check accept and esxires_time

iden3 · Nov 25, 2024 · e4623c3 · e4623c3
1 parent 6c52a8d
commit e4623c3
Show file tree

Hide file tree

Showing 4 changed files with 125 additions and 28 deletions.
diff --git a/src/auth/auth.ts b/src/auth/auth.ts
@@ -24,13 +24,29 @@ import {
   ICircuitStorage,
   cacheLoader,
   byteEncoder,
-  JSONObject
+  JSONObject,
+  verifyExpiresTime,
+  parseAcceptProfile
 } from '@0xpolygonid/js-sdk';
 import { Resolvable } from 'did-resolver';
 import { Options, DocumentLoader } from '@iden3/js-jsonld-merklization';
 import path from 'path';
-import { DID } from '@iden3/js-iden3-core';
+import { DID, getUnixTimestamp } from '@iden3/js-iden3-core';
 import { ZeroKnowledgeProofRequest } from '@0xpolygonid/js-sdk';
+import {
+  MediaType,
+  ProtocolVersion
+} from '@0xpolygonid/js-sdk/dist/types/iden3comm/constants';
+
+/**
+ * Options to pass to createAuthorizationRequest function
+ * @public
+ */
+export type AuthorizationRequestCreateOptions = {
+  accept?: string[];
+  scope?: ZeroKnowledgeProofRequest[];
+  expires_time?: Date;
+};
 
 /**
  *  createAuthorizationRequest is a function to create protocol authorization request
@@ -42,9 +58,10 @@ import { ZeroKnowledgeProofRequest } from '@0xpolygonid/js-sdk';
 export function createAuthorizationRequest(
   reason: string,
   sender: string,
-  callbackUrl: string
+  callbackUrl: string,
+  opts?: AuthorizationRequestCreateOptions
 ): AuthorizationRequestMessage {
-  return createAuthorizationRequestWithMessage(reason, '', sender, callbackUrl);
+  return createAuthorizationRequestWithMessage(reason, '', sender, callbackUrl, opts);
 }
 /**
  *  createAuthorizationRequestWithMessage is a function to create protocol authorization request with explicit message to sign
@@ -58,7 +75,8 @@ export function createAuthorizationRequestWithMessage(
   reason: string,
   message: string,
   sender: string,
-  callbackUrl: string
+  callbackUrl: string,
+  opts?: AuthorizationRequestCreateOptions
 ): AuthorizationRequestMessage {
   const uuid = uuidv4();
   const request: AuthorizationRequestMessage = {
@@ -71,8 +89,10 @@ export function createAuthorizationRequestWithMessage(
       reason: reason,
       message: message,
       callbackUrl: callbackUrl,
-      scope: []
-    }
+      scope: opts?.scope || []
+    },
+    created_time: getUnixTimestamp(new Date()),
+    expires_time: opts?.expires_time ? getUnixTimestamp(opts.expires_time) : undefined
   };
   return request;
 }
@@ -207,10 +227,11 @@ export class Verifier {
     return this.setPacker(jwsPacker);
   }
 
-  public verifyAuthRequest(request: AuthorizationRequestMessage) {
-    if (request?.expires_time && request.expires_time < Math.floor(Date.now() / 1000)) {
-      throw new Error('Message expired');
+  public verifyAuthRequest(request: AuthorizationRequestMessage, opts?: VerifyOpts) {
+    if (!opts?.allowExpiredMessages) {
+      verifyExpiresTime(request);
     }
+    this.verifyProfile(request.type, request.body.accept);
     const groupIdValidationMap: { [k: string]: ZeroKnowledgeProofRequest[] } = {};
     const requestScope = request.body.scope;
     for (const proofRequest of requestScope) {
@@ -258,8 +279,8 @@ export class Verifier {
     request: AuthorizationRequestMessage,
     opts?: VerifyOpts
   ) {
-    if (response?.expires_time && response.expires_time < Math.floor(Date.now() / 1000)) {
-      throw new Error('Message expired');
+    if (!opts?.allowExpiredMessages) {
+      verifyExpiresTime(request);
     }
     if ((request.body.message ?? '') !== (response.body.message ?? '')) {
       throw new Error('message for signing from request is not presented in response');
@@ -414,4 +435,31 @@ export class Verifier {
       this.setupJWSPacker(new KMS(), didResolver);
     }
   }
+
+  private verifyProfile(messageType: string, profile?: string[] | undefined) {
+    if (!profile?.length) {
+      return;
+    }
+    const supportedMediaTypes: MediaType[] = [];
+    for (const acceptProfile of profile) {
+      // 1. check protocol version
+      const { protocolVersion, env } = parseAcceptProfile(acceptProfile);
+      const messageTypeVersion = Number(messageType.split('/').at(-2));
+      if (
+        protocolVersion !== ProtocolVersion.V1 ||
+        (protocolVersion === ProtocolVersion.V1 &&
+          (messageTypeVersion < 1 || messageTypeVersion >= 2))
+      ) {
+        continue;
+      }
+      // 2. check packer support
+      if (this.packageManager.isProfileSupported(env, acceptProfile)) {
+        supportedMediaTypes.push(env);
+      }
+    }
+
+    if (!supportedMediaTypes.length) {
+      throw new Error('no packer with profile which meets `accept` header requirements');
+    }
+  }
 }
diff --git a/src/circuits/atomicV3.ts b/src/circuits/atomicV3.ts
@@ -31,7 +31,10 @@ const defaultProofVerifyOpts = 1 * 60 * 60 * 1000; // 1 hour
  * Verifies the public signals for the AtomicQueryV3 circuit.
  * @beta
  */
-export class AtomicQueryV3PubSignalsVerifier extends IDOwnershipPubSignals implements PubSignalsVerifier {
+export class AtomicQueryV3PubSignalsVerifier
+  extends IDOwnershipPubSignals
+  implements PubSignalsVerifier
+{
   pubSignals = new AtomicQueryV3PubSignals();
 
   constructor(pubSignals: string[]) {

diff --git a/src/circuits/registry.ts b/src/circuits/registry.ts
@@ -13,6 +13,8 @@ export type VerifyOpts = {
   acceptedStateTransitionDelay?: number;
   // acceptedProofGenerationDelay is the period of time in milliseconds that a generated proof remains valid.
   acceptedProofGenerationDelay?: number;
+  // allowExpiredMessages is a flag that allows the verification of expired messages.
+  allowExpiredMessages?: boolean;
 };
 
 export interface PubSignalsVerifier {

diff --git a/test/auth.test.ts b/test/auth.test.ts
@@ -3,12 +3,14 @@ import { v4 as uuidv4 } from 'uuid';
 import {
   AuthorizationRequestMessage,
   AuthorizationResponseMessage,
+  CircuitId,
   FSCircuitStorage,
   KMS,
   NativeProver,
   PROTOCOL_CONSTANTS,
   PackageManager,
-  ZeroKnowledgeProofRequest
+  ZeroKnowledgeProofRequest,
+  buildAccept
 } from '@0xpolygonid/js-sdk';
 import { AuthPubSignalsV2 } from '@lib/circuits/authV2';
 import {
@@ -19,9 +21,23 @@ import {
 import { Circuits } from '@lib/circuits/registry';
 import path from 'path';
 import { resolveDIDDocument, resolvers, schemaLoader, testOpts } from './mocks';
+import { getDateFromUnixTimestamp, getUnixTimestamp } from '@iden3/js-iden3-core';
+import {
+  AcceptAuthCircuits,
+  MediaType,
+  ProtocolVersion
+} from '@0xpolygonid/js-sdk/dist/types/iden3comm/constants';
 
 describe('auth tests', () => {
   const connectionString = process.env.IPFS_URL ?? 'https://ipfs.io';
+  const acceptProfile = buildAccept([
+    {
+      protocolVersion: ProtocolVersion.V1,
+      env: MediaType.ZKPMessage,
+      circuits: [AcceptAuthCircuits.AuthV2]
+    }
+  ]);
+  const expiresTime = getDateFromUnixTimestamp(getUnixTimestamp(new Date()) + 5 * 60);
   it('createAuthorizationRequest', () => {
     const sender = 'did:iden3:polygon:amoy:xCRp75DgAdS63W65fmXHz6p9DwdonuRU9e46DifhX';
     const callback = 'https://test.com/callback';
@@ -37,7 +53,7 @@ describe('auth tests', () => {
 
     const proofRequest: ZeroKnowledgeProofRequest = {
       id: 1,
-      circuitId: 'credentialAtomicQueryMTPV2',
+      circuitId: CircuitId.AtomicQueryMTPV2,
       query: {
         allowedIssuers: ['1195GJqgw6YEsKFwj63GY87MMxPL9kwDKxPUiwMLN9'],
         type: 'KYCAgeCredential',
@@ -63,7 +79,11 @@ describe('auth tests', () => {
       'kyc verification',
       msg,
       sender,
-      callback
+      callback,
+      {
+        accept: acceptProfile,
+        expires_time: expiresTime
+      }
     );
 
     const response: AuthorizationResponseMessage = {
@@ -101,7 +121,11 @@ describe('auth tests', () => {
       reason,
       message,
       sender,
-      callback
+      callback,
+      {
+        accept: acceptProfile,
+        expires_time: expiresTime
+      }
     );
     expect(request.body.scope.length).toEqual(0);
     expect(request.body.callbackUrl).toEqual(callback);
@@ -112,7 +136,7 @@ describe('auth tests', () => {
 
     const proofRequest: ZeroKnowledgeProofRequest = {
       id: 1,
-      circuitId: 'credentialAtomicQueryMTPV2',
+      circuitId: CircuitId.AtomicQueryMTPV2,
       query: {
         allowedIssuers: ['*'],
         context:
@@ -266,7 +290,11 @@ describe('auth tests', () => {
       reason,
       message,
       sender,
-      callback
+      callback,
+      {
+        accept: acceptProfile,
+        expires_time: expiresTime
+      }
     );
     expect(request.body.scope.length).toEqual(0);
     expect(request.body.callbackUrl).toEqual(callback);
@@ -277,7 +305,7 @@ describe('auth tests', () => {
 
     const proofRequest: ZeroKnowledgeProofRequest = {
       id: 1,
-      circuitId: 'credentialAtomicQuerySigV2',
+      circuitId: CircuitId.AtomicQuerySigV2,
       query: {
         allowedIssuers: ['*'],
         context:
@@ -444,7 +472,11 @@ describe('auth tests', () => {
       reason,
       'message to sign',
       sender,
-      callback
+      callback,
+      {
+        accept: acceptProfile,
+        expires_time: expiresTime
+      }
     );
     expect(request.body.scope.length).toEqual(0);
     expect(request.body.callbackUrl).toEqual(callback);
@@ -453,7 +485,7 @@ describe('auth tests', () => {
 
     const proofRequest: ZeroKnowledgeProofRequest = {
       id: 1,
-      circuitId: 'credentialAtomicQuerySigV2',
+      circuitId: CircuitId.AtomicQuerySigV2,
       query: {
         allowedIssuers: ['*'],
         context:
@@ -492,7 +524,11 @@ describe('auth tests', () => {
     const request: AuthorizationRequestMessage = createAuthorizationRequest(
       reason,
       sender,
-      callback
+      callback,
+      {
+        accept: acceptProfile,
+        expires_time: expiresTime
+      }
     );
     expect(request.body.scope.length).toEqual(0);
     expect(request.body.callbackUrl).toEqual(callback);
@@ -506,7 +542,7 @@ describe('auth tests', () => {
 
     const proofRequest: ZeroKnowledgeProofRequest = {
       id: 1,
-      circuitId: 'credentialAtomicQuerySigV2',
+      circuitId: CircuitId.AtomicQuerySigV2,
       query: {
         allowedIssuers: ['*'],
         context:
@@ -561,7 +597,11 @@ describe('auth tests', () => {
       reason,
       'message to sign',
       sender,
-      callback
+      callback,
+      {
+        accept: acceptProfile,
+        expires_time: expiresTime
+      }
     );
     expect(request.body.scope.length).toEqual(0);
     expect(request.body.callbackUrl).toEqual(callback);
@@ -570,7 +610,7 @@ describe('auth tests', () => {
 
     const proofRequest: ZeroKnowledgeProofRequest = {
       id: 1,
-      circuitId: 'credentialAtomicQuerySigV2',
+      circuitId: CircuitId.AtomicQuerySigV2,
       query: {
         allowedIssuers: ['*'],
         context:
@@ -607,7 +647,11 @@ describe('auth tests', () => {
       reason,
       'message to sign',
       sender,
-      callback
+      callback,
+      {
+        accept: acceptProfile,
+        expires_time: expiresTime
+      }
     );
     expect(request.body.scope.length).toEqual(0);
     expect(request.body.callbackUrl).toEqual(callback);
@@ -616,7 +660,7 @@ describe('auth tests', () => {
 
     const proofRequest: ZeroKnowledgeProofRequest = {
       id: 1,
-      circuitId: 'credentialAtomicQuerySigV2',
+      circuitId: CircuitId.AtomicQuerySigV2,
       query: {
         allowedIssuers: ['*'],
         context: