search

digitalbazaar / vc

W3C Verifiable Credentials implementation in JavaScript
BSD 3-Clause "New" or "Revised" License
177 stars 51 forks source link

Ensure README code examples are all runnable #185

Open dlongley opened 4 weeks ago

dlongley commented 4 weeks ago

This will likely include removing and clarifying that when suites are passed for verification, they should not include key pairs (unless key-pinning is desired, which is an advanced case). Similarly, the examples should pass signer APIs (created via keypair.signer(), etc.) instead of passing key pairs for signing directly to encourage this pattern as it supports hiding / not exposing secret key material better.

spetrac commented 4 weeks ago

Because I am new and wanted to explore the options, I started with the first README example:

import vc from '@digitalbazaar/vc';

// Required to set up a suite instance with private key
import {Ed25519VerificationKey2020} from '@digitalbazaar/ed25519-verification-key-2020';
import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';

const keyPair = await Ed25519VerificationKey2020.generate();

const suite = new Ed25519Signature2020({key: keyPair});

The first error was, that @digitalbazaar/vc has no default export, so the following import worked for me:

import * as vc from '@digitalbazaar/vc';

// [...]

Then to create my first VC, I used the code below:

// Sample unsigned credential
const credential = {
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "https://example.com/credentials/1872",
  "type": ["VerifiableCredential", "AlumniCredential"],
  "issuer": "https://example.edu/issuers/565049",
  "issuanceDate": "2010-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "alumniOf": "Example University"
  }
};

const signedVC = await vc.issue({credential, suite, documentLoader});
console.log(JSON.stringify(signedVC, null, 2));

The problem with that was the documentLoader, which was not declared anywhere except in the custom documentLoader section. I re-engineered the code from jsonld-signatures and created the following simple documentLoader (which should not be used from a security perspective but works for the moment) that would preceed the above code:

const contexts = Object.create(null);

async function documentLoader(url) {
  if (!contexts[url]) {
    try {
      const response = await fetch(url)
      const document = await response.json()
      if (!document['@context']) throw new Error('invalid ContextDocument')
      contexts[url] = document
    } catch (err) {
      console.error(err)
      return defaultDocumentLoader(url)
    }
  }
  return { documentUrl: url, document: contexts[url] }
}

After all this, I still got the following error:

TypeError: "suite.verificationMethod" property is required.
    at Module.issue (file:///./node_modules/@digitalbazaar/vc/lib/index.js:123:11)
    at <anonymous> (./temp-sample.ts:44:27)

To just see a first result, I added the following before issuing the VC:

suite.verificationMethod = () => true;

This is obviously not the way it is meant to be, but I could also not find any documentation of the verificationMethod, how it is used and if I have to add it somewhere or this was an internal error.

davidlehn commented 4 weeks ago

Related to this are recent updates to an example script to issue and verify a VC and VP: https://github.com/digitalbazaar/vc/pull/162. The readme examples should be fixed as is, and it might be good to additionally add examples using the newer data integrity support.