Early out failure on delegation verify if missing credentials from chain

Author: cykoder

examples/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @docknetwork/sdk-examples
 
+## 0.21.14
+
+### Patch Changes
+
+- @docknetwork/credential-sdk@0.54.14
+
 ## 0.21.13
 
 ### Patch Changes

examples/package.json

@@ -2,7 +2,7 @@
   "name": "@docknetwork/sdk-examples",
   "private": true,
   "type": "module",
-  "version": "0.21.13",
+  "version": "0.21.14",
   "scripts": {
     "bbs-dock-example": "babel-node ./src/bbs-dock.js",
     "claim-deduction-example": "babel-node ./src/claim-deduction.js",
@@ -18,7 +18,7 @@
     "lint": "eslint \"src/**/*.js\""
   },
   "dependencies": {
-    "@docknetwork/credential-sdk": "0.54.13",
+    "@docknetwork/credential-sdk": "0.54.14",
     "@docknetwork/cheqd-blockchain-api": "4.0.7",
     "@docknetwork/cheqd-blockchain-modules": "4.0.8"
   },

packages/credential-sdk/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @docknetwork/credential-sdk
 
+## 0.54.14
+
+### Patch Changes
+
+- Updated dependencies
+  - @docknetwork/vc-delegation-engine@1.0.3
+
 ## 0.54.13
 
 ### Patch Changes

packages/credential-sdk/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@docknetwork/credential-sdk",
-  "version": "0.54.13",
+  "version": "0.54.14",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -62,7 +62,7 @@
     "uuid": "^10.0.0",
     "uuidv4": "^6.2.13",
     "varint": "^6.0.0",
-    "@docknetwork/vc-delegation-engine": "1.0.2"
+    "@docknetwork/vc-delegation-engine": "1.0.3"
   },
   "devDependencies": {
     "@babel/cli": "^7.24.1",

packages/vc-delegation-engine/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @docknetwork/vc-delegation-engine
 
+## 1.0.3
+
+### Patch Changes
+
+- Early out failure on delegation verify if missing credentials from chain
+
 ## 1.0.2
 
 ### Patch Changes

packages/vc-delegation-engine/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@docknetwork/vc-delegation-engine",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "",
   "main": "dist/cjs/index.cjs",
   "module": "dist/esm/index.js",

packages/vc-delegation-engine/src/engine.js

@@ -456,6 +456,30 @@ export async function verifyVPWithDelegation({
         skippedCredentials,
       };
     }
+
+    // Early out failure if missing credential from chain
+    normalizedCredentials.forEach((credential) => {
+      const { id, previousCredentialId, rootCredentialId } = credential;
+      if (previousCredentialId && !normalizedById.has(previousCredentialId)) {
+        throw new DelegationError(
+          DelegationErrorCodes.MISSING_CREDENTIAL,
+          `Missing credential ${previousCredentialId} referenced as previous by ${id}`,
+        );
+      }
+      if (!rootCredentialId || typeof rootCredentialId !== 'string' || rootCredentialId.length === 0) {
+        throw new DelegationError(
+          DelegationErrorCodes.INVALID_CREDENTIAL,
+          `Delegation credential ${id} is missing rootCredentialId`,
+        );
+      }
+      if (!normalizedById.has(rootCredentialId)) {
+        throw new DelegationError(
+          DelegationErrorCodes.MISSING_CREDENTIAL,
+          `Missing root credential ${rootCredentialId} referenced by ${id}`,
+        );
+      }
+    });
+
     const tailCredentials = normalizedCredentials.filter((vc) => !referencedPreviousIds.has(vc.id));
     if (tailCredentials.length === 0) {
       throw new DelegationError(

packages/vc-delegation-engine/tests/unit/engine.test.js

@@ -3,6 +3,7 @@ import {
 } from 'vitest';
 import jsonld from 'jsonld';
 import { verifyVPWithDelegation } from '../../src/engine.js';
+import { DelegationErrorCodes } from '../../src/errors.js';
 import {
   VC_TYPE,
   VC_VC,
@@ -17,6 +18,8 @@ import {
 
 const ROOT_CREDENTIAL_ID = 'urn:cred:root';
 const LEAF_CREDENTIAL_ID = 'urn:cred:leaf';
+const MISSING_PREVIOUS_ID = 'urn:cred:missing-prev';
+const UNKNOWN_ROOT_REFERENCE = 'urn:cred:missing-root';
 const W3C_CONTEXT = 'https://www.w3.org/2018/credentials/v1';
 const ISSUER_ROOT = 'did:root';
 const SUBJECT_DELEGATE = 'did:delegate';
@@ -124,6 +127,94 @@ describe('engine', () => {
     expect(result.decision).toBe('allow');
     expect(result.evaluations).toHaveLength(1);
   });
+
+  it('denies when a credential references a missing previous credential', async () => {
+    const presentation = [
+      {
+        '@type': [VC_TYPE],
+        [VC_VC]: [
+          {
+            '@graph': [
+              {
+                '@id': LEAF_CREDENTIAL_ID,
+                '@type': [VC_TYPE_DELEGATION_CREDENTIAL],
+                [VC_ISSUER]: [{ '@id': SUBJECT_DELEGATE }],
+                [VC_SUBJECT]: [{ '@id': SUBJECT_HOLDER }],
+                [VC_ROOT_CREDENTIAL_ID]: [{ '@id': LEAF_CREDENTIAL_ID }],
+                [VC_PREVIOUS_CREDENTIAL_ID]: [{ '@id': MISSING_PREVIOUS_ID }],
+              },
+            ],
+          },
+        ],
+        [SECURITY_PROOF]: [
+          {
+            [SECURITY_VERIFICATION_METHOD]: [{ '@id': `${SUBJECT_DELEGATE}#key` }],
+          },
+        ],
+      },
+    ];
+    const contexts = new Map([[LEAF_CREDENTIAL_ID, [W3C_CONTEXT]]]);
+
+    const result = await verifyVPWithDelegation({
+      expandedPresentation: presentation,
+      credentialContexts: contexts,
+    });
+
+    expect(result.decision).toBe('deny');
+    expect(result.failures?.[0]?.code).toBe(DelegationErrorCodes.MISSING_CREDENTIAL);
+    expect(result.failures?.[0]?.message).toContain(MISSING_PREVIOUS_ID);
+  });
+
+  it('denies when a credential references a root credential that is not present', async () => {
+    const presentation = [
+      {
+        '@type': [VC_TYPE],
+        [VC_VC]: [
+          {
+            '@graph': [
+              {
+                '@id': ROOT_CREDENTIAL_ID,
+                '@type': [VC_TYPE_DELEGATION_CREDENTIAL],
+                [VC_ISSUER]: [{ '@id': ISSUER_ROOT }],
+                [VC_SUBJECT]: [{ '@id': SUBJECT_DELEGATE }],
+                [VC_ROOT_CREDENTIAL_ID]: [{ '@id': ROOT_CREDENTIAL_ID }],
+              },
+            ],
+          },
+          {
+            '@graph': [
+              {
+                '@id': LEAF_CREDENTIAL_ID,
+                '@type': [VC_TYPE_DELEGATION_CREDENTIAL],
+                [VC_ISSUER]: [{ '@id': SUBJECT_DELEGATE }],
+                [VC_SUBJECT]: [{ '@id': SUBJECT_HOLDER }],
+                [VC_ROOT_CREDENTIAL_ID]: [{ '@id': UNKNOWN_ROOT_REFERENCE }],
+                [VC_PREVIOUS_CREDENTIAL_ID]: [{ '@id': ROOT_CREDENTIAL_ID }],
+              },
+            ],
+          },
+        ],
+        [SECURITY_PROOF]: [
+          {
+            [SECURITY_VERIFICATION_METHOD]: [{ '@id': `${ISSUER_ROOT}#key` }],
+          },
+        ],
+      },
+    ];
+    const contexts = new Map([
+      [ROOT_CREDENTIAL_ID, [W3C_CONTEXT]],
+      [LEAF_CREDENTIAL_ID, [W3C_CONTEXT]],
+    ]);
+
+    const result = await verifyVPWithDelegation({
+      expandedPresentation: presentation,
+      credentialContexts: contexts,
+    });
+
+    expect(result.decision).toBe('deny');
+    expect(result.failures?.[0]?.code).toBe(DelegationErrorCodes.MISSING_CREDENTIAL);
+    expect(result.failures?.[0]?.message).toContain(UNKNOWN_ROOT_REFERENCE);
+  });
   it('fails when credential contexts are missing', async () => {
     const result = await verifyVPWithDelegation({
       expandedPresentation: buildPresentation(),

scripts/bench/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @docknetwork/benchmarks
 
+## 0.4.14
+
+### Patch Changes
+
+- @docknetwork/credential-sdk@0.54.14
+
 ## 0.4.13
 
 ### Patch Changes

scripts/bench/package.json

@@ -2,14 +2,14 @@
   "name": "@docknetwork/benchmarks",
   "private": true,
   "type": "module",
-  "version": "0.4.13",
+  "version": "0.4.14",
   "scripts": {
     "bench": "babel-node src/main.js"
   },
   "dependencies": {
     "@docknetwork/cheqd-blockchain-api": "4.0.7",
     "@docknetwork/cheqd-blockchain-modules": "4.0.8",
-    "@docknetwork/credential-sdk": "0.54.13",
+    "@docknetwork/credential-sdk": "0.54.14",
     "@docknetwork/crypto-wasm-ts": "^0.63.0"
   },
   "devDependencies": {