@ewqwe/digital-identity 1.1.1

@@ -0,0 +1,521 @@
1
+ /**
2
+ * @ewqwe/digital-identity — Type Definitions
3
+ *
4
+ * Shared types for OpenID4VP, DCQL, credential formats, and protocol profiles.
5
+ * Node.js compatible — no platform-specific APIs. Used by both front-end and back-end.
6
+ *
7
+ * Standards references:
8
+ * - OpenID4VP 1.0: https://openid.net/specs/openid-4-verifiable-presentations-1_0.html
9
+ * - DCQL: OpenID4VP 1.0 §6
10
+ * - ISO/IEC 18013-5 (mDL/mDoc)
11
+ * - SD-JWT VC: https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html
12
+ * - EU Age Verification Profile: https://ageverification.dev/Technical%20Specification/annexes/annex-A/annex-A-av-profile
13
+ */
14
+ import type { DCQLQuery } from "./dcql.js";
15
+ /** Protocol profile identifier. */
16
+ export type ProfileId = "haip" | "haip-x509-san-dns" | "annex-a";
17
+ /** Client ID scheme (OpenID4VP 1.0 §5.9). */
18
+ export type ClientIdScheme = "x509_san_dns" | "redirect_uri" | "x509_san_uri" | "did" | "x509_hash";
19
+ /** Authorization request format. */
20
+ export type RequestFormat = "jar" | "plain";
21
+ /**
22
+ * Response mode for wallet responses (OpenID4VP 1.0 §5.2, Appendix A.2).
23
+ *
24
+ * | Value | Description |
25
+ * |------------------|-------------------------------------------------------------------|
26
+ * | `fragment` | Default for `vp_token`; response in redirect URL fragment (same-device) |
27
+ * | `direct_post` | Wallet POSTs response to `response_uri` (cross-device) |
28
+ * | `direct_post.jwt`| Like `direct_post` but response is encrypted JWE (HAIP mandatory) |
29
+ * | `dc_api` | Response via W3C Digital Credentials API, unencrypted |
30
+ * | `dc_api.jwt` | Response via W3C DC API, encrypted JWE (Appendix A §8.3) |
31
+ */
32
+ export type ResponseMode = "fragment" | "direct_post" | "direct_post.jwt" | "dc_api" | "dc_api.jwt";
33
+ /**
34
+ * Protocol profile configuration.
35
+ *
36
+ * Defines the OpenID4VP profile to use for a credential type.
37
+ *
38
+ * - HAIP: x509_san_dns, signed JAR, direct_post.jwt (EUDI Wallet)
39
+ * - Annex A: redirect_uri, plain JSON, direct_post (EU AV Profile)
40
+ */
41
+ export interface ProtocolProfile {
42
+ id: ProfileId;
43
+ name: string;
44
+ description: string;
45
+ clientIdScheme: ClientIdScheme;
46
+ requestFormat: RequestFormat;
47
+ responseMode: ResponseMode;
48
+ urlSchemes: string[];
49
+ requiresJarSigning: boolean;
50
+ }
51
+ /** Credential type identifier. */
52
+ export type CredentialType = "mdl" | "national-id" | "national-id-sd-jwt" | "proof-of-age" | "photo-id" | "tax" | "tax-sd-jwt" | "pseudonym-age" | "pseudonym-age-sd-jwt" | "france-identite-numerique" | "ehic" | "ehic-sd-jwt" | "health-id" | "health-id-sd-jwt" | "iban" | "iban-sd-jwt" | "loyalty" | "msisdn" | "msisdn-sd-jwt" | "pda1" | "pda1-sd-jwt" | "por" | "por-sd-jwt" | "reservation" | "cor";
53
+ /** Credential format identifier used in DCQL queries. */
54
+ export type CredentialFormat = "mso_mdoc" | "dc+sd-jwt";
55
+ /** Definition of a single claim within a credential type. */
56
+ export interface ClaimDefinition {
57
+ id: string;
58
+ name: string;
59
+ description?: string;
60
+ }
61
+ /** Configuration for a credential type (mDL, PID, Proof of Age, etc.). */
62
+ export interface CredentialTypeConfig {
63
+ id: CredentialType;
64
+ name: string;
65
+ /**
66
+ * Credential format identifier for DCQL queries.
67
+ * - `"mso_mdoc"` — ISO/IEC 18013-5 Mobile Documents (CBOR-encoded)
68
+ * - `"dc+sd-jwt"` — IETF SD-JWT Verifiable Credentials (JSON-encoded)
69
+ */
70
+ format: CredentialFormat;
71
+ /** Document type for mso_mdoc credentials (e.g. `"org.iso.18013.5.1.mDL"`). */
72
+ docType: string;
73
+ /** Namespace for mso_mdoc claims (e.g. `"org.iso.18013.5.1"`). */
74
+ namespace: string;
75
+ /** Verifiable Credential Type for dc+sd-jwt credentials (e.g. `"urn:eudi:pid:1"`). */
76
+ vct?: string;
77
+ profile: ProfileId;
78
+ claims: ClaimDefinition[];
79
+ }
80
+ /**
81
+ * OpenID4VP 1.0 Authorization Request parameters.
82
+ *
83
+ * Built by the frontend and sent to the backend for transaction creation.
84
+ * The backend injects server-side fields (`response_uri`, `request_uri`, JAR
85
+ * signing, JWKS for encrypted responses) before forwarding to the wallet.
86
+ *
87
+ * **Key spec constraints (OpenID4VP 1.0 §5)**:
88
+ * - `dcql_query` MUST be present (either directly or via `scope`); it is the
89
+ * only credential-query mechanism in OpenID4VP 1.0. The legacy DIF
90
+ * Presentation Exchange parameter `presentation_definition` **does not exist**
91
+ * in OpenID4VP 1.0 and MUST NOT be sent.
92
+ * - `response_mode` is REQUIRED per §5.2; defaults to `fragment` when omitted.
93
+ * - When `response_mode` is `direct_post`/`direct_post.jwt`, use `response_uri`
94
+ * (not `redirect_uri`) — the two MUST NOT coexist (§8.2).
95
+ * - For the W3C Digital Credentials API flow use `dc_api` / `dc_api.jwt`
96
+ * (Appendix A.2); `state` is ignored by DC API.
97
+ *
98
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-5
99
+ */
100
+ export interface OpenID4VPRequest {
101
+ /** REQUIRED. Client Identifier of the Verifier (§5.2). */
102
+ client_id: string;
103
+ /**
104
+ * Client Identifier Prefix — tells the wallet how to validate the client_id
105
+ * (§5.9). The prefix is prepended to `client_id` with a `:` separator on
106
+ * the wire (e.g. `x509_san_dns:rp.example.com`).
107
+ */
108
+ client_id_scheme?: ClientIdScheme;
109
+ /** REQUIRED. Must be `"vp_token"` for VP-only requests (§5.6). */
110
+ response_type: "vp_token";
111
+ /**
112
+ * REQUIRED. How the wallet returns the Authorization Response (§5.2).
113
+ * Defaults to `"fragment"` when absent.
114
+ */
115
+ response_mode?: ResponseMode;
116
+ /** REQUIRED. Fresh, random nonce binding the presentation to this request (§5.2). */
117
+ nonce: string;
118
+ /**
119
+ * REQUIRED when no Holder Binding proof is requested (§5.3), recommended
120
+ * otherwise for session fixation protection (§14.2).
121
+ */
122
+ state?: string;
123
+ /**
124
+ * Redirect URI for `fragment` / `query` response modes.
125
+ * MUST NOT be present when `response_mode` is `direct_post` or
126
+ * `direct_post.jwt` — use `response_uri` instead (§8.2).
127
+ */
128
+ redirect_uri?: string;
129
+ /**
130
+ * DCQL credential query (§6, §5.1).
131
+ *
132
+ * This is the **only** credential-query parameter in OpenID4VP 1.0.
133
+ * Either `dcql_query` or a `scope` referencing a DCQL query MUST be
134
+ * present, but not both.
135
+ */
136
+ dcql_query?: DCQLQuery;
137
+ /** Verifier metadata forwarded to the wallet (§5.1). */
138
+ client_metadata?: SimpleClientMetadata;
139
+ }
140
+ /**
141
+ * OpenID4VP 1.0 Authorization Response (§8.1 / §8.2).
142
+ *
143
+ * Represents the wallet's Authorization Response in all transport variants:
144
+ * - **`direct_post`** (cross-device): wallet HTTP-POSTs form data to `response_uri`.
145
+ * - **`fragment`** / **`dc_api`** (same-device / W3C DC API): response returned inline.
146
+ *
147
+ * **`vp_token` structure with DCQL (§8.1)**:
148
+ * A JSON-encoded `Record<credentialQueryId, presentation[]>` — each key is the
149
+ * `id` of a Credential Query from the DCQL request and the value is an array of
150
+ * base64url-encoded credential presentations:
151
+ * ```json
152
+ * { "my_mdl": ["<base64url-DeviceResponse>"] }
153
+ * ```
154
+ *
155
+ * **`presentation_submission`**: DIF Presentation Exchange field — **absent in
156
+ * OpenID4VP 1.0 DCQL responses**. Kept for backward-compatibility with wallets
157
+ * still on older drafts. May arrive as a raw JSON **string** (wire format from
158
+ * `direct_post`) or as a parsed {@link PresentationSubmission} object (after
159
+ * processing by the backend).
160
+ *
161
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-8.1
162
+ */
163
+ export interface OpenID4VPResponse {
164
+ /**
165
+ * JSON-encoded `Record<credentialQueryId, presentation[]>` (§8.1).
166
+ * Parse with `JSON.parse()` to obtain the credential ID → presentations mapping.
167
+ */
168
+ vp_token: string;
169
+ /**
170
+ * @deprecated Not part of OpenID4VP 1.0 DCQL responses.
171
+ * Only present for backward-compatibility with wallets using the legacy
172
+ * DIF Presentation Exchange format. Will be absent in all spec-compliant
173
+ * responses. May be a raw JSON string (wire) or a parsed object.
174
+ */
175
+ presentation_submission?: string | PresentationSubmission;
176
+ /** Echoes the `state` from the Authorization Request (§8.2). */
177
+ state?: string;
178
+ }
179
+ /**
180
+ * Per-format parameters for **ISO/IEC 18013-5 mDoc** (`mso_mdoc`).
181
+ *
182
+ * Algorithm identifiers are **COSE integer IDs** (RFC 8152 / IANA COSE Algorithms):
183
+ * - `-7` → ES256 (ECDSA P-256 + SHA-256) — HAIP mandatory
184
+ * - `-35` → ES384 (ECDSA P-384 + SHA-384)
185
+ * - `-36` → ES512 (ECDSA P-521 + SHA-512)
186
+ * - `-8` → EdDSA
187
+ *
188
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#appendix-B.2.2
189
+ */
190
+ export interface MsoMdocVpFormat {
191
+ /** COSE algorithm IDs accepted for the IssuerAuth `COSE_Sign1` structure. */
192
+ issuerauth_alg_values?: number[];
193
+ /** COSE algorithm IDs accepted for DeviceSignature or DeviceMac. */
194
+ deviceauth_alg_values?: number[];
195
+ }
196
+ /**
197
+ * Per-format parameters for **IETF SD-JWT VC** (`dc+sd-jwt` / `vc+sd-jwt`).
198
+ *
199
+ * Algorithm identifiers use JOSE string names and MUST be fully-specified
200
+ * per draft-ietf-jose-fully-specified-algorithms.
201
+ *
202
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#appendix-B.3.4
203
+ */
204
+ export interface SdJwtVcVpFormat {
205
+ /** JOSE algorithm identifiers for the Issuer-signed SD-JWT (`alg` JOSE header). */
206
+ "sd-jwt_alg_values"?: string[];
207
+ /** JOSE algorithm identifiers for the Key Binding JWT (`alg` JOSE header). */
208
+ "kb-jwt_alg_values"?: string[];
209
+ }
210
+ /**
211
+ * Per-format parameters for **W3C VC signed as JWT** (`jwt_vc_json`).
212
+ *
213
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#appendix-B.1.3.1.3
214
+ */
215
+ export interface JwtVcJsonVpFormat {
216
+ /** JOSE algorithm identifiers for the Verifiable Credential / Presentation
217
+ * (`alg` JWS header, RFC 7515). */
218
+ alg_values?: string[];
219
+ }
220
+ /**
221
+ * Per-format parameters for **W3C VC with Linked Data Proofs** (`ldp_vc`).
222
+ *
223
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#appendix-B.1.3.2.3
224
+ */
225
+ export interface LdpVcVpFormat {
226
+ /** Data Integrity proof type identifiers (e.g. `"DataIntegrityProof"`). */
227
+ proof_type_values?: string[];
228
+ /** Cryptosuite identifiers when proof type includes `"DataIntegrityProof"`
229
+ * (e.g. `"ecdsa-rdfc-2019"`, `"bbs-2023"`). */
230
+ cryptosuite_values?: string[];
231
+ }
232
+ /**
233
+ * VP format capabilities included in `client_metadata`.
234
+ *
235
+ * Each field corresponds to a **Credential Format Identifier** (a fixed enumeration
236
+ * per OpenID4VP 1.0 §11.1 and Appendix B). The server re-keys this object from
237
+ * `vp_formats` (request body) to `vp_formats_supported` (wallet wire format).
238
+ *
239
+ * Format identifiers: `mso_mdoc`, `dc+sd-jwt`, `vc+sd-jwt`, `jwt_vc_json`, `ldp_vc`.
240
+ *
241
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-11.1
242
+ */
243
+ export interface VpFormats {
244
+ /**
245
+ * ISO/IEC 18013-5 Mobile Documents (§B.2).
246
+ * Algorithm IDs use COSE integers (RFC 8152).
247
+ */
248
+ mso_mdoc?: MsoMdocVpFormat;
249
+ /**
250
+ * IETF SD-JWT VC — current IANA-registered identifier, canonical since Nov 2024 (§B.3).
251
+ * Algorithm IDs use JOSE strings.
252
+ */
253
+ "dc+sd-jwt"?: SdJwtVcVpFormat;
254
+ /**
255
+ * IETF SD-JWT VC — legacy identifier, superseded by `dc+sd-jwt` (§B.3).
256
+ * Both SHOULD be accepted during the transitional period per
257
+ * draft-ietf-oauth-sd-jwt-vc-08 §3.2.1.
258
+ */
259
+ "vc+sd-jwt"?: SdJwtVcVpFormat;
260
+ /** W3C VC signed as JWT, without JSON-LD (§B.1.3.1). */
261
+ jwt_vc_json?: JwtVcJsonVpFormat;
262
+ /** W3C VC with Linked Data / Data Integrity Proofs (§B.1.3.2). */
263
+ ldp_vc?: LdpVcVpFormat;
264
+ }
265
+ /**
266
+ * Simplified client metadata for frontend-initiated requests.
267
+ *
268
+ * The backend augments this with JWE/JWKS params for HAIP:
269
+ * - `jwks`: ephemeral P-256 key for response encryption (generated per request)
270
+ * - `authorization_encrypted_response_alg`: `"ECDH-ES"` (fixed, HAIP §5 mandates P-256)
271
+ * - `authorization_encrypted_response_enc`: `"A256GCM"` (server default; OpenID4VP §8.3
272
+ * default is `A128GCM` but the server uses `A256GCM` for stronger 256-bit encryption)
273
+ *
274
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-5.9
275
+ */
276
+ export interface SimpleClientMetadata {
277
+ /** Wallet-facing display name for the Relying Party (RFC 7591 `client_name`). */
278
+ client_name?: string;
279
+ /** Wallet-facing logo URI for the Relying Party (RFC 7591 `logo_uri`). */
280
+ logo_uri?: string;
281
+ /**
282
+ * Credential format capabilities (OpenID4VP §11.1, Appendix B).
283
+ * Re-keyed to `vp_formats_supported` by the server before sending to the wallet.
284
+ */
285
+ vp_formats?: VpFormats;
286
+ }
287
+ /**
288
+ * Request body for `POST /ewqwe_api/openid4vp/init`.
289
+ *
290
+ * Sent by the frontend to the RP backend to initialize a new OpenID4VP
291
+ * transaction. The backend injects `public_url` and constructs the actual
292
+ * OpenID4VP Authorization Request delivered to the wallet.
293
+ *
294
+ * Replaces the former `OpenID4VPRequest & { credential_type: CredentialType }`
295
+ * ad-hoc intersection type — now a first-class named interface matching the
296
+ * Rust `InitTransactionRequest` struct.
297
+ */
298
+ export interface InitTransactionRequest {
299
+ /** **Required**: The RP's public URL that the wallet will interact with.
300
+ * Used to construct `response_uri` and `request_uri` in the OpenID4VP flow. */
301
+ public_url: string;
302
+ /** DCQL query specifying the credentials to request. */
303
+ dcql_query?: DCQLQuery;
304
+ /** Optional nonce (auto-generated by the backend if omitted). */
305
+ nonce?: string;
306
+ /** Optional OAuth/OpenID4VP state value maintained by the client. */
307
+ state?: string;
308
+ /** RP metadata for wallet display. */
309
+ client_metadata?: SimpleClientMetadata;
310
+ /** Protocol profile to use: `"haip"` or `"annex-a"`. */
311
+ profile?: ProfileId;
312
+ /**
313
+ * Credential type shorthand for automatic profile determination.
314
+ * One of: `"mdl"`, `"national-id"`, `"proof-of-age"`.
315
+ */
316
+ credential_type?: CredentialType;
317
+ }
318
+ export interface InitTransactionResponse {
319
+ /** Unique transaction ID for polling status. */
320
+ transaction_id: string;
321
+ /** Constructed client_id. */
322
+ client_id: string;
323
+ /** Client ID scheme used. */
324
+ client_id_scheme: ClientIdScheme;
325
+ /** URI where wallet fetches the authorization request. */
326
+ request_uri: string;
327
+ /** Full authorization request URI for QR code / deep link. */
328
+ authorization_request_uri: string;
329
+ /** Seconds until transaction expires. */
330
+ expires_in: number;
331
+ /** Selected protocol profile. */
332
+ profile: ProfileId;
333
+ /**
334
+ * QR code as a `data:image/svg+xml;base64,...` data URL.
335
+ * Only present for cross-device flows — assign directly to `<img src>`.
336
+ */
337
+ qr_code_data_url?: string;
338
+ }
339
+ export interface PresentationDefinition {
340
+ id: string;
341
+ name?: string;
342
+ purpose?: string;
343
+ input_descriptors: InputDescriptor[];
344
+ }
345
+ export interface InputDescriptor {
346
+ id: string;
347
+ name?: string;
348
+ purpose?: string;
349
+ format?: {
350
+ mso_mdoc?: {
351
+ alg?: string[];
352
+ };
353
+ jwt_vp?: {
354
+ alg?: string[];
355
+ };
356
+ jwt_vc?: {
357
+ alg?: string[];
358
+ };
359
+ ldp_vp?: {
360
+ proof_type?: string[];
361
+ };
362
+ };
363
+ constraints: {
364
+ limit_disclosure?: "required" | "preferred";
365
+ fields: ConstraintField[];
366
+ };
367
+ }
368
+ export interface ConstraintField {
369
+ path: string[];
370
+ id?: string;
371
+ name?: string;
372
+ purpose?: string;
373
+ filter?: {
374
+ type: string;
375
+ const?: unknown;
376
+ enum?: unknown[];
377
+ };
378
+ intent_to_retain?: boolean;
379
+ }
380
+ export interface PresentationSubmission {
381
+ id: string;
382
+ definition_id: string;
383
+ descriptor_map: DescriptorMap[];
384
+ }
385
+ export interface DescriptorMap {
386
+ id: string;
387
+ format: string;
388
+ path: string;
389
+ path_nested?: {
390
+ format: string;
391
+ path: string;
392
+ };
393
+ }
394
+ /**
395
+ * Request to verify a verifiable presentation (VP) token.
396
+ */
397
+ export interface VerifyRequest {
398
+ vp_token: string;
399
+ presentation_submission?: string | PresentationSubmission;
400
+ state?: string;
401
+ client_id?: string;
402
+ }
403
+ /**
404
+ * Response from the credential verifier backend.
405
+ * Uses snake_case to match the Rust credential verifier's JSON output.
406
+ */
407
+ export interface VerifyResponse {
408
+ success: boolean;
409
+ message: string;
410
+ verification_details?: {
411
+ signature_valid: boolean;
412
+ not_expired: boolean;
413
+ issuer_trusted: boolean;
414
+ };
415
+ /** Signed attestation JWT — always present (contains `verified`, `doc_type`, and credential claims). */
416
+ attestation: string;
417
+ errors?: string[];
418
+ }
419
+ /** Transaction status values. */
420
+ export type TransactionStatus = "pending" | "received" | "verified" | "error" | "expired";
421
+ /**
422
+ * A decoded entry from the `transaction_data` Authorization Request parameter (§8.4).
423
+ *
424
+ * The Authorization Request MAY include `transaction_data` — a non-empty array of
425
+ * base64url-encoded JSON objects, each describing a transaction the wallet is asked
426
+ * to authorise (e.g. a payment, consent, or contract signing).
427
+ *
428
+ * The wallet MUST bind these into its credential presentations:
429
+ * - **SD-JWT VC**: via `transaction_data_hashes` in the Key Binding JWT (§B.3.3.1).
430
+ * - **mdoc**: via the `DeviceSigned` structure (§B.2.1).
431
+ *
432
+ * The credential verifier echoes the raw `transaction_data` strings back to the RP
433
+ * in {@link TransactionStatusResult} so it can verify the hashes.
434
+ *
435
+ * @see https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-8.4
436
+ */
437
+ export interface TransactionDataEntry {
438
+ /** Transaction data type identifier (REQUIRED per §8.4). */
439
+ type: string;
440
+ /**
441
+ * DCQL Credential Query IDs that can authorise this transaction data entry
442
+ * (REQUIRED per §8.4).
443
+ */
444
+ credential_ids: string[];
445
+ /**
446
+ * Hash algorithm(s) the RP accepts for `transaction_data_hashes` in the
447
+ * SD-JWT VC Key Binding JWT (§B.3.3.1, OPTIONAL).
448
+ *
449
+ * Values are string identifiers from the
450
+ * [IANA Named Information Hash Algorithm registry](https://www.iana.org/assignments/named-information/named-information.xhtml)
451
+ * (e.g. `"sha-256"`, `"sha-384"`).
452
+ * When absent the wallet MUST use `"sha-256"` (the default).
453
+ * Only meaningful for `dc+sd-jwt` credential formats.
454
+ */
455
+ transaction_data_hashes_alg?: string[];
456
+ /** Type-specific parameters (arbitrary extra fields defined by the `type` schema). */
457
+ [key: string]: unknown;
458
+ }
459
+ /** Result of polling for transaction status. */
460
+ export interface TransactionStatusResult {
461
+ /** Current transaction status. */
462
+ status: TransactionStatus;
463
+ /** Seconds until the transaction expires. Present when `status === "pending"`. */
464
+ expires_in?: number;
465
+ /**
466
+ * The Authorization Response received from the wallet (OpenID4VP 1.0 §8.1 + §8.2).
467
+ * Only present when `status === "received"`.
468
+ */
469
+ authorization_response?: OpenID4VPResponse;
470
+ /**
471
+ * The `nonce` from the original Authorization Request (§5.2).
472
+ * Present when `status === "received"`, needed for VP Token replay validation (§14.1).
473
+ */
474
+ nonce?: string;
475
+ /**
476
+ * Error response sent by the Wallet (§8.5). Present when `status === "error"`
477
+ * and the error originated from the wallet (not an internal server error).
478
+ */
479
+ wallet_error?: WalletAuthorizationError;
480
+ error_message?: string;
481
+ /**
482
+ * The original `transaction_data` entries from the Authorization Request (§8.4).
483
+ * Present when `status === "received"` so the RP can verify the hashes that the
484
+ * wallet embedded in its credential presentations.
485
+ *
486
+ * Each element is a base64url-encoded JSON string (as sent in the auth request).
487
+ */
488
+ transaction_data?: string[];
489
+ }
490
+ /** Request payload for the Digital Credentials API. */
491
+ export interface DigitalCredentialRequest {
492
+ protocol: string;
493
+ data: OpenID4VPRequest;
494
+ }
495
+ /** Response from the Digital Credentials API. */
496
+ export interface DigitalCredential {
497
+ protocol: string;
498
+ data: OpenID4VPResponse;
499
+ }
500
+ /**
501
+ * Error response sent by the Wallet to the Verifier's `response_uri` (§8.5).
502
+ *
503
+ * Instead of a VP Token the Wallet sends this when it cannot or will not fulfil
504
+ * the Authorization Request. Field names are snake_case to match Rust API JSON.
505
+ *
506
+ * Error codes:
507
+ * - `invalid_request` — malformed / unsupported request parameters
508
+ * - `access_denied` — no matching credentials, user denied consent, or auth failed
509
+ * - `vp_formats_not_supported` — no supported VP format found
510
+ * - `invalid_request_uri_method` — unsupported `request_uri_method` value
511
+ * - `invalid_transaction_data` — `transaction_data` claim issue
512
+ * - `wallet_unavailable` — wallet cannot be invoked (§15.9.1)
513
+ */
514
+ export interface WalletAuthorizationError {
515
+ /** Error code from §8.5 (e.g. `"access_denied"`). */
516
+ error: string;
517
+ /** Human-readable error description (optional). */
518
+ error_description?: string;
519
+ /** The `state` parameter echoed back from the Authorization Request. */
520
+ state?: string;
521
+ }
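Review bot: `InitTransactionRequest.public_url` is a required field of the request body and, per its own comment, is the value from which `response_uri` and `request_uri` are built, while the interface comment says the backend injects it. The server code is not part of this section, but if the backend honours a caller-supplied value, whoever calls `/ewqwe_api/openid4vp/init` chooses the endpoint the wallet posts the `vp_token` to. The origin should come from server configuration or be checked against an allowlist, and the type should say so, e.g. `public_url?: string;` with `/** Ignored unless it equals the server-configured origin. */`. The same concern applies to `nonce?: string` in that interface: a caller-chosen nonce weakens the replay binding described at `OpenID4VPRequest.nonce`, so I would document the entropy and single-use requirement there or drop the field. Separately, `response_mode` is documented as both REQUIRED and defaulting to `fragment`, and the `profile` and `credential_type` comments list fewer values than `ProfileId` and `CredentialType` allow.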
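--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,57 @@
+ {
+ "name": "@ewqwe/digital-identity",
+ "version": "1.1.1",
+ "license": "MIT",
+ "description": "JavaScript/TypeScript library for EU Digital Identity (OpenID4VP, DCQL, mDoc, SD-JWT VC, Age Verification)",
+ "keywords": [
+ "digital-identity",
+ "openid4vp",
+ "dcql",
+ "mdoc",
+ "sd-jwt",
+ "eudi-wallet",
+ "age-verification",
+ "eu-av"
+ ],
+ "author": "ewQwe",
+ "author-email": "rd@ewqwe.eu",
+ "type": "module",
+ "main": "./dist/index.cjs",
+ "module": "./dist/index.mjs",
+ "types": "./dist/lib.d.ts",
+ "sideEffects": false,
+ "exports": {
+ ".": {
+ "types": "./dist/lib.d.ts",
+ "import": "./dist/index.mjs",
+ "require": "./dist/index.cjs"
+ }
+ },
+ "files": [
+ "dist",
+ "README.md",
+ "LICENSE"
+ ],
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/rd-ewqwe/ewqwe-identity.git",
+ "directory": "typescript/ewqwe-digital-identity"
+ },
+ "scripts": {
+ "build": "vite build && tsc --emitDeclarationOnly --declaration --declarationDir dist --outDir dist",
+ "dev": "vite build --watch",
+ "test": "vitest run",
+ "test:watch": "vitest",
+ "typecheck": "tsc --noEmit",
+ "prepublishOnly": "npm run build && npm test"
+ },
+ "engines": {
+ "node": ">=18.0.0"
+ },
+ "devDependencies": {
+ "@types/node": "^20.19.41",
+ "typescript": "^5.0.0",
+ "vite": "^6.4.3",
+ "vitest": "^3.2.6"
+ }
+ }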