The self-issued token used in the VP flow carries an access_token (JWT) which MUST have a jti field. This field is currently not checked when the token is used to retrieve a verifiable presentation, so the requesting party can replay the same access_token and retrieve the presentation multiple times.
To mitigate this, the jti must be logged in a database table and marked as used the first time the access_token is used; any later request carrying the same jti must be rejected.
Acceptance Criteria
[x] New database table to hold the jti values and their status (use a new migration to create the table)
[x] The necessary business logic to reject a request which tries to re-use an access_token whose jti is already marked as used
[x] The necessary business logic to add the jti to the database table whenever an access_token is created OR passed through via the /token endpoint.
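The following is an added example, not code from this project, showing the single-use jti registry the acceptance criteria describe: a row is inserted when the access_token is minted or passed through /token, and the first presentation request atomically flips it to used so a replayed token is rejected. Table and column names, the sqlite3 backend, and the assumption that the JWT has already been signature-verified and decoded into a dict are all choices made for this example; it also goes slightly beyond the issue by rejecting tokens past their exp and by pruning expired rows.

```python
import sqlite3
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenUseResult:
    accepted: bool
    reason: str


class JtiStore:
    """Single-use registry for access_token jti values (constructed example).

    One row per jti. A row is created on issuance (or /token pass-through) and
    marked used=1 the first time the token is redeemed for a presentation.
    """

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        # Hypothetical schema; in the project this would live in a migration.
        self.conn.execute(
            """CREATE TABLE IF NOT EXISTS access_token_jti (
                   jti     TEXT PRIMARY KEY,
                   exp     INTEGER NOT NULL,
                   used    INTEGER NOT NULL DEFAULT 0,
                   used_at INTEGER
               )"""
        )
        self.conn.commit()

    def register(self, jti: str, exp: int) -> None:
        """Record a freshly created or passed-through token."""
        # INSERT OR IGNORE: seeing the same jti again must never reset its status.
        self.conn.execute(
            "INSERT OR IGNORE INTO access_token_jti (jti, exp) VALUES (?, ?)",
            (jti, exp),
        )
        self.conn.commit()

    def consume(self, jti: str, now: Optional[int] = None) -> TokenUseResult:
        """Claim the jti for a presentation request; only the first caller wins."""
        now = int(time.time()) if now is None else now
        # Conditional UPDATE is the atomic check-and-set: two concurrent requests
        # with the same jti cannot both see rowcount == 1.
        cur = self.conn.execute(
            "UPDATE access_token_jti SET used = 1, used_at = ? "
            "WHERE jti = ? AND used = 0 AND exp > ?",
            (now, jti, now),
        )
        self.conn.commit()
        if cur.rowcount == 1:
            return TokenUseResult(True, "ok")
        # Claim failed: work out why, for logging and the error response.
        row = self.conn.execute(
            "SELECT used, exp FROM access_token_jti WHERE jti = ?", (jti,)
        ).fetchone()
        if row is None:
            return TokenUseResult(False, "unknown jti")
        if row[0] == 1:
            return TokenUseResult(False, "jti already used")
        return TokenUseResult(False, "token expired")

    def purge_expired(self, now: Optional[int] = None) -> int:
        """Drop rows whose token can no longer be presented; returns rows deleted."""
        now = int(time.time()) if now is None else now
        cur = self.conn.execute("DELETE FROM access_token_jti WHERE exp <= ?", (now,))
        self.conn.commit()
        return cur.rowcount


def validate_and_consume(store: JtiStore, claims: dict,
                         now: Optional[int] = None) -> TokenUseResult:
    """Gate for the presentation endpoint. `claims` is the already-verified
    JWT payload; a token without a jti is rejected outright (the field is MUST)."""
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return TokenUseResult(False, "missing jti")
    return store.consume(jti, now)


if __name__ == "__main__":
    store = JtiStore(sqlite3.connect(":memory:"))
    store.register("tok-1", exp=2000)          # issued via /token
    print(validate_and_consume(store, {"jti": "tok-1", "exp": 2000}, now=1000))
    print(validate_and_consume(store, {"jti": "tok-1", "exp": 2000}, now=1001))
```

The important design point is that the reject decision is made by the conditional UPDATE rather than by a SELECT followed by an UPDATE; with a SELECT-then-UPDATE, two requests racing on the same jti could both read used=0 and both retrieve the presentation, which is exactly the replay the table is meant to stop.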