@bedrock/vc-verifier 6.0.0

package/.eslintrc.cjs

@@ -0,0 +1,12 @@
+module.exports = {
+  root: true,
+  parserOptions: {
+    // this is required for dynamic import()
+    ecmaVersion: 2020
+  },
+  env: {
+    node: true
+  },
+  extends: ['digitalbazaar', 'digitalbazaar/jsdoc'],
+  ignorePatterns: ['node_modules/']
+};

package/.github/workflows/main.yml

@@ -0,0 +1,77 @@
+name: Bedrock Node.js CI
+
+on: [push]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        node-version: [14.x]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: npm install
+    - name: Run eslint
+      run: npm run lint
+  test-node:
+    needs: [lint]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    services:
+      mongodb:
+        image: mongo:4.2
+        ports:
+          - 27017:27017
+    strategy:
+      matrix:
+        node-version: [14.x]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: |
+        npm install
+        cd test
+        npm install
+    - name: Run test with Node.js ${{ matrix.node-version }}
+      run: |
+        cd test
+        npm test
+  coverage:
+    needs: [test-node]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    services:
+      mongodb:
+        image: mongo:4.2
+        ports:
+          - 27017:27017
+    strategy:
+      matrix:
+        node-version: [14.x]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: |
+        npm install
+        cd test
+        npm install
+    - name: Generate coverage report
+      run: |
+        cd test
+        npm run coverage-ci
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v2
+      with:
+        file: ./test/coverage/lcov.info
+        fail_ci_if_error: true

package/CHANGELOG.md

@@ -0,0 +1,123 @@
+# bedrock-vc-verifier ChangeLog
+
+## 6.0.0 - 2022-04-06
+
+### Changed
+- **BREAKING**: Rename package to `@bedrock/vc-verifier`.
+- **BREAKING**: Convert to module (ESM).
+- **BREAKING**: Remove default export.
+- **BREAKING**: Require node 14.x.
+
+## 5.2.0 - 2022-03-14
+
+### Added
+- Add missing dependencies `@digitalbazaar/webkms-client@10.0` and
+  `@digitalbazaar/edv-client@13.0` in test.
+- Add coverage action in github workflows.
+
+### Removed
+- Remove unused dependency `crypto-ld@6.0`.
+- Remove unused dependencies `veres-one-context`, `did-veres-one`, `crypto-ld`,
+  `did-context` and `bedrock-views` from test.
+
+## 5.1.0 - 2022-03-12
+
+### Changed
+- Update dependencies:
+  - `@digitalbazaar/vc-status-list@2.1`.
+
+## 5.0.0 - 2022-03-11
+
+### Changed
+- **BREAKING**: Update peer dependencies:
+  - `bedrock-service-core@3`
+  - `bedrock-service-context-store@3`
+  - `bedrock-did-io@6.1`.
+
+## 4.0.0 - 2022-03-01
+
+### Changed
+- **BREAKING**: Move zcap revocations to `/zcaps/revocations` to better
+  future proof.
+- **BREAKING**: Require `bedrock-service-core@2`, `bedrock-service-agent@2`,
+  and `bedrock-service-context-store@2` peer dependencies.
+
+## 3.1.0 - 2022-02-23
+
+### Added
+- Add default (dev mode) `app-identity` entry for `vc-verifier` service.
+
+## 3.0.1 - 2022-02-21
+
+### Changed
+- Use `@digitalbazaar/vc-status-list-context` and updated bedrock-vc-status-list-context.
+  These dependencies have no changes other than moved package locations.
+
+## 3.0.0 - 2022-02-20
+
+### Changed
+- **BREAKING**: Complete refactor to run on top of `bedrock-service*` modules. While
+  this version has similar functionality, its APIs and implementation are a clean
+  break from previous versions.
+
+## 2.3.0 - 2022-02-15
+
+### Changed
+- Refactor documentLoader.
+
+## 2.2.0 - 2022-02-09
+
+### Added
+- Add support for "StatusList2021Credential" status checks using
+  `vc-status-list@1.0`
+- Add tests.
+
+## 2.1.0 - 2021-09-14
+
+### Added
+- Add support for unsigned VPs.
+
+## 2.0.2 - 2021-08-23
+
+### Changed
+- Update deps to fix multicodec bugs and set `verificationSuite` for `v1` to
+  `Ed25519VerificationKey2020` in config.
+
+## 2.0.1 - 2021-05-28
+
+### Fixed
+- Fix bedrock peer dependencies.
+
+## 2.0.0 - 2021-05-28
+
+### Changed
+- **BREAKING**: Remove `axios` and use `@digitalbazaar/http-client@1.1.0`.
+  Errors surfaced from `http-client` do not have the same signature as `axios`.
+- **BREAKING**: Remove `cfg.ledgerHostname` and `cfg.mode` from `config.js`.
+- **BREAKING**: Use [vc-revocation-list@3](https://github.com/digitalbazaar/vc-revocation-list/blob/main/CHANGELOG.md).
+  Revocation list credentials must have the same issuer value as the credential
+  to be revoked.
+- **BREAKING**: Use [bedrock-did-io@3.0](https://github.com/digitalbazaar/bedrock-did-io/blob/main/CHANGELOG.md).
+- Replace `vc-js` with `@digitalbazaar/vc`.
+- Update to support ed25519 2020 signature suite.
+- Update peerDeps and testDeps.
+
+## 1.2.0 - 2021-03-03
+
+### Fixed
+
+- Only verify based on `options.checks`.
+
+## 1.1.0 - 2020-05-18
+
+### Added
+
+- Implement W3C CCG VC Verification HTTP API.
+
+## 1.0.0 - 2020-02-27
+
+### Added
+  - API endpoint /vc/verify which can verify a presentation.
+  - Mock API endpoint /verifiers/:verifierId/verifications/:referenceId
+  - Positive tests for both endpoints.
+  - Utils to serialize errors in verification reports.

package/LICENSE.md

@@ -0,0 +1,115 @@
+Bedrock Non-Commercial License v1.0
+===================================
+
+Copyright (c) 2011-2022 Digital Bazaar, Inc.
+All rights reserved.
+
+Summary
+=======
+
+This license allows the licensee to use Bedrock and its software modules
+for non-commercial purposes such as self-study, research, personal
+projects, or for evaluation purposes. If the licensee uses Bedrock
+directly or indirectly to generate revenue, or to provide products or
+services to more than 500 people (users), the licensee must immediately
+obtain a non-profit or commercial license.
+
+Examples
+========
+
+These are examples of cases that are allowed by this license:
+
+* The licensee is an individual that creates Bedrock-dependent software for
+  personal use only.
+* The licensee is an individual or group of students/researchers that uses
+  Bedrock to experiment with an idea for a non-commercial project.
+* The licensee is a startup company that prototypes a Bedrock-dependent
+  product before they have cash flow and will be testing the prototype
+  software with less than 500 users. The service will not generate revenue
+  of any kind.
+* The licensee is a for-profit organization that creates a product or
+  service that is used by less than 500 users and is built with or
+  integrates with Bedrock. The service must be exclusively provided for free
+  and no parent, subsidiary, agent, or affiliate organization may profit
+  from its direct or indirect use.
+
+These cases require a non-profit or commercial license:
+
+* The licensee is a non-profit that receives funding to create and/or run a
+  Bedrock-dependent service.
+* The licensee is a startup company with Bedrock-dependent software that is
+  funded by another organization.
+* The licensee is a startup company that is going into production with
+  Bedrock-dependent software.
+* The licensee has more than 500 users using a Bedrock-dependent service
+  either directly or indirectly.
+* The licensee is a medium to large organization that builds or integrates a
+  commercial product or service with Bedrock.
+
+THE LICENSE
+===========
+
+This section and all subsequent sections of this document constitute the
+agreement between the licensee and Digital Bazaar, Inc.
+
+DEFINITIONS
+===========
+
+* Product - The Bedrock software and any modules associated with Bedrock
+where Digital Bazaar, Inc. owns the copyright.
+
+CONDITIONS
+==========
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted for NON-COMMERCIAL PURPOSES as long as the
+following conditions are met:
+
+1. Any use of the Product must not generate revenue for the licensee or
+   any parent, subsidiary, agent, or affiliate of the licensee. Use of
+   Product includes, but is not limited to, interacting with any of the
+   licensee's Product-dependent products or services over a network.
+
+2. The aggregate number of individual people (users) of the licensee's
+   products or services that use Product must be less than 500.
+
+3. Redistributions of source code must retain the above copyright notice
+   intact, this list of conditions and the following disclaimer.
+
+4. Redistributions in binary form must reproduce the above copyright
+   notice, this license and the following disclaimer in the documentation and
+   on a web page available via interactive use and/or other materials
+   provided with the distribution.
+
+5. Neither the name of the copyright holder, the names of its
+   contributors, nor any trademarks held by the copyright holder may be used
+   to endorse or promote products or services built using the Product without
+   specific prior written permission.
+
+6. Any modifications are clearly outlined in release documentation and are
+   specifically mentioned as not being a part of an official Product release.
+   No additional restrictions to this license may be made when distributing
+   modifications.
+
+7. For the avoidance of doubt, this license prohibits sublicensing of the
+   Product.
+
+8. Any breach of this license by licensee must be resolved within 30 days.
+   Failure to do so results in the termination of this license.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+To obtain a non-profit or commercial license for Product, please contact
+Digital Bazaar, Inc. at the following email address:
+
+Digital Bazaar <support@digitalbazaar.com>

package/README.md

@@ -0,0 +1,126 @@
+# Bedrock VC Verifier API module _(bedrock-vc-verifier)_
+
+[![Build Status](https://img.shields.io/github/workflow/status/digitalbazaar/bedrock-vc-verifier/Bedrock%20Node.js%20CI)](https://github.com/digitalbazaar/bedrock-vc-verifier/actions?query=workflow%3A%22Bedrock+Node.js+CI%22)
+[![NPM Version](https://img.shields.io/npm/v/bedrock-vc-verifier.svg)](https://npm.im/bedrock-vc-verifier)
+
+> A VC Verifier API library for use with Bedrock applications.
+
+## Table of Contents
+
+- [Background](#background)
+- [Security](#security)
+- [Install](#install)
+- [Usage](#usage)
+- [Contribute](#contribute)
+- [Commercial Support](#commercial-support)
+- [License](#license)
+
+## Background
+
+* [Verifiable Credentials HTTP API v0.3](https://w3c-ccg.github.io/vc-http-api/) specification.
+
+## Security
+
+TBD
+
+## Install
+
+- Node.js 14+ is required.
+
+### NPM
+
+To install via NPM:
+
+```
+npm install --save @bedrock/vc-verifier
+```
+
+### Development
+
+To install locally (for development):
+
+```
+git clone https://github.com/digitalbazaar/bedrock-vc-verifier.git
+cd bedrock-vc-verifier
+npm install
+```
+
+## Usage
+
+In `lib/index.js`:
+
+```js
+import '@bedrock/vc-verifier';
+```
+
+### Verifier HTTP API
+
+This module exposes the following API endpoints.
+
+#### Verify Presentation - `POST /vc/verify`
+
+Example request:
+
+```json
+{
+  "presentation": {},
+  "challenge": "...",
+  "domain": "issuer.example.com"
+}
+```
+
+#### Verify Credentials - `POST /verifier/credentials`
+
+Alias: `/instances/:instanceId/credentials/verify`
+
+Optionally performs status checks using the `vc-revocation-list` or
+`vc-status-list` library.
+
+Example request:
+
+```json
+{
+  "verifiableCredential": {},
+  "options": {
+    "checks": ["proof", "credentialStatus"]
+  }
+}
+```
+
+#### Verify Presentations - `POST /verifier/presentations`
+
+Alias: `/instances/:instanceId/presentations/verify`
+
+Optionally performs status checks using the `vc-revocation-list` or
+`vc-status-list` library.
+
+Example request:
+
+```json
+{
+  "verifiablePresentation": {},
+  "options": {
+    "challenge": "...",
+    "checks": ["proof", "credentialStatus"],
+    "domain": "issuer.exmaple.com"
+  }
+}
+```
+
+## Contribute
+
+See [the contribute file](https://github.com/digitalbazaar/bedrock/blob/master/CONTRIBUTING.md)!
+
+PRs accepted.
+
+If editing the Readme, please conform to the
+[standard-readme](https://github.com/RichardLitt/standard-readme) specification.
+
+## Commercial Support
+
+Commercial support for this library is available upon request from
+Digital Bazaar: support@digitalbazaar.com
+
+## License
+
+[Bedrock Non-Commercial License v1.0](LICENSE.md) © Digital Bazaar

package/lib/challenges.js

@@ -0,0 +1,199 @@
+/*!
+ * Copyright (c) 2022 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import * as database from '@bedrock/mongodb';
+import assert from 'assert-plus';
+import {createRequire} from 'module';
+const require = createRequire(import.meta.url);
+const {generateId, decodeId} = require('bnid');
+
+const {util: {BedrockError}} = bedrock;
+
+const COLLECTION_NAME = 'vc-verifier-challenge';
+
+bedrock.events.on('bedrock-mongodb.ready', async () => {
+  await database.openCollections([COLLECTION_NAME]);
+
+  await database.createIndexes([{
+    collection: COLLECTION_NAME,
+    fields: {'challenge.value': 1},
+    options: {unique: true, background: false}
+  }, {
+    // automatically expire challenges
+    collection: COLLECTION_NAME,
+    fields: {'challenge.expires': 1},
+    options: {
+      unique: false,
+      background: false,
+      expireAfterSeconds: 0
+    }
+  }]);
+});
+
+/**
+ * Generates and stores a challenge to be used within the configured time
+ * frame.
+ *
+ * @param {object} options - The options to use.
+ * @param {object} options.verifierId - The verifier instance ID.
+ *
+ * @returns {Promise<string>} The challenge.
+ */
+export async function createChallenge({verifierId}) {
+  // generate challenge
+  const challenge = await _generateChallenge();
+  // insert and return challenge
+  const {ttl} = bedrock.config['vc-verifier'].challenges;
+  await _insert({challenge, verifierId, ttl});
+  return challenge;
+}
+
+/**
+ * Verifies that a challenge has not expired.
+ *
+ * @param {object} options - The options to use.
+ * @param {object} options.verifierId - The verifier instance ID.
+ * @param {string} options.challenge - The challenge to verify.
+ *
+ * @returns {Promise<object>} `{verified: <boolean>, uses, error?}`.
+ */
+export async function verifyChallenge({verifierId, challenge} = {}) {
+  try {
+    // try to use challenge
+    const record = await _use({challenge, verifierId});
+    return {verified: true, uses: record.challenge.uses};
+  } catch(error) {
+    return {verified: false, error};
+  }
+}
+
+async function _generateChallenge() {
+  // 128-bit random number, base58 multibase + multihash encoded
+  return generateId({
+    bitLength: 128,
+    encoding: 'base58',
+    multibase: true,
+    multihash: true
+  });
+}
+
+function _decodeChallenge({challenge}) {
+  // convert to `Buffer` for database storage savings
+  try {
+    return Buffer.from(decodeId({
+      id: challenge,
+      encoding: 'base58',
+      multibase: true,
+      multihash: true,
+      expectedSize: 16
+    }));
+  } catch(e) {
+    throw new BedrockError(
+      'Invalid challenge.', 'DataError', {
+        httpStatusCode: 400,
+        public: true
+      });
+  }
+}
+
+/**
+ * Inserts a new challenge into storage.
+ *
+ * @param {object} options - The options to use.
+ * @param {string} options.challenge - The challenge to upsert.
+ * @param {number} options.ttl - The time to live for the challenge.
+ *
+ * @returns {Promise<object>} Resolves with an object representing the
+ *   challenge record.
+ */
+async function _insert({challenge, ttl} = {}) {
+  assert.string(challenge, 'challenge');
+  assert.number(ttl, 'ttl');
+  challenge = _decodeChallenge({challenge});
+
+  // insert the configuration and get the updated record
+  const now = Date.now();
+  const meta = {created: now, updated: now};
+  const expires = new Date(now + ttl);
+  const record = {
+    challenge: {
+      value: challenge,
+      expires,
+      uses: 0
+    },
+    meta
+  };
+  try {
+    const collection = database.collections[COLLECTION_NAME];
+    const result = await collection.insertOne(record);
+    return result.ops[0];
+  } catch(e) {
+    if(!database.isDuplicateError(e)) {
+      throw e;
+    }
+    // should never happen; challenge values are sufficiently large and random
+    throw new BedrockError(
+      'Duplicate challenge.',
+      'DuplicateError', {
+        public: true,
+        httpStatusCode: 409
+      }, e);
+  }
+}
+
+/**
+ * Finds and updates a challenge's `uses`.
+ *
+ * @param {object} options - Options to use.
+ * @param {string} options.challenge - The challenge to mark as used.
+ * @param {boolean} [options.explain] - An optional explain boolean.
+ *
+ * @returns {Promise<object | ExplainObject>} Resolves with an object
+ *   representing the challenge record or an ExplainObject if `explain=true`.
+ */
+async function _use({challenge, explain = false} = {}) {
+  assert.string(challenge, 'challenge');
+  assert.bool(explain, 'explain');
+  challenge = _decodeChallenge({challenge});
+
+  const collection = database.collections[COLLECTION_NAME];
+  const query = {'challenge.value': challenge};
+  const $inc = {
+    'challenge.uses': 1,
+  };
+  const $set = {
+    'meta.updated': Date.now()
+  };
+  const options = {
+    ...database.writeOptions,
+    // return document after the update
+    returnDocument: 'after'
+  };
+
+  if(explain) {
+    // 'find().limit(1)' is used here because 'updateOne()' doesn't return a
+    // cursor which allows the use of the explain function.
+    const cursor = await collection.find(query).limit(1);
+    return cursor.explain('executionStats');
+  }
+
+  // this upsert cannot trigger duplicate error; no try/catch needed
+  const result = await collection.findOneAndUpdate(
+    query, {$inc, $set}, options);
+
+  if(!result.value) {
+    // no document found, challenge invalid or expired
+    throw new BedrockError(
+      'Invalid or expired challenge.', 'DataError', {
+        httpStatusCode: 400,
+        public: true
+      });
+  }
+
+  return result.value;
+}
+
+/**
+ * @typedef ExplainObject - MongoDB explain object.
+ */

package/lib/config.js

@@ -0,0 +1,41 @@
+/*!
+ * Copyright (c) 2019-2022 Digital Bazaar, Inc. All rights reserved.
+ */
+import {config} from '@bedrock/core';
+import '@bedrock/app-identity';
+
+const cfg = config['vc-verifier'] = {};
+
+cfg.challenges = {
+  // by default, challenges must be used within 15 minutes
+  ttl: 1000 * 60 * 15
+};
+
+// document loader configuration for the verifier; all verifier instances
+// will securely load DID documents using `bedrock-did-io` and any contexts
+// that have been specifically added to them; these config options below
+// also allow any verifier instance to optionally load `http` and `https`
+// documents directly from the Web
+cfg.documentLoader = {
+  // `true` enables all verifiers to fetch `http` documents from the Web
+  http: false,
+  // `true` enables all verifiers to fetch `https` documents from the Web
+  https: true
+};
+
+cfg.supportedSuites = ['Ed25519Signature2018', 'Ed25519Signature2020'];
+
+cfg.routes = {
+  challenges: '/challenges',
+  credentialsVerify: '/credentials/verify',
+  presentationsVerify: '/presentations/verify'
+};
+
+// create dev application identity for vc-verifier (must be overridden in
+// deployments) ...and `ensureConfigOverride` has already been set via
+// `bedrock-app-identity` so it doesn't have to be set here
+config['app-identity'].seeds.services['vc-verifier'] = {
+  id: 'did:key:z6Mkff1TPyQ7nh3qXYGe3gJn26aaLX5ACJBi7s6Ei6MW3qAc',
+  seedMultibase: 'z1AYfdySL6F2wHarpfjSo1GaMaCW11TWbKyTP4eKBosmiDw',
+  serviceType: 'vc-verifier'
+};