Add default state transition delay

Author: Kolezhniuk

src/iden3comm/constants.ts

@@ -72,3 +72,6 @@ export const SUPPORTED_PUBLIC_KEY_TYPES = {
     'JsonWebKey2020'
   ]
 };
+
+export const DEFAULT_PROOF_VERIFY_OPT = 1 * 60 * 60 * 1000; // 1 hour
+export const DEFAULT_AUTH_VERIFY_OPTS = 5 * 60 * 1000; // 5 minutes

src/iden3comm/handlers/auth.ts

@@ -3,6 +3,7 @@ import { IProofService } from '../../proof/proof-service';
 import { PROTOCOL_MESSAGE_TYPE } from '../constants';
 
 import {
+  StateVerificationOpts,
   AuthorizationRequestMessage,
   AuthorizationResponseMessage,
   BasicMessage,
@@ -64,19 +65,17 @@ export function createAuthorizationRequestWithMessage(
   };
   return request;
 }
+
 /**
  *
  * Options to pass to auth response handler
  *
  * @public
- * @interface AuthResponseHandlerOptions
  */
-export interface AuthResponseHandlerOptions {
-  // acceptedStateTransitionDelay is the period of time in milliseconds that a revoked state remains valid.
-  acceptedStateTransitionDelay?: number;
+export type AuthResponseHandlerOptions = StateVerificationOpts & {
   // acceptedProofGenerationDelay is the period of time in milliseconds that a generated proof remains valid.
   acceptedProofGenerationDelay?: number;
-}
+};
 
 /**
  * Interface that allows the processing of the authorization request in the raw format for given identifier

src/iden3comm/packers/zkp.ts

@@ -1,4 +1,5 @@
 import {
+  StateVerificationOpts,
   AuthDataPrepareFunc,
   BasicMessage,
   IPacker,
@@ -21,6 +22,7 @@ import {
 } from '../errors';
 import { MediaType } from '../constants';
 import { byteDecoder, byteEncoder } from '../../utils';
+import { DEFAULT_AUTH_VERIFY_OPTS } from '../constants';
 
 const { getProvingMethod } = proving;
 
@@ -70,8 +72,8 @@ export class VerificationHandlerFunc {
    * @param {Array<string>} pubSignals - signals that must contain user id and state
    * @returns `Promise<boolean>`
    */
-  verify(id: string, pubSignals: Array<string>): Promise<boolean> {
-    return this.stateVerificationFunc(id, pubSignals);
+  verify(id: string, pubSignals: Array<string>, opts?: StateVerificationOpts): Promise<boolean> {
+    return this.stateVerificationFunc(id, pubSignals, opts);
   }
 }
 
@@ -89,8 +91,11 @@ export class ZKPPacker implements IPacker {
    * @param {Map<string, VerificationParams>} verificationParamsMap - string is derived by JSON.parse(ProvingMethodAlg)
    */
   constructor(
-    public provingParamsMap: Map<string, ProvingParams>,
-    public verificationParamsMap: Map<string, VerificationParams>
+    public readonly provingParamsMap: Map<string, ProvingParams>,
+    public readonly verificationParamsMap: Map<string, VerificationParams>,
+    private readonly _opts: StateVerificationOpts = {
+      acceptedStateTransitionDelay: DEFAULT_AUTH_VERIFY_OPTS
+    }
   ) {}
 
   /**
@@ -150,8 +155,10 @@ export class ZKPPacker implements IPacker {
 
     const verificationResult = await verificationParams?.verificationFn?.verify(
       token.circuitId,
-      token.zkProof.pub_signals
+      token.zkProof.pub_signals,
+      this._opts
     );
+
     if (!verificationResult) {
       throw new Error(ErrStateVerificationFailed);
     }

src/iden3comm/types/index.ts

@@ -8,4 +8,5 @@ export * from './protocol/proposal-request';
 export * from './protocol/payment';
 
 export * from './packer';
+export * from './models';
 export * from './packageManager';

src/iden3comm/types/models.ts

@@ -0,0 +1,7 @@
+/**
+ * State verification options
+ */
+export type StateVerificationOpts = {
+  // acceptedStateTransitionDelay is the period of time in milliseconds that a revoked state remains valid.
+  acceptedStateTransitionDelay?: number;
+};

src/iden3comm/types/packer.ts

@@ -4,6 +4,7 @@ import { ProvingMethodAlg } from '@iden3/js-jwz';
 import { CircuitId } from '../../circuits';
 import { MediaType } from '../constants';
 import { DIDDocument, VerificationMethod } from 'did-resolver';
+import { StateVerificationOpts } from './models';
 /**
  *  Protocol message type
  */
@@ -79,7 +80,11 @@ export type AuthDataPrepareFunc = (
 /**
  *  signature of state function verifier
  */
-export type StateVerificationFunc = (id: string, pubSignals: Array<string>) => Promise<boolean>;
+export type StateVerificationFunc = (
+  id: string,
+  pubSignals: Array<string>,
+  opts?: StateVerificationOpts
+) => Promise<boolean>;
 
 /**
  * Defines method that must be implemented by any packer

src/proof/proof-service.ts

@@ -1,6 +1,19 @@
-import { BytesHelper, DID, MerklizedRootPosition } from '@iden3/js-iden3-core';
+import {
+  BytesHelper,
+  DID,
+  MerklizedRootPosition,
+  getDateFromUnixTimestamp
+} from '@iden3/js-iden3-core';
 import { Hash } from '@iden3/js-merkletree';
-import { AuthV2Inputs, CircuitId, Operators, Query, TreeState, ValueProof } from '../circuits';
+import {
+  AuthV2Inputs,
+  AuthV2PubSignals,
+  CircuitId,
+  Operators,
+  Query,
+  TreeState,
+  ValueProof
+} from '../circuits';
 import { ICredentialWallet } from '../credentials';
 import { IIdentityWallet } from '../identity';
 import {
@@ -22,7 +35,13 @@ import { IZKProver, NativeProver } from './provers/prover';
 import { Merklizer, Options, getDocumentLoader } from '@iden3/js-jsonld-merklization';
 import { ZKProof } from '@iden3/js-jwz';
 import { Signer } from 'ethers';
-import { JSONObject, ZeroKnowledgeProofRequest, ZeroKnowledgeProofResponse } from '../iden3comm';
+import {
+  StateVerificationOpts,
+  JSONObject,
+  ZeroKnowledgeProofRequest,
+  ZeroKnowledgeProofResponse,
+  PROTOCOL_CONSTANTS
+} from '../iden3comm';
 import { cacheLoader } from '../schema-processor';
 import { ICircuitStorage, IStateStorage } from '../storage';
 import { byteDecoder, byteEncoder } from '../utils/encoding';
@@ -469,12 +488,22 @@ export class ProofService implements IProofService {
     return authInputs.inputsMarshal();
   }
 
-  async verifyState(circuitId: string, pubSignals: string[]): Promise<boolean> {
+  async verifyState(
+    circuitId: string,
+    pubSignals: string[],
+    opts: StateVerificationOpts = {
+      acceptedStateTransitionDelay: PROTOCOL_CONSTANTS.DEFAULT_AUTH_VERIFY_OPTS
+    }
+  ): Promise<boolean> {
     if (circuitId !== CircuitId.AuthV2) {
       throw new Error(`CircuitId is not supported ${circuitId}`);
     }
-    const gistRoot = Hash.fromString(pubSignals[2]).bigInt();
-    const userId = BigInt(pubSignals[0]);
+
+    const authV2PubSignals = new AuthV2PubSignals().pubSignalsUnmarshal(
+      byteEncoder.encode(JSON.stringify(pubSignals))
+    );
+    const gistRoot = authV2PubSignals.GISTRoot.bigInt();
+    const userId = authV2PubSignals.userID.bigInt();
     const globalStateInfo = await this._stateStorage.getGISTRootInfo(gistRoot, userId);
 
     if (globalStateInfo.createdAtTimestamp === 0n) {
@@ -489,7 +518,16 @@ export class ProofService implements IProofService {
       if (globalStateInfo.replacedAtTimestamp === 0n) {
         throw new Error(`state was replaced, but replaced time unknown`);
       }
-      return false;
+
+      const timeDiff =
+        Date.now() -
+        getDateFromUnixTimestamp(Number(globalStateInfo.replacedAtTimestamp)).getTime();
+
+      if (timeDiff > (opts?.acceptedStateTransitionDelay ?? 300_000)) {
+        throw new Error('global state is outdated');
+      }
+
+      return true;
     }
 
     return true;

src/proof/verifiers/pub-signals-verifier.ts

@@ -1,7 +1,6 @@
 import { DID, getDateFromUnixTimestamp, Id } from '@iden3/js-iden3-core';
 import { DocumentLoader, getDocumentLoader, Path } from '@iden3/js-jsonld-merklization';
 import { Hash } from '@iden3/js-merkletree';
-import { JSONObject } from '../../iden3comm';
 import { IStateStorage, RootInfo, StateInfo } from '../../storage';
 import { byteEncoder, isGenesisState } from '../../utils';
 import { calculateCoreSchemaHash, ProofQuery, ProofType } from '../../verifiable';
@@ -33,6 +32,7 @@ import { parseQueriesMetadata, QueryMetadata } from '../common';
 import { Operators } from '../../circuits';
 import { calculateQueryHashV3 } from './query-hash';
 import { JsonLd } from 'jsonld/jsonld-spec';
+import { PROTOCOL_CONSTANTS, JSONObject } from '../../iden3comm';
 
 /**
  *  Verify Context - params for pub signal verification
@@ -50,8 +50,6 @@ export type VerifyContext = {
 
 export const userStateError = new Error(`user state is not valid`);
 const zeroInt = 0n;
-const defaultProofVerifyOpts = 1 * 60 * 60 * 1000; // 1 hour
-const defaultAuthVerifyOpts = 5 * 60 * 1000; // 5 minutes
 
 /**
  * PubSignalsVerifier provides verify method
@@ -395,7 +393,7 @@ export class PubSignalsVerifier {
     // verify state
     const gist = await this.checkGlobalState(authV2PubSignals.GISTRoot, this.userId);
 
-    let acceptedStateTransitionDelay = defaultAuthVerifyOpts;
+    let acceptedStateTransitionDelay = PROTOCOL_CONSTANTS.DEFAULT_AUTH_VERIFY_OPTS;
     if (opts?.acceptedStateTransitionDelay) {
       acceptedStateTransitionDelay = opts.acceptedStateTransitionDelay;
     }
@@ -714,7 +712,7 @@ export class PubSignalsVerifier {
     );
 
     const acceptedStateTransitionDelay =
-      opts?.acceptedStateTransitionDelay ?? defaultProofVerifyOpts;
+      opts?.acceptedStateTransitionDelay ?? PROTOCOL_CONSTANTS.DEFAULT_PROOF_VERIFY_OPT;
 
     if (!issuerNonRevStateResolved.latest) {
       const timeDiff =