@reclaimprotocol/attestor-core 5.0.1-beta.2 → 5.0.1-beta.22

package/lib/server/handlers/claimTeeBundle.js

@@ -1,232 +1,252 @@
+/**
+ * TEE Bundle Claim Handler
+ * Handles ClaimTeeBundleRequest by verifying TEE attestations and reconstructing TLS transcript
+ */
 import { ClaimTeeBundleResponse } from "../../proto/api.js";
 import { VerificationBundle } from "../../proto/tee-bundle.js";
 import { substituteParamValues } from "../../providers/http/index.js";
-import { assertValidProviderTranscript } from "../../server/utils/assert-valid-claim-request.js";
-import { getAttestorAddress, niceParseJsonObject, signAsAttestor } from "../../server/utils/generics.js";
-import { verifyOprfMpcOutputs } from "../../server/utils/tee-oprf-mpc-verification.js";
-import { verifyOprfProofs } from "../../server/utils/tee-oprf-verification.js";
-import { reconstructTlsTranscript } from "../../server/utils/tee-transcript-reconstruction.js";
-import { verifyTeeBundle } from "../../server/utils/tee-verification.js";
+import { assertValidProviderTranscript } from "../utils/assert-valid-claim-request.js";
+import { getAttestorAddress, niceParseJsonObject, signAsAttestor } from "../utils/generics.js";
+import { verifyOprfMpcOutputs } from "../utils/tee-oprf-mpc-verification.js";
+import { verifyOprfProofs } from "../utils/tee-oprf-verification.js";
+import { reconstructTlsTranscript } from "../utils/tee-transcript-reconstruction.js";
+import { verifyTeeBundle } from "../utils/tee-verification.js";
 import { AttestorError } from "../../utils/error.js";
 import { createSignDataForClaim, getIdentifierFromClaimInfo } from "../../utils/index.js";
-const claimTeeBundle = async (teeBundleRequest, { logger, client }) => {
-  const {
-    verificationBundle,
-    data
-  } = teeBundleRequest;
-  const res = ClaimTeeBundleResponse.create({ request: teeBundleRequest });
-  logger.info("Starting TEE bundle verification");
-  const teeData = await verifyTeeBundle(verificationBundle, logger);
-  const timestampS = Math.floor(teeData.kOutputPayload.timestampMs / 1e3);
-  logger.info("Verifying OPRF proofs");
-  const bundle = VerificationBundle.decode(verificationBundle);
-  const zkOprfResults = await verifyOprfProofs(
-    { ...teeData, oprfVerifications: bundle.oprfVerifications },
-    logger
-  );
-  logger.info("Verifying OPRF MPC outputs");
-  const oprfMpcResults = verifyOprfMpcOutputs(
-    teeData.kOutputPayload,
-    teeData.tOutputPayload,
-    logger
-  );
-  const allOprfResults = validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger);
-  logger.info("Starting TLS transcript reconstruction with OPRF replacements");
-  const transcriptData = await reconstructTlsTranscript(teeData, logger, allOprfResults);
-  logger.info("Creating plaintext transcript from TEE data");
-  const plaintextTranscript = createPlaintextTranscriptFromTeeData(transcriptData, logger);
-  logger.info("Running direct provider validation on TEE reconstructed data");
-  if (!data) {
-    throw new AttestorError("ERROR_INVALID_CLAIM", "No claim data provided in TEE bundle request");
-  }
-  const validatedClaim = await validateTeeProviderReceipt(
-    plaintextTranscript,
-    data,
-    logger,
-    { version: client.metadata.clientVersion },
-    transcriptData.certificateInfo
-  );
-  const ctx = niceParseJsonObject(validatedClaim.context, "context");
-  ctx.pcr0_k = teeData.teekPcr0;
-  ctx.pcr0_t = teeData.teetPcr0;
-  ctx.tee_session_id = teeData.teeSessionId;
-  validatedClaim.context = JSON.stringify(ctx);
-  res.claim = {
-    ...validatedClaim,
-    identifier: getIdentifierFromClaimInfo(validatedClaim),
-    // Use timestampS from TEE_K bundle for claim signing
-    timestampS,
-    // hardcode for compatibility with V1 claims
-    epoch: 1
-  };
-  logger.info({ claim: res.claim }, "TEE bundle claim validation successful");
-  res.signatures = {
-    attestorAddress: getAttestorAddress(
-      client.metadata.signatureType
-    ),
-    claimSignature: res.claim ? await signAsAttestor(
-      createSignDataForClaim(res.claim),
-      client.metadata.signatureType
-    ) : new Uint8Array(),
-    resultSignature: await signAsAttestor(
-      ClaimTeeBundleResponse.encode(res).finish(),
-      client.metadata.signatureType
-    )
-  };
-  logger.info("TEE bundle claim processing completed");
-  return res;
+export const claimTeeBundle = async (teeBundleRequest, { logger, client }) => {
+    const { verificationBundle, data } = teeBundleRequest;
+    // Initialize response
+    const res = ClaimTeeBundleResponse.create({ request: teeBundleRequest });
+    // 1. Verify TEE bundle (attestations + signatures) - this includes timestamp validation
+    logger.info('Starting TEE bundle verification');
+    const teeData = await verifyTeeBundle(verificationBundle, logger);
+    // 2. Extract timestampS from TEE_K bundle for claim signing
+    const timestampS = Math.floor(teeData.kOutputPayload.timestampMs / 1000);
+    // 3. Verify OPRF proofs first (before transcript reconstruction)
+    logger.info('Verifying OPRF proofs');
+    // Parse the verification bundle to get OPRF verifications
+    const bundle = VerificationBundle.decode(verificationBundle);
+    const zkOprfResults = await verifyOprfProofs({ ...teeData, oprfVerifications: bundle.oprfVerifications }, logger);
+    // 4. Verify OPRF MPC outputs (TEE-to-TEE computed OPRF)
+    logger.info('Verifying OPRF MPC outputs');
+    const oprfMpcResults = verifyOprfMpcOutputs(teeData.kOutputPayload, teeData.tOutputPayload, logger);
+    // 5. Combine ZK and OPRF MPC results for transcript reconstruction
+    const allOprfResults = validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger);
+    // 6. Reconstruct TLS transcript with all OPRF replacements applied
+    logger.info('Starting TLS transcript reconstruction with OPRF replacements');
+    const transcriptData = await reconstructTlsTranscript(teeData, logger, allOprfResults);
+    // 7. Create plaintext transcript for provider validation (OPRF already applied)
+    logger.info('Creating plaintext transcript from TEE data');
+    const plaintextTranscript = createPlaintextTranscriptFromTeeData(transcriptData, logger);
+    // 8. Direct provider validation
+    logger.info('Running direct provider validation on TEE reconstructed data');
+    if (!data) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'No claim data provided in TEE bundle request');
+    }
+    const validatedClaim = await validateTeeProviderReceipt(plaintextTranscript, data, logger, { version: client.metadata.clientVersion }, transcriptData.certificateInfo);
+    const ctx = niceParseJsonObject(validatedClaim.context, 'context');
+    // eslint-disable-next-line camelcase
+    ctx.pcr0_k = teeData.teekPcr0;
+    // eslint-disable-next-line camelcase
+    ctx.pcr0_t = teeData.teetPcr0;
+    // eslint-disable-next-line camelcase
+    ctx.tee_session_id = teeData.teeSessionId;
+    validatedClaim.context = JSON.stringify(ctx);
+    res.claim = {
+        ...validatedClaim,
+        identifier: getIdentifierFromClaimInfo(validatedClaim),
+        // Use timestampS from TEE_K bundle for claim signing
+        timestampS,
+        // hardcode for compatibility with V1 claims
+        epoch: 1
+    };
+    logger.info({ claim: res.claim }, 'TEE bundle claim validation successful');
+    // 9. Sign the response
+    res.signatures = {
+        attestorAddress: getAttestorAddress(client.metadata.signatureType),
+        claimSignature: res.claim
+            ? await signAsAttestor(createSignDataForClaim(res.claim), client.metadata.signatureType)
+            : new Uint8Array(),
+        resultSignature: await signAsAttestor(ClaimTeeBundleResponse.encode(res).finish(), client.metadata.signatureType)
+    };
+    logger.info('TEE bundle claim processing completed');
+    return res;
 };
+/**
+ * Creates a plaintext transcript from TEE reconstructed data
+ * This converts the TEE transcript data into the format expected by provider validation
+ * NEW: Uses consolidated response instead of individual packets for simplicity
+ */
 function createPlaintextTranscriptFromTeeData(transcriptData, logger) {
-  const transcript = [];
-  if (transcriptData.revealedRequest && transcriptData.revealedRequest.length > 0) {
-    transcript.push({
-      sender: "client",
-      message: transcriptData.revealedRequest
-    });
-    logger.debug("Added TEE revealed request to plaintext transcript", {
-      length: transcriptData.revealedRequest.length
-    });
-  }
-  if (transcriptData.reconstructedResponse && transcriptData.reconstructedResponse.length > 0) {
-    transcript.push({
-      sender: "server",
-      message: transcriptData.reconstructedResponse
-    });
-    logger.debug("Added TEE consolidated response to plaintext transcript", {
-      length: transcriptData.reconstructedResponse.length
-    });
-  }
-  if (transcriptData.certificateInfo) {
-    logger.info("Certificate information available for validation", {
-      commonName: transcriptData.certificateInfo.commonName,
-      issuerCommonName: transcriptData.certificateInfo.issuerCommonName,
-      dnsNames: transcriptData.certificateInfo.dnsNames,
-      notBefore: new Date(transcriptData.certificateInfo.notBeforeUnix * 1e3).toISOString(),
-      notAfter: new Date(transcriptData.certificateInfo.notAfterUnix * 1e3).toISOString()
+    const transcript = [];
+    // Add reconstructed request (client -> server)
+    if (transcriptData.revealedRequest && transcriptData.revealedRequest.length > 0) {
+        transcript.push({
+            sender: 'client',
+            message: transcriptData.revealedRequest
+        });
+        logger.debug('Added TEE revealed request to plaintext transcript', {
+            length: transcriptData.revealedRequest.length
+        });
+    }
+    // Add consolidated reconstructed response (server -> client)
+    if (transcriptData.reconstructedResponse && transcriptData.reconstructedResponse.length > 0) {
+        transcript.push({
+            sender: 'server',
+            message: transcriptData.reconstructedResponse
+        });
+        logger.debug('Added TEE consolidated response to plaintext transcript', {
+            length: transcriptData.reconstructedResponse.length
+        });
+    }
+    // Log certificate validation info if available
+    if (transcriptData.certificateInfo) {
+        logger.info('Certificate information available for validation', {
+            commonName: transcriptData.certificateInfo.commonName,
+            issuerCommonName: transcriptData.certificateInfo.issuerCommonName,
+            dnsNames: transcriptData.certificateInfo.dnsNames,
+            notBefore: new Date(transcriptData.certificateInfo.notBeforeUnix * 1000).toISOString(),
+            notAfter: new Date(transcriptData.certificateInfo.notAfterUnix * 1000).toISOString()
+        });
+    }
+    logger.info('Created plaintext transcript from TEE data', {
+        totalMessages: transcript.length,
+        hasRequest: !!transcriptData.revealedRequest?.length,
+        hasResponse: !!transcriptData.reconstructedResponse?.length,
+        hasCertificateInfo: !!transcriptData.certificateInfo
     });
-  }
-  logger.info("Created plaintext transcript from TEE data", {
-    totalMessages: transcript.length,
-    hasRequest: !!transcriptData.revealedRequest?.length,
-    hasResponse: !!transcriptData.reconstructedResponse?.length,
-    hasCertificateInfo: !!transcriptData.certificateInfo
-  });
-  return transcript;
+    return transcript;
 }
+/**
+ * Validates TEE provider receipt directly without signature validation
+ * This is essentially assertValidProviderTranscript but for TEE data
+ * NEW: Includes certificate validation for domain authentication
+ */
 async function validateTeeProviderReceipt(plaintextTranscript, claimInfo, logger, providerCtx, certificateInfo) {
-  logger.info("Starting direct TEE provider validation", {
-    provider: claimInfo.provider,
-    transcriptMessages: plaintextTranscript.length,
-    hasCertificateInfo: !!certificateInfo
-  });
-  if (certificateInfo) {
-    validateTlsCertificate(claimInfo, certificateInfo, logger);
-  }
-  const validatedClaim = await assertValidProviderTranscript(
-    plaintextTranscript,
-    claimInfo,
-    logger,
-    providerCtx
-  );
-  logger.info("TEE provider validation completed successfully", {
-    provider: validatedClaim.provider,
-    owner: validatedClaim.owner || "unknown"
-  });
-  return validatedClaim;
+    logger.info('Starting direct TEE provider validation', {
+        provider: claimInfo.provider,
+        transcriptMessages: plaintextTranscript.length,
+        hasCertificateInfo: !!certificateInfo
+    });
+    // Validate certificate if available
+    if (certificateInfo) {
+        validateTlsCertificate(claimInfo, certificateInfo, logger);
+    }
+    // Use the existing provider validation logic directly
+    const validatedClaim = await assertValidProviderTranscript(plaintextTranscript, claimInfo, logger, providerCtx);
+    logger.info('TEE provider validation completed successfully', {
+        provider: validatedClaim.provider,
+        owner: validatedClaim.owner || 'unknown'
+    });
+    return validatedClaim;
 }
+/**
+ * Checks if a hostname matches a certificate name (with wildcard support)
+ * @param hostname - The hostname to check
+ * @param certName - The certificate name
+ * @returns true if the hostname is valid for this certificate name
+ */
 function isHostnameValidForCertificate(hostname, certName) {
-  if (hostname === certName) {
-    return true;
-  }
-  if (certName.startsWith("*.")) {
-    const wildcardDomain = certName.slice(2);
-    if (hostname.endsWith(wildcardDomain)) {
-      const subdomainPart = hostname.slice(0, -wildcardDomain.length);
-      if (subdomainPart.endsWith(".")) {
-        const subdomain = subdomainPart.slice(0, -1);
-        return !subdomain.includes(".");
-      }
+    // Exact match
+    if (hostname === certName) {
+        return true;
     }
-  }
-  return false;
+    // Wildcard match
+    if (certName.startsWith('*.')) {
+        // Extract the domain from wildcard
+        const wildcardDomain = certName.slice(2);
+        // Check if hostname ends with the wildcard domain
+        if (hostname.endsWith(wildcardDomain)) {
+            // Ensure we're matching a subdomain, not partial domain
+            const subdomainPart = hostname.slice(0, -(wildcardDomain.length));
+            // Valid if:
+            // 1. The subdomain part ends with a dot (proper subdomain boundary)
+            // 2. The subdomain part doesn't contain additional dots (single-level wildcard)
+            if (subdomainPart.endsWith('.')) {
+                const subdomain = subdomainPart.slice(0, -1);
+                // Wildcard only matches single level, not multiple subdomains
+                return !subdomain.includes('.');
+            }
+        }
+    }
+    return false;
 }
+/**
+ * Validates that the TLS certificate is valid for the domain being claimed
+ */
 function validateTlsCertificate(claimInfo, certificateInfo, logger) {
-  let claimedHostname;
-  const paramsWithTemplates = niceParseJsonObject(claimInfo.parameters, "params");
-  const params = substituteParamValues(paramsWithTemplates, void 0, true).newParams;
-  if ("url" in params && typeof params.url === "string") {
-    claimedHostname = new URL(params.url).hostname;
-  }
-  if (!claimedHostname) {
-    logger.warn("Could not extract hostname from claim for certificate validation", {
-      provider: claimInfo.provider
+    // Extract hostname from the claim (this varies by provider)
+    let claimedHostname;
+    const paramsWithTemplates = niceParseJsonObject(claimInfo.parameters, 'params');
+    const params = substituteParamValues(paramsWithTemplates, undefined, true).newParams;
+    // Different providers store hostname in different places
+    if ('url' in params && typeof params.url === 'string') {
+        claimedHostname = new URL(params.url).hostname;
+    }
+    if (!claimedHostname) {
+        logger.warn('Could not extract hostname from claim for certificate validation', {
+            provider: claimInfo.provider
+        });
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'Certificate validation failed: hostname not found');
+    }
+    logger.info('Validating TLS certificate for claimed hostname', {
+        claimedHostname,
+        certificateCommonName: certificateInfo.commonName,
+        certificateDnsNames: certificateInfo.dnsNames
+    });
+    // Check if claimed hostname matches certificate (including wildcard support)
+    const isValidForHostname = isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) ||
+        certificateInfo.dnsNames.some(name => isHostnameValidForCertificate(claimedHostname, name));
+    if (!isValidForHostname) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', `Certificate validation failed: hostname '${claimedHostname}' not valid for certificate (CN: ${certificateInfo.commonName}, SANs: ${certificateInfo.dnsNames.join(', ')})`);
+    }
+    // Check certificate validity period
+    const now = Date.now() / 1000; // Current time in Unix seconds
+    if (now < certificateInfo.notBeforeUnix || now > certificateInfo.notAfterUnix) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', `Certificate validation failed: certificate not valid at current time (valid from ${new Date(certificateInfo.notBeforeUnix * 1000).toISOString()} to ${new Date(certificateInfo.notAfterUnix * 1000).toISOString()})`);
+    }
+    logger.info('TLS certificate validation passed', {
+        claimedHostname,
+        validatedAgainst: isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) ?
+            `CommonName: ${certificateInfo.commonName}` :
+            `SAN: ${certificateInfo.dnsNames.find(name => isHostnameValidForCertificate(claimedHostname, name))}`
     });
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      "Certificate validation failed: hostname not found"
-    );
-  }
-  logger.info("Validating TLS certificate for claimed hostname", {
-    claimedHostname,
-    certificateCommonName: certificateInfo.commonName,
-    certificateDnsNames: certificateInfo.dnsNames
-  });
-  const isValidForHostname = isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) || certificateInfo.dnsNames.some((name) => isHostnameValidForCertificate(claimedHostname, name));
-  if (!isValidForHostname) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `Certificate validation failed: hostname '${claimedHostname}' not valid for certificate (CN: ${certificateInfo.commonName}, SANs: ${certificateInfo.dnsNames.join(", ")})`
-    );
-  }
-  const now = Date.now() / 1e3;
-  if (now < certificateInfo.notBeforeUnix || now > certificateInfo.notAfterUnix) {
-    throw new AttestorError(
-      "ERROR_INVALID_CLAIM",
-      `Certificate validation failed: certificate not valid at current time (valid from ${new Date(certificateInfo.notBeforeUnix * 1e3).toISOString()} to ${new Date(certificateInfo.notAfterUnix * 1e3).toISOString()})`
-    );
-  }
-  logger.info("TLS certificate validation passed", {
-    claimedHostname,
-    validatedAgainst: isHostnameValidForCertificate(claimedHostname, certificateInfo.commonName) ? `CommonName: ${certificateInfo.commonName}` : `SAN: ${certificateInfo.dnsNames.find((name) => isHostnameValidForCertificate(claimedHostname, name))}`
-  });
 }
+/**
+ * Validates OPRF results have no overlapping ranges and combines them
+ * SECURITY: Prevents position collisions between ZK and OPRF MPC results
+ */
 function validateAndCombineOprfResults(zkOprfResults, oprfMpcResults, logger) {
-  const allOprfResults = [...zkOprfResults, ...oprfMpcResults];
-  if (allOprfResults.length === 0) {
-    return allOprfResults;
-  }
-  logger.info(`Combined ${zkOprfResults.length} ZK OPRF + ${oprfMpcResults.length} OPRF MPC results`);
-  const seen = {};
-  for (const result of zkOprfResults) {
-    seen[result.position] = { length: result.length, source: "zk" };
-  }
-  for (const result of oprfMpcResults) {
-    const existing = seen[result.position];
-    if (existing) {
-      if (existing.length !== result.length) {
-        throw new AttestorError(
-          "ERROR_INVALID_CLAIM",
-          `OPRF range conflict at position ${result.position}: ZK length ${existing.length} vs MPC length ${result.length}`
-        );
-      }
-      logger.warn(`Duplicate OPRF range at position ${result.position} from both ZK and MPC - using MPC result`);
+    const allOprfResults = [...zkOprfResults, ...oprfMpcResults];
+    if (allOprfResults.length === 0) {
+        return allOprfResults;
+    }
+    logger.info(`Combined ${zkOprfResults.length} ZK OPRF + ${oprfMpcResults.length} OPRF MPC results`);
+    // Check for overlapping ranges (position collision detection)
+    const seen = {};
+    for (const result of zkOprfResults) {
+        seen[result.position] = { length: result.length, source: 'zk' };
     }
-    for (const [pos, data] of Object.entries(seen)) {
-      const position = Number(pos);
-      const existingEnd = position + data.length;
-      const newEnd = result.position + result.length;
-      const overlaps = result.position < existingEnd && newEnd > position && result.position !== position;
-      if (overlaps) {
-        throw new AttestorError(
-          "ERROR_INVALID_CLAIM",
-          `Overlapping OPRF ranges: [${position}:${existingEnd}] (${data.source}) and [${result.position}:${newEnd}] (mpc)`
-        );
-      }
+    for (const result of oprfMpcResults) {
+        const existing = seen[result.position];
+        if (existing) {
+            // Exact duplicate at same position - verify they match
+            if (existing.length !== result.length) {
+                throw new AttestorError('ERROR_INVALID_CLAIM', `OPRF range conflict at position ${result.position}: ZK length ${existing.length} vs MPC length ${result.length}`);
+            }
+            logger.warn(`Duplicate OPRF range at position ${result.position} from both ZK and MPC - using MPC result`);
+        }
+        // Check for overlapping (but not identical) ranges
+        for (const [pos, data] of Object.entries(seen)) {
+            const position = Number(pos);
+            const existingEnd = position + data.length;
+            const newEnd = result.position + result.length;
+            const overlaps = (result.position < existingEnd && newEnd > position) && result.position !== position;
+            if (overlaps) {
+                throw new AttestorError('ERROR_INVALID_CLAIM', `Overlapping OPRF ranges: [${position}:${existingEnd}] (${data.source}) and [${result.position}:${newEnd}] (mpc)`);
+            }
+        }
+        seen[result.position] = { length: result.length, source: 'mpc' };
     }
-    seen[result.position] = { length: result.length, source: "mpc" };
-  }
-  return allOprfResults;
+    return allOprfResults;
 }
-export {
-  claimTeeBundle
-};

package/lib/server/handlers/claimTunnel.js

@@ -1,80 +1,73 @@
 import { MAX_CLAIM_TIMESTAMP_DIFF_S } from "../../config/index.js";
 import { ClaimTunnelResponse } from "../../proto/api.js";
-import { getApm } from "../../server/utils/apm.js";
-import { assertTranscriptsMatch, assertValidClaimRequest } from "../../server/utils/assert-valid-claim-request.js";
-import { getAttestorAddress, signAsAttestor } from "../../server/utils/generics.js";
+import { getApm } from "../utils/apm.js";
+import { assertTranscriptsMatch, assertValidClaimRequest } from "../utils/assert-valid-claim-request.js";
+import { getAttestorAddress, signAsAttestor } from "../utils/generics.js";
 import { AttestorError, createSignDataForClaim, getIdentifierFromClaimInfo, unixTimestampSeconds } from "../../utils/index.js";
-const claimTunnel = async (claimRequest, { tx, logger, client }) => {
-  const {
-    request,
-    data: { timestampS } = {}
-  } = claimRequest;
-  const tunnel = client.getTunnel(request?.id);
-  try {
-    await tunnel.close();
-  } catch (err) {
-    logger.debug({ err }, "error closing tunnel");
-  }
-  if (tx) {
-    const transcriptBytes = tunnel.transcript.reduce(
-      (acc, { message }) => acc + message.length,
-      0
-    );
-    tx?.setLabel("transcriptBytes", transcriptBytes.toString());
-  }
-  if (tunnel.createRequest?.host !== request?.host || tunnel.createRequest?.port !== request?.port || tunnel.createRequest?.geoLocation !== request?.geoLocation || tunnel.createRequest?.proxySessionId !== request?.proxySessionId) {
-    throw AttestorError.badRequest("Tunnel request does not match");
-  }
-  assertTranscriptsMatch(claimRequest.transcript, tunnel.transcript);
-  const res = ClaimTunnelResponse.create({ request: claimRequest });
-  try {
-    const now = unixTimestampSeconds();
-    if (Math.floor(timestampS - now) > MAX_CLAIM_TIMESTAMP_DIFF_S) {
-      throw new AttestorError(
-        "ERROR_INVALID_CLAIM",
-        `Timestamp provided ${timestampS} is too far off. Current time is ${now}`
-      );
+export const claimTunnel = async (claimRequest, { tx, logger, client }) => {
+    const { request, data: { timestampS } = {}, } = claimRequest;
+    const tunnel = client.getTunnel(request?.id);
+    try {
+        await tunnel.close();
+    }
+    catch (err) {
+        logger.debug({ err }, 'error closing tunnel');
+    }
+    if (tx) {
+        const transcriptBytes = tunnel.transcript.reduce((acc, { message }) => acc + message.length, 0);
+        tx?.setLabel('transcriptBytes', transcriptBytes.toString());
     }
-    const assertTx = getApm()?.startTransaction("assertValidClaimRequest", { childOf: tx });
+    // we throw an error for cases where the attestor cannot prove
+    // the user's request is faulty. For eg. if the user sends a
+    // "createRequest" that does not match the tunnel's actual
+    // create request -- the attestor cannot prove that the user
+    // is lying. In such cases, we throw a bad request error.
+    // Same goes for matching the transcript.
+    if (tunnel.createRequest?.host !== request?.host
+        || tunnel.createRequest?.port !== request?.port
+        || tunnel.createRequest?.geoLocation !== request?.geoLocation
+        || tunnel.createRequest?.proxySessionId !== request?.proxySessionId) {
+        throw AttestorError.badRequest('Tunnel request does not match');
+    }
+    assertTranscriptsMatch(claimRequest.transcript, tunnel.transcript);
+    const res = ClaimTunnelResponse.create({ request: claimRequest });
     try {
-      const claim = await assertValidClaimRequest(
-        claimRequest,
-        client.metadata,
-        logger
-      );
-      res.claim = {
-        ...claim,
-        identifier: getIdentifierFromClaimInfo(claim),
-        // hardcode for compatibility with V1 claims
-        epoch: 1
-      };
-    } catch (err) {
-      assertTx?.setOutcome("failure");
-      throw err;
-    } finally {
-      assertTx?.end();
+        const now = unixTimestampSeconds();
+        if (Math.floor(timestampS - now) > MAX_CLAIM_TIMESTAMP_DIFF_S) {
+            throw new AttestorError('ERROR_INVALID_CLAIM', `Timestamp provided ${timestampS} is too far off. Current time is ${now}`);
+        }
+        const assertTx = getApm()
+            ?.startTransaction('assertValidClaimRequest', { childOf: tx });
+        try {
+            const claim = await assertValidClaimRequest(claimRequest, client.metadata, logger);
+            res.claim = {
+                ...claim,
+                identifier: getIdentifierFromClaimInfo(claim),
+                // hardcode for compatibility with V1 claims
+                epoch: 1
+            };
+        }
+        catch (err) {
+            assertTx?.setOutcome('failure');
+            throw err;
+        }
+        finally {
+            assertTx?.end();
+        }
     }
-  } catch (err) {
-    logger.error({ err }, "invalid claim request");
-    const attestorErr = AttestorError.fromError(err, "ERROR_INVALID_CLAIM");
-    res.error = attestorErr.toProto();
-  }
-  res.signatures = {
-    attestorAddress: getAttestorAddress(
-      client.metadata.signatureType
-    ),
-    claimSignature: res.claim ? await signAsAttestor(
-      createSignDataForClaim(res.claim),
-      client.metadata.signatureType
-    ) : new Uint8Array(),
-    resultSignature: await signAsAttestor(
-      ClaimTunnelResponse.encode(res).finish(),
-      client.metadata.signatureType
-    )
-  };
-  client.removeTunnel(request.id);
-  return res;
-};
-export {
-  claimTunnel
+    catch (err) {
+        logger.error({ err }, 'invalid claim request');
+        const attestorErr = AttestorError.fromError(err, 'ERROR_INVALID_CLAIM');
+        res.error = attestorErr.toProto();
+    }
+    res.signatures = {
+        attestorAddress: getAttestorAddress(client.metadata.signatureType),
+        claimSignature: res.claim
+            ? await signAsAttestor(createSignDataForClaim(res.claim), client.metadata.signatureType)
+            : new Uint8Array(),
+        resultSignature: await signAsAttestor(ClaimTunnelResponse.encode(res).finish(), client.metadata.signatureType)
+    };
+    // remove tunnel from client -- to free up our mem
+    client.removeTunnel(request.id);
+    return res;
 };