@openid4vc/openid4vp 0.3.0-alpha-20250707121837 → 0.3.0-alpha-20250711140312

package/dist/index.mjs

@@ -728,6 +728,110 @@ async function verifyJarmAuthorizationResponse(options) {
   return { jarmAuthorizationResponse, type, issuer };
 }
 
+// src/version.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes2, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError2 } from "@openid4vc/oauth2";
+function parseAuthorizationRequestVersion(request) {
+  const requirements = [];
+  if (request.verifier_info) {
+    requirements.push([">=", 100]);
+  }
+  if (request.verifier_attestations) {
+    requirements.push(["<", 100]);
+  }
+  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
+    requirements.push([">=", 28]);
+  }
+  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
+    requirements.push(["<", 28]);
+  }
+  if (request.client_metadata?.vp_formats) {
+    requirements.push([">=", 27]);
+  }
+  if (request.client_metadata?.vp_formats_supported) {
+    requirements.push(["<", 27]);
+  }
+  if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
+    requirements.push([">=", 26]);
+  }
+  if (request.client_id?.startsWith("did:")) {
+    requirements.push(["<", 26]);
+  }
+  if (request.presentation_definition || request.presentation_definition_uri) {
+    requirements.push([">=", 26]);
+  }
+  if (request.verifier_attestations) {
+    requirements.push([">=", 26]);
+  }
+  if (request.client_id?.startsWith("x509_san_uri:")) {
+    requirements.push(["<", 25]);
+  }
+  if (request.client_id?.startsWith("x509_hash:")) {
+    requirements.push([">=", 25]);
+  }
+  if (request.client_id?.startsWith("web-origin:")) {
+    requirements.push(["<", 25]);
+  }
+  if (request.client_id?.startsWith("origin:")) {
+    requirements.push([">=", 25]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
+    requirements.push(["<", 23]);
+    requirements.push([">=", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
+    requirements.push([">=", 23]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
+    requirements.push([">=", 23]);
+  }
+  if (request.transaction_data) {
+    requirements.push([">=", 22]);
+  }
+  if (request.client_id_scheme) {
+    requirements.push(["<", 22]);
+  }
+  if (request.client_id) {
+    const colonIndex = request.client_id.indexOf(":");
+    const schemePart = request.client_id.substring(0, colonIndex);
+    const parsedScheme = zClientIdPrefix.safeParse(schemePart);
+    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
+      requirements.push([">=", 22]);
+    }
+  }
+  if (!request.client_id) {
+    requirements.push([">=", 21]);
+  }
+  if (request.dcql_query) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_metadata_uri) {
+    requirements.push(["<", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+    requirements.push([">=", 21]);
+  }
+  if (request.request_uri_method || request.wallet_nonce) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_id_scheme === "verifier_attestation") {
+    requirements.push([">=", 20]);
+  }
+  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
+    requirements.push([">=", 19]);
+  }
+  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
+  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
+  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
+  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
+  if (lowestRequiredVersion > highestPossibleVersion) {
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
+      error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
+    });
+  }
+  return highestPossibleVersion;
+}
+
 // src/authorization-request/create-authorization-request.ts
 import { Oauth2Error as Oauth2Error4 } from "@openid4vc/oauth2";
 import { URL as URL3, URLSearchParams, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
@@ -763,94 +867,94 @@ async function createJarAuthorizationRequest(options) {
 }
 
 // src/authorization-request/validate-authorization-request.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes2, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError2 } from "@openid4vc/oauth2";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError3 } from "@openid4vc/oauth2";
 import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
 var validateOpenid4vpAuthorizationRequestPayload = (options) => {
   const { params, walletVerificationOptions } = options;
   if (!params.redirect_uri && !params.response_uri) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
     });
   }
   if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
     });
   }
   if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
     Boolean
   ).length > 1) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
     });
   }
   if (params.request_uri_method && !params.request_uri) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
     });
   }
   if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequestUriMethod,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequestUriMethod,
       error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
     });
   }
   if (params.trust_chain && !zHttpsUrl4.safeParse(params.client_id).success) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
     });
   }
   if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
     });
   }
   if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
     });
   }
   if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
     });
   }
 };
 
 // src/authorization-request/validate-authorization-request-dc-api.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError3 } from "@openid4vc/oauth2";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
 var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
   const { params, isJarRequest, disableOriginValidation, origin } = options;
   if (isJarRequest && !params.expected_origins) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError4({
+      error: Oauth2ErrorCodes4.InvalidRequest,
       error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
     });
   }
   if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError4({
+      error: Oauth2ErrorCodes4.InvalidRequest,
       error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
     });
   }
   if (params.expected_origins && !disableOriginValidation) {
     if (!origin) {
-      throw new Oauth2ServerErrorResponseError3({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError4({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
       });
     }
     if (params.expected_origins && !params.expected_origins.includes(origin)) {
-      throw new Oauth2ServerErrorResponseError3({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError4({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
       });
     }
@@ -932,7 +1036,7 @@ import { parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/ut
 import z11 from "zod";
 
 // src/jar/z-jar-authorization-request.ts
-import { Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
+import { Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
 import { zHttpsUrl as zHttpsUrl5 } from "@openid4vc/utils";
 import { z as z10 } from "zod";
 var zJarAuthorizationRequest = z10.object({
@@ -944,13 +1048,13 @@ var zJarAuthorizationRequest = z10.object({
 function validateJarRequestParams(options) {
   const { jarRequestParams } = options;
   if (jarRequestParams.request && jarRequestParams.request_uri) {
-    throw new Oauth2ServerErrorResponseError4({
+    throw new Oauth2ServerErrorResponseError5({
       error: "invalid_request_object",
       error_description: "request and request_uri cannot both be present in a JAR request"
     });
   }
   if (!jarRequestParams.request && !jarRequestParams.request_uri) {
-    throw new Oauth2ServerErrorResponseError4({
+    throw new Oauth2ServerErrorResponseError5({
       error: "invalid_request_object",
       error_description: "request or request_uri must be present"
     });
@@ -1013,7 +1117,7 @@ import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/ut
 import z15 from "zod";
 
 // src/fetch-client-metadata.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
 import { ContentType, createZodFetcher } from "@openid4vc/utils";
 async function fetchClientMetadata(options) {
   const { fetch, clientMetadataUri } = options;
@@ -1025,15 +1129,15 @@ async function fetchClientMetadata(options) {
     }
   });
   if (!response.ok) {
-    throw new Oauth2ServerErrorResponseError5({
+    throw new Oauth2ServerErrorResponseError6({
       error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
-      error: Oauth2ErrorCodes4.InvalidRequestUri
+      error: Oauth2ErrorCodes5.InvalidRequestUri
     });
   }
   if (!result || !result.success) {
-    throw new Oauth2ServerErrorResponseError5({
+    throw new Oauth2ServerErrorResponseError6({
       error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
-      error: Oauth2ErrorCodes4.InvalidRequestObject
+      error: Oauth2ErrorCodes5.InvalidRequestObject
     });
   }
   return result.data;
@@ -1052,110 +1156,6 @@ import {
 } from "@openid4vc/oauth2";
 import z13 from "zod";
 
-// src/version.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
-function parseAuthorizationRequestVersion(request) {
-  const requirements = [];
-  if (request.verifier_info) {
-    requirements.push([">=", 29]);
-  }
-  if (request.verifier_attestations) {
-    requirements.push(["<", 29]);
-  }
-  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
-    requirements.push([">=", 28]);
-  }
-  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
-    requirements.push(["<", 28]);
-  }
-  if (request.client_metadata?.vp_formats) {
-    requirements.push([">=", 27]);
-  }
-  if (request.client_metadata?.vp_formats_supported) {
-    requirements.push(["<", 27]);
-  }
-  if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
-    requirements.push([">=", 26]);
-  }
-  if (request.client_id?.startsWith("did:")) {
-    requirements.push(["<", 26]);
-  }
-  if (request.presentation_definition || request.presentation_definition_uri) {
-    requirements.push([">=", 26]);
-  }
-  if (request.verifier_attestations) {
-    requirements.push([">=", 26]);
-  }
-  if (request.client_id?.startsWith("x509_san_uri:")) {
-    requirements.push(["<", 25]);
-  }
-  if (request.client_id?.startsWith("x509_hash:")) {
-    requirements.push([">=", 25]);
-  }
-  if (request.client_id?.startsWith("web-origin:")) {
-    requirements.push(["<", 25]);
-  }
-  if (request.client_id?.startsWith("origin:")) {
-    requirements.push([">=", 25]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
-    requirements.push(["<", 23]);
-    requirements.push([">=", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
-    requirements.push([">=", 23]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
-    requirements.push([">=", 23]);
-  }
-  if (request.transaction_data) {
-    requirements.push([">=", 22]);
-  }
-  if (request.client_id_scheme) {
-    requirements.push(["<", 22]);
-  }
-  if (request.client_id) {
-    const colonIndex = request.client_id.indexOf(":");
-    const schemePart = request.client_id.substring(0, colonIndex);
-    const parsedScheme = zClientIdPrefix.safeParse(schemePart);
-    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
-      requirements.push([">=", 22]);
-    }
-  }
-  if (!request.client_id) {
-    requirements.push([">=", 21]);
-  }
-  if (request.dcql_query) {
-    requirements.push([">=", 21]);
-  }
-  if (request.client_metadata_uri) {
-    requirements.push(["<", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
-    requirements.push([">=", 21]);
-  }
-  if (request.request_uri_method || request.wallet_nonce) {
-    requirements.push([">=", 21]);
-  }
-  if (request.client_id_scheme === "verifier_attestation") {
-    requirements.push([">=", 20]);
-  }
-  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
-    requirements.push([">=", 19]);
-  }
-  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
-  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
-  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 29;
-  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
-  if (lowestRequiredVersion > highestPossibleVersion) {
-    throw new Oauth2ServerErrorResponseError6({
-      error: Oauth2ErrorCodes5.InvalidRequest,
-      error_description: "Could not infer openid4vp version from the openid4vp request payload."
-    });
-  }
-  return highestPossibleVersion;
-}
-
 // src/jar/jar-request-object/fetch-jar-request-object.ts
 import { Oauth2ErrorCodes as Oauth2ErrorCodes6, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError7 } from "@openid4vc/oauth2";
 import { ContentType as ContentType2, createFetcher, objectToQueryParams as objectToQueryParams2 } from "@openid4vc/utils";
@@ -1747,18 +1747,24 @@ import { parseIfJson as parseIfJson2, parseWithErrorHandling as parseWithErrorHa
 
 // src/vp-token/z-vp-token.ts
 import { z as z17 } from "zod";
-var zVpTokenPexEntry = z17.union([z17.string(), z17.record(z17.any())], {
-  message: "pex vp_token entry must be a string or object"
+var zVpTokenPresentationEntry = z17.union([z17.string(), z17.record(z17.any())], {
+  message: "vp_token presentation entry must be string or object"
 });
 var zVpTokenPex = z17.union(
-  [zVpTokenPexEntry, z17.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
+  [
+    zVpTokenPresentationEntry,
+    z17.array(zVpTokenPresentationEntry).nonempty("Must have at least entry in vp_token array")
+  ],
   {
-    message: "pex vp_token must be a string, object or array of strings and objects"
+    message: "pex vp_token must be a string, object or non-empty array of strings and objects"
+  }
+);
+var zVpTokenDcql = z17.record(
+  z17.union([z17.array(zVpTokenPresentationEntry).nonempty(), zVpTokenPresentationEntry]),
+  {
+    message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object"
   }
 );
-var zVpTokenDcql = z17.record(z17.union([z17.string(), z17.record(z17.any())]), {
-  message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
-});
 var zVpToken = zVpTokenDcql.or(zVpTokenPex);
 
 // src/vp-token/parse-vp-token.ts
@@ -1771,11 +1777,17 @@ function parsePexVpToken(vpToken) {
   return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
 }
 function parseDcqlVpToken(vpToken) {
-  return parseWithErrorHandling5(
+  const parsedVpToken = parseWithErrorHandling5(
     zVpTokenDcql,
     parseIfJson2(vpToken),
     "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
   );
+  return Object.fromEntries(
+    Object.entries(parsedVpToken).map(([queryId, presentations]) => [
+      queryId,
+      Array.isArray(presentations) ? presentations : [presentations]
+    ])
+  );
 }
 
 // src/authorization-response/validate-authorization-response.ts
@@ -2094,6 +2106,7 @@ export {
   getOpenid4vpClientId,
   isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi,
+  parseAuthorizationRequestVersion,
   parseDcqlVpToken,
   parseJarmAuthorizationResponse,
   parseOpenid4VpAuthorizationResponsePayload,