@zkpassport/sdk 0.3.3 → 0.4.0

package/src/index.ts

@@ -1,4 +1,3 @@
-import { randomBytes } from "crypto"
 import { Alpha3Code, getAlpha3Code, registerLocale } from "i18n-iso-countries"
 import {
   type DisclosableIDCredential,
@@ -57,11 +56,9 @@ import {
   ProofData,
   getScopeFromOuterProof,
   getSubscopeFromOuterProof,
+  getServiceScopeHash,
 } from "@zkpassport/utils"
 import { bytesToHex } from "@noble/ciphers/utils"
-import { getWebSocketClient, WebSocketClient } from "./websocket"
-import { createEncryptedJsonRpcRequest } from "./json-rpc"
-import { decrypt, generateECDHKeyPair, getSharedSecret } from "./encryption"
 import { noLogger as logger } from "./logger"
 import { inflate } from "pako"
 import i18en from "i18n-iso-countries/langs/en.json"
@@ -70,6 +67,7 @@ import { sha256 } from "@noble/hashes/sha2"
 import { hexToBytes } from "@noble/hashes/utils"
 import ZKPassportVerifierAbi from "./assets/abi/ZKPassportVerifier.json"
 import { RegistryClient } from "@zkpassport/registry"
+import { Bridge, BridgeInterface } from "@obsidion/bridge"
 
 const DEFAULT_DATE_VALUE = new Date(1111, 10, 11)
 
@@ -124,6 +122,24 @@ export type SolidityVerifierParameters = {
 
 export type EVMChain = "ethereum_sepolia" | "local_anvil"
 
+function getChainIdFromEVMChain(chain: EVMChain): number {
+  if (chain === "ethereum_sepolia") {
+    return 11155111
+  } else if (chain === "local_anvil") {
+    return 31337
+  }
+  throw new Error(`Unsupported chain: ${chain}`)
+}
+
+function getEVMChainFromChainId(chainId: number): EVMChain {
+  if (chainId === 11155111) {
+    return "ethereum_sepolia"
+  } else if (chainId === 31337) {
+    return "local_anvil"
+  }
+  throw new Error(`Unsupported chain ID: ${chainId}`)
+}
+
 registerLocale(i18en)
 
 function hasRequestedAccessToField(credentialsRequest: Query, field: IDCredential): boolean {
@@ -351,13 +367,12 @@ export class ZKPassport {
       devMode: boolean
     }
   > = {}
-  private topicToKeyPair: Record<string, { privateKey: Uint8Array; publicKey: Uint8Array }> = {}
-  private topicToWebSocketClient: Record<string, WebSocketClient> = {}
-  private topicToSharedSecret: Record<string, Uint8Array> = {}
+  private topicToPublicKey: Record<string, string> = {}
+  private topicToBridge: Record<string, BridgeInterface> = {}
   private topicToRequestReceived: Record<string, boolean> = {}
   private topicToService: Record<
     string,
-    { name: string; logo: string; purpose: string; scope?: string }
+    { name: string; logo: string; purpose: string; scope?: string; chainId?: number }
   > = {}
   private topicToProofs: Record<string, Array<ProofResult>> = {}
   private topicToExpectedProofCount: Record<string, number> = {}
@@ -400,6 +415,9 @@ export class ZKPassport {
       queryResult: result,
       validity: this.topicToLocalConfig[topic]?.validity,
       scope: this.topicToService[topic]?.scope,
+      evmChain: this.topicToService[topic]?.chainId
+        ? getEVMChainFromChainId(this.topicToService[topic]?.chainId)
+        : undefined,
       devMode: this.topicToLocalConfig[topic]?.devMode,
     })
     delete this.topicToProofs[topic]
@@ -498,11 +516,7 @@ export class ZKPassport {
    * @param request The request.
    * @param outerRequest The outer request.
    */
-  private async handleEncryptedMessage(
-    topic: string,
-    request: JsonRpcRequest,
-    outerRequest: JsonRpcRequest,
-  ) {
+  private async handleEncryptedMessage(topic: string, request: JsonRpcRequest) {
     logger.debug("Received encrypted message:", request)
     if (request.method === "accept") {
       logger.debug(`User accepted the request and is generating a proof`)
@@ -512,31 +526,9 @@ export class ZKPassport {
       await Promise.all(this.onRejectCallbacks[topic].map((callback) => callback()))
     } else if (request.method === "proof") {
       logger.debug(`User generated proof`)
-      // Uncompress the proof and convert it to a hex string
-      const bytesProof = Buffer.from(request.params.proof, "base64")
-      const bytesCommittedInputs = request.params.committedInputs
-        ? Buffer.from(request.params.committedInputs, "base64")
-        : null
-      const uncompressedProof = inflate(bytesProof)
-      const uncompressedCommittedInputs = bytesCommittedInputs
-        ? inflate(bytesCommittedInputs)
-        : null
-      // The gzip lib in the app compress the proof as ASCII
-      // and since the app passes the proof as a hex string, we can
-      // just decode the bytes as hex characters using the TextDecoder
-      const hexProof = new TextDecoder().decode(uncompressedProof)
-      const processedProof: ProofResult = {
-        proof: hexProof,
-        vkeyHash: request.params.vkeyHash,
-        name: request.params.name,
-        version: request.params.version,
-        committedInputs: uncompressedCommittedInputs
-          ? JSON.parse(new TextDecoder().decode(uncompressedCommittedInputs))
-          : undefined,
-      }
-      this.topicToProofs[topic].push(processedProof)
+      this.topicToProofs[topic].push(request.params)
       await Promise.all(
-        this.onProofGeneratedCallbacks[topic].map((callback) => callback(processedProof)),
+        this.onProofGeneratedCallbacks[topic].map((callback) => callback(request.params)),
       )
       // If the results were received before all the proofs were generated,
       // we can handle the result now
@@ -651,7 +643,7 @@ export class ZKPassport {
         const base64Service = Buffer.from(JSON.stringify(this.topicToService[topic])).toString(
           "base64",
         )
-        const pubkey = bytesToHex(this.topicToKeyPair[topic].publicKey)
+        const pubkey = this.topicToPublicKey[topic]
         this.setExpectedProofCount(topic)
         return {
           url: `https://zkpassport.id/r?d=${this.domain}&t=${topic}&c=${base64Config}&s=${base64Service}&p=${pubkey}&m=${this.topicToLocalConfig[topic].mode}`,
@@ -675,7 +667,7 @@ export class ZKPassport {
           onReject: (callback: () => void) => this.onRejectCallbacks[topic].push(callback),
           onError: (callback: (error: string) => void) =>
             this.onErrorCallbacks[topic].push(callback),
-          isBridgeConnected: () => this.topicToWebSocketClient[topic].readyState === WebSocket.OPEN,
+          isBridgeConnected: () => this.topicToBridge[topic].isBridgeConnected(),
           requestReceived: () => this.topicToRequestReceived[topic] === true,
         }
       },
@@ -690,6 +682,7 @@ export class ZKPassport {
    * @param scope Scope this request to a specific use case
    * @param validity How many days ago should have the ID been last scanned by the user?
    * @param devMode Whether to enable dev mode. This will allow you to verify mock proofs (i.e. from ZKR)
+   * @param evmChain The EVM chain to use for the request (if using the proof onchain)
    * @returns The query builder object.
    */
   public async request({
@@ -698,6 +691,7 @@ export class ZKPassport {
     purpose,
     scope,
     mode,
+    evmChain,
     validity,
     devMode,
     topicOverride,
@@ -708,21 +702,27 @@ export class ZKPassport {
     purpose: string
     scope?: string
     mode?: ProofMode
+    evmChain?: EVMChain
     validity?: number
     devMode?: boolean
     topicOverride?: string
     keyPairOverride?: { privateKey: Uint8Array; publicKey: Uint8Array }
   }): Promise<QueryBuilder> {
-    const topic = topicOverride || randomBytes(16).toString("hex")
+    const bridge = await Bridge.create({
+      keyPair: keyPairOverride,
+      bridgeId: topicOverride,
+    })
 
-    const keyPair = keyPairOverride || (await generateECDHKeyPair())
-    this.topicToKeyPair[topic] = {
-      privateKey: keyPair.privateKey,
-      publicKey: keyPair.publicKey,
-    }
+    const topic = bridge.connection.getBridgeId()
 
     this.topicToConfig[topic] = {}
-    this.topicToService[topic] = { name, logo, purpose, scope }
+    this.topicToService[topic] = {
+      name,
+      logo,
+      purpose,
+      scope,
+      chainId: evmChain ? getChainIdFromEVMChain(evmChain) : undefined,
+    }
     this.topicToProofs[topic] = []
     this.topicToExpectedProofCount[topic] = 0
     this.topicToLocalConfig[topic] = {
@@ -740,68 +740,22 @@ export class ZKPassport {
     this.onRejectCallbacks[topic] = []
     this.onErrorCallbacks[topic] = []
 
-    const wsClient = getWebSocketClient(`wss://bridge.zkpassport.id?topic=${topic}`, this.domain)
-    this.topicToWebSocketClient[topic] = wsClient
-    wsClient.onopen = async () => {
-      logger.info("[frontend] WebSocket connection established")
-      await Promise.all(this.onBridgeConnectCallbacks[topic].map((callback) => callback()))
-    }
-    wsClient.addEventListener("message", async (event: any) => {
-      logger.debug("[frontend] Received message:", event.data)
-      try {
-        const data: JsonRpcRequest = JSON.parse(event.data)
-        // Handshake happens when the mobile app scans the QR code and connects to the bridge
-        if (data.method === "handshake") {
-          logger.debug("[frontend] Received handshake:", event.data)
-
-          this.topicToRequestReceived[topic] = true
-          this.topicToSharedSecret[topic] = await getSharedSecret(
-            bytesToHex(keyPair.privateKey),
-            data.params.pubkey,
-          )
-          logger.debug(
-            "[frontend] Shared secret:",
-            Buffer.from(this.topicToSharedSecret[topic]).toString("hex"),
-          )
-
-          const encryptedMessage = await createEncryptedJsonRpcRequest(
-            "hello",
-            null,
-            this.topicToSharedSecret[topic],
-            topic,
-          )
-          logger.debug("[frontend] Sending encrypted message:", encryptedMessage)
-          wsClient.send(JSON.stringify(encryptedMessage))
-
-          await Promise.all(this.onRequestReceivedCallbacks[topic].map((callback) => callback()))
-          return
-        }
+    this.topicToPublicKey[topic] = bridge.getPublicKey()
 
-        // Handle encrypted messages
-        if (data.method === "encryptedMessage") {
-          // Decode the payload from base64 to Uint8Array
-          const payload = new Uint8Array(
-            atob(data.params.payload)
-              .split("")
-              .map((c) => c.charCodeAt(0)),
-          )
-          try {
-            // Decrypt the payload using the shared secret
-            const decrypted = await decrypt(payload, this.topicToSharedSecret[topic], topic)
-            const decryptedJson: JsonRpcRequest = JSON.parse(decrypted)
-            this.handleEncryptedMessage(topic, decryptedJson, data)
-          } catch (error) {
-            logger.error("[frontend] Error decrypting message:", error)
-          }
-          return
-        }
-      } catch (error) {
-        logger.error("[frontend] Error:", error)
-      }
+    this.topicToBridge[topic] = bridge
+    bridge.onConnect(async (reconnection: boolean) => {
+      logger.debug("Bridge connected")
+      logger.debug("Is reconnection:", reconnection)
+      await Promise.all(this.onBridgeConnectCallbacks[topic].map((callback) => callback()))
+    })
+    bridge.onSecureChannelEstablished(async () => {
+      logger.debug("Secure channel established")
+      await Promise.all(this.onRequestReceivedCallbacks[topic].map((callback) => callback()))
+    })
+    bridge.onSecureMessage(async (message: any) => {
+      logger.debug("Received message:", message)
+      this.handleEncryptedMessage(topic, message)
     })
-    wsClient.onerror = (error: Event) => {
-      logger.error("[frontend] WebSocket error:", error)
-    }
     return this.getZkPassportRequest(topic)
   }
 
@@ -1780,13 +1734,17 @@ export class ZKPassport {
     queryResultErrors: QueryResultErrors,
     key: string,
     scope?: string,
+    chainId?: number,
   ) {
     let isCorrect = true
-    if (this.domain && getScopeHash(this.domain) !== BigInt(proofData.publicInputs[1])) {
+    if (
+      this.domain &&
+      getServiceScopeHash(this.domain, chainId) !== BigInt(proofData.publicInputs[1])
+    ) {
       console.warn("The proof comes from a different domain than the one expected")
       isCorrect = false
       queryResultErrors[key as keyof QueryResultErrors].scope = {
-        expected: `Scope: ${getScopeHash(this.domain).toString()}`,
+        expected: `Scope: ${getServiceScopeHash(this.domain, chainId).toString()}`,
         received: `Scope: ${BigInt(proofData.publicInputs[1]).toString()}`,
         message: "The proof comes from a different domain than the one expected",
       }
@@ -1840,6 +1798,7 @@ export class ZKPassport {
     queryResult: QueryResult,
     validity?: number,
     scope?: string,
+    chainId?: number,
   ) {
     let commitmentIn: bigint | undefined
     let commitmentOut: bigint | undefined
@@ -1945,11 +1904,14 @@ export class ZKPassport {
             message: "The proof does not verify all the requested conditions and information",
           }
         }
-        if (this.domain && getScopeHash(this.domain) !== getScopeFromOuterProof(proofData)) {
+        if (
+          this.domain &&
+          getServiceScopeHash(this.domain, chainId) !== getScopeFromOuterProof(proofData)
+        ) {
           console.warn("The proof comes from a different domain than the one expected")
           isCorrect = false
           queryResultErrors.outer.scope = {
-            expected: `Scope: ${getScopeHash(this.domain).toString()}`,
+            expected: `Scope: ${getServiceScopeHash(this.domain, chainId).toString()}`,
             received: `Scope: ${getScopeFromOuterProof(proofData).toString()}`,
             message: "The proof comes from a different domain than the one expected",
           }
@@ -2646,6 +2608,9 @@ export class ZKPassport {
    * @param proofs The proofs to verify.
    * @param queryResult The query result to verify against
    * @param validity How many days ago should have the ID been last scanned by the user?
+   * @param scope Scope this request to a specific use case
+   * @param evmChain The EVM chain to use for the verification (if using the proof onchain)
+   * @param devMode Whether to enable dev mode. This will allow you to verify mock proofs (i.e. from ZKR)
    * @returns An object containing the unique identifier associated to the user
    * and a boolean indicating whether the proofs were successfully verified.
    */
@@ -2654,18 +2619,28 @@ export class ZKPassport {
     queryResult,
     validity,
     scope,
+    evmChain,
     devMode = false,
   }: {
     proofs: Array<ProofResult>
     queryResult: QueryResult
     validity?: number
     scope?: string
+    evmChain?: EVMChain
     devMode?: boolean
   }): Promise<{
     uniqueIdentifier: string | undefined
     verified: boolean
     queryResultErrors?: QueryResultErrors
   }> {
+    // If no proofs were generated, the results can't be trusted.
+    // We still return it but verified will be false
+    if (!proofs || proofs.length === 0) {
+      return {
+        uniqueIdentifier: undefined,
+        verified: false,
+      }
+    }
     const formattedResult: QueryResult = queryResult
     // Make sure to reconvert the dates to Date objects
     if (formattedResult.birthdate && formattedResult.birthdate.disclose) {
@@ -2684,11 +2659,12 @@ export class ZKPassport {
     let verified = true
     let uniqueIdentifier: string | undefined
     let queryResultErrors: QueryResultErrors | undefined
+    const chainId = evmChain ? getChainIdFromEVMChain(evmChain) : undefined
     const {
       isCorrect,
       uniqueIdentifier: uniqueIdentifierFromPublicInputs,
       queryResultErrors: queryResultErrorsFromPublicInputs,
-    } = await this.checkPublicInputs(proofs, formattedResult, validity, scope)
+    } = await this.checkPublicInputs(proofs, formattedResult, validity, scope, chainId)
     uniqueIdentifier = uniqueIdentifierFromPublicInputs
     verified = isCorrect
     queryResultErrors = isCorrect ? undefined : queryResultErrorsFromPublicInputs
@@ -2782,7 +2758,7 @@ export class ZKPassport {
     if (network === "ethereum_sepolia") {
       return {
         ...baseConfig,
-        address: "0x8c6982D77f7a8f60aE3133cA9b2FAA6f3e78c394",
+        address: "0xDfE02DFd5c208854884B58bFf6522De5c42F73E3",
       }
     } else if (network === "local_anvil") {
       return {
@@ -2951,7 +2927,7 @@ export class ZKPassport {
    * @returns The URL of the request.
    */
   public getUrl(requestId: string) {
-    const pubkey = bytesToHex(this.topicToKeyPair[requestId].publicKey)
+    const pubkey = this.topicToPublicKey[requestId]
     const base64Config = Buffer.from(JSON.stringify(this.topicToConfig[requestId])).toString(
       "base64",
     )
@@ -2966,14 +2942,13 @@ export class ZKPassport {
    * @param requestId The request ID.
    */
   public cancelRequest(requestId: string) {
-    if (this.topicToWebSocketClient[requestId]) {
-      this.topicToWebSocketClient[requestId].close()
-      delete this.topicToWebSocketClient[requestId]
+    if (this.topicToBridge[requestId]) {
+      this.topicToBridge[requestId].close()
+      delete this.topicToBridge[requestId]
     }
-    delete this.topicToKeyPair[requestId]
+    delete this.topicToPublicKey[requestId]
     delete this.topicToConfig[requestId]
     delete this.topicToLocalConfig[requestId]
-    delete this.topicToSharedSecret[requestId]
     delete this.topicToProofs[requestId]
     delete this.topicToExpectedProofCount[requestId]
     delete this.topicToFailedProofCount[requestId]
@@ -2990,7 +2965,7 @@ export class ZKPassport {
    * @notice Clears all requests.
    */
   public clearAllRequests() {
-    for (const requestId in this.topicToWebSocketClient) {
+    for (const requestId in this.topicToBridge) {
       this.cancelRequest(requestId)
     }
   }

package/src/encryption.ts

@@ -1,45 +0,0 @@
-import { gcm } from "@noble/ciphers/aes"
-import { utf8ToBytes } from "@noble/ciphers/utils"
-
-async function sha256Truncate(topic: string): Promise<Uint8Array> {
-  const encoder = new TextEncoder()
-  const data = encoder.encode(topic)
-  const hashBuffer = await crypto.subtle.digest("SHA-256", data)
-  const fullHashArray = new Uint8Array(hashBuffer)
-  const truncatedHashArray = fullHashArray.slice(0, 12)
-  return truncatedHashArray
-}
-
-export async function generateECDHKeyPair() {
-  const secp256k1 = await import("@noble/secp256k1")
-  const privKey = secp256k1.utils.randomPrivateKey()
-  const pubKey = secp256k1.getPublicKey(privKey)
-  return {
-    privateKey: privKey,
-    publicKey: pubKey,
-  }
-}
-
-export async function getSharedSecret(privateKey: string, publicKey: string) {
-  const secp256k1 = await import("@noble/secp256k1")
-  const sharedSecret = secp256k1.getSharedSecret(privateKey, publicKey)
-  return sharedSecret.slice(0, 32)
-}
-
-export async function encrypt(message: string, sharedSecret: Uint8Array, topic: string) {
-  // Nonce must be 12 bytes
-  const nonce = await sha256Truncate(topic)
-  const aes = gcm(sharedSecret, nonce)
-  const data = utf8ToBytes(message)
-  const ciphertext = aes.encrypt(data)
-  return ciphertext
-}
-
-export async function decrypt(ciphertext: Uint8Array, sharedSecret: Uint8Array, topic: string) {
-  // Nonce must be 12 bytes
-  const nonce = await sha256Truncate(topic)
-  const aes = gcm(sharedSecret, nonce)
-  const data = aes.decrypt(ciphertext)
-  const dataString = new TextDecoder().decode(data)
-  return dataString
-}

package/src/json-rpc.ts

@@ -1,61 +0,0 @@
-import { randomBytes } from "crypto"
-import type { JsonRpcRequest, JsonRpcResponse } from "@zkpassport/utils"
-import { encrypt } from "./encryption"
-import { WebSocketClient } from "./websocket"
-import { noLogger as logger } from "./logger"
-
-export function createJsonRpcRequest(method: string, params: any): JsonRpcRequest {
-  return {
-    jsonrpc: "2.0",
-    id: randomBytes(16).toString("hex"),
-    method,
-    params,
-  }
-}
-
-export async function createEncryptedJsonRpcRequest(
-  method: string,
-  params: any,
-  sharedSecret: Uint8Array,
-  topic: string,
-): Promise<JsonRpcRequest> {
-  const encryptedMessage = await encrypt(
-    JSON.stringify({ method, params: params || {} }),
-    sharedSecret,
-    topic,
-  )
-  return createJsonRpcRequest("encryptedMessage", {
-    payload: Buffer.from(encryptedMessage).toString("base64"),
-  })
-}
-
-export async function sendEncryptedJsonRpcRequest(
-  method: string,
-  params: any,
-  sharedSecret: Uint8Array,
-  topic: string,
-  wsClient: WebSocketClient,
-): Promise<boolean> {
-  try {
-    const message = { method, params: params || {} }
-    const encryptedMessage = await encrypt(JSON.stringify(message), sharedSecret, topic)
-    const request = createJsonRpcRequest("encryptedMessage", {
-      payload: Buffer.from(encryptedMessage).toString("base64"),
-    })
-    logger.debug("Sending encrypted message (original):", message)
-    logger.debug("Sending encrypted message (encrypted):", request)
-    wsClient.send(JSON.stringify(request))
-    return true
-  } catch (error) {
-    logger.error("Error sending encrypted message:", error)
-    return false
-  }
-}
-
-export function createJsonRpcResponse(id: string, result: any): JsonRpcResponse {
-  return {
-    jsonrpc: "2.0",
-    id,
-    result,
-  }
-}