@bedrock/vc-delivery 7.1.1 → 7.3.0

package/lib/helpers.js

@@ -5,8 +5,10 @@ import * as bedrock from '@bedrock/core';
 import * as vcjwt from './vcjwt.js';
 import {decodeId, generateId} from 'bnid';
 import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
+import {httpClient} from '@digitalbazaar/http-client';
 import {httpsAgent} from '@bedrock/https-agent';
 import jsonata from 'jsonata';
+import {logger} from './logger.js';
 import {serializeError} from 'serialize-error';
 import {serviceAgents} from '@bedrock/service-agent';
 import {ZcapClient} from '@digitalbazaar/ezcap';
@@ -53,6 +55,27 @@ export function buildPresentationFromResults({
   return vp;
 }
 
+export function emitExchangeUpdated({workflow, exchange, step}) {
+  if(!step?.callback?.url) {
+    // no-op when there is no callback to notify
+    return;
+  }
+
+  const {url} = step.callback;
+  const exchangeId = `${workflow.id}/exchanges/${exchange.id}`;
+  httpClient.post(url, {
+    agent: httpsAgent,
+    json: {
+      event: {
+        data: {exchangeId}
+      }
+    }
+  }).catch(
+    error => logger.error(
+      'Could not send "exchangeUpdated" push notification: ' +
+      error.message, {error}));
+}
+
 export async function evaluateTemplate({
   workflow, exchange, typedTemplate, variables
 } = {}) {
@@ -188,6 +211,36 @@ export function deepEqual(obj1, obj2) {
   return true;
 }
 
+export function createVerifyOptions({
+  verifyPresentationOptions,
+  expectedChallenge,
+  verifiablePresentationRequest,
+  presentation,
+  domain,
+  checks
+}) {
+  // start with `verifyPresentationOptions`, then overwrite as needed
+  const options = {...verifyPresentationOptions};
+
+  // update `checks` with anything additional from `verifyPresentationOptions`
+  const checkSet = new Set(checks);
+  if(verifyPresentationOptions.checks) {
+    Object.entries(verifyPresentationOptions.checks)
+      .forEach(([check, enabled]) => enabled && checkSet.add(check));
+  }
+  options.checks = [...checkSet];
+
+  // update `challenge`
+  options.challenge = expectedChallenge ??
+    verifiablePresentationRequest.challenge ??
+    presentation?.proof?.challenge;
+
+  // update `domain`
+  options.domain = domain;
+
+  return options;
+}
+
 export function stripStacktrace(error) {
   // serialize error and allow-list specific properties
   const serialized = serializeError(error);

package/lib/oid4/oid4vci.js

@@ -1,10 +1,11 @@
 /*!
- * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
 import * as exchanges from '../exchanges.js';
 import {
-  deepEqual, evaluateTemplate, getWorkflowIssuerInstances, validateStep
+  deepEqual, emitExchangeUpdated,
+  evaluateTemplate, getWorkflowIssuerInstances, validateStep
 } from '../helpers.js';
 import {importJWK, SignJWT} from 'jose';
 import {checkAccessToken} from '@bedrock/oauth2-verifier';
@@ -397,6 +398,7 @@ function _normalizeCredentialDefinitionTypes({credentialRequests}) {
 async function _processExchange({
   req, res, workflow, exchangeRecord, isBatchRequest
 }) {
+  let step;
   const {id: workflowId} = workflow;
   const {exchange, meta} = exchangeRecord;
   let {updated: lastUpdated} = meta;
@@ -428,7 +430,6 @@ async function _processExchange({
     });
 
     // process exchange step if present
-    let step;
     const currentStep = exchange.step;
     if(currentStep) {
       step = workflow.steps[exchange.step];
@@ -494,6 +495,7 @@ async function _processExchange({
     try {
       exchange.sequence++;
       await exchanges.complete({workflowId, exchange});
+      emitExchangeUpdated({workflow, exchange, step});
       lastUpdated = Date.now();
     } catch(e) {
       exchange.sequence--;
@@ -516,6 +518,7 @@ async function _processExchange({
     exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
       .catch(error => logger.error(
         'Could not set last exchange error: ' + error.message, {error}));
+    emitExchangeUpdated({workflow, exchange, step});
     throw e;
   }
 }

package/lib/oid4/oid4vp.js

@@ -4,7 +4,8 @@
 import * as bedrock from '@bedrock/core';
 import * as exchanges from '../exchanges.js';
 import {
-  buildPresentationFromResults, evaluateTemplate, unenvelopePresentation,
+  buildPresentationFromResults, emitExchangeUpdated,
+  evaluateTemplate, unenvelopePresentation,
   validateStep
 } from '../helpers.js';
 import {
@@ -141,6 +142,7 @@ export async function getAuthorizationRequest({req}) {
       try {
         exchange.sequence++;
         await exchanges.update({workflowId: workflow.id, exchange});
+        emitExchangeUpdated({workflow, exchange, step});
       } catch(e) {
         exchange.sequence--;
         if(e.name !== 'InvalidStateError') {
@@ -168,11 +170,12 @@ export async function processAuthorizationResponse({req}) {
   const exchangeRecord = await req.getExchange();
   let {exchange} = exchangeRecord;
   let {meta: {updated: lastUpdated}} = exchangeRecord;
+  let step;
   try {
     // get authorization request and updated exchange associated with exchange
     const arRequest = await getAuthorizationRequest({req});
-    const {authorizationRequest, step} = arRequest;
-    ({exchange} = arRequest);
+    const {authorizationRequest} = arRequest;
+    ({exchange, step} = arRequest);
 
     // FIXME: check the VP against the presentation submission if requested
     // FIXME: check the VP against "trustedIssuer" in VPR, if provided
@@ -193,9 +196,15 @@ export async function processAuthorizationResponse({req}) {
     // verify the received VP
     const {verifiablePresentationRequest} = await oid4vp.toVpr(
       {authorizationRequest});
-    const {allowUnprotectedPresentation = false} = step;
+    const {
+      allowUnprotectedPresentation = false,
+      verifyPresentationOptions = {},
+      verifyPresentationResultSchema
+    } = step;
     const verifyResult = await verify({
       workflow,
+      verifyPresentationOptions,
+      verifyPresentationResultSchema,
       verifiablePresentationRequest,
       presentation,
       allowUnprotectedPresentation,
@@ -244,6 +253,7 @@ export async function processAuthorizationResponse({req}) {
         exchange.state = 'complete';
         await exchanges.complete({workflowId: workflow.id, exchange});
       }
+      emitExchangeUpdated({workflow, exchange, step});
       lastUpdated = Date.now();
     } catch(e) {
       exchange.sequence--;
@@ -271,6 +281,7 @@ export async function processAuthorizationResponse({req}) {
     exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
       .catch(error => logger.error(
         'Could not set last exchange error: ' + error.message, {error}));
+    emitExchangeUpdated({workflow, exchange, step});
     throw e;
   }
 }

package/lib/vcapi.js

@@ -5,7 +5,8 @@ import * as bedrock from '@bedrock/core';
 import * as exchanges from './exchanges.js';
 import {createChallenge as _createChallenge, verify} from './verify.js';
 import {
-  buildPresentationFromResults, evaluateTemplate, generateRandom,
+  buildPresentationFromResults, emitExchangeUpdated,
+  evaluateTemplate, generateRandom,
   unenvelopePresentation, validateStep
 } from './helpers.js';
 import {exportJWK, generateKeyPair, importJWK} from 'jose';
@@ -93,6 +94,8 @@ export async function createExchange({workflow, exchange}) {
 export async function processExchange({req, res, workflow, exchangeRecord}) {
   const {exchange, meta} = exchangeRecord;
   let {updated: lastUpdated} = meta;
+  let step;
+
   try {
     // get any `verifiablePresentation` from the body...
     let receivedPresentation = req?.body?.verifiablePresentation;
@@ -100,7 +103,6 @@ export async function processExchange({req, res, workflow, exchangeRecord}) {
     // process exchange step(s)
     let i = 0;
     let currentStep = exchange.step;
-    let step;
     while(true) {
       if(i++ > MAXIMUM_STEPS) {
         throw new BedrockError('Maximum steps exceeded.', {
@@ -193,9 +195,15 @@ export async function processExchange({req, res, workflow, exchangeRecord}) {
 
         // verify the received VP
         const expectedChallenge = isInitialStep ? exchange.id : undefined;
-        const {allowUnprotectedPresentation = false} = step;
+        const {
+          allowUnprotectedPresentation = false,
+          verifyPresentationOptions = {},
+          verifyPresentationResultSchema
+        } = step;
         const verifyResult = await verify({
           workflow,
+          verifyPresentationOptions,
+          verifyPresentationResultSchema,
           verifiablePresentationRequest: step.verifiablePresentationRequest,
           presentation: receivedPresentation,
           allowUnprotectedPresentation,
@@ -249,6 +257,7 @@ export async function processExchange({req, res, workflow, exchangeRecord}) {
         try {
           exchange.sequence++;
           await exchanges.update({workflowId: workflow.id, exchange});
+          emitExchangeUpdated({workflow, exchange, step});
           lastUpdated = Date.now();
         } catch(e) {
           exchange.sequence--;
@@ -273,6 +282,7 @@ export async function processExchange({req, res, workflow, exchangeRecord}) {
     try {
       exchange.sequence++;
       await exchanges.complete({workflowId: workflow.id, exchange});
+      emitExchangeUpdated({workflow, exchange, step});
     } catch(e) {
       exchange.sequence--;
       throw e;
@@ -305,6 +315,7 @@ export async function processExchange({req, res, workflow, exchangeRecord}) {
     exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
       .catch(error => logger.error(
         'Could not set last exchange error: ' + error.message, {error}));
+    emitExchangeUpdated({workflow, exchange, step});
     throw e;
   }
 }

package/lib/verify.js

@@ -4,8 +4,13 @@
 import * as bedrock from '@bedrock/core';
 import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
 import * as Ed25519Multikey from '@digitalbazaar/ed25519-multikey';
-import {getZcapClient, stripStacktrace} from './helpers.js';
+import {
+  createVerifyOptions,
+  getZcapClient,
+  stripStacktrace
+} from './helpers.js';
 import {importJWK, jwtVerify} from 'jose';
+import {compile} from '@bedrock/validation';
 import {didIo} from '@bedrock/did-io';
 
 const {util: {BedrockError}} = bedrock;
@@ -25,8 +30,9 @@ export async function createChallenge({workflow} = {}) {
 }
 
 export async function verify({
-  workflow, verifiablePresentationRequest, presentation,
-  allowUnprotectedPresentation = false, expectedChallenge
+  workflow, verifyPresentationOptions, verifiablePresentationRequest,
+  presentation, allowUnprotectedPresentation = false, expectedChallenge,
+  verifyPresentationResultSchema
 } = {}) {
   // create zcap client for verifying
   const {zcapClient, zcaps} = await getZcapClient({workflow});
@@ -46,17 +52,18 @@ export async function verify({
     new URL(workflow.id).origin;
   let result;
   try {
+    const options = createVerifyOptions({
+      verifyPresentationOptions,
+      expectedChallenge,
+      verifiablePresentationRequest,
+      presentation,
+      domain,
+      checks
+    });
     result = await zcapClient.write({
       capability,
       json: {
-        options: {
-          // FIXME: support multi-proof presentations?
-          challenge: expectedChallenge ??
-            verifiablePresentationRequest.challenge ??
-            presentation?.proof?.challenge,
-          domain,
-          checks
-        },
+        options,
         verifiablePresentation: presentation
       }
     });
@@ -120,7 +127,15 @@ export async function verify({
   const verificationMethod = presentationResult?.results[0]
     .verificationMethod ?? null;
 
-  // FIXME: ensure VP satisfies VPR
+  // validate against the verify presentation result schema, if applicable
+  if(verifyPresentationResultSchema) {
+    const {jsonSchema: schema} = verifyPresentationResultSchema;
+    const validate = compile({schema});
+    const {valid, error} = validate(result.data);
+    if(!valid) {
+      throw error;
+    }
+  }
 
   return {
     verified,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "7.1.1",
+  "version": "7.3.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -39,6 +39,7 @@
     "@digitalbazaar/ed25519-multikey": "^1.3.1",
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/ezcap": "^4.1.0",
+    "@digitalbazaar/http-client": "^4.2.0",
     "@digitalbazaar/oid4-client": "^4.3.0",
     "@digitalbazaar/vc": "^7.2.0",
     "assert-plus": "^1.0.0",

package/schemas/bedrock-vc-workflow.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
  */
 import {MAX_ISSUER_INSTANCES} from '../lib/constants.js';
 import {schemas} from '@bedrock/validation';
@@ -381,6 +381,7 @@ const step = {
     not: {
       required: [
         'allowUnprotectedPresentation',
+        'callback',
         'createChallenge',
         'issueRequests',
         'jwtDidProofRequest',
@@ -400,6 +401,16 @@ const step = {
     allowUnprotectedPresentation: {
       type: 'boolean'
     },
+    callback: {
+      type: 'object',
+      required: ['url'],
+      additionalProperties: false,
+      properties: {
+        url: {
+          type: 'string'
+        }
+      }
+    },
     createChallenge: {
       type: 'boolean'
     },
@@ -486,6 +497,28 @@ const step = {
     stepTemplate: typedTemplate,
     verifiablePresentationRequest: {
       type: 'object'
+    },
+    verifyPresentationOptions: {
+      type: 'object',
+      properties: {
+        checks: {
+          type: 'object'
+        }
+      },
+      additionalProperties: true
+    },
+    verifyPresentationResultSchema: {
+      type: 'object',
+      required: ['type', 'jsonSchema'],
+      additionalProperties: false,
+      properties: {
+        type: {
+          type: 'string'
+        },
+        jsonSchema: {
+          type: 'object'
+        }
+      }
     }
   }
 };