@credo-ts/openid4vc 0.6.0-pr-2392-20251010173905 → 0.6.0-pr-2457-20251016083534
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/OpenId4VcApi.d.mts +1 -1
- package/build/OpenId4VcApi.d.ts +1 -1
- package/build/OpenId4VcApi.js +2 -2
- package/build/OpenId4VcApi.mjs +2 -2
- package/build/OpenId4VcModule.d.mts +1 -1
- package/build/OpenId4VcModule.d.ts +1 -1
- package/build/OpenId4VcModule.js +2 -2
- package/build/OpenId4VcModule.mjs +2 -2
- package/build/OpenId4VcModuleConfig.js +1 -1
- package/build/OpenId4VcModuleConfig.mjs +1 -1
- package/build/index.d.mts +15 -14
- package/build/index.d.ts +15 -14
- package/build/index.js +22 -15
- package/build/index.mjs +18 -17
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.mts.map +1 -1
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts.map +1 -1
- package/build/openid4vc-holder/OpenId4VcHolderApi.mjs.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderService.d.mts.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderService.d.ts.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderService.js +11 -8
- package/build/openid4vc-holder/OpenId4VciHolderService.mjs +11 -8
- package/build/openid4vc-holder/OpenId4VciHolderService.mjs.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.mts.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs.map +1 -1
- package/build/openid4vc-holder/OpenId4vpHolderService.d.mts.map +1 -1
- package/build/openid4vc-holder/OpenId4vpHolderService.d.ts.map +1 -1
- package/build/openid4vc-holder/OpenId4vpHolderService.js +4 -4
- package/build/openid4vc-holder/OpenId4vpHolderService.mjs +4 -4
- package/build/openid4vc-holder/OpenId4vpHolderService.mjs.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts +5 -214
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts +5 -214
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.js +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.mts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.ts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.js +7 -7
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs +7 -7
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts +8 -218
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +8 -218
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js +18 -18
- package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs +19 -19
- package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.mts +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +1 -1
- package/build/openid4vc-issuer/index.js +2 -2
- package/build/openid4vc-issuer/index.mjs +2 -2
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.js +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.mts.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs.map +1 -1
- package/build/openid4vc-issuer/repository/index.js +2 -2
- package/build/openid4vc-issuer/repository/index.mjs +2 -2
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js +3 -4
- package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs +3 -4
- package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +5 -6
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs +6 -7
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/credentialEndpoint.js +5 -6
- package/build/openid4vc-issuer/router/credentialEndpoint.mjs +5 -6
- package/build/openid4vc-issuer/router/credentialEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.js +2 -4
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs +3 -4
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/deferredCredentialEndpoint.js +2 -4
- package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs +3 -4
- package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/index.js +4 -4
- package/build/openid4vc-issuer/router/index.mjs +4 -4
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/jwksEndpoint.mjs.map +1 -1
- package/build/openid4vc-issuer/router/nonceEndpoint.mjs.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.js +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.mts.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.ts.map +1 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.js +2 -2
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs +2 -2
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs.map +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts +3 -3
- package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts.map +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts +3 -3
- package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts.map +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierService.js +17 -17
- package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs +17 -17
- package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs.map +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.mts +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.ts +1 -1
- package/build/openid4vc-verifier/index.js +3 -3
- package/build/openid4vc-verifier/index.mjs +3 -3
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.mjs.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.mts.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.ts.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.mjs.map +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs +1 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs.map +1 -1
- package/build/openid4vc-verifier/repository/index.js +2 -2
- package/build/openid4vc-verifier/repository/index.mjs +2 -2
- package/build/openid4vc-verifier/router/authorizationEndpoint.js +1 -1
- package/build/openid4vc-verifier/router/authorizationEndpoint.mjs +1 -1
- package/build/openid4vc-verifier/router/authorizationEndpoint.mjs.map +1 -1
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.js +1 -1
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs +1 -1
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs.map +1 -1
- package/build/shared/callbacks.d.mts +46 -0
- package/build/shared/callbacks.d.mts.map +1 -0
- package/build/shared/callbacks.d.ts +46 -0
- package/build/shared/callbacks.d.ts.map +1 -0
- package/build/shared/callbacks.js +5 -1
- package/build/shared/callbacks.mjs +1 -1
- package/build/shared/callbacks.mjs.map +1 -1
- package/build/shared/index.js +2 -1
- package/build/shared/index.mjs +2 -1
- package/build/shared/issuerMetadataUtils.d.mts +2 -258
- package/build/shared/issuerMetadataUtils.d.mts.map +1 -1
- package/build/shared/issuerMetadataUtils.d.ts +2 -258
- package/build/shared/issuerMetadataUtils.d.ts.map +1 -1
- package/build/shared/issuerMetadataUtils.mjs.map +1 -1
- package/build/shared/models/index.d.ts +1 -1
- package/build/shared/router/context.mjs.map +1 -1
- package/build/shared/router/index.js +1 -1
- package/build/shared/router/index.mjs +1 -1
- package/build/shared/router/tenants.mjs.map +1 -1
- package/build/shared/utils.js +0 -8
- package/build/shared/utils.mjs +1 -7
- package/build/shared/utils.mjs.map +1 -1
- package/package.json +8 -8
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerificationSessionRecord.d.ts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"sourcesContent":[],"mappings":";;;;;;
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerificationSessionRecord.d.ts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"sourcesContent":[],"mappings":";;;;;;KAKY,sCAAA,GAAyC,WAAW;KAEpD,6CAAA;EAFA,UAAA,EAAA,MAAA;EAAsC,KAAA,EAIzC,iCAJyC;OAAc,EAAA,MAAA;cAAX,CAAA,EAAA,MAAA;EAAU,uBAAA,CAAA,EAAA,MAAA;EAEnD,sBAAA,CAAA,EAAA,MAAA;EAA6C,gBAAA,CAAA,EAOpC,gBAPoC;;AAOpC,UAGJ,uCAAA,CAHI;EAAgB,EAAA,CAAA,EAAA,MAAA;EAGpB,SAAA,CAAA,EAEH,IAFG;EAAuC,IAAA,CAAA,EAG/C,QAH+C;YAE1C,EAAA,MAAA;OACL,EAGA,iCAHA;cAGA,CAAA,EAAA,MAAA;yBAMuB,CAAA,EAAA,MAAA;yBAInB,CAAA,EAAA,MAAA;wBAEoB,EAAA,MAAA;6BAWb,CAAA,EAjBY,oCAiBZ;EAAgB,gCAAA,CAAA,EAAA,MAAA;EAGvB,SAAA,EAhBA,IAgBA;EAAmC,4BAAA,CAAA,EAdf,qCAce;;;;;mCAiE3B,CAAA,EAAA,MAAA;;;;kBAoDU,EAxHX,gBAwHW;;AAU0C,cA/H5D,kCAAA,SAA2C,UA+HiB,CA/HN,6CA+HM,CAAA,CAAA;;;;;;;;;;SAnHxD;;;;;;;;;;;;gCAesB;;;;;;;;;;;;;;;;;;;;;;;;;;;qBA8BX;;;;;;cAQP;;;;iCAKmB;;;;;;;;;;;;;qBAgBZ;0BAwBK;wBAOF;8BAUM,oCAAoC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerificationSessionRecord.mjs","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"sourcesContent":["import type
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerificationSessionRecord.mjs","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.ts"],"sourcesContent":["import { BaseRecord, CredoError, DateTransformer, Jwt, type RecordTags, type TagsBase, utils } from '@credo-ts/core'\nimport type { OpenId4VpAuthorizationRequestPayload, OpenId4VpAuthorizationResponsePayload } from '../../shared/models'\nimport type { OpenId4VcVerificationSessionState } from '../OpenId4VcVerificationSessionState'\nimport type { OpenId4VpVersion } from '../OpenId4VpVerifierServiceOptions'\n\nexport type OpenId4VcVerificationSessionRecordTags = RecordTags<OpenId4VcVerificationSessionRecord>\n\nexport type DefaultOpenId4VcVerificationSessionRecordTags = {\n verifierId: string\n state: OpenId4VcVerificationSessionState\n nonce: string\n payloadState?: string\n authorizationRequestUri?: string\n authorizationRequestId?: string\n openId4VpVersion?: OpenId4VpVersion\n}\n\nexport interface OpenId4VcVerificationSessionRecordProps {\n id?: string\n createdAt?: Date\n tags?: TagsBase\n\n verifierId: string\n state: OpenId4VcVerificationSessionState\n errorMessage?: string\n\n authorizationRequestJwt?: string\n authorizationRequestUri?: string\n authorizationRequestId: string\n authorizationRequestPayload?: OpenId4VpAuthorizationRequestPayload\n\n authorizationResponseRedirectUri?: string\n\n expiresAt: Date\n\n authorizationResponsePayload?: OpenId4VpAuthorizationResponsePayload\n\n /**\n * Presentation during issuance session. 
This is used when issuance of a credential requires a presentation, and helps\n * prevent session fixation attacks\n */\n presentationDuringIssuanceSession?: string\n\n /**\n * The version of openid4vp used for the request\n */\n openId4VpVersion: OpenId4VpVersion\n}\n\nexport class OpenId4VcVerificationSessionRecord extends BaseRecord<DefaultOpenId4VcVerificationSessionRecordTags> {\n public static readonly type = 'OpenId4VcVerificationSessionRecord'\n public readonly type = OpenId4VcVerificationSessionRecord.type\n\n /**\n * The id of the verifier that this session is for.\n */\n public verifierId!: string\n\n /**\n * The state of the verification session.\n */\n public state!: OpenId4VcVerificationSessionState\n\n /**\n * Optional error message of the error that occurred during the verification session. Will be set when state is {@link OpenId4VcVerificationSessionState.Error}\n */\n public errorMessage?: string\n\n /**\n * The signed JWT containing the authorization request\n */\n public authorizationRequestJwt?: string\n\n /**\n * Authorization request payload. This should be used only for unsigned requests\n */\n public authorizationRequestPayload?: OpenId4VpAuthorizationRequestPayload\n\n /**\n * URI of the authorization request. This is the url that can be used to\n * retrieve the authorization request.\n *\n * Not used for requests with response_mode of dc_api or dc_api.jwt\n */\n public authorizationRequestUri?: string\n\n /**\n * The public id for the authorization request. This is used in the authorization\n * request uri.\n *\n * @since 0.6\n */\n public authorizationRequestId?: string\n\n /**\n * The version of OpenID4VP used.\n *\n * If `v1` is used this is always defined. 
Otherwise it could be both\n * `v1.draft21` or `v1.draft24`.\n *\n * You can detect this based on:\n * - if `client_id_scheme` is defined -> `v1.draft21`\n * - otherwise `v1.draft24`\n *\n * @since 0.6\n */\n public openId4VpVersion?: OpenId4VpVersion\n\n /**\n * The time at which the authorization request expires.\n *\n * @since 0.6\n */\n @DateTransformer()\n public expiresAt?: Date\n\n /**\n * The payload of the received authorization response\n */\n public authorizationResponsePayload?: OpenId4VpAuthorizationResponsePayload\n\n /**\n * Presentation during issuance session. This is used when issuance of a credential requires a presentation, and helps\n * prevent session fixation attacks\n */\n public presentationDuringIssuanceSession?: string\n\n /**\n * Redirect uri that should be used in the authorization response. This will be included in both error and success\n * responses.\n *\n * @since 0.6\n */\n public authorizationResponseRedirectUri?: string\n\n public constructor(props: OpenId4VcVerificationSessionRecordProps) {\n super()\n\n if (props) {\n this.id = props.id ?? utils.uuid()\n this.createdAt = props.createdAt ?? new Date()\n this._tags = props.tags ?? 
{}\n\n this.verifierId = props.verifierId\n this.state = props.state\n this.errorMessage = props.errorMessage\n this.authorizationRequestPayload = props.authorizationRequestPayload\n this.authorizationRequestJwt = props.authorizationRequestJwt\n this.authorizationRequestUri = props.authorizationRequestUri\n this.authorizationRequestId = props.authorizationRequestId\n this.authorizationResponseRedirectUri = props.authorizationResponseRedirectUri\n this.authorizationResponsePayload = props.authorizationResponsePayload\n this.expiresAt = props.expiresAt\n this.openId4VpVersion = props.openId4VpVersion\n\n this.presentationDuringIssuanceSession = props.presentationDuringIssuanceSession\n }\n }\n\n public get request(): string | OpenId4VpAuthorizationRequestPayload {\n if (this.authorizationRequestJwt) return this.authorizationRequestJwt\n if (this.authorizationRequestPayload) return this.authorizationRequestPayload\n\n throw new CredoError('Unable to extract authorization payload from openid4vc session record')\n }\n\n public get requestPayload(): OpenId4VpAuthorizationRequestPayload {\n if (this.authorizationRequestJwt)\n return Jwt.fromSerializedJwt(\n this.authorizationRequestJwt\n ).payload.toJson() as OpenId4VpAuthorizationRequestPayload\n if (this.authorizationRequestPayload) return this.authorizationRequestPayload\n\n throw new CredoError('Unable to extract authorization payload from openid4vc session record')\n }\n\n public assertState(expectedStates: OpenId4VcVerificationSessionState | OpenId4VcVerificationSessionState[]) {\n if (!Array.isArray(expectedStates)) {\n expectedStates = [expectedStates]\n }\n\n if (!expectedStates.includes(this.state)) {\n throw new CredoError(\n `OpenId4VcVerificationSessionRecord is in invalid state ${this.state}. Valid states are: ${expectedStates.join(\n ', '\n )}.`\n )\n }\n }\n\n public getTags() {\n const request = this.requestPayload\n\n const nonce = request.nonce\n const payloadState = 'state' in request ? 
(request.state as string) : undefined\n\n return {\n ...this._tags,\n verifierId: this.verifierId,\n state: this.state,\n nonce,\n payloadState,\n authorizationRequestUri: this.authorizationRequestUri,\n authorizationRequestId: this.authorizationRequestId,\n openId4VpVersion: this.openId4VpVersion,\n }\n }\n}\n"],"mappings":";;;;;;AAiDA,IAAa,qCAAb,MAAa,2CAA2C,WAA0D;CAsFhH,AAAO,YAAY,OAAgD;AACjE,SAAO;OArFO,OAAO,mCAAmC;AAuFxD,MAAI,OAAO;AACT,QAAK,KAAK,MAAM,MAAM,MAAM,MAAM;AAClC,QAAK,YAAY,MAAM,6BAAa,IAAI,MAAM;AAC9C,QAAK,QAAQ,MAAM,QAAQ,EAAE;AAE7B,QAAK,aAAa,MAAM;AACxB,QAAK,QAAQ,MAAM;AACnB,QAAK,eAAe,MAAM;AAC1B,QAAK,8BAA8B,MAAM;AACzC,QAAK,0BAA0B,MAAM;AACrC,QAAK,0BAA0B,MAAM;AACrC,QAAK,yBAAyB,MAAM;AACpC,QAAK,mCAAmC,MAAM;AAC9C,QAAK,+BAA+B,MAAM;AAC1C,QAAK,YAAY,MAAM;AACvB,QAAK,mBAAmB,MAAM;AAE9B,QAAK,oCAAoC,MAAM;;;CAInD,IAAW,UAAyD;AAClE,MAAI,KAAK,wBAAyB,QAAO,KAAK;AAC9C,MAAI,KAAK,4BAA6B,QAAO,KAAK;AAElD,QAAM,IAAI,WAAW,wEAAwE;;CAG/F,IAAW,iBAAuD;AAChE,MAAI,KAAK,wBACP,QAAO,IAAI,kBACT,KAAK,wBACN,CAAC,QAAQ,QAAQ;AACpB,MAAI,KAAK,4BAA6B,QAAO,KAAK;AAElD,QAAM,IAAI,WAAW,wEAAwE;;CAG/F,AAAO,YAAY,gBAAyF;AAC1G,MAAI,CAAC,MAAM,QAAQ,eAAe,CAChC,kBAAiB,CAAC,eAAe;AAGnC,MAAI,CAAC,eAAe,SAAS,KAAK,MAAM,CACtC,OAAM,IAAI,WACR,0DAA0D,KAAK,MAAM,sBAAsB,eAAe,KACxG,KACD,CAAC,GACH;;CAIL,AAAO,UAAU;EACf,MAAM,UAAU,KAAK;EAErB,MAAM,QAAQ,QAAQ;EACtB,MAAM,eAAe,WAAW,UAAW,QAAQ,QAAmB;AAEtE,SAAO;GACL,GAAG,KAAK;GACR,YAAY,KAAK;GACjB,OAAO,KAAK;GACZ;GACA;GACA,yBAAyB,KAAK;GAC9B,wBAAwB,KAAK;GAC7B,kBAAkB,KAAK;GACxB;;;mCA3JoB,OAAO;YA+D7B,iBAAiB"}
|
|
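--- a/package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js
+++ b/package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js
@@ -1,8 +1,8 @@
 const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 const require_decorateMetadata = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.js');
-const require_decorateParam = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
 const require_decorate = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.js');
 const require_OpenId4VcVerificationSessionRecord = require('./OpenId4VcVerificationSessionRecord.js');
+const require_decorateParam = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
 let __credo_ts_core = require("@credo-ts/core");
 __credo_ts_core = require_rolldown_runtime.__toESM(__credo_ts_core);
 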
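--- a/package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs
+++ b/package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs
@@ -1,7 +1,7 @@
 import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.mjs";
-import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
 import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.mjs";
 import { OpenId4VcVerificationSessionRecord } from "./OpenId4VcVerificationSessionRecord.mjs";
+import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
 import { EventEmitter, InjectionSymbols, Repository, inject, injectable } from "@credo-ts/core";
 
 //#region src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.ts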
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerificationSessionRepository.mjs","names":["OpenId4VcVerificationSessionRepository","storageService: StorageService<OpenId4VcVerificationSessionRecord>"],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.ts"],"sourcesContent":["import { EventEmitter, InjectionSymbols, Repository, type StorageService
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerificationSessionRepository.mjs","names":["OpenId4VcVerificationSessionRepository","storageService: StorageService<OpenId4VcVerificationSessionRecord>"],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.ts"],"sourcesContent":["import { EventEmitter, InjectionSymbols, inject, injectable, Repository, type StorageService } from '@credo-ts/core'\n\nimport { OpenId4VcVerificationSessionRecord } from './OpenId4VcVerificationSessionRecord'\n\n@injectable()\nexport class OpenId4VcVerificationSessionRepository extends Repository<OpenId4VcVerificationSessionRecord> {\n public constructor(\n @inject(InjectionSymbols.StorageService) storageService: StorageService<OpenId4VcVerificationSessionRecord>,\n eventEmitter: EventEmitter\n ) {\n super(OpenId4VcVerificationSessionRecord, storageService, eventEmitter)\n }\n}\n"],"mappings":";;;;;;;;AAKO,mDAAMA,iDAA+C,WAA+C;CACzG,AAAO,YACL,AAAyCC,gBACzC,cACA;AACA,QAAM,oCAAoC,gBAAgB,aAAa;;;;CAN1E,YAAY;oBAGR,OAAO,iBAAiB,eAAe"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerifierRecord.d.mts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"sourcesContent":[],"mappings":";;;;
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerifierRecord.d.mts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"sourcesContent":[],"mappings":";;;;KAIY,2BAAA,GAA8B,WAAW;AAAzC,KAEA,kCAAA,GAF2B;EAAA,UAAA,EAAA,MAAA;;AAAG,UAMzB,4BAAA,CANyB;EAAU,EAAA,CAAA,EAAA,MAAA;EAExC,SAAA,CAAA,EAME,IANF;EAIK,IAAA,CAAA,EAGR,QAHQ;EAA4B,UAAA,EAAA,MAAA;gBAE/B,CAAA,EAKK,+BALL;;;;AAad;;;AAK0B,cALb,uBAAA,SAAgC,UAKnB,CAL8B,kCAK9B,CAAA,CAAA;kBAEE,IAAA,GAAA,yBAAA;WAPiB,IAAA,GAAA,yBAAA;EAAU,UAAA,EAAA,MAAA;mBAK7B;qBAEE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerifierRecord.d.ts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"sourcesContent":[],"mappings":";;;;
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerifierRecord.d.ts","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"sourcesContent":[],"mappings":";;;;KAIY,2BAAA,GAA8B,WAAW;AAAzC,KAEA,kCAAA,GAF2B;EAAA,UAAA,EAAA,MAAA;;AAAG,UAMzB,4BAAA,CANyB;EAAU,EAAA,CAAA,EAAA,MAAA;EAExC,SAAA,CAAA,EAME,IANF;EAIK,IAAA,CAAA,EAGR,QAHQ;EAA4B,UAAA,EAAA,MAAA;gBAE/B,CAAA,EAKK,+BALL;;;;AAad;;;AAK0B,cALb,uBAAA,SAAgC,UAKnB,CAL8B,kCAK9B,CAAA,CAAA;kBAEE,IAAA,GAAA,yBAAA;WAPiB,IAAA,GAAA,yBAAA;EAAU,UAAA,EAAA,MAAA;mBAK7B;qBAEE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerifierRecord.mjs","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"sourcesContent":["import type { RecordTags, TagsBase } from '@credo-ts/core'\nimport
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerifierRecord.mjs","names":[],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRecord.ts"],"sourcesContent":["import type { RecordTags, TagsBase } from '@credo-ts/core'\nimport { BaseRecord, utils } from '@credo-ts/core'\nimport type { OpenId4VpVerifierClientMetadata } from '../OpenId4VpVerifierServiceOptions'\n\nexport type OpenId4VcVerifierRecordTags = RecordTags<OpenId4VcVerifierRecord>\n\nexport type DefaultOpenId4VcVerifierRecordTags = {\n verifierId: string\n}\n\nexport interface OpenId4VcVerifierRecordProps {\n id?: string\n createdAt?: Date\n tags?: TagsBase\n\n verifierId: string\n\n clientMetadata?: OpenId4VpVerifierClientMetadata\n}\n\n/**\n * For OID4VC you need to expos metadata files. Each issuer needs to host this metadata. This is not the case for DIDComm where we can just have one /didcomm endpoint.\n * So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints\n * and metadata files\n * */\nexport class OpenId4VcVerifierRecord extends BaseRecord<DefaultOpenId4VcVerifierRecordTags> {\n public static readonly type = 'OpenId4VcVerifierRecord'\n public readonly type = OpenId4VcVerifierRecord.type\n\n public verifierId!: string\n public clientMetadata?: OpenId4VpVerifierClientMetadata\n\n public constructor(props: OpenId4VcVerifierRecordProps) {\n super()\n\n if (props) {\n this.id = props.id ?? utils.uuid()\n this.createdAt = props.createdAt ?? new Date()\n this._tags = props.tags ?? 
{}\n\n this.verifierId = props.verifierId\n this.clientMetadata = props.clientMetadata\n }\n }\n\n public getTags() {\n return {\n ...this._tags,\n verifierId: this.verifierId,\n }\n }\n}\n"],"mappings":";;;;;;;;AAyBA,IAAa,0BAAb,MAAa,gCAAgC,WAA+C;CAO1F,AAAO,YAAY,OAAqC;AACtD,SAAO;OANO,OAAO,wBAAwB;AAQ7C,MAAI,OAAO;AACT,QAAK,KAAK,MAAM,MAAM,MAAM,MAAM;AAClC,QAAK,YAAY,MAAM,6BAAa,IAAI,MAAM;AAC9C,QAAK,QAAQ,MAAM,QAAQ,EAAE;AAE7B,QAAK,aAAa,MAAM;AACxB,QAAK,iBAAiB,MAAM;;;CAIhC,AAAO,UAAU;AACf,SAAO;GACL,GAAG,KAAK;GACR,YAAY,KAAK;GAClB;;;wBAvBoB,OAAO"}
|
|
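--- a/package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js
+++ b/package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js
@@ -1,7 +1,7 @@
 const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 const require_decorateMetadata = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.js');
-const require_decorateParam = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
 const require_decorate = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.js');
+const require_decorateParam = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
 const require_OpenId4VcVerifierRecord = require('./OpenId4VcVerifierRecord.js');
 let __credo_ts_core = require("@credo-ts/core");
 __credo_ts_core = require_rolldown_runtime.__toESM(__credo_ts_core);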
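--- a/package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs
+++ b/package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs
@@ -1,6 +1,6 @@
 import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.mjs";
-import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
 import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.mjs";
+import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
 import { OpenId4VcVerifierRecord } from "./OpenId4VcVerifierRecord.mjs";
 import { EventEmitter, InjectionSymbols, Repository, inject, injectable } from "@credo-ts/core";
 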
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OpenId4VcVerifierRepository.mjs","names":["OpenId4VcVerifierRepository","storageService: StorageService<OpenId4VcVerifierRecord>"],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRepository.ts"],"sourcesContent":["import type { AgentContext } from '@credo-ts/core'\n\nimport { EventEmitter, InjectionSymbols, Repository, type StorageService
|
|
1
|
+
{"version":3,"file":"OpenId4VcVerifierRepository.mjs","names":["OpenId4VcVerifierRepository","storageService: StorageService<OpenId4VcVerifierRecord>"],"sources":["../../../src/openid4vc-verifier/repository/OpenId4VcVerifierRepository.ts"],"sourcesContent":["import type { AgentContext } from '@credo-ts/core'\n\nimport { EventEmitter, InjectionSymbols, inject, injectable, Repository, type StorageService } from '@credo-ts/core'\n\nimport { OpenId4VcVerifierRecord } from './OpenId4VcVerifierRecord'\n\n@injectable()\nexport class OpenId4VcVerifierRepository extends Repository<OpenId4VcVerifierRecord> {\n public constructor(\n @inject(InjectionSymbols.StorageService) storageService: StorageService<OpenId4VcVerifierRecord>,\n eventEmitter: EventEmitter\n ) {\n super(OpenId4VcVerifierRecord, storageService, eventEmitter)\n }\n\n public findByVerifierId(agentContext: AgentContext, verifierId: string) {\n return this.findSingleByQuery(agentContext, { verifierId })\n }\n\n public getByVerifierId(agentContext: AgentContext, verifierId: string) {\n return this.getSingleByQuery(agentContext, { verifierId })\n }\n}\n"],"mappings":";;;;;;;;AAOO,wCAAMA,sCAAoC,WAAoC;CACnF,AAAO,YACL,AAAyCC,gBACzC,cACA;AACA,QAAM,yBAAyB,gBAAgB,aAAa;;CAG9D,AAAO,iBAAiB,cAA4B,YAAoB;AACtE,SAAO,KAAK,kBAAkB,cAAc,EAAE,YAAY,CAAC;;CAG7D,AAAO,gBAAgB,cAA4B,YAAoB;AACrE,SAAO,KAAK,iBAAiB,cAAc,EAAE,YAAY,CAAC;;;;CAd7D,YAAY;oBAGR,OAAO,iBAAiB,eAAe"}
|
|
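--- a/package/build/openid4vc-verifier/repository/index.js
+++ b/package/build/openid4vc-verifier/repository/index.js
@@ -1,4 +1,4 @@
-const require_OpenId4VcVerifierRecord = require('./OpenId4VcVerifierRecord.js');
-const require_OpenId4VcVerifierRepository = require('./OpenId4VcVerifierRepository.js');
 const require_OpenId4VcVerificationSessionRecord = require('./OpenId4VcVerificationSessionRecord.js');
 const require_OpenId4VcVerificationSessionRepository = require('./OpenId4VcVerificationSessionRepository.js');
+const require_OpenId4VcVerifierRecord = require('./OpenId4VcVerifierRecord.js');
+const require_OpenId4VcVerifierRepository = require('./OpenId4VcVerifierRepository.js');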
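--- a/package/build/openid4vc-verifier/repository/index.mjs
+++ b/package/build/openid4vc-verifier/repository/index.mjs
@@ -1,4 +1,4 @@
-import { OpenId4VcVerifierRecord } from "./OpenId4VcVerifierRecord.mjs";
-import { OpenId4VcVerifierRepository } from "./OpenId4VcVerifierRepository.mjs";
 import { OpenId4VcVerificationSessionRecord } from "./OpenId4VcVerificationSessionRecord.mjs";
 import { OpenId4VcVerificationSessionRepository } from "./OpenId4VcVerificationSessionRepository.mjs";
+import { OpenId4VcVerifierRecord } from "./OpenId4VcVerifierRecord.mjs";
+import { OpenId4VcVerifierRepository } from "./OpenId4VcVerifierRepository.mjs";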
@@ -19,7 +19,7 @@ function configureAuthorizationEndpoint(router, config) {
|
|
|
19
19
|
router.post(config.authorizationEndpoint, async (request, response, next) => {
|
|
20
20
|
const { agentContext, verifier } = require_context.getRequestContext(request);
|
|
21
21
|
const openId4VcVerifierService = agentContext.dependencyManager.resolve(require_OpenId4VpVerifierService.OpenId4VpVerifierService);
|
|
22
|
-
let authorizationResponseRedirectUri
|
|
22
|
+
let authorizationResponseRedirectUri;
|
|
23
23
|
try {
|
|
24
24
|
const result = await getVerificationSession(agentContext, request, response, next, verifier);
|
|
25
25
|
if (!result.success) return;
|
|
@@ -14,7 +14,7 @@ function configureAuthorizationEndpoint(router, config) {
|
|
|
14
14
|
router.post(config.authorizationEndpoint, async (request, response, next) => {
|
|
15
15
|
const { agentContext, verifier } = getRequestContext(request);
|
|
16
16
|
const openId4VcVerifierService = agentContext.dependencyManager.resolve(OpenId4VpVerifierService);
|
|
17
|
-
let authorizationResponseRedirectUri
|
|
17
|
+
let authorizationResponseRedirectUri;
|
|
18
18
|
try {
|
|
19
19
|
const result = await getVerificationSession(agentContext, request, response, next, verifier);
|
|
20
20
|
if (!result.success) return;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorizationEndpoint.mjs","names":["authorizationResponseRedirectUri: string | undefined"],"sources":["../../../src/openid4vc-verifier/router/authorizationEndpoint.ts"],"sourcesContent":["import type { NextFunction, Request, Response, Router } from 'express'\nimport type { OpenId4VcVerificationRequest } from './requestContext'\n\nimport { Oauth2ErrorCodes, Oauth2ServerErrorResponseError, decodeJwtHeader } from '@openid4vc/oauth2'\n\nimport { AgentContext, TypedArrayEncoder } from '@credo-ts/core'\n// FIXME: export parseOpenid4VpAuthorizationResponsePayload from openid4vp\nimport { zOpenid4vpAuthorizationResponse } from '@openid4vc/openid4vp'\nimport {\n getRequestContext,\n sendErrorResponse,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VpVerifierService } from '../OpenId4VpVerifierService'\nimport {\n OpenId4VcVerificationSessionRecord,\n OpenId4VcVerificationSessionRepository,\n OpenId4VcVerifierRecord,\n} from '../repository'\n\nimport { ValidationError } from '@openid4vc/utils'\nimport { OpenId4VcVerifierModuleConfig } from '../OpenId4VcVerifierModuleConfig'\n\nexport function configureAuthorizationEndpoint(router: Router, config: OpenId4VcVerifierModuleConfig) {\n router.post(config.authorizationEndpoint, async (request: OpenId4VcVerificationRequest, response: Response, next) => {\n const { agentContext, verifier } = getRequestContext(request)\n const openId4VcVerifierService = agentContext.dependencyManager.resolve(OpenId4VpVerifierService)\n\n let authorizationResponseRedirectUri: string | undefined = undefined\n\n try {\n const result = await getVerificationSession(agentContext, request, response, next, verifier)\n\n // Response already handled in the method\n if (!result.success) return\n\n authorizationResponseRedirectUri = result.verificationSession.authorizationResponseRedirectUri\n\n const { verificationSession } = await 
openId4VcVerifierService.verifyAuthorizationResponse(agentContext, {\n authorizationResponse: request.body,\n verificationSession: result.verificationSession,\n })\n\n return sendJsonResponse(response, next, {\n // Used only for presentation during issuance flow, to prevent session fixation.\n presentation_during_issuance_session: verificationSession.presentationDuringIssuanceSession,\n\n redirect_uri: verificationSession.authorizationResponseRedirectUri,\n })\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n error.errorResponse.redirect_uri = authorizationResponseRedirectUri\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n\n // FIXME: should throw a Oauth2ServerErrorResponseError in the oid4vp library\n if (error instanceof ValidationError) {\n return sendOauth2ErrorResponse(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: error.message,\n redirect_uri: authorizationResponseRedirectUri,\n },\n { cause: error }\n )\n )\n }\n\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error, {\n redirect_uri: authorizationResponseRedirectUri,\n })\n }\n })\n}\n\nasync function getVerificationSession(\n agentContext: AgentContext,\n request: Request,\n response: Response,\n next: NextFunction,\n verifier: OpenId4VcVerifierRecord\n): Promise<{ success: true; verificationSession: OpenId4VcVerificationSessionRecord } | { success: false }> {\n const openId4VcVerificationSessionRepository = agentContext.dependencyManager.resolve(\n OpenId4VcVerificationSessionRepository\n )\n\n try {\n if (request.query.session) {\n if (typeof request.query.session !== 'string') {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Unexpected value for 'session' query param`\n )\n return { success: false }\n }\n\n const 
verificationSession = await openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {\n verifierId: verifier.verifierId,\n authorizationRequestId: request.query.session,\n })\n\n if (!verificationSession) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Invalid 'session' parameter`\n )\n return { success: false }\n }\n\n return { success: true, verificationSession }\n }\n\n const parsedResponse = zOpenid4vpAuthorizationResponse.safeParse(request.body)\n if (parsedResponse.success) {\n if (!parsedResponse.data.state) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Missing required 'state' parameter in response without response encryption`\n )\n return { success: false }\n }\n\n const verificationSession = await openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {\n payloadState: parsedResponse.data.state,\n verifierId: verifier.verifierId,\n })\n\n if (!verificationSession) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Invalid 'state' parameter`\n )\n return { success: false }\n }\n\n return { success: true, verificationSession }\n }\n\n // Try extracting apv (request nonce), which is used in encrypted responses (for ISO 18013-7/before draft 24)\n if (typeof request.body === 'object' && 'response' in request.body) {\n const { header } = decodeJwtHeader({\n jwt: request.body.response,\n })\n\n if (!header.apv) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Missing 'session' query param or 'apv' value in header of encrypted JARM response.`\n )\n return { success: false }\n }\n\n if (typeof header.apv !== 'string') {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `'apv' value in header of 
encrypted JARM response is not of type string.`\n )\n return { success: false }\n }\n\n const nonce = TypedArrayEncoder.toUtf8String(TypedArrayEncoder.fromBase64(header.apv))\n const verificationSession = await openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {\n nonce,\n verifierId: verifier.verifierId,\n })\n\n if (!verificationSession) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Invalid 'apv' parameter`\n )\n return { success: false }\n }\n\n return { success: true, verificationSession }\n }\n\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n 'Invalid response'\n )\n return { success: false }\n } catch (error) {\n sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n return { success: false }\n }\n}\n"],"mappings":";;;;;;;;;;;;AAyBA,SAAgB,+BAA+B,QAAgB,QAAuC;AACpG,QAAO,KAAK,OAAO,uBAAuB,OAAO,SAAuC,UAAoB,SAAS;EACnH,MAAM,EAAE,cAAc,aAAa,kBAAkB,QAAQ;EAC7D,MAAM,2BAA2B,aAAa,kBAAkB,QAAQ,yBAAyB;EAEjG,IAAIA,mCAAuD;AAE3D,MAAI;GACF,MAAM,SAAS,MAAM,uBAAuB,cAAc,SAAS,UAAU,MAAM,SAAS;AAG5F,OAAI,CAAC,OAAO,QAAS;AAErB,sCAAmC,OAAO,oBAAoB;GAE9D,MAAM,EAAE,wBAAwB,MAAM,yBAAyB,4BAA4B,cAAc;IACvG,uBAAuB,QAAQ;IAC/B,qBAAqB,OAAO;IAC7B,CAAC;AAEF,UAAO,iBAAiB,UAAU,MAAM;IAEtC,sCAAsC,oBAAoB;IAE1D,cAAc,oBAAoB;IACnC,CAAC;WACK,OAAO;AACd,OAAI,iBAAiB,gCAAgC;AACnD,UAAM,cAAc,eAAe;AACnC,WAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;AAInF,OAAI,iBAAiB,gBACnB,QAAO,wBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,+BACF;IACE,OAAO,iBAAiB;IACxB,mBAAmB,MAAM;IACzB,cAAc;IACf,EACD,EAAE,OAAO,OAAO,CACjB,CACF;AAGH,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,OAAO,EACvF,cAAc,kCACf,CAAC;;GAEJ;;AAGJ,eAAe,uBACb,cACA,SACA,UACA,MACA,UAC0G;CAC1G,MAAM,yCAAyC,aAAa,kBAAkB,QAC5E,uCACD;AAED,KAAI;AACF,MAAI,QAAQ,MAAM,SAAS;AACzB,OAAI,OAAO,QAAQ,MAAM,YAAY,UAAU;AAC7C,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,6CACD;AACD,WAAO,EAAE,SAAS,OAAO;;GAG3B,MAAM,sBAAsB,MAAM,uCA
AuC,kBAAkB,cAAc;IACvG,YAAY,SAAS;IACrB,wBAAwB,QAAQ,MAAM;IACvC,CAAC;AAEF,OAAI,CAAC,qBAAqB;AACxB,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,8BACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,UAAO;IAAE,SAAS;IAAM;IAAqB;;EAG/C,MAAM,iBAAiB,gCAAgC,UAAU,QAAQ,KAAK;AAC9E,MAAI,eAAe,SAAS;AAC1B,OAAI,CAAC,eAAe,KAAK,OAAO;AAC9B,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,6EACD;AACD,WAAO,EAAE,SAAS,OAAO;;GAG3B,MAAM,sBAAsB,MAAM,uCAAuC,kBAAkB,cAAc;IACvG,cAAc,eAAe,KAAK;IAClC,YAAY,SAAS;IACtB,CAAC;AAEF,OAAI,CAAC,qBAAqB;AACxB,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,4BACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,UAAO;IAAE,SAAS;IAAM;IAAqB;;AAI/C,MAAI,OAAO,QAAQ,SAAS,YAAY,cAAc,QAAQ,MAAM;GAClE,MAAM,EAAE,WAAW,gBAAgB,EACjC,KAAK,QAAQ,KAAK,UACnB,CAAC;AAEF,OAAI,CAAC,OAAO,KAAK;AACf,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,qFACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,OAAI,OAAO,OAAO,QAAQ,UAAU;AAClC,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,0EACD;AACD,WAAO,EAAE,SAAS,OAAO;;GAG3B,MAAM,QAAQ,kBAAkB,aAAa,kBAAkB,WAAW,OAAO,IAAI,CAAC;GACtF,MAAM,sBAAsB,MAAM,uCAAuC,kBAAkB,cAAc;IACvG;IACA,YAAY,SAAS;IACtB,CAAC;AAEF,OAAI,CAAC,qBAAqB;AACxB,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,0BACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,UAAO;IAAE,SAAS;IAAM;IAAqB;;AAG/C,oBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,mBACD;AACD,SAAO,EAAE,SAAS,OAAO;UAClB,OAAO;AACd,iCAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AACjF,SAAO,EAAE,SAAS,OAAO"}
|
|
1
|
+
{"version":3,"file":"authorizationEndpoint.mjs","names":["authorizationResponseRedirectUri: string | undefined"],"sources":["../../../src/openid4vc-verifier/router/authorizationEndpoint.ts"],"sourcesContent":["import { AgentContext, TypedArrayEncoder } from '@credo-ts/core'\nimport { decodeJwtHeader, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\n// FIXME: export parseOpenid4VpAuthorizationResponsePayload from openid4vp\nimport { zOpenid4vpAuthorizationResponse } from '@openid4vc/openid4vp'\nimport { ValidationError } from '@openid4vc/utils'\nimport type { NextFunction, Request, Response, Router } from 'express'\nimport {\n getRequestContext,\n sendErrorResponse,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcVerifierModuleConfig } from '../OpenId4VcVerifierModuleConfig'\nimport { OpenId4VpVerifierService } from '../OpenId4VpVerifierService'\nimport {\n OpenId4VcVerificationSessionRecord,\n OpenId4VcVerificationSessionRepository,\n OpenId4VcVerifierRecord,\n} from '../repository'\nimport type { OpenId4VcVerificationRequest } from './requestContext'\n\nexport function configureAuthorizationEndpoint(router: Router, config: OpenId4VcVerifierModuleConfig) {\n router.post(config.authorizationEndpoint, async (request: OpenId4VcVerificationRequest, response: Response, next) => {\n const { agentContext, verifier } = getRequestContext(request)\n const openId4VcVerifierService = agentContext.dependencyManager.resolve(OpenId4VpVerifierService)\n\n let authorizationResponseRedirectUri: string | undefined\n\n try {\n const result = await getVerificationSession(agentContext, request, response, next, verifier)\n\n // Response already handled in the method\n if (!result.success) return\n\n authorizationResponseRedirectUri = result.verificationSession.authorizationResponseRedirectUri\n\n const { verificationSession } = await 
openId4VcVerifierService.verifyAuthorizationResponse(agentContext, {\n authorizationResponse: request.body,\n verificationSession: result.verificationSession,\n })\n\n return sendJsonResponse(response, next, {\n // Used only for presentation during issuance flow, to prevent session fixation.\n presentation_during_issuance_session: verificationSession.presentationDuringIssuanceSession,\n\n redirect_uri: verificationSession.authorizationResponseRedirectUri,\n })\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n error.errorResponse.redirect_uri = authorizationResponseRedirectUri\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n\n // FIXME: should throw a Oauth2ServerErrorResponseError in the oid4vp library\n if (error instanceof ValidationError) {\n return sendOauth2ErrorResponse(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: error.message,\n redirect_uri: authorizationResponseRedirectUri,\n },\n { cause: error }\n )\n )\n }\n\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error, {\n redirect_uri: authorizationResponseRedirectUri,\n })\n }\n })\n}\n\nasync function getVerificationSession(\n agentContext: AgentContext,\n request: Request,\n response: Response,\n next: NextFunction,\n verifier: OpenId4VcVerifierRecord\n): Promise<{ success: true; verificationSession: OpenId4VcVerificationSessionRecord } | { success: false }> {\n const openId4VcVerificationSessionRepository = agentContext.dependencyManager.resolve(\n OpenId4VcVerificationSessionRepository\n )\n\n try {\n if (request.query.session) {\n if (typeof request.query.session !== 'string') {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Unexpected value for 'session' query param`\n )\n return { success: false }\n }\n\n const 
verificationSession = await openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {\n verifierId: verifier.verifierId,\n authorizationRequestId: request.query.session,\n })\n\n if (!verificationSession) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Invalid 'session' parameter`\n )\n return { success: false }\n }\n\n return { success: true, verificationSession }\n }\n\n const parsedResponse = zOpenid4vpAuthorizationResponse.safeParse(request.body)\n if (parsedResponse.success) {\n if (!parsedResponse.data.state) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Missing required 'state' parameter in response without response encryption`\n )\n return { success: false }\n }\n\n const verificationSession = await openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {\n payloadState: parsedResponse.data.state,\n verifierId: verifier.verifierId,\n })\n\n if (!verificationSession) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Invalid 'state' parameter`\n )\n return { success: false }\n }\n\n return { success: true, verificationSession }\n }\n\n // Try extracting apv (request nonce), which is used in encrypted responses (for ISO 18013-7/before draft 24)\n if (typeof request.body === 'object' && 'response' in request.body) {\n const { header } = decodeJwtHeader({\n jwt: request.body.response,\n })\n\n if (!header.apv) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Missing 'session' query param or 'apv' value in header of encrypted JARM response.`\n )\n return { success: false }\n }\n\n if (typeof header.apv !== 'string') {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `'apv' value in header of 
encrypted JARM response is not of type string.`\n )\n return { success: false }\n }\n\n const nonce = TypedArrayEncoder.toUtf8String(TypedArrayEncoder.fromBase64(header.apv))\n const verificationSession = await openId4VcVerificationSessionRepository.findSingleByQuery(agentContext, {\n nonce,\n verifierId: verifier.verifierId,\n })\n\n if (!verificationSession) {\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n `Invalid 'apv' parameter`\n )\n return { success: false }\n }\n\n return { success: true, verificationSession }\n }\n\n sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n Oauth2ErrorCodes.InvalidRequest,\n 'Invalid response'\n )\n return { success: false }\n } catch (error) {\n sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n return { success: false }\n }\n}\n"],"mappings":";;;;;;;;;;;;AAsBA,SAAgB,+BAA+B,QAAgB,QAAuC;AACpG,QAAO,KAAK,OAAO,uBAAuB,OAAO,SAAuC,UAAoB,SAAS;EACnH,MAAM,EAAE,cAAc,aAAa,kBAAkB,QAAQ;EAC7D,MAAM,2BAA2B,aAAa,kBAAkB,QAAQ,yBAAyB;EAEjG,IAAIA;AAEJ,MAAI;GACF,MAAM,SAAS,MAAM,uBAAuB,cAAc,SAAS,UAAU,MAAM,SAAS;AAG5F,OAAI,CAAC,OAAO,QAAS;AAErB,sCAAmC,OAAO,oBAAoB;GAE9D,MAAM,EAAE,wBAAwB,MAAM,yBAAyB,4BAA4B,cAAc;IACvG,uBAAuB,QAAQ;IAC/B,qBAAqB,OAAO;IAC7B,CAAC;AAEF,UAAO,iBAAiB,UAAU,MAAM;IAEtC,sCAAsC,oBAAoB;IAE1D,cAAc,oBAAoB;IACnC,CAAC;WACK,OAAO;AACd,OAAI,iBAAiB,gCAAgC;AACnD,UAAM,cAAc,eAAe;AACnC,WAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;AAInF,OAAI,iBAAiB,gBACnB,QAAO,wBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,+BACF;IACE,OAAO,iBAAiB;IACxB,mBAAmB,MAAM;IACzB,cAAc;IACf,EACD,EAAE,OAAO,OAAO,CACjB,CACF;AAGH,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,OAAO,EACvF,cAAc,kCACf,CAAC;;GAEJ;;AAGJ,eAAe,uBACb,cACA,SACA,UACA,MACA,UAC0G;CAC1G,MAAM,yCAAyC,aAAa,kBAAkB,QAC5E,uCACD;AAED,KAAI;AACF,MAAI,QAAQ,MAAM,SAAS;AACzB,OAAI,OAAO,QAAQ,MAAM,YAAY,UAAU;AAC7C,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,6CACD;AACD,WAAO,EAAE,SAAS,OAAO;;GAG3B,MAAM,sBAAsB,MAAM,uCAAuC,kBAA
kB,cAAc;IACvG,YAAY,SAAS;IACrB,wBAAwB,QAAQ,MAAM;IACvC,CAAC;AAEF,OAAI,CAAC,qBAAqB;AACxB,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,8BACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,UAAO;IAAE,SAAS;IAAM;IAAqB;;EAG/C,MAAM,iBAAiB,gCAAgC,UAAU,QAAQ,KAAK;AAC9E,MAAI,eAAe,SAAS;AAC1B,OAAI,CAAC,eAAe,KAAK,OAAO;AAC9B,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,6EACD;AACD,WAAO,EAAE,SAAS,OAAO;;GAG3B,MAAM,sBAAsB,MAAM,uCAAuC,kBAAkB,cAAc;IACvG,cAAc,eAAe,KAAK;IAClC,YAAY,SAAS;IACtB,CAAC;AAEF,OAAI,CAAC,qBAAqB;AACxB,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,4BACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,UAAO;IAAE,SAAS;IAAM;IAAqB;;AAI/C,MAAI,OAAO,QAAQ,SAAS,YAAY,cAAc,QAAQ,MAAM;GAClE,MAAM,EAAE,WAAW,gBAAgB,EACjC,KAAK,QAAQ,KAAK,UACnB,CAAC;AAEF,OAAI,CAAC,OAAO,KAAK;AACf,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,qFACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,OAAI,OAAO,OAAO,QAAQ,UAAU;AAClC,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,0EACD;AACD,WAAO,EAAE,SAAS,OAAO;;GAG3B,MAAM,QAAQ,kBAAkB,aAAa,kBAAkB,WAAW,OAAO,IAAI,CAAC;GACtF,MAAM,sBAAsB,MAAM,uCAAuC,kBAAkB,cAAc;IACvG;IACA,YAAY,SAAS;IACtB,CAAC;AAEF,OAAI,CAAC,qBAAqB;AACxB,sBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,0BACD;AACD,WAAO,EAAE,SAAS,OAAO;;AAG3B,UAAO;IAAE,SAAS;IAAM;IAAqB;;AAG/C,oBACE,UACA,MACA,aAAa,OAAO,QACpB,KACA,iBAAiB,gBACjB,mBACD;AACD,SAAO,EAAE,SAAS,OAAO;UAClB,OAAO;AACd,iCAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AACjF,SAAO,EAAE,SAAS,OAAO"}
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
|
|
2
2
|
const require_context = require('../../shared/router/context.js');
|
|
3
3
|
require('../../shared/router/index.js');
|
|
4
|
-
const require_OpenId4VcVerifierModuleConfig = require('../OpenId4VcVerifierModuleConfig.js');
|
|
5
4
|
const require_OpenId4VcVerificationSessionState = require('../OpenId4VcVerificationSessionState.js');
|
|
5
|
+
const require_OpenId4VcVerifierModuleConfig = require('../OpenId4VcVerifierModuleConfig.js');
|
|
6
6
|
const require_OpenId4VpVerifierService = require('../OpenId4VpVerifierService.js');
|
|
7
7
|
let __credo_ts_core = require("@credo-ts/core");
|
|
8
8
|
__credo_ts_core = require_rolldown_runtime.__toESM(__credo_ts_core);
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { getRequestContext, sendErrorResponse, sendNotFoundResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
|
|
2
2
|
import "../../shared/router/index.mjs";
|
|
3
|
-
import { OpenId4VcVerifierModuleConfig } from "../OpenId4VcVerifierModuleConfig.mjs";
|
|
4
3
|
import { OpenId4VcVerificationSessionState } from "../OpenId4VcVerificationSessionState.mjs";
|
|
4
|
+
import { OpenId4VcVerifierModuleConfig } from "../OpenId4VcVerifierModuleConfig.mjs";
|
|
5
5
|
import { OpenId4VpVerifierService } from "../OpenId4VpVerifierService.mjs";
|
|
6
6
|
import { joinUriParts } from "@credo-ts/core";
|
|
7
7
|
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorizationRequestEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-verifier/router/authorizationRequestEndpoint.ts"],"sourcesContent":["import
|
|
1
|
+
{"version":3,"file":"authorizationRequestEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-verifier/router/authorizationRequestEndpoint.ts"],"sourcesContent":["import { joinUriParts } from '@credo-ts/core'\nimport type { Response, Router } from 'express'\nimport {\n getRequestContext,\n sendErrorResponse,\n sendNotFoundResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcVerificationSessionState } from '../OpenId4VcVerificationSessionState'\nimport { OpenId4VcVerifierModuleConfig } from '../OpenId4VcVerifierModuleConfig'\nimport { OpenId4VpVerifierService } from '../OpenId4VpVerifierService'\nimport type { OpenId4VcVerificationRequest } from './requestContext'\n\nexport function configureAuthorizationRequestEndpoint(router: Router, config: OpenId4VcVerifierModuleConfig) {\n router.get(\n joinUriParts(config.authorizationRequestEndpoint, [':authorizationRequestId']),\n async (request: OpenId4VcVerificationRequest, response: Response, next) => {\n const { agentContext, verifier } = getRequestContext(request)\n\n if (!request.params.authorizationRequestId || typeof request.params.authorizationRequestId !== 'string') {\n return sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n 'invalid_request',\n 'Invalid authorization request url'\n )\n }\n\n try {\n const verifierService = agentContext.dependencyManager.resolve(OpenId4VpVerifierService)\n const verifierConfig = agentContext.dependencyManager.resolve(OpenId4VcVerifierModuleConfig)\n\n // We always use shortened URIs currently\n const fullAuthorizationRequestUri = joinUriParts(verifierConfig.baseUrl, [\n verifier.verifierId,\n verifierConfig.authorizationRequestEndpoint,\n request.params.authorizationRequestId,\n ])\n\n const [verificationSession] = await verifierService.findVerificationSessionsByQuery(agentContext, {\n verifierId: verifier.verifierId,\n $or: [\n {\n authorizationRequestId: request.params.authorizationRequestId,\n },\n // 
NOTE: this can soon be removed, authorization request id is cleaner,\n // but only introduced since 0.6\n {\n authorizationRequestUri: fullAuthorizationRequestUri,\n },\n ],\n })\n\n // Not all requets are signed, and those are not fetcheable\n if (!verificationSession || !verificationSession.authorizationRequestJwt) {\n return sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 404,\n 'not_found',\n 'Authorization request not found'\n )\n }\n\n if (\n ![\n OpenId4VcVerificationSessionState.RequestCreated,\n OpenId4VcVerificationSessionState.RequestUriRetrieved,\n ].includes(verificationSession.state)\n ) {\n return sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n 'invalid_request',\n 'Invalid state for authorization request'\n )\n }\n\n if (verificationSession.expiresAt && Date.now() > verificationSession.expiresAt.getTime()) {\n return sendNotFoundResponse(response, next, agentContext.config.logger, 'Session expired')\n }\n\n // It's okay to retrieve the offer multiple times. 
So we only update the state if it's not already retrieved\n if (verificationSession.state !== OpenId4VcVerificationSessionState.RequestUriRetrieved) {\n await verifierService.updateState(\n agentContext,\n verificationSession,\n OpenId4VcVerificationSessionState.RequestUriRetrieved\n )\n }\n\n response.type('application/oauth-authz-req+jwt').status(200).send(verificationSession.authorizationRequestJwt)\n next()\n } catch (error) {\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n )\n}\n"],"mappings":";;;;;;;;AAaA,SAAgB,sCAAsC,QAAgB,QAAuC;AAC3G,QAAO,IACL,aAAa,OAAO,8BAA8B,CAAC,0BAA0B,CAAC,EAC9E,OAAO,SAAuC,UAAoB,SAAS;EACzE,MAAM,EAAE,cAAc,aAAa,kBAAkB,QAAQ;AAE7D,MAAI,CAAC,QAAQ,OAAO,0BAA0B,OAAO,QAAQ,OAAO,2BAA2B,SAC7F,QAAO,kBACL,UACA,MACA,aAAa,OAAO,QACpB,KACA,mBACA,oCACD;AAGH,MAAI;GACF,MAAM,kBAAkB,aAAa,kBAAkB,QAAQ,yBAAyB;GACxF,MAAM,iBAAiB,aAAa,kBAAkB,QAAQ,8BAA8B;GAG5F,MAAM,8BAA8B,aAAa,eAAe,SAAS;IACvE,SAAS;IACT,eAAe;IACf,QAAQ,OAAO;IAChB,CAAC;GAEF,MAAM,CAAC,uBAAuB,MAAM,gBAAgB,gCAAgC,cAAc;IAChG,YAAY,SAAS;IACrB,KAAK,CACH,EACE,wBAAwB,QAAQ,OAAO,wBACxC,EAGD,EACE,yBAAyB,6BAC1B,CACF;IACF,CAAC;AAGF,OAAI,CAAC,uBAAuB,CAAC,oBAAoB,wBAC/C,QAAO,kBACL,UACA,MACA,aAAa,OAAO,QACpB,KACA,aACA,kCACD;AAGH,OACE,CAAC,CACC,kCAAkC,gBAClC,kCAAkC,oBACnC,CAAC,SAAS,oBAAoB,MAAM,CAErC,QAAO,kBACL,UACA,MACA,aAAa,OAAO,QACpB,KACA,mBACA,0CACD;AAGH,OAAI,oBAAoB,aAAa,KAAK,KAAK,GAAG,oBAAoB,UAAU,SAAS,CACvF,QAAO,qBAAqB,UAAU,MAAM,aAAa,OAAO,QAAQ,kBAAkB;AAI5F,OAAI,oBAAoB,UAAU,kCAAkC,oBAClE,OAAM,gBAAgB,YACpB,cACA,qBACA,kCAAkC,oBACnC;AAGH,YAAS,KAAK,kCAAkC,CAAC,OAAO,IAAI,CAAC,KAAK,oBAAoB,wBAAwB;AAC9G,SAAM;WACC,OAAO;AACd,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;GAG7F"}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
import { OpenId4VcIssuerRecord } from "../openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs";
|
|
2
|
+
import { AgentContext, Kms } from "@credo-ts/core";
|
|
3
|
+
import * as _openid4vc_oauth20 from "@openid4vc/oauth2";
|
|
4
|
+
import { ClientAuthenticationCallback, DecryptJweCallback, EncryptJweCallback, SignJwtCallback, VerifyJwtCallback } from "@openid4vc/oauth2";
|
|
5
|
+
|
|
6
|
+
//#region src/shared/callbacks.d.ts
|
|
7
|
+
declare function getOid4vcJwtVerifyCallback(agentContext: AgentContext, options?: {
|
|
8
|
+
trustedCertificates?: string[];
|
|
9
|
+
issuanceSessionId?: string;
|
|
10
|
+
/**
|
|
11
|
+
* Whether this verification callback should assume a JAR authorization is verified
|
|
12
|
+
* Starting from OID4VP draft 24 the JAR must use oauth-authz-req+jwt header typ
|
|
13
|
+
* but for backwards compatiblity we need to also handle the case where the header typ is different
|
|
14
|
+
* @default false
|
|
15
|
+
*/
|
|
16
|
+
isAuthorizationRequestJwt?: boolean;
|
|
17
|
+
}): VerifyJwtCallback;
|
|
18
|
+
declare function getOid4vcEncryptJweCallback(agentContext: AgentContext): EncryptJweCallback;
|
|
19
|
+
declare function getOid4vcDecryptJweCallback(agentContext: AgentContext): DecryptJweCallback;
|
|
20
|
+
declare function getOid4vcJwtSignCallback(agentContext: AgentContext): SignJwtCallback;
|
|
21
|
+
declare function getOid4vcCallbacks(agentContext: AgentContext, options?: {
|
|
22
|
+
trustedCertificates?: string[];
|
|
23
|
+
isVerifyOpenId4VpAuthorizationRequest?: boolean;
|
|
24
|
+
issuanceSessionId?: string;
|
|
25
|
+
}): {
|
|
26
|
+
hash: (data: Uint8Array<ArrayBufferLike>, alg: _openid4vc_oauth20.HashAlgorithm) => Uint8Array<ArrayBuffer>;
|
|
27
|
+
generateRandom: (length: number) => Kms.KmsRandomBytesReturn;
|
|
28
|
+
signJwt: SignJwtCallback;
|
|
29
|
+
clientAuthentication: () => never;
|
|
30
|
+
verifyJwt: VerifyJwtCallback;
|
|
31
|
+
fetch: typeof fetch;
|
|
32
|
+
encryptJwe: EncryptJweCallback;
|
|
33
|
+
decryptJwe: DecryptJweCallback;
|
|
34
|
+
getX509CertificateMetadata: (certificate: string) => {
|
|
35
|
+
sanDnsNames: string[];
|
|
36
|
+
sanUriNames: string[];
|
|
37
|
+
};
|
|
38
|
+
};
|
|
39
|
+
/**
|
|
40
|
+
* Allows us to authenticate when making requests to an external
|
|
41
|
+
* authorization server
|
|
42
|
+
*/
|
|
43
|
+
declare function dynamicOid4vciClientAuthentication(agentContext: AgentContext, issuerRecord: OpenId4VcIssuerRecord): ClientAuthenticationCallback;
|
|
44
|
+
//#endregion
|
|
45
|
+
export { dynamicOid4vciClientAuthentication, getOid4vcCallbacks, getOid4vcDecryptJweCallback, getOid4vcEncryptJweCallback, getOid4vcJwtSignCallback, getOid4vcJwtVerifyCallback };
|
|
46
|
+
//# sourceMappingURL=callbacks.d.mts.map
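Review bot: The `trustedCertificates` and `issuanceSessionId` options on `getOid4vcJwtVerifyCallback` and `getOid4vcCallbacks` (new lines 8–9 and 22–24) carry no JSDoc while `isAuthorizationRequestJwt` does, and for a verify callback the caller has to know which certificate set anchors trust when `trustedCertificates` is omitted, because that choice decides which signed JWTs are accepted; suggested comment on line 8: `/** Certificates (presumably X.509, PEM/base64) trusted when verifying JWTs; state the fallback used when omitted. */`, with the actual fallback confirmed in `src/shared/callbacks.ts`, the file this declaration is generated from, so the fix belongs there. The same switch appears as `isAuthorizationRequestJwt` on `getOid4vcJwtVerifyCallback` (line 16) but `isVerifyOpenId4VpAuthorizationRequest` on `getOid4vcCallbacks` (line 23), which looks like one flag under two names and is worth aligning or documenting. `clientAuthentication: () => never` (line 29) deserves a one-line comment saying the default callback does not return normally and that `dynamicOid4vciClientAuthentication` is the replacement when client authentication is required, since the `never` return type is the only hint a reader gets. Line 13 has a typo, `compatiblity` → `compatibility`. The identical content appears in the `callbacks.d.ts` hunk below, which needs the same treatment.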
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"callbacks.d.mts","names":[],"sources":["../../src/shared/callbacks.ts"],"sourcesContent":[],"mappings":";;;;;;iBA6BgB,0BAAA,eACA;;;EADA;;;;;AAgIhB;EAA2C,yBAAA,CAAA,EAAA,OAAA;IAjHxC,iBAiHuD;AAAe,iBAAzD,2BAAA,CAAyD,YAAA,EAAf,YAAe,CAAA,EAAA,kBAAA;AAAkB,iBAyF3E,2BAAA,CAzF2E,YAAA,EAyFjC,YAzFiC,CAAA,EAyFlB,kBAzFkB;AAyF3E,iBA4FA,wBAAA,CA5F2B,YAAA,EA4FY,YA5FZ,CAAA,EA4F2B,eA5F3B;AAAA,iBA0I3B,kBAAA,CA1I2B,YAAA,EA2I3B,YA3I2B,EAAA,OA4F3C,CA5F2C,EAAA;qBAAe,CAAA,EAAA,MAAA,EAAA;uCAAe,CAAA,EAAA,OAAA;EAAkB,iBAAA,CAAA,EAAA,MAAA;AA4F3F,CAAA,CAAA,EAAgB;EAAwB,IAAA,EAAA,CAAA,IAAA,YAAA,gBAAA,CAAA,EAAA,GAAA,kCAAA,EAAA,aAAA,YAAA,CAAA;gBAAe,EAAA,CAAA,MAAA,EAAA,MAAA,EAAA,2BAAA;SAAe,iBAAA;EAAe,oBAAA,EAAA,GAAA,GAAA,KAAA;EA8CrE,SAAA,mBAAkB;EAAA,KAAA,EAAA,YAAA;YAClB,oBAAA;;;;;;;;;;;iBAsCA,kCAAA,eACA,4BACA,wBACb"}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
import { OpenId4VcIssuerRecord } from "../openid4vc-issuer/repository/OpenId4VcIssuerRecord.js";
|
|
2
|
+
import { AgentContext, Kms } from "@credo-ts/core";
|
|
3
|
+
import * as _openid4vc_oauth20 from "@openid4vc/oauth2";
|
|
4
|
+
import { ClientAuthenticationCallback, DecryptJweCallback, EncryptJweCallback, SignJwtCallback, VerifyJwtCallback } from "@openid4vc/oauth2";
|
|
5
|
+
|
|
6
|
+
//#region src/shared/callbacks.d.ts
|
|
7
|
+
declare function getOid4vcJwtVerifyCallback(agentContext: AgentContext, options?: {
|
|
8
|
+
trustedCertificates?: string[];
|
|
9
|
+
issuanceSessionId?: string;
|
|
10
|
+
/**
|
|
11
|
+
* Whether this verification callback should assume a JAR authorization is verified
|
|
12
|
+
* Starting from OID4VP draft 24 the JAR must use oauth-authz-req+jwt header typ
|
|
13
|
+
* but for backwards compatiblity we need to also handle the case where the header typ is different
|
|
14
|
+
* @default false
|
|
15
|
+
*/
|
|
16
|
+
isAuthorizationRequestJwt?: boolean;
|
|
17
|
+
}): VerifyJwtCallback;
|
|
18
|
+
declare function getOid4vcEncryptJweCallback(agentContext: AgentContext): EncryptJweCallback;
|
|
19
|
+
declare function getOid4vcDecryptJweCallback(agentContext: AgentContext): DecryptJweCallback;
|
|
20
|
+
declare function getOid4vcJwtSignCallback(agentContext: AgentContext): SignJwtCallback;
|
|
21
|
+
declare function getOid4vcCallbacks(agentContext: AgentContext, options?: {
|
|
22
|
+
trustedCertificates?: string[];
|
|
23
|
+
isVerifyOpenId4VpAuthorizationRequest?: boolean;
|
|
24
|
+
issuanceSessionId?: string;
|
|
25
|
+
}): {
|
|
26
|
+
hash: (data: Uint8Array<ArrayBufferLike>, alg: _openid4vc_oauth20.HashAlgorithm) => Uint8Array<ArrayBuffer>;
|
|
27
|
+
generateRandom: (length: number) => Kms.KmsRandomBytesReturn;
|
|
28
|
+
signJwt: SignJwtCallback;
|
|
29
|
+
clientAuthentication: () => never;
|
|
30
|
+
verifyJwt: VerifyJwtCallback;
|
|
31
|
+
fetch: typeof fetch;
|
|
32
|
+
encryptJwe: EncryptJweCallback;
|
|
33
|
+
decryptJwe: DecryptJweCallback;
|
|
34
|
+
getX509CertificateMetadata: (certificate: string) => {
|
|
35
|
+
sanDnsNames: string[];
|
|
36
|
+
sanUriNames: string[];
|
|
37
|
+
};
|
|
38
|
+
};
|
|
39
|
+
/**
|
|
40
|
+
* Allows us to authenticate when making requests to an external
|
|
41
|
+
* authorization server
|
|
42
|
+
*/
|
|
43
|
+
declare function dynamicOid4vciClientAuthentication(agentContext: AgentContext, issuerRecord: OpenId4VcIssuerRecord): ClientAuthenticationCallback;
|
|
44
|
+
//#endregion
|
|
45
|
+
export { dynamicOid4vciClientAuthentication, getOid4vcCallbacks, getOid4vcDecryptJweCallback, getOid4vcEncryptJweCallback, getOid4vcJwtSignCallback, getOid4vcJwtVerifyCallback };
|
|
46
|
+
//# sourceMappingURL=callbacks.d.ts.map
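Review bot: The doc comment on `isAuthorizationRequestJwt` (lines 11–15 of the new declaration file) does not say what the flag actually changes: per the source embedded in the accompanying sourcemap, the verify callback treats a JWT as a JAR when `header.typ === 'oauth-authz-req+jwt' || options?.isAuthorizationRequestJwt`, so setting it makes an x5c-signed JWT with any `typ` eligible for the `oauth2SecuredAuthorizationRequest` trust-anchor lookup through `X509ModuleConfig.getTrustedCertificatesForVerification`. I would rewrite the comment to state that the flag bypasses the `typ` check and should be set only for a JWT obtained by resolving an authorization request (`request` / `request_uri`), never for other JWTs routed through the same callback, and fix the typo "compatiblity". `getOid4vcCallbacks` forwards it as `isVerifyOpenId4VpAuthorizationRequest` (line 23), whose field has no doc comment at all; a one-line `/** See isAuthorizationRequestJwt on getOid4vcJwtVerifyCallback */` would keep the two in sync. The same declarations presumably appear in the `.d.ts` twin, which is outside this view.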
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"callbacks.d.ts","names":[],"sources":["../../src/shared/callbacks.ts"],"sourcesContent":[],"mappings":";;;;;;iBA6BgB,0BAAA,eACA;;;EADA;;;;;AAgIhB;EAA2C,yBAAA,CAAA,EAAA,OAAA;IAjHxC,iBAiHuD;AAAe,iBAAzD,2BAAA,CAAyD,YAAA,EAAf,YAAe,CAAA,EAAA,kBAAA;AAAkB,iBAyF3E,2BAAA,CAzF2E,YAAA,EAyFjC,YAzFiC,CAAA,EAyFlB,kBAzFkB;AAyF3E,iBA4FA,wBAAA,CA5F2B,YAAA,EA4FY,YA5FZ,CAAA,EA4F2B,eA5F3B;AAAA,iBA0I3B,kBAAA,CA1I2B,YAAA,EA2I3B,YA3I2B,EAAA,OA4F3C,CA5F2C,EAAA;qBAAe,CAAA,EAAA,MAAA,EAAA;uCAAe,CAAA,EAAA,OAAA;EAAkB,iBAAA,CAAA,EAAA,MAAA;AA4F3F,CAAA,CAAA,EAAgB;EAAwB,IAAA,EAAA,CAAA,IAAA,YAAA,gBAAA,CAAA,EAAA,GAAA,kCAAA,EAAA,aAAA,YAAA,CAAA;gBAAe,EAAA,CAAA,MAAA,EAAA,MAAA,EAAA,2BAAA;SAAe,iBAAA;EAAe,oBAAA,EAAA,GAAA,GAAA,KAAA;EA8CrE,SAAA,mBAAkB;EAAA,KAAA,EAAA,YAAA;YAClB,oBAAA;;;;;;;;;;;iBAsCA,kCAAA,eACA,4BACA,wBACb"}
@@ -265,4 +265,8 @@ function dynamicOid4vciClientAuthentication(agentContext, issuerRecord) {
|
|
|
265
265
|
|
|
266
266
|
//#endregion
|
|
267
267
|
exports.dynamicOid4vciClientAuthentication = dynamicOid4vciClientAuthentication;
|
|
268
|
-
exports.getOid4vcCallbacks = getOid4vcCallbacks;
|
|
268
|
+
exports.getOid4vcCallbacks = getOid4vcCallbacks;
|
|
269
|
+
exports.getOid4vcDecryptJweCallback = getOid4vcDecryptJweCallback;
|
|
270
|
+
exports.getOid4vcEncryptJweCallback = getOid4vcEncryptJweCallback;
|
|
271
|
+
exports.getOid4vcJwtSignCallback = getOid4vcJwtSignCallback;
|
|
272
|
+
exports.getOid4vcJwtVerifyCallback = getOid4vcJwtVerifyCallback;
@@ -261,5 +261,5 @@ function dynamicOid4vciClientAuthentication(agentContext, issuerRecord) {
|
|
|
261
261
|
}
|
|
262
262
|
|
|
263
263
|
//#endregion
|
|
264
|
-
export { dynamicOid4vciClientAuthentication, getOid4vcCallbacks };
|
|
264
|
+
export { dynamicOid4vciClientAuthentication, getOid4vcCallbacks, getOid4vcDecryptJweCallback, getOid4vcEncryptJweCallback, getOid4vcJwtSignCallback, getOid4vcJwtVerifyCallback };
|
|
265
265
|
//# sourceMappingURL=callbacks.mjs.map
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"callbacks.mjs","names":["jwsSigner: JwsSignerWithJwk | undefined","publicJwk","decryptedPayload: string","publicJwk: Kms.PublicJwk"],"sources":["../../src/shared/callbacks.ts"],"sourcesContent":["import { AgentContext, type JwsSignerWithJwk, Kms } from '@credo-ts/core'\nimport type {\n CallbackContext,\n ClientAuthenticationCallback,\n DecryptJweCallback,\n EncryptJweCallback,\n Jwk,\n SignJwtCallback,\n VerifyJwtCallback,\n} from '@openid4vc/oauth2'\nimport type { OpenId4VcIssuerRecord } from '../openid4vc-issuer/repository'\n\nimport {\n Buffer,\n CredoError,\n Hasher,\n JsonEncoder,\n JwsService,\n JwtPayload,\n TypedArrayEncoder,\n X509Certificate,\n X509ModuleConfig,\n X509Service,\n} from '@credo-ts/core'\nimport { clientAuthenticationDynamic, decodeJwtHeader } from '@openid4vc/oauth2'\n\nimport { getPublicJwkFromDid } from './utils'\n\nexport function getOid4vcJwtVerifyCallback(\n agentContext: AgentContext,\n options?: {\n trustedCertificates?: string[]\n\n issuanceSessionId?: string\n\n /**\n * Whether this verification callback should assume a JAR authorization is verified\n * Starting from OID4VP draft 24 the JAR must use oauth-authz-req+jwt header typ\n * but for backwards compatiblity we need to also handle the case where the header typ is different\n * @default false\n */\n isAuthorizationRequestJwt?: boolean\n }\n): VerifyJwtCallback {\n const jwsService = agentContext.dependencyManager.resolve(JwsService)\n\n return async (signer, { compact, header, payload }) => {\n let trustedCertificates = options?.trustedCertificates\n if (\n signer.method === 'x5c' &&\n (header.typ === 'oauth-authz-req+jwt' || options?.isAuthorizationRequestJwt) &&\n !trustedCertificates\n ) {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const certificateChain = signer.x5c?.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n trustedCertificates = await 
x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'oauth2SecuredAuthorizationRequest',\n authorizationRequest: {\n jwt: compact,\n payload: JwtPayload.fromJson(payload),\n },\n },\n })\n }\n\n if (\n signer.method === 'x5c' &&\n (header.typ === 'keyattestation+jwt' || header.typ === 'key-attestation+jwt') &&\n options?.issuanceSessionId &&\n !trustedCertificates\n ) {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const certificateChain = signer.x5c?.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'openId4VciKeyAttestation',\n openId4VcIssuanceSessionId: options.issuanceSessionId,\n keyAttestation: {\n jwt: compact,\n payload: JwtPayload.fromJson(payload),\n },\n },\n })\n }\n\n if (\n signer.method === 'x5c' &&\n header.typ === 'oauth-client-attestation+jwt' &&\n options?.issuanceSessionId &&\n !trustedCertificates\n ) {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const certificateChain = signer.x5c?.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'oauth2ClientAttestation',\n openId4VcIssuanceSessionId: options.issuanceSessionId,\n clientAttestation: {\n jwt: compact,\n payload: JwtPayload.fromJson(payload),\n },\n },\n })\n }\n\n const alg = signer.alg as Kms.KnownJwaSignatureAlgorithm\n if (!Object.values(Kms.KnownJwaSignatureAlgorithms).includes(alg)) {\n throw new CredoError(`Unsupported jwa signatre algorithm '${alg}'`)\n }\n\n const jwsSigner: JwsSignerWithJwk | undefined =\n signer.method === 'did'\n ? 
{\n method: 'did',\n didUrl: signer.didUrl,\n jwk: await getPublicJwkFromDid(agentContext, signer.didUrl),\n }\n : signer.method === 'jwk'\n ? {\n method: 'jwk',\n jwk: Kms.PublicJwk.fromUnknown(signer.publicJwk),\n }\n : signer.method === 'x5c'\n ? {\n method: 'x5c',\n x5c: signer.x5c,\n jwk: X509Certificate.fromEncodedCertificate(signer.x5c[0]).publicJwk,\n }\n : undefined\n\n if (!jwsSigner) {\n throw new CredoError(`Unable to verify jws with unsupported jws signer method '${signer.method}'`)\n }\n\n const { isValid, jwsSigners } = await jwsService.verifyJws(agentContext, {\n jws: compact,\n trustedCertificates,\n jwsSigner,\n })\n\n if (!isValid) {\n return { verified: false, signerJwk: undefined }\n }\n\n const signerJwk = jwsSigners[0].jwk.toJson() as Jwk\n return { verified: true, signerJwk }\n }\n}\n\nexport function getOid4vcEncryptJweCallback(agentContext: AgentContext): EncryptJweCallback {\n const kms = agentContext.dependencyManager.resolve(Kms.KeyManagementApi)\n\n return async (jweEncryptor, compact) => {\n if (jweEncryptor.method !== 'jwk') {\n throw new CredoError(\n `Jwt encryption method '${jweEncryptor.method}' is not supported for jwt signer. 
Only 'jwk' is supported.`\n )\n }\n\n // TODO: we should probably add a key id or ference to the jweEncryptor/jwsSigner in\n // oid4vc-ts so we can keep a reference to the key\n const jwk = Kms.PublicJwk.fromUnknown(jweEncryptor.publicJwk)\n if (!jwk.hasKeyId) {\n throw new CredoError('Expected kid to be defined on the JWK')\n }\n\n if (jweEncryptor.alg !== 'ECDH-ES') {\n throw new CredoError(\"Only 'ECDH-ES' is supported as 'alg' value for JARM response encryption\")\n }\n\n if (jweEncryptor.enc !== 'A256GCM' && jweEncryptor.enc !== 'A128GCM' && jweEncryptor.enc !== 'A128CBC-HS256') {\n throw new CredoError(\n \"Only 'A256GCM', 'A128GCM', and 'A128CBC-HS256' is supported as 'enc' value for JARM response encryption\"\n )\n }\n\n const jwkJson = jwk.toJson()\n if (jwkJson.kty !== 'EC' && jwkJson.kty !== 'OKP') {\n throw new CredoError(`Expected EC or OKP jwk for encryption, found ${Kms.getJwkHumanDescription(jwkJson)}`)\n }\n\n if (jwkJson.crv === 'Ed25519') {\n throw new CredoError(`Expected ${jwkJson.kty} with crv X25519, found ${Kms.getJwkHumanDescription(jwkJson)}`)\n }\n\n // TODO: create a JWE service that handles this\n const ephmeralKey = await kms.createKey({\n type: jwkJson,\n })\n\n try {\n const header = {\n kid: jweEncryptor.publicJwk.kid,\n apu: jweEncryptor.apu,\n apv: jweEncryptor.apv,\n enc: jweEncryptor.enc,\n alg: 'ECDH-ES',\n epk: ephmeralKey.publicJwk,\n }\n const encodedHeader = JsonEncoder.toBase64URL(header)\n\n const encrypted = await kms.encrypt({\n key: {\n keyAgreement: {\n // FIXME: We can make the keyId optional for ECDH-ES\n // That way we don't have to store the key\n keyId: ephmeralKey.keyId,\n algorithm: 'ECDH-ES',\n apu: jweEncryptor.apu ? TypedArrayEncoder.fromBase64(jweEncryptor.apu) : undefined,\n apv: jweEncryptor.apv ? 
TypedArrayEncoder.fromBase64(jweEncryptor.apv) : undefined,\n externalPublicJwk: jwkJson,\n },\n },\n data: Buffer.from(compact),\n encryption: {\n algorithm: jweEncryptor.enc,\n aad: Buffer.from(encodedHeader),\n },\n })\n\n if (!encrypted.iv || !encrypted.tag) {\n throw new CredoError(\"Expected 'iv' and 'tag' to be defined\")\n }\n\n const compactJwe = `${encodedHeader}..${TypedArrayEncoder.toBase64URL(encrypted.iv)}.${TypedArrayEncoder.toBase64URL(\n encrypted.encrypted\n )}.${TypedArrayEncoder.toBase64URL(encrypted.tag)}`\n\n return { encryptionJwk: jweEncryptor.publicJwk, jwe: compactJwe }\n } finally {\n // Delete the key\n await kms.deleteKey({\n keyId: ephmeralKey.keyId,\n })\n }\n }\n}\n\nexport function getOid4vcDecryptJweCallback(agentContext: AgentContext): DecryptJweCallback {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n return async (jwe, options) => {\n // TODO: use custom header zod schema to limit which algorithms can be used\n const { header } = decodeJwtHeader({ jwt: jwe })\n\n let kid = options?.jwk?.kid ?? header.kid\n if (!kid) {\n throw new CredoError('Uanbel to decrypt jwe. 
No kid or jwk found')\n }\n\n // Previously we used the fingerprint as the kid for JARM\n // We try to parse it as fingerprint if it starts with z (base58 encoding)\n // It's not 100%\n if (kid.startsWith('z')) {\n try {\n const publicJwk = Kms.PublicJwk.fromFingerprint(kid)\n if (publicJwk) kid = publicJwk.legacyKeyId\n } catch {\n // no-op\n }\n }\n\n // TODO: decodeJwe method in oid4vc-ts\n // encryption key is not used (we don't use key wrapping)\n const [encodedHeader /* encryptionKey */, , encodedIv, encodedCiphertext, encodedTag] = jwe.split('.')\n\n if (header.alg !== 'ECDH-ES') {\n throw new CredoError(\"Only 'ECDH-ES' is supported as 'alg' value for JARM response decryption\")\n }\n\n if (header.enc !== 'A256GCM' && header.enc !== 'A128GCM' && header.enc !== 'A128CBC-HS256') {\n throw new CredoError(\n \"Only 'A256GCM', 'A128GCM', and 'A128CBC-HS256' is supported as 'enc' value for JARM response decryption\"\n )\n }\n\n let decryptedPayload: string\n let publicJwk: Kms.PublicJwk\n\n const epk = Kms.PublicJwk.fromUnknown(header.epk)\n\n try {\n const decrypted = await kms.decrypt({\n encrypted: TypedArrayEncoder.fromBase64(encodedCiphertext),\n decryption: {\n algorithm: header.enc,\n // aad is the base64 encoded bytes (not just the bytes)\n aad: TypedArrayEncoder.fromString(encodedHeader),\n iv: TypedArrayEncoder.fromBase64(encodedIv),\n tag: TypedArrayEncoder.fromBase64(encodedTag),\n },\n key: {\n keyAgreement: {\n algorithm: header.alg,\n externalPublicJwk: epk.toJson() as Kms.KmsJwkPublicEcdh,\n keyId: kid,\n apu: typeof header.apu === 'string' ? TypedArrayEncoder.fromBase64(header.apu) : undefined,\n apv: typeof header.apv === 'string' ? 
TypedArrayEncoder.fromBase64(header.apv) : undefined,\n },\n },\n })\n\n // TODO: decrypt should return the public jwk instance\n publicJwk = Kms.PublicJwk.fromUnknown(\n await kms.getPublicKey({\n keyId: kid,\n })\n )\n\n decryptedPayload = TypedArrayEncoder.toUtf8String(decrypted.data)\n } catch (error) {\n agentContext.config.logger.error('Error decrypting JWE', {\n error,\n })\n return {\n decrypted: false,\n encryptionJwk: options?.jwk,\n payload: undefined,\n header,\n }\n }\n\n return {\n decrypted: true,\n decryptionJwk: publicJwk.toJson() as Jwk,\n payload: decryptedPayload,\n header,\n }\n }\n}\n\nexport function getOid4vcJwtSignCallback(agentContext: AgentContext): SignJwtCallback {\n const jwsService = agentContext.dependencyManager.resolve(JwsService)\n\n return async (signer, { payload, header }) => {\n if (signer.method === 'custom' || signer.method === 'federation') {\n throw new CredoError(`Jwt signer method 'custom' and 'federation' are not supported for jwt signer.`)\n }\n\n if (signer.method === 'x5c') {\n const leafCertificate = X509Service.getLeafCertificate(agentContext, { certificateChain: signer.x5c })\n\n const jws = await jwsService.createJwsCompact(agentContext, {\n protectedHeaderOptions: { ...header, alg: signer.alg as Kms.KnownJwaSignatureAlgorithm, jwk: undefined },\n payload: JwtPayload.fromJson(payload),\n keyId: signer.kid ?? leafCertificate.publicJwk.keyId,\n })\n\n return { jwt: jws, signerJwk: leafCertificate.publicJwk.toJson() as Jwk }\n }\n\n // TOOD: createJwsCompact should return the Jwk, so we don't have to reoslve it here\n const publicJwk =\n signer.method === 'did'\n ? 
await getPublicJwkFromDid(agentContext, signer.didUrl)\n : Kms.PublicJwk.fromUnknown(signer.publicJwk)\n\n if (!publicJwk.supportedSignatureAlgorithms.includes(signer.alg as Kms.KnownJwaSignatureAlgorithm)) {\n throw new CredoError(\n `jwk ${publicJwk.jwkTypehumanDescription} does not support JWS signature alg '${signer.alg}'`\n )\n }\n\n const jwt = await jwsService.createJwsCompact(agentContext, {\n protectedHeaderOptions: {\n ...header,\n jwk: header.jwk ? publicJwk : undefined,\n alg: signer.alg as Kms.KnownJwaSignatureAlgorithm,\n },\n payload: JsonEncoder.toBuffer(payload),\n keyId: signer.kid ?? publicJwk.keyId,\n })\n\n return { jwt, signerJwk: publicJwk.toJson() as Jwk }\n }\n}\n\nexport function getOid4vcCallbacks(\n agentContext: AgentContext,\n options?: {\n trustedCertificates?: string[]\n isVerifyOpenId4VpAuthorizationRequest?: boolean\n issuanceSessionId?: string\n }\n) {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n\n return {\n hash: (data, alg) => Hasher.hash(data, alg.toLowerCase()),\n generateRandom: (length) => kms.randomBytes({ length }),\n signJwt: getOid4vcJwtSignCallback(agentContext),\n clientAuthentication: () => {\n throw new CredoError('Did not expect client authentication to be called.')\n },\n verifyJwt: getOid4vcJwtVerifyCallback(agentContext, {\n trustedCertificates: options?.trustedCertificates,\n isAuthorizationRequestJwt: options?.isVerifyOpenId4VpAuthorizationRequest,\n issuanceSessionId: options?.issuanceSessionId,\n }),\n fetch: agentContext.config.agentDependencies.fetch,\n encryptJwe: getOid4vcEncryptJweCallback(agentContext),\n decryptJwe: getOid4vcDecryptJweCallback(agentContext),\n getX509CertificateMetadata: (certificate: string) => {\n const leafCertificate = X509Service.getLeafCertificate(agentContext, { certificateChain: [certificate] })\n return {\n sanDnsNames: leafCertificate.sanDnsNames,\n sanUriNames: leafCertificate.sanUriNames,\n }\n },\n } satisfies Partial<CallbackContext>\n}\n\n/**\n * Allows us 
to authenticate when making requests to an external\n * authorization server\n */\nexport function dynamicOid4vciClientAuthentication(\n agentContext: AgentContext,\n issuerRecord: OpenId4VcIssuerRecord\n): ClientAuthenticationCallback {\n return (callbackOptions) => {\n const authorizationServer = issuerRecord.authorizationServerConfigs?.find(\n (a) => a.issuer === callbackOptions.authorizationServerMetadata.issuer\n )\n\n if (!authorizationServer) {\n // No client authentication if authorization server is not configured\n agentContext.config.logger.debug(\n `Unknown authorization server '${callbackOptions.authorizationServerMetadata.issuer}' for issuer '${issuerRecord.issuerId}' for request to '${callbackOptions.url}'`\n )\n return\n }\n\n if (!authorizationServer.clientAuthentication) {\n throw new CredoError(\n `Unable to authenticate to authorization server '${authorizationServer.issuer}' for issuer '${issuerRecord.issuerId}' for request to '${callbackOptions.url}'. Make sure to configure a 'clientId' and 'clientSecret' for the authorization server on the issuer record.`\n )\n }\n\n return clientAuthenticationDynamic({\n clientId: authorizationServer.clientAuthentication.clientId,\n clientSecret: authorizationServer.clientAuthentication.clientSecret,\n })(callbackOptions)\n 
}\n}\n"],"mappings":";;;;;AA4BA,SAAgB,2BACd,cACA,SAamB;CACnB,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;AAErE,QAAO,OAAO,QAAQ,EAAE,SAAS,QAAQ,cAAc;EACrD,IAAI,sBAAsB,SAAS;AACnC,MACE,OAAO,WAAW,UACjB,OAAO,QAAQ,yBAAyB,SAAS,8BAClD,CAAC,qBACD;GACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;GAC3E,MAAM,mBAAmB,OAAO,KAAK,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAEhG,yBAAsB,MAAM,WAAW,wCAAwC,cAAc;IAC3F;IACA,cAAc;KACZ,MAAM;KACN,sBAAsB;MACpB,KAAK;MACL,SAAS,WAAW,SAAS,QAAQ;MACtC;KACF;IACF,CAAC;;AAGJ,MACE,OAAO,WAAW,UACjB,OAAO,QAAQ,wBAAwB,OAAO,QAAQ,0BACvD,SAAS,qBACT,CAAC,qBACD;GACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;GAC3E,MAAM,mBAAmB,OAAO,KAAK,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAEhG,yBAAsB,MAAM,WAAW,wCAAwC,cAAc;IAC3F;IACA,cAAc;KACZ,MAAM;KACN,4BAA4B,QAAQ;KACpC,gBAAgB;MACd,KAAK;MACL,SAAS,WAAW,SAAS,QAAQ;MACtC;KACF;IACF,CAAC;;AAGJ,MACE,OAAO,WAAW,SAClB,OAAO,QAAQ,kCACf,SAAS,qBACT,CAAC,qBACD;GACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;GAC3E,MAAM,mBAAmB,OAAO,KAAK,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAEhG,yBAAsB,MAAM,WAAW,wCAAwC,cAAc;IAC3F;IACA,cAAc;KACZ,MAAM;KACN,4BAA4B,QAAQ;KACpC,mBAAmB;MACjB,KAAK;MACL,SAAS,WAAW,SAAS,QAAQ;MACtC;KACF;IACF,CAAC;;EAGJ,MAAM,MAAM,OAAO;AACnB,MAAI,CAAC,OAAO,OAAO,IAAI,4BAA4B,CAAC,SAAS,IAAI,CAC/D,OAAM,IAAI,WAAW,uCAAuC,IAAI,GAAG;EAGrE,MAAMA,YACJ,OAAO,WAAW,QACd;GACE,QAAQ;GACR,QAAQ,OAAO;GACf,KAAK,MAAM,oBAAoB,cAAc,OAAO,OAAO;GAC5D,GACD,OAAO,WAAW,QAChB;GACE,QAAQ;GACR,KAAK,IAAI,UAAU,YAAY,OAAO,UAAU;GACjD,GACD,OAAO,WAAW,QAChB;GACE,QAAQ;GACR,KAAK,OAAO;GACZ,KAAK,gBAAgB,uBAAuB,OAAO,IAAI,GAAG,CAAC;GAC5D,GACD;AAEV,MAAI,CAAC,UACH,OAAM,IAAI,WAAW,4DAA4D,OAAO,OAAO,GAAG;EAGpG,MAAM,EAAE,SAAS,eAAe,MAAM,WAAW,UAAU,cAAc;GACvE,KAAK;GACL;GACA;GACD,CAAC;AAEF,MAAI,CAAC,QACH,QAAO;GAAE,UAAU;GAAO,WAAW;GAAW;AAIlD,SAAO;GAAE,UAAU;GAAM,WADP,WAAW,GAAG,IAAI,QAAQ;GACR;;;AAIxC,SAAgB,4BAA4B,cAAgD;CAC1F,MAAM,MAAM,aAAa,kBAAkB,QAAQ,IAAI,iBAAiB;AAExE,QAAO,OAAO,cAAc,YAAY;AACtC,MAAI,aAAa,WAAW,MAC1B,OAAM,IAAI,WACR,0BAA0B,aAAa,OAAO,6DAC/C;EAKH,MAAM,MAAM,IAAI,UAAU,YAAY,aAAa,UAAU;AAC7D,MAAI,CAAC,IAAI,SACP,OAAM,IAAI,WAAW,wCAAwC;AAG/D,MAAI,aAAa,QAAQ,UA
CvB,OAAM,IAAI,WAAW,0EAA0E;AAGjG,MAAI,aAAa,QAAQ,aAAa,aAAa,QAAQ,aAAa,aAAa,QAAQ,gBAC3F,OAAM,IAAI,WACR,0GACD;EAGH,MAAM,UAAU,IAAI,QAAQ;AAC5B,MAAI,QAAQ,QAAQ,QAAQ,QAAQ,QAAQ,MAC1C,OAAM,IAAI,WAAW,gDAAgD,IAAI,uBAAuB,QAAQ,GAAG;AAG7G,MAAI,QAAQ,QAAQ,UAClB,OAAM,IAAI,WAAW,YAAY,QAAQ,IAAI,0BAA0B,IAAI,uBAAuB,QAAQ,GAAG;EAI/G,MAAM,cAAc,MAAM,IAAI,UAAU,EACtC,MAAM,SACP,CAAC;AAEF,MAAI;GACF,MAAM,SAAS;IACb,KAAK,aAAa,UAAU;IAC5B,KAAK,aAAa;IAClB,KAAK,aAAa;IAClB,KAAK,aAAa;IAClB,KAAK;IACL,KAAK,YAAY;IAClB;GACD,MAAM,gBAAgB,YAAY,YAAY,OAAO;GAErD,MAAM,YAAY,MAAM,IAAI,QAAQ;IAClC,KAAK,EACH,cAAc;KAGZ,OAAO,YAAY;KACnB,WAAW;KACX,KAAK,aAAa,MAAM,kBAAkB,WAAW,aAAa,IAAI,GAAG;KACzE,KAAK,aAAa,MAAM,kBAAkB,WAAW,aAAa,IAAI,GAAG;KACzE,mBAAmB;KACpB,EACF;IACD,MAAM,OAAO,KAAK,QAAQ;IAC1B,YAAY;KACV,WAAW,aAAa;KACxB,KAAK,OAAO,KAAK,cAAc;KAChC;IACF,CAAC;AAEF,OAAI,CAAC,UAAU,MAAM,CAAC,UAAU,IAC9B,OAAM,IAAI,WAAW,wCAAwC;GAG/D,MAAM,aAAa,GAAG,cAAc,IAAI,kBAAkB,YAAY,UAAU,GAAG,CAAC,GAAG,kBAAkB,YACvG,UAAU,UACX,CAAC,GAAG,kBAAkB,YAAY,UAAU,IAAI;AAEjD,UAAO;IAAE,eAAe,aAAa;IAAW,KAAK;IAAY;YACzD;AAER,SAAM,IAAI,UAAU,EAClB,OAAO,YAAY,OACpB,CAAC;;;;AAKR,SAAgB,4BAA4B,cAAgD;CAC1F,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AACtD,QAAO,OAAO,KAAK,YAAY;EAE7B,MAAM,EAAE,WAAW,gBAAgB,EAAE,KAAK,KAAK,CAAC;EAEhD,IAAI,MAAM,SAAS,KAAK,OAAO,OAAO;AACtC,MAAI,CAAC,IACH,OAAM,IAAI,WAAW,6CAA6C;AAMpE,MAAI,IAAI,WAAW,IAAI,CACrB,KAAI;GACF,MAAMC,cAAY,IAAI,UAAU,gBAAgB,IAAI;AACpD,OAAIA,YAAW,OAAMA,YAAU;UACzB;EAOV,MAAM,CAAC,iBAAqC,WAAW,mBAAmB,cAAc,IAAI,MAAM,IAAI;AAEtG,MAAI,OAAO,QAAQ,UACjB,OAAM,IAAI,WAAW,0EAA0E;AAGjG,MAAI,OAAO,QAAQ,aAAa,OAAO,QAAQ,aAAa,OAAO,QAAQ,gBACzE,OAAM,IAAI,WACR,0GACD;EAGH,IAAIC;EACJ,IAAIC;EAEJ,MAAM,MAAM,IAAI,UAAU,YAAY,OAAO,IAAI;AAEjD,MAAI;GACF,MAAM,YAAY,MAAM,IAAI,QAAQ;IAClC,WAAW,kBAAkB,WAAW,kBAAkB;IAC1D,YAAY;KACV,WAAW,OAAO;KAElB,KAAK,kBAAkB,WAAW,cAAc;KAChD,IAAI,kBAAkB,WAAW,UAAU;KAC3C,KAAK,kBAAkB,WAAW,WAAW;KAC9C;IACD,KAAK,EACH,cAAc;KACZ,WAAW,OAAO;KAClB,mBAAmB,IAAI,QAAQ;KAC/B,OAAO;KACP,KAAK,OAAO,OAAO,QAAQ,WAAW,kBAAkB,WAAW,OAAO,IAAI,GAAG;KACjF,KAAK,OAAO,OAAO,QAAQ,WAAW,kBAAkB,WA
AW,OAAO,IAAI,GAAG;KAClF,EACF;IACF,CAAC;AAGF,eAAY,IAAI,UAAU,YACxB,MAAM,IAAI,aAAa,EACrB,OAAO,KACR,CAAC,CACH;AAED,sBAAmB,kBAAkB,aAAa,UAAU,KAAK;WAC1D,OAAO;AACd,gBAAa,OAAO,OAAO,MAAM,wBAAwB,EACvD,OACD,CAAC;AACF,UAAO;IACL,WAAW;IACX,eAAe,SAAS;IACxB,SAAS;IACT;IACD;;AAGH,SAAO;GACL,WAAW;GACX,eAAe,UAAU,QAAQ;GACjC,SAAS;GACT;GACD;;;AAIL,SAAgB,yBAAyB,cAA6C;CACpF,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;AAErE,QAAO,OAAO,QAAQ,EAAE,SAAS,aAAa;AAC5C,MAAI,OAAO,WAAW,YAAY,OAAO,WAAW,aAClD,OAAM,IAAI,WAAW,gFAAgF;AAGvG,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,kBAAkB,YAAY,mBAAmB,cAAc,EAAE,kBAAkB,OAAO,KAAK,CAAC;AAQtG,UAAO;IAAE,KANG,MAAM,WAAW,iBAAiB,cAAc;KAC1D,wBAAwB;MAAE,GAAG;MAAQ,KAAK,OAAO;MAAuC,KAAK;MAAW;KACxG,SAAS,WAAW,SAAS,QAAQ;KACrC,OAAO,OAAO,OAAO,gBAAgB,UAAU;KAChD,CAAC;IAEiB,WAAW,gBAAgB,UAAU,QAAQ;IAAS;;EAI3E,MAAM,YACJ,OAAO,WAAW,QACd,MAAM,oBAAoB,cAAc,OAAO,OAAO,GACtD,IAAI,UAAU,YAAY,OAAO,UAAU;AAEjD,MAAI,CAAC,UAAU,6BAA6B,SAAS,OAAO,IAAsC,CAChG,OAAM,IAAI,WACR,OAAO,UAAU,wBAAwB,uCAAuC,OAAO,IAAI,GAC5F;AAaH,SAAO;GAAE,KAVG,MAAM,WAAW,iBAAiB,cAAc;IAC1D,wBAAwB;KACtB,GAAG;KACH,KAAK,OAAO,MAAM,YAAY;KAC9B,KAAK,OAAO;KACb;IACD,SAAS,YAAY,SAAS,QAAQ;IACtC,OAAO,OAAO,OAAO,UAAU;IAChC,CAAC;GAEY,WAAW,UAAU,QAAQ;GAAS;;;AAIxD,SAAgB,mBACd,cACA,SAKA;CACA,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AAEtD,QAAO;EACL,OAAO,MAAM,QAAQ,OAAO,KAAK,MAAM,IAAI,aAAa,CAAC;EACzD,iBAAiB,WAAW,IAAI,YAAY,EAAE,QAAQ,CAAC;EACvD,SAAS,yBAAyB,aAAa;EAC/C,4BAA4B;AAC1B,SAAM,IAAI,WAAW,qDAAqD;;EAE5E,WAAW,2BAA2B,cAAc;GAClD,qBAAqB,SAAS;GAC9B,2BAA2B,SAAS;GACpC,mBAAmB,SAAS;GAC7B,CAAC;EACF,OAAO,aAAa,OAAO,kBAAkB;EAC7C,YAAY,4BAA4B,aAAa;EACrD,YAAY,4BAA4B,aAAa;EACrD,6BAA6B,gBAAwB;GACnD,MAAM,kBAAkB,YAAY,mBAAmB,cAAc,EAAE,kBAAkB,CAAC,YAAY,EAAE,CAAC;AACzG,UAAO;IACL,aAAa,gBAAgB;IAC7B,aAAa,gBAAgB;IAC9B;;EAEJ;;;;;;AAOH,SAAgB,mCACd,cACA,cAC8B;AAC9B,SAAQ,oBAAoB;EAC1B,MAAM,sBAAsB,aAAa,4BAA4B,MAClE,MAAM,EAAE,WAAW,gBAAgB,4BAA4B,OACjE;AAED,MAAI,CAAC,qBAAqB;AAExB,gBAAa,OAAO,OAAO,MACzB,iCAAiC,gBAAgB,4BAA4B,OAAO,gBAAgB,aAAa,SAAS,oBAAoB,gBAAgB,IAAI,GACnK;AACD;;AAGF,MAAI,CAAC,oBAAoB,qBACvB,OAAM,IAAI,WACR,mDAA
mD,oBAAoB,OAAO,gBAAgB,aAAa,SAAS,oBAAoB,gBAAgB,IAAI,8GAC7J;AAGH,SAAO,4BAA4B;GACjC,UAAU,oBAAoB,qBAAqB;GACnD,cAAc,oBAAoB,qBAAqB;GACxD,CAAC,CAAC,gBAAgB"}
|
|
1
|
+
{"version":3,"file":"callbacks.mjs","names":["jwsSigner: JwsSignerWithJwk | undefined","publicJwk","decryptedPayload: string","publicJwk: Kms.PublicJwk"],"sources":["../../src/shared/callbacks.ts"],"sourcesContent":["import {\n AgentContext,\n Buffer,\n CredoError,\n Hasher,\n JsonEncoder,\n JwsService,\n type JwsSignerWithJwk,\n JwtPayload,\n Kms,\n TypedArrayEncoder,\n X509Certificate,\n X509ModuleConfig,\n X509Service,\n} from '@credo-ts/core'\nimport type {\n CallbackContext,\n ClientAuthenticationCallback,\n DecryptJweCallback,\n EncryptJweCallback,\n Jwk,\n SignJwtCallback,\n VerifyJwtCallback,\n} from '@openid4vc/oauth2'\nimport { clientAuthenticationDynamic, decodeJwtHeader } from '@openid4vc/oauth2'\nimport type { OpenId4VcIssuerRecord } from '../openid4vc-issuer/repository'\n\nimport { getPublicJwkFromDid } from './utils'\n\nexport function getOid4vcJwtVerifyCallback(\n agentContext: AgentContext,\n options?: {\n trustedCertificates?: string[]\n\n issuanceSessionId?: string\n\n /**\n * Whether this verification callback should assume a JAR authorization is verified\n * Starting from OID4VP draft 24 the JAR must use oauth-authz-req+jwt header typ\n * but for backwards compatiblity we need to also handle the case where the header typ is different\n * @default false\n */\n isAuthorizationRequestJwt?: boolean\n }\n): VerifyJwtCallback {\n const jwsService = agentContext.dependencyManager.resolve(JwsService)\n\n return async (signer, { compact, header, payload }) => {\n let trustedCertificates = options?.trustedCertificates\n if (\n signer.method === 'x5c' &&\n (header.typ === 'oauth-authz-req+jwt' || options?.isAuthorizationRequestJwt) &&\n !trustedCertificates\n ) {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const certificateChain = signer.x5c?.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n 
verification: {\n type: 'oauth2SecuredAuthorizationRequest',\n authorizationRequest: {\n jwt: compact,\n payload: JwtPayload.fromJson(payload),\n },\n },\n })\n }\n\n if (\n signer.method === 'x5c' &&\n (header.typ === 'keyattestation+jwt' || header.typ === 'key-attestation+jwt') &&\n options?.issuanceSessionId &&\n !trustedCertificates\n ) {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const certificateChain = signer.x5c?.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'openId4VciKeyAttestation',\n openId4VcIssuanceSessionId: options.issuanceSessionId,\n keyAttestation: {\n jwt: compact,\n payload: JwtPayload.fromJson(payload),\n },\n },\n })\n }\n\n if (\n signer.method === 'x5c' &&\n header.typ === 'oauth-client-attestation+jwt' &&\n options?.issuanceSessionId &&\n !trustedCertificates\n ) {\n const x509Config = agentContext.dependencyManager.resolve(X509ModuleConfig)\n const certificateChain = signer.x5c?.map((cert) => X509Certificate.fromEncodedCertificate(cert))\n\n trustedCertificates = await x509Config.getTrustedCertificatesForVerification?.(agentContext, {\n certificateChain,\n verification: {\n type: 'oauth2ClientAttestation',\n openId4VcIssuanceSessionId: options.issuanceSessionId,\n clientAttestation: {\n jwt: compact,\n payload: JwtPayload.fromJson(payload),\n },\n },\n })\n }\n\n const alg = signer.alg as Kms.KnownJwaSignatureAlgorithm\n if (!Object.values(Kms.KnownJwaSignatureAlgorithms).includes(alg)) {\n throw new CredoError(`Unsupported jwa signatre algorithm '${alg}'`)\n }\n\n const jwsSigner: JwsSignerWithJwk | undefined =\n signer.method === 'did'\n ? {\n method: 'did',\n didUrl: signer.didUrl,\n jwk: await getPublicJwkFromDid(agentContext, signer.didUrl),\n }\n : signer.method === 'jwk'\n ? 
{\n method: 'jwk',\n jwk: Kms.PublicJwk.fromUnknown(signer.publicJwk),\n }\n : signer.method === 'x5c'\n ? {\n method: 'x5c',\n x5c: signer.x5c,\n jwk: X509Certificate.fromEncodedCertificate(signer.x5c[0]).publicJwk,\n }\n : undefined\n\n if (!jwsSigner) {\n throw new CredoError(`Unable to verify jws with unsupported jws signer method '${signer.method}'`)\n }\n\n const { isValid, jwsSigners } = await jwsService.verifyJws(agentContext, {\n jws: compact,\n trustedCertificates,\n jwsSigner,\n })\n\n if (!isValid) {\n return { verified: false, signerJwk: undefined }\n }\n\n const signerJwk = jwsSigners[0].jwk.toJson() as Jwk\n return { verified: true, signerJwk }\n }\n}\n\nexport function getOid4vcEncryptJweCallback(agentContext: AgentContext): EncryptJweCallback {\n const kms = agentContext.dependencyManager.resolve(Kms.KeyManagementApi)\n\n return async (jweEncryptor, compact) => {\n if (jweEncryptor.method !== 'jwk') {\n throw new CredoError(\n `Jwt encryption method '${jweEncryptor.method}' is not supported for jwt signer. 
Only 'jwk' is supported.`\n )\n }\n\n // TODO: we should probably add a key id or ference to the jweEncryptor/jwsSigner in\n // oid4vc-ts so we can keep a reference to the key\n const jwk = Kms.PublicJwk.fromUnknown(jweEncryptor.publicJwk)\n if (!jwk.hasKeyId) {\n throw new CredoError('Expected kid to be defined on the JWK')\n }\n\n if (jweEncryptor.alg !== 'ECDH-ES') {\n throw new CredoError(\"Only 'ECDH-ES' is supported as 'alg' value for JARM response encryption\")\n }\n\n if (jweEncryptor.enc !== 'A256GCM' && jweEncryptor.enc !== 'A128GCM' && jweEncryptor.enc !== 'A128CBC-HS256') {\n throw new CredoError(\n \"Only 'A256GCM', 'A128GCM', and 'A128CBC-HS256' is supported as 'enc' value for JARM response encryption\"\n )\n }\n\n const jwkJson = jwk.toJson()\n if (jwkJson.kty !== 'EC' && jwkJson.kty !== 'OKP') {\n throw new CredoError(`Expected EC or OKP jwk for encryption, found ${Kms.getJwkHumanDescription(jwkJson)}`)\n }\n\n if (jwkJson.crv === 'Ed25519') {\n throw new CredoError(`Expected ${jwkJson.kty} with crv X25519, found ${Kms.getJwkHumanDescription(jwkJson)}`)\n }\n\n // TODO: create a JWE service that handles this\n const ephmeralKey = await kms.createKey({\n type: jwkJson,\n })\n\n try {\n const header = {\n kid: jweEncryptor.publicJwk.kid,\n apu: jweEncryptor.apu,\n apv: jweEncryptor.apv,\n enc: jweEncryptor.enc,\n alg: 'ECDH-ES',\n epk: ephmeralKey.publicJwk,\n }\n const encodedHeader = JsonEncoder.toBase64URL(header)\n\n const encrypted = await kms.encrypt({\n key: {\n keyAgreement: {\n // FIXME: We can make the keyId optional for ECDH-ES\n // That way we don't have to store the key\n keyId: ephmeralKey.keyId,\n algorithm: 'ECDH-ES',\n apu: jweEncryptor.apu ? TypedArrayEncoder.fromBase64(jweEncryptor.apu) : undefined,\n apv: jweEncryptor.apv ? 
TypedArrayEncoder.fromBase64(jweEncryptor.apv) : undefined,\n externalPublicJwk: jwkJson,\n },\n },\n data: Buffer.from(compact),\n encryption: {\n algorithm: jweEncryptor.enc,\n aad: Buffer.from(encodedHeader),\n },\n })\n\n if (!encrypted.iv || !encrypted.tag) {\n throw new CredoError(\"Expected 'iv' and 'tag' to be defined\")\n }\n\n const compactJwe = `${encodedHeader}..${TypedArrayEncoder.toBase64URL(encrypted.iv)}.${TypedArrayEncoder.toBase64URL(\n encrypted.encrypted\n )}.${TypedArrayEncoder.toBase64URL(encrypted.tag)}`\n\n return { encryptionJwk: jweEncryptor.publicJwk, jwe: compactJwe }\n } finally {\n // Delete the key\n await kms.deleteKey({\n keyId: ephmeralKey.keyId,\n })\n }\n }\n}\n\nexport function getOid4vcDecryptJweCallback(agentContext: AgentContext): DecryptJweCallback {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n return async (jwe, options) => {\n // TODO: use custom header zod schema to limit which algorithms can be used\n const { header } = decodeJwtHeader({ jwt: jwe })\n\n let kid = options?.jwk?.kid ?? header.kid\n if (!kid) {\n throw new CredoError('Uanbel to decrypt jwe. 
No kid or jwk found')\n }\n\n // Previously we used the fingerprint as the kid for JARM\n // We try to parse it as fingerprint if it starts with z (base58 encoding)\n // It's not 100%\n if (kid.startsWith('z')) {\n try {\n const publicJwk = Kms.PublicJwk.fromFingerprint(kid)\n if (publicJwk) kid = publicJwk.legacyKeyId\n } catch {\n // no-op\n }\n }\n\n // TODO: decodeJwe method in oid4vc-ts\n // encryption key is not used (we don't use key wrapping)\n const [encodedHeader /* encryptionKey */, , encodedIv, encodedCiphertext, encodedTag] = jwe.split('.')\n\n if (header.alg !== 'ECDH-ES') {\n throw new CredoError(\"Only 'ECDH-ES' is supported as 'alg' value for JARM response decryption\")\n }\n\n if (header.enc !== 'A256GCM' && header.enc !== 'A128GCM' && header.enc !== 'A128CBC-HS256') {\n throw new CredoError(\n \"Only 'A256GCM', 'A128GCM', and 'A128CBC-HS256' is supported as 'enc' value for JARM response decryption\"\n )\n }\n\n let decryptedPayload: string\n let publicJwk: Kms.PublicJwk\n\n const epk = Kms.PublicJwk.fromUnknown(header.epk)\n\n try {\n const decrypted = await kms.decrypt({\n encrypted: TypedArrayEncoder.fromBase64(encodedCiphertext),\n decryption: {\n algorithm: header.enc,\n // aad is the base64 encoded bytes (not just the bytes)\n aad: TypedArrayEncoder.fromString(encodedHeader),\n iv: TypedArrayEncoder.fromBase64(encodedIv),\n tag: TypedArrayEncoder.fromBase64(encodedTag),\n },\n key: {\n keyAgreement: {\n algorithm: header.alg,\n externalPublicJwk: epk.toJson() as Kms.KmsJwkPublicEcdh,\n keyId: kid,\n apu: typeof header.apu === 'string' ? TypedArrayEncoder.fromBase64(header.apu) : undefined,\n apv: typeof header.apv === 'string' ? 
TypedArrayEncoder.fromBase64(header.apv) : undefined,\n },\n },\n })\n\n // TODO: decrypt should return the public jwk instance\n publicJwk = Kms.PublicJwk.fromUnknown(\n await kms.getPublicKey({\n keyId: kid,\n })\n )\n\n decryptedPayload = TypedArrayEncoder.toUtf8String(decrypted.data)\n } catch (error) {\n agentContext.config.logger.error('Error decrypting JWE', {\n error,\n })\n return {\n decrypted: false,\n encryptionJwk: options?.jwk,\n payload: undefined,\n header,\n }\n }\n\n return {\n decrypted: true,\n decryptionJwk: publicJwk.toJson() as Jwk,\n payload: decryptedPayload,\n header,\n }\n }\n}\n\nexport function getOid4vcJwtSignCallback(agentContext: AgentContext): SignJwtCallback {\n const jwsService = agentContext.dependencyManager.resolve(JwsService)\n\n return async (signer, { payload, header }) => {\n if (signer.method === 'custom' || signer.method === 'federation') {\n throw new CredoError(`Jwt signer method 'custom' and 'federation' are not supported for jwt signer.`)\n }\n\n if (signer.method === 'x5c') {\n const leafCertificate = X509Service.getLeafCertificate(agentContext, { certificateChain: signer.x5c })\n\n const jws = await jwsService.createJwsCompact(agentContext, {\n protectedHeaderOptions: { ...header, alg: signer.alg as Kms.KnownJwaSignatureAlgorithm, jwk: undefined },\n payload: JwtPayload.fromJson(payload),\n keyId: signer.kid ?? leafCertificate.publicJwk.keyId,\n })\n\n return { jwt: jws, signerJwk: leafCertificate.publicJwk.toJson() as Jwk }\n }\n\n // TOOD: createJwsCompact should return the Jwk, so we don't have to reoslve it here\n const publicJwk =\n signer.method === 'did'\n ? 
await getPublicJwkFromDid(agentContext, signer.didUrl)\n : Kms.PublicJwk.fromUnknown(signer.publicJwk)\n\n if (!publicJwk.supportedSignatureAlgorithms.includes(signer.alg as Kms.KnownJwaSignatureAlgorithm)) {\n throw new CredoError(\n `jwk ${publicJwk.jwkTypehumanDescription} does not support JWS signature alg '${signer.alg}'`\n )\n }\n\n const jwt = await jwsService.createJwsCompact(agentContext, {\n protectedHeaderOptions: {\n ...header,\n jwk: header.jwk ? publicJwk : undefined,\n alg: signer.alg as Kms.KnownJwaSignatureAlgorithm,\n },\n payload: JsonEncoder.toBuffer(payload),\n keyId: signer.kid ?? publicJwk.keyId,\n })\n\n return { jwt, signerJwk: publicJwk.toJson() as Jwk }\n }\n}\n\nexport function getOid4vcCallbacks(\n agentContext: AgentContext,\n options?: {\n trustedCertificates?: string[]\n isVerifyOpenId4VpAuthorizationRequest?: boolean\n issuanceSessionId?: string\n }\n) {\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n\n return {\n hash: (data, alg) => Hasher.hash(data, alg.toLowerCase()),\n generateRandom: (length) => kms.randomBytes({ length }),\n signJwt: getOid4vcJwtSignCallback(agentContext),\n clientAuthentication: () => {\n throw new CredoError('Did not expect client authentication to be called.')\n },\n verifyJwt: getOid4vcJwtVerifyCallback(agentContext, {\n trustedCertificates: options?.trustedCertificates,\n isAuthorizationRequestJwt: options?.isVerifyOpenId4VpAuthorizationRequest,\n issuanceSessionId: options?.issuanceSessionId,\n }),\n fetch: agentContext.config.agentDependencies.fetch,\n encryptJwe: getOid4vcEncryptJweCallback(agentContext),\n decryptJwe: getOid4vcDecryptJweCallback(agentContext),\n getX509CertificateMetadata: (certificate: string) => {\n const leafCertificate = X509Service.getLeafCertificate(agentContext, { certificateChain: [certificate] })\n return {\n sanDnsNames: leafCertificate.sanDnsNames,\n sanUriNames: leafCertificate.sanUriNames,\n }\n },\n } satisfies Partial<CallbackContext>\n}\n\n/**\n * Allows us 
to authenticate when making requests to an external\n * authorization server\n */\nexport function dynamicOid4vciClientAuthentication(\n agentContext: AgentContext,\n issuerRecord: OpenId4VcIssuerRecord\n): ClientAuthenticationCallback {\n return (callbackOptions) => {\n const authorizationServer = issuerRecord.authorizationServerConfigs?.find(\n (a) => a.issuer === callbackOptions.authorizationServerMetadata.issuer\n )\n\n if (!authorizationServer) {\n // No client authentication if authorization server is not configured\n agentContext.config.logger.debug(\n `Unknown authorization server '${callbackOptions.authorizationServerMetadata.issuer}' for issuer '${issuerRecord.issuerId}' for request to '${callbackOptions.url}'`\n )\n return\n }\n\n if (!authorizationServer.clientAuthentication) {\n throw new CredoError(\n `Unable to authenticate to authorization server '${authorizationServer.issuer}' for issuer '${issuerRecord.issuerId}' for request to '${callbackOptions.url}'. Make sure to configure a 'clientId' and 'clientSecret' for the authorization server on the issuer record.`\n )\n }\n\n return clientAuthenticationDynamic({\n clientId: authorizationServer.clientAuthentication.clientId,\n clientSecret: authorizationServer.clientAuthentication.clientSecret,\n })(callbackOptions)\n 
}\n}\n"],"mappings":";;;;;AA6BA,SAAgB,2BACd,cACA,SAamB;CACnB,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;AAErE,QAAO,OAAO,QAAQ,EAAE,SAAS,QAAQ,cAAc;EACrD,IAAI,sBAAsB,SAAS;AACnC,MACE,OAAO,WAAW,UACjB,OAAO,QAAQ,yBAAyB,SAAS,8BAClD,CAAC,qBACD;GACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;GAC3E,MAAM,mBAAmB,OAAO,KAAK,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAEhG,yBAAsB,MAAM,WAAW,wCAAwC,cAAc;IAC3F;IACA,cAAc;KACZ,MAAM;KACN,sBAAsB;MACpB,KAAK;MACL,SAAS,WAAW,SAAS,QAAQ;MACtC;KACF;IACF,CAAC;;AAGJ,MACE,OAAO,WAAW,UACjB,OAAO,QAAQ,wBAAwB,OAAO,QAAQ,0BACvD,SAAS,qBACT,CAAC,qBACD;GACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;GAC3E,MAAM,mBAAmB,OAAO,KAAK,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAEhG,yBAAsB,MAAM,WAAW,wCAAwC,cAAc;IAC3F;IACA,cAAc;KACZ,MAAM;KACN,4BAA4B,QAAQ;KACpC,gBAAgB;MACd,KAAK;MACL,SAAS,WAAW,SAAS,QAAQ;MACtC;KACF;IACF,CAAC;;AAGJ,MACE,OAAO,WAAW,SAClB,OAAO,QAAQ,kCACf,SAAS,qBACT,CAAC,qBACD;GACA,MAAM,aAAa,aAAa,kBAAkB,QAAQ,iBAAiB;GAC3E,MAAM,mBAAmB,OAAO,KAAK,KAAK,SAAS,gBAAgB,uBAAuB,KAAK,CAAC;AAEhG,yBAAsB,MAAM,WAAW,wCAAwC,cAAc;IAC3F;IACA,cAAc;KACZ,MAAM;KACN,4BAA4B,QAAQ;KACpC,mBAAmB;MACjB,KAAK;MACL,SAAS,WAAW,SAAS,QAAQ;MACtC;KACF;IACF,CAAC;;EAGJ,MAAM,MAAM,OAAO;AACnB,MAAI,CAAC,OAAO,OAAO,IAAI,4BAA4B,CAAC,SAAS,IAAI,CAC/D,OAAM,IAAI,WAAW,uCAAuC,IAAI,GAAG;EAGrE,MAAMA,YACJ,OAAO,WAAW,QACd;GACE,QAAQ;GACR,QAAQ,OAAO;GACf,KAAK,MAAM,oBAAoB,cAAc,OAAO,OAAO;GAC5D,GACD,OAAO,WAAW,QAChB;GACE,QAAQ;GACR,KAAK,IAAI,UAAU,YAAY,OAAO,UAAU;GACjD,GACD,OAAO,WAAW,QAChB;GACE,QAAQ;GACR,KAAK,OAAO;GACZ,KAAK,gBAAgB,uBAAuB,OAAO,IAAI,GAAG,CAAC;GAC5D,GACD;AAEV,MAAI,CAAC,UACH,OAAM,IAAI,WAAW,4DAA4D,OAAO,OAAO,GAAG;EAGpG,MAAM,EAAE,SAAS,eAAe,MAAM,WAAW,UAAU,cAAc;GACvE,KAAK;GACL;GACA;GACD,CAAC;AAEF,MAAI,CAAC,QACH,QAAO;GAAE,UAAU;GAAO,WAAW;GAAW;AAIlD,SAAO;GAAE,UAAU;GAAM,WADP,WAAW,GAAG,IAAI,QAAQ;GACR;;;AAIxC,SAAgB,4BAA4B,cAAgD;CAC1F,MAAM,MAAM,aAAa,kBAAkB,QAAQ,IAAI,iBAAiB;AAExE,QAAO,OAAO,cAAc,YAAY;AACtC,MAAI,aAAa,WAAW,MAC1B,OAAM,IAAI,WACR,0BAA0B,aAAa,OAAO,6DAC/C;EAKH,MAAM,MAAM,IAAI,UAAU,YAAY,aAAa,UAAU;AAC7D,MAAI,CAAC,IAAI,SACP,OAAM,IAAI,WAAW,wCAAwC;AAG/D,MAAI,aAAa,QAAQ,UA
CvB,OAAM,IAAI,WAAW,0EAA0E;AAGjG,MAAI,aAAa,QAAQ,aAAa,aAAa,QAAQ,aAAa,aAAa,QAAQ,gBAC3F,OAAM,IAAI,WACR,0GACD;EAGH,MAAM,UAAU,IAAI,QAAQ;AAC5B,MAAI,QAAQ,QAAQ,QAAQ,QAAQ,QAAQ,MAC1C,OAAM,IAAI,WAAW,gDAAgD,IAAI,uBAAuB,QAAQ,GAAG;AAG7G,MAAI,QAAQ,QAAQ,UAClB,OAAM,IAAI,WAAW,YAAY,QAAQ,IAAI,0BAA0B,IAAI,uBAAuB,QAAQ,GAAG;EAI/G,MAAM,cAAc,MAAM,IAAI,UAAU,EACtC,MAAM,SACP,CAAC;AAEF,MAAI;GACF,MAAM,SAAS;IACb,KAAK,aAAa,UAAU;IAC5B,KAAK,aAAa;IAClB,KAAK,aAAa;IAClB,KAAK,aAAa;IAClB,KAAK;IACL,KAAK,YAAY;IAClB;GACD,MAAM,gBAAgB,YAAY,YAAY,OAAO;GAErD,MAAM,YAAY,MAAM,IAAI,QAAQ;IAClC,KAAK,EACH,cAAc;KAGZ,OAAO,YAAY;KACnB,WAAW;KACX,KAAK,aAAa,MAAM,kBAAkB,WAAW,aAAa,IAAI,GAAG;KACzE,KAAK,aAAa,MAAM,kBAAkB,WAAW,aAAa,IAAI,GAAG;KACzE,mBAAmB;KACpB,EACF;IACD,MAAM,OAAO,KAAK,QAAQ;IAC1B,YAAY;KACV,WAAW,aAAa;KACxB,KAAK,OAAO,KAAK,cAAc;KAChC;IACF,CAAC;AAEF,OAAI,CAAC,UAAU,MAAM,CAAC,UAAU,IAC9B,OAAM,IAAI,WAAW,wCAAwC;GAG/D,MAAM,aAAa,GAAG,cAAc,IAAI,kBAAkB,YAAY,UAAU,GAAG,CAAC,GAAG,kBAAkB,YACvG,UAAU,UACX,CAAC,GAAG,kBAAkB,YAAY,UAAU,IAAI;AAEjD,UAAO;IAAE,eAAe,aAAa;IAAW,KAAK;IAAY;YACzD;AAER,SAAM,IAAI,UAAU,EAClB,OAAO,YAAY,OACpB,CAAC;;;;AAKR,SAAgB,4BAA4B,cAAgD;CAC1F,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AACtD,QAAO,OAAO,KAAK,YAAY;EAE7B,MAAM,EAAE,WAAW,gBAAgB,EAAE,KAAK,KAAK,CAAC;EAEhD,IAAI,MAAM,SAAS,KAAK,OAAO,OAAO;AACtC,MAAI,CAAC,IACH,OAAM,IAAI,WAAW,6CAA6C;AAMpE,MAAI,IAAI,WAAW,IAAI,CACrB,KAAI;GACF,MAAMC,cAAY,IAAI,UAAU,gBAAgB,IAAI;AACpD,OAAIA,YAAW,OAAMA,YAAU;UACzB;EAOV,MAAM,CAAC,iBAAqC,WAAW,mBAAmB,cAAc,IAAI,MAAM,IAAI;AAEtG,MAAI,OAAO,QAAQ,UACjB,OAAM,IAAI,WAAW,0EAA0E;AAGjG,MAAI,OAAO,QAAQ,aAAa,OAAO,QAAQ,aAAa,OAAO,QAAQ,gBACzE,OAAM,IAAI,WACR,0GACD;EAGH,IAAIC;EACJ,IAAIC;EAEJ,MAAM,MAAM,IAAI,UAAU,YAAY,OAAO,IAAI;AAEjD,MAAI;GACF,MAAM,YAAY,MAAM,IAAI,QAAQ;IAClC,WAAW,kBAAkB,WAAW,kBAAkB;IAC1D,YAAY;KACV,WAAW,OAAO;KAElB,KAAK,kBAAkB,WAAW,cAAc;KAChD,IAAI,kBAAkB,WAAW,UAAU;KAC3C,KAAK,kBAAkB,WAAW,WAAW;KAC9C;IACD,KAAK,EACH,cAAc;KACZ,WAAW,OAAO;KAClB,mBAAmB,IAAI,QAAQ;KAC/B,OAAO;KACP,KAAK,OAAO,OAAO,QAAQ,WAAW,kBAAkB,WAAW,OAAO,IAAI,GAAG;KACjF,KAAK,OAAO,OAAO,QAAQ,WAAW,kBAAkB,WA
AW,OAAO,IAAI,GAAG;KAClF,EACF;IACF,CAAC;AAGF,eAAY,IAAI,UAAU,YACxB,MAAM,IAAI,aAAa,EACrB,OAAO,KACR,CAAC,CACH;AAED,sBAAmB,kBAAkB,aAAa,UAAU,KAAK;WAC1D,OAAO;AACd,gBAAa,OAAO,OAAO,MAAM,wBAAwB,EACvD,OACD,CAAC;AACF,UAAO;IACL,WAAW;IACX,eAAe,SAAS;IACxB,SAAS;IACT;IACD;;AAGH,SAAO;GACL,WAAW;GACX,eAAe,UAAU,QAAQ;GACjC,SAAS;GACT;GACD;;;AAIL,SAAgB,yBAAyB,cAA6C;CACpF,MAAM,aAAa,aAAa,kBAAkB,QAAQ,WAAW;AAErE,QAAO,OAAO,QAAQ,EAAE,SAAS,aAAa;AAC5C,MAAI,OAAO,WAAW,YAAY,OAAO,WAAW,aAClD,OAAM,IAAI,WAAW,gFAAgF;AAGvG,MAAI,OAAO,WAAW,OAAO;GAC3B,MAAM,kBAAkB,YAAY,mBAAmB,cAAc,EAAE,kBAAkB,OAAO,KAAK,CAAC;AAQtG,UAAO;IAAE,KANG,MAAM,WAAW,iBAAiB,cAAc;KAC1D,wBAAwB;MAAE,GAAG;MAAQ,KAAK,OAAO;MAAuC,KAAK;MAAW;KACxG,SAAS,WAAW,SAAS,QAAQ;KACrC,OAAO,OAAO,OAAO,gBAAgB,UAAU;KAChD,CAAC;IAEiB,WAAW,gBAAgB,UAAU,QAAQ;IAAS;;EAI3E,MAAM,YACJ,OAAO,WAAW,QACd,MAAM,oBAAoB,cAAc,OAAO,OAAO,GACtD,IAAI,UAAU,YAAY,OAAO,UAAU;AAEjD,MAAI,CAAC,UAAU,6BAA6B,SAAS,OAAO,IAAsC,CAChG,OAAM,IAAI,WACR,OAAO,UAAU,wBAAwB,uCAAuC,OAAO,IAAI,GAC5F;AAaH,SAAO;GAAE,KAVG,MAAM,WAAW,iBAAiB,cAAc;IAC1D,wBAAwB;KACtB,GAAG;KACH,KAAK,OAAO,MAAM,YAAY;KAC9B,KAAK,OAAO;KACb;IACD,SAAS,YAAY,SAAS,QAAQ;IACtC,OAAO,OAAO,OAAO,UAAU;IAChC,CAAC;GAEY,WAAW,UAAU,QAAQ;GAAS;;;AAIxD,SAAgB,mBACd,cACA,SAKA;CACA,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AAEtD,QAAO;EACL,OAAO,MAAM,QAAQ,OAAO,KAAK,MAAM,IAAI,aAAa,CAAC;EACzD,iBAAiB,WAAW,IAAI,YAAY,EAAE,QAAQ,CAAC;EACvD,SAAS,yBAAyB,aAAa;EAC/C,4BAA4B;AAC1B,SAAM,IAAI,WAAW,qDAAqD;;EAE5E,WAAW,2BAA2B,cAAc;GAClD,qBAAqB,SAAS;GAC9B,2BAA2B,SAAS;GACpC,mBAAmB,SAAS;GAC7B,CAAC;EACF,OAAO,aAAa,OAAO,kBAAkB;EAC7C,YAAY,4BAA4B,aAAa;EACrD,YAAY,4BAA4B,aAAa;EACrD,6BAA6B,gBAAwB;GACnD,MAAM,kBAAkB,YAAY,mBAAmB,cAAc,EAAE,kBAAkB,CAAC,YAAY,EAAE,CAAC;AACzG,UAAO;IACL,aAAa,gBAAgB;IAC7B,aAAa,gBAAgB;IAC9B;;EAEJ;;;;;;AAOH,SAAgB,mCACd,cACA,cAC8B;AAC9B,SAAQ,oBAAoB;EAC1B,MAAM,sBAAsB,aAAa,4BAA4B,MAClE,MAAM,EAAE,WAAW,gBAAgB,4BAA4B,OACjE;AAED,MAAI,CAAC,qBAAqB;AAExB,gBAAa,OAAO,OAAO,MACzB,iCAAiC,gBAAgB,4BAA4B,OAAO,gBAAgB,aAAa,SAAS,oBAAoB,gBAAgB,IAAI,GACnK;AACD;;AAGF,MAAI,CAAC,oBAAoB,qBACvB,OAAM,IAAI,WACR,mDAA
mD,oBAAoB,OAAO,gBAAgB,aAAa,SAAS,oBAAoB,gBAAgB,IAAI,8GAC7J;AAGH,SAAO,4BAA4B;GACjC,UAAU,oBAAoB,qBAAqB;GACnD,cAAc,oBAAoB,qBAAqB;GACxD,CAAC,CAAC,gBAAgB"}
|
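--- a/package/build/shared/index.js
+++ b/package/build/shared/index.js
@@ -1,6 +1,7 @@
 const require_rolldown_runtime = require('../_virtual/rolldown_runtime.js');
+const require_callbacks = require('./callbacks.js');
+const require_issuerMetadataUtils = require('./issuerMetadataUtils.js');
 const require_OpenId4VciCredentialFormatProfile = require('./models/OpenId4VciCredentialFormatProfile.js');
 require('./models/index.js');
-const require_issuerMetadataUtils = require('./issuerMetadataUtils.js');
 let __openid4vc_oauth2 = require("@openid4vc/oauth2");
 __openid4vc_oauth2 = require_rolldown_runtime.__toESM(__openid4vc_oauth2);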
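--- a/package/build/shared/index.mjs
+++ b/package/build/shared/index.mjs
@@ -1,3 +1,4 @@
+import { dynamicOid4vciClientAuthentication, getOid4vcCallbacks, getOid4vcDecryptJweCallback, getOid4vcEncryptJweCallback, getOid4vcJwtSignCallback, getOid4vcJwtVerifyCallback } from "./callbacks.mjs";
+import { getAllowedAndRequestedScopeValues, getCredentialConfigurationsSupportedForScopes, getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "./issuerMetadataUtils.mjs";
 import { OpenId4VciCredentialFormatProfile } from "./models/OpenId4VciCredentialFormatProfile.mjs";
 import { authorizationCodeGrantIdentifier, preAuthorizedCodeGrantIdentifier } from "./models/index.mjs";
-import { getAllowedAndRequestedScopeValues, getCredentialConfigurationsSupportedForScopes, getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "./issuerMetadataUtils.mjs";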