BREAKING: VCHolder multitenant binding #3391
Conversation
|
@jamshale the missing tenant auth would be on me as I added this route. As for the soft binding I'm not aware of it's concept and seems to be at another layer in the code. Great find |
|
The goal of the "soft binding" was to enable binding a separate vc holder implementation to, for example, delegate storage of credentials to an external service. This was a need that we had but it would seem I didn't consider implications on multi-tenancy deeply enough. |
|
I'd like to take just a bit of time to understand how the soft binding caused this behavior. I'll report back very soon or else we can go ahead and merge with Patrick's approval. |
|
No problem, let's wait a bit then. |
Signed-off-by: jamshale <[email protected]>
Signed-off-by: Daniel Bluhm <[email protected]>
Signed-off-by: Daniel Bluhm <[email protected]>
|
Discussed in discord but for posterity's sake recording the discussion here. I pulled down Jamie's changes and dug around a bit and came up with a solution that enable us to retain the soft binding while making sure the correct profile was being used with the VC Holder interface. I also did a bit of tuning on the VC routes open api, building off of the updates Jamie had already made, correcting a few more things that were causing the OpenAPI to not accurately reflect what the endpoints expected. One of those changes included making the return value of This does technically constitute a breaking change and also means that this endpoint no longer perfectly aligns with https://w3c-ccg.github.io/vc-api/#get-credentials. @PatStLouis recommended we go ahead with this change regardless. |
Signed-off-by: Daniel Bluhm <[email protected]>
|
|
I will suggest the same change to the vc-api group so we maintain alignment. |
| @@ -153,7 +160,7 @@ async def store_credential_route(request: web.BaseRequest): | |||
| options = LDProofVCOptions.deserialize(options) | |||
|
|
|||
| await manager.verify_credential(vc) | |||
| await manager.store_credential(vc, options, cred_id) | |||
There was a problem hiding this comment.
The intention here was to enable the controller to set tags and pass them through options if they want to build a custom tag querying integration. This can be revisited at a later time, and we would likely provide the tags directly to the store_credential function instead of the options object.
|
Can someone please put into a comment a paragraph about the breaking change.
|
|
I'm going to squash and merge this soon. I can look into the backports after. |
swcurran
changed the title
|
We can safely ignore Sonar Cloud's complaint; most of the lines it's complaining about are just OpenAPI schemas and the remainder are covered by the scenario testing. |
I know this
"soft binding"was done for a reason, but it appears the multitenant storage issue is happening because of it. It was causing credentials to be stored in the base wallet. It's the only class with the soft binding.Also for some reason the tenant authentication method was missing on this endpoint for some reason and had no openapi examples :/
@dbluhm Do you have insight into the soft_binding? I can't really remember what it's for.