From fcd753f1b05f493c5a1046858d6d5da258776688 Mon Sep 17 00:00:00 2001 From: chabanyknikita <92546152+chabanyknikita@users.noreply.github.com> Date: Tue, 1 Oct 2024 16:42:07 +0300 Subject: [PATCH] change flow for light verification: verify signature -> verify pub-signals (#13) * change flow for light verification: verify signature -> verify pub-signals * one by one verification of pub-signals * add more informative logs in light-verification --- .../components/responses/Unauthorized.yaml | 5 ++++ ...t@public@callback-sign@{user_id_hash}.yaml | 2 ++ go.sum | 4 --- .../handlers/verification_callback_light.go | 28 +++++++++---------- 4 files changed, 20 insertions(+), 19 deletions(-) create mode 100644 docs/spec/components/responses/Unauthorized.yaml diff --git a/docs/spec/components/responses/Unauthorized.yaml b/docs/spec/components/responses/Unauthorized.yaml new file mode 100644 index 0000000..9dfbac9 --- /dev/null +++ b/docs/spec/components/responses/Unauthorized.yaml @@ -0,0 +1,5 @@ +description: You must provide a valid signature. +content: + application/vnd.api+json: + schema: + $ref: '#/components/schemas/Errors' \ No newline at end of file diff --git a/docs/spec/paths/integrations@verificator-svc@light@public@callback-sign@{user_id_hash}.yaml b/docs/spec/paths/integrations@verificator-svc@light@public@callback-sign@{user_id_hash}.yaml index abc81ca..5b5c6f1 100644 --- a/docs/spec/paths/integrations@verificator-svc@light@public@callback-sign@{user_id_hash}.yaml +++ b/docs/spec/paths/integrations@verificator-svc@light@public@callback-sign@{user_id_hash}.yaml @@ -32,6 +32,8 @@ post: $ref: '#/components/schemas/Status' 400: $ref: '#/components/responses/invalidParameter' + 401: + $ref: '#/components/responses/Unauthorized' 404: $ref: '#/components/responses/notFound' 500: diff --git a/go.sum b/go.sum index 48809c7..6e5d6fe 100644 --- a/go.sum +++ b/go.sum @@ -1903,10 +1903,6 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/tsdb v0.7.1 h1:YZcsG11NqnK4czYLrWd9mpEuAJIHVQLwdrleYfszMAA= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/rarimo/zkverifier-kit v1.2.1 h1:sO6qgm6OBm+sBD53g3/xxo9WSvQoz1RiXsH+/jRw/X8= -github.com/rarimo/zkverifier-kit v1.2.1/go.mod h1:3YDg5dTkDRr4IdfaDHGYetopd6gS/2SuwSeseYTWwNw= -github.com/rarimo/zkverifier-kit v1.2.3 h1:4UQWGSWA4klDoS5MNYA6R4PNC4QRak6kauH/cDncZwc= -github.com/rarimo/zkverifier-kit v1.2.3/go.mod h1:3YDg5dTkDRr4IdfaDHGYetopd6gS/2SuwSeseYTWwNw= github.com/rarimo/zkverifier-kit v1.2.4 h1:AJ5ZAyOYOGR2QiDlOA2ul/QMZnjBZ/VzPqLjSIUbZgw= github.com/rarimo/zkverifier-kit v1.2.4/go.mod h1:3YDg5dTkDRr4IdfaDHGYetopd6gS/2SuwSeseYTWwNw= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= diff --git a/internal/service/handlers/verification_callback_light.go b/internal/service/handlers/verification_callback_light.go index 87cde3b..324880d 100644 --- a/internal/service/handlers/verification_callback_light.go +++ b/internal/service/handlers/verification_callback_light.go @@ -47,6 +47,13 @@ func VerificationSignatureCallback(w http.ResponseWriter, r *http.Request) { return } + validSignature := secp256k1.VerifySignature(pubKey, pubSignalsHash, signature[:64]) + if !validSignature { + Log(r).Error("provided signature not valid") + ape.RenderErr(w, problems.Unauthorized()) + return + } + verifiedUser, err := VerifyUsersQ(r).WhereHashID(userIDHash).Get() if err != nil { Log(r).WithError(err).Errorf("failed to get user with userHashID [%s]", userIDHash) @@ -89,26 +96,17 @@ func VerificationSignatureCallback(w http.ResponseWriter, r *http.Request) { verifiedUser.Sex = sex } + verifiedUser.Status = "verified" if eventData != userIDHash { - Log(r).Error("failed to verify eventData") - ape.RenderErr(w, problems.BadRequest(err)...) - return + Log(r).WithError(err).Errorf("failed to verify user: EventData from pub-signals [%s] != userIdHash from db [%s]", eventData, userIDHash) + verifiedUser.Status = "failed_verification" } if verifiedUser.Nationality != nationality { - Log(r).Error("failed to verify citizenship") - ape.RenderErr(w, problems.BadRequest(err)...) - return + Log(r).WithError(err).Errorf("failed to verify user with UserIdHash[%s]: Citizenship from pub-signals [%s] != User.Citizenship from db [%s]", userIDHash, nationality, verifiedUser.Nationality) + verifiedUser.Status = "failed_verification" } if verifiedUser.Sex != sex { - Log(r).Error("failed to verify sex") - ape.RenderErr(w, problems.BadRequest(err)...) - return - } - - verificationStatus := secp256k1.VerifySignature(pubKey, pubSignalsHash, signature[:64]) - if verificationStatus { - verifiedUser.Status = "verified" - } else { + Log(r).WithError(err).Errorf("failed to verify user with UserIdHash[%s]: Sex from pub-signals [%s] != User.Sex from db [%s]", userIDHash, sex, verifiedUser.Sex) verifiedUser.Status = "failed_verification" }