feat(verifyVC): add verifyVC method to Claims Service #592
Conversation
whitneypurdum
changed the title
There was a problem hiding this comment.
It looks like it's coming along, thanks @whitneypurdum . I think the biggest thing to do is to update the @energyweb/vc-verification package to use the latest library API.
Also, it seems like the changes to domains.service and verifiable-credentials-base.service are just styling. IMO, I would remove these changes from the PR to avoid having them included in the history and limit the PR to the relevant functional changes.
Sure thing, these have been removed from PR. |
whitneypurdum
force-pushed
the
task/ICL-210_verify_ewf_vc
branch
from
c62e14e to
a573e51
Compare
There was a problem hiding this comment.
Looks like strong progress to the PR, thank you for all of your efforts @whitneypurdum . However, I think there might be a couple tweaks and ideally some tests to add
src/modules/claims/claims.service.ts
Outdated
| /** | ||
| * Verifies that credential was issued by authorized issuer | ||
| * | ||
| * @param {VerifiableCredential<RoleCredentialSubject} vc to be verified | ||
| */ | ||
| async verifyVc(vc: VerifiableCredential<RoleCredentialSubject>) { |
There was a problem hiding this comment.
I think it would be good to:
- Add the return type
- Add to the documentation that the expected behaviour is that errors are thrown if verification passes (it would be good to include this in the tests as well)
src/modules/claims/claims.service.ts
Outdated
| @@ -1,17 +1,14 @@ | |||
| /* eslint-disable @typescript-eslint/no-unused-vars */ | |||
| import { providers, utils, Wallet } from 'ethers'; | |||
| import { verifyCredential } from 'didkit-wasm-node'; | |||
There was a problem hiding this comment.
@whitneypurdum We can use verifyCredential from VC service. Actually I added it already when updated vc-verification. You just need to merge develop
|
|
src/modules/claims/claims.service.ts
Outdated
| @@ -1354,6 +1350,23 @@ export class ClaimsService { | |||
| ); | |||
| } | |||
|
|
|||
| /** | |||
| * Verifies that credential was issued by authorized issuer | |||
There was a problem hiding this comment.
| * Verifies that credential was issued by authorized issuer | |
| * Verifies: | |
| * - That credential proof is valid | |
| * - That credential was issued by authorized issuer |
There was a problem hiding this comment.
I think the API should be
resolveCredentialAndVerify(subjectDID, roleNamespace) {
...some code to resolve the credential
if (foundOffChainClaim) {
return verifyOffChainClaim(offChainClaim);
}
if (foundVc) {
return verifyVc(vc);
}
where resolveCredentialAndVerify is a rename of the current verify method.
This allow us to have methods which can accept the offChainClaim and VCs directly without needing the credentials to be "resolvable"
How does this sound @whitneypurdum @nichonien ?
whitneypurdum
force-pushed
the
task/ICL-210_verify_ewf_vc
branch
from
9496e0b to
0da3229
Compare
src/modules/claims/claims.service.ts
Outdated
| * @param roleNamesapce The role to try to get a credential for. Should be a full role namespace (for example, "myrole.roles.myorg.auth.ewc") | ||
| * @return Boolean indicating if verified and array of error messages | ||
| */ | ||
| async verifyOffChainClaim(subjectDID: string, roleNamespace: string): Promise<CredentialVerificationResult> { |
There was a problem hiding this comment.
IMO, this should accept the OffChainClaim interface of ew-credentials https://github.com/energywebfoundation/ew-credentials/blob/55b84926b85a7e2261fffad[…]6/packages/vc-verification/src/models/verifiable-credentials.ts
The idea is that there should be some symmetry between async verifyVc(vc: VerifiableCredential<RoleCredentialSubject>): Promise<CredentialVerificationResult> (which accepts the actual VerifiableCredential) and this verifyOffChainClaim method (which will accept an actual offChainClaim)
| async verifyOffChainClaim(subjectDID: string, roleNamespace: string): Promise<CredentialVerificationResult> { | |
| async verifyOffChainClaim(offChainClaim: OffChainClaim): Promise<CredentialVerificationResult> { |
There was a problem hiding this comment.
Sure, can do, but the two methods used for offchain verification only use the subject did and role name. How can I resolve those in ICL from the claim?
e2e/claims.service.e2e.ts
Outdated
| expect(result.errors).toHaveLength(0); | ||
| expect(result.isVerified).toBeTruthy; | ||
| }); | ||
| test('verifyVc should: not verify a credential and return an issuer error if the issuer is not authorized', async () => { |
| * @param roleNamesapce The role to try to get a credential for. Should be a full role namespace (for example, "myrole.roles.myorg.auth.ewc") | ||
| * @return void. Returns "Proof Not Verified" error if VC not verified. Returns error if issuer not verified | ||
| */ | ||
| async resolveCredentialAndVerify( |
There was a problem hiding this comment.
@JGiter @jrhender This is the new verify code based on previous comments. I have a few of the tests passing, but questions on others - I think maybe I am misunderstanding the limitations of ew-credentials, but I don't think I need to mock anything else out as _verifyIssuer is verifying the credential successfully.
| console.log(result, 'THE RESOLVE RESULT'); | ||
| }); | ||
| test('verifyOffChainClaim should verify an issued off chain claim', async () => { | ||
| const roleName = `${verifyOffChainClaimRole}.${root}`; |
There was a problem hiding this comment.
@whitneypurdum Sorry, I think I made a mistake. I think that the signature of verifyOffChainClaim should be async verifyOffChainClaim(eip191JWT: string): Promise<CredentialVerificationResult>
And then you can use the jsonwebtoken package to decode the body.
where a decoded body should look something like:
{
"claimData": {
"claimType": "myrole.roles.myorg.iam.ewc",
"claimTypeVersion": 1
},
"signer": "did:ethr:volta:0xb764D50751fF83e66FCF5A08Fb0De3f830248728",
"iss": "did:ethr:volta:0xb764D50751fF83e66FCF5A08Fb0De3f830248728",
"sub": "did:ethr:volta:0x0fAe481148C2DF77886CE3874f0fb2E7118acDa0"
}
There was a problem hiding this comment.
Great work, thanks for all of your efforts on this @whitneypurdum
Co-authored-by: John Henderson <[email protected]>
|
🎉 This PR is included in version 6.0.0-alpha.29 🎉 The release is available on: Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 6.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Description
Contributor checklist