@reclaimprotocol/js-sdk 5.4.0 → 5.4.2-dev.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +491 -9
- package/dist/index.js +489 -120
- package/dist/index.js.map +1 -1
- package/package.json +13 -2
package/dist/index.js
CHANGED
|
@@ -84,10 +84,20 @@ var require_package = __commonJS({
|
|
|
84
84
|
"package.json"(exports2, module2) {
|
|
85
85
|
module2.exports = {
|
|
86
86
|
name: "@reclaimprotocol/js-sdk",
|
|
87
|
-
version: "5.4.0",
|
|
87
|
+
version: "5.4.2-dev.0",
|
|
88
88
|
description: "Designed to request proofs from the Reclaim protocol and manage the flow of claims and witness interactions.",
|
|
89
89
|
main: "dist/index.js",
|
|
90
90
|
types: "dist/index.d.ts",
|
|
91
|
+
exports: {
|
|
92
|
+
".": {
|
|
93
|
+
types: "./dist/index.d.ts",
|
|
94
|
+
default: "./dist/index.js"
|
|
95
|
+
},
|
|
96
|
+
"./internal": {
|
|
97
|
+
types: "./dist/internal.d.ts",
|
|
98
|
+
default: "./dist/internal.js"
|
|
99
|
+
}
|
|
100
|
+
},
|
|
91
101
|
keywords: [
|
|
92
102
|
"reclaim",
|
|
93
103
|
"protocol",
|
|
@@ -108,7 +118,8 @@ var require_package = __commonJS({
|
|
|
108
118
|
],
|
|
109
119
|
tsup: {
|
|
110
120
|
entry: [
|
|
111
|
-
"src/index.ts"
|
|
121
|
+
"src/index.ts",
|
|
122
|
+
"src/internal.ts"
|
|
112
123
|
],
|
|
113
124
|
splitting: false,
|
|
114
125
|
sourcemap: true,
|
|
@@ -192,8 +203,40 @@ var require_package = __commonJS({
|
|
|
192
203
|
// src/index.ts
|
|
193
204
|
var index_exports = {};
|
|
194
205
|
__export(index_exports, {
|
|
206
|
+
ApplicationError: () => ApplicationError,
|
|
207
|
+
AttestorTeeVerificationError: () => AttestorTeeVerificationError,
|
|
208
|
+
BackendServerError: () => BackendServerError,
|
|
209
|
+
CallbackUrlRequiredError: () => CallbackUrlRequiredError,
|
|
210
|
+
ErrorDuringVerificationError: () => ErrorDuringVerificationError,
|
|
211
|
+
GetAppCallbackUrlError: () => GetAppCallbackUrlError,
|
|
212
|
+
GetStatusUrlError: () => GetStatusUrlError,
|
|
213
|
+
HASH_MATCH_MULTIPLE_DEFAULT: () => HASH_MATCH_MULTIPLE_DEFAULT,
|
|
214
|
+
HASH_REQUIRED_DEFAULT: () => HASH_REQUIRED_DEFAULT,
|
|
215
|
+
InavlidParametersError: () => InavlidParametersError,
|
|
216
|
+
InitError: () => InitError,
|
|
217
|
+
InitSessionError: () => InitSessionError,
|
|
218
|
+
InvalidParamError: () => InvalidParamError,
|
|
219
|
+
InvalidRequestSpecError: () => InvalidRequestSpecError,
|
|
220
|
+
InvalidSignatureError: () => InvalidSignatureError,
|
|
221
|
+
NoProviderParamsError: () => NoProviderParamsError,
|
|
222
|
+
ProofNotValidatedError: () => ProofNotValidatedError,
|
|
223
|
+
ProofNotVerifiedError: () => ProofNotVerifiedError,
|
|
224
|
+
ProofSubmissionFailedError: () => ProofSubmissionFailedError,
|
|
225
|
+
ProviderConfigFetchError: () => ProviderConfigFetchError,
|
|
226
|
+
ProviderFailedError: () => ProviderFailedError,
|
|
227
|
+
ProviderNotFoundError: () => ProviderNotFoundError,
|
|
195
228
|
ReclaimProofRequest: () => ReclaimProofRequest,
|
|
229
|
+
SessionNotStartedError: () => SessionNotStartedError,
|
|
230
|
+
SetContextError: () => SetContextError,
|
|
231
|
+
SetParamsError: () => SetParamsError,
|
|
232
|
+
SetSignatureError: () => SetSignatureError,
|
|
233
|
+
SignatureGeneratingError: () => SignatureGeneratingError,
|
|
234
|
+
SignatureNotFoundError: () => SignatureNotFoundError,
|
|
235
|
+
StatusUrlError: () => StatusUrlError,
|
|
196
236
|
TeeVerificationError: () => TeeVerificationError,
|
|
237
|
+
TimeoutError: () => TimeoutError,
|
|
238
|
+
UnknownProofsNotValidatedError: () => UnknownProofsNotValidatedError,
|
|
239
|
+
UpdateSessionError: () => UpdateSessionError,
|
|
197
240
|
assertValidProofsByHash: () => assertValidProofsByHash,
|
|
198
241
|
assertValidateProof: () => assertValidateProof,
|
|
199
242
|
assertVerifiedProof: () => assertVerifiedProof,
|
|
@@ -208,6 +251,7 @@ __export(index_exports, {
|
|
|
208
251
|
generateSpecsFromRequestSpecTemplate: () => generateSpecsFromRequestSpecTemplate,
|
|
209
252
|
getAttestors: () => getAttestors,
|
|
210
253
|
getDeviceType: () => getDeviceType,
|
|
254
|
+
getHashFromProof: () => getHashFromProof,
|
|
211
255
|
getHttpProviderClaimParamsFromProof: () => getHttpProviderClaimParamsFromProof,
|
|
212
256
|
getIdentifierFromClaimInfo: () => getIdentifierFromClaimInfo,
|
|
213
257
|
getMobileDeviceType: () => getMobileDeviceType,
|
|
@@ -227,6 +271,7 @@ __export(index_exports, {
|
|
|
227
271
|
takeTemplateParametersFromProofs: () => takeTemplateParametersFromProofs,
|
|
228
272
|
transformForOnchain: () => transformForOnchain,
|
|
229
273
|
updateSession: () => updateSession,
|
|
274
|
+
verifyAttestorTeeAttestation: () => verifyAttestorTeeAttestation,
|
|
230
275
|
verifyProof: () => verifyProof,
|
|
231
276
|
verifyTeeAttestation: () => verifyTeeAttestation
|
|
232
277
|
});
|
|
@@ -241,7 +286,7 @@ var RECLAIM_EXTENSION_ACTIONS = {
|
|
|
241
286
|
};
|
|
242
287
|
|
|
243
288
|
// src/Reclaim.ts
|
|
244
|
-
var
|
|
289
|
+
var import_ethers7 = require("ethers");
|
|
245
290
|
var import_canonicalize3 = __toESM(require("canonicalize"));
|
|
246
291
|
|
|
247
292
|
// src/utils/errors.ts
|
|
@@ -289,6 +334,7 @@ var ProofSubmissionFailedError = createErrorClass("ProofSubmissionFailedError");
|
|
|
289
334
|
var ErrorDuringVerificationError = createErrorClass("ErrorDuringVerificationError");
|
|
290
335
|
var CallbackUrlRequiredError = createErrorClass("CallbackUrlRequiredError");
|
|
291
336
|
var TeeVerificationError = createErrorClass("TeeVerificationError");
|
|
337
|
+
var AttestorTeeVerificationError = createErrorClass("AttestorTeeVerificationError");
|
|
292
338
|
|
|
293
339
|
// src/utils/logger.ts
|
|
294
340
|
var SimpleLogger = class {
|
|
@@ -563,19 +609,21 @@ function scheduleIntervalEndingTask(sessionId, intervals, onFailureCallback, tim
|
|
|
563
609
|
}
|
|
564
610
|
}, timeout);
|
|
565
611
|
}
|
|
566
|
-
var createVerifyProofResultSuccess = (proofs, isTeeAttestationVerified) => {
|
|
612
|
+
var createVerifyProofResultSuccess = (proofs, isTeeAttestationVerified, isAttestorTeeAttestationVerified) => {
|
|
567
613
|
return {
|
|
568
614
|
isVerified: true,
|
|
569
615
|
isTeeAttestationVerified,
|
|
616
|
+
isAttestorTeeAttestationVerified,
|
|
570
617
|
error: void 0,
|
|
571
618
|
data: proofs.map(createTrustedDataFromProofData),
|
|
572
619
|
publicData: getPublicDataFromProofs(proofs)
|
|
573
620
|
};
|
|
574
621
|
};
|
|
575
|
-
var createVerifyProofResultFailure = (error, isTeeAttestationVerified) => {
|
|
622
|
+
var createVerifyProofResultFailure = (error, isTeeAttestationVerified, isAttestorTeeAttestationVerified) => {
|
|
576
623
|
return {
|
|
577
624
|
isVerified: false,
|
|
578
625
|
isTeeAttestationVerified,
|
|
626
|
+
isAttestorTeeAttestationVerified,
|
|
579
627
|
error,
|
|
580
628
|
data: [],
|
|
581
629
|
publicData: []
|
|
@@ -651,6 +699,43 @@ var constants = {
|
|
|
651
699
|
// Chrome extension URL for Reclaim Protocol
|
|
652
700
|
CHROME_EXTENSION_URL: "https://chromewebstore.google.com/detail/reclaim-extension/oafieibbbcepkmenknelhmgaoahamdeh"
|
|
653
701
|
};
|
|
702
|
+
var GCP_CONFIDENTIAL_SPACE_ROOT_CA = `-----BEGIN CERTIFICATE-----
|
|
703
|
+
MIIGCDCCA/CgAwIBAgITYBvRy5g9aYYMh7tJS7pFwafL6jANBgkqhkiG9w0BAQsF
|
|
704
|
+
ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
|
|
705
|
+
DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAsTDEdv
|
|
706
|
+
b2dsZSBDbG91ZDEjMCEGA1UEAxMaQ29uZmlkZW50aWFsIFNwYWNlIFJvb3QgQ0Ew
|
|
707
|
+
HhcNMjQwMTE5MjIxMDUwWhcNMzQwMTE2MjIxMDQ5WjCBizELMAkGA1UEBhMCVVMx
|
|
708
|
+
EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxEzAR
|
|
709
|
+
BgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAsTDEdvb2dsZSBDbG91ZDEjMCEGA1UE
|
|
710
|
+
AxMaQ29uZmlkZW50aWFsIFNwYWNlIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUA
|
|
711
|
+
A4ICDwAwggIKAoICAQCvRuZasczAqhMZe1ODHJ6MFLX8EYVV+RN7xiO9GpuA53iz
|
|
712
|
+
l9Oxgp3NXik3FbYn+7bcIkMMSQpCr6K0jbSQCZT6d5P5PJT5DpNGYjLHkW67/fl+
|
|
713
|
+
Bu7eSMb0qRCa1jS+3OhNK7t7SIaHm1XdmSRghjwoglKRuk3CGrF4Zia9RcE/p2MU
|
|
714
|
+
69GyJZpqHYwTplNr3x4zF+2nJk86GywDP+sGwSPWfcmqY04VQD7ZPDEZZ/qgzdoL
|
|
715
|
+
5ilE92eQnAsy+6m6LxBEHHVcFpfDtNVUIt2VMCWLBeOKUQcn5js756xblInqw/Qt
|
|
716
|
+
QRR0An0yfRjBuGvmMjAwETDo5ETY/fc+nbQVYJzNQTc9EOpFFWPpw/ZjFcN9Amnd
|
|
717
|
+
dxYUETFXPmBYerMez0LKNtGpfKYHHhMMTI3mj0m/V9fCbfh2YbBUnMS2Swd20YSI
|
|
718
|
+
Mi/HiGaqOpGUqXMeQVw7phGTS3QYK8ZM65sC/QhIQzXdsiLDgFBitVnlIu3lIv6C
|
|
719
|
+
uiHvXeSJBRlRxQ8Vu+t6J7hBdl0etWBKAu9Vti46af5cjC03dspkHR3MAUGcrLWE
|
|
720
|
+
TkQ0msQAKvIAlwyQRLuQOI5D6pF+6af1Nbl+vR7sLCbDWdMqm1E9X6KyFKd6e3rn
|
|
721
|
+
E9O4dkFJp35WvR2gqIAkUoa+Vq1MXLFYG4imanZKH0igrIblbawRCr3Gr24FXQID
|
|
722
|
+
AQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
|
|
723
|
+
FgQUF+fBOE6Th1snpKuvIb6S8/mtPL4wHwYDVR0jBBgwFoAUF+fBOE6Th1snpKuv
|
|
724
|
+
Ib6S8/mtPL4wDQYJKoZIhvcNAQELBQADggIBAGtCuV5eHxWcffylK9GPumaD6Yjd
|
|
725
|
+
cs76KDBe3mky5ItBIrEOeZq3z47zM4dbKZHhFuoq4yAaO1MyApnG0w9wIQLBDndI
|
|
726
|
+
ovtkw6j9/64aqPWpNaoB5MB0SahCUCgI83Dx9SRqGmjPI/MTMfwDLdE5EF9gFmVI
|
|
727
|
+
oH62YnG2aa/sc6m/8wIK8WtTJazEI16/8GPG4ZUhwT6aR3IGGnEBPMbMd5VZQ0Hw
|
|
728
|
+
VbHBKWK3UykaSCxnEg8uaNx/rhNaOWuWtos4qL00dYyGV7ZXg4fpAq7244QUgkWV
|
|
729
|
+
AtVcU2SPBjDd30OFHASnenDHRzQdOtHaxLp4a4WaY3jb2V6Sn3LfE8zSy6GevxmN
|
|
730
|
+
COIWW3xnPF8rwKz4ABEPqECe37zzu3W1nzZAFtdkhPBNnlWYkIusTMtU+8v6EPKp
|
|
731
|
+
GIIRphpaDhtGPJQukpENOfk2728lenPycRfjxwA96UKWq0dKZC45MwBEK9Jngn8Q
|
|
732
|
+
cPmpPmx7pSMkSxEX2Vos2JNaNmCKJd2VaXz8M6F2cxscRdh9TbAYAjGEEjE1nLUH
|
|
733
|
+
2YHDS8Y7xYNFIDSFaJAlqGcCUbzjGhrwHGj4voTe9ZvlmngrcA/ptSuBidvsnRDw
|
|
734
|
+
kNPLowCd0NqxYYSLNL7GroYCFPxoBpr+++4vsCaXalbs8iJxdU2EPqG4MB4xWKYg
|
|
735
|
+
uyT5CnJulxSC5CT1
|
|
736
|
+
-----END CERTIFICATE-----`;
|
|
737
|
+
var ATTESTOR_NONCE_PATTERN = /^attestor_public_key:0x([0-9a-fA-F]{40})$/;
|
|
738
|
+
var GCP_CONFIDENTIAL_SPACE_ISSUER = "https://confidentialcomputing.googleapis.com";
|
|
654
739
|
|
|
655
740
|
// src/utils/fetch.ts
|
|
656
741
|
var import_fetch_retry = __toESM(require("fetch-retry"));
|
|
@@ -1463,6 +1548,9 @@ function generateAttestationNonce(appSecret, applicationId, sessionId, timestamp
|
|
|
1463
1548
|
return import_ethers4.ethers.keccak256(import_ethers4.ethers.toUtf8Bytes(noncePayload)).replace(/^0x/i, "");
|
|
1464
1549
|
}
|
|
1465
1550
|
|
|
1551
|
+
// src/utils/proofValidationUtils.ts
|
|
1552
|
+
var import_assert = __toESM(require("assert"));
|
|
1553
|
+
|
|
1466
1554
|
// src/utils/providerUtils.ts
|
|
1467
1555
|
var logger7 = logger_default.logger;
|
|
1468
1556
|
function fetchProviderHashRequirementsBy(providerId, exactProviderVersionString, allowedTags, proofs) {
|
|
@@ -1584,7 +1672,20 @@ function hashRequestSpec(request) {
|
|
|
1584
1672
|
var logger8 = logger_default.logger;
|
|
1585
1673
|
var HASH_REQUIRED_DEFAULT = true;
|
|
1586
1674
|
var HASH_MATCH_MULTIPLE_DEFAULT = true;
|
|
1587
|
-
function
|
|
1675
|
+
function getHashFromProof(proof, piiConfig) {
|
|
1676
|
+
if ((piiConfig == null ? void 0 : piiConfig.hasNoPii) === true) {
|
|
1677
|
+
const contextObject = JSON.parse(proof.claimData.context);
|
|
1678
|
+
(0, import_assert.default)(contextObject, "Context must be present in proof's claimData");
|
|
1679
|
+
const providerHash = contextObject.providerHash;
|
|
1680
|
+
(0, import_assert.default)(providerHash, "Provider hash must be present in proof's claimData.context");
|
|
1681
|
+
return [providerHash];
|
|
1682
|
+
}
|
|
1683
|
+
const claimParams = getHttpProviderClaimParamsFromProof(proof);
|
|
1684
|
+
const computedHashesOfProof = hashProofClaimParams(claimParams);
|
|
1685
|
+
const proofHashes = Array.isArray(computedHashesOfProof) ? computedHashesOfProof.map((h) => h.toLowerCase().trim()) : [computedHashesOfProof.toLowerCase().trim()];
|
|
1686
|
+
return proofHashes;
|
|
1687
|
+
}
|
|
1688
|
+
function assertValidProofsByHash(proofs, config, piiConfig) {
|
|
1588
1689
|
var _a, _b;
|
|
1589
1690
|
if (!config.hashes) {
|
|
1590
1691
|
throw new ProofNotValidatedError("No proof hash was provided for validation");
|
|
@@ -1592,9 +1693,7 @@ function assertValidProofsByHash(proofs, config) {
|
|
|
1592
1693
|
const unvalidatedProofHashByIndex = /* @__PURE__ */ new Map();
|
|
1593
1694
|
for (let i = 0; i < proofs.length; i++) {
|
|
1594
1695
|
const proof = proofs[i];
|
|
1595
|
-
const
|
|
1596
|
-
const computedHashesOfProof = hashProofClaimParams(claimParams);
|
|
1597
|
-
const proofHashes = Array.isArray(computedHashesOfProof) ? computedHashesOfProof.map((h) => h.toLowerCase().trim()) : [computedHashesOfProof.toLowerCase().trim()];
|
|
1696
|
+
const proofHashes = getHashFromProof(proof, piiConfig);
|
|
1598
1697
|
unvalidatedProofHashByIndex.set(i, proofHashes);
|
|
1599
1698
|
}
|
|
1600
1699
|
for (const hashRequirement of config.hashes) {
|
|
@@ -1602,7 +1701,9 @@ function assertValidProofsByHash(proofs, config) {
|
|
|
1602
1701
|
const expectedHashes = Array.isArray(hashRequirement.value) ? hashRequirement.value.map((h) => h.toLowerCase().trim()) : [hashRequirement.value.toLowerCase().trim()];
|
|
1603
1702
|
const isRequired = (_a = hashRequirement.required) != null ? _a : HASH_REQUIRED_DEFAULT;
|
|
1604
1703
|
const canMatchMultiple = (_b = hashRequirement.multiple) != null ? _b : HASH_MATCH_MULTIPLE_DEFAULT;
|
|
1605
|
-
for (
|
|
1704
|
+
for (let i = 0; i < proofs.length; i++) {
|
|
1705
|
+
if (!unvalidatedProofHashByIndex.has(i)) continue;
|
|
1706
|
+
const proofHashes = unvalidatedProofHashByIndex.get(i);
|
|
1606
1707
|
const intersection = expectedHashes.filter((eh) => proofHashes.includes(eh));
|
|
1607
1708
|
if (intersection.length > 0) {
|
|
1608
1709
|
unvalidatedProofHashByIndex.delete(i);
|
|
@@ -1643,7 +1744,7 @@ function getHttpProviderClaimParamsFromProof(proof) {
|
|
|
1643
1744
|
}
|
|
1644
1745
|
throw new ProofNotValidatedError("Proof has no HTTP provider params to hash");
|
|
1645
1746
|
}
|
|
1646
|
-
function assertValidateProof(proofs, config) {
|
|
1747
|
+
function assertValidateProof(proofs, config, piiConfig) {
|
|
1647
1748
|
return __async(this, null, function* () {
|
|
1648
1749
|
if ("dangerouslyDisableContentValidation" in config && config.dangerouslyDisableContentValidation) {
|
|
1649
1750
|
logger8.warn("Validation skipped because it was disabled during proof verification");
|
|
@@ -1664,14 +1765,14 @@ function assertValidateProof(proofs, config) {
|
|
|
1664
1765
|
let lastError = null;
|
|
1665
1766
|
for (const hashRequirement of hashRequirementsFromProvider) {
|
|
1666
1767
|
try {
|
|
1667
|
-
return yield assertValidateProof(proofs, hashRequirement);
|
|
1768
|
+
return yield assertValidateProof(proofs, hashRequirement, piiConfig);
|
|
1668
1769
|
} catch (e) {
|
|
1669
1770
|
lastError = e;
|
|
1670
1771
|
}
|
|
1671
1772
|
}
|
|
1672
1773
|
throw new ProofNotValidatedError("Could not validate proof", lastError);
|
|
1673
1774
|
} else {
|
|
1674
|
-
return assertValidateProof(proofs, hashRequirementsFromProvider[0]);
|
|
1775
|
+
return assertValidateProof(proofs, hashRequirementsFromProvider[0], piiConfig);
|
|
1675
1776
|
}
|
|
1676
1777
|
}
|
|
1677
1778
|
const effectiveHashRequirement = ("hashes" in config && Array.isArray(config == null ? void 0 : config.hashes) ? config.hashes : []).map((it) => {
|
|
@@ -1683,16 +1784,19 @@ function assertValidateProof(proofs, config) {
|
|
|
1683
1784
|
return it;
|
|
1684
1785
|
}
|
|
1685
1786
|
});
|
|
1686
|
-
return assertValidProofsByHash(
|
|
1687
|
-
|
|
1688
|
-
|
|
1787
|
+
return assertValidProofsByHash(
|
|
1788
|
+
proofs,
|
|
1789
|
+
{
|
|
1790
|
+
hashes: effectiveHashRequirement
|
|
1791
|
+
},
|
|
1792
|
+
piiConfig
|
|
1793
|
+
);
|
|
1689
1794
|
});
|
|
1690
1795
|
}
|
|
1691
1796
|
|
|
1692
1797
|
// src/utils/verifyTee.ts
|
|
1693
1798
|
var import_ethers5 = require("ethers");
|
|
1694
1799
|
var logger9 = logger_default.logger;
|
|
1695
|
-
var EXPECTED_ISSUER = "https://confidentialcomputing.googleapis.com";
|
|
1696
1800
|
var EXPECTED_HW_MODEL = "GCP_AMD_SEV";
|
|
1697
1801
|
var EXPECTED_TEE_PROVIDER = "gcp";
|
|
1698
1802
|
var EXPECTED_TEE_TECHNOLOGY = "amd-sev";
|
|
@@ -1700,7 +1804,7 @@ var SUPPORTED_PROOF_VERSIONS = ["v2", "v3"];
|
|
|
1700
1804
|
var TOKEN_CLOCK_SKEW_S = 60;
|
|
1701
1805
|
var NONCE_TIMESTAMP_MAX_SKEW_MS = 10 * 60 * 1e3;
|
|
1702
1806
|
var BROWSER_ENVIRONMENT_ERROR = "TEE attestation verification is only supported in non-browser environments. Run verifyTeeAttestation on your server or API route.";
|
|
1703
|
-
function
|
|
1807
|
+
function assert2(condition, message) {
|
|
1704
1808
|
if (!condition) {
|
|
1705
1809
|
throw new Error(message);
|
|
1706
1810
|
}
|
|
@@ -1750,7 +1854,7 @@ function decodeUtf8(bytes) {
|
|
|
1750
1854
|
}
|
|
1751
1855
|
function decodeJwt(token) {
|
|
1752
1856
|
const parts = token.split(".");
|
|
1753
|
-
|
|
1857
|
+
assert2(parts.length === 3, "attestation token is not a JWT");
|
|
1754
1858
|
return {
|
|
1755
1859
|
header: JSON.parse(decodeUtf8(decodeBase64Url(parts[0]))),
|
|
1756
1860
|
payload: JSON.parse(decodeUtf8(decodeBase64Url(parts[1]))),
|
|
@@ -1760,7 +1864,7 @@ function decodeJwt(token) {
|
|
|
1760
1864
|
}
|
|
1761
1865
|
function getFetch() {
|
|
1762
1866
|
const fetchFn = globalThis.fetch;
|
|
1763
|
-
|
|
1867
|
+
assert2(fetchFn, "fetch is not available in this environment");
|
|
1764
1868
|
return fetchFn.bind(globalThis);
|
|
1765
1869
|
}
|
|
1766
1870
|
function getSubtleCrypto() {
|
|
@@ -1796,19 +1900,19 @@ var cachedJwksAt = 0;
|
|
|
1796
1900
|
function verifyJwtSignature(token, issuer) {
|
|
1797
1901
|
return __async(this, null, function* () {
|
|
1798
1902
|
const { header, payload, signingInput, signature } = decodeJwt(token);
|
|
1799
|
-
|
|
1800
|
-
|
|
1903
|
+
assert2(header.alg === "RS256", `unexpected attestation signing algorithm: ${header.alg}`);
|
|
1904
|
+
assert2(typeof header.kid === "string" && header.kid.length > 0, "attestation token kid is missing");
|
|
1801
1905
|
const isCacheFresh = cachedJwksKeys && Date.now() - cachedJwksAt < JWKS_CACHE_TTL_MS;
|
|
1802
1906
|
if (!isCacheFresh) {
|
|
1803
1907
|
const oidc = yield fetchJson(`${issuer}/.well-known/openid-configuration`);
|
|
1804
|
-
|
|
1908
|
+
assert2(typeof (oidc == null ? void 0 : oidc.jwks_uri) === "string" && oidc.jwks_uri.length > 0, "issuer JWKS URI is missing");
|
|
1805
1909
|
cachedJwksUri = oidc.jwks_uri;
|
|
1806
1910
|
const jwks = yield fetchJson(cachedJwksUri);
|
|
1807
1911
|
cachedJwksKeys = (jwks == null ? void 0 : jwks.keys) || [];
|
|
1808
1912
|
cachedJwksAt = Date.now();
|
|
1809
1913
|
}
|
|
1810
1914
|
const jwk = cachedJwksKeys.find((key) => key.kid === header.kid);
|
|
1811
|
-
|
|
1915
|
+
assert2(jwk, `no JWKS key found for kid ${header.kid}`);
|
|
1812
1916
|
const cryptoKey = yield getSubtleCrypto().importKey(
|
|
1813
1917
|
"jwk",
|
|
1814
1918
|
jwk,
|
|
@@ -1822,7 +1926,7 @@ function verifyJwtSignature(token, issuer) {
|
|
|
1822
1926
|
signature,
|
|
1823
1927
|
new TextEncoder().encode(signingInput)
|
|
1824
1928
|
);
|
|
1825
|
-
|
|
1929
|
+
assert2(isValid, "JWT signature verification failed");
|
|
1826
1930
|
return payload;
|
|
1827
1931
|
});
|
|
1828
1932
|
}
|
|
@@ -1843,16 +1947,16 @@ function parseProofContext(proof) {
|
|
|
1843
1947
|
}
|
|
1844
1948
|
const ctx = parsedContext;
|
|
1845
1949
|
const expectedNonce = ctx.attestationNonce;
|
|
1846
|
-
|
|
1950
|
+
assert2(typeof expectedNonce === "string" && expectedNonce.length > 0, "Proof context is missing attestationNonce");
|
|
1847
1951
|
const nonceDataObj = ctx.attestationNonceData;
|
|
1848
|
-
|
|
1952
|
+
assert2(isNonceContextData(nonceDataObj), "Proof context is missing or has invalid attestationNonceData (requires applicationId, sessionId, timestamp)");
|
|
1849
1953
|
return { parsedContext: ctx, nonceDataObj, expectedNonce };
|
|
1850
1954
|
}
|
|
1851
1955
|
function verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj, expectedApplicationId) {
|
|
1852
1956
|
var _a;
|
|
1853
1957
|
const { applicationId, sessionId, timestamp } = nonceDataObj;
|
|
1854
1958
|
if (expectedApplicationId) {
|
|
1855
|
-
|
|
1959
|
+
assert2(
|
|
1856
1960
|
applicationId.toLowerCase() === expectedApplicationId.toLowerCase(),
|
|
1857
1961
|
`Application ID Mismatch! Expected ${expectedApplicationId}, but proof context contains ${applicationId}`
|
|
1858
1962
|
);
|
|
@@ -1887,11 +1991,11 @@ function verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj,
|
|
|
1887
1991
|
function verifyNonceMaterial(expectedNonce, nonceDataObj, expectedAppSecret) {
|
|
1888
1992
|
const cleanExpectedNonce = normalizeHex(expectedNonce);
|
|
1889
1993
|
const { applicationId, sessionId, timestamp } = nonceDataObj;
|
|
1890
|
-
|
|
1891
|
-
|
|
1994
|
+
assert2(cleanExpectedNonce.length > 0, "Proof context attestationNonce is empty");
|
|
1995
|
+
assert2(isHex(cleanExpectedNonce), "Proof context attestationNonce is not valid hex");
|
|
1892
1996
|
if (expectedAppSecret) {
|
|
1893
1997
|
const recomputedNonce = generateAttestationNonce(expectedAppSecret, applicationId, sessionId, timestamp);
|
|
1894
|
-
|
|
1998
|
+
assert2(
|
|
1895
1999
|
recomputedNonce === cleanExpectedNonce,
|
|
1896
2000
|
"Attestation nonce verification failed: app secret, application ID, session ID, or timestamp do not match"
|
|
1897
2001
|
);
|
|
@@ -1904,7 +2008,7 @@ function verifyNonceMaterial(expectedNonce, nonceDataObj, expectedAppSecret) {
|
|
|
1904
2008
|
nonceMsg,
|
|
1905
2009
|
expectedNonce.startsWith("0x") ? expectedNonce : `0x${expectedNonce}`
|
|
1906
2010
|
);
|
|
1907
|
-
|
|
2011
|
+
assert2(
|
|
1908
2012
|
recoveredAddress.toLowerCase() === applicationId.toLowerCase(),
|
|
1909
2013
|
`Nonce signature verification failed: recovered ${recoveredAddress}, expected ${applicationId}`
|
|
1910
2014
|
);
|
|
@@ -1926,12 +2030,12 @@ function assertTokenFresh(claims) {
|
|
|
1926
2030
|
}
|
|
1927
2031
|
function assertAudienceClaim(aud) {
|
|
1928
2032
|
if (typeof aud === "string") {
|
|
1929
|
-
|
|
2033
|
+
assert2(aud.length > 0, "attestation token audience is empty");
|
|
1930
2034
|
return;
|
|
1931
2035
|
}
|
|
1932
2036
|
if (Array.isArray(aud)) {
|
|
1933
|
-
|
|
1934
|
-
|
|
2037
|
+
assert2(aud.length > 0, "attestation token audience is empty");
|
|
2038
|
+
assert2(aud.every((entry) => typeof entry === "string" && entry.length > 0), "attestation token audience contains invalid entries");
|
|
1935
2039
|
return;
|
|
1936
2040
|
}
|
|
1937
2041
|
throw new Error("attestation token audience is missing");
|
|
@@ -1946,22 +2050,22 @@ function assertProofShape(teeAttestation) {
|
|
|
1946
2050
|
throw new Error(`${teeAttestation.error.code}: ${teeAttestation.error.message}`);
|
|
1947
2051
|
}
|
|
1948
2052
|
const proofVersion = getProofVersion(teeAttestation);
|
|
1949
|
-
|
|
1950
|
-
|
|
1951
|
-
|
|
1952
|
-
|
|
1953
|
-
|
|
1954
|
-
|
|
1955
|
-
|
|
1956
|
-
|
|
1957
|
-
|
|
2053
|
+
assert2(typeof proofVersion === "string" && SUPPORTED_PROOF_VERSIONS.includes(proofVersion), `unexpected proof version: ${proofVersion}`);
|
|
2054
|
+
assert2(teeAttestation.tee_provider === EXPECTED_TEE_PROVIDER, `unexpected tee provider: ${teeAttestation.tee_provider}`);
|
|
2055
|
+
assert2(teeAttestation.tee_technology === EXPECTED_TEE_TECHNOLOGY, `unexpected tee technology: ${teeAttestation.tee_technology}`);
|
|
2056
|
+
assert2(typeof teeAttestation.nonce === "string" && teeAttestation.nonce.length > 0, "tee attestation nonce missing");
|
|
2057
|
+
assert2(typeof teeAttestation.timestamp === "string" && teeAttestation.timestamp.length > 0, "tee attestation timestamp missing");
|
|
2058
|
+
assert2(!Number.isNaN(Date.parse(teeAttestation.timestamp)), "tee attestation timestamp is invalid");
|
|
2059
|
+
assert2(typeof ((_a = teeAttestation.workload) == null ? void 0 : _a.image_digest) === "string" && teeAttestation.workload.image_digest.length > 0, "workload image digest missing");
|
|
2060
|
+
assert2(typeof ((_b = teeAttestation.verifier) == null ? void 0 : _b.image_digest) === "string" && teeAttestation.verifier.image_digest.length > 0, "verifier image digest missing");
|
|
2061
|
+
assert2(typeof ((_c = teeAttestation.attestation) == null ? void 0 : _c.token) === "string" && teeAttestation.attestation.token.length > 0, "attestation token missing");
|
|
1958
2062
|
}
|
|
1959
2063
|
function computeDigestBinding(teeAttestation) {
|
|
1960
2064
|
return __async(this, null, function* () {
|
|
1961
2065
|
const proofVersion = getProofVersion(teeAttestation);
|
|
1962
2066
|
if (proofVersion === "v3") {
|
|
1963
|
-
|
|
1964
|
-
|
|
2067
|
+
assert2(typeof teeAttestation.workload.container_name === "string" && teeAttestation.workload.container_name.length > 0, "workload container name missing");
|
|
2068
|
+
assert2(typeof teeAttestation.verifier.container_name === "string" && teeAttestation.verifier.container_name.length > 0, "verifier container name missing");
|
|
1965
2069
|
return sha256Hex([
|
|
1966
2070
|
"v3",
|
|
1967
2071
|
`workload.container_name=${teeAttestation.workload.container_name}`,
|
|
@@ -1979,16 +2083,16 @@ ${teeAttestation.verifier.image_digest}`
|
|
|
1979
2083
|
function verifyGcpClaims(teeAttestation, expectedNonce) {
|
|
1980
2084
|
return __async(this, null, function* () {
|
|
1981
2085
|
var _a;
|
|
1982
|
-
const claims = yield verifyJwtSignature(teeAttestation.attestation.token,
|
|
1983
|
-
|
|
2086
|
+
const claims = yield verifyJwtSignature(teeAttestation.attestation.token, GCP_CONFIDENTIAL_SPACE_ISSUER);
|
|
2087
|
+
assert2(claims.iss === GCP_CONFIDENTIAL_SPACE_ISSUER, `unexpected issuer: ${claims.iss}`);
|
|
1984
2088
|
assertAudienceClaim(claims.aud);
|
|
1985
|
-
|
|
2089
|
+
assert2(Array.isArray(claims.eat_nonce), "eat_nonce claim missing");
|
|
1986
2090
|
const digestBinding = yield computeDigestBinding(teeAttestation);
|
|
1987
|
-
|
|
1988
|
-
|
|
1989
|
-
|
|
1990
|
-
|
|
1991
|
-
|
|
2091
|
+
assert2(claims.eat_nonce.includes(expectedNonce), "request nonce is not present in attestation token");
|
|
2092
|
+
assert2(claims.eat_nonce.includes(digestBinding), "digest-binding nonce is not present in attestation token");
|
|
2093
|
+
assert2(claims.hwmodel === EXPECTED_HW_MODEL, `unexpected hwmodel: ${claims.hwmodel}`);
|
|
2094
|
+
assert2(claims.secboot === true, "secure boot claim is not true");
|
|
2095
|
+
assert2((_a = claims.submods) == null ? void 0 : _a.gce, "gce submod claim missing");
|
|
1992
2096
|
assertTokenFresh(claims);
|
|
1993
2097
|
});
|
|
1994
2098
|
}
|
|
@@ -2010,9 +2114,9 @@ function verifyTeeAttestation(proof, appSecret) {
|
|
|
2010
2114
|
verifyNonceMaterial(expectedNonce, nonceDataObj, appSecret);
|
|
2011
2115
|
const cleanExpectedNonce = normalizeHex(expectedNonce);
|
|
2012
2116
|
const cleanTeeNonce = normalizeHex(teeAttestation.nonce);
|
|
2013
|
-
|
|
2014
|
-
|
|
2015
|
-
|
|
2117
|
+
assert2(cleanTeeNonce.length > 0, "TEE attestation nonce is empty");
|
|
2118
|
+
assert2(isHex(cleanTeeNonce), "TEE attestation nonce is not valid hex");
|
|
2119
|
+
assert2(cleanTeeNonce === cleanExpectedNonce, `Nonce Mismatch! Expected ${cleanExpectedNonce}, got ${cleanTeeNonce}`);
|
|
2016
2120
|
yield verifyGcpClaims(teeAttestation, cleanExpectedNonce);
|
|
2017
2121
|
return { isVerified: true };
|
|
2018
2122
|
} catch (error) {
|
|
@@ -2047,8 +2151,225 @@ function runTeeVerification(proofs, config) {
|
|
|
2047
2151
|
});
|
|
2048
2152
|
}
|
|
2049
2153
|
|
|
2050
|
-
// src/
|
|
2154
|
+
// src/utils/verifyAttestorTee.ts
|
|
2155
|
+
var import_crypto = __toESM(require("crypto"));
|
|
2156
|
+
var import_ethers6 = require("ethers");
|
|
2051
2157
|
var logger10 = logger_default.logger;
|
|
2158
|
+
var BROWSER_ENVIRONMENT_ERROR2 = "Attestor TEE attestation verification is only supported in non-browser environments. Run verifyAttestorTeeAttestation on your server or API route.";
|
|
2159
|
+
function isBrowserEnvironment2() {
|
|
2160
|
+
if (typeof window !== "undefined" || typeof document !== "undefined") {
|
|
2161
|
+
return true;
|
|
2162
|
+
}
|
|
2163
|
+
if (typeof navigator !== "undefined" && typeof process === "undefined") {
|
|
2164
|
+
return true;
|
|
2165
|
+
}
|
|
2166
|
+
const workerGlobalScope = globalThis.WorkerGlobalScope;
|
|
2167
|
+
if (typeof workerGlobalScope !== "undefined" && typeof self !== "undefined" && self instanceof workerGlobalScope) {
|
|
2168
|
+
return true;
|
|
2169
|
+
}
|
|
2170
|
+
return false;
|
|
2171
|
+
}
|
|
2172
|
+
function assertNonBrowserEnvironment2() {
|
|
2173
|
+
if (isBrowserEnvironment2()) {
|
|
2174
|
+
throw new Error(BROWSER_ENVIRONMENT_ERROR2);
|
|
2175
|
+
}
|
|
2176
|
+
}
|
|
2177
|
+
var TOKEN_CLOCK_SKEW_S2 = 60;
|
|
2178
|
+
function decodeBase64Url2(input) {
|
|
2179
|
+
const normalized = input.replace(/-/g, "+").replace(/_/g, "/");
|
|
2180
|
+
const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
|
|
2181
|
+
return Buffer.from(padded, "base64");
|
|
2182
|
+
}
|
|
2183
|
+
function normalizeAddress(address) {
|
|
2184
|
+
return address.trim().toLowerCase().replace(/^0x/, "");
|
|
2185
|
+
}
|
|
2186
|
+
function verifyX5cChain(x5cChain) {
|
|
2187
|
+
if (!x5cChain || x5cChain.length === 0) {
|
|
2188
|
+
throw new Error("Empty x5c certificate chain");
|
|
2189
|
+
}
|
|
2190
|
+
const certs = x5cChain.map(
|
|
2191
|
+
(b64) => new import_crypto.X509Certificate(`-----BEGIN CERTIFICATE-----
|
|
2192
|
+
${b64}
|
|
2193
|
+
-----END CERTIFICATE-----`)
|
|
2194
|
+
);
|
|
2195
|
+
const root = new import_crypto.X509Certificate(GCP_CONFIDENTIAL_SPACE_ROOT_CA);
|
|
2196
|
+
for (let i = 0; i < certs.length - 1; i++) {
|
|
2197
|
+
if (!certs[i].verify(certs[i + 1].publicKey)) {
|
|
2198
|
+
throw new Error(`Certificate chain verification failed at level ${i}`);
|
|
2199
|
+
}
|
|
2200
|
+
}
|
|
2201
|
+
const top = certs[certs.length - 1];
|
|
2202
|
+
if (!top.verify(root.publicKey)) {
|
|
2203
|
+
throw new Error("Certificate chain does not root to GCP Confidential Space Root CA");
|
|
2204
|
+
}
|
|
2205
|
+
return certs[0].publicKey;
|
|
2206
|
+
}
|
|
2207
|
+
function verifyAttestorTeeAttestation(report, expectedAttestorAddress) {
|
|
2208
|
+
return __async(this, null, function* () {
|
|
2209
|
+
var _a, _b, _c, _d, _e;
|
|
2210
|
+
try {
|
|
2211
|
+
assertNonBrowserEnvironment2();
|
|
2212
|
+
if (!report || typeof report !== "string") {
|
|
2213
|
+
throw new Error("attestation report is empty or not a string");
|
|
2214
|
+
}
|
|
2215
|
+
if (!expectedAttestorAddress || typeof expectedAttestorAddress !== "string") {
|
|
2216
|
+
throw new Error("expectedAttestorAddress is required");
|
|
2217
|
+
}
|
|
2218
|
+
const parts = report.split(".");
|
|
2219
|
+
if (parts.length !== 3) {
|
|
2220
|
+
throw new Error("attestation report is not a JWT (expected 3 parts)");
|
|
2221
|
+
}
|
|
2222
|
+
const [headerB64, payloadB64, signatureB64] = parts;
|
|
2223
|
+
const header = JSON.parse(decodeBase64Url2(headerB64).toString("utf8"));
|
|
2224
|
+
const payload = JSON.parse(decodeBase64Url2(payloadB64).toString("utf8"));
|
|
2225
|
+
if (header.alg !== "RS256") {
|
|
2226
|
+
throw new Error(`unexpected signing algorithm: ${header.alg}`);
|
|
2227
|
+
}
|
|
2228
|
+
if (!Array.isArray(header.x5c) || header.x5c.length === 0) {
|
|
2229
|
+
throw new Error("attestation report is missing x5c certificate chain");
|
|
2230
|
+
}
|
|
2231
|
+
if (payload.iss !== GCP_CONFIDENTIAL_SPACE_ISSUER) {
|
|
2232
|
+
throw new Error(`unexpected issuer: ${payload.iss}`);
|
|
2233
|
+
}
|
|
2234
|
+
const now = Math.floor(Date.now() / 1e3);
|
|
2235
|
+
if (typeof payload.nbf === "number" && now + TOKEN_CLOCK_SKEW_S2 < payload.nbf) {
|
|
2236
|
+
throw new Error(`attestation not yet valid (nbf=${payload.nbf})`);
|
|
2237
|
+
}
|
|
2238
|
+
if (typeof payload.exp === "number" && now - TOKEN_CLOCK_SKEW_S2 > payload.exp) {
|
|
2239
|
+
throw new Error(`attestation expired (exp=${payload.exp})`);
|
|
2240
|
+
}
|
|
2241
|
+
if (typeof payload.iat === "number" && payload.iat > now + TOKEN_CLOCK_SKEW_S2) {
|
|
2242
|
+
throw new Error(`attestation issued in future (iat=${payload.iat})`);
|
|
2243
|
+
}
|
|
2244
|
+
const publicKey = verifyX5cChain(header.x5c);
|
|
2245
|
+
const verifier = import_crypto.default.createVerify("RSA-SHA256");
|
|
2246
|
+
verifier.update(`${headerB64}.${payloadB64}`);
|
|
2247
|
+
if (!verifier.verify(publicKey, new Uint8Array(decodeBase64Url2(signatureB64)))) {
|
|
2248
|
+
throw new Error("attestation signature verification failed");
|
|
2249
|
+
}
|
|
2250
|
+
if (!payload.eat_nonce) {
|
|
2251
|
+
throw new Error("eat_nonce claim is missing");
|
|
2252
|
+
}
|
|
2253
|
+
const nonces = Array.isArray(payload.eat_nonce) ? payload.eat_nonce : [payload.eat_nonce];
|
|
2254
|
+
let attestedAddress;
|
|
2255
|
+
for (const n of nonces) {
|
|
2256
|
+
const m = typeof n === "string" ? n.match(ATTESTOR_NONCE_PATTERN) : null;
|
|
2257
|
+
if (m) {
|
|
2258
|
+
attestedAddress = m[1];
|
|
2259
|
+
break;
|
|
2260
|
+
}
|
|
2261
|
+
}
|
|
2262
|
+
if (!attestedAddress) {
|
|
2263
|
+
throw new Error(
|
|
2264
|
+
`attestor_public_key nonce not found in eat_nonce: ${JSON.stringify(payload.eat_nonce)}`
|
|
2265
|
+
);
|
|
2266
|
+
}
|
|
2267
|
+
if (normalizeAddress(attestedAddress) !== normalizeAddress(expectedAttestorAddress)) {
|
|
2268
|
+
throw new Error(
|
|
2269
|
+
`attestor address mismatch: attestation binds to 0x${attestedAddress.toLowerCase()}, expected ${expectedAttestorAddress}`
|
|
2270
|
+
);
|
|
2271
|
+
}
|
|
2272
|
+
const imageDigest = (_e = (_b = (_a = payload.submods) == null ? void 0 : _a.container) == null ? void 0 : _b.image_digest) != null ? _e : (_d = (_c = payload.google) == null ? void 0 : _c.compute_engine) == null ? void 0 : _d.image_digest;
|
|
2273
|
+
return { isVerified: true, imageDigest };
|
|
2274
|
+
} catch (error) {
|
|
2275
|
+
return {
|
|
2276
|
+
isVerified: false,
|
|
2277
|
+
error: error instanceof Error ? error.message : String(error)
|
|
2278
|
+
};
|
|
2279
|
+
}
|
|
2280
|
+
});
|
|
2281
|
+
}
|
|
2282
|
+
function normalizeAttestorAddress(address) {
|
|
2283
|
+
return address.trim().toLowerCase();
|
|
2284
|
+
}
|
|
2285
|
+
function normalizeSignature(sig) {
|
|
2286
|
+
return sig.trim().toLowerCase();
|
|
2287
|
+
}
|
|
2288
|
+
function verifyAttestorTeeForProof(proof, config) {
|
|
2289
|
+
return __async(this, null, function* () {
|
|
2290
|
+
var _a;
|
|
2291
|
+
if (!proof.witnesses || proof.witnesses.length === 0) {
|
|
2292
|
+
throw new AttestorTeeVerificationError("Proof has no witnesses");
|
|
2293
|
+
}
|
|
2294
|
+
const expectedDigests = (_a = config.expectedImageDigests) == null ? void 0 : _a.map((d) => d.trim());
|
|
2295
|
+
const proofSignatures = new Set((proof.signatures || []).map(normalizeSignature));
|
|
2296
|
+
const claimSignData = createSignDataForClaim(proof.claimData);
|
|
2297
|
+
for (const witness of proof.witnesses) {
|
|
2298
|
+
const att = witness.claimAttestation;
|
|
2299
|
+
if (!att) {
|
|
2300
|
+
throw new AttestorTeeVerificationError(
|
|
2301
|
+
`Witness ${witness.id} is missing claimAttestation`
|
|
2302
|
+
);
|
|
2303
|
+
}
|
|
2304
|
+
if (normalizeAttestorAddress(att.attestor_address) !== normalizeAttestorAddress(witness.id)) {
|
|
2305
|
+
throw new AttestorTeeVerificationError(
|
|
2306
|
+
`claimAttestation.attestor_address ${att.attestor_address} does not match witness id ${witness.id}`
|
|
2307
|
+
);
|
|
2308
|
+
}
|
|
2309
|
+
if (!proofSignatures.has(normalizeSignature(att.claim_signature))) {
|
|
2310
|
+
throw new AttestorTeeVerificationError(
|
|
2311
|
+
`claimAttestation.claim_signature for witness ${witness.id} is not present in proof.signatures`
|
|
2312
|
+
);
|
|
2313
|
+
}
|
|
2314
|
+
let recoveredSigner;
|
|
2315
|
+
try {
|
|
2316
|
+
recoveredSigner = import_ethers6.ethers.verifyMessage(claimSignData, att.claim_signature);
|
|
2317
|
+
} catch (error) {
|
|
2318
|
+
throw new AttestorTeeVerificationError(
|
|
2319
|
+
`Failed to recover signer from claimAttestation.claim_signature for witness ${witness.id}`,
|
|
2320
|
+
error
|
|
2321
|
+
);
|
|
2322
|
+
}
|
|
2323
|
+
if (normalizeAttestorAddress(recoveredSigner) !== normalizeAttestorAddress(witness.id)) {
|
|
2324
|
+
throw new AttestorTeeVerificationError(
|
|
2325
|
+
`claim_signature recovers to ${recoveredSigner}, expected attestor ${witness.id}`
|
|
2326
|
+
);
|
|
2327
|
+
}
|
|
2328
|
+
const result = yield verifyAttestorTeeAttestation(att.attestation_report, witness.id);
|
|
2329
|
+
if (!result.isVerified) {
|
|
2330
|
+
throw new AttestorTeeVerificationError(
|
|
2331
|
+
`Attestor TEE attestation verification failed for witness ${witness.id}: ${result.error}`
|
|
2332
|
+
);
|
|
2333
|
+
}
|
|
2334
|
+
if (expectedDigests && expectedDigests.length > 0) {
|
|
2335
|
+
if (!result.imageDigest) {
|
|
2336
|
+
throw new AttestorTeeVerificationError(
|
|
2337
|
+
`Attestor TEE attestation for witness ${witness.id} did not expose an image digest to check against expectedImageDigests`
|
|
2338
|
+
);
|
|
2339
|
+
}
|
|
2340
|
+
if (!expectedDigests.includes(result.imageDigest)) {
|
|
2341
|
+
throw new AttestorTeeVerificationError(
|
|
2342
|
+
`Attestor image digest ${result.imageDigest} for witness ${witness.id} is not in expectedImageDigests`
|
|
2343
|
+
);
|
|
2344
|
+
}
|
|
2345
|
+
}
|
|
2346
|
+
}
|
|
2347
|
+
});
|
|
2348
|
+
}
|
|
2349
|
+
function runAttestorTeeVerification(_0) {
|
|
2350
|
+
return __async(this, arguments, function* (proofs, config = {}) {
|
|
2351
|
+
if (!proofs || proofs.length === 0) {
|
|
2352
|
+
throw new AttestorTeeVerificationError("No proofs provided for attestor TEE verification");
|
|
2353
|
+
}
|
|
2354
|
+
try {
|
|
2355
|
+
for (const proof of proofs) {
|
|
2356
|
+
yield verifyAttestorTeeForProof(proof, config);
|
|
2357
|
+
}
|
|
2358
|
+
} catch (error) {
|
|
2359
|
+
logger10.error("Attestor TEE attestation verification failed:", error);
|
|
2360
|
+
if (error instanceof AttestorTeeVerificationError) {
|
|
2361
|
+
throw error;
|
|
2362
|
+
}
|
|
2363
|
+
throw new AttestorTeeVerificationError(
|
|
2364
|
+
"Attestor TEE attestation verification failed",
|
|
2365
|
+
error
|
|
2366
|
+
);
|
|
2367
|
+
}
|
|
2368
|
+
});
|
|
2369
|
+
}
|
|
2370
|
+
|
|
2371
|
+
// src/Reclaim.ts
|
|
2372
|
+
var logger11 = logger_default.logger;
|
|
2052
2373
|
var sdkVersion = require_package().version;
|
|
2053
2374
|
var SDK_TEE_ATTESTATION_VERSION = "v3";
|
|
2054
2375
|
function verifyProof(proofOrProofs, config) {
|
|
@@ -2061,22 +2382,30 @@ function verifyProof(proofOrProofs, config) {
|
|
|
2061
2382
|
if (!config) {
|
|
2062
2383
|
throw new ProofNotValidatedError("Verification configuration is required for `verifyProof(proof, config)`");
|
|
2063
2384
|
}
|
|
2064
|
-
|
|
2065
|
-
|
|
2066
|
-
yield
|
|
2385
|
+
if (config.hasNoPii !== true) {
|
|
2386
|
+
console.info({ pii: config.hasNoPii });
|
|
2387
|
+
const attestors = yield getAttestors();
|
|
2388
|
+
for (const proof of proofs) {
|
|
2389
|
+
yield assertVerifiedProof(proof, attestors);
|
|
2390
|
+
}
|
|
2067
2391
|
}
|
|
2068
|
-
yield assertValidateProof(proofs, config);
|
|
2392
|
+
yield assertValidateProof(proofs, config, { hasNoPii: config.hasNoPii });
|
|
2069
2393
|
let isTeeAttestationVerified;
|
|
2394
|
+
let isAttestorTeeAttestationVerified;
|
|
2070
2395
|
if (config.teeAttestation && "dangerouslyDisableContentValidation" in config && config.dangerouslyDisableContentValidation) {
|
|
2071
|
-
|
|
2396
|
+
logger11.warn("teeAttestation is enabled but content validation is disabled \u2014 TEE attestation alone does not guarantee proof contents are valid");
|
|
2072
2397
|
}
|
|
2073
2398
|
if (config.teeAttestation) {
|
|
2074
2399
|
yield runTeeVerification(proofs, config.teeAttestation);
|
|
2075
2400
|
isTeeAttestationVerified = true;
|
|
2076
2401
|
}
|
|
2077
|
-
|
|
2402
|
+
if (config.attestorTeeAttestation) {
|
|
2403
|
+
yield runAttestorTeeVerification(proofs, config.attestorTeeAttestation);
|
|
2404
|
+
isAttestorTeeAttestationVerified = true;
|
|
2405
|
+
}
|
|
2406
|
+
return createVerifyProofResultSuccess(proofs, isTeeAttestationVerified, isAttestorTeeAttestationVerified);
|
|
2078
2407
|
} catch (error) {
|
|
2079
|
-
|
|
2408
|
+
logger11.error("Error in validating proof:", error);
|
|
2080
2409
|
const _error = error instanceof Error ? error : new Error(String(error));
|
|
2081
2410
|
return createVerifyProofResultFailure(_error);
|
|
2082
2411
|
}
|
|
@@ -2226,7 +2555,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2226
2555
|
}
|
|
2227
2556
|
this.options = options;
|
|
2228
2557
|
this.sdkVersion = "js-" + sdkVersion;
|
|
2229
|
-
|
|
2558
|
+
logger11.info(`Initializing client with applicationId: ${this.applicationId}`);
|
|
2230
2559
|
}
|
|
2231
2560
|
/**
|
|
2232
2561
|
* Initializes a new Reclaim proof request instance with automatic signature generation and session creation.
|
|
@@ -2285,7 +2614,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2285
2614
|
return proofRequestInstance;
|
|
2286
2615
|
} catch (error) {
|
|
2287
2616
|
console.error(error);
|
|
2288
|
-
|
|
2617
|
+
logger11.info("Failed to initialize ReclaimProofRequest", error);
|
|
2289
2618
|
throw new InitError("Failed to initialize ReclaimProofRequest", error);
|
|
2290
2619
|
}
|
|
2291
2620
|
});
|
|
@@ -2374,7 +2703,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2374
2703
|
return proofRequestInstance;
|
|
2375
2704
|
} catch (error) {
|
|
2376
2705
|
console.error(error);
|
|
2377
|
-
|
|
2706
|
+
logger11.info("Failed to initialize ReclaimProofRequest with signature", error);
|
|
2378
2707
|
throw new InitError("Failed to initialize ReclaimProofRequest with signature", error);
|
|
2379
2708
|
}
|
|
2380
2709
|
});
|
|
@@ -2491,7 +2820,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2491
2820
|
Intl.getCanonicalLocales(options.preferredLocale);
|
|
2492
2821
|
return true;
|
|
2493
2822
|
} catch (error) {
|
|
2494
|
-
|
|
2823
|
+
logger11.info("Failed to canonicalize locale", error);
|
|
2495
2824
|
return false;
|
|
2496
2825
|
}
|
|
2497
2826
|
}
|
|
@@ -2516,7 +2845,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2516
2845
|
proofRequestInstance.cancelRedirectUrlOptions = cancelRedirectUrlOptions;
|
|
2517
2846
|
return proofRequestInstance;
|
|
2518
2847
|
} catch (error) {
|
|
2519
|
-
|
|
2848
|
+
logger11.info("Failed to parse JSON string in fromJsonString:", error);
|
|
2520
2849
|
throw new InvalidParamError("Invalid JSON string provided to fromJsonString");
|
|
2521
2850
|
}
|
|
2522
2851
|
});
|
|
@@ -2677,9 +3006,9 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2677
3006
|
try {
|
|
2678
3007
|
validateModalOptions(options, "setModalOptions");
|
|
2679
3008
|
this.modalOptions = __spreadValues(__spreadValues({}, this.modalOptions), options);
|
|
2680
|
-
|
|
3009
|
+
logger11.info("Modal options set successfully");
|
|
2681
3010
|
} catch (error) {
|
|
2682
|
-
|
|
3011
|
+
logger11.info("Error setting modal options:", error);
|
|
2683
3012
|
throw new SetParamsError("Error setting modal options", error);
|
|
2684
3013
|
}
|
|
2685
3014
|
}
|
|
@@ -2709,7 +3038,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2709
3038
|
this.context = JSON.parse(canonicalStringify(__spreadProps(__spreadValues({}, context), { reclaimSessionId: this.sessionId })));
|
|
2710
3039
|
this.applyAttestationContext();
|
|
2711
3040
|
} catch (error) {
|
|
2712
|
-
|
|
3041
|
+
logger11.info("Error setting context", error);
|
|
2713
3042
|
throw new SetContextError("Error setting context", error);
|
|
2714
3043
|
}
|
|
2715
3044
|
}
|
|
@@ -2741,7 +3070,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2741
3070
|
this.context = { contextAddress: address, contextMessage: message, reclaimSessionId: this.sessionId };
|
|
2742
3071
|
this.applyAttestationContext();
|
|
2743
3072
|
} catch (error) {
|
|
2744
|
-
|
|
3073
|
+
logger11.info("Error setting context", error);
|
|
2745
3074
|
throw new SetContextError("Error setting context", error);
|
|
2746
3075
|
}
|
|
2747
3076
|
}
|
|
@@ -2776,7 +3105,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2776
3105
|
validateParameters(params);
|
|
2777
3106
|
this.parameters = __spreadValues(__spreadValues({}, this.parameters), params);
|
|
2778
3107
|
} catch (error) {
|
|
2779
|
-
|
|
3108
|
+
logger11.info("Error Setting Params:", error);
|
|
2780
3109
|
throw new SetParamsError("Error setting params", error);
|
|
2781
3110
|
}
|
|
2782
3111
|
}
|
|
@@ -2800,7 +3129,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2800
3129
|
validateFunctionParams([{ input: this.sessionId, paramName: "sessionId", isString: true }], "getAppCallbackUrl");
|
|
2801
3130
|
return this.appCallbackUrl || `${constants.DEFAULT_RECLAIM_CALLBACK_URL}${this.sessionId}`;
|
|
2802
3131
|
} catch (error) {
|
|
2803
|
-
|
|
3132
|
+
logger11.info("Error getting app callback url", error);
|
|
2804
3133
|
throw new GetAppCallbackUrlError("Error getting app callback url", error);
|
|
2805
3134
|
}
|
|
2806
3135
|
}
|
|
@@ -2824,7 +3153,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2824
3153
|
validateFunctionParams([{ input: this.sessionId, paramName: "sessionId", isString: true }], "getCancelCallbackUrl");
|
|
2825
3154
|
return this.cancelCallbackUrl || `${constants.DEFAULT_RECLAIM_CANCEL_CALLBACK_URL}${this.sessionId}`;
|
|
2826
3155
|
} catch (error) {
|
|
2827
|
-
|
|
3156
|
+
logger11.info("Error getting cancel callback url", error);
|
|
2828
3157
|
throw new GetAppCallbackUrlError("Error getting cancel callback url", error);
|
|
2829
3158
|
}
|
|
2830
3159
|
}
|
|
@@ -2847,7 +3176,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2847
3176
|
validateFunctionParams([{ input: this.sessionId, paramName: "sessionId", isString: true }], "getStatusUrl");
|
|
2848
3177
|
return `${constants.DEFAULT_RECLAIM_STATUS_URL}${this.sessionId}`;
|
|
2849
3178
|
} catch (error) {
|
|
2850
|
-
|
|
3179
|
+
logger11.info("Error fetching Status Url", error);
|
|
2851
3180
|
throw new GetStatusUrlError("Error fetching status url", error);
|
|
2852
3181
|
}
|
|
2853
3182
|
}
|
|
@@ -2917,7 +3246,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2917
3246
|
Intl.getCanonicalLocales(options.preferredLocale);
|
|
2918
3247
|
return true;
|
|
2919
3248
|
} catch (error) {
|
|
2920
|
-
|
|
3249
|
+
logger11.info("Failed to canonicalize locale", error);
|
|
2921
3250
|
return false;
|
|
2922
3251
|
}
|
|
2923
3252
|
}
|
|
@@ -2929,24 +3258,24 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2929
3258
|
try {
|
|
2930
3259
|
validateFunctionParams([{ input: signature, paramName: "signature", isString: true }], "setSignature");
|
|
2931
3260
|
this.signature = signature;
|
|
2932
|
-
|
|
3261
|
+
logger11.info(`Signature set successfully for applicationId: ${this.applicationId}`);
|
|
2933
3262
|
} catch (error) {
|
|
2934
|
-
|
|
3263
|
+
logger11.info("Error setting signature", error);
|
|
2935
3264
|
throw new SetSignatureError("Error setting signature", error);
|
|
2936
3265
|
}
|
|
2937
3266
|
}
|
|
2938
3267
|
generateSignature(applicationSecret) {
|
|
2939
3268
|
return __async(this, null, function* () {
|
|
2940
3269
|
try {
|
|
2941
|
-
const wallet = new
|
|
3270
|
+
const wallet = new import_ethers7.ethers.Wallet(applicationSecret);
|
|
2942
3271
|
const canonicalData = (0, import_canonicalize3.default)({ providerId: this.providerId, timestamp: this.timeStamp });
|
|
2943
3272
|
if (!canonicalData) {
|
|
2944
3273
|
throw new SignatureGeneratingError("Failed to canonicalize data for signing.");
|
|
2945
3274
|
}
|
|
2946
|
-
const messageHash =
|
|
2947
|
-
return yield wallet.signMessage(
|
|
3275
|
+
const messageHash = import_ethers7.ethers.keccak256(new TextEncoder().encode(canonicalData));
|
|
3276
|
+
return yield wallet.signMessage(import_ethers7.ethers.getBytes(messageHash));
|
|
2948
3277
|
} catch (err) {
|
|
2949
|
-
|
|
3278
|
+
logger11.info(`Error generating proof request for applicationId: ${this.applicationId}, providerId: ${this.providerId}, timeStamp: ${this.timeStamp}`);
|
|
2950
3279
|
throw new SignatureGeneratingError(`Error generating signature for applicationId: ${this.applicationId}`);
|
|
2951
3280
|
}
|
|
2952
3281
|
});
|
|
@@ -2987,7 +3316,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
2987
3316
|
return __async(this, null, function* () {
|
|
2988
3317
|
const newTab = preOpenedTab != null ? preOpenedTab : window.open("about:blank", "_blank");
|
|
2989
3318
|
const link = yield createLinkWithTemplateData(templateData, this.customSharePageUrl);
|
|
2990
|
-
|
|
3319
|
+
logger11.info("Opening portal in new tab: " + link);
|
|
2991
3320
|
if (newTab) {
|
|
2992
3321
|
this.portalTab = newTab;
|
|
2993
3322
|
newTab.location = link;
|
|
@@ -3017,7 +3346,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3017
3346
|
let link = yield createLinkWithTemplateData(templateData, this.customSharePageUrl);
|
|
3018
3347
|
const separator = link.includes("?") ? "&" : "?";
|
|
3019
3348
|
link = `${link}${separator}embedded=true`;
|
|
3020
|
-
|
|
3349
|
+
logger11.info("Embedding portal in iframe: " + link);
|
|
3021
3350
|
this.closeEmbeddedFlow();
|
|
3022
3351
|
const iframe = document.createElement("iframe");
|
|
3023
3352
|
iframe.src = link;
|
|
@@ -3129,7 +3458,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3129
3458
|
var _a, _b, _c;
|
|
3130
3459
|
const options = __spreadValues(__spreadValues({}, (_a = this.options) == null ? void 0 : _a.launchOptions), launchOptions);
|
|
3131
3460
|
const mode = (_b = options.verificationMode) != null ? _b : "portal";
|
|
3132
|
-
|
|
3461
|
+
logger11.info("Creating Request Url");
|
|
3133
3462
|
if (!this.signature) {
|
|
3134
3463
|
throw new SignatureNotFoundError("Signature is not set.");
|
|
3135
3464
|
}
|
|
@@ -3140,18 +3469,18 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3140
3469
|
const template = this.encodeTemplateData(templateData);
|
|
3141
3470
|
if (((_c = this.options) == null ? void 0 : _c.useAppClip) && getDeviceType() === "mobile" /* MOBILE */ && getMobileDeviceType() === "ios" /* IOS */) {
|
|
3142
3471
|
const appClipUrl = this.customAppClipUrl ? `${this.customAppClipUrl}&template=${template}` : `https://appclip.apple.com/id?p=org.reclaimprotocol.app.clip&template=${template}`;
|
|
3143
|
-
|
|
3472
|
+
logger11.info("App Clip Url created successfully: " + appClipUrl);
|
|
3144
3473
|
return appClipUrl;
|
|
3145
3474
|
}
|
|
3146
3475
|
const sharePageUrl = yield createLinkWithTemplateData(templateData, this.appSharePageUrl);
|
|
3147
|
-
|
|
3476
|
+
logger11.info("Share page Url created successfully: " + sharePageUrl);
|
|
3148
3477
|
return sharePageUrl;
|
|
3149
3478
|
}
|
|
3150
3479
|
const link = yield createLinkWithTemplateData(templateData, this.customSharePageUrl);
|
|
3151
|
-
|
|
3480
|
+
logger11.info("Request Url created successfully: " + link);
|
|
3152
3481
|
return link;
|
|
3153
3482
|
} catch (error) {
|
|
3154
|
-
|
|
3483
|
+
logger11.info("Error creating Request Url:", error);
|
|
3155
3484
|
throw error;
|
|
3156
3485
|
}
|
|
3157
3486
|
});
|
|
@@ -3210,11 +3539,11 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3210
3539
|
try {
|
|
3211
3540
|
const templateData = this.getTemplateData();
|
|
3212
3541
|
this.templateData = templateData;
|
|
3213
|
-
|
|
3542
|
+
logger11.info(`Triggering Reclaim flow (mode: ${mode})`);
|
|
3214
3543
|
const deviceType = getDeviceType();
|
|
3215
3544
|
updateSession(this.sessionId, "SESSION_STARTED" /* SESSION_STARTED */);
|
|
3216
3545
|
if (launchOptions && "target" in launchOptions && !launchOptions.target) {
|
|
3217
|
-
|
|
3546
|
+
logger11.warn("triggerReclaimFlow: target was provided but is null/undefined \u2014 falling back to default flow. Ensure the element exists in the DOM.");
|
|
3218
3547
|
}
|
|
3219
3548
|
if ((launchOptions == null ? void 0 : launchOptions.target) && mode === "portal") {
|
|
3220
3549
|
yield this.embedPortalIframe(templateData, launchOptions.target);
|
|
@@ -3227,7 +3556,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3227
3556
|
if ((_c = this.options) == null ? void 0 : _c.useBrowserExtension) {
|
|
3228
3557
|
const extensionAvailable = yield this.isBrowserExtensionAvailable();
|
|
3229
3558
|
if (extensionAvailable) {
|
|
3230
|
-
|
|
3559
|
+
logger11.info("Triggering browser extension flow");
|
|
3231
3560
|
this.triggerBrowserExtensionFlow();
|
|
3232
3561
|
return {
|
|
3233
3562
|
close: () => {
|
|
@@ -3239,16 +3568,16 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3239
3568
|
if (mode === "portal") {
|
|
3240
3569
|
yield this.openPortalTab(templateData);
|
|
3241
3570
|
} else {
|
|
3242
|
-
|
|
3571
|
+
logger11.info("Showing QR code modal with share page URL");
|
|
3243
3572
|
yield this.showQRCodeModal();
|
|
3244
3573
|
}
|
|
3245
3574
|
} else if (deviceType === "mobile" /* MOBILE */) {
|
|
3246
3575
|
if (mode === "app") {
|
|
3247
3576
|
if (((_d = this.options) == null ? void 0 : _d.useAppClip) && getMobileDeviceType() === "ios" /* IOS */) {
|
|
3248
|
-
|
|
3577
|
+
logger11.info("Redirecting to iOS app clip");
|
|
3249
3578
|
this.redirectToAppClip();
|
|
3250
3579
|
} else {
|
|
3251
|
-
|
|
3580
|
+
logger11.info("Redirecting to share page");
|
|
3252
3581
|
yield this.redirectToInstantApp(options);
|
|
3253
3582
|
}
|
|
3254
3583
|
} else {
|
|
@@ -3265,7 +3594,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3265
3594
|
tab: (_e = this.portalTab) != null ? _e : void 0
|
|
3266
3595
|
};
|
|
3267
3596
|
} catch (error) {
|
|
3268
|
-
|
|
3597
|
+
logger11.info("Error triggering Reclaim flow:", error);
|
|
3269
3598
|
throw error;
|
|
3270
3599
|
}
|
|
3271
3600
|
});
|
|
@@ -3313,7 +3642,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3313
3642
|
window.postMessage(message, "*");
|
|
3314
3643
|
});
|
|
3315
3644
|
} catch (error) {
|
|
3316
|
-
|
|
3645
|
+
logger11.info("Error checking Reclaim extension installed:", error);
|
|
3317
3646
|
return false;
|
|
3318
3647
|
}
|
|
3319
3648
|
});
|
|
@@ -3326,7 +3655,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3326
3655
|
extensionID: this.extensionID
|
|
3327
3656
|
};
|
|
3328
3657
|
window.postMessage(message, "*");
|
|
3329
|
-
|
|
3658
|
+
logger11.info("Browser extension flow triggered");
|
|
3330
3659
|
}
|
|
3331
3660
|
showQRCodeModal() {
|
|
3332
3661
|
return __async(this, null, function* () {
|
|
@@ -3335,7 +3664,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3335
3664
|
this.modal = new QRCodeModal(this.modalOptions);
|
|
3336
3665
|
yield this.modal.show(requestUrl);
|
|
3337
3666
|
} catch (error) {
|
|
3338
|
-
|
|
3667
|
+
logger11.info("Error showing QR code modal:", error);
|
|
3339
3668
|
throw error;
|
|
3340
3669
|
}
|
|
3341
3670
|
});
|
|
@@ -3346,7 +3675,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3346
3675
|
try {
|
|
3347
3676
|
const template = this.encodeTemplateData(this.templateData);
|
|
3348
3677
|
let instantAppUrl = this.buildSharePageUrl(template);
|
|
3349
|
-
|
|
3678
|
+
logger11.info("Redirecting to Android instant app: " + instantAppUrl);
|
|
3350
3679
|
const isDeferredDeeplinksFlowEnabled = (_a = options.canUseDeferredDeepLinksFlow) != null ? _a : false;
|
|
3351
3680
|
if (isDeferredDeeplinksFlowEnabled) {
|
|
3352
3681
|
instantAppUrl = instantAppUrl.replace("/verifier", "/link");
|
|
@@ -3396,7 +3725,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3396
3725
|
}
|
|
3397
3726
|
window.location.href = instantAppUrl;
|
|
3398
3727
|
} catch (error) {
|
|
3399
|
-
|
|
3728
|
+
logger11.info("Error redirecting to instant app:", error);
|
|
3400
3729
|
throw error;
|
|
3401
3730
|
}
|
|
3402
3731
|
});
|
|
@@ -3405,14 +3734,14 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3405
3734
|
try {
|
|
3406
3735
|
const template = this.encodeTemplateData(this.templateData);
|
|
3407
3736
|
const appClipUrl = this.customAppClipUrl ? `${this.customAppClipUrl}&template=${template}` : `https://appclip.apple.com/id?p=org.reclaimprotocol.app.clip&template=${template}`;
|
|
3408
|
-
|
|
3737
|
+
logger11.info("Redirecting to iOS app clip: " + appClipUrl);
|
|
3409
3738
|
const verifierUrl = `${this.appSharePageUrl}/?template=${template}`;
|
|
3410
3739
|
window.location.href = appClipUrl;
|
|
3411
3740
|
setTimeout(() => {
|
|
3412
3741
|
window.location.href = verifierUrl;
|
|
3413
3742
|
}, 5 * 1e3);
|
|
3414
3743
|
} catch (error) {
|
|
3415
|
-
|
|
3744
|
+
logger11.info("Error redirecting to app clip:", error);
|
|
3416
3745
|
throw error;
|
|
3417
3746
|
}
|
|
3418
3747
|
}
|
|
@@ -3493,13 +3822,13 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3493
3822
|
return __async(this, arguments, function* ({ onSuccess, onError, verificationConfig }) {
|
|
3494
3823
|
if (!this.sessionId) {
|
|
3495
3824
|
const message = "Session can't be started due to undefined value of sessionId";
|
|
3496
|
-
|
|
3825
|
+
logger11.info(message);
|
|
3497
3826
|
throw new SessionNotStartedError(message);
|
|
3498
3827
|
}
|
|
3499
|
-
|
|
3828
|
+
logger11.info("Starting session");
|
|
3500
3829
|
const sessionUpdatePollingInterval = 3 * 1e3;
|
|
3501
3830
|
const interval = setInterval(() => __async(this, null, function* () {
|
|
3502
|
-
var _a, _b, _c, _d, _e;
|
|
3831
|
+
var _a, _b, _c, _d, _e, _f;
|
|
3503
3832
|
try {
|
|
3504
3833
|
const statusUrlResponse = yield fetchStatusUrl(this.sessionId);
|
|
3505
3834
|
if (!statusUrlResponse.session) return;
|
|
@@ -3524,9 +3853,15 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3524
3853
|
if (statusUrlResponse.session.proofs && statusUrlResponse.session.proofs.length > 0) {
|
|
3525
3854
|
const proofs = statusUrlResponse.session.proofs;
|
|
3526
3855
|
if (this.claimCreationType === "createClaim" /* STANDALONE */) {
|
|
3527
|
-
const
|
|
3856
|
+
const sessionProviderVersion = statusUrlResponse.session.providerVersionString;
|
|
3857
|
+
const effectiveConfig = verificationConfig != null ? verificationConfig : {
|
|
3858
|
+
providerId: this.providerId,
|
|
3859
|
+
providerVersion: sessionProviderVersion || this.resolvedProviderVersion || "",
|
|
3860
|
+
allowedTags: ((_b = this.options) == null ? void 0 : _b.acceptAiProviders) ? ["ai"] : []
|
|
3861
|
+
};
|
|
3862
|
+
const result = yield verifyProof(proofs, effectiveConfig);
|
|
3528
3863
|
if (!result.isVerified) {
|
|
3529
|
-
|
|
3864
|
+
logger11.info(`Proofs not verified: count=${proofs == null ? void 0 : proofs.length}`);
|
|
3530
3865
|
throw new ProofNotVerifiedError(`Proofs not verified: count=${proofs == null ? void 0 : proofs.length}`, result.error);
|
|
3531
3866
|
}
|
|
3532
3867
|
}
|
|
@@ -3536,13 +3871,13 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3536
3871
|
onSuccess(proofs);
|
|
3537
3872
|
}
|
|
3538
3873
|
this.clearInterval();
|
|
3539
|
-
(
|
|
3874
|
+
(_c = this.modal) == null ? void 0 : _c.close();
|
|
3540
3875
|
this.closePortalTab();
|
|
3541
3876
|
this.closeEmbeddedFlow();
|
|
3542
3877
|
}
|
|
3543
3878
|
} else {
|
|
3544
3879
|
if (statusUrlResponse.session.statusV2 === "PROOF_SUBMISSION_FAILED" /* PROOF_SUBMISSION_FAILED */) {
|
|
3545
|
-
const errorMessage = ((
|
|
3880
|
+
const errorMessage = ((_d = statusUrlResponse.session.error) == null ? void 0 : _d.message) || "Proof submission failed";
|
|
3546
3881
|
throw new ProofSubmissionFailedError(errorMessage);
|
|
3547
3882
|
}
|
|
3548
3883
|
if (statusUrlResponse.session.statusV2 === "PROOF_SUBMITTED" /* PROOF_SUBMITTED */ || statusUrlResponse.session.statusV2 === "AI_PROOF_SUBMITTED" /* AI_PROOF_SUBMITTED */) {
|
|
@@ -3550,7 +3885,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3550
3885
|
onSuccess([]);
|
|
3551
3886
|
}
|
|
3552
3887
|
this.clearInterval();
|
|
3553
|
-
(
|
|
3888
|
+
(_e = this.modal) == null ? void 0 : _e.close();
|
|
3554
3889
|
this.closePortalTab();
|
|
3555
3890
|
this.closeEmbeddedFlow();
|
|
3556
3891
|
}
|
|
@@ -3560,7 +3895,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3560
3895
|
onError(e);
|
|
3561
3896
|
}
|
|
3562
3897
|
this.clearInterval();
|
|
3563
|
-
(
|
|
3898
|
+
(_f = this.modal) == null ? void 0 : _f.close();
|
|
3564
3899
|
this.closePortalTab();
|
|
3565
3900
|
this.closeEmbeddedFlow();
|
|
3566
3901
|
}
|
|
@@ -3584,7 +3919,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3584
3919
|
closeModal() {
|
|
3585
3920
|
if (this.modal) {
|
|
3586
3921
|
this.modal.close();
|
|
3587
|
-
|
|
3922
|
+
logger11.info("Modal closed by user");
|
|
3588
3923
|
}
|
|
3589
3924
|
}
|
|
3590
3925
|
/**
|
|
@@ -3604,7 +3939,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
|
|
|
3604
3939
|
};
|
|
3605
3940
|
|
|
3606
3941
|
// src/utils/signatureUtils.ts
|
|
3607
|
-
var
|
|
3942
|
+
var import_ethers8 = require("ethers");
|
|
3608
3943
|
var import_canonicalize4 = __toESM(require("canonicalize"));
|
|
3609
3944
|
function generateInitSignature(appSecret, providerId, timestamp) {
|
|
3610
3945
|
return __async(this, null, function* () {
|
|
@@ -3614,13 +3949,13 @@ function generateInitSignature(appSecret, providerId, timestamp) {
|
|
|
3614
3949
|
{ input: timestamp, paramName: "timestamp", isString: true }
|
|
3615
3950
|
], "generateInitSignature");
|
|
3616
3951
|
try {
|
|
3617
|
-
const wallet = new
|
|
3952
|
+
const wallet = new import_ethers8.ethers.Wallet(appSecret);
|
|
3618
3953
|
const canonicalData = (0, import_canonicalize4.default)({ providerId, timestamp });
|
|
3619
3954
|
if (!canonicalData) {
|
|
3620
3955
|
throw new SignatureGeneratingError("Failed to canonicalize data for signing.");
|
|
3621
3956
|
}
|
|
3622
|
-
const messageHash =
|
|
3623
|
-
return yield wallet.signMessage(
|
|
3957
|
+
const messageHash = import_ethers8.ethers.keccak256(new TextEncoder().encode(canonicalData));
|
|
3958
|
+
return yield wallet.signMessage(import_ethers8.ethers.getBytes(messageHash));
|
|
3624
3959
|
} catch (err) {
|
|
3625
3960
|
throw new SignatureGeneratingError(
|
|
3626
3961
|
`Error generating init signature for providerId: ${providerId}`,
|
|
@@ -3631,8 +3966,40 @@ function generateInitSignature(appSecret, providerId, timestamp) {
|
|
|
3631
3966
|
}
|
|
3632
3967
|
// Annotate the CommonJS export names for ESM import in node:
|
|
3633
3968
|
0 && (module.exports = {
|
|
3969
|
+
ApplicationError,
|
|
3970
|
+
AttestorTeeVerificationError,
|
|
3971
|
+
BackendServerError,
|
|
3972
|
+
CallbackUrlRequiredError,
|
|
3973
|
+
ErrorDuringVerificationError,
|
|
3974
|
+
GetAppCallbackUrlError,
|
|
3975
|
+
GetStatusUrlError,
|
|
3976
|
+
HASH_MATCH_MULTIPLE_DEFAULT,
|
|
3977
|
+
HASH_REQUIRED_DEFAULT,
|
|
3978
|
+
InavlidParametersError,
|
|
3979
|
+
InitError,
|
|
3980
|
+
InitSessionError,
|
|
3981
|
+
InvalidParamError,
|
|
3982
|
+
InvalidRequestSpecError,
|
|
3983
|
+
InvalidSignatureError,
|
|
3984
|
+
NoProviderParamsError,
|
|
3985
|
+
ProofNotValidatedError,
|
|
3986
|
+
ProofNotVerifiedError,
|
|
3987
|
+
ProofSubmissionFailedError,
|
|
3988
|
+
ProviderConfigFetchError,
|
|
3989
|
+
ProviderFailedError,
|
|
3990
|
+
ProviderNotFoundError,
|
|
3634
3991
|
ReclaimProofRequest,
|
|
3992
|
+
SessionNotStartedError,
|
|
3993
|
+
SetContextError,
|
|
3994
|
+
SetParamsError,
|
|
3995
|
+
SetSignatureError,
|
|
3996
|
+
SignatureGeneratingError,
|
|
3997
|
+
SignatureNotFoundError,
|
|
3998
|
+
StatusUrlError,
|
|
3635
3999
|
TeeVerificationError,
|
|
4000
|
+
TimeoutError,
|
|
4001
|
+
UnknownProofsNotValidatedError,
|
|
4002
|
+
UpdateSessionError,
|
|
3636
4003
|
assertValidProofsByHash,
|
|
3637
4004
|
assertValidateProof,
|
|
3638
4005
|
assertVerifiedProof,
|
|
@@ -3647,6 +4014,7 @@ function generateInitSignature(appSecret, providerId, timestamp) {
|
|
|
3647
4014
|
generateSpecsFromRequestSpecTemplate,
|
|
3648
4015
|
getAttestors,
|
|
3649
4016
|
getDeviceType,
|
|
4017
|
+
getHashFromProof,
|
|
3650
4018
|
getHttpProviderClaimParamsFromProof,
|
|
3651
4019
|
getIdentifierFromClaimInfo,
|
|
3652
4020
|
getMobileDeviceType,
|
|
@@ -3666,6 +4034,7 @@ function generateInitSignature(appSecret, providerId, timestamp) {
|
|
|
3666
4034
|
takeTemplateParametersFromProofs,
|
|
3667
4035
|
transformForOnchain,
|
|
3668
4036
|
updateSession,
|
|
4037
|
+
verifyAttestorTeeAttestation,
|
|
3669
4038
|
verifyProof,
|
|
3670
4039
|
verifyTeeAttestation
|
|
3671
4040
|
});
|