verifiable credentials PoC

CHANGELOG.md

@@ -8,6 +8,12 @@
 
 HTTP input now accepts `field('..')` references in the HTTP body definition.
 
+## 1.9.2
+
+### New features
+
+- Toolkit now exports `window().location.get` to country config that can be used as a template variable e.g. in HttpField request body.
+
 ## 1.9.1
 
 ### Breaking changes

license-config.json

@@ -55,6 +55,7 @@
     "packages/events/.kanelrc.js",
     "packages/dashboards/data/metabase/*",
     "packages/events/src/tests/extract-dump.sh",
+    "packages/toolkit/build.sh",
     ".kube"
   ],
   "license": "license-header.txt",

package.json

@@ -1,7 +1,7 @@
 {
   "description": "OpenCRVS core workspace",
   "license": "MPL-2.0",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "private": true,
   "os": [
     "darwin",

packages/api-docs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencrvs/api-docs",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "OpenCRVS API documentation",
   "license": "MPL-2.0",
   "scripts": {

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencrvs/auth",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "OpenCRVS authentication service",
   "license": "MPL-2.0",
   "private": true,

packages/auth/src/features/authenticate/service.ts

@@ -178,6 +178,41 @@ export async function createTokenForActionConfirmation(
   )
 }
 
+export async function createTokenForVerifiableCredentialIssuance(
+  eventId: UUID,
+  userId: string
+) {
+  return sign(
+    {
+      scope: ['record.issue-vc'],
+      eventId,
+      userType: TokenUserType.enum.user
+    },
+    cert,
+    {
+      subject: userId,
+      algorithm: 'RS256',
+      expiresIn: '5 minutes',
+      audience: [
+        'opencrvs:gateway-user',
+        'opencrvs:user-mgnt-user',
+        'opencrvs:auth-user',
+        'opencrvs:hearth-user',
+        'opencrvs:notification-user',
+        'opencrvs:workflow-user',
+        'opencrvs:search-user',
+        'opencrvs:metrics-user',
+        'opencrvs:countryconfig-user',
+        'opencrvs:webhooks-user',
+        'opencrvs:config-user',
+        'opencrvs:documents-user',
+        'opencrvs:notification-api-user'
+      ],
+      issuer: JWT_ISSUER
+    }
+  )
+}
+
 export async function storeUserInformation(
   nonce: string,
   userFullName: IUserName[],

packages/auth/src/features/oauthToken/handler.ts

@@ -12,20 +12,30 @@ import * as Hapi from '@hapi/hapi'
 import { clientCredentialsHandler } from './client-credentials'
 import * as oauthResponse from './responses'
 import { tokenExchangeHandler } from './token-exchange'
+import { preAuthorizedCodeHandler } from './pre-authorized-code'
+
+const CLIENT_CREDENTIALS = 'client_credentials'
+const TOKEN_EXCHANGE = 'urn:opencrvs:oauth:grant-type:token-exchange'
+const PRE_AUTHORIZED_CODE_GRANT =
+  'urn:ietf:params:oauth:grant-type:pre-authorized_code'
 
 export async function tokenHandler(
   request: Hapi.Request,
   h: Hapi.ResponseToolkit
 ) {
   const grantType = request.query.grant_type
 
-  if (grantType === 'client_credentials') {
+  if (grantType === CLIENT_CREDENTIALS) {
     return clientCredentialsHandler(request, h)
   }
 
-  if (grantType === 'urn:opencrvs:oauth:grant-type:token-exchange') {
+  if (grantType === TOKEN_EXCHANGE) {
     return tokenExchangeHandler(request, h)
   }
 
+  if (grantType === PRE_AUTHORIZED_CODE_GRANT) {
+    return preAuthorizedCodeHandler(request, h)
+  }
+
   return oauthResponse.invalidGrantType(h)
 }

packages/auth/src/features/oauthToken/pre-authorized-code.ts

@@ -0,0 +1,45 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * OpenCRVS is also distributed under the terms of the Civil Registration
+ * & Healthcare Disclaimer located at http://opencrvs.org/license.
+ *
+ * Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+ */
+
+import * as Hapi from '@hapi/hapi'
+import * as oauthResponse from './responses'
+import { createTokenForVerifiableCredentialIssuance } from '../authenticate/service'
+
+/**
+ * Issues a token for a pre-authorized code grant.
+ * This is used in OID4VC flows where a client has obtained a pre-authorized code to get the verifiable credential.
+ */
+export async function preAuthorizedCodeHandler(
+  request: Hapi.Request,
+  h: Hapi.ResponseToolkit
+) {
+  const preAuthorizedCode = request.query?.['pre-authorized_code'] // for PoC: this is event ID
+
+  if (!preAuthorizedCode) {
+    return oauthResponse.invalidRequest(h, 'missing pre-authorized_code')
+  }
+
+  // const token = request.headers.authorization.replace('Bearer ', '')
+  // const decodedOrError = pipe(token, verifyToken)
+
+  // if (decodedOrError._tag === 'Left') {
+  //   return oauthResponse.invalidSubjectToken(h)
+  // }
+
+  // const { sub } = decodedOrError.right
+
+  const token = await createTokenForVerifiableCredentialIssuance(
+    preAuthorizedCode,
+    'anonymous-user' // In PoC, no user binding, see above comment when needed
+  )
+
+  return oauthResponse.preAuthorizedCodeSuccess(h, token)
+}

packages/auth/src/features/oauthToken/responses.ts

@@ -10,12 +10,14 @@
  */
 import * as Hapi from '@hapi/hapi'
 
-export const invalidRequest = (h: Hapi.ResponseToolkit) =>
+export const invalidRequest = (
+  h: Hapi.ResponseToolkit,
+  description = 'Invalid request. Check that all required parameters have been provided.'
+) =>
   h
     .response({
       error: 'invalid_request',
-      error_description:
-        'Invalid request. Check that all required parameters have been provided.',
+      error_description: description,
       error_uri:
         'Refer to https://documentation.opencrvs.org/technology/interoperability/authenticate-a-client'
     })
@@ -62,3 +64,16 @@ export const success = (h: Hapi.ResponseToolkit, token: string) =>
     })
     .header('Cache-Control', 'no-store')
     .code(200)
+
+export const preAuthorizedCodeSuccess = (
+  h: Hapi.ResponseToolkit,
+  token: string
+) =>
+  h
+    .response({
+      access_token: token,
+      token_type: 'Bearer',
+      expires_in: 300 // 5 minutes
+    })
+    .header('Cache-Control', 'no-store')
+    .code(200)

packages/auth/src/features/openid4vc/well-known-openid-credentials.ts

@@ -0,0 +1,38 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * OpenCRVS is also distributed under the terms of the Civil Registration
+ * & Healthcare Disclaimer located at http://opencrvs.org/license.
+ *
+ * Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+ */
+
+import { env } from '@auth/environment'
+import * as Hapi from '@hapi/hapi'
+
+// @TODO: What is actually the best way to figure this out?
+// - [ ] should we pass a new environment variable?
+// - [ ] should this live not in auth?
+const GATEWAY = env.isProduction
+  ? `https://gateway.${env.DOMAIN}`
+  : 'http://localhost:7070'
+
+export function openidCredentialIssuerHandler(
+  request: Hapi.Request,
+  h: Hapi.ResponseToolkit
+) {
+  return h.response({
+    credential_issuer: GATEWAY,
+    credential_endpoint: `${GATEWAY}/events/openid4vc.issuance.credential`,
+    token_endpoint: `${GATEWAY}/auth/token`,
+
+    credential_configurations_supported: {
+      BirthCertificateCredential: {
+        format: 'jwt_vc_json'
+        // claim schema etc...
+      }
+    }
+  })
+}

packages/auth/src/server.ts

@@ -69,6 +69,7 @@ import reindexingTokenHandler, {
   responseSchema as reindexResponseSchema
 } from './features/reindexToken/handler'
 import { Boom, badRequest } from '@hapi/boom'
+import { openidCredentialIssuerHandler } from './features/openid4vc/well-known-openid-credentials'
 
 export type AuthServer = {
   server: Hapi.Server
@@ -128,7 +129,15 @@ export async function createServer() {
   server.route({
     method: 'GET',
     path: '/.well-known',
-    handler: getPublicKey,
+    handler: (_, h) => h.response(getPublicKey()).type('text/plain'),
+    options: {
+      tags: ['api']
+    }
+  })
+  server.route({
+    method: 'GET',
+    path: '/.well-known/openid-credential-issuer',
+    handler: openidCredentialIssuerHandler,
     options: {
       tags: ['api']
     }

packages/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencrvs/client",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "OpenCRVS client application",
   "license": "MPL-2.0",
   "private": true,

packages/client/src/hooks/useHomePage.ts

@@ -32,10 +32,23 @@ export const useHomePage = () => {
   const { pathname } = useLocation()
   const { routes } = useNavigation()
   const userDetails = useSelector(getUserDetails)
-  const firstNavItem = routes
-    .filter((navigationGroup) => navigationGroup.tabs.length > 0)
-    .at(0)
-    ?.tabs.at(0)?.name
+
+  const firstDashboard = window.config.DASHBOARDS?.at(0)?.id
+
+  const tabs = routes.flatMap((navigationGroup) => navigationGroup.tabs)
+
+  const firstNavItem = tabs
+    .filter((tab) => {
+      if (
+        tab.name === WORKQUEUE_TABS.dashboard &&
+        window.config.DASHBOARDS.length === 0
+      ) {
+        // ignores dashboard tab when no dashboard is configured
+        return false
+      }
+      return true
+    })
+    .at(0)?.name
 
   let path: string | Partial<Path> = REGISTRAR_HOME
 
@@ -76,7 +89,7 @@ export const useHomePage = () => {
       path = ALL_USER_EMAIL
       break
     case WORKQUEUE_TABS.dashboard:
-      path = DASHBOARD
+      path = formatUrl(DASHBOARD, { id: firstDashboard! })
       break
     case WORKQUEUE_TABS.performance:
       path = generatePerformanceHomeUrl({

packages/client/src/v2-events/components/forms/FormFieldGenerator/FormFieldGenerator-2.interaction.stories.tsx

@@ -505,7 +505,7 @@ export const DisabledFormFields: StoryObj<typeof FormFieldGenerator> = {
 
       // in react-select v5 literal inputs are not rendered when disabled, so we ensure the fields are there.
       await canvas.findByLabelText('Region')
-      await canvas.findByLabelText('District *')
+      await canvas.findByLabelText('District')
     })
   }
 }
@@ -559,7 +559,7 @@ export const EnabledFormFields: StoryObj<typeof FormFieldGenerator> = {
       }
 
       await canvas.findByLabelText('Region')
-      await canvas.findByLabelText('District *')
+      await canvas.findByLabelText('District')
     })
   }
 }
@@ -647,9 +647,7 @@ export const EnabledFormFieldsByEnableCondition: StoryObj<
       }
 
       await expect(await canvas.findByLabelText('Region')).not.toBeDisabled()
-      await expect(
-        await canvas.findByLabelText('District *')
-      ).not.toBeDisabled()
+      await expect(await canvas.findByLabelText('District')).not.toBeDisabled()
     })
 
     await step('All form fields should be disabled again', async () => {
@@ -674,7 +672,7 @@ export const EnabledFormFieldsByEnableCondition: StoryObj<
 
         // in react-select v5 literal inputs are not rendered when disabled, so we ensure the fields are there.
         await canvas.findByLabelText('Region')
-        await canvas.findByLabelText('District *')
+        await canvas.findByLabelText('District')
       }
     })
   }

packages/client/src/v2-events/components/forms/FormFieldGenerator/GeneratedInputField.tsx

@@ -62,7 +62,8 @@ import {
   isIdReaderFieldType,
   isQrReaderFieldType,
   isLoaderFieldType,
-  isAgeFieldType
+  isAgeFieldType,
+  isImageFieldType
 } from '@opencrvs/commons/client'
 import { TextArea } from '@opencrvs/components/lib/TextArea'
 import { InputField } from '@client/components/form/InputField'
@@ -87,7 +88,8 @@ import {
   AlphaPrintButton,
   Http,
   LinkButton,
-  VerificationStatus
+  VerificationStatus,
+  Image
 } from '@client/v2-events/features/events/registered-fields'
 import { Address } from '@client/v2-events/features/events/registered-fields/Address'
 import { Data } from '@client/v2-events/features/events/registered-fields/Data'
@@ -800,6 +802,17 @@ export const GeneratedInputField = React.memo(
       )
     }
 
+    if (isImageFieldType(field)) {
+      return (
+        field.value && (
+          <Image.Input
+            alt={field.config.configuration.alt}
+            value={field.value}
+          />
+        )
+      )
+    }
+
     throw new Error(`Unsupported field ${JSON.stringify(fieldDefinition)}`)
   }
 )