npm - @credo-ts/openid4vc - Versions diffs - 0.6.1-pr-2091-20241119140918 → 0.6.1 - Mend

@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (409) hide show

package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs ADDED Viewed

@@ -0,0 +1,38 @@
+import { getRequestContext, sendErrorResponse, sendJsonResponse, sendNotFoundResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
+import "../../shared/router/index.mjs";
+import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
+import { OpenId4VcIssuanceSessionRepository } from "../repository/OpenId4VcIssuanceSessionRepository.mjs";
+import "../repository/index.mjs";
+import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
+import { joinUriParts, utils } from "@credo-ts/core";
+//#region src/openid4vc-issuer/router/credentialOfferEndpoint.ts
+function configureCredentialOfferEndpoint(router, config) {
+	router.get(joinUriParts(config.credentialOfferEndpointPath, [":credentialOfferId"]), async (request, response, next) => {
+		const { agentContext, issuer } = getRequestContext(request);
+		if (!request.params.credentialOfferId || typeof request.params.credentialOfferId !== "string") return sendErrorResponse(response, next, agentContext.config.logger, 400, "invalid_request", "Invalid credential offer url");
+		try {
+			const issuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService);
+			const issuerMetadata = await issuerService.getIssuerMetadata(agentContext, issuer);
+			const openId4VcIssuanceSessionRepository = agentContext.dependencyManager.resolve(OpenId4VcIssuanceSessionRepository);
+			const fullCredentialOfferUri = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [config.credentialOfferEndpointPath, request.params.credentialOfferId]);
+			const openId4VcIssuanceSession = await openId4VcIssuanceSessionRepository.findSingleByQuery(agentContext, {
+				issuerId: issuer.issuerId,
+				credentialOfferUri: fullCredentialOfferUri,
+				$or: [{ credentialOfferId: request.params.credentialOfferId }, { credentialOfferUri: fullCredentialOfferUri }]
+			});
+			if (!openId4VcIssuanceSession) return sendNotFoundResponse(response, next, agentContext.config.logger, "Credential offer not found");
+			if (openId4VcIssuanceSession.state !== OpenId4VcIssuanceSessionState.OfferCreated && openId4VcIssuanceSession.state !== OpenId4VcIssuanceSessionState.OfferUriRetrieved) return sendNotFoundResponse(response, next, agentContext.config.logger, "Invalid state for credential offer");
+			const expiresAt = openId4VcIssuanceSession.expiresAt ?? utils.addSecondsToDate(openId4VcIssuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
+			if (Date.now() > expiresAt.getTime()) return sendNotFoundResponse(response, next, agentContext.config.logger, "Session expired");
+			if (openId4VcIssuanceSession.state !== OpenId4VcIssuanceSessionState.OfferUriRetrieved) await issuerService.updateState(agentContext, openId4VcIssuanceSession, OpenId4VcIssuanceSessionState.OfferUriRetrieved);
+			return sendJsonResponse(response, next, openId4VcIssuanceSession.credentialOfferPayload);
+		} catch (error) {
+			return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error);
+		}
+	});
+}
+//#endregion
+export { configureCredentialOfferEndpoint };
+//# sourceMappingURL=credentialOfferEndpoint.mjs.map

package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"credentialOfferEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/credentialOfferEndpoint.ts"],"sourcesContent":["import { joinUriParts, utils } from '@credo-ts/core'\nimport type { Response, Router } from 'express'\nimport {\n getRequestContext,\n sendErrorResponse,\n sendJsonResponse,\n sendNotFoundResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport { OpenId4VcIssuanceSessionRepository } from '../repository'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureCredentialOfferEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.get(\n joinUriParts(config.credentialOfferEndpointPath, [':credentialOfferId']),\n async (request: OpenId4VcIssuanceRequest, response: Response, next) => {\n const { agentContext, issuer } = getRequestContext(request)\n\n if (!request.params.credentialOfferId || typeof request.params.credentialOfferId !== 'string') {\n return sendErrorResponse(\n response,\n next,\n agentContext.config.logger,\n 400,\n 'invalid_request',\n 'Invalid credential offer url'\n )\n }\n\n try {\n const issuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await issuerService.getIssuerMetadata(agentContext, issuer)\n const openId4VcIssuanceSessionRepository = agentContext.dependencyManager.resolve(\n OpenId4VcIssuanceSessionRepository\n )\n\n const fullCredentialOfferUri = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n config.credentialOfferEndpointPath,\n request.params.credentialOfferId,\n ])\n\n const openId4VcIssuanceSession = await openId4VcIssuanceSessionRepository.findSingleByQuery(agentContext, {\n issuerId: issuer.issuerId,\n credentialOfferUri: fullCredentialOfferUri,\n $or: [\n {\n credentialOfferId: request.params.credentialOfferId,\n },\n // NOTE: this can soon be removed, credential offer id is cleaner,\n // but only introduced since 0.6\n {\n credentialOfferUri: fullCredentialOfferUri,\n },\n ],\n })\n if (!openId4VcIssuanceSession) {\n return sendNotFoundResponse(response, next, agentContext.config.logger, 'Credential offer not found')\n }\n\n if (\n openId4VcIssuanceSession.state !== OpenId4VcIssuanceSessionState.OfferCreated &&\n openId4VcIssuanceSession.state !== OpenId4VcIssuanceSessionState.OfferUriRetrieved\n ) {\n return sendNotFoundResponse(response, next, agentContext.config.logger, 'Invalid state for credential offer')\n }\n\n const expiresAt =\n openId4VcIssuanceSession.expiresAt ??\n utils.addSecondsToDate(openId4VcIssuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)\n\n if (Date.now() > expiresAt.getTime()) {\n return sendNotFoundResponse(response, next, agentContext.config.logger, 'Session expired')\n }\n\n // It's okay to retrieve the offer multiple times. So we only update the state if it's not already retrieved\n if (openId4VcIssuanceSession.state !== OpenId4VcIssuanceSessionState.OfferUriRetrieved) {\n await issuerService.updateState(\n agentContext,\n openId4VcIssuanceSession,\n OpenId4VcIssuanceSessionState.OfferUriRetrieved\n )\n }\n\n return sendJsonResponse(response, next, openId4VcIssuanceSession.credentialOfferPayload)\n } catch (error) {\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n )\n}\n"],"mappings":";;;;;;;;;AAeA,SAAgB,iCAAiC,QAAgB,QAAqC;AACpG,QAAO,IACL,aAAa,OAAO,6BAA6B,CAAC,qBAAqB,CAAC,EACxE,OAAO,SAAmC,UAAoB,SAAS;EACrE,MAAM,EAAE,cAAc,WAAW,kBAAkB,QAAQ;AAE3D,MAAI,CAAC,QAAQ,OAAO,qBAAqB,OAAO,QAAQ,OAAO,sBAAsB,SACnF,QAAO,kBACL,UACA,MACA,aAAa,OAAO,QACpB,KACA,mBACA,+BACD;AAGH,MAAI;GACF,MAAM,gBAAgB,aAAa,kBAAkB,QAAQ,uBAAuB;GACpF,MAAM,iBAAiB,MAAM,cAAc,kBAAkB,cAAc,OAAO;GAClF,MAAM,qCAAqC,aAAa,kBAAkB,QACxE,mCACD;GAED,MAAM,yBAAyB,aAAa,eAAe,iBAAiB,mBAAmB,CAC7F,OAAO,6BACP,QAAQ,OAAO,kBAChB,CAAC;GAEF,MAAM,2BAA2B,MAAM,mCAAmC,kBAAkB,cAAc;IACxG,UAAU,OAAO;IACjB,oBAAoB;IACpB,KAAK,CACH,EACE,mBAAmB,QAAQ,OAAO,mBACnC,EAGD,EACE,oBAAoB,wBACrB,CACF;IACF,CAAC;AACF,OAAI,CAAC,yBACH,QAAO,qBAAqB,UAAU,MAAM,aAAa,OAAO,QAAQ,6BAA6B;AAGvG,OACE,yBAAyB,UAAU,8BAA8B,gBACjE,yBAAyB,UAAU,8BAA8B,kBAEjE,QAAO,qBAAqB,UAAU,MAAM,aAAa,OAAO,QAAQ,qCAAqC;GAG/G,MAAM,YACJ,yBAAyB,aACzB,MAAM,iBAAiB,yBAAyB,WAAW,OAAO,2CAA2C;AAE/G,OAAI,KAAK,KAAK,GAAG,UAAU,SAAS,CAClC,QAAO,qBAAqB,UAAU,MAAM,aAAa,OAAO,QAAQ,kBAAkB;AAI5F,OAAI,yBAAyB,UAAU,8BAA8B,kBACnE,OAAM,cAAc,YAClB,cACA,0BACA,8BAA8B,kBAC/B;AAGH,UAAO,iBAAiB,UAAU,MAAM,yBAAyB,uBAAuB;WACjF,OAAO;AACd,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;GAG7F"}

package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs ADDED Viewed

@@ -0,0 +1,84 @@
+import { getRequestContext, sendJsonResponse, sendOauth2ErrorResponse, sendUnauthorizedError, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
+import "../../shared/router/index.mjs";
+import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
+import { OpenId4VcIssuanceSessionRepository } from "../repository/OpenId4VcIssuanceSessionRepository.mjs";
+import "../repository/index.mjs";
+import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
+import { joinUriParts, utils } from "@credo-ts/core";
+import { Oauth2ErrorCodes, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError } from "@openid4vc/oauth2";
+//#region src/openid4vc-issuer/router/deferredCredentialEndpoint.ts
+function configureDeferredCredentialEndpoint(router, config) {
+	router.post(config.deferredCredentialEndpointPath, async (request, response, next) => {
+		const { agentContext, issuer } = getRequestContext(request);
+		const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService);
+		const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer, true);
+		const vcIssuer = openId4VcIssuerService.getIssuer(agentContext);
+		const resourceServer = openId4VcIssuerService.getResourceServer(agentContext, issuer);
+		const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [config.deferredCredentialEndpointPath]);
+		const resourceRequestResult = await resourceServer.verifyResourceRequest({
+			authorizationServers: issuerMetadata.authorizationServers,
+			resourceServer: issuerMetadata.credentialIssuer.credential_issuer,
+			request: {
+				headers: new Headers(request.headers),
+				method: request.method,
+				url: fullRequestUrl
+			}
+		}).catch((error) => {
+			sendUnauthorizedError(response, next, agentContext.config.logger, error);
+		});
+		if (!resourceRequestResult) return;
+		const { tokenPayload, accessToken, scheme, authorizationServer } = resourceRequestResult;
+		const deferredCredentialRequest = request.body;
+		const issuanceSessionRepository = agentContext.dependencyManager.resolve(OpenId4VcIssuanceSessionRepository);
+		const parsedCredentialRequest = vcIssuer.parseDeferredCredentialRequest({ deferredCredentialRequest });
+		const preAuthorizedCode = typeof tokenPayload["pre-authorized_code"] === "string" ? tokenPayload["pre-authorized_code"] : void 0;
+		const issuerState = typeof tokenPayload.issuer_state === "string" ? tokenPayload.issuer_state : void 0;
+		if (!tokenPayload.sub) return sendOauth2ErrorResponse(response, next, agentContext.config.logger, new Oauth2ServerErrorResponseError({ error: Oauth2ErrorCodes.ServerError }, { internalMessage: `Received token without 'sub' claim. Subject is required for binding issuance session` }));
+		if (!issuerState && !preAuthorizedCode) return sendOauth2ErrorResponse(response, next, agentContext.config.logger, new Oauth2ServerErrorResponseError({ error: Oauth2ErrorCodes.InvalidRequest }, { internalMessage: `Received deferred credential request without 'pre-authorized_code' or 'issuer_state' claim. At least one of these claims is required to identify the issuance session` }));
+		const issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, {
+			preAuthorizedCode,
+			issuerState
+		});
+		if (!issuanceSession || !issuanceSession.transactions?.find((tx) => tx.transactionId === parsedCredentialRequest.deferredCredentialRequest.transaction_id)) {
+			agentContext.config.logger.warn(`No issuance session found for incoming deferred credential request for issuer ${issuer.issuerId} but access token data has ${issuerState ? "issuer_state" : "pre-authorized_code"}. Returning error response`, { tokenPayload });
+			return sendOauth2ErrorResponse(response, next, agentContext.config.logger, new Oauth2ServerErrorResponseError({ error: Oauth2ErrorCodes.InvalidTransactionId }, { internalMessage: `No issuance session found for incoming credential request for issuer ${issuer.issuerId}, access token data and transaction id` }));
+		}
+		if (issuanceSession.dpop?.required && !resourceRequestResult.dpop) return sendUnauthorizedError(response, next, agentContext.config.logger, new Oauth2ResourceUnauthorizedError("Missing required DPoP proof", {
+			scheme,
+			error: Oauth2ErrorCodes.InvalidDpopProof
+		}));
+		if (issuanceSession.authorization?.subject && issuanceSession.authorization.subject !== tokenPayload.sub) return sendOauth2ErrorResponse(response, next, agentContext.config.logger, new Oauth2ServerErrorResponseError({ error: Oauth2ErrorCodes.CredentialRequestDenied }, { internalMessage: `Issuance session authorization subject does not match with the token payload subject for issuance session '${issuanceSession.id}'. Returning error response` }));
+		const expiresAt = issuanceSession.expiresAt ?? utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds);
+		if (Date.now() > expiresAt.getTime()) {
+			issuanceSession.errorMessage = "Credential offer has expired";
+			await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error);
+			return sendOauth2ErrorResponse(response, next, agentContext.config.logger, new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.CredentialRequestDenied,
+				error_description: "Session expired"
+			}));
+		}
+		try {
+			const { deferredCredentialResponse } = await openId4VcIssuerService.createDeferredCredentialResponse(agentContext, {
+				issuanceSession,
+				deferredCredentialRequest: parsedCredentialRequest.deferredCredentialRequest,
+				authorization: {
+					authorizationServer,
+					accessToken: {
+						payload: tokenPayload,
+						value: accessToken
+					}
+				}
+			});
+			return sendJsonResponse(response, next, deferredCredentialResponse, void 0, deferredCredentialResponse.interval ? 202 : 200);
+		} catch (error) {
+			if (error instanceof Oauth2ServerErrorResponseError) return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error);
+			if (error instanceof Oauth2ResourceUnauthorizedError) return sendUnauthorizedError(response, next, agentContext.config.logger, error);
+			return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error);
+		}
+	});
+}
+//#endregion
+export { configureDeferredCredentialEndpoint };
+//# sourceMappingURL=deferredCredentialEndpoint.mjs.map

package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"deferredCredentialEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/deferredCredentialEndpoint.ts"],"sourcesContent":["import { joinUriParts, utils } from '@credo-ts/core'\nimport type { HttpMethod } from '@openid4vc/oauth2'\nimport { Oauth2ErrorCodes, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Response, Router } from 'express'\nimport {\n getRequestContext,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnauthorizedError,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport { OpenId4VcIssuanceSessionRepository } from '../repository'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureDeferredCredentialEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.post(\n config.deferredCredentialEndpointPath,\n async (request: OpenId4VcIssuanceRequest, response: Response, next) => {\n const { agentContext, issuer } = getRequestContext(request)\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer, true)\n const vcIssuer = openId4VcIssuerService.getIssuer(agentContext)\n const resourceServer = openId4VcIssuerService.getResourceServer(agentContext, issuer)\n\n const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n config.deferredCredentialEndpointPath,\n ])\n\n const resourceRequestResult = await resourceServer\n .verifyResourceRequest({\n authorizationServers: issuerMetadata.authorizationServers,\n resourceServer: issuerMetadata.credentialIssuer.credential_issuer,\n request: {\n headers: new Headers(request.headers as Record<string, string>),\n method: request.method as HttpMethod,\n url: fullRequestUrl,\n },\n })\n .catch((error) => {\n sendUnauthorizedError(response, next, agentContext.config.logger, error)\n })\n\n if (!resourceRequestResult) return\n const { tokenPayload, accessToken, scheme, authorizationServer } = resourceRequestResult\n\n const deferredCredentialRequest = request.body\n const issuanceSessionRepository = agentContext.dependencyManager.resolve(OpenId4VcIssuanceSessionRepository)\n\n const parsedCredentialRequest = vcIssuer.parseDeferredCredentialRequest({\n deferredCredentialRequest,\n })\n\n const preAuthorizedCode =\n typeof tokenPayload['pre-authorized_code'] === 'string' ? tokenPayload['pre-authorized_code'] : undefined\n const issuerState = typeof tokenPayload.issuer_state === 'string' ? tokenPayload.issuer_state : undefined\n\n const subject = tokenPayload.sub\n if (!subject) {\n return sendOauth2ErrorResponse(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage: `Received token without 'sub' claim. Subject is required for binding issuance session`,\n }\n )\n )\n }\n\n if (!issuerState && !preAuthorizedCode) {\n return sendOauth2ErrorResponse(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n },\n {\n internalMessage: `Received deferred credential request without 'pre-authorized_code' or 'issuer_state' claim. At least one of these claims is required to identify the issuance session`,\n }\n )\n )\n }\n\n const issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, {\n preAuthorizedCode,\n issuerState,\n })\n\n if (\n !issuanceSession ||\n !issuanceSession.transactions?.find(\n (tx) => tx.transactionId === parsedCredentialRequest.deferredCredentialRequest.transaction_id\n )\n ) {\n agentContext.config.logger.warn(\n `No issuance session found for incoming deferred credential request for issuer ${\n issuer.issuerId\n } but access token data has ${\n issuerState ? 'issuer_state' : 'pre-authorized_code'\n }. Returning error response`,\n {\n tokenPayload,\n }\n )\n\n return sendOauth2ErrorResponse(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidTransactionId,\n },\n {\n internalMessage: `No issuance session found for incoming credential request for issuer ${issuer.issuerId}, access token data and transaction id`,\n }\n )\n )\n }\n\n // Use issuance session dpop config\n if (issuanceSession.dpop?.required && !resourceRequestResult.dpop) {\n return sendUnauthorizedError(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ResourceUnauthorizedError('Missing required DPoP proof', {\n scheme,\n error: Oauth2ErrorCodes.InvalidDpopProof,\n })\n )\n }\n\n // Verify the issuance session subject\n if (issuanceSession.authorization?.subject && issuanceSession.authorization.subject !== tokenPayload.sub) {\n return sendOauth2ErrorResponse(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.CredentialRequestDenied,\n },\n {\n internalMessage: `Issuance session authorization subject does not match with the token payload subject for issuance session '${issuanceSession.id}'. Returning error response`,\n }\n )\n )\n }\n\n const expiresAt =\n issuanceSession.expiresAt ??\n utils.addSecondsToDate(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds)\n\n if (Date.now() > expiresAt.getTime()) {\n issuanceSession.errorMessage = 'Credential offer has expired'\n await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.Error)\n return sendOauth2ErrorResponse(\n response,\n next,\n agentContext.config.logger,\n new Oauth2ServerErrorResponseError({\n // What is the best error here?\n error: Oauth2ErrorCodes.CredentialRequestDenied,\n error_description: 'Session expired',\n })\n )\n }\n\n try {\n const { deferredCredentialResponse } = await openId4VcIssuerService.createDeferredCredentialResponse(\n agentContext,\n {\n issuanceSession,\n deferredCredentialRequest: parsedCredentialRequest.deferredCredentialRequest,\n authorization: {\n authorizationServer,\n accessToken: {\n payload: tokenPayload,\n value: accessToken,\n },\n },\n }\n )\n\n return sendJsonResponse(\n response,\n next,\n deferredCredentialResponse,\n undefined,\n deferredCredentialResponse.interval ? 202 : 200\n )\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n if (error instanceof Oauth2ResourceUnauthorizedError) {\n return sendUnauthorizedError(response, next, agentContext.config.logger, error)\n }\n\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n )\n}\n"],"mappings":";;;;;;;;;;AAiBA,SAAgB,oCAAoC,QAAgB,QAAqC;AACvG,QAAO,KACL,OAAO,gCACP,OAAO,SAAmC,UAAoB,SAAS;EACrE,MAAM,EAAE,cAAc,WAAW,kBAAkB,QAAQ;EAC3D,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;EAC7F,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,QAAQ,KAAK;EACjG,MAAM,WAAW,uBAAuB,UAAU,aAAa;EAC/D,MAAM,iBAAiB,uBAAuB,kBAAkB,cAAc,OAAO;EAErF,MAAM,iBAAiB,aAAa,eAAe,iBAAiB,mBAAmB,CACrF,OAAO,+BACR,CAAC;EAEF,MAAM,wBAAwB,MAAM,eACjC,sBAAsB;GACrB,sBAAsB,eAAe;GACrC,gBAAgB,eAAe,iBAAiB;GAChD,SAAS;IACP,SAAS,IAAI,QAAQ,QAAQ,QAAkC;IAC/D,QAAQ,QAAQ;IAChB,KAAK;IACN;GACF,CAAC,CACD,OAAO,UAAU;AAChB,yBAAsB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;IACxE;AAEJ,MAAI,CAAC,sBAAuB;EAC5B,MAAM,EAAE,cAAc,aAAa,QAAQ,wBAAwB;EAEnE,MAAM,4BAA4B,QAAQ;EAC1C,MAAM,4BAA4B,aAAa,kBAAkB,QAAQ,mCAAmC;EAE5G,MAAM,0BAA0B,SAAS,+BAA+B,EACtE,2BACD,CAAC;EAEF,MAAM,oBACJ,OAAO,aAAa,2BAA2B,WAAW,aAAa,yBAAyB;EAClG,MAAM,cAAc,OAAO,aAAa,iBAAiB,WAAW,aAAa,eAAe;AAGhG,MAAI,CADY,aAAa,IAE3B,QAAO,wBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,+BACF,EACE,OAAO,iBAAiB,aACzB,EACD,EACE,iBAAiB,wFAClB,CACF,CACF;AAGH,MAAI,CAAC,eAAe,CAAC,kBACnB,QAAO,wBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,+BACF,EACE,OAAO,iBAAiB,gBACzB,EACD,EACE,iBAAiB,yKAClB,CACF,CACF;EAGH,MAAM,kBAAkB,MAAM,0BAA0B,kBAAkB,cAAc;GACtF;GACA;GACD,CAAC;AAEF,MACE,CAAC,mBACD,CAAC,gBAAgB,cAAc,MAC5B,OAAO,GAAG,kBAAkB,wBAAwB,0BAA0B,eAChF,EACD;AACA,gBAAa,OAAO,OAAO,KACzB,iFACE,OAAO,SACR,6BACC,cAAc,iBAAiB,sBAChC,6BACD,EACE,cACD,CACF;AAED,UAAO,wBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,+BACF,EACE,OAAO,iBAAiB,sBACzB,EACD,EACE,iBAAiB,wEAAwE,OAAO,SAAS,yCAC1G,CACF,CACF;;AAIH,MAAI,gBAAgB,MAAM,YAAY,CAAC,sBAAsB,KAC3D,QAAO,sBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,gCAAgC,+BAA+B;GACjE;GACA,OAAO,iBAAiB;GACzB,CAAC,CACH;AAIH,MAAI,gBAAgB,eAAe,WAAW,gBAAgB,cAAc,YAAY,aAAa,IACnG,QAAO,wBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,+BACF,EACE,OAAO,iBAAiB,yBACzB,EACD,EACE,iBAAiB,8GAA8G,gBAAgB,GAAG,8BACnJ,CACF,CACF;EAGH,MAAM,YACJ,gBAAgB,aAChB,MAAM,iBAAiB,gBAAgB,WAAW,OAAO,2CAA2C;AAEtG,MAAI,KAAK,KAAK,GAAG,UAAU,SAAS,EAAE;AACpC,mBAAgB,eAAe;AAC/B,SAAM,uBAAuB,YAAY,cAAc,iBAAiB,8BAA8B,MAAM;AAC5G,UAAO,wBACL,UACA,MACA,aAAa,OAAO,QACpB,IAAI,+BAA+B;IAEjC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC,CACH;;AAGH,MAAI;GACF,MAAM,EAAE,+BAA+B,MAAM,uBAAuB,iCAClE,cACA;IACE;IACA,2BAA2B,wBAAwB;IACnD,eAAe;KACb;KACA,aAAa;MACX,SAAS;MACT,OAAO;MACR;KACF;IACF,CACF;AAED,UAAO,iBACL,UACA,MACA,4BACA,QACA,2BAA2B,WAAW,MAAM,IAC7C;WACM,OAAO;AACd,OAAI,iBAAiB,+BACnB,QAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAEnF,OAAI,iBAAiB,gCACnB,QAAO,sBAAsB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAGjF,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;GAG7F"}

package/build/openid4vc-issuer/router/index.mjs ADDED Viewed

@@ -0,0 +1,12 @@
+import { configureAccessTokenEndpoint } from "./accessTokenEndpoint.mjs";
+import { configurePushedAuthorizationRequestEndpoint } from "./pushedAuthorizationRequestEndpoint.mjs";
+import { configureAuthorizationChallengeEndpoint } from "./authorizationChallengeEndpoint.mjs";
+import { configureAuthorizationEndpoint } from "./authorizationEndpoint.mjs";
+import { configureOAuthAuthorizationServerMetadataEndpoint } from "./authorizationServerMetadataEndpoint.mjs";
+import { configureCredentialEndpoint } from "./credentialEndpoint.mjs";
+import { configureCredentialOfferEndpoint } from "./credentialOfferEndpoint.mjs";
+import { configureDeferredCredentialEndpoint } from "./deferredCredentialEndpoint.mjs";
+import { configureIssuerMetadataEndpoint } from "./issuerMetadataEndpoint.mjs";
+import { configureJwksEndpoint } from "./jwksEndpoint.mjs";
+import { configureNonceEndpoint } from "./nonceEndpoint.mjs";
+import { configureRedirectEndpoint } from "./redirectEndpoint.mjs";

package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs ADDED Viewed

@@ -0,0 +1,43 @@
+import { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
+import "../../shared/router/index.mjs";
+import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
+import { getAuthorizationServerMetadataFromList } from "@openid4vc/oauth2";
+//#region src/openid4vc-issuer/router/issuerMetadataEndpoint.ts
+function configureIssuerMetadataEndpoint(router, path) {
+	router.get(path, async (request, response, next) => {
+		const { agentContext, issuer } = getRequestContext(request);
+		try {
+			const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService);
+			const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
+			const vcIssuer = openId4VcIssuerService.getIssuer(agentContext);
+			const issuerAuthorizationServer = getAuthorizationServerMetadataFromList(issuerMetadata.authorizationServers, issuerMetadata.credentialIssuer.credential_issuer);
+			const mediaTypeToUse = (request.headers.accept ? parseAcceptHeader(request.headers.accept) : []).find(({ mediaType }) => mediaType === "application/json" || issuerMetadata.signedMetadataJwt && mediaType === "application/jwt")?.mediaType ?? "application/json";
+			const transformedMetadata = {
+				...vcIssuer.getCredentialIssuerMetadataDraft11(issuerMetadata.credentialIssuer),
+				token_endpoint: issuerAuthorizationServer.token_endpoint,
+				dpop_signing_alg_values_supported: issuerAuthorizationServer.dpop_signing_alg_values_supported
+			};
+			if (issuerMetadata.signedMetadataJwt && mediaTypeToUse === "application/jwt") response.type("application/jwt").status(200).send(issuerMetadata.signedMetadataJwt);
+			else return sendJsonResponse(response, next, transformedMetadata);
+		} catch (e) {
+			return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, e);
+		}
+	});
+}
+function parseAcceptHeader(header) {
+	return header.split(",").map((type) => {
+		const [mediaType, ...params] = type.trim().split(";");
+		let quality = 1;
+		const qParam = params.find((p) => p.trim().startsWith("q="));
+		if (qParam) quality = parseFloat(qParam.split("=")[1]) || 1;
+		return {
+			mediaType: mediaType.trim(),
+			quality
+		};
+	}).sort((a, b) => b.quality - a.quality);
+}
+//#endregion
+export { configureIssuerMetadataEndpoint };
+//# sourceMappingURL=issuerMetadataEndpoint.mjs.map

package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"issuerMetadataEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/issuerMetadataEndpoint.ts"],"sourcesContent":["import { getAuthorizationServerMetadataFromList } from '@openid4vc/oauth2'\nimport type { Response, Router } from 'express'\nimport type { OpenId4VciCredentialIssuerMetadata } from '../../shared'\nimport { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from '../../shared/router'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureIssuerMetadataEndpoint(router: Router, path: string) {\n router.get(path, async (request: OpenId4VcIssuanceRequest, response: Response, next) => {\n const { agentContext, issuer } = getRequestContext(request)\n try {\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const vcIssuer = openId4VcIssuerService.getIssuer(agentContext)\n const issuerAuthorizationServer = getAuthorizationServerMetadataFromList(\n issuerMetadata.authorizationServers,\n issuerMetadata.credentialIssuer.credential_issuer\n )\n\n // NOTE: for now we default to unsigned if the wallet doesn't explicitly indicate it supports signed\n const acceptedMediaTypes = request.headers.accept ? parseAcceptHeader(request.headers.accept) : []\n\n const mediaTypeToUse =\n acceptedMediaTypes.find(\n ({ mediaType }) =>\n mediaType === 'application/json' || (issuerMetadata.signedMetadataJwt && mediaType === 'application/jwt')\n )?.mediaType ?? 'application/json'\n\n const transformedMetadata = {\n // Get the draft 11 metadata (it also contains draft 14)\n ...vcIssuer.getCredentialIssuerMetadataDraft11(issuerMetadata.credentialIssuer),\n\n // TODO: these values should be removed, as they need to be hosted in the oauth-authorization-server\n // metadata. For backwards compatibility we will keep them in now.\n token_endpoint: issuerAuthorizationServer.token_endpoint,\n dpop_signing_alg_values_supported: issuerAuthorizationServer.dpop_signing_alg_values_supported,\n } satisfies OpenId4VciCredentialIssuerMetadata\n\n if (issuerMetadata.signedMetadataJwt && mediaTypeToUse === 'application/jwt') {\n response.type('application/jwt').status(200).send(issuerMetadata.signedMetadataJwt)\n } else {\n return sendJsonResponse(response, next, transformedMetadata)\n }\n } catch (e) {\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, e)\n }\n })\n}\n\nfunction parseAcceptHeader(header: string) {\n return header\n .split(',')\n .map((type) => {\n const [mediaType, ...params] = type.trim().split(';')\n let quality = 1\n\n // Extract quality value if present\n const qParam = params.find((p) => p.trim().startsWith('q='))\n if (qParam) {\n quality = parseFloat(qParam.split('=')[1]) || 1.0\n }\n\n return {\n mediaType: mediaType.trim(),\n quality: quality,\n }\n })\n .sort((a, b) => b.quality - a.quality) // Sort by preference\n}\n"],"mappings":";;;;;;AAOA,SAAgB,gCAAgC,QAAgB,MAAc;AAC5E,QAAO,IAAI,MAAM,OAAO,SAAmC,UAAoB,SAAS;EACtF,MAAM,EAAE,cAAc,WAAW,kBAAkB,QAAQ;AAC3D,MAAI;GACF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;GAC3F,MAAM,WAAW,uBAAuB,UAAU,aAAa;GAC/D,MAAM,4BAA4B,uCAChC,eAAe,sBACf,eAAe,iBAAiB,kBACjC;GAKD,MAAM,kBAFqB,QAAQ,QAAQ,SAAS,kBAAkB,QAAQ,QAAQ,OAAO,GAAG,EAAE,EAG7E,MAChB,EAAE,gBACD,cAAc,sBAAuB,eAAe,qBAAqB,cAAc,kBAC1F,EAAE,aAAa;GAElB,MAAM,sBAAsB;IAE1B,GAAG,SAAS,mCAAmC,eAAe,iBAAiB;IAI/E,gBAAgB,0BAA0B;IAC1C,mCAAmC,0BAA0B;IAC9D;AAED,OAAI,eAAe,qBAAqB,mBAAmB,kBACzD,UAAS,KAAK,kBAAkB,CAAC,OAAO,IAAI,CAAC,KAAK,eAAe,kBAAkB;OAEnF,QAAO,iBAAiB,UAAU,MAAM,oBAAoB;WAEvD,GAAG;AACV,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,EAAE;;GAEtF;;AAGJ,SAAS,kBAAkB,QAAgB;AACzC,QAAO,OACJ,MAAM,IAAI,CACV,KAAK,SAAS;EACb,MAAM,CAAC,WAAW,GAAG,UAAU,KAAK,MAAM,CAAC,MAAM,IAAI;EACrD,IAAI,UAAU;EAGd,MAAM,SAAS,OAAO,MAAM,MAAM,EAAE,MAAM,CAAC,WAAW,KAAK,CAAC;AAC5D,MAAI,OACF,WAAU,WAAW,OAAO,MAAM,IAAI,CAAC,GAAG,IAAI;AAGhD,SAAO;GACL,WAAW,UAAU,MAAM;GAClB;GACV;GACD,CACD,MAAM,GAAG,MAAM,EAAE,UAAU,EAAE,QAAQ"}

package/build/openid4vc-issuer/router/jwksEndpoint.mjs ADDED Viewed

@@ -0,0 +1,18 @@
+import { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
+import "../../shared/router/index.mjs";
+//#region src/openid4vc-issuer/router/jwksEndpoint.ts
+function configureJwksEndpoint(router, config) {
+	router.get(config.jwksEndpointPath, async (_request, response, next) => {
+		const { agentContext, issuer } = getRequestContext(_request);
+		try {
+			return sendJsonResponse(response, next, { keys: [issuer.resolvedAccessTokenPublicJwk.toJson({ includeKid: false })] }, "application/jwk-set+json");
+		} catch (e) {
+			return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, e);
+		}
+	});
+}
+//#endregion
+export { configureJwksEndpoint };
+//# sourceMappingURL=jwksEndpoint.mjs.map

package/build/openid4vc-issuer/router/jwksEndpoint.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwksEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/jwksEndpoint.ts"],"sourcesContent":["import type { Jwk, JwkSet } from '@openid4vc/oauth2'\nimport type { Response, Router } from 'express'\nimport { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from '../../shared/router'\nimport type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureJwksEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.get(config.jwksEndpointPath, async (_request: OpenId4VcIssuanceRequest, response: Response, next) => {\n const { agentContext, issuer } = getRequestContext(_request)\n try {\n const jwks = {\n // Not needed to include kid in public facing JWKs\n keys: [issuer.resolvedAccessTokenPublicJwk.toJson({ includeKid: false }) as Jwk],\n } satisfies JwkSet\n\n return sendJsonResponse(response, next, jwks, 'application/jwk-set+json')\n } catch (e) {\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, e)\n }\n })\n}\n"],"mappings":";;;;AAMA,SAAgB,sBAAsB,QAAgB,QAAqC;AACzF,QAAO,IAAI,OAAO,kBAAkB,OAAO,UAAoC,UAAoB,SAAS;EAC1G,MAAM,EAAE,cAAc,WAAW,kBAAkB,SAAS;AAC5D,MAAI;AAMF,UAAO,iBAAiB,UAAU,MALrB,EAEX,MAAM,CAAC,OAAO,6BAA6B,OAAO,EAAE,YAAY,OAAO,CAAC,CAAQ,EACjF,EAE6C,2BAA2B;WAClE,GAAG;AACV,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,EAAE;;GAEtF"}

package/build/openid4vc-issuer/router/nonceEndpoint.mjs ADDED Viewed

@@ -0,0 +1,29 @@
+import { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
+import "../../shared/router/index.mjs";
+import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
+//#region src/openid4vc-issuer/router/nonceEndpoint.ts
+function configureNonceEndpoint(router, config) {
+	router.post(config.nonceEndpointPath, async (request, response, next) => {
+		response.set({
+			"Cache-Control": "no-store",
+			Pragma: "no-cache"
+		});
+		const { agentContext, issuer } = getRequestContext(request);
+		try {
+			const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService);
+			const vcIssuer = openId4VcIssuerService.getIssuer(agentContext);
+			const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer);
+			return sendJsonResponse(response, next, vcIssuer.createNonceResponse({
+				cNonce,
+				cNonceExpiresIn: cNonceExpiresInSeconds
+			}));
+		} catch (error) {
+			return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error);
+		}
+	});
+}
+//#endregion
+export { configureNonceEndpoint };
+//# sourceMappingURL=nonceEndpoint.mjs.map

package/build/openid4vc-issuer/router/nonceEndpoint.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"nonceEndpoint.mjs","names":[],"sources":["../../../src/openid4vc-issuer/router/nonceEndpoint.ts"],"sourcesContent":["import type { NextFunction, Response, Router } from 'express'\nimport { getRequestContext, sendJsonResponse, sendUnknownServerErrorResponse } from '../../shared/router'\nimport type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport function configureNonceEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.post(\n config.nonceEndpointPath,\n async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => {\n response.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' })\n const requestContext = getRequestContext(request)\n const { agentContext, issuer } = requestContext\n\n try {\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const vcIssuer = openId4VcIssuerService.getIssuer(agentContext)\n\n const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer)\n\n const nonceResponse = vcIssuer.createNonceResponse({\n cNonce,\n cNonceExpiresIn: cNonceExpiresInSeconds,\n })\n\n return sendJsonResponse(response, next, nonceResponse)\n } catch (error) {\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n )\n}\n"],"mappings":";;;;;AAMA,SAAgB,uBAAuB,QAAgB,QAAqC;AAC1F,QAAO,KACL,OAAO,mBACP,OAAO,SAAmC,UAAoB,SAAuB;AACnF,WAAS,IAAI;GAAE,iBAAiB;GAAY,QAAQ;GAAY,CAAC;EAEjE,MAAM,EAAE,cAAc,WADC,kBAAkB,QAAQ;AAGjD,MAAI;GACF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,WAAW,uBAAuB,UAAU,aAAa;GAE/D,MAAM,EAAE,QAAQ,2BAA2B,MAAM,uBAAuB,YAAY,cAAc,OAAO;AAOzG,UAAO,iBAAiB,UAAU,MALZ,SAAS,oBAAoB;IACjD;IACA,iBAAiB;IAClB,CAAC,CAEoD;WAC/C,OAAO;AACd,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;GAG7F"}

package/build/openid4vc-issuer/router/pushedAuthorizationRequestEndpoint.mjs ADDED Viewed

@@ -0,0 +1,164 @@
+import { OpenId4VcIssuerModuleConfig } from "../OpenId4VcIssuerModuleConfig.mjs";
+import { getRequestContext, sendJsonResponse, sendOauth2ErrorResponse, sendUnknownServerErrorResponse } from "../../shared/router/context.mjs";
+import "../../shared/router/index.mjs";
+import { getAllowedAndRequestedScopeValues, getCredentialConfigurationsSupportedForScopes, getOfferedCredentials, getScopesFromCredentialConfigurationsSupported } from "../../shared/issuerMetadataUtils.mjs";
+import "../../shared/index.mjs";
+import { OpenId4VcIssuanceSessionState } from "../OpenId4VcIssuanceSessionState.mjs";
+import "../repository/index.mjs";
+import { OpenId4VcIssuerService } from "../OpenId4VcIssuerService.mjs";
+import { AgentContext, joinUriParts, utils } from "@credo-ts/core";
+import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError, pushedAuthorizationRequestUriPrefix } from "@openid4vc/oauth2";
+import { addSecondsToDate } from "@openid4vc/utils";
+//#region src/openid4vc-issuer/router/pushedAuthorizationRequestEndpoint.ts
+async function handlePushedAuthorizationRequest(agentContext, options) {
+	const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService);
+	const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig);
+	const { issuanceSession, parsedAuthorizationRequest, issuer, request } = options;
+	const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
+	if (!parsedAuthorizationRequest.authorizationRequest.scope) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidScope,
+		error_description: `Missing required 'scope' parameter`
+	});
+	if (!parsedAuthorizationRequest.authorizationRequest.redirect_uri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidScope,
+		error_description: `Missing required 'redirect_uri' parameter.`
+	});
+	const allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved];
+	if (!allowedStates.includes(issuanceSession.state)) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: `Invalid 'issuer_state' parameter`
+	}, { internalMessage: `Issuance session '${issuanceSession.id}' has state '${issuanceSession.state}' but expected one of ${allowedStates.join(", ")}` });
+	if (!issuanceSession.chainedIdentity?.externalAuthorizationServerUrl) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: `Unexpected redirect call for session.`
+	}, { internalMessage: `Issuance session '${issuanceSession.id}' is not configured to use chained identity for authorization.` });
+	const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, { issuanceSessionId: issuanceSession.id });
+	const { clientAttestation, dpop } = await authorizationServer.verifyPushedAuthorizationRequest({
+		authorizationRequest: parsedAuthorizationRequest.authorizationRequest,
+		authorizationServerMetadata: issuerMetadata.authorizationServers[0],
+		request,
+		clientAttestation: {
+			...parsedAuthorizationRequest.clientAttestation,
+			required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired
+		},
+		dpop: {
+			...parsedAuthorizationRequest.dpop,
+			required: issuanceSession.dpop?.required ?? config.dpopRequired
+		}
+	});
+	if (dpop) issuanceSession.dpop = {
+		required: true,
+		dpopJkt: dpop.jwkThumbprint
+	};
+	if (clientAttestation) issuanceSession.walletAttestation = { required: true };
+	const offeredCredentialConfigurations = getOfferedCredentials(issuanceSession.credentialOfferPayload.credential_configuration_ids, issuerMetadata.credentialIssuer.credential_configurations_supported);
+	const requestedScopes = getAllowedAndRequestedScopeValues({
+		allowedScopes: getScopesFromCredentialConfigurationsSupported(offeredCredentialConfigurations),
+		requestedScope: parsedAuthorizationRequest.authorizationRequest.scope
+	});
+	const requestedCredentialConfigurations = getCredentialConfigurationsSupportedForScopes(offeredCredentialConfigurations, requestedScopes);
+	if (requestedScopes.length === 0 || Object.keys(requestedCredentialConfigurations).length === 0) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidScope,
+		error_description: `No requested 'scope' values match with offered credential configurations.`
+	});
+	issuanceSession.authorization = {
+		...issuanceSession.authorization,
+		scopes: requestedScopes
+	};
+	issuanceSession.clientId = clientAttestation?.clientAttestation.payload.sub ?? parsedAuthorizationRequest.authorizationRequest.client_id;
+	const oauth2Client = openId4VcIssuerService.getOauth2Client(agentContext, issuer);
+	const authorizationServerUrl = issuanceSession.chainedIdentity.externalAuthorizationServerUrl;
+	const authorizationServerConfig = issuer.chainedAuthorizationServerConfigs?.find((config$1) => config$1.issuer === authorizationServerUrl);
+	if (!authorizationServerConfig) throw new Oauth2ServerErrorResponseError({ error: Oauth2ErrorCodes.ServerError }, { internalMessage: `Issuer '${issuer.issuerId}' does not have a chained authorization server config for issuer '${authorizationServerUrl}'` });
+	const authorizationServerMetadata = await oauth2Client.fetchAuthorizationServerMetadata(authorizationServerConfig.issuer);
+	if (!authorizationServerMetadata) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.ServerError,
+		error_description: `Unable to retrieve authorization server metadata from external identity provider.`
+	}, { internalMessage: `Unable to retrieve authorization server metadata from '${authorizationServerConfig.issuer}'` });
+	const redirectUri = joinUriParts(config.baseUrl, [issuer.issuerId, "redirect"]);
+	const chainedIdentityState = utils.uuid();
+	const scopes = requestedScopes.flatMap((scope) => {
+		if (scope in authorizationServerConfig.scopesMapping) return authorizationServerConfig.scopesMapping[scope];
+		throw new Oauth2ServerErrorResponseError({ error: Oauth2ErrorCodes.ServerError }, { internalMessage: `Issuer '${issuer.issuerId}' does not have a scope mapping for scope '${scope}' for external authorization server '${authorizationServerConfig.issuer}'` });
+	});
+	const { authorizationRequestUrl, pkce } = await oauth2Client.initiateAuthorization({
+		authorizationServerMetadata,
+		clientId: authorizationServerConfig.clientAuthentication.clientId,
+		redirectUri,
+		state: chainedIdentityState,
+		scope: scopes.join(" ")
+	});
+	issuanceSession.chainedIdentity = {
+		...issuanceSession.chainedIdentity,
+		requestUriReferenceValue: utils.uuid(),
+		externalAuthorizationRequestUrl: authorizationRequestUrl,
+		requestUriExpiresAt: addSecondsToDate(/* @__PURE__ */ new Date(), config.requestUriExpiresInSeconds),
+		pkceCodeVerifier: pkce?.codeVerifier,
+		externalState: chainedIdentityState,
+		state: parsedAuthorizationRequest.authorizationRequest.state,
+		redirectUri: parsedAuthorizationRequest.authorizationRequest.redirect_uri,
+		externalAuthorizationServerMetadata: authorizationServerMetadata
+	};
+	const { pushedAuthorizationResponse } = authorizationServer.createPushedAuthorizationResponse({
+		expiresInSeconds: config.requestUriExpiresInSeconds,
+		requestUri: pushedAuthorizationRequestUriPrefix + issuanceSession.chainedIdentity.requestUriReferenceValue
+	});
+	await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.AuthorizationInitiated);
+	return { pushedAuthorizationResponse };
+}
+function configurePushedAuthorizationRequestEndpoint(router, config) {
+	router.post(config.pushedAuthorizationRequestEndpoint, async (request, response, next) => {
+		const { agentContext, issuer } = getRequestContext(request);
+		try {
+			const config$1 = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig);
+			const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService);
+			const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
+			const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
+			const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [config$1.pushedAuthorizationRequestEndpoint]);
+			const requestLike = {
+				headers: new Headers(request.headers),
+				method: request.method,
+				url: fullRequestUrl
+			};
+			const parseResult = await authorizationServer.parsePushedAuthorizationRequest({
+				authorizationRequest: request.body,
+				request: requestLike
+			});
+			if (parseResult.authorizationRequestJwt) throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidRequest,
+				error_description: `Using JWT-secured authorization request is not supported.`
+			});
+			if (!parseResult.authorizationRequest.issuer_state) throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidRequest,
+				error_description: `Missing required 'issuer_state' parameter. Only requests initiated by a credential offer are supported for pushed authorization requests.`
+			});
+			if (!parseResult.authorizationRequest.scope) throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidScope,
+				error_description: `Missing required 'scope' parameter`
+			});
+			const issuanceSession = await openId4VcIssuerService.findSingleIssuanceSessionByQuery(agentContext, {
+				issuerId: issuer.issuerId,
+				issuerState: parseResult.authorizationRequest.issuer_state
+			});
+			if (!issuanceSession) throw new Oauth2ServerErrorResponseError({
+				error: Oauth2ErrorCodes.InvalidRequest,
+				error_description: `Invalid 'issuer_state' parameter`
+			}, { internalMessage: `Issuance session not found for 'issuer_state' parameter '${parseResult.authorizationRequest.issuer_state}'` });
+			const { pushedAuthorizationResponse } = await handlePushedAuthorizationRequest(agentContext, {
+				issuanceSession,
+				issuer,
+				parsedAuthorizationRequest: parseResult,
+				request: requestLike
+			});
+			return sendJsonResponse(response, next, pushedAuthorizationResponse);
+		} catch (error) {
+			if (error instanceof Oauth2ServerErrorResponseError) return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error);
+			return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error);
+		}
+	});
+}
+//#endregion
+export { configurePushedAuthorizationRequestEndpoint, handlePushedAuthorizationRequest };
+//# sourceMappingURL=pushedAuthorizationRequestEndpoint.mjs.map

package/build/openid4vc-issuer/router/pushedAuthorizationRequestEndpoint.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pushedAuthorizationRequestEndpoint.mjs","names":["config"],"sources":["../../../src/openid4vc-issuer/router/pushedAuthorizationRequestEndpoint.ts"],"sourcesContent":["import { AgentContext, joinUriParts, utils } from '@credo-ts/core'\nimport type { HttpMethod, ParsePushedAuthorizationRequestResult, RequestLike } from '@openid4vc/oauth2'\nimport {\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n pushedAuthorizationRequestUriPrefix,\n} from '@openid4vc/oauth2'\nimport { addSecondsToDate } from '@openid4vc/utils'\nimport type { NextFunction, Response, Router } from 'express'\nimport type { OpenId4VciCredentialConfigurationsSupportedWithFormats } from '../../shared'\nimport {\n getAllowedAndRequestedScopeValues,\n getCredentialConfigurationsSupportedForScopes,\n getOfferedCredentials,\n getScopesFromCredentialConfigurationsSupported,\n} from '../../shared'\nimport {\n getRequestContext,\n sendJsonResponse,\n sendOauth2ErrorResponse,\n sendUnknownServerErrorResponse,\n} from '../../shared/router'\nimport { OpenId4VcIssuanceSessionState } from '../OpenId4VcIssuanceSessionState'\nimport { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig'\nimport { OpenId4VcIssuerService } from '../OpenId4VcIssuerService'\nimport { OpenId4VcIssuanceSessionRecord, OpenId4VcIssuerRecord } from '../repository'\nimport type { OpenId4VcIssuanceRequest } from './requestContext'\n\nexport async function handlePushedAuthorizationRequest(\n agentContext: AgentContext,\n options: {\n issuer: OpenId4VcIssuerRecord\n issuanceSession: OpenId4VcIssuanceSessionRecord\n parsedAuthorizationRequest: ParsePushedAuthorizationRequestResult\n request: RequestLike\n }\n) {\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig)\n\n const { issuanceSession, parsedAuthorizationRequest, issuer, request } = options\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n\n if (!parsedAuthorizationRequest.authorizationRequest.scope) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `Missing required 'scope' parameter`,\n })\n }\n\n if (!parsedAuthorizationRequest.authorizationRequest.redirect_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `Missing required 'redirect_uri' parameter.`,\n })\n }\n\n const allowedStates = [OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState.OfferUriRetrieved]\n if (!allowedStates.includes(issuanceSession.state)) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid 'issuer_state' parameter`,\n },\n {\n internalMessage: `Issuance session '${issuanceSession.id}' has state '${\n issuanceSession.state\n }' but expected one of ${allowedStates.join(', ')}`,\n }\n )\n }\n\n if (!issuanceSession.chainedIdentity?.externalAuthorizationServerUrl) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Unexpected redirect call for session.`,\n },\n {\n internalMessage: `Issuance session '${issuanceSession.id}' is not configured to use chained identity for authorization.`,\n }\n )\n }\n\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {\n issuanceSessionId: issuanceSession.id,\n })\n\n const { clientAttestation, dpop } = await authorizationServer.verifyPushedAuthorizationRequest({\n authorizationRequest: parsedAuthorizationRequest.authorizationRequest,\n // First authorization server is the internal authorization server\n authorizationServerMetadata: issuerMetadata.authorizationServers[0],\n request,\n clientAttestation: {\n ...parsedAuthorizationRequest.clientAttestation,\n // First session config, fall back to global config\n required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,\n },\n dpop: {\n ...parsedAuthorizationRequest.dpop,\n // First session config, fall back to global config\n required: issuanceSession.dpop?.required ?? config.dpopRequired,\n },\n })\n\n if (dpop) {\n // Bind dpop jwk thumbprint to session\n issuanceSession.dpop = {\n // If dpop is provided at the start, it's required from now on.\n required: true,\n dpopJkt: dpop.jwkThumbprint,\n }\n }\n\n if (clientAttestation) {\n issuanceSession.walletAttestation = {\n // If client attestation is provided at the start, it's required from now on.\n required: true,\n }\n }\n\n const offeredCredentialConfigurations = getOfferedCredentials(\n issuanceSession.credentialOfferPayload.credential_configuration_ids,\n issuerMetadata.credentialIssuer.credential_configurations_supported\n )\n const allowedScopes = getScopesFromCredentialConfigurationsSupported(offeredCredentialConfigurations)\n const requestedScopes = getAllowedAndRequestedScopeValues({\n allowedScopes,\n requestedScope: parsedAuthorizationRequest.authorizationRequest.scope,\n })\n const requestedCredentialConfigurations = getCredentialConfigurationsSupportedForScopes(\n offeredCredentialConfigurations,\n requestedScopes\n ) as OpenId4VciCredentialConfigurationsSupportedWithFormats\n if (requestedScopes.length === 0 || Object.keys(requestedCredentialConfigurations).length === 0) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `No requested 'scope' values match with offered credential configurations.`,\n })\n }\n\n issuanceSession.authorization = {\n ...issuanceSession.authorization,\n scopes: requestedScopes,\n }\n\n // If client attestation is used we have verified this client_id matches with the sub\n // of the wallet attestation\n issuanceSession.clientId =\n clientAttestation?.clientAttestation.payload.sub ?? parsedAuthorizationRequest.authorizationRequest.client_id\n\n const oauth2Client = openId4VcIssuerService.getOauth2Client(agentContext, issuer)\n const authorizationServerUrl = issuanceSession.chainedIdentity.externalAuthorizationServerUrl\n\n const authorizationServerConfig = issuer.chainedAuthorizationServerConfigs?.find(\n (config) => config.issuer === authorizationServerUrl\n )\n if (!authorizationServerConfig) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage: `Issuer '${issuer.issuerId}' does not have a chained authorization server config for issuer '${authorizationServerUrl}'`,\n }\n )\n }\n\n const authorizationServerMetadata = await oauth2Client.fetchAuthorizationServerMetadata(\n authorizationServerConfig.issuer\n )\n if (!authorizationServerMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n error_description: `Unable to retrieve authorization server metadata from external identity provider.`,\n },\n {\n internalMessage: `Unable to retrieve authorization server metadata from '${authorizationServerConfig.issuer}'`,\n }\n )\n }\n\n const redirectUri = joinUriParts(config.baseUrl, [issuer.issuerId, 'redirect'])\n const chainedIdentityState = utils.uuid()\n\n const scopes = requestedScopes.flatMap((scope) => {\n if (scope in authorizationServerConfig.scopesMapping) {\n return authorizationServerConfig.scopesMapping[scope]\n }\n\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage: `Issuer '${issuer.issuerId}' does not have a scope mapping for scope '${scope}' for external authorization server '${authorizationServerConfig.issuer}'`,\n }\n )\n })\n\n // TODO: add support for DPoP\n const { authorizationRequestUrl, pkce } = await oauth2Client.initiateAuthorization({\n authorizationServerMetadata,\n clientId: authorizationServerConfig.clientAuthentication.clientId,\n redirectUri,\n state: chainedIdentityState,\n scope: scopes.join(' '),\n })\n\n issuanceSession.chainedIdentity = {\n ...issuanceSession.chainedIdentity,\n requestUriReferenceValue: utils.uuid(),\n externalAuthorizationRequestUrl: authorizationRequestUrl,\n requestUriExpiresAt: addSecondsToDate(new Date(), config.requestUriExpiresInSeconds),\n pkceCodeVerifier: pkce?.codeVerifier,\n externalState: chainedIdentityState,\n state: parsedAuthorizationRequest.authorizationRequest.state,\n redirectUri: parsedAuthorizationRequest.authorizationRequest.redirect_uri,\n externalAuthorizationServerMetadata: authorizationServerMetadata,\n }\n\n const { pushedAuthorizationResponse } = authorizationServer.createPushedAuthorizationResponse({\n expiresInSeconds: config.requestUriExpiresInSeconds,\n requestUri: pushedAuthorizationRequestUriPrefix + issuanceSession.chainedIdentity.requestUriReferenceValue,\n })\n\n await openId4VcIssuerService.updateState(\n agentContext,\n issuanceSession,\n OpenId4VcIssuanceSessionState.AuthorizationInitiated\n )\n\n return { pushedAuthorizationResponse }\n}\n\nexport function configurePushedAuthorizationRequestEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig) {\n router.post(\n config.pushedAuthorizationRequestEndpoint,\n async (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => {\n const requestContext = getRequestContext(request)\n const { agentContext, issuer } = requestContext\n\n try {\n const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig)\n const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService)\n const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer)\n const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext)\n const fullRequestUrl = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [\n config.pushedAuthorizationRequestEndpoint,\n ])\n\n const requestLike = {\n headers: new Headers(request.headers as Record<string, string>),\n method: request.method as HttpMethod,\n url: fullRequestUrl,\n } as const\n\n const parseResult = await authorizationServer.parsePushedAuthorizationRequest({\n authorizationRequest: request.body,\n request: requestLike,\n })\n\n if (parseResult.authorizationRequestJwt) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Using JWT-secured authorization request is not supported.`,\n })\n }\n\n // TODO: we could allow dynamic issuance sessions here. Maybe based on a callback?\n // Not sure how to decide which credentials are allowed to be requested dynamically\n if (!parseResult.authorizationRequest.issuer_state) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'issuer_state' parameter. Only requests initiated by a credential offer are supported for pushed authorization requests.`,\n })\n }\n\n if (!parseResult.authorizationRequest.scope) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidScope,\n error_description: `Missing required 'scope' parameter`,\n })\n }\n\n const issuanceSession = await openId4VcIssuerService.findSingleIssuanceSessionByQuery(agentContext, {\n issuerId: issuer.issuerId,\n issuerState: parseResult.authorizationRequest.issuer_state,\n })\n\n if (!issuanceSession) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid 'issuer_state' parameter`,\n },\n {\n internalMessage: `Issuance session not found for 'issuer_state' parameter '${parseResult.authorizationRequest.issuer_state}'`,\n }\n )\n }\n\n const { pushedAuthorizationResponse } = await handlePushedAuthorizationRequest(agentContext, {\n issuanceSession,\n issuer,\n parsedAuthorizationRequest: parseResult,\n request: requestLike,\n })\n\n return sendJsonResponse(response, next, pushedAuthorizationResponse)\n } catch (error) {\n if (error instanceof Oauth2ServerErrorResponseError) {\n return sendOauth2ErrorResponse(response, next, agentContext.config.logger, error)\n }\n return sendUnknownServerErrorResponse(response, next, agentContext.config.logger, error)\n }\n }\n )\n}\n"],"mappings":";;;;;;;;;;;;;AA4BA,eAAsB,iCACpB,cACA,SAMA;CACA,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;CAC7F,MAAM,SAAS,aAAa,kBAAkB,QAAQ,4BAA4B;CAElF,MAAM,EAAE,iBAAiB,4BAA4B,QAAQ,YAAY;CACzE,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;AAE3F,KAAI,CAAC,2BAA2B,qBAAqB,MACnD,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,KAAI,CAAC,2BAA2B,qBAAqB,aACnD,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;CAGJ,MAAM,gBAAgB,CAAC,8BAA8B,cAAc,8BAA8B,kBAAkB;AACnH,KAAI,CAAC,cAAc,SAAS,gBAAgB,MAAM,CAChD,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,qBAAqB,gBAAgB,GAAG,eACvD,gBAAgB,MACjB,wBAAwB,cAAc,KAAK,KAAK,IAClD,CACF;AAGH,KAAI,CAAC,gBAAgB,iBAAiB,+BACpC,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,qBAAqB,gBAAgB,GAAG,iEAC1D,CACF;CAGH,MAAM,sBAAsB,uBAAuB,6BAA6B,cAAc,EAC5F,mBAAmB,gBAAgB,IACpC,CAAC;CAEF,MAAM,EAAE,mBAAmB,SAAS,MAAM,oBAAoB,iCAAiC;EAC7F,sBAAsB,2BAA2B;EAEjD,6BAA6B,eAAe,qBAAqB;EACjE;EACA,mBAAmB;GACjB,GAAG,2BAA2B;GAE9B,UAAU,gBAAgB,mBAAmB,YAAY,OAAO;GACjE;EACD,MAAM;GACJ,GAAG,2BAA2B;GAE9B,UAAU,gBAAgB,MAAM,YAAY,OAAO;GACpD;EACF,CAAC;AAEF,KAAI,KAEF,iBAAgB,OAAO;EAErB,UAAU;EACV,SAAS,KAAK;EACf;AAGH,KAAI,kBACF,iBAAgB,oBAAoB,EAElC,UAAU,MACX;CAGH,MAAM,kCAAkC,sBACtC,gBAAgB,uBAAuB,8BACvC,eAAe,iBAAiB,oCACjC;CAED,MAAM,kBAAkB,kCAAkC;EACxD,eAFoB,+CAA+C,gCAAgC;EAGnG,gBAAgB,2BAA2B,qBAAqB;EACjE,CAAC;CACF,MAAM,oCAAoC,8CACxC,iCACA,gBACD;AACD,KAAI,gBAAgB,WAAW,KAAK,OAAO,KAAK,kCAAkC,CAAC,WAAW,EAC5F,OAAM,IAAI,+BAA+B;EACvC,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,CAAC;AAGJ,iBAAgB,gBAAgB;EAC9B,GAAG,gBAAgB;EACnB,QAAQ;EACT;AAID,iBAAgB,WACd,mBAAmB,kBAAkB,QAAQ,OAAO,2BAA2B,qBAAqB;CAEtG,MAAM,eAAe,uBAAuB,gBAAgB,cAAc,OAAO;CACjF,MAAM,yBAAyB,gBAAgB,gBAAgB;CAE/D,MAAM,4BAA4B,OAAO,mCAAmC,MACzE,aAAWA,SAAO,WAAW,uBAC/B;AACD,KAAI,CAAC,0BACH,OAAM,IAAI,+BACR,EACE,OAAO,iBAAiB,aACzB,EACD,EACE,iBAAiB,WAAW,OAAO,SAAS,oEAAoE,uBAAuB,IACxI,CACF;CAGH,MAAM,8BAA8B,MAAM,aAAa,iCACrD,0BAA0B,OAC3B;AACD,KAAI,CAAC,4BACH,OAAM,IAAI,+BACR;EACE,OAAO,iBAAiB;EACxB,mBAAmB;EACpB,EACD,EACE,iBAAiB,0DAA0D,0BAA0B,OAAO,IAC7G,CACF;CAGH,MAAM,cAAc,aAAa,OAAO,SAAS,CAAC,OAAO,UAAU,WAAW,CAAC;CAC/E,MAAM,uBAAuB,MAAM,MAAM;CAEzC,MAAM,SAAS,gBAAgB,SAAS,UAAU;AAChD,MAAI,SAAS,0BAA0B,cACrC,QAAO,0BAA0B,cAAc;AAGjD,QAAM,IAAI,+BACR,EACE,OAAO,iBAAiB,aACzB,EACD,EACE,iBAAiB,WAAW,OAAO,SAAS,6CAA6C,MAAM,uCAAuC,0BAA0B,OAAO,IACxK,CACF;GACD;CAGF,MAAM,EAAE,yBAAyB,SAAS,MAAM,aAAa,sBAAsB;EACjF;EACA,UAAU,0BAA0B,qBAAqB;EACzD;EACA,OAAO;EACP,OAAO,OAAO,KAAK,IAAI;EACxB,CAAC;AAEF,iBAAgB,kBAAkB;EAChC,GAAG,gBAAgB;EACnB,0BAA0B,MAAM,MAAM;EACtC,iCAAiC;EACjC,qBAAqB,iCAAiB,IAAI,MAAM,EAAE,OAAO,2BAA2B;EACpF,kBAAkB,MAAM;EACxB,eAAe;EACf,OAAO,2BAA2B,qBAAqB;EACvD,aAAa,2BAA2B,qBAAqB;EAC7D,qCAAqC;EACtC;CAED,MAAM,EAAE,gCAAgC,oBAAoB,kCAAkC;EAC5F,kBAAkB,OAAO;EACzB,YAAY,sCAAsC,gBAAgB,gBAAgB;EACnF,CAAC;AAEF,OAAM,uBAAuB,YAC3B,cACA,iBACA,8BAA8B,uBAC/B;AAED,QAAO,EAAE,6BAA6B;;AAGxC,SAAgB,4CAA4C,QAAgB,QAAqC;AAC/G,QAAO,KACL,OAAO,oCACP,OAAO,SAAmC,UAAoB,SAAuB;EAEnF,MAAM,EAAE,cAAc,WADC,kBAAkB,QAAQ;AAGjD,MAAI;GACF,MAAMA,WAAS,aAAa,kBAAkB,QAAQ,4BAA4B;GAClF,MAAM,yBAAyB,aAAa,kBAAkB,QAAQ,uBAAuB;GAC7F,MAAM,iBAAiB,MAAM,uBAAuB,kBAAkB,cAAc,OAAO;GAC3F,MAAM,sBAAsB,uBAAuB,6BAA6B,aAAa;GAC7F,MAAM,iBAAiB,aAAa,eAAe,iBAAiB,mBAAmB,CACrFA,SAAO,mCACR,CAAC;GAEF,MAAM,cAAc;IAClB,SAAS,IAAI,QAAQ,QAAQ,QAAkC;IAC/D,QAAQ,QAAQ;IAChB,KAAK;IACN;GAED,MAAM,cAAc,MAAM,oBAAoB,gCAAgC;IAC5E,sBAAsB,QAAQ;IAC9B,SAAS;IACV,CAAC;AAEF,OAAI,YAAY,wBACd,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;AAKJ,OAAI,CAAC,YAAY,qBAAqB,aACpC,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;AAGJ,OAAI,CAAC,YAAY,qBAAqB,MACpC,OAAM,IAAI,+BAA+B;IACvC,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,CAAC;GAGJ,MAAM,kBAAkB,MAAM,uBAAuB,iCAAiC,cAAc;IAClG,UAAU,OAAO;IACjB,aAAa,YAAY,qBAAqB;IAC/C,CAAC;AAEF,OAAI,CAAC,gBACH,OAAM,IAAI,+BACR;IACE,OAAO,iBAAiB;IACxB,mBAAmB;IACpB,EACD,EACE,iBAAiB,4DAA4D,YAAY,qBAAqB,aAAa,IAC5H,CACF;GAGH,MAAM,EAAE,gCAAgC,MAAM,iCAAiC,cAAc;IAC3F;IACA;IACA,4BAA4B;IAC5B,SAAS;IACV,CAAC;AAEF,UAAO,iBAAiB,UAAU,MAAM,4BAA4B;WAC7D,OAAO;AACd,OAAI,iBAAiB,+BACnB,QAAO,wBAAwB,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;AAEnF,UAAO,+BAA+B,UAAU,MAAM,aAAa,OAAO,QAAQ,MAAM;;GAG7F"}