fix: do not enumerate all VCTM claims in fallback DCQL query #481
Pull request overview
This PR adjusts the verifier’s fallback DCQL query construction so that, when presentation request templates aren’t available, it no longer enumerates all claims from the VCTM into the DCQL query (preventing “request everything” behavior and aligning disclosure decisions with the wallet unless operators explicitly configure claim paths via templates).
Changes:
- Remove VCTM claim enumeration from `buildDCQLQueryFromConfig()` so fallback DCQL omits `claims`.
- Add/extend tests to assert that fallback DCQL credentials do not populate `Claims`.
- Add clarifying inline documentation for the fallback behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/verifier/apiv1/client.go | Stops fallback DCQL generation from enumerating VCTM claims; adds explanatory comment. |
| internal/verifier/apiv1/client_test.go | Adds assertion that fallback DCQL does not populate Claims. |
| // This is the fallback path used when no presentation request templates are configured. | ||
| // It does NOT enumerate individual claims from the VCTM — instead it omits the Claims | ||
| // field, letting the wallet decide what to disclose. To request specific claims, | ||
| // configure presentation request templates with explicit DCQL claim paths. |
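Review bot: "letting the wallet decide what to disclose", on the second and third comment lines, leaves the outcome of the fallback unspecified. State what the verifier expects a wallet to return for a credential query that has no Claims field, so an operator running without templates knows what they will receive, and say whether the verifier accepts whatever subset comes back.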
Good point — updated the doc comment to mention template loading failures as well.
When no presentation request templates are configured, the verifier falls back to buildDCQLQueryFromConfig() which iterated all claims from the VCTM and added them to the DCQL query. This caused the verifier to request every possible claim from the wallet, ignoring any claim filtering configured in presentation request templates.

Remove the VCTM claim enumeration from the fallback path. When no templates are configured, the DCQL query now omits the Claims field entirely, letting the wallet decide what to disclose. To request specific claims, configure presentation request templates with explicit DCQL claim paths.

Fixes SUNET#480
Summary
Fixes #480
When no presentation request templates are configured (`presentation_requests_dir` not set), the verifier falls back to `buildDCQLQueryFromConfig()` which iterated all claims from the VCTM and added them to the DCQL query. This caused the verifier to request every possible claim from the wallet, regardless of what the operator intended.

Changes

- `internal/verifier/apiv1/client.go`: Remove VCTM claim enumeration from `buildDCQLQueryFromConfig()`. The fallback DCQL query now omits the `Claims` field entirely, letting the wallet decide what to disclose. To request specific claims, operators should configure presentation request templates with explicit DCQL claim paths.
- `internal/verifier/apiv1/client_test.go`: Add assertion that fallback DCQL credentials do not enumerate individual claims.

Testing

- `buildDCQLQueryFromConfig` and `createDCQLQuery` test suites)
- `scope with VCTM containing claims` test case now explicitly verifies that claims are not populated in fallback mode
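
A minimal sketch of the change described above, as an added example that is not the project's code: the types, `buildQuery`, `coversAllVCTM` and the sample claim paths are hypothetical, and claim paths are simplified to strings. It contrasts the removed enumeration with the fixed fallback and includes a check that a regression test could use to reject a query asking for every VCTM claim.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type ClaimQuery struct{ Path []string `json:"path"` } // hypothetical simplified types, not the project's

type CredentialQuery struct {
	ID     string              `json:"id"`
	Format string              `json:"format"`
	Meta   map[string][]string `json:"meta"`
	Claims []ClaimQuery        `json:"claims,omitempty"` // nil: "claims" key is left out of the JSON
}

// buildQuery copies every VCTM claim path only when enumerate is true (the removed behaviour).
func buildQuery(vct string, vctm [][]string, enumerate bool) CredentialQuery {
	q := CredentialQuery{ID: "cred", Format: "dc+sd-jwt", Meta: map[string][]string{"vct_values": {vct}}}
	for _, p := range vctm {
		if enumerate {
			q.Claims = append(q.Claims, ClaimQuery{Path: p})
		}
	}
	return q
}

// coversAllVCTM reports whether q asks for every claim path the VCTM defines.
func coversAllVCTM(q CredentialQuery, vctm [][]string) bool {
	asked := map[string]bool{}
	for _, c := range q.Claims {
		asked[strings.Join(c.Path, "\x00")] = true
	}
	missing := len(vctm) == 0
	for _, p := range vctm {
		missing = missing || !asked[strings.Join(p, "\x00")]
	}
	return !missing
}

func main() {
	sample := [][]string{{"given_name"}, {"birth_date"}, {"address", "street"}} // constructed VCTM paths
	for _, enumerate := range []bool{true, false} {
		q := buildQuery("urn:example:pid", sample, enumerate)
		b, _ := json.Marshal(q)
		fmt.Printf("enumerate=%v requests_all=%v %s\n", enumerate, coversAllVCTM(q, sample), b)
	}
}
```

A template-built query that names only some paths also returns false from `coversAllVCTM`, so the check separates deliberate, narrow requests from the "request everything" case.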