The self-issued token used in the VP flow carries an access_token (JWT) which MUST have a jti field. This field is currently not checked, when the token is used to retrieve a verifiable presentation. This would enable the requesting party to retrieve the presentation multiple times.
To mitigate this, the jti must be logged in a database table and marked as used when the access_token is used.
Acceptance Criteria
[x] New database table to hold the jti values and their status (use a new migration to create the table)
[x] The necessary business logic to reject a request which tries to re-use an access_token with an expired jti
[x] The necessary business logic to add the jti to a database table whenever an access_token is created OR passed through via the /token endpoint.
Description
The self-issued token used in the VP flow carries an
access_token(JWT) which MUST have ajtifield. This field is currently not checked, when the token is used to retrieve a verifiable presentation. This would enable the requesting party to retrieve the presentation multiple times. To mitigate this, thejtimust be logged in a database table and marked asusedwhen theaccess_tokenis used.Acceptance Criteria
jtivalues and their status (use a new migration to create the table)access_tokenwith an expiredjtijtito a database table whenever anaccess_tokenis created OR passed through via the/tokenendpoint.