Home / Input Output / atala-prism-wallet-sdk-ts
Insights Pull Requests
May 17, 1-2 AM (0)
May 17, 2-3 AM (0)
May 17, 3-4 AM (0)
May 17, 4-5 AM (0)
May 17, 5-6 AM (0)
May 17, 6-7 AM (0)
May 17, 7-8 AM (0)
May 17, 8-9 AM (0)
May 17, 9-10 AM (0)
May 17, 10-11 AM (0)
May 17, 11-12 PM (0)
May 17, 12-1 PM (0)
May 17, 1-2 PM (0)
May 17, 2-3 PM (0)
May 17, 3-4 PM (0)
May 17, 4-5 PM (0)
May 17, 5-6 PM (0)
May 17, 6-7 PM (0)
May 17, 7-8 PM (0)
May 17, 8-9 PM (0)
May 17, 9-10 PM (0)
May 17, 10-11 PM (0)
May 17, 11-12 AM (0)
May 18, 12-1 AM (0)
May 18, 1-2 AM (0)
May 18, 2-3 AM (0)
May 18, 3-4 AM (0)
May 18, 4-5 AM (0)
May 18, 5-6 AM (0)
May 18, 6-7 AM (0)
May 18, 7-8 AM (0)
May 18, 8-9 AM (0)
May 18, 9-10 AM (0)
May 18, 10-11 AM (0)
May 18, 11-12 PM (0)
May 18, 12-1 PM (0)
May 18, 1-2 PM (0)
May 18, 2-3 PM (0)
May 18, 3-4 PM (0)
May 18, 4-5 PM (2)
May 18, 5-6 PM (0)
May 18, 6-7 PM (0)
May 18, 7-8 PM (0)
May 18, 8-9 PM (0)
May 18, 9-10 PM (0)
May 18, 10-11 PM (2)
May 18, 11-12 AM (0)
May 19, 12-1 AM (0)
May 19, 1-2 AM (0)
May 19, 2-3 AM (0)
May 19, 3-4 AM (0)
May 19, 4-5 AM (0)
May 19, 5-6 AM (0)
May 19, 6-7 AM (0)
May 19, 7-8 AM (0)
May 19, 8-9 AM (0)
May 19, 9-10 AM (0)
May 19, 10-11 AM (0)
May 19, 11-12 PM (1)
May 19, 12-1 PM (0)
May 19, 1-2 PM (0)
May 19, 2-3 PM (1)
May 19, 3-4 PM (4)
May 19, 4-5 PM (0)
May 19, 5-6 PM (0)
May 19, 6-7 PM (0)
May 19, 7-8 PM (0)
May 19, 8-9 PM (0)
May 19, 9-10 PM (0)
May 19, 10-11 PM (0)
May 19, 11-12 AM (0)
May 20, 12-1 AM (0)
May 20, 1-2 AM (0)
May 20, 2-3 AM (0)
May 20, 3-4 AM (0)
May 20, 4-5 AM (0)
May 20, 5-6 AM (2)
May 20, 6-7 AM (0)
May 20, 7-8 AM (4)
May 20, 8-9 AM (0)
May 20, 9-10 AM (0)
May 20, 10-11 AM (2)
May 20, 11-12 PM (0)
May 20, 12-1 PM (0)
May 20, 1-2 PM (0)
May 20, 2-3 PM (0)
May 20, 3-4 PM (1)
May 20, 4-5 PM (2)
May 20, 5-6 PM (1)
May 20, 6-7 PM (1)
May 20, 7-8 PM (0)
May 20, 8-9 PM (0)
May 20, 9-10 PM (0)
May 20, 10-11 PM (0)
May 20, 11-12 AM (0)
May 21, 12-1 AM (0)
May 21, 1-2 AM (0)
May 21, 2-3 AM (3)
May 21, 3-4 AM (0)
May 21, 4-5 AM (0)
May 21, 5-6 AM (0)
May 21, 6-7 AM (5)
May 21, 7-8 AM (0)
May 21, 8-9 AM (1)
May 21, 9-10 AM (0)
May 21, 10-11 AM (0)
May 21, 11-12 PM (0)
May 21, 12-1 PM (0)
May 21, 1-2 PM (0)
May 21, 2-3 PM (0)
May 21, 3-4 PM (0)
May 21, 4-5 PM (0)
May 21, 5-6 PM (0)
May 21, 6-7 PM (0)
May 21, 7-8 PM (0)
May 21, 8-9 PM (0)
May 21, 9-10 PM (0)
May 21, 10-11 PM (0)
May 21, 11-12 AM (0)
May 22, 12-1 AM (0)
May 22, 1-2 AM (0)
May 22, 2-3 AM (0)
May 22, 3-4 AM (0)
May 22, 4-5 AM (0)
May 22, 5-6 AM (0)
May 22, 6-7 AM (0)
May 22, 7-8 AM (0)
May 22, 8-9 AM (0)
May 22, 9-10 AM (0)
May 22, 10-11 AM (0)
May 22, 11-12 PM (0)
May 22, 12-1 PM (0)
May 22, 1-2 PM (0)
May 22, 2-3 PM (0)
May 22, 3-4 PM (0)
May 22, 4-5 PM (0)
May 22, 5-6 PM (0)
May 22, 6-7 PM (0)
May 22, 7-8 PM (0)
May 22, 8-9 PM (0)
May 22, 9-10 PM (0)
May 22, 10-11 PM (0)
May 22, 11-12 AM (0)
May 23, 12-1 AM (0)
May 23, 1-2 AM (0)
May 23, 2-3 AM (0)
May 23, 3-4 AM (0)
May 23, 4-5 AM (0)
May 23, 5-6 AM (2)
May 23, 6-7 AM (0)
May 23, 7-8 AM (0)
May 23, 8-9 AM (0)
May 23, 9-10 AM (0)
May 23, 10-11 AM (0)
May 23, 11-12 PM (0)
May 23, 12-1 PM (0)
May 23, 1-2 PM (0)
May 23, 2-3 PM (0)
May 23, 3-4 PM (0)
May 23, 4-5 PM (0)
May 23, 5-6 PM (0)
May 23, 6-7 PM (0)
May 23, 7-8 PM (0)
May 23, 8-9 PM (0)
May 23, 9-10 PM (0)
May 23, 10-11 PM (0)
May 23, 11-12 AM (0)
May 24, 12-1 AM (0)
May 24, 1-2 AM (0)
34 commits this week May 17, 2026 - May 24, 2026
A-Chronicle
A-Chronicle · · atala-prism-wallet-sdk-ts
fix(pollux): add regex validation to prevent ReDoS in presentation verification 
The validateField method in PresentationVerify passes the filter.pattern
from the presentation definition directly to new RegExp() without any
safety checks. An attacker can craft a presentation request with a regex
pattern that causes catastrophic backtracking (e.g. (a|aa)+b), blocking
the JavaScript event loop indefinitely.

This is an unauthenticated attack vector since the presentation definition
originates from an external verifier.

Add a safeRegex utility that:
- Validates the pattern is a non-empty string
- Enforces a maximum pattern length of 256 characters
- Verifies the pattern compiles as a valid regex
- Detects and rejects patterns with nested quantifiers (ReDoS vectors)
- Detects and rejects patterns with alternation inside quantified groups

Fixes #646

Signed-off-by: A-Chronicle <[email protected]>
7fc68238 · pull/647/head · 3/100 ++ 1 --
A-Chronicle
A-Chronicle · · atala-prism-wallet-sdk-ts
fix(pollux): add regex validation to prevent ReDoS in presentation verification 
The validateField method in PresentationVerify passes the filter.pattern
from the presentation definition directly to new RegExp() without any
safety checks. An attacker can craft a presentation request with a regex
pattern that causes catastrophic backtracking (e.g. (a|aa)+b), blocking
the JavaScript event loop indefinitely.

This is an unauthenticated attack vector since the presentation definition
originates from an external verifier.

Add a safeRegex utility that:
- Validates the pattern is a non-empty string
- Enforces a maximum pattern length of 256 characters
- Verifies the pattern compiles as a valid regex
- Detects and rejects patterns with nested quantifiers (ReDoS vectors)
- Detects and rejects patterns with alternation inside quantified groups

Fixes #646

Signed-off-by: A-Chronicle <[email protected]>
6eb9e88a · pull/647/head · 3/38 ++ 1 --
A-Chronicle
A-Chronicle · · atala-prism-wallet-sdk-ts
fix(mercury,castor): replace unsafe JWK as any casts with runtime type validation 
Remove unsafe `as any` casts when accessing `x` and `kid` fields on
publicKeyJwk. Use the SDKs existing `expect()` utility and explicit
type guards to validate that JWK coordinates are present before
passing them to cryptographic operations.

- DIDCommDIDResolver: use `expect()` instead of `as any` for `x`, drop
  unnecessary `as any` for `kid` (already typed on JWK.Base)
- prism/index.ts: replace `as any` on `x` with typeof guard throwing
  InvalidKeyError when x is missing or not a string
- Add test: missing JWK x coordinate in DIDDoc throws InvalidKeyError

Fixes #625

Signed-off-by: A-Chronicle <[email protected]>
c53be990 · pull/645/head · 3/31 ++ 4 --
A-Chronicle
A-Chronicle · · atala-prism-wallet-sdk-ts
fix: restore SD+JWT credentials from backup (issue #458) 
When backing up SD+JWT credentials, only the JWT ID field was being
stored instead of the full SDJWT JWS. This caused restore to fail
because SDJWTCredential.fromJWS() expects the complete JWS including
disclosures.

Changes:
- Modified Backup.ts to reconstruct full SDJWT JWS from JWT + disclosures
- Updated tests to use correct data format for SDJWT restore
- Added SDJWT to round-trip backup/restore test
- Exported credential JWS strings from fixtures for test use

Fixes #458

Signed-off-by: A-Chronicle <[email protected]>
fd1a1cfa · pull/623/head~2 · 3/37 ++ 6 --
A-Chronicle
A-Chronicle · · atala-prism-wallet-sdk-ts
fix: add SDJWT disclosure handling and type-safe error handling during backup 
- Add proper type assertions and validation for credential data
- Handle disclosure objects with _encoded property format
- Improve SDJWT JWS reconstruction logic
- Add SDJWT with disclosures test fixture and test coverage
- Replace import type with runtime import for Domain error classes

Signed-off-by: A-Chronicle <[email protected]>
60dec1d1 · pull/623/head · 3/61 ++ 19 --
A-Chronicle
A-Chronicle · · atala-prism-wallet-sdk-ts
docs: add comments explaining DID verification relationships and key purposes 
- Add module-level documentation to FindDIDSigningKeys explaining:
  * DID verification relationships concept
  * ISSUING_KEY ↔ assertionMethod mapping (for credential issuance)
  * AUTHENTICATION_KEY ↔ authentication mapping (for DID ownership proofs)
  * Why multiple keys exist (key rotation, security, scalability)
  * Reference to W3C DID Core Specification
  * Other verification relationships: keyAgreement, capabilityInvocation, capabilityDelegation

- Enhance CreateJwt documentation:
  * Explain SSI JWT use cases
  * Clarify why ISSUING_KEY is default for credential issuance
  * Document when to use AUTHENTICATION_KEY for authentication flows
  * Add complete JSDoc parameter descriptions

- Add CreateSDJWT documentation:
  * Explain Selective Disclosure JWT (SD-JWT) concept
  * Document privacy-preserving credential sharing use case
  * Reference RFC 9052 specification
  * Explain verification process
  * Confirm SD-JWT also defaults to ISSUING_KEY

- Add matchKeys() documentation:
  * Explain key matching algorithm
  * Clarify multibase and JWK encoding support
  * Ensure keys are authorized for requested purpose

- Provide complete DID document structure example with all verification relationships
- Clarify that SDK currently supports ISSUING_KEY and AUTHENTICATION_KEY

Addresses issue #598: Makes it easier for new contributors to understand
DID verification relationships, key purposes, and SSI concepts.

Signed-off-by: A-Chronicle <[email protected]>
09ac600b · pull/604/head · 3/138 ++ 25 --
A-Chronicle
A-Chronicle · · atala-prism-wallet-sdk-ts
docs: add comments explaining DID verification relationships and key purposes 
- Add module-level documentation to FindDIDSigningKeys explaining:
  * DID verification relationships concept
  * ISSUING_KEY ↔ assertionMethod mapping (for credential issuance)
  * AUTHENTICATION_KEY ↔ authentication mapping (for DID ownership proofs)
  * Why multiple keys exist (key rotation, security, scalability)
  * Reference to W3C DID Core Specification
  * Other verification relationships: keyAgreement, capabilityInvocation, capabilityDelegation

- Enhance CreateJwt documentation:
  * Explain SSI JWT use cases
  * Clarify why ISSUING_KEY is default for credential issuance
  * Document when to use AUTHENTICATION_KEY for authentication flows
  * Add complete JSDoc parameter descriptions

- Add CreateSDJWT documentation:
  * Explain Selective Disclosure JWT (SD-JWT) concept
  * Document privacy-preserving credential sharing use case
  * Reference RFC 9052 specification
  * Explain verification process
  * Confirm SD-JWT also defaults to ISSUING_KEY

- Add matchKeys() documentation:
  * Explain key matching algorithm
  * Clarify multibase and JWK encoding support
  * Ensure keys are authorized for requested purpose

- Provide complete DID document structure example with all verification relationships
- Clarify that SDK currently supports ISSUING_KEY and AUTHENTICATION_KEY

Addresses issue #598: Makes it easier for new contributors to understand
DID verification relationships, key purposes, and SSI concepts.

Signed-off-by: A-Chronicle <[email protected]>
b7b42440 · pull/604/head · 3/161 ++ 19 --
TheSeydiCharyyev
TheSeydiCharyyev · · atala-prism-wallet-sdk-ts
fix(mediation): add async fallback for the keylist-update response 
Addresses review feedback on #566: the mediator may answer a
keylist-update either inline in the same HTTP reply or asynchronously
as a separate inbound message, and the SDK should handle both.

updateKeyListWithDID now registers a MESSAGE listener before sending.
When Send resolves with a matching inline response that response is
used directly (path A); otherwise the method waits for the response to
arrive on the MESSAGE event (path B), racing against the existing 60 s
timeout. The response is matched by piuri and by a thread id equal to
either the outgoing message id or the registered peer DID.

Tests cover the async success path, a response threaded on the peer
DID, an async failure result, and a non-matching thid timing out.

Signed-off-by: Seydi Charyyev <[email protected]>
685e8624 · pull/566/head · 2/165 ++ 43 --
abhigyan1102
abhigyan1102 · · atala-prism-wallet-sdk-ts
feat(pollux): wire SD-JWT requiredClaimKeys from presentation request to verify 
Extract required claim keys from the presentation request's
input_descriptors.constraints.fields and forward them to
SDJWT.verify() during presentation verification. Previously
hardcoded to [], which meant @sd-jwt/core never enforced that
required claims were actually disclosed by the holder.

Fixes #366

Signed-off-by: Abhigyan Singh <[email protected]>
4f6c7942 · pull/644/head · 2/285 ++ 9 --
TheSeydiCharyyev
TheSeydiCharyyev · · atala-prism-wallet-sdk-ts
fix(mediation): add return_route to keylist-update so the response is observable 
The previous flow assumed Send.run would resolve to the mediator's
keylist-update-response. In practice it always resolved to undefined:
DIDCommConnection.send returned the registered handler's result rather
than the parsed message, and the SDK never asked the mediator for an
inline reply. Per coordinate-mediation 2.0 the mediator only answers
synchronously when the request carries `return_route: "all"`, and
Mercury auto-attaches that header for the piuris in ReturnRouteProtocols
(packages/wasm/didcomm/src/Wrapper.ts) -- but keylist-update was never
on that list. So every keylist-update went out without return_route, the
mediator dispatched the response asynchronously, and the client never
observed it.

Add keylist-update to ReturnRouteProtocols, make DIDCommConnection.send
return the inline response, and rewrite updateKeyListWithDID to send the
message, race the call against a 60 s timeout, assert the response is a
Message with the expected piuri and a thid matching the outgoing id, and
validate the body via MediationKeysUpdateResponse (throws on any
non-success / non-no_change result).

Tests cover success, no_change, client_error, server_error, malformed
body, timeout, wrong piuri, wrong thid and a missing response. A guard
on ReturnRouteProtocols prevents the same kind of regression that
originally introduced this bug (PR #85).

Closes #391

Signed-off-by: Seydi Charyyev <[email protected]>
411f6955 · pull/566/head~1 · 11/385 ++ 17 --
Showing 25 of 34 recent commits. Check out Input Output on GitHub to see more.