Merge pull request #1063 from ensdomains/restrict-verifications-to-dentity-url

Add URL validation for Dentity verification credentials

Author: laurgk

e2e/specs/stateless/verifications.spec.ts

@@ -7,15 +7,17 @@ import { Hash } from 'viem'
 import { setRecords } from '@ensdomains/ensjs/wallet'
 
 import {
+  DENTITY_BASE_ENDPOINT,
   DENTITY_ISS,
-  DENTITY_VPTOKEN_ENDPOINT,
   VERIFICATION_OAUTH_BASE_URL,
   VERIFICATION_RECORD_KEY,
 } from '@app/constants/verification'
 
 import { createAccounts } from '../../../playwright/fixtures/accounts'
 import { testClient } from '../../../playwright/fixtures/contracts/utils/addTestContracts'
 
+const DENTITY_VPTOKEN_ENDPOINT = `${DENTITY_BASE_ENDPOINT}/oidc/vp-token`
+
 type MakeMockVPTokenRecordKey =
   | 'com.twitter'
   | 'com.github'

src/constants/verification.ts

@@ -1,3 +1,6 @@
+import { match } from 'ts-pattern'
+
+import { getNetworkFromUrl } from '@app/constants/chains'
 import type { VerificationProtocol } from '@app/transaction-flow/input/VerifyProfile/VerifyProfile-flow'
 
 /**
@@ -51,12 +54,13 @@ const DENTITY_ENV_CONFIGS = {
 
 type DentityEnvironment = keyof typeof DENTITY_ENV_CONFIGS
 
-const DENTITY_ENV: DentityEnvironment = 'production'
+const DENTITY_ENV: DentityEnvironment = match(getNetworkFromUrl())
+  .with('mainnet', () => 'production' as const)
+  .with('sepolia', () => 'staging' as const)
+  .otherwise(() => 'dev' as const)
 
 export const DENTITY_BASE_ENDPOINT = DENTITY_ENV_CONFIGS[DENTITY_ENV].endpoint
 
-export const DENTITY_VPTOKEN_ENDPOINT = `${DENTITY_BASE_ENDPOINT}/oidc/vp-token`
-
 export const DENTITY_CLIENT_ID = DENTITY_ENV_CONFIGS[DENTITY_ENV].clientId
 
 export const DENTITY_ISS = DENTITY_ENV_CONFIGS[DENTITY_ENV].iss

src/hooks/verification/useVerifiedRecords/useVerifiedRecords.test.ts

@@ -2,8 +2,12 @@ import { makeMockVerifiablePresentationData } from '@root/test/mock/makeMockVeri
 import { match } from 'ts-pattern'
 import { describe, expect, it, vi } from 'vitest'
 
+import { DENTITY_BASE_ENDPOINT } from '@app/constants/verification'
+
 import { getVerifiedRecords, parseVerificationRecord } from './useVerifiedRecords'
 
+const mockUrl = (path: string) => `${DENTITY_BASE_ENDPOINT}/${path}`
+
 describe('parseVerificationRecord', () => {
   it('should return empty array if undefined', () => {
     expect(parseVerificationRecord()).toEqual([])
@@ -25,7 +29,7 @@ describe('parseVerificationRecord', () => {
 describe('getVerifiedRecords', () => {
   const mockFetch = vi.fn().mockImplementation(async (uri) =>
     match(uri)
-      .with('error', () => Promise.reject('error'))
+      .with(mockUrl('error'), () => Promise.reject('error'))
       .otherwise(() =>
         Promise.resolve({
           json: () => Promise.resolve(makeMockVerifiablePresentationData('openid')),
@@ -36,14 +40,26 @@ describe('getVerifiedRecords', () => {
 
   it('should exclude fetches that error from results ', async () => {
     const result = await getVerifiedRecords({
-      queryKey: [{ verificationsRecord: '["error", "regular", "error"]' }, '0x123'],
+      queryKey: [
+        { verificationsRecord: JSON.stringify([mockUrl('error'), mockUrl('regular'), mockUrl('error')]) },
+        '0x123',
+      ],
     } as any)
     expect(result).toHaveLength(7)
   })
 
   it('should return a flat array of verified credentials', async () => {
     const result = await getVerifiedRecords({
-      queryKey: [{ verificationsRecord: '["one", "two", "error", "three"]' }],
+      queryKey: [
+        {
+          verificationsRecord: JSON.stringify([
+            mockUrl('one'),
+            mockUrl('two'),
+            mockUrl('error'),
+            mockUrl('three'),
+          ]),
+        },
+      ],
     } as any)
     expect(result).toHaveLength(21)
     expect(result.every((item) => !Array.isArray(item))).toBe(true)

src/hooks/verification/useVerifiedRecords/useVerifiedRecords.ts

@@ -1,6 +1,7 @@
 import { QueryFunctionContext } from '@tanstack/react-query'
 import { Hash } from 'viem'
 
+import { DENTITY_BASE_ENDPOINT } from '@app/constants/verification'
 import { useQueryOptions } from '@app/hooks/useQueryOptions'
 import { CreateQueryKey, QueryConfig } from '@app/types'
 import { getIsCachedData } from '@app/utils/getIsCachedData'
@@ -47,8 +48,14 @@ export const getVerifiedRecords = async <TParams extends UseVerifiedRecordsParam
   queryKey: [{ verificationsRecord, ownerAddress, name }],
 }: QueryFunctionContext<QueryKey<TParams>>): Promise<UseVerifiedRecordsReturnType> => {
   const verifiablePresentationUris = parseVerificationRecord(verificationsRecord)
+
+  // Filter to only allow Dentity verification URLs
+  const validUris = verifiablePresentationUris.filter((uri) =>
+    uri.startsWith(DENTITY_BASE_ENDPOINT),
+  )
+
   const responses = await Promise.allSettled(
-    verifiablePresentationUris.map((uri) => fetch(uri).then((resp) => resp.json())),
+    validUris.map((uri) => fetch(uri).then((resp) => resp.json())),
   )
   return Promise.all(
     responses