ots: proxy /digest through the backend -- full-shield stamp submissions

hans-crypto · hans-crypto · commit 7fc638382279 · 2026-05-13T08:17:07.000+02:00
Previously, ots-stamp.component.ts fetched calendar/digest directly
from the browser. Each calendar operator saw the user's IP at
submission time. Combined with the existing /upgrade proxy and the
fully-local verify flow, that was the last hop where the user could
be observed.

Add POST /api/v1/ordpool/ots/digest/:calendar in ordpool.routes.ts:
- 256-byte body cap (real OTS digests are 32; cap blocks open-relay
  abuse).
- Hostname whitelist via getOtsCalendarHosts(), same as /upgrade.
- 10s AbortController timeout.
- Forwards bytes verbatim; 502 on non-200 / network error.

Route-local express.raw middleware so we receive the digest as a
Buffer (not text-mangled by the global express.text body-parser).

Frontend ots-stamp.component.ts::postDigestToCalendar now POSTs to
`${apiBaseUrl}/api/v1/ordpool/ots/digest/&lt;host&gt;` instead of
`&lt;calendar-uri&gt;/digest`. Same response semantics.

7 regression tests pin the proxy behaviour: forwarding, host
whitelist, body validation (empty / oversize / non-Buffer), upstream
5xx → 502, fetch reject → 502. Backend baseline 343 → 350.
diff --git a/backend/.test-count-baseline.json b/backend/.test-count-baseline.json
@@ -1,4 +1,4 @@
 {
-  "passing": 343,
+  "passing": 350,
   "note": "Floor for .github/workflows/test-count-floor-backend.yml. Count of passing tests from the single jest config (node). Only an ordpool core maintainer is authorised to lower this number; every other change that reduces test count is treated as an accident and rejected. To raise the floor after legitimately adding tests, bump this value and commit. See also workspace CLAUDE.md, HARD RULE 'Never delete a passing test without explicit permission'."
 }
diff --git a/backend/src/api/explorer/_ordpool/ordpool.routes.test.ts b/backend/src/api/explorer/_ordpool/ordpool.routes.test.ts
@@ -281,3 +281,116 @@ describe('$isOtsCommit route handler', () => {
     expect(ordpoolOtsTxidSet.has).not.toHaveBeenCalled();
   });
 });
+
+// Mock the calendars config so we know exactly which hostnames are
+// whitelisted. The real config reads a JSON file; for tests we just
+// declare two hosts and assert that anything else 400s.
+jest.mock('./ots-calendars-config', () => ({
+  __esModule: true,
+  getOtsCalendars: jest.fn(),
+  getOtsCalendarHosts: jest.fn(() => new Set([
+    'alice.btc.calendar.opentimestamps.org',
+    'bob.btc.calendar.opentimestamps.org',
+  ])),
+}));
+
+describe('$proxyOtsDigest route handler (privacy shield for stamp submissions)', () => {
+
+  let fetchSpy: jest.SpyInstance;
+
+  beforeEach(() => {
+    jest.resetAllMocks();
+    // Re-arm the calendar-host whitelist because resetAllMocks clears it.
+    const cfg = require('./ots-calendars-config');
+    (cfg.getOtsCalendarHosts as jest.Mock).mockReturnValue(new Set([
+      'alice.btc.calendar.opentimestamps.org',
+      'bob.btc.calendar.opentimestamps.org',
+    ]));
+    fetchSpy = jest.spyOn(globalThis, 'fetch' as any);
+  });
+
+  afterEach(() => {
+    fetchSpy.mockRestore();
+  });
+
+  async function call$proxyOtsDigest(calendar: string, body: any) {
+    const res = makeRes();
+    await (generalOrdpoolRoutes as any).$proxyOtsDigest(
+      { params: { calendar }, body } as unknown as Request,
+      res,
+    );
+    return res as Response & { status: jest.Mock; setHeader: jest.Mock; send: jest.Mock; end: jest.Mock };
+  }
+
+  it('forwards a 32-byte SHA-256 digest to the whitelisted calendar and returns the upstream bytes', async () => {
+    const digest = Buffer.alloc(32, 0x42);
+    const upstreamBody = Buffer.from([0xf0, 0x10, 0x42, 0x00, 0xff]);
+    fetchSpy.mockResolvedValueOnce({
+      status: 200,
+      arrayBuffer: async () => upstreamBody.buffer.slice(upstreamBody.byteOffset, upstreamBody.byteOffset + upstreamBody.byteLength),
+    } as any);
+
+    const res = await call$proxyOtsDigest('alice.btc.calendar.opentimestamps.org', digest);
+
+    expect(fetchSpy).toHaveBeenCalledWith(
+      'https://alice.btc.calendar.opentimestamps.org/digest',
+      expect.objectContaining({ method: 'POST', body: digest }),
+    );
+    expect(res.status).toHaveBeenCalledWith(200);
+    expect(res.setHeader).toHaveBeenCalledWith('Cache-Control', 'no-store');
+    expect(res.setHeader).toHaveBeenCalledWith('Content-Type', 'application/vnd.opentimestamps.v1');
+  });
+
+  it('rejects an unknown calendar host with 400 (so this cannot be used as an open POST relay)', async () => {
+    const res = await call$proxyOtsDigest('evil.example.org', Buffer.alloc(32, 0));
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.send).toHaveBeenCalledWith('unknown calendar');
+    expect(fetchSpy).not.toHaveBeenCalled();
+  });
+
+  it('rejects an empty body', async () => {
+    const res = await call$proxyOtsDigest('alice.btc.calendar.opentimestamps.org', Buffer.alloc(0));
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.send).toHaveBeenCalledWith('invalid digest body');
+    expect(fetchSpy).not.toHaveBeenCalled();
+  });
+
+  it('rejects oversize bodies (cap 256 bytes, real OTS digests are 32)', async () => {
+    const res = await call$proxyOtsDigest('alice.btc.calendar.opentimestamps.org', Buffer.alloc(1024, 0));
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.send).toHaveBeenCalledWith('invalid digest body');
+    expect(fetchSpy).not.toHaveBeenCalled();
+  });
+
+  it('rejects non-Buffer bodies (middleware bypass guard)', async () => {
+    // If express.raw didn't run (or was bypassed), req.body might be the
+    // body-parser default of {} or undefined. The handler must refuse to
+    // forward in that case rather than POSTing nonsense to the calendar.
+    const res = await call$proxyOtsDigest('alice.btc.calendar.opentimestamps.org', { not: 'a buffer' });
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.send).toHaveBeenCalledWith('invalid digest body');
+    expect(fetchSpy).not.toHaveBeenCalled();
+  });
+
+  it('maps a non-200 upstream response to 502', async () => {
+    fetchSpy.mockResolvedValueOnce({ status: 503, arrayBuffer: async () => new ArrayBuffer(0) } as any);
+
+    const res = await call$proxyOtsDigest('bob.btc.calendar.opentimestamps.org', Buffer.alloc(32, 0));
+
+    expect(res.status).toHaveBeenCalledWith(502);
+    expect(res.send).toHaveBeenCalledWith('upstream returned 503');
+  });
+
+  it('maps a thrown fetch (network failure / abort) to 502', async () => {
+    fetchSpy.mockRejectedValueOnce(new Error('network down'));
+
+    const res = await call$proxyOtsDigest('alice.btc.calendar.opentimestamps.org', Buffer.alloc(32, 0));
+
+    expect(res.status).toHaveBeenCalledWith(502);
+    expect(res.send).toHaveBeenCalledWith('upstream error');
+  });
+});
diff --git a/backend/src/api/explorer/_ordpool/ordpool.routes.ts b/backend/src/api/explorer/_ordpool/ordpool.routes.ts
@@ -1,4 +1,4 @@
-import { Application, Request, Response } from 'express';
+import express, { Application, Request, Response } from 'express';
 import { AtomicalFile, getFirstInscriptionHeight, InscriptionPreviewService, isValidTxid, ParsedInscription, ParsedStamp, PreviewInstructions } from 'ordpool-parser';
 
 import config from '../../../config';
@@ -32,6 +32,13 @@ class GeneralOrdpoolRoutes {
       .get(config.MEMPOOL.API_URL_PREFIX + 'ordpool/ots/tx/:txid', this.$getOtsTx)
       .get(config.MEMPOOL.API_URL_PREFIX + 'ordpool/ots/block/:height', this.$getOtsBlock)
       .get(config.MEMPOOL.API_URL_PREFIX + 'ordpool/ots/upgrade/:calendar/:hash', this.$proxyOtsUpgrade)
+      // Route-local express.raw so we receive the digest as a Buffer (not
+      // body-parser-mangled text). 256-byte cap; real OTS digests are 32 bytes.
+      .post(
+        config.MEMPOOL.API_URL_PREFIX + 'ordpool/ots/digest/:calendar',
+        express.raw({ type: '*/*', limit: 256 }),
+        this.$proxyOtsDigest,
+      )
       .get(config.MEMPOOL.API_URL_PREFIX + 'ordpool/ots/stamp-calendars', this.$getOtsStampCalendars)
       .get(config.MEMPOOL.API_URL_PREFIX + 'ordpool/ots/is-commit/:txid', this.$isOtsCommit)
       .get('/content/:inscriptionId', this.getInscriptionContent)
@@ -136,6 +143,67 @@ class GeneralOrdpoolRoutes {
     }
   }
 
+  /**
+   * Proxy POST /digest on a public OTS calendar.
+   *
+   * Why we proxy: privacy. Without this, the browser submits the user's
+   * file hash directly to alice/bob/finney/catallaxy and each calendar
+   * operator learns the user's IP at submission time. Routing through
+   * ordpool makes the calendar see our backend's IP instead -- combined
+   * with the existing /upgrade proxy and the all-local verify flow,
+   * calendar operators never observe the user at all.
+   *
+   * The proxied body is the raw 32-byte SHA-256 digest. We enforce
+   * a tight 256-byte cap (route-local `express.raw` limit + a recheck
+   * here in case the middleware was bypassed) so this can't become a
+   * generic POST relay. Hostname is whitelisted, same as /upgrade.
+   *
+   * Calendar /digest responses are binary (the OpenTimestamps
+   * commitment subtree); we forward bytes verbatim.
+   */
+  // POST https://ordpool.space/api/v1/ordpool/ots/digest/alice.btc.calendar.opentimestamps.org
+  private async $proxyOtsDigest(req: Request, res: Response): Promise<void> {
+    const allowed = getOtsCalendarHosts();
+    const calendar = String(req.params.calendar || '').toLowerCase();
+    if (!allowed.has(calendar)) {
+      res.status(400).send('unknown calendar');
+      return;
+    }
+    const body = req.body;
+    if (!Buffer.isBuffer(body) || body.length === 0 || body.length > 256) {
+      res.status(400).send('invalid digest body');
+      return;
+    }
+    const abort = new AbortController();
+    const timeout = setTimeout(() => abort.abort(), 10_000);
+    try {
+      const upstream = await fetch(`https://${calendar}/digest`, {
+        method: 'POST',
+        // text/plain matches what the original direct-from-browser request
+        // used and keeps the upstream's "simple request" code path; no
+        // calendar validates Content-Type, they read the body verbatim.
+        headers: { 'Content-Type': 'text/plain' },
+        body,
+        signal: abort.signal,
+      });
+      if (upstream.status === 200) {
+        const out = Buffer.from(await upstream.arrayBuffer());
+        // The response is a pending OTS commitment subtree -- different
+        // every call, never cacheable.
+        res.setHeader('Cache-Control', 'no-store');
+        res.setHeader('Content-Type', 'application/vnd.opentimestamps.v1');
+        res.status(200).end(out);
+      } else {
+        res.setHeader('Cache-Control', 'no-store');
+        res.status(502).send(`upstream returned ${upstream.status}`);
+      }
+    } catch {
+      res.status(502).send('upstream error');
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+
   /**
    * Returns the URI list the frontend Stamp & Verify drop-zone fans out to.
    *
diff --git a/frontend/src/app/components/_ordpool/ots-stamp-verify/ots-stamp.component.ts b/frontend/src/app/components/_ordpool/ots-stamp-verify/ots-stamp.component.ts
@@ -15,6 +15,7 @@ import {
   hexEncode,
 } from './ots-store.service';
 import { OtsCalendarPickerService } from './ots-calendar-picker.service';
+import { environment } from 'src/environments/environment';
 
 /*
 Test cases:
@@ -190,11 +191,19 @@ export class OtsStampComponent {
   }
 
   private async postDigestToCalendar(uri: string, digest: Uint8Array): Promise<Uint8Array> {
-    // text/plain is a CORS-safelisted content type, so no preflight is sent.
-    // The OTS calendars don't validate Content-Type, they only read the body.
-    const resp = await fetch(uri + '/digest', {
+    // Privacy: we route /digest through the ordpool backend instead of
+    // hitting the calendar directly, so the calendar operator sees our
+    // backend's IP rather than the user's. The /upgrade poll is already
+    // proxied (CORS reason), and verify is fully local; this closes the
+    // last hop where the user's IP could leak.
+    const apiBase = environment.apiBaseUrl || '';
+    const calendarHost = (() => {
+      try { return new URL(uri).hostname; } catch { return ''; }
+    })();
+    const proxyUrl = `${apiBase}/api/v1/ordpool/ots/digest/${calendarHost}`;
+    const resp = await fetch(proxyUrl, {
       method: 'POST',
-      headers: { 'Content-Type': 'text/plain' },
+      headers: { 'Content-Type': 'application/octet-stream' },
       body: digest as BufferSource,
     });
     if (!resp.ok) throw new Error(uri + ' replied ' + resp.status);

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "passing": 343,`
	`2`	`+ "passing": 350,`
`3`	`3`	`"note": "Floor for .github/workflows/test-count-floor-backend.yml. Count of passing tests from the single jest config (node). Only an ordpool core maintainer is authorised to lower this number; every other change that reduces test count is treated as an accident and rejected. To raise the floor after legitimately adding tests, bump this value and commit. See also workspace CLAUDE.md, HARD RULE 'Never delete a passing test without explicit permission'."`
`4`	`4`	`}`