npm - @openid4vc/oauth2 - Versions diffs - 0.3.0-alpha-20251017102623 → 0.3.0-alpha-20251017122507 - Mend

@openid4vc/oauth2 0.3.0-alpha-20251017102623 → 0.3.0-alpha-20251017122507

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -158,7 +158,7 @@ const zJwk = zod.default.object({
 		d: zod.default.optional(zod.default.string()),
 		r: zod.default.optional(zod.default.string()),
 		t: zod.default.optional(zod.default.string())
-	}).passthrough())),
+	}).loose())),
 	p: zod.default.optional(zod.default.string()),
 	q: zod.default.optional(zod.default.string()),
 	qi: zod.default.optional(zod.default.string()),
@@ -167,8 +167,8 @@ const zJwk = zod.default.object({
 	x5t: zod.default.optional(zod.default.string()),
 	"x5t#S256": zod.default.optional(zod.default.string()),
 	x5u: zod.default.optional(zod.default.string())
-}).passthrough();
-const zJwkSet = zod.default.object({ keys: zod.default.array(zJwk) }).passthrough();
+}).loose();
+const zJwkSet = zod.default.object({ keys: zod.default.array(zJwk) }).loose();
 //#endregion
 //#region src/common/z-common.ts
@@ -180,7 +180,7 @@ const zCompactJwt = zod.default.string().regex(/^([a-zA-Z0-9-_]+)\.([a-zA-Z0-9-_
 const zJwtConfirmationPayload = zod.default.object({
 	jwk: zJwk.optional(),
 	jkt: zod.default.string().optional()
-}).passthrough();
+}).loose();
 const zJwtPayload = zod.default.object({
 	iss: zod.default.string().optional(),
 	aud: zod.default.string().optional(),
@@ -191,16 +191,16 @@ const zJwtPayload = zod.default.object({
 	jti: zod.default.string().optional(),
 	cnf: zJwtConfirmationPayload.optional(),
 	status: zod.default.record(zod.default.string(), zod.default.any()).optional(),
-	trust_chain: zod.default.array(zod.default.string()).nonempty().optional()
-}).passthrough();
+	trust_chain: zod.default.tuple([zod.default.string()], zod.default.string()).optional()
+}).loose();
 const zJwtHeader = zod.default.object({
 	alg: zAlgValueNotNone,
 	typ: zod.default.string().optional(),
 	kid: zod.default.string().optional(),
 	jwk: zJwk.optional(),
 	x5c: zod.default.array(zod.default.string()).optional(),
-	trust_chain: zod.default.array(zod.default.string()).nonempty().optional()
-}).passthrough();
+	trust_chain: zod.default.tuple([zod.default.string()], zod.default.string()).optional()
+}).loose();
 //#endregion
 //#region src/common/jwt/decode-jwt-header.ts
@@ -368,60 +368,12 @@ async function verifyJwt(options) {
 	} };
 }
-//#endregion
-//#region ../utils/src/zod-error.ts
-/**
-* Some code comes from `zod-validation-error` package (MIT License) and
-* was slightly simplified to fit our needs.
-*/
-const constants = {
-	identifierRegex: /[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*/u,
-	unionSeparator: ", or ",
-	issueSeparator: "\n	- "
-};
-function escapeQuotes(str) {
-	return str.replace(/"/g, "\\\"");
-}
-function joinPath(path) {
-	if (path.length === 1) return path[0].toString();
-	return path.reduce((acc, item) => {
-		if (typeof item === "number") return `${acc}[${item.toString()}]`;
-		if (item.includes("\"")) return `${acc}["${escapeQuotes(item)}"]`;
-		if (!constants.identifierRegex.test(item)) return `${acc}["${item}"]`;
-		return acc + (acc.length === 0 ? "" : ".") + item;
-	}, "");
-}
-function getMessageFromZodIssue(issue) {
-	if (issue.code === zod.ZodIssueCode.invalid_union) return getMessageFromUnionErrors(issue.unionErrors);
-	if (issue.code === zod.ZodIssueCode.invalid_arguments) return [issue.message, ...issue.argumentsError.issues.map((issue$1) => getMessageFromZodIssue(issue$1))].join(constants.issueSeparator);
-	if (issue.code === zod.ZodIssueCode.invalid_return_type) return [issue.message, ...issue.returnTypeError.issues.map((issue$1) => getMessageFromZodIssue(issue$1))].join(constants.issueSeparator);
-	if (issue.path.length !== 0) {
-		if (issue.path.length === 1) {
-			const identifier = issue.path[0];
-			if (typeof identifier === "number") return `${issue.message} at index ${identifier}`;
-		}
-		return `${issue.message} at "${joinPath(issue.path)}"`;
-	}
-	return issue.message;
-}
-function getMessageFromUnionErrors(unionErrors) {
-	return unionErrors.reduce((acc, zodError) => {
-		const newIssues = zodError.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator);
-		if (!acc.includes(newIssues)) acc.push(newIssues);
-		return acc;
-	}, []).join(constants.unionSeparator);
-}
-function formatZodError$3(error) {
-	if (!error) return "";
-	return `\t- ${error?.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator)}`;
-}
 //#endregion
 //#region ../utils/src/error/ValidationError.ts
 var ValidationError$1 = class extends Error {
 	constructor(message, zodError) {
 		super(message);
-		this.message = `${message}\n${formatZodError$3(zodError)}`;
+		this.message = `${message}\n${zodError ? zod.default.prettifyError(zodError) : ""}`;
 		Object.defineProperty(this, "zodError", {
 			value: zodError,
 			writable: false,
@@ -453,7 +405,7 @@ async function fetchJwks(jwksUrl, fetch) {
 const zAccessTokenProfileJwtHeader = zod.default.object({
 	...zJwtHeader.shape,
 	typ: zod.default.enum(["application/at+jwt", "at+jwt"])
-}).passthrough();
+}).loose();
 const zAccessTokenProfileJwtPayload = zod.default.object({
 	...zJwtPayload.shape,
 	iss: zod.default.string(),
@@ -464,7 +416,7 @@ const zAccessTokenProfileJwtPayload = zod.default.object({
 	client_id: zod.default.optional(zod.default.string()),
 	jti: zod.default.string(),
 	scope: zod.default.optional(zod.default.string())
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/access-token/verify-access-token.ts
@@ -560,10 +512,10 @@ let Oauth2ErrorCodes = /* @__PURE__ */ function(Oauth2ErrorCodes$1) {
 	return Oauth2ErrorCodes$1;
 }({});
 const zOauth2ErrorResponse = zod.default.object({
-	error: zod.default.union([zod.default.nativeEnum(Oauth2ErrorCodes), zod.default.string()]),
+	error: zod.default.union([zod.default.enum(Oauth2ErrorCodes), zod.default.string()]),
 	error_description: zod.default.string().optional(),
 	error_uri: zod.default.string().optional()
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/error/Oauth2ServerErrorResponseError.ts
@@ -584,14 +536,14 @@ const zClientAttestationJwtPayload = zod.default.object({
 	iss: zod.default.string(),
 	sub: zod.default.string(),
 	exp: __openid4vc_utils.zInteger,
-	cnf: zod.default.object({ jwk: zJwk }).passthrough(),
+	cnf: zod.default.object({ jwk: zJwk }).loose(),
 	wallet_name: zod.default.string().optional(),
-	wallet_link: zod.default.string().url().optional()
-}).passthrough();
+	wallet_link: zod.default.url().optional()
+}).loose();
 const zClientAttestationJwtHeader = zod.default.object({
 	...zJwtHeader.shape,
 	typ: zod.default.literal("oauth-client-attestation+jwt")
-}).passthrough();
+}).loose();
 const zOauthClientAttestationPopHeader = zod.default.literal("OAuth-Client-Attestation-PoP");
 const oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
 const zClientAttestationPopJwtPayload = zod.default.object({
@@ -601,11 +553,11 @@ const zClientAttestationPopJwtPayload = zod.default.object({
 	aud: __openid4vc_utils.zHttpsUrl,
 	jti: zod.default.string(),
 	nonce: zod.default.optional(zod.default.string())
-}).passthrough();
+}).loose();
 const zClientAttestationPopJwtHeader = zod.default.object({
 	...zJwtHeader.shape,
 	typ: zod.default.literal("oauth-client-attestation-pop+jwt")
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/client-attestation/client-attestation-pop.ts
@@ -962,7 +914,7 @@ const zAuthorizationServerMetadata = zod.default.object({
 	authorization_challenge_endpoint: zod.default.optional(__openid4vc_utils.zHttpsUrl),
 	"pre-authorized_grant_anonymous_access_supported": zod.default.optional(zod.default.boolean()),
 	client_attestation_pop_nonce_required: zod.default.boolean().optional()
-}).passthrough().refine(({ introspection_endpoint_auth_methods_supported: methodsSupported, introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported }) => {
+}).loose().refine(({ introspection_endpoint_auth_methods_supported: methodsSupported, introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported }) => {
 	if (!methodsSupported) return true;
 	if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
 	return algValuesSupported !== void 0 && algValuesSupported.length > 0;
@@ -977,26 +929,15 @@ const wellKnownOpenIdConfigurationServerSuffix = ".well-known/openid-configurati
 *  a 404, the openid-configuration metadata will be fetched.
 */
 async function fetchAuthorizationServerMetadata(issuer, fetch) {
-	const openIdConfigurationWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(issuer, [wellKnownOpenIdConfigurationServerSuffix]);
 	const parsedIssuerUrl = new __openid4vc_utils.URL(issuer);
+	const openIdConfigurationWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(issuer, [wellKnownOpenIdConfigurationServerSuffix]);
 	const authorizationServerWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(parsedIssuerUrl.origin, [wellKnownAuthorizationServerSuffix, parsedIssuerUrl.pathname]);
-	const authorizationServerResult = await fetchWellKnownMetadata(authorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
-	if (authorizationServerResult) {
-		if (authorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${authorizationServerResult.issuer}' in the well known authorization server metadata at '${authorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
-		return authorizationServerResult;
-	}
 	const nonCompliantAuthorizationServerWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(issuer, [wellKnownAuthorizationServerSuffix]);
-	const alternativeAuthorizationServerResult = nonCompliantAuthorizationServerWellKnownMetadataUrl !== authorizationServerWellKnownMetadataUrl ? await fetchWellKnownMetadata(nonCompliantAuthorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch) : void 0;
-	if (alternativeAuthorizationServerResult) {
-		if (alternativeAuthorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${alternativeAuthorizationServerResult.issuer}' in the well known authorization server metadata at '${nonCompliantAuthorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
-		return alternativeAuthorizationServerResult;
-	}
-	const openIdConfigurationResult = await fetchWellKnownMetadata(openIdConfigurationWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
-	if (openIdConfigurationResult) {
-		if (openIdConfigurationResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${openIdConfigurationResult.issuer}' in the well known openid configuration metadata at '${openIdConfigurationWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
-		return openIdConfigurationResult;
-	}
-	return null;
+	let authorizationServerResult = await fetchWellKnownMetadata(authorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
+	if (!authorizationServerResult && nonCompliantAuthorizationServerWellKnownMetadataUrl !== authorizationServerWellKnownMetadataUrl) authorizationServerResult = await fetchWellKnownMetadata(nonCompliantAuthorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
+	if (!authorizationServerResult) authorizationServerResult = await fetchWellKnownMetadata(openIdConfigurationWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
+	if (authorizationServerResult && authorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${authorizationServerResult.issuer}' in the well known authorization server metadata at '${authorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
+	return authorizationServerResult;
 }
 function getAuthorizationServerMetadataFromList(authorizationServersMetadata, issuer) {
 	const authorizationServerMetadata = authorizationServersMetadata.find((authorizationServerMetadata$1) => authorizationServerMetadata$1.issuer === issuer);
@@ -1044,7 +985,7 @@ async function createAccessTokenJwt(options) {
 const zAccessTokenRequest = zod.default.intersection(zod.default.object({
 	"pre-authorized_code": zod.default.optional(zod.default.string()),
 	code: zod.default.optional(zod.default.string()),
-	redirect_uri: zod.default.string().url().optional(),
+	redirect_uri: zod.default.url().optional(),
 	refresh_token: zod.default.optional(zod.default.string()),
 	resource: zod.default.optional(__openid4vc_utils.zHttpsUrl),
 	code_verifier: zod.default.optional(zod.default.string()),
@@ -1054,10 +995,10 @@ const zAccessTokenRequest = zod.default.intersection(zod.default.object({
 		zRefreshTokenGrantIdentifier,
 		zod.default.string()
 	])
-}).passthrough(), zod.default.object({
+}).loose(), zod.default.object({
 	tx_code: zod.default.optional(zod.default.string()),
 	user_pin: zod.default.optional(zod.default.string())
-}).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, { message: `If both 'tx_code' and 'user_pin' are present they must match` }).transform(({ tx_code, user_pin,...rest }) => {
+}).loose().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, { message: `If both 'tx_code' and 'user_pin' are present they must match` }).transform(({ tx_code, user_pin,...rest }) => {
 	return {
 		...rest,
 		...tx_code ?? user_pin ? { tx_code: tx_code ?? user_pin } : {}
@@ -1072,8 +1013,8 @@ const zAccessTokenResponse = zod.default.object({
 	refresh_token: zod.default.optional(zod.default.string()),
 	c_nonce: zod.default.optional(zod.default.string()),
 	c_nonce_expires_in: zod.default.optional(zod.default.number().int()),
-	authorization_details: zod.default.array(zod.default.object({}).passthrough()).optional()
-}).passthrough();
+	authorization_details: zod.default.array(zod.default.object({}).loose()).optional()
+}).loose();
 const zAccessTokenErrorResponse = zOauth2ErrorResponse;
 //#endregion
@@ -1099,12 +1040,12 @@ const zDpopJwtPayload = zod.default.object({
 	htm: __openid4vc_utils.zHttpMethod,
 	jti: zod.default.string(),
 	ath: zod.default.optional(zod.default.string())
-}).passthrough();
+}).loose();
 const zDpopJwtHeader = zod.default.object({
 	...zJwtHeader.shape,
 	typ: zod.default.literal("dpop+jwt"),
 	jwk: zJwk
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/dpop/dpop.ts
@@ -1466,21 +1407,21 @@ const zAuthorizationRequest = zod.default.object({
 	response_type: zod.default.string(),
 	client_id: zod.default.string(),
 	issuer_state: zod.default.optional(zod.default.string()),
-	redirect_uri: zod.default.string().url().optional(),
+	redirect_uri: zod.default.url().optional(),
 	resource: zod.default.optional(__openid4vc_utils.zHttpsUrl),
 	scope: zod.default.optional(zod.default.string()),
-	dpop_jkt: zod.default.optional(zod.default.string().base64url()),
+	dpop_jkt: zod.default.optional(zod.default.base64url()),
 	code_challenge: zod.default.optional(zod.default.string()),
 	code_challenge_method: zod.default.optional(zod.default.string())
-}).passthrough();
+}).loose();
 const zPushedAuthorizationRequest = zod.default.object({
 	request_uri: zod.default.string(),
 	client_id: zod.default.string()
-}).passthrough();
+}).loose();
 const zPushedAuthorizationResponse = zod.default.object({
 	request_uri: zod.default.string(),
 	expires_in: zod.default.number().int()
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/authorization-challenge/z-authorization-challenge.ts
@@ -1492,15 +1433,15 @@ const zAuthorizationChallengeRequest = zod.default.object({
 	client_id: zod.default.optional(zAuthorizationRequest.shape.client_id),
 	auth_session: zod.default.optional(zod.default.string()),
 	presentation_during_issuance_session: zod.default.optional(zod.default.string())
-}).passthrough();
-const zAuthorizationChallengeResponse = zod.default.object({ authorization_code: zod.default.string() }).passthrough();
+}).loose();
+const zAuthorizationChallengeResponse = zod.default.object({ authorization_code: zod.default.string() }).loose();
 const zAuthorizationChallengeErrorResponse = zod.default.object({
 	...zOauth2ErrorResponse.shape,
 	auth_session: zod.default.optional(zod.default.string()),
 	request_uri: zod.default.optional(zod.default.string()),
 	expires_in: zod.default.optional(__openid4vc_utils.zInteger),
 	presentation: zod.default.optional(zod.default.string())
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/authorization-challenge/create-authorization-challenge-response.ts
@@ -2396,7 +2337,7 @@ var Oauth2ResourceServer = class {
 const zTokenIntrospectionRequest = zod.default.object({
 	token: zod.default.string(),
 	token_type_hint: zod.default.optional(zod.default.string())
-}).passthrough();
+}).loose();
 const zTokenIntrospectionResponse = zod.default.object({
 	active: zod.default.boolean(),
 	scope: zod.default.optional(zod.default.string()),
@@ -2411,7 +2352,7 @@ const zTokenIntrospectionResponse = zod.default.object({
 	iss: zod.default.optional(zod.default.string()),
 	jti: zod.default.optional(zod.default.string()),
 	cnf: zod.default.optional(zJwtConfirmationPayload)
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/access-token/introspect-token.ts