@reclaimprotocol/attestor-core 5.0.4 → 5.0.5

package/lib/server/handlers/claimTunnel.js

@@ -1,73 +0,0 @@
-import { MAX_CLAIM_TIMESTAMP_DIFF_S } from "../../config/index.js";
-import { ClaimTunnelResponse } from "../../proto/api.js";
-import { getApm } from "../utils/apm.js";
-import { assertTranscriptsMatch, assertValidClaimRequest } from "../utils/assert-valid-claim-request.js";
-import { getAttestorAddress, signAsAttestor } from "../utils/generics.js";
-import { AttestorError, createSignDataForClaim, getIdentifierFromClaimInfo, unixTimestampSeconds } from "../../utils/index.js";
-export const claimTunnel = async (claimRequest, { tx, logger, client }) => {
-    const { request, data: { timestampS } = {}, } = claimRequest;
-    const tunnel = client.getTunnel(request?.id);
-    try {
-        await tunnel.close();
-    }
-    catch (err) {
-        logger.debug({ err }, 'error closing tunnel');
-    }
-    if (tx) {
-        const transcriptBytes = tunnel.transcript.reduce((acc, { message }) => acc + message.length, 0);
-        tx?.setLabel('transcriptBytes', transcriptBytes.toString());
-    }
-    // we throw an error for cases where the attestor cannot prove
-    // the user's request is faulty. For eg. if the user sends a
-    // "createRequest" that does not match the tunnel's actual
-    // create request -- the attestor cannot prove that the user
-    // is lying. In such cases, we throw a bad request error.
-    // Same goes for matching the transcript.
-    if (tunnel.createRequest?.host !== request?.host
-        || tunnel.createRequest?.port !== request?.port
-        || tunnel.createRequest?.geoLocation !== request?.geoLocation
-        || tunnel.createRequest?.proxySessionId !== request?.proxySessionId) {
-        throw AttestorError.badRequest('Tunnel request does not match');
-    }
-    assertTranscriptsMatch(claimRequest.transcript, tunnel.transcript);
-    const res = ClaimTunnelResponse.create({ request: claimRequest });
-    try {
-        const now = unixTimestampSeconds();
-        if (Math.floor(timestampS - now) > MAX_CLAIM_TIMESTAMP_DIFF_S) {
-            throw new AttestorError('ERROR_INVALID_CLAIM', `Timestamp provided ${timestampS} is too far off. Current time is ${now}`);
-        }
-        const assertTx = getApm()
-            ?.startTransaction('assertValidClaimRequest', { childOf: tx });
-        try {
-            const claim = await assertValidClaimRequest(claimRequest, client.metadata, logger);
-            res.claim = {
-                ...claim,
-                identifier: getIdentifierFromClaimInfo(claim),
-                // hardcode for compatibility with V1 claims
-                epoch: 1
-            };
-        }
-        catch (err) {
-            assertTx?.setOutcome('failure');
-            throw err;
-        }
-        finally {
-            assertTx?.end();
-        }
-    }
-    catch (err) {
-        logger.error({ err }, 'invalid claim request');
-        const attestorErr = AttestorError.fromError(err, 'ERROR_INVALID_CLAIM');
-        res.error = attestorErr.toProto();
-    }
-    res.signatures = {
-        attestorAddress: getAttestorAddress(client.metadata.signatureType),
-        claimSignature: res.claim
-            ? await signAsAttestor(createSignDataForClaim(res.claim), client.metadata.signatureType)
-            : new Uint8Array(),
-        resultSignature: await signAsAttestor(ClaimTunnelResponse.encode(res).finish(), client.metadata.signatureType)
-    };
-    // remove tunnel from client -- to free up our mem
-    client.removeTunnel(request.id);
-    return res;
-};

package/lib/server/handlers/completeClaimOnChain.js

@@ -1,22 +0,0 @@
-import { getContracts } from "../../avs/utils/contracts.js";
-import { getEnvVariable } from "../../utils/env.js";
-import { AttestorError, ethersStructToPlainObject } from "../../utils/index.js";
-const ACCEPT_CLAIM_PAYMENT_REQUESTS = getEnvVariable('ACCEPT_CLAIM_PAYMENT_REQUESTS') === '1';
-export const completeClaimOnChain = async ({ chainId: chainIdNum, taskIndex, completedTaskJson }) => {
-    if (!ACCEPT_CLAIM_PAYMENT_REQUESTS) {
-        throw new AttestorError('ERROR_PAYMENT_REFUSED', 'Payment requests are not accepted at this time');
-    }
-    const chainId = chainIdNum.toString();
-    const { contract } = getContracts(chainId.toString());
-    const task = JSON.parse(completedTaskJson);
-    const tx = await contract.taskCompleted(task, taskIndex);
-    const rslt = await tx.wait();
-    // check task created event was emitted
-    const ev = rslt.events?.[0];
-    const obj = ev?.args;
-    const plainObj = ethersStructToPlainObject(obj);
-    return {
-        txHash: rslt.transactionHash,
-        taskCompletedObjectJson: JSON.stringify(plainObj)
-    };
-};

package/lib/server/handlers/createClaimOnChain.js

@@ -1,26 +0,0 @@
-import { getContracts } from "../../avs/utils/contracts.js";
-import { createNewClaimRequestOnChain } from "../../avs/utils/tasks.js";
-import { getEnvVariable } from "../../utils/env.js";
-import { AttestorError, ethersStructToPlainObject } from "../../utils/index.js";
-const ACCEPT_CLAIM_PAYMENT_REQUESTS = getEnvVariable('ACCEPT_CLAIM_PAYMENT_REQUESTS') === '1';
-export const createClaimOnChain = async ({ chainId: chainIdNum, jsonCreateClaimRequest, requestSignature }) => {
-    if (!ACCEPT_CLAIM_PAYMENT_REQUESTS) {
-        throw new AttestorError('ERROR_PAYMENT_REFUSED', 'Payment requests are not accepted at this time');
-    }
-    const chainId = chainIdNum.toString();
-    const { wallet } = getContracts(chainId.toString());
-    const request = JSON.parse(jsonCreateClaimRequest);
-    const { task, tx } = await createNewClaimRequestOnChain({
-        request,
-        owner: request.owner,
-        payer: wallet,
-        chainId,
-        requestSignature: requestSignature
-    });
-    const plainTask = ethersStructToPlainObject(task);
-    return {
-        txHash: tx.transactionHash,
-        taskIndex: task.taskIndex,
-        jsonTask: JSON.stringify(plainTask)
-    };
-};

package/lib/server/handlers/createTaskOnMechain.js

@@ -1,47 +0,0 @@
-import { Contract, providers, utils, Wallet } from 'ethers';
-import { governanceABI } from "../../mechain/abis/governanceABI.js";
-import { taskABI } from "../../mechain/abis/taskABI.js";
-import { GOVERNANCE_CONTRACT_ADDRESS, RPC_URL, TASK_CONTRACT_ADDRESS } from "../../mechain/constants/index.js";
-import { getEnvVariable } from "../../utils/env.js";
-export const createTaskOnMechain = async ({ timestamp }) => {
-    const { taskContract } = await getContracts();
-    const seed = utils.randomBytes(32);
-    // Perform a static call to fetch taskId and attestors for the next task
-    const result = await taskContract.callStatic.createNewTaskRequest(seed, timestamp);
-    const taskId = result[0];
-    // Fetch requiredAttestors to determine how many proofs to request
-    const requiredAttestors = await taskContract.requiredAttestors();
-    const hosts = [];
-    // Fetch attestors's WebSocket URI, e.g. wss://attestor.reclaimprotocol.org:444/ws
-    for (let i = 0; i < requiredAttestors; i++) {
-        hosts.push(result[1][i].host);
-    }
-    // Perform the call that was statically-called previously
-    const tx = await taskContract.createNewTaskRequest(seed, timestamp);
-    await tx.wait();
-    return {
-        taskId: taskId,
-        requiredAttestors: requiredAttestors,
-        hosts: hosts
-    };
-};
-async function getContracts() {
-    const privateKey = getEnvVariable('MECHAIN_PRIVATE_KEY');
-    const taskContractAddress = getEnvVariable('TASK_CONTRACT_ADDRESS') || TASK_CONTRACT_ADDRESS;
-    const governanceContractAddress = getEnvVariable('GOVERNANCE_CONTRACT_ADDRESS') || GOVERNANCE_CONTRACT_ADDRESS;
-    if (!privateKey) {
-        throw new Error('MECHAIN_PRIVATE_KEY environment variable is not set');
-    }
-    try {
-        const provider = new providers.JsonRpcProvider(RPC_URL);
-        // Validate connection to provider
-        await provider.getNetwork();
-        const signer = new Wallet(privateKey, provider);
-        const taskContract = new Contract(taskContractAddress, taskABI, signer);
-        const governanceContract = new Contract(governanceContractAddress, governanceABI, signer);
-        return { taskContract, governanceContract };
-    }
-    catch (error) {
-        throw new Error(`Failed to initialize contracts: ${error.message || error}`);
-    }
-}

package/lib/server/handlers/createTunnel.js

@@ -1,93 +0,0 @@
-import { makeTcpTunnel } from "../tunnels/make-tcp-tunnel.js";
-import { getApm } from "../utils/apm.js";
-import { resolveHostnames } from "../utils/dns.js";
-import { AttestorError } from "../../utils/index.js";
-export const createTunnel = async ({ id, ...opts }, { tx, logger, client }) => {
-    if (client.tunnels[id]) {
-        throw AttestorError.badRequest(`Tunnel "${id}" already exists`);
-    }
-    const allowedHosts = client.metadata?.auth?.data?.hostWhitelist;
-    if (allowedHosts?.length && !allowedHosts.includes(opts.host)) {
-        throw AttestorError.badRequest(`Host "${opts.host}" not allowed by auth request`);
-    }
-    let cancelBgp;
-    const apm = getApm();
-    const sessionTx = apm
-        ?.startTransaction('tunnelConnection', { childOf: tx });
-    sessionTx?.setLabel('tunnelId', id.toString());
-    sessionTx?.setLabel('hostPort', `${opts.host}:${opts.port}`);
-    sessionTx?.setLabel('geoLocation', opts.geoLocation);
-    sessionTx?.setLabel('proxySessionId', opts.proxySessionId);
-    try {
-        const tunnel = await makeTcpTunnel({
-            ...opts,
-            logger,
-            onMessage(message) {
-                if (!client.isOpen) {
-                    logger.warn('client is closed, dropping message');
-                    return;
-                }
-                return client
-                    .sendMessage({ tunnelMessage: { tunnelId: id, message } });
-            },
-            onClose(err) {
-                cancelBgp?.();
-                if (err) {
-                    apm?.captureError(err, { parent: sessionTx });
-                    sessionTx?.setOutcome('failure');
-                }
-                else {
-                    sessionTx?.setOutcome('success');
-                }
-                sessionTx?.end();
-                if (!client.isOpen) {
-                    return;
-                }
-                client.sendMessage({
-                    tunnelDisconnectEvent: {
-                        tunnelId: id,
-                        error: err
-                            ? AttestorError
-                                .fromError(err)
-                                .toProto()
-                            : undefined
-                    }
-                })
-                    .catch(err => {
-                    logger.error({ err }, 'failed to send tunnel disconnect event');
-                });
-            },
-        });
-        try {
-            await checkForBgp(tunnel);
-        }
-        catch (err) {
-            logger.warn({ err, host: opts.host }, 'failed to start BGP overlap check');
-        }
-        client.tunnels[id] = tunnel;
-        return {};
-    }
-    catch (err) {
-        apm?.captureError(err, { parent: sessionTx });
-        sessionTx?.setOutcome('failure');
-        sessionTx?.end();
-        cancelBgp?.();
-        throw err;
-    }
-    async function checkForBgp(tunnel) {
-        if (!client.bgpListener) {
-            return;
-        }
-        // listen to all IPs for the host -- in case any of them
-        // has a BGP announcement overlap, we'll close the tunnel
-        // so the user can retry
-        const ips = await resolveHostnames(opts.host);
-        cancelBgp = client.bgpListener.onOverlap(ips, (info) => {
-            logger.warn({ info, host: opts.host }, 'BGP announcement overlap detected');
-            // track how many times we've seen a BGP overlap
-            sessionTx?.addLabels({ bgpOverlap: true, ...info });
-            void tunnel?.close(new AttestorError('ERROR_BGP_ANNOUNCEMENT_OVERLAP', `BGP announcement overlap detected for ${opts.host}`));
-        });
-        logger.debug({ ips }, 'checking for BGP overlap');
-    }
-};

package/lib/server/handlers/disconnectTunnel.js

@@ -1,5 +0,0 @@
-export const disconnectTunnel = async ({ id }, { client }) => {
-    const tunnel = client.getTunnel(id);
-    await tunnel.close();
-    return {};
-};

package/lib/server/handlers/fetchCertificateBytes.js

@@ -1,41 +0,0 @@
-import { concatenateUint8Arrays, loadX509FromPem } from '@reclaimprotocol/tls';
-import { CERT_ALLOWED_MIMETYPES, MAX_CERT_SIZE_BYTES } from "../../config/index.js";
-import { AttestorError } from "../../utils/error.js";
-export const fetchCertificateBytes = async ({ url }) => {
-    const res = await fetch(url, {
-        redirect: 'follow',
-        signal: AbortSignal.timeout(10_000)
-    });
-    if (!res.ok) {
-        res.body?.cancel('Not ok');
-        throw new AttestorError('ERROR_CERTIFICATE_FETCH_FAILED', `Failed to fetch certificate from URL: ${url}, status: ${res.status}`);
-    }
-    const contentType = res.headers.get('content-type');
-    if (!contentType || !CERT_ALLOWED_MIMETYPES.includes(contentType)) {
-        res.body?.cancel('Mismatch');
-        throw new AttestorError('ERROR_CERTIFICATE_FETCH_FAILED', `Invalid content-type when fetching certificate from URL: ${url},`
-            + ` content-type: ${contentType}`);
-    }
-    if (!res.body) {
-        throw new AttestorError('ERROR_CERTIFICATE_FETCH_FAILED', `No body in response when fetching certificate from URL: ${url}`);
-    }
-    let total = 0;
-    const byteArr = [];
-    for await (const chunk of res.body) {
-        total += chunk.length;
-        if (total > MAX_CERT_SIZE_BYTES) {
-            res.body.cancel('Too many bytes');
-            throw new AttestorError('ERROR_CERTIFICATE_FETCH_FAILED', `Certificate size exceeds maximum limit of ${MAX_CERT_SIZE_BYTES}b`);
-        }
-        byteArr.push(chunk);
-    }
-    const bytes = concatenateUint8Arrays(byteArr);
-    try {
-        const cert = loadX509FromPem(bytes);
-        TLS_INTERMEDIATE_CA_CACHE[url] = cert;
-    }
-    catch (err) {
-        throw new AttestorError('ERROR_CERTIFICATE_FETCH_FAILED', `Failed to parse certificate, error: ${err.message}`);
-    }
-    return { bytes: concatenateUint8Arrays(byteArr) };
-};

package/lib/server/handlers/index.js

@@ -1,22 +0,0 @@
-import { claimTeeBundle } from "./claimTeeBundle.js";
-import { claimTunnel } from "./claimTunnel.js";
-import { completeClaimOnChain } from "./completeClaimOnChain.js";
-import { createClaimOnChain } from "./createClaimOnChain.js";
-import { createTaskOnMechain } from "./createTaskOnMechain.js";
-import { createTunnel } from "./createTunnel.js";
-import { disconnectTunnel } from "./disconnectTunnel.js";
-import { fetchCertificateBytes } from "./fetchCertificateBytes.js";
-import { init } from "./init.js";
-import { toprf } from "./toprf.js";
-export const HANDLERS = {
-    createTunnel,
-    disconnectTunnel,
-    claimTunnel,
-    claimTeeBundle,
-    init,
-    createClaimOnChain,
-    completeClaimOnChain,
-    toprf,
-    createTaskOnMechain,
-    fetchCertificateBytes
-};

package/lib/server/handlers/init.js

@@ -1,32 +0,0 @@
-import { ethers } from 'ethers';
-import { getAttestorAddress } from "../utils/generics.js";
-import { assertValidAuthRequest } from "../../utils/auth.js";
-import { getEnvVariable } from "../../utils/env.js";
-import { AttestorError } from "../../utils/index.js";
-import { SIGNATURES } from "../../utils/signatures/index.js";
-const TOPRF_PUBLIC_KEY = getEnvVariable('TOPRF_PUBLIC_KEY');
-export const init = async (initRequest, { client }) => {
-    if (client.isInitialised) {
-        throw AttestorError.badRequest('Client already initialised');
-    }
-    if (!SIGNATURES[initRequest.signatureType]) {
-        throw AttestorError.badRequest('Unsupported signature type');
-    }
-    if (initRequest.clientVersion <= 0) {
-        throw AttestorError.badRequest('Unsupported client version');
-    }
-    await assertValidAuthRequest(initRequest.auth, initRequest.signatureType);
-    if (initRequest.auth?.data) {
-        client.logger = client.logger.child({
-            userId: initRequest.auth.data.id
-        });
-    }
-    client.metadata = initRequest;
-    client.isInitialised = true;
-    return {
-        toprfPublicKey: TOPRF_PUBLIC_KEY
-            ? ethers.utils.arrayify(TOPRF_PUBLIC_KEY)
-            : new Uint8Array(),
-        attestorAddress: getAttestorAddress(initRequest.signatureType)
-    };
-};

package/lib/server/handlers/toprf.js

@@ -1,16 +0,0 @@
-import { ethers } from 'ethers';
-import { getEnvVariable } from "../../utils/env.js";
-import { getEngineString, makeDefaultOPRFOperator } from "../../utils/index.js";
-export const toprf = async ({ maskedData, engine }, { logger }) => {
-    const PRIVATE_KEY_STR = getEnvVariable('TOPRF_SHARE_PRIVATE_KEY');
-    const PUBLIC_KEY_STR = getEnvVariable('TOPRF_SHARE_PUBLIC_KEY');
-    if (!PRIVATE_KEY_STR || !PUBLIC_KEY_STR) {
-        throw new Error('private/public keys not set. Cannot execute OPRF');
-    }
-    const PRIVATE_KEY = ethers.utils.arrayify(PRIVATE_KEY_STR);
-    const PUBLIC_KEY = ethers.utils.arrayify(PUBLIC_KEY_STR);
-    const engineStr = getEngineString(engine);
-    const operator = makeDefaultOPRFOperator('chacha20', engineStr, logger);
-    const res = await operator.evaluateOPRF(PRIVATE_KEY, maskedData);
-    return { ...res, publicKeyShare: PUBLIC_KEY };
-};

package/lib/server/index.js

@@ -1,4 +0,0 @@
-export * from "./utils/config-env.js";
-export * from "./create-server.js";
-export * from "./tunnels/make-tcp-tunnel.js";
-export * from "./utils/assert-valid-claim-request.js";

package/lib/server/socket.js

@@ -1,109 +0,0 @@
-import { promisify } from 'util';
-import { handleMessage } from "../client/utils/message-handler.js";
-import { DEFAULT_RPC_TIMEOUT_MS } from "../config/index.js";
-import { HANDLERS } from "./handlers/index.js";
-import { getApm } from "./utils/apm.js";
-import { getInitialMessagesFromQuery } from "./utils/generics.js";
-import { AttestorError, generateSessionId } from "../utils/index.js";
-import { AttestorSocket } from "../utils/socket-base.js";
-export class AttestorServerSocket extends AttestorSocket {
-    tunnels = {};
-    sessionId;
-    bgpListener;
-    constructor(socket, sessionId, bgpListener, logger) {
-        // @ts-ignore
-        super(socket, {}, logger);
-        this.sessionId = sessionId;
-        this.bgpListener = bgpListener;
-        // handle RPC requests
-        this.addEventListener('rpc-request', handleRpcRequest.bind(this));
-        // forward packets to the appropriate tunnel
-        this.addEventListener('tunnel-message', handleTunnelMessage.bind(this));
-        // close all tunnels when the connection is terminated
-        // since this tunnel can no longer be written to
-        this.addEventListener('connection-terminated', () => {
-            for (const tunnelId in this.tunnels) {
-                const tunnel = this.tunnels[tunnelId];
-                void tunnel.close(new Error('WS session terminated'));
-            }
-        });
-    }
-    getTunnel(tunnelId) {
-        const tunnel = this.tunnels[tunnelId];
-        if (!tunnel) {
-            throw new AttestorError('ERROR_NOT_FOUND', `Tunnel "${tunnelId}" not found`);
-        }
-        return tunnel;
-    }
-    removeTunnel(tunnelId) {
-        delete this.tunnels[tunnelId];
-    }
-    static async acceptConnection(socket, { req, logger, bgpListener }) {
-        // promisify ws.send -- so the sendMessage method correctly
-        // awaits the send operation
-        const bindSend = socket.send.bind(socket);
-        socket.send = promisify(bindSend);
-        const sessionId = generateSessionId();
-        logger = logger.child({ sessionId });
-        const client = new AttestorServerSocket(socket, sessionId, bgpListener, logger);
-        try {
-            const initMsgs = getInitialMessagesFromQuery(req);
-            logger.trace({ initMsgs: initMsgs.length }, 'new connection, validating...');
-            for (const msg of initMsgs) {
-                await handleMessage.call(client, msg);
-            }
-            logger.debug('connection accepted');
-        }
-        catch (err) {
-            logger.error({ err }, 'error in new connection');
-            if (client.isOpen) {
-                await client.terminateConnection(err instanceof AttestorError
-                    ? err
-                    : AttestorError.badRequest(err.message));
-            }
-            return;
-        }
-        return client;
-    }
-}
-async function handleTunnelMessage({ data: { tunnelId, message } }) {
-    try {
-        const tunnel = this.getTunnel(tunnelId);
-        await tunnel.write(message);
-    }
-    catch (err) {
-        this.logger?.error({ err, tunnelId }, 'error writing to tunnel');
-    }
-}
-async function handleRpcRequest({ data: { data, requestId, respond, type } }) {
-    const logger = this.logger.child({ rpc: type, requestId });
-    const apm = getApm();
-    const tx = apm?.startTransaction(type);
-    tx?.setLabel('requestId', requestId);
-    tx?.setLabel('sessionId', this.sessionId.toString());
-    const userId = this.metadata.auth?.data?.id;
-    if (userId) {
-        tx?.setLabel('authUserId', userId);
-    }
-    const timeout = setTimeout(() => {
-        logger.warn({ type, requestId }, 'RPC took too long to respond');
-    }, DEFAULT_RPC_TIMEOUT_MS);
-    try {
-        logger.debug({ data }, 'handling RPC request');
-        const handler = HANDLERS[type];
-        const res = await handler(data, { client: this, logger, tx });
-        respond(res);
-        logger.debug({ res }, 'handled RPC request');
-        tx?.setOutcome('success');
-    }
-    catch (err) {
-        logger.error({ err }, 'error in RPC request');
-        respond(AttestorError.fromError(err));
-        tx?.setOutcome('failure');
-        apm?.captureError(err, { parent: tx });
-    }
-    finally {
-        clearTimeout(timeout);
-        tx?.end();
-    }
-}