npm - @verii/server-credentialagent - Versions diffs - 1.0.0-pre.1752076816 - Mend

@verii/server-credentialagent 1.0.0-pre.1752076816

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (395) hide show

package/src/entities/offers/domains/constants.js ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const OfferType = {
+  PREPREPARED_ONLY: 'PREPREPARED_ONLY',
+  ALL: 'ALL',
+  LEGACY: 'LEGACY',
+};
+const ISSUING_CHALLENGE_SIZE = 16;
+const VELOCITY_NETWORK_CREDENTIAL_TYPE = {
+  LAYER_1: 'VelocityNetworkLayer1Credential',
+  LAYER_2: 'VelocityNetworkLayer2Credential',
+};
+module.exports = {
+  OfferType,
+  ISSUING_CHALLENGE_SIZE,
+  VELOCITY_NETWORK_CREDENTIAL_TYPE,
+};

package/src/entities/offers/domains/filter-object-ids.js ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { map, flow, filter, includes } = require('lodash/fp');
+const { ObjectId } = require('mongodb');
+const filterObjectIds = (offerIds, exchange) => {
+  const exchangeOfferIds = map(
+    (offerId) => offerId.toString(),
+    exchange.offerIds
+  );
+  return flow(
+    filter((id) => includes(id, exchangeOfferIds)),
+    map((v) => new ObjectId(v))
+  )(offerIds);
+};
+module.exports = {
+  filterObjectIds,
+};

package/src/entities/offers/domains/generate-issuing-challenge.js ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { getUnixTime } = require('date-fns/fp');
+const { nanoid } = require('nanoid');
+const { ISSUING_CHALLENGE_SIZE } = require('./constants');
+const generateIssuingChallenge = () => ({
+  challenge: nanoid(ISSUING_CHALLENGE_SIZE),
+  challengeIssuedAt: getUnixTime(new Date()),
+});
+module.exports = { generateIssuingChallenge };

package/src/entities/offers/domains/generate-link-code.js ADDED Viewed

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { generateRandomBytes, createCommitment } = require('@verii/crypto');
+const LINK_CODE_BIT_LENGTH = 160;
+const LINK_CODE_BYTE_LENGTH = LINK_CODE_BIT_LENGTH / 8;
+const generateLinkCode = () => {
+  const linkCodeBytes = generateRandomBytes(LINK_CODE_BYTE_LENGTH);
+  const linkCodeCommit = createCommitment(linkCodeBytes);
+  return {
+    linkCodeCommitment: {
+      type: 'VelocityCredentialLinkCodeCommitment2022',
+      value: linkCodeCommit,
+    },
+    linkCode: linkCodeBytes.toString('base64'),
+  };
+};
+module.exports = { generateLinkCode };

package/src/entities/offers/domains/index.js ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module.exports = {
+  ...require('./build-offer'),
+  ...require('./prepare-linked-credentials-for-holder'),
+  ...require('./constants'),
+  ...require('./post-validation-offers-handler'),
+  ...require('./validate-offer'),
+  ...require('./build-deeplink-url'),
+  ...require('./build-qr-code-url'),
+  ...require('./generate-link-code'),
+  ...require('./filter-object-ids'),
+  ...require('./generate-issuing-challenge'),
+  ...require('./resolve-subject'),
+  ...require('./build-clean-pii-filter'),
+  ...require('./validate-offer-commercial-entity'),
+};

package/src/entities/offers/domains/post-validation-offers-handler.js ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const newError = require('http-errors');
+const { ExchangeStates } = require('../../exchanges');
+const postValidationOffersHandler = async (req) => {
+  const { repos, exchange } = req;
+  if (req.validationError) {
+    await repos.exchanges.addState(
+      exchange._id,
+      ExchangeStates.OFFER_VALIDATION_ERROR
+    );
+    throw new newError.BadRequest(req.validationError);
+  }
+};
+module.exports = { postValidationOffersHandler };

package/src/entities/offers/domains/prepare-linked-credentials-for-holder.js ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { flow, isEmpty, map, omit, reject } = require('lodash/fp');
+const prepareLinkedCredentialsForHolder = (linkedCredentials) => {
+  if (linkedCredentials == null) {
+    return undefined;
+  }
+  const result = flow(
+    reject((linkedCredential) => linkedCredential.invalidAt != null),
+    map(omit(['linkedCredentialId']))
+  )(linkedCredentials);
+  if (isEmpty(result)) {
+    return undefined;
+  }
+  return result;
+};
+module.exports = { prepareLinkedCredentialsForHolder };

package/src/entities/offers/domains/resolve-subject.js ADDED Viewed

@@ -0,0 +1,142 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { first, startsWith, isEmpty, lastIndexOf } = require('lodash/fp');
+const { jwtVerify, jwtHeaderDecode, jwkThumbprint } = require('@verii/jwt');
+const newError = require('http-errors');
+const { getUnixTime } = require('date-fns/fp');
+const { resolveDidJwkDocument } = require('@verii/did-doc');
+const resolveSubject = async (proof, context) => {
+  verifyProofStructure(proof);
+  const { jwk, did } = await resolveJwk(proof);
+  await verifyProofJwt(context.exchange, proof, jwk, context);
+  if (did != null) {
+    return { id: did };
+  }
+  return { id: await jwkThumbprint(jwk), jwk };
+};
+const verifyProofStructure = (proof) => {
+  if (proof == null) {
+    throw newError(400, 'proof is missing', {
+      errorCode: 'invalid_or_missing_proof',
+    });
+  }
+  const { proof_type: proofType, jwt } = proof;
+  if (proofType !== 'jwt') {
+    throw newError(400, "proof_type isn't set to jwt", {
+      errorCode: 'proof_type_invalid',
+    });
+  }
+  if (isEmpty(jwt)) {
+    throw newError(400, 'proof.jwt is missing', {
+      errorCode: 'proof_jwt_is_required',
+    });
+  }
+};
+const decodeHeader = (jwt) => {
+  try {
+    return jwtHeaderDecode(jwt);
+  } catch (error) {
+    throw newError(400, 'proof.jwt is missing', {
+      errorCode: 'bad_proof_jwt',
+    });
+  }
+};
+const resolveJwk = async ({ jwt }) => {
+  const { jwk, kid } = decodeHeader(jwt);
+  if (jwk == null && kid == null) {
+    throw newError(400, 'proof.jwt is missing a kid', {
+      errorCode: 'proof_one_of_jwk_kid_required',
+    });
+  }
+  if (kid != null) {
+    try {
+      const didDocument = await resolveDidJwkDocument(
+        extractDidJwkWithoutSuffix(kid)
+      );
+      return {
+        did: didDocument.id,
+        jwk: first(didDocument.verificationMethod).publicKeyJwk,
+      };
+    } catch (error) {
+      throw newError(
+        400,
+        'kid in the jwt does not resolve to a supported DID document. (kid should be a did:jwk)',
+        {
+          errorCode: 'proof_invalid_kid',
+        }
+      );
+    }
+  }
+  return { jwk };
+};
+const extractDidJwkWithoutSuffix = (jwkIdentifier) => {
+  const endIndex = lastIndexOf('#', jwkIdentifier);
+  return jwkIdentifier.substring(0, endIndex);
+};
+const verifyProofJwt = async (
+  { challenge, challengeIssuedAt },
+  { jwt },
+  jwk,
+  { config: { hostUrl, oidcTokensExpireIn } }
+) => {
+  let payload;
+  try {
+    const { payload: verifiedPayload } = await jwtVerify(jwt, jwk);
+    payload = verifiedPayload;
+  } catch (error) {
+    throw newError(400, "proof.jwt isn't a jwt or signature is not correct", {
+      errorCode: 'proof_bad_jwt',
+    });
+  }
+  if (!startsWith(hostUrl, payload.aud)) {
+    throw newError(400, 'The aud in the jwt is not correct', {
+      errorCode: 'proof_bad_aud',
+    });
+  }
+  if (payload.nonce !== challenge) {
+    throw newError(
+      400,
+      'The nonce in the jwt does not match the supplied c_nonce',
+      {
+        errorCode: 'proof_challenge_mismatch',
+      }
+    );
+  }
+  if (challengeIssuedAt + oidcTokensExpireIn < getUnixTime(new Date())) {
+    throw newError(400, 'The c_nonce in the jwt has expired', {
+      errorCode: 'proof_challenge_expired',
+    });
+  }
+};
+module.exports = { resolveSubject };

package/src/entities/offers/domains/validate-offer-commercial-entity.js ADDED Viewed

@@ -0,0 +1,24 @@
+const newError = require('http-errors');
+const { isEmpty } = require('lodash/fp');
+const validateOfferCommercialEntity = (offer, disclosure = {}) => {
+  const { commercialEntityName, commercialEntityLogo } = disclosure;
+  const { issuer } = offer;
+  if (isEmpty(commercialEntityName) && isEmpty(commercialEntityLogo)) {
+    return;
+  }
+  if (
+    issuer?.name !== commercialEntityName ||
+    issuer?.image !== commercialEntityLogo
+  ) {
+    const errorCode = 'invalid_commercial_entity';
+    const errorMessage = 'Invalid commercial entity';
+    throw newError(400, errorMessage, { errorCode });
+  }
+};
+module.exports = {
+  validateOfferCommercialEntity,
+};

package/src/entities/offers/domains/validate-offer.js ADDED Viewed

@@ -0,0 +1,90 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const newError = require('http-errors');
+const { omit } = require('lodash/fp');
+const { extractCredentialType } = require('@verii/vc-checks');
+const {
+  newVendorOfferSchema,
+} = require('../../../controllers/operator/tenants/_tenantId/offers/schemas');
+const { initLoadSchemaValidate } = require('../../schemas');
+const {
+  validateOfferCommercialEntity,
+} = require('./validate-offer-commercial-entity');
+const initValidateOffer = (fastify) => {
+  const vendorOfferValidator = fastify.getDocValidator(
+    newVendorOfferSchema.$id
+  );
+  const createSchemaValidator = initLoadSchemaValidate(fastify);
+  const createValidationError = (validator, path = '$') => {
+    return newError.BadRequest(
+      fastify.errorsText(validator.errors, { dataVar: `'${path}'` })
+    );
+  };
+  return async (
+    offer,
+    isValidateVendorOffer,
+    forceCredentialSubjectValidation,
+    context
+  ) => {
+    if (isValidateVendorOffer && !vendorOfferValidator(offer)) {
+      throw createValidationError(vendorOfferValidator);
+    }
+    validateExpirationDates(offer);
+    validateOfferCommercialEntity(offer, context.disclosure);
+    const credentialSubject = omit(['vendorUserId'], offer.credentialSubject);
+    const validator = await createSchemaValidator(
+      extractCredentialType(offer),
+      context
+    );
+    validator(credentialSubject);
+    const validatedOffer = {
+      ...offer,
+      credentialSubject: {
+        vendorUserId: offer.credentialSubject?.vendorUserId,
+        ...credentialSubject,
+      },
+    };
+    // skip validating credential subjects if the config is off
+    if (
+      !context.config.enableOfferValidation &&
+      !forceCredentialSubjectValidation
+    ) {
+      return validatedOffer;
+    }
+    if (!validator(credentialSubject)) {
+      throw createValidationError(validator, '$.credentialSubject');
+    }
+    return validatedOffer;
+  };
+};
+const validateExpirationDates = (offer) => {
+  if (offer.expirationDate != null && offer.validUntil != null) {
+    throw newError.BadRequest(
+      "'$.expirationDate' and '$.validUntil' cannot both be set"
+    );
+  }
+};
+module.exports = { initValidateOffer };

package/src/entities/offers/factories/index.js ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module.exports = {
+  ...require('./offer-factory'),
+};

package/src/entities/offers/factories/offer-factory.js ADDED Viewed

@@ -0,0 +1,119 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { register } = require('@spencejs/spence-factories');
+const { nanoid } = require('nanoid/non-secure');
+const { ObjectId } = require('mongodb');
+const { hashOffer } = require('@verii/velocity-issuing');
+const { offerRepoPlugin } = require('../repos');
+const { initTenantFactory } = require('../../tenants');
+const { initOfferExchangeFactory } = require('../../exchanges');
+const { initUserFactory } = require('../../users');
+const initOfferFactory = (app) => {
+  const initRepo = offerRepoPlugin(app);
+  return register('offer', async (overrides, { getOrBuild }) => {
+    const tenant = await getOrBuild('tenant', initTenantFactory(app));
+    const exchange = await getOrBuild(
+      'exchange',
+      initOfferExchangeFactory(app)
+    );
+    const user = await getOrBuild('user', initUserFactory(app));
+    const unsetVendorUserId = await getOrBuild('_unsetVendorUserId', () => {});
+    const credentialSubjectTitle = await getOrBuild(
+      'credentialSubjectTitle',
+      () => 'Director, Communications (HoloLens & Mixed Reality Experiences)'
+    );
+    const credentialSubjectType = await getOrBuild(
+      'credentialSubjectType',
+      () => null
+    );
+    const credentialSchemaContext = await getOrBuild(
+      'credentialSchemaContext',
+      () => undefined
+    );
+    const credentialSubjectDefault = {
+      company: tenant.did,
+      companyName: {
+        localized: {
+          en: 'Microsoft Corporation',
+        },
+      },
+      title: {
+        localized: {
+          en: credentialSubjectTitle,
+        },
+      },
+      startMonthYear: {
+        month: 10,
+        year: 2010,
+      },
+      endMonthYear: {
+        month: 6,
+        year: 2019,
+      },
+      location: {
+        countryCode: 'US',
+        regionCode: 'MA',
+      },
+      description: {
+        localized: {
+          en: 'l Data, AI, Hybrid, IoT, Datacenter, Mixed Reality/HoloLens, D365, Power Platform - all kinds of fun stuff!',
+        },
+      },
+    };
+    const offerContext = await getOrBuild('offerContext', () => undefined);
+    const credentialSubject = {
+      ...(credentialSchemaContext
+        ? { '@context': credentialSchemaContext }
+        : {}),
+      ...(credentialSubjectType ? { type: credentialSubjectType } : {}),
+      vendorUserId: user.vendorUserId,
+      ...(await getOrBuild(
+        'credentialSubject',
+        () => credentialSubjectDefault
+      )),
+    };
+    if (unsetVendorUserId) {
+      delete credentialSubject.vendorUserId;
+    }
+    const item = {
+      ...(offerContext ? { '@context': offerContext } : {}),
+      type: ['PastEmploymentPosition'],
+      issuer: {
+        id: tenant.did,
+      },
+      credentialSubject,
+      offerId: nanoid(),
+      exchangeId: new ObjectId(exchange._id),
+      ...overrides(),
+    };
+    item.contentHash = {
+      type: 'VelocityContentHash2020',
+      value: hashOffer(item),
+    };
+    return {
+      item,
+      repo: initRepo({ tenant: { ...tenant, _id: new ObjectId(tenant._id) } }),
+    };
+  });
+};
+module.exports = { initOfferFactory };

package/src/entities/offers/index.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module.exports = {
+  ...require('./domains'),
+  ...require('./factories'),
+  ...require('./repos'),
+  ...require('./orchestrators'),
+};