npm - @openid4vc/openid4vp - Versions diffs - 0.3.0-alpha-20250227094616 → 0.3.0-alpha-20250304095426 - Mend

@openid4vc/openid4vp 0.3.0-alpha-20250227094616 → 0.3.0-alpha-20250304095426

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -19,7 +19,7 @@ import {
   jwtSignerFromJwt,
   zCompactJwe,
   zCompactJwt,
-  zJwtHeader
+  zJwtHeader as zJwtHeader2
 } from "@openid4vc/oauth2";
 import z3 from "zod";
@@ -28,8 +28,9 @@ import { Oauth2Error } from "@openid4vc/oauth2";
 import { dateToSeconds } from "@openid4vc/utils";
 // src/jarm/jarm-auth-response/z-jarm-auth-response.ts
-import { zJwtPayload } from "@openid4vc/oauth2";
+import { zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
 import { z as z2 } from "zod";
+var zJarmHeader = z2.object({ ...zJwtHeader.shape, apu: z2.string().optional(), apv: z2.string().optional() });
 var zJarmAuthResponse = z2.object({
   /**
    * iss: The issuer URL of the authorization server that created the response
@@ -86,7 +87,7 @@ async function verifyJarmAuthorizationResponse(options) {
   if (responseIsSigned) {
     const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({
       jwt: decryptedRequestData,
-      headerSchema: z3.object({ ...zJwtHeader.shape, kid: z3.string() })
+      headerSchema: z3.object({ ...zJwtHeader2.shape, kid: z3.string() })
     });
     const response = zJarmAuthResponse.parse(jwsPayload);
     const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload });
@@ -1205,8 +1206,10 @@ function extractJwksFromClientMetadata(clientMetadata) {
   const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
   const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
   const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
-  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc");
-  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig");
+  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
+  clientMetadata.jwks.keys?.[0];
+  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
+  clientMetadata.jwks.keys?.[0];
   return { encJwk, sigJwk };
 }
@@ -1412,190 +1415,90 @@ async function submitOpenid4vpAuthorizationResponse(options) {
 }
 // src/authorization-response/validate-authorization-response.ts
-import { Oauth2Error as Oauth2Error11 } from "@openid4vc/oauth2";
+import { Oauth2Error as Oauth2Error10 } from "@openid4vc/oauth2";
+// src/vp-token/parse-vp-token.ts
+import { parseIfJson as parseIfJson2, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
-// src/vp-token/parse-presentations-from-vp-token.ts
-import { Oauth2Error as Oauth2Error10, decodeJwt as decodeJwt4 } from "@openid4vc/oauth2";
-import { zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
-import { isObject, parseIfJson as parseIfJson2, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
+// src/vp-token/z-vp-token.ts
 import { z as z17 } from "zod";
-function parsePresentationsFromVpToken(options) {
-  const { vpToken: _vpToken } = options;
-  const vpToken = parseIfJson2(_vpToken);
-  if (Array.isArray(vpToken)) {
-    if (vpToken.length === 0) {
-      throw new Oauth2Error10("Could not parse vp_token. vp_token is an empty array.");
-    }
-    return vpToken.map((token, idx) => parseSinglePresentationFromVpToken({ vpToken: token, path: `$[${idx}]` }));
-  }
-  if (typeof vpToken === "string" || typeof vpToken === "object") {
-    return [parseSinglePresentationFromVpToken({ vpToken, path: "$" })];
+var zVpTokenPexEntry = z17.union([z17.string(), z17.record(z17.any())], {
+  message: "pex vp_token entry must be a string or object"
+});
+var zVpTokenPex = z17.union(
+  [zVpTokenPexEntry, z17.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
+  {
+    message: "pex vp_token must be a string, object or array of strings and objects"
   }
-  throw new Oauth2Error10(
-    `Could not parse vp_token. Expected a string or an array of strings. Received: ${typeof vpToken}`
+);
+var zVpTokenDcql = z17.record(z17.union([z17.string(), z17.record(z17.any())]), {
+  message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
+});
+var zVpToken = zVpTokenDcql.or(zVpTokenPex);
+// src/vp-token/parse-vp-token.ts
+function parsePexVpToken(vpToken) {
+  const parsedVpToken = parseWithErrorHandling5(
+    zVpTokenPex,
+    parseIfJson2(vpToken),
+    "Could not parse presentation exchange vp_token. Expected a string or an array of strings"
   );
+  return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
 }
-function parseDcqlPresentationFromVpToken(options) {
-  const { vpToken: _vpToken } = options;
-  const vpToken = parseIfJson2(_vpToken);
-  const parsed = parseWithErrorHandling5(z17.object({}).passthrough(), vpToken);
-  const dcqlPresentationRecord = Object.fromEntries(
-    Object.entries(parsed).map(([key, value]) => {
-      return [key, parseSinglePresentationFromVpToken({ vpToken: value })];
-    })
+function parseDcqlVpToken(vpToken) {
+  return parseWithErrorHandling5(
+    zVpTokenDcql,
+    parseIfJson2(vpToken),
+    "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
   );
-  return dcqlPresentationRecord;
-}
-function parseSinglePresentationFromVpToken(options) {
-  const { vpToken: _vpToken, path } = options;
-  const vpToken = parseIfJson2(_vpToken);
-  const zLdpVpProof = z17.object({ challenge: z17.string().optional() }).passthrough();
-  const ldpVpParseResult = z17.object({
-    "@context": z17.string().optional(),
-    verifiableCredential: z17.string().optional(),
-    proof: z17.union([zLdpVpProof, z17.array(zLdpVpProof)]).optional()
-  }).passthrough().safeParse(vpToken);
-  if (ldpVpParseResult.success && (ldpVpParseResult.data["@context"] || ldpVpParseResult.data.verifiableCredential)) {
-    const challenge = Array.isArray(ldpVpParseResult.data.proof) ? ldpVpParseResult.data.proof.map((proof) => proof.challenge) : ldpVpParseResult.data.proof?.challenge;
-    if (Array.isArray(challenge)) {
-      const allNoncesAreTheSame = challenge.every((nonce) => nonce === challenge[0]);
-      if (!allNoncesAreTheSame) {
-        throw new Oauth2Error10(
-          "Failed to parse presentation from vp_token. LDP presentation is missing the proof.challenge parameter."
-        );
-      }
-    }
-    if (!challenge) {
-      throw new Oauth2Error10(
-        "Failed to parse presentation from vp_token. LDP presentation is missing the proof.challenge parameter."
-      );
-    }
-    return {
-      format: "ldp_vp",
-      presentation: ldpVpParseResult,
-      path,
-      nonce: Array.isArray(challenge) ? challenge[0] : challenge
-    };
-  }
-  if (isObject(vpToken) && (vpToken.schema_id || vpToken.cred_def_id)) {
-    return {
-      format: "ac_vp",
-      presentation: vpToken,
-      path: options.path
-    };
-  }
-  if (typeof vpToken !== "string") {
-    throw new Oauth2Error10(
-      `Could not parse vp_token. Expected a string since the vp_token is neither a ldp_vp nor an ac_vp. Received: ${typeof vpToken}`
-    );
-  }
-  if (vpToken.includes("~")) {
-    const split = vpToken.split("~");
-    const keyBindingJwt = split[split.length - 1];
-    let nonce;
-    try {
-      const decoded = decodeJwt4({ jwt: keyBindingJwt });
-      nonce = decoded.payload.nonce;
-    } catch (error) {
-      nonce = void 0;
-    }
-    return {
-      format: "dc+sd-jwt",
-      presentation: vpToken,
-      path: options.path
-    };
-  }
-  const result = zCompactJwt3.safeParse(vpToken);
-  if (result.success) {
-    let nonce;
-    try {
-      const decoded = decodeJwt4({ jwt: vpToken });
-      nonce = decoded.payload.nonce;
-    } catch (error) {
-      nonce = void 0;
-    }
-    return {
-      format: "jwt_vp_json",
-      presentation: vpToken,
-      path: options.path,
-      nonce
-    };
-  }
-  return {
-    format: "mso_mdoc",
-    presentation: vpToken,
-    path: options.path
-  };
 }
 // src/authorization-response/validate-authorization-response.ts
-function validateOpenid4vpAuthorizationResponse(options) {
+function validateOpenid4vpAuthorizationResponsePayload(options) {
   const { requestPayload, responsePayload } = options;
-  if (!responsePayload.vp_token) {
-    throw new Oauth2Error11("Failed to verify OpenId4Vp Authorization Response. vp_token is missing.");
-  }
   if ("state" in requestPayload && requestPayload.state !== responsePayload.state) {
-    throw new Oauth2Error11("OpenId4Vp Authorization Response state mismatch.");
+    throw new Oauth2Error10("OpenId4Vp Authorization Response state mismatch.");
   }
   if (responsePayload.id_token) {
-    throw new Oauth2Error11("OpenId4Vp Authorization Response id_token is not supported.");
+    throw new Oauth2Error10("OpenId4Vp Authorization Response id_token is not supported.");
   }
   if (responsePayload.presentation_submission) {
     if (!requestPayload.presentation_definition) {
-      throw new Oauth2Error11("OpenId4Vp Authorization Request is missing the required presentation_definition.");
-    }
-    const presentations = parsePresentationsFromVpToken({ vpToken: responsePayload.vp_token });
-    if (presentations.every((p) => p.nonce) && !presentations.every((p) => p.nonce === requestPayload.nonce)) {
-      throw new Oauth2Error11(
-        "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
-      );
+      throw new Oauth2Error10("OpenId4Vp Authorization Request is missing the required presentation_definition.");
     }
     return {
       type: "pex",
       pex: "scope" in requestPayload && requestPayload.scope ? {
         scope: requestPayload.scope,
         presentationSubmission: responsePayload.presentation_submission,
-        presentations
+        presentations: parsePexVpToken(responsePayload.vp_token)
       } : {
         presentationDefinition: requestPayload.presentation_definition,
         presentationSubmission: responsePayload.presentation_submission,
-        presentations
+        presentations: parsePexVpToken(responsePayload.vp_token)
       }
     };
   }
   if (requestPayload.dcql_query) {
-    if (Array.isArray(responsePayload.vp_token)) {
-      throw new Oauth2Error11(
-        "The OpenId4Vp Authorization Response contains multiple vp_token values. In combination with dcql this is not possible."
-      );
-    }
-    if (typeof responsePayload.vp_token !== "string" && typeof responsePayload.vp_token !== "object") {
-      throw new Oauth2Error11("With DCQL the vp_token must be a JSON-encoded object.");
-    }
-    const presentation = parseDcqlPresentationFromVpToken({ vpToken: responsePayload.vp_token });
-    if (Object.values(presentation).every((p) => p.nonce) && !Object.values(presentation).every((p) => p.nonce === requestPayload.nonce)) {
-      throw new Oauth2Error11(
-        "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
-      );
-    }
+    const presentations = parseDcqlVpToken(responsePayload.vp_token);
     return {
       type: "dcql",
       dcql: "scope" in requestPayload && requestPayload.scope ? {
         scope: requestPayload.scope,
-        presentation
+        presentations
       } : {
         query: requestPayload.dcql_query,
-        presentation
+        presentations
       }
     };
   }
-  throw new Oauth2Error11(
-    "Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor a dcql_query."
+  throw new Oauth2Error10(
+    "Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query."
   );
 }
 // src/authorization-response/parse-authorization-response.ts
-import { Oauth2Error as Oauth2Error13, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError12 } from "@openid4vc/oauth2";
+import { Oauth2Error as Oauth2Error12, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError12 } from "@openid4vc/oauth2";
 // src/authorization-response/parse-authorization-response-payload.ts
 import { parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/utils";
@@ -1603,16 +1506,17 @@ import { parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/ut
 // src/authorization-response/z-authorization-response.ts
 import { z as z19 } from "zod";
-// src/vp-token/z-vp-token.ts
+// src/models/z-pex.ts
 import { z as z18 } from "zod";
-var zVpToken = z18.union([z18.string(), z18.array(z18.union([z18.string(), z18.record(z18.any())])), z18.record(z18.any())]);
+var zPexPresentationDefinition = z18.record(z18.any());
+var zPexPresentationSubmission = z18.record(z18.any());
 // src/authorization-response/z-authorization-response.ts
 var zOpenid4vpAuthorizationResponse = z19.object({
   state: z19.string().optional(),
   id_token: z19.string().optional(),
   vp_token: zVpToken,
-  presentation_submission: z19.unknown().optional(),
+  presentation_submission: zPexPresentationSubmission.optional(),
   refresh_token: z19.string().optional(),
   token_type: z19.string().optional(),
   access_token: z19.string().optional(),
@@ -1629,24 +1533,17 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
 }
 // src/authorization-response/parse-jarm-authorization-response.ts
-import {
-  Oauth2Error as Oauth2Error12,
-  decodeJwtHeader as decodeJwtHeader2,
-  zCompactJwe as zCompactJwe3,
-  zCompactJwt as zCompactJwt4,
-  zJwtHeader as zJwtHeader2
-} from "@openid4vc/oauth2";
+import { Oauth2Error as Oauth2Error11, decodeJwtHeader as decodeJwtHeader2, zCompactJwe as zCompactJwe3, zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
 import { decodeBase64 as decodeBase642, encodeToUtf8String as encodeToUtf8String2, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
 import z20 from "zod";
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks } = options;
   const jarmAuthorizationResponseJwt = parseWithErrorHandling7(
-    z20.union([zCompactJwt4, zCompactJwe3]),
+    z20.union([zCompactJwt3, zCompactJwe3]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
   const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks });
-  const zJarmHeader = z20.object({ ...zJwtHeader2.shape, apu: z20.string().optional(), apv: z20.string().optional() });
   const { header: jarmHeader } = decodeJwtHeader2({
     jwt: jarmAuthorizationResponseJwt,
     headerSchema: zJarmHeader
@@ -1655,17 +1552,17 @@ async function parseJarmAuthorizationResponse(options) {
     authorizationRequest: verifiedJarmResponse.authorizationRequest
   });
   if (parsedAuthorizationRequest.type !== "openid4vp" && parsedAuthorizationRequest.type !== "openid4vp_dc_api") {
-    throw new Oauth2Error12("Invalid authorization request. Could not parse openid4vp authorization request.");
+    throw new Oauth2Error11("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
-  const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
-  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
+  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
+  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
     requestPayload: parsedAuthorizationRequest.params,
-    responsePayload: authResponsePayload
+    responsePayload: authorizationResponsePayload
   });
-  const authRequestPayload = parsedAuthorizationRequest.params;
-  if (!authRequestPayload.response_mode || !isJarmResponseMode(authRequestPayload.response_mode)) {
-    throw new Oauth2Error12(
-      `Invalid response mode for jarm response. Response mode: '${authRequestPayload.response_mode ?? "fragment"}'`
+  const authorizationRequestPayload = parsedAuthorizationRequest.params;
+  if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {
+    throw new Oauth2Error11(
+      `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`
     );
   }
   let mdocGeneratedNonce = void 0;
@@ -1674,15 +1571,16 @@ async function parseJarmAuthorizationResponse(options) {
   }
   if (jarmHeader?.apv) {
     const jarmRequestNonce = encodeToUtf8String2(decodeBase642(jarmHeader.apv));
-    if (jarmRequestNonce !== authRequestPayload.nonce) {
-      throw new Oauth2Error12("The nonce in the jarm header does not match the nonce in the request.");
+    if (jarmRequestNonce !== authorizationRequestPayload.nonce) {
+      throw new Oauth2Error11("The nonce in the jarm header does not match the nonce in the request.");
     }
   }
   return {
     ...validateOpenId4vpResponse,
     jarm: { ...verifiedJarmResponse, jarmHeader, mdocGeneratedNonce },
-    authResponsePayload,
-    authRequestPayload
+    expectedNonce: authorizationRequestPayload.nonce,
+    authorizationResponsePayload,
+    authorizationRequestPayload
   };
 }
@@ -1692,18 +1590,18 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   if (responsePayload.response) {
     return parseJarmAuthorizationResponse({ jarmResponseJwt: responsePayload.response, callbacks });
   }
-  const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload);
-  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authResponsePayload);
+  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload);
+  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authorizationResponsePayload);
   const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest });
   if (parsedAuthRequest.type !== "openid4vp" && parsedAuthRequest.type !== "openid4vp_dc_api") {
-    throw new Oauth2Error13("Invalid authorization request. Could not parse openid4vp authorization request.");
+    throw new Oauth2Error12("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
-  const authRequestPayload = parsedAuthRequest.params;
-  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
-    requestPayload: authRequestPayload,
-    responsePayload: authResponsePayload
+  const authorizationRequestPayload = parsedAuthRequest.params;
+  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
+    requestPayload: authorizationRequestPayload,
+    responsePayload: authorizationResponsePayload
   });
-  if (authRequestPayload.response_mode && isJarmResponseMode(authRequestPayload.response_mode)) {
+  if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {
     throw new Oauth2ServerErrorResponseError12(
       {
         error: "invalid_request",
@@ -1716,8 +1614,9 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   }
   return {
     ...validateOpenId4vpResponse,
-    authResponsePayload,
-    authRequestPayload,
+    expectedNonce: authorizationRequestPayload.nonce,
+    authorizationResponsePayload,
+    authorizationRequestPayload,
     jarm: void 0
   };
 }
@@ -1755,11 +1654,14 @@ var Openid4vpVerifier = class {
   parseOpenid4vpAuthorizationResponse(options) {
     return parseOpenid4vpAuthorizationResponse(options);
   }
-  validateOpenid4vpAuthorizationResponse(options) {
-    return validateOpenid4vpAuthorizationResponse(options);
+  validateOpenid4vpAuthorizationResponsePayload(options) {
+    return validateOpenid4vpAuthorizationResponsePayload(options);
+  }
+  parsePexVpToken(vpToken) {
+    return parsePexVpToken(vpToken);
   }
-  parsePresentationsFromVpToken(options) {
-    return parsePresentationsFromVpToken(options);
+  parseDcqlVpToken(vpToken) {
+    return parseDcqlVpToken(vpToken);
   }
   parseTransactionData(options) {
     return parseTransactionData(options);
@@ -1780,15 +1682,16 @@ export {
   createOpenid4vpAuthorizationResponse,
   isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi,
+  parseDcqlVpToken,
   parseJarmAuthorizationResponse,
   parseOpenid4vpAuthorizationRequestPayload,
   parseOpenid4vpAuthorizationResponse,
-  parsePresentationsFromVpToken,
+  parsePexVpToken,
   parseTransactionData,
   resolveOpenid4vpAuthorizationRequest,
   submitOpenid4vpAuthorizationResponse,
   validateOpenid4vpAuthorizationRequestPayload,
-  validateOpenid4vpAuthorizationResponse,
+  validateOpenid4vpAuthorizationResponsePayload,
   verifyJarmAuthorizationResponse,
   zClientIdScheme,
   zClientMetadata,