Move to new auth package with HMAC lib

docs/spec/components/schemas/VerifyPassport.yaml

@@ -8,18 +8,12 @@ allOf:
       attributes:
         required:
           - anonymous_id
-          - country
         type: object
         properties:
           anonymous_id:
             type: string
             description: Unique identifier of the passport.
             example: "2bd3a2532096fee10a45a40e444a11b4d00a707f3459376087747de05996fbf5"
-          country:
-            type: string
-            description: |
-              ISO 3166-1 alpha-3 country code, must match the one provided in `proof`.
-            example: "UKR"
           proof:
             type: object
             format: types.ZKProof

go.mod

@@ -123,6 +123,7 @@ require (
 	github.com/prometheus/common v0.39.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/rarimo/broadcaster-svc v1.0.2 // indirect
+	github.com/rarimo/geo-auth-svc v0.1.1-0.20240705093615-133c4e6dfd40 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect

go.sum

@@ -2116,6 +2116,8 @@ github.com/rarimo/cosmos-sdk v0.46.7 h1:jU2PiWzc+19SF02cXM0O0puKPeH1C6Q6t2lzJ9s1
 github.com/rarimo/cosmos-sdk v0.46.7/go.mod h1:fqKqz39U5IlEFb4nbQ72951myztsDzFKKDtffYJ63nk=
 github.com/rarimo/decentralized-auth-svc v0.0.0-20240522134350-2694eafa9509 h1:U3gu/Z61tVIVEVoWL1YdwiNzkaXlkgd7cSeEslVfsLI=
 github.com/rarimo/decentralized-auth-svc v0.0.0-20240522134350-2694eafa9509/go.mod h1:V9XSqZSBN/YmLdI6PW6GL2xNeJ94IXAnhcuvyQfVBL8=
+github.com/rarimo/geo-auth-svc v0.1.1-0.20240705093615-133c4e6dfd40 h1:1AD0ePxRMxMGwvIrTFYlzYQwpVUkObYNGQIqD11d+oc=
+github.com/rarimo/geo-auth-svc v0.1.1-0.20240705093615-133c4e6dfd40/go.mod h1:SB4bo1xHYDAsBaQGX2+FoEgD3xxqYmcgr4XTTjy4/OM=
 github.com/rarimo/saver-grpc-lib v1.0.0 h1:MGUVjYg7unmodYczVsLqlqZNkT4CIgKqdo6aQtL1qdE=
 github.com/rarimo/saver-grpc-lib v1.0.0/go.mod h1:DpugWK5B7Hi0bdC3MPe/9FD2zCxaRwsyykdwxtF1Zgg=
 github.com/rarimo/zkverifier-kit v1.0.0 h1:zMW85hyDP3Uk6p9Dk9U4TBzOf0Pry+RNlWpli1tUZ1Q=

internal/config/main.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"github.com/rarimo/decentralized-auth-svc/pkg/auth"
+	"github.com/rarimo/geo-auth-svc/pkg/hmacsig"
 	"github.com/rarimo/geo-points-svc/internal/data/evtypes"
 	"github.com/rarimo/saver-grpc-lib/broadcaster"
 	zk "github.com/rarimo/zkverifier-kit"
@@ -18,10 +19,10 @@ type Config interface {
 	auth.Auther //nolint:misspell
 	broadcaster.Broadcasterer
 	evtypes.EventTypeser
+	hmacsig.SigCalculatorProvider
 
 	Levels() Levels
 	Verifier() *zk.Verifier
-	SigVerifier() []byte
 }
 
 type config struct {
@@ -32,22 +33,23 @@ type config struct {
 	broadcaster.Broadcasterer
 	identity.VerifierProvider
 	evtypes.EventTypeser
+	hmacsig.SigCalculatorProvider
 
-	levels      comfig.Once
-	verifier    comfig.Once
-	sigVerifier comfig.Once
-	getter      kv.Getter
+	levels   comfig.Once
+	verifier comfig.Once
+	getter   kv.Getter
 }
 
 func New(getter kv.Getter) Config {
 	return &config{
-		getter:           getter,
-		Databaser:        pgdb.NewDatabaser(getter),
-		Listenerer:       comfig.NewListenerer(getter),
-		Logger:           comfig.NewLogger(getter, comfig.LoggerOpts{}),
-		Auther:           auth.NewAuther(getter), //nolint:misspell
-		Broadcasterer:    broadcaster.New(getter),
-		VerifierProvider: identity.NewVerifierProvider(getter),
-		EventTypeser:     evtypes.NewConfig(getter),
+		getter:                getter,
+		Databaser:             pgdb.NewDatabaser(getter),
+		Listenerer:            comfig.NewListenerer(getter),
+		Logger:                comfig.NewLogger(getter, comfig.LoggerOpts{}),
+		Auther:                auth.NewAuther(getter), //nolint:misspell
+		Broadcasterer:         broadcaster.New(getter),
+		VerifierProvider:      identity.NewVerifierProvider(getter),
+		EventTypeser:          evtypes.NewConfig(getter),
+		SigCalculatorProvider: hmacsig.NewCalculatorProvider(getter),
 	}
 }

internal/service/handlers/ctx.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/rarimo/decentralized-auth-svc/resources"
+	"github.com/rarimo/geo-auth-svc/pkg/hmacsig"
 	"github.com/rarimo/geo-points-svc/internal/config"
 	"github.com/rarimo/geo-points-svc/internal/data"
 	"github.com/rarimo/geo-points-svc/internal/data/evtypes"
@@ -23,7 +24,7 @@ const (
 	userClaimsCtxKey
 	levelsCtxKey
 	verifierCtxKey
-	sigVerifierCtxKey
+	sigCalculatorCtxKey
 )
 
 func CtxLog(entry *logan.Entry) func(context.Context) context.Context {
@@ -106,14 +107,14 @@ func Verifier(r *http.Request) *zk.Verifier {
 	return r.Context().Value(verifierCtxKey).(*zk.Verifier)
 }
 
-func CtxSigVerifier(sigVerifier []byte) func(context.Context) context.Context {
+func CtxSigCalculator(calc hmacsig.Calculator) func(context.Context) context.Context {
 	return func(ctx context.Context) context.Context {
-		return context.WithValue(ctx, sigVerifierCtxKey, sigVerifier)
+		return context.WithValue(ctx, sigCalculatorCtxKey, calc)
 	}
 }
 
-func SigVerifier(r *http.Request) []byte {
-	return r.Context().Value(sigVerifierCtxKey).([]byte)
+func SigCalculator(r *http.Request) hmacsig.Calculator {
+	return r.Context().Value(sigCalculatorCtxKey).(hmacsig.Calculator)
 }
 
 func CtxLevels(levels config.Levels) func(context.Context) context.Context {

internal/service/handlers/fulfill_qr_event.go

@@ -7,7 +7,6 @@ import (
 	"github.com/rarimo/decentralized-auth-svc/pkg/auth"
 	"github.com/rarimo/geo-points-svc/internal/data"
 	"github.com/rarimo/geo-points-svc/internal/data/evtypes"
-	"github.com/rarimo/geo-points-svc/internal/service/hmacsig"
 	"github.com/rarimo/geo-points-svc/internal/service/requests"
 	"gitlab.com/distributed_lab/ape"
 	"gitlab.com/distributed_lab/ape/problems"
@@ -38,7 +37,7 @@ func FulfillQREvent(w http.ResponseWriter, r *http.Request) {
 	}
 
 	gotSig := r.Header.Get("Signature")
-	wantSig, err := hmacsig.CalculateQREventSignature(SigVerifier(r), event.Nullifier, event.ID, req.Data.Attributes.QrCode)
+	wantSig, err := SigCalculator(r).QREventSignature(event.Nullifier, event.ID, req.Data.Attributes.QrCode)
 	if err != nil { // must never happen due to preceding validation
 		Log(r).WithError(err).Error("Failed to calculate HMAC signature")
 		ape.RenderErr(w, problems.InternalError())

internal/service/handlers/verify_passport.go

@@ -15,7 +15,6 @@ import (
 	"github.com/rarimo/geo-points-svc/internal/data"
 	"github.com/rarimo/geo-points-svc/internal/data/evtypes"
 	"github.com/rarimo/geo-points-svc/internal/data/evtypes/models"
-	"github.com/rarimo/geo-points-svc/internal/service/hmacsig"
 	"github.com/rarimo/geo-points-svc/internal/service/requests"
 	"github.com/rarimo/geo-points-svc/resources"
 	zk "github.com/rarimo/zkverifier-kit"
@@ -32,20 +31,18 @@ func VerifyPassport(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	log := Log(r).WithFields(map[string]any{
-		"balance.nullifier":    req.Data.ID,
-		"balance.anonymous_id": req.Data.Attributes.AnonymousId,
-		"country":              req.Data.Attributes.Country,
-	})
-
 	var (
-		country     = req.Data.Attributes.Country
 		anonymousID = req.Data.Attributes.AnonymousId
 		proof       = req.Data.Attributes.Proof
+		log         = Log(r).WithFields(map[string]any{
+			"balance.nullifier":    req.Data.ID,
+			"balance.anonymous_id": anonymousID,
+		})
+
+		gotSig = r.Header.Get("Signature")
 	)
 
-	gotSig := r.Header.Get("Signature")
-	wantSig, err := hmacsig.CalculatePassportVerificationSignature(SigVerifier(r), req.Data.ID, country, anonymousID)
+	wantSig, err := SigCalculator(r).PassportVerificationSignature(req.Data.ID, anonymousID)
 	if err != nil { // must never happen due to preceding validation
 		Log(r).WithError(err).Error("Failed to calculate HMAC signature")
 		ape.RenderErr(w, problems.InternalError())
@@ -97,15 +94,7 @@ func VerifyPassport(w http.ResponseWriter, r *http.Request) {
 			balAID = *balance.AnonymousID
 		}
 
-		proofCountry, err := requests.ExtractCountry(*proof)
-		if err != nil {
-			log.WithError(err).Error("failed to extract country while proof was successfully verified")
-			ape.RenderErr(w, problems.InternalError())
-			return
-		}
-
 		err = validation.Errors{
-			"data/attributes/country":      validation.Validate(country, validation.Required, validation.In(proofCountry)),
 			"data/attributes/anonymous_id": validation.Validate(anonymousID, validation.Required, validation.In(balAID)),
 		}.Filter()
 		if err != nil {
@@ -148,8 +137,8 @@ func VerifyPassport(w http.ResponseWriter, r *http.Request) {
 	ape.Render(w, newEventClaimingStateResponse(req.Data.ID, event != nil))
 }
 
-func newEventClaimingStateResponse(id string, isClaimed bool) resources.PassportEventStateResponse {
-	var res resources.PassportEventStateResponse
+func newEventClaimingStateResponse(id string, isClaimed bool) resources.EventClaimingStateResponse {
+	var res resources.EventClaimingStateResponse
 	res.Data.ID = id
 	res.Data.Type = resources.EVENT_CLAIMING_STATE
 	res.Data.Attributes.Claimed = isClaimed