change flow for light verification: verify signature -> verify pub-si…

…gnals (#13)

* change flow for light verification: verify signature -> verify pub-signals

* one by one verification of pub-signals

* add more informative logs in light-verification

docs/spec/components/responses/Unauthorized.yaml

@@ -0,0 +1,5 @@
+description: You must provide a valid signature.
+content:
+  application/vnd.api+json:
+    schema:
+      $ref: '#/components/schemas/Errors'

docs/spec/paths/integrations@verificator-svc@light@public@callback-sign@{user_id_hash}.yaml

@@ -32,6 +32,8 @@ post:
                 $ref: '#/components/schemas/Status'
     400:
       $ref: '#/components/responses/invalidParameter'
+    401:
+      $ref: '#/components/responses/Unauthorized'
     404:
       $ref: '#/components/responses/notFound'
     500:

go.sum

@@ -1903,10 +1903,6 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1 h1:YZcsG11NqnK4czYLrWd9mpEuAJIHVQLwdrleYfszMAA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/rarimo/zkverifier-kit v1.2.1 h1:sO6qgm6OBm+sBD53g3/xxo9WSvQoz1RiXsH+/jRw/X8=
-github.com/rarimo/zkverifier-kit v1.2.1/go.mod h1:3YDg5dTkDRr4IdfaDHGYetopd6gS/2SuwSeseYTWwNw=
-github.com/rarimo/zkverifier-kit v1.2.3 h1:4UQWGSWA4klDoS5MNYA6R4PNC4QRak6kauH/cDncZwc=
-github.com/rarimo/zkverifier-kit v1.2.3/go.mod h1:3YDg5dTkDRr4IdfaDHGYetopd6gS/2SuwSeseYTWwNw=
 github.com/rarimo/zkverifier-kit v1.2.4 h1:AJ5ZAyOYOGR2QiDlOA2ul/QMZnjBZ/VzPqLjSIUbZgw=
 github.com/rarimo/zkverifier-kit v1.2.4/go.mod h1:3YDg5dTkDRr4IdfaDHGYetopd6gS/2SuwSeseYTWwNw=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=

internal/service/handlers/verification_callback_light.go

@@ -47,6 +47,13 @@ func VerificationSignatureCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	validSignature := secp256k1.VerifySignature(pubKey, pubSignalsHash, signature[:64])
+	if !validSignature {
+		Log(r).Error("provided signature not valid")
+		ape.RenderErr(w, problems.Unauthorized())
+		return
+	}
+
 	verifiedUser, err := VerifyUsersQ(r).WhereHashID(userIDHash).Get()
 	if err != nil {
 		Log(r).WithError(err).Errorf("failed to get user with userHashID [%s]", userIDHash)
@@ -89,26 +96,17 @@ func VerificationSignatureCallback(w http.ResponseWriter, r *http.Request) {
 		verifiedUser.Sex = sex
 	}
 
+	verifiedUser.Status = "verified"
 	if eventData != userIDHash {
-		Log(r).Error("failed to verify eventData")
-		ape.RenderErr(w, problems.BadRequest(err)...)
-		return
+		Log(r).WithError(err).Errorf("failed to verify user: EventData from pub-signals [%s] != userIdHash from db [%s]", eventData, userIDHash)
+		verifiedUser.Status = "failed_verification"
 	}
 	if verifiedUser.Nationality != nationality {
-		Log(r).Error("failed to verify citizenship")
-		ape.RenderErr(w, problems.BadRequest(err)...)
-		return
+		Log(r).WithError(err).Errorf("failed to verify user with UserIdHash[%s]: Citizenship from pub-signals [%s] != User.Citizenship from db [%s]", userIDHash, nationality, verifiedUser.Nationality)
+		verifiedUser.Status = "failed_verification"
 	}
 	if verifiedUser.Sex != sex {
-		Log(r).Error("failed to verify sex")
-		ape.RenderErr(w, problems.BadRequest(err)...)
-		return
-	}
-
-	verificationStatus := secp256k1.VerifySignature(pubKey, pubSignalsHash, signature[:64])
-	if verificationStatus {
-		verifiedUser.Status = "verified"
-	} else {
+		Log(r).WithError(err).Errorf("failed to verify user with UserIdHash[%s]: Sex from pub-signals [%s] != User.Sex from db [%s]", userIDHash, sex, verifiedUser.Sex)
 		verifiedUser.Status = "failed_verification"
 	}