Qa - sign and verify methods #277

Merged
RinkalBhojani merged 17 commits into main from qa
Jun 16, 2025

@RinkalBhojani RinkalBhojani commented Jun 14, 2025

Summary by CodeRabbit

  • New Features

    • Introduced three new multi-tenancy API endpoints for digital signature verification, credential signing, and credential verification.
    • Added support for signing and verifying both raw data and W3C JSON-LD verifiable credentials.
    • Enhanced API documentation and schema definitions for verifiable credentials and cryptographic operations.
  • Documentation

    • Updated API documentation to include new endpoints and detailed schema definitions for credential and proof structures.

pranalidhanavade and others added 17 commits June 14, 2025 12:32
Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
* Resolve linting issues

Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>

* Resolve prettier issues

Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>

---------

Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>
Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>
Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: sahil.kamble@ayanworks.com <sahil.kamble@ayanworks.com>
Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: Sahil Kamble <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: Sahil Kamble <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
* feat: added yml file to push docker images to github

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* feat: added yml file to push docker images to github

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* fix: updated cicd.yml file

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* fix: renamed yml file

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

---------

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: Sahil Kamble <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
* feat: added yml file to push docker images to github

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* feat: added yml file to push docker images to github

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* fix: updated cicd.yml file

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* fix: renamed yml file

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* chore: removed id-token and attestations

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

* chore: removed id-token and attestations

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>

---------

Signed-off-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: Sahil Kamble <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: Tipu_Singh <tipu.singh@ayanworks.com>
Signed-off-by: Sahil Kamble <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: Tipu_Singh <tipu.singh@ayanworks.com>
Signed-off-by: Sahil Kamble <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: Tipu_Singh <tipu.singh@ayanworks.com>
Signed-off-by: Sahil Kamble <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
feat: push docker image (#257)

* feat: added yml file to push docker images to github

* feat: added yml file to push docker images to github

* fix: updated cicd.yml file

* fix: renamed yml file

---------

feat:w3c-revocation

refactor: removed revocation code

refactor: removed constant and enum

chore: remove unnecessary package

chore: remove unwanted files

chore: remove unwanted files

chore: remove unwanted files

Signed-off-by: bhavanakarwade <bhavana.karwade@ayanworks.com>
Co-authored-by: KambleSahil3 <sahil.kamble@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
* feat:sign and verify raw data with the provided key

Signed-off-by: Ankita Patidar <ankita.patidar@ayanworks.com>

* sign and verify credential payload

Signed-off-by: Ankita Patidar <ankita.patidar@ayanworks.com>

* fix: update sign API

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: verification logic

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: final touches

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: verify credential even with credential status object present in it

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: final touches

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

---------

Signed-off-by: Ankita Patidar <ankita.patidar@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Co-authored-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
* feat:sign and verify raw data with the provided key

Signed-off-by: Ankita Patidar <ankita.patidar@ayanworks.com>

* sign and verify credential payload

Signed-off-by: Ankita Patidar <ankita.patidar@ayanworks.com>

* fix: update sign API

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: verification logic

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: final touches

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: verify credential even with credential status object present in it

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: final touches

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

* fix: combine sign credential and sign raw data

Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>

---------

Signed-off-by: Ankita Patidar <ankita.patidar@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Co-authored-by: Ankita Patidar <ankita.patidar@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Signed-off-by: Krishna Waske <krishna.waske@ayanworks.com>
Feat: Sign  and verify feature
@RinkalBhojani RinkalBhojani requested a review from GHkrishna June 14, 2025 12:50

coderabbitai bot commented Jun 14, 2025

Walkthrough

This update introduces three new API endpoints to the multi-tenancy controller for signing and verifying raw data and JSON-LD verifiable credentials. It adds supporting type definitions, model schemas, and route registrations, and updates the OpenAPI specification to document the new endpoints and their request/response formats.

Changes

| File(s) | Change Summary |
|---|---|
| .github/workflows/continuous-delivery.yml | Added two trailing blank lines after Docker image tags list (no functional change). |
| src/controllers/multi-tenancy/MultiTenancyController.ts | Added three new methods for verifying data signatures, signing credentials/data, and verifying credentials; all methods secured by API key and include input validation and error handling. |
| src/controllers/types.ts | Introduced new types/interfaces for signing/verifying data and credentials, supporting extensible JSON-LD credential structures and cryptographic options. |
| src/routes/routes.ts | Registered three new POST routes for multi-tenancy sign/verify operations; added extensive model definitions for credential and proof types. |
| src/routes/swagger.json | Added new schema components and documented the three new multi-tenancy endpoints; removed a redundant schema definition. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant API
    participant MultiTenancyController
    participant TenantAgent
    participant Wallet

    Client->>API: POST /multi-tenancy/verify/:tenantId (data, signature, key info)
    API->>MultiTenancyController: verify(tenantId, request)
    MultiTenancyController->>TenantAgent: getWallet()
    MultiTenancyController->>Wallet: verify(data, signature, key info)
    Wallet-->>MultiTenancyController: verification result
    MultiTenancyController-->>API: boolean result
    API-->>Client: verification result

    Client->>API: POST /multi-tenancy/credential/sign/:tenantId (data, options)
    API->>MultiTenancyController: signCredential(tenantId, ...)
    MultiTenancyController->>TenantAgent: getSigningKey()
    MultiTenancyController->>Wallet: sign(data, key)
    Wallet-->>MultiTenancyController: signature
    MultiTenancyController-->>API: signature or signed credential
    API-->>Client: signature or signed credential

    Client->>API: POST /multi-tenancy/credential/verify/:tenantId (credential)
    API->>MultiTenancyController: verifyCredential(tenantId, credential)
    MultiTenancyController->>TenantAgent: verifyCredential(credential)
    TenantAgent-->>MultiTenancyController: verification result
    MultiTenancyController-->>API: verification result
    API-->>Client: verification result
```

Possibly related PRs

  • credebl/credo-controller#273: Extends MultiTenancyController with initial signing and verifying endpoints for raw data and credentials, upon which this PR directly builds.

Suggested labels

enhancement

Poem

Three new doors for tenants to sign and to check,
Credentials and data, with cryptographic tech.
JSON-LD or raw, the rabbit hops in delight,
New types and routes make the future bright!
🐇✨

"Hop, sign, verify—securely through the night."


@sonarqubecloud

Quality Gate failed

Failed conditions
18.4% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 13

♻️ Duplicate comments (1)
src/routes/swagger.json (1)

2092-2155: Consistent naming for JSON-LD credential schemas
The schema uses "context" vs "@context" again in W3cJsonLdVerifiableCredential. Align this with the LD spec or document the deviation to avoid confusion.

🧹 Nitpick comments (10)
src/controllers/types.ts (1)

425-425: Use single quotes for string literals.

Apply this diff to maintain consistency with the project's quote style:

-  proof: SingleOrArray<Omit<LinkedDataProofOptions, "cryptosuite"> | DataIntegrityProofOptions>
+  proof: SingleOrArray<Omit<LinkedDataProofOptions, 'cryptosuite'> | DataIntegrityProofOptions>
🧰 Tools
🪛 ESLint

[error] 425-425: Replace "cryptosuite" with 'cryptosuite'

(prettier/prettier)

src/controllers/multi-tenancy/MultiTenancyController.ts (1)

1959-2014: Consider refactoring the signCredential method for better separation of concerns.

The method handles two distinct types of signing (JSON-LD and raw data) in a single method with complex branching logic.

Consider splitting this into two separate endpoints or at least extracting the logic into separate private methods:

private async signJsonLdCredential(tenantAgent: TenantAgent, data: W3cJsonLdSignCredentialOptions, storeCredential: boolean) {
  // JSON-LD signing logic
}

private async signRawData(tenantAgent: TenantAgent, rawData: SignDataOptions) {
  // Raw data signing logic
}

This would improve readability, maintainability, and make the code easier to test.

src/routes/swagger.json (8)

1651-1665: Confirm usage of generic record schema for W3cCredentialRecord
Referencing Record_string.unknown_ is consistent with other record types, but consider renaming or documenting this alias to improve clarity in consumers.


1691-1719: Add examples and strictness to W3cCredentialSchema
Consider adding "additionalProperties": false and example values for id and type to guide integration.


1796-1838: Refactor Pick/Omit schemas for readability
The Pick_W3cJsonLdSignCredentialOptions... and Omit_W3cJsonLdSignCredentialOptions... definitions are very verbose. Consider using allOf with a base schema instead of manual picks to reduce duplication and improve maintainability.


1839-1863: Add strictness to SignDataOptions
Include "additionalProperties": false on SignDataOptions to prevent extra fields, and add an example for data to illustrate base64 format.


1864-1951: Simplify LinkedDataProofOptions schema definitions
The split between Pick_LinkedDataProofOptions... and Omit_LinkedDataProofOptions... is repetitive. You could define a core proof options schema and extend or override as needed with allOf, reducing complexity.


1979-2091: Ensure proof union schemas cover all cases
The LinkedDataProof, DataIntegrityProof, and their union appear correct. Consider adding examples to each proof type for consumer clarity.


2156-2180: Tighten SafeW3cJsonLdVerifyCredentialOptions
Add "additionalProperties": false and an example for proofPurpose to improve self-documentation.


6888-6936: Add example response for verify endpoint
The /multi-tenancy/verify/{tenantId} path returns a boolean but lacks an example. Adding an example under 200 will help clients.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b83e49 and 8f40640.

📒 Files selected for processing (5)
  • .github/workflows/continuous-delivery.yml (1 hunks)
  • src/controllers/multi-tenancy/MultiTenancyController.ts (6 hunks)
  • src/controllers/types.ts (2 hunks)
  • src/routes/routes.ts (2 hunks)
  • src/routes/swagger.json (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
src/routes/routes.ts (2)
src/utils/TsyringeAdapter.ts (1)
  • iocContainer (5-9)
src/utils/tsyringeTsoaIocContainer.ts (1)
  • iocContainer (5-9)
🪛 YAMLlint (1.37.1)
.github/workflows/continuous-delivery.yml

[error] 45-45: trailing spaces

(trailing-spaces)


[warning] 46-46: too many blank lines

(1 > 0) (empty-lines)

🪛 ESLint
src/controllers/multi-tenancy/MultiTenancyController.ts

[error] 19-19: 'W3cVerifiableCredential' is defined but never used.

(@typescript-eslint/no-unused-vars)


[error] 51-51: 'W3cCredential' is defined but never used.

(@typescript-eslint/no-unused-vars)


[error] 83-96: Import "SignDataOptions" is only used as types.

(@typescript-eslint/consistent-type-imports)


[error] 2029-2029: 'credential' is assigned a value but never used.

(@typescript-eslint/no-unused-vars)

src/controllers/types.ts

[error] 36-36: There should be at least one empty line between import groups

(import/order)


[error] 37-37: All imports in the declaration are only used as types. Use import type.

(@typescript-eslint/consistent-type-imports)


[error] 425-425: Replace "cryptosuite" with 'cryptosuite'

(prettier/prettier)

🔇 Additional comments (5)
src/controllers/types.ts (1)

396-440: Well-structured type definitions for signing and verification functionality.

The new types provide a solid foundation for the multi-tenancy signing and verification features. Good use of utility types and proper extensibility with the Extensible* types.

src/routes/routes.ts (1)

1-5236: Auto-generated file looks structurally sound

This auto-generated routes file correctly implements the new multi-tenancy signing and verification endpoints with proper authentication middleware. The model definitions for W3C credentials are comprehensive and well-structured.

Note: Since this is an auto-generated file (as indicated by the warning comments), any manual changes would be lost on regeneration. Issues should be addressed in the source files that generate this code.

src/routes/swagger.json (3)

1666-1690: Validate required properties for W3cCredentialSubject
The W3cCredentialSubject schema has no required fields. Typically, a subject id is mandatory in W3C credentials. Please verify against the spec and add "required": ["id", "claims"] if needed.


1720-1735: W3cCredentialStatus enum and structure align with the typical pattern and look good.


1952-1978: The SingleOrArray_Omit_LinkedDataProofOptions... construct correctly handles both single and array forms.

Comment on lines +45 to +46



⚠️ Potential issue

Fix formatting issues: remove trailing spaces and extra blank line.

The static analysis tools correctly identified formatting issues:

  • Line 45 has trailing spaces
  • Line 46 has an unnecessary blank line

Apply this diff to fix the formatting:

-            ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.SERVICE }}:latest
-          
-
+            ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.SERVICE }}:latest

🤖 Prompt for AI Agents
In .github/workflows/continuous-delivery.yml at lines 45 and 46, remove any
trailing spaces at line 45 and delete the extra blank line at line 46 to fix the
formatting issues.

Comment on lines +35 to +37
import type { SingleOrArray } from '@credo-ts/core/build/utils'
import type { DIDDocument } from 'did-resolver'
import { LinkedDataProofOptions } from '@credo-ts/core/build/modules/vc/data-integrity/models/LinkedDataProof'

⚠️ Potential issue

Fix import formatting and use type imports for type-only imports.

Apply this diff to fix the import issues:

 } from '@credo-ts/core'
 import type { SingleOrArray } from '@credo-ts/core/build/utils'
+
 import type { DIDDocument } from 'did-resolver'
-import { LinkedDataProofOptions } from '@credo-ts/core/build/modules/vc/data-integrity/models/LinkedDataProof'
+import type { LinkedDataProofOptions } from '@credo-ts/core/build/modules/vc/data-integrity/models/LinkedDataProof'
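
Review bot: the last line of this hunk still imports from '@credo-ts/core/build/modules/vc/data-integrity/models/LinkedDataProof', and the context line above it from '@credo-ts/core/build/utils'; paths under build/ are package internals and can move between releases. If LinkedDataProofOptions and SingleOrArray are exported from the '@credo-ts/core' entry point, import them in the block that closes on the first line of this hunk; otherwise add a comment saying why the deep path is needed.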

🤖 Prompt for AI Agents
In src/controllers/types.ts around lines 35 to 37, the imports include type-only
imports that are not using the 'import type' syntax consistently. Change all
imports that are only used for types to use 'import type' to improve clarity and
enable better tree-shaking. Ensure the import statements are formatted
consistently, using 'import type' for SingleOrArray, DIDDocument, and
LinkedDataProofOptions since they are types.

Comment on lines +412 to +417
'@context': Array<string | JsonObject>
type: Array<string>
credentialSubject: SingleOrArray<JsonObject>
proofType: string
}


🛠️ Refactor suggestion

Use PascalCase for type names to maintain consistency.

The type name jsonLdCredentialOptions should follow TypeScript naming conventions.

Apply this diff to fix the naming:

-export interface jsonLdCredentialOptions {
+export interface JsonLdCredentialOptions {
   '@context': Array<string | JsonObject>
   type: Array<string>
   credentialSubject: SingleOrArray<JsonObject>
   proofType: string
 }
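
Review bot: `proofType: string` on the renamed interface leaves the proof suite unconstrained at the type level, so any string reaches the signing path. While this declaration is being touched, narrow it to a union of the proof types the agent supports so that the generated schema rejects anything else.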

Also update the reference in line 421:

-  credential: jsonLdCredentialOptions // TODO: add support for other credential format
+  credential: JsonLdCredentialOptions // TODO: add support for other credential format
🤖 Prompt for AI Agents
In src/controllers/types.ts around lines 412 to 417, the type name
jsonLdCredentialOptions should be renamed to PascalCase as
JsonLdCredentialOptions to follow TypeScript naming conventions. Rename the type
declaration and update all references to this type, including the one at line
421, to use the new PascalCase name.

import type { RestAgentModules, RestMultiTenantAgentModules } from '../../cliAgent'
import type { Version } from '../examples'
import type { RecipientKeyOption, SchemaMetadata } from '../types'
import type { CustomW3cJsonLdSignCredentialOptions, RecipientKeyOption, SafeW3cJsonLdVerifyCredentialOptions, SchemaMetadata } from '../types'

⚠️ Potential issue

Clean up imports: remove unused and fix type imports.

Apply these diffs to fix the import issues:

  1. Move SignDataOptions and VerifyDataOptions to type imports (line 4):
-import type { CustomW3cJsonLdSignCredentialOptions, RecipientKeyOption, SafeW3cJsonLdVerifyCredentialOptions, SchemaMetadata } from '../types'
+import type { CustomW3cJsonLdSignCredentialOptions, RecipientKeyOption, SafeW3cJsonLdVerifyCredentialOptions, SchemaMetadata, SignDataOptions, VerifyDataOptions } from '../types'
  2. Remove unused imports (lines 19, 51):
   W3cJsonLdSignCredentialOptions,
-  W3cVerifiableCredential} from '@credo-ts/core'
+} from '@credo-ts/core'
   W3cJsonLdVerifiableCredential,
-  W3cCredential,
   ClaimFormat} from '@credo-ts/core'
  3. Remove from regular imports (line 96):
- VerifyDataOptions , SignDataOptions } from '../types'
+} from '../types'

Also applies to: 19-19, 51-52, 96-96

🤖 Prompt for AI Agents
In src/controllers/multi-tenancy/MultiTenancyController.ts around lines 4, 19,
51-52, and 96, clean up the imports by moving SignDataOptions and
VerifyDataOptions to type-only imports on line 4, removing any unused imports on
lines 19 and 51-52, and removing certain imports from the regular import
statements on line 96 as specified. This will ensure only necessary types and
modules are imported correctly and unused imports are eliminated.

let formattedCredential
try {
await this.agent.modules.tenants.withTenantAgent({ tenantId }, async (tenantAgent) => {
const {credential, ...credentialOptions}= credentialToVerify

⚠️ Potential issue

Remove unused destructured variable.

The credential variable is destructured but never used.

Apply this diff to fix the issue:

-        const {credential,  ...credentialOptions}= credentialToVerify
+        const { ...credentialOptions } = credentialToVerify
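
Review bot: the `+` line is not equivalent to the line it replaces. `const {credential, ...credentialOptions}` leaves `credential` out of `credentialOptions`, while `const { ...credentialOptions } = credentialToVerify` is a shallow copy that still contains it. If the original credential has to stay out of the options passed on to verification, keep the exclusion and satisfy the lint rule another way, for example `credential: _credential` where the ESLint config ignores underscore-prefixed names; if it does not matter, drop the destructuring and use `credentialToVerify` directly.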

🤖 Prompt for AI Agents
In src/controllers/multi-tenancy/MultiTenancyController.ts at line 2029, the
variable 'credential' is destructured from 'credentialToVerify' but never used.
Remove 'credential' from the destructuring assignment and only extract
'credentialOptions' to eliminate the unused variable warning.

tenantId: {"in":"path","name":"tenantId","required":true,"dataType":"string"},
storeCredential: {"in":"query","name":"storeCredential","required":true,"dataType":"boolean"},
dataTypeToSign: {"in":"query","name":"dataTypeToSign","required":true,"dataType":"union","subSchemas":[{"dataType":"enum","enums":["rawData"]},{"dataType":"enum","enums":["jsonLd"]}]},
data: {"in":"body","name":"data","required":true,"dataType":"union","subSchemas":[{"ref":"CustomW3cJsonLdSignCredentialOptions"},{"ref":"SignDataOptions"},{"dataType":"any"}]},

💡 Verification agent

🧩 Analysis chain

Security concern: Avoid using any type in request body unions

The union types for request bodies include any, which bypasses TypeScript's type safety and could allow malformed or malicious data to be passed to the controllers. This is particularly concerning for credential signing and verification endpoints that handle sensitive cryptographic operations.

Consider updating the source type definitions to remove any from these unions and use more specific types instead.

Let me verify if these any types originate from the controller type definitions:

Also applies to: 3824-3824


🏁 Script executed:

```bash
#!/bin/bash
# Check the controller types to see if 'any' is defined there
rg -A 5 -B 5 "signCredential|verifyCredential" src/controllers/multi-tenancy/MultiTenancyController.ts
```

Length of output: 1793


🏁 Script executed:

```bash
#!/bin/bash
# Check the type definitions file mentioned in the AI summary
fd -e ts "types.ts" src/controllers --exec rg -l "CustomW3cJsonLdSignCredentialOptions|SafeW3cJsonLdVerifyCredentialOptions|SignDataOptions" {}
```

Length of output: 170


Remove any from credential endpoint unions

The | any fallback on the @Body() parameters in your controller is what’s propagating into the auto-generated routes. To restore full type safety, remove any from these unions in the source TSOA controller, then regenerate the routes.

• File: src/controllers/multi-tenancy/MultiTenancyController.ts
signCredential method signature:
```ts
// before
@Body() data: CustomW3cJsonLdSignCredentialOptions | SignDataOptions | any

// after
@Body() data: CustomW3cJsonLdSignCredentialOptions | SignDataOptions
```

verifyCredential method signature:
```ts
// before
@Body() credentialToVerify: SafeW3cJsonLdVerifyCredentialOptions | any

// after
@Body() credentialToVerify: SafeW3cJsonLdVerifyCredentialOptions
```

After making these changes, re-run your TSOA generation to update src/routes/routes.ts without the any type in those unions.

🤖 Prompt for AI Agents
In src/controllers/multi-tenancy/MultiTenancyController.ts around the
signCredential and verifyCredential method signatures, remove the `any` type
from the union types used in the @Body() parameters to restore type safety.
Specifically, change the signCredential method's parameter type from
`CustomW3cJsonLdSignCredentialOptions | SignDataOptions | any` to
`CustomW3cJsonLdSignCredentialOptions | SignDataOptions`, and change the
verifyCredential method's parameter type from
`SafeW3cJsonLdVerifyCredentialOptions | any` to
`SafeW3cJsonLdVerifyCredentialOptions`. After these changes, regenerate the
routes to update src/routes/routes.ts without the `any` type in the unions.

Comment on lines +1736 to +1795
"W3cCredential": {
"properties": {
"context": {
"items": {
"anyOf": [
{
"type": "string"
},
{
"$ref": "#/components/schemas/JsonObject"
}
]
},
"type": "array"
},
"id": {
"type": "string"
},
"type": {
"items": {
"type": "string"
},
"type": "array"
},
"issuer": {
"anyOf": [
{
"type": "string"
},
{
"$ref": "#/components/schemas/W3cIssuer"
}
]
},
"issuanceDate": {
"type": "string"
},
"expirationDate": {
"type": "string"
},
"credentialSubject": {
"$ref": "#/components/schemas/SingleOrArray_W3cCredentialSubject_"
},
"credentialSchema": {
"$ref": "#/components/schemas/SingleOrArray_W3cCredentialSchema_"
},
"credentialStatus": {
"$ref": "#/components/schemas/W3cCredentialStatus"
}
},
"required": [
"context",
"type",
"issuer",
"issuanceDate",
"credentialSubject"
],
"type": "object",
"additionalProperties": false
},
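
Review bot: `issuanceDate` and `expirationDate` are declared as bare `"type": "string"` with no `"format": "date-time"`, so a credential carrying a malformed or non-timestamp value in either field passes schema validation and the date check is left entirely to the handler. Suggest adding `"format": "date-time"` to both, and `"minItems": 1` on the `context` and `type` arrays, which are required but may currently be empty.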

⚠️ Potential issue

Property key mismatch in W3cCredential
The schema uses "context" instead of the JSON-LD standard "@context". This may break tooling that expects the @context keyword. Please rename or alias accordingly.

🤖 Prompt for AI Agents
In src/routes/swagger.json between lines 1736 and 1795, the W3cCredential schema
incorrectly uses the property key "context" instead of the JSON-LD standard
"@context". To fix this, rename the "context" property key to "@context"
throughout the schema to ensure compatibility with JSON-LD tooling and
standards.

Comment on lines +1628 to +1650
"VerifyDataOptions": {
"properties": {
"signature": {
"type": "string"
},
"publicKeyBase58": {
"type": "string"
},
"keyType": {
"$ref": "#/components/schemas/KeyType"
},
"data": {
"type": "string"
}
},
"required": [
"signature",
"publicKeyBase58",
"keyType",
"data"
],
"type": "object"
},
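
Review bot: `signature`, `publicKeyBase58` and `data` are unconstrained strings, so an empty string satisfies `required` for all three and the first rejection happens inside the verification code rather than at the API boundary. Suggest `"minLength": 1` on each, a `maxLength` bound on `data` and `signature`, and a base58 `pattern` such as `^[1-9A-HJ-NP-Za-km-z]+$` on `publicKeyBase58`.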

🛠️ Refactor suggestion

Enforce strict schema boundaries for VerifyDataOptions
The VerifyDataOptions schema currently allows extra fields by default. Add "additionalProperties": false to prevent unintended properties, and include property-level description or example to clarify expected formats (e.g., base64 encoding).

🤖 Prompt for AI Agents
In src/routes/swagger.json between lines 1628 and 1650, the VerifyDataOptions
schema lacks strict boundaries and property descriptions. Add
"additionalProperties": false to the schema to disallow extra fields, and add
descriptive "description" or "example" entries for each property to clarify
expected formats such as base64 encoding for data fields.

Comment on lines +7020 to +7067
"/multi-tenancy/credential/verify/{tenantId}": {
"post": {
"operationId": "VerifyCredential",
"responses": {
"200": {
"description": "Ok",
"content": {
"application/json": {
"schema": {}
}
}
}
},
"tags": [
"MultiTenancy"
],
"security": [
{
"apiKey": []
}
],
"parameters": [
{
"in": "path",
"name": "tenantId",
"required": true,
"schema": {
"type": "string"
}
}
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"anyOf": [
{
"$ref": "#/components/schemas/SafeW3cJsonLdVerifyCredentialOptions"
},
{}
]
}
}
}
}
}
},
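
Review bot: the `200` response declares `"schema": {}`, so the spec gives callers no field to read the verification outcome from, and no non-200 response is declared at all. Suggest referencing a result schema with an explicit boolean validity field and documenting the error responses (for example 400 and 401), so that a client has to read the result field and cannot treat the HTTP status alone as the outcome.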

🛠️ Refactor suggestion

Tighten VerifyCredential request schema
Similarly, the /multi-tenancy/credential/verify/{tenantId} uses anyOf including an empty catch-all. Switch to oneOf without an open object branch and add "additionalProperties": false on each branch.

🤖 Prompt for AI Agents
In src/routes/swagger.json around lines 7020 to 7067, the requestBody schema for
the VerifyCredential POST endpoint uses anyOf with an empty object branch, which
is too permissive. Replace anyOf with oneOf, remove the empty object branch, and
add "additionalProperties": false to each schema referenced to strictly validate
the request body and prevent extra properties.

Comment on lines +6937 to +7019
"/multi-tenancy/credential/sign/{tenantId}": {
"post": {
"operationId": "SignCredential",
"responses": {
"200": {
"description": "Ok",
"content": {
"application/json": {
"schema": {
"anyOf": [
{
"type": "string"
},
{
"$ref": "#/components/schemas/Record_string.any_"
},
{
"$ref": "#/components/schemas/W3cCredentialRecord"
}
]
}
}
}
}
},
"tags": [
"MultiTenancy"
],
"security": [
{
"apiKey": []
}
],
"parameters": [
{
"in": "path",
"name": "tenantId",
"required": true,
"schema": {
"type": "string"
}
},
{
"in": "query",
"name": "storeCredential",
"required": true,
"schema": {
"type": "boolean"
}
},
{
"in": "query",
"name": "dataTypeToSign",
"required": true,
"schema": {
"type": "string",
"enum": [
"rawData",
"jsonLd"
]
}
}
],
"requestBody": {
"required": true,
"content": {
"application/json": {
"schema": {
"anyOf": [
{
"$ref": "#/components/schemas/CustomW3cJsonLdSignCredentialOptions"
},
{
"$ref": "#/components/schemas/SignDataOptions"
},
{}
]
}
}
}
}
}
},
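
Review bot: the required `dataTypeToSign` query parameter (`rawData` or `jsonLd`) is not tied to the body schema, so `dataTypeToSign=rawData` with a `CustomW3cJsonLdSignCredentialOptions` body, or the reverse, is valid against this spec. Suggest either splitting this into two operations or having the handler reject a body that does not match the declared type before signing; the `Record_string.any_` branch in the `200` response is also untyped and worth narrowing.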

⚠️ Potential issue

Restrict requestBody anyOf in SignCredential endpoint
The requestBody uses anyOf with an empty object {}, effectively allowing any payload. Replace it with oneOf and remove the open {} branch to enforce exactly one schema.

🤖 Prompt for AI Agents
In src/routes/swagger.json between lines 6937 and 7019, the SignCredential
endpoint's requestBody uses anyOf with an empty object {}, which allows any
payload and weakens validation. Replace the anyOf keyword with oneOf and remove
the empty object branch so that exactly one of the defined schemas must be used,
enforcing stricter request validation.
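
The effect of the open `{}` branch and of the missing `additionalProperties` flagged in the comments above, as an added example that is not part of this pull request or the project's code. The evaluator is a constructed subset of JSON Schema, `VerifyDataOptions` follows the schema shown on the page with `keyType` simplified to a string, and `VerifyDataOptionsStrict`, the payloads and all other names are assumptions.

```typescript
// Added example. A constructed evaluator for a small JSON Schema subset:
// $ref, anyOf, oneOf, type, required, properties, additionalProperties.
type Schema = { [key: string]: any };

// VerifyDataOptions as shown on the page (keyType simplified to a string here),
// plus a hypothetical strict variant that adds "additionalProperties": false.
const verifyProps: Schema = {
  signature: { type: "string" }, publicKeyBase58: { type: "string" },
  keyType: { type: "string" }, data: { type: "string" },
};
const required: string[] = ["signature", "publicKeyBase58", "keyType", "data"];
const components: { [name: string]: Schema } = {
  VerifyDataOptions: { type: "object", properties: verifyProps, required },
  VerifyDataOptionsStrict: { type: "object", properties: verifyProps, required, additionalProperties: false },
};

function validate(schema: Schema, value: any): boolean {
  if (typeof schema.$ref === "string") {
    const target: Schema | undefined = components[schema.$ref.split("/").pop() as string];
    return target !== undefined && validate(target, value);
  }
  if (Array.isArray(schema.anyOf) && !schema.anyOf.some((s: Schema) => validate(s, value))) return false;
  if (Array.isArray(schema.oneOf) && schema.oneOf.filter((s: Schema) => validate(s, value)).length !== 1) return false;
  if (schema.type === "string" && typeof value !== "string") return false;
  if (schema.type === "object") {
    if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
    const props: Schema = schema.properties || {};
    for (const key of (schema.required || []) as string[]) if (!(key in value)) return false;
    for (const key of Object.keys(value)) {
      if (key in props ? !validate(props[key], value[key]) : schema.additionalProperties === false) return false;
    }
  }
  return true; // a schema with no keywords, such as {}, accepts every value
}

const ref = (schemaName: string): Schema => ({ $ref: "#/components/schemas/" + schemaName });
// The three request-body shapes under comparison.
const bodySchemas: { [label: string]: Schema } = {
  anyOfWithOpenBranch: { anyOf: [ref("VerifyDataOptions"), {}] },
  oneOfRefOnly: { oneOf: [ref("VerifyDataOptions")] },
  oneOfStrictRef: { oneOf: [ref("VerifyDataOptionsStrict")] },
};
// Constructed payloads: well-formed, unrelated, and well-formed plus an extra field.
const good = { signature: "sig", publicKeyBase58: "key", keyType: "ed25519", data: "hello" };
const samples: any[] = [good, { unexpected: 1 }, { ...good, extra: "x" }];

function accepted(label: string): boolean[] {
  return samples.map((payload: any) => validate(bodySchemas[label], payload));
}
```

Each call to `accepted` returns one boolean per payload in `samples`; only the strict `oneOf` shape rejects both the unrelated payload and the one with an extra field.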

Contributor

@ankita-p17 ankita-p17 left a comment


Some refactoring comments will be resolved in next release.

@RinkalBhojani RinkalBhojani merged commit 679ffa8 into main Jun 16, 2025
9 of 11 checks passed
7 participants