[Partisia] IssuedDocument - getCredentials() returns expired credentials

sraptis-scy · sraptis-scy · commit db692a830144 · 2026-04-24T12:55:03.000+03:00
- #123
diff --git a/README.md b/README.md
@@ -284,14 +284,14 @@ Issued documents provide methods to work with individual credentials:
 val issuedDocument = documentManager.getDocumentById("document_id") as? IssuedDocument
 requireNotNull(issuedDocument)
 
-// Get the number of valid credentials for the document
-val numberOfValidCredentials = issuedDocument.credentialsCount()
+// Get the number of credentials (does not filter by temporal validity)
+val numberOfCredentials = issuedDocument.credentialsCount()
 
 // Get the initial number of credentials for the document
 val initialNumberOfCredentials = issuedDocument.initialCredentialsCount()
 
-// Get a list of all valid credentials for the document
-val validCredentials = issuedDocument.getCredentials()
+// Get all credentials (does not filter by temporal validity — may include expired credentials)
+val credentials = issuedDocument.getCredentials()
 
 // Find an available credential (automatically selects the best one based on policy)
 val credential = issuedDocument?.findCredential()
@@ -503,7 +503,8 @@ Documents can be certified to verify their authenticity:
 val issuedDocument = documentManager.getDocumentById("document_id") as? IssuedDocument
 val isCertified = issuedDocument?.isCertified() == true
 
-// Check if any of the document's key has been invalidated
+// Check if any of the document's credentials have been invalidated
+// Note: getCredentials() does not filter by temporal validity (validFrom/validUntil)
 val invalidatedKeys: Map<String, Boolean> = issuedDocument?.getCredentials()
     ?.associate { it.alias to it.isInvalidated() }
     ?: emptyMap()
diff --git a/document-manager/src/main/java/eu/europa/ec/eudi/wallet/document/Document.kt b/document-manager/src/main/java/eu/europa/ec/eudi/wallet/document/Document.kt
@@ -63,12 +63,16 @@ sealed interface Document {
     val isKeyInvalidated: Boolean
 
     /**
-     * Returns the number of valid credentials associated with this document.
+     * Returns the number of credentials associated with this document that pass structural
+     * validity checks.
      *
-     * For UnsignedDocument, this counts credentials that can be used for proof of possession.
-     * For IssuedDocument, this counts valid credentials according to the credential policy.
+     * For [UnsignedDocument], this counts credentials that can be used for proof of possession.
+     * For [IssuedDocument], this counts credentials according to the credential policy but
+     * does **not** filter by temporal validity (`validFrom`/`validUntil`). The count may include
+     * expired or not-yet-valid credentials. Use [IssuedDocument.findCredential] to check if a
+     * credential is valid at a specific point in time.
      *
-     * @return The number of valid credentials available for this document
+     * @return The number of credentials that pass structural validity checks
      */
     suspend fun credentialsCount(): Int
 }
diff --git a/document-manager/src/main/java/eu/europa/ec/eudi/wallet/document/IssuedDocument.kt b/document-manager/src/main/java/eu/europa/ec/eudi/wallet/document/IssuedDocument.kt
@@ -113,16 +113,20 @@ class IssuedDocument(
     }
 
     /**
-     * Retrieves all valid credentials associated with this document.
+     * Retrieves all credentials associated with this document that pass structural validity checks.
      *
      * This method filters the document's credentials based on several criteria:
      * - Only certified credentials bound to a secure area
      * - Only credentials that are not invalidated
      * - Only credentials that belong to the current document manager
      * - For OneTimeUse policy, only credentials that haven't been used (usageCount == 0)
-     * - For RotateUse policy, all valid credentials
+     * - For RotateUse policy, all credentials regardless of usage count
      *
-     * @return A list of valid [SecureAreaBoundCredential] objects
+     * **Note:** This method does **not** filter by temporal validity (`validFrom`/`validUntil`).
+     * The returned list may include credentials that are expired or not yet valid.
+     * Use [findCredential] to obtain a credential that is valid at a specific point in time.
+     *
+     * @return A list of [SecureAreaBoundCredential] objects that pass structural validity checks
      */
     suspend fun getCredentials(): List<SecureAreaBoundCredential> {
         return baseDocument.getCertifiedCredentials()
@@ -169,6 +173,14 @@ class IssuedDocument(
         return candidate
     }
 
+    /**
+     * Returns the number of credentials that pass structural validity checks.
+     *
+     * Delegates to [getCredentials], which does **not** filter by temporal validity.
+     * This count may include expired or not-yet-valid credentials.
+     * To check how many credentials are currently usable, filter [getCredentials] by
+     * `validFrom`/`validUntil` or use [findCredential] to check if at least one is valid.
+     */
     override suspend fun credentialsCount(): Int {
         return getCredentials().size
     }
