npm - @openid4vc/openid4vp - Versions diffs - 0.3.0-alpha-20250227094616 → 0.3.0-alpha-20250304095426 - Mend

@openid4vc/openid4vp 0.3.0-alpha-20250227094616 → 0.3.0-alpha-20250304095426

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -36,15 +36,16 @@ __export(src_exports, {
   createOpenid4vpAuthorizationResponse: () => createOpenid4vpAuthorizationResponse,
   isJarmResponseMode: () => isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi: () => isOpenid4vpAuthorizationRequestDcApi,
+  parseDcqlVpToken: () => parseDcqlVpToken,
   parseJarmAuthorizationResponse: () => parseJarmAuthorizationResponse,
   parseOpenid4vpAuthorizationRequestPayload: () => parseOpenid4vpAuthorizationRequestPayload,
   parseOpenid4vpAuthorizationResponse: () => parseOpenid4vpAuthorizationResponse,
-  parsePresentationsFromVpToken: () => parsePresentationsFromVpToken,
+  parsePexVpToken: () => parsePexVpToken,
   parseTransactionData: () => parseTransactionData,
   resolveOpenid4vpAuthorizationRequest: () => resolveOpenid4vpAuthorizationRequest,
   submitOpenid4vpAuthorizationResponse: () => submitOpenid4vpAuthorizationResponse,
   validateOpenid4vpAuthorizationRequestPayload: () => validateOpenid4vpAuthorizationRequestPayload,
-  validateOpenid4vpAuthorizationResponse: () => validateOpenid4vpAuthorizationResponse,
+  validateOpenid4vpAuthorizationResponsePayload: () => validateOpenid4vpAuthorizationResponsePayload,
   verifyJarmAuthorizationResponse: () => verifyJarmAuthorizationResponse,
   zClientIdScheme: () => zClientIdScheme,
   zClientMetadata: () => zClientMetadata,
@@ -80,6 +81,7 @@ var import_utils = require("@openid4vc/utils");
 // src/jarm/jarm-auth-response/z-jarm-auth-response.ts
 var import_oauth2 = require("@openid4vc/oauth2");
 var import_zod2 = require("zod");
+var zJarmHeader = import_zod2.z.object({ ...import_oauth2.zJwtHeader.shape, apu: import_zod2.z.string().optional(), apv: import_zod2.z.string().optional() });
 var zJarmAuthResponse = import_zod2.z.object({
   /**
    * iss: The issuer URL of the authorization server that created the response
@@ -1238,8 +1240,10 @@ function extractJwksFromClientMetadata(clientMetadata) {
   const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
   const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
   const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
-  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc");
-  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig");
+  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
+  clientMetadata.jwks.keys?.[0];
+  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
+  clientMetadata.jwks.keys?.[0];
   return { encJwk, sigJwk };
 }
@@ -1445,190 +1449,90 @@ async function submitOpenid4vpAuthorizationResponse(options) {
 }
 // src/authorization-response/validate-authorization-response.ts
-var import_oauth227 = require("@openid4vc/oauth2");
-// src/vp-token/parse-presentations-from-vp-token.ts
 var import_oauth225 = require("@openid4vc/oauth2");
-var import_oauth226 = require("@openid4vc/oauth2");
+// src/vp-token/parse-vp-token.ts
 var import_utils18 = require("@openid4vc/utils");
+// src/vp-token/z-vp-token.ts
 var import_zod17 = require("zod");
-function parsePresentationsFromVpToken(options) {
-  const { vpToken: _vpToken } = options;
-  const vpToken = (0, import_utils18.parseIfJson)(_vpToken);
-  if (Array.isArray(vpToken)) {
-    if (vpToken.length === 0) {
-      throw new import_oauth225.Oauth2Error("Could not parse vp_token. vp_token is an empty array.");
-    }
-    return vpToken.map((token, idx) => parseSinglePresentationFromVpToken({ vpToken: token, path: `$[${idx}]` }));
-  }
-  if (typeof vpToken === "string" || typeof vpToken === "object") {
-    return [parseSinglePresentationFromVpToken({ vpToken, path: "$" })];
+var zVpTokenPexEntry = import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())], {
+  message: "pex vp_token entry must be a string or object"
+});
+var zVpTokenPex = import_zod17.z.union(
+  [zVpTokenPexEntry, import_zod17.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
+  {
+    message: "pex vp_token must be a string, object or array of strings and objects"
   }
-  throw new import_oauth225.Oauth2Error(
-    `Could not parse vp_token. Expected a string or an array of strings. Received: ${typeof vpToken}`
+);
+var zVpTokenDcql = import_zod17.z.record(import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())]), {
+  message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
+});
+var zVpToken = zVpTokenDcql.or(zVpTokenPex);
+// src/vp-token/parse-vp-token.ts
+function parsePexVpToken(vpToken) {
+  const parsedVpToken = (0, import_utils18.parseWithErrorHandling)(
+    zVpTokenPex,
+    (0, import_utils18.parseIfJson)(vpToken),
+    "Could not parse presentation exchange vp_token. Expected a string or an array of strings"
   );
+  return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
 }
-function parseDcqlPresentationFromVpToken(options) {
-  const { vpToken: _vpToken } = options;
-  const vpToken = (0, import_utils18.parseIfJson)(_vpToken);
-  const parsed = (0, import_utils18.parseWithErrorHandling)(import_zod17.z.object({}).passthrough(), vpToken);
-  const dcqlPresentationRecord = Object.fromEntries(
-    Object.entries(parsed).map(([key, value]) => {
-      return [key, parseSinglePresentationFromVpToken({ vpToken: value })];
-    })
+function parseDcqlVpToken(vpToken) {
+  return (0, import_utils18.parseWithErrorHandling)(
+    zVpTokenDcql,
+    (0, import_utils18.parseIfJson)(vpToken),
+    "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
   );
-  return dcqlPresentationRecord;
-}
-function parseSinglePresentationFromVpToken(options) {
-  const { vpToken: _vpToken, path } = options;
-  const vpToken = (0, import_utils18.parseIfJson)(_vpToken);
-  const zLdpVpProof = import_zod17.z.object({ challenge: import_zod17.z.string().optional() }).passthrough();
-  const ldpVpParseResult = import_zod17.z.object({
-    "@context": import_zod17.z.string().optional(),
-    verifiableCredential: import_zod17.z.string().optional(),
-    proof: import_zod17.z.union([zLdpVpProof, import_zod17.z.array(zLdpVpProof)]).optional()
-  }).passthrough().safeParse(vpToken);
-  if (ldpVpParseResult.success && (ldpVpParseResult.data["@context"] || ldpVpParseResult.data.verifiableCredential)) {
-    const challenge = Array.isArray(ldpVpParseResult.data.proof) ? ldpVpParseResult.data.proof.map((proof) => proof.challenge) : ldpVpParseResult.data.proof?.challenge;
-    if (Array.isArray(challenge)) {
-      const allNoncesAreTheSame = challenge.every((nonce) => nonce === challenge[0]);
-      if (!allNoncesAreTheSame) {
-        throw new import_oauth225.Oauth2Error(
-          "Failed to parse presentation from vp_token. LDP presentation is missing the proof.challenge parameter."
-        );
-      }
-    }
-    if (!challenge) {
-      throw new import_oauth225.Oauth2Error(
-        "Failed to parse presentation from vp_token. LDP presentation is missing the proof.challenge parameter."
-      );
-    }
-    return {
-      format: "ldp_vp",
-      presentation: ldpVpParseResult,
-      path,
-      nonce: Array.isArray(challenge) ? challenge[0] : challenge
-    };
-  }
-  if ((0, import_utils18.isObject)(vpToken) && (vpToken.schema_id || vpToken.cred_def_id)) {
-    return {
-      format: "ac_vp",
-      presentation: vpToken,
-      path: options.path
-    };
-  }
-  if (typeof vpToken !== "string") {
-    throw new import_oauth225.Oauth2Error(
-      `Could not parse vp_token. Expected a string since the vp_token is neither a ldp_vp nor an ac_vp. Received: ${typeof vpToken}`
-    );
-  }
-  if (vpToken.includes("~")) {
-    const split = vpToken.split("~");
-    const keyBindingJwt = split[split.length - 1];
-    let nonce;
-    try {
-      const decoded = (0, import_oauth225.decodeJwt)({ jwt: keyBindingJwt });
-      nonce = decoded.payload.nonce;
-    } catch (error) {
-      nonce = void 0;
-    }
-    return {
-      format: "dc+sd-jwt",
-      presentation: vpToken,
-      path: options.path
-    };
-  }
-  const result = import_oauth226.zCompactJwt.safeParse(vpToken);
-  if (result.success) {
-    let nonce;
-    try {
-      const decoded = (0, import_oauth225.decodeJwt)({ jwt: vpToken });
-      nonce = decoded.payload.nonce;
-    } catch (error) {
-      nonce = void 0;
-    }
-    return {
-      format: "jwt_vp_json",
-      presentation: vpToken,
-      path: options.path,
-      nonce
-    };
-  }
-  return {
-    format: "mso_mdoc",
-    presentation: vpToken,
-    path: options.path
-  };
 }
 // src/authorization-response/validate-authorization-response.ts
-function validateOpenid4vpAuthorizationResponse(options) {
+function validateOpenid4vpAuthorizationResponsePayload(options) {
   const { requestPayload, responsePayload } = options;
-  if (!responsePayload.vp_token) {
-    throw new import_oauth227.Oauth2Error("Failed to verify OpenId4Vp Authorization Response. vp_token is missing.");
-  }
   if ("state" in requestPayload && requestPayload.state !== responsePayload.state) {
-    throw new import_oauth227.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
+    throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
   }
   if (responsePayload.id_token) {
-    throw new import_oauth227.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
+    throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
   }
   if (responsePayload.presentation_submission) {
     if (!requestPayload.presentation_definition) {
-      throw new import_oauth227.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
-    }
-    const presentations = parsePresentationsFromVpToken({ vpToken: responsePayload.vp_token });
-    if (presentations.every((p) => p.nonce) && !presentations.every((p) => p.nonce === requestPayload.nonce)) {
-      throw new import_oauth227.Oauth2Error(
-        "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
-      );
+      throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
     }
     return {
       type: "pex",
       pex: "scope" in requestPayload && requestPayload.scope ? {
         scope: requestPayload.scope,
         presentationSubmission: responsePayload.presentation_submission,
-        presentations
+        presentations: parsePexVpToken(responsePayload.vp_token)
       } : {
         presentationDefinition: requestPayload.presentation_definition,
         presentationSubmission: responsePayload.presentation_submission,
-        presentations
+        presentations: parsePexVpToken(responsePayload.vp_token)
       }
     };
   }
   if (requestPayload.dcql_query) {
-    if (Array.isArray(responsePayload.vp_token)) {
-      throw new import_oauth227.Oauth2Error(
-        "The OpenId4Vp Authorization Response contains multiple vp_token values. In combination with dcql this is not possible."
-      );
-    }
-    if (typeof responsePayload.vp_token !== "string" && typeof responsePayload.vp_token !== "object") {
-      throw new import_oauth227.Oauth2Error("With DCQL the vp_token must be a JSON-encoded object.");
-    }
-    const presentation = parseDcqlPresentationFromVpToken({ vpToken: responsePayload.vp_token });
-    if (Object.values(presentation).every((p) => p.nonce) && !Object.values(presentation).every((p) => p.nonce === requestPayload.nonce)) {
-      throw new import_oauth227.Oauth2Error(
-        "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
-      );
-    }
+    const presentations = parseDcqlVpToken(responsePayload.vp_token);
     return {
       type: "dcql",
       dcql: "scope" in requestPayload && requestPayload.scope ? {
         scope: requestPayload.scope,
-        presentation
+        presentations
       } : {
         query: requestPayload.dcql_query,
-        presentation
+        presentations
       }
     };
   }
-  throw new import_oauth227.Oauth2Error(
-    "Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor a dcql_query."
+  throw new import_oauth225.Oauth2Error(
+    "Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query."
   );
 }
 // src/authorization-response/parse-authorization-response.ts
-var import_oauth229 = require("@openid4vc/oauth2");
+var import_oauth227 = require("@openid4vc/oauth2");
 // src/authorization-response/parse-authorization-response-payload.ts
 var import_utils19 = require("@openid4vc/utils");
@@ -1636,16 +1540,17 @@ var import_utils19 = require("@openid4vc/utils");
 // src/authorization-response/z-authorization-response.ts
 var import_zod19 = require("zod");
-// src/vp-token/z-vp-token.ts
+// src/models/z-pex.ts
 var import_zod18 = require("zod");
-var zVpToken = import_zod18.z.union([import_zod18.z.string(), import_zod18.z.array(import_zod18.z.union([import_zod18.z.string(), import_zod18.z.record(import_zod18.z.any())])), import_zod18.z.record(import_zod18.z.any())]);
+var zPexPresentationDefinition = import_zod18.z.record(import_zod18.z.any());
+var zPexPresentationSubmission = import_zod18.z.record(import_zod18.z.any());
 // src/authorization-response/z-authorization-response.ts
 var zOpenid4vpAuthorizationResponse = import_zod19.z.object({
   state: import_zod19.z.string().optional(),
   id_token: import_zod19.z.string().optional(),
   vp_token: zVpToken,
-  presentation_submission: import_zod19.z.unknown().optional(),
+  presentation_submission: zPexPresentationSubmission.optional(),
   refresh_token: import_zod19.z.string().optional(),
   token_type: import_zod19.z.string().optional(),
   access_token: import_zod19.z.string().optional(),
@@ -1662,19 +1567,18 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
 }
 // src/authorization-response/parse-jarm-authorization-response.ts
-var import_oauth228 = require("@openid4vc/oauth2");
+var import_oauth226 = require("@openid4vc/oauth2");
 var import_utils20 = require("@openid4vc/utils");
 var import_zod20 = __toESM(require("zod"));
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks } = options;
   const jarmAuthorizationResponseJwt = (0, import_utils20.parseWithErrorHandling)(
-    import_zod20.default.union([import_oauth228.zCompactJwt, import_oauth228.zCompactJwe]),
+    import_zod20.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
   const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks });
-  const zJarmHeader = import_zod20.default.object({ ...import_oauth228.zJwtHeader.shape, apu: import_zod20.default.string().optional(), apv: import_zod20.default.string().optional() });
-  const { header: jarmHeader } = (0, import_oauth228.decodeJwtHeader)({
+  const { header: jarmHeader } = (0, import_oauth226.decodeJwtHeader)({
     jwt: jarmAuthorizationResponseJwt,
     headerSchema: zJarmHeader
   });
@@ -1682,17 +1586,17 @@ async function parseJarmAuthorizationResponse(options) {
     authorizationRequest: verifiedJarmResponse.authorizationRequest
   });
   if (parsedAuthorizationRequest.type !== "openid4vp" && parsedAuthorizationRequest.type !== "openid4vp_dc_api") {
-    throw new import_oauth228.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
+    throw new import_oauth226.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
-  const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
-  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
+  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
+  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
     requestPayload: parsedAuthorizationRequest.params,
-    responsePayload: authResponsePayload
+    responsePayload: authorizationResponsePayload
   });
-  const authRequestPayload = parsedAuthorizationRequest.params;
-  if (!authRequestPayload.response_mode || !isJarmResponseMode(authRequestPayload.response_mode)) {
-    throw new import_oauth228.Oauth2Error(
-      `Invalid response mode for jarm response. Response mode: '${authRequestPayload.response_mode ?? "fragment"}'`
+  const authorizationRequestPayload = parsedAuthorizationRequest.params;
+  if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {
+    throw new import_oauth226.Oauth2Error(
+      `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`
     );
   }
   let mdocGeneratedNonce = void 0;
@@ -1701,15 +1605,16 @@ async function parseJarmAuthorizationResponse(options) {
   }
   if (jarmHeader?.apv) {
     const jarmRequestNonce = (0, import_utils20.encodeToUtf8String)((0, import_utils20.decodeBase64)(jarmHeader.apv));
-    if (jarmRequestNonce !== authRequestPayload.nonce) {
-      throw new import_oauth228.Oauth2Error("The nonce in the jarm header does not match the nonce in the request.");
+    if (jarmRequestNonce !== authorizationRequestPayload.nonce) {
+      throw new import_oauth226.Oauth2Error("The nonce in the jarm header does not match the nonce in the request.");
     }
   }
   return {
     ...validateOpenId4vpResponse,
     jarm: { ...verifiedJarmResponse, jarmHeader, mdocGeneratedNonce },
-    authResponsePayload,
-    authRequestPayload
+    expectedNonce: authorizationRequestPayload.nonce,
+    authorizationResponsePayload,
+    authorizationRequestPayload
   };
 }
@@ -1719,19 +1624,19 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   if (responsePayload.response) {
     return parseJarmAuthorizationResponse({ jarmResponseJwt: responsePayload.response, callbacks });
   }
-  const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload);
-  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authResponsePayload);
+  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload);
+  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authorizationResponsePayload);
   const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest });
   if (parsedAuthRequest.type !== "openid4vp" && parsedAuthRequest.type !== "openid4vp_dc_api") {
-    throw new import_oauth229.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
+    throw new import_oauth227.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
-  const authRequestPayload = parsedAuthRequest.params;
-  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
-    requestPayload: authRequestPayload,
-    responsePayload: authResponsePayload
+  const authorizationRequestPayload = parsedAuthRequest.params;
+  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
+    requestPayload: authorizationRequestPayload,
+    responsePayload: authorizationResponsePayload
   });
-  if (authRequestPayload.response_mode && isJarmResponseMode(authRequestPayload.response_mode)) {
-    throw new import_oauth229.Oauth2ServerErrorResponseError(
+  if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {
+    throw new import_oauth227.Oauth2ServerErrorResponseError(
       {
         error: "invalid_request",
         error_description: "Invalid response mode for openid4vp response. Expected jarm response."
@@ -1743,8 +1648,9 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   }
   return {
     ...validateOpenId4vpResponse,
-    authResponsePayload,
-    authRequestPayload,
+    expectedNonce: authorizationRequestPayload.nonce,
+    authorizationResponsePayload,
+    authorizationRequestPayload,
     jarm: void 0
   };
 }
@@ -1782,11 +1688,14 @@ var Openid4vpVerifier = class {
   parseOpenid4vpAuthorizationResponse(options) {
     return parseOpenid4vpAuthorizationResponse(options);
   }
-  validateOpenid4vpAuthorizationResponse(options) {
-    return validateOpenid4vpAuthorizationResponse(options);
+  validateOpenid4vpAuthorizationResponsePayload(options) {
+    return validateOpenid4vpAuthorizationResponsePayload(options);
+  }
+  parsePexVpToken(vpToken) {
+    return parsePexVpToken(vpToken);
   }
-  parsePresentationsFromVpToken(options) {
-    return parsePresentationsFromVpToken(options);
+  parseDcqlVpToken(vpToken) {
+    return parseDcqlVpToken(vpToken);
   }
   parseTransactionData(options) {
     return parseTransactionData(options);
@@ -1808,15 +1717,16 @@ var zProofFormat = import_zod22.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd
   createOpenid4vpAuthorizationResponse,
   isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi,
+  parseDcqlVpToken,
   parseJarmAuthorizationResponse,
   parseOpenid4vpAuthorizationRequestPayload,
   parseOpenid4vpAuthorizationResponse,
-  parsePresentationsFromVpToken,
+  parsePexVpToken,
   parseTransactionData,
   resolveOpenid4vpAuthorizationRequest,
   submitOpenid4vpAuthorizationResponse,
   validateOpenid4vpAuthorizationRequestPayload,
-  validateOpenid4vpAuthorizationResponse,
+  validateOpenid4vpAuthorizationResponsePayload,
   verifyJarmAuthorizationResponse,
   zClientIdScheme,
   zClientMetadata,