did-jwt-vc - npm Package Compare versions

Comparing version 2.1.14 to 3.0.0

lib/index.d.ts

 import { Resolvable } from 'did-resolver';
-import { JwtCredentialPayload, Issuer, JwtPresentationPayload, JWT, VerifiablePresentation, VerifiableCredential, CredentialPayload, PresentationPayload, Verifiable, W3CCredential, W3CPresentation, VerifiedCredential, VerifiedPresentation, VerifyPresentationOptions, CreatePresentationOptions, CreateCredentialOptions, VerifyCredentialOptions } from './types';
-import { transformCredentialInput, transformPresentationInput, normalizeCredential, normalizePresentation } from './converters';
-export { Issuer, CredentialPayload, PresentationPayload, JwtCredentialPayload, JwtPresentationPayload, VerifiableCredential, VerifiablePresentation, VerifiedCredential, VerifiedPresentation, Verifiable, W3CCredential, W3CPresentation, transformCredentialInput, transformPresentationInput, normalizeCredential, normalizePresentation, };
+import { CreateCredentialOptions, CreatePresentationOptions, CredentialPayload, Issuer, JWT, JwtCredentialPayload, JwtPresentationPayload, PresentationPayload, Verifiable, VerifiableCredential, VerifiablePresentation, VerifiedCredential, VerifiedPresentation, VerifyCredentialOptions, VerifyCredentialPolicies, VerifyPresentationOptions, W3CCredential, W3CPresentation } from './types';
+import { normalizeCredential, normalizePresentation, transformCredentialInput, transformPresentationInput } from './converters';
+import { VC_JWT_ERROR } from './errors';
+export { Issuer, CredentialPayload, PresentationPayload, JwtCredentialPayload, JwtPresentationPayload, VerifiableCredential, VerifiablePresentation, VerifiedCredential, VerifiedPresentation, Verifiable, W3CCredential, W3CPresentation, transformCredentialInput, transformPresentationInput, normalizeCredential, normalizePresentation, VC_JWT_ERROR, };
+export { CreateCredentialOptions, CreatePresentationOptions, VerifyCredentialOptions, VerifyCredentialPolicies, VerifyPresentationOptions, };
 /**
@@ -9,3 +11,4 @@ * Creates a VerifiableCredential given a `CredentialPayload` or `JwtCredentialPayload` and an `Issuer`.
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -15,4 +18,5 @@ *
  *
- * @param payload `CredentialPayload` or `JwtCredentialPayload`
- * @param issuer `Issuer` the DID, signer and algorithm that will sign the token
+ * @param payload - `CredentialPayload` or `JwtCredentialPayload`
+ * @param issuer - `Issuer` the DID, signer and algorithm that will sign the token
+ * @param options - Use these options to tweak the creation of the JWT Credential. These are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable credential or rejects with `TypeError` if the
@@ -26,3 +30,4 @@ * `payload` is not W3C compliant
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -32,5 +37,6 @@ *
  *
- * @param payload `PresentationPayload` or `JwtPresentationPayload`
- * @param holder `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
- * @param options `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload
+ * @param payload - `PresentationPayload` or `JwtPresentationPayload`
+ * @param holder - `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
+ * @param options - `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload. These
+ *   options are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable presentation or rejects with `TypeError` if the
@@ -49,4 +55,6 @@ * `payload` is not W3C compliant
  * W3C compliant
- * @param vc the credential to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document of the JWT issuer
+ * @param vc - the credential to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document
+ *   of the JWT issuer
+ * @param options - optional tweaks to the verification process. These are forwarded to did-jwt.
  */
@@ -57,4 +65,4 @@ export declare function verifyCredential(vc: JWT, resolver: Resolvable, options?: VerifyCredentialOptions): Promise<VerifiedCredential>;
  *
- * @param payload the JwtPresentationPayload to verify against
- * @param options the VerifyPresentationOptions that contain the optional values to verify.
+ * @param payload - the JwtPresentationPayload to verify against
+ * @param options - the VerifyPresentationOptions that contain the optional values to verify.
  * @throws {Error} If VerifyPresentationOptions are not satisfied
@@ -68,7 +76,8 @@ */
  * not W3C compliant or the VerifyPresentationOptions are not satisfied.
- * @param presentation the presentation to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of the JWT issuer (presentation holder)
- * @param options optional verification options that need to be satisfied
+ * @param presentation - the presentation to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of
+ *   the JWT issuer (presentation holder)
+ * @param options - optional verification options that need to be satisfied. These are also forwarded to did-jwt.
  */
 export declare function verifyPresentation(presentation: JWT, resolver: Resolvable, options?: VerifyPresentationOptions): Promise<VerifiedPresentation>;
 //# sourceMappingURL=index.d.ts.map

lib/index.modern.js

@@ -633,3 +633,5 @@ import { decodeJWT, createJWT, verifyJWT } from 'did-jwt';
   if (typeof value === 'string' && !value.match(JWT_FORMAT)) {
-    throw new TypeError(`"${value}" is not a valid JWT format`);
+    throw new TypeError(`${"format_error"
+    /* VC_ERROR.FORMAT_ERROR */
+    }: "${value}" is not a valid JWT format`);
   }
@@ -647,3 +649,5 @@ } // The main scenario we want to guard against is having a timestamp in milliseconds
     if (!(Number.isInteger(value) && value < 100000000000)) {
-      throw new TypeError(`"${value}" is not a unix timestamp in seconds`);
+      throw new TypeError(`${"schema_error"
+      /* VC_ERROR.SCHEMA_ERROR */
+      }: "${value}" is not a unix timestamp in seconds`);
     }
@@ -653,3 +657,5 @@ } else if (typeof value === 'string') {
   } else if (!isDateObject(value)) {
-    throw new TypeError(`"${value}" is not a valid time`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: "${value}" is not a valid time`);
   }
@@ -661,3 +667,5 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_CONTEXT) === -1) {
-    throw new TypeError(`@context is missing default context "${DEFAULT_CONTEXT}"`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: @context is missing default context "${DEFAULT_CONTEXT}"`);
   }
@@ -669,3 +677,5 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_VC_TYPE) === -1) {
-    throw new TypeError(`type is missing default "${DEFAULT_VC_TYPE}"`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: type is missing default "${DEFAULT_VC_TYPE}"`);
   }
@@ -677,3 +687,5 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_VP_TYPE) === -1) {
-    throw new TypeError(`type is missing default "${DEFAULT_VP_TYPE}"`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: type is missing default "${DEFAULT_VP_TYPE}"`);
   }
@@ -683,3 +695,5 @@ }
   if (Object.keys(value).length === 0) {
-    throw new TypeError('credentialSubject must not be empty');
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: credentialSubject must not be empty`);
   }
@@ -692,3 +706,4 @@ }
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -698,4 +713,5 @@ *
  *
- * @param payload `CredentialPayload` or `JwtCredentialPayload`
- * @param issuer `Issuer` the DID, signer and algorithm that will sign the token
+ * @param payload - `CredentialPayload` or `JwtCredentialPayload`
+ * @param issuer - `Issuer` the DID, signer and algorithm that will sign the token
+ * @param options - Use these options to tweak the creation of the JWT Credential. These are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable credential or rejects with `TypeError` if the
@@ -724,3 +740,4 @@ * `payload` is not W3C compliant
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -730,5 +747,6 @@ *
  *
- * @param payload `PresentationPayload` or `JwtPresentationPayload`
- * @param holder `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
- * @param options `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload
+ * @param payload - `PresentationPayload` or `JwtPresentationPayload`
+ * @param holder - `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
+ * @param options - `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload. These
+ *   options are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable presentation or rejects with `TypeError` if the
@@ -815,12 +833,29 @@ * `payload` is not W3C compliant
  * W3C compliant
- * @param vc the credential to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document of the JWT issuer
+ * @param vc - the credential to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document
+ *   of the JWT issuer
+ * @param options - optional tweaks to the verification process. These are forwarded to did-jwt.
  */
 
 async function verifyCredential(vc, resolver, options = {}) {
+  var _options, _options$policies, _options2, _options2$policies, _options3, _options4, _options5, _options5$policies;
+
+  const nbf = ((_options = options) == null ? void 0 : (_options$policies = _options.policies) == null ? void 0 : _options$policies.issuanceDate) === false ? false : undefined;
+  const exp = ((_options2 = options) == null ? void 0 : (_options2$policies = _options2.policies) == null ? void 0 : _options2$policies.expirationDate) === false ? false : undefined;
+  options = _extends({}, options, {
+    policies: _extends({}, (_options3 = options) == null ? void 0 : _options3.policies, {
+      nbf,
+      exp,
+      iat: nbf
+    })
+  });
   const verified = await verifyJWT(vc, _extends({
     resolver
   }, options));
-  verified.verifiableCredential = normalizeCredential(verified.jwt, options == null ? void 0 : options.removeOriginalFields);
-  validateCredentialPayload(verified.verifiableCredential);
+  verified.verifiableCredential = normalizeCredential(verified.jwt, (_options4 = options) == null ? void 0 : _options4.removeOriginalFields);
+
+  if (((_options5 = options) == null ? void 0 : (_options5$policies = _options5.policies) == null ? void 0 : _options5$policies.format) !== false) {
+    validateCredentialPayload(verified.verifiableCredential);
+  }
+
   return verified;
@@ -831,4 +866,4 @@ }
  *
- * @param payload the JwtPresentationPayload to verify against
- * @param options the VerifyPresentationOptions that contain the optional values to verify.
+ * @param payload - the JwtPresentationPayload to verify against
+ * @param options - the VerifyPresentationOptions that contain the optional values to verify.
  * @throws {Error} If VerifyPresentationOptions are not satisfied
@@ -839,7 +874,9 @@ */
   if (options.challenge && options.challenge !== payload.nonce) {
-    throw new Error(`Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`);
+    throw new Error(`${"auth_error"
+    /* VC_ERROR.AUTH_ERROR */
+    }: Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`);
   }
 
   if (options.domain) {
-    // aud might be array
+    // aud might be an array
     let matchedAudience;
@@ -853,3 +890,5 @@
     if (typeof matchedAudience === 'undefined') {
-      throw new Error(`Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`);
+      throw new Error(`${"auth_error"
+      /* VC_ERROR.AUTH_ERROR */
+      }: Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`);
     }
@@ -863,8 +902,22 @@ }
  * not W3C compliant or the VerifyPresentationOptions are not satisfied.
- * @param presentation the presentation to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of the JWT issuer (presentation holder)
- * @param options optional verification options that need to be satisfied
+ * @param presentation - the presentation to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of
+ *   the JWT issuer (presentation holder)
+ * @param options - optional verification options that need to be satisfied. These are also forwarded to did-jwt.
  */
 
 async function verifyPresentation(presentation, resolver, options = {}) {
+  var _options6, _options6$policies, _options7, _options7$policies, _options8, _options9, _options10, _options10$policies;
+
+  const nbf = ((_options6 = options) == null ? void 0 : (_options6$policies = _options6.policies) == null ? void 0 : _options6$policies.issuanceDate) === false ? false : undefined;
+  const exp = ((_options7 = options) == null ? void 0 : (_options7$policies = _options7.policies) == null ? void 0 : _options7$policies.expirationDate) === false ? false : undefined;
+  options = _extends({
+    audience: options.domain
+  }, options, {
+    policies: _extends({}, (_options8 = options) == null ? void 0 : _options8.policies, {
+      nbf,
+      exp,
+      iat: nbf
+    })
+  });
   const verified = await verifyJWT(presentation, _extends({
@@ -874,4 +927,8 @@ resolver
   verifyPresentationPayloadOptions(verified.payload, options);
-  verified.verifiablePresentation = normalizePresentation(verified.jwt, options == null ? void 0 : options.removeOriginalFields);
-  validatePresentationPayload(verified.verifiablePresentation);
+  verified.verifiablePresentation = normalizePresentation(verified.jwt, (_options9 = options) == null ? void 0 : _options9.removeOriginalFields);
+
+  if (((_options10 = options) == null ? void 0 : (_options10$policies = _options10.policies) == null ? void 0 : _options10$policies.format) !== false) {
+    validatePresentationPayload(verified.verifiablePresentation);
+  }
+
   return verified;
@@ -878,0 +935,0 @@ }

lib/index.module.js

@@ -608,3 +608,5 @@ import { decodeJWT, verifyJWT, createJWT } from 'did-jwt';
   if (typeof value === 'string' && !value.match(JWT_FORMAT)) {
-    throw new TypeError(`"${value}" is not a valid JWT format`);
+    throw new TypeError(`${"format_error"
+    /* VC_ERROR.FORMAT_ERROR */
+    }: "${value}" is not a valid JWT format`);
   }
@@ -622,3 +624,5 @@ } // The main scenario we want to guard against is having a timestamp in milliseconds
     if (!(Number.isInteger(value) && value < 100000000000)) {
-      throw new TypeError(`"${value}" is not a unix timestamp in seconds`);
+      throw new TypeError(`${"schema_error"
+      /* VC_ERROR.SCHEMA_ERROR */
+      }: "${value}" is not a unix timestamp in seconds`);
     }
@@ -628,3 +632,5 @@ } else if (typeof value === 'string') {
   } else if (!isDateObject(value)) {
-    throw new TypeError(`"${value}" is not a valid time`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: "${value}" is not a valid time`);
   }
@@ -636,3 +642,5 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_CONTEXT) === -1) {
-    throw new TypeError(`@context is missing default context "${DEFAULT_CONTEXT}"`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: @context is missing default context "${DEFAULT_CONTEXT}"`);
   }
@@ -644,3 +652,5 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_VC_TYPE) === -1) {
-    throw new TypeError(`type is missing default "${DEFAULT_VC_TYPE}"`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: type is missing default "${DEFAULT_VC_TYPE}"`);
   }
@@ -652,3 +662,5 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_VP_TYPE) === -1) {
-    throw new TypeError(`type is missing default "${DEFAULT_VP_TYPE}"`);
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: type is missing default "${DEFAULT_VP_TYPE}"`);
   }
@@ -658,3 +670,5 @@ }
   if (Object.keys(value).length === 0) {
-    throw new TypeError('credentialSubject must not be empty');
+    throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: credentialSubject must not be empty`);
   }
@@ -668,8 +682,22 @@ }
  * not W3C compliant or the VerifyPresentationOptions are not satisfied.
- * @param presentation the presentation to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of the JWT issuer (presentation holder)
- * @param options optional verification options that need to be satisfied
+ * @param presentation - the presentation to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of
+ *   the JWT issuer (presentation holder)
+ * @param options - optional verification options that need to be satisfied. These are also forwarded to did-jwt.
  */
 const verifyPresentation = function (presentation, resolver, options = {}) {
   try {
+    var _options6, _options6$policies, _options7, _options7$policies, _options8;
+
+    const nbf = ((_options6 = options) == null ? void 0 : (_options6$policies = _options6.policies) == null ? void 0 : _options6$policies.issuanceDate) === false ? false : undefined;
+    const exp = ((_options7 = options) == null ? void 0 : (_options7$policies = _options7.policies) == null ? void 0 : _options7$policies.expirationDate) === false ? false : undefined;
+    options = {
+      audience: options.domain,
+      ...options,
+      policies: { ...((_options8 = options) == null ? void 0 : _options8.policies),
+        nbf,
+        exp,
+        iat: nbf
+      }
+    };
     return Promise.resolve(verifyJWT(presentation, {
@@ -679,5 +707,11 @@ resolver,
     })).then(function (verified) {
+      var _options9, _options10, _options10$policies;
+
       verifyPresentationPayloadOptions(verified.payload, options);
-      verified.verifiablePresentation = normalizePresentation(verified.jwt, options == null ? void 0 : options.removeOriginalFields);
-      validatePresentationPayload(verified.verifiablePresentation);
+      verified.verifiablePresentation = normalizePresentation(verified.jwt, (_options9 = options) == null ? void 0 : _options9.removeOriginalFields);
+
+      if (((_options10 = options) == null ? void 0 : (_options10$policies = _options10.policies) == null ? void 0 : _options10$policies.format) !== false) {
+        validatePresentationPayload(verified.verifiablePresentation);
+      }
+
       return verified;
@@ -695,7 +729,20 @@ });
  * W3C compliant
- * @param vc the credential to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document of the JWT issuer
+ * @param vc - the credential to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document
+ *   of the JWT issuer
+ * @param options - optional tweaks to the verification process. These are forwarded to did-jwt.
  */
 const verifyCredential = function (vc, resolver, options = {}) {
   try {
+    var _options, _options$policies, _options2, _options2$policies, _options3;
+
+    const nbf = ((_options = options) == null ? void 0 : (_options$policies = _options.policies) == null ? void 0 : _options$policies.issuanceDate) === false ? false : undefined;
+    const exp = ((_options2 = options) == null ? void 0 : (_options2$policies = _options2.policies) == null ? void 0 : _options2$policies.expirationDate) === false ? false : undefined;
+    options = { ...options,
+      policies: { ...((_options3 = options) == null ? void 0 : _options3.policies),
+        nbf,
+        exp,
+        iat: nbf
+      }
+    };
     return Promise.resolve(verifyJWT(vc, {
@@ -705,4 +752,10 @@ resolver,
     })).then(function (verified) {
-      verified.verifiableCredential = normalizeCredential(verified.jwt, options == null ? void 0 : options.removeOriginalFields);
-      validateCredentialPayload(verified.verifiableCredential);
+      var _options4, _options5, _options5$policies;
+
+      verified.verifiableCredential = normalizeCredential(verified.jwt, (_options4 = options) == null ? void 0 : _options4.removeOriginalFields);
+
+      if (((_options5 = options) == null ? void 0 : (_options5$policies = _options5.policies) == null ? void 0 : _options5$policies.format) !== false) {
+        validateCredentialPayload(verified.verifiableCredential);
+      }
+
       return verified;
@@ -717,4 +770,4 @@ });
  *
- * @param payload the JwtPresentationPayload to verify against
- * @param options the VerifyPresentationOptions that contain the optional values to verify.
+ * @param payload - the JwtPresentationPayload to verify against
+ * @param options - the VerifyPresentationOptions that contain the optional values to verify.
  * @throws {Error} If VerifyPresentationOptions are not satisfied
@@ -727,3 +780,4 @@ */
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -733,5 +787,6 @@ *
  *
- * @param payload `PresentationPayload` or `JwtPresentationPayload`
- * @param holder `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
- * @param options `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload
+ * @param payload - `PresentationPayload` or `JwtPresentationPayload`
+ * @param holder - `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
+ * @param options - `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload. These
+ *   options are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable presentation or rejects with `TypeError` if the
@@ -775,3 +830,4 @@ * `payload` is not W3C compliant
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -781,4 +837,5 @@ *
  *
- * @param payload `CredentialPayload` or `JwtCredentialPayload`
- * @param issuer `Issuer` the DID, signer and algorithm that will sign the token
+ * @param payload - `CredentialPayload` or `JwtCredentialPayload`
+ * @param issuer - `Issuer` the DID, signer and algorithm that will sign the token
+ * @param options - Use these options to tweak the creation of the JWT Credential. These are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable credential or rejects with `TypeError` if the
@@ -854,7 +911,9 @@ * `payload` is not W3C compliant
   if (options.challenge && options.challenge !== payload.nonce) {
-    throw new Error(`Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`);
+    throw new Error(`${"auth_error"
+    /* VC_ERROR.AUTH_ERROR */
+    }: Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`);
   }
 
   if (options.domain) {
-    // aud might be array
+    // aud might be an array
     let matchedAudience;
@@ -868,3 +927,5 @@
     if (typeof matchedAudience === 'undefined') {
-      throw new Error(`Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`);
+      throw new Error(`${"auth_error"
+      /* VC_ERROR.AUTH_ERROR */
+      }: Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`);
     }
@@ -871,0 +932,0 @@ }

lib/index.umd.js

@@ -611,3 +611,5 @@ (function (global, factory) {
     if (typeof value === 'string' && !value.match(JWT_FORMAT)) {
-      throw new TypeError(`"${value}" is not a valid JWT format`);
+      throw new TypeError(`${"format_error"
+    /* VC_ERROR.FORMAT_ERROR */
+    }: "${value}" is not a valid JWT format`);
     }
@@ -625,3 +627,5 @@ } // The main scenario we want to guard against is having a timestamp in milliseconds
       if (!(Number.isInteger(value) && value < 100000000000)) {
-        throw new TypeError(`"${value}" is not a unix timestamp in seconds`);
+        throw new TypeError(`${"schema_error"
+      /* VC_ERROR.SCHEMA_ERROR */
+      }: "${value}" is not a unix timestamp in seconds`);
       }
@@ -631,3 +635,5 @@ } else if (typeof value === 'string') {
     } else if (!isDateObject(value)) {
-      throw new TypeError(`"${value}" is not a valid time`);
+      throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: "${value}" is not a valid time`);
     }
@@ -639,3 +645,5 @@ }
     if (input.length < 1 || input.indexOf(DEFAULT_CONTEXT) === -1) {
-      throw new TypeError(`@context is missing default context "${DEFAULT_CONTEXT}"`);
+      throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: @context is missing default context "${DEFAULT_CONTEXT}"`);
     }
@@ -647,3 +655,5 @@ }
     if (input.length < 1 || input.indexOf(DEFAULT_VC_TYPE) === -1) {
-      throw new TypeError(`type is missing default "${DEFAULT_VC_TYPE}"`);
+      throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: type is missing default "${DEFAULT_VC_TYPE}"`);
     }
@@ -655,3 +665,5 @@ }
     if (input.length < 1 || input.indexOf(DEFAULT_VP_TYPE) === -1) {
-      throw new TypeError(`type is missing default "${DEFAULT_VP_TYPE}"`);
+      throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: type is missing default "${DEFAULT_VP_TYPE}"`);
     }
@@ -661,3 +673,5 @@ }
     if (Object.keys(value).length === 0) {
-      throw new TypeError('credentialSubject must not be empty');
+      throw new TypeError(`${"schema_error"
+    /* VC_ERROR.SCHEMA_ERROR */
+    }: credentialSubject must not be empty`);
     }
@@ -671,8 +685,22 @@ }
    * not W3C compliant or the VerifyPresentationOptions are not satisfied.
-   * @param presentation the presentation to be verified. Currently only the JWT encoding is supported by this library
-   * @param resolver a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of the JWT issuer (presentation holder)
-   * @param options optional verification options that need to be satisfied
+   * @param presentation - the presentation to be verified. Currently only the JWT encoding is supported by this library
+   * @param resolver - a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of
+   *   the JWT issuer (presentation holder)
+   * @param options - optional verification options that need to be satisfied. These are also forwarded to did-jwt.
    */
   const verifyPresentation = function (presentation, resolver, options = {}) {
     try {
+      var _options6, _options6$policies, _options7, _options7$policies, _options8;
+
+      const nbf = ((_options6 = options) == null ? void 0 : (_options6$policies = _options6.policies) == null ? void 0 : _options6$policies.issuanceDate) === false ? false : undefined;
+      const exp = ((_options7 = options) == null ? void 0 : (_options7$policies = _options7.policies) == null ? void 0 : _options7$policies.expirationDate) === false ? false : undefined;
+      options = {
+        audience: options.domain,
+        ...options,
+        policies: { ...((_options8 = options) == null ? void 0 : _options8.policies),
+          nbf,
+          exp,
+          iat: nbf
+        }
+      };
       return Promise.resolve(didJwt.verifyJWT(presentation, {
@@ -682,5 +710,11 @@ resolver,
       })).then(function (verified) {
+        var _options9, _options10, _options10$policies;
+
         verifyPresentationPayloadOptions(verified.payload, options);
-        verified.verifiablePresentation = normalizePresentation(verified.jwt, options == null ? void 0 : options.removeOriginalFields);
-        validatePresentationPayload(verified.verifiablePresentation);
+        verified.verifiablePresentation = normalizePresentation(verified.jwt, (_options9 = options) == null ? void 0 : _options9.removeOriginalFields);
+
+        if (((_options10 = options) == null ? void 0 : (_options10$policies = _options10.policies) == null ? void 0 : _options10$policies.format) !== false) {
+          validatePresentationPayload(verified.verifiablePresentation);
+        }
+
         return verified;
@@ -698,7 +732,20 @@ });
    * W3C compliant
-   * @param vc the credential to be verified. Currently only the JWT encoding is supported by this library
-   * @param resolver a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document of the JWT issuer
+   * @param vc - the credential to be verified. Currently only the JWT encoding is supported by this library
+   * @param resolver - a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document
+   *   of the JWT issuer
+   * @param options - optional tweaks to the verification process. These are forwarded to did-jwt.
    */
   const verifyCredential = function (vc, resolver, options = {}) {
     try {
+      var _options, _options$policies, _options2, _options2$policies, _options3;
+
+      const nbf = ((_options = options) == null ? void 0 : (_options$policies = _options.policies) == null ? void 0 : _options$policies.issuanceDate) === false ? false : undefined;
+      const exp = ((_options2 = options) == null ? void 0 : (_options2$policies = _options2.policies) == null ? void 0 : _options2$policies.expirationDate) === false ? false : undefined;
+      options = { ...options,
+        policies: { ...((_options3 = options) == null ? void 0 : _options3.policies),
+          nbf,
+          exp,
+          iat: nbf
+        }
+      };
       return Promise.resolve(didJwt.verifyJWT(vc, {
@@ -708,4 +755,10 @@ resolver,
       })).then(function (verified) {
-        verified.verifiableCredential = normalizeCredential(verified.jwt, options == null ? void 0 : options.removeOriginalFields);
-        validateCredentialPayload(verified.verifiableCredential);
+        var _options4, _options5, _options5$policies;
+
+        verified.verifiableCredential = normalizeCredential(verified.jwt, (_options4 = options) == null ? void 0 : _options4.removeOriginalFields);
+
+        if (((_options5 = options) == null ? void 0 : (_options5$policies = _options5.policies) == null ? void 0 : _options5$policies.format) !== false) {
+          validateCredentialPayload(verified.verifiableCredential);
+        }
+
         return verified;
@@ -720,4 +773,4 @@ });
    *
-   * @param payload the JwtPresentationPayload to verify against
-   * @param options the VerifyPresentationOptions that contain the optional values to verify.
+   * @param payload - the JwtPresentationPayload to verify against
+   * @param options - the VerifyPresentationOptions that contain the optional values to verify.
    * @throws {Error} If VerifyPresentationOptions are not satisfied
@@ -730,3 +783,4 @@ */
    * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
-   * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+   * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+   * spec
    * required spec.
@@ -736,5 +790,6 @@ *
    *
-   * @param payload `PresentationPayload` or `JwtPresentationPayload`
-   * @param holder `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
-   * @param options `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload
+   * @param payload - `PresentationPayload` or `JwtPresentationPayload`
+   * @param holder - `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
+   * @param options - `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload. These
+   *   options are forwarded to did-jwt.
    * @return a `Promise` that resolves to the JWT encoded verifiable presentation or rejects with `TypeError` if the
@@ -778,3 +833,4 @@ * `payload` is not W3C compliant
    * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
-   * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+   * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+   * spec
    * required spec.
@@ -784,4 +840,5 @@ *
    *
-   * @param payload `CredentialPayload` or `JwtCredentialPayload`
-   * @param issuer `Issuer` the DID, signer and algorithm that will sign the token
+   * @param payload - `CredentialPayload` or `JwtCredentialPayload`
+   * @param issuer - `Issuer` the DID, signer and algorithm that will sign the token
+   * @param options - Use these options to tweak the creation of the JWT Credential. These are forwarded to did-jwt.
    * @return a `Promise` that resolves to the JWT encoded verifiable credential or rejects with `TypeError` if the
@@ -857,7 +914,9 @@ * `payload` is not W3C compliant
     if (options.challenge && options.challenge !== payload.nonce) {
-      throw new Error(`Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`);
+      throw new Error(`${"auth_error"
+    /* VC_ERROR.AUTH_ERROR */
+    }: Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`);
     }
 
     if (options.domain) {
-      // aud might be array
+      // aud might be an array
       let matchedAudience;
@@ -871,3 +930,5 @@
       if (typeof matchedAudience === 'undefined') {
-        throw new Error(`Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`);
+        throw new Error(`${"auth_error"
+      /* VC_ERROR.AUTH_ERROR */
+      }: Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`);
       }
@@ -874,0 +935,0 @@ }

lib/types.d.ts

@@ -1,2 +0,2 @@
-import { Signer, JWTVerified, JWTHeader, JWTOptions } from 'did-jwt';
+import { Signer, JWTVerified, JWTHeader, JWTOptions, JWTVerifyOptions } from 'did-jwt';
 export declare const JWT_ALG = "ES256K";
@@ -98,3 +98,4 @@ export declare const DID_FORMAT: RegExp;
  * This data type represents a parsed VerifiableCredential.
- * It is meant to be an unambiguous representation of the properties of a Credential and is usually the result of a transformation method.
+ * It is meant to be an unambiguous representation of the properties of a Credential and is usually the result of a
+ * transformation method.
  *
@@ -105,3 +106,4 @@ * `issuer` is always an object with an `id` property and potentially other app specific issuer claims
  *
- * Any JWT specific properties are transformed to the broader W3C variant and any app specific properties are left intact
+ * Any JWT specific properties are transformed to the broader W3C variant and any app specific properties are left
+ * intact
  */
@@ -135,6 +137,8 @@ export declare type W3CCredential = Extensible<Replace<FixedCredentialPayload, NarrowCredentialDefinitions>>;
  * This data type represents a parsed Presentation payload.
- * It is meant to be an unambiguous representation of the properties of a Presentation and is usually the result of a transformation method.
+ * It is meant to be an unambiguous representation of the properties of a Presentation and is usually the result of a
+ * transformation method.
  *
  * The `verifiableCredential` array should contain parsed `Verifiable<Credential>` elements.
- * Any JWT specific properties are transformed to the broader W3C variant and any other app specific properties are left intact.
+ * Any JWT specific properties are transformed to the broader W3C variant and any other app specific properties are
+ * left intact.
  */
@@ -217,3 +221,24 @@ export declare type W3CPresentation = Extensible<Replace<FixedPresentationPayload, NarrowPresentationDefinitions>>;
  */
-export declare type VerifyCredentialOptions = Record<string, any>;
+export interface VerifyCredentialOptions extends JWTVerifyOptions {
+    /**
+     * When transforming the result of the verification into a W3C VerifiableCredential, this property dictates whether
+     * the JWT specific properties are removed from the payload or not. Defaults to `true`.
+     */
+    removeOriginalFields?: boolean;
+    /**
+     * Use this to override the default checks performed during verification
+     */
+    policies?: VerifyCredentialPolicies;
+    [x: string]: any;
+}
+export interface VerifyCredentialPolicies {
+    now?: number;
+    issuanceDate?: boolean;
+    expirationDate?: boolean;
+    format?: boolean;
+    /**
+     * Other policies are forwarded to lower level libs
+     */
+    [x: string]: any;
+}
 /**
@@ -220,0 +245,0 @@ * Represents the Verification Options that can be passed to the verifyPresentation method.

package.json

 {
   "name": "did-jwt-vc",
-  "version": "2.1.14",
+  "version": "3.0.0",
   "description": "Create and verify W3C Verifiable Credentials and Presentations in JWT format",
@@ -39,3 +39,3 @@ "type": "module",
   "dependencies": {
-    "did-jwt": "^6.2.2",
+    "did-jwt": "^6.5.0",
     "did-resolver": "^4.0.0"
@@ -42,0 +42,0 @@ },

src/__tests__/index.test.ts

@@ -359,5 +359,3 @@ import { EthrDID } from 'ethr-did'
     }
-    expect(verifyPresentation(PRESENTATION_JWT, resolver, options)).rejects.toThrow(
-      'Presentation does not contain the mandatory challenge (JWT: nonce) for : TEST_CHALLENGE'
-    )
+    expect(verifyPresentation(PRESENTATION_JWT, resolver, options)).rejects.toThrow(/^auth_error:.*/)
   })
@@ -369,5 +367,3 @@
     }
-    expect(verifyPresentation(PRESENTATION_JWT, resolver, options)).rejects.toThrow(
-      'Presentation does not contain the mandatory domain (JWT: aud) for : TEST_DOMAIN'
-    )
+    expect(verifyPresentation(PRESENTATION_JWT, resolver, options)).rejects.toThrow(/^auth_error:.*/)
   })
@@ -419,5 +415,3 @@
     }
-    expect(() => verifyPresentationPayloadOptions(presentationPayload, options)).toThrow(
-      'Presentation does not contain the mandatory challenge (JWT: nonce) for : TEST_CHALLENGE'
-    )
+    expect(() => verifyPresentationPayloadOptions(presentationPayload, options)).toThrow(/^auth_error:.*/)
   })
@@ -429,5 +423,3 @@
     }
-    expect(() => verifyPresentationPayloadOptions(presentationPayload, options)).toThrow(
-      'Presentation does not contain the mandatory domain (JWT: aud) for : TEST_DOMAIN'
-    )
+    expect(() => verifyPresentationPayloadOptions(presentationPayload, options)).toThrow(/^auth_error:.*/)
   })
@@ -434,0 +426,0 @@ })

src/__tests__/validators.test.ts

@@ -22,6 +22,6 @@ import * as validators from '../validators'
     it('throws a TypeError if the value is a millisecond timestamp', () => {
-      expect(() => validators.validateTimestamp(new Date().getTime())).toThrow(TypeError)
+      expect(() => validators.validateTimestamp(new Date().getTime())).toThrow(/^schema_error:.*/)
     })
     it('throws a TypeError if the value is not an integer', () => {
-      expect(() => validators.validateTimestamp(1653060380105 / 1000)).toThrow(TypeError)
+      expect(() => validators.validateTimestamp(1653060380105 / 1000)).toThrow(/^schema_error:.*/)
     })
@@ -38,6 +38,6 @@ })
     it('throws a TypeError the value contains no contexts', () => {
-      expect(() => validators.validateContext([])).toThrow(TypeError)
+      expect(() => validators.validateContext([])).toThrow(/^schema_error:.*/)
     })
     it('throws a TypeError the value is missing the default context', () => {
-      expect(() => validators.validateContext([EXTRA_CONTEXT_A, EXTRA_CONTEXT_B])).toThrow(TypeError)
+      expect(() => validators.validateContext([EXTRA_CONTEXT_A, EXTRA_CONTEXT_B])).toThrow(/^schema_error:.*/)
     })
@@ -54,6 +54,6 @@ })
     it('throws a TypeError the value contains no types', () => {
-      expect(() => validators.validateVcType([])).toThrow(TypeError)
+      expect(() => validators.validateVcType([])).toThrow(/^schema_error:.*/)
     })
     it('throws a TypeError the value is missing the default type', () => {
-      expect(() => validators.validateVcType([EXTRA_TYPE_A, EXTRA_TYPE_B])).toThrow(TypeError)
+      expect(() => validators.validateVcType([EXTRA_TYPE_A, EXTRA_TYPE_B])).toThrow(/^schema_error:.*/)
     })
@@ -70,6 +70,6 @@ })
     it('throws a TypeError the value contains no types', () => {
-      expect(() => validators.validateVpType([])).toThrow(TypeError)
+      expect(() => validators.validateVpType([])).toThrow(/^schema_error:.*/)
     })
     it('throws a TypeError the value is missing the default type', () => {
-      expect(() => validators.validateVpType([EXTRA_TYPE_A, EXTRA_TYPE_B])).toThrow(TypeError)
+      expect(() => validators.validateVpType([EXTRA_TYPE_A, EXTRA_TYPE_B])).toThrow(/^schema_error:.*/)
     })
@@ -83,3 +83,3 @@ })
     it('throws a TypeError if the value is not a valid JWT format', () => {
-      expect(() => validators.validateJwtFormat('not a jwt')).toThrow(TypeError)
+      expect(() => validators.validateJwtFormat('not a jwt')).toThrow(/^format_error:.*/)
     })
@@ -93,5 +93,5 @@ })
     it('throws a TypeError if the value is an object with no attributes', () => {
-      expect(() => validators.validateCredentialSubject({})).toThrow(TypeError)
+      expect(() => validators.validateCredentialSubject({})).toThrow(/^schema_error:.*/)
     })
   })
 })

src/index.ts

@@ -5,29 +5,32 @@ import { createJWT, verifyJWT } from 'did-jwt'
 import {
+  CreateCredentialOptions,
+  CreatePresentationOptions,
+  CredentialPayload,
+  Issuer,
+  JWT,
+  JWT_ALG,
   JwtCredentialPayload,
-  Issuer,
   JwtPresentationPayload,
-  JWT,
-  VerifiablePresentation,
-  VerifiableCredential,
-  CredentialPayload,
   PresentationPayload,
   Verifiable,
-  W3CCredential,
-  W3CPresentation,
+  VerifiableCredential,
+  VerifiablePresentation,
   VerifiedCredential,
   VerifiedPresentation,
+  VerifyCredentialOptions,
+  VerifyCredentialPolicies,
   VerifyPresentationOptions,
-  CreatePresentationOptions,
-  CreateCredentialOptions,
-  VerifyCredentialOptions,
-  JWT_ALG,
+  W3CCredential,
+  W3CPresentation,
 } from './types'
 import {
-  transformCredentialInput,
-  transformPresentationInput,
+  asArray,
   normalizeCredential,
   normalizePresentation,
-  asArray,
   notEmpty,
+  transformCredentialInput,
+  transformPresentationInput,
 } from './converters'
+import { VC_ERROR, VC_JWT_ERROR } from './errors'
+
 export {
@@ -50,4 +53,13 @@ Issuer,
   normalizePresentation,
+  VC_JWT_ERROR,
 }
 
+export {
+  CreateCredentialOptions,
+  CreatePresentationOptions,
+  VerifyCredentialOptions,
+  VerifyCredentialPolicies,
+  VerifyPresentationOptions,
+}
+
 /**
@@ -57,3 +69,4 @@ * Creates a VerifiableCredential given a `CredentialPayload` or `JwtCredentialPayload` and an `Issuer`.
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -63,4 +76,5 @@ *
  *
- * @param payload `CredentialPayload` or `JwtCredentialPayload`
- * @param issuer `Issuer` the DID, signer and algorithm that will sign the token
+ * @param payload - `CredentialPayload` or `JwtCredentialPayload`
+ * @param issuer - `Issuer` the DID, signer and algorithm that will sign the token
+ * @param options - Use these options to tweak the creation of the JWT Credential. These are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable credential or rejects with `TypeError` if the
@@ -97,3 +111,4 @@ * `payload` is not W3C compliant
  * This method transforms the payload into the [JWT encoding](https://www.w3.org/TR/vc-data-model/#jwt-encoding)
- * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum spec
+ * described in the [W3C VC spec](https://www.w3.org/TR/vc-data-model) and then validated to conform to the minimum
+ * spec
  * required spec.
@@ -103,5 +118,6 @@ *
  *
- * @param payload `PresentationPayload` or `JwtPresentationPayload`
- * @param holder `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
- * @param options `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload
+ * @param payload - `PresentationPayload` or `JwtPresentationPayload`
+ * @param holder - `Issuer` of the Presentation JWT (holder of the VC), signer and algorithm that will sign the token
+ * @param options - `CreatePresentationOptions` allows to pass additional values to the resulting JWT payload. These
+ *   options are forwarded to did-jwt.
  * @return a `Promise` that resolves to the JWT encoded verifiable presentation or rejects with `TypeError` if the
@@ -199,4 +215,6 @@ * `payload` is not W3C compliant
  * W3C compliant
- * @param vc the credential to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document of the JWT issuer
+ * @param vc - the credential to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` (or an implementation of `Resolvable`) that can provide the DID document
+ *   of the JWT issuer
+ * @param options - optional tweaks to the verification process. These are forwarded to did-jwt.
  */
@@ -208,5 +226,10 @@ export async function verifyCredential(
 ): Promise<VerifiedCredential> {
+  const nbf = options?.policies?.issuanceDate === false ? false : undefined
+  const exp = options?.policies?.expirationDate === false ? false : undefined
+  options = { ...options, policies: { ...options?.policies, nbf, exp, iat: nbf } }
   const verified: Partial<VerifiedCredential> = await verifyJWT(vc, { resolver, ...options })
   verified.verifiableCredential = normalizeCredential(verified.jwt as string, options?.removeOriginalFields)
-  validateCredentialPayload(verified.verifiableCredential)
+  if (options?.policies?.format !== false) {
+    validateCredentialPayload(verified.verifiableCredential)
+  }
   return verified as VerifiedCredential
@@ -218,4 +241,4 @@ }
  *
- * @param payload the JwtPresentationPayload to verify against
- * @param options the VerifyPresentationOptions that contain the optional values to verify.
+ * @param payload - the JwtPresentationPayload to verify against
+ * @param options - the VerifyPresentationOptions that contain the optional values to verify.
  * @throws {Error} If VerifyPresentationOptions are not satisfied
@@ -228,7 +251,9 @@ */
   if (options.challenge && options.challenge !== payload.nonce) {
-    throw new Error(`Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`)
+    throw new Error(
+      `${VC_ERROR.AUTH_ERROR}: Presentation does not contain the mandatory challenge (JWT: nonce) for : ${options.challenge}`
+    )
   }
 
   if (options.domain) {
-    // aud might be array
+    // aud might be an array
     let matchedAudience
@@ -241,3 +266,5 @@ if (payload.aud) {
     if (typeof matchedAudience === 'undefined') {
-      throw new Error(`Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`)
+      throw new Error(
+        `${VC_ERROR.AUTH_ERROR}: Presentation does not contain the mandatory domain (JWT: aud) for : ${options.domain}`
+      )
     }
@@ -252,5 +279,6 @@ }
  * not W3C compliant or the VerifyPresentationOptions are not satisfied.
- * @param presentation the presentation to be verified. Currently only the JWT encoding is supported by this library
- * @param resolver a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of the JWT issuer (presentation holder)
- * @param options optional verification options that need to be satisfied
+ * @param presentation - the presentation to be verified. Currently only the JWT encoding is supported by this library
+ * @param resolver - a configured `Resolver` or an implementation of `Resolvable` that can provide the DID document of
+ *   the JWT issuer (presentation holder)
+ * @param options - optional verification options that need to be satisfied. These are also forwarded to did-jwt.
  */
@@ -262,7 +290,15 @@ export async function verifyPresentation(
 ): Promise<VerifiedPresentation> {
-  const verified: Partial<VerifiedPresentation> = await verifyJWT(presentation, { resolver, ...options })
+  const nbf = options?.policies?.issuanceDate === false ? false : undefined
+  const exp = options?.policies?.expirationDate === false ? false : undefined
+  options = { audience: options.domain, ...options, policies: { ...options?.policies, nbf, exp, iat: nbf } }
+  const verified: Partial<VerifiedPresentation> = await verifyJWT(presentation, {
+    resolver,
+    ...options,
+  })
   verifyPresentationPayloadOptions(verified.payload as JwtPresentationPayload, options)
   verified.verifiablePresentation = normalizePresentation(verified.jwt as string, options?.removeOriginalFields)
-  validatePresentationPayload(verified.verifiablePresentation)
+  if (options?.policies?.format !== false) {
+    validatePresentationPayload(verified.verifiablePresentation)
+  }
   return verified as VerifiedPresentation
 }

src/types.ts

@@ -1,2 +0,2 @@
-import { Signer, JWTVerified, JWTHeader, JWTOptions } from 'did-jwt'
+import { Signer, JWTVerified, JWTHeader, JWTOptions, JWTVerifyOptions } from 'did-jwt'
 
@@ -40,2 +40,3 @@ export const JWT_ALG = 'ES256K'
   jti?: string
+
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -61,2 +62,3 @@ [x: string]: any
   nonce?: string
+
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -68,2 +70,3 @@ [x: string]: any
 export type DateType = string | Date
+
 /**
@@ -115,3 +118,4 @@ * used as input when creating Verifiable Credentials
  * This data type represents a parsed VerifiableCredential.
- * It is meant to be an unambiguous representation of the properties of a Credential and is usually the result of a transformation method.
+ * It is meant to be an unambiguous representation of the properties of a Credential and is usually the result of a
+ * transformation method.
  *
@@ -122,3 +126,4 @@ * `issuer` is always an object with an `id` property and potentially other app specific issuer claims
  *
- * Any JWT specific properties are transformed to the broader W3C variant and any app specific properties are left intact
+ * Any JWT specific properties are transformed to the broader W3C variant and any app specific properties are left
+ * intact
  */
@@ -156,6 +161,8 @@ export type W3CCredential = Extensible<Replace<FixedCredentialPayload, NarrowCredentialDefinitions>>
  * This data type represents a parsed Presentation payload.
- * It is meant to be an unambiguous representation of the properties of a Presentation and is usually the result of a transformation method.
+ * It is meant to be an unambiguous representation of the properties of a Presentation and is usually the result of a
+ * transformation method.
  *
  * The `verifiableCredential` array should contain parsed `Verifiable<Credential>` elements.
- * Any JWT specific properties are transformed to the broader W3C variant and any other app specific properties are left intact.
+ * Any JWT specific properties are transformed to the broader W3C variant and any other app specific properties are
+ * left intact.
  */
@@ -166,2 +173,3 @@ export type W3CPresentation = Extensible<Replace<FixedPresentationPayload, NarrowPresentationDefinitions>>
   type?: string
+
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -252,4 +260,35 @@ [x: string]: any
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-export type VerifyCredentialOptions = Record<string, any>
+export interface VerifyCredentialOptions extends JWTVerifyOptions {
+  /**
+   * When transforming the result of the verification into a W3C VerifiableCredential, this property dictates whether
+   * the JWT specific properties are removed from the payload or not. Defaults to `true`.
+   */
+  removeOriginalFields?: boolean
 
+  /**
+   * Use this to override the default checks performed during verification
+   */
+  policies?: VerifyCredentialPolicies
+
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  [x: string]: any
+}
+
+export interface VerifyCredentialPolicies {
+  // tweak the time at which the credential should be valid (UNIX timestamp, in seconds)
+  now?: number
+  // when false skips issuanceDate check
+  issuanceDate?: boolean
+  // when false skips expirationDate check
+  expirationDate?: boolean
+  // when false skips format checks
+  format?: boolean
+
+  /**
+   * Other policies are forwarded to lower level libs
+   */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  [x: string]: any
+}
+
 /**
@@ -256,0 +295,0 @@ * Represents the Verification Options that can be passed to the verifyPresentation method.

src/validators.ts

@@ -5,2 +5,3 @@ import { DEFAULT_CONTEXT, DEFAULT_VC_TYPE, DEFAULT_VP_TYPE, JWT_FORMAT } from './types'
 import { asArray } from './converters'
+import { VC_ERROR } from './errors'
 
@@ -14,3 +15,3 @@ // eslint-disable-next-line @typescript-eslint/no-explicit-any
   if (typeof value === 'string' && !value.match(JWT_FORMAT)) {
-    throw new TypeError(`"${value}" is not a valid JWT format`)
+    throw new TypeError(`${VC_ERROR.FORMAT_ERROR}: "${value}" is not a valid JWT format`)
   }
@@ -29,3 +30,3 @@ }
     if (!(Number.isInteger(value) && value < 100000000000)) {
-      throw new TypeError(`"${value}" is not a unix timestamp in seconds`)
+      throw new TypeError(`${VC_ERROR.SCHEMA_ERROR}: "${value}" is not a unix timestamp in seconds`)
     }
@@ -35,3 +36,3 @@ } else if (typeof value === 'string') {
   } else if (!isDateObject(value)) {
-    throw new TypeError(`"${value}" is not a valid time`)
+    throw new TypeError(`${VC_ERROR.SCHEMA_ERROR}: "${value}" is not a valid time`)
   }
@@ -43,3 +44,3 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_CONTEXT) === -1) {
-    throw new TypeError(`@context is missing default context "${DEFAULT_CONTEXT}"`)
+    throw new TypeError(`${VC_ERROR.SCHEMA_ERROR}: @context is missing default context "${DEFAULT_CONTEXT}"`)
   }
@@ -51,3 +52,3 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_VC_TYPE) === -1) {
-    throw new TypeError(`type is missing default "${DEFAULT_VC_TYPE}"`)
+    throw new TypeError(`${VC_ERROR.SCHEMA_ERROR}: type is missing default "${DEFAULT_VC_TYPE}"`)
   }
@@ -59,3 +60,3 @@ }
   if (input.length < 1 || input.indexOf(DEFAULT_VP_TYPE) === -1) {
-    throw new TypeError(`type is missing default "${DEFAULT_VP_TYPE}"`)
+    throw new TypeError(`${VC_ERROR.SCHEMA_ERROR}: type is missing default "${DEFAULT_VP_TYPE}"`)
   }
@@ -66,4 +67,4 @@ }
   if (Object.keys(value).length === 0) {
-    throw new TypeError('credentialSubject must not be empty')
+    throw new TypeError(`${VC_ERROR.SCHEMA_ERROR}: credentialSubject must not be empty`)
   }
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

620014

increased by5.9%

Number of package files

28

increased by3.7%

Lines of code

6667

increased by5.14%

Dependency changes

• Updateddid-jwt@^6.5.0