@reclaimprotocol/attestor-core 5.0.4 → 5.0.5

package/lib/server/utils/tee-verification.js

@@ -1,421 +0,0 @@
-/**
- * TEE Bundle verification utilities
- * Handles validation of TEE verification bundles including attestations and signatures
- */
-import { ServiceSignatureType } from "../../proto/api.js";
-import { BodyType, KOutputPayload, TOutputPayload, VerificationBundle } from "../../proto/tee-bundle.js";
-import { validateGcpAttestationAndExtractKey } from "./gcp-attestation.js";
-import { validateNitroAttestationAndExtractKey } from "./nitro-attestation.js";
-import { AttestorError } from "../../utils/error.js";
-import { SIGNATURES } from "../../utils/signatures/index.js";
-/**
- * Verifies a complete TEE verification bundle
- * @param bundleBytes - Raw protobuf-encoded verification bundle
- * @param logger - Logger instance
- * @returns Validated TEE bundle data
- */
-export async function verifyTeeBundle(bundleBytes, logger) {
-    // Parse the verification bundle protobuf
-    const bundle = parseVerificationBundle(bundleBytes);
-    // Validate required components are present
-    validateBundleCompleteness(bundle);
-    // Extract public keys (from attestations or embedded keys)
-    const { teekKeyResult, teetKeyResult } = await extractPublicKeys(bundle, logger);
-    // Verify TEE signatures using extracted public keys
-    await verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger);
-    // Ensure signed messages are present
-    if (!bundle.teekSigned || !bundle.teetSigned) {
-        throw new AttestorError('ERROR_INVALID_CLAIM', 'Missing TEE signed messages');
-    }
-    // Parse TEE payloads
-    const kOutputPayload = parseKOutputPayload(bundle.teekSigned);
-    const tOutputPayload = parseTOutputPayload(bundle.teetSigned);
-    // Validate timestamps
-    validateTimestamps(kOutputPayload, tOutputPayload, logger);
-    // Validate session IDs match (prevents cross-session component substitution)
-    const teeSessionId = validateSessionIds(kOutputPayload, tOutputPayload, logger);
-    logger.info('TEE bundle verification successful');
-    return {
-        teekSigned: bundle.teekSigned,
-        teetSigned: bundle.teetSigned,
-        kOutputPayload,
-        tOutputPayload,
-        teekPcr0: teekKeyResult.pcr0,
-        teetPcr0: teetKeyResult.pcr0,
-        teeSessionId,
-    };
-}
-/**
- * Parses the raw verification bundle bytes into structured data
- */
-function parseVerificationBundle(bundleBytes) {
-    try {
-        // Use the actual protobuf decoder for the TEE bundle format
-        return VerificationBundle.decode(bundleBytes);
-    }
-    catch (error) {
-        throw new Error(`Failed to parse verification bundle: ${error.message}`);
-    }
-}
-/**
- * Validates that all required bundle components are present
- */
-function validateBundleCompleteness(bundle) {
-    if (!bundle.teekSigned) {
-        throw new Error('SECURITY ERROR: missing TEE_K signed message - verification bundle incomplete');
-    }
-    if (!bundle.teetSigned) {
-        throw new Error('SECURITY ERROR: missing TEE_T signed message - verification bundle incomplete');
-    }
-    // Check if we're in standalone mode (development/testing) or attestation mode (production)
-    // Attestations are now embedded in SignedMessage.attestationReport
-    const hasAttestations = (bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0) ||
-        (bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0);
-    const hasPublicKeys = (bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0) ||
-        (bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0);
-    if (!hasAttestations && !hasPublicKeys) {
-        throw new Error('SECURITY ERROR: bundle must have either Nitro attestations (production) or embedded public keys (development)');
-    }
-    // Validate signed message structure
-    if (bundle.teekSigned.bodyType !== BodyType.BODY_TYPE_K_OUTPUT) {
-        throw new Error('Invalid TEE_K signed message: wrong body type');
-    }
-    if (bundle.teetSigned.bodyType !== BodyType.BODY_TYPE_T_OUTPUT) {
-        throw new Error('Invalid TEE_T signed message: wrong body type');
-    }
-    if (!bundle.teekSigned.body || bundle.teekSigned.body.length === 0) {
-        throw new Error('Invalid TEE_K signed message: empty body');
-    }
-    if (!bundle.teetSigned.body || bundle.teetSigned.body.length === 0) {
-        throw new Error('Invalid TEE_T signed message: empty body');
-    }
-    if (!bundle.teekSigned.signature || bundle.teekSigned.signature.length === 0) {
-        throw new Error('Invalid TEE_K signed message: missing signature');
-    }
-    if (!bundle.teetSigned.signature || bundle.teetSigned.signature.length === 0) {
-        throw new Error('Invalid TEE_T signed message: missing signature');
-    }
-}
-/**
- * Extracts public keys from either Nitro attestations or embedded keys (standalone mode)
- */
-async function extractPublicKeys(bundle, logger) {
-    // Check if we have attestations (production mode) or embedded keys (standalone mode)
-    // Attestations are now embedded in SignedMessage.attestationReport
-    const hasEmbeddedAttestations = (bundle.teekSigned.attestationReport?.report && bundle.teekSigned.attestationReport.report.length > 0) &&
-        (bundle.teetSigned.attestationReport?.report && bundle.teetSigned.attestationReport.report.length > 0);
-    let teekKeyResult;
-    let teetKeyResult;
-    if (hasEmbeddedAttestations) {
-        // Production mode: Extract from attestations (Nitro or GCP)
-        logger.info('Using production mode: extracting keys from attestations');
-        if (!bundle.teekSigned?.attestationReport?.report) {
-            throw new Error('TEE_K embedded attestation report missing');
-        }
-        if (!bundle.teetSigned?.attestationReport?.report) {
-            throw new Error('TEE_T embedded attestation report missing');
-        }
-        const teekAttestationType = bundle.teekSigned.attestationReport.type || 'nitro';
-        const teetAttestationType = bundle.teetSigned.attestationReport.type || 'nitro';
-        logger.info(`TEE_K attestation type: ${teekAttestationType}`);
-        logger.info(`TEE_T attestation type: ${teetAttestationType}`);
-        const teekAttestationBytes = bundle.teekSigned.attestationReport.report;
-        const teetAttestationBytes = bundle.teetSigned.attestationReport.report;
-        // Validate TEE_K attestation based on type
-        if (teekAttestationType === 'gcp') {
-            const gcpResult = await validateGcpAttestationAndExtractKey(teekAttestationBytes, logger);
-            if (!gcpResult.isValid) {
-                throw new Error(`TEE_K GCP attestation validation failed: ${gcpResult.errors.join(', ')}`);
-            }
-            if (!gcpResult.ethAddress) {
-                throw new Error('TEE_K GCP attestation validation failed: no address');
-            }
-            if (gcpResult.userDataType !== 'tee_k') {
-                throw new Error(`TEE_K GCP attestation validation failed: wrong TEE type, expected tee_k, got ${gcpResult.userDataType}`);
-            }
-            teekKeyResult = {
-                teeType: gcpResult.userDataType,
-                ethAddress: '0x' + Buffer.from(gcpResult.ethAddress).toString('hex'),
-                pcr0: gcpResult.pcr0 || 'gcp-no-digest'
-            };
-        }
-        else {
-            const nitroResult = await validateNitroAttestationAndExtractKey(teekAttestationBytes);
-            if (!nitroResult.isValid) {
-                throw new Error(`TEE_K Nitro attestation validation failed: ${nitroResult.errors.join(', ')}`);
-            }
-            if (!nitroResult.ethAddress) {
-                throw new Error('TEE_K Nitro attestation validation failed: no address');
-            }
-            if (nitroResult.userDataType !== 'tee_k') {
-                throw new Error(`TEE_K Nitro attestation validation failed: wrong TEE type, expected tee_k, got ${nitroResult.userDataType}`);
-            }
-            teekKeyResult = {
-                teeType: nitroResult.userDataType,
-                ethAddress: nitroResult.ethAddress,
-                pcr0: nitroResult.pcr0
-            };
-        }
-        // Validate TEE_T attestation based on type
-        if (teetAttestationType === 'gcp') {
-            const gcpResult = await validateGcpAttestationAndExtractKey(teetAttestationBytes, logger);
-            if (!gcpResult.isValid) {
-                throw new Error(`TEE_T GCP attestation validation failed: ${gcpResult.errors.join(', ')}`);
-            }
-            if (!gcpResult.ethAddress) {
-                throw new Error('TEE_T GCP attestation validation failed: no address');
-            }
-            if (gcpResult.userDataType !== 'tee_t') {
-                throw new Error(`TEE_T GCP attestation validation failed: wrong TEE type, expected tee_t, got ${gcpResult.userDataType}`);
-            }
-            teetKeyResult = {
-                teeType: gcpResult.userDataType,
-                ethAddress: '0x' + Buffer.from(gcpResult.ethAddress).toString('hex'),
-                pcr0: gcpResult.pcr0 || 'gcp-no-digest'
-            };
-            // Cross-validate: TEE_T must have EXPECTED_TEEK_PCR0 env var matching TEE_K's PCR0
-            if (!gcpResult.envVars?.EXPECTED_TEEK_PCR0) {
-                throw new Error('TEE_T GCP attestation missing required EXPECTED_TEEK_PCR0 environment variable');
-            }
-            const expectedPcr0 = gcpResult.envVars.EXPECTED_TEEK_PCR0;
-            const actualPcr0 = teekKeyResult.pcr0;
-            logger.info(`Cross-validating TEE_K PCR0: expected=${expectedPcr0}, actual=${actualPcr0}`);
-            if (expectedPcr0 !== actualPcr0) {
-                throw new Error(`TEE cross-validation failed: TEE_T expects TEE_K PCR0 "${expectedPcr0}" but got "${actualPcr0}"`);
-            }
-            logger.info('TEE cross-validation successful: TEE_K PCR0 matches TEE_T expectation');
-        }
-        else {
-            const nitroResult = await validateNitroAttestationAndExtractKey(teetAttestationBytes);
-            if (!nitroResult.isValid) {
-                throw new Error(`TEE_T Nitro attestation validation failed: ${nitroResult.errors.join(', ')}`);
-            }
-            if (!nitroResult.ethAddress) {
-                throw new Error('TEE_T Nitro attestation validation failed: no address');
-            }
-            if (nitroResult.userDataType !== 'tee_t') {
-                throw new Error(`TEE_T Nitro attestation validation failed: wrong TEE type, expected tee_t, got ${nitroResult.userDataType}`);
-            }
-            teetKeyResult = {
-                teeType: nitroResult.userDataType,
-                ethAddress: nitroResult.ethAddress,
-                pcr0: nitroResult.pcr0
-            };
-        }
-        logger.info('Attestations validated successfully');
-    }
-    else {
-        // Standalone/Development mode: Extract from embedded ETH addresses
-        // SECURITY: Only allow standalone mode when explicitly enabled via environment variable
-        const standaloneEnabled = process.env.TEE_STANDALONE === 'true' || process.env.TEE_STANDALONE === '1';
-        if (!standaloneEnabled) {
-            throw new Error('Missing attestation reports and standalone mode is not enabled (set TEE_STANDALONE=true to enable)');
-        }
-        const hasEmbeddedKeys = (bundle.teekSigned.ethAddress && bundle.teekSigned.ethAddress.length > 0) &&
-            (bundle.teetSigned.ethAddress && bundle.teetSigned.ethAddress.length > 0);
-        if (!hasEmbeddedKeys) {
-            throw new Error('Missing attestation and no embedded ETH addresses for standalone mode');
-        }
-        logger.warn('STANDALONE MODE ENABLED: Using embedded ETH addresses without attestation verification');
-        // Extract TEE_K address (stored as UTF-8 string like "0xe3c8d66...")
-        const teekAddress = Buffer.from(bundle.teekSigned.ethAddress).toString('utf8');
-        teekKeyResult = {
-            teeType: 'tee_k',
-            ethAddress: teekAddress,
-            pcr0: 'standalone-mode' // No PCR0 in standalone mode
-        };
-        logger.info(`TEE_K standalone address: ${teekAddress}`);
-        // Extract TEE_T address (stored as UTF-8 string like "0x3b8ad67...")
-        const teetAddress = Buffer.from(bundle.teetSigned.ethAddress).toString('utf8');
-        teetKeyResult = {
-            teeType: 'tee_t',
-            ethAddress: teetAddress,
-            pcr0: 'standalone-mode' // No PCR0 in standalone mode
-        };
-        logger.info(`TEE_T standalone address: ${teetAddress}`);
-        logger.info('Standalone mode key extraction successful');
-    }
-    return {
-        teekKeyResult,
-        teetKeyResult
-    };
-}
-/**
- * Verifies TEE signatures using extracted key results
- */
-async function verifyTeeSignatures(bundle, teekKeyResult, teetKeyResult, logger) {
-    // Verify TEE_K signature
-    if (!bundle.teekSigned) {
-        throw new Error('TEE_K signed message is missing');
-    }
-    const teekResult = await verifyTeeSignature(bundle.teekSigned, teekKeyResult, 'TEE_K', logger);
-    if (!teekResult.isValid) {
-        throw new Error(`TEE_K signature verification failed: ${teekResult.errors.join(', ')}`);
-    }
-    // Verify TEE_T signature
-    if (!bundle.teetSigned) {
-        throw new Error('TEE_T signed message is missing');
-    }
-    const teetResult = await verifyTeeSignature(bundle.teetSigned, teetKeyResult, 'TEE_T', logger);
-    if (!teetResult.isValid) {
-        throw new Error(`TEE_T signature verification failed: ${teetResult.errors.join(', ')}`);
-    }
-    logger.info('TEE signatures verified successfully');
-}
-/**
- * Verifies a single TEE signature using ETH address format
- */
-async function verifyTeeSignature(signedMessage, extractedKey, teeType, logger) {
-    const errors = [];
-    if (!signedMessage) {
-        return {
-            isValid: false,
-            errors: ['Signed message is null or undefined']
-        };
-    }
-    try {
-        let ethAddress;
-        if (extractedKey.ethAddress) {
-            ethAddress = extractedKey.ethAddress;
-            logger.debug(`${teeType} using ETH address from attestation: ${ethAddress}`);
-        }
-        else {
-            return {
-                isValid: false,
-                errors: ['eth address is null'],
-            };
-        }
-        // Use the ETH signature verification from the existing system
-        const { verify: verifySig } = SIGNATURES[ServiceSignatureType.SERVICE_SIGNATURE_TYPE_ETH];
-        // Verify signature over the body bytes
-        const isValid = await verifySig(signedMessage.body, signedMessage.signature, ethAddress);
-        if (!isValid) {
-            errors.push(`${teeType} signature verification failed for address ${ethAddress}`);
-        }
-        logger.debug(`${teeType} signature verification result: ${isValid} for address ${ethAddress}`);
-        return {
-            isValid: errors.length === 0,
-            errors,
-            address: extractedKey.ethAddress
-        };
-    }
-    catch (error) {
-        errors.push(`${teeType} signature verification error: ${error.message}`);
-        return {
-            isValid: false,
-            errors
-        };
-    }
-}
-/**
- * Parses TEE_K output payload
- */
-function parseKOutputPayload(signedMessage) {
-    // Use actual protobuf decoding
-    const payload = KOutputPayload.decode(signedMessage.body);
-    // Validate required fields
-    if (!payload.redactedRequest) {
-        throw new Error('Missing redacted request in TEE_K payload');
-    }
-    if (!payload.consolidatedResponseKeystream || payload.consolidatedResponseKeystream.length === 0) {
-        throw new Error('Missing consolidated response keystream in TEE_K payload');
-    }
-    if (!payload.certificateInfo) {
-        throw new Error('Missing certificate info in TEE_K payload');
-    }
-    return payload;
-}
-/**
- * Parses TEE_T output payload
- */
-function parseTOutputPayload(signedMessage) {
-    // Use actual protobuf decoding
-    const payload = TOutputPayload.decode(signedMessage.body);
-    // Validate required fields
-    if (!payload.consolidatedResponseCiphertext || payload.consolidatedResponseCiphertext.length === 0) {
-        throw new Error('Missing consolidated response ciphertext in TEE_T payload');
-    }
-    return payload;
-}
-/**
- * Validates that both K and T timestamps are within acceptable range
- * @param kPayload - K output payload with timestamp
- * @param tPayload - T output payload with timestamp
- * @param logger - Logger instance
- */
-function validateTimestamps(kPayload, tPayload, logger) {
-    const now = Date.now(); // Current time in milliseconds
-    const kTimestamp = kPayload.timestampMs;
-    const tTimestamp = tPayload.timestampMs;
-    // Convert to seconds for logging consistency with existing code
-    const kTimestampS = Math.floor(kTimestamp / 1000);
-    const tTimestampS = Math.floor(tTimestamp / 1000);
-    const nowS = Math.floor(now / 1000);
-    logger.info('Validating TEE timestamps', {
-        kTimestampMs: kTimestamp,
-        tTimestampMs: tTimestamp,
-        kTimestampS,
-        tTimestampS,
-        nowS
-    });
-    // 1. Check that both timestamps are not earlier than 10 minutes in the past
-    const maxAgeMs = 10 * 60 * 1000; // 10 minutes in milliseconds
-    const oldestAllowed = now - maxAgeMs;
-    if (kTimestamp < oldestAllowed) {
-        throw new Error(`TEE_K timestamp ${kTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
-    }
-    if (tTimestamp < oldestAllowed) {
-        throw new Error(`TEE_T timestamp ${tTimestamp} is too old. Must be within 10 minutes of current time ${now}`);
-    }
-    // 1b. Check that timestamps are not in the future (with small tolerance for clock skew)
-    const maxFutureMs = 60 * 1000; // 1 minute tolerance for clock skew
-    const maxAllowed = now + maxFutureMs;
-    if (kTimestamp > maxAllowed) {
-        throw new Error(`TEE_K timestamp ${kTimestamp} is in the future. Current time is ${now}`);
-    }
-    if (tTimestamp > maxAllowed) {
-        throw new Error(`TEE_T timestamp ${tTimestamp} is in the future. Current time is ${now}`);
-    }
-    // 2. Check that both timestamps are within 1 minute of each other
-    const timestampDiffMs = Math.abs(kTimestamp - tTimestamp);
-    const maxDiffMs = 60 * 1000; // 1 minute
-    if (timestampDiffMs > maxDiffMs) {
-        throw new Error(`TEE timestamps differ by ${timestampDiffMs}ms, which exceeds maximum allowed difference of ${maxDiffMs}ms (1 minute)`);
-    }
-    logger.info('TEE timestamp validation successful', {
-        timestampDiffMs,
-        ageKMs: now - kTimestamp,
-        ageTMs: now - tTimestamp
-    });
-}
-/**
- * Validates that both K and T payloads have matching session IDs
- * SECURITY: Prevents cross-session component substitution attacks
- * @param kPayload - K output payload with session_id
- * @param tPayload - T output payload with session_id
- * @param logger - Logger instance
- * @returns The validated session ID
- */
-function validateSessionIds(kPayload, tPayload, logger) {
-    const kSessionId = kPayload.sessionId;
-    const tSessionId = tPayload.sessionId;
-    logger.info('Validating TEE session IDs', {
-        kSessionId,
-        tSessionId
-    });
-    // Both session IDs must be present
-    if (!kSessionId || kSessionId.length === 0) {
-        throw new AttestorError('ERROR_INVALID_CLAIM', 'Missing session_id in TEE_K payload - required for cross-TEE binding');
-    }
-    if (!tSessionId || tSessionId.length === 0) {
-        throw new AttestorError('ERROR_INVALID_CLAIM', 'Missing session_id in TEE_T payload - required for cross-TEE binding');
-    }
-    // Session IDs must match
-    if (kSessionId !== tSessionId) {
-        throw new AttestorError('ERROR_INVALID_CLAIM', `Session ID mismatch: TEE_K session_id "${kSessionId}" does not match TEE_T session_id "${tSessionId}".`);
-    }
-    logger.info('TEE session ID validation successful', {
-        sessionId: kSessionId
-    });
-    return kSessionId;
-}

package/lib/server/utils/validation.js

@@ -1,38 +0,0 @@
-import { Ajv } from 'ajv';
-import { PROVIDER_SCHEMAS } from "../../types/providers.gen.js";
-import { AttestorError } from "../../utils/error.js";
-const PROVIDER_VALIDATOR_MAP = {};
-const AJV = new Ajv({
-    allErrors: true,
-    strict: true,
-    strictRequired: false,
-    formats: {
-        binary(data) {
-            return data instanceof Uint8Array
-                || (typeof Buffer !== 'undefined'
-                    && Buffer.isBuffer(data));
-        },
-        url(data) {
-            try {
-                new URL(data);
-                return true;
-            }
-            catch {
-                return false;
-            }
-        }
-    }
-});
-export function assertValidateProviderParams(name, params) {
-    let validate = PROVIDER_VALIDATOR_MAP[name];
-    if (!validate) {
-        const schema = PROVIDER_SCHEMAS[name]?.parameters;
-        if (!schema) {
-            throw new AttestorError('ERROR_BAD_REQUEST', `Invalid provider name "${String(name)}"`);
-        }
-        validate = AJV.compile(schema);
-    }
-    if (!validate?.(params)) {
-        throw new AttestorError('ERROR_BAD_REQUEST', 'Params validation failed', { errors: JSON.stringify(validate.errors) });
-    }
-}

package/lib/types/bgp.js

@@ -1 +0,0 @@
-export {};

package/lib/types/claims.js

@@ -1 +0,0 @@
-export {};

package/lib/types/client.js

@@ -1 +0,0 @@
-export {};

package/lib/types/general.js

@@ -1 +0,0 @@
-export {};

package/lib/types/handlers.js

@@ -1 +0,0 @@
-export {};

package/lib/types/index.js

@@ -1,10 +0,0 @@
-export * from "./providers.js";
-export * from "./general.js";
-export * from "./signatures.js";
-export * from "./claims.js";
-export * from "./zk.js";
-export * from "./client.js";
-export * from "./rpc.js";
-export * from "./tunnel.js";
-export * from "./handlers.js";
-export * from "./bgp.js";

package/lib/types/providers.gen.js

@@ -1,10 +0,0 @@
-/* eslint-disable */
-/* Generated file. Do not edit */
-export const HttpProviderParametersJson = { "title": "HttpProviderParameters", "type": "object", "required": ["url", "method", "responseMatches"], "properties": { "url": { "type": "string", "format": "url", "description": "which URL does the request have to be made to Has to be a valid https URL for eg. https://amazon.in/orders?q=abcd" }, "method": { "type": "string", "enum": ["GET", "POST", "PUT", "PATCH"] }, "geoLocation": { "type": "string", "nullable": true, "description": "Specify the geographical location from where to proxy the request. 2-letter ISO country code or parameter (public or secret)" }, "proxySessionId": { "type": "string", "nullable": true, "description": "Specify the unique session id for allowing use of same proxy ip across multiple requests. Can be a smallcase alphanumeric string of length 8-14 characters. eg. \"mystring12345\", \"something1234\"." }, "headers": { "type": "object", "description": "Any additional headers to be sent with the request Note: these will be revealed to the attestor & won't be redacted from the transcript. To add hidden headers, use 'secretParams.headers' instead", "additionalProperties": { "type": "string" } }, "body": { "description": "Body of the HTTP request", "oneOf": [{ "type": "string", "format": "binary" }, { "type": "string" }] }, "writeRedactionMode": { "type": "string", "description": "If the API doesn't perform well with the \"key-update\" method of redaction, you can switch to \"zk\" mode by setting this to \"zk\"", "enum": ["zk", "key-update"] }, "additionalClientOptions": { "type": "object", "description": "Apply TLS configuration when creating the tunnel to the attestor.", "nullable": true, "properties": { "supportedProtocolVersions": { "type": "array", "minItems": 1, "uniqueItems": true, "items": { "type": "string", "enum": ["TLS1_2", "TLS1_3"] } } } }, "responseMatches": { "type": "array", "minItems": 1, "uniqueItems": true, "description": "The attestor will use this list to check that the redacted response does indeed match all the provided strings/regexes", "items": { "type": "object", "required": ["value", "type"], "properties": { "value": { "type": "string", "description": "\"regex\": the response must match the regex \"contains\": the response must contain the provided\n string exactly" }, "type": { "type": "string", "description": "The string/regex to match against", "enum": ["regex", "contains"] }, "invert": { "type": "boolean", "description": "Inverses the matching logic. Fail when match is found and proceed otherwise" } }, "additionalProperties": false } }, "responseRedactions": { "type": "array", "uniqueItems": true, "description": "which portions to select from a response. These are selected in order, xpath => jsonPath => regex * These redactions are done client side and only the selected portions are sent to the attestor. The attestor will only be able to see the selected portions alongside the first line of the HTTP response (i.e. \"HTTP/1.1 200 OK\") * To disable any redactions, pass an empty array", "items": { "type": "object", "properties": { "xPath": { "type": "string", "nullable": true, "description": "expect an HTML response, and to contain a certain xpath for eg. \"/html/body/div.a1/div.a2/span.a5\"" }, "jsonPath": { "type": "string", "nullable": true, "description": "expect a JSON response, retrieve the item at this path using dot notation for e.g. 'email.addresses.0'" }, "regex": { "type": "string", "nullable": true, "description": "select a regex match from the response" }, "hash": { "type": "string", "description": "If provided, the value inside will be hashed instead of being redacted. Useful for cases where the data inside is an identifiying piece of information that you don't want to reveal to the attestor, eg. an email address.\nIf the hash function produces more bytes than the original value, the hash will be truncated.\nEg. if hash is enabled, the original value is \"hello\", and hashed is \"a1b2c\", then the attestor will only see \"a1b2c\".\nNote: if a regex with named groups is provided, only the named groups will be hashed.", "enum": ["oprf", "oprf-mpc"] } }, "additionalProperties": false } }, "paramValues": { "type": "object", "description": "A map of parameter values which are user in form of {{param}} in URL, responseMatches, responseRedactions, body, geolocation. Those in URL, responseMatches & geo will be put into context and signed This value will NOT be included in provider hash", "additionalProperties": { "type": "string" } } }, "additionalProperties": false };
-export const HttpProviderSecretParametersJson = { "title": "HttpProviderSecretParameters", "type": "object", "description": "Secret parameters to be used with HTTP provider. None of the values in this object will be shown to the attestor", "properties": { "cookieStr": { "type": "string", "description": "cookie string for authorisation." }, "authorisationHeader": { "type": "string", "description": "authorisation header value" }, "headers": { "type": "object", "description": "Headers that need to be hidden from the attestor", "additionalProperties": { "type": "string" } }, "paramValues": { "type": "object", "description": "A map of parameter values which are user in form of {{param}} in body these parameters will NOT be shown to attestor and extracted", "additionalProperties": { "type": "string" } } }, "additionalProperties": false };
-export const PROVIDER_SCHEMAS = {
-    http: {
-        parameters: HttpProviderParametersJson,
-        secretParameters: HttpProviderSecretParametersJson
-    },
-};

package/lib/types/providers.js

@@ -1 +0,0 @@
-export {};

package/lib/types/rpc.js

@@ -1 +0,0 @@
-export {};

package/lib/types/signatures.js

@@ -1 +0,0 @@
-export {};

package/lib/types/tunnel.js

@@ -1 +0,0 @@
-export {};

package/lib/types/zk.js

@@ -1 +0,0 @@
-export {};

package/lib/utils/auth.js

@@ -1,59 +0,0 @@
-import { ethers } from 'ethers';
-import { DEFAULT_AUTH_EXPIRY_S } from "../config/index.js";
-import { AuthenticatedUserData } from "../proto/api.js";
-import { getEnvVariable } from "./env.js";
-import { AttestorError } from "./error.js";
-import { unixTimestampSeconds } from "./generics.js";
-import { SelectedServiceSignature, SIGNATURES } from "./signatures/index.js";
-export async function assertValidAuthRequest(request, signatureType) {
-    const publicKey = getEnvVariable('AUTHENTICATION_PUBLIC_KEY');
-    // nothing to verify
-    if (!request) {
-        // if pub key is provided -- but user didn't attempt to
-        // authenticate, then we should throw an error
-        if (publicKey) {
-            throw new AttestorError('ERROR_AUTHENTICATION_FAILED', 'User must be authenticated');
-        }
-        return;
-    }
-    if (!publicKey) {
-        throw new AttestorError('ERROR_BAD_REQUEST', 'The attestor is not configured for authentication');
-    }
-    const { signature, data } = request;
-    if (!data) {
-        throw new AttestorError('ERROR_AUTHENTICATION_FAILED', 'Missing data in auth request');
-    }
-    if (data.expiresAt < unixTimestampSeconds()) {
-        throw new AttestorError('ERROR_AUTHENTICATION_FAILED', 'Authentication request has expired');
-    }
-    const proto = AuthenticatedUserData.encode(data).finish();
-    const signatureAlg = SIGNATURES[signatureType];
-    const address = signatureAlg.getAddress(await ethers.utils.arrayify(publicKey));
-    const verified = await signatureAlg
-        .verify(proto, signature, address);
-    if (!verified) {
-        throw new AttestorError('ERROR_AUTHENTICATION_FAILED', 'Signature verification failed');
-    }
-}
-/**
- * Create an authentication request with the given data and private key,
- * which can then be used to authenticate with the service.
- */
-export async function createAuthRequest(_data, privateKey) {
-    const createdAt = unixTimestampSeconds();
-    const data = {
-        createdAt,
-        expiresAt: createdAt + DEFAULT_AUTH_EXPIRY_S,
-        id: '',
-        hostWhitelist: [],
-        ..._data,
-    };
-    const proto = AuthenticatedUserData.encode(data).finish();
-    const signature = await SelectedServiceSignature
-        .sign(proto, privateKey);
-    const request = {
-        data,
-        signature
-    };
-    return request;
-}

package/lib/utils/b64-json.js

@@ -1,17 +0,0 @@
-import { utils } from 'ethers';
-export const B64_JSON_REPLACER = (key, value) => {
-    if (value instanceof Uint8Array
-        || (typeof value === 'object'
-            && value
-            && 'buffer' in value
-            && value.buffer instanceof ArrayBuffer)) {
-        return { type: 'uint8array', value: utils.base64.encode(value) };
-    }
-    return value;
-};
-export const B64_JSON_REVIVER = (key, value) => {
-    if (value?.type === 'uint8array') {
-        return utils.base64.decode(value.value);
-    }
-    return value;
-};