From 1b45ec51c4a8ba900e1a7600821808fe1d07aca3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Ra=C4=8Dansk=C3=BD?=
 <lubos.racansky@wultra.com>
Date: Thu, 10 Aug 2023 06:58:00 +0200
Subject: [PATCH] Fix #805: Add timestamps to proximity anti-fraud check (#806)

* Fix #805: Add timestamps to proximity anti-fraud check
---
 .../controller/api/MobileTokenController.java | 11 ++++-
 mtoken-model/pom.xml                          |  5 +++
 .../request/OperationApproveRequest.java      | 41 ++++++++++++++++++-
 3 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/enrollment-server/src/main/java/com/wultra/app/enrollmentserver/controller/api/MobileTokenController.java b/enrollment-server/src/main/java/com/wultra/app/enrollmentserver/controller/api/MobileTokenController.java
index 518efff32..35358964a 100644
--- a/enrollment-server/src/main/java/com/wultra/app/enrollmentserver/controller/api/MobileTokenController.java
+++ b/enrollment-server/src/main/java/com/wultra/app/enrollmentserver/controller/api/MobileTokenController.java
@@ -205,7 +205,7 @@ public Response operationApprove(
                         .signatureFactors(signatureFactors)
                         .requestContext(requestContext)
                         .activationFlags(activationFlags)
-                        .proximityCheckOtp(requestObject.getProximityCheckOtp())
+                        .proximityCheckOtp(fetchProximityCheckOtp(requestObject))
                         .build();
 
                 return mobileTokenService.operationApprove(serviceRequest);
@@ -221,6 +221,15 @@ public Response operationApprove(
         }
     }
 
+    private static String fetchProximityCheckOtp(OperationApproveRequest requestObject) {
+        if (requestObject.getProximityCheck().isEmpty()) {
+            return null;
+        }
+        final var proximityCheck = requestObject.getProximityCheck().get();
+        logger.info("Operation ID: {} using proximity check OTP, timestampRequested: {}, timestampSigned: {}", requestObject.getId(), proximityCheck.getTimestampRequested(), proximityCheck.getTimestampSigned());
+        return proximityCheck.getOtp();
+    }
+
     /**
      * Operation reject.
      *
diff --git a/mtoken-model/pom.xml b/mtoken-model/pom.xml
index 6e2fa941b..7b11a3990 100644
--- a/mtoken-model/pom.xml
+++ b/mtoken-model/pom.xml
@@ -38,6 +38,11 @@
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-annotations</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>io.swagger.core.v3</groupId>
+            <artifactId>swagger-annotations-jakarta</artifactId>
+        </dependency>
     </dependencies>
 
 </project>
diff --git a/mtoken-model/src/main/java/com/wultra/security/powerauth/lib/mtoken/model/request/OperationApproveRequest.java b/mtoken-model/src/main/java/com/wultra/security/powerauth/lib/mtoken/model/request/OperationApproveRequest.java
index 699ac73d2..08a2c6868 100644
--- a/mtoken-model/src/main/java/com/wultra/security/powerauth/lib/mtoken/model/request/OperationApproveRequest.java
+++ b/mtoken-model/src/main/java/com/wultra/security/powerauth/lib/mtoken/model/request/OperationApproveRequest.java
@@ -18,9 +18,13 @@
 package com.wultra.security.powerauth.lib.mtoken.model.request;
 
 import com.wultra.security.powerauth.lib.mtoken.model.entity.PreApprovalScreen;
+import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.validation.constraints.NotNull;
 import lombok.Data;
 
+import java.time.Instant;
+import java.util.Optional;
+
 /**
  * Request for online token signature verification.
  *
@@ -35,7 +39,40 @@ public class OperationApproveRequest {
     private String data;
 
     /**
-     * Optional OTP used for proximity check. User is instructed by {@link PreApprovalScreen.ScreenType#QR_SCAN}.
+     * Optional proximity check data. User is instructed by {@link PreApprovalScreen.ScreenType#QR_SCAN}.
      */
-    private String proximityCheckOtp;
+    @Schema(description = "Optional proximity check data." )
+    private ProximityCheck proximityCheck;
+
+    public Optional<ProximityCheck> getProximityCheck() {
+        return Optional.ofNullable(proximityCheck);
+    }
+
+    @Data
+    public static class ProximityCheck {
+
+        @NotNull
+        @Schema(description = "OTP used for proximity check.")
+        private String otp;
+
+        @Schema(description = "Source from where the OTP has been gained.")
+        private Type type;
+
+        /**
+         * When OTP obtained by the client. An optional hint for possible better estimation of the time shift correction.
+         */
+        @Schema(description = "When OTP requested by the client. An optional hint for possible better estimation of the time shift correction.")
+        private Instant timestampRequested;
+
+        /**
+         * When OTP signed by the client. An optional hint for possible better estimation of the time shift correction.
+         */
+        @Schema(description = "When OTP signed by the client. An optional hint for possible better estimation of the time shift correction.")
+        private Instant timestampSigned;
+
+        public enum Type {
+            QR_CODE,
+            DEEPLINK
+        }
+    }
 }