Connection based verification (#802)

* Initial POC of connection based verification

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Applied black formatting

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Removed assertion to ensure we didn't use oob

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Added problem reports on failed connections

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Add connection verification testing

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

1. Updated timestamps in models to use UTC for consistency across the application.
2. Added comprehensive tests for ACA-Py webhook handler, covering various scenarios including connection status changes, presentation request handling, and error reporting.
3. Introduced new dependencies in the `pyproject.toml` for HTTP handling in tests.
4. Improved mocking strategies in test cases for better isolation and reliability.

These changes ensure better adherence to time standards and robustness in handling connection-based verification's and related testing.

* Improve test coverage

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Use multi_use keyword rather than ephemeral and only delete multi_use auth_sessions

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Remove NEW comments and removed depreciated create_invitation

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

- Removed commented-out code for the depreciated create_invitation method
- Changed comments in the acapy_handler and oidc router modules to remove "NEW" indicators for clarification.

* Fix: removed "pending-" prefix and error reporting with invi_msg_id

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

- Removed the hardcoded "pending-" prefix from the session ID lookup when searching by `pres_exch_id` in `acapy_handler.py`, allowing for more flexible ID matching.
- Added a check in `oidc.py` to raise an HTTP 500 error if the invitation message ID is missing, ensuring proper error handling and clearer diagnostics when creating an OOB invitation message.

* Removed pointless "assert False" that was left over from testing

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Remove unnecessary dependencies and group allocations in poetry.lock and pyproject.toml

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

- Removed 'httpx' packages from pyproject.toml as they were not needed.

* Restore httpx dependancy

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Change logging type

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Corrected inconsistent expiry and creation timestamps

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Handle timezone aware comparison datetimes

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

* Add USE_CONNECTION_BASED_VERIFICATION to docker compose

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>

---------

Signed-off-by: Gavin Jaeger-Freeborn <gavinfreeborn@gmail.com>
Signed-off-by: Gavinok <34443260+Gavinok@users.noreply.github.com>

Author: Gavinok

docker/docker-compose.yaml

@@ -36,6 +36,7 @@ services:
       - ST_ACAPY_ADMIN_API_KEY=${AGENT_ADMIN_API_KEY}
       - ST_ACAPY_ADMIN_API_KEY_NAME=${ST_ACAPY_ADMIN_API_KEY_NAME}
       - USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE}
+      - USE_CONNECTION_BASED_VERIFICATION=${USE_CONNECTION_BASED_VERIFICATION}
       - WALLET_DEEP_LINK_PREFIX=${WALLET_DEEP_LINK_PREFIX}
       - INVITATION_LABEL=${INVITATION_LABEL}
     ports:

docker/manage

@@ -189,6 +189,7 @@ configureEnvironment() {
   export INVITATION_LABEL=${INVITATION_LABEL:-"VC-AuthN"}
   export SET_NON_REVOKED="True"
   export USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE:-"true"}
+  export USE_CONNECTION_BASED_VERIFICATION=${USE_CONNECTION_BASED_VERIFICATION:-"true"}
   export WALLET_DEEP_LINK_PREFIX=${WALLET_DEEP_LINK_PREFIX:-"bcwallet://aries_proof-request"}
 
   # agent

oidc-controller/api/authSessions/crud.py

@@ -27,6 +27,12 @@ async def create(self, auth_session: AuthSessionCreate) -> AuthSession:
         result = col.insert_one(jsonable_encoder(auth_session))
         return AuthSession(**col.find_one({"_id": result.inserted_id}))
 
+    async def get_by_connection_id(self, connection_id: str) -> AuthSession | None:
+        """Get auth session by connection ID for connection-based verification."""
+        col = self._db.get_collection(COLLECTION_NAMES.AUTH_SESSION)
+        result = col.find_one({"connection_id": connection_id})
+        return AuthSession(**result) if result else None
+
     async def get(self, id: str) -> AuthSession:
         if not PyObjectId.is_valid(id):
             raise HTTPException(

oidc-controller/api/authSessions/models.py

@@ -1,4 +1,4 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, UTC
 from enum import StrEnum, auto
 
 from api.core.models import UUIDModel
@@ -17,18 +17,21 @@ class AuthSessionState(StrEnum):
 
 
 class AuthSessionBase(BaseModel):
-    pres_exch_id: str
+    pres_exch_id: str | None = None  # Optional for connection-based flow
     expired_timestamp: datetime = Field(
-        default=datetime.now()
+        default_factory=lambda: datetime.now(UTC)
         + timedelta(seconds=settings.CONTROLLER_PRESENTATION_EXPIRE_TIME)
     )
     ver_config_id: str
     request_parameters: dict
     pyop_auth_code: str
     response_url: str
     presentation_request_msg: dict | None = None
+    connection_id: str | None = None  # Track connection ID
+    proof_request: dict | None = None  # Store proof request for later use
+    multi_use: bool = False  # Track if connection is multi-use (default: single-use)
     model_config = ConfigDict(populate_by_name=True)
-    created_at: datetime = Field(default_factory=datetime.utcnow)
+    created_at: datetime = Field(default_factory=lambda: datetime.now(UTC))
 
 
 class AuthSession(AuthSessionBase, UUIDModel):

oidc-controller/api/authSessions/tests/__init__.py

@@ -0,0 +1 @@
+"""AuthSession tests package."""