From 8594e4ffde7fa43948ac6c8639bb3a656490fcaa Mon Sep 17 00:00:00 2001
From: Zaptoss <zaptosgg@gmail.com>
Date: Fri, 2 Aug 2024 10:53:05 +0300
Subject: [PATCH] Fix fulfillPollEvent request validation. Change http method
 for fulfillPollEvent to POST. Add challenged event id validation

---
 internal/config/poll_verifier.go                |  9 +++++++--
 internal/service/handlers/fulfill_poll_event.go | 11 +++++++++--
 internal/service/requests/fulfill_poll_event.go |  4 +---
 internal/service/router.go                      |  2 +-
 4 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/internal/config/poll_verifier.go b/internal/config/poll_verifier.go
index 1f5d579..990cc11 100644
--- a/internal/config/poll_verifier.go
+++ b/internal/config/poll_verifier.go
@@ -21,8 +21,9 @@ import (
 const pollVerificationKey = "./proof_keys/poll.json"
 
 var (
-	ErrInvalidProposalEventID = errors.New("proposal event id mismatching")
-	ErrInvalidRoot            = errors.New("invalid root")
+	ErrInvalidProposalEventID   = errors.New("invalid proposal event id")
+	ErrInvalidRoot              = errors.New("invalid root")
+	ErrInvalidChallengedEventID = errors.New("invalid challenged event id")
 )
 
 const (
@@ -112,6 +113,10 @@ func (v *PollVerifier) VerifyProof(proof zkptypes.ZKProof, proposalID, proposalE
 		return ErrInvalidRoot
 	}
 
+	if proof.PubSignals[PollChallengedEventID] != proofEventIDValue {
+		return ErrInvalidChallengedEventID
+	}
+
 	if err = zkpverifier.VerifyGroth16(proof, v.verificationKey); err != nil {
 		return fmt.Errorf("failed to verify proof: %w", err)
 	}
diff --git a/internal/service/handlers/fulfill_poll_event.go b/internal/service/handlers/fulfill_poll_event.go
index 8f673b5..12d049e 100644
--- a/internal/service/handlers/fulfill_poll_event.go
+++ b/internal/service/handlers/fulfill_poll_event.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"math/big"
 	"net/http"
+	"strings"
 
 	validation "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/rarimo/geo-auth-svc/pkg/auth"
@@ -26,9 +27,13 @@ func FulfillPollEvent(w http.ResponseWriter, r *http.Request) {
 	}
 
 	proof := req.Data.Attributes.Proof
-	nullifier := proof.PubSignals[config.PollChallengedNullifier]
+
+	nullifierDec, _ := new(big.Int).SetString(proof.PubSignals[config.PollChallengedNullifier], 10)
+	nullifier := "0x" + strings.ToLower(nullifierDec.Text(16))
+
 	proposalID, _ := new(big.Int).SetString(req.Data.Attributes.ProposalId, 10)
 	proposalEventID, _ := new(big.Int).SetString(proof.PubSignals[config.PollParticipationEventID], 10)
+
 	if !auth.Authenticates(UserClaims(r), auth.UserGrant(nullifier)) {
 		ape.RenderErr(w, problems.Unauthorized())
 		return
@@ -96,7 +101,9 @@ func FulfillPollEvent(w http.ResponseWriter, r *http.Request) {
 	err = PollVerifier(r).VerifyProof(proof, proposalID, proposalEventID)
 	if err != nil {
 		log.WithError(err).Debug("Failed to verify passport")
-		if errors.Is(err, config.ErrInvalidProposalEventID) || errors.Is(err, config.ErrInvalidRoot) {
+		if errors.Is(err, config.ErrInvalidProposalEventID) ||
+			errors.Is(err, config.ErrInvalidRoot) ||
+			errors.Is(err, config.ErrInvalidChallengedEventID) {
 			ape.RenderErr(w, problems.BadRequest(validation.Errors{
 				"proof": err,
 			})...)
diff --git a/internal/service/requests/fulfill_poll_event.go b/internal/service/requests/fulfill_poll_event.go
index 5f9aa1e..f592ebe 100644
--- a/internal/service/requests/fulfill_poll_event.go
+++ b/internal/service/requests/fulfill_poll_event.go
@@ -7,7 +7,6 @@ import (
 	val "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/go-ozzo/ozzo-validation/v4/is"
 	"github.com/rarimo/geo-points-svc/resources"
-	zk "github.com/rarimo/zkverifier-kit"
 )
 
 func NewFulfillPollEvent(r *http.Request) (req resources.FulfillPollEventRequest, err error) {
@@ -18,13 +17,12 @@ func NewFulfillPollEvent(r *http.Request) (req resources.FulfillPollEventRequest
 
 	var (
 		proof = req.Data.Attributes.Proof
-		count = zk.PubSignalsCount(zk.PollParticipation)
 	)
 
 	return req, val.Errors{
 		"data/type":                         val.Validate(req.Data.Type, val.Required, val.In(resources.FULFILL_POLL_EVENT)),
 		"data/attributes/proof/proof":       val.Validate(proof.Proof, val.Required),
-		"data/attributes/proof/pub_signals": val.Validate(proof.PubSignals, val.Required, val.Length(count, count)),
+		"data/attributes/proof/pub_signals": val.Validate(proof.PubSignals, val.Required, val.Length(4, 4)),
 		"data/attributes/proposal_id":       val.Validate(req.Data.Attributes.ProposalId, val.Required, is.Digit),
 	}.Filter()
 }
diff --git a/internal/service/router.go b/internal/service/router.go
index e08ba1d..077fd95 100644
--- a/internal/service/router.go
+++ b/internal/service/router.go
@@ -48,7 +48,7 @@ func Run(ctx context.Context, cfg config.Config) {
 			r.Route("/events", func(r chi.Router) {
 				r.Use(authMW)
 				r.Get("/", handlers.ListEvents)
-				r.Patch("/poll", handlers.FulfillPollEvent)
+				r.Post("/poll", handlers.FulfillPollEvent)
 				r.Route("/{id}", func(r chi.Router) {
 					r.Get("/", handlers.GetEvent)
 					r.Patch("/", handlers.ClaimEvent)