Allow issued credentials to be revoked

Author: reinkrul

api/api.go

@@ -1,12 +1,13 @@
 package api
 
 import (
+	"net/http"
+	"strings"
+
 	"github.com/nuts-foundation/nuts-admin/discovery"
 	"github.com/nuts-foundation/nuts-admin/identity"
 	"github.com/nuts-foundation/nuts-admin/issuer"
 	"github.com/nuts-foundation/nuts-admin/model"
-	"net/http"
-	"strings"
 
 	"github.com/labstack/echo/v4"
 )
@@ -60,7 +61,7 @@ func (w Wrapper) GetIssuedCredentials(ctx echo.Context, params GetIssuedCredenti
 	if err != nil {
 		return err
 	}
-	result := make([]model.VerifiableCredential, 0)
+	result := make([]model.IssuedCredential, 0)
 	for _, currID := range identities {
 		for _, issuerDID := range currID.DIDs {
 			credentials, err := w.IssuerService.GetIssuedCredentials(ctx.Request().Context(), issuerDID, strings.Split(params.CredentialTypes, ","))

api/api.yaml

@@ -67,15 +67,15 @@ paths:
         '404':
           description: The identity could not be found
   /api/issuer/vc:
-    parameters:
-      - name: credentialTypes
-        description: A comma-separated list of credential types which are returned.
-        in: query
-        required: true
-        schema:
-          type: string
     get:
       operationId: getIssuedCredentials
+      parameters:
+        - name: credentialTypes
+          description: A comma-separated list of credential types which are returned.
+          in: query
+          required: true
+          schema:
+            type: string
       responses:
         '200':
           description: List of issued VCs

api/proxy.go

@@ -71,6 +71,11 @@ var allowedProxyRoutes = []proxyRoute{
 		method: http.MethodPost,
 		path:   "/internal/auth/v2/([a-z-A-Z0-9_\\-\\:\\.%]+)/request-credential",
 	},
+	// Revoke Verifiable Credential
+	{
+		method: http.MethodDelete,
+		path:   "/internal/vcr/v2/issuer/vc/(.*)",
+	},
 }
 
 // ConfigureProxy configures the proxy middleware for the given Nuts node address.

identity/service.go

@@ -3,14 +3,15 @@ package identity
 import (
 	"context"
 	"errors"
+	"slices"
+	"strings"
+
 	"github.com/nuts-foundation/go-did/vc"
 	"github.com/nuts-foundation/go-nuts-client/nuts"
 	"github.com/nuts-foundation/go-nuts-client/nuts/vcr"
 	"github.com/nuts-foundation/go-nuts-client/nuts/vdr"
 	"github.com/nuts-foundation/nuts-admin/discovery"
 	"github.com/nuts-foundation/nuts-admin/model"
-	"slices"
-	"strings"
 )
 
 type Service struct {
@@ -101,7 +102,7 @@ func (i Service) Get(ctx context.Context, subjectID string) (*IdentityDetails, e
 	if err != nil {
 		return nil, err
 	}
-	creds := model.ToModel(vcs)
+	creds := model.ListToModel(vcs)
 	result.WalletCredentials = creds
 
 	return &result, nil

issuer/service.go

@@ -2,21 +2,37 @@ package issuer
 
 import (
 	"context"
-	"github.com/nuts-foundation/go-did/vc"
+	"encoding/json"
+	"strings"
+	"time"
+
 	"github.com/nuts-foundation/go-nuts-client/nuts"
 	"github.com/nuts-foundation/go-nuts-client/nuts/vcr"
 	"github.com/nuts-foundation/nuts-admin/identity"
 	"github.com/nuts-foundation/nuts-admin/model"
-	"strings"
 )
 
 type Service struct {
 	IdentityService identity.Service
 	VCRClient       *vcr.Client
 }
 
-func (s Service) GetIssuedCredentials(ctx context.Context, issuer string, credentialTypes []string) ([]model.VerifiableCredential, error) {
-	var result []vc.VerifiableCredential
+func (s Service) GetIssuedCredentials(ctx context.Context, issuer string, credentialTypes []string) ([]model.IssuedCredential, error) {
+	// Get all identities for lookup
+	identities, err := s.IdentityService.List(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create a map of DID to subject name
+	didToSubject := make(map[string]string)
+	for _, ident := range identities {
+		for _, did := range ident.DIDs {
+			didToSubject[did] = ident.Subject
+		}
+	}
+
+	var result []model.IssuedCredential
 	for _, credentialType := range credentialTypes {
 		credentialType = strings.TrimSpace(credentialType)
 		if credentialType == "" {
@@ -31,8 +47,21 @@ func (s Service) GetIssuedCredentials(ctx context.Context, issuer string, creden
 			return nil, err
 		}
 		for _, searchResult := range response.JSON200.VerifiableCredentials {
-			result = append(result, searchResult.VerifiableCredential)
+			data, _ := json.Marshal(searchResult)
+			println(string(data))
+			currentResult := model.IssuedCredential{
+				VerifiableCredential: model.ToModel(searchResult.VerifiableCredential),
+				IssuerSubject:        didToSubject[searchResult.VerifiableCredential.Issuer.String()],
+			}
+			if searchResult.Revocation != nil {
+				currentResult.Status = "revoked"
+			} else if searchResult.VerifiableCredential.ExpirationDate != nil && searchResult.VerifiableCredential.ExpirationDate.Before(time.Now()) {
+				currentResult.Status = "expired"
+			} else {
+				currentResult.Status = "active"
+			}
+			result = append(result, currentResult)
 		}
 	}
-	return model.ToModel(result), nil
+	return result, nil
 }

model/model.go

@@ -1,6 +1,10 @@
 package model
 
-import "github.com/nuts-foundation/go-did/vc"
+import (
+	"time"
+
+	"github.com/nuts-foundation/go-did/vc"
+)
 
 type VerifiableCredential vc.VerifiableCredential
 
@@ -9,16 +13,38 @@ type CredentialProfile struct {
 	Issuer string `json:"issuer" koanf:"issuer"`
 }
 
-func ToModel(vcs []vc.VerifiableCredential) []VerifiableCredential {
+type IssuedCredential struct {
+	VerifiableCredential
+	IssuerSubject string `json:"issuer_subject,omitempty"`
+	Status        string `json:"status"`
+}
+
+func ListToModel(vcs []vc.VerifiableCredential) []VerifiableCredential {
 	result := make([]VerifiableCredential, 0)
 	for _, credential := range vcs {
-		currentCredential := VerifiableCredential(credential)
-		if credential.Format() == vc.JWTCredentialProofFormat {
-			currentCredential.Proof = []interface{}{
-				"jwt",
-			}
-		}
+		currentCredential := ToModel(credential)
 		result = append(result, currentCredential)
 	}
 	return result
 }
+
+func ToModel(credential vc.VerifiableCredential) VerifiableCredential {
+	currentCredential := VerifiableCredential(credential)
+	if credential.Format() == vc.JWTCredentialProofFormat {
+		currentCredential.Proof = []interface{}{
+			"jwt",
+		}
+	}
+	return currentCredential
+}
+
+// GetCredentialStatus determines if a credential is active, expired, or revoked
+func GetCredentialStatus(credential vc.VerifiableCredential, isRevoked bool) string {
+	if isRevoked {
+		return "revoked"
+	}
+	if credential.ExpirationDate != nil && credential.ExpirationDate.Before(time.Now()) {
+		return "expired"
+	}
+	return "active"
+}

web/src/admin/credentials/CredentialDetails.vue

@@ -22,6 +22,12 @@
           <label>Expiration date</label>
           <div>{{credential.expirationDate}}</div>
         </div>
+        <div v-if="credential.status">
+          <label>Status</label>
+          <div>
+            <span :class="statusClass">{{credential.status}}</span>
+          </div>
+        </div>
       </section>
       <section>
         <header>Credential Subject</header>
@@ -40,12 +46,36 @@
           </tbody>
         </table>
       </section>
+
+      <!-- Button bar for actions -->
+      <div v-if="showRevokeButton && credential.status === 'active'" class="mt-4 pt-4 border-t border-gray-200">
+        <button @click="revokeCredential"
+                class="bg-red-600 hover:bg-red-700 text-white font-semibold py-2 px-4 rounded disabled:opacity-50 disabled:cursor-not-allowed"
+                :disabled="revoking">
+          {{ revoking ? 'Revoking...' : 'Revoke Credential' }}
+        </button>
+        <p v-if="revokeError" class="text-red-600 mt-2">{{ revokeError }}</p>
+        <p v-if="revokeSuccess" class="text-green-600 mt-2 font-semibold">Credential revoked successfully</p>
+      </div>
     </div>
 </template>
 <script>
+import { parseApiError } from '../../lib/errors.js'
+
 export default {
   props: {
-    credential: Object
+    credential: Object,
+    showRevokeButton: {
+      type: Boolean,
+      default: false
+    }
+  },
+  data() {
+    return {
+      revoking: false,
+      revokeError: '',
+      revokeSuccess: false
+    }
   },
   computed: {
     credentialSubject() {
@@ -73,6 +103,50 @@ export default {
         return flatten(this.credential.credentialSubject[0])
       }
       return flatten(this.credential.credentialSubject)
+    },
+    statusClass() {
+      switch(this.credential.status) {
+        case 'active':
+          return 'text-green-600 font-semibold'
+        case 'expired':
+          return 'text-gray-500 font-semibold'
+        case 'revoked':
+          return 'text-red-600 font-semibold'
+        default:
+          return ''
+      }
+    }
+  },
+  methods: {
+    async revokeCredential() {
+      if (!confirm('Are you sure you want to revoke this credential? This action cannot be undone.')) {
+        return
+      }
+
+      this.revoking = true
+      this.revokeError = ''
+      this.revokeSuccess = false
+
+      try {
+        const credentialId = this.credential.id
+        if (!credentialId) {
+          throw new Error('Credential ID is missing')
+        }
+
+        // Call the proxy endpoint to revoke the credential
+        await this.$api.delete('api/proxy/internal/vcr/v2/issuer/vc/' + encodeURIComponent(credentialId))
+
+        this.revokeSuccess = true
+        // Update the credential status locally
+        this.credential.status = 'revoked'
+
+        // Emit event so parent component can refresh if needed
+        this.$emit('revoked')
+      } catch (error) {
+        this.revokeError = parseApiError(error)
+      } finally {
+        this.revoking = false
+      }
     }
   }
 }

web/src/admin/credentials/IssueCredential.vue

@@ -64,6 +64,13 @@
             <input id="daysValid" v-model="daysValid" type="number">
             <p>This will be used to set the credentials <code>expirationDate</code> property.</p>
           </div>
+          <div>
+            <label for="enableRevocation" class="flex items-center cursor-pointer">
+              <input id="enableRevocation" v-model="enableRevocation" type="checkbox" class="mr-2">
+              <span>Enable revocation (StatusList2021)</span>
+            </label>
+            <p>Allows the credential to be revoked later using the StatusList2021 feature.</p>
+          </div>
           <div v-for="(field, idx) in template.fields" :key="field.name">
             <label :for="field.name">
               {{ field.name }}
@@ -112,6 +119,7 @@ export default {
       template: undefined,
       credentialFields: [],
       daysValid: 365,
+      enableRevocation: true,
       credentialPreview: undefined,
       issuedCredential: undefined,
     }
@@ -160,8 +168,9 @@ export default {
       credentialToIssue['type'] = credentialToIssue['type'].find(t => t !== "VerifiableCredential")
       credentialToIssue['expirationDate'] = new Date(new Date().getTime() + 1000 * 60 * 60 * 24 * this.daysValid).toISOString()
       credentialToIssue['format'] = this.credentialProofFormat
-      // disable statusListRevocation2021 for now, causes issues on MS SQL Server
-      //credentialToIssue.withStatusList2021Revocation = true
+      if (this.enableRevocation) {
+        credentialToIssue.withStatusList2021Revocation = true
+      }
       this.fetchError = undefined
       this.$api.post('api/proxy/internal/vcr/v2/issuer/vc', credentialToIssue)
           .then(issuedCredential => {