npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

ethr-status-registry

v2.1.3

Published

Verifiable Credential status resolver using an ethereum contract as registry

Downloads

22

Readme

ethr-status-registry

Verifiable Credential status resolver using an ethereum contract as registry

This library can check the revocation status of a credential against a registry deployed as an ethereum smart contract. This library only supports credentials that embed a credentialStatus field.

Usage

Check credential status

Normally, this is used in conjunction with the credential-status library, so besides configuring it there's not much else to do. If your use-case requires direct verification it can also be used independently:

const statusReg = new EthrStatusRegistry(config)

//... obtain issuer DID document either from `did-jwt`->`verifyJWT` or `did-resolver` -> `resolve()`
const revocationStatus = await statusReg.checkStatus(token, didDocument)
// {revoked : false}

Config

There is an easy way to use an infuraProjectId to quickly configure it for the popular public ethereum networks.

import { EthrStatusRegistry } from 'ethr-status-registry'
import { Status } from 'credential-status'

const status = new Status({
    ...new EthrStatusRegistry({infuraProjectId: 'YOUR Infura PROJECT ID HERE'}).asStatusMethod,
})

You can also use your own web3 providers and can specify your own custom networks:

new EthrStatusRegistry({
  networks: [
    { name: 'mainnet', rpcUrl: 'http://127.0.0.1:8545' },
    { name: 'rinkeby', rpcUrl: 'rinkeby.example.com' },
    { name: 'customNetwork', provider: new JsonRpcProvider('http://custom.network:8545') }
  ]
})

Revoke a credential

A credential can be revoked by anyone, but the convention is that issuer controlled ethereumAddresses are considered valid revokers. An issuer controlled ethereumAddress appears as one of the PublicKey entries in the DID document of the issuer of the credential.

import { EthrCredentialRevoker } from 'ethr-status-registry'
import { sign } from `ethjs-signer`

const privateKey = '0x<Issuer Private Key>'
const ethSigner = (rawTx: any, cb: any) => cb(null, sign(rawTx, privateKey))

const credential = '<JWT token with credentialStatus>'
const revoker = new EthrCredentialRevoker({ infuraProjectId: '<Your infura project ID>' })
const txHash = await revoker.revoke(credential, ethSigner)

after the transaction gets mined, the credential is considered revoked.

Example

An example JWT that includes a credentialStatus field:

eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJpYXQiOjE1ODg5MjIyMDEsImNyZWRlbnRpYWx
TdGF0dXMiOnsidHlwZSI6IkV0aHJTdGF0dXNSZWdpc3RyeTIwMTkiLCJpZCI6InJpbmtlYnk6MHg5N2
ZkMjc4OTJjZGNEMDM1ZEFlMWZlNzEyMzVjNjM2MDQ0QjU5MzQ4In0sImlzcyI6ImRpZDpldGhyOjB4N
TRkNTllM2ZmZDc2OTE3ZjYyZGI3MDJhYzM1NGIxN2YzODQyOTU1ZSJ9.0sLZupOnyrdZPQAhtfa2eP_
2HN_FELJu_clbXBrk9SgaU_ZO0izjDLTnNkip9RVM6ED0nLznfT35XHk6_C9S_Q

The payload of this token decodes like this:

{
  "credentialStatus": {
    "type": "EthrStatusRegistry2019",
    "id": "rinkeby:0x97fd27892cdcD035dAe1fe71235c636044B59348"
  },
  "iss": "did:ethr:0x54d59e3ffd76917f62db702ac354b17f3842955e",
  //...
}

This is based on the credentialStatus proposal in the W3C spec.

The issuer of this credential (iss) has a DID document that contains a publicKey entry like so:

{
  "type": "Secp256k1VerificationKey2018",
  "ethereumAddress": "0x54d59e3ffd76917f62db702ac354b17f3842955e"
  //...
}

which is considered to be a valid revoker.

How this works

The credentialStatus entry embedded in the payload tells the credential-status library that this credential revocation status can be checked using the EthrStatusRegistry2019 implementation. This library provides such an implementation and maps it to the correct method (EthrStatusRegistry2019) through the asStatusMethod property.

Next, this library interprets the status field, extracting the registry address 0x97fd27892cdcD035dAe1fe71235c636044B59348 and the network name rinkeby where the contract should exist.

Next, it computes a keccak hash of the credential and gathers ethereumAddress entries from the issuer DID document It uses these params to call the revoked() method of the contract and obtain a revocation result.

Notes

Consider this a draft implementation since many of the standards are still in development.

Limitations

  • it supports only ethereumAddress entries from the provided DID document
  • the library returns a boolean result, so it's not easy to learn the time of revocation. This will probably be fixed in a future version of the lib.

Potential improvements

  • use secp256k1 publicKey entries and automatically compute their corresponding ethereumAddress as valid revokers
  • provide a credentialStatus entry that can override or augment the entry embedded in credentials.
  • also, there may be default registries deployed so that credentials don't have to specify their own.

Other improvement proposals are welcome.