@openvtc/pnm-core 0.1.0
- package/README.md +129 -0
- package/dist/did/derive-signing-key.d.ts +19 -0
- package/dist/did/derive-signing-key.d.ts.map +1 -0
- package/dist/did/derive-signing-key.js +96 -0
- package/dist/did/derive-signing-key.js.map +1 -0
- package/dist/did/index.d.ts +5 -0
- package/dist/did/index.d.ts.map +1 -0
- package/dist/did/index.js +5 -0
- package/dist/did/index.js.map +1 -0
- package/dist/did/peer.d.ts +37 -0
- package/dist/did/peer.d.ts.map +1 -0
- package/dist/did/peer.js +49 -0
- package/dist/did/peer.js.map +1 -0
- package/dist/did/verification-method.d.ts +43 -0
- package/dist/did/verification-method.d.ts.map +1 -0
- package/dist/did/verification-method.js +32 -0
- package/dist/did/verification-method.js.map +1 -0
- package/dist/did/verify.d.ts +49 -0
- package/dist/did/verify.d.ts.map +1 -0
- package/dist/did/verify.js +89 -0
- package/dist/did/verify.js.map +1 -0
- package/dist/didcomm/index.d.ts +235 -0
- package/dist/didcomm/index.d.ts.map +1 -0
- package/dist/didcomm/index.js +415 -0
- package/dist/didcomm/index.js.map +1 -0
- package/dist/inbound/confirm.d.ts +50 -0
- package/dist/inbound/confirm.d.ts.map +1 -0
- package/dist/inbound/confirm.js +64 -0
- package/dist/inbound/confirm.js.map +1 -0
- package/dist/inbound/dedup.d.ts +9 -0
- package/dist/inbound/dedup.d.ts.map +1 -0
- package/dist/inbound/dedup.js +31 -0
- package/dist/inbound/dedup.js.map +1 -0
- package/dist/inbound/index.d.ts +3 -0
- package/dist/inbound/index.d.ts.map +1 -0
- package/dist/inbound/index.js +3 -0
- package/dist/inbound/index.js.map +1 -0
- package/dist/index.d.ts +14 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +14 -0
- package/dist/index.js.map +1 -0
- package/dist/onboarding/index.d.ts +2 -0
- package/dist/onboarding/index.d.ts.map +1 -0
- package/dist/onboarding/index.js +2 -0
- package/dist/onboarding/index.js.map +1 -0
- package/dist/onboarding/swap.d.ts +60 -0
- package/dist/onboarding/swap.d.ts.map +1 -0
- package/dist/onboarding/swap.js +148 -0
- package/dist/onboarding/swap.js.map +1 -0
- package/dist/provision/adopt.d.ts +31 -0
- package/dist/provision/adopt.d.ts.map +1 -0
- package/dist/provision/adopt.js +114 -0
- package/dist/provision/adopt.js.map +1 -0
- package/dist/provision/armor.d.ts +19 -0
- package/dist/provision/armor.d.ts.map +1 -0
- package/dist/provision/armor.js +243 -0
- package/dist/provision/armor.js.map +1 -0
- package/dist/provision/crc24.d.ts +5 -0
- package/dist/provision/crc24.d.ts.map +1 -0
- package/dist/provision/crc24.js +30 -0
- package/dist/provision/crc24.js.map +1 -0
- package/dist/provision/hpke.d.ts +17 -0
- package/dist/provision/hpke.d.ts.map +1 -0
- package/dist/provision/hpke.js +60 -0
- package/dist/provision/hpke.js.map +1 -0
- package/dist/provision/index.d.ts +10 -0
- package/dist/provision/index.d.ts.map +1 -0
- package/dist/provision/index.js +16 -0
- package/dist/provision/index.js.map +1 -0
- package/dist/provision/open.d.ts +28 -0
- package/dist/provision/open.d.ts.map +1 -0
- package/dist/provision/open.js +224 -0
- package/dist/provision/open.js.map +1 -0
- package/dist/provision/request.d.ts +65 -0
- package/dist/provision/request.d.ts.map +1 -0
- package/dist/provision/request.js +53 -0
- package/dist/provision/request.js.map +1 -0
- package/dist/provision/run.d.ts +76 -0
- package/dist/provision/run.d.ts.map +1 -0
- package/dist/provision/run.js +110 -0
- package/dist/provision/run.js.map +1 -0
- package/dist/provision/send.d.ts +85 -0
- package/dist/provision/send.d.ts.map +1 -0
- package/dist/provision/send.js +87 -0
- package/dist/provision/send.js.map +1 -0
- package/dist/provision/types.d.ts +110 -0
- package/dist/provision/types.d.ts.map +1 -0
- package/dist/provision/types.js +17 -0
- package/dist/provision/types.js.map +1 -0
- package/dist/rp-login/didcomm.d.ts +34 -0
- package/dist/rp-login/didcomm.d.ts.map +1 -0
- package/dist/rp-login/didcomm.js +72 -0
- package/dist/rp-login/didcomm.js.map +1 -0
- package/dist/rp-login/index.d.ts +3 -0
- package/dist/rp-login/index.d.ts.map +1 -0
- package/dist/rp-login/index.js +3 -0
- package/dist/rp-login/index.js.map +1 -0
- package/dist/rp-login/step-up.d.ts +43 -0
- package/dist/rp-login/step-up.d.ts.map +1 -0
- package/dist/rp-login/step-up.js +118 -0
- package/dist/rp-login/step-up.js.map +1 -0
- package/dist/siop/index.d.ts +3 -0
- package/dist/siop/index.d.ts.map +1 -0
- package/dist/siop/index.js +3 -0
- package/dist/siop/index.js.map +1 -0
- package/dist/siop/login-client.d.ts +29 -0
- package/dist/siop/login-client.d.ts.map +1 -0
- package/dist/siop/login-client.js +79 -0
- package/dist/siop/login-client.js.map +1 -0
- package/dist/siop/self-issued.d.ts +96 -0
- package/dist/siop/self-issued.d.ts.map +1 -0
- package/dist/siop/self-issued.js +162 -0
- package/dist/siop/self-issued.js.map +1 -0
- package/dist/store/holder-identity.d.ts +241 -0
- package/dist/store/holder-identity.d.ts.map +1 -0
- package/dist/store/holder-identity.js +441 -0
- package/dist/store/holder-identity.js.map +1 -0
- package/dist/store/index.d.ts +4 -0
- package/dist/store/index.d.ts.map +1 -0
- package/dist/store/index.js +4 -0
- package/dist/store/index.js.map +1 -0
- package/dist/store/kv-store.d.ts +51 -0
- package/dist/store/kv-store.d.ts.map +1 -0
- package/dist/store/kv-store.js +100 -0
- package/dist/store/kv-store.js.map +1 -0
- package/dist/store/secret-wrap.d.ts +109 -0
- package/dist/store/secret-wrap.d.ts.map +1 -0
- package/dist/store/secret-wrap.js +85 -0
- package/dist/store/secret-wrap.js.map +1 -0
- package/dist/trust-tasks/index.d.ts +2 -0
- package/dist/trust-tasks/index.d.ts.map +1 -0
- package/dist/trust-tasks/index.js +2 -0
- package/dist/trust-tasks/index.js.map +1 -0
- package/dist/trust-tasks/sign.d.ts +31 -0
- package/dist/trust-tasks/sign.d.ts.map +1 -0
- package/dist/trust-tasks/sign.js +141 -0
- package/dist/trust-tasks/sign.js.map +1 -0
- package/dist/util/timing.d.ts +14 -0
- package/dist/util/timing.d.ts.map +1 -0
- package/dist/util/timing.js +20 -0
- package/dist/util/timing.js.map +1 -0
- package/dist/vault/delete.d.ts +19 -0
- package/dist/vault/delete.d.ts.map +1 -0
- package/dist/vault/delete.js +35 -0
- package/dist/vault/delete.js.map +1 -0
- package/dist/vault/index.d.ts +8 -0
- package/dist/vault/index.d.ts.map +1 -0
- package/dist/vault/index.js +7 -0
- package/dist/vault/index.js.map +1 -0
- package/dist/vault/list.d.ts +96 -0
- package/dist/vault/list.d.ts.map +1 -0
- package/dist/vault/list.js +106 -0
- package/dist/vault/list.js.map +1 -0
- package/dist/vault/proxy-login.d.ts +100 -0
- package/dist/vault/proxy-login.d.ts.map +1 -0
- package/dist/vault/proxy-login.js +106 -0
- package/dist/vault/proxy-login.js.map +1 -0
- package/dist/vault/release.d.ts +33 -0
- package/dist/vault/release.d.ts.map +1 -0
- package/dist/vault/release.js +83 -0
- package/dist/vault/release.js.map +1 -0
- package/dist/vault/sign-trust-task.d.ts +26 -0
- package/dist/vault/sign-trust-task.d.ts.map +1 -0
- package/dist/vault/sign-trust-task.js +53 -0
- package/dist/vault/sign-trust-task.js.map +1 -0
- package/dist/vault/transport.d.ts +50 -0
- package/dist/vault/transport.d.ts.map +1 -0
- package/dist/vault/transport.js +118 -0
- package/dist/vault/transport.js.map +1 -0
- package/dist/vault/upsert.d.ts +102 -0
- package/dist/vault/upsert.d.ts.map +1 -0
- package/dist/vault/upsert.js +92 -0
- package/dist/vault/upsert.js.map +1 -0
- package/dist/vta/bridge-mediator-session.d.ts +26 -0
- package/dist/vta/bridge-mediator-session.d.ts.map +1 -0
- package/dist/vta/bridge-mediator-session.js +37 -0
- package/dist/vta/bridge-mediator-session.js.map +1 -0
- package/dist/vta/bridge-memory.d.ts +80 -0
- package/dist/vta/bridge-memory.d.ts.map +1 -0
- package/dist/vta/bridge-memory.js +162 -0
- package/dist/vta/bridge-memory.js.map +1 -0
- package/dist/vta/client.d.ts +40 -0
- package/dist/vta/client.d.ts.map +1 -0
- package/dist/vta/client.js +91 -0
- package/dist/vta/client.js.map +1 -0
- package/dist/vta/contexts.d.ts +60 -0
- package/dist/vta/contexts.d.ts.map +1 -0
- package/dist/vta/contexts.js +118 -0
- package/dist/vta/contexts.js.map +1 -0
- package/dist/vta/didcomm.d.ts +57 -0
- package/dist/vta/didcomm.d.ts.map +1 -0
- package/dist/vta/didcomm.js +138 -0
- package/dist/vta/didcomm.js.map +1 -0
- package/dist/vta/errors.d.ts +20 -0
- package/dist/vta/errors.d.ts.map +1 -0
- package/dist/vta/errors.js +64 -0
- package/dist/vta/errors.js.map +1 -0
- package/dist/vta/index.d.ts +15 -0
- package/dist/vta/index.d.ts.map +1 -0
- package/dist/vta/index.js +15 -0
- package/dist/vta/index.js.map +1 -0
- package/dist/vta/mediation.d.ts +80 -0
- package/dist/vta/mediation.d.ts.map +1 -0
- package/dist/vta/mediation.js +29 -0
- package/dist/vta/mediation.js.map +1 -0
- package/dist/vta/mediator-client.d.ts +66 -0
- package/dist/vta/mediator-client.d.ts.map +1 -0
- package/dist/vta/mediator-client.js +139 -0
- package/dist/vta/mediator-client.js.map +1 -0
- package/dist/vta/pickup.d.ts +81 -0
- package/dist/vta/pickup.d.ts.map +1 -0
- package/dist/vta/pickup.js +30 -0
- package/dist/vta/pickup.js.map +1 -0
- package/dist/vta/protocol.d.ts +76 -0
- package/dist/vta/protocol.d.ts.map +1 -0
- package/dist/vta/protocol.js +30 -0
- package/dist/vta/protocol.js.map +1 -0
- package/dist/vta/smoke.d.ts +59 -0
- package/dist/vta/smoke.d.ts.map +1 -0
- package/dist/vta/smoke.js +408 -0
- package/dist/vta/smoke.js.map +1 -0
- package/dist/vta/transport.d.ts +55 -0
- package/dist/vta/transport.d.ts.map +1 -0
- package/dist/vta/transport.js +2 -0
- package/dist/vta/transport.js.map +1 -0
- package/dist/vta/types.d.ts +50 -0
- package/dist/vta/types.d.ts.map +1 -0
- package/dist/vta/types.js +2 -0
- package/dist/vta/types.js.map +1 -0
- package/dist/vta/wallet-session.d.ts +87 -0
- package/dist/vta/wallet-session.d.ts.map +1 -0
- package/dist/vta/wallet-session.js +106 -0
- package/dist/vta/wallet-session.js.map +1 -0
- package/dist/webauthn/base64url.d.ts +3 -0
- package/dist/webauthn/base64url.d.ts.map +1 -0
- package/dist/webauthn/base64url.js +17 -0
- package/dist/webauthn/base64url.js.map +1 -0
- package/dist/webauthn/index.d.ts +4 -0
- package/dist/webauthn/index.d.ts.map +1 -0
- package/dist/webauthn/index.js +4 -0
- package/dist/webauthn/index.js.map +1 -0
- package/dist/webauthn/multikey.d.ts +26 -0
- package/dist/webauthn/multikey.d.ts.map +1 -0
- package/dist/webauthn/multikey.js +91 -0
- package/dist/webauthn/multikey.js.map +1 -0
- package/dist/webauthn/register.d.ts +36 -0
- package/dist/webauthn/register.d.ts.map +1 -0
- package/dist/webauthn/register.js +77 -0
- package/dist/webauthn/register.js.map +1 -0
- package/package.json +56 -0
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"send.d.ts","sourceRoot":"","sources":["../../src/provision/send.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAiD,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACnG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAUvD;kDACkD;AAClD,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB;;2BAEuB;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED;;;;6CAI6C;AAC7C,qBAAa,2BAA4B,SAAQ,KAAK;IACpD,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;gBAC1B,MAAM,EAAE,oBAAoB;CAKzC;AAED;2EAC2E;AAC3E,MAAM,WAAW,+BAA+B;IAC9C,OAAO,EAAE,kBAAkB,CAAC;IAC5B;;;oDAGgD;IAChD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,YAAY,GAAG,aAAa,CAAC;IACzC,mEAAmE;IACnE,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,8DAA8D;IAC9D,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;4EAC4E;AAC5E,MAAM,WAAW,gCAAgC;IAC/C,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,gBAAgB,CAAC;CAC3B;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,+BAA+B;IAC9C;wDACoD;IACpD,MAAM,EAAE,oBAAoB,CAAC;IAC7B;8DAC0D;IAC1D,SAAS,EAAE,QAAQ,CAAC;IACpB,oEAAoE;IACpE,OAAO,EAAE,qBAAqB,CAAC;IAC/B,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IACjC,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,IAAI,EAAE,+BAA+B,CAAC;IACtC;;;qDAGiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;mCAEmC;AACnC,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,+BAA+B,GACpC,OAAO,CAAC,gCAAgC,CAAC,CA4D3C"}
|
|
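--- a/package/dist/provision/send.js
+++ b/package/dist/provision/send.js
@@ -0,0 +1,87 @@
+// DIDComm round-trip for the provision-integration flow.
+//
+// Mirrors `packages/core/src/onboarding/swap.ts` — same authcrypt-inner +
+// authcrypt-forward-outer + send-and-await-reply shape. The only thing
+// that differs is the message type URI and the body wire shape.
+//
+// Wire URIs (pre-spec-migration — see trust-tasks #51 for the canonical
+// Trust Task URI that the VTA will accept once implementation lands):
+// request: https://firstperson.network/protocols/provision-integration/1.0/provision-integration
+// reply: https://firstperson.network/protocols/provision-integration/1.0/provision-integration-result
+//
+// Body field naming on the wire matches the existing Rust types in
+// `vta-sdk::provision_integration::http` — `snake_case` for now. The
+// canonical Trust Task spec uses `camelCase`; that migration is a
+// separate downstream change that will keep both shapes accepted during
+// the deprecation window.
+import { packAuthcrypt, packAuthcryptJson, wrapForward } from "../didcomm/index.js";
+const PROVISION_INTEGRATION = "https://firstperson.network/protocols/provision-integration/1.0/provision-integration";
+const PROVISION_INTEGRATION_RESULT = "https://firstperson.network/protocols/provision-integration/1.0/provision-integration-result";
+const PROBLEM_REPORT_TYPE = "https://didcomm.org/report-problem/2.0/problem-report";
+const DEFAULT_TIMEOUT_MS = 60_000;
+/** Thrown by `sendProvisionIntegration` when the VTA replies with a
+* DIDComm problem-report rather than a success result. Carries the
+* structured fields so callers can branch on the code (e.g. the
+* popup's context-required recovery picker that reads
+* `report.args` as the candidates list). */
+export class ProvisionProblemReportError extends Error {
+report;
+constructor(report) {
+super(`provision-integration: ${report.code} — ${report.comment}`);
+this.name = "ProvisionProblemReportError";
+this.report = report;
+}
+}
+/** Pack + send the provision-integration request and return the reply
+* body. Throws on timeout, wrong reply type, sender mismatch, or any
+* problem-report from the VTA. */
+export async function sendProvisionIntegration(opts) {
+const { bridge, ephemeral, service, mediator, vtaDid, body } = opts;
+const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+const requestId = globalThis.crypto.randomUUID();
+const message = {
+id: requestId,
+type: PROVISION_INTEGRATION,
+from: ephemeral.did,
+to: [service.did],
+body,
+};
+const inner = await packAuthcrypt(message, ephemeral, [
+{ kid: service.keyAgreementKid, jwk: service.keyAgreementPublicJwk },
+]);
+let outer = inner;
+if (mediator) {
+const forwardJson = wrapForward(service.did, ephemeral.did, mediator.did, inner);
+outer = await packAuthcryptJson(forwardJson, ephemeral, [
+{ kid: mediator.keyAgreementKid, jwk: mediator.keyAgreementPublicJwk },
+]);
+}
+const reply = await bridge.sendAndAwaitReply(outer, requestId, { timeoutMs });
+if (reply.thid !== requestId) {
+throw new Error(`provision-integration: reply thid ${reply.thid ?? "(none)"} != request ${requestId}`);
+}
+if (reply.from !== vtaDid) {
+throw new Error(`provision-integration: reply from ${reply.from ?? "(none)"} != VTA ${vtaDid}`);
+}
+if (reply.type === PROBLEM_REPORT_TYPE) {
+// Throw a typed error so callers can branch on the code without
+// re-parsing the message string. The canonical case we surface a
+// UX for is `provision/integration:context_required` — the
+// wallet's popup catches the typed shape and shows the candidates
+// (in `report.args`) as a picker so the operator can choose.
+const body = (reply.body ?? {});
+throw new ProvisionProblemReportError({
+code: typeof body.code === "string" ? body.code : "(no code)",
+comment: typeof body.comment === "string" ? body.comment : "",
+args: Array.isArray(body.args) ? body.args.filter((a) => typeof a === "string") : [],
+});
+}
+if (reply.type !== PROVISION_INTEGRATION_RESULT) {
+// Unexpected reply type — not a problem-report and not the
+// expected result. Could happen if a future VTA version
+// introduces a new reply type the wallet doesn't know about.
+throw new Error(`provision-integration: ${reply.type ?? "(no type)"} — ${JSON.stringify(reply.body ?? {})}`);
+}
+return (reply.body ?? {});
+}
+//# sourceMappingURL=send.js.map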
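Review bot: The success path at line 85 of the hunk returns `reply.body ?? {}` with no shape check, so a reply of the right type but with a missing or non-object body is handed to the caller as an empty object typed as the result, while the problem-report branch just above validates every field it reads. At minimum guard the body before returning, `if (reply.body == null || typeof reply.body !== "object") throw new Error("provision-integration: result body missing");`, and check whichever result fields the caller relies on the same way `code`/`comment`/`args` are checked. The thid and sender checks at lines 60–65 are the right defenses to keep; note that `reply.from` is only as trustworthy as the bridge's authcrypt unwrapping, which this hunk cannot show. As a style point, the inner `const body` at line 72 shadows the request `body` destructured at line 39; naming it `reportBody` would avoid a misread. This is compiled output, so the fix belongs in `src/provision/send.ts`.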
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"send.js","sourceRoot":"","sources":["../../src/provision/send.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,EAAE;AACF,0EAA0E;AAC1E,uEAAuE;AACvE,gEAAgE;AAChE,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,oGAAoG;AACpG,2GAA2G;AAC3G,EAAE;AACF,mEAAmE;AACnE,qEAAqE;AACrE,kEAAkE;AAClE,wEAAwE;AACxE,0BAA0B;AAE1B,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,WAAW,EAAiB,MAAM,qBAAqB,CAAC;AAMnG,MAAM,qBAAqB,GACzB,uFAAuF,CAAC;AAC1F,MAAM,4BAA4B,GAChC,8FAA8F,CAAC;AACjG,MAAM,mBAAmB,GAAG,uDAAuD,CAAC;AAEpF,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAalC;;;;6CAI6C;AAC7C,MAAM,OAAO,2BAA4B,SAAQ,KAAK;IAC3C,MAAM,CAAuB;IACtC,YAAY,MAA4B;QACtC,KAAK,CAAC,0BAA0B,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,IAAI,GAAG,6BAA6B,CAAC;QAC1C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AA+DD;;mCAEmC;AACnC,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAqC;IAErC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;IACpE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAEvD,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;IACjD,MAAM,OAAO,GAAG;QACd,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,SAAS,CAAC,GAAG;QACnB,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;QACjB,IAAI;KACL,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,SAAS,EAAE;QACpD,EAAE,GAAG,EAAE,OAAO,CAAC,eAAe,EAAE,GAAG,EAAE,OAAO,CAAC,qBAAqB,EAAE;KACrE,CAAC,CAAC;IAEH,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjF,KAAK,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,SAAS,EAAE;YACtD,EAAE,GAAG,EAAE,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE,QAAQ,CAAC,qBAAqB,EAAE;SACvE,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAE9E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,qCAAqC,KAAK,CAAC,IAAI,IAAI,QAAQ,eAAe,SAAS,EAAE,CACtF,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,qCAAqC,KAAK,CAAC,IAAI,IAAI,QAAQ,WAAW,MAAM,EAAE,CAC/E,CAAC;IACJ,C
AAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACvC,gEAAgE;QAChE,iEAAiE;QACjE,2DAA2D;QAC3D,kEAAkE;QAClE,6DAA6D;QAC7D,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAkC,CAAC;QACjE,MAAM,IAAI,2BAA2B,CAAC;YACpC,IAAI,EAAE,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW;YAC7D,OAAO,EAAE,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YAC7D,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;SACrF,CAAC,CAAC;IACL,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,4BAA4B,EAAE,CAAC;QAChD,2DAA2D;QAC3D,wDAAwD;QACxD,6DAA6D;QAC7D,MAAM,IAAI,KAAK,CACb,0BAA0B,KAAK,CAAC,IAAI,IAAI,WAAW,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAC5F,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAqC,CAAC;AAChE,CAAC"}
|
|
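--- a/package/dist/provision/types.d.ts
+++ b/package/dist/provision/types.d.ts
@@ -0,0 +1,110 @@
+/** One armored block parsed from the BEGIN/END framing. */
+export interface ArmoredChunk {
+chunkIndex: number;
+totalChunks: number;
+/** CBOR-encoded HpkeSealed bytes. */
+sealedBytes: Uint8Array;
+}
+/** A bundle of armored chunks sharing a Bundle-Id. */
+export interface SealedBundle {
+/** 16 raw bytes. Decoded from the lowercase-hex `Bundle-Id:` header. */
+bundleId: Uint8Array;
+/** Verbatim from the armor header (`sha256` for VTA bundles today). */
+digestAlgo: string;
+chunks: ArmoredChunk[];
+}
+/** Wire layout for one HPKE-sealed chunk (CBOR-encoded inside ArmoredChunk.sealedBytes). */
+export interface HpkeSealed {
+/** X25519 ephemeral public key from the KEM encapsulation (32 bytes). */
+kem_encap: Uint8Array;
+/** AEAD-sealed bytes (ciphertext || tag). */
+aead_ciphertext: Uint8Array;
+}
+/** Wire shape for one chunk's plaintext (CBOR-encoded inside the HPKE seal). */
+export interface ChunkPlaintext {
+version: number;
+bundle_id: Uint8Array;
+chunk_index: number;
+total_chunks: number;
+/** Producer's `did:key` — present only on chunk 0. */
+producer_did?: string;
+/** Producer assertion — present only on chunk 0. */
+producer_assertion?: ProducerAssertion;
+/** CBOR-encoded fragment of the full SealedPayloadV1. */
+payload_fragment: Uint8Array;
+}
+export interface ProducerAssertion {
+producer_did: string;
+proof: AssertionProof;
+}
+/** Tagged enum on `type` — `did_signed`, `attested`, or `pinned_only`. */
+export type AssertionProof = {
+type: "did_signed";
+did: string;
+signature_b64: string;
+verification_method: string;
+} | {
+type: "attested";
+format: string;
+quote_b64: string;
+} | {
+type: "pinned_only";
+};
+/** Top-level sealed payload, externally-tagged enum.
+*
+* Wire shape is a CBOR map with exactly one key — the variant tag in
+* snake_case — whose value is the variant's body. Only the variants the
+* wallet might encounter are typed here; opening any other variant is a
+* programmer error and `parseSealedPayloadV1` returns the raw tag for the
+* call site to handle. */
+export type SealedPayloadV1 = {
+kind: "admin_rotation";
+body: AdminRotationPayload;
+} | {
+kind: "template_bootstrap";
+body: TemplateBootstrapPayload;
+} | {
+kind: "other";
+tag: string;
+body: unknown;
+};
+/** Payload carried by `SealedPayloadV1::AdminRotation`.
+*
+* Per the canonical Trust Task spec, the wallet pulls `admin.did` +
+* `admin.signing_key.private_key_multibase` (+ ka_key.private_key_multibase
+* for DIDComm) and discards the rest. */
+export interface AdminRotationPayload {
+/** VTA-issued VC (opaque JSON to the wallet — verified once at bundle open
+* by callers that care; the wallet does not). */
+authorization: unknown;
+/** Key material for the freshly-minted admin DID. */
+admin: DidKeyMaterial;
+/** URL the wallet can reach the VTA's REST API at, if any. */
+vta_url?: string;
+/** VTA identity material — DID, DID document, optional log. */
+vta_trust: VtaTrustBundle;
+}
+/** Payload carried by `SealedPayloadV1::TemplateBootstrap`. The wallet does
+* not currently consume this variant; typed for completeness so a
+* template-driven bootstrap doesn't silently fall into the `other` slot. */
+export interface TemplateBootstrapPayload {
+authorization: unknown;
+secrets: Record<string, DidKeyMaterial>;
+config: unknown;
+}
+export interface DidKeyMaterial {
+did: string;
+signing_key: KeyPair;
+ka_key: KeyPair;
+}
+export interface KeyPair {
+key_id: string;
+public_key_multibase: string;
+private_key_multibase: string;
+}
+export interface VtaTrustBundle {
+vta_did: string;
+vta_did_document: unknown;
+vta_did_log?: string;
+}
+//# sourceMappingURL=types.d.ts.map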
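Review bot: The producer DID appears in three places — `ChunkPlaintext.producer_did` (line 30), `ProducerAssertion.producer_did` (line 37) and the `did` of the `did_signed` proof (line 43) — and nothing in the declarations says which one is authoritative or that a consumer must reject a mismatch; if agreement is the intended invariant, say so on `ProducerAssertion.producer_did`, e.g. `/** Must equal the enclosing ChunkPlaintext.producer_did and, for did_signed, proof.did; reject a bundle where they differ. */`. `KeyPair.private_key_multibase` (line 103) is secret material but carries no doc marker, unlike its siblings; a one-liner such as `/** Secret — wrap at rest, never log. */` would make that visible at every use site. The `chunk 0 only` notes on lines 29 and 31 are helpful; the same sentence on `ChunkPlaintext` itself would tell readers that chunks 1..n carry no identity at all. This is a generated declaration file, so the wording changes belong in `src/provision/types.ts`.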
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/provision/types.ts"],"names":[],"mappings":"AAgBA,2DAA2D;AAC3D,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,WAAW,EAAE,UAAU,CAAC;CACzB;AAED,sDAAsD;AACtD,MAAM,WAAW,YAAY;IAC3B,wEAAwE;IACxE,QAAQ,EAAE,UAAU,CAAC;IACrB,uEAAuE;IACvE,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,YAAY,EAAE,CAAC;CACxB;AAED,4FAA4F;AAC5F,MAAM,WAAW,UAAU;IACzB,yEAAyE;IACzE,SAAS,EAAE,UAAU,CAAC;IACtB,6CAA6C;IAC7C,eAAe,EAAE,UAAU,CAAC;CAC7B;AAED,gFAAgF;AAChF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,UAAU,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,sDAAsD;IACtD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oDAAoD;IACpD,kBAAkB,CAAC,EAAE,iBAAiB,CAAC;IACvC,yDAAyD;IACzD,gBAAgB,EAAE,UAAU,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,cAAc,CAAC;CACvB;AAED,0EAA0E;AAC1E,MAAM,MAAM,cAAc,GACtB;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAA;CAAE,GACvF;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACvD;IAAE,IAAI,EAAE,aAAa,CAAA;CAAE,CAAC;AAE5B;;;;;;2BAM2B;AAC3B,MAAM,MAAM,eAAe,GACvB;IAAE,IAAI,EAAE,gBAAgB,CAAC;IAAC,IAAI,EAAE,oBAAoB,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,oBAAoB,CAAC;IAAC,IAAI,EAAE,wBAAwB,CAAA;CAAE,GAC9D;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAE,CAAC;AAElD;;;;0CAI0C;AAC1C,MAAM,WAAW,oBAAoB;IACnC;sDACkD;IAClD,aAAa,EAAE,OAAO,CAAC;IACvB,qDAAqD;IACrD,KAAK,EAAE,cAAc,CAAC;IACtB,8DAA8D;IAC9D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,SAAS,EAAE,cAAc,CAAC;CAC3B;AAED;;6EAE6E;AAC7E,MAAM,WAAW,wBAAwB;IACvC,aAAa,EAAE,OAAO,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACxC,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,OAAO,CAAC;IACrB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,OAAO;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB,EAAE,MAAM,CAAC;IAC7B,qBAAqB,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAA
M,CAAC;IAChB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB"}
|
|
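--- a/package/dist/provision/types.js
+++ b/package/dist/provision/types.js
@@ -0,0 +1,17 @@
+// Wire + decoded shapes for the VTA's sealed-bundle pipeline.
+//
+// Mirrors the on-the-wire structs in
+// `verifiable-trust-infrastructure/vta-sdk/src/sealed_transfer/`:
+// - `bundle.rs`: SealedBundle, ArmoredChunk
+// - `hpke.rs`: HpkeSealed
+// - `chunk.rs`: ChunkPlaintext
+// - `bundle.rs`: SealedPayloadV1 (externally-tagged enum, snake_case)
+// - `template_bootstrap.rs`: AdminRotationPayload, DidKeyMaterial, KeyPair
+//
+// Field-name discipline: the sealed envelope is CBOR + camelCase-on-wire was
+// never agreed for the bundle interior — Rust's serde defaults to snake_case
+// field names and the ports across languages depend on those names. This file
+// keeps snake_case verbatim for any type that crosses the CBOR boundary, and
+// converts to a typed camelCase summary at the orchestrator (`open.ts`).
+export {};
+//# sourceMappingURL=types.js.map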
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/provision/types.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,qCAAqC;AACrC,kEAAkE;AAClE,8CAA8C;AAC9C,8BAA8B;AAC9B,kCAAkC;AAClC,wEAAwE;AACxE,6EAA6E;AAC7E,EAAE;AACF,6EAA6E;AAC7E,6EAA6E;AAC7E,8EAA8E;AAC9E,6EAA6E;AAC7E,yEAAyE"}
|
|
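--- a/package/dist/rp-login/didcomm.d.ts
+++ b/package/dist/rp-login/didcomm.d.ts
@@ -0,0 +1,34 @@
+import { type Identity } from "../didcomm/index.js";
+import type { RemoteDidcommEndpoint } from "../vta/didcomm.js";
+import type { DidcommMessageBridge } from "../vta/transport.js";
+export interface DidcommLoginResult {
+accessToken: string;
+refreshToken: string;
+sessionId: string;
+accessExpiresAt: number;
+refreshExpiresAt: number;
+}
+export interface DidcommLoginOptions {
+/** Mediator-backed bridge that ships the JWE and surfaces the decrypted,
+* sender-authenticated reply (keyed by `thid`). */
+bridge: DidcommMessageBridge;
+/** The wallet's holder identity (authcrypt sender; its DID is the one the
+* RP ACL-checks). */
+holder: Identity;
+/** The RP's control DID + its keyAgreement key (authcrypt recipient). */
+service: RemoteDidcommEndpoint;
+/** The RP's mediator. When set, the message is wrapped in a
+* routing/2.0/forward and authcrypted to the mediator. Required whenever
+* the RP is only reachable via a mediator (the usual case). */
+mediator?: RemoteDidcommEndpoint;
+/** Reply timeout (default 30s). */
+timeoutMs?: number;
+/**
+* Authenticate to a did-hosting RP over DIDComm and return its session
+* tokens. Throws if the RP replies with anything other than a
+* `MSG_AUTH_RESPONSE` (e.g. a problem-report when the holder DID isn't in
+* the RP's ACL).
+*/
+export declare function loginViaDidcomm(opts: DidcommLoginOptions): Promise<DidcommLoginResult>;
+//# sourceMappingURL=didcomm.d.ts.map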
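Review bot: `DidcommLoginResult` (lines 4–10) is the only undocumented interface in the hunk, and its two `number` fields give no unit or epoch — a caller comparing `accessExpiresAt` against `Date.now()` cannot tell from the type whether the RP reports seconds or milliseconds. Add a field comment stating the unit the RP actually returns, e.g. `/** Unix time the access token stops being accepted (same unit as the RP's access_expires_at). */`, and the same on `refreshExpiresAt`; the conversion site in the compiled didcomm.js is outside this section, so the exact unit has to come from there. `accessToken` and `refreshToken` are bearer secrets; a short `/** Bearer secret — keep in memory, do not log. */` on the interface would carry that to every consumer. Since this is a generated declaration file, the comments belong in `src/rp-login/didcomm.ts`.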
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"didcomm.d.ts","sourceRoot":"","sources":["../../src/rp-login/didcomm.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAiD,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACnG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAOhE,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,mBAAmB;IAClC;wDACoD;IACpD,MAAM,EAAE,oBAAoB,CAAC;IAC7B;0BACsB;IACtB,MAAM,EAAE,QAAQ,CAAC;IACjB,yEAAyE;IACzE,OAAO,EAAE,qBAAqB,CAAC;IAC/B;;oEAEgE;IAChE,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IACjC,mCAAmC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA2D5F"}
|
|
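--- a/package/dist/rp-login/didcomm.js
+++ b/package/dist/rp-login/didcomm.js
@@ -0,0 +1,72 @@
+// DIDComm session login to a did-hosting Relying Party.
+//
+// Unlike the REST SIOPv2 flow (`loginViaSiop`), there is **no `id_token`**.
+// Over DIDComm the authcrypt layer (ECDH-1PU) already authenticates the
+// sender DID to the recipient, so "login" is just: authcrypt an
+// `authenticate` message to the RP's control DID → the RP checks its ACL on
+// the authenticated sender → it returns a session JWT. The holder DID and
+// ACL grant are exactly the same as the REST path.
+//
+// Server contract (did-hosting-control `handle_authenticate`):
+// request type = MSG_AUTHENTICATE, authcrypted, body ignored
+// reply type = MSG_AUTH_RESPONSE, thid = request id,
+// body = { session_id, access_token, access_expires_at,
+// refresh_token, refresh_expires_at }
+// on ACL/other failure the reply is a problem-report (different type).
+import { packAuthcrypt, packAuthcryptJson, wrapForward } from "../didcomm/index.js";
+const MSG_AUTHENTICATE = "https://affinidi.com/webvh/1.0/authenticate";
+const MSG_AUTH_RESPONSE = "https://affinidi.com/webvh/1.0/authenticate-response";
+const DEFAULT_TIMEOUT_MS = 30_000;
+/**
+* Authenticate to a did-hosting RP over DIDComm and return its session
+* tokens. Throws if the RP replies with anything other than a
+* `MSG_AUTH_RESPONSE` (e.g. a problem-report when the holder DID isn't in
+* the RP's ACL).
+*/
+export async function loginViaDidcomm(opts) {
+const { bridge, holder, service, mediator } = opts;
+const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+const requestId = globalThis.crypto.randomUUID();
+const message = {
+id: requestId,
+type: MSG_AUTHENTICATE,
+from: holder.did,
+to: [service.did],
+// Body is ignored by the server — the authcrypt sender identity is the
+// authentication. Sent empty.
+body: {},
+};
+const inner = await packAuthcrypt(message, holder, [
+{ kid: service.keyAgreementKid, jwk: service.keyAgreementPublicJwk },
+]);
+let outer = inner;
+if (mediator) {
+const forwardJson = wrapForward(service.did, holder.did, mediator.did, inner);
+outer = await packAuthcryptJson(forwardJson, holder, [
+{ kid: mediator.keyAgreementKid, jwk: mediator.keyAgreementPublicJwk },
+]);
+}
+const reply = await bridge.sendAndAwaitReply(outer, requestId, { timeoutMs });
+if (reply.thid !== requestId) {
+throw new Error(`didcomm login: reply thid ${reply.thid ?? "(none)"} != request ${requestId}`);
+}
+if (reply.from !== service.did) {
+throw new Error(`didcomm login: reply from ${reply.from ?? "(none)"} != RP ${service.did}`);
+}
+if (reply.type !== MSG_AUTH_RESPONSE) {
+// Most commonly a problem-report (e.g. holder DID not in the RP's ACL).
+throw new Error(`didcomm login: ${reply.type ?? "(no type)"} — ${JSON.stringify(reply.body ?? {})}`);
+}
+const body = (reply.body ?? {});
+if (!body.access_token || !body.session_id || !body.refresh_token) {
+throw new Error(`didcomm login: malformed authenticate-response body: ${JSON.stringify(body)}`);
+}
+return {
+accessToken: body.access_token,
+refreshToken: body.refresh_token,
+sessionId: body.session_id,
+accessExpiresAt: body.access_expires_at ?? 0,
+refreshExpiresAt: body.refresh_expires_at ?? 0,
+};
+}
+//# sourceMappingURL=didcomm.js.map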
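Review bot: The malformed-body error at line 62 interpolates `JSON.stringify(body)`, so when for example `session_id` is absent but `access_token` and `refresh_token` are present, both bearer tokens end up in the Error message and in whatever logs or telemetry catch it; name the missing keys instead. The check on line 61 is also truthiness-only, so a non-string value passes and is handed back as `accessToken`; `const missing = ["access_token", "session_id", "refresh_token"].filter((k) => typeof body[k] !== "string" || body[k] === "");` followed by `if (missing.length) throw new Error(`didcomm login: authenticate-response missing ${missing.join(", ")}`);` covers both. `stepUpVtaFinish` in step-up.js (lines 109–110) has the same pattern. Separately, the `?? 0` on lines 68–69 turns an absent expiry into epoch 0 instead of rejecting it — whether callers read 0 as "already expired" or "no expiry" is not visible here, so confirm that default is intended.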
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"didcomm.js","sourceRoot":"","sources":["../../src/rp-login/didcomm.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,EAAE;AACF,4EAA4E;AAC5E,wEAAwE;AACxE,gEAAgE;AAChE,4EAA4E;AAC5E,0EAA0E;AAC1E,mDAAmD;AACnD,EAAE;AACF,+DAA+D;AAC/D,gEAAgE;AAChE,0DAA0D;AAC1D,mEAAmE;AACnE,0DAA0D;AAC1D,yEAAyE;AAEzE,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,WAAW,EAAiB,MAAM,qBAAqB,CAAC;AAInG,MAAM,gBAAgB,GAAG,6CAA6C,CAAC;AACvE,MAAM,iBAAiB,GAAG,sDAAsD,CAAC;AAEjF,MAAM,kBAAkB,GAAG,MAAM,CAAC;AA2BlC;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAyB;IAC7D,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IACnD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAEvD,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;IACjD,MAAM,OAAO,GAAG;QACd,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,MAAM,CAAC,GAAG;QAChB,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;QACjB,uEAAuE;QACvE,8BAA8B;QAC9B,IAAI,EAAE,EAAE;KACT,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE;QACjD,EAAE,GAAG,EAAE,OAAO,CAAC,eAAe,EAAE,GAAG,EAAE,OAAO,CAAC,qBAAqB,EAAE;KACrE,CAAC,CAAC;IAEH,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC9E,KAAK,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE;YACnD,EAAE,GAAG,EAAE,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE,QAAQ,CAAC,qBAAqB,EAAE;SACvE,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAE9E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,CAAC,IAAI,IAAI,QAAQ,eAAe,SAAS,EAAE,CAAC,CAAC;IACjG,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,CAAC,IAAI,IAAI,QAAQ,UAAU,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACrC,wEAAwE;QACxE,MAAM,IAAI,KAAK,CACb,kBAAkB,KAAK,CAAC,IAAI,IAAI,WAAW,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CACpF,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,C
AM7B,CAAC;IACF,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,wDAAwD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;QAChC,SAAS,EAAE,IAAI,CAAC,UAAU;QAC1B,eAAe,EAAE,IAAI,CAAC,iBAAiB,IAAI,CAAC;QAC5C,gBAAgB,EAAE,IAAI,CAAC,kBAAkB,IAAI,CAAC;KAC/C,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rp-login/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rp-login/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC"}
|
|
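--- a/package/dist/rp-login/step-up.d.ts
+++ b/package/dist/rp-login/step-up.d.ts
@@ -0,0 +1,43 @@
+import { type Identity } from "../didcomm/index.js";
+import type { RemoteDidcommEndpoint } from "../vta/didcomm.js";
+import type { DidcommMessageBridge } from "../vta/transport.js";
+export interface RequestVtaApprovalOptions {
+/** Mediator-backed bridge that ships the JWE and surfaces the decrypted,
+* sender-authenticated reply (keyed by `thid`). */
+bridge: DidcommMessageBridge;
+/** The wallet's holder identity (authcrypt sender). */
+holder: Identity;
+/** The VTA's DID + keyAgreement key (authcrypt recipient). */
+service: RemoteDidcommEndpoint;
+/** The VTA's mediator. When set, the message is wrapped in a
+* routing/2.0/forward and authcrypted to the mediator. */
+mediator?: RemoteDidcommEndpoint;
+/** The RP's DID — bound into the approval the VTA signs. */
+rpDid: string;
+/** The nonce from the RP's step-up start call. */
+nonce: string;
+/** Reply timeout (default 30s). */
+timeoutMs?: number;
+}
+/**
+* Ask the holder's VTA to approve a step-up over DIDComm and return the
+* compact-JWS approval token. Throws if the VTA replies with anything
+* other than an approve-response (e.g. a problem-report).
+*/
+export declare function requestVtaApproval(opts: RequestVtaApprovalOptions): Promise<string>;
+/**
+* Step 1 — RP start. Authenticated with the existing `aal1` access token,
+* returns the nonce the VTA must sign over.
+*/
+export declare function stepUpVtaStart(baseUrl: string, accessToken: string, fetchFn?: typeof fetch): Promise<string>;
+export interface StepUpVtaFinishResult {
+accessToken: string;
+refreshToken: string;
+sessionId: string;
+}
+/**
+* Step 3 — RP finish. Submits the VTA's approval token and returns the
+* elevated session tokens. Response body is **snake_case**.
+*/
+export declare function stepUpVtaFinish(baseUrl: string, accessToken: string, approvalToken: string, fetchFn?: typeof fetch): Promise<StepUpVtaFinishResult>;
+//# sourceMappingURL=step-up.d.ts.map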
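Review bot: `StepUpVtaFinishResult` (lines 33–37) carries no expiry fields, while `loginViaDidcomm` returns `accessExpiresAt`/`refreshExpiresAt`, so a caller that tracked token expiry after login loses it once the session is elevated. If the finish endpoint also returns `access_expires_at`/`refresh_expires_at` (not visible here), surfacing them would keep the two result shapes aligned. The `stepUpVtaFinish` docstring (lines 39–40) should also state whether the `aal1` tokens passed in remain valid after finish, since the implementation header in step-up.js describes the result as a "fresh" session token; e.g. `* Whether the aal1 tokens stay valid afterwards is up to the RP — treat the returned set as the live session.` if that is the intended contract.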
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"step-up.d.ts","sourceRoot":"","sources":["../../src/rp-login/step-up.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAiD,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACnG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAShE,MAAM,WAAW,yBAAyB;IACxC;wDACoD;IACpD,MAAM,EAAE,oBAAoB,CAAC;IAC7B,uDAAuD;IACvD,MAAM,EAAE,QAAQ,CAAC;IACjB,8DAA8D;IAC9D,OAAO,EAAE,qBAAqB,CAAC;IAC/B;+DAC2D;IAC3D,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IACjC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,CAAC;IACd,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,mCAAmC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,yBAAyB,GAAG,OAAO,CAAC,MAAM,CAAC,CA+CzF;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,OAAO,KAAK,GACrB,OAAO,CAAC,MAAM,CAAC,CAmBjB;AAED,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE,OAAO,KAAK,GACrB,OAAO,CAAC,qBAAqB,CAAC,CA6BhC"}
|
|
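--- a/package/dist/rp-login/step-up.js
+++ b/package/dist/rp-login/step-up.js
@@ -0,0 +1,118 @@
+// VTA-approval step-up for a did-hosting Relying Party.
+//
+// Elevates an existing `aal1` session to `aal2`: the RP issues a nonce, the
+// holder's VTA signs an approval over DIDComm, and the RP exchanges that
+// approval for a fresh, higher-assurance session token. The DIDComm leg
+// mirrors `loginViaDidcomm` exactly (build message → authcrypt to the VTA →
+// forward via its mediator → await reply by `thid`), but with the
+// step-up approve-request/response message types.
+//
+// Three steps:
+// 1. RP start (REST) → nonce
+// 2. VTA approve (DIDComm) → approval_token (compact JWS)
+// 3. RP finish (REST) → elevated session tokens
+//
+// Server contract (step 1 + 3 REST responses are **snake_case**, unlike the
+// camelCase login responses).
+import { packAuthcrypt, packAuthcryptJson, wrapForward } from "../didcomm/index.js";
+// Canonical step-up approval specs from trusttasks-tf. The proof on
+// approve-response is what the RP verifies to elevate the session's acr.
+const MSG_APPROVE_REQUEST = "https://trusttasks.org/spec/auth/step-up/approve-request/0.1";
+const MSG_APPROVE_RESPONSE = "https://trusttasks.org/spec/auth/step-up/approve-response/0.1";
+const DEFAULT_TIMEOUT_MS = 30_000;
+/**
+* Ask the holder's VTA to approve a step-up over DIDComm and return the
+* compact-JWS approval token. Throws if the VTA replies with anything
+* other than an approve-response (e.g. a problem-report).
+*/
+export async function requestVtaApproval(opts) {
+const { bridge, holder, service, mediator, rpDid, nonce } = opts;
+const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+const requestId = globalThis.crypto.randomUUID();
+const message = {
+id: requestId,
+type: MSG_APPROVE_REQUEST,
+from: holder.did,
+to: [service.did],
+body: { rp_did: rpDid, nonce },
+};
+const inner = await packAuthcrypt(message, holder, [
+{ kid: service.keyAgreementKid, jwk: service.keyAgreementPublicJwk },
+]);
+let outer = inner;
+if (mediator) {
+const forwardJson = wrapForward(service.did, holder.did, mediator.did, inner);
+outer = await packAuthcryptJson(forwardJson, holder, [
+{ kid: mediator.keyAgreementKid, jwk: mediator.keyAgreementPublicJwk },
+]);
+}
+const reply = await bridge.sendAndAwaitReply(outer, requestId, { timeoutMs });
+if (reply.thid !== requestId) {
+throw new Error(`vta step-up: reply thid ${reply.thid ?? "(none)"} != request ${requestId}`);
+}
+if (reply.from !== service.did) {
+throw new Error(`vta step-up: reply from ${reply.from ?? "(none)"} != VTA ${service.did}`);
+}
+if (reply.type !== MSG_APPROVE_RESPONSE) {
+// Most commonly a problem-report (e.g. VTA declined the step-up).
+throw new Error(`vta step-up: ${reply.type ?? "(no type)"} — ${JSON.stringify(reply.body ?? {})}`);
+}
+const body = (reply.body ?? {});
+if (!body.approval_token) {
+throw new Error(`vta step-up: malformed approve-response body: ${JSON.stringify(body)}`);
+}
+return body.approval_token;
+}
+/**
+* Step 1 — RP start. Authenticated with the existing `aal1` access token,
+* returns the nonce the VTA must sign over.
+*/
+export async function stepUpVtaStart(baseUrl, accessToken, fetchFn) {
+const f = fetchFn ?? fetch.bind(globalThis);
+const base = baseUrl.replace(/\/+$/, "");
+const res = await f(`${base}/auth/step-up/vta/start`, {
+method: "POST",
+headers: {
+"content-type": "application/json",
+authorization: `Bearer ${accessToken}`,
+},
+body: JSON.stringify({}),
+});
+if (!res.ok) {
+throw new Error(`vta step-up start: failed (${res.status}): ${await res.text()}`);
+}
+const json = (await res.json());
+if (!json.nonce) {
+throw new Error(`vta step-up start: malformed response: ${JSON.stringify(json)}`);
+}
+return json.nonce;
+}
+/**
+* Step 3 — RP finish. Submits the VTA's approval token and returns the
+* elevated session tokens. Response body is **snake_case**.
+*/
+export async function stepUpVtaFinish(baseUrl, accessToken, approvalToken, fetchFn) {
+const f = fetchFn ?? fetch.bind(globalThis);
+const base = baseUrl.replace(/\/+$/, "");
+const res = await f(`${base}/auth/step-up/vta/finish`, {
+method: "POST",
+headers: {
+"content-type": "application/json",
+authorization: `Bearer ${accessToken}`,
+},
+body: JSON.stringify({ approval_token: approvalToken }),
+});
+if (!res.ok) {
+throw new Error(`vta step-up finish: failed (${res.status}): ${await res.text()}`);
+}
+const body = (await res.json());
+if (!body.access_token || !body.session_id || !body.refresh_token) {
+throw new Error(`vta step-up finish: malformed response body: ${JSON.stringify(body)}`);
+}
+return {
+accessToken: body.access_token,
+refreshToken: body.refresh_token,
+sessionId: body.session_id,
+};
+}
+//# sourceMappingURL=step-up.js.map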
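Review bot: Line 61 accepts any truthy `approval_token`, so a number or object in the reply body is returned as the compact-JWS token and then serialized into the finish request on line 103; tighten it to `if (typeof body.approval_token !== "string" || body.approval_token === "") {`. Lines 29–59 repeat the build/authcrypt/forward/await/verify leg of `loginViaDidcomm` line for line (the header comment says as much), differing only in the message types, the body and the error prefix; a shared helper in the didcomm module, say `sendAndAwaitTyped(bridge, holder, service, mediator, message, expectedType, timeoutMs, label)`, would keep the three reply checks (`thid`, `from`, `type`) from drifting apart between the two flows. The `fetch.bind(globalThis)` plus trailing-slash preamble duplicated at lines 71–72 and 95–96 is a smaller instance of the same thing.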
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"step-up.js","sourceRoot":"","sources":["../../src/rp-login/step-up.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,EAAE;AACF,4EAA4E;AAC5E,yEAAyE;AACzE,wEAAwE;AACxE,4EAA4E;AAC5E,kEAAkE;AAClE,kDAAkD;AAClD,EAAE;AACF,eAAe;AACf,mCAAmC;AACnC,4DAA4D;AAC5D,qDAAqD;AACrD,EAAE;AACF,4EAA4E;AAC5E,8BAA8B;AAE9B,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,WAAW,EAAiB,MAAM,qBAAqB,CAAC;AAInG,oEAAoE;AACpE,yEAAyE;AACzE,MAAM,mBAAmB,GAAG,8DAA8D,CAAC;AAC3F,MAAM,oBAAoB,GAAG,+DAA+D,CAAC;AAE7F,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAqBlC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAA+B;IACtE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IACjE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IAEvD,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;IACjD,MAAM,OAAO,GAAG;QACd,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,MAAM,CAAC,GAAG;QAChB,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;QACjB,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE;KAC/B,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE;QACjD,EAAE,GAAG,EAAE,OAAO,CAAC,eAAe,EAAE,GAAG,EAAE,OAAO,CAAC,qBAAqB,EAAE;KACrE,CAAC,CAAC;IAEH,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC9E,KAAK,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE;YACnD,EAAE,GAAG,EAAE,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE,QAAQ,CAAC,qBAAqB,EAAE;SACvE,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAE9E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,IAAI,IAAI,QAAQ,eAAe,SAAS,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,IAAI,IAAI,QAAQ,WAAW,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7F,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;QACxC,kEAAkE;QAClE,MAAM,IAAI,KAAK,CACb,gBAAgB,KAAK,CAAC,IAAI,IAAI,WAAW,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAClF,CAAC;IA
CJ,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAgC,CAAC;IAC/D,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,iDAAiD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,cAAc,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAe,EACf,WAAmB,EACnB,OAAsB;IAEtB,MAAM,CAAC,GAAG,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,yBAAyB,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,WAAW,EAAE;SACvC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;KACzB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;IACtD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC;AACpB,CAAC;AAQD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAe,EACf,WAAmB,EACnB,aAAqB,EACrB,OAAsB;IAEtB,MAAM,CAAC,GAAG,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,0BAA0B,EAAE;QACrD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,WAAW,EAAE;SACvC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,cAAc,EAAE,aAAa,EAAE,CAAC;KACxD,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAC;IACF,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,gDAAgD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC1F,CAAC;IACD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;QAChC,SAAS,EAAE,IAAI,CAAC,UAAU;KAC3B,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/siop/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/siop/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC"}
|
|
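--- a/package/dist/siop/login-client.d.ts
+++ b/package/dist/siop/login-client.d.ts
@@ -0,0 +1,29 @@
+import { type TimingMark } from "../util/timing.js";
+import { type SigningIdentity } from "./self-issued.js";
+export interface SiopLoginResult {
+accessToken: string;
+refreshToken: string;
+sessionId: string;
+/** Per-phase timings (challenge / id_token / authenticate). */
+timings: TimingMark[];
+}
+export interface SiopLoginOptions {
+/** Base URL of the RP's auth API (e.g. `https://hosting.example/api`). */
+baseUrl: string;
+/** The RP's identifier — its server DID — used as the `id_token` `aud`. */
+rpDid: string;
+/** The holder's Ed25519 signing identity (from `generateOrLoadHolderIdentity().signing`). */
+signing: SigningIdentity;
+/** Optional ephemeral session pubkey (`z6Mk…` Ed25519 multikey) to bind
+* for subsequent trust-task proofs. */
+sessionPubkeyB58btc?: string;
+/** fetch impl (defaults to the global). */
+fetch?: typeof fetch;
+}
+/**
+* Log into a Trust-Tasks RP via SIOPv2 self-issuance. Returns the
+* RP-issued session tokens. Throws on a transport error or an RP
+* rejection (the error message carries the RP's response body).
+*/
+export declare function loginViaSiop(opts: SiopLoginOptions): Promise<SiopLoginResult>;
+//# sourceMappingURL=login-client.d.ts.map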
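Review bot: `SiopLoginOptions` injects the HTTP client as `fetch?: typeof fetch` inside an options object (line 21), whereas `stepUpVtaStart`/`stepUpVtaFinish` in the same package take a positional `fetchFn?: typeof fetch`; one shape for the public API, preferably the options object, lets callers wire a custom client the same way everywhere. If the positional form has to stay for step-up, document the divergence on line 20, e.g. `/** fetch impl (defaults to the global). The step-up helpers take the same thing positionally as \`fetchFn\`. */`. The docstring on lines 24–26 already notes that the error message carries the RP's response body, which is the right thing to tell callers who log errors.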
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"login-client.d.ts","sourceRoot":"","sources":["../../src/siop/login-client.ts"],"names":[],"mappings":"AAOA,OAAO,EAAmB,KAAK,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAgB,KAAK,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAMtE,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,+DAA+D;IAC/D,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,OAAO,EAAE,MAAM,CAAC;IAChB,2EAA2E;IAC3E,KAAK,EAAE,MAAM,CAAC;IACd,6FAA6F;IAC7F,OAAO,EAAE,eAAe,CAAC;IACzB;4CACwC;IACxC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,eAAe,CAAC,CAyF1B"}
|