
@iden3/js-iden3-auth
Library for verification of authorization response messages of communication protocol in JWZ format
npm i @iden3/js-iden3-auth --save
The goal of the iden3auth libraries is to handle the authentication messages of the iden3 communication protocol.
Currently, the library implementation supports the following message types:
https://iden3-communication.io/authorization/1.0/request
https://iden3-communication.io/authorization/1.0/response
To run the tests, set the IPFS gateway URL (the tests load schemas through it) and run the test script:
  export IPFS_URL=https://username:password@ipfs.infura.io:5001
  npm run test
Auth verification procedure:
  Groth16 proofs are supported by the auth library.
  Verification keys must be provided through the IKeyLoader interface.
  The proof for each atomic circuit contains public signals from which the user and issuer identifiers, states, signature challenges, etc. are extracted.
  Marshallers for the public signals of the built-in circuits are defined inside the library. To use a custom circuit, register it with the registerCircuitPubSignals function.
  The blockchain verification algorithm is used to check identity states: it gets the state from the blockchain (the address of the identity state contract and the RPC URL must be provided by the caller of the library).
  Only the latest state of a user is valid. Any existing issuer state is valid for claim issuance.
Import dependencies (the package is published as @iden3/js-iden3-auth, so that is the module specifier):
  import {
    auth,
    resolver,
    protocol,
    loaders,
    circuits,
  } from '@iden3/js-iden3-auth';
Request generation:
Basic auth request:
  const request = auth.createAuthorizationRequestWithMessage(
    'test flow', // reason
    'message to sign', // message
    '1125GJqgw6YEsKFwj63GY87MMxPL9kwDKxPUiwMLNZ', // sender
    'http://example.com/callback?sessionId=1', // callback url
  );
If you want to request a specific proof (example):
  const proofRequest: protocol.ZKPRequest = {
    id: 1,
    circuitId: 'credentialAtomicQueryMTPV2',
    query: {
      allowedIssuers: ['*'],
      type: 'KYCCountryOfResidenceCredential',
      context: 'https://raw.githubusercontent.com/iden3/claim-schema-vocab/main/schemas/json-ld/kyc-v2.json-ld',
      credentialSubject: {
        countryCode: {
          $nin: [840, 120, 340, 509],
        },
      },
    },
  };
  // append to the scope the request already carries (it may be undefined on a fresh request)
  const scope = request.body.scope ?? [];
  request.body.scope = [...scope, proofRequest];
Token verification
Init Verifier (ethUrl is the RPC URL and contractAddress the identity state contract address, both supplied by the caller):
  const ethStateResolver = new resolver.EthStateResolver(
    ethUrl,
    contractAddress,
  );
  const resolvers: resolver.Resolvers = {
    'polygon:mumbai': ethStateResolver,
  };
  const verificationKeyloader = new loaders.FSKeyLoader('../../keys');
  const sLoader = new loaders.UniversalSchemaLoader('ipfs.io');
  const verifier = new auth.Verifier(
    verificationKeyloader,
    sLoader,
    resolvers,
  );
FullVerify:
  const verifyOpts = {}; // optional VerifyOpts; omit the argument or pass {} to use the defaults
  let authResponse: protocol.AuthorizationResponseMessage;
  authResponse = await verifier.fullVerify(tokenStr, authRequest, verifyOpts);
Verify manually (the thread id, thid, is used as a session id to match the response to its request):
  const token = await verifier.verifyJWZ(tokenStr, verifyOpts);
  authResponse = JSON.parse(
    token.getPayload(),
  ) as protocol.AuthorizationResponseMessage;
  // Load the original request from your session storage, keyed by authResponse.thid.
  // loadRequestFromSession is a placeholder for your own lookup, not part of the library.
  const authRequest: protocol.AuthorizationRequestMessage = await loadRequestFromSession(authResponse.thid);
  await verifier.verifyAuthResponse(authResponse, authRequest, verifyOpts);
TypeChain can be used to generate TS types for the state smart contract:
  typechain --target ethers-v5 /path/to/state_contract.sol
FAQs
iden3-auth implementation in JavaScript
The npm package @iden3/js-iden3-auth receives a total of 265 weekly downloads. As such, @iden3/js-iden3-auth popularity was classified as not popular.
We found that @iden3/js-iden3-auth demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.