verify expires_time (#100)

* verify expires_time

* update js-sdk

* update node-version in ci

* supports accept profile

.github/workflows/ci.yaml

@@ -2,20 +2,20 @@ name: RUN ES LINT ANS TESTS
 on: push
 jobs:
   build:
-    strategy:
-      matrix:
-        version: [18.14.0]
     timeout-minutes: 7
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.version }}
+          node-version: 'lts/*'
 
       - name: Cache node modules
         id: cache-npm
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         env:
           cache-name: cache-node-modules
         with:

package.json

@@ -32,7 +32,7 @@
     "url": "https://github.com/iden3/js-iden3-auth"
   },
   "dependencies": {
-    "@0xpolygonid/js-sdk": "1.20.0",
+    "@0xpolygonid/js-sdk": "1.23.0",
     "@iden3/js-crypto": "1.1.0",
     "@iden3/js-iden3-core": "1.4.1",
     "@iden3/js-jsonld-merklization": "1.4.1",

src/auth/auth.ts

@@ -24,14 +24,26 @@ import {
   ICircuitStorage,
   cacheLoader,
   byteEncoder,
-  JSONObject
+  JSONObject,
+  verifyExpiresTime,
+  parseAcceptProfile
 } from '@0xpolygonid/js-sdk';
 import { Resolvable } from 'did-resolver';
 import { Options, DocumentLoader } from '@iden3/js-jsonld-merklization';
 import path from 'path';
-import { DID } from '@iden3/js-iden3-core';
+import { DID, getUnixTimestamp } from '@iden3/js-iden3-core';
 import { ZeroKnowledgeProofRequest } from '@0xpolygonid/js-sdk';
 
+/**
+ * Options to pass to createAuthorizationRequest function
+ * @public
+ */
+export type AuthorizationRequestCreateOptions = {
+  accept?: string[];
+  scope?: ZeroKnowledgeProofRequest[];
+  expires_time?: Date;
+};
+
 /**
  *  createAuthorizationRequest is a function to create protocol authorization request
  * @param {string} reason - reason to request proof
@@ -42,9 +54,10 @@ import { ZeroKnowledgeProofRequest } from '@0xpolygonid/js-sdk';
 export function createAuthorizationRequest(
   reason: string,
   sender: string,
-  callbackUrl: string
+  callbackUrl: string,
+  opts?: AuthorizationRequestCreateOptions
 ): AuthorizationRequestMessage {
-  return createAuthorizationRequestWithMessage(reason, '', sender, callbackUrl);
+  return createAuthorizationRequestWithMessage(reason, '', sender, callbackUrl, opts);
 }
 /**
  *  createAuthorizationRequestWithMessage is a function to create protocol authorization request with explicit message to sign
@@ -58,7 +71,8 @@ export function createAuthorizationRequestWithMessage(
   reason: string,
   message: string,
   sender: string,
-  callbackUrl: string
+  callbackUrl: string,
+  opts?: AuthorizationRequestCreateOptions
 ): AuthorizationRequestMessage {
   const uuid = uuidv4();
   const request: AuthorizationRequestMessage = {
@@ -71,8 +85,10 @@ export function createAuthorizationRequestWithMessage(
       reason: reason,
       message: message,
       callbackUrl: callbackUrl,
-      scope: []
-    }
+      scope: opts?.scope || []
+    },
+    created_time: getUnixTimestamp(new Date()),
+    expires_time: opts?.expires_time ? getUnixTimestamp(opts.expires_time) : undefined
   };
   return request;
 }
@@ -207,7 +223,11 @@ export class Verifier {
     return this.setPacker(jwsPacker);
   }
 
-  public verifyAuthRequest(request: AuthorizationRequestMessage) {
+  public verifyAuthRequest(request: AuthorizationRequestMessage, opts?: VerifyOpts) {
+    if (!opts?.allowExpiredMessages) {
+      verifyExpiresTime(request);
+    }
+    this.verifyProfile(request.type, request.body.accept);
     const groupIdValidationMap: { [k: string]: ZeroKnowledgeProofRequest[] } = {};
     const requestScope = request.body.scope;
     for (const proofRequest of requestScope) {
@@ -255,6 +275,9 @@ export class Verifier {
     request: AuthorizationRequestMessage,
     opts?: VerifyOpts
   ) {
+    if (!opts?.allowExpiredMessages) {
+      verifyExpiresTime(request);
+    }
     if ((request.body.message ?? '') !== (response.body.message ?? '')) {
       throw new Error('message for signing from request is not presented in response');
     }
@@ -408,4 +431,31 @@ export class Verifier {
       this.setupJWSPacker(new KMS(), didResolver);
     }
   }
+
+  private verifyProfile(messageType: string, profile?: string[] | undefined) {
+    if (!profile?.length) {
+      return;
+    }
+    const supportedMediaTypes: PROTOCOL_CONSTANTS.MediaType[] = [];
+    for (const acceptProfile of profile) {
+      // 1. check protocol version
+      const { protocolVersion, env } = parseAcceptProfile(acceptProfile);
+      const messageTypeVersion = Number(messageType.split('/').at(-2));
+      if (
+        protocolVersion !== PROTOCOL_CONSTANTS.ProtocolVersion.V1 ||
+        (protocolVersion === PROTOCOL_CONSTANTS.ProtocolVersion.V1 &&
+          (messageTypeVersion < 1 || messageTypeVersion >= 2))
+      ) {
+        continue;
+      }
+      // 2. check packer support
+      if (this.packageManager.isProfileSupported(env, acceptProfile)) {
+        supportedMediaTypes.push(env);
+      }
+    }
+
+    if (!supportedMediaTypes.length) {
+      throw new Error('no packer with profile which meets `accept` header requirements');
+    }
+  }
 }

src/circuits/atomicV3.ts

@@ -31,7 +31,10 @@ const defaultProofVerifyOpts = 1 * 60 * 60 * 1000; // 1 hour
  * Verifies the public signals for the AtomicQueryV3 circuit.
  * @beta
  */
-export class AtomicQueryV3PubSignalsVerifier extends IDOwnershipPubSignals implements PubSignalsVerifier {
+export class AtomicQueryV3PubSignalsVerifier
+  extends IDOwnershipPubSignals
+  implements PubSignalsVerifier
+{
   pubSignals = new AtomicQueryV3PubSignals();
 
   constructor(pubSignals: string[]) {

src/circuits/registry.ts

@@ -13,6 +13,8 @@ export type VerifyOpts = {
   acceptedStateTransitionDelay?: number;
   // acceptedProofGenerationDelay is the period of time in milliseconds that a generated proof remains valid.
   acceptedProofGenerationDelay?: number;
+  // allowExpiredMessages is a flag that allows the verification of expired messages.
+  allowExpiredMessages?: boolean;
 };
 
 export interface PubSignalsVerifier {

test/atomicV3.test.ts

@@ -358,7 +358,6 @@ describe('atomicV3', () => {
         callbackUrl: 'http://localhost:8080/callback?id=1234442-123123-123123',
         reason: 'reason',
         message: 'message',
-        did_doc: {},
         scope: [
           {
             id: 1,
@@ -417,7 +416,7 @@ describe('atomicV3', () => {
   });
 
   it('TestVerifyV3MessageWithMtpProof_Merklized_exists', async () => {
-    const request = {
+    const request: AuthorizationRequestMessage = {
       id: '7e5b5847-b479-4499-90ee-5fe4826a5bdd',
       typ: PROTOCOL_CONSTANTS.MediaType.PlainMessage,
       type: PROTOCOL_CONSTANTS.PROTOCOL_MESSAGE_TYPE.AUTHORIZATION_REQUEST_MESSAGE_TYPE,
@@ -431,11 +430,12 @@ describe('atomicV3', () => {
             circuitId: CircuitId.AtomicQueryV3,
 
             query: {
+              allowedIssuers: ['*'],
               context:
                 'https://raw.githubusercontent.com/iden3/claim-schema-vocab/main/schemas/json-ld/kyc-v4.jsonld',
               credentialSubject: { birthday: { $exists: true } },
               proofType: ProofType.BJJSignature,
-              type: 'KYCAgeCredential'
+              type: 'KYCAgeCredential',
             }
           }
         ]
@@ -578,7 +578,7 @@ describe('atomicV3', () => {
   });
 
   it('TestVerifyV3MessageWithMtpProof_Merklized_noop', async () => {
-    const request = {
+    const request: AuthorizationRequestMessage = {
       id: '7e5b5847-b479-4499-90ee-5fe4826a5bdd',
       typ: PROTOCOL_CONSTANTS.MediaType.PlainMessage,
       type: PROTOCOL_CONSTANTS.PROTOCOL_MESSAGE_TYPE.AUTHORIZATION_REQUEST_MESSAGE_TYPE,
@@ -592,6 +592,7 @@ describe('atomicV3', () => {
             circuitId: CircuitId.AtomicQueryV3,
 
             query: {
+              allowedIssuers: ['*'],
               context:
                 'https://raw.githubusercontent.com/iden3/claim-schema-vocab/main/schemas/json-ld/kyc-v4.jsonld',
               proofType: ProofType.BJJSignature,