@bedrock/vc-delivery 5.1.0 → 5.3.0

package/lib/vcapi.js

@@ -90,179 +90,209 @@ export async function createExchange({workflow, exchange}) {
   return exchange;
 }
 
-export async function processExchange({req, res, workflow, exchange}) {
-  // get any `verifiablePresentation` from the body...
-  let receivedPresentation = req?.body?.verifiablePresentation;
+export async function processExchange({req, res, workflow, exchangeRecord}) {
+  const {exchange, meta} = exchangeRecord;
+  let {updated: lastUpdated} = meta;
+  try {
+    // get any `verifiablePresentation` from the body...
+    let receivedPresentation = req?.body?.verifiablePresentation;
 
-  // process exchange step(s)
-  let i = 0;
-  let currentStep = exchange.step;
-  let step;
-  while(true) {
-    if(i++ > MAXIMUM_STEPS) {
-      throw new BedrockError('Maximum steps exceeded.', {
-        name: 'DataError',
-        details: {httpStatusCode: 500, public: true}
-      });
-    }
+    // process exchange step(s)
+    let i = 0;
+    let currentStep = exchange.step;
+    let step;
+    while(true) {
+      if(i++ > MAXIMUM_STEPS) {
+        throw new BedrockError('Maximum steps exceeded.', {
+          name: 'DataError',
+          details: {httpStatusCode: 500, public: true}
+        });
+      }
 
-    // no step present, break out to complete exchange
-    if(!currentStep) {
-      break;
-    }
+      // no step present, break out to complete exchange
+      if(!currentStep) {
+        break;
+      }
+
+      // get current step details
+      step = workflow.steps[currentStep];
+      if(step.stepTemplate) {
+        // generate step from the template; assume the template type is
+        // `jsonata` per the JSON schema
+        step = await evaluateTemplate(
+          {workflow, exchange, typedTemplate: step.stepTemplate});
+        if(Object.keys(step).length === 0) {
+          throw new BedrockError('Empty step detected.', {
+            name: 'DataError',
+            details: {httpStatusCode: 500, public: true}
+          });
+        }
+      }
 
-    // get current step details
-    step = workflow.steps[currentStep];
-    if(step.stepTemplate) {
-      // generate step from the template; assume the template type is
-      // `jsonata` per the JSON schema
-      step = await evaluateTemplate(
-        {workflow, exchange, typedTemplate: step.stepTemplate});
-      if(Object.keys(step).length === 0) {
-        throw new BedrockError('Empty step detected.', {
+      // if next step is the same as the current step, throw an error
+      if(step.nextStep === currentStep) {
+        throw new BedrockError('Cyclical step detected.', {
           name: 'DataError',
           details: {httpStatusCode: 500, public: true}
         });
       }
-    }
 
-    // if next step is the same as the current step, throw an error
-    if(step.nextStep === currentStep) {
-      throw new BedrockError('Cyclical step detected.', {
-        name: 'DataError',
-        details: {httpStatusCode: 500, public: true}
-      });
-    }
+      // handle VPR: if step requires it, then `verifiablePresentation` must
+      // be in the request
+      if(step.verifiablePresentationRequest) {
+        const {createChallenge} = step;
+        const isInitialStep = exchange.step === workflow.initialStep;
 
-    // handle VPR: if step requires it, then `verifiablePresentation` must
-    // be in the request
-    if(step.verifiablePresentationRequest) {
-      const {createChallenge} = step;
-      const isInitialStep = exchange.step === workflow.initialStep;
+        // if no presentation was received in the body...
+        if(!receivedPresentation) {
+          const verifiablePresentationRequest = klona(
+            step.verifiablePresentationRequest);
+          if(createChallenge) {
+            /* Note: When creating a challenge, the initial step always
+            uses the local exchange ID because the initial step itself
+            is one-time use. Subsequent steps, which only VC-API (as opposed
+            to other protocols) supports creating additional challenges via
+            the VC-API verifier API. */
+            let challenge;
+            if(isInitialStep) {
+              challenge = exchange.id;
+            } else {
+              // generate a new challenge using verifier API
+              ({challenge} = await _createChallenge({workflow}));
+            }
+            verifiablePresentationRequest.challenge = challenge;
+          }
+          // send VPR and return
+          res.json({verifiablePresentationRequest});
+          // if exchange is pending, mark it as active out-of-band
+          if(exchange.state === 'pending') {
+            exchange.state = 'active';
+            exchange.sequence++;
+            exchanges.update({workflowId: workflow.id, exchange}).catch(
+              error => logger.error(
+                'Could not mark exchange active: ' + error.message, {error}));
+          }
+          return;
+        }
 
-      // if no presentation was received in the body...
-      if(!receivedPresentation) {
-        const verifiablePresentationRequest = klona(
-          step.verifiablePresentationRequest);
-        if(createChallenge) {
-          /* Note: When creating a challenge, the initial step always
-          uses the local exchange ID because the initial step itself
-          is one-time use. Subsequent steps, which only VC-API (as opposed
-          to other protocols) supports creating additional challenges via
-          the VC-API verifier API. */
-          let challenge;
-          if(isInitialStep) {
-            challenge = exchange.id;
+        const {presentationSchema} = step;
+        if(presentationSchema) {
+          // if the VP is enveloped, get the presentation from the envelope
+          let presentation;
+          if(receivedPresentation?.type === 'EnvelopedVerifiablePresentation') {
+            ({presentation} = await unenvelopePresentation({
+              envelopedPresentation: receivedPresentation
+            }));
           } else {
-            // generate a new challenge using verifier API
-            ({challenge} = await _createChallenge({workflow}));
+            presentation = receivedPresentation;
           }
-          verifiablePresentationRequest.challenge = challenge;
-        }
-        // send VPR and return
-        res.json({verifiablePresentationRequest});
-        // if exchange is pending, mark it as active out-of-band
-        if(exchange.state === 'pending') {
-          exchange.state = 'active';
-          exchange.sequence++;
-          exchanges.update({workflowId: workflow.id, exchange}).catch(
-            error => logger.error(
-              'Could not mark exchange active: ' + error.message, {error}));
-        }
-        return;
-      }
 
-      const {presentationSchema} = step;
-      if(presentationSchema) {
-        // if the VP is enveloped, get the presentation from the envelope
-        let presentation;
-        if(receivedPresentation?.type === 'EnvelopedVerifiablePresentation') {
-          ({presentation} = await unenvelopePresentation({
-            envelopedPresentation: receivedPresentation
-          }));
-        } else {
-          presentation = receivedPresentation;
+          // validate the received VP
+          const {jsonSchema: schema} = presentationSchema;
+          const validate = compile({schema});
+          const {valid, error} = validate(presentation);
+          if(!valid) {
+            throw error;
+          }
         }
 
-        // validate the received VP
-        const {jsonSchema: schema} = presentationSchema;
-        const validate = compile({schema});
-        const {valid, error} = validate(presentation);
-        if(!valid) {
-          throw error;
+        // verify the received VP
+        const expectedChallenge = isInitialStep ? exchange.id : undefined;
+        const {allowUnprotectedPresentation = false} = step;
+        const {verificationMethod} = await verify({
+          workflow,
+          verifiablePresentationRequest: step.verifiablePresentationRequest,
+          presentation: receivedPresentation,
+          allowUnprotectedPresentation,
+          expectedChallenge
+        });
+
+        // store VP results in variables associated with current step
+        if(!exchange.variables.results) {
+          exchange.variables.results = {};
         }
-      }
+        exchange.variables.results[currentStep] = {
+          // common use case of DID Authentication; provide `did` for ease
+          // of use in templates and consistency with OID4VCI which only
+          // receives `did` not verification method nor VP
+          did: verificationMethod?.controller || null,
+          verificationMethod,
+          verifiablePresentation: receivedPresentation
+        };
 
-      // verify the received VP
-      const expectedChallenge = isInitialStep ? exchange.id : undefined;
-      const {allowUnprotectedPresentation = false} = step;
-      const {verificationMethod} = await verify({
-        workflow,
-        verifiablePresentationRequest: step.verifiablePresentationRequest,
-        presentation: receivedPresentation,
-        allowUnprotectedPresentation,
-        expectedChallenge
-      });
+        // clear received presentation as it has been processed
+        receivedPresentation = null;
 
-      // store VP results in variables associated with current step
-      if(!exchange.variables.results) {
-        exchange.variables.results = {};
-      }
-      exchange.variables.results[currentStep] = {
-        // common use case of DID Authentication; provide `did` for ease
-        // of use in templates and consistency with OID4VCI which only
-        // receives `did` not verification method nor VP
-        did: verificationMethod?.controller || null,
-        verificationMethod,
-        verifiablePresentation: receivedPresentation
-      };
+        // if there is no next step, break out to complete exchange
+        if(!step.nextStep) {
+          break;
+        }
 
-      // clear received presentation as it has been processed
-      receivedPresentation = null;
+        // update the exchange to go to the next step, then loop to send
+        // next VPR
+        currentStep = exchange.step = step.nextStep;
+        // ensure exchange state is active
+        if(exchange.state === 'pending') {
+          exchange.state = 'active';
+        }
+        try {
+          exchange.sequence++;
+          await exchanges.update({workflowId: workflow.id, exchange});
+          lastUpdated = Date.now();
+        } catch(e) {
+          exchange.sequence--;
+          throw e;
+        }
 
-      // if there is no next step, break out to complete exchange
-      if(!step.nextStep) {
-        break;
+        // FIXME: there may be VCs to issue during this step, do so before
+        // sending the VPR above
+      } else if(step.nextStep) {
+        // next steps without VPRs are prohibited
+        throw new BedrockError(
+          'Invalid step detected; continuing exchanges must include VPRs.', {
+            name: 'DataError',
+            details: {httpStatusCode: 500, public: true}
+          });
       }
+    }
 
-      // update the exchange to go to the next step, then loop to send
-      // next VPR
-      currentStep = exchange.step = step.nextStep;
-      // ensure exchange state is active
-      if(exchange.state === 'pending') {
-        exchange.state = 'active';
-      }
+    // mark exchange complete
+    exchange.state = 'complete';
+    try {
       exchange.sequence++;
-      await exchanges.update({workflowId: workflow.id, exchange});
-
-      // FIXME: there may be VCs to issue during this step, do so before
-      // sending the VPR above
-    } else if(step.nextStep) {
-      // next steps without VPRs are prohibited
-      throw new BedrockError(
-        'Invalid step detected; continuing exchanges must include VPRs.', {
-          name: 'DataError',
-          details: {httpStatusCode: 500, public: true}
-        });
+      await exchanges.complete({workflowId: workflow.id, exchange});
+    } catch(e) {
+      exchange.sequence--;
+      throw e;
     }
-  }
+    lastUpdated = Date.now();
 
-  // mark exchange complete
-  exchange.sequence++;
-  await exchanges.complete({workflowId: workflow.id, exchange});
+    // FIXME: decide what the best recovery path is if delivery fails (but no
+    // replay attack detected) after exchange has been marked complete
 
-  // FIXME: decide what the best recovery path is if delivery fails (but no
-  // replay attack detected) after exchange has been marked complete
+    // issue any VCs; may return an empty response if the step defines no
+    // VCs to issue
+    const {response} = await issue({workflow, exchange});
 
-  // issue any VCs; may return an empty response if the step defines no
-  // VCs to issue
-  const {response} = await issue({workflow, exchange});
+    // if last `step` has a redirect URL, include it in the response
+    if(step?.redirectUrl) {
+      response.redirectUrl = step.redirectUrl;
+    }
 
-  // if last `step` has a redirect URL, include it in the response
-  if(step?.redirectUrl) {
-    response.redirectUrl = step.redirectUrl;
+    // send response
+    res.json(response);
+  } catch(e) {
+    if(e.name === 'InvalidStateError') {
+      throw e;
+    }
+    // write last error if exchange hasn't been frequently updated
+    const {id: workflowId} = workflow;
+    const copy = {...exchange};
+    copy.sequence++;
+    copy.lastError = e;
+    exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
+      .catch(error => logger.error(
+        'Could not set last exchange error: ' + error.message, {error}));
+    throw e;
   }
-
-  // send response
-  res.json(response);
 }

package/lib/verify.js

@@ -4,9 +4,9 @@
 import * as bedrock from '@bedrock/core';
 import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
 import * as Ed25519Multikey from '@digitalbazaar/ed25519-multikey';
+import {getZcapClient, stripStacktrace} from './helpers.js';
 import {importJWK, jwtVerify} from 'jose';
 import {didIo} from '@bedrock/did-io';
-import {getZcapClient} from './helpers.js';
 
 const {util: {BedrockError}} = bedrock;
 
@@ -77,17 +77,17 @@ export async function verify({
     if(credentialResults) {
       credentialResults.forEach(result => {
         if(result.error) {
-          result.error = _stripStacktrace(result.error);
+          result.error = stripStacktrace(result.error);
         }
       });
     }
     if(presentationResult.error) {
-      presentationResult.error = _stripStacktrace(presentationResult.error);
+      presentationResult.error = stripStacktrace(presentationResult.error);
     }
 
     // generate useful error to return to client
     const {name, errors, message} = cause.data.error;
-    const causeError = _stripStacktrace({...cause.data.error});
+    const causeError = stripStacktrace({...cause.data.error});
     delete causeError.errors;
     const error = new BedrockError(message ?? 'Verification error.', {
       name: (name === 'VerificationError' || name === 'DataError') ?
@@ -102,7 +102,7 @@ export async function verify({
       }
     });
     if(Array.isArray(errors)) {
-      error.details.errors = errors.map(_stripStacktrace);
+      error.details.errors = errors.map(stripStacktrace);
     }
     throw error;
   }
@@ -251,15 +251,3 @@ export async function verifyDidProofJwt({workflow, exchange, jwt} = {}) {
 
   return {verified: true, did: issuer, verifyResult};
 }
-
-function _stripStacktrace(error) {
-  error = {...error};
-  delete error.stack;
-  if(error.errors) {
-    error.errors = error.errors.map(_stripStacktrace);
-  }
-  if(error.cause) {
-    error.cause = _stripStacktrace(error.cause);
-  }
-  return error;
-}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "5.1.0",
+  "version": "5.3.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -47,7 +47,8 @@
     "cors": "^2.8.5",
     "jose": "^5.6.3",
     "jsonata": "^2.0.5",
-    "klona": "^2.0.6"
+    "klona": "^2.0.6",
+    "serialize-error": "^11.0.3"
   },
   "peerDependencies": {
     "@bedrock/app-identity": "4.0.0",