@bedrock/vc-delivery 7.11.2 → 7.12.0

package/lib/oid4/oid4vp.js

@@ -2,22 +2,17 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as exchanges from '../storage/exchanges.js';
 import {
-  buildPresentationFromResults,
-  buildVerifyPresentationResults,
-  emitExchangeUpdated,
   evaluateExchangeStep,
   resolveVariableName,
   setVariable
 } from '../helpers.js';
 import {getClientBaseUrl, getClientProfile} from './clientProfiles.js';
-import {compile} from '@bedrock/validation';
 import {create as createAuthorizationRequest} from './authorizationRequest.js';
-import {logger} from '../logger.js';
+import {verify as defaultVerify} from '../verify.js';
+import {ExchangeProcessor} from '../ExchangeProcessor.js';
 import {oid4vp} from '@digitalbazaar/oid4-client';
 import {parse as parseAuthorizationResponse} from './authorizationResponse.js';
-import {verify} from '../verify.js';
 
 const {util: {BedrockError}} = bedrock;
 
@@ -26,73 +21,59 @@ export {encode as encodeAuthorizationRequest} from './authorizationRequest.js';
 export async function getAuthorizationRequest({req, clientProfileId}) {
   const {config: workflow} = req.serviceObject;
   const exchangeRecord = await req.getExchange();
-  let {exchange} = exchangeRecord;
-  let step;
-  let clientProfile;
-
-  while(true) {
-    // exchange step required for OID4VP
-    const currentStep = exchange.step;
-    if(!currentStep) {
-      _throwUnsupportedProtocol();
-    }
-
-    step = await evaluateExchangeStep({workflow, exchange});
 
-    // step must have `openId` to perform OID4VP
-    if(!step.openId) {
-      _throwUnsupportedProtocol();
-    }
+  // process exchange and capture values to return
+  const result = {};
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    async prepareStep({exchange, step}) {
+      const {
+        clientProfile, authorizationRequest
+      } = await getStepAuthorizationRequest({
+        workflow, exchange, step, clientProfileId
+      });
 
-    // deny retrieval of authorization request if an authorization response
-    // has already been accepted for this step
-    if(exchange.variables?.results?.[exchange.step]) {
-      throw new BedrockError(
-        'This OID4VP exchange is already in progress.', {
-          name: 'NotAllowedError',
-          details: {httpStatusCode: 403, public: true}
-        });
+      // save values to return
+      result.clientProfile = clientProfile;
+      result.authorizationRequest = authorizationRequest;
+      result.exchange = exchange;
+      result.step = step;
+    },
+    inputRequired() {
+      // input always required (authz response required)
+      return true;
     }
+  });
+  await exchangeProcessor.process();
 
-    // get OID4VP client profile
-    clientProfile = getClientProfile({step, clientProfileId});
+  return result;
+}
 
-    const {
-      authorizationRequest,
-      exchangeChanged
-    } = await _getStepAuthorizationRequest({
-      workflow, exchange, clientProfileId, clientProfile, step
+export async function getStepAuthorizationRequest({
+  workflow, exchange, step, clientProfileId
+}) {
+  // step must have `openId` to perform OID4VP
+  if(!step.openId) {
+    _throwUnsupportedProtocol();
+  }
+  // deny retrieval of authorization request if an authorization response
+  // has already been accepted for this step
+  if(exchange.variables.results[exchange.step]?.verifiablePresentation) {
+    throw new BedrockError('This OID4VP exchange is already in progress.', {
+      name: 'NotAllowedError',
+      details: {httpStatusCode: 403, public: true}
     });
+  }
 
-    const prevState = exchange.state;
-    let updateExchange = exchangeChanged;
-    if(exchange.state === 'pending') {
-      exchange.state = 'active';
-      updateExchange = true;
-    }
+  // get OID4VP client profile
+  const clientProfile = getClientProfile({step, clientProfileId});
 
-    if(updateExchange) {
-      try {
-        exchange.sequence++;
-        await exchanges.update({workflowId: workflow.id, exchange});
-        await emitExchangeUpdated({workflow, exchange, step});
-      } catch(e) {
-        exchange.state = prevState;
-        exchange.sequence--;
-        if(e.name !== 'InvalidStateError') {
-          // unrecoverable error
-          throw e;
-        }
-        // get exchange and loop to try again on `InvalidStateError`
-        const record = await exchanges.get(
-          {workflowId: workflow.id, id: exchange.id});
-        ({exchange} = record);
-        continue;
-      }
-    }
+  // generate authorization request
+  const {authorizationRequest} = await _getOrCreateStepAuthorizationRequest({
+    workflow, exchange, clientProfileId, clientProfile, step
+  });
 
-    return {authorizationRequest, exchange, step, clientProfile};
-  }
+  return {clientProfile, authorizationRequest};
 }
 
 export async function getOID4VPProtocols({workflow, exchange, step}) {
@@ -125,7 +106,7 @@ export async function getOID4VPProtocols({workflow, exchange, step}) {
     });
     const {
       authorizationRequest: {client_id}
-    } = await _getStepAuthorizationRequest({
+    } = await _getOrCreateStepAuthorizationRequest({
       workflow, exchange, clientProfileId, clientProfile, step
     });
     const searchParams = new URLSearchParams({
@@ -148,7 +129,7 @@ export async function initExchange({workflow, exchange, initialStep} = {}) {
   const clientProfiles = openId.clientProfiles ?
     Object.entries(openId.clientProfiles) : [[undefined, openId]];
   await Promise.all(clientProfiles.map(([clientProfileId, clientProfile]) =>
-    _getStepAuthorizationRequest({
+    _getOrCreateStepAuthorizationRequest({
       workflow, exchange, clientProfileId, clientProfile, step: initialStep
     })));
 }
@@ -156,184 +137,153 @@ export async function initExchange({workflow, exchange, initialStep} = {}) {
 export async function processAuthorizationResponse({req, clientProfileId}) {
   const {config: workflow} = req.serviceObject;
   const exchangeRecord = await req.getExchange();
-  let {exchange} = exchangeRecord;
-
-  // ensure authz response can be parsed
-  const {
-    presentation, envelope, presentationSubmission,
-    responseMode, protectedHeader
-  } = await parseAuthorizationResponse({req, exchange, clientProfileId});
-
-  let {meta: {updated: lastUpdated}} = exchangeRecord;
-  let step;
-  try {
-    // get authorization request and updated exchange associated with exchange
-    const arResult = await getAuthorizationRequest({req, clientProfileId});
-    const {authorizationRequest} = arResult;
-    ({exchange, step} = arResult);
-
-    // ensure a result for this step has not already been stored
-    const currentStep = exchange.step;
-    if(exchange.variables?.results?.[currentStep]) {
-      throw new BedrockError(
-        'This OID4VP exchange is already in progress.', {
-          name: 'NotAllowedError',
-          details: {httpStatusCode: 403, public: true}
-        });
-    }
 
-    // ensure response mode matches
-    if(responseMode !== authorizationRequest.response_mode) {
-      throw new BedrockError(
-        `The used response mode ("${responseMode}") does not match the ` +
-        `expected response mode ("${authorizationRequest.response_mode}".`, {
-          name: 'ConstraintError',
-          details: {httpStatusCode: 400, public: true}
-        });
-    }
+  // process exchange and produce result
+  let parseResponseResult;
+  const result = {};
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    async prepareStep({exchange, step}) {
+      const {authorizationRequest} = await getStepAuthorizationRequest({
+        workflow, exchange, step, clientProfileId
+      });
+      result.authorizationRequest = authorizationRequest;
+
+      // ensure authz response can be parsed
+      parseResponseResult = await parseAuthorizationResponse({
+        req, exchange: exchangeRecord.exchange, clientProfileId,
+        authorizationRequest
+      });
 
-    // FIXME: check the VP against the presentation submission if requested
-    // FIXME: check the VP against "trustedIssuer" in VPR, if provided
-    const {presentationSchema} = step;
-    if(presentationSchema) {
-      // if the VP is enveloped, validate the contents of the envelope
-      const toValidate = envelope ? envelope.contents : presentation;
-
-      // validate the received VP / envelope contents
-      const {jsonSchema: schema} = presentationSchema;
-      const validate = compile({schema});
-      const {valid, error} = validate(toValidate);
-      if(!valid) {
-        throw error;
+      // only mark exchange complete if there is nothing to be issued; this
+      // handles same-step OID4VCI+OID4VP case
+      const {credentialTemplates = []} = workflow;
+      if(credentialTemplates.length === 0) {
+        exchange.state = 'complete';
       }
-    }
 
-    // verify the received VP
-    const {verifiablePresentationRequest} = await oid4vp.toVpr(
-      {authorizationRequest});
-    const {
-      allowUnprotectedPresentation = false,
-      verifyPresentationResultSchema
-    } = step;
-    const verifyPresentationOptions = {
-      ...step.verifyPresentationOptions
-    };
-
-    // if `direct_post.jwt` used w/ mDL presentation, include `mDL` options
-    if(responseMode === 'direct_post.jwt' &&
-      oid4vp.authzResponse.submitsFormat({
-        presentationSubmission, format: 'mso_mdoc'
-      })) {
-      verifyPresentationOptions.challenge = authorizationRequest.nonce;
-      verifyPresentationOptions.domain = authorizationRequest.response_uri;
-      verifyPresentationOptions.mdl = {
-        ...verifyPresentationOptions.mdl,
-        // note: in session transcript:
-        // `domain` option above will be used for `responseUri`
-        // `challenge` option above will be used for `verifierGeneratedNonce`
-        // so do not send here to avoid redundancy
-        sessionTranscript: {
-          // per ISO 18013-7 the `mdocGeneratedNonce` is base64url-encoded
-          // and put into the `apu` protected header parameter -- and the
-          // VC API `mdl.sessionTranscript` option expects the
-          // `mdocGeneratedNonce` to be base64url-encoded, so we can pass
-          // it straight through
-          mdocGeneratedNonce: protectedHeader.apu,
-          clientId: authorizationRequest.client_id
-        }
-      };
-    }
+      // include `redirect_uri` if specified in step
+      const {redirect_uri} = step.openId;
+      if(redirect_uri) {
+        result.redirect_uri = redirect_uri;
+      }
 
-    const verifyResult = await verify({
-      workflow,
+      const {presentation: receivedPresentation} = parseResponseResult;
+      return {receivedPresentation};
+    },
+    inputRequired({step}) {
+      // indicate input always required to avoid automatically advancing
+      // to the next step, but clear `step.verifiablePresentationRequest`
+      // to avoid overwriting previous value
+      delete step.verifiablePresentationRequest;
+      return true;
+    },
+    async verify({
+      workflow, exchange,
       verifyPresentationOptions,
       verifyPresentationResultSchema,
-      verifiablePresentationRequest,
       presentation,
       allowUnprotectedPresentation,
-      expectedChallenge: authorizationRequest.nonce
-    });
-    const {verificationMethod} = verifyResult;
+      expectedChallenge,
+      expectedDomain
+    }) {
+      const {authorizationRequest} = result;
+      verifyPresentationOptions.challenge = authorizationRequest.nonce;
+      verifyPresentationOptions.domain = authorizationRequest.response_uri;
 
-    // store VP results in variables associated with current step
-    if(!exchange.variables.results) {
-      exchange.variables.results = {};
-    }
-    const stepResult = {
-      // common use case of DID Authentication; provide `did` for ease
-      // of use in template
-      did: verificationMethod?.controller || null,
-      verificationMethod,
-      verifiablePresentation: buildPresentationFromResults({
-        presentation,
-        verifyResult
-      }),
-      verifyPresentationResults: buildVerifyPresentationResults({
-        verifyResult
-      }),
-      openId: {
-        clientProfileId,
-        authorizationRequest,
-        presentationSubmission
-      }
-    };
-    if(envelope) {
-      // include enveloped VP in step result
-      stepResult.envelopedPresentation = presentation;
-    }
-    const prevState = exchange.state;
-    exchange.variables.results[currentStep] = stepResult;
-    try {
-      exchange.sequence++;
+      // FIXME: OID4VP 1.0+ does not have a presentation submission
+      // handle mDL submission
+      const {envelope} = parseResponseResult;
+      if(envelope?.mediaType === 'application/mdl-vp-token') {
+        // generate `handover` for mDL verification
+        let handover;
+
+        // common `handover` parameters:
+        const origin = authorizationRequest?.expected_origins?.[0] ??
+          new URL(authorizationRequest.response_uri).origin;
+        const nonce = authorizationRequest.nonce;
+
+        // `direct_post.jwt` => ISO18013-7 Annex B
+        // FIXME: same response mode is also used for OID4VP 1.0 with
+        // `OpenID4VPHandover` where `presentationSubmission` will be absent;
+        // this is not yet supported
+        // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-invocation-via-redirects
+        const {responseMode} = parseResponseResult;
+        if(responseMode === 'direct_post.jwt') {
+          handover = {
+            type: 'AnnexBHandover',
+            // per ISO 18013-7 B the `mdocGeneratedNonce` is base64url-encoded
+            // and put into the `apu` protected header parameter, so parse that
+            // here and convert it to a UTF-8 string instead
+            mdocGeneratedNonce: Buffer
+              .from(parseResponseResult.protectedHeader?.apu ?? '', 'base64url')
+              .toString('utf8'),
+            clientId: authorizationRequest.client_id,
+            responseUri: authorizationRequest.response_uri,
+            verifierGeneratedNonce: nonce
+          };
+        } else if(responseMode === 'dc_api') {
+          // `dc_api` => ISO18013-7 Annex C
+          handover = {
+            type: 'dcapi',
+            origin,
+            nonce,
+            recipientPublicJwk: parseResponseResult.recipientPublicJwk
+          };
+        } else if(responseMode === 'dc_api.jwt') {
+          // `dc_api.jwt` => ISO18013-7 Annex D
+          handover = {
+            type: 'OpenID4VPDCAPIHandover',
+            origin,
+            nonce,
+            jwkThumbprint: parseResponseResult.recipientPublicJwkThumbprint
+          };
+        }
 
-      // if there is something to issue, update exchange, do not complete it
-      const {credentialTemplates = []} = workflow;
-      if(credentialTemplates?.length > 0 &&
-        (exchange.state === 'pending' || exchange.state === 'active')) {
-        // ensure exchange state is set to `active` (will be rejected as a
-        // conflict if the state in database at update time isn't `pending` or
-        // `active`)
-        exchange.state = 'active';
-        await exchanges.update({workflowId: workflow.id, exchange});
-      } else {
-        // mark exchange complete
-        exchange.state = 'complete';
-        await exchanges.complete({workflowId: workflow.id, exchange});
+        verifyPresentationOptions.mdl = {
+          ...verifyPresentationOptions.mdl,
+          // send encoded mDL `sessionTranscript`
+          sessionTranscript: Buffer
+            .from(await oid4vp.mdl.encodeSessionTranscript({handover}))
+            .toString('base64url')
+        };
       }
-      await emitExchangeUpdated({workflow, exchange, step});
-      lastUpdated = Date.now();
-    } catch(e) {
-      // revert exchange changes as it couldn't be written
-      exchange.sequence--;
-      exchange.state = prevState;
-      delete exchange.variables.results[currentStep];
-      throw e;
-    }
 
-    const result = {};
+      // verify presentation
+      const verifyResult = await defaultVerify({
+        workflow,
+        verifyPresentationOptions,
+        verifyPresentationResultSchema,
+        presentation,
+        allowUnprotectedPresentation,
+        expectedChallenge,
+        expectedDomain
+      });
 
-    // include `redirect_uri` if specified in step
-    const {redirect_uri} = step.openId;
-    if(redirect_uri) {
-      result.redirect_uri = redirect_uri;
-    }
+      // save OID4VP results in exchange
+      const {presentationSubmission} = parseResponseResult;
+      exchange.variables.results[exchange.step] = {
+        ...exchange.variables.results[exchange.step],
+        openId: {
+          clientProfileId,
+          authorizationRequest,
+          presentationSubmission
+        }
+      };
+      // FIXME: do w/o `parseResponseResult.envelope` to eliminate envelope
+      // parsing (let verifier do it)
+      if(parseResponseResult.envelope) {
+        // include enveloped VP in step result
+        exchange.variables.results[exchange.step]
+          .envelopedPresentation = presentation;
+      }
 
-    return result;
-  } catch(e) {
-    if(e.name === 'InvalidStateError') {
-      throw e;
+      return verifyResult;
     }
-    // write last error if exchange hasn't been frequently updated
-    const {id: workflowId} = workflow;
-    const copy = {...exchange};
-    copy.sequence++;
-    copy.lastError = e;
-    await exchanges.setLastError({workflowId, exchange: copy, lastUpdated})
-      .catch(error => logger.error(
-        'Could not set last exchange error: ' + error.message, {error}));
-    await emitExchangeUpdated({workflow, exchange, step});
-    throw e;
-  }
+  });
+  await exchangeProcessor.process();
+
+  return result;
 }
 
 export async function supportsOID4VP({workflow, exchange, step}) {
@@ -346,7 +296,7 @@ export async function supportsOID4VP({workflow, exchange, step}) {
   return step.openId !== undefined;
 }
 
-async function _getStepAuthorizationRequest({
+async function _getOrCreateStepAuthorizationRequest({
   workflow, exchange, clientProfileId, clientProfile, step
 }) {
   let authorizationRequest;