npm - @velocitycareerlabs/server-careerwallet - Versions diffs - 1.25.0-dev-build.12642c864 - Mend

@velocitycareerlabs/server-careerwallet 1.25.0-dev-build.12642c864

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/src/controllers/api/v0.6/oauth/controller.js ADDED Viewed

@@ -0,0 +1,131 @@
+const newError = require('http-errors');
+const { values } = require('lodash/fp');
+const { initBuildRefreshToken } = require('@velocitycareerlabs/crypto');
+const {
+  TokenTypes,
+  GrantTypes,
+  initBuildAccessToken,
+  initValidateScopes,
+  initValidateClientId,
+  initValidateAudience,
+  initVerifyPresentation,
+  validateRefreshToken,
+  validatePresentation,
+  validateCredential,
+} = require('../../../../entities');
+const buildRefreshToken = initBuildRefreshToken();
+const careerWalletOauthController = async (fastify) => {
+  const { config } = fastify;
+  const validateScopes = initValidateScopes(config.holderAppServerOAuthScopes);
+  const validateClientId = initValidateClientId(
+    config.holderAppServerOAuthHolderAppClientId
+  );
+  const validateAudience = initValidateAudience(
+    config.holderAppServerOAuthAudience
+  );
+  fastify.post(
+    '/token',
+    {
+      schema: fastify.autoSchema({
+        tags: ['careerwallet'],
+        body: {
+          type: 'object',
+          properties: {
+            grant_type: {
+              type: 'string',
+              enum: values(GrantTypes),
+            },
+            presentation: { type: 'string' },
+            refresh_token: { type: 'string' },
+            scope: { type: 'string' },
+            audience: { type: 'string' },
+            client_id: { type: 'string' },
+          },
+          required: ['grant_type', 'scope', 'audience', 'client_id'],
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              access_token: { type: 'string' },
+              refresh_token: { type: 'string' },
+              token_type: { type: 'string', enum: values(TokenTypes) },
+            },
+            required: ['access_token', 'token_type'],
+          },
+          ...fastify.UnauthorizedResponse,
+        },
+      }),
+    },
+    async (req) => {
+      const { body, config: reqConfig } = req;
+      const {
+        grant_type: grantType,
+        presentation,
+        refresh_token: refreshToken,
+        client_id: clientId,
+        scope,
+        audience,
+      } = body;
+      const buildAccessToken = initBuildAccessToken(
+        reqConfig.holderAppServerAccessTokenSigningKey,
+        config.holderAppServerHolderAppProviderDid,
+        config.holderAppServerAccessTokenExpiresIn
+      );
+      const verifyPresentation = initVerifyPresentation(
+        reqConfig.oauthVclCredentialVerificationPublicKey
+      );
+      validateRefreshToken(grantType, refreshToken);
+      validatePresentation(grantType, presentation);
+      validateClientId(clientId);
+      validateScopes(scope);
+      validateAudience(audience);
+      let filterToFindUser;
+      if (grantType === GrantTypes.VNF_PRESENTATION) {
+        const decodedCredential = await verifyPresentation(presentation);
+        validateCredential(decodedCredential);
+        const userDid = decodedCredential.payload.vc.credentialSubject.id;
+        filterToFindUser = { 'didKeyMetadatum.did': userDid };
+      } else {
+        filterToFindUser = { refreshToken };
+      }
+      const { refreshToken: newRefreshToken, accountId } =
+        await findUserAndUpdateRefreshToken(filterToFindUser, scope, req);
+      return {
+        access_token: await buildAccessToken(scope, accountId),
+        token_type: TokenTypes.BEARER,
+        refresh_token: newRefreshToken,
+      };
+    }
+  );
+};
+const findUserAndUpdateRefreshToken = async (filter, scope, { repos }) => {
+  const refreshToken = buildRefreshToken();
+  const scopeValues = scope.split(' ');
+  const account = await repos.accounts.findAccountAndSetRefreshToken(
+    {
+      ...filter,
+      scope: { $all: scopeValues },
+    },
+    refreshToken
+  );
+  if (!account) {
+    throw newError.Unauthorized('Unknown refresh_token, user id or scope');
+  }
+  return { refreshToken, accountId: account._id };
+};
+module.exports = careerWalletOauthController;

package/src/controllers/api/v0.6/push/controller.js ADDED Viewed

@@ -0,0 +1,296 @@
+const newError = require('http-errors');
+const { map, isEmpty } = require('lodash/fp');
+const { ObjectId } = require('mongodb');
+const { pushGatewayAuth } = require('./push-gateway-auth');
+const { initFirebase } = require('./firebase-initializer');
+const {
+  NotificationTypes,
+  generateNotification,
+} = require('./notification-types');
+const icon = 'https://docs.velocitycareerlabs.io/Logos/vcl-app-push-logo.png';
+const sound = 'default';
+const deviceController = async (fastify) => {
+  const firebase = initFirebase(fastify.config);
+  const ttlSeconds = 60 * 60 * 24;
+  const notificationOptions = {
+    android: {
+      ttl: ttlSeconds * 1000,
+      priority: 'high',
+      notification: {
+        sound,
+        icon,
+      },
+    },
+    apns: {
+      headers: {
+        'apns-priority': '5',
+      },
+      payload: {
+        aps: {
+          sound,
+          icon,
+          'content-available': 1,
+        },
+      },
+    },
+    webpush: {
+      headers: {
+        TTL: `${ttlSeconds}`,
+        Urgency: 'high',
+      },
+    },
+  };
+  fastify.post(
+    '/generate',
+    {
+      preHandler: fastify.verifyAdmin,
+      schema: fastify.autoSchema({
+        tags: ['careerwallet'],
+        body: {
+          type: 'object',
+          properties: {
+            pushToken: { type: 'string' },
+            content: { type: 'object' },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              content: { type: 'object' },
+            },
+          },
+        },
+      }),
+    },
+    async (req, reply) => {
+      const {
+        body,
+        repos: { devices, accounts },
+      } = req;
+      const { pushToken } = body;
+      const account = await accounts.findOne({
+        filter: { [`pushTokens.${pushToken}`]: { $exists: true } },
+      });
+      if (isEmpty(account)) {
+        const device = await devices.findOne({
+          filter: { pushToken },
+        });
+        if (isEmpty(device) || isEmpty(device?.deviceId)) {
+          throw new newError.NotFound(
+            `No device registered for token ${pushToken}`
+          );
+        }
+        await sendNotificationsToDevicesForGenerateRequest(
+          [device],
+          body.content,
+          firebase,
+          notificationOptions
+        );
+        return reply.status(200).send();
+      }
+      const connectedDevices = await devices.find({
+        filter: { accountId: account._id },
+      });
+      if (isEmpty(connectedDevices)) {
+        throw new newError.NotFound(
+          `No device registered for token ${pushToken}`
+        );
+      }
+      await sendNotificationsToDevicesForGenerateRequest(
+        connectedDevices,
+        body.content,
+        firebase,
+        notificationOptions
+      );
+      return reply.status(200).send();
+    }
+  );
+  fastify.post(
+    '/',
+    {
+      preHandler: pushGatewayAuth,
+      schema: fastify.autoSchema({
+        tags: ['careerwallet'],
+        body: {
+          type: 'object',
+          properties: {
+            id: { type: 'string' },
+            pushToken: { type: 'string' },
+            message: { type: 'string' },
+            messageParams: {
+              type: 'object',
+              properties: {
+                priority: { type: 'string' },
+                timeToLeave: { type: 'integer' },
+              },
+            },
+            data: {
+              type: 'object',
+              properties: {
+                serviceEndpoint: { type: 'string' },
+                count: { type: 'number' },
+                credentialId: { type: 'string' },
+                exchangeId: { type: 'string' },
+                issuer: { type: 'string' },
+                replacementCredentialType: { type: 'string' },
+                credentialTypes: { type: 'array' },
+                notificationType: {
+                  type: 'string',
+                  enum: Object.values(NotificationTypes),
+                },
+              },
+              required: ['notificationType'],
+            },
+          },
+          required: ['id', 'pushToken', 'data'],
+        },
+        response: {
+          204: {
+            type: 'null',
+          },
+          ...fastify.NotFoundResponse,
+        },
+      }),
+    },
+    async (req, reply) => {
+      const {
+        body,
+        repos: { devices, notifications, accounts },
+      } = req;
+      const { pushToken, data, message } = body;
+      const account = await accounts.findOne({
+        filter: { [`pushTokens.${pushToken}`]: { $exists: true } },
+      });
+      if (isEmpty(account)) {
+        const device = await devices.findOne({
+          filter: { pushToken },
+        });
+        if (isEmpty(device) || isEmpty(device?.deviceId)) {
+          throw new newError.NotFound(
+            `No device registered for token ${pushToken}`
+          );
+        }
+        await sendNotificationsToDevices(
+          [device],
+          data,
+          message,
+          firebase,
+          notifications,
+          notificationOptions
+        );
+        return reply.status(204).send();
+      }
+      const connectedDevices = await devices.find({
+        filter: { accountId: account._id },
+      });
+      if (isEmpty(connectedDevices)) {
+        throw new newError.NotFound(
+          `No device registered for token ${pushToken}`
+        );
+      }
+      await sendNotificationsToDevices(
+        connectedDevices,
+        data,
+        message,
+        firebase,
+        notifications,
+        notificationOptions
+      );
+      return reply.status(204).send();
+    }
+  );
+};
+const generateMessagingPayload = ({ data, message }) => {
+  const credentialTypes =
+    data && data.credentialTypes ? data.credentialTypes : [];
+  const count = data && data.count ? data.count : 0;
+  return {
+    notification: generateNotification(data, message),
+    data: {
+      ...data,
+      notificationId: `${new ObjectId()}`,
+      credentialTypes: JSON.stringify(credentialTypes),
+      count: `${count}`,
+    },
+  };
+};
+const sendNotificationsToDevices = async (
+  devices,
+  data,
+  message,
+  firebase,
+  notifications,
+  notificationOptions
+) => {
+  // eslint-disable-next-line consistent-return
+  const notificationPromises = map(async (device) => {
+    const payload = generateMessagingPayload({ data, message });
+    const deviceId = device?.deviceId;
+    await notifications.insert({
+      _id: new ObjectId(payload.data.notificationId),
+      deviceId,
+      linkedDevice: device._id,
+      ...payload,
+    });
+    if (device?.pushActivated) {
+      await firebase.messaging().send({
+        notification: payload.notification,
+        data: payload.data,
+        token: deviceId,
+        ...notificationOptions,
+      });
+    }
+  }, devices);
+  await Promise.allSettled(notificationPromises);
+};
+const sendNotificationsToDevicesForGenerateRequest = async (
+  devices,
+  content,
+  firebase,
+  notificationOptions
+) => {
+  // eslint-disable-next-line consistent-return
+  const notificationPromises = map(async (device) => {
+    const deviceId = device?.deviceId;
+    if (device?.pushActivated) {
+      firebase.messaging().send({
+        notification: content,
+        token: deviceId,
+        ...notificationOptions,
+      });
+    }
+  }, devices);
+  await Promise.allSettled(notificationPromises);
+};
+module.exports = deviceController;

package/src/controllers/api/v0.6/push/firebase-initializer.js ADDED Viewed

@@ -0,0 +1,21 @@
+const fbAdmin = require('firebase-admin');
+const initFirebase = (config) => {
+  fbAdmin.initializeApp({
+    credential: fbAdmin.credential.cert({
+      type: config.firebaseType,
+      project_id: config.firebaseProjectId,
+      private_key_id: config.firebasePrivateKeyId,
+      private_key: config.firebasePrivateKey,
+      client_email: config.firebaseClientEmail,
+      client_id: config.firebaseClientId,
+      auth_uri: config.firebaseAuthUri,
+      token_uri: config.firebaseTokenUri,
+      auth_provider_x509_cert_url: config.firebaseAuthProviderX509CertUrl,
+      client_x509_cert_url: config.firebaseClientX509CertUrl,
+    }),
+  });
+  return fbAdmin;
+};
+module.exports = { initFirebase };

package/src/controllers/api/v0.6/push/notification-types.js ADDED Viewed

@@ -0,0 +1,37 @@
+const NotificationTypes = Object.freeze({
+  CredentialRevoked: 'CredentialRevoked',
+  CredentialReplaced: 'CredentialReplaced',
+  NewOffersReady: 'NewOffersReady',
+  NoOffersFound: 'NoOffersFound',
+  PresentationVerified: 'PresentationVerified',
+});
+const generateNotification = (data, message) =>
+  ({
+    [NotificationTypes.CredentialRevoked]: {
+      title: 'Credential revoked',
+      body:
+        message ||
+        `Your ${data.credentialTypes?.[0]} credential has been revoked.`,
+    },
+    [NotificationTypes.CredentialReplaced]: {
+      title: 'Updated credential available',
+      body:
+        message ||
+        `Your ${data.credentialTypes?.[0]} credential can be updated. Tap here to receive the update.`,
+    },
+    [NotificationTypes.NewOffersReady]: {
+      title: 'New credential offer',
+      body: 'You have new credential offers.',
+    },
+    [NotificationTypes.NoOffersFound]: {
+      title: 'No offers found',
+      body: 'The issuer has no credential offers for you.',
+    },
+    [NotificationTypes.PresentationVerified]: {
+      title: 'Credentials verified',
+      body: 'Credentials that you shared have been verified',
+    },
+  }[data.notificationType]);
+module.exports = { NotificationTypes, generateNotification };

package/src/controllers/api/v0.6/push/push-gateway-auth.js ADDED Viewed

@@ -0,0 +1,123 @@
+const canonicalize = require('canonicalize');
+const newError = require('http-errors');
+const { isEmpty, intersection } = require('lodash/fp');
+const {
+  CredentialCheckResultValue,
+} = require('@velocitycareerlabs/verifiable-credentials');
+const {
+  ServiceCategories,
+} = require('@velocitycareerlabs/organizations-registry');
+const { createCommitment } = require('@velocitycareerlabs/crypto');
+const { jwtVerify, jwtDecode } = require('@velocitycareerlabs/jwt');
+const {
+  resolveKid,
+  getOrganizationVerifiedProfile,
+} = require('@velocitycareerlabs/common-fetchers');
+const { ErrorsUnauthorizedPushes } = require('../../../../entities');
+const RequiredServiceCategories = [
+  ServiceCategories.IdentityIssuer,
+  ServiceCategories.IdDocumentIssuer,
+  ServiceCategories.NotaryIdDocumentIssuer,
+  ServiceCategories.ContactIssuer,
+  ServiceCategories.NotaryContactIssuer,
+  ServiceCategories.NotaryIssuer,
+  ServiceCategories.Issuer,
+  ServiceCategories.Inspector,
+];
+const pushGatewayAuth = async (context) => {
+  const {
+    config: { hostUrl },
+    traceId,
+    body: {
+      data: { exchangeId },
+    },
+  } = context;
+  const token = context.headers?.authorization?.slice(7);
+  const {
+    header: { kid },
+    payload: { hash, iss },
+  } = jwtDecode(token);
+  const publicKey = await loadKey(kid, context);
+  await jwtVerify(token, publicKey, {
+    subject: exchangeId,
+    audience: hostUrl,
+    jti: traceId,
+  });
+  if (hash !== createCommitment(canonicalize(context.body))) {
+    throw newError.Unauthorized(ErrorsUnauthorizedPushes.INVALID_HASH);
+  }
+  const organizationVerifiedProfile = await loadOrganizationVerifiedProfile(
+    iss,
+    context
+  );
+  validateOrganizationVerifiedProfile(organizationVerifiedProfile);
+};
+const loadKey = async (kid, context) => {
+  try {
+    return await resolveKid({ kid }, context);
+  } catch (error) {
+    if (error.response?.statusCode === 404) {
+      throw newError.Unauthorized('kid_not_found');
+    }
+    throw newError.Unauthorized('kid_resolution_error');
+  }
+};
+const loadOrganizationVerifiedProfile = async (did, context) => {
+  try {
+    return await getOrganizationVerifiedProfile(did, context);
+  } catch (error) {
+    if (error.response?.statusCode === 404) {
+      throw newError.Unauthorized('issuer_not_found');
+    }
+    throw newError.Unauthorized('issuer_resolution_error');
+  }
+};
+const validateOrganizationVerifiedProfile = ({
+  credentialChecks,
+  ...orgVc
+}) => {
+  if (credentialChecks.UNTAMPERED === CredentialCheckResultValue.FAIL) {
+    throw pushGatewayAuthError('tampered_credential');
+  }
+  if (credentialChecks.UNREVOKED === CredentialCheckResultValue.FAIL) {
+    throw pushGatewayAuthError('revoked_credential');
+  }
+  if (credentialChecks.UNEXPIRED === CredentialCheckResultValue.FAIL) {
+    throw pushGatewayAuthError('expired_credential');
+  }
+  if (credentialChecks.TRUSTED_ISSUER === CredentialCheckResultValue.FAIL) {
+    throw pushGatewayAuthError('untrusted_issuer');
+  }
+  if (
+    isEmpty(
+      intersection(
+        RequiredServiceCategories,
+        orgVc.credentialSubject.permittedVelocityServiceCategory
+      )
+    )
+  ) {
+    throw pushGatewayAuthError(
+      `permitted service categories do not include one of ${RequiredServiceCategories.join(
+        ','
+      )}`
+    );
+  }
+};
+const pushGatewayAuthError = (reason) =>
+  newError.Unauthorized(
+    ErrorsUnauthorizedPushes.INVALID_ORG_ERROR_TEMPLATE({
+      reason,
+    })
+  );
+module.exports = { pushGatewayAuth };

package/src/controllers/api/v0.6/push/repo.js ADDED Viewed

@@ -0,0 +1,24 @@
+const {
+  autoboxIdsExtension,
+  repoFactory,
+} = require('@spencejs/spence-mongo-repos');
+module.exports = (app, options, next = () => {}) => {
+  next();
+  return repoFactory(
+    {
+      name: 'notifications',
+      entityName: 'notifications',
+      defaultProjection: {
+        _id: 1,
+        createdAt: 1,
+        linkedDevice: 1,
+        deviceId: 1,
+        data: 1,
+        notification: 1,
+      },
+      extensions: [autoboxIdsExtension],
+    },
+    app
+  );
+};

package/src/controllers/api/v0.6/verification-offers/repo.js ADDED Viewed

@@ -0,0 +1,25 @@
+const {
+  repoFactory,
+  autoboxIdsExtension,
+} = require('@spencejs/spence-mongo-repos');
+module.exports = (app, options, next = () => {}) => {
+  next();
+  return repoFactory(
+    {
+      name: 'verificationOffers',
+      entityName: 'verificationOffer',
+      defaultProjection: {
+        _id: 1,
+        type: 1,
+        value: 1,
+        offerId: 1,
+        offerCreationDate: 1,
+        offerExpirationDate: 1,
+        claimed: 1,
+      },
+      extensions: [autoboxIdsExtension],
+    },
+    app
+  );
+};

package/src/controllers/api/v0.6/verify/autohooks.js ADDED Viewed

@@ -0,0 +1,15 @@
+const {
+  identifyWebhookRequestBodySchema,
+  verificationIdentifyResponse200Schema,
+} = require('@velocitycareerlabs/common-schemas');
+const { verifyAccessTokenPlugin } = require('../../../../plugins');
+module.exports = async (fastify) => {
+  fastify
+    .addSchema(identifyWebhookRequestBodySchema)
+    .addSchema(verificationIdentifyResponse200Schema)
+    .autoSchemaPreset({
+      tags: ['credential_issuer_contact'],
+    })
+    .register(verifyAccessTokenPlugin);
+};