@credo-ts/openid4vc 0.6.0-pr-2088-20241109180557 → 0.6.0-pr-2088-20241116121656
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts +24 -6
- package/build/openid4vc-holder/OpenId4VcHolderApi.js +11 -2
- package/build/openid4vc-holder/OpenId4VcHolderApi.js.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderService.js +19 -16
- package/build/openid4vc-holder/OpenId4VciHolderService.js.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts +16 -2
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.d.ts +16 -4
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.js +21 -10
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts +40 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.js +14 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts +48 -6
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js +31 -4
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +35 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js +54 -9
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +39 -7
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +14 -3
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +19 -3
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts +13 -3
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js +51 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js.map +1 -1
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js +27 -16
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +31 -13
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/credentialEndpoint.js +75 -24
- package/build/openid4vc-issuer/router/credentialEndpoint.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js +17 -7
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.d.ts +8 -6
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts +10 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.js +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.js.map +1 -1
- package/build/openid4vc-verifier/router/authorizationEndpoint.js +4 -1
- package/build/openid4vc-verifier/router/authorizationEndpoint.js.map +1 -1
- package/package.json +5 -5
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcIssuanceSessionRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.ts"],"names":[],"mappings":";;;;;;;;;;;;AAIA,
|
|
1
|
+
{"version":3,"file":"OpenId4VcIssuanceSessionRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.ts"],"names":[],"mappings":";;;;;;;;;;;;AAIA,yCAA4E;AAC5E,yDAAiE;AAEjE,oFAAgF;AA+GhF,MAAa,8BAA+B,SAAQ,iBAAqD;IA0GvG,YAAmB,KAA0C;;QAC3D,KAAK,EAAE,CAAA;QAzGO,SAAI,GAAG,8BAA8B,CAAC,IAAI,CAAA;QAoB1D;;WAEG;QACI,sBAAiB,GAAa,EAAE,CAAA;QAoFrC,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,EAAE,GAAG,MAAA,KAAK,CAAC,EAAE,mCAAI,YAAK,CAAC,IAAI,EAAE,CAAA;YAClC,IAAI,CAAC,SAAS,GAAG,MAAA,KAAK,CAAC,SAAS,mCAAI,IAAI,IAAI,EAAE,CAAA;YAC9C,IAAI,CAAC,KAAK,GAAG,MAAA,KAAK,CAAC,IAAI,mCAAI,EAAE,CAAA;YAE7B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;YAC9B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;YAC9B,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAA;YAC5B,IAAI,CAAC,iBAAiB,GAAG,KAAK,CAAC,iBAAiB,CAAA;YAChD,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;YACtB,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAA;YACxC,IAAI,CAAC,kBAAkB,GAAG,KAAK,CAAC,kBAAkB,CAAA;YAClD,IAAI,CAAC,sBAAsB,GAAG,KAAK,CAAC,sBAAsB,CAAA;YAC1D,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAA;YAC9C,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAA;YACxB,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAA;QACxC,CAAC;IACH,CAAC;IAEM,WAAW,CAAC,cAA+E;QAChG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,cAAc,GAAG,CAAC,cAAc,CAAC,CAAA;QACnC,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,iBAAU,CAClB,sDAAsD,IAAI,CAAC,KAAK,uBAAuB,cAAc,CAAC,IAAI,CACxG,IAAI,CACL,GAAG,CACL,CAAA;QACH,CAAC;IACH,CAAC;IAEM,OAAO;;QACZ,uCACK,IAAI,CAAC,KAAK,KACb,QAAQ,EAAE,IAAI,CAAC,QAAQ,EACvB,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,EAC3C,KAAK,EAAE,IAAI,CAAC,KAAK;YAEjB,gBAAgB;YAChB,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YAEzC,YAAY;YACZ,WAAW,EAAE,MAAA,IAAI,CAAC,aAAa,0CAAE,WAAW,EAC5C,iBAAiB,EAAE,MAAA,IAAI,CAAC,aAAa,0CAAE,IAAI,EAE3C,oBAAoB,EAAE,MAAA,IAAI,CAAC,aAAa,0CAAE,OAAO;YAEjD,+BAA+B;YAC/B,uBAAuB,EAAE,MAAA,IAAI,CAAC,YAAY,0CAAE,WAAW,IACxD;IACH,CAAC;;AAjKH,wEAkKC;AAjKwB,mCAAI,GAAG,gCAAgC,AAAnC,CAAmC;AAmBvD;IARN,IAAA,6BAAS,EAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QACvB,yFAAyF;QACzF,IAAI,KAAK,KAAK,kBAAkB,EAAE,CAAC;YACjC,OAAO,6DAA6B,CAAC,KAAK,CAAA;QAC5C,CAAC;QAED,OAAO,KAAK,CAAA;IACd,CAAC,CAAC;;6DAC0C;AAwDrC;IAtBN,IAAA,6BAAS,EAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;QAC7B,IAAI,IAAI,KAAK,sCAAkB,CAAC,cAAc,IAAI,IAAA,mBAAY,EAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;YACjH,uCACK,KAAK,KACR,aAAa,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAC7C;QACH,CAAC;QACD,IAAI,IAAI,KAAK,sCAAkB,CAAC,cAAc,IAAI,IAAA,mBAAY,EAAC,KAAK,CAAC,IAAI,KAAK,CAAC,aAAa,YAAY,IAAI,EAAE,CAAC;YAC7G,uCACK,KAAK,KACR,aAAa,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC,IACvD;QACH,CAAC;QACD,IAAI,IAAI,KAAK,sCAAkB,CAAC,cAAc,IAAI,IAAA,mBAAY,EAAC,KAAK,CAAC,IAAI,KAAK,CAAC,aAAa,YAAY,IAAI,EAAE,CAAC;YAC7G,uCACK,KAAK,KACR,aAAa,EAAE,KAAK,CAAC,aAAa,CAAC,WAAW,EAAE,IACjD;QACH,CAAC;QAED,OAAO,KAAK,CAAA;IACd,CAAC,CAAC;;qEAC0D"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import type { OpenId4VciAuthorizationServerConfig, OpenId4VciCredentialConfigurationsSupportedWithFormats, OpenId4VciCredentialIssuerMetadataDisplay } from '../../shared';
|
|
2
|
+
import type { OpenId4VciBatchCredentialIssuanceOptions } from '../OpenId4VcIssuerServiceOptions';
|
|
2
3
|
import type { JwaSignatureAlgorithm, RecordTags, TagsBase } from '@credo-ts/core';
|
|
3
4
|
import { BaseRecord } from '@credo-ts/core';
|
|
4
5
|
export type OpenId4VcIssuerRecordTags = RecordTags<OpenId4VcIssuerRecord>;
|
|
@@ -23,9 +24,13 @@ export type OpenId4VcIssuerRecordProps = {
|
|
|
23
24
|
display?: OpenId4VciCredentialIssuerMetadataDisplay[];
|
|
24
25
|
authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[];
|
|
25
26
|
credentialConfigurationsSupported: OpenId4VciCredentialConfigurationsSupportedWithFormats;
|
|
27
|
+
/**
|
|
28
|
+
* Indicate support for batch issuane of credentials
|
|
29
|
+
*/
|
|
30
|
+
batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions;
|
|
26
31
|
};
|
|
27
32
|
/**
|
|
28
|
-
* For OID4VC you need to
|
|
33
|
+
* For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. This is not the case for DIDComm where we can just have one /didcomm endpoint.
|
|
29
34
|
* So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints
|
|
30
35
|
* and metadata files
|
|
31
36
|
* */
|
|
@@ -34,11 +39,16 @@ export declare class OpenId4VcIssuerRecord extends BaseRecord<DefaultOpenId4VcIs
|
|
|
34
39
|
readonly type = "OpenId4VcIssuerRecord";
|
|
35
40
|
issuerId: string;
|
|
36
41
|
accessTokenPublicKeyFingerprint: string;
|
|
37
|
-
|
|
38
|
-
|
|
42
|
+
/**
|
|
43
|
+
* Only here for class transformation. If credentialsSupported is set we transform
|
|
44
|
+
* it to the new credentialConfigurationsSupported format
|
|
45
|
+
*/
|
|
46
|
+
private set credentialsSupported(value);
|
|
47
|
+
credentialConfigurationsSupported: OpenId4VciCredentialConfigurationsSupportedWithFormats;
|
|
39
48
|
display?: OpenId4VciCredentialIssuerMetadataDisplay[];
|
|
40
49
|
authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[];
|
|
41
50
|
dpopSigningAlgValuesSupported?: [JwaSignatureAlgorithm, ...JwaSignatureAlgorithm[]];
|
|
51
|
+
batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions;
|
|
42
52
|
constructor(props: OpenId4VcIssuerRecordProps);
|
|
43
53
|
getTags(): {
|
|
44
54
|
issuerId: string;
|
|
@@ -1,13 +1,46 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
+
};
|
|
8
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
+
};
|
|
11
|
+
var __rest = (this && this.__rest) || function (s, e) {
|
|
12
|
+
var t = {};
|
|
13
|
+
for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
|
|
14
|
+
t[p] = s[p];
|
|
15
|
+
if (s != null && typeof Object.getOwnPropertySymbols === "function")
|
|
16
|
+
for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
|
|
17
|
+
if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
|
|
18
|
+
t[p[i]] = s[p[i]];
|
|
19
|
+
}
|
|
20
|
+
return t;
|
|
21
|
+
};
|
|
2
22
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
23
|
exports.OpenId4VcIssuerRecord = void 0;
|
|
24
|
+
const oid4vci_1 = require("@animo-id/oid4vci");
|
|
4
25
|
const core_1 = require("@credo-ts/core");
|
|
26
|
+
const class_transformer_1 = require("class-transformer");
|
|
5
27
|
/**
|
|
6
|
-
* For OID4VC you need to
|
|
28
|
+
* For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. This is not the case for DIDComm where we can just have one /didcomm endpoint.
|
|
7
29
|
* So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints
|
|
8
30
|
* and metadata files
|
|
9
31
|
* */
|
|
10
32
|
class OpenId4VcIssuerRecord extends core_1.BaseRecord {
|
|
33
|
+
/**
|
|
34
|
+
* Only here for class transformation. If credentialsSupported is set we transform
|
|
35
|
+
* it to the new credentialConfigurationsSupported format
|
|
36
|
+
*/
|
|
37
|
+
set credentialsSupported(credentialsSupported) {
|
|
38
|
+
if (this.credentialConfigurationsSupported)
|
|
39
|
+
return;
|
|
40
|
+
this.credentialConfigurationsSupported =
|
|
41
|
+
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
42
|
+
(0, oid4vci_1.credentialsSupportedToCredentialConfigurationsSupported)(credentialsSupported);
|
|
43
|
+
}
|
|
11
44
|
constructor(props) {
|
|
12
45
|
var _a, _b, _c;
|
|
13
46
|
super();
|
|
@@ -22,6 +55,7 @@ class OpenId4VcIssuerRecord extends core_1.BaseRecord {
|
|
|
22
55
|
this.dpopSigningAlgValuesSupported = props.dpopSigningAlgValuesSupported;
|
|
23
56
|
this.display = props.display;
|
|
24
57
|
this.authorizationServerConfigs = props.authorizationServerConfigs;
|
|
58
|
+
this.batchCredentialIssuance = props.batchCredentialIssuance;
|
|
25
59
|
}
|
|
26
60
|
}
|
|
27
61
|
getTags() {
|
|
@@ -30,4 +64,20 @@ class OpenId4VcIssuerRecord extends core_1.BaseRecord {
|
|
|
30
64
|
}
|
|
31
65
|
exports.OpenId4VcIssuerRecord = OpenId4VcIssuerRecord;
|
|
32
66
|
OpenId4VcIssuerRecord.type = 'OpenId4VcIssuerRecord';
|
|
67
|
+
__decorate([
|
|
68
|
+
(0, class_transformer_1.Transform)(({ type, value }) => {
|
|
69
|
+
if (type === class_transformer_1.TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) {
|
|
70
|
+
return value.map((display) => {
|
|
71
|
+
var _a, _b;
|
|
72
|
+
if ((_a = display.logo) === null || _a === void 0 ? void 0 : _a.uri)
|
|
73
|
+
return display;
|
|
74
|
+
const _c = (_b = display.logo) !== null && _b !== void 0 ? _b : {}, { url } = _c, logoRest = __rest(_c, ["url"]);
|
|
75
|
+
return Object.assign(Object.assign({}, display), { logo: url
|
|
76
|
+
? Object.assign(Object.assign({}, logoRest), { uri: url }) : undefined });
|
|
77
|
+
});
|
|
78
|
+
}
|
|
79
|
+
return value;
|
|
80
|
+
}),
|
|
81
|
+
__metadata("design:type", Array)
|
|
82
|
+
], OpenId4VcIssuerRecord.prototype, "display", void 0);
|
|
33
83
|
//# sourceMappingURL=OpenId4VcIssuerRecord.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcIssuerRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"OpenId4VcIssuerRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAQA,+CAA2F;AAC3F,yCAAkD;AAClD,yDAAiE;AAuCjE;;;;KAIK;AACL,MAAa,qBAAsB,SAAQ,iBAA4C;IAOrF;;;OAGG;IACH,IAAY,oBAAoB,CAAC,oBAAoC;QACnE,IAAI,IAAI,CAAC,iCAAiC;YAAE,OAAM;QAElD,IAAI,CAAC,iCAAiC;YACpC,8DAA8D;YAC9D,IAAA,iEAAuD,EAAC,oBAA2B,CAAQ,CAAA;IAC/F,CAAC;IA8BD,YAAmB,KAAiC;;QAClD,KAAK,EAAE,CAAA;QA9CO,SAAI,GAAG,qBAAqB,CAAC,IAAI,CAAA;QAgD/C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,EAAE,GAAG,MAAA,KAAK,CAAC,EAAE,mCAAI,YAAK,CAAC,IAAI,EAAE,CAAA;YAClC,IAAI,CAAC,SAAS,GAAG,MAAA,KAAK,CAAC,SAAS,mCAAI,IAAI,IAAI,EAAE,CAAA;YAC9C,IAAI,CAAC,KAAK,GAAG,MAAA,KAAK,CAAC,IAAI,mCAAI,EAAE,CAAA;YAE7B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;YAC9B,IAAI,CAAC,+BAA+B,GAAG,KAAK,CAAC,+BAA+B,CAAA;YAC5E,IAAI,CAAC,iCAAiC,GAAG,KAAK,CAAC,iCAAiC,CAAA;YAChF,IAAI,CAAC,6BAA6B,GAAG,KAAK,CAAC,6BAA6B,CAAA;YACxE,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAA;YAC5B,IAAI,CAAC,0BAA0B,GAAG,KAAK,CAAC,0BAA0B,CAAA;YAClE,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC,uBAAuB,CAAA;QAC9D,CAAC;IACH,CAAC;IAEM,OAAO;QACZ,uCACK,IAAI,CAAC,KAAK,KACb,QAAQ,EAAE,IAAI,CAAC,QAAQ,IACxB;IACH,CAAC;;AAtEH,sDAuEC;AAtEwB,0BAAI,GAAG,uBAAuB,AAA1B,CAA0B;AAyC9C;IApBN,IAAA,6BAAS,EAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;QAC7B,IAAI,IAAI,KAAK,sCAAkB,CAAC,cAAc,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACvE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;;gBAC3B,IAAI,MAAA,OAAO,CAAC,IAAI,0CAAE,GAAG;oBAAE,OAAO,OAAO,CAAA;gBAErC,MAAM,KAAuB,MAAA,OAAO,CAAC,IAAI,mCAAI,EAAE,EAAzC,EAAE,GAAG,OAAoC,EAA/B,QAAQ,cAAlB,OAAoB,CAAqB,CAAA;gBAC/C,uCACK,OAAO,KACV,IAAI,EAAE,GAAG;wBACP,CAAC,iCACM,QAAQ,KACX,GAAG,EAAE,GAAG,IAEZ,CAAC,CAAC,SAAS,IACd;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,KAAK,CAAA;IACd,CAAC,CAAC;;sDAC0D"}
|
|
@@ -3,7 +3,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.configureAccessTokenEndpoint = configureAccessTokenEndpoint;
|
|
4
4
|
exports.handleTokenRequest = handleTokenRequest;
|
|
5
5
|
const oauth2_1 = require("@animo-id/oauth2");
|
|
6
|
-
const oid4vci_1 = require("@animo-id/oid4vci");
|
|
7
6
|
const core_1 = require("@credo-ts/core");
|
|
8
7
|
const router_1 = require("../../shared/router");
|
|
9
8
|
const utils_1 = require("../../shared/utils");
|
|
@@ -15,7 +14,7 @@ function configureAccessTokenEndpoint(router, config) {
|
|
|
15
14
|
}
|
|
16
15
|
function handleTokenRequest(config) {
|
|
17
16
|
return async (request, response, next) => {
|
|
18
|
-
var _a, _b, _c;
|
|
17
|
+
var _a, _b, _c, _d;
|
|
19
18
|
response.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' });
|
|
20
19
|
const requestContext = (0, router_1.getRequestContext)(request);
|
|
21
20
|
const { agentContext, issuer } = requestContext;
|
|
@@ -32,7 +31,6 @@ function handleTokenRequest(config) {
|
|
|
32
31
|
method: request.method,
|
|
33
32
|
url: fullRequestUrl,
|
|
34
33
|
};
|
|
35
|
-
// What error does this throw?
|
|
36
34
|
const { accessTokenRequest, grant, dpopJwt, pkceCodeVerifier } = oauth2AuthorizationServer.parseAccessTokenRequest({
|
|
37
35
|
accessTokenRequest: request.body,
|
|
38
36
|
request: requestLike,
|
|
@@ -50,6 +48,16 @@ function handleTokenRequest(config) {
|
|
|
50
48
|
error_description: 'Invalid authorization code',
|
|
51
49
|
});
|
|
52
50
|
}
|
|
51
|
+
if (Date.now() >
|
|
52
|
+
(0, utils_1.addSecondsToDate)(issuanceSession.createdAt, config.statefullCredentialOfferExpirationInSeconds).getTime()) {
|
|
53
|
+
issuanceSession.errorMessage = 'Credential offer has expired';
|
|
54
|
+
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.Error);
|
|
55
|
+
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
56
|
+
// What is the best error here?
|
|
57
|
+
error: oauth2_1.Oauth2ErrorCodes.InvalidGrant,
|
|
58
|
+
error_description: 'Session expired',
|
|
59
|
+
});
|
|
60
|
+
}
|
|
53
61
|
let verificationResult;
|
|
54
62
|
try {
|
|
55
63
|
if (grant.grantType === oauth2_1.preAuthorizedCodeGrantIdentifier) {
|
|
@@ -68,10 +76,12 @@ function handleTokenRequest(config) {
|
|
|
68
76
|
request: requestLike,
|
|
69
77
|
dpop: {
|
|
70
78
|
jwt: dpopJwt,
|
|
71
|
-
|
|
79
|
+
// This will only have effect when DPoP is not present.
|
|
80
|
+
// If it is present it will always be verified
|
|
81
|
+
required: config.dpopRequired,
|
|
72
82
|
},
|
|
73
83
|
expectedTxCode: issuanceSession.userPin,
|
|
74
|
-
preAuthorizedCodeExpiresAt: (0, utils_1.addSecondsToDate)(issuanceSession.createdAt, config.
|
|
84
|
+
preAuthorizedCodeExpiresAt: (0, utils_1.addSecondsToDate)(issuanceSession.createdAt, config.statefullCredentialOfferExpirationInSeconds),
|
|
75
85
|
});
|
|
76
86
|
}
|
|
77
87
|
else if (grant.grantType === oauth2_1.authorizationCodeGrantIdentifier) {
|
|
@@ -91,7 +101,9 @@ function handleTokenRequest(config) {
|
|
|
91
101
|
request: requestLike,
|
|
92
102
|
dpop: {
|
|
93
103
|
jwt: dpopJwt,
|
|
94
|
-
|
|
104
|
+
// This will only have effect when DPoP is not present.
|
|
105
|
+
// If it is present it will always be verified
|
|
106
|
+
required: config.dpopRequired,
|
|
95
107
|
},
|
|
96
108
|
pkce: issuanceSession.pkce
|
|
97
109
|
? {
|
|
@@ -110,35 +122,34 @@ function handleTokenRequest(config) {
|
|
|
110
122
|
}
|
|
111
123
|
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AccessTokenRequested);
|
|
112
124
|
const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer);
|
|
113
|
-
//
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
});
|
|
125
|
+
// for authorization code flow we take the authorization scopes. For pre-auth we don't use scopes (we just
|
|
126
|
+
// use the offered credential configuration ids so a scope is not required)
|
|
127
|
+
const scopes = grant.grantType === oauth2_1.authorizationCodeGrantIdentifier ? (_c = issuanceSession.authorization) === null || _c === void 0 ? void 0 : _c.scopes : undefined;
|
|
128
|
+
const subject = `credo:${core_1.utils.uuid()}`;
|
|
118
129
|
const signerJwk = (0, core_1.getJwkFromKey)(accessTokenSigningKey);
|
|
119
130
|
const accessTokenResponse = await oauth2AuthorizationServer.createAccessTokenResponse({
|
|
120
131
|
audience: issuerMetadata.credentialIssuer.credential_issuer,
|
|
121
132
|
authorizationServer: issuerMetadata.credentialIssuer.credential_issuer,
|
|
122
133
|
expiresInSeconds: config.accessTokenExpiresInSeconds,
|
|
123
|
-
// TODO: we need to include kid and also host the jwks?
|
|
124
|
-
// Or we should somehow bypass the jwks_uri resolving if we verify our own token (only we will verify the token)
|
|
125
134
|
signer: {
|
|
126
135
|
method: 'jwk',
|
|
127
136
|
alg: signerJwk.supportedSignatureAlgorithms[0],
|
|
128
137
|
publicJwk: signerJwk.toJson(),
|
|
129
138
|
},
|
|
130
139
|
dpopJwk: verificationResult.dpopJwk,
|
|
131
|
-
scope: scopes === null || scopes === void 0 ? void 0 : scopes.join('
|
|
140
|
+
scope: scopes === null || scopes === void 0 ? void 0 : scopes.join(' '),
|
|
132
141
|
clientId: issuanceSession.clientId,
|
|
133
142
|
additionalAccessTokenPayload: {
|
|
134
143
|
'pre-authorized_code': grant.grantType === oauth2_1.preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : undefined,
|
|
135
|
-
issuer_state: (
|
|
144
|
+
issuer_state: (_d = issuanceSession.authorization) === null || _d === void 0 ? void 0 : _d.issuerState,
|
|
136
145
|
},
|
|
137
|
-
subject
|
|
146
|
+
// We generate a random subject for each access token and bind the issuance session to this.
|
|
147
|
+
subject,
|
|
138
148
|
// NOTE: these have been removed in newer drafts. Keeping them in for now
|
|
139
149
|
cNonce,
|
|
140
150
|
cNonceExpiresIn: cNonceExpiresInSeconds,
|
|
141
151
|
});
|
|
152
|
+
issuanceSession.authorization = Object.assign(Object.assign({}, issuanceSession.authorization), { subject });
|
|
142
153
|
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AccessTokenCreated);
|
|
143
154
|
return (0, router_1.sendJsonResponse)(response, next, accessTokenResponse);
|
|
144
155
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"accessTokenEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"accessTokenEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"names":[],"mappings":";;AAwBA,oEAEC;AAED,gDA0LC;AAjND,6CAKyB;AACzB,yCAAwE;AAExE,gDAK4B;AAC5B,8CAAqD;AACrD,oFAAgF;AAChF,sEAAkE;AAClE,8CAAkE;AAElE,SAAgB,4BAA4B,CAAC,MAAc,EAAE,MAAmC;IAC9F,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAA;AACzE,CAAC;AAED,SAAgB,kBAAkB,CAAC,MAAmC;IACpE,OAAO,KAAK,EAAE,OAAiC,EAAE,QAAkB,EAAE,IAAkB,EAAE,EAAE;;QACzF,QAAQ,CAAC,GAAG,CAAC,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAA;QACjE,MAAM,cAAc,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QACjD,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,cAAc,CAAA;QAE/C,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;QAC7F,MAAM,yBAAyB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAkC,CAAC,CAAA;QAC5G,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;QAC3F,MAAM,qBAAqB,GAAG,UAAG,CAAC,eAAe,CAAC,MAAM,CAAC,+BAA+B,CAAC,CAAA;QACzF,MAAM,yBAAyB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAA;QAEnG,MAAM,cAAc,GAAG,IAAA,mBAAY,EAAC,cAAc,CAAC,gBAAgB,CAAC,iBAAiB,EAAE;YACrF,MAAM,CAAC,uBAAuB;SAC/B,CAAC,CAAA;QACF,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,OAAiC,CAAC;YAC/D,MAAM,EAAE,OAAO,CAAC,MAAoB;YACpC,GAAG,EAAE,cAAc;SACX,CAAA;QAEV,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,yBAAyB,CAAC,uBAAuB,CAAC;YACjH,kBAAkB,EAAE,OAAO,CAAC,IAAI;YAChC,OAAO,EAAE,WAAW;SACrB,CAAC,CAAA;QAEF,MAAM,eAAe,GAAG,MAAM,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,EAAE;YACtF,iBAAiB,EAAE,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;YAC7G,iBAAiB,EAAE,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SACjG,CAAC,CAAA;QACF,MAAM,aAAa,GACjB,KAAK,CAAC,SAAS,KAAK,yCAAgC;YAClD,CAAC,CAAC,CAAC,6DAA6B,CAAC,YAAY,EAAE,6DAA6B,CAAC,iBAAiB,CAAC;YAC/F,CAAC,CAAC,CAAC,6DAA6B,CAAC,oBAAoB,CAAC,CAAA;QAC1D,IAAI,CAAC,eAAe,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,uCAA8B,CAAC;gBACvC,KAAK,EAAE,yBAAgB,CAAC,YAAY;gBACpC,iBAAiB,EAAE,4BAA4B;aAChD,CAAC,CAAA;QACJ,CAAC;QAED,IACE,IAAI,CAAC,GAAG,EAAE;YACV,IAAA,wBAAgB,EAAC,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,2CAA2C,CAAC,CAAC,OAAO,EAAE,EACzG,CAAC;YACD,eAAe,CAAC,YAAY,GAAG,8BAA8B,CAAA;YAC7D,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;YAC5G,MAAM,IAAI,uCAA8B,CAAC;gBACvC,+BAA+B;gBAC/B,KAAK,EAAE,yBAAgB,CAAC,YAAY;gBACpC,iBAAiB,EAAE,iBAAiB;aACrC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,kBAAkD,CAAA;QACtD,IAAI,CAAC;YACH,IAAI,KAAK,CAAC,SAAS,KAAK,yCAAgC,EAAE,CAAC;gBACzD,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE,CAAC;oBACvC,MAAM,IAAI,uCAA8B,CACtC;wBACE,KAAK,EAAE,yBAAgB,CAAC,YAAY;wBACpC,iBAAiB,EAAE,4BAA4B;qBAChD,EACD;wBACE,eAAe,EACb,8IAA8I;qBACjJ,CACF,CAAA;gBACH,CAAC;gBAED,kBAAkB,GAAG,MAAM,yBAAyB,CAAC,yCAAyC,CAAC;oBAC7F,kBAAkB;oBAClB,yBAAyB,EAAE,eAAe,CAAC,iBAAiB;oBAC5D,KAAK;oBACL,OAAO,EAAE,WAAW;oBACpB,IAAI,EAAE;wBACJ,GAAG,EAAE,OAAO;wBACZ,uDAAuD;wBACvD,8CAA8C;wBAC9C,QAAQ,EAAE,MAAM,CAAC,YAAY;qBAC9B;oBACD,cAAc,EAAE,eAAe,CAAC,OAAO;oBACvC,0BAA0B,EAAE,IAAA,wBAAgB,EAC1C,eAAe,CAAC,SAAS,EACzB,MAAM,CAAC,2CAA2C,CACnD;iBACF,CAAC,CAAA;YACJ,CAAC;iBAAM,IAAI,KAAK,CAAC,SAAS,KAAK,yCAAgC,EAAE,CAAC;gBAChE,IAAI,CAAC,CAAA,MAAA,eAAe,CAAC,aAAa,0CAAE,IAAI,CAAA,IAAI,CAAC,CAAA,MAAA,eAAe,CAAC,aAAa,0CAAE,aAAa,CAAA,EAAE,CAAC;oBAC1F,MAAM,IAAI,uCAA8B,CACtC;wBACE,KAAK,EAAE,yBAAgB,CAAC,YAAY;wBACpC,iBAAiB,EAAE,4BAA4B;qBAChD,EACD;wBACE,eAAe,EACb,6KAA6K;qBAChL,CACF,CAAA;gBACH,CAAC;gBACD,kBAAkB,GAAG,MAAM,yBAAyB,CAAC,yCAAyC,CAAC;oBAC7F,kBAAkB;oBAClB,YAAY,EAAE,eAAe,CAAC,aAAa,CAAC,IAAI;oBAChD,aAAa,EAAE,eAAe,CAAC,aAAa,CAAC,aAAa;oBAC1D,KAAK;oBACL,OAAO,EAAE,WAAW;oBACpB,IAAI,EAAE;wBACJ,GAAG,EAAE,OAAO;wBACZ,uDAAuD;wBACvD,8CAA8C;wBAC9C,QAAQ,EAAE,MAAM,CAAC,YAAY;qBAC9B;oBACD,IAAI,EAAE,eAAe,CAAC,IAAI;wBACxB,CAAC,CAAC;4BACE,aAAa,EAAE,eAAe,CAAC,IAAI,CAAC,aAAa;4BACjD,mBAAmB,EAAE,eAAe,CAAC,IAAI,CAAC,mBAAmB;4BAC7D,YAAY,EAAE,gBAAgB;yBAC/B;wBACH,CAAC,CAAC,SAAS;iBACd,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,uCAA8B,CAAC;oBACvC,KAAK,EAAE,yBAAgB,CAAC,oBAAoB;oBAC5C,iBAAiB,EAAE,wBAAwB;iBAC5C,CAAC,CAAA;YACJ,CAAC;YAED,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,oBAAoB,CACnD,CAAA;YACD,MAAM,EAAE,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;YAEzG,0GAA0G;YAC1G,2EAA2E;YAC3E,MAAM,MAAM,GACV,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,MAAA,eAAe,CAAC,aAAa,0CAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAA;YAC1G,MAAM,OAAO,GAAG,SAAS,YAAK,CAAC,IAAI,EAAE,EAAE,CAAA;YAEvC,MAAM,SAAS,GAAG,IAAA,oBAAa,EAAC,qBAAqB,CAAC,CAAA;YACtD,MAAM,mBAAmB,GAAG,MAAM,yBAAyB,CAAC,yBAAyB,CAAC;gBACpF,QAAQ,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;gBAC3D,mBAAmB,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;gBACtE,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;gBACpD,MAAM,EAAE;oBACN,MAAM,EAAE,KAAK;oBACb,GAAG,EAAE,SAAS,CAAC,4BAA4B,CAAC,CAAC,CAAC;oBAC9C,SAAS,EAAE,SAAS,CAAC,MAAM,EAAE;iBAC9B;gBACD,OAAO,EAAE,kBAAkB,CAAC,OAAO;gBACnC,KAAK,EAAE,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,IAAI,CAAC,GAAG,CAAC;gBACxB,QAAQ,EAAE,eAAe,CAAC,QAAQ;gBAElC,4BAA4B,EAAE;oBAC5B,qBAAqB,EACnB,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;oBAC5F,YAAY,EAAE,MAAA,eAAe,CAAC,aAAa,0CAAE,WAAW;iBACzD;gBACD,4FAA4F;gBAC5F,OAAO;gBAEP,yEAAyE;gBACzE,MAAM;gBACN,eAAe,EAAE,sBAAsB;aACxC,CAAC,CAAA;YAEF,eAAe,CAAC,aAAa,mCACxB,eAAe,CAAC,aAAa,KAChC,OAAO,GACR,CAAA;YACD,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,kBAAkB,CACjD,CAAA;YAED,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,mBAAmB,CAAC,CAAA;QAC9D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YAED,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}
|
|
@@ -72,6 +72,16 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
72
72
|
error_description: `Missing required 'issuer_state' parameter. Only requests initiated by a credential offer are supported for authorization challenge.`,
|
|
73
73
|
});
|
|
74
74
|
}
|
|
75
|
+
// FIXME: we need to authenticate the client. Could be either using client_id/client_secret
|
|
76
|
+
// but that doesn't make sense for wallets. So for now we just allow any client_id and we will
|
|
77
|
+
// need OAuth2 Attestation Based Client Auth and dynamically allow client_ids based on wallet providers
|
|
78
|
+
// we trust. Will add this in a follow up PR (basically we do no client authentication at the moment)
|
|
79
|
+
// if (!authorizationChallengeRequest.client_id) {
|
|
80
|
+
// throw new Oauth2ServerErrorResponseError({
|
|
81
|
+
// error: Oauth2ErrorCodes.InvalidRequest,
|
|
82
|
+
// error_description: `Missing required 'client_id' parameter..`,
|
|
83
|
+
// })
|
|
84
|
+
// }
|
|
75
85
|
const issuanceSession = await openId4VcIssuerService.findSingleIssuancSessionByQuery(agentContext, {
|
|
76
86
|
issuerId: issuer.issuerId,
|
|
77
87
|
issuerState: authorizationChallengeRequest.issuer_state,
|
|
@@ -88,8 +98,6 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
88
98
|
});
|
|
89
99
|
}
|
|
90
100
|
const offeredCredentialConfigurations = (0, shared_1.getOfferedCredentials)(issuanceSession.credentialOfferPayload.credential_configuration_ids, issuerMetadata.credentialIssuer.credential_configurations_supported);
|
|
91
|
-
// NOTE: for now we assume all credential configurations that were offered have a scope (should
|
|
92
|
-
// be checked when creating offer that requires presentation)
|
|
93
101
|
const allowedScopes = (0, shared_1.getScopesFromCredentialConfigurationsSupported)(offeredCredentialConfigurations);
|
|
94
102
|
const requestedScopes = (0, shared_1.getAllowedAndRequestedScopeValues)({
|
|
95
103
|
allowedScopes,
|
|
@@ -102,18 +110,26 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
102
110
|
error_description: `No requested 'scope' values match with offered credential configurations.`,
|
|
103
111
|
});
|
|
104
112
|
}
|
|
105
|
-
const { authorizationRequest, verificationSession } = await config.getVerificationSessionForIssuanceSessionAuthorization({
|
|
113
|
+
const { authorizationRequest, verificationSession, scopes: presentationScopes, } = await config.getVerificationSessionForIssuanceSessionAuthorization({
|
|
106
114
|
agentContext,
|
|
107
115
|
issuanceSession,
|
|
108
116
|
requestedCredentialConfigurations,
|
|
109
117
|
scopes: requestedScopes,
|
|
110
118
|
});
|
|
119
|
+
// Store presentation during issuance session on the record
|
|
120
|
+
verificationSession.presentationDuringIssuanceSession = core_1.TypedArrayEncoder.toBase64URL(agentContext.wallet.getRandomValues(32));
|
|
121
|
+
await agentContext.dependencyManager
|
|
122
|
+
.resolve(openid4vc_verifier_1.OpenId4VcVerificationSessionRepository)
|
|
123
|
+
.update(agentContext, verificationSession);
|
|
111
124
|
const authSession = core_1.TypedArrayEncoder.toBase64URL(agentContext.wallet.getRandomValues(32));
|
|
125
|
+
issuanceSession.authorization = Object.assign(Object.assign({}, issuanceSession.authorization), { scopes: presentationScopes });
|
|
112
126
|
issuanceSession.presentation = {
|
|
113
127
|
required: true,
|
|
114
128
|
authSession,
|
|
115
129
|
openId4VcVerificationSessionId: verificationSession.id,
|
|
116
130
|
};
|
|
131
|
+
// NOTE: should only allow authenticated clients in the future.
|
|
132
|
+
issuanceSession.clientId = authorizationChallengeRequest.client_id;
|
|
117
133
|
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationInitiated);
|
|
118
134
|
const authorizationChallengeErrorResponse = authorizationServer.createAuthorizationChallengePresentationErrorResponse({
|
|
119
135
|
authSession,
|
|
@@ -132,14 +148,13 @@ async function handleAuthorizationChallengeWithAuthSession(options) {
|
|
|
132
148
|
// should we validate that these are not in the request? I'm not sure what best practive would be here
|
|
133
149
|
const issuanceSession = await openId4VcIssuerService.findSingleIssuancSessionByQuery(agentContext, {
|
|
134
150
|
issuerId: issuer.issuerId,
|
|
135
|
-
|
|
151
|
+
presentationAuthSession: authorizationChallengeRequest.auth_session,
|
|
136
152
|
});
|
|
137
153
|
const allowedStates = [OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationInitiated];
|
|
138
|
-
if (!issuanceSession ||
|
|
139
|
-
!issuanceSession.presentation ||
|
|
154
|
+
if (!(issuanceSession === null || issuanceSession === void 0 ? void 0 : issuanceSession.presentation) ||
|
|
140
155
|
!issuanceSession.presentation.openId4VcVerificationSessionId ||
|
|
141
156
|
!issuanceSession.presentation.authSession ||
|
|
142
|
-
allowedStates.includes(issuanceSession.state)) {
|
|
157
|
+
!allowedStates.includes(issuanceSession.state)) {
|
|
143
158
|
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
144
159
|
error: oauth2_1.Oauth2ErrorCodes.InvalidSession,
|
|
145
160
|
error_description: `Invalid 'auth_session'`,
|
|
@@ -168,16 +183,19 @@ async function handleAuthorizationChallengeWithAuthSession(options) {
|
|
|
168
183
|
.then(async (verificationSession) => {
|
|
169
184
|
// Issuance session cannot be used anymore
|
|
170
185
|
if (verificationSession.state === openid4vc_verifier_1.OpenId4VcVerificationSessionState.Error) {
|
|
171
|
-
issuanceSession.errorMessage = `Associated
|
|
186
|
+
issuanceSession.errorMessage = `Associated openId4VcVerificationSessionRecord with id '${openId4VcVerificationSessionId}' has error state`;
|
|
172
187
|
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.Error);
|
|
173
188
|
}
|
|
174
|
-
if (verificationSession.state !== openid4vc_verifier_1.OpenId4VcVerificationSessionState.ResponseVerified
|
|
189
|
+
if (verificationSession.state !== openid4vc_verifier_1.OpenId4VcVerificationSessionState.ResponseVerified ||
|
|
190
|
+
authorizationChallengeRequest.presentation_during_issuance_session !==
|
|
191
|
+
verificationSession.presentationDuringIssuanceSession) {
|
|
175
192
|
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
176
|
-
// InsufficentAuthorization?
|
|
177
193
|
error: oauth2_1.Oauth2ErrorCodes.InvalidSession,
|
|
178
|
-
error_description: `Invalid 'auth_session'`,
|
|
194
|
+
error_description: `Invalid presentation for 'auth_session'`,
|
|
179
195
|
}, {
|
|
180
|
-
internalMessage:
|
|
196
|
+
internalMessage: verificationSession.state !== openid4vc_verifier_1.OpenId4VcVerificationSessionState.ResponseVerified
|
|
197
|
+
? `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has state '${verificationSession.state}', while '${openid4vc_verifier_1.OpenId4VcVerificationSessionState.ResponseVerified}' was expected.`
|
|
198
|
+
: `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has 'presentation_during_issuance_session' '${verificationSession.presentationDuringIssuanceSession}', but authorization challenge request provided value '${authorizationChallengeRequest.presentation_during_issuance_session}'.`,
|
|
181
199
|
});
|
|
182
200
|
}
|
|
183
201
|
});
|
|
@@ -187,7 +205,7 @@ async function handleAuthorizationChallengeWithAuthSession(options) {
|
|
|
187
205
|
issuanceSession.authorization = Object.assign(Object.assign({}, issuanceSession.authorization), { code: authorizationCode, codeExpiresAt: authorizationCodeExpiresAt });
|
|
188
206
|
// TODO: we need to start using locks so we can't get corrupted state
|
|
189
207
|
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationGranted);
|
|
190
|
-
const authorizationChallengeResponse = authorizationServer.createAuthorizationChallengeResponse({
|
|
208
|
+
const { authorizationChallengeResponse } = authorizationServer.createAuthorizationChallengeResponse({
|
|
191
209
|
authorizationCode,
|
|
192
210
|
});
|
|
193
211
|
return (0, router_1.sendJsonResponse)(response, next, authorizationChallengeResponse);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorizationChallengeEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/authorizationChallengeEndpoint.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"authorizationChallengeEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/authorizationChallengeEndpoint.ts"],"names":[],"mappings":";;AAgCA,0FA2CC;AApED,6CAAmF;AACnF,yCAAkD;AAElD,iEAIiC;AACjC,yCAKqB;AACrB,gDAK4B;AAC5B,8CAAqD;AACrD,oFAAgF;AAChF,gFAA4E;AAC5E,sEAAkE;AAElE,SAAgB,uCAAuC,CAAC,MAAc,EAAE,MAAmC;IACzG,MAAM,CAAC,IAAI,CACT,MAAM,CAAC,kCAAkC,EACzC,KAAK,EAAE,OAAiC,EAAE,QAAkB,EAAE,IAAkB,EAAE,EAAE;QAClF,MAAM,cAAc,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QACjD,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,cAAc,CAAA;QAE/C,IAAI,CAAC;YACH,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;YAC7F,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAA;YAE7F,MAAM,EAAE,6BAA6B,EAAE,GAAG,mBAAmB,CAAC,kCAAkC,CAAC;gBAC/F,6BAA6B,EAAE,OAAO,CAAC,IAAI;aAC5C,CAAC,CAAA;YAEF,IAAI,6BAA6B,CAAC,YAAY,EAAE,CAAC;gBAC/C,MAAM,2CAA2C,CAAC;oBAChD,QAAQ;oBACR,IAAI;oBACJ,6BAA6B,kCAExB,6BAA6B,KAChC,YAAY,EAAE,6BAA6B,CAAC,YAAY,GACzD;oBACD,YAAY;oBACZ,MAAM;iBACP,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,MAAM,yCAAyC,CAAC;oBAC9C,6BAA6B;oBAC7B,YAAY;oBACZ,MAAM;iBACP,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YACD,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,yCAAyC,CAAC,OAIxD;IACC,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,6BAA6B,EAAE,GAAG,OAAO,CAAA;IAEvE,iCAAiC;IAEjC,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;IAC7F,MAAM,MAAM,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,yDAA2B,CAAC,CAAA;IAClF,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;IAC3F,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAA;IAE7F,IAAI,CAAC,MAAM,CAAC,qDAAqD,EAAE,CAAC;QAClE,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,WAAW;SACpC,EACD;YACE,eAAe,EAAE,wLAAwL;SAC1M,CACF,CAAA;IACH,CAAC;IAED,IAAI,CAAC,6BAA6B,CAAC,KAAK,EAAE,CAAC;QACzC,MAAM,IAAI,uCAA8B,CAAC;YACvC,KAAK,EAAE,yBAAgB,CAAC,YAAY;YACpC,iBAAiB,EAAE,oCAAoC;SACxD,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,CAAC,6BAA6B,CAAC,YAAY,EAAE,CAAC;QAChD,MAAM,IAAI,uCAA8B,CAAC;YACvC,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,qIAAqI;SACzJ,CAAC,CAAA;IACJ,CAAC;IAED,2FAA2F;IAC3F,8FAA8F;IAC9F,uGAAuG;IACvG,qGAAqG;IACrG,kDAAkD;IAClD,+CAA+C;IAC/C,8CAA8C;IAC9C,qEAAqE;IACrE,OAAO;IACP,IAAI;IAEJ,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAAC,+BAA+B,CAAC,YAAY,EAAE;QACjG,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,6BAA6B,CAAC,YAAY;KACxD,CAAC,CAAA;IACF,MAAM,aAAa,GAAG,CAAC,6DAA6B,CAAC,YAAY,EAAE,6DAA6B,CAAC,iBAAiB,CAAC,CAAA;IACnH,IAAI,CAAC,eAAe,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,kCAAkC;SACtD,EACD;YACE,eAAe,EAAE,CAAC,eAAe;gBAC/B,CAAC,CAAC,4DAA4D,6BAA6B,CAAC,YAAY,GAAG;gBAC3G,CAAC,CAAC,qBAAqB,eAAe,CAAC,EAAE,gBACrC,eAAe,CAAC,KAClB,yBAAyB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACxD,CACF,CAAA;IACH,CAAC;IAED,MAAM,+BAA+B,GAAG,IAAA,8BAAqB,EAC3D,eAAe,CAAC,sBAAsB,CAAC,4BAA4B,EACnE,cAAc,CAAC,gBAAgB,CAAC,mCAAmC,CACpE,CAAA;IAED,MAAM,aAAa,GAAG,IAAA,uDAA8C,EAAC,+BAA+B,CAAC,CAAA;IACrG,MAAM,eAAe,GAAG,IAAA,0CAAiC,EAAC;QACxD,aAAa;QACb,cAAc,EAAE,6BAA6B,CAAC,KAAK;KACpD,CAAC,CAAA;IACF,MAAM,iCAAiC,GAAG,IAAA,sDAA6C,EACrF,+BAA+B,EAC/B,eAAe,CAC0C,CAAA;IAE3D,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChG,MAAM,IAAI,uCAA8B,CAAC;YACvC,KAAK,EAAE,yBAAgB,CAAC,YAAY;YACpC,iBAAiB,EAAE,2EAA2E;SAC/F,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,EACJ,oBAAoB,EACpB,mBAAmB,EACnB,MAAM,EAAE,kBAAkB,GAC3B,GAAG,MAAM,MAAM,CAAC,qDAAqD,CAAC;QACrE,YAAY;QACZ,eAAe;QACf,iCAAiC;QACjC,MAAM,EAAE,eAAe;KACxB,CAAC,CAAA;IAEF,2DAA2D;IAC3D,mBAAmB,CAAC,iCAAiC,GAAG,wBAAiB,CAAC,WAAW,CACnF,YAAY,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CACxC,CAAA;IACD,MAAM,YAAY,CAAC,iBAAiB;SACjC,OAAO,CAAC,2DAAsC,CAAC;SAC/C,MAAM,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAA;IAE5C,MAAM,WAAW,GAAG,wBAAiB,CAAC,WAAW,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,CAAA;IAC1F,eAAe,CAAC,aAAa,mCACxB,eAAe,CAAC,aAAa,KAChC,MAAM,EAAE,kBAAkB,GAC3B,CAAA;IACD,eAAe,CAAC,YAAY,GAAG;QAC7B,QAAQ,EAAE,IAAI;QACd,WAAW;QACX,8BAA8B,EAAE,mBAAmB,CAAC,EAAE;KACvD,CAAA;IAED,+DAA+D;IAC/D,eAAe,CAAC,QAAQ,GAAG,6BAA6B,CAAC,SAAS,CAAA;IAElE,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,sBAAsB,CACrD,CAAA;IAED,MAAM,mCAAmC,GAAG,mBAAmB,CAAC,qDAAqD,CACnH;QACE,WAAW;QACX,YAAY,EAAE,oBAAoB;QAClC,gBAAgB,EAAE,uCAAuC;KAC1D,CACF,CAAA;IACD,MAAM,IAAI,uCAA8B,CAAC,mCAAmC,CAAC,CAAA;AAC/E,CAAC;AAED,KAAK,UAAU,2CAA2C,CAAC,OAM1D;IACC,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,6BAA6B,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,OAAO,CAAA;IAEvF,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;IAC7F,MAAM,MAAM,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,yDAA2B,CAAC,CAAA;IAClF,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAA;IAC7F,MAAM,WAAW,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,yCAAoB,CAAC,CAAA;IAEhF,kFAAkF;IAClF,sGAAsG;IAEtG,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAAC,+BAA+B,CAAC,YAAY,EAAE;QACjG,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,uBAAuB,EAAE,6BAA6B,CAAC,YAAY;KACpE,CAAC,CAAA;IACF,MAAM,aAAa,GAAG,CAAC,6DAA6B,CAAC,sBAAsB,CAAC,CAAA;IAC5E,IACE,CAAC,CAAA,eAAe,aAAf,eAAe,uBAAf,eAAe,CAAE,YAAY,CAAA;QAC9B,CAAC,eAAe,CAAC,YAAY,CAAC,8BAA8B;QAC5D,CAAC,eAAe,CAAC,YAAY,CAAC,WAAW;QACzC,CAAC,aAAa,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAC9C,CAAC;QACD,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,wBAAwB;SAC5C,EACD;YACE,eAAe,EAAE,CAAC,eAAe;gBAC/B,CAAC,CAAC,4DAA4D,6BAA6B,CAAC,YAAY,GAAG;gBAC3G,CAAC,CAAC,CAAC,CAAA,eAAe,aAAf,eAAe,uBAAf,eAAe,CAAE,YAAY,CAAA;oBAChC,CAAC,CAAC,qBAAqB,eAAe,CAAC,EAAE,8EAA8E;oBACvH,CAAC,CAAC,qBAAqB,eAAe,CAAC,EAAE,gBACrC,eAAe,CAAC,KAClB,yBAAyB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACxD,CACF,CAAA;IACH,CAAC;IAED,MAAM,EAAE,8BAA8B,EAAE,GAAG,eAAe,CAAC,YAAY,CAAA;IAEvE,MAAM,WAAW;SACd,0BAA0B,CAAC,8BAA8B,CAAC;SAC1D,KAAK,CAAC,KAAK,IAAI,EAAE;QAChB,gCAAgC;QAChC,eAAe,CAAC,YAAY,GAAG,yDAAyD,8BAA8B,kBAAkB,CAAA;QACxI,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;QAE5G,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,wBAAwB;SAC5C,EACD;YACE,eAAe,EAAE,2CAA2C,8BAA8B,gDAAgD,eAAe,CAAC,EAAE,GAAG;SAChK,CACF,CAAA;IACH,CAAC,CAAC;SACD,IAAI,CAAC,KAAK,EAAE,mBAAmB,EAAE,EAAE;QAClC,0CAA0C;QAC1C,IAAI,mBAAmB,CAAC,KAAK,KAAK,sDAAiC,CAAC,KAAK,EAAE,CAAC;YAC1E,eAAe,CAAC,YAAY,GAAG,0DAA0D,8BAA8B,mBAAmB,CAAA;YAC1I,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;QAC9G,CAAC;QAED,IACE,mBAAmB,CAAC,KAAK,KAAK,sDAAiC,CAAC,gBAAgB;YAChF,6BAA6B,CAAC,oCAAoC;gBAChE,mBAAmB,CAAC,iCAAiC,EACvD,CAAC;YACD,MAAM,IAAI,uCAA8B,CACtC;gBACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;gBACtC,iBAAiB,EAAE,yCAAyC;aAC7D,EACD;gBACE,eAAe,EACb,mBAAmB,CAAC,KAAK,KAAK,sDAAiC,CAAC,gBAAgB;oBAC9E,CAAC,CAAC,2CAA2C,8BAA8B,gBAAgB,mBAAmB,CAAC,KAAK,aAAa,sDAAiC,CAAC,gBAAgB,iBAAiB;oBACpM,CAAC,CAAC,2CAA2C,8BAA8B,iDAAiD,mBAAmB,CAAC,iCAAiC,0DAA0D,6BAA6B,CAAC,oCAAoC,IAAI;aACtT,CACF,CAAA;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,sBAAsB;IACtB,MAAM,iBAAiB,GAAG,wBAAiB,CAAC,WAAW,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,CAAA;IAChG,MAAM,0BAA0B,GAAG,IAAA,wBAAgB,EAAC,IAAI,IAAI,EAAE,EAAE,MAAM,CAAC,iCAAiC,CAAC,CAAA;IAEzG,eAAe,CAAC,aAAa,mCACxB,eAAe,CAAC,aAAa,KAChC,IAAI,EAAE,iBAAiB,EACvB,aAAa,EAAE,0BAA0B,GAC1C,CAAA;IAED,qEAAqE;IACrE,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,oBAAoB,CACnD,CAAA;IAED,MAAM,EAAE,8BAA8B,EAAE,GAAG,mBAAmB,CAAC,oCAAoC,CAAC;QAClG,iBAAiB;KAClB,CAAC,CAAA;IAEF,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,8BAA8B,CAAC,CAAA;AACzE,CAAC"}
|
|
@@ -6,18 +6,17 @@ const oid4vci_1 = require("@animo-id/oid4vci");
|
|
|
6
6
|
const core_1 = require("@credo-ts/core");
|
|
7
7
|
const shared_1 = require("../../shared");
|
|
8
8
|
const router_1 = require("../../shared/router");
|
|
9
|
+
const utils_1 = require("../../shared/utils");
|
|
9
10
|
const OpenId4VcIssuanceSessionState_1 = require("../OpenId4VcIssuanceSessionState");
|
|
10
11
|
const OpenId4VcIssuerService_1 = require("../OpenId4VcIssuerService");
|
|
11
12
|
const repository_1 = require("../repository");
|
|
12
13
|
function configureCredentialEndpoint(router, config) {
|
|
13
14
|
router.post(config.credentialEndpointPath, async (request, response, next) => {
|
|
14
|
-
var _a, _b;
|
|
15
|
+
var _a, _b, _c;
|
|
15
16
|
const { agentContext, issuer } = (0, router_1.getRequestContext)(request);
|
|
16
17
|
const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
|
|
17
|
-
// TODO: we should allow delaying fetching auth metadata until it's needed
|
|
18
|
-
// also we should cache it. (both request and response)
|
|
19
18
|
const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer, true);
|
|
20
|
-
const vcIssuer =
|
|
19
|
+
const vcIssuer = openId4VcIssuerService.getIssuer(agentContext);
|
|
21
20
|
const resourceServer = openId4VcIssuerService.getResourceServer(agentContext, issuer);
|
|
22
21
|
const fullRequestUrl = (0, core_1.joinUriParts)(issuerMetadata.credentialIssuer.credential_issuer, [
|
|
23
22
|
config.credentialEndpointPath,
|
|
@@ -26,8 +25,8 @@ function configureCredentialEndpoint(router, config) {
|
|
|
26
25
|
.verifyResourceRequest({
|
|
27
26
|
authorizationServers: issuerMetadata.authorizationServers,
|
|
28
27
|
resourceServer: issuerMetadata.credentialIssuer.credential_issuer,
|
|
28
|
+
allowedAuthenticationSchemes: config.dpopRequired ? [oauth2_1.SupportedAuthenticationScheme.DPoP] : undefined,
|
|
29
29
|
request: {
|
|
30
|
-
// FIXME: we need to make the input type here easier
|
|
31
30
|
headers: new Headers(request.headers),
|
|
32
31
|
method: request.method,
|
|
33
32
|
url: fullRequestUrl,
|
|
@@ -38,31 +37,84 @@ function configureCredentialEndpoint(router, config) {
|
|
|
38
37
|
});
|
|
39
38
|
if (!resourceRequestResult)
|
|
40
39
|
return;
|
|
41
|
-
const { tokenPayload,
|
|
40
|
+
const { tokenPayload, accessToken, scheme, authorizationServer } = resourceRequestResult;
|
|
42
41
|
const credentialRequest = request.body;
|
|
43
42
|
const issuanceSessionRepository = agentContext.dependencyManager.resolve(repository_1.OpenId4VcIssuanceSessionRepository);
|
|
44
|
-
const preAuthorizedCode = typeof tokenPayload['pre-authorized_code'] === 'string' ? tokenPayload['pre-authorized_code'] : undefined;
|
|
45
|
-
const issuerState = typeof tokenPayload.issuer_state === 'string' ? tokenPayload.issuer_state : undefined;
|
|
46
|
-
let issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, {
|
|
47
|
-
issuerId: issuer.issuerId,
|
|
48
|
-
preAuthorizedCode,
|
|
49
|
-
// TODO: we should bind the issuance session to the `sub` of this token
|
|
50
|
-
// after we've matched it against the issuer_state, otherwise someone can
|
|
51
|
-
// get hold of an access token by providing an issuer_state value used in previous
|
|
52
|
-
// sessions from someone else and hijack the session
|
|
53
|
-
issuerState,
|
|
54
|
-
});
|
|
55
43
|
const parsedCredentialRequest = vcIssuer.parseCredentialRequest({
|
|
56
44
|
credentialRequest,
|
|
57
45
|
});
|
|
58
|
-
|
|
46
|
+
let issuanceSession = null;
|
|
47
|
+
const preAuthorizedCode = typeof tokenPayload['pre-authorized_code'] === 'string' ? tokenPayload['pre-authorized_code'] : undefined;
|
|
48
|
+
const issuerState = typeof tokenPayload.issuer_state === 'string' ? tokenPayload.issuer_state : undefined;
|
|
49
|
+
const subject = tokenPayload.sub;
|
|
50
|
+
if (!subject) {
|
|
51
|
+
return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ServerErrorResponseError({
|
|
52
|
+
error: oauth2_1.Oauth2ErrorCodes.ServerError,
|
|
53
|
+
}, {
|
|
54
|
+
internalMessage: `Received token without 'sub' claim. Subject is required for binding issuance session`,
|
|
55
|
+
}));
|
|
56
|
+
}
|
|
57
|
+
// Already handle request without format. Simplifies next code sections
|
|
58
|
+
if (!parsedCredentialRequest.format) {
|
|
59
|
+
return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ServerErrorResponseError({
|
|
60
|
+
error: parsedCredentialRequest.credentialIdentifier
|
|
61
|
+
? oauth2_1.Oauth2ErrorCodes.InvalidCredentialRequest
|
|
62
|
+
: oauth2_1.Oauth2ErrorCodes.UnsupportedCredentialFormat,
|
|
63
|
+
error_description: parsedCredentialRequest.credentialIdentifier
|
|
64
|
+
? `Credential request containing 'credential_identifier' not supported`
|
|
65
|
+
: `Credential format '${parsedCredentialRequest.credentialRequest.format}' not supported`,
|
|
66
|
+
}));
|
|
67
|
+
}
|
|
68
|
+
if (preAuthorizedCode || issuerState) {
|
|
69
|
+
issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, {
|
|
70
|
+
issuerId: issuer.issuerId,
|
|
71
|
+
preAuthorizedCode,
|
|
72
|
+
issuerState,
|
|
73
|
+
});
|
|
74
|
+
if (!issuanceSession) {
|
|
75
|
+
agentContext.config.logger.warn(`No issuance session found for incoming credential request for issuer ${issuer.issuerId} but access token data has ${issuerState ? 'issuer_state' : 'pre-authorized_code'}. Returning error response`, {
|
|
76
|
+
tokenPayload,
|
|
77
|
+
});
|
|
78
|
+
return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ServerErrorResponseError({
|
|
79
|
+
error: oauth2_1.Oauth2ErrorCodes.CredentialRequestDenied,
|
|
80
|
+
}, {
|
|
81
|
+
internalMessage: `No issuance session found for incoming credential request for issuer ${issuer.issuerId} and access token data`,
|
|
82
|
+
}));
|
|
83
|
+
}
|
|
84
|
+
// Verify the issuance session subject
|
|
85
|
+
if ((_a = issuanceSession.authorization) === null || _a === void 0 ? void 0 : _a.subject) {
|
|
86
|
+
if (issuanceSession.authorization.subject !== tokenPayload.sub) {
|
|
87
|
+
return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ServerErrorResponseError({
|
|
88
|
+
error: oauth2_1.Oauth2ErrorCodes.CredentialRequestDenied,
|
|
89
|
+
}, {
|
|
90
|
+
internalMessage: `Issuance session authorization subject does not match with the token payload subject for issuance session '${issuanceSession.id}'. Returning error response`,
|
|
91
|
+
}));
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
// Statefull session expired
|
|
95
|
+
else if (Date.now() >
|
|
96
|
+
(0, utils_1.addSecondsToDate)(issuanceSession.createdAt, config.statefullCredentialOfferExpirationInSeconds).getTime()) {
|
|
97
|
+
issuanceSession.errorMessage = 'Credential offer has expired';
|
|
98
|
+
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.Error);
|
|
99
|
+
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
100
|
+
// What is the best error here?
|
|
101
|
+
error: oauth2_1.Oauth2ErrorCodes.CredentialRequestDenied,
|
|
102
|
+
error_description: 'Session expired',
|
|
103
|
+
});
|
|
104
|
+
}
|
|
105
|
+
else {
|
|
106
|
+
issuanceSession.authorization = Object.assign(Object.assign({}, issuanceSession.authorization), { subject: tokenPayload.sub });
|
|
107
|
+
await issuanceSessionRepository.update(agentContext, issuanceSession);
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
if (!issuanceSession && config.allowDynamicIssuanceSessions) {
|
|
59
111
|
agentContext.config.logger.warn(`No issuance session found for incoming credential request for issuer ${issuer.issuerId} and access token data has no issuer_state or pre-authorized_code. Creating on-demand issuance session`, {
|
|
60
112
|
tokenPayload,
|
|
61
113
|
});
|
|
62
114
|
// All credential configurations that match the request scope and credential request
|
|
63
115
|
// This is just so we don't create an issuance session that will fail immediately after
|
|
64
116
|
const credentialConfigurationsForToken = (0, oid4vci_1.getCredentialConfigurationsMatchingRequestFormat)({
|
|
65
|
-
credentialConfigurations: (0, shared_1.getCredentialConfigurationsSupportedForScopes)(issuerMetadata.credentialIssuer.credential_configurations_supported, (
|
|
117
|
+
credentialConfigurations: (0, shared_1.getCredentialConfigurationsSupportedForScopes)(issuerMetadata.credentialIssuer.credential_configurations_supported, (_c = (_b = tokenPayload.scope) === null || _b === void 0 ? void 0 : _b.split(' ')) !== null && _c !== void 0 ? _c : []),
|
|
66
118
|
requestFormat: parsedCredentialRequest.format,
|
|
67
119
|
});
|
|
68
120
|
if (Object.keys(credentialConfigurationsForToken).length === 0) {
|
|
@@ -80,21 +132,20 @@ function configureCredentialEndpoint(router, config) {
|
|
|
80
132
|
},
|
|
81
133
|
issuerId: issuer.issuerId,
|
|
82
134
|
state: OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.CredentialRequestReceived,
|
|
83
|
-
dpopRequired: dpopJwk !== undefined,
|
|
84
135
|
clientId: tokenPayload.client_id,
|
|
136
|
+
authorization: {
|
|
137
|
+
subject: tokenPayload.sub,
|
|
138
|
+
},
|
|
85
139
|
});
|
|
86
140
|
// Save and update
|
|
87
141
|
await issuanceSessionRepository.save(agentContext, issuanceSession);
|
|
88
142
|
openId4VcIssuerService.emitStateChangedEvent(agentContext, issuanceSession, null);
|
|
89
143
|
}
|
|
90
144
|
else if (!issuanceSession) {
|
|
91
|
-
agentContext.config.logger.warn(`No issuance session found for incoming credential request for issuer ${issuer.issuerId} but access token data has no ${issuerState ? 'issuer_state' : 'pre-authorized_code'}. Returning error response`, {
|
|
92
|
-
tokenPayload,
|
|
93
|
-
});
|
|
94
145
|
return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ServerErrorResponseError({
|
|
95
146
|
error: oauth2_1.Oauth2ErrorCodes.CredentialRequestDenied,
|
|
96
147
|
}, {
|
|
97
|
-
internalMessage: `
|
|
148
|
+
internalMessage: `Access token without 'issuer_state' or 'pre-authorized_code' issued by external authorization server provided, but 'allowDynamicIssuanceSessions' is disabled. Either bind the access token to a statefull credential offer, or enable 'allowDynamicIssuanceSessions'.`,
|
|
98
149
|
}));
|
|
99
150
|
}
|
|
100
151
|
try {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credentialEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/credentialEndpoint.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"credentialEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/credentialEndpoint.ts"],"names":[],"mappings":";;AA2BA,kEA+OC;AArQD,6CAKyB;AACzB,+CAAoF;AACpF,yCAA6C;AAE7C,yCAA4E;AAC5E,gDAM4B;AAC5B,8CAAqD;AACrD,oFAAgF;AAChF,sEAAkE;AAClE,8CAAkG;AAElG,SAAgB,2BAA2B,CAAC,MAAc,EAAE,MAAmC;IAC7F,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,KAAK,EAAE,OAAiC,EAAE,QAAkB,EAAE,IAAI,EAAE,EAAE;;QAC/G,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QAC3D,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;QAC7F,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;QACjG,MAAM,QAAQ,GAAG,sBAAsB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAA;QAC/D,MAAM,cAAc,GAAG,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;QAErF,MAAM,cAAc,GAAG,IAAA,mBAAY,EAAC,cAAc,CAAC,gBAAgB,CAAC,iBAAiB,EAAE;YACrF,MAAM,CAAC,sBAAsB;SAC9B,CAAC,CAAA;QACF,MAAM,qBAAqB,GAAG,MAAM,cAAc;aAC/C,qBAAqB,CAAC;YACrB,oBAAoB,EAAE,cAAc,CAAC,oBAAoB;YACzD,cAAc,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;YACjE,4BAA4B,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,sCAA6B,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;YACpG,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,OAAiC,CAAC;gBAC/D,MAAM,EAAE,OAAO,CAAC,MAAoB;gBACpC,GAAG,EAAE,cAAc;aACpB;SACF,CAAC;aACD,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACf,IAAA,8BAAqB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1E,CAAC,CAAC,CAAA;QACJ,IAAI,CAAC,qBAAqB;YAAE,OAAM;QAClC,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,qBAAqB,CAAA;QAExF,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAA;QACtC,MAAM,yBAAyB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAkC,CAAC,CAAA;QAE5G,MAAM,uBAAuB,GAAG,QAAQ,CAAC,sBAAsB,CAAC;YAC9D,iBAAiB;SAClB,CAAC,CAAA;QAEF,IAAI,eAAe,GAA0C,IAAI,CAAA;QACjE,MAAM,iBAAiB,GACrB,OAAO,YAAY,CAAC,qBAAqB,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QAC3G,MAAM,WAAW,GAAG,OAAO,YAAY,CAAC,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAA;QAEzG,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAA;QAChC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;gBACE,KAAK,EAAE,yBAAgB,CAAC,WAAW;aACpC,EACD;gBACE,eAAe,EAAE,sFAAsF;aACxG,CACF,CACF,CAAA;QACH,CAAC;QAED,uEAAuE;QACvE,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,CAAC;YACpC,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAAC;gBACjC,KAAK,EAAE,uBAAuB,CAAC,oBAAoB;oBACjD,CAAC,CAAC,yBAAgB,CAAC,wBAAwB;oBAC3C,CAAC,CAAC,yBAAgB,CAAC,2BAA2B;gBAChD,iBAAiB,EAAE,uBAAuB,CAAC,oBAAoB;oBAC7D,CAAC,CAAC,qEAAqE;oBACvE,CAAC,CAAC,sBAAsB,uBAAuB,CAAC,iBAAiB,CAAC,MAAM,iBAAiB;aAC5F,CAAC,CACH,CAAA;QACH,CAAC;QAED,IAAI,iBAAiB,IAAI,WAAW,EAAE,CAAC;YACrC,eAAe,GAAG,MAAM,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,EAAE;gBAChF,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,iBAAiB;gBACjB,WAAW;aACZ,CAAC,CAAA;YAEF,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAC7B,wEACE,MAAM,CAAC,QACT,8BACE,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,qBACjC,4BAA4B,EAC5B;oBACE,YAAY;iBACb,CACF,CAAA;gBAED,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;oBACE,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;iBAChD,EACD;oBACE,eAAe,EAAE,wEAAwE,MAAM,CAAC,QAAQ,wBAAwB;iBACjI,CACF,CACF,CAAA;YACH,CAAC;YAED,sCAAsC;YACtC,IAAI,MAAA,eAAe,CAAC,aAAa,0CAAE,OAAO,EAAE,CAAC;gBAC3C,IAAI,eAAe,CAAC,aAAa,CAAC,OAAO,KAAK,YAAY,CAAC,GAAG,EAAE,CAAC;oBAC/D,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;wBACE,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;qBAChD,EACD;wBACE,eAAe,EAAE,8GAA8G,eAAe,CAAC,EAAE,6BAA6B;qBAC/K,CACF,CACF,CAAA;gBACH,CAAC;YACH,CAAC;YACD,4BAA4B;iBACvB,IACH,IAAI,CAAC,GAAG,EAAE;gBACV,IAAA,wBAAgB,EAAC,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,2CAA2C,CAAC,CAAC,OAAO,EAAE,EACzG,CAAC;gBACD,eAAe,CAAC,YAAY,GAAG,8BAA8B,CAAA;gBAC7D,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;gBAC5G,MAAM,IAAI,uCAA8B,CAAC;oBACvC,+BAA+B;oBAC/B,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;oBAC/C,iBAAiB,EAAE,iBAAiB;iBACrC,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,eAAe,CAAC,aAAa,mCACxB,eAAe,CAAC,aAAa,KAChC,OAAO,EAAE,YAAY,CAAC,GAAG,GAC1B,CAAA;gBACD,MAAM,yBAAyB,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,4BAA4B,EAAE,CAAC;YAC5D,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAC7B,wEAAwE,MAAM,CAAC,QAAQ,wGAAwG,EAC/L;gBACE,YAAY;aACb,CACF,CAAA;YAED,oFAAoF;YACpF,uFAAuF;YACvF,MAAM,gCAAgC,GAAG,IAAA,0DAAgD,EAAC;gBACxF,wBAAwB,EAAE,IAAA,sDAA6C,EACrE,cAAc,CAAC,gBAAgB,CAAC,mCAAmC,EACnE,MAAA,MAAA,YAAY,CAAC,KAAK,0CAAE,KAAK,CAAC,GAAG,CAAC,mCAAI,EAAE,CACrC;gBACD,aAAa,EAAE,uBAAuB,CAAC,MAAM;aAC9C,CAAC,CAAA;YAEF,IAAI,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/D,OAAO,IAAA,8BAAqB,EAC1B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,wCAA+B,CACjC,+EAA+E,EAC/E;oBACE,MAAM;oBACN,KAAK,EAAE,yBAAgB,CAAC,iBAAiB;iBAC1C,CACF;gBACD,kCAAkC;gBAClC,GAAG,CACJ,CAAA;YACH,CAAC;YAED,eAAe,GAAG,IAAI,2CAA8B,CAAC;gBACnD,sBAAsB,EAAE;oBACtB,4BAA4B,EAAE,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC;oBAC3E,iBAAiB,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;iBACrE;gBACD,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,KAAK,EAAE,6DAA6B,CAAC,yBAAyB;gBAC9D,QAAQ,EAAE,YAAY,CAAC,SAAS;gBAChC,aAAa,EAAE;oBACb,OAAO,EAAE,YAAY,CAAC,GAAG;iBAC1B;aACF,CAAC,CAAA;YAEF,kBAAkB;YAClB,MAAM,yBAAyB,CAAC,IAAI,CAAC,YAAY,EAAE,eAAe,CAAC,CAAA;YACnE,sBAAsB,CAAC,qBAAqB,CAAC,YAAY,EAAE,eAAe,EAAE,IAAI,CAAC,CAAA;QACnF,CAAC;aAAM,IAAI,CAAC,eAAe,EAAE,CAAC;YAC5B,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;gBACE,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;aAChD,EACD;gBACE,eAAe,EAAE,wQAAwQ;aAC1R,CACF,CACF,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,sBAAsB,CAAC,wBAAwB,CAAC,YAAY,EAAE;gBACjG,eAAe;gBACf,iBAAiB;gBACjB,aAAa,EAAE;oBACb,mBAAmB;oBACnB,WAAW,EAAE;wBACX,OAAO,EAAE,YAAY;wBACrB,KAAK,EAAE,WAAW;qBACnB;iBACF;aACF,CAAC,CAAA;YAEF,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAA;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YACD,IAAI,KAAK,YAAY,wCAA+B,EAAE,CAAC;gBACrD,OAAO,IAAA,8BAAqB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACjF,CAAC;YAED,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC"}
|