Prevent adding a credential with attributes not listed in schema

packages/browser-wallet/CHANGELOG.md

@@ -11,6 +11,8 @@
 -   An issue where the import window would fail to open.
 -   Updated the JSON schema for the verifiable credential schema validation, so that invalid schemas are rejected.
 -   An issue where a verifiable with the `NotActivated` status would show as `Pending`.
+-   An issue that allowed empty credential statements to be accepted by the wallet-api.
+-   An issue where the wallet allowed for requests adding credentials with more attributes than listed in the schema.
 
 ## 1.1.2
 

packages/browser-wallet/src/popup/pages/AddWeb3IdCredential/AddWeb3IdCredential.tsx

@@ -63,6 +63,7 @@ export default function AddWeb3IdCredential({ onAllow, onReject }: Props) {
     const network = useAtomValue(networkConfigurationAtom);
 
     const [error, setError] = useState<string>();
+    const [validationComplete, setValidationComplete] = useState<boolean>(false);
 
     const { credential: rawCredential, url, metadataUrl } = state.payload;
     const credential: APIVerifiableCredential = parse(rawCredential);
@@ -121,10 +122,24 @@ export default function AddWeb3IdCredential({ onAllow, onReject }: Props) {
             }
 
             if (missingRequiredAttributeKeys.length > 0) {
-                setError(t('error.attribute', { attributeKeys: missingRequiredAttributeKeys }));
+                setError(t('error.attribute.required', { attributeKeys: missingRequiredAttributeKeys }));
+                setValidationComplete(true);
+                return;
             }
+
+            // Ensure that a credential with more attributes than listed by the schema cannot be added.
+            const schemaAttributes = Object.keys(schema.properties.credentialSubject.properties.attributes.properties);
+            for (const credentialAttribute of Object.keys(credential.credentialSubject.attributes)) {
+                if (!schemaAttributes.includes(credentialAttribute)) {
+                    setError(t('error.attribute.additional', { credentialAttribute, schemaAttributes }));
+                    setValidationComplete(true);
+                    return;
+                }
+            }
+
+            setValidationComplete(true);
         }
-    }, [schema?.properties.credentialSubject.properties.attributes.required]);
+    }, [Boolean(schema)]);
 
     useEffect(() => () => controller.abort(), []);
 
@@ -193,7 +208,7 @@ export default function AddWeb3IdCredential({ onAllow, onReject }: Props) {
         return credentialSubjectId;
     }
 
-    if (web3IdCredentials.loading || storedWeb3IdCredentials.loading) {
+    if (web3IdCredentials.loading || storedWeb3IdCredentials.loading || !validationComplete) {
         return null;
     }
 

packages/browser-wallet/src/popup/pages/AddWeb3IdCredential/i18n/en.ts

@@ -7,7 +7,11 @@ const t = {
             'We are unable to add the web3Id credential to the wallet due to the following issue, please report this to the issuer:',
         metadata: 'We are unable to load the metadata for the credential.',
         schema: 'We are unable to load the schema specification for the credential.',
-        attribute: 'The received credential is missing one or more required attributes ({{ attributeKeys }})',
+        attribute: {
+            required: 'The received credential is missing one or more required attributes ({{ attributeKeys }})',
+            additional:
+                'The attribute with key [{{ credentialAttribute }}] is not available in the list of schema attributes: [{{ schemaAttributes }}]',
+        },
         localization: 'Failed to get localization',
     },
 };