@bedrock/vc-delivery 7.11.2 → 7.12.0

package/lib/helpers.js

@@ -2,7 +2,6 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as vcjwt from './vcjwt.js';
 import {decodeId, generateId} from 'bnid';
 import {compile} from '@bedrock/validation';
 import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
@@ -22,16 +21,6 @@ const ALLOWED_ERROR_KEYS = [
   'status'
 ];
 
-const JWT_FORMAT_ALIASES = new Set([
-  'application/jwt',
-  'application/vc+jwt',
-  'application/vp+jwt',
-  'jwt_vp',
-  'jwt_vp_json',
-  'jwt_vc_json-ld',
-  'jwt_vc_json'
-]);
-
 export function buildPresentationFromResults({
   presentation, verifyResult
 }) {
@@ -128,8 +117,9 @@ export async function evaluateExchangeStep({
 }) {
   let step = workflow.steps[stepName];
   if(step.stepTemplate) {
-    step = await evaluateTemplate(
-      {workflow, exchange, typedTemplate: step.stepTemplate});
+    step = await evaluateTemplate({
+      workflow, exchange, typedTemplate: step.stepTemplate
+    });
   }
   await validateStep({step});
   return step;
@@ -284,7 +274,7 @@ export function createVerifyOptions({
   // update `challenge`
   if(options.challenge === undefined) {
     options.challenge = expectedChallenge ??
-      verifiablePresentationRequest.challenge ??
+      verifiablePresentationRequest?.challenge ??
       presentation?.proof?.challenge;
   }
 
@@ -357,44 +347,6 @@ export function stripStacktrace(error) {
   return error;
 }
 
-export async function unenvelopeCredential({
-  envelopedCredential, format
-} = {}) {
-  const result = _getEnvelope({envelope: envelopedCredential, format});
-
-  // only supported format is VC-JWT at this time
-  const credential = vcjwt.decodeVCJWTCredential({jwt: result.envelope});
-  return {credential, ...result};
-}
-
-export async function unenvelopePresentation({
-  envelopedPresentation, format
-} = {}) {
-  const result = _getEnvelope({envelope: envelopedPresentation, format});
-
-  // only supported format is VC-JWT at this time
-  const presentation = vcjwt.decodeVCJWTPresentation({jwt: result.envelope});
-
-  // unenvelope any VCs in the presentation
-  let {verifiableCredential = []} = presentation;
-  if(!Array.isArray(verifiableCredential)) {
-    verifiableCredential = [verifiableCredential];
-  }
-  if(verifiableCredential.length > 0) {
-    presentation.verifiableCredential = await Promise.all(
-      verifiableCredential.map(async vc => {
-        if(vc?.type !== 'EnvelopedVerifiableCredential') {
-          return vc;
-        }
-        const {credential} = await unenvelopeCredential({
-          envelopedCredential: vc
-        });
-        return credential;
-      }));
-  }
-  return {presentation, ...result};
-}
-
 export async function validateStep({step} = {}) {
   // FIXME: use `ajv` and do JSON schema check
   if(Object.keys(step).length === 0) {
@@ -422,35 +374,19 @@ export async function validateStep({step} = {}) {
   }
 }
 
-function _getEnvelope({envelope, format}) {
-  const isString = typeof envelope === 'string';
-  if(isString) {
-    // supported formats
-    if(JWT_FORMAT_ALIASES.has(format)) {
-      format = 'application/jwt';
-    }
-  } else {
-    const {id} = envelope;
-    if(id?.startsWith('data:application/jwt,')) {
-      format = 'application/jwt';
-      envelope = id.slice('data:application/jwt,'.length);
-    }
-  }
-
-  if(format === 'application/jwt' && envelope !== undefined) {
-    return {envelope, format};
+export function validateVerifiablePresentation({schema, presentation}) {
+  const validate = compile({schema});
+  const {valid, error} = validate(presentation);
+  if(!valid) {
+    throw error;
   }
-
-  throw new BedrockError(
-    `Unsupported credential or presentation envelope format "${format}".`, {
-      name: 'NotSupportedError',
-      details: {httpStatusCode: 400, public: true}
-    });
 }
 
-export function validateVerifiablePresentation({schema, presentation}) {
+export function validateVerifiablePresentationRequest({
+  schema, presentationRequest
+}) {
   const validate = compile({schema});
-  const {valid, error} = validate(presentation);
+  const {valid, error} = validate(presentationRequest);
   if(!valid) {
     throw error;
   }

package/lib/inviteRequest/inviteRequest.js

@@ -2,89 +2,39 @@
  * Copyright (c) 2025-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from '../storage/exchanges.js';
-import {emitExchangeUpdated, evaluateExchangeStep} from '../helpers.js';
-import {logger} from '../logger.js';
+import {ExchangeProcessor} from '../ExchangeProcessor.js';
 
 const {util: {BedrockError}} = bedrock;
 
 export async function processInviteResponse({req}) {
   const {config: workflow} = req.serviceObject;
   const exchangeRecord = await req.getExchange();
-  let {meta: {updated: lastUpdated}} = exchangeRecord;
-  const {exchange} = exchangeRecord;
-  let step;
 
-  try {
-    // exchange step required for `inviteRequest`
-    const currentStep = exchange.step;
-    if(!currentStep) {
-      _throwUnsupportedProtocol();
-    }
-
-    step = await evaluateExchangeStep({workflow, exchange});
-
-    // step must have `inviteRequest` to perform protocol
-    if(!step.inviteRequest) {
-      _throwUnsupportedProtocol();
-    }
+  // `inviteResponse` validated via HTTP body JSON schema already
+  const {body: inviteResponse} = req;
 
-    // exchange must still be pending
-    if(exchange.state !== 'pending') {
-      throw new BedrockError(
-        'This exchange is already in progress.', {
-          name: 'NotAllowedError',
-          details: {httpStatusCode: 403, public: true}
-        });
-    }
-
-    // `inviteResponse` validated via HTTP body JSON schema already
-    const {body: inviteResponse} = req;
-
-    // store invite response in variables associated with current step
-    if(!exchange.variables.results) {
-      exchange.variables.results = {};
-    }
-    const stepResult = {
-      inviteRequest: {inviteResponse}
-    };
-    const prevState = exchange.state;
-    exchange.variables.results[currentStep] = stepResult;
-    try {
-      // mark exchange complete
-      exchange.state = 'complete';
-      exchange.sequence++;
-      await exchanges.complete({workflowId: workflow.id, exchange});
-      await emitExchangeUpdated({workflow, exchange, step});
-      lastUpdated = Date.now();
-    } catch(e) {
-      // revert exchange changes as it couldn't be written
-      exchange.sequence--;
-      exchange.state = prevState;
-      delete exchange.variables.results[currentStep];
-      throw e;
+  // process exchange to completion
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    prepareStep({exchange, step}) {
+      // step must have `inviteRequest` to perform protocol
+      if(!step.inviteRequest) {
+        _throwUnsupportedProtocol();
+      }
+      // store invite response in variables associated with current step
+      exchange.variables.results[exchange.step] = {
+        ...exchange.variables.results[exchange.step],
+        inviteRequest: {inviteResponse}
+      };
     }
+  });
+  await exchangeProcessor.process();
 
-    const result = {};
-    if(inviteResponse.referenceId !== undefined) {
-      result.referenceId = inviteResponse.referenceId;
-    }
-    return result;
-  } catch(e) {
-    if(e.name === 'InvalidStateError') {
-      throw e;
-    }
-    // write last error if exchange hasn't been frequently updated
-    const {id: workflowId} = workflow;
-    const copy = {...exchange};
-    copy.sequence++;
-    copy.lastError = e;
-    await exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
-      .catch(error => logger.error(
-        'Could not set last exchange error: ' + error.message, {error}));
-    await emitExchangeUpdated({workflow, exchange, step});
-    throw e;
+  const result = {};
+  if(inviteResponse.referenceId !== undefined) {
+    result.referenceId = inviteResponse.referenceId;
   }
+  return result;
 }
 
 export function getInviteRequestProtocols({workflow, exchange, step}) {

package/lib/issue.js

@@ -15,13 +15,16 @@ const {util: {BedrockError}} = bedrock;
 
 export async function issue({
   workflow, exchange, step, format = 'application/vc',
+  issueRequestsParams,
+  verifiablePresentation,
+  // FIXME: remove `filter`
   // by default do not issue any VCs that are to be stored in the exchange;
   // (`result` is NOT set)
   filter = params => !params.result
 } = {}) {
   // eval all issue requests for current step in exchange
   const issueRequests = await _evalIssueRequests({
-    workflow, exchange, step, filter
+    workflow, exchange, step, issueRequestsParams, filter
   });
 
   // return early if there is no explicit VP in step nor nothing to issue
@@ -42,8 +45,10 @@ export async function issue({
 
   // generate VP to return VCs; use any explicitly defined VP from the step
   // (which may include out-of-band issued VCs that are to be delivered)
-  const verifiablePresentation =
-    structuredClone(step?.verifiablePresentation) ?? createPresentation();
+  verifiablePresentation =
+    verifiablePresentation ??
+    structuredClone(step?.verifiablePresentation) ??
+    createPresentation();
 
   // add issued VCs to VP
   if(issuedVcs.length > 0) {
@@ -60,31 +65,16 @@ export async function issue({
   return {response: {verifiablePresentation}, format, exchangeChanged};
 }
 
-async function _evalIssueRequests({workflow, exchange, step, filter}) {
-  // evaluate all issue requests in parallel
-  let results = await _getIssueRequestParams({workflow, exchange, step});
-  results = results.filter(filter);
-  return Promise.all(results.map(async params => {
-    const {typedTemplate, variables} = params;
-    return {
-      params,
-      body: await evaluateTemplate({
-        workflow, exchange, typedTemplate, variables
-      })
-    };
-  }));
-}
-
-async function _getIssueRequestParams({workflow, exchange, step}) {
+export function getIssueRequestsParams({workflow, exchange, step}) {
   // use any templates from workflow and variables from exchange to produce
   // credentials to be issued; issue via the configured issuer instance
   const {credentialTemplates = []} = workflow;
   if(!(credentialTemplates.length > 0)) {
-    // no issue request params
+    // no issue requests params
     return [];
   }
 
-  if(!step ||
+  if(!workflow.steps ||
     (!step.issueRequests && Object.keys(workflow.steps).length === 1)) {
     // backwards-compatibility: deprecated workflows with no step or a single
     // step do not explicitly define `issueRequests` but instead consider each
@@ -93,9 +83,14 @@ async function _getIssueRequestParams({workflow, exchange, step}) {
     return credentialTemplates.map(typedTemplate => ({typedTemplate}));
   }
 
-  // resolve all issue request params in parallel
+  if(!step.issueRequests) {
+    // no issue requests params
+    return [];
+  }
+
+  // resolve all issue requests params
   const variables = getTemplateVariables({workflow, exchange});
-  return Promise.all(step.issueRequests.map(async r => {
+  return step.issueRequests.map(r => {
     // find the typed template to use
     let typedTemplate;
     if(r.credentialTemplateIndex !== undefined) {
@@ -138,6 +133,23 @@ async function _getIssueRequestParams({workflow, exchange, step}) {
       params.result = r.result;
     }
     return params;
+  });
+}
+
+async function _evalIssueRequests({
+  workflow, exchange, step, issueRequestsParams, filter
+}) {
+  // evaluate all issue requests in parallel
+  const results = issueRequestsParams ??
+    getIssueRequestsParams({workflow, exchange, step}).filter(filter);
+  return Promise.all(results.map(async params => {
+    const {typedTemplate, variables} = params;
+    return {
+      params,
+      body: await evaluateTemplate({
+        workflow, exchange, typedTemplate, variables
+      })
+    };
   }));
 }
 

package/lib/oid4/authorizationRequest.js

@@ -12,6 +12,9 @@ import {randomUUID} from 'node:crypto';
 
 const {util: {BedrockError}} = bedrock;
 
+const ENCRYPTED_RESPONSE_MODES = new Set([
+  'direct_post.jwt', 'dc_api.jwt', 'dc_api'
+]);
 const OID4VP_JWT_TYP = 'oauth-authz-req+jwt';
 const TEXT_ENCODER = new TextEncoder();
 
@@ -28,6 +31,7 @@ export async function create({
   // get params from step OID4VP client profile to apply to the AR
   const {
     client_id, client_id_scheme,
+    dcql_query,
     nonce,
     presentation_definition,
     response_mode, response_uri
@@ -37,6 +41,10 @@ export async function create({
   // client_id_scheme (draft versions of OID4VP use this param)
   authorizationRequest.client_id_scheme = client_id_scheme ?? 'redirect_uri';
 
+  // dcql_query
+  authorizationRequest.dcql_query = dcql_query ??
+    authorizationRequest.dcql_query;
+
   // presentation_definition
   authorizationRequest.presentation_definition = presentation_definition ??
     authorizationRequest.presentation_definition;
@@ -175,8 +183,8 @@ async function _createClientMetaData({
     client_metadata.require_signed_request_object = true;
   }
 
-  // for response mode `direct_post.jwt`, offer encryption options
-  if(authorizationRequest.response_mode === 'direct_post.jwt') {
+  // offer encryption options for encrypted response modes
+  if(ENCRYPTED_RESPONSE_MODES.has(authorizationRequest.response_mode)) {
     // generate ECDH-ES P-256 key
     const kp = await generateKeyPair('ECDH-ES', {
       crv: 'P-256', extractable: true

package/lib/oid4/authorizationResponse.js

@@ -8,7 +8,6 @@ import {
 } from '../../schemas/bedrock-vc-workflow.js';
 import {compile} from '@bedrock/validation';
 import {oid4vp} from '@digitalbazaar/oid4-client';
-import {unenvelopePresentation} from '../helpers.js';
 
 const {util: {BedrockError}} = bedrock;
 
@@ -27,58 +26,46 @@ bedrock.events.on('bedrock.init', () => {
   });
 });
 
-export async function parse({req, exchange, clientProfileId} = {}) {
+export async function parse({
+  req, exchange, clientProfileId, authorizationRequest
+} = {}) {
   try {
     const {body} = req;
     const {
-      responseMode, parsed, protectedHeader
+      responseMode, parsed, protectedHeader,
+      recipientPublicJwk, recipientPublicJwkThumbprint,
+      vpTokenMediaType
     } = await oid4vp.verifier.parseAuthorizationResponse({
       body,
       getDecryptParameters() {
         return _getDecryptParameters({exchange, clientProfileId});
-      }
+      },
+      authorizationRequest
     });
 
-    // validate parsed presentation submission
+    // validate parsed presentation submission if given
     const {presentationSubmission} = parsed;
-    _validate(VALIDATORS.presentationSubmission, presentationSubmission);
+    if(presentationSubmission) {
+      _validate(VALIDATORS.presentationSubmission, presentationSubmission);
+    }
 
     // obtain `presentation` and optional `envelope` from parsed `vpToken`
     const {vpToken} = parsed;
     let presentation;
     let envelope;
 
-    if(oid4vp.authzResponse.submitsFormat({
-      presentationSubmission, format: 'mso_mdoc'
-    })) {
-      // `vp_token` is declared to be a base64url-encoded mDL device response
-      presentation = {
-        '@context': VC_CONTEXT_2,
-        id: `data:application/mdl-vp-token,${vpToken}`,
-        type: 'EnvelopedVerifiablePresentation'
-      };
-    } else if(typeof vpToken === 'string') {
-      // FIXME: remove unenveloping here and delegate it to VC API verifier;
-      // FIXME: check if envelope matches submission once verified
-      const {
-        envelope: raw, presentation: contents, format
-      } = await unenvelopePresentation({
-        envelopedPresentation: vpToken,
-        // FIXME: check `presentationSubmission` for VP format
-        format: 'application/jwt'
-      });
-      _validate(VALIDATORS.presentation, contents);
+    if(vpTokenMediaType !== 'application/vp') {
+      // `vp_token` contains some enveloped format
       presentation = {
         '@context': VC_CONTEXT_2,
-        id: `data:${format},${raw}`,
+        id: `data:${vpTokenMediaType},${vpToken}`,
         type: 'EnvelopedVerifiablePresentation'
       };
-      envelope = {raw, contents, format};
+      envelope = {mediaType: vpTokenMediaType};
     } else {
-      // simplest case: `vpToken` is a VP; validate it
+      // simplest case: `vpToken` is a VP; validate it against basic schema
       presentation = vpToken;
       _validate(VALIDATORS.presentation, presentation);
-      // FIXME: validate VP against presentation submission
     }
 
     return {
@@ -86,7 +73,9 @@ export async function parse({req, exchange, clientProfileId} = {}) {
       presentationSubmission,
       presentation,
       envelope,
-      protectedHeader
+      protectedHeader,
+      recipientPublicJwk,
+      recipientPublicJwkThumbprint
     };
   } catch(cause) {
     throw new BedrockError(

package/lib/oid4/http.js

@@ -405,7 +405,7 @@ function _normalizeCredentials({verifiablePresentation}) {
   // use raw format for each credential
   const {verifiableCredential} = verifiablePresentation;
   return verifiableCredential.map(vc => {
-    // parse any enveloped VC into its non-VC format
+    // parse any JWT-enveloped VC into its non-VC format
     if(vc.type === 'EnvelopedVerifiableCredential' &&
       vc.id?.startsWith('data:application/jwt,')) {
       return vc.id.slice('data:application/jwt,'.length);