feat:API for verify authorization response #1561

Open

shitrerohit wants to merge 3 commits into main from feat/oidc4vc-verify-authorization-response

Conversation

shitrerohit (Contributor) commented Feb 11, 2026 (edited by coderabbitai bot)

What?

API for verify authorization response

How?

Added support for verifying OpenID4VC DCQL proof requests through a new verification endpoint.
Added a new agent call to verify the authorization response.

Summary by CodeRabbit

  • New Features
    • Added support for verifying OID4VP (OpenID Connect for Verifiable Presentations) session authorization responses.
    • New HTTP endpoint to submit authorization responses (verificationSessionId, authorizationResponse object, optional origin) that returns a CREATED result with verification outcome.
    • Backend forwards submitted responses to the responsible agent and supports message-based verification flow with session tracking.

coderabbitai bot commented Feb 11, 2026 (edited)

📝 Walkthrough

Adds an OID4VP authorization-response verification flow: new DTO and HTTP endpoint in API Gateway, message routing through OID4VC verification service and NATS, a new agent-service controller/service handler, plus common constants and agent URL mapping.

Changes

API Gateway — DTOs & HTTP endpoint
  Files: apps/api-gateway/src/oid4vc-verification/dtos/verify-authorization-response.dto.ts, apps/api-gateway/src/oid4vc-verification/oid4vc-verification.controller.ts, apps/api-gateway/src/oid4vc-verification/oid4vc-verification.service.ts
  Summary: Adds VerifyAuthorizationResponseDto; new POST endpoint /orgs/:orgId/oid4vp/verify-authorization-response; service method to publish verify-authorization-response payload via NATS.

OID4VC Verification — interfaces, controller & service
  Files: apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts, apps/oid4vc-verification/src/oid4vc-verification.controller.ts, apps/oid4vc-verification/src/oid4vc-verification.service.ts
  Summary: Adds VerifyAuthorizationResponse interface; controller message handler verifyAuthorizationResponse; service resolves agent endpoint, builds agent URL, and publishes to NATS subject agent-verify-oid4vp-session-auth-response.

Agent Service — interface, controller & service
  Files: apps/agent-service/src/interface/agent-service.interface.ts, apps/agent-service/src/agent-service.controller.ts, apps/agent-service/src/agent-service.service.ts
  Summary: Exports VerifyAuthorizationResponse type; new controller handler verifyOid4vpSessionAuthResponse; service posts authorization response to agent HTTP endpoint using org API key and returns result with error handling.

Common — constants & URL mapping
  Files: libs/common/src/common.constant.ts, libs/common/src/common.utils.ts
  Summary: Adds URL_OIDC_VERIFIER_SESSION_AUTH_RESPONSE_VERIFY and OIDC_VERIFIER_SESSION_AUTH_RESPONSE_VERIFY constants and extends getAgentUrl mapping to include the new constant → URL pair.

Sequence Diagram

sequenceDiagram
 participant Client as API Client
 participant Gateway as API Gateway
 participant OID4vcSvc as OID4VC Service
 participant NATS as NATS Broker
 participant AgentSvc as Agent Service
 participant AgentAPI as Agent HTTP Endpoint
 Client->>Gateway: POST /orgs/:orgId/oid4vp/verify-authorization-response\n(VerifyAuthorizationResponseDto)
 Gateway->>Gateway: Validate DTO
 Gateway->>OID4vcSvc: verifyAuthorizationResponse(payload, orgId)
 OID4vcSvc->>OID4vcSvc: Lookup agentEndPoint for orgId
 OID4vcSvc->>OID4vcSvc: Build agent URL (getAgentUrl + constant)
 OID4vcSvc->>NATS: Publish "agent-verify-oid4vp-session-auth-response"\n{ url, orgId, verifyAuthorizationResponse }
 NATS->>AgentSvc: Deliver message
 AgentSvc->>AgentSvc: Get org API key
 AgentSvc->>AgentAPI: POST to agent URL with authorizationResponse (API key)
 AgentAPI-->>AgentSvc: Return verification result
 AgentSvc-->>NATS: Reply result
 NATS-->>OID4vcSvc: Deliver result
 OID4vcSvc-->>Gateway: Return result
 Gateway-->>Client: 201 CREATED (result)

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested Labels

feature

Suggested Reviewers

  • RinkalBhojani
  • GHkrishna
  • tipusinghaw

Poem

🐇 I hopped a message swift and bright,
Through Gateway lanes and NATS alight,
Agent checked the session’s claim,
Returned the truth and sang my name,
I twitched my whiskers — code takes flight.

🚥 Pre-merge checks: 4 passed

  Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  Title check: Passed. The title 'feat:API for verify authorization response' accurately describes the main change: adding a new API endpoint for verifying authorization responses in the OID4VP verification workflow.
  Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  Merge Conflict Detection: Passed. No merge conflicts detected when merging into main.


coderabbitai bot left a comment

Actionable comments posted: 6

🤖 Fix all issues with AI agents

In `@apps/api-gateway/src/oid4vc-verification/dtos/verify-authorization-response.dto.ts`:
- Around line 29-34: The optional origin field in the VerifyAuthorizationResponseDto is decorated with `@IsString()` but missing `@IsOptional()`, causing validation to fail when origin is omitted; update the origin property by adding `@IsOptional()` immediately above `@IsString()` (i.e., annotate the origin field in VerifyAuthorizationResponseDto with `@IsOptional()` then `@IsString()`) so class-validator allows requests that don't include origin.

In `@apps/api-gateway/src/oid4vc-verification/oid4vc-verification.controller.ts`:
- Line 723: The POST route decorator currently defined as `@Post('/orgs/:orgId/verify-authorization-response')` in oid4vc-verification.controller.ts should be renamed to `@Post('/orgs/:orgId/oid4vp/verify-authorization-response')` so it matches the existing OID4VP endpoint prefix; update the route string on the same controller method (the method handling the authorization response) and adjust any tests or internal references that call the old path to the new '/orgs/:orgId/oid4vp/verify-authorization-response' URL.
- Around line 758-763: Change the verification endpoint to return HTTP 200 OK and use the shared message constant instead of a hardcoded string: replace HttpStatus.CREATED with HttpStatus.OK in the finalResponse object and the res.status(...) call, and swap the 'Authorization response verified successfully' literal for the appropriate ResponseMessages constant (use the same ResponseMessages pattern used by other endpoints). Ensure the variable finalResponse and the response returned by res.status(...) are updated accordingly.

In `@apps/api-gateway/src/oid4vc-verification/oid4vc-verification.service.ts`:
- Around line 184-186: The debug log in verifyAuthorizationResponse currently serializes the full verifyAuthorizationResponse (risking leaking id_token and other sensitive fields); change the logger.debug call in oid4vc-verification.service (the verifyAuthorizationResponse handler) to omit the full payload and log only non-sensitive identifiers such as verifyAuthorizationResponse.verificationSessionId (keep orgId and user?.id), removing JSON.stringify(verifyAuthorizationResponse) and any other full-object prints.

In `@apps/oid4vc-verification/src/oid4vc-verification.controller.ts`:
- Around line 183-194: Change the handler to avoid logging the full VerifyAuthorizationResponse and to use the same parameter name as other handlers: rename the destructured `user` parameter to `userDetails` (to avoid shadowing the `user` type) and in the logger.debug call remove JSON.stringify(verifyAuthorizationResponse) — log only safe identifiers such as `verificationSessionId` (from the VerifyAuthorizationResponse) plus `orgId` and `userDetails.id`; then pass `verifyAuthorizationResponse` and `userDetails` unchanged into `oid4vpVerificationService.verifyAuthorizationResponse`.

In `@apps/oid4vc-verification/src/oid4vc-verification.service.ts`:
- Around line 692-721: In verifyAuthorizationResponse, avoid logging full payloads: stop JSON.stringifying verifyAuthorizationResponse and verificationResult; instead extract and log a non-sensitive identifier (e.g., verificationSessionId or a correlation id) from the verifyAuthorizationResponse object and log only that plus minimal outcome info (e.g., verificationResult.status or a success/failure flag). Update the logger.debug calls in verifyAuthorizationResponse to reference the identifier variable (not the whole object) and to redact or summarize verificationResult before logging to prevent sensitive tokens/credentials from being written to logs.
🧹 Nitpick comments (3)
apps/api-gateway/src/oid4vc-verification/dtos/verify-authorization-response.dto.ts (1)

1-35: Consider adding @IsUrl() or a URL validation decorator for origin.

Since origin represents a URL origin (e.g., https://example.com), a bare @IsString() allows any arbitrary string. Consider @IsUrl() or a custom validator if stricter validation is desired.

apps/agent-service/src/interface/agent-service.interface.ts (1)

663-668: Duplicate VerifyAuthorizationResponse interface — also defined in oid4vp-verification-sessions.interfaces.ts.

This exact interface is duplicated at apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts:26-30. Consider extracting it to a shared location (e.g., libs/common/src/interfaces/) to avoid drift.

apps/agent-service/src/agent-service.service.ts (1)

2288-2309: Implementation follows existing patterns; consider extracting the shared interface.

The method is clean and consistent with peer methods like createOid4vpVerificationSession. No functional concerns.

One note: VerifyAuthorizationResponse is defined identically in both apps/agent-service/src/interface/agent-service.interface.ts (Lines 663–667) and apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts (Lines 25–29). Consider extracting this into a shared module (e.g., @credebl/common/interfaces) to avoid drift between the two copies.

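The logging fix the review above asks for in the gateway, controller and service handlers (log identifiers and outcome only, never the serialized payload or result), written out as an added example that is not code from this PR or the CREDEBL project; the result shape, the SECRET_KEYS list and the sample values are assumptions.

```typescript
// Added example (not code from this PR or the CREDEBL project): log-safe views of
// the verifyAuthorizationResponse payload and of the agent's verification result,
// so id_token / vp_token material never reaches the logs.

// Field names follow the DTO described on this page.
interface VerifyAuthorizationResponse {
  verificationSessionId: string;
  authorizationResponse: Record<string, unknown>;
  origin?: string;
}

// Compact JWT/JWS: three base64url segments, the header segment encoding "{".
const JWT_RE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
// Keys whose values carry credentials or presentations whatever their format (assumed list).
const SECRET_KEYS = ['id_token', 'vp_token', 'access_token', 'presentation_submission'];

// Deep copy in which every credential-bearing value is replaced by a marker.
export function redact(value: unknown, key: string = ''): unknown {
  if (SECRET_KEYS.indexOf(key) !== -1) return '[REDACTED]';
  if (typeof value === 'string') return JWT_RE.test(value) ? '[REDACTED jwt]' : value;
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(obj)) out[k] = redact(obj[k], k);
    return out;
  }
  return value;
}

// What the handlers should log instead of JSON.stringify(verifyAuthorizationResponse):
// identifiers only, plus the top-level keys of the response (never their values).
export function summarizeRequest(orgId: string, payload: VerifyAuthorizationResponse, userId?: string) {
  return {
    orgId,
    userId,
    verificationSessionId: payload.verificationSessionId,
    origin: payload.origin,
    responseKeys: Object.keys(payload.authorizationResponse || {}).sort(),
  };
}

// Minimal outcome for the result log line; the agent's reply shape is assumed to carry
// a boolean `verified`, and any token inside the remaining detail is redacted.
export function summarizeResult(result: { verified: boolean; [key: string]: unknown }) {
  return { verified: result.verified, detail: redact(result) };
}

// Constructed sample mirroring the DTO's Swagger example (dummy JWT, not a real credential).
export const sample: VerifyAuthorizationResponse = {
  verificationSessionId: '2a7c1f3e-0b6d-4c2e-9f1a-0d3b5e7c9a11',
  authorizationResponse: { id_token: { Passport: ['eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc'] } },
  origin: 'https://verifier.example',
};
```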

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@apps/api-gateway/src/oid4vc-verification/oid4vc-verification.controller.ts`:
- Line 749: The debug log in the verifyAuthorizationResponse flow contains a typo: the template literal in the logger.debug call within the method verifyAuthorizationResponse (or the Oid4vcVerificationController) has an extra closing brace `orgId=${orgId}}`; remove the stray `}` so it reads `orgId=${orgId}` to fix the malformed log output.
🧹 Nitpick comments (3)
apps/api-gateway/src/oid4vc-verification/dtos/verify-authorization-response.dto.ts (1)

9-11: Consider adding @IsUUID() validation for verificationSessionId.

The example value is a UUID and other endpoints in this controller consistently validate UUID parameters with ParseUUIDPipe. Using @IsUUID() here would catch malformed IDs at the DTO validation layer rather than letting them propagate to the agent service.

Proposed fix
+import { IsNotEmpty, IsObject, IsOptional, IsString, IsUUID } from 'class-validator';
-import { IsNotEmpty, IsObject, IsOptional, IsString } from 'class-validator';
 `@IsString`()
+ `@IsUUID`()
 `@IsNotEmpty`()
 verificationSessionId!: string;
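Review bot: the proposed fix lists the new import line (`+`) before the removed one (`-`) and keeps `@IsString()` next to the added `@IsUUID()`; apply it as a single replacement of the import line, and note that the UUID check already rejects non-string values, so the remaining `@IsString()` is redundant but harmless.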
apps/oid4vc-verification/src/oid4vc-verification.service.ts (2)

697-699: Unnecessary JSON.stringify on a plain string value.

verificationSessionId is already a string, so wrapping it in JSON.stringify just adds quotes around it in the log output. Use it directly.

Proposed fix
 this.logger.debug(
- `[verifyAuthorizationResponse] called for orgId=${orgId}, verificationSessionId=${JSON.stringify(verifyAuthorizationResponse.verificationSessionId)}`
+ `[verifyAuthorizationResponse] called for orgId=${orgId}, verificationSessionId=${verifyAuthorizationResponse.verificationSessionId}`
 );

705-705: Unused id from destructuring.

id is destructured from agentDetails but never referenced. Only agentEndPoint is used.

Proposed fix
- const { agentEndPoint, id } = agentDetails;
+ const { agentEndPoint } = agentDetails;

Signed-off-by: shitrerohit <rohit.shitre@ayanworks.com>
Signed-off-by: shitrerohit <rohit.shitre@ayanworks.com>
Signed-off-by: shitrerohit <rohit.shitre@ayanworks.com>
shitrerohit force-pushed the feat/oidc4vc-verify-authorization-response branch from 0b5e177 to 262fc2b on February 16, 2026 08:17

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@apps/api-gateway/src/oid4vc-verification/dtos/verify-authorization-response.dto.ts`:
- Around line 16-23: Replace the real-looking example JWT in the Swagger example payload with a clearly fake placeholder to avoid secret-detection false positives: locate the example object in verify-authorization-response.dto.ts (the example -> id_token -> Passport value) and change the token string to an obvious placeholder like 'eyJ...example-token...' or 'REDACTED_EXAMPLE_TOKEN' so the docs remain illustrative but won’t trigger Gitleaks.
🧹 Nitpick comments (1)
apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts (1)

27-31: Duplicate VerifyAuthorizationResponse interface across service boundaries.

This interface is identically defined in apps/agent-service/src/interface/agent-service.interface.ts (lines 663–667). Consider extracting it into a shared library (e.g., libs/common) to avoid drift between the two definitions.

#!/bin/bash
# Check if there are other duplicate interface patterns across these two directories
rg -n "VerifyAuthorizationResponse" --type=ts

Comment on lines +16 to +23

    example: {
      // eslint-disable-next-line camelcase
      id_token: {
        Passport: [
          'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tL2F1dGgvdjEvcmVhbG0tY3JlZGVibCIsInN1YiI6IjEyMzQ1Njc4OTAiLCJhdWQiOiJhdXRoLWNlbnRlci1pZCIsImV4cCI6MTY5ODAwMDAwMCwiaWF0IjoxNjk3OTk2NDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
        ]
      }
    }
coderabbitai bot commented Feb 16, 2026
⚠️ Potential issue | 🟡 Minor

Example JWT in Swagger docs triggers secret-detection (Gitleaks).

The example JWT on line 20 is flagged by Gitleaks as a potential secret. While it's clearly a dummy value for documentation, consider using a visibly fake placeholder (e.g., 'eyJ...example-token...') to suppress the false positive and avoid noise in CI secret scans.

🧰 Tools

🪛 ESLint
  [error] 19-19: There should be no linebreak after '['. (array-bracket-newline)
  [error] 21-21: There should be no linebreak before ']'. (array-bracket-newline)

🪛 Gitleaks (8.30.0)
  [high] 20-20: Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. (jwt)

