Merge pull request #37 from rarimo/feature/join-program-protection

Feature: join program protection

README.md

@@ -115,12 +115,15 @@ func AuthMiddleware(auth *auth.Client, log *logan.Entry) func(http.Handler) http
 ```
 and in handlers/verify_passport:
 ```go
-	// never panics because of request validation
 	// proof.PubSignals[zk.Nullifier] = mustHexToInt(nullifier)
-	// err = Verifier(r).VerifyProof(*proof)
-	// if err != nil {
-	// 	return nil, problems.BadRequest(err)
-	// }
+    // err = Verifier(r).VerifyProof(*proof)
+    // if err != nil {
+    //	if errors.Is(err, identity.ErrContractCall) {
+    //		Log(r).WithError(err).Error("Failed to verify proof")
+    //		return nil, append(errs, problems.InternalError())
+    //	}
+    //	return nil, problems.BadRequest(err)
+    // }
 ```
 and in handlers/withdraw(lines 49-58):
 ```go

config-testing.yaml

@@ -76,6 +76,7 @@ levels:
       withdrawal_allowed: true
 
 countries:
+  verification_key: "37bc75afc97f8bdcd21cda85ae7b2885b5f1205ae3d79942e56457230f1636a037cc7ebfe42998d66a3dd3446b9d29366271b4f2bd8e0d307db1d320b38fc02f"
   countries:
     - code: "UKR"
       reserve_limit: 100000

docs/spec/components/schemas/VerifyPassport.yaml

@@ -7,10 +7,22 @@ allOf:
     properties:
       attributes:
         required:
-          - proof
+          - anonymous_id
+          - country
         type: object
         properties:
+          anonymous_id:
+            type: string
+            description: Unique identifier of the passport.
+            example: "2bd3a2532096fee10a45a40e444a11b4d00a707f3459376087747de05996fbf5"
+          country:
+            type: string
+            description: |
+              ISO 3166-1 alpha-3 country code, must match the one provided in `proof`.
+            example: "UKR"
           proof:
             type: object
             format: types.ZKProof
-            description: Iden3 ZK passport verification proof.
+            description: |
+              Query ZK passport verification proof.
+              Required for endpoint `/v2/balances/{nullifier}/verifypassport`.

docs/spec/components/schemas/Withdraw.yaml

@@ -24,4 +24,4 @@ allOf:
           proof:
             type: object
             format: types.ZKProof
-            description: Iden3 ZK passport verification proof.
+            description: Query ZK passport verification proof.

docs/spec/openapi.yaml

@@ -1,6 +1,6 @@
 openapi: 3.0.0
 info:
-  version: 1.0.0
+  version: 1.2.0
   title: rarime-points-svc
   description: ''
 servers:

docs/spec/paths/integrations@rarime-points-svc@v1@public@balances@{nullifier}@join_program.yaml

@@ -6,6 +6,13 @@ post:
   operationId: joinRewardsProgram
   parameters:
     - $ref: '#/components/parameters/pathNullifier'
+    - in: header
+      name: Signature
+      description: Signature of the request
+      required: true
+      schema:
+        type: string
+        pattern: '^[a-f0-9]{64}$'
   requestBody:
     required: true
     content:
@@ -16,7 +23,7 @@ post:
             - data
           properties:
             data:
-              $ref: '#/components/schemas/JoinProgram'
+              $ref: '#/components/schemas/VerifyPassport'
   responses:
     200:
       description: Success

docs/spec/paths/integrations@rarime-points-svc@v1@public@balances@{nullifier}@verifypassport.yaml

@@ -3,10 +3,18 @@ post:
     - Points balance
   summary: Verify passport
   description: |
-    Fulfill verify passport event if it is open
+    Verify passport with ZKP, fulfilling the event.
+    One passport can't be verified twice.
   operationId: verifyPassport
   parameters:
     - $ref: '#/components/parameters/pathNullifier'
+    - in: header
+      name: Signature
+      description: Signature of the request
+      required: true
+      schema:
+        type: string
+        pattern: '^[a-f0-9]{64}$'
   requestBody:
     required: true
     content:

internal/assets/migrations/004_anonymous_id.sql

@@ -0,0 +1,5 @@
+-- +migrate Up
+ALTER TABLE balances ADD COLUMN anonymous_id text UNIQUE;
+
+-- +migrate Down
+ALTER TABLE balances DROP COLUMN anonymous_id;

internal/data/balances.go

@@ -7,10 +7,11 @@ import (
 )
 
 const (
-	ColAmount     = "amount"
-	ColLevel      = "level"
-	ColCountry    = "country"
-	ColIsPassport = "is_passport_proven"
+	ColAmount      = "amount"
+	ColLevel       = "level"
+	ColCountry     = "country"
+	ColIsPassport  = "is_passport_proven"
+	ColAnonymousID = "anonymous_id"
 )
 
 type Balance struct {
@@ -23,6 +24,7 @@ type Balance struct {
 	Level            int            `db:"level"`
 	Country          *string        `db:"country"`
 	IsPassportProven bool           `db:"is_passport_proven"`
+	AnonymousID      *string        `db:"anonymous_id"`
 }
 
 type BalancesQ interface {
@@ -45,6 +47,7 @@ type BalancesQ interface {
 
 	FilterByNullifier(...string) BalancesQ
 	FilterDisabled() BalancesQ
+	FilterByAnonymousID(id string) BalancesQ
 }
 
 type WithoutPassportEventBalance struct {

internal/data/pg/balances.go

@@ -196,6 +196,10 @@ func (q *balances) FilterDisabled() data.BalancesQ {
 	return q.applyCondition(squirrel.NotEq{"referred_by": nil})
 }
 
+func (q *balances) FilterByAnonymousID(id string) data.BalancesQ {
+	return q.applyCondition(squirrel.Eq{"anonymous_id": id})
+}
+
 func (q *balances) applyCondition(cond squirrel.Sqlizer) data.BalancesQ {
 	q.selector = q.selector.Where(cond)
 	q.updater = q.updater.Where(cond)