npm - @reclaimprotocol/js-sdk - Versions diffs - 5.2.0 → 5.3.0-dev.1 - Mend

@reclaimprotocol/js-sdk 5.2.0 → 5.3.0-dev.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -705,16 +705,18 @@ const { isVerified } = await verifyProof(proof, {
 The SDK supports verifying TEE (Trusted Execution Environment) attestations included in proofs. The attestation flow verifies the Google Confidential Computing OIDC token returned by Popcorn's GCP attestor and checks that it is bound to the proof nonce, application identity, and image digests.
-### Enabling TEE Attestation
+### Requesting TEE Attestation
-To request TEE attestation during proof generation, enable it during initialization:
+TEE attestation is requested by default during proof generation:
 ```javascript
-const proofRequest = await ReclaimProofRequest.init(APP_ID, APP_SECRET, PROVIDER_ID, {
-  acceptTeeAttestation: true,
-});
+const proofRequest = await ReclaimProofRequest.init(APP_ID, APP_SECRET, PROVIDER_ID);
 ```
+The request includes the SDK's attestation version so the attestor can continue serving older SDK clients when newer attestation formats are introduced.
+To opt out, set `acceptTeeAttestation: false` during initialization.
 ### Verifying TEE Attestation via `verifyProof`
 Provide a `teeAttestation` config to require and verify TEE attestation. The application ID is derived automatically from `appSecret`. If TEE data is missing or invalid, verification will fail with a `TeeVerificationError`.

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,7 @@
+declare const SUPPORTED_TEE_ATTESTATION_VERSIONS: readonly ["v2", "v3"];
+type TeeAttestationVersion = typeof SUPPORTED_TEE_ATTESTATION_VERSIONS[number];
 interface TeeAttestation {
-    proof_version: string;
+    proof_version: TeeAttestationVersion;
     tee_provider: string;
     tee_technology: string;
     nonce: string;
@@ -70,6 +72,7 @@ interface Context {
         applicationId: string;
         sessionId: string;
         timestamp: string;
+        attestationVersion?: TeeAttestationVersion;
     };
 }
 interface Beacon {
@@ -503,7 +506,9 @@ type ProofRequestOptions = {
      */
     metadata?: Record<string, string>;
     /**
-     * If true, generates a TEE attestation nonce during session initialization and expects a TEE attestation in the proof.
+     * Generates a TEE attestation nonce during session initialization and expects a TEE attestation in the proof.
+     *
+     * @default true
      */
     acceptTeeAttestation?: boolean;
 };
@@ -688,6 +693,8 @@ type TemplateData = {
     canAutoSubmit?: boolean;
     metadata?: Record<string, string>;
     preferredLocale?: ProofRequestOptions['preferredLocale'];
+    acceptTeeAttestation?: boolean;
+    teeAttestationVersion?: TeeAttestationVersion;
 };
 type TrustedData = {
     context: Record<string, unknown>;
@@ -1558,4 +1565,4 @@ declare function isDesktopDevice(): boolean;
  */
 declare function clearDeviceCache(): void;
-export { type Beacon, type BeaconState, type BodySniff, ClaimCreationType, type ClaimID, type ClaimInfo, type CompleteClaimData, type Context, type CreateVerificationRequest, DeviceType, type EmbeddedFlowHandle, type ExtensionMessage, type FlowHandle, type HashRequirement, type HashableHttpProviderClaimParams, type HttpFormEntry, type HttpProviderClaimParams, type HttpRedirectionMethod, type HttpRedirectionOptions, type InitSessionResponse, type InjectedRequestSpec, type InterceptorRequestSpec, type ModalOptions, type OnError, type OnSuccess, type Proof, type ProofPropertiesJSON, type ProofRequestOptions, type ProviderClaimData, type ProviderConfigResponse, type ProviderHashRequirementSpec, type ProviderHashRequirementsConfig, type ProviderHashRequirementsResponse, type ProviderVersionConfig, type ProviderVersionInfo, RECLAIM_EXTENSION_ACTIONS, type ReclaimFlowInitOptions, type ReclaimFlowLaunchOptions, ReclaimProofRequest, type ReclaimProviderConfig, type ReclaimProviderConfigWithRequestSpec, type RequestSpec, type ResponseMatchSpec, type ResponseRedactionSpec, type SerializableModalOptions, SessionStatus, type SignedClaim, type StartSessionParams, type StatusUrlResponse, type TeeAttestation, type TeeAttestationConfig, TeeVerificationError, type TeeVerificationResult, type TemplateData, type TrustedData, type UpdateSessionResponse, type ValidationConfig, type ValidationConfigWithDisabledValidation, type ValidationConfigWithHash, type ValidationConfigWithProviderInformation, type VerificationConfig, type VerifyProofResult, type VerifyProofResultFailure, type VerifyProofResultSuccess, type WitnessData, assertValidProofsByHash, assertValidateProof, assertVerifiedProof, clearDeviceCache, createLinkWithTemplateData, createSignDataForClaim, fetchProviderConfigs, fetchProviderHashRequirementsBy, fetchStatusUrl, generateSpecsFromRequestSpecTemplate, getAttestors, getDeviceType, getHttpProviderClaimParamsFromProof, getIdentifierFromClaimInfo, getMobileDeviceType, getProviderHashRequirementSpecFromProviderConfig, getProviderHashRequirementsFromSpec, getProviderParamsAsCanonicalizedString, getShortenedUrl, hashProofClaimParams, hashRequestSpec, initSession, isDesktopDevice, isHttpProviderClaimParams, isMobileDevice, recoverSignersOfSignedClaim, runTeeVerification, takePairsWhereValueIsArray, takeTemplateParametersFromProofs, transformForOnchain, updateSession, verifyProof, verifyTeeAttestation };
+export { type Beacon, type BeaconState, type BodySniff, ClaimCreationType, type ClaimID, type ClaimInfo, type CompleteClaimData, type Context, type CreateVerificationRequest, DeviceType, type EmbeddedFlowHandle, type ExtensionMessage, type FlowHandle, type HashRequirement, type HashableHttpProviderClaimParams, type HttpFormEntry, type HttpProviderClaimParams, type HttpRedirectionMethod, type HttpRedirectionOptions, type InitSessionResponse, type InjectedRequestSpec, type InterceptorRequestSpec, type ModalOptions, type OnError, type OnSuccess, type Proof, type ProofPropertiesJSON, type ProofRequestOptions, type ProviderClaimData, type ProviderConfigResponse, type ProviderHashRequirementSpec, type ProviderHashRequirementsConfig, type ProviderHashRequirementsResponse, type ProviderVersionConfig, type ProviderVersionInfo, RECLAIM_EXTENSION_ACTIONS, type ReclaimFlowInitOptions, type ReclaimFlowLaunchOptions, ReclaimProofRequest, type ReclaimProviderConfig, type ReclaimProviderConfigWithRequestSpec, type RequestSpec, type ResponseMatchSpec, type ResponseRedactionSpec, SUPPORTED_TEE_ATTESTATION_VERSIONS, type SerializableModalOptions, SessionStatus, type SignedClaim, type StartSessionParams, type StatusUrlResponse, type TeeAttestation, type TeeAttestationConfig, type TeeAttestationVersion, TeeVerificationError, type TeeVerificationResult, type TemplateData, type TrustedData, type UpdateSessionResponse, type ValidationConfig, type ValidationConfigWithDisabledValidation, type ValidationConfigWithHash, type ValidationConfigWithProviderInformation, type VerificationConfig, type VerifyProofResult, type VerifyProofResultFailure, type VerifyProofResultSuccess, type WitnessData, assertValidProofsByHash, assertValidateProof, assertVerifiedProof, clearDeviceCache, createLinkWithTemplateData, createSignDataForClaim, fetchProviderConfigs, fetchProviderHashRequirementsBy, fetchStatusUrl, generateSpecsFromRequestSpecTemplate, getAttestors, getDeviceType, getHttpProviderClaimParamsFromProof, getIdentifierFromClaimInfo, getMobileDeviceType, getProviderHashRequirementSpecFromProviderConfig, getProviderHashRequirementsFromSpec, getProviderParamsAsCanonicalizedString, getShortenedUrl, hashProofClaimParams, hashRequestSpec, initSession, isDesktopDevice, isHttpProviderClaimParams, isMobileDevice, recoverSignersOfSignedClaim, runTeeVerification, takePairsWhereValueIsArray, takeTemplateParametersFromProofs, transformForOnchain, updateSession, verifyProof, verifyTeeAttestation };

package/dist/index.js CHANGED Viewed

@@ -84,7 +84,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@reclaimprotocol/js-sdk",
-      version: "5.2.0",
+      version: "5.3.0-dev.1",
       description: "Designed to request proofs from the Reclaim protocol and manage the flow of claims and witness interactions.",
       main: "dist/index.js",
       types: "dist/index.d.ts",
@@ -1694,6 +1694,7 @@ var EXPECTED_ISSUER = "https://confidentialcomputing.googleapis.com";
 var EXPECTED_HW_MODEL = "GCP_AMD_SEV";
 var EXPECTED_TEE_PROVIDER = "gcp";
 var EXPECTED_TEE_TECHNOLOGY = "amd-sev";
+var SUPPORTED_PROOF_VERSIONS = ["v2", "v3"];
 var TOKEN_CLOCK_SKEW_S = 60;
 var NONCE_TIMESTAMP_MAX_SKEW_MS = 10 * 60 * 1e3;
 var BROWSER_ENVIRONMENT_ERROR = "TEE attestation verification is only supported in non-browser environments. Run verifyTeeAttestation on your server or API route.";
@@ -1933,12 +1934,17 @@ function assertAudienceClaim(aud) {
   }
   throw new Error("attestation token audience is missing");
 }
+function getProofVersion(teeAttestation) {
+  var _a;
+  return (_a = teeAttestation.proof_version) != null ? _a : teeAttestation.proofVersion;
+}
 function assertProofShape(teeAttestation) {
   var _a, _b, _c;
   if (teeAttestation.error) {
     throw new Error(`${teeAttestation.error.code}: ${teeAttestation.error.message}`);
   }
-  assert(teeAttestation.proof_version === "v2", `unexpected proof version: ${teeAttestation.proof_version}`);
+  const proofVersion = getProofVersion(teeAttestation);
+  assert(typeof proofVersion === "string" && SUPPORTED_PROOF_VERSIONS.includes(proofVersion), `unexpected proof version: ${proofVersion}`);
   assert(teeAttestation.tee_provider === EXPECTED_TEE_PROVIDER, `unexpected tee provider: ${teeAttestation.tee_provider}`);
   assert(teeAttestation.tee_technology === EXPECTED_TEE_TECHNOLOGY, `unexpected tee technology: ${teeAttestation.tee_technology}`);
   assert(typeof teeAttestation.nonce === "string" && teeAttestation.nonce.length > 0, "tee attestation nonce missing");
@@ -1948,6 +1954,26 @@ function assertProofShape(teeAttestation) {
   assert(typeof ((_b = teeAttestation.verifier) == null ? void 0 : _b.image_digest) === "string" && teeAttestation.verifier.image_digest.length > 0, "verifier image digest missing");
   assert(typeof ((_c = teeAttestation.attestation) == null ? void 0 : _c.token) === "string" && teeAttestation.attestation.token.length > 0, "attestation token missing");
 }
+function computeDigestBinding(teeAttestation) {
+  return __async(this, null, function* () {
+    const proofVersion = getProofVersion(teeAttestation);
+    if (proofVersion === "v3") {
+      assert(typeof teeAttestation.workload.container_name === "string" && teeAttestation.workload.container_name.length > 0, "workload container name missing");
+      assert(typeof teeAttestation.verifier.container_name === "string" && teeAttestation.verifier.container_name.length > 0, "verifier container name missing");
+      return sha256Hex([
+        "v3",
+        `workload.container_name=${teeAttestation.workload.container_name}`,
+        `workload.image_digest=${teeAttestation.workload.image_digest}`,
+        `verifier.container_name=${teeAttestation.verifier.container_name}`,
+        `verifier.image_digest=${teeAttestation.verifier.image_digest}`
+      ].join("\n"));
+    }
+    return sha256Hex(
+      `${teeAttestation.workload.image_digest}
+${teeAttestation.verifier.image_digest}`
+    );
+  });
+}
 function verifyGcpClaims(teeAttestation, expectedNonce) {
   return __async(this, null, function* () {
     var _a;
@@ -1955,10 +1981,7 @@ function verifyGcpClaims(teeAttestation, expectedNonce) {
     assert(claims.iss === EXPECTED_ISSUER, `unexpected issuer: ${claims.iss}`);
     assertAudienceClaim(claims.aud);
     assert(Array.isArray(claims.eat_nonce), "eat_nonce claim missing");
-    const digestBinding = yield sha256Hex(
-      `${teeAttestation.workload.image_digest}
-${teeAttestation.verifier.image_digest}`
-    );
+    const digestBinding = yield computeDigestBinding(teeAttestation);
     assert(claims.eat_nonce.includes(expectedNonce), "request nonce is not present in attestation token");
     assert(claims.eat_nonce.includes(digestBinding), "digest-binding nonce is not present in attestation token");
     assert(claims.hwmodel === EXPECTED_HW_MODEL, `unexpected hwmodel: ${claims.hwmodel}`);
@@ -2025,6 +2048,7 @@ function runTeeVerification(proofs, config) {
 // src/Reclaim.ts
 var logger10 = logger_default.logger;
 var sdkVersion = require_package().version;
+var SDK_TEE_ATTESTATION_VERSION = "v3";
 function verifyProof(proofOrProofs, config) {
   return __async(this, null, function* () {
     const proofs = Array.isArray(proofOrProofs) ? proofOrProofs : [proofOrProofs];
@@ -2111,7 +2135,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
      * @returns
      */
     this.getTemplateData = () => {
-      var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l;
+      var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n, _o;
       if (!this.signature) {
         throw new SignatureNotFoundError("Signature is not set.");
       }
@@ -2151,7 +2175,9 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
         log: (_h = (_g = this.options) == null ? void 0 : _g.log) != null ? _h : false,
         canAutoSubmit: (_j = (_i = this.options) == null ? void 0 : _i.canAutoSubmit) != null ? _j : true,
         metadata: (_k = this.options) == null ? void 0 : _k.metadata,
-        preferredLocale: (_l = this.options) == null ? void 0 : _l.preferredLocale
+        preferredLocale: (_l = this.options) == null ? void 0 : _l.preferredLocale,
+        acceptTeeAttestation: (_m = this.options) == null ? void 0 : _m.acceptTeeAttestation,
+        teeAttestationVersion: (_o = (_n = this.context.attestationNonceData) == null ? void 0 : _n.attestationVersion) != null ? _o : SDK_TEE_ATTESTATION_VERSION
       };
       return templateData;
     };
@@ -2222,6 +2248,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
    */
   static init(applicationId, appSecret, providerId, options) {
     return __async(this, null, function* () {
+      var _a;
       try {
         validateFunctionParams([
           { paramName: "applicationId", input: applicationId, isString: true },
@@ -2303,14 +2330,17 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
             }, "the constructor");
           }
         }
-        const proofRequestInstance = new _ReclaimProofRequest(applicationId, providerId, options);
+        const proofRequestOptions = __spreadProps(__spreadValues({}, options), {
+          acceptTeeAttestation: (_a = options == null ? void 0 : options.acceptTeeAttestation) != null ? _a : true
+        });
+        const proofRequestInstance = new _ReclaimProofRequest(applicationId, providerId, proofRequestOptions);
         const signature = yield proofRequestInstance.generateSignature(appSecret);
         proofRequestInstance.setSignature(signature);
         const data = yield initSession(providerId, applicationId, proofRequestInstance.timeStamp, signature, options == null ? void 0 : options.providerVersion);
         proofRequestInstance.sessionId = data.sessionId;
         proofRequestInstance.resolvedProviderVersion = data.resolvedProviderVersion;
         proofRequestInstance.context.reclaimSessionId = data.sessionId;
-        if (options == null ? void 0 : options.acceptTeeAttestation) {
+        if (proofRequestOptions.acceptTeeAttestation) {
           const attestationNonce = generateAttestationNonce(
             appSecret,
             applicationId,
@@ -2320,7 +2350,8 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
           proofRequestInstance.setAttestationContext(attestationNonce, {
             applicationId,
             sessionId: data.sessionId,
-            timestamp: proofRequestInstance.timeStamp
+            timestamp: proofRequestInstance.timeStamp,
+            attestationVersion: SDK_TEE_ATTESTATION_VERSION
           });
         }
         return proofRequestInstance;