It might be dangerous to throw an error here, we might still want to keep the proofs, even if the verification failed. I have no good solution for this case though.

It might be dangerous to throw an error here

Agreed.

What if cashu-ts just constructs the dleq, then its up to the implementer to verify and handle failures?

The other idea I had was have some sort of flag either on the Proof or in the return value of constructProofs that indicates the verification failed, but that gets gross:

/**
 * represents a single Cashu proof.
 */
export type Proof = {
	...

         /**
	 * DLEQ proof
	 */
	dleq?: SerializedDLEQ;
        /**
        * Is the DLEQ proof valid
        */
         dleqValid?: boolan;
};

I really like @gudnuf 's idea

What do you think @callebtc

nostr-tools uses a Symbol to signal verified events: https://github.com/nbd-wtf/nostr-tools/blob/master/core.ts

@Egge21M What changes from a normal boolean flag?

Symbols are a bit "safer" than regular properties. The are not enumerable and have to be accessed very purposefully. Also, because they are not enumerable they will be excluded by default by methods like JSON.stringify

Why use nullish coalescing here?

does !options?.includeDleq have two meanings in this case? Ignoring proofs without dleqs when true and stripping dleqs when false ? Maybe we should not overload this option to be more clear.

Yea that's what I intended and what made most sense to me.

Okay I see. I think most people will assume that not-passing an optional flag is equal to setting the boolean to false. Diverging from that needs to be documented very clearly I believe. However I would love to get some implementers thoughts on this. @callebtc @gudnuf could you leave your 2 sats on this?

Could you maybe explain the usecase to me? WWhy would someone decide to strip DLEQs when sending to another wallet?

I think it just clicked for me... sorry for all the confusion. includeDleq signals wether or not a token sent should include DLEQs for all included proofs, THEREFORE:

if (options?.includeDleq) -> Filter proofs for proofs with DLEQ, do not strip them
if (!options?.includeDleq) This is not an explicit false, simply NOT an explicit true -> Include all proofs, strip all DLEQs

We can avoid dleq:undefined being present on every token without dleqs by doing something like

proofs.push({
    secret: p.s,
    C: bytesToHex(p.c),
    amount: p.a,
    id: bytesToHex(t.i),
    ...(p.d && {
        dleq: {
	    e: bytesToHex(p.d.e),
	    s: bytesToHex(p.d.s),
	    r: bytesToHex(p.d.r)
	} as SerializedDLEQ
    })
});

What do you think?

We could also use an if-statement, as it might be more readable

I tried using this elegant solution in the place of almost all other ugly dleq == undefined ? undefined : ... check it out.

I might be missing something here, but it seems like this function does not rely on any of the instance state. Therefore I would like to move it to utils.ts and export it to the public API.

Functions that do not return anything, but instead throw are hard to work with IMHO. Would you not agree that it would be clearer to rename this to hasValidDleq, make it take a SINGLE proof, and make it return true is all pass and false if dleq are either missing or invalid?

We could then use this util to build filters like proofs.filter(p => hasValidDleq(p, keys) or a util to replace requireDleq with a better best-case running time like

if (proofs.some(p => !hasValidDelq(p, keys))) {
    throw new Error("Proofs contain invalid DLEQ")
}

You are right.

Doing this right now. Should I let hasValidDleq throw in case there is no matching key from the keyset proof.id for a particular proof amount? Or should I just return false.

I think it makes sense to throw in this case. false would indicate an invalid DLEQ, while in this case it's more than just that.

added a test for hasValidDleq as well.

Could you maybe explain the usecase to me? WWhy would someone decide to strip DLEQs when sending to another wallet?

Can we use the spread syntax here too?

Yes. Also I am responding here to your other comment about "why would someone strip the DLEQs when sending to Carol". One might try to get a smaller size cashuB token for example. In general if it's not required by Carol why include it?