@reclaimprotocol/attestor-core 5.0.1-beta.2 → 5.0.1-beta.21

package/lib/server/utils/tee-verification.js

@@ -1,358 +0,0 @@
-import { ServiceSignatureType } from "../../proto/api.js";
-import { BodyType, KOutputPayload, TOutputPayload, VerificationBundle } from "../../proto/tee-bundle.js";
-import { validateGcpAttestationAndExtractKey } from "../../server/utils/gcp-attestation.js";
-import { validateNitroAttestationAndExtractKey } from "../../server/utils/nitro-attestation.js";
-import { AttestorError } from "../../utils/error.js";
-import { SIGNATURES } from "../../utils/signatures/index.js";
-async function verifyTeeBundle(bundleBytes, logger) {
-  const bundle = parseVerificationBundle(bundleBytes);
-  validateBundleCompleteness(bundle);
-  const { teekKeyResult, teetKeyResult } = await extractPublicKeys(bundle, logger);
-  await verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger);
-  if (!bundle.teekSigned || !bundle.teetSigned) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "Missing TEE signed messages");
-  }
-  const kOutputPayload = parseKOutputPayload(bundle.teekSigned);
-  const tOutputPayload = parseTOutputPayload(bundle.teetSigned);
-  validateTimestamps(kOutputPayload, tOutputPayload, logger);
-  const teeSessionId = validateSessionIds(kOutputPayload, tOutputPayload, logger);
-  logger.info("TEE bundle verification successful");
-  return {
-    teekSigned: bundle.teekSigned,
-    teetSigned: bundle.teetSigned,
-    kOutputPayload,
-    tOutputPayload,
-    teekPcr0: teekKeyResult.pcr0,
-    teetPcr0: teetKeyResult.pcr0,
-    teeSessionId
-  };
-}
-function parseVerificationBundle(bundleBytes) {
-  try {
-    return VerificationBundle.decode(bundleBytes);
-  } catch (error) {
-    throw new Error(`Failed to parse verification bundle: ${error.message}`);
-  }
-}
-function validateBundleCompleteness(bundle) {
-  if (!bundle.teekSigned) {
-    throw new Error("SECURITY ERROR: missing TEE_K signed message - verification bundle incomplete");
-  }
-  if (!bundle.teetSigned) {
-    throw new Error("SECURITY ERROR: missing TEE_T signed message - verification bundle incomplete");
-  }
-  const hasAttestations = bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0 || bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0;
-  const hasPublicKeys = bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0 || bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0;
-  if (!hasAttestations && !hasPublicKeys) {
-    throw new Error("SECURITY ERROR: bundle must have either Nitro attestations (production) or embedded public keys (development)");
-  }
-  if (bundle.teekSigned.bodyType !== BodyType.BODY_TYPE_K_OUTPUT) {
-    throw new Error("Invalid TEE_K signed message: wrong body type");
-  }
-  if (bundle.teetSigned.bodyType !== BodyType.BODY_TYPE_T_OUTPUT) {
-    throw new Error("Invalid TEE_T signed message: wrong body type");
-  }
-  if (!bundle.teekSigned.body || bundle.teekSigned.body.length === 0) {
-    throw new Error("Invalid TEE_K signed message: empty body");
-  }
-  if (!bundle.teetSigned.body || bundle.teetSigned.body.length === 0) {
-    throw new Error("Invalid TEE_T signed message: empty body");
-  }
-  if (!bundle.teekSigned.signature || bundle.teekSigned.signature.length === 0) {
-    throw new Error("Invalid TEE_K signed message: missing signature");
-  }
-  if (!bundle.teetSigned.signature || bundle.teetSigned.signature.length === 0) {
-    throw new Error("Invalid TEE_T signed message: missing signature");
-  }
-}
-async function extractPublicKeys(bundle, logger) {
-  const hasEmbeddedAttestations = bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0 && (bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0);
-  let teekKeyResult;
-  let teetKeyResult;
-  if (hasEmbeddedAttestations) {
-    logger.info("Using production mode: extracting keys from attestations");
-    if (!bundle.teekSigned?.attestationReport?.report) {
-      throw new Error("TEE_K embedded attestation report missing");
-    }
-    if (!bundle.teetSigned?.attestationReport?.report) {
-      throw new Error("TEE_T embedded attestation report missing");
-    }
-    const teekAttestationType = bundle.teekSigned.attestationReport.type || "nitro";
-    const teetAttestationType = bundle.teetSigned.attestationReport.type || "nitro";
-    logger.info(`TEE_K attestation type: ${teekAttestationType}`);
-    logger.info(`TEE_T attestation type: ${teetAttestationType}`);
-    const teekAttestationBytes = bundle.teekSigned.attestationReport.report;
-    const teetAttestationBytes = bundle.teetSigned.attestationReport.report;
-    if (teekAttestationType === "gcp") {
-      const gcpResult = await validateGcpAttestationAndExtractKey(teekAttestationBytes, logger);
-      if (!gcpResult.isValid) {
-        throw new Error(`TEE_K GCP attestation validation failed: ${gcpResult.errors.join(", ")}`);
-      }
-      if (!gcpResult.ethAddress) {
-        throw new Error("TEE_K GCP attestation validation failed: no address");
-      }
-      if (gcpResult.userDataType !== "tee_k") {
-        throw new Error(`TEE_K GCP attestation validation failed: wrong TEE type, expected tee_k, got ${gcpResult.userDataType}`);
-      }
-      teekKeyResult = {
-        teeType: gcpResult.userDataType,
-        ethAddress: "0x" + Buffer.from(gcpResult.ethAddress).toString("hex"),
-        pcr0: gcpResult.pcr0 || "gcp-no-digest"
-      };
-    } else {
-      const nitroResult = await validateNitroAttestationAndExtractKey(teekAttestationBytes);
-      if (!nitroResult.isValid) {
-        throw new Error(`TEE_K Nitro attestation validation failed: ${nitroResult.errors.join(", ")}`);
-      }
-      if (!nitroResult.ethAddress) {
-        throw new Error("TEE_K Nitro attestation validation failed: no address");
-      }
-      if (nitroResult.userDataType !== "tee_k") {
-        throw new Error(`TEE_K Nitro attestation validation failed: wrong TEE type, expected tee_k, got ${nitroResult.userDataType}`);
-      }
-      teekKeyResult = {
-        teeType: nitroResult.userDataType,
-        ethAddress: nitroResult.ethAddress,
-        pcr0: nitroResult.pcr0
-      };
-    }
-    if (teetAttestationType === "gcp") {
-      const gcpResult = await validateGcpAttestationAndExtractKey(teetAttestationBytes, logger);
-      if (!gcpResult.isValid) {
-        throw new Error(`TEE_T GCP attestation validation failed: ${gcpResult.errors.join(", ")}`);
-      }
-      if (!gcpResult.ethAddress) {
-        throw new Error("TEE_T GCP attestation validation failed: no address");
-      }
-      if (gcpResult.userDataType !== "tee_t") {
-        throw new Error(`TEE_T GCP attestation validation failed: wrong TEE type, expected tee_t, got ${gcpResult.userDataType}`);
-      }
-      teetKeyResult = {
-        teeType: gcpResult.userDataType,
-        ethAddress: "0x" + Buffer.from(gcpResult.ethAddress).toString("hex"),
-        pcr0: gcpResult.pcr0 || "gcp-no-digest"
-      };
-      if (!gcpResult.envVars?.EXPECTED_TEEK_PCR0) {
-        throw new Error("TEE_T GCP attestation missing required EXPECTED_TEEK_PCR0 environment variable");
-      }
-      const expectedPcr0 = gcpResult.envVars.EXPECTED_TEEK_PCR0;
-      const actualPcr0 = teekKeyResult.pcr0;
-      logger.info(`Cross-validating TEE_K PCR0: expected=${expectedPcr0}, actual=${actualPcr0}`);
-      if (expectedPcr0 !== actualPcr0) {
-        throw new Error(`TEE cross-validation failed: TEE_T expects TEE_K PCR0 "${expectedPcr0}" but got "${actualPcr0}"`);
-      }
-      logger.info("TEE cross-validation successful: TEE_K PCR0 matches TEE_T expectation");
-    } else {
-      const nitroResult = await validateNitroAttestationAndExtractKey(teetAttestationBytes);
-      if (!nitroResult.isValid) {
-        throw new Error(`TEE_T Nitro attestation validation failed: ${nitroResult.errors.join(", ")}`);
-      }
-      if (!nitroResult.ethAddress) {
-        throw new Error("TEE_T Nitro attestation validation failed: no address");
-      }
-      if (nitroResult.userDataType !== "tee_t") {
-        throw new Error(`TEE_T Nitro attestation validation failed: wrong TEE type, expected tee_t, got ${nitroResult.userDataType}`);
-      }
-      teetKeyResult = {
-        teeType: nitroResult.userDataType,
-        ethAddress: nitroResult.ethAddress,
-        pcr0: nitroResult.pcr0
-      };
-    }
-    logger.info("Attestations validated successfully");
-  } else {
-    const standaloneEnabled = process.env.TEE_STANDALONE === "true" || process.env.TEE_STANDALONE === "1";
-    if (!standaloneEnabled) {
-      throw new Error("Missing attestation reports and standalone mode is not enabled (set TEE_STANDALONE=true to enable)");
-    }
-    const hasEmbeddedKeys = bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0 && (bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0);
-    if (!hasEmbeddedKeys) {
-      throw new Error("Missing attestation and no embedded ETH addresses for standalone mode");
-    }
-    logger.warn("STANDALONE MODE ENABLED: Using embedded ETH addresses without attestation verification");
-    const teekAddress = Buffer.from(bundle.teekSigned.ethAddress).toString("utf8");
-    teekKeyResult = {
-      teeType: "tee_k",
-      ethAddress: teekAddress,
-      pcr0: "standalone-mode"
-      // No PCR0 in standalone mode
-    };
-    logger.info(`TEE_K standalone address: ${teekAddress}`);
-    const teetAddress = Buffer.from(bundle.teetSigned.ethAddress).toString("utf8");
-    teetKeyResult = {
-      teeType: "tee_t",
-      ethAddress: teetAddress,
-      pcr0: "standalone-mode"
-      // No PCR0 in standalone mode
-    };
-    logger.info(`TEE_T standalone address: ${teetAddress}`);
-    logger.info("Standalone mode key extraction successful");
-  }
-  return {
-    teekKeyResult,
-    teetKeyResult
-  };
-}
-async function verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger) {
-  if (!bundle.teekSigned) {
-    throw new Error("TEE_K signed message is missing");
-  }
-  const teekResult = await verifyTeeSignature(
-    bundle.teekSigned,
-    teekKeyResult,
-    "TEE_K",
-    logger
-  );
-  if (!teekResult.isValid) {
-    throw new Error(`TEE_K signature verification failed: ${teekResult.errors.join(", ")}`);
-  }
-  if (!bundle.teetSigned) {
-    throw new Error("TEE_T signed message is missing");
-  }
-  const teetResult = await verifyTeeSignature(
-    bundle.teetSigned,
-    teetKeyResult,
-    "TEE_T",
-    logger
-  );
-  if (!teetResult.isValid) {
-    throw new Error(`TEE_T signature verification failed: ${teetResult.errors.join(", ")}`);
-  }
-  logger.info("TEE signatures verified successfully");
-}
-async function verifyTeeSignature(signedMessage, extractedKey, teeType, logger) {
-  const errors = [];
-  if (!signedMessage) {
-    return {
-      isValid: false,
-      errors: ["Signed message is null or undefined"]
-    };
-  }
-  try {
-    let ethAddress;
-    if (extractedKey.ethAddress) {
-      ethAddress = extractedKey.ethAddress;
-      logger.debug(`${teeType} using ETH address from attestation: ${ethAddress}`);
-    } else {
-      return {
-        isValid: false,
-        errors: ["eth address is null"]
-      };
-    }
-    const { verify: verifySig } = SIGNATURES[ServiceSignatureType.SERVICE_SIGNATURE_TYPE_ETH];
-    const isValid = await verifySig(
-      signedMessage.body,
-      signedMessage.signature,
-      ethAddress
-    );
-    if (!isValid) {
-      errors.push(`${teeType} signature verification failed for address ${ethAddress}`);
-    }
-    logger.debug(`${teeType} signature verification result: ${isValid} for address ${ethAddress}`);
-    return {
-      isValid: errors.length === 0,
-      errors,
-      address: extractedKey.ethAddress
-    };
-  } catch (error) {
-    errors.push(`${teeType} signature verification error: ${error.message}`);
-    return {
-      isValid: false,
-      errors
-    };
-  }
-}
-function parseKOutputPayload(signedMessage) {
-  const payload = KOutputPayload.decode(signedMessage.body);
-  if (!payload.redactedRequest) {
-    throw new Error("Missing redacted request in TEE_K payload");
-  }
-  if (!payload.consolidatedResponseKeystream || payload.consolidatedResponseKeystream.length === 0) {
-    throw new Error("Missing consolidated response keystream in TEE_K payload");
-  }
-  if (!payload.certificateInfo) {
-    throw new Error("Missing certificate info in TEE_K payload");
-  }
-  return payload;
-}
-function parseTOutputPayload(signedMessage) {
-  const payload = TOutputPayload.decode(signedMessage.body);
-  if (!payload.consolidatedResponseCiphertext || payload.consolidatedResponseCiphertext.length === 0) {
-    throw new Error("Missing consolidated response ciphertext in TEE_T payload");
-  }
-  return payload;
-}
-function validateTimestamps(kPayload, tPayload, logger) {
-  const now = Date.now();
-  const kTimestamp = kPayload.timestampMs;
-  const tTimestamp = tPayload.timestampMs;
-  const kTimestampS = Math.floor(kTimestamp / 1e3);
-  const tTimestampS = Math.floor(tTimestamp / 1e3);
-  const nowS = Math.floor(now / 1e3);
-  logger.info("Validating TEE timestamps", {
-    kTimestampMs: kTimestamp,
-    tTimestampMs: tTimestamp,
-    kTimestampS,
-    tTimestampS,
-    nowS
-  });
-  const maxAgeMs = 10 * 60 * 1e3;
-  const oldestAllowed = now - maxAgeMs;
-  if (kTimestamp < oldestAllowed) {
-    throw new Error(`TEE_K timestamp ${kTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
-  }
-  if (tTimestamp < oldestAllowed) {
-    throw new Error(`TEE_T timestamp ${tTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
-  }
-  const maxFutureMs = 60 * 1e3;
-  const maxAllowed = now + maxFutureMs;
-  if (kTimestamp > maxAllowed) {
-    throw new Error(`TEE_K timestamp ${kTimestamp} is in the future. Current time is ${now}`);
-  }
-  if (tTimestamp > maxAllowed) {
-    throw new Error(`TEE_T timestamp ${tTimestamp} is in the future. Current time is ${now}`);
-  }
-  const timestampDiffMs = Math.abs(kTimestamp - tTimestamp);
-  const maxDiffMs = 60 * 1e3;
-  if (timestampDiffMs > maxDiffMs) {
-    throw new Error(`TEE timestamps differ by ${timestampDiffMs}ms, which exceeds maximum allowed difference of ${maxDiffMs}ms (1 minute)`);
-  }
-  logger.info("TEE timestamp validation successful", {
-    timestampDiffMs,
-    ageKMs: now - kTimestamp,
-    ageTMs: now - tTimestamp
-  });
-}
-function validateSessionIds(kPayload, tPayload, logger) {
-  const kSessionId = kPayload.sessionId;
-  const tSessionId = tPayload.sessionId;
-  logger.info("Validating TEE session IDs", {
-    kSessionId,
-    tSessionId
-  });
-  if (!kSessionId || kSessionId.length === 0) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "Missing session_id in TEE_K payload - required for cross-TEE binding"
-    );
-  }
-  if (!tSessionId || tSessionId.length === 0) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "Missing session_id in TEE_T payload - required for cross-TEE binding"
-    );
-  }
-  if (kSessionId !== tSessionId) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `Session ID mismatch: TEE_K session_id "${kSessionId}" does not match TEE_T session_id "${tSessionId}".`
-    );
-  }
-  logger.info("TEE session ID validation successful", {
-    sessionId: kSessionId
-  });
-  return kSessionId;
-}
-export {
-  verifyTeeBundle
-};

package/lib/server/utils/validation.js

@@ -1,45 +0,0 @@
-import { Ajv } from "ajv";
-import { PROVIDER_SCHEMAS } from "../../types/providers.gen.js";
-import { AttestorError } from "../../utils/error.js";
-const PROVIDER_VALIDATOR_MAP = {};
-const AJV = new Ajv({
-  allErrors: true,
-  strict: true,
-  strictRequired: false,
-  formats: {
-    binary(data) {
-      return data instanceof Uint8Array || typeof Buffer !== "undefined" && Buffer.isBuffer(data);
-    },
-    url(data) {
-      try {
-        new URL(data);
-        return true;
-      } catch {
-        return false;
-      }
-    }
-  }
-});
-function assertValidateProviderParams(name, params) {
-  let validate = PROVIDER_VALIDATOR_MAP[name];
-  if (!validate) {
-    const schema = PROVIDER_SCHEMAS[name]?.parameters;
-    if (!schema) {
-      throw new AttestorError(
-        "ERROR_BAD_REQUEST",
-        `Invalid provider name "${String(name)}"`
-      );
-    }
-    validate = AJV.compile(schema);
-  }
-  if (!validate?.(params)) {
-    throw new AttestorError(
-      "ERROR_BAD_REQUEST",
-      "Params validation failed",
-      { errors: JSON.stringify(validate.errors) }
-    );
-  }
-}
-export {
-  assertValidateProviderParams
-};

package/lib/types/index.js

@@ -1,10 +0,0 @@
-export * from "./providers.js";
-export * from "./general.js";
-export * from "./signatures.js";
-export * from "./claims.js";
-export * from "./zk.js";
-export * from "./client.js";
-export * from "./rpc.js";
-export * from "./tunnel.js";
-export * from "./handlers.js";
-export * from "./bgp.js";

package/lib/types/providers.gen.js

@@ -1,16 +0,0 @@
-const HttpProviderParametersJson = { "title": "HttpProviderParameters", "type": "object", "required": ["url", "method", "responseMatches"], "properties": { "url": { "type": "string", "format": "url", "description": "which URL does the request have to be made to Has to be a valid https URL for eg. https://amazon.in/orders?q=abcd" }, "method": { "type": "string", "enum": ["GET", "POST", "PUT", "PATCH"] }, "geoLocation": { "type": "string", "nullable": true, "description": "Specify the geographical location from where to proxy the request. 2-letter ISO country code or parameter (public or secret)" }, "proxySessionId": { "type": "string", "nullable": true, "description": 'Specify the unique session id for allowing use of same proxy ip across multiple requests. Can be a smallcase alphanumeric string of length 8-14 characters. eg. "mystring12345", "something1234".' }, "headers": { "type": "object", "description": "Any additional headers to be sent with the request Note: these will be revealed to the attestor & won't be redacted from the transcript. To add hidden headers, use 'secretParams.headers' instead", "additionalProperties": { "type": "string" } }, "body": { "description": "Body of the HTTP request", "oneOf": [{ "type": "string", "format": "binary" }, { "type": "string" }] }, "writeRedactionMode": { "type": "string", "description": `If the API doesn't perform well with the "key-update" method of redaction, you can switch to "zk" mode by setting this to "zk"`, "enum": ["zk", "key-update"] }, "additionalClientOptions": { "type": "object", "description": "Apply TLS configuration when creating the tunnel to the attestor.", "nullable": true, "properties": { "supportedProtocolVersions": { "type": "array", "minItems": 1, "uniqueItems": true, "items": { "type": "string", "enum": ["TLS1_2", "TLS1_3"] } } } }, "responseMatches": { "type": "array", "minItems": 1, "uniqueItems": true, "description": "The attestor will use this list to check that the redacted response does indeed match all the provided strings/regexes", "items": { "type": "object", "required": ["value", "type"], "properties": { "value": { "type": "string", "description": '"regex": the response must match the regex "contains": the response must contain the provided\n string exactly' }, "type": { "type": "string", "description": "The string/regex to match against", "enum": ["regex", "contains"] }, "invert": { "type": "boolean", "description": "Inverses the matching logic. Fail when match is found and proceed otherwise" } }, "additionalProperties": false } }, "responseRedactions": { "type": "array", "uniqueItems": true, "description": 'which portions to select from a response. These are selected in order, xpath => jsonPath => regex * These redactions are done client side and only the selected portions are sent to the attestor. The attestor will only be able to see the selected portions alongside the first line of the HTTP response (i.e. "HTTP/1.1 200 OK") * To disable any redactions, pass an empty array', "items": { "type": "object", "properties": { "xPath": { "type": "string", "nullable": true, "description": 'expect an HTML response, and to contain a certain xpath for eg. "/html/body/div.a1/div.a2/span.a5"' }, "jsonPath": { "type": "string", "nullable": true, "description": "expect a JSON response, retrieve the item at this path using dot notation for e.g. 'email.addresses.0'" }, "regex": { "type": "string", "nullable": true, "description": "select a regex match from the response" }, "hash": { "type": "string", "description": `If provided, the value inside will be hashed instead of being redacted. Useful for cases where the data inside is an identifiying piece of information that you don't want to reveal to the attestor, eg. an email address.
-If the hash function produces more bytes than the original value, the hash will be truncated.
-Eg. if hash is enabled, the original value is "hello", and hashed is "a1b2c", then the attestor will only see "a1b2c".
-Note: if a regex with named groups is provided, only the named groups will be hashed.`, "enum": ["oprf", "oprf-mpc", "oprf-raw"] } }, "additionalProperties": false } }, "paramValues": { "type": "object", "description": "A map of parameter values which are user in form of {{param}} in URL, responseMatches, responseRedactions, body, geolocation. Those in URL, responseMatches & geo will be put into context and signed This value will NOT be included in provider hash", "additionalProperties": { "type": "string" } } }, "additionalProperties": false };
-const HttpProviderSecretParametersJson = { "title": "HttpProviderSecretParameters", "type": "object", "description": "Secret parameters to be used with HTTP provider. None of the values in this object will be shown to the attestor", "properties": { "cookieStr": { "type": "string", "description": "cookie string for authorisation." }, "authorisationHeader": { "type": "string", "description": "authorisation header value" }, "headers": { "type": "object", "description": "Headers that need to be hidden from the attestor", "additionalProperties": { "type": "string" } }, "paramValues": { "type": "object", "description": "A map of parameter values which are user in form of {{param}} in body these parameters will NOT be shown to attestor and extracted", "additionalProperties": { "type": "string" } } }, "additionalProperties": false };
-const PROVIDER_SCHEMAS = {
-  http: {
-    parameters: HttpProviderParametersJson,
-    secretParameters: HttpProviderSecretParametersJson
-  }
-};
-export {
-  HttpProviderParametersJson,
-  HttpProviderSecretParametersJson,
-  PROVIDER_SCHEMAS
-};

package/lib/utils/auth.js

@@ -1,71 +0,0 @@
-import { getBytes } from "ethers";
-import { DEFAULT_AUTH_EXPIRY_S } from "../config/index.js";
-import { AuthenticatedUserData } from "../proto/api.js";
-import { getEnvVariable } from "../utils/env.js";
-import { AttestorError } from "../utils/error.js";
-import { unixTimestampSeconds } from "../utils/generics.js";
-import { SelectedServiceSignature, SIGNATURES } from "../utils/signatures/index.js";
-async function assertValidAuthRequest(request, signatureType) {
-  const publicKey = getEnvVariable("AUTHENTICATION_PUBLIC_KEY");
-  if (!request) {
-    if (publicKey) {
-      throw new AttestorError(
-        "ERROR_AUTHENTICATION_FAILED",
-        "User must be authenticated"
-      );
-    }
-    return;
-  }
-  if (!publicKey) {
-    throw new AttestorError(
-      "ERROR_BAD_REQUEST",
-      "The attestor is not configured for authentication"
-    );
-  }
-  const { signature, data } = request;
-  if (!data) {
-    throw new AttestorError(
-      "ERROR_AUTHENTICATION_FAILED",
-      "Missing data in auth request"
-    );
-  }
-  if (data.expiresAt < unixTimestampSeconds()) {
-    throw new AttestorError(
-      "ERROR_AUTHENTICATION_FAILED",
-      "Authentication request has expired"
-    );
-  }
-  const proto = AuthenticatedUserData.encode(data).finish();
-  const signatureAlg = SIGNATURES[signatureType];
-  const address = signatureAlg.getAddress(
-    getBytes(publicKey)
-  );
-  const verified = await signatureAlg.verify(proto, signature, address);
-  if (!verified) {
-    throw new AttestorError(
-      "ERROR_AUTHENTICATION_FAILED",
-      "Signature verification failed"
-    );
-  }
-}
-async function createAuthRequest(_data, privateKey) {
-  const createdAt = unixTimestampSeconds();
-  const data = {
-    createdAt,
-    expiresAt: createdAt + DEFAULT_AUTH_EXPIRY_S,
-    id: "",
-    hostWhitelist: [],
-    ..._data
-  };
-  const proto = AuthenticatedUserData.encode(data).finish();
-  const signature = await SelectedServiceSignature.sign(proto, privateKey);
-  const request = {
-    data,
-    signature
-  };
-  return request;
-}
-export {
-  assertValidAuthRequest,
-  createAuthRequest
-};

package/lib/utils/b64-json.js

@@ -1,17 +0,0 @@
-import { decodeBase64, encodeBase64 } from "ethers";
-const B64_JSON_REPLACER = (key, value) => {
-  if (value instanceof Uint8Array || typeof value === "object" && value && "buffer" in value && value.buffer instanceof ArrayBuffer) {
-    return { type: "uint8array", value: encodeBase64(value) };
-  }
-  return value;
-};
-const B64_JSON_REVIVER = (key, value) => {
-  if (value?.type === "uint8array") {
-    return decodeBase64(value.value);
-  }
-  return value;
-};
-export {
-  B64_JSON_REPLACER,
-  B64_JSON_REVIVER
-};

package/lib/utils/bgp-listener.js

@@ -1,123 +0,0 @@
-import CIDR from "ip-cidr";
-import { BGP_WS_URL } from "../config/index.js";
-import { makeWebSocket } from "../utils/ws.js";
-const ANNOUNCEMENT_OVERLAP = "announcement-overlap";
-class BGPAnnouncementOverlapEvent extends Event {
-  data;
-  constructor(data) {
-    super(ANNOUNCEMENT_OVERLAP);
-    this.data = data;
-  }
-}
-function createBgpListener(logger) {
-  let ws;
-  let closed = false;
-  const targetIps = /* @__PURE__ */ new Set();
-  const eventTarget = new EventTarget();
-  openWs();
-  return {
-    onOverlap(ips, callback) {
-      for (const ip of ips) {
-        targetIps.add(ip);
-      }
-      eventTarget.addEventListener(
-        ANNOUNCEMENT_OVERLAP,
-        _callback
-      );
-      return () => {
-        for (const ip of ips) {
-          targetIps.delete(ip);
-        }
-        eventTarget.removeEventListener(
-          ANNOUNCEMENT_OVERLAP,
-          _callback
-        );
-      };
-      function _callback(event) {
-        callback(event.data);
-      }
-    },
-    close() {
-      ws.onclose = null;
-      ws.onerror = null;
-      ws.close();
-      closed = true;
-    }
-  };
-  function openWs() {
-    logger.debug("connecting to BGP websocket");
-    ws = makeWebSocket(BGP_WS_URL);
-    ws.onopen = onOpen;
-    ws.onerror = (ev) => onClose(ev);
-    ws.onclose = () => onClose(new Error("Unexpected close"));
-    ws.onmessage = ({ data }) => {
-      const str = typeof data === "string" ? data : data.toString();
-      try {
-        onMessage(str);
-      } catch (err) {
-        logger.error({ data, err }, "error processing BGP message");
-      }
-    };
-  }
-  function onOpen() {
-    const subscriptionMessage = {
-      type: "ris_subscribe",
-      data: {
-        type: "UPDATE"
-      }
-    };
-    ws.send(JSON.stringify(subscriptionMessage));
-    logger.info("connected to BGP websocket");
-  }
-  function onClose(err) {
-    if (closed) {
-      return;
-    }
-    logger.info({ err }, "BGP websocket closed");
-    if (!err) {
-      return;
-    }
-    logger.info("reconnecting to BGP websocket");
-    openWs();
-  }
-  function onMessage(message) {
-    const data = JSON.parse(message);
-    const announcements = data?.data?.announcements;
-    logger.trace({ data }, "got BGP update");
-    if (!Array.isArray(announcements)) {
-      return;
-    }
-    const asPath = data?.data?.path;
-    for (const announcement of announcements) {
-      const prefixes = announcement?.prefixes;
-      const nextHop = announcement?.["next_hop"];
-      const hasPrefixes = prefixes?.length && (nextHop || asPath);
-      if (!hasPrefixes) {
-        return;
-      }
-      for (const prefix of prefixes) {
-        if (!overlapsTargetIps(prefix)) {
-          continue;
-        }
-        eventTarget.dispatchEvent(
-          new BGPAnnouncementOverlapEvent({ prefix })
-        );
-      }
-    }
-  }
-  function overlapsTargetIps(prefix) {
-    if (prefix.endsWith("/0")) {
-      return false;
-    }
-    const cidr = new CIDR(prefix);
-    for (const ip of targetIps) {
-      if (cidr.contains(ip)) {
-        return true;
-      }
-    }
-    return false;
-  }
-}
-export {
-  createBgpListener
-};