Fix fulfillPollEvent request validation. Change http method for fulfi…

…llPollEvent to POST. Add challenged event id validation

internal/config/poll_verifier.go

@@ -21,8 +21,9 @@ import (
 const pollVerificationKey = "./proof_keys/poll.json"
 
 var (
-	ErrInvalidProposalEventID = errors.New("proposal event id mismatching")
-	ErrInvalidRoot            = errors.New("invalid root")
+	ErrInvalidProposalEventID   = errors.New("invalid proposal event id")
+	ErrInvalidRoot              = errors.New("invalid root")
+	ErrInvalidChallengedEventID = errors.New("invalid challenged event id")
 )
 
 const (
@@ -112,6 +113,10 @@ func (v *PollVerifier) VerifyProof(proof zkptypes.ZKProof, proposalID, proposalE
 		return ErrInvalidRoot
 	}
 
+	if proof.PubSignals[PollChallengedEventID] != proofEventIDValue {
+		return ErrInvalidChallengedEventID
+	}
+
 	if err = zkpverifier.VerifyGroth16(proof, v.verificationKey); err != nil {
 		return fmt.Errorf("failed to verify proof: %w", err)
 	}

internal/service/handlers/fulfill_poll_event.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"math/big"
 	"net/http"
+	"strings"
 
 	validation "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/rarimo/geo-auth-svc/pkg/auth"
@@ -26,9 +27,13 @@ func FulfillPollEvent(w http.ResponseWriter, r *http.Request) {
 	}
 
 	proof := req.Data.Attributes.Proof
-	nullifier := proof.PubSignals[config.PollChallengedNullifier]
+
+	nullifierDec, _ := new(big.Int).SetString(proof.PubSignals[config.PollChallengedNullifier], 10)
+	nullifier := "0x" + strings.ToLower(nullifierDec.Text(16))
+
 	proposalID, _ := new(big.Int).SetString(req.Data.Attributes.ProposalId, 10)
 	proposalEventID, _ := new(big.Int).SetString(proof.PubSignals[config.PollParticipationEventID], 10)
+
 	if !auth.Authenticates(UserClaims(r), auth.UserGrant(nullifier)) {
 		ape.RenderErr(w, problems.Unauthorized())
 		return
@@ -96,7 +101,9 @@ func FulfillPollEvent(w http.ResponseWriter, r *http.Request) {
 	err = PollVerifier(r).VerifyProof(proof, proposalID, proposalEventID)
 	if err != nil {
 		log.WithError(err).Debug("Failed to verify passport")
-		if errors.Is(err, config.ErrInvalidProposalEventID) || errors.Is(err, config.ErrInvalidRoot) {
+		if errors.Is(err, config.ErrInvalidProposalEventID) ||
+			errors.Is(err, config.ErrInvalidRoot) ||
+			errors.Is(err, config.ErrInvalidChallengedEventID) {
 			ape.RenderErr(w, problems.BadRequest(validation.Errors{
 				"proof": err,
 			})...)

internal/service/requests/fulfill_poll_event.go

@@ -7,7 +7,6 @@ import (
 	val "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/go-ozzo/ozzo-validation/v4/is"
 	"github.com/rarimo/geo-points-svc/resources"
-	zk "github.com/rarimo/zkverifier-kit"
 )
 
 func NewFulfillPollEvent(r *http.Request) (req resources.FulfillPollEventRequest, err error) {
@@ -18,13 +17,12 @@ func NewFulfillPollEvent(r *http.Request) (req resources.FulfillPollEventRequest
 
 	var (
 		proof = req.Data.Attributes.Proof
-		count = zk.PubSignalsCount(zk.PollParticipation)
 	)
 
 	return req, val.Errors{
 		"data/type":                         val.Validate(req.Data.Type, val.Required, val.In(resources.FULFILL_POLL_EVENT)),
 		"data/attributes/proof/proof":       val.Validate(proof.Proof, val.Required),
-		"data/attributes/proof/pub_signals": val.Validate(proof.PubSignals, val.Required, val.Length(count, count)),
+		"data/attributes/proof/pub_signals": val.Validate(proof.PubSignals, val.Required, val.Length(4, 4)),
 		"data/attributes/proposal_id":       val.Validate(req.Data.Attributes.ProposalId, val.Required, is.Digit),
 	}.Filter()
 }

internal/service/router.go

@@ -48,7 +48,7 @@ func Run(ctx context.Context, cfg config.Config) {
 			r.Route("/events", func(r chi.Router) {
 				r.Use(authMW)
 				r.Get("/", handlers.ListEvents)
-				r.Patch("/poll", handlers.FulfillPollEvent)
+				r.Post("/poll", handlers.FulfillPollEvent)
 				r.Route("/{id}", func(r chi.Router) {
 					r.Get("/", handlers.GetEvent)
 					r.Patch("/", handlers.ClaimEvent)