@bedrock/vc-delivery 7.11.1 → 7.11.3

package/lib/vcapi.js

@@ -3,17 +3,9 @@
  */
 import * as bedrock from '@bedrock/core';
 import * as exchanges from './storage/exchanges.js';
-import {createChallenge as _createChallenge, verify} from './verify.js';
-import {
-  buildPresentationFromResults,
-  buildVerifyPresentationResults,
-  emitExchangeUpdated,
-  evaluateExchangeStep,
-  generateRandom, validateVerifiablePresentation
-} from './helpers.js';
+import {evaluateExchangeStep, generateRandom} from './helpers.js';
 import {exportJWK, generateKeyPair, importJWK} from 'jose';
-import {issue} from './issue.js';
-import {logger} from './logger.js';
+import {ExchangeProcessor} from './ExchangeProcessor.js';
 
 // supported protocols
 import * as inviteRequest from './inviteRequest/inviteRequest.js';
@@ -22,7 +14,6 @@ import * as oid4vp from './oid4/oid4vp.js';
 
 const {util: {BedrockError}} = bedrock;
 
-const MAXIMUM_STEPS = 100;
 const FIFTEEN_MINUTES = 60 * 15;
 
 // 48 hours; make configurable
@@ -112,36 +103,13 @@ export async function getProtocols({req} = {}) {
 }
 
 export async function processExchange({req, res, workflow, exchangeRecord}) {
-  const {exchange, meta} = exchangeRecord;
-  let {updated: lastUpdated} = meta;
-  let step;
+  // get any `verifiablePresentation` from the body...
+  const receivedPresentation = req?.body?.verifiablePresentation;
 
-  try {
-    // get any `verifiablePresentation` from the body...
-    let receivedPresentation = req?.body?.verifiablePresentation;
-
-    // process exchange step(s)
-    let i = 0;
-    let currentStep = exchange.step;
-    while(true) {
-      if(i++ > MAXIMUM_STEPS) {
-        throw new BedrockError('Maximum steps exceeded.', {
-          name: 'DataError',
-          details: {httpStatusCode: 500, public: true}
-        });
-      }
-
-      // no step present, break out to complete exchange
-      if(!currentStep) {
-        break;
-      }
-
-      // get current step details
-      step = await evaluateExchangeStep({
-        workflow, exchange, stepName: currentStep
-      });
-
-      // if step does not support VCAPI, throw
+  // use exchange processor to generate a response
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    prepareStep({workflow, step}) {
       if(!_supportsVcApi({workflow, step})) {
         throw new BedrockError(
           'VC API protocol not supported by this exchange.', {
@@ -149,198 +117,15 @@ export async function processExchange({req, res, workflow, exchangeRecord}) {
             details: {httpStatusCode: 400, public: true}
           });
       }
-
-      // if next step is the same as the current step, throw an error
-      if(step.nextStep === currentStep) {
-        throw new BedrockError('Cyclical step detected.', {
-          name: 'DataError',
-          details: {httpStatusCode: 500, public: true}
-        });
-      }
-
-      // handle VPR: if step requires it, then `verifiablePresentation` must
-      // be in the request
-      if(step.verifiablePresentationRequest) {
-        const {createChallenge} = step;
-        const isInitialStep = exchange.step === workflow.initialStep;
-
-        // if no presentation was received in the body...
-        if(!receivedPresentation) {
-          const verifiablePresentationRequest = structuredClone(
-            step.verifiablePresentationRequest);
-          if(createChallenge) {
-            /* Note: When creating a challenge, the initial step always
-            uses the local exchange ID because the initial step itself
-            is one-time use. Subsequent steps, which only VC-API (as opposed
-            to other protocols) supports creating additional challenges via
-            the VC-API verifier API. */
-            let challenge;
-            if(isInitialStep) {
-              challenge = exchange.id;
-            } else {
-              // generate a new challenge using verifier API
-              ({challenge} = await _createChallenge({workflow}));
-            }
-            verifiablePresentationRequest.challenge = challenge;
-          }
-          // send VPR and return
-          res.json({verifiablePresentationRequest});
-          // if exchange is pending, mark it as active out-of-band
-          if(exchange.state === 'pending') {
-            exchange.state = 'active';
-            exchange.sequence++;
-            exchanges.update({workflowId: workflow.id, exchange}).catch(
-              error => logger.error(
-                'Could not mark exchange active: ' + error.message, {error}));
-          }
-          return;
-        }
-
-        const {presentationSchema} = step;
-
-        const isEnvelopedVP =
-          receivedPresentation?.type === 'EnvelopedVerifiablePresentation';
-
-        if(presentationSchema && !isEnvelopedVP) {
-          validateVerifiablePresentation({
-            schema: presentationSchema.jsonSchema,
-            presentation: receivedPresentation
-          });
-        }
-
-        // verify the received VP
-        const expectedChallenge = isInitialStep ? exchange.id : undefined;
-        const {
-          allowUnprotectedPresentation = false,
-          verifyPresentationOptions = {},
-          verifyPresentationResultSchema
-        } = step;
-        const verifyResult = await verify({
-          workflow,
-          verifyPresentationOptions,
-          verifyPresentationResultSchema,
-          verifiablePresentationRequest: step.verifiablePresentationRequest,
-          presentation: receivedPresentation,
-          allowUnprotectedPresentation,
-          expectedChallenge
-        });
-
-        // validate enveloped VP after verification
-        if(presentationSchema && isEnvelopedVP) {
-          validateVerifiablePresentation({
-            schema: presentationSchema.jsonSchema,
-            presentation: verifyResult?.presentationResult?.presentation ?? {}
-          });
-        }
-
-        // store VP results in variables associated with current step
-        if(!exchange.variables.results) {
-          exchange.variables.results = {};
-        }
-        const {verificationMethod} = verifyResult;
-        const result = {
-          // common use case of DID Authentication; provide `did` for ease
-          // of use in templates and consistency with OID4VCI which only
-          // receives `did` not verification method nor VP
-          did: verificationMethod?.controller || null,
-          verificationMethod,
-          verifiablePresentation: buildPresentationFromResults({
-            presentation: receivedPresentation,
-            verifyResult
-          }),
-          verifyPresentationResults: buildVerifyPresentationResults({
-            verifyResult
-          })
-        };
-        exchange.variables.results[currentStep] = result;
-
-        // clear received presentation as it has been processed
-        receivedPresentation = null;
-
-        // if there is no next step, break out to complete exchange
-        if(!step.nextStep) {
-          break;
-        }
-
-        // FIXME: remove this once the other FIXME below is implemented
-        // and provides support for issuance in non-last step
-        if(step.verifiablePresentation || step.issueRequests?.length > 0) {
-          throw new BedrockError(
-            'Invalid step detected; continuing exchanges currently must ' +
-            'only issue in the final step.', {
-              name: 'DataError',
-              details: {httpStatusCode: 500, public: true}
-            });
-        }
-
-        // update the exchange to go to the next step, then loop to send
-        // next VPR
-        exchange.step = step.nextStep;
-        // ensure exchange state is active
-        if(exchange.state === 'pending') {
-          exchange.state = 'active';
-        }
-        try {
-          exchange.sequence++;
-          await exchanges.update({workflowId: workflow.id, exchange});
-          await emitExchangeUpdated({workflow, exchange, step});
-          lastUpdated = Date.now();
-        } catch(e) {
-          exchange.sequence--;
-          throw e;
-        }
-
-        // FIXME: there may be VCs to issue during this step, do so before
-        // sending the VPR above and remove error that prevents continuing
-        // exchanges that issue
-      }
-      currentStep = step.nextStep;
-    }
-
-    // issue any VCs that are to be stored in the exchange (`result` is set)
-    await issue({workflow, exchange, step, filter: params => params.result});
-
-    // mark exchange complete
-    exchange.state = 'complete';
-    try {
-      exchange.sequence++;
-      await exchanges.complete({workflowId: workflow.id, exchange});
-      await emitExchangeUpdated({workflow, exchange, step});
-    } catch(e) {
-      exchange.sequence--;
-      throw e;
-    }
-    lastUpdated = Date.now();
-
-    // FIXME: decide what the best recovery path is if delivery fails (but no
-    // replay attack detected) after exchange has been marked complete
-
-    // issue any VCs; may return an empty response if the step defines no
-    // VCs to issue
-    const {response} = await issue({workflow, exchange, step});
-
-    // if last `step` has a redirect URL, include it in the response
-    if(step?.redirectUrl) {
-      response.redirectUrl = step.redirectUrl;
+    },
+    inputRequired({step}) {
+      return step.verifiablePresentationRequest && !receivedPresentation;
     }
+  });
+  const response = await exchangeProcessor.process({receivedPresentation});
 
-    // send response
-    res.json(response);
-  } catch(e) {
-    if(e.name === 'InvalidStateError') {
-      throw e;
-    }
-    // write last error if exchange hasn't been frequently updated
-    const {id: workflowId} = workflow;
-    const copy = {...exchange};
-    copy.sequence++;
-    copy.lastError = e;
-    await exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
-      .catch(error => logger.error(
-        'Could not set last exchange error: ' + error.message, {error}));
-    await emitExchangeUpdated({workflow, exchange, step});
-    throw e;
-  }
+  // send response
+  res.json(response);
 }
 
 async function _initOAuth2({oauth2}) {

package/lib/verify.js

@@ -31,27 +31,28 @@ export async function createChallenge({workflow} = {}) {
 
 export async function verify({
   workflow, verifyPresentationOptions, verifiablePresentationRequest,
-  presentation, allowUnprotectedPresentation = false, expectedChallenge,
+  presentation, allowUnprotectedPresentation = false,
+  expectedChallenge, expectedDomain,
   verifyPresentationResultSchema
 } = {}) {
   // create zcap client for verifying
   const {zcapClient, zcaps} = await getZcapClient({workflow});
 
-  // verify presentation
-  const hasProof = presentation?.proof ||
+  // determine if presentation is secured or not
+  const isSecured = presentation?.proof ||
     presentation?.type === 'EnvelopedVerifiablePresentation';
 
-  const checks = (!hasProof && allowUnprotectedPresentation) ?
-    [] : ['proof'];
+  const checks = (!isSecured && allowUnprotectedPresentation) ? [] : ['proof'];
   if(!expectedChallenge) {
     // if no expected challenge, rely on verifier for challenge management
     checks.push('challenge');
   }
-  const capability = zcaps.verifyPresentation;
-  const domain = verifiablePresentationRequest.domain ??
-    new URL(workflow.id).origin;
+
+  // verify presentation
   let result;
   try {
+    const domain = expectedDomain ??
+      verifiablePresentationRequest?.domain ?? new URL(workflow.id).origin;
     const options = createVerifyOptions({
       verifyPresentationOptions,
       expectedChallenge,
@@ -60,6 +61,7 @@ export async function verify({
       domain,
       checks
     });
+    const capability = zcaps.verifyPresentation;
     result = await zcapClient.write({
       capability,
       json: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "7.11.1",
+  "version": "7.11.3",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",