Feat/evault provisioning via phone

[coodos]

Description of change

Issue Number

Type of change

• Breaking (any change that would cause existing functionality to not work as expected)
• New (a change which implements a new feature)
• Update (a change which updates existing functionality)
• Fix (a change which fixes an issue)
• Docs (changes to the documentation)
• Chore (refactoring, build scripts or anything else that isn't user-facing)

How the change has been tested

Change checklist

• I have ensured that the CI Checks pass locally
• I have removed any unnecessary logic
• My code is well documented
• I have signed my commits
• My code follows the pattern of the application
• I have self reviewed my code

Summary by CodeRabbit

• New Features

  • Introduced a multi-step, real-time identity verification flow with passport and selfie capture, integrated with backend services for status updates and approval.
  • Added dynamic user and vault data loading, replacing static placeholders throughout the app.
  • Implemented a utility for string capitalization and exposed it for use in components.
  • Added a "nuke wallet" action in settings to clear user data and reset onboarding.
  • Integrated CORS support in backend services for improved cross-origin compatibility.
  • Added database support for verification sessions, including migrations, entities, and real-time event streaming.

• Bug Fixes

  • Improved error handling and state management in user and vault controllers.

• Refactor

  • Reformatted UI components and route handlers for clarity and maintainability.
  • Updated environment and build configurations for better development and production support.

• Chores

  • Updated and expanded package dependencies for both frontend and backend projects.
  • Added new scripts and configuration for database migrations and development workflows.

• Tests

  • Introduced Svelte stores and utility modules to support new verification flows and state management.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

This update introduces a comprehensive identity verification and vault provisioning flow, spanning both the frontend (eid-wallet) and backend (evault-provisioner, registry). It adds new verification steps, dynamic user and document data handling, backend API integration, TypeORM-based persistence, event-driven status updates, and utility enhancements. Several new modules, entities, controllers, and configuration improvements are included.

Changes

Files/Groups	Change Summary
infrastructure/eid-wallet/package.json infrastructure/evault-provisioner/package.json platforms/registry/package.json	Added/updated dependencies and scripts for verification, HTTP, CORS, TypeORM, and utilities.
infrastructure/eid-wallet/src/lib/fragments/IdentityCard/IdentityCard.svelte infrastructure/eid-wallet/src/lib/ui/Button/ButtonAction.svelte	Code formatting and minor markup adjustments for clarity; no logic changes.
infrastructure/eid-wallet/src/lib/global/controllers/evault.ts	New VaultController class for vault state management.
infrastructure/eid-wallet/src/lib/global/controllers/user.ts	Added document getter/setter to UserController with async and error handling.
infrastructure/eid-wallet/src/lib/global/state.ts	Added vaultController property to GlobalState.
infrastructure/eid-wallet/src/lib/utils/capitalize.ts infrastructure/eid-wallet/src/lib/utils/index.ts	Added and exported new capitalize utility function.
infrastructure/eid-wallet/src/routes/(app)/ePassport/+page.svelte infrastructure/eid-wallet/src/routes/(app)/main/+page.svelte infrastructure/eid-wallet/src/routes/(app)/settings/+page.svelte infrastructure/eid-wallet/src/routes/(auth)/e-passport/+page.svelte infrastructure/eid-wallet/src/routes/(auth)/review/+page.svelte	Refactored to fetch and display dynamic user, document, and vault data from global state; removed hardcoded values; added wallet reset logic.
infrastructure/eid-wallet/src/routes/(auth)/verify/+page.svelte	Major rewrite: implements multi-step, real-time verification flow with backend API, SSE, and vault provisioning.
infrastructure/eid-wallet/src/routes/(auth)/verify/steps/passport.svelte infrastructure/eid-wallet/src/routes/(auth)/verify/steps/selfie.svelte	New components for passport and selfie capture, camera access, and image upload.
infrastructure/eid-wallet/src/routes/(auth)/verify/store.ts	New Svelte store module for verification step, media, and status state.
infrastructure/eid-wallet/src/routes/+layout.svelte	Added container height and scroll classes; enabled style block.
infrastructure/eid-wallet/svelte.config.js	Added SvelteKit env directory configuration.
infrastructure/evault-provisioner/src/config/database.ts	New TypeORM DataSource setup for PostgreSQL with env config.
infrastructure/evault-provisioner/src/controllers/VerificationController.ts	New controller for verification session management, SSE, media upload, webhooks, and API integration.
infrastructure/evault-provisioner/src/entities/Verification.ts	New TypeORM entity for verification records.
infrastructure/evault-provisioner/src/index.ts	Integrated CORS, database, new verification endpoints, and improved provision request validation.
infrastructure/evault-provisioner/src/migrations/1748932757644-migration.ts infrastructure/evault-provisioner/src/migrations/1748966722767-migration.ts infrastructure/evault-provisioner/src/migrations/1748968097591-migration.ts	New database migrations for verification table and schema evolution.
infrastructure/evault-provisioner/src/services/VerificationService.ts	New service for verification entity CRUD and queries.
infrastructure/evault-provisioner/src/utils/eventEmitter.ts	New event emitter utility for SSE and event-driven updates.
infrastructure/evault-provisioner/src/utils/hmac.ts	New HMAC signature creation and verification utilities.
infrastructure/evault-provisioner/tsconfig.json	Switched to CommonJS, enabled decorators and metadata.
platforms/registry/src/index.ts	Added CORS, improved formatting, and re-enabled entropy endpoint.

Sequence Diagram(s)

End-to-End Verification and Vault Provisioning Flow

sequenceDiagram
    participant User as User (Frontend)
    participant EidWallet as eid-wallet (Svelte)
    participant Provisioner as evault-provisioner (Backend)
    participant Veriff as Veriff API
    participant Registry as Registry Service

    User->>EidWallet: Start verification
    EidWallet->>Provisioner: POST /verification (create session)
    Provisioner->>Veriff: Create session via API
    Veriff-->>Provisioner: Session ID
    Provisioner-->>EidWallet: Session ID

    User->>EidWallet: Capture passport & selfie
    EidWallet->>Provisioner: POST /verification/:id/media (upload images)
    Provisioner->>Veriff: Forward images

    Veriff-->>Provisioner: Webhook (verification decision)
    Provisioner->>EidWallet: SSE status updates

    EidWallet->>Provisioner: POST /provision (with verificationId)
    Provisioner->>Registry: POST /register (register vault)
    Registry-->>Provisioner: Vault info
    Provisioner-->>EidWallet: Vault details

    EidWallet->>User: Display vault & onboarding complete

Loading

Possibly related PRs

• MetaState-Prototype-Project/prototype#119: Both PRs modify the same layout file to control height and scrolling, showing a direct code-level connection.
• MetaState-Prototype-Project/prototype#188: Both PRs update vault and user controllers, global state integration, and verification flow with backend interaction, indicating close feature relation.

Suggested reviewers

• sosweetham
• JulienAuvo

Poem

🐇
A passport snap, a selfie bright,
Through streams and steps, we check what's right.
The vault now opens, safe and sound,
With backend bits and bytes abound.
From code to cloud, our journey's spun—
Identity, secure, begun!
🗝️✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5992cac and e5bfecd.

📒 Files selected for processing (2)

• infrastructure/eid-wallet/src/lib/utils/capitalize.ts (1 hunks)
• infrastructure/evault-provisioner/src/utils/hmac.ts (1 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 33

🔭 Outside diff range comments (1)

infrastructure/evault-provisioner/src/index.ts (1)

141-149: 🛠️ Refactor suggestion

Improve error handling specificity

The current error handling loses the original error message when it's not an Axios error.

         } catch (error) {
-            const axiosError = error as AxiosError;
-            res.status(500).json({
-                success: false,
-                error: axiosError.response?.data || axiosError.message,
-                message: "Failed to provision evault instance",
-            });
+            if (error instanceof AxiosError) {
+                res.status(500).json({
+                    success: false,
+                    error: error.response?.data || error.message,
+                    message: "Failed to provision evault instance",
+                });
+            } else {
+                res.status(500).json({
+                    success: false,
+                    error: error instanceof Error ? error.message : String(error),
+                    message: "Failed to provision evault instance",
+                });
+            }
         }

🧹 Nitpick comments (24)

infrastructure/evault-provisioner/src/utils/hmac.ts (1)

1-1: Use node: protocol for Node.js imports.

Following Node.js best practices, builtin modules should be imported with the node: protocol for better clarity and explicit indication of Node.js modules.

-import { createHmac } from "crypto";
+import { createHmac } from "node:crypto";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

infrastructure/evault-provisioner/src/utils/eventEmitter.ts (1)

1-1: Use the node: protocol for Node.js builtin imports.

The import should use the node: protocol to be more explicit about importing a Node.js builtin module, following modern best practices.

-import { EventEmitter } from "events"
+import { EventEmitter } from "node:events"

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

infrastructure/evault-provisioner/src/migrations/1748966722767-migration.ts (1)

1-1: Optimize imports for better tree-shaking.

Use import type for type-only imports to ensure they are removed by the compiler and avoid loading unnecessary modules.

-import { MigrationInterface, QueryRunner } from "typeorm";
+import type { MigrationInterface, QueryRunner } from "typeorm";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

infrastructure/evault-provisioner/src/migrations/1748968097591-migration.ts (1)

1-1: Optimize imports by using import type for TypeORM interfaces.

The static analysis tool correctly identifies that these imports are only used as types. Using import type ensures they're removed during compilation and avoids loading unnecessary modules.

-import { MigrationInterface, QueryRunner } from "typeorm";
+import type { MigrationInterface, QueryRunner } from "typeorm";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

infrastructure/eid-wallet/src/routes/(app)/ePassport/+page.svelte (2)

11-13: Remove unused shareEPassport function.

The shareEPassport function is no longer used since the share button was removed from the UI. Consider removing it to keep the code clean.

-    function shareEPassport() {
-        alert("EPassport Code shared!");
-    }

---

21-21: Consider removing debug console.log.

The console.log(userData) appears to be for debugging purposes and should be removed in production code.

-        console.log(userData);

infrastructure/evault-provisioner/src/migrations/1748932757644-migration.ts (1)

1-1: Optimize imports by using import type for TypeORM interfaces.

Same as the other migration file - these imports are only used as types and should use import type.

-import { MigrationInterface, QueryRunner } from "typeorm";
+import type { MigrationInterface, QueryRunner } from "typeorm";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

infrastructure/eid-wallet/src/routes/(app)/settings/+page.svelte (2)

18-22: LGTM! Consider adding confirmation dialog for wallet reset.

The nukeWallet function correctly clears user data and security PIN before navigating to onboarding. This provides a clean reset mechanism for the wallet.

Consider adding a confirmation dialog before executing the wallet reset to prevent accidental data loss.

---

57-57: Replace placeholder text with meaningful label.

The ButtonAction component contains placeholder text "asdfasdf" which should be replaced with a descriptive label for the wallet reset functionality.

-    <ButtonAction callback={nukeWallet}>asdfasdf</ButtonAction>
+    <ButtonAction callback={nukeWallet}>Reset Wallet</ButtonAction>

infrastructure/evault-provisioner/src/config/database.ts (1)

4-4: Use Node.js import protocol for built-in modules.

Following the static analysis hint, use the node: protocol for Node.js built-in modules for better clarity and explicit indication.

-import { join } from "path"
+import { join } from "node:path"

🧰 Tools

🪛 Biome (1.9.4)

[error] 4-4: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

infrastructure/eid-wallet/src/lib/global/controllers/evault.ts (1)

17-17: Consider more descriptive variable name.

The variable name resolvedUser in the promise resolution should be resolvedVault to match the context.

-                .then((resolvedUser) => {
-                    this.#store.set("vault", resolvedUser);
+                .then((resolvedVault) => {
+                    this.#store.set("vault", resolvedVault);

🧰 Tools

🪛 Biome (1.9.4)

[error] 17-17: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found '.'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 17-17: Expected a parameter but instead found '('.

Expected a parameter here.

(parse)

---

[error] 17-17: expected , but instead found resolvedUser

Remove resolvedUser

(parse)

---

[error] 17-17: Expected a class method body but instead found '=>'.

Expected a class method body here.

(parse)

---

[error] 17-17: Do not add then to a class.

(lint/suspicious/noThenProperty)

infrastructure/eid-wallet/src/lib/fragments/IdentityCard/IdentityCard.svelte (1)

44-44: Break down the long CSS class string for better readability.

This single line contains a complex conditional expression that's difficult to read and maintain. Consider extracting this logic into a computed property or breaking it into multiple lines.

-    const baseClasses = `relative ${variant === "eName" ? "bg-black-900" : variant === "ePassport" ? "bg-primary" : "bg-gray"}  rounded-3xl w-full min-h-[150px] text-white overflow-hidden`;
+    const getBackgroundClass = (variant: string) => {
+        switch (variant) {
+            case "eName": return "bg-black-900";
+            case "ePassport": return "bg-primary"; 
+            default: return "bg-gray";
+        }
+    };
+    
+    const baseClasses = `relative ${getBackgroundClass(variant)} rounded-3xl w-full min-h-[150px] text-white overflow-hidden`;

platforms/registry/src/index.ts (1)

38-47: Improve authorization header validation.

The authorization header validation could be more robust and provide clearer error messages.

 const checkSharedSecret = async (request: any, reply: any) => {
     const authHeader = request.headers.authorization;
-    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    if (!authHeader) {
+        return reply
+            .status(401)
+            .send({ error: "Authorization header is required" });
+    }
+    
+    if (!authHeader.startsWith("Bearer ")) {
         return reply
             .status(401)
-            .send({ error: "Missing or invalid authorization header" });
+            .send({ error: "Authorization header must use Bearer token format" });
     }

infrastructure/eid-wallet/src/routes/(auth)/verify/steps/passport.svelte (1)

52-52: Remove debug console.log statements.

Debug console.log statements should be removed from production code.

-            console.log("huh?");
             const context1 = canvas1.getContext("2d");
             // ...
-                console.log("here???");

Also applies to: 72-72

infrastructure/evault-provisioner/src/entities/Verification.ts (1)

20-21: Consider more specific typing for the data field.

The Record<string, unknown> type is quite loose. Consider defining a more specific interface for the expected data structure.

+interface VerificationData {
+    // Define specific fields based on your verification data structure
+    [key: string]: unknown;
+}

-    @Column({ type: "jsonb", nullable: true })
-    data!: Record<string, unknown>;
+    @Column({ type: "jsonb", nullable: true })
+    data?: VerificationData | null;

infrastructure/evault-provisioner/src/services/VerificationService.ts (2)

1-2: Use import type for type-only imports.

Following the static analysis hint, imports that are only used as types should use import type to ensure they're removed during compilation.

-import { DeepPartial, Repository } from "typeorm";
-import { Verification } from "../entities/Verification";
+import type { DeepPartial, Repository } from "typeorm";
+import type { Verification } from "../entities/Verification";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

9-12: Consider adding input validation.

The create method should validate input data to ensure data integrity and provide better error messages.

     async create(data: Partial<Verification>): Promise<Verification> {
+        if (!data || Object.keys(data).length === 0) {
+            throw new Error("Verification data cannot be empty");
+        }
+        
         const verification = this.verificationRepository.create(data);
         return await this.verificationRepository.save(verification);
     }

infrastructure/evault-provisioner/src/index.ts (3)

8-8: Use Node.js protocol for builtin module import

For better clarity and consistency with modern Node.js practices.

-import path from "path";
+import path from "node:path";

🧰 Tools

🪛 Biome (1.9.4)

[error] 8-8: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

---

9-9: Remove unused import

The createHmacSignature import is not used in this file.

-import { createHmacSignature } from "./utils/hmac";

---

99-103: Simplify URL construction

The template literal is not needed here as noted by static analysis.

-                new URL(
-                    `/.well-known/jwks.json`,
-                    process.env.PUBLIC_REGISTRY_URL,
-                ).toString(),
+                new URL(
+                    "/.well-known/jwks.json",
+                    process.env.PUBLIC_REGISTRY_URL,
+                ).toString(),

🧰 Tools

🪛 Biome (1.9.4)

[error] 100-100: Do not use template literals if interpolation and special-character handling are not needed.

Unsafe fix: Replace with string literal

(lint/style/noUnusedTemplateLiteral)

infrastructure/eid-wallet/src/lib/global/controllers/user.ts (1)

57-72: Consider extracting common promise handling logic

Both user and document setters have identical promise handling logic. Consider extracting this to reduce duplication.

private async handleAsyncSetter<T>(
    key: string,
    value: Promise<T | undefined> | T | undefined
): Promise<void> {
    if (value instanceof Promise) {
        try {
            const resolved = await value;
            await this.#store.set(key, resolved);
        } catch (error) {
            console.error(`Failed to set ${key}:`, error);
        }
    } else {
        await this.#store.set(key, value);
    }
}

set user(user: Promise<Record<string, string> | undefined> | Record<string, string> | undefined) {
    this.handleAsyncSetter("user", user);
}

set document(document: Promise<Record<string, string> | undefined> | Record<string, string> | undefined) {
    this.handleAsyncSetter("doc", document);
}

Also applies to: 89-106

🧰 Tools

🪛 Biome (1.9.4)

[error] 61-61: expected ) but instead found ,

Remove ,

(parse)

---

[error] 63-63: expected a semicolon to end the class property, but found none

(parse)

---

[error] 63-63: expected a semicolon to end the class property, but found none

(parse)

---

[error] 63-63: expected a semicolon to end the class property, but found none

(parse)

---

[error] 63-63: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found ')'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 64-64: expected a semicolon to end the class property, but found none

(parse)

---

[error] 64-64: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found '.'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 64-64: Expected a parameter but instead found '('.

Expected a parameter here.

(parse)

---

[error] 64-64: expected , but instead found resolvedUser

Remove resolvedUser

(parse)

---

[error] 64-64: Expected a class method body but instead found '=>'.

Expected a class method body here.

(parse)

---

[error] 65-65: expected a semicolon to end the class property, but found none

(parse)

---

[error] 65-65: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found '.'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 65-65: expected a semicolon to end the class property, but found none

(parse)

---

[error] 65-65: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found ')'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 66-66: Expected a statement but instead found ').catch((error) =>'.

Expected a statement here.

(parse)

---

[error] 68-68: Expected a statement but instead found ')'.

Expected a statement here.

(parse)

---

[error] 69-69: Expected a statement but instead found '} else'.

Expected a statement here.

(parse)

---

[error] 63-63: Duplicate class member name "user"

(lint/suspicious/noDuplicateClassMembers)

---

[error] 64-64: Duplicate class member name "user"

(lint/suspicious/noDuplicateClassMembers)

---

[error] 65-65: Duplicate private class member "#store"

(syntax/correctness/noDuplicatePrivateClassMembers)

---

[error] 64-64: Do not add then to a class.

(lint/suspicious/noThenProperty)

---

[error] 66-68: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

---

[error] 69-71: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

infrastructure/eid-wallet/src/routes/(auth)/verify/store.ts (1)

5-7: Initialize writable stores with explicit null values

For consistency and clarity, consider initializing all nullable stores with explicit null values.

-export const DocFront = writable<string | null>();
-export const Selfie = writable<string | null>();
-export const verificaitonId = writable<string | null>();
+export const DocFront = writable<string | null>(null);
+export const Selfie = writable<string | null>(null);
+export const verificationId = writable<string | null>(null);

infrastructure/evault-provisioner/src/controllers/VerificationController.ts (2)

1-2: Use import type for type-only imports

These imports are only used as types and should use import type syntax.

-import { Request, Response } from "express";
-import { VerificationService } from "../services/VerificationService";
+import type { Request, Response } from "express";
+import type { VerificationService } from "../services/VerificationService";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

12-20: Remove unnecessary axios interceptor

The response interceptor doesn't add any functionality and can be removed.

-veriffClient.interceptors.response.use(
-    (response) => {
-        return response;
-    },
-    async function (error) {
-        if (!error.response) return Promise.reject(error);
-        return Promise.reject(error);
-    },
-);

🧰 Tools

🪛 Biome (1.9.4)

[error] 16-19: This function expression can be turned into an arrow function.

Function expressions that don't use this can be turned into arrow functions.
Safe fix: Use an arrow function instead.

(lint/complexity/useArrowFunction)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 60bf4eb and c645a19.

⛔ Files ignored due to path filters (4)

• infrastructure/eid-wallet/src-tauri/gen/apple/eid-wallet.xcodeproj/project.pbxproj is excluded by !**/gen/**
• infrastructure/eid-wallet/static/images/CameraCircle.svg is excluded by !**/*.svg
• infrastructure/eid-wallet/static/images/CameraFrame.svg is excluded by !**/*.svg
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (33)

• infrastructure/eid-wallet/package.json (1 hunks)
• infrastructure/eid-wallet/src/lib/fragments/IdentityCard/IdentityCard.svelte (1 hunks)
• infrastructure/eid-wallet/src/lib/global/controllers/evault.ts (1 hunks)
• infrastructure/eid-wallet/src/lib/global/controllers/user.ts (2 hunks)
• infrastructure/eid-wallet/src/lib/global/state.ts (2 hunks)
• infrastructure/eid-wallet/src/lib/ui/Button/ButtonAction.svelte (1 hunks)
• infrastructure/eid-wallet/src/lib/utils/capitalize.ts (1 hunks)
• infrastructure/eid-wallet/src/lib/utils/index.ts (1 hunks)
• infrastructure/eid-wallet/src/routes/(app)/ePassport/+page.svelte (1 hunks)
• infrastructure/eid-wallet/src/routes/(app)/main/+page.svelte (3 hunks)
• infrastructure/eid-wallet/src/routes/(app)/settings/+page.svelte (1 hunks)
• infrastructure/eid-wallet/src/routes/(auth)/e-passport/+page.svelte (3 hunks)
• infrastructure/eid-wallet/src/routes/(auth)/review/+page.svelte (1 hunks)
• infrastructure/eid-wallet/src/routes/(auth)/verify/+page.svelte (1 hunks)
• infrastructure/eid-wallet/src/routes/(auth)/verify/steps/passport.svelte (1 hunks)
• infrastructure/eid-wallet/src/routes/(auth)/verify/steps/selfie.svelte (1 hunks)
• infrastructure/eid-wallet/src/routes/(auth)/verify/store.ts (1 hunks)
• infrastructure/eid-wallet/src/routes/+layout.svelte (2 hunks)
• infrastructure/eid-wallet/svelte.config.js (1 hunks)
• infrastructure/evault-provisioner/package.json (1 hunks)
• infrastructure/evault-provisioner/src/config/database.ts (1 hunks)
• infrastructure/evault-provisioner/src/controllers/VerificationController.ts (1 hunks)
• infrastructure/evault-provisioner/src/entities/Verification.ts (1 hunks)
• infrastructure/evault-provisioner/src/index.ts (4 hunks)
• infrastructure/evault-provisioner/src/migrations/1748932757644-migration.ts (1 hunks)
• infrastructure/evault-provisioner/src/migrations/1748966722767-migration.ts (1 hunks)
• infrastructure/evault-provisioner/src/migrations/1748968097591-migration.ts (1 hunks)
• infrastructure/evault-provisioner/src/services/VerificationService.ts (1 hunks)
• infrastructure/evault-provisioner/src/utils/eventEmitter.ts (1 hunks)
• infrastructure/evault-provisioner/src/utils/hmac.ts (1 hunks)
• infrastructure/evault-provisioner/tsconfig.json (2 hunks)
• platforms/registry/package.json (2 hunks)
• platforms/registry/src/index.ts (2 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (2)

infrastructure/eid-wallet/src/lib/global/state.ts (1)

infrastructure/eid-wallet/src/lib/global/controllers/evault.ts (1)

• VaultController (3-42)

infrastructure/evault-provisioner/src/controllers/VerificationController.ts (3)

infrastructure/evault-provisioner/src/services/VerificationService.ts (1)

• VerificationService (4-50)

infrastructure/evault-provisioner/src/utils/eventEmitter.ts (1)

• eventEmitter (3-3)

infrastructure/evault-provisioner/src/utils/hmac.ts (1)

• createHmacSignature (3-7)

🪛 Biome (1.9.4)

infrastructure/evault-provisioner/src/utils/eventEmitter.ts

[error] 1-1: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

infrastructure/evault-provisioner/src/migrations/1748966722767-migration.ts

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

[error] 13-13: expected ) but instead found ,

Remove ,

(parse)

---

[error] 15-15: expected a semicolon to end the class property, but found none

(parse)

---

[error] 15-15: expected a semicolon to end the class property, but found none

(parse)

---

[error] 15-15: expected a semicolon to end the class property, but found none

(parse)

---

[error] 15-15: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found ')'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 17-17: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found '.'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 17-17: Expected a parameter but instead found '('.

Expected a parameter here.

(parse)

---

[error] 17-17: expected , but instead found resolvedUser

Remove resolvedUser

(parse)

---

[error] 17-17: Expected a class method body but instead found '=>'.

Expected a class method body here.

(parse)

---

[error] 18-18: expected a semicolon to end the class property, but found none

(parse)

---

[error] 18-18: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found '.'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 18-18: expected a semicolon to end the class property, but found none

(parse)

---

[error] 18-18: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found ')'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 19-20: Expected a statement but instead found ')
.catch((error) =>'.

Expected a statement here.

(parse)

---

[error] 22-22: Expected a statement but instead found ')'.

Expected a statement here.

(parse)

---

[error] 23-23: Expected a statement but instead found '} else'.

Expected a statement here.

(parse)

---

[error] 26-28: Expected a statement but instead found '}

get vault()'.

Expected a statement here.

(parse)

---

[error] 29-40: Illegal return statement outside of a function

(parse)

---

[error] 41-42: Expected a statement but instead found '}'.

Expected a statement here.

(parse)

---

[error] 15-15: Duplicate class member name "vault"

(lint/suspicious/noDuplicateClassMembers)

---

[error] 16-16: Duplicate class member name "vault"

(lint/suspicious/noDuplicateClassMembers)

---

[error] 18-18: Duplicate private class member "#store"

(syntax/correctness/noDuplicatePrivateClassMembers)

---

[error] 17-17: Do not add then to a class.

(lint/suspicious/noThenProperty)

---

[error] 20-22: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

---

[error] 23-25: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

---

[error] 28-41: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

infrastructure/evault-provisioner/src/config/database.ts

[error] 4-4: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

infrastructure/evault-provisioner/src/services/VerificationService.ts

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

infrastructure/evault-provisioner/src/utils/hmac.ts

[error] 1-1: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

---

[error] 3-3: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

[error] 10-10: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

infrastructure/evault-provisioner/src/migrations/1748968097591-migration.ts

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

infrastructure/eid-wallet/src/lib/global/controllers/user.ts

[error] 61-61: expected ) but instead found ,

Remove ,

(parse)

---

[error] 89-89: Expected a semicolon or an implicit semicolon after a statement, but found none

An explicit or implicit semicolon is expected here...

...Which is required to end this statement

(parse)

---

[error] 90-90: expected , but instead found :

Remove :

(parse)

---

[error] 91-91: expected , but instead found |

Remove |

(parse)

---

[error] 94-94: Expected a semicolon or an implicit semicolon after a statement, but found none

An explicit or implicit semicolon is expected here...

...Which is required to end this statement

(parse)

---

[error] 108-108: Expected a semicolon or an implicit semicolon after a statement, but found none

An explicit or implicit semicolon is expected here...

...Which is required to end this statement

(parse)

---

[error] 108-108: Expected a semicolon or an implicit semicolon after a statement, but found none

An explicit or implicit semicolon is expected here...

...Which is required to end this statement

(parse)

---

[error] 109-120: Illegal return statement outside of a function

(parse)

---

[error] 94-106: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

---

[error] 108-121: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

infrastructure/evault-provisioner/src/migrations/1748932757644-migration.ts

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

infrastructure/evault-provisioner/src/index.ts

[error] 8-8: A Node.js builtin module should be imported with the node: protocol.

Using the node: protocol is more explicit and signals that the imported module belongs to Node.js.
Unsafe fix: Add the node: protocol.

(lint/style/useNodejsImportProtocol)

---

[error] 2-2: Some named imports are only used as types.

This import is only used as a type.

This import is only used as a type.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Add inline type keywords.

(lint/style/useImportType)

---

[error] 3-3: Some named imports are only used as types.

This import is only used as a type.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Add inline type keywords.

(lint/style/useImportType)

---

[error] 100-100: Do not use template literals if interpolation and special-character handling are not needed.

Unsafe fix: Replace with string literal

(lint/style/noUnusedTemplateLiteral)

infrastructure/evault-provisioner/src/controllers/VerificationController.ts

[error] 16-19: This function expression can be turned into an arrow function.

Function expressions that don't use this can be turned into arrow functions.
Safe fix: Use an arrow function instead.

(lint/complexity/useArrowFunction)

---

[error] 25-25: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

[error] 46-46: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

🔇 Additional comments (32)

platforms/registry/package.json (1)

4-4: LGTM: Description update aligns with vault provisioning focus.

The updated description accurately reflects the service's role in managing vault entries, which is consistent with the PR objectives for evault provisioning.

infrastructure/eid-wallet/src/lib/ui/Button/ButtonAction.svelte (1)

109-109: LGTM: Consistent comment formatting.

Good practice to maintain consistent formatting by removing the extra space in the HTML comment.

infrastructure/evault-provisioner/tsconfig.json (2)

4-4: LGTM: Module system change supports Node.js backend.

Changing from ESNext to commonjs is appropriate for a Node.js backend service and aligns with TypeORM requirements.

---

14-15: LGTM: Decorator support enables TypeORM integration.

Adding experimental decorators and decorator metadata emission is essential for TypeORM entities and dependency injection, supporting the new verification services mentioned in the AI summary.

infrastructure/eid-wallet/src/routes/+layout.svelte (1)

105-105: LGTM! Layout changes support dynamic content well.

The addition of h-[100dvh] and overflow-scroll classes properly sets up the layout for full viewport height with scrolling capability, which aligns with the dynamic data-driven UI components mentioned in the summary.

infrastructure/eid-wallet/src/lib/utils/index.ts (1)

3-3: LGTM! Clean utility export addition.

The export follows the established pattern for utility re-exports and properly exposes the new capitalize function.

infrastructure/eid-wallet/src/lib/utils/capitalize.ts (1)

1-7: LGTM! Solid utility implementation with minor behavior note.

The capitalize function correctly handles the common use case of capitalizing words. Note that multiple consecutive spaces will be collapsed to single spaces due to the split/join operation, which is likely acceptable for UI text formatting purposes.

infrastructure/evault-provisioner/src/utils/eventEmitter.ts (1)

3-3: LGTM! Appropriate singleton pattern for event-driven communication.

The singleton EventEmitter instance is well-suited for facilitating real-time communication between the webhook endpoint and SSE clients in the verification flow.

infrastructure/eid-wallet/svelte.config.js (1)

12-14: LGTM! Environment configuration properly set for monorepo structure.

The env.dir configuration pointing to the project root ("../../") is appropriate for a monorepo setup and aligns with the new identity verification features that require environment variable access.

infrastructure/eid-wallet/src/lib/global/state.ts (2)

4-4: LGTM! Proper import added for VaultController.

The import follows the established pattern and supports the new vault management functionality.

---

27-27: LGTM! VaultController properly integrated into GlobalState.

The vaultController property and initialization follow the same consistent pattern as the existing securityController and userController. The integration maintains the singleton pattern and provides centralized access to vault operations.

Also applies to: 33-33

infrastructure/eid-wallet/package.json (1)

30-32: LGTM! Dependencies appropriately added for identity verification features.

The new dependencies support the comprehensive identity verification flow:

• Veriff SDKs for identity verification services
• axios for HTTP requests to backend APIs
• dotenv for environment variable management
• svelte-loading-spinners for UI feedback
• uuid for unique identifier generation

These align well with the new verification functionality described in the PR.

Also applies to: 34-34, 37-40

infrastructure/evault-provisioner/src/migrations/1748966722767-migration.ts (1)

6-8: LGTM! Migration properly adds documentId column to verification table.

The migration correctly:

• Adds a nullable documentId column of type character varying
• Provides proper rollback in the down method
• Follows TypeORM migration conventions

This supports the enhanced verification system that tracks document IDs associated with verifications.

Also applies to: 10-12

infrastructure/evault-provisioner/src/migrations/1748968097591-migration.ts (2)

6-8: Migration logic looks correct.

The addition of the consumed boolean column with NOT NULL DEFAULT false is well-implemented. This supports tracking whether verification records have been used, which aligns with the verification workflow described in the AI summary.

---

10-12: Proper rollback implementation.

The down migration correctly drops the added column, ensuring clean rollbacks.

infrastructure/evault-provisioner/package.json (4)

8-8: Development script change looks good.

The switch from tsx watch to ts-node-dev with --respawn --transpile-only flags is appropriate for TypeORM-based development, providing better compatibility and faster transpilation.

---

11-14: TypeORM migration scripts are well-configured.

The TypeORM scripts properly reference the database configuration file and follow standard conventions for migration management.

---

19-26: Dependencies align with verification workflow requirements.

The added dependencies support the new verification system:

• cors: For cross-origin requests from the frontend
• pg: PostgreSQL client for database operations
• reflect-metadata: Required for TypeORM decorators
• typeorm: ORM for database management

---

30-35: Development dependencies are appropriate.

The type definitions and ts-node-dev support the development workflow changes effectively.

infrastructure/eid-wallet/src/routes/(app)/ePassport/+page.svelte (2)

15-22: Good refactoring to dynamic data fetching.

The replacement of hardcoded dummy data with asynchronous fetching from the global state is a significant improvement. The pattern properly handles the async nature of data retrieval.

---

28-42: Conditional rendering prevents errors.

The conditional rendering based on data availability is well-implemented and prevents rendering errors when data is still loading or unavailable.

infrastructure/evault-provisioner/src/migrations/1748932757644-migration.ts (2)

7-7: Well-designed verification table schema.

The table schema is comprehensive and well-designed:

• UUID primary key with auto-generation for distributed systems
• JSONB data field for flexible verification data storage
• Proper timestamp handling with automatic defaults
• Optional fields appropriately defined

---

10-12: Clean rollback implementation.

The down migration properly drops the entire table, ensuring complete rollback capability.

infrastructure/eid-wallet/src/routes/(auth)/review/+page.svelte (2)

16-19: Excellent implementation of dynamic vault data loading.

The onMount function properly fetches vault data asynchronously and updates the ename state. This replaces hardcoded data with live vault information.

---

31-31: Good use of loading state for better UX.

The template literal with fallback text "Loading..." provides good user feedback while vault data is being fetched asynchronously.

infrastructure/evault-provisioner/src/config/database.ts (1)

9-17: Verify database connection security in production.

The database configuration looks appropriate. Ensure that in production environments:

1. PROVISIONER_DATABASE_URL is properly secured and not logged
2. The default fallback URL is only used in development
3. Database credentials use proper authentication mechanisms

infrastructure/eid-wallet/src/lib/global/controllers/evault.ts (1)

3-42: Well-implemented async vault controller with good error handling.

The VaultController class provides a clean interface for managing vault data with the Tauri store. Key strengths:

• Proper encapsulation with private store instance
• Handles both direct values and promises in the setter
• Comprehensive error handling with logging
• Async getter that gracefully handles missing data

The static analysis errors appear to be false positives from the linter not correctly parsing TypeScript class property getter/setter syntax.

🧰 Tools

🪛 Biome (1.9.4)

[error] 13-13: expected ) but instead found ,

Remove ,

(parse)

---

[error] 15-15: expected a semicolon to end the class property, but found none

(parse)

---

[error] 15-15: expected a semicolon to end the class property, but found none

(parse)

---

[error] 15-15: expected a semicolon to end the class property, but found none

(parse)

---

[error] 15-15: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found ')'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 17-17: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found '.'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 17-17: Expected a parameter but instead found '('.

Expected a parameter here.

(parse)

---

[error] 17-17: expected , but instead found resolvedUser

Remove resolvedUser

(parse)

---

[error] 17-17: Expected a class method body but instead found '=>'.

Expected a class method body here.

(parse)

---

[error] 18-18: expected a semicolon to end the class property, but found none

(parse)

---

[error] 18-18: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found '.'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 18-18: expected a semicolon to end the class property, but found none

(parse)

---

[error] 18-18: Expected an identifier, a string literal, a number literal, a private field name, or a computed name but instead found ')'.

Expected an identifier, a string literal, a number literal, a private field name, or a computed name here.

(parse)

---

[error] 19-20: Expected a statement but instead found ')
.catch((error) =>'.

Expected a statement here.

(parse)

---

[error] 22-22: Expected a statement but instead found ')'.

Expected a statement here.

(parse)

---

[error] 23-23: Expected a statement but instead found '} else'.

Expected a statement here.

(parse)

---

[error] 26-28: Expected a statement but instead found '}

get vault()'.

Expected a statement here.

(parse)

---

[error] 29-40: Illegal return statement outside of a function

(parse)

---

[error] 41-42: Expected a statement but instead found '}'.

Expected a statement here.

(parse)

---

[error] 15-15: Duplicate class member name "vault"

(lint/suspicious/noDuplicateClassMembers)

---

[error] 16-16: Duplicate class member name "vault"

(lint/suspicious/noDuplicateClassMembers)

---

[error] 18-18: Duplicate private class member "#store"

(syntax/correctness/noDuplicatePrivateClassMembers)

---

[error] 17-17: Do not add then to a class.

(lint/suspicious/noThenProperty)

---

[error] 20-22: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

---

[error] 23-25: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

---

[error] 28-41: This block statement doesn't serve any purpose and can be safely removed.

Standalone block statements without any block-level declarations are redundant in JavaScript and can be removed to simplify the code.

(lint/complexity/noUselessLoneBlockStatements)

infrastructure/eid-wallet/src/lib/fragments/IdentityCard/IdentityCard.svelte (2)

120-120: Good addition of capitalize class for better formatting.

The addition of the capitalize class improves the user experience by properly formatting field names in the ePassport variant.

---

113-113:

✅ Verification successful

Verify the removal of "@" prefix is intentional.

The userId display no longer includes the "@" prefix. Ensure this change aligns with the design requirements and doesn't break consistency with other parts of the application.

---

🏁 Script executed:

#!/bin/bash
# Search for other usages of userId to check consistency
rg -A 2 -B 2 "userId.*@" --type svelte

Length of output: 71

---

🏁 Script executed:

#!/bin/bash
# Search all .svelte files for occurrences of userId with surrounding context
rg --context 2 "userId" -g '*.svelte' -n

Length of output: 2875

---

No “@” prefix found for userId in codebase — removal is consistent

I searched every .svelte file for occurrences of userId paired with an “@” prefix and found none. All IdentityCard usages now pass the raw string (e.g. {ename}) without prepending “@”.

• No instances of @${userId} or similar patterns in any .svelte file
• All <IdentityCard> props use userId={…} directly

Since the change is consistent across the codebase, it’s safe to consider the “@” removal intentional and resolve this comment.

infrastructure/eid-wallet/src/routes/(app)/main/+page.svelte (1)

55-55: Good implementation of loading state for ename.

The fallback to "Loading..." while data is being fetched provides good user feedback.

platforms/registry/src/index.ts (1)

80-88: Good addition of the entropy endpoint with proper error handling.

The re-addition of the /entropy endpoint with improved formatting and consistent error handling enhances the API's functionality.

infrastructure/evault-provisioner/src/index.ts (1)

30-33:

❓ Verification inconclusive

Large payload limit may pose security risks

The 50MB limit for JSON and URL-encoded payloads is quite large and could be exploited for DoS attacks. Consider if this large limit is necessary for your use case.

What's the expected maximum size of verification data and documents? If significantly less than 50MB, consider reducing this limit to a more reasonable value.

---

🏁 Script executed:

#!/bin/bash
# Display initial portion of index.ts to understand endpoints and payload usage
sed -n '1,200p' infrastructure/evault-provisioner/src/index.ts

Length of output: 5330

---

🏁 Script executed:

#!/bin/bash
# Locate and display VerificationController to inspect routes and payload usage
FILE=$(fd 'VerificationController.ts' -u)
if [ -z "$FILE" ]; then
  echo "VerificationController.ts not found"
  exit 1
fi
echo "Found: $FILE"
sed -n '1,200p' "$FILE"

Length of output: 7414

---

Review payload limits in index.ts

The 50 MB limits for JSON and URL-encoded bodies (in infrastructure/evault-provisioner/src/index.ts lines 30–33) may be excessive and open the service to DoS via oversized payloads (e.g. base64-encoded images).

• Confirm your最大expected request size—for instance, the largest document or image you’ll send (typically well under 50 MB).
• If your real-world payloads are significantly smaller, reduce these limits to the minimum safe threshold (e.g. 5 MB).

Lines to adjust:

// Increase JSON payload limit
app.use(express.json({ limit: "50mb" }));
// Increase URL-encoded payload limit
app.use(express.urlencoded({ limit: "50mb", extended: true }));

[coderabbitai]

🛠️ Refactor suggestion

Improve signature verification security and type safety.

Two improvements needed:

1. Replace any type with unknown for better type safety
2. Use timing-safe comparison to prevent timing attacks

 export function verifyHmacSignature(
-    body: Record<string, any>,
+    body: Record<string, unknown>,
     signature: string,
     secret: string,
 ) {
+    const crypto = require("node:crypto");
     const expectedSignature = createHmacSignature(body, secret);
-    return expectedSignature === signature;
+    return crypto.timingSafeEqual(
+        Buffer.from(expectedSignature, "hex"),
+        Buffer.from(signature, "hex")
+    );
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export function verifyHmacSignature(
	body: Record<string, any>,
	signature: string,
	secret: string,
	) {
	const expectedSignature = createHmacSignature(body, secret);
	return expectedSignature === signature;
	}
	export function verifyHmacSignature(
	body: Record<string, unknown>,
	signature: string,
	secret: string,
	) {
	const crypto = require("node:crypto");
	const expectedSignature = createHmacSignature(body, secret);
	return crypto.timingSafeEqual(
	Buffer.from(expectedSignature, "hex"),
	Buffer.from(signature, "hex")
	);
	}

🧰 Tools

🪛 Biome (1.9.4)

[error] 10-10: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

🤖 Prompt for AI Agents

In infrastructure/evault-provisioner/src/utils/hmac.ts around lines 9 to 16,
replace the type of the `body` parameter from `Record<string, any>` to
`Record<string, unknown>` to improve type safety. Additionally, change the
signature comparison from a simple equality check to a timing-safe comparison
method, such as using `crypto.timingSafeEqual`, to prevent timing attacks during
HMAC verification.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify the "import" package dependency.

The import package at version ^0.0.6 appears unusual and potentially problematic. This package name is very generic and the version suggests it might be outdated or incorrect.

---

🏁 Script executed:

#!/bin/bash
# Description: Check if the "import" package is legitimate and current
# Expected: Verify package exists, check its purpose, and validate version

# Check package info on npm
npm view import versions --json
npm view import description
npm view import repository

Length of output: 257

---

🏁 Script executed:

#!/bin/bash
# Search for any direct imports of the "import" package in the codebase
rg -n "require\(['\"]import['\"]" 
rg -n "from ['\"]import['\"] import"

Length of output: 82

---

🏁 Script executed:

#!/bin/bash
# Inspect the 'scripts' and 'bin' sections in infrastructure/eid-wallet/package.json
jq '{scripts, bin}' infrastructure/eid-wallet/package.json

Length of output: 717

---

Remove unused “import” dependency

The “import” package (v^0.0.6) isn’t referenced anywhere in your codebase or npm scripts, so it appears to be unused. Please either remove it from infrastructure/eid-wallet/package.json or document why it’s needed.

• File: infrastructure/eid-wallet/package.json
– Line with "import": "^0.0.6"

🤖 Prompt for AI Agents

In infrastructure/eid-wallet/package.json at line 36, the "import" package
dependency with version "^0.0.6" is not used anywhere in the codebase or npm
scripts. Remove this dependency line from the package.json file to clean up
unused packages, unless there is a specific documented reason to keep it.

[coderabbitai]

🛠️ Refactor suggestion

Use dynamic vault data instead of hardcoded values.

The eVault component still uses static storage values (15, 100) while other components have been updated to use dynamic data. This creates inconsistency.

-    <IdentityCard variant="eVault" usedStorage={15} totalStorage={100} />
+    <IdentityCard variant="eVault" usedStorage={vaultData?.usedStorage ?? 0} totalStorage={vaultData?.totalStorage ?? 100} />

You'll need to make the vault data available in the component scope.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<IdentityCard variant="eVault" usedStorage={15} totalStorage={100} />
	<IdentityCard
	variant="eVault"
	usedStorage={vaultData?.usedStorage ?? 0}
	totalStorage={vaultData?.totalStorage ?? 100}
	/>

🤖 Prompt for AI Agents

In infrastructure/eid-wallet/src/routes/(app)/main/+page.svelte at line 68,
replace the hardcoded storage values (15 and 100) passed to the IdentityCard
component with dynamic vault data available in the component's scope. Ensure
that the dynamic values for usedStorage and totalStorage are properly fetched or
passed into the component so the IdentityCard reflects current vault storage
information consistently with other components.

[coderabbitai]

🛠️ Refactor suggestion

Replace any type with proper Express type

Use proper typing instead of any for better type safety.

-    registerRoutes(app: any) {
+    registerRoutes(app: Express.Application) {

Add the import at the top:

import type { Application } from "express";

🧰 Tools

🪛 Biome (1.9.4)

[error] 25-25: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

🤖 Prompt for AI Agents

In infrastructure/evault-provisioner/src/controllers/VerificationController.ts
at line 25, replace the parameter type 'any' in the registerRoutes method with
the proper Express type 'Application'. Import 'Application' from 'express' at
the top of the file using 'import type { Application } from "express";' and
update the method signature to use 'app: Application' for better type safety.

[coderabbitai]

🛠️ Refactor suggestion

Remove debug console.log and fix type

Remove debug statement and add proper typing.

-                const handler = (data: any) => {
-                    console.log("hi?");
+                const handler = (data: Record<string, any>) => {
                     res.write(`data: ${JSON.stringify(data)}\n\n`);
                 };

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const handler = (data: any) => {
	console.log("hi?");
	res.write(`data: ${JSON.stringify(data)}\n\n`);
	};
	const handler = (data: Record<string, any>) => {
	res.write(`data: ${JSON.stringify(data)}\n\n`);
	};

🧰 Tools

🪛 Biome (1.9.4)

[error] 46-46: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

🤖 Prompt for AI Agents

In infrastructure/evault-provisioner/src/controllers/VerificationController.ts
between lines 46 and 49, remove the debug console.log statement "hi?" and
replace the parameter type of the handler function from any to a more specific
type that matches the expected data structure being handled. This improves code
cleanliness and type safety.

[coderabbitai]

⚠️ Potential issue

Add null check for verification

The endpoint uses optional chaining but doesn't handle the case where verification is not found.

 app.patch("/verification/:id", async (req: Request, res: Response) => {
     const verification = await this.verificationService.findById(
         req.params.id,
     );
+    
+    if (!verification) {
+        return res.status(404).json({ error: "Verification not found" });
+    }
+    
     const body = {
         verification: {
             status: "submitted",
         },
     };
     const signature = createHmacSignature(
         body,
         process.env.VERIFF_HMAC_KEY as string,
     );
-    await veriffClient.patch(
-        `/v1/sessions/${verification?.veriffId}`,
+    
+    try {
+        await veriffClient.patch(
+            `/v1/sessions/${verification.veriffId}`,
             body,
             {
                 headers: {
                     "X-HMAC-SIGNATURE": signature,
                     "X-AUTH-CLIENT": process.env.PUBLIC_VERIFF_KEY,
                 },
             },
         );
         res.sendStatus(201);
+    } catch (error) {
+        console.error("Failed to update verification status:", error);
+        return res.status(500).json({ error: "Failed to update verification status" });
+    }
 });

🤖 Prompt for AI Agents

In infrastructure/evault-provisioner/src/controllers/VerificationController.ts
around lines 161 to 185, the code uses optional chaining on verification but
does not handle the case when verification is null or undefined. Add a null
check after fetching verification; if it is not found, respond with an
appropriate error status (e.g., 404) and message, and only proceed with the
patch request if verification exists.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Add HMAC signature verification for webhook security

The webhook endpoint lacks HMAC signature verification, which is critical for ensuring the authenticity of webhook calls from Veriff. This is a security vulnerability that could allow unauthorized parties to manipulate verification decisions.

Additionally, remove the debug console.log statement.

 app.post(
     "/verification/decisions",
     async (req: Request, res: Response) => {
+        // Verify HMAC signature
+        const signature = req.headers['x-hmac-signature'] as string;
+        if (!signature) {
+            return res.status(401).json({ error: "Missing signature" });
+        }
+        
+        const expectedSignature = createHmacSignature(
+            req.body,
+            process.env.VERIFF_WEBHOOK_SECRET as string
+        );
+        
+        if (signature !== expectedSignature) {
+            return res.status(401).json({ error: "Invalid signature" });
+        }
+        
         const body = req.body;
-        console.log(body);
         const id = body.vendorData;

         const verification =
             await this.verificationService.findById(id);
         if (!verification) {
             return res
                 .status(404)
                 .json({ error: "Verification not found" });
         }
         
         // ... rest of the code

Verify that Veriff sends HMAC signatures with their webhooks:

---

🌐 Web query:

Does Veriff API send HMAC signatures in webhook headers for verification decision webhooks?

💡 Result:

Yes, Veriff's API includes HMAC signatures in the headers of verification decision webhooks. These signatures are provided in the X-HMAC-SIGNATURE header, allowing you to verify the authenticity and integrity of the webhook payloads. (developers.veriff.com)

To validate the webhook requests:

1. Extract the Signature and Timestamp: Retrieve the X-HMAC-SIGNATURE header from the incoming request. This header contains the timestamp and the HMAC signature, formatted as t=<timestamp>,s=<signature>.

2. Prepare the Payload: Concatenate the timestamp and the request body, separated by a dot (.). For example, if the timestamp is 1582267948 and the request body is {"verification": {"status": "approved"}}, the payload would be 1582267948.{"verification": {"status": "approved"}}.

3. Generate the Expected Signature: Use your shared secret key to compute an HMAC-SHA256 hash of the prepared payload. This can be done using cryptographic libraries available in your programming language.

4. Compare the Signatures: Compare the computed HMAC signature with the one extracted from the X-HMAC-SIGNATURE header. If they match, the request is authentic and has not been tampered with.

For detailed information and code examples on verifying webhook signatures, refer to Veriff's developer documentation. (developers.veriff.com)

Citations:

• 1: https://developers.veriff.com//?utm_source=openai
• 2: https://developers.veriff.com//?utm_source=openai

---

Implement HMAC-SHA256 webhook signature verification

Ensure that only genuine Veriff webhooks are processed by:

• Removing the debug console.log(body).
• Extracting and parsing the X-HMAC-SIGNATURE header (t=<timestamp>,s=<signature>).
• Concatenating <timestamp>.<JSON-stringified body>, computing an HMAC-SHA256 hash with your VERIFF_WEBHOOK_SECRET, and comparing it to the provided signature.
• Returning HTTP 401 on missing or invalid signatures.
• (Optional) Enforcing a maximum age on the timestamp (e.g. 5 minutes) to mitigate replay attacks.

Apply the following diff in
infrastructure/evault-provisioner/src/controllers/VerificationController.ts (around lines 187–236):

@@ -187,6 +187,24 @@ app.post(
     "/verification/decisions",
     async (req: Request, res: Response) => {
+        // HMAC signature verification (t=<timestamp>,s=<signature>)
+        const signatureHeader = req.headers['x-hmac-signature'] as string;
+        if (!signatureHeader) {
+            return res.status(401).json({ error: "Missing signature" });
+        }
+        const parts = signatureHeader.split(',');
+        const timestamp = parts[0].split('=')[1];
+        const signature = parts[1].split('=')[1];
+
+        // Optional: reject if timestamp is too old
+        // const age = Date.now()/1000 - Number(timestamp);
+        // if (age > 300) return res.status(401).json({ error: "Stale request" });
+
+        const payload = `${timestamp}.${JSON.stringify(req.body)}`;
+        const expected = crypto
+            .createHmac('sha256', process.env.VERIFF_WEBHOOK_SECRET!)
+            .update(payload)
+            .digest('hex');
+        if (signature !== expected) {
+            return res.status(401).json({ error: "Invalid signature" });
+        }
+
         const body = req.body;
-        console.log(body);
         const id = body.vendorData;

         const verification =

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Webhook for verification decisions
	app.post(
	"/verification/decisions",
	async (req: Request, res: Response) => {
	const body = req.body;
	console.log(body);
	const id = body.vendorData;
	const verification =
	await this.verificationService.findById(id);
	if (!verification) {
	return res
	.status(404)
	.json({ error: "Verification not found" });
	}
	const affirmativeStatusTypes = [
	"approved",
	"declined",
	"expired",
	"abandoned",
	];
	if (
	affirmativeStatusTypes.includes(
	body.data.verification.decision,
	)
	) {
	const approved =
	body.data.verification.decision === "approved";
	await this.verificationService.findByIdAndUpdate(id, {
	approved,
	data: {
	person: body.data.verification.person,
	document: body.data.verification.document,
	},
	documentId:
	body.data.verification.document.number.value,
	});
	}
	eventEmitter.emit(id, {
	reason: body.data.verification.reason,
	status: body.data.verification.decision,
	person: body.data.verification.person ?? null,
	document: body.data.verification.document,
	});
	return res.json({ success: true });
	},
	);
	// Webhook for verification decisions
	app.post(
	"/verification/decisions",
	async (req: Request, res: Response) => {
	+ // HMAC signature verification (t=<timestamp>,s=<signature>)
	+ const signatureHeader = req.headers['x-hmac-signature'] as string;
	+ if (!signatureHeader) {
	+ return res.status(401).json({ error: "Missing signature" });
	+ }
	+ const parts = signatureHeader.split(',');
	+ const timestamp = parts[0].split('=')[1];
	+ const signature = parts[1].split('=')[1];
	+
	+ // Optional: reject if timestamp is too old
	+ // const age = Date.now()/1000 - Number(timestamp);
	+ // if (age > 300) return res.status(401).json({ error: "Stale request" });
	+
	+ const payload = `${timestamp}.${JSON.stringify(req.body)}`;
	+ const expected = crypto
	+ .createHmac('sha256', process.env.VERIFF_WEBHOOK_SECRET!)
	+ .update(payload)
	+ .digest('hex');
	+ if (signature !== expected) {
	+ return res.status(401).json({ error: "Invalid signature" });
	+ }
	+
	const body = req.body;
	- console.log(body);
	const id = body.vendorData;
	const verification =
	await this.verificationService.findById(id);
	if (!verification) {
	return res
	.status(404)
	.json({ error: "Verification not found" });
	}
	const affirmativeStatusTypes = [
	"approved",
	"declined",
	"expired",
	"abandoned",
	];
	if (
	affirmativeStatusTypes.includes(
	body.data.verification.decision,
	)
	) {
	const approved =
	body.data.verification.decision === "approved";
	await this.verificationService.findByIdAndUpdate(id, {
	approved,
	data: {
	person: body.data.verification.person,
	document: body.data.verification.document,
	},
	documentId:
	body.data.verification.document.number.value,
	});
	}
	eventEmitter.emit(id, {
	reason: body.data.verification.reason,
	status: body.data.verification.decision,
	person: body.data.verification.person ?? null,
	document: body.data.verification.document,
	});
	return res.json({ success: true });
	},
	);

🤖 Prompt for AI Agents

In infrastructure/evault-provisioner/src/controllers/VerificationController.ts
around lines 187 to 236, remove the debug console.log statement and implement
HMAC-SHA256 verification for the webhook. Extract the X-HMAC-SIGNATURE header,
parse out the timestamp and signature, then concatenate the timestamp and the
raw JSON string of the request body separated by a dot. Compute the HMAC-SHA256
hash of this concatenated string using the VERIFF_WEBHOOK_SECRET environment
variable and compare it to the signature from the header. If the signature is
missing or invalid, respond with HTTP 401 Unauthorized. Optionally, validate
that the timestamp is recent (e.g., within 5 minutes) to prevent replay attacks
before processing the webhook logic.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Improve error handling and add validation

The endpoint throws errors instead of returning proper HTTP responses, and lacks validation for the image content.

 app.post(
     "/verification/:id/media",
     async (req: Request, res: Response) => {
         const { img, type } = req.body;
+        
+        if (!img || typeof img !== 'string') {
+            return res.status(400).json({ error: "Invalid or missing image data" });
+        }
+        
         const types = ["document-front", "document-back", "face"];
         if (!types.includes(type))
-            throw new Error(
-                `Wrong type specified, accepted types are ${types}`,
-            );
+            return res.status(400).json({ 
+                error: `Wrong type specified, accepted types are ${types.join(", ")}`
+            });
+            
         const verification = await this.verificationService.findById(
             req.params.id,
         );
-        if (!verification) throw new Error("Verification not found");
+        if (!verification) {
+            return res.status(404).json({ error: "Verification not found" });
+        }
+        
+        const hmacKey = process.env.VERIFF_HMAC_KEY;
+        const authClient = process.env.PUBLIC_VERIFF_KEY;
+        
+        if (!hmacKey || !authClient) {
+            console.error("Missing Veriff configuration");
+            return res.status(500).json({ error: "Server configuration error" });
+        }
+        
         const veriffBody = {
             image: {
                 context: type,
                 content: img,
             },
         };

         const signature = createHmacSignature(
             veriffBody,
-            process.env.VERIFF_HMAC_KEY as string,
+            hmacKey,
         );
-        await veriffClient.post(
-            `/v1/sessions/${verification.veriffId}/media`,
-            veriffBody,
-            {
-                headers: {
-                    "X-HMAC-SIGNATURE": signature,
-                    "X-AUTH-CLIENT": process.env.PUBLIC_VERIFF_KEY,
+        
+        try {
+            await veriffClient.post(
+                `/v1/sessions/${verification.veriffId}/media`,
+                veriffBody,
+                {
+                    headers: {
+                        "X-HMAC-SIGNATURE": signature,
+                        "X-AUTH-CLIENT": authClient,
+                    },
                 },
-            },
-        );
-        res.sendStatus(201);
+            );
+            res.sendStatus(201);
+        } catch (error) {
+            console.error("Failed to upload media to Veriff:", error);
+            return res.status(500).json({ error: "Failed to upload media" });
+        }
     },
 );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	app.post(
	"/verification/:id/media",
	async (req: Request, res: Response) => {
	const { img, type } = req.body;
	const types = ["document-front", "document-back", "face"];
	if (!types.includes(type))
	throw new Error(
	`Wrong type specified, accepted types are ${types}`,
	);
	const verification = await this.verificationService.findById(
	req.params.id,
	);
	if (!verification) throw new Error("Verification not found");
	const veriffBody = {
	image: {
	context: type,
	content: img,
	},
	};
	const signature = createHmacSignature(
	veriffBody,
	process.env.VERIFF_HMAC_KEY as string,
	);
	await veriffClient.post(
	`/v1/sessions/${verification.veriffId}/media`,
	veriffBody,
	{
	headers: {
	"X-HMAC-SIGNATURE": signature,
	"X-AUTH-CLIENT": process.env.PUBLIC_VERIFF_KEY,
	},
	},
	);
	res.sendStatus(201);
	},
	);
	app.post(
	"/verification/:id/media",
	async (req: Request, res: Response) => {
	const { img, type } = req.body;
	if (!img || typeof img !== 'string') {
	return res.status(400).json({ error: "Invalid or missing image data" });
	}
	const types = ["document-front", "document-back", "face"];
	if (!types.includes(type)) {
	return res.status(400).json({
	error: `Wrong type specified, accepted types are ${types.join(", ")}`
	});
	}
	const verification = await this.verificationService.findById(
	req.params.id,
	);
	if (!verification) {
	return res.status(404).json({ error: "Verification not found" });
	}
	const hmacKey = process.env.VERIFF_HMAC_KEY;
	const authClient = process.env.PUBLIC_VERIFF_KEY;
	if (!hmacKey || !authClient) {
	console.error("Missing Veriff configuration");
	return res.status(500).json({ error: "Server configuration error" });
	}
	const veriffBody = {
	image: {
	context: type,
	content: img,
	},
	};
	const signature = createHmacSignature(
	veriffBody,
	hmacKey,
	);
	try {
	await veriffClient.post(
	`/v1/sessions/${verification.veriffId}/media`,
	veriffBody,
	{
	headers: {
	"X-HMAC-SIGNATURE": signature,
	"X-AUTH-CLIENT": authClient,
	},
	},
	);
	res.sendStatus(201);
	} catch (error) {
	console.error("Failed to upload media to Veriff:", error);
	return res.status(500).json({ error: "Failed to upload media" });
	}
	},
	);

🤖 Prompt for AI Agents

In infrastructure/evault-provisioner/src/controllers/VerificationController.ts
between lines 67 and 103, the endpoint currently throws errors directly and does
not validate the image content. Refactor the code to catch errors and respond
with appropriate HTTP status codes and messages instead of throwing exceptions.
Add validation to ensure the 'img' field is present and correctly formatted
before proceeding. Use try-catch blocks around the async logic and send
meaningful error responses to the client.

[coderabbitai]

Note

Generated docstrings for this pull request at #189

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (9)

infrastructure/eid-wallet/src/routes/(auth)/verify/+page.svelte (4)

17-17: Fix typo in import name

The import verificaitonId contains a typo and should be verificationId.

-        verificaitonId,
+        verificationId,

---

33-40: Add error handling for verification initiation

The function lacks error handling for the HTTP request and still uses the typo verificaitonId, both of which were flagged in previous reviews.

 async function handleVerification() {
+    try {
         const { data } = await axios.post(
             new URL("/verification", PUBLIC_PROVISIONER_URL).toString(),
         );
-        verificaitonId.set(data.id);
+        verificationId.set(data.id);
         showVeriffModal = true;
         watchEventStream(data.id);
+    } catch (error) {
+        console.error("Failed to initiate verification:", error);
+        status.set("error");
+        reason.set("Failed to initiate verification. Please try again.");
+        showVeriffModal = true;
+    }
 }

---

42-67: Remove console.log statements and add error handling

The function still contains debug console.log statements and lacks error handling for EventSource failures, as previously flagged.

 function watchEventStream(id: string) {
     const sseUrl = new URL(
         `/verification/sessions/${id}`,
         PUBLIC_PROVISIONER_URL,
     ).toString();
     const eventSource = new EventSource(sseUrl);

     eventSource.onopen = function (e) {
-        console.log("Successfully connected.");
+        // Connection established
     };

     eventSource.onmessage = function (e) {
         const data = JSON.parse(e.data);
-        if (!data.status) console.log(data);
-        console.log("STATUS", data);
         status.set(data.status);
         reason.set(data.reason);
         person = data.person;
         document = data.document;
         if (data.status === "resubmission_requested") {
             DocFront.set(null);
             Selfie.set(null);
         }
         verifStep.set(2);
     };
+
+    eventSource.onerror = function (error) {
+        console.error("SSE connection error:", error);
+        eventSource.close();
+        // Consider showing error to user
+        status.set("error");
+        reason.set("Connection error. Please try again.");
+    };
+
+    return eventSource;
 }

---

71-120: Add comprehensive error handling and resource cleanup

Multiple issues remain unresolved from previous reviews: missing error handling for API calls, hardcoded timeout, typo in variable name, and lack of resource cleanup.

+    let eventSource: EventSource | null = null;
+    let navigationTimeout: ReturnType<typeof setTimeout> | null = null;
+    const NAVIGATION_DELAY = 10_000;

     onMount(() => {
         globalState = getContext<() => GlobalState>("globalState")();
         
         handleContinue = async () => {
             if ($status !== "approved") return verifStep.set(0);
             if (!globalState) throw new Error("Global state is not defined");

             loading = true;
+            try {
                 globalState.userController.user = {
                     name: capitalize(
                         person.firstName.value + " " + person.lastName.value,
                     ),
                     "Date of Birth": new Date(
                         person.dateOfBirth.value,
                     ).toDateString(),
                     "ID submitted": "Passport - " + person.nationality.value,
                     "Passport Number": document.number.value,
                 };
                 globalState.userController.document = {
                     "Valid From": new Date(document.validFrom.value).toDateString(),
                     "Valid Until": new Date(
                         document.validUntil.value,
                     ).toDateString(),
                     "Verified On": new Date().toDateString(),
                 };
                 const {
                     data: { token: registryEntropy },
                 } = await axios.get(
                     new URL("/entropy", PUBLIC_REGISTRY_URL).toString(),
                 );
                 const { data } = await axios.post(
                     new URL("/provision", PUBLIC_PROVISIONER_URL).toString(),
                     {
                         registryEntropy,
                         namespace: uuidv4(),
-                        verificationId: $verificaitonId,
+                        verificationId: $verificationId,
                     },
                 );
                 if (data.success === true) {
                     globalState.vaultController.vault = {
                         uri: data.uri,
                         ename: data.w3id,
                     };
                 }
-                setTimeout(() => {
+                navigationTimeout = setTimeout(() => {
                     goto("/register");
-                }, 10_000);
+                }, NAVIGATION_DELAY);
+            } catch (error) {
+                console.error("Failed to complete verification:", error);
+                loading = false;
+                status.set("error");
+                reason.set("Failed to complete verification. Please try again.");
+            }
         };
+
+        // Update watchEventStream call
+        // In handleVerification function, store the returned EventSource:
+        // eventSource = watchEventStream(data.id);
+
+        return () => {
+            // Cleanup on component destroy
+            if (eventSource) {
+                eventSource.close();
+            }
+            if (navigationTimeout) {
+                clearTimeout(navigationTimeout);
+            }
+        };
     });

infrastructure/evault-provisioner/src/controllers/VerificationController.ts (5)

25-25: Replace any type with proper Express type

Use proper typing instead of any for better type safety.

-    registerRoutes(app: any) {
+    registerRoutes(app: Application) {

Add the import at the top:

import type { Application } from "express";

🧰 Tools

🪛 Biome (1.9.4)

[error] 25-25: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

46-49: Remove debug console.log and fix type

Remove debug statement and add proper typing.

-                const handler = (data: any) => {
-                    console.log("hi?");
+                const handler = (data: Record<string, any>) => {
                     res.write(`data: ${JSON.stringify(data)}\n\n`);
                 };

🧰 Tools

🪛 Biome (1.9.4)

[error] 46-46: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

67-103: Improve error handling and add validation

The endpoint throws errors instead of returning proper HTTP responses, and lacks validation for the image content.

 app.post(
     "/verification/:id/media",
     async (req: Request, res: Response) => {
         const { img, type } = req.body;
+        
+        if (!img || typeof img !== 'string') {
+            return res.status(400).json({ error: "Invalid or missing image data" });
+        }
+        
         const types = ["document-front", "document-back", "face"];
         if (!types.includes(type))
-            throw new Error(
-                `Wrong type specified, accepted types are ${types}`,
-            );
+            return res.status(400).json({ 
+                error: `Wrong type specified, accepted types are ${types.join(", ")}`
+            });
+            
         const verification = await this.verificationService.findById(
             req.params.id,
         );
-        if (!verification) throw new Error("Verification not found");
+        if (!verification) {
+            return res.status(404).json({ error: "Verification not found" });
+        }

---

161-185: Add null check for verification

The endpoint uses optional chaining but doesn't handle the case where verification is not found.

 app.patch("/verification/:id", async (req: Request, res: Response) => {
     const verification = await this.verificationService.findById(
         req.params.id,
     );
+    
+    if (!verification) {
+        return res.status(404).json({ error: "Verification not found" });
+    }
+    
     const body = {
         verification: {
             status: "submitted",
         },
     };
     const signature = createHmacSignature(
         body,
         process.env.VERIFF_HMAC_KEY as string,
     );
-    await veriffClient.patch(
-        `/v1/sessions/${verification?.veriffId}`,
+    
+    try {
+        await veriffClient.patch(
+            `/v1/sessions/${verification.veriffId}`,
             body,
             {
                 headers: {
                     "X-HMAC-SIGNATURE": signature,
                     "X-AUTH-CLIENT": process.env.PUBLIC_VERIFF_KEY,
                 },
             },
         );
         res.sendStatus(201);
+    } catch (error) {
+        console.error("Failed to update verification status:", error);
+        return res.status(500).json({ error: "Failed to update verification status" });
+    }
 });

---

187-253: Implement HMAC-SHA256 webhook signature verification

The webhook endpoint lacks HMAC signature verification and contains debug logging.

 app.post(
     "/verification/decisions",
     async (req: Request, res: Response) => {
+        // HMAC signature verification (t=<timestamp>,s=<signature>)
+        const signatureHeader = req.headers['x-hmac-signature'] as string;
+        if (!signatureHeader) {
+            return res.status(401).json({ error: "Missing signature" });
+        }
+        const parts = signatureHeader.split(',');
+        const timestamp = parts[0].split('=')[1];
+        const signature = parts[1].split('=')[1];
+
+        const payload = `${timestamp}.${JSON.stringify(req.body)}`;
+        const expected = crypto
+            .createHmac('sha256', process.env.VERIFF_WEBHOOK_SECRET!)
+            .update(payload)
+            .digest('hex');
+        if (signature !== expected) {
+            return res.status(401).json({ error: "Invalid signature" });
+        }
+
         const body = req.body;
-        console.log(body);
         const id = body.vendorData;

Also add the crypto import at the top:

import crypto from 'crypto';

🧹 Nitpick comments (5)

infrastructure/eid-wallet/src/routes/(app)/settings/+page.svelte (1)

47-49: Enhance the delete button with better UX patterns

While the ButtonAction implementation is correct, consider improving the user experience:

1. Visual distinction - Use a destructive variant/styling
2. Better placement - Consider separating from other settings
3. Loading state - Show loading during deletion process

-    <ButtonAction class="mt-5 w-full" callback={nukeWallet}
-        >Delete Account</ButtonAction
-    >
+    <div class="mt-8 pt-4 border-t border-gray-200">
+        <ButtonAction 
+            class="w-full bg-red-600 hover:bg-red-700 text-white" 
+            callback={nukeWallet}
+            disabled={isDeleting}
+        >
+            {isDeleting ? 'Deleting...' : 'Delete Account'}
+        </ButtonAction>
+    </div>

Note: You'll need to add an isDeleting reactive variable to track the deletion state.

infrastructure/eid-wallet/src/routes/(auth)/verify/+page.svelte (1)

138-180: Consider adding loading state management for verification steps

The template handles different verification states well, but consider adding loading indicators for individual verification steps to improve user experience.

     <Drawer bind:isPaneOpen={showVeriffModal}>
         {#if $verifStep === 0}
             <Passport></Passport>
         {:else if $verifStep === 1}
             <Selfie></Selfie>
         {:else if loading}
             <div class="my-20">
                 <div
                     class="align-center flex w-full flex-col items-center justify-center gap-6"
                 >
                     <Shadow size={40} color="rgb(142, 82, 255);" />
                     <h3>Generating your eName</h3>
                 </div>
             </div>
         {:else}
             <div class="flex flex-col gap-6">
                 {#if $status === "approved"}
                     <div>
                         <h3>Your verification was a success</h3>
                         <p>You can now continue on to create your eName</p>
                     </div>
                 {:else if $status === "resubmission_requested"}
                     <h3>Your verification failed due to the reason</h3>
                     <p>{$reason}</p>
+                {:else if $status === "error"}
+                    <h3>An error occurred</h3>
+                    <p>{$reason}</p>
                 {:else}
                     <h3>Your verification failed</h3>
                     <p>{$reason}</p>
                 {/if}
             </div>

infrastructure/evault-provisioner/src/controllers/VerificationController.ts (3)

1-2: Use import type for type-only imports

The imports for Request, Response, and VerificationService are only used as types, not runtime values.

-import { Request, Response } from "express";
-import { VerificationService } from "../services/VerificationService";
+import type { Request, Response } from "express";
+import type { VerificationService } from "../services/VerificationService";

🧰 Tools

🪛 Biome (1.9.4)

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

12-20: Simplify redundant response interceptor

The response interceptor doesn't add any value - it just returns the response or rejects with the same error.

-veriffClient.interceptors.response.use(
-    (response) => {
-        return response;
-    },
-    async function (error) {
-        if (!error.response) return Promise.reject(error);
-        return Promise.reject(error);
-    },
-);

Consider removing this interceptor entirely or adding meaningful error handling/logging if needed.

🧰 Tools

🪛 Biome (1.9.4)

[error] 16-19: This function expression can be turned into an arrow function.

Function expressions that don't use this can be turned into arrow functions.
Safe fix: Use an arrow function instead.

(lint/complexity/useArrowFunction)

---

222-225: Remove debug logging from production code

Debug console.log statements should be removed from production code.

                        const verificationMatch =
                            await this.verificationService.findOne({
                                documentId:
                                body.data.verification.document.number.value
                            });
-                        console.log("matched", verificationMatch)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c645a19 and 5992cac.

📒 Files selected for processing (3)

• infrastructure/eid-wallet/src/routes/(app)/settings/+page.svelte (1 hunks)
• infrastructure/eid-wallet/src/routes/(auth)/verify/+page.svelte (1 hunks)
• infrastructure/evault-provisioner/src/controllers/VerificationController.ts (1 hunks)

🧰 Additional context used

🪛 Biome (1.9.4)

infrastructure/evault-provisioner/src/controllers/VerificationController.ts

[error] 16-19: This function expression can be turned into an arrow function.

Function expressions that don't use this can be turned into arrow functions.
Safe fix: Use an arrow function instead.

(lint/complexity/useArrowFunction)

---

[error] 25-25: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

[error] 46-46: Unexpected any. Specify a different type.

any disables many type checking rules. Its use should be avoided.

(lint/suspicious/noExplicitAny)

---

[error] 1-1: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

---

[error] 2-2: All these imports are only used as types.

Importing the types with import type ensures that they are removed by the compilers and avoids loading unnecessary modules.
Safe fix: Use import type.

(lint/style/useImportType)

🔇 Additional comments (4)

infrastructure/eid-wallet/src/routes/(app)/settings/+page.svelte (4)

2-14: LGTM - Clean import organization

The imports are well-organized and include all necessary dependencies for the settings page functionality.

---

16-16: LGTM - Proper global state access

Using Svelte's context to access global state follows the established pattern mentioned in the AI summary.

---

24-26: LGTM - Standard page title setup

The effect properly sets the page title in the runtime header.

---

31-45: LGTM - Well-structured navigation buttons

The settings navigation buttons are properly implemented with appropriate icons and routes.

[coderabbitai]

🛠️ Refactor suggestion

Add user confirmation and error handling for account deletion

The nukeWallet function immediately deletes user data without confirmation, which could lead to accidental data loss. Consider implementing safety measures:

1. User confirmation dialog - Require explicit confirmation before deletion
2. Error handling - Handle potential failures in state clearing
3. Async operation - Consider if backend cleanup is needed

-    function nukeWallet() {
-        globalState.userController.user = null;
-        globalState.securityController.clearPin();
-        goto("/onboarding");
-    }
+    async function nukeWallet() {
+        const confirmed = confirm("Are you sure you want to delete your account? This action cannot be undone.");
+        if (!confirmed) return;
+        
+        try {
+            globalState.userController.user = null;
+            globalState.securityController.clearPin();
+            // Add any additional cleanup operations here
+            goto("/onboarding");
+        } catch (error) {
+            console.error("Failed to delete account:", error);
+            // Show error message to user
+        }
+    }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function nukeWallet() {
	globalState.userController.user = null;
	globalState.securityController.clearPin();
	goto("/onboarding");
	}
	async function nukeWallet() {
	const confirmed = confirm("Are you sure you want to delete your account? This action cannot be undone.");
	if (!confirmed) return;
	try {
	globalState.userController.user = null;
	globalState.securityController.clearPin();
	// Add any additional cleanup operations here
	goto("/onboarding");
	} catch (error) {
	console.error("Failed to delete account:", error);
	// Show error message to user
	}
	}

🤖 Prompt for AI Agents

In infrastructure/eid-wallet/src/routes/(app)/settings/+page.svelte around lines
18 to 22, the nukeWallet function deletes user data immediately without
confirmation or error handling. Modify the function to first show a user
confirmation dialog and proceed only if confirmed. Add try-catch blocks to
handle any errors during user state clearing and securityController.clearPin
calls. If backend cleanup is required, make the function async and await the
necessary asynchronous operations before navigating to the onboarding page.

[coderabbitai]

🛠️ Refactor suggestion

Add error handling for external API calls

The verification creation endpoint lacks proper error handling for the Veriff API call.

-            const { data: veriffSession } = await veriffClient.post(
-                "/v1/sessions",
-                veriffBody,
-                {
-                    headers: {
-                        "X-HMAC-SIGNATURE": signature,
-                        "X-AUTH-CLIENT": process.env.PUBLIC_VERIFF_KEY,
-                    },
-                },
-            );
-            await this.verificationService.findByIdAndUpdate(verification.id, {
-                veriffId: veriffSession.verification.id,
-            });
+            try {
+                const { data: veriffSession } = await veriffClient.post(
+                    "/v1/sessions",
+                    veriffBody,
+                    {
+                        headers: {
+                            "X-HMAC-SIGNATURE": signature,
+                            "X-AUTH-CLIENT": process.env.PUBLIC_VERIFF_KEY,
+                        },
+                    },
+                );
+                await this.verificationService.findByIdAndUpdate(verification.id, {
+                    veriffId: veriffSession.verification.id,
+                });
+            } catch (error) {
+                console.error("Failed to create Veriff session:", error);
+                await this.verificationService.delete(verification.id);
+                return res.status(500).json({ error: "Failed to create verification session" });
+            }

🤖 Prompt for AI Agents

In infrastructure/evault-provisioner/src/controllers/VerificationController.ts
between lines 118 and 159, the code calls the external Veriff API without error
handling, which can cause unhandled exceptions. Wrap the Veriff API call and
subsequent update in a try-catch block to catch any errors. In the catch block,
log the error and return an appropriate error response (e.g., status 500 with an
error message) to the client to handle failures gracefully.