feat:API for verify the authorization response

[shitrerohit]

What?

API for verify authorization response

How?

Created a new route to verify the authorization response received from a proof request when the response mode is dc_api or dc_api.jwt.

Summary by CodeRabbit

• New Features

  • Added a new endpoint to verify OpenID4VC DCQL proof requests.
  • Exposed origin tracking in authorization flows to preserve request provenance.

• Bug Fixes

  • Improved proof request resolution to accept additional options and made response handling more robust when returning server submissions.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• ✅ Review completed - (🔄 Check again to review again)

📝 Walkthrough

Walkthrough

The PR extends OpenID4VC holder and verifier functionality to support DCQL proof request verification. It propagates authorization options through the resolution flow, introduces a new verification endpoint for handling DCQL authorization responses with session tracking, and updates result handling to store complete submission results.

Changes

Cohort / File(s)	Summary
Holder Authorization Options src/controllers/openid4vc/holder/holder.service.ts, src/controllers/openid4vc/types/holder.types.ts	Extended ResolveProofRequest to accept optional authorization options and modified acceptPresentationRequest to propagate options including origin to resolution flow; adjusted result handling to default to empty status 200 response and store complete submission results.
Verifier DCQL Session Verification src/controllers/openid4vc/types/verifier.types.ts, src/controllers/openid4vc/verifier-sessions/verification-sessions.Controller.ts, src/controllers/openid4vc/verifier-sessions/verification-sessions.service.ts	Added OpenId4VCDCQLVerificationSessionRecord type to track verification sessions with authorization responses and origin; introduced new POST endpoint and service method verifyDcqlProofRequest to verify DCQL proof requests using the verifier module.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• Fix/oid4vc verification flow changes #340: Updates to holder.service and related types directly touch OpenID4VC holder/verifier code paths modified in this PR for DCQL support.
• Fix/issuer verifier session type issues #337: Additions to verification-sessions controller and service, including new verifyDcqlProofRequest method and verification session types, align with verification-sessions infrastructure changes.

Suggested reviewers

• GHkrishna
• RinkalBhojani

Poem

🐰 A holder hops with options new,
Authorization flows straight through,
Sessions verified, DCQL's way,
Responses stored in bright display! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat:API for verify the authorization response' directly relates to the main objective of adding an API route to verify authorization responses, though it contains a minor grammatical issue.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/oid4vc-verify-authorization-response

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[shitrerohit]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@src/controllers/openid4vc/holder/holder.service.ts`:
- Around line 231-233: Don't mutate submissionResult.serverResponse in place or
overwrite its body; instead create and return a new object that copies needed
HTTP metadata (e.g., status, headers) from submissionResult.serverResponse (or
uses defaults) and preserves its original body, and attach the full submission
payload under a new key (e.g., submission or submissionResult). Concretely, stop
assigning submissionResult.serverResponse to result and then setting
result['body'] = submissionResult; instead build a fresh object that merges
metadata from serverResponse and sets a separate field for the submission
payload so serverResponse.body is not discarded and no library-owned object is
mutated.

In
`@src/controllers/openid4vc/verifier-sessions/verification-sessions.service.ts`:
- Around line 203-210: The parameter name verifydcqlProofRquest in method
verifyDcqlProofRequest is misspelled and inconsistently cased; rename it to
verifyDCQLProofRequest (or verifyDcqlProofRequest -> verifyDCQLProofRequest)
throughout the service method signature and all call sites (including the
corresponding controller) and update the spread usage in
verifier.verifyAuthorizationResponse({ ...verifyDCQLProofRequest }) to use the
corrected identifier so types (OpenId4VCDCQLVerificationSessionRecord) and
naming are consistent.
- Line 208: Replace the incorrect call to
verifier.verifyAuthorizationResponse(...verifydcqlProofRquest) with
verifier.getVerifiedAuthorizationResponse(verificationSessionId); specifically,
stop spreading the verifydcqlProofRquest object and instead pass only the
verificationSessionId (the same id used earlier on line 118 usage), update the
surrounding code to accept the returned verified response type (remove the as
any cast if possible) and rename the local variable if needed to reflect that it
contains the verified authorization response.

🧹 Nitpick comments (3)

src/controllers/openid4vc/holder/holder.service.ts (1)

217-223: No-op try-catch — remove or add meaningful handling.

The catch (error) { throw error } block does nothing; it re-throws the same error. Either remove the try-catch entirely or add logging/wrapping before re-throwing.

♻️ Proposed fix

-    let dcqlCredentials
-    try {
-      dcqlCredentials = await agentReq.agent.modules.openid4vc.holder.selectCredentialsForDcqlRequest(
-        resolved.dcql.queryResult,
-      )
-    } catch (error) {
-      throw error
-    }
+    const dcqlCredentials = await agentReq.agent.modules.openid4vc.holder.selectCredentialsForDcqlRequest(
+      resolved.dcql.queryResult,
+    )

src/controllers/openid4vc/verifier-sessions/verification-sessions.Controller.ts (2)

90-103: Endpoint looks consistent with existing patterns; fix the parameter typo here too.

The new endpoint follows the established try/catch + ErrorHandlingService.handle pattern. Apply the same parameter rename (verifydcqlProofRquest → verifyDcqlProofRequest) as noted in the service file.

✏️ Proposed rename

   public async verifyDcqlProofRequest(
     `@Request`() request: Req,
-    `@Body`() verifydcqlProofRquest: OpenId4VCDCQLVerificationSessionRecord,
+    `@Body`() verifyDcqlProofRequest: OpenId4VCDCQLVerificationSessionRecord,
   ) {
     try {
-      return await this.verificationSessionService.verifyDcqlProofRequest(request, verifydcqlProofRquest)
+      return await this.verificationSessionService.verifyDcqlProofRequest(request, verifyDcqlProofRequest)
     } catch (error) {
       throw ErrorHandlingService.handle(error)
     }
   }

---

90-92: Consider adding a JSDoc note about expected responseMode values.

The PR description mentions this endpoint handles dc_api and dc_api.jwt response modes, but the doc comment doesn't clarify this constraint. A brief note would help API consumers understand when to use this endpoint versus the existing flow.

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/controllers/openid4vc/verifier-sessions/verification-sessions.service.ts (1)

14-23: ⚠️ Potential issue | 🔴 Critical

Duplicate imports will cause compilation error.

ClientIdPrefix and OpenId4VcIssuerX5cOptions are imported twice in the same import block (lines 15/20 and 17/21 respectively). This will fail TypeScript compilation.

🔧 Proposed fix to remove duplicates

 import {
   ClientIdPrefix,
   CreateAuthorizationRequest,
   OpenId4VcIssuerX5cOptions,
   OpenId4VCDCQLVerificationSessionRecord,
   OpenId4VcIssuerX5c,
-  ClientIdPrefix,
-  OpenId4VcIssuerX5cOptions,
   ResponseModeEnum,
 } from '../types/verifier.types'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/controllers/openid4vc/verifier-sessions/verification-sessions.service.ts`
around lines 14 - 23, The import block in verification-sessions.service.ts
contains duplicate symbols (ClientIdPrefix and OpenId4VcIssuerX5cOptions) which
will break TypeScript compilation; edit the import list where ClientIdPrefix and
OpenId4VcIssuerX5cOptions are listed and remove the duplicate occurrences so
each symbol is imported only once (keep one entry for ClientIdPrefix and one for
OpenId4VcIssuerX5cOptions alongside the other imports such as
CreateAuthorizationRequest, OpenId4VCDCQLVerificationSessionRecord,
OpenId4VcIssuerX5c, and ResponseModeEnum).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In
`@src/controllers/openid4vc/verifier-sessions/verification-sessions.service.ts`:
- Around line 14-23: The import block in verification-sessions.service.ts
contains duplicate symbols (ClientIdPrefix and OpenId4VcIssuerX5cOptions) which
will break TypeScript compilation; edit the import list where ClientIdPrefix and
OpenId4VcIssuerX5cOptions are listed and remove the duplicate occurrences so
each symbol is imported only once (keep one entry for ClientIdPrefix and one for
OpenId4VcIssuerX5cOptions alongside the other imports such as
CreateAuthorizationRequest, OpenId4VCDCQLVerificationSessionRecord,
OpenId4VcIssuerX5c, and ResponseModeEnum).

---

Duplicate comments:
In
`@src/controllers/openid4vc/verifier-sessions/verification-sessions.service.ts`:
- Line 216: The code incorrectly calls verifier.verifyAuthorizationResponse(...)
which doesn't exist; replace this by waiting until the verification session
reaches the ResponseVerified state and then call
verifier.getVerifiedAuthorizationResponse(verificationSessionId) (the same
pattern used elsewhere in this file), passing the verificationSessionId and
handling/typing the returned result appropriately; remove the invalid
verifyAuthorizationResponse call and adapt any downstream logic to use the
object returned by getVerifiedAuthorizationResponse instead.
- Line 210: Rename the misspelled parameter verifydcqlProofRquest to
verifyDcqlProofRequest (camelCase) in the function/method declaration that
accepts OpenId4VCDCQLVerificationSessionRecord, and update every use site inside
the function (references, destructuring, JSDoc, and any callers) to the new
identifier; ensure exports, type annotations and tests that reference
verifydcqlProofRquest are updated to the new name so compilation and imports
stay consistent.