@bedrock/vc-delivery 5.3.3 → 5.3.5

package/lib/helpers.js

@@ -110,6 +110,44 @@ export function decodeLocalId({localId} = {}) {
   }));
 }
 
+export function deepEqual(obj1, obj2) {
+  const isObject1 = obj1 && typeof obj1 === 'object';
+  const isObject2 = obj2 && typeof obj2 === 'object';
+  if(isObject1 !== isObject2) {
+    return false;
+  }
+  if(!isObject1) {
+    return obj1 === obj2;
+  }
+  const isArray1 = Array.isArray(obj1);
+  const isArray2 = Array.isArray(obj2);
+  if(isArray1 !== isArray2) {
+    return false;
+  }
+  if(isArray1) {
+    if(obj1.length !== obj2.length) {
+      return false;
+    }
+    for(const [i, e] of obj1.entries()) {
+      if(!deepEqual(e, obj2[i])) {
+        return false;
+      }
+    }
+    return true;
+  }
+  const keys1 = Object.keys(obj1);
+  const keys2 = Object.keys(obj2);
+  if(keys1.length !== keys2.length) {
+    return false;
+  }
+  for(const k of keys1) {
+    if(!deepEqual(obj1[k], obj2[k])) {
+      return false;
+    }
+  }
+  return true;
+}
+
 export function stripStacktrace(error) {
   // serialize error and allow-list specific properties
   const serialized = serializeError(error);

package/lib/oid4/http.js

@@ -62,8 +62,17 @@ export async function createRoutes({
     authorizationResponse: `${openIdRoute}/client/authorization/response`
   };
 
-  // urlencoded body parser (extended=true for rich JSON-like representation)
-  const urlencoded = bodyParser.urlencoded({extended: true});
+  // urlencoded body parser
+  const urlencodedSmall = bodyParser.urlencoded({
+    // (extended=true for rich JSON-like representation)
+    extended: true
+  });
+  const urlencodedLarge = bodyParser.urlencoded({
+    // (extended=true for rich JSON-like representation)
+    extended: true,
+    // allow larger payloads
+    limit: '10MB'
+  });
 
   /* Note: The well-known metadata paths for the OID4VCI spec have been
   specified in at least two different ways over time, including
@@ -142,7 +151,7 @@ export async function createRoutes({
   app.post(
     routes.token,
     cors(),
-    urlencoded,
+    urlencodedSmall,
     validate({bodySchema: openIdTokenBody}),
     getConfigMiddleware,
     getExchange,
@@ -316,7 +325,7 @@ export async function createRoutes({
   app.post(
     routes.authorizationResponse,
     cors(),
-    urlencoded,
+    urlencodedLarge,
     validate({bodySchema: openIdAuthorizationResponseBody()}),
     getConfigMiddleware,
     getExchange,

package/lib/oid4/oid4vci.js

@@ -4,7 +4,7 @@
 import * as bedrock from '@bedrock/core';
 import * as exchanges from '../exchanges.js';
 import {
-  evaluateTemplate, getWorkflowIssuerInstances
+  deepEqual, evaluateTemplate, getWorkflowIssuerInstances
 } from '../helpers.js';
 import {importJWK, SignJWT} from 'jose';
 import {checkAccessToken} from '@bedrock/oauth2-verifier';
@@ -372,9 +372,9 @@ function _getSupportedFormats({workflow}) {
 function _matchCredentialRequest(expected, cr) {
   const {credential_definition: {'@context': c1, type: t1}} = expected;
   const {credential_definition: {'@context': c2, type: t2}} = cr;
-  // contexts must match exact order but types can have different order
+  // contexts must match exactly but types can have different order
   return (c1.length === c2.length && t1.length === t2.length &&
-    c1.every((c, i) => c === c2[i]) && t1.every(t => t2.some(x => t === x)));
+    deepEqual(c1, c2) && t1.every(t => t2.some(x => t === x)));
 }
 
 function _normalizeCredentialDefinitionTypes({credentialRequests}) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "5.3.3",
+  "version": "5.3.5",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",