Merge pull request #987 from shev-pro/dynamic_persession_ttl

Dynamic Session TTL Configuration for Issuance and Verification

Author: philpotisk

waltid-libraries/protocols/waltid-openid4vc/src/commonMain/kotlin/id/walt/oid4vc/interfaces/ISessionCache.kt

@@ -8,9 +8,13 @@ interface ISessionCache<T> {
 
     /**
      * Puts the specified [session] with the specified [id] in the session cache.
+     * @param id The ID to store the session under
+     * @param session The session to store
+     * @param ttl Optional custom time-to-live duration for this session.
+     *            If null, the default expiration is used.
      * @return the previous value associated with the [id], or `null` if the key was not present in the cache.
      */
-    fun putSession(id: String, session: T)
+    fun putSession(id: String, session: T, ttl: kotlin.time.Duration? = null)
 
     fun getSessionByAuthServerState(authServerState: String): T?
     /**

waltid-libraries/protocols/waltid-openid4vc/src/commonMain/kotlin/id/walt/oid4vc/providers/OpenIDCredentialVerifier.kt

@@ -46,7 +46,8 @@ abstract class OpenIDCredentialVerifier(val config: CredentialVerifierConfig) :
         clientIdScheme: ClientIdScheme = config.defaultClientIdScheme,
         openId4VPProfile: OpenId4VPProfile = OpenId4VPProfile.DEFAULT,
         walletInitiatedAuthState: String? = null,
-        trustedRootCAs: List<String>? = null
+        trustedRootCAs: List<String>? = null,
+        sessionTtl: Duration? = null // Custom TTL duration for the session
     ): PresentationSession {
         val session = PresentationSession(
             id = sessionId ?: ShortIdUtils.randomSessionId(),
@@ -58,7 +59,7 @@ abstract class OpenIDCredentialVerifier(val config: CredentialVerifierConfig) :
             openId4VPProfile = openId4VPProfile,
             trustedRootCAs = trustedRootCAs
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, sessionTtl ?: expiresIn)
         }
         val presentationDefinitionUri = when(openId4VPProfile) {
             OpenId4VPProfile.ISO_18013_7_MDOC, OpenId4VPProfile.HAIP -> null
@@ -108,18 +109,28 @@ abstract class OpenIDCredentialVerifier(val config: CredentialVerifierConfig) :
             nonce = Uuid.random().toString()
         )
         return session.copy(authorizationRequest = authReq).also {
-            putSession(session.id, it)
+            putSession(session.id, it, sessionTtl ?: expiresIn)
         }
     }
 
     open fun verify(tokenResponse: TokenResponse, session: PresentationSession): PresentationSession {
         // https://json-schema.org/specification
         // https://github.com/OptimumCode/json-schema-validator
+        // Calculate the remaining time to live based on the session's expiration timestamp
+        val remainingTtl = session.expirationTimestamp?.let {
+            val now = Clock.System.now()
+            if (it > now) {
+                it - now  // Calculate duration between now and expiration
+            } else {
+                null  // Already expired
+            }
+        }
+        
         return session.copy(
             tokenResponse = tokenResponse,
             verificationResult = doVerify(tokenResponse, session)
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, remainingTtl)
         }
     }
 

waltid-libraries/protocols/waltid-openid4vc/src/jvmTest/kotlin/id/walt/oid4vc/EBSITestWallet.kt

@@ -42,6 +42,7 @@ import io.ktor.serialization.kotlinx.json.*
 import kotlinx.coroutines.runBlocking
 import kotlinx.datetime.Instant
 import kotlinx.serialization.json.*
+import kotlin.time.Duration
 import kotlin.uuid.ExperimentalUuidApi
 import kotlin.uuid.Uuid
 
@@ -225,7 +226,7 @@ class EBSITestWallet(
         )
     }
 
-    override fun putSession(id: String, session: SIOPSession) {
+    override fun putSession(id: String, session: SIOPSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-libraries/protocols/waltid-openid4vc/src/jvmTest/kotlin/id/walt/oid4vc/TestCredentialWallet.kt

@@ -52,6 +52,7 @@ import io.ktor.util.*
 import kotlinx.coroutines.runBlocking
 import kotlinx.datetime.Instant
 import kotlinx.serialization.json.*
+import kotlin.time.Duration
 
 const val WALLET_PORT = 8001
 const val WALLET_BASE_URL = "http://localhost:${WALLET_PORT}"
@@ -241,7 +242,7 @@ class TestCredentialWallet(
         TODO("Not yet implemented")
     }
 
-    override fun putSession(id: String, session: SIOPSession) {
+    override fun putSession(id: String, session: SIOPSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-libraries/protocols/waltid-openid4vc/src/jvmTest/kotlin/id/walt/oid4vc/VPTestVerifier.kt

@@ -22,6 +22,7 @@ import kotlinx.coroutines.runBlocking
 import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.jsonObject
 import kotlinx.serialization.json.jsonPrimitive
+import kotlin.time.Duration
 
 const val VP_VERIFIER_PORT = 8002
 const val VP_VERIFIER_BASE_URL = "http://localhost:$VP_VERIFIER_PORT"
@@ -34,7 +35,7 @@ class VPTestVerifier : OpenIDCredentialVerifier(
     private val presentationDefinitionCache = mutableMapOf<String, PresentationDefinition>()
     override fun getSession(id: String): PresentationSession? = sessionCache[id]
 
-    override fun putSession(id: String, session: PresentationSession) {
+    override fun putSession(id: String, session: PresentationSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-libraries/waltid-core-wallet/src/jvmMain/java/id/walt/wallet/core/service/oidc4vc/TestCredentialWallet.kt

@@ -383,7 +383,7 @@ class TestCredentialWallet(
         TODO("Not yet implemented")
     }
 
-    override fun putSession(id: String, session: VPresentationSession) {
+    override fun putSession(id: String, session: VPresentationSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-services/waltid-issuer-api/src/main/kotlin/id/walt/issuer/issuance/CIProvider.kt

@@ -154,9 +154,9 @@ open class CIProvider(
     }
 
 
-    fun putSession(id: String, session: IssuanceSession) {
+    fun putSession(id: String, session: IssuanceSession, ttl: Duration? = null) {
         log.debug { "SETTING CI AUTH SESSION: $id = $session" }
-        authSessions[id] = session
+        authSessions.set(id, session, ttl)
     }
 
     fun removeSession(id: String) {
@@ -444,10 +444,20 @@ open class CIProvider(
     }
 
     private fun generateProofOfPossessionNonceFor(session: IssuanceSession): IssuanceSession {
+        // Calculate remaining TTL based on session expiration
+        val remainingTtl = session.expirationTimestamp?.let {
+            val now = Clock.System.now()
+            if (it > now) {
+                it - now  // Calculate duration between now and expiration
+            } else {
+                null  // Already expired
+            }
+        }
+        
         return session.copy(
             cNonce = randomUUID()
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, remainingTtl)
         }
     }
 
@@ -496,7 +506,7 @@ open class CIProvider(
             val updatedSession = IssuanceSession(
                 id = it.id,
                 authorizationRequest = authorizationRequest,
-                expirationTimestamp = Clock.System.now().plus(5.minutes),
+                expirationTimestamp = Clock.System.now().plus(expiresIn),
                 issuanceRequests = it.issuanceRequests,
                 authServerState = authServerState,
                 txCode = it.txCode,
@@ -506,7 +516,7 @@ open class CIProvider(
                 callbackUrl = it.callbackUrl,
                 customParameters = it.customParameters
             )
-            putSession(it.id, updatedSession)
+            putSession(it.id, updatedSession, expiresIn)
         }
     }
 
@@ -544,7 +554,7 @@ open class CIProvider(
             credentialOffer = credentialOfferBuilder.build(),
             callbackUrl = callbackUrl
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, expiresIn)
         }
     }
 

waltid-services/waltid-issuer-api/src/main/kotlin/id/walt/issuer/issuance/IssuerApi.kt

@@ -26,13 +26,15 @@ import kotlinx.serialization.json.jsonPrimitive
 import kotlin.reflect.KClass
 import kotlin.time.Duration
 import kotlin.time.Duration.Companion.minutes
+import kotlin.time.Duration.Companion.seconds
 
 private val logger = KotlinLogging.logger {}
 suspend fun createCredentialOfferUri(
     issuanceRequests: List<IssuanceRequest>,
     credentialFormat: CredentialFormat,
     callbackUrl: String? = null,
     expiresIn: Duration = 5.minutes,
+    sessionTtl: Duration? = null,
 ): String {
     val overwrittenIssuanceRequests = issuanceRequests.map {
         it.copy(
@@ -44,7 +46,7 @@ suspend fun createCredentialOfferUri(
 
     val issuanceSession = OidcApi.initializeCredentialOffer(
         issuanceRequests = overwrittenIssuanceRequests,
-        expiresIn = expiresIn,
+        expiresIn = sessionTtl ?: expiresIn,
         callbackUrl = callbackUrl,
         standardVersion = overwrittenIssuanceRequests.first().standardVersion!!
     )
@@ -211,8 +213,15 @@ fun Application.issuerApi() {
                 description = "Callback to push state changes of the issuance process to"
                 required = false
             }
+            
+            fun OpenApiRequest.sessionTtlHeader() = headerParameter<Long>("sessionTtl") {
+                description = "Custom session time-to-live in seconds"
+                required = false
+            }
 
             fun RoutingContext.getCallbackUriHeader() = call.request.header("statusCallbackUri")
+            
+            fun RoutingContext.getSessionTtl() = call.request.header("sessionTtl")?.toLongOrNull()?.let { it.seconds }
 
             route("raw") {
                 route("jwt") {
@@ -281,6 +290,7 @@ fun Application.issuerApi() {
 
                         request {
                             statusCallbackUriHeader()
+                            sessionTtlHeader()
                             body<IssuanceRequest> {
                                 description =
                                     "Pass the unsigned credential that you intend to issue as the body of the request."
@@ -343,7 +353,8 @@ fun Application.issuerApi() {
                             listOf(jwtIssuanceRequest),
                             getFormatByCredentialConfigurationId(jwtIssuanceRequest.credentialConfigurationId)
                                 ?: throw IllegalArgumentException("Invalid Credential Configuration Id"),
-                            getCallbackUriHeader()
+                            getCallbackUriHeader(),
+                            sessionTtl = getSessionTtl()
                         )
                         call.respond(HttpStatusCode.OK, offerUri)
                     }
@@ -354,6 +365,7 @@ fun Application.issuerApi() {
 
                         request {
                             statusCallbackUriHeader()
+                            sessionTtlHeader()
                             body<List<IssuanceRequest>> {
                                 description =
                                     "Pass the unsigned credential that you intend to issue as the body of the request."
@@ -379,7 +391,8 @@ fun Application.issuerApi() {
                             issuanceRequests,
                             getFormatByCredentialConfigurationId(issuanceRequests.first().credentialConfigurationId)
                                 ?: throw IllegalArgumentException("Invalid Credential Configuration Id"),
-                            getCallbackUriHeader()
+                            getCallbackUriHeader(),
+                            sessionTtl = getSessionTtl()
                         )
                         logger.debug { "Offer URI: $offerUri" }
                         call.respond(HttpStatusCode.OK, offerUri)
@@ -394,6 +407,7 @@ fun Application.issuerApi() {
 
                         request {
                             statusCallbackUriHeader()
+                            sessionTtlHeader()
                             body<IssuanceRequest> {
                                 description =
                                     "Pass the unsigned credential that you intend to issue in the body of the request."
@@ -426,7 +440,8 @@ fun Application.issuerApi() {
                             listOf(sdJwtIssuanceRequest),
                             getFormatByCredentialConfigurationId(sdJwtIssuanceRequest.credentialConfigurationId)
                                 ?: throw IllegalArgumentException("Invalid Credential Configuration Id"),
-                            getCallbackUriHeader()
+                            getCallbackUriHeader(),
+                            sessionTtl = getSessionTtl()
                         )
 
                         call.respond(
@@ -441,6 +456,7 @@ fun Application.issuerApi() {
 
                         request {
                             statusCallbackUriHeader()
+                            sessionTtlHeader()
                             body<List<IssuanceRequest>> {
                                 description =
                                     "Pass the unsigned credential that you intend to issue as the body of the request."
@@ -467,7 +483,8 @@ fun Application.issuerApi() {
                                 sdJwtIssuanceRequests,
                                 getFormatByCredentialConfigurationId(sdJwtIssuanceRequests.first().credentialConfigurationId)
                                     ?: throw IllegalArgumentException("Invalid Credential Configuration Id"),
-                                getCallbackUriHeader()
+                                getCallbackUriHeader(),
+                                sessionTtl = getSessionTtl()
                             )
 
                         logger.debug { "Offer URI: $offerUri" }
@@ -484,6 +501,7 @@ fun Application.issuerApi() {
                         description = "This endpoint issues a mdoc and returns an issuance URL "
                         request {
                             statusCallbackUriHeader()
+                            sessionTtlHeader()
                             body<IssuanceRequest> {
                                 description =
                                     "Pass the unsigned credential that you intend to issue as the body of the request."
@@ -498,7 +516,8 @@ fun Application.issuerApi() {
                             listOf(mdocIssuanceRequest),
                             getFormatByCredentialConfigurationId(mdocIssuanceRequest.credentialConfigurationId)
                                 ?: throw IllegalArgumentException("Invalid Credential Configuration Id"),
-                            getCallbackUriHeader()
+                            getCallbackUriHeader(),
+                            sessionTtl = getSessionTtl()
                         )
 
                         call.respond(

waltid-services/waltid-service-commons/src/main/kotlin/id/walt/commons/persistence/ConfiguredPersistence.kt

@@ -48,8 +48,27 @@ class ConfiguredPersistence<V : Any>(
     override fun getAll(): Sequence<V> = underlyingPersistence.getAll()
     override fun listSize(id: String): Int = underlyingPersistence.listSize(id)
 
-    override fun listAdd(id: String, value: V) = underlyingPersistence.listAdd(id, value)
+    /**
+     * Add a value to a list with a specified or default expiration.
+     * @param id The key of the list
+     * @param value The value to add
+     * @param ttl Optional expiration duration. If null, defaultExpiration will be used
+     */
+    override fun listAdd(id: String, value: V, ttl: Duration?) = underlyingPersistence.listAdd(id, value, ttl)
 
-    override fun set(id: String, value: V) = underlyingPersistence.set(id, value)
+    /**
+     * Store a value with the default expiration.
+     * @param id The key to store the value under
+     * @param value The value to store
+     */
+    override operator fun set(id: String, value: V) { underlyingPersistence[id] = value }
+    
+    /**
+     * Store a value with a specified expiration.
+     * @param id The key to store the value under
+     * @param value The value to store
+     * @param ttl Expiration duration. If null, defaultExpiration will be used
+     */
+    override fun set(id: String, value: V, ttl: Duration?) = underlyingPersistence.set(id, value, ttl)
 
 }

waltid-services/waltid-service-commons/src/main/kotlin/id/walt/commons/persistence/InMemoryPersistence.kt

@@ -13,7 +13,12 @@ class InMemoryPersistence<V : Any>(discriminator: String, defaultExpiration: Dur
         .expireAfterWrite(defaultExpiration)
         .build() }
 
-    override fun listAdd(id: String, value: V) {
+    // Note: For in-memory persistence, we can't easily change TTL for individual entries
+    // without creating a new cache for each TTL, which would be inefficient.
+    // The Cache4k library doesn't support per-entry TTL configuration.
+    // This implementation will still use the default expiration for all entries.
+    
+    override fun listAdd(id: String, value: V, ttl: Duration?) {
         if (!listStore.asMap().containsKey(id)) {
             listStore.put(id, arrayListOf(value))
         } else {
@@ -29,6 +34,12 @@ class InMemoryPersistence<V : Any>(discriminator: String, defaultExpiration: Dur
     override operator fun set(id: String, value: V) {
         store.put(id, value)
     }
+    
+    override fun set(id: String, value: V, ttl: Duration?) {
+        // For in-memory persistence, we always use the defaultExpiration
+        // as Cache4k doesn't support per-entry TTL
+        store.put(id, value)
+    }
 
     override fun remove(id: String) {
         store.invalidate(id)