBO0lBQ0YsQ0FBQztJQUVELElBQUcsQ0FBQyxDQUFBLGdCQUFnQixhQUFoQixnQkFBZ0IsdUJBQWhCLGdCQUFnQixDQUFFLE1BQU0sQ0FBQSxFQUFFLENBQUM7UUFDOUIsTUFBTSxJQUFJLHFCQUFhLENBQ3RCLHFCQUFxQixFQUNyQix3Q0FBd0MsQ0FDeEMsQ0FBQTtJQUNGLENBQUM7SUFFRCwyQkFBMkI7SUFDM0IsTUFBTSxhQUFhLEdBQUcsd0JBQWtCO1NBQ3RDLE1BQU0sQ0FBQyxFQUFFLEdBQUcsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsQ0FBQztTQUM3QyxNQUFNLEVBQUUsQ0FBQTtJQUNWLE1BQU0sRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLEdBQUcsdUJBQVUsQ0FBQyxRQUFRLENBQUMsYUFBYSxDQUFDLENBQUE7SUFDaEUsTUFBTSxRQUFRLEdBQUcsTUFBTSxTQUFTLENBQy9CLGFBQWEsRUFDYixnQkFBZ0IsRUFDaEIsSUFBSSxDQUFDLEtBQUssQ0FDVixDQUFBO0lBQ0QsSUFBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO1FBQ2QsTUFBTSxJQUFJLHFCQUFhLENBQ3RCLHFCQUFxQixFQUNyQixvQ0FBb0MsQ0FDcEMsQ0FBQTtJQUNGLENBQUM7SUFFRCxNQUFNLE9BQU8sR0FBRyxNQUFNLGlCQUFpQixDQUN0QyxPQUFPLENBQUMsVUFBVSxFQUNsQixNQUFNLEVBQ04sUUFBUSxLQUFLLG1CQUFhLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLFNBQVMsRUFDaEUsYUFBYSxFQUNiLGFBQWEsQ0FDYixDQUFBO0lBQ0QsTUFBTSxPQUFPLEdBQUcsTUFBQSxPQUFPLENBQUMsT0FBTywwQ0FBRSxJQUFJLENBQUE7SUFDckMsSUFBRyxPQUFPLENBQUMsUUFBUSxLQUFLLE9BQU8sRUFBRSxDQUFDO1FBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQ2Qsd0JBQXdCLE9BQU8sU0FBUyxPQUFPLENBQUMsUUFBUSxFQUFFLENBQzFELENBQUE7SUFDRixDQUFDO0lBR0Qsb0NBQW9DO0lBQ3BDLE1BQU0sUUFBUSxHQUFHLElBQUEsNENBQW9DLEVBQUMsT0FBTyxDQUFDLENBQUE7SUFDOUQsTUFBTSxPQUFPLEdBQUcsTUFBTSw2QkFBNkIsQ0FDbEQsUUFBUSxFQUFFLElBQUksRUFBRSxNQUFNLEVBQUUsRUFBRSxPQUFPLEVBQUUsUUFBUSxDQUFDLGFBQWEsRUFBRSxDQUMzRCxDQUFBO0lBQ0QsSUFBRyxPQUFPLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDckIsTUFBTSxDQUFDLElBQUksQ0FBQyxFQUFFLE9BQU8sRUFBRSxFQUFFLG9CQUFvQixDQUFDLENBQUE7SUFDL0MsQ0FBQztJQUVELE9BQU8sT0FBTyxDQUFBO0FBQ2YsQ0FBQztBQUVEOzs7R0FHRztBQUNJLEtBQUssVUFBVSw2QkFBNkIsQ0FDbEQsUUFBZ0MsRUFDaEMsSUFBTyxFQUNQLE1BQWMsRUFDZCxXQUF3Qjs7SUFFeEIsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLFFBQXdCLENBQUE7SUFDbEQsTUFBTSxRQUFRLEdBQUcscUJBQVMsQ0FBQyxZQUFZLENBQUMsQ0FBQTtJQUN4QyxJQUFHLENBQUMsUUFBUSxFQUFFLENBQUM7UUFDZCxNQUFNLElBQUkscUJBQWEsQ0FDdEIscUJBQXFCLEVBQ3JCLHlCQUF5QixZQUFZLEVBQUUsQ0FDdkMsQ0FBQTtJQUNGLENBQUM7SUFFRCxNQUFNLE1BQU0sR0FBRyxJQUFBLDhCQUFtQixFQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsUUFBUSxDQUFDLENBQUE7SUFDN0QsTUFBTSxHQUFHLEdBQUcsSUFBQSw4QkFBbUIsRUFBQyxJQUFJLENBQUMsT0FBTyxFQUFFLFNBQVMsQ0FBQyxDQUFBO0lBRXhELElBQUEsb0NBQTRCLEVBQUMsWUFBWSxFQUFFLE1BQU0sQ0FBQyxDQUFBO0lBRWxELE1BQU0sSUFBSSxHQUFHLE1BQU0sUUFBUSxDQUFDLDBCQUEwQixDQUFDO1FBQ3RELE9BQU8sRUFBRSxRQUFRO1FBQ2pCLE1BQU07UUFDTixNQUFNO1FBQ04sR0FBRyxFQUFFLFdBQVc7S0FDaEIsQ0FBQyxDQUFBO0lBRUYsR0FBRyxDQUFDLFlBQVksR0FBRyxJQUFBLDBCQUFrQixFQUFDLE1BQU0sQ0FBQyxDQUFBO0lBRTdDLE1BQU0sbUJBQW1CLEdBQUcsQ0FBQSxJQUFJLGFBQUosSUFBSSx1QkFBSixJQUFJLENBQUUsbUJBQW1CLEtBQUksRUFBRSxDQUFBO0lBQzNELElBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQzVDLEdBQUcsQ0FBQyxtQkFBbUIsR0FBRyxtQkFBbUIsQ0FBQTtJQUM5QyxDQUFDO0lBRUQsSUFBSSxDQUFDLE9BQU8sR0FBRyxNQUFBLElBQUEsMEJBQWtCLEVBQUMsR0FBRyxDQUFDLG1DQUFJLEVBQUUsQ0FBQTtJQUU1QyxPQUFPLElBQUksQ0FBQTtBQUNaLENBQUM7QUFFRDs7OztHQUlHO0FBQ0gsU0FBZ0Isc0JBQXNCLENBQ3JDLGdCQUFrRCxFQUNsRCxnQkFBbUQ7SUFFbkQsTUFBTSxXQUFXLEdBQUcsSUFBQSw0QkFBc0IsRUFDekMsZ0JBQWdCO1NBQ2QsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLE1BQU0sS0FBSyxpQ0FBMkIsQ0FBQyxxQ0FBcUMsQ0FBQztTQUMzRixHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLENBQ3JCLENBQUE7SUFFRCxNQUFNLFdBQVcsR0FBRyxJQUFBLDRCQUFzQixFQUN6QyxnQkFBZ0I7U0FDZCxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsTUFBTSxLQUFLLFFBQVEsQ0FBQztTQUNsQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLENBQ3JCLENBQUE7SUFFRCxJQUFHLENBQUMsSUFBQSx5QkFBbUIsRUFBQyxXQUFXLEVBQUUsV0FBVyxDQUFDLEVBQUUsQ0FBQztRQUNuRCxNQUFNLHFCQUFhLENBQUMsVUFBVSxDQUM3QixrRUFBa0UsQ0FDbEUsQ0FBQTtJQUNGLENBQUM7SUFFRCxNQUFNLFdBQVcsR0FBRyxJQUFBLDRCQUFzQixFQUN6QyxnQkFBZ0I7U0FDZCxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsTUFBTSxLQUFLLGlDQUEyQixDQUFDLHFDQUFxQyxDQUFDO1NBQzNGLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FDckIsQ0FBQTtJQUVELE1BQU0sV0FBVyxHQUFHLElBQUEsNEJBQXNCLEVBQ3pDLGdCQUFnQjtTQUNkLE1BQU0sQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxNQUFNLEtBQUssUUFBUSxDQUFDO1NBQ2xDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FDckI7UUFDQSwrQ0FBK0M7UUFDL0MsMENBQTBDO1FBQzFDLGtEQUFrRDtRQUNsRCxrREFBa0Q7U0FDakQsS0FBSyxDQUFDLENBQUMsRUFBRSxXQUFXLENBQUMsTUFBTSxDQUFDLENBQUE7SUFDOUIsSUFBRyxDQUFDLElBQUEseUJBQW1CLEVBQUMsV0FBVyxFQUFFLFdBQVcsQ0FBQyxFQUFFLENBQUM7UUFDbkQsTUFBTSxxQkFBYSxDQUFDLFVBQVUsQ0FDN0Isa0VBQWtFLENBQ2xFLENBQUE7SUFDRixDQUFDO0FBQ0YsQ0FBQztBQUVNLEtBQUssVUFBVSxpQkFBaUIsQ0FDdEMsVUFBNEMsRUFDNUMsTUFBYyxFQUNkLFFBQWtCLEVBQ2xCLFFBQW9CLEVBQ3BCLFFBQW9CO0lBR3BCLE1BQU0sRUFBRSxVQUFVLEVBQUUsV0FBVyxFQUFFLFFBQVEsRUFBRSxZQUFZLEVBQUUsR0FBRyxNQUFNLElBQUEsb0NBQWdCLEVBQUMsVUFBVSxFQUFFLE1BQU0sQ0FBQyxDQUFBO0lBRXRHLElBQUksa0JBQWtCLEdBQUcsVUFBVSxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQSxDQUFDLHlEQUF5RDtJQUNuSCxJQUFJLGtCQUFrQixHQUFHLGtCQUFrQixDQUFBO0lBRTNDLFVBQVUsR0FBRyxVQUFVLENBQUMsS0FBSyxDQUFDLFlBQVksQ0FBQyxDQUFBO0lBRTNDLE1BQU0sbUJBQW1CLEdBQWtDLEVBQUUsQ0FBQTtJQUU3RCxLQUFJLE1BQU0sQ0FBQyxDQUFDLEVBQUUsRUFDYixNQUFNLEVBQ04sT0FBTyxFQUNQLE1BQU0sRUFBRSxFQUFFLFFBQVEsRUFBRSxZQUFZLEVBQUUsR0FBRyxFQUFFLEVBQ3ZDLENBQUMsSUFBSSxVQUFVLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FBQztRQUM1Qix1REFBdUQ7UUFDdkQsTUFBTSxtQkFBbUIsQ0FBQyxNQUFNLEVBQUUsT0FBTyxFQUFFLFlBQVksRUFBRSxRQUFRLEVBQUUsQ0FBQyxDQUFDLENBQUE7SUFDdEUsQ0FBQztJQUVELE9BQU87UUFDTixVQUFVLEVBQUUsbUJBQW1CO1FBQy9CLFFBQVEsRUFBRSxRQUFRO1FBQ2xCLFVBQVUsRUFBRSxVQUFVO0tBQ3RCLENBQUE7SUFFRCxLQUFLLFVBQVUsbUJBQW1CLENBQ2pDLE1BQW1DLEVBQ25DLE9BQW1CLEVBQ25CLFlBQTZDLEVBQzdDLFFBQXFDLEVBQ3JDLENBQVM7O1FBRVQsSUFBSSxDQUFDO1lBQ0osTUFBTSxRQUFRLEdBQUcsTUFBTSxLQUFLLGlDQUEyQjtpQkFDckQscUNBQXFDLENBQUE7WUFDdkMsTUFBTSxZQUFZLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUE7WUFDeEMsTUFBTSxPQUFPLEdBQUcsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUE7WUFDekMsSUFBRyxRQUFRLEVBQUUsQ0FBQztnQkFDYixrQkFBa0IsRUFBRSxDQUFBO1lBQ3JCLENBQUM7aUJBQU0sQ0FBQztnQkFDUCxrQkFBa0IsRUFBRSxDQUFBO1lBQ3JCLENBQUM7WUFFRCxJQUFJLFFBQVEsR0FBRyxJQUFJLENBQUE7WUFDbkIsSUFBSSxTQUFTLEdBQTJCLFNBQVMsQ0FBQTtZQUNqRCxJQUFJLGVBQXVCLENBQUE7WUFFM0IsSUFBRyxNQUFBLFlBQVksYUFBWixZQUFZLHVCQUFaLFlBQVksQ0FBRSxHQUFHLDBDQUFFLE1BQU0sRUFBRSxDQUFDO2dCQUM5QixNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUEscUJBQWEsRUFDakMsWUFBWSxFQUFFLFdBQVcsRUFBRSxZQUFZLEVBQ3ZDLFVBQVUsRUFBRSxPQUFPLENBQ25CLENBQUE7Z0JBQ0QsU0FBUyxHQUFHLE1BQU0sQ0FBQyxTQUFTLENBQUE7Z0JBQzVCLFFBQVEsR0FBRyxLQUFLLENBQUE7Z0JBQ2hCLGVBQWUsR0FBRyxTQUFTLENBQUMsTUFBTSxDQUFBO1lBQ25DLENBQUM7aUJBQU0sSUFBRyxNQUFBLFFBQVEsYUFBUixRQUFRLHVCQUFSLFFBQVEsQ0FBRSxNQUFNLDBDQUFFLE1BQU0sRUFBRSxDQUFDO2dCQUNwQyxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUEsc0JBQWMsRUFDbEM7b0JBQ0MsVUFBVSxFQUFFLE9BQU87b0JBQ25CLFFBQVE7b0JBQ1IsTUFBTTtvQkFDTixXQUFXO29CQUNYLFFBQVEsRUFBRSxRQUFRO29CQUNsQixFQUFFLEVBQUUsTUFBTSxLQUFLLGlDQUEyQjt5QkFDeEMscUNBQXFDO3dCQUN0QyxDQUFDLENBQUMsUUFBUTt3QkFDVixDQUFDLENBQUMsUUFBUTtvQkFDWCxZQUFZLEVBQUUsUUFBUTt3QkFDckIsQ0FBQyxDQUFDLGtCQUFrQjt3QkFDcEIsQ0FBQyxDQUFDLGtCQUFrQjtpQkFDckIsQ0FDRCxDQUFBO2dCQUNELFNBQVMsR0FBRyxNQUFNLENBQUMsaUJBQWlCLENBQUE7Z0JBQ3BDLFFBQVEsR0FBRyxLQUFLLENBQUE7Z0JBQ2hCLGVBQWUsR0FBRyxTQUFTLENBQUMsTUFBTSxDQUFBO1lBQ25DLENBQUM7aUJBQU0sQ0FBQztnQkFDUCxTQUFTLEdBQUcsT0FBTyxDQUFBO2dCQUNuQixlQUFlLEdBQUcsU0FBUyxDQUFDLE1BQU0sQ0FBQTtZQUNuQyxDQUFDO1lBRUQsbUJBQW1CLENBQUMsSUFBSSxDQUFDO2dCQUN4QixNQUFNLEVBQUUsTUFBTSxLQUFLLGlDQUEyQjtxQkFDNUMscUNBQXFDO29CQUN0QyxDQUFDLENBQUMsUUFBUTtvQkFDVixDQUFDLENBQUMsUUFBUTtnQkFDWCxRQUFRO2dCQUNSLE9BQU8sRUFBRSxTQUFTO2dCQUNsQixZQUFZO2dCQUNaLGVBQWU7YUFDZixDQUFDLENBQUE7UUFFSCxDQUFDO1FBQUMsT0FBTSxLQUFLLEVBQUUsQ0FBQztZQUNmLE1BQU0sSUFBSSxxQkFBYSxDQUN0QixxQkFBcUIsRUFDckIsbUNBQW1DLENBQUMsS0FBSyxLQUFLLEVBQUUsRUFDaEQ7Z0JBQ0MsU0FBUyxFQUFFLENBQUM7Z0JBQ1osS0FBSyxFQUFFLEtBQUs7YUFDWixDQUNELENBQUE7UUFDRixDQUFDO0lBQ0YsQ0FBQztBQUNGLENBQUM7QUFFRCxTQUFnQixnQkFBZ0IsQ0FBQyxPQUFtQjtJQUNuRCwyQ0FBMkM7SUFDM0MsT0FBTyxPQUFPLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFBO0FBQ3hCLENBQUMifQ==
+export {
+  assertTranscriptsMatch,
+  assertValidClaimRequest,
+  assertValidProviderTranscript,
+  decryptTranscript,
+  getWithoutHeader
+};

package/lib/server/utils/config-env.js

@@ -1,7 +1,4 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const dotenv_1 = require("dotenv");
-const env_1 = require("../../utils/env");
-const nodeEnv = (0, env_1.getEnvVariable)('NODE_ENV') || 'development';
-(0, dotenv_1.config)({ path: `.env.${nodeEnv}` });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLWVudi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9zZXJ2ZXIvdXRpbHMvY29uZmlnLWVudi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLG1DQUErQjtBQUMvQix1Q0FBOEM7QUFFOUMsTUFBTSxPQUFPLEdBQUcsSUFBQSxvQkFBYyxFQUFDLFVBQVUsQ0FBQyxJQUFJLGFBQWEsQ0FBQTtBQUMzRCxJQUFBLGVBQU0sRUFBQyxFQUFFLElBQUksRUFBRSxRQUFRLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQSJ9
+import { config } from "dotenv";
+import { getEnvVariable } from "../../utils/env.js";
+const nodeEnv = getEnvVariable("NODE_ENV") || "development";
+config({ path: `.env.${nodeEnv}` });

package/lib/server/utils/dns.js

@@ -1,22 +1,24 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveHostnames = resolveHostnames;
-const dns_1 = require("dns");
-const config_1 = require("../../config");
+import { resolve, setServers } from "dns";
+import { DNS_SERVERS } from "../../config/index.js";
 setDnsServers();
 async function resolveHostnames(hostname) {
-    return new Promise((_resolve, reject) => {
-        (0, dns_1.resolve)(hostname, (err, addresses) => {
-            if (err) {
-                reject(new Error(`Could not resolve hostname: ${hostname}, ${err.message}`));
-            }
-            else {
-                _resolve(addresses);
-            }
-        });
+  return new Promise((_resolve, reject) => {
+    resolve(hostname, (err, addresses) => {
+      if (err) {
+        reject(
+          new Error(
+            `Could not resolve hostname: ${hostname}, ${err.message}`
+          )
+        );
+      } else {
+        _resolve(addresses);
+      }
     });
+  });
 }
 function setDnsServers() {
-    (0, dns_1.setServers)(config_1.DNS_SERVERS);
+  setServers(DNS_SERVERS);
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZG5zLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3NlcnZlci91dGlscy9kbnMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFLQSw0Q0FjQztBQW5CRCw2QkFBeUM7QUFDekMsdUNBQXdDO0FBRXhDLGFBQWEsRUFBRSxDQUFBO0FBRVIsS0FBSyxVQUFVLGdCQUFnQixDQUFDLFFBQWdCO0lBQ3RELE9BQU8sSUFBSSxPQUFPLENBQVcsQ0FBQyxRQUFRLEVBQUUsTUFBTSxFQUFFLEVBQUU7UUFDakQsSUFBQSxhQUFPLEVBQUMsUUFBUSxFQUFFLENBQUMsR0FBRyxFQUFFLFNBQVMsRUFBRSxFQUFFO1lBQ3BDLElBQUcsR0FBRyxFQUFFLENBQUM7Z0JBQ1IsTUFBTSxDQUNMLElBQUksS0FBSyxDQUNSLCtCQUErQixRQUFRLEtBQUssR0FBRyxDQUFDLE9BQU8sRUFBRSxDQUN6RCxDQUNELENBQUE7WUFDRixDQUFDO2lCQUFNLENBQUM7Z0JBQ1AsUUFBUSxDQUFDLFNBQVMsQ0FBQyxDQUFBO1lBQ3BCLENBQUM7UUFDRixDQUFDLENBQUMsQ0FBQTtJQUNILENBQUMsQ0FBQyxDQUFBO0FBQ0gsQ0FBQztBQUVELFNBQVMsYUFBYTtJQUNyQixJQUFBLGdCQUFVLEVBQUMsb0JBQVcsQ0FBQyxDQUFBO0FBQ3hCLENBQUMifQ==
+export {
+  resolveHostnames
+};

package/lib/server/utils/gcp-attestation.d.ts

@@ -0,0 +1,17 @@
+/**
+ * GCP attestation validation utilities
+ * Validates JWT tokens from Google Confidential Computing
+ */
+import type { Logger } from '#src/types/general.ts';
+export interface GcpValidationResult {
+    isValid: boolean;
+    errors: string[];
+    ethAddress?: Uint8Array;
+    userDataType?: string;
+    pcr0?: string;
+    envVars?: Record<string, string>;
+}
+/**
+ * Validates GCP JWT attestation and extracts ETH address
+ */
+export declare function validateGcpAttestationAndExtractKey(attestationBytes: Uint8Array, logger?: Logger): Promise<GcpValidationResult>;