npm - @pagopa/io-react-native-wallet - Versions diffs - 0.12.0 → 0.13.1 - Mend

@pagopa/io-react-native-wallet 0.12.0 → 0.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (205) hide show

package/src/utils/misc.ts CHANGED Viewed

@@ -25,3 +25,46 @@ export type Out<FN> = FN extends (...args: any[]) => Promise<any>
   : FN extends (...args: any[]) => any
   ? ReturnType<FN>
   : never;
+/**
+ * TODO [SIW-1310]: replace this function with a cryptographically secure one.
+ * @param size - The size of the string to generate
+ * @returns A random alphanumeric string of the given size
+ */
+export const generateRandomAlphaNumericString = (size: number) =>
+  Array.from(Array(size), () =>
+    Math.floor(Math.random() * 36).toString(36)
+  ).join("");
+/**
+ * Repeatedly checks a condition function until it returns true,
+ * then resolves the returned promise. If the condition function does not return true
+ * within the specified timeout, the promise is rejected.
+ *
+ * @param conditionFunction - A function that returns a boolean value.
+ *                            The promise resolves when this function returns true.
+ * @param timeout - An optional timeout in seconds. The promise is rejected if the
+ *                  condition function does not return true within this time.
+ * @returns A promise that resolves once the conditionFunction returns true or rejects if timed out.
+ */
+export const until = (
+  conditionFunction: () => boolean,
+  timeoutSeconds?: number
+): Promise<void> =>
+  new Promise<void>((resolve, reject) => {
+    const start = Date.now();
+    const poll = () => {
+      if (conditionFunction()) {
+        resolve();
+      } else if (
+        timeoutSeconds !== undefined &&
+        Date.now() - start >= timeoutSeconds * 1000
+      ) {
+        reject(new Error("Timeout exceeded"));
+      } else {
+        setTimeout(poll, 400);
+      }
+    };
+    poll();
+  });

package/src/utils/par.ts CHANGED Viewed

@@ -6,13 +6,12 @@ import {
 import uuid from "react-native-uuid";
 import * as z from "zod";
 import * as WalletInstanceAttestation from "../wallet-instance-attestation";
-import { hasStatus } from "./misc";
+import { generateRandomAlphaNumericString, hasStatus } from "./misc";
+import { createPopToken } from "./pop";
 export type AuthorizationDetail = z.infer<typeof AuthorizationDetail>;
 export const AuthorizationDetail = z.object({
-  credential_definition: z.object({
-    type: z.string(),
-  }),
+  credential_configuration_id: z.string(),
   format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   type: z.literal("openid_credential"),
 });
@@ -34,7 +33,8 @@ export const makeParRequest =
   async (
     clientId: string,
     codeVerifier: string,
-    walletProviderBaseUrl: string,
+    redirectUri: string,
+    responseMode: string,
     parEndpoint: string,
     walletInstanceAttestation: string,
     authorizationDetails: AuthorizationDetails,
@@ -48,10 +48,19 @@ export const makeParRequest =
     const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
       .payload.cnf.jwk.kid;
+    const signedWiaPoP = await createPopToken(
+      {
+        jti: `${uuid.v4()}`,
+        aud,
+        iss,
+      },
+      wiaCryptoContext
+    );
     /** A code challenge is provided so that the PAR is bound
         to the subsequent authorization code request
         @see https://datatracker.ietf.org/doc/html/rfc9126#name-request */
-    const codeChallengeMethod = "s256";
+    const codeChallengeMethod = "S256";
     const codeChallenge = await sha256ToBase64(codeVerifier);
     /** The PAR request token is signed used the Wallet Instance Attestation key.
@@ -60,23 +69,26 @@ export const makeParRequest =
         The key is matched by its kid */
     const signedJwtForPar = await new SignJWT(wiaCryptoContext)
       .setProtectedHeader({
+        typ: "jwk",
         kid: wiaPublicKey.kid,
       })
       .setPayload({
-        iss,
-        aud,
         jti: `${uuid.v4()}`,
-        client_assertion_type: assertionType,
-        authorization_details: authorizationDetails,
+        aud,
         response_type: "code",
-        redirect_uri: walletProviderBaseUrl,
-        state: `${uuid.v4()}`,
+        response_mode: responseMode,
         client_id: clientId,
-        code_challenge_method: codeChallengeMethod,
+        iss,
+        state: generateRandomAlphaNumericString(32),
         code_challenge: codeChallenge,
+        code_challenge_method: codeChallengeMethod,
+        authorization_details: authorizationDetails,
+        redirect_uri: redirectUri,
+        client_assertion_type: assertionType,
+        client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
       })
-      .setIssuedAt()
-      .setExpirationTime("1h")
+      .setIssuedAt() //iat is set to now
+      .setExpirationTime("5min")
       .sign();
     /** The request body for the Pushed Authorization Request */
@@ -85,9 +97,9 @@ export const makeParRequest =
       client_id: clientId,
       code_challenge: codeChallenge,
       code_challenge_method: "S256",
-      client_assertion_type: assertionType,
-      client_assertion: walletInstanceAttestation,
       request: signedJwtForPar,
+      client_assertion_type: assertionType,
+      client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
     });
     return await appFetch(parEndpoint, {

package/src/utils/pop.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import * as z from "zod";
+import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
+/**
+ * Create a signed PoP token
+ *
+ * @param payload The payload to be included in the token.
+ * @param crypto The crypto context that handles the key bound to the DPoP.
+ *
+ * @returns The signed crypto token.
+ */
+export const createPopToken = async (
+  payload: PoPPayload,
+  crypto: CryptoContext
+): Promise<string> => {
+  const kid = await crypto.getPublicKey().then((_) => _.kid);
+  return new SignJWT(crypto)
+    .setPayload(payload)
+    .setProtectedHeader({
+      typ: "jwt-client-attestation-pop",
+      kid,
+    })
+    .setIssuedAt()
+    .setExpirationTime("5min")
+    .sign();
+};
+export type PoPPayload = z.infer<typeof PoPPayload>;
+export const PoPPayload = z.object({
+  jti: z.string(),
+  aud: z.string(),
+  iss: z.string(),
+});

package/src/wallet-instance-attestation/issuing.ts CHANGED Viewed

@@ -1,9 +1,15 @@
 import { type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
+import { z } from "zod";
 import { JWK, fixBase64EncodingOnKey } from "../utils/jwk";
 import { getWalletProviderClient } from "../client";
 import type { IntegrityContext } from "..";
-import { z } from "zod";
+import {
+  WalletProviderResponseError,
+  WalletInstanceRevokedError,
+  WalletInstanceNotFoundError,
+  WalletInstanceAttestationIssuingError,
+} from "../utils/errors";
 /**
  * Getter for an attestation request. The attestation request is a JWT that will be sent to the Wallet Provider to request a Wallet Instance Attestation.
@@ -64,6 +70,8 @@ export async function getAttestationRequest(
  * @param params.appFetch (optional) Http client
  * @param walletProviderBaseUrl Base url for the Wallet Provider
  * @returns The retrieved Wallet Instance Attestation token
+ * @throws {WalletInstanceRevokedError} The Wallet Instance was revoked
+ * @throws {WalletInstanceNotFoundError} The Wallet Instance does not exist
  */
 export const getAttestation = async ({
   wiaCryptoContext,
@@ -100,7 +108,36 @@ export const getAttestation = async ({
         assertion: signedAttestationRequest,
       },
     })
-    .then((result) => z.string().parse(result));
+    .then((result) => z.string().parse(result))
+    .catch(handleAttestationCreationError);
   return wia;
 };
+const handleAttestationCreationError = (e: unknown) => {
+  if (!(e instanceof WalletProviderResponseError)) {
+    throw e;
+  }
+  if (e.statusCode === 403) {
+    throw new WalletInstanceRevokedError(
+      "Unable to get an attestation for a revoked Wallet Instance",
+      e.claim,
+      e.reason
+    );
+  }
+  if (e.statusCode === 404) {
+    throw new WalletInstanceNotFoundError(
+      "Unable to get an attestation for a Wallet Instance that does not exist",
+      e.claim,
+      e.reason
+    );
+  }
+  throw new WalletInstanceAttestationIssuingError(
+    `Unable to obtain wallet instance attestation [response status code: ${e.statusCode}]`,
+    e.claim,
+    e.reason
+  );
+};

package/src/wallet-instance-attestation/types.ts CHANGED Viewed

@@ -60,16 +60,20 @@ export const WalletInstanceAttestationJwt = z.object({
     Jwt.shape.payload,
     z.object({
       sub: z.string(),
-      attested_security_context: z.string(),
+      aal: z.string(),
       authorization_endpoint: z.string(),
       response_types_supported: z.array(z.string()),
       vp_formats_supported: z.object({
-        jwt_vp_json: z.object({
-          alg_values_supported: z.array(z.string()),
-        }),
-        jwt_vc_json: z.object({
-          alg_values_supported: z.array(z.string()),
-        }),
+        "vc+sd-jwt": z
+          .object({
+            "sd-jwt_alg_values": z.array(z.string()),
+          })
+          .optional(),
+        "vp+sd-jwt": z
+          .object({
+            "sd-jwt_alg_values": z.array(z.string()),
+          })
+          .optional(),
       }),
       request_object_signing_alg_values_supported: z.array(z.string()),
       presentation_definition_uri_supported: z.boolean(),

package/lib/commonjs/credential/issuance/07-confirm-credential.js DELETED Viewed

@@ -1,6 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-//# sourceMappingURL=07-confirm-credential.js.map

package/lib/commonjs/credential/issuance/07-confirm-credential.js.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/07-confirm-credential.ts"],"mappings":""}

package/lib/commonjs/credential/issuance/08-confirm-credential.js DELETED Viewed

@@ -1,6 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-//# sourceMappingURL=08-confirm-credential.js.map

package/lib/commonjs/credential/issuance/08-confirm-credential.js.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/08-confirm-credential.ts"],"mappings":""}

package/lib/module/credential/issuance/07-confirm-credential.js DELETED Viewed

	@@ -1,2 +0,0 @@
1	- export {};
2	- //# sourceMappingURL=07-confirm-credential.js.map

package/lib/module/credential/issuance/07-confirm-credential.js.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/07-confirm-credential.ts"],"mappings":""}

package/lib/module/credential/issuance/08-confirm-credential.js DELETED Viewed

	@@ -1,2 +0,0 @@
1	- export {};
2	- //# sourceMappingURL=08-confirm-credential.js.map

package/lib/module/credential/issuance/08-confirm-credential.js.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/08-confirm-credential.ts"],"mappings":""}

package/lib/typescript/credential/issuance/07-confirm-credential.d.ts DELETED Viewed

@@ -1,11 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<void>;
-//# sourceMappingURL=07-confirm-credential.d.ts.map

package/lib/typescript/credential/issuance/07-confirm-credential.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"07-confirm-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/07-confirm-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACpC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/lib/typescript/credential/issuance/08-confirm-credential.d.ts DELETED Viewed

@@ -1,11 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (credential: Out<ObtainCredential>["credential"], format: Out<ObtainCredential>["format"]) => Promise<void>;
-//# sourceMappingURL=08-confirm-credential.d.ts.map

package/lib/typescript/credential/issuance/08-confirm-credential.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"08-confirm-credential.d.ts","sourceRoot":"","sources":["../../../../src/credential/issuance/08-confirm-credential.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,UAAU,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,YAAY,CAAC,EAC/C,MAAM,EAAE,GAAG,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,KACpC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/src/credential/issuance/07-confirm-credential.ts DELETED Viewed

@@ -1,14 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (
-  credential: Out<ObtainCredential>["credential"],
-  format: Out<ObtainCredential>["format"]
-) => Promise<void>;

package/src/credential/issuance/08-confirm-credential.ts DELETED Viewed

@@ -1,14 +0,0 @@
-import type { ObtainCredential } from "./06-obtain-credential";
-import type { Out } from "../../utils/misc";
-/**
- * The end of the issuing flow.
- * The User accepted the Credential and it can be stored in the device according to the app implementation preferences.
- * To be implemented.
- *
- * @returns The type of the Credential to be issued and the url of the Issuer
- */
-export type ConfirmCredential = (
-  credential: Out<ObtainCredential>["credential"],
-  format: Out<ObtainCredential>["format"]
-) => Promise<void>;

package/src/sd-jwt/__test__/converters.test.js DELETED Viewed

@@ -1,24 +0,0 @@
-import { getValueFromDisclosures } from "../converters";
-const disclosures = [
-  ["6w1_soRXFgaHKfpYn3cvfQ", "given_name", "Mario"],
-  ["fuNp97Hf3wV6y48y-QZhIg", "birthdate", "1980-10-01"],
-  [
-    "p-9LzyWHZBVDvhXDWkN2xA",
-    "place_of_birth",
-    { country: "IT", locality: "Rome" },
-  ],
-];
-describe("getValueFromDisclosures", () => {
-  it("should return correct value for given_name", () => {
-    const success = getValueFromDisclosures(disclosures, "given_name");
-    expect(success).toBe("Mario");
-  });
-  it("should return correct value for place_of_birth", () => {
-    const success = getValueFromDisclosures(disclosures, "place_of_birth");
-    expect(success).toEqual({ country: "IT", locality: "Rome" });
-  });
-  it("should fail", () => {
-    const success = getValueFromDisclosures(disclosures, "given_surname");
-    expect(success).toBeUndefined();
-  });
-});

package/src/sd-jwt/verifier.js DELETED Viewed

@@ -1,12 +0,0 @@
-import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
-import { ValidationFailed } from "../utils/errors";
-export const verifyDisclosure = async ({ encoded, decoded }, claims) => {
-  let hash = await sha256ToBase64(encoded);
-  if (!claims.includes(hash)) {
-    throw new ValidationFailed(
-      "Validation of disclosure failed",
-      `${decoded}`,
-      "Disclosure hash not found in claims"
-    );
-  }
-};