@bedrock/vc-delivery 7.10.1 → 7.11.0

package/lib/helpers.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
 import * as vcjwt from './vcjwt.js';
@@ -9,6 +9,7 @@ import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
 import {httpClient} from '@digitalbazaar/http-client';
 import {httpsAgent} from '@bedrock/https-agent';
 import jsonata from 'jsonata';
+import jsonpointer from 'json-pointer';
 import {logger} from './logger.js';
 import {serializeError} from 'serialize-error';
 import {serviceAgents} from '@bedrock/service-agent';
@@ -141,12 +142,14 @@ export function getTemplateVariables({workflow, exchange} = {}) {
     workflow: {
       id: workflow.id
     },
+    exchange: {
+      id: exchange.id
+    },
+    localExchangeId: exchange.id,
+    exchangeId: `${workflow.id}/exchanges/${exchange.id}`,
     // backwards compatibility
     exchanger: {
       id: workflow.id
-    },
-    exchange: {
-      id: exchange.id
     }
   };
   return variables;
@@ -293,6 +296,46 @@ export function createVerifyOptions({
   return options;
 }
 
+export function resolvePointer(obj, pointer) {
+  if(pointer === '/') {
+    return obj;
+  }
+  try {
+    return jsonpointer.get(obj, pointer);
+  } catch(e) {
+    return undefined;
+  }
+}
+
+export function resolveVariableName({variables, name} = {}) {
+  if(!name.startsWith('/')) {
+    return variables[name];
+  }
+  if(name === '/') {
+    return variables;
+  }
+  try {
+    return jsonpointer.get(variables, name);
+  } catch(e) {
+    return undefined;
+  }
+}
+
+export function setVariable({variables, name, value} = {}) {
+  if(!name.startsWith('/')) {
+    variables[name] = value;
+    return;
+  }
+  if(name === '/') {
+    throw new BedrockError(
+      `Invalid variable name "${name}".`, {
+        name: 'NotSupportedError',
+        details: {httpStatusCode: 500, public: true}
+      });
+  }
+  jsonpointer.set(variables, name, value);
+}
+
 export function stripStacktrace(error) {
   // serialize error and allow-list specific properties
   const serialized = serializeError(error);

package/lib/http.js

@@ -1,8 +1,8 @@
 /*!
- * Copyright (c) 2018-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2018-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from './exchanges.js';
+import * as exchanges from './storage/exchanges.js';
 import * as inviteRequest from './inviteRequest/http.js';
 import * as oid4 from './oid4/http.js';
 import {createExchange, getProtocols, processExchange} from './vcapi.js';

package/lib/inviteRequest/inviteRequest.js

@@ -1,8 +1,8 @@
 /*!
- * Copyright (c) 2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2025-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from '../exchanges.js';
+import * as exchanges from '../storage/exchanges.js';
 import {emitExchangeUpdated, evaluateExchangeStep} from '../helpers.js';
 import {logger} from '../logger.js';
 

package/lib/issue.js

@@ -6,25 +6,39 @@ import {
   evaluateTemplate,
   getTemplateVariables,
   getWorkflowIssuerInstances,
-  getZcapClient
+  getZcapClient,
+  setVariable
 } from './helpers.js';
 import {createPresentation} from '@digitalbazaar/vc';
 
 const {util: {BedrockError}} = bedrock;
 
 export async function issue({
-  workflow, exchange, step, format = 'application/vc'
+  workflow, exchange, step, format = 'application/vc',
+  // by default do not issue any VCs that are to be stored in the exchange;
+  // (`result` is NOT set)
+  filter = params => !params.result
 } = {}) {
   // eval all issue requests for current step in exchange
-  const issueRequests = await _evalIssueRequests({workflow, exchange, step});
+  const issueRequests = await _evalIssueRequests({
+    workflow, exchange, step, filter
+  });
 
   // return early if there is no explicit VP in step nor nothing to issue
   if(!step?.verifiablePresentation && issueRequests.length === 0) {
-    return {response: {}};
+    return {response: {}, exchangeChanged: false};
   }
 
   // run all issue requests
-  const issuedVcs = await _issue({workflow, issueRequests, format});
+  const {
+    credentials: issuedVcs,
+    exchangeChanged
+  } = await _issue({workflow, exchange, issueRequests, format});
+
+  if(issuedVcs.length === 0 && !step?.verifiablePresentation) {
+    // no issued VCs/no VP to return in response
+    return {response: {}, exchangeChanged};
+  }
 
   // generate VP to return VCs; use any explicitly defined VP from the step
   // (which may include out-of-band issued VCs that are to be delivered)
@@ -43,30 +57,39 @@ export async function issue({
     }
     verifiablePresentation.verifiableCredential = vcs;
   }
-  return {response: {verifiablePresentation}, format};
+  return {response: {verifiablePresentation}, format, exchangeChanged};
 }
 
-async function _evalIssueRequests({workflow, exchange, step}) {
+async function _evalIssueRequests({workflow, exchange, step, filter}) {
   // evaluate all issue requests in parallel
-  const requests = await _getIssueRequests({workflow, exchange, step});
-  return Promise.all(requests.map(({typedTemplate, variables}) =>
-    evaluateTemplate({workflow, exchange, typedTemplate, variables})));
+  let results = await _getIssueRequestParams({workflow, exchange, step});
+  results = results.filter(filter);
+  return Promise.all(results.map(async params => {
+    const {typedTemplate, variables} = params;
+    return {
+      params,
+      body: await evaluateTemplate({
+        workflow, exchange, typedTemplate, variables
+      })
+    };
+  }));
 }
 
-async function _getIssueRequests({workflow, exchange, step}) {
+async function _getIssueRequestParams({workflow, exchange, step}) {
   // use any templates from workflow and variables from exchange to produce
   // credentials to be issued; issue via the configured issuer instance
   const {credentialTemplates = []} = workflow;
   if(!(credentialTemplates.length > 0)) {
-    // no issue requests
+    // no issue request params
     return [];
   }
 
   if(!step ||
     (!step.issueRequests && Object.keys(workflow.steps).length === 1)) {
     // backwards-compatibility: deprecated workflows with no step or a single
-    // step do not explicitly define `issueRequests` but instead use all
-    // templates for issue requests
+    // step do not explicitly define `issueRequests` but instead consider each
+    // credential template as the `typedTemplate` parameter (and the only
+    // parameter) for an issue request
     return credentialTemplates.map(typedTemplate => ({typedTemplate}));
   }
 
@@ -103,7 +126,7 @@ async function _getIssueRequests({workflow, exchange, step}) {
           });
       }
     }
-    return {
+    const params = {
       typedTemplate,
       variables: {
         // always include globals but allow local override
@@ -111,6 +134,10 @@ async function _getIssueRequests({workflow, exchange, step}) {
         ...vars
       }
     };
+    if(r.result) {
+      params.result = r.result;
+    }
+    return params;
   }));
 }
 
@@ -121,7 +148,7 @@ function _getIssueZcap({workflow, zcaps, format}) {
   return zcaps[issueRefId];
 }
 
-async function _issue({workflow, issueRequests, format} = {}) {
+async function _issue({workflow, exchange, issueRequests, format} = {}) {
   // create zcap client for issuing VCs
   const {zcapClient, zcaps} = await getZcapClient({workflow});
 
@@ -137,19 +164,38 @@ async function _issue({workflow, issueRequests, format} = {}) {
   }
 
   // issue VCs in parallel
-  return Promise.all(issueRequests.map(async issueRequest => {
-    /* Note: Issue request formats can be any one of these:
+  let exchangeChanged = false;
+  const results = await Promise.all(issueRequests.map(async issueRequest => {
+    const {params, body} = issueRequest;
+
+    /* Note: Issue request body can be any one of these:
 
     1. `{credential, options?}`
     2. `credential`
 
-    Normalize issue requests that use the full VC API issue request and those
-    that return only the `credential` param directly. */
-    const json = issueRequest.credential ?
-      issueRequest : {credential: issueRequest};
+    Normalize all issue request bodies to full VC API issue request bodies. */
+    const json = !body?.credential ? {credential: body} : body;
     const {
       data: {verifiableCredential}
     } = await zcapClient.write({url, capability, json});
+
+    // if the issue request specifies a location for storing the credential,
+    // put it there and return `undefined`; otherwise, return the credential
+    if(params.result) {
+      exchangeChanged = true;
+      setVariable({
+        variables: exchange.variables,
+        name: params.result,
+        value: verifiableCredential
+      });
+      return;
+    }
+
     return verifiableCredential;
   }));
+
+  // filter out any undefined results, which are for results that were written
+  // to exchange variables and are not to be automatically returned in a
+  // presentation
+  return {credentials: results.filter(vc => vc), exchangeChanged};
 }

package/lib/oid4/oid4vci.js

@@ -1,8 +1,8 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from '../exchanges.js';
+import * as exchanges from '../storage/exchanges.js';
 import {
   deepEqual, emitExchangeUpdated,
   evaluateExchangeStep, getWorkflowIssuerInstances

package/lib/oid4/oid4vp.js

@@ -1,13 +1,15 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from '../exchanges.js';
+import * as exchanges from '../storage/exchanges.js';
 import {
   buildPresentationFromResults,
   buildVerifyPresentationResults,
   emitExchangeUpdated,
-  evaluateExchangeStep
+  evaluateExchangeStep,
+  resolveVariableName,
+  setVariable
 } from '../helpers.js';
 import {getClientBaseUrl, getClientProfile} from './clientProfiles.js';
 import {compile} from '@bedrock/validation';
@@ -362,8 +364,19 @@ async function _getStepAuthorizationRequest({
     _throwUnsupportedProtocol();
   }
 
-  // create or get cached authorization request
-  authorizationRequest = exchange.variables?.[authzReqVarName];
+  // create or get cached authorization request...
+
+  if(authzReqVarName === '/') {
+    // overwriting all variables is not permitted
+    throw new BedrockError(
+      `Invalid authorization request variable name "${authzReqVarName}".`, {
+        name: 'NotSupportedError',
+        details: {httpStatusCode: 500, public: true}
+      });
+  }
+  authorizationRequest = resolveVariableName({
+    variables: exchange.variables, name: authzReqVarName
+  });
   if(authorizationRequest) {
     return {authorizationRequest, exchangeChanged: false};
   }
@@ -393,7 +406,11 @@ async function _getStepAuthorizationRequest({
   if(!exchange.variables) {
     exchange.variables = {};
   }
-  exchange.variables[authzReqVarName] = authorizationRequest;
+  setVariable({
+    variables: exchange.variables,
+    name: authzReqVarName,
+    value: authorizationRequest
+  });
 
   return {authorizationRequest, exchangeChanged: true};
 }

package/lib/{exchanges.js → storage/exchanges.js}

@@ -1,11 +1,11 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
 import * as database from '@bedrock/mongodb';
-import {parseLocalId, stripStacktrace} from './helpers.js';
+import {parseLocalId, stripStacktrace} from '../helpers.js';
 import assert from 'assert-plus';
-import {logger} from './logger.js';
+import {logger} from '../logger.js';
 import {serializeError} from 'serialize-error';
 
 const {util: {BedrockError}} = bedrock;
@@ -18,11 +18,9 @@ If an exchange is marked as complete, any attempt to mark it complete again
 will result in an action, as specified in the exchange record, being taken
 such as auto-revocation or notification.
 
-Each pending exchange may include optionally encrypted VCs for pickup and / or
-VC templates and required variables (which may come from other VCs) that must
-be provided to populate those templates. If any templates are provided, then
-a capability to issue the VC must also be provided. If any VCs are to be
-provided during the exchange a capability to verify them must be provided. */
+Each pending exchange is an instance of a workflow. A workflow may have
+one or more steps, each that might issue, verify, or deliver VCs. Capabilities
+must be provided to issue or verify VCs. */
 
 const COLLECTION_NAME = 'vc-exchange';
 
@@ -244,7 +242,7 @@ export async function update({workflowId, exchange, explain = false} = {}) {
   exchange = _encodeVariables({exchange});
 
   // build update
-  const update = _buildUpdate({exchange, complete: false});
+  const update = _buildUpdate({exchange});
 
   const {base, localId: localWorkflowId} = parseLocalId({id: workflowId});
 
@@ -326,7 +324,7 @@ export async function complete({workflowId, exchange, explain = false} = {}) {
   const {id} = exchange;
 
   // build update
-  const update = _buildUpdate({exchange, complete: true});
+  const update = _buildUpdate({exchange});
 
   const {base, localId: localWorkflowId} = parseLocalId({id: workflowId});
 
@@ -564,7 +562,7 @@ async function _markExchangeInvalid({record}) {
   }
 }
 
-function _buildUpdate({exchange, complete}) {
+function _buildUpdate({exchange}) {
   // build update
   const now = Date.now();
   const update = {
@@ -572,21 +570,11 @@ function _buildUpdate({exchange, complete}) {
     $set: {
       'exchange.state': exchange.state,
       'exchange.secrets': exchange.secrets,
+      'exchange.variables': exchange.variables,
       'meta.updated': now
     },
     $unset: {}
   };
-  if(complete && typeof exchange.variables !== 'string') {
-    // exchange complete and variables not encoded, so only update results
-    if(exchange.variables?.results) {
-      update.$set['exchange.variables.results'] = exchange.variables.results;
-    }
-  } else {
-    // exchange not complete or variables are encoded, so update all variables
-    if(exchange.variables) {
-      update.$set['exchange.variables'] = exchange.variables;
-    }
-  }
   if(exchange.step !== undefined) {
     update.$set['exchange.step'] = exchange.step;
   }

package/lib/vcapi.js

@@ -1,8 +1,8 @@
 /*!
- * Copyright (c) 2018-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2018-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from './exchanges.js';
+import * as exchanges from './storage/exchanges.js';
 import {createChallenge as _createChallenge, verify} from './verify.js';
 import {
   buildPresentationFromResults,
@@ -297,6 +297,9 @@ export async function processExchange({req, res, workflow, exchangeRecord}) {
       currentStep = step.nextStep;
     }
 
+    // issue any VCs that are to be stored in the exchange (`result` is set)
+    await issue({workflow, exchange, step, filter: params => params.result});
+
     // mark exchange complete
     exchange.state = 'complete';
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "7.10.1",
+  "version": "7.11.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -40,7 +40,7 @@
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/ezcap": "^4.1.0",
     "@digitalbazaar/http-client": "^4.2.0",
-    "@digitalbazaar/oid4-client": "^5.4.1",
+    "@digitalbazaar/oid4-client": "^5.6.3",
     "@digitalbazaar/vc": "^7.2.0",
     "@digitalbazaar/webkms-client": "^14.2.0",
     "assert-plus": "^1.0.0",
@@ -48,6 +48,7 @@
     "body-parser": "^1.20.3",
     "cors": "^2.8.5",
     "jose": "^6.1.0",
+    "json-pointer": "^0.6.2",
     "jsonata": "^2.0.6",
     "serialize-error": "^12.0.0"
   },

package/schemas/bedrock-vc-workflow.js

@@ -396,6 +396,11 @@ const issueRequestParameters = {
     credentialTemplateIndex: {
       type: 'number'
     },
+    // optional specify where to store the issued VCs instead of automatically
+    // including it in a VP to be returned to the client
+    result: {
+      type: 'string'
+    },
     // optionally specify different variables
     variables: {
       oneOf: [{type: 'string'}, {type: 'object'}]
@@ -533,6 +538,7 @@ function step() {
           'nextStep',
           'openId',
           'presentationSchema',
+          'redirectUrl',
           'verifiablePresentation',
           'verifiablePresentationRequest'
         ]
@@ -628,6 +634,9 @@ function step() {
           }
         }
       },
+      redirectUrl: {
+        type: 'string'
+      },
       stepTemplate: typedTemplate,
       // the base verifiable presentation to use in this step; any VCs that
       // are issued in this step (see: `issueRequests`) will be added to this