npm - @bifold/core - Versions diffs - 2.10.1 → 2.11.0 - Mend

@bifold/core 2.10.1 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (312) hide show

package/lib/module/modules/openid/refresh/refreshOrchestrator.js ADDED Viewed

@@ -0,0 +1,257 @@
+// modules/openid/refresh/RefreshOrchestrator.ts
+import { ClaimFormat, SdJwtVcRecord, W3cCredentialRecord } from '@credo-ts/core';
+import { refreshAccessToken } from './refreshToken';
+import { reissueCredentialWithAccessToken } from './reIssuance';
+import { RefreshStatus } from './types';
+import { credentialRegistry } from './registery';
+import { verifyCredentialStatus } from './verifyCredentialStatus';
+import { markOpenIDCredentialStatus } from '../metadata';
+const defaultToLite = rec => {
+  var _rec$createdAt;
+  return {
+    id: rec.id,
+    // best-effort: SdJwt/W3C both expose claimFormat via tags in many setups.
+    // Fallback to JwtVc if unknown so UI has *some* value.
+    format: rec instanceof W3cCredentialRecord && ClaimFormat.JwtVc || rec instanceof SdJwtVcRecord && ClaimFormat.SdJwtVc || ClaimFormat.JwtVc,
+    createdAt: (_rec$createdAt = rec.createdAt) === null || _rec$createdAt === void 0 ? void 0 : _rec$createdAt.toISOString(),
+    issuer: undefined
+  };
+};
+export class RefreshOrchestrator {
+  intervalOn = false; // interval enabled?
+  runningOnce = false; // a run is in progress?
+  recentlyIssued = new Map();
+  constructor(logger, bridge, opts) {
+    this.logger = logger;
+    this.opts = {
+      intervalMs: 15 * 60 * 1000,
+      autoStart: true,
+      onError: e => this.logger.error(String(e)),
+      listRecords: async () => [],
+      toLite: defaultToLite,
+      ...(opts ?? {})
+    };
+    logger.info(`🔧 [RefreshOrchestrator] initialized -> ${JSON.stringify({
+      intervalMs: this.opts.intervalMs,
+      autoStart: this.opts.autoStart
+    })}`);
+    bridge.onReady(agent => {
+      this.agent = agent;
+      this.logger.info('🪝 [RefreshOrchestrator] Agent ready');
+      if (this.opts.autoStart && this.opts.intervalMs) this.start();
+    }, true);
+  }
+  configure(next) {
+    const prev = {
+      intervalOn: this.intervalOn,
+      intervalMs: this.opts.intervalMs ?? null,
+      autoStart: this.opts.autoStart ?? true,
+      agentReady: !!this.agent
+    };
+    // merge
+    this.opts = {
+      ...this.opts,
+      ...next
+    };
+    this.logger.info(`🔧 [RefreshOrchestrator] configure -> ${JSON.stringify({
+      intervalMs: this.opts.intervalMs,
+      autoStart: this.opts.autoStart
+    })}`);
+    const nowIntervalMs = this.opts.intervalMs ?? null;
+    const nowAutoStart = this.opts.autoStart ?? true;
+    // Case A: timer is running and intervalMs changed → restart
+    if (prev.intervalOn && prev.intervalMs !== nowIntervalMs) {
+      this.stop();
+      if (nowIntervalMs) this.start();
+      return;
+    }
+    // Case B: timer is running but user disabled intervals
+    if (prev.intervalOn && nowIntervalMs === null) {
+      this.stop();
+      return;
+    }
+    // Case C: timer is NOT running, but user enabled intervals
+    // Start iff: we have a positive interval, and either autoStart is true
+    // or the caller intends to enable interval operation via configure.
+    if (!prev.intervalOn && nowIntervalMs && nowAutoStart) {
+      // If agent isn't ready yet, defer; onReady() will auto-start.
+      if (this.agent) this.start();
+      // else do nothing — the constructor's bridge.onReady() will call start()
+      return;
+    }
+    // Case D: autoStart toggled from false→true with an interval set, and timer isn't running
+    if (!prev.intervalOn && !prev.autoStart && nowAutoStart && nowIntervalMs) {
+      if (this.agent) this.start();
+      // else defer to onReady()
+      return;
+    }
+    // Otherwise: no timer state change needed.
+  }
+  isRunning() {
+    return this.runningOnce;
+  }
+  start() {
+    if (this.intervalOn || !this.opts.intervalMs) return;
+    this.logger.info('⏱️ [RefreshOrchestrator] start interval');
+    this.intervalOn = true;
+    this.timer = setInterval(() => {
+      // fire-and-forget; guard against overlap
+      void this.runOnce('interval');
+    }, this.opts.intervalMs);
+  }
+  stop() {
+    if (!this.intervalOn) return;
+    this.logger.info('⏹️ [RefreshOrchestrator] stop interval');
+    clearInterval(this.timer);
+    this.timer = undefined;
+    this.intervalOn = false;
+  }
+  async runOnce(reason = 'manual') {
+    var _this$agent;
+    if (this.runningOnce) {
+      this.logger.warn('⚠️ [RefreshOrchestrator] runOnce skipped: already running');
+      return;
+    }
+    if (!this.agent || !((_this$agent = this.agent) !== null && _this$agent !== void 0 && _this$agent.isInitialized)) {
+      this.logger.warn('⚠️ [RefreshOrchestrator] runOnce skipped: agent not ready');
+      return;
+    }
+    this.runningOnce = true;
+    this.logger.info(`🔁 [RefreshOrchestrator] runOnce (${reason})`);
+    try {
+      const records = await this.opts.listRecords();
+      this.logger.info(`📦 [Refresh] found ${records.length} credential records`);
+      for (const rec of records) {
+        // don’t block whole batch if one fails
+        try {
+          await this.refreshRecord(rec);
+        } catch (e) {
+          var _this$opts$onError, _this$opts;
+          this.logger.error(`💥 [Refresh] record ${rec.id} failed: ${String(e)}`);
+          (_this$opts$onError = (_this$opts = this.opts).onError) === null || _this$opts$onError === void 0 || _this$opts$onError.call(_this$opts, e);
+        }
+      }
+      this.logger.info('✅ [Refresh] run completed');
+    } catch (e) {
+      var _this$opts$onError2, _this$opts2;
+      this.logger.error(`💥 [Refresh] global error: ${String(e)}`);
+      (_this$opts$onError2 = (_this$opts2 = this.opts).onError) === null || _this$opts$onError2 === void 0 || _this$opts$onError2.call(_this$opts2, e);
+    } finally {
+      this.runningOnce = false;
+    }
+  }
+  setIntervalMs(intervalMs) {
+    this.configure({
+      intervalMs
+    });
+  }
+  resolveFull(id) {
+    return this.recentlyIssued.get(id);
+  }
+  // ---- internals ----
+  async refreshRecord(rec) {
+    const {
+      shouldSkip,
+      markRefreshing,
+      clearRefreshing,
+      clearExpired,
+      markExpiredWithReplacement,
+      blockAsFailed,
+      blockAsSucceeded,
+      upsert
+    } = credentialRegistry.getState();
+    const id = rec.id;
+    if (!this.agent) {
+      this.logger.error(`💥 [Refresh] Agent not initialized, cannot refresh credential ${id}`);
+      return;
+    }
+    // 0) fast exit if this cred is already handled or in-flight
+    if (shouldSkip(id)) {
+      this.logger.info(`⏭️ [Refresh] skip credential ${id} (blocked/expired/in-flight)`);
+      return;
+    }
+    // 1) ensure a lite copy exists in registry (handy for UI/debug)
+    upsert(this.opts.toLite(rec));
+    // 2) mark in-flight
+    markRefreshing(id);
+    this.logger.info(`🧭 [Refresh] check credential ${id}`);
+    try {
+      // 3) verification
+      const isValid = await verifyCredentialStatus(rec, this.logger);
+      if (isValid) {
+        this.logger.info(`✅ [Refresh] valid → ${id}`);
+        // If it was previously expired for any reason, clear that and block as succeeded
+        clearExpired(id);
+        //We can block if isValid but for now we will keep checking it again every time
+        // blockAsSucceeded(id)
+        return;
+      }
+      // Invalid case:
+      await markOpenIDCredentialStatus({
+        credential: rec,
+        status: RefreshStatus.Invalid,
+        agentContext: this.agent.context
+      });
+      // 4) needs refresh → get access token
+      this.logger.info(`♻️ [Refresh] invalid, attempting re-issue → ${id}`);
+      const token = await refreshAccessToken({
+        logger: this.logger,
+        cred: rec,
+        agentContext: this.agent.context
+      });
+      if (!token) {
+        const msg = `no refresh token available`;
+        this.logger.warn(`⚠️ [Refresh] ${msg} for ${id}`);
+        blockAsFailed(id, msg);
+        return;
+      }
+      // 5) re-issue
+      const newRecord = await reissueCredentialWithAccessToken({
+        agent: this.agent,
+        logger: this.logger,
+        record: rec,
+        tokenResponse: token
+      });
+      if (newRecord) {
+        this.logger.info(`💾 [Refresh] new credential → ${newRecord.id}`);
+        // Queue a replacement for UI/notifications and block the old one as succeeded
+        markExpiredWithReplacement(id, this.opts.toLite(newRecord));
+        blockAsSucceeded(id);
+        this.recentlyIssued.set(newRecord.id, newRecord);
+      } else {
+        const msg = `re-issue returned no record`;
+        this.logger.warn(`⚠️ [Refresh] ${msg} for ${id}`);
+        blockAsFailed(id, msg);
+        await markOpenIDCredentialStatus({
+          credential: rec,
+          status: RefreshStatus.Invalid,
+          agentContext: this.agent.context
+        });
+      }
+    } catch (e) {
+      const err = String(e);
+      this.logger.error(`💥 [Refresh] error on ${id}: ${err}`);
+      blockAsFailed(id, err);
+    } finally {
+      // 6) clear in-flight marker
+      clearRefreshing(id);
+    }
+  }
+}
+//# sourceMappingURL=refreshOrchestrator.js.map

package/lib/module/modules/openid/refresh/refreshOrchestrator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["ClaimFormat","SdJwtVcRecord","W3cCredentialRecord","refreshAccessToken","reissueCredentialWithAccessToken","RefreshStatus","credentialRegistry","verifyCredentialStatus","markOpenIDCredentialStatus","defaultToLite","rec","_rec$createdAt","id","format","JwtVc","SdJwtVc","createdAt","toISOString","issuer","undefined","RefreshOrchestrator","intervalOn","runningOnce","recentlyIssued","Map","constructor","logger","bridge","opts","intervalMs","autoStart","onError","e","error","String","listRecords","toLite","info","JSON","stringify","onReady","agent","start","configure","next","prev","agentReady","nowIntervalMs","nowAutoStart","stop","isRunning","timer","setInterval","runOnce","clearInterval","reason","_this$agent","warn","isInitialized","records","length","refreshRecord","_this$opts$onError","_this$opts","call","_this$opts$onError2","_this$opts2","setIntervalMs","resolveFull","get","shouldSkip","markRefreshing","clearRefreshing","clearExpired","markExpiredWithReplacement","blockAsFailed","blockAsSucceeded","upsert","getState","isValid","credential","status","Invalid","agentContext","context","token","cred","msg","newRecord","record","tokenResponse","set","err"],"sourceRoot":"../../../../../src","sources":["modules/openid/refresh/refreshOrchestrator.ts"],"mappings":"AAAA;AACA,SAAgBA,WAAW,EAAcC,aAAa,EAAEC,mBAAmB,QAAQ,gBAAgB;AAEnG,SAASC,kBAAkB,QAAQ,gBAAgB;AACnD,SAASC,gCAAgC,QAAQ,cAAc;AAC/D,SAAwDC,aAAa,QAAQ,SAAS;AAEtF,SAASC,kBAAkB,QAAQ,aAAa;AAChD,SAASC,sBAAsB,QAAQ,0BAA0B;AACjE,SAASC,0BAA0B,QAAQ,aAAa;AAIxD,MAAMC,aAAa,GAAIC,GAAY;EAAA,IAAAC,cAAA;EAAA,OAAM;IACvCC,EAAE,EAAEF,GAAG,CAACE,EAAE;IACV;IACA;IACAC,MAAM,EACHH,GAAG,YAAYR,mBAAmB,IAAIF,WAAW,CAACc,KAAK,IACvDJ,GAAG,YAAYT,aAAa,IAAID,WAAW,CAACe,OAAQ,IACrDf,WAAW,CAACc,KAAK;IACnBE,SAAS,GAAAL,cAAA,GAAED,GAAG,CAACM,SAAS,cAAAL,cAAA,uBAAbA,cAAA,CAAeM,WAAW,CAAC,CAAC;IACvCC,MAAM,EAAEC;EACV,CAAC;AAAA,CAAC;AAEF,OAAO,MAAMC,mBAAmB,CAAiC;EAEvDC,UAAU,GAAG,KAAK,EAAC;EACnBC,WAAW,GAAG,KAAK,EAAC;;EAGXC,cAAc,GAAG,IAAIC,GAAG,CAAkB,CAAC;EAErDC,WAAWA,CAAkBC,MAAoB,EAAEC,MAAmB,EAAEC,IAA8B,EAAE;IAAA,KAA3EF,MAAoB,GAApBA,MAAoB;IACtD,IAAI,CAACE,IAAI,GAAG;MACVC,UAAU,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;MAC1BC,SAAS,EAAE,IAAI;MACfC,OAAO,EAAGC,CAAC,IAAK,IAAI,CAACN,MAAM,CAACO,KAAK,CAACC,MAAM,CAACF,CAAC,CAAC,CAAC;MAC5CG,WAAW,EAAE,MAAAA,CAAA,KAAY,EAAE;MAC3BC,MAAM,EAAE3B,aAAa;MACrB,IAAImB,IAAI,IAAI,CAAC,CAAC;IAChB,CAAC;IAEDF,MAAM,CAACW,IAAI,CACT,2CAA2CC,IAAI,CAACC,SAAS,CAAC;MACxDV,UAAU,EAAE,IAAI,CAACD,IAAI,CAACC,UAAU;MAChCC,SAAS,EAAE,IAAI,CAACF,IAAI,CAACE;IACvB,CAAC,CAAC,EACJ,CAAC;IAEDH,MAAM,CAACa,OAAO,CAAEC,KAAK,IAAK;MACxB,IAAI,CAACA,KAAK,GAAGA,KAAK;MAClB,IAAI,CAACf,MAAM,CAACW,IAAI,CAAC,sCAAsC,CAAC;MACxD,IAAI,IAAI,CAACT,IAAI,CAACE,SAAS,IAAI,IAAI,CAACF,IAAI,CAACC,UAAU,EAAE,IAAI,CAACa,KAAK,CAAC,CAAC;IAC/D,CAAC,EAAE,IAAI,CAAC;EACV;EAEOC,SAASA,CAACC,IAAsC,EAAE;IACvD,MAAMC,IAAI,GAAG;MACXxB,UAAU,EAAE,IAAI,CAACA,UAAU;MAC3BQ,UAAU,EAAE,IAAI,CAACD,IAAI,CAACC,UAAU,IAAI,IAAI;MACxCC,SAAS,EAAE,IAAI,CAACF,IAAI,CAACE,SAAS,IAAI,IAAI;MACtCgB,UAAU,EAAE,CAAC,CAAC,IAAI,CAACL;IACrB,CAAC;;IAED;IACA,IAAI,CAACb,IAAI,GAAG;MAAE,GAAG,IAAI,CAACA,IAAI;MAAE,GAAGgB;IAAK,CAAC;IAErC,IAAI,CAAClB,MAAM,CAACW,IAAI,CACd,yCAAyCC,IAAI,CAACC,SAAS,CAAC;MACtDV,UAAU,EAAE,IAAI,CAACD,IAAI,CAACC,UAAU;MAChCC,SAAS,EAAE,IAAI,CAACF,IAAI,CAACE;IACvB,CAAC,CAAC,EACJ,CAAC;IAED,MAAMiB,aAAa,GAAG,IAAI,CAACnB,IAAI,CAACC,UAAU,IAAI,IAAI;IAClD,MAAMmB,YAAY,GAAG,IAAI,CAACpB,IAAI,CAACE,SAAS,IAAI,IAAI;;IAEhD;IACA,IAAIe,IAAI,CAACxB,UAAU,IAAIwB,IAAI,CAAChB,UAAU,KAAKkB,aAAa,EAAE;MACxD,IAAI,CAACE,IAAI,CAAC,CAAC;MACX,IAAIF,aAAa,EAAE,IAAI,CAACL,KAAK,CAAC,CAAC;MAC/B;IACF;;IAEA;IACA,IAAIG,IAAI,CAACxB,UAAU,IAAI0B,aAAa,KAAK,IAAI,EAAE;MAC7C,IAAI,CAACE,IAAI,CAAC,CAAC;MACX;IACF;;IAEA;IACA;IACA;IACA,IAAI,CAACJ,IAAI,CAACxB,UAAU,IAAI0B,aAAa,IAAIC,YAAY,EAAE;MACrD;MACA,IAAI,IAAI,CAACP,KAAK,EAAE,IAAI,CAACC,KAAK,CAAC,CAAC;MAC5B;MACA;IACF;;IAEA;IACA,IAAI,CAACG,IAAI,CAACxB,UAAU,IAAI,CAACwB,IAAI,CAACf,SAAS,IAAIkB,YAAY,IAAID,aAAa,EAAE;MACxE,IAAI,IAAI,CAACN,KAAK,EAAE,IAAI,CAACC,KAAK,CAAC,CAAC;MAC5B;MACA;IACF;;IAEA;EACF;EAEOQ,SAASA,CAAA,EAAG;IACjB,OAAO,IAAI,CAAC5B,WAAW;EACzB;EAEOoB,KAAKA,CAAA,EAAG;IACb,IAAI,IAAI,CAACrB,UAAU,IAAI,CAAC,IAAI,CAACO,IAAI,CAACC,UAAU,EAAE;IAC9C,IAAI,CAACH,MAAM,CAACW,IAAI,CAAC,yCAAyC,CAAC;IAC3D,IAAI,CAAChB,UAAU,GAAG,IAAI;IACtB,IAAI,CAAC8B,KAAK,GAAGC,WAAW,CAAC,MAAM;MAC7B;MACA,KAAK,IAAI,CAACC,OAAO,CAAC,UAAU,CAAC;IAC/B,CAAC,EAAE,IAAI,CAACzB,IAAI,CAACC,UAAU,CAAC;EAC1B;EAEOoB,IAAIA,CAAA,EAAG;IACZ,IAAI,CAAC,IAAI,CAAC5B,UAAU,EAAE;IACtB,IAAI,CAACK,MAAM,CAACW,IAAI,CAAC,wCAAwC,CAAC;IAC1DiB,aAAa,CAAC,IAAI,CAACH,KAAM,CAAC;IAC1B,IAAI,CAACA,KAAK,GAAGhC,SAAS;IACtB,IAAI,CAACE,UAAU,GAAG,KAAK;EACzB;EAEA,MAAagC,OAAOA,CAACE,MAAM,GAAG,QAAQ,EAAE;IAAA,IAAAC,WAAA;IACtC,IAAI,IAAI,CAAClC,WAAW,EAAE;MACpB,IAAI,CAACI,MAAM,CAAC+B,IAAI,CAAC,2DAA2D,CAAC;MAC7E;IACF;IACA,IAAI,CAAC,IAAI,CAAChB,KAAK,IAAI,GAAAe,WAAA,GAAC,IAAI,CAACf,KAAK,cAAAe,WAAA,eAAVA,WAAA,CAAYE,aAAa,GAAE;MAC7C,IAAI,CAAChC,MAAM,CAAC+B,IAAI,CAAC,2DAA2D,CAAC;MAC7E;IACF;IAEA,IAAI,CAACnC,WAAW,GAAG,IAAI;IACvB,IAAI,CAACI,MAAM,CAACW,IAAI,CAAC,qCAAqCkB,MAAM,GAAG,CAAC;IAEhE,IAAI;MACF,MAAMI,OAAO,GAAG,MAAM,IAAI,CAAC/B,IAAI,CAACO,WAAW,CAAC,CAAC;MAC7C,IAAI,CAACT,MAAM,CAACW,IAAI,CAAC,sBAAsBsB,OAAO,CAACC,MAAM,qBAAqB,CAAC;MAC3E,KAAK,MAAMlD,GAAG,IAAIiD,OAAO,EAAe;QACtC;QACA,IAAI;UACF,MAAM,IAAI,CAACE,aAAa,CAACnD,GAAG,CAAC;QAC/B,CAAC,CAAC,OAAOsB,CAAC,EAAE;UAAA,IAAA8B,kBAAA,EAAAC,UAAA;UACV,IAAI,CAACrC,MAAM,CAACO,KAAK,CAAC,uBAAuBvB,GAAG,CAACE,EAAE,YAAYsB,MAAM,CAACF,CAAC,CAAC,EAAE,CAAC;UACvE,CAAA8B,kBAAA,IAAAC,UAAA,OAAI,CAACnC,IAAI,EAACG,OAAO,cAAA+B,kBAAA,eAAjBA,kBAAA,CAAAE,IAAA,CAAAD,UAAA,EAAoB/B,CAAC,CAAC;QACxB;MACF;MACA,IAAI,CAACN,MAAM,CAACW,IAAI,CAAC,2BAA2B,CAAC;IAC/C,CAAC,CAAC,OAAOL,CAAC,EAAE;MAAA,IAAAiC,mBAAA,EAAAC,WAAA;MACV,IAAI,CAACxC,MAAM,CAACO,KAAK,CAAC,8BAA8BC,MAAM,CAACF,CAAC,CAAC,EAAE,CAAC;MAC5D,CAAAiC,mBAAA,IAAAC,WAAA,OAAI,CAACtC,IAAI,EAACG,OAAO,cAAAkC,mBAAA,eAAjBA,mBAAA,CAAAD,IAAA,CAAAE,WAAA,EAAoBlC,CAAC,CAAC;IACxB,CAAC,SAAS;MACR,IAAI,CAACV,WAAW,GAAG,KAAK;IAC1B;EACF;EAEO6C,aAAaA,CAACtC,UAAyB,EAAE;IAC9C,IAAI,CAACc,SAAS,CAAC;MAAEd;IAAW,CAAC,CAAC;EAChC;EAEOuC,WAAWA,CAACxD,EAAU,EAAuB;IAClD,OAAO,IAAI,CAACW,cAAc,CAAC8C,GAAG,CAACzD,EAAE,CAAC;EACpC;;EAEA;;EAEA,MAAciD,aAAaA,CAACnD,GAAY,EAAE;IACxC,MAAM;MACJ4D,UAAU;MACVC,cAAc;MACdC,eAAe;MACfC,YAAY;MACZC,0BAA0B;MAC1BC,aAAa;MACbC,gBAAgB;MAChBC;IACF,CAAC,GAAGvE,kBAAkB,CAACwE,QAAQ,CAAC,CAAC;IAEjC,MAAMlE,EAAE,GAAGF,GAAG,CAACE,EAAE;IAEjB,IAAI,CAAC,IAAI,CAAC6B,KAAK,EAAE;MACf,IAAI,CAACf,MAAM,CAACO,KAAK,CAAC,iEAAiErB,EAAE,EAAE,CAAC;MACxF;IACF;;IAEA;IACA,IAAI0D,UAAU,CAAC1D,EAAE,CAAC,EAAE;MAClB,IAAI,CAACc,MAAM,CAACW,IAAI,CAAC,gCAAgCzB,EAAE,8BAA8B,CAAC;MAClF;IACF;;IAEA;IACAiE,MAAM,CAAC,IAAI,CAACjD,IAAI,CAACQ,MAAM,CAAC1B,GAAG,CAAC,CAAC;;IAE7B;IACA6D,cAAc,CAAC3D,EAAE,CAAC;IAClB,IAAI,CAACc,MAAM,CAACW,IAAI,CAAC,iCAAiCzB,EAAE,EAAE,CAAC;IAEvD,IAAI;MACF;MACA,MAAMmE,OAAO,GAAG,MAAMxE,sBAAsB,CAACG,GAAG,EAAE,IAAI,CAACgB,MAAM,CAAC;MAC9D,IAAIqD,OAAO,EAAE;QACX,IAAI,CAACrD,MAAM,CAACW,IAAI,CAAC,uBAAuBzB,EAAE,EAAE,CAAC;QAC7C;QACA6D,YAAY,CAAC7D,EAAE,CAAC;QAChB;QACA;QACA;MACF;;MAEA;;MAEA,MAAMJ,0BAA0B,CAAC;QAC/BwE,UAAU,EAAEtE,GAAG;QACfuE,MAAM,EAAE5E,aAAa,CAAC6E,OAAO;QAC7BC,YAAY,EAAE,IAAI,CAAC1C,KAAK,CAAC2C;MAC3B,CAAC,CAAC;;MAEF;MACA,IAAI,CAAC1D,MAAM,CAACW,IAAI,CAAC,+CAA+CzB,EAAE,EAAE,CAAC;MACrE,MAAMyE,KAAK,GAAG,MAAMlF,kBAAkB,CAAC;QAAEuB,MAAM,EAAE,IAAI,CAACA,MAAM;QAAE4D,IAAI,EAAE5E,GAAG;QAAEyE,YAAY,EAAE,IAAI,CAAC1C,KAAK,CAAC2C;MAAQ,CAAC,CAAC;MAC5G,IAAI,CAACC,KAAK,EAAE;QACV,MAAME,GAAG,GAAG,4BAA4B;QACxC,IAAI,CAAC7D,MAAM,CAAC+B,IAAI,CAAC,gBAAgB8B,GAAG,QAAQ3E,EAAE,EAAE,CAAC;QACjD+D,aAAa,CAAC/D,EAAE,EAAE2E,GAAG,CAAC;QACtB;MACF;;MAEA;MACA,MAAMC,SAAS,GAAG,MAAMpF,gCAAgC,CAAC;QACvDqC,KAAK,EAAE,IAAI,CAACA,KAAK;QACjBf,MAAM,EAAE,IAAI,CAACA,MAAM;QACnB+D,MAAM,EAAE/E,GAAG;QACXgF,aAAa,EAAEL;MACjB,CAAC,CAAC;MAEF,IAAIG,SAAS,EAAE;QACb,IAAI,CAAC9D,MAAM,CAACW,IAAI,CAAC,iCAAiCmD,SAAS,CAAC5E,EAAE,EAAE,CAAC;QACjE;QACA8D,0BAA0B,CAAC9D,EAAE,EAAE,IAAI,CAACgB,IAAI,CAACQ,MAAM,CAACoD,SAAS,CAAC,CAAC;QAC3DZ,gBAAgB,CAAChE,EAAE,CAAC;QACpB,IAAI,CAACW,cAAc,CAACoE,GAAG,CAACH,SAAS,CAAC5E,EAAE,EAAE4E,SAAS,CAAC;MAClD,CAAC,MAAM;QACL,MAAMD,GAAG,GAAG,6BAA6B;QACzC,IAAI,CAAC7D,MAAM,CAAC+B,IAAI,CAAC,gBAAgB8B,GAAG,QAAQ3E,EAAE,EAAE,CAAC;QACjD+D,aAAa,CAAC/D,EAAE,EAAE2E,GAAG,CAAC;QACtB,MAAM/E,0BAA0B,CAAC;UAC/BwE,UAAU,EAAEtE,GAAG;UACfuE,MAAM,EAAE5E,aAAa,CAAC6E,OAAO;UAC7BC,YAAY,EAAE,IAAI,CAAC1C,KAAK,CAAC2C;QAC3B,CAAC,CAAC;MACJ;IACF,CAAC,CAAC,OAAOpD,CAAC,EAAE;MACV,MAAM4D,GAAG,GAAG1D,MAAM,CAACF,CAAC,CAAC;MACrB,IAAI,CAACN,MAAM,CAACO,KAAK,CAAC,yBAAyBrB,EAAE,KAAKgF,GAAG,EAAE,CAAC;MACxDjB,aAAa,CAAC/D,EAAE,EAAEgF,GAAG,CAAC;IACxB,CAAC,SAAS;MACR;MACApB,eAAe,CAAC5D,EAAE,CAAC;IACrB;EACF;AACF","ignoreList":[]}

package/lib/module/modules/openid/refresh/refreshToken.js ADDED Viewed

@@ -0,0 +1,72 @@
+import { getRefreshCredentialMetadata, persistCredentialRecord, setRefreshCredentialMetadata } from '../metadata';
+export async function refreshAccessToken({
+  logger,
+  cred,
+  agentContext
+}) {
+  logger.info(`[refreshAccessToken] Checking new credential for record: ${cred.id}`);
+  //   return _mockTokenRefreshResponse
+  const refreshMetaData = getRefreshCredentialMetadata(cred);
+  if (!refreshMetaData) {
+    logger.error(`[refreshAccessToken] No refresh metadata found for credential: ${cred.id}`);
+    return;
+  }
+  logger.info(`[refreshAccessToken] Found refresh metadata for credential: ${cred.id}`);
+  const {
+    refreshToken,
+    authServer
+  } = refreshMetaData;
+  try {
+    if (!authServer) {
+      throw new Error('No authorization server found in the credential offer metadata');
+    }
+    logger.info(`[refreshAccessToken] Found auth server for credential: ${cred.id}: ${authServer}`);
+    // Build token endpoint: <AS>/token?force=false
+    // React-Native-safe URL build
+    const tokenUrl = (authServer.endsWith('/') ? authServer.slice(0, -1) : authServer) + '/token?force=false';
+    // const tokenUrl = new URL('token', authServer)
+    // tokenUrl.searchParams.set('force', 'false')
+    logger.info(`[refreshAccessToken] Refreshing access token at URL: ${tokenUrl} for credential: ${cred.id}`);
+    const body = new URLSearchParams({
+      grant_type: 'refresh_token',
+      refresh_token: refreshToken,
+      // these are accepted by some ASs that share the same endpoint with pre-auth:
+      pre_authorized_code: '',
+      pre_authorized_code_alt: '',
+      user_pin: ''
+    });
+    const res = await fetch(tokenUrl.toString(), {
+      method: 'POST',
+      headers: {
+        accept: 'application/json',
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      body: body.toString()
+    });
+    logger.info(`[refreshAccessToken] Response status: ${JSON.stringify(res)}`);
+    if (!res.ok) {
+      const errText = await res.text();
+      throw new Error(`Refresh failed ${res.status}: ${errText}`);
+    }
+    const data = await res.json();
+    logger.info(`[refreshAccessToken] New access token acquired: ${JSON.stringify(data)}`);
+    // If refresh token rotated, persist it
+    if (data.refresh_token && data.refresh_token !== refreshToken) {
+      logger.info(`[refreshAccessToken] Refresh token rotated; saving new one`);
+      setRefreshCredentialMetadata(cred, {
+        ...refreshMetaData,
+        authServer: authServer,
+        refreshToken: data.refresh_token
+      });
+      await persistCredentialRecord(agentContext, cred);
+    }
+    return data;
+  } catch (error) {
+    logger.error(`[refreshAccessToken] Error getting new token: ${error}`);
+    throw error;
+  }
+}
+//# sourceMappingURL=refreshToken.js.map

package/lib/module/modules/openid/refresh/refreshToken.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["getRefreshCredentialMetadata","persistCredentialRecord","setRefreshCredentialMetadata","refreshAccessToken","logger","cred","agentContext","info","id","refreshMetaData","error","refreshToken","authServer","Error","tokenUrl","endsWith","slice","body","URLSearchParams","grant_type","refresh_token","pre_authorized_code","pre_authorized_code_alt","user_pin","res","fetch","toString","method","headers","accept","JSON","stringify","ok","errText","text","status","data","json"],"sourceRoot":"../../../../../src","sources":["modules/openid/refresh/refreshToken.ts"],"mappings":"AAGA,SAASA,4BAA4B,EAAEC,uBAAuB,EAAEC,4BAA4B,QAAQ,aAAa;AAEjH,OAAO,eAAeC,kBAAkBA,CAAC;EACvCC,MAAM;EACNC,IAAI;EACJC;AAKF,CAAC,EAAwC;EACvCF,MAAM,CAACG,IAAI,CAAC,4DAA4DF,IAAI,CAACG,EAAE,EAAE,CAAC;EAClF;EACA,MAAMC,eAAe,GAAGT,4BAA4B,CAACK,IAAI,CAAC;EAC1D,IAAI,CAACI,eAAe,EAAE;IACpBL,MAAM,CAACM,KAAK,CAAC,kEAAkEL,IAAI,CAACG,EAAE,EAAE,CAAC;IACzF;EACF;EAEAJ,MAAM,CAACG,IAAI,CAAC,+DAA+DF,IAAI,CAACG,EAAE,EAAE,CAAC;EACrF,MAAM;IAAEG,YAAY;IAAEC;EAAW,CAAC,GAAGH,eAAe;EAEpD,IAAI;IACF,IAAI,CAACG,UAAU,EAAE;MACf,MAAM,IAAIC,KAAK,CAAC,gEAAgE,CAAC;IACnF;IAEAT,MAAM,CAACG,IAAI,CAAC,0DAA0DF,IAAI,CAACG,EAAE,KAAKI,UAAU,EAAE,CAAC;;IAE/F;IACA;IACA,MAAME,QAAQ,GAAG,CAACF,UAAU,CAACG,QAAQ,CAAC,GAAG,CAAC,GAAGH,UAAU,CAACI,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAGJ,UAAU,IAAI,oBAAoB;IACzG;IACA;;IAEAR,MAAM,CAACG,IAAI,CAAC,wDAAwDO,QAAQ,oBAAoBT,IAAI,CAACG,EAAE,EAAE,CAAC;IAE1G,MAAMS,IAAI,GAAG,IAAIC,eAAe,CAAC;MAC/BC,UAAU,EAAE,eAAe;MAC3BC,aAAa,EAAET,YAAY;MAC3B;MACAU,mBAAmB,EAAE,EAAE;MACvBC,uBAAuB,EAAE,EAAE;MAC3BC,QAAQ,EAAE;IACZ,CAAC,CAAC;IAEF,MAAMC,GAAG,GAAG,MAAMC,KAAK,CAACX,QAAQ,CAACY,QAAQ,CAAC,CAAC,EAAE;MAC3CC,MAAM,EAAE,MAAM;MACdC,OAAO,EAAE;QACPC,MAAM,EAAE,kBAAkB;QAC1B,cAAc,EAAE;MAClB,CAAC;MACDZ,IAAI,EAAEA,IAAI,CAACS,QAAQ,CAAC;IACtB,CAAC,CAAC;IAEFtB,MAAM,CAACG,IAAI,CAAC,yCAAyCuB,IAAI,CAACC,SAAS,CAACP,GAAG,CAAC,EAAE,CAAC;IAE3E,IAAI,CAACA,GAAG,CAACQ,EAAE,EAAE;MACX,MAAMC,OAAO,GAAG,MAAMT,GAAG,CAACU,IAAI,CAAC,CAAC;MAChC,MAAM,IAAIrB,KAAK,CAAC,kBAAkBW,GAAG,CAACW,MAAM,KAAKF,OAAO,EAAE,CAAC;IAC7D;IAEA,MAAMG,IAAqB,GAAG,MAAMZ,GAAG,CAACa,IAAI,CAAC,CAAC;IAC9CjC,MAAM,CAACG,IAAI,CAAC,mDAAmDuB,IAAI,CAACC,SAAS,CAACK,IAAI,CAAC,EAAE,CAAC;;IAEtF;IACA,IAAIA,IAAI,CAAChB,aAAa,IAAIgB,IAAI,CAAChB,aAAa,KAAKT,YAAY,EAAE;MAC7DP,MAAM,CAACG,IAAI,CAAC,4DAA4D,CAAC;MACzEL,4BAA4B,CAACG,IAAI,EAAE;QACjC,GAAGI,eAAe;QAClBG,UAAU,EAAEA,UAAU;QACtBD,YAAY,EAAEyB,IAAI,CAAChB;MACrB,CAAC,CAAC;MAEF,MAAMnB,uBAAuB,CAACK,YAAY,EAAED,IAAI,CAAC;IACnD;IAEA,OAAO+B,IAAI;EACb,CAAC,CAAC,OAAO1B,KAAK,EAAE;IACdN,MAAM,CAACM,KAAK,CAAC,iDAAiDA,KAAK,EAAE,CAAC;IACtE,MAAMA,KAAK;EACb;AACF","ignoreList":[]}

package/lib/module/modules/openid/refresh/registery.js ADDED Viewed

@@ -0,0 +1,135 @@
+import { createStore } from 'zustand/vanilla';
+/** Permanent (until unblocked) blocks so the orchestrator won’t retry this cred again this session */
+export const credentialRegistry = createStore((set, get) => ({
+  byId: {},
+  expired: [],
+  replacements: {},
+  refreshing: {},
+  blocked: {},
+  lastSweepAt: undefined,
+  upsert: cred => set(s => ({
+    byId: {
+      ...s.byId,
+      [cred.id]: cred
+    }
+  })),
+  markRefreshing: id => set(s => ({
+    refreshing: {
+      ...s.refreshing,
+      [id]: true
+    }
+  })),
+  clearRefreshing: id => set(s => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const {
+      [id]: _drop,
+      ...rest
+    } = s.refreshing;
+    return {
+      refreshing: rest
+    };
+  }),
+  markExpiredWithReplacement: (oldId, replacement) => set(s => ({
+    expired: s.expired.includes(oldId) ? s.expired : [...s.expired, oldId],
+    replacements: {
+      ...s.replacements,
+      [oldId]: replacement
+    }
+  })),
+  acceptReplacement: oldId => set(s => {
+    const repl = s.replacements[oldId];
+    if (!repl) return s;
+    const byId = {
+      ...s.byId
+    };
+    delete byId[oldId];
+    byId[repl.id] = repl;
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const {
+      [oldId]: _drop,
+      ...restRepl
+    } = s.replacements;
+    return {
+      byId,
+      replacements: restRepl,
+      expired: s.expired.filter(x => x !== oldId),
+      // Once accepted, you can optionally block the oldId as succeeded:
+      blocked: {
+        ...s.blocked,
+        [oldId]: {
+          reason: 'succeeded',
+          at: new Date().toISOString()
+        }
+      }
+    };
+  }),
+  clearExpired: id => set(s => ({
+    expired: s.expired.filter(x => x !== id)
+  })),
+  blockAsSucceeded: id => set(s => ({
+    blocked: {
+      ...s.blocked,
+      [id]: {
+        reason: 'succeeded',
+        at: new Date().toISOString()
+      }
+    }
+  })),
+  blockAsFailed: (id, error) => set(s => ({
+    blocked: {
+      ...s.blocked,
+      [id]: {
+        reason: 'failed',
+        at: new Date().toISOString(),
+        error
+      }
+    }
+  })),
+  unblock: id => set(s => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const {
+      [id]: _drop,
+      ...rest
+    } = s.blocked;
+    return {
+      blocked: rest
+    };
+  }),
+  shouldSkip: id => {
+    const s = get();
+    if (s.refreshing[id]) return true; // in-progress
+    if (s.expired.includes(id)) return true; // replacement already queued
+    if (s.blocked[id]) return true; // previously succeeded/failed
+    return false;
+  },
+  setLastSweep: iso => set({
+    lastSweepAt: iso
+  }),
+  reset: () => set({
+    byId: {},
+    expired: [],
+    replacements: {},
+    refreshing: {},
+    blocked: {},
+    lastSweepAt: undefined
+  })
+}));
+// Non-React helpers for workers/services
+export const readRegistry = () => credentialRegistry.getState();
+export const mutateRegistry = updater => credentialRegistry.setState(s => {
+  updater(s);
+  return s;
+});
+export const selectOldIdByReplacementId = replacementId => {
+  const {
+    replacements
+  } = credentialRegistry.getState();
+  for (const [oldId, repl] of Object.entries(replacements)) {
+    if (repl.id === replacementId) return oldId;
+  }
+  return undefined;
+};
+//# sourceMappingURL=registery.js.map

package/lib/module/modules/openid/refresh/registery.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["createStore","credentialRegistry","set","get","byId","expired","replacements","refreshing","blocked","lastSweepAt","undefined","upsert","cred","s","id","markRefreshing","clearRefreshing","_drop","rest","markExpiredWithReplacement","oldId","replacement","includes","acceptReplacement","repl","restRepl","filter","x","reason","at","Date","toISOString","clearExpired","blockAsSucceeded","blockAsFailed","error","unblock","shouldSkip","setLastSweep","iso","reset","readRegistry","getState","mutateRegistry","updater","setState","selectOldIdByReplacementId","replacementId","Object","entries"],"sourceRoot":"../../../../../src","sources":["modules/openid/refresh/registery.ts"],"mappings":"AACA,SAASA,WAAW,QAAQ,iBAAiB;;AAiB7C;;AAyDA,OAAO,MAAMC,kBAAkB,GAAGD,WAAW,CAAgB,CAACE,GAAG,EAAEC,GAAG,MAAM;EAC1EC,IAAI,EAAE,CAAC,CAAC;EACRC,OAAO,EAAE,EAAE;EACXC,YAAY,EAAE,CAAC,CAAC;EAChBC,UAAU,EAAE,CAAC,CAAC;EACdC,OAAO,EAAE,CAAC,CAAC;EACXC,WAAW,EAAEC,SAAS;EAEtBC,MAAM,EAAGC,IAAI,IAAKV,GAAG,CAAEW,CAAC,KAAM;IAAET,IAAI,EAAE;MAAE,GAAGS,CAAC,CAACT,IAAI;MAAE,CAACQ,IAAI,CAACE,EAAE,GAAGF;IAAK;EAAE,CAAC,CAAC,CAAC;EAExEG,cAAc,EAAGD,EAAE,IAAKZ,GAAG,CAAEW,CAAC,KAAM;IAAEN,UAAU,EAAE;MAAE,GAAGM,CAAC,CAACN,UAAU;MAAE,CAACO,EAAE,GAAG;IAAK;EAAE,CAAC,CAAC,CAAC;EAErFE,eAAe,EAAGF,EAAE,IAClBZ,GAAG,CAAEW,CAAC,IAAK;IACT;IACA,MAAM;MAAE,CAACC,EAAE,GAAGG,KAAK;MAAE,GAAGC;IAAK,CAAC,GAAGL,CAAC,CAACN,UAAU;IAC7C,OAAO;MAAEA,UAAU,EAAEW;IAAK,CAAC;EAC7B,CAAC,CAAC;EAEJC,0BAA0B,EAAEA,CAACC,KAAK,EAAEC,WAAW,KAC7CnB,GAAG,CAAEW,CAAC,KAAM;IACVR,OAAO,EAAEQ,CAAC,CAACR,OAAO,CAACiB,QAAQ,CAACF,KAAK,CAAC,GAAGP,CAAC,CAACR,OAAO,GAAG,CAAC,GAAGQ,CAAC,CAACR,OAAO,EAAEe,KAAK,CAAC;IACtEd,YAAY,EAAE;MAAE,GAAGO,CAAC,CAACP,YAAY;MAAE,CAACc,KAAK,GAAGC;IAAY;EAC1D,CAAC,CAAC,CAAC;EAELE,iBAAiB,EAAGH,KAAK,IACvBlB,GAAG,CAAEW,CAAC,IAAK;IACT,MAAMW,IAAI,GAAGX,CAAC,CAACP,YAAY,CAACc,KAAK,CAAC;IAClC,IAAI,CAACI,IAAI,EAAE,OAAOX,CAAC;IACnB,MAAMT,IAAI,GAAG;MAAE,GAAGS,CAAC,CAACT;IAAK,CAAC;IAC1B,OAAOA,IAAI,CAACgB,KAAK,CAAC;IAClBhB,IAAI,CAACoB,IAAI,CAACV,EAAE,CAAC,GAAGU,IAAI;IACpB;IACA,MAAM;MAAE,CAACJ,KAAK,GAAGH,KAAK;MAAE,GAAGQ;IAAS,CAAC,GAAGZ,CAAC,CAACP,YAAY;IACtD,OAAO;MACLF,IAAI;MACJE,YAAY,EAAEmB,QAAQ;MACtBpB,OAAO,EAAEQ,CAAC,CAACR,OAAO,CAACqB,MAAM,CAAEC,CAAC,IAAKA,CAAC,KAAKP,KAAK,CAAC;MAC7C;MACAZ,OAAO,EAAE;QAAE,GAAGK,CAAC,CAACL,OAAO;QAAE,CAACY,KAAK,GAAG;UAAEQ,MAAM,EAAE,WAAW;UAAEC,EAAE,EAAE,IAAIC,IAAI,CAAC,CAAC,CAACC,WAAW,CAAC;QAAE;MAAE;IAC1F,CAAC;EACH,CAAC,CAAC;EAEJC,YAAY,EAAGlB,EAAE,IACfZ,GAAG,CAAEW,CAAC,KAAM;IACVR,OAAO,EAAEQ,CAAC,CAACR,OAAO,CAACqB,MAAM,CAAEC,CAAC,IAAKA,CAAC,KAAKb,EAAE;EAC3C,CAAC,CAAC,CAAC;EAELmB,gBAAgB,EAAGnB,EAAE,IACnBZ,GAAG,CAAEW,CAAC,KAAM;IACVL,OAAO,EAAE;MAAE,GAAGK,CAAC,CAACL,OAAO;MAAE,CAACM,EAAE,GAAG;QAAEc,MAAM,EAAE,WAAW;QAAEC,EAAE,EAAE,IAAIC,IAAI,CAAC,CAAC,CAACC,WAAW,CAAC;MAAE;IAAE;EACvF,CAAC,CAAC,CAAC;EAELG,aAAa,EAAEA,CAACpB,EAAE,EAAEqB,KAAK,KACvBjC,GAAG,CAAEW,CAAC,KAAM;IACVL,OAAO,EAAE;MAAE,GAAGK,CAAC,CAACL,OAAO;MAAE,CAACM,EAAE,GAAG;QAAEc,MAAM,EAAE,QAAQ;QAAEC,EAAE,EAAE,IAAIC,IAAI,CAAC,CAAC,CAACC,WAAW,CAAC,CAAC;QAAEI;MAAM;IAAE;EAC3F,CAAC,CAAC,CAAC;EAELC,OAAO,EAAGtB,EAAE,IACVZ,GAAG,CAAEW,CAAC,IAAK;IACT;IACA,MAAM;MAAE,CAACC,EAAE,GAAGG,KAAK;MAAE,GAAGC;IAAK,CAAC,GAAGL,CAAC,CAACL,OAAO;IAC1C,OAAO;MAAEA,OAAO,EAAEU;IAAK,CAAC;EAC1B,CAAC,CAAC;EAEJmB,UAAU,EAAGvB,EAAE,IAAK;IAClB,MAAMD,CAAC,GAAGV,GAAG,CAAC,CAAC;IACf,IAAIU,CAAC,CAACN,UAAU,CAACO,EAAE,CAAC,EAAE,OAAO,IAAI,EAAC;IAClC,IAAID,CAAC,CAACR,OAAO,CAACiB,QAAQ,CAACR,EAAE,CAAC,EAAE,OAAO,IAAI,EAAC;IACxC,IAAID,CAAC,CAACL,OAAO,CAACM,EAAE,CAAC,EAAE,OAAO,IAAI,EAAC;IAC/B,OAAO,KAAK;EACd,CAAC;EAEDwB,YAAY,EAAGC,GAAG,IAAKrC,GAAG,CAAC;IAAEO,WAAW,EAAE8B;EAAI,CAAC,CAAC;EAEhDC,KAAK,EAAEA,CAAA,KACLtC,GAAG,CAAC;IACFE,IAAI,EAAE,CAAC,CAAC;IACRC,OAAO,EAAE,EAAE;IACXC,YAAY,EAAE,CAAC,CAAC;IAChBC,UAAU,EAAE,CAAC,CAAC;IACdC,OAAO,EAAE,CAAC,CAAC;IACXC,WAAW,EAAEC;EACf,CAAC;AACL,CAAC,CAAC,CAAC;;AAEH;AACA,OAAO,MAAM+B,YAAY,GAAGA,CAAA,KAAMxC,kBAAkB,CAACyC,QAAQ,CAAC,CAAC;AAC/D,OAAO,MAAMC,cAAc,GAAIC,OAAmC,IAChE3C,kBAAkB,CAAC4C,QAAQ,CAAEhC,CAAC,IAAK;EACjC+B,OAAO,CAAC/B,CAAC,CAAC;EACV,OAAOA,CAAC;AACV,CAAC,CAAC;AAEJ,OAAO,MAAMiC,0BAA0B,GAAIC,aAAqB,IAAyB;EACvF,MAAM;IAAEzC;EAAa,CAAC,GAAGL,kBAAkB,CAACyC,QAAQ,CAAC,CAAC;EACtD,KAAK,MAAM,CAACtB,KAAK,EAAEI,IAAI,CAAC,IAAIwB,MAAM,CAACC,OAAO,CAAC3C,YAAY,CAAC,EAAE;IACxD,IAAIkB,IAAI,CAACV,EAAE,KAAKiC,aAAa,EAAE,OAAO3B,KAAK;EAC7C;EACA,OAAOV,SAAS;AAClB,CAAC","ignoreList":[]}

package/lib/module/modules/openid/refresh/types.js ADDED Viewed

@@ -0,0 +1,11 @@
+export let RefreshStatus = /*#__PURE__*/function (RefreshStatus) {
+  RefreshStatus["Valid"] = "valid";
+  RefreshStatus["Invalid"] = "invalid";
+  RefreshStatus["Error"] = "error";
+  return RefreshStatus;
+}({});
+export let OpenIDCustomNotificationType = /*#__PURE__*/function (OpenIDCustomNotificationType) {
+  OpenIDCustomNotificationType["CredentialReplacementAvailable"] = "CustomNotificationOpenIDCredential";
+  return OpenIDCustomNotificationType;
+}({});
+//# sourceMappingURL=types.js.map

package/lib/module/modules/openid/refresh/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"names":["RefreshStatus","OpenIDCustomNotificationType"],"sourceRoot":"../../../../../src","sources":["modules/openid/refresh/types.ts"],"mappings":"AAmBA,WAAYA,aAAa,0BAAbA,aAAa;EAAbA,aAAa;EAAbA,aAAa;EAAbA,aAAa;EAAA,OAAbA,aAAa;AAAA;AAoDzB,WAAYC,4BAA4B,0BAA5BA,4BAA4B;EAA5BA,4BAA4B;EAAA,OAA5BA,4BAA4B;AAAA","ignoreList":[]}

package/lib/module/modules/openid/refresh/verifyCredentialStatus.js ADDED Viewed

@@ -0,0 +1,28 @@
+// modules/openid/refresh/verifyCredentialStatus.ts
+import { getListFromStatusListJWT, getStatusListFromJWT } from '@sd-jwt/jwt-status-list';
+/**
+ * Verifies credential status for Sd-JWT credentials using status lists.
+ * Non–Sd-JWT credentials (W3C jwt_vc_json without status list, or mdoc) are treated as valid here.
+ * Returns true if valid; false if revoked/invalid or on error.
+ */
+export async function verifyCredentialStatus(rec, logger) {
+  try {
+    // Only Sd-JWT creds have compactSdJwtVc in this codebase
+    if (!('compactSdJwtVc' in rec)) return true;
+    logger === null || logger === void 0 || logger.info(`[Verifier] Verifying credential status for Sd-JWT credential: ${rec.id}`);
+    const ref = getStatusListFromJWT(rec.compactSdJwtVc);
+    const res = await fetch(ref.uri);
+    if (!res.ok) throw new Error(`HTTP ${res.status}`);
+    const jwt = await res.text();
+    const list = getListFromStatusListJWT(jwt);
+    const ok = list.getStatus(ref.idx) === 0;
+    logger === null || logger === void 0 || logger.info(`${ok ? '✅' : '❌'} [Verifier] ${rec.id} → ${ok ? 'valid' : 'revoked'}`);
+    return ok;
+  } catch (e) {
+    var _logger$error;
+    logger === null || logger === void 0 || (_logger$error = logger.error) === null || _logger$error === void 0 || _logger$error.call(logger, `💥 [Verifier] ${'id' in rec ? rec.id : 'unknown'} verify failed: ${String(e)}`);
+    return false;
+  }
+}
+//# sourceMappingURL=verifyCredentialStatus.js.map

package/lib/module/modules/openid/refresh/verifyCredentialStatus.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["getListFromStatusListJWT","getStatusListFromJWT","verifyCredentialStatus","rec","logger","info","id","ref","compactSdJwtVc","res","fetch","uri","ok","Error","status","jwt","text","list","getStatus","idx","e","_logger$error","error","call","String"],"sourceRoot":"../../../../../src","sources":["modules/openid/refresh/verifyCredentialStatus.ts"],"mappings":"AAAA;;AAEA,SAASA,wBAAwB,EAAEC,oBAAoB,QAAQ,yBAAyB;AAKxF;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeC,sBAAsBA,CAACC,GAAY,EAAEC,MAAqB,EAAoB;EAClG,IAAI;IACF;IACA,IAAI,EAAE,gBAAgB,IAAID,GAAG,CAAC,EAAE,OAAO,IAAI;IAE3CC,MAAM,aAANA,MAAM,eAANA,MAAM,CAAEC,IAAI,CAAC,iEAAiEF,GAAG,CAACG,EAAE,EAAE,CAAC;IAEvF,MAAMC,GAAG,GAAGN,oBAAoB,CAACE,GAAG,CAACK,cAAc,CAAC;IACpD,MAAMC,GAAG,GAAG,MAAMC,KAAK,CAACH,GAAG,CAACI,GAAG,CAAC;IAChC,IAAI,CAACF,GAAG,CAACG,EAAE,EAAE,MAAM,IAAIC,KAAK,CAAC,QAAQJ,GAAG,CAACK,MAAM,EAAE,CAAC;IAClD,MAAMC,GAAG,GAAG,MAAMN,GAAG,CAACO,IAAI,CAAC,CAAC;IAE5B,MAAMC,IAAI,GAAGjB,wBAAwB,CAACe,GAAG,CAAC;IAC1C,MAAMH,EAAE,GAAGK,IAAI,CAACC,SAAS,CAACX,GAAG,CAACY,GAAG,CAAC,KAAK,CAAC;IAExCf,MAAM,aAANA,MAAM,eAANA,MAAM,CAAEC,IAAI,CAAC,GAAGO,EAAE,GAAG,GAAG,GAAG,GAAG,eAAeT,GAAG,CAACG,EAAE,MAAMM,EAAE,GAAG,OAAO,GAAG,SAAS,EAAE,CAAC;IACpF,OAAOA,EAAE;EACX,CAAC,CAAC,OAAOQ,CAAC,EAAE;IAAA,IAAAC,aAAA;IACVjB,MAAM,aAANA,MAAM,gBAAAiB,aAAA,GAANjB,MAAM,CAAEkB,KAAK,cAAAD,aAAA,eAAbA,aAAA,CAAAE,IAAA,CAAAnB,MAAM,EAAU,iBAAiB,IAAI,IAAID,GAAG,GAAGA,GAAG,CAACG,EAAE,GAAG,SAAS,mBAAmBkB,MAAM,CAACJ,CAAC,CAAC,EAAE,CAAC;IAChG,OAAO,KAAK;EACd;AACF","ignoreList":[]}

package/lib/module/modules/openid/screens/OpenIDCredentialOffer.js CHANGED Viewed

@@ -7,6 +7,7 @@ import CommonRemoveModal from '../../../components/modals/CommonRemoveModal';
 import Record from '../../../components/record/Record';
 import { EventTypes } from '../../../constants';
 import { useTheme } from '../../../contexts/theme';
+import { TOKENS, useServices } from '../../../container-api';
 import ScreenLayout from '../../../layout/ScreenLayout';
 import CredentialOfferAccept from '../../../screens/CredentialOfferAccept';
 import { BifoldError } from '../../../types/error';
@@ -16,6 +17,10 @@ import { testIdWithKey } from '../../../utils/testable';
 import OpenIDCredentialCard from '../components/OpenIDCredentialCard';
 import { useOpenIDCredentials } from '../context/OpenIDCredentialRecordProvider';
 import { getCredentialForDisplay } from '../display';
+import { NotificationEventType, useOpenId4VciNotifications } from '../notification';
+import { temporaryMetaVanillaObject } from '../metadata';
+import { useAcceptReplacement } from '../hooks/useAcceptReplacement';
+import { useDeclineReplacement } from '../hooks/useDeclineReplacement';
 const OpenIDCredentialOffer = ({
   navigation,
   route
@@ -24,6 +29,7 @@ const OpenIDCredentialOffer = ({
   const {
     credential
   } = route.params;
+  const [logger] = useServices([TOKENS.UTIL_LOGGER]);
   const credentialDisplay = getCredentialForDisplay(credential);
   const {
     display
@@ -41,12 +47,22 @@ const OpenIDCredentialOffer = ({
     agent
   } = useAgent();
   const {
-    storeCredential,
     resolveBundleForCredential
   } = useOpenIDCredentials();
+  const {
+    sendOpenId4VciNotification
+  } = useOpenId4VciNotifications();
   const [isRemoveModalDisplayed, setIsRemoveModalDisplayed] = useState(false);
   const [buttonsVisible, setButtonsVisible] = useState(true);
   const [acceptModalVisible, setAcceptModalVisible] = useState(false);
+  const {
+    acceptNewCredential
+  } = useAcceptReplacement();
+  const {
+    declineByNewId
+  } = useDeclineReplacement({
+    logger: logger
+  });
   const [overlay, setOverlay] = useState({
     bundle: undefined,
     presentationFields: [],
@@ -80,17 +96,38 @@ const OpenIDCredentialOffer = ({
   const toggleDeclineModalVisible = () => setIsRemoveModalDisplayed(!isRemoveModalDisplayed);
   const handleDeclineTouched = async () => {
     var _navigation$getParent;
+    await handleSendNotification(NotificationEventType.CREDENTIAL_DELETED);
+    await declineByNewId(credential.id);
     toggleDeclineModalVisible();
     (_navigation$getParent = navigation.getParent()) === null || _navigation$getParent === void 0 || _navigation$getParent.navigate(TabStacks.HomeStack, {
       screen: Screens.Home
     });
   };
+  const handleSendNotification = async notificationEventType => {
+    try {
+      var _temporaryMetaVanilla, _temporaryMetaVanilla2, _temporaryMetaVanilla3;
+      if ((_temporaryMetaVanilla = temporaryMetaVanillaObject.notificationMetadata) !== null && _temporaryMetaVanilla !== void 0 && _temporaryMetaVanilla.notificationId && (_temporaryMetaVanilla2 = temporaryMetaVanillaObject.notificationMetadata) !== null && _temporaryMetaVanilla2 !== void 0 && _temporaryMetaVanilla2.notificationEndpoint && (_temporaryMetaVanilla3 = temporaryMetaVanillaObject.tokenResponse) !== null && _temporaryMetaVanilla3 !== void 0 && _temporaryMetaVanilla3.accessToken) {
+        var _temporaryMetaVanilla4, _temporaryMetaVanilla5, _temporaryMetaVanilla6;
+        await sendOpenId4VciNotification({
+          accessToken: (_temporaryMetaVanilla4 = temporaryMetaVanillaObject.tokenResponse) === null || _temporaryMetaVanilla4 === void 0 ? void 0 : _temporaryMetaVanilla4.accessToken,
+          notificationEvent: notificationEventType,
+          notificationMetadata: {
+            notificationId: temporaryMetaVanillaObject === null || temporaryMetaVanillaObject === void 0 || (_temporaryMetaVanilla5 = temporaryMetaVanillaObject.notificationMetadata) === null || _temporaryMetaVanilla5 === void 0 ? void 0 : _temporaryMetaVanilla5.notificationId,
+            notificationEndpoint: temporaryMetaVanillaObject === null || temporaryMetaVanillaObject === void 0 || (_temporaryMetaVanilla6 = temporaryMetaVanillaObject.notificationMetadata) === null || _temporaryMetaVanilla6 === void 0 ? void 0 : _temporaryMetaVanilla6.notificationEndpoint
+          }
+        });
+      }
+    } catch (err) {
+      logger.error('[Credential Offer] error sending notification');
+    }
+  };
   const handleAcceptTouched = async () => {
     if (!agent) {
       return;
     }
     try {
-      await storeCredential(credential);
+      await acceptNewCredential(credential);
+      await handleSendNotification(NotificationEventType.CREDENTIAL_ACCEPTED);
       setAcceptModalVisible(true);
     } catch (err) {
       setButtonsVisible(true);