@tipusinghaw tipusinghaw commented Nov 6, 2025

What

  • Added logic to the verification webhook
  • Corrected config for nats
  • Fixed batch size issue while issuer creation

Summary by CodeRabbit

Release Notes

  • New Features

    • Added webhook support for presentation submissions with state tracking
    • Support for ED25519 signing method for credentials
    • Session-specific response messaging for operations
  • Improvements

    • Enhanced validation for credential template signer options based on credential format
    • Made batch credential issuance configuration more flexible
    • Improved presentation data persistence and management
  • Chores

    • Updated service configuration and environment variable handling

@tipusinghaw tipusinghaw requested review from GHkrishna and RinkalBhojani and removed request for GHkrishna November 6, 2025 08:37
coderabbitai bot commented Nov 6, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Updates implement OID4VP presentation webhook handling across verification and issuance services, introduce a new database table and Prisma model for presentations, add stricter validation to credential templates with conditional signer options, update NATS configuration with new service constants, and expand response message structures.

Changes

| Cohort | File(s) | Summary |
| --- | --- | --- |
| DTO & Interface Definitions | apps/api-gateway/src/oid4vc-issuance/dtos/oid4vc-issuer-template.dto.ts, apps/api-gateway/src/oid4vc-issuance/dtos/oid4vp-presentation-wh.dto.ts, apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts | Added Oid4vpPresentationWhDto and Oid4vpPresentationWh interface with six string properties. Updated signerOption in CreateCredentialTemplateDto with conditional validation (required for Mdoc format, cannot be DID). |
| Verification Module API Layer | apps/api-gateway/src/oid4vc-verification/oid4vc-verification.controller.ts, apps/api-gateway/src/oid4vc-verification/oid4vc-verification.module.ts, apps/oid4vc-verification/src/oid4vc-verification.controller.ts | Added storePresentationWebhook POST endpoint in API gateway. Added webhook MessagePattern handler in verification service controller. Updated NATS service constant to OIDC4VC_VERIFICATION_SERVICE. |
| Verification Service Logic | apps/api-gateway/src/oid4vc-verification/oid4vc-verification.service.ts, apps/oid4vc-verification/src/oid4vc-verification.service.ts, apps/oid4vc-verification/src/oid4vc-verification.repository.ts | Introduced oid4vpPresentationWebhook method forwarding payloads via NATS. Added storeOid4vpPresentationDetails repository method with upsert logic. Updated endpoint constant to OIDC_VERIFIER_SESSION_RESPONSE_GET_BY_ID. |
| Issuance Service Updates | apps/oid4vc-issuance/interfaces/oid4vc-issuance.interfaces.ts, apps/oid4vc-issuance/src/oid4vc-issuance.service.ts, apps/oid4vc-issuance/libs/helpers/credential-sessions.builder.ts, apps/oid4vc-issuance/src/main.ts | Made batchCredentialIssuance optional in IssuerInitialConfig. Conditionally included batchCredentialIssuance in issuer config. Updated environment variable from ISSUANCE_NKEY_SEED to OIDC4VC_ISSUANCE_NKEY_SEED. Removed logging and added TODO comment. |
| Constants & Messages | libs/common/src/common.constant.ts, libs/common/src/response-messages/index.ts | Updated URL_OIDC_VERIFIER_SESSION_RESPONSE_GET_BY_ID with slash before fragment. Added oid4vpSession nested response message structure with success and error keys. |
| Database Schema & Migration | libs/prisma-service/prisma/schema.prisma, libs/prisma-service/prisma/migrations/20251105180717_created_table_oid4vp_presentation/migration.sql | Created oid4vp_presentations table with versioning and org-scoped data. Added model to schema with relation to organisation. Added X509_ED25519 enum value to SignerOption. |

Sequence Diagram

sequenceDiagram
    participant Client as Client
    participant GW as API Gateway
    participant NATS as NATS Bus
    participant Service as Verification Service
    participant Repo as Repository
    participant DB as Database

    Client->>GW: POST /wh/:id/openid4vc-verification
    GW->>GW: Validate Oid4vpPresentationWhDto
    GW->>Service: oid4vpPresentationWebhook(dto, id)
    Service->>NATS: Publish webhook-oid4vp-presentation
    NATS->>Service: webhook-oid4vp-presentation message
    Service->>Service: Resolve organization from contextCorrelationId
    Service->>Repo: storeOid4vpPresentationDetails(dto, orgId)
    Repo->>DB: Upsert into oid4vp_presentations
    alt Update existing
        DB->>DB: Set lastChangedBy, update state
    else Create new
        DB->>DB: Initialize with orgId, createdBy, presentationId
    end
    Repo-->>Service: Return upsert result
    Service-->>GW: Return stored details
    GW-->>Client: 201 CREATED

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Signer validation logic: Review conditional ValidateIf, IsDefined, and NotEquals decorators in CreateCredentialTemplateDto to ensure proper constraint enforcement for Mdoc format.
  • Webhook message flow: Verify NATS message routing from API gateway through service to repository, ensuring proper payload transformation and error handling.
  • Database schema changes: Confirm oid4vp_presentations table structure, foreign key constraints, unique indexes, and Prisma model relation configuration.
  • NATS configuration: Verify service constant changes (OIDC4VC_VERIFICATION_SERVICE, OIDC4VC_ISSUANCE_NKEY_SEED) are correctly referenced across modules.
  • State management: Review upsert logic in repository to ensure state transitions and lastChangedBy tracking work as intended.

Possibly related PRs

Suggested labels

feature

Suggested reviewers

  • RinkalBhojani
  • GHkrishna

Poem

🐰 A webhook hops through the NATS terrain,
Presentations now dance in the verification lane,
X509 options bloom anew,
With stricter validation rings so true,
Databases echo with stories to store! 📚✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: verification webhook' is related to a significant part of this changeset—specifically the webhook handling added across multiple files. However, the PR also addresses NATS configuration corrections and batch size issues during issuer creation, which are substantial changes not reflected in the title. |


Comment @coderabbitai help to get the list of available commands and usage tips.
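
The webhook path in the walkthrough and sequence diagram above, sketched as an added example: whitelist-parse the six DTO fields, resolve the organisation from `contextCorrelationId`, then upsert by session id without letting an update move a row to another organisation. This is not code from this PR or the project; the mapping of `id` to `verificationSessionId`, the state list, the tenant map, the in-memory store and the use of the organisation id as audit actor are assumptions.

```typescript
// Added example: field names follow the DTO and walkthrough on this page.
// The state list, tenant map and in-memory store are assumptions.
interface Oid4vpPresentationWh {
  id: string; state: string; authorizationRequestId: string;
  createdAt: string; updatedAt: string; contextCorrelationId: string;
}
interface PresentationRow {
  verificationSessionId: string; presentationId: string; state: string;
  orgId: string; createdBy: string; lastChangedBy: string;
}

// Assumed session states; use the set the verifier agent actually emits.
const KNOWN_STATES = new Set(['RequestCreated', 'RequestUriRetrieved', 'ResponseVerified', 'Error']);

function str(src: Record<string, unknown>, field: string): string {
  const v = src[field];
  if (typeof v !== 'string' || v.length === 0 || v.length > 256) {
    throw new Error(`invalid field: ${field}`);
  }
  return v;
}

// Copies only the six known fields, so extra keys in the body are dropped.
function parseWebhook(body: unknown): Oid4vpPresentationWh {
  if (typeof body !== 'object' || body === null) throw new Error('payload must be an object');
  const src = body as Record<string, unknown>;
  const dto: Oid4vpPresentationWh = {
    id: str(src, 'id'),
    state: str(src, 'state'),
    authorizationRequestId: str(src, 'authorizationRequestId'),
    createdAt: str(src, 'createdAt'),
    updatedAt: str(src, 'updatedAt'),
    contextCorrelationId: str(src, 'contextCorrelationId')
  };
  if (!KNOWN_STATES.has(dto.state)) throw new Error('unknown state');
  if (Number.isNaN(Date.parse(dto.createdAt)) || Number.isNaN(Date.parse(dto.updatedAt))) {
    throw new Error('invalid timestamp');
  }
  return dto;
}

class PresentationStore {
  private rows = new Map<string, PresentationRow>();
  private orgByContext: Map<string, string>;
  constructor(orgByContext: Map<string, string>) { this.orgByContext = orgByContext; }

  // Upsert keyed on the session id; the audit actor is assumed to be the resolved org.
  handleWebhook(body: unknown): PresentationRow {
    const dto = parseWebhook(body);
    const orgId = this.orgByContext.get(dto.contextCorrelationId);
    if (orgId === undefined) throw new Error('unknown contextCorrelationId');
    const existing = this.rows.get(dto.id);
    if (existing !== undefined && existing.orgId !== orgId) {
      throw new Error('session belongs to another organisation');
    }
    const row: PresentationRow = existing !== undefined
      ? { ...existing, state: dto.state, lastChangedBy: orgId }
      : { verificationSessionId: dto.id, presentationId: dto.authorizationRequestId,
          state: dto.state, orgId, createdBy: orgId, lastChangedBy: orgId };
    this.rows.set(dto.id, row);
    return row;
  }
  count(): number { return this.rows.size; }
}

// Constructed sample tenants and payload.
function newStore(): PresentationStore {
  return new PresentationStore(new Map([['tenant-a', 'org-1'], ['tenant-b', 'org-2']]));
}
const samplePayload = { id: 'session-123', state: 'RequestCreated', authorizationRequestId: 'auth-req-1',
  createdAt: '2025-11-06T08:37:15Z', updatedAt: '2025-11-06T08:37:15Z', contextCorrelationId: 'tenant-a' };

function outcome(store: PresentationStore, body: unknown): string {
  try { return store.handleWebhook(body).state; } catch (e) { return `rejected: ${(e as Error).message}`; }
}

const demoStore = newStore();
console.log(outcome(demoStore, samplePayload));
console.log(outcome(demoStore, { ...samplePayload, state: 'ResponseVerified' }));
console.log(outcome(demoStore, { ...samplePayload, contextCorrelationId: 'tenant-b' }));
```

Field validation of this kind does not authenticate the caller; the webhook route still needs its own check that the request came from the agent.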

@tipusinghaw tipusinghaw changed the title feat/verification webhook feat: verification webhook Nov 6, 2025
@tipusinghaw
Contributor Author

@coderabbitai review


coderabbitai bot commented Nov 6, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (2)
apps/oid4vc-issuance/src/oid4vc-issuance.service.ts (1)

103-109: Consider simplifying the conditional check.

The condition batchCredentialIssuanceSize && 0 < batchCredentialIssuanceSize is redundant. Since 0 < batchCredentialIssuanceSize already returns false for undefined, null, 0, or NaN, the truthy check is unnecessary.

Optionally apply this simplification:

-        ...(batchCredentialIssuanceSize && 0 < batchCredentialIssuanceSize
+        ...(0 < batchCredentialIssuanceSize
           ? {
               batchCredentialIssuance: {
                 batchSize: batchCredentialIssuanceSize
               }
             }
           : {})
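
Review bot: the `0 < batchCredentialIssuanceSize` test on the `+` line lets through any positive value, including fractions such as 2.5 and numeric strings such as '5' (the comparison coerces them), and those then land in `batchSize` unchanged. If the size originates from a request body or an environment variable, check `Number.isInteger(batchCredentialIssuanceSize)` together with the lower bound, and consider an upper limit so a caller cannot ask for an arbitrarily large batch.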

Additionally, the empty object in the false branch is unnecessary:

-        ...(0 < batchCredentialIssuanceSize
-          ? {
-              batchCredentialIssuance: {
-                batchSize: batchCredentialIssuanceSize
-              }
-            }
-          : {})
+        ...(0 < batchCredentialIssuanceSize && {
+          batchCredentialIssuance: {
+            batchSize: batchCredentialIssuanceSize
+          }
+        })
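
Review bot: the `&&` form on the first `+` line spreads `false` whenever the size is missing or not positive, which works but hides the "omit the key" branch that the ternary stated with `: {}`. I would keep the ternary, or build the issuer config first and assign `batchCredentialIssuance` inside an `if`, so the field that this PR makes optional in IssuerInitialConfig is visibly conditional at the call site.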
apps/api-gateway/src/oid4vc-issuance/dtos/oid4vp-presentation-wh.dto.ts (1)

1-27: Consider adding more comprehensive validation.

The DTO currently only validates that fields are strings. Consider adding additional validation decorators for better input validation and API documentation:

  • @IsNotEmpty() for required fields
  • @IsUUID() for the id field if it's a UUID
  • @IsDateString() or @IsISO8601() for createdAt and updatedAt fields
  • Example values in @ApiProperty({ example: '...' }) for better Swagger documentation

Apply this diff to enhance validation:

 import { ApiProperty } from '@nestjs/swagger';
-import { IsString } from 'class-validator';
+import { IsString, IsNotEmpty, IsUUID, IsDateString } from 'class-validator';
 export class Oid4vpPresentationWhDto {
-  @ApiProperty()
+  @ApiProperty({ example: '550e8400-e29b-41d4-a716-446655440000' })
+  @IsNotEmpty()
+  @IsUUID()
-  @IsString()
   id!: string;

-  @ApiProperty()
+  @ApiProperty({ example: 'completed' })
+  @IsNotEmpty()
   @IsString()
   state!: string;

-  @ApiProperty()
+  @ApiProperty()
+  @IsNotEmpty()
   @IsString()
   authorizationRequestId!: string;

-  @ApiProperty()
+  @ApiProperty({ example: '2025-11-06T08:37:15Z' })
+  @IsNotEmpty()
+  @IsDateString()
-  @IsString()
   createdAt!: string;

-  @ApiProperty()
+  @ApiProperty({ example: '2025-11-06T08:37:15Z' })
+  @IsNotEmpty()
+  @IsDateString()
-  @IsString()
   updatedAt!: string;

-  @ApiProperty()
+  @ApiProperty()
+  @IsNotEmpty()
   @IsString()
   contextCorrelationId!: string;
 }
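
Review bot: `state` and `contextCorrelationId` still accept any non-empty string after this change, and per the sequence diagram the service resolves the organisation from `contextCorrelationId` and persists `state` through the upsert, so these two fields deserve the tightest checks. Restrict `state` with `@IsIn([...])` over the states the verifier actually emits and bound `contextCorrelationId` with `@MaxLength` or a format match. Separately, `@IsUUID()` is applied to `id` unconditionally although the suggestion text says "if it's a UUID"; confirm the session id format first, or valid webhooks will be rejected at the gateway.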
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f956fb6 and b7a98f0.

📒 Files selected for processing (17)
  • apps/api-gateway/src/oid4vc-issuance/dtos/oid4vc-issuer-template.dto.ts (2 hunks)
  • apps/api-gateway/src/oid4vc-issuance/dtos/oid4vp-presentation-wh.dto.ts (1 hunks)
  • apps/api-gateway/src/oid4vc-verification/oid4vc-verification.controller.ts (4 hunks)
  • apps/api-gateway/src/oid4vc-verification/oid4vc-verification.module.ts (1 hunks)
  • apps/api-gateway/src/oid4vc-verification/oid4vc-verification.service.ts (2 hunks)
  • apps/oid4vc-issuance/interfaces/oid4vc-issuance.interfaces.ts (1 hunks)
  • apps/oid4vc-issuance/libs/helpers/credential-sessions.builder.ts (1 hunks)
  • apps/oid4vc-issuance/src/main.ts (1 hunks)
  • apps/oid4vc-issuance/src/oid4vc-issuance.service.ts (1 hunks)
  • apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts (1 hunks)
  • apps/oid4vc-verification/src/oid4vc-verification.controller.ts (2 hunks)
  • apps/oid4vc-verification/src/oid4vc-verification.repository.ts (2 hunks)
  • apps/oid4vc-verification/src/oid4vc-verification.service.ts (3 hunks)
  • libs/common/src/common.constant.ts (1 hunks)
  • libs/common/src/response-messages/index.ts (1 hunks)
  • libs/prisma-service/prisma/migrations/20251105180717_created_table_oid4vp_presentation/migration.sql (1 hunks)
  • libs/prisma-service/prisma/schema.prisma (4 hunks)
🔇 Additional comments (19)
apps/oid4vc-issuance/src/main.ts (1)

15-15: The environment variable change is correctly scoped and requires no action.

The update from ISSUANCE_NKEY_SEED to OIDC4VC_ISSUANCE_NKEY_SEED in the oid4vc-issuance app is a localized naming improvement that aligns with the service constant. Each service (webhook, issuance, oid4vc-issuance) maintains its own environment variable naming convention—the old variable remains appropriately used in other services. The constant exists and both entry points in the oid4vc-issuance app are consistent.

Likely an incorrect or invalid review comment.

apps/oid4vc-issuance/interfaces/oid4vc-issuance.interfaces.ts (1)

72-72: LGTM! Interface change aligns with conditional logic.

Making batchCredentialIssuance optional correctly reflects the conditional usage in the service layer, where it's only included when batchCredentialIssuanceSize is valid.

apps/api-gateway/src/oid4vc-issuance/dtos/oid4vc-issuer-template.dto.ts (1)

221-226: LGTM! Validation properly constrains signerOption for Mdoc credentials.

The conditional validation correctly enforces that:

  • signerOption must be defined when format is Mdoc
  • signerOption cannot be DID when format is Mdoc

This aligns well with the X.509 certificate requirements for mdoc credentials and complements the runtime validation needed in the builder.

apps/api-gateway/src/oid4vc-verification/oid4vc-verification.module.ts (1)

19-19: LGTM! Correct NATS service configuration.

This fix properly routes the verification module to OIDC4VC_VERIFICATION_SERVICE instead of the incorrect ISSUANCE_SERVICE constant. This aligns the module with its verification-specific functionality.

apps/api-gateway/src/oid4vc-verification/oid4vc-verification.service.ts (1)

86-94: LGTM! Webhook method properly integrated.

The new oid4vpPresentationWebhook method follows the established service pattern for NATS message handling and correctly forwards presentation webhook data to the verification service.

apps/oid4vc-verification/src/oid4vc-verification.repository.ts (1)

193-228: LGTM! Repository method properly implements presentation storage.

The upsert operation correctly handles webhook idempotency using verificationSessionId as the unique key. The field mapping from authorizationRequestId to presentationId is appropriate, and error handling is consistent with other repository methods.

libs/prisma-service/prisma/migrations/20251105180717_created_table_oid4vp_presentation/migration.sql (1)

1-21: LGTM! Migration properly creates presentation tracking table.

The table schema is well-designed with:

  • Appropriate UUID primary key
  • Unique constraint on verificationSessionId supporting idempotent upsert operations
  • Foreign key with ON DELETE RESTRICT preventing orphaned presentations
  • NOT NULL constraints ensuring data integrity
  • Timestamp defaults for audit tracking
apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts (1)

1-8: LGTM! Interface clearly defines webhook payload structure.

The Oid4vpPresentationWh interface provides proper typing for the verification presentation webhook payload, with descriptive property names that align with the database schema and service layer usage.

apps/oid4vc-verification/src/oid4vc-verification.controller.ts (2)

7-7: LGTM!

The import correctly brings in the Oid4vpPresentationWh interface for use in the new webhook handler.


96-102: LGTM!

The webhook handler is properly implemented as a NATS MessagePattern listener that accepts the presentation webhook payload and delegates processing to the service layer.

libs/prisma-service/prisma/schema.prisma (3)

155-155: LGTM!

The new relation correctly links the organisation model to the oid4vp_presentations table.


610-622: LGTM!

The new oid4vp_presentations model is well-structured with:

  • Proper UUID primary key
  • Unique constraint on verificationSessionId for efficient lookups
  • Complete audit trail fields (createdBy, createDateTime, lastChangedDateTime, lastChangedBy)
  • Foreign key relationship to the organisation table

624-628: LGTM!

The addition of X509_ED25519 to the SignerOption enum aligns with the X.509 certificate support mentioned in the PR objectives.

apps/api-gateway/src/oid4vc-verification/oid4vc-verification.controller.ts (4)

30-31: LGTM!

The additional Swagger imports support the new webhook endpoint's exclusion from API documentation.


38-38: LGTM!

Adding IResponseType to support the webhook endpoint's response structure.


50-50: LGTM!

Correctly imports the DTO for the webhook payload validation.


301-301: LGTM!

Correctly updated to use the session-specific response message key.

apps/oid4vc-verification/src/oid4vc-verification.service.ts (2)

30-30: LGTM!

Correctly imports the interface for the webhook payload.


286-290: LGTM!

The URL construction correctly uses the OIDC_VERIFIER_SESSION_RESPONSE_GET_BY_ID constant for building the verification session response endpoint.

Comment on lines 579 to 598
oid4vpSession: {
success: {
create: 'OID4VP session verifier created successfully.',
update: 'OID4V session verifier updated successfully.',
delete: 'OID4VP session verifier deleted successfully.',
fetch: 'OID4VP session verifier(s) fetched successfully.',
getById: 'OID4VP session verifier details fetched successfully.'
},
error: {
notFound: 'OID4VP session verifier not found.',
invalidId: 'Invalid OID4VP session verifier ID.',
createFailed: 'Failed to create OID4VP session verifier.',
updateFailed: 'Failed to update OID4VP session verifier.',
deleteFailed: 'Failed to delete OID4VP session verifier.',
notFoundIssuerDisplay: 'Issuer display not found.',
notFoundIssuerDetails: 'Issuer details not found.',
verifierIdAlreadyExists: 'Verifier ID already exists for this verifier.',
deleteTemplate: 'Error while deleting template.'
}
},
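
Review bot: three keys in the `error` block (`notFoundIssuerDisplay`, `notFoundIssuerDetails`, `deleteTemplate`) carry issuer and template wording under `oid4vpSession`, which reads as carried over from another message set. Drop the ones the verification session code never returns, or reword them, so an error response for a verification session cannot mention an issuer or a template.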
@coderabbitai coderabbitai bot Nov 6, 2025

⚠️ Potential issue | 🟡 Minor

Fix typo in success message.

Line 582 contains a typo: "OID4V session" should be "OID4VP session" (missing 'P').

Apply this diff to fix the typo:

-      update: 'OID4V session verifier updated successfully.',
+      update: 'OID4VP session verifier updated successfully.',
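
Review bot: the changed key here is `update`, while the AI-agent prompt attached to this same suggestion names `success.create` as the string with the typo. In the quoted block `create` already reads 'OID4VP', so the fix belongs on `update` only; anyone applying the prompt text rather than this diff should be pointed at the right key.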
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
oid4vpSession: {
success: {
create: 'OID4VP session verifier created successfully.',
update: 'OID4V session verifier updated successfully.',
delete: 'OID4VP session verifier deleted successfully.',
fetch: 'OID4VP session verifier(s) fetched successfully.',
getById: 'OID4VP session verifier details fetched successfully.'
},
error: {
notFound: 'OID4VP session verifier not found.',
invalidId: 'Invalid OID4VP session verifier ID.',
createFailed: 'Failed to create OID4VP session verifier.',
updateFailed: 'Failed to update OID4VP session verifier.',
deleteFailed: 'Failed to delete OID4VP session verifier.',
notFoundIssuerDisplay: 'Issuer display not found.',
notFoundIssuerDetails: 'Issuer details not found.',
verifierIdAlreadyExists: 'Verifier ID already exists for this verifier.',
deleteTemplate: 'Error while deleting template.'
}
},
oid4vpSession: {
success: {
create: 'OID4VP session verifier created successfully.',
update: 'OID4VP session verifier updated successfully.',
delete: 'OID4VP session verifier deleted successfully.',
fetch: 'OID4VP session verifier(s) fetched successfully.',
getById: 'OID4VP session verifier details fetched successfully.'
},
error: {
notFound: 'OID4VP session verifier not found.',
invalidId: 'Invalid OID4VP session verifier ID.',
createFailed: 'Failed to create OID4VP session verifier.',
updateFailed: 'Failed to update OID4VP session verifier.',
deleteFailed: 'Failed to delete OID4VP session verifier.',
notFoundIssuerDisplay: 'Issuer display not found.',
notFoundIssuerDetails: 'Issuer details not found.',
verifierIdAlreadyExists: 'Verifier ID already exists for this verifier.',
deleteTemplate: 'Error while deleting template.'
}
},
🤖 Prompt for AI Agents
In libs/common/src/response-messages/index.ts around lines 579 to 598, the
success.create message has a typo ("OID4V session" missing the 'P'); update that
string to "OID4VP session verifier created successfully." so it consistently
matches the other OID4VP messages.

Contributor

@tipusinghaw I think we missed this

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

@GHkrishna
Contributor

@tipusinghaw
Did you have a look at the poem coderabbit created for us 😄

🐰 A webhook hops through the NATS terrain,
Presentations now dance in the verification lane,
X509 options bloom anew,
With stricter validation rings so true,
Databases echo with stories to store! 📚✨

Signed-off-by: Tipu_Singh <[email protected]>
sonarqubecloud bot commented Nov 6, 2025

@tipusinghaw
Contributor Author

@tipusinghaw Did you have a look at the poem coderabbit created for us 😄

🐰 A webhook hops through the NATS terrain,
Presentations now dance in the verification lane,
X509 options bloom anew,
With stricter validation rings so true,
Databases echo with stories to store! 📚✨

That's great :-)

@GHkrishna GHkrishna left a comment

Looks good, just that one spelling mistake needs to be corrected.


@GHkrishna GHkrishna added enhancement Improving existing code or adding enhancement bug Something isn't working labels Nov 6, 2025
@tipusinghaw tipusinghaw merged commit d935f2d into feat/oidc-main-sync Nov 6, 2025
5 checks passed
RinkalBhojani pushed a commit that referenced this pull request Nov 17, 2025
* feat: verification webhook implementation

Signed-off-by: Tipu_Singh <[email protected]>

* fix: batch size and nats config

Signed-off-by: Tipu_Singh <[email protected]>

* fix: review comment

Signed-off-by: Tipu_Singh <[email protected]>

---------

Signed-off-by: Tipu_Singh <[email protected]>
tipusinghaw added a commit that referenced this pull request Nov 28, 2025
RinkalBhojani pushed a commit that referenced this pull request Dec 16, 2025