@bedrock/vc-delivery 6.4.1 → 6.6.0

package/lib/exchanges.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
 import * as database from '@bedrock/mongodb';
@@ -35,6 +35,8 @@ const LAST_ERROR_UPDATE_CONSTRAINTS = {
   updateTimeLimit: 1000
 };
 
+const MONGODB_ILLEGAL_KEY_CHAR_REGEX = /[%$.]/;
+
 bedrock.events.on('bedrock-mongodb.ready', async () => {
   await database.openCollections([COLLECTION_NAME]);
 
@@ -110,14 +112,14 @@ export async function insert({workflowId, exchange}) {
     // backwards compatibility: enable existing systems to find record
     localExchangerId: localWorkflowId,
     meta,
-    exchange
+    exchange: _encodeVariables({exchange})
   };
 
   // insert the exchange and get the updated record
   try {
     const collection = database.collections[COLLECTION_NAME];
-    const result = await collection.insertOne(record);
-    return result.ops[0];
+    await collection.insertOne(record);
+    return record;
   } catch(e) {
     if(!database.isDuplicateError(e)) {
       throw e;
@@ -199,6 +201,8 @@ export async function get({
     });
   }
 
+  record.exchange = _decodeVariables({exchange: record.exchange});
+
   // backwards compatibility; initialize `sequence`
   if(record.exchange.sequence === undefined) {
     const query = {
@@ -237,6 +241,9 @@ export async function update({workflowId, exchange, explain = false} = {}) {
   assert.object(exchange, 'exchange');
   const {id} = exchange;
 
+  // encode variable content for storage in mongoDB
+  exchange = _encodeVariables({exchange});
+
   // build update
   const update = _buildUpdate({exchange, complete: false});
 
@@ -566,13 +573,13 @@ function _buildUpdate({exchange, complete}) {
     $set: {'exchange.state': exchange.state, 'meta.updated': now},
     $unset: {}
   };
-  if(complete) {
-    // exchange complete, only update results
+  if(complete && typeof exchange.variables !== 'string') {
+    // exchange complete and variables not encoded, so only update results
     if(exchange.variables?.results) {
       update.$set['exchange.variables.results'] = exchange.variables.results;
     }
   } else {
-    // exchange not complete, update all variables
+    // exchange not complete or variables are encoded, so update all variables
     if(exchange.variables) {
       update.$set['exchange.variables'] = exchange.variables;
     }
@@ -600,6 +607,41 @@ function _buildUpdate({exchange, complete}) {
   return update;
 }
 
+function _encodeVariables({exchange}) {
+  // if any JSON object any variable uses a character that is not legal in
+  // a JSON key in mongoDB then stringify all the variables
+  if(_hasIllegalMongoDBKeyChar(exchange.variables)) {
+    return {...exchange, variables: JSON.stringify(exchange.variables)};
+  }
+  return exchange;
+}
+
+function _decodeVariables({exchange}) {
+  if(typeof exchange.variables === 'string') {
+    return {...exchange, variables: JSON.parse(exchange.variables)};
+  }
+  return exchange;
+}
+
+function _hasIllegalMongoDBKeyChar(value) {
+  if(Array.isArray(value)) {
+    for(const e of value) {
+      if(_hasIllegalMongoDBKeyChar(e)) {
+        return true;
+      }
+    }
+  } else if(value && typeof value === 'object') {
+    const keys = Object.keys(value);
+    for(const key of keys) {
+      if(MONGODB_ILLEGAL_KEY_CHAR_REGEX.test(key) ||
+        _hasIllegalMongoDBKeyChar(value[key])) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
 /**
  * An object containing information on the query plan.
  *

package/lib/helpers.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
 import * as vcjwt from './vcjwt.js';
@@ -18,6 +18,16 @@ const ALLOWED_ERROR_KEYS = [
   'status'
 ];
 
+const JWT_FORMAT_ALIASES = new Set([
+  'application/jwt',
+  'application/vc+jwt',
+  'application/vp+jwt',
+  'jwt_vp',
+  'jwt_vp_json',
+  'jwt_vc_json-ld',
+  'jwt_vc_json'
+]);
+
 export async function evaluateTemplate({
   workflow, exchange, typedTemplate, variables
 } = {}) {
@@ -243,7 +253,7 @@ function _getEnvelope({envelope, format}) {
   const isString = typeof envelope === 'string';
   if(isString) {
     // supported formats
-    if(format === 'application/jwt' || format === 'jwt_vc_json-ld') {
+    if(JWT_FORMAT_ALIASES.has(format)) {
       format = 'application/jwt';
     }
   } else {

package/lib/oid4/oid4vp.js

@@ -289,9 +289,20 @@ function _createClientMetaData() {
   // return default supported `vp_formats`
   return {
     vp_formats: {
+      // support both aliases `jwt_vp` and `jwt_vp_json`
       jwt_vp: {
         alg: ['EdDSA', 'Ed25519', 'ES256', 'ES384']
       },
+      jwt_vp_json: {
+        alg: ['EdDSA', 'Ed25519', 'ES256', 'ES384']
+      },
+      di_vp: {
+        proof_type: [
+          'ecdsa-rdfc-2019',
+          'eddsa-rdfc-2022',
+          'Ed25519Signature2020'
+        ]
+      },
       ldp_vp: {
         proof_type: [
           'ecdsa-rdfc-2019',
@@ -308,7 +319,7 @@ async function _parseAuthorizationResponse({req}) {
   const {vp_token, presentation_submission} = req.body;
 
   // JSON parse and validate `vp_token` and `presentation_submission`
-  let presentation = _jsonParse(vp_token, 'vp_token');
+  let presentation = _jsonParse(vp_token, 'vp_token', true);
   const presentationSubmission = _jsonParse(
     presentation_submission, 'presentation_submission');
   _validate(VALIDATORS.presentationSubmission, presentationSubmission);
@@ -319,8 +330,8 @@ async function _parseAuthorizationResponse({req}) {
       envelope: raw, presentation: contents, format
     } = await unenvelopePresentation({
       envelopedPresentation: presentation,
-      // FIXME: check presentationSubmission for VP format
-      format: 'jwt_vc_json-ld'
+      // FIXME: check `presentationSubmission` for VP format
+      format: 'application/jwt'
     });
     _validate(VALIDATORS.presentation, contents);
     presentation = {
@@ -336,10 +347,15 @@ async function _parseAuthorizationResponse({req}) {
   return {presentation, envelope, presentationSubmission};
 }
 
-function _jsonParse(x, name) {
+function _jsonParse(x, name, allowJWT = false) {
   try {
     return JSON.parse(x);
   } catch(cause) {
+    // presume the string is a non-JSON encoded JWT and let subsequent
+    // checking handle it (`ey` is base64url-encoded `{`)
+    if(allowJWT && x?.startsWith('ey')) {
+      return x;
+    }
     throw new BedrockError(`Could not parse "${name}".`, {
       name: 'DataError',
       details: {httpStatusCode: 400, public: true},

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "6.4.1",
+  "version": "6.6.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",

package/schemas/bedrock-vc-workflow.js

@@ -181,7 +181,7 @@ const expectedCredentialRequest = {
     credential_definition: credentialDefinition,
     format: {
       type: 'string',
-      enum: ['ldp_vc', 'jwt_vc_json-ld']
+      enum: ['di_vc', 'ldp_vc', 'jwt_vc_json-ld', 'jwt_vc_json']
     }
   }
 };
@@ -509,7 +509,7 @@ const openIdCredentialRequest = {
     credential_definition: credentialDefinition,
     format: {
       type: 'string',
-      enum: ['ldp_vc', 'jwt_vc_json-ld']
+      enum: ['di_vc', 'ldp_vc', 'jwt_vc_json-ld', 'jwt_vc_json']
     },
     did: {
       type: 'string'
@@ -631,7 +631,21 @@ export function openIdAuthorizationResponseBody() {
       presentation_submission: {
         type: 'string'
       },
-      // is a JSON string in the x-www-form-urlencoded body
+      // is a JSON-encoded string or object in the x-www-form-urlencoded body
+      /* Note: This can also be a simple base64url string for
+      backwards/forwards compatibility. While submitting VPs directly as
+      JSON objects has never changed in the OID4* specs, submitting VPs that
+      are wrapped in some envelope that is expressed as a string (e.g., a JWT)
+      has changed back and forth throughout the draft history. Sometimes these
+      vp_tokens are required to be JSON-encoded strings other times non-JSON
+      strings, i.e., no "extra/JSON quotes" around the string value inside the
+      x-www-form-urlencoded field value delimiting quotes. For example,
+      both of these:
+
+      `...&vp_token="non-string JSON"`
+      `...&vp_token="\"JSON string\""`
+
+      are accepted for these reasons. */
       vp_token: {
         type: 'string'
       },