vtc-service 0.9.5

Service for Verifiable Trust Communities
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

//! `POST /v1/join-requests` — the REST submit adapter (M1.8.1): wire
//! body/response types + auth extraction. The shared orchestration spine
//! ([`crate::join::submit_inner`], also driven by the DIDComm handler and the
//! credential-exchange present path) lives in [`crate::join::orchestrate`].
//!
//! ## Holder binding
//!
//! Phase 1 plan §D4 requires only the holder-binding proof: the
//! signature must verify against the applicant_did's intrinsic
//! Ed25519 public key (did:key only — did:webvh resolution lands
//! in Phase 2).
//!
//! Wire shape:
//!
//! ```text
//! {
//!   "applicantDid": "did:key:z…",
//!   "vp":               { … opaque JSON … },
//!   "registryConsent":  ? bool,
//!   "extensions":       ? object,
//!   "audience":         "<this VTC's did>",
//!   "created":          <unix-seconds>,
//!   "signature":        "<hex Ed25519 signature>"
//! }
//! ```
//!
//! Canonical signing payload:
//!
//! ```text
//! "vtc-join-request/v1\0" || canonical_json({
//!   "applicantDid":     applicant_did,
//!   "vp":               vp,
//!   "registryConsent":  registry_consent (default false),
//!   "extensions":       extensions (default null),
//!   "audience":         audience,
//!   "created":          created,
//! })
//! ```
//!
//! `canonical_json` is just `serde_json::to_vec` on a
//! key-ordered object — sufficient because both sides agree on
//! the field ordering via the typed struct.
//!
//! `audience` (must equal this VTC's `vtc_did`) and `created` (within a
//! short freshness window) are bound into the signature so a captured body
//! can't be replayed against another community or after the window (P0.13).
//! On the DIDComm path the authcrypt envelope authenticates + addresses the
//! sender, so it carries no separate signature/audience/created.

use axum::Json;
use axum::extract::State;
use axum::http::StatusCode;
use serde::{Deserialize, Serialize};
use serde_json::Value as JsonValue;
use uuid::Uuid;

use vti_common::error::AppError;

use crate::join::{HolderBinding, JoinTransport, submit_inner};
use crate::server::AppState;

#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
#[derive(utoipa::ToSchema)]
pub struct SubmitRequestBody {
    pub applicant_did: String,
    pub vp: JsonValue,
    #[serde(default)]
    pub registry_consent: bool,
    #[serde(default)]
    pub extensions: JsonValue,
    /// The VTC this submission is addressed to — must equal this VTC's
    /// `vtc_did`. Bound into the holder signature so a body captured for one
    /// community can't be replayed against another (P0.13).
    pub audience: String,
    /// Unix-seconds the applicant signed at. Must be within the join-submit
    /// freshness window of now (small future skew allowed; enforced in
    /// `crate::join::submit_inner`). Bound into the signature so a stale
    /// captured body is rejected (P0.13).
    pub created: i64,
    /// Hex-encoded Ed25519 signature over the canonical payload (which now
    /// includes `audience` + `created`).
    pub signature: String,
}

#[derive(Debug, Serialize)]
#[serde(rename_all = "camelCase")]
#[derive(utoipa::ToSchema)]
pub struct SubmitResponse {
    pub request_id: Uuid,
    pub status: String,
    /// Issued VMC — present only when the join policy **auto-admitted**
    /// (verdict `allow`). The applicant, who proved holder-binding,
    /// receives their membership credential inline. `None` when the
    /// request was queued (`pending`/`deferred`) or rejected.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub vmc: Option<JsonValue>,
    /// Issued role VEC — same delivery story as [`Self::vmc`].
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub role_vec: Option<JsonValue>,
}

/// POST /join-requests — submit a join request. Public: the holder-binding
/// signature (REST) or authcrypt sender (DIDComm) IS the auth.
#[utoipa::path(
    post, path = "/join-requests", tag = "join-requests",
    request_body = SubmitRequestBody,
    responses(
        (status = 201, description = "Join request submitted", body = SubmitResponse),
        (status = 400, description = "Holder-binding / audience / freshness validation failed"),
        (status = 409, description = "An open join request already exists for this applicant"),
    ),
)]
pub async fn submit(
    State(state): State<AppState>,
    Json(req): Json<SubmitRequestBody>,
) -> Result<(StatusCode, Json<SubmitResponse>), AppError> {
    let outcome = submit_inner(
        &state,
        req.applicant_did,
        req.vp,
        req.registry_consent,
        req.extensions,
        Some(HolderBinding {
            signature_hex: &req.signature,
            audience: &req.audience,
            created: req.created,
        }),
        JoinTransport::Rest,
    )
    .await?;

    let (vmc, role_vec) = match &outcome.admit {
        Some(a) => (
            Some(
                serde_json::to_value(&a.vmc)
                    .map_err(|e| AppError::Internal(format!("serialise VMC: {e}")))?,
            ),
            Some(
                serde_json::to_value(&a.role_vec)
                    .map_err(|e| AppError::Internal(format!("serialise VEC: {e}")))?,
            ),
        ),
        None => (None, None),
    };

    Ok((
        StatusCode::CREATED,
        Json(SubmitResponse {
            request_id: outcome.request.id,
            status: outcome.request.status.to_string(),
            vmc,
            role_vec,
        }),
    ))
}