@openid4vc/openid4vci 0.3.0-alpha-20250820113635 → 0.3.0-alpha-20250825150235
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +1595 -488
- package/dist/index.d.ts +1595 -488
- package/dist/index.js +193 -153
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +193 -153
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.mjs
CHANGED
|
@@ -240,7 +240,7 @@ import { joinUriParts } from "@openid4vc/utils";
|
|
|
240
240
|
// src/metadata/credential-issuer/z-credential-issuer-metadata.ts
|
|
241
241
|
import { zCompactJwt } from "@openid4vc/oauth2";
|
|
242
242
|
import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
|
|
243
|
-
import
|
|
243
|
+
import z13 from "zod";
|
|
244
244
|
|
|
245
245
|
// src/formats/credential/mso-mdoc/z-mso-mdoc.ts
|
|
246
246
|
import z5 from "zod";
|
|
@@ -399,25 +399,28 @@ var zMsoMdocCredentialRequestFormatDraft14 = z5.object({
|
|
|
399
399
|
|
|
400
400
|
// src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
|
|
401
401
|
import z6 from "zod";
|
|
402
|
-
var
|
|
403
|
-
var
|
|
402
|
+
var zLegacySdJwtVcFormatIdentifier = z6.literal("vc+sd-jwt");
|
|
403
|
+
var zLegacySdJwtVcCredentialIssuerMetadataDraft16 = zCredentialConfigurationSupportedCommon.extend({
|
|
404
404
|
vct: z6.string(),
|
|
405
|
-
format:
|
|
405
|
+
format: zLegacySdJwtVcFormatIdentifier,
|
|
406
406
|
order: z6.optional(z6.array(z6.string())),
|
|
407
407
|
credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
|
|
408
408
|
claims: z6.array(zCredentialConfigurationSupportedClaimsDraft14).optional()
|
|
409
|
-
}).optional()
|
|
409
|
+
}).optional(),
|
|
410
|
+
credential_definition: z6.optional(z6.never())
|
|
410
411
|
});
|
|
411
|
-
var
|
|
412
|
+
var zLegacySdJwtVcCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
|
|
412
413
|
vct: z6.string(),
|
|
413
|
-
format:
|
|
414
|
+
format: zLegacySdJwtVcFormatIdentifier,
|
|
414
415
|
claims: z6.optional(zCredentialConfigurationSupportedClaimsDraft14),
|
|
415
|
-
order: z6.optional(z6.array(z6.string()))
|
|
416
|
+
order: z6.optional(z6.array(z6.string())),
|
|
417
|
+
credential_definition: z6.optional(z6.never())
|
|
416
418
|
});
|
|
417
|
-
var
|
|
418
|
-
format:
|
|
419
|
+
var zLegacySdJwtVcCredentialRequestFormatDraft14 = z6.object({
|
|
420
|
+
format: zLegacySdJwtVcFormatIdentifier,
|
|
419
421
|
vct: z6.string(),
|
|
420
|
-
claims: z6.optional(zCredentialConfigurationSupportedClaimsDraft14)
|
|
422
|
+
claims: z6.optional(zCredentialConfigurationSupportedClaimsDraft14),
|
|
423
|
+
credential_definition: z6.optional(z6.never())
|
|
421
424
|
});
|
|
422
425
|
|
|
423
426
|
// src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
|
|
@@ -459,7 +462,7 @@ var zClaimValueSchemaDraft14 = z8.union([
|
|
|
459
462
|
var zW3cVcCredentialSubjectDraft14 = z8.record(z8.string(), zClaimValueSchemaDraft14);
|
|
460
463
|
var zW3cVcJsonLdCredentialDefinition = z8.object({
|
|
461
464
|
"@context": z8.array(z8.string()),
|
|
462
|
-
type: z8.array(z8.string())
|
|
465
|
+
type: z8.array(z8.string()).nonempty()
|
|
463
466
|
}).passthrough();
|
|
464
467
|
var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
|
|
465
468
|
credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
|
|
@@ -618,7 +621,7 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
|
|
|
618
621
|
import z11 from "zod";
|
|
619
622
|
var zJwtVcJsonFormatIdentifier = z11.literal("jwt_vc_json");
|
|
620
623
|
var zJwtVcJsonCredentialDefinition = z11.object({
|
|
621
|
-
type: z11.array(z11.string())
|
|
624
|
+
type: z11.array(z11.string()).nonempty()
|
|
622
625
|
}).passthrough();
|
|
623
626
|
var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
|
|
624
627
|
credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
|
|
@@ -692,6 +695,28 @@ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDr
|
|
|
692
695
|
...credentialDefinition
|
|
693
696
|
})).pipe(zJwtVcJsonCredentialRequestDraft11);
|
|
694
697
|
|
|
698
|
+
// src/formats/credential/w3c-vc/z-w3c-sd-jwt-vc.ts
|
|
699
|
+
import z12 from "zod";
|
|
700
|
+
var zSdJwtW3VcFormatIdentifier = z12.literal("vc+sd-jwt");
|
|
701
|
+
var zSdJwtW3VcCredentialDefinition = z12.object({
|
|
702
|
+
type: z12.array(z12.string()).nonempty()
|
|
703
|
+
}).passthrough();
|
|
704
|
+
var zSdJwtW3VcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
|
|
705
|
+
format: zSdJwtW3VcFormatIdentifier,
|
|
706
|
+
credential_definition: zSdJwtW3VcCredentialDefinition,
|
|
707
|
+
credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
|
|
708
|
+
claims: zIssuerMetadataClaimsDescription.optional()
|
|
709
|
+
}).optional(),
|
|
710
|
+
// FIXME(vc+sd-jwt): remove when dropping support for legacy vc+sd-jwt. Allows type narrowing.
|
|
711
|
+
vct: z12.optional(z12.never())
|
|
712
|
+
});
|
|
713
|
+
var zSdJwtW3VcCredentialRequestFormatDraft14 = z12.object({
|
|
714
|
+
format: zSdJwtW3VcFormatIdentifier,
|
|
715
|
+
credential_definition: zSdJwtW3VcCredentialDefinition,
|
|
716
|
+
// FIXME(vc+sd-jwt): remove when dropping support for legacy vc+sd-jwt. Allows type narrowing.
|
|
717
|
+
vct: z12.optional(z12.never())
|
|
718
|
+
});
|
|
719
|
+
|
|
695
720
|
// src/metadata/credential-issuer/z-credential-issuer-metadata.ts
|
|
696
721
|
var allCredentialIssuerMetadataFormats = [
|
|
697
722
|
zSdJwtDcCredentialIssuerMetadata,
|
|
@@ -699,14 +724,15 @@ var allCredentialIssuerMetadataFormats = [
|
|
|
699
724
|
zJwtVcJsonLdCredentialIssuerMetadata,
|
|
700
725
|
zLdpVcCredentialIssuerMetadata,
|
|
701
726
|
zJwtVcJsonCredentialIssuerMetadata,
|
|
702
|
-
|
|
727
|
+
zSdJwtW3VcCredentialIssuerMetadata,
|
|
728
|
+
zLegacySdJwtVcCredentialIssuerMetadataDraft16,
|
|
703
729
|
zSdJwtDcCredentialIssuerMetadataDraft15,
|
|
704
730
|
zMsoMdocCredentialIssuerMetadataDraft15,
|
|
705
731
|
zJwtVcJsonLdCredentialIssuerMetadataDraft15,
|
|
706
732
|
zLdpVcCredentialIssuerMetadataDraft15,
|
|
707
733
|
zJwtVcJsonCredentialIssuerMetadataDraft15,
|
|
708
734
|
zMsoMdocCredentialIssuerMetadataDraft14,
|
|
709
|
-
|
|
735
|
+
zLegacySdJwtVcCredentialIssuerMetadataDraft14,
|
|
710
736
|
zJwtVcJsonLdCredentialIssuerMetadataDraft14,
|
|
711
737
|
zLdpVcCredentialIssuerMetadataDraft14,
|
|
712
738
|
zJwtVcJsonCredentialIssuerMetadataDraft14
|
|
@@ -714,13 +740,13 @@ var allCredentialIssuerMetadataFormats = [
|
|
|
714
740
|
var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map(
|
|
715
741
|
(format) => format.shape.format.value
|
|
716
742
|
);
|
|
717
|
-
var zCredentialConfigurationSupportedWithFormats =
|
|
743
|
+
var zCredentialConfigurationSupportedWithFormats = z13.union([zCredentialConfigurationSupportedCommon, zCredentialConfigurationSupportedCommonDraft15]).transform((data, ctx) => {
|
|
718
744
|
if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
|
|
719
745
|
const validators = allCredentialIssuerMetadataFormats.filter(
|
|
720
746
|
(formatValidator) => formatValidator.shape.format.value === data.format
|
|
721
747
|
);
|
|
722
|
-
const result =
|
|
723
|
-
validators.length > 1 ?
|
|
748
|
+
const result = z13.object({}).passthrough().and(
|
|
749
|
+
validators.length > 1 ? z13.union(
|
|
724
750
|
validators
|
|
725
751
|
) : validators[0]
|
|
726
752
|
).safeParse(data);
|
|
@@ -730,52 +756,52 @@ var zCredentialConfigurationSupportedWithFormats = z12.union([zCredentialConfigu
|
|
|
730
756
|
for (const issue of result.error.issues) {
|
|
731
757
|
ctx.addIssue(issue);
|
|
732
758
|
}
|
|
733
|
-
return
|
|
759
|
+
return z13.NEVER;
|
|
734
760
|
});
|
|
735
|
-
var zCredentialIssuerMetadataDisplayEntry =
|
|
736
|
-
name:
|
|
737
|
-
locale:
|
|
738
|
-
logo:
|
|
761
|
+
var zCredentialIssuerMetadataDisplayEntry = z13.object({
|
|
762
|
+
name: z13.string().optional(),
|
|
763
|
+
locale: z13.string().optional(),
|
|
764
|
+
logo: z13.object({
|
|
739
765
|
// FIXME: make required again, but need to support draft 11 first
|
|
740
|
-
uri:
|
|
741
|
-
alt_text:
|
|
766
|
+
uri: z13.string().optional(),
|
|
767
|
+
alt_text: z13.string().optional()
|
|
742
768
|
}).passthrough().optional()
|
|
743
769
|
}).passthrough();
|
|
744
|
-
var zCredentialIssuerMetadataDraft14Draft15Draft16 =
|
|
770
|
+
var zCredentialIssuerMetadataDraft14Draft15Draft16 = z13.object({
|
|
745
771
|
credential_issuer: zHttpsUrl2,
|
|
746
|
-
authorization_servers:
|
|
772
|
+
authorization_servers: z13.array(zHttpsUrl2).optional(),
|
|
747
773
|
credential_endpoint: zHttpsUrl2,
|
|
748
774
|
deferred_credential_endpoint: zHttpsUrl2.optional(),
|
|
749
775
|
notification_endpoint: zHttpsUrl2.optional(),
|
|
750
776
|
// Added after draft 14, but needed for proper
|
|
751
777
|
nonce_endpoint: zHttpsUrl2.optional(),
|
|
752
|
-
credential_response_encryption:
|
|
753
|
-
alg_values_supported:
|
|
754
|
-
enc_values_supported:
|
|
755
|
-
encryption_required:
|
|
778
|
+
credential_response_encryption: z13.object({
|
|
779
|
+
alg_values_supported: z13.array(z13.string()),
|
|
780
|
+
enc_values_supported: z13.array(z13.string()),
|
|
781
|
+
encryption_required: z13.boolean()
|
|
756
782
|
}).passthrough().optional(),
|
|
757
|
-
batch_credential_issuance:
|
|
758
|
-
batch_size:
|
|
783
|
+
batch_credential_issuance: z13.object({
|
|
784
|
+
batch_size: z13.number().positive()
|
|
759
785
|
}).passthrough().optional(),
|
|
760
786
|
signed_metadata: zCompactJwt.optional(),
|
|
761
|
-
display:
|
|
762
|
-
credential_configurations_supported:
|
|
787
|
+
display: z13.array(zCredentialIssuerMetadataDisplayEntry).optional(),
|
|
788
|
+
credential_configurations_supported: z13.record(z13.string(), zCredentialConfigurationSupportedWithFormats)
|
|
763
789
|
}).passthrough();
|
|
764
|
-
var zCredentialConfigurationSupportedDraft11To16 =
|
|
765
|
-
id:
|
|
766
|
-
format:
|
|
767
|
-
cryptographic_suites_supported:
|
|
768
|
-
display:
|
|
769
|
-
|
|
770
|
-
logo:
|
|
771
|
-
url:
|
|
790
|
+
var zCredentialConfigurationSupportedDraft11To16 = z13.object({
|
|
791
|
+
id: z13.string().optional(),
|
|
792
|
+
format: z13.string(),
|
|
793
|
+
cryptographic_suites_supported: z13.array(z13.string()).optional(),
|
|
794
|
+
display: z13.array(
|
|
795
|
+
z13.object({
|
|
796
|
+
logo: z13.object({
|
|
797
|
+
url: z13.string().url().optional()
|
|
772
798
|
}).passthrough().optional(),
|
|
773
|
-
background_image:
|
|
774
|
-
url:
|
|
799
|
+
background_image: z13.object({
|
|
800
|
+
url: z13.string().url().optional()
|
|
775
801
|
}).passthrough().optional()
|
|
776
802
|
}).passthrough()
|
|
777
803
|
).optional(),
|
|
778
|
-
claims:
|
|
804
|
+
claims: z13.any().optional()
|
|
779
805
|
}).passthrough().transform(({ cryptographic_suites_supported, display, claims, id, ...rest }) => ({
|
|
780
806
|
...rest,
|
|
781
807
|
...cryptographic_suites_supported ? { credential_signing_alg_values_supported: cryptographic_suites_supported } : {},
|
|
@@ -818,7 +844,7 @@ var zCredentialConfigurationSupportedDraft11To16 = z12.object({
|
|
|
818
844
|
for (const issue of result.error.issues) {
|
|
819
845
|
ctx.addIssue(issue);
|
|
820
846
|
}
|
|
821
|
-
return
|
|
847
|
+
return z13.NEVER;
|
|
822
848
|
}).pipe(zCredentialConfigurationSupportedWithFormats);
|
|
823
849
|
var zCredentialConfigurationSupportedDraft16To15 = zCredentialConfigurationSupportedWithFormats.transform(
|
|
824
850
|
({ credential_metadata, ...rest }) => ({
|
|
@@ -827,8 +853,8 @@ var zCredentialConfigurationSupportedDraft16To15 = zCredentialConfigurationSuppo
|
|
|
827
853
|
})
|
|
828
854
|
);
|
|
829
855
|
var zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSupportedDraft16To15.and(
|
|
830
|
-
|
|
831
|
-
id:
|
|
856
|
+
z13.object({
|
|
857
|
+
id: z13.string()
|
|
832
858
|
}).passthrough()
|
|
833
859
|
).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
|
|
834
860
|
...rest,
|
|
@@ -848,15 +874,15 @@ var zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSuppo
|
|
|
848
874
|
} : {},
|
|
849
875
|
id
|
|
850
876
|
})).pipe(
|
|
851
|
-
|
|
877
|
+
z13.union([
|
|
852
878
|
zLdpVcCredentialIssuerMetadataDraft14To11,
|
|
853
879
|
zJwtVcJsonCredentialIssuerMetadataDraft14To11,
|
|
854
880
|
zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
|
|
855
881
|
// To handle unrecognized formats and not error immediately we allow the common format as well
|
|
856
882
|
// but they can't use any of the format identifiers that have a specific transformation. This way if a format is
|
|
857
883
|
// has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
|
|
858
|
-
|
|
859
|
-
format:
|
|
884
|
+
z13.object({
|
|
885
|
+
format: z13.string().refine(
|
|
860
886
|
(input) => ![
|
|
861
887
|
zLdpVcFormatIdentifier.value,
|
|
862
888
|
zJwtVcJsonFormatIdentifier.value,
|
|
@@ -866,11 +892,11 @@ var zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSuppo
|
|
|
866
892
|
}).passthrough()
|
|
867
893
|
])
|
|
868
894
|
);
|
|
869
|
-
var zCredentialIssuerMetadataDraft11To16 =
|
|
870
|
-
authorization_server:
|
|
871
|
-
credentials_supported:
|
|
872
|
-
|
|
873
|
-
id:
|
|
895
|
+
var zCredentialIssuerMetadataDraft11To16 = z13.object({
|
|
896
|
+
authorization_server: z13.string().optional(),
|
|
897
|
+
credentials_supported: z13.array(
|
|
898
|
+
z13.object({
|
|
899
|
+
id: z13.string().optional()
|
|
874
900
|
}).passthrough()
|
|
875
901
|
)
|
|
876
902
|
}).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
|
|
@@ -883,9 +909,9 @@ var zCredentialIssuerMetadataDraft11To16 = z12.object({
|
|
|
883
909
|
)
|
|
884
910
|
};
|
|
885
911
|
}).pipe(
|
|
886
|
-
|
|
912
|
+
z13.object({
|
|
887
913
|
// Update from v11 structure to v14 structure
|
|
888
|
-
credential_configurations_supported:
|
|
914
|
+
credential_configurations_supported: z13.record(z13.string(), zCredentialConfigurationSupportedDraft11To16)
|
|
889
915
|
}).passthrough()
|
|
890
916
|
).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
|
|
891
917
|
var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15Draft16.transform((issuerMetadata) => ({
|
|
@@ -897,16 +923,16 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft
|
|
|
897
923
|
}))
|
|
898
924
|
})).pipe(
|
|
899
925
|
zCredentialIssuerMetadataDraft14Draft15Draft16.extend({
|
|
900
|
-
credentials_supported:
|
|
926
|
+
credentials_supported: z13.array(zCredentialConfigurationSupportedDraft16To11)
|
|
901
927
|
})
|
|
902
928
|
);
|
|
903
|
-
var zCredentialIssuerMetadata =
|
|
929
|
+
var zCredentialIssuerMetadata = z13.union([
|
|
904
930
|
// First prioritize draft 16/15/14 (and 13)
|
|
905
931
|
zCredentialIssuerMetadataDraft14Draft15Draft16,
|
|
906
932
|
// Then try parsing draft 11 and transform into draft 16
|
|
907
933
|
zCredentialIssuerMetadataDraft11To16
|
|
908
934
|
]);
|
|
909
|
-
var zCredentialIssuerMetadataWithDraftVersion =
|
|
935
|
+
var zCredentialIssuerMetadataWithDraftVersion = z13.union([
|
|
910
936
|
zCredentialIssuerMetadataDraft14Draft15Draft16.transform((credentialIssuerMetadata) => {
|
|
911
937
|
const credentialConfigurations = Object.values(credentialIssuerMetadata.credential_configurations_supported);
|
|
912
938
|
const isDraft15 = credentialConfigurations.some((configuration) => {
|
|
@@ -981,7 +1007,12 @@ function getCredentialConfigurationsMatchingRequestFormat({
|
|
|
981
1007
|
return arrayEqualsIgnoreOrder(r.credential_definition.type, c.credential_definition.type);
|
|
982
1008
|
}
|
|
983
1009
|
if (c.format === "vc+sd-jwt" && r.format === c.format) {
|
|
984
|
-
|
|
1010
|
+
if (r.vct && c.vct) {
|
|
1011
|
+
return r.vct === c.vct;
|
|
1012
|
+
}
|
|
1013
|
+
if (c.credential_definition && r.credential_definition) {
|
|
1014
|
+
return arrayEqualsIgnoreOrder(r.credential_definition.type, c.credential_definition.type);
|
|
1015
|
+
}
|
|
985
1016
|
}
|
|
986
1017
|
if (c.format === "mso_mdoc" && r.format === c.format) {
|
|
987
1018
|
return r.doctype === c.doctype;
|
|
@@ -1133,7 +1164,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
|
|
|
1133
1164
|
options.issuerMetadata.credentialIssuer.credential_configurations_supported,
|
|
1134
1165
|
options.credentialConfigurationId
|
|
1135
1166
|
);
|
|
1136
|
-
if (zIs(
|
|
1167
|
+
if (zIs(zLegacySdJwtVcCredentialIssuerMetadataDraft16, credentialConfiguration) || zIs(zLegacySdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
|
|
1137
1168
|
return {
|
|
1138
1169
|
format: credentialConfiguration.format,
|
|
1139
1170
|
vct: credentialConfiguration.vct
|
|
@@ -1173,9 +1204,17 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
|
|
|
1173
1204
|
}
|
|
1174
1205
|
if (zIs(zSdJwtDcCredentialIssuerMetadata, credentialConfiguration)) {
|
|
1175
1206
|
throw new Openid4vciError(
|
|
1176
|
-
`Credential configuration id '${options.credentialConfigurationId}' with format ${
|
|
1207
|
+
`Credential configuration id '${options.credentialConfigurationId}' with format ${zLegacySdJwtVcFormatIdentifier.value} does not support credential request based on 'format'. Use 'credential_configuration_id' directly.`
|
|
1177
1208
|
);
|
|
1178
1209
|
}
|
|
1210
|
+
if (zIs(zSdJwtW3VcCredentialIssuerMetadata, credentialConfiguration)) {
|
|
1211
|
+
return {
|
|
1212
|
+
format: credentialConfiguration.format,
|
|
1213
|
+
credential_definition: {
|
|
1214
|
+
type: credentialConfiguration.credential_definition.type
|
|
1215
|
+
}
|
|
1216
|
+
};
|
|
1217
|
+
}
|
|
1179
1218
|
throw new Openid4vciError(
|
|
1180
1219
|
`Unknown format '${credentialConfiguration.format}' in credential configuration with id '${options.credentialConfigurationId}' for credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
|
|
1181
1220
|
);
|
|
@@ -1190,33 +1229,33 @@ import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandl
|
|
|
1190
1229
|
|
|
1191
1230
|
// src/credential-request/z-credential-request.ts
|
|
1192
1231
|
import { zJwk as zJwk3 } from "@openid4vc/oauth2";
|
|
1193
|
-
import
|
|
1232
|
+
import z17 from "zod";
|
|
1194
1233
|
|
|
1195
1234
|
// src/credential-request/z-credential-request-common.ts
|
|
1196
1235
|
import { zJwk as zJwk2 } from "@openid4vc/oauth2";
|
|
1197
|
-
import
|
|
1236
|
+
import z16 from "zod";
|
|
1198
1237
|
|
|
1199
1238
|
// src/formats/proof-type/jwt/z-jwt-proof-type.ts
|
|
1200
1239
|
import { zCompactJwt as zCompactJwt2, zJwtHeader as zJwtHeader2, zJwtPayload as zJwtPayload2 } from "@openid4vc/oauth2";
|
|
1201
1240
|
import { zHttpsUrl as zHttpsUrl3, zInteger as zInteger2 } from "@openid4vc/utils";
|
|
1202
|
-
import
|
|
1203
|
-
var zJwtProofTypeIdentifier =
|
|
1241
|
+
import z14 from "zod";
|
|
1242
|
+
var zJwtProofTypeIdentifier = z14.literal("jwt");
|
|
1204
1243
|
var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
|
|
1205
|
-
var zCredentialRequestProofJwt =
|
|
1244
|
+
var zCredentialRequestProofJwt = z14.object({
|
|
1206
1245
|
proof_type: zJwtProofTypeIdentifier,
|
|
1207
1246
|
jwt: zCompactJwt2
|
|
1208
1247
|
});
|
|
1209
1248
|
var zCredentialRequestJwtProofTypeHeader = zJwtHeader2.merge(
|
|
1210
|
-
|
|
1211
|
-
key_attestation:
|
|
1212
|
-
typ:
|
|
1249
|
+
z14.object({
|
|
1250
|
+
key_attestation: z14.optional(zCompactJwt2),
|
|
1251
|
+
typ: z14.literal("openid4vci-proof+jwt")
|
|
1213
1252
|
})
|
|
1214
1253
|
).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
|
|
1215
1254
|
message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
|
|
1216
1255
|
}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
|
|
1217
1256
|
message: `When 'trust_chain' is provided, 'kid' is required`
|
|
1218
1257
|
});
|
|
1219
|
-
var zCredentialRequestJwtProofTypePayload =
|
|
1258
|
+
var zCredentialRequestJwtProofTypePayload = z14.object({
|
|
1220
1259
|
...zJwtPayload2.shape,
|
|
1221
1260
|
aud: zHttpsUrl3,
|
|
1222
1261
|
iat: zInteger2
|
|
@@ -1224,40 +1263,40 @@ var zCredentialRequestJwtProofTypePayload = z13.object({
|
|
|
1224
1263
|
|
|
1225
1264
|
// src/formats/proof-type/attestation/z-attestation-proof-type.ts
|
|
1226
1265
|
import { zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
|
|
1227
|
-
import
|
|
1228
|
-
var zAttestationProofTypeIdentifier =
|
|
1266
|
+
import z15 from "zod";
|
|
1267
|
+
var zAttestationProofTypeIdentifier = z15.literal("attestation");
|
|
1229
1268
|
var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
|
|
1230
|
-
var zCredentialRequestProofAttestation =
|
|
1269
|
+
var zCredentialRequestProofAttestation = z15.object({
|
|
1231
1270
|
proof_type: zAttestationProofTypeIdentifier,
|
|
1232
1271
|
attestation: zCompactJwt3
|
|
1233
1272
|
});
|
|
1234
1273
|
var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
|
|
1235
1274
|
|
|
1236
1275
|
// src/credential-request/z-credential-request-common.ts
|
|
1237
|
-
var zCredentialRequestProofCommon =
|
|
1238
|
-
proof_type:
|
|
1276
|
+
var zCredentialRequestProofCommon = z16.object({
|
|
1277
|
+
proof_type: z16.string()
|
|
1239
1278
|
}).passthrough();
|
|
1240
1279
|
var allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
|
|
1241
|
-
var zCredentialRequestProof =
|
|
1280
|
+
var zCredentialRequestProof = z16.union([
|
|
1242
1281
|
zCredentialRequestProofCommon,
|
|
1243
|
-
|
|
1282
|
+
z16.discriminatedUnion("proof_type", allCredentialRequestProofs)
|
|
1244
1283
|
]);
|
|
1245
|
-
var zCredentialRequestProofsCommon =
|
|
1246
|
-
var zCredentialRequestProofs =
|
|
1247
|
-
[zJwtProofTypeIdentifier.value]:
|
|
1248
|
-
[zAttestationProofTypeIdentifier.value]:
|
|
1284
|
+
var zCredentialRequestProofsCommon = z16.record(z16.string(), z16.array(z16.unknown()));
|
|
1285
|
+
var zCredentialRequestProofs = z16.object({
|
|
1286
|
+
[zJwtProofTypeIdentifier.value]: z16.optional(z16.array(zCredentialRequestProofJwt.shape.jwt)),
|
|
1287
|
+
[zAttestationProofTypeIdentifier.value]: z16.optional(z16.array(zCredentialRequestProofAttestation.shape.attestation))
|
|
1249
1288
|
});
|
|
1250
|
-
var zCredentialRequestCommon =
|
|
1289
|
+
var zCredentialRequestCommon = z16.object({
|
|
1251
1290
|
proof: zCredentialRequestProof.optional(),
|
|
1252
|
-
proofs:
|
|
1253
|
-
|
|
1291
|
+
proofs: z16.optional(
|
|
1292
|
+
z16.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
|
|
1254
1293
|
message: `The 'proofs' object in a credential request should contain exactly one attribute`
|
|
1255
1294
|
})
|
|
1256
1295
|
),
|
|
1257
|
-
credential_response_encryption:
|
|
1296
|
+
credential_response_encryption: z16.object({
|
|
1258
1297
|
jwk: zJwk2,
|
|
1259
|
-
alg:
|
|
1260
|
-
enc:
|
|
1298
|
+
alg: z16.string(),
|
|
1299
|
+
enc: z16.string()
|
|
1261
1300
|
}).passthrough().optional()
|
|
1262
1301
|
}).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), {
|
|
1263
1302
|
message: `Both 'proof' and 'proofs' are defined. Only one is allowed`
|
|
@@ -1265,50 +1304,51 @@ var zCredentialRequestCommon = z15.object({
|
|
|
1265
1304
|
|
|
1266
1305
|
// src/credential-request/z-credential-request.ts
|
|
1267
1306
|
var allCredentialRequestFormats = [
|
|
1268
|
-
|
|
1307
|
+
zSdJwtW3VcCredentialRequestFormatDraft14,
|
|
1269
1308
|
zMsoMdocCredentialRequestFormatDraft14,
|
|
1270
1309
|
zLdpVcCredentialRequestFormatDraft14,
|
|
1271
1310
|
zJwtVcJsonLdCredentialRequestFormatDraft14,
|
|
1272
|
-
zJwtVcJsonCredentialRequestFormatDraft14
|
|
1311
|
+
zJwtVcJsonCredentialRequestFormatDraft14,
|
|
1312
|
+
zLegacySdJwtVcCredentialRequestFormatDraft14
|
|
1273
1313
|
];
|
|
1274
1314
|
var allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map(
|
|
1275
1315
|
(format) => format.shape.format.value
|
|
1276
1316
|
);
|
|
1277
|
-
var zCredentialRequestCredentialConfigurationId =
|
|
1278
|
-
credential_configuration_id:
|
|
1279
|
-
format:
|
|
1280
|
-
credential_identifier:
|
|
1317
|
+
var zCredentialRequestCredentialConfigurationId = z17.object({
|
|
1318
|
+
credential_configuration_id: z17.string(),
|
|
1319
|
+
format: z17.never({ message: "'format' cannot be defined when 'credential_configuration_id' is set." }).optional(),
|
|
1320
|
+
credential_identifier: z17.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
|
|
1281
1321
|
});
|
|
1282
|
-
var zAuthorizationDetailsCredentialRequest =
|
|
1283
|
-
credential_identifier:
|
|
1284
|
-
credential_configuration_id:
|
|
1322
|
+
var zAuthorizationDetailsCredentialRequest = z17.object({
|
|
1323
|
+
credential_identifier: z17.string(),
|
|
1324
|
+
credential_configuration_id: z17.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional(),
|
|
1285
1325
|
// Cannot be present if credential identifier is present
|
|
1286
|
-
format:
|
|
1326
|
+
format: z17.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
|
|
1287
1327
|
});
|
|
1288
|
-
var zCredentialRequestFormat =
|
|
1289
|
-
format:
|
|
1290
|
-
credential_identifier:
|
|
1291
|
-
credential_configuration_id:
|
|
1328
|
+
var zCredentialRequestFormat = z17.object({
|
|
1329
|
+
format: z17.string(),
|
|
1330
|
+
credential_identifier: z17.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
|
|
1331
|
+
credential_configuration_id: z17.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
|
|
1292
1332
|
}).passthrough();
|
|
1293
1333
|
var zCredentialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
|
|
1294
1334
|
if (!allCredentialRequestFormatIdentifiers.includes(
|
|
1295
1335
|
data.format
|
|
1296
1336
|
))
|
|
1297
1337
|
return data;
|
|
1298
|
-
const result =
|
|
1338
|
+
const result = z17.object({}).passthrough().and(z17.union(allCredentialRequestFormats)).safeParse(data);
|
|
1299
1339
|
if (result.success) {
|
|
1300
1340
|
return result.data;
|
|
1301
1341
|
}
|
|
1302
1342
|
for (const issue of result.error.issues) {
|
|
1303
1343
|
ctx.addIssue(issue);
|
|
1304
1344
|
}
|
|
1305
|
-
return
|
|
1345
|
+
return z17.NEVER;
|
|
1306
1346
|
});
|
|
1307
|
-
var zCredentialRequestDraft15 =
|
|
1347
|
+
var zCredentialRequestDraft15 = z17.union([
|
|
1308
1348
|
zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest),
|
|
1309
1349
|
zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)
|
|
1310
1350
|
]);
|
|
1311
|
-
var zCredentialRequestDraft14 =
|
|
1351
|
+
var zCredentialRequestDraft14 = z17.union([
|
|
1312
1352
|
zCredentialRequestDraft14WithFormat,
|
|
1313
1353
|
zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
|
|
1314
1354
|
]);
|
|
@@ -1325,7 +1365,7 @@ var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequ
|
|
|
1325
1365
|
for (const issue of result.error.issues) {
|
|
1326
1366
|
ctx.addIssue(issue);
|
|
1327
1367
|
}
|
|
1328
|
-
return
|
|
1368
|
+
return z17.NEVER;
|
|
1329
1369
|
}).pipe(zCredentialRequestDraft14);
|
|
1330
1370
|
var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
|
|
1331
1371
|
(data) => data.credential_identifier === void 0,
|
|
@@ -1343,27 +1383,27 @@ var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
|
|
|
1343
1383
|
for (const issue of result.error.issues) {
|
|
1344
1384
|
ctx.addIssue(issue);
|
|
1345
1385
|
}
|
|
1346
|
-
return
|
|
1386
|
+
return z17.NEVER;
|
|
1347
1387
|
});
|
|
1348
|
-
var zCredentialRequest =
|
|
1388
|
+
var zCredentialRequest = z17.union([
|
|
1349
1389
|
zCredentialRequestDraft15,
|
|
1350
1390
|
zCredentialRequestDraft14,
|
|
1351
1391
|
zCredentialRequestDraft11To14
|
|
1352
1392
|
]);
|
|
1353
|
-
var zDeferredCredentialRequest =
|
|
1354
|
-
transaction_id:
|
|
1355
|
-
credential_response_encryption:
|
|
1393
|
+
var zDeferredCredentialRequest = z17.object({
|
|
1394
|
+
transaction_id: z17.string().nonempty(),
|
|
1395
|
+
credential_response_encryption: z17.object({
|
|
1356
1396
|
jwk: zJwk3,
|
|
1357
|
-
alg:
|
|
1358
|
-
enc:
|
|
1397
|
+
alg: z17.string(),
|
|
1398
|
+
enc: z17.string()
|
|
1359
1399
|
}).passthrough().optional()
|
|
1360
1400
|
});
|
|
1361
1401
|
|
|
1362
1402
|
// src/credential-request/z-credential-response.ts
|
|
1363
|
-
import
|
|
1403
|
+
import z19 from "zod";
|
|
1364
1404
|
|
|
1365
1405
|
// ../oauth2/src/common/z-oauth2-error.ts
|
|
1366
|
-
import
|
|
1406
|
+
import z18 from "zod";
|
|
1367
1407
|
var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
|
|
1368
1408
|
Oauth2ErrorCodes4["ServerError"] = "server_error";
|
|
1369
1409
|
Oauth2ErrorCodes4["InvalidTarget"] = "invalid_target";
|
|
@@ -1403,49 +1443,49 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
|
|
|
1403
1443
|
Oauth2ErrorCodes4["WalletUnavailable"] = "wallet_unavailable";
|
|
1404
1444
|
return Oauth2ErrorCodes4;
|
|
1405
1445
|
})(Oauth2ErrorCodes || {});
|
|
1406
|
-
var zOauth2ErrorResponse =
|
|
1407
|
-
error:
|
|
1408
|
-
error_description:
|
|
1409
|
-
error_uri:
|
|
1446
|
+
var zOauth2ErrorResponse = z18.object({
|
|
1447
|
+
error: z18.union([z18.nativeEnum(Oauth2ErrorCodes), z18.string()]),
|
|
1448
|
+
error_description: z18.string().optional(),
|
|
1449
|
+
error_uri: z18.string().optional()
|
|
1410
1450
|
}).passthrough();
|
|
1411
1451
|
|
|
1412
1452
|
// src/credential-request/z-credential-response.ts
|
|
1413
|
-
var zCredentialEncoding =
|
|
1414
|
-
var zBaseCredentialResponse =
|
|
1415
|
-
credentials:
|
|
1416
|
-
interval:
|
|
1417
|
-
notification_id:
|
|
1453
|
+
var zCredentialEncoding = z19.union([z19.string(), z19.record(z19.string(), z19.any())]);
|
|
1454
|
+
var zBaseCredentialResponse = z19.object({
|
|
1455
|
+
credentials: z19.optional(z19.array(zCredentialEncoding)),
|
|
1456
|
+
interval: z19.number().int().positive().optional(),
|
|
1457
|
+
notification_id: z19.string().optional()
|
|
1418
1458
|
}).passthrough();
|
|
1419
1459
|
var zCredentialResponse = zBaseCredentialResponse.extend({
|
|
1420
|
-
credential:
|
|
1421
|
-
transaction_id:
|
|
1422
|
-
c_nonce:
|
|
1423
|
-
c_nonce_expires_in:
|
|
1460
|
+
credential: z19.optional(zCredentialEncoding),
|
|
1461
|
+
transaction_id: z19.string().optional(),
|
|
1462
|
+
c_nonce: z19.string().optional(),
|
|
1463
|
+
c_nonce_expires_in: z19.number().int().optional()
|
|
1424
1464
|
}).passthrough().superRefine((value, ctx) => {
|
|
1425
1465
|
const { credential, credentials, transaction_id, interval, notification_id } = value;
|
|
1426
1466
|
if ([credential, credentials, transaction_id].filter((i) => i !== void 0).length !== 1) {
|
|
1427
1467
|
ctx.addIssue({
|
|
1428
|
-
code:
|
|
1468
|
+
code: z19.ZodIssueCode.custom,
|
|
1429
1469
|
message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
|
|
1430
1470
|
});
|
|
1431
1471
|
}
|
|
1432
1472
|
if (transaction_id && !interval) {
|
|
1433
1473
|
ctx.addIssue({
|
|
1434
|
-
code:
|
|
1474
|
+
code: z19.ZodIssueCode.custom,
|
|
1435
1475
|
message: `'interval' MUST be defined when 'transaction_id' is defined.`
|
|
1436
1476
|
});
|
|
1437
1477
|
}
|
|
1438
1478
|
if (notification_id && !(credentials || credential)) {
|
|
1439
1479
|
ctx.addIssue({
|
|
1440
|
-
code:
|
|
1480
|
+
code: z19.ZodIssueCode.custom,
|
|
1441
1481
|
message: `'notification_id' MUST NOT be defined when 'credential' or 'credentials' are not defined.`
|
|
1442
1482
|
});
|
|
1443
1483
|
}
|
|
1444
1484
|
});
|
|
1445
|
-
var zCredentialErrorResponse =
|
|
1485
|
+
var zCredentialErrorResponse = z19.object({
|
|
1446
1486
|
...zOauth2ErrorResponse.shape,
|
|
1447
|
-
c_nonce:
|
|
1448
|
-
c_nonce_expires_in:
|
|
1487
|
+
c_nonce: z19.string().optional(),
|
|
1488
|
+
c_nonce_expires_in: z19.number().int().optional()
|
|
1449
1489
|
}).passthrough();
|
|
1450
1490
|
var zDeferredCredentialResponse = zBaseCredentialResponse.refine(
|
|
1451
1491
|
(value) => {
|
|
@@ -1598,7 +1638,7 @@ async function retrieveDeferredCredentials(options) {
|
|
|
1598
1638
|
deferredCredentialErrorResponseResult
|
|
1599
1639
|
};
|
|
1600
1640
|
}
|
|
1601
|
-
const deferredCredentialResponseResult = isResponseContentType(ContentType2.Json, resourceResponse.response) ?
|
|
1641
|
+
const deferredCredentialResponseResult = isResponseContentType(ContentType2.Json, resourceResponse.response) ? zDeferredCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
|
|
1602
1642
|
if (!deferredCredentialResponseResult?.success) {
|
|
1603
1643
|
return {
|
|
1604
1644
|
...resourceResponse,
|
|
@@ -1747,10 +1787,10 @@ import { ContentType as ContentType3, ValidationError as ValidationError3, creat
|
|
|
1747
1787
|
|
|
1748
1788
|
// src/nonce/z-nonce.ts
|
|
1749
1789
|
import { zInteger as zInteger3 } from "@openid4vc/utils";
|
|
1750
|
-
import
|
|
1751
|
-
var zNonceResponse =
|
|
1752
|
-
c_nonce:
|
|
1753
|
-
c_nonce_expires_in:
|
|
1790
|
+
import z20 from "zod";
|
|
1791
|
+
var zNonceResponse = z20.object({
|
|
1792
|
+
c_nonce: z20.string(),
|
|
1793
|
+
c_nonce_expires_in: z20.optional(zInteger3)
|
|
1754
1794
|
}).passthrough();
|
|
1755
1795
|
|
|
1756
1796
|
// src/nonce/nonce-request.ts
|
|
@@ -1793,15 +1833,15 @@ import {
|
|
|
1793
1833
|
import { ContentType as ContentType4, isResponseContentType as isResponseContentType2, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
|
|
1794
1834
|
|
|
1795
1835
|
// src/notification/z-notification.ts
|
|
1796
|
-
import
|
|
1797
|
-
var zNotificationEvent =
|
|
1798
|
-
var zNotificationRequest =
|
|
1799
|
-
notification_id:
|
|
1836
|
+
import z21 from "zod";
|
|
1837
|
+
var zNotificationEvent = z21.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
|
|
1838
|
+
var zNotificationRequest = z21.object({
|
|
1839
|
+
notification_id: z21.string(),
|
|
1800
1840
|
event: zNotificationEvent,
|
|
1801
|
-
event_description:
|
|
1841
|
+
event_description: z21.optional(z21.string())
|
|
1802
1842
|
}).passthrough();
|
|
1803
|
-
var zNotificationErrorResponse =
|
|
1804
|
-
error:
|
|
1843
|
+
var zNotificationErrorResponse = z21.object({
|
|
1844
|
+
error: z21.enum(["invalid_notification_id", "invalid_notification_request"])
|
|
1805
1845
|
}).passthrough();
|
|
1806
1846
|
|
|
1807
1847
|
// src/notification/notification.ts
|
|
@@ -2276,7 +2316,7 @@ function createDeferredCredentialResponse(options) {
|
|
|
2276
2316
|
|
|
2277
2317
|
// src/credential-request/parse-credential-request.ts
|
|
2278
2318
|
import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
|
|
2279
|
-
import
|
|
2319
|
+
import z22 from "zod";
|
|
2280
2320
|
function parseCredentialRequest(options) {
|
|
2281
2321
|
const credentialRequest = parseWithErrorHandling9(
|
|
2282
2322
|
zCredentialRequest,
|
|
@@ -2288,7 +2328,7 @@ function parseCredentialRequest(options) {
|
|
|
2288
2328
|
if (knownProofs.success) {
|
|
2289
2329
|
proofs = knownProofs.data;
|
|
2290
2330
|
}
|
|
2291
|
-
const knownProof =
|
|
2331
|
+
const knownProof = z22.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
|
|
2292
2332
|
if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) {
|
|
2293
2333
|
proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
|
|
2294
2334
|
} else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) {
|
|
@@ -2322,7 +2362,7 @@ function parseCredentialRequest(options) {
|
|
|
2322
2362
|
return {
|
|
2323
2363
|
// Removes all claims that are not specific to this format
|
|
2324
2364
|
format: parseWithErrorHandling9(
|
|
2325
|
-
|
|
2365
|
+
z22.union(allCredentialRequestFormats),
|
|
2326
2366
|
credentialRequest,
|
|
2327
2367
|
"Unable to validate format specific properties from credential request"
|
|
2328
2368
|
),
|