Skip to content

Fix v1 receipt validation #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
oathis wants to merge 1 commit into
base: main
Choose a base branch
from
+91 −8
Open

Fix v1 receipt validation #7

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 51 additions & 8 deletions src/verify.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,27 @@ const REQUIRED_SIGNED_FIELDS = [
'createdAt',
] as const;

const RECEIPT_VERSION = 'v1';

const REQUIRED_STRING_FIELDS = [
'id',
'companyId',
'idemKey',
'agentId',
'runId',
'inputHash',
'status',
'riskTier',
'policyVersion',
'summary',
'receiptVersion',
'canonicalization',
'signatureAlg',
'signatureKeyId',
'expiresAt',
'createdAt',
] as const;

export type VerifyResult =
| {
verified: true;
Expand Down Expand Up @@ -63,6 +84,16 @@ function isObject(value: unknown): value is Record<string, unknown> {
return typeof value === 'object' && value !== null;
}

function malformed(receipt: Record<string, unknown>, errorMessage: string): VerifyResult {
return {
verified: false,
exitCode: 3,
errorCode: 'MALFORMED_RECEIPT',
errorMessage,
receiptId: typeof receipt.id === 'string' ? receipt.id : undefined,
};
}

export async function verifyReceipt(receipt: unknown, options: VerifyOptions): Promise<VerifyResult> {
if (!isObject(receipt)) {
return {
Expand All @@ -74,17 +105,29 @@ export async function verifyReceipt(receipt: unknown, options: VerifyOptions): P
}

for (const field of REQUIRED_SIGNED_FIELDS) {
if (!(field in receipt)) {
return {
verified: false,
exitCode: 3,
errorCode: 'MALFORMED_RECEIPT',
errorMessage: `missing required signed field: ${field}`,
receiptId: typeof receipt.id === 'string' ? receipt.id : undefined,
};
if (!Object.hasOwn(receipt, field) || receipt[field] === undefined || receipt[field] === null) {
return malformed(receipt, `missing required signed field: ${field}`);
}
}

for (const field of REQUIRED_STRING_FIELDS) {
if (typeof receipt[field] !== 'string') {
return malformed(receipt, `required signed field must be a string: ${field}`);
}
}

if (!isObject(receipt.requestJson) || Array.isArray(receipt.requestJson)) {
return malformed(receipt, 'requestJson must be a JSON object');
}

if (!Array.isArray(receipt.reasonCodes)) {
return malformed(receipt, 'reasonCodes must be an array');
}

if (receipt.receiptVersion !== RECEIPT_VERSION) {
return malformed(receipt, 'unsupported receipt version');
}

if (receipt.canonicalization !== CANONICALIZATION_VERSION) {
return {
verified: false,
Expand Down
40 changes: 40 additions & 0 deletions tests/verify.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
import { readFile } from 'node:fs/promises';
import { createPrivateKey, sign } from 'node:crypto';
import { resolve } from 'node:path';
import { describe, expect, it } from 'vitest';
import { canonicalizeReceiptBytes } from '../src/canonicalize.js';
import { verifyReceipt } from '../src/verify.js';

async function loadJson(name: string): Promise<unknown> {
Expand All @@ -9,6 +11,15 @@ async function loadJson(name: string): Promise<unknown> {
}

const keyFile = resolve(process.cwd(), 'tests/fixtures/public-key.pem');
const privateKeyFile = resolve(process.cwd(), 'tests/fixtures/private-key.pem');

async function signFixtureReceipt(receipt: Record<string, unknown>): Promise<void> {
receipt.signatureValue = sign(
null,
canonicalizeReceiptBytes(receipt),
createPrivateKey(await readFile(privateKeyFile)),
).toString('base64');
}

describe('verifyReceipt', () => {
it('verifies a valid receipt', async () => {
Expand Down Expand Up @@ -40,6 +51,35 @@ describe('verifyReceipt', () => {
}
});

it('returns malformed for an unsupported receipt version', async () => {
const receipt = (await loadJson('valid.json')) as Record<string, unknown>;
receipt.receiptVersion = 'v2';
await signFixtureReceipt(receipt);

const result = await verifyReceipt(receipt, { keyFile, noNetwork: true });
expect(result.verified).toBe(false);
if (!result.verified) {
expect(result.exitCode).toBe(3);
expect(result.errorCode).toBe('MALFORMED_RECEIPT');
expect(result.errorMessage).toBe('unsupported receipt version');
}
});

it('returns malformed when a required signed field is null', async () => {
const receipt = (await loadJson('valid.json')) as Record<string, unknown>;
delete receipt.requestJson;
await signFixtureReceipt(receipt);
receipt.requestJson = null;

const result = await verifyReceipt(receipt, { keyFile, noNetwork: true });
expect(result.verified).toBe(false);
if (!result.verified) {
expect(result.exitCode).toBe(3);
expect(result.errorCode).toBe('MALFORMED_RECEIPT');
expect(result.errorMessage).toBe('missing required signed field: requestJson');
}
});

it('returns signature invalid for wrong key id pin', async () => {
const receipt = await loadJson('wrong-key.json');
const result = await verifyReceipt(receipt, { keyFile, keyId: 'pp-test-2026-q2', noNetwork: true });
Expand Down