@twin.org/trust-verifiers 0.0.3-next.17 → 0.0.3-next.18

package/dist/es/index.js

@@ -1,5 +1,8 @@
 // Copyright 2025 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
+export * from "./models/IIdentityAllowDenyVerifierConfig.js";
+export * from "./models/IIdentityAllowDenyVerifierConstructorOptions.js";
 export * from "./models/IJwtVerifiableCredentialVerifierConstructorOptions.js";
+export * from "./verifiers/identityAllowDenyVerifier.js";
 export * from "./verifiers/jwtVerifiableCredentialVerifier.js";
 //# sourceMappingURL=index.js.map

package/dist/es/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,gEAAgE,CAAC;AAC/E,cAAc,gDAAgD,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./models/IJwtVerifiableCredentialVerifierConstructorOptions.js\";\nexport * from \"./verifiers/jwtVerifiableCredentialVerifier.js\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,8CAA8C,CAAC;AAC7D,cAAc,0DAA0D,CAAC;AACzE,cAAc,gEAAgE,CAAC;AAC/E,cAAc,0CAA0C,CAAC;AACzD,cAAc,gDAAgD,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./models/IIdentityAllowDenyVerifierConfig.js\";\nexport * from \"./models/IIdentityAllowDenyVerifierConstructorOptions.js\";\nexport * from \"./models/IJwtVerifiableCredentialVerifierConstructorOptions.js\";\nexport * from \"./verifiers/identityAllowDenyVerifier.js\";\nexport * from \"./verifiers/jwtVerifiableCredentialVerifier.js\";\n"]}

package/dist/es/models/IIdentityAllowDenyVerifierConfig.js

@@ -0,0 +1,4 @@
+// Copyright 2025 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+export {};
+//# sourceMappingURL=IIdentityAllowDenyVerifierConfig.js.map

package/dist/es/models/IIdentityAllowDenyVerifierConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IIdentityAllowDenyVerifierConfig.js","sourceRoot":"","sources":["../../../src/models/IIdentityAllowDenyVerifierConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Configuration for the Identity Allow/Deny Verifier.\n */\nexport interface IIdentityAllowDenyVerifierConfig {\n\t/**\n\t * Identities that are permitted; all others are rejected.\n\t * Skipped when empty or absent.\n\t */\n\tallowIdentities?: string[];\n\n\t/**\n\t * Identities that are explicitly rejected.\n\t * Skipped when empty or absent.\n\t */\n\tdenyIdentities?: string[];\n}\n"]}

package/dist/es/models/IIdentityAllowDenyVerifierConstructorOptions.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=IIdentityAllowDenyVerifierConstructorOptions.js.map

package/dist/es/models/IIdentityAllowDenyVerifierConstructorOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IIdentityAllowDenyVerifierConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IIdentityAllowDenyVerifierConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IIdentityAllowDenyVerifierConfig } from \"./IIdentityAllowDenyVerifierConfig.js\";\n\n/**\n * The options for the Identity Allow/Deny Verifier.\n */\nexport interface IIdentityAllowDenyVerifierConstructorOptions {\n\t/**\n\t * The allow/deny configuration for the verifier.\n\t */\n\tconfig?: IIdentityAllowDenyVerifierConfig;\n}\n"]}

package/dist/es/verifiers/identityAllowDenyVerifier.js

@@ -0,0 +1,70 @@
+// Copyright 2025 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+import { GeneralError, Is } from "@twin.org/core";
+/**
+ * Class to gate verification based on allowed and denied identity lists.
+ */
+export class IdentityAllowDenyVerifier {
+    /**
+     * Runtime name for the class.
+     */
+    static CLASS_NAME = "IdentityAllowDenyVerifier";
+    /**
+     * The identities that are permitted.
+     * @internal
+     */
+    _allowIdentities;
+    /**
+     * The identities that are explicitly rejected.
+     * @internal
+     */
+    _denyIdentities;
+    /**
+     * Create a new instance of IdentityAllowDenyVerifier.
+     * @param options The options for the verifier.
+     */
+    constructor(options) {
+        this._allowIdentities = options?.config?.allowIdentities;
+        this._denyIdentities = options?.config?.denyIdentities;
+    }
+    /**
+     * Returns the class name of the component.
+     * @returns The class name of the component.
+     */
+    className() {
+        return IdentityAllowDenyVerifier.CLASS_NAME;
+    }
+    /**
+     * Verify a payload by checking the validity of its structure and content.
+     * @param payload The payload to verify.
+     * @param info Information extracted from previous verifiers and to be added by this verifier.
+     * @param info.identity The identity associated with the payload.
+     * @param errors Array to collect verification errors.
+     * @returns Whether the payload is verified, returns undefined if payload was not processed.
+     */
+    async verify(payload, info, errors) {
+        const hasAllow = Is.arrayValue(this._allowIdentities);
+        const hasDeny = Is.arrayValue(this._denyIdentities);
+        if (!hasAllow && !hasDeny) {
+            return undefined;
+        }
+        if (!Is.stringValue(info.identity)) {
+            errors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, "identityMissing"));
+            return false;
+        }
+        if (hasAllow && !this._allowIdentities?.includes(info.identity)) {
+            errors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, "identityNotAllowed", {
+                identity: info.identity
+            }));
+            return false;
+        }
+        if (hasDeny && this._denyIdentities?.includes(info.identity)) {
+            errors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, "identityDenied", {
+                identity: info.identity
+            }));
+            return false;
+        }
+        return true;
+    }
+}
+//# sourceMappingURL=identityAllowDenyVerifier.js.map

package/dist/es/verifiers/identityAllowDenyVerifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identityAllowDenyVerifier.js","sourceRoot":"","sources":["../../../src/verifiers/identityAllowDenyVerifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,YAAY,EAAE,EAAE,EAAe,MAAM,gBAAgB,CAAC;AAK/D;;GAEG;AACH,MAAM,OAAO,yBAAyB;IACrC;;OAEG;IACI,MAAM,CAAU,UAAU,+BAA+C;IAEhF;;;OAGG;IACc,gBAAgB,CAAY;IAE7C;;;OAGG;IACc,eAAe,CAAY;IAE5C;;;OAGG;IACH,YAAY,OAAsD;QACjE,IAAI,CAAC,gBAAgB,GAAG,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC;QACzD,IAAI,CAAC,eAAe,GAAG,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC;IACxD,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,yBAAyB,CAAC,UAAU,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,MAAM,CAClB,OAAgB,EAChB,IAA4B,EAC5B,MAAgB;QAEhB,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAS,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC9D,MAAM,OAAO,GAAG,EAAE,CAAC,UAAU,CAAS,IAAI,CAAC,eAAe,CAAC,CAAC;QAE5D,IAAI,CAAC,QAAQ,IAAI,CAAC,OAAO,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,yBAAyB,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;YACvF,OAAO,KAAK,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,yBAAyB,CAAC,UAAU,EAAE,oBAAoB,EAAE;gBAC5E,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACvB,CAAC,CACF,CAAC;YACF,OAAO,KAAK,CAAC;QACd,CAAC;QAED,IAAI,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9D,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,yBAAyB,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBACxE,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACvB,CAAC,CACF,CAAC;YACF,OAAO,KAAK,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { GeneralError, Is, type IError } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport type { ITrustVerificationInfo, ITrustVerifier } from \"@twin.org/trust-models\";\nimport type { IIdentityAllowDenyVerifierConstructorOptions } from \"../models/IIdentityAllowDenyVerifierConstructorOptions.js\";\n\n/**\n * Class to gate verification based on allowed and denied identity lists.\n */\nexport class IdentityAllowDenyVerifier implements ITrustVerifier {\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<IdentityAllowDenyVerifier>();\n\n\t/**\n\t * The identities that are permitted.\n\t * @internal\n\t */\n\tprivate readonly _allowIdentities?: string[];\n\n\t/**\n\t * The identities that are explicitly rejected.\n\t * @internal\n\t */\n\tprivate readonly _denyIdentities?: string[];\n\n\t/**\n\t * Create a new instance of IdentityAllowDenyVerifier.\n\t * @param options The options for the verifier.\n\t */\n\tconstructor(options?: IIdentityAllowDenyVerifierConstructorOptions) {\n\t\tthis._allowIdentities = options?.config?.allowIdentities;\n\t\tthis._denyIdentities = options?.config?.denyIdentities;\n\t}\n\n\t/**\n\t * Returns the class name of the component.\n\t * @returns The class name of the component.\n\t */\n\tpublic className(): string {\n\t\treturn IdentityAllowDenyVerifier.CLASS_NAME;\n\t}\n\n\t/**\n\t * Verify a payload by checking the validity of its structure and content.\n\t * @param payload The payload to verify.\n\t * @param info Information extracted from previous verifiers and to be added by this verifier.\n\t * @param info.identity The identity associated with the payload.\n\t * @param errors Array to collect verification errors.\n\t * @returns Whether the payload is verified, returns undefined if payload was not processed.\n\t */\n\tpublic async verify(\n\t\tpayload: unknown,\n\t\tinfo: ITrustVerificationInfo,\n\t\terrors: IError[]\n\t): Promise<boolean | undefined> {\n\t\tconst hasAllow = Is.arrayValue<string>(this._allowIdentities);\n\t\tconst hasDeny = Is.arrayValue<string>(this._denyIdentities);\n\n\t\tif (!hasAllow && !hasDeny) {\n\t\t\treturn undefined;\n\t\t}\n\n\t\tif (!Is.stringValue(info.identity)) {\n\t\t\terrors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, \"identityMissing\"));\n\t\t\treturn false;\n\t\t}\n\n\t\tif (hasAllow && !this._allowIdentities?.includes(info.identity)) {\n\t\t\terrors.push(\n\t\t\t\tnew GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, \"identityNotAllowed\", {\n\t\t\t\t\tidentity: info.identity\n\t\t\t\t})\n\t\t\t);\n\t\t\treturn false;\n\t\t}\n\n\t\tif (hasDeny && this._denyIdentities?.includes(info.identity)) {\n\t\t\terrors.push(\n\t\t\t\tnew GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, \"identityDenied\", {\n\t\t\t\t\tidentity: info.identity\n\t\t\t\t})\n\t\t\t);\n\t\t\treturn false;\n\t\t}\n\n\t\treturn true;\n\t}\n}\n"]}

package/dist/types/index.d.ts

@@ -1,2 +1,5 @@
+export * from "./models/IIdentityAllowDenyVerifierConfig.js";
+export * from "./models/IIdentityAllowDenyVerifierConstructorOptions.js";
 export * from "./models/IJwtVerifiableCredentialVerifierConstructorOptions.js";
+export * from "./verifiers/identityAllowDenyVerifier.js";
 export * from "./verifiers/jwtVerifiableCredentialVerifier.js";

package/dist/types/models/IIdentityAllowDenyVerifierConfig.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Configuration for the Identity Allow/Deny Verifier.
+ */
+export interface IIdentityAllowDenyVerifierConfig {
+    /**
+     * Identities that are permitted; all others are rejected.
+     * Skipped when empty or absent.
+     */
+    allowIdentities?: string[];
+    /**
+     * Identities that are explicitly rejected.
+     * Skipped when empty or absent.
+     */
+    denyIdentities?: string[];
+}

package/dist/types/models/IIdentityAllowDenyVerifierConstructorOptions.d.ts

@@ -0,0 +1,10 @@
+import type { IIdentityAllowDenyVerifierConfig } from "./IIdentityAllowDenyVerifierConfig.js";
+/**
+ * The options for the Identity Allow/Deny Verifier.
+ */
+export interface IIdentityAllowDenyVerifierConstructorOptions {
+    /**
+     * The allow/deny configuration for the verifier.
+     */
+    config?: IIdentityAllowDenyVerifierConfig;
+}

package/dist/types/verifiers/identityAllowDenyVerifier.d.ts

@@ -0,0 +1,31 @@
+import { type IError } from "@twin.org/core";
+import type { ITrustVerificationInfo, ITrustVerifier } from "@twin.org/trust-models";
+import type { IIdentityAllowDenyVerifierConstructorOptions } from "../models/IIdentityAllowDenyVerifierConstructorOptions.js";
+/**
+ * Class to gate verification based on allowed and denied identity lists.
+ */
+export declare class IdentityAllowDenyVerifier implements ITrustVerifier {
+    /**
+     * Runtime name for the class.
+     */
+    static readonly CLASS_NAME: string;
+    /**
+     * Create a new instance of IdentityAllowDenyVerifier.
+     * @param options The options for the verifier.
+     */
+    constructor(options?: IIdentityAllowDenyVerifierConstructorOptions);
+    /**
+     * Returns the class name of the component.
+     * @returns The class name of the component.
+     */
+    className(): string;
+    /**
+     * Verify a payload by checking the validity of its structure and content.
+     * @param payload The payload to verify.
+     * @param info Information extracted from previous verifiers and to be added by this verifier.
+     * @param info.identity The identity associated with the payload.
+     * @param errors Array to collect verification errors.
+     * @returns Whether the payload is verified, returns undefined if payload was not processed.
+     */
+    verify(payload: unknown, info: ITrustVerificationInfo, errors: IError[]): Promise<boolean | undefined>;
+}

package/docs/changelog.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [0.0.3-next.18](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.17...trust-verifiers-v0.0.3-next.18) (2026-06-05)
+
+
+### Features
+
+* add allow deny verifier ([#32](https://github.com/iotaledger/twin-trust/issues/32)) ([daf5d03](https://github.com/iotaledger/twin-trust/commit/daf5d033ffbe82e2228c48ca7ffea870a1ce956e))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.17 to 0.0.3-next.18
+
 ## [0.0.3-next.17](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.16...trust-verifiers-v0.0.3-next.17) (2026-06-02)
 
 

package/docs/reference/classes/IdentityAllowDenyVerifier.md

@@ -0,0 +1,91 @@
+# Class: IdentityAllowDenyVerifier
+
+Class to gate verification based on allowed and denied identity lists.
+
+## Implements
+
+- `ITrustVerifier`
+
+## Constructors
+
+### Constructor
+
+> **new IdentityAllowDenyVerifier**(`options?`): `IdentityAllowDenyVerifier`
+
+Create a new instance of IdentityAllowDenyVerifier.
+
+#### Parameters
+
+##### options?
+
+[`IIdentityAllowDenyVerifierConstructorOptions`](../interfaces/IIdentityAllowDenyVerifierConstructorOptions.md)
+
+The options for the verifier.
+
+#### Returns
+
+`IdentityAllowDenyVerifier`
+
+## Properties
+
+### CLASS\_NAME {#class_name}
+
+> `readonly` `static` **CLASS\_NAME**: `string`
+
+Runtime name for the class.
+
+## Methods
+
+### className() {#classname}
+
+> **className**(): `string`
+
+Returns the class name of the component.
+
+#### Returns
+
+`string`
+
+The class name of the component.
+
+#### Implementation of
+
+`ITrustVerifier.className`
+
+***
+
+### verify() {#verify}
+
+> **verify**(`payload`, `info`, `errors`): `Promise`\<`boolean` \| `undefined`\>
+
+Verify a payload by checking the validity of its structure and content.
+
+#### Parameters
+
+##### payload
+
+`unknown`
+
+The payload to verify.
+
+##### info
+
+`ITrustVerificationInfo`
+
+Information extracted from previous verifiers and to be added by this verifier.
+
+##### errors
+
+`IError`[]
+
+Array to collect verification errors.
+
+#### Returns
+
+`Promise`\<`boolean` \| `undefined`\>
+
+Whether the payload is verified, returns undefined if payload was not processed.
+
+#### Implementation of
+
+`ITrustVerifier.verify`

package/docs/reference/index.md

@@ -2,8 +2,11 @@
 
 ## Classes
 
+- [IdentityAllowDenyVerifier](classes/IdentityAllowDenyVerifier.md)
 - [JwtVerifiableCredentialVerifier](classes/JwtVerifiableCredentialVerifier.md)
 
 ## Interfaces
 
+- [IIdentityAllowDenyVerifierConfig](interfaces/IIdentityAllowDenyVerifierConfig.md)
+- [IIdentityAllowDenyVerifierConstructorOptions](interfaces/IIdentityAllowDenyVerifierConstructorOptions.md)
 - [IJwtVerifiableCredentialVerifierConstructorOptions](interfaces/IJwtVerifiableCredentialVerifierConstructorOptions.md)

package/docs/reference/interfaces/IIdentityAllowDenyVerifierConfig.md

@@ -0,0 +1,21 @@
+# Interface: IIdentityAllowDenyVerifierConfig
+
+Configuration for the Identity Allow/Deny Verifier.
+
+## Properties
+
+### allowIdentities? {#allowidentities}
+
+> `optional` **allowIdentities?**: `string`[]
+
+Identities that are permitted; all others are rejected.
+Skipped when empty or absent.
+
+***
+
+### denyIdentities? {#denyidentities}
+
+> `optional` **denyIdentities?**: `string`[]
+
+Identities that are explicitly rejected.
+Skipped when empty or absent.

package/docs/reference/interfaces/IIdentityAllowDenyVerifierConstructorOptions.md

@@ -0,0 +1,11 @@
+# Interface: IIdentityAllowDenyVerifierConstructorOptions
+
+The options for the Identity Allow/Deny Verifier.
+
+## Properties
+
+### config? {#config}
+
+> `optional` **config?**: [`IIdentityAllowDenyVerifierConfig`](IIdentityAllowDenyVerifierConfig.md)
+
+The allow/deny configuration for the verifier.

package/locales/en.json

@@ -1,5 +1,10 @@
 {
 	"error": {
+		"identityAllowDenyVerifier": {
+			"identityMissing": "The identity is missing from the verification info.",
+			"identityNotAllowed": "The identity is not in the allowed identities list \"{identity}\".",
+			"identityDenied": "The identity is in the denied identities list \"{identity}\"."
+		},
 		"jwtVerifiableCredentialVerifier": {
 			"tokenMissingCredential": "The JWT token does not contain a verifiable credential.",
 			"tokenMissingIssuer": "The verifiable credential in the JWT does not contain an issuer.",

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@twin.org/trust-verifiers",
-	"version": "0.0.3-next.17",
+	"version": "0.0.3-next.18",
 	"description": "Implements trust verifiers that validate credentials and proofs against trust model requirements",
 	"repository": {
 		"type": "git",
@@ -19,7 +19,7 @@
 		"@twin.org/identity-models": "next",
 		"@twin.org/logging-models": "next",
 		"@twin.org/nameof": "next",
-		"@twin.org/trust-models": "0.0.3-next.17",
+		"@twin.org/trust-models": "0.0.3-next.18",
 		"@twin.org/web": "next"
 	},
 	"main": "./dist/es/index.js",