Prevent request hashes from being user more than once (#1191)

* Prevent request hashes from being user more than once * Sort user solutions before giving to tasks * fix typo
prosopo · May 2, 2024 · 0320c57 · 0320c57
1 parent 989b22e
commit 0320c57
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 7 deletions.
diff --git a/packages/database/src/databases/mongo.ts b/packages/database/src/databases/mongo.ts
@@ -634,9 +634,9 @@ export class ProsopoDatabase extends AsyncFactory implements Database {
     }
 
     /**
-     * @description Update a Dapp User's pending record
+     * @description Mark a pending request as used
      */
-    async updateDappUserPendingStatus(userAccount: string, requestHash: string, approve: boolean): Promise<void> {
+    async updateDappUserPendingStatus(requestHash: string): Promise<void> {
         if (!isHex(requestHash)) {
             throw new ProsopoEnvError('DATABASE.INVALID_HASH', {
                 context: { failedFuncName: this.updateDappUserPendingStatus.name, requestHash },
@@ -647,10 +647,7 @@ export class ProsopoDatabase extends AsyncFactory implements Database {
             { requestHash: requestHash },
             {
                 $set: {
-                    accountId: userAccount,
                     pending: false,
-                    approved: approve,
-                    requestHash,
                 },
             },
             { upsert: true }
@@ -794,7 +791,8 @@ export class ProsopoDatabase extends AsyncFactory implements Database {
      */
     async getDappUserCommitmentByAccount(userAccount: string): Promise<UserCommitmentRecord[]> {
         const docs: UserCommitmentRecord[] | null | undefined = await this.tables?.commitment
-            ?.find({ userAccount })
+            // sort by most recent first to avoid old solutions being used in development
+            ?.find({ userAccount }, { _id: 0 }, { sort: { _id: -1 } })
             .lean()
 
         return docs ? (docs as UserCommitmentRecord[]) : []

diff --git a/packages/provider/src/api/captcha.ts b/packages/provider/src/api/captcha.ts
@@ -147,6 +147,7 @@ export function prosopoRouter(env: ProviderEnvironment): Router {
                 : tasks.getDappUserCommitmentByAccount(parsed.user))
 
             if (!solution) {
+                tasks.logger.debug('Not verified - no solution found')
                 return res.json({
                     [ApiParams.status]: req.t('API.USER_NOT_VERIFIED'),
                     [ApiParams.verified]: false,
@@ -162,6 +163,7 @@ export function prosopoRouter(env: ProviderEnvironment): Router {
                     [ApiParams.verified]: false,
                 }
                 if (timeSinceCompletion > parsed.maxVerifiedTime) {
+                    tasks.logger.debug('Not verified - time run out')
                     return res.json(verificationResponse)
                 }
             }

diff --git a/packages/provider/src/tasks/tasks.ts b/packages/provider/src/tasks/tasks.ts
@@ -355,6 +355,8 @@ export class Tasks {
         const userSignature = hexToU8a(signature)
         const blockNumber = await getCurrentBlockNumber(this.contract.api)
         if (pendingRequest) {
+            // prevent this request hash from being used twice
+            await this.db.updateDappUserPendingStatus(requestHash)
             const commit: UserCommitmentRecord = {
                 id: commitmentId,
                 userAccount: userAccount,

diff --git a/packages/types-database/src/types/mongo.ts b/packages/types-database/src/types/mongo.ts
@@ -247,7 +247,7 @@ export interface Database {
 
     getDappUserPending(requestHash: string): Promise<PendingCaptchaRequest>
 
-    updateDappUserPendingStatus(userAccount: string, requestHash: string, approve: boolean): Promise<void>
+    updateDappUserPendingStatus(requestHash: string): Promise<void>
 
     getAllCaptchasByDatasetId(datasetId: string, captchaState?: CaptchaStates): Promise<Captcha[] | undefined>