Selfie age verification!

Author: thenoname-gurl

.gitignore

@@ -77,4 +77,7 @@ tunnel/server/target/*
 tunnel/client/target/*
 
 # UI Agents skills
-.agents/*
+.agents/*
+
+# Age Verification Model
+/backend/model

README.md

@@ -124,6 +124,7 @@ I have included system files inside of /systemd folder that are used for https:/
 
 - The API routes are documented in `example.com/openapi` and should be used by the
   frontend code.
+- You might need to run `npm rebuild @tensorflow/tfjs-node --build-from-source` on backend to make selfie verification work!
 
 > You may view API routes without deploying at https://backend.ecli.app/openapi for production or https://backend.canary.ecli.app/openapi for canary.
 > Canary version of EcliPanel are offline during non developmet periods.

backend/bun.lock

@@ -46,6 +46,9 @@
     "redis": "latest",
     "reflect-metadata": "latest",
     "sharp": "^0.34.5",
+    "@canvas/image": "latest",
+    "@tensorflow/tfjs-node": "latest",
+    "@vladmandic/face-api": "latest",
     "speakeasy": "latest",
     "srvx": "latest",
     "ssh2": "^1.17.0",

backend/package.json

@@ -1153,10 +1153,13 @@ export async function authRoutes(app: any, prefix = '') {
     if (user) {
       user.portalType = 'educational';
       user.educationLimits = {
-        memory: eduPlan?.memory ?? 2048,
-        disk: eduPlan?.disk ?? 20480,
-        cpu: eduPlan?.cpu ?? 400,
-        serverLimit: eduPlan?.serverLimit ?? 2,
+        memory: eduPlan?.memory ?? 4096,
+        disk: eduPlan?.disk ?? 51200,
+        cpu: eduPlan?.cpu ?? 600,
+        serverLimit: eduPlan?.serverLimit ?? 3,
+        portCount: eduPlan?.portCount ?? 3,
+        emailSendDailyLimit: eduPlan?.emailSendDailyLimit ?? 10,
+        emailSendQueueLimit: eduPlan?.emailSendQueueLimit ?? 10,
       };
       user.limits = user.educationLimits ? { ...user.educationLimits } : null;
       ctx.log.info({ eduPlan: eduPlan?.id ?? null, limits: user.limits }, 'Applying educational plan limits to user');
@@ -1285,10 +1288,13 @@ export async function authRoutes(app: any, prefix = '') {
       user.studentVerifiedAt = new Date();
 
       const defaultEduLimits = {
-        memory: eduPlan?.memory ?? 2048,
-        disk: eduPlan?.disk ?? 20480,
-        cpu: eduPlan?.cpu ?? 400,
-        serverLimit: eduPlan?.serverLimit ?? 2,
+        memory: eduPlan?.memory ?? 4096,
+        disk: eduPlan?.disk ?? 51200,
+        cpu: eduPlan?.cpu ?? 600,
+        serverLimit: eduPlan?.serverLimit ?? 3,
+        portCount: eduPlan?.portCount ?? 3,
+        emailSendDailyLimit: eduPlan?.emailSendDailyLimit ?? 10,
+        emailSendQueueLimit: eduPlan?.emailSendQueueLimit ?? 10,
       };
 
       const existingLimits = user.educationLimits || {};
@@ -1299,6 +1305,9 @@ export async function authRoutes(app: any, prefix = '') {
         disk: Math.max(existingLimits.disk || 0, currentBaseLimits.disk || 0, defaultEduLimits.disk),
         cpu: Math.max(existingLimits.cpu || 0, currentBaseLimits.cpu || 0, defaultEduLimits.cpu),
         serverLimit: Math.max(existingLimits.serverLimit || 0, currentBaseLimits.serverLimit || 0, defaultEduLimits.serverLimit),
+        portCount: Math.max(existingLimits.portCount || 0, currentBaseLimits.portCount || 0, defaultEduLimits.portCount),
+        emailSendDailyLimit: Math.max(existingLimits.emailSendDailyLimit || 0, currentBaseLimits.emailSendDailyLimit || 0, defaultEduLimits.emailSendDailyLimit),
+        emailSendQueueLimit: Math.max(existingLimits.emailSendQueueLimit || 0, currentBaseLimits.emailSendQueueLimit || 0, defaultEduLimits.emailSendQueueLimit),
       };
 
       if (!keepExistingPaidTier) {

backend/pnpm-lock.yaml

@@ -3,9 +3,10 @@ import { IDVerification } from '../models/idVerification.entity';
 import { authenticate } from '../middleware/auth';
 import { hasPermissionSync } from '../middleware/authorize';
 import { User } from '../models/user.entity';
-import { canPerformIdVerification } from '../utils/eu';
+import { canPerformIdVerification, getMinimumAgeForCountry } from '../utils/eu';
 import { encryptBuffer } from '../utils/crypto';
 import { encryptBufferWithWorker } from '../workers/cryptoWorker';
+import { estimateAgeFromSelfie } from '../services/faceApiService';
 import path from 'path';
 import fs from 'fs';
 import { pipeline } from 'stream/promises';
@@ -85,6 +86,123 @@ export async function idVerificationRoutes(app: any, prefix = '') {
     detail: { summary: 'Submit ID verification', description: 'User submits scanned ID and selfie for manual review.', tags: ['Identity'] }
   });
 
+  app.post(prefix + '/id-verification/age-selfie', async (ctx: any) => {
+    const user = ctx.user as User;
+    if (!user) {
+      ctx.set.status = 401;
+      return { error: 'Unauthorized' };
+    }
+
+    const body = (ctx.body || {}) as any;
+    const selfie = Array.isArray(body.selfie) ? body.selfie[0] : body.selfie;
+    if (!selfie) {
+      ctx.set.status = 400;
+      return { error: 'selfie_required', message: 'A selfie image is required for age verification.' };
+    }
+
+    const settings = user.settings && typeof user.settings === 'object' ? { ...user.settings } : {};
+    const attempts = Number(settings.ageVerificationSelfieAttempts ?? 0);
+    if (attempts >= 3) {
+      ctx.set.status = 403;
+      return { error: 'selfie_attempts_exceeded', message: 'Maximum selfie verification attempts reached.' };
+    }
+
+    const dateOfBirth = body.dateOfBirth ? new Date(String(body.dateOfBirth)) : user.dateOfBirth ? new Date(String(user.dateOfBirth)) : null;
+    if (!dateOfBirth || isNaN(dateOfBirth.getTime())) {
+      ctx.set.status = 400;
+      return { error: 'date_of_birth_required', message: 'Your date of birth is required for selfie age verification.' };
+    }
+    const age = ((): number | null => {
+      const now = new Date();
+      let calculated = now.getUTCFullYear() - dateOfBirth.getUTCFullYear();
+      const monthDiff = now.getUTCMonth() - dateOfBirth.getUTCMonth();
+      const dayDiff = now.getUTCDate() - dateOfBirth.getUTCDate();
+      if (monthDiff < 0 || (monthDiff === 0 && dayDiff < 0)) calculated -= 1;
+      return Number.isFinite(calculated) ? calculated : null;
+    })();
+    if (age === null) {
+      ctx.set.status = 400;
+      return { error: 'invalid_date_of_birth', message: 'dateOfBirth must be a valid date string in YYYY-MM-DD format.' };
+    }
+
+    try {
+      const data = await selfie.arrayBuffer();
+      const buffer = Buffer.from(data);
+      const predictedAge = await estimateAgeFromSelfie(buffer);
+      if (predictedAge === null) {
+        ctx.set.status = 400;
+        return { error: 'no_face_detected', message: 'Could not detect a face in the selfie. Please try again.' };
+      }
+
+      const effectiveCountry = typeof body.billingCountry === 'string' ? body.billingCountry : user.billingCountry;
+      const minimumAge = await getMinimumAgeForCountry(effectiveCountry);
+      if (age < minimumAge) {
+        await AppDataSource.getRepository(User).save({
+          id: user.id,
+          suspended: true,
+          fraudFlag: true,
+          fraudReason: `Underage account (<${minimumAge} years)`,
+          fraudDetectedAt: new Date(),
+        });
+        ctx.set.status = 400;
+        return { error: 'minimum_age', message: `Users must be at least ${minimumAge} years old.` };
+      }
+
+      const maxDelta = 11;
+      const difference = Math.abs(predictedAge - age);
+      const remaining = Math.max(0, 3 - attempts - 1);
+
+      if (difference > maxDelta) {
+        settings.ageVerificationSelfieAttempts = attempts + 1;
+        settings.ageVerificationSelfieLastAttemptAt = new Date().toISOString();
+        await AppDataSource.getRepository(User).save({ id: user.id, settings });
+
+        ctx.set.status = 400;
+        return {
+          error: 'age_mismatch',
+          message: `Estimated age ${predictedAge.toFixed(1)} does not match your DOB age ${age}. Please ensure your face is clearly visible in the selfie and try again.`,
+          attempts: settings.ageVerificationSelfieAttempts,
+          remaining,
+        };
+      }
+
+      settings.ageVerificationSelfieAttempts = 0;
+      settings.ageVerificationSelfieVerifiedAt = new Date().toISOString();
+
+      const update: any = { id: user.id, settings };
+      if (!user.dateOfBirth) {
+        update.dateOfBirth = dateOfBirth;
+      }
+      await AppDataSource.getRepository(User).save(update);
+
+      return {
+        success: true,
+        age: predictedAge,
+        difference,
+        maxError: maxDelta,
+        attempts: 0,
+        remaining: 3,
+      };
+    } catch (err: any) {
+      ctx.log.error({ err: err?.message || err }, 'Selfie age verification failed');
+      ctx.set.status = 500;
+      return {
+        error: 'age_verification_failed',
+        message: 'Failed to estimate age from the selfie. Please try again later.',
+        details: String(err?.message || err || 'unknown error'),
+      };
+    }
+  }, { beforeHandle: authenticate,
+    body: t.Any(),
+    response: {
+      200: t.Object({ success: t.Boolean(), age: t.Number(), difference: t.Number(), maxError: t.Number(), attempts: t.Number(), remaining: t.Number() }),
+      400: t.Object({ error: t.String(), message: t.String(), details: t.Optional(t.String()) }),
+      401: t.Object({ error: t.String() }),
+      403: t.Object({ error: t.String(), message: t.Optional(t.String()) }),
+    },
+    detail: { summary: 'Verify age from selfie', description: 'Estimate a user age from selfie data and compare against the provided date of birth.', tags: ['Identity'] }
+  });
+
   app.get(prefix + '/id-verification/:id', async (ctx: any) => {
     const userId = Number(ctx.params['id']);
     const requester = ctx.user;

backend/src/handlers/authHandler.ts

@@ -138,6 +138,9 @@ export async function planRoutes(app: any, prefix = '') {
     if (plan.serverLimit != null) planLimits.serverLimit = Number(plan.serverLimit);
     if (plan.databases != null) planLimits.databases = Number(plan.databases);
     if (plan.backups != null) planLimits.backups = Number(plan.backups);
+    if (plan.emailSendDailyLimit != null) planLimits.emailSendDailyLimit = Number(plan.emailSendDailyLimit);
+    if (plan.emailSendQueueLimit != null) planLimits.emailSendQueueLimit = Number(plan.emailSendQueueLimit);
+    if (plan.portCount != null) planLimits.portCount = Number(plan.portCount);
 
     const isCustomLimits = (userLimits: Record<string, any> | null | undefined, planLimits: Record<string, number>) => {
       if (!userLimits || Object.keys(userLimits).length === 0) return false;

backend/src/handlers/idVerificationHandler.ts

@@ -2120,9 +2120,10 @@ export async function userRoutes(app: any, prefix = '') {
     }
 
     if ('dateOfBirth' in payload) {
-      if (user.idVerified && !isAdmin && requester.id === user.id) {
+      const hasVerifiedDob = Boolean(user.idVerified || user.settings?.ageVerificationSelfieVerifiedAt);
+      if (hasVerifiedDob && !isAdmin && requester.id === user.id) {
         ctx.set.status = 403;
-        return { error: 'date_of_birth_locked', message: 'Date of birth is locked after identity verification and can only be updated by an administrator.' };
+        return { error: 'date_of_birth_locked', message: 'Date of birth is locked after identity or selfie verification and can only be updated by an administrator.' };
       }
       const dateOfBirth = parseDateOfBirth(payload.dateOfBirth);
       if (!dateOfBirth) {

backend/src/handlers/planHandler.ts

@@ -0,0 +1,95 @@
+import fs from 'fs'
+import path from 'path'
+
+let initialized = false
+let faceapi: any = null
+let tf: any = null
+let imageLib: any = null
+
+const MODEL_PATH = process.env.FACE_API_MODEL_PATH
+  ? String(process.env.FACE_API_MODEL_PATH)
+  : path.join(process.cwd(), 'model')
+const MODEL_BASE_URL = process.env.FACE_API_MODEL_BASE_URL || 'https://raw.githubusercontent.com/vladmandic/face-api/master/model'
+const REQUIRED_MODEL_FILES = [
+  'ssd_mobilenetv1_model-weights_manifest.json',
+  'ssd_mobilenetv1_model.bin',
+  'age_gender_model-weights_manifest.json',
+  'age_gender_model.bin',
+  'face_landmark_68_model-weights_manifest.json',
+  'face_landmark_68_model.bin',
+]
+
+async function downloadFile(filename: string): Promise<void> {
+  const url = `${MODEL_BASE_URL}/${filename}`
+  const response = await fetch(url)
+  if (!response.ok) {
+    throw new Error(`Failed to download FaceAPI model file ${filename}: ${response.status} ${response.statusText}`)
+  }
+  const data = Buffer.from(await response.arrayBuffer())
+  fs.writeFileSync(path.join(MODEL_PATH, filename), data)
+}
+
+async function ensureModelFiles(): Promise<void> {
+  if (!fs.existsSync(MODEL_PATH)) {
+    fs.mkdirSync(MODEL_PATH, { recursive: true })
+  }
+
+  for (const filename of REQUIRED_MODEL_FILES) {
+    const filePath = path.join(MODEL_PATH, filename)
+    if (!fs.existsSync(filePath)) {
+      await downloadFile(filename)
+    }
+  }
+}
+
+async function initFaceApi(): Promise<void> {
+  if (initialized) return
+
+  // @ts-ignore
+  const tfModule = await import('@tensorflow/tfjs-node')
+  // @ts-ignore
+  const faceApiModule = await import('@vladmandic/face-api')
+  // @ts-ignore
+  const imageModule = await import('@canvas/image')
+
+  tf = tfModule?.default || tfModule
+  faceapi = faceApiModule?.default || faceApiModule
+  imageLib = imageModule?.default || imageModule
+  if (!faceapi.tf) {
+    faceapi.tf = tf
+  }
+
+  await ensureModelFiles()
+
+  await faceapi.nets.ssdMobilenetv1.loadFromDisk(MODEL_PATH)
+  await faceapi.nets.ageGenderNet.loadFromDisk(MODEL_PATH)
+  await faceapi.nets.faceLandmark68Net.loadFromDisk(MODEL_PATH)
+
+  initialized = true
+}
+
+export async function estimateAgeFromSelfie(buffer: Buffer): Promise<number | null> {
+  await initFaceApi()
+
+  const canvas = await imageLib.imageFromBuffer(buffer)
+  const imageData = imageLib.getImageData(canvas)
+
+  const tensor = tf.tidy(() => {
+    const rgba = tf.tensor(Array.from(imageData?.data || []), [canvas.height, canvas.width, 4], 'int32')
+    const channels = tf.split(rgba, 4, 2)
+    const rgb = tf.stack([channels[0], channels[1], channels[2]], 2)
+    const reshape = tf.reshape(rgb, [1, canvas.height, canvas.width, 3])
+    return reshape
+  })
+
+  try {
+    const options = new faceapi.SsdMobilenetv1Options({ minConfidence: 0.3, maxResults: 1 })
+    const result = await faceapi.detectSingleFace(tensor, options).withFaceLandmarks().withAgeAndGender()
+    if (!result || typeof result.age !== 'number') {
+      return null
+    }
+    return Number(result.age)
+  } finally {
+    tensor.dispose()
+  }
+}