@credo-ts/openid4vc 0.6.0-pr-2392-20251010173905 → 0.6.0-pr-2457-20251016083534

Files changed (163)
  1. package/build/OpenId4VcApi.d.mts +1 -1
  2. package/build/OpenId4VcApi.d.ts +1 -1
  3. package/build/OpenId4VcApi.js +2 -2
  4. package/build/OpenId4VcApi.mjs +2 -2
  5. package/build/OpenId4VcModule.d.mts +1 -1
  6. package/build/OpenId4VcModule.d.ts +1 -1
  7. package/build/OpenId4VcModule.js +2 -2
  8. package/build/OpenId4VcModule.mjs +2 -2
  9. package/build/OpenId4VcModuleConfig.js +1 -1
  10. package/build/OpenId4VcModuleConfig.mjs +1 -1
  11. package/build/index.d.mts +15 -14
  12. package/build/index.d.ts +15 -14
  13. package/build/index.js +22 -15
  14. package/build/index.mjs +18 -17
  15. package/build/openid4vc-holder/OpenId4VcHolderApi.d.mts.map +1 -1
  16. package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts.map +1 -1
  17. package/build/openid4vc-holder/OpenId4VcHolderApi.mjs.map +1 -1
  18. package/build/openid4vc-holder/OpenId4VciHolderService.d.mts.map +1 -1
  19. package/build/openid4vc-holder/OpenId4VciHolderService.d.ts.map +1 -1
  20. package/build/openid4vc-holder/OpenId4VciHolderService.js +11 -8
  21. package/build/openid4vc-holder/OpenId4VciHolderService.mjs +11 -8
  22. package/build/openid4vc-holder/OpenId4VciHolderService.mjs.map +1 -1
  23. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.mts.map +1 -1
  24. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts.map +1 -1
  25. package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs.map +1 -1
  26. package/build/openid4vc-holder/OpenId4vpHolderService.d.mts.map +1 -1
  27. package/build/openid4vc-holder/OpenId4vpHolderService.d.ts.map +1 -1
  28. package/build/openid4vc-holder/OpenId4vpHolderService.js +4 -4
  29. package/build/openid4vc-holder/OpenId4vpHolderService.mjs +4 -4
  30. package/build/openid4vc-holder/OpenId4vpHolderService.mjs.map +1 -1
  31. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts +5 -214
  32. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts.map +1 -1
  33. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts +5 -214
  34. package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts.map +1 -1
  35. package/build/openid4vc-issuer/OpenId4VcIssuerApi.js +1 -1
  36. package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs +1 -1
  37. package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs.map +1 -1
  38. package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.mts.map +1 -1
  39. package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.ts.map +1 -1
  40. package/build/openid4vc-issuer/OpenId4VcIssuerModule.js +7 -7
  41. package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs +7 -7
  42. package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs.map +1 -1
  43. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts.map +1 -1
  44. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts.map +1 -1
  45. package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs.map +1 -1
  46. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts +8 -218
  47. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts.map +1 -1
  48. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +8 -218
  49. package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts.map +1 -1
  50. package/build/openid4vc-issuer/OpenId4VcIssuerService.js +18 -18
  51. package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs +19 -19
  52. package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs.map +1 -1
  53. package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.mts +1 -1
  54. package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +1 -1
  55. package/build/openid4vc-issuer/index.js +2 -2
  56. package/build/openid4vc-issuer/index.mjs +2 -2
  57. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts +1 -1
  58. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts.map +1 -1
  59. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +1 -1
  60. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts.map +1 -1
  61. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +1 -1
  62. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs +1 -1
  63. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs.map +1 -1
  64. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.js +1 -1
  65. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs +1 -1
  66. package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs.map +1 -1
  67. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.mts.map +1 -1
  68. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts.map +1 -1
  69. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs.map +1 -1
  70. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js +1 -1
  71. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs +1 -1
  72. package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs.map +1 -1
  73. package/build/openid4vc-issuer/repository/index.js +2 -2
  74. package/build/openid4vc-issuer/repository/index.mjs +2 -2
  75. package/build/openid4vc-issuer/router/accessTokenEndpoint.js +3 -4
  76. package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs +3 -4
  77. package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs.map +1 -1
  78. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +5 -6
  79. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs +6 -7
  80. package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs.map +1 -1
  81. package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.mjs.map +1 -1
  82. package/build/openid4vc-issuer/router/credentialEndpoint.js +5 -6
  83. package/build/openid4vc-issuer/router/credentialEndpoint.mjs +5 -6
  84. package/build/openid4vc-issuer/router/credentialEndpoint.mjs.map +1 -1
  85. package/build/openid4vc-issuer/router/credentialOfferEndpoint.js +2 -4
  86. package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs +3 -4
  87. package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs.map +1 -1
  88. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.js +2 -4
  89. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs +3 -4
  90. package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs.map +1 -1
  91. package/build/openid4vc-issuer/router/index.js +4 -4
  92. package/build/openid4vc-issuer/router/index.mjs +4 -4
  93. package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs.map +1 -1
  94. package/build/openid4vc-issuer/router/jwksEndpoint.mjs.map +1 -1
  95. package/build/openid4vc-issuer/router/nonceEndpoint.mjs.map +1 -1
  96. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts +1 -1
  97. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts.map +1 -1
  98. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts +1 -1
  99. package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts.map +1 -1
  100. package/build/openid4vc-verifier/OpenId4VcVerifierApi.js +1 -1
  101. package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs +1 -1
  102. package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs.map +1 -1
  103. package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.mts.map +1 -1
  104. package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.ts.map +1 -1
  105. package/build/openid4vc-verifier/OpenId4VcVerifierModule.js +2 -2
  106. package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs +2 -2
  107. package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs.map +1 -1
  108. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts +3 -3
  109. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts.map +1 -1
  110. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts +3 -3
  111. package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts.map +1 -1
  112. package/build/openid4vc-verifier/OpenId4VpVerifierService.js +17 -17
  113. package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs +17 -17
  114. package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs.map +1 -1
  115. package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.mts +1 -1
  116. package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.ts +1 -1
  117. package/build/openid4vc-verifier/index.js +3 -3
  118. package/build/openid4vc-verifier/index.mjs +3 -3
  119. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts +1 -1
  120. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts.map +1 -1
  121. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts +1 -1
  122. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts.map +1 -1
  123. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.mjs.map +1 -1
  124. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js +1 -1
  125. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs +1 -1
  126. package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs.map +1 -1
  127. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.mts.map +1 -1
  128. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.ts.map +1 -1
  129. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.mjs.map +1 -1
  130. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js +1 -1
  131. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs +1 -1
  132. package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs.map +1 -1
  133. package/build/openid4vc-verifier/repository/index.js +2 -2
  134. package/build/openid4vc-verifier/repository/index.mjs +2 -2
  135. package/build/openid4vc-verifier/router/authorizationEndpoint.js +1 -1
  136. package/build/openid4vc-verifier/router/authorizationEndpoint.mjs +1 -1
  137. package/build/openid4vc-verifier/router/authorizationEndpoint.mjs.map +1 -1
  138. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.js +1 -1
  139. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs +1 -1
  140. package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs.map +1 -1
  141. package/build/shared/callbacks.d.mts +46 -0
  142. package/build/shared/callbacks.d.mts.map +1 -0
  143. package/build/shared/callbacks.d.ts +46 -0
  144. package/build/shared/callbacks.d.ts.map +1 -0
  145. package/build/shared/callbacks.js +5 -1
  146. package/build/shared/callbacks.mjs +1 -1
  147. package/build/shared/callbacks.mjs.map +1 -1
  148. package/build/shared/index.js +2 -1
  149. package/build/shared/index.mjs +2 -1
  150. package/build/shared/issuerMetadataUtils.d.mts +2 -258
  151. package/build/shared/issuerMetadataUtils.d.mts.map +1 -1
  152. package/build/shared/issuerMetadataUtils.d.ts +2 -258
  153. package/build/shared/issuerMetadataUtils.d.ts.map +1 -1
  154. package/build/shared/issuerMetadataUtils.mjs.map +1 -1
  155. package/build/shared/models/index.d.ts +1 -1
  156. package/build/shared/router/context.mjs.map +1 -1
  157. package/build/shared/router/index.js +1 -1
  158. package/build/shared/router/index.mjs +1 -1
  159. package/build/shared/router/tenants.mjs.map +1 -1
  160. package/build/shared/utils.js +0 -8
  161. package/build/shared/utils.mjs +1 -7
  162. package/build/shared/utils.mjs.map +1 -1
  163. package/package.json +8 -8
@@ -1,6 +1,6 @@
1
1
  import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.mjs";
2
- import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
3
2
  import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.mjs";
3
+ import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
4
4
  import { OpenId4VcIssuanceSessionRecord } from "./OpenId4VcIssuanceSessionRecord.mjs";
5
5
  import { EventEmitter, InjectionSymbols, Repository, inject, injectable } from "@credo-ts/core";
6
6
 
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VcIssuanceSessionRepository.mjs","names":["OpenId4VcIssuanceSessionRepository","storageService: StorageService<OpenId4VcIssuanceSessionRecord>"],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.ts"],"sourcesContent":["import { EventEmitter, InjectionSymbols, Repository, type StorageService, inject, injectable } from '@credo-ts/core'\n\nimport { OpenId4VcIssuanceSessionRecord } from './OpenId4VcIssuanceSessionRecord'\n\n@injectable()\nexport class OpenId4VcIssuanceSessionRepository extends Repository<OpenId4VcIssuanceSessionRecord> {\n public constructor(\n @inject(InjectionSymbols.StorageService) storageService: StorageService<OpenId4VcIssuanceSessionRecord>,\n eventEmitter: EventEmitter\n ) {\n super(OpenId4VcIssuanceSessionRecord, storageService, eventEmitter)\n }\n}\n"],"mappings":";;;;;;;;AAKO,+CAAMA,6CAA2C,WAA2C;CACjG,AAAO,YACL,AAAyCC,gBACzC,cACA;AACA,QAAM,gCAAgC,gBAAgB,aAAa;;;;CANtE,YAAY;oBAGR,OAAO,iBAAiB,eAAe"}
1
+ {"version":3,"file":"OpenId4VcIssuanceSessionRepository.mjs","names":["OpenId4VcIssuanceSessionRepository","storageService: StorageService<OpenId4VcIssuanceSessionRecord>"],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.ts"],"sourcesContent":["import { EventEmitter, InjectionSymbols, inject, injectable, Repository, type StorageService } from '@credo-ts/core'\n\nimport { OpenId4VcIssuanceSessionRecord } from './OpenId4VcIssuanceSessionRecord'\n\n@injectable()\nexport class OpenId4VcIssuanceSessionRepository extends Repository<OpenId4VcIssuanceSessionRecord> {\n public constructor(\n @inject(InjectionSymbols.StorageService) storageService: StorageService<OpenId4VcIssuanceSessionRecord>,\n eventEmitter: EventEmitter\n ) {\n super(OpenId4VcIssuanceSessionRecord, storageService, eventEmitter)\n }\n}\n"],"mappings":";;;;;;;;AAKO,+CAAMA,6CAA2C,WAA2C;CACjG,AAAO,YACL,AAAyCC,gBACzC,cACA;AACA,QAAM,gCAAgC,gBAAgB,aAAa;;;;CANtE,YAAY;oBAGR,OAAO,iBAAiB,eAAe"}
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VcIssuerRecord.d.mts","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"sourcesContent":[],"mappings":";;;;;;KAYY,yBAAA,GAA4B,WAAW;KAEvC,gCAAA;EAFA,QAAA,EAAA,MAAA;CAAyB;AAAc,KAMvC,0BAAA,GANuC;KAAX,EAAA,MAAA;EAAU,SAAA,CAAA,EAQpC,IARoC;EAEtC,IAAA,CAAA,EAOH,QAPG;EAIA,QAAA,EAAA,MAAA;EAA0B;;;sBAUV,EAAJ,GAAA,CAAI,sBAAA;;;;;+BAWS,CAAA,EAAA,CALF,GAAA,CAAI,0BAKF,EAAA,GALiC,GAAA,CAAI,0BAKrC,EAAA,CAAA;SAKT,CAAA,EARhB,yCAQgB,EAAA;EAAwC,0BAAA,CAAA,EAPrC,mCAOqC,EAAA;EAQvD,iCAAsB,EAbE,sDAaF;EAAA;;;yBAyBU,CAAA,EAjCjB,wCAiCiB;;;;;;;AA4BJ,cArD5B,qBAAA,SAA8B,UAqDF,CArDa,gCAqDb,CAAA,CAAA;kBAAA,IAAA,GAAA,uBAAA;WAAA,IAAA,GAAA,uBAAA;UAAA,EAAA,MAAA;;;;;iCArDE,CAAA,EAAA,MAAA;EAAU,oBAAA,CAAA,EAWrB,GAAA,CAAI,sBAXiB;;;;;;qCAyBR;YAuB1B;+BACmB;mCACI,GAAA,CAAI,+BAA+B,GAAA,CAAI;4BAC9C;sCAEM,GAAA,CAAA,UAAA,GAAA,CAAA,mBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,eAAA,GAAA,CAAA,qBAAA,GAAA,CAAA;qBAiBb"}
1
+ {"version":3,"file":"OpenId4VcIssuerRecord.d.mts","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"sourcesContent":[],"mappings":";;;;;;KAUY,yBAAA,GAA4B,WAAW;KAEvC,gCAAA;;AAFZ,CAAA;AAAqC,KAMzB,0BAAA,GANyB;KAAc,EAAA,MAAA;WAAX,CAAA,EAQ1B,IAR0B;EAAU,IAAA,CAAA,EASzC,QATyC;EAEtC,QAAA,EAAA,MAAA;EAIA;;;sBAGH,EAOe,GAAA,CAAI,sBAPnB;;;;;+BAgBsB,CAAA,EAAA,CAHI,GAAA,CAAI,0BAGR,EAAA,GAHuC,GAAA,CAAI,0BAG3C,EAAA,CAAA;SAEM,CAAA,EAHzB,yCAGyB,EAAA;4BAKT,CAAA,EAPG,mCAOH,EAAA;EAAwC,iCAAA,EAL/B,sDAK+B;EAQvD;;;yBAWuB,CAAA,EAnBR,wCAmBQ;;;;;;;AA2CK,cAtD5B,qBAAA,SAA8B,UAsDF,CAtDa,gCAsDb,CAAA,CAAA;kBAAA,IAAA,GAAA,uBAAA;WAAA,IAAA,GAAA,uBAAA;UAAA,EAAA,MAAA;;;;;iCAiBb,CAAA,EAAA,MAAA;sBAvEe,CAAA,EAWX,GAAA,CAAI,sBAXO;EAAU;;;;;qCA0BR;YAuB1B;+BACmB;mCACI,GAAA,CAAI,+BAA+B,GAAA,CAAI;4BAC9C;sCAEM,GAAA,CAAA,UAAA,GAAA,CAAA,mBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,eAAA,GAAA,CAAA,qBAAA,GAAA,CAAA;qBAiBb"}
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VcIssuerRecord.d.ts","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"sourcesContent":[],"mappings":";;;;;;KAYY,yBAAA,GAA4B,WAAW;KAEvC,gCAAA;EAFA,QAAA,EAAA,MAAA;CAAyB;AAAc,KAMvC,0BAAA,GANuC;KAAX,EAAA,MAAA;EAAU,SAAA,CAAA,EAQpC,IARoC;EAEtC,IAAA,CAAA,EAOH,QAPG;EAIA,QAAA,EAAA,MAAA;EAA0B;;;sBAUV,EAAJ,GAAA,CAAI,sBAAA;;;;;+BAWS,CAAA,EAAA,CALF,GAAA,CAAI,0BAKF,EAAA,GALiC,GAAA,CAAI,0BAKrC,EAAA,CAAA;SAKT,CAAA,EARhB,yCAQgB,EAAA;EAAwC,0BAAA,CAAA,EAPrC,mCAOqC,EAAA;EAQvD,iCAAsB,EAbE,sDAaF;EAAA;;;yBAyBU,CAAA,EAjCjB,wCAiCiB;;;;;;;AA4BJ,cArD5B,qBAAA,SAA8B,UAqDF,CArDa,gCAqDb,CAAA,CAAA;kBAAA,IAAA,GAAA,uBAAA;WAAA,IAAA,GAAA,uBAAA;UAAA,EAAA,MAAA;;;;;iCArDE,CAAA,EAAA,MAAA;EAAU,oBAAA,CAAA,EAWrB,GAAA,CAAI,sBAXiB;;;;;;qCAyBR;YAuB1B;+BACmB;mCACI,GAAA,CAAI,+BAA+B,GAAA,CAAI;4BAC9C;sCAEM,GAAA,CAAA,UAAA,GAAA,CAAA,mBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,eAAA,GAAA,CAAA,qBAAA,GAAA,CAAA;qBAiBb"}
1
+ {"version":3,"file":"OpenId4VcIssuerRecord.d.ts","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"sourcesContent":[],"mappings":";;;;;;KAUY,yBAAA,GAA4B,WAAW;KAEvC,gCAAA;;AAFZ,CAAA;AAAqC,KAMzB,0BAAA,GANyB;KAAc,EAAA,MAAA;WAAX,CAAA,EAQ1B,IAR0B;EAAU,IAAA,CAAA,EASzC,QATyC;EAEtC,QAAA,EAAA,MAAA;EAIA;;;sBAGH,EAOe,GAAA,CAAI,sBAPnB;;;;;+BAgBsB,CAAA,EAAA,CAHI,GAAA,CAAI,0BAGR,EAAA,GAHuC,GAAA,CAAI,0BAG3C,EAAA,CAAA;SAEM,CAAA,EAHzB,yCAGyB,EAAA;4BAKT,CAAA,EAPG,mCAOH,EAAA;EAAwC,iCAAA,EAL/B,sDAK+B;EAQvD;;;yBAWuB,CAAA,EAnBR,wCAmBQ;;;;;;;AA2CK,cAtD5B,qBAAA,SAA8B,UAsDF,CAtDa,gCAsDb,CAAA,CAAA;kBAAA,IAAA,GAAA,uBAAA;WAAA,IAAA,GAAA,uBAAA;UAAA,EAAA,MAAA;;;;;iCAiBb,CAAA,EAAA,MAAA;sBAvEe,CAAA,EAWX,GAAA,CAAI,sBAXO;EAAU;;;;;qCA0BR;YAuB1B;+BACmB;mCACI,GAAA,CAAI,+BAA+B,GAAA,CAAI;4BAC9C;sCAEM,GAAA,CAAA,UAAA,GAAA,CAAA,mBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,gBAAA,GAAA,CAAA,eAAA,GAAA,CAAA,qBAAA,GAAA,CAAA;qBAiBb"}
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VcIssuerRecord.mjs","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"sourcesContent":["import { Kms, type RecordTags, type TagsBase } from '@credo-ts/core'\nimport type {\n OpenId4VciAuthorizationServerConfig,\n OpenId4VciCredentialConfigurationsSupportedWithFormats,\n OpenId4VciCredentialIssuerMetadataDisplay,\n} from '../../shared'\nimport type { OpenId4VciBatchCredentialIssuanceOptions } from '../OpenId4VcIssuerServiceOptions'\n\nimport { BaseRecord, CredoError, utils } from '@credo-ts/core'\nimport { credentialsSupportedToCredentialConfigurationsSupported } from '@openid4vc/openid4vci'\nimport { Transform, TransformationType } from 'class-transformer'\n\nexport type OpenId4VcIssuerRecordTags = RecordTags<OpenId4VcIssuerRecord>\n\nexport type DefaultOpenId4VcIssuerRecordTags = {\n issuerId: string\n}\n\nexport type OpenId4VcIssuerRecordProps = {\n id?: string\n createdAt?: Date\n tags?: TagsBase\n\n issuerId: string\n\n /**\n * The public jwk of the key used to sign access tokens for this issuer. Must include a `kid` parameter.\n */\n accessTokenPublicJwk: Kms.KmsJwkPublicAsymmetric\n\n /**\n * The DPoP signing algorithms supported by this issuer.\n * If not provided, dPoP is considered unsupported.\n */\n dpopSigningAlgValuesSupported?: [Kms.KnownJwaSignatureAlgorithm, ...Kms.KnownJwaSignatureAlgorithm[]]\n\n display?: OpenId4VciCredentialIssuerMetadataDisplay[]\n authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[]\n\n credentialConfigurationsSupported: OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n /**\n * Indicate support for batch issuane of credentials\n */\n batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions\n}\n\n/**\n * For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. 
This is not the case for DIDComm where we can just have one /didcomm endpoint.\n * So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints\n * and metadata files\n * */\nexport class OpenId4VcIssuerRecord extends BaseRecord<DefaultOpenId4VcIssuerRecordTags> {\n public static readonly type = 'OpenId4VcIssuerRecord'\n public readonly type = OpenId4VcIssuerRecord.type\n\n public issuerId!: string\n\n /**\n * @deprecated accessTokenPublicJwk should be used\n * @todo remove in migration\n */\n public accessTokenPublicKeyFingerprint?: string\n public accessTokenPublicJwk?: Kms.KmsJwkPublicAsymmetric\n\n /**\n * Only here for class transformation. If credentialsSupported is set we transform\n * it to the new credentialConfigurationsSupported format\n */\n private set credentialsSupported(credentialsSupported: Array<unknown>) {\n if (this.credentialConfigurationsSupported) return\n\n this.credentialConfigurationsSupported =\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported as any) as any\n }\n\n public credentialConfigurationsSupported!: OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n // Draft 11 to draft 13+ syntax\n @Transform(({ type, value }) => {\n if (type === TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) {\n return value.map((display) => {\n if (display.logo?.uri) return display\n\n const { url, ...logoRest } = display.logo ?? {}\n return {\n ...display,\n logo: url\n ? 
{\n ...logoRest,\n uri: url,\n }\n : undefined,\n }\n })\n }\n\n return value\n })\n public display?: OpenId4VciCredentialIssuerMetadataDisplay[]\n public authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[]\n public dpopSigningAlgValuesSupported?: [Kms.KnownJwaSignatureAlgorithm, ...Kms.KnownJwaSignatureAlgorithm[]]\n public batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions\n\n public get resolvedAccessTokenPublicJwk() {\n if (this.accessTokenPublicJwk) {\n return Kms.PublicJwk.fromPublicJwk(this.accessTokenPublicJwk)\n }\n\n // From before we introduced key ids, uses legacy key id\n if (this.accessTokenPublicKeyFingerprint) {\n const publicJwk = Kms.PublicJwk.fromFingerprint(this.accessTokenPublicKeyFingerprint)\n publicJwk.keyId = publicJwk.legacyKeyId\n return publicJwk\n }\n\n throw new CredoError(\n 'Neither accessTokenPublicJwk or accessTokenPublicKeyFingerprint defined. Unable to resolve access token public jwk.'\n )\n }\n\n public constructor(props: OpenId4VcIssuerRecordProps) {\n super()\n\n if (props) {\n this.id = props.id ?? utils.uuid()\n this.createdAt = props.createdAt ?? new Date()\n this._tags = props.tags ?? 
{}\n\n this.issuerId = props.issuerId\n this.accessTokenPublicJwk = props.accessTokenPublicJwk\n this.credentialConfigurationsSupported = props.credentialConfigurationsSupported\n this.dpopSigningAlgValuesSupported = props.dpopSigningAlgValuesSupported\n this.display = props.display\n this.authorizationServerConfigs = props.authorizationServerConfigs\n this.batchCredentialIssuance = props.batchCredentialIssuance\n }\n }\n\n public getTags() {\n return {\n ...this._tags,\n issuerId: this.issuerId,\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;AAoDA,IAAa,wBAAb,MAAa,8BAA8B,WAA6C;;;;;CAiBtF,IAAY,qBAAqB,sBAAsC;AACrE,MAAI,KAAK,kCAAmC;AAE5C,OAAK,oCAEH,wDAAwD,qBAA4B;;CA+BxF,IAAW,+BAA+B;AACxC,MAAI,KAAK,qBACP,QAAO,IAAI,UAAU,cAAc,KAAK,qBAAqB;AAI/D,MAAI,KAAK,iCAAiC;GACxC,MAAM,YAAY,IAAI,UAAU,gBAAgB,KAAK,gCAAgC;AACrF,aAAU,QAAQ,UAAU;AAC5B,UAAO;;AAGT,QAAM,IAAI,WACR,sHACD;;CAGH,AAAO,YAAY,OAAmC;AACpD,SAAO;OArEO,OAAO,sBAAsB;AAuE3C,MAAI,OAAO;AACT,QAAK,KAAK,MAAM,MAAM,MAAM,MAAM;AAClC,QAAK,YAAY,MAAM,6BAAa,IAAI,MAAM;AAC9C,QAAK,QAAQ,MAAM,QAAQ,EAAE;AAE7B,QAAK,WAAW,MAAM;AACtB,QAAK,uBAAuB,MAAM;AAClC,QAAK,oCAAoC,MAAM;AAC/C,QAAK,gCAAgC,MAAM;AAC3C,QAAK,UAAU,MAAM;AACrB,QAAK,6BAA6B,MAAM;AACxC,QAAK,0BAA0B,MAAM;;;CAIzC,AAAO,UAAU;AACf,SAAO;GACL,GAAG,KAAK;GACR,UAAU,KAAK;GAChB;;;sBA3FoB,OAAO;YA2B7B,WAAW,EAAE,MAAM,YAAY;AAC9B,KAAI,SAAS,mBAAmB,kBAAkB,MAAM,QAAQ,MAAM,CACpE,QAAO,MAAM,KAAK,YAAY;AAC5B,MAAI,QAAQ,MAAM,IAAK,QAAO;EAE9B,MAAM,EAAE,IAAK,GAAG,aAAa,QAAQ,QAAQ,EAAE;AAC/C,SAAO;GACL,GAAG;GACH,MAAM,MACF;IACE,GAAG;IACH,KAAK;IACN,GACD;GACL;GACD;AAGJ,QAAO;EACP"}
1
+ {"version":3,"file":"OpenId4VcIssuerRecord.mjs","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"sourcesContent":["import { BaseRecord, CredoError, Kms, type RecordTags, type TagsBase, utils } from '@credo-ts/core'\nimport { credentialsSupportedToCredentialConfigurationsSupported } from '@openid4vc/openid4vci'\nimport { Transform, TransformationType } from 'class-transformer'\nimport type {\n OpenId4VciAuthorizationServerConfig,\n OpenId4VciCredentialConfigurationsSupportedWithFormats,\n OpenId4VciCredentialIssuerMetadataDisplay,\n} from '../../shared'\nimport type { OpenId4VciBatchCredentialIssuanceOptions } from '../OpenId4VcIssuerServiceOptions'\n\nexport type OpenId4VcIssuerRecordTags = RecordTags<OpenId4VcIssuerRecord>\n\nexport type DefaultOpenId4VcIssuerRecordTags = {\n issuerId: string\n}\n\nexport type OpenId4VcIssuerRecordProps = {\n id?: string\n createdAt?: Date\n tags?: TagsBase\n\n issuerId: string\n\n /**\n * The public jwk of the key used to sign access tokens for this issuer. Must include a `kid` parameter.\n */\n accessTokenPublicJwk: Kms.KmsJwkPublicAsymmetric\n\n /**\n * The DPoP signing algorithms supported by this issuer.\n * If not provided, dPoP is considered unsupported.\n */\n dpopSigningAlgValuesSupported?: [Kms.KnownJwaSignatureAlgorithm, ...Kms.KnownJwaSignatureAlgorithm[]]\n\n display?: OpenId4VciCredentialIssuerMetadataDisplay[]\n authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[]\n\n credentialConfigurationsSupported: OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n /**\n * Indicate support for batch issuane of credentials\n */\n batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions\n}\n\n/**\n * For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. 
This is not the case for DIDComm where we can just have one /didcomm endpoint.\n * So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints\n * and metadata files\n * */\nexport class OpenId4VcIssuerRecord extends BaseRecord<DefaultOpenId4VcIssuerRecordTags> {\n public static readonly type = 'OpenId4VcIssuerRecord'\n public readonly type = OpenId4VcIssuerRecord.type\n\n public issuerId!: string\n\n /**\n * @deprecated accessTokenPublicJwk should be used\n * @todo remove in migration\n */\n public accessTokenPublicKeyFingerprint?: string\n public accessTokenPublicJwk?: Kms.KmsJwkPublicAsymmetric\n\n /**\n * Only here for class transformation. If credentialsSupported is set we transform\n * it to the new credentialConfigurationsSupported format\n */\n // biome-ignore lint/correctness/noUnusedPrivateClassMembers: see above\n private set credentialsSupported(credentialsSupported: Array<unknown>) {\n if (this.credentialConfigurationsSupported) return\n\n this.credentialConfigurationsSupported =\n // biome-ignore lint/suspicious/noExplicitAny: no explanation\n credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported as any) as any\n }\n\n public credentialConfigurationsSupported!: OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n // Draft 11 to draft 13+ syntax\n @Transform(({ type, value }) => {\n if (type === TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) {\n return value.map((display) => {\n if (display.logo?.uri) return display\n\n const { url, ...logoRest } = display.logo ?? {}\n return {\n ...display,\n logo: url\n ? 
{\n ...logoRest,\n uri: url,\n }\n : undefined,\n }\n })\n }\n\n return value\n })\n public display?: OpenId4VciCredentialIssuerMetadataDisplay[]\n public authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[]\n public dpopSigningAlgValuesSupported?: [Kms.KnownJwaSignatureAlgorithm, ...Kms.KnownJwaSignatureAlgorithm[]]\n public batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions\n\n public get resolvedAccessTokenPublicJwk() {\n if (this.accessTokenPublicJwk) {\n return Kms.PublicJwk.fromPublicJwk(this.accessTokenPublicJwk)\n }\n\n // From before we introduced key ids, uses legacy key id\n if (this.accessTokenPublicKeyFingerprint) {\n const publicJwk = Kms.PublicJwk.fromFingerprint(this.accessTokenPublicKeyFingerprint)\n publicJwk.keyId = publicJwk.legacyKeyId\n return publicJwk\n }\n\n throw new CredoError(\n 'Neither accessTokenPublicJwk or accessTokenPublicKeyFingerprint defined. Unable to resolve access token public jwk.'\n )\n }\n\n public constructor(props: OpenId4VcIssuerRecordProps) {\n super()\n\n if (props) {\n this.id = props.id ?? utils.uuid()\n this.createdAt = props.createdAt ?? new Date()\n this._tags = props.tags ?? 
{}\n\n this.issuerId = props.issuerId\n this.accessTokenPublicJwk = props.accessTokenPublicJwk\n this.credentialConfigurationsSupported = props.credentialConfigurationsSupported\n this.dpopSigningAlgValuesSupported = props.dpopSigningAlgValuesSupported\n this.display = props.display\n this.authorizationServerConfigs = props.authorizationServerConfigs\n this.batchCredentialIssuance = props.batchCredentialIssuance\n }\n }\n\n public getTags() {\n return {\n ...this._tags,\n issuerId: this.issuerId,\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;AAkDA,IAAa,wBAAb,MAAa,8BAA8B,WAA6C;;;;;CAkBtF,IAAY,qBAAqB,sBAAsC;AACrE,MAAI,KAAK,kCAAmC;AAE5C,OAAK,oCAEH,wDAAwD,qBAA4B;;CA+BxF,IAAW,+BAA+B;AACxC,MAAI,KAAK,qBACP,QAAO,IAAI,UAAU,cAAc,KAAK,qBAAqB;AAI/D,MAAI,KAAK,iCAAiC;GACxC,MAAM,YAAY,IAAI,UAAU,gBAAgB,KAAK,gCAAgC;AACrF,aAAU,QAAQ,UAAU;AAC5B,UAAO;;AAGT,QAAM,IAAI,WACR,sHACD;;CAGH,AAAO,YAAY,OAAmC;AACpD,SAAO;OAtEO,OAAO,sBAAsB;AAwE3C,MAAI,OAAO;AACT,QAAK,KAAK,MAAM,MAAM,MAAM,MAAM;AAClC,QAAK,YAAY,MAAM,6BAAa,IAAI,MAAM;AAC9C,QAAK,QAAQ,MAAM,QAAQ,EAAE;AAE7B,QAAK,WAAW,MAAM;AACtB,QAAK,uBAAuB,MAAM;AAClC,QAAK,oCAAoC,MAAM;AAC/C,QAAK,gCAAgC,MAAM;AAC3C,QAAK,UAAU,MAAM;AACrB,QAAK,6BAA6B,MAAM;AACxC,QAAK,0BAA0B,MAAM;;;CAIzC,AAAO,UAAU;AACf,SAAO;GACL,GAAG,KAAK;GACR,UAAU,KAAK;GAChB;;;sBA5FoB,OAAO;YA4B7B,WAAW,EAAE,MAAM,YAAY;AAC9B,KAAI,SAAS,mBAAmB,kBAAkB,MAAM,QAAQ,MAAM,CACpE,QAAO,MAAM,KAAK,YAAY;AAC5B,MAAI,QAAQ,MAAM,IAAK,QAAO;EAE9B,MAAM,EAAE,IAAK,GAAG,aAAa,QAAQ,QAAQ,EAAE;AAC/C,SAAO;GACL,GAAG;GACH,MAAM,MACF;IACE,GAAG;IACH,KAAK;IACN,GACD;GACL;GACD;AAGJ,QAAO;EACP"}
@@ -1,7 +1,7 @@
1
1
  const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
2
2
  const require_decorateMetadata = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.js');
3
- const require_decorateParam = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
4
3
  const require_decorate = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.js');
4
+ const require_decorateParam = require('../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.js');
5
5
  const require_OpenId4VcIssuerRecord = require('./OpenId4VcIssuerRecord.js');
6
6
  let __credo_ts_core = require("@credo-ts/core");
7
7
  __credo_ts_core = require_rolldown_runtime.__toESM(__credo_ts_core);
@@ -1,6 +1,6 @@
1
1
  import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateMetadata.mjs";
2
- import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
3
2
  import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorate.mjs";
3
+ import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.94.0/helpers/decorateParam.mjs";
4
4
  import { OpenId4VcIssuerRecord } from "./OpenId4VcIssuerRecord.mjs";
5
5
  import { EventEmitter, InjectionSymbols, Repository, inject, injectable } from "@credo-ts/core";
6
6
 
@@ -1 +1 @@
1
- {"version":3,"file":"OpenId4VcIssuerRepository.mjs","names":["OpenId4VcIssuerRepository","storageService: StorageService<OpenId4VcIssuerRecord>"],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts"],"sourcesContent":["import type { AgentContext } from '@credo-ts/core'\n\nimport { EventEmitter, InjectionSymbols, Repository, type StorageService, inject, injectable } from '@credo-ts/core'\n\nimport { OpenId4VcIssuerRecord } from './OpenId4VcIssuerRecord'\n\n@injectable()\nexport class OpenId4VcIssuerRepository extends Repository<OpenId4VcIssuerRecord> {\n public constructor(\n @inject(InjectionSymbols.StorageService) storageService: StorageService<OpenId4VcIssuerRecord>,\n eventEmitter: EventEmitter\n ) {\n super(OpenId4VcIssuerRecord, storageService, eventEmitter)\n }\n\n public findByIssuerId(agentContext: AgentContext, issuerId: string) {\n return this.findSingleByQuery(agentContext, { issuerId })\n }\n\n public getByIssuerId(agentContext: AgentContext, issuerId: string) {\n return this.getSingleByQuery(agentContext, { issuerId })\n }\n}\n"],"mappings":";;;;;;;;AAOO,sCAAMA,oCAAkC,WAAkC;CAC/E,AAAO,YACL,AAAyCC,gBACzC,cACA;AACA,QAAM,uBAAuB,gBAAgB,aAAa;;CAG5D,AAAO,eAAe,cAA4B,UAAkB;AAClE,SAAO,KAAK,kBAAkB,cAAc,EAAE,UAAU,CAAC;;CAG3D,AAAO,cAAc,cAA4B,UAAkB;AACjE,SAAO,KAAK,iBAAiB,cAAc,EAAE,UAAU,CAAC;;;;CAd3D,YAAY;oBAGR,OAAO,iBAAiB,eAAe"}
1
+ {"version":3,"file":"OpenId4VcIssuerRepository.mjs","names":["OpenId4VcIssuerRepository","storageService: StorageService<OpenId4VcIssuerRecord>"],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts"],"sourcesContent":["import type { AgentContext } from '@credo-ts/core'\n\nimport { EventEmitter, InjectionSymbols, inject, injectable, Repository, type StorageService } from '@credo-ts/core'\n\nimport { OpenId4VcIssuerRecord } from './OpenId4VcIssuerRecord'\n\n@injectable()\nexport class OpenId4VcIssuerRepository extends Repository<OpenId4VcIssuerRecord> {\n public constructor(\n @inject(InjectionSymbols.StorageService) storageService: StorageService<OpenId4VcIssuerRecord>,\n eventEmitter: EventEmitter\n ) {\n super(OpenId4VcIssuerRecord, storageService, eventEmitter)\n }\n\n public findByIssuerId(agentContext: AgentContext, issuerId: string) {\n return this.findSingleByQuery(agentContext, { issuerId })\n }\n\n public getByIssuerId(agentContext: AgentContext, issuerId: string) {\n return this.getSingleByQuery(agentContext, { issuerId })\n }\n}\n"],"mappings":";;;;;;;;AAOO,sCAAMA,oCAAkC,WAAkC;CAC/E,AAAO,YACL,AAAyCC,gBACzC,cACA;AACA,QAAM,uBAAuB,gBAAgB,aAAa;;CAG5D,AAAO,eAAe,cAA4B,UAAkB;AAClE,SAAO,KAAK,kBAAkB,cAAc,EAAE,UAAU,CAAC;;CAG3D,AAAO,cAAc,cAA4B,UAAkB;AACjE,SAAO,KAAK,iBAAiB,cAAc,EAAE,UAAU,CAAC;;;;CAd3D,YAAY;oBAGR,OAAO,iBAAiB,eAAe"}
@@ -1,4 +1,4 @@
1
- const require_OpenId4VcIssuerRecord = require('./OpenId4VcIssuerRecord.js');
2
- const require_OpenId4VcIssuerRepository = require('./OpenId4VcIssuerRepository.js');
3
1
  const require_OpenId4VcIssuanceSessionRecord = require('./OpenId4VcIssuanceSessionRecord.js');
4
2
  const require_OpenId4VcIssuanceSessionRepository = require('./OpenId4VcIssuanceSessionRepository.js');
3
+ const require_OpenId4VcIssuerRecord = require('./OpenId4VcIssuerRecord.js');
4
+ const require_OpenId4VcIssuerRepository = require('./OpenId4VcIssuerRepository.js');
@@ -1,4 +1,4 @@
1
- import { OpenId4VcIssuerRecord } from "./OpenId4VcIssuerRecord.mjs";
2
- import { OpenId4VcIssuerRepository } from "./OpenId4VcIssuerRepository.mjs";
3
1
  import { OpenId4VcIssuanceSessionRecord } from "./OpenId4VcIssuanceSessionRecord.mjs";
4
2
  import { OpenId4VcIssuanceSessionRepository } from "./OpenId4VcIssuanceSessionRepository.mjs";
3
+ import { OpenId4VcIssuerRecord } from "./OpenId4VcIssuerRecord.mjs";
4
+ import { OpenId4VcIssuerRepository } from "./OpenId4VcIssuerRepository.mjs";
@@ -1,8 +1,7 @@
1
1
  const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
2
- const require_utils = require('../../shared/utils.js');
2
+ const require_OpenId4VcIssuanceSessionState = require('../OpenId4VcIssuanceSessionState.js');
3
3
  const require_context = require('../../shared/router/context.js');
4
4
  require('../../shared/router/index.js');
5
- const require_OpenId4VcIssuanceSessionState = require('../OpenId4VcIssuanceSessionState.js');
6
5
  const require_OpenId4VcIssuanceSessionRepository = require('../repository/OpenId4VcIssuanceSessionRepository.js');
7
6
  require('../repository/index.js');
8
7
  const require_OpenId4VcIssuerService = require('../OpenId4VcIssuerService.js');
@@ -68,7 +67,7 @@ function handleTokenRequest(config) {
68
67
  error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidGrant,
69
68
  error_description: "Invalid authorization code"
70
69
  });
71
- const expiresAt = issuanceSession.expiresAt ?? require_utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
70
+ const expiresAt = issuanceSession.expiresAt ?? __credo_ts_core.utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
72
71
  if (Date.now() > expiresAt.getTime()) {
73
72
  issuanceSession.errorMessage = "Credential offer has expired";
74
73
  await openId4VcIssuerService.updateState(agentContext, issuanceSession, require_OpenId4VcIssuanceSessionState.OpenId4VcIssuanceSessionState.Error);
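Review bot: The fallback deadline `issuanceSession.expiresAt ?? __credo_ts_core.utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)` assigned to `expiresAt` at new line 70 is spelled out a second time for `preAuthorizedCodeExpiresAt` in the following hunk (new line 101). Passing the value already computed, `preAuthorizedCodeExpiresAt: expiresAt`, would keep the session-expiry check and the pre-authorized-code verification on one deadline, so a later edit to the fallback cannot change one and miss the other. The same pair appears in the `.mjs` build of this file (new lines 67 and 98). `handleTokenRequest` starts and ends outside this hunk; the `sourcesContent` embedded in the source map further down the page shows both uses inside the same `try` block, so `expiresAt` should be in scope at the second site. Since this file is build output, the change belongs in `src/openid4vc-issuer/router/accessTokenEndpoint.ts`.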
@@ -99,7 +98,7 @@ function handleTokenRequest(config) {
99
98
  required: issuanceSession.dpop?.required ?? config.dpopRequired
100
99
  },
101
100
  expectedTxCode: issuanceSession.userPin,
102
- preAuthorizedCodeExpiresAt: issuanceSession.expiresAt ?? require_utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)
101
+ preAuthorizedCodeExpiresAt: issuanceSession.expiresAt ?? __credo_ts_core.utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)
103
102
  });
104
103
  } else if (grant.grantType === __openid4vc_oauth2.authorizationCodeGrantIdentifier) {
105
104
  if (!issuanceSession.authorization?.code || !issuanceSession.authorization?.codeExpiresAt) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
@@ -1,7 +1,6 @@
1
- import { addSecondsToDate } from "../../shared/utils.mjs";
1
+ import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
2
2
  import { getRequestContext, sendJsonResponse, sendOauth2ErrorResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
3
3
  import "../../shared/router/index.mjs";
4
- import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
5
4
  import { OpenId4VcIssuanceSessionRepository } from "../repository/OpenId4VcIssuanceSessionRepository.mjs";
6
5
  import "../repository/index.mjs";
7
6
  import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
@@ -65,7 +64,7 @@ function handleTokenRequest(config) {
65
64
  error: Oauth2ErrorCodes.InvalidGrant,
66
65
  error_description: "Invalid authorization code"
67
66
  });
68
- const expiresAt = issuanceSession.expiresAt ?? addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
67
+ const expiresAt = issuanceSession.expiresAt ?? utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
69
68
  if (Date.now() > expiresAt.getTime()) {
70
69
  issuanceSession.errorMessage = "Credential offer has expired";
71
70
  await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error);
@@ -96,7 +95,7 @@ function handleTokenRequest(config) {
96
95
  required: issuanceSession.dpop?.required ?? config.dpopRequired
97
96
  },
98
97
  expectedTxCode: issuanceSession.userPin,
99
- preAuthorizedCodeExpiresAt: issuanceSession.expiresAt ?? addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)
98
+ preAuthorizedCodeExpiresAt: issuanceSession.expiresAt ?? utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)
100
99
  });
101
100
  } else if (grant.grantType === authorizationCodeGrantIdentifier) {
102
101
  if (!issuanceSession.authorization?.code || !issuanceSession.authorization?.codeExpiresAt) throw new Oauth2ServerErrorResponseError({
@@ -1 +1 @@
1
- {"version":3,"file":"accessTokenEndpoint.mjs","names":["allowedStates: OpenId4VcIssuanceSessionState[]","query: Query<OpenId4VcIssuanceSessionRecord>","parsedRefreshToken: ReturnType<OpenId4VcIssuerService['parseRefreshToken']> | undefined","verificationResult: VerifyAccessTokenRequestReturn","refreshToken: string | undefined"],"sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"sourcesContent":["import type { HttpMethod, Jwk, VerifyAccessTokenRequestReturn } from '@openid4vc/oauth2'\nimport type { NextFunction, Response, Router } from 'express'\nimport type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nimport { CredoError, type Query, joinUriParts, utils } from '@credo-ts/core'\nimport {\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n authorizationCodeGrantIdentifier,\n preAuthorizedCodeGrantIdentifier,\n refreshTokenGrantIdentifier,\n} from '@openid4vc/oauth2'\nimport {\n getRequestContext,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { addSecondsToDate } from '../../shared/utils'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport { OpenId4VcIssuanceSessionRecord, OpenId4VcIssuanceSessionRepository } from '../repository'\n\nexport function configureAccessTokenEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.post(config.accessTokenEndpointPath, handleTokenRequest(config))\n}\n\nexport function handleTokenRequest(config: OpenId4VcIssuerModuleConfig) {\n return async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => {\n response.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' })\n const requestContext = getRequestContext(request)\n const { agentContext, issuer } = requestContext\n\n try {\n const 
openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuanceSessionRepository = agentContext.dependencyManager.resolve(OpenId4VcIssuanceSessionRepository)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const accessTokenSigningKey = issuer.resolvedAccessTokenPublicJwk\n let oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext)\n\n const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n config.accessTokenEndpointPath,\n ])\n const requestLike = {\n headers: new Headers(request.headers as Record<string, string>),\n method: request.method as HttpMethod,\n url: fullRequestUrl,\n } as const\n\n const { accessTokenRequest, grant, dpop, clientAttestation, pkceCodeVerifier } =\n oauth2AuthorizationServer.parseAccessTokenRequest({\n accessTokenRequest: request.body,\n request: requestLike,\n })\n\n let allowedStates: OpenId4VcIssuanceSessionState[]\n let query: Query<OpenId4VcIssuanceSessionRecord>\n let parsedRefreshToken: ReturnType<OpenId4VcIssuerService['parseRefreshToken']> | undefined\n\n switch (grant.grantType) {\n case preAuthorizedCodeGrantIdentifier:\n allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved]\n query = { preAuthorizedCode: grant.preAuthorizedCode }\n break\n case authorizationCodeGrantIdentifier:\n allowedStates = [OpenId4VcIssuanceSessionState.AuthorizationGranted]\n query = { authorizationCode: grant.code }\n break\n case refreshTokenGrantIdentifier:\n allowedStates = [\n OpenId4VcIssuanceSessionState.CredentialRequestReceived,\n OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued,\n ]\n parsedRefreshToken = openId4VcIssuerService.parseRefreshToken(grant.refreshToken)\n query = {\n preAuthorizedCode: parsedRefreshToken.preAuthorizedCode,\n authorizationCode: parsedRefreshToken.issuerState,\n }\n break\n default:\n throw new 
Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.UnsupportedGrantType,\n error_description: 'Unsupported grant type',\n })\n }\n\n const issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, query)\n if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Invalid authorization code',\n })\n }\n\n const expiresAt =\n issuanceSession.expiresAt ??\n addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)\n\n if (Date.now() > expiresAt.getTime()) {\n issuanceSession.errorMessage = 'Credential offer has expired'\n await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n throw new Oauth2ServerErrorResponseError({\n // What is the best error here?\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Session expired',\n })\n }\n\n oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n issuanceSessionId: issuanceSession.id,\n })\n let verificationResult: VerifyAccessTokenRequestReturn\n\n if (grant.grantType === preAuthorizedCodeGrantIdentifier) {\n if (!issuanceSession.preAuthorizedCode) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Invalid authorization code',\n },\n {\n internalMessage:\n 'Found issuance session without preAuthorizedCode. 
This should not happen as the issuance session is fetched based on the pre authorized code',\n }\n )\n }\n\n verificationResult = await oauth2AuthorizationServer.verifyPreAuthorizedCodeAccessTokenRequest({\n accessTokenRequest,\n expectedPreAuthorizedCode: issuanceSession.preAuthorizedCode,\n grant,\n request: requestLike,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n clientAttestation: {\n ...clientAttestation,\n // First session config, fall back to global config\n required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n\n // NOTE: we might want to enforce this? Not sure\n // ensureConfirmationKeyMatchesDpopKey: true\n },\n dpop: {\n ...dpop,\n // First session config, fall back to global config\n required: issuanceSession.dpop?.required ?? config.dpopRequired,\n },\n expectedTxCode: issuanceSession.userPin,\n preAuthorizedCodeExpiresAt:\n issuanceSession.expiresAt ??\n addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds),\n })\n } else if (grant.grantType === authorizationCodeGrantIdentifier) {\n if (!issuanceSession.authorization?.code || !issuanceSession.authorization?.codeExpiresAt) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Invalid authorization code',\n },\n {\n internalMessage:\n 'Found issuance session without authorization.code or authorization.codeExpiresAt. 
This should not happen as the issuance session is fetched based on the authorization code',\n }\n )\n }\n verificationResult = await oauth2AuthorizationServer.verifyAuthorizationCodeAccessTokenRequest({\n accessTokenRequest,\n expectedCode: issuanceSession.authorization.code,\n codeExpiresAt: issuanceSession.authorization.codeExpiresAt,\n grant,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n request: requestLike,\n clientAttestation: {\n ...clientAttestation,\n\n // Ensure it matches the previously provided client id\n // FIXME: we don't verify that the attestation is issued by the same party\n expectedClientId: issuanceSession.clientId,\n\n // NOTE: we don't look at the global config here. As we already checked and\n // set required to true previously if client attestations were provided or required.\n required: issuanceSession.walletAttestation?.required,\n\n // NOTE: we might want to enforce this? Not sure\n // ensureConfirmationKeyMatchesDpopKey: true\n },\n dpop: {\n ...dpop,\n // NOTE: we don't look at the global config here. As we already checked and\n // set required to true previously if client attestations were provided or required.\n required: issuanceSession.dpop?.required,\n\n // Ensure it matches previously provided jwk thumbprint\n expectedJwkThumbprint: issuanceSession.dpop?.dpopJkt,\n },\n pkce: issuanceSession.pkce\n ? 
{\n codeChallenge: issuanceSession.pkce.codeChallenge,\n codeChallengeMethod: issuanceSession.pkce.codeChallengeMethod,\n codeVerifier: pkceCodeVerifier,\n }\n : undefined,\n })\n } else if (grant.grantType === refreshTokenGrantIdentifier) {\n if (!parsedRefreshToken) {\n throw new CredoError('Refresh token verification is required for refresh token grant type')\n }\n\n verificationResult = await oauth2AuthorizationServer.verifyRefreshTokenAccessTokenRequest({\n accessTokenRequest,\n // Refresh token validity is already checked before\n expectedRefreshToken: grant.refreshToken,\n grant,\n request: requestLike,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n clientAttestation: {\n ...clientAttestation,\n // First session config, fall back to global config\n required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n\n // NOTE: we might want to enforce this? Not sure\n // ensureConfirmationKeyMatchesDpopKey: true\n },\n dpop: {\n ...dpop,\n // First session config, fall back to global config\n required: issuanceSession.dpop?.required ?? config.dpopRequired,\n },\n refreshTokenExpiresAt: parsedRefreshToken?.expiresAt,\n })\n\n await openId4VcIssuerService.verifyRefreshToken(agentContext, issuer, parsedRefreshToken, {\n dpop: verificationResult.dpop,\n })\n } else {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.UnsupportedGrantType,\n error_description: 'Unsupported grant type',\n })\n }\n\n // Do not update the session state if the grant type is refresh token. This\n // avoids the session state going \"backwards\".\n if (grant.grantType !== refreshTokenGrantIdentifier) {\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n OpenId4VcIssuanceSessionState.AccessTokenRequested\n )\n }\n\n const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer)\n\n // for authorization code flow we take the authorization scopes. 
For pre-auth we don't use scopes (we just\n // use the offered credential configuration ids so a scope is not required)\n const scopes =\n grant.grantType === authorizationCodeGrantIdentifier ? issuanceSession.authorization?.scopes : undefined\n const subject = `credo:${utils.uuid()}`\n\n const tokenDpop = verificationResult.dpop\n ? {\n jwk: verificationResult.dpop?.jwk,\n }\n : undefined\n\n // Generate a refresh token if they're enabled in the config and the grant type is not refresh token\n let refreshToken: string | undefined\n if (issuanceSession.generateRefreshTokens && grant.grantType !== refreshTokenGrantIdentifier) {\n refreshToken = await openId4VcIssuerService.createRefreshToken(agentContext, issuer, {\n preAuthorizedCode: grant.grantType === preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : undefined,\n issuerState: issuanceSession.authorization?.issuerState,\n dpop: tokenDpop,\n })\n }\n\n const signerJwk = accessTokenSigningKey\n const accessTokenResponse = await oauth2AuthorizationServer.createAccessTokenResponse({\n audience: issuerMetadata.credentialIssuer.credential_issuer,\n authorizationServer: issuerMetadata.credentialIssuer.credential_issuer,\n expiresInSeconds: config.accessTokenExpiresInSeconds,\n signer: {\n method: 'jwk',\n alg: signerJwk.supportedSignatureAlgorithms[0],\n publicJwk: signerJwk.toJson() as Jwk,\n },\n dpop: tokenDpop,\n scope: scopes?.join(' '),\n clientId: issuanceSession.clientId,\n\n additionalAccessTokenPayload: {\n 'pre-authorized_code':\n grant.grantType === preAuthorizedCodeGrantIdentifier\n ? grant.preAuthorizedCode\n : parsedRefreshToken?.preAuthorizedCode,\n issuer_state: issuanceSession.authorization?.issuerState,\n },\n // We generate a random subject for each access token and bind the issuance session to this.\n subject,\n\n refreshToken,\n\n // NOTE: these have been removed in newer drafts. 
Keeping them in for now\n cNonce,\n cNonceExpiresIn: cNonceExpiresInSeconds,\n })\n\n issuanceSession.authorization = {\n ...issuanceSession.authorization,\n subject,\n }\n\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n // Retain the current session state when refreshing the access token.\n grant.grantType === refreshTokenGrantIdentifier\n ? issuanceSession.state\n : OpenId4VcIssuanceSessionState.AccessTokenCreated\n )\n\n return sendJsonResponse(response, next, accessTokenResponse)\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;AAwBA,SAAgB,6BAA6B,QAAgB,QAAqC;AAChG,QAAO,KAAK,OAAO,yBAAyB,mBAAmB,OAAO,CAAC;;AAGzE,SAAgB,mBAAmB,QAAqC;AACtE,QAAO,OAAO,SAAmC,UAAoB,SAAuB;AAC1F,WAAS,IAAI;GAAE,iBAAiB;GAAY,QAAQ;GAAY,CAAC;EAEjE,MAAM,EAAE,cAAc,WADC,kBAAkB,QAAQ;AAGjD,MAAI;GACF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,4BAA4B,aAAa,kBAAkB,QAAQ,mCAAmC;GAC5G,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;GAC3F,MAAM,wBAAwB,OAAO;GACrC,IAAI,4BAA4B,uBAAuB,6BAA6B,aAAa;GAEjG,MAAM,iBAAiB,aAAa,eAAe,iBAAiB,mBAAmB,CACrF,OAAO,wBACR,CAAC;GACF,MAAM,cAAc;IAClB,SAAS,IAAI,QAAQ,QAAQ,QAAkC;IAC/D,QAAQ,QAAQ;IAChB,KAAK;IACN;GAED,MAAM,EAAE,oBAAoB,OAAO,MAAM,mBAAmB,qBAC1D,0BAA0B,wBAAwB;IAChD,oBAAoB,QAAQ;IAC5B,SAAS;IACV,CAAC;GAEJ,IAAIA;GACJ,IAAIC;GACJ,IAAIC;AAEJ,WAAQ,MAAM,WAAd;IACE,KAAK;AACH,qBAAgB,CAAC,8BAA8B,cAAc,8BAA8B,kBAAkB;AAC7G,aAAQ,EAAE,mBAAmB,MAAM,mBAAmB;AACtD;IACF,KAAK;AACH,qBAAgB,CAAC,8BAA8B,qBAAqB;AACpE,aAAQ,EAAE,mBAAmB,MAAM,MAAM;AACzC;IACF,KAAK;AACH,qBAAgB,CACd,8BAA8B,2BAC9B,8BAA8B,2BAC/B;AACD,0BAAqB,uBAAuB,kBAAkB,MAAM,aAAa;AACjF,aAAQ;MACN,mBAAmB,mBAAmB;MACtC,mBAAmB,mBAAmB;MACvC;AACD;IACF,QACE,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;;GAGN,MAAM,kBAAkB,MAAM,0BAA0B,kBAAkB,cAAc,MAAM;AAC9F,OAAI,CAAC,mBAAmB
,CAAC,cAAc,SAAS,gBAAgB,MAAM,CACpE,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;GAGJ,MAAM,YACJ,gBAAgB,aAChB,iBAAiB,gBAAgB,WAAW,OAAO,2CAA2C;AAEhG,OAAI,KAAK,KAAK,GAAG,UAAU,SAAS,EAAE;AACpC,oBAAgB,eAAe;AAC/B,UAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;AAC5G,UAAM,IAAI,+BAA+B;KAEvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;;AAGJ,+BAA4B,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;GACF,IAAIC;AAEJ,OAAI,MAAM,cAAc,kCAAkC;AACxD,QAAI,CAAC,gBAAgB,kBACnB,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EACE,iBACE,gJACH,CACF;AAGH,yBAAqB,MAAM,0BAA0B,0CAA0C;KAC7F;KACA,2BAA2B,gBAAgB;KAC3C;KACA,SAAS;KACT,6BAA6B,eAAe,qBAAqB;KACjE,mBAAmB;MACjB,GAAG;MAEH,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;MAIjE;KACD,MAAM;MACJ,GAAG;MAEH,UAAU,gBAAgB,MAAM,YAAY,OAAO;MACpD;KACD,gBAAgB,gBAAgB;KAChC,4BACE,gBAAgB,aAChB,iBAAiB,gBAAgB,WAAW,OAAO,2CAA2C;KACjG,CAAC;cACO,MAAM,cAAc,kCAAkC;AAC/D,QAAI,CAAC,gBAAgB,eAAe,QAAQ,CAAC,gBAAgB,eAAe,cAC1E,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EACE,iBACE,+KACH,CACF;AAEH,yBAAqB,MAAM,0BAA0B,0CAA0C;KAC7F;KACA,cAAc,gBAAgB,cAAc;KAC5C,eAAe,gBAAgB,cAAc;KAC7C;KACA,6BAA6B,eAAe,qBAAqB;KACjE,SAAS;KACT,mBAAmB;MACjB,GAAG;MAIH,kBAAkB,gBAAgB;MAIlC,UAAU,gBAAgB,mBAAmB;MAI9C;KACD,MAAM;MACJ,GAAG;MAGH,UAAU,gBAAgB,MAAM;MAGhC,uBAAuB,gBAAgB,MAAM;MAC9C;KACD,MAAM,gBAAgB,OAClB;MACE,eAAe,gBAAgB,KAAK;MACpC,qBAAqB,gBAAgB,KAAK;MAC1C,cAAc;MACf,GACD;KACL,CAAC;cACO,MAAM,cAAc,6BAA6B;AAC1D,QAAI,CAAC,mBACH,OAAM,IAAI,WAAW,sEAAsE;AAG7F,yBAAqB,MAAM,0BAA0B,qCAAqC;KACxF;KAEA,sBAAsB,MAAM;KAC5B;KACA,SAAS;KACT,6BAA6B,eAAe,qBAAqB;KACjE,mBAAmB;MACjB,GAAG;MAEH,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;MAIjE;KACD,MAAM;MACJ,GAAG;MAEH,UAAU,gBAAgB,MAAM,YAAY,OAAO;MACpD;KACD,uBAAuB,oBAAoB;KAC5C,CAAC;AAEF,UAAM,uBAAuB,mBAAmB,cAAc,QAAQ,oBAAoB,EACxF,MAAM,mBAAmB,MAC1B,CAAC;SAEF,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;AAKJ,OAAI,MAAM,cAAc,4BACtB,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,qBAC/B;GAGH,MAAM,EAAE,QAAQ,2BAA2B,MAAM,uBAAuB,YAAY,cAAc,OAAO;GAIzG,MAAM,SACJ,MAAM,cAAc,mCAAmC,gBAAgB,eAAe,SAAS;GACjG,MAAM,UAAU
,SAAS,MAAM,MAAM;GAErC,MAAM,YAAY,mBAAmB,OACjC,EACE,KAAK,mBAAmB,MAAM,KAC/B,GACD;GAGJ,IAAIC;AACJ,OAAI,gBAAgB,yBAAyB,MAAM,cAAc,4BAC/D,gBAAe,MAAM,uBAAuB,mBAAmB,cAAc,QAAQ;IACnF,mBAAmB,MAAM,cAAc,mCAAmC,MAAM,oBAAoB;IACpG,aAAa,gBAAgB,eAAe;IAC5C,MAAM;IACP,CAAC;GAGJ,MAAM,YAAY;GAClB,MAAM,sBAAsB,MAAM,0BAA0B,0BAA0B;IACpF,UAAU,eAAe,iBAAiB;IAC1C,qBAAqB,eAAe,iBAAiB;IACrD,kBAAkB,OAAO;IACzB,QAAQ;KACN,QAAQ;KACR,KAAK,UAAU,6BAA6B;KAC5C,WAAW,UAAU,QAAQ;KAC9B;IACD,MAAM;IACN,OAAO,QAAQ,KAAK,IAAI;IACxB,UAAU,gBAAgB;IAE1B,8BAA8B;KAC5B,uBACE,MAAM,cAAc,mCAChB,MAAM,oBACN,oBAAoB;KAC1B,cAAc,gBAAgB,eAAe;KAC9C;IAED;IAEA;IAGA;IACA,iBAAiB;IAClB,CAAC;AAEF,mBAAgB,gBAAgB;IAC9B,GAAG,gBAAgB;IACnB;IACD;AAED,SAAM,uBAAuB,YAC3B,cACA,iBAEA,MAAM,cAAc,8BAChB,gBAAgB,QAChB,8BAA8B,mBACnC;AAED,UAAO,iBAAiB,UAAU,MAAM,oBAAoB;WACrD,OAAO;AACd,OAAI,iBAAiB,+BACnB,QAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAGnF,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM"}
1
+ {"version":3,"file":"accessTokenEndpoint.mjs","names":["allowedStates: OpenId4VcIssuanceSessionState[]","query: Query<OpenId4VcIssuanceSessionRecord>","parsedRefreshToken: ReturnType<OpenId4VcIssuerService['parseRefreshToken']> | undefined","verificationResult: VerifyAccessTokenRequestReturn","refreshToken: string | undefined"],"sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"sourcesContent":["import { CredoError, joinUriParts, type Query, utils } from '@credo-ts/core'\nimport type { HttpMethod, Jwk, VerifyAccessTokenRequestReturn } from '@openid4vc/oauth2'\nimport {\n authorizationCodeGrantIdentifier,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n preAuthorizedCodeGrantIdentifier,\n refreshTokenGrantIdentifier,\n} from '@openid4vc/oauth2'\nimport type { NextFunction, Response, Router } from 'express'\nimport {\n getRequestContext,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport { OpenId4VcIssuanceSessionRecord, OpenId4VcIssuanceSessionRepository } from '../repository'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureAccessTokenEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.post(config.accessTokenEndpointPath, handleTokenRequest(config))\n}\n\nexport function handleTokenRequest(config: OpenId4VcIssuerModuleConfig) {\n return async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => {\n response.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' })\n const requestContext = getRequestContext(request)\n const { agentContext, issuer } = requestContext\n\n try {\n const openId4VcIssuerService = 
agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuanceSessionRepository = agentContext.dependencyManager.resolve(OpenId4VcIssuanceSessionRepository)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const accessTokenSigningKey = issuer.resolvedAccessTokenPublicJwk\n let oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext)\n\n const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n config.accessTokenEndpointPath,\n ])\n const requestLike = {\n headers: new Headers(request.headers as Record<string, string>),\n method: request.method as HttpMethod,\n url: fullRequestUrl,\n } as const\n\n const { accessTokenRequest, grant, dpop, clientAttestation, pkceCodeVerifier } =\n oauth2AuthorizationServer.parseAccessTokenRequest({\n accessTokenRequest: request.body,\n request: requestLike,\n })\n\n let allowedStates: OpenId4VcIssuanceSessionState[]\n let query: Query<OpenId4VcIssuanceSessionRecord>\n let parsedRefreshToken: ReturnType<OpenId4VcIssuerService['parseRefreshToken']> | undefined\n\n switch (grant.grantType) {\n case preAuthorizedCodeGrantIdentifier:\n allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved]\n query = { preAuthorizedCode: grant.preAuthorizedCode }\n break\n case authorizationCodeGrantIdentifier:\n allowedStates = [OpenId4VcIssuanceSessionState.AuthorizationGranted]\n query = { authorizationCode: grant.code }\n break\n case refreshTokenGrantIdentifier:\n allowedStates = [\n OpenId4VcIssuanceSessionState.CredentialRequestReceived,\n OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued,\n ]\n parsedRefreshToken = openId4VcIssuerService.parseRefreshToken(grant.refreshToken)\n query = {\n preAuthorizedCode: parsedRefreshToken.preAuthorizedCode,\n authorizationCode: parsedRefreshToken.issuerState,\n }\n break\n default:\n throw new 
Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.UnsupportedGrantType,\n error_description: 'Unsupported grant type',\n })\n }\n\n const issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, query)\n if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Invalid authorization code',\n })\n }\n\n const expiresAt =\n issuanceSession.expiresAt ??\n utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)\n\n if (Date.now() > expiresAt.getTime()) {\n issuanceSession.errorMessage = 'Credential offer has expired'\n await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n throw new Oauth2ServerErrorResponseError({\n // What is the best error here?\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Session expired',\n })\n }\n\n oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n issuanceSessionId: issuanceSession.id,\n })\n let verificationResult: VerifyAccessTokenRequestReturn\n\n if (grant.grantType === preAuthorizedCodeGrantIdentifier) {\n if (!issuanceSession.preAuthorizedCode) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Invalid authorization code',\n },\n {\n internalMessage:\n 'Found issuance session without preAuthorizedCode. 
This should not happen as the issuance session is fetched based on the pre authorized code',\n }\n )\n }\n\n verificationResult = await oauth2AuthorizationServer.verifyPreAuthorizedCodeAccessTokenRequest({\n accessTokenRequest,\n expectedPreAuthorizedCode: issuanceSession.preAuthorizedCode,\n grant,\n request: requestLike,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n clientAttestation: {\n ...clientAttestation,\n // First session config, fall back to global config\n required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n\n // NOTE: we might want to enforce this? Not sure\n // ensureConfirmationKeyMatchesDpopKey: true\n },\n dpop: {\n ...dpop,\n // First session config, fall back to global config\n required: issuanceSession.dpop?.required ?? config.dpopRequired,\n },\n expectedTxCode: issuanceSession.userPin,\n preAuthorizedCodeExpiresAt:\n issuanceSession.expiresAt ??\n utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds),\n })\n } else if (grant.grantType === authorizationCodeGrantIdentifier) {\n if (!issuanceSession.authorization?.code || !issuanceSession.authorization?.codeExpiresAt) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidGrant,\n error_description: 'Invalid authorization code',\n },\n {\n internalMessage:\n 'Found issuance session without authorization.code or authorization.codeExpiresAt. 
This should not happen as the issuance session is fetched based on the authorization code',\n }\n )\n }\n verificationResult = await oauth2AuthorizationServer.verifyAuthorizationCodeAccessTokenRequest({\n accessTokenRequest,\n expectedCode: issuanceSession.authorization.code,\n codeExpiresAt: issuanceSession.authorization.codeExpiresAt,\n grant,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n request: requestLike,\n clientAttestation: {\n ...clientAttestation,\n\n // Ensure it matches the previously provided client id\n // FIXME: we don't verify that the attestation is issued by the same party\n expectedClientId: issuanceSession.clientId,\n\n // NOTE: we don't look at the global config here. As we already checked and\n // set required to true previously if client attestations were provided or required.\n required: issuanceSession.walletAttestation?.required,\n\n // NOTE: we might want to enforce this? Not sure\n // ensureConfirmationKeyMatchesDpopKey: true\n },\n dpop: {\n ...dpop,\n // NOTE: we don't look at the global config here. As we already checked and\n // set required to true previously if client attestations were provided or required.\n required: issuanceSession.dpop?.required,\n\n // Ensure it matches previously provided jwk thumbprint\n expectedJwkThumbprint: issuanceSession.dpop?.dpopJkt,\n },\n pkce: issuanceSession.pkce\n ? 
{\n codeChallenge: issuanceSession.pkce.codeChallenge,\n codeChallengeMethod: issuanceSession.pkce.codeChallengeMethod,\n codeVerifier: pkceCodeVerifier,\n }\n : undefined,\n })\n } else if (grant.grantType === refreshTokenGrantIdentifier) {\n if (!parsedRefreshToken) {\n throw new CredoError('Refresh token verification is required for refresh token grant type')\n }\n\n verificationResult = await oauth2AuthorizationServer.verifyRefreshTokenAccessTokenRequest({\n accessTokenRequest,\n // Refresh token validity is already checked before\n expectedRefreshToken: grant.refreshToken,\n grant,\n request: requestLike,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n clientAttestation: {\n ...clientAttestation,\n // First session config, fall back to global config\n required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n\n // NOTE: we might want to enforce this? Not sure\n // ensureConfirmationKeyMatchesDpopKey: true\n },\n dpop: {\n ...dpop,\n // First session config, fall back to global config\n required: issuanceSession.dpop?.required ?? config.dpopRequired,\n },\n refreshTokenExpiresAt: parsedRefreshToken?.expiresAt,\n })\n\n await openId4VcIssuerService.verifyRefreshToken(agentContext, issuer, parsedRefreshToken, {\n dpop: verificationResult.dpop,\n })\n } else {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.UnsupportedGrantType,\n error_description: 'Unsupported grant type',\n })\n }\n\n // Do not update the session state if the grant type is refresh token. This\n // avoids the session state going \"backwards\".\n if (grant.grantType !== refreshTokenGrantIdentifier) {\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n OpenId4VcIssuanceSessionState.AccessTokenRequested\n )\n }\n\n const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer)\n\n // for authorization code flow we take the authorization scopes. 
For pre-auth we don't use scopes (we just\n // use the offered credential configuration ids so a scope is not required)\n const scopes =\n grant.grantType === authorizationCodeGrantIdentifier ? issuanceSession.authorization?.scopes : undefined\n const subject = `credo:${utils.uuid()}`\n\n const tokenDpop = verificationResult.dpop\n ? {\n jwk: verificationResult.dpop?.jwk,\n }\n : undefined\n\n // Generate a refresh token if they're enabled in the config and the grant type is not refresh token\n let refreshToken: string | undefined\n if (issuanceSession.generateRefreshTokens && grant.grantType !== refreshTokenGrantIdentifier) {\n refreshToken = await openId4VcIssuerService.createRefreshToken(agentContext, issuer, {\n preAuthorizedCode: grant.grantType === preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : undefined,\n issuerState: issuanceSession.authorization?.issuerState,\n dpop: tokenDpop,\n })\n }\n\n const signerJwk = accessTokenSigningKey\n const accessTokenResponse = await oauth2AuthorizationServer.createAccessTokenResponse({\n audience: issuerMetadata.credentialIssuer.credential_issuer,\n authorizationServer: issuerMetadata.credentialIssuer.credential_issuer,\n expiresInSeconds: config.accessTokenExpiresInSeconds,\n signer: {\n method: 'jwk',\n alg: signerJwk.supportedSignatureAlgorithms[0],\n publicJwk: signerJwk.toJson() as Jwk,\n },\n dpop: tokenDpop,\n scope: scopes?.join(' '),\n clientId: issuanceSession.clientId,\n\n additionalAccessTokenPayload: {\n 'pre-authorized_code':\n grant.grantType === preAuthorizedCodeGrantIdentifier\n ? grant.preAuthorizedCode\n : parsedRefreshToken?.preAuthorizedCode,\n issuer_state: issuanceSession.authorization?.issuerState,\n },\n // We generate a random subject for each access token and bind the issuance session to this.\n subject,\n\n refreshToken,\n\n // NOTE: these have been removed in newer drafts. 
Keeping them in for now\n cNonce,\n cNonceExpiresIn: cNonceExpiresInSeconds,\n })\n\n issuanceSession.authorization = {\n ...issuanceSession.authorization,\n subject,\n }\n\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n // Retain the current session state when refreshing the access token.\n grant.grantType === refreshTokenGrantIdentifier\n ? issuanceSession.state\n : OpenId4VcIssuanceSessionState.AccessTokenCreated\n )\n\n return sendJsonResponse(response, next, accessTokenResponse)\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n}\n"],"mappings":";;;;;;;;;;AAsBA,SAAgB,6BAA6B,QAAgB,QAAqC;AAChG,QAAO,KAAK,OAAO,yBAAyB,mBAAmB,OAAO,CAAC;;AAGzE,SAAgB,mBAAmB,QAAqC;AACtE,QAAO,OAAO,SAAmC,UAAoB,SAAuB;AAC1F,WAAS,IAAI;GAAE,iBAAiB;GAAY,QAAQ;GAAY,CAAC;EAEjE,MAAM,EAAE,cAAc,WADC,kBAAkB,QAAQ;AAGjD,MAAI;GACF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,4BAA4B,aAAa,kBAAkB,QAAQ,mCAAmC;GAC5G,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;GAC3F,MAAM,wBAAwB,OAAO;GACrC,IAAI,4BAA4B,uBAAuB,6BAA6B,aAAa;GAEjG,MAAM,iBAAiB,aAAa,eAAe,iBAAiB,mBAAmB,CACrF,OAAO,wBACR,CAAC;GACF,MAAM,cAAc;IAClB,SAAS,IAAI,QAAQ,QAAQ,QAAkC;IAC/D,QAAQ,QAAQ;IAChB,KAAK;IACN;GAED,MAAM,EAAE,oBAAoB,OAAO,MAAM,mBAAmB,qBAC1D,0BAA0B,wBAAwB;IAChD,oBAAoB,QAAQ;IAC5B,SAAS;IACV,CAAC;GAEJ,IAAIA;GACJ,IAAIC;GACJ,IAAIC;AAEJ,WAAQ,MAAM,WAAd;IACE,KAAK;AACH,qBAAgB,CAAC,8BAA8B,cAAc,8BAA8B,kBAAkB;AAC7G,aAAQ,EAAE,mBAAmB,MAAM,mBAAmB;AACtD;IACF,KAAK;AACH,qBAAgB,CAAC,8BAA8B,qBAAqB;AACpE,aAAQ,EAAE,mBAAmB,MAAM,MAAM;AACzC;IACF,KAAK;AACH,qBAAgB,CACd,8BAA8B,2BAC9B,8BAA8B,2BAC/B;AACD,0BAAqB,uBAAuB,kBAAkB,MAAM,aAAa;AACjF,aAAQ;MACN,mBAAmB,mBAAmB;MACtC,mBAAmB,mBAAmB;MACvC;AACD;IACF,QACE,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;;GAGN,MAAM,kBAAkB,MAAM,0BAA0B,kBAAkB,cAAc,MAAM;AAC9F,OAAI,CAAC,mBAAmB,
CAAC,cAAc,SAAS,gBAAgB,MAAM,CACpE,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;GAGJ,MAAM,YACJ,gBAAgB,aAChB,MAAM,iBAAiB,gBAAgB,WAAW,OAAO,2CAA2C;AAEtG,OAAI,KAAK,KAAK,GAAG,UAAU,SAAS,EAAE;AACpC,oBAAgB,eAAe;AAC/B,UAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;AAC5G,UAAM,IAAI,+BAA+B;KAEvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;;AAGJ,+BAA4B,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;GACF,IAAIC;AAEJ,OAAI,MAAM,cAAc,kCAAkC;AACxD,QAAI,CAAC,gBAAgB,kBACnB,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EACE,iBACE,gJACH,CACF;AAGH,yBAAqB,MAAM,0BAA0B,0CAA0C;KAC7F;KACA,2BAA2B,gBAAgB;KAC3C;KACA,SAAS;KACT,6BAA6B,eAAe,qBAAqB;KACjE,mBAAmB;MACjB,GAAG;MAEH,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;MAIjE;KACD,MAAM;MACJ,GAAG;MAEH,UAAU,gBAAgB,MAAM,YAAY,OAAO;MACpD;KACD,gBAAgB,gBAAgB;KAChC,4BACE,gBAAgB,aAChB,MAAM,iBAAiB,gBAAgB,WAAW,OAAO,2CAA2C;KACvG,CAAC;cACO,MAAM,cAAc,kCAAkC;AAC/D,QAAI,CAAC,gBAAgB,eAAe,QAAQ,CAAC,gBAAgB,eAAe,cAC1E,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EACE,iBACE,+KACH,CACF;AAEH,yBAAqB,MAAM,0BAA0B,0CAA0C;KAC7F;KACA,cAAc,gBAAgB,cAAc;KAC5C,eAAe,gBAAgB,cAAc;KAC7C;KACA,6BAA6B,eAAe,qBAAqB;KACjE,SAAS;KACT,mBAAmB;MACjB,GAAG;MAIH,kBAAkB,gBAAgB;MAIlC,UAAU,gBAAgB,mBAAmB;MAI9C;KACD,MAAM;MACJ,GAAG;MAGH,UAAU,gBAAgB,MAAM;MAGhC,uBAAuB,gBAAgB,MAAM;MAC9C;KACD,MAAM,gBAAgB,OAClB;MACE,eAAe,gBAAgB,KAAK;MACpC,qBAAqB,gBAAgB,KAAK;MAC1C,cAAc;MACf,GACD;KACL,CAAC;cACO,MAAM,cAAc,6BAA6B;AAC1D,QAAI,CAAC,mBACH,OAAM,IAAI,WAAW,sEAAsE;AAG7F,yBAAqB,MAAM,0BAA0B,qCAAqC;KACxF;KAEA,sBAAsB,MAAM;KAC5B;KACA,SAAS;KACT,6BAA6B,eAAe,qBAAqB;KACjE,mBAAmB;MACjB,GAAG;MAEH,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;MAIjE;KACD,MAAM;MACJ,GAAG;MAEH,UAAU,gBAAgB,MAAM,YAAY,OAAO;MACpD;KACD,uBAAuB,oBAAoB;KAC5C,CAAC;AAEF,UAAM,uBAAuB,mBAAmB,cAAc,QAAQ,oBAAoB,EACxF,MAAM,mBAAmB,MAC1B,CAAC;SAEF,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;AAKJ,OAAI,MAAM,cAAc,4BACtB,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,qBAC/B;GAGH,MAAM,EAAE,QAAQ,2BAA2B,MAAM,uBAAuB,YAAY,cAAc,OAAO;GAIzG,MAAM,SACJ,MAAM,cAAc,mCAAmC,gBAAgB,eAAe,SAAS;GACjG,
MAAM,UAAU,SAAS,MAAM,MAAM;GAErC,MAAM,YAAY,mBAAmB,OACjC,EACE,KAAK,mBAAmB,MAAM,KAC/B,GACD;GAGJ,IAAIC;AACJ,OAAI,gBAAgB,yBAAyB,MAAM,cAAc,4BAC/D,gBAAe,MAAM,uBAAuB,mBAAmB,cAAc,QAAQ;IACnF,mBAAmB,MAAM,cAAc,mCAAmC,MAAM,oBAAoB;IACpG,aAAa,gBAAgB,eAAe;IAC5C,MAAM;IACP,CAAC;GAGJ,MAAM,YAAY;GAClB,MAAM,sBAAsB,MAAM,0BAA0B,0BAA0B;IACpF,UAAU,eAAe,iBAAiB;IAC1C,qBAAqB,eAAe,iBAAiB;IACrD,kBAAkB,OAAO;IACzB,QAAQ;KACN,QAAQ;KACR,KAAK,UAAU,6BAA6B;KAC5C,WAAW,UAAU,QAAQ;KAC9B;IACD,MAAM;IACN,OAAO,QAAQ,KAAK,IAAI;IACxB,UAAU,gBAAgB;IAE1B,8BAA8B;KAC5B,uBACE,MAAM,cAAc,mCAChB,MAAM,oBACN,oBAAoB;KAC1B,cAAc,gBAAgB,eAAe;KAC9C;IAED;IAEA;IAGA;IACA,iBAAiB;IAClB,CAAC;AAEF,mBAAgB,gBAAgB;IAC9B,GAAG,gBAAgB;IACnB;IACD;AAED,SAAM,uBAAuB,YAC3B,cACA,iBAEA,MAAM,cAAc,8BAChB,gBAAgB,QAChB,8BAA8B,mBACnC;AAED,UAAO,iBAAiB,UAAU,MAAM,oBAAoB;WACrD,OAAO;AACd,OAAI,iBAAiB,+BACnB,QAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAGnF,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM"}
@@ -1,15 +1,14 @@
1
1
  const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
2
- const require_issuerMetadataUtils = require('../../shared/issuerMetadataUtils.js');
3
- require('../../shared/index.js');
4
- const require_utils = require('../../shared/utils.js');
2
+ const require_OpenId4VcIssuanceSessionState = require('../OpenId4VcIssuanceSessionState.js');
5
3
  const require_context = require('../../shared/router/context.js');
6
4
  require('../../shared/router/index.js');
5
+ const require_OpenId4VcIssuerModuleConfig = require('../OpenId4VcIssuerModuleConfig.js');
7
6
  const require_OpenId4VcVerificationSessionState = require('../../openid4vc-verifier/OpenId4VcVerificationSessionState.js');
8
7
  const require_OpenId4VcVerificationSessionRepository = require('../../openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js');
9
8
  const require_OpenId4VcVerifierApi = require('../../openid4vc-verifier/OpenId4VcVerifierApi.js');
10
9
  require('../../openid4vc-verifier/index.js');
11
- const require_OpenId4VcIssuerModuleConfig = require('../OpenId4VcIssuerModuleConfig.js');
12
- const require_OpenId4VcIssuanceSessionState = require('../OpenId4VcIssuanceSessionState.js');
10
+ const require_issuerMetadataUtils = require('../../shared/issuerMetadataUtils.js');
11
+ require('../../shared/index.js');
13
12
  const require_OpenId4VcIssuerService = require('../OpenId4VcIssuerService.js');
14
13
  let __credo_ts_core = require("@credo-ts/core");
15
14
  __credo_ts_core = require_rolldown_runtime.__toESM(__credo_ts_core);
@@ -193,7 +192,7 @@ async function handleAuthorizationChallengeWithAuthSession(options) {
193
192
  });
194
193
  const kms = agentContext.resolve(__credo_ts_core.Kms.KeyManagementApi);
195
194
  const authorizationCode = __credo_ts_core.TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
196
- const authorizationCodeExpiresAt = require_utils.addSecondsToDate(/* @__PURE__ */ new Date(), config.authorizationCodeExpiresInSeconds);
195
+ const authorizationCodeExpiresAt = __credo_ts_core.utils.addSecondsToDate(/* @__PURE__ */ new Date(), config.authorizationCodeExpiresInSeconds);
197
196
  issuanceSession.authorization = {
198
197
  ...issuanceSession.authorization,
199
198
  code: authorizationCode,
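Review bot: `config.authorizationCodeExpiresInSeconds` goes straight into `__credo_ts_core.utils.addSecondsToDate(...)` at new line 195, and nothing visible in this hunk checks that it is a finite, positive number before the result becomes the authorization code's expiry. If the config getter can return `undefined` or a non-numeric value, the helper would presumably produce an Invalid Date. That object is still truthy, so a presence-only check such as the token endpoint's `!issuanceSession.authorization?.codeExpiresAt` would not reject it, and a "now is later than the expiry" comparison against an Invalid Date is always false, so the code would never be treated as expired. Unless the module config already guarantees a valid number, a guard before the call would make this fail closed: `if (!Number.isFinite(config.authorizationCodeExpiresInSeconds) || config.authorizationCodeExpiresInSeconds <= 0) throw new Error('invalid authorizationCodeExpiresInSeconds')`. The same line appears in the `.mjs` build (new line 192), and `handleAuthorizationChallengeWithAuthSession` starts and ends outside both hunks.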
@@ -1,16 +1,15 @@
1
- import { getAllowedAndRequestedScopeValues, getCredentialConfigurationsSupportedForScopes, getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "../../shared/issuerMetadataUtils.mjs";
2
- import "../../shared/index.mjs";
3
- import { addSecondsToDate } from "../../shared/utils.mjs";
1
+ import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
4
2
  import { getRequestContext, sendJsonResponse, sendOauth2ErrorResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
5
3
  import "../../shared/router/index.mjs";
4
+ import { OpenId4VcIssuerModuleConfig } from "../OpenId4VcIssuerModuleConfig.mjs";
6
5
  import { OpenId4VcVerificationSessionState } from "../../openid4vc-verifier/OpenId4VcVerificationSessionState.mjs";
7
6
  import { OpenId4VcVerificationSessionRepository } from "../../openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs";
8
7
  import { OpenId4VcVerifierApi } from "../../openid4vc-verifier/OpenId4VcVerifierApi.mjs";
9
8
  import "../../openid4vc-verifier/index.mjs";
10
- import { OpenId4VcIssuerModuleConfig } from "../OpenId4VcIssuerModuleConfig.mjs";
11
- import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
9
+ import { getAllowedAndRequestedScopeValues, getCredentialConfigurationsSupportedForScopes, getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "../../shared/issuerMetadataUtils.mjs";
10
+ import "../../shared/index.mjs";
12
11
  import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
13
- import { Kms, TypedArrayEncoder, joinUriParts } from "@credo-ts/core";
12
+ import { Kms, TypedArrayEncoder, joinUriParts, utils } from "@credo-ts/core";
14
13
  import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from "@openid4vc/oauth2";
15
14
 
16
15
  //#region src/openid4vc-issuer/router/authorizationChallengeEndpoint.ts
@@ -190,7 +189,7 @@ async function handleAuthorizationChallengeWithAuthSession(options) {
190
189
  });
191
190
  const kms = agentContext.resolve(Kms.KeyManagementApi);
192
191
  const authorizationCode = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
193
- const authorizationCodeExpiresAt = addSecondsToDate(/* @__PURE__ */ new Date(), config.authorizationCodeExpiresInSeconds);
192
+ const authorizationCodeExpiresAt = utils.addSecondsToDate(/* @__PURE__ */ new Date(), config.authorizationCodeExpiresInSeconds);
194
193
  issuanceSession.authorization = {
195
194
  ...issuanceSession.authorization,
196
195
  code: authorizationCode,
@@ -1 +1 @@
1
- {"version":3,"file":"authorizationChallengeEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/authorizationChallengeEndpoint.ts"],"sourcesContent":["import type { AgentContext } from '@credo-ts/core'\nimport type {\n HttpMethod,\n ParseAuthorizationChallengeRequestOptions,\n ParseAuthorizationChallengeRequestResult,\n} from '@openid4vc/oauth2'\nimport type { NextFunction, Response, Router } from 'express'\nimport type { OpenId4VciCredentialConfigurationsSupportedWithFormats } from '../../shared'\nimport type { OpenId4VcIssuerRecord } from '../repository'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nimport { Kms, TypedArrayEncoder, joinUriParts } from '@credo-ts/core'\nimport { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\n\nimport {\n OpenId4VcVerificationSessionRepository,\n OpenId4VcVerificationSessionState,\n OpenId4VcVerifierApi,\n} from '../../openid4vc-verifier'\nimport {\n getAllowedAndRequestedScopeValues,\n getCredentialConfigurationsSupportedForScopes,\n getOfferedCredentials,\n getScopesFromCredentialConfigurationsSupported,\n} from '../../shared'\nimport {\n getRequestContext,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { addSecondsToDate } from '../../shared/utils'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\n\nexport function configureAuthorizationChallengeEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.post(\n config.authorizationChallengeEndpointPath,\n async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => {\n const requestContext = getRequestContext(request)\n const { agentContext, issuer } = requestContext\n\n try {\n const openId4VcIssuerService = 
agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext)\n const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n config.authorizationChallengeEndpointPath,\n ])\n\n const requestLike = {\n headers: new Headers(request.headers as Record<string, string>),\n method: request.method as HttpMethod,\n url: fullRequestUrl,\n } as const\n\n const parseResult = authorizationServer.parseAuthorizationChallengeRequest({\n authorizationChallengeRequest: request.body,\n request: requestLike,\n })\n const { authorizationChallengeRequest } = parseResult\n\n if (authorizationChallengeRequest.auth_session) {\n await handleAuthorizationChallengeWithAuthSession({\n response,\n next,\n parseResult,\n request: requestLike,\n agentContext,\n issuer,\n })\n } else {\n // First call, no auth_session yet\n await handleAuthorizationChallengeNoAuthSession({\n agentContext,\n issuer,\n parseResult,\n request: requestLike,\n })\n }\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n )\n}\n\nasync function handleAuthorizationChallengeNoAuthSession(options: {\n agentContext: AgentContext\n issuer: OpenId4VcIssuerRecord\n parseResult: ParseAuthorizationChallengeRequestResult\n // FIXME: export in oid4vc-ts\n request: ParseAuthorizationChallengeRequestOptions['request']\n}) {\n const { agentContext, issuer, parseResult, request } = options\n const { authorizationChallengeRequest } = parseResult\n\n // First call, no auth_session yet\n\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const config = 
agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n\n if (!config.getVerificationSessionForIssuanceSessionAuthorization) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage: `Missing required 'getVerificationSessionForIssuanceSessionAuthorization' callback in openid4vc issuer module config. This callback is required for presentation during issuance flows.`,\n }\n )\n }\n\n if (!authorizationChallengeRequest.issuer_state) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'issuer_state' parameter. Only requests initiated by a credential offer are supported for authorization challenge.`,\n })\n }\n\n if (!authorizationChallengeRequest.scope) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `Missing required 'scope' parameter`,\n })\n }\n\n const issuanceSession = await openId4VcIssuerService.findSingleIssuanceSessionByQuery(agentContext, {\n issuerId: issuer.issuerId,\n issuerState: authorizationChallengeRequest.issuer_state,\n })\n const allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved]\n if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid 'issuer_state' parameter`,\n },\n {\n internalMessage: !issuanceSession\n ? 
`Issuance session not found for 'issuer_state' parameter '${authorizationChallengeRequest.issuer_state}'`\n : `Issuance session '${issuanceSession.id}' has state '${\n issuanceSession.state\n }' but expected one of ${allowedStates.join(', ')}`,\n }\n )\n }\n\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n issuanceSessionId: issuanceSession.id,\n })\n const { clientAttestation, dpop } = await authorizationServer.verifyAuthorizationChallengeRequest({\n authorizationChallengeRequest,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n request,\n clientAttestation: {\n ...parseResult.clientAttestation,\n // First session config, fall back to global config\n required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n },\n dpop: {\n ...parseResult.dpop,\n // First session config, fall back to global config\n required: issuanceSession.dpop?.required ?? config.dpopRequired,\n },\n })\n\n // Bind dpop jwk thumbprint to session\n if (dpop)\n issuanceSession.dpop = {\n // If dpop is provided at the start, it's required from now on.\n required: true,\n dpopJkt: dpop.jwkThumbprint,\n }\n if (clientAttestation)\n issuanceSession.walletAttestation = {\n // If dpop is provided at the start, it's required from now on.\n required: true,\n }\n\n const offeredCredentialConfigurations = getOfferedCredentials(\n issuanceSession.credentialOfferPayload.credential_configuration_ids,\n issuerMetadata.credentialIssuer.credential_configurations_supported\n )\n\n const allowedScopes = getScopesFromCredentialConfigurationsSupported(offeredCredentialConfigurations)\n const requestedScopes = getAllowedAndRequestedScopeValues({\n allowedScopes,\n requestedScope: authorizationChallengeRequest.scope,\n })\n const requestedCredentialConfigurations = getCredentialConfigurationsSupportedForScopes(\n offeredCredentialConfigurations,\n requestedScopes\n ) as 
OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n if (requestedScopes.length === 0 || Object.keys(requestedCredentialConfigurations).length === 0) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `No requested 'scope' values match with offered credential configurations.`,\n })\n }\n\n const {\n authorizationRequest,\n verificationSession,\n scopes: presentationScopes,\n } = await config.getVerificationSessionForIssuanceSessionAuthorization({\n agentContext,\n issuanceSession,\n requestedCredentialConfigurations,\n scopes: requestedScopes,\n })\n\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n // Store presentation during issuance session on the record\n verificationSession.presentationDuringIssuanceSession = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n await agentContext.dependencyManager\n .resolve(OpenId4VcVerificationSessionRepository)\n .update(agentContext, verificationSession)\n\n const authSession = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n issuanceSession.authorization = {\n ...issuanceSession.authorization,\n scopes: presentationScopes,\n }\n issuanceSession.presentation = {\n required: true,\n authSession,\n openId4VcVerificationSessionId: verificationSession.id,\n }\n\n // If client attestation is used we have verified this client_id matches with the sub\n // of the wallet attestation\n issuanceSession.clientId = clientAttestation?.clientAttestation.payload.sub ?? 
authorizationChallengeRequest.client_id\n\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n OpenId4VcIssuanceSessionState.AuthorizationInitiated\n )\n\n const authorizationChallengeErrorResponse = authorizationServer.createAuthorizationChallengePresentationErrorResponse(\n {\n authSession,\n presentation: authorizationRequest,\n errorDescription: 'Presentation required before issuance',\n }\n )\n throw new Oauth2ServerErrorResponseError(authorizationChallengeErrorResponse)\n}\n\nasync function handleAuthorizationChallengeWithAuthSession(options: {\n response: Response\n agentContext: AgentContext\n issuer: OpenId4VcIssuerRecord\n next: NextFunction\n parseResult: ParseAuthorizationChallengeRequestResult\n // FIXME: export in oid4vc-ts\n request: ParseAuthorizationChallengeRequestOptions['request']\n}) {\n const { agentContext, issuer, parseResult, request, response, next } = options\n const { authorizationChallengeRequest } = parseResult\n\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n\n const verifierApi = agentContext.dependencyManager.resolve(OpenId4VcVerifierApi)\n\n // NOTE: we ignore scope, issuer_state etc.. parameters if auth_session is present\n // should we validate that these are not in the request? 
I'm not sure what best practice would be here\n\n const issuanceSession = await openId4VcIssuerService.findSingleIssuanceSessionByQuery(agentContext, {\n issuerId: issuer.issuerId,\n presentationAuthSession: authorizationChallengeRequest.auth_session,\n })\n const allowedStates = [OpenId4VcIssuanceSessionState.AuthorizationInitiated]\n if (\n !issuanceSession?.presentation ||\n !issuanceSession.presentation.openId4VcVerificationSessionId ||\n !issuanceSession.presentation.authSession ||\n !allowedStates.includes(issuanceSession.state)\n ) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidSession,\n error_description: `Invalid 'auth_session'`,\n },\n {\n internalMessage: !issuanceSession\n ? `Issuance session not found for 'auth_session' parameter '${authorizationChallengeRequest.auth_session}'`\n : !issuanceSession?.presentation\n ? `Issuance session '${issuanceSession.id}' has no 'presentation'. This should not happen and means state is corrupted`\n : `Issuance session '${issuanceSession.id}' has state '${\n issuanceSession.state\n }' but expected one of ${allowedStates.join(', ')}`,\n }\n )\n }\n\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n issuanceSessionId: issuanceSession.id,\n })\n const { clientAttestation, dpop } = await authorizationServer.verifyAuthorizationChallengeRequest({\n authorizationChallengeRequest,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n request,\n clientAttestation: {\n ...parseResult.clientAttestation,\n // We only look at the issuance session here. If it is required\n // it will be defined on the issuance session now.\n required: issuanceSession.walletAttestation?.required,\n },\n dpop: {\n ...parseResult.dpop,\n // We only look at the issuance session here. 
If it is required\n // it will be defined on the issuance session now.\n required: issuanceSession.dpop?.required,\n },\n })\n\n if (dpop && dpop.jwkThumbprint !== issuanceSession.dpop?.dpopJkt) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidDpopProof,\n error_description: 'Invalid jwk thumbprint',\n },\n {\n internalMessage: `DPoP JWK thumbprint '${dpop.jwkThumbprint}' does not match expected value '${issuanceSession.dpop?.dpopJkt}'`,\n }\n )\n }\n\n if (clientAttestation && clientAttestation.clientAttestation.payload.sub !== issuanceSession.clientId) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidClient,\n error_description: 'Invalid client',\n },\n {\n internalMessage: `Client id '${authorizationChallengeRequest.client_id}' from authorization challenge request does not match client id '${issuanceSession.clientId}' on issuance session`,\n }\n )\n }\n\n const { openId4VcVerificationSessionId } = issuanceSession.presentation\n\n await verifierApi\n .getVerificationSessionById(openId4VcVerificationSessionId)\n .catch(async () => {\n // Issuance session is corrupted\n issuanceSession.errorMessage = `Associated openId4VcVerificationSessionRecord with id '${openId4VcVerificationSessionId}' does not exist`\n await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidSession,\n error_description: `Invalid 'auth_session'`,\n },\n {\n internalMessage: `Openid4vc verification session with id '${openId4VcVerificationSessionId}' not found during issuance session with id '${issuanceSession.id}'`,\n }\n )\n })\n .then(async (verificationSession) => {\n // Issuance session cannot be used anymore\n if (verificationSession.state === OpenId4VcVerificationSessionState.Error) {\n issuanceSession.errorMessage = `Associated openId4VcVerificationSessionRecord with id 
'${openId4VcVerificationSessionId}' has error state`\n await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n }\n\n if (\n verificationSession.state !== OpenId4VcVerificationSessionState.ResponseVerified ||\n authorizationChallengeRequest.presentation_during_issuance_session !==\n verificationSession.presentationDuringIssuanceSession\n ) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidSession,\n error_description: `Invalid presentation for 'auth_session'`,\n },\n {\n internalMessage:\n verificationSession.state !== OpenId4VcVerificationSessionState.ResponseVerified\n ? `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has state '${verificationSession.state}', while '${OpenId4VcVerificationSessionState.ResponseVerified}' was expected.`\n : `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has 'presentation_during_issuance_session' '${verificationSession.presentationDuringIssuanceSession}', but authorization challenge request provided value '${authorizationChallengeRequest.presentation_during_issuance_session}'.`,\n }\n )\n }\n })\n\n // Grant authorization\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n const authorizationCode = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n const authorizationCodeExpiresAt = addSecondsToDate(new Date(), config.authorizationCodeExpiresInSeconds)\n\n issuanceSession.authorization = {\n ...issuanceSession.authorization,\n code: authorizationCode,\n codeExpiresAt: authorizationCodeExpiresAt,\n }\n\n // TODO: we need to start using locks so we can't get corrupted state\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n OpenId4VcIssuanceSessionState.AuthorizationGranted\n )\n\n const { authorizationChallengeResponse } = authorizationServer.createAuthorizationChallengeResponse({\n authorizationCode,\n })\n\n return 
sendJsonResponse(response, next, authorizationChallengeResponse)\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAoCA,SAAgB,wCAAwC,QAAgB,QAAqC;AAC3G,QAAO,KACL,OAAO,oCACP,OAAO,SAAmC,UAAoB,SAAuB;EAEnF,MAAM,EAAE,cAAc,WADC,kBAAkB,QAAQ;AAGjD,MAAI;GACF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;GAC3F,MAAM,sBAAsB,uBAAuB,6BAA6B,aAAa;GAC7F,MAAM,iBAAiB,aAAa,eAAe,iBAAiB,mBAAmB,CACrF,OAAO,mCACR,CAAC;GAEF,MAAM,cAAc;IAClB,SAAS,IAAI,QAAQ,QAAQ,QAAkC;IAC/D,QAAQ,QAAQ;IAChB,KAAK;IACN;GAED,MAAM,cAAc,oBAAoB,mCAAmC;IACzE,+BAA+B,QAAQ;IACvC,SAAS;IACV,CAAC;GACF,MAAM,EAAE,kCAAkC;AAE1C,OAAI,8BAA8B,aAChC,OAAM,4CAA4C;IAChD;IACA;IACA;IACA,SAAS;IACT;IACA;IACD,CAAC;OAGF,OAAM,0CAA0C;IAC9C;IACA;IACA;IACA,SAAS;IACV,CAAC;WAEG,OAAO;AACd,OAAI,iBAAiB,+BACnB,QAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAEnF,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;GAG7F;;AAGH,eAAe,0CAA0C,SAMtD;CACD,MAAM,EAAE,cAAc,QAAQ,aAAa,YAAY;CACvD,MAAM,EAAE,kCAAkC;CAI1C,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;CAC7F,MAAM,SAAS,aAAa,kBAAkB,QAAQ,4BAA4B;CAClF,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;AAE3F,KAAI,CAAC,OAAO,sDACV,OAAM,IAAI,+BACR,EACE,OAAO,iBAAiB,aACzB,EACD,EACE,iBAAiB,0LAClB,CACF;AAGH,KAAI,CAAC,8BAA8B,aACjC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,CAAC,8BAA8B,MACjC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,kBAAkB,MAAM,uBAAuB,iCAAiC,cAAc;EAClG,UAAU,OAAO;EACjB,aAAa,8BAA8B;EAC5C,CAAC;CACF,MAAM,gBAAgB,CAAC,8BAA8B,cAAc,8BAA8B,kBAAkB;AACnH,KAAI,CAAC,mBAAmB,CAAC,cAAc,SAAS,gBAAgB,MAAM,CACpE,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,CAAC,kBACd,4DAA4D,8BAA8B,aAAa,KACvG,qBAAqB,gBAAgB,GAAG,eACtC,gBAAgB,MACjB,wBAAwB,cAAc,KAAK,KAAK,IACtD,CACF;CAGH,MAAM,sBAAsB,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;CACF,MAAM,EAAE,mBAAmB,SAAS,MAAM,oBAAoB,oCAAoC;EAChG;EACA,6BAA6B,eAAe,qBAAqB;EACjE;EACA,mBAAmB;GACjB,GAAG,YAAY;GAEf,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;GACjE;EACD,MAAM;GACJ,GAAG,YAAY;GAEf,UAAU,gBAAgB,MAAM,YAAY,OAAO;GACpD;EACF,CAAC;AAGF,KAAI,
KACF,iBAAgB,OAAO;EAErB,UAAU;EACV,SAAS,KAAK;EACf;AACH,KAAI,kBACF,iBAAgB,oBAAoB,EAElC,UAAU,MACX;CAEH,MAAM,kCAAkC,sBACtC,gBAAgB,uBAAuB,8BACvC,eAAe,iBAAiB,oCACjC;CAGD,MAAM,kBAAkB,kCAAkC;EACxD,eAFoB,+CAA+C,gCAAgC;EAGnG,gBAAgB,8BAA8B;EAC/C,CAAC;CACF,MAAM,oCAAoC,8CACxC,iCACA,gBACD;AAED,KAAI,gBAAgB,WAAW,KAAK,OAAO,KAAK,kCAAkC,CAAC,WAAW,EAC5F,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,EACJ,sBACA,qBACA,QAAQ,uBACN,MAAM,OAAO,sDAAsD;EACrE;EACA;EACA;EACA,QAAQ;EACT,CAAC;CAEF,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AAEtD,qBAAoB,oCAAoC,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;AACtH,OAAM,aAAa,kBAChB,QAAQ,uCAAuC,CAC/C,OAAO,cAAc,oBAAoB;CAE5C,MAAM,cAAc,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;AAClF,iBAAgB,gBAAgB;EAC9B,GAAG,gBAAgB;EACnB,QAAQ;EACT;AACD,iBAAgB,eAAe;EAC7B,UAAU;EACV;EACA,gCAAgC,oBAAoB;EACrD;AAID,iBAAgB,WAAW,mBAAmB,kBAAkB,QAAQ,OAAO,8BAA8B;AAE7G,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,uBAC/B;AASD,OAAM,IAAI,+BAPkC,oBAAoB,sDAC9D;EACE;EACA,cAAc;EACd,kBAAkB;EACnB,CACF,CAC4E;;AAG/E,eAAe,4CAA4C,SAQxD;CACD,MAAM,EAAE,cAAc,QAAQ,aAAa,SAAS,UAAU,SAAS;CACvE,MAAM,EAAE,kCAAkC;CAE1C,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;CAC7F,MAAM,SAAS,aAAa,kBAAkB,QAAQ,4BAA4B;CAClF,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;CAE3F,MAAM,cAAc,aAAa,kBAAkB,QAAQ,qBAAqB;CAKhF,MAAM,kBAAkB,MAAM,uBAAuB,iCAAiC,cAAc;EAClG,UAAU,OAAO;EACjB,yBAAyB,8BAA8B;EACxD,CAAC;CACF,MAAM,gBAAgB,CAAC,8BAA8B,uBAAuB;AAC5E,KACE,CAAC,iBAAiB,gBAClB,CAAC,gBAAgB,aAAa,kCAC9B,CAAC,gBAAgB,aAAa,eAC9B,CAAC,cAAc,SAAS,gBAAgB,MAAM,CAE9C,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,CAAC,kBACd,4DAA4D,8BAA8B,aAAa,KACvG,CAAC,iBAAiB,eAChB,qBAAqB,gBAAgB,GAAG,gFACxC,qBAAqB,gBAAgB,GAAG,eACtC,gBAAgB,MACjB,wBAAwB,cAAc,KAAK,KAAK,IACxD,CACF;CAGH,MAAM,sBAAsB,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;CACF,MAAM,EAAE,mBAAmB,SAAS,MAAM,oBAAoB,oCAAoC;EAChG;EACA,6BAA6B,eAAe,qBAAqB;EACjE;EACA,mBAAmB;GACjB,GAAG,YAAY;GAGf,UAAU,gBAAgB,mBAAmB;GAC9C;EACD,MAAM;GACJ,GAAG,YAAY;GAGf,UAAU,gBAAgB,MAAM;GACjC;EACF,CAAC;AAEF,KAAI,QAAQ
,KAAK,kBAAkB,gBAAgB,MAAM,QACvD,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,wBAAwB,KAAK,cAAc,mCAAmC,gBAAgB,MAAM,QAAQ,IAC9H,CACF;AAGH,KAAI,qBAAqB,kBAAkB,kBAAkB,QAAQ,QAAQ,gBAAgB,SAC3F,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,cAAc,8BAA8B,UAAU,mEAAmE,gBAAgB,SAAS,wBACpK,CACF;CAGH,MAAM,EAAE,mCAAmC,gBAAgB;AAE3D,OAAM,YACH,2BAA2B,+BAA+B,CAC1D,MAAM,YAAY;AAEjB,kBAAgB,eAAe,0DAA0D,+BAA+B;AACxH,QAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;AAE5G,QAAM,IAAI,+BACR;GACE,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,EACD,EACE,iBAAiB,2CAA2C,+BAA+B,+CAA+C,gBAAgB,GAAG,IAC9J,CACF;GACD,CACD,KAAK,OAAO,wBAAwB;AAEnC,MAAI,oBAAoB,UAAU,kCAAkC,OAAO;AACzE,mBAAgB,eAAe,0DAA0D,+BAA+B;AACxH,SAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;;AAG9G,MACE,oBAAoB,UAAU,kCAAkC,oBAChE,8BAA8B,yCAC5B,oBAAoB,kCAEtB,OAAM,IAAI,+BACR;GACE,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,EACD,EACE,iBACE,oBAAoB,UAAU,kCAAkC,mBAC5D,2CAA2C,+BAA+B,eAAe,oBAAoB,MAAM,YAAY,kCAAkC,iBAAiB,mBAClL,2CAA2C,+BAA+B,gDAAgD,oBAAoB,kCAAkC,yDAAyD,8BAA8B,qCAAqC,KACnT,CACF;GAEH;CAGJ,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;CACtD,MAAM,oBAAoB,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;CACxF,MAAM,6BAA6B,iCAAiB,IAAI,MAAM,EAAE,OAAO,kCAAkC;AAEzG,iBAAgB,gBAAgB;EAC9B,GAAG,gBAAgB;EACnB,MAAM;EACN,eAAe;EAChB;AAGD,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,qBAC/B;CAED,MAAM,EAAE,mCAAmC,oBAAoB,qCAAqC,EAClG,mBACD,CAAC;AAEF,QAAO,iBAAiB,UAAU,MAAM,+BAA+B"}
1
+ {"version":3,"file":"authorizationChallengeEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/authorizationChallengeEndpoint.ts"],"sourcesContent":["import type { AgentContext } from '@credo-ts/core'\nimport { joinUriParts, Kms, TypedArrayEncoder, utils } from '@credo-ts/core'\nimport type {\n HttpMethod,\n ParseAuthorizationChallengeRequestOptions,\n ParseAuthorizationChallengeRequestResult,\n} from '@openid4vc/oauth2'\nimport { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { NextFunction, Response, Router } from 'express'\nimport {\n OpenId4VcVerificationSessionRepository,\n OpenId4VcVerificationSessionState,\n OpenId4VcVerifierApi,\n} from '../../openid4vc-verifier'\nimport type { OpenId4VciCredentialConfigurationsSupportedWithFormats } from '../../shared'\nimport {\n getAllowedAndRequestedScopeValues,\n getCredentialConfigurationsSupportedForScopes,\n getOfferedCredentials,\n getScopesFromCredentialConfigurationsSupported,\n} from '../../shared'\nimport {\n getRequestContext,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport type { OpenId4VcIssuerRecord } from '../repository'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureAuthorizationChallengeEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.post(\n config.authorizationChallengeEndpointPath,\n async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => {\n const requestContext = getRequestContext(request)\n const { agentContext, issuer } = requestContext\n\n try {\n const openId4VcIssuerService = 
agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext)\n const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n config.authorizationChallengeEndpointPath,\n ])\n\n const requestLike = {\n headers: new Headers(request.headers as Record<string, string>),\n method: request.method as HttpMethod,\n url: fullRequestUrl,\n } as const\n\n const parseResult = authorizationServer.parseAuthorizationChallengeRequest({\n authorizationChallengeRequest: request.body,\n request: requestLike,\n })\n const { authorizationChallengeRequest } = parseResult\n\n if (authorizationChallengeRequest.auth_session) {\n await handleAuthorizationChallengeWithAuthSession({\n response,\n next,\n parseResult,\n request: requestLike,\n agentContext,\n issuer,\n })\n } else {\n // First call, no auth_session yet\n await handleAuthorizationChallengeNoAuthSession({\n agentContext,\n issuer,\n parseResult,\n request: requestLike,\n })\n }\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n )\n}\n\nasync function handleAuthorizationChallengeNoAuthSession(options: {\n agentContext: AgentContext\n issuer: OpenId4VcIssuerRecord\n parseResult: ParseAuthorizationChallengeRequestResult\n // FIXME: export in oid4vc-ts\n request: ParseAuthorizationChallengeRequestOptions['request']\n}) {\n const { agentContext, issuer, parseResult, request } = options\n const { authorizationChallengeRequest } = parseResult\n\n // First call, no auth_session yet\n\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const config = 
agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n\n if (!config.getVerificationSessionForIssuanceSessionAuthorization) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage: `Missing required 'getVerificationSessionForIssuanceSessionAuthorization' callback in openid4vc issuer module config. This callback is required for presentation during issuance flows.`,\n }\n )\n }\n\n if (!authorizationChallengeRequest.issuer_state) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'issuer_state' parameter. Only requests initiated by a credential offer are supported for authorization challenge.`,\n })\n }\n\n if (!authorizationChallengeRequest.scope) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `Missing required 'scope' parameter`,\n })\n }\n\n const issuanceSession = await openId4VcIssuerService.findSingleIssuanceSessionByQuery(agentContext, {\n issuerId: issuer.issuerId,\n issuerState: authorizationChallengeRequest.issuer_state,\n })\n const allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved]\n if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid 'issuer_state' parameter`,\n },\n {\n internalMessage: !issuanceSession\n ? 
`Issuance session not found for 'issuer_state' parameter '${authorizationChallengeRequest.issuer_state}'`\n : `Issuance session '${issuanceSession.id}' has state '${\n issuanceSession.state\n }' but expected one of ${allowedStates.join(', ')}`,\n }\n )\n }\n\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n issuanceSessionId: issuanceSession.id,\n })\n const { clientAttestation, dpop } = await authorizationServer.verifyAuthorizationChallengeRequest({\n authorizationChallengeRequest,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n request,\n clientAttestation: {\n ...parseResult.clientAttestation,\n // First session config, fall back to global config\n required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n },\n dpop: {\n ...parseResult.dpop,\n // First session config, fall back to global config\n required: issuanceSession.dpop?.required ?? config.dpopRequired,\n },\n })\n\n // Bind dpop jwk thumbprint to session\n if (dpop)\n issuanceSession.dpop = {\n // If dpop is provided at the start, it's required from now on.\n required: true,\n dpopJkt: dpop.jwkThumbprint,\n }\n if (clientAttestation)\n issuanceSession.walletAttestation = {\n // If dpop is provided at the start, it's required from now on.\n required: true,\n }\n\n const offeredCredentialConfigurations = getOfferedCredentials(\n issuanceSession.credentialOfferPayload.credential_configuration_ids,\n issuerMetadata.credentialIssuer.credential_configurations_supported\n )\n\n const allowedScopes = getScopesFromCredentialConfigurationsSupported(offeredCredentialConfigurations)\n const requestedScopes = getAllowedAndRequestedScopeValues({\n allowedScopes,\n requestedScope: authorizationChallengeRequest.scope,\n })\n const requestedCredentialConfigurations = getCredentialConfigurationsSupportedForScopes(\n offeredCredentialConfigurations,\n requestedScopes\n ) as 
OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n if (requestedScopes.length === 0 || Object.keys(requestedCredentialConfigurations).length === 0) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `No requested 'scope' values match with offered credential configurations.`,\n })\n }\n\n const {\n authorizationRequest,\n verificationSession,\n scopes: presentationScopes,\n } = await config.getVerificationSessionForIssuanceSessionAuthorization({\n agentContext,\n issuanceSession,\n requestedCredentialConfigurations,\n scopes: requestedScopes,\n })\n\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n // Store presentation during issuance session on the record\n verificationSession.presentationDuringIssuanceSession = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n await agentContext.dependencyManager\n .resolve(OpenId4VcVerificationSessionRepository)\n .update(agentContext, verificationSession)\n\n const authSession = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n issuanceSession.authorization = {\n ...issuanceSession.authorization,\n scopes: presentationScopes,\n }\n issuanceSession.presentation = {\n required: true,\n authSession,\n openId4VcVerificationSessionId: verificationSession.id,\n }\n\n // If client attestation is used we have verified this client_id matches with the sub\n // of the wallet attestation\n issuanceSession.clientId = clientAttestation?.clientAttestation.payload.sub ?? 
authorizationChallengeRequest.client_id\n\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n OpenId4VcIssuanceSessionState.AuthorizationInitiated\n )\n\n const authorizationChallengeErrorResponse = authorizationServer.createAuthorizationChallengePresentationErrorResponse(\n {\n authSession,\n presentation: authorizationRequest,\n errorDescription: 'Presentation required before issuance',\n }\n )\n throw new Oauth2ServerErrorResponseError(authorizationChallengeErrorResponse)\n}\n\nasync function handleAuthorizationChallengeWithAuthSession(options: {\n response: Response\n agentContext: AgentContext\n issuer: OpenId4VcIssuerRecord\n next: NextFunction\n parseResult: ParseAuthorizationChallengeRequestResult\n // FIXME: export in oid4vc-ts\n request: ParseAuthorizationChallengeRequestOptions['request']\n}) {\n const { agentContext, issuer, parseResult, request, response, next } = options\n const { authorizationChallengeRequest } = parseResult\n\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n\n const verifierApi = agentContext.dependencyManager.resolve(OpenId4VcVerifierApi)\n\n // NOTE: we ignore scope, issuer_state etc.. parameters if auth_session is present\n // should we validate that these are not in the request? 
I'm not sure what best practice would be here\n\n const issuanceSession = await openId4VcIssuerService.findSingleIssuanceSessionByQuery(agentContext, {\n issuerId: issuer.issuerId,\n presentationAuthSession: authorizationChallengeRequest.auth_session,\n })\n const allowedStates = [OpenId4VcIssuanceSessionState.AuthorizationInitiated]\n if (\n !issuanceSession?.presentation ||\n !issuanceSession.presentation.openId4VcVerificationSessionId ||\n !issuanceSession.presentation.authSession ||\n !allowedStates.includes(issuanceSession.state)\n ) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidSession,\n error_description: `Invalid 'auth_session'`,\n },\n {\n internalMessage: !issuanceSession\n ? `Issuance session not found for 'auth_session' parameter '${authorizationChallengeRequest.auth_session}'`\n : !issuanceSession?.presentation\n ? `Issuance session '${issuanceSession.id}' has no 'presentation'. This should not happen and means state is corrupted`\n : `Issuance session '${issuanceSession.id}' has state '${\n issuanceSession.state\n }' but expected one of ${allowedStates.join(', ')}`,\n }\n )\n }\n\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n issuanceSessionId: issuanceSession.id,\n })\n const { clientAttestation, dpop } = await authorizationServer.verifyAuthorizationChallengeRequest({\n authorizationChallengeRequest,\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n request,\n clientAttestation: {\n ...parseResult.clientAttestation,\n // We only look at the issuance session here. If it is required\n // it will be defined on the issuance session now.\n required: issuanceSession.walletAttestation?.required,\n },\n dpop: {\n ...parseResult.dpop,\n // We only look at the issuance session here. 
If it is required\n // it will be defined on the issuance session now.\n required: issuanceSession.dpop?.required,\n },\n })\n\n if (dpop && dpop.jwkThumbprint !== issuanceSession.dpop?.dpopJkt) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidDpopProof,\n error_description: 'Invalid jwk thumbprint',\n },\n {\n internalMessage: `DPoP JWK thumbprint '${dpop.jwkThumbprint}' does not match expected value '${issuanceSession.dpop?.dpopJkt}'`,\n }\n )\n }\n\n if (clientAttestation && clientAttestation.clientAttestation.payload.sub !== issuanceSession.clientId) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidClient,\n error_description: 'Invalid client',\n },\n {\n internalMessage: `Client id '${authorizationChallengeRequest.client_id}' from authorization challenge request does not match client id '${issuanceSession.clientId}' on issuance session`,\n }\n )\n }\n\n const { openId4VcVerificationSessionId } = issuanceSession.presentation\n\n await verifierApi\n .getVerificationSessionById(openId4VcVerificationSessionId)\n .catch(async () => {\n // Issuance session is corrupted\n issuanceSession.errorMessage = `Associated openId4VcVerificationSessionRecord with id '${openId4VcVerificationSessionId}' does not exist`\n await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidSession,\n error_description: `Invalid 'auth_session'`,\n },\n {\n internalMessage: `Openid4vc verification session with id '${openId4VcVerificationSessionId}' not found during issuance session with id '${issuanceSession.id}'`,\n }\n )\n })\n .then(async (verificationSession) => {\n // Issuance session cannot be used anymore\n if (verificationSession.state === OpenId4VcVerificationSessionState.Error) {\n issuanceSession.errorMessage = `Associated openId4VcVerificationSessionRecord with id 
'${openId4VcVerificationSessionId}' has error state`\n await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n }\n\n if (\n verificationSession.state !== OpenId4VcVerificationSessionState.ResponseVerified ||\n authorizationChallengeRequest.presentation_during_issuance_session !==\n verificationSession.presentationDuringIssuanceSession\n ) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidSession,\n error_description: `Invalid presentation for 'auth_session'`,\n },\n {\n internalMessage:\n verificationSession.state !== OpenId4VcVerificationSessionState.ResponseVerified\n ? `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has state '${verificationSession.state}', while '${OpenId4VcVerificationSessionState.ResponseVerified}' was expected.`\n : `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has 'presentation_during_issuance_session' '${verificationSession.presentationDuringIssuanceSession}', but authorization challenge request provided value '${authorizationChallengeRequest.presentation_during_issuance_session}'.`,\n }\n )\n }\n })\n\n // Grant authorization\n const kms = agentContext.resolve(Kms.KeyManagementApi)\n const authorizationCode = TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }))\n const authorizationCodeExpiresAt = utils.addSecondsToDate(new Date(), config.authorizationCodeExpiresInSeconds)\n\n issuanceSession.authorization = {\n ...issuanceSession.authorization,\n code: authorizationCode,\n codeExpiresAt: authorizationCodeExpiresAt,\n }\n\n // TODO: we need to start using locks so we can't get corrupted state\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n OpenId4VcIssuanceSessionState.AuthorizationGranted\n )\n\n const { authorizationChallengeResponse } = authorizationServer.createAuthorizationChallengeResponse({\n authorizationCode,\n })\n\n return 
sendJsonResponse(response, next, authorizationChallengeResponse)\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiCA,SAAgB,wCAAwC,QAAgB,QAAqC;AAC3G,QAAO,KACL,OAAO,oCACP,OAAO,SAAmC,UAAoB,SAAuB;EAEnF,MAAM,EAAE,cAAc,WADC,kBAAkB,QAAQ;AAGjD,MAAI;GACF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;GAC3F,MAAM,sBAAsB,uBAAuB,6BAA6B,aAAa;GAC7F,MAAM,iBAAiB,aAAa,eAAe,iBAAiB,mBAAmB,CACrF,OAAO,mCACR,CAAC;GAEF,MAAM,cAAc;IAClB,SAAS,IAAI,QAAQ,QAAQ,QAAkC;IAC/D,QAAQ,QAAQ;IAChB,KAAK;IACN;GAED,MAAM,cAAc,oBAAoB,mCAAmC;IACzE,+BAA+B,QAAQ;IACvC,SAAS;IACV,CAAC;GACF,MAAM,EAAE,kCAAkC;AAE1C,OAAI,8BAA8B,aAChC,OAAM,4CAA4C;IAChD;IACA;IACA;IACA,SAAS;IACT;IACA;IACD,CAAC;OAGF,OAAM,0CAA0C;IAC9C;IACA;IACA;IACA,SAAS;IACV,CAAC;WAEG,OAAO;AACd,OAAI,iBAAiB,+BACnB,QAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAEnF,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;GAG7F;;AAGH,eAAe,0CAA0C,SAMtD;CACD,MAAM,EAAE,cAAc,QAAQ,aAAa,YAAY;CACvD,MAAM,EAAE,kCAAkC;CAI1C,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;CAC7F,MAAM,SAAS,aAAa,kBAAkB,QAAQ,4BAA4B;CAClF,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;AAE3F,KAAI,CAAC,OAAO,sDACV,OAAM,IAAI,+BACR,EACE,OAAO,iBAAiB,aACzB,EACD,EACE,iBAAiB,0LAClB,CACF;AAGH,KAAI,CAAC,8BAA8B,aACjC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,CAAC,8BAA8B,MACjC,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,kBAAkB,MAAM,uBAAuB,iCAAiC,cAAc;EAClG,UAAU,OAAO;EACjB,aAAa,8BAA8B;EAC5C,CAAC;CACF,MAAM,gBAAgB,CAAC,8BAA8B,cAAc,8BAA8B,kBAAkB;AACnH,KAAI,CAAC,mBAAmB,CAAC,cAAc,SAAS,gBAAgB,MAAM,CACpE,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,CAAC,kBACd,4DAA4D,8BAA8B,aAAa,KACvG,qBAAqB,gBAAgB,GAAG,eACtC,gBAAgB,MACjB,wBAAwB,cAAc,KAAK,KAAK,IACtD,CACF;CAGH,MAAM,sBAAsB,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;CACF,MAAM,EAAE,mBAAmB,SAAS,MAAM,oBAAoB,oCAAoC;EAChG;EACA,6BAA6B,eAAe,qBAAqB;EACjE;EACA,mBAAmB;GACjB,GAAG,YAAY;GAEf,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;GACjE;EACD,MAAM;GACJ,GAAG,YAAY;GAEf,UAAU,gBAAgB,MAAM,YAAY,OAAO;GACpD;EACF,CAAC;AAGF,KAAI,K
ACF,iBAAgB,OAAO;EAErB,UAAU;EACV,SAAS,KAAK;EACf;AACH,KAAI,kBACF,iBAAgB,oBAAoB,EAElC,UAAU,MACX;CAEH,MAAM,kCAAkC,sBACtC,gBAAgB,uBAAuB,8BACvC,eAAe,iBAAiB,oCACjC;CAGD,MAAM,kBAAkB,kCAAkC;EACxD,eAFoB,+CAA+C,gCAAgC;EAGnG,gBAAgB,8BAA8B;EAC/C,CAAC;CACF,MAAM,oCAAoC,8CACxC,iCACA,gBACD;AAED,KAAI,gBAAgB,WAAW,KAAK,OAAO,KAAK,kCAAkC,CAAC,WAAW,EAC5F,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,EACJ,sBACA,qBACA,QAAQ,uBACN,MAAM,OAAO,sDAAsD;EACrE;EACA;EACA;EACA,QAAQ;EACT,CAAC;CAEF,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;AAEtD,qBAAoB,oCAAoC,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;AACtH,OAAM,aAAa,kBAChB,QAAQ,uCAAuC,CAC/C,OAAO,cAAc,oBAAoB;CAE5C,MAAM,cAAc,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;AAClF,iBAAgB,gBAAgB;EAC9B,GAAG,gBAAgB;EACnB,QAAQ;EACT;AACD,iBAAgB,eAAe;EAC7B,UAAU;EACV;EACA,gCAAgC,oBAAoB;EACrD;AAID,iBAAgB,WAAW,mBAAmB,kBAAkB,QAAQ,OAAO,8BAA8B;AAE7G,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,uBAC/B;AASD,OAAM,IAAI,+BAPkC,oBAAoB,sDAC9D;EACE;EACA,cAAc;EACd,kBAAkB;EACnB,CACF,CAC4E;;AAG/E,eAAe,4CAA4C,SAQxD;CACD,MAAM,EAAE,cAAc,QAAQ,aAAa,SAAS,UAAU,SAAS;CACvE,MAAM,EAAE,kCAAkC;CAE1C,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;CAC7F,MAAM,SAAS,aAAa,kBAAkB,QAAQ,4BAA4B;CAClF,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;CAE3F,MAAM,cAAc,aAAa,kBAAkB,QAAQ,qBAAqB;CAKhF,MAAM,kBAAkB,MAAM,uBAAuB,iCAAiC,cAAc;EAClG,UAAU,OAAO;EACjB,yBAAyB,8BAA8B;EACxD,CAAC;CACF,MAAM,gBAAgB,CAAC,8BAA8B,uBAAuB;AAC5E,KACE,CAAC,iBAAiB,gBAClB,CAAC,gBAAgB,aAAa,kCAC9B,CAAC,gBAAgB,aAAa,eAC9B,CAAC,cAAc,SAAS,gBAAgB,MAAM,CAE9C,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,CAAC,kBACd,4DAA4D,8BAA8B,aAAa,KACvG,CAAC,iBAAiB,eAChB,qBAAqB,gBAAgB,GAAG,gFACxC,qBAAqB,gBAAgB,GAAG,eACtC,gBAAgB,MACjB,wBAAwB,cAAc,KAAK,KAAK,IACxD,CACF;CAGH,MAAM,sBAAsB,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;CACF,MAAM,EAAE,mBAAmB,SAAS,MAAM,oBAAoB,oCAAoC;EAChG;EACA,6BAA6B,eAAe,qBAAqB;EACjE;EACA,mBAAmB;GACjB,GAAG,YAAY;GAGf,UAAU,gBAAgB,mBAAmB;GAC9C;EACD,MAAM;GACJ,GAAG,YAAY;GAGf,UAAU,gBAAgB,MAAM;GACjC;EACF,CAAC;AAEF,KAAI,QAAQ,
KAAK,kBAAkB,gBAAgB,MAAM,QACvD,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,wBAAwB,KAAK,cAAc,mCAAmC,gBAAgB,MAAM,QAAQ,IAC9H,CACF;AAGH,KAAI,qBAAqB,kBAAkB,kBAAkB,QAAQ,QAAQ,gBAAgB,SAC3F,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,cAAc,8BAA8B,UAAU,mEAAmE,gBAAgB,SAAS,wBACpK,CACF;CAGH,MAAM,EAAE,mCAAmC,gBAAgB;AAE3D,OAAM,YACH,2BAA2B,+BAA+B,CAC1D,MAAM,YAAY;AAEjB,kBAAgB,eAAe,0DAA0D,+BAA+B;AACxH,QAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;AAE5G,QAAM,IAAI,+BACR;GACE,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,EACD,EACE,iBAAiB,2CAA2C,+BAA+B,+CAA+C,gBAAgB,GAAG,IAC9J,CACF;GACD,CACD,KAAK,OAAO,wBAAwB;AAEnC,MAAI,oBAAoB,UAAU,kCAAkC,OAAO;AACzE,mBAAgB,eAAe,0DAA0D,+BAA+B;AACxH,SAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;;AAG9G,MACE,oBAAoB,UAAU,kCAAkC,oBAChE,8BAA8B,yCAC5B,oBAAoB,kCAEtB,OAAM,IAAI,+BACR;GACE,OAAO,iBAAiB;GACxB,mBAAmB;GACpB,EACD,EACE,iBACE,oBAAoB,UAAU,kCAAkC,mBAC5D,2CAA2C,+BAA+B,eAAe,oBAAoB,MAAM,YAAY,kCAAkC,iBAAiB,mBAClL,2CAA2C,+BAA+B,gDAAgD,oBAAoB,kCAAkC,yDAAyD,8BAA8B,qCAAqC,KACnT,CACF;GAEH;CAGJ,MAAM,MAAM,aAAa,QAAQ,IAAI,iBAAiB;CACtD,MAAM,oBAAoB,kBAAkB,YAAY,IAAI,YAAY,EAAE,QAAQ,IAAI,CAAC,CAAC;CACxF,MAAM,6BAA6B,MAAM,iCAAiB,IAAI,MAAM,EAAE,OAAO,kCAAkC;AAE/G,iBAAgB,gBAAgB;EAC9B,GAAG,gBAAgB;EACnB,MAAM;EACN,eAAe;EAChB;AAGD,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,qBAC/B;CAED,MAAM,EAAE,mCAAmC,oBAAoB,qCAAqC,EAClG,mBACD,CAAC;AAEF,QAAO,iBAAiB,UAAU,MAAM,+BAA+B"}
@@ -1 +1 @@
1
- {"version":3,"file":"authorizationServerMetadataEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/authorizationServerMetadataEndpoint.ts"],"sourcesContent":["import type { Response, Router } from 'express'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nimport { getAuthorizationServerMetadataFromList } from '@openid4vc/oauth2'\n\nimport { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from '../../shared/router'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\n\n/**\n * This is the credo authorization server metadata. It is only used for pre-authorized\n * code flow.\n */\nexport function configureOAuthAuthorizationServerMetadataEndpoint(router: Router) {\n router.get(\n '/.well-known/oauth-authorization-server',\n async (_request: OpenId4VcIssuanceRequest, response: Response, next) => {\n const { agentContext, issuer } = getRequestContext(_request)\n try {\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const issuerAuthorizationServer = getAuthorizationServerMetadataFromList(\n issuerMetadata.authorizationServers,\n issuerMetadata.credentialIssuer.credential_issuer\n )\n\n return sendJsonResponse(response, next, issuerAuthorizationServer)\n } catch (e) {\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, e)\n }\n }\n )\n}\n"],"mappings":";;;;;;;;;;AAYA,SAAgB,kDAAkD,QAAgB;AAChF,QAAO,IACL,2CACA,OAAO,UAAoC,UAAoB,SAAS;EACtE,MAAM,EAAE,cAAc,WAAW,kBAAkB,SAAS;AAC5D,MAAI;GAEF,MAAM,iBAAiB,MADQ,aAAa,kBAAkB,QAAQ,uBAAuB,CACzC,kBAAkB,cAAc,OAAO;AAM3F,UAAO,iBAAiB,UAAU,MALA,uCAChC,eAAe,sBACf,eAAe,iBAAiB,kBACjC,CAEiE;WAC3D,GAAG;AACV,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,EAAE;;GAGzF"}
1
+ {"version":3,"file":"authorizationServerMetadataEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/authorizationServerMetadataEndpoint.ts"],"sourcesContent":["import { getAuthorizationServerMetadataFromList } from '@openid4vc/oauth2'\nimport type { Response, Router } from 'express'\nimport { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from '../../shared/router'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\n/**\n * This is the credo authorization server metadata. It is only used for pre-authorized\n * code flow.\n */\nexport function configureOAuthAuthorizationServerMetadataEndpoint(router: Router) {\n router.get(\n '/.well-known/oauth-authorization-server',\n async (_request: OpenId4VcIssuanceRequest, response: Response, next) => {\n const { agentContext, issuer } = getRequestContext(_request)\n try {\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const issuerAuthorizationServer = getAuthorizationServerMetadataFromList(\n issuerMetadata.authorizationServers,\n issuerMetadata.credentialIssuer.credential_issuer\n )\n\n return sendJsonResponse(response, next, issuerAuthorizationServer)\n } catch (e) {\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, e)\n }\n }\n )\n}\n"],"mappings":";;;;;;;;;;AAUA,SAAgB,kDAAkD,QAAgB;AAChF,QAAO,IACL,2CACA,OAAO,UAAoC,UAAoB,SAAS;EACtE,MAAM,EAAE,cAAc,WAAW,kBAAkB,SAAS;AAC5D,MAAI;GAEF,MAAM,iBAAiB,MADQ,aAAa,kBAAkB,QAAQ,uBAAuB,CACzC,kBAAkB,cAAc,OAAO;AAM3F,UAAO,iBAAiB,UAAU,MALA,uCAChC,eAAe,sBACf,eAAe,iBAAiB,kBACjC,CAEiE;WAC3D,GAAG;AACV,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,EAAE;;GAGzF"}
@@ -1,10 +1,9 @@
1
1
  const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
2
- const require_issuerMetadataUtils = require('../../shared/issuerMetadataUtils.js');
3
- require('../../shared/index.js');
4
- const require_utils = require('../../shared/utils.js');
2
+ const require_OpenId4VcIssuanceSessionState = require('../OpenId4VcIssuanceSessionState.js');
5
3
  const require_context = require('../../shared/router/context.js');
6
4
  require('../../shared/router/index.js');
7
- const require_OpenId4VcIssuanceSessionState = require('../OpenId4VcIssuanceSessionState.js');
5
+ const require_issuerMetadataUtils = require('../../shared/issuerMetadataUtils.js');
6
+ require('../../shared/index.js');
8
7
  const require_OpenId4VcIssuanceSessionRecord = require('../repository/OpenId4VcIssuanceSessionRecord.js');
9
8
  const require_OpenId4VcIssuanceSessionRepository = require('../repository/OpenId4VcIssuanceSessionRepository.js');
10
9
  require('../repository/index.js');
@@ -66,7 +65,7 @@ function configureCredentialEndpoint(router, config) {
66
65
  scheme,
67
66
  error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidDpopProof
68
67
  }));
69
- const expiresAt = issuanceSession.expiresAt ?? require_utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
68
+ const expiresAt = issuanceSession.expiresAt ?? __credo_ts_core.utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
70
69
  if (issuanceSession.authorization?.subject) {
71
70
  if (issuanceSession.authorization.subject !== tokenPayload.sub) return require_context.sendOauth2ErrorResponse(response, next, agentContext.config.logger, new __openid4vc_oauth2.Oauth2ServerErrorResponseError({ error: __openid4vc_oauth2.Oauth2ErrorCodes.CredentialRequestDenied }, { internalMessage: `Issuance session authorization subject does not match with the token payload subject for issuance session '${issuanceSession.id}'. Returning error response` }));
72
71
  } else if (Date.now() > expiresAt.getTime()) {
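Review bot: The `expiresAt` value computed on the changed line is only compared with `Date.now()` in the `else if` branch, so a session that has `authorization.subject` set gets a subject comparison but no expiry check anywhere in this hunk. If that is intended, presumably because the access token's own lifetime bounds those sessions, a comment above the branch would say so, e.g. `// sessions bound to an authorization subject rely on token expiry; expiresAt is enforced only for the others`. If it is not intended, the test should become its own `if (Date.now() > expiresAt.getTime())` ahead of the subject comparison, made in the TypeScript source this build output is generated from. The same structure appears in the `.mjs` build of this file (the `@@ -62,7 +61,7 @@` hunk). The handler inside `configureCredentialEndpoint` starts and ends outside the hunk, so an expiry check elsewhere cannot be ruled out from here.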
@@ -105,7 +104,7 @@ function configureCredentialEndpoint(router, config) {
105
104
  const createdAt = /* @__PURE__ */ new Date();
106
105
  issuanceSession = new require_OpenId4VcIssuanceSessionRecord.OpenId4VcIssuanceSessionRecord({
107
106
  createdAt,
108
- expiresAt: require_utils.addSecondsToDate(createdAt, config.statefulCredentialOfferExpirationInSeconds),
107
+ expiresAt: __credo_ts_core.utils.addSecondsToDate(createdAt, config.statefulCredentialOfferExpirationInSeconds),
109
108
  credentialOfferPayload: {
110
109
  credential_configuration_ids: Object.keys(configurationsForToken),
111
110
  credential_issuer: issuerMetadata.credentialIssuer.credential_issuer
@@ -1,9 +1,8 @@
1
- import { getCredentialConfigurationsSupportedForScopes } from "../../shared/issuerMetadataUtils.mjs";
2
- import "../../shared/index.mjs";
3
- import { addSecondsToDate } from "../../shared/utils.mjs";
1
+ import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
4
2
  import { getRequestContext, sendJsonResponse, sendOauth2ErrorResponse, sendUnauthorizedError, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
5
3
  import "../../shared/router/index.mjs";
6
- import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
4
+ import { getCredentialConfigurationsSupportedForScopes } from "../../shared/issuerMetadataUtils.mjs";
5
+ import "../../shared/index.mjs";
7
6
  import { OpenId4VcIssuanceSessionRecord } from "../repository/OpenId4VcIssuanceSessionRecord.mjs";
8
7
  import { OpenId4VcIssuanceSessionRepository } from "../repository/OpenId4VcIssuanceSessionRepository.mjs";
9
8
  import "../repository/index.mjs";
@@ -62,7 +61,7 @@ function configureCredentialEndpoint(router, config) {
62
61
  scheme,
63
62
  error: Oauth2ErrorCodes.InvalidDpopProof
64
63
  }));
65
- const expiresAt = issuanceSession.expiresAt ?? addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
64
+ const expiresAt = issuanceSession.expiresAt ?? utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
66
65
  if (issuanceSession.authorization?.subject) {
67
66
  if (issuanceSession.authorization.subject !== tokenPayload.sub) return sendOauth2ErrorResponse(response, next, agentContext.config.logger, new Oauth2ServerErrorResponseError({ error: Oauth2ErrorCodes.CredentialRequestDenied }, { internalMessage: `Issuance session authorization subject does not match with the token payload subject for issuance session '${issuanceSession.id}'. Returning error response` }));
68
67
  } else if (Date.now() > expiresAt.getTime()) {
@@ -101,7 +100,7 @@ function configureCredentialEndpoint(router, config) {
101
100
  const createdAt = /* @__PURE__ */ new Date();
102
101
  issuanceSession = new OpenId4VcIssuanceSessionRecord({
103
102
  createdAt,
104
- expiresAt: addSecondsToDate(createdAt, config.statefulCredentialOfferExpirationInSeconds),
103
+ expiresAt: utils.addSecondsToDate(createdAt, config.statefulCredentialOfferExpirationInSeconds),
105
104
  credentialOfferPayload: {
106
105
  credential_configuration_ids: Object.keys(configurationsForToken),
107
106
  credential_issuer: issuerMetadata.credentialIssuer.credential_issuer