npm - @verii/server-credentialagent - Versions diffs - 1.0.0-pre.1752076816 - Mend

@verii/server-credentialagent 1.0.0-pre.1752076816

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (395) hide show

package/src/entities/offers/repos/repo.js ADDED Viewed

@@ -0,0 +1,177 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const {
+  repoFactory,
+  autoboxIdsExtension,
+} = require('@spencejs/spence-mongo-repos');
+const { multitenantExtension } = require('@verii/spencer-mongo-extensions');
+const { size, map, pick } = require('lodash/fp');
+const { ObjectId } = require('mongodb');
+const {
+  issuedCredentialProjection,
+} = require('./issued-credential-projection');
+const { cleanPiiExtension } = require('./clean-pii-extension');
+module.exports = (app, options, next = () => {}) => {
+  next();
+  return repoFactory(
+    {
+      name: 'offers',
+      entityName: 'offers',
+      defaultProjection: {
+        _id: 1,
+        '@context': 1,
+        exchangeId: 1,
+        issuer: 1,
+        type: 1,
+        offerId: 1,
+        credentialSubject: 1,
+        credentialSchema: 1,
+        credentialStatus: 1,
+        contentHash: 1,
+        linkCodeCommitment: 1,
+        linkedCredentials: 1,
+        replaces: 1,
+        relatedResource: 1,
+        digestSRI: 1,
+        name: 1,
+        description: 1,
+        image: 1,
+        awardedDate: 1,
+        endorsement: 1,
+        endorsementJwt: 1,
+        evidence: 1,
+        refreshService: 1,
+        termsOfUrl: 1,
+        notifiedOfRevocationAt: 1,
+        validFrom: 1,
+        validUntil: 1,
+        issuanceDate: 1,
+        expirationDate: 1,
+        createdAt: 1,
+        updatedAt: 1,
+        rejectedAt: 1,
+        consentedAt: 1,
+      },
+      extensions: [
+        autoboxIdsExtension,
+        multitenantExtension({
+          migrateFrom: { repoProp: 'issuer.id', tenantProp: 'did' },
+        }),
+        (parent) => ({
+          findUnexpiredOffersById: async (offerIds) =>
+            parent.find({
+              filter: {
+                _id: {
+                  $in: offerIds,
+                },
+              },
+              orderBy: [{ createdAt: 1 }],
+            }),
+          findUniquePreparedOffers: async (
+            { vendorUserId, types, offerHashes, exchangeId = null },
+            { log }
+          ) => {
+            let mongoFilter = {
+              'credentialSubject.vendorUserId': vendorUserId,
+              consentedAt: { $exists: false },
+              rejectedAt: { $exists: false },
+            };
+            if (size(types)) {
+              mongoFilter.type = { $in: types };
+            }
+            if (size(offerHashes)) {
+              mongoFilter['contentHash.value'] = { $nin: offerHashes };
+            }
+            if (exchangeId != null) {
+              mongoFilter.exchangeId = exchangeId;
+            }
+            mongoFilter = parent.prepFilter(mongoFilter);
+            log.info({ message: 'findUniquePreparedOffers', mongoFilter });
+            const offers = await parent.find({ filter: mongoFilter });
+            // FYI don't run validation on the offer
+            return filterDuplicates(offers);
+          },
+          approveOffer: async (
+            id,
+            vendorUserId,
+            credential,
+            consentedAt,
+            digestSRI,
+            context
+          ) => {
+            const { config } = context;
+            const updates = {
+              did: credential.id,
+              consentedAt: consentedAt ?? new Date(),
+              digestSRI,
+              ...pick(
+                [
+                  'credentialStatus',
+                  'credentialSchema',
+                  'linkCodeCommitment',
+                  'issued',
+                  'issuanceDate',
+                  'type',
+                  '@context',
+                ],
+                credential
+              ),
+            };
+            if (config.autocleanFinalizedOfferPii) {
+              updates.credentialSubject = { vendorUserId };
+            } else {
+              updates['credentialSubject.id'] = credential.credentialSubject.id;
+            }
+            return parent.update(id, updates, issuedCredentialProjection);
+          },
+          rejectOffers: async (vendorUserId, offerIds, context) => {
+            const { config } = context;
+            const updates = { rejectedAt: new Date() };
+            if (config.autocleanFinalizedOfferPii) {
+              updates.credentialSubject = { vendorUserId };
+            }
+            return parent.updateUsingFilter(
+              {
+                filter: {
+                  _id: { $in: map((v) => new ObjectId(v), offerIds) },
+                  rejectedAt: { $exists: false },
+                },
+              },
+              updates
+            );
+          },
+        }),
+        cleanPiiExtension,
+      ],
+    },
+    app
+  );
+};
+const filterDuplicates = (offers) => {
+  const hashes = new Set();
+  const filtered = [];
+  for (const offer of offers) {
+    if (!hashes.has(offer.contentHash.value)) {
+      filtered.push(offer);
+      hashes.add(offer.contentHash.value);
+    }
+  }
+  return filtered;
+};

package/src/entities/presentations/domains/build-identity-doc.js ADDED Viewed

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2025 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+const {
+  reduce,
+  flow,
+  get,
+  filter,
+  first,
+  omitBy,
+  isNil,
+} = require('lodash/fp');
+const {
+  extractFieldsFromIdCredential,
+} = require('./extract-fields-from-id-credential');
+const buildIdentityDoc = (credentials, context) =>
+  reduce(
+    (acc, { credential, credentialChecks }) => {
+      const docCredential = buildDocCredential(
+        credential,
+        credentialChecks,
+        context
+      );
+      if (['PhoneV1.0', 'Phone'].includes(docCredential.credentialType)) {
+        acc.phoneCredentials.push(docCredential);
+        acc.phones.push(credential?.credentialSubject?.phone);
+        return acc;
+      }
+      if (['EmailV1.0', 'Email'].includes(docCredential.credentialType)) {
+        acc.emailCredentials.push(docCredential);
+        acc.emails.push(credential?.credentialSubject?.email);
+        return acc;
+      }
+      acc.idDocumentCredentials.push(docCredential);
+      return {
+        ...acc,
+        ...extractFieldsFromIdCredential(
+          docCredential.credentialType,
+          credential,
+          context
+        ),
+      };
+    },
+    {
+      emails: [],
+      phones: [],
+      emailCredentials: [],
+      idDocumentCredentials: [],
+      phoneCredentials: [],
+    },
+    credentials
+  );
+const buildDocCredential = (credential, credentialChecks, context) => {
+  const basicDocCredential = {
+    credentialType: flow([
+      get('type'),
+      filter((type) => type !== 'VerifiableCredential'),
+      first,
+    ])(credential),
+    issuer: credential.issuer,
+    issuanceDate: credential.issuanceDate,
+    validUntil: extractValidUntil(credential),
+    validFrom: extractValidFrom(credential),
+    ...addWebhookSpecificFields(credential, credentialChecks, context),
+  };
+  if (context.config.vendorCredentialsIncludeIssuedClaim) {
+    basicDocCredential.issued = credential.issuanceDate;
+  }
+  return omitBy(isNil, basicDocCredential);
+};
+const addWebhookSpecificFields = (
+  credential,
+  credentialChecks,
+  { config: { identifyWebhookVersion } }
+) => {
+  if (identifyWebhookVersion === 2) {
+    return {
+      id: credential.id,
+      credentialSchema: credential.credentialSchema,
+      type: credential.type,
+      credentialSubject: credential.credentialSubject,
+      credentialChecks,
+    };
+  }
+  return credential.credentialSubject; // credentialSubject hoisted in older versions. Remove by 01/01/2023
+};
+const extractValidUntil = (credential) =>
+  credential?.credentialSubject?.validity?.validUntil ??
+  credential?.credentialSubject?.validUntil ??
+  credential?.validUntil ??
+  credential?.expirationDate;
+const extractValidFrom = (credential) =>
+  credential?.credentialSubject?.validity?.validFrom ??
+  credential?.credentialSubject?.validFrom ??
+  credential?.validFrom;
+module.exports = { buildIdentityDoc };

package/src/entities/presentations/domains/build-request-response-schema.js ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const buildRequestResponseSchema = (prefix, { isProd }) => {
+  const requestName = `${prefix}_request`;
+  const defaultResponse = {
+    type: 'object',
+    properties: { [requestName]: { type: 'string' } },
+    required: [requestName],
+  };
+  if (isProd) {
+    return defaultResponse;
+  }
+  return {
+    oneOf: [
+      defaultResponse,
+      {
+        type: 'object',
+        properties: {
+          [requestName]: {
+            type: 'object',
+            additionalProperties: true,
+          },
+        },
+        required: [requestName],
+      },
+    ],
+  };
+};
+module.exports = { buildRequestResponseSchema };

package/src/entities/presentations/domains/build-vendor-data.js ADDED Viewed

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2025 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+const buildVendorData = (
+  disclosure,
+  vendorOriginContext,
+  { tenant, exchange }
+) => ({
+  tenantId: tenant._id,
+  tenantDID: tenant.did,
+  exchangeId: exchange._id.toString(),
+  vendorOrganizationId: tenant.vendorOrganizationId,
+  vendorDisclosureId: disclosure.vendorDisclosureId,
+  vendorOriginContext,
+  sendPushOnVerification: disclosure.sendPushOnVerification,
+});
+module.exports = { buildVendorData };

package/src/entities/presentations/domains/check-payment-requirement.js ADDED Viewed

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { CheckResults } = require('@verii/vc-checks');
+const { any } = require('lodash/fp');
+const checkPaymentRequirement = (checkedCredentials) =>
+  any(
+    (credential) =>
+      CheckResults.VOUCHER_RESERVE_EXHAUSTED ===
+        credential.credentialChecks?.TRUSTED_ISSUER ||
+      CheckResults.VOUCHER_RESERVE_EXHAUSTED ===
+        credential.credentialChecks?.UNTAMPERED,
+    checkedCredentials
+  );
+module.exports = { checkPaymentRequirement };

package/src/entities/presentations/domains/errors.js ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const PresentationErrors = {
+  INVALID_INTEGRATED_IDENTIFICATION_RULE:
+    'Credential Agent only supports "pick" or "all" for "identityMatchers.rule"',
+  PRESENTATION_JSON_PATH_MISSING: ({ path }) =>
+    `Presentation doesnt contain value at ${path}`,
+  CHECKS_FAILED: ({ reason, id }) =>
+    `${reason}_credential_check_failed_credential_${id}`,
+  PRESENTATION_PREAUTH_MUST_CONTAIN_VENDOR_ORIGIN_CONTEXT:
+    'Presentation for a preauth disclosure must contain a vendorOriginContext',
+};
+module.exports = { PresentationErrors };

package/src/entities/presentations/domains/extract-fields-from-id-credential.js ADDED Viewed

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const { flow, isNil, mapValues, omitBy, pick, sample } = require('lodash/fp');
+const idCredentialMapper = (credential) =>
+  flow(
+    pick(['firstName', 'lastName', 'middleNames', 'address', 'dob']),
+    omitBy(isNil),
+    mapValues((val) => sample(val?.localized) ?? val) // extracts out firstName.localized.en = "Sam" or otherwise assumes its a string.
+  )(credential?.credentialSubject);
+const extractFieldsFromIdCredential = (credentialType, credential) => {
+  if (credentialType === 'IdDocument') {
+    return idCredentialMapper(credential);
+  }
+  return {};
+};
+module.exports = {
+  extractFieldsFromIdCredential,
+};

package/src/entities/presentations/domains/index.js ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module.exports = {
+  ...require('./build-identity-doc'),
+  ...require('./build-request-response-schema'),
+  ...require('./build-vendor-data'),
+  ...require('./check-payment-requirement'),
+  ...require('./errors'),
+  ...require('./extract-fields-from-id-credential'),
+  ...require('./merge-credential-check-results'),
+  ...require('./validate-presentation'),
+};

package/src/entities/presentations/domains/merge-credential-check-results.js ADDED Viewed

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2025 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+const { map } = require('lodash/fp');
+const mergeCredentialCheckResults = map(({ credential, credentialChecks }) => ({
+  ...credential,
+  credentialChecks,
+}));
+module.exports = { mergeCredentialCheckResults };

package/src/entities/presentations/domains/validate-presentation.js ADDED Viewed

@@ -0,0 +1,128 @@
+/*
+ * Copyright 2025 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+const createError = require('http-errors');
+const { reduce, isEmpty, first, includes } = require('lodash/fp');
+const { jwtDecode } = require('@verii/jwt');
+const {
+  validatePresentationContext,
+} = require('@verii/verifiable-credentials');
+const { getJsonAtPath } = require('../../common');
+const {
+  ExchangeErrorCodeState,
+  ensureExchangeStateValid,
+} = require('../../exchanges');
+const { IdentificationMethods } = require('../../disclosures');
+const { PresentationErrors } = require('./errors');
+const validatePresentation = async (presentation, disclosure, context) => {
+  validatePresentationContext(presentation, context);
+  ensureExchangeStateValid(ExchangeErrorCodeState.EXCHANGE_INVALID, context);
+  crossValidateVp(presentation, context);
+  validateVendorOriginContext(presentation, disclosure);
+  return buildCanonicalVp(presentation);
+};
+const crossValidateVp = (presentation, { exchange }) => {
+  const { presentation_submission: presentationSubmission } = presentation;
+  if (presentationSubmission.definition_id == null) {
+    return;
+  }
+  const [exchangeId, disclosureId] =
+    presentationSubmission.definition_id.split('.');
+  if (exchange?._id.toString() !== exchangeId) {
+    throw createError(400, 'Mismatched Exchange Ids', {
+      exchange,
+      presentationSubmission,
+      errorCode: 'presention_mismatch_exchange',
+    });
+  }
+  if (exchange?.disclosureId.toString() !== disclosureId) {
+    throw createError(400, 'Mismatched Disclosure Ids', {
+      exchange,
+      presentationSubmission,
+      errorCode: 'presention_mismatch_disclosure',
+    });
+  }
+};
+const validateVendorOriginContext = ({ vendorOriginContext }, disclosure) => {
+  if (
+    !includes(IdentificationMethods.PREAUTH, disclosure.identificationMethods)
+  ) {
+    return;
+  }
+  if (isEmpty(vendorOriginContext)) {
+    throw createError(
+      401,
+      PresentationErrors.PRESENTATION_PREAUTH_MUST_CONTAIN_VENDOR_ORIGIN_CONTEXT,
+      { errorCode: 'presentation_request_invalid' }
+    );
+  }
+};
+const buildCanonicalVp = ({
+  presentation_submission: presentationSubmission,
+  ...json
+}) =>
+  reduce(
+    (acc, descriptor) => {
+      if (!['jwt_vc', 'jwt_vp', 'JWT'].includes(descriptor.format)) {
+        throw createError(
+          400,
+          "Velocity Presentation Submission only supports 'jwt_vc' or 'jwt_vp' inputs",
+          { errorCode: 'presentation_missing_jwtvc_or_jwtvp' }
+        );
+      }
+      const result = getJsonAtPath(descriptor.path, json);
+      if (isEmpty(result)) {
+        throw createError(
+          400,
+          'Velocity Presentation contains path descriptor that is empty',
+          { descriptor, json, errorCode: 'presentation_jsonpath_empty' }
+        );
+      }
+      const jwtString = first(result);
+      if (isEmpty(jwtString)) {
+        return acc;
+      }
+      const { payload } = jwtDecode(jwtString);
+      if (payload.vc) {
+        acc.verifiableCredential.push(jwtString);
+      } else {
+        acc.verifiableCredential = acc.verifiableCredential.concat(
+          payload.vp.verifiableCredential
+        );
+      }
+      return acc;
+    },
+    {
+      id: json.id,
+      verifiableCredential: [],
+      vendorOriginContext: json.vendorOriginContext,
+      presentationIssuer: json?.issuer?.id,
+    },
+    presentationSubmission.descriptor_map
+  );
+module.exports = { validatePresentation };

package/src/entities/presentations/index.js ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2023 Velocity Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+module.exports = {
+  ...require('./domains'),
+  ...require('./orchestrators'),
+};