@velocitycareerlabs/server-careerwallet 1.25.0-dev-build.12642c864

package/test/verification-controller.test.js

@@ -0,0 +1,1372 @@
+const { mongoDb } = require('@spencejs/spence-mongo-repos');
+const { wait } = require('@velocitycareerlabs/common-functions');
+const { subMinutes, addHours } = require('date-fns/fp');
+const { forEach } = require('lodash/fp');
+const { nanoid } = require('nanoid/non-secure');
+const { decodeCredentialJwt } = require('@velocitycareerlabs/jwt');
+const { initVerifyDomain } = require('@velocitycareerlabs/aws-clients');
+const { errorResponseMatcher } = require('@velocitycareerlabs/tests-helpers');
+const { ObjectId } = require('mongodb');
+const { hashAndEncodeHex } = require('@velocitycareerlabs/crypto/src/crypto');
+const { generateKeyPair } = require('@velocitycareerlabs/crypto');
+const { hexFromJwk } = require('@velocitycareerlabs/jwt');
+const buildFastify = require('./helpers/careerwallet-build-fastify');
+const initVerificationFactory = require('./factories/verification-factory');
+const initVerificationOfferFactory = require('./factories/verification-offer-factory');
+const initVerificationCodeAttemptsFactory = require('./factories/verification-code-attempts-factory');
+const VerificationCredentialTypes = require('../src/controllers/api/v0.6/verify/verification-credential-types');
+const { accountScopes } = require('../src/entities');
+const {
+  createAccessToken,
+  missingAccessTokenExpectation,
+  incorrectAccessTokenExpectation,
+  incorrectScopeExpectation,
+} = require('./helpers/access-token');
+
+describe('Email & Phone Verification', () => {
+  let fastify;
+  let persistVerification;
+  let persistVerificationOffer;
+  let persistVerificationCodeAttempt;
+  let publicKey;
+  let privateKey;
+
+  beforeAll(async () => {
+    ({ publicKey, privateKey } = generateKeyPair({ format: 'jwk' }));
+
+    fastify = buildFastify({
+      holderAppServerAccessTokenPublicKey: publicKey,
+      holderAppServerAccessTokenSigningKey: hexFromJwk(privateKey),
+      oauthVerificationDisabledEndpoints: [
+        'POST:/api/v0.6/verify/:valueType/request-code',
+        'POST:/api/v0.6/verify/confirm',
+        'POST:/api/v0.6/verify/issuing/identify',
+        'POST:/api/v0.6/verify/issuing/generate-offers',
+      ],
+    });
+    await fastify.ready();
+    ({ persistVerification } = initVerificationFactory(fastify));
+    ({ persistVerificationOffer } = initVerificationOfferFactory(fastify));
+    ({ persistVerificationCodeAttempt } =
+      initVerificationCodeAttemptsFactory(fastify));
+    await initVerifyDomain(fastify.config)('example.com');
+  }, 30000);
+
+  beforeEach(async () => {
+    await mongoDb().collection('verifications').deleteMany({});
+    await mongoDb().collection('verificationOffers').deleteMany({});
+    await mongoDb().collection('verificationCodeAttempts').deleteMany({});
+  });
+
+  afterAll(async () => {
+    await fastify.close();
+  });
+
+  const generateEmailAddress = () => `${nanoid()}@example.com`;
+
+  describe('Access Token verification disabled', () => {
+    beforeEach(async () => {
+      fastify.resetOverrides();
+    });
+    describe('Start email address verification', () => {
+      it('Should return 400 when request is malformed', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            test: 'MALFORMED',
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+      });
+
+      it('Start email address verification flow', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: generateEmailAddress(),
+          },
+        });
+
+        expect(response.statusCode).toEqual(204);
+      });
+
+      it('Increase attempts count on email verification repeat', async () => {
+        const emailAddress = generateEmailAddress();
+
+        await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: emailAddress,
+          },
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: emailAddress,
+          },
+        });
+
+        const verifications = await mongoDb()
+          .collection('verifications')
+          .find({ value: emailAddress })
+          .toArray();
+
+        expect(response.statusCode).toEqual(204);
+        expect(verifications).toHaveLength(2);
+      });
+
+      it('Exhaust attempts count if too many request-codes', async () => {
+        const emailAddress = generateEmailAddress();
+
+        const attempt1 = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: emailAddress,
+          },
+        });
+        expect(attempt1.statusCode).toEqual(204);
+
+        const attempt2 = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: emailAddress,
+          },
+        });
+        expect(attempt2.statusCode).toEqual(204);
+
+        const attempt3 = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: emailAddress,
+          },
+        });
+        expect(attempt3.statusCode).toEqual(204);
+
+        const attempt4 = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: emailAddress,
+          },
+        });
+        expect(attempt4.statusCode).toEqual(400);
+
+        const verifications = await mongoDb()
+          .collection('verifications')
+          .find({ value: emailAddress })
+          .toArray();
+
+        expect(verifications).toHaveLength(3);
+      });
+
+      it('Successfully issue if old attempts are expired', async () => {
+        const emailAddress = generateEmailAddress();
+        const verification = { value: emailAddress };
+
+        await Promise.all([
+          persistVerification(verification),
+          persistVerification(verification),
+          persistVerification(verification),
+        ]);
+
+        await mongoDb()
+          .collection('verifications')
+          .updateMany({}, { $set: { createdAt: subMinutes(10, new Date()) } });
+
+        const attempt4 = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: emailAddress,
+          },
+        });
+        expect(attempt4.statusCode).toEqual(204);
+
+        const verifications = await mongoDb()
+          .collection('verifications')
+          .countDocuments({ value: emailAddress });
+
+        expect(verifications).toEqual(4);
+      });
+    });
+
+    describe('Start phone number verification', () => {
+      it('Should return 400 when request is malformed', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            test: 'MALFORMED',
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+      });
+
+      it('Start phone number verification flow', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+        });
+
+        expect(response.statusCode).toEqual(204);
+      });
+
+      it('Increase attempts count on email verification repeat', async () => {
+        await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+        });
+
+        const verifications = await mongoDb()
+          .collection('verifications')
+          .countDocuments({ value: '123456789' });
+
+        expect(response.statusCode).toEqual(204);
+        expect(verifications).toEqual(2);
+      });
+    });
+
+    describe('Phone number auto blocking Test Suite', () => {
+      it('Should return 400 if phone number prefix is blocked', async () => {
+        fastify.overrides.reqConfig = (config) => ({
+          ...config,
+          phonePrefixesToBlock: ['f'],
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: 'foo',
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+        expect(response.json).toEqual(
+          errorResponseMatcher({
+            statusCode: 400,
+            error: 'Bad Request',
+            errorCode: 'attempt_blocked',
+            message: 'Attempt Blocked',
+          })
+        );
+
+        const attemptsFromDb = await mongoDb()
+          .collection('verificationCodeAttempts')
+          .find()
+          .sort({ attemptedAt: 1 })
+          .toArray();
+        expect(attemptsFromDb).toEqual([verificationCodeAttemptMatcher()]);
+        const [attempt0] = attemptsFromDb;
+        expect(attempt0.releaseAt).toBeUndefined();
+      });
+      it('Should return 400 and set releaseAt for 3rd request in 30 minutes', async () => {
+        const initialTime = new Date();
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(97, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(47, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(20, initialTime),
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: 'foo',
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+        expect(response.json).toEqual(
+          errorResponseMatcher({
+            statusCode: 400,
+            error: 'Bad Request',
+            errorCode: 'attempt_blocked',
+            message: 'Attempt Blocked',
+          })
+        );
+
+        const attemptsFromDb = await mongoDb()
+          .collection('verificationCodeAttempts')
+          .find()
+          .sort({ attemptedAt: 1 })
+          .toArray();
+        expect(attemptsFromDb).toEqual([
+          verificationCodeAttemptMatcher(),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+        ]);
+        const [attempt0, attempt1, attempt2, attempt3] = attemptsFromDb;
+        expect(attempt0.releaseAt).toBeUndefined();
+        expect(attempt1.releaseAt > addHours(1, initialTime)).toEqual(true);
+        expect(attempt2.releaseAt > addHours(2, initialTime)).toEqual(true);
+        expect(attempt3.releaseAt > addHours(3, initialTime)).toEqual(true);
+      });
+      it('Should return 400 and update releaseAt for 5th request in 30 minutes', async () => {
+        const initialTime = new Date();
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(97, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(37, initialTime),
+          releaseAt: addHours(1, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(20, initialTime),
+          releaseAt: addHours(2, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(15, initialTime),
+          releaseAt: addHours(3, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(10, initialTime),
+          releaseAt: addHours(4, initialTime),
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: 'foo',
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+        expect(response.json).toEqual(
+          errorResponseMatcher({
+            statusCode: 400,
+            error: 'Bad Request',
+            errorCode: 'attempt_blocked',
+            message: 'Attempt Blocked',
+          })
+        );
+
+        const attemptsFromDb = await mongoDb()
+          .collection('verificationCodeAttempts')
+          .find()
+          .sort({ attemptedAt: 1 })
+          .toArray();
+        expect(attemptsFromDb).toEqual([
+          verificationCodeAttemptMatcher(),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+        ]);
+        const [attempt0, attempt1, attempt2, attempt3, attempt4, attempt5] =
+          attemptsFromDb;
+        expect(attempt0.releaseAt).toBeUndefined();
+        expect(attempt1.releaseAt > addHours(1, initialTime)).toEqual(true);
+        expect(attempt2.releaseAt > addHours(2, initialTime)).toEqual(true);
+        expect(attempt3.releaseAt > addHours(3, initialTime)).toEqual(true);
+        expect(attempt4.releaseAt > addHours(4, initialTime)).toEqual(true);
+        expect(attempt5.releaseAt > addHours(5, initialTime)).toEqual(true);
+      });
+      it('Should return 400 and update releaseAt for 10th request in 60 minutes', async () => {
+        const initialTime = new Date();
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(65, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(55, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(50, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(45, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(40, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(37, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(27, initialTime),
+          releaseAt: addHours(1, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(20, initialTime),
+          releaseAt: addHours(2, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(15, initialTime),
+          releaseAt: addHours(3, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          attemptedAt: subMinutes(10, initialTime),
+          releaseAt: addHours(4, initialTime),
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: 'foo',
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+        expect(response.json).toEqual(
+          errorResponseMatcher({
+            statusCode: 400,
+            error: 'Bad Request',
+            errorCode: 'attempt_blocked',
+            message: 'Attempt Blocked',
+          })
+        );
+
+        const attemptsFromDb = await mongoDb()
+          .collection('verificationCodeAttempts')
+          .find()
+          .sort({ attemptedAt: 1 })
+          .toArray();
+        expect(attemptsFromDb).toEqual([
+          verificationCodeAttemptMatcher(),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date) }),
+        ]);
+        const [attempt0, ...attempts] = attemptsFromDb;
+        expect(attempt0.releaseAt).toBeUndefined();
+        forEach((attempt) => {
+          expect(attempt.releaseAt > addHours(475, initialTime)).toEqual(true);
+        }, attempts);
+      });
+      it('Should return 204 for request within the rate limits', async () => {
+        fastify.overrides.reqConfig = (config) => ({
+          ...config,
+          phonePrefixesToBlock: ['f', 'b'],
+        });
+
+        const key = '123456789';
+        const initialTime = new Date();
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(95, initialTime),
+          releaseAt: subMinutes(10, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(75, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(70, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(10, initialTime),
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: key,
+          },
+        });
+
+        expect(response.statusCode).toEqual(204);
+
+        const attemptsFromDb = await mongoDb()
+          .collection('verificationCodeAttempts')
+          .find()
+          .sort({ attemptedAt: 1 })
+          .toArray();
+        expect(attemptsFromDb).toEqual([
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date), key }),
+          verificationCodeAttemptMatcher({ key }),
+          verificationCodeAttemptMatcher({ key }),
+          verificationCodeAttemptMatcher({ key }),
+          verificationCodeAttemptMatcher({ key }),
+        ]);
+      });
+    });
+
+    describe('Complete verification', () => {
+      describe('Complete verification VCL Verification Version < 2', () => {
+        it('Should return 400 when request is malformed', async () => {
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              test: 'MALFORMED',
+            },
+          });
+
+          expect(response.statusCode).toEqual(400);
+        });
+
+        it('Should return 404 when verfication code does not match any verfication', async () => {
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: 'VERFICATION-CODE',
+            },
+          });
+
+          expect(response.statusCode).toEqual(404);
+        });
+
+        it('Should return 404 when verification code does not match any incomplete verification', async () => {
+          const verification = await persistVerification({
+            complete: new Date(),
+          });
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: verification.attemptId,
+            },
+          });
+
+          expect(response.statusCode).toEqual(404);
+        });
+
+        it('Should return 200 when verification code has almost expired', async () => {
+          const verification = await persistVerification();
+          await mongoDb()
+            .collection('verifications')
+            .updateMany({}, { $set: { createdAt: subMinutes(9, new Date()) } });
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: verification.attemptId,
+            },
+          });
+
+          expect(response.statusCode).toEqual(200);
+        });
+
+        it('Should return 404 when verification code has expired', async () => {
+          const verification = await persistVerification();
+          await mongoDb()
+            .collection('verifications')
+            .updateMany(
+              {},
+              { $set: { createdAt: subMinutes(10, new Date()) } }
+            );
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: verification.attemptId,
+            },
+          });
+
+          expect(response.statusCode).toEqual(404);
+        });
+
+        it('Should return 404 when verificaiton code isnt the latest', async () => {
+          const verification1 = await persistVerification();
+          await wait(10);
+          await persistVerification();
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: verification1.attemptId,
+            },
+          });
+
+          expect(response.statusCode).toEqual(404);
+        });
+
+        it('Complete verification confirmation', async () => {
+          await persistVerification();
+          await wait(10);
+
+          const verification2 = await persistVerification();
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: verification2.attemptId,
+            },
+          });
+
+          const verifiedCredential = decodeCredentialJwt(
+            response.json.credential
+          );
+          const offer = await mongoDb()
+            .collection('verificationOffers')
+            .findOne({
+              type: VerificationCredentialTypes.EmailAddressVerification,
+            });
+
+          expect(response.statusCode).toEqual(200);
+          expect(verifiedCredential.credentialSubject.id).toEqual(
+            offer.offerId
+          );
+        });
+      });
+      describe('Complete verification VCL Verification Version 2', () => {
+        it('Complete verification confirmation and return a token', async () => {
+          await persistVerification();
+          await wait(10);
+
+          const verification2 = await persistVerification();
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            headers: {
+              'x-vcl-verif-version': '2',
+            },
+            payload: {
+              verificationCode: verification2.attemptId,
+            },
+          });
+          const offer = await mongoDb()
+            .collection('verificationOffers')
+            .findOne({
+              type: VerificationCredentialTypes.EmailAddressVerification,
+            });
+
+          expect(response.statusCode).toEqual(200);
+          expect(response.json).toEqual({
+            token: offer.offerId,
+          });
+        });
+      });
+    });
+
+    describe('Verified Holder Identification', () => {
+      it('Should return 400 when request idDocumentCredential is missing id [Deprecated] AND credentialSubject.id', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/identify',
+          payload: {
+            idDocumentCredentials: [
+              {
+                test: 'MALFORMED',
+              },
+            ],
+            exchangeId: nanoid(),
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+      });
+
+      it('Should return 404 when offer ID does not match any offer', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/identify',
+          payload: {
+            idDocumentCredentials: [
+              {
+                credentialSubject: {
+                  id: 'OFFER-ID',
+                },
+              },
+            ],
+            exchangeId: nanoid(),
+          },
+        });
+
+        expect(response.statusCode).toEqual(404);
+      });
+
+      it('Should return 404 when idDocumentCredentials is empty and no vendorOriginContext', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/identify',
+          payload: {
+            exchangeId: nanoid(),
+            idDocumentCredentials: [],
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+        expect(response.json).toEqual(
+          errorResponseMatcher({
+            error: 'Bad Request',
+            errorCode: 'request_validation_failed',
+            message:
+              // eslint-disable-next-line max-len
+              "body/idDocumentCredentials must NOT have fewer than 1 items, body must have required property 'vendorOriginContext', body must match a schema in anyOf",
+            statusCode: 400,
+          })
+        );
+      });
+
+      it('Should complete identification', async () => {
+        const verificationOffer = await persistVerificationOffer();
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/identify',
+          payload: {
+            idDocumentCredentials: [
+              {
+                id: 'foo',
+                credentialSubject: {
+                  id: verificationOffer.offerId,
+                },
+              },
+            ],
+            exchangeId: nanoid(),
+          },
+        });
+
+        expect(response.statusCode).toEqual(200);
+        expect(response.json.vendorUserId).toEqual(verificationOffer.offerId);
+      });
+
+      it('Should complete identification with idDocumentCredential.id [Deprecated]', async () => {
+        const verificationOffer = await persistVerificationOffer();
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/identify',
+          payload: {
+            idDocumentCredentials: [
+              {
+                id: verificationOffer.offerId,
+              },
+            ],
+            exchangeId: nanoid(),
+          },
+        });
+
+        expect(response.statusCode).toEqual(200);
+        expect(response.json.vendorUserId).toEqual(verificationOffer.offerId);
+      });
+
+      it('Should complete identification using vendorOriginContext', async () => {
+        const verificationOffer = await persistVerificationOffer();
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/identify',
+          payload: {
+            exchangeId: nanoid(),
+            vendorOriginContext: verificationOffer.offerId,
+            idDocumentCredentials: [],
+          },
+        });
+
+        expect(response.statusCode).toEqual(200);
+        expect(response.json.vendorUserId).toEqual(verificationOffer.offerId);
+      });
+    });
+
+    describe('Verification Offer Generation', () => {
+      it('Should return 400 when request is malformed', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/generate-offers',
+          payload: {
+            test: 'MALFORMED',
+          },
+        });
+
+        expect(response.statusCode).toEqual(400);
+      });
+
+      it('Should return 404 when offer ID does not match any offer', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/generate-offers',
+          payload: {
+            vendorOrganizationId: '',
+            vendorUserId: 'OFFER-ID',
+            exchangeId: '',
+          },
+        });
+
+        expect(response.statusCode).toEqual(404);
+      });
+
+      it('Should generate email offers', async () => {
+        const verificationOffer = await persistVerificationOffer();
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/generate-offers',
+          payload: {
+            vendorOrganizationId: 'VENDOR-ORG-ID',
+            vendorUserId: verificationOffer.offerId,
+            exchangeId: 'EXCHANGE-ID',
+          },
+        });
+
+        expect(response.statusCode).toEqual(200);
+        expect(response.json.offers).toHaveLength(1);
+        expect(response.json.offers[0].offerId).toEqual(
+          verificationOffer.offerId
+        );
+        expect(response.json.offers[0].offerCreationDate).toEqual(
+          verificationOffer.offerCreationDate
+        );
+        expect(response.json.offers[0].exchangeId).toEqual('EXCHANGE-ID');
+        expect(response.json.offers[0].credentialSubject.vendorUserId).toEqual(
+          verificationOffer.value
+        );
+        expect(response.json.offers[0].credentialSubject.email).toEqual(
+          verificationOffer.value
+        );
+      });
+
+      it('Should generate phone offers', async () => {
+        const verificationOffer = await persistVerificationOffer({
+          type: [VerificationCredentialTypes.PhoneNumberVerification],
+          value: '123456789',
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/generate-offers',
+          payload: {
+            vendorOrganizationId: 'VENDOR-ORG-ID',
+            vendorUserId: verificationOffer.offerId,
+            exchangeId: 'EXCHANGE-ID',
+          },
+        });
+
+        expect(response.statusCode).toEqual(200);
+        expect(response.json.offers).toHaveLength(1);
+        expect(response.json.offers[0].offerId).toEqual(
+          verificationOffer.offerId
+        );
+        expect(response.json.offers[0].offerCreationDate).toEqual(
+          verificationOffer.offerCreationDate
+        );
+        expect(response.json.offers[0].exchangeId).toEqual('EXCHANGE-ID');
+        expect(response.json.offers[0].credentialSubject.phone).toEqual(
+          verificationOffer.value
+        );
+      });
+
+      it('Should generate phone offers using a tenantDID', async () => {
+        const verificationOffer = await persistVerificationOffer({
+          type: [VerificationCredentialTypes.PhoneNumberVerification],
+          value: '123456789',
+        });
+        const tenantDid = 'did:ion:abc';
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/generate-offers',
+          payload: {
+            tenantDID: tenantDid,
+            vendorUserId: verificationOffer.offerId,
+            exchangeId: 'EXCHANGE-ID',
+          },
+        });
+
+        expect(response.statusCode).toEqual(200);
+      });
+    });
+  });
+  describe('Access Token verification enabled', () => {
+    beforeAll(async () => {
+      fastify.overrides.reqConfig = (config) => ({
+        ...config,
+        oauthVerificationDisabledEndpoints: [], // enabled for all endpoints
+      });
+    });
+
+    describe('Start email address verification', () => {
+      it('Start email address verification flow if correct access token is provided', async () => {
+        const accessToken = await createAccessToken(
+          accountScopes.account,
+          privateKey
+        );
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: generateEmailAddress(),
+          },
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        expect(response.statusCode).toEqual(204);
+      });
+
+      it('Should return 401 when no access token is provided', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: generateEmailAddress(),
+          },
+        });
+
+        missingAccessTokenExpectation(response);
+      });
+
+      it('Should return 401 when incorrect access token is provided', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: generateEmailAddress(),
+          },
+          headers: {
+            authorization: 'Bearer incorrect_access_token',
+          },
+        });
+
+        incorrectAccessTokenExpectation(response);
+      });
+
+      it('Should return 403 when incorrect scope is provided', async () => {
+        const accessToken = await createAccessToken(
+          'incorrect_scope',
+          privateKey
+        );
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/email/request-code',
+          payload: {
+            value: generateEmailAddress(),
+          },
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        incorrectScopeExpectation(response);
+      });
+    });
+
+    describe('Start phone number verification', () => {
+      it('Start phone number verification flow', async () => {
+        const accessToken = await createAccessToken(
+          accountScopes.account,
+          privateKey
+        );
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        expect(response.statusCode).toEqual(204);
+      });
+
+      it('Should return 401 when no access token is provided', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+        });
+
+        missingAccessTokenExpectation(response);
+      });
+
+      it('Should return 401 when incorrect access token is provided', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+          headers: {
+            authorization: 'Bearer incorrect_access_token',
+          },
+        });
+
+        incorrectAccessTokenExpectation(response);
+      });
+
+      it('Should return 403 when incorrect scope is provided', async () => {
+        const accessToken = await createAccessToken(
+          'incorrect_scope',
+          privateKey
+        );
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        incorrectScopeExpectation(response);
+      });
+    });
+
+    describe('Phone number auto blocking Test Suite', () => {
+      it('Should return 204 for request within the rate limits', async () => {
+        const accessToken = await createAccessToken(
+          accountScopes.account,
+          privateKey
+        );
+        fastify.overrides.reqConfig = (config) => ({
+          ...config,
+          phonePrefixesToBlock: ['f', 'b'],
+          oauthVerificationDisabledEndpoints: [], // enabled for all endpoints
+        });
+
+        const key = '123456789';
+        const initialTime = new Date();
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(95, initialTime),
+          releaseAt: subMinutes(10, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(75, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(70, initialTime),
+        });
+        await persistVerificationCodeAttempt({
+          key,
+          attemptedAt: subMinutes(10, initialTime),
+        });
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: key,
+          },
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        expect(response.statusCode).toEqual(204);
+
+        const attemptsFromDb = await mongoDb()
+          .collection('verificationCodeAttempts')
+          .find()
+          .sort({ attemptedAt: 1 })
+          .toArray();
+        expect(attemptsFromDb).toEqual([
+          verificationCodeAttemptMatcher({ releaseAt: expect.any(Date), key }),
+          verificationCodeAttemptMatcher({ key }),
+          verificationCodeAttemptMatcher({ key }),
+          verificationCodeAttemptMatcher({ key }),
+          verificationCodeAttemptMatcher({ key }),
+        ]);
+      });
+
+      it('Should return 401 when no access token is provided', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+        });
+
+        missingAccessTokenExpectation(response);
+      });
+
+      it('Should return 401 when incorrect access token is provided', async () => {
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+          headers: {
+            authorization: 'Bearer incorrect_access_token',
+          },
+        });
+
+        incorrectAccessTokenExpectation(response);
+      });
+
+      it('Should return 403 when incorrect scope is provided', async () => {
+        const accessToken = await createAccessToken(
+          'incorrect_scope',
+          privateKey
+        );
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/phone/request-code',
+          payload: {
+            value: '123456789',
+          },
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        incorrectScopeExpectation(response);
+      });
+    });
+
+    describe('Complete verification', () => {
+      describe('Complete verification VCL Verification Version < 2', () => {
+        it('Complete verification confirmation', async () => {
+          const accessToken = await createAccessToken(
+            accountScopes.account,
+            privateKey
+          );
+          await persistVerification();
+          await wait(10);
+
+          const verification2 = await persistVerification();
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: verification2.attemptId,
+            },
+            headers: {
+              authorization: `Bearer ${accessToken}`,
+            },
+          });
+
+          const verifiedCredential = decodeCredentialJwt(
+            response.json.credential
+          );
+          const offer = await mongoDb()
+            .collection('verificationOffers')
+            .findOne({
+              type: VerificationCredentialTypes.EmailAddressVerification,
+            });
+
+          expect(response.statusCode).toEqual(200);
+          expect(verifiedCredential.credentialSubject.id).toEqual(
+            offer.offerId
+          );
+        });
+
+        it('Should return 401 when no access token is provided', async () => {
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: 'VERFICATION-CODE',
+            },
+          });
+          missingAccessTokenExpectation(response);
+        });
+
+        it('Should return 401 when incorrect access token is provided', async () => {
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: 'VERFICATION-CODE',
+            },
+            headers: {
+              authorization: 'Bearer incorrect_access_token',
+            },
+          });
+          incorrectAccessTokenExpectation(response);
+        });
+
+        it('Should return 403 when incorrect scope is provided', async () => {
+          const accessToken = await createAccessToken(
+            'incorrect_scope',
+            privateKey
+          );
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            payload: {
+              verificationCode: 'VERFICATION-CODE',
+            },
+            headers: {
+              authorization: `Bearer ${accessToken}`,
+            },
+          });
+          incorrectScopeExpectation(response);
+        });
+      });
+      describe('Complete verification VCL Verification Version 2', () => {
+        it('Complete verification confirmation and return a token', async () => {
+          const accessToken = await createAccessToken(
+            accountScopes.account,
+            privateKey
+          );
+
+          await persistVerification();
+          await wait(10);
+
+          const verification2 = await persistVerification();
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            headers: {
+              'x-vcl-verif-version': '2',
+              authorization: `Bearer ${accessToken}`,
+            },
+            payload: {
+              verificationCode: verification2.attemptId,
+            },
+          });
+          const offer = await mongoDb()
+            .collection('verificationOffers')
+            .findOne({
+              type: VerificationCredentialTypes.EmailAddressVerification,
+            });
+
+          expect(response.statusCode).toEqual(200);
+          expect(response.json).toEqual({
+            token: offer.offerId,
+          });
+        });
+
+        it('Should return 401 when no access token is provided', async () => {
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            headers: {
+              'x-vcl-verif-version': '2',
+            },
+            payload: {
+              verificationCode: 'VERFICATION-CODE',
+            },
+          });
+          missingAccessTokenExpectation(response);
+        });
+
+        it('Should return 401 when incorrect access token is provided', async () => {
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+
+            headers: {
+              'x-vcl-verif-version': '2',
+              authorization: 'Bearer incorrect_access_token',
+            },
+          });
+          incorrectAccessTokenExpectation(response);
+        });
+
+        it('Should return 403 when incorrect scope is provided', async () => {
+          const accessToken = await createAccessToken(
+            'incorrect_scope',
+            privateKey
+          );
+
+          const response = await fastify.injectJson({
+            method: 'POST',
+            url: '/api/v0.6/verify/confirm',
+            headers: {
+              'x-vcl-verif-version': '2',
+              authorization: `Bearer ${accessToken}`,
+            },
+          });
+          incorrectScopeExpectation(response);
+        });
+      });
+    });
+
+    describe('Verified Holder Identification', () => {
+      it('Should complete identification', async () => {
+        const accessToken = await createAccessToken(
+          accountScopes.account,
+          privateKey
+        );
+
+        const verificationOffer = await persistVerificationOffer();
+
+        const response = await fastify.injectJson({
+          method: 'POST',
+          url: '/api/v0.6/verify/issuing/identify',
+          payload: {
+            idDocumentCredentials: [
+              {
+                id: 'foo',
+                credentialSubject: {
+                  id: verificationOffer.offerId,
+                },
+              },
+            ],
+            exchangeId: nanoid(),
+          },
+
+          headers: {
+            authorization: `Bearer ${accessToken}`,
+          },
+        });
+
+        expect(response.statusCode).toEqual(200);
+        expect(response.json.vendorUserId).toEqual(verificationOffer.offerId);
+      });
+    });
+  });
+});
+
+const verificationCodeAttemptMatcher = (overrides = {}) => {
+  const key = hashAndEncodeHex(overrides.key ?? 'foo');
+  return {
+    _id: expect.any(ObjectId),
+    attemptedAt: expect.any(Date),
+    createdAt: expect.any(Date),
+    releaseAt: undefined,
+    updatedAt: expect.any(Date),
+    ...overrides,
+    key,
+  };
+};