@pagopa/io-react-native-wallet 0.13.1 → 0.14.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (63) hide show
  1. package/lib/commonjs/cie/component.js +180 -0
  2. package/lib/commonjs/cie/component.js.map +1 -0
  3. package/lib/commonjs/cie/error.js +44 -0
  4. package/lib/commonjs/cie/error.js.map +1 -0
  5. package/lib/commonjs/cie/index.js +32 -0
  6. package/lib/commonjs/cie/index.js.map +1 -0
  7. package/lib/commonjs/cie/manager.js +142 -0
  8. package/lib/commonjs/cie/manager.js.map +1 -0
  9. package/lib/commonjs/client/index.js +5 -2
  10. package/lib/commonjs/client/index.js.map +1 -1
  11. package/lib/commonjs/credential/issuance/04-complete-user-authorization.js +6 -2
  12. package/lib/commonjs/credential/issuance/04-complete-user-authorization.js.map +1 -1
  13. package/lib/commonjs/credential/issuance/index.js +6 -0
  14. package/lib/commonjs/credential/issuance/index.js.map +1 -1
  15. package/lib/commonjs/index.js +3 -1
  16. package/lib/commonjs/index.js.map +1 -1
  17. package/lib/module/cie/component.js +171 -0
  18. package/lib/module/cie/component.js.map +1 -0
  19. package/lib/module/cie/error.js +36 -0
  20. package/lib/module/cie/error.js.map +1 -0
  21. package/lib/module/cie/index.js +4 -0
  22. package/lib/module/cie/index.js.map +1 -0
  23. package/lib/module/cie/manager.js +133 -0
  24. package/lib/module/cie/manager.js.map +1 -0
  25. package/lib/module/client/index.js +5 -2
  26. package/lib/module/client/index.js.map +1 -1
  27. package/lib/module/credential/issuance/04-complete-user-authorization.js +3 -0
  28. package/lib/module/credential/issuance/04-complete-user-authorization.js.map +1 -1
  29. package/lib/module/credential/issuance/index.js +2 -2
  30. package/lib/module/credential/issuance/index.js.map +1 -1
  31. package/lib/module/index.js +2 -1
  32. package/lib/module/index.js.map +1 -1
  33. package/lib/typescript/cie/component.d.ts +46 -0
  34. package/lib/typescript/cie/component.d.ts.map +1 -0
  35. package/lib/typescript/cie/error.d.ts +31 -0
  36. package/lib/typescript/cie/error.d.ts.map +1 -0
  37. package/lib/typescript/cie/index.d.ts +4 -0
  38. package/lib/typescript/cie/index.d.ts.map +1 -0
  39. package/lib/typescript/cie/manager.d.ts +5 -0
  40. package/lib/typescript/cie/manager.d.ts.map +1 -0
  41. package/lib/typescript/client/index.d.ts.map +1 -1
  42. package/lib/typescript/credential/issuance/04-complete-user-authorization.d.ts +5 -0
  43. package/lib/typescript/credential/issuance/04-complete-user-authorization.d.ts.map +1 -1
  44. package/lib/typescript/credential/issuance/index.d.ts +2 -2
  45. package/lib/typescript/credential/issuance/index.d.ts.map +1 -1
  46. package/lib/typescript/index.d.ts +2 -1
  47. package/lib/typescript/index.d.ts.map +1 -1
  48. package/package.json +6 -2
  49. package/src/cie/component.tsx +216 -0
  50. package/src/cie/error.ts +58 -0
  51. package/src/cie/index.ts +4 -0
  52. package/src/cie/manager.ts +183 -0
  53. package/src/client/index.ts +4 -1
  54. package/src/credential/issuance/04-complete-user-authorization.ts +16 -13
  55. package/src/credential/issuance/index.ts +2 -0
  56. package/src/index.ts +2 -0
  57. package/lib/commonjs/credential/issuance/03-start-credential-issuance.js +0 -287
  58. package/lib/commonjs/credential/issuance/03-start-credential-issuance.js.map +0 -1
  59. package/lib/module/credential/issuance/03-start-credential-issuance.js +0 -276
  60. package/lib/module/credential/issuance/03-start-credential-issuance.js.map +0 -1
  61. package/lib/typescript/credential/issuance/03-start-credential-issuance.d.ts +0 -41
  62. package/lib/typescript/credential/issuance/03-start-credential-issuance.d.ts.map +0 -1
  63. package/src/credential/issuance/03-start-credential-issuance.ts +0 -407
@@ -1,287 +0,0 @@
1
- "use strict";
2
-
3
- Object.defineProperty(exports, "__esModule", {
4
- value: true
5
- });
6
- exports.startCredentialIssuance = exports.createNonceProof = exports.authorizeUserWithQueryMode = void 0;
7
- var _reactNativeUuid = _interopRequireDefault(require("react-native-uuid"));
8
- var _par = require("../../utils/par");
9
- var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
10
- var _misc = require("../../utils/misc");
11
- var _const = require("./const");
12
- var _parseUrl = _interopRequireDefault(require("parse-url"));
13
- var _errors = require("../../utils/errors");
14
- var _auth = require("../../utils/auth");
15
- var _crypto = require("../../utils/crypto");
16
- var _dpop = require("../../utils/dpop");
17
- var _pop = require("../../utils/pop");
18
- var _types = require("./types");
19
- var WalletInstanceAttestation = _interopRequireWildcard(require("../../wallet-instance-attestation"));
20
- var _reactNative = require("react-native");
21
- function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
22
- function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
23
- function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
24
- /**
25
- * Ensures that the credential type requested is supported by the issuer and contained in the
26
- * issuer configuration.
27
- * @param issuerConf The issuer configuration
28
- * @param credentialType The type of the credential to be requested
29
- * @returns The credential definition to be used in the request which includes the format and the type and its type
30
- */
31
- const selectCredentialDefinition = (issuerConf, credentialType) => {
32
- const credential_configurations_supported = issuerConf.openid_credential_issuer.credential_configurations_supported;
33
- const [result] = Object.keys(credential_configurations_supported).filter(e => e.includes(credentialType)).map(e => ({
34
- credential_configuration_id: credentialType,
35
- format: credential_configurations_supported[e].format,
36
- type: "openid_credential"
37
- }));
38
- if (!result) {
39
- throw new Error(`No credential support the type '${credentialType}'`);
40
- }
41
- return result;
42
- };
43
-
44
- /**
45
- * Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
46
- * @param issuerConf The issuer configuration
47
- * @param credentialType The type of the credential to be requested
48
- * @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
49
- */
50
- const selectResponseMode = (issuerConf, credentialType) => {
51
- const responseModeSupported = issuerConf.oauth_authorization_server.response_modes_supported;
52
- const responseMode = credentialType === "PersonIdentificationData" ? "query" : "form_post.jwt";
53
- if (!responseModeSupported.includes(responseMode)) {
54
- throw new Error(`No response mode support the type '${credentialType}'`);
55
- }
56
- return responseMode;
57
- };
58
- /**
59
- * Starts the credential issuance flow to obtain a credential from the issuer.
60
- * @param issuerConf The Issuer configuration
61
- * @param credentialType The type of the credential to be requested
62
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
63
- * @param context.credentialCryptoContext The context to access the key to associat with credential
64
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
65
- * @param context.authorizationContext The context to identify the user which will be used to start the authorization. It's needed only when requesting a PersonalIdentificationData credential. The implementantion should open an in-app browser capable of catching the redirectSchema. If not specified, the default browser is used.
66
- * @param context.redirectUri The internal URL to which to redirect has passed the in-app browser login phase. If you don't use authorizationContext remember to register this URL as customUrl or deepLink. See https://reactnative.dev/docs/linking
67
- * @param context.idphint Unique identifier of the SPID IDP
68
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
69
- * @throws {AuthorizationError} When the response from the authorization response is not parsable
70
- * @returns The credential obtained
71
- */
72
-
73
- const startCredentialIssuance = async (issuerConf, credentialType, ctx) => {
74
- const {
75
- wiaCryptoContext,
76
- credentialCryptoContext,
77
- walletInstanceAttestation,
78
- authorizationContext,
79
- redirectUri,
80
- idphint,
81
- appFetch = fetch
82
- } = ctx;
83
-
84
- /**
85
- * Creates and sends a PAR request to the /as/par endpoint of the authroization server.
86
- * This starts the authentication flow to obtain an access token.
87
- * This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer.
88
- * This is an HTTP POST request containing the Wallet Instance identifier (client id), the code challenge and challenge method as specified by PKCE according to RFC 9126
89
- * along with the WTE and its proof of possession (WTE-PoP).
90
- * Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details),
91
- * the application session identifier on the Wallet Instance side (state),
92
- * the method (query or form_post.jwt) by which the Authorization Server
93
- * should transmit the Authorization Response containing the authorization code issued upon the end user's authentication (response_mode)
94
- * to the Wallet Instance's Token Endpoint to obtain the Access Token, and the redirect_uri of the Wallet Instance where the Authorization Response
95
- * should be delivered. The redirect is achived by using a custom URL scheme that the Wallet Instance is registered to handle.
96
- */
97
- const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
98
- const codeVerifier = (0, _misc.generateRandomAlphaNumericString)(64);
99
- const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
100
- const parUrl = new URL(parEndpoint);
101
- const aud = `${parUrl.protocol}//${parUrl.hostname}`;
102
- const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
103
- const credentialDefinition = selectCredentialDefinition(issuerConf, credentialType);
104
- const responseMode = selectResponseMode(issuerConf, credentialType);
105
- const getPar = (0, _par.makeParRequest)({
106
- wiaCryptoContext,
107
- appFetch
108
- });
109
- const issuerRequestUri = await getPar(clientId, codeVerifier, redirectUri, responseMode, parEndpoint, walletInstanceAttestation, [credentialDefinition], _const.ASSERTION_TYPE);
110
-
111
- /**
112
- * Starts the authorization flow which dependes on the response mode and the request credential.
113
- * If the response mode is "query" the authorization flow is handled differently via the authorization context which opens an in-app browser capable of catching the redirectSchema.
114
- * The form_post.jwt mode is not currently supported.
115
- */
116
- const authorizeFlowResult = await (async () => {
117
- const authzRequestEndpoint = issuerConf.oauth_authorization_server.authorization_endpoint;
118
- if (responseMode === "query") {
119
- const params = new URLSearchParams({
120
- client_id: clientId,
121
- request_uri: issuerRequestUri,
122
- idphint
123
- });
124
-
125
- /**
126
- * Starts the authorization flow to obtain an authorization code by performing a GET request to the /authorize endpoint of the authorization server.
127
- */
128
- return await authorizeUserWithQueryMode(authzRequestEndpoint, params, redirectUri, authorizationContext);
129
- } else {
130
- throw new _errors.AuthorizationError("Response mode not supported for this type of credential");
131
- }
132
- })();
133
-
134
- /**
135
- * Creates and sends the DPoP Proof JWT to be presented with the authorization code to the /token endpoint of the authorization server
136
- * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
137
- * This enables the Wallet Instance to request a digital credential.
138
- * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
139
- */
140
-
141
- const {
142
- code
143
- } = authorizeFlowResult;
144
- const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
145
- // Use an ephemeral key to be destroyed after use
146
- const tokenRequestSignedDPop = await (0, _crypto.withEphemeralKey)(async ephimeralContext => {
147
- return await (0, _dpop.createDPopToken)({
148
- htm: "POST",
149
- htu: tokenUrl,
150
- jti: `${_reactNativeUuid.default.v4()}`
151
- }, ephimeralContext);
152
- });
153
- const signedWiaPoP = await (0, _pop.createPopToken)({
154
- jti: `${_reactNativeUuid.default.v4()}`,
155
- aud,
156
- iss
157
- }, wiaCryptoContext);
158
- const requestBody = {
159
- grant_type: "authorization_code",
160
- client_id: clientId,
161
- code,
162
- redirect_uri: redirectUri,
163
- code_verifier: codeVerifier,
164
- client_assertion_type: _const.ASSERTION_TYPE,
165
- client_assertion: walletInstanceAttestation + "~" + signedWiaPoP
166
- };
167
- const authorizationRequestFormBody = new URLSearchParams(requestBody);
168
- const tokenRes = await appFetch(tokenUrl, {
169
- method: "POST",
170
- headers: {
171
- "Content-Type": "application/x-www-form-urlencoded",
172
- DPoP: tokenRequestSignedDPop
173
- },
174
- body: authorizationRequestFormBody.toString()
175
- }).then((0, _misc.hasStatus)(200)).then(res => res.json()).then(body => _types.TokenResponse.safeParse(body));
176
- if (!tokenRes.success) {
177
- throw new _errors.ValidationFailed(tokenRes.error.message);
178
- }
179
-
180
- /**
181
- * Validates the token response and extracts the access token, c_nonce and c_nonce_expires_in.
182
- */
183
- const accessTokenResponse = tokenRes.data;
184
- const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
185
-
186
- /**
187
- * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
188
- * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
189
- * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
190
- */
191
- const signedNonceProof = await createNonceProof(accessTokenResponse.c_nonce, clientId, credentialUrl, credentialCryptoContext);
192
-
193
- // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
194
- const constainsCredentialDefinition = accessTokenResponse.authorization_details.some(c => c.credential_configuration_id === credentialDefinition.credential_configuration_id && c.format === credentialDefinition.format && c.type === credentialDefinition.type);
195
- if (!constainsCredentialDefinition) {
196
- throw new _errors.ValidationFailed("The access token response does not contain the requested credential");
197
- }
198
-
199
- /** The credential request body */
200
- const credentialRequestFormBody = {
201
- credential_definition: {
202
- type: [credentialDefinition.credential_configuration_id]
203
- },
204
- format: credentialDefinition.format,
205
- proof: {
206
- jwt: signedNonceProof,
207
- proof_type: "jwt"
208
- }
209
- };
210
- const credentialRes = await appFetch(credentialUrl, {
211
- method: "POST",
212
- headers: {
213
- "Content-Type": "application/json",
214
- DPoP: tokenRequestSignedDPop,
215
- Authorization: `${accessTokenResponse.token_type} ${accessTokenResponse.access_token}`
216
- },
217
- body: JSON.stringify(credentialRequestFormBody)
218
- }).then((0, _misc.hasStatus)(200)).then(res => res.json()).then(body => _types.CredentialResponse.safeParse(body));
219
- if (!credentialRes.success) {
220
- throw new _errors.ValidationFailed(credentialRes.error.message);
221
- }
222
- return credentialRes.data;
223
- };
224
-
225
- /**
226
- * Authorizes the user using the query mode and the authorization context.
227
- * @param authzRequestEndpoint The authorization endpoint of the authorization server
228
- * @param params The query parameters to be used in the request
229
- * @param redirectUri The URL to which the redirect is made is usually a custom URL or deeplink
230
- * @param authorizationContext The AuthorizationContext to manage the internal webview. If not specified, the default browser is used
231
- * @returns The authrozation result containing the authorization code, state and issuer
232
- */
233
- exports.startCredentialIssuance = startCredentialIssuance;
234
- const authorizeUserWithQueryMode = async (authzRequestEndpoint, params, redirectUri, authorizationContext) => {
235
- const authUrl = `${authzRequestEndpoint}?${params}`;
236
- var authRedirectUrl;
237
- if (authorizationContext) {
238
- const redirectSchema = new URL(redirectUri).protocol.replace(":", "");
239
- authRedirectUrl = await authorizationContext.authorize(authUrl, redirectSchema).catch(e => {
240
- throw new _errors.AuthorizationError(e.message);
241
- });
242
- } else {
243
- // handler for redirectUri
244
- _reactNative.Linking.addEventListener("url", _ref => {
245
- let {
246
- url
247
- } = _ref;
248
- if (url.includes(redirectUri)) {
249
- authRedirectUrl = url;
250
- }
251
- });
252
- const openAuthUrlInBrowser = _reactNative.Linking.openURL(authUrl);
253
-
254
- /*
255
- * Waits for 120 seconds for the identificationRedirectUrl variable to be set
256
- * by the custom url handler. If the timeout is exceeded, throw an exception
257
- */
258
- const unitAuthRedirectIsNotUndefined = (0, _misc.until)(() => authRedirectUrl !== undefined, 120);
259
- await Promise.all([openAuthUrlInBrowser, unitAuthRedirectIsNotUndefined]);
260
- if (authRedirectUrl === undefined) {
261
- throw new _errors.AuthorizationError("Invalid authentication redirect url");
262
- }
263
- }
264
- const urlParse = (0, _parseUrl.default)(authRedirectUrl);
265
- const authRes = _auth.AuthorizationResultShape.safeParse(urlParse.query);
266
- if (!authRes.success) {
267
- const authErr = _auth.AuthorizationErrorShape.safeParse(urlParse.query);
268
- if (!authErr.success) {
269
- throw new _errors.AuthorizationError(authRes.error.message); // an error occured while parsing the result and the error
270
- }
271
-
272
- throw new _errors.AuthorizationIdpError(authErr.data.error, authErr.data.error_description);
273
- }
274
- return authRes.data;
275
- };
276
- exports.authorizeUserWithQueryMode = authorizeUserWithQueryMode;
277
- const createNonceProof = async (nonce, issuer, audience, ctx) => {
278
- const jwk = await ctx.getPublicKey();
279
- return new _ioReactNativeJwt.SignJWT(ctx).setPayload({
280
- nonce
281
- }).setProtectedHeader({
282
- typ: "openid4vci-proof+jwt",
283
- jwk
284
- }).setAudience(audience).setIssuer(issuer).setIssuedAt().setExpirationTime("5min").sign();
285
- };
286
- exports.createNonceProof = createNonceProof;
287
- //# sourceMappingURL=03-start-credential-issuance.js.map
@@ -1 +0,0 @@
1
- {"version":3,"names":["_reactNativeUuid","_interopRequireDefault","require","_par","_ioReactNativeJwt","_misc","_const","_parseUrl","_errors","_auth","_crypto","_dpop","_pop","_types","WalletInstanceAttestation","_interopRequireWildcard","_reactNative","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","selectCredentialDefinition","issuerConf","credentialType","credential_configurations_supported","openid_credential_issuer","result","keys","filter","e","includes","map","credential_configuration_id","format","type","Error","selectResponseMode","responseModeSupported","oauth_authorization_server","response_modes_supported","responseMode","startCredentialIssuance","ctx","wiaCryptoContext","credentialCryptoContext","walletInstanceAttestation","authorizationContext","redirectUri","idphint","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","generateRandomAlphaNumericString","parEndpoint","pushed_authorization_request_endpoint","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","credentialDefinition","getPar","makeParRequest","issuerRequestUri","ASSERTION_TYPE","authorizeFlowResult","authzRequestEndpoint","authorization_endpoint","params","URLSearchParams","client_id","request_uri","authorizeUserWithQueryMode","AuthorizationError","code","tokenUrl","token_endpoint","tokenRequestSignedDPop","withEphemeralKey","ephimeralContext","createDPopToken","htm","htu","jti","uuid","v4","signedWiaPoP","createPopToken","requestBody","grant_type","redirect_uri","code_verifier","client_assertion_type","client_assertion","authorizationRequestFormBody","tokenRes","method","headers","DPoP","body","toString","hasStatus","res","json","TokenResponse","safeParse","success","ValidationFailed","error","message","accessTokenResponse","data","credentialUrl","credential_endpoint","signedNonceProof","createNonceProof","c_nonce","constainsCredentialDefinition","authorization_details","some","c","credentialRequestFormBody","credential_definition","proof","jwt","proof_type","credentialRes","Authorization","token_type","access_token","JSON","stringify","CredentialResponse","exports","authUrl","authRedirectUrl","redirectSchema","replace","authorize","catch","Linking","addEventListener","_ref","url","openAuthUrlInBrowser","openURL","unitAuthRedirectIsNotUndefined","until","undefined","Promise","all","urlParse","parseUrl","authRes","AuthorizationResultShape","query","authErr","AuthorizationErrorShape","AuthorizationIdpError","error_description","nonce","issuer","audience","SignJWT","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-credential-issuance.ts"],"mappings":";;;;;;AAAA,IAAAA,gBAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,IAAA,GAAAD,OAAA;AACA,IAAAE,iBAAA,GAAAF,OAAA;AACA,IAAAG,KAAA,GAAAH,OAAA;AAQA,IAAAI,MAAA,GAAAJ,OAAA;AACA,IAAAK,SAAA,GAAAN,sBAAA,CAAAC,OAAA;AACA,IAAAM,OAAA,GAAAN,OAAA;AAKA,IAAAO,KAAA,GAAAP,OAAA;AAMA,IAAAQ,OAAA,GAAAR,OAAA;AACA,IAAAS,KAAA,GAAAT,OAAA;AACA,IAAAU,IAAA,GAAAV,OAAA;AACA,IAAAW,MAAA,GAAAX,OAAA;AACA,IAAAY,yBAAA,GAAAC,uBAAA,CAAAb,OAAA;AACA,IAAAc,YAAA,GAAAd,OAAA;AAAuC,SAAAe,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAH,wBAAAO,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAAA,SAAA3B,uBAAAqB,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAEvC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMiB,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,cAAgD,KACxB;EACxB,MAAMC,mCAAmC,GACvCF,UAAU,CAACG,wBAAwB,CAACD,mCAAmC;EAEzE,MAAM,CAACE,MAAM,CAAC,GAAGd,MAAM,CAACe,IAAI,CAACH,mCAAmC,CAAC,CAC9DI,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,QAAQ,CAACP,cAAc,CAAC,CAAC,CACzCQ,GAAG,CAAEF,CAAC,KAAM;IACXG,2BAA2B,EAAET,cAAc;IAC3CU,MAAM,EAAET,mCAAmC,CAACK,CAAC,CAAC,CAAEI,MAAM;IACtDC,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACR,MAAM,EAAE;IACX,MAAM,IAAIS,KAAK,CAAE,mCAAkCZ,cAAe,GAAE,CAAC;EACvE;EACA,OAAOG,MAAM;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMU,kBAAkB,GAAGA,CACzBd,UAAkD,EAClDC,cAAgD,KAC/B;EACjB,MAAMc,qBAAqB,GACzBf,UAAU,CAACgB,0BAA0B,CAACC,wBAAwB;EAEhE,MAAMC,YAAY,GAChBjB,cAAc,KAAK,0BAA0B,GAAG,OAAO,GAAG,eAAe;EAE3E,IAAI,CAACc,qBAAqB,CAACP,QAAQ,CAACU,YAAY,CAAC,EAAE;IACjD,MAAM,IAAIL,KAAK,CAAE,sCAAqCZ,cAAe,GAAE,CAAC;EAC1E;EAEA,OAAOiB,YAAY;AACrB,CAAC;AAgBD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEO,MAAMC,uBAAgD,GAAG,MAAAA,CAC9DnB,UAAU,EACVC,cAAc,EACdmB,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,uBAAuB;IACvBC,yBAAyB;IACzBC,oBAAoB;IACpBC,WAAW;IACXC,OAAO;IACPC,QAAQ,GAAGC;EACb,CAAC,GAAGR,GAAG;;EAEP;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE,MAAMS,QAAQ,GAAG,MAAMR,gBAAgB,CAACS,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,MAAMC,YAAY,GAAG,IAAAC,sCAAgC,EAAC,EAAE,CAAC;EACzD,MAAMC,WAAW,GACfpC,UAAU,CAACgB,0BAA0B,CAACqB,qCAAqC;EAC7E,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACH,WAAW,CAAC;EACnC,MAAMI,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;EACpD,MAAMC,GAAG,GAAGrE,yBAAyB,CAACsE,MAAM,CAACrB,yBAAyB,CAAC,CACpEsB,OAAO,CAACC,GAAG,CAACC,GAAG,CAACd,GAAG;EACtB,MAAMe,oBAAoB,GAAGjD,0BAA0B,CACrDC,UAAU,EACVC,cACF,CAAC;EACD,MAAMiB,YAAY,GAAGJ,kBAAkB,CAACd,UAAU,EAAEC,cAAc,CAAC;EAEnE,MAAMgD,MAAM,GAAG,IAAAC,mBAAc,EAAC;IAAE7B,gBAAgB;IAAEM;EAAS,CAAC,CAAC;EAC7D,MAAMwB,gBAAgB,GAAG,MAAMF,MAAM,CACnCpB,QAAQ,EACRK,YAAY,EACZT,WAAW,EACXP,YAAY,EACZkB,WAAW,EACXb,yBAAyB,EACzB,CAACyB,oBAAoB,CAAC,EACtBI,qBACF,CAAC;;EAED;AACF;AACA;AACA;AACA;EACE,MAAMC,mBAAmB,GAAG,MAAM,CAAC,YAAY;IAC7C,MAAMC,oBAAoB,GACxBtD,UAAU,CAACgB,0BAA0B,CAACuC,sBAAsB;IAC9D,IAAIrC,YAAY,KAAK,OAAO,EAAE;MAC5B,MAAMsC,MAAM,GAAG,IAAIC,eAAe,CAAC;QACjCC,SAAS,EAAE7B,QAAQ;QACnB8B,WAAW,EAAER,gBAAgB;QAC7BzB;MACF,CAAC,CAAC;;MAEF;AACN;AACA;MACM,OAAO,MAAMkC,0BAA0B,CACrCN,oBAAoB,EACpBE,MAAM,EACN/B,WAAW,EACXD,oBACF,CAAC;IACH,CAAC,MAAM;MACL,MAAM,IAAIqC,0BAAkB,CAC1B,yDACF,CAAC;IACH;EACF,CAAC,EAAE,CAAC;;EAEJ;AACF;AACA;AACA;AACA;AACA;;EAEE,MAAM;IAAEC;EAAK,CAAC,GAAGT,mBAAmB;EACpC,MAAMU,QAAQ,GAAG/D,UAAU,CAACgB,0BAA0B,CAACgD,cAAc;EACrE;EACA,MAAMC,sBAAsB,GAAG,MAAM,IAAAC,wBAAgB,EACnD,MAAOC,gBAAgB,IAAK;IAC1B,OAAO,MAAM,IAAAC,qBAAe,EAC1B;MACEC,GAAG,EAAE,MAAM;MACXC,GAAG,EAAEP,QAAQ;MACbQ,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE;IACpB,CAAC,EACDN,gBACF,CAAC;EACH,CACF,CAAC;EAED,MAAMO,YAAY,GAAG,MAAM,IAAAC,mBAAc,EACvC;IACEJ,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;IACnBjC,GAAG;IACHG;EACF,CAAC,EACDtB,gBACF,CAAC;EAED,MAAMuD,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCnB,SAAS,EAAE7B,QAAQ;IACnBiC,IAAI;IACJgB,YAAY,EAAErD,WAAW;IACzBsD,aAAa,EAAE7C,YAAY;IAC3B8C,qBAAqB,EAAE5B,qBAAc;IACrC6B,gBAAgB,EAAE1D,yBAAyB,GAAG,GAAG,GAAGmD;EACtD,CAAC;EAED,MAAMQ,4BAA4B,GAAG,IAAIzB,eAAe,CAACmB,WAAW,CAAC;EACrE,MAAMO,QAAQ,GAAG,MAAMxD,QAAQ,CAACoC,QAAQ,EAAE;IACxCqB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAErB;IACR,CAAC;IACDsB,IAAI,EAAEL,4BAA4B,CAACM,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCzD,IAAI,CAAC,IAAA0D,eAAS,EAAC,GAAG,CAAC,CAAC,CACpB1D,IAAI,CAAE2D,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzB5D,IAAI,CAAEwD,IAAI,IAAKK,oBAAa,CAACC,SAAS,CAACN,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACW,OAAO,EAAE;IACrB,MAAM,IAAIC,wBAAgB,CAACZ,QAAQ,CAACa,KAAK,CAACC,OAAO,CAAC;EACpD;;EAEA;AACF;AACA;EACE,MAAMC,mBAAmB,GAAGf,QAAQ,CAACgB,IAAI;EACzC,MAAMC,aAAa,GAAGpG,UAAU,CAACG,wBAAwB,CAACkG,mBAAmB;;EAE7E;AACF;AACA;AACA;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAMC,gBAAgB,CAC7CL,mBAAmB,CAACM,OAAO,EAC3B3E,QAAQ,EACRuE,aAAa,EACb9E,uBACF,CAAC;;EAED;EACA,MAAMmF,6BAA6B,GACjCP,mBAAmB,CAACQ,qBAAqB,CAACC,IAAI,CAC3CC,CAAC,IACAA,CAAC,CAAClG,2BAA2B,KAC3BsC,oBAAoB,CAACtC,2BAA2B,IAClDkG,CAAC,CAACjG,MAAM,KAAKqC,oBAAoB,CAACrC,MAAM,IACxCiG,CAAC,CAAChG,IAAI,KAAKoC,oBAAoB,CAACpC,IACpC,CAAC;EAEH,IAAI,CAAC6F,6BAA6B,EAAE;IAClC,MAAM,IAAIV,wBAAgB,CACxB,qEACF,CAAC;EACH;;EAEA;EACA,MAAMc,yBAAyB,GAAG;IAChCC,qBAAqB,EAAE;MACrBlG,IAAI,EAAE,CAACoC,oBAAoB,CAACtC,2BAA2B;IACzD,CAAC;IACDC,MAAM,EAAEqC,oBAAoB,CAACrC,MAAM;IACnCoG,KAAK,EAAE;MACLC,GAAG,EAAEV,gBAAgB;MACrBW,UAAU,EAAE;IACd;EACF,CAAC;EAED,MAAMC,aAAa,GAAG,MAAMvF,QAAQ,CAACyE,aAAa,EAAE;IAClDhB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCC,IAAI,EAAErB,sBAAsB;MAC5BkD,aAAa,EAAG,GAAEjB,mBAAmB,CAACkB,UAAW,IAAGlB,mBAAmB,CAACmB,YAAa;IACvF,CAAC;IACD9B,IAAI,EAAE+B,IAAI,CAACC,SAAS,CAACV,yBAAyB;EAChD,CAAC,CAAC,CACC9E,IAAI,CAAC,IAAA0D,eAAS,EAAC,GAAG,CAAC,CAAC,CACpB1D,IAAI,CAAE2D,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzB5D,IAAI,CAAEwD,IAAI,IAAKiC,yBAAkB,CAAC3B,SAAS,CAACN,IAAI,CAAC,CAAC;EAErD,IAAI,CAAC2B,aAAa,CAACpB,OAAO,EAAE;IAC1B,MAAM,IAAIC,wBAAgB,CAACmB,aAAa,CAAClB,KAAK,CAACC,OAAO,CAAC;EACzD;EAEA,OAAOiB,aAAa,CAACf,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAPAsB,OAAA,CAAAtG,uBAAA,GAAAA,uBAAA;AAQO,MAAMyC,0BAA0B,GAAG,MAAAA,CACxCN,oBAA4B,EAC5BE,MAAuB,EACvB/B,WAAmB,EACnBD,oBAA2C,KACV;EACjC,MAAMkG,OAAO,GAAI,GAAEpE,oBAAqB,IAAGE,MAAO,EAAC;EACnD,IAAImE,eAAmC;EAEvC,IAAInG,oBAAoB,EAAE;IACxB,MAAMoG,cAAc,GAAG,IAAIrF,GAAG,CAACd,WAAW,CAAC,CAACgB,QAAQ,CAACoF,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC;IACrEF,eAAe,GAAG,MAAMnG,oBAAoB,CACzCsG,SAAS,CAACJ,OAAO,EAAEE,cAAc,CAAC,CAClCG,KAAK,CAAExH,CAAC,IAAK;MACZ,MAAM,IAAIsD,0BAAkB,CAACtD,CAAC,CAAC0F,OAAO,CAAC;IACzC,CAAC,CAAC;EACN,CAAC,MAAM;IACL;IACA+B,oBAAO,CAACC,gBAAgB,CAAC,KAAK,EAAEC,IAAA,IAAa;MAAA,IAAZ;QAAEC;MAAI,CAAC,GAAAD,IAAA;MACtC,IAAIC,GAAG,CAAC3H,QAAQ,CAACiB,WAAW,CAAC,EAAE;QAC7BkG,eAAe,GAAGQ,GAAG;MACvB;IACF,CAAC,CAAC;IAEF,MAAMC,oBAAoB,GAAGJ,oBAAO,CAACK,OAAO,CAACX,OAAO,CAAC;;IAErD;AACJ;AACA;AACA;IACI,MAAMY,8BAA8B,GAAG,IAAAC,WAAK,EAC1C,MAAMZ,eAAe,KAAKa,SAAS,EACnC,GACF,CAAC;IAED,MAAMC,OAAO,CAACC,GAAG,CAAC,CAACN,oBAAoB,EAAEE,8BAA8B,CAAC,CAAC;IAEzE,IAAIX,eAAe,KAAKa,SAAS,EAAE;MACjC,MAAM,IAAI3E,0BAAkB,CAAC,qCAAqC,CAAC;IACrE;EACF;EAEA,MAAM8E,QAAQ,GAAG,IAAAC,iBAAQ,EAACjB,eAAe,CAAC;EAC1C,MAAMkB,OAAO,GAAGC,8BAAwB,CAACjD,SAAS,CAAC8C,QAAQ,CAACI,KAAK,CAAC;EAClE,IAAI,CAACF,OAAO,CAAC/C,OAAO,EAAE;IACpB,MAAMkD,OAAO,GAAGC,6BAAuB,CAACpD,SAAS,CAAC8C,QAAQ,CAACI,KAAK,CAAC;IACjE,IAAI,CAACC,OAAO,CAAClD,OAAO,EAAE;MACpB,MAAM,IAAIjC,0BAAkB,CAACgF,OAAO,CAAC7C,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IACvD;;IACA,MAAM,IAAIiD,6BAAqB,CAC7BF,OAAO,CAAC7C,IAAI,CAACH,KAAK,EAClBgD,OAAO,CAAC7C,IAAI,CAACgD,iBACf,CAAC;EACH;EACA,OAAON,OAAO,CAAC1C,IAAI;AACrB,CAAC;AAACsB,OAAA,CAAA7D,0BAAA,GAAAA,0BAAA;AAEK,MAAM2C,gBAAgB,GAAG,MAAAA,CAC9B6C,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBlI,GAAkB,KACE;EACpB,MAAM2B,GAAG,GAAG,MAAM3B,GAAG,CAACU,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIyH,yBAAO,CAACnI,GAAG,CAAC,CACpBoI,UAAU,CAAC;IACVJ;EACF,CAAC,CAAC,CACDK,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3B3G;EACF,CAAC,CAAC,CACD4G,WAAW,CAACL,QAAQ,CAAC,CACrBM,SAAS,CAACP,MAAM,CAAC,CACjBQ,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;AAACtC,OAAA,CAAAlB,gBAAA,GAAAA,gBAAA"}
@@ -1,276 +0,0 @@
1
- import uuid from "react-native-uuid";
2
- import { makeParRequest } from "../../utils/par";
3
- import { SignJWT } from "@pagopa/io-react-native-jwt";
4
- import { generateRandomAlphaNumericString, hasStatus, until } from "../../utils/misc";
5
- import { ASSERTION_TYPE } from "./const";
6
- import parseUrl from "parse-url";
7
- import { AuthorizationError, AuthorizationIdpError, ValidationFailed } from "../../utils/errors";
8
- import { AuthorizationErrorShape, AuthorizationResultShape } from "../../utils/auth";
9
- import { withEphemeralKey } from "../../utils/crypto";
10
- import { createDPopToken } from "../../utils/dpop";
11
- import { createPopToken } from "../../utils/pop";
12
- import { CredentialResponse, TokenResponse } from "./types";
13
- import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
14
- import { Linking } from "react-native";
15
-
16
- /**
17
- * Ensures that the credential type requested is supported by the issuer and contained in the
18
- * issuer configuration.
19
- * @param issuerConf The issuer configuration
20
- * @param credentialType The type of the credential to be requested
21
- * @returns The credential definition to be used in the request which includes the format and the type and its type
22
- */
23
- const selectCredentialDefinition = (issuerConf, credentialType) => {
24
- const credential_configurations_supported = issuerConf.openid_credential_issuer.credential_configurations_supported;
25
- const [result] = Object.keys(credential_configurations_supported).filter(e => e.includes(credentialType)).map(e => ({
26
- credential_configuration_id: credentialType,
27
- format: credential_configurations_supported[e].format,
28
- type: "openid_credential"
29
- }));
30
- if (!result) {
31
- throw new Error(`No credential support the type '${credentialType}'`);
32
- }
33
- return result;
34
- };
35
-
36
- /**
37
- * Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
38
- * @param issuerConf The issuer configuration
39
- * @param credentialType The type of the credential to be requested
40
- * @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
41
- */
42
- const selectResponseMode = (issuerConf, credentialType) => {
43
- const responseModeSupported = issuerConf.oauth_authorization_server.response_modes_supported;
44
- const responseMode = credentialType === "PersonIdentificationData" ? "query" : "form_post.jwt";
45
- if (!responseModeSupported.includes(responseMode)) {
46
- throw new Error(`No response mode support the type '${credentialType}'`);
47
- }
48
- return responseMode;
49
- };
50
- /**
51
- * Starts the credential issuance flow to obtain a credential from the issuer.
52
- * @param issuerConf The Issuer configuration
53
- * @param credentialType The type of the credential to be requested
54
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
55
- * @param context.credentialCryptoContext The context to access the key to associat with credential
56
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
57
- * @param context.authorizationContext The context to identify the user which will be used to start the authorization. It's needed only when requesting a PersonalIdentificationData credential. The implementantion should open an in-app browser capable of catching the redirectSchema. If not specified, the default browser is used.
58
- * @param context.redirectUri The internal URL to which to redirect has passed the in-app browser login phase. If you don't use authorizationContext remember to register this URL as customUrl or deepLink. See https://reactnative.dev/docs/linking
59
- * @param context.idphint Unique identifier of the SPID IDP
60
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
61
- * @throws {AuthorizationError} When the response from the authorization response is not parsable
62
- * @returns The credential obtained
63
- */
64
-
65
- export const startCredentialIssuance = async (issuerConf, credentialType, ctx) => {
66
- const {
67
- wiaCryptoContext,
68
- credentialCryptoContext,
69
- walletInstanceAttestation,
70
- authorizationContext,
71
- redirectUri,
72
- idphint,
73
- appFetch = fetch
74
- } = ctx;
75
-
76
- /**
77
- * Creates and sends a PAR request to the /as/par endpoint of the authroization server.
78
- * This starts the authentication flow to obtain an access token.
79
- * This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer.
80
- * This is an HTTP POST request containing the Wallet Instance identifier (client id), the code challenge and challenge method as specified by PKCE according to RFC 9126
81
- * along with the WTE and its proof of possession (WTE-PoP).
82
- * Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details),
83
- * the application session identifier on the Wallet Instance side (state),
84
- * the method (query or form_post.jwt) by which the Authorization Server
85
- * should transmit the Authorization Response containing the authorization code issued upon the end user's authentication (response_mode)
86
- * to the Wallet Instance's Token Endpoint to obtain the Access Token, and the redirect_uri of the Wallet Instance where the Authorization Response
87
- * should be delivered. The redirect is achived by using a custom URL scheme that the Wallet Instance is registered to handle.
88
- */
89
- const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
90
- const codeVerifier = generateRandomAlphaNumericString(64);
91
- const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
92
- const parUrl = new URL(parEndpoint);
93
- const aud = `${parUrl.protocol}//${parUrl.hostname}`;
94
- const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
95
- const credentialDefinition = selectCredentialDefinition(issuerConf, credentialType);
96
- const responseMode = selectResponseMode(issuerConf, credentialType);
97
- const getPar = makeParRequest({
98
- wiaCryptoContext,
99
- appFetch
100
- });
101
- const issuerRequestUri = await getPar(clientId, codeVerifier, redirectUri, responseMode, parEndpoint, walletInstanceAttestation, [credentialDefinition], ASSERTION_TYPE);
102
-
103
- /**
104
- * Starts the authorization flow which dependes on the response mode and the request credential.
105
- * If the response mode is "query" the authorization flow is handled differently via the authorization context which opens an in-app browser capable of catching the redirectSchema.
106
- * The form_post.jwt mode is not currently supported.
107
- */
108
- const authorizeFlowResult = await (async () => {
109
- const authzRequestEndpoint = issuerConf.oauth_authorization_server.authorization_endpoint;
110
- if (responseMode === "query") {
111
- const params = new URLSearchParams({
112
- client_id: clientId,
113
- request_uri: issuerRequestUri,
114
- idphint
115
- });
116
-
117
- /**
118
- * Starts the authorization flow to obtain an authorization code by performing a GET request to the /authorize endpoint of the authorization server.
119
- */
120
- return await authorizeUserWithQueryMode(authzRequestEndpoint, params, redirectUri, authorizationContext);
121
- } else {
122
- throw new AuthorizationError("Response mode not supported for this type of credential");
123
- }
124
- })();
125
-
126
- /**
127
- * Creates and sends the DPoP Proof JWT to be presented with the authorization code to the /token endpoint of the authorization server
128
- * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
129
- * This enables the Wallet Instance to request a digital credential.
130
- * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
131
- */
132
-
133
- const {
134
- code
135
- } = authorizeFlowResult;
136
- const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
137
- // Use an ephemeral key to be destroyed after use
138
- const tokenRequestSignedDPop = await withEphemeralKey(async ephimeralContext => {
139
- return await createDPopToken({
140
- htm: "POST",
141
- htu: tokenUrl,
142
- jti: `${uuid.v4()}`
143
- }, ephimeralContext);
144
- });
145
- const signedWiaPoP = await createPopToken({
146
- jti: `${uuid.v4()}`,
147
- aud,
148
- iss
149
- }, wiaCryptoContext);
150
- const requestBody = {
151
- grant_type: "authorization_code",
152
- client_id: clientId,
153
- code,
154
- redirect_uri: redirectUri,
155
- code_verifier: codeVerifier,
156
- client_assertion_type: ASSERTION_TYPE,
157
- client_assertion: walletInstanceAttestation + "~" + signedWiaPoP
158
- };
159
- const authorizationRequestFormBody = new URLSearchParams(requestBody);
160
- const tokenRes = await appFetch(tokenUrl, {
161
- method: "POST",
162
- headers: {
163
- "Content-Type": "application/x-www-form-urlencoded",
164
- DPoP: tokenRequestSignedDPop
165
- },
166
- body: authorizationRequestFormBody.toString()
167
- }).then(hasStatus(200)).then(res => res.json()).then(body => TokenResponse.safeParse(body));
168
- if (!tokenRes.success) {
169
- throw new ValidationFailed(tokenRes.error.message);
170
- }
171
-
172
- /**
173
- * Validates the token response and extracts the access token, c_nonce and c_nonce_expires_in.
174
- */
175
- const accessTokenResponse = tokenRes.data;
176
- const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
177
-
178
- /**
179
- * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
180
- * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
181
- * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
182
- */
183
- const signedNonceProof = await createNonceProof(accessTokenResponse.c_nonce, clientId, credentialUrl, credentialCryptoContext);
184
-
185
- // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
186
- const constainsCredentialDefinition = accessTokenResponse.authorization_details.some(c => c.credential_configuration_id === credentialDefinition.credential_configuration_id && c.format === credentialDefinition.format && c.type === credentialDefinition.type);
187
- if (!constainsCredentialDefinition) {
188
- throw new ValidationFailed("The access token response does not contain the requested credential");
189
- }
190
-
191
- /** The credential request body */
192
- const credentialRequestFormBody = {
193
- credential_definition: {
194
- type: [credentialDefinition.credential_configuration_id]
195
- },
196
- format: credentialDefinition.format,
197
- proof: {
198
- jwt: signedNonceProof,
199
- proof_type: "jwt"
200
- }
201
- };
202
- const credentialRes = await appFetch(credentialUrl, {
203
- method: "POST",
204
- headers: {
205
- "Content-Type": "application/json",
206
- DPoP: tokenRequestSignedDPop,
207
- Authorization: `${accessTokenResponse.token_type} ${accessTokenResponse.access_token}`
208
- },
209
- body: JSON.stringify(credentialRequestFormBody)
210
- }).then(hasStatus(200)).then(res => res.json()).then(body => CredentialResponse.safeParse(body));
211
- if (!credentialRes.success) {
212
- throw new ValidationFailed(credentialRes.error.message);
213
- }
214
- return credentialRes.data;
215
- };
216
-
217
- /**
218
- * Authorizes the user using the query mode and the authorization context.
219
- * @param authzRequestEndpoint The authorization endpoint of the authorization server
220
- * @param params The query parameters to be used in the request
221
- * @param redirectUri The URL to which the redirect is made is usually a custom URL or deeplink
222
- * @param authorizationContext The AuthorizationContext to manage the internal webview. If not specified, the default browser is used
223
- * @returns The authrozation result containing the authorization code, state and issuer
224
- */
225
- export const authorizeUserWithQueryMode = async (authzRequestEndpoint, params, redirectUri, authorizationContext) => {
226
- const authUrl = `${authzRequestEndpoint}?${params}`;
227
- var authRedirectUrl;
228
- if (authorizationContext) {
229
- const redirectSchema = new URL(redirectUri).protocol.replace(":", "");
230
- authRedirectUrl = await authorizationContext.authorize(authUrl, redirectSchema).catch(e => {
231
- throw new AuthorizationError(e.message);
232
- });
233
- } else {
234
- // handler for redirectUri
235
- Linking.addEventListener("url", _ref => {
236
- let {
237
- url
238
- } = _ref;
239
- if (url.includes(redirectUri)) {
240
- authRedirectUrl = url;
241
- }
242
- });
243
- const openAuthUrlInBrowser = Linking.openURL(authUrl);
244
-
245
- /*
246
- * Waits for 120 seconds for the identificationRedirectUrl variable to be set
247
- * by the custom url handler. If the timeout is exceeded, throw an exception
248
- */
249
- const unitAuthRedirectIsNotUndefined = until(() => authRedirectUrl !== undefined, 120);
250
- await Promise.all([openAuthUrlInBrowser, unitAuthRedirectIsNotUndefined]);
251
- if (authRedirectUrl === undefined) {
252
- throw new AuthorizationError("Invalid authentication redirect url");
253
- }
254
- }
255
- const urlParse = parseUrl(authRedirectUrl);
256
- const authRes = AuthorizationResultShape.safeParse(urlParse.query);
257
- if (!authRes.success) {
258
- const authErr = AuthorizationErrorShape.safeParse(urlParse.query);
259
- if (!authErr.success) {
260
- throw new AuthorizationError(authRes.error.message); // an error occured while parsing the result and the error
261
- }
262
-
263
- throw new AuthorizationIdpError(authErr.data.error, authErr.data.error_description);
264
- }
265
- return authRes.data;
266
- };
267
- export const createNonceProof = async (nonce, issuer, audience, ctx) => {
268
- const jwk = await ctx.getPublicKey();
269
- return new SignJWT(ctx).setPayload({
270
- nonce
271
- }).setProtectedHeader({
272
- typ: "openid4vci-proof+jwt",
273
- jwk
274
- }).setAudience(audience).setIssuer(issuer).setIssuedAt().setExpirationTime("5min").sign();
275
- };
276
- //# sourceMappingURL=03-start-credential-issuance.js.map
@@ -1 +0,0 @@
1
- {"version":3,"names":["uuid","makeParRequest","SignJWT","generateRandomAlphaNumericString","hasStatus","until","ASSERTION_TYPE","parseUrl","AuthorizationError","AuthorizationIdpError","ValidationFailed","AuthorizationErrorShape","AuthorizationResultShape","withEphemeralKey","createDPopToken","createPopToken","CredentialResponse","TokenResponse","WalletInstanceAttestation","Linking","selectCredentialDefinition","issuerConf","credentialType","credential_configurations_supported","openid_credential_issuer","result","Object","keys","filter","e","includes","map","credential_configuration_id","format","type","Error","selectResponseMode","responseModeSupported","oauth_authorization_server","response_modes_supported","responseMode","startCredentialIssuance","ctx","wiaCryptoContext","credentialCryptoContext","walletInstanceAttestation","authorizationContext","redirectUri","idphint","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","parEndpoint","pushed_authorization_request_endpoint","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","credentialDefinition","getPar","issuerRequestUri","authorizeFlowResult","authzRequestEndpoint","authorization_endpoint","params","URLSearchParams","client_id","request_uri","authorizeUserWithQueryMode","code","tokenUrl","token_endpoint","tokenRequestSignedDPop","ephimeralContext","htm","htu","jti","v4","signedWiaPoP","requestBody","grant_type","redirect_uri","code_verifier","client_assertion_type","client_assertion","authorizationRequestFormBody","tokenRes","method","headers","DPoP","body","toString","res","json","safeParse","success","error","message","accessTokenResponse","data","credentialUrl","credential_endpoint","signedNonceProof","createNonceProof","c_nonce","constainsCredentialDefinition","authorization_details","some","c","credentialRequestFormBody","credential_definition","proof","jwt","proof_type","credentialRes","Authorization","token_type","access_token","JSON","stringify","authUrl","authRedirectUrl","redirectSchema","replace","authorize","catch","addEventListener","_ref","url","openAuthUrlInBrowser","openURL","unitAuthRedirectIsNotUndefined","undefined","Promise","all","urlParse","authRes","query","authErr","error_description","nonce","issuer","audience","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-credential-issuance.ts"],"mappings":"AAAA,OAAOA,IAAI,MAAM,mBAAmB;AACpC,SAA8BC,cAAc,QAAQ,iBAAiB;AACrE,SAASC,OAAO,QAA4B,6BAA6B;AACzE,SACEC,gCAAgC,EAChCC,SAAS,EACTC,KAAK,QAEA,kBAAkB;AAGzB,SAASC,cAAc,QAAQ,SAAS;AACxC,OAAOC,QAAQ,MAAM,WAAW;AAChC,SACEC,kBAAkB,EAClBC,qBAAqB,EACrBC,gBAAgB,QACX,oBAAoB;AAC3B,SACEC,uBAAuB,EACvBC,wBAAwB,QAGnB,kBAAkB;AACzB,SAASC,gBAAgB,QAAQ,oBAAoB;AACrD,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,cAAc,QAAQ,iBAAiB;AAChD,SAASC,kBAAkB,EAAEC,aAAa,QAA2B,SAAS;AAC9E,OAAO,KAAKC,yBAAyB,MAAM,mCAAmC;AAC9E,SAASC,OAAO,QAAQ,cAAc;;AAEtC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,cAAgD,KACxB;EACxB,MAAMC,mCAAmC,GACvCF,UAAU,CAACG,wBAAwB,CAACD,mCAAmC;EAEzE,MAAM,CAACE,MAAM,CAAC,GAAGC,MAAM,CAACC,IAAI,CAACJ,mCAAmC,CAAC,CAC9DK,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,QAAQ,CAACR,cAAc,CAAC,CAAC,CACzCS,GAAG,CAAEF,CAAC,KAAM;IACXG,2BAA2B,EAAEV,cAAc;IAC3CW,MAAM,EAAEV,mCAAmC,CAACM,CAAC,CAAC,CAAEI,MAAM;IACtDC,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACT,MAAM,EAAE;IACX,MAAM,IAAIU,KAAK,CAAE,mCAAkCb,cAAe,GAAE,CAAC;EACvE;EACA,OAAOG,MAAM;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMW,kBAAkB,GAAGA,CACzBf,UAAkD,EAClDC,cAAgD,KAC/B;EACjB,MAAMe,qBAAqB,GACzBhB,UAAU,CAACiB,0BAA0B,CAACC,wBAAwB;EAEhE,MAAMC,YAAY,GAChBlB,cAAc,KAAK,0BAA0B,GAAG,OAAO,GAAG,eAAe;EAE3E,IAAI,CAACe,qBAAqB,CAACP,QAAQ,CAACU,YAAY,CAAC,EAAE;IACjD,MAAM,IAAIL,KAAK,CAAE,sCAAqCb,cAAe,GAAE,CAAC;EAC1E;EAEA,OAAOkB,YAAY;AACrB,CAAC;AAgBD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,OAAO,MAAMC,uBAAgD,GAAG,MAAAA,CAC9DpB,UAAU,EACVC,cAAc,EACdoB,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,uBAAuB;IACvBC,yBAAyB;IACzBC,oBAAoB;IACpBC,WAAW;IACXC,OAAO;IACPC,QAAQ,GAAGC;EACb,CAAC,GAAGR,GAAG;;EAEP;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE,MAAMS,QAAQ,GAAG,MAAMR,gBAAgB,CAACS,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,MAAMC,YAAY,GAAGrD,gCAAgC,CAAC,EAAE,CAAC;EACzD,MAAMsD,WAAW,GACfpC,UAAU,CAACiB,0BAA0B,CAACoB,qCAAqC;EAC7E,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACH,WAAW,CAAC;EACnC,MAAMI,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;EACpD,MAAMC,GAAG,GAAG9C,yBAAyB,CAAC+C,MAAM,CAACpB,yBAAyB,CAAC,CACpEqB,OAAO,CAACC,GAAG,CAACC,GAAG,CAACb,GAAG;EACtB,MAAMc,oBAAoB,GAAGjD,0BAA0B,CACrDC,UAAU,EACVC,cACF,CAAC;EACD,MAAMkB,YAAY,GAAGJ,kBAAkB,CAACf,UAAU,EAAEC,cAAc,CAAC;EAEnE,MAAMgD,MAAM,GAAGrE,cAAc,CAAC;IAAE0C,gBAAgB;IAAEM;EAAS,CAAC,CAAC;EAC7D,MAAMsB,gBAAgB,GAAG,MAAMD,MAAM,CACnCnB,QAAQ,EACRK,YAAY,EACZT,WAAW,EACXP,YAAY,EACZiB,WAAW,EACXZ,yBAAyB,EACzB,CAACwB,oBAAoB,CAAC,EACtB/D,cACF,CAAC;;EAED;AACF;AACA;AACA;AACA;EACE,MAAMkE,mBAAmB,GAAG,MAAM,CAAC,YAAY;IAC7C,MAAMC,oBAAoB,GACxBpD,UAAU,CAACiB,0BAA0B,CAACoC,sBAAsB;IAC9D,IAAIlC,YAAY,KAAK,OAAO,EAAE;MAC5B,MAAMmC,MAAM,GAAG,IAAIC,eAAe,CAAC;QACjCC,SAAS,EAAE1B,QAAQ;QACnB2B,WAAW,EAAEP,gBAAgB;QAC7BvB;MACF,CAAC,CAAC;;MAEF;AACN;AACA;MACM,OAAO,MAAM+B,0BAA0B,CACrCN,oBAAoB,EACpBE,MAAM,EACN5B,WAAW,EACXD,oBACF,CAAC;IACH,CAAC,MAAM;MACL,MAAM,IAAItC,kBAAkB,CAC1B,yDACF,CAAC;IACH;EACF,CAAC,EAAE,CAAC;;EAEJ;AACF;AACA;AACA;AACA;AACA;;EAEE,MAAM;IAAEwE;EAAK,CAAC,GAAGR,mBAAmB;EACpC,MAAMS,QAAQ,GAAG5D,UAAU,CAACiB,0BAA0B,CAAC4C,cAAc;EACrE;EACA,MAAMC,sBAAsB,GAAG,MAAMtE,gBAAgB,CACnD,MAAOuE,gBAAgB,IAAK;IAC1B,OAAO,MAAMtE,eAAe,CAC1B;MACEuE,GAAG,EAAE,MAAM;MACXC,GAAG,EAAEL,QAAQ;MACbM,GAAG,EAAG,GAAEvF,IAAI,CAACwF,EAAE,CAAC,CAAE;IACpB,CAAC,EACDJ,gBACF,CAAC;EACH,CACF,CAAC;EAED,MAAMK,YAAY,GAAG,MAAM1E,cAAc,CACvC;IACEwE,GAAG,EAAG,GAAEvF,IAAI,CAACwF,EAAE,CAAC,CAAE,EAAC;IACnB3B,GAAG;IACHG;EACF,CAAC,EACDrB,gBACF,CAAC;EAED,MAAM+C,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCd,SAAS,EAAE1B,QAAQ;IACnB6B,IAAI;IACJY,YAAY,EAAE7C,WAAW;IACzB8C,aAAa,EAAErC,YAAY;IAC3BsC,qBAAqB,EAAExF,cAAc;IACrCyF,gBAAgB,EAAElD,yBAAyB,GAAG,GAAG,GAAG4C;EACtD,CAAC;EAED,MAAMO,4BAA4B,GAAG,IAAIpB,eAAe,CAACc,WAAW,CAAC;EACrE,MAAMO,QAAQ,GAAG,MAAMhD,QAAQ,CAACgC,QAAQ,EAAE;IACxCiB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEjB;IACR,CAAC;IACDkB,IAAI,EAAEL,4BAA4B,CAACM,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCjD,IAAI,CAACjD,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBiD,IAAI,CAAEkD,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBnD,IAAI,CAAEgD,IAAI,IAAKpF,aAAa,CAACwF,SAAS,CAACJ,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACS,OAAO,EAAE;IACrB,MAAM,IAAIhG,gBAAgB,CAACuF,QAAQ,CAACU,KAAK,CAACC,OAAO,CAAC;EACpD;;EAEA;AACF;AACA;EACE,MAAMC,mBAAmB,GAAGZ,QAAQ,CAACa,IAAI;EACzC,MAAMC,aAAa,GAAG1F,UAAU,CAACG,wBAAwB,CAACwF,mBAAmB;;EAE7E;AACF;AACA;AACA;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAMC,gBAAgB,CAC7CL,mBAAmB,CAACM,OAAO,EAC3BhE,QAAQ,EACR4D,aAAa,EACbnE,uBACF,CAAC;;EAED;EACA,MAAMwE,6BAA6B,GACjCP,mBAAmB,CAACQ,qBAAqB,CAACC,IAAI,CAC3CC,CAAC,IACAA,CAAC,CAACvF,2BAA2B,KAC3BqC,oBAAoB,CAACrC,2BAA2B,IAClDuF,CAAC,CAACtF,MAAM,KAAKoC,oBAAoB,CAACpC,MAAM,IACxCsF,CAAC,CAACrF,IAAI,KAAKmC,oBAAoB,CAACnC,IACpC,CAAC;EAEH,IAAI,CAACkF,6BAA6B,EAAE;IAClC,MAAM,IAAI1G,gBAAgB,CACxB,qEACF,CAAC;EACH;;EAEA;EACA,MAAM8G,yBAAyB,GAAG;IAChCC,qBAAqB,EAAE;MACrBvF,IAAI,EAAE,CAACmC,oBAAoB,CAACrC,2BAA2B;IACzD,CAAC;IACDC,MAAM,EAAEoC,oBAAoB,CAACpC,MAAM;IACnCyF,KAAK,EAAE;MACLC,GAAG,EAAEV,gBAAgB;MACrBW,UAAU,EAAE;IACd;EACF,CAAC;EAED,MAAMC,aAAa,GAAG,MAAM5E,QAAQ,CAAC8D,aAAa,EAAE;IAClDb,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCC,IAAI,EAAEjB,sBAAsB;MAC5B2C,aAAa,EAAG,GAAEjB,mBAAmB,CAACkB,UAAW,IAAGlB,mBAAmB,CAACmB,YAAa;IACvF,CAAC;IACD3B,IAAI,EAAE4B,IAAI,CAACC,SAAS,CAACV,yBAAyB;EAChD,CAAC,CAAC,CACCnE,IAAI,CAACjD,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBiD,IAAI,CAAEkD,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBnD,IAAI,CAAEgD,IAAI,IAAKrF,kBAAkB,CAACyF,SAAS,CAACJ,IAAI,CAAC,CAAC;EAErD,IAAI,CAACwB,aAAa,CAACnB,OAAO,EAAE;IAC1B,MAAM,IAAIhG,gBAAgB,CAACmH,aAAa,CAAClB,KAAK,CAACC,OAAO,CAAC;EACzD;EAEA,OAAOiB,aAAa,CAACf,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM/B,0BAA0B,GAAG,MAAAA,CACxCN,oBAA4B,EAC5BE,MAAuB,EACvB5B,WAAmB,EACnBD,oBAA2C,KACV;EACjC,MAAMqF,OAAO,GAAI,GAAE1D,oBAAqB,IAAGE,MAAO,EAAC;EACnD,IAAIyD,eAAmC;EAEvC,IAAItF,oBAAoB,EAAE;IACxB,MAAMuF,cAAc,GAAG,IAAIzE,GAAG,CAACb,WAAW,CAAC,CAACe,QAAQ,CAACwE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC;IACrEF,eAAe,GAAG,MAAMtF,oBAAoB,CACzCyF,SAAS,CAACJ,OAAO,EAAEE,cAAc,CAAC,CAClCG,KAAK,CAAE3G,CAAC,IAAK;MACZ,MAAM,IAAIrB,kBAAkB,CAACqB,CAAC,CAAC+E,OAAO,CAAC;IACzC,CAAC,CAAC;EACN,CAAC,MAAM;IACL;IACAzF,OAAO,CAACsH,gBAAgB,CAAC,KAAK,EAAEC,IAAA,IAAa;MAAA,IAAZ;QAAEC;MAAI,CAAC,GAAAD,IAAA;MACtC,IAAIC,GAAG,CAAC7G,QAAQ,CAACiB,WAAW,CAAC,EAAE;QAC7BqF,eAAe,GAAGO,GAAG;MACvB;IACF,CAAC,CAAC;IAEF,MAAMC,oBAAoB,GAAGzH,OAAO,CAAC0H,OAAO,CAACV,OAAO,CAAC;;IAErD;AACJ;AACA;AACA;IACI,MAAMW,8BAA8B,GAAGzI,KAAK,CAC1C,MAAM+H,eAAe,KAAKW,SAAS,EACnC,GACF,CAAC;IAED,MAAMC,OAAO,CAACC,GAAG,CAAC,CAACL,oBAAoB,EAAEE,8BAA8B,CAAC,CAAC;IAEzE,IAAIV,eAAe,KAAKW,SAAS,EAAE;MACjC,MAAM,IAAIvI,kBAAkB,CAAC,qCAAqC,CAAC;IACrE;EACF;EAEA,MAAM0I,QAAQ,GAAG3I,QAAQ,CAAC6H,eAAe,CAAC;EAC1C,MAAMe,OAAO,GAAGvI,wBAAwB,CAAC6F,SAAS,CAACyC,QAAQ,CAACE,KAAK,CAAC;EAClE,IAAI,CAACD,OAAO,CAACzC,OAAO,EAAE;IACpB,MAAM2C,OAAO,GAAG1I,uBAAuB,CAAC8F,SAAS,CAACyC,QAAQ,CAACE,KAAK,CAAC;IACjE,IAAI,CAACC,OAAO,CAAC3C,OAAO,EAAE;MACpB,MAAM,IAAIlG,kBAAkB,CAAC2I,OAAO,CAACxC,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IACvD;;IACA,MAAM,IAAInG,qBAAqB,CAC7B4I,OAAO,CAACvC,IAAI,CAACH,KAAK,EAClB0C,OAAO,CAACvC,IAAI,CAACwC,iBACf,CAAC;EACH;EACA,OAAOH,OAAO,CAACrC,IAAI;AACrB,CAAC;AAED,OAAO,MAAMI,gBAAgB,GAAG,MAAAA,CAC9BqC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChB/G,GAAkB,KACE;EACpB,MAAM0B,GAAG,GAAG,MAAM1B,GAAG,CAACU,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIlD,OAAO,CAACwC,GAAG,CAAC,CACpBgH,UAAU,CAAC;IACVH;EACF,CAAC,CAAC,CACDI,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BxF;EACF,CAAC,CAAC,CACDyF,WAAW,CAACJ,QAAQ,CAAC,CACrBK,SAAS,CAACN,MAAM,CAAC,CACjBO,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC"}