@connectid-tools/rp-nodejs-sdk 4.2.1 → 5.0.0

package/src/tests/relying-party-client-sdk.test.js

@@ -0,0 +1,313 @@
+import RelyingPartyClientSdk from '../relying-party-client-sdk.js';
+import { config } from '../config.js';
+import { parse } from 'url';
+import { participantsTestData } from '../test-data/participants-test-data.js';
+import { sandboxParticipantsTestData } from '../test-data/sandbox-participants-test-data.js';
+import { largeParticipantsTestData } from '../test-data/large-participants-test-data.js';
+import { describe, it, mock } from 'node:test';
+import assert from 'node:assert';
+describe('getParticipants', () => {
+    it('should return participants', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        // Mock the endpoint's fetchParticipants method instead
+        const participantsEndpoint = rpClient.participantsEndpoint;
+        const mockedFetch = mock.method(participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const idps = await rpClient.getParticipants();
+        idps.forEach((idp) => assert.ok(idp.OrganisationId));
+        assert.equal(mockedFetch.mock.calls.length, 1);
+    });
+    it('should throw error when url points to wrong place', async () => {
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.registry_participants_uri = 'http://www.thisurldoesnotexist123456790.test';
+        const wrongRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        await assert.rejects(async () => wrongRpClient.getParticipants());
+    });
+    it('should return only active participants except Fallback providers when include_uncertified_participants is set', async () => {
+        const participantsTestData = getParticipantsTestData();
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.include_uncertified_participants = true;
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        mock.method(filteringRpClient.participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const participants = await filteringRpClient.getParticipants();
+        assert.deepEqual(participants[0], participantsTestData[0]);
+        assert.deepEqual(participants[1], participantsTestData[1]);
+        assert.equal(participants.length, 2);
+    });
+    it('should return only active participants who support the requested claims', async () => {
+        const participantsData = getParticipantsTestData();
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.required_claims = ['given_name'];
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        mock.method(filteringRpClient.participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const participants = await filteringRpClient.getParticipants();
+        assert.equal(participants.length, 1);
+        assert.deepEqual(participants[0].AuthorisationServers[0].AuthorisationServerId, participantsData[0].AuthorisationServers[0].AuthorisationServerId);
+    });
+    it('should return no participants if none support the required claims', async () => {
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.required_claims = ['nonexistentclaim'];
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        mock.method(filteringRpClient.participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const participants = await filteringRpClient.getParticipants();
+        assert.ok(participants.length === 0);
+    });
+    it('should return only active participants who have the TDIF certification', async () => {
+        const participantsData = getSandboxParticipantsTestData();
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.required_participant_certifications = [{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider' }];
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        mock.method(filteringRpClient.participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const participants = await filteringRpClient.getParticipants();
+        assert.equal(participants[0].AuthorisationServers[0].AuthorisationServerId, participantsData[7].AuthorisationServers[1].AuthorisationServerId);
+        assert.equal(participants[0].AuthorisationServers[1].AuthorisationServerId, participantsData[7].AuthorisationServers[2].AuthorisationServerId);
+        assert.ok(participants.length === 1);
+        assert.ok(participants[0].AuthorisationServers.length === 2);
+    });
+    it('should return no participants if no-one has the required certification', async () => {
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.required_participant_certifications = [{ profileType: 'Nonexistent Accreditation', profileVariant: 'Identity Provider' }];
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        mock.method(filteringRpClient.participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const participants = await filteringRpClient.getParticipants();
+        assert.ok(participants.length === 0);
+    });
+    it('should run really fast', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getLargeParticipantsTestData());
+        const startTime = new Date().getTime();
+        const numCalls = 1000;
+        let numParticipants = 0;
+        for (let i = 0; i < numCalls; i++) {
+            const participants = await rpClient.getParticipants();
+            numParticipants += participants.length;
+        }
+        const endTime = new Date().getTime();
+        const timeDiff = endTime - startTime;
+        const timePerCall = timeDiff / numCalls;
+        const timePerCallThreshold = 20; // ms, Arbitrary threshold based on performance when filters mutate (if non mutating filters are used, this increases by order of magnitude)
+        console.log(`Time taken for ${numCalls} calls:  ${timeDiff} ms, per call: ${timePerCall} ms, numParticipants: ${numParticipants}`);
+        assert.ok(timePerCall < timePerCallThreshold);
+    });
+    it('should return only active participants and certifications (except Fallback providers) when using default settings', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const participants = await rpClient.getParticipants();
+        const firstParticipant = participants[0];
+        assert.equal(firstParticipant.OrganisationId, participantsTestData[0].OrganisationId);
+        assert.ok(participants[0].AuthorisationServers.length === 2);
+        assert.ok(participants[0].AuthorisationServers[0].AuthorisationServerCertifications.length === 2);
+        assert.ok(participants[0].AuthorisationServers[1].AuthorisationServerCertifications.length === 2);
+        assert.ok(participants.length === 1);
+    });
+    it('should return an empty participants array when no auth servers have the required claims', async () => {
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.required_claims = ['bogus_claim'];
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        mock.method(filteringRpClient.participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const participants = await filteringRpClient.getParticipants();
+        assert.ok(participants.length === 0);
+    });
+});
+describe('getFallbackProviderParticipants', () => {
+    it('should return just the participants with a certified Fallback Providers auth server', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const participants = await rpClient.getFallbackProviderParticipants();
+        assert.ok(participants.length === 1);
+        assert.deepEqual(participants[0], getParticipantsTestData()[2]);
+    });
+});
+describe('getAuthServerDetails', () => {
+    it('should find Mock Bank 3 authorisation server details', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        const participantsEndpoint = rpClient.participantsEndpoint;
+        mock.method(participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const bank3AuthServerId = 'ce868ca5-0b99-47e6-b8cd-e26aac082448';
+        const { AuthorisationServerId, CustomerFriendlyDescription, } = await participantsEndpoint.getAuthServerDetails(bank3AuthServerId);
+        assert.equal(AuthorisationServerId, bank3AuthServerId);
+        assert.equal(CustomerFriendlyDescription, 'Bank N');
+    });
+    it('should throw error when cannot find authorisation server details because it does not exist', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        const participantsEndpoint = rpClient.participantsEndpoint;
+        await assert.rejects(async () => participantsEndpoint.getAuthServerDetails('foo'), { message: 'Unable to find specified Authorisation Server: foo' });
+    });
+    it('should not find uncertified auth servers when include_uncertified_participants is not set', async () => {
+        const uncertifiedAuthServerId = '6a3b1012-d5c8-4e08-b280-313051d24004';
+        const newConfig = JSON.parse(JSON.stringify(config));
+        delete newConfig.data.include_uncertified_participants;
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        const participantsEndpoint = filteringRpClient.participantsEndpoint;
+        mock.method(participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        await assert.rejects(async () => participantsEndpoint.getAuthServerDetails(uncertifiedAuthServerId));
+    });
+    it('should not find uncertified auth servers when include_uncertified_participants is false', async () => {
+        const uncertifiedAuthServerId = '6a3b1012-d5c8-4e08-b280-313051d24004';
+        const newConfig = JSON.parse(JSON.stringify(config));
+        newConfig.data.include_uncertified_participants = false;
+        const filteringRpClient = withMockedDate(new RelyingPartyClientSdk(newConfig));
+        const participantsEndpoint = filteringRpClient.participantsEndpoint;
+        mock.method(participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        await assert.rejects(async () => participantsEndpoint.getAuthServerDetails(uncertifiedAuthServerId));
+    });
+    it('should tell the caller when the requested server was not returned because it has been filtered out based on server certification status', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        const participantsEndpoint = rpClient.participantsEndpoint;
+        mock.method(participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const uncertifiedAuthServerId = '6a3b1012-d5c8-4e08-b280-313051d24004';
+        await assert.rejects(async () => participantsEndpoint.getAuthServerDetails(uncertifiedAuthServerId));
+    });
+    it('should find uncertified auth servers if include_uncertified_participants is true', async () => {
+        const responseConfig = JSON.parse(JSON.stringify(config));
+        responseConfig.data.include_uncertified_participants = true;
+        const rpClient = new RelyingPartyClientSdk(responseConfig);
+        const participantsEndpoint = rpClient.participantsEndpoint;
+        mock.method(participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const uncertifiedAuthServerId = '6a3b1012-d5c8-4e08-b280-313051d24004';
+        const { AuthorisationServerId, CustomerFriendlyDescription, } = await participantsEndpoint.getAuthServerDetails(uncertifiedAuthServerId);
+        assert.equal(AuthorisationServerId, uncertifiedAuthServerId);
+        assert.equal(CustomerFriendlyDescription, 'Do not use - Paul\'s Test Bank');
+    });
+    it('should find the fallback auth server', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        const participantsEndpoint = rpClient.participantsEndpoint;
+        mock.method(participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const fallbackAuthServerId = '69653ee1-ad97-496e-8885-a9e5a5ecc2b9';
+        const { AuthorisationServerId, CustomerFriendlyDescription, } = await participantsEndpoint.getAuthServerDetails(fallbackAuthServerId);
+        assert.equal(AuthorisationServerId, fallbackAuthServerId);
+        assert.equal(CustomerFriendlyDescription, 'KC Test 3');
+    });
+});
+describe('sendPushedAuthorisationRequest', () => {
+    const essentialClaims = ['given_name', 'middle_name', 'family_name', 'phone_number', 'email', 'address', 'birthdate'];
+    it('should send a pushed authorisation request to Bank 3', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const bank3AuthServerId = 'ce868ca5-0b99-47e6-b8cd-e26aac082448';
+        const essentialClaimsWithCbaLoyalty = [...essentialClaims, 'cba_loyalty'];
+        const { authUrl, codeVerifier, state, nonce, xFapiInteractionId, } = await rpClient.sendPushedAuthorisationRequest(bank3AuthServerId, essentialClaimsWithCbaLoyalty);
+        // Only the 'client_id' and 'request_uri' can be sent to the authorization endpoint.
+        // This verifies https://openid.net/specs/fapi-2_0-security-profile.html#name-authorization-code-flow-2
+        // which [will be|is] triggered through this change: https://bitbucket.org/openid/fapi/pull-requests/407
+        const url = new URL(authUrl);
+        const searchParams = new URLSearchParams(url.search);
+        const rfc9126Params = ['client_id', 'request_uri'];
+        assert.deepEqual(Array.from(searchParams.keys()), rfc9126Params);
+        assert.ok(codeVerifier.length > 0);
+        assert.ok(state.length > 0);
+        assert.ok(nonce.length > 0);
+        assert.ok(xFapiInteractionId.length > 0);
+    });
+    it('should fail to send a pushed authorisation to a server that is not certified', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getParticipantsTestData());
+        const uncertifiedAuthServerId = '6a3b1012-d5c8-4e08-b280-313051d24004';
+        // await expect(rpClient.sendPushedAuthorisationRequest(uncertifiedAuthServerId, ['name'], [])).rejects.toThrow('Unable to find specified Authorisation Server: 6a3b1012-d5c8-4e08-b280-313051d24004')
+        await assert.rejects(async () => rpClient.sendPushedAuthorisationRequest(uncertifiedAuthServerId, ['name'], []));
+    });
+    it('should fail to send a pushed authorisation request with an invalid purpose', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        const bank3AuthServerId = 'ce868ca5-0b99-47e6-b8cd-e26aac082448';
+        // await expect(rpClient.sendPushedAuthorisationRequest(bank3AuthServerId, ['name'], [], 'aa')).rejects.toThrow('Invalid purpose for supplied for PAR: aa')
+        await assert.rejects(async () => rpClient.sendPushedAuthorisationRequest(bank3AuthServerId, ['name'], [], 'aa'));
+    });
+    it('should not return a redirect_uri in the authUrl if only one is present', async () => {
+        const redirectConfig = JSON.parse(JSON.stringify(config));
+        redirectConfig.data.redirect_uris = ['https://tpp.localhost/cb'];
+        const rpClient = new RelyingPartyClientSdk(redirectConfig);
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const bank3AuthServerId = 'ce868ca5-0b99-47e6-b8cd-e26aac082448';
+        const { authUrl } = await rpClient.sendPushedAuthorisationRequest(bank3AuthServerId, essentialClaims);
+        // Only the 'client_id' and 'request_uri' can be sent to the authorization endpoint.
+        // This verifies https://openid.net/specs/fapi-2_0-security-profile.html#name-authorization-code-flow-2
+        // which [will be|is] triggered through this change: https://bitbucket.org/openid/fapi/pull-requests/407
+        const url = new URL(authUrl);
+        const searchParams = new URLSearchParams(url.search);
+        const rfc9126Params = ['client_id', 'request_uri'];
+        assert.deepEqual(Array.from(searchParams.keys()), rfc9126Params);
+    });
+    it('should not return a response_type in the authUrl if only one is present', async () => {
+        const responseConfig = JSON.parse(JSON.stringify(config));
+        responseConfig.data.response_types = ['code id_token'];
+        const rpClient = new RelyingPartyClientSdk(responseConfig);
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const bank3AuthServerId = 'ce868ca5-0b99-47e6-b8cd-e26aac082448';
+        const { authUrl } = await rpClient.sendPushedAuthorisationRequest(bank3AuthServerId, essentialClaims);
+        // Only the 'client_id' and 'request_uri' can be sent to the authorization endpoint.
+        // This verifies https://openid.net/specs/fapi-2_0-security-profile.html#name-authorization-code-flow-2
+        // which [will be|is] triggered through this change: https://bitbucket.org/openid/fapi/pull-requests/407
+        const url = new URL(authUrl);
+        const searchParams = new URLSearchParams(url.search);
+        const rfc9126Params = ['client_id', 'request_uri'];
+        assert.deepEqual(Array.from(searchParams.keys()), rfc9126Params);
+    });
+    it('should throw an error when sending a pushed authorisation request to nonexistent auth server', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        await assert.rejects(async () => rpClient.sendPushedAuthorisationRequest('foo', essentialClaims));
+    });
+});
+describe('retrieveTokens', () => {
+    it('should throw an error when sending an invalid auth code to Bank 4', async () => {
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config));
+        mock.method(rpClient.participantsEndpoint, 'fetchParticipants', async () => getSandboxParticipantsTestData());
+        const authorisationServerId = 'efc44d17-d137-4d41-8601-80f632c1b109';
+        const callbackQuery = parse('?code=DdW810nrra6opXT2RNScp8IWqs-5J-Xhp0ASjxqi22O&state=e4362a1e5f8e131904e9f1fa68efa29b0347e9fb24d239fc4206aa9d0f72afa0&iss=https%3A%2F%2Fauth.bank4.directory.sandbox.connectid.com.au', true).query;
+        const codeVerifier = 'f32AYjAtjVvNmzCrr0mqJq2oSM4q3eq9W2STNhgkmu0';
+        const state = 'e4362a1e5f8e131904e9f1fa68efa29b0347e9fb24d239fc4206aa9d0f72afa0';
+        const nonce = 'aca08ef3106a1a027e723dedc6ccc22a3a58332af93485a3fcf2969c84a3e931';
+        await assert.rejects(async () => rpClient.retrieveTokens(authorisationServerId, callbackQuery, codeVerifier, state, nonce));
+    });
+    it.skip('should build a consolidated tokenset - NEEDS UPDATE for new TokenSet implementation', () => {
+        // TODO: Update this test to use the new TokenSet and ConsolidatedTokenSet classes
+        /*
+        const tokenSet = new TokenSet({
+          scope: 'openid',
+          expires_in: 3600,
+          token_type: 'bearer',
+          id_token:
+            'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjE2NTk2MzM4NTEyNzEtZmYyMDFhZWNkZSJ9.eyJzdWIiOiIwYWI5NTBkNjhjNDcwNTliMTZiMTkwNjY5OTFiZTI4ZGQ2NGU3YmY2Y2Q4N2NiOGJkMjYwMGUzZWQwMTNjMjc0IiwidmVyaWZpZWRfY2xhaW1zIjp7InZlcmlmaWNhdGlvbiI6eyJ0cnVzdF9mcmFtZXdvcmsiOiJhdV9jb25uZWN0aWQifSwiY2xhaW1zIjp7Im92ZXIxOCI6dHJ1ZSwiYmVuZWZpY2lhcnlfYWNjb3VudF9hdSI6eyJiZW5lZmljaWFyeV9uYW1lIjoiSm9obiBTbWl0aCIsImFjY291bnRfYnNiIjoiMTAwLTIwMCIsImFjY291bnRfbnVtYmVyIjoiMTIzNDU2NzgifX19LCJuYW1lIjoiVGl0bGUgR2l2ZW4gRmFtaWx5IiwiZ2l2ZW5fbmFtZSI6IkdpdmVuIiwibWlkZGxlX25hbWUiOiJNaWRkbGUiLCJmYW1pbHlfbmFtZSI6IkZhbWlseSIsInBob25lX251bWJlciI6Iis2MTQ4MDA4OTE2MSIsImVtYWlsIjoiZG9iYXBvMjA2NkB0ZXJrb2VyLmNvbSIsImFkZHJlc3MiOnsiY291bnRyeSI6IkF1c3RyYWxpYSIsImxvY2FsaXR5IjoiQ2l0eSIsInBvc3RhbF9jb2RlIjoiMTAwMCIsInJlZ2lvbiI6IlJlZ2lvbiIsInN0cmVldF9hZGRyZXNzIjoiU3RyZWV0IEFkZHJlc3MifSwiYmlydGhkYXRlIjoiMjAwMC0wMS0wMSIsInR4biI6Im8yVm5XMTkxUVFIdGVtWkZ4ajBqUHJnMmtlNGRtZVFnMXJsNm1kR3dVMnIiLCJhdXRoX3RpbWUiOjE2NzgzMzcyMjQsIm5vbmNlIjoiMTNmZjRkODU4ZGZjNjY0ODFhMzI4OTJlYzAxYTk2ZWUyZTAxYWVjYTllZDMwM2NkZWY1YzliNzRlZWE3ZGE5NiIsImF0X2hhc2giOiJ6MUhyMGUtbi1sV1U2TVJVU0lVaWxBIiwiYXVkIjoiMDkwZDQxYzYtZmMyNy00YjFlLTkxZTktMGZlY2ZjMjQwNjAxIiwiZXhwIjoxNjc4MzM3ODkxLCJpYXQiOjE2NzgzMzcyOTEsImlzcyI6Imh0dHBzOi8vYXV0aC5iYW5rMi5kaXJlY3Rvcnkuc2FuZGJveC5jb25uZWN0aWQuY29tLmF1In0.ECQ-DF-caZJymZJSiJQ19VY7PqSYYXm-FN20qV2_0w0',
+        })
+    
+        const rpClient = withMockedDate(new RelyingPartyClientSdk(config))
+    
+        // Example Referencing
+        const {
+          over18,
+          beneficiary_account_au,
+          birthdate,
+          txn,
+        } = rpClient["buildConsolidatedTokenSet"](tokenSet, '0ad8cca6-3363-4cd4-b452-527dc490b041').consolidatedClaims()
+    
+        assert.equal(over18, true)
+        assert.deepEqual(beneficiary_account_au, {
+          beneficiary_name: 'John Smith',
+          account_bsb: '100-200',
+          account_number: '12345678',
+        })
+        assert.equal(birthdate, '2000-01-01')
+        assert.equal(txn, 'o2VnW191QQHtemZFxj0jPrg2ke4dmeQg1rl6mdGwU2r')
+        */
+    });
+});
+describe('configureDefaultPurpose', () => {
+    it('should fail to initialise SDK with an invalid purpose in config', () => {
+        const invalidConfig = JSON.parse(JSON.stringify(config));
+        invalidConfig.data.purpose = 'aa';
+        assert.throws(() => {
+            new RelyingPartyClientSdk(invalidConfig);
+        });
+    });
+});
+function getParticipantsTestData() {
+    return JSON.parse(JSON.stringify(participantsTestData));
+}
+function getSandboxParticipantsTestData() {
+    return JSON.parse(JSON.stringify(sandboxParticipantsTestData));
+}
+function getLargeParticipantsTestData() {
+    return JSON.parse(JSON.stringify(largeParticipantsTestData));
+}
+function withMockedDate(client) {
+    mock.method(client, 'getCurrentDate', () => new Date('2023-06-25'));
+    return client;
+}

package/src/tests/request-utils.test.d.ts

@@ -0,0 +1 @@
+export {};

package/src/tests/request-utils.test.js

@@ -0,0 +1,16 @@
+import test, { describe } from 'node:test';
+import { generatePushAuthorisationRequestParams } from '../utils/request-utils.js';
+import assert from 'node:assert';
+describe('generatePushAuthorisationRequestParams', () => {
+    test('should generate request params', () => {
+        const { codeChallenge, codeVerifier, nonce, state } = generatePushAuthorisationRequestParams();
+        assert.ok(codeChallenge);
+        assert.ok(codeVerifier);
+        assert.ok(nonce);
+        assert.ok(state);
+    });
+    test('should generate nonce with 43 chars', () => {
+        const { nonce } = generatePushAuthorisationRequestParams();
+        assert.ok(nonce.length === 43);
+    });
+});

package/src/tests/system-information.test.d.ts

@@ -0,0 +1 @@
+export {};

package/src/tests/system-information.test.js

@@ -0,0 +1,16 @@
+import { getSystemInformation } from '../utils/system-information.js';
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+describe('getSystemInformation', () => {
+    const USERAGENT_REGEX = /^\((darwin|Macintosh|Windows|Linux|linux|Other); .+; node \d+(\.\d+)*\)$/;
+    it('should return a user agent string', () => {
+        const systemInfo = getSystemInformation();
+        assert.match(systemInfo, USERAGENT_REGEX);
+    });
+    it('should match real world regex', () => {
+        assert.match('(darwin; Apple Silicon Mac OS X 10.15.7; node 16.13.0)', USERAGENT_REGEX);
+    });
+    it('should match gh action regex', () => {
+        assert.match('(linux; x64 6.5.0-1025-azure; node 18.20.6)', USERAGENT_REGEX);
+    });
+});

package/src/tests/user-agent.test.d.ts

@@ -0,0 +1 @@
+export {};

package/src/tests/user-agent.test.js

@@ -0,0 +1,23 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { config } from '../config.js';
+import { buildUserAgent, packageJsonVersion } from '../utils/user-agent.js';
+import { version } from '../../package.json';
+describe('buildUserAgent', () => {
+    it('should build user agent', () => {
+        const userAgent = buildUserAgent(config.data.client_id);
+        const regex = /(.*?)\/(.*?)\s(\(.*?\))\s(\+.*)/;
+        const match = userAgent.match(regex);
+        assert.ok(match, 'UserAgent does not match the expected format');
+        const version = match[2];
+        const platform = match[3];
+        assert.strictEqual(userAgent.startsWith('cid-rp-nodejs-sdk'), true);
+        assert.match(version, /^(\d+)\.(\d+)\.(\d+)$/);
+        assert.match(platform, /\(.+; .+; .+\)/);
+        assert.strictEqual(userAgent.endsWith(config.data.client_id), true);
+    });
+    it('should match package json version and user agent version', () => {
+        const packageJsonVersionFromUserAgent = packageJsonVersion;
+        assert.equal(packageJsonVersionFromUserAgent, version);
+    });
+});

package/src/tests/validator.test.d.ts

@@ -0,0 +1 @@
+export {};

package/src/tests/validator.test.js

@@ -0,0 +1,38 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { validatePurpose, isValidCertificate } from '../validator.js';
+describe('validateCertificate', () => {
+    it('should return false if certificateFilePath and certificateContent are not provided', () => {
+        assert.strictEqual(isValidCertificate(undefined, undefined), false);
+    });
+    it('should return true if certificateFilePath is provided', () => {
+        assert.strictEqual(isValidCertificate('./certs/transport.key', undefined), true);
+    });
+    it('should return true if certificateContent is provided', () => {
+        assert.strictEqual(isValidCertificate(undefined, 'thisIsAfakeCertificate'), true);
+    });
+    it('should return true if certificateContent and certificateFilePath are provided', () => {
+        assert.strictEqual(isValidCertificate('./certs/transport.key', 'thisIsAfakeCertificate'), true);
+    });
+});
+describe('validatePurpose', () => {
+    it('should reject when purpose length < 3', () => {
+        assert.strictEqual(validatePurpose('aa'), 'INVALID_LENGTH');
+    });
+    it('should reject when purpose length > 300', () => {
+        assert.strictEqual(validatePurpose('a'.repeat(301)), 'INVALID_LENGTH');
+    });
+    const specialChars = ['<', '>', '(', ')', '{', '}', "'", '\\'];
+    specialChars.forEach((char) => {
+        it('should reject special character', () => {
+            const purpose = `valid string ${char} more stuff`;
+            assert.strictEqual(validatePurpose(purpose), 'INVALID_CHARACTERS');
+        });
+    });
+    it('should accept when purpose length = 3', () => {
+        assert.strictEqual(validatePurpose('aaa'), 'VALID');
+    });
+    it('should accept when purpose length = 300', () => {
+        assert.strictEqual(validatePurpose('a'.repeat(300)), 'VALID');
+    });
+});

package/{types.d.ts → src/types.d.ts}

@@ -1,4 +1,7 @@
-import { IdTokenClaims, TokenSet } from 'openid-client';
+import { IdTokenClaims } from './model/claims.js';
+export type { IdTokenClaims, AddressClaim, VerifiedClaims } from './model/claims.js';
+export type { CallbackParams } from './model/callback-params.js';
+export type { TokenResponse } from './model/token-response.js';
 export type RelyingPartyClientSdkConfig = {
     data: {
         ca_pem?: string;
@@ -20,35 +23,7 @@ export type RelyingPartyClientSdkConfig = {
         log_level: 'debug' | 'info';
         enable_auto_compliance_verification: boolean;
         purpose?: string;
-        cache_ttl?: number;
-        client: {
-            client_id: string;
-            organisation_id: string;
-            jwks_uri: string;
-            redirect_uris: string[];
-            organisation_name: string;
-            organisation_number: string;
-            software_description: string;
-            software_roles: string[];
-            application_type: 'web';
-            grant_types: ['client_credentials', 'authorization_code', 'implicit'];
-            id_token_signed_response_alg: 'PS256';
-            post_logout_redirect_uris: [];
-            require_auth_time: false;
-            response_types: ['code id_token', 'code'];
-            subject_type: 'public';
-            token_endpoint_auth_method: 'private_key_jwt';
-            token_endpoint_auth_signing_alg: 'PS256';
-            introspection_endpoint_auth_method: 'private_key_jwt';
-            revocation_endpoint_auth_method: 'private_key_jwt';
-            request_object_signing_alg: 'PS256';
-            require_signed_request_object: true;
-            require_pushed_authorization_requests: true;
-            authorization_signed_response_alg: 'PS256';
-            tls_client_certificate_bound_access_tokens: true;
-            backchannel_user_code_parameter: false;
-            scope: 'openid';
-        };
+        client_id: string;
     };
 };
 export type Participant = {
@@ -152,9 +127,63 @@ export type ClaimsRequest = {
         };
     };
 };
-export type ConsolidatedTokenSet = TokenSet & {
+/**
+ * Consolidated Token Set
+ *
+ * Represents a complete token response with additional helper methods.
+ * Combines token response data with parsed ID token claims.
+ */
+export interface ConsolidatedTokenSet {
+    /**
+     * The access token issued by the authorization server.
+     */
+    readonly access_token?: string;
+    /**
+     * The type of token issued (typically "Bearer").
+     */
+    readonly token_type?: string;
+    /**
+     * The lifetime in seconds of the access token.
+     */
+    readonly expires_in?: number;
+    /**
+     * The refresh token for obtaining new access tokens.
+     */
+    readonly refresh_token?: string;
+    /**
+     * The scope of the access token.
+     */
+    readonly scope?: string;
+    /**
+     * The ID token as a JWT string.
+     */
+    readonly id_token?: string;
+    /**
+     * The x-fapi-interaction-id from the token response.
+     */
+    readonly xFapiInteractionId: string;
+    /**
+     * Checks if the access token has expired.
+     *
+     * @returns true if the token is expired, false otherwise
+     */
+    expired(): boolean;
+    /**
+     * Returns the parsed ID token claims.
+     *
+     * @returns Parsed ID token claims
+     */
+    claims(): IdTokenClaims;
+    /**
+     * Returns consolidated claims with verified_claims merged into top level.
+     *
+     * This is useful for accessing extended claims directly without
+     * navigating the verified_claims structure.
+     *
+     * @returns Consolidated claims object
+     */
     consolidatedClaims(): IdTokenClaims;
-};
+}
 export type CertificationFilter = {
     profileVariant: string;
     profileType: string;

package/src/types.js

@@ -0,0 +1 @@
+export {};

package/{utils → src/utils}/request-utils.d.ts

@@ -1,2 +1,2 @@
-import { PushAuthorisationRequestParams } from '../types';
+import { PushAuthorisationRequestParams } from '../types.js';
 export declare const generatePushAuthorisationRequestParams: () => PushAuthorisationRequestParams;

package/src/utils/request-utils.js

@@ -0,0 +1,8 @@
+import { PkceHelper } from '../crypto/pkce-helper.js';
+export const generatePushAuthorisationRequestParams = () => {
+    const state = PkceHelper.generateState();
+    const nonce = PkceHelper.generateNonce();
+    const codeVerifier = PkceHelper.generateCodeVerifier();
+    const codeChallenge = PkceHelper.generateCodeChallenge(codeVerifier);
+    return { state, nonce, codeVerifier, codeChallenge };
+};

package/{utils → src/utils}/user-agent.d.ts

@@ -1,2 +1,2 @@
-export declare const packageJsonVersion = "4.2.1";
+export declare const packageJsonVersion = "5.0.0";
 export declare const buildUserAgent: (clientId: string) => string;

package/{utils → src/utils}/user-agent.js

@@ -1,4 +1,4 @@
 import { getSystemInformation } from './system-information.js';
 // important: Update this every time the package version changes
-export const packageJsonVersion = '4.2.1';
+export const packageJsonVersion = '5.0.0';
 export const buildUserAgent = (clientId) => `cid-rp-nodejs-sdk/${packageJsonVersion} ${getSystemInformation()} +${clientId}`;

package/relying-party-client-sdk.d.ts

@@ -1,37 +0,0 @@
-import { CallbackParamsType } from 'openid-client';
-import { AuthorisationServer, ConsolidatedTokenSet, Participant, RelyingPartyClientSdkConfig } from './types';
-export default class RelyingPartyClientSdk {
-    private readonly logger;
-    private config;
-    private readonly transportKey;
-    private readonly transportPem;
-    private readonly signingKey;
-    private readonly caPem;
-    private readonly purpose;
-    private participantFilters;
-    private readonly default_cache_ttl;
-    private cachedParticipantsExpiry;
-    private cachedParticipants;
-    constructor(config: RelyingPartyClientSdkConfig);
-    getParticipants(): Promise<Participant[]>;
-    getFallbackProviderParticipants(): Promise<Participant[]>;
-    getCurrentDate(): Date;
-    fetchParticipants(participantsUri: string): Promise<Participant[]>;
-    private retrieveFullParticipantsList;
-    sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims?: string[], purpose?: string): Promise<{
-        authUrl: string;
-        code_verifier: string;
-        state: string;
-        nonce: string;
-        xFapiInteractionId: `${string}-${string}-${string}-${string}-${string}`;
-    }>;
-    retrieveTokens(authorisationServerId: string, requestParams: CallbackParamsType, codeVerifier: string, state: string, nonce: string): Promise<ConsolidatedTokenSet>;
-    private buildConsolidatedTokenSet;
-    getAuthServerDetails(authServerId: string): Promise<AuthorisationServer>;
-    private generateClaimsRequest;
-    getUserInfo(authorisationServerId: string, accessToken: string): Promise<import("openid-client").UserinfoResponse<import("openid-client").UnknownObject, import("openid-client").UnknownObject>>;
-    private getKeyset;
-    private setupClient;
-    private generateRequest;
-    private generateXFapiInteractionId;
-}