fix: Add DID deactivation check for credential issuing [DEV-3136]

src/controllers/credentials.ts

@@ -6,6 +6,8 @@ import { check, query, validationResult } from 'express-validator';
 
 import { Credentials } from '../services/credentials.js';
 import { IdentityServiceStrategySetup } from '../services/identity/index.js';
+import InvalidTokenError from "jwt-decode";
+import jwt_decode from 'jwt-decode';
 
 export class CredentialController {
 	public static issueValidator = [
@@ -101,6 +103,13 @@ export class CredentialController {
 			request.body['@context'] = [request.body['@context']];
 		}
 
+		const resolvedResult = await new IdentityServiceStrategySetup(response.locals.customerId).agent.resolveDid(request.body.issuerDid);
+		if (!resolvedResult?.didDocument || resolvedResult.didDocumentMetadata.deactivated) {
+			return response.status(StatusCodes.BAD_REQUEST).send({
+				error: `${request.body.issuerDid} is either Deactivated or Not found`,
+			});
+		}
+
 		try {
 			const credential: VerifiableCredential = await Credentials.instance.issue_credential(
 				request.body,
@@ -136,6 +145,12 @@ export class CredentialController {
 	 *         schema:
 	 *           type: boolean
 	 *           default: false
+	 *       - in: query
+	 *         name: allowDeactivatedDid
+	 *         description: If set to `true` allow to verify credential which based on deactivated DID.
+	 *         schema:
+	 *           type: boolean
+	 *           default: false
 	 *     requestBody:
 	 *       content:
 	 *         application/x-www-form-urlencoded:
@@ -165,7 +180,35 @@ export class CredentialController {
 		}
 
 		const { credential, policies } = request.body;
-		const verifyStatus = request.query.verifyStatus === 'true' ? true : false;
+		const verifyStatus = request.query.verifyStatus === 'true';
+		const allowDeactivatedDid = request.query.allowDeactivatedDid === "true";
+
+		let issuerDid = "";
+		let decoded: any;
+
+		if (credential.issuer?.id) {
+			issuerDid = credential.issuer.id;
+		} else {
+			try {
+				decoded = jwt_decode(credential);
+				issuerDid = decoded.iss;
+			} catch (e) {
+				// If it's not a JWT - just skip it
+				if (!(e instanceof InvalidTokenError)) {
+					throw e;
+				}
+			}
+		}
+
+		if (!allowDeactivatedDid) {
+			const result = await new IdentityServiceStrategySetup(response.locals.customerId).agent.resolveDid(issuerDid);
+			if (!result?.didDocument || result.didDocumentMetadata.deactivated) {
+				return response.status(StatusCodes.BAD_REQUEST).send({
+					error: `${issuerDid} is either Deactivated or Not found`,
+				});
+			}
+		}
+
 		try {
 			const result = await new IdentityServiceStrategySetup(response.locals.customerId).agent.verifyCredential(
 				credential,
@@ -394,6 +437,12 @@ export class CredentialController {
 	 *         schema:
 	 *           type: boolean
 	 *           default: false
+	 *       - in: query
+	 *         name: allowDeactivatedDid
+	 *         description: If set to `true` allow to verify credential which based on deactivated DID.
+	 *         schema:
+	 *           type: boolean
+	 *           default: false
 	 *     requestBody:
 	 *       content:
 	 *         application/x-www-form-urlencoded:
@@ -423,7 +472,35 @@ export class CredentialController {
 		}
 
 		const { presentation, verifierDid, policies } = request.body;
-		const verifyStatus = request.query.verifyStatus === 'true' ? true : false;
+		const verifyStatus = request.query.verifyStatus === 'true';
+		const allowDeactivatedDid = request.query.allowDeactivatedDid === "true";
+
+		let issuerDid = "";
+		let decoded: any;
+
+		if (presentation.issuer?.id) {
+			issuerDid = presentation.issuer.id;
+		} else {
+			try {
+				decoded = jwt_decode(presentation);
+				issuerDid = decoded.iss;
+			} catch (e) {
+				// If it's not a JWT - just skip it
+				if (!(e instanceof InvalidTokenError)) {
+					throw e;
+				}
+			}
+		}
+
+		if (!allowDeactivatedDid) {
+			const result = await new IdentityServiceStrategySetup(response.locals.customerId).agent.resolveDid(issuerDid);
+			if (!result?.didDocument || result.didDocumentMetadata.deactivated) {
+				return response.status(StatusCodes.BAD_REQUEST).send({
+					error: `${issuerDid} is either Deactivated or Not found`,
+				});
+			}
+		}
+
 		try {
 			const result = await new IdentityServiceStrategySetup(response.locals.customerId).agent.verifyPresentation(
 				presentation,

src/static/swagger.json

@@ -97,6 +97,15 @@
               "type": "boolean",
               "default": false
             }
+          },
+          {
+            "in": "query",
+            "name": "allowDeactivatedDid",
+            "description": "If set to `true` allow to verify credential which based on deactivated DID.",
+            "schema": {
+              "type": "boolean",
+              "default": false
+            }
           }
         ],
         "requestBody": {
@@ -329,6 +338,15 @@
               "type": "boolean",
               "default": false
             }
+          },
+          {
+            "in": "query",
+            "name": "allowDeactivatedDid",
+            "description": "If set to `true` allow to verify credential which based on deactivated DID.",
+            "schema": {
+              "type": "boolean",
+              "default": false
+            }
           }
         ],
         "requestBody": {