Skip to content

[INJICERT-#902]: Integrate inji-verify as library in certify #928

Merged
swatigoel merged 11 commits into
inji:release-1.0.xfrom
Infosys:INJICERT_902_release-1.0.x
Jul 6, 2026
Merged

[INJICERT-#902]: Integrate inji-verify as library in certify #928
swatigoel merged 11 commits into
inji:release-1.0.xfrom
Infosys:INJICERT_902_release-1.0.x

Conversation

@Sakshiijk

@Sakshiijk Sakshiijk commented Jul 6, 2026

Copy link
Copy Markdown

#902

Summary by CodeRabbit

  • New Features
    • Certify now uses built-in verification (embedded inji-verify) for VP request creation and VP verification results, improving local and bundled deployment support.
    • The service is now served from the root path (context path overridden to /).
  • Bug Fixes
    • Improved VP submission/verification handling, including more reliable identity extraction and clearer authorization denial logging.
    • Updated scanning and wiring to ensure embedded verification components are properly included.
  • Chores
    • Added/updated database tables and migrations for storing VP authorization, presentation definitions, and verification submissions.
    • Updated Maven dependencies and test/local configuration for embedded verification.

Sakshiijk and others added 10 commits July 6, 2026 15:38
Signed-off-by: Sakshiijk <sakshi.jhanwar@infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
…elease-1.0.x

Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Certify service now embeds inji-verify for VP request and presentation processing, updates Spring wiring and configuration, and adds supporting database schema plus startup scripts for the new verification tables.

Changes

Embedded inji-verify integration

Layer / File(s) Summary
Dependency and Spring wiring for inji-verify
certify-service/pom.xml, certify-service/src/main/java/io/mosip/certify/CertifyServiceApplication.java, certify-service/src/main/java/io/mosip/certify/config/AppConfig.java, certify-service/src/main/java/io/mosip/certify/config/CertifyContextPathOverride.java, certify-service/src/main/java/io/mosip/certify/services/CertifyIssuanceServiceImpl.java
Adds Maven repositories and the verify-service library dependency, imports its AppConfig, expands component and JPA/entity scan packages, adds a context path override bean, and qualifies the PixelPass bean.
VP request creation via embedded library
certify-service/src/main/java/io/mosip/certify/services/IarVpRequestService.java
Refactors VP request creation to call VerifiablePresentationRequestService, maps PresentationDefinition into library DTOs, and updates response mapping and configuration validation.
VP submission and verification via embedded library
certify-service/src/main/java/io/mosip/certify/services/IarPresentationService.java
Refactors VP submission and verification to use embedded inji-verify services, updates verification detail shaping, and adjusts identity extraction for the new result structure.
Configuration property updates
certify-service/src/main/resources/application-local.properties, certify-service/src/test/resources/application-test.properties, docker-compose/docker-compose-injistack/config/certify-default.properties
Removes external verify-service endpoint properties and adds embedded inji-verify library properties for requests, submissions, DID key access, and keystore settings.
Database schema and docker-compose init
db_scripts/inji_certify/ddl.sql, db_scripts/inji_certify/ddl/verify-*.sql, db_upgrade_script/inji_certify/sql/0.14.0_to_1.0.0_upgrade.sql, db_upgrade_script/inji_certify/sql/0.14.0_to_1.0.0_rollback.sql, docker-compose/docker-compose-injistack/certify_init.sql, docker-compose/docker-compose-injistack/docker-compose.yaml
Adds authorization_request_details, presentation_definition, vc_submission, and vp_submission tables with indexes and comments across DDL, upgrade, rollback, and docker-compose init scripts; removes the separate verify init mount and commented service block.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Wallet
  participant IarPresentationService
  participant VerifiablePresentationSubmissionService
  participant VerifiablePresentationRequestService
  participant IarSessionRepository

  Wallet->>IarPresentationService: submit VP token
  IarPresentationService->>IarPresentationService: parse vp_token and presentation_submission
  IarPresentationService->>VerifiablePresentationSubmissionService: submit(requestId, transactionId, vpData)
  VerifiablePresentationSubmissionService-->>IarPresentationService: submission response
  IarPresentationService->>VerifiablePresentationRequestService: getLatestRequestIds(transactionId)
  VerifiablePresentationRequestService-->>IarPresentationService: request ids
  IarPresentationService->>VerifiablePresentationSubmissionService: getVPResultV2(...)
  VerifiablePresentationSubmissionService-->>IarPresentationService: VPVerificationResultDto
  IarPresentationService->>IarSessionRepository: store authorization code
  IarPresentationService-->>Wallet: authorization response
Loading

Suggested reviewers: swatigoel, ckm007

Poem

🐇 I hop through requests, both fast and neat,
With inji-verify now in the seat.
New tables bloom in rows so spry,
And springtime config lights the sky.
Hop hop—this certify update feels sweet!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly states the main change: integrating inji-verify as a library in certify.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
certify-service/src/main/java/io/mosip/certify/services/IarVpRequestService.java (1)

194-205: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

validateConfiguration() throws unchecked IllegalStateException, breaking the method's CertifyException contract.

createVpRequest(...) declares throws CertifyException, but validateConfiguration() (called at line 78, before the try/catch blocks) throws IllegalStateException on missing config. This propagates as an unhandled runtime exception rather than a structured CertifyException, likely surfacing as a generic 500 to callers instead of the API's expected error contract.

Per prior guidance on this codebase, configuration validation is best performed once at application startup rather than per-request; if runtime validation must remain here, at minimum wrap it in CertifyException for a consistent error contract.

🛠️ Suggested fix
     private void validateConfiguration() {
         if (!StringUtils.hasText(vpRequestConfigUrl)) {
-            throw new IllegalStateException("mosip.certify.vp-request.config-file-url must be configured");
+            throw new CertifyException("unknown_error", "mosip.certify.vp-request.config-file-url must be configured");
         }
         if (!StringUtils.hasText(verifierClientId)) {
-            throw new IllegalStateException("mosip.certify.verify.service.verifier-client-id must be configured");
+            throw new CertifyException("unknown_error", "mosip.certify.verify.service.verifier-client-id must be configured");
         }
         if (!StringUtils.hasText(certifyIaeEndpoint)) {
-            throw new IllegalStateException("mosip.certify.oauth.interactive-authorization-endpoint must be configured");
+            throw new CertifyException("unknown_error", "mosip.certify.oauth.interactive-authorization-endpoint must be configured");
         }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@certify-service/src/main/java/io/mosip/certify/services/IarVpRequestService.java`
around lines 194 - 205, validateConfiguration() in IarVpRequestService currently
throws IllegalStateException, which bypasses createVpRequest(...)’s
CertifyException contract and can surface as an unhandled runtime error. Move
this configuration check to startup if possible; otherwise, update
validateConfiguration() (or its call site in createVpRequest()) to catch
missing-config failures and rethrow a CertifyException with the same messages so
the service returns a consistent error type.

Source: Learnings

🧹 Nitpick comments (3)
certify-service/pom.xml (1)

29-41: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Broadly-enabled snapshot repository widens supply-chain surface.

The new ossrh-inji repository enables snapshots without restricting resolution to a specific groupId, so any transitive/direct dependency declared as a -SNAPSHOT could resolve through this repo, not just io.inji.verify. Combined with the pre-existing jitpack.io repo, this increases the trusted-artifact surface for the build.

Consider scoping the repository to the io.inji* groupId (e.g., via a repository manager mirror/content filter) once your build tooling supports it, to reduce accidental snapshot resolution from unrelated coordinates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@certify-service/pom.xml` around lines 29 - 41, The new ossrh-inji entry in
the repository section is too broad because snapshots can resolve for any
-SNAPSHOT dependency, not just the intended io.inji.verify artifacts. Update the
Maven repository configuration in the repository block to scope snapshot access
to the io.inji* groupId using the build tool’s supported content filter or a
repository manager mirror. Keep the change localized to the repository
definitions so only the ossrh-inji repository behavior is tightened.
db_upgrade_script/inji_certify/sql/0.14.0_to_1.0.0_upgrade.sql (1)

28-97: 🗄️ Data Integrity & Integration | 🔵 Trivial | ⚖️ Poor tradeoff

No enforced FK constraints between the new verify tables despite documented relationships.

vp_submission.request_id is commented as a foreign key to authorization_request_details.request_id (line 87), and both authorization_request_details.transaction_id and vc_submission.transaction_id are described as linking to the issuance session — but none of these are backed by actual FOREIGN KEY constraints. This allows orphaned rows if either side of the relationship is deleted independently.

Given this schema is likely mirrored from the embedded inji-verify library's own JPA entities, confirm whether the library manages these relationships itself (e.g., via application-level cleanup) before adding constraints that could conflict with its expected DDL.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@db_upgrade_script/inji_certify/sql/0.14.0_to_1.0.0_upgrade.sql` around lines
28 - 97, The new verify tables document relationships that are not enforced by
the schema, so add the missing foreign key constraints in the upgrade script for
certify.vp_submission, certify.authorization_request_details, and
certify.vc_submission where appropriate. Use the existing table definitions and
column names in the script to wire vp_submission.request_id to
authorization_request_details.request_id, and verify whether transaction_id
should also reference the issuance-session table before adding constraints that
could conflict with the embedded inji-verify library’s expected DDL. Keep the
current indexes and comments, but make the actual relational links explicit in
the CREATE TABLE or follow-up ALTER statements.
docker-compose/docker-compose-injistack/config/certify-default.properties (1)

245-245: 🚀 Performance & Scalability | 🔵 Trivial

Long-polling in the embedded library has a documented multi-pod scaling limitation.

Per inji-verify's own release notes, Long-polling listeners are implemented within the service layer, preventing the backend from scaling effectively in a multi-pod (distributed) environment. Since this PR embeds the library directly into certify-service (rather than running it as an independently-scaled service), this limitation now directly constrains certify-service's own horizontal scalability for VP flows.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker-compose/docker-compose-injistack/config/certify-default.properties` at
line 245, The inji.vp-request.long-polling-timeout setting introduces a backend
long-polling dependency that limits horizontal scaling in multi-pod deployments.
Remove this property from certify-service’s embedded configuration or replace it
with a non-long-polling VP flow setting, and update the related
certify-default.properties entry so the service no longer relies on the
long-polling listener behavior from the embedded library.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@certify-service/pom.xml`:
- Around line 252-263: The dependency on verify-service is pinned to a SNAPSHOT,
which makes builds non-reproducible over time. Update the verify-service entry
in the pom dependency block to a stable release version instead of
0.18.2-SNAPSHOT, while keeping the existing pixelpass-jar exclusion unchanged;
if a release is not available yet, add an explicit fallback strategy for
snapshot unavailability before merging.

In `@docker-compose/docker-compose-injistack/config/certify-default.properties`:
- Around line 244-250: The shared docker-compose injistack config is using a
checked-in test keystore and password for VP signing/verification, which should
not be hardcoded in a network-facing deployment. Update the
inji.verify.keystore.file.path and inji.verify.keystore.file.pass entries in
certify-default.properties to read from environment-injected values or Docker
secrets, using the existing inji-verify property keys so the compose stack can
supply a per-environment keystore instead of classpath:sample-keystore/test.p12
and mosip. If this stack is intentionally ephemeral, add clear documentation
near these properties to state that it is non-production only.

---

Outside diff comments:
In
`@certify-service/src/main/java/io/mosip/certify/services/IarVpRequestService.java`:
- Around line 194-205: validateConfiguration() in IarVpRequestService currently
throws IllegalStateException, which bypasses createVpRequest(...)’s
CertifyException contract and can surface as an unhandled runtime error. Move
this configuration check to startup if possible; otherwise, update
validateConfiguration() (or its call site in createVpRequest()) to catch
missing-config failures and rethrow a CertifyException with the same messages so
the service returns a consistent error type.

---

Nitpick comments:
In `@certify-service/pom.xml`:
- Around line 29-41: The new ossrh-inji entry in the repository section is too
broad because snapshots can resolve for any -SNAPSHOT dependency, not just the
intended io.inji.verify artifacts. Update the Maven repository configuration in
the repository block to scope snapshot access to the io.inji* groupId using the
build tool’s supported content filter or a repository manager mirror. Keep the
change localized to the repository definitions so only the ossrh-inji repository
behavior is tightened.

In `@db_upgrade_script/inji_certify/sql/0.14.0_to_1.0.0_upgrade.sql`:
- Around line 28-97: The new verify tables document relationships that are not
enforced by the schema, so add the missing foreign key constraints in the
upgrade script for certify.vp_submission, certify.authorization_request_details,
and certify.vc_submission where appropriate. Use the existing table definitions
and column names in the script to wire vp_submission.request_id to
authorization_request_details.request_id, and verify whether transaction_id
should also reference the issuance-session table before adding constraints that
could conflict with the embedded inji-verify library’s expected DDL. Keep the
current indexes and comments, but make the actual relational links explicit in
the CREATE TABLE or follow-up ALTER statements.

In `@docker-compose/docker-compose-injistack/config/certify-default.properties`:
- Line 245: The inji.vp-request.long-polling-timeout setting introduces a
backend long-polling dependency that limits horizontal scaling in multi-pod
deployments. Remove this property from certify-service’s embedded configuration
or replace it with a non-long-polling VP flow setting, and update the related
certify-default.properties entry so the service no longer relies on the
long-polling listener behavior from the embedded library.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: faaecf4d-d353-4b63-9e5d-504680ab6807

📥 Commits

Reviewing files that changed from the base of the PR and between a366c80 and bc13ce1.

📒 Files selected for processing (20)
  • certify-service/pom.xml
  • certify-service/src/main/java/io/mosip/certify/CertifyServiceApplication.java
  • certify-service/src/main/java/io/mosip/certify/config/AppConfig.java
  • certify-service/src/main/java/io/mosip/certify/config/CertifyContextPathOverride.java
  • certify-service/src/main/java/io/mosip/certify/services/CertifyIssuanceServiceImpl.java
  • certify-service/src/main/java/io/mosip/certify/services/IarPresentationService.java
  • certify-service/src/main/java/io/mosip/certify/services/IarVpRequestService.java
  • certify-service/src/main/resources/application-local.properties
  • certify-service/src/main/resources/sample-keystore/test.p12
  • certify-service/src/test/resources/application-test.properties
  • db_scripts/inji_certify/ddl.sql
  • db_scripts/inji_certify/ddl/verify-authorization_request_details.sql
  • db_scripts/inji_certify/ddl/verify-presentation_definition.sql
  • db_scripts/inji_certify/ddl/verify-vc_submission.sql
  • db_scripts/inji_certify/ddl/verify-vp_submission.sql
  • db_upgrade_script/inji_certify/sql/0.14.0_to_1.0.0_rollback.sql
  • db_upgrade_script/inji_certify/sql/0.14.0_to_1.0.0_upgrade.sql
  • docker-compose/docker-compose-injistack/certify_init.sql
  • docker-compose/docker-compose-injistack/config/certify-default.properties
  • docker-compose/docker-compose-injistack/docker-compose.yaml
💤 Files with no reviewable changes (1)
  • docker-compose/docker-compose-injistack/docker-compose.yaml

Comment thread certify-service/pom.xml
Signed-off-by: Sakshiijk <sakshi.jhanwar@ad.infosys.com>
@Sakshiijk Sakshiijk changed the title [INJICERT_902]: Integrate inji-verify as library in certify [INJICERT-#902]: Integrate inji-verify as library in certify Jul 6, 2026
@swatigoel swatigoel merged commit 1e60ed1 into inji:release-1.0.x Jul 6, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants