@pagopa/io-react-native-wallet 0.12.0 → 0.13.0

Files changed (205) hide show
  1. package/lib/commonjs/client/generated/wallet-provider.js +22 -22
  2. package/lib/commonjs/client/generated/wallet-provider.js.map +1 -1
  3. package/lib/commonjs/client/index.js +1 -2
  4. package/lib/commonjs/client/index.js.map +1 -1
  5. package/lib/commonjs/credential/issuance/02-evaluate-issuer-trust.js +2 -1
  6. package/lib/commonjs/credential/issuance/02-evaluate-issuer-trust.js.map +1 -1
  7. package/lib/commonjs/credential/issuance/03-start-credential-issuance.js +287 -0
  8. package/lib/commonjs/credential/issuance/03-start-credential-issuance.js.map +1 -0
  9. package/lib/commonjs/credential/issuance/03-start-user-authorization.js +56 -83
  10. package/lib/commonjs/credential/issuance/03-start-user-authorization.js.map +1 -1
  11. package/lib/commonjs/credential/issuance/04-complete-user-authorization.js +88 -0
  12. package/lib/commonjs/credential/issuance/04-complete-user-authorization.js.map +1 -1
  13. package/lib/commonjs/credential/issuance/05-authorize-access.js +56 -33
  14. package/lib/commonjs/credential/issuance/05-authorize-access.js.map +1 -1
  15. package/lib/commonjs/credential/issuance/06-obtain-credential.js +51 -78
  16. package/lib/commonjs/credential/issuance/06-obtain-credential.js.map +1 -1
  17. package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js +21 -44
  18. package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
  19. package/lib/commonjs/credential/issuance/index.js +7 -0
  20. package/lib/commonjs/credential/issuance/index.js.map +1 -1
  21. package/lib/commonjs/credential/issuance/types.js +28 -0
  22. package/lib/commonjs/credential/issuance/types.js.map +1 -0
  23. package/lib/commonjs/index.js.map +1 -1
  24. package/lib/commonjs/pid/sd-jwt/converters.js +5 -9
  25. package/lib/commonjs/pid/sd-jwt/converters.js.map +1 -1
  26. package/lib/commonjs/pid/sd-jwt/types.js +3 -3
  27. package/lib/commonjs/pid/sd-jwt/types.js.map +1 -1
  28. package/lib/commonjs/sd-jwt/__test__/converters.test.js +1 -1
  29. package/lib/commonjs/sd-jwt/__test__/converters.test.js.map +1 -1
  30. package/lib/commonjs/sd-jwt/__test__/index.test.js +30 -43
  31. package/lib/commonjs/sd-jwt/__test__/index.test.js.map +1 -1
  32. package/lib/commonjs/sd-jwt/__test__/types.test.js +16 -24
  33. package/lib/commonjs/sd-jwt/__test__/types.test.js.map +1 -1
  34. package/lib/commonjs/sd-jwt/index.js +3 -9
  35. package/lib/commonjs/sd-jwt/index.js.map +1 -1
  36. package/lib/commonjs/sd-jwt/types.js +11 -16
  37. package/lib/commonjs/sd-jwt/types.js.map +1 -1
  38. package/lib/commonjs/trust/types.js +70 -29
  39. package/lib/commonjs/trust/types.js.map +1 -1
  40. package/lib/commonjs/utils/auth.js +44 -0
  41. package/lib/commonjs/utils/auth.js.map +1 -0
  42. package/lib/commonjs/utils/errors.js +77 -2
  43. package/lib/commonjs/utils/errors.js.map +1 -1
  44. package/lib/commonjs/utils/misc.js +34 -1
  45. package/lib/commonjs/utils/misc.js.map +1 -1
  46. package/lib/commonjs/utils/par.js +23 -15
  47. package/lib/commonjs/utils/par.js.map +1 -1
  48. package/lib/commonjs/utils/pop.js +33 -0
  49. package/lib/commonjs/utils/pop.js.map +1 -0
  50. package/lib/commonjs/wallet-instance-attestation/issuing.js +17 -2
  51. package/lib/commonjs/wallet-instance-attestation/issuing.js.map +1 -1
  52. package/lib/commonjs/wallet-instance-attestation/types.js +7 -7
  53. package/lib/commonjs/wallet-instance-attestation/types.js.map +1 -1
  54. package/lib/module/client/generated/wallet-provider.js +16 -19
  55. package/lib/module/client/generated/wallet-provider.js.map +1 -1
  56. package/lib/module/client/index.js +1 -2
  57. package/lib/module/client/index.js.map +1 -1
  58. package/lib/module/credential/issuance/02-evaluate-issuer-trust.js +2 -1
  59. package/lib/module/credential/issuance/02-evaluate-issuer-trust.js.map +1 -1
  60. package/lib/module/credential/issuance/03-start-credential-issuance.js +276 -0
  61. package/lib/module/credential/issuance/03-start-credential-issuance.js.map +1 -0
  62. package/lib/module/credential/issuance/03-start-user-authorization.js +56 -80
  63. package/lib/module/credential/issuance/03-start-user-authorization.js.map +1 -1
  64. package/lib/module/credential/issuance/04-complete-user-authorization.js +85 -1
  65. package/lib/module/credential/issuance/04-complete-user-authorization.js.map +1 -1
  66. package/lib/module/credential/issuance/05-authorize-access.js +54 -33
  67. package/lib/module/credential/issuance/05-authorize-access.js.map +1 -1
  68. package/lib/module/credential/issuance/06-obtain-credential.js +50 -75
  69. package/lib/module/credential/issuance/06-obtain-credential.js.map +1 -1
  70. package/lib/module/credential/issuance/07-verify-and-parse-credential.js +21 -44
  71. package/lib/module/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
  72. package/lib/module/credential/issuance/index.js +2 -1
  73. package/lib/module/credential/issuance/index.js.map +1 -1
  74. package/lib/module/credential/issuance/types.js +18 -0
  75. package/lib/module/credential/issuance/types.js.map +1 -0
  76. package/lib/module/index.js.map +1 -1
  77. package/lib/module/pid/sd-jwt/converters.js +5 -9
  78. package/lib/module/pid/sd-jwt/converters.js.map +1 -1
  79. package/lib/module/pid/sd-jwt/types.js +3 -3
  80. package/lib/module/pid/sd-jwt/types.js.map +1 -1
  81. package/lib/module/sd-jwt/__test__/converters.test.js +1 -1
  82. package/lib/module/sd-jwt/__test__/converters.test.js.map +1 -1
  83. package/lib/module/sd-jwt/__test__/index.test.js +30 -43
  84. package/lib/module/sd-jwt/__test__/index.test.js.map +1 -1
  85. package/lib/module/sd-jwt/__test__/types.test.js +16 -24
  86. package/lib/module/sd-jwt/__test__/types.test.js.map +1 -1
  87. package/lib/module/sd-jwt/index.js +3 -9
  88. package/lib/module/sd-jwt/index.js.map +1 -1
  89. package/lib/module/sd-jwt/types.js +11 -16
  90. package/lib/module/sd-jwt/types.js.map +1 -1
  91. package/lib/module/sd-jwt/verifier.js.map +1 -1
  92. package/lib/module/trust/types.js +70 -29
  93. package/lib/module/trust/types.js.map +1 -1
  94. package/lib/module/utils/auth.js +35 -0
  95. package/lib/module/utils/auth.js.map +1 -0
  96. package/lib/module/utils/errors.js +71 -0
  97. package/lib/module/utils/errors.js.map +1 -1
  98. package/lib/module/utils/misc.js +31 -0
  99. package/lib/module/utils/misc.js.map +1 -1
  100. package/lib/module/utils/par.js +24 -16
  101. package/lib/module/utils/par.js.map +1 -1
  102. package/lib/module/utils/pop.js +24 -0
  103. package/lib/module/utils/pop.js.map +1 -0
  104. package/lib/module/wallet-instance-attestation/issuing.js +17 -2
  105. package/lib/module/wallet-instance-attestation/issuing.js.map +1 -1
  106. package/lib/module/wallet-instance-attestation/types.js +7 -7
  107. package/lib/module/wallet-instance-attestation/types.js.map +1 -1
  108. package/lib/typescript/client/generated/wallet-provider.d.ts +35 -13
  109. package/lib/typescript/client/generated/wallet-provider.d.ts.map +1 -1
  110. package/lib/typescript/client/index.d.ts.map +1 -1
  111. package/lib/typescript/credential/issuance/01-start-flow.d.ts +1 -0
  112. package/lib/typescript/credential/issuance/01-start-flow.d.ts.map +1 -1
  113. package/lib/typescript/credential/issuance/02-evaluate-issuer-trust.d.ts +2 -1
  114. package/lib/typescript/credential/issuance/02-evaluate-issuer-trust.d.ts.map +1 -1
  115. package/lib/typescript/credential/issuance/03-start-credential-issuance.d.ts +41 -0
  116. package/lib/typescript/credential/issuance/03-start-credential-issuance.d.ts.map +1 -0
  117. package/lib/typescript/credential/issuance/03-start-user-authorization.d.ts +23 -18
  118. package/lib/typescript/credential/issuance/03-start-user-authorization.d.ts.map +1 -1
  119. package/lib/typescript/credential/issuance/04-complete-user-authorization.d.ts +24 -12
  120. package/lib/typescript/credential/issuance/04-complete-user-authorization.d.ts.map +1 -1
  121. package/lib/typescript/credential/issuance/05-authorize-access.d.ts +22 -16
  122. package/lib/typescript/credential/issuance/05-authorize-access.d.ts.map +1 -1
  123. package/lib/typescript/credential/issuance/06-obtain-credential.d.ts +19 -26
  124. package/lib/typescript/credential/issuance/06-obtain-credential.d.ts.map +1 -1
  125. package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts +10 -15
  126. package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts.map +1 -1
  127. package/lib/typescript/credential/issuance/index.d.ts +3 -4
  128. package/lib/typescript/credential/issuance/index.d.ts.map +1 -1
  129. package/lib/typescript/credential/issuance/types.d.ts +63 -0
  130. package/lib/typescript/credential/issuance/types.d.ts.map +1 -0
  131. package/lib/typescript/credential/presentation/types.d.ts +6 -6
  132. package/lib/typescript/index.d.ts +2 -1
  133. package/lib/typescript/index.d.ts.map +1 -1
  134. package/lib/typescript/pid/sd-jwt/converters.d.ts.map +1 -1
  135. package/lib/typescript/pid/sd-jwt/types.d.ts +36 -36
  136. package/lib/typescript/pid/sd-jwt/types.d.ts.map +1 -1
  137. package/lib/typescript/sd-jwt/index.d.ts +40 -68
  138. package/lib/typescript/sd-jwt/index.d.ts.map +1 -1
  139. package/lib/typescript/sd-jwt/types.d.ts +64 -121
  140. package/lib/typescript/sd-jwt/types.d.ts.map +1 -1
  141. package/lib/typescript/trust/index.d.ts +150 -48
  142. package/lib/typescript/trust/index.d.ts.map +1 -1
  143. package/lib/typescript/trust/types.d.ts +2838 -1740
  144. package/lib/typescript/trust/types.d.ts.map +1 -1
  145. package/lib/typescript/utils/auth.d.ts +52 -0
  146. package/lib/typescript/utils/auth.d.ts.map +1 -0
  147. package/lib/typescript/utils/errors.d.ts +36 -1
  148. package/lib/typescript/utils/errors.d.ts.map +1 -1
  149. package/lib/typescript/utils/integrity.d.ts +1 -1
  150. package/lib/typescript/utils/misc.d.ts +18 -0
  151. package/lib/typescript/utils/misc.d.ts.map +1 -1
  152. package/lib/typescript/utils/par.d.ts +8 -31
  153. package/lib/typescript/utils/par.d.ts.map +1 -1
  154. package/lib/typescript/utils/pop.d.ts +26 -0
  155. package/lib/typescript/utils/pop.d.ts.map +1 -0
  156. package/lib/typescript/wallet-instance-attestation/issuing.d.ts +2 -1
  157. package/lib/typescript/wallet-instance-attestation/issuing.d.ts.map +1 -1
  158. package/lib/typescript/wallet-instance-attestation/types.d.ts +59 -59
  159. package/lib/typescript/wallet-instance-attestation/types.d.ts.map +1 -1
  160. package/package.json +2 -1
  161. package/src/client/generated/wallet-provider.ts +24 -21
  162. package/src/client/index.ts +3 -8
  163. package/src/credential/issuance/01-start-flow.ts +1 -0
  164. package/src/credential/issuance/02-evaluate-issuer-trust.ts +2 -1
  165. package/src/credential/issuance/03-start-credential-issuance.ts +407 -0
  166. package/src/credential/issuance/03-start-user-authorization.ts +91 -92
  167. package/src/credential/issuance/04-complete-user-authorization.ts +114 -13
  168. package/src/credential/issuance/05-authorize-access.ts +74 -49
  169. package/src/credential/issuance/06-obtain-credential.ts +77 -111
  170. package/src/credential/issuance/07-verify-and-parse-credential.ts +30 -67
  171. package/src/credential/issuance/index.ts +6 -4
  172. package/src/credential/issuance/types.ts +25 -0
  173. package/src/index.ts +2 -1
  174. package/src/pid/sd-jwt/converters.ts +5 -11
  175. package/src/pid/sd-jwt/types.ts +8 -6
  176. package/src/sd-jwt/__test__/converters.test.ts +1 -1
  177. package/src/sd-jwt/__test__/index.test.ts +45 -74
  178. package/src/sd-jwt/__test__/types.test.ts +21 -33
  179. package/src/sd-jwt/index.ts +3 -12
  180. package/src/sd-jwt/types.ts +17 -22
  181. package/src/trust/types.ts +64 -32
  182. package/src/utils/auth.ts +37 -0
  183. package/src/utils/errors.ts +85 -1
  184. package/src/utils/integrity.ts +1 -1
  185. package/src/utils/misc.ts +43 -0
  186. package/src/utils/par.ts +29 -17
  187. package/src/utils/pop.ts +34 -0
  188. package/src/wallet-instance-attestation/issuing.ts +39 -2
  189. package/src/wallet-instance-attestation/types.ts +11 -7
  190. package/lib/commonjs/credential/issuance/07-confirm-credential.js +0 -6
  191. package/lib/commonjs/credential/issuance/07-confirm-credential.js.map +0 -1
  192. package/lib/commonjs/credential/issuance/08-confirm-credential.js +0 -6
  193. package/lib/commonjs/credential/issuance/08-confirm-credential.js.map +0 -1
  194. package/lib/module/credential/issuance/07-confirm-credential.js +0 -2
  195. package/lib/module/credential/issuance/07-confirm-credential.js.map +0 -1
  196. package/lib/module/credential/issuance/08-confirm-credential.js +0 -2
  197. package/lib/module/credential/issuance/08-confirm-credential.js.map +0 -1
  198. package/lib/typescript/credential/issuance/07-confirm-credential.d.ts +0 -11
  199. package/lib/typescript/credential/issuance/07-confirm-credential.d.ts.map +0 -1
  200. package/lib/typescript/credential/issuance/08-confirm-credential.d.ts +0 -11
  201. package/lib/typescript/credential/issuance/08-confirm-credential.d.ts.map +0 -1
  202. package/src/credential/issuance/07-confirm-credential.ts +0 -14
  203. package/src/credential/issuance/08-confirm-credential.ts +0 -14
  204. package/src/sd-jwt/__test__/converters.test.js +0 -24
  205. package/src/sd-jwt/verifier.js +0 -12
@@ -1,161 +1,127 @@
1
- import * as z from "zod";
2
- import uuid from "react-native-uuid";
3
1
  import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
4
- import { createDPopToken } from "../../utils/dpop";
5
-
6
- import type { StartFlow } from "./01-start-flow";
7
- import { hasStatus, type Out } from "../../utils/misc";
8
- import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
9
2
  import type { AuthorizeAccess } from "./05-authorize-access";
10
- import { SupportedCredentialFormat } from "./const";
3
+ import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
4
+ import { hasStatus, type Out } from "../../../src/utils/misc";
5
+ import type { StartUserAuthorization } from "./03-start-user-authorization";
6
+ import { ValidationFailed } from "../../../src/utils/errors";
7
+ import { CredentialResponse } from "./types";
8
+
9
+ export type ObtainCredential = (
10
+ issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
11
+ accessToken: Out<AuthorizeAccess>["accessToken"],
12
+ clientId: Out<StartUserAuthorization>["clientId"],
13
+ credentialDefinition: Out<StartUserAuthorization>["credentialDefinition"],
14
+ tokenRequestSignedDPop: Out<AuthorizeAccess>["tokenRequestSignedDPop"],
15
+ context: {
16
+ credentialCryptoContext: CryptoContext;
17
+ appFetch?: GlobalFetch["fetch"];
18
+ }
19
+ ) => Promise<CredentialResponse>;
11
20
 
12
- /**
13
- * Return the signed jwt for nonce proof of possession
14
- */
15
21
  export const createNonceProof = async (
16
22
  nonce: string,
17
23
  issuer: string,
18
24
  audience: string,
19
25
  ctx: CryptoContext
20
26
  ): Promise<string> => {
27
+ const jwk = await ctx.getPublicKey();
21
28
  return new SignJWT(ctx)
22
29
  .setPayload({
23
30
  nonce,
24
- jwk: await ctx.getPublicKey(),
25
31
  })
26
32
  .setProtectedHeader({
27
- type: "openid4vci-proof+jwt",
33
+ typ: "openid4vci-proof+jwt",
34
+ jwk,
28
35
  })
29
36
  .setAudience(audience)
30
37
  .setIssuer(issuer)
31
38
  .setIssuedAt()
32
- .setExpirationTime("1h")
39
+ .setExpirationTime("5min")
33
40
  .sign();
34
41
  };
35
42
 
36
- const CredentialEndpointResponse = z.object({
37
- credential: z.string(),
38
- format: SupportedCredentialFormat,
39
- // nonce used to perform multiple credential requests
40
- // re-using the same authorization profile
41
- c_nonce: z.string(),
42
- c_nonce_expires_in: z.number(),
43
- });
44
-
45
- export type ObtainCredential = (
46
- issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
47
- accessToken: Out<AuthorizeAccess>["accessToken"],
48
- nonce: Out<AuthorizeAccess>["nonce"],
49
- clientId: Out<AuthorizeAccess>["clientId"],
50
- credentialType: Out<StartFlow>["credentialType"],
51
- credentialFormat: SupportedCredentialFormat,
52
- context: {
53
- credentialCryptoContext: CryptoContext;
54
- walletProviderBaseUrl: string;
55
- appFetch?: GlobalFetch["fetch"];
56
- }
57
- ) => Promise<{
58
- credential: string;
59
- format: SupportedCredentialFormat;
60
- nonce: string;
61
- }>;
62
-
63
- // Checks whether in the Entity confoguration at least one credential
64
- // is defined for the given type and format
65
- const isCredentialAvailable = (
66
- issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
67
- credentialType: Out<StartFlow>["credentialType"],
68
- credentialFormat: SupportedCredentialFormat
69
- ): boolean =>
70
- issuerConf.openid_credential_issuer.credentials_supported.some(
71
- (c) =>
72
- c.format === credentialFormat &&
73
- c.credential_definition.type.includes(credentialType)
74
- );
75
-
76
43
  /**
77
- * Fetch a credential from the issuer
78
- *
79
- * @param issuerConf The Issuer configuration
80
- * @param accessToken The access token to grant access to the credential, obtained with the access authorization step
81
- * @param nonce The nonce value to prevent reply attacks, obtained with the access authorization step
82
- * @param clientId Identifies the current client across all the requests of the issuing flow
83
- * @param credentialType The type of the credential to be requested
84
- * @param credentialFormat The format of the requested credential. @see {SupportedCredentialFormat}
85
- * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
86
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
44
+ * Obtains the credential from the issuer.
45
+ * The key pair of the credentialCryptoContext is used for Openid4vci proof JWT to be presented with the Access Token and the DPoP Proof JWT at the Credential Endpoint
46
+ * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
47
+ * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
48
+ * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
49
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
50
+ * @param accessToken The access token response returned by {@link authorizeAccess}
51
+ * @param clientId The client id returned by {@link startUserAuthorization}
52
+ * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
53
+ * @param tokenRequestSignedDPop The DPoP signed token request returned by {@link authorizeAccess}
54
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential
87
55
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
88
- * @returns The signed credential token
56
+ * @returns The credential response containing the credential
89
57
  */
90
58
  export const obtainCredential: ObtainCredential = async (
91
59
  issuerConf,
92
60
  accessToken,
93
- nonce,
94
61
  clientId,
95
- credentialType,
96
- credentialFormat,
62
+ credentialDefinition,
63
+ tokenRequestSignedDPop,
97
64
  context
98
65
  ) => {
99
- const {
100
- credentialCryptoContext,
101
- walletProviderBaseUrl,
102
- appFetch = fetch,
103
- } = context;
104
-
105
- if (!isCredentialAvailable(issuerConf, credentialType, credentialFormat)) {
106
- throw new Error(
107
- `The Issuer provides no credential for type ${credentialType} and format ${credentialFormat}`
108
- );
109
- }
66
+ const { credentialCryptoContext, appFetch = fetch } = context;
110
67
 
111
68
  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
112
69
 
113
- /** DPoP token for demonstating the possession
114
- of the key that will bind the holder User with the Credential
115
- @see https://datatracker.ietf.org/doc/html/rfc9449 */
116
- const signedDPopForPid = await createDPopToken(
117
- {
118
- htm: "POST",
119
- htu: credentialUrl,
120
- jti: `${uuid.v4()}`,
121
- },
122
- credentialCryptoContext
123
- );
124
-
125
- /** JWT proof token to bind the request nonce
126
- to the key that will bind the holder User with the Credential
127
- @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types */
70
+ /**
71
+ * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
72
+ * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
73
+ * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
74
+ */
128
75
  const signedNonceProof = await createNonceProof(
129
- nonce,
76
+ accessToken.c_nonce,
130
77
  clientId,
131
- walletProviderBaseUrl,
78
+ credentialUrl,
132
79
  credentialCryptoContext
133
80
  );
134
81
 
82
+ // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
83
+ const constainsCredentialDefinition = accessToken.authorization_details.some(
84
+ (c) =>
85
+ c.credential_configuration_id ===
86
+ credentialDefinition.credential_configuration_id &&
87
+ c.format === credentialDefinition.format &&
88
+ c.type === credentialDefinition.type
89
+ );
90
+
91
+ if (!constainsCredentialDefinition) {
92
+ throw new ValidationFailed(
93
+ "The access token response does not contain the requested credential"
94
+ );
95
+ }
96
+
135
97
  /** The credential request body */
136
- const formBody = new URLSearchParams({
137
- credential_definition: JSON.stringify({
138
- type: [credentialType],
139
- }),
140
- format: credentialFormat,
141
- proof: JSON.stringify({
98
+ const credentialRequestFormBody = {
99
+ credential_definition: {
100
+ type: [credentialDefinition.credential_configuration_id],
101
+ },
102
+ format: credentialDefinition.format,
103
+ proof: {
142
104
  jwt: signedNonceProof,
143
105
  proof_type: "jwt",
144
- }),
145
- });
106
+ },
107
+ };
146
108
 
147
- const { credential, format, c_nonce } = await appFetch(credentialUrl, {
109
+ const credentialRes = await appFetch(credentialUrl, {
148
110
  method: "POST",
149
111
  headers: {
150
- "Content-Type": "application/x-www-form-urlencoded",
151
- DPoP: signedDPopForPid,
152
- Authorization: accessToken,
112
+ "Content-Type": "application/json",
113
+ DPoP: tokenRequestSignedDPop,
114
+ Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
153
115
  },
154
- body: formBody.toString(),
116
+ body: JSON.stringify(credentialRequestFormBody),
155
117
  })
156
118
  .then(hasStatus(200))
157
119
  .then((res) => res.json())
158
- .then(CredentialEndpointResponse.parse);
120
+ .then((body) => CredentialResponse.safeParse(body));
121
+
122
+ if (!credentialRes.success) {
123
+ throw new ValidationFailed(credentialRes.error.message);
124
+ }
159
125
 
160
- return { credential, format, nonce: c_nonce };
126
+ return credentialRes.data;
161
127
  };
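Review bot: The credential request sends `DPoP: tokenRequestSignedDPop`, i.e. it replays the proof minted for the token endpoint, whereas the removed code built a fresh proof bound to `htm: "POST"` / `htu: credentialUrl` with its own `jti`. Under RFC 9449 a DPoP proof is bound to the method and URI of the request it accompanies and, on a resource request, must carry `ath` (base64url SHA-256 of the access token), so a conforming issuer should reject this header and a lenient one loses per-request replay protection; mint a new proof here (the hunk removes the `createDPopToken` and `uuid` imports, so they need to come back, and whether the helper already accepts `ath` is not visible here). Separately, the two `../../../src/utils/...` imports resolve to the same files as the `../../utils/...` form used by the other imports in this module, but in the compiled `lib/` tree that relative path would presumably point outside `lib/` into `src/`, so they should be normalized to `../../utils/...`.
```typescript
const { credentialCryptoContext, appFetch = fetch } = context;
const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;

// DPoP proof bound to THIS request (RFC 9449 §4.2, §7.1), not the token-endpoint one
const credentialDPop = await createDPopToken(
  {
    htm: "POST",
    htu: credentialUrl,
    jti: `${uuid.v4()}`,
    ath: accessTokenHash, // base64url(SHA-256(accessToken.access_token)), via the project's hashing helper
  },
  credentialCryptoContext
);
// … unchanged: nonce proof, authorization_details check, request body …
headers: {
  "Content-Type": "application/json",
  DPoP: credentialDPop,
  Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
},
```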
@@ -1,11 +1,11 @@
1
1
  import type { Out } from "../../utils/misc";
2
2
  import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
3
- import type { ObtainCredential } from "./06-obtain-credential";
4
3
  import { IoWalletError } from "../../utils/errors";
5
4
  import { SdJwt4VC } from "../../sd-jwt/types";
6
5
  import { verify as verifySdJwt } from "../../sd-jwt";
7
6
  import type { JWK } from "../../utils/jwk";
8
7
  import type { CryptoContext } from "@pagopa/io-react-native-jwt";
8
+ import type { ObtainCredential } from "./06-obtain-credential";
9
9
 
10
10
  export type VerifyAndParseCredential = (
11
11
  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -13,7 +13,6 @@ export type VerifyAndParseCredential = (
13
13
  format: Out<ObtainCredential>["format"],
14
14
  context: {
15
15
  credentialCryptoContext: CryptoContext;
16
- ignoreMissingAttributes?: boolean;
17
16
  }
18
17
  ) => Promise<{ parsedCredential: ParsedCredential }>;
19
18
 
@@ -28,9 +27,8 @@ type ParsedCredential = Record<
28
27
  string /* locale */,
29
28
  string /* value */
30
29
  >
31
- | /* if no i18n is provided */ string;
32
- /** If in defined as mandatory by the Issuer */
33
- mandatory: boolean;
30
+ | /* if no i18n is provided */ string
31
+ | undefined; // Add undefined as a possible value for the name property
34
32
  /** The actual value of the attribute */
35
33
  value: unknown;
36
34
  }
@@ -43,48 +41,34 @@ type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
43
41
 
44
42
  const parseCredentialSdJwt = (
45
43
  // the list of supported credentials, as defined in the issuer configuration
46
- credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credentials_supported"],
47
- { sdJwt, disclosures }: DecodedSdJwtCredential,
48
- ignoreMissingAttributes: boolean = false
44
+ credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credential_configurations_supported"],
45
+ { sdJwt, disclosures }: DecodedSdJwtCredential
49
46
  ): ParsedCredential => {
50
- // find the definition that matches the received credential's type
51
- // warning: if more then a defintion is found, the first is retrieved
52
- const credentialSubject = credentials_supported.find(
53
- (c) =>
54
- c.format === "vc+sd-jwt" &&
55
- c.credential_definition.type.includes(sdJwt.payload.type)
56
- )?.credential_definition.credentialSubject;
57
-
58
- // the received credential matches no supported credential, throw an exception
47
+ const credentialSubject = credentials_supported[sdJwt.payload.vct];
48
+
59
49
  if (!credentialSubject) {
60
- const expected = credentials_supported
61
- .flatMap((_) => _.credential_definition.type)
62
- .join(", ");
50
+ throw new IoWalletError("Credential type not supported by the issuer");
51
+ }
52
+
53
+ if (credentialSubject.format !== sdJwt.header.typ) {
63
54
  throw new IoWalletError(
64
- `Received credential is of an unknwown type. Expected one of [${expected}], received '${sdJwt.payload.type}', `
55
+ `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `
65
56
  );
66
57
  }
67
58
 
68
59
  // transfrom a record { key: value } in an iterable of pairs [key, value]
69
- const attrDefinitions = Object.entries(credentialSubject);
60
+ const attrDefinitions = Object.entries(credentialSubject.claims);
70
61
 
71
- // every mandatory attribute must be present in the credential's disclosures
72
62
  // the key of the attribute defintion must match the disclosure's name
73
63
  const attrsNotInDisclosures = attrDefinitions.filter(
74
- ([attrKey, { mandatory }]) =>
75
- mandatory && !disclosures.some(([, name]) => name === attrKey)
64
+ ([attrKey]) => !disclosures.some(([, name]) => name === attrKey)
76
65
  );
77
66
  if (attrsNotInDisclosures.length > 0) {
78
67
  const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
79
68
  const received = disclosures.map((_) => _[1 /* name */]).join(", ");
80
- // the rationale of this condition is that we may want to be permissive
81
- // on incomplete credentials in the test phase of the project.
82
- // we might want to be strict once in production, hence remove this condition
83
- if (!ignoreMissingAttributes) {
84
- throw new IoWalletError(
85
- `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
86
- );
87
- }
69
+ throw new IoWalletError(
70
+ `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
71
+ );
88
72
  }
89
73
 
90
74
  // attributes that are defined in the issuer configuration
@@ -126,7 +110,7 @@ const parseCredentialSdJwt = (
126
110
  const undefinedValues = Object.fromEntries(
127
111
  disclosures
128
112
  .filter((_) => !Object.keys(definedValues).includes(_[1]))
129
- .map(([, key, value]) => [key, { value, mandatory: false, name: key }])
113
+ .map(([, key, value]) => [key, { value, name: key }])
130
114
  );
131
115
 
132
116
  return {
@@ -185,7 +169,7 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
185
169
  issuerConf,
186
170
  credential,
187
171
  _,
188
- { credentialCryptoContext, ignoreMissingAttributes }
172
+ { credentialCryptoContext }
189
173
  ) => {
190
174
  const decoded = await verifyCredentialSdJwt(
191
175
  credential,
@@ -194,36 +178,23 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
194
178
  );
195
179
 
196
180
  const parsedCredential = parseCredentialSdJwt(
197
- issuerConf.openid_credential_issuer.credentials_supported,
198
- decoded,
199
- ignoreMissingAttributes
181
+ issuerConf.openid_credential_issuer.credential_configurations_supported,
182
+ decoded
200
183
  );
201
184
 
202
185
  return { parsedCredential };
203
186
  };
204
187
 
205
- const verifyAndParseCredentialMdoc: WithFormat<"vc+mdoc-cbor"> = async (
206
- _issuerConf,
207
- _credential,
208
- _,
209
- _ctx
210
- ) => {
211
- // TODO: [SIW-686] decode MDOC credentials
212
- throw new Error("verifyAndParseCredentialMdoc not implemented yet");
213
- };
214
-
215
188
  /**
216
- * Verify and parse an encoded credential
217
- *
218
- * @param issuerConf The Issuer configuration
219
- * @param credential The encoded credential
220
- * @param format The format of the credentual
221
- * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
222
- * @param context.ignoreMissingAttributes (optional) Whether to fail if a defined attribute is note present in the credentual. Default: false
189
+ * Verify and parse an encoded credential.
190
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
191
+ * @param credential The encoded credential returned by {@link obtainCredential}
192
+ * @param format The format of the credentual returned by {@link obtainCredential}
193
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
223
194
  * @returns A parsed credential with attributes in plain value
224
- * @throws If the credential signature is not verified with the Issuer key set
225
- * @throws If the credential is not bound to the provided user key
226
- * @throws If the credential data fail to parse
195
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
196
+ * @throws {IoWalletError} If the credential is not bound to the provided user key
197
+ * @throws {IoWalletError} If the credential data fail to parse
227
198
  */
228
199
  export const verifyAndParseCredential: VerifyAndParseCredential = async (
229
200
  issuerConf,
@@ -238,15 +209,7 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
238
209
  format,
239
210
  context
240
211
  );
241
- } else if (format === "vc+mdoc-cbor") {
242
- return verifyAndParseCredentialMdoc(
243
- issuerConf,
244
- credential,
245
- format,
246
- context
247
- );
248
212
  }
249
213
 
250
- const _: never = format;
251
- throw new IoWalletError(`Unsupported credential format: ${_}`);
214
+ throw new IoWalletError(`Unsupported credential format: ${format}`);
252
215
  };
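Review bot: `credentials_supported[sdJwt.payload.vct]` indexes the issuer configuration with a string taken straight from the received credential, so a `vct` such as `"constructor"` or `"__proto__"` resolves to an inherited Object.prototype member rather than `undefined`; today it is only rejected by the following `format` comparison, with a misleading "unknown type" message, and that safety net disappears if the format check is ever relaxed. Guard the lookup with an own-property check: `const credentialSubject = Object.prototype.hasOwnProperty.call(credentials_supported, sdJwt.payload.vct) ? credentials_supported[sdJwt.payload.vct] : undefined;` so the "not supported by the issuer" branch fires for every key not explicitly configured. The error text on the format check also reads "Expected one of [...]" while comparing a single configured `format` against the JWT `typ` header; `Credential format mismatch: expected '${credentialSubject.format}', received '${sdJwt.header.typ}'` states what is actually checked. The rest of `parseCredentialSdJwt` lies outside this hunk.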
@@ -7,7 +7,10 @@ import {
7
7
  startUserAuthorization,
8
8
  type StartUserAuthorization,
9
9
  } from "./03-start-user-authorization";
10
- import { type CompleteUserAuthorization } from "./04-complete-user-authorization";
10
+ import {
11
+ completeUserAuthorizationWithQueryMode,
12
+ type CompleteUserAuthorizationWithQueryMode,
13
+ } from "./04-complete-user-authorization";
11
14
  import { authorizeAccess, type AuthorizeAccess } from "./05-authorize-access";
12
15
  import {
13
16
  obtainCredential,
@@ -17,11 +20,11 @@ import {
17
20
  verifyAndParseCredential,
18
21
  type VerifyAndParseCredential,
19
22
  } from "./07-verify-and-parse-credential";
20
- import type { ConfirmCredential } from "./08-confirm-credential";
21
23
 
22
24
  export {
23
25
  evaluateIssuerTrust,
24
26
  startUserAuthorization,
27
+ completeUserAuthorizationWithQueryMode,
25
28
  authorizeAccess,
26
29
  obtainCredential,
27
30
  verifyAndParseCredential,
@@ -30,9 +33,8 @@ export type {
30
33
  StartFlow,
31
34
  EvaluateIssuerTrust,
32
35
  StartUserAuthorization,
33
- CompleteUserAuthorization,
36
+ CompleteUserAuthorizationWithQueryMode,
34
37
  AuthorizeAccess,
35
38
  ObtainCredential,
36
39
  VerifyAndParseCredential,
37
- ConfirmCredential,
38
40
  };
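Review bot: The `export type` block now drops `CompleteUserAuthorization` and `ConfirmCredential` from the package's public surface, which breaks any downstream import of those names, while the version only moves from 0.12.0 to 0.13.0. If the removal is intentional it should be called out in the release notes; if `./08-confirm-credential` still exists, keeping `export type { ConfirmCredential }` alongside the new `CompleteUserAuthorizationWithQueryMode` costs nothing and avoids the break. This is inferred from the export list alone; the modules themselves are not visible here.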
@@ -0,0 +1,25 @@
1
+ import { AuthorizationDetail } from "../../utils/par";
2
+ import * as z from "zod";
3
+ import { SupportedCredentialFormat } from "./const";
4
+
5
+ export type TokenResponse = z.infer<typeof TokenResponse>;
6
+
7
+ export const TokenResponse = z.object({
8
+ access_token: z.string(),
9
+ authorization_details: z.array(AuthorizationDetail),
10
+ c_nonce: z.string(),
11
+ c_nonce_expires_in: z.number(),
12
+ expires_in: z.number(),
13
+ token_type: z.string(),
14
+ });
15
+
16
+ export type CredentialResponse = z.infer<typeof CredentialResponse>;
17
+
18
+ export const CredentialResponse = z.object({
19
+ c_nonce: z.string(),
20
+ c_nonce_expires_in: z.number(),
21
+ credential: z.string(),
22
+ format: SupportedCredentialFormat,
23
+ });
24
+
25
+ export type ResponseMode = "query" | "form_post.jwt";
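Review bot: `token_type: z.string()` accepts any scheme, so a token endpoint answering with an unexpected `token_type` passes validation and the mismatch only surfaces when the token is first used; if the caller assumes a specific scheme when building the request, pin it here with `z.literal("...")` or `z.enum([...])` so the response fails at parse time. The exported schemas also carry no TSDoc: a one-liner such as `/** Successful response of the issuer's token endpoint. */` on `TokenResponse` and `/** Successful response of the issuer's credential endpoint. */` on `CredentialResponse`, plus a note on `ResponseMode` saying which flow each mode selects, would make the file self-explaining. Consider `z.number().int().nonnegative()` for the two `expires_in` fields, since a negative or fractional lifetime is never valid.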
package/src/index.ts CHANGED
@@ -1,3 +1,4 @@
1
+ import type { AuthorizationContext } from "./utils/auth";
1
2
  import { fixBase64EncodingOnKey } from "./utils/jwk";
2
3
  // polyfill due to known bugs on URL implementation for react native
3
4
  // https://github.com/facebook/react-native/issues/24428
@@ -28,4 +29,4 @@ export {
28
29
  fixBase64EncodingOnKey,
29
30
  };
30
31
 
31
- export type { IntegrityContext };
32
+ export type { IntegrityContext, AuthorizationContext };
@@ -3,24 +3,18 @@ import type { Disclosure, SdJwt4VC } from "../../sd-jwt/types";
3
3
  import { PID } from "./types";
4
4
 
5
5
  export function pidFromToken(sdJwt: SdJwt4VC, disclosures: Disclosure[]): PID {
6
+ const placeOfBirth = getValueFromDisclosures(disclosures, "place_of_birth");
6
7
  return PID.parse({
7
8
  issuer: sdJwt.payload.iss,
8
- issuedAt: new Date(sdJwt.payload.iat * 1000),
9
+ issuedAt: new Date(getValueFromDisclosures(disclosures, "iat") * 1000),
9
10
  expiration: new Date(sdJwt.payload.exp * 1000),
10
- verification: {
11
- trustFramework:
12
- sdJwt.payload.verified_claims.verification.trust_framework,
13
- assuranceLevel:
14
- sdJwt.payload.verified_claims.verification.assurance_level,
15
- evidence: getValueFromDisclosures(disclosures, "evidence"),
16
- },
17
11
  claims: {
18
12
  uniqueId: getValueFromDisclosures(disclosures, "unique_id"),
19
13
  givenName: getValueFromDisclosures(disclosures, "given_name"),
20
14
  familyName: getValueFromDisclosures(disclosures, "family_name"),
21
- birthdate: getValueFromDisclosures(disclosures, "birthdate"),
22
- placeOfBirth: getValueFromDisclosures(disclosures, "place_of_birth"),
23
- taxIdCode: getValueFromDisclosures(disclosures, "tax_id_number"),
15
+ birthDate: getValueFromDisclosures(disclosures, "birth_date"),
16
+ ...(placeOfBirth && placeOfBirth),
17
+ taxIdCode: getValueFromDisclosures(disclosures, "tax_id_code"),
24
18
  },
25
19
  });
26
20
  }
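Review bot: `...(placeOfBirth && placeOfBirth)` spreads the disclosed value's own keys into `claims` instead of assigning it to `placeOfBirth`; assuming `getValueFromDisclosures` returns the `{ country, locality }` object the schema expects, `country` and `locality` land at the top level of `claims`, `claims.placeOfBirth` is never set, and because the field is now optional `PID.parse` silently strips the stray keys, so place of birth is lost on every token. The `x && x` is also a no-op. Replace the line with `...(placeOfBirth && { placeOfBirth }),`. Separately, `issuedAt` is now read from an `iat` disclosure rather than the signed `sdJwt.payload`; that is only as trustworthy as the disclosure-digest verification performed before this converter runs, which is not visible here, and a missing `iat` disclosure yields an invalid Date that `PID.parse` will reject with a less obvious error than a direct check would.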
@@ -29,16 +29,18 @@ export const PID = z.object({
29
29
  issuer: z.string(),
30
30
  issuedAt: z.date(),
31
31
  expiration: z.date(),
32
- verification: Verification,
32
+ verification: Verification.optional(),
33
33
  claims: z.object({
34
34
  uniqueId: z.string(),
35
35
  givenName: z.string(),
36
36
  familyName: z.string(),
37
- birthdate: z.string(),
38
- placeOfBirth: z.object({
39
- country: z.string(),
40
- locality: z.string(),
41
- }),
37
+ birthDate: z.string(),
38
+ placeOfBirth: z
39
+ .object({
40
+ country: z.string(),
41
+ locality: z.string(),
42
+ })
43
+ .optional(),
42
44
  taxIdCode: z.string(),
43
45
  }),
44
46
  });
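Review bot: Making `verification` optional means `trustFramework` and `assuranceLevel` can no longer be relied on from a parsed PID, and the converter changed in this same release no longer populates the field at all, so in practice it will always be `undefined`. Consumers that gate on `pid.verification.assuranceLevel` now need an explicit guard; if the verified_claims block has really been dropped from the credential, removing the field (or documenting why it is kept) is clearer than an always-absent optional. A comment such as `// May be absent: pidFromToken no longer populates it — confirm against the issuer profile` on the `verification` line would record the intent.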
@@ -3,7 +3,7 @@ import { Disclosure } from "../types";
3
3
 
4
4
  const disclosures: Disclosure[] = [
5
5
  ["6w1_soRXFgaHKfpYn3cvfQ", "given_name", "Mario"],
6
- ["fuNp97Hf3wV6y48y-QZhIg", "birthdate", "1980-10-01"],
6
+ ["fuNp97Hf3wV6y48y-QZhIg", "birth_date", "1980-10-01"],
7
7
  [
8
8
  "p-9LzyWHZBVDvhXDWkN2xA",
9
9
  "place_of_birth",