@ducatus/ducatus-wallet-client-rev/src/lib/paypro.ts

Client for @ducatus/ducatus-wallet-service-rev

import { BitcoreLib, BitcoreLibCash, DucatuscoreLib } from '@ducatus/ducatus-crypto-wallet-core-rev';

var $ = require('preconditions').singleton();
const URL = require('url');
const _ = require('lodash');
const superagent = require('superagent');
var Bitcore = BitcoreLib;
const Errors = require('./errors');
var Bitcore_ = {
  btc: Bitcore,
  bch: BitcoreLibCash,
  duc: DucatuscoreLib
};
// const request = require('request');
const JSON_PAYMENT_REQUEST_CONTENT_TYPE = 'application/payment-request';
const JSON_PAYMENT_VERIFY_CONTENT_TYPE = 'application/verify-payment';
const JSON_PAYMENT_CONTENT_TYPE = 'application/payment';
const JSON_PAYMENT_ACK_CONTENT_TYPE = 'application/payment-ack';

const dfltTrustedKeys = require('../util/JsonPaymentProtocolKeys.js');
const MAX_FEE_PER_KB = 500000;

export class PayPro {
  // static request: request;
  static r = superagent;
  constructor() {}
  // var PayPro = {
  //
  // };

  // /**
  // * Verifies the signature of a given payment request is both valid and from a trusted key
  // */
  static _verify(requestUrl, headers, network, trustedKeys, callback) {
    let hash = headers.digest.split('=')[1];
    let signature = headers.signature;
    let signatureType = headers['x-signature-type'];
    let identity = headers['x-identity'];
    let host;

    if (network == 'testnet') network = 'test';
    if (network == 'livenet') network = 'main';

    if (!requestUrl) {
      return callback(new Error('You must provide the original payment request url'));
    }
    if (!trustedKeys) {
      return callback(new Error('You must provide a set of trusted keys'));
    }

    try {
      host = URL.parse(requestUrl).hostname;
    } catch (e) {}

    if (!host) {
      return callback(new Error('Invalid requestUrl'));
    }
    if (!signatureType) {
      return callback(new Error('Response missing x-signature-type header'));
    }
    if (typeof signatureType !== 'string') {
      return callback(new Error('Invalid x-signature-type header'));
    }
    if (signatureType !== 'ecc') {
      return callback(new Error(`Unknown signature type ${signatureType}`));
    }
    if (!signature) {
      return callback(new Error('Response missing signature header'));
    }
    if (typeof signature !== 'string') {
      return callback(new Error('Invalid signature header'));
    }
    if (!identity) {
      return callback(new Error('Response missing x-identity header'));
    }
    if (typeof identity !== 'string') {
      return callback(new Error('Invalid identity header'));
    }
    if (!trustedKeys[identity]) {
      return callback(new Error(`Response signed by unknown key (${identity}), unable to validate`));
    }

    let keyData = trustedKeys[identity];
    if (keyData.domains.indexOf(host) === -1) {
      return callback(new Error(`The key on the response (${identity}) is not trusted for domain ${host}`));
    } else if (!keyData.networks.includes(network)) {
      return callback(new Error(`The key on the response is not trusted for transactions on the '${network}' network`));
    }

    var hashbuf = Buffer.from(hash, 'hex');
    let sigbuf = Buffer.from(signature, 'hex');

    let s_r = Buffer.alloc(32);
    let s_s = Buffer.alloc(32);

    sigbuf.copy(s_r, 0, 0);
    sigbuf.copy(s_s, 0, 32);

    let s_rBN = Bitcore.crypto.BN.fromBuffer(s_r);
    let s_sBN = Bitcore.crypto.BN.fromBuffer(s_s);

    let pub = Bitcore.PublicKey.fromString(keyData.publicKey);

    let sig = new Bitcore.crypto.Signature();
    sig.set({ r: s_rBN, s: s_sBN });

    let valid = Bitcore.crypto.ECDSA.verify(hashbuf, sig, pub);

    if (!valid) {
      return callback(new Error('Response signature invalid'));
    }

    return callback(null, keyData.owner);
  }

  static runRequest(opts, cb) {
    $.checkArgument(opts.network, 'should pass network');
    var r = this.r[opts.method.toLowerCase()](opts.url);
    _.each(opts.headers, function(v, k) {
      if (v) r.set(k, v);
    });
    if (opts.args) {
      if (opts.method.toLowerCase() == 'post' || opts.method.toLowerCase() == 'put') {
        r.send(opts.args);
      } else {
        r.query(opts.args);
      }
    }
    r.end((err, res) => {
      if (err) return cb(err);
      var body = res.text;
      if (!res || res.statusCode != 200) {
        // some know codes
        if (res.statusCode == 400) {
          return cb(new Errors.INVOICE_EXPIRED());
        } else if (res.statusCode == 404) {
          return cb(new Errors.INVOICE_NOT_AVAILABLE());
        } else if (res.statusCode == 422) {
          return cb(new Errors.UNCONFIRMED_INPUTS_NOT_ACCEPTED());
        }

        let m = res ? res.statusMessage || res.statusCode : '';
        return cb(new Error('Could not fetch invoice: ' + m));
      }

      // console.log('########################### SKIPPING VERIFICATION!!!!!!!!!!! ');
      // TODO TODO TODO
      //  return cb(null, body);

      if (opts.noVerify) return cb(null, body);

      if (!res.headers.digest) {
        return cb(new Error('Digest missing from response headers'));
      }

      //
      // Verification
      //

      // Step 1: Check digest from header
      let digest = res.headers.digest.toString().split('=')[1];
      let hash = Bitcore.crypto.Hash.sha256(Buffer.from(body, 'utf8')).toString('hex');

      if (digest !== hash) {
        return cb(new Error(`Response body hash does not match digest header. Actual: ${hash} Expected: ${digest}`));
      }
      // Step 2: verify digest's signature
      PayPro._verify(opts.url, res.headers, opts.network, opts.trustedKeys, err => {
        if (err) return cb(err);

        let ret;
        try {
          ret = JSON.parse(body);
        } catch (e) {
          return cb(new Error('Could not payment request:' + body));
        }
        ret.verified = 1;
        return cb(null, ret);
      });
    });
  }

  static get(opts, cb) {
    $.checkArgument(opts && opts.url);
    opts.trustedKeys = opts.trustedKeys || dfltTrustedKeys;

    var coin = opts.coin || 'btc';
    var bitcore = Bitcore_[coin];

    var COIN = coin.toUpperCase();
    opts.headers = opts.headers || {
      Accept: JSON_PAYMENT_REQUEST_CONTENT_TYPE,
      'Content-Type': 'application/octet-stream'
    };
    opts.method = 'GET';
    opts.network = opts.network || 'livenet';

    PayPro.runRequest(opts, function(err, data) {
      if (err) return cb(err);

      var ret: any = {};

      // otherwise, it returns err.
      ret.verified = true;

      // network
      if (data.network == 'test') ret.network = 'testnet';

      if (data.network == 'main') ret.network = 'livenet';

      if (!data.network) return cb(new Error('No network at payment request'));

      // currency
      if (data.currency != COIN) return cb(new Error('Currency mismatch. Expecting:' + COIN));

      ret.coin = coin;

      // fee
      if (data.requiredFeeRate > MAX_FEE_PER_KB) return cb(new Error('Fee rate too high:' + data.requiredFeeRate));

      ret.requiredFeeRate = data.requiredFeeRate;

      // outputs
      if (!data.outputs || data.outputs.length != 1) {
        return cb(new Error('Must have 1 output'));
      }

      if (!_.isNumber(data.outputs[0].amount)) {
        return cb(new Error('Bad output amount'));
      }
      ret.amount = data.outputs[0].amount;

      try {
        ret.toAddress = new bitcore.Address(data.outputs[0].address).toString(true);
      } catch (e) {
        return cb(new Error('Bad output address ' + e));
      }

      ret.memo = data.memo;
      ret.paymentId = data.paymentId;
      try {
        ret.expires = new Date(data.expires).toISOString();
      } catch (e) {
        return cb(new Error('Bad expiration'));
      }
      return cb(null, ret);
    });
  }

  static send(opts, cb) {
    $.checkArgument(opts.rawTxUnsigned)
      .checkArgument(opts.url)
      .checkArgument(opts.rawTx);

    var coin = opts.coin || 'btc';
    var COIN = coin.toUpperCase();

    opts.network = opts.network || 'livenet';
    opts.method = 'POST';
    opts.headers = opts.headers || {
      'Content-Type': JSON_PAYMENT_VERIFY_CONTENT_TYPE
    };
    let size = opts.rawTx.length / 2;
    opts.args = JSON.stringify({
      currency: COIN,
      unsignedTransaction: opts.rawTxUnsigned,
      weightedSize: size
    });

    // Do not verify verify-payment message's response
    opts.noVerify = true;

    // verify request
    PayPro.runRequest(opts, function(err, rawData) {
      if (err) {
        console.log('Error at verify-payment:', err.message ? err.message : '', opts);
        return cb(err);
      }

      opts.headers = {
        'Content-Type': JSON_PAYMENT_CONTENT_TYPE,
        Accept: JSON_PAYMENT_ACK_CONTENT_TYPE
      };

      if (opts.bp_partner) {
        opts.headers['BP_PARTNER'] = opts.bp_partner;
        if (opts.bp_partner_version) {
          opts.headers['BP_PARTNER_VERSION'] = opts.bp_partner_version;
        }
      }

      opts.args = JSON.stringify({
        currency: COIN,
        transactions: [opts.rawTx]
      });

      // Do not verify payment message's response
      opts.noVerify = true;

      PayPro.runRequest(opts, function(err, rawData) {
        if (err) {
          console.log('Error at payment:', err.message ? err.message : '', opts);
          return cb(err);
        }

        var memo;
        if (rawData) {
          try {
            var data = JSON.parse(rawData.toString());
            memo = data.memo;
          } catch (e) {
            console.log('Could not decode paymentACK');
          }
        }
        return cb(null, rawData, memo);
      });
    });
  }
}