@pagopa/io-react-native-wallet 0.1.0 → 0.2.0

package/src/rp/index.ts

@@ -0,0 +1,150 @@
+import { AuthRequestDecodeError, IoWalletError } from "../utils/errors";
+import {
+  decode as decodeJwt,
+  decodeBase64,
+  sha256ToBase64,
+  SignJWT,
+} from "@pagopa/io-react-native-jwt";
+import { RequestObject, RpEntityConfiguration } from "./types";
+
+import uuid from "react-native-uuid";
+import type { JWK } from "@pagopa/io-react-native-jwt/lib/typescript/types";
+
+export class RelyingPartySolution {
+  relyingPartyBaseUrl: string;
+  walletInstanceAttestation: string;
+  appFetch: GlobalFetch["fetch"];
+
+  constructor(
+    relyingPartyBaseUrl: string,
+    walletInstanceAttestation: string,
+    appFetch: GlobalFetch["fetch"] = fetch
+  ) {
+    this.relyingPartyBaseUrl = relyingPartyBaseUrl;
+    this.walletInstanceAttestation = walletInstanceAttestation;
+    this.appFetch = appFetch;
+  }
+
+  /**
+   * Decode a QR code content to an authentication request url.
+   * @function
+   * @param qrcode QR code content
+   *
+   * @returns The authentication request url
+   *
+   */
+  decodeAuthRequestQR(qrcode: string): string {
+    try {
+      const decoded = decodeBase64(qrcode);
+      const decodedUrl = new URL(decoded);
+      const requestUri = decodedUrl.searchParams.get("request_uri");
+      if (requestUri) {
+        return requestUri;
+      } else {
+        throw new AuthRequestDecodeError(
+          "Unable to obtain request_uri from QR code",
+          `${decodedUrl}`
+        );
+      }
+    } catch {
+      throw new AuthRequestDecodeError(
+        "Unable to decode QR code authentication request url",
+        qrcode
+      );
+    }
+  }
+  /**
+   * Obtain the unsigned wallet instance DPoP for authentication request
+   *
+   * @function
+   * @param walletInstanceAttestationJwk JWT of the Wallet Instance Attestation
+   * @param authRequestUrl authentication request url
+   *
+   * @returns The unsigned wallet instance DPoP
+   *
+   */
+  async getUnsignedWalletInstanceDPoP(
+    walletInstanceAttestationJwk: JWK,
+    authRequestUrl: string
+  ): Promise<string> {
+    return await new SignJWT({
+      jti: `${uuid.v4()}`,
+      htm: "GET",
+      htu: authRequestUrl,
+      ath: await sha256ToBase64(this.walletInstanceAttestation),
+    })
+      .setProtectedHeader({
+        alg: "ES256",
+        jwk: walletInstanceAttestationJwk,
+        typ: "dpop+jwt",
+      })
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .toSign();
+  }
+
+  /**
+   * Obtain the Request Object for RP authentication
+   *
+   * @function
+   * @param signedWalletInstanceDPoP JWT of the Wallet Instance Attestation DPoP
+   *
+   * @returns The Request Object JWT
+   *
+   */
+  async getRequestObject(
+    signedWalletInstanceDPoP: string
+  ): Promise<RequestObject> {
+    const decodedJwtDPop = await decodeJwt(signedWalletInstanceDPoP);
+    const requestUri = decodedJwtDPop.payload.htu as string;
+
+    const response = await this.appFetch(requestUri, {
+      method: "GET",
+      headers: {
+        Authorization: `DPoP ${this.walletInstanceAttestation}`,
+        DPoP: signedWalletInstanceDPoP,
+      },
+    });
+
+    if (response.status === 200) {
+      const responseText = await response.text();
+      const responseJwt = await decodeJwt(responseText);
+      const requestObj = RequestObject.parse({
+        header: responseJwt.protectedHeader,
+        payload: responseJwt.payload,
+      });
+      return requestObj;
+    }
+
+    throw new IoWalletError(
+      `Unable to obtain Request Object. Response code: ${response.status}`
+    );
+  }
+
+  /**
+   * Obtain the relying party entity configuration.
+   */
+  async getEntityConfiguration(): Promise<RpEntityConfiguration> {
+    const wellKnownUrl = new URL(
+      "/.well-known/openid-federation",
+      this.relyingPartyBaseUrl
+    ).href;
+
+    const response = await this.appFetch(wellKnownUrl, {
+      method: "GET",
+    });
+
+    if (response.status === 200) {
+      const responseText = await response.text();
+      const responseJwt = await decodeJwt(responseText);
+      return RpEntityConfiguration.parse({
+        header: responseJwt.protectedHeader,
+        payload: responseJwt.payload,
+      });
+    }
+
+    throw new IoWalletError(
+      `Unable to obtain RP Entity Configuration. Response code: ${response.status}`
+    );
+  }
+}

package/src/rp/types.ts

@@ -0,0 +1,64 @@
+import { JWK } from "../utils/jwk";
+import { UnixTime } from "../sd-jwt/types";
+import * as z from "zod";
+
+export type RequestObject = z.infer<typeof RequestObject>;
+export const RequestObject = z.object({
+  header: z.object({
+    typ: z.literal("JWT"),
+    alg: z.string(),
+    kid: z.string(),
+    trust_chain: z.array(z.string()),
+  }),
+  payload: z.object({
+    iss: z.string(),
+    iat: UnixTime,
+    exp: UnixTime,
+    state: z.string(),
+    nonce: z.string(),
+    response_uri: z.string(),
+    response_type: z.literal("vp_token"),
+    response_mode: z.literal("direct_post.jwt"),
+    client_id: z.string(),
+    client_id_scheme: z.literal("entity_id"),
+    scope: z.string(),
+  }),
+});
+
+// TODO: This types is WIP in technical rules
+export type RpEntityConfiguration = z.infer<typeof RpEntityConfiguration>;
+export const RpEntityConfiguration = z.object({
+  header: z.object({
+    typ: z.literal("entity-statement+jwt"),
+    alg: z.string(),
+    kid: z.string(),
+  }),
+  payload: z.object({
+    exp: UnixTime,
+    iat: UnixTime,
+    iss: z.string(),
+    sub: z.string(),
+    jwks: z.object({
+      keys: z.array(JWK),
+    }),
+    metadata: z.object({
+      wallet_relying_party: z.object({
+        application_type: z.string(),
+        client_id: z.string(),
+        client_name: z.string(),
+        jwks: z.object({
+          keys: z.array(JWK),
+        }),
+        contacts: z.array(z.string()),
+      }),
+      federation_entity: z.object({
+        organization_name: z.string(),
+        homepage_uri: z.string(),
+        policy_uri: z.string(),
+        logo_uri: z.string(),
+        contacts: z.array(z.string()),
+      }),
+    }),
+    authority_hints: z.array(z.string()),
+  }),
+});

package/src/sd-jwt/types.ts

@@ -25,7 +25,7 @@ export const SdJwt4VC = z.object({
   header: z.object({
     typ: z.literal("vc+sd-jwt"),
     alg: z.string(),
-    kid: z.string(),
+    kid: z.string().optional(),
     trust_chain: z.array(z.string()),
   }),
   payload: z.object({

package/src/utils/dpop.ts

@@ -0,0 +1,25 @@
+import * as z from "zod";
+
+import { SignJWT } from "@pagopa/io-react-native-jwt";
+import type { JWK } from "./jwk";
+
+export const getUnsignedDPop = (jwk: JWK, payload: DPoPPayload): string => {
+  const dPop = new SignJWT(payload)
+    .setProtectedHeader({
+      alg: "ES256",
+      typ: "dpop+jwt",
+      jwk,
+    })
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .toSign();
+  return dPop;
+};
+
+export type DPoPPayload = z.infer<typeof DPoPPayload>;
+export const DPoPPayload = z.object({
+  jti: z.string(),
+  htm: z.union([z.literal("POST"), z.literal("GET")]),
+  htu: z.string(),
+  ath: z.string().optional(),
+});

package/src/utils/errors.ts

@@ -72,3 +72,51 @@ export class WalletInstanceAttestationIssuingError extends IoWalletError {
     this.reason = reason;
   }
 }
+
+/**
+ * An error subclass thrown when auth request decode fail
+ *
+ */
+export class AuthRequestDecodeError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_AUTHENTICATION_REQUEST_DECODE_FAILED" {
+    return "ERR_IO_WALLET_AUTHENTICATION_REQUEST_DECODE_FAILED";
+  }
+
+  code = "ERR_IO_WALLET_AUTHENTICATION_REQUEST_DECODE_FAILED";
+
+  /** The Claim for which the validation failed. */
+  claim: string;
+
+  /** Reason code for the validation failure. */
+  reason: string;
+
+  constructor(message: string, claim = "unspecified", reason = "unspecified") {
+    super(message);
+    this.claim = claim;
+    this.reason = reason;
+  }
+}
+
+/**
+ * An error subclass thrown when validation fail
+ *
+ */
+export class PidIssuingError extends IoWalletError {
+  static get code(): "ERR_IO_WALLET_PID_ISSUING_FAILED" {
+    return "ERR_IO_WALLET_PID_ISSUING_FAILED";
+  }
+
+  code = "ERR_IO_WALLET_PID_ISSUING_FAILED";
+
+  /** The Claim for which the validation failed. */
+  claim: string;
+
+  /** Reason code for the validation failure. */
+  reason: string;
+
+  constructor(message: string, claim = "unspecified", reason = "unspecified") {
+    super(message);
+    this.claim = claim;
+    this.reason = reason;
+  }
+}

package/src/wallet-instance-attestation/issuing.ts

@@ -8,9 +8,13 @@ import { WalletInstanceAttestationIssuingError } from "../utils/errors";
 
 export class Issuing {
   walletProviderBaseUrl: string;
-
-  constructor(walletProviderBaseUrl: string) {
+  appFetch: GlobalFetch["fetch"];
+  constructor(
+    walletProviderBaseUrl: string,
+    appFetch: GlobalFetch["fetch"] = fetch
+  ) {
     this.walletProviderBaseUrl = walletProviderBaseUrl;
+    this.appFetch = appFetch;
   }
 
   /**
@@ -58,16 +62,14 @@ export class Issuing {
    * @param attestationRequest Wallet Instance Attestaion Request
    * obtained with {@link getAttestationRequestToSign}
    * @param signature Signature of the Wallet Instance Attestaion Request
-   * @param appFetch Optional object with fetch function to use
    *
    * @returns {string} Wallet Instance Attestation
    *
    */
   async getAttestation(
     attestationRequest: string,
-    signature: string,
-    appFetch: GlobalFetch = { fetch }
-  ): Promise<String> {
+    signature: string
+  ): Promise<string> {
     const signedAttestationRequest = await SignJWT.appendSignature(
       attestationRequest,
       signature
@@ -87,7 +89,7 @@ export class Issuing {
         "urn:ietf:params:oauth:client-assertion-type:jwt-key-attestation",
       assertion: signedAttestationRequest,
     };
-    const response = await appFetch.fetch(tokenUrl, {
+    const response = await this.appFetch(tokenUrl, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",