npm - @digitalbazaar/oid4-client - Versions diffs - 5.8.0 → 5.9.1 - Mend

@digitalbazaar/oid4-client 5.8.0 → 5.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/convert/index.js +24 -6
package/lib/oid4vp/authorizationRequest.js +30 -9
package/lib/util.js +9 -1
package/package.json +1 -1

package/lib/convert/index.js CHANGED Viewed

@@ -62,11 +62,18 @@ export function fromVpr({
     if(verifiablePresentationRequest.domain) {
       // since a `domain` was provided, set these defaults:
       authorizationRequest.client_id = verifiablePresentationRequest.domain;
-      authorizationRequest.response_uri = authorizationRequest.client_id;
+      const usesRedirectUriPrefix =
+        authorizationRequest.client_id?.startsWith('redirect_uri:');
+      authorizationRequest.response_uri = usesRedirectUriPrefix ?
+        authorizationRequest.client_id.slice('redirect_uri:'.length) :
+        authorizationRequest.client_id;
       if(useClientIdPrefix) {
-        authorizationRequest.client_id =
-          `redirect_uri:${authorizationRequest.client_id}`;
-      } else {
+        if(!usesRedirectUriPrefix) {
+          authorizationRequest.client_id =
+            `redirect_uri:${authorizationRequest.client_id}`;
+        }
+      }
+      if(usesRedirectUriPrefix) {
         authorizationRequest.client_id_scheme = 'redirect_uri';
       }
     }
@@ -137,10 +144,13 @@ export function toVpr({authorizationRequest, strict = false} = {}) {
     const {
       client_id,
+      client_id_scheme,
       client_metadata,
       dcql_query,
+      expected_origins,
       nonce,
       presentation_definition,
+      response_mode,
       response_uri
     } = authorizationRequest;
@@ -186,9 +196,17 @@ export function toVpr({authorizationRequest, strict = false} = {}) {
       verifiablePresentationRequest.query = [didAuthnQuery];
     }
-    // map `response_uri` or `client_id` to `domain`
+    // map `expected_origins` / `client_id` / `response_uri` to `domain`
     if(response_uri !== undefined || client_id !== undefined) {
-      verifiablePresentationRequest.domain = response_uri ?? client_id;
+      if(response_mode?.startsWith('dc_api') && !response_uri &&
+        expected_origins?.length > 0) {
+        verifiablePresentationRequest.domain = expected_origins[0];
+      } else if(client_id_scheme === 'redirect_uri' ||
+        client_id?.startsWith('redirect_uri:')) {
+        verifiablePresentationRequest.domain = client_id ?? response_uri;
+      } else {
+        verifiablePresentationRequest.domain = response_uri;
+      }
     }
     // map `nonce` to `challenge`

package/lib/oid4vp/authorizationRequest.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2023-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2023-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import {
   assert, assertOptional, base64Encode,
@@ -23,13 +23,15 @@ const SUPPORTED_CLIENT_ID_SCHEMES = new Set([
 // get an authorization request from a verifier
 export async function get({
-  url, getTrustedCertificates, getVerificationKey, agent
+  url, getTrustedCertificates, getVerificationKey, getPostBody, agent,
+  overrideMethod
 } = {}) {
   try {
     assert(url, 'url', 'string');
     let authorizationRequest;
     let requestUrl;
+    let requestUrlMethod = 'get';
     let expectedClientId;
     if(url.startsWith('https://')) {
       // the request must be retrieved via HTTP
@@ -40,6 +42,10 @@ export async function get({
       expectedClientId = authorizationRequest.client_id;
       if(authorizationRequest.request_uri) {
         requestUrl = authorizationRequest.request_uri;
+        if(authorizationRequest.request_uri_method === 'post' ||
+          authorizationRequest.request_uri_method === 'get') {
+          requestUrlMethod = authorizationRequest.request_uri_method;
+        }
       }
       // if whole request is passed by reference, then it MUST be a signed JWT
       if(authorizationRequest.request) {
@@ -52,6 +58,11 @@ export async function get({
       }
     }
+    // allow method override
+    if(overrideMethod) {
+      requestUrlMethod = overrideMethod;
+    }
     // fetch request if necessary...
     let fetched = false;
     let response;
@@ -60,8 +71,9 @@ export async function get({
       fetched = true;
       ({
         payload: authorizationRequest, response, jwt
-      } = await _fetch({
-        requestUrl, getTrustedCertificates, getVerificationKey, agent
+      } = await _fetchAuthzRequest({
+        method: requestUrlMethod, requestUrl, getPostBody,
+        getTrustedCertificates, getVerificationKey, agent
       }));
     }
@@ -268,8 +280,8 @@ async function _checkClientIdSchemeRequirements({
     }
     let {client_id: clientId} = authorizationRequest;
-    clientId = clientId.startsWith(`${clientIdScheme}:`) ?
-      clientId.slice(clientIdScheme.length + 2) : clientId;
+    clientId = clientId?.startsWith(`${clientIdScheme}:`) ?
+      clientId.slice(clientIdScheme.length + 1) : clientId;
     if(clientIdScheme === 'x509_san_dns') {
       // `x509_san_dns` requires leaf cert to have a dNSName ("domain" type) in
@@ -324,14 +336,21 @@ async function _checkClientIdSchemeRequirements({
   }
 }
-async function _fetch({
-  requestUrl, getTrustedCertificates, getVerificationKey, agent
+async function _fetchAuthzRequest({
+  method = 'get', requestUrl, getPostBody,
+  getTrustedCertificates, getVerificationKey, agent
 }) {
   // FIXME: every `fetchJSON` call needs to use a block list or other
   // protections to prevent a confused deputy attack where the `requestUrl`
   // accesses a location it should not, e.g., a URL `localhost` is used when
   // it shouldn't be
-  const response = await fetchJSON({url: requestUrl, agent});
+  const options = {url: requestUrl, agent};
+  if(method === 'post') {
+    const {body} = await getPostBody?.() ?? new URLSearchParams();
+    options.method = 'post';
+    options.body = body ?? new URLSearchParams();
+  }
+  const response = await fetchJSON(options);
   // parse payload from response data...
   const contentType = response.headers.get('content-type');
@@ -422,6 +441,7 @@ function _parseOID4VPUrl({url}) {
   const {searchParams} = new URL(url);
   const request = _get(searchParams, 'request');
   const request_uri = _get(searchParams, 'request_uri');
+  const request_uri_method = _get(searchParams, 'request_uri_method');
   const response_type = _get(searchParams, 'response_type');
   const response_mode = _get(searchParams, 'response_mode');
   const presentation_definition = _get(
@@ -452,6 +472,7 @@ function _parseOID4VPUrl({url}) {
   const authorizationRequest = {
     request,
     request_uri,
+    request_uri_method,
     response_type,
     response_mode,
     presentation_definition: presentation_definition &&

package/lib/util.js CHANGED Viewed

@@ -47,7 +47,7 @@ export function createNamedError({message, name, details, cause} = {}) {
   return error;
 }
-export function fetchJSON({url, agent} = {}) {
+export function fetchJSON({method = 'get', url, body, json, agent} = {}) {
   // allow these params to be passed / configured
   const fetchOptions = {
     // max size for issuer config related responses (in bytes, ~4 KiB)
@@ -57,6 +57,14 @@ export function fetchJSON({url, agent} = {}) {
     agent
   };
+  if(method === 'post') {
+    if(body !== undefined) {
+      fetchOptions.body = body;
+    } else if(json !== undefined) {
+      fetchOptions.json = json;
+    }
+    return httpClient.post(url, fetchOptions);
+  }
   return httpClient.get(url, fetchOptions);
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "5.8.0",
+  "version": "5.9.1",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {