@bedrock/vc-delivery 7.11.1 → 7.11.3

package/lib/inviteRequest/inviteRequest.js

@@ -2,89 +2,39 @@
  * Copyright (c) 2025-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from '../storage/exchanges.js';
-import {emitExchangeUpdated, evaluateExchangeStep} from '../helpers.js';
-import {logger} from '../logger.js';
+import {ExchangeProcessor} from '../ExchangeProcessor.js';
 
 const {util: {BedrockError}} = bedrock;
 
 export async function processInviteResponse({req}) {
   const {config: workflow} = req.serviceObject;
   const exchangeRecord = await req.getExchange();
-  let {meta: {updated: lastUpdated}} = exchangeRecord;
-  const {exchange} = exchangeRecord;
-  let step;
 
-  try {
-    // exchange step required for `inviteRequest`
-    const currentStep = exchange.step;
-    if(!currentStep) {
-      _throwUnsupportedProtocol();
-    }
-
-    step = await evaluateExchangeStep({workflow, exchange});
-
-    // step must have `inviteRequest` to perform protocol
-    if(!step.inviteRequest) {
-      _throwUnsupportedProtocol();
-    }
+  // `inviteResponse` validated via HTTP body JSON schema already
+  const {body: inviteResponse} = req;
 
-    // exchange must still be pending
-    if(exchange.state !== 'pending') {
-      throw new BedrockError(
-        'This exchange is already in progress.', {
-          name: 'NotAllowedError',
-          details: {httpStatusCode: 403, public: true}
-        });
-    }
-
-    // `inviteResponse` validated via HTTP body JSON schema already
-    const {body: inviteResponse} = req;
-
-    // store invite response in variables associated with current step
-    if(!exchange.variables.results) {
-      exchange.variables.results = {};
-    }
-    const stepResult = {
-      inviteRequest: {inviteResponse}
-    };
-    const prevState = exchange.state;
-    exchange.variables.results[currentStep] = stepResult;
-    try {
-      // mark exchange complete
-      exchange.state = 'complete';
-      exchange.sequence++;
-      await exchanges.complete({workflowId: workflow.id, exchange});
-      await emitExchangeUpdated({workflow, exchange, step});
-      lastUpdated = Date.now();
-    } catch(e) {
-      // revert exchange changes as it couldn't be written
-      exchange.sequence--;
-      exchange.state = prevState;
-      delete exchange.variables.results[currentStep];
-      throw e;
+  // process exchange to completion
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    prepareStep({exchange, step}) {
+      // step must have `inviteRequest` to perform protocol
+      if(!step.inviteRequest) {
+        _throwUnsupportedProtocol();
+      }
+      // store invite response in variables associated with current step
+      exchange.variables.results[exchange.step] = {
+        ...exchange.variables.results[exchange.step],
+        inviteRequest: {inviteResponse}
+      };
     }
+  });
+  await exchangeProcessor.process();
 
-    const result = {};
-    if(inviteResponse.referenceId !== undefined) {
-      result.referenceId = inviteResponse.referenceId;
-    }
-    return result;
-  } catch(e) {
-    if(e.name === 'InvalidStateError') {
-      throw e;
-    }
-    // write last error if exchange hasn't been frequently updated
-    const {id: workflowId} = workflow;
-    const copy = {...exchange};
-    copy.sequence++;
-    copy.lastError = e;
-    await exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
-      .catch(error => logger.error(
-        'Could not set last exchange error: ' + error.message, {error}));
-    await emitExchangeUpdated({workflow, exchange, step});
-    throw e;
+  const result = {};
+  if(inviteResponse.referenceId !== undefined) {
+    result.referenceId = inviteResponse.referenceId;
   }
+  return result;
 }
 
 export function getInviteRequestProtocols({workflow, exchange, step}) {

package/lib/issue.js

@@ -15,13 +15,16 @@ const {util: {BedrockError}} = bedrock;
 
 export async function issue({
   workflow, exchange, step, format = 'application/vc',
+  issueRequestsParams,
+  verifiablePresentation,
+  // FIXME: remove `filter`
   // by default do not issue any VCs that are to be stored in the exchange;
   // (`result` is NOT set)
   filter = params => !params.result
 } = {}) {
   // eval all issue requests for current step in exchange
   const issueRequests = await _evalIssueRequests({
-    workflow, exchange, step, filter
+    workflow, exchange, step, issueRequestsParams, filter
   });
 
   // return early if there is no explicit VP in step nor nothing to issue
@@ -42,8 +45,10 @@ export async function issue({
 
   // generate VP to return VCs; use any explicitly defined VP from the step
   // (which may include out-of-band issued VCs that are to be delivered)
-  const verifiablePresentation =
-    structuredClone(step?.verifiablePresentation) ?? createPresentation();
+  verifiablePresentation =
+    verifiablePresentation ??
+    structuredClone(step?.verifiablePresentation) ??
+    createPresentation();
 
   // add issued VCs to VP
   if(issuedVcs.length > 0) {
@@ -60,31 +65,16 @@ export async function issue({
   return {response: {verifiablePresentation}, format, exchangeChanged};
 }
 
-async function _evalIssueRequests({workflow, exchange, step, filter}) {
-  // evaluate all issue requests in parallel
-  let results = await _getIssueRequestParams({workflow, exchange, step});
-  results = results.filter(filter);
-  return Promise.all(results.map(async params => {
-    const {typedTemplate, variables} = params;
-    return {
-      params,
-      body: await evaluateTemplate({
-        workflow, exchange, typedTemplate, variables
-      })
-    };
-  }));
-}
-
-async function _getIssueRequestParams({workflow, exchange, step}) {
+export function getIssueRequestsParams({workflow, exchange, step}) {
   // use any templates from workflow and variables from exchange to produce
   // credentials to be issued; issue via the configured issuer instance
   const {credentialTemplates = []} = workflow;
   if(!(credentialTemplates.length > 0)) {
-    // no issue request params
+    // no issue requests params
     return [];
   }
 
-  if(!step ||
+  if(!workflow.steps ||
     (!step.issueRequests && Object.keys(workflow.steps).length === 1)) {
     // backwards-compatibility: deprecated workflows with no step or a single
     // step do not explicitly define `issueRequests` but instead consider each
@@ -93,9 +83,14 @@ async function _getIssueRequestParams({workflow, exchange, step}) {
     return credentialTemplates.map(typedTemplate => ({typedTemplate}));
   }
 
-  // resolve all issue request params in parallel
+  if(!step.issueRequests) {
+    // no issue requests params
+    return [];
+  }
+
+  // resolve all issue requests params
   const variables = getTemplateVariables({workflow, exchange});
-  return Promise.all(step.issueRequests.map(async r => {
+  return step.issueRequests.map(r => {
     // find the typed template to use
     let typedTemplate;
     if(r.credentialTemplateIndex !== undefined) {
@@ -138,6 +133,23 @@ async function _getIssueRequestParams({workflow, exchange, step}) {
       params.result = r.result;
     }
     return params;
+  });
+}
+
+async function _evalIssueRequests({
+  workflow, exchange, step, issueRequestsParams, filter
+}) {
+  // evaluate all issue requests in parallel
+  const results = issueRequestsParams ??
+    getIssueRequestsParams({workflow, exchange, step}).filter(filter);
+  return Promise.all(results.map(async params => {
+    const {typedTemplate, variables} = params;
+    return {
+      params,
+      body: await evaluateTemplate({
+        workflow, exchange, typedTemplate, variables
+      })
+    };
   }));
 }
 

package/lib/oid4/authorizationRequest.js

@@ -12,7 +12,7 @@ import {randomUUID} from 'node:crypto';
 
 const {util: {BedrockError}} = bedrock;
 
-const OID4VP_JWT_TYP = 'application/oauth-authz-req+jwt';
+const OID4VP_JWT_TYP = 'oauth-authz-req+jwt';
 const TEXT_ENCODER = new TextEncoder();
 
 export async function create({

package/lib/oid4/oid4vci.js

@@ -2,16 +2,12 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from '../storage/exchanges.js';
-import {
-  deepEqual, emitExchangeUpdated,
-  evaluateExchangeStep, getWorkflowIssuerInstances
-} from '../helpers.js';
+import {deepEqual, getWorkflowIssuerInstances} from '../helpers.js';
 import {importJWK, SignJWT} from 'jose';
 import {checkAccessToken} from '@bedrock/oauth2-verifier';
-import {getAuthorizationRequest} from './oid4vp.js';
-import {issue} from '../issue.js';
-import {logger} from '../logger.js';
+import {issue as defaultIssue} from '../issue.js';
+import {ExchangeProcessor} from '../ExchangeProcessor.js';
+import {getStepAuthorizationRequest} from './oid4vp.js';
 import {timingSafeEqual} from 'node:crypto';
 import {verifyDidProofJwt} from '../verify.js';
 
@@ -428,58 +424,51 @@ function _normalizeCredentialDefinitionTypes({credentialRequests}) {
 async function _processExchange({
   req, res, workflow, exchangeRecord, isBatchRequest
 }) {
-  let step;
-  const {id: workflowId} = workflow;
-  const {exchange, meta} = exchangeRecord;
-  let {updated: lastUpdated} = meta;
-  try {
-    // validate body against expected credential requests
-    const {openId: {expectedCredentialRequests}} = exchange;
-    let credentialRequests;
-    if(isBatchRequest) {
-      ({credential_requests: credentialRequests} = req.body);
-    } else {
-      if(expectedCredentialRequests.length > 1) {
-        // FIXME: it is no longer the case that the batch endpoint must be used
-        // for multiple requests; determine if the request has changed
-
-        // clients interacting with exchanges with more than one VC to be
-        // delivered must use the "batch credential" endpoint
-        // FIXME: improve error
-        throw new Error('batch_credential_endpoint must be used');
+  // process exchange and capture values to return
+  let format;
+  let didProofRequired = false;
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    async prepareStep({exchange, step}) {
+      // validate body against expected credential requests
+      const {openId: {expectedCredentialRequests}} = exchange;
+      let credentialRequests;
+      if(isBatchRequest) {
+        ({credential_requests: credentialRequests} = req.body);
+      } else {
+        if(expectedCredentialRequests.length > 1) {
+          // FIXME: batch endpoint has been removed in OID4VCI 1.0; if used,
+          // then it is for a legacy OID4VCI draft 13 request, so this should
+          // be reworked
+          throw new Error('batch_credential_endpoint must be used');
+        }
+        credentialRequests = [req.body];
       }
-      credentialRequests = [req.body];
-    }
 
-    // before asserting, normalize credential requests to use `type` instead of
-    // `types`; this is to allow for OID4VCI draft implementers that followed
-    // the non-normative examples
-    _normalizeCredentialDefinitionTypes({credentialRequests});
-    const {format} = _assertCredentialRequests({
-      workflow, credentialRequests, expectedCredentialRequests
-    });
+      // before asserting, normalize credential requests to use `type` instead
+      // of `types`; this is to allow for OID4VCI draft implementers that
+      // followed the non-normative examples
+      _normalizeCredentialDefinitionTypes({credentialRequests});
+      ({format} = _assertCredentialRequests({
+        workflow, credentialRequests, expectedCredentialRequests
+      }));
 
-    // process exchange step if present
-    const currentStep = exchange.step;
-    if(currentStep) {
-      step = await evaluateExchangeStep({workflow, exchange});
       const {jwtDidProofRequest} = step;
 
       // check to see if step supports OID4VP during OID4VCI
       if(step.openId) {
         // if there is no `presentationSubmission`, request one
         const {results} = exchange.variables;
-        if(!results?.[exchange.step]?.openId?.presentationSubmission) {
-          // FIXME: optimize away double step-template processing that
-          // currently occurs when calling `_getAuthorizationRequest`
+        if(!results[exchange.step]?.openId?.presentationSubmission) {
           // note: only the "default" `clientProfileId` is supported at this
           // time because there isn't presently a defined way to specify
           // alternatives
           const clientProfileId = step.openId.clientProfiles ?
             'default' : undefined;
-          const {
-            authorizationRequest
-          } = await getAuthorizationRequest({req, clientProfileId});
+          // get authorization request
+          const {authorizationRequest} = await getStepAuthorizationRequest({
+            workflow, exchange, step, clientProfileId
+          });
           return _requestOID4VP({authorizationRequest, res});
         }
         // otherwise drop down below to complete exchange...
@@ -489,6 +478,7 @@ async function _processExchange({
         // `proof` must be in every credential request; if any request is
         // missing `proof` then request a DID proof
         if(credentialRequests.some(cr => !cr.proof?.jwt)) {
+          didProofRequired = true;
           return _requestDidProof({res, exchangeRecord});
         }
 
@@ -507,48 +497,36 @@ async function _processExchange({
           throw new Error('every DID must be the same');
         }
         // store did results in variables associated with current step
-        if(!exchange.variables.results) {
-          exchange.variables.results = {};
-        }
-        exchange.variables.results[currentStep] = {
+        exchange.variables.results[exchange.step] = {
+          ...exchange.variables.results[exchange.step],
           // common use case of DID Authentication; provide `did` for ease
           // of use in templates
           did
         };
       }
+    },
+    inputRequired({exchange, step}) {
+      // input is required if:
+      // 1. a `jwtDidProofRequest` is required and hasn't been provided
+      // 2. OID4VP is enabled and no OID4VP result has been stored yet
+      return didProofRequired || (step.openId && !exchange.variables
+        .results[exchange.step]?.openId?.authorizationRequest);
+    },
+    issue({
+      workflow, exchange, step, issueRequestsParams,
+      verifiablePresentation
+    }) {
+      return defaultIssue({
+        workflow, exchange, step, issueRequestsParams,
+        verifiablePresentation, format
+      });
     }
-
-    // mark exchange complete
-    exchange.state = 'complete';
-    try {
-      exchange.sequence++;
-      await exchanges.complete({workflowId, exchange});
-      await emitExchangeUpdated({workflow, exchange, step});
-      lastUpdated = Date.now();
-    } catch(e) {
-      exchange.sequence--;
-      throw e;
-    }
-
-    // FIXME: decide what the best recovery path is if delivery fails (but no
-    // replay attack detected) after exchange has been marked complete
-
-    // issue VCs
-    return issue({workflow, exchange, step, format});
-  } catch(e) {
-    if(e.name === 'InvalidStateError') {
-      throw e;
-    }
-    // write last error if exchange hasn't been frequently updated
-    const copy = {...exchange};
-    copy.sequence++;
-    copy.lastError = e;
-    exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
-      .catch(error => logger.error(
-        'Could not set last exchange error: ' + error.message, {error}));
-    await emitExchangeUpdated({workflow, exchange, step});
-    throw e;
+  });
+  const response = await exchangeProcessor.process();
+  if(!response.verifiablePresentation) {
+    return null;
   }
+  return {response, format};
 }
 
 async function _requestDidProof({res, exchangeRecord}) {