@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.1

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs

@@ -0,0 +1,89 @@
+import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
+import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
+import { BaseRecord, CredoError, Kms, isJsonObject, utils } from "@credo-ts/core";
+import { credentialsSupportedToCredentialConfigurationsSupported } from "@openid4vc/openid4vci";
+import { Transform, TransformationType } from "class-transformer";
+
+//#region src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts
+/**
+* For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. This is not the case for DIDComm where we can just have one /didcomm endpoint.
+* So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints
+* and metadata files
+* */
+var OpenId4VcIssuerRecord = class OpenId4VcIssuerRecord extends BaseRecord {
+	/**
+	* Only here for class transformation. If credentialsSupported is set we transform
+	* it to the new credentialConfigurationsSupported format
+	*/
+	set credentialsSupported(credentialsSupported) {
+		if (this.credentialConfigurationsSupported) return;
+		this.credentialConfigurationsSupported = credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported);
+	}
+	get directAuthorizationServerConfigs() {
+		return this.authorizationServerConfigs?.filter((config) => config.type === "direct");
+	}
+	get chainedAuthorizationServerConfigs() {
+		return this.authorizationServerConfigs?.filter((config) => config.type === "chained");
+	}
+	get resolvedAccessTokenPublicJwk() {
+		if (this.accessTokenPublicJwk) return Kms.PublicJwk.fromPublicJwk(this.accessTokenPublicJwk);
+		if (this.accessTokenPublicKeyFingerprint) {
+			const publicJwk = Kms.PublicJwk.fromFingerprint(this.accessTokenPublicKeyFingerprint);
+			publicJwk.keyId = publicJwk.legacyKeyId;
+			return publicJwk;
+		}
+		throw new CredoError("Neither accessTokenPublicJwk or accessTokenPublicKeyFingerprint defined. Unable to resolve access token public jwk.");
+	}
+	constructor(props) {
+		super();
+		this.type = OpenId4VcIssuerRecord.type;
+		if (props) {
+			this.id = props.id ?? utils.uuid();
+			this.createdAt = props.createdAt ?? /* @__PURE__ */ new Date();
+			this._tags = props.tags ?? {};
+			this.issuerId = props.issuerId;
+			this.accessTokenPublicJwk = props.accessTokenPublicJwk;
+			this.credentialConfigurationsSupported = props.credentialConfigurationsSupported;
+			this.dpopSigningAlgValuesSupported = props.dpopSigningAlgValuesSupported;
+			this.display = props.display;
+			this.authorizationServerConfigs = props.authorizationServerConfigs;
+			this.batchCredentialIssuance = props.batchCredentialIssuance;
+			this.signedMetadata = props.signedMetadata;
+		}
+	}
+	getTags() {
+		return {
+			...this._tags,
+			issuerId: this.issuerId
+		};
+	}
+};
+OpenId4VcIssuerRecord.type = "OpenId4VcIssuerRecord";
+__decorate([Transform(({ type, value }) => {
+	if (type === TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) return value.map((display) => {
+		if (display.logo?.uri) return display;
+		const { url, ...logoRest } = display.logo ?? {};
+		return {
+			...display,
+			logo: url ? {
+				...logoRest,
+				uri: url
+			} : void 0
+		};
+	});
+	return value;
+}), __decorateMetadata("design:type", Array)], OpenId4VcIssuerRecord.prototype, "display", void 0);
+__decorate([Transform(({ type, value }) => {
+	if (type === TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) return value.map((config) => {
+		if (isJsonObject(config) && typeof config.type === "undefined") return {
+			...config,
+			type: "direct"
+		};
+		return config;
+	});
+	return value;
+}), __decorateMetadata("design:type", Array)], OpenId4VcIssuerRecord.prototype, "authorizationServerConfigs", void 0);
+
+//#endregion
+export { OpenId4VcIssuerRecord };
+//# sourceMappingURL=OpenId4VcIssuerRecord.mjs.map

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4VcIssuerRecord.mjs","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"sourcesContent":["import { BaseRecord, CredoError, isJsonObject, Kms, type RecordTags, type TagsBase, utils } from '@credo-ts/core'\nimport { credentialsSupportedToCredentialConfigurationsSupported } from '@openid4vc/openid4vci'\nimport { Transform, TransformationType } from 'class-transformer'\nimport type {\n  OpenId4VciAuthorizationServerConfig,\n  OpenId4VciCredentialConfigurationsSupportedWithFormats,\n  OpenId4VciCredentialIssuerMetadataDisplay,\n  OpenId4VcJwtIssuerEncoded,\n} from '../../shared'\nimport type { OpenId4VciBatchCredentialIssuanceOptions } from '../OpenId4VcIssuerServiceOptions'\n\nexport type OpenId4VcIssuerRecordTags = RecordTags<OpenId4VcIssuerRecord>\n\nexport type DefaultOpenId4VcIssuerRecordTags = {\n  issuerId: string\n}\n\nexport type OpenId4VcIssuerRecordSignedMetadata = {\n  signer: OpenId4VcJwtIssuerEncoded\n\n  /**\n   * The credential issuer metadata as a signed JWT\n   */\n  jwt: string\n}\n\nexport type OpenId4VcIssuerRecordProps = {\n  id?: string\n  createdAt?: Date\n  tags?: TagsBase\n\n  issuerId: string\n\n  /**\n   * The public jwk of the key used to sign access tokens for this issuer. Must include a `kid` parameter.\n   */\n  accessTokenPublicJwk: Kms.KmsJwkPublicAsymmetric\n\n  /**\n   * The DPoP signing algorithms supported by this issuer.\n   * If not provided, dPoP is considered unsupported.\n   */\n  dpopSigningAlgValuesSupported?: [Kms.KnownJwaSignatureAlgorithm, ...Kms.KnownJwaSignatureAlgorithm[]]\n\n  display?: OpenId4VciCredentialIssuerMetadataDisplay[]\n  authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[]\n\n  credentialConfigurationsSupported: OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n  /**\n   * Indicate support for batch issuance of credentials\n   */\n  batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions\n\n  /**\n   * When signed metadata is supported, this stores the\n   * signed jwt and signer information to update the JWT in the future.\n   */\n  signedMetadata?: OpenId4VcIssuerRecordSignedMetadata\n}\n\n/**\n * For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. This is not the case for DIDComm where we can just have one /didcomm endpoint.\n * So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints\n * and metadata files\n * */\nexport class OpenId4VcIssuerRecord extends BaseRecord<DefaultOpenId4VcIssuerRecordTags> {\n  public static readonly type = 'OpenId4VcIssuerRecord'\n  public readonly type = OpenId4VcIssuerRecord.type\n\n  public issuerId!: string\n\n  /**\n   * @deprecated accessTokenPublicJwk should be used\n   * @todo remove in migration\n   */\n  public accessTokenPublicKeyFingerprint?: string\n  public accessTokenPublicJwk?: Kms.KmsJwkPublicAsymmetric\n\n  /**\n   * Only here for class transformation. If credentialsSupported is set we transform\n   * it to the new credentialConfigurationsSupported format\n   */\n  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: see above\n  private set credentialsSupported(credentialsSupported: Array<unknown>) {\n    if (this.credentialConfigurationsSupported) return\n\n    this.credentialConfigurationsSupported =\n      // biome-ignore lint/suspicious/noExplicitAny: no explanation\n      credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported as any) as any\n  }\n\n  public credentialConfigurationsSupported!: OpenId4VciCredentialConfigurationsSupportedWithFormats\n\n  // Draft 11 to draft 13+ syntax\n  @Transform(({ type, value }) => {\n    if (type === TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) {\n      return value.map((display) => {\n        if (display.logo?.uri) return display\n\n        const { url, ...logoRest } = display.logo ?? {}\n        return {\n          ...display,\n          logo: url\n            ? {\n                ...logoRest,\n                uri: url,\n              }\n            : undefined,\n        }\n      })\n    }\n\n    return value\n  })\n  public display?: OpenId4VciCredentialIssuerMetadataDisplay[]\n\n  // Adds the type field if missing (for older records)\n  @Transform(({ type, value }) => {\n    if (type === TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) {\n      return value.map((config) => {\n        if (isJsonObject(config) && typeof config.type === 'undefined') {\n          return {\n            ...config,\n            type: 'direct',\n          }\n        }\n\n        return config\n      })\n    }\n\n    return value\n  })\n  public authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[]\n\n  public dpopSigningAlgValuesSupported?: [Kms.KnownJwaSignatureAlgorithm, ...Kms.KnownJwaSignatureAlgorithm[]]\n  public batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions\n\n  public signedMetadata?: OpenId4VcIssuerRecordSignedMetadata\n\n  public get directAuthorizationServerConfigs() {\n    return this.authorizationServerConfigs?.filter((config) => config.type === 'direct')\n  }\n\n  public get chainedAuthorizationServerConfigs() {\n    return this.authorizationServerConfigs?.filter((config) => config.type === 'chained')\n  }\n\n  public get resolvedAccessTokenPublicJwk() {\n    if (this.accessTokenPublicJwk) {\n      return Kms.PublicJwk.fromPublicJwk(this.accessTokenPublicJwk)\n    }\n\n    // From before we introduced key ids, uses legacy key id\n    if (this.accessTokenPublicKeyFingerprint) {\n      const publicJwk = Kms.PublicJwk.fromFingerprint(this.accessTokenPublicKeyFingerprint)\n      publicJwk.keyId = publicJwk.legacyKeyId\n      return publicJwk\n    }\n\n    throw new CredoError(\n      'Neither accessTokenPublicJwk or accessTokenPublicKeyFingerprint defined. Unable to resolve access token public jwk.'\n    )\n  }\n\n  public constructor(props: OpenId4VcIssuerRecordProps) {\n    super()\n\n    if (props) {\n      this.id = props.id ?? utils.uuid()\n      this.createdAt = props.createdAt ?? new Date()\n      this._tags = props.tags ?? {}\n\n      this.issuerId = props.issuerId\n      this.accessTokenPublicJwk = props.accessTokenPublicJwk\n      this.credentialConfigurationsSupported = props.credentialConfigurationsSupported\n      this.dpopSigningAlgValuesSupported = props.dpopSigningAlgValuesSupported\n      this.display = props.display\n      this.authorizationServerConfigs = props.authorizationServerConfigs\n      this.batchCredentialIssuance = props.batchCredentialIssuance\n      this.signedMetadata = props.signedMetadata\n    }\n  }\n\n  public getTags() {\n    return {\n      ...this._tags,\n      issuerId: this.issuerId,\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;;;AAkEA,IAAa,wBAAb,MAAa,8BAA8B,WAA6C;;;;;CAkBtF,IAAY,qBAAqB,sBAAsC;AACrE,MAAI,KAAK,kCAAmC;AAE5C,OAAK,oCAEH,wDAAwD,qBAA4B;;CAoDxF,IAAW,mCAAmC;AAC5C,SAAO,KAAK,4BAA4B,QAAQ,WAAW,OAAO,SAAS,SAAS;;CAGtF,IAAW,oCAAoC;AAC7C,SAAO,KAAK,4BAA4B,QAAQ,WAAW,OAAO,SAAS,UAAU;;CAGvF,IAAW,+BAA+B;AACxC,MAAI,KAAK,qBACP,QAAO,IAAI,UAAU,cAAc,KAAK,qBAAqB;AAI/D,MAAI,KAAK,iCAAiC;GACxC,MAAM,YAAY,IAAI,UAAU,gBAAgB,KAAK,gCAAgC;AACrF,aAAU,QAAQ,UAAU;AAC5B,UAAO;;AAGT,QAAM,IAAI,WACR,sHACD;;CAGH,AAAO,YAAY,OAAmC;AACpD,SAAO;OAnGO,OAAO,sBAAsB;AAqG3C,MAAI,OAAO;AACT,QAAK,KAAK,MAAM,MAAM,MAAM,MAAM;AAClC,QAAK,YAAY,MAAM,6BAAa,IAAI,MAAM;AAC9C,QAAK,QAAQ,MAAM,QAAQ,EAAE;AAE7B,QAAK,WAAW,MAAM;AACtB,QAAK,uBAAuB,MAAM;AAClC,QAAK,oCAAoC,MAAM;AAC/C,QAAK,gCAAgC,MAAM;AAC3C,QAAK,UAAU,MAAM;AACrB,QAAK,6BAA6B,MAAM;AACxC,QAAK,0BAA0B,MAAM;AACrC,QAAK,iBAAiB,MAAM;;;CAIhC,AAAO,UAAU;AACf,SAAO;GACL,GAAG,KAAK;GACR,UAAU,KAAK;GAChB;;;sBA1HoB,OAAO;YA4B7B,WAAW,EAAE,MAAM,YAAY;AAC9B,KAAI,SAAS,mBAAmB,kBAAkB,MAAM,QAAQ,MAAM,CACpE,QAAO,MAAM,KAAK,YAAY;AAC5B,MAAI,QAAQ,MAAM,IAAK,QAAO;EAE9B,MAAM,EAAE,KAAK,GAAG,aAAa,QAAQ,QAAQ,EAAE;AAC/C,SAAO;GACL,GAAG;GACH,MAAM,MACF;IACE,GAAG;IACH,KAAK;IACN,GACD;GACL;GACD;AAGJ,QAAO;EACP;YAID,WAAW,EAAE,MAAM,YAAY;AAC9B,KAAI,SAAS,mBAAmB,kBAAkB,MAAM,QAAQ,MAAM,CACpE,QAAO,MAAM,KAAK,WAAW;AAC3B,MAAI,aAAa,OAAO,IAAI,OAAO,OAAO,SAAS,YACjD,QAAO;GACL,GAAG;GACH,MAAM;GACP;AAGH,SAAO;GACP;AAGJ,QAAO;EACP"}

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.d.mts

@@ -0,0 +1,12 @@
+import { OpenId4VcIssuerRecord } from "./OpenId4VcIssuerRecord.mjs";
+import { AgentContext, EventEmitter, Repository, StorageService } from "@credo-ts/core";
+
+//#region src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.d.ts
+declare class OpenId4VcIssuerRepository extends Repository<OpenId4VcIssuerRecord> {
+  constructor(storageService: StorageService<OpenId4VcIssuerRecord>, eventEmitter: EventEmitter);
+  findByIssuerId(agentContext: AgentContext, issuerId: string): Promise<OpenId4VcIssuerRecord | null>;
+  getByIssuerId(agentContext: AgentContext, issuerId: string): Promise<OpenId4VcIssuerRecord>;
+}
+//#endregion
+export { OpenId4VcIssuerRepository };
+//# sourceMappingURL=OpenId4VcIssuerRepository.d.mts.map

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4VcIssuerRepository.d.mts","names":[],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts"],"sourcesContent":[],"mappings":";;;;cAOa,yBAAA,SAAkC,WAAW;EAA7C,WAAA,CAAA,cAAA,EAEgD,cAFtB,CAEqC,qBAFrC,CAAA,EAAA,YAAA,EAGrB,YAHqB;EAAmB,cAAA,CAAA,YAAA,EAQpB,YARoB,EAAA,QAAA,EAAA,MAAA,CAAA,EAQU,OARV,CAQU,qBARV,GAAA,IAAA,CAAA;EAEkB,aAAA,CAAA,YAAA,EAUvC,YAVuC,EAAA,QAAA,EAAA,MAAA,CAAA,EAUT,OAVS,CAUT,qBAVS,CAAA"}

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs

@@ -0,0 +1,28 @@
+import { __decorateMetadata } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
+import { __decorateParam } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateParam.mjs";
+import { __decorate } from "../../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
+import { OpenId4VcIssuerRecord } from "./OpenId4VcIssuerRecord.mjs";
+import { EventEmitter, InjectionSymbols, Repository, inject, injectable } from "@credo-ts/core";
+
+//#region src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts
+var _ref;
+let OpenId4VcIssuerRepository = class OpenId4VcIssuerRepository$1 extends Repository {
+	constructor(storageService, eventEmitter) {
+		super(OpenId4VcIssuerRecord, storageService, eventEmitter);
+	}
+	findByIssuerId(agentContext, issuerId) {
+		return this.findSingleByQuery(agentContext, { issuerId });
+	}
+	getByIssuerId(agentContext, issuerId) {
+		return this.getSingleByQuery(agentContext, { issuerId });
+	}
+};
+OpenId4VcIssuerRepository = __decorate([
+	injectable(),
+	__decorateParam(0, inject(InjectionSymbols.StorageService)),
+	__decorateMetadata("design:paramtypes", [Object, typeof (_ref = typeof EventEmitter !== "undefined" && EventEmitter) === "function" ? _ref : Object])
+], OpenId4VcIssuerRepository);
+
+//#endregion
+export { OpenId4VcIssuerRepository };
+//# sourceMappingURL=OpenId4VcIssuerRepository.mjs.map

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"OpenId4VcIssuerRepository.mjs","names":["OpenId4VcIssuerRepository","storageService: StorageService<OpenId4VcIssuerRecord>"],"sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts"],"sourcesContent":["import type { AgentContext } from '@credo-ts/core'\n\nimport { EventEmitter, InjectionSymbols, inject, injectable, Repository, type StorageService } from '@credo-ts/core'\n\nimport { OpenId4VcIssuerRecord } from './OpenId4VcIssuerRecord'\n\n@injectable()\nexport class OpenId4VcIssuerRepository extends Repository<OpenId4VcIssuerRecord> {\n  public constructor(\n    @inject(InjectionSymbols.StorageService) storageService: StorageService<OpenId4VcIssuerRecord>,\n    eventEmitter: EventEmitter\n  ) {\n    super(OpenId4VcIssuerRecord, storageService, eventEmitter)\n  }\n\n  public findByIssuerId(agentContext: AgentContext, issuerId: string) {\n    return this.findSingleByQuery(agentContext, { issuerId })\n  }\n\n  public getByIssuerId(agentContext: AgentContext, issuerId: string) {\n    return this.getSingleByQuery(agentContext, { issuerId })\n  }\n}\n"],"mappings":";;;;;;;;AAOO,sCAAMA,oCAAkC,WAAkC;CAC/E,AAAO,YACL,AAAyCC,gBACzC,cACA;AACA,QAAM,uBAAuB,gBAAgB,aAAa;;CAG5D,AAAO,eAAe,cAA4B,UAAkB;AAClE,SAAO,KAAK,kBAAkB,cAAc,EAAE,UAAU,CAAC;;CAG3D,AAAO,cAAc,cAA4B,UAAkB;AACjE,SAAO,KAAK,iBAAiB,cAAc,EAAE,UAAU,CAAC;;;;CAd3D,YAAY;oBAGR,OAAO,iBAAiB,eAAe"}

package/build/openid4vc-issuer/repository/index.d.mts

@@ -0,0 +1,4 @@
+import { DefaultOpenId4VcIssuanceSessionRecordTags, OpenId4VcIssuanceSessionAuthorization, OpenId4VcIssuanceSessionChainedIdentity, OpenId4VcIssuanceSessionDpop, OpenId4VcIssuanceSessionPkce, OpenId4VcIssuanceSessionPresentation, OpenId4VcIssuanceSessionRecord, OpenId4VcIssuanceSessionRecordProps, OpenId4VcIssuanceSessionRecordTransaction, OpenId4VcIssuanceSessionWalletAttestation } from "./OpenId4VcIssuanceSessionRecord.mjs";
+import { OpenId4VcIssuanceSessionRepository } from "./OpenId4VcIssuanceSessionRepository.mjs";
+import { DefaultOpenId4VcIssuerRecordTags, OpenId4VcIssuerRecord, OpenId4VcIssuerRecordProps, OpenId4VcIssuerRecordSignedMetadata, OpenId4VcIssuerRecordTags } from "./OpenId4VcIssuerRecord.mjs";
+import { OpenId4VcIssuerRepository } from "./OpenId4VcIssuerRepository.mjs";

package/build/openid4vc-issuer/repository/index.mjs

@@ -0,0 +1,4 @@
+import { OpenId4VcIssuanceSessionRecord } from "./OpenId4VcIssuanceSessionRecord.mjs";
+import { OpenId4VcIssuanceSessionRepository } from "./OpenId4VcIssuanceSessionRepository.mjs";
+import { OpenId4VcIssuerRecord } from "./OpenId4VcIssuerRecord.mjs";
+import { OpenId4VcIssuerRepository } from "./OpenId4VcIssuerRepository.mjs";

package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs

@@ -0,0 +1,199 @@
+import { getRequestContext, sendJsonResponse, sendOauth2ErrorResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
+import "../../shared/router/index.mjs";
+import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
+import { OpenId4VcIssuanceSessionRepository } from "../repository/OpenId4VcIssuanceSessionRepository.mjs";
+import "../repository/index.mjs";
+import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
+import { CredoError, joinUriParts, utils } from "@credo-ts/core";
+import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError, authorizationCodeGrantIdentifier, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier } from "@openid4vc/oauth2";
+
+//#region src/openid4vc-issuer/router/accessTokenEndpoint.ts
+function configureAccessTokenEndpoint(router, config) {
+	router.post(config.accessTokenEndpointPath, handleTokenRequest(config));
+}
+function handleTokenRequest(config) {
+	return async (request, response, next) => {
+		response.set({
+			"Cache-Control": "no-store",
+			Pragma: "no-cache"
+		});
+		const { agentContext, issuer } = getRequestContext(request);
+		try {
+			const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService);
+			const issuanceSessionRepository = agentContext.dependencyManager.resolve(OpenId4VcIssuanceSessionRepository);
+			const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
+			const accessTokenSigningKey = issuer.resolvedAccessTokenPublicJwk;
+			let oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
+			const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [config.accessTokenEndpointPath]);
+			const requestLike = {
+				headers: new Headers(request.headers),
+				method: request.method,
+				url: fullRequestUrl
+			};
+			const { accessTokenRequest, grant, dpop, clientAttestation, pkceCodeVerifier } = oauth2AuthorizationServer.parseAccessTokenRequest({
+				accessTokenRequest: request.body,
+				request: requestLike
+			});
+			let allowedStates;
+			let query;
+			let parsedRefreshToken;
+			switch (grant.grantType) {
+				case preAuthorizedCodeGrantIdentifier:
+					allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved];
+					query = { preAuthorizedCode: grant.preAuthorizedCode };
+					break;
+				case authorizationCodeGrantIdentifier:
+					allowedStates = [OpenId4VcIssuanceSessionState.AuthorizationGranted];
+					query = { authorizationCode: grant.code };
+					break;
+				case refreshTokenGrantIdentifier:
+					allowedStates = [OpenId4VcIssuanceSessionState.CredentialRequestReceived, OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued];
+					parsedRefreshToken = openId4VcIssuerService.parseRefreshToken(grant.refreshToken);
+					query = {
+						preAuthorizedCode: parsedRefreshToken.preAuthorizedCode,
+						authorizationCode: parsedRefreshToken.issuerState
+					};
+					break;
+				default: throw new Oauth2ServerErrorResponseError({
+					error: Oauth2ErrorCodes.UnsupportedGrantType,
+					error_description: "Unsupported grant type"
+				});
+			}
+			const issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, query);
+			if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidGrant,
+				error_description: "Invalid authorization code"
+			});
+			const expiresAt = issuanceSession.expiresAt ?? utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
+			if (Date.now() > expiresAt.getTime()) {
+				issuanceSession.errorMessage = "Credential offer has expired";
+				await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error);
+				throw new Oauth2ServerErrorResponseError({
+					error: Oauth2ErrorCodes.InvalidGrant,
+					error_description: "Session expired"
+				});
+			}
+			oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, { issuanceSessionId: issuanceSession.id });
+			let verificationResult;
+			if (grant.grantType === preAuthorizedCodeGrantIdentifier) {
+				if (!issuanceSession.preAuthorizedCode) throw new Oauth2ServerErrorResponseError({
+					error: Oauth2ErrorCodes.InvalidGrant,
+					error_description: "Invalid authorization code"
+				}, { internalMessage: "Found issuance session without preAuthorizedCode. This should not happen as the issuance session is fetched based on the pre authorized code" });
+				verificationResult = await oauth2AuthorizationServer.verifyPreAuthorizedCodeAccessTokenRequest({
+					accessTokenRequest,
+					expectedPreAuthorizedCode: issuanceSession.preAuthorizedCode,
+					grant,
+					request: requestLike,
+					authorizationServerMetadata: issuerMetadata.authorizationServers[0],
+					clientAttestation: {
+						...clientAttestation,
+						required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired
+					},
+					dpop: {
+						...dpop,
+						required: issuanceSession.dpop?.required ?? config.dpopRequired
+					},
+					expectedTxCode: issuanceSession.userPin,
+					preAuthorizedCodeExpiresAt: issuanceSession.expiresAt ?? utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)
+				});
+			} else if (grant.grantType === authorizationCodeGrantIdentifier) {
+				if (!issuanceSession.authorization?.code || !issuanceSession.authorization?.codeExpiresAt) throw new Oauth2ServerErrorResponseError({
+					error: Oauth2ErrorCodes.InvalidGrant,
+					error_description: "Invalid authorization code"
+				}, { internalMessage: "Found issuance session without authorization.code or authorization.codeExpiresAt. This should not happen as the issuance session is fetched based on the authorization code" });
+				verificationResult = await oauth2AuthorizationServer.verifyAuthorizationCodeAccessTokenRequest({
+					accessTokenRequest,
+					expectedCode: issuanceSession.authorization.code,
+					codeExpiresAt: issuanceSession.authorization.codeExpiresAt,
+					grant,
+					authorizationServerMetadata: issuerMetadata.authorizationServers[0],
+					request: requestLike,
+					clientAttestation: {
+						...clientAttestation,
+						expectedClientId: issuanceSession.clientId,
+						required: issuanceSession.walletAttestation?.required
+					},
+					dpop: {
+						...dpop,
+						required: issuanceSession.dpop?.required,
+						expectedJwkThumbprint: issuanceSession.dpop?.dpopJkt
+					},
+					pkce: issuanceSession.pkce ? {
+						codeChallenge: issuanceSession.pkce.codeChallenge,
+						codeChallengeMethod: issuanceSession.pkce.codeChallengeMethod,
+						codeVerifier: pkceCodeVerifier
+					} : void 0
+				});
+			} else if (grant.grantType === refreshTokenGrantIdentifier) {
+				if (!parsedRefreshToken) throw new CredoError("Refresh token verification is required for refresh token grant type");
+				verificationResult = await oauth2AuthorizationServer.verifyRefreshTokenAccessTokenRequest({
+					accessTokenRequest,
+					expectedRefreshToken: grant.refreshToken,
+					grant,
+					request: requestLike,
+					authorizationServerMetadata: issuerMetadata.authorizationServers[0],
+					clientAttestation: {
+						...clientAttestation,
+						required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired
+					},
+					dpop: {
+						...dpop,
+						required: issuanceSession.dpop?.required ?? config.dpopRequired
+					},
+					refreshTokenExpiresAt: parsedRefreshToken?.expiresAt
+				});
+				await openId4VcIssuerService.verifyRefreshToken(agentContext, issuer, parsedRefreshToken, { dpop: verificationResult.dpop });
+			} else throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.UnsupportedGrantType,
+				error_description: "Unsupported grant type"
+			});
+			if (grant.grantType !== refreshTokenGrantIdentifier) await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.AccessTokenRequested);
+			const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer);
+			const scopes = grant.grantType === authorizationCodeGrantIdentifier ? issuanceSession.authorization?.scopes : void 0;
+			const subject = `credo:${utils.uuid()}`;
+			const tokenDpop = verificationResult.dpop ? { jwk: verificationResult.dpop?.jwk } : void 0;
+			let refreshToken;
+			if (issuanceSession.generateRefreshTokens && grant.grantType !== refreshTokenGrantIdentifier) refreshToken = await openId4VcIssuerService.createRefreshToken(agentContext, issuer, {
+				preAuthorizedCode: grant.grantType === preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : void 0,
+				issuerState: issuanceSession.authorization?.issuerState,
+				dpop: tokenDpop
+			});
+			const signerJwk = accessTokenSigningKey;
+			const accessTokenResponse = await oauth2AuthorizationServer.createAccessTokenResponse({
+				audience: issuerMetadata.credentialIssuer.credential_issuer,
+				authorizationServer: issuerMetadata.credentialIssuer.credential_issuer,
+				expiresInSeconds: config.accessTokenExpiresInSeconds,
+				signer: {
+					method: "jwk",
+					alg: signerJwk.supportedSignatureAlgorithms[0],
+					publicJwk: signerJwk.toJson()
+				},
+				dpop: tokenDpop,
+				scope: scopes?.join(" "),
+				clientId: issuanceSession.clientId,
+				additionalAccessTokenPayload: {
+					"pre-authorized_code": grant.grantType === preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : parsedRefreshToken?.preAuthorizedCode,
+					issuer_state: issuanceSession.authorization?.issuerState
+				},
+				subject,
+				refreshToken,
+				cNonce,
+				cNonceExpiresIn: cNonceExpiresInSeconds
+			});
+			issuanceSession.authorization = {
+				...issuanceSession.authorization,
+				subject
+			};
+			await openId4VcIssuerService.updateState(agentContext, issuanceSession, grant.grantType === refreshTokenGrantIdentifier ? issuanceSession.state : OpenId4VcIssuanceSessionState.AccessTokenCreated);
+			return sendJsonResponse(response, next, accessTokenResponse);
+		} catch (error) {
+			if (error instanceof Oauth2ServerErrorResponseError) return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error);
+			return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error);
+		}
+	};
+}
+
+//#endregion
+export { configureAccessTokenEndpoint };
+//# sourceMappingURL=accessTokenEndpoint.mjs.map

package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessTokenEndpoint.mjs","names":["allowedStates: OpenId4VcIssuanceSessionState[]","query: Query<OpenId4VcIssuanceSessionRecord>","parsedRefreshToken: ReturnType<OpenId4VcIssuerService['parseRefreshToken']> | undefined","verificationResult: VerifyAccessTokenRequestReturn","refreshToken: string | undefined"],"sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"sourcesContent":["import { CredoError, joinUriParts, type Query, utils } from '@credo-ts/core'\nimport type { HttpMethod, Jwk, VerifyAccessTokenRequestReturn } from '@openid4vc/oauth2'\nimport {\n  authorizationCodeGrantIdentifier,\n  Oauth2ErrorCodes,\n  Oauth2ServerErrorResponseError,\n  preAuthorizedCodeGrantIdentifier,\n  refreshTokenGrantIdentifier,\n} from '@openid4vc/oauth2'\nimport type { NextFunction, Response, Router } from 'express'\nimport {\n  getRequestContext,\n  sendJsonResponse,\n  sendOauth2ErrorResponse,\n  sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport { OpenId4VcIssuanceSessionRecord, OpenId4VcIssuanceSessionRepository } from '../repository'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureAccessTokenEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n  router.post(config.accessTokenEndpointPath, handleTokenRequest(config))\n}\n\nexport function handleTokenRequest(config: OpenId4VcIssuerModuleConfig) {\n  return async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => {\n    response.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' })\n    const requestContext = getRequestContext(request)\n    const { agentContext, issuer } = requestContext\n\n    try {\n      const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n      const issuanceSessionRepository = agentContext.dependencyManager.resolve(OpenId4VcIssuanceSessionRepository)\n      const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n      const accessTokenSigningKey = issuer.resolvedAccessTokenPublicJwk\n      let oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext)\n\n      const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n        config.accessTokenEndpointPath,\n      ])\n      const requestLike = {\n        headers: new Headers(request.headers as Record<string, string>),\n        method: request.method as HttpMethod,\n        url: fullRequestUrl,\n      } as const\n\n      const { accessTokenRequest, grant, dpop, clientAttestation, pkceCodeVerifier } =\n        oauth2AuthorizationServer.parseAccessTokenRequest({\n          accessTokenRequest: request.body,\n          request: requestLike,\n        })\n\n      let allowedStates: OpenId4VcIssuanceSessionState[]\n      let query: Query<OpenId4VcIssuanceSessionRecord>\n      let parsedRefreshToken: ReturnType<OpenId4VcIssuerService['parseRefreshToken']> | undefined\n\n      switch (grant.grantType) {\n        case preAuthorizedCodeGrantIdentifier:\n          allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved]\n          query = { preAuthorizedCode: grant.preAuthorizedCode }\n          break\n        case authorizationCodeGrantIdentifier:\n          allowedStates = [OpenId4VcIssuanceSessionState.AuthorizationGranted]\n          query = { authorizationCode: grant.code }\n          break\n        case refreshTokenGrantIdentifier:\n          allowedStates = [\n            OpenId4VcIssuanceSessionState.CredentialRequestReceived,\n            OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued,\n          ]\n          parsedRefreshToken = openId4VcIssuerService.parseRefreshToken(grant.refreshToken)\n          query = {\n            preAuthorizedCode: parsedRefreshToken.preAuthorizedCode,\n            authorizationCode: parsedRefreshToken.issuerState,\n          }\n          break\n        default:\n          throw new Oauth2ServerErrorResponseError({\n            error: Oauth2ErrorCodes.UnsupportedGrantType,\n            error_description: 'Unsupported grant type',\n          })\n      }\n\n      const issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, query)\n      if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) {\n        throw new Oauth2ServerErrorResponseError({\n          error: Oauth2ErrorCodes.InvalidGrant,\n          error_description: 'Invalid authorization code',\n        })\n      }\n\n      const expiresAt =\n        issuanceSession.expiresAt ??\n        utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)\n\n      if (Date.now() > expiresAt.getTime()) {\n        issuanceSession.errorMessage = 'Credential offer has expired'\n        await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n        throw new Oauth2ServerErrorResponseError({\n          // What is the best error here?\n          error: Oauth2ErrorCodes.InvalidGrant,\n          error_description: 'Session expired',\n        })\n      }\n\n      oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n        issuanceSessionId: issuanceSession.id,\n      })\n      let verificationResult: VerifyAccessTokenRequestReturn\n\n      if (grant.grantType === preAuthorizedCodeGrantIdentifier) {\n        if (!issuanceSession.preAuthorizedCode) {\n          throw new Oauth2ServerErrorResponseError(\n            {\n              error: Oauth2ErrorCodes.InvalidGrant,\n              error_description: 'Invalid authorization code',\n            },\n            {\n              internalMessage:\n                'Found issuance session without preAuthorizedCode. This should not happen as the issuance session is fetched based on the pre authorized code',\n            }\n          )\n        }\n\n        verificationResult = await oauth2AuthorizationServer.verifyPreAuthorizedCodeAccessTokenRequest({\n          accessTokenRequest,\n          expectedPreAuthorizedCode: issuanceSession.preAuthorizedCode,\n          grant,\n          request: requestLike,\n          authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n          clientAttestation: {\n            ...clientAttestation,\n            // First session config, fall back to global config\n            required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n\n            // NOTE: we might want to enforce this? Not sure\n            // ensureConfirmationKeyMatchesDpopKey: true\n          },\n          dpop: {\n            ...dpop,\n            // First session config, fall back to global config\n            required: issuanceSession.dpop?.required ?? config.dpopRequired,\n          },\n          expectedTxCode: issuanceSession.userPin,\n          preAuthorizedCodeExpiresAt:\n            issuanceSession.expiresAt ??\n            utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds),\n        })\n      } else if (grant.grantType === authorizationCodeGrantIdentifier) {\n        if (!issuanceSession.authorization?.code || !issuanceSession.authorization?.codeExpiresAt) {\n          throw new Oauth2ServerErrorResponseError(\n            {\n              error: Oauth2ErrorCodes.InvalidGrant,\n              error_description: 'Invalid authorization code',\n            },\n            {\n              internalMessage:\n                'Found issuance session without authorization.code or authorization.codeExpiresAt. This should not happen as the issuance session is fetched based on the authorization code',\n            }\n          )\n        }\n        verificationResult = await oauth2AuthorizationServer.verifyAuthorizationCodeAccessTokenRequest({\n          accessTokenRequest,\n          expectedCode: issuanceSession.authorization.code,\n          codeExpiresAt: issuanceSession.authorization.codeExpiresAt,\n          grant,\n          authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n          request: requestLike,\n          clientAttestation: {\n            ...clientAttestation,\n\n            // Ensure it matches the previously provided client id\n            // FIXME: we don't verify that the attestation is issued by the same party\n            expectedClientId: issuanceSession.clientId,\n\n            // NOTE: we don't look at the global config here. As we already checked and\n            // set required to true previously if client attestations were provided or required.\n            required: issuanceSession.walletAttestation?.required,\n\n            // NOTE: we might want to enforce this? Not sure\n            // ensureConfirmationKeyMatchesDpopKey: true\n          },\n          dpop: {\n            ...dpop,\n            // NOTE: we don't look at the global config here. As we already checked and\n            // set required to true previously if client attestations were provided or required.\n            required: issuanceSession.dpop?.required,\n\n            // Ensure it matches previously provided jwk thumbprint\n            expectedJwkThumbprint: issuanceSession.dpop?.dpopJkt,\n          },\n          pkce: issuanceSession.pkce\n            ? {\n                codeChallenge: issuanceSession.pkce.codeChallenge,\n                codeChallengeMethod: issuanceSession.pkce.codeChallengeMethod,\n                codeVerifier: pkceCodeVerifier,\n              }\n            : undefined,\n        })\n      } else if (grant.grantType === refreshTokenGrantIdentifier) {\n        if (!parsedRefreshToken) {\n          throw new CredoError('Refresh token verification is required for refresh token grant type')\n        }\n\n        verificationResult = await oauth2AuthorizationServer.verifyRefreshTokenAccessTokenRequest({\n          accessTokenRequest,\n          // Refresh token validity is already checked before\n          expectedRefreshToken: grant.refreshToken,\n          grant,\n          request: requestLike,\n          authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n          clientAttestation: {\n            ...clientAttestation,\n            // First session config, fall back to global config\n            required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n\n            // NOTE: we might want to enforce this? Not sure\n            // ensureConfirmationKeyMatchesDpopKey: true\n          },\n          dpop: {\n            ...dpop,\n            // First session config, fall back to global config\n            required: issuanceSession.dpop?.required ?? config.dpopRequired,\n          },\n          refreshTokenExpiresAt: parsedRefreshToken?.expiresAt,\n        })\n\n        await openId4VcIssuerService.verifyRefreshToken(agentContext, issuer, parsedRefreshToken, {\n          dpop: verificationResult.dpop,\n        })\n      } else {\n        throw new Oauth2ServerErrorResponseError({\n          error: Oauth2ErrorCodes.UnsupportedGrantType,\n          error_description: 'Unsupported grant type',\n        })\n      }\n\n      // Do not update the session state if the grant type is refresh token. This\n      // avoids the session state going \"backwards\".\n      if (grant.grantType !== refreshTokenGrantIdentifier) {\n        await openId4VcIssuerService.updateState(\n          agentContext,\n          issuanceSession,\n          OpenId4VcIssuanceSessionState.AccessTokenRequested\n        )\n      }\n\n      const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer)\n\n      // for authorization code flow we take the authorization scopes. For pre-auth we don't use scopes (we just\n      // use the offered credential configuration ids so a scope is not required)\n      const scopes =\n        grant.grantType === authorizationCodeGrantIdentifier ? issuanceSession.authorization?.scopes : undefined\n      const subject = `credo:${utils.uuid()}`\n\n      const tokenDpop = verificationResult.dpop\n        ? {\n            jwk: verificationResult.dpop?.jwk,\n          }\n        : undefined\n\n      // Generate a refresh token if they're enabled in the config and the grant type is not refresh token\n      let refreshToken: string | undefined\n      if (issuanceSession.generateRefreshTokens && grant.grantType !== refreshTokenGrantIdentifier) {\n        refreshToken = await openId4VcIssuerService.createRefreshToken(agentContext, issuer, {\n          preAuthorizedCode: grant.grantType === preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : undefined,\n          issuerState: issuanceSession.authorization?.issuerState,\n          dpop: tokenDpop,\n        })\n      }\n\n      const signerJwk = accessTokenSigningKey\n      const accessTokenResponse = await oauth2AuthorizationServer.createAccessTokenResponse({\n        audience: issuerMetadata.credentialIssuer.credential_issuer,\n        authorizationServer: issuerMetadata.credentialIssuer.credential_issuer,\n        expiresInSeconds: config.accessTokenExpiresInSeconds,\n        signer: {\n          method: 'jwk',\n          alg: signerJwk.supportedSignatureAlgorithms[0],\n          publicJwk: signerJwk.toJson() as Jwk,\n        },\n        dpop: tokenDpop,\n        scope: scopes?.join(' '),\n        clientId: issuanceSession.clientId,\n\n        additionalAccessTokenPayload: {\n          'pre-authorized_code':\n            grant.grantType === preAuthorizedCodeGrantIdentifier\n              ? grant.preAuthorizedCode\n              : parsedRefreshToken?.preAuthorizedCode,\n          issuer_state: issuanceSession.authorization?.issuerState,\n        },\n        // We generate a random subject for each access token and bind the issuance session to this.\n        subject,\n\n        refreshToken,\n\n        // NOTE: these have been removed in newer drafts. Keeping them in for now\n        cNonce,\n        cNonceExpiresIn: cNonceExpiresInSeconds,\n      })\n\n      issuanceSession.authorization = {\n        ...issuanceSession.authorization,\n        subject,\n      }\n\n      await openId4VcIssuerService.updateState(\n        agentContext,\n        issuanceSession,\n        // Retain the current session state when refreshing the access token.\n        grant.grantType === refreshTokenGrantIdentifier\n          ? issuanceSession.state\n          : OpenId4VcIssuanceSessionState.AccessTokenCreated\n      )\n\n      return sendJsonResponse(response, next, accessTokenResponse)\n    } catch (error) {\n      if (error instanceof Oauth2ServerErrorResponseError) {\n        return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n      }\n\n      return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;AAsBA,SAAgB,6BAA6B,QAAgB,QAAqC;AAChG,QAAO,KAAK,OAAO,yBAAyB,mBAAmB,OAAO,CAAC;;AAGzE,SAAgB,mBAAmB,QAAqC;AACtE,QAAO,OAAO,SAAmC,UAAoB,SAAuB;AAC1F,WAAS,IAAI;GAAE,iBAAiB;GAAY,QAAQ;GAAY,CAAC;EAEjE,MAAM,EAAE,cAAc,WADC,kBAAkB,QAAQ;AAGjD,MAAI;GACF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,4BAA4B,aAAa,kBAAkB,QAAQ,mCAAmC;GAC5G,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;GAC3F,MAAM,wBAAwB,OAAO;GACrC,IAAI,4BAA4B,uBAAuB,6BAA6B,aAAa;GAEjG,MAAM,iBAAiB,aAAa,eAAe,iBAAiB,mBAAmB,CACrF,OAAO,wBACR,CAAC;GACF,MAAM,cAAc;IAClB,SAAS,IAAI,QAAQ,QAAQ,QAAkC;IAC/D,QAAQ,QAAQ;IAChB,KAAK;IACN;GAED,MAAM,EAAE,oBAAoB,OAAO,MAAM,mBAAmB,qBAC1D,0BAA0B,wBAAwB;IAChD,oBAAoB,QAAQ;IAC5B,SAAS;IACV,CAAC;GAEJ,IAAIA;GACJ,IAAIC;GACJ,IAAIC;AAEJ,WAAQ,MAAM,WAAd;IACE,KAAK;AACH,qBAAgB,CAAC,8BAA8B,cAAc,8BAA8B,kBAAkB;AAC7G,aAAQ,EAAE,mBAAmB,MAAM,mBAAmB;AACtD;IACF,KAAK;AACH,qBAAgB,CAAC,8BAA8B,qBAAqB;AACpE,aAAQ,EAAE,mBAAmB,MAAM,MAAM;AACzC;IACF,KAAK;AACH,qBAAgB,CACd,8BAA8B,2BAC9B,8BAA8B,2BAC/B;AACD,0BAAqB,uBAAuB,kBAAkB,MAAM,aAAa;AACjF,aAAQ;MACN,mBAAmB,mBAAmB;MACtC,mBAAmB,mBAAmB;MACvC;AACD;IACF,QACE,OAAM,IAAI,+BAA+B;KACvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;;GAGN,MAAM,kBAAkB,MAAM,0BAA0B,kBAAkB,cAAc,MAAM;AAC9F,OAAI,CAAC,mBAAmB,CAAC,cAAc,SAAS,gBAAgB,MAAM,CACpE,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;GAGJ,MAAM,YACJ,gBAAgB,aAChB,MAAM,iBAAiB,gBAAgB,WAAW,OAAO,2CAA2C;AAEtG,OAAI,KAAK,KAAK,GAAG,UAAU,SAAS,EAAE;AACpC,oBAAgB,eAAe;AAC/B,UAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;AAC5G,UAAM,IAAI,+BAA+B;KAEvC,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,CAAC;;AAGJ,+BAA4B,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;GACF,IAAIC;AAEJ,OAAI,MAAM,cAAc,kCAAkC;AACxD,QAAI,CAAC,gBAAgB,kBACnB,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EACE,iBACE,gJACH,CACF;AAGH,yBAAqB,MAAM,0BAA0B,0CAA0C;KAC7F;KACA,2BAA2B,gBAAgB;KAC3C;KACA,SAAS;KACT,6BAA6B,eAAe,qBAAqB;KACjE,mBAAmB;MACjB,GAAG;MAEH,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;MAIjE;KACD,MAAM;MACJ,GAAG;MAEH,UAAU,gBAAgB,MAAM,YAAY,OAAO;MACpD;KACD,gBAAgB,gBAAgB;KAChC,4BACE,gBAAgB,aAChB,MAAM,iBAAiB,gBAAgB,WAAW,OAAO,2CAA2C;KACvG,CAAC;cACO,MAAM,cAAc,kCAAkC;AAC/D,QAAI,CAAC,gBAAgB,eAAe,QAAQ,CAAC,gBAAgB,eAAe,cAC1E,OAAM,IAAI,+BACR;KACE,OAAO,iBAAiB;KACxB,mBAAmB;KACpB,EACD,EACE,iBACE,+KACH,CACF;AAEH,yBAAqB,MAAM,0BAA0B,0CAA0C;KAC7F;KACA,cAAc,gBAAgB,cAAc;KAC5C,eAAe,gBAAgB,cAAc;KAC7C;KACA,6BAA6B,eAAe,qBAAqB;KACjE,SAAS;KACT,mBAAmB;MACjB,GAAG;MAIH,kBAAkB,gBAAgB;MAIlC,UAAU,gBAAgB,mBAAmB;MAI9C;KACD,MAAM;MACJ,GAAG;MAGH,UAAU,gBAAgB,MAAM;MAGhC,uBAAuB,gBAAgB,MAAM;MAC9C;KACD,MAAM,gBAAgB,OAClB;MACE,eAAe,gBAAgB,KAAK;MACpC,qBAAqB,gBAAgB,KAAK;MAC1C,cAAc;MACf,GACD;KACL,CAAC;cACO,MAAM,cAAc,6BAA6B;AAC1D,QAAI,CAAC,mBACH,OAAM,IAAI,WAAW,sEAAsE;AAG7F,yBAAqB,MAAM,0BAA0B,qCAAqC;KACxF;KAEA,sBAAsB,MAAM;KAC5B;KACA,SAAS;KACT,6BAA6B,eAAe,qBAAqB;KACjE,mBAAmB;MACjB,GAAG;MAEH,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;MAIjE;KACD,MAAM;MACJ,GAAG;MAEH,UAAU,gBAAgB,MAAM,YAAY,OAAO;MACpD;KACD,uBAAuB,oBAAoB;KAC5C,CAAC;AAEF,UAAM,uBAAuB,mBAAmB,cAAc,QAAQ,oBAAoB,EACxF,MAAM,mBAAmB,MAC1B,CAAC;SAEF,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;AAKJ,OAAI,MAAM,cAAc,4BACtB,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,qBAC/B;GAGH,MAAM,EAAE,QAAQ,2BAA2B,MAAM,uBAAuB,YAAY,cAAc,OAAO;GAIzG,MAAM,SACJ,MAAM,cAAc,mCAAmC,gBAAgB,eAAe,SAAS;GACjG,MAAM,UAAU,SAAS,MAAM,MAAM;GAErC,MAAM,YAAY,mBAAmB,OACjC,EACE,KAAK,mBAAmB,MAAM,KAC/B,GACD;GAGJ,IAAIC;AACJ,OAAI,gBAAgB,yBAAyB,MAAM,cAAc,4BAC/D,gBAAe,MAAM,uBAAuB,mBAAmB,cAAc,QAAQ;IACnF,mBAAmB,MAAM,cAAc,mCAAmC,MAAM,oBAAoB;IACpG,aAAa,gBAAgB,eAAe;IAC5C,MAAM;IACP,CAAC;GAGJ,MAAM,YAAY;GAClB,MAAM,sBAAsB,MAAM,0BAA0B,0BAA0B;IACpF,UAAU,eAAe,iBAAiB;IAC1C,qBAAqB,eAAe,iBAAiB;IACrD,kBAAkB,OAAO;IACzB,QAAQ;KACN,QAAQ;KACR,KAAK,UAAU,6BAA6B;KAC5C,WAAW,UAAU,QAAQ;KAC9B;IACD,MAAM;IACN,OAAO,QAAQ,KAAK,IAAI;IACxB,UAAU,gBAAgB;IAE1B,8BAA8B;KAC5B,uBACE,MAAM,cAAc,mCAChB,MAAM,oBACN,oBAAoB;KAC1B,cAAc,gBAAgB,eAAe;KAC9C;IAED;IAEA;IAGA;IACA,iBAAiB;IAClB,CAAC;AAEF,mBAAgB,gBAAgB;IAC9B,GAAG,gBAAgB;IACnB;IACD;AAED,SAAM,uBAAuB,YAC3B,cACA,iBAEA,MAAM,cAAc,8BAChB,gBAAgB,QAChB,8BAA8B,mBACnC;AAED,UAAO,iBAAiB,UAAU,MAAM,oBAAoB;WACrD,OAAO;AACd,OAAI,iBAAiB,+BACnB,QAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAGnF,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM"}